Bruce Potter - PowerPoint PPT Presentation

Slides: 21
Provided by: shm8

Transcript and Presenter's Notes

1
Host Integrity Monitoring
  • Bruce Potter
  • gdead_at_shmoo.com
  • potter_bruce_at_bah.com

2
Don't Believe Anything I Say
  • "Do not believe in anything simply because you
    have heard it. Do not believe in anything simply
    because it is spoken and rumored by many. Do not
    believe in anything simply because it is found
    written in your religious books. Do not believe
    in anything merely on the authority of your
    teachers and elders. Do not believe in traditions
    because they have been handed down for many
    generations. But after observation and analysis,
    when you find that anything agrees with reason
    and is conducive to the good and benefit of one
    and all, then accept it and live up to it. -
    Buddha

3
Who Is this Guy?
  • Bruce Potter
  • By Day - Security Consultant for Booz Allen
    Hamilton
  • By Night - Founder of the Shmoo Group, author of
    some stuff, generally freaky

4
Agenda
  • Operational Security
  • Host Integrity Monitoring Scenarios
  • HIMS Architectures and Challenges
  • Further Reading

5
Let's Talk about Security
  • For the feds, Information Assurance
  • Tactical Coding Error vs Design Flaw
  • Script kiddie vs Dedicated Attacker
  • Host Hardening vs Long term Operational security
  • Security Functionality vs Secure Functionality
    • PKI - Security functionality
    • JPEG rendering - Needs to be secure

6
Current Reality of Operational Security
  • Often viewed as firewalls, IDS, and anti-virus
  • A very network centric view of the world
  • Arguably focused on security, not secure
    operations
  • While patch management is an important part of
    operations, how much money do you spend on patch
    management vs your firewall/IDS infrastructure?

7
Long Term Operational Security
  • An overlooked aspect of security
  • We are not an end in and of ourselves
  • Further, an IDS does not operational security
    make
  • Anybody can be trained to secure a host
  • Just look at all the security books on the shelf
  • Running a long term secure enterprise is the
    tough thing

8
Pyramid of IT Security Needs

9
Let's find intruders...
  • Where do we look for the bad guys?
  • Firewalls? No, this is where we stop the bad
    guys. Port 80 is open to the world, so it's really
    hard to see bad guys on port 80
  • IDS? No, this is where we find the bad guys
    trying to do stupid stuff. Were they successful?
    Who knows...
  • IPS? You've got to be joking...

10
WMF Zero - Overexposed
  • WMF vuln from Jan 2006 caused the security
    industry and media to freak out
  • To the point of recommending unofficial patches
    be deployed
  • There was fear of doom and destruction
  • Worms, viruses, and bots, oh my!
  • Ultimately very little resulted from the WMF vuln
  • Biggest threat? Targeted attacks...

11
WMF Targeted Attack - British Parliament
  • http://news.com.com/BritishparliamentattackedusingWMFexploit/2100-7349_3-6029691.html
  • The British Parliament was attacked late last
    year by hackers who tried to exploit a recent
    serious Microsoft Windows flaw, security experts
    confirmed on Friday.
  • MessageLabs, the e-mail-filtering provider for
    the U.K. government, told ZDNet UK that targeted
    e-mails were sent to various individuals within
    government departments in an attempt to take
    control of their computers. The e-mails harbored
    an exploit for the Windows Meta File
    vulnerability.

12
Host Integrity Monitoring
  • Looking for honest to goodness intrusions
  • The next 0-day that rolls through, you'll at
    least find the attackers once they're in the
    walls
  • Reactionary, but more focused
  • Examine the integrity of various system aspects
    to determine health of a machine
  • This presentation is going to discuss general
    HIMS issues, not specific implementation/config
  • You can all use Google, I'm sure...

13
HIMS Capability
  • File Checksums
    • Has a file been changed?
  • File MAC times
    • Who touched it when?
  • File Perms
  • LKMs
    • Are there new modules?
  • Configurations
    • Has the system configuration changed?
  • SID
    • On Windows, has the SID changed?
  • etc...

14
HIMS Lifecycle - Create Configuration
  • Tell HIMS what to scan, how often, etc.
  • Compile binaries for target
  • Configure central server
  • Challenges
    • Many OSs, many configurations
    • Configurations change over time

15
HIMS Lifecycle - Deploy Agents
  • Push all configurations and software to remote
    systems
  • Challenges
    • Need a secure channel for command and control
    • Need to keep track of where agents are installed

16
HIMS Lifecycle - Get Baseline Scan
  • Determine known good state
  • May be able to precompute (www.knowngoods.org)
  • Challenges
    • Hard to know if a box is good
    • Many boxes with small config diffs are a PIA

17
HIMS Lifecycle - Periodic Scan
  • Periodically scan each host
  • May be initiated from server or by client
  • Challenges
    • The more detailed, the longer the scan can take
    • Can be IO intensive

18
HIMS Lifecycle - Compare, Update/Respond
  • Compare initial scan to new scan to find diffs
  • Update if change is valid, respond if attacked
  • Challenges
    • Many changes can take a long time to reconcile
    • Determining valid from invalid change can be hard

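
The capability list (checksums, MAC times, permissions) and the baseline / periodic scan / compare stages of the lifecycle, as an added example that is not from the presentation or from any of the HIMS products it names: a minimal Python file-integrity monitor that baselines a tree, rescans it and reports which attribute of which file changed. The sample tree, its file names and the simulated tampering in demo() are constructed for the demo.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Per-file attributes: checksum, permission bits, size, M/C times.
    atime is omitted on purpose: hashing the file updates it every scan."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
            "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}

def scan(root: str) -> dict:
    """Walk the tree: the baseline on the first run, the periodic scan later."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_file() and not p.is_symlink():  # regular files only
                records[str(p.relative_to(root))] = file_record(p)
    return records

def compare(baseline: dict, current: dict) -> dict:
    """Compare stage: added/removed paths, and for modified paths the list of
    attributes that differ, so an operator can reconcile valid changes fast."""
    modified = {}
    for rel in baseline.keys() & current.keys():
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            modified[rel] = diff
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": modified}

def demo() -> dict:
    """Constructed sample tree (not a real host): baseline, tamper, rescan."""
    files = {"etc/passwd": "root:x:0:0::/root:/bin/sh\n", "bin/ls": "ELF-stub",
             "etc/hosts": "127.0.0.1 localhost\n", "var/auth.log": "ok\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body)
            os.chmod(Path(root, rel), 0o644)
        baseline = scan(root)
        # Simulated intrusion: trojaned binary, world-writable config, dropped script, wiped log
        Path(root, "bin/ls").write_text("ELF-stub-with-extra-bytes")
        os.chmod(Path(root, "etc/hosts"), 0o666)
        Path(root, "bin/.bd").write_text("#!/bin/sh\n")
        Path(root, "var/auth.log").unlink()
        return compare(baseline, scan(root))
```

Reading every file to hash it is the IO cost the Periodic Scan slide warns about; a real agent would also sign or ship the baseline off-host, since a baseline the intruder can rewrite proves nothing.
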
19
OSS HIMS Solutions
  • Osiris - http://www.hostintegrity.com/
  • Samhain - http://www.la-samhna.de/
  • AIDE - http://www.cs.tut.fi/rammer/aide.html
  • Each has pros and cons... too much to get into
    here
  • Best to think about problems you are likely to
    have given the previous slides, then start
    comparing

20
Further Reading
  • I'm not going to go over installation, features,
    etc... you can all use Google
  • http://www.hostintegrity.com/
  • Host Integrity Monitoring - Wotring