Lessons From a Honeynet That Attracted 700,000 Attacks

Over the 5 year lifetime of the IrishHoneynet, we have witnessed hundreds of thousands of scans, probes and attacks against the servers that comprise the network. Our estimation is that given an average of 3,000 attack attempts a week, each server has seen more than 700,000 compromise attempts over the 5 years. Taken at face value, this is a remarkable figure.

The attacks have been thick and steady, and the relentless hackers appear hell bent on taking control of as many vulnerable systems as possible. This article will focus on providing some basic guidelines that will serve to assist you in conducting your own vulnerability management and performing scans against your own systems and networks, in the hope that you will identify and remedy any serious vulnerabilities and bugs in advance of the unyielding hackers, ultimately resulting in computer systems that are secure and protected.

Remediation of network vulnerabilities is something to consider, ideally before hackers exploit the weaknesses! Effective remediation entails continuous processes that together have become known as Vulnerability Management. Vulnerability management can assist organisations efficiently find and fix network security vulnerabilities. Systematic use of these processes protects business systems from ever more frequent viruses, worms and other network-borne attacks. The process of vulnerability management goes far beyond the traditional vulnerability scanning efforts, and generally involves a number of well-defined and structured steps, carried out on a continuous basis over time.

The Continuous Processes of Vulnerability Management

  • Create security policies & controls
  • Track inventory / categorize assets
  • Scan systems for vulnerabilities
  • Compare vulnerabilities against inventory
  • Classify risks
  • Pre-test patches
  • Apply patches
  • Re-scan and confirm fixes

Like it or not, there are five to twenty bugs in every thousand lines of software code, according to the National Institute of Standards and Technology. It’s a problem that will not vanish in the foreseeable future so dealing with it is the only practical option. Systematic use of vulnerability management processes is taking a step in the right direction. It ultimately will help keep you out of reactive mode and safe from those mean spirited attackers!

Everything starts with a policy
Policy management is critical. Enterprise policies start at the top of an organisation and require executive oversight. Policies determine the nature of controls used to ensure security, such as standard configurations for all security devices and applications including antivirus, firewall and intrusion prevention. Policies and controls also should include servers, network services, applications and ens-user PCs. In the past, policy management was a manual, cumbersome process. New software tools can automate some aspects of policy management and enforce configurations on endpoint devices. Automation saves time, improves accuracy and lowers total cost of ownership.

It is only possible to secure what you know you have. You need to find vulnerabilities before you can fix them. Creating and maintaining a current database of all IP devices attached to the network is an absolute must. It is also useful to categorise assets by business value to prioritise vulnerability remediation. An accurate inventory ensures that you select and apply the correct patches during the remediation phase. Discovering devices, software and services and tracking this inventory can be done manually. However, it is possible to automate the entire discovery and tracking inventory process with automated scanning software tools.

Vulnerability Scanning
A vulnerability scan tests the effectiveness of security policy and controls by examining the network infrastructure for vulnerabilities. The scanning process will systematically test and analyse IP devices, services and applications against known security holes. There are many software tools available that will perform vulnerability scanning. Some are open-source and freely downloadable, such as the Nessus public domain scanner. Other commercial solutions such as the Qualysguard web-based solution does the scans for you over the Internet and provides more comprehensive reporting functionality that you would expect from a commercial vendor. Another advantage to a commercial service is being always up-to-date with the most recent vulnerabilities. Similar to anti-virus technology, you are only as good as the most recent database.

Classify the Risk. It is practically impossible to fix everything at once. Most scanners will rank vulnerabilities helping you to determine what to fix first. Microsoft, for example, publishes four categories of risk: Critical, Important, Moderate and Low with corresponding rates of remediation.

Software always has and always will have bugs, so it is prudent to pre-test patches before applying them to live systems. Some faulty patches have crashed business processes. Most problems with patches are due to third-party applications or modifications to default configuration settings. It is also important to verify cryptographic checksums, Pretty Good Privacy signatures and digital certificate to confirm patch authenticity.

Fixing security problems is the result of vulnerability management. Traditional manual processes for applying patches and other remediation are slow and expensive. Sometimes the high cost of patching coupled with the high volume of patches released by vendors encourages organisations to delay remediation. Organisations may delay updates – even for critical patches – until multiple patches or service packs are available, or until arrival of a regular monthly, quarterly or annual update process. Unfortunately, delay can be a fatal strategy so it’s important to remediate vulnerabilities as quickly as possible. Automated patch management and software distribution solutions can help speed this process and keep costs to a minimum. After application of a patch or remediation process, organisations should rescan IP-connected assets to ensure that the fix worked and that it does not cause other network devices, services or applications to malfunction. Verification of fixes with resulting scan reports provides documentation for compliance with security provisions of laws and regulations such as PCI and Sarbanes-Oxley.

The bottom line is that Vulnerability Management is a valuable pro-active tool in your protection arsenal. It is only by taking pro-active steps, and ultimately getting there before it is too late, that you can confidently thwart the determined efforts of the few bully-boy attackers who relentlessly flood our networks with their malicious payloads.