Sunday, May 19, 2013

How do you do this without NSM?

Comments on Facebook
I have had many many conversations over the past few weeks on the difference between traditional IDS and NSM and I am shocked that NSM is still a foreign concept to people. Sometimes there is a challenge to help folks realize what the real difference is. If you don't know what NSM is then read this book written by Richard Bejtlich. This is not a ploy to sell more books for Richard but a cry out to detection folks out there that you could be doing it differently.

Several years ago I stumbled upon Sguil when I was looking for a way to better manage my Snort environment. I was using Acid (yea.. I know) and I just wasn't happy with it. I was finding bad hosts with obvious signatures such as SQL Slammer and Code Red (yea.. I am dating myself) which was great but I didn't know what I was missing. I thought I was happy, management was happy I was finding these bad hosts, and for me everything was good in the world. What I didn't know is I was only scratching the surface on what could be done.

Now the landscape back then was completely different but I think back on what else I could have detected. This was before people could make money off huge botnets and most people didn't bank online. But with today's climate with all the drive bye java exploits and APT1 noise having an alert is no longer sufficient to protecting your environment.

You see IT teams think the security guys are crying wolf all the time because 1 out of the last 20 hits was a false positive. It takes more proof these days generally to get them off their seats to do something. You cannot be an effective analyst if all you do is send resources on wild goose chases. Lets choose an example that is relevant to current events. You see a host hit a drive-by site. That is all the information you have in your console. So we know this person hit a site and did the AV on the system catch the evil that was potentially pushed to the machine. You could use the aliens approach and nuke the site from orbit and re-image the machine, but chances are the IT dudes will run AV and say I got nothing that says there is anything bad on this box. Thanks for the false positive and you move on to the next one. You used all the information and your layered security approach to show you "Hey this was a blip.. maybe the evil code was taken down etc". What you don't know is this machine is WTFPWNTSAUCED.

You don't know this because the evil it downloaded was new to AV. In the NSM world once you got the alert the first thing you would do is pull the transcript of the entire session of the drive-by  In that case you see the host hit the site and was directed to download a jar file. Now we know that it downloaded a jar file but what else happened? Here is where things get fun. So you could pull that jar file from the stream using wireshark and run it on a sand box and see what it does. (You know like @SecShoggoth MASTIFF) Another option is you could pull the session data from the host for 2 minutes before the incident and 2 minutes after and see that after it downloaded that jar it made connections out to other internet IP addresses in suspect countries. You could also pull the HTTP info from it to see that it then requested an exe file from a suspect looking domain. Now you can pull that from PCAP and see what it does. You run it through MASTIFF and see it starts up a process called kungfu.exe and then tries to reach out to an IRC server in the Ukraine. Or flip it around.. You see the first stage is successful by grabbing the jar file but in the second stage you see a 404 when its trying to grab its evil.

So what does NSM really give you? It gives you options. It gives you all the data you need to make an informed descision about what is the real deal vs what is just noise. As attacks become more and more behavior based there will be even further needs for this type of info. The best part of it all is the best tools out there to do this are open source. You can get started today by simply downloading Security Onion.

I did not write this to say traditional IDS is useless but to show folks that there is a difference. You may believe that your methods are awesome and I am full of crap and that is fine but I have never heard anyone complain they have too much information on an incident. I just know that having an alert for me is not enough information to make an informed decision on the state of the machines involved.

No comments:

Post a Comment