
Finding The Fox In The Hen House – Practical Tips

Let’s face it, no matter how hard we try, or how elaborate the defense, sometimes the fox gets in the hen house (or sometimes it just eats at McDonald’s). When I was in college taking a computer systems design course, my professor stated that computer technology is invented in fits and starts. For example, someone would invent really fast memory, but speed was limited by the bus, negating the performance improvement. This could not be more true when it comes to computer security. Anti-virus vendors, for example, take a step forward in detection, malware authors figure out a way around it, and the cycle continues. This is evident in the latest version of the Metasploit Framework, version 3.2, which has improved its ability to dodge anti-virus tools (see John Strand’s great video tutorial on this feature here).

I believe that a fox will always stand out in a hen house; no matter how much it tries to look like a hen, it will always be a fox. When an attacker compromises a system, they may try to mask the behavior as legitimate. When they communicate with the compromised system and collect information from it, that too may be masked as legitimate. However, there is typically some behavior or artifact left, either on the system or on the network, which indicates an attack has occurred. The big question is not even what we do about it, but how we deal with it in a cost-effective manner. In Jason’s previous post he poses part of the problem referred to as the “Security 3-legged Stool”:

“…let’s look at this from the perspective of an executive or even a control engineer. They want the biggest security bang for their buck which includes not only hard cost but ongoing maintenance expense.”

Cost is but one leg of the stool; usability and performance comprise the others. Many will say that a “Security 3-legged Stool” does not exist. That does not mean we can give up hope! Let’s look at some practical defensive tips in the categories of protection, detection, and reaction that strive to be cost-effective (and, in a perfect world, usable and fast):

1) System Hardening (Protection) – As Jason mentions, Bandolier is a great project for systems hardening on control systems (or any system for that matter). As I go through the various system hardening techniques, I think about how each control affects the attacker’s ability to collect information, maintain system access, and clean up their tracks. Windows especially has some powerful features that can make it difficult for attackers, even once the system has been compromised. The DISA standards are very comprehensive and my pick for hardening guides (Windows 2003 Security Checklist Version 6, Release 1.8 – September 22, 2008). This process can be cost effective if properly built into your systems administration procedures, as it does not require any additional hardware or software.

2) Log Monitoring (Detection) – This measure is high maintenance, as you have to correlate and check the logs regularly in order for it to be effective. However, there are many commercial and open-source tools available for log correlation, and control-system-specific projects in the form of Portaledge and Quickdraw. Log monitoring can be expensive, but if limited in scope to only critical systems it can start out more cost effective.

3) Network Monitoring (Detection) – While systems can be penetrated and logs can be deleted by the attacker, at some point traffic must pass through the network. Network intrusion detection is a very important defensive measure, and using “extrusion” rules (such as the ones from Emerging Threats) can provide a fantastic way to detect post-exploitation traffic in your network. While some may say it’s too late by then, I always advise that we use extrusion detection to identify malicious behavior sooner rather than later. What’s worse, a system that has been compromised for a few hours, or a system that has been compromised for months or even years? (Back at the University I heard stories of a mainframe computer that had been compromised for several years, and the attacker gave himself away because he was applying patches to prevent others from compromising it.) Snort can be used to implement this monitoring and is free when combined with the Emerging Threats rules.
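As an added illustration of tips 2 and 3 (example code written for this page, not code from the original post, nor from Portaledge, Quickdraw, Snort or the Emerging Threats rules): a small correlator that looks for two of the artifacts described above, an audit-log-clear event on a critical host and an outbound connection from that host to an address outside the plant network, and escalates when both show up within a short window. Host names, addresses, the internal network range and the 15-minute window are assumptions, and the log lines are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample input (not from the original post): hosts, addresses and times are
# invented; 517 (Windows 2003) and 1102 (later Windows) are the real "audit log was cleared" IDs.
HOST_EVENTS = """\
2008-12-01T10:02:11 hmi01 517 The audit log was cleared
2008-12-01T10:05:40 hmi01 528 Successful logon
2008-12-01T11:30:00 hist01 528 Successful logon"""

FLOW_RECORDS = """\
2008-12-01T10:03:05 hmi01 192.168.10.5 203.0.113.7 443 tcp
2008-12-01T10:03:20 hmi01 192.168.10.5 192.168.10.20 502 tcp
2008-12-01T11:31:00 hist01 192.168.10.9 198.51.100.3 8080 tcp"""

CRITICAL_HOSTS = {"hmi01", "hist01"}                        # assumed: only critical systems in scope
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed plant address space
LOG_CLEARED_IDS = {"517", "1102"}
WINDOW = timedelta(minutes=15)                              # assumed correlation window

def parse(text, nfields):
    # Records are space-separated with an ISO timestamp first; split at most nfields-1 times
    # so a trailing message field may itself contain spaces.
    rows = []
    for line in text.splitlines():
        parts = line.split(" ", nfields - 1)
        rows.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return rows

def extrusions(flows):
    # Network artifact (tip 3): a critical host opening a connection to an address outside
    # the plant network. Flow tuple: (ts, host, src, dst, port, proto).
    return [f for f in flows if f[1] in CRITICAL_HOSTS
            and not any(ipaddress.ip_address(f[3]) in n for n in INTERNAL_NETS)]

def log_clears(events):
    # Host artifact (tip 2): someone is cleaning up their tracks. Event tuple: (ts, host, id, msg).
    return [e for e in events if e[2] in LOG_CLEARED_IDS]

def correlate(events, flows):
    # Escalate when both artifacts come from the same host inside WINDOW.
    alerts = []
    for ts, host, _eid, _msg in log_clears(events):
        hits = [f for f in extrusions(flows) if f[1] == host and abs(f[0] - ts) <= WINDOW]
        if hits:
            alerts.append({"host": host, "cleared_at": ts.isoformat(),
                           "outbound": [(f[3], int(f[4])) for f in hits]})
    return alerts
```

Running `correlate(parse(HOST_EVENTS, 4), parse(FLOW_RECORDS, 6))` on the sample data escalates hmi01 only; hist01’s outbound connection is still reported by `extrusions()` on its own, which is the point of watching the network even when the host logs look clean.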

4) Incident Response (Reaction) – It’s always best to be prepared: have an incident response plan and test it. Some of the most damaging incidents I have encountered were made worse by the absence of a well-defined incident response plan. SANS has some great examples and guides. The only cost to this process is time.

The above four defensive measures are not the perfect solutions for all organizations (they do require time and maintenance). However, they do lay a nice foundation to build upon, and good process can help alleviate the time problem. Most importantly they will help you quickly spot that fox in the hen house.

Comments

Comment from Marius
Time: December 3, 2008, 6:03 am

“However, they do lay a nice foundation to build upon, and good process can help alleviate the time problem. Most importantly they will help you quickly spot that fox in the hen house.”

I always imagined this “hardening” as a kind of circle: technology develops for both. For good guys, who use it constructively and build something. But also for bad guys, who seek destruction and/or their own personal wealth. It’s a matter of how far the distance gets, what we call effectiveness in the case of attacks or defense structures.

The primary point to look at is motivation. The more treasures I protect with a system, the more interesting it gets to break it. People will find innovative ways – or at least try to. They will find ways around your IDS, around your detection; they will find a weak point in your hardened, logged systems. Maybe an 0day, maybe social attacks, maybe just a small piece of “innovation” that goes entirely through all your defenses. Like browser-based malware, or prepared USB sticks auto-starting malicious code. There’s much new attack stuff. But where are our new innovative defenses? What you point out here is a Defense in Depth strategy. It has a simple problem:

“I believe that a fox will always stand out in a hen house, no matter how much it tries to look like a hen, it will always be a fox.”

I have significant doubt here. Because you can get foxes in a house, you aren’t able to track back. Economy wants _cheap_ defense. A constructive support out of IT security – management doesn’t see this. Only in very rare cases. So while we try to convince the farmer that his stall is in danger, the fox is already there.

Once in your podcast you compared security development with building a house. Well, a fortress or the like has had a very similar development. Guards preventing intrusion (even inside), gates, walls – in short, control.
But innovative defenses are seldom.

Point is: as long as there’s no awareness, at management, at employees – at the company – and they don’t know what their treasures are, there’ll be no hard-to-break security. It starts and ends where the people are, not where the systems are: where the hens sleep. As long as the hens do not care for logins, policy, system administration, anti-virus and malware, as long as they are uneducated, the fox may come in as a nice-looking stranger with a hoover. And believe me, the “hoover guy” works very well ;) even in great companies.

Thanks for this article ;) ,
Marius

Comment from Paul Asadoorian
Time: December 3, 2008, 10:49 am

Thanks Marius,

Motivation is certainly a key factor, and attackers will find ways around defenses. My hope was that we can pick up on the post-exploitation behavior rather than rely on detecting/preventing the actual attack.

I agree; the user awareness issue was not addressed in this post. I will think about that topic for next time :)

Cheers,
Paul
