Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: What's on your network? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What's on your network?

I was looking though my Spam folder this evening to see if there was anything interesting in there.  Of course I found some of your "standard" phishing attempts that we have come to accept as "normal".  While looking at these I got to thinking about how some of them, just from viewing the email (if using html like many do), would serve you content pulled from websites you never clicked on.  In essence, unsolicited requests, would be leaving your network.  This led me to think about software that "phones home" and I realized it had been a while since I had heard about any. 

I thought I must be missing something, but sure enough my Google search turned up empty for anything in the last few months.  So now the real question comes to my mind.  Is that because there is nothing "phoning home" or is it because our networks are so large with so much traffic that no one knows what is on their network anymore?  I subscribe more toward the latter. I think majority of people (and their management) feel there is simply not enough time to figure out what all the traffic really is and they have tools to automate things so they don't have to know cause the tools do it all for them.

This really concerns me because software products are being released constantly.  How much testing really goes on for them?  How much hidden functionality really exists?  How do you know if your software is doing what it should do?  Egress filtering is more important than ever to securing your network.   Too often you find people know enough to get the software up and running but that is about it. 

So I have a couple questions I'd like to get feedback on:

  • Is there no software phoning home anymore or are we just missing it?
  • What steps do you take to ensure the software on your network is only talking to and doing what its documented to do?

 

Lorna

165 Posts
ISC Handler
One of the first things we have done a few years ago, was a mass review of the users privileges in their workstations. This way we have locked (in a technological way) the admin rights, at the same time we published a corporative policy about minimal rights in logical access.
Once we achieve this goal, we focused in the applications:
1. which is the business case that justify their use?
2. what they do?
3. what privileges they need to work? what network traffic must be enable?

Meanwhile we are on this tasks, we made some arrangements in the previous policy about software utilization, by adding a corporative restriction and an approval workflow to allow any application or new software (including operative systems).
vmforno

8 Posts
One way of discovering which software is phoning home is to examine the User Agent field of outgoing http connections leaving your network, this info can be got from examining your proxy logs or sniffing the http headers of connections leaving your network. Once you ignore the IE and Firefoxs entries you will find a mine of information.
Mark McDonagh, NetFort Tech
vmforno
1 Posts
Start looking at your logs. One place I know has Checkpoint firewalls. For other purposes, they generate hourly extracts of the logs that have one entry per source IP, destination IP, and destination port that was done that hour. I wrote a script that went through two weeks of these extracts and counted how many times each sequence happened. Typically you will see a whole bunch of stuff that is active almost every hour of every day for the time period, and then little, and then everything else. Start looking up source and destination IP and start contacting people.

Here are a few of what I found:
- People configured goto meeting on their pc's because the firm provided SecurID card was just too heavy for them to carry.
- A printer was contacting the vendor. Someone left the remote diagnostics enabled on a printer.
- One of our air conditioners was contacting the vendor. No one knew until I started asking.
- MS remote desktop protocol is not allowed out. But SSL is, so someone moved RDP to port 443.
- Skype: they like running on port 443. Nmap is pretty good at identifying the protocol.

So far I have not found any malware using this technique. But plenty of compliance issues. Your milage will vary.

Kenneth

11 Posts

Sign Up for Free or Log In to start participating in the conversation!