
Look Out! Open Source Extrusion Detection

Learn about the importance of extrusion detection in securing a large network with limited staff, and the benefits of separating intrusion and extrusion detection for optimal security management.


Presentation Transcript


  1. Look Out! Open Source Extrusion Detection Eric Conrad http://www.ericconrad.com May 2010

  2. The target network
  • The techniques described in this talk evolved from experience securing a large network
  • 20,000 node WAN spanning 3 states
  • 12,000 employees
  • 100+ WAN sites
  • Limited network security staff and budget
  • Countless attacks per day
  • Blocked ¼ million spam per business day

  3. Defense-in-depth
  • Target network had multiple firewalls, web content scanning proxies, NIDS, antivirus, etc.
  • All email scanned by 4 separate auto-updating virus scanners
  • Malware still got through
  • Blocking 99% of 250,000 spam/day means 2,500 get through
  • 99% success rate == failure

  4. Proxies rule
  • Target network used proxies for all outbound client-based internet access
  • “Proxies keep cropping up over and over, because they are fundamentally a sound idea. Every so often someone re-invents the proxy firewall - as a border spam blocker, or a 'web firewall' or an 'application firewall' or 'database gateway' - etc. And these technologies work wonderfully. Why? Because they're a single point where a security-conscious programmer can assess the threat represented by an application protocol, and can put error detection, attack detection, and validity checking in place” – Marcus Ranum

  5. Prevention is ideal, but detection is a must
  • Server-side internet attacks vs. target network usually failed, but:
  • Insecure WAN sites and extranet partners
  • Plus client-side attacks, infected USB tokens, infected mobile devices, etc.
  • “A sufficiently determined, but not necessarily well-funded attacker can break into any organization.” - Ed Skoudis
  • Bottom line: both detection and prevention failed, frequently

  6. Desperate times, desperate measures
  • Step 1: Admit defeat
  • Step 2: Fall back and regroup
  • Step 3: Formulate plan B: Look Out!

  7. Look Out!
  • NIDS (mostly) inspect inbound traffic
  • Lots of terms describe the science of outbound traffic that violates security policy
  • Data Loss Prevention (DLP), Intellectual Property Leakage (IPL), exfiltration detection, extrusion detection/prevention
  • Data Loss Prevention is becoming mainstream
  • Host-based focus, may have network elements
  • Focus is on loss of sensitive data

  8. A word on DLP
  • Many DLP solutions require an agent installed on each PC
  • “Complexity is the worst enemy of security” - Bruce Schneier
  • Metasploit has almost 2 dozen antivirus and backup agent exploits
  • Why would DLP agents be any different?
  • “Agents are scary… DLP agents are scarier” – E Monti & D Moniz, Matasano Security

  9. Extrusion vs. Exfiltration
  • Exfiltration is a military term
  • “The removal of personnel or units from areas under enemy control.” - Fred J. Pushies
  • Exfiltration now applies to loss of sensitive data
  • Extrusion is simply the opposite of intrusion
  • “If we turn the problem around, we can perform ‘extrusion detection’ by watching for suspicious outbound connections from internal systems to the internet.” - Richard Bejtlich
  • ‘Extrusion detection’ is connection-focused

  10. We have a winner: extrusion detection
  • Extrusion detection is the reverse of networked intrusion detection
  • Includes sensitive data loss, plus:
  • Malware ‘phoning home’
  • Outbound portion of client-side attacks
  • Any outbound traffic that violates security policy
  • Broader and simpler than DLP
  • Why not perform intrusion and extrusion detection on one box?

  11. Can’t we do it all on one box?
  • Experience running mail relays for 12,000 users proved illuminating
  • One box, in theory, could handle both inbound and outbound mail (but was a PITA in reality)
  • TCO was lowered by ‘separating the streams’ to two logical boxes
  • Intrusion and extrusion detection also benefit
  • KISS
  • NIDS are very sensitive to CPU/memory limitations

  12. NIDS performance anxiety
  • I have been testing intrusion scenarios with a half-dozen commercial NIDS
  • They are highly sensitive to CPU/memory limitations
  • A simple SAMBA drag/drop via 100-megabit network caused false negatives to spike
  • Adding hundreds of extrusion rules to a NIDS could have negative consequences

  13. FAIL
  • All NIDS suffer false positives and negatives
  • Extrusion detection is harder than intrusion detection
  • A write-down trojan can do anything a user can do
  • Most users could find a way to exfiltrate data without being detected
  • Bottom line: NIDS fail, and NEDS will fail more frequently

  14. Why bother?
  • All controls can fail
  • Some extrusion detection is better than none
  • A bullet-proof vest does not make you Superman
  • But police still wear them
  • Extrusion detection systems can help avoid reaching the security ‘tipping point’

  15. “Don't cross the streams” – Dr. Egon Spengler
  • Target network separated the streams
  • NIDS used EXTERNAL_NET -> HOME_NET rules
  • NEDS used HOME_NET -> EXTERNAL_NET rules
  • Sat side-by-side on the same tap
  • NEDS also parsed proxy logs
  • Including traffic analysis
  • Immediate, quantifiable wins

  16. The 1st win: naked downloads
  • Perl script that parsed http proxy logs to identify downloads of EXEs from ‘naked IPs’
  • First hit:
    172.17.103.3 - - [19/May/2009:15:48:10 -0400] "GET http://10.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT
  • “Why is a nursing station downloading software from a former Soviet Union country?”
  • PC was compromised; inbound prevention and detection had failed

  17. The 2nd win: persistent connections
  • Perl script that parsed http proxy logs to look for ‘persistent’ connections
  • Any source IP that connected to a destination IP via http/https at least once every 10 minutes, 24/7
  • Script found:
  • Weather toolbars, etc.
  • ‘Legit’ reverse https tunnels (known and unknown)
  • Loads of spyware
  • “Why is the accountant’s PC constantly connecting to an IP in Panama?”
  • PC was a member of a botnet; inbound prevention and detection failed again
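The two proxy-log checks from slides 16 and 17 (EXE downloads from a bare IP, and source/destination pairs that talk in every 10-minute window), as an added Python example; the talk's own scripts were Perl and are not shown on the page. The log field layout is assumed from the single line quoted on slide 16, and the sample log below is constructed (its first line is the slide's own hit).

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlparse

# Squid-style proxy log layout as quoted on the slide (assumed field order).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" \d+ \d+ \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample log: the slide's own r.exe hit plus made-up traffic.
SAMPLE_LOG = """\
172.17.103.3 - - [19/May/2009:15:48:10 -0400] "GET http://10.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT
172.17.50.9 - - [19/May/2009:15:41:00 -0400] "CONNECT 203.0.113.7:443 HTTP/1.1" 200 512 TCP_MISS:DIRECT
172.17.50.9 - - [19/May/2009:15:52:30 -0400] "CONNECT 203.0.113.7:443 HTTP/1.1" 200 512 TCP_MISS:DIRECT
172.17.50.9 - - [19/May/2009:16:03:05 -0400] "CONNECT 203.0.113.7:443 HTTP/1.1" 200 512 TCP_MISS:DIRECT
172.17.50.9 - - [19/May/2009:16:14:40 -0400] "CONNECT 203.0.113.7:443 HTTP/1.1" 200 512 TCP_MISS:DIRECT
172.17.60.2 - - [19/May/2009:16:10:00 -0400] "GET http://www.example.com/index.html HTTP/1.1" 200 2048 TCP_MISS:DIRECT
""".splitlines()

def parse_line(line):
    """Return (src, timestamp, method, url), or None if the line does not match."""
    m = LOG_RE.match(line)
    return None if not m else (m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3), m.group(4))

def dest_host(url):
    return urlparse(url).hostname if "://" in url else url.rsplit(":", 1)[0]  # CONNECT logs host:port

def naked_exe_downloads(lines):
    """Slide 16: GET of a .exe from a host written as a bare IP, not a DNS name."""
    hits = []
    for src, _ts, method, url in filter(None, map(parse_line, lines)):
        host, path = dest_host(url), urlparse(url).path
        try:
            ip_address(host)            # raises ValueError for a DNS name
        except ValueError:
            continue
        if method == "GET" and path.lower().endswith(".exe"):
            hits.append((src, host, path))
    return hits

def persistent_pairs(lines, window_min=10, min_buckets=6):
    """Slide 17: src->dst pairs seen in every window_min-minute bucket of the log's span."""
    seen, buckets = defaultdict(set), set()
    for src, ts, _method, url in filter(None, map(parse_line, lines)):
        b = int(ts.timestamp() // (window_min * 60))   # bucket number since the epoch
        seen[(src, dest_host(url))].add(b)
        buckets.add(b)
    need = max(buckets) - min(buckets) + 1 if buckets else 0
    # Too short a log cannot support a "24/7" claim; default demands an hour of coverage.
    return sorted(p for p, got in seen.items() if len(got) == need) if need >= min_buckets else []
```

A pair is reported only if it appears in every bucket between the earliest and latest line of the whole log, so one missed window drops it; on a day's log that is the "at least once every 10 minutes, 24/7" test of slide 17.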

  18. The 3rd win: unencrypted ePHI
  • Policy required encryption of Electronic Protected Healthcare Information (ePHI) on the internet
  • Wrote custom Snort rules that detected unencrypted outbound ePHI on the external internet interface
    alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024:65535 (msg:"Unencrypted HIPAA Transaction (Health Care Eligibility Benefit Inquiry and Response)"; content:"004010X092"; flags:A+; classtype: policy-violation; sid:1000092; rev:1;)
  • We saw immediate hits

  19. OK, we’re on to something
  • Refined into a dedicated extrusion detection system:
  • Snort, BASE, MySQL
  • Wireshark, tshark, ngrep, etc.
  • Aforementioned scripts + others
  • Pre-selected outbound Snort rules
  • Custom Snort rules
  • Pre-configured and ready-to-go
  • Sniffs eth0 by default, logs to MySQL DB, view events via BASE
  • Why not make it a Live CD?

  20. The Xfiltr8 Live CD
  • http://xfiltr8.sourceforge.net/
  • Currently ALPHA software
  • Ubuntu desktop ISO
  • Snort, BASE, MySQL, Wireshark, etc.
  • Collection of outbound Snort and Emerging Threats rules
  • HOME_NET -> EXTERNAL_NET
  • Scripts for persistent connections and exe downloads from ‘naked IPs’, and more
  • Boots as a live CD, with an OS install option

  21. Xfiltr8 is handy in a pinch
  • Xfiltr8 also contains the inbound rules
  • Both Snort and Emerging Threats
  • Inbound rules disabled by default
  • Makes a good NIDS in a pinch
  • BASE, snort, MySQL, all pre-configured
  • Just reconfigure snort.conf to use the inbound rules

  22. I need help
  • xfiltr8.sourceforge.net is quite lame right now
  • It has the alpha ISO, and that’s about it
  • I would like to build an extrusion detection community
  • Volunteers needed!
  • Send email to xfiltr8@ericconrad.com, include xfiltr8 in the title
