Download Era of Spybots - A Secure Design Solution Using

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
Document related concepts

Quantum key distribution wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Symantec wikipedia , lookup

Deep packet inspection wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Cyberattack wikipedia , lookup

Network tap wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Wireless security wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Unix security wikipedia , lookup

Mobile security wikipedia , lookup

Distributed firewall wikipedia , lookup

Computer security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Interested in learning
more about security?
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Era of Spybots - A Secure Design Solution Using
Intrusion Prevention Systems
This paper is presented in the form of a case study. It utilizes a fictitious company, GIAC Enterprises, a
growing small retail company whose clients span the nation. In early spring GIACE was compromised with the
Spybot worm which caused a business outage.
AD
Copyright SANS Institute
Author Retains Full Rights
.
hts
rig
ful
l
ins
eta
rr
tho
Au
Era of Spybots - A Secure Design Solution Using
08
,
Intrusion Prevention Systems
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
GCIH Gold Certification
te
Author: Siva Kumar
Accepted: September 2007
©
SA
NS
Ins
titu
Adviser: Richard Wanner
© SANS Institute 2008,
Author retains full rights.
hts
.
An Era of Spybots – A Secure Design Solution using Intrusion Prevention Systems
©
SA
NS
Ins
titu
te
20
08
,
Au
tho
rr
eta
ins
ful
l
rig
Introduction .............................................................................................................. 3
Environment................................................................................................................. 4
Figure 1: GIACE Infrastructure................................................................. 5
Attack Process .......................................................................................................... 6
Incident Handling Process................................................................................... 6
Preparation Phase:.................................................................................................. 7
Identification Phase: ........................................................................................... 8
Containment Phase:.................................................................................................. 9
Eradication Phase:................................................................................................ 11
Spybot Vulnerability Analysis .................................................................... 11
Recovery Phase: ...................................................................................................... 14
Lessons Learned Phase: ....................................................................................... 15
Tipping Point IPS Secure Design ................................................................ 17
Figure 2: GIACE Network Design............................................................... 19
Figure 3: GIACE Network Design - Detailed ....................................... 20
GIACE Infrastructure Secure Design.......................................................... 21
Physical layer:............................................................................................... 21
Datalink layer:............................................................................................... 21
Network Layer: ................................................................................................. 22
Transport Layer:............................................................................................. 23
Session
Layer:
.................................................................................................
24
Key fingerprint
= AF19 FA27
2F94 998D
FDB5 DE3D F8B5 06E4 A169 4E46
Presentation Layer: ...................................................................................... 24
Application Layer: ........................................................................................ 24
GIACE incident handling process ................................................................ 25
Conclusion................................................................................................................. 27
Reference................................................................................................................... 28
Appendix ..................................................................................................................... 30
Figure 4: IPS – Device Details............................................................... 31
Figure 5: IPS – Device configuration.................................................. 32
Figure 6: SMS – Attack Events................................................................. 33
Figure 7: Application Filter Search .................................................... 34
Figure 8: Sagevo - Apply Filter Settings ......................................... 35
Figure 9: Sagevo Filter – Action Set.................................................. 36
Figure 10: Filter Search for malicious virus................................. 37
Figure 11: Infrastructure protection settings............................... 38
Figure 12: Application Profile............................................................... 39
Figure 13: Reconnaissance Profile ........................................................ 40
© SANS Institute 2008,
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Introduction
ful
l
This paper is presented in the form of a case study. It
utilizes a fictitious company, GIAC Enterprises, a growing small
ins
retail company whose clients span the nation. In early spring
GIACE was compromised with the Spybot worm which caused a
eta
business outage.
rr
To assist with the remediation GIACE contracted a security
tho
consulting firm to investigate and propose a robust, secure
from similar future attacks.
Au
solution to mitigate these worms as well as protect the business
08
,
The security consulting team conducted a detailed incident
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
handling process. The following sections flows through all the
20
phases indicated in the PICERL methodology. The goal of the
security consulting team is to provide a secure design solution
©
SA
NS
Ins
titu
requirements.
te
for GIACE current and future needs meeting the corporate
Siva Kumar
© SANS Institute 2008,
3
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Environment
ful
l
The GIACE network infrastucture shown in figure-1 consists
of dual-homed data centers. Each data center has distribution
ins
layer routers facing the Internet traffic, trading partners via
a DMZ environment, core layer switches protecting sensitive
eta
business applications and a WAN layer to support all point to
point connections and retail connectivity. GIACE uses a
rr
combination of Checkpoint firewalls at the DMZ and the Cisco
tho
6509 chassis at the core layer. Most of the machines are
Au
workstations segmented based on their geographic location.
A full mesh topology was implemented to provide “High
08
,
Availability” functionality. The current infrastructure is also
20
Key fingerprint
= AF19 FA27
2F94 998D FDB5for
DE3Dfuture
F8B5 06E4
A169 4E46
a scalable
architecture
growth.
All workstation traffic is unrestricted between their
te
retail connections and the Internet. The GIACE workstations are
Ins
titu
Windows based systems running Symantec AV security client. GIACE
uses Radia to push updates to the workstation since the system
owners do not have administrative rights. Radia is a centralized
software downloader that installs workstations with new software
NS
applications, operating systems installations (service packs),
patches etc. This also helps to standardize workstations across
SA
diverse user community. GIACE had a Symantec AV client user
license agreement as part of their maintenance contract on all
©
workstations. This gives GIACE some form of security assurance.
Siva Kumar
© SANS Institute 2008,
4
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
©
SA
NS
Ins
titu
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Figure 1: GIACE Infrastructure
Siva Kumar
© SANS Institute 2008,
5
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Attack Process
In early spring the GIACE Help Desk Service Management
ful
l
application tracked a stream of workstation performance issues.
The IT operations team discovered that it was not an isolated
ins
system since new tickets with same issues were reported in other
eta
geographic locations.
The operations team also noted steady outbound traffic
rr
originating from the problem workstations on their DMZ firewalls
tho
on TCP ports 8555 and 2967 to specific destinations
204.138.154.20 and 54.163.146.74 at the network boundary. Backup
Au
firewall logs from previous months didn’t show any normal
activity on these ports or destinations. It was ascertained that
08
,
these workstations were in fact the point of focus. They noticed
Key fingerprint
2F94 998D
FDB5 DE3Dthe
F8B5same
06E4 A169
4E46
other= AF19
new FA27
systems
reporting
behavior.
It was quite
20
evident that there was a worm attack in progress and it was
te
unknown about the spread across other systems.
Ins
titu
Incident Handling Process
GIACE contracted an outside security consulting firm to
investigate the current attacks and counter measures for future
NS
attacks including their security infrastructure assessment. The
security consulting firm consisted of forensic experts,
SA
architects and incident handlers. They followed the SANS -
©
PICERL methodology in their incident handling process.
Siva Kumar
© SANS Institute 2008,
6
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Preparation Phase:
The consulting security firm formulated the team based on
ins
What (Data) – administrative privileges
ful
l
the six basic communication interrogatives (Zachman, 2007).
How (Function) - GIACE process flow – on call rotation
eta
Where (Network) – list of devices (firewalls, workstations)
Who (People) – GIACE organization structure
rr
When (Time) – time events
tho
Why (Motivation) – GIACE business Goals/Strategy
Au
The security team found several key issues. GIACE does not
have a formal incident handling team. They do have a problem
08
,
escalation process via their NOC (network operations center) –
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Operations – Engineering. The security team activated the
20
required team from the list of on-call rotation people. GIACE
also provided the necessary access to the critical peripheral
te
devices and access to the logs. The goal of the preparation
©
SA
NS
Ins
titu
phase is to get the team ready to handle incidents.
Siva Kumar
© SANS Institute 2008,
7
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Identification Phase:
ful
l
The goal of the identification phase is to gather events,
analyze them and determine whether there is an incident. The
ins
security team analyzed the firewall logs provided by GIACE,
setup sniffer traces between the affected hosts. They deployed
eta
snort sensors to capture additional data. Their analytical
process is again based on the following six criteria: (Zachman,
tho
rr
2007)
What (Data) – tcp dumps, snort deployment
Au
How (Function) - snort filter tools
Where (Network) – perimeter firewalls, workstations
08
,
Who (People) – on call person reports
Key fingerprint =When
AF19 FA27
2F94 998D
FDB5 DE3D
06E4 A169 4E46
(Time)
– attack
in F8B5
progress
20
Why (Motivation) – GIACE infrastructure analysis
Ins
titu
te
The coorelation yielded on the firewalls/workstation:
1. Defined range of ip-address on tcp port 2967 on DMZ
firewall logs.
2. A new NL.exe file creation on affected workstations
NS
3. Unknown domain connection to ftpd.3322.org
SA
4. Unusual higher bandwidth utilization causing network
performance issues.
©
5. Lowered security level on the Symantec Antivirus tool.
The above events, in particular the lowered security level
on the offended workstation when compared to a normal
Siva Kumar
© SANS Institute 2008,
8
Author retains full rights.
functioning workstation, suggested the possibility of a
rig
vulnerability related to the Symantec Antivirus tool.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
ful
l
The Security team further consulted the Symantec “Security
Response System” and identified that this port (tcp 2967) is
ins
being employed by a variant of Spybot (Detected by Symantec AV
eta
as W32.Sagevo.Worm) (Doherty, 2007).
Identification occurred at all three levels namely DMZ
rr
firewalls (network perimeter detection), IP address source range
tho
on work stations (host perimeter detection) and antivirus tools,
Au
shared access services (system level detection).
The security team declared that an incident has been
08
,
identified.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
te
20
Containment Phase:
The goal of the containment phase is to stop the bleeding,
Ins
titu
prevent the attacker from getting any deeper into the impacted
systems, or spreading to other systems. The security team
consulted with the GIACE legal team regarding the forensic
NS
analysis needed for the compromised workstations.
As a short term containment strategy it is decided to
SA
quarantine the affected workstations by moving them offline from
network. The users were notified via e-mail that the affected
©
systems will undergo routine maintenance. The workstations were
disconnected from their network connection activity. System hard
drives were duplicated for evidence.
Siva Kumar
© SANS Institute 2008,
They acquired review logs
9
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
of other periphery firewall devices to access the extent of the
rig
risk.
ful
l
As a long term containment strategy the security consulting
ins
team proposed the following actions:
1. Patch the systems. At the time of this incident a patch
eta
was available to the public at the Symantec. Since GIACE
does not have a formal incident response process a
rr
process break down and an oversight caused the spread of
tho
the worm.
Au
2. Filter TCP port 2967 inbound/outbound at the network
08
,
perimeter firewalls to ensure no unauthorized access.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Example:
20
deny tcp any any eq 2967 log
Ins
titu
processed
te
The logging provides additional details when the ACL is
3. Filter outgoing connections to 204.138.154.20 and
NS
54.163.146.74 at the network devices.
©
SA
Example:
deny ip any host 204.138.154.20
deny ip any host 54.163.146.74
The purpose of long term containment is to keep the
production up while building a clean system during eradication.
Siva Kumar
© SANS Institute 2008,
10
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Eradication Phase:
ful
l
The eradication phase is to get rid of the infected worm,
perform a vulnerability analysis and improve defense (protection
eta
ins
techniques, hardening systems etc).
The security team consulted with Symantec’s “Deep Site”
rr
Threat management System to perform a malware analysis and
Au
beyond the scope of this paper.
tho
shared their findings with GIACE. A detailed malware analysis is
08
,
Spybot Vulnerability Analysis
Key fingerprint =The
AF19W32.Sagevo
FA27 2F94 998Dworm
FDB5 DE3D
F8B5 06E4
A169 4E46
spreads
by exploiting
the Symantec
20
Antivirus Remote Stack Buffer Overflow Vulnerability (BID 18107)
te
over TCP port 2967. (Security Focus, 2007)
In the paper titled “Symantec Client Security Exploitation
Ins
titu
and Activity Alert”, Aaron I. Adams et al wrote:
“The symantec client security stack-based overflow
vulnerability associated with Spybot worm identified earlier
NS
occurs when handling data transmitted over TCP port 2967. The
precise issue occurs because of the erroneous use of the
SA
strncat() function. Specifically, the length of data copied
during the strncat() is dictated by the result of a subtraction
©
operation involving a static value minus the length of a usersupplied string. If the length of the string is greater than the
static value, the integer will wrap, causing an unbounded
Siva Kumar
© SANS Institute 2008,
11
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
strncat() to occur and memory to become corrupted as a result.
rig
The destination buffer is 0x180 bytes in size.
ful
l
The vulnerability is triggered using what is known as Type
10 messages, specifically when issuing the COM_FORWARD_LOG
(0x24) command. By supplying a backslash character within the
ins
exploit packet, an attacker can trigger the aforementioned
eta
strncat() code to be invoked.
rr
Upon triggering the bug, the attacker would be able to
trivially exploit the issue by either overwriting the command
tho
handler’s return address or a Structured Exception Handler
Au
Record, which would facilitate arbitrary code execution.
It appears that the exploit that is being used to leverage
08
,
this issue by Spybot variants and Sagevo is derived from the
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
same exploit base. The only differences are the exploit’s
payload, a bindshell for spybot and connect-back for Sagevo.”
te
(Adams, 2006)
Ins
titu
Symantec’s website provides the following technical details
regarding this spybot:
“ W32.Sagevo, when executed performs the following actions:
NS
1. Copies itself as the following file:
SA
%System%\wins\svchost.exe
©
2. Attempts to spread using the symantec client security
and symantec antivirus elevation of privilege (as
described in symantec advisory SYM06-010).
Siva Kumar
© SANS Institute 2008,
12
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
4.
ful
l
range of IP addresses on TCP port 2967.
rig
3. Creates 512 threads and then attempts to connect to a
Obtains the IP address of the compromised computer,
ins
generates an IP address, and attempts to infect the
eta
computer that has that address. The IP address is
generated according to the following algorithms:
If the IP address is 192.168.C.D, it starts with
rr
a.
tho
192.168.0.1.
b. If the IP address is 10.B.C.D, it starts with 10.0.0.1.
Au
c. If the IP address is not one of the above and the third
digit is greater than 11, it must be A.B.C.0. If the
08
,
third digit is less than 11, the address must be
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
A.B.0.0.
20
Example:
te
GIACE Infected workstation IP: 13.10.50.40
Ins
titu
Scan pattern: 13.10.40.40, 13.10.40.41, 13.10.40.42, ...,
13.10.41.1
5. Increment the 0 part of the IP address by 1, attempting
NS
to find and exploit other computers based on the new IP
©
SA
address, until it reaches 254. If the IP reaches
240.254.254.254, the worm restarts the infection
sequence with 10.0.0.0 again.
6. Drops the following .bat file and deletes itself:
Siva Kumar
© SANS Institute 2008,
13
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
%Temp%\NL[RANDOM].bat
ful
l
7. Downloads a .bat file from the server and executes it.
eta
ins
Eradication process recommended by Symantec:
Disable System Restore (Windows Me/XP).
2.
Update the virus definitions.
3.
Run a full system scan.
4.
Delete any values added to the registry.” (Doherty 2007)
Au
tho
rr
1.
08
,
The security team applied the appropriate patches on
infected workstations. The patches were downloaded from the
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
Symantec website: (proper license required)(Symantec support
te
site, 2007)
Ins
titu
Recovery Phase:
The goal of the recovery phase is to put back the impacted
systems back into production in a safe manner and validate the
NS
host systems that the worm has been eradicated.
SA
The security consultants deployed the quarantined
workstations that has been patched back into the production
©
network and ran test suites for an overall validation. The test
suite consisted of:
Siva Kumar
© SANS Institute 2008,
14
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
1. Business unit tests
rig
2. Functional test plans
3. Network traffic stress tests
ful
l
4. OS and application logs validation
ins
The security team also demonstrated that the patched
workstation may not be re-infected again by this worm. They
eta
created a custom signature to trigger on the original attack
vector utilizing the snort tool and proved that the system was
tho
availability to the user community.
rr
indeed hardened. The GIACE e-mail system announced the system
Au
As part of the lessons learned phase GIACE security
consulting evaluated the current network infrastructure and
08
,
proposed/demonstrated an IPS based solution.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
te
20
Lessons Learned Phase:
The goal of the lessons learned phase is to document what
Ins
titu
happened and improve the infrastructure capabilities for GIACE.
This phase will also focus on the GIACE processes, technology
road map and improved incident handling capabilities.
NS
The security consulting team prepared a formal Incident
SA
Response Report to the Senior Management after proper consensus.
©
The Report focused on
1.
Brief summary of the w32.sagevo virus exploitation.
2.
Activities of the security consulting team.
Siva Kumar
© SANS Institute 2008,
15
Author retains full rights.
Executive summary and recommendations.
As an extension to their executive summary and
rig
3.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
ful
l
recommendations the security consulting team proposed:
ins
1. An IPS based secure solution for GIACE.
2. Infrastructure security for GIACE.
rr
eta
3. A formal incident handling team/process.
tho
An IPS solution was proposed for the following reasons:
GIACE checkpoint DMZ firewalls were not capable of
Au
inspecting traffic beyond layer 3. There is always a possibility
of worm attack using well known ports for backdoor entry. The
08
,
stateful inspection firewall does not have the intelligence to
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
look into the data payload.
te
GIACE workstation installed Symantec anti-virus software is
isolated only to the workstations. They are signature driven and
Ins
titu
cannot protect from zero-day attacks or other denial of service
type attacks. GIACE is reliant on the RADIA application push for
new patches for individual workstations. An easy oversight may
cause a delay in updating the patch and can cause a virus
NS
outbreak which was the case with GIACE in this incident. There
SA
is also a separate administrative component involved.
An IDS may not be a viable solution. GIACE must spend the
©
time and resource to examine the reports generated, and
remediate virus/worm as necessary. There is also a time lag to
Siva Kumar
© SANS Institute 2008,
16
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
re-deploy the system and may include a network downtime for
rig
sensitive financial applications.
ful
l
A high-performance Intrusion Prevention System can function
as a virtual software patch, where host patches are not feasible
ins
or not applied. It protects vulnerable computers from a
compromise. An IPS proactively inspects all traffic through
eta
Layer 7 and blocks malicious traffic. An IPS is complimentary to
tho
Au
Tipping Point IPS Secure Design
rr
the existing network security systems. (Telechoice, 2006)
Figure-2 depicts the new infrastructure design proposed for
08
,
GIACE. The placement of the IPS design is a 2 tiered approach.
Key fingerprint
= AF19 FA27
2F94 998D
FDB5 DE3D
F8B5 06E4
4E46
The tier-1
device
placed
outside
the A169
firewall
is mainly focused
20
on the Internet traffic inbound and outbound.
te
The tier-2 IPS devices are deployed at the datacenter
Ins
titu
focused on both inbound and outbound traffic and for quarantine
purposes. They are also setup in (HA) high availability mode to
decrease the likelihood of interrupted GIACE traffic. With this
design the IPS devices are centrally located to encompass all
NS
the geographic sites of GIACE. It also cuts the operating costs
SA
in deploying at all divisions within GIACE individually.
The reasoning for a tier-1 IPS device outside the firewall
©
is to monitor the traffic which is dropped by the firewalls
provided they are tuned. This will assist in monitoring the
Internet traffic that targets GIACE proactively.
Siva Kumar
© SANS Institute 2008,
17
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Tier-2 IPS devices assist in coorelating the tier-1 IPS as
well as monitoring worm traffic that passed through the firewall
ful
l
using known ports.
ins
The inline design blends easily with the existing
infrastucture. Being a layer-2 (bump in the wire) device the IPS
eta
devices are easier to manage and there are no routing protocols
(MPLS, OSPF) configuration changes to the existing architecture
tho
rr
are needed.
A single vendor for all IPS devices is recommended because
Au
of centralized management, reduced interoperability issues and
08
,
lower maintenance/support costs.
Key fingerprint =Figure-3
AF19 FA27 2F94
998D FDB5
DE3D F8B5
06E4
A169 4E46
depicts
a single
IPS
device
which is cross
20
connected with the WAN layer routers via HSRP (Hot Standby
Routing Protocol). The fall back mode assures un-interrupted
te
production traffic and also uses the ZPHA (Zero Power High
Ins
titu
Availability). The architecture also allows for traffic
classification based on DSCP (Differentiated Services Code
Point) and complex rate shaping QOS (Quality of Service)
policies. The IPS devices operate at wire speed (gigabit)
NS
blocking malicious attacks with low latency.
SA
The proposed network infrastructure protects GIACE from
Spybot style worm attacks. A quarantine action is also put in
©
place in case of a similar incident in the future (Appendix).
Siva Kumar
© SANS Institute 2008,
18
Author retains full rights.
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
08
,
Au
tho
rr
eta
ins
ful
l
Figure 2: GIACE Network Design
©
SA
NS
Ins
titu
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Siva Kumar
© SANS Institute 2008,
19
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
Ins
titu
te
Figure 3: GIACE Network Design - Detailed
Siva Kumar
© SANS Institute 2008,
20
Author retains full rights.
hts
.
An Era of Spybots – A Secure Design Solution using Intrusion Prevention Systems
rig
GIACE Infrastructure Secure Design
The security team evaluated the existing infrastructure,
ful
l
identified areas of network security vulnerabilites and
recommended some best security practices for GIACE network in
eta
ins
addition to the IPS solution.
rr
Physical layer:
GIACE workstations were not following any security
tho
policies. Workstations were accessible by bystanders. The patch
panel/switch ports where the network connections are attached
08
,
Au
were also accessible in open.
The security team recommended using workstation locks for
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
individual owners as well as separate secure room/enclosure to
Ins
titu
Datalink layer:
te
access the patch panel.
GIACE workstation network connections were not properly
hardcoded to switch ports. Workstation owners were allowed to
NS
plug in to any open ports on the switch. This provided wider
security vulnerability for GIACE. GIACE often have third party
SA
vendors at their premise using their own laptops. Any
compromised laptop would easily infiltrate GIACE network if they
©
are connected to the available live switch ports.
The security team recommended MAC based security on the
switch ports. 802.1x is an IEEE standard for media access at
© SANS Institute 2008,
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
layer 2. GIACE current technology vendor supports 802.1x port
rig
based security and should be leveraged for layer 2 network
control. A NAC (Network Access Control) based solution further
ins
risk of network threats like worms and viruses.
ful
l
quarantines workstations that are not patched and lowers the
eta
Network Layer:
GIACE has vlan segmentation at the corporate level.
rr
Workstations in zone 1 also share the same vlan as zone 2
tho
workstations. This causes any virus outbreak to propagate within
the vlan. There was also no emergency acl to protect in case of
Au
an outbreak. There was no authentication for control routing
08
,
protocols.
Key fingerprint =The
AF19security
FA27 2F94 998D
FDB5
DE3D F8B5 06E4
A169 4E46
team
recommended
segmenting
further the GIACE
switches.
20
internal network by creating layer 2 segments in layer 3
Micro segmentation is a cost effective method to
te
harden the network against worms. Preparing emergency and roll
Ins
titu
back acl policies assist in containing worm outbreaks. Cisco IOS
ACLs and VLAN ACLs provide additional traffic filtering. For
routing between the aggregation switches and routers MD5
NS
authentication is recommended.
Example:
SA
router ospf 5
router-id 172.25.0.24
©
log-adjacency-changes
area 140 authentication message-digest
passive-interface default
Siva Kumar
© SANS Institute 2008,
22
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
no passive-interface Vlan81
rig
no passive-interface Vlan94
no passive-interface GigabitEthernet7/16
description ****GIACE financial****
rr
ip helper-address 172.25.148.18
eta
ip address 172.25.95.1 255.255.255.0
ins
interface Vlan75
ful
l
network 172.25.0.24 0.0.0.0 area 150
no ip redirects
Au
tho
ip ospf message-digest-key 1 md5 7 04521901583B54
GIACE infrastucture routers should utilize Loopback
08
,
interfaces for purpose of routing and security. The Loopback
should be sourced for NTP, AAA, logging etc.
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Example:
te
interface Loopback0
Ins
titu
ip address 172.25.0.24 255.255.255.255
no ip redirects
no ip unreachables
NS
no ip proxy-arp
SA
Transport Layer:
GIACE utilized firewalls only at the DMZ layer. Any syn
©
flood attacks originating from inside can easily compromise the
network. GIACE also were using the NTP (Network Time Protocol)
for logging but in-band.
Siva Kumar
© SANS Institute 2008,
23
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
The security team recommends a server layer firewall
approach utilizing the Cisco FWSM inline modules which can
ful
l
easily integrate into existing 6500 chassis. The firewall
service modules provide enhanced reliability and integrates
ins
firewall security inside the GIACE network infrastucture.
Network Time Protocol is essential for time-stamp accuracy for
eta
logging, because logs are polled under different devices
geographically. It is recommended that NTP traffic is carried
tho
rr
out of band management.
Au
Session Layer:
GIACE client-server connectivity still utilizes telnet
08
,
method of access. The security team recommends migrating from
te
Presentation Layer:
20
telnet
to FA27
SSH22F94
protocol
access
Key fingerprint
= AF19
998D FDB5for
DE3Dall
F8B5admin
06E4 A169
4E46 to GIACE servers.
Ins
titu
GIACE uses custom applications and most of them were outsourced.
There is no data encryption for the internal traffic. The
security team recommends data encryption as well data
compression if feasible. This enhances in prevention of data
NS
snooping or masquerading.
SA
Application Layer:
©
GIACE did not have a dedicated appliance like IPS to
mitigate worms/viruses. The current SNMP polling is in-band
using known community strings. The security team recommended an
Siva Kumar
© SANS Institute 2008,
24
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
in-line IPS solution with low latency. The SNMP traffic should
rig
be out-of band or on a dedicated vlan with private community
ful
l
strings.
ins
GIACE incident handling process
eta
GIACE is inadequately prepared for incidents of this type.
As preparation for future incidents, establishing a dedicated
rr
computer security incident response team (CSIRT) is recommended.
This team will provide rapid response and reduce future events
tho
and also establish performance standards.
The suggested members
could be the on-call person from a multi-disciplinary team
Au
including operations, network management, legal counsel, human
resources, disaster recovery / business continuity planning. The
08
,
security team proposed the following flow chart template for
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
Ins
titu
te
20
incident response process.
Siva Kumar
© SANS Institute 2008,
25
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
©
SA
NS
Ins
titu
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Siva Kumar
© SANS Institute 2008,
26
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Conclusion
ful
l
This document has attempted to show how any organization
can be vulnerable to a worm attack when there is a break in the
ins
process flow. It also demonstrates the SANS-PICERL methodology
eta
as the Incident Handling Process.
rr
The next section focuses on the Infrastucture secure design
using an Intrusion Prevention System. GIACE infrastructure is
tho
re-designed to deploy an IPS integrated secure solution. A
series of screen shots (Appendix) shows a TippingPoint
08
,
quarantine in the future.
Au
configuration template for spybot style virus that can block and
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
The next section focuses on general infrastructure design
20
focusing on the network security. The solution proposed overlays
te
using the existing vendor technology.
Ins
titu
An IPS is recommended for a long term strategic solution
for GIACE. The blended threat suppression approach provides a
proactive solution for future needs.
NS
This sort of architecture using in-line IPS can be used to
reduce the complexity, deployment costs, and maintenance costs
©
SA
of deploying individual network elements.
Siva Kumar
© SANS Institute 2008,
27
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
References
August 15, 2007, from sans.org. Web Site:
ins
http://www.sans.org/resources/policies
ful
l
The SANS Institute. Security Policy Project. Retrieved
eta
Northcutt, Stephen (2002). Network Intrusion Detection. SAMS
rr
Skoudis, Ed (2006). SANS Security 504: Hacker Techniques,
tho
Exploits and Incident Handling. SANS course
Au
Adams, Aaron et al(2006). Symantec Client Security Exploitation
and Activity Alert. Retrieved August 15, 2007, from
08
,
symantec.com. Web site: https://tms.symantec.com/
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
Doherty, Stephen (2007). W32.Sagevo – Symantec. Retrieved August
15, 2007, from symantec.com. Web site:
te
http://www.symantec.com/security_response/writeup.jsp?docid
Ins
titu
=2006-121309-3331-99&tabid=1
Cisco connection Online Retrieved August 15, 2007, from
cisco.com. Web site:
NS
http://www.cisco.com/en/US/netsol/ns731/networking_solution
s_solution.html
SA
Case for an IPS (2006). Retrieved August 15, 2007, from
©
telechoice.com. Web site:
http://www.telechoice.com/presentations/caseforips.pdf
Siva Kumar
© SANS Institute 2008,
28
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
Symantec support site (2007). The SYM06-010 patch for Symantec
rig
Client Security and Symantec AntiVirus. Retrieved August
15, 2007, from symantec.com. Web site:
ful
l
http://entsupport.symantec.com/docs/n2006052609181248
ins
Denial of Service and Distributed Denial of Service Protection.
Retrieved August 15, 2007, from tippingpoint.com. Web Site:
eta
http://www.tippingpoint.com/resources_whitepapers.html
tho
wikipedia.org. Web site:
rr
Zachman Architecture (2007), Retrieved August 15, 2007, from
Au
http://en.wikipedia.org/wiki/Zachman_framework
Security Focus, Symantec antivirus Remote stack buffer overflow
08
,
vulnerability. Retrieved August 15, 2007, from
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
securityfocus.com. Web site:
te
20
http://www.securityfocus.com/bid/18107
Irwin, Victoria (2004) RSA Conference paper, Retrieved August
Ins
titu
15, 2007, from rsaconference.com. Web site:
http://www.rsaconference.com/uploadedFiles/VirtualSoftwareP
NS
atch.pdf
Bejtlich, Richard (2005). Extrusion Detection: Security
SA
Monitoring for Internal Intrusions. Addison-Wesley
©
Professional.
Siva Kumar
© SANS Institute 2008,
29
Author retains full rights.
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
rig
Appendix
This section includes TippingPoint device configuration
ful
l
pertaining to the prevention of spybot style worm attacks. It
includes setting up profiles/filters, host level, SMS IPS level
ins
and monitoring functionalities. The configuration can be applied
either directly on the device or pushed via SMS (Security
eta
Management System). This SMS system consists of a Java based SMS
rr
client and SMS Server.
tho
The ease of use with configuration assists the
administrators a free choice of defining interfaces as trusted
Au
or untrusted. Also they have an option to scale their filter
08
,
settings across segments or traffic patterns. (Irwin, 2004)
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
TippingPoint IPS is focused on blocking exploitation of the
20
threats underlying these bots rather than the individual bots
themselves. The TippingPoint approach provides a much higher
te
level of protection. The first one, w32.sagevo, exploits the
Ins
titu
SYM06-010 vulnerability, which the IPS can detect and block with
custom filter 4463: SYMANTEC: AntiVirus Client Buffer Overflow.
The simple approach would be to enable this filter in Block
NS
and Notify, or configure a quarantine action to notify users
that they are infected. The second approach is a blended threat,
©
SA
and can exploit a number of vulnerabilities.
Siva Kumar
© SANS Institute 2008,
30
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
Ins
titu
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Figure 4: IPS – Device Details
NS
Using the SMS client the user can select the IPS device
that needs to be configured. The above screen shows the details
SA
of the IPS device – includes the digital vaccine release, TOS
©
version and an overall health check.
Siva Kumar
© SANS Institute 2008,
31
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Ins
titu
Figure 5: IPS – Device configuration
This screen shows how the network traffic can be segmented
for GIACE. It shows all interfaces can be logically selected as
©
SA
NS
internal or external.
Siva Kumar
© SANS Institute 2008,
32
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
Ins
titu
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Figure 6: SMS – Attack Events
The main interface window is shown above. By selecting the
events tab, a current snap shot of all activities for the pre-
NS
defined time period is displayed. The events screen provides
number of options for monitoring attack detection and response.
SA
Also categorizes attack levels. The name category shows the
predefined filter and shows the current types (eg block, enable
©
mode). It also provides the source/destination ports as attack
vector.
Siva Kumar
© SANS Institute 2008,
33
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Ins
titu
Figure 7: Application Filter Search
In the profiles tab an advanced search is performed.
“Symantec” is used as the filter specific info. This yields a
set of predefined available filters. By double clicking the
NS
“4463 – antivirus client buffer flow” filter more details are
©
SA
available regarding the vulnerability.
Siva Kumar
© SANS Institute 2008,
34
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Ins
titu
te
Figure 8: Sagevo - Apply Filter Settings
In the above screen shot shows a new filter named “sagevo”
being edited. This is the first step in the process of creating
©
SA
NS
a filter.
Siva Kumar
© SANS Institute 2008,
35
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
te
Figure 9: Sagevo Filter – Action Set
Ins
titu
A new filter profile “sagevo” is configured in the previous
action set. Block and Quarantine action is selected. It also
provides options to quarantine –eg a web page or a simple block
©
SA
NS
options.
Siva Kumar
© SANS Institute 2008,
36
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Ins
titu
Figure 10: Filter Search for malicious virus
The profiles tab (advanced search window pane) shows the
list of active predefined profiles and their state (Action set).
The filter specific criteria for “symantec” show a list of
The user
NS
defined filters, and current control measures taken.
©
SA
defined ruleset “Segavo” is listed and applied as enabled state.
Siva Kumar
© SANS Institute 2008,
37
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
Ins
titu
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Figure 11: Infrastructure protection settings
The Profiles tab and the infrastructure window pane shows
all the recommended filters with their corresponding severity
NS
level. Users have the option to activate or deactivate the
filters by checking the radio button. The security team enabled
©
SA
most common filter settings.
Siva Kumar
© SANS Institute 2008,
38
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
te
Figure 12: Application Profile
Ins
titu
The application filter profile shows a set of pre-defined
filter categories that defend against known and unknown
exploits. It shows a list of recommended filters for GIACE that
©
SA
NS
are currently in enabled state.
Siva Kumar
© SANS Institute 2008,
39
Author retains full rights.
08
,
Au
tho
rr
eta
ins
ful
l
rig
hts
.
An Era of Spybots - A Secure Solution using Intrusion Prevention Systems
te
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Ins
titu
Figure 13: Reconnaissance Profile
The reconnaissance filters include probes and scan sweeps.
The above screen shot shows the recommended reconnaissance
©
SA
NS
filter settings for GIACE.
Siva Kumar
© SANS Institute 2008,
40
Author retains full rights.
Last Updated: May 10th, 2017
Upcoming SANS Training
Click Here for a full list of all Upcoming SANS Events by Location
SANS Northern Virginia - Reston 2017
Reston, VAUS
May 21, 2017 - May 26, 2017
Live Event
SANS London May 2017
London, GB
May 22, 2017 - May 27, 2017
Live Event
SEC545: Cloud Security Architecture and Ops
Atlanta, GAUS
May 22, 2017 - May 26, 2017
Live Event
SANS Melbourne 2017
Melbourne, AU
May 22, 2017 - May 27, 2017
Live Event
SANS Madrid 2017
Madrid, ES
May 29, 2017 - Jun 03, 2017
Live Event
SANS Stockholm 2017
Stockholm, SE
May 29, 2017 - Jun 03, 2017
Live Event
SANS Atlanta 2017
Atlanta, GAUS
May 30, 2017 - Jun 04, 2017
Live Event
SANS Houston 2017
Houston, TXUS
Jun 05, 2017 - Jun 10, 2017
Live Event
Security Operations Center Summit & Training
Washington, DCUS
Jun 05, 2017 - Jun 12, 2017
Live Event
SANS San Francisco Summer 2017
San Francisco, CAUS
Jun 05, 2017 - Jun 10, 2017
Live Event
SANS Thailand 2017
Bangkok, TH
Jun 12, 2017 - Jun 30, 2017
Live Event
SANS Milan 2017
Milan, IT
Jun 12, 2017 - Jun 17, 2017
Live Event
SEC555: SIEM-Tactical Analytics
San Diego, CAUS
Jun 12, 2017 - Jun 17, 2017
Live Event
SANS Charlotte 2017
Charlotte, NCUS
Jun 12, 2017 - Jun 17, 2017
Live Event
SANS Secure Europe 2017
Amsterdam, NL
Jun 12, 2017 - Jun 20, 2017
Live Event
SANS Rocky Mountain 2017
Denver, COUS
Jun 12, 2017 - Jun 17, 2017
Live Event
SANS Minneapolis 2017
Minneapolis, MNUS
Jun 19, 2017 - Jun 24, 2017
Live Event
SANS Philippines 2017
Manila, PH
Jun 19, 2017 - Jun 24, 2017
Live Event
DFIR Summit & Training 2017
Austin, TXUS
Jun 22, 2017 - Jun 29, 2017
Live Event
SANS Columbia, MD 2017
Columbia, MDUS
Jun 26, 2017 - Jul 01, 2017
Live Event
SANS Paris 2017
Paris, FR
Jun 26, 2017 - Jul 01, 2017
Live Event
SANS Cyber Defence Canberra 2017
Canberra, AU
Jun 26, 2017 - Jul 08, 2017
Live Event
SEC564:Red Team Ops
San Diego, CAUS
Jun 29, 2017 - Jun 30, 2017
Live Event
SANS London July 2017
London, GB
Jul 03, 2017 - Jul 08, 2017
Live Event
Cyber Defence Japan 2017
Tokyo, JP
Jul 05, 2017 - Jul 15, 2017
Live Event
SANS Munich Summer 2017
Munich, DE
Jul 10, 2017 - Jul 15, 2017
Live Event
SANS ICS & Energy-Houston 2017
Houston, TXUS
Jul 10, 2017 - Jul 15, 2017
Live Event
SANS Los Angeles - Long Beach 2017
Long Beach, CAUS
Jul 10, 2017 - Jul 15, 2017
Live Event
SANS Cyber Defence Singapore 2017
Singapore, SG
Jul 10, 2017 - Jul 15, 2017
Live Event
SANSFIRE 2017
Washington, DCUS
Jul 22, 2017 - Jul 29, 2017
Live Event
Security Awareness Summit & Training 2017
Nashville, TNUS
Jul 31, 2017 - Aug 09, 2017
Live Event
SANS San Antonio Fall 2017
San Antonio, TXUS
Aug 06, 2017 - Aug 11, 2017
Live Event
SANS Zurich 2017
OnlineCH
May 15, 2017 - May 20, 2017
Live Event
SANS OnDemand
Books & MP3s OnlyUS
Anytime
Self Paced
Related documents
Instructor Rubric for Presentations
Instructor Rubric for Presentations
WWW Lab1
WWW Lab1
Document
Document
Tapeworm Diseases - AAP Red Book
Tapeworm Diseases - AAP Red Book
CFP - IEEE SMC 2017
CFP - IEEE SMC 2017
Mini EURO Conference on Operational Research in Computational
Mini EURO Conference on Operational Research in Computational
Slide 1 - AccessAnesthesiology
Slide 1 - AccessAnesthesiology
Third International Conference on Signal and Image Processing
Third International Conference on Signal and Image Processing
One Act Play Festival
One Act Play Festival
- AAP Red Book - American Academy of Pediatrics
- AAP Red Book - American Academy of Pediatrics