Transcript Document
Exposure Maps: Removing Reliance on Attribution During Scan Detection David Whyte, P.C. van Oorschot, Evangelos Kranakis Carleton University School of Computer Science Outline • Scanning detection challenges • Problems with attribution-based detection techniques • Exposure Maps • Experimental Results • Conclusions Carleton University School of Computer Science Scanning Detection Challenges • Sophisticated scanning techniques – – – – Slow Fragmented Idle Distributed (Botnet) • I detected a scan – Was it successful? – What did it reveal? • Volume of Internet “whitenoise” – – – – – Backscatter Worm propagation (known) Network diagnostics Web spiders Wrong numbers Carleton University School of Computer Science Attribution-based Scanning Detection • Variety of scanning detection techniques – – – – Observing connection failures Abnormal network behavior Connections to darkspace Increased connection attempts • Majority of these rely on correlating scanning activity based on the perceived last-hop • Focus of detection is who is scanning instead of what is being scanned Carleton University School of Computer Science Shifting Focus • Attribution is not practical for an increasing number of sophisticated scanning techniques • Focus on attribution overlooks critical components of any observed scanning campaign: – What are my adversaries looking for? – Has the network behavior changed as a result of being scanned? • Exemplar technique: Exposure Maps Carleton University School of Computer Science Exposure Maps (1/2) • Passively observe network traffic (training period) • Ignore network traffic initiated from the inside • Record only internal system responses to external events such as: – – – – TCP: SYN ACK TCP: RST UDP: IP pairs list ICMP: echo reply, host not found, time exceeded Carleton University School of Computer Science Exposure Maps (2/2) • Host Exposure Map (HEM) – Visible and enumerated services – Externally visible interface of an individual host • Network Exposure Map (NEM) – Union of HEMS in a target network – Externally visible interface of the network • Let your adversaries do the vulnerability scanning for you! Carleton University School of Computer Science Sample NEM (proof-of-concept) Host Description TCP Ports UDP Ports 10.0.0.1 Mail/DNS/HTTP Server 22, 25, 80, 993, 631 53 10.0.0.2 DNS/HTTP Server 22, 80, 443 53 10.0.0.3 SSH Server 22 • Test network size: 1/4 Class C • Test period: two weeks • NEM was stable within 12 hours of the testing period Carleton University School of Computer Science Scan Detection • Incoming connection is defined as any atomic TCP connection, UDP or ICMP datagram • A connection attempt to a host/port combo outside of the NEM is considered a scan and recorded • No connection state tracking required Carleton University School of Computer Science Post-Scan Detection Activities • Monitor changes in the NEM – Validate new services offered – Unexpected changes in the NEM may indicate compromise • Monitor changes in network scanning activity – Spikes in scanning activity may indicate a new exploit • Attribution is possible post-scan detection for most unsophisticated and certain classes of sophisticated scanning activity Carleton University School of Computer Science Detected Scanning Activity Carleton University School of Computer Science Conclusions • Shifting focus away from attribution during scan detection may provide a means to detect sophisticated scanning campaigns • The true insight that can be gained by scanning detection is not who is scanning you but what are they scanning for? Carleton University School of Computer Science Discussion ….. [email protected] Carleton University School of Computer Science Observed Sophisticated Scanning • “Slice and dice” recorded scans using a variety of attributes • Slow Scan - pcanywhere ~ 15 min intervals • Possible distributed scan - 6 systems from the same class C network and scanning footprint Carleton University School of Computer Science Exposures vs. Scanning Activity • Network scanning possibilities • In practice: |NEM| < |A| < |E| Carleton University School of Computer Science