Wednesday, September 28, 2005

Rootkits Make NSM More Relevant Than Ever



Federico Biancuzzi conducted an excellent interview with Greg Hoglund and Jamie Butler, authors of Rootkits: Subverting the Windows Kernel. I reviewed this book during publication for Addison-Wesley, but I don't plan to read it for personal education until I get deep into the programming part of my reading list. This is the sort of book that looks K-RAD on your bookshelf, telling those passing your cube that you've got m@d 31337 sk1llz. Doing something useful with the contents take some real mastery of Windows programming, especially device driver development and thorough knowledge of material in Microsoft® Windows® Internals, Fourth Edition.

The interview reminded me that network security monitoring is needed now more than ever. It is easy for host-centric security types to concentrate on defending the desktop. In reality the battle for the desktop PC has been lost. When intruders can completely control all aspects of a running system, there is almost no where else for defenders to go. The only places left are found in CPU microcode or outside the CPU itself, monitoring it via a hardware JTAG port as described in a recent Dr Dobbs Journal article.

If the desktop cannot be trusted then detection and prevention must be performed elsewhere, on a trusted platform outside of the intruder's, and more importantly, user's reaches. This can only be done at the network infrastructure. While the network will not yield as rich a collection of evidence about host exploitation, the data collected via network platforms bears a higher degree of trust.

I foresee a few roads ahead for corporate PC users, some of which may be taken simultaneously. We may see this at .mil or .gov earlier. One day arbitrary Web browsing and email communication with non-business-related parties will be forbidden. Alternatively (or simultaneously) PCs will be replaced by true non-Windows thin clients like Sun Ray 170s. Organizations adopting these practices will realize that they must do something to reduce the overall threat level (first option) and/or vulnerability level (second option).

6 comments:

John Moore said...

Richard,
The Sun Rays were crap, at least the ones 2-3 years ago. SMU Legacy at Plano ACEC has a classroom full of them and the instructors loathed them due to unreliablity. It might be easier for corporations to make use of Live CDs. The technology is mature. WinPE shows that even Windows can run from a RAMDISK, but it's so crippled it's sad. Another alternative is to redirect users folders to a server and reimage the workstation automatically every so often, or if some condition is met. Some Brazilians did this with Linux and Windows on the same platform. The computer ran Windows, but if there was a problem, it could be rebooted into Linux and a new Windows image installed.

Richard Bejtlich said...

John,

Ok, so you think the Sun Rays from 2-3 years ago were bad. I am talking about Sun Ray 170s that were just released earlier this year and deployed at my last job. They are good, as far as I was able to judge them.

Years ago at BATC Bamm and I used even older Sun Ray technology without problems.

Keydet89 said...

In reality the battle for the desktop PC has been lost.

As sad as it sounds, Richard, you may very well be right. It may be b/c while the good guys have stood around twiddling their thumbs and patting themselves (and each other) on the back, others have subverted the systems.

When I was doing research for my book, I located a KB article from the MS PSS Security team, stating that most of the compromised systems they dealt with were compromised as a result of weak or non-existent Admin/root passwords. At that point, is the vendor really to blame, or did the Administrator give away the keys to the kingdom at installation?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous said...

Couple points. First of all, I think the current trend is towards mobility, and that means laptops in the enterprise. Eventually this will continue on down the "smaller and faster" continuum until PDAs and cell phones take over the office. Only after this mobility swing can we can back to grounded workers...and by then I'll agree: thin is in.

Secondly, I agree that most Windows compromises are due to lack of administrative control and bad practices. However, I sympathize with anyone in an enterprise that does not give proper or full risk to security breaches. Unless you are regulated or your reputation will be damaged very badly, most companies go the easy and dangerous route of letting users run as admin, having little software installation protection, and overall poor desktop security. The perimeter is a strong point in most networks now, the internal network is still getting attention, but the desktops...oooh those soft luscious desktops....

Combine both points 1 and 2, and you have a formula that explains why I don't sleep some nights. :) (We have many laptops and getting more every week...and we just can't get people to accept more security.)
-LonerVamp

Joe said...

Laptops are a huge liability and should only be given out to certain people in a company.

Anonymous said...

I concur with Richard, with this caveat. My experience is that signature based systems (host and network) fail too often with both false positives and negatives. I've been focusing on statistical network anomaly detection for a while now. IDS systems like Bro or Snort/Spade, armed with detailed asset risk information can be used to more quickly detect unathorized behavior.

So...the terminal is eternally compromisable. Okay. The custom trojan/rootkit that can't be detected by signature mechanisms will still show up in your network session data. Hmmm...why is this box that never talks out to the internet all of a sudden transferring gigabytes at a time to a foreign IP address? Hmm...why has point-to-point DNS (or ICMP) traffic between these two hosts skyrocketed? Etc.

Also from personal experience though, advanced detection doesn't always equate to intelligent incident response.

YMMV,

Random Analyst