While the number of legitimate Web sites hosting malware continues to rise, reputation-based URL filters still can serve an important role in network security, analysts and vendors claim.
Such filters have become a familiar part of a layered defense against security threats. But as a study released Jan. 22 by Websense shows, hackers are increasingly using legitimate sites to infect unwitting users.
According to Websense, some 51 percent of the Web sites the company classified as malicious were compromised-meaning they were legitimate sites infected by hackers. Because compromised sites have a good reputation, such methods can pose a serious threat to enterprises relying too heavily on reputation filters, the study notes.
Websense, a prominent player in the URL filtering market, is by no means down on reputation-based filtering, and as Gartner analyst John Pescatore noted, if 51 percent of the malicious Web sites found by Websense were legitimate, that still means 49 percent were rogue sites.
“Plus, even legitimate sites can get on the bad reputation list if they are found to be hosting malware,” Pescatore told eWEEK. “This means that if the Miami Dolphins’ site is hacked and the Web Security Gateway folks … detect it, the Dolphins Web site will be on the blocked list-so reputation services are still effective.”
What’s ineffective, he said, is a lot of the anti-phishing mechanisms in place.
“What this all means is that Web site security is still weak. … The servers are becoming the weakest link in the chain again,” he said. “Enterprises need to focus again on making sure their sites aren’t vulnerable. When worms were hitting IIS left and right, Web server security went way up, but there haven’t been those high-visibility attacks, and the discipline has been going down and lots of new technology-such as Web 2.0, blogs and the like-are being used on business Web sites that open up many new vulnerabilities.”
Moving Away from First-Gen Blacklists
At IronPort, a business unit of Cisco, officials said reputation-based systems will become more and more important as enterprises move away from first-generation blacklists.
“Threat writers are constantly looking for new ways to increase their success rate, and distributing more sophisticated threats through legitimate Web pages is a very effective way to increase their hit rate,” said IronPort Product Manager Samantha Madrid. “A common vector for such attacks is through an HTML iFrame. … Since this content comes from an outside Web server, controlling it becomes very difficult. When the user visits a Web site with an iFrame exploit, their browser redirects the request to the site hosting malware. The malware is then downloaded in the background onto the user’s computer. Meanwhile, the user has no idea they’ve been compromised.”
But using Web reputation filters that leverage IronPort’s Senderbase network, the reputation system sees the redirection and can stop the request before any malware enters the network, she said.
As shown by the recent discovery of phishing kits made available for free online by a group of Moroccan identity thieves calling themselves Mr-Brain, there are still plenty of hackers looking to craft realistic-looking rogue Web sites in an effort to steal personal data. More than 18 percent of all Web sites hosting malicious content were created or compromised using professional tool kits available online, the Websense study reported.
Still, a reputation-based Web filter has its limits, said Forrester analyst Chenxi Wang, and should be considered only one part of a broader strategy.
“Its effectiveness depends on how fast a reputation, or update of a reputation, can be derived,” she said. “And there is certainly an arms race between how fast the malicious sites are changing and how fast the filtering mechanism can realize that the site’s nature has changed. I think reputation-based filters are useful but not a panacea; users need real-time content analysis to augment URL filtering-both list-based and reputation-based. So, if you consider reputation-based filtering as one piece of the puzzle, then it’s still effective in providing one piece of functionality, but that functionality is by no means sufficient.”