Wednesday, March 7, 2007

February Catch Up

Here's some random stuff I've been meaning to post up here as follow-ups to posts from February. I've been pretty busy with work and am late on these. Sorry.

Python code: I've improved on my first Python program by adding support for a whitelist file of regular expressions. This makes it easy to isolate the hostnames you don't recognize without knowing in advance what they are. In case you're wondering, doing fast PTR record lookups across your DHCP ranges and looking for names you don't know about is the poor man's NAC (oh, you thought EAP was the poor man's NAC?). Most Windows machines register their FQDN through Windows DHCP/DNS dynamic updates, which makes them findable with reverse DNS lookups. Use the whitelist to exclude the stuff you already know about, like 'myinternaldomain\.local' (escape the dots, since the entries are regexes). Link here.
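Here is an added example of the sweep described above, in Python. It is not the script the post links to; it is a reimplementation of the same idea. It assumes a whitelist file with one regular expression per line, compared case-insensitively against the PTR name. Two details worth copying: hosts with no PTR record at all are reported, not skipped (a box that never registered in DNS is exactly the kind of thing you want to find), and the resolver is injectable, so the constructed SAMPLE_PTR table below lets the logic run offline.

```python
"""Reverse-DNS sweep of a DHCP range with a regex whitelist.

Added example, not the script linked from the post. Assumptions: the
whitelist is a text file of one regex per line ('#' lines are comments),
and any name matching a pattern is "known" and dropped from the report.
"""
import ipaddress
import re
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed sample PTR data for running offline; not real hosts.
SAMPLE_PTR = {
    "10.1.2.5": "ws0042.myinternaldomain.local",
    "10.1.2.9": "PRINTER-7.MyInternalDomain.local",
    "10.1.2.12": "rogue-laptop.home",
}


def load_whitelist(lines):
    """Compile one case-insensitive regex per non-empty, non-comment line."""
    patterns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def ptr_lookup(ip):
    """Return the PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def sweep(cidr, whitelist, resolver=ptr_lookup, workers=32):
    """Look up every host in cidr in parallel; return [(ip, name)] for the
    hosts that are NOT whitelisted. name is None when no PTR exists."""
    net = ipaddress.ip_network(cidr, strict=False)
    ips = [str(h) for h in net.hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = list(pool.map(resolver, ips))
    unknown = []
    for ip, name in zip(ips, names):
        if name is not None and any(p.search(name) for p in whitelist):
            continue  # matches something we already know about
        unknown.append((ip, name))
    return unknown


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real run: python sweep.py 10.1.2.0/24 whitelist.txt
        with open(sys.argv[2]) as fh:
            wl = load_whitelist(fh)
        results = sweep(sys.argv[1], wl)
    else:
        # Offline demo against the constructed table above.
        wl = load_whitelist([r"\.myinternaldomain\.local$"])
        results = sweep("10.1.2.0/28", wl, resolver=SAMPLE_PTR.get)
    for ip, name in results:
        print("%-15s %s" % (ip, name or "<no PTR>"))
```

Run it against each DHCP scope on a schedule and diff the output from the previous run; new lines are the interesting ones. Anchor the whitelist patterns (`$`) so a name like `myinternaldomain.local.evil.example` does not slip through a loose match.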

Nepenthes and ops: In this post, I mention that Tim Crothers presented on an easy way to work honeypots into network security ops. And then I totally neglected to describe how that works. Just to be clear, this is Tim's idea, not mine. I'm reposting it without permission. Hopefully he's cool with that.

Step 1. Build a VMware image as close to your corporate workstation image as possible. Specifically, keep it at the same patch level and run the same anti-virus and other security software with the same signatures.
Step 2. Install Linux on some old computers, then install and configure Nepenthes on them.
Step 3. Deploy the Nepenthes boxes where they can collect malware: on a DSL/cable connection with no firewall, on a darknet, on a workstation network, or outside the corporate firewall.
Step 4. Regularly (or automatically) review nepenthes.log and check the binaries directory for captured malware.
Step 5. Carefully transfer the malware to the VM built in step 1, in a password-protected ZIP for example, so that AV on the transport path doesn't quarantine it on the way.
Step 6. Disconnect the VM from the corporate network (take a snapshot first so you can revert) and unleash the malware. See if your AV tools detect it. Use SysAnalyzer to see what it does.
Step 7. If AV doesn't detect it, send a sample to your AV vendor and ask for an emergency signature update. Deploy the update.
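The part of this that is worth scripting is steps 4 and 5: deciding which captures are new before anything is moved to the test VM. The following Python is an added example, not Tim Crothers' or this blog's tooling. It assumes the captures sit in one flat directory (Nepenthes names each capture after its MD5 hash, so a filename that doesn't match the content is a truncated or tampered capture) and that a known.txt file lists the MD5s of samples already detonated and sent to the vendor. The sample data in the test is constructed.

```python
"""Triage the Nepenthes binaries directory before anything goes near the test VM.

Added example for steps 4 and 5; not Tim Crothers' or the blog's tooling.
Assumptions: a flat capture directory (default path below is a guess at a
typical install, adjust it), files named by MD5, and a known.txt of MD5s
already handled, one per line.
"""
import hashlib
import os
import sys


def md5_hex(data):
    """MD5 as lowercase hex, the identifier AV vendors (and Nepenthes filenames) use."""
    return hashlib.md5(data).hexdigest()


def triage_samples(samples, known_hashes):
    """Return manifest entries for samples whose MD5 is not in known_hashes.

    samples: {filename: file bytes}. Each entry carries MD5 (for the vendor
    ticket), SHA-256 (for your own records), the size, whether the file is a
    PE ('MZ' header, i.e. worth detonating on the Windows VM), and whether the
    filename still matches the content hash.
    """
    manifest = []
    for name in sorted(samples):
        data = samples[name]
        md5 = md5_hex(data)
        if md5 in known_hashes:
            continue  # handled in an earlier run
        manifest.append({
            "file": name,
            "md5": md5,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "is_pe": data[:2] == b"MZ",
            "name_matches_md5": name.lower() == md5,
        })
    return manifest


def load_samples(binaries_dir):
    """Read every regular file in the capture directory into memory."""
    samples = {}
    for name in os.listdir(binaries_dir):
        path = os.path.join(binaries_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                samples[name] = fh.read()
    return samples


def load_known(path):
    """Read known.txt; a missing file means nothing has been handled yet."""
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return {line.strip().lower() for line in fh if line.strip()}


if __name__ == "__main__":
    # Usage: python triage.py /path/to/binaries known.txt
    binaries_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/nepenthes/binaries"
    known_file = sys.argv[2] if len(sys.argv) > 2 else "known.txt"
    for entry in triage_samples(load_samples(binaries_dir), load_known(known_file)):
        print("%(md5)s  %(sha256)s  %(size)8d  pe=%(is_pe)s  ok=%(name_matches_md5)s  %(file)s" % entry)
```

Once a sample has been through the VM and the vendor, append its MD5 to known.txt so the next run only reports genuinely new captures. The MD5 is also the first thing to search for on the vendor's site before opening a ticket; if they already detect it under that hash, your VM's signatures were simply stale.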

The thing I like about this is the simplicity of it. And being proactive on malware definitely won't hurt you. This stuff changes so fast it's difficult for AV vendors to keep up.
