What I'm describing in this bit is actually a behavioral detection technique
rather than the specification or regexp based method (though the combination of
the two is often preferable, where available) as the detection failure
scenarios data inspection are endless, as you point out. What I'm suggesting is
that while methods and scenarios for obfuscating or concealing data beyond
detection or inspection are supernumerary, there are a few elements that can
usually be reliably detected using flow data, assuming the reporting devices
themselves have not been compromised;
1. network transmission took place with between two IP sockets
2. some number of bytes and packets were transmitted, which can be measured
3. the destination address was or was not part of the organization which owns
the source
4. the destination address is or is not within expectations (e.g. is it a
foreign country or organization with which no business relationship exists)
5. (possibly, if you have some packet content samples with the flow data) the
application protocol appears to be a known application or network protocol
6. this apparent application usage is or is not within expectations - and is or
is not typical
With this information, behavioral detection can sometimes find data leaks in
the form of anomalous network behavior such as the appearance of a new
application protocol e.g. a vpn, ssl or ssh connection - especially on a non
standard port - with a remote destination which is unexpected (while the
encrypted data itself is beyond inspection, the application protocol itself may
be recognizable); or a direct SQL connection from a client desktop, where they
normally connect through a middleware application, or something else.
We use a technique we call anomaly detection in the QRadar tool to detect
appearance of new behaviors for selected high-value systems and networks.
useful either as a corroboration to methods like regexp based inspection or as
a potential method of finding information leaks that evade these detection
methods. Of course, there are scenarios where new behaviors result from normal
changes; none of these methods are perfect, but they are all useful. Combining
them through correlation can sometimes improve accuracy of detection even
further. In my experience, the best method of finding misuse patterns like data
leaks is through sophisticated event correlation - either manual or
programmatic - though it needs to be done programmatically in order to scale.
Craig Chamberlain
Principal Security Consultant
craig@q1labs.com | www.q1labs.com
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Siim Põder
Sent: Friday, October 19, 2007 2:59 AM
To: Craig Chamberlain
Cc: focus-ids@securityfocus.com
Subject: Re: Using Snort to find creditcard data?
Yo!
Craig Chamberlain wrote:
Good point; what I'm suggesting is that while it's relatively easy to
hide or obfuscate the data itself, it is hard to conceal the fact that
data - or packets - are being transmitted, possibly using a
recognizable application protocol, to an unexpected destination, which
can be a useful last-ditch detection mechanism when the other methods
fail - or can be a useful corroboration when correlated with the other
detect data.
There is bound to be some sort of legitimate production traffic. For example,
if there are https connections coming in to a specific machine and specific
port. You can detect if that machine starts sending out data on its own or
starts accepting connections on another port.
However, if the same port starts serving credit card numbers
(obfuscated) or even hides the credit card numbers in tcp sequence numbers (or
does something even more subtle as serving them by changing the case of "A"
letters in http connections from certain addresses) the movement of data
should be extremely hard to detect.
Siim
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
