ISACA Columbus April 2006

Transcription

ISACA Columbus April 2006
The War Against Worms
Flow-Based Network Anomaly Detection
and Other Forms of Worm Combat
Presenter: Mark McDaniel
Senior Security Engineer
Lancope, Inc.
AGENDA
•
Worms: a quick overview on the state of
affairs
•
•
•
Current weapons of choice against worms
•
•
Infrastructure Intrusion Prevention
Countermeasures against worms
A new weapon: Flow-based Network
Anomaly Detection
Wrap-up / Q&A
WORMS: ARE THEY DEAD OR JUST EVOLVING?
• Evolution Through Hardship (i.e. Recent
Microsoft attempt to remove raw sockets
capability)
• Who is writing the code? (vandals vs.
professional criminal) Criminals = higher quality
code and more sophisticated attacks
• Hybrid Attacks (instant messaging -> email ->
network scanning / propagation)
• Mutation - Polymorphic Code
• Encryption - Defeat IPS/IDS Detection
• Malicious Payload - A rootkit with your Bagel?
SCREAMING HEADLINES!
•
April 11, 2006 - MS Patch Day-10 Flaws Fixed in Monster IE Update
–
•
•
Microsoft ships a browser security makeover 18 days after hackers launch a wave of zeroday attacks
April 4, 2006 - "When you are dealing with rootkits and some
advanced spyware programs, the only solution is to rebuild from
scratch. In some cases, there really is no way to recover without
nuking the systems from orbit," Mike Danseglio, PM, Security Solutions, Microsoft
New Worm Propagation Vectors
– “Mac OSX Worm Wiggles Its Way Into the Wild”-February 17, 06
– J2ME Cell Phones - February 28, 06
– “Worm attacks via instant-messaging increased tenfold in 2005”
January 31, 06, Postini Report
•
February 3, 06 “Blackworm D-Day Turns Out to Be a Dud”. “ONLY”
300,000 machines infected. City of Milan disconnects 10,000
computers after infection.
SCREAMING HEADLINES - FEDERAL GOVERNMENT EDITION
• “FBI Computer Crime Survey Finds Widespread Attacks”
–
–
–
–
–
90 percent of attacked organizations reported them
Viruses/Worms were detected by 83 percent of respondents
Spyware was detected by 79 percent of respondents
Data sabotage was detected by 20 percent of respondents
Slightly more than 64% of those surveyed said computer security
caused them to lose money. The FBI calculated an average $24,000
loss for the 1,324 companies that suffered a loss
• 2005 FBI Computer Crime Survey of more than 2066 public and private
organizations with more than $1 Million in revenue in Iowa, Nebraska,
Texas and New York.
INTERNAL THREATS AND RESPONSE - WHAT’S REALLY GOING ON
•
“Internal Threat Report” - Enterprise Strategy Group - 12/05
– 84% provide network access to non-employees as part of business use.
– Half of the respondents reported that their internal networks had been
compromised by at least one worm in the last 12 months
– 17% said their organizations had suffered a targeted attack from an internal
source
– 23% said there had been an "internal security breach" caused by a
credentialed employee or contractor. 20% named "intellectual property theft"
as the cause.
– 56% said it took up to three hours to detect a worm invasion, while another
25% said it took 3 to 6 hours.
– 28% said it took 3 to 6 hours to clean up and remediate the impact of the
attack, 14% said 6 to 12 hours, 12% said it took 12 to 24 hours, and 26%
claimed more than 24 hours. (3% "did not know").
– Corporate division responsible for detecting and responding to attacks, 47%
said the "network operations group," 51% said the "security group", 2% were
"other" and 1% was "didn't know."
WEAPON #1: HOST-BASED AV
• Host-based Anti-Virus (McAfee, Norton, Symantec)
WEAPON #2: FIREWALLS AND ACLS
•
Firewalls and Access Control Lists (Checkpoint, NetScreen)
WEAPON #3: NIDS
•
Network-based Intrusion Detection (ISS, snort, Dragon)
WEAPON #4: HIDS
•
Host-based Intrusion Detection (ISS Server Sensor, Tripwire)
WEAPON #5: MAIL-SERVER AV
•
Mail Server-based Anti-Virus
WEAPON #6: HIPS/FIREWALL
•
Host-based Intrusion Prevention (Okena, Entercept, BlackIce)
WEAPON #7: NIPS
•
Network-based Intrusion Prevention (TippingPoint, Intruvert, ISS
Proventia)
OTHERS
There are others that weren’t mentioned!
(can you name a few?)
COUNTERMEASURE #1: THREATS FROM THE INSIDE
EXTERNAL
INTERNAL
COUNTERMEASURE #2: SIGNATURES AREN’T ENOUGH
•
Signatures are reactive
ref: symantec.com
•
Signatures (pattern matching) are defeated by
encryption and mutation
•
Many attacks simply have no signature and violate
no known standard
COUNTERMEASURE #3: HARDWARE DEPLOYMENT
(COST AND COMPLEXITY)
12
IDS/IPS
2 IDP/IPS
Sensors
Sensors
Required
Required
COUNTERMEASURE #4: “INTELLIGENT DESIGN”
(even more hardware, cost and complexity; multiple points of failure)
WEAPONS MATRIX
Intrusive?
Blocks
Attacks?
Requires Requires
Agent?
Hardware?
Signaturebased?
Internal
Deployment
Ready?
Anti-Virus
YES
YES
YES
NO
YES
YES
Firewall
ACL
YES
YES/NO
NO
YES
NO
NO
NIDS
NO
NO
NO
YES
YES
YES/NO
HIDS
NO
NO
YES
NO
YES
NO
Mail Server
Anti-Virus
YES
YES/NO
NO
NO
YES
YES/NO
HIPS
FIREAWALL
YES
YES
YES
NO
YES/NO
YES
NIPS
YES
YES
NO
YES
YES
NO
ROLE OF A SIM/SEM AND THE MSSP
Arcsight, NetForensics,
Intellitactics, Cisco Protego,
Guarded Net, LUHRQ, etc.
WEAPON #8: NBA (NETWORK BEHAVIOR ANALYSIS)
Remote
Sites
Remote
Users
Extranet
Flow Collector
Marketing
Sales
Servers
WHAT ARE FLOWS (EXAMPLE: NETFLOW)?
router
NETFLOW COLLECTION
NETFLOW SUPPORT AND AVAILABILITY
Open Source Software
(SiLK, nprobe, flow-tools)
Juniper
Enterasys
BENEFIT: ENTERPRISE-WIDE VISIBILITY
BENEFIT: ENTERPRISE-WIDE VISIBILITY
ENTERPRISE WIDE VISIBILITY IN ACTION
BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY
1 NetFlow
Collector
Required
12 IDP/IPS
Sensors
Required
SLIGHTLY OFF TOPIC: FORENSICS
NetFlow v5 Details
PIX Firewall Log Details
Flow Duration
Client Host IP
Server Host IP
Start Time
Last Time
Status
Protocol
Server Port
Client Port
Server Packets
TCP Flags
Client Packets
Client payload
Server Payload
Source AS
Destination AS
ToS
Source Interface
Destination Interface
Kbps Rate
Server Header Bytes
Client Header Bytes
Server Payload Bytes
Client Payload Bytes
Fragmentation
Nexthop Router
Source Netmask
Target Netmask
Source IP
Target IP
Protocol
Port
Length
IP Precedence
Status
Interface
HOW DO WE DETECT ATTACKS USING NETFLOW?
Look for patterns of behavior in NetFlow traffic…
•
One hosts contacting large numbers of other hosts
in short time frame (PTP apps, worms)
•
•
Long flow durations (VPNs, covert channels)
•
•
Bandwidth anomalies (DoS, warez servers)
Unauthorized ports in use (rogue servers,
applications)
Unauthorized communications (VPN host talking to
accounting server)
THE FLOW ANALYSIS PROCESS
Number of concurrent flows
Packets per sec
Bits per second
New flows created
Number of SYNs sent
Time of day
Number of SYNs received
Rate of connection resets
Duration of the flow
<Many others>
INFRASTRUCTURE BASED NBA MITIGATION
INFRASTRUCTURE BASED NBA MITIGATION - HOW IT WORKS
Remote
Sites
Remote
Users
Extranet
Flow Collector
Marketing
Sales
Servers
INFRASTRUCTURE BASED NBA MITIGATION - HOW IT WORKS
Remote
Sites
Remote
Users
Extranet
Flow Collector
Marketing
Sales
Servers
INFRASTRUCTURE BASED NBA MITIGATION - HOW IT WORKS
Remote
Sites
Remote
Users
Extranet
!
Flow Collector
Marketing
Sales
Servers
INFRASTRUCTURE BASED NBA MITIGATION - HOW IT WORKS
Remote
Sites
Remote
Users
disable
port
Extranet
!
Flow Collector
Marketing
Sales
Servers
NBA MITIGATION MODE: AUTHORIZE
NBA MITIGATION MODE: AUTOMATIC
NBA WORM DEFENSE WEAPON MATRIX
NBA
Intrusive?
Blocks
Attacks?
NO
YES
Requires Requires
Agent?
Hardware?
NO
NO
Signaturebased?
Internal
Deployment
Ready?
NO
YES
* Note that this slide should be considered in the context of worms. There is no silver bullet
solution to network security.
SUMMARY
•
There are many weapons to choose from in the
battle against worms and other malware. No one
technology will suffice.
•
Network Behavior Analysis (NBA) provides powerful
forensics, auditing, and attack detection capability
without the need for additional hardware or software
updates.
•
Cisco routers are everywhere.
Anywhere there is Cisco, there is NetFlow.
•
Both open-source and commercial products are
available for analyzing NetFlow.
•
New worms and viruses are detected without the
need for signatures.
Thank You
Mark McDaniel
Senior Security Engineer
Lancope, Inc.
mmcdaniel@lancope.com
http://www.lancope.com