
Carleton University School of Computer Science

Exposure Maps: Removing Reliance on Attribution During Scan Detection

David Whyte, P.C. van Oorschot, Evangelos Kranakis


Outline

• Scanning detection challenges
• Problems with attribution-based detection techniques
• Exposure Maps
• Experimental Results
• Conclusions


Scanning Detection Challenges

• Sophisticated scanning techniques
– Slow
– Fragmented
– Idle
– Distributed (Botnet)

• I detected a scan
– Was it successful?
– What did it reveal?

• Volume of Internet “whitenoise”
– Backscatter
– Worm propagation (known)
– Network diagnostics
– Web spiders
– Wrong numbers


Attribution-based Scanning Detection

• Variety of scanning detection techniques
– Observing connection failures
– Abnormal network behavior
– Connections to darkspace
– Increased connection attempts

• The majority of these rely on correlating scanning activity based on the perceived last hop

• The focus of detection is who is scanning instead of what is being scanned


Shifting Focus

• Attribution is not practical for an increasing number of sophisticated scanning techniques

• Focus on attribution overlooks critical components of any observed scanning campaign:
– What are my adversaries looking for?
– Has the network behavior changed as a result of being scanned?

• Exemplar technique: Exposure Maps


Exposure Maps (1/2)

• Passively observe network traffic (training period)

• Ignore network traffic initiated from the inside

• Record only internal system responses to external events such as:
– TCP: SYN ACK
– TCP: RST
– UDP: IP pairs list
– ICMP: echo reply, host not found, time exceeded


Exposure Maps (2/2)

• Host Exposure Map (HEM)
– Visible and enumerated services
– Externally visible interface of an individual host

• Network Exposure Map (NEM)
– Union of the HEMs in a target network
– Externally visible interface of the network

• Let your adversaries do the vulnerability scanning for you!


Sample NEM (proof-of-concept)

Host       Description            TCP Ports              UDP Ports
10.0.0.1   Mail/DNS/HTTP Server   22, 25, 80, 993, 631   53
10.0.0.2   DNS/HTTP Server        22, 80, 443            53
10.0.0.3   SSH Server             22                     (none)

• Test network size: 1/4 Class C
• Test period: two weeks
• NEM was stable within 12 hours of the testing period


Scan Detection

• Incoming connection is defined as any atomic TCP connection, UDP or ICMP datagram

• A connection attempt to a host/port combo outside of the NEM is considered a scan and recorded

• No connection state tracking required


Post-Scan Detection Activities

• Monitor changes in the NEM
– Validate new services offered
– Unexpected changes in the NEM may indicate compromise

• Monitor changes in network scanning activity
– Spikes in scanning activity may indicate a new exploit

• Attribution is possible post-scan detection for most unsophisticated and certain classes of sophisticated scanning activity
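The training, detection and post-detection steps of slides 6, 7, 9 and 10 put together as one runnable example (added here; not the authors' code). The packet records, the `pkt` field names, the 10.0.0.0/24 monitored prefix and the `kind` labels are constructed assumptions; ICMP entries are keyed on port 0 since ICMP has no port.

```python
from collections import defaultdict

INTERNAL_PREFIX = "10.0.0."   # assumption: the monitored network (constructed)
# Internal-host responses the slides list as evidence of an exposed host/port.
RESPONSES = {"SYN-ACK", "RST", "udp-reply", "echo-reply", "host-unreachable", "time-exceeded"}
# Inbound atomic attempts (TCP SYN, UDP datagram, ICMP request) judged against the NEM.
ATTEMPTS = {"SYN", "udp", "echo-request"}

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def build_nem(packets):
    """Training: record only internal responses to external stimuli. A HEM is the
    set of (proto, port) a host answered on; the NEM maps host -> HEM (ICMP uses port 0)."""
    nem = defaultdict(set)
    for p in packets:
        if is_internal(p["src"]) and not is_internal(p["dst"]) and p["kind"] in RESPONSES:
            nem[p["src"]].add((p["proto"], p["sport"]))
    return dict(nem)

def detect_scans(nem, packets):
    """Any inbound attempt to a host/port pair outside the NEM is a scan; no
    connection state is tracked, each datagram is judged on its own."""
    scans = []
    for p in packets:
        if p["kind"] in ATTEMPTS and is_internal(p["dst"]) and not is_internal(p["src"]):
            if (p["proto"], p["dport"]) not in nem.get(p["dst"], set()):
                scans.append((p["src"], p["dst"], p["proto"], p["dport"]))
    return scans

def nem_changes(old, new):
    """Post-detection monitoring: exposures present in the new NEM but not the old one."""
    return {h: new[h] - old.get(h, set()) for h in new if new[h] - old.get(h, set())}

def pkt(src, sport, dst, dport, proto, kind):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "kind": kind}

# Constructed training traffic: 10.0.0.3 answers SSH and ping; its own outbound SYN is ignored.
TRAINING = [
    pkt("10.0.0.3", 22, "198.51.100.7", 40001, "tcp", "SYN-ACK"),
    pkt("10.0.0.3", 0, "198.51.100.7", 0, "icmp", "echo-reply"),
    pkt("10.0.0.3", 51000, "198.51.100.9", 80, "tcp", "SYN"),
]
# Constructed live traffic: a legitimate SSH connect, a probe of an unexposed port, a probe of a silent host.
LIVE = [
    pkt("198.51.100.8", 40002, "10.0.0.3", 22, "tcp", "SYN"),
    pkt("198.51.100.8", 40003, "10.0.0.3", 5631, "tcp", "SYN"),
    pkt("198.51.100.8", 40004, "10.0.0.9", 22, "tcp", "SYN"),
]
```

Running `detect_scans(build_nem(TRAINING), LIVE)` flags the last two probes and nothing else; diffing a later NEM against the trained one with `nem_changes` is the slide 10 check for unexpected new exposures.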


Detected Scanning Activity


Conclusions

• Shifting focus away from attribution during scan detection may provide a means to detect sophisticated scanning campaigns

• The true insight to be gained from scanning detection is not who is scanning you but what they are scanning for


Discussion

[email protected]


Observed Sophisticated Scanning

• “Slice and dice” recorded scans using a variety of attributes

• Slow scan: pcAnywhere, ~15 min intervals

• Possible distributed scan - 6 systems from the same class C network and scanning footprint


Exposures vs. Scanning Activity

• Network scanning possibilities
• In practice: |NEM| < |A| < |E|