Catch Them If You Can
Don Parker, 2008-03-12

High-profile network security breaches have proliferated over the past few years. While many "breaches" consist of lost data or a stolen laptop, true breaches -- where an online attacker compromises a network and removes data -- have become very common.

The TJX data breach, revealed by the company in January 2007, is perhaps the most significant compromise this decade. Data thieves broke into the company's processing servers and removed credit- and debit-card information on more than 100 million accounts. A staggering amount of customer data was obtained as a result of that hack and then quickly put to use by criminal elements.

The highly publicized network intrusion seemingly underscores the claim by many hackers that most, if not all, network security defenses are useless and that defenders are far better off not wasting money on intrusion detection systems (IDS), intrusion prevention systems (IPS) or antivirus solutions. A skilled attacker, the mantra goes, can easily bypass these defenses.

Yet, the problem is more that companies have relied on technology and not enough on skilled administrators and users. Of course, any of these systems could be bypassed, especially if deployed by an unskilled defender, but they are not useless.

The biggest problem by far is that the majority of these devices output logs that quickly become ignored after they are installed. This is due to a lack of training for personnel who need to not only be able to interpret the logs, but also verify the accuracy of them. That verification is done by comparing the logged alerts to the actual traffic itself. Unfortunately, too many IT security analysts lack the knowledge to do just that.

This problem is then exacerbated by management not sending their people to get the training required to get them up to snuff. To this day many corporate management teams are loath to invest money in training for their network security personnel. That attitude only undermines the company's security.

Now, the TJX data breach clearly illustrates the lethality of poor knowledge on the part of security personnel and lack of proper training. The TJX hack was not a zero-day incident, so it should have been picked up almost immediately. This would have been detected had proper analysis techniques been put into place.

Even zero-day threats can be detected by actively monitoring network traffic patterns and outbound data flows.

It has often been said that to recognize the abnormal you must first be able to recognize what is normal. We all know that computer communications are built upon protocols which in turn are sent to and fro using the almighty packet. The one thing that protocols have in common is that there is a request for comment (RFC) document for them. That RFC is a blueprint for how the protocol in question is supposed to work.

Now system administrators and IT security analysts alike should both have a very good understanding of the TCP/IP protocol suite. By studying and understanding these protocol blueprints, the analyst will come away with the knowledge of what normal protocol behavior looks like.

Knowledge of the particulars of an RFC will allow security analysts to recognize bizarre behavior at the protocol level. For example, if you start seeing a heavy volume of traffic exiting your network on UDP/TCP Port 53, that is not a DNS server communicating. For most networks, heavy DNS traffic is not something that should normally occur. However, using UDP/TCP Port 53 to remove data from a network is a favorite of hackers for a simple reason. Many networks don’t employ aggressive egress filtering on their edge routers and anything from anyone on that port is allowed out.

Having the knowledge to understand how a protocol such as DNS behaves would also allow you to spot a hacker removing documents from your network. After all, it would be rather unusual to see a prolonged series of packets on UDP/TCP Port 53 with a size of 1540 bytes. So we know that if a network gets hit with a zero-day hack or other such stealthy vector that we should still hopefully be able to uncover the attack by the hacker's desire to move data from the network.
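The port-53 checks described above can be run over recorded traffic; the following is an added example, not code from the original article. The function name, the thresholds, the internal address range and the sample records are all assumptions constructed for illustration, and the thresholds need tuning per network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (epoch_seconds, src_ip, dst_ip, proto, dst_port, frame_bytes)
SAMPLE_PACKETS = (
    [(1000 + i * 30, "10.0.0.53", "192.0.2.1", "udp", 53, 78) for i in range(20)]    # the resolver
    + [(1000 + i, "10.0.0.77", "203.0.113.9", "udp", 53, 1540) for i in range(40)]   # run of large frames
    + [(1005, "10.0.0.21", "10.0.0.53", "udp", 53, 74)]                              # client to resolver
    + [(1010 + i, "10.0.0.88", "198.51.100.4", "tcp", 53, 300) for i in range(400)]  # heavy volume
)

def flag_port53_egress(packets, internal_cidr, dns_servers,
                       max_frame=512, min_run=10, max_bytes=100_000):
    """Return {src_ip: [reasons]} for internal hosts with abnormal outbound port-53 traffic.

    max_frame, min_run and max_bytes are assumed thresholds, not values from the article.
    """
    net = ipaddress.ip_network(internal_cidr)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    total = defaultdict(int)    # bytes sent off-network on port 53, per source
    run = defaultdict(int)      # current streak of oversized frames, per source
    longest = defaultdict(int)  # longest such streak, per source
    for ts, src, dst, proto, dport, size in sorted(packets):
        if dport != 53 or not inside(src) or inside(dst):
            continue            # only traffic leaving the network on port 53
        total[src] += size
        run[src] = run[src] + 1 if size > max_frame else 0
        longest[src] = max(longest[src], run[src])
    findings = {}
    for src in total:
        reasons = []
        if src not in dns_servers:
            reasons.append("non-resolver host talking to external port 53")
        if total[src] > max_bytes:
            reasons.append(f"{total[src]} bytes out on port 53")
        if longest[src] >= min_run:
            reasons.append(f"{longest[src]} consecutive frames over {max_frame} bytes")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    hits = flag_port53_egress(SAMPLE_PACKETS, "10.0.0.0/8", {"10.0.0.53"})
    for host, reasons in hits.items():
        print(host, "->", "; ".join(reasons))
```

Each flagged host is a starting point for pulling the recorded packets and comparing them with what a DNS exchange should look like.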

This investigative approach presumes that the corporate network is logging all traffic. Recording all data traffic is almost a necessity, as it is rather hard to confirm the veracity of any IDS or IPS alert if you have no packets to look at.

The most difficult adversary, though far less frequent a threat, is someone with true skill who has taken an interest in your network and found a way in.

It is very likely that this dangerous opponent is well aware of traffic patterns and protocol behavior. They may choose to do process injection, to name but one technique, in an effort to remove corporate data stealthily. Depending on how much they append to each session it could be truly difficult to find this illegal outbound data flow.

A lot can be done, however, by stressing the basics and leveraging existing knowledge. There is nothing magical or secretive in these methods. Even though the attacker may be very good, what comes in, must eventually come out. That is where you can almost certainly find them. Hackers that proclaim that they can come and go silently like the wind and bypass all network defenses are a threat only in the movies.

Network security analysts must have the necessary expertise to stop attacks. When a break-in does occur, the blame quickly falls upon them, but the company would do well to look higher up the management chain.

Too often there is a lack of senior management buy-in for the role and maintenance of security on the corporate network. It is not enough for management to acknowledge the fact that network security is necessary today. They must take concrete steps to not only ensure that quality training for their personnel is budgeted for but also that they continue to provide oversight for this too often neglected part of their business model.

Don Parker, GCIA GCIH, specializes in intrusion detection and incident handling. In addition to writing about network security he enjoys a role as guest speaker for various security conferences.
Copyright 2010, SecurityFocus