1 / 27

Beyond Intrusion Detection - Prevention & Protection

Beyond Intrusion Detection - Prevention & Protection. Problem Domain. Viruses, Worms, Trojans, and Bad Code… Hybrid Threats designed to improve chances for propagation MS_Blaster NIMDA CodeRed SQL Slammer Hackers, Script Kiddies, Malicious Insiders

dusty
Download Presentation

Beyond Intrusion Detection - Prevention & Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Beyond Intrusion Detection - Prevention & Protection

  2. Problem Domain • Viruses, Worms, Trojans, and Bad Code… • Hybrid Threats designed to improve chances for propagation • MS_Blaster • NIMDA • CodeRed • SQL Slammer • Hackers, Script Kiddies, Malicious Insiders • Theft of Intellectual Property, Confidentiality, and associated Legal Liability • HIPAA, Sarbanes/Oxley, California Senate Bill no.1386, Buckley Amendment

  3. State of Security Today Firewalls and anti-virus were not capable of stopping any of the last 5 major Internet attacks Add MS Blaster!

  4. Example - HTTP-based Attack

  5. Remote User = Unsecured • Outside firewall • Connections are not monitored • Visit unsuitable websites • Download unsuitable software • Broadband • Faster connections encourage ‘other uses’ • Peer to peer software • Instant Messenger tools • Software vulnerabilities • Targeted by hybrid worms

  6. Accidental Internal Attack INTRUDER Company Confidential

  7. Problem: Firewalls are Not Enough • Firewalls can’t block malicious traffic • Many ports must be kept open for healthy applications to run • Users unwittingly download dangerous applications or other forms of malicious code • “Always on” connection = Always vulnerable • Peer-to-peer and instant messaging have introduced new infection vectors

  8. Problem: AV is Not Enough • AV signature scanning is a reactive model • Several must suffer infection before samples can be obtained, signatures developed, updates released, and protection deployed to your vulnerable endpoints • MS_Blaster recently spread quickly and undetected, wreaking havoc throughout the world

  9. Problem: Network IPS is not enough • Although Network IPS has its place, many threats originate at the Desktop • To protect at the Source, Host based Intrusion Detection and Prevention is necessary • Detecting only at the Network may be too late

  10. Multi-layered Compromise You have Mail ! INTRUDER Company Confidential

  11. “All I Have To Do Is Patch My Systems” “It is a never-ending cycle, trying to keep up with this stuff” - Toyota “It takes 30-60 days to install a single patch at every one of our 110 bases” - US Air Force Source: Forbes, May 26, 2003

  12. Typically, apply patch to perimeter network No Patch. Security Patch available. Apply patches everywhere after business is disrupted Vulnerability and Threat Time-Line Vulnerability Disclosure Exploit Disclosure Worm

  13. Exploit Signature Based Time-Line Reactive. Add exploit pattern and variants. No exploit patterns Vulnerability Disclosure Exploit Disclosure Worm No exploit patterns Reactive. Add worm exploit pattern. Similar to anti-virus, add new variants

  14. Virtual Patch Based Time line Proactive. Protected. Protocol Validation. Vulnerability Disclosure Exploit Disclosure Worm Virtual Patch Proactive. Protected.

  15. Case Study Microsoft SQL Server Resolution Protocol Stack-based Overflow (MS SQL Slammer Worm)

  16. What was the bug? • Vulnerability • Microsoft SQL Server 2000 and MSDE • Buffer-overflow in “SQL Server Resolution” • Vuln = ssrp.name.length > 97 • Disclosed July, 2002 • Exploit • Several noted well before January 25th • Worm on January 25, 2003

  17. What do sigs look like? • All sigs • UDP port 1434 • First byte equal to 4 • Pattern-match sigs • Slammer pattern • Protocol-analysis sigs • Check length of field for overflow

  18. Snort alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \ msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

  19. Vulnerability Signature SQL_SSRP_StackBo is ( udp.dst == 1434 ssrp.type == 4 ssrp.name.length > ssrp.threshold)where ssrp.type is first-byte of packetwhere ssrp.name is nul-terminated string starting at secondwhere ssrp.threshold defaults to 97 SQL_SSRP_SlammerWorm is ( SQL_SSRP_StackBo pattern-search[offset=97] = DCC9B042EB0E010101010101 )

  20. Integrated Application Security Technology Evolution

  21. Layered Technologies File Based Attack Vector Network Based Attack Vector AV AppCtrl IBE BuffOP PFW IDS/IPS Port 80 Behavioral Reactive Port 135 Port 445 Port 1025 Port xyz Pre-Execution Pre-Execution Execution Space

  22. Buffer Overflow Local Variables Return Address Stack Void funcA(char *b) { char buf[10]; strcpy(buf,s); printf(“buffer is %s\n”,s); } funcA(“aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”); …

  23. Buffer Overflow Local Variables Return Address x90\x90\x90\x90\x90\x90\xeb \xff\x81\x36\x80\xbf\x32\x94 \x05\xe8\xe2\xff\xff\xff\x03\ Stack Overflow buffer with shellcode and overwrite original return address Attacker then jumps to new user-controlled return address Arbitrary code can then be executed by the attacker. This code could directly or indirectly access system calls such as CreateProcess(….)

  24. Case: Network: MS Blaster: DayZERO File Based Attack Vector Network Based Attack Vector AV AppCtrl 0-day BuffOP PFW IDS/IPS Port 80 Behavioral Reactive Port 135 RPC Port 445 Port 1025 Port xyz Pre-Execution Pre-Execution Execution Space

  25. Case: Network: MS Blaster: DayZERO RPC Service has been DOS’d Must Reboot File Based Attack Vector Network Based Attack Vector AV AppCtrl IBE BuffOP PFW IDS/IPS Port 80 Behavioral Reactive Port 135 RPC RPC Port 445 Port 1025 Port xyz Pre-Execution Pre-Execution Execution Space

  26. What’s the difference? • Protecting against exploits is reactive • Too late for many • Variants undo previous updates • Typical of AV and most IDS/IPS vendors • Protecting against vulnerabilities is proactive • Stops threat at source • Requires advanced R&D

  27. Thanks! Questions?

More Related