Cloud Security (WS 2015/16)

Transcription

1 Cloud Security (WS 2015/16) 8. OpenNebula, Intrusion Detection, Honeypots Hans P. Reiser Winter semester 2015/2016, Hans P. Reiser Vervielfältigung nur mit Genehmigung

2 Overview: today s class OpenNebula Intrusion Detection Motivation Basic definitions Classification of IDS Example HIDS: OSSEC Example NIDS: snort Honeypots Definition and History Classification of Honeypots Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid Hans P. Reiser CloudSec (Part 8) 8.2

3 OpenNebula...see slides section 5.39ff Hans P. Reiser CloudSec (Part 8) 8.3

4 Overview: today s class OpenNebula Intrusion Detection Motivation Basic definitions Classification of IDS Example HIDS: OSSEC Example NIDS: snort Honeypots Definition and History Classification of Honeypots Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid Hans P. Reiser CloudSec (Part 8) 8.4

5 Motivation Preventive security measures work maybe 99% of the time Increasing this coverage to 100% is extremely hard Martin Holste: Detection is the new prevention In many cases, most damage can be prevented by detection and containment Not everyone agrees (Jim Brennan, IBM Security Program Director: This notion moves us unnecessarily and dangerously in the wrong direction. ) Real systems require both prevention and detection in a coordinated manner! Hans P. Reiser CloudSec (Part 8) 8.6

6 Motivation Several aspects of detection Intrusion detection Honeypots Computer forensics Detection, virtualization, and cloud computing Hans P. Reiser CloudSec (Part 8) 8.7

7 Overview: today s class OpenNebula Intrusion Detection Motivation Basic definitions Classification of IDS Example HIDS: OSSEC Example NIDS: snort Honeypots Definition and History Classification of Honeypots Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid Hans P. Reiser CloudSec (Part 8) 8.8

8 Basic terminology Intrusion: Attempt of some adversary to break into or misuse your system Adversary may be insider or outsider, with or without physical access to your system Many forms of attacks and vulnerabilities Buffer overflows Race conditions Missing input sanitization ( SQL injection, etc.) Broken protocols (authentication, etc.) Privilege escalation... Many of them are subject of software security! Hans P. Reiser CloudSec (Part 8) 8.9

9 Definitions Intrusion: any activity that violates the security policy of the system Intrusion Detection: process used to identify intrusions Intrusion Detection System (IDS): System that monitors network or system activities for detecting malicious activity or policy violations and produces a report about these incidents Intrusion Prevention System (IPS): Extension of IDS that can also actively prevent or block intrusions (also called Intrusion Detection and Prevention System IDPS) Rational: If we are unable to build a secure system (and apparently we are...), we should at least try to detect when things go wrong and apply corrective measures Hans P. Reiser CloudSec (Part 8) 8.10

10 Classification of IDS Where to detect intrusions? Host based (HIDS) Network based (NIDS) Hypervisor based (HV-IDS) How to detect intrusions? Signature based Anomaly detection Hans P. Reiser CloudSec (Part 8) 8.11

11 Where to detect intrusions? Host-based IDS Host OS or application provide information Example: authentication events, open files, running processes, etc. Analysis of these logs Advantages Detailed system information available Example: OS data (open files, processes, etc.), system log files, Application-internal data Near-realtime detection Disadvantages: Problem of selecting appropriate information to log (detectability of intrusion vs. logging overhead) Risk of manipulation of log information by intruder Hans P. Reiser CloudSec (Part 8) 8.12

12 Where to detect intrusions? Network-based IDS Observation and analysis of network traffic Advantages Monitoring independent of target OS / system Isolation: no influence on behaviour, presence of IDS not detectable for adversary Disadvantages Access to limited amount of information (e.g., no information about host-internal activities of intruder) Difficulty of analysing encrypted network traffic Hans P. Reiser CloudSec (Part 8) 8.13

13 Where to detect intrusions? Virtualization-based IDS Monitoring in separate VM on same physical host as target VM Access to target disk, target main memory (VMI), and network communication Advantages Host-based IDS with isolation Network-based IDS without dedicated monitoring hardware Benefits by combining HIDS and NIDS (e.g., extract encryption key) Disadvantages Difficulty of interpreting VM-internal data structures from outside the VM (e.g., where in memory can we find the process list?) Physical host needs resources to run both IDS system and target system Hans P. Reiser CloudSec (Part 8) 8.14

14 How to detect intrusions? Anomaly detection Model for normal system operation Detection of deviations of this normal behaviour Advantages: Ability to detect novel attacks Disadvantages: False negatives if intrusion does not result in sufficiently unusual behaviour False positives may be triggered by regular variations of behaviour Hans P. Reiser CloudSec (Part 8) 8.15

15 How to detect intrusions? Signature based Observed behaviour matches known attack description Advantages: No knowledge about normal behaviour required Often simple implementations (e.g., simple pattern match on network messages) Disadvantages: Unable to detect novel attacks New detection mechanism needs to implemented for each new attack Possibility of false alarms Hans P. Reiser CloudSec (Part 8) 8.16

16 Homework Read the article Anomaly-based network intrusion detection: Techniques, systems and challenges by Pedro García-Teodoro, Jesús Díaz-Verdejo, Gabriel Maciá-Fernández, Enrique Vázquez. In Computers & Security 28(1-2): (2009) doi: /j.cose (to be discussed next week) Hans P. Reiser CloudSec (Part 8) 8.17

17 Overview: today s class OpenNebula Intrusion Detection Motivation Basic definitions Classification of IDS Example HIDS: OSSEC Example NIDS: snort Honeypots Definition and History Classification of Honeypots Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid Hans P. Reiser CloudSec (Part 8) 8.18

18 Example HIDS: OSSEC OSSEC: Open source HIDS 2005: first release by Daniel B. Cid 2008: acquisition by Third Brigade, acquired by Trend Micro in 2009 Main features: Log analysis File integrity monitoring Registry integrity checking (Windows) Rootkit detection (host-based anomaly detection on Unix) Active response Cross-platform (Linux, Solaris, AIX, HP-UX, MacOS, Windows) Hans P. Reiser CloudSec (Part 8) 8.19

19 Example HIDS: OSSEC Hans P. Reiser CloudSec (Part 8) 8.20

20 Example HIDS: OSSEC Main focus: Log analysis Multiple logs (e.g., syslog, http logs, mail logs) Correlation between logs Log-based Intrusion Detection (LIDS): Definition by Daniel B. Cid: Log Analysis for intrusion detection is the process or techniques used to detect attacks on a specific environment using logs as the primary source of information. LIDS is also used to detect computer misuse, policy violations and other forms of inappropriate activities. Hans P. Reiser CloudSec (Part 8) 8.21

21 Example HIDS: OSSEC: possible configurations Local operation: Collect Collect (ossec-logcollector) OSSEC Agent Collect Collect (ossec-logcollector) Decode Analyze (ossec-analysisd) Distributed operation: OSSEC Server Decode Analyze (ossec-analysisd) Alert (ossec-maild) (ossec-execd) Alert (ossec-maild) (ossec-execd) Hans P. Reiser CloudSec (Part 8) 8.22

22 Example HIDS: OSSEC: agent/server communication Compressed Encrypted (using pre-shared keys with Blowfish algorithm) UDP messages (default: port 1514) Agent 1 Agentd Agent 2 Agentd UDP port 1514 OSSEC Server Remoted Analysisd Device 1 Syslog Hans P. Reiser CloudSec (Part 8) 8.23

23 Example HIDS: OSSEC: details Further details ( inside ossec-analysisd ): see Hans P. Reiser CloudSec (Part 8) 8.24

24 Overview: today s class OpenNebula Intrusion Detection Motivation Basic definitions Classification of IDS Example HIDS: OSSEC Example NIDS: snort Honeypots Definition and History Classification of Honeypots Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid Hans P. Reiser CloudSec (Part 8) 8.25

25 Example NIDS: snort What is snort? Open-source network-based intrusion detection and prevention system Rule-based language for specifying message inspection methods Most widely deployed NIDS (according to snort webpage) 1998: created by Martin Roesch in : M. Roesch founded by Sourcefire 2013: Sourcefire aquired by Cisco Hans P. Reiser CloudSec (Part 8) 8.26

26 Example NIDS: snort Main features: Operating modes: sniffer, packet logger, NIDS Portable (runs on Linux, Winodws, MacOS, Solaris, BSD, and many more) Small (+- 800kLOC) and fast Highly configurable (rule language, flexible reporting options) Wide range of detection capabilities (port scans, buffer overflows, back doors, CGI exploits, etc.) Hans P. Reiser CloudSec (Part 8) 8.27

27 Example NIDS: snort see and exercise class for details Hans P. Reiser CloudSec (Part 8) 8.28

28 Overview: today s class OpenNebula Intrusion Detection Motivation Basic definitions Classification of IDS Example HIDS: OSSEC Example NIDS: snort Honeypots Definition and History Classification of Honeypots Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid Hans P. Reiser CloudSec (Part 8) 8.29

29 Honeypots: Motivation Fact: The more you know about your enemy, the better you can protect yourself But how to anticipate actions of the enemy? Anticipate: detect actions before they target your production system Goal of Honeypots: detection of real attacks, but not on a real system Basic approach: Offer a fake target to the enemy Collect information about attacks Hans P. Reiser CloudSec (Part 8) 8.30

30 Honeypot: Definition Lance Spitzner in Honeypots: Definitions and Value of Honeypots (2003): A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Many real manifestations (in terms of functionality of the systems) No real use, so all actions of / interactions with honeypot are likely to be related to attacks Purposes: monitor, detect, and analyze attacks Hans P. Reiser CloudSec (Part 8) 8.31

31 Honeypot: Short history 1989: Cliffard Stoll: The Cuckoo s Egg: Tracking a Spy Through the Maze of Computer Espionage ISBN-13: /1991: Bill Cheswick, AT&T Bell Labs: An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied : Deception Toolkit 1998: snort 1999: The Honeynet project Hans P. Reiser CloudSec (Part 8) 8.32

32 Classification of Honeypots Interaction High / Low / (Medium) Implementation Virtual / Physical Purpose Research / Production Hans P. Reiser CloudSec (Part 8) 8.33

33 Level of interaction Low-interaction honeypot Simulation of some parts of a real system Easy to deploy, with minimal risk Limited information acquisition (functionality not 100% identical to real system) High-interaction honeypot All parts of a real system are available High risk, as it can be fully compromised More information acquisition Hans P. Reiser CloudSec (Part 8) 8.34

34 Level of interaction Some authors also define medium-interaction honeypots Not a real system But extended support for interaction, such as Implement (sufficiently enough) parts of application-level behaviour Allow exploits that inject some shellcode Execute the shellcode, e.g., to download additional malware Usually requires some access to local resource (disk, etc.) Hans P. Reiser CloudSec (Part 8) 8.35

35 Implementation Physical Real machines Virtual Simulation of real machines Single honeypot may simulate a lot of different virtual honeypots Hans P. Reiser CloudSec (Part 8) 8.36

36 Purpose Production honeypots: Protect the system... by adding detection capability to the system Not feasible to analyse all logs in production system High probability of detecting unknown attacks Complement to other IDS components... by adding prevention capability to the system Analysis of attacks yields information about potential vulnerabilities These vulnerabilities can be fixed on real system... by adding reaction capability to the system Taking production systems offline is often undesirable Production operation pollutes traces of attacker Honeypot may help to obtain high-quality evidence / forensic data Hans P. Reiser CloudSec (Part 8) 8.37

37 Purpose Research honeypots: Learn about attacks and attackers Learn about the identity of the adversary Learn about motives and tactics of adversary Learn about specific threats Collect malware samples for analysis Long-term impact on security by improving attack prevention, detection or reaction but only little benefit to the direct security of a system Hans P. Reiser CloudSec (Part 8) 8.38

38 Overview OpenNebula Intrusion Detection Motivation Basic definitions Classification of IDS Example HIDS: OSSEC Example NIDS: snort Honeypots Definition and History Classification of Honeypots Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid Hans P. Reiser CloudSec (Part 8) 8.39

39 Example: Honeyd Niels Provos (University of Michigan): Honeyd: A virtual honeypot framework 13th USENIX Security Symposium, 2004 Low-interaction honeypot: Simulate real systems Multiple virtual hosts simulated by single process Responds to network requests according to configured services Matches network behaviour of configured operating system personality Simulate arbitrary network / routing topology Hans P. Reiser CloudSec (Part 8) 8.40

40 Example: Honeyd Hans P. Reiser CloudSec (Part 8) 8.41

41 Example: Honeyd Hans P. Reiser CloudSec (Part 8) 8.42

42 Example: Nepenthes and Dionaea Paul Baecher, Markus Koetter, Thorsten Holz, Maximillian Dornseif, and Felix Freiling: The Nepenthes Platform: An Efficient Approach to Collect Malware. RAID 06 Hans P. Reiser CloudSec (Part 8) 8.43

43 Example: Nepenthes Low-interaction honeypot: simulation of vulnerable services Sometimes labelled medium-interaction honeypot : high degree of expressiveness : full emulation of (necessary part of) complex protocols Flexible modular design: Vulnerability modules, shellcode parsing modules, fetch modules Main goal: collect malware samples Hans P. Reiser CloudSec (Part 8) 8.44

44 Example: Nepenthes Hans P. Reiser CloudSec (Part 8) 8.45

45 Example: Nepenthes Results (from paper): Nepenthes assigned to a /18 network 5.5 million exploitation attempts within 33 hours 1.5 million successful downloads of binaries 508 unique binaries within 33 hours 15,500 unique binaries within four month period % of the samples detected by popular antivirus engines Hans P. Reiser CloudSec (Part 8) 8.46

46 Example: Nepenthes Hans P. Reiser CloudSec (Part 8) 8.47

47 Nepenthes limitations Too many attacks using windows SMB sessions (port 445) shellcode detection: using regular expressions (only works well for known shellcode) extendibility: not many contributions, seems like people did not like C++ TLS encryption IPv6... Hans P. Reiser CloudSec (Part 8) 8.48

48 Example: Dionaea Started in 2009 as a successor to Nepenthes Main goal: implement SMB protocol Funded by the Honeynet project as part of Honeynets Summer of Code Hans P. Reiser CloudSec (Part 8) 8.49

49 Example: Dionaea Hans P. Reiser CloudSec (Part 8) 8.50

50 Example: Honeybrid Honeybrid: hybrid approach Combination of low-interaction and high-interaction honeypots Decision Engine to filter incoming traffic Control Engine to limit outgoing traffic Redirection Engine to redirect traffic for further analysis Log Engine to log traffic Hans P. Reiser CloudSec (Part 8) 8.51

51 Example: Honeybrid Hans P. Reiser CloudSec (Part 8) 8.52

52 Summary for today s class OpenNebula Intrusion Detection Motivation Basic definitions Classification of IDS Example HIDS: OSSEC Example NIDS: snort Honeypots Definition and History Classification of Honeypots Example systems: Honeyd, Nepenthes and Dionaea, Honeybrid Hans P. Reiser CloudSec (Part 8) 8.53