A. DEFENDERS: SI-4 INTRUSION DETECTION TOOLS AND TECHNIQUES
[the italicized section below is a security control from NIST SP 800-53]
Control: The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
Guidance: Intrusion detection and information system monitoring capability can be achieved through a variety of tools and techniques (e.g., intrusion detection systems, virus protection software, log monitoring software, network forensic analysis tools).
Control Enhancement 1: The organization networks individual intrusion detection tools into a system wide intrusion detection system using common protocols.
Control Enhancement 2: The organization employs automated tools to support near-real-time analysis of events in support of detecting system-level attacks.
Control Enhancement 3: The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
Control Enhancement 4: The information system monitors outbound communications for unusual or unauthorized activities indicating the presence of malware (e.g., malicious code, spyware, adware).
[the following is the PHA response to the security control described above]
Implementation: The Office of Information Architecture as authorized by the Deputy Assistant Secretary for the Office of Information has directed the Office of Cyber Information and Security Compliance Assurance to be responsible for developing and deploying controls on an enterprise basis that protect PHA networks from penetration. This will include network intrusion detection devices to be deployed at each of the national network gateways to the internet. This will insulate the PHA internal network from cyber attacks.
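An added worked illustration of the outbound-monitoring part of SI-4 (Control Enhancement 4), not taken from the NIST text or the PHA response: it scans constructed firewall log lines (the log format, hosts, ports and allowlist are all assumptions) for internal hosts that talk to non-allowlisted destinations or that check in at near-constant intervals, the kind of behavioural signal that remains available when no IDS or AV signature yet exists for a new exploit.

```python
"""Outbound-traffic monitor in the spirit of SP 800-53 SI-4(4): an added
example, not the PHA's or NIST's code. Log format, hosts and allowlist are
constructed assumptions. Flags internal hosts that talk to destinations
outside the allowlist or that check in at near-constant intervals, the
behavioural trace left even when no IDS/AV signature exists yet."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed allowlist of approved external (dst, port) pairs.
ALLOWED_DESTS = {("203.0.113.10", 443), ("203.0.113.20", 25)}

# Constructed sample log lines: "timestamp src dst dport bytes".
SAMPLE_LOG = """\
2007-04-10T08:00:00 10.1.1.5 203.0.113.10 443 5120
2007-04-10T08:00:05 10.1.1.7 198.51.100.9 8080 312
2007-04-10T08:01:05 10.1.1.7 198.51.100.9 8080 310
2007-04-10T08:02:05 10.1.1.7 198.51.100.9 8080 315
2007-04-10T08:03:05 10.1.1.7 198.51.100.9 8080 309
2007-04-10T08:04:00 10.1.1.9 203.0.113.20 25 20480
"""

def parse_log(text):
    """Yield (ts, src, dst, dport, nbytes) from the constructed log format."""
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)

def find_suspicious(text, min_hits=4, max_jitter=0.2):
    """Return {src: [reasons]} for outbound flows an analyst should review."""
    findings = defaultdict(list)
    flows = defaultdict(list)  # (src, dst, dport) -> [timestamps]
    for ts, src, dst, dport, _ in parse_log(text):
        if (dst, dport) not in ALLOWED_DESTS:
            reason = f"non-allowlisted destination {dst}:{dport}"
            if reason not in findings[src]:
                findings[src].append(reason)
        flows[(src, dst, dport)].append(ts)
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Malware check-ins tend to be periodic: spread small relative to mean.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            findings[src].append(
                f"periodic beacon to {dst}:{dport} every ~{mean(gaps):.0f}s")
    return dict(findings)
```

In a real deployment the allowlist would come from the gateway configuration and the thresholds would be tuned against a baseline of normal traffic; the point is that the detection keys on behaviour rather than on a signature of the exploit.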
B. ATTACKERS: Zero Day Exploits
A “zero-day” attack is an attack that targets a vulnerability for which there is no solution easily available. Once the vendor releases a patch, the zero-day exposure has ended. A recent example of a critical zero-day vulnerability was the Windows Animated Cursor Remote Execution Vulnerability that was patched by MS07-017 (Microsoft Security Bulletin 925902). This was considered a critical hole because it could allow remote code of the attackers’ choosing to be executed. A security research company called Determina notified Microsoft of the problem on December 20, 2006. The vulnerability was publicly announced on March 28, 2007. On April 2, Determina released a video demonstration of Metasploit using exploit code against Vista. Microsoft released the patch on April 3, 2007, ending at least six days of zero-day exposure. Exploit code that targeted this vulnerability was active in the wild for at least several days, if not several weeks, before the patch was released. Even after a patch is released, many organizations take several days to get around to updating systems with the patch.
Another recent example is the DNS RPC buffer overflow that was patched by MS07-029. This vulnerability offered remote code execution with SYSTEM access privileges against Microsoft DNS Server on both Windows 2000 and 2003. Exploit code was seen as early as April 7, 2007; Microsoft released a bulletin acknowledging the vulnerability on April 12, 2007, and the patch closed the hole on May 8, 2007, offering at least 31 days of zero-day opportunity to attackers who had exploit code. Metasploit had exploit code for this vulnerability included before the patch was released.
[Metasploit exploit for DNS RPC]
Earlier in the year, ImmunitySec (maker of Canvas) released an exploit for MS07-004 within hours of Microsoft’s patch release. The exploit used a VML flaw in IE 7.0 to take over full control of the target system. Over the past year or so, this sequence of events has become commonplace. A vulnerability is announced and nearly simultaneously we hear that there is active exploit code. Then we have to wait until a patch or workaround is released. Even when the patch or workaround becomes available, it takes time to deploy. This gives the attackers more than a few major zero-day vulnerabilities available each year if they are patient enough to wait a few weeks or a few months until the next one surfaces.
Gunter Ollmann, Director of Security Strategy at IBM Internet Security Systems, has said, “all my consultants have access to over 100 0-days as a matter of course”. He continues, “For those people who say that the 0-day threat is fictional, or that their security system can prevent and contain any such outbreak, my response is ‘dream on’” and adds, “Responses to successful 0-day penetration tests should be seen as live practices for disaster recovery processes”. eEye Digital Security maintains a zero-day tracker web page that includes both active zero-day vulnerabilities and a history of older ones that have been fixed: http://research.eeye.com/html/alerts/zeroday/
D. Scenario (Zero Day Attacks)
Both the attackers at the perimeter and the ones who had already penetrated the network through other means were waiting patiently for a zero-day vulnerability to become available. The perimeter attack team was holding just outside the network perimeter, but had collected more information about the perimeter gateway systems than the defenders would like. The other three attack teams were already inside the perimeter and had been working hard but quietly to further entrench their position without alerting any of the defenders. When the day finally arrived that the lab announced they had live zero-day exploit code, all four attack teams sprang into action. The exploit was plugged into various framework tools and launched. In a matter of minutes, the attackers found themselves at command prompts on dozens of compromised systems. They immediately began uploading the tools for entrenching their positions and launching more attacks against other systems. They could now attack almost with impunity, knowing that there were no defenses against this attack, including detection by IDS and AV software.
Within a few hours, over a hundred systems had been taken, and over the next few days the count soared into the thousands. The preliminary zero-day window stayed open for over a week before the vendor made an announcement about it, and it was another two and a half weeks before a patch was released. All told, the attack teams had been given free license to pillage the defenders’ network for over three weeks, and many thousands of systems had been compromised. The attackers now owned most of the critical infrastructure of the network and were confident that they had enough valid credentials to control all of it if they liked.