
1 Beyond Intrusion Detection - Prevention & Protection
© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.

2 Problem Domain
Viruses, Worms, Trojans, and Bad Code…
Hybrid Threats designed to improve chances for propagation
–MS_Blaster
–NIMDA
–CodeRed
–SQL Slammer
Hackers, Script Kiddies, Malicious Insiders
Theft of Intellectual Property, Confidentiality, and associated Legal Liability
–HIPAA, Sarbanes/Oxley, California Senate Bill no. 1386, Buckley Amendment

3 State of Security Today
Firewalls and anti-virus were not capable of stopping any of the last 5 major Internet attacks
Add MS Blaster!

4 Example - HTTP-based Attack (diagram slide)

5 Remote User = Unsecured
Outside firewall
–Connections are not monitored
Visit unsuitable websites
Download unsuitable software
Broadband
–Faster connections encourage ‘other uses’
Peer to peer software
Instant Messenger tools
Software vulnerabilities
–Targeted by hybrid worms

6 Accidental Internal Attack (diagram; labels: INTRUDER, Company Confidential)

7 Problem: Firewalls are Not Enough
Firewalls can’t block malicious traffic
Many ports must be kept open for healthy applications to run
Users unwittingly download dangerous applications or other forms of malicious code
“Always on” connection = Always vulnerable
Peer-to-peer and instant messaging have introduced new infection vectors

8 Problem: AV is Not Enough
AV signature scanning is a reactive model
Several must suffer infection before samples can be obtained, signatures developed, updates released, and protection deployed to your vulnerable endpoints
MS_Blaster recently spread quickly and undetected, wreaking havoc throughout the world

9 Problem: Network IPS is not enough
Although Network IPS has its place, many threats originate at the Desktop
To protect at the Source, Host based Intrusion Detection and Prevention is necessary
Detecting only at the Network may be too late

10 Multi-layered Compromise (diagram; labels: INTRUDER, You have Mail!, Company Confidential)

11 “All I Have To Do Is Patch My Systems”
“It takes 30-60 days to install a single patch at every one of our 110 bases” - US Air Force
“It is a never-ending cycle, trying to keep up with this stuff” - Toyota
Source: Forbes, May 26, 2003

12 Vulnerability and Threat Time-Line
Timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm
–No Patch.
–Security Patch available.
–Typically, apply patch to perimeter network.
–Apply patches everywhere after business is disrupted.

13 Exploit Signature Based Time-Line
Timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm
–No exploit patterns.
–Reactive. Add exploit pattern and variants.
–Reactive. Add worm exploit pattern. Similar to anti-virus, add new variants.

14 Virtual Patch Based Time-Line
Timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm
–Protocol Validation. Virtual Patch.
–Proactive. Protected.

15 Case Study: Microsoft SQL Server Resolution Protocol Stack-based Overflow (MS SQL Slammer Worm)

16 What was the bug?
Vulnerability
–Microsoft SQL Server 2000 and MSDE
–Buffer-overflow in “SQL Server Resolution”; Vuln = ssrp.name.length > 97
–Disclosed July, 2002
Exploit
–Several noted well before January 25th
–Worm on January 25, 2003

17 What do sigs look like?
All sigs
–UDP port 1434
–First byte equal to 4
Pattern-match sigs
–Slammer pattern
Protocol-analysis sigs
–Check length of field for overflow

18 Snort
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \
    msg:"MS-SQL Worm propagation attempt"; \
    content:"|04|"; depth:1; \
    content:"|81 F1 03 01 04 9B 81 F1 01|"; \
    content:"sock"; content:"send"; \
    reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; \
    reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

19 Vulnerability Signature
SQL_SSRP_StackBo is (
    udp.dst == 1434
    ssrp.type == 4
    ssrp.name.length > ssrp.threshold )
  where ssrp.type is first-byte of packet
  where ssrp.name is nul-terminated string starting at second byte
  where ssrp.threshold defaults to 97
SQL_SSRP_SlammerWorm is (
    SQL_SSRP_StackBo
    pattern-search[offset=97] = DCC9B042EB0E010101010101 )
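The difference between the exploit-signature time-line (slide 13) and the vulnerability-signature time-line (slide 14) is concrete in the two rules on slides 17 and 19: one fires on the protocol fact that causes the overflow (name longer than the 97-byte threshold), the other additionally requires the worm's own bytes at offset 97. The C program below is an added example written for this page, not ISS or Snort code; it applies both rules to a UDP datagram and runs them over constructed sample packets. The verdict names, function names and sample packets are assumptions; the port, type byte, threshold, offset and 12-byte pattern are the values printed on the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from slides 17 and 19 */
#define SSRP_PORT           1434  /* udp.dst == 1434 */
#define SSRP_TYPE           4     /* ssrp.type == 4: first byte of the packet */
#define SSRP_NAME_THRESHOLD 97    /* ssrp.threshold defaults to 97 */
#define SLAMMER_OFFSET      97    /* pattern-search[offset=97] */

/* Exploit-specific bytes from the SQL_SSRP_SlammerWorm rule on slide 19 */
static const uint8_t SLAMMER_PATTERN[] = {
    0xDC, 0xC9, 0xB0, 0x42, 0xEB, 0x0E, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01
};

/* Verdicts: hypothetical names, not the ISS engine's own */
enum ssrp_verdict {
    SSRP_CLEAN = 0,        /* no rule fired */
    SSRP_STACK_BO = 1,     /* vulnerability rule: overlong name, whatever the payload */
    SSRP_SLAMMER_WORM = 2  /* exploit rule: overlong name AND the known worm bytes */
};

/* ssrp.name.length: length of the nul-terminated string that starts at the
 * second byte. Bounded by the datagram length so a packet with no nul at all
 * is measured to its end rather than read past it. */
static size_t ssrp_name_length(const uint8_t *pkt, size_t len)
{
    size_t n = 0;
    while (1 + n < len && pkt[1 + n] != '\0')
        n++;
    return n;
}

/* Apply both rules to one UDP datagram (destination port plus payload). */
int classify_ssrp(uint16_t dst_port, const uint8_t *pkt, size_t len)
{
    if (dst_port != SSRP_PORT || len == 0 || pkt[0] != SSRP_TYPE)
        return SSRP_CLEAN;                         /* preconditions shared by all sigs */

    if (ssrp_name_length(pkt, len) <= SSRP_NAME_THRESHOLD)
        return SSRP_CLEAN;                         /* field is within its safe length */

    /* SQL_SSRP_StackBo has fired. Upgrade to the worm verdict only if the known
     * bytes appear at or after offset 97; a variant that changes those bytes
     * still trips the vulnerability rule above. */
    for (size_t off = SLAMMER_OFFSET; off + sizeof SLAMMER_PATTERN <= len; off++)
        if (memcmp(pkt + off, SLAMMER_PATTERN, sizeof SLAMMER_PATTERN) == 0)
            return SSRP_SLAMMER_WORM;

    return SSRP_STACK_BO;
}

/* Constructed sample datagrams (not captures), one per outcome. */
int sample_benign_ping(void)
{
    uint8_t pkt[16] = { SSRP_TYPE };               /* remaining bytes zero-filled */
    memcpy(pkt + 1, "SQLEXPRESS", 11);             /* 10-character name plus its nul */
    return classify_ssrp(SSRP_PORT, pkt, 12);
}

int sample_overlong_name(void)
{
    uint8_t pkt[200];
    memset(pkt, 'A', sizeof pkt);                  /* no nul: the name runs to the end */
    pkt[0] = SSRP_TYPE;
    return classify_ssrp(SSRP_PORT, pkt, sizeof pkt);
}

int sample_worm_bytes(void)
{
    uint8_t pkt[200];
    memset(pkt, 0x01, sizeof pkt);
    pkt[0] = SSRP_TYPE;
    memcpy(pkt + SLAMMER_OFFSET, SLAMMER_PATTERN, sizeof SLAMMER_PATTERN);
    return classify_ssrp(SSRP_PORT, pkt, sizeof pkt);
}

int sample_wrong_port(void)
{
    uint8_t pkt[200];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = SSRP_TYPE;
    return classify_ssrp(1433, pkt, sizeof pkt);   /* same bytes, but not the SSRP port */
}

int main(void)
{
    printf("benign ping   -> %d\n", sample_benign_ping());
    printf("overlong name -> %d\n", sample_overlong_name());
    printf("worm bytes    -> %d\n", sample_worm_bytes());
    printf("wrong port    -> %d\n", sample_wrong_port());
    return 0;
}
```

The overlong-name sample contains none of the worm's bytes, so the Snort rule on slide 18 (which also requires the "sock" and "send" strings) would stay silent on it, while the length check still fires; that is the "variants undo previous updates" point of slide 26 expressed as two return values.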

20 Security Technology Evolution (diagram; label: Integrated Application)

21 Layered Technologies (diagram; layers: PFW, IDS/IPS, IBE, AppCtrl, BuffOP, AV; ports: 80, 135, 445, 1025, xyz; labels: Network Based Attack Vector, File Based Attack Vector, Behavioral, Execution Space, Pre-Execution, Reactive)

22 Buffer Overflow
Stack: Local Variables | Return Address

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable, as on the slide: strcpy copies the whole argument
 * into a 10-byte local buffer with no length check. */
void funcA(char *b)
{
    char buf[10];
    strcpy(buf, b);
    printf("buffer is %s\n", buf);
}

int main(void)
{
    funcA("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");   /* far more than 10 bytes */
    /* … */
    return 0;
}

23 Buffer Overflow
Stack: Local Variables | Return Address
Overflow buffer with shellcode and overwrite original return address
Attacker then jumps to new user-controlled return address
    \x90\x90\x90\x90\x90\x90\xeb
    \xff\x81\x36\x80\xbf\x32\x94
    \x05\xe8\xe2\xff\xff\xff\x03\
Arbitrary code can then be executed by the attacker. This code could directly or indirectly access system calls such as CreateProcess(….)
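Slides 22 and 23 show the vulnerable funcA and what an overflow of its 10-byte buffer leads to. The added example below is not from the presentation; it is the same function with the vulnerability itself removed, in the two shapes a maintainer usually chooses between: reject input that does not fit, or copy what fits and report truncation. Either way the saved return address can no longer be overwritten, regardless of which bytes the input carries, which is the slide 26 distinction between fixing the vulnerability and recognising one exploit. The names funcA_checked, funcA_truncating and demo are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* same 10-byte local buffer as funcA on slide 22 */

/* Hardened form of slide 22's funcA (hypothetical name). The only change is a
 * length check before the copy: input that will not fit, including its
 * terminating nul, is refused, so nothing is ever written past buf. */
int funcA_checked(const char *b)
{
    char buf[BUF_SIZE];
    size_t n = strlen(b);

    if (n >= sizeof buf)            /* n + 1 bytes needed, sizeof buf available */
        return -1;                  /* reject: would overrun the buffer */

    memcpy(buf, b, n + 1);          /* copy including the nul, now provably in bounds */
    printf("buffer is %s\n", buf);
    return 0;
}

/* Alternative: keep what fits and report that input was cut short. snprintf
 * always nul-terminates within sizeof buf; its return value is the length the
 * full string would have needed, so a value >= sizeof buf means truncation. */
int funcA_truncating(const char *b)
{
    char buf[BUF_SIZE];
    int needed = snprintf(buf, sizeof buf, "%s", b);

    printf("buffer is %s\n", buf);
    return needed >= (int)sizeof buf;   /* 1 if truncated, 0 if the whole input fit */
}

/* Self-check with the slide's own overlong input; returns 1 when both
 * hardened variants behave as intended. */
int demo(void)
{
    const char *slide_input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";   /* from slide 22 */

    int short_ok  = funcA_checked("hello") == 0;            /* 5 + nul fits in 10 */
    int long_rej  = funcA_checked(slide_input) == -1;       /* refused, stack untouched */
    int short_fit = funcA_truncating("hello") == 0;
    int long_cut  = funcA_truncating(slide_input) == 1;     /* kept 9 bytes plus nul */

    return short_ok && long_rej && short_fit && long_cut;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Rejecting is the safer default for a field whose maximum length is part of the protocol, as with the 97-byte SSRP name on slide 16; silent truncation is acceptable only where a shortened value cannot change the meaning of what follows.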

24 Case: Network: MS Blaster: DayZERO (diagram; layers: PFW, IDS/IPS, 0-day, AppCtrl, BuffOP, AV; ports: 80, 135, 445, 1025, xyz; RPC; labels: Network Based Attack Vector, File Based Attack Vector, Behavioral, Execution Space, Pre-Execution, Reactive)

25 Case: Network: MS Blaster: DayZERO (diagram; layers: PFW, IDS/IPS, IBE, AppCtrl, BuffOP, AV; ports: 80, 135, 445, 1025, xyz; RPC; labels: Network Based Attack Vector, File Based Attack Vector, Behavioral, Execution Space, Pre-Execution, Reactive)
RPC Service has been DOS’d. Must Reboot.

26 What’s the difference?
Protecting against exploits is reactive
–Too late for many
–Variants undo previous updates
–Typical of AV and most IDS/IPS vendors
Protecting against vulnerabilities is proactive
–Stops threat at source
–Requires advanced R&D

27 Thanks! Questions?

