ISACA Columbus April 2006
Transcription
The War Against Worms: Flow-Based Network Anomaly Detection and Other Forms of Worm Combat
Presenter: Mark McDaniel, Senior Security Engineer, Lancope, Inc.

AGENDA
• Worms: a quick overview on the state of affairs
• Current weapons of choice against worms
• Infrastructure Intrusion Prevention
• Countermeasures against worms
• A new weapon: Flow-based Network Anomaly Detection
• Wrap-up / Q&A

WORMS: ARE THEY DEAD OR JUST EVOLVING?
• Evolution Through Hardship (i.e. recent Microsoft attempt to remove raw sockets capability)
• Who is writing the code? (vandals vs. professional criminal) Criminals = higher quality code and more sophisticated attacks
• Hybrid Attacks (instant messaging -> email -> network scanning / propagation)
• Mutation - Polymorphic Code
• Encryption - Defeat IPS/IDS Detection
• Malicious Payload - A rootkit with your Bagel?

SCREAMING HEADLINES!
• April 11, 2006 - "MS Patch Day: 10 Flaws Fixed in Monster IE Update"
  – Microsoft ships a browser security makeover 18 days after hackers launch a wave of zero-day attacks
• April 4, 2006 - "When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, PM, Security Solutions, Microsoft
• New Worm Propagation Vectors
  – "Mac OSX Worm Wiggles Its Way Into the Wild" - February 17, 06
  – J2ME Cell Phones - February 28, 06
  – "Worm attacks via instant-messaging increased tenfold in 2005" - January 31, 06, Postini Report
• February 3, 06 - "Blackworm D-Day Turns Out to Be a Dud". "ONLY" 300,000 machines infected. City of Milan disconnects 10,000 computers after infection.
SCREAMING HEADLINES - FEDERAL GOVERNMENT EDITION
• "FBI Computer Crime Survey Finds Widespread Attacks"
  – 90 percent of attacked organizations reported them
  – Viruses/Worms were detected by 83 percent of respondents
  – Spyware was detected by 79 percent of respondents
  – Data sabotage was detected by 20 percent of respondents
  – Slightly more than 64% of those surveyed said computer security caused them to lose money. The FBI calculated an average $24,000 loss for the 1,324 companies that suffered a loss
• 2005 FBI Computer Crime Survey of more than 2066 public and private organizations with more than $1 Million in revenue in Iowa, Nebraska, Texas and New York.

INTERNAL THREATS AND RESPONSE - WHAT'S REALLY GOING ON
• "Internal Threat Report" - Enterprise Strategy Group - 12/05
  – 84% provide network access to non-employees as part of business use.
  – Half of the respondents reported that their internal networks had been compromised by at least one worm in the last 12 months
  – 17% said their organizations had suffered a targeted attack from an internal source
  – 23% said there had been an "internal security breach" caused by a credentialed employee or contractor. 20% named "intellectual property theft" as the cause.
  – 56% said it took up to three hours to detect a worm invasion, while another 25% said it took 3 to 6 hours.
  – 28% said it took 3 to 6 hours to clean up and remediate the impact of the attack, 14% said 6 to 12 hours, 12% said it took 12 to 24 hours, and 26% claimed more than 24 hours. (3% "did not know").
  – Asked which corporate division is responsible for detecting and responding to attacks, 47% said the "network operations group," 51% said the "security group", 2% were "other" and 1% "didn't know."
WEAPON #1: HOST-BASED AV
• Host-based Anti-Virus (McAfee, Norton, Symantec)

WEAPON #2: FIREWALLS AND ACLS
• Firewalls and Access Control Lists (Checkpoint, NetScreen)

WEAPON #3: NIDS
• Network-based Intrusion Detection (ISS, snort, Dragon)

WEAPON #4: HIDS
• Host-based Intrusion Detection (ISS Server Sensor, Tripwire)

WEAPON #5: MAIL-SERVER AV
• Mail Server-based Anti-Virus

WEAPON #6: HIPS/FIREWALL
• Host-based Intrusion Prevention (Okena, Entercept, BlackIce)

WEAPON #7: NIPS
• Network-based Intrusion Prevention (TippingPoint, Intruvert, ISS Proventia)

OTHERS
There are others that weren't mentioned! (can you name a few?)

COUNTERMEASURE #1: THREATS FROM THE INSIDE
[Diagram: EXTERNAL and INTERNAL sides of the network]

COUNTERMEASURE #2: SIGNATURES AREN'T ENOUGH
• Signatures are reactive (ref: symantec.com)
• Signatures (pattern matching) are defeated by encryption and mutation
• Many attacks simply have no signature and violate no known standard

COUNTERMEASURE #3: HARDWARE DEPLOYMENT (COST AND COMPLEXITY)
[Diagram: two deployment layouts, one with 12 IDS/IPS Sensors Required and one with 2 IDP/IPS Sensors Required]

COUNTERMEASURE #4: "INTELLIGENT DESIGN"
(even more hardware, cost and complexity; multiple points of failure)

WEAPONS MATRIX
| Weapon                 | Intrusive? | Blocks Attacks? | Requires Agent? | Requires Hardware? | Signature-based? | Internal Deployment Ready? |
| Anti-Virus             | YES        | YES             | YES             | NO                 | YES              | YES                        |
| Firewall ACL           | YES        | YES/NO          | NO              | YES                | NO               | NO                         |
| NIDS                   | NO         | NO              | NO              | YES                | YES              | YES/NO                     |
| HIDS                   | NO         | NO              | YES             | NO                 | YES              | NO                         |
| Mail Server Anti-Virus | YES        | YES/NO          | NO              | NO                 | YES              | YES/NO                     |
| HIPS Firewall          | YES        | YES             | YES             | NO                 | YES/NO           | YES                        |
| NIPS                   | YES        | YES             | NO              | YES                | YES              | NO                         |

ROLE OF A SIM/SEM AND THE MSSP
Arcsight, NetForensics, Intellitactics, Cisco Protego, Guarded Net, LUHRQ, etc.

WEAPON #8: NBA (NETWORK BEHAVIOR ANALYSIS)
[Diagram: Remote Sites, Remote Users, Extranet, Marketing, Sales and Servers segments feeding a central Flow Collector]

WHAT ARE FLOWS (EXAMPLE: NETFLOW)?
[Diagram: a router exporting NetFlow records]

NETFLOW COLLECTION
[Diagram: NetFlow exported from routers to a collector]

NETFLOW SUPPORT AND AVAILABILITY
• Open Source Software (SiLK, nprobe, flow-tools)
• Juniper
• Enterasys

BENEFIT: ENTERPRISE-WIDE VISIBILITY
[Diagram slides, including "Enterprise Wide Visibility in Action"]

BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY
[Diagram: 1 NetFlow Collector Required vs. 12 IDP/IPS Sensors Required]

SLIGHTLY OFF TOPIC: FORENSICS
NetFlow v5 Details: Flow Duration, Client Host IP, Server Host IP, Start Time, Last Time, Status, Protocol, Server Port, Client Port, Server Packets, TCP Flags, Client Packets, Client Payload, Server Payload, Source AS, Destination AS, ToS, Source Interface, Destination Interface, Kbps Rate, Server Header Bytes, Client Header Bytes, Server Payload Bytes, Client Payload Bytes, Fragmentation, Nexthop Router, Source Netmask, Target Netmask
PIX Firewall Log Details: Source IP, Target IP, Protocol, Port, Length, IP Precedence, Status, Interface

HOW DO WE DETECT ATTACKS USING NETFLOW?
Look for patterns of behavior in NetFlow traffic...
• One host contacting large numbers of other hosts in a short time frame (P2P apps, worms)
• Long flow durations (VPNs, covert channels)
• Bandwidth anomalies (DoS, warez servers)
• Unauthorized ports in use (rogue servers, applications)
• Unauthorized communications (VPN host talking to accounting server)

THE FLOW ANALYSIS PROCESS
Number of concurrent flows, Packets per sec, Bits per second, New flows created, Number of SYNs sent, Time of day, Number of SYNs received, Rate of connection resets, Duration of the flow, <Many others>

INFRASTRUCTURE BASED NBA MITIGATION

INFRASTRUCTURE BASED NBA MITIGATION - HOW IT WORKS
[Diagram sequence: Remote Sites, Remote Users, Extranet, Marketing, Sales and Servers segments feeding a Flow Collector; an alarm (!) is raised on an Extranet host and the collector has the infrastructure disable that host's port]
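The forensics slide lists the fields a NetFlow v5 record carries and the detection slide lists the behaviours to look for in them. The Python below is an added example, not code from the deck or from Lancope: it decodes a NetFlow v5 export datagram using the standard v5 wire layout, builds a small sample export inline (constructed traffic, not captured data), and runs four of the checks the slide names over the decoded flows: one host reaching many distinct hosts in a short window, lone-SYN connection attempts, long-lived flows, and traffic to server ports outside an allow-list. The thresholds, the allowed port set and the sample addresses are assumptions of this example, not values from the presentation.

```python
import struct
from collections import defaultdict, namedtuple
from ipaddress import IPv4Address

# NetFlow v5 export layout: 24-byte header, then up to 30 records of 48 bytes,
# all big-endian; field order follows the published v5 format.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
SYN, ACK = 0x02, 0x10

# first_ms/last_ms: router uptime (ms) at the flow's first/last packet;
# tcp_flags: OR of every TCP flag seen in the flow (as v5 exports it).
Flow = namedtuple("Flow", "src dst src_port dst_port proto packets octets first_ms last_ms tcp_flags")

def duration_s(f):
    return (f.last_ms - f.first_ms) / 1000.0

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into Flow tuples."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        (sa, da, _nexthop, _inif, _outif, pkts, octets, first, last, sport, dport,
         _pad, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(str(IPv4Address(sa)), str(IPv4Address(da)), sport, dport,
                          proto, pkts, octets, first, last, flags))
    return flows

def build_v5_datagram(records, uptime_ms=10_000_000, unix_secs=1_144_800_000):
    """Encode (src, dst, sport, dport, proto, pkts, octets, first, last, flags)
    tuples as a v5 datagram; used only to construct the offline sample below."""
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 1, 2,
                       pk, oc, fi, la, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fi, la, fl in records)
    return header + body

def fan_out_hosts(flows, threshold=20, window_ms=10_000):
    """One host contacting many distinct hosts in a short time frame (worms, P2P).
    Returns {src: most distinct peers reached inside any window_ms window}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append((f.first_ms, f.dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_ms:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits

def syn_only_hosts(flows, min_flows=10, min_ratio=0.8):
    """Hosts whose TCP flows are mostly a lone SYN with no ACK ever seen, i.e.
    failed connection attempts. Returns {src: syn-only ratio}."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto == 6:
            totals[f.src][0] += 1
            if f.tcp_flags & SYN and not f.tcp_flags & ACK:
                totals[f.src][1] += 1
    return {s: syn / n for s, (n, syn) in totals.items()
            if n >= min_flows and syn / n >= min_ratio}

def long_flows(flows, min_seconds=3600.0):
    """Long flow durations (VPNs, covert channels)."""
    return [(f.src, f.dst, duration_s(f)) for f in flows if duration_s(f) >= min_seconds]

def unauthorized_ports(flows, allowed):
    """Unauthorized ports in use: server-side port outside the approved set."""
    return [(f.src, f.dst, f.dst_port) for f in flows if f.dst_port not in allowed]

ALLOWED_SERVER_PORTS = {25, 53, 80, 443, 445}  # assumed site policy, not from the deck

# Constructed sample traffic, not captured data (private and documentation ranges).
SAMPLE_RECORDS = [
    ("10.1.1.20", "10.1.3.10", 51000, 80, 6, 12, 4800, 2000, 2900, 0x1B),             # web session
    ("10.1.1.20", "192.0.2.10", 51001, 443, 6, 9000, 9_000_000, 0, 7_200_000, 0x18),  # two-hour tunnel
    ("10.1.1.20", "10.1.1.77", 51002, 8888, 6, 40, 20000, 3000, 3500, 0x18),          # unapproved port
] + [("10.1.1.50", f"10.1.2.{i}", 40000 + i, 445, 6, 1, 60, 5000 + i * 200, 5000 + i * 200, SYN)
     for i in range(1, 26)]  # one host sending lone SYNs to 25 neighbours within five seconds

def analyze(datagram):
    flows = parse_v5(datagram)
    return {"fan_out": fan_out_hosts(flows), "syn_only": syn_only_hosts(flows),
            "long_flows": long_flows(flows),
            "unauthorized_ports": unauthorized_ports(flows, ALLOWED_SERVER_PORTS)}

if __name__ == "__main__":
    for name, hits in analyze(build_v5_datagram(SAMPLE_RECORDS)).items():
        print(f"{name}: {hits}")
```

Two points worth noting about the design. The fan-out check keys on the flow start time rather than the collector's receive time, because a router exports a flow only when it ages out, so arrival order says little about when the host actually began probing. The lone-SYN check leans on the fact that v5's TCP flags field is the OR of every flag in the flow: a host that keeps producing flows with SYN set and ACK never set is failing to connect over and over, which is what a worm hunting for its next victim looks like from the flow side, and needs no signature to spot. In production the thresholds would be baselined per host and per time of day rather than fixed constants.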
NBA MITIGATION MODE: AUTHORIZE

NBA MITIGATION MODE: AUTOMATIC

NBA WORM DEFENSE WEAPON MATRIX
| Weapon | Intrusive? | Blocks Attacks? | Requires Agent? | Requires Hardware? | Signature-based? | Internal Deployment Ready? |
| NBA    | NO         | YES             | NO              | NO                 | NO               | YES                        |
* Note that this slide should be considered in the context of worms. There is no silver bullet solution to network security.

SUMMARY
• There are many weapons to choose from in the battle against worms and other malware. No one technology will suffice.
• Network Behavior Analysis (NBA) provides powerful forensics, auditing, and attack detection capability without the need for additional hardware or software updates.
• Cisco routers are everywhere. Anywhere there is Cisco, there is NetFlow.
• Both open-source and commercial products are available for analyzing NetFlow.
• New worms and viruses are detected without the need for signatures.

Thank You
Mark McDaniel, Senior Security Engineer, Lancope, Inc.
mmcdaniel@lancope.com
http://www.lancope.com