The Home Team Advantage
A. Padgett Peterson, P.E., Information Protection
Lockheed Martin Corporation
Orlando, Florida
app0627992
Why bother?
- Attacks coming faster
- Using novel mechanisms for attack (dare I say “covert channels”?)
- Responses slow
- “Nothing worse than an expert out of their field”
Is defense feasible? Good question.
- Defenders need to close every hole, attacker needs to find just one
- Many find “school of fish” approach attractive (may I suggest a tontine?)
- Others just keep their resume updated
If defense is to work, defenders need an “unfair advantage”:
- Perimeter defense
- Desktop defense
- Layered defense
- Defense in depth
“It’s not just an admin job anymore”
For years tools have been designed to be “universal” applications:
- Can be launched from anywhere
- Operate across bridges/firewalls
- Operate unattended
Consider port scanners: ISS, CyberCop, SATAN/SANTA, Socket2me
All are essentially similar:
- Select an IP (or range)
- Identify hardware/OS
- Select a port from a list
- Try to open it
- If it opens, perform known manipulations
- If that works, identify vulnerability
To here is basically the same for attacker and defender.
“Home Team” can:
- Identify IP range
- Identify hardware/OS
- Compare to map
- Correct exceptions
- Run Portmapper/NetStat
- Identify services (expected/not)
- Identify vulnerabilities
Difference: can walk up to machine, run local tests, interview administrator.
Example: consider “Back Orifice”
- Scanner can only detect it if it uses the default (no password / port 31337)
- Portmapper/NetStat will show anomalous UDP no matter what configuration
- Of course you must know what to expect.
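One way to do the Portmapper/NetStat comparison the slides describe, as an added example that is not from the deck: parse netstat-style output, compare the sockets the host is serving against an expected-service map for its role, and report what is open but not on the map (the anomalous UDP port a Back Orifice install shows) and what is on the map but not open. The sample output and the expected map are constructed for the example.

```python
import re

# Constructed `netstat -an` style output (not from the deck): a mail host that is
# also listening on UDP 31337, the Back Orifice default port.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    10.1.2.3:1045          10.1.2.9:80            ESTABLISHED
UDP    0.0.0.0:53             *:*
UDP    0.0.0.0:31337          *:*
"""

# The "map": which (proto, port) pairs each host role is expected to serve.
# Assumed inventory for the example, not from the deck.
EXPECTED = {
    "mailserver": {("TCP", 25), ("TCP", 80), ("UDP", 53)},
}

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?")


def listening_sockets(netstat_text):
    """Return the set of (proto, port) pairs the host is serving."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        proto, _local, port, _foreign, state = m.groups()
        # UDP sockets have no state; TCP counts only when LISTENING,
        # so an outbound client connection (ESTABLISHED) is ignored.
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, int(port)))
    return found


def compare_to_map(role, netstat_text):
    """Return (unexpected, missing): open but not on the map, on the map but not open."""
    actual = listening_sockets(netstat_text)
    expected = EXPECTED[role]
    return sorted(actual - expected), sorted(expected - actual)
```

Because the comparison is against the map rather than against a list of known bad ports, a backdoor moved off its default port still shows up as an unexpected socket.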
Or consider port scanners themselves:
- Most check only the most common ports
- FWTK checks less than half
- Commercial scanners may check as many as 100 known ports
- Why? RTT
- But if you are local, can test all 65,536 ports in about ten minutes
Some are wondering “why all 65,536 ports?”
- For one, is a nice firewall test but takes two machines, one on each side of wall.
- Pump 65,536 packets (131,072 with UDP, couple more for ICMP (LOKI)).
- Find out quickly what gets through and what doesn’t.
- Reverse for other side. Takes about an hour but often revealing.
Some are still wondering …
- Well, if defense is just a screening router, can just read the ACLs (why bother with test at all).
- But if the “firewall” is a “farm”: 15 to 25 different machines, several different products
- Is often easier to detect ports first, then say “why?”
Another is MAC addresses (quick: name four different meanings of MAC)
- Lost when cross bridge/router/firewall
- But if you can run scanner locally, then header contains MAC address
- Six byte value; identifies manufacturer and often model
- Must open box to change
- VAX magically becoming PC is cause for concern
- Believe Mr. Smith knows about MAC (now).
If MAC addresses are known, can also record location of machine
- On error, know where to dispatch help
- Can identify movement on subnets
Can also use active hubs (e.g. 3Com)
- Allow traffic on that line only to/from that MAC address
- Defeats promiscuous setting; will only receive own and broadcast traffic.
Yet another is knowing which IP addresses are assigned.
- Devise a promiscuous machine to respond/record any attempt to ping or open a port on an unassigned IP. Alarm if multiple.
- DHCP provides a different problem and requires an active system with knowledge of assignments.
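An added example (not from the deck) covering the MAC-address and unassigned-IP slides together: an asset map of assigned IPs with their MAC and location, checked against frames seen on the local segment to flag a MAC change (and so a manufacturer OUI change, the “VAX becoming PC” case) on a known address, and any traffic from or to an address that is not assigned. The inventory and the three-entry OUI excerpt are constructed for the demonstration; with DHCP the map would have to be fed from the lease table, as the slide notes.

```python
# Constructed asset map (not from the deck): assigned IP -> (MAC, location).
INVENTORY = {
    "10.1.2.3": ("08-00-2b-11-22-33", "Bldg 4 / Rm 101"),
    "10.1.2.4": ("00-60-8c-44-55-66", "Bldg 4 / Rm 102"),
}

# Three-entry excerpt of the IEEE OUI registry, enough for the demonstration.
OUI_VENDOR = {"08-00-2b": "DEC", "00-60-8c": "3Com", "00-a0-c9": "Intel"}


def normalize(mac):
    """Lower-case, dash-separated form so 00:A0:C9:.. and 00-a0-c9-.. compare equal."""
    return mac.lower().replace(":", "-")


def vendor(mac):
    """The first three bytes of a MAC identify the manufacturer."""
    return OUI_VENDOR.get(normalize(mac)[:8], "unknown")


def check_frame(src_ip, src_mac, dst_ip):
    """Return alarm strings for one frame seen on the local segment."""
    alarms = []
    known = INVENTORY.get(src_ip)
    if known is None:
        alarms.append(f"{src_ip}: traffic from unassigned IP, MAC {src_mac} ({vendor(src_mac)})")
    else:
        known_mac, where = known
        if normalize(src_mac) != known_mac:
            # Same address, different box: the "VAX magically becoming PC" case.
            alarms.append(f"{src_ip} at {where}: MAC changed {known_mac} -> {src_mac} "
                          f"({vendor(known_mac)} -> {vendor(src_mac)})")
    if dst_ip not in INVENTORY:
        # The unassigned-IP listener: nothing legitimate should be addressed there.
        alarms.append(f"{src_ip} probed unassigned IP {dst_ip}")
    return alarms


def scan_log(frames):
    """Run check_frame over (src_ip, src_mac, dst_ip) tuples and collect every alarm."""
    return [alarm for frame in frames for alarm in check_frame(*frame)]
```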
Growing increasingly important is control of executable attachments and embedded instructions.
- Major difficulty is identifying executable attachments and syntax.
- Could block all incoming containing attachments
- All executable HTML (<IFRAME>)
- Might not be popular
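As an added example of identifying executable attachments and executable HTML (not code from the deck): walk the MIME parts of a message and flag an <IFRAME> in an HTML part, an attachment whose name carries an executable extension, and a payload that begins with the “MZ” marker of a DOS/Windows executable regardless of what it is named. The message and the extension list are constructed for the example.

```python
import email
from email import policy

# Constructed message (not from the deck): a text part, an HTML part carrying an
# <IFRAME>, and an "attachment" named like text that actually begins with "MZ".
RAW_MESSAGE = b"""\
From: a@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: text/html

<html><body><IFRAME src="cid:part1"></IFRAME></body></html>
--XX
Content-Type: application/octet-stream; name="report.txt"
Content-Disposition: attachment; filename="report.txt"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XX--
"""

# Extensions Windows runs directly; an assumed starter list, extend as needed.
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif")


def classify(raw):
    """Return (reason, detail) findings for every part that could execute."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Executable HTML: the deck's <IFRAME> case, matched case-insensitively
        if ctype == "text/html" and b"<iframe" in payload.lower():
            findings.append(("executable-html", "<IFRAME> in HTML part"))
        if name.endswith(EXEC_EXTENSIONS):  # the name says executable
            findings.append(("executable-extension", name))
        # The content says executable whatever the name: DOS/PE files start with MZ
        if payload[:2] == b"MZ":
            findings.append(("executable-magic", name or ctype))
    return findings
```

The magic-byte check is what catches the renamed executable; the extension check alone would pass “report.txt”.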
May need to be creative
- Would Melissa/Papa/ExploreZip work if MAPI only allowed one message per 30 seconds?
- What happens if CDO is disabled?
- CAN CDO be disabled? (anyone know what CDO is?)
Virus Scanners
- Everyone has them
- Virus writers get them first
- Reactive in nature
- Best turnaround measured in hours (destructive attack can take minutes)
- Decade of “voting with wallets” has made scanners the winner.
Keep scanners, just add “more”:
- Macro detectors & signing
- Executable signing
- Executable analyzers/unpackers/disassemblers
- Integrity managers (oh, they went out of business)
- CRC validators (they went out of business too?)
- Tripwire for NT/98/95?
- Need to be creative
Identify a “crisis management team”
- It will happen
- Cannot afford delay while it pulls together
- Need two teams: information crisis often lasts longer than a day
- Three is better: one to manage, one to analyze, one to rest, but probably do not have enough.
- Must have authority to “close watertight doors”.
Problem: world is different
- Used to say “Cannot get a virus from E-Mail.” They fixed that bug.
- Thems ain’t bugs, thems features (“EditFlags”)
- Single layer defense not enough (proven with Melissa).
Solution?
- Need policy mandating defense
- Need architecture to support defense
- Need enforcement to guarantee defense
- Need tools to test defense
- Need conviction to not accept less
Leave any out and it would be a good idea to keep that resume updated.