Shellshock Bash Bug: Black Swan or White?
The recently-discovered Shellshock vulnerability in the popular Unix Bash shell, also known as Bashdoor, has been labeled a black swan event – that is, a “hard-to-predict and rare event beyond the realm of normal expectations”. Patches are being feverishly rolled out even as these lines are written. And security analysts are decrying the unique danger of a vulnerability rooted so deeply in the veteran OS, which has left yet-unknown applications and components exposed to attack.
It’s truly a dramatic and rare, once-in-a-blue-moon bug.
That is, until the next one is discovered. Or the one after that…
Because the Shellshock Bash Bug isn’t really a black swan. In fact, it’s an all-too-common white swan. We know that there are numerous vulnerabilities out there, we know they potentially lurk in every layer, every application, and every component. Nothing about the recent discovery and disclosure of Shellshock, or the next ‘black-swan’ bug which will inevitably be discovered, will change that reality.
It’s not the Holes, It’s the Water!
If you think about it, holes in the hull don’t sink a ship. What actually sinks the ship is the water that comes in through them.
So, to continue with the sinking ship analogy, Shellshock is one hole in the hull – a big hole, but a single hole nonetheless. The problem is that there are potentially thousands of other holes, in millions of permutations. So, a sound security strategy needs to be more focused on finding the water and bailing it out, and less focused on plugging each individual hole.
The primary takeaway of Shellshock is that attack vectors cannot be predicted. It is true that some vectors are more common than others – such as email attachments carrying a malicious payload that exploits some vulnerability – and these need to be addressed. But creating a list of specific vectors against which you’re protected is essentially creating a list of holes in your hull, even as more open up – it simply cannot guarantee that your organization won’t be the next one in the headlines.
Attempting to predict the next attack vector offers lower odds than roulette. At least in roulette, you know it’s simply a matter of chance. In the case of a targeted attack, the attacker will always aim to use specific vectors that your defenses don’t protect. We see this in numerous post-mortem cyber breach investigations, where someone inevitably claims that the attackers used a rare or unknown vulnerability, by way of justifying why the vector was not covered.
So let’s be clear: there are no black swans in network security. The root of the problem is not the existence of rare bugs, but the failure to build a security posture that copes with the fact that they are out there. The key to effectively thwarting targeted attacks like those that will be facilitated by the Shellshock vulnerability is not to focus on the holes, but rather the water.
Finding the Water
Forward-thinking security professionals are adopting adaptive, intelligent, behavior-based technology (like LightCyber Magna) that seeks out the water which inevitably seeps in through holes in your perimeter.
These are the attackers that have long breached your hull, but have not yet gained the critical mass to actually sink you. The trick is to find them before the damage is done.
Products like LightCyber Magna closely and automatically monitor all internal network traffic, profiling the normal behavior of every single user and endpoint in your network and detecting the subtle behavioral deviations that characterize malicious activity. It is these elusive clues that lead your security teams to the hidden pockets of water that can cause your ship to tilt dangerously. The question is, can you find them in time?
Learn the Tools That Attackers Use
Register to download the 2016 Cyber Weapons Report now. This report focuses on attacks that occur after the initial intrusion, including command and control, reconnaissance, lateral movement and data exfiltration. The Cyber Weapons Report is a first-of-its-kind quantitative view of attack tools.