An idea for detecting sophisticated threats that grew out of a casual conversation at an information security conference last year received a public airing at another one last week, where its creators urged coders to pick up their tools and extend the open source software built to root out malicious hackers.
Sourcefire principal vulnerability research engineer Patrick Mullen pitched Razorback as a platform to enable organisations to craft their own responses to threats and share those "nuggets" with others.
A nugget was a piece of code that enabled the software to collect or process data, issue alerts, or store and correlate information, the Razorback community website said.
Razorback was what the information security trade would call an intrusion detection system, except that where most such software stopped an attacker cold, Sourcefire's sought to capture the information for later, offline processing and deeper inspection, Mullen said. (Sourcefire also made the popular Snort open-source network intrusion prevention software.)
For instance, portable document format (PDF) files could be parsed by Razorback and any suspect payloads executed in isolation, then discarded or quarantined for inspection, reporting or whatever further action the user required, as directed by the nuggets.
Such action could include feeding the information to a web proxy so that the same payloads, arriving later by email and designed to be executed over the web on the targeted network, would be denied, Mullen said.
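To illustrate the nugget pipeline described above, here is an added sketch (not Razorback's own code or API) in which one hypothetical nugget inspects a PDF for an auto-run JavaScript action, a dispatcher collects the alerts, and a sink nugget records the file hash for a web proxy to deny on re-delivery; the PDF fragments are constructed sample inputs.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample inputs: a benign PDF fragment and one that chains
# /OpenAction to a /JavaScript action, a pattern seen in malicious documents.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
               b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n")

# Markers the processing nugget looks for, checked in this order.
PDF_MARKERS = (b"/OpenAction", b"/JavaScript", b"/JS")

@dataclass
class Alert:
    sha256: str      # identifies the payload for correlation and blocking
    reasons: list    # which markers were found

def pdf_nugget(data: bytes):
    """Hypothetical processing nugget: returns an Alert for a suspicious PDF,
    None for non-PDF data or a PDF without the markers."""
    if not data.startswith(b"%PDF"):
        return None
    reasons = [m.decode() for m in PDF_MARKERS if m in data]
    if not reasons:
        return None
    return Alert(hashlib.sha256(data).hexdigest(), reasons)

class ProxyDenylist:
    """Hypothetical sink nugget: remembers payload hashes so a web proxy
    could refuse the same payload if it arrives again."""
    def __init__(self):
        self.blocked = set()
    def consume(self, alert: Alert):
        self.blocked.add(alert.sha256)
    def is_blocked(self, data: bytes) -> bool:
        return hashlib.sha256(data).hexdigest() in self.blocked

class Dispatcher:
    """Runs every processing nugget over a data block and hands each
    resulting alert to every sink; returns the alerts for the caller."""
    def __init__(self, nuggets, sinks):
        self.nuggets, self.sinks = list(nuggets), list(sinks)
    def submit(self, data: bytes):
        alerts = [a for n in self.nuggets if (a := n(data)) is not None]
        for alert in alerts:
            for sink in self.sinks:
                sink.consume(alert)
        return alerts
```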
"[Enterprises] know they have attackers inside their networks and they're more concerned about being able to track their movements and contain them rather than stop an individual attack," Mullen said.
He said a scenario for trapping an internal attacker was to "take a router and redirect their traffic to keep them contained in a safe space and they can use their tools while they think they are running rampant".
He said he was initially "really shocked" by the call from network security professionals for software such as Razorback, because such systems usually stopped attackers at the firewall, "but what Razorback does is provide the next level - further analysis to see what's going on in the network and clean up after attackers and be able to provide many more advanced types of detection".
Delegates to the Australian Information Security Association annual conference last week where Mullen was speaking heard from others that attackers sometimes spent years trawling through compromised systems before they were discovered.
Mullen said the threat landscape was becoming more diverse, with file formats used to obfuscate attacks and the range of clients, such as tablet PCs, increasing in use and sophistication: "To provide full, in-depth coverage your detection system has to take all data coming in and simulate all the different clients it's protecting".
As part of its pitch for the hearts and minds of security developers, Sourcefire ran coding camps to bring them up to speed with the software's architecture and introduce them to the nuggets and data sources the framework supported.
"I'm looking forward to talking to more people in the field and finding what their opinions are with Razorback as well as any additional threats we're seeing and get in touch with people using the product and cleaning up the mess on a day-to-day basis."