The Home Team Advantage

A. Padgett Peterson, P.E.
Information Protection
Lockheed Martin Corporation
Orlando, Florida


Why bother?
- Attacks are coming faster
- Using novel mechanisms for attack (dare I say “covert channels”?)
- Responses are slow
- “Nothing worse than an expert out of their field”

Is defense feasible? Good question.
- Defenders need to close every hole; the attacker needs to find just one
- Many find the “school of fish” approach attractive (may I suggest a tontine?)
- Others just keep their resume updated

If defense is to work, defenders need an “unfair advantage”:
- Perimeter defense
- Desktop defense
- Layered defense
- Defense in depth
“It’s not just an admin job anymore”

For years tools have been designed to be “universal” applications:
- Can be launched from anywhere
- Operate across bridges/firewalls
- Operate unattended
Consider portscanners: ISS, Cybercop, Satan/Santa, Socket2me

All are essentially similar:
1. Select an IP (or range)
2. Identify hardware/OS
3. Select a port from a list
4. Try to open it
5. If it opens, perform known manipulations
6. If that works, identify the vulnerability
To here is basically the same for attacker and defender.

The “Home Team” can:
- Identify the IP range
- Identify hardware/OS
- Compare to the map
- Correct exceptions
- Run Portmapper/NetStat
- Identify services (expected/not)
- Identify vulnerabilities
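The defender's version of the scanner loop above, as an added example that is not part of the talk: the home team holds a map of which ports each of its own hosts is supposed to answer on, surveys the hosts locally, and reports the exceptions (ports open that are not on the map, and mapped services that have gone quiet). The map, host addresses and "observed" results are constructed for the example.

```python
import socket
from typing import Dict, Set, Tuple

# Expected-service map: which ports each of our hosts is supposed to answer on.
# Constructed sample; a real map comes from the site's own records.
EXPECTED_SERVICES: Dict[str, Set[int]] = {
    "10.0.0.5": {22, 80, 443},  # web server
    "10.0.0.9": {25, 110},      # mail server
}


def compare_services(expected: Dict[str, Set[int]],
                     observed: Dict[str, Set[int]]) -> Tuple[dict, dict]:
    """Return (unexpected, missing): ports that answered but are not on the
    map, and mapped ports that did not answer. A host absent from the map has
    every open port reported as unexpected."""
    unexpected, missing = {}, {}
    for host, ports in observed.items():
        extra = ports - expected.get(host, set())
        if extra:
            unexpected[host] = extra
    for host, want in expected.items():
        gone = want - observed.get(host, set())
        if gone:
            missing[host] = gone
    return unexpected, missing


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> bool:
    """Connect probe for a single port on one of our own hosts."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def survey(hosts, ports=range(1, 65536)):
    """Probe every host/port pair (1-65535) from inside the network and return
    {host: open ports}. A real run would thread the probes; the logic is the same."""
    return {h: {p for p in ports if probe_tcp(h, p)} for h in hosts}


if __name__ == "__main__":
    # Constructed observation in place of a live survey: 10.0.0.5 also answers
    # on 31337 (the Back Orifice default), 10.0.0.9 lost POP3, 10.0.0.77 is unmapped.
    observed = {"10.0.0.5": {22, 80, 443, 31337}, "10.0.0.9": {25},
                "10.0.0.77": {139}}
    extra, gone = compare_services(EXPECTED_SERVICES, observed)
    print("unexpected:", extra)
    print("missing:", gone)
```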

Difference: can walk up to the machine, run local tests, interview the administrator.
Example: consider “Back Orifice”
- A scanner can only detect it if it uses the defaults (no password, port 31337)
- Portmapper/NetStat will show the anomalous UDP port no matter what the configuration
- Of course you must know what to expect.

Or consider port scanners themselves:
- Most check only the most common ports
- FWTK checks less than half
- Commercial scanners may check as many as 100 known ports
- Why? RTT
- But if you are local you can test all 65,536 ports in about ten minutes

Some are wondering “why all 65,536 ports?”
- For one, it is a nice firewall test, but takes two machines – one on each side of the wall
- Pump 65,536 packets (131,072 with UDP, a couple more for ICMP (LOKI))
- Find out quickly what gets through and what doesn’t
- Reverse for the other side
- Takes about an hour but is often revealing

Some are still wondering …
- Well, if the defense is just a screening router, you can just read the ACLs (why bother with a test at all?)
- But if the “firewall” is a “farm”: 15 to 25 different machines, several different products
- It is often easier to detect the ports first, then ask “why?”

Another is MAC addresses (quick: name four different meanings of MAC)
- Lost when crossing a bridge/router/firewall
- But if you can run the scanner locally, the frame header contains the MAC address
- Six-byte value
- Identifies the manufacturer and often the model
- Must open the box to change it
- A VAX magically becoming a PC is cause for concern
Believe Mr. Smith knows about MAC (now).

If MAC addresses are known, you can also record the location of the machine:
- On error, know where to dispatch help
- Can identify movement on subnets
Can also use active hubs (e.g. 3Com):
- Allow traffic on that line only to/from that MAC address
- Defeats the promiscuous setting: the port will only receive its own and broadcast traffic
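The MAC inventory check from the two slides above, as an added example (not the author's code): pairs of IP and MAC collected locally from frame headers are compared with the recorded inventory, the first three octets are mapped to a manufacturer, and a vendor change on a known address (the "VAX magically becoming a PC") or an unrecorded host is reported together with the recorded location. The inventory, the sample pairs and the small OUI table are constructed for the example; a real lookup uses the IEEE OUI registry.

```python
from typing import Dict, List, Tuple

# Sample OUI (first three octets) to vendor table, constructed for this example;
# a real lookup uses the IEEE OUI registry.
OUI_VENDOR = {"08:00:2b": "Digital Equipment", "00:00:0c": "Cisco",
              "00:a0:c9": "Intel"}

# Recorded inventory, IP -> (MAC, physical location). Constructed sample.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.0.0.5": ("08:00:2b:11:22:33", "Bldg 3, room 110"),
    "10.0.0.9": ("00:00:0c:44:55:66", "Bldg 3, wiring closet"),
}

# Constructed "ip mac" pairs as a local scanner would collect them from frame
# headers (not the output format of any particular arp command).
ARP_SAMPLE = """\
10.0.0.5 00:A0:C9:AA:BB:CC
10.0.0.9 00:00:0c:44:55:66
10.0.0.42 00:a0:c9:01:02:03
"""


def vendor_of(mac: str) -> str:
    return OUI_VENDOR.get(mac.lower()[:8], "unknown")


def parse_pairs(text: str) -> Dict[str, str]:
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[parts[0]] = parts[1].lower()
    return table


def audit(inventory, seen: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare what is on the wire with the inventory. A vendor change on a
    recorded IP is the 'VAX magically becoming a PC' case."""
    findings = []
    for ip, mac in seen.items():
        if ip not in inventory:
            findings.append((ip, f"unrecorded host, vendor {vendor_of(mac)}"))
            continue
        known, where = inventory[ip]
        if mac == known.lower():
            continue
        old, new = vendor_of(known), vendor_of(mac)
        kind = f"vendor changed {old} -> {new}" if old != new else "MAC changed, same vendor"
        findings.append((ip, f"{kind}, recorded location {where}"))
    return findings
```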

Yet another is knowing which IP addresses are assigned.
- Devise a promiscuous machine to respond to/record any attempt to ping or open a port on an unassigned IP
- Alarm if multiple
- DHCP provides a different problem and requires an active system with knowledge of assignments
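The detection half of the sentinel described above, as an added example that is not from the talk: given the subnet the home team owns and the set of addresses actually assigned, it reads the attempts a sentinel host recorded, keeps those aimed at unassigned addresses, and raises the "alarm if multiple" rule per source. The subnet, assignments and log lines are constructed; a static assignment list is assumed (the DHCP case on the slide needs a live feed of leases instead).

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample: the subnet the home team owns and the addresses that are
# actually assigned. Everything else in the subnet should never be contacted.
SUBNET = ip_network("10.0.0.0/24")
ASSIGNED = {ip_address(a) for a in ("10.0.0.1", "10.0.0.5", "10.0.0.9")}

# Constructed log lines in the shape a sentinel host would record them:
# "src -> dst proto/port". Not the format of any particular tool.
LOG = """\
10.0.0.5 -> 10.0.0.9 tcp/25
10.0.0.200 -> 10.0.0.17 icmp/echo
10.0.0.200 -> 10.0.0.18 tcp/139
10.0.0.200 -> 10.0.0.19 tcp/139
10.0.0.9 -> 10.0.0.1 udp/53
10.0.0.9 -> 192.0.2.7 tcp/80
"""
LINE = re.compile(r"^(\S+) -> (\S+) (\S+)$")


def unassigned_hits(log: str, subnet=SUBNET, assigned=ASSIGNED) -> Dict[str, List[str]]:
    """{source: [unassigned destinations it touched]}. Traffic leaving the
    subnet is ignored; only our own dark addresses count."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst = m.group(1), ip_address(m.group(2))
        if dst in subnet and dst not in assigned:
            hits[src].append(str(dst))
    return dict(hits)


def alarms(log: str, threshold: int = 2) -> List[str]:
    """Sources that probed at least `threshold` distinct unassigned addresses:
    the slide's 'alarm if multiple' rule."""
    return sorted(src for src, dsts in unassigned_hits(log).items()
                  if len(set(dsts)) >= threshold)
```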

Growing increasingly important is control of executable attachments and embedded instructions.
- Major difficulty is identifying executable attachments and syntax
- Could block all incoming mail containing attachments
- Or all executable HTML (<IFRAME>)
- Might not be popular
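A narrower filter than "block all attachments", as an added example (not the author's code): each MIME part is checked for an executable file name, for executable content hiding under a harmless name (DOS/Windows executables start with "MZ" whatever they are called), and for an <IFRAME> in an HTML body. The extension list is a starting point, and the sample message is constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions treated as executable: a starting list for the site to extend.
EXEC_EXT = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js"}
# DOS/Windows executables start with "MZ" regardless of the file name.
EXEC_MAGIC = b"MZ"
IFRAME = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def findings(msg: EmailMessage) -> list:
    """Reasons to hold a message: executable attachments (by name or by
    content) and <IFRAME> in HTML parts."""
    out = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in EXEC_EXT:
            out.append(f"executable attachment by name: {name}")
        elif name and payload.startswith(EXEC_MAGIC):
            out.append(f"executable content under harmless name: {name}")
        if part.get_content_type() == "text/html" and IFRAME.search(part.get_content()):
            out.append("HTML body contains <IFRAME>")
    return out


def scan_raw(raw: bytes) -> list:
    """Same check on a message as read from a mailbox or SMTP gateway."""
    return findings(email.message_from_bytes(raw, policy=policy.default))


def build_sample() -> EmailMessage:
    """Constructed message: HTML body with an iframe, a renamed executable,
    and an attachment that is executable by name alone."""
    m = EmailMessage()
    m["Subject"] = "sample"
    m.set_content("plain text")
    m.add_alternative("<html><body><IFRAME src='x'></IFRAME></body></html>",
                      subtype="html")
    m.add_attachment(b"MZ\x90\x00 not really a program", maintype="application",
                     subtype="octet-stream", filename="report.doc")
    m.add_attachment(b"not a program either", maintype="application",
                     subtype="octet-stream", filename="setup.exe")
    return m
```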

May need to be creative:
- Would Melissa/Papa/ExploreZip work if MAPI only allowed one message per 30 seconds?
- What happens if CDO is disabled?
- CAN CDO be disabled? (anyone know what CDO is?)

Virus Scanners
- Everyone has them
- Virus writers get them first
- Reactive in nature
- Best turnaround measured in hours (a destructive attack can take minutes)
- A decade of “voting with wallets” has made scanners the winner

Keep scanners, just add “more”:
- Macro detectors & signing
- Executable signing
- Executable analyzers/unpackers/disassemblers
- Integrity managers (oh – they went out of business)
- CRC validators (they went out of business too?)
- Tripwire for NT/98/95?
- Need to be creative
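The core of the integrity managers and CRC validators listed above, as an added example (not the author's or Tripwire's code): fingerprint every file under a root, keep the result as a baseline, and report what was modified, added or removed on the next run. It records both a CRC-32 and a SHA-256 so the difference is visible: the CRC catches accidental corruption, but a file can be altered and patched to keep its CRC, so the cryptographic hash is what the comparison relies on. The sample tree in `demo()` is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
import zlib


def fingerprint_chunks(chunks):
    """(sha256 hex digest, crc32) of a byte stream. CRC-32 only catches
    accidental corruption: a modified file can be patched to keep its CRC, so
    the cryptographic hash is the value the baseline actually relies on."""
    h, crc = hashlib.sha256(), 0
    for chunk in chunks:
        h.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return h.hexdigest(), crc & 0xFFFFFFFF


def fingerprint_file(path):
    with open(path, "rb") as f:
        return fingerprint_chunks(iter(lambda: f.read(65536), b""))


def baseline(root):
    """Fingerprint every file under root, keyed by '/'-separated relative path."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint_file(full)
    return out


def compare(old, new):
    """Changes between two baselines: the report an integrity manager raises."""
    return {"modified": sorted(p for p in old if p in new and old[p] != new[p]),
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}


def demo():
    """Constructed sample tree: baseline it, then alter a binary and add a file."""
    root = tempfile.mkdtemp()
    def write(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    write("bin/login", b"original binary")
    write("etc/hosts", b"127.0.0.1 localhost\n")
    before = baseline(root)
    write("bin/login", b"replaced binary")  # the change Tripwire exists to catch
    write("etc/rc.local", b"start\n")        # a file that was not there before
    return compare(before, baseline(root))
```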

Identify a “crisis management team”:
- It will happen
- Cannot afford the delay while one pulls together
- Need two teams – an information crisis often lasts longer than a day
- Three is better – one to manage, one to analyze, one to rest, but probably do not have enough
- Must have authority to “close watertight doors”

Problem: the world is different
- Used to say “Cannot get a virus from E-Mail.” They fixed that bug.
- Thems ain’t bugs, thems features (“EditFlags”)
- Single-layer defense is not enough (proven with Melissa)

Solution?
- Need policy mandating defense
- Need architecture to support defense
- Need enforcement to guarantee defense
- Need tools to test defense
- Need conviction to not accept less
Leave any out and it would be a good idea to keep that resume updated.

Thank you. Questions?

A. Padgett Peterson, P.E.