• Aucun résultat trouvé

Learning from the attackers

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Learning from the attackers"

Copied!
15
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Learning from the attackers

What’s the attacker teach us on how to improve our information systems ?

Alexandre Dulaunoy

ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg)

http://www.csrrt.org/

June 8, 2007

(2)

Introduction or Disclaimer

I After a deep analysis of the data captured in a honeypot, we discovered a lot of attackers tools and tactics (sometimes their motives)

I What could we learn from such information ? Can we build conclusion recommendations about security ? or is it so empirical or focused that we’ll recommend wrong paths at the end ?

I At least, we’ll make a partial bridge between theory and practise in ”computer/network” security

Terminology : users are running information systems and attackers are the one trying to attack them.

An user can become an attacker and an attacker can become an user

(3)

Attackers exist

I There was an old myth : ”There is no such thing as attackers in cyberspace”

I They exists and looking at the kind of interaction within the honeypot, they are human

I Thinking and implementing security on your information system is not worthless

I A collateral law, they often don’t target countries but just the cyberspace and its big potential of vulnerable systems

(4)

Attackers discover and exploit vulnerabilities

I Attackers use known or unknown vulnerabilities

I Attackers often use vulnerabilities before their are falling into the known category (e.g. ssh exploit, ptrace bug,...)

I Protecting information systems on only known vulnerabilities is just covering a part (e.g. IDS or malware patterns)

I Implementing Least privilege is important to better contain unknown and known vulnerabilities (”’The principle of least privilege states that a subject should be given only those privileges that it needs in order to complete its task”’)

(5)

Attackers discover and exploit vulnerabilities (2)

I In recent web security issues, the permissions on the /tmp or /temp directory are very important and must follow least privilege principle

I Implementing Fail-Safe principle in software and in their implementation (in other words ”’ In doubt, a none access is given.”’ or avoid default allow from software to network configuration.)

I Attackers monitor security advisory and you ? (e.g. RSS security feeds are nice and free, they just need a bit of time)

(6)

Attackers innovate

I Some years ago, we already discovered a lot of attackers using tunneling protocols like ipv6 over ipv4 to just hide their activities

I Attackers innovate just to pursue their objective

I Don’t minimize their ability of adaptation

I Innovating don’t mean ”buying bleeding edge devices” but more ”what are the (bad & good) potential use of a technology ?”

(7)

Attackers innovate (2)

I The innovation process of an attacker is often a ”thinking out of the box approach” :

I User trying to protect their system : ”What are the risks ?”

I Attackers trying to attack a system : ”How to attack the system ? nice the service X or Y is running, I’ll give a try”

I Each perspective are valid but sometime user should take the hat of an attacker against their own system

I It will better refine the risks and where to focus

(8)

Attackers communicate

I Attackers communicate just like human

I Attackers communicate (very) well :

I They will use any channel of communication available

including covered channel (e.g. from IRC to ICMP tunnelling)

I They exchange information with other attackers and non-attackers (e.g. the announce of a compromised)

I They often integrate the system in a larger network of compromised systems (e.g. IRC interface to your own credit card verification process)

I and you ? are you communicating with colleagues, suppliers or competitors having the same security troubles ?

(9)

Attackers communicate (2)

I When implementing access or remote services, think twice before enabling it as it will be used as a communication channel by the attackers :

I Does the machine in a DMZ really need an Internet access ? often it’s not required and helps the potential attackers to communicate (e.g. using the system to launch other attacks, download toolbox like root-kit, being part of a larger network of compromised system, ...)

I Don’t forget a lot of protocols are full-duplex and encapsulation of non-legitimate traffic is possible (and often easy)

I A end-user can be a communication layer without knowing to be one (e.g. p2p protocol)

(10)

Attackers have toolboxes

I As seen in the Honeypot, attackers use toolboxes to ease their work

I Sometimes they compile or execute their toolboxes on your compromised machine :

I Do you really need a C compiler on your machine ? do you need a C# virtual machine or web browser on a server ?

I Follow the rule of ”if you don’t need it, don’t install it or remove it”

I If an attacker is able to install software, are my permissions correct ? do I follow the principle of least privilege ?

separation of privilege ? do you control regularly file integrity ?

I and you ? do you have your toolbox to analyze a compromised system ? and do you know how to use it ?

(11)

Attackers love any services

I A common myth in information security : ”I’m using a so obscure protocol that no one is interested”

I Some experiment in Honeypot with obscure protocol shows an interest and exploit from the attackers (e.g. the mbus case)

I User often forget that the cost of testing large set of information system on Internet is low

I User must apply the ”Principle of Open Design” (”’The principle of open design states that the security of a

mechanism should not depend on the secrecy of its design or implementation”’)

(12)

Attackers share

I Attackers share :

I Compromised systems with other known (sometimes with unknown) attackers

I Toolboxes and idea with the other attackers (e.g. root-kits are often trojaned by others attackers)

I Services available on your nice compromised systems (e.g. a CC validation system)

I and extend your compromised with new services (e.g. from a sniffer to a phishing website)

I Monitoring your systems for detecting not-known services is important

I Do you share tips about security ?

(13)

Attackers are sexy

I We don’t know... no experiment where done until now

I Collateral point : When analyzing something on a compromised system, everything is a perception

I We learn everyday and security is a never ending process

(14)

Bibliography

I Know Your Enemy, The Honeynet project - various, (second edition) Addison Wesley, ISBN 0-321-16646-9

I Computer Security, Art and Science, Matt Bishop, Addison Wesley, ISBN 0-201-44099-7

(15)

Q and A

I Thanks for listening.

I adulau@foo.be

Références

Télécharger maintenant ( PDF - 15 Page - 176.23 KB )

Documents relatifs

The unnormalized Dempster's rule of combination: a new justification from the Least Commitment Principle and some extensions

In this paper, it has been shown that the unnormalized Dempster’s rule of combination is the least committed rule among the rules based on pointwise combination of conjunctive

THE LEAST

The participants were: Martin Bell (University of Sussex), Andrzej Bolesta (United Nations Economic and Social Commission for Asia and the Pacific), Mafa Evaristus Chipeta

The meaning of knowing what is to be known

Qualitatively different categories of descriptions concerning the meaning of evalua- ting technical solutions, performing a house hop and being able to act with presence

Learning from the attackers

I Implementing Least privilege is important to better contain unknown and known vulnerabilities (”’The principle of least privilege states that a subject should be given only

Schneider suggested that one at least of the two numbers is transcendental

There exists a constant c > 0 such that, for any real number , there are infinitely many integers D for which there exists a tuple of algebraic numbers

Recognizing white privilege

People of colour might tell us about white privilege but until we become sufficiently aware of it and willingly—and humbly—give up the unwarranted advantage that white privilege

It is a privilege.

My fi rst recognition of the changing profi le of residents came several years later when one resident emphatically tried to win me over to his perspective that developing rapport

"An honour and a privilege".

Dr James Rourke has practised for 25 years in Goderich, Ont, with his wife, Dr Leslie Rourke.. Th ey are moving to St John’s, Nfl d, where he has been appointed Dean of Medicine