Tuesday, June 20, 2006

USENIX, TechEd 2006 Trip Report

Saw Richard Bejtlich's talk at USENIX and Mark Russinovich's at TechEd. Russinovich gives the most complete assessment of the malware problem and the best technical discussion of the arms race taking place in the Windows rootkit space. Bejtlich discussed security operations and incident response and made the case for replacing simple IDS alert-based detection with sophisticated network security monitoring capabilities. Papers, etc. available at http://craigchamberlain.com/usenix-teched2006.html

Some memorable Bejtlich quotes:

"Prevention eventually fails; Enterprise is too complex, staffed by overworked, under-resourced administrators meeting 'business requirements;' every enterprise will eventually be compromised."

"Investigations with alert-centric systems quickly end, often without resolving the incident. Analysts stuck with only alert data to inspect cannot make validation and escalation decisions. MSSPs call customers to ask if they have been compromised. Security personnel ignore alerts because they have no other data."

Bejtlich summarizes his network security monitoring methodology like this:

NSM relies upon four forms of traffic-centric data:
– Statistical data (Capinfos, Tcpdstat, Trafshow)
  • Descriptive, high-level view of aggregated events
– Session data (Argus, SANCP, NetFlow)
  • Summaries of conversations between systems
  • Content-neutral, compact; encryption no problem
– Full content data (Tcpdump, Tethereal, Snort as packet logger)
  • All packet details, including application layer
  • Expensive to save, but always the most granular analysis
– Alert data (Snort, Bro, other IDSs)
  • Traditional IDS alerts or judgments (“RPC call!”)
  • Context-sensitive, either by signature or anomaly
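To make the four data types concrete, here is an added example (my own illustration, not code from the post or from the tools Bejtlich names) that derives session and statistical records from constructed packet records and then pivots from an IDS alert into session data, the validation step the quote above says alert-only systems cannot perform. The packet records, hosts and the alert time are all constructed.

```python
# Added example, not from the post or from Bejtlich's tools: build the session
# and statistical data NSM relies on, then use session data to validate an alert.
from collections import defaultdict

# Constructed packet records: (timestamp, proto, src, sport, dst, dport, bytes)
PACKETS = [
    (100.0, "tcp", "10.0.0.5", 51000, "203.0.113.9", 80, 120),
    (100.2, "tcp", "203.0.113.9", 80, "10.0.0.5", 51000, 900),
    (100.5, "tcp", "10.0.0.5", 51001, "203.0.113.9", 443, 600),
    (101.0, "tcp", "203.0.113.9", 443, "10.0.0.5", 51001, 40000),
    (130.0, "tcp", "10.0.0.5", 51002, "198.51.100.7", 8080, 80),
    (130.1, "tcp", "198.51.100.7", 8080, "10.0.0.5", 51002, 80),
    (131.0, "udp", "10.0.0.5", 53001, "10.0.0.1", 53, 70),
]

def sessions(packets):
    """Session data: one record per conversation, keyed by a direction-free
    5-tuple (Argus/SANCP/NetFlow style). Payload is never needed."""
    flows = {}
    for ts, proto, src, sport, dst, dport, size in packets:
        a, b = (src, sport), (dst, dport)
        key = (proto,) + (a + b if a <= b else b + a)
        f = flows.setdefault(key, {"start": ts, "end": ts, "packets": 0, "bytes": 0})
        f["end"] = max(f["end"], ts)
        f["packets"] += 1
        f["bytes"] += size
    return flows

def statistics(packets):
    """Statistical data: aggregate counts per protocol (capinfos/tcpdstat style)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, proto, *_rest, size in packets:
        stats[proto]["packets"] += 1
        stats[proto]["bytes"] += size
    return dict(stats)

def validate_alert(alert_host, alert_time, packets, window=60.0):
    """Pivot from an alert to session data: which peers did the alerted host talk
    to in the window after the alert, and how much moved? An alert alone cannot
    answer this; session records can, even when the traffic is encrypted."""
    followups = []
    for (proto, h1, p1, h2, p2), f in sessions(packets).items():
        if alert_host in (h1, h2) and alert_time <= f["start"] <= alert_time + window:
            peer, port = (h2, p2) if h1 == alert_host else (h1, p1)
            followups.append((f["start"], proto, peer, port, f["bytes"]))
    return sorted(followups)
```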

See also this Best Paper winner from USENIX Security 2005. I met one of the authors prior to publication at DHS Science & Technology 2005, where he described his methods for mapping the sensors belonging to large-scale traffic analysis systems like the SANS Internet Storm Center. The point is that it becomes possible to evade such early warning systems by avoiding the targeting of instrumented networks:

Mapping Internet Sensors With Probe Response Attacks
John Bethencourt, Jason Franklin, Mary Vernon

