Detecting Penetration Testing: Ron Gula, SOURCE 2010
Post on 17-Dec-2015
TRANSCRIPT
WHY DETECT PENETRATION TESTERS?
John Dillinger from Public Enemies
Real intrusions have real responses
PENETRATION TESTING HAS POLITICAL RESPONSES
We protect customer data
Idiot Johnny, your password should be 25 characters
Working late again!
WE SHOULD BE DETECTING THIS ANYWAY, RIGHT?
snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.24:36493 -> 192.168.20.16:5800
snort[1578]: [1:2001743:8] ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 192.168.20.24:45379 -> 192.168.20.16:1025
snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.24:45896 -> 192.168.20.21:80
snort[1578]: [1:469:4] AUTHORIZED PENETRATION TEST [Classification: OK To Ignore, But Tell Your Boss] [Priority: 2]: {TCP} 192.168.20.24 -> 192.168.20.92
THERE ARE DIFFERENT TYPES OF PENETRATION TESTS
Web Attacker
SQL Injection rules guys!
Services Exploiter
No Way. I have a 0-day for Skype
No Tech Hacker
Screw you guys. I'm walking in.
WHAT ABOUT CLIENT SIDE PEN TESTS?
Test the browser security
Test the email client security
Test the web proxy security
Test the email spam security
See who clicks on links or opens hostile email
THE MYTHICAL GOD-LIKE PEN TESTER
Normal Computer
CPU stays the same
Packets are normal
No additional files
Communicates the same
Memory stays the same
Firewall logs the same
Configuration stays the same
Error logs stay the same
KNOW WHAT YOU CAN AND CAN’T MONITOR
• Packets • Netflow • NIDS Logs • Firewall Logs • NBAD
• Topology • Vulnerabilities • Patch Audits • Configurations • Host Security • Host Logs • Audit Trail
• Vulnerabilities • Application • Patch Audits • Configurations • Host security • File integrity • System and app logs • Audit Trail
• Authentication • Authorized systems • Normal apps/programs • Web proxy logs • Spam logs
KNOW HOW A COMPROMISED SYSTEM BEHAVES
• Packets • Netflow • NIDS Logs • Firewall Logs • NBAD
• Topology • Vulnerabilities • Patch Audits • Configurations • Host Security • Host Logs • Audit Trail
• Vulnerabilities • Application • Patch Audits • Configurations • Host security • File integrity • System and app logs • Audit Trail
• Authentication • Authorized systems • Normal apps/programs • Web proxy logs • Spam logs
• Firewall Deny • Blacklisted IPs • Spikes in traffic
• Illegal Hosts • Illegal Activity • New commands
• Modified files • High CPU • System errors • Illegal commands
• Access violations • New programs • Blacklisted sites
SIMPLE EXAMPLE – HTTP SERVER
Port 80 in. Nothing allowed out.
Port 22 in. Nothing allowed out.
No DNS. Web server jailed.
Use IPS/Proxy to stop 0-days. Monitor with NIDS/NBAD.
Look for outbound denied firewalls.
Watch for denies. SSH client attacks.
System errors. Illegal commands.
Unauthorized changes. File integrity.
PEN TESTING AND "REAL" INCIDENT DIFFERENCES
                                 Pen Test   Real Incident
Probability                      HIGH       LOW
Zero Day
Automation
Bumps into ACLs
Lack of tech knowledge
Unlimited time                              X
Long term access                            X
Foreign Country                             X
Real data exfiltration                      X
Data Destruction                            X
Lack of 'respect' for systems               X
Attack security systems                     X
WHAT DO WEB APP ATTACKS LOOK LIKE?
Web Attacker
SQL Injection rules guys!
Are you collecting any logs?
Can you tell an attack from a transaction?
Is your DBA watching things?
Will your NIDS/NBAD see anything?
What about your SIM?
WHAT DOES A NETWORK ATTACK LOOK LIKE?
Are you collecting any logs?
Can you tell an attack from a normal user?
Is your admin watching things?
Will your NIDS/NBAD see anything?
What about your SIM?
Services Exploiter
No Way. I have a 0-day for Skype
IT GOES ON AND ON !!!!
Attackers and penetration testers have a potential infinite supply of places to attack.
Hardening systems, reducing complexity and adding defenses reduces the attack points and lets you monitor for known outcomes.
Monitor for outcomes you must!
AUTOMATIC VULN SCANNING TOOL DETECTION
Experiment:
[1] Get a vuln scanner
[2] Scan your network
[3] Check your NIDS/SIM
Did we detect the scan?
What kind of logs do we make?
Can we rely on the NIDS vendors to detect scanners?
Does the same scanner scan the same all the time?
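An added example, not from the deck, that does step [3] of this experiment over the Snort alert lines shown on the WE SHOULD BE DETECTING THIS ANYWAY slide: it parses the fast-alert format, profiles each source by distinct rules hit, distinct targets and worst priority, and separates the sanctioned scanner box (an IP you supply; 192.168.20.24 is assumed here because it is the source in the slide's excerpt) from scanner-like sources nobody authorized. The last two sample alerts are constructed.

```python
import re
from collections import defaultdict

# Snort "fast" alert line as in the slide's syslog excerpt; ports are optional (ICMP).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[Classification: "
    r"(?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def summarize_sources(lines, authorized=()):
    """Per source IP: distinct rules hit, distinct targets, worst priority, and whether
    it looks like a scanner. `authorized` holds the sanctioned scanner/pen-test IPs."""
    per_src = defaultdict(lambda: {"sids": set(), "dsts": set(), "pri": 99})
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["sids"].add(rec["sid"])
        s["dsts"].add(rec["dst"])
        s["pri"] = min(s["pri"], int(rec["pri"]))
    return {
        src: {
            "signatures": len(s["sids"]),
            "targets": len(s["dsts"]),
            "priority": s["pri"],
            "authorized_test": src in authorized,
            # one host tripping several unrelated rules across several targets is a
            # scanner or pen-test tool at work, not a single exploit attempt
            "scanner_like": len(s["sids"]) >= 3 or len(s["dsts"]) >= 3,
        }
        for src, s in per_src.items()
    }

def unexpected_scanners(report):
    """Scanner-like sources that are not the sanctioned test box: these get paged on."""
    return sorted(s for s, r in report.items() if r["scanner_like"] and not r["authorized_test"])
SAMPLE_ALERTS = [  # first two are the slide's lines; the last two are constructed
    "snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.24:36493 -> 192.168.20.16:5800",
    "snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.24:45896 -> 192.168.20.21:80",
    "snort[1578]: [1:469:4] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.24 -> 192.168.20.92",
    "snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 10.1.1.5:50000 -> 192.168.20.21:80",
]
```

Run the same scan twice and diff the two reports to answer the last question on the slide: a scanner that trips a different rule set on each run is one your NIDS signatures only partly cover.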
PEN TESTING TOOL DETECTION
Experiment:
[1] Get a pen testing tool
[2] Hack your network
[3] Check your NIDS/SIM
What kind of logs do we make?
Can we rely on the NIDS vendors to detect pen testing?
Does the same pen tester hack the same all the time?
FILE AND SOCIAL TROLLING DETECTION
Experiment:
[1] Use low tech hacking
[2] Look for the goods
[3] Check your NIDS/SIM/DLP
What kind of logs do we make?
Can we rely on the NIDS vendors to detect file browsing?
Are the same users going to click around the same way all the time?
BEWARE OF FOCUSING ON JUST PEN TESTING TOOLS
Holy MD5 checksums Batman, the Joker is using a penetration testing tool on the Bat Computer!
The joke's on him, loyal friend, those tools only look for a few holes.
Wah, wah, wah. Not only do I have a custom exploit, it is encoded to get past the Bat IDS!
MESSING WITH THE PEN TESTERS WITH DNS
[root@megalon ~]# nslookup exchange.company.com
Server: 192.168.20.24
Address: 192.168.20.24#53
** server can't find exchange.company.com: NXDOMAIN
[root@megalon ~]# nslookup imap.company.com
Server: 192.168.20.24
Address: 192.168.20.24#53
Name: imap.company.com
Address: 192.168.20.23
Give DNS recon tools false information
Might have different ones inside vs. outside vs. location
Might use a SIM, IDS, etc. to "watch" the target IPs
Could use a SIM to watch DNS queries and logs for these domains
Goal – waste more time of a potential hacker than your real IT staff's
Where do these records point?
Who manages them in IT?
How often do you change them?
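An added example, not part of the deck, of the "use a SIM to watch DNS queries and logs for these domains" idea: it reads BIND-style query-log lines (constructed, in both the classic and the newer client-string formats), records which clients resolve decoy names such as the slide's exchange.company.com, and flags clients that touch more than one decoy. The decoy list, the client addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# BIND query-log line, classic form and the newer "client @0x... ip#port (name)" form.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[\d.]+)#\d+.*?: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Decoy names nothing legitimate ever resolves; the slide's exchange.company.com
# (an NXDOMAIN in the nslookup output) is this kind of name. Assumed list.
DECOYS = {"exchange.company.com", "vpn-old.company.com"}

def parse_query(line):
    """Return (client_ip, qname, qtype) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")

def decoy_hits(lines, decoys=DECOYS):
    """Map each client IP to the set of decoy names it asked for."""
    hits = defaultdict(set)
    for line in lines:
        q = parse_query(line)
        if q and q[1] in decoys:
            hits[q[0]].add(q[1])
    return dict(hits)

def suspects(lines, decoys=DECOYS, threshold=2):
    """Clients that resolved at least `threshold` distinct decoys: one decoy
    lookup may be a typo, several in a row is name enumeration."""
    return sorted(ip for ip, names in decoy_hits(lines, decoys).items()
                  if len(names) >= threshold)

SAMPLE_QUERIES = [  # constructed query-log lines
    "client 192.168.20.30#36493: query: exchange.company.com IN A + (192.168.20.30)",
    "client 192.168.20.30#36494: query: imap.company.com IN A + (192.168.20.30)",
    "client 192.168.20.30#36495: query: vpn-old.company.com IN A + (192.168.20.30)",
    "client @0x7f3c4c0a 192.168.20.50#51234 (imap.company.com): query: imap.company.com IN A +E(0)K (192.168.20.50)",
    "client 192.168.20.77#40001: query: exchange.company.com. IN A + (192.168.20.77)",
]
```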
MESSING WITH THE PEN TESTERS WITH DNS
Slow Down DNS responses
Hopefully only slow down answers for stuff that isn't live
Need very specialized DNS servers; does not need to be core servers
Try to make the pen testers waste their time
DNS is really reliable – can you convince your IT staff to mess with it?
If an attacker knows your IP addresses, this doesn't help
This could slow down an insider pen tester
MAKE FOOTHOLDS SLOW AND HARD TO USE
Make them work harder to leverage any compromised target
Exploits work, but we're leveraging that the attacker does not know our defenses
Need to have a process to investigate false positives
Reverse shells, phone homes, etc. prevented by ACL in network
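An added example, not from the deck, covering the jailed HTTP server on the SIMPLE EXAMPLE slide (ports 80 and 22 in, nothing out, no DNS) and this slide's "reverse shells and phone homes prevented by ACL": it parses kernel iptables LOG lines (constructed; 192.168.20.21 is assumed as the web server because it is the web target in the earlier Snort excerpt), classifies each deny against that policy, and ranks outbound attempts from the jailed host first, since those are the denies the slide says to look for. The FW-DENY log prefix and the port policy are assumptions.

```python
import re

# Fields of a kernel iptables LOG line (SRC=, DST=, PROTO=, SPT=, DPT=, IN=, OUT=).
KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|IN|OUT)=(\S*)")

SERVER_IP = "192.168.20.21"   # assumed: the jailed web server
ALLOWED_IN = {80, 22}         # the only inbound services the slide permits

def parse_fw_line(line):
    """Return the LOG fields as a dict, or None for lines that are not firewall logs."""
    f = dict(KV_RE.findall(line))
    if "SRC" not in f or "DST" not in f:
        return None
    for k in ("SPT", "DPT"):
        f[k] = int(f[k]) if f.get(k) else None
    return f

def classify_deny(f, server_ip=SERVER_IP):
    """Map one denied packet to the outcome the slide says to watch for."""
    if f["SRC"] == server_ip:
        # A jailed web server never initiates connections, so any outbound deny is
        # a phone-home or reverse shell attempt until proven otherwise.
        return "outbound-dns-from-jailed-host" if f["DPT"] == 53 else "outbound-from-jailed-host"
    if f["DST"] == server_ip and f["DPT"] not in ALLOWED_IN:
        return "inbound-to-closed-port"   # scanning or service exploit attempts
    return "other"

SEVERITY = {"outbound-from-jailed-host": 1, "outbound-dns-from-jailed-host": 2,
            "inbound-to-closed-port": 3, "other": 4}

def review_denies(lines, server_ip=SERVER_IP):
    """Parse, classify and rank denied packets, most alarming first."""
    findings = []
    for line in lines:
        f = parse_fw_line(line)
        if f is None:
            continue
        kind = classify_deny(f, server_ip)
        findings.append((SEVERITY[kind], kind, f["SRC"], f["DST"], f["DPT"]))
    return sorted(findings, key=lambda t: t[:2])

SAMPLE_LOG = [  # constructed; "FW-DENY" is an assumed LOG prefix
    "kernel: FW-DENY IN=eth0 OUT= SRC=192.168.20.24 DST=192.168.20.16 PROTO=TCP SPT=45379 DPT=1025 SYN",
    "kernel: FW-DENY IN= OUT=eth0 SRC=192.168.20.21 DST=198.51.100.7 PROTO=TCP SPT=43210 DPT=4444 SYN",
    "kernel: FW-DENY IN=eth0 OUT= SRC=192.168.20.24 DST=192.168.20.21 PROTO=TCP SPT=36493 DPT=5800 SYN",
    "kernel: FW-DENY IN= OUT=eth0 SRC=192.168.20.21 DST=192.168.20.1 PROTO=UDP SPT=51000 DPT=53",
    "sshd[22]: Accepted publickey for deploy from 192.168.20.9 port 50120 ssh2",
]
```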
MAKE FOOTHOLDS SLOW AND HARD TO USE
Make them work harder to leverage any compromised target
Most IT organizations are OK with proxies and packet shapers
Are they hooked up to your SIM or NBAD and part of your monitoring?
Proxies prevent some tunneling.
Packet shapers can slow access.
MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS
Force them to think – and less likely be a botnet
Are you looking for these exploits to begin with?
Does your SIM chain together these types of attacks?
Web Apache attack
SQL attack to Unix DB
Client side SSH exploit
IMAP Exchange Exploit
Pen testers pride themselves on doing this.
Wait a second!
Aren't you the guy who's been talking about compliance, repeatable builds and monocultures?
MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS
Force them to think – and less likely be a botnet
Are you looking for these exploits to begin with?
Does your SIM chain together these types of attacks?
Web IIS attack
SQL attack to Unix DB
Client side RDP exploit
IMAP Exchange Exploit
Pen testers pride themselves on doing this.
USE DYNAMIC NAC TO LIMIT INTERNAL ACCESS
Kick them off the network while generating alerts
NAC can block hosts by MAC address, authentication & activity
Are NAC logs something sent to your SIM?
• Most people think of NAC as a dead market
• NAC is alive and well in your switch vendor
Stewie getting his MAC address kicked off the net
HONEYPOTS AND DECOYS
Let them eat cake fake servers!
Honeypots can add complexity to your network
Every packet to a honeypot is not an attacker
Have you configured "honeypot" analysis in your SIM, NBAD or IDS?
Firewall or IPS responds
"Real" Honeypots
Honeypot target
Real server, Honeypot service
Interactive Honeypot
"Imaginary" Honeypots
Network
Servers
Desktop
Honeypot
ENGAGE THE ATTACKERS
Attack the attackers
"Hack back" is illegal in lots of places
You could be playing with fire.
This truly is security through obscurity.
Launch DOS attacks against attackers
Viruses in honeypot office files
ZIP bombs in files obtained
Very large fake password files
Fake chat logs that have fake account info
Hook chargen up to services
Host hidden porn. Monitor for access.
Host fake network diagrams
Replace common commands.
HOW MUCH OF THIS DO YOU TELL AUDIT?
They might be impressed
They might be confused
They might totally out you!
CONCLUSIONS
• Detecting real attacks and penetration testing is very similar
• We should be good enough to detect intrusions AND differentiate between a “pen test” and a “real attack”
• If we don’t have access to the logs, vulns, packets, etc we can’t do either