Data Theft and the Oregon Consumer ID Theft Protection Act
Always Playing Catch-up
Agencies Slow to Upgrade
Agency Security Practices
Malware Detection and Incident Response
Network Intrusion Detection Systems
State IDS Architecture
SDC Perimeter Intrusion Detection
Multi-vendor Inspection at Internet Connections
Why Detection & Not Prevention?
- Encrypted and local attack vectors: webmail (HTTPS://), USB drives, and MP3 players
- The IDS sensors typically only see the aftermath, the phone home (workstation posture is key to prevention: patches and protection)
The Overall Picture
- At the perimeter the IP seen may be a firewall, proxy, or other external IP with thousands of hosts behind it
- Perimeter IDS is blind to internal events unless they phone home
- There are so many perimeter attacks that signatures must be carefully enabled and managed
Signature and Rule Management
- A 'Perimeter' IDS policy exists and takes into account the physical location of the sensor (Do we want to fill the database with worms simply knocking on the perimeter door? No)
- Multi-sourced rule updates and custom alerts (accurate but old, new outbreaks, unique to us)
- SDC policy contains over 4,000 active IDS rules and nearly 23,000 disabled rules (a known botnet knocking on our perimeter door: disabled)
- A typical one-week period may add 25-62 new rules and update 1,000-2,000 existing rules. All rules are evaluated for relevancy before being activated and uploaded
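The perimeter policy described above, as an added example (this is not SDC's rule-management tooling): a small pass over a Snort-format rules file that disables inbound-only rules on a perimeter sensor, keeps the outbound phone-home rules that actually reveal infected hosts, and reports the active/disabled counts. The sample rules, their SIDs (local range) and their messages are constructed for this example; the pinned-SID list and function names are assumptions.

```python
"""Perimeter IDS rule-policy pass.

Added example, not SDC's rule-management tooling. It reads a Snort-format
rules file (one rule per line, a leading '#' marks a disabled rule) and
applies the slide's perimeter policy: on a sensor outside the firewall,
rules that only fire on inbound scanning ($EXTERNAL_NET -> $HOME_NET) are
disabled as noise (worms knocking on the door), while outbound phone-home
rules ($HOME_NET -> $EXTERNAL_NET) stay on because they are what reveals
an infected host. A pin list keeps selected inbound rules enabled anyway.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample rules file. SIDs are in the local range (1000000+)
# and the messages are hypothetical, not real Snort or ET signatures.
SAMPLE_RULES = """\
# disabled during a previous relevancy review
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB worm probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute-force knock"; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL web server exploit attempt"; sid:1000006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL trojan phone-home POST"; flow:to_server,established; content:"POST"; http_method; sid:1000003; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"LOCAL DNS beacon to known bot domain"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL P2P file-sharing handshake"; sid:1000005; rev:3;)
"""

# Snort rule header: [#]action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rules(text: str) -> List[Dict]:
    """Return one dict per rule line; blank lines and plain comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid_m = SID_RE.search(m.group("opts"))
        rules.append({
            "sid": int(sid_m.group(1)) if sid_m else None,
            "enabled": m.group("disabled") is None,
            "src": m.group("src"), "dst": m.group("dst"), "dir": m.group("dir"),
            "line": line.strip().lstrip("#").strip(),
        })
    return rules


def is_inbound_noise(rule: Dict) -> bool:
    """Internet -> our space only: what a perimeter sensor sees all day and
    what the policy chooses not to fill the database with."""
    return (rule["src"] == "$EXTERNAL_NET" and rule["dst"] == "$HOME_NET"
            and rule["dir"] == "->")


def apply_perimeter_policy(rules: List[Dict], pinned: Set[int] = frozenset()) -> List[Dict]:
    """Disable inbound-noise rules unless pinned. Never re-enable a rule an
    analyst already turned off; that decision is reviewed separately."""
    out = []
    for r in rules:
        r = dict(r)
        if r["enabled"] and is_inbound_noise(r) and r["sid"] not in pinned:
            r["enabled"] = False
        out.append(r)
    return out


def count(rules: List[Dict]) -> Tuple[int, int]:
    """(active, disabled): the two numbers the policy slide reports."""
    active = sum(1 for r in rules if r["enabled"])
    return active, len(rules) - active


def render(rules: List[Dict]) -> str:
    """Write the policy back out in Snort's own '#'-for-disabled convention."""
    return "\n".join(r["line"] if r["enabled"] else "#" + r["line"] for r in rules) + "\n"


if __name__ == "__main__":
    before = parse_rules(SAMPLE_RULES)
    after = apply_perimeter_policy(before, pinned={1000006})
    print("before:", count(before), "after:", count(after))
    print(render(after))
```

On a real policy of 27,000 rules the same pass is what turns the weekly 25-62 new rules into a reviewed set: new inbound-only rules arrive disabled at the perimeter and are only pinned on after someone has decided the alert is worth the database rows. The same code with the policy inverted (keep inbound rules) is what an agency-side sensor behind the firewall would run.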
Where We Are Headed
Agency-based IDS Sensors
- The sensor can see the internal IP address and identify the host
- Captive malware blocked at the agency firewall and never seen at the perimeter can be identified
- More IDS signatures can be enabled, since perimeter noise is eliminated and the sensor sits behind the firewall
- Agencies get access to IDS reports, scoped to their own IP space only
SDC Perimeter Intrusion Detection
With all those firewalls, web filtering, and perimeter and agency IDS boxes we should at least spot an incident in progress, right? There are always exceptions:
- The latest variant
- Encryption
- Alternate routes (rogue and not)
Workstation posture is still critical. Educate, patch and protect...
SDC Malware Detection and Notification
Intrusion detection is the process of discovering, analyzing and reporting unauthorized or damaging network or computer activities.
Snort, the engine on the SDC sensors:
Capable of performing real-time traffic analysis and packet logging on IP networks.
Used to monitor network traffic and scan for signatures that represent potential attacks, worms, and unusual activity.
Helps identify potentially compromised machines, information leaks, and active and passive attacks.
Can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes.
Primarily a signature-based detection engine, not unlike an anti-virus engine.
Looks for signatures in data streams and packet headers that are known to indicate an attack, a potential attack or a data leak.
We are using over 4,000 rules. Snort logs only the packets that triggered an alert.
IDS Malware Detection and Notification
What Do We Watch For?
Data-stealing Trojans
Possible data loss
Fake anti-virus installs
Policy violations such as peer-to-peer file sharing
Snort Alert Key Information
Destination IP address(es)
Host name if discovered
GET or POST request in the logged packet
What Snort Sees and Alerts On
Waledac Trojan Signature – A Data Stealing Trojan
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
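The key-information triage from the list above, as an added example (not SDC's notification tooling): parse a Snort fast-format alert line plus the single logged packet, and pull out the internal host IP, destination IP, host name (only if the packet carried one) and the GET/POST request. The alert line, its local-range SID and hypothetical message, and the HTTP payload are all constructed for this example; the function names and the response list are assumptions drawn from the slides that follow.

```python
"""Triage a Snort alert the way the key-information slide does.

Added example, not SDC's notification tooling. The fast-format alert line
and the logged packet payload below are constructed; the SID is in the
local range and the rule message is hypothetical. Snort logs only the
packet that triggered the alert, so that payload is all the analyst gets.
"""
import re
from typing import Dict, Optional

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed alert from an agency-side sensor (it sees the real internal IP).
SAMPLE_ALERT = (
    "03/04-13:22:10.123456  [**] [1:1000003:1] LOCAL trojan phone-home POST [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] "
    "{TCP} 10.20.30.40:51234 -> 203.0.113.10:80"
)
# Constructed payload of the triggering packet: a POST to the controller.
SAMPLE_PAYLOAD = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: update.example.net\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    b"Content-Length: 30\r\n\r\n"
    b"id=WIN7-PC01&data=c2VjcmV0cw=="
)


def parse_fast_alert(line: str) -> Dict[str, Optional[str]]:
    m = FAST_ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert line")
    return m.groupdict()


def parse_http_request(payload: bytes) -> Dict[str, Optional[str]]:
    """Method, URI and Host from the request in the payload. Method is None
    when the payload is not HTTP (for example an encrypted channel), and
    host is None when no Host header was present ('host name if discovered')."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 3 or not parts[2].startswith(b"HTTP/"):
        return {"method": None, "uri": None, "host": None}
    host = None
    for h in lines[1:]:
        name, sep, value = h.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return {"method": parts[0].decode("ascii", "replace"),
            "uri": parts[1].decode("ascii", "replace"), "host": host}


def triage(alert_line: str, payload: bytes) -> Dict:
    """The fields an analyst needs to name the host and decide the response."""
    a = parse_fast_alert(alert_line)
    http = parse_http_request(payload)
    is_trojan = ("trojan" in (a.get("cls") or "").lower()
                 or "trojan" in (a.get("msg") or "").lower())
    actions = []
    if is_trojan:  # the response the later slides prescribe
        actions = ["take the workstation off the network", "examine it offline",
                   "users change all personal and business passwords",
                   "rebuild, do not clean"]
    return {
        "sid": int(a["sid"]), "message": a["msg"],
        "internal_host": a["src"], "destination_ip": a["dst"],
        "destination_port": int(a["dport"]),
        "hostname": http["host"], "method": http["method"], "uri": http["uri"],
        "data_leaving": http["method"] == "POST",
        "actions": actions,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_ALERT, SAMPLE_PAYLOAD).items():
        print(f"{k:>17}: {v}")
```

A POST to a bare IP with no Host header, or a payload that is not HTTP at all, is still an alert worth chasing; the code reports what it could not discover rather than failing, because the internal host IP alone is enough to start the response.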
Users of these workstations must change all personal and business passwords.
Do not plug an infected workstation back into the network. Examine the workstation offline.
Malware tools are not perfect. There is not a single tool that finds everything.
Err on the side of caution.
Tools are simply that... just tools. As you work with malware, it's important to have many ways to confirm your results. It's just as important NOT to rely totally on your tools to provide the answers.
In essence you want to look at malware from many different angles and never forget that your tools are only so good and may not provide the complete answer.
A tool finding nothing does not mean that nothing is there.
Rebuild that workstation!!!
You Do Not Want This Email…
You do not want to receive this email from me. Unfortunately it happens at least once a week.
If this workstation was “cleaned”, you need new soap. I recommend one called “rebuild it”.
AV has several detection methodologies
Always playing catch up
The newer the malware, the poorer the detection rate
Detection improves over time
VirusTotal results for the same sample: September 2009, and again 4 months later
If it walks like a virus and talks like a virus, chances are it's a ...
Heuristic detection recognizes malware by its behaviour against a set of criteria and then blocks it
Uses multiple detection engines and advanced heuristics
The Future of Malware
Sold as a kit
Purchaser can customize
Each build is unique
Avoids A/V signatures
Keystroke logging
SSL field injection
Installs more malware
Rootkit / bootkit
In short it does whatever you want it to do.
Cleaning vs. Reimaging
Cleaning:
- Our experience: cleaning fails to completely remove malware
- Other, unknown malware can remain
- Must replace the MBR (master boot record) as well
Reimaging:
- More effective than cleaning
- Not practical for large outbreaks
Understand what malware is on the system
Independently scan to identify malware locations and whether other malware is present
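One concrete check behind "must replace the MBR", as an added example (not an SDC procedure): compare the boot code of a 512-byte MBR image, captured from the disk while booted from clean media, against the known-good boot code of the agency's standard image, and report what else sits in the first sector. The golden and tampered MBRs, the boot-code stub and the partition entry are all constructed for this example; the baseline hash and function names are assumptions.

```python
"""Offline MBR integrity check for the 'must replace the MBR' case.

Added example, not an SDC procedure. Input is the first 512 bytes of the
disk (for a real case captured from clean boot media, e.g.
dd if=/dev/sda bs=512 count=1, never from the running, possibly rootkitted
system). The two MBRs below are constructed: a golden one, and the same one
with its first boot-code bytes patched to a jump, which is the kind of
change a bootkit leaves behind and an in-place cleaner misses.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOTCODE_LEN = 446      # bytes 0..445: boot code
PART_TABLE_OFF = 446    # 4 entries x 16 bytes
BOOT_SIG = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode: bytes) -> bytes:
    """Assemble a constructed MBR: boot code padded to 446 bytes, one active
    NTFS-type partition starting at LBA 2048, three empty entries, signature."""
    assert len(bootcode) <= BOOTCODE_LEN
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIG


def bootcode_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def hidden_area_sectors(mbr: bytes) -> int:
    """Sectors between the MBR and the first partition. Bootkits commonly
    keep their body there, so this area needs its own hash or scan."""
    parts = parse_partitions(mbr)
    return min(p["lba_start"] for p in parts) - 1 if parts else 0


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Findings that mean 'replace the MBR and rebuild'; empty if clean."""
    if len(mbr) != MBR_SIZE:
        return ["image is not 512 bytes; capture the first sector again"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if bootcode_hash(mbr) != baseline_hash:
        findings.append("boot code differs from known-good image (possible bootkit)")
    if not any(p["status"] == 0x80 for p in parse_partitions(mbr)):
        findings.append("no active partition")
    return findings


# Constructed: a short x86 boot-code stub standing in for the standard image's MBR.
GOLDEN_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
GOLDEN_MBR = build_mbr(GOLDEN_BOOTCODE)
GOLDEN_HASH = bootcode_hash(GOLDEN_MBR)  # assumed baseline kept with the image
# Constructed tampering: the entry point replaced with a jump elsewhere.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + GOLDEN_BOOTCODE[3:])

if __name__ == "__main__":
    for name, img in (("golden", GOLDEN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(img, GOLDEN_HASH) or "clean",
              "hidden sectors:", hidden_area_sectors(img))
```

A clean result here only covers the first sector: a bootkit can also live in the volume boot record or in the hidden sectors this code merely counts, so treat the check as one more angle, not as proof that nothing is there.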