270 likes | 437 Views
Beyond Intrusion Detection - Prevention & Protection. Problem Domain. Viruses, Worms, Trojans, and Bad Code… Hybrid Threats designed to improve chances for propagation MS_Blaster NIMDA CodeRed SQL Slammer Hackers, Script Kiddies, Malicious Insiders
E N D
Problem Domain • Viruses, Worms, Trojans, and Bad Code… • Hybrid Threats designed to improve chances for propagation • MS_Blaster • NIMDA • CodeRed • SQL Slammer • Hackers, Script Kiddies, Malicious Insiders • Theft of Intellectual Property, Confidentiality, and associated Legal Liability • HIPAA, Sarbanes/Oxley, California Senate Bill no.1386, Buckley Amendment
State of Security Today Firewalls and anti-virus were not capable of stopping any of the last 5 major Internet attacks Add MS Blaster!
Remote User = Unsecured • Outside firewall • Connections are not monitored • Visit unsuitable websites • Download unsuitable software • Broadband • Faster connections encourage ‘other uses’ • Peer to peer software • Instant Messenger tools • Software vulnerabilities • Targeted by hybrid worms
Accidental Internal Attack INTRUDER Company Confidential
Problem: Firewalls are Not Enough • Firewalls can’t block malicious traffic • Many ports must be kept open for healthy applications to run • Users unwittingly download dangerous applications or other forms of malicious code • “Always on” connection = Always vulnerable • Peer-to-peer and instant messaging have introduced new infection vectors
Problem: AV is Not Enough • AV signature scanning is a reactive model • Several must suffer infection before samples can be obtained, signatures developed, updates released, and protection deployed to your vulnerable endpoints • MS_Blaster recently spread quickly and undetected, wreaking havoc throughout the world
Problem: Network IPS is not enough • Although Network IPS has its place, many threats originate at the Desktop • To protect at the Source, Host based Intrusion Detection and Prevention is necessary • Detecting only at the Network may be too late
Multi-layered Compromise You have Mail ! INTRUDER Company Confidential
“All I Have To Do Is Patch My Systems” “It is a never-ending cycle, trying to keep up with this stuff” - Toyota “It takes 30-60 days to install a single patch at every one of our 110 bases” - US Air Force Source: Forbes, May 26, 2003
Typically, apply patch to perimeter network No Patch. Security Patch available. Apply patches everywhere after business is disrupted Vulnerability and Threat Time-Line Vulnerability Disclosure Exploit Disclosure Worm
Exploit Signature Based Time-Line Reactive. Add exploit pattern and variants. No exploit patterns Vulnerability Disclosure Exploit Disclosure Worm No exploit patterns Reactive. Add worm exploit pattern. Similar to anti-virus, add new variants
Virtual Patch Based Time line Proactive. Protected. Protocol Validation. Vulnerability Disclosure Exploit Disclosure Worm Virtual Patch Proactive. Protected.
Case Study Microsoft SQL Server Resolution Protocol Stack-based Overflow (MS SQL Slammer Worm)
What was the bug? • Vulnerability • Microsoft SQL Server 2000 and MSDE • Buffer-overflow in “SQL Server Resolution” • Vuln = ssrp.name.length > 97 • Disclosed July, 2002 • Exploit • Several noted well before January 25th • Worm on January 25, 2003
What do sigs look like? • All sigs • UDP port 1434 • First byte equal to 4 • Pattern-match sigs • Slammer pattern • Protocol-analysis sigs • Check length of field for overflow
Snort alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \ msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
Vulnerability Signature SQL_SSRP_StackBo is ( udp.dst == 1434 ssrp.type == 4 ssrp.name.length > ssrp.threshold)where ssrp.type is first-byte of packetwhere ssrp.name is nul-terminated string starting at secondwhere ssrp.threshold defaults to 97 SQL_SSRP_SlammerWorm is ( SQL_SSRP_StackBo pattern-search[offset=97] = DCC9B042EB0E010101010101 )
Integrated Application Security Technology Evolution
Layered Technologies File Based Attack Vector Network Based Attack Vector AV AppCtrl IBE BuffOP PFW IDS/IPS Port 80 Behavioral Reactive Port 135 Port 445 Port 1025 Port xyz Pre-Execution Pre-Execution Execution Space
Buffer Overflow Local Variables Return Address Stack Void funcA(char *b) { char buf[10]; strcpy(buf,s); printf(“buffer is %s\n”,s); } funcA(“aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”); …
Buffer Overflow Local Variables Return Address x90\x90\x90\x90\x90\x90\xeb \xff\x81\x36\x80\xbf\x32\x94 \x05\xe8\xe2\xff\xff\xff\x03\ Stack Overflow buffer with shellcode and overwrite original return address Attacker then jumps to new user-controlled return address Arbitrary code can then be executed by the attacker. This code could directly or indirectly access system calls such as CreateProcess(….)
Case: Network: MS Blaster: DayZERO File Based Attack Vector Network Based Attack Vector AV AppCtrl 0-day BuffOP PFW IDS/IPS Port 80 Behavioral Reactive Port 135 RPC Port 445 Port 1025 Port xyz Pre-Execution Pre-Execution Execution Space
Case: Network: MS Blaster: DayZERO RPC Service has been DOS’d Must Reboot File Based Attack Vector Network Based Attack Vector AV AppCtrl IBE BuffOP PFW IDS/IPS Port 80 Behavioral Reactive Port 135 RPC RPC Port 445 Port 1025 Port xyz Pre-Execution Pre-Execution Execution Space
What’s the difference? • Protecting against exploits is reactive • Too late for many • Variants undo previous updates • Typical of AV and most IDS/IPS vendors • Protecting against vulnerabilities is proactive • Stops threat at source • Requires advanced R&D