litmus: a risk-reduced alternative to honey pots
Andrew van der Stock
Senior Architect, e-Secure
Secure in a networked world
Agenda
- Introduction
- 10 reasons why honey pots suck
- Demo of dtk vs s’kiddie
- 10 things you can do instead
- Demo of litmus and snort vs s’kiddie
Andrew van der Stock
- Senior Security Architect
- Cat slave and MCSE (NT/2K)
- Contributor to various open source projects, such as NetBSD, XFree86 and pnm2ppa
- Immediate Past SAGE-AU President
- On auDA’s DNS Competition Panel
Who are e-Secure?
- They employ me, and more importantly, they paid for me to be here
- We are one of Australia’s largest specialist security consulting firms
- We don’t sell product, and we are platform and vendor neutral
- We have offices along the east coast of Australia
Why do I think you are here?
- Most of you will have excellent ITIL security processes
- All your hosts are patched and secure
- Your internal staff are absolutely trustworthy
- You have a large risk management group and an even larger security group, all of whom are extremely clueful and proactive
- Your major risk is from unknown sources and you need to know when they occur
Nothing could be more wrong
- Most organizations spend far too much on defending against the wrong risks
- Some risks are over-hyped and get far too much press
- Most (>95%) organizations are not even able to repeat a simple secure host installation, let alone trust their staff
What’s wrong with honey pots?
- Greater security profile
  - If you can run almost every corporate network on three visible ports, why add more?
- You don’t learn anything new
- All software has defects
  - Best practice says that software can only hope to have as few as one defect per 1 KLOC
  - Normal code has 5-15 bugs per 1000 lines
  - dtk 0.9 has 14978 lines with comments, or 9279 lines without comments. Do the math
What’s wrong with honey pots?
- The insurance model will not allow you to take unnecessary risks without a substantial increase in premium
- Risk management says that honey pots increase risk for demonstrably invalid reasons
- You can learn more by using better instrumentation
What’s wrong with honey pots?
- The threat reality is that most attackers are morons and will attack with DoS if denied real access
- Honey pots must be kept up to date but in general aren’t
- Honey pots must act like the host operating system
- Fix current problems rather than generating new ones
Risk Management 101
Or if everyone did the right thing, why would there still be so many vulnerable hosts?
Too many hosts to secure
- Most operating systems and network devices are insecure out of the box
  - This must change
  - Operating systems maintained by normal users must be set to take care of themselves by default
- Growth of the net will be the single largest factor as to why there are so many vulnerable systems
- It is unrealistic to assume that the net will ever be safe
Risk Management
- Large corporations use risk management to reduce risk to their operations
- Risk management is not absolute and is not “every risk is eradicated”
- Most likelihoods are subjective
  - Generally expressed as “once in every x years”
  - It is possible to determine likelihood (insurance companies do, for example), so you should try
- Most impacts can be relatively accurately expressed in $ per incident
  - The dollar figure ranges from zero to millions
Insurance – the SME experience
- Small to medium enterprises (4-100 employees) make up the majority of all corporations
- They will have little choice but to take out insurance products once they are developed
- Sometimes, there will be “no insurance at any price” if certain things aren’t done (think GPS trackers for regularly stolen cars, and apply…)
- The excess will still be there
Insurance – Mega Corps
- In large corporations, insurance is a method to assign the risk of catastrophic events to another entity
- Most large corporations are self-insuring for most risks (for example, one of my clients simply pays for all car accidents; it’s just cheaper that way)
- Most large corporations do not see the point in insuring an intangible risk such as a web defacement, but they might insure good will.
Threat models
Or why a s’kiddie is more of a threat than extremely well funded or knowledgeable attackers
Old thinking: external threats
- Old thinking: Seasoned attacker with extreme skills will be attacking me every time
- Reality #1: s’kiddies will launch zillions of RDS attacks at you, even though you might be running Solaris
- Reality #2: your staff are much more of a risk than the s’kiddies of this world
Internet age threats
- Real threats arise from people with motive
- Most external attacks are simple, but not all
- Most successful attacks are essentially internal fraud
  - Audit controls will help
- It is nearly always easier to socially engineer from within than attack a system from without once minimum defenses are added
Where does IDS fit?
- IDS are useful as an additional layer of defense, no more
- IDS are helpful when advanced attackers are attacking you with new attacks
- Two major types today: network IDS (snort) and host IDS (AIDE, log watcher, etc)
- Missing IDS type: application IDS
  - eEye’s SecureIIS might be a precursor, but has been proven flawed already
  - AZN-API is a useful new direction for authorization issues
Generic issues with IDS
- It’s either an AI issue or yet another system that has to be monitored
- Yet another set of logs that will be ignored
  - Too verbose? Not sensitive enough? Not enough eyes to monitor all your systems?
- The “three cries and you’re out” problem
  - No one likes being woken up continuously at 3 am
Host IDS
- Host based IDS perform a range of useful integrity tests, such as tracking file system changes
- WinNT/2K: prefer auditing to tripwire (or maybe use both) – auditing is real time, and you know which user caused the event as they are doing it
- Tripwire and AIDE are non-real time and only let you know something has happened after the fact
- Commercial host IDS do way more than open source IDS today, but expect this to change soon
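The file-system integrity test this slide describes, as an added example (not code from the talk, nor from Tripwire or AIDE): take a baseline of digests, sizes and permission bits, take a second snapshot later, and report what was added, removed or changed. The tampered directory tree it builds is constructed inline for the demonstration. Note what the output does not contain: which user made the change, or when, which is exactly the after-the-fact limitation the slide contrasts with real-time auditing.

```python
"""Baseline-and-compare file integrity check in the style of Tripwire/AIDE.

Added illustration, not Tripwire's or AIDE's code. Records a SHA-256 digest,
size and permission bits for every regular file under a directory and diffs
two snapshots. Like the tools it imitates it is after-the-fact: it reports
that a change happened, not who made it.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    digest: str   # hex SHA-256 of the file contents
    size: int     # bytes
    mode: int     # permission bits only, e.g. 0o644


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Entry]:
    """Walk root and record every regular file, keyed by slash-separated relative path."""
    manifest: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = Entry(_digest(full), st.st_size, stat.S_IMODE(st.st_mode))
    return manifest


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Return sorted lists of added, removed and changed paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree (constructed data), baseline it, alter it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "motd"), "w") as fh:
            fh.write("welcome\n")
        before = snapshot(root)

        # Simulated changes since the baseline: a line appended to passwd,
        # the banner deleted, and an unexpected file dropped into the root.
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "motd"))
        with open(os.path.join(root, "unexpected_binary"), "w") as fh:
            fh.write("#!/bin/sh\n")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest must itself be stored somewhere the monitored host cannot rewrite (read-only media or another host), otherwise an intruder who can change files can also change the baseline.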
Network IDS
- Usually has one or more interfaces in promiscuous mode – which makes them detectable in certain circumstances (see anti-sniff)
- Useful to spot unusual traffic trends
- Even with the fastest processors, most commercial and non-commercial network IDS cannot cope with > 100 Mb/s traffic
- Good example: snort
- Issue: useful only if you can monitor it and the alarms have been calibrated to suit your needs
Application IDS
- Doesn’t exist … but should!
- Requires the assistance of applications to really function correctly
- Typical nascent example: eEye’s SecureIIS product
  - More of a shim than real protection
  - A good first start, except…
- There isn’t a general purpose API to implement this, and many product writers believe that they are writing secure software, so…
Where to deploy IDS
- The typical place is in the DMZ or behind the firewall
- There are too many lame attacks for IDS to be out in no man’s land
- Much more useful to see those attacks that have penetrated your firewall or are in a sensitive network
Do the fundamentals first…
- If you don’t do the basics, don’t bother with any form of honey pot or a real IDS, as you already have many fine examples in your production network
- To prevent most s’kiddies, reduce your security profile
- To prevent real loss, improve your security processes
Deter, Defend, Delay
- Defense in depth
- Deter: warning banners, low profile, high prosecution profile
- Defend: keep up to date, install security helpers such as firewalls
- Delay: keep the attacker from causing any lasting damage
- Destroy: if you can identify your attacker in real life, if you’re big enough, you can cause real pain to them (ie deny service if you’re a telco)
Passive Defense
- Traditional security mainstays:
  - Firewalls
  - Bastion hosts
  - IDS
  - Logs
  - Deny all unless permitted
- The above are necessary, nice and shiny, but insufficient to cope with modern security threats
Active Defense
- Counterattack
  - At best – misguided. Breaking the law does not help you
  - Illegal in most countries with infosec laws
  - Your ISP will dump you if they catch you
- Intelligence gathering
  - Worthwhile, but handle evidence properly
- Prosecution
  - Costly but worthwhile if the scumbag is in your jurisdiction AND you have enforceable infosec laws (see !Philippines)
Keep up with patches
- If your vendor ships an update to a known vulnerability, test it and patch your hosts
- Nearly all scripted attacks can be warded off by this very simple measure
- Even advanced attackers prefer to use known vulnerabilities rather than develop new ones
Automated Software Distribution
- Without automated software distribution, you cannot look after your hosts in a time of crisis
- Test any solution you put in, including OS upgrades (along with the requisite reboot)
- Ensure that the distribution point(s) are secure, are controlled by you, and allow you to constrain what is deployed on your network
  - ie, don’t update from a local Debian mirror blindly
Business Recovery Planning
- This encompasses many, many things, including disaster recovery plans and incident response
- Thinking through a fully fledged BRP will help in times of real crisis
- Include news media handling in the BRP if you are publicly traded or rely heavily on lots of customers
- In a crisis where real damage is caused, you must keep your customers informed and allow them to report events to you in a timely fashion
Backups
- Always have a recent backup
- Always verify … there is no excuse
- Keep off-sites
- Practice restores diligently
  - Use different tapes and drives to ensure that you have media compatibility
Constantly Improve Processes
- Continuous improvement is the only acceptable option
  - If you use 1990 levels of security knowledge, you will be successfully attacked
- Security is a continuous process of learning, mitigating and defending
- When you learn something, incorporate it
Harden Critical Hosts
- Adopt a router or switch today!
- Most operating systems have various security postures out of the box or have third party guides to assist with lockdowns
  - Use them
  - Test the result
  - Come back and do it again next week
  - Repeat ad nauseam
Reduce Your Security Profile
- Make as many DMZ or extranet hosts as possible invisible to the Internet
- For most corporations, only three ports need to be visible (tcp/25, tcp/80, udp/53)
- Make a map of your network; you’d be surprised at the number of exceptions. Fix them!
Create a security policy
- Adopt a security posture suitable for your line of business and business culture
- Be reasonable about it – humans will work around any fascistic control you might think desirable
- Use ISO 17799 as a guide
- Once adopted, identify systems and processes at risk and fix them
Subscribe to security mailing lists
- Not only to bugtraq, ntbugtraq, Win2kSecAdvice, but also to your vendor’s patch announcements
- Most lists are a good source of new and upcoming vulnerabilities
- Sometimes overwhelming in terms of volume and usefulness
  - Delegate someone to summarize each day
Counterattack when you can
- The only legal active defense open to you is prosecution
- Learn about forensic data preservation (you cannot prosecute without a strong chain of untampered evidence) and practice regularly. Fix those systems that are forensic-proof
- When a s’kiddie or attacker really gets you, help law enforcement all the way. If you get a rep as a hard target with real consequences, hopefully more people will stay away
  - This can backfire (see US Military or Microsoft)
Note what wasn’t mentioned
- No mention of IDS
- IDS are really only suitable once you have a really top notch security environment and you want an additional layer of defense
- Still better to spend money on self-repairing content checkers, backups, and other security items
- An IDS in an immature environment is worse than the immature environment. It gives a false sense of security where none exists
litmus
- Is simply a passive configuration of IP Filter, running under NetBSD, coupled to a log scanner for escalation
- Portable to other operating systems which also use IP Filter (OpenBSD, FreeBSD, Solaris)
- Since IP Filter is IPv6 native, so is litmus
- Not promiscuous – harder to detect, particularly if you run it on hosts that actually have a function
- Limited use – it’s only a litmus test
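The litmus approach, as an added example that is not litmus’s own ruleset or scanner: an IP Filter configuration that passes only the three ports from the “Reduce Your Security Profile” slide (tcp/25, tcp/80, udp/53) and logs everything it blocks, plus a scanner over the resulting ipmon-style log that decides when blocked traffic from one source deserves escalation. Because nothing listens on the blocked ports, there is no extra daemon code to carry defects and no promiscuous interface to detect; the firewall log itself is the litmus paper. The interface name, the log-line layout (an approximation of ipmon’s output), the escalation thresholds and the sample log lines are all assumptions made for this illustration.

```python
"""Litmus-style escalation over IP Filter block logs (added example, not litmus's code).

Assumed ipf.conf for the monitored host (interface name and wording are assumptions):

    block in log all
    pass in log quick on le0 proto tcp from any to any port = 25 flags S keep state
    pass in log quick on le0 proto tcp from any to any port = 80 flags S keep state
    pass in log quick on le0 proto udp from any to any port = 53 keep state

Everything not matched by a pass rule falls through to the block and is logged.
A blocked packet aimed at an advertised port is itself interesting: with
"flags S" only a bare SYN creates state, so a blocked FIN/NULL/ACK to port 25
never belonged to a real session.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Approximation of ipmon's line layout (assumed):
# DD/MM/YYYY HH:MM:SS.ffffff iface @group:rule action src,sport -> dst,dport PR proto len hl tl [-flags] IN
LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) "
    r"@(?P<rule>\d+:\d+) (?P<action>[bp]) (?P<src>\S+),(?P<sport>\d+) -> "
    r"(?P<dst>\S+),(?P<dport>\d+) PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-\S+))?"
)

VISIBLE_PORTS: Set[Tuple[str, int]] = {("tcp", 25), ("tcp", 80), ("udp", 53)}

# Constructed sample log: a port sweep, one legitimate SMTP connection,
# one isolated probe, and a non-SYN packet to the advertised SMTP port.
SAMPLE_LOG = """\
18/06/2001 03:12:01.100000 le0 @0:1 b 203.0.113.7,4021 -> 198.51.100.10,21 PR tcp len 20 60 -S IN
18/06/2001 03:12:01.200000 le0 @0:1 b 203.0.113.7,4022 -> 198.51.100.10,23 PR tcp len 20 60 -S IN
18/06/2001 03:12:01.300000 le0 @0:1 b 203.0.113.7,4023 -> 198.51.100.10,111 PR tcp len 20 60 -S IN
18/06/2001 03:12:01.400000 le0 @0:1 b 203.0.113.7,4024 -> 198.51.100.10,139 PR tcp len 20 60 -S IN
18/06/2001 03:12:01.500000 le0 @0:1 b 203.0.113.7,4025 -> 198.51.100.10,443 PR tcp len 20 60 -S IN
18/06/2001 03:12:02.000000 le0 @0:2 p 192.0.2.44,33011 -> 198.51.100.10,25 PR tcp len 20 60 -S IN
18/06/2001 03:15:40.000000 le0 @0:1 b 192.0.2.9,1234 -> 198.51.100.10,1433 PR tcp len 20 60 -S IN
18/06/2001 03:16:00.000000 le0 @0:1 b 192.0.2.200,40001 -> 198.51.100.10,25 PR tcp len 20 40 -F IN
"""


class Event(NamedTuple):
    ts: datetime
    action: str      # "b" blocked, "p" passed
    src: str
    dport: int
    proto: str
    flags: str       # e.g. "-S", or "" for protocols without flags


def parse(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S.%f")
    return Event(ts, m["action"], m["src"], int(m["dport"]), m["proto"], m["flags"] or "")


def max_distinct_ports(evs: List[Event], window: float) -> int:
    """Largest number of distinct destination ports one source hit within any window (seconds)."""
    counts: Counter = Counter()
    best = left = 0
    for right, e in enumerate(evs):
        counts[e.dport] += 1
        while (e.ts - evs[left].ts).total_seconds() > window:
            counts[evs[left].dport] -= 1
            if counts[evs[left].dport] == 0:
                del counts[evs[left].dport]
            left += 1
        best = max(best, len(counts))
    return best


def scan(lines: List[str], visible: Set[Tuple[str, int]], window: float = 60,
         notify_at: int = 3, page_at: int = 5) -> Dict[str, Tuple[str, str]]:
    """Map each source that was blocked to (level, reason); thresholds are assumptions."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is not None and ev.action == "b":
            by_src[ev.src].append(ev)
    verdicts: Dict[str, Tuple[str, str]] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        peak = max_distinct_ports(evs, window)
        odd = [e for e in evs if (e.proto, e.dport) in visible]
        if peak >= page_at:
            verdicts[src] = ("page", f"{peak} distinct closed ports within {window}s: port sweep")
        elif odd:
            e = odd[0]
            verdicts[src] = ("notify", f"blocked {e.proto} packet to advertised port {e.dport} (flags {e.flags})")
        elif peak >= notify_at:
            verdicts[src] = ("notify", f"{peak} distinct closed ports within {window}s")
        else:
            verdicts[src] = ("ignore", "isolated probe, background noise")
    return verdicts


if __name__ == "__main__":
    for src, (level, reason) in scan(SAMPLE_LOG.splitlines(), VISIBLE_PORTS).items():
        print(f"{level:6s} {src:14s} {reason}")
```

The escalation tiers are where the calibration the network-IDS slide asks for happens: a single blocked SYN is the everyday noise a s’kiddie generates and should not wake anyone at 3 am, a sweep across several closed ports is worth a page, and anything blocked on a port you deliberately advertise is worth a look because the pass rule should have taken it. The scanner only ever reads a log the firewall already writes, which is the whole point of the approach.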
Conclusion
- Honey pots are never the right answer for any corporate network under any circumstance
- Judicious use of various types of IDS can be used to some effect, but…
- You must cover the fundamentals first or you will waste money on baubles