Detecting Penetration Testing
Ron Gula, SOURCE 2010

WE ARE IN A GREAT CAREER FIELD
[Chart: amount of grey hair over the 90’s, 2000 and 2009]
• PEN TEST REVIEW
• DETECTION
• REACTION
I WANT YOUR COMMENTS AND QUESTIONS TOO
WHY DETECT PENETRATION TESTERS?
Real intrusions have real responses
[Image: John Dillinger from Public Enemies]
PENETRATION TESTING HAS POLITICAL RESPONSES
“Working late again!”
“Johnny, your password should be 25 characters”
“We protect customer data”
“Idiot”
WE SHOULD BE DETECTING THIS ANYWAY, RIGHT?
snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.24:36493 -> 192.168.20.16:5800
snort[1578]: [1:2001743:8] ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 192.168.20.24:45379 -> 192.168.20.16:1025
snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.24:45896 -> 192.168.20.21:80
snort[1578]: [1:469:4] AUTHORIZED PENETRATION TEST [Classification: OK To Ignore, But Tell Your Boss] [Priority: 2]: {TCP} 192.168.20.24 -> 192.168.20.92
THERE ARE DIFFERENT TYPES OF PENETRATION TESTS
Diagram labels: IT & Servers; Guest Pen Testers; External; Internal
THERE ARE DIFFERENT TYPES OF PENETRATION TESTS
Web Attacker: “SQL Injection rules guys!”
Services Exploiter: “No Way. I have a 0-day for Skype”
No Tech Hacker: “Screw you guys. I’m walking in.”
WHAT ABOUT CLIENT SIDE PEN TESTS?
• Test the browser security
• Test the email client security
• Test the web proxy security
• Test the email spam security
• See who clicks on links or opens hostile email
THE MYTHICAL GOD-LIKE PEN TESTER
Normal Computer:
• CPU stays the same
• Memory stays the same
• Configuration stays the same
• Firewall logs the same
• Communicates the same
• Packets are normal
• Error logs stay the same
• No additional files
KNOW WHAT YOU CAN AND CAN’T MONITOR
• Packets
• Netflow
• NIDS Logs
• Firewall Logs
• NBAD
• Topology

• Vulnerabilities
• Patch Audits
• Configurations
• Host Security
• Host Logs
• Audit Trail

• Vulnerabilities
• Application
• Patch Audits
• Configurations
• Host security
• File integrity
• System and app logs
• Audit Trail

• Authentication
• Authorized systems
• Normal apps/programs
• Web proxy logs
• Spam logs
KNOW HOW A COMPROMISED SYSTEM BEHAVES
• Packets
• Netflow
• NIDS Logs
• Firewall Logs
• NBAD
• Topology

• Vulnerabilities
• Patch Audits
• Configurations
• Host Security
• Host Logs
• Audit Trail

• Vulnerabilities
• Application
• Patch Audits
• Configurations
• Host security
• File integrity
• System and app logs
• Audit Trail

• Firewall Deny
• Blacklisted IPs
• Spikes in traffic
• Illegal Hosts
• Illegal Activity

• New commands
• Modified files
• High CPU
• System errors
• Illegal commands

• Authentication
• Authorized systems
• Normal apps/programs
• Web proxy logs
• Spam logs

• Access violations
• New programs
• Blacklisted sites
SIMPLE EXAMPLE – HTTP SERVER
Web server jailed: Port 80 in. Nothing allowed out. No DNS.
Use IPS/Proxy to stop 0-days
Monitor with NIDS/NBAD
Look for outbound firewall denies
System errors
Illegal Commands
Unauthorized changes
File integrity
SSH: Port 22 in. Nothing allowed out. Watch for denies. SSH client attacks.
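As an added example (not from the talk), a small watcher for the jailed web server above: it assumes a netfilter LOG rule with the prefix WEB-EGRESS-DENY tags outbound packets from 192.168.20.21 before they are dropped, and turns those kernel log lines into the outbound-deny findings the slide tells you to look for.

```python
"""Egress-deny watcher for a jailed web server (added example, not from the talk).
Assumes the server accepts only inbound tcp/80 and a netfilter LOG rule tags every
outbound packet with the prefix "WEB-EGRESS-DENY: " before dropping it (rule shape
assumed). For a jailed host any hit is a finding worth a ticket."""
import re
from collections import Counter

LOG_PREFIX = "WEB-EGRESS-DENY"
JAILED_HOSTS = {"192.168.20.21"}   # web server address used in the deck's alerts
# kernel LOG lines carry KEY=VALUE fields; IN= and OUT= may be empty
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_deny(line):
    """Return {src, dst, proto, dpt} for a tagged line from a jailed host, else None."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if fields.get("SRC") not in JAILED_HOSTS:
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": int(fields.get("DPT", 0))}

def classify(ev):
    """Label the denied attempt; the slide's rules are 'no DNS, nothing out'."""
    if ev["proto"] == "UDP" and ev["dpt"] == 53:
        return "dns-from-jailed-host"
    if ev["proto"] == "TCP" and ev["dpt"] in (80, 443):
        return "outbound-web-from-jailed-host"
    return "outbound-denied"

def summarize(lines):
    """Count labels and (dst, port) pairs; both should be empty on a clean day."""
    labels, peers = Counter(), Counter()
    for ev in filter(None, map(parse_deny, lines)):
        labels[classify(ev)] += 1
        peers[(ev["dst"], ev["dpt"])] += 1
    return labels, peers

# constructed sample kernel log lines (not real captures)
SAMPLE = [
    "kernel: WEB-EGRESS-DENY: IN= OUT=eth0 SRC=192.168.20.21 DST=192.168.20.24 PROTO=TCP SPT=45896 DPT=22",
    "kernel: WEB-EGRESS-DENY: IN= OUT=eth0 SRC=192.168.20.21 DST=8.8.8.8 PROTO=UDP SPT=40000 DPT=53",
    "kernel: WEB-EGRESS-DENY: IN= OUT=eth0 SRC=192.168.20.21 DST=192.168.20.24 PROTO=TCP SPT=45897 DPT=22",
    "kernel: WEB-EGRESS-DENY: IN= OUT=eth0 SRC=192.168.20.21 DST=203.0.113.10 PROTO=TCP SPT=45898 DPT=443",
    "kernel: INPUT-DENY: IN=eth0 OUT= SRC=192.168.20.24 DST=192.168.20.21 PROTO=TCP SPT=36493 DPT=5800",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```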
PEN TESTING AND “REAL” INCIDENT DIFFERENCES
(rows run from HIGH to LOW probability in a pen test; X marks the Real Incident column)

Trait                          Pen Test   Real Incident
Zero Day
Automation
Bumps into ACLs
Lack of tech knowledge
Unlimited time                            X
Long term access                          X
Foreign Country                           X
Real data exfiltration                    X
Data Destruction                          X
Lack of ‘respect’ for systems             X
Attack security systems                   X
WHAT DO WEB APP ATTACKS LOOK LIKE ?
Web Attacker: “SQL Injection rules guys!”
Are you collecting any logs?
Can you tell an attack from a transaction?
Is your DBA watching things?
Will your NIDS/NBAD see anything?
What about your SIM?
WHAT DOES A NETWORK ATTACK LOOK LIKE ?
Services Exploiter: “No Way. I have a 0-day for Skype”
Are you collecting any logs?
Can you tell an attack from a normal user?
Is your admin watching things?
Will your NIDS/NBAD see anything?
What about your SIM?
IT GOES ON AND ON !!!!
Attackers and penetration testers have a potentially infinite supply of places to attack.
Hardening systems, reducing complexity and adding defenses reduces the attack points and lets you monitor for known outcomes.
Monitor for outcomes you must!
AUTOMATIC VULN SCANNING TOOL DETECTION
“Did we detect the scan?”
Experiment
[1] Get a vuln scanner
[2] Scan your network
[3] Check your NIDS/SIM
What kind of logs do we make?
Can we rely on the NIDS vendors to detect scanners?
Does the same scanner scan the same all the time?
PEN TESTING TOOL DETECTION
Experiment
[1] Get a pen testing tool
[2] Hack your network
[3] Check your NIDS/SIM
What kind of logs do we make?
Can we rely on the NIDS vendors to detect pen testing?
Does the same pen tester hack the same all the time?
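For the scanner and pen-test-tool experiments above, and the Snort alerts shown earlier in the deck, an added example (not the talk's code) that parses that alert format, profiles each source host, and fingerprints a run so you can check whether the same tool trips the same signatures every time; the thresholds are assumptions.

```python
"""Snort syslog triage for scanner / pen-test tool detection (added example, not from
the talk). Parses the alert format the deck shows, profiles each source host, and
fingerprints a run so two runs of the same tool can be compared. Thresholds are assumed."""
import re
from collections import defaultdict

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>.*?)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<spt>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dpt>\d+))?")

def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def profile_sources(lines, dst_threshold=3, sig_threshold=3):
    """Per source: distinct signatures, distinct targets, SCAN messages, verdict."""
    per_src = defaultdict(lambda: {"sigs": set(), "dsts": set(), "scan_msgs": 0})
    for a in filter(None, map(parse_alert, lines)):
        p = per_src[a["src"]]
        p["sigs"].add(a["sid"])
        p["dsts"].add(a["dst"])
        if "SCAN" in a["msg"].upper():       # e.g. "ET SCAN Potential VNC Scan"
            p["scan_msgs"] += 1
    verdicts = {}
    for src, p in per_src.items():
        scanner = (p["scan_msgs"] > 0 or len(p["dsts"]) >= dst_threshold
                   or len(p["sigs"]) >= sig_threshold)
        verdicts[src] = {"sigs": len(p["sigs"]), "dsts": len(p["dsts"]),
                         "scan_msgs": p["scan_msgs"], "scanner": scanner}
    return verdicts

def fingerprint(lines):
    """Signature IDs a run tripped: the tool's footprint on this sensor."""
    return frozenset(a["sid"] for a in map(parse_alert, lines) if a)

def similarity(fp_a, fp_b):
    """Jaccard overlap of two runs' fingerprints (1.0 = identical footprint)."""
    union = fp_a | fp_b
    return len(fp_a & fp_b) / len(union) if union else 1.0

# sample lines: the deck's three alerts plus one constructed, ordinary-looking source
SAMPLE = [
    "snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.24:36493 -> 192.168.20.16:5800",
    "snort[1578]: [1:2001743:8] ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 192.168.20.24:45379 -> 192.168.20.16:1025",
    "snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.24:45896 -> 192.168.20.21:80",
    "snort[1578]: [1:1000001:1] LOCAL Example login failure notice [Classification: Misc activity] [Priority: 3]: {TCP} 192.168.20.30:51234 -> 192.168.20.21:80",
]
```

Run the same scanner twice and compare fingerprint() of the two alert sets; a similarity well below 1.0 answers the slide's question with "no, not always".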
FILE AND SOCIAL TROLLING DETECTION
Experiment
[1] Use low tech hacking
[2] Look for the goods
[3] Check your NIDS/SIM/DLP
What kind of logs do we make?
Can we rely on the NIDS vendors to detect file browsing?
Are the same users going to click around the same way all the time?
BEWARE OF FOCUSING ON JUST PEN TESTING TOOLS
“Holy MD5 checksums Batman, the Joker is using a penetration testing tool on the Bat Computer!”
“The joke’s on him, loyal friend, those tools only look for a few holes.”
“Wah, wah, wah. Not only do I have a custom exploit, it is encoded to get past the IDS!”
“What can I do to find pen testers?”
MESSING WITH THE PEN TESTERS WITH DNS
Give DNS recon tools false information
[root@megalon ~]# nslookup exchange.company.com
Server:         192.168.20.24
Address:        192.168.20.24#53
** server can't find exchange.company.com: NXDOMAIN
[root@megalon ~]# nslookup imap.company.com
Server:         192.168.20.24
Address:        192.168.20.24#53
Name:   imap.company.com
Address: 192.168.20.23
Where do these records point? Might have different ones inside vs. outside vs. location
Might use a SIM, IDS, etc. to “watch” the target IPs
Who manages IT? How often do you change them?
Could use a SIM to watch DNS queries and logs for these domains
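An added example (not from the talk) of the "watch DNS queries and logs for these domains" idea: it assumes a BIND-style query log, treats imap.company.com, the fake record above, as a decoy name, and flags any client that asks for it or that guesses many company.com hostnames inside one minute.

```python
"""Decoy-name and hostname-guessing detector over DNS query logs (added example, not
from the talk). The slide seeds DNS with false records and watches who asks for them;
this flags clients that query a decoy name or guess many names quickly. The BIND-style
log line below, DECOY_NAMES, WINDOW and GUESS_THRESHOLD are all assumptions:
  01-Mar-2010 10:00:01.123 client 192.168.20.24#36493: query: imap.company.com IN A + (192.168.20.24)"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DECOY_NAMES = {"imap.company.com"}   # the slide's fake record: only recon asks for it
WINDOW = timedelta(seconds=60)
GUESS_THRESHOLD = 4                  # distinct names per client inside one window
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: "
                     r"query: (?P<name>\S+) IN (?P<type>\w+)")

def parse_query(line):
    """Return (timestamp, client, name) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["client"], m["name"].lower()

def analyze(lines):
    """Per client: decoy names asked for, peak distinct names in WINDOW, verdict."""
    by_client = defaultdict(list)
    for q in filter(None, map(parse_query, lines)):
        by_client[q[1]].append((q[0], q[2]))
    report = {}
    for client, qs in by_client.items():
        qs.sort()
        decoys = sorted({n for _, n in qs if n in DECOY_NAMES})
        best, lo = 0, 0
        for hi in range(len(qs)):                 # sliding window over time
            while qs[hi][0] - qs[lo][0] > WINDOW:
                lo += 1
            best = max(best, len({n for _, n in qs[lo:hi + 1]}))
        report[client] = {"decoy_hits": decoys, "max_names_in_window": best,
                          "recon": bool(decoys) or best >= GUESS_THRESHOLD}
    return report

# constructed sample query log: .24 walks a list of guessed names, .50 is a normal user
SAMPLE = [
    "01-Mar-2010 10:00:01.123 client 192.168.20.24#36493: query: exchange.company.com IN A + (192.168.20.24)",
    "01-Mar-2010 10:00:05.000 client 192.168.20.24#36494: query: imap.company.com IN A + (192.168.20.24)",
    "01-Mar-2010 10:00:09.500 client 192.168.20.24#36495: query: owa.company.com IN A + (192.168.20.24)",
    "01-Mar-2010 10:00:20.000 client 192.168.20.24#36496: query: vpn.company.com IN A + (192.168.20.24)",
    "01-Mar-2010 10:00:00.000 client 192.168.20.50#50001: query: www.company.com IN A + (192.168.20.24)",
    "01-Mar-2010 10:10:00.000 client 192.168.20.50#50002: query: www.company.com IN A + (192.168.20.24)",
]
```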
MESSING WITH THE PEN TESTERS WITH DNS
Slow Down DNS responses
DNS is really reliable – can you convince your IT staff to mess with it?
Hopefully only slow down answers for stuff that isn’t live
If an attacker knows your IP addresses, this doesn’t help
Need very specialized DNS servers; does not need to be core servers
This could slow down an insider pen tester
MAKE FOOTHOLDS SLOW AND HARD TO USE
Make them work harder to leverage any compromised target
Exploits work, but we’re leveraging that the attacker does not know our defenses
Need to have a process to investigate false positives
MAKE FOOTHOLDS SLOW AND HARD TO USE
Make them work harder to leverage any compromised target
Most IT organizations are OK with proxies and packet shapers
Are they hooked up to your SIM or NBAD and part of your monitoring?
MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS
Force them to think – and less likely be a botnet
Web Apache attack -> SQL attack to Unix DB -> Client side SSH exploit -> IMAP Exchange Exploit
“Wait a second! Aren’t you the guy who’s been talking about compliance, repeatable builds and monocultures?”
Are you looking for these exploits to begin with?
Does your SIM chain together these types of attacks?
Pen testers pride themselves on doing this.
MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS
Force them to think – and less likely be a botnet
Web IIS attack -> SQL attack to Unix DB -> Client side RDP exploit -> IMAP Exchange Exploit
Pen testers pride themselves on doing this.
Are you looking for these exploits to begin with?
Does your SIM chain together these types of attacks?
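To show what "chaining together these types of attacks" in a SIM can mean, an added example (not from the talk or any product) that links events along the slide's pivot path: a later stage only joins a chain when it originates from the host the earlier stage reached. The event layout, stage labels and time window are assumptions.

```python
"""Multi-stage attack chaining for a SIM (added example, not from the talk).
Models the slide's pivot path: web attack -> SQL attack on the DB -> client-side
exploit -> mail server exploit. A later stage only chains if it originates from
the host the earlier stage reached, in stage order, within WINDOW seconds.
Events are constructed (t_seconds, stage, src, dst) tuples; names are assumptions."""
STAGES = ["web-attack", "sql-attack", "client-side", "mail-exploit"]
WINDOW = 3600   # max seconds between consecutive stages (assumed)

def build_chains(events):
    """Return every chain of two or more stage-ordered, pivot-linked events."""
    chains = []                      # each chain is a list of event tuples
    for ev in sorted(events):
        t, stage, src, dst = ev
        if stage not in STAGES:
            continue                 # unknown stage label: not part of the model
        rank = STAGES.index(stage)
        for chain in list(chains):   # copy: we append while iterating
            lt, lstage, _, ldst = chain[-1]
            if ldst == src and STAGES.index(lstage) < rank and t - lt <= WINDOW:
                chains.append(chain + [ev])
        chains.append([ev])          # every event may start a new chain
    return [c for c in chains if len(c) >= 2]

def longest_chain(events):
    """The deepest pivot path seen; [] when nothing chains."""
    chains = build_chains(events)
    return max(chains, key=len) if chains else []

def hosts_touched(chain):
    """Ordered list of hosts along a chain, for the incident summary."""
    hosts = [chain[0][2]] if chain else []
    hosts += [e[3] for e in chain]
    return hosts

# constructed events: an external web attack that pivots through the DB and an
# admin desktop to the mail server, plus two events that must not chain
SAMPLE = [
    (0,    "web-attack",   "203.0.113.5",   "192.168.20.21"),  # -> web server
    (600,  "sql-attack",   "192.168.20.21", "192.168.20.40"),  # web -> Unix DB
    (1500, "client-side",  "192.168.20.40", "192.168.20.77"),  # DB -> admin desktop
    (2000, "mail-exploit", "192.168.20.77", "192.168.20.16"),  # desktop -> Exchange
    (100,  "sql-attack",   "192.168.20.90", "192.168.20.41"),  # unrelated source
    (9000, "mail-exploit", "192.168.20.21", "192.168.20.16"),  # too long after t=0
]
```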
USE DYNAMIC NAC TO LIMIT INTERNAL ACCESS
Kick them off the network while generating alerts
• Most people think of NAC as a dead market
• NAC is alive and well in your switch vendor
[Image: Stewie getting his MAC address kicked off the net]
NAC can block hosts by MAC address, authentication & activity
Are NAC logs something sent to your SIM?
HONEYPOTS AND DECOYS
Let them eat cake fake servers!
Diagram labels: Network Honeypot; Interactive Honeypot; Honeypot target servers; Desktop Honeypot; Real server, honeypot service; Firewall or IPS responds (“Real” Honeypots vs. “Imaginary” Honeypots)
Honeypots can add complexity to your network
Every packet to a honeypot is not an attacker
Have you configured “honeypot” analysis in your SIM, NBAD or IDS?
ENGAGE THE ATTACKERS
Attack the attackers
• Launch DOS attacks against attackers
• Host hidden porn. Monitor for access.
• Replace common commands.
• Hook chargen up to services
• Viruses in honeypot office files
• Fake chat logs that have fake account info
• ZIP bombs in files obtained
• Host fake network diagrams
• Very large fake password files
“Hack back” is illegal in lots of places
You could be playing with fire.
This truly is security through obscurity.
HOW MUCH OF THIS DO YOU TELL AUDIT ?
They might be impressed
They might be confused
They might totally out you!
WHAT IF YOU DON’T DETECT THEM?
They “only” broke into here and here.
Yet they made a huge report
CONCLUSIONS
• Detecting real attacks and penetration testing is very similar
• We should be good enough to detect intrusions AND differentiate between a “pen test” and a “real attack”
• If we don’t have access to the logs, vulns, packets, etc we can’t do either
QUESTIONS or COMMENTS ??
RonGula on TWITTER
www.tenablesecurity.com
TENABLE is hiring!
blog.tenablesecurity.com
jobs@tenablesecurity.com