Download Covert Channels: A Primer for Security Professionals

Covert Channels
A Primer for Security Professionals
Erik Couture
GIAC GSEC GCIH GCIA
March 2011
SANS Technology Institute - Candidate for Master of Science Degree
1
Definition and Origin
• 3 types of info hiding
– Cryptography - Make message unreadable
– Stegonography - Hide the message in another message
– Metaferography - Hide the message in the carrier
• Easy to design, hard to detect
SANS Technology Institute - Candidate for Master of Science Degree
2
Covert Channels
• Clever misuse of
network protocols
• Nearly undetectable
• Not all that common
“They’ll never
see me coming!”
SANS Technology Institute - Candidate for Master of Science Degree
3
How it is done
• Modulate either:
– the channel’s characteristics
– the content
• Do it without:
– breaking protocol standards
– making it look anomalous
SANS Technology Institute - Candidate for Master of Science Degree
4
ICMP
• ‘Unspecified’ amount of data can be attached
• Sometime blocked inbounds, rarely outbound
• Ptunnel, Loki, 007Shell, Hans, more…
What a PING looks like.
What a “PING” can look like..
SANS Technology Institute - Candidate for Master of Science Degree
5
DNS
• Generally allowed through network protective devices
• http://Dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com
• OzymanDSN, MSTX, dns2tcp
SANS Technology Institute - Candidate for Master of Science Degree
6
Future Threats
• IPv6
– v00d00N3t - fully featured ICMPv6 covert channel
• Application Layer
– VoIP, mail, file transfer
• Layer 2
– 802.11, ARP
• Using CCs to break out of software sandboxes
SANS Technology Institute - Candidate for Master of Science Degree
7
CC Design Considerations
• Ease of detection
• Ease of implementation
• Carrier availability
• Bandwidth
• Reliability
SANS Technology Institute - Candidate for Master of Science Degree
8
Defensive practices
• Firewall
– Block outgoing ICMP
– Block DNS queries other then from internal proxy
• Snort rules
– Spotting known signatures
• alert udp any any -> any 53 (content:"|00 00 29 10 00 00 00 80 00 00 00|".....
– Exploit specific, as these things are
• Anomaly Detection
– Spot unusual spikes in of DNS traffic on port 53
– Frequent, oversized DNS TXT records
– Any anomalous behavior (How hard is that?!)
SANS Technology Institute - Candidate for Master of Science Degree
9
Defensive R&D
• Statistical Analysis
– Proven to work in theory
• Active Wardens
– Full scan and rewrite of traffic
– Resource intensive
SANS Technology Institute - Candidate for Master of Science Degree
10
The Threat
• Cyber Criminals - (financial data)
• Cyber-warriors - (political/military)
• Corporate espionage - (IP theft)
• Hacktivists - (idealism)
• Individual Hackers - (fame/thrill)
• Spammers - (ad distribution)
SANS Technology Institute - Candidate for Master of Science Degree
11
Hypothetical
‘Smart’ Covert Channel
• STUXNET- like scenario
– High value target
– Motivated and resourced attacker
• Built in recon ability
• Protocol flexibility
• Low and slow
• Virtually Undetectable
SANS Technology Institute - Candidate for Master of Science Degree
12
Why not more common?
• Benefits vs limitations
• ‘Signal to Noise Ratio’
High
Covertness
Low
Low
Throughput
High
SANS Technology Institute - Candidate for Master of Science Degree
13
For Good not Evil?
• Can allow oppressed people to
get through Government
firewalls/filters
• Back to the volume dilemma
SANS Technology Institute - Candidate for Master of Science Degree
14
Summary
• Covert Channels are:
– the death of perimeter security?
– not inconceivable, but not a high priority for most
• Whatever to do?
– Focus on the fundamentals and “low hanging…”
– Perform and execute defense in depth, in line with your
Threat/Risk Assessment and SANS ‘20 Critical Security Controls’
References and more?
Please see my paper is in the SANS Reading room:
www.sans.org/reading_room/whitepapers/detection/covert-channels_33413
SANS Technology Institute - Candidate for Master of Science Degree
15