SANS Technology Institute - Candidate for Master of Science Degree
Covert Channels: A Primer for Security Professionals
Erik Couture, GIAC GSEC GCIH GCIA
March 2011
Definition and Origin
Three types of information hiding:
–Cryptography - make the message unreadable
–Steganography - hide the message in another message
–Metaferography - hide the message in the carrier
Easy to design, hard to detect
Covert Channels
Clever misuse of network protocols
Nearly undetectable
Not all that common
“They’ll never see me coming!”
How it is done
Modulate either:
–the channel’s characteristics
–the content
Do it without:
–breaking protocol standards
–making it look anomalous
ICMP
‘Unspecified’ amount of data can be attached
Sometimes blocked inbound, rarely outbound
Tools: Ptunnel, Loki, 007Shell, Hans, more…
(Figure: What a PING looks like.)
(Figure: What a “PING” can look like…)
DNS
Generally allowed through network protective devices
Example of a data-carrying hostname: http://Dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com
Tools: OzymanDNS, NSTX, dns2tcp
Future Threats
IPv6
–v00d00N3t - fully featured ICMPv6 covert channel
Application Layer
–VoIP, mail, file transfer
Layer 2
–802.11, ARP
Using CCs to break out of software sandboxes
CC Design Considerations
Ease of detection
Ease of implementation
Carrier availability
Bandwidth
Reliability
Defensive practices
(Image: “That was Easy!”)
Firewall
–Block outgoing ICMP
–Block DNS queries other than from the internal proxy
Snort rules
–Spotting known signatures, e.g.: alert udp any any -> any 53 (content:"|00 00 29 10 00 00 00 80 00 00 00|".....
–Exploit specific, as these things are
Anomaly Detection
–Spot unusual spikes in DNS traffic on port 53
–Frequent, oversized DNS TXT records
–Any anomalous behavior (How hard is that?!)
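The three anomaly checks on this slide (spikes in DNS traffic, oversized TXT records, and data-carrying hostnames like the one on the DNS slide) run over a few query log lines, as an added Python example that is not part of the presentation or the paper; the log format, the thresholds and the sample lines are constructed assumptions to be tuned per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the slides), one query per line:
# "<epoch> <client> <qname> <qtype> <answer_bytes>"
SAMPLE_LOG = """\
1300000000 10.0.0.5 www.example.com A 16
1300000001 10.0.0.5 Dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com TXT 900
1300000001 10.0.0.5 A9s8d7f6g5h4j3k2l1q0w9e8r7t6y5u4.domain.com TXT 870
1300000001 10.0.0.5 Zx8c7v6b5n4m3a2s1d0f9g8h7j6k5l4p.domain.com TXT 910
1300000002 10.0.0.9 cdn.example.net A 16
1300000002 10.0.0.9 mail.example.com MX 40
1300000003 10.0.0.5 login.example.com A 16
"""

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_name(qname, max_label=30, min_entropy=2.5):
    """True when the leftmost label is long and high-entropy: tunnels put their
    payload there, while ordinary hostnames are short words. Thresholds are
    assumed starting points, not values from the slides."""
    first = qname.split(".")[0]
    return len(first) > max_label and label_entropy(first) >= min_entropy

def analyse(log_text, max_txt_bytes=512, max_per_second=2):
    """Apply the three anomaly checks from the slide to the log and return
    a list of (check, client, detail) findings."""
    findings = []
    per_client_second = defaultdict(int)
    for line in log_text.splitlines():
        ts, client, qname, qtype, rdlen = line.split()
        if suspicious_name(qname):                         # data-carrying hostname
            findings.append(("encoded-label", client, qname))
        if qtype == "TXT" and int(rdlen) > max_txt_bytes:  # oversized TXT record
            findings.append(("oversized-txt", client, qname))
        per_client_second[(client, ts)] += 1
    for (client, ts), n in sorted(per_client_second.items()):
        if n > max_per_second:                             # query-rate spike
            findings.append(("query-spike", client, ts))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```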
Defensive R&D
Statistical Analysis
–Proven to work in theory
Active Wardens
–Full scan and rewrite of traffic
–Resource intensive
The Threat
Cyber Criminals - (financial data)
Cyber-warriors - (political/military)
Corporate espionage - (IP theft)
Hacktivists - (idealism)
Individual Hackers - (fame/thrill)
Spammers - (ad distribution)
Hypothetical ‘Smart’ Covert Channel
STUXNET-like scenario
–High value target
–Motivated and resourced attacker
Built-in recon ability
Protocol flexibility
Low and slow
Virtually undetectable
Why not more common?
Benefits vs limitations
(Diagram: ‘Signal to Noise Ratio’, with Throughput running from Low to High on one axis and Covertness running from High to Low on the other)
For Good not Evil?
Can allow oppressed people to get through Government firewalls/filters
Back to the volume dilemma
Summary
Covert Channels are:
–the death of perimeter security?
–not inconceivable, but not a high priority for most
Whatever to do?
–Focus on the fundamentals and “low hanging…”
–Perform and execute defense in depth, in line with your Threat/Risk Assessment and SANS ‘20 Critical Security Controls’
References and more? Please see my paper in the SANS Reading Room: www.sans.org/reading_room/whitepapers/detection/covert-channels_33413