litmus a risk reduced alternative to honey pots Andrew van der Stock Senior Architect esecure Secure in a networked world.
Download ReportTranscript litmus a risk reduced alternative to honey pots Andrew van der Stock Senior Architect esecure Secure in a networked world.
litmus a risk reduced alternative to honey pots Andrew van der Stock Senior Architect esecure Secure in a networked world Agenda Introduction 10 reasons why honey pots suck Demo of dtk vs s’kiddie 10 things you can do instead Demo of litmus and snort vs s’kiddie Introduction Who is that fat bugger? Where is Australia? How does e-Secure fit into this talk? Andrew van der Stock Senior Security Architect Cat slave and MCSE (NT/2K) Contributor to various open source projects, such as NetBSD, XFree86 and pnm2ppa Immediate Past SAGE-AU President On auDA’s DNS Competition Panel Where is Australia? Who are e-Secure? They employ me, and more importantly, they paid for me to be here We are one of Australia’s largest specialist security consulting firms We don’t sell product, and we are platform and vendor neutral We have offices along the east coast of Australia Why do I think you are here? Most of you will have excellent ITIL security processes All your hosts are patched and secure Your internal staff are absolutely trustworthy You have a large risk management group and an even larger security group, all of whom are extremely clueful and proactive Your major risk is from unknown sources and you need to know when they occur Nothing could be more wrong Most organizations spend far too much on defending against the wrong risks Some risks are over-hyped and get far too much press Most (>95%) organizations are not even able to repeat a simple secure host installation let alone trust their staff What’s wrong with honey pots? Greater security profile If you can run almost every corporate network on three visible ports, why add more? You don’t learn anything new All software has defects Best practice says that software can only hope to have as few as one defect per 1 KLOC Normal code has 5-15 bugs per 1000 lines dtk 0.9 has 14978 lines with comments, or 9279 lines without comments. Do the math What’s wrong with honey pots? The insurance model will not allow you to take unnecessary risks without a substantial increase in premium Risk management says that honey pots increase risk for demonstrably invalid reasons You can learn more by using better instrumentation What’s wrong with honey pots? The threat reality is that most attackers are morons and will attack with DoS if denied real access Honey pots must be kept up to date but in general aren’t Honey pots must act like the host operating system Fix current problems rather than generating new ones Demo: dtk vs. s’kiddie Or why out of date software is useless Risk Management 101 Or if everyone did the right thing, why would there still be so many vulnerable hosts? Guess! Too many hosts to secure Most operating systems and network devices are insecure out of the box This must change Operating systems maintained by normal users must be set to take care of themselves by default Growth of the net will be the single largest factor as to why there are so many vulnerable systems It is unrealistic to assume that the net will ever be safe Risk Management Risk 1 factors impact likelihood Risk Management Large corporations use risk management to reduce risk to their operations Risk management is not absolute and is not “every risk is eradicated” Most likelihoods are subjective Generally expressed as “once in every x years” It is possible to determine likelihood (insurance companies do, for example), so you should try Most impacts can be relatively accurately expressed in $ per incident The dollar figure ranges from zero to millions Risk model Cost of attack vs frequency of attack f $ Risk model – excess f $ Risk model – self insuring f $ Risk model – catastrophic f $ Insurance 101 Or why insurance will not reduce famous defacements Insurance – the SME experience Insurance – the SME experience Small to medium enterprises (4-100 employees) make up the majority of all corporations They will have little choice but to take out insurance products once they are developed Sometimes, there will be “no insurance at any price” if certain things aren’t done (think GPS trackers for regularly stolen cars, and apply…) The excess will still be there Insurance – Mega Corps In large corporations, insurance is a method to assign the risk of catastrophic events to another entity Most large corporations are self insuring for most risks (for example, one of my clients simply pays for all car accidents; it’s just cheaper that way) Most large corporations do not see the point in insuring an intangible risk such as a web defacement, but they might insure good will. Threat models Or why a s’kiddie is more of a threat than extremely well funded or knowledgeable attackers Old thinking: external threats Old thinking: Seasoned attacker with extreme skills will be attacking me every time Reality #1: s’kiddies will launch zillions of RDS attacks at you, even though you might be running Solaris Reality #2: your staff are much more of a risk than the s’kiddies of this world Anatomy of a s’kiddie attack Collect tools Tag & Brag Attack victims Anatomy of a gifted amateur attack Collect tools Develop skills Gather info Attack victim Anatomy of a strong attack Platform mastery Gather info Develop tools Identify targets Attack victim Internet age threats Real threats arise from people with motive Most external attacks are simple, but not all Most successful attacks are essentially internal fraud Audit controls will help It is nearly always easier to socially engineer from within than attack a system from without once minimum defenses are added Intrusion Detection Systems Are generally useless in most environments Where does IDS fit? IDS are useful as an additional layer of defense, no more IDS are helpful when advanced attackers are attacking you with new attacks Two major types today: network IDS (snort) and host IDS (AIDE, log watcher, etc) Missing IDS type: application IDS eEye’s SecureIIS might be a precursor, but has been proven flawed already AZN-API is a useful new direction for authorization issues Generic issues with IDS It’s either an AI issue or yet another system that has to be monitored Yet another set of logs that will be ignored Too verbose? Not sensitive enough? Not enough eyes to monitor all your systems? The “three cries and you’re out” problem No one likes being woken up continuously at 3 am Host IDS Host based IDS perform a range of useful integrity tests, such as tracking file system changes WinNT/2K: prefer auditing to tripwire (or maybe use both) – auditing is real time, and you know which user caused the event as they are doing it Tripwire and AIDE are non-real time and only let you know something has happened after the fact Commercial host IDS do way more than open source IDS today, but expect this to change soon Network IDS Usually has one or more interfaces in promiscuous mode – which makes them detectable in certain circumstances (see anti-sniff) Useful to spot unusual traffic trends Even with the fastest processors, most commercial and non-commercial network IDS cannot cope with > 100 Mb/s traffic Good example: snort Issue: useful only if you can monitor it and the alarms have been calibrated to suit your needs Application IDS Doesn’t exist … but should! Requires the assistance of applications to really function correctly Typical nascent example: eEye’s SecureIIS product More of a shim than real protection A good first start, except… There isn’t a general purpose API to implement this, and many product writers believe that they are writing secure software, so… Where to deploy IDS The typical place is in the DMZ or behind the firewall There’s too many lame attacks for IDS to be out in no man’s land Much more useful to see those attacks that have penetrated your firewall or are in a sensitive network Call to Action Or what you can do to visibly improve your site’s security Do the fundamentals first… If you don’t do the basics, don’t bother with any form of honey pot or a real IDS as you already have many fine examples in your production network To prevent most s’kiddies, reduce your security profile To prevent real loss, improve your security processes Deter, Defend, Delay Defense in depth Deter: warning banners, low profile, high prosecution profile Defend: keep up to date, install security helpers such as firewalls Delay: keep the attacker from causing any lasting damage Destroy: if you can identify your attacker in real life, if you’re big enough, you can cause real pain to them (ie deny service if you’re a telco) Passive Defense Traditional security mainstays: Firewalls Bastion hosts IDS Logs Deny all unless permitted The above are necessary, nice and shiny, but insufficient to cope with modern security threats Active Defense Counterattack Intelligence gathering At best – misguided. Breaking the law does not help you illegal in most countries with infosec laws your ISP will dump you if they catch you worthwhile but handle evidence properly Prosecution Costly but worthwhile if the scumbag is in your jurisdiction AND you have enforceable infosec laws (see !Philippines ) The Top 10 things you can do If you only do one of them, do the first one… Keep up with patches If your vendor ships an update to a known vulnerability, test it and patch your hosts Nearly all scripted attacks can be warded off by this very simple measure Even advanced attackers prefer to use known vulnerabilities rather than develop new ones Automated Software Distribution Without automated software distribution, you cannot look after your hosts in a time of crisis Test any solution you put in, including OS upgrades (along with the requisite reboot) Ensure that the distribution point(s) are secure, are controlled by you, and allow you to constrain what is deployed on your network ie, don’t update from a local Debian mirror blindly Business Recovery Planning This encompasses many, many things, including disaster recovery plans and incident response Thinking through a fully fledged BRP will help in times of real crisis Include news media handling in the BRP if you are publicly traded or rely heavily on lots of customers In a crisis where real damage is caused, you must keep your customers informed and allow them to report events to you in a timely fashion Backups Always have a recent backup Always verify … there is no excuse Keep off-sites Practice restores diligently use different tapes and drives to ensure that you have media compatibility Constantly Improve Processes Continuous improvement is the only acceptable option if you use 1990 levels of security knowledge, you will be successfully attacked Security is a continuous process of learning, mitigating and defending When you learn something, incorporate it Harden Critical Hosts Adopt a router or switch today! Most operating systems have various security postures out of the box or have third party guides to assist with lockdowns Use them Test the result Come back and do it again next week Repeat ad nauseam Reduce Your Security Profile Make as many DMZ or extranet hosts invisible to the Internet For most corporations, only three ports need to be visible (tcp/25, tcp/80, udp/53) Make a map of your network; you’d be surprised at the number of exceptions. Fix them! Create a security policy Adopt a security posture suitable for your line of business and business culture Be reasonable about it – humans will work around any fascistic control you might think desirable Use ISO 17799 as a guide Once adopted, identify systems and processes at risk and fix them Subscribe to security mailing lists Not only to bugtraq, ntbugtraq, Win2kSecAdvice, but also to your vendor’s patch announcements Most lists are a good source of new and upcoming vulnerabilities Sometimes overwhelming in terms of volume and usefulness Delegate someone to summarize each day Counterattack when you can The only legal active defense open to you is prosecution Learn about forensic data preservation (you cannot prosecute without a strong chain of untampered evidence) and practice regularly. Fix those systems that are forensic-proof When a s’kiddie or attacker really gets you, help law enforcement all the way. If you get a rep as a hard target with real consequences, hopefully more people will stay away This can backfire (see US Military or Microsoft) Note what wasn’t mentioned No mention of IDS IDS are really only suitable once you have a really top notch security environment and you want an additional layer of defense Still better to spend money on self-repairing content checkers, backups, and other security items An IDS in an immature environment is worse than the immature environment. It gives a false sense of security where none exists litmus Is simply a passive configuration of IP Filter, running under NetBSD coupled to a log scanner for escalation Portable to other operating systems who also use IP Filter (OpenBSD, FreeBSD, Solaris) Since IP Filter is IPv6 native, so is litmus Not promiscuous – harder to detect, particularly if you run it on hosts that actually have a function Limited use – it’s only a litmus test Demo: litmus vs s’kiddy Snort is better Conclusion Honey pots are never the right answer for any corporate network under any circumstance Judicious use of various types of IDS can be used to some effect, but… You must cover the fundamentals first or you will waste money on baubles finis Thanks for listening. Questions?