Exposure Maps: - PowerPoint PPT Presentation

1
Exposure Maps Removing Reliance on Attribution
During Scan Detection
David Whyte, P.C. van Oorschot, Evangelos
Kranakis
2
Outline
  • Scanning detection challenges
  • Problems with attribution-based detection
    techniques
  • Exposure Maps
  • Experimental Results
  • Conclusions

3
Scanning Detection Challenges
  • Sophisticated scanning techniques
    • Slow
    • Fragmented
    • Idle
    • Distributed (Botnet)
  • I detected a scan
    • Was it successful?
    • What did it reveal?
  • Volume of Internet white noise
    • Backscatter
    • Worm propagation (known)
    • Network diagnostics
    • Web spiders
    • Wrong numbers

4
Attribution-based Scanning Detection
  • Variety of scanning detection techniques
    • Observing connection failures
    • Abnormal network behavior
    • Connections to darkspace
    • Increased connection attempts
  • Majority of these rely on correlating scanning
    activity based on the perceived last-hop
  • Focus of detection is who is scanning instead of
    what is being scanned

5
Shifting Focus
  • Attribution is not practical for an increasing
    number of sophisticated scanning techniques
  • Focus on attribution overlooks critical
    components of any observed scanning campaign
    • What are my adversaries looking for?
    • Has the network behavior changed as a result of
      being scanned?
  • Exemplar technique: Exposure Maps

6
Exposure Maps (1/2)
  • Passively observe network traffic (training
    period)
  • Ignore network traffic initiated from the inside
  • Record only internal system responses to external
    events such as
    • TCP: SYN/ACK
    • TCP: RST
    • UDP: IP pairs list
    • ICMP: echo reply, host not found, time exceeded

7
Exposure Maps (2/2)
  • Host Exposure Map (HEM)
    • Visible and enumerated services
    • Externally visible interface of an individual
      host
  • Network Exposure Map (NEM)
    • Union of HEMs in a target network
    • Externally visible interface of the network
  • Let your adversaries do the vulnerability
    scanning for you!

8
Sample NEM (proof-of-concept)
  • Test network size: 1/4 Class C
  • Test period: two weeks
  • NEM was stable within 12 hours of the testing
    period

9
Scan Detection
  • Incoming connection is defined as any atomic TCP
    connection, UDP or ICMP datagram
  • A connection attempt to a host/port combo outside
    of the NEM is considered a scan and recorded
  • No connection state tracking required
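The training and detection steps of slides 6 to 9, as an added Python example (not the authors' code): a NEM is built from constructed internal-response traffic, then every inbound connection attempt to a host/port outside it is recorded as a scan without any connection state. The monitored prefix, the packet tuple layout, the per-host treatment of ICMP exposures and the simplified UDP handling (the source port of any outbound datagram) are assumptions.

```python
# Exposure-map scan detector (added illustration, not the authors' code). Packets
# are constructed tuples (src, dst, proto, sport, dport, flags); flags is the TCP
# flag string ("S", "SA", "R"), the ICMP type for icmp, and "" for udp.
INTERNAL = "192.0.2."        # constructed monitored prefix (RFC 5737 TEST-NET-1)
ICMP_RESPONSES = {0, 3, 11}  # echo reply, destination unreachable, time exceeded

def is_internal(ip):
    return ip.startswith(INTERNAL)

def exposure_key(host, proto, port):
    # HEM entries are host/port for TCP and UDP; ICMP is recorded per host (assumption)
    return (host, "icmp") if proto == "icmp" else (host, proto, port)

def build_nem(training_packets):
    """Training period: keep only internal responses to external events."""
    nem = set()
    for src, dst, proto, sport, dport, flags in training_packets:
        if not is_internal(src) or is_internal(dst):
            continue  # ignore inbound traffic and internal-only traffic
        if proto == "tcp" and flags in ("SA", "R"):
            nem.add(exposure_key(src, "tcp", sport))  # SYN/ACK or RST sent
        elif proto == "udp":
            nem.add(exposure_key(src, "udp", sport))  # outbound UDP datagram
        elif proto == "icmp" and flags in ICMP_RESPONSES:
            nem.add(exposure_key(src, "icmp", 0))
    return nem  # the NEM is the union of every host's HEM entries

def detect_scans(packets, nem):
    """Stateless detection: inbound connection attempts outside the NEM are scans."""
    scans = []
    for src, dst, proto, sport, dport, flags in packets:
        if is_internal(src) or not is_internal(dst):
            continue
        if proto == "tcp" and flags != "S":
            continue  # for TCP only the connection attempt (bare SYN) counts
        if exposure_key(dst, proto, dport) not in nem:
            scans.append((src, dst, proto, dport))
    return scans

# Constructed training traffic: a web server and a DNS resolver answer outsiders
TRAINING = [
    ("198.51.100.7", "192.0.2.10", "tcp", 40001, 80, "S"),  # inbound, ignored
    ("192.0.2.10", "198.51.100.7", "tcp", 80, 40001, "SA"),  # SYN/ACK recorded
    ("192.0.2.53", "198.51.100.9", "udp", 53, 5353, ""),     # UDP reply recorded
    ("192.0.2.10", "198.51.100.7", "icmp", 0, 0, 0),         # echo reply recorded
]
# Constructed detection traffic: one legitimate connection and two probes
TRAFFIC = [
    ("203.0.113.5", "192.0.2.10", "tcp", 51000, 80, "S"),    # in NEM, not a scan
    ("203.0.113.5", "192.0.2.10", "tcp", 51001, 5631, "S"),  # port outside NEM
    ("203.0.113.5", "192.0.2.12", "icmp", 0, 0, 8),          # echo to silent host
]
```

Running `detect_scans(TRAFFIC, build_nem(TRAINING))` returns the two probes and leaves the connection to port 80 unflagged.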

10
Post-Scan Detection Activities
  • Monitor changes in the NEM
    • Validate new services offered
    • Unexpected changes in the NEM may indicate
      compromise
  • Monitor changes in network scanning activity
    • Spikes in scanning activity may indicate a new
      exploit
  • Attribution is possible post-scan detection for
    most unsophisticated and certain classes of
    sophisticated scanning activity

11
Detected Scanning Activity
12
Conclusions
  • Shifting focus away from attribution during scan
    detection may provide a means to detect
    sophisticated scanning campaigns
  • The true insight that can be gained by scanning
    detection is not who is scanning you but what are
    they scanning for?

13
  • Discussion ..
  • dlwhyte_at_scs.carleton.ca

14
Observed Sophisticated Scanning
  • Slice and dice recorded scans using a variety
    of attributes
    • Slow scan - pcAnywhere, 15 min intervals
    • Possible distributed scan - 6 systems from the
      same class C network and scanning footprint

15
Exposures vs. Scanning Activity
  • Network scanning possibilities
  • In practice NEM < A < E