The idea of this article popped in my mind after a colleague of mine asked me to investigate a security incident. Nothing brand new, a customer’s server not properly patched and secured was pwned. I found that the server was hit by the JBoss worm which started to spread in October 2010. Then the server started to scan for other victims, etc. Why was the server not patched and why it was able to access Internet directly, I don’t know. I won’t start a new debate here. I just would like to insist on the ways (read: tools) that can be used to detect such incident at the right time.
When I started my investigations, I had a limited number of data sources: The firewall logs and a network monitoring appliance. No log management solution and the server was turned off “to avoid more problems” (OMG!). The firewall logs gave me of course some relevant information but what about the network monitoring appliance? This is the same kind of appliance that I’m using during the BruCON conference to keep an eye on the visitors traffic. Very nice statistics can be generated. Basically, this appliance performs three tasks:
- Collection of all network flows + statistics (like Netflow)
- IDS (packets are analyzed via a built-in Snort)
- Web categorization
My investigations continued on this appliance and, as you can imagine, I found a multitude of evidences:
- Snort alerts (IRC traffic, id, wget, root alerts)
- Unusual traffic from servers to the Internet
- Suspicious web sites (domains & categories)
By having a look at the information reported by the appliance, the customer could at an early stage (even in real-time!) be alerted of the attack. But those features were simply… not used! The appliance was installed to monitor the network performances, that’s it! But it could do much more!
That’s an effect of the “Microsoft Syndrome“! What is this? I found a good definition on computerworld.com:
“There are several symptoms. One is when a tech company becomes so successful in a market and grows so quickly that it overlooks potential new markets. Another is when a tech company gets so large that it becomes increasingly difficult for it to innovate.“
From my point of view, I would like to extend this definition on the technical aspect of IT products:
“Another symptom is when a software becomes so complex that you only use a few percentage of its features and forgot or don’t know how to use the others.“
A typical example is Microsoft Word. I’m a Word user but, honestly, I must use 10% of all the features! Sometimes, I’m working on RFP which go very deep in the feature requirements and, finally, most of them will remain unused or unimplemented.
I think it’s time to remind the principle of “more with less“. Implementing security solutions is very expensive and budgets are often frozen or reduced. If you put some (lot of) bucks into a solution, be sure to use it at 100%! Read the manuals (you know, “RTFM!”), follow trainings, invest some time! Sometimes, cool features could be used for other purposes and increase the ROI! This reflexion goes in the same direction as one of my previous article about implementing security controls using Nagios.