
Covert Channels: A Primer for Security Professionals
Erik Couture, GIAC GSEC GCIH GCIA
SANS Technology Institute - Candidate for Master of Science Degree



Presentation transcript:

Slide 1
SANS Technology Institute - Candidate for Master of Science Degree
Covert Channels: A Primer for Security Professionals
Erik Couture, GIAC GSEC GCIH GCIA
March 2011

Slide 2: Definition and Origin
Three types of information hiding:
–Cryptography - make the message unreadable
–Steganography - hide the message in another message
–Metaferography - hide the message in the carrier
Easy to design, hard to detect

Slide 3: Covert Channels
Clever misuse of network protocols
Nearly undetectable
Not all that common
“They’ll never see me coming!”

Slide 4: How it is done
Modulate either:
–the channel’s characteristics
–the content
Do it without:
–breaking protocol standards
–making it look anomalous

Slide 5: ICMP
An ‘unspecified’ amount of data can be attached
Sometimes blocked inbound, rarely outbound
Tools: Ptunnel, Loki, 007Shell, Hans, more…
[Figure: “What a PING looks like” next to “What a ‘PING’ can look like”]

Slide 6: DNS
Generally allowed through network protective devices
Example query: Dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com
Tools: OzymanDNS, NSTX, dns2tcp

Slide 7: Future Threats
IPv6
–v00d00N3t - fully featured ICMPv6 covert channel
Application layer
–VoIP, mail, file transfer
Layer 2
–802.11, ARP
Using CCs to break out of software sandboxes

Slide 8: CC Design Considerations
Ease of detection
Ease of implementation
Carrier availability
Bandwidth
Reliability

Slide 9: Defensive practices
[Figure: “That was Easy!” button]
Firewall
–Block outgoing ICMP
–Block DNS queries other than from the internal proxy
Snort rules
–Spotting known signatures: alert udp any any -> any 53 (content:"| |".....
–Exploit specific, as these things are
Anomaly detection
–Spot unusual spikes in DNS traffic on port 53
–Frequent, oversized DNS TXT records
–Any anomalous behavior (How hard is that?!)
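To make the anomaly-detection bullets on this slide concrete, here is an added example (not from the presentation or its paper) that scores DNS query log lines for the symptoms the slide lists: long, high-entropy first labels like the one shown on the DNS slide, oversized TXT answers, and per-client query volume. The log format, the thresholds and the sample lines are constructed assumptions; real deployments would tune the thresholds against their own baseline.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not real traffic), one query per line:
# "<client_ip> <qtype> <qname> <answer_bytes>"
SAMPLE_LOG = """\
10.0.0.5 A www.example.com 16
10.0.0.5 A mail.example.com 16
10.0.0.9 TXT dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com 900
10.0.0.9 TXT k2j4h5g6f7d8s9a0q1w2e3r4t5y6u7i8.domain.com 880
10.0.0.9 TXT zx9c8v7b6n5m4l3k2j1h0g9f8d7s6a5p.domain.com 910
10.0.0.5 A cdn.example.com 16
10.0.0.9 TXT q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.domain.com 895
"""

# Assumed thresholds; tune against a baseline of your own resolver logs.
LABEL_LEN_LIMIT = 24           # first labels longer than this are rare in normal names
ENTROPY_LIMIT = 2.5            # bits per character; dictionary-like labels sit lower
TXT_SIZE_LIMIT = 512           # an "oversized" TXT answer, in bytes
QUERIES_PER_CLIENT_LIMIT = 3   # volume threshold for this small sample

def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_label(qname):
    """True when the first label is both long and high-entropy (tunnel-like)."""
    first = qname.split(".")[0]
    return len(first) > LABEL_LEN_LIMIT and shannon_entropy(first) > ENTROPY_LIMIT

def detect_dns_tunneling(log_text):
    """Return (rule, client, detail) alerts for the three symptoms on the slide."""
    alerts = []
    per_client = Counter()
    for line in log_text.splitlines():
        client, qtype, qname, size = line.split()
        per_client[client] += 1
        if suspicious_label(qname):
            alerts.append(("high-entropy-label", client, qname))
        if qtype == "TXT" and int(size) > TXT_SIZE_LIMIT:
            alerts.append(("oversized-txt", client, qname))
    # Volume check runs once per client after the whole window is read.
    for client, n in per_client.items():
        if n > QUERIES_PER_CLIENT_LIMIT:
            alerts.append(("query-volume", client, str(n)))
    return alerts

if __name__ == "__main__":
    for alert in detect_dns_tunneling(SAMPLE_LOG):
        print(alert)
```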

Slide 10: Defensive R&D
Statistical analysis
–Proven to work in theory
Active wardens
–Full scan and rewrite of traffic
–Resource intensive

Slide 11: The Threat
Cyber criminals - (financial data)
Cyber-warriors - (political/military)
Corporate espionage - (IP theft)
Hacktivists - (idealism)
Individual hackers - (fame/thrill)
Spammers - (ad distribution)

Slide 12: Hypothetical ‘Smart’ Covert Channel
STUXNET-like scenario
–High value target
–Motivated and resourced attacker
Built-in recon ability
Protocol flexibility
Low and slow
Virtually undetectable

Slide 13: Why not more common?
Benefits vs limitations
[Figure: ‘Signal to Noise Ratio’ trade-off scale: Throughput Low ↔ High against Covertness High ↔ Low]

Slide 14: For Good not Evil?
Can allow oppressed people to get through government firewalls/filters
Back to the volume dilemma

Slide 15: Summary
Covert Channels are:
–the death of perimeter security?
–not inconceivable, but not a high priority for most
Whatever to do?
–Focus on the fundamentals and “low hanging…”
–Perform and execute defense in depth, in line with your Threat/Risk Assessment and SANS ‘20 Critical Security Controls’
References and more? Please see my paper in the SANS Reading Room:

