* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Era of Spybots - A Secure Design Solution Using
Survey
Document related concepts
Quantum key distribution wikipedia , lookup
Next-Generation Secure Computing Base wikipedia , lookup
Deep packet inspection wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Cyberattack wikipedia , lookup
Network tap wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Wireless security wikipedia , lookup
Post-quantum cryptography wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Unix security wikipedia , lookup
Mobile security wikipedia , lookup
Distributed firewall wikipedia , lookup
Computer security wikipedia , lookup
Transcript
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Era of Spybots - A Secure Design Solution Using Intrusion Prevention Systems This paper is presented in the form of a case study. It utilizes a fictitious company, GIAC Enterprises, a growing small retail company whose clients span the nation. In early spring GIACE was compromised with the Spybot worm which caused a business outage. AD Copyright SANS Institute Author Retains Full Rights . hts rig ful l ins eta rr tho Au Era of Spybots - A Secure Design Solution Using 08 , Intrusion Prevention Systems 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 GCIH Gold Certification te Author: Siva Kumar Accepted: September 2007 © SA NS Ins titu Adviser: Richard Wanner © SANS Institute 2008, Author retains full rights. hts . An Era of Spybots – A Secure Design Solution using Intrusion Prevention Systems © SA NS Ins titu te 20 08 , Au tho rr eta ins ful l rig Introduction .............................................................................................................. 3 Environment................................................................................................................. 4 Figure 1: GIACE Infrastructure................................................................. 5 Attack Process .......................................................................................................... 6 Incident Handling Process................................................................................... 6 Preparation Phase:.................................................................................................. 7 Identification Phase: ........................................................................................... 8 Containment Phase:.................................................................................................. 9 Eradication Phase:................................................................................................ 11 Spybot Vulnerability Analysis .................................................................... 11 Recovery Phase: ...................................................................................................... 14 Lessons Learned Phase: ....................................................................................... 15 Tipping Point IPS Secure Design ................................................................ 17 Figure 2: GIACE Network Design............................................................... 19 Figure 3: GIACE Network Design - Detailed ....................................... 20 GIACE Infrastructure Secure Design.......................................................... 21 Physical layer:............................................................................................... 21 Datalink layer:............................................................................................... 21 Network Layer: ................................................................................................. 22 Transport Layer:............................................................................................. 23 Session Layer: ................................................................................................. 24 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Presentation Layer: ...................................................................................... 24 Application Layer: ........................................................................................ 24 GIACE incident handling process ................................................................ 25 Conclusion................................................................................................................. 27 Reference................................................................................................................... 28 Appendix ..................................................................................................................... 30 Figure 4: IPS – Device Details............................................................... 31 Figure 5: IPS – Device configuration.................................................. 32 Figure 6: SMS – Attack Events................................................................. 33 Figure 7: Application Filter Search .................................................... 34 Figure 8: Sagevo - Apply Filter Settings ......................................... 35 Figure 9: Sagevo Filter – Action Set.................................................. 36 Figure 10: Filter Search for malicious virus................................. 37 Figure 11: Infrastructure protection settings............................... 38 Figure 12: Application Profile............................................................... 39 Figure 13: Reconnaissance Profile ........................................................ 40 © SANS Institute 2008, Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Introduction ful l This paper is presented in the form of a case study. It utilizes a fictitious company, GIAC Enterprises, a growing small ins retail company whose clients span the nation. In early spring GIACE was compromised with the Spybot worm which caused a eta business outage. rr To assist with the remediation GIACE contracted a security tho consulting firm to investigate and propose a robust, secure from similar future attacks. Au solution to mitigate these worms as well as protect the business 08 , The security consulting team conducted a detailed incident Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 handling process. The following sections flows through all the 20 phases indicated in the PICERL methodology. The goal of the security consulting team is to provide a secure design solution © SA NS Ins titu requirements. te for GIACE current and future needs meeting the corporate Siva Kumar © SANS Institute 2008, 3 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Environment ful l The GIACE network infrastucture shown in figure-1 consists of dual-homed data centers. Each data center has distribution ins layer routers facing the Internet traffic, trading partners via a DMZ environment, core layer switches protecting sensitive eta business applications and a WAN layer to support all point to point connections and retail connectivity. GIACE uses a rr combination of Checkpoint firewalls at the DMZ and the Cisco tho 6509 chassis at the core layer. Most of the machines are Au workstations segmented based on their geographic location. A full mesh topology was implemented to provide “High 08 , Availability” functionality. The current infrastructure is also 20 Key fingerprint = AF19 FA27 2F94 998D FDB5for DE3Dfuture F8B5 06E4 A169 4E46 a scalable architecture growth. All workstation traffic is unrestricted between their te retail connections and the Internet. The GIACE workstations are Ins titu Windows based systems running Symantec AV security client. GIACE uses Radia to push updates to the workstation since the system owners do not have administrative rights. Radia is a centralized software downloader that installs workstations with new software NS applications, operating systems installations (service packs), patches etc. This also helps to standardize workstations across SA diverse user community. GIACE had a Symantec AV client user license agreement as part of their maintenance contract on all © workstations. This gives GIACE some form of security assurance. Siva Kumar © SANS Institute 2008, 4 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems © SA NS Ins titu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Figure 1: GIACE Infrastructure Siva Kumar © SANS Institute 2008, 5 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Attack Process In early spring the GIACE Help Desk Service Management ful l application tracked a stream of workstation performance issues. The IT operations team discovered that it was not an isolated ins system since new tickets with same issues were reported in other eta geographic locations. The operations team also noted steady outbound traffic rr originating from the problem workstations on their DMZ firewalls tho on TCP ports 8555 and 2967 to specific destinations 204.138.154.20 and 54.163.146.74 at the network boundary. Backup Au firewall logs from previous months didn’t show any normal activity on these ports or destinations. It was ascertained that 08 , these workstations were in fact the point of focus. They noticed Key fingerprint 2F94 998D FDB5 DE3Dthe F8B5same 06E4 A169 4E46 other= AF19 new FA27 systems reporting behavior. It was quite 20 evident that there was a worm attack in progress and it was te unknown about the spread across other systems. Ins titu Incident Handling Process GIACE contracted an outside security consulting firm to investigate the current attacks and counter measures for future NS attacks including their security infrastructure assessment. The security consulting firm consisted of forensic experts, SA architects and incident handlers. They followed the SANS - © PICERL methodology in their incident handling process. Siva Kumar © SANS Institute 2008, 6 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Preparation Phase: The consulting security firm formulated the team based on ins What (Data) – administrative privileges ful l the six basic communication interrogatives (Zachman, 2007). How (Function) - GIACE process flow – on call rotation eta Where (Network) – list of devices (firewalls, workstations) Who (People) – GIACE organization structure rr When (Time) – time events tho Why (Motivation) – GIACE business Goals/Strategy Au The security team found several key issues. GIACE does not have a formal incident handling team. They do have a problem 08 , escalation process via their NOC (network operations center) – Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Operations – Engineering. The security team activated the 20 required team from the list of on-call rotation people. GIACE also provided the necessary access to the critical peripheral te devices and access to the logs. The goal of the preparation © SA NS Ins titu phase is to get the team ready to handle incidents. Siva Kumar © SANS Institute 2008, 7 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Identification Phase: ful l The goal of the identification phase is to gather events, analyze them and determine whether there is an incident. The ins security team analyzed the firewall logs provided by GIACE, setup sniffer traces between the affected hosts. They deployed eta snort sensors to capture additional data. Their analytical process is again based on the following six criteria: (Zachman, tho rr 2007) What (Data) – tcp dumps, snort deployment Au How (Function) - snort filter tools Where (Network) – perimeter firewalls, workstations 08 , Who (People) – on call person reports Key fingerprint =When AF19 FA27 2F94 998D FDB5 DE3D 06E4 A169 4E46 (Time) – attack in F8B5 progress 20 Why (Motivation) – GIACE infrastructure analysis Ins titu te The coorelation yielded on the firewalls/workstation: 1. Defined range of ip-address on tcp port 2967 on DMZ firewall logs. 2. A new NL.exe file creation on affected workstations NS 3. Unknown domain connection to ftpd.3322.org SA 4. Unusual higher bandwidth utilization causing network performance issues. © 5. Lowered security level on the Symantec Antivirus tool. The above events, in particular the lowered security level on the offended workstation when compared to a normal Siva Kumar © SANS Institute 2008, 8 Author retains full rights. functioning workstation, suggested the possibility of a rig vulnerability related to the Symantec Antivirus tool. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems ful l The Security team further consulted the Symantec “Security Response System” and identified that this port (tcp 2967) is ins being employed by a variant of Spybot (Detected by Symantec AV eta as W32.Sagevo.Worm) (Doherty, 2007). Identification occurred at all three levels namely DMZ rr firewalls (network perimeter detection), IP address source range tho on work stations (host perimeter detection) and antivirus tools, Au shared access services (system level detection). The security team declared that an incident has been 08 , identified. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 te 20 Containment Phase: The goal of the containment phase is to stop the bleeding, Ins titu prevent the attacker from getting any deeper into the impacted systems, or spreading to other systems. The security team consulted with the GIACE legal team regarding the forensic NS analysis needed for the compromised workstations. As a short term containment strategy it is decided to SA quarantine the affected workstations by moving them offline from network. The users were notified via e-mail that the affected © systems will undergo routine maintenance. The workstations were disconnected from their network connection activity. System hard drives were duplicated for evidence. Siva Kumar © SANS Institute 2008, They acquired review logs 9 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems of other periphery firewall devices to access the extent of the rig risk. ful l As a long term containment strategy the security consulting ins team proposed the following actions: 1. Patch the systems. At the time of this incident a patch eta was available to the public at the Symantec. Since GIACE does not have a formal incident response process a rr process break down and an oversight caused the spread of tho the worm. Au 2. Filter TCP port 2967 inbound/outbound at the network 08 , perimeter firewalls to ensure no unauthorized access. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Example: 20 deny tcp any any eq 2967 log Ins titu processed te The logging provides additional details when the ACL is 3. Filter outgoing connections to 204.138.154.20 and NS 54.163.146.74 at the network devices. © SA Example: deny ip any host 204.138.154.20 deny ip any host 54.163.146.74 The purpose of long term containment is to keep the production up while building a clean system during eradication. Siva Kumar © SANS Institute 2008, 10 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Eradication Phase: ful l The eradication phase is to get rid of the infected worm, perform a vulnerability analysis and improve defense (protection eta ins techniques, hardening systems etc). The security team consulted with Symantec’s “Deep Site” rr Threat management System to perform a malware analysis and Au beyond the scope of this paper. tho shared their findings with GIACE. A detailed malware analysis is 08 , Spybot Vulnerability Analysis Key fingerprint =The AF19W32.Sagevo FA27 2F94 998Dworm FDB5 DE3D F8B5 06E4 A169 4E46 spreads by exploiting the Symantec 20 Antivirus Remote Stack Buffer Overflow Vulnerability (BID 18107) te over TCP port 2967. (Security Focus, 2007) In the paper titled “Symantec Client Security Exploitation Ins titu and Activity Alert”, Aaron I. Adams et al wrote: “The symantec client security stack-based overflow vulnerability associated with Spybot worm identified earlier NS occurs when handling data transmitted over TCP port 2967. The precise issue occurs because of the erroneous use of the SA strncat() function. Specifically, the length of data copied during the strncat() is dictated by the result of a subtraction © operation involving a static value minus the length of a usersupplied string. If the length of the string is greater than the static value, the integer will wrap, causing an unbounded Siva Kumar © SANS Institute 2008, 11 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems strncat() to occur and memory to become corrupted as a result. rig The destination buffer is 0x180 bytes in size. ful l The vulnerability is triggered using what is known as Type 10 messages, specifically when issuing the COM_FORWARD_LOG (0x24) command. By supplying a backslash character within the ins exploit packet, an attacker can trigger the aforementioned eta strncat() code to be invoked. rr Upon triggering the bug, the attacker would be able to trivially exploit the issue by either overwriting the command tho handler’s return address or a Structured Exception Handler Au Record, which would facilitate arbitrary code execution. It appears that the exploit that is being used to leverage 08 , this issue by Spybot variants and Sagevo is derived from the Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 20 same exploit base. The only differences are the exploit’s payload, a bindshell for spybot and connect-back for Sagevo.” te (Adams, 2006) Ins titu Symantec’s website provides the following technical details regarding this spybot: “ W32.Sagevo, when executed performs the following actions: NS 1. Copies itself as the following file: SA %System%\wins\svchost.exe © 2. Attempts to spread using the symantec client security and symantec antivirus elevation of privilege (as described in symantec advisory SYM06-010). Siva Kumar © SANS Institute 2008, 12 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems 4. ful l range of IP addresses on TCP port 2967. rig 3. Creates 512 threads and then attempts to connect to a Obtains the IP address of the compromised computer, ins generates an IP address, and attempts to infect the eta computer that has that address. The IP address is generated according to the following algorithms: If the IP address is 192.168.C.D, it starts with rr a. tho 192.168.0.1. b. If the IP address is 10.B.C.D, it starts with 10.0.0.1. Au c. If the IP address is not one of the above and the third digit is greater than 11, it must be A.B.C.0. If the 08 , third digit is less than 11, the address must be Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A.B.0.0. 20 Example: te GIACE Infected workstation IP: 13.10.50.40 Ins titu Scan pattern: 13.10.40.40, 13.10.40.41, 13.10.40.42, ..., 13.10.41.1 5. Increment the 0 part of the IP address by 1, attempting NS to find and exploit other computers based on the new IP © SA address, until it reaches 254. If the IP reaches 240.254.254.254, the worm restarts the infection sequence with 10.0.0.0 again. 6. Drops the following .bat file and deletes itself: Siva Kumar © SANS Institute 2008, 13 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig %Temp%\NL[RANDOM].bat ful l 7. Downloads a .bat file from the server and executes it. eta ins Eradication process recommended by Symantec: Disable System Restore (Windows Me/XP). 2. Update the virus definitions. 3. Run a full system scan. 4. Delete any values added to the registry.” (Doherty 2007) Au tho rr 1. 08 , The security team applied the appropriate patches on infected workstations. The patches were downloaded from the Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 20 Symantec website: (proper license required)(Symantec support te site, 2007) Ins titu Recovery Phase: The goal of the recovery phase is to put back the impacted systems back into production in a safe manner and validate the NS host systems that the worm has been eradicated. SA The security consultants deployed the quarantined workstations that has been patched back into the production © network and ran test suites for an overall validation. The test suite consisted of: Siva Kumar © SANS Institute 2008, 14 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems 1. Business unit tests rig 2. Functional test plans 3. Network traffic stress tests ful l 4. OS and application logs validation ins The security team also demonstrated that the patched workstation may not be re-infected again by this worm. They eta created a custom signature to trigger on the original attack vector utilizing the snort tool and proved that the system was tho availability to the user community. rr indeed hardened. The GIACE e-mail system announced the system Au As part of the lessons learned phase GIACE security consulting evaluated the current network infrastructure and 08 , proposed/demonstrated an IPS based solution. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 te 20 Lessons Learned Phase: The goal of the lessons learned phase is to document what Ins titu happened and improve the infrastructure capabilities for GIACE. This phase will also focus on the GIACE processes, technology road map and improved incident handling capabilities. NS The security consulting team prepared a formal Incident SA Response Report to the Senior Management after proper consensus. © The Report focused on 1. Brief summary of the w32.sagevo virus exploitation. 2. Activities of the security consulting team. Siva Kumar © SANS Institute 2008, 15 Author retains full rights. Executive summary and recommendations. As an extension to their executive summary and rig 3. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems ful l recommendations the security consulting team proposed: ins 1. An IPS based secure solution for GIACE. 2. Infrastructure security for GIACE. rr eta 3. A formal incident handling team/process. tho An IPS solution was proposed for the following reasons: GIACE checkpoint DMZ firewalls were not capable of Au inspecting traffic beyond layer 3. There is always a possibility of worm attack using well known ports for backdoor entry. The 08 , stateful inspection firewall does not have the intelligence to Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 20 look into the data payload. te GIACE workstation installed Symantec anti-virus software is isolated only to the workstations. They are signature driven and Ins titu cannot protect from zero-day attacks or other denial of service type attacks. GIACE is reliant on the RADIA application push for new patches for individual workstations. An easy oversight may cause a delay in updating the patch and can cause a virus NS outbreak which was the case with GIACE in this incident. There SA is also a separate administrative component involved. An IDS may not be a viable solution. GIACE must spend the © time and resource to examine the reports generated, and remediate virus/worm as necessary. There is also a time lag to Siva Kumar © SANS Institute 2008, 16 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems re-deploy the system and may include a network downtime for rig sensitive financial applications. ful l A high-performance Intrusion Prevention System can function as a virtual software patch, where host patches are not feasible ins or not applied. It protects vulnerable computers from a compromise. An IPS proactively inspects all traffic through eta Layer 7 and blocks malicious traffic. An IPS is complimentary to tho Au Tipping Point IPS Secure Design rr the existing network security systems. (Telechoice, 2006) Figure-2 depicts the new infrastructure design proposed for 08 , GIACE. The placement of the IPS design is a 2 tiered approach. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 4E46 The tier-1 device placed outside the A169 firewall is mainly focused 20 on the Internet traffic inbound and outbound. te The tier-2 IPS devices are deployed at the datacenter Ins titu focused on both inbound and outbound traffic and for quarantine purposes. They are also setup in (HA) high availability mode to decrease the likelihood of interrupted GIACE traffic. With this design the IPS devices are centrally located to encompass all NS the geographic sites of GIACE. It also cuts the operating costs SA in deploying at all divisions within GIACE individually. The reasoning for a tier-1 IPS device outside the firewall © is to monitor the traffic which is dropped by the firewalls provided they are tuned. This will assist in monitoring the Internet traffic that targets GIACE proactively. Siva Kumar © SANS Institute 2008, 17 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Tier-2 IPS devices assist in coorelating the tier-1 IPS as well as monitoring worm traffic that passed through the firewall ful l using known ports. ins The inline design blends easily with the existing infrastucture. Being a layer-2 (bump in the wire) device the IPS eta devices are easier to manage and there are no routing protocols (MPLS, OSPF) configuration changes to the existing architecture tho rr are needed. A single vendor for all IPS devices is recommended because Au of centralized management, reduced interoperability issues and 08 , lower maintenance/support costs. Key fingerprint =Figure-3 AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 depicts a single IPS device which is cross 20 connected with the WAN layer routers via HSRP (Hot Standby Routing Protocol). The fall back mode assures un-interrupted te production traffic and also uses the ZPHA (Zero Power High Ins titu Availability). The architecture also allows for traffic classification based on DSCP (Differentiated Services Code Point) and complex rate shaping QOS (Quality of Service) policies. The IPS devices operate at wire speed (gigabit) NS blocking malicious attacks with low latency. SA The proposed network infrastructure protects GIACE from Spybot style worm attacks. A quarantine action is also put in © place in case of a similar incident in the future (Appendix). Siva Kumar © SANS Institute 2008, 18 Author retains full rights. rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems 08 , Au tho rr eta ins ful l Figure 2: GIACE Network Design © SA NS Ins titu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Siva Kumar © SANS Institute 2008, 19 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SA NS Ins titu te Figure 3: GIACE Network Design - Detailed Siva Kumar © SANS Institute 2008, 20 Author retains full rights. hts . An Era of Spybots – A Secure Design Solution using Intrusion Prevention Systems rig GIACE Infrastructure Secure Design The security team evaluated the existing infrastructure, ful l identified areas of network security vulnerabilites and recommended some best security practices for GIACE network in eta ins addition to the IPS solution. rr Physical layer: GIACE workstations were not following any security tho policies. Workstations were accessible by bystanders. The patch panel/switch ports where the network connections are attached 08 , Au were also accessible in open. The security team recommended using workstation locks for Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 20 individual owners as well as separate secure room/enclosure to Ins titu Datalink layer: te access the patch panel. GIACE workstation network connections were not properly hardcoded to switch ports. Workstation owners were allowed to NS plug in to any open ports on the switch. This provided wider security vulnerability for GIACE. GIACE often have third party SA vendors at their premise using their own laptops. Any compromised laptop would easily infiltrate GIACE network if they © are connected to the available live switch ports. The security team recommended MAC based security on the switch ports. 802.1x is an IEEE standard for media access at © SANS Institute 2008, Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems layer 2. GIACE current technology vendor supports 802.1x port rig based security and should be leveraged for layer 2 network control. A NAC (Network Access Control) based solution further ins risk of network threats like worms and viruses. ful l quarantines workstations that are not patched and lowers the eta Network Layer: GIACE has vlan segmentation at the corporate level. rr Workstations in zone 1 also share the same vlan as zone 2 tho workstations. This causes any virus outbreak to propagate within the vlan. There was also no emergency acl to protect in case of Au an outbreak. There was no authentication for control routing 08 , protocols. Key fingerprint =The AF19security FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 team recommended segmenting further the GIACE switches. 20 internal network by creating layer 2 segments in layer 3 Micro segmentation is a cost effective method to te harden the network against worms. Preparing emergency and roll Ins titu back acl policies assist in containing worm outbreaks. Cisco IOS ACLs and VLAN ACLs provide additional traffic filtering. For routing between the aggregation switches and routers MD5 NS authentication is recommended. Example: SA router ospf 5 router-id 172.25.0.24 © log-adjacency-changes area 140 authentication message-digest passive-interface default Siva Kumar © SANS Institute 2008, 22 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems no passive-interface Vlan81 rig no passive-interface Vlan94 no passive-interface GigabitEthernet7/16 description ****GIACE financial**** rr ip helper-address 172.25.148.18 eta ip address 172.25.95.1 255.255.255.0 ins interface Vlan75 ful l network 172.25.0.24 0.0.0.0 area 150 no ip redirects Au tho ip ospf message-digest-key 1 md5 7 04521901583B54 GIACE infrastucture routers should utilize Loopback 08 , interfaces for purpose of routing and security. The Loopback should be sourced for NTP, AAA, logging etc. 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Example: te interface Loopback0 Ins titu ip address 172.25.0.24 255.255.255.255 no ip redirects no ip unreachables NS no ip proxy-arp SA Transport Layer: GIACE utilized firewalls only at the DMZ layer. Any syn © flood attacks originating from inside can easily compromise the network. GIACE also were using the NTP (Network Time Protocol) for logging but in-band. Siva Kumar © SANS Institute 2008, 23 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig The security team recommends a server layer firewall approach utilizing the Cisco FWSM inline modules which can ful l easily integrate into existing 6500 chassis. The firewall service modules provide enhanced reliability and integrates ins firewall security inside the GIACE network infrastucture. Network Time Protocol is essential for time-stamp accuracy for eta logging, because logs are polled under different devices geographically. It is recommended that NTP traffic is carried tho rr out of band management. Au Session Layer: GIACE client-server connectivity still utilizes telnet 08 , method of access. The security team recommends migrating from te Presentation Layer: 20 telnet to FA27 SSH22F94 protocol access Key fingerprint = AF19 998D FDB5for DE3Dall F8B5admin 06E4 A169 4E46 to GIACE servers. Ins titu GIACE uses custom applications and most of them were outsourced. There is no data encryption for the internal traffic. The security team recommends data encryption as well data compression if feasible. This enhances in prevention of data NS snooping or masquerading. SA Application Layer: © GIACE did not have a dedicated appliance like IPS to mitigate worms/viruses. The current SNMP polling is in-band using known community strings. The security team recommended an Siva Kumar © SANS Institute 2008, 24 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems in-line IPS solution with low latency. The SNMP traffic should rig be out-of band or on a dedicated vlan with private community ful l strings. ins GIACE incident handling process eta GIACE is inadequately prepared for incidents of this type. As preparation for future incidents, establishing a dedicated rr computer security incident response team (CSIRT) is recommended. This team will provide rapid response and reduce future events tho and also establish performance standards. The suggested members could be the on-call person from a multi-disciplinary team Au including operations, network management, legal counsel, human resources, disaster recovery / business continuity planning. The 08 , security team proposed the following flow chart template for Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SA NS Ins titu te 20 incident response process. Siva Kumar © SANS Institute 2008, 25 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems © SA NS Ins titu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Siva Kumar © SANS Institute 2008, 26 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Conclusion ful l This document has attempted to show how any organization can be vulnerable to a worm attack when there is a break in the ins process flow. It also demonstrates the SANS-PICERL methodology eta as the Incident Handling Process. rr The next section focuses on the Infrastucture secure design using an Intrusion Prevention System. GIACE infrastructure is tho re-designed to deploy an IPS integrated secure solution. A series of screen shots (Appendix) shows a TippingPoint 08 , quarantine in the future. Au configuration template for spybot style virus that can block and Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 The next section focuses on general infrastructure design 20 focusing on the network security. The solution proposed overlays te using the existing vendor technology. Ins titu An IPS is recommended for a long term strategic solution for GIACE. The blended threat suppression approach provides a proactive solution for future needs. NS This sort of architecture using in-line IPS can be used to reduce the complexity, deployment costs, and maintenance costs © SA of deploying individual network elements. Siva Kumar © SANS Institute 2008, 27 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig References August 15, 2007, from sans.org. Web Site: ins http://www.sans.org/resources/policies ful l The SANS Institute. Security Policy Project. Retrieved eta Northcutt, Stephen (2002). Network Intrusion Detection. SAMS rr Skoudis, Ed (2006). SANS Security 504: Hacker Techniques, tho Exploits and Incident Handling. SANS course Au Adams, Aaron et al(2006). Symantec Client Security Exploitation and Activity Alert. Retrieved August 15, 2007, from 08 , symantec.com. Web site: https://tms.symantec.com/ Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 20 Doherty, Stephen (2007). W32.Sagevo – Symantec. Retrieved August 15, 2007, from symantec.com. Web site: te http://www.symantec.com/security_response/writeup.jsp?docid Ins titu =2006-121309-3331-99&tabid=1 Cisco connection Online Retrieved August 15, 2007, from cisco.com. Web site: NS http://www.cisco.com/en/US/netsol/ns731/networking_solution s_solution.html SA Case for an IPS (2006). Retrieved August 15, 2007, from © telechoice.com. Web site: http://www.telechoice.com/presentations/caseforips.pdf Siva Kumar © SANS Institute 2008, 28 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems Symantec support site (2007). The SYM06-010 patch for Symantec rig Client Security and Symantec AntiVirus. Retrieved August 15, 2007, from symantec.com. Web site: ful l http://entsupport.symantec.com/docs/n2006052609181248 ins Denial of Service and Distributed Denial of Service Protection. Retrieved August 15, 2007, from tippingpoint.com. Web Site: eta http://www.tippingpoint.com/resources_whitepapers.html tho wikipedia.org. Web site: rr Zachman Architecture (2007), Retrieved August 15, 2007, from Au http://en.wikipedia.org/wiki/Zachman_framework Security Focus, Symantec antivirus Remote stack buffer overflow 08 , vulnerability. Retrieved August 15, 2007, from Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 securityfocus.com. Web site: te 20 http://www.securityfocus.com/bid/18107 Irwin, Victoria (2004) RSA Conference paper, Retrieved August Ins titu 15, 2007, from rsaconference.com. Web site: http://www.rsaconference.com/uploadedFiles/VirtualSoftwareP NS atch.pdf Bejtlich, Richard (2005). Extrusion Detection: Security SA Monitoring for Internal Intrusions. Addison-Wesley © Professional. Siva Kumar © SANS Institute 2008, 29 Author retains full rights. hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems rig Appendix This section includes TippingPoint device configuration ful l pertaining to the prevention of spybot style worm attacks. It includes setting up profiles/filters, host level, SMS IPS level ins and monitoring functionalities. The configuration can be applied either directly on the device or pushed via SMS (Security eta Management System). This SMS system consists of a Java based SMS rr client and SMS Server. tho The ease of use with configuration assists the administrators a free choice of defining interfaces as trusted Au or untrusted. Also they have an option to scale their filter 08 , settings across segments or traffic patterns. (Irwin, 2004) Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 TippingPoint IPS is focused on blocking exploitation of the 20 threats underlying these bots rather than the individual bots themselves. The TippingPoint approach provides a much higher te level of protection. The first one, w32.sagevo, exploits the Ins titu SYM06-010 vulnerability, which the IPS can detect and block with custom filter 4463: SYMANTEC: AntiVirus Client Buffer Overflow. The simple approach would be to enable this filter in Block NS and Notify, or configure a quarantine action to notify users that they are infected. The second approach is a blended threat, © SA and can exploit a number of vulnerabilities. Siva Kumar © SANS Institute 2008, 30 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems Ins titu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Figure 4: IPS – Device Details NS Using the SMS client the user can select the IPS device that needs to be configured. The above screen shows the details SA of the IPS device – includes the digital vaccine release, TOS © version and an overall health check. Siva Kumar © SANS Institute 2008, 31 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Ins titu Figure 5: IPS – Device configuration This screen shows how the network traffic can be segmented for GIACE. It shows all interfaces can be logically selected as © SA NS internal or external. Siva Kumar © SANS Institute 2008, 32 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems Ins titu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Figure 6: SMS – Attack Events The main interface window is shown above. By selecting the events tab, a current snap shot of all activities for the pre- NS defined time period is displayed. The events screen provides number of options for monitoring attack detection and response. SA Also categorizes attack levels. The name category shows the predefined filter and shows the current types (eg block, enable © mode). It also provides the source/destination ports as attack vector. Siva Kumar © SANS Institute 2008, 33 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Ins titu Figure 7: Application Filter Search In the profiles tab an advanced search is performed. “Symantec” is used as the filter specific info. This yields a set of predefined available filters. By double clicking the NS “4463 – antivirus client buffer flow” filter more details are © SA available regarding the vulnerability. Siva Kumar © SANS Institute 2008, 34 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Ins titu te Figure 8: Sagevo - Apply Filter Settings In the above screen shot shows a new filter named “sagevo” being edited. This is the first step in the process of creating © SA NS a filter. Siva Kumar © SANS Institute 2008, 35 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 te Figure 9: Sagevo Filter – Action Set Ins titu A new filter profile “sagevo” is configured in the previous action set. Block and Quarantine action is selected. It also provides options to quarantine –eg a web page or a simple block © SA NS options. Siva Kumar © SANS Institute 2008, 36 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Ins titu Figure 10: Filter Search for malicious virus The profiles tab (advanced search window pane) shows the list of active predefined profiles and their state (Action set). The filter specific criteria for “symantec” show a list of The user NS defined filters, and current control measures taken. © SA defined ruleset “Segavo” is listed and applied as enabled state. Siva Kumar © SANS Institute 2008, 37 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems Ins titu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Figure 11: Infrastructure protection settings The Profiles tab and the infrastructure window pane shows all the recommended filters with their corresponding severity NS level. Users have the option to activate or deactivate the filters by checking the radio button. The security team enabled © SA most common filter settings. Siva Kumar © SANS Institute 2008, 38 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 te Figure 12: Application Profile Ins titu The application filter profile shows a set of pre-defined filter categories that defend against known and unknown exploits. It shows a list of recommended filters for GIACE that © SA NS are currently in enabled state. Siva Kumar © SANS Institute 2008, 39 Author retains full rights. 08 , Au tho rr eta ins ful l rig hts . An Era of Spybots - A Secure Solution using Intrusion Prevention Systems te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Ins titu Figure 13: Reconnaissance Profile The reconnaissance filters include probes and scan sweeps. The above screen shot shows the recommended reconnaissance © SA NS filter settings for GIACE. Siva Kumar © SANS Institute 2008, 40 Author retains full rights. Last Updated: May 10th, 2017 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Northern Virginia - Reston 2017 Reston, VAUS May 21, 2017 - May 26, 2017 Live Event SANS London May 2017 London, GB May 22, 2017 - May 27, 2017 Live Event SEC545: Cloud Security Architecture and Ops Atlanta, GAUS May 22, 2017 - May 26, 2017 Live Event SANS Melbourne 2017 Melbourne, AU May 22, 2017 - May 27, 2017 Live Event SANS Madrid 2017 Madrid, ES May 29, 2017 - Jun 03, 2017 Live Event SANS Stockholm 2017 Stockholm, SE May 29, 2017 - Jun 03, 2017 Live Event SANS Atlanta 2017 Atlanta, GAUS May 30, 2017 - Jun 04, 2017 Live Event SANS Houston 2017 Houston, TXUS Jun 05, 2017 - Jun 10, 2017 Live Event Security Operations Center Summit & Training Washington, DCUS Jun 05, 2017 - Jun 12, 2017 Live Event SANS San Francisco Summer 2017 San Francisco, CAUS Jun 05, 2017 - Jun 10, 2017 Live Event SANS Thailand 2017 Bangkok, TH Jun 12, 2017 - Jun 30, 2017 Live Event SANS Milan 2017 Milan, IT Jun 12, 2017 - Jun 17, 2017 Live Event SEC555: SIEM-Tactical Analytics San Diego, CAUS Jun 12, 2017 - Jun 17, 2017 Live Event SANS Charlotte 2017 Charlotte, NCUS Jun 12, 2017 - Jun 17, 2017 Live Event SANS Secure Europe 2017 Amsterdam, NL Jun 12, 2017 - Jun 20, 2017 Live Event SANS Rocky Mountain 2017 Denver, COUS Jun 12, 2017 - Jun 17, 2017 Live Event SANS Minneapolis 2017 Minneapolis, MNUS Jun 19, 2017 - Jun 24, 2017 Live Event SANS Philippines 2017 Manila, PH Jun 19, 2017 - Jun 24, 2017 Live Event DFIR Summit & Training 2017 Austin, TXUS Jun 22, 2017 - Jun 29, 2017 Live Event SANS Columbia, MD 2017 Columbia, MDUS Jun 26, 2017 - Jul 01, 2017 Live Event SANS Paris 2017 Paris, FR Jun 26, 2017 - Jul 01, 2017 Live Event SANS Cyber Defence Canberra 2017 Canberra, AU Jun 26, 2017 - Jul 08, 2017 Live Event SEC564:Red Team Ops San Diego, CAUS Jun 29, 2017 - Jun 30, 2017 Live Event SANS London July 2017 London, GB Jul 03, 2017 - Jul 08, 2017 Live Event Cyber Defence Japan 2017 Tokyo, JP Jul 05, 2017 - Jul 15, 2017 Live Event SANS Munich Summer 2017 Munich, DE Jul 10, 2017 - Jul 15, 2017 Live Event SANS ICS & Energy-Houston 2017 Houston, TXUS Jul 10, 2017 - Jul 15, 2017 Live Event SANS Los Angeles - Long Beach 2017 Long Beach, CAUS Jul 10, 2017 - Jul 15, 2017 Live Event SANS Cyber Defence Singapore 2017 Singapore, SG Jul 10, 2017 - Jul 15, 2017 Live Event SANSFIRE 2017 Washington, DCUS Jul 22, 2017 - Jul 29, 2017 Live Event Security Awareness Summit & Training 2017 Nashville, TNUS Jul 31, 2017 - Aug 09, 2017 Live Event SANS San Antonio Fall 2017 San Antonio, TXUS Aug 06, 2017 - Aug 11, 2017 Live Event SANS Zurich 2017 OnlineCH May 15, 2017 - May 20, 2017 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced