litmus: a risk reduced alternative to honey pots
Andrew van der Stock, Senior Architect, e-secure (Secure in a networked world)

Upload: adele-holt

Post on 16-Dec-2015


litmus: a risk reduced alternative to honey pots

Andrew van der Stock
Senior Architect, e-secure
Secure in a networked world

Agenda

Introduction
10 reasons why honey pots suck
Demo of dtk vs s’kiddie
10 things you can do instead
Demo of litmus and snort vs s’kiddie

Introduction

Who is that fat bugger?
Where is Australia?
How does e-Secure fit into this talk?

Andrew van der Stock

Senior Security Architect
Cat slave and MCSE (NT/2K)
Contributor to various open source projects, such as NetBSD, XFree86 and pnm2ppa
Immediate Past SAGE-AU President
On auDA’s DNS Competition Panel

Where is Australia?

Who are e-Secure?

They employ me, and more importantly, they paid for me to be here
We are one of Australia’s largest specialist security consulting firms
We don’t sell product, and we are platform and vendor neutral
We have offices along the east coast of Australia

Why do I think you are here?

Most of you will have excellent ITIL security processes
All your hosts are patched and secure
Your internal staff are absolutely trustworthy
You have a large risk management group and an even larger security group, all of whom are extremely clueful and proactive
Your major risk is from unknown sources and you need to know when they occur

Nothing could be more wrong

Most organizations spend far too much on defending against the wrong risks
Some risks are over-hyped and get far too much press
Most (>95%) organizations are not even able to repeat a simple secure host installation, let alone trust their staff

What’s wrong with honey pots?

Greater security profile: if you can run almost every corporate network on three visible ports, why add more?
You don’t learn anything new
All software has defects: best practice says that software can only hope to have as few as one defect per 1 KLOC; normal code has 5-15 bugs per 1000 lines
dtk 0.9 has 14978 lines with comments, or 9279 lines without comments. Do the math

What’s wrong with honey pots?

The insurance model will not allow you to take unnecessary risks without a substantial increase in premium
Risk management says that honey pots increase risk for demonstrably invalid reasons
You can learn more by using better instrumentation

What’s wrong with honey pots?

The threat reality is that most attackers are morons and will attack with DoS if denied real access
Honey pots must be kept up to date but in general aren’t
Honey pots must act like the host operating system
Fix current problems rather than generating new ones

Demo: dtk vs. s’kiddie

Or why out of date software is useless

Risk Management 101

Or if everyone did the right thing, why would there still be so many vulnerable hosts?

Guess!

Too many hosts to secure

Most operating systems and network devices are insecure out of the box. This must change
Operating systems maintained by normal users must be set to take care of themselves by default
Growth of the net will be the single largest factor as to why there are so many vulnerable systems
It is unrealistic to assume that the net will ever be safe

Risk Management factors

Risk is determined by two factors, likelihood and impact (risk = likelihood × impact)

Risk Management

Large corporations use risk management to reduce risk to their operations
Risk management is not absolute and is not “every risk is eradicated”
Most likelihoods are subjective. Generally expressed as “once in every x years”
It is possible to determine likelihood (insurance companies do, for example), so you should try
Most impacts can be relatively accurately expressed in $ per incident. The dollar figure ranges from zero to millions
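As an added illustration (not from the talk), the slide's likelihood-times-impact model carried through in code: likelihoods stated as "once in every x years", impacts in $ per incident, and each risk placed in one of the three regimes of the risk model charts that follow (excess, self insuring, catastrophic). The two threshold figures and the sample risk register are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    once_every_years: float   # likelihood, stated as "once in every x years"
    cost_per_incident: float  # impact, in $ per incident

    def annual_expected_loss(self) -> float:
        """Likelihood x impact, annualised: $ per incident / years between incidents."""
        return self.cost_per_incident / self.once_every_years


def classify(risk: Risk, excess: float, self_insure_limit: float) -> str:
    """Place a risk in one of the three regimes of the risk model charts.

    excess:            incidents costing no more than this fall under the policy
                       excess and are always paid by you.
    self_insure_limit: largest single loss you choose to absorb yourself; anything
                       bigger is catastrophic and is what insurance is for.
    Both thresholds are assumed figures for this example, not from the talk.
    """
    if risk.cost_per_incident <= excess:
        return "excess"
    if risk.cost_per_incident <= self_insure_limit:
        return "self-insuring"
    return "catastrophic"


def rank(risks, excess: float, self_insure_limit: float):
    """(name, annual expected loss, regime) tuples, largest expected loss first."""
    rows = [(r.name, r.annual_expected_loss(), classify(r, excess, self_insure_limit))
            for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; every figure here is invented for the example.
SAMPLE = [
    Risk("web defacement by s'kiddie", once_every_years=0.5, cost_per_incident=5_000),
    Risk("internal fraud", once_every_years=3, cost_per_incident=250_000),
    Risk("data centre fire", once_every_years=50, cost_per_incident=10_000_000),
]

if __name__ == "__main__":
    for name, ale, regime in rank(SAMPLE, excess=10_000, self_insure_limit=1_000_000):
        print(f"{name:28} ${ale:>12,.0f} per year  {regime}")
```

The most frequent event, the defacement, has the lowest annual expected loss and sits under the excess, which is why insurance does not make such incidents go away; the rare fire is the only one worth transferring to an insurer.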

Risk model

(chart: cost of attack, $, against frequency of attack, f)

Risk model – excess

(chart: $ against f)

Risk model – self insuring

(chart: $ against f)

Risk model – catastrophic

(chart: $ against f)

Insurance 101

Or why insurance will not reduce famous defacements

Insurance – the SME experience

Small to medium enterprises (4-100 employees) make up the majority of all corporations
They will have little choice but to take out insurance products once they are developed
Sometimes, there will be “no insurance at any price” if certain things aren’t done (think GPS trackers for regularly stolen cars, and apply…)
The excess will still be there

Insurance – Mega Corps

In large corporations, insurance is a method to assign the risk of catastrophic events to another entity
Most large corporations are self insuring for most risks (for example, one of my clients simply pays for all car accidents; it’s just cheaper that way)
Most large corporations do not see the point in insuring an intangible risk such as a web defacement, but they might insure good will.

Threat models

Or why a s’kiddie is more of a threat than extremely well funded or knowledgeable attackers

Old thinking: external threats

Old thinking: Seasoned attacker with extreme skills will be attacking me every time
Reality #1: s’kiddies will launch zillions of RDS attacks at you, even though you might be running Solaris
Reality #2: your staff are much more of a risk than the s’kiddies of this world

Anatomy of a s’kiddie attack

(flow diagram) Collect tools, Attack victims, Tag & Brag

Anatomy of a gifted amateur attack

(flow diagram) Collect tools, Develop skills, Gather info, Attack victim

Anatomy of a strong attack

(flow diagram) Develop tools, Platform mastery, Identify targets, Gather info, Attack victim

Internet age threats

Real threats arise from people with motive
Most external attacks are simple, but not all
Most successful attacks are essentially internal fraud. Audit controls will help
It is nearly always easier to socially engineer from within than attack a system from without once minimum defenses are added

Intrusion Detection Systems

Are generally useless in most environments

Where does IDS fit?

IDS are useful as an additional layer of defense, no more
IDS are helpful when advanced attackers are attacking you with new attacks
Two major types today: network IDS (snort) and host IDS (AIDE, log watcher, etc)
Missing IDS type: application IDS. eEye’s SecureIIS might be a precursor, but has been proven flawed already
AZN-API is a useful new direction for authorization issues

Generic issues with IDS

It’s either an AI issue or yet another system that has to be monitored
Yet another set of logs that will be ignored
Too verbose? Not sensitive enough? Not enough eyes to monitor all your systems?
The “three cries and you’re out” problem: no one likes being woken up continuously at 3 am

Host IDS

Host based IDS perform a range of useful integrity tests, such as tracking file system changes
WinNT/2K: prefer auditing to tripwire (or maybe use both) – auditing is real time, and you know which user caused the event as they are doing it
Tripwire and AIDE are non-real time and only let you know something has happened after the fact
Commercial host IDS do way more than open source IDS today, but expect this to change soon

Network IDS

Usually has one or more interfaces in promiscuous mode – which makes them detectable in certain circumstances (see anti-sniff)
Useful to spot unusual traffic trends
Even with the fastest processors, most commercial and non-commercial network IDS cannot cope with > 100 Mb/s traffic
Good example: snort
Issue: useful only if you can monitor it and the alarms have been calibrated to suit your needs

Application IDS

Doesn’t exist … but should!
Requires the assistance of applications to really function correctly
Typical nascent example: eEye’s SecureIIS product. More of a shim than real protection
A good first start, except… there isn’t a general purpose API to implement this, and many product writers believe that they are writing secure software, so…

Where to deploy IDS

The typical place is in the DMZ or behind the firewall
There are too many lame attacks for IDS to be out in no man’s land
Much more useful to see those attacks that have penetrated your firewall or are in a sensitive network

Call to Action

Or what you can do to visibly improve your site’s security

Do the fundamentals first…

If you don’t do the basics, don’t bother with any form of honey pot or a real IDS, as you already have many fine examples in your production network
To prevent most s’kiddies, reduce your security profile
To prevent real loss, improve your security processes

Deter, Defend, Delay

Defense in depth
Deter: warning banners, low profile, high prosecution profile
Defend: keep up to date, install security helpers such as firewalls
Delay: keep the attacker from causing any lasting damage
Destroy: if you can identify your attacker in real life, if you’re big enough, you can cause real pain to them (i.e. deny service if you’re a telco)

Passive Defense

Traditional security mainstays: firewalls, bastion hosts, IDS, logs, deny all unless permitted
The above are necessary, nice and shiny, but insufficient to cope with modern security threats

Active Defense

Counterattack: at best, misguided. Breaking the law does not help you; it is illegal in most countries with infosec laws, and your ISP will dump you if they catch you
Intelligence gathering: worthwhile, but handle evidence properly
Prosecution: costly but worthwhile if the scumbag is in your jurisdiction AND you have enforceable infosec laws (see !Philippines)

The Top 10 things you can do

If you only do one of them, do the first one…

Keep up with patches

If your vendor ships an update to a known vulnerability, test it and patch your hosts
Nearly all scripted attacks can be warded off by this very simple measure
Even advanced attackers prefer to use known vulnerabilities rather than develop new ones

Automated Software Distribution

Without automated software distribution, you cannot look after your hosts in a time of crisis
Test any solution you put in, including OS upgrades (along with the requisite reboot)
Ensure that the distribution point(s) are secure, are controlled by you, and allow you to constrain what is deployed on your network (i.e. don’t update from a local Debian mirror blindly)

Business Recovery Planning

This encompasses many, many things, including disaster recovery plans and incident response
Thinking through a fully fledged BRP will help in times of real crisis
Include news media handling in the BRP if you are publicly traded or rely heavily on lots of customers
In a crisis where real damage is caused, you must keep your customers informed and allow them to report events to you in a timely fashion

Backups

Always have a recent backup
Always verify … there is no excuse
Keep off-sites
Practice restores diligently: use different tapes and drives to ensure that you have media compatibility

Constantly Improve Processes

Continuous improvement is the only acceptable option: if you use 1990 levels of security knowledge, you will be successfully attacked
Security is a continuous process of learning, mitigating and defending
When you learn something, incorporate it

Harden Critical Hosts

Adopt a router or switch today!
Most operating systems have various security postures out of the box or have third party guides to assist with lockdowns. Use them. Test the result
Come back and do it again next week. Repeat ad nauseam

Reduce Your Security Profile

Make as many DMZ or extranet hosts invisible to the Internet
For most corporations, only three ports need to be visible (tcp/25, tcp/80, udp/53)
Make a map of your network; you’d be surprised at the number of exceptions. Fix them!

Create a security policy

Adopt a security posture suitable for your line of business and business culture
Be reasonable about it – humans will work around any fascistic control you might think desirable
Use ISO 17799 as a guide
Once adopted, identify systems and processes at risk and fix them

Subscribe to security mailing lists

Not only to bugtraq, ntbugtraq, Win2kSecAdvice, but also to your vendor’s patch announcements
Most lists are a good source of new and upcoming vulnerabilities
Sometimes overwhelming in terms of volume and usefulness. Delegate someone to summarize each day

Counterattack when you can

The only legal active defense open to you is prosecution
Learn about forensic data preservation (you cannot prosecute without a strong chain of untampered evidence) and practice regularly. Fix those systems that are forensic-proof
When a s’kiddie or attacker really gets you, help law enforcement all the way. If you get a rep as a hard target with real consequences, hopefully more people will stay away. This can backfire (see US Military or Microsoft)

Note what wasn’t mentioned

No mention of IDS
IDS are really only suitable once you have a really top notch security environment and you want an additional layer of defense
Still better to spend money on self-repairing content checkers, backups, and other security items
An IDS in an immature environment is worse than the immature environment. It gives a false sense of security where none exists

litmus

Is simply a passive configuration of IP Filter, running under NetBSD, coupled to a log scanner for escalation
Portable to other operating systems which also use IP Filter (OpenBSD, FreeBSD, Solaris)
Since IP Filter is IPv6 native, so is litmus
Not promiscuous – harder to detect, particularly if you run it on hosts that actually have a function
Limited use – it’s only a litmus test
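The litmus idea in code, as an added example that is not the talk's or e-Secure's own litmus: an IP Filter rule set that exposes only the three ports from the Reduce Your Security Profile slide and logs every other inbound packet, plus a log scanner that escalates only once a single source has touched several closed ports. The interface name fxp0, the addresses, the escalation threshold and the ipmon line format are assumptions.

```python
# Added example, not the talk's litmus code. Assumed IP Filter rule set on the
# monitored host (interface fxp0 is an assumption): expose only the three ports
# from the "Reduce Your Security Profile" slide and log everything else:
#   pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state
#   pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
#   pass in quick on fxp0 proto udp from any to any port = 53 keep state
#   block in log quick on fxp0 all
# Sample lines below are constructed in the shape ipmon prints them
# (date time iface @group:rule action src,sport -> dst,dport PR proto ...).
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[0-9.]+),(?P<sport>\d+) -> (?P<dst>[0-9.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

def parse(line: str):
    """One ipmon line -> dict of fields, or None for a line in another shape."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def scan(lines, threshold: int = 3):
    """Escalation rule: report a source once it has hit `threshold` distinct
    blocked ports. One stray packet is noise; fan-out across closed ports is a
    probe. Passed traffic is the host's real job and is ignored."""
    touched = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "b":
            continue
        touched[rec["src"]].add(f'{rec["proto"]}/{rec["dport"]}')
    return {src: sorted(ports) for src, ports in touched.items()
            if len(ports) >= threshold}

# Constructed log; the 'p' line stands for a logged pass rule, to show it is skipped.
SAMPLE_LOG = """\
01/06/2001 03:12:01.120001 fxp0 @0:4 b 192.0.2.77,4011 -> 198.51.100.10,21 PR tcp len 20 60 -S IN
01/06/2001 03:12:01.180412 fxp0 @0:4 b 192.0.2.77,4012 -> 198.51.100.10,23 PR tcp len 20 60 -S IN
01/06/2001 03:12:01.233109 fxp0 @0:4 b 192.0.2.77,4013 -> 198.51.100.10,111 PR tcp len 20 60 -S IN
01/06/2001 03:12:02.000877 fxp0 @0:1 p 203.0.113.5,33000 -> 198.51.100.10,25 PR tcp len 20 60 -S IN
01/06/2001 03:12:05.500210 fxp0 @0:4 b 203.0.113.9,5353 -> 198.51.100.10,161 PR udp len 20 48 IN
"""

if __name__ == "__main__":
    for src, ports in scan(SAMPLE_LOG.splitlines()).items():
        print(f"escalate: {src} probed {', '.join(ports)}")
```

Because the host answers only on its real services and the filter is not promiscuous, the scanner sees exactly what the slide calls a litmus test: a source fanning out across ports that do not exist, with nothing extra exposed to attract it.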

Demo: litmus vs s’kiddie

Snort is better

Conclusion

Honey pots are never the right answer for any corporate network under any circumstance
Judicious use of various types of IDS can be used to some effect, but…
You must cover the fundamentals first or you will waste money on baubles

finis

Thanks for listening.

Questions?