The Reconnaissance Phase

Similar documents
Firewalls, Tunnels, and Network Intrusion Detection

Overview Intrusion Detection Systems and Practices

Table of Contents 1 TCP Proxy Configuration 1-1

CSE 565 Computer Security Fall 2018

Detecting Specific Threats

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Basic Concepts in Intrusion Detection

Scan Detection on Very Large Networks Using Logistic Regression Modeling

Forensic Analysis for Epidemic Attacks in Federated Networks

Attack Prevention Technology White Paper

Module 19 : Threats in Network What makes a Network Vulnerable?

Computer Network Vulnerabilities

Network Security Terms. Based on slides from gursimrandhillon.files.wordpress.com

Distributed Denial of Service (DDoS)

Intrusion Detection System

HP High-End Firewalls

Intrusion Detection Systems

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

A Study on Intrusion Detection Techniques in a TCP/IP Environment

Security Events and Alarm Categories (for Stealthwatch System v6.9.0)

Pyrite or gold? It takes more than a pick and shovel

Enhancing Byte-Level Network Intrusion Detection Signatures with Context

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Developing the Sensor Capability in Cyber Security

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Investigating Study on Network Scanning Techniques

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Authors: Mark Handley, Vern Paxson, Christian Kreibich

Network Analysis of Point of Sale System Compromises

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

A Software Tool for Network Intrusion Detection

IDS: Signature Detection

Configuring Anomaly Detection

OSSIM Fast Guide

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

HONEYNET SOLUTIONS. A deployment guide 1. INTRODUCTION. Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale

HP High-End Firewalls

Network Intrusion Analysis (Hands on)

Stopping Scanners Early and Quickly

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Network Security. Thierry Sans

Mapping Internet Sensors with Probe Response Attacks

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Computer Security and Privacy

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Anomaly Detection in Communication Networks

Intrusion Detection Systems and Network Security

ASA Access Control. Section 3

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Configuring Flood Protection

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

CYBER ATTACKS ON INTRUSION DETECTION SYSTEM

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Network Awareness and Network Security

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

Sirindhorn International Institute of Technology Thammasat University

Configuring attack detection and prevention 1

DDoS and Traceback 1

Payment Card Industry (PCI) Executive Report 11/07/2017

The GenCyber Program. By Chris Ralph

Intrusion Detection - Snort

Denial of Service, Traceback and Anonymity

Welcome to this session on Network Flow Analysis.

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Intrusion Detection - Snort

Chapter 8 roadmap. Network Security

Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

Hands-On Ethical Hacking and Network Defense 3 rd Edition

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

intelop Stealth IPS false Positive

TDC DoS Protection Service Description and Special Terms

CS 161 Computer Security

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Denial of Service. EJ Jung 11/08/10

2. INTRUDER DETECTION SYSTEMS

SCP SC Security Certified Program. Download Full Version :

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Mapping Internet Sensors with Probe Response Attacks

Network Security: Firewall, VPN, IDS/IPS, SIEM

ProCurve Network Immunity

Training for the cyber professionals of tomorrow

A quick theorical introduction to network scanning. 23rd November 2005

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Understanding the Internet

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Chapter 10: Denial-of-Services

4-2 Rapid Analysis Technologies for Live Networks

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Firewalls, Tunnels, and Network Intrusion Detection

Flowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks. Anna Giannakou, Daniel Gunter, Sean Peisert

Transcription:

The Reconnaissance Phase Detecting the Enemy Before the Attack Carrie Gates PhD Candidate, Dalhousie University Visiting Scientist, CERT, Carnegie Mellon University

Outline! Indicate a gap in our defences! Talk about how we re addressing it now! Talk about how it can be addressed! Give examples to indicate why we should address it! Concluding statement gates@cs.dal.ca CERIAS Security Symposium 2004 2 of 25

Timeline Defence Forensic Analysis Protection (e.g. firewalls) Prevention (e.g. patches) GAP Reconnaissance Port Scanning Detection (e.g. IDS) Gaining Access Maintaining Access Covering tracks and hiding Intrusion (Skoudis, 2002) gates@cs.dal.ca CERIAS Security Symposium 2004 3 of 25

How to cover the gap?! Detection of reconnaissance! Detection of port scanning! Correlation of information from different sources (technical)! Correlation of information from different sources (non-technical) gates@cs.dal.ca CERIAS Security Symposium 2004 4 of 25

Detection of Reconnaissance This is hard! "! E.g. who-is databases, newsgroup browsing! We don t have access to many of these logs (and we would be swamped if we did!)! BUT, can track web browsing (but how to tell benign from malicious?)! AND, can track social engineering attacks gates@cs.dal.ca CERIAS Security Symposium 2004 5 of 25

Detection of Port Scanning Here is where we have concentrated the most effort. gates@cs.dal.ca CERIAS Security Symposium 2004 6 of 25

Why is this hard?! How can you determine if a packet is legitimate?! What is suspicious?! Too many destinations?! May still all be legitimate. What is too many?! Malformed packets?! Yes, but not very common usually SYN scans! Too many SYN packets with no connections?! People are now faking connection-like traffic gates@cs.dal.ca CERIAS Security Symposium 2004 7 of 25

Some Solutions! Snort (Roesch, 1999) malformed packets, x destinations in y seconds! Bro (Paxson, 1999) uses threshold on number of destinations, plus some payload analysis! Require (unidirectional) packet-level information! Thresholds prone to false positives (if too low) or false negatives (if too high) gates@cs.dal.ca CERIAS Security Symposium 2004 8 of 25

! Spice (Staniford et al., 2000) examines anomalous (as determined by Spade) incoming packets, grouping them using a simulated annealing procedure! Still unidirectional packet level! Groups represent more than just scans gates@cs.dal.ca CERIAS Security Symposium 2004 9 of 25

! (Robertson et al., 2003) examines return traffic and thresholds on number of missing/rejected responses! (Jung et al., 2004) examines return traffic and builds hypothesis based on number of hits (SYN-ACKs) versus misses (no response/rsts)! Require packet-level information! Require packets in both directions gates@cs.dal.ca CERIAS Security Symposium 2004 10 of 25

! Flow-dscan (Fullmer and Romig, 2000) Uses thresholds on destinations/source with suppress lists, ports < 1024 only! MISSILE (work in progress at CERT) Uses combination of various metrics to indicate likelihood of a scan! Uses unidirectional flow data gates@cs.dal.ca CERIAS Security Symposium 2004 11 of 25

MISSILE! Examines characteristics of all TCP flows from each source, looking for activity that indicates a scan! Also looks at event level for scans (e.g. majority of flows just SYN, malformed packets) gates@cs.dal.ca CERIAS Security Symposium 2004 12 of 25

Sample output! One class B for one week:! 24,114,559 flows! 3 hours to process! 7481 unique sources identified as scanning! 1436 unique sources identified as attempting exploit during scan! 5667 sources identified as SYN scanning! Average: 452 destinations/source! Maximum: 196073 destinations 3 ports (1080, 3128 and 10080) on 65469 IPs in ~ 8 hours gates@cs.dal.ca CERIAS Security Symposium 2004 13 of 25

How is this scan information used?! To proactively block scanning IP addresses to prevent information gain! Can be used as a denial of service! Some network admins don t want the performance hit from extra routers! To send complaint letters RARE! Largely ignored # gates@cs.dal.ca CERIAS Security Symposium 2004 14 of 25

How could this information be used?! What was targeted?! Who answered?! Who (destinations) should I watch?! Is someone about to attack? Tells you:! Who to patch!! Who might have been compromised! gates@cs.dal.ca CERIAS Security Symposium 2004 15 of 25

! Scans can include exploit! Who responded? Was there a conversation? What machines might have been compromised?! The Honeynet Project has noted that there is an increase in attackers performing scan bundled with exploit! Nearly 20% of attackers identified in previous example (1436/7481) gates@cs.dal.ca CERIAS Security Symposium 2004 16 of 25

! Scans can be for pure reconnaissance so attacker might return later! Who responded? What is likely to be targeted? Are patches up to date on that service on the responding machines?! We don t know how common this is! What if someone comes back from a new IP? gates@cs.dal.ca CERIAS Security Symposium 2004 17 of 25

Example Scan TCP SYN scan of port 80 (web) Internal Addresses Scanned Internal Addresses Replied days 01-06 21,234,579 53% days 14-21 19,124,423 47% days 01-06 299,511 90% days 14-21 34,454 10% gates@cs.dal.ca CERIAS Security Symposium 2004 18 of 25

Distribution of Replies to this Scan 1-pkt, TCP: rst 51% 1-pkt, TCP: syn ack 48% Others 1% ICMP >1-pkt, TCP other gates@cs.dal.ca CERIAS Security Symposium 2004 19 of 25

! This same activity occurred over the following timeline:! Days 1 6: scanning (scattered over the days)! Days 8 9: (6 hours) apparent attacks on selected subnets; seems to have targeted only hosts that had replied to the earlier scan with! 1-pkt, TCP: syn ack, or! multiple TCP packets in a flow! Days 14 21: scanning of additional subnets (scattered over the days)! gates@cs.dal.ca CERIAS Security Symposium 2004 20 of 25

Correlation of Information Technical! Correlation between logs is being researched, but concentration is on correlation between different IDSs (e.g. (Cuppens and Miège, 2002) and (Ning et al., 2002))! We need to add in other forms of information, e.g. IDS, NetFlow, web logs gates@cs.dal.ca CERIAS Security Symposium 2004 21 of 25

Correlation of Information Non-technical! Need to add into correlation of information all non-technical information, such as if a social engineering attack has been attempted gates@cs.dal.ca CERIAS Security Symposium 2004 22 of 25

Network Intelligence Analysis! Trying to bridge the gap between Protection/Prevention and Detection has been likened to intelligence gathering (e.g. SIGINT, HUMINT), e.g. (Shimeall and Dunlevy, 2001)! However, network intelligence includes an even broader perspective:! Political events (e.g. hactivism)! Social events (e.g. holidays)! Technical events (e.g. vulnerability releases) gates@cs.dal.ca CERIAS Security Symposium 2004 23 of 25

Concluding Remarks Without a solid network intelligence, defenders are required to respond equally to all intrusions. This is untenable in the long run. (Shimeall and Dunlevy, 2001) gates@cs.dal.ca CERIAS Security Symposium 2004 24 of 25

Thanks! "! CERIAS! CERT Analysis Center! IBM Centers for Advanced Studies! Dalhousie University gates@cs.dal.ca CERIAS Security Symposium 2004 25 of 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback