SANS Technology Institute - Candidate for Master of Science Degree

Slide 1: Covert Channels: A Primer for Security Professionals
Erik Couture, GIAC GSEC GCIH GCIA
March 2011

Slide 2: Definition and Origin
Three types of information hiding:
–Cryptography - make the message unreadable
–Steganography - hide the message in another message
–Metaferography - hide the message in the carrier
Easy to design, hard to detect

Slide 3: Covert Channels
Clever misuse of network protocols
Nearly undetectable
Not all that common
“They’ll never see me coming!”

Slide 4: How it is done
Modulate either:
–the channel’s characteristics
–the content
Do it without:
–breaking protocol standards
–making it look anomalous

Slide 5: ICMP
An ‘unspecified’ amount of data can be attached
Sometimes blocked inbound, rarely outbound
Ptunnel, Loki, 007Shell, Hans, more…
Figures: what a PING looks like; what a “PING” can look like.

Slide 6: DNS
Generally allowed through network protective devices
Dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com
OzymanDNS, MSTX, dns2tcp

Slide 7: Future Threats
IPv6
–v00d00N3t - fully featured ICMPv6 covert channel
Application Layer
–VoIP, mail, file transfer
Layer 2
–802.11, ARP
Using CCs to break out of software sandboxes

Slide 8: CC Design Considerations
Ease of detection
Ease of implementation
Carrier availability
Bandwidth
Reliability

Slide 9: Defensive practices (“That was Easy!”)
Firewall
–Block outgoing ICMP
–Block DNS queries other than from the internal proxy
Snort rules
–Spotting known signatures: alert udp any any -> any 53 (content:"| |".....
–Exploit specific, as these things are
Anomaly Detection
–Spot unusual spikes in DNS traffic on port 53
–Frequent, oversized DNS TXT records
–Any anomalous behavior (How hard is that?!)
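The anomaly-detection bullets above (spikes in port 53 traffic, oversized TXT records) and the encoded-looking query name on the DNS slide can be turned into a simple log check. The Python below is an added example, not part of the original slides; it assumes a constructed query-log format (timestamp, client, qtype, qname, answer size) and thresholds chosen for illustration, and it reads an inline sample log rather than a live resolver.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed query-log format used by this example (not any resolver's real log format):
#   <ISO timestamp> <client IP> <qtype> <qname> <answer size in bytes>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

MAX_LABEL_LEN = 30    # hostnames longer than this are rare outside encoded data
MAX_TXT_BYTES = 255   # one TXT string is at most 255 bytes; bigger answers are worth a look
RATE_LIMIT = 100      # queries per client per minute; tune to the site's own baseline

def parse_line(line):
    """Return (timestamp, client, qtype, qname, rdlen) or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname, rdlen = m.groups()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.rstrip(".").lower(), int(rdlen)

def suspicious_label(qname):
    """Leftmost label looks like encoded data: very long, or long and digit-heavy."""
    label = qname.split(".")[0]
    digits = sum(c.isdigit() for c in label)
    return len(label) > MAX_LABEL_LEN or (len(label) > 16 and digits > 0.3 * len(label))

def analyze(lines):
    """Return (client, qname, reason) findings: odd labels, oversized TXT answers, per-minute spikes."""
    findings, per_minute = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qtype, qname, rdlen = rec
        per_minute[(client, ts.replace(second=0, microsecond=0))] += 1
        if suspicious_label(qname):
            findings.append((client, qname, "encoded-looking label"))
        if qtype == "TXT" and rdlen > MAX_TXT_BYTES:
            findings.append((client, qname, f"oversized TXT answer ({rdlen} bytes)"))
    for (client, minute), n in per_minute.items():
        if n > RATE_LIMIT:
            findings.append((client, "*", f"{n} queries in the minute starting {minute:%H:%M}"))
    return findings

# Constructed sample log: two ordinary lookups, one query shaped like the slide's tunnel example.
SAMPLE_LOG = [
    "2011-03-01T10:00:01 10.0.0.5 A www.example.com 16",
    "2011-03-01T10:00:02 10.0.0.5 MX example.com 40",
    "2011-03-01T10:00:03 10.0.0.9 TXT Dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com 900",
]
```

Legitimate SPF or DKIM records can exceed 255 bytes, so the TXT rule is a trigger for review, not a verdict.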

Slide 10: Defensive R&D
Statistical Analysis
–Proven to work in theory
Active Wardens
–Full scan and rewrite of traffic
–Resource intensive

Slide 11: The Threat
Cyber Criminals - (financial data)
Cyber-warriors - (political/military)
Corporate espionage - (IP theft)
Hacktivists - (idealism)
Individual Hackers - (fame/thrill)
Spammers - (ad distribution)

Slide 12: Hypothetical ‘Smart’ Covert Channel
STUXNET-like scenario
–High value target
–Motivated and resourced attacker
Built-in recon ability
Protocol flexibility
Low and slow
Virtually undetectable

Slide 13: Why not more common?
Benefits vs limitations: ‘Signal to Noise Ratio’
Figure: a slider running from low throughput / high covertness at one end to high throughput / low covertness at the other.

Slide 14: For Good not Evil?
Can allow oppressed people to get through government firewalls/filters
Back to the volume dilemma

Slide 15: Summary
Covert Channels are:
–the death of perimeter security?
–not inconceivable, but not a high priority for most
Whatever to do?
–Focus on the fundamentals and “low hanging…”
–Perform and execute defense in depth, in line with your Threat/Risk Assessment and SANS ‘20 Critical Security Controls’
References and more? Please see my paper in the SANS Reading Room: