Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor

Transcription

1 Why Device Fingerprinting Provides Better Network Security than IP Blocking How to transform the economics of hacking in your favor

2 Why Device Fingerprinting Provides Better Network Security than IP Blocking How to transform the economics of hacking in your favor Table of Contents Why Fingerprints?...3 Why IP-Reputation Based Blocking Doesn t Work...3 Device Fingerprinting: Changing the economics of hacking...4 How Device Fingerprinting Works...4 Enhance Your Security With a Global Intelligence Network...7 Transform the Economics of Hacking...7 2

3 Why Fingerprints? What if your local police department relied on drivers licenses to identify suspected criminals? Then outlaws would carry fake licenses, and the police would rarely be able to identify career criminals. That s why law enforcement agencies use mug shots, databases of distinguishing marks and, most importantly, fingerprints to discover if a suspect has prior arrests or outstanding warrants. Unfortunately, most network security products rely on the equivalent of drivers licenses: IP addresses associated with known attacks and spam. But there is a better way. In this short paper, we will examine: p Why IP reputation-based blocking doesn t catch smart cybercriminals; p How device fingerprinting changes the economics of hacking; p How device fingerprinting works; p How a global intelligence service based upon device fingerprinting can enhance your network security infrastructure. Why IP-Reputation Based Blocking Doesn t Work Most enterprises and cloud service providers utilize a defense in depth strategy. They employ security products in three layers to: 1. Block network traffic from known cybercriminals and spammers. 2. Identify known attacks by matching threat signatures. 3. Monitor behavior within the network to detect unknown attacks and malicious activities. The first layer includes firewalls and URL filtering products; the second includes anti-malware packages and intrusion prevention systems (IPSes); and the third includes behavior analysis packages, active defense and intrusion deception technology, as well as security information and event management (SIEM) products. Of the three layers, the first is clearly the least effective. The main reason is that almost all products designed to block network traffic from cybercriminals and spammers rely on identifying attackers by their IP addresses and comparing those addresses against a blacklist database. But because cybercriminals can change their IP address constantly by using anonymous proxies, it is easy for them to evade detection through IP-based reputation databases. 3

4 Attackers can also hide behind shared IP addresses. Corporations, government agencies, universities, hotels, retail stores and even coffee shops utilize proxy and network address translation (NAT) technology so that many employees, customers, clients and students access the Internet through the same IP address. It is simply impractical to blacklist the IP address of an entire company, agency or university. In effect, the first layer of defense relies on driver s licenses identification that can easily be faked or shared. Device Fingerprinting: Changing the Economics of Hacking Device fingerprinting is an established technology designed to track specific computers used by hackers and cybercriminals. While cybercriminals can hide behind temporary and shared IP addresses, it is far more difficult and costly for them to change their weapon the workstation they use to probe defenses and launch attacks. Changing workstations not only involves considerable expense, but it also requires re-creating an environment with the hacker s tools, scripts, databases and other components. Even spooling up new virtual machines (VMs) places a major burden on attackers if it must be done repeatedly. For this reason the ability to identify and track workstations associated with suspicious activities changes the economics of hacking. Cybercriminals face the choice of replicating their environment every time they touch a network, or looking elsewhere for easier targets. The value of device fingerprinting is particularly evident in relation to multi-stage attacks and persistent threats. These involve many network sessions for activities like reconnaissance, compromise, privilege escalation, expansion of the attack and information exfiltration. Organizations that can recognize workstations each time they access the network: 1. Can block attacks in the early stages, before any damage is done; and 2. Exponentially raise the costs to cybercriminals of pursuing multi-stage attacks. How Device Fingerprinting Works While device fingerprinting is an established technology, two key developments were required to make its implementation practical for network security: p A reliable technique for profiling remote workstations over an Internet connection. p A robust infrastructure for sharing profiles globally in real time. 4

5 In this section and the following one we will examine how these conditions have now been met through the Junos WebApp Secure technology and Junos Spotlight Secure service from Juniper Networks. 1. Figure 1 shows a visitor accessing a protected website. If Junos WebApp Secure detects any suspicious action (for example, requesting a password file or trying to manipulate a query parameter) or an anomaly (such as a missing header), it creates a unique profile or fingerprint of the visiting device. The profile is based on more than 200 unique attributes, including browser type and version, browser add-ons and plug-ins, fonts, time zone and language preferences. Figure 1: Junos WebApp Secure creates a profile of the attacker s workstation, sends back a super cookie, and sends the profile to the Junos Spotlight Secure profile database. 2. The system also injects an obfuscated super cookie in several locations on the attacker s workstation. 3. Junos WebApp Secure sends the profile and the super cookie to the Junos Spotlight Secure, a cloud-based device intelligence service. 5

6 4. As shown in Figure 2, Junos Spotlight Secure compares the fingerprint against a database of profiles. It returns a message in real time indicating whether the fingerprint matches an existing profile associated with attacks or suspicious activities at other enterprises. Figure 2: Junos Spotlight Secure detects matches with existing threat profiles; Junos WebApp Secure assigns a threat level and takes defensive actions; profiles are shared among enterprises and IT security firms. 5. Junos WebApp Secure combines information from Junos Spotlight Secure and local observations of behavior to assign a threat level to the visitor s device. Based on customer policies specified for the threat level, Junos WebApp Secure blocks the visitor, monitors the visitor s activity, or takes other defensive actions. 6. The updated profile of the attacker, including a global name identifying the device regardless of its IP address, is now available to all other customers of the Junos Spotlight Secure service. The device will now be monitored or blocked at every protected site. It is important to note that the device profiles are anonymous, meaning that they do not include personably identifiable information about the owner of the device or any data from transactions made with the device. 6

7 Enhance Your Security With a Global Intelligence Network The discussion above should make clear that the device intelligence service is a critical part of this solution. To be fully effective, the service must offer: p A robust infrastructure capable of sharing profiles globally in real time. p A profile database that is updated continuously from numerous sources. p Integration with a Web gateway that can enforce security policies. Juniper Networks Junos Spotlight Secure service meets these requirements. It features globally distributed data centers with extremely high levels of reliability, performance and network connectivity. Junos Spotlight Secure also provides a mechanism to share anonymous attacker profiles among enterprises and trusted security companies like RSA. In fact RSA, a division of EMC and one of the leading information security companies in the world, has announced plans to integrate its RSA Live threat intelligence delivery service with Junos Spotlight Secure. This will offer Junos Spotlight Secure customers additional information on malicious networks, including command-and-control and advanced threat-related domains. 1 Junos Spotlight Secure and Junos WebApp Secure are also integrated with Juniper Networks SRX Series Services Gateways, high-performance security, routing and network solutions that pack high port-density, advanced security and flexible connectivity into one easily managed platform. The combination of Junos Spotlight Secure, Junos WebApp Secure and SRX Series Services Gateways provide what Enterprise Strategy Group analyst Jon Oltsik calls, a new and more definitive way to block attacks across the entire Juniper customer base. Transform the Economics of Hacking Device fingerprinting, when supported by a robust, real-time global intelligence network, can transform the economics of hacking in your favor. It prevents hackers from hiding behind anonymous proxies and shared IP addresses, forcing them to change devices or move on to easier targets. It gives you a way to prevent data breaches by the most dangerous cybercriminals, those who target specific sites and return repeatedly to probe and attack. 1 Press release: RSA and Juniper Networks to Expand Technology Partnership to Address Advanced Threats and Mobile Security 7

8 And it shortens the window for certain types of zero-day attacks, by sharing device profiles with many enterprises and security experts. Why depend on drivers licenses, when you can leverage a global fingerprint database? Why wait for attackers to compromise your website, when you can identify and block them on their first visit? Request a 30-day evaluation of Junos Web App Secure and get access to Junos Spotlight Secure at With the growing sophistication of threats, there is a clear need for network security to become more intelligent in how it identifies and stops attacks. Companies are looking for security solutions that not only detect attacks but also provide definitive information about attackers and integrate with core network security controls. Juniper s Spotlight Secure attacker database can address these requirements with its ability to share real-time intelligence with core network security infrastructure, offering a new and more definitive way to block attacks across the entire Juniper customer base. Jon Oltsik, senior principal analyst, Enterprise Strategy Group 8