IDS mailing list archives

Re: ForeScout ActiveScout


From: Brent Stackhouse <brentstackhouse () yahoo com>
Date: Fri, 7 Jan 2005 22:22:39 -0800 (PST)

ZhiHen,

Thanks very much for the feedback.  I agree that
proactive is better than reactive.  However, the next
0-day isn't necessarily going to fit ActiveScout's
recon model any better than a traditional IDS vendor.

In fact, I believe ISS has had some success with
detecting 0-days because of their focus on the
vulnerability rather than the attack/exploit method. 
Apologies to Robert Graham if I got that wrong.

My big fuzziness with this product is twofold:
1.  How does it determine what traffic is interesting,
i.e., worth monitoring?  I don't think it tries to
"tag" everything, which is how they claim 100%
accuracy.
2.  Why does it respond with data that indicates ports
are open/vulnerable when they're not?  That doesn't
seem helpful.

Based on a simple TCP scan (that someone else ran) of
a network with only HTTP, DNS, and SMTP open,
ActiveScout caused the scan results to indicate that
NetBIOS, SunRPC and other historically-vulnerable
services were open.  Seems like a strange way to
encourage the bad guys to move on.  I won't debate the
benefit or not of using RST packets to tear down
sessions, since that's been done to death in this
forum numerous times.

Thanks again,

Brent
--- dywzh dywzh <zhihen.wang () gmail com> wrote:

One of the biggest challenges in intrusion detection is to
differentiate bad from good with precision and ahead of the attack.

Locking the server down, or patching to the latest, will only help you
last until the next brand-new unknown attack surfaces.  And if you are
lucky (i.e., your security vendor notifies you before the actual
propagation hits you), then you might have a chance to be immunized, but
what if you run out of luck, what if your security vendor didn't even
notice such an attack yet ...

So to win this battle against the attackers, we have to take a proactive
and, better yet, pre-emptive approach; sitting there trying to lock down
the server following some other guy's hardening steps, or begging M$ for
a patch release, is just not good enough to protect yourself.

All right, back to this ForeScout approach: they throw some fake but
enticing bone (information) back to the attackers or would-be attackers
to try to find out what the intent is behind such perimeter scanning
activities; if that intent is proven to be bad, then they take
appropriate action, such as notifying the firewall.

I personally think this is a pretty neat approach, sort of being
proactive.

But one weak point I see in their approach (or their product offering)
is that they narrowed their intrusion detection scope to only the
traffic going to the fake place.

Recently, I have been exposed to a start-up security company,
CyberShield Networks.  They developed a similar approach to enable users
to be proactive, but the complete package they offer goes way beyond
just reporting attacks from the fake place; they cover intrusion
detection over the entire IP space assigned under their protection.
Also they implemented a RADAR screen and transformed attacks into blips
on the RADAR, which makes our security guys' lives a lot easier as far
as sorting out the priorities among the attacks reported.  Pretty cool
stuff.

Anyway, I hope this helps you a little bit.

ZhiHen
CISSP
Senior Security Analyst
Shanghai Rasing Consulting, China, Inc.




----------------------
Hello,

Just a quick question on ForeScout ActiveScout as to
whether anyone out there has used/eval'd it.  I'm
working with a client that is using an old version
(2.7.x, I believe), is considering an upgrade, and I'm
not sure it's worth the time and effort.

They claim 100% accuracy which we all know is silly.

Their whole methodology is based on an attacker using
recon in advance of an attack, and on that recon
activity being detectable enough to start interfering
with it.

From what I can gather from ForeScout's literature and
the management console of the app itself, when it's
able to run at all (Java-based, slow as dirt), this
product sits on the outside of the perimeter and looks
for suspicious traffic via a span session.  When it
detects scans or similar recon activity, it can both
send back spurious information to the source IP and
update a firewall to block it.  It seems to track
attacking IPs based on the spurious info it already
fed them.

Also, this version doesn't seem to track SMTP and DNS,
two of the most oft-attacked protocols out there.

Having run one or two firewalls and NIDS setups
myself, I'm not clear on the benefit of this beast
compared to either inline IPS or IDS plus firewall
blocking (or a firewall and patched servers, while I'm
going that way).

Stupid question - if my perimeter devices, including
DMZ servers, are patched, why the heck would I want to
send back _any_ data to an attacker?  I guess if your
servers weren't patchable for some reason, maybe you'd
want to fake that they really are.  Um, okay.
Probably better ways to handle that.  I would think
that if my perimeter is properly locked-down, I'm
quite happy for an attacker to scan it and figure that
out for themselves - assuming they get much of a scan
past IPS/IDS/firewall.

What am I missing?  Thanks for the feedback.

Brent Stackhouse, GSEC/GCIH, etc.
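The mechanism the original post describes (detect a scan on the span port, answer probes to historically vulnerable ports with spurious "open" responses, then recognise a source by its later use of that fake information) can be modelled in a few dozen lines. The block below is an added example written for this archive page; it is not code from the thread and not ForeScout's implementation, thresholds or data. The real-service set, the decoy ports, the five-distinct-ports-in-sixty-seconds recon threshold, and the sample traffic are all assumptions constructed for the illustration. It also reproduces the effect noted in the reply above: a plain TCP scan of a network with only HTTP, DNS and SMTP open comes back reporting NetBIOS, SMB and SunRPC as open too.

```python
"""Toy model of a recon-deception sensor: detect a port sweep, answer probes to
decoy ports with fake 'open' responses, and remember which sources were lied to
so that a later connection to a decoy port identifies them as attackers.
Constructed illustration; not ForeScout's logic, thresholds or data."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed network: only HTTP, DNS and SMTP really listen behind the firewall.
REAL_PORTS = {80, 53, 25}
# Assumed decoys: historically vulnerable services the sensor pretends are open
# (NetBIOS, SMB, SunRPC portmapper). Nothing actually listens on them.
DECOY_PORTS = {139, 445, 111}


@dataclass(frozen=True)
class Probe:
    src: str    # source IP of the TCP SYN as seen on the span port
    dport: int  # destination port
    ts: float   # arrival time in seconds


class DeceptionTracker:
    """Decides, per SYN, whether to ignore it, answer with a fake SYN/ACK
    ('decoy') or treat the source as a confirmed attacker ('block')."""

    def __init__(self, real_ports, decoy_ports, scan_threshold=5, window=60.0):
        self.real_ports = set(real_ports)
        self.decoy_ports = set(decoy_ports)
        self.scan_threshold = scan_threshold  # distinct ports before it is 'recon'
        self.window = window                  # seconds over which ports are counted
        self._seen = defaultdict(dict)        # src -> {dport: last ts}
        self._marked = defaultdict(set)       # src -> decoy ports it was told were open
        self.alerts = []                      # (src, dport, ts) of confirmed attackers

    def handle(self, probe):
        """Classify one SYN; returns 'pass', 'decoy' or 'block'."""
        src, port, now = probe.src, probe.dport, probe.ts
        # A source coming back to a port it was shown as open has acted on the
        # fake information, which is the only evidence of intent this model uses.
        if port in self._marked[src]:
            self.alerts.append((src, port, now))
            return "block"
        self._seen[src][port] = now
        recent = [p for p, t in self._seen[src].items() if now - t <= self.window]
        # Only a source that has touched enough distinct ports in the window is
        # treated as recon; until then decoy-port SYNs are simply left unanswered,
        # so a single stray SYN to 139 gets nothing back.
        if port in self.decoy_ports and len(recent) >= self.scan_threshold:
            self._marked[src].add(port)
            return "decoy"
        return "pass"

    def marked_ports(self, src):
        return set(self._marked[src])


def run_scan(tracker, probes):
    """Feed a sequence of SYNs through the sensor; returns (probe, action) pairs."""
    return [(p, tracker.handle(p)) for p in probes]


def apparent_open_ports(tracker, results):
    """What the scanner concludes is open: real services that answered for
    themselves plus decoy ports the sensor answered on their behalf."""
    return {p.dport for p, action in results
            if action == "decoy" or (action == "pass" and p.dport in tracker.real_ports)}


def demo():
    tracker = DeceptionTracker(REAL_PORTS, DECOY_PORTS, scan_threshold=5, window=60.0)
    # Constructed traffic: one host sweeps nine ports a second apart.
    sweep = [Probe("203.0.113.7", port, float(i))
             for i, port in enumerate([21, 22, 23, 25, 53, 80, 111, 139, 445])]
    results = run_scan(tracker, sweep)
    scanner_sees = apparent_open_ports(tracker, results)
    # Five minutes later the same host connects to the 'open' NetBIOS port it was shown.
    follow_up = tracker.handle(Probe("203.0.113.7", 139, 300.0))
    # An ordinary client fetching a web page is never answered by the sensor.
    client = tracker.handle(Probe("198.51.100.4", 80, 301.0))
    return {
        "scanner_sees": scanner_sees,       # {25, 53, 80, 111, 139, 445}
        "follow_up": follow_up,             # 'block'
        "client": client,                   # 'pass'
        "alerts": list(tracker.alerts),     # [('203.0.113.7', 139, 300.0)]
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the model makes visible. First, the decision of what is "interesting" is nothing more than the distinct-port threshold: below it the sensor stays silent, above it every decoy-port SYN gets a fake answer, and a retransmitted SYN inside the same sweep would already be counted as the attacker "coming back". Second, because only decoy-port traffic is ever marked, anything the scanner subsequently does against the real HTTP, DNS or SMTP services is invisible to this logic, which is the narrow-scope weakness raised in the quoted reply.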




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------