02 January, 2006

Mining in a corporate environment

Mining in a corporate environment
Kevin Johnson
Author: Kevin Johnson

We have a virus attack! Words that will stop any security professional in their tracks. Even with strict security policies and procedures around patch and anti-virus management, virii are still a major threat. Everyday new virii and variations of old favorites are released into the wild and our networks. A single host, not under our control, being plugged in or a user that shutdowns their anti-virus software for that little extra performance are a couple of the potential entry points. And even more of the virii are coming in through bugs in the browsers we use to surf the web. So what do we do?

Well, as most of us have been taught; “Prevention is ideal, detection is required!” While patches and anti-virus programs may be the prevention methods we choose, they aren’t perfect. And when, not if, they fail and we have a particularly nasty bug running loose through our network, we need to see where it is as soon as possible.

So how do we accomplish this, at minimal cost, while recognizing that our network of responsibility may spread around the globe? We believe that the solution is what are called “canary hosts”. If we take a trick from the history of mining, where they would take a canary down in the mine with them. If it died, they knew they needed to get out of there! To model our solution on this, we deploy a stream-lined, small footprint Snort system to client machines around the network. As a virus attack initially launches, the canary machines will see the attacks and alert to our central reporting server. This enables the incident response team to immediately identify where the virus has originated within the network. Thus enabling the team to contain the virus sooner than normal detection methods. Regular post-incident handling can then be used to recover the infected machines.

The setup of the canary hosts is optimized to be able to run on client machines already deployed throughout the company, without impacting the performance to the end user. This allows us to save money in comparison to using various IDS appliances. Snort is used because of its cost, ease of use and ability to run on practically every platform imaginable.

The rules running on the hosts are optimized to try and minimize false positives while preventing false negatives. The rules are setup to focus on incoming connections, since most workstations do not offer services to be used by other workstations. We also are able to turn off most of the rules relating to servers and public services. The rules are loaded from a central network share along with the actual Snort configuration. This allows us to control the rules and configuration in one location and any changes are picked up on the next restart of the workstation.

Using this system in a controlled deployment, your incident response team will be better prepared to contain any malicious code loose in your network. When your system alerts that a host has detected attack behavior, you will be able to quickly isolate the problem before major parts of your network is affected.

Join the professionally evil newsletter

Related Resources