In the heyday of mining it was common practice to take up to three canaries into the mineshaft to test the purity of the air. If any one bird showed signs of distress, it likely indicated that something was amiss and dangerous levels of carbon monoxide existed.
So what does this have to do with computer security? Well, given our experience with companies that were directly impacted by Operation Aurora, it has become clear that companies that have adopted the modern day “canary” were significantly better able to detect and respond to Aurora as well as the daily barrage of malware they encounter.
So what is this modern day canary? Essentially, the “canary” is a collection of dark network addresses within a company’s internal network. Savvy and security-conscious companies typically run Internet proxies to control access and monitor Internet activity. Legitimate Internet traffic routes through a unique network address that serves as a gateway for the environment behind the proxy. As a by-product of running a proxy, network routing tables can be configured with default routes that lead to a collection of dark addresses (unused addresses, much like empty houses in a neighborhood) that have no legitimate use other than to wait for illegitimate visitors.
While more sophisticated pieces of malware are proxy aware, injecting themselves into a legitimate browser process, many are not and will blindly try to connect directly out to the Internet. Because the default route sends that traffic to the dark addresses, these connection attempts can be monitored there and used as a way to quickly identify infected systems.
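A minimal detector for the canary approach described above, written as an added example (it is not code from the post or from McAfee); the proxy address, dark address block and flow records are constructed assumptions:

```python
import ipaddress
from collections import defaultdict

# Assumed layout (constructed for this example): the proxy is the only legitimate
# egress, and the default route for everything else lands on a "dark" sink block
# that no internal host should ever reach on its own.
PROXY_IP = ipaddress.ip_address("10.0.0.10")
DARK_NET = ipaddress.ip_network("10.255.0.0/16")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow records: (src, dst, proto, tcp_flags or None).
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.0.0.10", "tcp", "S"),       # normal: browser talks to the proxy
    ("10.1.2.3", "10.0.0.10", "tcp", "A"),
    ("10.1.2.77", "10.255.13.9", "tcp", "S"),    # direct connect attempt lands on the sink
    ("10.1.2.77", "10.255.13.9", "tcp", "S"),    # retry: another SYN, no handshake completes
    ("10.1.2.77", "10.255.200.4", "udp", None),  # UDP beacon to a second sink address
    ("10.1.9.50", "10.255.1.1", "tcp", "S"),     # single stray SYN from another host
]


def canary_hits(flows):
    """Group traffic that reached the dark block by internal source host.

    Only TCP SYNs and UDP datagrams are counted: without a responder on the
    sink, TCP never gets past the handshake, so a SYN is all a canary sees.
    """
    report = defaultdict(lambda: {"tcp_syn": 0, "udp": 0, "destinations": set()})
    for src, dst, proto, flags in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d not in DARK_NET or s not in INTERNAL:
            continue
        entry = report[src]
        entry["destinations"].add(dst)
        if proto == "tcp" and flags and "S" in flags and "A" not in flags:
            entry["tcp_syn"] += 1
        elif proto == "udp":
            entry["udp"] += 1
    return dict(report)


def infected_candidates(flows, min_attempts=2):
    """Return (host, attempts, distinct_sink_targets) for hosts worth triage:
    repeated attempts or multiple sink targets, which a one-off misconfiguration
    rarely produces."""
    out = []
    for host, e in sorted(canary_hits(flows).items()):
        attempts = e["tcp_syn"] + e["udp"]
        if attempts >= min_attempts or len(e["destinations"]) > 1:
            out.append((host, attempts, len(e["destinations"])))
    return out
```

Feeding the sink's packet capture (or the router's flow export for the dark block) into `canary_hits` turns the dark addresses into the per-host watch list the post describes.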
At McAfee, we have invested significant time thinking about dark addresses and building honeypots with our McAfee Network Threat Response (NTR) product. NTR was developed to overcome the issues that made the transition from research use to operational use difficult for honeypots: increased solicitation, effective data review, determination of attacks, and quick determination of unknown events.
Just collecting packets in a dark address space yields only UDP payloads, as TCP payloads do not occur until after the handshake. McAfee NTR has implemented a blank socket approach to create a handshake and ACK the follow-on packets.
FirstLight, McAfee NTR’s honeypot solution, uses HoneyD in three modes: Shallow, Blank Socket and Proxy-back, in order to solicit communication from an attack. Shallow/Blank Socket gets enough for covert channel requests, while Proxy-back is best for viruses and worms. FirstLight is well designed to capture nefarious traffic, and has an option to capture only the incoming traffic, as we already know the response. Using positive-negative enumeration we can determine new channels/events quickly. This approach allows us to evaluate very large data sets.
Of course the downside to canaries is the amount of traffic that must be evaluated. In a large network, a great deal of traffic is generated that must be processed to separate benign packets from botnet command and control channels. While network canaries aren’t perfect, they do serve a very valuable role as part of a layered defense-in-depth architecture.
You can follow McAfee CTO George Kurtz on Twitter.
Tags: Compliance, Cybercrime, kurtz, McAfee Network Threat Response, Operation Aurora
I’m new to this site, but if the threat is very real I’m very interested in getting the protection I need for my Laptop Computer.
Can anyone out there help and advise me which is the best Security Software to have to make sure my P.C. has all the protection it needs?