Good and Bad (Mostly Bad) Uses Of Vulnerability Data For IDS Event Correlation
November 6, 2015 Copyright © 2007 Tenable Network Security, Inc.
Slide 1: Good and Bad (Mostly Bad) Uses Of Vulnerability Data For IDS Event Correlation

Slide 2: Introduction
The goal of this talk is to help those of us with network monitoring programs to understand the limits of IDS/VA correlation.

Slide 3: Introduction
-- OR --

Slide 4: Introduction
We all have purchased expensive SIM and IPS products and this will help you operate them better!

Slide 5: Introduction
I hope no-one needs to recode their software or strangle their sales guy after this …

Slide 6: IDS/VA is in lots of places already
• SIMs do it
  – Arcsight, Q1, Cisco MARS, Tenable, etc.
• IDS/IPS do it
  – Sourcefire, Lucid, NFR, etc.
• Threat Simulators do it
  – Skybox, RedSeal, etc.
• Pre/Post NAC looks a lot like this too
• Home grown applications !!!
  – Your MSPs and internal IT projects

Slide 7: Why listen to me?
• CTO/CEO and Co-Founder of Tenable
  – Nessus Vulnerability Scanner
  – Several monitoring & correlation products
• Founder of Network Security Wizards, which made the Dragon Intrusion Detection System
• Director of Risk Mitigation at USi
• Consultant, pen-tester & security researcher for GTE, BBN and NSA
• Captain in USAF

Slide 8: Overview
• Basic VA/IDS Concepts
• Sources of Correlation Errors
• Multiple Vulnerability Scan Handling
• Under Emphasis of IDS events
• Operating System Based Correlation
• Why isn't Patch Auditing and Passive Network Data used more?
• IDS/IPS configuration based on Vulns
• Latent Scanner Handicaps
• Questions and comments

Slide 9: Basic VA/IDS Concepts
• Why correlate at all?
  – Typical NIDS have imperfect knowledge of the networks they are watching
  – Most NIDS are not intrusion detection systems, but are instead attack and probe detection systems
  – A NIDS may give you hundreds of thousands of events per day (or per hour); correlating these with your known vulnerabilities can reduce them to a small handful
  – You can use the fact that your NIDS has such a high false positive rate to justify VA scanning every day instead of once per quarter

Slide 10: Basic VA/IDS Concepts
Which describes you better?
• Want to see any and all possible attacks.
• Only responding to events which affect your business.

Slides 11-13: Basic VA/IDS Concepts (network diagrams, no text)

Slides 14-17: Basic VA/IDS Concepts (diagram: attacks against a set of hosts; the hosts marked "V" are the ones the vulnerability scanner reports as vulnerable)

Slide 18: Basic VA/IDS Concepts
IDS Says: "Nine Attacks!"

Slide 19: Basic VA/IDS Concepts
VA/IDS Says: "1 REAL attack"

Slide 20: Basic VA/IDS Concepts
Which is more accurate?
• Your favorite: IDS, IPS, UTM, NBAD
• Your favorite: Scanner, PCI Scanning MSP, Patch Tester, Agent
Slide 21: Basic VA/IDS Concepts
What the correlation produces, by IDS outcome and VA outcome:

IDS False Positive
  – VA False Positive: Sends you a well qualified event that is false!
  – VA 100% Accuracy: Removes the IDS false positive
  – VA False Negative: IDS events that are incorrect are not removed
IDS 100% Accuracy
  – VA False Positive: Over-emphasizes a valid IDS event
  – VA 100% Accuracy: Desired alerting
  – VA False Negative: IDS events are not emphasized
IDS False Negative
  – VA False Positive: Can't help directly
  – VA 100% Accuracy: Potentially reconfigure the NIDS
  – VA False Negative: Can't help directly

Slide 22: Sources of IDS/IPS FP/FN
• False Positives
  – Bad signature
  – Good signature, but unexpected matching traffic
• False Negatives
  – No signature
    • Unknown attack/vuln
    • Can't write a rule to look for it
  – Bypass detection with encoding

Slide 23: Sources of Vuln FP/FN
• False Positives
  – Bad rule/plugin/check
  – Good rule/plugin/check, but unexpected matching data or application
  – Back-porting of daemons (the fix is applied but the version banner is unchanged, so a banner-based check still fires)
    • Nessus "Paranoid" mode

Slide 24: Sources of Vuln FP/FN
• False Negatives
  – No signature
  – Didn't scan that port
  – Didn't use credentials
  – Didn't scan that often
  – Back-porting of daemons
    • Nessus "Paranoid" mode
  – Can't perform a check for this
    • Credentialed vs. network scanning
    • "We'd like you to develop a non-credentialed method to test for the new Daylight Savings Time patch"

Slide 25: Introduction
And even when it does work ….

Slide 26: Basic VA/IDS Concepts
There is the human layer: The Security Grind
"Hey Joe, I think there is something wrong with our SIM!!!"
"Why do you say that?"
"According to this, we've just had several hundred successful Telnet and DNS attacks"

Slide 27: Sources of Correlation Errors
Simple Algorithm
1. Receive IDS event
2. "Lookup" to see if target is vuln
3. Launch missiles if real attack

Slide 28: Sources of Correlation Errors
• Magic "Lookup" functions
  – What is the correlation based on?
    • CVE, Bugtraq, Nessus ID, X-Force ID, etc.
  – Is it port and protocol specific?
  – How does it get updated?
    • IDS and vuln scanners get daily updates
    • How does the solution sync with this new data?
  – How correct is the code?
    • Does it accept "CVE" and "CAN"?
    • Does it handle multiple CVE/Bugtraq entries per vulnerability or IDS event?

Slide 29: Sources of Correlation Errors
Example Snort rule with its cross-reference metadata:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:13;)

Slides 30-32: (screenshots, no text)

Slide 33: Sources of Correlation Errors
• What happens when the META DATA is incorrect?
  – Advisories can have incorrect CVEs, Bugtraq IDs and so on
  – We've seen cases where the wrong CVE or Bugtraq reference is in the IDS signature
  – With 14,000+ plugins, we've made mistakes putting the wrong CVE, Bugtraq ID, etc. in Nessus scripts too

Slide 34: Sources of Correlation Errors
• Disparity in NIDS ports and scanned ports
• Few organizations scan all 65k TCP and UDP ports
• Few organizations scan for ALL available vulnerabilities
• So what happens if vulnerability #44 is on port 55000 but we never scanned for it?
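The "Simple Algorithm" and the "Magic Lookup" questions above, carried through as an added worked example (this is not code from the deck or from any Tenable product). It parses the reference: options out of the quoted Snort rule, folds the CVE/CAN and bugtraq/bid spellings into one key so that both sides compare equal, keys the lookup on host, protocol and port rather than on host alone, and refuses to answer "not vulnerable" for a port the scanner never probed. The hosts, the scanned port sets and the scanner's CAN-style reference are constructed sample data.

```python
import re
from dataclasses import dataclass

# The Snort rule quoted on the "Sources of Correlation Errors" slide.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS view source via translate header"; flow:to_server,established; '
    'content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,14764; '
    'reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; '
    'classtype:web-application-activity; sid:1042; rev:13;)'
)

REF_RE = re.compile(r"reference:\s*([a-z-]+)\s*,\s*([^;]+);", re.IGNORECASE)

VULNERABLE, NOT_VULNERABLE, UNKNOWN = "VULNERABLE", "NOT_VULNERABLE", "UNKNOWN"


def normalize_ref(system, value):
    """Fold one cross-reference into a canonical 'system:value' key.

    Old "CAN-YYYY-NNNN" candidate names, "CVE-YYYY-NNNN" and the bare
    "YYYY-NNNN" form Snort uses all become cve:CVE-YYYY-NNNN, and the
    "bid"/"bugtraq" spellings collapse to one key, so an IDS rule and a
    scanner finding written by different people still compare equal.
    """
    system = system.strip().lower()
    value = value.strip()
    if system in ("cve", "can"):
        return "cve:CVE-" + re.sub(r"^(?:CVE|CAN)-", "", value, flags=re.IGNORECASE)
    if system in ("bugtraq", "bid"):
        return "bugtraq:" + value
    return f"{system}:{value}"


def parse_snort_refs(rule):
    """Every reference: option in a rule, normalized (a rule may carry several)."""
    return frozenset(normalize_ref(s, v) for s, v in REF_RE.findall(rule))


@dataclass(frozen=True)
class Finding:
    host: str
    proto: str
    port: int
    refs: frozenset          # normalized cross-references of the check that fired


@dataclass
class VulnStore:
    findings: list
    scanned_ports: dict      # (host, proto) -> set of ports the scanner actually probed

    def correlate(self, rule, dst_host, dst_proto, dst_port):
        """Three-state lookup for one IDS event against one target service.

        NOT_VULNERABLE is only asserted when the scanner actually probed that
        port on that host; if it never did, the honest answer is UNKNOWN (the
        slide's "vulnerability #44 is on port 55000 but we never scanned for it"),
        not a quietly de-emphasized event.
        """
        if dst_port not in self.scanned_ports.get((dst_host, dst_proto), set()):
            return UNKNOWN
        rule_refs = parse_snort_refs(rule)
        for f in self.findings:
            same_service = (f.host, f.proto, f.port) == (dst_host, dst_proto, dst_port)
            if same_service and f.refs & rule_refs:
                return VULNERABLE
        return NOT_VULNERABLE


def demo_store():
    """Constructed sample data (hosts, ports and the CAN spelling are assumptions)."""
    iis_finding = Finding(
        host="10.0.0.5", proto="tcp", port=80,
        # the scanner recorded the old candidate name and the "bid" spelling
        refs=frozenset({normalize_ref("cve", "CAN-2000-0778"), normalize_ref("bid", "1578")}),
    )
    return VulnStore(
        findings=[iis_finding],
        scanned_ports={("10.0.0.5", "tcp"): {80, 443}, ("10.0.0.6", "tcp"): {22}},
    )


if __name__ == "__main__":
    store = demo_store()
    for host, port in (("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.6", 80)):
        print(f"sid 1042 -> {host}:{port}/tcp : {store.correlate(SNORT_RULE, host, 'tcp', port)}")
```

The third outcome is the point: 10.0.0.6 was only ever scanned on port 22, so an event against its port 80 is neither confirmed nor dismissed. A two-state lookup would silently file it under "not vulnerable", which is exactly the under-emphasis failure the later slides describe.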
Slide 35: Sources of Correlation Errors
• Disparity in NIDS rules and scanner checks
• NIDS rules are updated daily, and so are vuln scanner checks, but scans might not happen daily
• What happens when your NIDS starts to detect today's attack-of-the-week but you have not scanned for it yet?
  – More on this in a moment …

Slide 36: Multiple Vulnerability Scans
• There is only one network.
• It might change.
• We scan it often to detect the change.
• Hopefully our VA/IDS solution is keeping up with the scans.
• More solutions are becoming available that detect network changes in order to drive scans.

Slide 37: Multiple Vulnerability Scans
• Very Cheap Model
  – No real correlation; VA data is just presented when requested or invoked
• Cheap Models
  – Only the last scan is used for correlation
  – Vulnerabilities are not port/protocol centric
• Misleading Models
  – Vulnerabilities never get fixed
  – "Point scans" magically fix other vulnerabilities
    • i.e. the monthly SSH scan didn't find any FTP issues, so the FTP findings are dropped

Slide 38: Multiple Vulnerability Scans
(timeline diagram of successive scans: Full Port Scan, SANS Top 20, Patch Audit, DMZ Scan, Mail Scan, Point Vuln Scan, Patch Verify Scan, DMZ Scan, Mail Scan)

Slide 39: Under Emphasis
• Basic idea
  – De-emphasize stuff I'm not affected by
  – Alert me if I've been attacked
• Problem
  – What if my vulnerability data isn't as updated as my IDS data?

Slide 40: Under Emphasis
(timeline diagram: new IDS rules and new scan rules arrive continuously, while SCAN events occur only occasionally in between, so the vulnerability data lags the IDS signatures)

Slide 41: Under Emphasis
• For the latest round of "major" vulns:
  – Telnet -froot
  – ANI
  – MS DNS
• When did you first scan for these?
• When did you first notice these in your IDS logs?

Slide 42: OS Based VA/IDS Correlation
• Attempt to discover the type of OS and then associate the relevant vulnerabilities with it
• Lots of ways to guess the remote OS
  – Passive and/or active fingerprinting
  – Asset database
• These are not 100% accurate, but let's assume they are …

Slide 43: OS Based VA/IDS Correlation
• Once we know the OS, which vulnerabilities do we associate with it?
  – All of them?
  – What if they have been patched?

Slide 44: OS Based VA/IDS Correlation
• What about client-side applications like Outlook?
• What about cross-platform applications like Skype, Mozilla, iTunes, etc.?

Slide 45: OS Based VA/IDS Correlation
• In a mixed environment of Solaris, UNIX, Linux, Windows, etc., filtering out or highlighting attacks is useful.
  – Example vendor customer testimonial: "With product XYZ, we go from 1,000,000 events a day to just 100".
  – Keep in mind a lot of IDS events just don't correlate
• For discriminating between two servers where one has a patch and the other doesn't, it is misleading.

Slide 46: Patch and Passive Data
Why isn't patch data used more?
Positive:
  • Accuracy
  • Client vulns
  • Works all over
  • Fast
Negative:
  • "No more agents!"
  • "Can't get creds!"
  • "IT won't share"

Slide 47: Patch and Passive Data
(cartoon)
"I've been scanning since you were in diapers, sonny!"
"Those IT guys don't know #%#$# about security."

Slide 48: Patch and Passive Data
Why isn't passive data used more?
Positive:
  • Real time
  • Client vulns
  • Works all over
  • Fast
Negative:
  • Accuracy
  • No span port
  • BW or topology

Slide 49: Tuning Your IDS/IPS
• Based on your discovered assets, applications or vulnerabilities, only enable certain rules
  – Your NIDS runs faster !!
  – No more silly false positives !!
• Example
  – None of your systems run SNMP
  – Remove all of the SNMP rules on your IDS/IPS

Slide 50: Tuning Your IDS/IPS
• Marketing claims from some IPS vendors:
  – "Vulnerability Shielding"
  – "Virtual Patching"
  – "In-line Patching"
• The key is to have near-real-time awareness of what is on your network
• Any lag between a network change and what your IPS is blocking is a window of time where events are not prevented or monitored correctly.

Slide 51: Latent Scanner Handicaps
• Need to know your tools and processes
  – What ports do we scan for?
  – What checks do we use?
  – Are we using credentials or agents?

Slide 52: Latent Scanner Handicaps
• How does your scanner technology get updated with new checks?
  – Does each scanner need a manual update?
  – How often is my organization pushing new checks?
  – Are there RSS feeds or email alerts when new checks are available?

Slide 53: Latent Scanner Handicaps
• What is in my scanner "black box"?
  – They might say Nessus …
  – They probably are using Nessus 2 …
  – They probably are using checks which were relevant in 2005, and not doing patch auditing on modern MS OSes

Slide 54: Latent Scanner Handicaps
• What is in my MSP's "black box" scanner?
  – How often do they push new checks into production?
  – What is their source of new checks?
    • Qualys, Nessus, nCircle, IBM/ISS, etc.

Slide 55: Summary
• Basic VA/IDS Concepts
• Sources of Correlation Errors
• Multiple Vulnerability Scan Handling
• Under Emphasis of IDS events
• Operating System Based Correlation
• Why isn't Patch Auditing and Passive Network Data used more?
• IDS/IPS configuration based on Vulns
• Latent Scanner Handicaps
• Questions and comments

Slide 56: Questions?

Slide 57: Resources
• Tenable White Papers
  – Correlating IDS Alerts with Vulnerability Information
  – Security Event Management
  – Advanced Event Correlation Scripting
  – Blended Vulnerability Assessments
• Tenable Blog & Demos & Webinars
  – http://blog.tenablesecurity.com
  – http://www.tenablesecurity.com
    • Click "DEMOS" for Webinars & Product info
  – http://www.nessus.org

Slides 58-59: (no text)

Slide 60: Questions?
• Other question topics:
  – IDS evasion?
  – Scanner impact?
  – IPv6 and IDS/Scanners?
  – Configuration auditing and IDS events?
  – Testing for IDS vulnerabilities?
  – Host IDS logs and VA/IDS correlation?
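Worked example for the "Multiple Vulnerability Scans" and "Under Emphasis" slides, added here after the deck; it is not code from the presentation or from any Tenable product. It models what the slides call the cheap model (last scan wins, so a monthly SSH point scan "fixes" an FTP finding) next to a scope-aware merge that only closes a finding when the same host, port and check were actually re-tested, and it extends the lookup with a time dimension: if the IDS rule is newer than the last scan that ran the matching check on that host, the event is reported as STALE rather than de-emphasized. The host address, day numbers and plugin names (ftp_anon, ssh_old, ani, dns_rpc) are constructed placeholders, not real check IDs.

```python
from dataclasses import dataclass

VULNERABLE, NOT_VULNERABLE, UNKNOWN, STALE = "VULNERABLE", "NOT_VULNERABLE", "UNKNOWN", "STALE"


@dataclass(frozen=True)
class Scan:
    """One scan run. Only what was actually tested counts as coverage:
    hosts targeted, TCP ports probed, and the check IDs (plugins) that ran."""
    name: str
    day: int                 # day number on a constructed timeline
    hosts: frozenset
    ports: frozenset
    plugins: frozenset
    findings: frozenset      # (host, port, plugin) tuples that fired


class VulnState:
    """Scope-aware merge of successive scans plus a time-aware lookup."""

    def __init__(self):
        self.open = {}        # (host, port, plugin) -> day last confirmed
        self.coverage = {}    # (host, plugin) -> day that check last ran against that host

    def merge(self, scan):
        for host in scan.hosts:
            for plugin in scan.plugins:
                self.coverage[(host, plugin)] = scan.day
        for key in scan.findings:
            self.open[key] = scan.day
        # Close a finding only if this scan re-tested exactly that host, port and check
        # and came back clean. A point scan of SSH cannot "fix" an FTP finding.
        for key in list(self.open):
            host, port, plugin = key
            retested = host in scan.hosts and port in scan.ports and plugin in scan.plugins
            if retested and key not in scan.findings:
                del self.open[key]

    def correlate(self, host, port, plugin, rule_published_day):
        """Lookup for an IDS event whose rule was published on rule_published_day."""
        last_checked = self.coverage.get((host, plugin))
        if last_checked is None:
            return UNKNOWN       # never ran that check here: do not de-emphasize
        if last_checked < rule_published_day:
            return STALE         # IDS rule is newer than the last scan covering it
        return VULNERABLE if (host, port, plugin) in self.open else NOT_VULNERABLE


def naive_last_scan_wins(scans):
    """The slides' cheap model: whatever the most recent scan reported is the truth."""
    current = set()
    for scan in sorted(scans, key=lambda s: s.day):
        current = {k for k in current if k[0] not in scan.hosts} | set(scan.findings)
    return current


H = "10.0.0.9"   # constructed host; plugin names below are placeholders, not real check IDs

DEMO_SCANS = (
    Scan("Full Port Scan", day=1, hosts=frozenset({H}), ports=frozenset(range(1, 65536)),
         plugins=frozenset({"ftp_anon", "ssh_old", "ani"}),
         findings=frozenset({(H, 21, "ftp_anon"), (H, 22, "ssh_old")})),
    # Point scan: SSH only. It finds nothing, so ssh_old is genuinely closed,
    # but the FTP finding was never re-tested and must stay open.
    Scan("SSH Point Scan", day=10, hosts=frozenset({H}), ports=frozenset({22}),
         plugins=frozenset({"ssh_old"}), findings=frozenset()),
)


def build_demo_state():
    state = VulnState()
    for scan in DEMO_SCANS:
        state.merge(scan)
    return state


if __name__ == "__main__":
    state = build_demo_state()
    print("scope-aware open findings:", sorted(state.open))
    print("cheap model open findings:", sorted(naive_last_scan_wins(DEMO_SCANS)))
    print("ftp event   :", state.correlate(H, 21, "ftp_anon", rule_published_day=0))
    print("ssh event   :", state.correlate(H, 22, "ssh_old", rule_published_day=0))
    print("ani event   :", state.correlate(H, 445, "ani", rule_published_day=12))
    print("ms dns event:", state.correlate(H, 53, "dns_rpc", rule_published_day=15))
```

Two things to notice when running it. The cheap model ends the timeline with no open findings at all, because the SSH point scan replaced the full scan's results for the host. The scope-aware state keeps the FTP finding open, closes only the SSH finding, answers STALE for the ANI event (the check last ran on day 1, the rule appeared on day 12) and UNKNOWN for the MS DNS event (the check never ran on that host), which is the correct response to the question "when did you first scan for these?".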