This is a ton of fun, and a great tool for learning. Enjoy!
BananaGlee. I just love saying that word 😉
So, I was reading up on the NSA backdoors for Cisco and other OSes, http://cryptome.org/2014/01/nsa-codenames.htm, and got to thinking about how the NSA might exfiltrate their data or run updates… It’s gotta be pretty stealthy, and I’m sure they have means of reflecting data to/from their Remote Operations Center (ROC) in such a way that you can’t merely look for odd destination IPs leaving your network.
This got me thinking about how I would find such data on a network. First off, obviously, I’d have to tap the link between the firewall and the edge router. I’d also want to tap the firewall on all of its internal connections. Each of these taps would be duplicated to a separate network card on a passive device.
1) Eliminate all traffic that originated on one interface and went out another interface. This has to be an exact match. I would think any change other than the TTL would be something that has to be looked at.
2) What is left after (1) would have to be traffic originating from the firewall itself (although not necessarily using the firewall’s IP or MAC). That’s gotta be a much smaller set of data.
3) With the data set from (2), you’ve just gotta start tracing through each one.
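The three steps above, as an added illustration (not code from the original post): two tap captures are represented as constructed packet records, every packet on the inside tap is paired with its exact twin on the outside tap (all headers and payload equal, TTL allowed to drop by one hop), pairs that differ in anything else are set aside for a closer look, and whatever has no twin at all is the residue of step (2). It assumes the firewall forwards without NAT or other header rewriting, which is what the exact-match rule in step (1) requires; the NAT-style rewritten packet in the sample shows how such traffic would surface as "altered" rather than silently disappear. Packet fields, addresses and payloads are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured packet (constructed for the example, not parsed from a pcap)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ttl: int
    payload: bytes


def header_key(p):
    """Everything that must match exactly for 'same packet on both taps'; TTL is deliberately excluded."""
    return (p.src, p.dst, p.proto, p.sport, p.dport, p.payload)


def diff_fields(p, q):
    """Names of the header fields (other than TTL) that differ between two packets."""
    return [f for f in ("src", "dst", "proto", "sport", "dport") if getattr(p, f) != getattr(q, f)]


def triage(inside, outside):
    """Split two tap captures into forwarded pairs, altered pairs and unmatched packets.

    forwarded: identical on both taps except for a one-hop TTL change (step 1)
    altered:   a counterpart exists, but something other than a one-hop TTL change differs
    unmatched: no counterpart at all, i.e. traffic that starts or ends at the firewall (step 2)
    """
    pending = defaultdict(list)
    for q in outside:
        pending[header_key(q)].append(q)

    forwarded, altered, unmatched = [], [], []
    for p in inside:
        bucket = pending.get(header_key(p))
        if bucket:
            q = bucket.pop()
            if abs(p.ttl - q.ttl) == 1:
                forwarded.append((p, q))
            else:
                altered.append((p, q, ["ttl delta %d" % (p.ttl - q.ttl)]))
        else:
            unmatched.append(("inside", p))

    # Second pass: a packet with no exact twin but the same non-empty payload on the other
    # side had its headers rewritten in transit. The post wants anything changed besides
    # TTL examined, so report it as altered instead of letting it pose as firewall traffic.
    by_payload = defaultdict(list)
    for q in (q for bucket in pending.values() for q in bucket):
        by_payload[q.payload].append(q)
    remaining = []
    for side, p in unmatched:
        twins = by_payload.get(p.payload) if p.payload else None
        if twins:
            q = twins.pop()
            altered.append((p, q, diff_fields(p, q)))
        else:
            remaining.append((side, p))
    remaining.extend(("outside", q) for bucket in by_payload.values() for q in bucket)
    return forwarded, altered, remaining


# Constructed sample captures. Addresses are documentation ranges; payloads are placeholders.
INSIDE = [
    Packet("10.0.0.5", "93.184.216.34", "tcp", 40000, 80, 64, b"GET / HTTP/1.1\r\n"),
    Packet("93.184.216.34", "10.0.0.5", "tcp", 80, 40000, 51, b"HTTP/1.1 200 OK\r\n"),
    Packet("10.0.0.6", "198.51.100.20", "udp", 5353, 53, 64, b"\x12\x34\x01\x00"),
]
OUTSIDE = [
    Packet("10.0.0.5", "93.184.216.34", "tcp", 40000, 80, 63, b"GET / HTTP/1.1\r\n"),   # forwarded, TTL-1
    Packet("93.184.216.34", "10.0.0.5", "tcp", 80, 40000, 52, b"HTTP/1.1 200 OK\r\n"),  # forwarded, TTL-1
    Packet("203.0.113.9", "198.51.100.20", "udp", 5353, 53, 63, b"\x12\x34\x01\x00"),    # source rewritten
    Packet("203.0.113.7", "198.51.100.9", "tcp", 51234, 443, 64, b"\x16\x03\x01\x00\x2a"),  # outside tap only
]


if __name__ == "__main__":
    fwd, alt, rest = triage(INSIDE, OUTSIDE)
    print("forwarded unchanged:", len(fwd))
    for p, q, why in alt:
        print("altered in transit:", p.src, "->", q.src, why)
    for side, p in rest:
        print("no counterpart (%s tap): %s:%d -> %s:%d" % (side, p.src, p.sport, p.dst, p.dport))
```

On real captures the same pairing would be run over packets parsed from the two pcaps, and the TTL rule would need to be relaxed for flows the firewall legitimately terminates itself (proxies, its own DNS and NTP), which also land in the unmatched set and have to be explained away one by one, exactly as step (3) describes.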
This would, no doubt, be tons of fun. I don’t know how often the device phones home to the ROC, what protocol they might use, etc…
If anyone has any ideas, I’d love to hear them. I find this extremely fascinating.
So, my boss had asked me last week to read the Mandiant report and see how these Chinese APT1 attacks could be detected on a network both during and after an attack. After reading the report, I was pretty saddened by just how little has been done in the last 20 years in Infosec. The tactics and protocols used to steal data are old (decades old) and stale. My initial reaction was, and is, that users are still not being properly educated AND held responsible for their actions. We’re letting the users off too easily! Corporations are still trying to solve a people problem with software or appliances.
Take a look at the top 15 security startups of 2013 (http://www.businessinsider.com/15-most-important-security-startups-2013-1?op=1). Now, look at how many of these software products ASSUME that the user will do the wrong thing and click on a link or an attachment. We have sandbox technology so that when the user downloads the malware, software can fix it (remember Pelican SafeTNet from the late ’90s / early 2000s). We have software that steers employees away from bad websites (how does this work? A list of bad sites won’t work… downloading the page and running static checks won’t work… I dunno… would be interesting to hear more, but I digress).
Look, if your kids were prone to starting fires while cooking food, is the fix to create a million dollar stove that auto-senses when the heat is too high or when the smell of burnt food is in the air and automatically shuts down? Or, is the fix to teach your kids the proper way to use the stove? If I was a Corporate Security officer, I would make user education a top priority. I would even be willing to bring in a company that specialized in user security education (train the trainer type stuff). That would be money well spent. Every new user gets a class in computer security complete with a hands-on lab, test, and an Acceptable Use policy that they sign after completion. Existing users have to “re-certify” every year when they get a performance review.
Next, hold the user accountable for their actions after completing said training. In this day and age, a compromised computer inside the network is a license to steal. Having a computer with Internet access is a serious responsibility. If you mess up and do what you were trained NOT to do, then you are punished. Keep messing up and you get your pink slip. Users aren’t as stupid as we make them out to be. If their actions impact their bottom line, they will act accordingly. If we don’t hold the user responsible, why do they have any reason to change their behavior?
And, on a related tangent, maybe I’m just too old school but I don’t understand why a company would allow their employees (paid to do a Corporate-related job) to surf social media, p2p, job-search sites, dating sites, web-based email, etc. etc.
I had the chance to hang out at the SECCDC yesterday at Kennesaw State University. For those not familiar with these events (I wasn’t either, until yesterday), colleges bring in teams to defend a network against a ‘red team’. UNC Charlotte defended their network better than the other colleges. It was interesting to see these schools throwing in block filters, redirects, etc. on the fly. Impressive from a bunch of college students. The red team was equally impressive. There wasn’t a box that they didn’t, at some point, thoroughly root…
One interesting note. During the competition, there was a full power outage. UPSes died. Images were lost. Router configs were killed. It set the entire competition back a few hours (at least). Just a reminder that physical security is every bit as important as logical security…