
Tenable Blog


Being the Caveman - Tenable Style

After reading Richard Bejtlich's "Be the Caveman" blog post about the convicted hacker Robert Moore, I felt it would be interesting to show how unifying vulnerability monitoring, configuration auditing, passive network discovery and log analysis helps organizations detect intruders. This blog post focuses on the techniques mentioned by Moore and Bejtlich, and how tools like Nessus and the Security Center can make this easy to do for any size organization.

Testing for Default and Weak Passwords

During his interview, Moore was quoted as saying that default and common passwords were in use on most of the networks they penetrated.

Both Nessus and the Passive Vulnerability Scanner (PVS) identify network services such as Telnet, Secure Shell and web-based administration interfaces. Nessus can scan these services for a variety of vulnerabilities, including default passwords. Nessus also includes the ability to run the Hydra password-guessing program, which performs brute-force password guessing against many different types of applications. Both Nessus and the PVS also identify web-based services that don't use encryption for passwords. And lastly, Nessus Direct Feed or Security Center users can audit UNIX and Windows OSes for basic password policies such as minimum length and how often passwords must be changed.
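To show what the password-policy audit described above looks like in practice, here is an added example (not Tenable or Nessus code) that parses the numeric settings of a UNIX `/etc/login.defs` file and checks them against a baseline. The `login.defs` content is constructed, and the thresholds (minimum length 12, maximum age 90 days) are assumptions rather than values from any Nessus audit file.

```python
"""Audit a UNIX login.defs password policy against a minimum baseline.

Added example, not Tenable code. The thresholds in POLICY are assumptions,
not values taken from a Nessus audit file.
"""
import re

# Constructed sample of /etc/login.defs content (not from a real host).
SAMPLE_LOGIN_DEFS = """
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Assumed baseline: at least 12 characters, rotated at least every 90 days.
POLICY = {"PASS_MIN_LEN": 12, "PASS_MAX_DAYS": 90}


def parse_login_defs(text):
    """Return a dict of KEY -> int for the numeric settings in login.defs."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^(\w+)\s+(\S+)$", line)
        if m and m.group(2).isdigit():
            settings[m.group(1)] = int(m.group(2))
    return settings


def audit_password_policy(settings, policy=POLICY):
    """Return (key, actual, required) findings that violate the policy.

    A missing key is reported as a finding (actual=None), since the audit
    cannot confirm the control is enforced elsewhere.
    """
    findings = []
    min_len = settings.get("PASS_MIN_LEN")
    if min_len is None or min_len < policy["PASS_MIN_LEN"]:
        findings.append(("PASS_MIN_LEN", min_len, policy["PASS_MIN_LEN"]))
    max_days = settings.get("PASS_MAX_DAYS")
    if max_days is None or max_days > policy["PASS_MAX_DAYS"]:
        findings.append(("PASS_MAX_DAYS", max_days, policy["PASS_MAX_DAYS"]))
    return findings


if __name__ == "__main__":
    for key, actual, required in audit_password_policy(parse_login_defs(SAMPLE_LOGIN_DEFS)):
        print(f"FAIL {key}: found {actual}, policy requires {required}")
```

Run against the constructed sample, the audit reports both settings as failing: a 5-character minimum and a 99999-day maximum age are the kind of weak defaults a periodic credentialed audit is meant to surface before an attacker does.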

Performing this type of analysis on a periodic basis will help identify which services may be vulnerable to remote attack and which systems have been configured incorrectly. If this type of analysis and monitoring had been performed on the networks attacked by Moore, he would not have been able to gain access with simple password attacks. If your organization has external, Internet-reachable devices, they are likely being probed right now for weak and default passwords.

Auditing Routers and Switches

Many of the targets that Moore exploited were also routers and switches. Both Nessus and the PVS can be used to audit vulnerabilities and misconfigurations in a wide variety of routers and switches.

For example, the Nessus vulnerability scanner has an entire family dedicated to Cisco device checks. Many of these can be performed without credentials and some can take advantage of the SNMP management protocol. Tenable has also produced Nessus checks for non-Cisco network vendors including 3Com, Alcatel, Nortel, Avaya and others.

Passively, the PVS can monitor network traffic to detect a wide variety of routers and switches, and analyze the packets going to and from these devices to see if any known vulnerabilities are present.

Both Nessus and the PVS also identify basic routing services and protocols such as BGP, RIP and OSPF. Nessus and the PVS can also identify SIP enabled devices for Voice Over IP applications.

Having a clear picture of where a network's routers and switches are located and whether they are secure is a vital step in keeping remote hackers from obtaining access to these systems. Once again, if the organizations attacked by Moore had known where all of their routers were and whether they had any vulnerabilities, they could have monitored them for exploitation or attempted to mitigate any security issues.

Network and System Logging

When analyzing logs, we'd like to see many things, but if we were looking to identify Robert Moore's alleged activities, we'd want to be able to determine:

  • which routers and systems did NOT have logging or coverage
  • which devices had login failures from external sources
  • if there had been any suspicious changes in bandwidth or activity

As noted above, Nessus can be used to audit the configuration of a remote system, which includes checking whether logging is enabled. If Nessus is unable to obtain this type of information, logs can still be analyzed on an asset basis. Below is an image of all log events by asset type:

[Image: Security Center view of log events by asset type]

This view comes from the Security Center managing a Log Correlation Engine (LCE). The default view encompasses all log sources, such as netflow, syslog, Windows events and IDS events. The view above shows a complete lack of any type of log for an asset group known as 'Switch'. This could indicate that logs from this group of systems are not available, that the switches aren't configured to generate them, or that no IDS or firewall is in place to see attacks against the switching infrastructure.

Looking at your log sources by asset group with the Security Center enables quick determination of which logs exist (or don't) for different types of network and system events. This same query could be extended to show logins and login failures across all asset groups. Not seeing any login, logout or login-failure events for an asset group is a good way to recognize that you don't have any useful logs for a critical asset.

Presence and coverage can include actual logs from the monitored devices, but also implicit logs from network IDSes and firewalls. For example, being able to view all of your IDS logs across each asset group (including the 'Network' assets) can indicate whether any events are occurring against those assets.

Robert Moore also performed basic default-account exploitation. It's difficult to say exactly what this would look like without more details, but surely there would be at least one successful login event. It's also possible that this login event was preceded by login-failure events. Tenable has four TASL correlation scripts for the Log Correlation Engine (LCE) to look for intruders like Moore. They all subscribe to generic network login and login-failure events from many types of sources, such as VNC, Windows systems, SSH logins, and routers and switches.
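The three questions posed at the start of this section (which asset groups have no log coverage, which devices saw login failures from external sources, and whether a successful login was preceded by failures) can be answered with a few lines of correlation logic over normalized events. The following is an added example, not LCE or TASL code: the asset groups, addresses, "internal" network range, event records and the failure-count and time-window thresholds are all constructed for illustration.

```python
"""Asset-group log coverage and login-failure/success correlation.

Added example, not Tenable LCE/TASL code. Asset groups, addresses,
the internal network definition and the events are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed asset groups (hypothetical addresses).
ASSET_GROUPS = {
    "Router": ["10.0.0.1", "10.0.0.2"],
    "Switch": ["10.0.1.1"],
    "VoIP":   ["10.0.2.10"],
}
# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed normalized events: (timestamp_seconds, src_ip, dst_ip, event_type).
EVENTS = [
    (100, "203.0.113.7", "10.0.0.1",  "login-failure"),
    (101, "203.0.113.7", "10.0.0.1",  "login-failure"),
    (102, "203.0.113.7", "10.0.0.1",  "login-failure"),
    (103, "203.0.113.7", "10.0.0.1",  "login"),
    (200, "10.0.5.5",    "10.0.2.10", "login"),
    (201, "10.0.5.5",    "10.0.2.10", "logout"),
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def group_of(ip):
    """Return the asset-group name that contains ip, or None."""
    for name, members in ASSET_GROUPS.items():
        if ip in members:
            return name
    return None


def coverage_by_group(events, groups=ASSET_GROUPS):
    """Count events per asset group; zero means no log coverage at all."""
    counts = {name: 0 for name in groups}
    for _, _, dst, _ in events:
        g = group_of(dst)
        if g is not None:
            counts[g] += 1
    return counts


def groups_without_logs(events, groups=ASSET_GROUPS):
    return sorted(g for g, n in coverage_by_group(events, groups).items() if n == 0)


def external_login_failures(events):
    """Return (src, dst) pairs for login failures originating outside INTERNAL_NETS."""
    return [(s, d) for _, s, d, t in events if t == "login-failure" and is_external(s)]


def success_after_failures(events, min_failures=2, window=60):
    """Flag a successful login that follows at least min_failures failures
    from the same source to the same destination within `window` seconds.
    Returns (src, dst, failure_count, login_timestamp) tuples."""
    failures = defaultdict(list)   # (src, dst) -> timestamps of recent failures
    hits = []
    for ts, src, dst, etype in sorted(events):
        key = (src, dst)
        if etype == "login-failure":
            failures[key].append(ts)
        elif etype == "login":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.append((src, dst, len(recent), ts))
            failures[key] = []     # a success resets the failure chain
    return hits


if __name__ == "__main__":
    print("no logs:", groups_without_logs(EVENTS))
    print("external failures:", external_login_failures(EVENTS))
    print("success after failures:", success_after_failures(EVENTS))
```

On the constructed data the 'Switch' group produces no events at all, which is the coverage gap the screenshot above illustrates; the router sees three external failures followed by a success, which is exactly the pattern the login and login-failure correlation is designed to surface.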

And lastly, monitoring general activity for any type of change is useful not only for finding remote hackers, but also for understanding the mechanisms of your network. Keep in mind that during his interview, Moore said he targeted corporate networks with "lots of traffic" because it was less likely they would notice a few additional calls. Organizations that only monitor the total aggregate amount of network bandwidth, IDS events, firewall logs and so on will miss the fact that a resource doubled its log output or had IDS events where there were none before. Tenable approaches this type of analysis with three different techniques.

First, for any type of log source (netflow, syslog, firewalls, etc.), these logs can be analyzed by a human for trends. This process is very fast: users can analyze billions of log events with several clicks of the web interface and instantly see trends, ports used, and the systems and assets involved. Second, regardless of log type, the LCE can alert when any host performs a "new" type of event that has Never Been Seen before, and also when the overall amount of activity or number of unique events from that host is statistically significant. And third, both the LCE and PVS can detect and make sense of system changes in real time.

In the case of Robert Moore, it is very likely that as he compromised routers and VoIP applications he made changes to them and also increased their workload. Both activities would likely have been alerted on by log analysis as well as by network monitoring.
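The second technique above, alerting on a per-host event type that has never been seen before and on a host whose activity volume changes sharply, is easy to misjudge if you only watch aggregate totals. The following added example (not the LCE's actual algorithm) profiles each host in a baseline window and a current window: a simple "at least double the baseline" rule stands in for the LCE's statistical test, the event records are constructed, and a VoIP host whose call volume grows while a router starts emitting a new event type are the constructed signals.

```python
"""Per-host 'never before seen' event types and activity-volume alerts.

Added example, not Tenable LCE code. The baseline and current windows are
constructed; the doubling rule in activity_spikes is an assumption standing
in for a real statistical test.
"""
from collections import Counter, defaultdict

# Constructed events: (host, event_type), one tuple per logged event.
BASELINE = (
    [("10.0.0.1", "login")] * 10
    + [("10.0.0.1", "config-read")] * 40
    + [("10.0.2.10", "sip-register")] * 100
)
CURRENT = (
    [("10.0.0.1", "login")] * 12
    + [("10.0.0.1", "config-read")] * 40
    + [("10.0.0.1", "config-write")] * 3        # never seen on this router before
    + [("10.0.2.10", "sip-register")] * 100
    + [("10.0.2.10", "sip-invite")] * 150       # new type and a volume jump
)


def profile(events):
    """Return (per-host event-type counts, per-host totals)."""
    by_type = defaultdict(Counter)
    totals = Counter()
    for host, etype in events:
        by_type[host][etype] += 1
        totals[host] += 1
    return by_type, totals


def never_seen_before(baseline, current):
    """(host, event_type, count) for event types absent from that host's baseline.
    A host with no baseline at all reports every current type as new."""
    base_types, _ = profile(baseline)
    cur_types, _ = profile(current)
    alerts = []
    for host, types in cur_types.items():
        for etype, n in types.items():
            if etype not in base_types.get(host, {}):
                alerts.append((host, etype, n))
    return sorted(alerts)


def activity_spikes(baseline, current, factor=2.0):
    """(host, baseline_total, current_total) for hosts whose total activity
    grew by at least `factor`, or that had no baseline activity at all."""
    _, base_tot = profile(baseline)
    _, cur_tot = profile(current)
    spikes = []
    for host, n in cur_tot.items():
        b = base_tot.get(host, 0)
        if b == 0 or n / b >= factor:
            spikes.append((host, b, n))
    return sorted(spikes)


if __name__ == "__main__":
    print("new event types:", never_seen_before(BASELINE, CURRENT))
    print("activity spikes:", activity_spikes(BASELINE, CURRENT))
```

Note what the aggregate view hides: total events across both hosts rise from 150 to 305, which a single bandwidth or log-volume graph might shrug off, while the per-host profile pins the growth on one VoIP host and separately flags a configuration write on a router that had only ever been read from.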

Passive Network Monitoring

And, almost as a parting shot, Richard makes a final comment in his blog entry about using passive network monitoring to discover hosts if active scanning is politically unacceptable.

Tenable has offered the Passive Vulnerability Scanner product for more than four years. It finds new systems, new hosts, new applications and the vulnerabilities associated with the corresponding clients and servers 24x7 by watching a network tap or spanned port.

We see it as a great complement for an organization that performs vulnerability scanning without credentials. And even if an organization does scan with credentials, there are still many targets that might not support remote logins, active scans might not occur that often, and if a new host or network is added without telling the audit team, it might never be scanned.

In the case of Robert Moore, the Passive Vulnerability Scanner would have been able to identify all externally facing systems, SIP/VoIP applications and routers, determine which ones had exploitable or critical vulnerabilities, and also which ones connected to the Internet as well as to each other. And even if these systems had never raised an alert in the past because they had never been scanned, the PVS would have provided relevant data as soon as it saw their traffic and identified them as "new" resources.

In addition to the PVS, the Log Correlation Engine can also be used to watch all network traffic passively. This can be accomplished through a netflow agent, through a direct network sniffing agent or even through firewall logs that log all 'accept', 'permit' or 'allow' connections.
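To make the passive-discovery idea from the last three paragraphs concrete, here is an added example (not PVS or LCE code) that builds an inventory from firewall 'accept' records alone: it lists the internal servers and ports that were actually reached, marks which of them are not in a known-asset list (the "new" resources), and records for each internal host whether it accepted connections from the Internet, connected out to it, or only talked to internal peers. The log format, addresses and internal range are constructed and hypothetical, not any vendor's syntax.

```python
"""Passive host/service discovery from firewall 'accept' log lines.

Added example, not Tenable PVS or LCE code. The key=value log format,
the addresses and the internal network range are constructed assumptions.
"""
import ipaddress
import re

# Assumed internal address space.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed firewall records in a hypothetical key=value format.
FIREWALL_LOG = """\
action=accept src=10.0.5.5 dst=10.0.2.10 dport=5060 proto=udp
action=accept src=10.0.5.5 dst=10.0.2.10 dport=5060 proto=udp
action=accept src=203.0.113.7 dst=10.0.0.1 dport=23 proto=tcp
action=accept src=10.0.0.1 dst=198.51.100.9 dport=443 proto=tcp
action=drop src=203.0.113.9 dst=10.0.1.1 dport=22 proto=tcp
"""

LINE_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def parse_accepts(text):
    """Yield (src, dst, dport, proto) for connections the firewall allowed.
    Dropped or malformed lines are ignored: only permitted traffic tells us
    a service is really reachable."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in ("accept", "permit", "allow"):
            yield m.group(2), m.group(3), int(m.group(4)), m.group(5)


def discover_services(text, known=frozenset()):
    """Return (all internal (ip, port, proto) servers observed,
    the subset not present in `known`, i.e. the 'new' resources)."""
    seen = set()
    for _, dst, dport, proto in parse_accepts(text):
        if ipaddress.ip_address(dst) in INTERNAL:
            seen.add((dst, dport, proto))
    return seen, seen - set(known)


def internet_exposure(text):
    """Map each internal host to the set of relationships observed:
    'inbound-from-internet', 'outbound-to-internet' and/or 'internal-peer'."""
    exposure = {}
    for src, dst, _, _ in parse_accepts(text):
        s_int = ipaddress.ip_address(src) in INTERNAL
        d_int = ipaddress.ip_address(dst) in INTERNAL
        if d_int and not s_int:
            exposure.setdefault(dst, set()).add("inbound-from-internet")
        if s_int and not d_int:
            exposure.setdefault(src, set()).add("outbound-to-internet")
        if s_int and d_int:
            exposure.setdefault(src, set()).add("internal-peer")
            exposure.setdefault(dst, set()).add("internal-peer")
    return exposure


if __name__ == "__main__":
    known_assets = {("10.0.2.10", 5060, "udp")}
    seen, new = discover_services(FIREWALL_LOG, known_assets)
    print("services seen:", sorted(seen))
    print("new services:", sorted(new))
    for host, rels in sorted(internet_exposure(FIREWALL_LOG).items()):
        print(host, sorted(rels))
```

With the constructed records, the Telnet service on the router is reported as a new resource that nobody registered with the audit team, and the same router is the only internal host that both accepted an inbound Internet connection and made an outbound one. The switch appears nowhere because its only traffic was dropped, which is the same coverage question the logging section raised: absence from a passive inventory can mean "not there" or "not observed".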

Conclusion

For whatever reason, the organizations compromised by Robert Moore were exploited with relatively simple techniques. If these organizations had any notion of vulnerabilities or intrusions they did not act on them. Tenable's approach to unifying security monitoring makes it easier for any size organization to understand their risk while at the same time monitoring their network for abuse and compromise.
