Moving Away from First-Gen Blacklists
At IronPort, a business unit of Cisco, officials said reputation-based systems will become more and more important as enterprises move away from first-generation blacklists.But using Web reputation filters that leverage IronPort's Senderbase network, the reputation system sees the redirection and can stop the request before any malware enters the network, she said. As shown by the recent discovery of phishing kits made available for free online by a group of Moroccan identity thieves calling themselves Mr-Brain, there are still plenty of hackers looking to craft realistic-looking rogue Web sites in an effort to steal personal data. More than 18 percent of all Web sites hosting malicious content were created or compromised using professional tool kits available online, the Websense study reported. Still, a reputation-based Web filter has its limits, said Forrester analyst Chenxi Wang, and should be considered only one part of a broader strategy. "Its effectiveness depends on how fast a reputation, or update of a reputation, can be derived," she said. "And there is certainly an arms race between how fast the malicious sites are changing and how fast the filtering mechanism can realize that the site's nature has changed. I think reputation-based filters are useful but not a panacea; users need real-time content analysis to augment URL filtering-both list-based and reputation-based. So, if you consider reputation-based filtering as one piece of the puzzle, then it's still effective in providing one piece of functionality, but that functionality is by no means sufficient."
"Threat writers are constantly looking for new ways to increase their success rate, and distributing more sophisticated threats through legitimate Web pages is a very effective way to increase their hit rate," said IronPort Product Manager Samantha Madrid. "A common vector for such attacks is through an HTML iFrame. ... Since this content comes from an outside Web server, controlling it becomes very difficult. When the user visits a Web site with an iFrame exploit, their browser redirects the request to the site hosting malware. The malware is then downloaded in the background onto the user's computer. Meanwhile, the user has no idea they've been compromised."