
Beyond Intrusion Detection - Prevention & Protection


wellison

Presentation Transcript


  1. Beyond Intrusion Detection - Prevention & Protection

  2. Problem Domain
     • Viruses, Worms, Trojans, and Bad Code…
     • Hybrid Threats designed to improve chances for propagation
       • MS_Blaster
       • NIMDA
       • CodeRed
       • SQL Slammer
     • Hackers, Script Kiddies, Malicious Insiders
     • Theft of Intellectual Property, Confidentiality, and associated Legal Liability
       • HIPAA, Sarbanes/Oxley, California Senate Bill no. 1386, Buckley Amendment

  3. State of Security Today
     • Firewalls and anti-virus were not capable of stopping any of the last 5 major Internet attacks
     • Add MS Blaster!

  4. Example - HTTP-based Attack

  5. Remote User = Unsecured
     • Outside firewall
       • Connections are not monitored
       • Visit unsuitable websites
       • Download unsuitable software
     • Broadband
       • Faster connections encourage ‘other uses’
       • Peer to peer software
       • Instant Messenger tools
     • Software vulnerabilities
       • Targeted by hybrid worms

  6. Accidental Internal Attack [diagram: INTRUDER] (Company Confidential)

  7. Problem: Firewalls are Not Enough
     • Firewalls can’t block malicious traffic
     • Many ports must be kept open for healthy applications to run
     • Users unwittingly download dangerous applications or other forms of malicious code
     • “Always on” connection = Always vulnerable
     • Peer-to-peer and instant messaging have introduced new infection vectors

  8. Problem: AV is Not Enough
     • AV signature scanning is a reactive model
     • Several must suffer infection before samples can be obtained, signatures developed, updates released, and protection deployed to your vulnerable endpoints
     • MS_Blaster recently spread quickly and undetected, wreaking havoc throughout the world

  9. Problem: Network IPS is Not Enough
     • Although Network IPS has its place, many threats originate at the Desktop
     • To protect at the Source, Host-based Intrusion Detection and Prevention is necessary
     • Detecting only at the Network may be too late

  10. Multi-layered Compromise [diagram: “You have Mail!”, INTRUDER]

  11. “All I Have To Do Is Patch My Systems”
     • “It is a never-ending cycle, trying to keep up with this stuff” - Toyota
     • “It takes 30-60 days to install a single patch at every one of our 110 bases” - US Air Force
     Source: Forbes, May 26, 2003

  12. Vulnerability and Threat Time-Line [timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm; annotations: “No Patch”, “Security Patch available”, “Typically, apply patch to perimeter network”, “Apply patches everywhere after business is disrupted”]

  13. Exploit Signature Based Time-Line [timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm; annotations: “No exploit patterns” at both Vulnerability Disclosure and Exploit Disclosure, “Reactive. Add exploit pattern and variants.”, “Reactive. Add worm exploit pattern. Similar to anti-virus, add new variants”]

  14. Virtual Patch Based Time-Line [timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm; annotations: “Virtual Patch”, “Protocol Validation”, “Proactive. Protected.”]

  15. Case Study: Microsoft SQL Server Resolution Protocol Stack-based Overflow (MS SQL Slammer Worm)

  16. What was the bug?
     • Vulnerability
       • Microsoft SQL Server 2000 and MSDE
       • Buffer-overflow in “SQL Server Resolution”
       • Vuln = ssrp.name.length > 97
       • Disclosed July, 2002
     • Exploit
       • Several noted well before January 25th
       • Worm on January 25, 2003

  17. What do sigs look like?
     • All sigs
       • UDP port 1434
       • First byte equal to 4
     • Pattern-match sigs
       • Slammer pattern
     • Protocol-analysis sigs
       • Check length of field for overflow

  18. Snort
     alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \
       msg:"MS-SQL Worm propagation attempt"; \
       content:"|04|"; depth:1; \
       content:"|81 F1 03 01 04 9B 81 F1 01|"; \
       content:"sock"; content:"send"; \
       reference:bugtraq,5310; classtype:misc-attack; \
       reference:bugtraq,5311; \
       reference:url,vil.nai.com/vil/content/v_99992.htm; \
       sid:2003; rev:2;)

  19. Vulnerability Signature
     SQL_SSRP_StackBo is (
         udp.dst == 1434
         ssrp.type == 4
         ssrp.name.length > ssrp.threshold )
       where ssrp.type is first byte of packet
       where ssrp.name is nul-terminated string starting at second byte
       where ssrp.threshold defaults to 97

     SQL_SSRP_SlammerWorm is (
         SQL_SSRP_StackBo
         pattern-search[offset=97] = DCC9B042EB0E010101010101 )
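The two signatures on this slide worked through as an added example (not code from the original deck): a vulnerability check that fires on any oversized SSRP name, and an exploit check that additionally requires Slammer's bytes, run over constructed datagrams including an oversized variant with no Slammer pattern, which is the "variants undo previous updates" point of slide 26. Assumed: the pattern-search offset is measured from the start of the UDP payload, and the sample datagrams are made up rather than captures.

```python
# Added example: vulnerability-based vs. exploit-based checks for SQL Server
# Resolution Protocol (SSRP, UDP/1434) payloads, modelled on slide 19.
SSRP_PORT = 1434
SSRP_TYPE_PING = 4                   # ssrp.type: first byte of the datagram
SSRP_NAME_THRESHOLD = 97             # ssrp.threshold from the slide
SLAMMER_PATTERN = bytes.fromhex("DCC9B042EB0E010101010101")
SLAMMER_OFFSET = 97                  # assumed: measured from start of payload


def ssrp_name_length(payload: bytes) -> int:
    """Length of the nul-terminated name that starts at the second byte.
    A name with no terminator runs to the end of the datagram."""
    name = payload[1:]
    end = name.find(b"\x00")
    return len(name) if end < 0 else end


def is_ssrp_stack_bo(dst_port: int, payload: bytes,
                     threshold: int = SSRP_NAME_THRESHOLD) -> bool:
    """SQL_SSRP_StackBo: fires on any oversized name, whoever sends it."""
    return (dst_port == SSRP_PORT
            and len(payload) > 1
            and payload[0] == SSRP_TYPE_PING
            and ssrp_name_length(payload) > threshold)


def is_slammer_worm(dst_port: int, payload: bytes) -> bool:
    """SQL_SSRP_SlammerWorm: the overflow condition plus Slammer's bytes."""
    window = payload[SLAMMER_OFFSET:SLAMMER_OFFSET + len(SLAMMER_PATTERN)]
    return is_ssrp_stack_bo(dst_port, payload) and window == SLAMMER_PATTERN


def classify(dst_port: int, payload: bytes) -> str:
    if is_slammer_worm(dst_port, payload):
        return "slammer-worm"          # an exploit signature would catch this
    if is_ssrp_stack_bo(dst_port, payload):
        return "ssrp-stack-overflow"   # only the vulnerability signature fires
    return "benign"


# Constructed sample datagrams (not captures).
BENIGN_PING = bytes([SSRP_TYPE_PING]) + b"MSSQLSERVER\x00"
VARIANT = bytes([SSRP_TYPE_PING]) + b"A" * 200      # oversized, no Slammer bytes
SLAMMER_LIKE = (bytes([SSRP_TYPE_PING]) + b"\x01" * 96
                + SLAMMER_PATTERN + b"\x01" * 100)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_PING), ("variant", VARIANT),
                       ("slammer", SLAMMER_LIKE)):
        print(f"{label:8s} -> {classify(SSRP_PORT, pkt)}")
```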

  20. Integrated Application Security Technology Evolution

  21. Layered Technologies [diagram: attack vectors: File Based, Network Based; layers: AV, AppCtrl, IBE, BuffOP, PFW, IDS/IPS; ports: 80, 135, 445, 1025, xyz; labels: Behavioral, Reactive, Pre-Execution, Execution Space]

  22. Buffer Overflow [stack diagram: Local Variables, Return Address]
     #include <stdio.h>
     #include <string.h>

     /* Deliberately vulnerable: strcpy() has no bound, so an argument longer than 10 bytes overruns buf and the saved return address */
     void funcA(char *s) {
         char buf[10];
         strcpy(buf, s);
         printf("buffer is %s\n", s);
     }

     int main(void) {
         funcA("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");   /* 30 bytes into a 10-byte buffer */
         /* … */
         return 0;
     }

  23. Buffer Overflow [stack diagram: Local Variables, Return Address, with the buffer filled by bytes such as \x90\x90\x90\x90\x90\x90\xeb \xff\x81\x36\x80\xbf\x32\x94 \x05\xe8\xe2\xff\xff\xff\x03]
     • Overflow buffer with shellcode and overwrite original return address
     • Attacker then jumps to new user-controlled return address
     • Arbitrary code can then be executed by the attacker. This code could directly or indirectly access system calls such as CreateProcess(…)

  24. Case: Network: MS Blaster: DayZERO [diagram: the layered technologies diagram of slide 21, with “0-day” shown in place of IBE and “RPC” at Port 135]

  25. Case: Network: MS Blaster: DayZERO [diagram: the layered technologies diagram of slide 21, with “RPC” at Port 135; callout: “RPC Service has been DOS’d. Must Reboot”]

  26. What’s the difference?
     • Protecting against exploits is reactive
       • Too late for many
       • Variants undo previous updates
       • Typical of AV and most IDS/IPS vendors
     • Protecting against vulnerabilities is proactive
       • Stops threat at source
       • Requires advanced R&D

  27. Thanks! Questions?
