
Covert Channels A Primer for Security Professionals


Presentation Transcript


  1. SANS Technology Institute - Candidate for Master of Science Degree
Covert Channels: A Primer for Security Professionals
Erik Couture, GIAC GSEC GCIH GCIA
March 2011

  2. Definition and Origin
• 3 types of information hiding:
  • Cryptography - make the message unreadable
  • Steganography - hide the message inside another message
  • Metaferography - hide the message in the carrier itself; this is the covert-channel case
• Easy to design, hard to detect

  3. Covert Channels
• Clever misuse of network protocols
• Nearly undetectable
• Not all that common
“They’ll never see me coming!”

  4. How it is done
• Modulate either:
  • the channel’s characteristics (timing, sizes, header field values)
  • the content (the payload bytes)
• Do it without:
  • breaking protocol standards
  • making the traffic look anomalous
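The first of the two options above, modulating a characteristic of the channel rather than its content, is easy to miss because every packet is individually legitimate. The following is an added example, not code from the slides: a timing channel that encodes bits in the gaps between otherwise innocent packets, a receiver that thresholds the gaps, a constructed (seeded) jitter model standing in for the network path, and the defender's-side gap histogram that gives the channel away. The gap values, jitter and bucket size are assumptions chosen for the example.

```python
from __future__ import annotations

import random

# Gap values (seconds) are assumptions for this example: both look like ordinary
# keep-alive spacing, and neither touches the packets' contents.
GAP_ZERO = 0.10          # a short gap encodes bit 0
GAP_ONE = 0.30           # a long gap encodes bit 1
THRESHOLD = (GAP_ZERO + GAP_ONE) / 2


def encode_timing(data: bytes) -> list[float]:
    """Send-time offsets for len(data) * 8 + 1 packets whose inter-packet gaps
    carry the bits of `data`, MSB first. The packets can be any conformant
    traffic (pings, keep-alives); only their spacing is modulated."""
    offsets = [0.0]
    for byte in data:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            offsets.append(offsets[-1] + (GAP_ONE if bit else GAP_ZERO))
    return offsets


def decode_timing(timestamps: list[float]) -> bytes:
    """Recover bytes from observed arrival times by thresholding each gap.
    Trailing bits that do not fill a whole byte are discarded."""
    bits = [1 if later - earlier > THRESHOLD else 0
            for earlier, later in zip(timestamps, timestamps[1:])]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def simulate_path(offsets: list[float], jitter: float = 0.02, seed: int = 1) -> list[float]:
    """Constructed network path: bounded, seeded random jitter on each send time.
    The decoder survives per-packet jitter below (GAP_ONE - GAP_ZERO) / 4;
    beyond that bits flip, which is why timing channels are slow and need
    error handling in practice."""
    rng = random.Random(seed)
    return [t + rng.uniform(-jitter, jitter) for t in offsets]


def gap_profile(timestamps: list[float], bucket: float = 0.1) -> dict[float, int]:
    """Defender's view: histogram of inter-packet gaps, rounded to `bucket`.
    A timing channel shows two tight clusters (here 0.1 s and 0.3 s) where an
    innocent keep-alive stream shows one."""
    counts: dict[float, int] = {}
    for earlier, later in zip(timestamps, timestamps[1:]):
        key = round(round((later - earlier) / bucket) * bucket, 2)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    observed = simulate_path(encode_timing(b"covert"))
    print(decode_timing(observed))
    print(gap_profile(observed))
```

Note the trade-off the deck returns to on slides 13 and 14: at these gap values the channel moves roughly five bits per second, and widening the gap difference to tolerate more jitter makes it slower still, while narrowing it lets the defender's histogram merge into one cluster only at the cost of more decoding errors.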

  5. ICMP
• An ‘unspecified’ amount of data can be attached to an echo request/reply (RFC 792 puts no limit on the data field)
• Sometimes blocked inbound, rarely outbound
• Tools: Ptunnel, Loki, 007Shell, Hans, more…
[Figures: what a PING looks like; what a “PING” can look like]
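To make the two figure captions concrete, here is an added example (not code from the slides or from any of the tools named): it builds a valid ICMP echo request around an arbitrary payload, parses one back with checksum verification, reproduces what a stock Linux ping payload looks like, and applies the simple check a sensor can make. The stock-payload patterns are well-known behaviour of iputils ping and Windows ping; the "tunnel" payload and the timestamp are constructed for the example.

```python
from __future__ import annotations

import struct

# Stock payloads of common ping implementations (well-known, not from the slides):
# Linux iputils sends a 16-byte timeval followed by bytes 0x10, 0x11, ...;
# Windows ping sends the fixed alphabet string below.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 / code 0 carrying an arbitrary payload. Nothing in RFC 792
    limits the data field except the IP MTU, which is what ICMP tunnels rely on."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> tuple[int, int, bytes]:
    """Validate the checksum and split an echo request/reply into
    (identifier, sequence, payload). Raises ValueError on bad input."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        raise ValueError("truncated packet or bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if code != 0 or icmp_type not in (0, 8):
        raise ValueError("not an ICMP echo message")
    return ident, seq, packet[8:]


def linux_ping_payload(size: int = 56, sec: int = 1_300_000_000, usec: int = 0) -> bytes:
    """What a PING looks like: iputils fills the data with a little-endian
    struct timeval (constructed timestamp here) and then the byte index."""
    body = struct.pack("<qq", sec, usec)
    body += bytes(i & 0xFF for i in range(len(body), size))
    return body[:size]


def looks_like_stock_ping(payload: bytes) -> bool:
    """Detection heuristic: does the payload match a stock ping tool?
    A mismatch is not proof of tunnelling, but it is exactly where a covert
    ICMP channel has to live, so it deserves inspection."""
    if payload == WINDOWS_PATTERN:
        return True
    if len(payload) > 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload))):
        return True
    return False


if __name__ == "__main__":
    normal = build_echo_request(0x1234, 1, linux_ping_payload())
    covert = build_echo_request(0x1234, 2, b"id=0;cmd=cat /etc/passwd")  # constructed tunnel payload
    for pkt in (normal, covert):
        _ident, seq, data = parse_echo(pkt)
        verdict = "stock" if looks_like_stock_ping(data) else "SUSPICIOUS"
        print(seq, len(data), verdict, data[:16])
```

The "covert" packet above is byte-for-byte a legal echo request, which is why the firewall bullet on slide 9 (block outbound ICMP, or at least echo to arbitrary hosts) is more dependable than payload inspection; a tunnel that pads its data to look like the stock pattern would pass the check here.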

  6. DNS
• Generally allowed through network protective devices (hosts must resolve names, so the internal resolver forwards queries for any domain)
• Data is carried in the query name, e.g. http://Dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com
• Tools: OzymanDNS, NSTX, dns2tcp
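The example name on the slide shows the idea; what the tools listed actually have to get right is the RFC 1035 limits (63 octets per label, 253 characters per name) and the fact that DNS is case-insensitive, which rules out base64. The following added example, not code from the slides or from any of those tools, packs data into sequence-numbered base32 query names, validates them the way a resolver would, and reassembles them on the receiving side. The label layout (`s<n>` sequence label, three data labels) is an assumption for the example, not any tool's wire format.

```python
from __future__ import annotations

import base64
import string

MAX_LABEL = 63        # RFC 1035: one label is at most 63 octets
MAX_NAME = 253        # RFC 1035: 255 octets on the wire, 253 characters in text form
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def is_valid_name(name: str) -> bool:
    """Conservative hostname check of the kind a resolver or filter applies."""
    if not name or len(name) > MAX_NAME:
        return False
    return all(0 < len(label) <= MAX_LABEL
               and set(label) <= LABEL_CHARS
               and not label.startswith("-") and not label.endswith("-")
               for label in name.split("."))


def encode_dns_queries(data: bytes, domain: str, labels_per_query: int = 3) -> list[str]:
    """Pack `data` into query names under `domain`: a sequence label, then up to
    `labels_per_query` base32 labels. Base32 rather than base64 because DNS is
    case-insensitive and '/', '+' and '=' are not label characters. Every name
    returned respects the RFC 1035 limits, so resolvers forward it unmodified."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    queries: list[str] = []
    pos, seq = 0, 0
    while pos < len(text):
        seq_label = f"s{seq}"
        labels: list[str] = []
        length = len(seq_label) + 1 + len(domain)
        while len(labels) < labels_per_query and pos < len(text):
            room = min(MAX_LABEL, MAX_NAME - length - 1)  # one more label plus its dot
            if room <= 0:
                break
            chunk = text[pos:pos + room]
            labels.append(chunk)
            length += len(chunk) + 1
            pos += len(chunk)
        if not labels:
            raise ValueError("domain too long to carry any data")
        queries.append(".".join([seq_label, *labels, domain]))
        seq += 1
    return queries


def decode_dns_queries(queries: list[str], domain: str) -> bytes:
    """Receiver side (the authoritative server for `domain`): strip the suffix,
    reorder by sequence label, and base32-decode with padding restored."""
    suffix = "." + domain.lower()
    pieces: dict[int, str] = {}
    for name in queries:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue  # not ours; an authoritative server only sees its own zone anyway
        seq_label, *labels = name[: -len(suffix)].split(".")
        pieces[int(seq_label[1:])] = "".join(labels)
    text = "".join(pieces[k] for k in sorted(pieces)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    message = b"The quick brown fox jumps over the lazy dog. " * 5  # constructed payload
    for q in encode_dns_queries(message, "domain.com"):
        print(len(q), is_valid_name(q), q[:40] + "...")
    print(decode_dns_queries(encode_dns_queries(message, "domain.com"), "domain.com") == message)
```

Each 205-character query above carries 189 base32 characters, i.e. about 118 bytes of payload, and the recursive resolver caches nothing useful because every name is unique; that combination of long, high-entropy, never-repeated names is what the anomaly bullets on slide 9 are looking for.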

  7. Future Threats
• IPv6
  • v00d00N3t - fully featured ICMPv6 covert channel
• Application layer
  • VoIP, mail, file transfer
• Layer 2
  • 802.11, ARP
• Using covert channels to break out of software sandboxes

  8. Covert Channel Design Considerations
• Ease of detection
• Ease of implementation
• Carrier availability
• Bandwidth
• Reliability

  9. Defensive practices
“That was Easy!”
• Firewall
  • Block outgoing ICMP
  • Block DNS queries other than from the internal proxy/resolver
• Snort rules
  • Spotting known signatures, e.g.
    alert udp any any -> any 53 (content:"|00 00 29 10 00 00 00 80 00 00 00|".....
    (the content bytes are an EDNS0 OPT pseudo-record advertising a 4096-byte UDP payload with the DO bit set: a fingerprint of one particular client, and one that DNSSEC-aware resolvers send as well)
  • Exploit specific, as these things are
• Anomaly detection
  • Spot unusual spikes in DNS traffic on port 53
  • Frequent, oversized DNS TXT records
  • Any anomalous behaviour (How hard is that?!)
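The anomaly-detection bullets above are the ones that survive a change of tool, because they key on what a DNS tunnel cannot avoid doing: many unique, high-entropy names under one domain, and large answers. This added example (not code from the slides or from any IDS) runs those heuristics over a constructed resolver log. The log format, the thresholds and the "registered domain = last two labels" shortcut are assumptions for the example; a production version would use the public suffix list and tune the thresholds to its own baseline.

```python
from __future__ import annotations

import math
from collections import defaultdict

# Constructed resolver log, one query per line: timestamp client qtype qname answer_bytes.
# The format is an assumption for this example; adapt parse_line() to your resolver's log.
SAMPLE_LOG = """\
2011-03-01T10:00:01 10.0.0.5 A www.example.com 75
2011-03-01T10:00:02 10.0.0.5 A mail.example.com 75
2011-03-01T10:00:02 10.0.0.7 A cdn.example.net 91
2011-03-01T10:00:03 10.0.0.9 TXT s0.nbswy3dpeb3w64tmmqqhk3djojsxe.badtunnel.example 1402
2011-03-01T10:00:03 10.0.0.9 TXT s1.mfrgg4tbonsxmzjanqqhg2dffvsgk4tn.badtunnel.example 1377
2011-03-01T10:00:04 10.0.0.9 TXT s2.ojsw4zlfeb2gc3tfmqqgs4zamj4xizlt.badtunnel.example 1391
2011-03-01T10:00:04 10.0.0.9 TXT s3.pfxxk4dfnzsgk4tnmfzxi3lfnqqhe2lt.badtunnel.example 1355
2011-03-01T10:00:05 10.0.0.9 TXT s4.gezdgnbvgy3tqojqmfrgg4tbonsxmzja.badtunnel.example 1288
2011-03-01T10:00:05 10.0.0.5 TXT _dmarc.example.com 180
"""

# Thresholds are assumptions; calibrate against your own baseline traffic.
OVERSIZED_TXT = 512   # bytes; beyond the classic 512-byte UDP DNS answer
MIN_DISTINCT = 4      # distinct names under one domain in the window
MIN_ENTROPY = 3.5     # mean bits per character of the subdomain part
MIN_BIG_TXT = 3       # oversized TXT answers in the window


def label_entropy(text: str) -> float:
    """Shannon entropy in bits per character. Real hostnames (www, mail) score
    low; base32/hex tunnel labels score close to log2(alphabet size)."""
    if not text:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> tuple[str, str, str, str, int]:
    ts, client, qtype, qname, size = line.split()
    return ts, client, qtype.upper(), qname.lower().rstrip("."), int(size)


def registered_domain(qname: str) -> str:
    """Shortcut: last two labels. Use the public suffix list in real code,
    otherwise co.uk-style domains are grouped wrongly."""
    return ".".join(qname.split(".")[-2:])


def analyse(log_text: str) -> dict[str, dict]:
    """Per registered domain: query count, distinct names, subdomain entropy
    samples and the number of oversized TXT answers."""
    stats: dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "names": set(), "entropy": [], "big_txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname, size = parse_line(line)
        domain = registered_domain(qname)
        sub = qname[: -len(domain) - 1] if qname != domain else ""
        s = stats[domain]
        s["queries"] += 1
        s["names"].add(qname)
        s["entropy"].append(label_entropy(sub.replace(".", "")))
        if qtype == "TXT" and size > OVERSIZED_TXT:
            s["big_txt"] += 1
    return dict(stats)


def flag_domains(stats: dict[str, dict]) -> dict[str, list[str]]:
    """Apply the slide's two anomaly heuristics and return domain -> reasons."""
    flagged: dict[str, list[str]] = {}
    for domain, s in stats.items():
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        reasons = []
        if len(s["names"]) >= MIN_DISTINCT and mean_entropy >= MIN_ENTROPY:
            reasons.append(f"{len(s['names'])} distinct high-entropy names "
                           f"(mean {mean_entropy:.2f} bits/char)")
        if s["big_txt"] >= MIN_BIG_TXT:
            reasons.append(f"{s['big_txt']} TXT answers over {OVERSIZED_TXT} bytes")
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_domains(analyse(SAMPLE_LOG)).items():
        print(domain, "->", "; ".join(reasons))
```

Run against a real log, the entropy rule will also fire on legitimate CDN, anti-spam and telemetry domains that use hashed hostnames, which is the "how hard is that?!" of the last bullet: the heuristics find candidates, and an allow-list of known high-entropy domains plus the per-client query rate does the rest.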

  10. Defensive R&D
• Statistical analysis
  • Proven to work in theory
• Active wardens
  • Full scan and rewrite of traffic
  • Resource intensive

  11. The Threat
• Cyber criminals - (financial data)
• Cyber-warriors - (political/military)
• Corporate espionage - (IP theft)
• Hacktivists - (idealism)
• Individual hackers - (fame/thrill)
• Spammers - (ad distribution)

  12. Hypothetical ‘Smart’ Covert Channel
• Stuxnet-like scenario
• High value target
• Motivated and resourced attacker
• Built-in recon ability
• Protocol flexibility
• Low and slow
• Virtually undetectable

  13. Why not more common?
[Chart: covertness (high to low) plotted against throughput (low to high)]
• Benefits vs limitations
• ‘Signal to noise ratio’

  14. For Good not Evil?
• Can allow oppressed people to get through government firewalls/filters
• Back to the volume dilemma

  15. Summary
• Covert channels are:
  • the death of perimeter security?
  • not inconceivable, but not a high priority for most
• Whatever to do?
  • Focus on the fundamentals and the “low hanging…”
  • Perform and execute defense in depth, in line with your threat/risk assessment and the SANS ‘20 Critical Security Controls’
References and more? Please see my paper in the SANS Reading Room: www.sans.org/reading_room/whitepapers/detection/covert-channels_33413
