1. 2 ● In 2006 the patches for client-side vulnerabilities overcame other categories in Microsoft...
Vulnerability Landscape
● In 2006 the patches for client-side vulnerabilities overcame other categories in Microsoft software.
● In 2010, Symantec’s Global Internet Security Threat Report indicated that over 93% of vulnerabilities exploited worldwide are now client-side.
Source: http://www.symantec.com
Protecting the Client
● Client-side attacks have special properties compared to traditional server-side attacks
▸ Extremely complex structures for document formats
▸ Embedding of interpreters and scripting languages
▸ Embedding of arbitrary formats within other container formats
▸ Obfuscation techniques
▸ Multiple delivery channels for the same vulnerability
Network Intrusion Prevention Systems
● Intrusion prevention platforms are evaluated by market analysis firms according to two criteria
▸ Throughput
▸ Coverage
● A key term in modern IPS is deep packet inspection, but its implementation is practically limited by the two main evaluation criteria
● A supplemental system is required to defend against client-side attacks
Razorback Framework
● Razorback is a distributed data collection and analysis framework
● Modular architecture allows for collection and analysis modules to be distributed over a network in arbitrary configurations
▸ Retrieval of data over the wire or from server software after delivery
▸ Analysis of complex file formats distributed over a server farm
Razorback Framework
● A collection of elements working together
● Each element performs a discrete task
● Elements are tied together via the Dispatcher
● Nugget types:
▸ Data Collection
▸ Data Detection/Analysis
▸ Output
▸ Intelligence
▸ Correlation
▸ Defense Update
▸ Workstation
Razorback Framework Architecture
(Diagram: the Dispatcher sits at the centre, connected to the Database and to the Collection Nuggets, Detection Nuggets, Output Nuggets and Other Types of Nuggets.)
Database
● Configuration information
● Event information
● Contextual information
● Metadata
● Provides a wealth of information for correlating events and activities
Nuggets
● Dispatcher Registration
▸ Types of data handled
▸ Types of output generated
● UUIDs
▸ Identifier of nuggets
▸ Type of nugget
▸ Types of data handled and/or provided
▸ Allows for easy addition and removal of elements
Nugget Registration
(Diagram: two Detection Nuggets, a Collection Nugget and an Output Nugget each call registerNugget() on the Dispatcher.)
Collection Nugget
● Capture data
▸ From the network
▸ From a network device directly
▸ From log files
● Contact dispatcher for handling
▸ Has this data been evaluated before?
▸ Send the data to the Dispatcher
Collection Nuggets
● Snort-as-a-Collector (SaaC)
▸ SMTP mail stream capture
▸ Web capture
▸ DNS capture
● Custom post-mortem debugger
▸ Traps applications as they crash
▸ Sends the file that triggered the crash to the Dispatcher
▸ Sends the metadata of the crash to the Dispatcher
Detection Nugget
● Handles incoming data from Collection Nuggets
● Splits incoming data into logical sub-blocks
▸ Requests additional processing of sub-blocks
● Provides alerting feedback to the Dispatcher
Detection Nuggets
● Zynamics PDF Dissector
▸ Deobfuscation and normalization of objects
▸ Target known JavaScript attacks
● JavaScript Analyzer (w/ Zynamics)
▸ Search for shellcode in unescaped blocks
▸ Look for heap spray
▸ Look for obvious obfuscation possibilities
www.zynamics.com/dissector.html
Detection Nuggets
● Shellcode Analyzer (w/ libemu)
▸ Detection and execution of shellcode
▸ Look for code blocks that unwrap shellcode
▸ Win32 API hooking
  ● Determine the function call
  ● Capture the arguments
▸ Provide alerts that include shellcode action
libemu.carnivore.it
Detection Nuggets
● Office Cat Nugget
▸ Full Office file parsing
▸ Vuln-centric detection against known threats
● SWF Nugget
▸ Decompresses and analyzes Flash
▸ Detects known Flash threats
Detection Nuggets
● ClamAV Nugget
▸ Analyze any format
▸ Signature- and pattern-based detection
▸ Updatable signature DB
▸ Can further serve as a collector
▸ Can issue defense updates
Output Nugget
● Receives alert notification from the Dispatcher
● If the alert is of a handled type, additional information is requested:
▸ Short Data
▸ Long Data
▸ Complete Data Block
▸ Normalized Data Block
● Sends output data to the relevant system
Output Nuggets
● Deep Alerting System
▸ Provide full logging output of all alerts
▸ Write out each component block
▸ Include normalized view of documents as well
● Maltego Interface
▸ Provide data transformations targeting the Razorback database
www.paterva.com
Analysis Nuggets
● Intelligence Nugget
▸ Generate metadata for correlation
● Correlation Nugget
▸ Compare results of various intelligence nuggets
Defense Update Nugget
● Receives update instructions from dispatcher
● Performs dynamic updates of network device(s)
● Update multiple devices
● Update multiple devices of different types!
● Notifies dispatcher of defense update actions
Workstation Nugget
● Authenticates on a per-analyst basis
● Provides the analyst with the ability to:
▸ Manage nugget components
▸ Manage alerts and events
  ● Consolidate events
  ● Add custom notes
  ● Set review flags
  ● Delete events
▸ Review system logs
Dispatcher Operation
(Diagram with steps numbered 1 to 4: the Dispatcher, the Database, a Detection Nugget for PDF Analysis and a Detection Nugget for JavaScript Analysis; the labelled flows are Collected data, Detection results, Embedded sub-component data and Alert/Event data.)
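Added example, not code from the slides or from Razorback itself: a small Python model of the flow described on the Nuggets, Collection Nugget, Detection Nugget and Dispatcher Operation slides (registration by UUID and data type, the "has this data been evaluated before?" check, routing by type, sub-block hand-back and alert fan-out). Class, function and data-type names are assumptions; submit() returns the number of new alerts raised.

```python
import hashlib, re, uuid
# Added model of the dispatch loop on these slides (names are assumptions, not
# Razorback's real API): nuggets register a UUID plus the data types they handle,
# collection nuggets submit data, the Dispatcher skips data seen before, routes
# by type, recurses on sub-blocks handed back by detectors and fans alerts out.
class Dispatcher:
    def __init__(self):
        self.nuggets = {}   # data type -> [(nugget uuid, handler)]; "alert" = output nuggets
        self.seen = set()   # sha256 of data blocks already evaluated
        self.alerts = []    # alert/event records (stands in for the database)

    def register_nugget(self, handled_types, handler):
        nid = str(uuid.uuid4())
        for t in handled_types:
            self.nuggets.setdefault(t, []).append((nid, handler))
        return nid

    def submit(self, data_type, data):
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.seen:               # "Has this data been evaluated before?"
            return 0
        self.seen.add(digest)
        before = len(self.alerts)
        for nid, handler in self.nuggets.get(data_type, []):
            result = handler(data)
            for sub_type, sub_data in result.get("sub_blocks", []):
                self.submit(sub_type, sub_data)   # e.g. JavaScript found inside a PDF
            for msg in result.get("alerts", []):
                alert = dict(nugget=nid, type=data_type, sha256=digest, message=msg)
                self.alerts.append(alert)
                for _, out in self.nuggets.get("alert", []):
                    out(alert)
        return len(self.alerts) - before      # new alerts raised for this submission

# Toy detectors: the PDF nugget hands /JS objects back as sub-blocks (greedy match,
# not a real parser); the JavaScript nugget alerts on long %u-encoded unescape() input.
def pdf_nugget(data):
    return {"sub_blocks": [("javascript", js) for js in re.findall(rb"/JS\s*\((.*)\)", data, re.S)]}

def js_nugget(data):
    hit = re.search(rb"unescape\(['\"](?:%u[0-9a-fA-F]{4}){8,}", data)
    return {"alerts": ["long %u-encoded block passed to unescape()"] if hit else []}

def run_demo():
    d = Dispatcher()
    d.register_nugget(["pdf"], pdf_nugget)
    d.register_nugget(["javascript"], js_nugget)
    d.register_nugget(["alert"], lambda a: print("ALERT", a["type"], a["message"]))
    sample = b"%PDF-1.4 1 0 obj << /JS (var s = unescape('" + b"%u4141" * 8 + b"');) >> endobj"
    return d.submit("pdf", sample), d.submit("pdf", sample)   # constructed; 2nd is a duplicate
```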
DEMO
Contact
● Richard Johnson
▸ [email protected]
▸ @richinseattle
▸ http://rjohnson.uninformed.org
● Sourcefire VRT
▸ labs.snort.org
▸ vrt-sourcefire.blogspot.com
▸ @VRT_Sourcefire
Razorback Team: Alex Kambis, Alex Kirk, Alain Zidouemba, Christopher McBee, Kevin Miklavcic, Lurene Grenier, Matt Olney, Matt Watchinski, Nigel Houghton, Patrick Mullen, Ryan Pentney, Sojeong Hong