© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems. Beyond Intrusion Detection - Prevention & Protection


DESCRIPTION

Beyond Intrusion Detection - Prevention & Protection. Problem Domain. Viruses, Worms, Trojans, and Bad Code… Hybrid Threats designed to improve chances for propagation MS_Blaster NIMDA CodeRed SQL Slammer Hackers, Script Kiddies, Malicious Insiders - PowerPoint PPT Presentation


Page 1: Beyond Intrusion Detection - Prevention & Protection


Beyond Intrusion Detection - Prevention & Protection

Page 2: Beyond Intrusion Detection - Prevention & Protection


Problem Domain

• Viruses, Worms, Trojans, and Bad Code…
• Hybrid Threats designed to improve chances for propagation
  – MS_Blaster
  – NIMDA
  – CodeRed
  – SQL Slammer
• Hackers, Script Kiddies, Malicious Insiders
• Theft of Intellectual Property, Confidentiality, and associated Legal Liability
  – HIPAA, Sarbanes/Oxley, California Senate Bill no.1386, Buckley Amendment

Page 3: Beyond Intrusion Detection - Prevention & Protection


State of Security Today

Firewalls and anti-virus were not capable of stopping any of the last 5 major Internet attacks

Add MS Blaster!

Page 4: Beyond Intrusion Detection - Prevention & Protection


Example - HTTP-based Attack

Page 5: Beyond Intrusion Detection - Prevention & Protection


Remote User = Unsecured

• Outside firewall
  – Connections are not monitored
• Visit unsuitable websites
• Download unsuitable software
• Broadband
  – Faster connections encourage ‘other uses’
• Peer to peer software
• Instant Messenger tools
• Software vulnerabilities
  – Targeted by hybrid worms

Page 6: Beyond Intrusion Detection - Prevention & Protection


Accidental Internal Attack

INTRUDER

Company Confidential

Page 7: Beyond Intrusion Detection - Prevention & Protection


Problem: Firewalls are Not Enough

• Firewalls can’t block malicious traffic
• Many ports must be kept open for healthy applications to run
• Users unwittingly download dangerous applications or other forms of malicious code
• “Always on” connection = Always vulnerable
• Peer-to-peer and instant messaging have introduced new infection vectors

Page 8: Beyond Intrusion Detection - Prevention & Protection


Problem: AV is Not Enough

• AV signature scanning is a reactive model
• Several must suffer infection before samples can be obtained, signatures developed, updates released, and protection deployed to your vulnerable endpoints
• MS_Blaster recently spread quickly and undetected, wreaking havoc throughout the world

Page 9: Beyond Intrusion Detection - Prevention & Protection


Problem: Network IPS is not enough

• Although Network IPS has its place, many threats originate at the Desktop

• To protect at the Source, Host based Intrusion Detection and Prevention is necessary

• Detecting only at the Network may be too late

Page 10: Beyond Intrusion Detection - Prevention & Protection


Multi-layered Compromise

INTRUDER

You have Mail !

Company Confidential

Page 11: Beyond Intrusion Detection - Prevention & Protection


“All I Have To Do Is Patch My Systems”

“It takes 30-60 days to install a single patch at every one of our 110 bases”

- US Air Force

“It is a never-ending cycle, trying to keep up with this stuff”

- Toyota

Source: Forbes, May 26, 2003

Page 12: Beyond Intrusion Detection - Prevention & Protection


Vulnerability and Threat Time-Line

Timeline milestones: Vulnerability Disclosure, Exploit Disclosure, Worm

Patch status along the timeline: No Patch. Security Patch available. Typically, apply patch to perimeter network. Apply patches everywhere after business is disrupted.

Page 13: Beyond Intrusion Detection - Prevention & Protection


Exploit Signature Based Time-Line

Timeline milestones: Vulnerability Disclosure, Exploit Disclosure, Worm

Exploit-signature coverage along the timeline: No exploit patterns. No exploit patterns. Reactive. Add exploit pattern and variants. Reactive. Add worm exploit pattern. Similar to anti-virus, add new variants.

Page 14: Beyond Intrusion Detection - Prevention & Protection


Virtual Patch Based Time line

Timeline milestones: Vulnerability Disclosure, Exploit Disclosure, Worm

Virtual-patch coverage along the timeline: Protocol Validation. Virtual Patch. Proactive. Protected. Proactive. Protected.

Page 15: Beyond Intrusion Detection - Prevention & Protection


Case Study

Microsoft SQL Server Resolution Protocol Stack-based Overflow

(MS SQL Slammer Worm)

Page 16: Beyond Intrusion Detection - Prevention & Protection


What was the bug?

• Vulnerability
  – Microsoft SQL Server 2000 and MSDE
  – Buffer-overflow in “SQL Server Resolution”
    • Vuln = ssrp.name.length > 97
  – Disclosed July, 2002
• Exploit
  – Several noted well before January 25th
  – Worm on January 25, 2003

Page 17: Beyond Intrusion Detection - Prevention & Protection


What do sigs look like?

• All sigs
  – UDP port 1434
  – First byte equal to 4
• Pattern-match sigs
  – Slammer pattern
• Protocol-analysis sigs
  – Check length of field for overflow

Page 18: Beyond Intrusion Detection - Prevention & Protection


Snort

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \
    msg:"MS-SQL Worm propagation attempt"; \
    content:"|04|"; depth:1; \
    content:"|81 F1 03 01 04 9B 81 F1 01|"; \
    content:"sock"; content:"send"; \
    reference:bugtraq,5310; reference:bugtraq,5311; \
    reference:url,vil.nai.com/vil/content/v_99992.htm; \
    classtype:misc-attack; sid:2003; rev:2;)

Page 19: Beyond Intrusion Detection - Prevention & Protection


Vulnerability Signature

SQL_SSRP_StackBo is (udp.dst == 1434
                     ssrp.type == 4
                     ssrp.name.length > ssrp.threshold)

where ssrp.type is first byte of packet
where ssrp.name is nul-terminated string starting at second byte
where ssrp.threshold defaults to 97

SQL_SSRP_SlammerWorm is (SQL_SSRP_StackBo
                         pattern-search[offset=97] = DCC9B042EB0E010101010101)
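As an added example (not part of the ISS deck), the two signatures on this slide implemented in Python over constructed UDP/1434 payloads: the vulnerability signature fires on any type-4 request whose name overruns the 97-byte threshold, while the exploit signature additionally requires the Slammer bytes, so a constructed variant carrying different code is caught only by the former. Function and sample names are my own, and `pattern-search[offset=97]` is read as a search that starts at byte offset 97.

```python
SSRP_THRESHOLD = 97   # ssrp.threshold default from the slide
SLAMMER_PATTERN = bytes.fromhex("DCC9B042EB0E010101010101")  # pattern from the slide
PATTERN_OFFSET = 97   # pattern-search[offset=97], taken as the search start offset


def parse_ssrp(payload: bytes) -> dict:
    """Pull the two fields the signature needs out of an SSRP datagram."""
    if not payload:
        return {"type": None, "name": b""}
    rest = payload[1:]                          # ssrp.name starts at the second byte
    nul = rest.find(b"\x00")                    # ssrp.name is nul-terminated
    return {"type": payload[0], "name": rest if nul < 0 else rest[:nul]}


def sql_ssrp_stackbo(dst_port: int, payload: bytes,
                     threshold: int = SSRP_THRESHOLD) -> bool:
    """Vulnerability signature: any type-4 request whose name overruns the buffer."""
    if dst_port != 1434:
        return False
    fields = parse_ssrp(payload)
    return fields["type"] == 4 and len(fields["name"]) > threshold


def sql_ssrp_slammer_worm(dst_port: int, payload: bytes) -> bool:
    """Exploit signature: the vulnerability condition plus the known worm bytes."""
    if not sql_ssrp_stackbo(dst_port, payload):
        return False
    return payload.find(SLAMMER_PATTERN, PATTERN_OFFSET) != -1


def classify(dst_port: int, payload: bytes) -> str:
    """Label a datagram the way the two signatures would."""
    if sql_ssrp_slammer_worm(dst_port, payload):
        return "SQL_SSRP_SlammerWorm"
    if sql_ssrp_stackbo(dst_port, payload):
        return "SQL_SSRP_StackBo"
    return "benign"


# Constructed sample datagrams (not real captures).
BENIGN = b"\x04" + b"MYSQLSERVER\x00"                             # normal instance lookup
SLAMMER_LIKE = b"\x04" + b"\x01" * 97 + SLAMMER_PATTERN + b"\x01" * 20
VARIANT = b"\x04" + b"\x01" * 97 + b"\x90" * 12 + b"\x01" * 20    # same overflow, new bytes

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("slammer", SLAMMER_LIKE), ("variant", VARIANT)):
        print(f"{label:8s} -> {classify(1434, pkt)}")
```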

Page 20: Beyond Intrusion Detection - Prevention & Protection


Security Technology Evolution

Integrated Application

Page 21: Beyond Intrusion Detection - Prevention & Protection


Layered Technologies

Figure: layered technologies by attack vector.
Network Based Attack Vector: PFW, IDS/IPS, IBE, AppCtrl, BuffOP (Port 80, Port 135, Port 445, Port 1025, Port xyz)
File Based Attack Vector: AV (Reactive), Behavioral
Stages: Pre-Execution, Pre-Execution, Execution Space

Page 22: Beyond Intrusion Detection - Prevention & Protection


Buffer Overflow

Stack: Local Variables, Return Address

#include <stdio.h>
#include <string.h>

/* Deliberately unsafe: strcpy copies the whole string into a 10-byte buffer */
void funcA(char *s) { char buf[10]; strcpy(buf, s); printf("buffer is %s\n", s); }

funcA("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");…

Page 23: Beyond Intrusion Detection - Prevention & Protection


Buffer Overflow

Stack: Local Variables, Return Address

Overflow buffer with shellcode and overwrite original return address. Attacker then jumps to new user-controlled return address.

\x90\x90\x90\x90\x90\x90\xeb
\xff\x81\x36\x80\xbf\x32\x94
\x05\xe8\xe2\xff\xff\xff\x03\

Arbitrary code can then be executed by the attacker. This code could directly or indirectly access system calls such as CreateProcess(….)

Page 24: Beyond Intrusion Detection - Prevention & Protection


File Based Attack Vector

Case: Network: MS Blaster: Day ZERO

Figure: layered technologies diagram for the Blaster case.
Network Based Attack Vector: PFW, IDS/IPS (0-day), AppCtrl, BuffOP (Port 80, Port 135, Port 445, Port 1025, Port xyz); RPC
File Based Attack Vector: AV (Reactive), Behavioral
Stages: Pre-Execution, Pre-Execution, Execution Space

Page 25: Beyond Intrusion Detection - Prevention & Protection


File Based Attack Vector

Case: Network: MS Blaster: Day ZERO

Figure: layered technologies diagram for the Blaster case, continued.
Network Based Attack Vector: PFW, IDS/IPS, IBE, AppCtrl, BuffOP (Port 80, Port 135, Port 445, Port 1025, Port xyz); RPC, RPC
File Based Attack Vector: AV (Reactive), Behavioral
Stages: Pre-Execution, Pre-Execution, Execution Space
Outcome: RPC Service has been DOS’d. Must Reboot.

Page 26: Beyond Intrusion Detection - Prevention & Protection


What’s the difference?

• Protecting against exploits is reactive
  – Too late for many
  – Variants undo previous updates
  – Typical of AV and most IDS/IPS vendors
• Protecting against vulnerabilities is proactive
  – Stops threat at source
  – Requires advanced R&D

Page 27: Beyond Intrusion Detection - Prevention & Protection


Thanks! Questions?