Innovative Hackers are Bad for Business
Brian O’Higgins
CTO, Third Brigade Inc.
October 14, 2005
2 © 2005, Third Brigade Inc.
Outline
Evolving Threat
Hackers and Targeted Attacks
Counter-attack: Host Intrusion Prevention
Conclusions
4 © 2005, Third Brigade Inc.
Attacks are changing
Major Malware Trends (timeline, 1985 to 2005):
Boot sector virus
Files and executables
Office macro virus
Email attachments
Web application attacks
5 © 2005, Third Brigade Inc.
Old Internet security statistics
Source: www.cert.org/stats
Vulnerabilities are the root cause for malware
[Chart: vulnerabilities reported per year, 1995 to 2003, axis 0 to 4,500]
[Chart: incidents reported per year, 1995 to 2003, axis 0 to 160,000]
Attackers are getting more efficient at exploiting vulnerabilities
6 © 2005, Third Brigade Inc.
Where are attackers successful?
Source of attack: Remote 71%, Local network 18%, Local system 11%
Type of exploit: Vulnerability 45%, Configuration 31%, Brute force 12%, Other 12%
Source: Zone-h.org
7 © 2005, Third Brigade Inc.
Attacks: Increasingly Sophisticated
[Chart, adapted from www.cert.org: timeline 1980 to 2005; vertical axis is the intruder knowledge required, from high to low]
Techniques and tools plotted on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, network management diagnostics, GUI tools, automated probes/scans, www attacks, DDoS attacks, disabling audits, back doors, sweepers, sniffers, packet spoofing, denial of service, stealth scanning techniques, ASN.1 attacks
8 © 2005, Third Brigade Inc.
Automated exploit tools
“…The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only”
9 © 2005, Third Brigade Inc.
The root cause
• 1 vulnerability for every 1,000-4,000 lines of code
• 100M+ lines of code not unusual
• Many sources of compromise (confidentiality, integrity & availability)
• Not likely to change in the near and medium future
[Diagram: Server (Host) stack of OS, Web/App Server, Database and Web App; Client (Host) stack of OS, Client Browser and Other Apps]
10 © 2005, Third Brigade Inc.
Software vulnerabilities
• Symantec Internet Security Report, 1H 2005
– 1,862 new vulnerabilities, highest ever
– 59% related to web applications
• SANS Top 20 list, Q1 2005 – 600+ new vulnerabilities listed that:
1. Affect a large number of users
2. Are not patched on a substantial number of machines
3. Allow the computer to be taken over by a remote, non-authorized user
4. Sufficient details published on the internet
5. Discovered or first patched during Q1 2005
11 © 2005, Third Brigade Inc.
Business impact
[Chart: worldwide financial losses from malicious code, 2002 to 2004, scale $5 B to $20 B. Source: Computer Economics Impact of Malicious Code Study of 100 I.T. and Security Executives]
[Chart: lost revenue per hour of downtime, in millions USD, by sector: Trans, Retail, E-Comm, Media, Banking, Brokerage. Source: Yankee Group]
12 © 2005, Third Brigade Inc.
Outline
Evolving Threat
Hackers and Targeted Attacks
Counter-attack: Host Intrusion Prevention
Conclusions
13 © 2005, Third Brigade Inc.
Hacking is changing
• From mass nuisance to profit motive
• Targeted attacks take advantage of s/w vulnerabilities
– Can exploit a database without having to compromise any servers
14 © 2005, Third Brigade Inc.
Bot Nets for hire
• “First hour is free”
– Infect web servers, then unsuspecting PCs
– Change infection after a few thousand downloads to stay under virus signature radar
– Call to the mothership for subsequent updates
– Password stealing program web site count doubled from June 2005 to July 2005 (www.antiphishing.org)
15 © 2005, Third Brigade Inc.
Popular Web Application Attacks
Buffer overflow
Command injection
Cross-site scripting
Parameter manipulation
Session hijacking
Improper error handling
Google hacking
16 © 2005, Third Brigade Inc.
SB 1386 impact
• California breach notification legislation
– Spreading to other jurisdictions
– Notifications and subsequent press are the biggest contributor to online fear
– Since the Feb 15 2005 ChoicePoint breach, 78 notifications have been publicized covering 50M individuals (www.privacyrights.org)
17 © 2005, Third Brigade Inc.
Consumer confidence erodes
• U.S. survey on data security breach notification (Sep 25, 2005)
– Ponemon Institute (www.ponemon.org) survey of 10,000 victims of data security breach
• 19% of respondents have terminated the relationship
• 40% more said they are thinking about terminating
• 5% had hired lawyers
• Businesses using canned communication are 3X more likely to lose the customer vs. personalized
18 © 2005, Third Brigade Inc.
Security fears harm e-banking
• Forrester Research study of 11,300 users in the UK
– Concludes that 600,000 from a total of 15M have quit online banking
– 20% of internet users say security fears will stop them from ever banking online
– 50% of UK internet users paranoid about online banking security
19 © 2005, Third Brigade Inc.
Breach notification is costly
• Feb 2005 ChoicePoint breach
– 145,000 records
– $11.4 M charges Q1 and Q2 2005
– $79 per account. Gartner estimates this is more likely $90/account all in.
– $750M mkt cap drop immediately after the breach publicized
20 © 2005, Third Brigade Inc.
Costs for notification
• Smaller numbers, cost per account higher: 5,000 accounts ~ $1,500 per account
• Very large compromises, >1M accounts, direct costs ~$50 per account.
– But this may be the death sentence for the company (CardSystems 40M accounts)
Source: Gartner, Data Protection is Less Costly Than Data Breaches, 28 Sept 2005
21 © 2005, Third Brigade Inc.
Business case to protect data
• Three recommendations from Gartner, and ballpark costs for 100K accounts
1. Encrypt stored data: $5/account initial, $1 recurring
2. Deploy HIPS on servers: $6/account initial, $2 recurring
3. More rigorous audits: $4/account recurring
vs. expenditure of $90/customer account exposed in a breach
*Source: Gartner, Data Protection is Less Costly Than Data Breaches, 28 Sept 2005
22 © 2005, Third Brigade Inc.
Mitigating attacks
They exploit: Vulnerability 45% (24% known vulnerabilities, 21% unknown vulnerabilities), Configuration 31%, Brute force 12%, Other 12%
Known vulnerabilities (24%), preventative action:
– Patching
– Shielding (virtual patching)
Unknown vulnerabilities (21%), preventative action:
– Shielding (virtual patching)
23 © 2005, Third Brigade Inc.
Patching: A race you can’t win
Source: Symantec Internet Security Threat Report, H1, 2005
[Timeline from vulnerability published: exploit available after 6 days; patch available after 54 days]
24 © 2005, Third Brigade Inc.
Patching needs to take time
[Timeline: start safe; vulnerability published and patch released; notice patch; evaluate patch; test patch; develop & document new image; push new image; last system patched & rebooted]
High value systems are difficult to patch:
• Patch may impact the system
• Patches inherently slow and expensive to test
• Most patches not designed to be easily reversible
• Service disruption or machine reboot
25 © 2005, Third Brigade Inc.
Attacks are occurring faster
[Timeline: start time is vulnerability published & patch released; each worm is placed at the number of days after that]
Approaching the Zero Day Attack
2003 – MSBlast Worm: known vulnerability in Windows, ~8 million computers infected; 28 days
2004 – Sasser Worm: exploited Windows hole “Local Security Authority Subsystem Service”, ~10 million Windows computers infected in 4 days; 18 days
2005 – Zotob Worm: Windows plug and play flaw; 6 days later, 10 variants, widespread in 1 week; 1 day
26 © 2005, Third Brigade Inc.
Outline
Evolving Threat
Hackers and Targeted Attacks
Counter-attack: Host Intrusion Prevention
Conclusions
27 © 2005, Third Brigade Inc.
The vulnerability gap
[Diagram: timeline. Bad Guys: ATTACK, with unknown exploits before “vulnerability published and patch released” and known exploits after it. Good Guys: Patch, until “last system patched & rebooted”. The interval between patch release and the last system patched is the vulnerability gap.]
28 © 2005, Third Brigade Inc.
Getting ahead of the attackers
[Diagram: the same timeline (Bad Guys: ATTACK with unknown then known exploits; Good Guys: Patch until last system patched & rebooted) with a third track, Smart Guys: Shield, starting at “vulnerability published and patch released”, ahead of the patch cycle]
29 © 2005, Third Brigade Inc.
Host Intrusion Prevention
Security Technologies You Will Probably Need
Host-based IPS
802.1x
Quarantine/containment
Personal intrusion prevention and URL blocking
Gateway spam/antivirus scanning
Security audit capabilities
Vulnerability management
Web services security
Identity management
SSL/TLS
Business-continuity plan
PC lockdown cables and anti-tamper alarms
Source: Gartner Security ITxpo, June, 2005
30 © 2005, Third Brigade Inc.
Security controls: evolution of the perimeter
[Network diagram: firewall, DMZ, IDS, IPS, corporate network (ERP, Finance, Email, Web, Laptop, HR Workstation), and a firewall to the branch network]
31 © 2005, Third Brigade Inc.
Network defenses are necessary but not sufficient
[Same network diagram: firewall, DMZ, IPS, corporate network (ERP, Finance, Email, Web, Laptop, HR Workstation), firewall to the branch network]
Shown bypassing the perimeter:
• Encrypted attacks over the internet
• Mobile users leaving the safety of the perimeter
• WLAN providing alternate paths into the network
• Insider attacks
32 © 2005, Third Brigade Inc.
The host is the last line of defense
[Same network diagram, now with a firewall and IPS on the host itself in addition to the perimeter firewall, DMZ, IPS and branch network firewall]
Still shown bypassing the perimeter:
• Encrypted attacks over the internet
• Mobile users leaving the safety of the perimeter
• WLAN providing alternate paths into the network
• Insider attacks
33 © 2005, Third Brigade Inc.
Experts agree
“Firewall-based prevention solutions that function with deep packet inspection techniques are key to effective protection from the growing number of cyber threats”
Gartner, Richard Stiennon, Research VP
“By 2006, 50% of enterprise servers and 30% of corporate PCs will incorporate host-based security agents (0.7 probability)”
Gartner, John Pescatore, Research VP
34 © 2005, Third Brigade Inc.
Different perspectives of HIP
What is HIP? Perspectives of: analysts, IPS vendors, firewall vendors, IDS vendors, anti-virus vendors
35 © 2005, Third Brigade Inc.
Gartner HIP framework
Gartner “Understanding the Nine Protection Styles of Host-Based Intrusion Prevention”
Malicious code       Protection styles
Trying to enter      1 Attack-facing network inspection | 2 Personal firewall | 3 Vulnerability-facing network inspection
Trying to execute    4 Antivirus | 5 System hardening | 6 Application inspection
Executing            7 Resource shielding | 8 Application hardening | 9 Behavioral containment
36 © 2005, Third Brigade Inc.
Which approach to use?
Gartner “Understanding the Nine Protection Styles of Host-Based Intrusion Prevention”, grouped by what each style recognises:
Malicious code       Known Bad                            Known Good                Unknown
Trying to enter      1 Attack-facing network inspection   2 Personal firewall       3 Vulnerability-facing network inspection
Trying to execute    4 Antivirus                          5 System hardening        6 Application inspection
Executing            7 Resource shielding                 8 Application hardening   9 Behavioral containment
Stop malicious code before it enters the host
“Gartner believes that leading HIP solutions will use multiple protection techniques, and recommends solutions that take a network-level approach be considered mandatory for deployment by the end of the year.”
Neil MacDonald, Gartner
37 © 2005, Third Brigade Inc.
Analysts recommend HIP
– “The Role of Network Intrusion Prevention in Protecting Medical Devices” (2004)
– “Most Important Security Action: Limiting Access to Corporate and Customer Data” (2005)
– “Host-Intrusion Prevention is here to Stay” (2004)
38 © 2005, Third Brigade Inc.
HIP: Security best practice
Found in security guidelines
– “Recommended Security Controls for Federal Information Systems”, NIST SP 800-53 (2005)
– SANS: HIPAA Security Step-by- Step
39 © 2005, Third Brigade Inc.
How HIP works
Network-based HIP security mechanisms:
– Firewall: known good
– Deep packet inspection, signatures: known bad
– Deep packet inspection, rules-based engine: unknown
40 © 2005, Third Brigade Inc.
Protecting the host
HIP Agent: incoming or outgoing network traffic passes through a stateful firewall, then signature filters, then rules-based filters, and leaves as protected and corrected traffic
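The three mechanisms on the “How HIP works” and “Protecting the host” slides (a firewall for known good, signature filters for known bad, a rules-based engine for the unknown), as a small added Python example of a network-based agent inspecting HTTP requests. This is illustrative code written for this transcript, not Third Brigade's product; the allowlist, the signature, the conformance limits and the sample requests are all constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Verdict:
    action: str  # "allow" or "block"
    stage: str   # "firewall", "signature" or "rules"
    reason: str

# Stage 1, known good: the stateful firewall admits only exposed services (constructed allowlist).
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}

# Stage 2, known bad: a signature for one specific, already-seen attack (constructed, not a real IDS rule).
SIGNATURES = [
    (re.compile(rb"/cgi-bin/example-vuln\.cgi"), "known exploit path"),
]

# Stage 3, unknown: a rules-based engine enforces protocol conformance, which is
# what shielding (virtual patching) relies on. The limits are constructed.
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}
MAX_REQUEST_LINE = 1024
MAX_HEADER_LINE = 4096
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def firewall_allows(proto, port):
    return (proto, port) in ALLOWED_SERVICES


def signature_hit(payload):
    # Description of the first matching signature, or None.
    for pattern, description in SIGNATURES:
        if pattern.search(payload):
            return description
    return None


def rule_violation(payload):
    # First HTTP conformance rule the request breaks, or None.
    lines = payload.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return "malformed request line"
    if match.group(1) not in ALLOWED_METHODS:
        return "method not allowed"
    if len(lines[0]) > MAX_REQUEST_LINE:
        return "request line too long"
    for header in lines[1:]:
        if header == b"":  # blank line ends the headers
            break
        if len(header) > MAX_HEADER_LINE:
            return "header line too long"
    return None


def inspect(proto, port, payload):
    # Run one request through the agent's three stages, in order.
    if not firewall_allows(proto, port):
        return Verdict("block", "firewall", f"{proto}/{port} is not an exposed service")
    hit = signature_hit(payload)
    if hit:
        return Verdict("block", "signature", hit)
    violation = rule_violation(payload)
    if violation:
        return Verdict("block", "rules", violation)
    return Verdict("allow", "rules", "conformant request")


# Constructed sample traffic; the last request is a variant no signature knows
# about, so only the protocol rules can catch it.
SAMPLES = {
    "benign": ("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "unexposed port": ("tcp", 23, b"GET / HTTP/1.0\r\n\r\n"),
    "known exploit": ("tcp", 80, b"GET /cgi-bin/example-vuln.cgi HTTP/1.1\r\nHost: h\r\n\r\n"),
    "unknown variant": ("tcp", 80,
                        b"GET /cgi-bin/other.cgi?p=" + b"A" * 2000 + b" HTTP/1.1\r\nHost: h\r\n\r\n"),
}


def run_samples():
    # Map each sample to (stage that decided, action) so the outcome can be checked.
    return {name: (v.stage, v.action)
            for name, v in ((n, inspect(*a)) for n, a in SAMPLES.items())}
```

Of the four samples only the first is allowed; the over-long variant is blocked by the rules stage even though it matches no signature, which is the point of the "unknown" tier.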
41 © 2005, Third Brigade Inc.
Non-intrusive at the network layer
System execution control:
- Highly dynamic environment
- OS versioning and patching
- Application versioning and patching
- Control mechanism versioning and updating
- High test requirements (run applications)
Network based:
- Implemented at the network layer, which is less subject to change
- Transparent to applications and the OS
- Easy to test (replay data through it)
[Diagram: two host stacks of Applications, TCP/IP and OS, one labelled System Execution Control and the other Network-Based]
42 © 2005, Third Brigade Inc.
Software must resist attack
• Software agents must be resilient to attack (‘knocking out the security guard’)
– Use kernel-mode implementations rather than user-mode
– Stateful implementations are resistant to evading deep packet inspection
• Manage agents with a central console, not the end user
43 © 2005, Third Brigade Inc.
Accuracy: Perfect is impossible, but make the errors really small
[Chart: probability of error against sensitivity, 0 to 100%, with curves for false positives (stopping the wrong thing) and false negatives (not stopping the attack)]
• Trade-off on errors
• Tune more accurately
• Host based allows fine tuning
44 © 2005, Third Brigade Inc.
Proof: HIP stops attacks
OWASP Top 10 Vulnerabilities                  Unprotected   Protected
1. Unvalidated input                               25           0
2. Broken access control                            0           0
3. Broken authentication and session mgt.          10           0
4. Cross site scripting (XSS) flaws                 8           0
5. Buffer overflows                                 3           0
6. Injection flaws                                 13           0
7. Improper error handling                         23           0
8. Insecure storage                                 0           0
9. Denial of service                                2           0
10. Insecure configuration management              17           0
Industry-leading web application scanner: several thousand tests on a typical web application
45 © 2005, Third Brigade Inc.
Commercial applications
Protected with network-based HIP
Software (# of known major vulnerabilities)   Rules-based filters   Rules-based + signature filters
FTP – 3com, Netterm, wuftpd (17)               94%                   100%
HTTP – IIS (105)                               86%                   100%
HTTP – Apache (20)                             90%                   100%
SMTP – Exchange, Sendmail (3)                 100%                   100%
46 © 2005, Third Brigade Inc.
Outline
Evolving Threat
Hackers and Targeted Attacks
Counter-attack: Host Intrusion Prevention
Conclusions
47 © 2005, Third Brigade Inc.
Internet, intrusions and HIP everywhere
VoIP
Telecom
Mobile & PDA
Financial
Enterprise Computing
SCADA
Medical Systems
Military
48 © 2005, Third Brigade Inc.
Evaluate HIP now
• Host Intrusion Prevention technology and products are becoming mainstream by YE 2005.
• Organizations need to start evaluating options and testing solutions now.
49 © 2005, Third Brigade Inc.
Deployment strategy
• Incorporate HIP into pilots
– Confirm user acceptance (performance, transparency and manageability)
– Identify the types of threats these systems are seeing
– Demonstrate the effectiveness of HIP in protecting these systems
• Deploy applications with confidence
– Protect against known and unknown vulnerabilities