carleton university school of computer science exposure maps: removing reliance on attribution...

Carleton University School of Computer Science

Exposure Maps: Removing Reliance on Attribution During Scan

Detection

David Whyte, P.C. van Oorschot, Evangelos Kranakis


Outline

• Scanning detection challenges• Problems with attribution-based detection techniques

• Exposure Maps• Experimental Results• Conclusions


Scanning Detection Challenges

• Sophisticated scanning techniques– Slow– Fragmented– Idle– Distributed (Botnet)

• I detected a scan – Was it successful? – What did it reveal?

• Volume of Internet “whitenoise”– Backscatter– Worm propagation (known)– Network diagnostics– Web spiders– Wrong numbers


Attribution-based Scanning Detection

• Variety of scanning detection techniques– Observing connection failures– Abnormal network behavior– Connections to darkspace– Increased connection attempts

• Majority of these rely on correlating scanning activity based on the perceived last-hop

• Focus of detection is who is scanning instead of what is being scanned


Shifting Focus

• Attribution is not practical for an increasing number of sophisticated scanning techniques

• Focus on attribution overlooks critical components of any observed scanning campaign:– What are my adversaries looking for?– Has the network behavior changed as a result of being scanned?

• Exemplar technique: Exposure Maps


Exposure Maps (1/2)

• Passively observe network traffic (training period)

• Ignore network traffic initiated from the inside

• Record only internal system responses to external events such as:– TCP: SYN ACK– TCP: RST– UDP: IP pairs list– ICMP: echo reply, host not found, time exceeded


Exposure Maps (2/2)

• Host Exposure Map (HEM)– Visible and enumerated services– Externally visible interface of an individual host

• Network Exposure Map (NEM)– Union of HEMS in a target network – Externally visible interface of the network

• Let your adversaries do the vulnerability scanning for you!


Host Description TCP Ports UDP Ports

10.0.0.1 Mail/DNS/HTTP Server

22, 25, 80, 993, 631

53

10.0.0.2 DNS/HTTP Server 22, 80, 443 53

10.0.0.3 SSH Server 22

Sample NEM (proof-of-concept)

• Test network size: 1/4 Class C• Test period: two weeks • NEM was stable within 12 hours of the testing period


Scan Detection

• Incoming connection is defined as any atomic TCP connection, UDP or ICMP datagram

• A connection attempt to a host/port combo outside of the NEM is considered a scan and recorded

• No connection state tracking required


Post-Scan Detection Activities

• Monitor changes in the NEM– Validate new services offered– Unexpected changes in the NEM may indicate compromise

• Monitor changes in network scanning activity– Spikes in scanning activity may indicate a new exploit

• Attribution is possible post-scan detection for most unsophisticated and certain classes of sophisticated scanning activity


Detected Scanning Activity


Conclusions

• Shifting focus away from attribution during scan detection may provide a means to detect sophisticated scanning campaigns

• The true insight that can be gained by scanning detection is not who is scanning you but what are they scanning for?


Discussion …..

[email protected]


Observed Sophisticated Scanning

• “Slice and dice” recorded scans using a variety of attributes

• Slow Scan - pcanywhere ~ 15 min intervals

• Possible distributed scan - 6 systems from the same class C network and scanning footprint


Exposures vs. Scanning Activity

• Network scanning possibilities • In practice: |NEM| < |A| < |E|

carleton university school of computer science exposure maps: removing reliance on attribution...

Documents