Real Time Threat Mitigation Techniques
Josh Ryder – Univ. of Alberta
Hmmm... the claim is that they have developed a method that accomplishes non-signature based worm detection and isolation. In opening, he put the presentation into the context of their network (the problem space).
To the degree that you can fit your problem into their problem space, this will be useful.
Their corporate network is not surprising. Big ungoverned inside, lots of border control and all that vanilla stuff.
Their definition of worms: capable of spreading without user intervention. I’m good with that. Multi-vector points of entry being exploited, standard Warhol worms.
They created their own Warhol worm. They wanted a best in class worm: modeled after MS.Blast; both will start 20 threads, 60/40 ratio of offLan/OnLan targets, 6k payload. Blah blah blah.
Victim environment: 50 identical machines, each machine had the same vulnerability, and the network was engineered so that they would be able to monitor all the flows. It is on a /24 with all machines' vulnerabilities having line-of-sight from all others. Dude, this is a dream target surface for this unstructured threat!
Their worm detection and isolation strategy is described as:
1 Worm enters the network
2 Sensor reports the worm traffic to collector
3 Collector analyzes reports
4 Collector signals Reactor
5 Reactor takes appropriate action
So, the methods were in 4 categories:
Packet filtering Firewall
Filter a set of machines from the worm. Silly but I guess they needed to toss it in. The rule is that if the worm can see it, it is owned.
Threshold based Detection
‘pf’ facility for connection rate limiting was used for a threshold model.
They would just count the ‘connection states’: the norm for desktops was 25-35 states, versus 15k connection states on compromised machines.
Signature based Detection
‘snort’ – used for when they were lucky enough to get a signature match
Honeypot based Detection
‘honeyd’ used to identify recon on the network. Populate inactive IP space with honey pots acting as end-point sensors.
In this last method, they then tied the honeypot detection with the actions of a firewall to perform the mitigation.
Honeypot + Firewall == Honeywall
I guess you could have also called it a Firepot but I digress.
Result Sets:
I’ll format it as
method:settings:#systems:#compromised:elapse_time:%_violated
Baseline:
none:none:50systems:50compromised:68secs:100%
Comments: baseline with no detection or protection.
Firewall:acl-set:27systems:27compromised:27secs:54%
Comments: meaningless
Threshold based strategy using ‘pf connection state’
pf:50cons/4sec:50systems:12compromised:77secs:42%
pf:8cons/4sec:50systems:2compromised:5.7secs:4%
Note: this threshold was so low that they DoS’ed themselves and denied all the good stuff
pf:28cons/4sec:50systems:11compromised:16secs:22%
Comments: There is no magic here. To the degree that your threshold settings can differentiate between bad and good, you will be effective.
This is all keyed off of the patterns of the worm being different from the patterns of normal traffic.
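As an added illustration (not code from the talk or its authors), here is a small Python simulation of the pf-style connection-rate threshold, run over constructed flow records at the three settings reported above (50/4, 28/4 and 8/4 connections per seconds). The hosts, timestamps and the "busy backup host" are assumptions; the point it shows is why the 8/4 run also blocked legitimate traffic.

```python
from collections import defaultdict, deque


def make_flows():
    """Constructed (src_ip, timestamp_seconds) records for new outbound TCP connections."""
    flows = []
    # Normal desktop: ~30 connections spread over 60 s (the 25-35 state norm from the talk).
    for i in range(30):
        flows.append(("10.0.0.5", i * 2.0))
    # Busy but legitimate host (assumed backup job): 12 connections inside 3 s.
    for i in range(12):
        flows.append(("10.0.0.9", 100.0 + i * 0.25))
    # Warhol-style worm: 20 threads, each opening a connection every 0.5 s for 10 s.
    for t in range(20):
        for k in range(20):
            flows.append(("10.0.0.42", 200.0 + k * 0.5 + t * 0.01))
    flows.sort(key=lambda f: f[1])
    return flows


def rate_limit_hits(flows, max_conns, window):
    """Flag sources opening more than max_conns new connections in any `window` seconds.

    Mirrors the N/W semantics of pf's max-src-conn-rate, which the talk's
    threshold runs were keyed on. Returns {src: time_first_exceeded}.
    """
    recent = defaultdict(deque)  # sliding window of timestamps per source
    flagged = {}
    for src, ts in flows:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_conns and src not in flagged:
            flagged[src] = ts
    return flagged


def detection_latency(flows, flagged):
    """Seconds from a source's first connection to the moment it tripped the threshold."""
    first_seen = {}
    for src, ts in flows:
        first_seen.setdefault(src, ts)
    return {src: t - first_seen[src] for src, t in flagged.items()}


if __name__ == "__main__":
    flows = make_flows()
    for n, w in ((50, 4), (28, 4), (8, 4)):
        hits = rate_limit_hits(flows, n, w)
        print(f"{n}/{w}: flagged {sorted(hits)} latency {detection_latency(flows, hits)}")
```

At 50/4 and 28/4 only the worm trips the limit; at 8/4 the legitimate busy host is blocked too, which is the trade-off the settings above expose.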
Signature analysis
Snort:custom_rules:50systems:2compromised:0.78secs:4%
Snort:all_rules&&custom_rules:50systems:2compromised:0.99secs:4%
Comments: If you have the pattern in your knowledge base, i.e. a signature or a pattern, great! If not, you suck because you have placed your detection method at the mercy of your adversary. As you would expect, just because you add a mass of signatures that have nothing to do with your controlled experiment, nothing is gained other than processing latency.
Honeywall
Honeywall:low-interaction:50systems:1compromised:0.27secs:2%
They conclude that honeywalls can be effective on small LANs.
I asked about the test: what was the size of the segment, because I needed to know 50 machines out of what? 50/n. From a set theory standpoint, the question is what is the value for the Universal Set? It turned out to be 2^8 (/24 segment). As you can see, if a segment was 95% populated with operational hosts and only 5% honeypot’ed, the percent of compromised hosts would be much different.
Good stuff. As I said in the beginning, if your problem is similar to this problem, then it is useful.
--tk