Tuesday, February 16, 2010

Advanced Persistent Threat Part III

It certainly is possible to examine host or network outbound conversations. The hard part is deciding which of those conversations are legitimate. Current AV software tries to block access to sites it already knows, or predicts, to be dangerous, but that kind of judgement is evidently failing to stop APT from shipping stolen data to its way stations. On OpenBSD, if we want to see the outbound connections a host makes, we can sniff them with Snort as follows. The BPF filter drops DNS, whois and RIP traffic, broadcast and ARP frames, and anything addressed to the local /24 or to the multicast ranges, so what remains is traffic leaving the network:

/usr/local/bin/snort -D -vdeXX -l . -L `date "+%d%b%H%S%Z%Y.out"` -i dc0  'port not(whois or domain or router) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)' 

On Vista, we might have two interfaces (wired and wireless) to examine, so we start one capture per interface. Port 5353 is added to the filter to drop mDNS, and `-i 1` / `-i 2` are the interface numbers Snort reports with `snort -W`. Without `-L`, Snort names each binary log `snort.log.<epoch seconds>`:

start /min cmd /c C:\snort\bin\snort.exe  -vdeXX -l .  -i 1  port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
start /min cmd /c C:\snort\bin\snort.exe  -vdeXX -l .  -i 2  port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)

Reading the logs back, we are surprised by how much outbound traffic there is. Note that this pipeline counts packets per destination, not connections, since Snort's `-v` output prints one header line per packet. Note also that cmd.exe passes single quotes through literally, so the gawk program has to be double-quoted:
C:\Snort\bin>snort -v -q -r snort.log.1266372570 | find "->" | gawk -F"->" "{print $2}" | sort /R | uniq -c | sort /R
    327  74.125.103.208:80
    133  74.202.67.83:80
    105  216.35.221.76:80
    100  198.104.200.154:80
     51  72.21.91.19:80
     32  96.17.70.50:80
....
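As an added example, not code from the original post, here is a Python version of that tally. It parses the same Snort `-v` header lines, but from a constructed sample rather than a real capture, and reports distinct flows (source address plus source port) and bytes per destination alongside the raw packet count, so the "327 packets to one host" figure above can be read as "how many connections". The script name `tally.py` in the usage comment is hypothetical, and the sample addresses in the 203.0.113.0/24 range are documentation addresses:

```python
"""Tally outbound destinations from Snort's verbose (-v) packet dump.

Snort -v prints one header line per packet,
    MM/DD-HH:MM:SS.ffffff SRC_IP:SRC_PORT -> DST_IP:DST_PORT
followed by protocol detail lines (TTL, DgmLen, flags, ...).  The cmd.exe
pipeline in the post counts those header lines per destination, so its
numbers are packets, not connections.  This script reports packets,
distinct flows (distinct source address + source port) and bytes per
destination, which says far more about how often we really talk to a host.
"""
import re
import sys
from collections import defaultdict

# Per-packet header line as Snort -v prints it for TCP and UDP.  ICMP header
# lines carry no ports and are deliberately not matched.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)
# IP total length, printed on the line after the header.
DGMLEN_RE = re.compile(r"\bDgmLen:(\d+)")

# Constructed sample in the shape of Snort -v output (not a real capture):
# two connections (source ports 49152 and 49153) to one web server, one
# packet each to two other servers, and one ICMP line that is skipped.
SAMPLE = """\
02/16-20:49:30.100001 192.168.0.10:49152 -> 74.125.103.208:80
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1  Ack: 0x2  Win: 0xFFFF  TcpLen: 20
02/16-20:49:30.100002 192.168.0.10:49152 -> 74.125.103.208:80
TCP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:1500 DF
02/16-20:49:31.000001 192.168.0.10:49153 -> 74.125.103.208:80
TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:52 DF
02/16-20:49:31.000002 192.168.0.10:49153 -> 74.125.103.208:80
TCP TTL:128 TOS:0x0 ID:4 IpLen:20 DgmLen:900 DF
02/16-20:49:32.000000 192.168.0.10:49154 -> 198.104.200.154:80
TCP TTL:128 TOS:0x0 ID:5 IpLen:20 DgmLen:52 DF
02/16-20:49:33.000000 192.168.0.10:1025 -> 72.21.91.19:443
TCP TTL:128 TOS:0x0 ID:6 IpLen:20 DgmLen:52 DF
02/16-20:49:34.000000 192.168.0.10 -> 203.0.113.9
ICMP TTL:128 TOS:0x0 ID:7 IpLen:20 DgmLen:60
"""


def parse_packets(text):
    """Yield (src, sport, dst, dport, dgmlen) for each TCP/UDP header line.

    DgmLen is read from the line following the header when present, so byte
    totals can be built from the text dump without reopening the binary log.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        dgmlen = 0
        if i + 1 < len(lines):
            lm = DGMLEN_RE.search(lines[i + 1])
            if lm:
                dgmlen = int(lm.group(1))
        yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), dgmlen


def summarize(text):
    """Return {"dst:port": {"packets", "flows", "bytes"}} for the dump."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": set()})
    for src, sport, dst, dport, dgmlen in parse_packets(text):
        entry = stats[f"{dst}:{dport}"]
        entry["packets"] += 1
        entry["bytes"] += dgmlen
        entry["flows"].add((src, sport))  # one client port per connection
    return {
        k: {"packets": v["packets"], "flows": len(v["flows"]), "bytes": v["bytes"]}
        for k, v in stats.items()
    }


def top_destinations(text, n=10, by="packets"):
    """Destinations ordered like the post's `uniq -c | sort /R`, by any metric."""
    return sorted(summarize(text).items(), key=lambda kv: (-kv[1][by], kv[0]))[:n]


if __name__ == "__main__":
    # Usage:  snort -v -q -r snort.log.1266372570 | python tally.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(f"{'packets':>8} {'flows':>6} {'bytes':>9}  destination")
    for dst, s in top_destinations(text):
        print(f"{s['packets']:>8} {s['flows']:>6} {s['bytes']:>9}  {dst}")
```

Run against the sample, the web server that accounts for four packets turns out to be two connections totalling 2504 bytes, which is the kind of number you can compare with a baseline; a packet count alone cannot separate one long download from many short check-ins.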

One possible response to APT would be real-time coordination between sites suspected of being data-theft transfer stations and real-time (firewall or host) blocking of transfers to those hosts. Such a scheme faces some headwinds, and may have to be implemented per individual or per corporation to avoid "incidental blacklisting" of legitimate hosts. Other approaches might include:

(1) real-time inspection of packet payloads for critical or sensitive information
(2) heuristic detection of data flows that seem 'abnormal'
(3) heuristic detection of file access that seems 'abnormal'
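As an added example that is not part of the original post, the following Python sketches what approach (2) could look like on per-flow records, the kind of summary a capture like the one above or a flow exporter produces. Three cheap heuristics are shown: upload-heavy flows (the shape of a bulk transfer out), destinations never seen in a baseline period, and beaconing (a host contacted at near-constant intervals). The flow records, the baseline set and the addresses are all constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the thresholds (1 MB minimum, 5:1 upload ratio, 10% timing variation) are assumptions, not tuned values:

```python
"""Heuristics for 'abnormal' outbound flows.

Three cheap checks over per-flow records:
  1. upload-heavy flows  (far more bytes out than in: the shape of a bulk
                          transfer of stolen data)
  2. new destinations    (hosts never contacted in a baseline period)
  3. beacons             (a destination contacted at near-constant
                          intervals, the shape of a scheduled check-in)
All thresholds are assumptions chosen for illustration, not tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    start: float      # seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client


# Constructed baseline: destinations seen in an earlier, believed-clean capture.
BASELINE_DESTS = {"74.125.103.208", "198.104.200.154"}

# Constructed flow records (documentation address ranges, nothing real).
FLOWS = [
    # ordinary web browsing: small requests, large responses, irregular timing
    Flow(10.0, "192.168.0.10", "74.125.103.208", 80, 2_000, 150_000),
    Flow(25.0, "192.168.0.10", "74.125.103.208", 80, 1_500, 90_000),
    Flow(200.0, "192.168.0.10", "74.125.103.208", 80, 3_000, 400_000),
    Flow(205.0, "192.168.0.10", "74.125.103.208", 80, 800, 20_000),
    Flow(900.0, "192.168.0.10", "74.125.103.208", 80, 1_200, 75_000),
    Flow(400.0, "192.168.0.10", "198.104.200.154", 80, 900, 60_000),
    # one large upload to a host never seen before
    Flow(650.0, "192.168.0.10", "203.0.113.5", 443, 48_000_000, 9_000),
    # five tiny check-ins to another new host, roughly every 300 s
    Flow(0.0, "192.168.0.10", "198.51.100.7", 80, 400, 300),
    Flow(300.0, "192.168.0.10", "198.51.100.7", 80, 400, 300),
    Flow(601.0, "192.168.0.10", "198.51.100.7", 80, 400, 300),
    Flow(899.0, "192.168.0.10", "198.51.100.7", 80, 400, 300),
    Flow(1200.0, "192.168.0.10", "198.51.100.7", 80, 400, 300),
]


def upload_heavy(flows, min_out=1_000_000, ratio=5.0):
    """Flows that push at least min_out bytes and at least ratio times what
    they pull back.  Browsers download more than they upload, so a large,
    lopsided upload to an unfamiliar server deserves a look."""
    return [f for f in flows
            if f.bytes_out >= min_out and f.bytes_out >= ratio * max(f.bytes_in, 1)]


def new_destinations(flows, baseline):
    """Destinations in this capture that the baseline period never saw."""
    return sorted({f.dst for f in flows} - set(baseline))


def beacons(flows, min_count=4, max_cv=0.1):
    """Destinations contacted at near-constant intervals.

    Returns {dst: mean_interval_seconds} for destinations with at least
    min_count contacts whose inter-arrival times have a coefficient of
    variation (stddev / mean) of at most max_cv.  Human-driven traffic is
    bursty and fails this test; timer-driven traffic passes it.
    """
    starts = defaultdict(list)
    for f in flows:
        starts[f.dst].append(f.start)
    found = {}
    for dst, times in starts.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[dst] = round(avg, 1)
    return found


def report(flows, baseline):
    """Combine the three checks into one dict a triage script could act on."""
    return {
        "upload_heavy": [(f.dst, f.dport, f.bytes_out) for f in upload_heavy(flows)],
        "new_destinations": new_destinations(flows, baseline),
        "beacons": beacons(flows),
    }


if __name__ == "__main__":
    for name, hits in report(FLOWS, BASELINE_DESTS).items():
        print(f"{name}: {hits}")
```

On the sample, the 48 MB upload to 203.0.113.5 and the five evenly spaced contacts with 198.51.100.7 are flagged, both hosts show up as new, and the bursty browsing to the familiar web server passes every check. None of these checks proves theft on its own; their value is in narrowing hundreds of destinations down to the handful worth a human's time.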

The industry awaits such solutions.

1 comment:

  1. Ryan, I agree that it is possible to examine the outbound conversations. In most companies that invest in server support, a thorough inspection of abnormalities in data flows is conducted to fully protect their systems.

    Very informative post. Thanks!