Look Out! Open Source Extrusion Detection
Eric Conrad
http://www.ericconrad.com
May 2010

The target network
• The techniques described in this talk evolved from experience securing a large network
  – 20,000-node WAN spanning 3 states
  – 12,000 employees
  – 100+ WAN sites
  – Limited network security staff and budget
  – Countless attacks per day
  – Blocked ¼ million spam per business day

Defense-in-depth
• Target network had multiple firewalls, web content scanning proxies, NIDS, antivirus, etc.
  – All email scanned by 4 separate auto-updating virus scanners
  – Malware still got through
  – Blocking 99% of 250,000 spam/day means 2,500 get through
• 99% success rate == failure

Proxies rule
• Target network used proxies for all outbound client-based internet access
  – "Proxies keep cropping up over and over, because they are fundamentally a sound idea. Every so often someone reinvents the proxy firewall - as a border spam blocker, or a 'web firewall' or an 'application firewall' or 'database gateway' - etc. And these technologies work wonderfully. Why? Because they're a single point where a security-conscious programmer can assess the threat represented by an application protocol, and can put error detection, attack detection, and validity checking in place." – Marcus Ranum

Prevention is ideal, but detection is a must
• Server-side internet attacks against the target network usually failed, but:
  – Insecure WAN sites and extranet partners
  – Plus client-side attacks, infected USB tokens, infected mobile devices, etc.
  – "A sufficiently determined, but not necessarily well-funded attacker can break into any organization." – Ed Skoudis
• Bottom line: both detection and prevention failed, frequently

Desperate times, desperate measures
• Step 1: Admit defeat
• Step 2: Fall back and regroup
• Step 3: Formulate plan B

Look Out!
• NIDS (mostly) inspect inbound traffic
• Lots of terms describe the science of outbound traffic that violates security policy
  – Data Loss Prevention (DLP), Intellectual Property Leakage (IPL), exfiltration detection, extrusion detection/prevention
• Data Loss Prevention is becoming mainstream
  – Host-based focus, may have network elements
  – Focus is on loss of sensitive data

A word on DLP
• Many DLP solutions require an agent installed on each PC
• "Complexity is the worst enemy of security" – Bruce Schneier
• Metasploit has almost 2 dozen antivirus and backup agent exploits
  – Why would DLP agents be any different?
• "Agents are scary… DLP agents are scarier" – E. Monti & D. Moniz, Matasano Security

Extrusion vs. Exfiltration
• Exfiltration is a military term
  – "The removal of personnel or units from areas under enemy control." – Fred J. Pushies
  – Exfiltration now also applies to loss of sensitive data
• Extrusion is simply the opposite of intrusion
  – "If we turn the problem around, we can perform 'extrusion detection' by watching for suspicious outbound connections from internal systems to the internet." – Richard Bejtlich
• 'Extrusion detection' is connection-focused

We have a winner: extrusion detection
• Extrusion detection is the reverse of networked intrusion detection
• Includes sensitive data loss, plus:
  – Malware 'phoning home'
  – Outbound portion of client-side attacks
  – Any outbound traffic that violates security policy
  – Broader and simpler than DLP
• Why not perform intrusion and extrusion detection on one box?

Can't we do it all on one box?
• Experience running mail relays for 12,000 users proved illuminating
  – One box, in theory, could handle both inbound and outbound mail (but was a PITA in reality)
  – TCO was lowered by 'separating the streams' onto two logical boxes
• Intrusion and extrusion detection also benefit
  – KISS
  – NIDS are very sensitive to CPU/memory limitations

NIDS performance anxiety
• I have been testing intrusion scenarios with a half-dozen commercial NIDS
• They are highly sensitive to CPU/memory limitations
• A simple SAMBA drag/drop via a 100-megabit network caused false negatives to spike
• Adding hundreds of extrusion rules to a NIDS could have negative consequences

FAIL
• All NIDS suffer false positives and negatives
• Extrusion detection is harder than intrusion detection
  – A write-down trojan can do anything a user can do
  – Most users could find a way to exfiltrate data without being detected
• Bottom line: NIDS fail, and NEDS will fail more frequently

Why bother?
• All controls can fail
• Some extrusion detection is better than none
• A bullet-proof vest does not make you Superman
  – But police still wear them
• Extrusion detection systems can help avoid reaching the security 'tipping point'

"Don't cross the streams" – Dr. Egon Spengler
• Target network separated the streams
  – NIDS used EXTERNAL_NET -> HOME_NET rules
  – NEDS used HOME_NET -> EXTERNAL_NET rules
  – Sat side-by-side on the same tap
• NEDS also parsed proxy logs
  – Including traffic analysis
• Immediate, quantifiable wins

The 1st win: naked downloads
• Perl script that parsed HTTP proxy logs to identify downloads of EXEs from 'naked IPs' (URLs whose host is a bare IP address rather than a hostname)
• First hit:
  – 172.17.103.3 - - [19/May/2009:15:48:10 -0400] "GET http://10.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT
  – "Why is a nursing station downloading software from a former Soviet Union country?"
• PC was compromised; inbound prevention and detection had failed

The 2nd win: persistent connections
• Perl script that parsed HTTP proxy logs to look for 'persistent' connections
  – Any source IP that connected to a destination IP via HTTP/HTTPS at least once every 10 minutes, 24/7
• Script found:
  – Weather toolbars, etc.
  – 'Legit' reverse HTTPS tunnels (known and unknown)
  – Loads of spyware
  – "Why is the accountant's PC constantly connecting to an IP in Panama?"
    – PC was a member of a botnet; inbound prevention and detection failed again

The 3rd win: unencrypted ePHI
• Policy required encryption of Electronic Protected Health Information (ePHI) on the internet
• Wrote custom Snort rules that detected unencrypted outbound ePHI on the external internet interface
  – alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024:65535 (msg:"Unencrypted HIPAA Transaction (Health Care Eligibility Benefit Inquiry and Response)"; content:"004010X092"; flags:A+; classtype: policy-violation; sid:1000092; rev:1;)
  – The content match is the X12 implementation guide identifier of the 270/271 transaction set; it only appears in cleartext, so a hit means the encryption policy was not followed
• We saw immediate hits

OK, we're on to something
• Refined into a dedicated extrusion detection system:
  – Snort, BASE, MySQL
  – Wireshark, tshark, ngrep, etc.
  – Aforementioned scripts + others
  – Pre-selected outbound Snort rules
  – Custom Snort rules
• Pre-configured and ready-to-go
• Sniffs eth0 by default, logs to a MySQL DB, view events via BASE
• Why not make it a Live CD?
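The two proxy-log checks from the "1st win" and "2nd win" slides, re-implemented in Python as an added example. This is not the talk's Perl code (the page does not reproduce it) and is not part of Xfiltr8. It assumes the Squid httpd-emulated ("common") log format shown on the first-win slide; every log line in it is constructed for the example, using RFC 1918 and documentation address ranges, and is not real traffic.

```python
"""Two extrusion checks over Squid-style HTTP proxy logs (added example, in
Python; the talk's own scripts were Perl and are not on the page):
  1. naked downloads: a successful GET of an executable from a bare-IP URL;
  2. persistent connections: a client seen talking to the same destination
     host at least once every 10 minutes for 24 hours straight.
Sample lines are constructed for the example; none are real traffic."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# client - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD URL HTTP/x.y" status bytes SQUIDSTATUS:HIER
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<squid>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EXE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif")  # extend to taste


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    if rec["method"] == "CONNECT":
        # HTTPS through the proxy: the URL field is just host:port, no path.
        rec["host"] = rec["url"].rsplit(":", 1)[0].lower()
        rec["path"] = ""
    else:
        parts = urlsplit(rec["url"])
        rec["host"] = parts.hostname or ""
        rec["path"] = parts.path
    return rec


def is_naked_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def naked_exe_downloads(lines):
    """'The 1st win': successful GETs of an executable from a bare IP."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not 200 <= rec["status"] < 300:
            continue
        if is_naked_ip(rec["host"]) and rec["path"].lower().endswith(EXE_SUFFIXES):
            hits.append((rec["client"], rec["host"], rec["path"]))
    return hits


def persistent_connections(lines, max_gap=timedelta(minutes=10),
                           min_span=timedelta(hours=24)):
    """'The 2nd win': (client, host) pairs seen at least once per max_gap over a
    span of at least min_span. Any method/status counts: a denied beacon is still a beacon."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"]:
            seen[(rec["client"], rec["host"])].append(rec["ts"])
    hits = []
    for pair, stamps in seen.items():
        stamps.sort()
        if stamps[-1] - stamps[0] < min_span:
            continue
        if all(b - a <= max_gap for a, b in zip(stamps, stamps[1:])):
            hits.append(pair)
    return sorted(hits)


def build_sample_log():
    """Constructed log lines for the example (RFC 1918 / documentation addresses)."""
    start = datetime.strptime("19/May/2009:00:00:00 -0400", TS_FMT)

    def at(delta):
        return (start + delta).strftime("[%d/%b/%Y:%H:%M:%S %z]")

    lines = [
        # the kind of hit the slide shows: an .exe fetched from a bare IP
        f'172.17.103.3 - - {at(timedelta(hours=15, minutes=48))} '
        '"GET http://10.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT',
        # same kind of file, but from a hostname: not a naked download
        f'172.17.20.9 - - {at(timedelta(hours=9))} '
        '"GET http://downloads.example.net/setup.exe HTTP/1.1" 200 48211 TCP_MISS:DIRECT',
    ]
    # an HTTPS beacon every 5 minutes for 24 hours: the persistent pattern
    for m in range(0, 24 * 60 + 1, 5):
        lines.append(f'172.17.44.17 - - {at(timedelta(minutes=m))} '
                     '"CONNECT 198.51.100.23:443 HTTP/1.1" 200 5120 TCP_MISS:DIRECT')
    # an hour of browsing one news site, then silence: not persistent
    for m in range(0, 60, 5):
        lines.append(f'172.17.20.9 - - {at(timedelta(hours=10, minutes=m))} '
                     '"GET http://news.example.org/ HTTP/1.1" 200 9000 TCP_MISS:DIRECT')
    return lines
```

Run `naked_exe_downloads(build_sample_log())` and `persistent_connections(build_sample_log())` against the constructed log: the first returns only the bare-IP `r.exe` fetch, the second only the 24-hour CONNECT beacon. On a real proxy log, expect the persistent-connection list to be mostly legitimate noise (update checkers, toolbars, known tunnels), which is why the slide describes whitelisting the known ones and chasing the rest.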
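The "3rd win" rule matches the literal string 004010X092, which is the ASC X12N implementation guide identifier carried in element GS08 of an X12 functional group header; every HIPAA transaction set has its own identifier. The following added example (not the talk's Snort rules, not Xfiltr8 code) parses the ISA/GS envelope of a cleartext payload and names every HIPAA 4010 transaction set it carries, generalising the single-rule check to all nine guides. The identifier table is the public 4010 list; the payloads are constructed for the example.

```python
"""Spot HIPAA X12 transaction sets in a cleartext payload (added example).

The slide's Snort rule matches the string 004010X092 anywhere in a packet.
That string is the ASC X12N implementation guide identifier in GS08 of the
functional group header; each HIPAA transaction set has its own. This parser
walks the ISA/GS envelope and names every transaction set a payload carries.
Sample payloads are constructed for the example."""

# ASC X12N version 4010 implementation guide identifiers (GS08), without the A1 addenda suffix.
HIPAA_4010 = {
    "004010X061": "820 Payroll Deducted and Other Group Premium Payment",
    "004010X091": "835 Health Care Claim Payment/Advice",
    "004010X092": "270/271 Health Care Eligibility Benefit Inquiry and Response",
    "004010X093": "276/277 Health Care Claim Status Request and Response",
    "004010X094": "278 Health Care Services Review (Referral/Authorization)",
    "004010X095": "834 Benefit Enrollment and Maintenance",
    "004010X096": "837 Health Care Claim: Institutional",
    "004010X097": "837 Health Care Claim: Dental",
    "004010X098": "837 Health Care Claim: Professional",
}


def split_x12(payload):
    """Return the interchange as a list of segments (each a list of elements).

    The ISA segment is fixed width: the element separator is character 4 and
    the segment terminator is character 106, so the delimiters are read from
    the data rather than assumed to be '*' and '~'. Non-X12 input gives []."""
    if not payload.startswith("ISA") or len(payload) < 106:
        return []
    elem_sep, seg_term = payload[3], payload[105]
    segments = []
    for raw in payload.split(seg_term):
        raw = raw.strip("\r\n ")
        if raw:
            segments.append(raw.split(elem_sep))
    return segments


def hipaa_transactions(payload):
    """List (GS01 functional code, GS08 version, description) for each
    functional group whose GS08 names a HIPAA 4010 implementation guide."""
    found = []
    for seg in split_x12(payload):
        if seg[0] == "GS" and len(seg) >= 9:
            desc = HIPAA_4010.get(seg[8][:10])  # tolerate the A1 addenda suffix
            if desc:
                found.append((seg[1], seg[8], desc))
    return found


def build_isa(elem="*", term="~", sender="SENDERID", receiver="RECEIVERID"):
    """Build a well-formed 106-character ISA header with the given delimiters."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15),
              "ZZ", receiver.ljust(15), "090519", "1548", "U", "00401",
              "000000001", "0", "P", ":"]
    return elem.join(fields) + term


# Constructed samples: a 270 eligibility inquiry with the usual '*' and '~' ...
SAMPLE_270 = (build_isa()
              + "GS*HS*SENDERID*RECEIVERID*20090519*1548*1*X*004010X092A1~"
              + "ST*270*0001~BHT*0022*13*10001234*20090519*1548~SE*3*0001~"
              + "GE*1*1~IEA*1*000000001~")
# ... and an 835 remittance whose sender chose '|' and newline as delimiters.
SAMPLE_835 = (build_isa(elem="|", term="\n")
              + "GS|HP|PAYERID|PROVIDERID|20090519|1548|7|X|004010X091A1\n"
              + "ST|835|0007\nBPR|I|1250.00|C|ACH\nSE|3|0007\nGE|1|7\nIEA|1|000000001\n")
```

Two points a practitioner should take from this. First, a plain `content:` match is the right tool precisely because the identifier only appears in cleartext; TLS-wrapped EDI never fires the rule, so a hit is a policy failure, not a false positive. Second, the `HIPAA_4010` table is exactly the list to turn into one Snort rule per transaction set, each with its own `sid` and `msg`, rather than stopping at the 270/271 rule shown on the slide; GS01 (HS for an eligibility inquiry, HB for the response, HP for a payment, and so on) tells you which side of the transaction leaked.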
The Xfiltr8 Live CD
• http://xfiltr8.sourceforge.net/
  – Currently ALPHA software
• Ubuntu desktop ISO
• Snort, BASE, MySQL, Wireshark, etc.
• Collection of outbound Snort and Emerging Threats rules
  – HOME_NET -> EXTERNAL_NET
• Scripts for persistent connections and EXE downloads from 'naked IPs', and more
• Boots as a live CD, with an OS install option

Xfiltr8 is handy in a pinch
• Xfiltr8 also contains the inbound rules
  – Both Snort and Emerging Threats
  – Inbound rules disabled by default
• Makes a good NIDS in a pinch
  – BASE, Snort, MySQL, all pre-configured
• Just reconfigure snort.conf to use the inbound rules

I need help
• xfiltr8.sourceforge.net is quite lame right now
  – It has the alpha ISO, and that's about it
• I would like to build an extrusion detection community
• Volunteers needed!
• Send email to xfiltr8@ericconrad.com, include xfiltr8 in the title