2016 first - vixie, paul (friday) 20160523
TRANSCRIPT
I. Introduction

"Today most incident response teams rely on vendor threat feeds to gain additional intelligence about the attacks against their network. Yet vendor threat intelligence alone is limited – if the IOCs, signatures, or other feeds don't match what investigators have found in their network the investigation itself can come to an abrupt end."
[part of the abstract for this talk]
The "Magic" Behind Many Security Vendors' Threat Feeds
• Cybercriminals like to minimize their effort, and will reuse an attack, if successful, against many other potential victim sites.
• Because attacks are recycled, sharing the attack's attributes can help other victim sites identify and respond to these attacks.
• Required assumption #1: your goal is probably to do two things:
  – Block the malicious behavior (if possible), but at least
  – Detect the malicious behavior (in case efforts at blocking fail)
• Required assumption #2: statistically, you're unlikely to be one of the first sites hit, so you'll have time to learn from the experiences of others and take appropriate measures (but if you are attacked first, that attack at least provides intelligence for everyone else).
• Required assumption #3: false positives/collateral damage can be kept low through whitelisting and professional feed curation, etc.
"Abracadabra" Doesn't Always Yield A Rabbit
• Sometimes the magic of threat feeds simply doesn't work...
• You might get hit by a unique attack meant just for you. You weren't protected from it, and no one else may ever see it.
• Sometimes there may not be a traditional control point at which a detected attack can be automatically mitigated (example: classic firewalls may allow all outbound connection attempts by default).
• You may not have visibility into all network traffic (example: encrypted network traffic such as PGP-encrypted email messages).
• If blocking fails, detection is a distinctly inferior secondary outcome ("hey, we did at least spot the incoming nuclear missile, even though we couldn't prevent it from blasting our city").
• Collateral damage/false positives MAY exist & be problematic.
• Sharing indicators can result in intelligence being leaked to the bad guys (disclosure of "sources and methods").
More Empty Hats
• Attribution often remains a huge unsolved problem, so the community largely ignores the attribution problem (or employs non-scalable manual efforts in isolated cases, such as the Mandiant China report).
• Threat feeds are a tactical "solution" that focuses on observable manifestations (like cough syrup for lung cancer) while what we need is a genuine strategic solution that focuses on correcting root causes (analogy: discourage smoking and other causes of lung cancer, rather than improve oncological treatments or suppress symptoms)
  – Cyber example: sites NOT doing SAV are still tolerated by the community, so spoofed DoS traffic remains a problem
  – Criminal sanctuary networks aren't summarily de-peered
  – Criminals may be non-extraditable from some jurisdictions
II. DIY

"That aesthetic of the Star Wars universe: the do-it-yourself, hot rod ethic that George Lucas exported from his childhood, is exactly the same kind of soul behind what we do and build for the show. It may not look pretty, but it gets the job done."
Adam Savage, co-host of Mythbusters [emphasis added]
Why Consider A DIY Model? Many Reasons
• The market doesn't have what you need/want
• What you want is available, but you can't afford to buy it
• You've tried what exists, but it isn't working well enough
• There's something available, but what's available is proprietary and poorly disclosed, even under NDA (and relying on "witch doctoring" seems to be less-than-standard-of-care treatment)
• You like layered approaches to security (and DIY might be able to give you at least part of "another nine's worth" of incremental improvement)
• You like crafting solutions/controlling your own destiny, much like F/OSS for operating systems or OpenFlow/SDN networking
• No one knows your unique environment as well as you do.
• Also: creative "tinkerers" can potentially drive innovation and also potentially drive ecosystem improvements
Implicit Assumptions Applicable To DIY Models
• DIY can be a sweet way to save cash, but it isn't going to be totally "free." You WILL need to invest some "sweat equity," instead.
• A DIY approach shouldn't be just totally ad hoc, it should have an articulable theoretical basis/rational foundation
• The approach employed must be able to be horizontally replicated (e.g., be generalizable to at least your friends, if not the whole Internet), and thus cannot rely on the local existence of a willing expert (or secret heuristics) in order to succeed
• NOT require a total (and totally impractical!) redesign of your operational environment – you need to be able to just "drop it in"
• A DIY approach CANNOT require that you "stand at the stove and stir continually" – you've got other stuff you still have to do.
  – For example, manually adding IPv4 /32's to a local block list (as spam/phishing/malware gets locally noticed and manually reported) doesn't scale
Managing Security Exposures with DNS RPZ
• As someone who has worked with DNS a little, I think DNS may be a promising substrate for implementing DIY security measures
• DNS Response Policy Zones (RPZ) allow us to use DNS as a control point: DNS RPZ can make identified unwanted domains locally return NXDOMAIN (thereby keeping users from accidentally wandering into online minefields and experiencing traumatic cyber amputations)
• RPZs can be published/shared with other sites, but currently there are only a relatively small number of large-scale RPZ publishers (mostly the "usual suspects," see http://dnsrpz.info/).
• It's wonderful to have those mass market/at scale security options, thank you all, but we need more small RPZ providers (the online equivalent of hobby farmers offering exotic fruit/heirloom vegetables at the local Saturday farmer's market).
III. DIY Example #1: Blocking Sources of Unwelcome Behavior By Leveraging Passive DNS and RPZ

Fool me once, shame on you; fool me twice, shame on me.
Anonymous
Everyone Sees Attacks – But What Do You Do About Them?
• Everyone connected to the Internet sees attempted attacks
• Sometimes those attacks are already known to the vendors of the threat feeds you use; other times, they may not be.
• Some of you may automatically submit threat data to your threat intelligence provider, enriching those feeds and improving the protection that everyone enjoys (including yourself)
• But sometimes NOTHING gets done with that attack information. When nothing is done after an attack, a bad guy can pound on you, and keep pounding on you from what should now be a well-known-to-be-bad location. Permitting that is dumb.
• Other times there may be a delay between the time threat information gets shared, and the time that threat information gets incorporated into public threat feeds. It would be useful to reduce that window of vulnerability.
Leveraging Passive DNS
• Passive DNS is a well-known approach among threat analysts. Normally a threat analyst will take an initial "clue" (such as a suspicious IP, suspicious domain, or suspicious DNS server) and use passive DNS to find additional related bits of badness.
• This same process can also be leveraged for the development of domain lists to be blocked via a "DNS firewall" implemented with RPZ, complementing and extending IP-based blocking.
• For example, from a recent syslog file on an employee system:
  May 3 11:34:10 [snip] sshd: refused connect from 118.175.5.100
  May 3 11:59:12 [snip] sshd: refused connect from 118.175.5.100
  [etc]
• Those attempts are getting automatically blocked, but being a "belt and suspenders" sort of person, what else might we block?
• Let's check passive DNS...
Simple Passive DNS for 118.175.5.100

$ dnsdb_query.py -i 118.175.5.100 --after=30d
makarak.com. IN A 118.175.5.100
www.makarak.com. IN A 118.175.5.100
[no other domains seen in the last month]

$ whois makarak.com
[...]
Registrant Name: makarak
Registrant Organization: makarak
Registrant Street: makarak
Registrant City: makarak
Registrant State/Province: Krung Thep Maha Nakhon Bangkok
Registrant Postal Code: 99999
Registrant Country: TH
Registrant Phone: +999.99999999
[etc]
Potential Action Options
• Do nothing (After all, the unauthorized ssh access attempts are currently getting blocked, but doing nothing feels... incomplete).
• Report the obviously incomplete/inaccurate whois via WDPRS (see https://forms.icann.org/en/resources/compliance/complaints/whois/inaccuracy-form). The problematic whois information may be an innocent clerical error, a domain that's been hijacked, or something less savory. We don't know/can't say. Cleaning up the whois is a nice first step to finding out.
• Add that domain to a locally maintained RPZ zone. Why? Assume the domain moves to a new IP. If we're blocking by IP, once the bad guy moves, he's free to do bad stuff again (at least until he gets relisted). If we block by domain name, the bad guy's attempt to avoid blocklisting by moving to a new IP address will accomplish precisely nothing – he'll still be blocked.
"Hold On. What's RPZ?"
• RPZ == DNS Response Policy Zones, see https://dnsrpz.info/ RPZ is supported by current versions of multiple name server software products.
• RPZ allows a local site to intentionally rewrite/override how a domain would normally resolve.
• For instance, if you don't want to allow your local users to accidentally access example.com, you can make your DNS return NXDOMAIN for that domain, redirect to a captive web portal, etc.
• This allows DNS to be used as a "firewall" of sorts, protecting all applications that might otherwise try to access a bad domain.
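The pipeline the preceding slides describe (refused sshd connections in syslog, a passive DNS lookup on the offending IP, the resulting domains written into a locally maintained RPZ zone that answers NXDOMAIN) as an added Python example. This is not code from the talk or from Farsight. The syslog lines other than the two on the slide, the passive DNS answers for 192.0.2.77, the NEVER_BLOCK whitelist and the zone origin local-rpz.example. are constructed; the PDNS_BY_IP dictionary stands in for the dnsdb_query.py lookup.

```python
import re

# Constructed sample syslog lines modelled on the slide's "refused connect" entries.
# The last two lines are added to show filtering; every IP other than the slide's
# 118.175.5.100 is an RFC 5737 documentation address.
SAMPLE_SYSLOG = """\
May  3 11:34:10 host sshd[1201]: refused connect from 118.175.5.100
May  3 11:59:12 host sshd[1202]: refused connect from 118.175.5.100
May  3 12:02:44 host sshd[1203]: refused connect from 192.0.2.77
May  3 12:03:01 host sshd[1204]: Accepted publickey for alice from 198.51.100.9
"""

# Constructed stand-in for a passive DNS lookup by IP (the slide runs dnsdb_query.py -i).
# Maps an IP to the (rrname, rrtype, rdata) records seen pointing at it in the lookback window.
PDNS_BY_IP = {
    "118.175.5.100": [("makarak.com.", "A", "118.175.5.100"),
                      ("www.makarak.com.", "A", "118.175.5.100")],
    "192.0.2.77": [("cdn.example.", "A", "192.0.2.77"),
                   ("ns1.example.", "A", "192.0.2.77")],
}

# Names that must never land in the block zone: the "whitelisting" the first section
# relies on to keep collateral damage low (constructed for this example).
NEVER_BLOCK = {"ns1.example"}

REFUSED = re.compile(r"sshd\[\d+\]: refused connect from (\d{1,3}(?:\.\d{1,3}){3})")


def refused_ips(syslog_text):
    """Distinct source IPs of refused sshd connections, in first-seen order."""
    seen = []
    for line in syslog_text.splitlines():
        m = REFUSED.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def pdns_domains(ip, pdns=PDNS_BY_IP):
    """Hostnames (without trailing dot) that passive DNS has seen with an A record for ip."""
    return sorted({name.rstrip(".") for name, rrtype, _ in pdns.get(ip, []) if rrtype == "A"})


def collapse(domains, never_block=NEVER_BLOCK):
    """Drop whitelisted names, then drop any name whose parent is also in the set,
    because the parent's wildcard rule already covers it."""
    keep = {d for d in domains if d not in never_block}
    return sorted(d for d in keep
                  if not any(d.endswith("." + other) for other in keep if other != d))


def rpz_zone(domains, origin="local-rpz.example.", serial=2016052301):
    """Render an RPZ zone in which each domain and its subdomains carry the
    'CNAME .' action, i.e. the resolver answers NXDOMAIN for them."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 600 604800 300",
        "@ IN NS localhost.",
    ]
    for d in domains:          # owner names are relative to $ORIGIN, as RPZ expects
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


def syslog_to_rpz(syslog_text, pdns=PDNS_BY_IP):
    """Whole pipeline: refused IPs -> passive DNS -> collapsed domain list -> RPZ zone text."""
    found = set()
    for ip in refused_ips(syslog_text):
        found.update(pdns_domains(ip, pdns))
    return rpz_zone(collapse(found))


if __name__ == "__main__":
    print(syslog_to_rpz(SAMPLE_SYSLOG))
```

The whitelist step is the part worth keeping when you adapt this: a shared hosting IP in passive DNS drags in every name that ever pointed at it, so check what a lookup returned before it becomes a rule, and bump the SOA serial on every change so secondaries pick the zone up.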
"But Vixie! I Don't Want to Chase Dotted Quads!"
• Okay. You can still leverage the power of passive DNS and RPZ.
• For instance: take the list of CIDRs on the Spamhaus DROP and EDROP lists (www.spamhaus.org/drop) as input to passive DNS, checking to see what domains are used in those 868 CIDRs...
• Those lists currently expand via passive DNS to 200,680 unique hostnames seen within the past 30 days, or, if we simplify that list by running it against the effective TLD list, we can find 65,459 unique domains (43,742 of those are from the com TLD, FWIW)
• Domain names seen include domain names with:
  -- randomly-generated-appearing components (DGA's?)
  -- domains associated with the online sale of RX drugs
  -- brands heavily targeted for infringement (Nike, Oakley, etc)
  -- brands heavily targeted by phishers (Paypal, etc.)
  -- "antivirus"-related domains
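The CIDR-to-domain expansion above, as an added Python example that is not code from the talk: hostnames observed in passive DNS are filtered to those resolving into the listed ranges, then collapsed against an effective TLD list to registrable domains and counted per TLD. It goes slightly beyond the slide in that the collapse implements the full publicsuffix.org matching rules (longest match, wildcard rules such as *.ck, exception rules such as !www.ck) rather than a plain suffix lookup. The CIDRs, the passive DNS observations, and the excerpt of the Public Suffix List are constructed (the .example entries are there only to keep the data offline); the real lists have thousands of entries.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the DROP/EDROP CIDR list (RFC 5737 documentation ranges, not real listings).
DROP_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed passive DNS observations: (rrname, A-record rdata) seen in the lookback window.
PDNS_OBSERVATIONS = [
    ("mail.example.", "192.0.2.10"),
    ("www.example.", "192.0.2.10"),
    ("xk3f9q2.example.net.", "192.0.2.55"),
    ("shop.cheap-rx.example.org.", "192.0.2.56"),
    ("login.example.co.uk.", "198.51.100.7"),
    ("a.b.example.co.uk.", "198.51.100.7"),
    ("sub.my.pvt.k12.ma.us.", "198.51.100.120"),
    ("unrelated.example.", "203.0.113.1"),      # outside the listed ranges
]

# Constructed excerpt of the effective TLD / Public Suffix List in publicsuffix.org rule
# syntax: plain rules, one wildcard rule (*.ck) and one exception rule (!www.ck).
PUBLIC_SUFFIX_RULES = [
    "com", "net", "org", "example", "uk", "co.uk", "us", "k12.ma.us", "pvt.k12.ma.us",
    "ck", "*.ck", "!www.ck",
]


def registrable_domain(hostname, rules=PUBLIC_SUFFIX_RULES):
    """Collapse a hostname to public suffix + one label using the publicsuffix.org algorithm:
    an exception rule wins outright, otherwise the longest matching rule, where a wildcard
    rule matches one extra label. Returns None when the name is itself a public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    exceptions = {r[1:] for r in rules if r.startswith("!")}
    plain = {r for r in rules if not r.startswith("!")}
    suffix_len = 0
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in exceptions:
            suffix_len = len(labels) - i - 1      # suffix is one label shorter than the rule
            break
        parent_wild = "*." + ".".join(labels[i + 1:]) if i + 1 < len(labels) else None
        if cand in plain or parent_wild in plain:
            suffix_len = max(suffix_len, len(labels) - i)
    if suffix_len == 0:
        suffix_len = 1                            # PSL default rule "*": unlisted TLD is the suffix
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def hostnames_in_cidrs(cidrs, observations=PDNS_OBSERVATIONS):
    """Hostnames passive DNS has seen resolving into any of the listed CIDRs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return {rrname.rstrip(".") for rrname, rdata in observations
            if any(ipaddress.ip_address(rdata) in n for n in nets)}


def summarize(cidrs=DROP_CIDRS, observations=PDNS_OBSERVATIONS, rules=PUBLIC_SUFFIX_RULES):
    """The slide's numbers in miniature: unique hostnames, unique registrable domains,
    and how those domains split by TLD."""
    hosts = hostnames_in_cidrs(cidrs, observations)
    domains = {d for d in (registrable_domain(h, rules) for h in hosts) if d}
    by_tld = Counter(d.rsplit(".", 1)[-1] for d in domains)
    return {"hostnames": len(hosts), "domains": sorted(domains), "by_tld": dict(by_tld)}


if __name__ == "__main__":
    print(summarize())
```

Collapsing to the registrable domain is what makes the resulting list usable as RPZ input: one rule per registrable domain (with a wildcard for its subdomains) instead of one rule per observed hostname.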
IV. DIY Example #2: "Cheap Public Suffixes" RPZ Zone

Cheap things are not good, good things are not cheap.
Chinese Proverb
Hypothetical: "Cheap Public Suffixes" RPZ
• Miscreants need a continual stream of new domains because current ones get blocklisted as soon as they begin to be used.
• Miscreants use free domains (or subdomains), or buy the cheapest domains they can find (that aren't widely blocklisted).
• Typical end users largely (but not exclusively) buy domains in traditional gTLDs or a relatively small set of ccTLDs.
• Price isn't critical for most users with just a few domains.
• HYPOTHETICALLY, some cheap public suffixes may be a disproportionate source of unwanted traffic (and, conversely, NOT a material source of legit traffic)
• A site might thus construct a DIY "threat feed" that blocks traffic from cheap public suffixes via RPZ (prices change relatively slowly, and new public suffixes are uncommon, so maintaining such a zone shouldn't be very painful).
Wait, Wait: What's a Public Suffix Again?
• Quoting https://publicsuffix.org/
  A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.
• There are just under 8,000 public suffixes at this time. Many of them you will never see, much less see heavily abused. Some public suffixes you may ONLY see in conjunction with abuse.
• If you're running an enterprise network (rather than an ISP), you might decide that there are some public suffixes that you can "live without."
Blocking Entire Public Suffixes: A "Nuclear" Option That Apparently Does Nonetheless Get Used
• Blocking entire public suffixes is a potentially hugely problematic practice, and will likely cause collateral damage. Thus, this is something that we really hope would normally not be necessary. We'd hope that those responsible for public suffixes would curb the worst abuses associated with their part of the namespace.
• Therefore, normally at least one dot is required in an RPZ filter rule (e.g., by default RPZ expects you to be filtering foo.bar, not just a TLD such as *.bar). However, this default can be changed.
• We know (from first hand reports) that some (typically enterprise-ish) sites DO currently block access to some entire public suffixes.
• Commercial managed DNS services (such as OpenDNS Umbrella), do offer this – see for example https://support.opendns.com/entries/26514730-Web-Content-Filtering-and-Security.
Which Public Suffixes Are Currently Least Expensive?
• There are sites that track at least part of this: https://tld-list.com/
• If we operationalize "inexpensive" Public Suffixes as those that are available for <= $1/domain, at the time this was prepared, TLDs known to be under that dollar per domain threshold include: .xyz, .top, .bid, .science, .loan, .racing, .win, .faith, .review, .trade, .date, .webcam, .party, .download, .accountant, .cricket, .pw, .press, .website, .site, .tech, .space, .online, .club, and .in
• That list would also include .info, .com, and .us (at least right now), but we should probably exclude those legacy TLDs due to collateral damage considerations.
• There are other TLDs in that list that also appear to be dealing with the abuse issues they face, such as .site and .in, and which therefore might also be candidates for exclusion.
• What you do/don't block is up to you: your network, your rules.

"What If All The Listed Suffixes Just Raised Their Price To $1.01 or $2 or [fill in the number here]?"
• Answer #1: This would be good: criminal costs just increased.
• Answer #2: If necessary, the listing threshold could obviously be floated up, particularly if there were indications that pricing was being set to "game" a protective zone of this sort.
• Answer #3: Eventually we'd expect that most suffixes would increase in price until eventually they'd be on par with normal/non-sale dot com domain pricing (this is a decision for the entity controlling each public suffix).
• Overall Answer: RPZ can be used as a way for sites to deal with a particular category of domains (such as the current lower tail of the public suffix cost distribution), regardless of what exact "cut point" might happen to be.
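The "cheap public suffixes" zone of the last several slides, as an added Python example (not code from the talk or from Farsight): select suffixes at or below a price threshold, apply the two exclusion sets the slides discuss (legacy TLDs, suffixes that are visibly dealing with their abuse), check the selection against the domains your own site needs before publishing, and render the suffix-wide RPZ rules. The threshold is a parameter so the cut point can be floated up as the slide suggests. The price table is constructed and illustrative only (the slide's figures came from tld-list.com at the time); the zone origin cheap-suffix-rpz.example. and the needed-domain list are assumptions.

```python
# Constructed price table (USD per first-year registration). Illustrative only; real prices
# come from a tracker such as tld-list.com and change over time.
TLD_PRICES = {
    "xyz": 0.99, "top": 0.88, "win": 0.50, "science": 0.95, "site": 0.99, "in": 0.99,
    "info": 0.99, "com": 0.99, "us": 0.99, "net": 9.99, "org": 10.99, "io": 32.00,
}
LEGACY_EXCLUDE = {"com", "info", "us"}   # legacy TLDs excluded on collateral-damage grounds
REMEDIATING_EXCLUDE = {"site", "in"}     # suffixes that appear to be dealing with their abuse


def cheap_suffixes(prices, threshold=1.00, exclude=frozenset()):
    """Public suffixes priced at or below the threshold, minus explicit exclusions.
    Raising the threshold is how the listing cut point gets 'floated up'."""
    return sorted(s for s, p in prices.items() if p <= threshold and s not in exclude)


def collateral(suffixes, needed_domains):
    """Domains the site legitimately needs that a suffix-wide rule would catch.
    Run this before publishing: every hit needs an exclusion or a passthru rule."""
    chosen = set(suffixes)
    return [d for d in needed_domains
            if d.lower().rstrip(".").rsplit(".", 1)[-1] in chosen]


def suffix_rpz(suffixes, origin="cheap-suffix-rpz.example.", serial=2016052301, action="."):
    """RPZ records blocking whole public suffixes: one rule for the bare suffix and one for
    *.suffix. action '.' means NXDOMAIN; a hostname such as 'portal.example.' would redirect
    instead. The bare-suffix owner names have no dot, so the resolver's default of requiring
    at least one dot in a rule (mentioned on the slide) must be relaxed for them."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 600 604800 300",
        "@ IN NS localhost.",
    ]
    for s in suffixes:
        lines.append(f"{s} CNAME {action}")
        lines.append(f"*.{s} CNAME {action}")
    return "\n".join(lines) + "\n"


def build(prices=TLD_PRICES, threshold=1.00,
          exclude=LEGACY_EXCLUDE | REMEDIATING_EXCLUDE, needed_domains=()):
    """Select suffixes and refuse to publish if they would break something the site needs."""
    chosen = cheap_suffixes(prices, threshold, exclude)
    hits = collateral(chosen, needed_domains)
    if hits:
        raise ValueError(f"suffix block would break needed domains: {hits}")
    return suffix_rpz(chosen)


if __name__ == "__main__":
    print(build(needed_domains=["www.example.com", "intranet.example.net"]))
```

The refusal in build() is deliberate: a suffix-wide rule is the nuclear option the slides describe, and the cheapest safeguard is to fail closed at generation time rather than discover the collateral damage from helpdesk tickets.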
"What About All Those Already-Registered Domains in Cheap Public Suffixes?"
• Traditional per-domain-based blocklisting can deal with legacy already-registered domain inventory.
• Most cheap domains are only registered for a year, and, at renewal, new pricing would typically apply.
• The crucial point for this hypothetical model is denying cyber-criminals a cheap and reliable supply of newly-created domains.
• Aside: this is the same problem Farsight already directly attacks with our Newly Observed Domain (NOD) RPZs, but this puts pressure on a different dimension of the problem.
V. DIY Example #3: Bayesian Registrar Scoring

"He that walketh with the wise, shall be wise: a friend of fools shall become like to them."
Proverbs 13:20, Douay-Rheims 1899 American Edition
Another Hypothetical Example: Bayesian Filtering of Bad Guy-Preferred Registrars
• Each domain has an associated registrar. Some registrars are favorites of the Fortune 500. A second category of registrar might specialize in handling high volume domainer registrations. Other registrars specialize in providing domains for cybercriminals.
• Let's assume that there are some registrars loved by the bad guys and little used by legitimate domain registrants.
• Now imagine a publicly available DNS zone that maps domain names to registrars (much as the University of Oregon's Routeviews Project offers DNS zones mapping IP addresses to ASNs).
• The registrar data needed for such a zone is currently available from domain name registry Whois (no need to do recursion to the registrar's Whois data).
Example of Domain Name Registry Whois

Domain Name: FARSIGHTSECURITY.COM
Registrar: GANDI SAS
Sponsoring Registrar IANA ID: 81
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: NS5.DNSMADEEASY.COM
Name Server: NS6.DNSMADEEASY.COM
Name Server: NS7.DNSMADEEASY.COM
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Updated Date: 14-dec-2015
Creation Date: 24-jan-2013
[etc]
How We Might Use f(domain) → registrar?
• That function could hypothetically be used in email to map spamvertised URL domains to the registrar used, and then let Bayes classifiers do their thing with that additional token.
• E.G., like this, but for registrars rather than ASNs
  https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_ASN.txt
• Anyone interested in this sort of zone?
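The registrar-token idea of this section, as an added Python example that is not code from the talk, from Farsight, or from SpamAssassin: f(domain) → registrar is served from a dictionary standing in for the hypothetical domain-to-registrar zone, every URL in a message yields a REGISTRAR: token (the analogue of the ASN plugin's tokens), and a small Bernoulli naive Bayes classifier learns from those tokens. The farsightsecurity.com entry is taken from the registry Whois excerpt on the slide; the other zone entries, registrar names and the training messages are constructed.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for the hypothetical domain -> registrar zone. The first entry comes
# from the registry Whois excerpt on the slide; the rest are made-up registrars on reserved names.
REGISTRAR_ZONE = {
    "farsightsecurity.com": "GANDI SAS",
    "bank.example": "REG-BLUECHIP",
    "news.example": "REG-BLUECHIP",
    "cheap-rx.example": "REG-SKETCHY",
    "win-prize.example": "REG-SKETCHY",
    "free-av.example": "REG-SKETCHY",
}

URL = re.compile(r"https?://[^\s<>\"']+")


def registrar_of(hostname, zone=REGISTRAR_ZONE):
    """f(domain) -> registrar: walk up the name so a host under a registered domain
    inherits that domain's registrar. Names absent from the zone get a distinct token."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        registrar = zone.get(".".join(labels[i:]))
        if registrar:
            return registrar
    return "UNKNOWN"


def registrar_tokens(message):
    """One REGISTRAR: token per URL in the message, the registrar analogue of the
    ASN tokens the SpamAssassin ASN plugin adds for the sending relay."""
    tokens = []
    for url in URL.findall(message):
        host = urlsplit(url).hostname
        if host:
            tokens.append("REGISTRAR:" + registrar_of(host))
    return tokens


class BernoulliNB:
    """Minimal Bernoulli naive Bayes over token presence, with add-one smoothing."""

    def __init__(self):
        self.docs = Counter()
        self.present = {"spam": Counter(), "ham": Counter()}

    def train(self, label, tokens):
        self.docs[label] += 1
        self.present[label].update(set(tokens))

    def p_spam(self, tokens):
        """P(spam | tokens): prior log-odds plus one smoothed log-likelihood ratio per token."""
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])
        for t in set(tokens):
            p_s = (self.present["spam"][t] + 1) / (self.docs["spam"] + 2)
            p_h = (self.present["ham"][t] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_s / p_h)
        return 1 / (1 + math.exp(-log_odds))


# Constructed training corpus: a few messages with their verdicts.
TRAINING = [
    ("spam", "Refill today at http://shop.cheap-rx.example/buy"),
    ("spam", "You won! Claim at http://win-prize.example/claim"),
    ("spam", "Your PC is infected, scan at https://free-av.example/ then read https://news.example/x"),
    ("ham", "Statement ready: https://www.bank.example/login"),
    ("ham", "Good read: https://news.example/article"),
    ("ham", "Slides at https://www.farsightsecurity.com/"),
]


def trained_classifier(corpus=TRAINING):
    nb = BernoulliNB()
    for label, text in corpus:
        nb.train(label, registrar_tokens(text))
    return nb


if __name__ == "__main__":
    clf = trained_classifier()
    print(clf.p_spam(registrar_tokens("http://deals.cheap-rx.example/")))
```

Two properties make this safe to bolt onto an existing filter: a registrar that the zone does not know produces a neutral token (the smoothed likelihood ratio is 1), and a registrar seen in both classes only shifts the score by its observed ratio, so the token adds evidence without overriding the body-text tokens a real classifier also uses.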
"Risk Management"
• We used to all be philosophical purists: we'd do the right thing, for the right reason, because it was the right thing to do.
• Now "everyone" (well, a lot of people) have become pragmatists.
  – They do what seems to help right now (what's that about long term?)
  – We do what "pencils out," cost/benefit wise
  – We may only do what compliance requirements say we must do.
• This often means giving up historically-enjoyed "luxuries:"
  – Trust-by-default, Convenience, Privacy, Being A Good Network Neighbor
  – Etc.
• Example: because it is so hard to tell friends from enemies, assume everyone is hostile unless proven otherwise
• Network/system version of this: "default deny" policies
System/Network Examples of "Default Deny" Today
• $ umask 077
• Email addresses are not shared by default (try to find a publicly available email directory for an institution other than a university!)
• Social media pages are increasingly private by default (e.g., mashable.com/2014/05/22/facebook-private-default-setting/)
• Apps/executables are all untrusted by default, except for those that have been heavily scrutinized and whitelisted.
• All ports are blocked inbound at the border firewall, except for specifically allowed exceptions.
• This is all generally accepted as an example of people being "network savvy" or "streetwise online."
• The big exception? DNS. DNS is the last "hippie protocol." DNS remains idealistic/"free love"/"default permit." (Of course, that means DNS also tends to work pretty well by default)
FWIW, "DNS Deny By Default" Would Not Mean Just Blocking End User Access to Arbitrary Resolvers...
• Forcing users to use a specified recursive resolver (normally their ISP's recursive resolver or their company's recursive resolver) has become pretty common since DNSChanger and similar threats. See for example "Messaging Anti-Abuse Working Group (MAAWG) Overview of DNS Security - Port 53 Protection," https://www.m3aawg.org/sites/default/files/maawg_dns_port_53v1.0_2010-06.pdf
• That document's full of great recommendations, but it doesn't go as far as calling for a full "Deny by Default" model for DNS.
• Today we're actually talking about forcing use of a specified recursive resolver AND controlling the resolution (domain by domain) that does (or doesn't) take place on that resolver, changing from default permit (resolve anything) to default deny (only resolve the domains that are locally necessary).
A Conceptual Model For "Default Deny" via RPZ
• Conceptually, rather than a default permit ("resolve everything by default, except for the following bad things we'll edit out") model, a default deny approach might redirect users to a web "portal" where they could request permission to access a new, never-before-requested domain. Having requested and received permission for that domain, the domain would then resolve, and continue to resolve unless/until revoked by the site.
• As part of adding a requested domain, a site might automatically check the domain characteristics, or review its reputation at sites such as WOT.
• Permission could even be granted semi-automatically (ask for permission, maybe complete a simple Captcha, then you're GTG).
• Permitted domains can also be reviewed in real time by a site's security team, or audited retrospectively (including reviewing who requested what domains).
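The conceptual model on this slide, as an added Python example that is not code from the talk: a policy object in which a queried name resolves only if it is local or has been requested and granted, everything else is steered to the request portal, grants can be revoked, an optional automated reputation check can refuse a request, and an audit trail records who asked for what. The permitted set is rendered as RPZ passthru records (CNAME rpz-passthru. is the RPZ action that exempts a name from the zone's other rules). The portal name portal.corp.example., the local suffix corp.example, and the grant expiry (an addition beyond the slide, which only mentions revocation) are assumptions; how the catch-all redirect to the portal is expressed differs between resolvers and is left out.

```python
from datetime import datetime, timedelta


class DefaultDenyPolicy:
    """Constructed model of the slide's default-deny resolver: names resolve only when they are
    local or have been requested and granted; everything else is steered to the portal."""

    def __init__(self, portal="portal.corp.example.", local_suffixes=("corp.example",)):
        self.portal = portal
        self.local = set(local_suffixes)   # always resolvable without a request (assumption)
        self.permitted = {}                # domain -> grant record
        self.audit = []                    # (when, event, domain, who)

    def request(self, domain, who, now, reputation_ok=None, ttl_days=90):
        """Request permission for a domain. reputation_ok is an optional callable standing in
        for the automated characteristic/reputation check the slide mentions (e.g. WOT); when
        it returns False the request is denied and logged. Grants expire after ttl_days unless
        renewed (an assumption beyond the slide)."""
        domain = domain.lower().rstrip(".")
        if reputation_ok is not None and not reputation_ok(domain):
            self.audit.append((now, "denied", domain, who))
            return False
        self.permitted[domain] = {"requested_by": who, "granted_at": now,
                                  "expires_at": now + timedelta(days=ttl_days)}
        self.audit.append((now, "granted", domain, who))
        return True

    def revoke(self, domain, who, now):
        """Revocation by the site's security team; the name goes back to the portal."""
        domain = domain.lower().rstrip(".")
        if self.permitted.pop(domain, None) is not None:
            self.audit.append((now, "revoked", domain, who))
            return True
        return False

    def decide(self, qname, now):
        """('passthru', None) if qname or an ancestor is local or currently permitted,
        else ('redirect', portal). Matching walks up the name, so a grant for
        example.net also covers www.example.net."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            if cand in self.local:
                return ("passthru", None)
            grant = self.permitted.get(cand)
            if grant is not None and grant["expires_at"] > now:
                return ("passthru", None)
        return ("redirect", self.portal)

    def rpz_records(self, now):
        """RPZ records for the local suffixes and the currently permitted set.
        'CNAME rpz-passthru.' is the RPZ action that lets a name resolve normally."""
        names = sorted(self.local) + sorted(d for d, g in self.permitted.items()
                                            if g["expires_at"] > now)
        out = []
        for d in names:
            out.append(f"{d} CNAME rpz-passthru.")
            out.append(f"*.{d} CNAME rpz-passthru.")
        return out

    def requested_by(self, domain):
        """Retrospective audit: who was granted this domain, and when."""
        domain = domain.lower().rstrip(".")
        return [(when, who) for when, event, d, who in self.audit
                if d == domain and event == "granted"]


if __name__ == "__main__":
    now = datetime(2016, 5, 23, 9, 0)
    policy = DefaultDenyPolicy()
    policy.request("example.net", "alice", now)
    print(policy.decide("www.example.net.", now))
    print("\n".join(policy.rpz_records(now)))
```

Two details matter in practice: decisions are made per registrable domain rather than per hostname (otherwise every CDN hostname becomes a separate portal round trip), and every grant, denial and revocation goes into the audit list so the "who requested what" review the slide mentions is possible after the fact.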
VII. Conclusion

"It's a great country: you can say whatever you like so long as it is strictly true—nobody will ever take you seriously."
Edward Abbey, Desert Solitaire
Key Takeaways
• Do-it-yourself can make sense as a strategy for leveraging threat intelligence without having to rely on traditional vendor threat feeds.
• Passive DNS and DNS Response Policy Zones can be powerful tools in your DIY threat intelligence toolbox, complementing and supplementing other tools you may already be using.
• We've considered multiple examples of how this might be done:
  1) Leveraging Passive DNS with RPZ
  2) A "Cheap Public Suffixes" RPZ
  3) Bayesian Registrar Scoring
  4) Moving to "Default Deny" for DNS
• We hope you experiment a little with these approaches, and share what works for you.
• Thank you! Are there any questions?