Carleton University School of Computer Science
Exposure Maps: Removing Reliance on Attribution During Scan
Detection
David Whyte, P.C. van Oorschot, Evangelos Kranakis
Outline
• Scanning detection challenges
• Problems with attribution-based detection techniques
• Exposure Maps
• Experimental Results
• Conclusions
Scanning Detection Challenges
• Sophisticated scanning techniques
  – Slow
  – Fragmented
  – Idle
  – Distributed (Botnet)
• I detected a scan
  – Was it successful?
  – What did it reveal?
• Volume of Internet “whitenoise”
  – Backscatter
  – Worm propagation (known)
  – Network diagnostics
  – Web spiders
  – Wrong numbers
Attribution-based Scanning Detection
• Variety of scanning detection techniques
  – Observing connection failures
  – Abnormal network behavior
  – Connections to darkspace
  – Increased connection attempts
• Majority of these rely on correlating scanning activity based on the perceived last-hop
• Focus of detection is who is scanning instead of what is being scanned
Shifting Focus
• Attribution is not practical for an increasing number of sophisticated scanning techniques
• Focus on attribution overlooks critical components of any observed scanning campaign:
  – What are my adversaries looking for?
  – Has the network behavior changed as a result of being scanned?
• Exemplar technique: Exposure Maps
Exposure Maps (1/2)
• Passively observe network traffic (training period)
• Ignore network traffic initiated from the inside
• Record only internal system responses to external events such as:
  – TCP: SYN ACK
  – TCP: RST
  – UDP: IP pairs list
  – ICMP: echo reply, host not found, time exceeded
Exposure Maps (2/2)
• Host Exposure Map (HEM)
  – Visible and enumerated services
  – Externally visible interface of an individual host
• Network Exposure Map (NEM)
  – Union of HEMs in a target network
  – Externally visible interface of the network
• Let your adversaries do the vulnerability scanning for you!
Sample NEM (proof-of-concept)

| Host | Description | TCP Ports | UDP Ports |
|---|---|---|---|
| 10.0.0.1 | Mail/DNS/HTTP Server | 22, 25, 80, 993, 631 | 53 |
| 10.0.0.2 | DNS/HTTP Server | 22, 80, 443 | 53 |
| 10.0.0.3 | SSH Server | 22 | (none) |

• Test network size: 1/4 Class C
• Test period: two weeks
• NEM was stable within 12 hours of the testing period
Scan Detection
• Incoming connection is defined as any atomic TCP connection, UDP or ICMP datagram
• A connection attempt to a host/port combo outside of the NEM is considered a scan and recorded
• No connection state tracking required
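The detection rule above, as an added example (not code from the slides or the authors' implementation): a NEM is learned from internal responses during the training period, and each incoming attempt whose host/port is outside it is recorded as a scan, with no connection state kept. The 10.0.0.0/24 monitored prefix, the `Packet` tuple and all sample traffic are constructed for this example.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport proto flags")  # flags: TCP flags or ICMP type
INTERNAL_PREFIX = "10.0.0."   # assumed monitored network (the slides used 1/4 of a class C)

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def is_exposure_response(p):
    """Internal system response to an external event, per the slide's list."""
    if not (is_internal(p.src) and not is_internal(p.dst)):
        return False                      # only inside -> outside traffic is a response
    if p.proto == "tcp":
        return p.flags in ("SA", "R")     # SYN ACK or RST
    if p.proto == "udp":
        return True                       # any UDP reply: record the host/port pair
    return p.proto == "icmp" and p.flags in ("echo-reply", "host-not-found", "time-exceeded")

def exposure_key(host, proto, port):
    return (host, proto, None if proto == "icmp" else port)   # ICMP exposure is per host

def build_nem(training):  # passive training period; NEM = union of all host exposures (HEMs)
    return {exposure_key(p.src, p.proto, p.sport) for p in training if is_exposure_response(p)}

def detect_scans(nem, packets):
    """Stateless: each incoming TCP SYN, UDP datagram or ICMP datagram is one attempt."""
    scans = []
    for p in packets:
        if is_internal(p.src) or not is_internal(p.dst):
            continue                      # outbound or transit traffic is ignored
        if p.proto == "tcp" and p.flags != "S":
            continue                      # only a fresh SYN counts as a connection attempt
        key = exposure_key(p.dst, p.proto, p.dport)
        if key not in nem:
            scans.append((p.src, key))    # host/port outside the NEM: record as a scan
    return scans

TRAINING = [  # constructed responses observed during the training period
    Packet("10.0.0.1", 80, "198.51.100.7", 51000, "tcp", "SA"),
    Packet("10.0.0.1", 53, "198.51.100.7", 40000, "udp", ""),
    Packet("10.0.0.3", 22, "203.0.113.9", 51001, "tcp", "SA"),
    Packet("10.0.0.3", None, "203.0.113.9", None, "icmp", "echo-reply"),
    Packet("10.0.0.1", 40001, "203.0.113.9", 80, "tcp", "S")]   # inside-initiated: ignored
INCOMING = [  # constructed traffic seen after the NEM has stabilised
    Packet("198.51.100.7", 51002, "10.0.0.1", 80, "tcp", "S"),   # in NEM
    Packet("198.51.100.7", 51003, "10.0.0.2", 22, "tcp", "S"),   # scan: host never responded
    Packet("203.0.113.9", 51004, "10.0.0.3", 23, "tcp", "S"),    # scan: port not exposed
    Packet("203.0.113.9", None, "10.0.0.3", None, "icmp", "echo-request"),   # in NEM
    Packet("203.0.113.9", 51005, "10.0.0.3", 22, "tcp", "A")]    # not a connection attempt
```

Running `detect_scans(build_nem(TRAINING), INCOMING)` yields the two attempts on 10.0.0.2:22 and 10.0.0.3:23; the first is a scan of a host that never responded, the second a probe of an unexposed port on a known host.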
Post-Scan Detection Activities
• Monitor changes in the NEM
  – Validate new services offered
  – Unexpected changes in the NEM may indicate compromise
• Monitor changes in network scanning activity
  – Spikes in scanning activity may indicate a new exploit
• Attribution is possible post-scan detection for most unsophisticated and certain classes of sophisticated scanning activity
Detected Scanning Activity
Conclusions
• Shifting focus away from attribution during scan detection may provide a means to detect sophisticated scanning campaigns
• The true insight to be gained from scan detection is not who is scanning you but what they are scanning for
Observed Sophisticated Scanning
• “Slice and dice” recorded scans using a variety of attributes
• Slow scan: pcAnywhere probes at ~15 min intervals
• Possible distributed scan: 6 systems from the same class C network with the same scanning footprint
Exposures vs. Scanning Activity
• Network scanning possibilities
• In practice: |NEM| < |A| < |E|