Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Detecting covert data channels?

from [Ron Gula] Network Security [Permanent Link]
Subject: Re: Detecting covert data channels?
Date: Tue, 29 May 2007 08:40:21 -0400 
Hi Joff,

Detecting covert channels and encryption are two separate fields of
work. Just because a connection looks encrypted, it might still be
legitimate. And a back door that isn't encrypted might still be
considered "covert" if you didn't know to look for whatever protocol it
implemented.

I like to tell users who monitor networks to look for new daemons or
listening ports, but there are more advanced back doors that don't use a
TCP socket and can communicate with raw packets. There are also other
backdoors (as in Malware) that simply surf the web (port 80/443/etc) to
web pages that contain jobs for the owned node to do. There is also a
large body of work on detecting botnets that communicate and receive
commands over IRC, hacked web pages, P2P networks, AIM chat and so on.

On our blog, I've written about finding systems which accept or initiate
encrypted and/or interactive TCP sessions:
http://blog.tenablesecurity.com/2007/02/finding_interac.html

As well as looking at large crowd behaviors from netflow/sniffed TCP
sessions:
http://blog.tenablesecurity.com/2006/08/detecting_crowd.html

You might also want to take a look at the Snort signatures available on
the Bleeding Threats web site:
http://www.bleedingthreat.com/

and look at the wide variety of "detects" for the more common back doors
and malware out there.

And lastly, I think some of the best published work on finding this sort
of communications has been done by Lurhq (now SecureWorks) and you can
read several examples here:
http://www.secureworks.com/research/threats/

There is no single detect for a covert channel, but if you read through
the URLs and links here (plus read the older posts on this list) you
should be able to get a sense of the current state of the art for
finding many different types of covert channels.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
http://blog.tenablesecurity.com
http://www.nessus.org




Joff Thyer wrote:

It is reasonably trivial to encode data within packet headers, and
even encrypt said data as most are probably aware.  There are past
examples where control information has been sent within ICMP and other
packets using header fields.

My question surrounds detection; given that IDS tends to be payload
focused, if a covert channel exists that has encrypted data in a
packet header, how do we go about detecting it?

My initial thought leans toward the fact that encrypted data blocks
are statistically flat over time.  Given say 'snort', how can we use
this idea?   I am not a snort expert by any means, so please no
flames!

I would be happy to summarize opinions.

-Joff Thyer


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Detecting covert data channels?, Skip Carter
Next by Date:  Threats to IDS/IPS deployments, leeahart05
Previous by Thread:  Re: Detecting covert data channels?, Skip Carter
Next by Thread:  Re: Detecting covert data channels?, Richard Bejtlich
Indexes:  [Date] [Thread] [Top] [All Lists]