Description: PowerPoint PPT presentation; the slide text follows.
© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.
Beyond Intrusion Detection - Prevention & Protection
Problem Domain
• Viruses, Worms, Trojans, and Bad Code…
• Hybrid Threats designed to improve chances for propagation
  – MS Blaster
  – NIMDA
  – Code Red
  – SQL Slammer
• Hackers, Script Kiddies, Malicious Insiders
• Theft of Intellectual Property, Confidentiality, and associated Legal Liability
  – HIPAA, Sarbanes-Oxley, California Senate Bill no. 1386, Buckley Amendment
State of Security Today
Firewalls and anti-virus were not capable of stopping any of the last 5 major Internet attacks.
(Add MS Blaster to that list.)
Example - HTTP-based Attack
Remote User = Unsecured
• Outside firewall
  – Connections are not monitored
  – Visit unsuitable websites
  – Download unsuitable software
• Broadband
  – Faster connections encourage ‘other uses’
  – Peer-to-peer software
  – Instant Messenger tools
• Software vulnerabilities
  – Targeted by hybrid worms
Accidental Internal Attack (diagram; labels: INTRUDER, Company Confidential)
Problem: Firewalls are Not Enough
• Firewalls can’t block malicious traffic that arrives on ports they must allow
• Many ports must be kept open for healthy applications to run
• Users unwittingly download dangerous applications or other forms of malicious code
• “Always on” connection = Always vulnerable
• Peer-to-peer and instant messaging have introduced new infection vectors
Problem: AV is Not Enough
• AV signature scanning is a reactive model
• Several must suffer infection before samples can be obtained, signatures developed, updates released, and protection deployed to your vulnerable endpoints
• MS Blaster recently spread quickly and undetected, wreaking havoc throughout the world
Problem: Network IPS is Not Enough
• Although Network IPS has its place, many threats originate at the desktop
• To protect at the source, host-based intrusion detection and prevention is necessary
• Detecting only at the network may be too late
Multi-layered Compromise (diagram; labels: INTRUDER, “You have Mail!”, Company Confidential)
“All I Have To Do Is Patch My Systems”
“It takes 30-60 days to install a single patch at every one of our 110 bases”
- US Air Force
“It is a never-ending cycle, trying to keep up with this stuff”
- Toyota
Source: Forbes, May 26, 2003
Vulnerability and Threat Time-Line
Stages: Vulnerability Disclosure -> Exploit Disclosure -> Worm
• At vulnerability disclosure: No patch.
• At exploit disclosure: Security patch available. Typically, apply patch to perimeter network.
• At worm: Apply patches everywhere after business is disrupted.
Exploit Signature Based Time-Line
Stages: Vulnerability Disclosure -> Exploit Disclosure -> Worm
• At vulnerability disclosure: No exploit patterns.
• At exploit disclosure: Reactive. Add exploit pattern and variants.
• At worm: Reactive. Add worm exploit pattern. Similar to anti-virus, add new variants.
Virtual Patch Based Time-Line
Stages: Vulnerability Disclosure -> Exploit Disclosure -> Worm
• At vulnerability disclosure: Protocol validation. Virtual patch.
• At exploit disclosure: Proactive. Protected.
• At worm: Proactive. Protected.
Case Study
Microsoft SQL Server Resolution Protocol Stack-based Overflow (MS SQL Slammer Worm)
What was the bug?
• Vulnerability
  – Microsoft SQL Server 2000 and MSDE
  – Buffer overflow in the “SQL Server Resolution” service
  – Vuln = ssrp.name.length > 97
  – Disclosed July, 2002
• Exploit
  – Several noted well before January 25th
  – Worm on January 25, 2003
What do sigs look like?
• All sigs
  – UDP port 1434
  – First byte equal to 4
• Pattern-match sigs
  – Slammer pattern
• Protocol-analysis sigs
  – Check length of field for overflow
Snort
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \
    msg:"MS-SQL Worm propagation attempt"; \
    content:"|04|"; depth:1; \
    content:"|81 F1 03 01 04 9B 81 F1 01|"; \
    content:"sock"; content:"send"; \
    reference:bugtraq,5310; reference:bugtraq,5311; \
    reference:url,vil.nai.com/vil/content/v_99992.htm; \
    classtype:misc-attack; sid:2003; rev:2; \
)
Every content match in this rule is a byte string taken from the worm itself; nothing in it checks the length of the name field that actually triggers the overflow.
Vulnerability Signature
SQL_SSRP_StackBo is (
    udp.dst == 1434
    ssrp.type == 4
    ssrp.name.length > ssrp.threshold
)
  where ssrp.type is the first byte of the packet
  where ssrp.name is the nul-terminated string starting at the second byte
  where ssrp.threshold defaults to 97

SQL_SSRP_SlammerWorm is (
    SQL_SSRP_StackBo
    pattern-search[offset=97] = DCC9B042EB0E010101010101
)
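The two signature styles from the last three slides (pattern match versus protocol analysis), as an added example that is not ISS code and not taken from the deck. It parses a type-4 SSRP datagram the way the vulnerability signature describes (name = NUL-terminated string from the second byte, threshold 97) and layers the Slammer pattern check on top. The four packets are constructed for illustration, not captured traffic; the instance name, NOP filler and 96-byte padding are assumptions, not worm bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not ISS code: the two signature styles from the slides applied
 * to SSRP datagrams (UDP/1434). The vulnerability signature fires on any type-4
 * request whose name exceeds 97 bytes; the exploit signature additionally
 * requires the Slammer bytes at offset 97. All packets here are constructed. */

#define SSRP_TYPE_INSTANCE 0x04   /* ssrp.type that reaches the vulnerable parser */
#define SSRP_THRESHOLD     97     /* ssrp.threshold from the vulnerability signature */
#define SLAMMER_OFFSET     97     /* pattern-search[offset=97] */

enum ssrp_verdict { SSRP_CLEAN = 0, SSRP_OVERFLOW = 1, SSRP_SLAMMER = 2 };

/* DC C9 B0 42 EB 0E 01 01 01 01 01 01, as written on the slide */
static const uint8_t slammer_pattern[] = {
    0xDC, 0xC9, 0xB0, 0x42, 0xEB, 0x0E, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01
};

/* ssrp.name.length: bytes from offset 1 up to the first NUL. A datagram with
 * no NUL counts its whole remainder, since the target keeps copying until it
 * finds one. */
static size_t ssrp_name_length(const uint8_t *pkt, size_t len)
{
    size_t i = 1;
    while (i < len && pkt[i] != 0)
        i++;
    return i - 1;
}

/* SQL_SSRP_StackBo: any over-long name, whatever bytes follow it. */
int ssrp_is_overflow(const uint8_t *pkt, size_t len)
{
    if (len < 1 || pkt[0] != SSRP_TYPE_INSTANCE)
        return 0;
    return ssrp_name_length(pkt, len) > SSRP_THRESHOLD;
}

/* SQL_SSRP_SlammerWorm: the overflow plus one specific payload. */
int ssrp_is_slammer(const uint8_t *pkt, size_t len)
{
    if (!ssrp_is_overflow(pkt, len) || len < SLAMMER_OFFSET + sizeof slammer_pattern)
        return 0;
    return memcmp(pkt + SLAMMER_OFFSET, slammer_pattern, sizeof slammer_pattern) == 0;
}

int ssrp_classify(const uint8_t *pkt, size_t len)
{
    if (ssrp_is_slammer(pkt, len))  return SSRP_SLAMMER;
    if (ssrp_is_overflow(pkt, len)) return SSRP_OVERFLOW;
    return SSRP_CLEAN;
}

/* Constructed type-4 request: 0x04, `fill` repeated n times, then tail
 * (tail_len bytes, no NULs), then the terminating NUL. Returns the length,
 * or 0 if out is too small. */
size_t ssrp_build(uint8_t *out, size_t cap, uint8_t fill, size_t n,
                  const uint8_t *tail, size_t tail_len)
{
    size_t total = 1 + n + tail_len + 1;
    if (total > cap)
        return 0;
    out[0] = SSRP_TYPE_INSTANCE;
    memset(out + 1, fill, n);
    if (tail_len)
        memcpy(out + 1 + n, tail, tail_len);
    out[total - 1] = 0;
    return total;
}

/* Verdicts for four constructed samples (see main for what each one is). */
int sample_verdict(int which)
{
    uint8_t pkt[256], nops[12];
    size_t len = 0;
    switch (which) {
    case 0: len = ssrp_build(pkt, sizeof pkt, 0, 0, (const uint8_t *)"SQLEXPRESS", 10); break;
    case 1: len = ssrp_build(pkt, sizeof pkt, 0x01, 96, slammer_pattern, sizeof slammer_pattern); break;
    case 2: memset(nops, 0x90, sizeof nops);
            len = ssrp_build(pkt, sizeof pkt, 'A', 96, nops, sizeof nops); break;
    case 3: len = ssrp_build(pkt, sizeof pkt, 'A', 97, NULL, 0); break;
    }
    return ssrp_classify(pkt, len);
}

int main(void)
{
    printf("0 benign 10-byte instance name     -> %d\n", sample_verdict(0));
    printf("1 Slammer bytes at offset 97       -> %d\n", sample_verdict(1));
    printf("2 same overflow, NOP bytes instead -> %d\n", sample_verdict(2));
    printf("3 name of exactly 97 bytes         -> %d\n", sample_verdict(3));
    return 0;
}
```

Sample 2 is the point of the deck: it is the same overflow with different bytes after offset 97, so the exploit signature stays silent while the vulnerability signature still fires. Sample 3 sits exactly at the threshold and is clean, matching the strict "> 97" on the slide; a sensor that also wants to catch datagrams truncated before the NUL should treat a missing terminator as the slide's parser does, which is why ssrp_name_length counts to the end of the datagram.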
Security Technology Evolution (diagram; label: Integrated Application)
Layered Technologies (diagram)
Network-based attack vector: PFW, IDS/IPS, IBE, AppCtrl, BuffOP, in front of Port 80, Port 135, Port 445, Port 1025, Port xyz.
File-based attack vector: AV, Behavioral.
Column labels: Pre-Execution, Execution Space, Reactive.
Buffer Overflow
Stack layout: local variables, then the saved return address.

void funcA(char *s) {
    char buf[10];
    strcpy(buf, s);                 /* no bounds check: writes strlen(s)+1 bytes into a 10-byte buffer */
    printf("buffer is %s\n", buf);
}
…
funcA("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");   /* 30 bytes plus the NUL run past buf and over the return address */
Buffer Overflow
Stack layout: local variables, then the saved return address.
• Overflow the buffer with shellcode and overwrite the original return address.
• On return, execution jumps to the new, attacker-controlled return address, i.e. into the shellcode:
  \x90\x90\x90\x90\x90\x90\xeb
  \xff\x81\x36\x80\xbf\x32\x94
  \x05\xe8\xe2\xff\xff\xff\x03\
• Arbitrary code can then be executed by the attacker. This code could directly or indirectly access system calls such as CreateProcess(….)
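The same 10-byte buffer as funcA with the unbounded strcpy replaced by a length check, as an added example that is not part of the slides. overflow_bytes predicts how far the original strcpy would write past the buffer for a given input; funcA_safe refuses inputs that do not fit, and funcA_truncating shows the snprintf alternative for cases where truncation is acceptable. BUF_SIZE and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: hardened versions of funcA. */

#define BUF_SIZE 10   /* same size as buf[10] on the slide */

/* Bytes the original strcpy(buf, s) would write beyond a BUF_SIZE buffer
 * (strlen(s) + 1 for the NUL, minus the buffer), or 0 if it fits. */
size_t overflow_bytes(const char *s)
{
    size_t needed = strlen(s) + 1;
    return needed > BUF_SIZE ? needed - BUF_SIZE : 0;
}

/* Hardened funcA: reject input that does not fit instead of copying it.
 * Returns 0 on success, -1 when the input would have overflowed. */
int funcA_safe(const char *s)
{
    char buf[BUF_SIZE];
    if (overflow_bytes(s) != 0)
        return -1;                  /* refuse rather than truncate silently */
    memcpy(buf, s, strlen(s) + 1);  /* bounded: the length was checked above */
    printf("buffer is %s\n", buf);
    return 0;
}

/* Alternative when truncation is acceptable: snprintf never writes past
 * out_len and always NUL-terminates; its return value reveals truncation.
 * Returns 1 if the input was truncated, 0 otherwise. */
int funcA_truncating(const char *s, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s", s);
    return (n < 0 || (size_t)n >= out_len) ? 1 : 0;
}

int main(void)
{
    const char *slide_input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";  /* 30 bytes, as on the slide */
    char out[BUF_SIZE];

    printf("overflow_bytes(slide input) = %zu\n", overflow_bytes(slide_input));
    printf("funcA_safe(\"short\")       = %d\n", funcA_safe("short"));
    printf("funcA_safe(slide input)    = %d\n", funcA_safe(slide_input));
    printf("truncated = %d, out = \"%s\"\n",
           funcA_truncating(slide_input, out, sizeof out), out);
    return 0;
}
```

The slide's 30-byte argument needs 31 bytes with its terminator, so overflow_bytes reports 21 bytes written past buf, which is more than enough to reach the saved return address on the diagram. Rejecting oversized input is the safer default; silent truncation (strncpy without a guaranteed terminator, in particular) trades a crash for a subtler bug.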
Case: Network: MS Blaster: Day Zero (diagram)
Same layered-technology diagram with the attack arriving over RPC and the IDS/IPS layer marked 0-day. Network-based attack vector: PFW, IDS/IPS (0-day), AppCtrl, BuffOP, in front of Port 80, Port 135, Port 445, Port 1025, Port xyz. File-based attack vector: AV, Behavioral. Column labels: Pre-Execution, Execution Space, Reactive.
Case: Network: MS Blaster: Day Zero, continued (diagram)
Same diagram (PFW, IDS/IPS, IBE, AppCtrl, BuffOP; Port 80, Port 135, Port 445, Port 1025, Port xyz; AV, Behavioral; Pre-Execution, Execution Space, Reactive) with the RPC traffic reaching the host. Outcome shown: RPC Service has been DoS’d. Must reboot.
What’s the difference?
• Protecting against exploits is reactive
  – Too late for many
  – Variants undo previous updates
  – Typical of AV and most IDS/IPS vendors
• Protecting against vulnerabilities is proactive
  – Stops the threat at its source
  – Requires advanced R&D
Thanks! Questions?