Note: Since I wrote this story back in 2014, events have changed. Norse’s database and methods have been questioned, and the company has seen a massive staff layoff, including its CEO. I would be careful if you choose their products for now.
We all know it is an arms race on the Internet trying to protect our networks against bad actors. There are fake anti-virus alerts that masquerade as malware and an entire category of badness called ransomware that holds your hard disk hostage until you pay someone to unlock its hold on your data. And then there are traditional methods, such as what was used at Target and elsewhere to use legitimate credentials of people with wide-ranging network access to do their mischief.
It is all rather depressing. But because it is an arms race, the good guys have a few tricks up their sleeves too. The latest line of defense is to track sources of potential infections, down to geo-locating them in the physical world to the extent possible. This is what Norse Corp. offers its clients, and having seen some samples, I have to admit it is a great idea.
Here is a screenshot showing you what they capture. The idea is to instrument the vast unwashed Internet (TOR routers, peer-to-peer torrents, and other effluvia that runs across what all of us would not like to think about when we are trying to trying to Get Real Work Done). Norse has placed thousands of its capture appliances around the world and collected a database of more than 120 million malicious URLs. While that sounds like a lot, it isn’t when you compare this to the number of infected PCs or those on existing botnets. But what is significant is that they can find malware sources in the developmental stages, before they start infecting other computers.
Of course, they aren’t the only ones with these appliances: Cisco, McAfee, BlueCoat, Bit9, Palo Alto Networks, and others have instrumented their customers’ routers and firewalls to capture similar information. Some of these companies score the source addresses and have integrated this reputation analysis into their firewall rules engines too. But to my knowledge, Norse is the only one that can locate these TOR exit nodes and start to identify what other IP addresses are being carried through them. And guess what? If you have to use TOR to hide your traffic, you probably aren’t sending nursery rhymes across the Interwebs. And because everything they observe is tied back to a common database, they can figure out some pretty important things. For example, when a hospital’s kidney dialysis machine is collecting credit card information or worse yet, doing actual payment transactions, that should send up a red flag.
I have written about this before, including most recently this piece in Information Security Magazine this past month. Too bad Target and Marriott and others didn’t have this technology when their insider accounts had been compromised. Yeah, too bad.