Grey is the New Black

With the dangers found on the Internet today, people are attracted to the concept of blacklisting. They want to unconditionally reject malicious software, but on the other hand they don't want their resources limited as a result. Herein lies the importance of the greylist. It's the future of the network security industry.
The traditional black (always block) and white (always allow) lists are not sufficient anymore. Bad actors have become professionals at blending their malicious data in with valid traffic. A new detection system needs to be put into place.

For example, the online gaming community uses IRC to communicate from player to player. Malicious botnet herders use the same protocol to send commands in encoded messages to their infected bots. You cannot block all traffic using this protocol without upsetting the end user.

So what is a solution? One solution is teaching computer and network systems to go beyond a simplistic yes or no: to look at the situation, analyze the patterns, and make decisions based on the behaviors exhibited. Instead of determining whether a data stream is or is not blocked, security solutions evaluate criteria to determine under what circumstances a data stream should be blocked. Computers and network systems need to recognize more than "this host at this port is bad." They need to determine that when traffic behavior is unexpected and shows traits of maliciousness, it is considered malicious and gets put on the "greylist."

The greylist is a record of the criteria used to define potentially dangerous traffic, which can then be compared against the traffic leaving your organization. Armed with this greylist, you can put the data into context and ask whether this is somewhere data would normally go. By using this method, the greylist can lead to blocking decisions regardless of the protocol used.

Mechanisms used to prevent malicious behavior must be able to function in the grey area, which means working with more detailed data. The challenge is making anti-botnet efforts capable not only of identifying black and white areas but also of dealing with grey areas containing both legitimate and non-legitimate traffic. The solution is analyzing sequence behavior and compiling a greylist. The next phase of security solutions will include greylists.
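To make the idea of a criteria-based greylist concrete, here is an added example (my own illustration, not code from the original post or from any product). It scores outbound flow summaries against a handful of behavioral criteria such as "destination not in our baseline", "IRC payload that is mostly non-printable (encoded commands)" and "machine-regular connection timing", and returns allow, greylist or block together with the reasons. The flow records, the baseline of normal destinations, the weights and the threshold are all constructed for the demonstration; a real deployment would derive the baseline from its own traffic history and tune the weights.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Flow:
    """Summary of outbound connections from one host to one destination
    over an observation window (constructed schema for this example)."""
    src: str
    dst: str
    dport: int
    proto: str                # application protocol as identified by the sensor
    bytes_out: int
    interval_s: float         # mean gap between connections to this dst
    interval_jitter: float    # relative std-dev of that gap (low = machine-like)
    payload_printable: float  # fraction of printable bytes in the payload


# Constructed baseline: destinations this organisation normally talks to, per protocol.
BASELINE: Dict[str, set] = {
    "irc": {"irc.example-gaming.net"},
    "https": {"cdn.example.com"},
}

# Constructed blacklist; 198.51.100.0/24 is a documentation range, used as a placeholder.
BLACKLIST = {"198.51.100.23"}

# A greylist criterion: (name, weight, predicate over a Flow).
Criterion = Tuple[str, int, Callable[[Flow], bool]]

GREYLIST_CRITERIA: List[Criterion] = [
    ("dst-not-in-baseline", 2,
     lambda f: f.dst not in BASELINE.get(f.proto, set())),
    ("irc-nonprintable-payload", 3,
     lambda f: f.proto == "irc" and f.payload_printable < 0.8),
    ("beacon-like-timing", 3,
     lambda f: f.interval_s > 0 and f.interval_jitter < 0.1),
    ("nonstandard-irc-port", 1,
     lambda f: f.proto == "irc" and f.dport not in (6667, 6697)),
]

BLOCK_THRESHOLD = 5  # constructed: enough weight that one criterion alone never blocks


def evaluate(flow: Flow) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Blacklisted destinations are always blocked;
    otherwise the matched greylist criteria decide between allow, greylist and block."""
    if flow.dst in BLACKLIST:
        return "block", ["blacklisted-destination"]
    hits = [(name, weight) for name, weight, pred in GREYLIST_CRITERIA if pred(flow)]
    if not hits:
        return "allow", []
    score = sum(weight for _, weight in hits)
    reasons = [name for name, _ in hits]
    return ("block" if score >= BLOCK_THRESHOLD else "greylist"), reasons


def triage(flows: Dict[str, Flow]) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate a batch of flows and return verdicts keyed by the caller's label."""
    return {label: evaluate(flow) for label, flow in flows.items()}


# Constructed sample flows: a human gamer on a known IRC server, a host beaconing
# encoded IRC commands to an unknown server, a first contact with a new IRC server,
# and traffic to a blacklisted address.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "gamer": Flow("10.0.0.5", "irc.example-gaming.net", 6667, "irc",
                  bytes_out=4096, interval_s=900.0, interval_jitter=0.9,
                  payload_printable=0.99),
    "beaconing_bot": Flow("10.0.0.9", "irc.unknown-host.example", 6667, "irc",
                          bytes_out=512, interval_s=60.0, interval_jitter=0.02,
                          payload_printable=0.30),
    "new_server": Flow("10.0.0.7", "irc.newserver.example", 6667, "irc",
                       bytes_out=2048, interval_s=300.0, interval_jitter=0.6,
                       payload_printable=0.97),
    "known_bad": Flow("10.0.0.3", "198.51.100.23", 443, "https",
                      bytes_out=1024, interval_s=0.0, interval_jitter=1.0,
                      payload_printable=0.5),
}


if __name__ == "__main__":
    for label, (verdict, reasons) in triage(SAMPLE_FLOWS).items():
        print(f"{label:15s} -> {verdict:8s} {', '.join(reasons)}")
```

The "new_server" flow is the interesting case: it matches only one criterion, so it is neither allowed outright nor blocked, but lands on the greylist with the reason recorded, which is exactly the "put the data into context" step the post describes. The same criteria apply to any protocol; only the IRC-specific predicates look at the protocol name.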

- Marc
