Mitigating Worm Attacks
EVENING SEMINAR
Deniz Kaya
New Horizons Bulgaria
Agenda
• Introduction
• Experience
• Incident Response
• Worm Mitigation Reaction Methodology
• Tools and Techniques
• Applying the tools to Enterprise Environment
• Appendix
Introduction
• Internet worms have had a severe impact on many enterprise
customers. Recently developed tools and architectural techniques can
be employed to assist with the mitigation of worm activity in an
enterprise environment.
• Here we will speak about:
– A conceptual overview of worm mitigation techniques
– Details for deployment of these techniques into an overall solution
for enterprise customers
• This seminar was prepared from a solution standpoint. It is primarily
designed to provide a tool kit for dealing with the issue of Internet
worms within an enterprise environment. Although this is the primary
motivation, the overall solution has application well beyond this
primary purpose and additionally provides capability for detecting and
responding to other security incidents.
Experience
• The techniques described here were originally developed for large
Internet service providers (ISPs) and have been adapted for use in
enterprise environments. They are well-understood and mature
technologies, now applied in a new way to solve a new problem.
• Cisco uses the same techniques on its own network to defend against a
range of malicious activity, including worms and other security incidents.
Incident Response
• An organization’s internal operational processes are a critical aspect of dealing
with any security incident.
The overall goal of an incident response process is to maintain business operations.
Incident Response
Preparation
• Preparation is not itself a phase of the formal incident response process, but
the following items must be in place before a security incident occurs. Having
response procedures ready is what allows an efficient response during an actual
incident.
– The Cisco Network Consulting Engineers suggest the following preparatory
steps:
• Develop a clear understanding of the organization’s primary business and IT
resources.
• Arrange for 24x7 access to someone who can authorize business decisions
during a security incident.
• Establish open lines of communication. Operations groups need to know the
key contacts within the organization.
• Collect links to Internet sites that provide up-to-date and reliable details of
security threats and Internet worm activity, such
as www.dshield.org, www.securityfocus.com, and bugtraq.
• Maintain updated contact details for your ISP or ISPs.
Incident Response:
Triage: Initial Analysis and Response
• The first phase of incident response is to verify that the event is an actual
security incident, such as an attack or worm event. In some cases, what looks like
an incident turns out to be the result of scheduled maintenance activity.
• After the event is confirmed, take quick action to limit the damage. Doing so
might entail steps such as turning off a device or removing a device from the
network. However, any actions taken need to be in line with maintaining
business continuity.
• During the process, communicate with other relevant parties within the
organization. For example, stay in touch with relevant management and legal
contacts.
Incident Response:
Analysis
• The second phase is analysis. Determine the scope of the incident: the number of
devices, data, and other resources affected.
• In some cases, it might be necessary to perform a traceback to the origin of the
attack; this activity might involve working through your ISP.
• Measure the impact.
• The results of this analysis will help determine the most appropriate reaction
techniques for the specific incident.
Incident Response:
Reaction
• The reaction phase involves some action to counter the attack. Each situation
dictates the action to be taken: widely deploying access control lists (ACLs) in a
worm event; restoring a device to normal operation by reloading the OS from the
original media and restoring data from backups after a server compromise; or
changing any static passwords because they might have been compromised. In some
situations an entirely reasonable response is to do nothing.
• Generally, the highest priority is to regain full business operations. In many
cases it is less important to spend time finding the perpetrator of the attack.
Incident Response:
Post-Mortem
• A post-mortem involves a full, in-depth analysis of the event and of the response
to it. The goal is to determine what can be done to build resistance and prevent
this type of attack from happening again; essentially, learning from the
experience.
• The post-mortem is a step that is often ignored. It is critical that it is not
forgotten.
Worm Mitigation Reaction Methodology
• The following phases should be worked through when responding to a worm incident:
– Containment
– Inoculation
– Quarantine
– Treatment
– Planning
Worm Mitigation Reaction Methodology:
Containment
• The first stage of the reaction process is to contain the spread of the worm
inside the network. Compartmentalization, a core principle of the SAFE
Blueprint from Cisco, is key because it allows isolation of parts of the network
that are not yet infected.
Worm Mitigation Reaction Methodology:
Inoculation
• The inoculation phase involves patching all systems. If the appropriate
signature files or plug-ins are available for tools such as OpenVAS, it is
worthwhile to start scanning the network for vulnerable systems. This activity
might allow operations staff to find vulnerable systems before they become
infected.
• During a worm crisis, there are three types of systems in your network:
– Patched systems
– Unpatched systems
– Infected systems
• Inoculating uninfected systems is imperative and usually happens in parallel
with the quarantine and treatment phases.
Worm Mitigation Reaction Methodology:
Quarantine
• The quarantine phase involves finding each infected machine and disconnecting,
removing, or blocking it from the network so that it cannot infect other
unpatched machines. To achieve this goal, the infected systems need to be isolated
and quarantined.
• Later in this seminar we will outline tools such as remote-triggered black hole
routing. This technique allows the rapid isolation of infected machines, limiting
their capability to spread the infection.
Worm Mitigation Reaction Methodology:
Treatment
• The treatment phase involves the cleaning and the patching of each infected
system. Some worms might require complete reinstallations of the core system
to ensure that the machine is clean.
Worm Mitigation Reaction Methodology:
Planning
• All of this activity requires planning prior to a worm event. When these events
occur, reaction time is critical, and these processes need to be in place. It is
strongly recommended that every organization plan the reaction methodology
ahead of the next crisis.
Tools and Techniques
• It is important to view the following techniques as a tool kit. There is currently no simple
guaranteed solution for dealing with these types of security incidents.
• The main tools we will discuss here are:
• Features
– ACLs
– NetFlow and NetFlow export
– Unicast Reverse Path Forwarding (uRPF)
– Routing protocols such as remote-triggered black hole filtering, also known as
remote-triggered black hole routing
• Products
– Cisco routers and switches
– NetFlow collectors
– Arbor Networks Peakflow X and Peakflow DoS
• Many other products and features can be used as security tools. Here we discuss
only a subset of them, to help you orient yourself.
Tools and Techniques:
ACLs
• ACLs as Security Tools
ACLs serve a dual purpose as security tools. They provide:
– A mechanism to permit or deny traffic
– A mechanism to detect certain traffic types
The use of ACLs to permit or deny traffic is a well-understood and well-documented
security feature. In terms of worm mitigation, ACLs are likely to play a key role
in preventing the spread of a worm by blocking its attack vector, usually a TCP or
UDP port. Remember that blocking a port network-wide also blocks every legitimate
use of that service, so the business impact of the filter has to be weighed against
the impact of the worm.
Tools and Techniques:
ACLs (Cont.)
• Using ACLs as a Detection Tool
– The most common technique when using ACLs as a detection tool is to configure the
router as a pseudo packet sniffer. To do so, apply an ACL that consists only of
permit statements, one per protocol or port of interest, with a final permit ip any
any so that nothing is blocked. The counters in the ACL entries then show how the
traffic is distributed and which protocol types are potential culprits. Because the
counters are cumulative, compare snapshots taken a known interval apart (or reset
them with clear access-list counters) so that you are looking at rates rather than
totals.
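To put the counters to use, here is an added Python example (not part of the seminar) that parses two snapshots of IOS show access-lists output for a classification ACL and ranks the entries by match rate rather than by raw total. The ACL name WORM-CLASSIFY, the snapshot contents and the five-minute interval are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the format of IOS "show access-lists" for a
# classification ACL (every entry is a permit, so it blocks nothing). The two
# snapshots are assumed to be five minutes apart. Not captured from a real device.
SNAPSHOT_T0 = """\
Extended IP access list WORM-CLASSIFY
    10 permit tcp any any eq 135 (1200 matches)
    20 permit tcp any any eq 445 (3100 matches)
    30 permit udp any any eq 1434 (7 matches)
    40 permit icmp any any echo (1 match)
    50 permit icmp any any
    60 permit ip any any (880000 matches)
"""

SNAPSHOT_T1 = """\
Extended IP access list WORM-CLASSIFY
    10 permit tcp any any eq 135 (61200 matches)
    20 permit tcp any any eq 445 (3350 matches)
    30 permit udp any any eq 1434 (7 matches)
    40 permit icmp any any echo (71 matches)
    50 permit icmp any any (4 matches)
    60 permit ip any any (882000 matches)
"""

INTERVAL_SECONDS = 300

# "<seq> permit|deny <rule> (<n> match|matches)"; IOS omits the parenthesised
# counter entirely while an entry has never matched.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+((?:permit|deny)\b.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def parse_counters(text: str) -> Dict[int, Tuple[str, int]]:
    """Map ACE sequence number -> (ACE text, cumulative match count)."""
    entries: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # ACL header line or something we do not parse
        seq, ace, count = int(m.group(1)), m.group(2), int(m.group(3) or 0)
        entries[seq] = (ace, count)
    return entries


def rank_by_rate(before: Dict[int, Tuple[str, int]],
                 after: Dict[int, Tuple[str, int]],
                 interval_s: float) -> List[Tuple[float, int, str]]:
    """Rank ACEs by matches per second between two snapshots, highest first."""
    ranked = []
    for seq, (ace, now) in after.items():
        then = before.get(seq, (ace, 0))[1]
        delta = now - then
        if delta < 0:
            # Counter was cleared ("clear access-list counters") or wrapped
            # between snapshots; the new value is the best estimate we have.
            delta = now
        ranked.append((delta / interval_s, seq, ace))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


def top_suspect(before_text: str, after_text: str,
                interval_s: float = INTERVAL_SECONDS) -> Tuple[int, str, float]:
    """Return (seq, ACE text, matches/s) of the fastest-growing entry."""
    rate, seq, ace = rank_by_rate(parse_counters(before_text),
                                  parse_counters(after_text), interval_s)[0]
    return seq, ace, rate


if __name__ == "__main__":
    for rate, seq, ace in rank_by_rate(parse_counters(SNAPSHOT_T0),
                                       parse_counters(SNAPSHOT_T1),
                                       INTERVAL_SECONDS):
        print(f"{rate:9.2f}/s  seq {seq:<3} {ace}")
```

Sorted by raw total the catch-all permit ip any any always wins; sorted by rate over the interval, the port 135 entry stands out at 200 matches per second while everything else is in single digits, which is the signal the classification ACL is there to give.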
Tools and Techniques:
ACLs (Cont.)
• VLAN ACLs
– VLAN access control lists (VACLs) operate somewhat like router-based
ACLs. They are a means to apply access control to packets bridged within a
VLAN or routed between VLANs. In terms of worm mitigation, VACLs allow
access control to be applied at the access layer, including host-to-host
traffic inside a VLAN that a router ACL never sees.
– VACLs use the same Access Control Entry (ACE) format used by router-
based ACLs. The permit and deny statements based on Layer 2-4 header
information are used to determine what traffic to permit and to deny.
VACLs have no sense of direction, unlike router-based ACLs, which are
applied on either an inbound or outbound basis. VACLs apply to traffic at
both ingress and egress.
Tools and Techniques:
NetFlow
• NetFlow is used as the foundational technology for obtaining traffic flow
information across a network. A flow is defined by seven unique keys: source IP
address, destination IP address, source port, destination port, Layer 3 protocol
type, ToS byte, and input logical interface (ifIndex).
• By observing traffic flows across the network, it is possible to see events that
might be malicious. Some events cause high traffic volumes, such as a denial of
service (DoS) attack; others are more subtle. In either case, observation of the
flow information can detect these events.
Tools and Techniques:
NetFlow (Cont.)
• NetFlow has the capability of performing a flow export function. In this case, all
expired flow information is sent to a collector. Collectors could be a number of
devices, including a Cisco NetFlow Collector, CFLOWD tools, OSU flow-tools
(CFLOWD Successor), or the Arbor Networks collector.
Tools and Techniques:
NetFlow (Cont.)
• The current NetFlow cache is also available via the command-line interface (CLI)
of the router with show ip cache flow. The sample output shown in the seminar (not
reproduced here) had two clients infected with the Blaster worm scanning for other
systems to infect: many one-packet TCP flows from each client to consecutive
destination addresses, all with destination port 0087. Ports and protocol numbers
in this output are hexadecimal; 0x87 equals 135, the DCOM RPC port Blaster
exploited.
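As an added example (not from the seminar), the following Python parses lines in the show ip cache flow format, decodes the hexadecimal protocol and port fields, and flags sources that open many one- or two-packet flows to the same port on many different hosts, the pattern the Blaster output showed. The cache lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed lines in the format of IOS "show ip cache flow" (not captured
# from a real router). Protocol and ports are hex: 06 = TCP, 11 = UDP,
# 0087 = 135 (DCOM RPC, the port Blaster scans), 0050 = 80, 0035 = 53.
SAMPLE_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.4.21       Fa0/1         10.2.0.1        06 0C1F 0087     1
Fa0/0         10.1.4.21       Fa0/1         10.2.0.2        06 0C20 0087     1
Fa0/0         10.1.4.21       Fa0/1         10.2.0.3        06 0C21 0087     1
Fa0/0         10.1.4.21       Fa0/1         10.2.0.4        06 0C22 0087     1
Fa0/0         10.1.4.21       Fa0/1         10.2.0.5        06 0C23 0087     1
Fa0/0         10.1.7.9        Fa0/1         10.2.1.10       06 0411 0087     1
Fa0/0         10.1.7.9        Fa0/1         10.2.1.11       06 0412 0087     1
Fa0/0         10.1.7.9        Fa0/1         10.2.1.12       06 0413 0087     2
Fa0/0         10.1.7.9        Fa0/1         10.2.1.13       06 0414 0087     1
Fa0/0         10.1.2.2        Fa0/1         10.2.9.9        06 0C00 0050    42
Fa0/0         10.1.2.2        Fa0/1         10.2.9.9        06 0C01 0050    37
Fa0/0         10.1.3.3        Fa0/1         10.2.9.1        06 0D11 0087    18
Fa0/0         10.1.5.5        Fa0/1         10.2.0.53       11 0400 0035     1
Fa0/0         10.1.5.5        Fa0/1         10.2.0.54       11 0401 0035     1
"""

FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flows(text: str) -> List[Tuple[str, str, str, int, int, int, int]]:
    """Parse cache lines into (src_if, src, dst, proto, sport, dport, pkts)."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # column header or other non-flow line
        src_if, src, _dst_if, dst, proto, sport, dport, pkts = m.groups()
        flows.append((src_if, src, dst, int(proto, 16),
                      int(sport, 16), int(dport, 16), int(pkts)))
    return flows


def find_scanners(text: str, min_targets: int = 4,
                  max_pkts_per_flow: int = 2) -> Dict[str, Dict[str, object]]:
    """Flag sources that open many tiny flows to one port on many hosts.

    A worm probing for vulnerable hosts produces one short flow per target
    (often a single SYN, since most targets do not answer); a real client
    produces a few long flows to a few servers.
    """
    targets = defaultdict(set)   # (src, proto, dport) -> distinct destinations
    total = defaultdict(int)     # (src, proto, dport) -> flows seen
    short = defaultdict(int)     # (src, proto, dport) -> flows with few packets
    for _src_if, src, dst, proto, _sport, dport, pkts in parse_flows(text):
        key = (src, proto, dport)
        targets[key].add(dst)
        total[key] += 1
        if pkts <= max_pkts_per_flow:
            short[key] += 1
    scanners: Dict[str, Dict[str, object]] = {}
    for key, dsts in targets.items():
        src, proto, dport = key
        if len(dsts) >= min_targets and short[key] >= 0.9 * total[key]:
            scanners[src] = {"proto": PROTO_NAMES.get(proto, str(proto)),
                             "port": dport, "targets": len(dsts)}
    return scanners


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_CACHE).items():
        print(f"{src} scanning {info['proto']}/{info['port']} "
              f"({info['targets']} targets)")
```

The thresholds are deliberately low so the constructed sample triggers; on a real cache you would raise min_targets well into the tens. Note that 10.1.3.3 also talks to port 135 but with one long flow to one host, which is what legitimate RPC looks like, and it is not flagged.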
Tools and Techniques:
NetFlow Deployment
• NetFlow monitors an interface’s ingress traffic only. Therefore, to obtain a full
picture of bidirectional flow information, NetFlow must be enabled on enough
interfaces that every flow is captured on the interface where it enters the router,
in both directions of the conversation.
Tools and Techniques:
NetFlow Deployment (Cont.)
• Performance Impact
– NetFlow will have some performance impact. The largest dependency
from a performance perspective is the number of flows. The performance
impact needs to be assessed on a case-by-case basis. In worst-case
scenarios, router upgrades might be required.
• Collection Tools
– There are many options for collecting exported NetFlow information. A
commercial option is the Cisco CNS NetFlow Collection Engine. This can be
deployed on a number of platforms, including Solaris, HP UX, and Linux.
– Freeware tools are also available. The OSU flow-tools from Ohio State
University are essentially the successor of CFLOWD and are available at:
http://www.splintered.net/sw/flow-tools/
• Exporting and Analyzing Flow Information for Anomalies
– The Arbor Networks Peakflow section that follows describes how the Arbor
Peakflow products consume exported NetFlow and integrate into the overall
solution.
Tools and Techniques:
Arbor Networks Peakflow
• Peakflow Overview
• The detection and recognition of an attack or a security event is a critical
component of any security solution.
• Although IDSs provide detection capability, most of them are still signature-
based and therefore of limited benefit until a signature for the new worm exists.
Cisco itself has used the Arbor Peakflow DoS anomaly detection system to
successfully detect and mitigate several worms.
Tools and Techniques:
Arbor Networks Peakflow (Cont.)
• Arbor offers two solutions to this problem.
– Peakflow DoS
• The primary application of Peakflow DoS is the detection of external
threats and events, making this product widely deployed by ISPs. For
enterprises, using Peakflow DoS to detect the presence of an external
security event (an event outside the firewall) is key to being in a
position to quickly secure the network "internally" from the threat.
• In the context of this solution, Peakflow DoS would be used as a tool
used to monitor traffic outside an organization’s firewall.
– Peakflow X
• The primary application of Peakflow X is the detection of internal
threats and events. Peakflow X provides an internal anomaly detection
solution through relational modeling of the enterprise’s internal
network.
• In the context of this solution, Peakflow X provides a detailed
visualization of the application-level conversations inside an enterprise
network.
Tools and Techniques:
Arbor Networks Peakflow (Cont.)
• Placement of the Arbor Collectors
– Both Arbor Peakflow X and Peakflow DoS use a collector and controller architecture.
The Arbor collector receives the flow records exported from the routers. Multiple
routers can export flow information to a single collector. A controller sits in the
hierarchy above the collectors, consolidates the information from them, and
provides the Web interface.
Tools and Techniques:
Sinkholes
• A sinkhole is a multifaceted security tool: essentially, a portion of the network
that is designed to accept and analyze attack traffic.
• In the first sinkhole application, a publicly accessible Web server is the target of
either a DoS or DDoS attack. In the seminar diagram (not reproduced here), server
WWW1 is unavailable due to the attack. Additionally, the extremely high traffic
volume has saturated links and routers, making server WWW2 unavailable as well.
Tools and Techniques:
Sinkholes (Cont.)
• The sinkhole is then used to pull the attack traffic destined for WWW1 away from
the target, so that the saturated links and WWW2 recover.
• A sinkhole is also a useful tool for analyzing an attack. The sinkhole router can
forward the attack traffic to a back-end switch where a network analyzer, such as a
sniffer or Ethereal (now Wireshark), can be used to look at the details of the
attack.
Tools and Techniques:
Sinkholes – Monitoring the Worm Propagation
– A sinkhole can also be deployed to monitor for worm propagation internally
within an enterprise: the sinkhole announces the unused (dark) address space, so
a scanning host that probes addresses nobody uses ends up talking to the sinkhole.
Although this example specifically illustrates the application of a sinkhole for
detecting worm propagation, monitoring the bogon and dark IP address space can
also detect other, usually malicious, activity.
Tools and Techniques:
Sinkholes – Backscatter Traffic
• Packets with unreachable destinations, including those routed to the router’s
null0 interface, cause an Internet Control Message Protocol (ICMP) unreachable
message to be sent back to the source address (unless unreachables are disabled on
that interface with no ip unreachables, which is the usual practice for Null0 on
black hole routers). This "unreachable noise" is known as backscatter. A sinkhole
is likely to draw in a substantial amount of backscatter traffic. This is
particularly true for Internet-based sinkholes.
Backscatter traffic on the Internet is often the result of large-scale DoS or DDoS
attacks in which spoofed source addresses have been used: the replies go to whoever’s
address was spoofed, and when the spoofed addresses fall in the space the sinkhole
announces, the sinkhole sees them.
Tools and Techniques:
Sinkholes – Deployment Option 1
• In this scenario, the target router (on the right of the seminar diagram) might be
a low-cost device, possibly a Cisco 2600 or 3600 series router. Its primary purpose
is to gather and export NetFlow information for the traffic that arrives in the
sinkhole.
• Routing announcements for the bogon and dark IP address space can be made
from either the target router or the sinkhole gateway.
Tools and Techniques:
Sinkholes – Deployment Option 2
• The second design option uses some form of dedicated high-speed router.
• A second Ethernet interface should be available on this router for both
NetFlow export and dedicated Simple Network Management Protocol (SNMP)
polling.
As in the first option, bogon and dark IP address space is announced from the sinkhole
router, preferably via the redistribution of static routes. The static routes use a
bogus next hop on the sinkhole segment, and a static ARP entry binds that next hop to
a MAC address so the traffic is pushed onto the switched network. For example (the /3
below was unallocated space when this seminar was written and has long since been
allocated, so generate the routes from a current bogon list rather than hard-coding
them):
ip route 96.0.0.0 224.0.0.0 192.0.2.200
arp 192.0.2.200 0000.0c12.3456 arpa
Tools and Techniques:
Black Hole Routing
• A black hole routing scheme is based on the concept of forwarding traffic to
null0. The technique achieves a similar result to an ACL based on destination
address. However, because the technique occurs directly in the forwarding (or
Cisco Express Forwarding) path, it achieves a dropping function with no
performance impact.
Tools and Techniques:
Remote-Triggered Black Hole Routing
• Although black hole routing is an effective technique for dropping traffic at line
rates, we need to add remote trigger capability. This is achieved with two
steps.
• The first step is to configure a route for an unused prefix to null0. This needs to
be configured on every router that should drop the black-holed traffic, typically
the edge routers.
For example: ip route 192.0.2.0 255.255.255.0 Null0
192.0.2.0/24 is the TEST-NET-1 block reserved for documentation (RFC 5737). It is
never allocated to anyone, so it is safe to use as the black hole next hop.
• In the second step, Border Gateway Protocol (BGP) is used to propagate
information about a prefix we want to black hole.
Tools and Techniques:
Remote-Triggered Black Hole Routing
• After the trigger router is in place, a configuration like the one below is
typically used to announce the prefixes that should be black holed. Adding a static
route for the victim or infected host with tag 66 is enough to trigger the drop on
every edge router. In practice the route-map also sets community no-export so the
black hole prefixes never leave the AS, and note that the permit 20 clause
redistributes every other static route on the trigger router into BGP unchanged, so
keep that router free of unrelated statics.
router bgp 999
 ...
 redistribute static route-map STATIC-TO-BGP
 ...
!
route-map STATIC-TO-BGP permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 50
 set origin igp
!
route-map STATIC-TO-BGP permit 20
!
...
ip route 171.xxx.xxx.1 255.255.255.255 Null0 tag 66
!
Tools and Techniques:
Dropping on Source Address
• One of the criteria for remote-triggered black hole routing to be effective as a
security tool is the ability to drop traffic based on both destination address and
source addresses.
• A second scenario requiring a mitigation technique is one in which spoofed
source addresses are used. The worms of the time, such as SQL Slammer and
Blaster, propagated using the host’s real IP address, but nothing prevents other
worms from spoofing, so the scenario needs to be accommodated. There is no reason
that any host should ever send out a packet with a source address other than the
one assigned to it, and packets with illegitimate source addresses should be
dropped at the first router hop.
Tools and Techniques:
Dropping on Source Address
• Unicast RPF in Strict Mode:
If a packet is received on an interface, a route to that packet’s source address
must exist and point back through the same interface on which the packet was
received. If it does not, the packet fails the RPF check and is dropped. Strict
mode belongs on interfaces with a single symmetric path, such as access and
customer-facing edges; on links with asymmetric routing it drops legitimate
traffic.
interface FastEthernet2/0
ip address 192.xxx.xxx.50 255.255.255.0
ip verify unicast reverse-path
Tools and Techniques:
Dropping on Source Address
• Unicast RPF in Loose Check Mode
In the case of loose check, the only requirement is that the source address
must appear in the router’s Cisco Express Forwarding table. If no route exists,
or the route points to null0, the packet is dropped. By default the default route
does not satisfy the check; the allow-default keyword changes that.
interface FastEthernet2/0
ip address 192.xxx.xxx.50 255.255.255.0
ip verify unicast source reachable-via any
Tools and Techniques:
Dropping on Source Address
• Selective Remote Traffic Dropping
The previous sections on NetFlow and sinkholes provided a set of techniques
for identifying infected machines and listed a variety of abnormal behaviors
that might represent a security incident. When an infected machine or security
event is identified, the operations staff has the option of black holing the
device: adding a tagged /32 static route on the trigger router propagates a Null0
route for that host to every edge router, which drops traffic to the host and,
where loose-mode uRPF is enabled, traffic from it as well.
ip route xxx.xx.xxx.242 255.255.255.255 Null0 tag 66
ip route xxx.xx.xxx.204 255.255.255.255 Null0 tag 66
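The three uRPF behaviours above (strict, loose, and loose combined with a tagged /32 Null0 route) can be hard to reason about from the configuration alone, so here is an added Python model, not part of the seminar or of any Cisco software, that performs the longest-prefix lookup and applies each mode's rule to a constructed FIB. The interface names, prefixes and the infected host address are assumptions made for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

NULL0 = "Null0"
Fib = List[Tuple[ipaddress.IPv4Network, str]]

# Constructed FIB for an edge router (not from a real device). 10.1.4.21/32
# and 192.0.2.0/24 point to Null0: the first is an infected host pushed out
# by the RTBH trigger router, the second is the unused TEST-NET block that
# every RTBH next hop resolves to.
SAMPLE_FIB: Fib = [(ipaddress.ip_network(p), i) for p, i in [
    ("0.0.0.0/0",    "Serial0/0"),   # default towards the ISP
    ("10.1.0.0/16",  "Fa0/0"),       # campus
    ("10.2.0.0/16",  "Fa0/1"),       # data centre
    ("10.1.4.21/32", NULL0),         # black-holed infected host
    ("192.0.2.0/24", NULL0),         # RTBH next-hop block
]]


def lookup(fib: Fib, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match; returns (prefix, egress interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(fib: Fib, ingress: str, src: str, mode: str,
                 allow_default: bool = False) -> bool:
    """Model the uRPF decision on one ingress interface for one source.

    strict: a route to src must exist and point back out the ingress
            interface (ip verify unicast reverse-path).
    loose:  a route to src must exist anywhere in the FIB
            (ip verify unicast source reachable-via any).
    In both modes a route to Null0 fails the check, which is what turns a
    /32 Null0 route into a source-address drop. The default route is
    ignored unless allow_default is set (the allow-default keyword).
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if iface == NULL0:
        return False
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


if __name__ == "__main__":
    cases = [
        ("Fa0/0", "10.1.5.5", "strict"),       # legitimate campus host
        ("Fa0/1", "10.1.5.5", "strict"),       # campus address arriving from DC
        ("Fa0/1", "10.1.5.5", "loose"),        # same packet, loose mode
        ("Fa0/0", "10.1.4.21", "loose"),       # black-holed infected host
        ("Serial0/0", "203.0.113.7", "loose"), # only the default route matches
    ]
    for ingress, src, mode in cases:
        verdict = "pass" if urpf_permits(SAMPLE_FIB, ingress, src, mode) else "drop"
        print(f"{mode:6} {ingress:9} src {src:13} -> {verdict}")
```

The fourth case is the one that matters for this section: once the trigger router has pushed 10.1.4.21/32 to Null0, loose-mode uRPF on Fa0/0 drops the infected host's outbound packets even though the prefix it lives in is perfectly valid. The last case shows why loose mode on an ISP-facing interface usually needs allow-default, otherwise every source known only via the default route is dropped.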
Tools and Techniques:
Private VLANs
• Private VLANs are a technique for providing Layer 2 isolation of hosts within a
VLAN. This technique can improve the security posture of a network by
isolating servers that do not need to communicate with each other. From a
security standpoint, if one server were to become infected with a worm, its
inability to communicate with other servers would prevent the spread. In this
case, each server would be attached to an isolated port.
Tools and Techniques:
Other Quarantine Techniques
• Port control using scripting
• Policy-based routing
• Web Cache Communication Protocol
• MAC addresses
• 802.1x
• Remote access
Appendix
• Aggregated Bogon List
http://www.cymru.com/Bogons/index.html
• Freeware Tools
– http://www.net-snmp.org/
– http://www.cpan.org/
– http://oss.oetiker.ch/mrtg/
– http://oss.oetiker.ch/rrdtool/
– http://www.splintered.net/sw/flow-tools/
– http://net.doit.wisc.edu/~plonka/FlowScan/
Q and A

More Related Content

PDF
Ceh v5 module 19 evading ids firewall and honeypot
PDF
Password Attacks.pdf
DOC
Dynamic Web Development Report by Frederico Costa
PDF
Open mic activity logging
PDF
Operating system Definition Structures
PPTX
Overview-of-an-IT-Audit-Lesson-1.pptx
PPTX
DVWA(Damn Vulnerabilities Web Application)
DOCX
Crime report
Ceh v5 module 19 evading ids firewall and honeypot
Password Attacks.pdf
Dynamic Web Development Report by Frederico Costa
Open mic activity logging
Operating system Definition Structures
Overview-of-an-IT-Audit-Lesson-1.pptx
DVWA(Damn Vulnerabilities Web Application)
Crime report

What's hot (20)

PPTX
Online voting system presentation slide (1)
PDF
apply problem solve.pdf
PDF
CISA Domain 1 - IS Auditing (day 1)
PPT
Network analysis and design unite_-i.ppt
PPTX
Android based crime manage system proposal
PDF
Ceh v5 module 08 denial of service
PPTX
QR-code based attendance system
PPTX
Phishing simulation exercises
PPTX
Cyber security
PDF
Parking lotproject
PPTX
Software Configuration Management
PPTX
IAB203.1.2015-Week-6_nc.pptx
PPT
PPTX
The Stuxnet Virus FINAL
PDF
090317 社内勉強会資料「担当者のコトバに振り回されるな!」
PPTX
Packet sniffers
PDF
Stepwise Project planning in software development
PPTX
Cybercrime in Nigeria - Technology and Society
PDF
Web Application Design
PPTX
Information System Architecture and Audit Control Lecture 1
Online voting system presentation slide (1)
apply problem solve.pdf
CISA Domain 1 - IS Auditing (day 1)
Network analysis and design unite_-i.ppt
Android based crime manage system proposal
Ceh v5 module 08 denial of service
QR-code based attendance system
Phishing simulation exercises
Cyber security
Parking lotproject
Software Configuration Management
IAB203.1.2015-Week-6_nc.pptx
The Stuxnet Virus FINAL
090317 社内勉強会資料「担当者のコトバに振り回されるな!」
Packet sniffers
Stepwise Project planning in software development
Cybercrime in Nigeria - Technology and Society
Web Application Design
Information System Architecture and Audit Control Lecture 1
Ad

Viewers also liked (15)

PPT
Computer viruses
PDF
Setting up CSIRT
PDF
Ceh v5 module 16 virus and worms
PDF
The Stuxnet Worm creation process
PPTX
Microsoft Days 09 Windows 2008 Security
PPT
Intrusion Discovery on Windows
PPT
Hacking Cisco Networks and Countermeasures
PPT
Sniffing SSL Traffic
PPT
Mitigating Layer2 Attacks
PPT
Implementing Cisco AAA
PPT
Implementing 802.1x Authentication
PPT
Cisco Switch Security
PPT
Cisco Ccna Certification
PPTX
Ccna security
PPT
Ironport Data Loss Prevention
Computer viruses
Setting up CSIRT
Ceh v5 module 16 virus and worms
The Stuxnet Worm creation process
Microsoft Days 09 Windows 2008 Security
Intrusion Discovery on Windows
Hacking Cisco Networks and Countermeasures
Sniffing SSL Traffic
Mitigating Layer2 Attacks
Implementing Cisco AAA
Implementing 802.1x Authentication
Cisco Switch Security
Cisco Ccna Certification
Ccna security
Ironport Data Loss Prevention
Ad

Similar to Mitigating worm attacks (20)

PPTX
Incident Response
PDF
A theoretical superworm
PPT
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
PDF
Incident response, Hacker Techniques and Countermeasures
PPTX
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
PDF
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
PPTX
Pace IT - Threats & Vulnerabilities Mitigation
PPTX
IT Security Basics For Managers
PDF
The Aftermath: You Have Been Attacked! So what's next?
PPT
Capabilities of Cyber-Trerrorists - POTENTIAL ATTACKS - Possibility, Likelyho...
PPT
CCNA_Security_01Mod-security-ciscopk.ppt
DOCX
The Maple County court is redesigning its network to ensure more secu.docx
PDF
Managing A Network Vulnerability Assessment 1st Edition Thomas R Peltier
PPT
Event - Internet Thailand - Total Security Perimeters
PDF
Today's Breach Reality, The IR Imperative, And What You Can Do About It
DOCX
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
PDF
CNIT 121: 2 IR Management Handbook
PDF
CNIT 50: 9. NSM Operations
Incident Response
A theoretical superworm
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
Incident response, Hacker Techniques and Countermeasures
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
Today's Cyber Challenges: Methodology to Secure Your Business
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
Pace IT - Threats & Vulnerabilities Mitigation
IT Security Basics For Managers
The Aftermath: You Have Been Attacked! So what's next?
Capabilities of Cyber-Trerrorists - POTENTIAL ATTACKS - Possibility, Likelyho...
CCNA_Security_01Mod-security-ciscopk.ppt
The Maple County court is redesigning its network to ensure more secu.docx
Managing A Network Vulnerability Assessment 1st Edition Thomas R Peltier
Event - Internet Thailand - Total Security Perimeters
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
CNIT 121: 2 IR Management Handbook
CNIT 50: 9. NSM Operations

Mitigating worm attacks

  • 1. Mitigating Worm Attacks EVENING SEMINAR Deniz Kaya New Horizons Bulgaria
  • 2. Agenda • Introduction • Experience • Incident Response • Worm Mitigation Reaction Methodology • Tools and Techniques • Applying the tools to Enterprise Environment • Appendix
  • 3. Introduction • Internet worms have had a severe impact on many enterprise customers. Recently developed tools and architectural techniques can be employed to assist with the mitigation of worm activity in an enterprise environment. • Here we will speak about: – A conceptual overview of worm mitigation techniques – Details for deployment of these techniques into an overall solution for enterprise customers • This seminar was prepared from a solution standpoint. It is primarily designed to provide a tool kit for dealing with the issue of Internet worms within an enterprise environment. Although this is the primary motivation, the overall solution has application well beyond this primary purpose and additionally provides capability for detecting and responding to other security incidents.
  • 4. Experience • The techniques described here were originally developed for large Internet service providers (ISPs) and have been adapted for use in enterprise environments. They are well-understood and mature technologies, now applied in a new way to solve a new problem. • Cisco uses the same techniques on its own network to defend against a range of malicious activity, including worms and other security incidents.
  • 5. Incident Response • An organization’s internal operational processes are a critical aspect of dealing with any security incident. The overall goal of an incident response process is to maintain business operations.
  • 6. Incident Response Preparation • Although preparation is not part of the formal incident response process, here are some techniques that must be in place prior to the occurrence of a security incident. Having response procedures in place facilitates efficient response during an actual incident. – The Cisco Network Consulting Engineers suggest the following preparatory steps: • Develop a clear understanding of the organization’s primary business and IT resources. • Arrange for 24x7 access to someone who can authorize business decisions during a security incident. • Establish open lines of communication. Operations groups need to know the key contacts within the organization. • Collect links to Internet sites that provide up-to-date and reliable details of security threats and Internet worm activity, such as www.dshield.org, www.securityfocus.com, and bugtraq. • Maintain updated contact details for your ISP or ISPs.
  • 7. Incident Response: Triage: Initial Analysis and Response • The first phase of incident response is to verify that the event is an actual security incident, such as an attack or worm event. In some cases, an incident could be the result of scheduled maintenance activities. • After the event is confirmed, take quick action to limit the damage. Doing so might entail steps such as turning off a device or removing a device from the network. However, any actions taken need to be in line with maintaining business continuity. • During the process, communicate with other relevant parties within the organization. For example, stay in touch with relevant management and legal contacts.
  • 8. Incident Response: Analysis • The second phase is the analysis phase. • Next, determine the scope of the incident-the number of devices, data, and other resources affected. • In some cases, it might be necessary to perform a traceback to the origin of the attack; this activity might involve working through your ISP. • Measure the impact. • The results of this analysis will help determine the most appropriate reaction techniques for the specific incident.
  • 9. Incident Response: Reaction • The reaction phase involves some action to counter the attack. Each situation will dictate the action to be taken, such as widely deploying access control lists (ACLs) in a worm event; restoring a device to normal operation by reloading the OS from the original media and restoring data from backups in a server compromise; or changing any static passwords because they might have been compromised-and an entirely reasonable response in some situations might be to do nothing. • Generally, the highest priority is to regain full business operations. In many cases it is often less important to spend time finding the perpetrator of the attack.
  • 10. Incident Response: Post-Mortem • A post-mortem involves a full, in-depth analysis of the event and the response to the event. The goal is to determine what can be done to build resistance and prevent this type of attack from happening again-essentially, learning from the experience. • The post-mortem is a step that is often ignored. It is critical that it is not forgotten.
• 11. Worm Mitigation Reaction Methodology
  • The following procedures should be followed when responding to a worm incident:
    – Containment
    – Inoculation
    – Quarantine
    – Treatment
    – Planning
• 12. Worm Mitigation Reaction Methodology: Containment
  • The first stage of the reaction process is to contain the spread of the worm inside the network. Compartmentalization, a core principle of the SAFE Blueprint from Cisco, is key because it allows isolation of parts of the network that are not yet infected.
• 13. Worm Mitigation Reaction Methodology: Inoculation
  • The inoculation phase involves patching all systems. If the appropriate signature files or plug-ins are available for tools such as OpenVAS, it is worthwhile to start scanning the network for vulnerable systems. This activity might allow operations staff to find vulnerable systems before they become infected.
  • During a worm crisis, there are three types of systems in your network:
    – Patched systems
    – Unpatched systems
    – Infected systems
  • Inoculating uninfected systems is imperative and usually happens in parallel with the quarantine and treatment phases.
• 14. Worm Mitigation Reaction Methodology: Quarantine
  • The quarantine phase involves finding each infected machine and disconnecting, removing, or blocking it from the network to prevent it from infecting other unpatched machines. To achieve this goal, the infected systems need to be isolated and quarantined.
  • Later in this seminar we will outline tools such as remote-triggered black hole routing. This technique allows the rapid isolation of infected machines, limiting their capability to spread the infection.
• 15. Worm Mitigation Reaction Methodology: Treatment
  • The treatment phase involves the cleaning and the patching of each infected system. Some worms might require a complete reinstallation of the core system to ensure that the machine is clean.
• 16. Worm Mitigation Reaction Methodology: Planning
  • All of this activity requires planning prior to a worm event. When these events occur, reaction time is critical, and these processes need to be in place. It is strongly recommended that every organization plan the reaction methodology ahead of the next crisis.
• 17. Tools and Techniques
  • It is important to view the following techniques as a tool kit. There is currently no simple guaranteed solution for dealing with these types of security incidents.
  • The main tools we will discuss here are:
    • Features
      – ACLs
      – NetFlow and NetFlow export
      – Unicast Reverse Path Forwarding (uRPF)
      – Routing-protocol techniques such as remote-triggered black hole filtering, also known as remote-triggered black hole routing
    • Products
      – Cisco routers and switches
      – NetFlow collectors
      – Arbor Networks Peakflow X and Peakflow DoS
  • There are many other products and features that can be used as security tools. Here we cover only a subset of them, to help you get oriented.
• 18. Tools and Techniques: ACLs (Cont.)
  • ACLs as Security Tools
    ACLs serve a dual purpose as security tools. They provide:
    – A mechanism to permit or deny traffic
    – A mechanism to detect certain traffic types
    The use of ACLs to permit or deny traffic is a well-understood and well-documented security feature. In terms of worm mitigation, ACLs are likely to play a key role in preventing the spread of a worm by blocking its attack vector, usually a TCP or UDP port.
• 19. Tools and Techniques: ACLs (Cont.)
  • Using ACLs as a Detection Tool
    – The most common technique when using ACLs as a detection tool is to configure the router as a pseudo packet sniffer. To do so, use an ACL with a series of permit statements to provide a view of the traffic flow. The counters in the ACL entries can then be used to find which protocol types are potential culprits.
• 20. Tools and Techniques: ACLs
  • VLAN ACLs
    – VLAN access control lists (VACLs) operate somewhat like router-based ACLs. They are a means to apply access control to packets bridged within a VLAN or routed between VLANs. In terms of worm mitigation, VACLs allow access control to be applied directly to the access port.
    – VACLs use the same Access Control Entry (ACE) format used by router-based ACLs. The permit and deny statements based on Layer 2-4 header information are used to determine what traffic to permit and to deny. VACLs have no sense of direction, unlike router-based ACLs, which are applied on either an inbound or outbound basis. VACLs apply to traffic at both ingress and egress.
• 21. Tools and Techniques: NetFlow
  • NetFlow is used as the foundational technology for obtaining traffic flow information across a network. A flow is defined by seven unique keys: source IP address, destination IP address, source port, destination port, Layer 3 protocol type, ToS byte, and input logical interface (ifIndex).
  • By observing traffic flows across the network, it is possible to see events that might be malicious. Some events might cause high traffic volumes, such as a denial of service (DoS) attack; others might be more subtle. In any case, observation of the flow information can detect these events.
• 22. Tools and Techniques: NetFlow (Cont.)
  • NetFlow has the capability of performing a flow export function. In this case, all expired flow information is sent to a collector. Collectors could be any of a number of devices, including a Cisco NetFlow Collector, CFLOWD tools, OSU flow-tools (the CFLOWD successor), or the Arbor Networks collector.
• 23. Tools and Techniques: NetFlow
  • The current NetFlow information is also available via the command-line interface (CLI) of the router. The sample output on the slide shows two clients infected with the Blaster worm that are scanning for other systems to infect. Note: 0x87 equals port 135 (highlighted in pink in the slide output).
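As an added example (not part of the seminar or of Cisco's tooling), the following Python parses NetFlow v5 export datagrams into the seven-key flows described above and flags sources that open flows to many distinct hosts on TCP/135, the pattern the Blaster output on the slide shows. The datagram, addresses and the threshold of four targets are constructed for illustration.

```python
"""Parse NetFlow v5 export datagrams and flag hosts sweeping TCP/135 (Blaster-style)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format: a 24-byte header followed by up to 30 records of 48 bytes.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
TCP = 6


def parse_v5(datagram):
    """Return one dict per flow record in a NetFlow v5 export datagram."""
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            # The seven keys that define a flow: addresses, ports, protocol, ToS, input ifIndex.
            "src": IPv4Address(f[0]), "dst": IPv4Address(f[1]),
            "sport": f[9], "dport": f[10], "proto": f[13], "tos": f[14], "ifindex": f[3],
            "packets": f[5], "octets": f[6], "tcp_flags": f[12],
        })
    return flows


def find_scanners(flows, dport=135, min_targets=4):
    """Sources with TCP flows toward at least min_targets distinct hosts on dport."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["dport"] == dport:
            targets[f["src"]].add(f["dst"])
    return {str(s): len(d) for s, d in targets.items() if len(d) >= min_targets}


def make_record(src, dst, sport, dport, proto):
    """Pack one constructed record: a single 48-byte SYN, ifIndex 1 in / 2 out, ToS 0, /24 masks."""
    return RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2, 1, 48,
                       0, 0, sport, dport, 0, 0x02, proto, 0, 0, 0, 24, 24, 0)


def sample_datagram():
    """Constructed export: two hosts sweeping TCP/135 plus a few legitimate flows."""
    recs = [make_record("10.1.1.20", "10.2.0.%d" % n, 1024 + n, 135, TCP) for n in range(1, 7)]
    recs += [make_record("10.1.1.77", "10.3.0.%d" % n, 2048 + n, 135, TCP) for n in range(1, 6)]
    recs += [make_record("10.1.1.5", "10.9.0.10", 3000, 135, TCP),   # one RPC call to a DC
             make_record("10.1.1.5", "10.9.0.80", 3001, 80, TCP),
             make_record("10.1.1.6", "10.9.0.80", 3002, 80, TCP)]
    header = HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(recs)


if __name__ == "__main__":
    for host, n in find_scanners(parse_v5(sample_datagram())).items():
        print("%s opened flows to %d distinct hosts on tcp/135" % (host, n))
```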
• 24. Tools and Techniques: NetFlow Deployment (Cont.)
  • NetFlow monitors an interface's ingress traffic only. Therefore, to obtain a full picture of bidirectional flow information, NetFlow must be deployed such that all ingress and egress flows are captured.
• 25. Tools and Techniques: NetFlow Deployment (Cont.)
  • Performance Impact
    – NetFlow will have some performance impact. The largest dependency from a performance perspective is the number of flows. The performance impact needs to be assessed on a case-by-case basis. In worst-case scenarios, router upgrades might be required.
  • Collection Tools
    – There are many options for collecting exported NetFlow information. A commercial option is the Cisco CNS NetFlow Collection Engine. This can be deployed on a number of platforms, including Solaris, HP-UX, and Linux.
    – Freeware tools are also available. The OSU flow-tools from Oregon State University are essentially the successor of CFLOWD and are available at: http://www.splintered.net/sw/flow-tools/
  • Exporting and Analyzing Flow Information for Anomalies
    – The Arbor Networks Peakflow section provides further details of how the Arbor Peakflow products integrate into the overall solution.
  • Additional NetFlow Information
• 26. Tools and Techniques: Arbor Networks Peakflow (Cont.)
  • Peakflow Overview
  • The detection and recognition of an attack or a security event is a critical component of any security solution.
  • Although IDSs provide detection capability, most of them are still signature-based, and therefore of limited benefit in these situations. Cisco itself has used the Arbor Peakflow DoS anomaly detection system to successfully detect and mitigate several worms.
• 27. Tools and Techniques: Arbor Networks Peakflow (Cont.)
  • Arbor offers two solutions to this problem.
    – Peakflow DoS
      • The primary application of Peakflow DoS is the detection of external threats and events, making this product widely deployed by ISPs. For enterprises, using Peakflow DoS to detect the presence of an external security event (an event outside the firewall) is key to being in a position to quickly secure the network "internally" from the threat.
      • In the context of this solution, Peakflow DoS would be used to monitor traffic outside an organization's firewall.
    – Peakflow X
      • The primary application of Peakflow X is the detection of internal threats and events. Peakflow X provides an internal anomaly detection solution through relational modeling of the enterprise's internal network.
      • In the context of this solution, Peakflow X provides a detailed visualization of the application-level conversations inside an enterprise network.
• 28. Tools and Techniques: Arbor Networks Peakflow (Cont.)
  • Placement of the Arbor Collectors
    – Both Arbor Peakflow X and Peakflow DoS use a collector and controller architecture. The Arbor collector receives the flow records exported from the routers. Multiple routers can export flow information to a single collector. A controller provides a Web interface, sits in the hierarchy above the collectors, and generally consolidates the information from the collectors.
• 29. Tools and Techniques: Sinkholes (Cont.)
  • A sinkhole is a multifaceted security tool; essentially, a portion of the network that is designed to accept and analyze attack traffic.
  • In the first sinkhole application, a publicly accessible Web server is the target of either a DoS or DDoS attack. In the diagram, server WWW1 is unavailable due to the attack. Additionally, the extremely high traffic volume has saturated links and routers, making server WWW2 unavailable as well.
• 30. Tools and Techniques: Sinkholes (Cont.)
  • Here we can see how a sinkhole can be used to pull attack traffic destined for WWW1 away from the target.
  • A sinkhole is also a useful tool for analyzing an attack. The sinkhole router can be used to forward the attack traffic to a back-end switch where a network analyzer, such as a sniffer or Ethereal, can be used to look at the details of the attack.
• 31. Tools and Techniques: Sinkholes – Monitoring the Worm Propagation
  – Here we can see how a sinkhole can be deployed to monitor for worm propagation internally within an enterprise. Although this example specifically illustrates the application of a sinkhole for detecting worm propagation, monitoring the bogon and dark IP address space can also detect other, usually malicious, activity.
• 32. Tools and Techniques: Sinkholes – Backscatter Traffic
  • Packets with unreachable destinations, including the router null0 interface, will have an Internet Control Message Protocol (ICMP) unreachable message sent back to the source address. This "unreachable noise" is known as backscatter. A sinkhole is likely to draw in a substantial amount of backscatter traffic. This is particularly true for Internet-based sinkholes. Backscatter traffic on the Internet is often the result of large-scale DoS or DDoS attacks in which spoofed source addresses have been used.
• 33. Tools and Techniques: Sinkholes – Deployment Option 1
  • In this scenario, the target router on the right might be a low-cost device, possibly a Cisco 2600 or 3600 series router. Its primary purpose is to gather and export NetFlow information.
  • Routing announcements for the bogon and dark IP address space can be made from either the target router or the sinkhole gateway.
• 34. Tools and Techniques: Sinkholes – Deployment Option 2
  • The second design option uses some form of dedicated high-speed router.
  • A second Ethernet interface should be available on this router for both NetFlow export and dedicated Simple Network Management Protocol (SNMP) polling. As in the first option, bogon and dark IP address space is announced from the sinkhole router, preferably via the redistribution of static routes. The static routes will use a bogus next hop and a static ARP entry to push traffic onto the switched network:
      ip route 96.0.0.0 63.255.255.255 192.0.2.200
      ip arp 192.0.2.200 0000.0c12.3456 arpa
• 35. Tools and Techniques: Black Hole Routing
  • A black hole routing scheme is based on the concept of forwarding traffic to null0. The technique achieves a similar result to an ACL based on destination address. However, because the technique occurs directly in the forwarding (or Cisco Express Forwarding) path, it achieves a dropping function with no performance impact.
• 36. Tools and Techniques: Remote-Triggered Black Hole Routing
  • Although black hole routing is an effective technique for dropping traffic at line rates, we need to add remote trigger capability. This is achieved with two steps.
  • The first step is to configure an unused route to null0. This needs to be configured on all routers that will act as remote-triggered black hole routers. For example:
      ip route 192.0.2.0 255.255.255.0 Null0
    192.0.2.0/24 is an unused address block called the Test-Net. As such, it is not publicly allocated and is often used for this application.
  • In the second step, Border Gateway Protocol (BGP) is used to propagate information about a prefix we want to black hole.
• 37. Tools and Techniques: Remote-Triggered Black Hole Routing
  • After the trigger router is in place, a configuration like the one below is typically used to announce the prefixes that should be black holed.
      router bgp 999
       ...
       redistribute static route-map STATIC-TO-BGP
       ...
      !
      route-map STATIC-TO-BGP permit 10
       match tag 66
       set ip next-hop 192.0.2.1
       set local-preference 50
       set origin igp
      !
      route-map STATIC-TO-BGP permit 20
      !
      ...
      ip route 171.xxx.xxx.1 255.255.255.255 Null0 tag 66
      !
• 38. Tools and Techniques: Dropping on Source Address
  • One of the criteria for remote-triggered black hole routing to be effective as a security tool is the ability to drop traffic based on both destination and source addresses.
  • A second scenario requiring a mitigation technique is one in which spoofed source addresses are used. With recent worms, such as SQL Slammer and Blaster, the host's real IP address is used to propagate the worm. This is not to say that other worms might not use spoofed addresses. As such, the scenario needs to be accommodated. There is no reason that any host should ever send out a packet with an address other than what was assigned to it. Any packets being sent out with illegitimate source addresses should be dropped at the first router hop.
• 39. Tools and Techniques: Dropping on Source Address
  • Unicast RPF in Strict Mode: If a packet is received on an interface, a route to that packet's source address must be available back through the same interface on which the packet was received. If this route does not exist, the packet fails the RPF check and is dropped.
      interface FastEthernet2/0
       ip address 192.xxx.xxx.50 255.255.255.0
       ip verify unicast reverse-path
• 40. Tools and Techniques: Dropping on Source Address
  • Unicast RPF in Loose Check Mode: In the case of loose check, the only requirement is that the source address must appear in the router's Cisco Express Forwarding table. If the route does not exist or it has a destination of null0, the packet is dropped.
      interface FastEthernet2/0
       ip address 192.xxx.xxx.50 255.255.255.0
       ip verify unicast source reachable-via any
• 41. Tools and Techniques: Dropping on Source Address
  • Selective Remote Traffic Dropping: The previous sections on NetFlow and sinkholes provided a set of techniques for identifying infected machines and listed a variety of abnormal behaviors that might represent a security incident. When an infected machine or security event is identified, the operations staff has the option of black holing the device.
      ip route xxx.xx.xxx.242 255.255.255.255 Null0 tag 66
      ip route xxx.xx.xxx.204 255.255.255.255 Null0 tag 66
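To make the strict/loose distinction and its interaction with black-holed hosts concrete, here is an added Python model (not from the seminar or from Cisco) that evaluates packet sources against a constructed FIB containing a quarantined /32 to Null0 like the routes above. The addresses and interfaces are invented, and the treatment of the default route mirrors the IOS allow-default keyword, which is my assumption about the relevant behaviour rather than something the slides state.

```python
"""Model strict and loose uRPF decisions against a small constructed FIB."""
from ipaddress import ip_address, ip_network

NULL0 = "Null0"

# Constructed FIB: (prefix, outgoing interface). The /32 to Null0 is a black-holed
# infected host, the kind of route injected with "ip route ... Null0 tag 66".
FIB = [
    (ip_network("10.1.0.0/16"), "FastEthernet2/0"),   # directly attached LAN
    (ip_network("10.2.0.0/16"), "FastEthernet2/1"),   # another internal site
    (ip_network("10.1.7.242/32"), NULL0),             # quarantined infected host
    (ip_network("0.0.0.0/0"), "Serial0/0"),           # default route toward the upstream
]


def rpf_lookup(src, allow_default=False):
    """Longest-prefix match for a source; the default route only counts with allow-default (assumed)."""
    a = ip_address(src)
    matches = [(n, ifc) for n, ifc in FIB if a in n and (n.prefixlen > 0 or allow_default)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf(src, in_ifc, mode, allow_default=False):
    """True if a packet from src arriving on in_ifc passes the check; mode is 'strict' or 'loose'."""
    ifc = rpf_lookup(src, allow_default)
    if ifc is None or ifc == NULL0:
        return False              # no route, or a route to the black hole: dropped in both modes
    if mode == "strict":
        return ifc == in_ifc      # must be reachable back through the arrival interface
    return True                   # loose: any real route in the FIB is enough


if __name__ == "__main__":
    for src in ["10.1.5.9", "10.2.5.9", "10.1.7.242", "198.51.100.7"]:
        print(src, "strict:", urpf(src, "FastEthernet2/0", "strict"),
              "loose:", urpf(src, "FastEthernet2/0", "loose"))
```

The second address shows the operational caveat: a legitimately routed but asymmetrically arriving source fails strict mode while passing loose mode, which is why strict mode belongs on access edges and loose mode where routing is asymmetric.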
• 42. Tools and Techniques: Private VLANs
  • Private VLANs are a technique for providing Layer 2 isolation of hosts within a VLAN. This technique can improve the security posture of a network by isolating servers that do not need to communicate with each other. From a security standpoint, if one server were to become infected with a worm, its inability to communicate with other servers would prevent the spread. In this case, each server would be attached to an isolated port.
• 43. Tools and Techniques: Other Quarantine Techniques
  • Port control using scripting
  • Policy-based routing
  • Web Cache Communication Protocol
  • MAC addresses
  • 802.1x
  • Remote access
• 44. Appendix
  • Aggregated Bogon List
    http://www.cymru.com/Bogons/index.html
  • Freeware Tools
    – http://www.net-snmp.org/
    – http://www.cpan.org/
    – http://oss.oetiker.ch/mrtg/
    – http://oss.oetiker.ch/rrdtool/
    – http://www.splintered.net/sw/flow-tools/
    – http://net.doit.wisc.edu/~plonka/FlowScan/

Editor's Notes

  • #8: The first phase of incident response is to verify that the event is an actual security incident, such as an attack or worm event. In some cases, an incident could be the result of scheduled maintenance activities. After the event is confirmed, take quick action to limit the damage. Doing so might entail steps such as turning off a device or removing a device from the network. However, any actions taken need to be in line with maintaining business continuity. During the process, communicate with other relevant parties within the organization. For example, stay in touch with relevant management and legal contacts.
  • #9: The second phase is the analysis phase. A key part of this process is incident classification, which involves understanding the type of attack and the damage it is causing. It is important to perform the analysis with as little impact as possible on business functions. Next, determine the scope of the incident: the number of devices, data, and other resources affected. It is important to look beyond the initially identified target, because the event might be more widespread than initially thought. In some cases, it might be necessary to perform a traceback to the origin of the attack; this activity might involve working through your ISP. In other cases, restoration of business operations might require priority over any traceback activities. Measure the impact: what are the resulting effects of the incident on the organization? Has the event caused a minor problem or has it caused a major impact to the business? The results of this analysis will help determine the most appropriate reaction techniques for the specific incident.
  • #11: As a simple example, if a network penetration occurred, it would be prudent to identify what vulnerability was used to obtain access, and then fix all occurrences of that vulnerability. Additionally, it should be determined whether the incident was detected in an acceptable time; if not, measures should be deployed to speed detection in the event of further incidents.