Malicious Information Gathering

advertisement
Malicious Information Gathering
Caezar
Introduction
 By creating mobile agents that communicate
and make decisions, a vast number of
“secrets” can be learned without triggering
the target system’s alarms.
 Presented by Caezar, a network security
research developer
History
 Knowing your opponents strategy has always
been critical to success
 Since the advent of radio transmission
opposing groups have monitored each other’s
strategic communications
 Today, the medium has changed toward the
Internet but the espionage concepts are
identical
Topics of Discussion
 Distributed Hacking
 Agents
 Information Representation
 Goal Seeking
 Mobility
 Application
Distributed Hacking
 Performs identically to common hacking
 Appears to come from many Internet
addresses
 Very difficult to stop, but fairly easy to detect
 Recent examples include Trinoo and TFN
attacks on major web sites
Distributed Hacking
 Each node is a module of the central
command
 With increasing distance between nodes,
communication latency becomes extremely
difficult to manage
 The central command decides which action
to take so the flexibility of the network
decreases as its size increases
Agents
 An agent is a person or thing that acts on
your behalf so that the authority does not
need to be present
 Normally, agents make the best available
decision without consulting the authority
 Only in exceptional cases does an agent halt
to wait for orders or permission
Agents
 A human food-delivery agent, for instance,
will not halt at a closed road, rather he will
choose another route and continue to perform
his tasks
 These are often called “autonomous agents”
in artificial intelligence (AI) research, but I
will refer to them simply as “agents”
Agents
 To be effective, computer agents need
sensors, actors and a management unit
 For information gathering, the sensors are
packet filters and pattern matchers
 The actors simply communicate interesting
data from the sensors back to the Authority
Agent, or an intermediary Director Agent
Agents
 The management unit receives requests from
other Agents or Director Agents and
prioritizes them, possibly declining to
perform the service
 Due to ideal small size requirements, we use
a simple rule set with a busy indicator to
decide when to accept or reject requests
Agents vs. Modules
 Modules have a predefined purpose and use,
agents are multipurpose and have
interchangeable uses
 Modules perform their tasks immediately,
agents may schedule the task for later
completion
 Agents can choose to reject a request,
modules cannot make that choice
Information Representation
 For the system of agents to communicate
effectively they must agree on a format of
representing their collected data
 If the data collected is going to be used to
mount a network attack on a particular target,
the agents should be able to identify
weaknesses and catalog them with a
Librarian for future use by a Director
Information Representation
 To catalog and retrieve learned information,
it must be consistently and uniquely named
 XML or ASN.1 make good information
descriptions
 Both can be used easily with SQL-based
exploit libraries by a Librarian Agent
Goal Seeking
 Bruce Schneier of Counterpane Systems
recently elaborated on attack trees in Doctor
Dobb’s Journal, December 1999
 The attack tree model is an excellent pattern
against which the data collected by the
Librarian can be compared
 Each fully matching branch indicates an
available method for attack success
Goal Seeking
 Creating an attack tree for every desirable
goal allows each goal to be broken into small
pieces and managed by a Director Agent
 Redundant nodes can be applied to several
trees without wasted effort
 With a good set of attack trees and agent
tools, a Director can find and exploit security
flaws without intervention
Goal Seeking
 Given several goals, the management unit
can schedule the agent to fulfill many
requests without requiring further
communication with the network
 Director Agents divide larger tasks into
smaller ones and distribute the work amongst
available agents
Goal Seeking
 An example is port-scanning a Class C domain
 The task can be divided between Directors who
then subdivide the job between their agents
 Each agent will make a small number of requests
 As a whole, this example agent network makes a
complete scan
Mobility
 By adding an exploit sensor to every agent literally
thousands of machines can be found to infect
 If a Librarian agent provides exploit code to the
agents, those found machines become hacked
machines
 If the exploit code starts an agent running, then the
agent network grows of its own volition
Mobility
 For the rest of this presentation, assume that
a particular target network is being attacked;
for instance “bigcompany.com”
 We do not want to infect the whole Internet
to attack or monitor the target
 By restricting the agent to infect only
machines “closer” to the target, we eliminate
the radical growth problem
Application
 To bring all of this material together, we need the
following components:



A goal like “Collect all of the e-mail to or from
bigcompany.com”
A library of exploit code designed to inject a running
agent into currently popular systems
A Librarian Agent capable of searching the database and
returning code matched to a requested target
Application
 Component list (continued):



E-mail capture code with source and destination
filters (e.g. dsniff by Dug Song)
A Director Agent to manage agent
communication, e.g. to Librarian Agent
A communication channel; direct TCP for
simplicity
Application
 Identify a large list of initial nodes, perhaps by
scanning for known Trojans
 Insert Librarian and Director Agents
 Communicate the initial target list to the Director
 As the Director spawns new agents they begin to
feed data back regarding more potential targets,
network layout, adjacency, etc.
Application
 The agent network surrounds the target
 Depending on the quality of the exploit
library it will be able to monitor portions of
the target’s network traffic
 The ability to attack routers, ISP hosts and
other “hard” targets is critical to the success
of this sort of attack
What This Means
 Distributed information gathering, especially
agent-based, can do much of the work of
network mapping software without triggering
your IDS
 Corporate and government security models
must consider simple TCP services like
SMTP, POP3 and HTTP as totally insecure
unless explicitly audited
What This Means
 Assume that mobile, autonomous agents are
already available to the intelligence
community
 Assume that attackers do not need to probe
your network before attacking
 They can listen long enough before attacking
to passively identify your systems and
servers
What This Means
 With the introduction of automated
distributed attacks, it is reasonable to expect
that Artificial Intelligence and Superficial
Intelligence will pose new threats to online
security
Download