Over the past 10 years networks have become much more complex. The introduction of the Open Source Initiative (OSI) has provided a world-wide platform for developers to design computer programs (source code), post those computer programs (referred to as “open source”) on the Internet, and allow any person or organization to download the programs (source code), utilize them for personal or professional use, and also contribute to advancing their technical capabilities, with the result posted again for any person or organization to download from the Internet and utilize at any time.
Major corporations and government organizations world-wide now contribute to the OSI in the field of cybersecurity. Specifically, OSI technology (source code) is available to allow network administrators to “test” the security of their networks to find unknown weaknesses or vulnerabilities that may exist in those networks. The OSI technology (source code) within the specific area of Network Administrative/Security Tools has become so advanced that it allows an administrator to specifically target a single device, a group of devices (by entering an IP address range), or an entire network, or to search the Internet for weaknesses or vulnerabilities that may exist in any device connected to the Internet.
These Network Administrative/Security Tools (hereafter referred to as “tools”) have the capability to transmit communications to “targets” (a device, group of devices, network or networks), and those communications perform an analysis of the target's currently executing processes (program applications), which reside in the memory of the targeted device. These tools are so powerful that the communications have the capability of extracting critical/confidential information from a targeted device and often allow an administrator to successfully penetrate, exploit and/or gain control of a targeted device without installing a physical file on, or physically altering, the targeted device.
Hackers, hacking organizations and state-sponsored hacking organizations have been downloading the source code of such tools, increasing/enhancing their capabilities, repackaging and reconfiguring (recompiling and linking) them, and utilizing these tools or releasing them to the public, for free or for a substantial profit, to successfully target, attack and penetrate devices/networks world-wide, leaving no trace whatsoever that an actual cyber attack was successfully executed against the targeted network/device.
Another major world-wide problem is that over the past 10 years cybersecurity experts have developed technology (algorithms) that can successfully probe the world-wide Internet to detect, record and map the whereabouts of cyber defense Internet sensors, which are designed to detect a source (attacking program/tool) attempting to gain access and penetrate a targeted device/network the Internet sensor is monitoring. These Internet sensors have established (defined) policies to determine if a source attempting to communicate (connect) and obtain access to a target is legitimate or malicious activity. If the Internet sensor detects the source and it fails the defined policy, the source is denied access and an alert is transmitted on the source IP address attempting to connect and gain access to the targeted device or network.
These Internet sensors working together comprise corporate, national and world-wide “detection nets” that also act as an “early warnings and indications system” that will allow all networks participating within the “detection net” to defend themselves against a source that has been identified as malicious by an Internet sensor. However, a problem with Internet sensors is that the defined policy is the only mechanism that determines if a source is malicious activity, which produces a large number of “false positives”. There is no automated analysis of the actual communications payload to determine the true intent of a source connecting to a targeted network/device. The Internet sensor determines if the activity (connection) is legitimate or malicious based on a “pass or fail” of the defined policy that determines if device/network access should be granted to the source.
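The following Python example is added here to illustrate the distinction drawn above; it is not part of the original text. It places a policy-only sensor (the destination port alone decides pass or fail) beside a sensor that also inspects the communications payload, and runs both over a handful of constructed connection records. The allowed-port list, the payload signatures and the sample traffic are all assumptions made for the illustration.

```python
"""Constructed illustration: a policy-only Internet sensor beside one that
also inspects the communications payload.  Ports, signatures and traffic
are assumptions made for this example, not captured data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_port: int
    payload: bytes


# Assumed defined policy: inbound connections are permitted only to these ports.
ALLOWED_PORTS = {22, 80, 443}

# Assumed payload signatures: byte patterns a legitimate request to these
# services should never carry.
PAYLOAD_SIGNATURES = [
    re.compile(rb";\s*/bin/sh"),   # shell command injected into a parameter
    re.compile(rb"\.\./\.\./"),    # directory traversal
]

# Constructed sample traffic.  Record 3 is a benign internal health check on
# a port the policy does not list; record 4 is a request to an allowed port
# whose payload injects a shell command.
SAMPLE_TRAFFIC = [
    Connection("203.0.113.5", 443, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Connection("203.0.113.5", 22, b"SSH-2.0-example\r\n"),
    Connection("10.0.0.7", 8080, b"GET /healthz HTTP/1.1\r\nHost: internal\r\n\r\n"),
    Connection("198.51.100.9", 80, b"GET /cgi-bin/x?cmd=;/bin/sh HTTP/1.1\r\n\r\n"),
]


def policy_verdict(conn):
    """Pass/fail on the defined policy alone: the destination port decides."""
    return "allow" if conn.dst_port in ALLOWED_PORTS else "deny"


def payload_verdict(conn):
    """Apply the policy, then let the payload refine the decision."""
    if any(sig.search(conn.payload) for sig in PAYLOAD_SIGNATURES):
        return "deny"   # malicious content, whatever the port
    if conn.dst_port not in ALLOWED_PORTS:
        return "log"    # policy failure with a benign payload: record, do not alert
    return "allow"


def evaluate(traffic, verdict_fn):
    """Map each (source, port) pair to the verdict of one sensor."""
    return {(c.src_ip, c.dst_port): verdict_fn(c) for c in traffic}


def disagreements(traffic=SAMPLE_TRAFFIC):
    """Records on which the two sensors differ: each is either a false
    positive or a missed attack of the policy-only sensor."""
    policy = evaluate(traffic, policy_verdict)
    payload = evaluate(traffic, payload_verdict)
    return {key: (policy[key], payload[key])
            for key in policy if policy[key] != payload[key]}


if __name__ == "__main__":
    for key, (p, q) in disagreements().items():
        print(key, "policy-only:", p, "| with payload analysis:", q)
```

Run stand-alone, the script reports the two records on which the sensors disagree: the health check that the policy-only sensor denies (a false positive) and the injected command that it allows because the port is permitted (a missed attack).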
Since 2005, studies (specifications) have been published that allow hackers to perform a reconnaissance and determine the whereabouts of Internet sensors and map their physical IP address locations before they execute an actual cyber attack. This provides hackers the capabilities to automatically bypass Internet sensors/“detection nets” at the time a cyber attack is launched (executed).
Another major world-wide problem is how industrial Programmable Logic Controllers (PLCs) have been, and are still being designed and deployed. PLCs are commonly configured with standard communications protocols such as Telnet, SecureShell (SSH), web/Internet browser access, etc., to allow remote access and management from an external device.
PLCs often utilize standard communication protocols on IANA reserved ports defined for a specific use, such as port 21-File Transfer Protocol, port 22-SecureShell, port 23-Telnet, port 80-World Wide Web/web browser, port 443-Secure World Wide Web, etc.
As an example, many PLCs world-wide are often specifically configured to allow remote access and 100% remote management (control) through reserved IANA port 23-Telnet. Hackers world-wide educated in industrial PLCs will configure their tools to search the US and/or world-wide Internet for devices that will respond to port 23 Telnet commands.
Another problem is with legitimate remote access entry points to devices and/or networks, within both traditional and cloud networks. Commercial corporations and government organizations world-wide utilize commercial “off the shelf” remote access software (hereafter referred to as “login technology”) that allows an individual to connect to a network/device and enter a system name, password, etc. to obtain access to the network/device. Network defense systems commonly do not track sources attempting to gain access to networks via remote access entry points, and leave the login technology to manage all login/unauthorized attempts on its own. Because network defense systems commonly do not track many aspects of login technology activity, many Internet sensors do not track, or alert “detection nets”, that a source has attempted unauthorized access to a network. Because this activity is not tracked by many network defense systems, successful unauthorized login activity is not detected, and lateral movements within and throughout compromised networks are therefore extremely difficult to detect.
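The following Python example is added to show what tracking login technology activity could look like; it is not part of the original text. It parses a few constructed lines in the style of an OpenSSH authentication log, counts failed attempts per source inside a sliding window, and raises an alert both for a burst of failures and for a success that follows such a burst (the pattern that precedes the lateral movement described above). The log lines, the threshold and the window size are assumptions made for the illustration.

```python
"""Constructed illustration: tracking remote-access login activity that a
network defense system would otherwise leave to the login technology.
Log lines, threshold and window are assumptions, not captured data."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth log (syslog omits
# the year).  One external source fails three times and then succeeds.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[911]: Failed password for admin from 198.51.100.23 port 51000 ssh2
Mar  3 10:00:03 gw sshd[911]: Failed password for admin from 198.51.100.23 port 51001 ssh2
Mar  3 10:00:05 gw sshd[911]: Failed password for root from 198.51.100.23 port 51002 ssh2
Mar  3 10:00:09 gw sshd[911]: Accepted password for admin from 198.51.100.23 port 51003 ssh2
Mar  3 10:01:00 gw sshd[912]: Accepted publickey for ops from 10.0.0.5 port 40001 ssh2
Mar  3 10:02:00 gw sshd[913]: Failed password for guest from 192.0.2.8 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAILURE_THRESHOLD = 3   # assumed: failures per source before an alert
WINDOW_SECONDS = 60     # assumed: sliding window over which failures count


def parse(log_text):
    """Return (timestamp, result, user, source) tuples for lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_alerts(log_text=SAMPLE_LOG):
    """Alerts keyed by source IP, suitable for forwarding to a detection net:
    'repeated-failures' for a burst inside the window, and
    'success-after-failures' for a login accepted after such a burst."""
    alerts = {}
    recent_failures = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            window = [t for t in recent_failures[src]
                      if (ts - t).total_seconds() <= WINDOW_SECONDS]
            window.append(ts)
            recent_failures[src] = window
            if len(window) >= FAILURE_THRESHOLD:
                alerts.setdefault(src, set()).add("repeated-failures")
        elif result == "Accepted" and "repeated-failures" in alerts.get(src, set()):
            alerts[src].add("success-after-failures")
    return {src: sorted(kinds) for src, kinds in alerts.items()}


if __name__ == "__main__":
    for src, kinds in find_alerts().items():
        print(src, ", ".join(kinds))
```

The single failure from the second external source stays below the threshold and produces no alert, while the source that fails three times inside the window is flagged, and its subsequent accepted login is flagged again as a possible compromised account.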
With the introduction of Cloud virtualization technology, the requirement for increased bandwidth has substantially grown in order to maintain a stable “Cloud environment” network. The average bandwidth to maintain a Cloud instance communicating to a Cloud platform is 80 kilobytes per second (80 kbps), per user. This equates to approximately 10,000 bytes per second, per user.
As an example, a Cloud network with 10 users will require an average minimum bandwidth that exceeds 100,000 bytes per second to adequately maintain the network. Hackers utilizing attack tools may launch attacks that can successfully exploit/compromise a Cloud network with less than 150 bytes of malicious code that resides in the process buffers/sockets (memory). This presents an extremely difficult problem for network defense systems defending cloud networks to monitor, detect and stop malicious code without seriously affecting (degrading) the performance of the targeted cloud network.
Another problem with Cloud (Virtualization) networks is that specifications have been widely published to determine if a device is an actual computer or a virtual instance. Malicious code can determine if the target is a virtual instance and not execute its malicious code until it successfully reaches an actual (real) computer and determines the environment is suitable to execute against the target.
Over the past ten years, hackers have been continuously refining their skills and publishing methods on how to successfully detect fixed static network defense systems, and bypass (circumvent) those network defense systems to gain access to a targeted network, or confuse the network defense system by transmitting “fragmented” communications that trick and bypass network defense policies.
As an example, a hacker utilizing an attack tool might successfully detect the location (IP address) of a targeted network's internal firewall and/or intrusion detection system by a method as simple as transmitting ICMP communications. As a general rule, well-secured networks disable outbound ICMP, and attack tools can often determine exactly where ICMP stops (is disabled) when performing reconnaissance or probing a network. Hackers may then correctly assume that the point where ICMP stops (is disabled) is where the network firewall, intrusion detection system and other network defense assets are physically installed.
Whatever method is utilized to successfully detect fixed static network defense systems will provide the exact IP addresses at which these defense assets reside, and the hacker will then attempt to bypass (circumvent) or confuse the defense systems with “fragmented” communications.
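The following Python example is added to illustrate why “fragmented” communications confuse a fixed network defense policy and what the defense must do about it; it is not part of the original text. A signature is matched first against each fragment of a constructed request on its own, as a stateless sensor would, and then against the request after the fragments have been put back in order. The request, the split point and the signature are assumptions made for the illustration.

```python
"""Constructed illustration: a signature that straddles a fragment boundary
is missed by per-fragment inspection and found after reassembly.  The
request, split point and signature are assumptions made for this example."""
import re

# Assumed signature for an injected shell command in a request parameter.
SIGNATURE = re.compile(rb";\s*/bin/sh")

# Constructed request; the signature occupies bytes 19..27.
REQUEST = b"GET /cgi-bin/x?cmd=;/bin/sh HTTP/1.1\r\n\r\n"


def fragment(data, sizes):
    """Split data into (offset, chunk) pieces of the given sizes, the last
    piece taking the remainder, in the manner of IP fragment offsets."""
    pieces, pos = [], 0
    for size in sizes:
        pieces.append((pos, data[pos:pos + size]))
        pos += size
    pieces.append((pos, data[pos:]))
    return pieces


def match_per_fragment(fragments, signature=SIGNATURE):
    """Stateless inspection: each fragment is examined on its own."""
    return any(signature.search(chunk) is not None for _, chunk in fragments)


def reassemble(fragments):
    """Order fragments by offset and concatenate them, rejecting any gap or
    overlap so that a hostile fragment set cannot produce ambiguous data."""
    buf = bytearray()
    for offset, chunk in sorted(fragments):
        if offset != len(buf):
            raise ValueError(f"gap or overlap at offset {offset}")
        buf += chunk
    return bytes(buf)


def match_after_reassembly(fragments, signature=SIGNATURE):
    """Stateful inspection: reassemble first, then match the signature."""
    return signature.search(reassemble(fragments)) is not None


if __name__ == "__main__":
    # Split inside the signature and deliver the fragments out of order.
    frags = list(reversed(fragment(REQUEST, [23])))
    print("per-fragment match:", match_per_fragment(frags))
    print("after reassembly:  ", match_after_reassembly(frags))
```

Splitting the request at byte 23 places `;/bi` in one fragment and `n/sh` in the other, so neither fragment matches on its own; only the sensor that reassembles the communications before applying its policy sees the full pattern. The gap-and-overlap check in `reassemble` is the minimum a defender needs, since overlapping fragments are the other common way to present different data to the sensor and to the end host.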
Honeypots and sinkholes are considered very strong instruments for detecting cyber attacks and for performing an analysis of cyber attacks. However, algorithms have been published to successfully detect and map the world-wide whereabouts of all honeypots and sinkholes. With respect to Cloud computing, virtual honeypots and virtual sinkholes can be instantly detected due to the overhead (environment variables) required in virtual computing.