
Smart Scanning

by Fred Avolio, Avolio Consulting, Inc.

There is one thing I can, without knowing you, state with near-certainty about your networking environment: it is getting more, rather than less, complex. To keep a lid on the ever-increasing threats and the weekly announcements of vulnerabilities in the widely deployed software on which our enterprises rely, we install patches and change security parameters.

But, how do we know we made the correct changes? How do we know we did not break something else? Can we be sure that the changes we made, even if they were faultless, remain in place 10 minutes later? Very often the correct answer is, "I'm not sure." This is a very significant answer when asking security questions. (See http://www.avolio.com/weblog/security/SignificantAnswers.html.) This is why any security policy should include verification testing, both at mechanism-deployment time and periodically thereafter. Vulnerability scanning must be part of our verification arsenal. By implementing a continuous vulnerability scanning program, you will be able to proactively protect your enterprise from emerging threats.

Types of tools

We can categorize vulnerability scanners by where they sit on the network and how they scan. Many vulnerability scanners actively probe systems on a network. Given an IP address space, the scanner probes each reachable address, looking for open network ports. That is where a simple port scanner stops. A vulnerability scanner goes a step further. It may try to connect to every discovered port on each system testing for known vulnerabilities based on the service assigned to that port.

If a scan turns up an SSL listener on port 443, it might try to determine which SSL server is running. If it discovers a known server with a known vulnerability (for example OpenSSL 0.9.7), the scanner notes it. Some scanners will go further, actually trying to exploit those vulnerabilities, confirming that the vulnerability exists. And we want to be sure that we really are, or are not, vulnerable to particular threats. Unfortunately, more aggressive probes increase the likelihood of taking down - crashing - a critical system. We would all agree that would be a "Bad Thing".

Passive vulnerability scanners watch traffic on the network, sniffing packets off the wire. They look for patterns indicating an in-progress attack or evidence of already compromised systems. They do not look at particular systems, and so they may miss not-yet-exploited vulnerabilities. But, they will not crash a system. What should we do?

To do

First, you really do need to do some "pre-work." You need to know what systems and networks to check. You also should know a little about your security policy, because one reason to use a vulnerability scanner, as I mentioned above, is to verify policy implementation.

The pre-work entails the following:

  1. Classify systems. You can make up your own classifications, for example "firewalls," "e-mail servers," "web servers," "application servers," "inside desktops," "mobile desktops," etc.
  2. Know what operating systems you have.
  3. Know what should and should not be on your network. For example, should there be traffic from user desktop systems making connections to port 25 (Internet e-mail)? Probably. Should they be attempting those connections to outside computers? Probably not. They should connect to your internal e-mail server.
  4. Configure scanners to match 1-3.

Once you've done these, you are ready to actually scan. (I assume you have the responsibility, authority, and permission to do this.) Start small and slowly at first. I'd start with an active scanner aimed at a few representative systems in your network, to get a feel for how the scanner works and to see the reports produced. Once you see how it works, and have a high level of assurance that it will not crash systems, add more systems. (Only use vulnerability scanners that allow you to adjust "aggressiveness." Think of an automatic clothes washing machine; to start with, we want to run the scanner on the equivalent of gentle cycle for delicate garments.)

Gradually scan additional systems. If you mix active and passive scanning, you will not need to actively scan all systems. Your managed security service provider is probably already passively scanning key areas of your network. I recommend starting with, or even sticking to, your key server systems and security devices (e.g., firewalls).

Set up a schedule for scanning that will eventually cover your whole network (or the key systems your policy cares about). It's your schedule. It's your network. You get to change this if you need to. But the schedule is security-relevant. Ask someone to review your assumptions and work. You can ask your managed security service provider or someone else in your security or IT organization.

Finally, you will need to actually look at the results of the scans. This may be intimidating. Initially, just look at what the vulnerability scanning tool flags as a problem, and read the commentary. Not all things flagged as vulnerabilities are vulnerabilities. Not all real vulnerabilities are important ones. You'll want to compare the results with what you already know about your network. Something might be flagged as a vulnerability because you misconfigured the scanner. Understand whatever you did not originally understand by asking your managed security service provider for help or conducting research on the Internet. After perusing a number of these reports and tuning your scanners, you will begin to know what normal is. And so you will soon be able to spot the abnormalities quickly.
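The pre-work and triage steps above, as an added example (my own illustration, not code from the article or from any scanner product): a classified inventory drives the scanner profile per system class, and each report row is rated against what the inventory already says about the host. All hosts, classes and findings are constructed.

```python
from dataclasses import dataclass

@dataclass
class Host:
    ip: str
    system_class: str   # e.g. "firewall", "web server", "inside desktop"
    os: str             # the operating system we know is installed

# Steps 1-2 of the pre-work: classified systems and their OSes (constructed).
INVENTORY = {
    "10.0.0.1":  Host("10.0.0.1",  "firewall",       "OpenBSD"),
    "10.0.1.10": Host("10.0.1.10", "web server",     "Linux"),
    "10.0.2.50": Host("10.0.2.50", "inside desktop", "Windows XP"),
}

# Classes that stay on the "gentle cycle" until we trust the scanner not to crash them.
CRITICAL_CLASSES = {"firewall", "e-mail server", "web server", "application server"}

def scan_profile(host, assured=False):
    """Step 4: choose the scanner aggressiveness for one host."""
    if host.system_class in CRITICAL_CLASSES and not assured:
        return "safe-checks"   # version/banner checks only, no exploit attempts
    return "full"

def triage(finding):
    """Rate one report row against the inventory.

    finding = {"ip": ..., "check": ..., "applies_to_os": ...}
    """
    host = INVENTORY.get(finding["ip"])
    if host is None:
        return "investigate: host not in inventory"   # a box we did not know about
    if finding["applies_to_os"] not in ("any", host.os):
        # An OS-specific check fired on the wrong OS: probably scanner misconfiguration.
        return "likely false positive: re-check scanner config"
    if host.system_class in CRITICAL_CLASSES:
        return "high"
    return "normal"

# Constructed report rows of the kind a scanner produces.
FINDINGS = [
    {"ip": "10.0.1.10", "check": "OpenSSL 0.9.7 banner",        "applies_to_os": "any"},
    {"ip": "10.0.2.50", "check": "Windows 2000 hotfix missing", "applies_to_os": "Windows 2000"},
    {"ip": "10.0.9.9",  "check": "telnet service open",         "applies_to_os": "any"},
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["ip"], f["check"], "->", triage(f))
```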

Implementing an effective, continuous scanning program will proactively protect your key, business-critical systems from potential security threats. In the dynamic IT environment in which we all live, scanning must occur to stay abreast of the vulnerabilities in your enterprise. This will also help you evaluate your level of exposure to threats. Whether you follow the steps above to build your own scanning program or subscribe to a vulnerability scanning service provided by your managed security service provider, you must implement an effective scanning program to truly protect your enterprise from security threats.


The LEDs Are On, But Nobody's Home

by Joe Stewart, Senior Security Researcher at SecureWorks

With winter drawing to a close, chances are you're thinking about where you're going to vacation this summer. Even network security people have to go on vacation, right? Sooner or later it's time to hand the reins over to a qualified subordinate and bask in the sun on a balmy beach somewhere. Just set up a vacation message on your voicemail, add an out-of-office message to Outlook and you're done, right? Don't be too sure - you may actually be putting your network and even your personal belongings at risk!

The problem is the default out-of-office settings in Outlook. They're kind of brain-dead. The standard action is to send an out-of-office reply once to any email you receive. The problem with this is that many people are subscribed to mailing lists where they receive constant emails from strangers. Would you put a sign on your front door saying "Gone to the Bahamas for a week?" This is effectively what you are doing when you send out-of-office autoreplies to people you don't know.

Ordinarily this will just annoy the person who sent the email to the mailing list. Depending on the size of the list, there may be dozens of people on vacation at any given time. Chances are this person will simply grumble a bit, delete your unwanted autoreply message and move on. However, what about the enterprising hacker who posts messages to mailing lists specifically looking for out-of-office messages? This person loves to get your autoresponse, because it tells him/her that your network is likely going to be either unwatched altogether or in the hands of a less capable administrator for some time. This is the single best time to hack into your network, and this fact is not lost on hackers.

It's not entirely unfounded to suggest that more conventional criminals also may use mailing lists or direct spam to find out-of-office replies. Armed with the vacationing person's name and the company they work for, it is often a simple task to find the person's place of residence in a phone directory. The knowledge of how long you'll be away could help the criminal remove every item from your house in your absence. Although this is by no means commonplace, British police have warned that this type of activity has already occurred in the U.K. If you are worried about responding to spam (which often *is* directly addressed to you), you should consider implementing a spam filter at your gateway. In fact, a good anti-spam/anti-virus gateway is really not an option in this day and age.

The solution to the problem is to be smart about who you send out-of-office messages to. Outlook/Exchange's Out of Office Assistant can still be used, but the better method is not the most obvious. Here are the steps to take to set up your out-of-office autoreply properly:

  1. Open the "Out-of-Office" assistant under the "Tools" Menu in Outlook.
  2. Ensure that the "AutoReply only once to each sender with the following text" text box is *empty*!
  3. Click the "Add Rule" button at the bottom of the dialog box.
  4. In the "Edit Rule" dialog, check the "Sent directly to me" and "Cc'ed to me" checkboxes.
  5. In the "Perform these actions" box, check the "Reply with" checkbox and click on the template button. Next, type in a brief message to use as your out-of-office notification. Do not give any unnecessary information such as where you are going to be vacationing.
  6. Click OK, then set the "I am currently out of the office" option in the Out-of-Office assistant, then click OK one last time.

Since most mailing lists are actually addressed to the list address and Bcc'ed to you, taking these steps will keep you from sending autoreplies to newsletters and other mail that isn't specifically addressed to you. So relax, have a good vacation, and remember that IT people should generally use SPF 50 suntan lotion.
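The decision the Outlook rule above makes, written out over raw message headers as an added example (my own, not code from the article or from Microsoft): reply only when the user's address appears in To: or Cc:. It goes one step beyond the Outlook rule by also refusing mail that carries mailing-list or bulk headers. The address and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

MY_ADDRESS = "joe@example.com"   # assumed address of the vacationing user

def should_autoreply(raw_message, me=MY_ADDRESS):
    """Return True only for mail sent directly To: or Cc: the user.

    Bcc'ed list mail never shows the user's address in To/Cc, so it gets
    no reply. Mail that self-identifies as list or bulk traffic gets none
    either, even when it happens to name the user directly.
    """
    msg = message_from_string(raw_message)
    if msg.get("List-Id") or msg.get("Precedence", "").lower() in ("bulk", "list"):
        return False
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return False   # never answer another autoresponder
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(addr.lower() == me.lower() for _name, addr in recipients)

# Constructed sample messages (headers only; bodies are irrelevant here).
DIRECT = "From: boss@example.com\nTo: Joe <joe@example.com>\nSubject: report\n\nhi\n"
CC = "From: a@example.org\nTo: b@example.org\nCc: joe@example.com\nSubject: x\n\n\n"
LIST_BCC = ("From: someone@example.net\nTo: list@lists.example.net\n"
            "List-Id: <list.lists.example.net>\nSubject: q\n\n\n")
BULK = "From: x@example.biz\nTo: joe@example.com\nPrecedence: bulk\nSubject: offer\n\n\n"

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("cc", CC), ("list", LIST_BCC), ("bulk", BULK)):
        print(label, "->", "reply" if should_autoreply(raw) else "silent")
```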


Internet Threat Update

Provided by SecureWorks Security Research Team

This Month's Threat Overview:

  • Viruses Coming Fast and Furious
  • Microsoft Source Code Leaked, Exploit Code Follows
  • Bizex Worm Spreading Through AOL Instant Messenger

Viruses Coming Fast and Furious

During the past month there has been an impressive increase in new viruses:

  • Bagle alone is almost at the end of the alphabet due to the number of its new variants. A spammer likely created Bagle since the virus facilitates the spread of spam by creating anonymous proxy servers once a system is infected.
  • Netsky has been very prolific across the Internet due to its effective social engineering. Netsky is unusual because it looks like it has been launched by a group seeking to "help" users eliminate viruses from their systems. Once Netsky infects a system, the virus then tries to clean the system of other viruses. Netsky is another example of malware authors making their source code available so that others can build and improve on their work.
  • Mydoom rounds out the list of new, prolific viruses we have seen in the past month. Spammers may have created Mydoom as well, since it too creates anonymous proxy servers. However, this virus is best known for launching denial-of-service attacks on Microsoft, SCO and the RIAA from infected systems. Mydoom variants are likely to be around for quite some time, as its source code was made available as well. In fact, a recent variant carries a destructive payload that deletes files from infected computers.

Windows 2000 Source Code Leaked, Exploit Code Follows

Microsoft, yet again, makes our Internet Threat Update. This time it is not for a specific vulnerability but for the release of a virtual breeding ground for new threats. Through a mix-up, a portion of Microsoft's Windows 2000 source code has been leaked to Internet users everywhere. The code is rumored to be full of holes according to some sources that have already analyzed it. So far, there has been one exploit posted for a vulnerability discovered in the source. Chances are there will be many more to follow. However, the really dangerous ones will come from those hackers who would prefer to keep their exploits to themselves to carry out attacks at will against vulnerable Windows 2000 systems.

Bizex Worm Spreading Through AOL Instant Messenger

This past month has seen malware authors take advantage of non-traditional means of infection. Phatbot infected users through peer-to-peer networks. Bizex has taken another route and propagates itself through AOL's popular Instant Messenger program. We'll likely see more and more malware propagate through these types of programs, as it is much easier to infect an unsuspecting user. Internet users should make sure their anti-virus definitions are always up-to-date and everyone should have a personal firewall in place. Without these preventative measures, you may fall victim to these types of malware without even knowing it.


SOC War Story: Detecting the "Unknown" in Real-Time

Business Problem

Monitoring your environment for security events is not a new concept by any means. Most enterprises conduct some form of security event monitoring. Typically, monitoring is accomplished through the use of intrusion detection systems and by periodically reviewing firewall logs. Unfortunately, this common practice leaves your organization vulnerable to new threats and increases the likelihood that you will be impacted by a security breach.

At 2:37am on a Thursday morning our Security Analysts noticed unusual SMTP traffic coming from a server that typically does not use SMTP. SecureWorks quickly escalated the incident to the client who confirmed that the server should not be using SMTP. The Analysts worked with the client to quarantine the server so they could examine the traffic without causing any other systems to become infected. Once our Security Analysts examined the SMTP packets they determined that a Trojan was probably the cause of the traffic, but one they had never seen before.

Solution

Our client uses SecureWorks' Security Monitoring, Managed Intrusion Detection, Managed Firewall and Threat Intelligence services. These services provide the client with 24x7, real-time monitoring of their security infrastructure and high-risk information assets. Additionally, we maintain their intrusion detection and firewall infrastructure to ensure they operate at peak performance. Threat Intelligence provides them with early warnings to emerging threats and vulnerability information all tailored to their environment. These solutions worked together to rapidly identify and remediate this threat.

Once the system was quarantined, SecureWorks' security research team conducted a thorough analysis of the SMTP traffic and examined the server for anything suspicious. The Group identified a rogue process on the server that was generating the SMTP traffic. They concluded that they had a new Trojan and sent the file to the client's anti-virus vendor for further analysis. The Threat Intelligence Group published a Threat report containing methods for security teams to identify and eliminate the threat. A few hours later, the anti-virus vendor confirmed that it was a new variant of an existing Trojan that they had not seen before and issued an updated anti-virus signature file. Our Security Analysts then worked with the client to bring the system back online with no damage to the server or any others in their environment. Discovering this new Trojan was only possible because SecureWorks' security event monitoring platform aggregates and analyzes all events for both the known and unknown threats. Once unknown threats are found, SecureWorks' security research team quickly examines them to find ways Threat Intelligence customers can protect their organization from being impacted by the new threats.
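The kind of check that surfaces "a server that typically does not use SMTP", as an added example (my own, not SecureWorks' platform or code): a per-host baseline of outbound destination ports is learned from past flow records, live flows outside that baseline are flagged, and fan-out per (host, port) is counted, since one stray connection is a curiosity while many destinations on port 25 looks like a mailer. All flow records are constructed.

```python
from collections import defaultdict

# Constructed historical flows: (source_ip, destination_ip, destination_port).
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 1433),   # app server talking to its database
    ("10.0.1.10", "10.0.1.20", 1433),
    ("10.0.1.10", "10.0.0.5", 53),      # DNS
    ("10.0.1.30", "192.0.2.25", 25),    # the real mail relay sends SMTP
    ("10.0.1.30", "10.0.0.5", 53),
]

def build_baseline(flows):
    """Map each source host to the set of destination ports it has used."""
    baseline = defaultdict(set)
    for src, _dst, dport in flows:
        baseline[src].add(dport)
    return baseline

def detect_new_behaviour(flows, baseline):
    """Return (src, dst, dport) for flows on ports a host has never used.

    A host with no baseline at all is reported too: an unknown box sending
    anything is exactly the "unknown" the analysts want to see.
    """
    alerts = []
    for src, dst, dport in flows:
        if dport not in baseline.get(src, set()):
            alerts.append((src, dst, dport))
    return alerts

def summarise(alerts):
    """Count distinct destinations per (source, port): fan-out is the tell."""
    fanout = defaultdict(set)
    for src, dst, dport in alerts:
        fanout[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in fanout.items()}

# Constructed live traffic at 02:37: the app server suddenly speaks SMTP to outside hosts.
LIVE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 1433),
    ("10.0.1.10", "198.51.100.7", 25),
    ("10.0.1.10", "203.0.113.9", 25),
    ("10.0.1.30", "192.0.2.25", 25),    # mail relay doing its job: not alerted
]

if __name__ == "__main__":
    alerts = detect_new_behaviour(LIVE_FLOWS, build_baseline(BASELINE_FLOWS))
    for (src, dport), count in summarise(alerts).items():
        print("ALERT: %s -> port %d to %d new destination(s)" % (src, dport, count))
```

In practice the baseline window is the point to tune: too short and routine maintenance traffic alerts, too long and an already-compromised host teaches the detector that its beaconing is normal.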
