Look Out! Open Source Extrusion Detection
Eric Conrad, May 2010

Slide 1: Look Out! Open Source Extrusion Detection, Eric Conrad, May 2010

Slide 2: The target network
The techniques described in this talk evolved from experience securing a large network:
– 20,000-node WAN spanning 3 states
– 12,000 employees
– 100+ WAN sites
– Limited network security staff and budget
– Countless attacks per day
– Blocked ¼ million spam per business day

Slide 3: Defense-in-depth
Target network had multiple firewalls, web content scanning proxies, NIDS, antivirus, etc.
– All email scanned by 4 separate auto-updating virus scanners
– Malware still got through
– Blocking 99% of 250,000 spam/day means 2,500 get through
99% success rate == failure

Slide 4: Proxies rule
Target network used proxies for all outbound client-based internet access
– "Proxies keep cropping up over and over, because they are fundamentally a sound idea. Every so often someone re-invents the proxy firewall - as a border spam blocker, or a 'web firewall' or an 'application firewall' or 'database gateway' - etc. And these technologies work wonderfully. Why? Because they're a single point where a security-conscious programmer can assess the threat represented by an application protocol, and can put error detection, attack detection, and validity checking in place." – Marcus Ranum

Slide 5: Prevention is ideal, but detection is a must
Server-side internet attacks against the target network usually failed, but:
– Insecure WAN sites and extranet partners
– Plus client-side attacks, infected USB tokens, infected mobile devices, etc.
– "A sufficiently determined, but not necessarily well-funded attacker can break into any organization." - Ed Skoudis
Bottom line: both detection and prevention failed, frequently

Slide 6: Desperate times, desperate measures
Step 1: Admit defeat
Step 2: Fall back and regroup
Step 3: Formulate plan B
Look Out!

Slide 7: NIDS (mostly) inspect inbound traffic
Lots of terms describe the science of outbound traffic that violates security policy
– Data Loss Prevention (DLP), Intellectual Property Leakage (IPL), exfiltration detection, extrusion detection/prevention
Data Loss Prevention is becoming mainstream
– Host-based focus, may have network elements
– Focus is on loss of sensitive data

Slide 8: A word on DLP
Many DLP solutions require an agent installed on each PC
"Complexity is the worst enemy of security" - Bruce Schneier
Metasploit has almost 2 dozen antivirus and backup agent exploits
– Why would DLP agents be any different?
"Agents are scary… DLP agents are scarier" – E. Monti & D. Moniz, Matasano Security

Slide 9: Extrusion vs. Exfiltration
Exfiltration is a military term
– "The removal of personnel or units from areas under enemy control." - Fred J. Pushies
– Exfiltration now applies to loss of sensitive data
Extrusion is simply the opposite of intrusion
– "If we turn the problem around, we can perform 'extrusion detection' by watching for suspicious outbound connections from internal systems to the internet." - Richard Bejtlich
'Extrusion detection' is connection-focused

Slide 10: We have a winner: extrusion detection
Extrusion detection is the reverse of networked intrusion detection
Includes sensitive data loss, plus:
– Malware 'phoning home'
– Outbound portion of client-side attacks
– Any outbound traffic that violates security policy
– Broader and simpler than DLP
Why not perform intrusion and extrusion detection on one box?

Slide 11: Can't we do it all on one box?
Experience running mail relays for 12,000 users proved illuminating
– One box, in theory, could handle both inbound and outbound mail (but was a PITA in reality)
– TCO was lowered by 'separating the streams' onto two logical boxes
Intrusion and extrusion detection also benefit
– KISS
– NIDS are very sensitive to CPU/memory limitations

Slide 12: NIDS performance anxiety
I have been testing intrusion scenarios with a half-dozen commercial NIDS
– They are highly sensitive to CPU/memory limitations
– A simple SAMBA drag/drop over a 100-megabit network caused false negatives to spike
Adding hundreds of extrusion rules to a NIDS could have negative consequences

Slide 13: FAIL
All NIDS suffer false positives and negatives
Extrusion detection is harder than intrusion detection
– A write-down trojan can do anything a user can do
– Most users could find a way to exfiltrate data without being detected
Bottom line: NIDS fail, and NEDS (network extrusion detection systems) will fail more frequently

Slide 14: Why bother?
All controls can fail
Some extrusion detection is better than none
A bullet-proof vest does not make you Superman
– But police still wear them
Extrusion detection systems can help avoid reaching the security 'tipping point'

Slide 15: "Don't cross the streams" – Dr. Egon Spengler
Target network separated the streams
– NIDS used EXTERNAL_NET -> HOME_NET rules
– NEDS used HOME_NET -> EXTERNAL_NET rules
– Sat side-by-side on the same tap
NEDS also parsed proxy logs
– Including traffic analysis
Immediate, quantifiable wins

Slide 16: The 1st win: naked downloads
Perl script that parsed HTTP proxy logs to identify downloads of EXEs from 'naked IPs' (hosts requested by IP literal rather than by name)
First hit:
– - - [19/May/2009:15:48:10 -0400] "GET HTTP/1.0" 200 731 TCP_MISS:DIRECT
– "Why is a nursing station downloading software from a former Soviet Union country?"
PC was compromised; inbound prevention and detection had failed

Slide 17: The 2nd win: persistent connections
Perl script that parsed HTTP proxy logs to look for 'persistent' connections
– Any source IP that connected to a destination IP via http/https at least once every 10 minutes, 24/7
Script found:
– Weather toolbars, etc.
– 'Legit' reverse https tunnels (known and unknown)
– Loads of spyware
– "Why is the accountant's PC constantly connecting to an IP in Panama?"
– PC was a member of a botnet; inbound prevention and detection failed again
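The two proxy-log checks from slides 16 and 17 share the same log parsing, so one added example covers both. It is not the talk's Perl code (which was never published with the slides); it is a Python reconstruction of the two heuristics as described: a GET of an executable from an IP-literal host outside HOME_NET, and a (client, destination host) pair seen at least once every 10 minutes over a whole 24-hour window. The log format is Squid's "common" format, the shape of the hit quoted on slide 16; the HOME_NET ranges and every log line are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed internal ranges (the talk's HOME_NET): an IP-literal host outside them is a "naked IP".
HOME_NET = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Squid "common" log format: client ident user [timestamp] "METHOD URL PROTO" status bytes hierarchy
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ \S+$')
# Host and path of a URL; also copes with the bare host:port form that CONNECT requests are logged with.
HOST_RE = re.compile(
    r'^(?:[a-z][a-z0-9+.-]*://)?(?:[^/@]*@)?(?P<host>\[[^\]]+\]|[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?', re.I)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    h = HOST_RE.match(m["url"])
    if not h:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"].upper(),
        "url": m["url"],
        "host": h["host"].strip("[]").lower(),
        "path": h["path"] or "/",
        "status": int(m["status"]),
    }


def naked_exe_downloads(records, home_net=HOME_NET, extensions=(".exe",)):
    """Slide 16: successful GETs of executables from IP-literal hosts outside HOME_NET."""
    hits = []
    for r in records:
        if r["method"] != "GET" or r["status"] != 200 or not r["path"].lower().endswith(extensions):
            continue
        try:
            ip = ip_address(r["host"])
        except ValueError:
            continue  # a hostname, not a naked IP
        if not any(ip in net for net in home_net):
            hits.append(r)
    return hits


def persistent_connections(records, window_start, window_end, interval=timedelta(minutes=10)):
    """Slide 17: (client, host) pairs seen at least once per `interval` across the whole window."""
    seen = defaultdict(list)
    for r in records:
        if window_start <= r["ts"] <= window_end:
            seen[(r["client"], r["host"])].append(r["ts"])
    hits = []
    for key, times in seen.items():
        # Gaps between consecutive hits, including the gap from the window edges to the first/last hit,
        # must all fit inside the interval; that is what "every 10 minutes, 24/7" means.
        edges = [window_start] + sorted(times) + [window_end]
        if all(later - earlier <= interval for earlier, later in zip(edges, edges[1:])):
            hits.append(key)
    return sorted(hits)


def constructed_log_lines():
    """Constructed sample log (not real traffic) covering the cases the two checks distinguish."""
    base = datetime(2009, 5, 19, tzinfo=timezone(timedelta(hours=-4)))

    def line(client, when, url, status=200, size=731):
        ts = when.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{client} - - [{ts}] "GET {url} HTTP/1.1" {status} {size} TCP_MISS:DIRECT'

    lines = []
    for i in range(0, 24 * 60, 8):      # beacon every 8 minutes, all day: persistent
        lines.append(line("10.10.9.4", base + timedelta(minutes=i), "http://198.51.100.23/check"))
    for i in range(0, 24 * 60, 30):     # toolbar polling every 30 minutes: gaps exceed 10 minutes
        lines.append(line("10.10.5.21", base + timedelta(minutes=i), "http://weather.example.net/update"))
    for i in range(8 * 60, 17 * 60, 5):  # business hours only, every 5 minutes: not 24/7
        lines.append(line("10.10.7.8", base + timedelta(minutes=i), "http://portal.example.com/refresh"))
    # one executable from a naked IP (flagged) and one from a named host (not flagged)
    lines.append(line("10.10.5.21", base + timedelta(hours=15, minutes=48, seconds=10),
                      "http://198.51.100.77/soft/update.exe"))
    lines.append(line("10.10.5.21", base + timedelta(hours=15, minutes=49),
                      "http://download.example.com/tool.exe", size=5120))
    return lines


def run_demo():
    records = [r for r in map(parse_line, constructed_log_lines()) if r]
    day_start = datetime(2009, 5, 19, tzinfo=timezone(timedelta(hours=-4)))
    return {
        "parsed": len(records),
        "naked_exe": [(r["client"], r["url"]) for r in naked_exe_downloads(records)],
        "persistent": persistent_connections(records, day_start, day_start + timedelta(days=1)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Both checks are deliberately crude, as the slides describe: the naked-IP check keys on the URL, not on what was actually served, and the persistence check treats any ten-minute gap as a miss. Tightening either (size thresholds, tolerating a few missed beacons) is the kind of tuning the talk's own scripts would have needed once the false positives (weather toolbars, legitimate reverse tunnels) were understood.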

Slide 18: The 3rd win: unencrypted ePHI
Policy required encryption of Electronic Protected Healthcare Information (ePHI) on the internet
Wrote custom Snort rules that detected unencrypted outbound ePHI on the external internet interface
– alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024:65535 (msg:"Unencrypted HIPAA Transaction (Health Care Eligibility Benefit Inquiry and Response)"; content:"004010X092"; flags:A+; classtype: policy-violation; sid:1000092; rev:1;)
– The content string is the ASC X12 version 4010 implementation-guide identifier for the 270/271 eligibility transaction set; it appears in cleartext in the GS segment of an unencrypted EDI interchange
We saw immediate hits
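The Snort rule above fires on a single content string. As an added example (not the talk's rule or code), the following Python decodes the X12 interchange envelope itself, so an analyst looking at a hit can see which HIPAA transaction set crossed the wire in cleartext and which implementation-guide version it used. It locates the fixed-length ISA header, reads the element and segment separators from it, and extracts the functional identifier (GS01), the version (GS08, where 004010X092 lives) and the ST transaction-set codes; the GS01 table is the ASC X12 assignment of codes to the HIPAA transaction sets, and all sample interchanges, sender IDs and subscriber data are constructed.

```python
# GS01 functional identifier codes of the HIPAA health-care transaction sets (ASC X12 assignments).
HEALTHCARE_GS01 = {
    "HS": "Health Care Eligibility Benefit Inquiry (270)",
    "HB": "Health Care Eligibility Benefit Response (271)",
    "HC": "Health Care Claim (837)",
    "HP": "Health Care Claim Payment/Advice (835)",
    "HR": "Health Care Claim Status Request (276)",
    "HN": "Health Care Claim Status Notification (277)",
    "HI": "Health Care Services Review (278)",
}


def parse_x12_envelope(payload: bytes):
    """Locate an ISA interchange header in the payload and return its GS/ST identifiers, or None."""
    start = payload.find(b"ISA")
    if start < 0 or len(payload) < start + 106:
        return None  # the ISA segment is always exactly 106 bytes
    isa = payload[start:start + 106]
    elem, term = isa[3:4], isa[105:106]
    # Separators are single non-alphanumeric bytes; this also rejects a chance "ISA" inside other data.
    if elem.isalnum() or term.isalnum() or elem == term:
        return None
    segments = [s.strip(b"\r\n").split(elem) for s in payload[start:].split(term) if s.strip(b"\r\n")]
    gs = next((s for s in segments if s[0] == b"GS"), None)
    if gs is None or len(gs) < 9:
        return None
    dec = lambda b: b.decode("ascii", "replace")
    return {
        "functional_id": dec(gs[1]),
        "version": dec(gs[8]),
        "transaction_sets": [dec(s[1]) for s in segments if s[0] == b"ST" and len(s) > 1],
    }


def cleartext_phi_alert(payload: bytes):
    """Return an alert dict if the payload is a cleartext HIPAA X12 interchange, else None."""
    env = parse_x12_envelope(payload)
    if env is None or env["functional_id"] not in HEALTHCARE_GS01:
        return None
    return {
        "msg": f"Unencrypted HIPAA Transaction ({HEALTHCARE_GS01[env['functional_id']]})",
        "classtype": "policy-violation",
        # True when the single content match of the slide's Snort rule would also have fired
        "snort_content_hit": b"004010X092" in payload,
        **env,
    }


def _isa(sender, receiver):
    """Build a 106-byte ISA segment with constructed control values."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15), "ZZ", receiver.ljust(15),
              "090519", "1548", "U", "00401", "000000001", "0", "P", ":"]
    return "*".join(fields) + "~"


# Constructed samples: a 270 eligibility inquiry, the same inquiry inside an HTTP POST,
# an unrelated 850 purchase order, and opaque bytes shaped like a TLS record.
SAMPLE_270 = (_isa("CLINICSND", "PAYERRCV")
              + "GS*HS*CLINICSND*PAYERRCV*20090519*1548*1*X*004010X092~"
              + "ST*270*0001~BHT*0022*13*10001234*20090519*1548~"
              + "NM1*IL*1*DOE*JANE****MI*000000000~"  # constructed subscriber, not a real person
              + "SE*4*0001~GE*1*1~IEA*1*000000001~").encode("ascii")
HTTP_POST = (b"POST /edi/submit HTTP/1.1\r\nHost: clearinghouse.example\r\n"
             b"Content-Type: application/edi-x12\r\n\r\n" + SAMPLE_270)
SAMPLE_850 = (_isa("BUYERSND", "VENDORRCV")
              + "GS*PO*BUYERSND*VENDORRCV*20090519*1548*2*X*004010~"
              + "ST*850*0001~SE*2*0001~GE*1*2~IEA*1*000000001~").encode("ascii")
TLS_LIKE = bytes([0x16, 0x03, 0x01, 0x00, 0x2A]) + bytes(range(42))

if __name__ == "__main__":
    for label, data in (("270", SAMPLE_270), ("POST", HTTP_POST), ("850", SAMPLE_850), ("TLS", TLS_LIKE)):
        print(label, cleartext_phi_alert(data))
```

The 850 sample is the reason to decode GS01 rather than only grep for the version string: plenty of X12 traffic (purchase orders, invoices) carries no ePHI, and a rule keyed on the HIPAA transaction-set identifiers stays quiet on it, while the opaque TLS-like bytes show the check passing over traffic that is already encrypted.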

Slide 19: OK, we're on to something
Refined into a dedicated extrusion detection system:
– Snort, BASE, MySQL
– Wireshark, tshark, ngrep, etc.
– Aforementioned scripts + others
– Pre-selected outbound Snort rules
– Custom Snort rules
Pre-configured and ready to go: sniffs eth0 by default, logs to a MySQL DB, view events via BASE
Why not make it a Live CD?

Slide 20: The Xfiltr8 Live CD
– Currently ALPHA software
Ubuntu desktop ISO with Snort, BASE, MySQL, Wireshark, etc.
Collection of outbound Snort and Emerging Threats rules
– HOME_NET -> EXTERNAL_NET
Scripts for persistent connections and EXE downloads from 'naked IPs', and more
Boots as a live CD, with an OS install option

Slide 21: Xfiltr8 is handy in a pinch
Xfiltr8 also contains the inbound rules
– Both Snort and Emerging Threats
– Inbound rules disabled by default
Makes a good NIDS in a pinch
– BASE, Snort, MySQL, all pre-configured
– Just reconfigure snort.conf to use the inbound rules
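Slides 15 and 21 both come down to sorting a Snort rule set by direction: EXTERNAL_NET -> HOME_NET rules go to the NIDS, HOME_NET -> EXTERNAL_NET rules to the NEDS, and Xfiltr8 ships the inbound set commented out. As an added example (not part of Xfiltr8 or the talk), the following Python parses the rule headers and splits a rules file into inbound, outbound, bidirectional and disabled groups. It treats the stock snort.conf server variables ($HTTP_SERVERS and friends) as subsets of $HOME_NET, which is their default and an assumption here; the sample rule file is constructed, apart from the ePHI rule quoted on slide 18.

```python
import re

# Rule header: [#]action proto src sport (->|<>) dst dport ( ...options
RULE_RE = re.compile(
    r'^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(')

# Variables the stock snort.conf defines as $HOME_NET subsets (assumption: the deployment keeps those defaults).
HOME_SIDE_VARS = {"$HOME_NET", "$HTTP_SERVERS", "$SMTP_SERVERS", "$SQL_SERVERS", "$DNS_SERVERS",
                  "$TELNET_SERVERS", "$SSH_SERVERS", "$FTP_SERVERS", "$SIP_SERVERS"}


def address_side(token):
    """Classify an address token as 'home', 'external' or 'any' (negation flips home/external)."""
    negated = token.startswith("!")
    name = token.lstrip("!").strip("[]")
    if "," in name:
        return "any"  # mixed address lists are not classified
    if name in HOME_SIDE_VARS:
        return "external" if negated else "home"
    if name == "$EXTERNAL_NET":
        return "home" if negated else "external"
    return "any"


def rule_direction(rule):
    """'inbound', 'outbound', 'both' or 'unknown' (for lines that are not rule headers)."""
    m = RULE_RE.match(rule)
    if not m:
        return "unknown"
    if m["dir"] == "<>":
        return "both"
    src, dst = address_side(m["src"]), address_side(m["dst"])
    if src == "home" and dst != "home":
        return "outbound"
    if dst == "home" and src != "home":
        return "inbound"
    return "both"  # any -> any, home -> home, external -> external, external -> any


def split_rules(text):
    """Group the rules of a rules file by direction; commented-out rules go to 'disabled'."""
    groups = {"inbound": [], "outbound": [], "both": [], "disabled": []}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, var/include lines, blank lines
        if m["disabled"]:
            groups["disabled"].append(line.strip())
        else:
            groups[rule_direction(line)].append(line.strip())
    return groups


# The rule from slide 18, verbatim.
EPHI_RULE = ('alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024:65535 (msg:"Unencrypted HIPAA Transaction '
             '(Health Care Eligibility Benefit Inquiry and Response)"; content:"004010X092"; flags:A+; '
             'classtype: policy-violation; sid:1000092; rev:1;)')

# Constructed sample rule file for the demo, not a real ruleset.
SAMPLE_RULES = "\n".join([
    "# constructed sample rule file",
    "var HOME_NET 10.0.0.0/8",
    EPHI_RULE,
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Inbound SMB (constructed)"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Web server probe (constructed)"; sid:1000002; rev:1;)',
    'alert udp $HOME_NET any -> !$HOME_NET 53 (msg:"DNS to non-local resolver (constructed)"; sid:1000003; rev:1;)',
    'alert ip any any -> any any (msg:"Any-to-any (constructed)"; sid:1000004; rev:1;)',
    '#alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC (constructed, disabled)"; sid:1000005; rev:1;)',
])

if __name__ == "__main__":
    for direction, rules in split_rules(SAMPLE_RULES).items():
        print(f"{direction}: {len(rules)} rule(s)")
        for r in rules:
            print("   ", r[:70])
```

Writing the "outbound" group to one file and "inbound" to another gives the two `include` sets that the NEDS and NIDS snort.conf each load; the "both" group (any-to-any rules) is the one to review by hand, because it runs on both sensors and is where a rule that belongs on neither usually hides.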

Slide 22: I need help
The project website is quite lame right now
– It has the alpha ISO, and that's about it
I would like to build an extrusion detection community
Volunteers needed! Send email to the author, and include xfiltr8 in the title

