Look Out! Open Source Extrusion Detection
Eric Conrad
http://www.ericconrad.com
May 2010



The target network
• The techniques described in this talk evolved from experience securing a large network
  – 20,000-node WAN spanning 3 states
  – 12,000 employees
  – 100+ WAN sites
  – Limited network security staff and budget
  – Countless attacks per day
  – Blocked ¼ million spam per business day


Defense-in-depth
• Target network had multiple firewalls, web content scanning proxies, NIDS, antivirus, etc.
  – All email scanned by 4 separate auto-updating virus scanners
  – Malware still got through
  – Blocking 99% of 250,000 spam/day means 2,500 get through
• 99% success rate == failure


Proxies rule
• Target network used proxies for all outbound client-based internet access
  – “Proxies keep cropping up over and over, because they are fundamentally a sound idea. Every so often someone reinvents the proxy firewall - as a border spam blocker, or a 'web firewall' or an 'application firewall' or 'database gateway' - etc. And these technologies work wonderfully. Why? Because they're a single point where a security-conscious programmer can assess the threat represented by an application protocol, and can put error detection, attack detection, and validity checking in place” – Marcus Ranum


Prevention is ideal, but detection is a must
• Server-side internet attacks vs. target network usually failed, but:
  – Insecure WAN sites and extranet partners
  – Plus client-side attacks, infected USB tokens, infected mobile devices, etc.
  – “A sufficiently determined, but not necessarily well-funded attacker can break into any organization.” - Ed Skoudis
• Bottom line: both detection and prevention failed, frequently


Desperate times, desperate measures
• Step 1: Admit defeat
• Step 2: Fall back and regroup
• Step 3: Formulate plan B: Look Out!


Look Out!
• NIDS (mostly) inspect inbound traffic
• Lots of terms describe the science of outbound traffic that violates security policy
  – Data Loss Prevention (DLP), Intellectual Property Leakage (IPL), exfiltration detection, extrusion detection/prevention
• Data Loss Prevention is becoming mainstream
  – Host-based focus, may have network elements
  – Focus is on loss of sensitive data


A word on DLP
• Many DLP solutions require an agent installed on each PC
• “Complexity is the worst enemy of security” – Bruce Schneier
• Metasploit has almost 2 dozen antivirus and backup agent exploits
  – Why would DLP agents be any different?
• “Agents are scary… DLP agents are scarier” – E. Monti & D. Moniz, Matasano Security


Extrusion vs. Exfiltration
• Exfiltration is a military term
  – “The removal of personnel or units from areas under enemy control.” - Fred J. Pushies
  – Exfiltration now applies to loss of sensitive data
• Extrusion is simply the opposite of intrusion
  – “If we turn the problem around, we can perform ‘extrusion detection’ by watching for suspicious outbound connections from internal systems to the internet.” - Richard Bejtlich
• ‘Extrusion detection’ is connection-focused


We have a winner: extrusion detection
• Extrusion detection is the reverse of networked intrusion detection
• Includes sensitive data loss, plus:
  – Malware ‘phoning home’
  – Outbound portion of client-side attacks
  – Any outbound traffic that violates security policy
  – Broader and simpler than DLP
• Why not perform intrusion and extrusion detection on one box?


Can’t we do it all on one box?
• Experience running mail relays for 12,000 users proved illuminating
  – One box, in theory, could handle both inbound and outbound mail (but was a PITA in reality)
  – TCO was lowered by ‘separating the streams’ to two logical boxes
• Intrusion and extrusion detection also benefit
  – KISS
  – NIDS are very sensitive to CPU/memory limitations


NIDS performance anxiety
• I have been testing intrusion scenarios with a half-dozen commercial NIDS
• They are highly sensitive to CPU/memory limitations
• A simple SAMBA drag/drop via 100-megabit network caused false negatives to spike
• Adding hundreds of extrusion rules to a NIDS could have negative consequences


FAIL
• All NIDS suffer false positives and negatives
• Extrusion detection is harder than intrusion detection
  – A write-down trojan can do anything a user can do
  – Most users could find a way to exfiltrate data without being detected
• Bottom line: NIDS fail, and NEDS (network extrusion detection systems) will fail more frequently


Why bother?
• All controls can fail
• Some extrusion detection is better than none
• A bullet-proof vest does not make you Superman
  – But police still wear them
• Extrusion detection systems can help avoid reaching the security ‘tipping point’


“Don't cross the streams” – Dr. Egon Spengler
• Target network separated the streams
  – NIDS used EXTERNAL_NET -> HOME_NET rules
  – NEDS used HOME_NET -> EXTERNAL_NET rules
  – Sat side-by-side on same tap
• NEDS also parsed proxy logs
  – Including traffic analysis
• Immediate, quantifiable wins


The 1st win: naked downloads
• Perl script that parsed http proxy logs to identify downloads of EXEs from ‘naked IPs’ (URLs whose host is a bare IP address rather than a hostname)
• First hit:
  – 172.17.103.3 - - [19/May/2009:15:48:10 -0400] "GET http://10.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT
  – “Why is a nursing station downloading software from a former Soviet Union country?”
• PC was compromised; inbound prevention and detection had failed


The 2nd win: persistent connections
• Perl script that parsed http proxy logs to look for ‘persistent’ connections
  – Any source IP that connected to a destination IP via http/https at least once every 10 minutes, 24/7
• Script found:
  – Weather toolbars, etc.
  – ‘Legit’ reverse https tunnels (known and unknown)
  – Loads of spyware
  – “Why is the accountant’s PC constantly connecting to an IP in Panama?”
  – PC was a member of a botnet; inbound prevention and detection failed again
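The two proxy-log checks from this slide and the previous one (EXE downloads from ‘naked IPs’, and ‘persistent’ connections that recur at least every 10 minutes, 24/7) were Perl scripts in the original talk. What follows is an added Python example written for this page, not the author's script and not part of Xfiltr8. It assumes a Squid-style common log format matching the layout of the slide's sample hit; the log lines it runs over are constructed with RFC 5737 documentation addresses, not real traffic, and the `LOG_RE` field layout, the `.exe` extension list and the 10-minute/24-hour thresholds are assumptions that can be changed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Squid-style "common" proxy log line, matching the layout of the slide's sample hit:
#   client - user [timestamp] "METHOD url PROTO" status bytes result
# The field layout is an assumption about the proxy; adjust LOG_RE for other formats.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    if rec["method"] == "CONNECT":
        # https through a proxy: the "url" field is host:port, not a URL
        rec["host"], rec["path"] = rec["url"].rsplit(":", 1)[0], ""
    else:
        parts = urlsplit(rec["url"])
        rec["host"], rec["path"] = parts.hostname or "", parts.path
    return rec


def naked_exe_downloads(lines, extensions=(".exe",)):
    """First win: GETs of executables whose host is a bare IP, not a name.
    Returns (client, url, status) for every such request, blocked or not."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if BARE_IPV4.match(rec["host"]) and rec["path"].lower().endswith(extensions):
            hits.append((rec["client"], rec["url"], rec["status"]))
    return hits


def persistent_connections(lines, max_gap=timedelta(minutes=10),
                           min_span=timedelta(hours=24)):
    """Second win: (client, host) pairs seen at least once every max_gap,
    with no longer silence, over a window of at least min_span."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            seen[(rec["client"], rec["host"])].append(rec["ts"])
    persistent = []
    for pair, ts in seen.items():
        ts.sort()
        if ts[-1] - ts[0] < min_span:
            continue
        if all(b - a <= max_gap for a, b in zip(ts, ts[1:])):
            persistent.append(pair)
    return sorted(persistent)


def _log(ts, client, method, url, status="200", nbytes="731", proto="HTTP/1.0"):
    """Render one constructed log line in the format LOG_RE expects."""
    return (f'{client} - - [{ts.strftime(TS_FMT)}] "{method} {url} {proto}" '
            f'{status} {nbytes} TCP_MISS:DIRECT')


def constructed_sample_log():
    """Constructed sample log (RFC 5737 documentation addresses), not real traffic."""
    t0 = datetime(2009, 5, 19, 0, 0, 0, tzinfo=timezone(timedelta(hours=-4)))
    lines = []
    # a beacon to a bare IP every 5 minutes for a full day: persistent
    for i in range(0, 24 * 60 + 1, 5):
        lines.append(_log(t0 + timedelta(minutes=i), "192.0.2.10", "CONNECT",
                          "203.0.113.7:443", proto="HTTP/1.1"))
    # ordinary browsing from another PC: gaps of hours, so not persistent
    for mins in (9 * 60, 9 * 60 + 5, 33 * 60):
        lines.append(_log(t0 + timedelta(minutes=mins), "192.0.2.33", "GET",
                          "http://www.example.com/"))
    # one EXE from a bare IP (flagged) and one from a named host (not flagged)
    lines.append(_log(t0 + timedelta(hours=15, minutes=48, seconds=10), "192.0.2.33",
                      "GET", "http://198.51.100.9/lksdfhwey/r.exe"))
    lines.append(_log(t0 + timedelta(hours=16), "192.0.2.33", "GET",
                      "http://updates.example.com/tool.exe"))
    return lines


if __name__ == "__main__":
    log = constructed_sample_log()
    for hit in naked_exe_downloads(log):
        print("naked EXE download:", *hit)
    for client, host in persistent_connections(log):
        print("persistent connection:", client, "->", host)
```

Two points worth noting when adapting this to a real proxy. `CONNECT` entries are handled separately because the proxy records only `host:port` for https, which is exactly where a reverse https tunnel shows up. The persistence test is strict (every gap at most 10 minutes across a full day), matching the slide's definition; a beacon that sleeps longer than the gap, or a log with a brief outage, will drop out, so a practitioner may prefer to count how many 10-minute buckets a pair appears in and alert above a percentage.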


The 3rd win: unencrypted ePHI
• Policy required encryption of Electronic Protected Healthcare Information (ePHI) on the internet
• Wrote custom Snort rules that detected unencrypted outbound ePHI on external internet interface
  – alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024:65535 (msg:"Unencrypted HIPAA Transaction (Health Care Eligibility Benefit Inquiry and Response)"; content:"004010X092"; flags:A+; classtype:policy-violation; sid:1000092; rev:1;)
• We saw immediate hits


OK, we’re on to something
• Refined into a dedicated extrusion detection system:
  – Snort, BASE, MySQL
  – Wireshark, tshark, ngrep, etc.
  – Aforementioned scripts + others
  – Pre-selected outbound Snort rules
  – Custom Snort rules
• Pre-configured and ready-to-go
• Sniffs eth0 by default, logs to MySQL DB, view events via BASE
• Why not make it a Live CD?


The Xfiltr8 Live CD
• http://xfiltr8.sourceforge.net/
  – Currently ALPHA software
• Ubuntu desktop ISO
• Snort, BASE, MySQL, Wireshark, etc.
• Collection of outbound Snort and Emerging Threats rules
  – HOME_NET -> EXTERNAL_NET
• Scripts for persistent connections and exe downloads from ‘naked IPs’, and more
• Boots as a live CD, with an OS install option


Xfiltr8 is handy in a pinch
• Xfiltr8 also contains the inbound rules
  – Both Snort and Emerging Threats
  – Inbound rules disabled by default
• Makes a good NIDS in a pinch
  – BASE, snort, mysql, all pre-configured
• Just reconfigure snort.conf to use the inbound rules


I need help
• xfiltr8.sourceforge.net is quite lame right now
  – It has the alpha ISO, and that’s about it
• I would like to build an extrusion detection community
• Volunteers needed!
• Send email to xfiltr8@ericconrad.com, include xfiltr8 in the title