Look Out! - Eric Conrad
Download
Report
Transcript Look Out! - Eric Conrad
Look Out!
Open Source Extrusion Detection
Eric Conrad
http://www.ericconrad.com
May 2010
1
The target network
• The techniques described in this talk
evolved from experience securing a
large network
– 20,000 node WAN spanning 3 states
– 12,000 employees
– 100+ WAN sites
– Limited network security staff and budget
– Countless attacks per day
– Blocked ¼ million spam per business day
2
Defense-in-depth
• Target network had multiple firewalls, web
content scanning proxies, NIDS, antivirus, etc
– All email scanned by 4 separate auto-updating
virus scanners
– Malware still got through
– Blocking 99% of 250,000 spam/day means 2,500
get through
• 99% success rate == failure
3
Proxies rule
• Target network used proxies for all outbound
client-based internet access
– Proxies keep cropping up over and over, because they are
fundamentally a sound idea. Every so often someone reinvents the proxy firewall - as a border spam blocker, or a
'web firewall' or an 'application firewall' or 'database
gateway' - etc. And these technologies work wonderfully.
Why? Because they're a single point where a securityconscious programmer can assess the threat represented by
an application protocol, and can put error detection, attack
detection, and validity checking in place – Marcus Ranum
4
Prevention is ideal, but
detection is a must
• Server-side internet attacks vs. target
network usually failed, but:
– Insecure WAN sites and extranet partners
– Plus client-side attacks, infected USB tokens,
infected mobile devices, etc
– “A sufficiently determined, but not necessarily
well-funded attacker can break into any
organization.” - Ed Skoudis
• Bottom line: both detection and prevention
failed, frequently
5
Desperate times, desperate
measures
• Step 1: Admit defeat
• Step 2: Fall back and regroup
• Step 3: Formulate plan B
Look Out!
6
Look Out!
• NIDS (mostly) inspect inbound traffic
• Lots of terms describe the science of
outbound traffic that violates security policy
– Data Loss Prevention (DLP), Intellectual Property
Leakage (IPL), exfiltration detection, extrusion
detection/prevention
• Data Loss Prevention is becoming mainstream
– Host-based focus, may have network elements
– Focus is on loss of sensitive data
7
A word on DLP
• Many DLP solutions require an agent installed
on each PC
• “Complexity is the worst enemy of security” Bruce Schneier
• Metasploit has almost 2 dozen antivirus and
backup agent exploits
– Why would DLP agents be any different?
• “Agents are scary… DLP agents are scarier” –
E Monti & D Moniz, Matasano Security
8
Extrusion vs. Exfiltration
• Exfiltration is a military term
– “The removal of personnel or units from areas
under enemy control.” - Fred J. Pushies
– Exfiltration now applies to loss of sensitive data
• Extrusion is simply the opposite of intrusion
– “If we turn the problem around, we can perform
‘extrusion detection’ by watching for suspicious
outbound connections from internal systems to
the internet.” - Richard Bejtlich
• ‘Extrusion detection’ is connection-focused
9
We have a winner: extrusion
detection
• Extrusion detection is the reverse of
networked intrusion detection
• Includes sensitive data loss, plus:
–
–
–
–
Malware ‘phoning home’
Outbound portion of client-side attacks
Any outbound traffic that violates security
Broader and simpler than DLP
• Why not perform intrusion and extrusion
detection on one box?
10
Can’t we do it all on one box?
• Experience running mail relays for 12,000
users proved illuminating
– One box, in theory, could handle both inbound
and outbound mail (but was a PITA in reality)
– TCO was lowered by ‘separating the streams’ to
two logical boxes
• Intrusion and extrusion detection also benefit
– KISS
– NIDS are very sensitive to CPU/memory limitations
11
NIDS performance anxiety
• I have been testing intrusion scenarios with a
half-dozen commercial NIDS
• They are highly sensitive to CPU/memory
limitations
• A simple SAMBA drag/drop via 100-megabit
network caused false negatives to spike
• Adding hundreds of extrusion rules to a NIDS
could have negative consequences
12
FAIL
• All NIDS suffer false positives and negatives
• Extrusion detection is harder than intrusion
detection
– A write-down trojan can do anything a user can
do
– Most users could find a way to exfiltrate data
without being detected
• Bottom line: NIDS fail, and NEDS will fail
more frequently
13
Why bother?
• All controls can fail
• Some extrusion detection is better than none
• A bullet-proof vest does not make you
Superman
– But police still wear them
• Extrusion detection systems can help avoid
reaching the security ‘tipping point’
14
“Don't cross the streams” –
Dr. Egon Spengler
• Target network separated the streams
– NIDS used EXTERNAL_NET -> HOME_NET rules
– NEDS used HOME_NET -> EXTERNAL_NET rules
– Sat side-by-side on same tap
• NEDS also parsed proxy logs
– Including traffic analysis
• Immediate, quantifiable wins
15
The
st
1
win: naked downloads
• Perl script that parsed http proxy logs to
identify downloads of EXEs from ‘naked IPs’
• First hit:
– 172.17.103.3 - - [19/May/2009:15:48:10 -0400] "GET
http://10.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200
731 TCP_MISS:DIRECT
– “Why is a nursing station downloading software from a former
Soviet Union country?”
• PC was compromised, inbound prevention
and detection had failed
16
The 2nd win: persistent
connections
• Perl script that parsed http proxy logs to look for
‘persistent’ connections
– Any source IP that connected to a destination IP via
http/https at least once every 10 minutes, 24/7
• Script found:
–
–
–
–
Weather toolbars, etc
‘Legit’ reverse https tunnels (known and unknown)
Loads of spyware
“Why is the accountant’s PC constantly connecting to an IP
in Panama?”
– PC was a member of a botnet; inbound prevention and
detection failed again
17
The
rd
3
win: unencrypted ePHI
• Policy required encryption of Electronic Protected
Healthcare Information (ePHI) on the internet
• Wrote custom Snort rules that detected unencrypted
outbound (ePHI) on external internet interface
– alert tcp $HOME_NET 1024: -> $EXTERNAL_NET
1024:65535 (msg:"Unencrypted HIPAA
Transaction (Health Care Eligibility Benefit
Inquiry and Response)";
content:"004010X092"; flags:A+; classtype:
policy-violation; sid:1000092; rev:1;)
• We saw immediate hits
18
OK, we’re on to something
• Refined into a dedicated extrusion detection system:
–
–
–
–
–
Snort, BASE, Mysql
Wireshark, tshark, ngrep, etc
Aforementioned scripts + others
Pre-selected outbound Snort rules
Custom Snort rules
• Pre-configured and ready-to-go
• Sniffs eth0 by default, logs to MySQL DB, view events
via BASE
• Why not make it a Live CD?
19
The Xfiltr8 Live CD
• http://xfiltr8.sourceforge.net/
– Currently ALPHA software
• Ubuntu desktop ISO
• Snort, BASE, mysql, Wireshark, etc.
• Collection of outbound Snort and Emerging Threats
rules
– HOME_NET -> EXTERNAL_NET
• Scripts for persistent connections and exe downloads
from ‘naked IPs’, and more
• Boots as a live CD, with an OS install option
20
Xfiltr8 is handy in a pinch
• Xfiltr8 also contains the inbound rules
– Both Snort and Emerging Threats
– Inbound rules disabled by default
• Makes a good NIDS in a pinch
– BASE, snort, mysql, all pre-configured
• Just reconfigure snort.conf to use the
inbound rules
21
I need help
• xfiltr8.sourceforge.net is quite lame
right now
– It has the alpha ISO, and that’s about it
• I would like to build an extrusion
detection community
• Volunteers needed!
• Send email to [email protected],
include xfiltr8 in the title
22