Transcript Slide 1

ShmooCon 2006
Network Security Monitoring
with Sguil
Richard Bejtlich
[email protected]
www.taosecurity.com / taosecurity.blogspot.com
David Bianco
[email protected]
www.vorant.com / infosecpotpourri.blogspot.com
1
Copyright 2006 Richard Bejtlich and David Bianco
Overview
• The Problem
• Network Security Monitoring
• Sguil
• Case Study
The Problem
• You want to know if your network is compromised
• You could... inspect every host for signs of compromise
– Where to begin? What to check? Do you trust results?
– Unless your enterprise is very small, and you are competent to perform host-centric forensics, this is not a viable option
• You could... perform a vulnerability assessment
– VA indirectly measures compromise by showing potential for intrusion, not actual intrusions
– VA is vulnerability-centric, not threat-centric; not recommended
• You could... inspect network traffic for signs of compromise
– Where to monitor? What about encryption or high bandwidth?
– This option represents best return on invested resources, if the right data is collected, analyzed, and escalated
The Problem
• Most people install an IDS or IPS in monitoring mode and wait for alerts

Event      Example                            IDS Action
Event 1    Ping Web site IP address           Ignore
Event 2    Visit Web site                     Ignore
Event 3    Exploit Web site flaw              Alert
Event 4    FTP to retrieve tools              Ignore
Event 5    Install back door                  Ignore
Event 6    Communicate with back door         Ignore
Event 7    Connect via SSH to another site    Ignore
Event 8    Transfer local exploit via SCP     Ignore
Event ...  And so on...                       ?

• Thanks to the IDS alert, an analyst is aware of a Web site problem -- but what about activity before or after the alert?
The Problem
• The previous slide presented a best-case scenario -- at least the attack was detected by the IDS! But what do you get with that alert?
– Cryptic message about an attack
– Maybe a packet that specifically triggered an alert
– A reference to visit the vendor's Web site for more generic info
• Factors compounding the problem
– Attack over HTTPS using SSL
– Attack using insertion and evasion methods
– Attack using a zero-day exploit undetected by any IDS
• Scarier scenarios
– Use stolen credentials and connect via SSH
– Compromise a customer or employee and ride their VPN
– Go rogue and steal from your own company
The Problem
• Many security developers and vendors believe one or more of the following
– Attacks can be understood prior to execution
– Methods to detect or prevent attacks can be encapsulated in programming logic
– Customers will purchase, properly configure, and effectively deploy products offering sufficient defensive logic
– The customer's environment will behave as anticipated by the developers and vendors
• Accordingly, developers and vendors field alert-centric products which act on those beliefs
• All of these beliefs must hold true in order to counter sophisticated threats, but few do
The Problem
• Investigations with alert-centric systems quickly end, often without resolving the incident

[Flow diagram] Analyst sees original alert (ALERT) -> Queries database for alerts -> Database returns single alert (ALERT) -> Investigation ends

• Analysts stuck with only alert data to inspect cannot make validation and escalation decisions
– MSSPs call customers to ask if they have been compromised
– Security personnel ignore alerts because they have no other data
Network Security Monitoring
• Network security monitoring is the collection, analysis and escalation of indications and warning to detect and respond to intrusions
• NSM gives analysts the data they need to make decisions
• NSM treats all data as indicators, not "false positives" or "false negatives"
Network Security Monitoring
• NSM relies upon four forms of traffic-centric data
– Statistical data (Capinfos, Tcpdstat)
• Descriptive, high-level view of aggregated events
– Session data (Argus, SANCP, NetFlow)
• Summaries of conversations between systems
• Content-neutral, compact; encryption no problem
– Full content data (Tcpdump, Tethereal, Snort as packet logger)
• All packet details, including application layer
• Expensive to save, but always most granular analysis
– Alert data (Snort, Bro, other IDSs)
• Traditional IDS alerts or judgments (“RPC call!”)
• Context-sensitive, either by signature or anomaly
• Sguil (www.sguil.net) is an interface to much of this in a single open source suite
Network Security Monitoring
[Diagram: the four NSM data types, alert data, session data, full content data and statistical data]
Network Security Monitoring
• Revisit intrusion scenario when NSM data is available

Event      Example                            IDS Action   Helpful NSM Collection
Event 1    Ping Web site IP address           Ignore       Session
Event 2    Visit Web site                     Ignore       Session, Full Content
Event 3    Exploit Web site flaw              Alert        Alert, Session
Event 4    FTP to retrieve tools              Ignore       Session, Full Content
Event 5    Install back door                  Ignore       Session, Full Content
Event 6    Communicate with back door         Ignore       Session, Full Content *
Event 7    Connect via SSH to another site    Ignore       Session
Event 8    Transfer local exploit via SCP     Ignore       Session
Event ...  And so on...                       ?

• Analysts have much more data to review
* if unencrypted (more common than you might think)
Network Security Monitoring
• Investigations with NSM present many more options

[Flow diagram] Analyst sees original alert (ALERT) -> Queries database for alerts -> Database returns single alert (ALERT) -> Queries database for sessions -> Analyst sees FTP to retrieve tools (SESSIONS) -> Reconstructs FTP control and data channels -> FTP data channel allows analysis of intruder back door (FULL CONTENT) -> Queries database for sessions -> Analyst sees connections to other IPs (SESSIONS) -> and so on...
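As an added example (not from the slides or from Sguil), here is the pivot the diagram describes, coded against a handful of constructed session records that mirror the intrusion scenario; the tuple layout, the function names and the 60-minute window are assumptions, not SANCP's schema or Sguil's code:

```python
# Added example, not from the slides or Sguil: pivoting from one IDS alert
# into session data so the analyst sees what happened after the alert.
# Session records are constructed; the tuple layout is an assumption, not SANCP's schema.
from datetime import datetime, timedelta

# (start time, src ip, src port, dst ip, dst port, bytes): the intrusion
# scenario's events, with 192.0.2.10 as the Web server and 10.1.1.7 as the intruder.
SESSIONS = [
    ("2006-01-14 02:00:01", "10.1.1.7", 0, "192.0.2.10", 0, 120),            # ping
    ("2006-01-14 02:00:05", "10.1.1.7", 1034, "192.0.2.10", 80, 1200),       # visit site
    ("2006-01-14 02:00:09", "10.1.1.7", 1035, "192.0.2.10", 80, 8300),       # exploit (the alert)
    ("2006-01-14 02:01:30", "192.0.2.10", 1100, "198.51.100.5", 21, 640),    # FTP control
    ("2006-01-14 02:01:32", "198.51.100.5", 20, "192.0.2.10", 1101, 51200),  # FTP data
    ("2006-01-14 02:02:10", "10.1.1.7", 1040, "192.0.2.10", 31337, 900),     # back door
    ("2006-01-14 02:03:00", "192.0.2.10", 1102, "203.0.113.9", 22, 4000),    # SSH elsewhere
    ("2006-01-14 09:00:00", "192.0.2.10", 1200, "198.51.100.77", 443, 300),  # outside window
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def pivot_from_alert(sessions, victim, alert_time, window_minutes=60):
    """Group the victim's sessions in the window after the alert the way the
    investigation diagram walks them: FTP activity, new inbound ports on the
    victim (a listener that did not exist before the alert), and outbound peers."""
    t0 = _ts(alert_time)
    t1 = t0 + timedelta(minutes=window_minutes)
    # Ports the victim served before the alert form the baseline.
    known_ports = {s[4] for s in sessions if s[3] == victim and _ts(s[0]) < t0}
    out = {"ftp": [], "new_inbound_ports": [], "outbound_peers": []}
    for start, src, sport, dst, dport, nbytes in sessions:
        if victim not in (src, dst) or not (t0 <= _ts(start) <= t1):
            continue
        peer = dst if src == victim else src
        if 21 in (sport, dport) or 20 in (sport, dport):
            out["ftp"].append((start, peer, nbytes))        # control and data channels
        elif dst == victim and dport not in known_ports:
            out["new_inbound_ports"].append((start, src, dport))
        elif src == victim and dst not in out["outbound_peers"]:
            out["outbound_peers"].append(dst)
    return out

if __name__ == "__main__":
    for kind, rows in pivot_from_alert(SESSIONS, "192.0.2.10", "2006-01-14 02:00:09").items():
        print(kind, rows)
```

The FTP rows are the ones an analyst would pull full content for; the new inbound port and the outbound SSH peer are the leads that an alert-only workflow never surfaces.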
Network Security Monitoring
• NSM does not try to anticipate attacks
• NSM uses a "dumb is smart" approach
– NSM does not rely on fancy systems to pass judgements on network traffic, to the exclusion of all other collection mechanisms
– NSM does leverage smart systems (IDS, network anomaly detection, etc.) for initial clues
• NSM session and full content collection is completely content neutral
– Session and full content data are collected whether or not any other system thinks they are interesting
• NSM is not SIM/SEM: a SIM/SEM collects and correlates log sources which may or may not have any value
Sguil
• Sguil is an open source interface to NSM data
• Lead developer: Bamm Visscher
• Ancestry: Snort Personal REal-time GUI (SPREG), circa 2001
• Sguil released as open source at sguil.sf.net in 2003
• Version 0.6.0p1 released 1 Dec 2005
• Coded mainly in Tcl/Tk
• Integrates:
– Alert data from Snort
– Session data from SANCP
– Full content data from a second instance of Snort
Sguil
[Architecture diagram] Network traffic on monitored link; sensor watches traffic
– log_packets.sh collects full content data, provided on demand via sensor_agent.tcl
– SANCP (www.metre.net/sancp.html) collects session data, sent to database via sensor_agent.tcl
– Snort sends alert data output to Barnyard (www.sf.net/projects/barnyard); Barnyard sends output to sensor_agent.tcl
– sensor_agent.tcl coordinates data flow with sguild
– On Sguil server, sguild answers requests from Sguil client; MySQL database stores alert and session data
– Sguil client is dynamic Tcl/Tk GUI on Windows or UNIX
Sguil
[Screenshots] Launch sguil.tk, and enter sguild host, port, username, and password. Select a sensor, then Start Sguil.
Sguil
[Images only, no slide text]
Sguil
[Screenshot] FTP data channel shows source code; FTP control channel shows commands
How to Pwn a Million PCs Without Breaking a Sweat
A Sguil Case Study
Sguil/NSM Case Study
• Study based on an exploit encountered “in the wild”
• The exploit used the WMF vulnerability
• Delivered via a popunder ad while victim was visiting an otherwise legit website
• This case study recreates my incident research process to show off the power of Sguil
• High-level writeup available on my blog:
– http://infosecpotpourri.blogspot.com/2006/01/how-to-pwn-millioncomputers-without.html
– Aimed towards users/managers
• Saved the good stuff for ShmooCon!
Important Notes
• The victim’s identity has been obfuscated to protect the innocent
• The ad servers’ identities have been obfuscated to protect the guilty and the not-so-guilty
• Some URLs have been obfuscated to protect the silly
• Legitimate website names appearing in this presentation have nothing to do with this exploit and are only there to provide context for understanding the web session
“It was a dark and stormy night…”
Was that a real exploit I just saw?
Was that a real exploit I just saw?
What other events were generated?
Quick session check (source)
Quick session check (victim)
“I will hunt you down…”
• Also cross-checked other sources, such as:
– Antivirus logs
– Manual AV update and scan
– Checked system for c:\n.exe as specified in WMF file
• Exploit attempt seems to have been unsuccessful
• Crisis averted, but let’s have some fun!
• All the sessions are HTTP, so we can leverage that to help us reconstruct the sequence of events
• Begin with the transcript of the exploit session
• Match up “Referer” headers with requests and work backwards
– Like climbing a ladder
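The ladder climb as an added example (not from the slides, and not Sguil code): raw HTTP request headers of the kind a Sguil transcript shows are parsed, and the Referer chain is walked backwards from the exploit request. The request blocks are constructed; hostnames follow the case study (MySpace, HTMHelper, Cash4popupads, Spf99, lower-cased), while the paths, the ".example" ad host and the function names are assumptions.

```python
# Added example, not from the slides or Sguil: rebuild the popunder ad chain by
# following HTTP Referer headers backwards from the exploit request.

# Constructed request headers in capture order. Hostnames follow the case
# study; paths and the ".example" ad host are invented for the example.
REQUESTS = [
    "GET /profile/friend HTTP/1.1\r\nHost: www.myspace.com\r\n\r\n",
    "GET /onlineicon/ HTTP/1.1\r\nHost: www.htmhelper.com\r\n"
    "Referer: http://www.myspace.com/profile/friend\r\n\r\n",
    "GET /popup.php?id=XXXX HTTP/1.1\r\nHost: popunder.cash4popupads.com\r\n"
    "Referer: http://www.htmhelper.com/onlineicon/\r\n\r\n",
    "GET /handoff.php?net=spf99 HTTP/1.1\r\nHost: popunder.cash4popupads.com\r\n"
    "Referer: http://popunder.cash4popupads.com/popup.php?id=XXXX\r\n\r\n",
    "GET /ad.php?aff=101 HTTP/1.1\r\nHost: ads.spf99.example\r\n"
    "Referer: http://popunder.cash4popupads.com/handoff.php?net=spf99\r\n\r\n",
    "GET /101.wmf HTTP/1.1\r\nHost: ads.spf99.example\r\n"
    "Referer: http://ads.spf99.example/ad.php?aff=101\r\n\r\n",
]

def parse_request(raw):
    """Pull method, absolute URL and Referer out of one raw HTTP request head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method,
            "url": "http://" + headers.get("host", "") + path,
            "referer": headers.get("referer")}

def climb_ladder(requests, exploit_url):
    """Return the URL chain from the exploit request up to the first request
    that carried no Referer: the top of the ladder, for now."""
    by_url = {}
    for req in map(parse_request, requests):
        by_url.setdefault(req["url"], req)      # keep the first request seen for a URL
    rungs, url, seen = [], exploit_url, set()
    while url and url not in seen:
        seen.add(url)                           # guard against Referer loops
        rungs.append(url)
        req = by_url.get(url)
        url = req["referer"] if req else None   # stop if that rung was never captured
    return rungs

if __name__ == "__main__":
    for n, url in enumerate(climb_ladder(REQUESTS, "http://ads.spf99.example/101.wmf"), 1):
        print(f"Rung #{n}: {url}")
```

On real transcripts the chain breaks wherever a page was fetched from cache or the browser sent no Referer, which is exactly where the session list has to be consulted by hand.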
Victim’s Session List
Rung #1: Exploit Delivered
Rung #2: Spf99 Serves the Ad
Victim’s Session List
Rung #3: Cash4popupads Handoff to Spf99
Victim’s Session List
Rung #4: Cash4popupads creates a popunder
Victim’s Session List
Rung #5: A Legit Site (HTMHelper)
HTMHelper Page Source
<!-- Cash4popupads.com Advertising Code Begin -->
<SCRIPT LANGUAGE="JavaScript1.1"
SRC="http://popunder.Cash4popupads.com/popup.php?id=XXXX">
</SCRIPT>
<!-- Cash4popupads.com Advertising Code End -->
Victim’s Session List
Rung #6: Another Legit Site (MySpace)
MySpace Page Source
<div style="position:absolute;
left:0px;
top:0px;
width:88px;
height:31px;">
<a href="http://www.htmhelper.com/onlineicon/" target="_self">
<img src="http://www.htmhelper.com/onlineicon/clickhere.gif"
alt="Myspace Online Icon" />
</a>
</div>
“Insert Tab A into Slot B…”
• Victim browses a MySpace profile page
– The page owner or one of the commenters is online, and has the “online status” icon showing by their name.
– The status icon is provided by and linked back to the HTMHelper site
• The HTMHelper page is ad-supported and contains a JavaScript snippet to display popunder ads from Cash4popupads. This may be annoying, but not intrinsically malicious
• Cash4popupads establishes the popunder window but not the ad content
– It’s acting more as a conduit for the ads, which are provided by Spf99
“Score along line C and fold to meet side D…”
• Spf99 served the actual infected file
– 101.wmf
• Internal codes indicate this was provided by “affiliate 101”
– Could be an individual
– Could be another ad network
– Who knows?
• This is the top of the ladder (for now)
• How would you continue the investigation?
Sguil
• Simplest way to try Sguil: use Win client, demo server
– Install ActiveState TCL (www.activestate.com/Products/Download/Download.plex?id=ActiveTcl)
– Visit www.sguil.net, download, extract sguil-client-0.6.0p1.zip
– Create a c:\tmp directory
– Edit sguil.tk:
set VERSION "SGUIL-0.6.0"
– Edit sguil.conf to match Windows environment:
# win32 example
set ETHEREAL_PATH "c:/progra~1/ethereal/ethereal.exe"
# Where to save the temporary raw data files on the client system
# You need to remember to delete these yourself.
# set ETHEREAL_STORE_DIR /tmp
# win32 example
set ETHEREAL_STORE_DIR "c:/tmp"
# Favorite browser for looking at sig info on snort.org
# set BROWSER_PATH /usr/bin/mozilla
# win32 example (IE)
set BROWSER_PATH c:/progra~1/intern~1/iexplore.exe
– Launch Sguil client, connect to demo.sguil.net on port 7734 with any username and password
Sguil
• Simplest way to try Sguil with a local setup: use Sguil server VM or client and server VM
– Described here: sguil.sourceforge.net/index.php?page=vm
– Use Sguil client as described on previous slide to connect to VM
– Use complete Sguil VM
• Other options
– InstantNSM (instantnsm.sf.net)
– FreeBSD installation script (taosecurity.blogspot.com/2006/01/sguil-installation-scriptv0.html)
• Help available on irc.freenode.net #snort-gui channel
• Free Tao of Network Security Monitoring chapters on NSM & Sguil in .pdf at www.taosecurity.com/books.html
Questions?
• Richard Bejtlich
• [email protected]
• www.taosecurity.com / taosecurity.blogspot.com
• David Bianco
• [email protected]
• www.vorant.com / infosecpotpourri.blogspot.com
• www.sguil.net
• irc.freenode.net / #snort-gui