Security Laboratory

Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

Extrusion Detection

By Stephen Northcutt

Recently, we were on the NetOptics[1] web site looking for a product that could help us determine whether a network sniffer (an IDS or IPS) was dropping packets. The idea was to keep two sets of books: one is the packet count on the tap connected to the network, the other is the count kept by the IDS, and then you compare the two numbers. However, we ran into a .pdf marketing sheet with an interesting comment attributed to Richard Bejtlich[2]: "A Link Aggregator Tap allows traffic from multiple lower-bandwidth systems to be collected and monitored by a single sensor with a higher-bandwidth NIC. Like other Net Optics products, there are a variety of combinations, such as sending copied traffic to multiple outputs or collecting traffic from fiber and other interface types."[3] Why do we care? Well, the problem is that we know very little about our internal networks, since we typically monitor where we connect to the Internet and not much else.

There are a number of reasons a company might want to monitor its internal network, ranging from operational health and status, through worm detection[4], to insider attacks. An article from USA Today discusses the insider problem: "Companies that have spent billions on cyberdefenses to thwart intruders are now addressing an even bigger threat: employees."[5] The large number of data breaches in 2006[6] and 2007 is driving executives up a wall. Liability insurance costs will likely increase as these events continue, putting upward price pressure on organizations in a number of industries that are trying to control costs. There are even calculators available online to predict the cost of a data breach: "Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."[7]

There are a number of companies with a number of solutions to the loss of data problem. They include:

  • Vontu
  • Tablus
  • Vericept
  • Fidelis
  • Preventure
  • Reconix

And there will probably be a number of start-ups in the coming year, since this is such a hot area. But the wise security manager takes the time to consider the primary approaches to the problem before talking with sales people.

Layer 3 monitoring
Clearly the majority of breaches are done over the network, so monitoring tools ranging from Snort[8] to Bro[9] and everywhere in between allow us to look for evidence of data loss from our networks. It is possible to create signatures that look for well-known Personally Identifiable Information that could indicate a data breach. Patrick Harper and Jon Lyons recommend the following rule:[10]

# The posted rule used [1-9] character classes, which never match a zero, so any SSN containing a 0 is missed; \d covers all ten digits, and the \b word boundaries stop a 3-2-4 run inside a longer number from matching.
alert ip $HOME_NET any -> $EXTERNAL_NET any (pcre:"/\b\d{3}-\d{2}-\d{4}\b/"; msg:"SSN# in clear text"; classtype:policy-violation; sid:2000370; rev:2;)
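A rule that matches only the 3-2-4 digit shape alerts on ticket numbers, part numbers and anything else with the same layout. As an added example (not from the article, and not the rule authors' code), the Python script below applies the same shape to a few constructed payload strings and then drops matches that the Social Security Administration never issues: area numbers 000, 666 and 900 and above, group number 00, and serial number 0000. The sample payloads and the function names are my own.

```python
import re
from typing import List

# Same 3-2-4 digit shape as the Snort rule's pcre, written with \d (which
# includes zero) and word boundaries so digits inside a longer number do
# not produce a match.
SSN_SHAPE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural filter: the SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000, so such matches are noise, not a breach."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str, validate: bool = True) -> List[str]:
    """Return the SSN-shaped strings in text, optionally dropping the
    structurally impossible ones."""
    hits = []
    for m in SSN_SHAPE.finditer(text):
        if validate and not is_plausible_ssn(*m.groups()):
            continue
        hits.append(m.group(0))
    return hits


# Constructed sample payloads (not captured traffic): one plausible SSN and
# several digit strings of the same shape that a shape-only rule also flags.
SAMPLE_PAYLOADS = [
    "POST /export HTTP/1.1\r\n\r\nname=J.+Doe&ssn=123-45-6789",
    "ticket id 000-12-3456 escalated to tier 2",
    "part number 987-65-4321 shipped",
    "case 666-12-3456 opened",
    "ref 234-00-1234 filed",
    "order 12345-678 confirmed",
]


def count_hits(payloads: List[str], validate: bool) -> int:
    """Total number of alerts the scanner raises over the payloads."""
    return sum(len(find_ssns(p, validate)) for p in payloads)


if __name__ == "__main__":
    print("shape-only alerts:", count_hits(SAMPLE_PAYLOADS, validate=False))  # 5
    print("validated alerts: ", count_hits(SAMPLE_PAYLOADS, validate=True))   # 1
    for p in SAMPLE_PAYLOADS:
        print(repr(p[-40:]), "->", find_ssns(p))
```

The same filter belongs in the IDS rule as well where the engine's PCRE allows it; in Snort the simplest route is to keep the broad rule and suppress the impossible ranges in post-processing, which is what the validate flag models here.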

The Nessus folks recently released a Nessus plugin to scan for and locate sensitive information. "We have created rules to look for CCNs and SSNs in a variety of formats. In addition, there are also rules to search for international wire transfers, driver's license numbers and even copyrighted source code. We're expecting to get many requests and ideas for new file formats and new content. The most appealing aspect of this type of search is the ability to customize your own "sensitive content". It is very easy to create rules to search for your own copyrighted content, employee lists with a few of your company's real employee names, or even "keywords" that would be of interest searching someone's local chat logs."[11] This helps in creating an information-centric approach to defense in depth. "Information centric is another way to think of the defense-in-depth concept. Think of concentric rings, at the center of the diagram is your information. However, the center can be anything you value, or the answer to the question, "What are you trying to protect?" Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application. The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers."[12]
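Scanning data at rest raises the same false-positive problem as the network rule, and it adds the point the quote makes about custom content. As an added example (my own code, not the Nessus plugin or anything from Tenable), the script below scans a few constructed files for card numbers, keeps only those that pass the Luhn mod-10 checksum every issued card number satisfies, reports them masked so the scan report is not itself a leak, and also searches for a constructed list of "your own sensitive content" terms. File names, contents and the custom terms are all made up for the example.

```python
import re
from typing import Dict, List

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes the way people type them into documents.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed custom terms standing in for "your own sensitive content":
# an internal project code name and the title of an internal document.
CUSTOM_TERMS = ["project nightjar", "acme employee directory"]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every issued payment card number passes; it
    rejects most random or mistyped digit strings of the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report only the last four digits so the findings log is safe to share."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return Luhn-valid card numbers (masked) and custom terms found in text."""
    findings: Dict[str, List[str]] = {"ccn": [], "custom": []}
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings["ccn"].append(mask(digits))
    lowered = text.lower()
    for term in CUSTOM_TERMS:
        if term in lowered:
            findings["custom"].append(term)
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Scan a mapping of file name -> contents; keep only files with findings."""
    report = {}
    for name, text in files.items():
        found = scan_text(text)
        if found["ccn"] or found["custom"]:
            report[name] = found
    return report


# Constructed sample files (not real data). 4111 1111 1111 1111 is a widely
# published test card number; changing its last digit breaks the checksum.
SAMPLE_FILES = {
    "invoice.txt": "Charged card 4111 1111 1111 1111 on 2007-03-01.",
    "notes.txt": "Ref 4111-1111-1111-1112 is an order id. Project NIGHTJAR draft attached.",
    "readme.txt": "Nothing sensitive here; phone 555-0123.",
}


if __name__ == "__main__":
    for name, found in scan_files(SAMPLE_FILES).items():
        print(name, found)
```

In practice the file walk replaces the SAMPLE_FILES dictionary and the custom term list is loaded from a file the data owner maintains; the checksum and masking steps are the parts worth keeping as they are.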

Among the latest tools are the log management and SIM/SEM solutions that can use full text search to locate and archive the location of sensitive information. Chris Petersen, CTO of LogRhythm, was asked the following question: "Splunk is getting a lot of press with the full text search. Can you comment on this? It seems that most vendors in the log management space have the same capability. And, how important is a full text search?"[13] He replied: "We and most other log management vendors have had text-based search all along; we just haven't marketed it as well as Splunk. I think we just took this capability for granted. However, unlike Splunk, we also have normalized data. When you are doing a full text search, you may want to contextualize what is being searched for against other values; you don't want to be looking for something brute force that is a million rows back. So, normalized data searches can be combined with full text searches to yield more powerful results."[14]
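The point about combining normalized fields with full text search is easy to see on a handful of lines. As an added example (my own code, not LogRhythm's or Splunk's), the script below normalizes a few constructed syslog-style lines into named fields, then offers a search that takes a free-text term plus exact field constraints. The log lines, host names and addresses are constructed for the example.

```python
import re
from typing import Any, Dict, List, Optional

# Syslog-style line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd authentication messages carry a result, a user and a source address
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+)"
)


def normalize(line: str) -> Dict[str, Any]:
    """Turn a raw line into a record of named fields, keeping the raw text
    so full text search still works on it."""
    rec: Dict[str, Any] = {"raw": line}
    m = LINE_RE.match(line)
    if not m:
        return rec            # unparsed lines stay searchable by text only
    rec.update(m.groupdict())
    if rec["program"] == "sshd":
        a = SSHD_RE.match(rec["msg"])
        if a:
            rec.update(a.groupdict())
    return rec


def search(records: List[Dict[str, Any]], text: Optional[str] = None,
           **fields: str) -> List[Dict[str, Any]]:
    """Full text match on the raw line combined with exact matches on
    normalized fields, e.g. search(recs, text="root", program="sshd")."""
    out = []
    for rec in records:
        if text is not None and text.lower() not in rec["raw"].lower():
            continue
        if any(rec.get(k) != v for k, v in fields.items()):
            continue
        out.append(rec)
    return out


# Constructed sample log (not from a real system).
SAMPLE_LOG = [
    "Mar  3 10:15:01 gw1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51422 ssh2",
    "Mar  3 10:15:09 gw1 sshd[2207]: Failed password for root from 203.0.113.9 port 40210 ssh2",
    "Mar  3 10:16:44 db2 sshd[887]: Failed password for alice from 203.0.113.9 port 40311 ssh2",
    "Mar  3 10:17:00 db2 CRON[901]: (root) CMD (/usr/local/bin/export-report.sh)",
]
RECORDS = [normalize(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    # Free text alone: "root" also hits the cron line.
    print(len(search(RECORDS, text="root")), "lines mention root")
    # Same term constrained by a normalized field: only the sshd failure.
    for r in search(RECORDS, text="root", program="sshd"):
        print(r["host"], r["result"], r["user"], r["src_ip"])
```

The search is a linear scan because the example holds four lines; in a real log store the normalized fields are what get indexed, and the free-text term is applied only to the rows those indexes return, which is the "million rows back" problem Petersen describes.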

The two most helpful SANS courses for learning to identify sensitive information are the (poorly named) Google Hacking and Defense[15] and Introduction to Using Regular Expressions.[16]

The bottom line
The tools to locate sensitive data, both as it travels across the network and when it is at rest, are becoming available. It stands to reason that an information assurance manager who can demonstrate a grasp of the fundamental architecture and technology choices needed to protect an organization from a data breach will be far more valuable than one who cannot.

[1] http://www.netoptics.com/
[2] http://www.taosecurity.com/
[3] http://www.netoptics.com/pdf/extrusiondetection.pdf
[4] http://www.arbornetworks.com/products_review.php
[5] http://www.usatoday.com/tech/news/computersecurity/2004-12-13-security-usat_x.htm
[6] http://idtheft.about.com/od/dataandstat1/a/2006_breaches.htm
[7] http://www.tech-404.com/calculator.html
[8] http://www.snort.org/
[9] http://www.bro-ids.org/
[10] http://archives.neohapsis.com/archives/snort/2004-09/0200.html
[11] http://www.sans.edu/resources/securitylab/ron_gula_interview.php
[12] http://www.sans.edu/resources/securitylab/321.php
[13] http://www.sans.edu/resources/securitylab/petersen_log_manage.php
[14] See note 13 above.
[15] http://www.sans.org/training/description.php?tid=310
[16] http://www.sans.org/training/description.php?tid=552