
Detecting Penetration Testing Ron Gula , SOURCE 2010






Presentation Transcript


  1. Detecting Penetration Testing. Ron Gula, SOURCE 2010

  2. WE ARE IN A GREAT CAREER FIELD

  3. [Chart: “Amount of grey hair” plotted against 90’s, 2000, 2009]

  4. PEN TEST REVIEW • DETECTION • REACTION

  5. I WANT YOUR COMMENTS AND QUESTIONS TOO

  6. WHY DETECT PENETRATION TESTERS? Real intrusions have real responses. [Image: John Dillinger from Public Enemies]

  7. PENETRATION TESTING HAS POLITICAL RESPONSES. [Cartoon captions:] “Working late again!” “Johnny, your password should be 25 characters” “We protect customer data” “Idiot”

  8. WE SHOULD BE DETECTING THIS ANYWAY, RIGHT?
     snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.24:36493 -> 192.168.20.16:5800
     snort[1578]: [1:2001743:8] ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 192.168.20.24:45379 -> 192.168.20.16:1025
     snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.24:45896 -> 192.168.20.21:80
     snort[1578]: [1:469:4] AUTHORIZED PENETRATION TEST [Classification: OK To Ignore, But Tell Your Boss] [Priority: 2]: {TCP} 192.168.20.24 -> 192.168.20.92
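The joke rule on the last line makes a real point: the alerts above are the same whether a contractor or an intruder fired them, so the SIM has to separate the two with context the sensor does not have. The following is an added example, not code from the talk or from Tenable: it parses the four Snort syslog lines from the slide, then labels each source as an authorized pen tester (known source IP hitting targets inside its agreed scope), a pen tester that strayed out of scope, or an unexplained attacker. The engagement table, the scope network and the fifth alert line are constructed for the example.

```python
"""Added example: triage Snort syslog alerts against an engagement table so
that authorized pen-test traffic can be told apart from unexplained attacks."""
import ipaddress
import re
from collections import defaultdict

# Snort syslog alert format as it appears on the slide:
# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# The four alert lines from the slide, plus one constructed alert in which the
# same tester aims at a target outside the agreed scope.
SAMPLE_ALERTS = [
    "snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 "
    "[Classification: Attempted Information Leak] [Priority: 2]: "
    "{TCP} 192.168.20.24:36493 -> 192.168.20.16:5800",
    "snort[1578]: [1:2001743:8] ET TROJAN HackerDefender Root Kit Remote Connection "
    "Attempt Detected [Classification: A Network Trojan was detected] [Priority: 1]: "
    "{TCP} 192.168.20.24:45379 -> 192.168.20.16:1025",
    "snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a "
    "potentially vulnerable web application] [Priority: 2]: "
    "{TCP} 192.168.20.24:45896 -> 192.168.20.21:80",
    "snort[1578]: [1:469:4] AUTHORIZED PENETRATION TEST [Classification: OK To Ignore, "
    "But Tell Your Boss] [Priority: 2]: {TCP} 192.168.20.24 -> 192.168.20.92",
    # constructed: out-of-scope target
    "snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 "
    "[Classification: Attempted Information Leak] [Priority: 2]: "
    "{TCP} 192.168.20.24:36501 -> 10.0.0.5:5800",
]

# Constructed engagement table: authorized tester IP -> network it may test.
ENGAGEMENTS = {"192.168.20.24": "192.168.20.0/24"}


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):            # ports are absent on some rules
        alert[key] = int(alert[key]) if alert[key] else None
    return alert


def label_alert(alert, engagements):
    """Classify one alert by who sent it and whether the target is in scope."""
    scope = engagements.get(alert["src"])
    if scope is None:
        return "unexplained"
    if ipaddress.ip_address(alert["dst"]) in ipaddress.ip_network(scope):
        return "authorized-pentest"
    return "pentest-out-of-scope"


def triage(lines, engagements):
    """Summarize alerts per (source, label): count, best priority, distinct sids."""
    summary = defaultdict(lambda: {"count": 0, "top_priority": 99, "sids": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = summary[(alert["src"], label_alert(alert, engagements))]
        entry["count"] += 1
        entry["top_priority"] = min(entry["top_priority"], alert["prio"])  # 1 is highest
        entry["sids"].add(alert["sid"])
    return dict(summary)


if __name__ == "__main__":
    for (src, label), entry in triage(SAMPLE_ALERTS, ENGAGEMENTS).items():
        print(f"{src:16} {label:22} alerts={entry['count']} "
              f"top_priority={entry['top_priority']} sids={sorted(entry['sids'])}")
```

Run with an empty engagement table and every alert comes back "unexplained", which is what the analyst sees when nobody told the SOC a test was scheduled; the out-of-scope label is the one that should page someone even during an announced test.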

  9. THERE ARE DIFFERENT TYPES OF PENETRATION TESTS. [Diagram labels: External; Internal; Guest Pen Testers; IT & Servers]

  10. THERE ARE DIFFERENT TYPES OF PENETRATION TESTS
     Web Attacker: “SQL Injection rules guys!”
     Services Exploiter: “No Way. I have a 0-day for Skype.”
     No Tech Hacker: “Screw you guys. I’m walking in.”

  11. WHAT ABOUT CLIENT SIDE PEN TESTS?
     • Test the browser security
     • Test the email client security
     • Test the web proxy security
     • Test the email spam security
     • See who clicks on links or opens hostile email

  12. THE MYTHICAL GOD-LIKE PEN TESTER. [Diagram: a “Normal Computer” on which]
     • Memory stays the same
     • CPU stays the same
     • Packets are normal
     • Configuration stays the same
     • Firewall logs the same
     • No additional files
     • Communicates the same
     • Error logs stay the same

  13. KNOW WHAT YOU CAN AND CAN’T MONITOR
     • Packets • Netflow • NIDS Logs • Firewall Logs • NBAD • Authentication • Authorized systems • Normal apps/programs • Web proxy logs • Spam logs • Topology
     • Vulnerabilities • Patch Audits • Configurations • Host Security
     • Host Logs • Audit Trail • Vulnerabilities • Application • Patch Audits • Configurations • Host security • File integrity • System and app logs • Audit Trail

  14. KNOW HOW A COMPROMISED SYSTEM BEHAVES
     • Packets • Netflow • NIDS Logs • Firewall Logs • NBAD • Authentication • Authorized systems • Normal apps/programs • Web proxy logs • Spam logs • Topology
     • Vulnerabilities • Patch Audits • Configurations • Host Security
     • Host Logs • Audit Trail • Vulnerabilities • Application • Patch Audits • Configurations • Host security • File integrity • System and app logs • Audit Trail
     • Access violations • New programs • Blacklisted sites • Modified files • High CPU • System errors • Illegal commands • Firewall Deny • Blacklisted IPs • Spikes in traffic • Illegal Hosts • Illegal Activity • New commands

  16. SIMPLE EXAMPLE – HTTP SERVER. [Diagram labels: Port 80 in. Nothing allowed out. Port 22 in. Nothing allowed out.]
     • No DNS. Web server jailed.
     • Use IPS/Proxy to stop 0-days
     • Monitor with NIDS/NBAD
     • Look for outbound denied firewalls
     • Watch for denies
     • SSH client attacks
     • System errors
     • Illegal Commands
     • Unauthorized changes
     • File integrity
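The value of the jailed-server design is that "nothing allowed out" turns every logged outbound packet into a detection, not a policy question. As an added example (not code from the talk), the block below reads iptables LOG lines from the egress-deny rule and reports any packet the jailed web server tried to send out, treating a DNS lookup separately because the slide says the server has no DNS. The log lines, the host address and the rule prefixes are constructed.

```python
"""Added example: turn egress-deny firewall logs for a jailed web server into
findings. Any outbound packet from the jailed host is a violation."""
import re

# Constructed: the jailed web server from the slide (port 80/22 in, nothing out).
JAILED_HOSTS = {"192.168.20.21"}

# Constructed iptables LOG lines (syslog header + kernel key=value fields).
SAMPLE_LOG = [
    # inbound deny from the Internet to telnet: noise, not a jail violation
    "Apr 23 09:10:01 fw1 kernel: [100.1] DROP-IN IN=eth0 OUT= SRC=203.0.113.9 "
    "DST=192.168.20.21 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN",
    # the web server trying to resolve a name: it has no business doing DNS
    "Apr 23 09:10:07 fw1 kernel: [100.2] DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.20.21 "
    "DST=8.8.8.8 LEN=58 PROTO=UDP SPT=41234 DPT=53",
    # the web server trying to call out: the phone-home the slide wants denied
    "Apr 23 09:10:09 fw1 kernel: [100.3] DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.20.21 "
    "DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51234 DPT=4444 SYN",
]

# Everything after "kernel:" (and an optional "[uptime]") up to "IN=" is the
# --log-prefix; the rest of the line is KEY=value pairs plus bare TCP flags.
PREFIX_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<prefix>.*?)\s*IN=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_log(line):
    """Return the LOG fields as a dict (plus 'prefix'), or None if not a LOG line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["prefix"] = m.group("prefix")
    return fields


def find_egress_violations(lines, jailed_hosts):
    """One finding per logged packet that a jailed host tried to send out."""
    findings = []
    for line in lines:
        f = parse_iptables_log(line)
        if f is None or f.get("SRC") not in jailed_hosts:
            continue
        if not f.get("OUT"):            # no egress interface: the packet was inbound
            continue
        proto, dport = f.get("PROTO"), f.get("DPT")
        kind = "dns-lookup" if proto == "UDP" and dport == "53" else "outbound-connection"
        findings.append({"host": f["SRC"], "dst": f.get("DST"), "proto": proto,
                         "dport": dport, "kind": kind, "rule": f["prefix"]})
    return findings


if __name__ == "__main__":
    for v in find_egress_violations(SAMPLE_LOG, JAILED_HOSTS):
        print(f"{v['kind']:20} {v['host']} -> {v['dst']} {v['proto']}/{v['dport']} ({v['rule']})")
```

On a host that logs from its own OUTPUT chain the same lines appear with IN= empty and OUT=eth0, so the check on OUT rather than on the interface name keeps the rule portable between the firewall and the server.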

  17. PEN TESTING AND “REAL” INCIDENT DIFFERENCES

  18. WHAT DO WEB APP ATTACKS LOOK LIKE? [Web Attacker: “SQL Injection rules guys!”]
     • Are you collecting any logs?
     • Can you tell an attack from a transaction?
     • Is your DBA watching things?
     • Will your NIDS/NBAD see anything?
     • What about your SIM?

  19. WHAT DOES A NETWORK ATTACK LOOK LIKE? [Services Exploiter: “No Way. I have a 0-day for Skype.”]
     • Are you collecting any logs?
     • Can you tell an attack from a normal user?
     • Is your admin watching things?
     • Will your NIDS/NBAD see anything?
     • What about your SIM?

  20. IT GOES ON AND ON !!!! Attackers and penetration testers have a potential infinite supply of places to attack. Hardening systems, reducing complexity and adding defenses reduces the attack points and lets you monitor for known outcomes. Monitor for outcomes you must!

  21. AUTOMATIC VULN SCANNING TOOL DETECTION
     Experiment: [1] Get a vulnscanner [2] Scan your network [3] Check your NIDS/SIM
     • Did we detect the scan?
     • What kind of logs do we make?
     • Can we rely on the NIDS vendors to detect scanners?
     • Does the same scanner scan the same all the time?

  22. PEN TESTING TOOL DETECTION
     Experiment: [1] Get a pen testing tool [2] Hack your network [3] Check your NIDS/SIM
     • What kind of logs do we make?
     • Can we rely on the NIDS vendors to detect pen testing?
     • Does the same pen tester hack the same all the time?

  23. FILE AND SOCIAL TROLLING DETECTION
     Experiment: [1] Use low tech hacking [2] Look for the goods [3] Check your NIDS/SIM/DLP
     • What kind of logs do we make?
     • Can we rely on the NIDS vendors to detect file browsing?
     • Are the same users going to click around the same way all the time?

  24. BEWARE OF FOCUSING ON JUST PEN TESTING TOOLS. [Batman parody captions:]
     “Holy MD5 checksums Batman, the Joker is using a penetration testing tool on the Bat Computer!”
     “The joke’s on him, loyal friend, those tools only look for a few holes. Wah, wah, wah. Not only do I have a custom exploit, it is encoded to get past the Bat IDS!”

  25. What can I do to find pen testers?

  26. MESSING WITH THE PEN TESTERS WITH DNS. Give DNS recon tools false information
     [root@megalon ~]# nslookup exchange.company.com
     Server: 192.168.20.24
     Address: 192.168.20.24#53
     ** server can't find exchange.company.com: NXDOMAIN
     [root@megalon ~]# nslookup imap.company.com
     Server: 192.168.20.24
     Address: 192.168.20.24#53
     Name: imap.company.com
     Address: 192.168.20.23
     Goal – waste more time of a potential hacker than your real IT staff’s
     • Where do these records point?
     • Who manages them in IT?
     • How often do you change them?
     • Might have different ones inside vs. outside vs. location
     • Might use a SIM, IDS, etc. to “watch” the target IPs
     • Could use a SIM to watch DNS queries and logs for these domains

  27. MESSING WITH THE PEN TESTERS WITH DNS. Slow Down DNS responses
     • Try to make the pen testers waste their time
     • DNS is really reliable – can you convince your IT staff to mess with it?
     • If an attacker knows your IP addresses, this doesn’t help
     • This could slow down an insider pen tester
     • Hopefully only slow down answers for stuff that isn’t live
     • Need very specialized DNS servers; does not need to be core servers

  28. MAKE FOOTHOLDS SLOW AND HARD TO USE. Make them work harder to leverage any compromised target
     • Reverse shells, phone homes, etc. prevented by ACL in network
     • Exploits work, but we’re leveraging that the attacker does not know our defenses
     • Need to have a process to investigate false positives

  29. MAKE FOOTHOLDS SLOW AND HARD TO USE. Make them work harder to leverage any compromised target
     • Proxies prevent some tunneling. Packet shapers can slow access.
     • Most IT organizations are OK with proxies and packet shapers
     • Are they hooked up to your SIM or NBAD and part of your monitoring?

  30. MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS. Force them to think – and less likely be a botnet
     [Diagram: Web Apache attack; SQL attack to Unix DB; Client side SSH exploit; IMAP Exchange Exploit]
     [Heckler: “Wait a second! Aren’t you the guy who’s been talking about compliance, repeatable builds and monocultures?”]
     • Pen testers pride themselves on doing this.
     • Are you looking for these exploits to begin with?
     • Does your SIM chain together these types of attacks?

  31. MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS. Force them to think – and less likely be a botnet
     [Diagram: Web IIS attack; SQL attack to Unix DB; Client side RDP exploit; IMAP Exchange Exploit]
     • Pen testers pride themselves on doing this.
     • Are you looking for these exploits to begin with?
     • Does your SIM chain together these types of attacks?
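The diversity argument only pays off on the detection side if the SIM joins the web exploit, the database attack and the later SSH or RDP exploit from one source into a single incident; a single-technique botnet never produces that pattern. As an added example (not the author's or any vendor's code), the correlation below groups normalized events per source into a time window and reports a chain when the window contains more than one distinct attack category. The event records and category names are constructed.

```python
"""Added example: SIM-style chaining of different attack categories from the
same source within a time window."""
from collections import defaultdict
from datetime import datetime

# Constructed normalized events: (timestamp, source, category, target).
EVENTS = [
    ("2010-04-23T09:00:05", "198.51.100.7", "web-exploit", "192.168.20.21"),
    ("2010-04-23T09:14:40", "198.51.100.7", "sql-attack", "192.168.20.30"),
    ("2010-04-23T09:40:12", "198.51.100.7", "ssh-exploit", "192.168.20.30"),
    ("2010-04-23T15:00:00", "198.51.100.7", "imap-exploit", "192.168.20.40"),
    # one source hammering one category: looks like a botnet, not a chain
    ("2010-04-23T09:01:00", "203.0.113.55", "web-exploit", "192.168.20.21"),
    ("2010-04-23T09:02:00", "203.0.113.55", "web-exploit", "192.168.20.21"),
    ("2010-04-23T09:03:00", "203.0.113.55", "web-exploit", "192.168.20.21"),
]


def find_chains(events, window_seconds=3600, min_stages=2):
    """Group each source's events into windows anchored on the first event in
    the window; a window with at least min_stages distinct categories is a chain.
    Returns a list of chains in source order, each with its stages in time order."""
    by_src = defaultdict(list)
    for ts, src, cat, dst in events:
        by_src[src].append((datetime.fromisoformat(ts), cat, dst))
    chains = []
    for src, evs in sorted(by_src.items()):
        evs.sort()
        i = 0
        while i < len(evs):
            start = evs[i][0]
            j = i
            # extend the window while the next event is within window_seconds of the anchor
            while j + 1 < len(evs) and (evs[j + 1][0] - start).total_seconds() <= window_seconds:
                j += 1
            stages, targets = [], set()
            for _, cat, dst in evs[i:j + 1]:
                if cat not in stages:       # keep first-seen order of categories
                    stages.append(cat)
                targets.add(dst)
            if len(stages) >= min_stages:
                chains.append({"src": src, "stages": stages, "targets": sorted(targets),
                               "start": start.isoformat(), "end": evs[j][0].isoformat()})
            i = j + 1                       # next window starts after this one
    return chains


if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print(f"{chain['src']}: {' -> '.join(chain['stages'])} "
              f"against {chain['targets']} ({chain['start']} .. {chain['end']})")
```

The window length is the knob that matters: too short and a patient tester who waits an afternoon between the web foothold and the database attack is never chained, too long and unrelated noise from a busy source is joined together, so tune it against your own pen-test experiments from the earlier slides.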

  32. USE DYNAMIC NAC TO LIMIT INTERNAL ACCESS. Kick them off the network while generating alerts
     • Most people think of NAC as a dead market
     • NAC is alive and well in your switch vendor
     [Image: Stewie getting his MAC address kicked off the net]
     • NAC can block hosts by MAC address, authentication & activity
     • Are NAC logs something sent to your SIM?

  33. HONEYPOTS AND DECOYS. Let them eat cake... fake servers!
     [Diagram labels: Interactive Honeypot; Honeypot target; Real server, Honeypot service; “Imaginary” Honeypots; “Real” Honeypots; Firewall or IPS responds]
     • Honeypots can add complexity to your network
     • Every packet to a honeypot is not an attacker
     • Have you configured “honeypot” analysis in your SIM, NBAD or IDS?
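Slides 26 and 33 both end on the same monitoring question: once you have planted fake DNS records and honeypot addresses, is anything watching for the people who find them? The block below is an added example (not code from the talk) that serves both slides: it scans BIND-style query logs for lookups of decoy names and a connection log for traffic to honeypot addresses, then rates each source. A lone packet to a honeypot is only a "notice", because as the slide says every packet to a honeypot is not an attacker; a source that resolved a decoy name and then connected to it, or that touched several honeypot services, is "investigate". The decoy table, the allowlisted scanner address and all log lines are constructed.

```python
"""Added example: score sources that trip DNS decoys and honeypots, with a
scanner allowlist and a threshold so stray packets do not become incidents."""
import re
from collections import defaultdict

# Constructed decoy table. The slide's imap.company.com answers with the
# honeypot address 192.168.20.23; exchange.company.com exists only to be guessed.
DECOY_NAMES = {"imap.company.com", "exchange.company.com"}
HONEYPOT_IPS = {"192.168.20.23", "192.168.20.99"}
# Constructed: our own vulnerability scanner legitimately touches everything.
ALLOWLIST = {"192.168.20.5"}

# Constructed BIND-style query log lines.
DNS_LOG = [
    "23-Apr-2010 09:12:01.123 client 192.168.20.24#41000: query: imap.company.com IN A + (192.168.20.2)",
    "23-Apr-2010 09:12:03.555 client 192.168.20.50#52010: query: www.company.com IN A + (192.168.20.2)",
    "23-Apr-2010 09:12:09.010 client 192.168.20.5#39000: query: imap.company.com IN A + (192.168.20.2)",
]
# Constructed connection records: time src dst proto dport (firewall or netflow export).
CONN_LOG = [
    "2010-04-23T09:13:10 192.168.20.24 192.168.20.23 TCP 143",
    "2010-04-23T09:13:40 192.168.20.24 192.168.20.99 TCP 445",
    "2010-04-23T09:20:00 192.168.20.77 192.168.20.99 TCP 445",
    "2010-04-23T09:30:00 192.168.20.5 192.168.20.23 TCP 143",
    "2010-04-23T09:30:01 192.168.20.5 192.168.20.99 TCP 445",
    "2010-04-23T09:31:00 192.168.20.50 192.168.20.21 TCP 80",
]

DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def decoy_activity(dns_lines, conn_lines, decoy_names, honeypot_ips):
    """Per source: decoy names it resolved and honeypot (ip, proto, port) it touched."""
    activity = defaultdict(lambda: {"decoy_lookups": set(), "honeypot_hits": set()})
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m and m.group("name").rstrip(".").lower() in decoy_names:
            activity[m.group("src")]["decoy_lookups"].add(m.group("name"))
    for line in conn_lines:
        _ts, src, dst, proto, dport = line.split()
        if dst in honeypot_ips:
            activity[src]["honeypot_hits"].add((dst, proto, int(dport)))
    return activity


def verdicts(dns_lines, conn_lines, decoy_names=DECOY_NAMES,
             honeypot_ips=HONEYPOT_IPS, allowlist=ALLOWLIST):
    """Map each source that touched a decoy to 'ignore', 'notice' or 'investigate'."""
    result = {}
    for src, a in decoy_activity(dns_lines, conn_lines, decoy_names, honeypot_ips).items():
        if src in allowlist:
            result[src] = "ignore"
        elif (a["decoy_lookups"] and a["honeypot_hits"]) or len(a["honeypot_hits"]) >= 2:
            result[src] = "investigate"   # found the decoy by name and went there, or roamed
        else:
            result[src] = "notice"        # one stray touch: could be a misconfiguration
    return result


if __name__ == "__main__":
    for src, verdict in sorted(verdicts(DNS_LOG, CONN_LOG).items()):
        print(f"{src:16} {verdict}")
```

Sources that never touch a decoy (192.168.20.50 above) do not appear at all, which keeps the output small enough to read every day; the allowlist is what stops your own scanner from being the noisiest "attacker" on the list.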

  34. ENGAGE THE ATTACKERS. Attack the attackers
     • Launch DOS attacks against attackers
     • Hook chargen up to services
     • Host fake network diagrams
     • Viruses in honeypot office files
     • Host hidden porn. Monitor for access.
     • ZIP bombs in files obtained
     • Fake chat logs that have fake account info
     • Very large fake password files
     • Replace common commands.
     “Hack back” is illegal in lots of places. You could be playing with fire. This truly is security through obscurity.

  35. HOW MUCH OF THIS DO YOU TELL AUDIT? They might be impressed. They might be confused. They might totally out you!

  36. WHAT IF YOU DON’T DETECT THEM? They “only” broke into here and here. Yet they made a huge report.

  37. CONCLUSIONS
     • Detecting real attacks and penetration testing is very similar
     • We should be good enough to detect intrusions AND differentiate between a “pen test” and a “real attack”
     • If we don’t have access to the logs, vulns, packets, etc. we can’t do either

  38. QUESTIONS or COMMENTS?? RonGula on Twitter • www.tenablesecurity.com • blog.tenablesecurity.com • TENABLE is hiring! jobs@tenablesecurity.com
