Exposure Maps:

1
Exposure Maps Removing Reliance on Attribution
During Scan Detection
David Whyte, P.C. van Oorschot, Evangelos
Kranakis
2
Outline

• Scanning detection challenges
• Problems with attribution-based detection
  techniques
• Exposure Maps
• Experimental Results
• Conclusions

3
Scanning Detection Challenges

• Sophisticated scanning techniques
• Slow
• Fragmented
• Idle
• Distributed (Botnet)
• I detected a scan
• Was it successful?
• What did it reveal?
• Volume of Internet whitenoise
• Backscatter
• Worm propagation (known)
• Network diagnostics
• Web spiders
• Wrong numbers

4
Attribution-based Scanning Detection

• Variety of scanning detection techniques
• Observing connection failures
• Abnormal network behavior
• Connections to darkspace
• Increased connection attempts
• Majority of these rely on correlating scanning
  activity based on the perceived last-hop
• Focus of detection is who is scanning instead of
  what is being scanned

5
Shifting Focus

• Attribution is not practical for an increasing
  number of sophisticated scanning techniques
• Focus on attribution overlooks critical
  components of any observed scanning campaign
• What are my adversaries looking for?
• Has the network behavior changed as a result of
  being scanned?
• Exemplar technique Exposure Maps

6
Exposure Maps (1/2)

• Passively observe network traffic (training
  period)
• Ignore network traffic initiated from the inside
• Record only internal system responses to external
  events such as
• TCP SYN ACK
• TCP RST
• UDP IP pairs list
• ICMP echo reply, host not found, time exceeded

7
Exposure Maps (2/2)

• Host Exposure Map (HEM)
• Visible and enumerated services
• Externally visible interface of an individual
  host
• Network Exposure Map (NEM)
• Union of HEMS in a target network
• Externally visible interface of the network
• Let your adversaries do the vulnerability
  scanning for you!

8
Sample NEM (proof-of-concept)

• Test network size 1/4 Class C
• Test period two weeks
• NEM was stable within 12 hours of the testing
  period

9
Scan Detection

• Incoming connection is defined as any atomic TCP
  connection, UDP or ICMP datagram
• A connection attempt to a host/port combo outside
  of the NEM is considered a scan and recorded
• No connection state tracking required

10
Post-Scan Detection Activities

• Monitor changes in the NEM
• Validate new services offered
• Unexpected changes in the NEM may indicate
  compromise
• Monitor changes in network scanning activity
• Spikes in scanning activity may indicate a new
  exploit
• Attribution is possible post-scan detection for
  most unsophisticated and certain classes of
  sophisticated scanning activity

11
Detected Scanning Activity
12
Conclusions

• Shifting focus away from attribution during scan
  detection may provide a means to detect
  sophisticated scanning campaigns
• The true insight that can be gained by scanning
  detection is not who is scanning you but what are
  they scanning for?

13

• Discussion ..
• dlwhyte_at_scs.carleton.ca

14
Observed Sophisticated Scanning

• Slice and dice recorded scans using a variety
  of attributes
• Slow Scan - pcanywhere 15 min intervals
• Possible distributed scan - 6 systems from the
  same class C network and scanning footprint

15
Exposures vs. Scanning Activity

• Network scanning possibilities
• In practice NEM lt A lt E