What I'm describing in this bit is actually a behavioral detection technique rather than the specification or regexp based method (though the combination of the two is often preferable, where available) as the detection failure scenarios data inspection are endless, as you point out. What I'm suggesting is that while methods and scenarios for obfuscating or concealing data beyond detection or inspection are supernumerary, there are a few elements that can usually be reliably detected using flow data, assuming the reporting devices themselves have not been compromised;
1. network transmission took place with between two IP sockets 2. some number of bytes and packets were transmitted, which can be measured 3. the destination address was or was not part of the organization which owns the source 4. the destination address is or is not within expectations (e.g. is it a foreign country or organization with which no business relationship exists) 5. (possibly, if you have some packet content samples with the flow data) the application protocol appears to be a known application or network protocol 6. this apparent application usage is or is not within expectations - and is or is not typical With this information, behavioral detection can sometimes find data leaks in the form of anomalous network behavior such as the appearance of a new application protocol e.g. a vpn, ssl or ssh connection - especially on a non standard port - with a remote destination which is unexpected (while the encrypted data itself is beyond inspection, the application protocol itself may be recognizable); or a direct SQL connection from a client desktop, where they normally connect through a middleware application, or something else. We use a technique we call anomaly detection in the QRadar tool to detect appearance of new behaviors for selected high-value systems and networks. useful either as a corroboration to methods like regexp based inspection or as a potential method of finding information leaks that evade these detection methods. Of course, there are scenarios where new behaviors result from normal changes; none of these methods are perfect, but they are all useful. Combining them through correlation can sometimes improve accuracy of detection even further. In my experience, the best method of finding misuse patterns like data leaks is through sophisticated event correlation - either manual or programmatic - though it needs to be done programmatically in order to scale. Craig Chamberlain Principal Security Consultant [EMAIL PROTECTED] | www.q1labs.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Siim Põder Sent: Friday, October 19, 2007 2:59 AM To: Craig Chamberlain Cc: [email protected] Subject: Re: Using Snort to find creditcard data? Yo! Craig Chamberlain wrote: > Good point; what I'm suggesting is that while it's relatively easy to > hide or obfuscate the data itself, it is hard to conceal the fact that > data - or packets - are being transmitted, possibly using a > recognizable application protocol, to an unexpected destination, which > can be a useful last-ditch detection mechanism when the other methods > fail - or can be a useful corroboration when correlated with the other > detect data. There is bound to be some sort of legitimate production traffic. For example, if there are https connections coming in to a specific machine and specific port. You can detect if that machine starts sending out data on its own or starts accepting connections on another port. However, if the same port starts serving credit card numbers (obfuscated) or even hides the credit card numbers in tcp sequence numbers (or does something even more subtle as serving them by changing the case of "A" letters in http connections from certain addresses) the movement of data should be extremely hard to detect. Siim ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
