Interview The developers behind Snort, the open source intrusion detection system, are pushing ahead with a project to develop a system for detecting malformed documents in a bid to provide early warnings about targeted attacks.
Razorback is designed to complement traditional anti-virus products by providing a warning about maliciously constructed files that may take advantage of zero-day vulnerabilities to compromise targeted machines. Such previously unseen attacks are liable to slip by anti-virus and other security defences because no anti-virus signature has yet been created, and because heuristics and even cloud-based approaches are still fundamentally reactive, according to Marty Roesch, CTO of Sourcefire and the developer of Snort.
Roesch told El Reg that firewalls and IDS systems are designed to have high throughput and low latency, so these security devices are ill-suited to analysis of documents – the niche Razorback is trying to occupy. Razorback would offer "deep file inspection" with a forensics backend that provides near-real-time warning that something is amiss, for example, in an email sent to a firm's finance department. The document analysing software does not include a blocking function but "lets you know where to look and what to look for", according to Roesch, who said the technology offered software hooks to Snort and Clam AV.
The software includes a protocol anomaly detector that, for example, would detect Flash components in an Excel file. These flash components are passed on to parts of the technology that understand Flash files. If these handlers say that the file concerned is not a Flash file, then an alert would be generated that a malformed Flash file was found in a spreadsheet, a clear sign that something very odd and probably malign is going on. The approach doesn't rely on looking for patterns matching previously known bad stuff.
The idea is akin to data loss prevention (DLP) technology used for locking down USB ports and preventing the accidental or deliberate export of confidential data via email or other routes, it seems to us. However Roesch said DLP technology would be hard to apply to the detection of "zero-day" document-based targeted attacks, because it doesn't look for "heap sprays or buffer overflow" attacks (Razorback's particular forte).
Adding deep file inspection to client and server anti-virus, intrusion prevention and content inspection adds to the complexity of overall security set-ups, especially when much of this technology is designed to thwart targeted malware-based attacks. Roesch countered that higher-end enterprises had already seen the benefit of the extra line of defence.
Roesch said that Razorback is currently in the alpha stage of development. "The technology might be adapted over time to quarantine or stop suspicious files but that's not its function just now," Roesch added.
More about the project can be found on the Sourcefire labs portal here. ®