Over the last week or so I have been reading through a lot of security “training” material that either has been recently published or was being submitted for publishing. The problem is, a lot of the material was very old and not necessarily even relevant anymore.
Most anti-virus programs catch new threats by installing an updated virus signature so the engine can recognize the new threat; they “learn” to detect the newer threats. Granted, many “new viruses” are just re-hashed code that has been modified so its signature changes, but there are completely new creatures out there that haven’t been seen before.
If the anti-virus engine didn’t evolve, it would never be able to stop (or detect) the newer threats.
I find it concerning that of all the “new” security articles and training material that I have read in the last two weeks, one of the most advanced techniques I read about was from a security book written in 2004!
The example talked about a new attack that the author detected hitting Air Force systems. The attack was actually pretty impressive: the attacker used several machines, and each machine was programmed to attack a certain system, but only intermittently and only for a brief amount of time.
Each individual attacker system would run only one small attack per day, and then it wouldn’t touch the target again for a week or so. The next attacker system would do the same thing, but against a different part of the target system, and then, like the first, it wouldn’t attack again for a long time. These systems attacked one after the other, a sort of distributed botnet of attacking systems, each hitting only once for a brief amount of time.
It was very difficult for the system analysts to detect this attack. They had to focus on the attacked system, not the attackers, to find a pattern. Because they had full data capture of all their network traffic, they were able to find and track the attacks against the target network. But the pattern only showed up over weeks and months of network security monitoring – analyzing captured packets for patterns.
Pretty advanced stuff!
The problem is that this attack was recorded as happening in 1999…
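The detection shift described above, pivoting on the target rather than the attackers and looking across a long window, as an added Python sketch (not code from the original post or from the book it cites): a conventional per-source rate rule stays silent on this kind of traffic, while aggregating distinct sources per target over a month-long window surfaces it. The flow records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic): (timestamp, src_ip, dst_ip, dst_port).
# Five attacker hosts each touch the target once, days apart, each probing a different service.
EVENTS = [
    ("2024-01-01T02:10:00", "203.0.113.10", "192.0.2.5", 22),
    ("2024-01-03T14:40:00", "203.0.113.11", "192.0.2.5", 80),
    ("2024-01-06T23:05:00", "203.0.113.12", "192.0.2.5", 443),
    ("2024-01-09T07:30:00", "203.0.113.13", "192.0.2.5", 3389),
    ("2024-01-12T19:15:00", "203.0.113.14", "192.0.2.5", 445),
    # Benign noise: one client repeatedly using one service on another server.
    ("2024-01-02T09:00:00", "198.51.100.7", "192.0.2.9", 443),
    ("2024-01-02T09:05:00", "198.51.100.7", "192.0.2.9", 443),
]

def _parse(events):
    # Normalise to datetime objects and sort chronologically.
    return sorted((datetime.fromisoformat(ts), src, dst, port) for ts, src, dst, port in events)

def per_source_alerts(events, window=timedelta(hours=1), threshold=3):
    """Conventional rule: one source touching >= threshold distinct ports on one
    target inside a short window. Never fires here, since each source appears once."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in _parse(events):
        by_pair[(src, dst)].append((ts, port))
    alerts = set()
    for (src, dst), hits in by_pair.items():
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts.add(src)
    return alerts

def per_target_alerts(events, window=timedelta(days=30), min_sources=4):
    """Pivot on the victim: a target probed by >= min_sources distinct sources
    inside a long window, no matter how rarely each individual source shows up."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in _parse(events):
        by_dst[dst].append((ts, src))
    alerts = set()
    for dst, hits in by_dst.items():
        for i, (start, _) in enumerate(hits):
            sources = {s for t, s in hits[i:] if t - start <= window}
            if len(sources) >= min_sources:
                alerts.add(dst)
    return alerts

if __name__ == "__main__":
    print("per-source rule fires on:", per_source_alerts(EVENTS) or "nothing")
    print("per-target rule fires on:", per_target_alerts(EVENTS))
```

The long window is what makes the aggregation work; it presupposes the full-capture or flow retention the analysts in the story had.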
Hacker groups are very good at sharing attack techniques with others in their groups. They share training and tools fairly rapidly on hidden websites and secure forums. Granted, security groups that meet once a month are doing a good job of getting security techniques disseminated, but there is still a long way to go to get the good guys up to speed and on the same page.
Also, be aware when looking into purchasing security training material: check into the company and the instructors. You may be getting recycled material that is no longer relevant.