
The Home Team Advantage


Presentation Transcript


  1. The Home Team Advantage
  A. Padgett Peterson, P.E.
  Information Protection
  Lockheed Martin Corporation
  Orlando, Florida

  2. The Home Team Advantage
  • Why bother?
  • Attacks coming faster
  • Using novel mechanisms for attack (dare I say “covert channels”?)
  • Responses slow
  • “Nothing worse than an expert out of their field”
  app062799

  3. The Home Team Advantage
  • Is defense feasible?
  • Good question
  • Defenders need to close every hole, attacker needs to find just one
  • Many find “school of fish” approach attractive (may I suggest a tontine?)
  • Others just keep their resume updated

  4. The Home Team Advantage
  • If defense is to work, defenders need an “unfair advantage”
    • Perimeter defense
    • Desktop defense
    • Layered defense
    • Defense in depth
  • “It’s not just an admin job anymore”

  5. The Home Team Advantage
  • For years tools have been designed to be “universal” applications.
    • Can be launched from anywhere
    • Operate across bridges/firewalls
    • Operate unattended
  • Consider portscanners
    • ISS
    • Cybercop
    • Satan/Santa
    • Socket2me

  6. The Home Team Advantage
  • All are essentially similar
    • Select an IP (or range)
    • Identify hardware/OS
    • Select a port from a list
    • Try to open it
    • If it opens, perform known manipulations
    • If that works, identify vulnerability
  • To here is basically the same for attacker and defender

  7. The Home Team Advantage
  • “Home Team” can
    • Identify IP range
    • Identify hardware/OS
    • Compare to map
    • Correct exceptions
    • Run Portmapper/NetStat
    • Identify services (expected/not)
    • Identify vulnerabilities

  8. The Home Team Advantage
  • Difference: can walk up to machine, run local tests, interview administrator
  • Example: consider “Back Orifice”
    • Scanner can only detect it if it uses the default (no password / port 31337)
    • Portmapper/NetStat will show the anomalous UDP port no matter what the configuration
    • Of course you must know what to expect.

  9. The Home Team Advantage
  • Or consider port scanners themselves
    • Most check only the most common ports
    • FWTK checks less than half
    • Commercial scanners may check as many as 100 known ports
    • Why? RTT
  • But if you are local you can test all 65,536 ports in about ten minutes

  10. The Home Team Advantage
  • Some are wondering “why all 65,536 ports?”
  • For one, it is a nice firewall test but takes two machines – one on each side of the wall. Pump 65,536 packets (131,072 with UDP, a couple more for ICMP (LOKI)).
  • Find out quickly what gets through and what doesn’t.
  • Reverse for the other side. Takes about an hour but often revealing.

  11. The Home Team Advantage
  • Some are still wondering …
  • Well, if the defense is just a screening router, you can just read the ACLs (why bother with a test at all?).
  • But if the “firewall” is a “farm”
    • 15 to 25 different machines
    • Several different products
  • It is often easier to detect ports first, then ask “why?”

  12. The Home Team Advantage
  • Another is MAC addresses
    • (quick: name four different meanings of MAC)
    • Lost when crossing a bridge/router/firewall
    • But if you can run the scanner locally then the header contains the MAC address
    • Six byte value
    • Identifies manufacturer and often model
    • Must open box to change
    • VAX magically becoming PC is cause for concern
  • Believe Mr. Smith knows about MAC (now).
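Slides 7, 8 and 12 describe the home team's real advantage: a map of what each address is supposed to be, a local look at what is actually listening, and a MAC address that a remote scanner never sees. The following Python program is an added example, not code from the presentation or from Lockheed Martin: it parses a `netstat -an` capture taken at a host's console, compares every host against a constructed inventory map, and reports unexpected ports, missing services, and a MAC whose vendor prefix no longer matches the box the map says it is (the "VAX magically becoming PC"). The OUI table, hosts, MACs and netstat lines are all constructed placeholders; the Windows NT `netstat -an` column layout is assumed.

```python
"""Added example (not from the presentation): compare a snapshot gathered
locally on each host against the site's own inventory map, as slides 7,
8 and 12 describe.  Flags listening ports that are not expected, expected
services that are missing, and MAC addresses whose vendor prefix no
longer matches what the map says the box is.

Every host, MAC, port and netstat line below is constructed."""
from dataclasses import dataclass, field

# Constructed OUI table (first three octets of the MAC -> vendor).  A real
# deployment would load the IEEE OUI registry; these are placeholders.
OUI = {"08:00:2B": "DEC", "00:60:08": "3Com", "00:A0:C9": "Intel"}


@dataclass
class Host:
    ip: str
    mac: str
    expected_tcp: set = field(default_factory=set)
    expected_udp: set = field(default_factory=set)


def vendor(mac: str) -> str:
    """Vendor name for a MAC, or 'unknown' if the prefix is not in the table."""
    return OUI.get(mac.upper()[:8], "unknown")


def parse_netstat(lines):
    """Extract listening TCP and bound UDP ports from 'netstat -an' style
    output (Windows NT layout assumed: Proto, Local, Foreign, [State])."""
    tcp, udp = set(), set()
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or banner
        port = int(parts[1].rsplit(":", 1)[1])
        if parts[0] == "TCP" and parts[3:4] == ["LISTENING"]:
            tcp.add(port)
        elif parts[0] == "UDP":
            udp.add(port)
    return tcp, udp


def compare(inventory, observed):
    """inventory: {ip: Host}.  observed: {ip: {"mac": str, "tcp": set, "udp": set}}.
    Returns a list of (ip, finding) tuples in discovery order."""
    findings = []
    for ip, seen in observed.items():
        known = inventory.get(ip)
        if known is None:
            findings.append((ip, "host not in map"))
            continue
        if seen["mac"].upper() != known.mac.upper():
            findings.append((ip, "MAC changed %s (%s) -> %s (%s)" % (
                known.mac, vendor(known.mac), seen["mac"], vendor(seen["mac"]))))
        for proto in ("tcp", "udp"):
            expected = getattr(known, "expected_" + proto)
            for p in sorted(seen[proto] - expected):
                findings.append((ip, "unexpected %s/%d" % (proto, p)))
            for p in sorted(expected - seen[proto]):
                findings.append((ip, "expected %s/%d not listening" % (proto, p)))
    for ip in sorted(inventory.keys() - observed.keys()):
        findings.append((ip, "mapped host did not answer"))
    return findings


# Constructed inventory: what the site believes each address is.
INVENTORY = {
    "10.0.0.10": Host("10.0.0.10", "08:00:2B:11:22:33", {23}, set()),    # a VAX
    "10.0.0.11": Host("10.0.0.11", "00:60:08:44:55:66", {80}, {53}),     # web/DNS box
    "10.0.0.12": Host("10.0.0.12", "00:A0:C9:77:88:99", {139}, set()),   # NT workstation
}

# Constructed 'netstat -an' output captured at the console of 10.0.0.11.
NETSTAT_10_0_0_11 = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.11:80           10.0.0.50:1034         ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:31337          *:*
""".splitlines()


def run_sample():
    tcp, udp = parse_netstat(NETSTAT_10_0_0_11)
    observed = {
        # The "VAX" now answers with an Intel NIC: slide 12's cause for concern.
        "10.0.0.10": {"mac": "00:a0:c9:aa:bb:cc", "tcp": {23}, "udp": set()},
        "10.0.0.11": {"mac": "00:60:08:44:55:66", "tcp": tcp, "udp": udp},
        "10.0.0.13": {"mac": "00:60:08:de:ad:01", "tcp": {23}, "udp": set()},
    }
    return compare(INVENTORY, observed)


if __name__ == "__main__":
    for ip, finding in run_sample():
        print(ip, finding)
```

On the constructed data the report shows four lines: the MAC vendor change on 10.0.0.10, the extra UDP port 31337 on 10.0.0.11 that a remote scanner would miss if the program had been reconfigured, a host at 10.0.0.13 that is not on the map at all, and a mapped host (10.0.0.12) that did not answer. The point of the design is that the scan result is only interesting as a diff against the map; the map is what the attacker does not have.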

  13. The Home Team Advantage
  • If MAC addresses are known, can also record location of machine
    • On error know where to dispatch help
    • Can identify movement on subnets
  • Can also use active hubs (e.g. 3Com)
    • Allow traffic on that line only to/from that MAC address
    • Defeats promiscuous setting, will only receive own and broadcast traffic.

  14. The Home Team Advantage
  • Yet another is knowing which IP addresses are assigned.
    • Devise a promiscuous machine to respond/record any attempt to ping or open a port on an unassigned IP.
    • Alarm if multiple
  • DHCP provides a different problem and requires an active system with knowledge of assignments
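The unassigned-address monitor on slide 14 is easy to demonstrate offline. The Python below is an added example, not code from the presentation: it reads packet-filter log lines, keeps only those aimed at addresses inside the site's subnet that are not in the assignment table, and raises an alarm for any source that touches several such addresses (a single hit is usually a typo, several in a row is a sweep). The log lines are constructed and the `SRC=`/`DST=`/`PROTO=`/`DPT=` field layout is assumed. The comment on `ASSIGNED` covers the DHCP case the slide raises: the table then has to be refreshed from the lease server rather than kept static.

```python
"""Added example (not from the presentation): watch for traffic aimed at
addresses the site has not assigned, as slide 14 suggests, and alarm when
one source touches several of them.  Packet-filter log lines are
constructed; the field layout (SRC=, DST=, PROTO=, DPT=) is assumed."""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?")


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def unassigned_hits(lines, assigned, subnet):
    """Map each source address to the set of unassigned addresses in `subnet`
    it tried to reach.  Network and broadcast addresses are ignored, since
    every host legitimately sends to the broadcast address."""
    net = ipaddress.ip_network(subnet)
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if dst not in net or dst in (net.network_address, net.broadcast_address):
            continue
        if rec["dst"] not in assigned:
            hits[rec["src"]].add(rec["dst"])
    return dict(hits)


def alarms(hits, threshold=2):
    """Sources that touched at least `threshold` distinct unassigned addresses."""
    return sorted(src for src, dsts in hits.items() if len(dsts) >= threshold)


# Constructed assignment table.  With DHCP this set would have to be refreshed
# from the lease table, which is the "active system" slide 14 calls for.
ASSIGNED = {"192.168.1.1", "192.168.1.10", "192.168.1.20",
            "192.168.1.50", "192.168.1.77"}

# Constructed log: .50 sweeps three unassigned addresses, .77 mistypes one
# address and then sends a normal broadcast, 10.9.9.9 reaches an assigned host.
LOG = [
    "Jun 27 10:00:01 fw kernel: SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP DPT=139",
    "Jun 27 10:00:02 fw kernel: SRC=192.168.1.50 DST=192.168.1.200 PROTO=TCP DPT=139",
    "Jun 27 10:00:02 fw kernel: SRC=192.168.1.50 DST=192.168.1.201 PROTO=TCP DPT=139",
    "Jun 27 10:00:03 fw kernel: SRC=192.168.1.50 DST=192.168.1.202 PROTO=ICMP",
    "Jun 27 10:00:09 fw kernel: SRC=192.168.1.77 DST=192.168.1.250 PROTO=TCP DPT=80",
    "Jun 27 10:00:10 fw kernel: SRC=192.168.1.77 DST=192.168.1.255 PROTO=UDP DPT=137",
    "Jun 27 10:00:11 fw kernel: SRC=10.9.9.9 DST=192.168.1.20 PROTO=TCP DPT=25",
    "garbage line that should be skipped",
]


def run_sample():
    hits = unassigned_hits(LOG, ASSIGNED, "192.168.1.0/24")
    return hits, alarms(hits)


if __name__ == "__main__":
    hits, noisy = run_sample()
    for src in sorted(hits):
        print(src, "->", sorted(hits[src]))
    print("alarm:", noisy)
```

On the constructed log only 192.168.1.50 trips the alarm; 192.168.1.77 is recorded but stays below the threshold, and its broadcast to .255 is not counted at all. The threshold is the knob to tune: set it too low and every mistyped address pages someone, too high and a slow sweep stays under it.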

  15. The Home Team Advantage
  • Growing increasingly important is control of executable attachments and embedded instructions
  • Major difficulty is identifying executable attachments and syntax.
  • Could block all incoming containing attachments
    • All executable HTML (<IFRAME>)
    • Might not be popular

  16. The Home Team Advantage
  • May need to be creative
    • Would Melissa/Papa/ExploreZip work if MAPI only allowed one message per 30 seconds?
    • What happens if CDO is disabled?
    • CAN CDO be disabled?
    • (anyone know what CDO is?)

  17. The Home Team Advantage
  • Virus scanners
    • Everyone has them
    • Virus writers get them first
    • Reactive in nature
    • Best turnaround measured in hours
    • (Destructive attack can take minutes)
  • Decade of “voting with wallets” has made scanners the winner.

  18. The Home Team Advantage
  • Keep scanners, just add “more”.
    • Macro detectors & signing
    • Executable signing
    • Executable analyzers/unpackers/disassemblers
    • Integrity managers (oh – they went out of business)
    • CRC validators (they went out of business too?)
    • Tripwire for NT/98/95?
  • Need to be creative

  19. The Home Team Advantage
  • Identify a “crisis management team”
    • It will happen
    • Cannot afford delay while it pulls together
    • Need two teams – information crisis often lasts longer than a day
    • Three is better – one to manage, one to analyze, one to rest, but probably do not have enough people.
    • Must have authority to “close watertight doors”.

  20. The Home Team Advantage
  • Problem
    • World is different
    • Used to say “Cannot get a virus from E-Mail.” They fixed that bug.
    • Thems ain’t bugs, thems features (“EditFlags”)
    • Single layer defense not enough (proven with Melissa).

  21. The Home Team Advantage
  • Solution?
    • Need policy mandating defense
    • Need architecture to support defense
    • Need enforcement to guarantee defense
    • Need tools to test defense
    • Need conviction to not accept less
  • Leave any out & it would be a good idea to keep that resume updated

  22. The Home Team Advantage
  Thank you, Questions?
  A. Padgett Peterson, P.E.
