[Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9

Jason Wallace jason.r.wallace at ...11827...
Thu Feb 3 09:59:18 EST 2011

On Wed, Feb 2, 2011 at 5:23 PM, Martin Holste <mcholste at ...11827...> wrote:
>> Yes, an infection is a failure. But we will always have failures. And you;ll have hosts that come in from the outside already infected. You MUST focus on CnC channels, I don't see any alternative.
> This is the key point.  We responded to over a thousand incidents last
> year alone, and in each case, AV had been completely overtaken (only
> even generating an alert about 1/3 of the time) and more than half of
> the cases were on fully patched machines.  This is IDS's core
> competency.  Packets will never lie (though you may misinterpret what
> they say).  The same cannot be said of anything on a host that may
> have been compromised.

Again I am not advocating completely ignoring malware or the CnC, but
it only works if the assets connects to a segment being monitored by
an IDS. In an organization where the majority of user assets are
mobile, a stationary monitoring solution is not adequate. We have
sales folks that might connect to the corporate network via VPN 2-3
times a month. I can't just write them off as lost. I have to
aggressively protect them and my network IDS isn't going to be able to
do that.

> The NSS testing is becoming increasingly irrelevant because exploits
> aren't actionable--infections are.  If I told you that you could have
> the choice between a magic blinking box that told you whenever a host
> was infected versus a box that told you whenever someone tried to
> infect a box, wouldn't you go with the first one?  Most orgs aren't

If we are talking plausible hypotheticals then I'd say... neither. I'd
take HIPS, Firewall, AV, and content filtering on a host built from a
standardized image with limited user rights and white-listed
executables with integrity checking and all managed under a
comprehensive vulnerability management program. I'm not saying that is
what I have, but if we are wishing that is what I'd want. That
combination will out protect any IDS you can buy with any ruleset you
can buy. And that will be true today and a year from now.

> interested in attempts--they're interested in break-ins.  The idea of
> detecting exploits via IDS comes from way back in the 90's when CnC
> channels (or malware) didn't really exist like they do now.  Your only
> chance then was to detect the break-in.  There's been a complete
> reversal in the last few years and now your only real chance is to
> detect the CnC channel because the exploit doesn't really exist like
> it did then.

I don't disagree with the first part of this, but I'm also not ready
to throw in the towel for "defense" and allocate those resources to
just cleaning up the mess created from a "resistance is futile"

> Exploit code is far more likely to be encrypted/encoded than check-in
> traffic (URL's at least).  It is almost impossible to write signatures
> to catch the exploits in the wild for anything more than the PoC
> examples or the kit-of-the-day.  So many SF and ET signatures look for

That is why writing to the vulnerability is preferred over writing to
the exploit. That mindset switch was made back around the 6000-7000
SID time frame.

> things like CLSID's for ActiveX objects, which will almost never hit
> on an actual exploit, because they will be heavily obfuscated with
> Javascript.  It's very unfortunate, because most Snort instances will
> be dropping packets because of the wasted cycles on those signatures,
> so they're missing the check-ins as well.  You can get far better
> results by running a handful of signatures to look for basic file
> types like executables, PDF, Flash, and Java, then matching those hits
> (which will be very numerous) with disreputable autonomous systems
> (AS's).

I agree, but again your area of coverage is very small when compared
to everywhere that asset can go. If we limit our view to our network,
then there is still a better way to catch this stuff than traditional
IDS. You touched on it a bit. Correlation. Take those two pieces of
information, combined with log and flow data from the hosts and a good
baseline traffic profile. You'll catch far more than just malware.
You'll catch insider abuse and data theft/loss as well. And for no
extra cost you'll find misconfigured systems/network gear too.

> I bet anyone on this list a case of beer that the next JAR
> file coming out of Latvia to their corporate network is a malware
> loader (no cheating please!).

1) Is that JAR on the white-list? No? I'm not overly worried about it then.

2) Oh how I wish I could just write areas of the globe off. In 10
seconds can think of 5 countries I would outright block at the edge if
I could. The problem is in a multi-billion dollar company with a
global sales presence you can't do that. Of those 5 countries I'd
write off, we have an office in 2 of them, so not everyone is afforded
the luxury of geographic blocking. I run all the IP based
known/possible bad host rules from the ET set. Most of the lists are
pretty good indicators of something that needs to be looked at, but
90'ish% of the hits we get from the RBN lists are for legitimate
business traffic.

> The other critical component to that is regarding Jason's point about
> off-network infections.  CnC check-ins are your only hope at that
> point--try to spot the already-infected devices so that they can be
> cleaned.  Since the host has already failed to defend itself, the
> network IDS is your last chance.

Yup that was my point. The host protecting its self is the PRIMARY
defense. Not IDS. Host based Content filtering, firewall, HIPS, AV ...
then network IDS. That puts IDS as the 5th level of protection. And it
only works when connected to the protected network.

> Both the Mandiant M-Trends and Verizon Data Breach Report each year
> have been illustrating how futile it is to expect to be able to defend
> all of your endpoints.  They do, however, show how damage isn't
> usually done for days or weeks after the initial infection, so if you
> can find the infected machines within a few business days, you've got
> a good chance of emerging unscathed (other than the re-images, of
> course).

That is interesting. I have not read either of those, but I definitely
will. Thanks.

Thanks for the response,

More information about the Snort-users mailing list