CMP Media Independent Testing Services | TechWeb
"We were very impressed by the technical expertise and rigorous testing methodology that ITS employed while conducting this test." -- Oded Comay, CTO of ForeScout Technologies







ForeScout Technologies CounterACT 3.1.2

September 2004
Test No. ITS04001



Product Overview

As the time between exploit and worm release continues to decrease, the capability to mitigate "zero day" or unknown worms becomes critical to network administrators. To address this growing requirement, ForeScout Technologies introduced CounterACT (formerly WormScout), which is designed specifically to automatically prevent both known and unknown worms from propagating across the network.



Independent Validation Claims

During July and August 2004, Independent Testing Services (ITS) was contracted by ForeScout Technologies to independently validate specific capabilities of the CounterACT product. The following claims were subject to open and independent testing verification:
  1. CounterACT identifies worm-infected computers, contains their activity and suppresses them from infecting other network segments.
  2. CounterACT identifies and provides mitigation for both known and unknown "zero day" network-based worms.


Test Objectives

ITS tested ForeScout Technologies' CounterACT in an isolated test environment designed to duplicate a real-world deployment. The network was populated with 33 vulnerable hosts, then attacked with the following worms:
  • Blaster.Worm - Several variants of the W32.Blaster.Worm / Win32.Poza.Worm captured from the wild.
  • New, unknown CGI attack - In-house-developed worm that exploits a new and unknown vulnerability in Microsoft Windows, created by ITS specifically for this testing.
  • New, unknown TCP back door - In-house-developed worm that exploits a custom back door based on TCP port 7771.
The objective of the testing was to demonstrate the capability of CounterACT to isolate and mitigate both known and unknown worms from infecting vulnerable hosts across the network.



Results Summary

CounterACT uses a suite of TCP mechanisms, including host spoofing, TCP session stalling and TCP resets, first to identify the worm and then to block the infected host from communicating with other network hosts. The results of the testing indicated that CounterACT provided an effective mitigation against both known and unknown worms. Tests consisted of a real-world worm (Blaster) and two ITS Labs in-house-developed worms. The in-house worms exploited custom-developed vulnerabilities in Windows 2000 and IIS.

Native Worm Attack: CounterACT completely blocked several variants of the Blaster.Worm from infecting any vulnerable hosts in the network.

Zero Day HTTP/CGI Worm Attack: CounterACT completely blocked a custom, in-house-developed, “zero day” CGI-based worm.

Zero Day TCP Back Door Attack: CounterACT prevented a custom, in-house-developed, very aggressive and intelligent worm from infecting all but a few hosts in the network. CounterACT successfully contained the infection so that the vast majority of the network remained unaffected.






TechWeb is brought to you by CMP Media LLC, Copyright © 2006