April 19, 2023
Copyright © 2007 Tenable Network Security, Inc. 1
Good and Bad Uses Of Vulnerability Data For IDS Event Correlation
Mostly Bad Uses Of Vulnerability Data For IDS Event Correlation
Introduction
The goal of this talk is to help those of us with network monitoring programs to understand the limits of IDS/VA correlation.
Introduction
-- OR --
Introduction
We all have purchased expensive SIM and IPS products and this will help you operate them better!
Introduction
I hope no-one needs to recode their software or strangle their sales guy after this …
IDS/VA is in lots of places already
• SIMs do it – Arcsight, Q1, Cisco MARS, Tenable, etc.
• IDS/IPS do it – Sourcefire, Lucid, NFR, etc.
• Threat Simulators do it – Skybox, RedSeal, etc.
• Pre/Post NAC looks a lot like this too
• Home grown applications !!!
  – Your MSPs and internal IT projects
Why listen to me?
• CTO/CEO and Co-Founder of Tenable
  – Nessus Vulnerability Scanner
  – Several monitoring & correlation products
• Founder of Network Security Wizards which made the Dragon Intrusion Detection System
• Director of Risk Mitigation at USi
• Consultant, pen-tester & security researcher for GTE, BBN and NSA
• Captain in USAF
Overview
• Basic VA/IDS Concepts
• Sources of Correlation Errors
• Multiple Vulnerability Scan Handling
• Under Emphasis of IDS events
• Operating System Based Correlation
• Why isn’t Patch Auditing and Passive Network Data used more?
• IDS/IPS configuration based on Vulns
• Latent Scanner Handicaps
• Questions and comments
Basic VA/IDS Concepts
• Why correlate at all?
  – Typical NIDS have imperfect knowledge of the networks they are watching
  – Most NIDS are not intrusion detection systems, but are instead attack and probe detection systems
  – A NIDS may give you hundreds of thousands of events per day (hour); correlating this with your known vulnerabilities can reduce this to a small handful
  – You can use the fact that your NIDS device has such a high false positive rate to justify VA scanning every day instead of once per quarter
Basic VA/IDS Concepts
Which describes you better?
• Want to see any and all possible attacks.
• Only responding to events which affect your business.
Basic VA/IDS Concepts
[Figure: animated network diagram built up over several slides; hosts marked "V" are the ones the scanner found vulnerable to the attack the IDS is reporting.]
IDS Says: “Nine Attacks!”
VA/IDS Says: “1 REAL attack”
Basic VA/IDS Concepts
Which is more accurate?
Your favorite:            Your favorite:
• IDS                     • Scanner
• IPS                     • PCI Scanning MSP
• UTM                     • Patch Tester
• NBAD                    • Agent
Basic VA/IDS Concepts
(rows: what the VA data says about the target; columns: what the IDS says about the event)

                       IDS False Positive             IDS 100% Accuracy            IDS False Negative
VA False Positive      Sends you a well qualified     Over-emphasizes a valid      Can’t help directly
                       event that is false!           IDS event
VA 100% Accuracy       Removes IDS false positive     Desired Alerting             Potentially reconfigure
                                                                                   the NIDS
VA False Negative      IDS events that are            IDS events are not           Can’t help directly
                       incorrect are not removed      emphasized
Sources of IDS/IPS FP/FN
• False Positives
  – Bad Signature
  – Good signature, but unexpected matching traffic
• False Negatives
  – No signature
    • Unknown attack/vuln
    • Can’t write a rule to look for it
  – Bypass detection with encoding
Sources of Vuln FP/FN
• False Positives
  – Bad Rule/Plugin/Check
  – Good Rule/Plugin/Check, but unexpected matching data or application
  – Back-porting of Daemons
    • Nessus “Paranoid” mode
Sources of Vuln FP/FN
• False Negatives
  – No signature
  – Didn’t scan that port
  – Didn’t use credentials
  – Didn’t scan that often
  – Back-porting of Daemons
    • Nessus “Paranoid” mode
  – Can’t perform a check for this
    • Credentialed vs. scanning
    • “We’d like you to develop a non-credentialed method to test for the new Daylight Savings Time patch”
Introduction
And even when it does work ….
Basic VA/IDS Concepts
The Security Grind
There is the human layer:
“Hey Joe, I think there is something wrong with our SIM!!!”
“Why do you say that?”
“According to this, we’ve just had several hundred successful Telnet and DNS attacks”
Sources of Correlation Errors
Simple Algorithm
1. Receive IDS event
2. “Lookup” to see if target is vuln
3. Launch missiles if real attack
Sources of Correlation Errors
• Magic “Lookup” functions
  – What is the correlation based on?
    • CVE, Bugtraq, Nessus ID, X-Force ID, etc.
  – Is it port and protocol specific?
  – How does it get updated?
    • IDS and vuln scanners get daily updates
    • How does the solution sync with this new data?
  – How correct is the code?
    • Does it accept “CVE” and “CAN”?
    • Does it handle multiple CVE/Bugtraq entries per vulnerability or IDS event?
Sources of Correlation Errors
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:13;)
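Added example, not from the deck and not Tenable's code: the "Simple Algorithm" (receive event, look up the target, alert) written out so the "magic lookup" failure modes above are visible. It parses the reference: options of the Snort rule quoted on this slide, folds CAN-/CVE-/bare identifiers onto one key so old and new spellings match, accepts several IDs per rule and per finding, and keys the vulnerability data by host, port and protocol while remembering which ports the scan actually probed, so "never scanned" comes back as unknown rather than as not vulnerable. The host addresses, the Finding/ScanResult structures and the scan contents are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed input: the Snort rule quoted on the slide (sid 1042). Everything
# else here (hosts, scan coverage, finding records) is made up for the example.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS view source via translate header"; flow:to_server,established; '
    'content:"Translate|3A| F"; nocase; reference:arachnids,305; '
    'reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; '
    'reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:13;)'
)

REF_RE = re.compile(r'reference:\s*([a-z]+)\s*,\s*([^;]+);', re.I)
CVE_RE = re.compile(r'^(?:CVE-|CAN-)?(\d{4}-\d{4,})$', re.I)


def normalize_ref(system, value):
    """Map one (system, value) reference onto a canonical key.

    "CAN-2000-0778", "CVE-2000-0778" and Snort's bare "2000-0778" are the same
    entry; a lookup that compares raw strings silently misses the match.
    Numeric IDs (Bugtraq, Nessus, X-Force, arachNIDS) lose any zero padding.
    """
    system, value = system.lower(), value.strip()
    if system == "cve":
        m = CVE_RE.match(value)
        return ("cve", ("CVE-" + m.group(1)) if m else value.upper())
    if value.isdigit():
        return (system, str(int(value)))
    return (system, value)


def rule_references(rule_text):
    """All references a rule carries, normalized. One rule, several IDs."""
    return {normalize_ref(s, v) for s, v in REF_RE.findall(rule_text)}


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    refs: set          # normalized (system, id) pairs; a finding can carry many


@dataclass
class ScanResult:
    probed: dict       # host -> set of (port, proto) the scan actually tested
    findings: list


def correlate(event, scan):
    """Classify an IDS event as 'confirmed', 'not_vulnerable' or 'unknown'.

    'unknown' is the honest answer when the scan never looked at that host or
    port. Collapsing it into 'not_vulnerable' is how a SIM learns to hide a
    real attack on "vulnerability #44 on port 55000" that was never scanned.
    """
    host, port, proto = event["dst"], event["dport"], event["proto"]
    wanted = rule_references(event["rule"])
    if not wanted:
        return "unknown", "rule carries no vulnerability references"
    tested = scan.probed.get(host)
    if tested is None:
        return "unknown", f"{host} was not in any scan"
    if (port, proto) not in tested:
        return "unknown", f"{host} {port}/{proto} was never scanned"
    for f in scan.findings:
        if (f.host, f.port, f.proto) == (host, port, proto) and f.refs & wanted:
            return "confirmed", "matched " + ", ".join(sorted(i for _, i in f.refs & wanted))
    return "not_vulnerable", f"{host} {port}/{proto} scanned, no matching finding"


# Constructed scan data: the scanner stored the old CAN form of the CVE and
# only ever probed two ports on 10.0.0.5 and one port on 10.0.0.6.
SCAN = ScanResult(
    probed={"10.0.0.5": {(80, "tcp"), (443, "tcp")}, "10.0.0.6": {(80, "tcp")}},
    findings=[Finding("10.0.0.5", 80, "tcp",
                      {normalize_ref("cve", "CAN-2000-0778"), normalize_ref("bugtraq", "1578")})],
)

EVENTS = [
    {"dst": "10.0.0.5", "dport": 80, "proto": "tcp", "rule": SNORT_RULE},    # confirmed
    {"dst": "10.0.0.6", "dport": 80, "proto": "tcp", "rule": SNORT_RULE},    # not_vulnerable
    {"dst": "10.0.0.5", "dport": 8080, "proto": "tcp", "rule": SNORT_RULE},  # unknown: port never scanned
    {"dst": "10.0.0.9", "dport": 80, "proto": "tcp", "rule": SNORT_RULE},    # unknown: host never scanned
]


def run(events=EVENTS, scan=SCAN):
    return [correlate(e, scan)[0] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["dst"], e["dport"], *correlate(e, SCAN))
```

The three-way verdict is the point: a SIM that only knows "vulnerable" and "not vulnerable" has no way to say "I never looked", and that is exactly the gap the next slides describe.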
Sources of Correlation Errors
• What happens when the META DATA is incorrect?
  – Advisories can have incorrect CVEs, Bugtraq IDs and so on
  – We’ve seen cases where the wrong CVE or Bugtraq reference is in the IDS signature
  – With 14,000+ plugins, we’ve made mistakes putting the wrong CVE, Bugtraq ID, etc. in Nessus scripts too
Sources of Correlation Errors
• Disparity in NIDS ports and Scanned Ports
• Few organizations scan all 65k TCP and UDP ports
• Few organizations scan for ALL available vulnerabilities
• So what happens if vulnerability #44 is on port 55000 but we never scanned for it?
Sources of Correlation Errors
• Disparity in NIDS rules and Scanner checks
• NIDS Rules are updated daily, and so are vuln scanner checks, but scans might not happen daily
• What happens when your NIDS starts to detect today’s attack-of-the-week but you have not scanned for it yet?
  – More on this in a moment …
Multiple Vulnerability Scans
• There is only one network.
• It might change.
• We scan it often to detect the change.
• Hopefully our VA/IDS solution is keeping up with the scans.
• More solutions are becoming available that detect network changes in order to drive scans.
Multiple Vulnerability Scans
• Very Cheap Model
  – No real correlation; VA data just presented when requested or invoked
• Cheap Models
  – Only the last scan is used for correlation
  – Vulnerabilities are not port/protocol centric
• Misleading Models
  – Vulnerabilities never get fixed
  – “point scans” magically fix other vulnerabilities
    • i.e. the monthly SSH scan didn’t find any FTP issues (it never looked), so the FTP issues get marked fixed
Multiple Vulnerability Scans
[Figure: timeline of the different scans run against one network: Patch Audit, Full Port Scan, SANS Top 20, Patch Verify Scan, DMZ Scan, DMZ Scan, Mail Scan, Mail Scan, Point Vuln Scan.]
Under Emphasis
• Basic idea
  – De-emphasize stuff I’m not affected by
  – Alert me if I’ve been attacked
• Problem
  – What if my vulnerability data isn’t as updated as my IDS data?
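Added example, not from the deck and not Tenable's code, covering both the "Multiple Vulnerability Scans" models and the Under Emphasis problem above. It merges a series of scans into one per-host, per-port, per-check-family picture in which a finding is only cleared by a later scan that actually re-tested it (so the monthly SSH point scan cannot "fix" an FTP hole), and it compares the date of the last relevant check with the date an IDS rule was released, returning "stale" when a clean scan is too old to justify de-emphasizing the event. The scan records, the host address, the check-family names and the VULN-* identifiers are all made up for the example; they are not real scanner output or real vulnerability IDs.

```python
from datetime import date

# Constructed scan history for one DMZ host (not real scanner output). Each
# scan records what it actually covered: hosts, (port, proto) pairs probed and
# check families run. Vulnerability IDs are placeholders, not real CVEs.
SCANS = [
    {"name": "DMZ full scan", "date": date(2007, 3, 1), "hosts": {"10.0.0.5"},
     "ports": {(p, "tcp") for p in range(1, 1025)}, "families": {"ftp", "ssh"},
     "findings": [("10.0.0.5", 21, "tcp", "ftp", "VULN-FTP-1"),
                  ("10.0.0.5", 22, "tcp", "ssh", "VULN-SSH-1")]},
    {"name": "monthly SSH point scan", "date": date(2007, 3, 15), "hosts": {"10.0.0.5"},
     "ports": {(22, "tcp")}, "families": {"ssh"},
     "findings": []},            # SSH was patched between the two scans
]


def build_state(scans):
    """Merge every scan into one picture keyed by (host, port, proto, family).

    last_checked: the most recent date that exact host/port/family was tested.
    last_seen:    per vulnerability id, the most recent date it was reported.
    A finding stays open until a later scan that actually re-tested it comes
    back clean; a scan that never probed the port says nothing about it.
    """
    last_checked, last_seen = {}, {}
    for scan in sorted(scans, key=lambda s: s["date"]):
        for host in scan["hosts"]:
            for port, proto in scan["ports"]:
                for fam in scan["families"]:
                    last_checked[(host, port, proto, fam)] = scan["date"]
        for host, port, proto, fam, vid in scan["findings"]:
            last_seen[(host, port, proto, fam, vid)] = scan["date"]
    return last_checked, last_seen


def open_findings(target, state):
    """Vuln ids still open on target, or None if target was never tested."""
    last_checked, last_seen = state
    checked = last_checked.get(target)
    if checked is None:
        return None
    return sorted(vid for (*t, vid), seen in last_seen.items()
                  if tuple(t) == target and seen == checked)


def correlate(target, rule_released, state):
    """Verdict for an IDS event on target given the date its rule was released.

    'stale' is the Under Emphasis case: the last check predates the rule, so a
    clean scan proves nothing about the vulnerability the rule is looking for.
    """
    last_checked, _ = state
    found = open_findings(target, state)
    if found is None:
        return "unknown", "never scanned"
    if found:
        return "open", ", ".join(found)
    checked = last_checked[target]
    if rule_released > checked:
        return "stale", f"last {target[3]} check {checked} predates rule {rule_released}"
    return "clean", f"re-tested clean on {checked}"


def last_scan_only(target, scans):
    """The 'cheap model' from the slides: only the newest scan counts."""
    latest = max(scans, key=lambda s: s["date"])
    return sorted(vid for *t, vid in latest["findings"] if tuple(t) == target)


STATE = build_state(SCANS)
FTP = ("10.0.0.5", 21, "tcp", "ftp")
SSH = ("10.0.0.5", 22, "tcp", "ssh")
WEB = ("10.0.0.5", 80, "tcp", "web")

if __name__ == "__main__":
    print("merged:", correlate(FTP, date(2007, 3, 10), STATE))   # open: FTP hole never re-tested
    print("merged:", correlate(SSH, date(2007, 3, 10), STATE))   # clean: SSH re-tested on Mar 15
    print("merged:", correlate(SSH, date(2007, 4, 1), STATE))    # stale: rule is newer than last SSH check
    print("merged:", correlate(WEB, date(2007, 3, 10), STATE))   # unknown: web checks never run
    print("cheap :", last_scan_only(FTP, SCANS))                 # []: the SSH scan "fixed" FTP
```

The two dates are what matter in practice: a SIM that stores only "vulnerable / not vulnerable" per host cannot tell a clean re-test from a port it never looked at, nor a clean result from one that predates the check it would have needed.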
Under Emphasis
[Figure: timeline on which “New IDS Rules” and “New Scan Rules” arrive far more often than the “SCAN” runs that would actually pick the new checks up.]
Under Emphasis
• For the latest round of “major” vulns:
  – Telnet -froot
  – ANI
  – MS DNS
• When did you first scan for these?
• When did you first notice these in your IDS logs?
OS Based VA/IDS Correlation
• Attempt to discover the type of OS and then associate the relevant vulnerabilities with it
• Lots of ways to guess the remote OS
  – Passive and/or Active fingerprint
  – Asset database
• These are not 100% accurate, but let’s assume they are …
OS Based VA/IDS Correlation
• Once we know the OS, which vulnerabilities do we associate with it?
  – All of them?
  – What if they have been patched?
OS Based VA/IDS Correlation
• What about client-side applications like Outlook?
• What about cross-platform applications like Skype, Mozilla, iTunes, etc.?
OS Based VA/IDS Correlation
• In a mixed environment of Solaris, UNIX, Linux, Windows, etc. filtering out or highlighting attacks is useful.
  – Example vendor customer testimonial: “With product XYZ, we go from 1,000,000 events a day to just 100”.
  – Keep in mind a lot of IDS events just don’t correlate
• For discriminating between two servers where one has a patch and the other doesn’t, it is misleading.
Patch and Passive Data
Why isn’t patch data used more?
Positive:                 Negative:
• Accuracy                • No more agents!
• Client Vulns            • Can’t get creds!
• Works all over          • IT won’t share
• Fast
Patch and Passive Data
“I’ve been scanning since you were in diapers, sonny!”
“Those IT guys don’t know #%#$# about security.”
Patch and Passive Data
Why isn’t passive data used more?
Positive:                 Negative:
• Real Time               • Accuracy
• Client Vulns            • No span port
• Works all over          • BW or topology
• Fast
Tuning Your IDS/IPS
• Based on your discovered assets, applications or vulnerabilities, only enable certain rules
  – Your NIDS runs faster !!
  – No more silly false positives !!
• Example
  – None of your systems run SNMP
  – Remove all of the SNMP rules on your IDS/IPS
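Added example, not from the deck and not Tenable's code, of the SNMP tuning above done with a check that keeps the next slide's warning in mind: a rule is only switched off when every target port it names was actually scanned and none of them showed the service. Rules whose ports cannot be enumerated (any, ranges, unknown variables, IP-level rules) and rules aimed at ports the scan never probed are left enabled, because absence was never tested. The rules (local sids 1000001 and up), the port-variable values and the observed/scanned port sets are made up for the example; they are not from any real Snort rule set.

```python
import re

# Constructed inputs. The rules are made-up local rules (sid >= 1000000), not
# from any real Snort rule set; the variable values and scan data are also
# assumed for the example.
VARS = {"$HTTP_PORTS": {80, 8080}, "$SSH_PORTS": {22}}

RULES = """\
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB attack"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH probe"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 55000 (msg:"odd port service"; sid:1000004; rev:1;)
alert ip any any -> any any (msg:"catch-all"; sid:1000005; rev:1;)
"""

# Services the last scan observed on any host, and the ports it actually probed.
OBSERVED = {(80, "tcp"), (22, "tcp")}
SCANNED = {(p, "tcp") for p in range(1, 1025)} | {(161, "udp")}

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\(')
SID_RE = re.compile(r'sid:\s*(\d+)')


def resolve_ports(spec, variables):
    """Enumerate a Snort port spec, or return None when it cannot be enumerated
    ('any', ranges like 1:1024, negations, unknown variables). Those rules are
    left alone because the scan cannot prove the service is absent."""
    spec = spec.strip()
    if spec.startswith("$"):
        ports = variables.get(spec)
        return set(ports) if ports else None
    if spec.startswith("[") and spec.endswith("]"):
        out = set()
        for part in spec[1:-1].split(","):
            sub = resolve_ports(part, variables)
            if sub is None:
                return None
            out |= sub
        return out
    return {int(spec)} if spec.isdigit() else None


def tune(rules_text, observed, scanned, variables=VARS):
    """Return (decisions, rewritten rules). A rule is disabled only when every
    target port it names was scanned and none showed the service; a port the
    scan never looked at keeps its rule, because absence was never tested."""
    decisions, out = [], []
    for line in rules_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            out.append(line)              # comments, blanks, unparsed lines pass through
            continue
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        proto, ports = m.group(2).lower(), resolve_ports(m.group(6), variables)
        if proto not in ("tcp", "udp") or ports is None:
            verdict, why = "keep", "target ports cannot be enumerated"
        else:
            targets = {(p, proto) for p in ports}
            if targets & observed:
                verdict, why = "keep", "service observed on the network"
            elif targets - scanned:
                verdict, why = "keep", "port never scanned, absence unproven"
            else:
                verdict, why = "disable", "port scanned, no such service"
        decisions.append((sid, verdict, why))
        out.append(("# tuned off (%s): %s" % (why, line)) if verdict == "disable" else line)
    return decisions, "\n".join(out)


if __name__ == "__main__":
    for sid, verdict, why in tune(RULES, OBSERVED, SCANNED)[0]:
        print(sid, verdict, "-", why)
```

Re-run it after every scan rather than once: the moment a host starts answering on a port that was tuned out, the rule has to come back, which is the lag the next slide is about.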
Tuning Your IDS/IPS
• Marketing claims from some IPS vendors:
  – “Vulnerability Shielding”
  – “Virtual Patching”
  – “In-line Patching”
• The key is to have near-real time awareness of what is on your network
• Any lag between network change and what your IPS is blocking is a window of time where events are not prevented or monitored correctly.
Latent Scanner Handicaps
• Need to know your tools and processes
  – What ports do we scan for?
  – What checks do we use?
  – Are we using credentials or agents?
Latent Scanner Handicaps
• How does your scanner technology get updated with new checks?
  – Does each scanner need a manual update?
  – How often is my organization pushing new checks?
  – Are there RSS feeds or email alerts when new checks are available?
Latent Scanner Handicaps
• What is in my scanner “black box”?
  – They might say Nessus …
  – They probably are using Nessus 2 …
  – They probably are using checks which were relevant in 2005, and not doing patch auditing on modern MS OSes
Latent Scanner Handicaps
• What is in my MSP’s “black box” scanner?
  – How often do they push new checks into production?
  – What is their source of new checks?
    • Qualys, Nessus, nCircle, IBM/ISS, etc.
Summary
• Basic VA/IDS Concepts
• Sources of Correlation Errors
• Multiple Vulnerability Scan Handling
• Under Emphasis of IDS events
• Operating System Based Correlation
• Why isn’t Patch Auditing and Passive Network Data used more?
• IDS/IPS configuration based on Vulns
• Latent Scanner Handicaps
• Questions and comments
Questions?
Resources
• Tenable White Papers
  – Correlating IDS Alerts with Vulnerability Information
  – Security Event Management
  – Advanced Event Correlation Scripting
  – Blended Vulnerability Assessments
• Tenable BLOG & Demos & Webinars
  – http://blog.tenablesecurity.com
  – http://www.tenablesecurity.com
    • Click “DEMOS” for Webinars & Product info
• http://www.nessus.org
Questions?
• Other question topics:
  – IDS evasion?
  – Scanner impact?
  – IPv6 and IDS/Scanners?
  – Configuration auditing and IDS events?
  – Testing for IDS vulnerabilities?
  – Host IDS logs and VA/IDS correlation?