Good and Bad Uses Of Vulnerability Data For IDS Event Correlation
(Mostly Bad Uses Of Vulnerability Data For IDS Event Correlation)

Copyright © 2007 Tenable Network Security, Inc.


Page 1: Good and Bad Uses Of Vulnerability Data For IDS Event Correlation

Mostly Bad Uses Of Vulnerability Data For IDS Event Correlation

Page 2: Introduction

The goal of this talk is to help those of us with network monitoring programs to understand the limits of IDS/VA correlation.

Page 3: Introduction

-- OR --

Page 4: Introduction

We all have purchased expensive SIM and IPS products and this will help you operate them better!

Page 5: Introduction

I hope no-one needs to recode their software or strangle their sales guy after this …

Page 6: IDS/VA is in lots of places already

• SIMs do it – Arcsight, Q1, Cisco MARS, Tenable, etc.
• IDS/IPS do it – Sourcefire, Lucid, NFR, etc.
• Threat Simulators do it – Skybox, RedSeal, etc.
• Pre/Post NAC looks a lot like this too
• Home grown applications !!!
  – Your MSPs and internal IT projects

Page 7: Why listen to me?

• CTO/CEO and Co-Founder of Tenable
  – Nessus Vulnerability Scanner
  – Several monitoring & correlation products
• Founder of Network Security Wizards which made the Dragon Intrusion Detection System
• Director of Risk Mitigation at USi
• Consultant, pen-tester & security researcher for GTE, BBN and NSA
• Captain in USAF

Page 8: Overview

• Basic VA/IDS Concepts
• Sources of Correlation Errors
• Multiple Vulnerability Scan Handling
• Under Emphasis of IDS events
• Operating System Based Correlation
• Why isn’t Patch Auditing and Passive Network Data used more?
• IDS/IPS configuration based on Vulns
• Latent Scanner Handicaps
• Questions and comments

Page 9: Basic VA/IDS Concepts

• Why correlate at all?
  – Typical NIDS have imperfect knowledge of the networks they are watching
  – Most NIDS are not intrusion detection systems, but are instead attack and probe detection systems
  – A NIDS may give you hundreds of thousands of events per day (hour); correlating this with your known vulnerabilities can reduce this to a small handful
  – You can use the fact that your NIDS device has such a high false positive rate that you can justify VA scanning every day instead of once per quarter

Page 10: Basic VA/IDS Concepts

Which describes you better?

• Want to see any and all possible attacks.
• Only responding to events which affect your business.

Page 11: Basic VA/IDS Concepts (diagram)

Page 12: Basic VA/IDS Concepts (diagram)

Page 13: Basic VA/IDS Concepts (diagram)

Page 14: Basic VA/IDS Concepts (diagram: network with vulnerable hosts marked “V”)

Page 15: Basic VA/IDS Concepts (diagram: vulnerable host marked “V”)

Page 16: Basic VA/IDS Concepts (diagram: vulnerable host marked “V”)

Page 17: Basic VA/IDS Concepts (diagram: vulnerable host marked “V”)

Page 18: Basic VA/IDS Concepts (diagram: vulnerable host marked “V”)

IDS Says: “Nine Attacks!”

Page 19: Basic VA/IDS Concepts (diagram: vulnerable host marked “V”)

VA/IDS Says: “1 REAL attack”

Page 20: Basic VA/IDS Concepts

Which is more accurate?

Your favorite: • IDS • IPS • UTM • NBAD

Your favorite: • Scanner • PCI Scanning MSP • Patch Tester • Agent

Page 21: Basic VA/IDS Concepts

How the accuracy of the VA data (rows) and of the IDS (columns) combine:

VA \ IDS            | IDS False Positive                              | IDS 100% Accuracy                 | IDS False Negative
VA False Positive   | Sends you a well qualified event that is false! | Over-emphasizes a valid IDS event | Can’t help directly
VA 100% Accuracy    | Removes IDS false positive                      | Desired Alerting                  | Potentially reconfigure the NIDS
VA False Negative   | IDS Events that are incorrect are not removed   | IDS Events are not emphasized     | Can’t help directly

Page 22: Sources of IDS/IPS FP/FN

• False Positives
  – Bad Signature
  – Good signature, but unexpected matching traffic
• False Negatives
  – No signature
    • Unknown attack/vuln
    • Can’t write a rule to look for it
  – Bypass detection with encoding

Page 23: Sources of Vuln FP/FN

• False Positives
  – Bad Rule/Plugin/Check
  – Good Rule/Plugin/Check, but unexpected matching data or application
  – Back-porting of Daemons
    • Nessus “Paranoid” mode

Page 24: Sources of Vuln FP/FN

• False Negatives
  – No signature
  – Didn’t scan that port
  – Didn’t use credentials
  – Didn’t scan that often
  – Back-porting of Daemons
    • Nessus “Paranoid” mode
  – Can’t perform a check for this
    • Credentialed vs. scanning
    • “We’d like you to develop a non-credentialed method to test for the new Daylight Savings Time patch”

Page 25: Introduction

And even when it does work ….

Page 26: Basic VA/IDS Concepts – The Security Grind

There is the human layer:

“Hey Joe, I think there is something wrong with our SIM!!!”

“Why do you say that?”

“According to this, we’ve just had several hundred successful Telnet and DNS attacks”

Page 27: Sources of Correlation Errors

Simple Algorithm
1. Receive IDS event
2. “Lookup” to see if target is vuln
3. Launch missiles if real attack

Page 28: Sources of Correlation Errors

• Magic “Lookup” functions
  – What is the correlation based on?
    • CVE, Bugtraq, Nessus ID, X-Force ID, etc.
  – Is it port and protocol specific?
  – How does it get updated?
    • IDS and vuln scanners get daily updates
    • How does the solution sync with this new data?
  – How correct is the code?
    • Does it accept “CVE” and “CAN”?
    • Does it handle multiple CVE/Bugtraq entries per vulnerability or IDS event?

Page 29: Sources of Correlation Errors

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:13;)
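An added example (not from the slides or from any Tenable product) of a “lookup” step that takes the questions on the previous slide seriously, applied to the rule above: it normalises CVE/CAN ids, keeps all five references rather than the first, scopes the match to host, port and protocol, and refuses to call a host “not vulnerable” unless a scan actually probed that port with a check for this rule. The host addresses, the scan data and the check id “OTHER-CHECK” are constructed.

```python
import re
from dataclasses import dataclass, field

# The Snort rule shown on the slide: one signature carrying five references.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS view source via translate header"; flow:to_server,established; '
    'content:"Translate|3A| F"; nocase; reference:arachnids,305; '
    'reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; '
    'reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:13;)'
)
REF_RE = re.compile(r'reference:(\w+),([^;]+);')

def normalise_ref(system, ident):
    """Map 'cve,2000-0778', 'CVE-2000-0778' and the old 'CAN-2000-0778' to one key."""
    system, ident = system.lower(), ident.strip().upper()
    if system == 'cve':
        ident = re.sub(r'^(CVE|CAN)-', '', ident)
    return (system, ident)

def rule_references(rule):
    """All references carried by a Snort rule, not just the first one."""
    return {normalise_ref(s, i) for s, i in REF_RE.findall(rule)}

@dataclass
class Finding:
    host: str
    port: int
    proto: str
    refs: frozenset              # normalised (system, id) pairs from the scanner

@dataclass
class Scan:
    host: str
    ports: frozenset             # ports the scan actually probed
    checks: frozenset            # scanner check ids that ran (here: Nessus plugin ids)
    findings: list = field(default_factory=list)

def correlate(event, scans):
    """Verdict for one IDS event: 'confirmed' (a scan reported a matching vuln on that
    host/port/proto), 'not_vulnerable' (the port was probed with a check for this rule
    and nothing was found) or 'unknown' (port never scanned or check never ran; a naive
    lookup would silently report this case as 'not_vulnerable')."""
    refs = rule_references(event['rule'])
    wanted_checks = {i for s, i in refs if s == 'nessus'}
    tested = False
    for scan in scans:
        if scan.host != event['dst_host'] or event['dst_port'] not in scan.ports:
            continue
        for f in scan.findings:
            if (f.port, f.proto) == (event['dst_port'], event['proto']) and f.refs & refs:
                return 'confirmed'
        tested = tested or bool(wanted_checks & scan.checks)
    return 'not_vulnerable' if tested else 'unknown'

def demo():
    """Constructed scan data for four web servers; returns the verdict per host."""
    vuln = Finding('10.0.0.5', 80, 'tcp',
                   frozenset({normalise_ref('cve', 'CAN-2000-0778')}))  # old CAN form
    scans = [
        Scan('10.0.0.5', frozenset({80, 443}), frozenset({'10491'}), [vuln]),
        Scan('10.0.0.6', frozenset({80}), frozenset({'10491'})),         # tested, clean
        Scan('10.0.0.7', frozenset({22}), frozenset({'10491'})),         # port 80 unscanned
        Scan('10.0.0.8', frozenset({80}), frozenset({'OTHER-CHECK'})),   # check never ran
    ]
    verdicts = {}
    for host in ('10.0.0.5', '10.0.0.6', '10.0.0.7', '10.0.0.8'):
        event = {'dst_host': host, 'dst_port': 80, 'proto': 'tcp', 'rule': SNORT_RULE}
        verdicts[host] = correlate(event, scans)
    return verdicts
```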


Page 33: Sources of Correlation Errors

• What happens when the META DATA is incorrect?
  – Advisories can have incorrect CVEs, Bugtraq IDs and so on
  – We’ve seen cases where the wrong CVE or Bugtraq reference is in the IDS signature
  – With 14,000+ plugins, we’ve made mistakes putting the wrong CVE, Bugtraq ID, etc. in Nessus scripts too

Page 34: Sources of Correlation Errors

• Disparity in NIDS ports and Scanned Ports
• Few organizations scan all 65k TCP and UDP ports
• Few organizations scan for ALL available vulnerabilities
• So what happens if vulnerability #44 is on port 55000 but we never scanned for it?

Page 35: Sources of Correlation Errors

• Disparity in NIDS rules and Scanner checks
• NIDS Rules are updated daily, and so are vuln scanner checks, but scans might not happen daily
• What happens when your NIDS starts to detect today’s attack-of-the-week but you have not scanned for it yet?
  – More on this in a moment …

Page 36: Multiple Vulnerability Scans

• There is only one network.
• It might change.
• We scan it often to detect the change.
• Hopefully our VA/IDS solution is keeping up with the scans.
• More solutions are becoming available that detect network changes in order to drive scans.

Page 37: Multiple Vulnerability Scans

• Very Cheap Model
  – No real correlation; VA data just presented when requested or invoked
• Cheap Models
  – Only the last scan is used for correlation
  – Vulnerabilities are not port/protocol centric
• Misleading Models
  – Vulnerabilities never get fixed
  – “point scans” magically fix other vulnerabilities
    • i.e. the monthly SSH scan didn’t find any FTP issues

Page 38: Multiple Vulnerability Scans (diagram: a timeline of scans – Patch Audit, Full Port Scan, SANS Top 20, Patch Verify Scan, DMZ Scan, DMZ Scan, Mail Scan, Mail Scan, Point Vuln Scan)

Page 39: Under Emphasis

• Basic idea
  – De-emphasize stuff I’m not affected by
  – Alert me if I’ve been attacked
• Problem
  – What if my vulnerability data isn’t as updated as my IDS data?

Page 40: Under Emphasis (diagram: a timeline with two scans (“SCAN”) interleaved with repeated “New IDS Rules” and “New Scan Rules” releases)

Page 41: Under Emphasis

• For the latest round of “major” vulns:
  – Telnet -froot
  – ANI
  – MS DNS
• When did you first scan for these?
• When did you first notice these in your IDS logs?
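An added example (not from the slides or from any Tenable product) covering the “cheap” and “misleading” models of pages 36–37 and the under-emphasis problem of pages 39–41: a vulnerability is only cleared by a later scan that actually re-tested the same host, port and check, a clean result ages out, and an IDS rule whose check no scan has ever run is reported as untested instead of being de-emphasized. The host name, dates and check ids (“ftp-check-A” and so on) are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Vuln:
    host: str
    port: int
    check: str          # scanner check id; the ids used below are constructed

@dataclass(frozen=True)
class ScanResult:
    when: datetime
    hosts: frozenset
    ports: frozenset    # ports this scan probed
    checks: frozenset   # checks this scan ran
    found: frozenset    # Vuln instances it reported

    def covers(self, v):
        """True if this scan actually re-tested v (same host, port and check)."""
        return v.host in self.hosts and v.port in self.ports and v.check in self.checks

def last_scan_only(scans, v):
    """The 'cheap model' from the slide: whatever the most recent scan says is the truth."""
    latest = max(scans, key=lambda s: s.when)
    return 'vulnerable' if v in latest.found else 'not_vulnerable'

def merged_status(scans, v, now, max_age=timedelta(days=7)):
    """Judge v by the latest scan that covered it:
    'untested'       - no scan probed that port with that check (e.g. a brand-new rule)
    'vulnerable'     - the last covering scan still reported it
    'stale'          - tested clean, but longer ago than max_age
    'not_vulnerable' - tested clean recently"""
    covering = [s for s in scans if s.covers(v)]
    if not covering:
        return 'untested'
    latest = max(covering, key=lambda s: s.when)
    if v in latest.found:
        return 'vulnerable'
    if now - latest.when > max_age:
        return 'stale'
    return 'not_vulnerable'

def day(n):
    """Constructed calendar: day n of the scan history."""
    return datetime(2007, 6, 1) + timedelta(days=n)

def demo():
    """Constructed history: a full scan on day 1, then an SSH-only point scan on day 10."""
    host = 'dmz-1'
    ftp_v = Vuln(host, 21, 'ftp-check-A')
    scans = [
        ScanResult(day(1), frozenset({host}), frozenset({21, 22, 80}),
                   frozenset({'ftp-check-A', 'ssh-check-B', 'http-check-C'}),
                   frozenset({ftp_v})),
        ScanResult(day(10), frozenset({host}), frozenset({22}),
                   frozenset({'ssh-check-B'}), frozenset()),
    ]
    ssh_v = Vuln(host, 22, 'ssh-check-B')
    return {
        'cheap_ftp': last_scan_only(scans, ftp_v),            # SSH scan "fixed" FTP: wrong
        'merged_ftp': merged_status(scans, ftp_v, day(11)),   # still open
        'ssh_fresh': merged_status(scans, ssh_v, day(11)),
        'ssh_old': merged_status(scans, ssh_v, day(40)),      # clean result has aged out
        'new_rule': merged_status(scans, Vuln(host, 53, 'dns-check-D'), day(11)),
    }
```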

Page 42: OS Based VA/IDS Correlation

• Attempt to discover the type of OS and then associate relative vulnerabilities from it
• Lots of ways to guess the remote OS
  – Passive and/or Active fingerprint
  – Asset database
• These are not 100% accurate, but let’s assume they are …

Page 43: OS Based VA/IDS Correlation

• Once we know the OS, which vulnerabilities do we associate with it?
  – All of them?
  – What if they have been patched?

Page 44: OS Based VA/IDS Correlation

• What about client-side applications like Outlook?
• What about cross-platform applications like Skype, Mozilla, iTunes, etc.?

Page 45: OS Based VA/IDS Correlation

• In a mixed environment of Solaris, UNIX, Linux, Windows, etc. filtering out or highlighting attacks is useful.
  – Example vendor customer testimonial: “With product XYZ, we go from 1,000,000 events a day to just 100”.
  – Keep in mind a lot of IDS events just don’t correlate
• For discriminating between two servers where one has a patch and the other doesn’t, it is misleading.

Page 46: Patch and Passive Data

Why isn’t patch data used more?

Positive: • Accuracy • Client Vulns • Works all over • Fast

Negative: • No more agents! • Can’t get creds! • IT won’t share

Page 47: Patch and Passive Data

“I’ve been scanning since you were in diapers sonny!”

“Those IT guys don’t know #%#$# about security.”

Page 48: Patch and Passive Data

Why isn’t passive data used more?

Positive: • Real Time • Client Vulns • Works all over • Fast

Negative: • Accuracy • No span port • BW or topology

Page 49: Tuning Your IDS/IPS

• Based on your discovered assets, applications or vulnerabilities, only enable certain rules
  – Your NIDS runs faster !!
  – No more silly false positives !!
• Example
  – None of your systems run SNMP
  – Remove all of the SNMP rules on your IDS/IPS

Page 50: Tuning Your IDS/IPS

• Marketing claims from some IPS vendors:
  – “Vulnerability Shielding”
  – “Virtual Patching”
  – “In-line Patching”
• The key is to have near-real time awareness of what is on your network
• Any lag between network change and what your IPS is blocking is a window of time where events are not prevented or monitored correctly.

Page 51: Latent Scanner Handicaps

• Need to know your tools and processes
  – What ports do we scan for?
  – What checks do we use?
  – Are we using credentials or agents?

Page 52: Latent Scanner Handicaps

• How does your scanner technology get updated with new checks?
  – Does each scanner need a manual update?
  – How often is my organization pushing new checks?
  – Are there RSS feeds or email alerts when new checks are available?

Page 53: Latent Scanner Handicaps

• What is in my scanner “black box”?
  – They might say Nessus …
  – They probably are using Nessus 2 …
  – They probably are using checks which were relevant in 2005, and not doing patch auditing on modern MS OSes

Page 54: Latent Scanner Handicaps

• What is in my MSP’s “black box” scanner?
  – How often do they push new checks into production?
  – What is their source of new checks?
    • Qualys, Nessus, nCircle, IBM/ISS, etc.

Page 55: Summary

• Basic VA/IDS Concepts
• Sources of Correlation Errors
• Multiple Vulnerability Scan Handling
• Under Emphasis of IDS events
• Operating System Based Correlation
• Why isn’t Patch Auditing and Passive Network Data used more?
• IDS/IPS configuration based on Vulns
• Latent Scanner Handicaps
• Questions and comments

Page 56: Questions?

Page 57: Resources

• Tenable White Papers
  – Correlating IDS Alerts with Vulnerability Information
  – Security Event Management – Advanced Event Correlation Scripting
  – Blended Vulnerability Assessments
• Tenable BLOG & Demos & Webinars
  – http://blog.tenablesecurity.com
  – http://www.tenablesecurity.com
    • Click “DEMOS” for Webinars & Product info
• http://www.nessus.org


Page 60: Questions?

• Other question topics:
  – IDS evasion?
  – Scanner impact?
  – IPv6 and IDS/Scanners?
  – Configuration auditing and IDS events?
  – Testing for IDS vulnerabilities?
  – Host IDS logs and VA/IDS correlation?