It certainly is possible to examine host or network outbound conversations, but we then have to determine which of those conversations are legitimate. Current AV software attempts to block access to 'known dangerous' or 'pre-determined dangerous' malware sites, but such judgements are apparently failing to prevent APT from sending stolen data to way stations (intermediate hosts under the attacker's control). On OpenBSD, if we are looking at outbound connections, we might sniff with Snort as follows (-D daemonizes, -l . logs to the current directory, -L names the capture file, and the pcap filter drops whois/DNS/RIP, broadcast and ARP, and traffic to the local subnet or multicast ranges):
/usr/local/bin/snort -D -vdeXX -l . -L `date "+%d%b%H%S%Z%Y.out"` -i dc0 'port not(whois or domain or router) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)'
On Vista, we might have two interfaces (wired and wireless) that we need to examine, so we start one minimized instance per interface:
start /min cmd /c C:\snort\bin\snort.exe -vdeXX -l . -i 1 port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
start /min cmd /c C:\snort\bin\snort.exe -vdeXX -l . -i 2 port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
We can then read the log back with snort -r, keep the '->' header lines, take the destination side of each, and count them. We are surprised by the number of outbound connections we make:
C:\Snort\bin>snort -v -q -r snort.log.1266372570 | find "->" | gawk -F"->" '{print $2}' | sort /R | uniq -c | sort /R
327 74.125.103.208:80
133 74.202.67.83:80
105 216.35.221.76:80
100 198.104.200.154:80
51 72.21.91.19:80
32 96.17.70.50:80
....
Perhaps one solution to APT would be real-time co-ordination between sites suspected of being data-theft transfer stations and real-time (firewall or host) blocking of data transfers to those hosts/servers. This type of solution faces some headwinds, and may need to be implemented on an individual or corporate basis to prevent "incidental blacklisting". Other solutions might include:
(1) real-time packet examination of data for critical or sensitive information
(2) heuristic detection of data flows that seem 'abnormal'
(3) heuristic detection of file access that seems 'abnormal'
The industry awaits such solutions.
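As an added example (not the post's own code), here is the find/gawk/sort/uniq counting step above, plus the first two heuristics, implemented in Python over a constructed sample of Snort -v output. It reproduces the post's pcap exclusions (local subnet and multicast) in code, and extends them with the RFC1918 ranges, which is an assumption; the addresses in the sample, the baseline list and the 3× median threshold are likewise assumptions chosen for illustration.

```python
"""Summarise outbound conversations from Snort verbose (-v) output and flag
destinations that look abnormal.  Added example; the sample capture below is
constructed to look like Snort -v packet headers, not taken from a real log."""
import ipaddress
import re
import statistics
from collections import Counter

# Network the sniffer sits on, and destinations the post's pcap filter drops
# (local subnet, multicast).  The other RFC1918 ranges are added as an assumption.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
EXCLUDED_DST = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("224.0.0.0/4"),   # covers 224.0.0.0/24 and 239.0.0.0/8
]

# Constructed sample: each packet is an address line followed by an IP header line.
SAMPLE = """\
02/16-22:49:30.101 192.168.0.10:49152 -> 74.125.103.208:80
TCP TTL:128 TOS:0x0 ID:41 IpLen:20 DgmLen:52 DF
02/16-22:49:30.204 74.125.103.208:80 -> 192.168.0.10:49152
TCP TTL:52 TOS:0x0 ID:7 IpLen:20 DgmLen:52 DF
02/16-22:49:31.000 192.168.0.10:49153 -> 74.125.103.208:80
TCP TTL:128 TOS:0x0 ID:42 IpLen:20 DgmLen:620
02/16-22:49:32.000 192.168.0.10:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x0 ID:43 IpLen:20 DgmLen:120
02/16-22:49:33.000 192.168.0.10:49154 -> 203.0.113.45:443
TCP TTL:128 TOS:0x0 ID:44 IpLen:20 DgmLen:1500
02/16-22:49:33.500 192.168.0.10:49154 -> 203.0.113.45:443
TCP TTL:128 TOS:0x0 ID:45 IpLen:20 DgmLen:1500
02/16-22:49:34.000 192.168.0.10:49154 -> 203.0.113.45:443
TCP TTL:128 TOS:0x0 ID:46 IpLen:20 DgmLen:1500
02/16-22:49:35.000 192.168.0.10:49155 -> 192.168.0.1:22
TCP TTL:128 TOS:0x0 ID:47 IpLen:20 DgmLen:60
02/16-22:49:36.000 192.168.0.10:49156 -> 198.51.100.7:80
TCP TTL:128 TOS:0x0 ID:48 IpLen:20 DgmLen:300
02/16-22:49:36.500 192.168.0.10:49156 -> 198.51.100.7:80
TCP TTL:128 TOS:0x0 ID:49 IpLen:20 DgmLen:300
"""

# "<timestamp> src:port -> dst:port"; ICMP lines carry no ports and are skipped.
HEADER_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s*$")
DGMLEN_RE = re.compile(r"DgmLen:(\d+)")


def parse_snort_verbose(text):
    """Return (src_ip, dst_ip, dst_port, ip_datagram_length) per packet.
    The IP header line that follows the address line carries DgmLen; a packet
    without one is recorded with length 0."""
    packets, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        length = 0
        if i + 1 < len(lines):
            d = DGMLEN_RE.search(lines[i + 1])
            if d:
                length = int(d.group(1))
        packets.append((m.group(1), m.group(3), int(m.group(4)), length))
    return packets


def outbound_conversations(packets):
    """Keep packets that leave LOCAL_NET for a destination the filter would keep."""
    kept = []
    for src, dst, dport, length in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in LOCAL_NET:                       # inbound or transit traffic
            continue
        if any(d in net for net in EXCLUDED_DST):    # local, RFC1918 or multicast
            continue
        kept.append((src, dst, dport, length))
    return kept


def count_destinations(packets):
    """Same result as the post's find/gawk/sort/uniq pipeline: packets per dst:port."""
    return Counter(f"{dst}:{dport}" for _, dst, dport, _ in packets).most_common()


def bytes_per_destination(packets):
    totals = Counter()
    for _, dst, dport, length in packets:
        totals[f"{dst}:{dport}"] += length
    return totals


def new_destinations(packets, baseline):
    """Heuristic 1: endpoints never seen in a baseline capture (constructed list)."""
    return sorted({f"{dst}:{dport}" for _, dst, dport, _ in packets} - set(baseline))


def volume_outliers(packets, factor=3.0):
    """Heuristic 2: endpoints sent more than `factor` times the median volume of
    every other endpoint.  Leave-one-out, so one big talker cannot hide itself
    by inflating the median."""
    totals = bytes_per_destination(packets)
    flagged = []
    for endpoint, total in totals.items():
        others = [v for k, v in totals.items() if k != endpoint]
        if others and total > factor * statistics.median(others):
            flagged.append((endpoint, total))
    return flagged


if __name__ == "__main__":
    pkts = outbound_conversations(parse_snort_verbose(SAMPLE))
    for endpoint, n in count_destinations(pkts):
        print(f"{n:7d} {endpoint}")
    print("new:", new_destinations(pkts, {"74.125.103.208:80"}))
    print("volume outliers:", volume_outliers(pkts))
```

The baseline is the weak point of heuristic 1: it has to be captured during a period you believe was clean, and a long-lived implant that was already beaconing when the baseline was taken will simply be whitelisted. Heuristic 2 is blind to a slow exfiltration that spreads its bytes evenly, which is why the post's third idea, watching file access rather than flows, complements it.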
Tuesday, 16 February 2010
Advanced Persistent Threat Part III