The Home Team Advantage
A. Padgett Peterson, P.E.
Information Protection, Lockheed Martin Corporation, Orlando, Florida

• Why bother?
• Attacks coming faster
• Using novel mechanisms for attack (dare I say “covert channels”?)
• Responses slow
• “Nothing worse than an expert out of their field”
app062799

• Is defense feasible?
• Good question
• Defenders need to close every hole; the attacker needs to find just one
• Many find the “school of fish” approach attractive (may I suggest a tontine?)
• Others just keep their resume updated

• If defense is to work, defenders need an “unfair advantage”
• Perimeter defense
• Desktop defense
• Layered defense
• Defense in depth
• “It’s not just an admin job anymore”

• For years tools have been designed to be “universal” applications:
• Can be launched from anywhere
• Operate across bridges/firewalls
• Operate unattended
• Consider portscanners:
• ISS
• Cybercop
• Satan/Santa
• Socket2me

• All are essentially similar:
• Select an IP (or range)
• Identify hardware/OS
• Select a port from a list
• Try to open it
• If it opens, perform known manipulations
• If that works, identify vulnerability
• To here it is basically the same for attacker and defender

• The “Home Team” can:
• Identify IP range
• Identify hardware/OS
• Compare to map
• Correct exceptions
• Run Portmapper/NetStat
• Identify services (expected/not)
• Identify vulnerabilities

• Difference: can walk up to the machine, run local tests, interview the administrator
• Example: consider “Back Orifice”
• A scanner can only detect it if it uses the defaults (no password / port 31337)
• Portmapper/NetStat will show the anomalous UDP socket no matter what the configuration
• Of course you must know what to expect.
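Added example (not from the presentation): a check that compares what NetStat shows on a machine against the service map the home team keeps, flagging the anomalous UDP listener the slide describes. The host name, netstat lines and expected-service table are constructed.

```python
"""Compare a host's observed listening sockets with its expected service map.

Added illustration, not from the presentation: the netstat lines and the
expected-service table below are constructed sample data.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto port")

# Constructed expected map: host -> the (proto, port) pairs it is supposed to serve.
EXPECTED = {
    "ws-0142": {Listener("tcp", 139), Listener("udp", 137), Listener("udp", 138)},
}

# Constructed `netstat -an` style output for ws-0142; one UDP socket is not in the map.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
TCP    10.1.2.42:139          10.1.2.7:1033          ESTABLISHED
UDP    0.0.0.0:137            *:*
UDP    0.0.0.0:138            *:*
UDP    0.0.0.0:31337          *:*
"""

_LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?", re.I)

def parse_listeners(netstat_text):
    """Return the set of listening (proto, port) pairs from netstat-style text.

    TCP sockets count only in LISTENING state; every bound UDP socket counts,
    because UDP has no connection state to separate servers from clients.
    """
    found = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        proto, port, state = m.group(1).lower(), int(m.group(3)), m.group(4)
        if proto == "tcp" and state != "LISTENING":
            continue
        found.add(Listener(proto, port))
    return found

def audit_host(host, netstat_text, expected=EXPECTED):
    """Report sockets that listen but are not expected, and expected ones that are missing."""
    observed = parse_listeners(netstat_text)
    planned = expected.get(host, set())
    return {"unexpected": sorted(observed - planned), "missing": sorted(planned - observed)}
```

The ESTABLISHED TCP line is deliberately ignored so that outbound client connections do not show up as services.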

• Or consider port scanners themselves
• Most check only the most common ports
• FWTK checks less than half
• Commercial scanners may check as many as 100 known ports
• Why? RTT
• But if you are local you can test all 65,536 ports in about ten minutes

• Some are wondering “why all 65,536 ports?”
• For one, it is a nice firewall test, but it takes two machines – one on each side of the wall. Pump 65,536 packets (131,072 with UDP, a couple more for ICMP (LOKI)).
• Find out quickly what gets through and what doesn’t.
• Reverse for the other side. Takes about an hour but is often revealing.

• Some are still wondering …
• Well, if the defense is just a screening router, you can just read the ACLs (why bother with a test at all?).
• But if the “firewall” is a “farm”:
• 15 to 25 different machines
• Several different products
• It is often easier to detect the ports first, then ask “why?”

• Another is MAC addresses
• (quick: name four different meanings of MAC)
• Lost when crossing a bridge/router/firewall
• But if you can run the scanner locally, the header contains the MAC address
• Six-byte value
• Identifies manufacturer and often model
• Must open the box to change it
• A VAX magically becoming a PC is cause for concern
• Believe Mr. Smith knows about MAC (now).

• If MAC addresses are known, can also record the location of the machine
• On error, know where to dispatch help
• Can identify movement on subnets
• Can also use active hubs (e.g. 3Com)
• Allow traffic on that line only to/from that MAC address
• Defeats the promiscuous setting; the port will only receive its own and broadcast traffic.

• Yet another is knowing which IP addresses are assigned.
• Devise a promiscuous machine to respond to/record any attempt to ping or open a port on an unassigned IP.
• Alarm if multiple
• DHCP presents a different problem and requires an active system with knowledge of assignments
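Added example (not from the presentation) covering the previous two slides and this one: it compares an ARP snapshot against the recorded IP/MAC map, reports a machine whose manufacturer prefix changed, and alarms when one source probes several unassigned IPs. The inventory, addresses, probe events and the OUI excerpt are all constructed.

```python
"""Check an ARP snapshot against the recorded IP/MAC map and alarm on probes
to unassigned addresses.

Added illustration, not from the presentation: inventory, ARP snapshot, probe
events and the OUI prefix table are all constructed sample data.
"""
from collections import Counter

# Constructed inventory: IP -> MAC recorded when the machine was installed.
KNOWN = {"10.1.2.42": "00-60-08-aa-bb-cc", "10.1.2.7": "08-00-2b-11-22-33"}
# Constructed OUI excerpt (first three bytes -> manufacturer) for the demo only;
# a real check would look prefixes up in the IEEE registry.
OUI = {"00-60-08": "3Com", "08-00-2b": "Digital Equipment"}

def mac_changes(arp_snapshot, known=KNOWN, oui=OUI):
    """One finding per IP whose MAC differs from the record or which should not exist."""
    findings = []
    for ip, mac in arp_snapshot.items():
        mac = mac.lower()
        recorded = known.get(ip)
        if recorded is None:
            findings.append((ip, "unassigned IP is answering ARP"))
        elif mac != recorded:
            old = oui.get(recorded[:8], "unknown")
            new = oui.get(mac[:8], "unknown")
            findings.append((ip, f"MAC changed: {old} -> {new}"))
    return findings

def probe_alarms(events, known=KNOWN, threshold=2):
    """Count probes to unassigned IPs per source; alarm when a source hits several."""
    hits = Counter(src for src, dst in events if dst not in known)
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed ARP snapshot: 10.1.2.7 now answers with a different manufacturer prefix.
ARP = {"10.1.2.42": "00-60-08-AA-BB-CC", "10.1.2.7": "00-60-08-99-88-77"}
# Constructed (src, dst) events as a listener on the unassigned range would log them.
EVENTS = [("10.1.2.200", "10.1.2.50"), ("10.1.2.200", "10.1.2.51"),
          ("10.1.2.200", "10.1.2.52"), ("10.1.2.42", "10.1.2.7")]
```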

• Growing increasingly important is control of executable attachments and embedded instructions
• Major difficulty is identifying executable attachments and syntax.
• Could block all incoming mail containing attachments
• All executable HTML (<IFRAME>)
• Might not be popular

• May need to be creative
• Would Melissa/Papa/ExploreZip work if MAPI only allowed one message per 30 seconds?
• What happens if CDO is disabled?
• CAN CDO be disabled?
• (anyone know what CDO is?)

• Virus scanners
• Everyone has them
• Virus writers get them first
• Reactive in nature
• Best turnaround measured in hours
• (A destructive attack can take minutes)
• A decade of “voting with wallets” has made scanners the winner.

• Keep scanners, just add “more”:
• Macro detectors & signing
• Executable signing
• Executable analyzers/unpackers/disassemblers
• Integrity managers (oh – they went out of business)
• CRC validators (they went out of business too?)
• Tripwire for NT/98/95?
• Need to be creative

• Identify a “crisis management team”
• It will happen
• Cannot afford the delay while it pulls together
• Need two teams – an information crisis often lasts longer than a day
• Three is better – one to manage, one to analyze, one to rest – but you probably do not have enough people.
• Must have authority to “close watertight doors”.

• Problem
• World is different
• Used to say “Cannot get a virus from E-Mail.” They fixed that bug.
• Thems ain’t bugs, thems features (“EditFlags”)
• Single-layer defense is not enough (proven with Melissa).

• Solution?
• Need policy mandating defense
• Need architecture to support defense
• Need enforcement to guarantee defense
• Need tools to test defense
• Need conviction to not accept less
• Leave any out and it would be a good idea to keep that resume updated

Thank you. Questions?
A. Padgett Peterson, P.E.