TechWise TV episode 27: Invisible Attackers: Stop the Bot
Show Notes
Air Date: January 10, 2008
Synopsis
Segment 1 – Hiding in Plain Sight
Segment 2 – Understanding the Botnet Threat
Segment 3 – Endpoint Enforcement with CSA
Synopsis
It is often what we don’t know that can hurt us the most. Security challenges continue to evolve as everyone gets smarter and the stakes get that much higher. Security is like a chess match where every move provokes a counter-move, and as we have gotten more intelligent with our defenses, malicious attackers have continued to evolve as well. Now that the focus has shifted from fame to fortune, today’s attacker finds it most advantageous to remain ‘low on the radar’, if not completely invisible. Today’s malicious hacker follows a straightforward credo: “The less you know about my tools and methods, the longer the shelf life and the greater my haul.”
In typical TechWiseTV fashion we pull back the curtain to reveal how today’s smart attacker uses common tools and old-fashioned smarts to accomplish lucrative new goals with YOUR network and YOUR systems.
We promise new insights into 7 critical areas:
1. How attackers are hiding in plain sight and what you can do to ‘flush them out’.
2. How attackers are using normal system features to perform abnormal and malicious acts.
3. Six simple things you can do today to severely limit someone’s ability to cover their tracks.
4. The incredible rise of the botnet, the evolution of its malicious code, and why the economics make so much sense.
5. The feedback loop that perpetuates spam, worms and botnets, and how to avoid becoming an enabler.
6. How attackers use indirection to communicate freely in and out of your network.
7. Where you can start building a dynamic and intelligent defense plan from the inside out.
It’s episode 27 of TechWiseTV: Technology you can use from geeks you can trust
From Jimmy Ray: Funny sometimes how things tend to take on a life of their own. This show was an idea Robb and I had for a podcast. As we were working out the details, Robb came to the realization that we had a TechWise show on our hands. That is the relationship Robb and I have. I am a geek. I can tell disjointed fishing hole stories all day long. Robb is a visionary. He listens and puts together a vision and action plan out of this stuff, and a show is born. Amazing really. This is really how BotMasters work also. (Sorry Robb…) They take the disjointed fabric of the Internet, weave a business plan into it and before you know it, a new idea is born out of the thoughts of many.
Segment 1: Hiding in Plain Sight
Ever go up to someone wearing camo and say something dumb like, “I can’t see you”? I got punched in the head one time for that. (I didn’t know Robb was so sensitive about his wardrobe…) I have been to many hacker conventions and it is easy to spot the noobs, because they tend to brute force their way into systems, being noisy on the wire and breaking many file dependencies to install their own crapware. This type of behavior is great for doing firewall/IDS demos and for Hollywood, but with respect to them, in a demo or movie time is our enemy so we have to get to the point. Please do not confuse demos and movies with reality. Time is on the side of the hacker/bot herder. To keep that advantage, they have to hide in plain sight. Of course encryption is what many folks drift to; truthfully, I prefer my bot herders to encrypt data. I can spot encrypted traffic easily on my network and react to it fast. The scary stuff is hiding files with ADS (Alternate Data Streams) and then calling those files with HTTP. Microsoft has a free tool called Streams that you can download and check for these streamed files. Here is a screenshot of the file we streamed on set and how the Streams utility caught it:
The trick is to make sure you specify the search path or it will not work. Of course we also have covert channels, which are also a threat. These started with a simple ICMP tool called LOKI and they have improved many times over since then. Now CC (as they are called in cool circles, like the 501st Stormtrooper meetings…) use HTTP, TCP and ICMP as transports to funnel information back and forth. Remember, bots are dumb and they need to send information back and forth to work. One of the hiding-in-plain-sight methods we did not discuss was steganography. This is kinda like streaming a file behind another file. Folks are using this “watermarking” process to hide MP3s and porn behind legitimate pictures. Check out the difference between these two files:
Normal picture
Carrier picture with hidden .txt file
Amazing stuff, isn’t it! This is such an awesome field to be working in!! If you can decode this, it has Robb’s Christmas list and home phone number….
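The LOKI-style covert channel described above, as an added example that is not code from the show or from the LOKI tool: the bot side stuffs data into ICMP echo-request payloads, the herder side reassembles it, and a defender-side check flags the flow. Everything is built and parsed as bytes in memory, so it runs without raw sockets. The stock Windows ping payload and the iputils (Linux) pattern are what those clients send by default; the identifier 0x1234 and the check-in message are constructed for the example.

```python
"""LOKI-style ICMP covert channel, built and inspected entirely in memory.

Added example: the packets below are constructed, not captured from the show.
"""
import struct

ECHO_REQUEST = 8
CHUNK = 31  # 1 length byte + 31 data bytes = 32-byte payload, the size of a Windows ping

# Payloads that stock ping clients send: Windows uses a fixed 32-byte alphabet;
# iputils (Linux) sends an 8-byte timestamp followed by the bytes 0x08..0x37.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_TAIL = bytes(range(8, 56))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (type, code, ident, seq, payload); a valid packet checksums to zero."""
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]


def covert_send(ident: int, message: bytes) -> list:
    """Bot side: 31 data bytes per echo request behind a length byte, zero padded."""
    pkts = []
    for seq, off in enumerate(range(0, len(message), CHUNK)):
        chunk = message[off:off + CHUNK]
        payload = bytes([len(chunk)]) + chunk.ljust(CHUNK, b"\x00")
        pkts.append(build_echo(ident, seq, payload))
    return pkts


def covert_receive(pkts: list) -> bytes:
    """Herder side: reassemble by sequence number, dropping the padding."""
    chunks = {}
    for pkt in pkts:
        typ, _code, _ident, seq, payload = parse_echo(pkt)
        if typ == ECHO_REQUEST and payload:
            chunks[seq] = payload[1:1 + payload[0]]
    return b"".join(chunks[s] for s in sorted(chunks))


def looks_like_stock_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_TAIL


def flag_covert(pkts: list) -> dict:
    """Defender side: per identifier, why its echo requests look like a channel.

    Stock pings repeat the same payload (iputils only changes the timestamp);
    a data channel changes the payload on every packet.
    """
    by_ident = {}
    for pkt in pkts:
        typ, _code, ident, _seq, payload = parse_echo(pkt)
        if typ == ECHO_REQUEST:
            by_ident.setdefault(ident, []).append(payload)
    reasons = {}
    for ident, payloads in by_ident.items():
        why = []
        if not all(looks_like_stock_ping(p) for p in payloads):
            why.append("non-stock payload")
        if len({p[8:] for p in payloads}) > 1:
            why.append("payload varies across packets")
        if why:
            reasons[ident] = why
    return reasons


if __name__ == "__main__":
    # Constructed traffic: two stock ping flows and one bot check-in.
    pings = [build_echo(1, s, WINDOWS_PING) for s in range(3)]
    pings += [build_echo(2, s, struct.pack("!Q", 1700000000 + s) + LINUX_TAIL) for s in range(3)]
    bot = covert_send(0x1234, b"bot checking in: host=WS01 user=bob")
    print(covert_receive(bot))
    print(flag_covert(pings + bot))  # only identifier 0x1234 is reported
```

The second check in `flag_covert` is the one worth keeping: a herder can copy the stock ping bytes, but cannot move data without changing something from packet to packet, so a per-identifier comparison of echo payloads catches what a single-packet signature misses.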
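The steganography shown in the two pictures above, as an added example that is not the show's own code or image: a least-significant-bit embed and extract on a constructed 64x64 grayscale gradient standing in for the "normal picture", plus one statistic that exposes the hidden text even though every pixel moves by at most one level. The carrier, the secret text and the LSB-transition check are all assumptions of this example.

```python
"""LSB steganography: hide a file in the low bit of each pixel, then find it.

Added example on a constructed carrier; nothing here is the show's own picture.
"""
import struct

WIDTH = HEIGHT = 64
HEADER_BYTES = 4  # big-endian payload length stored ahead of the data


def make_carrier() -> bytes:
    """Constructed 8-bit grayscale gradient standing in for the 'normal picture'."""
    return bytes((x + y) % 256 for y in range(HEIGHT) for x in range(WIDTH))


def capacity(carrier: bytes) -> int:
    """Bytes of payload the carrier can hold at one bit per pixel."""
    return len(carrier) // 8 - HEADER_BYTES


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _from_bits(bits) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive pixels with length header + payload bits."""
    if len(payload) > capacity(carrier):
        raise ValueError("payload of %d bytes exceeds capacity of %d"
                         % (len(payload), capacity(carrier)))
    stego = bytearray(carrier)
    for i, bit in enumerate(_bits(struct.pack(">I", len(payload)) + payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the header, then exactly that many payload bytes, from the LSB plane.

    An image that carries nothing yields a nonsense length, which is rejected.
    """
    lsb = [p & 1 for p in stego]
    header_bits = HEADER_BYTES * 8
    if len(lsb) < header_bits:
        raise ValueError("carrier too small")
    length = struct.unpack(">I", _from_bits(lsb[:header_bits]))[0]
    end = header_bits + length * 8
    if end > len(lsb):
        raise ValueError("no valid payload: header claims %d bytes" % length)
    return _from_bits(lsb[header_bits:end])


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change; LSB embedding never moves a pixel by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_transition_rate(img: bytes, n: int) -> float:
    """Fraction of neighbouring pixels whose LSBs differ, over the first n pixels.

    A smooth image has a regular LSB plane; embedded data looks like noise.
    """
    lsb = [p & 1 for p in img[:n]]
    return sum(lsb[i] != lsb[i + 1] for i in range(len(lsb) - 1)) / (len(lsb) - 1)


if __name__ == "__main__":
    carrier = make_carrier()
    secret = b"constructed secret: this text rides in the low bit of each pixel"
    stego = embed(carrier, secret)
    print(extract(stego))
    print("max pixel change:", max_pixel_delta(carrier, stego))
    print("LSB transition rate, carrier vs stego:",
          lsb_transition_rate(carrier, 300), lsb_transition_rate(stego, 300))
```

The two images in the show look identical because a one-level change in brightness is invisible, which is the whole point of the technique; the `lsb_transition_rate` check is the kind of thing a defender runs instead of looking, since the low-bit plane of a natural image is structured while embedded data is not. Real stego tools spread bits pseudo-randomly and mimic the carrier's statistics, so treat this statistic as a first-pass screen, not a verdict.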
Segment 2: Understanding the Botnet Threat
Learn how and why botnets have become the engine behind today’s worms, viruses and spam attacks, from the technology that makes them tick to the economics that ensure their survival.
Segment 3: Endpoint Enforcement
Where does data reside, and where does the potential for damage remain the greatest? The endpoint, of course. John Eppich from the Cisco Security Agent Business Unit discusses the tactics attackers use and the defenses you can employ to protect your most valuable assets today. Cisco Security Agent (CSA) uses correlation within its rules to prevent zero-day (unknown) attacks as well as known attacks. Being able to tag something as a network application the moment it touches the network, and then applying preventive rules against malicious behavior, is one of many adaptive ways CSA protects your systems. As an example, bots may reach a system over IRC in a controlled manner or over P2P in an uncontrolled manner. The moment an application touches the network, these zero-day, zero-update policies protect the system from malicious action; CSA does not care about the origin of the attack (IRC, P2P or HTTP). Bots also spread and infect other systems by launching a series of exploits against operating system or application vulnerabilities. Correlation comes into play via default preventive rules whereby CSA can recognize and stop, for example, a remote process that attempts to execute code or steal information. The ability to recognize and stop the automatic installation of software is one of CSA’s most powerful strengths: CSA prompts the user on any such attempt, so nothing can be installed invisibly in the background (as often happens with malware), and corporate policy on such activity can be monitored and enforced down to the per-user level.
Beyond zero-day, zero-update policies, CSA ships other pre-built acceptable-use policies to protect your most valuable assets. One such policy is a Data Theft Policy, which allows you to define ‘sensitive data’ and protect it from a variety of risks such as clipboard abuse (cut and paste between applications), unauthorized applications attempting to interact with that data, and other potential exit points. CSA can also establish control and oversight in a number of other areas:
- Regulatory compliance: assign a PCI compliance policy to a group protecting cardholder data, for example.
- Data center security: deploy security patches on your own schedule rather than your software vendor’s. CSA’s behavioral protection has historically provided protection against new vulnerabilities and threats as they appeared, without signature updates, which goes a long way toward maintaining sanity with database, application and other critical servers.
- IP telephony security: a headless (unmanaged) version of CSA already comes pre-installed on almost all of Cisco’s call management and processing servers. These can be upgraded to managed agents for greater overall visibility and correlation with the rest of your CSA installed base.
Additional information on CSA: www.cisco.com/go/csa