
…Albert school, and he's going to be presenting on testing enterprise DLP systems.

All right, thank you. I'd like to encourage everybody that was here for Adrian's talk to hit his website up; he's got a lot of cool stuff there. In addition to some of the stuff he talked about, there are all kinds of archives of things that I've found useful, so that's worth doing. Just starting out: if you have cell phones or anything like that, I'd like you to make sure that they're turned on and the ringer turned to high. Your calls are important to me. I'll stop and listen in; we can all kind of get some personal information, so I'd appreciate that.

When we look at data leakage prevention, I kind of ask, well, what is it? What is the problem it's solving? Folks, I've seen presentations of people getting root on machines, getting interactive shells, things like that. When bad guys do things to large enterprises, they're really not, I don't know if they even were before, some other kind of miscreant or whatever, but when bad guys are doing things to enterprises, they're doing things to ruin the reputation as well as exfiltrate data out. And when I talk about enterprises, I'm talking about DOD getting attacked, NASA, government, higher education institutions that are affiliated with defense contractors, getting all this research information: pharmacy research, biologicals, chemical warfare information, things like that. And so that's not necessarily done by getting a root shell and poking around and seeing how many machines you can own, getting domain admin or anything like that. That doesn't matter; it's the data that's important.

And so I think up until now we've kind of progressed through network protection with firewalls, host security, endpoint protection, application security, things like that, and people are kind of looking at the data and saying, wow, we've got all these other things, but people are still getting our data, so we can't just keep them out through all these other mechanisms, or I guess lower levels in the stack. So what I'm going to talk about is the problem that DLP is solving, and some of the enterprise deployment scenarios that I've seen. I'm not a DLP administrator and I don't claim to really know much about DLP other than a bunch of threat modeling I've done and successful tests in exfiltrating data, and some test scenarios. So again, we're not talking about attacking somebody that's in a coffee shop and exfiltrating their data; we're talking about attacking somebody on maybe even a classified network or a highly protected network: traditional firewalls, endpoint protection, DLP agents on machines, things like that. That's one of the test scenarios. So I'll go over that, some of the techniques to just bypass the DLP altogether, and then that kind of gets into exfiltration techniques. I'll go over what I call first-order exfiltration, where the data just comes out, or second-order, where it has to come out in chunks or has to go through several steps before just coming right out.

So what this is, it's focused on DLP, but it's more an analysis of systems and how you can look at systems. That's why I purposely didn't make any PowerPoint slides, because it's to help you think about threat models and think about general systems as a group of processes, technology, people, and the interfaces between those. There's always a place to exploit those interfaces, and usually once you can enumerate the interfaces where people connect with technology, and technology connects with processes, those are some
of the biggest gaps that you'll find. And so again, as a pentester, as a defender, or as someone securing your enterprise, it's very difficult to manage that.

So let's see. Again, I guess I went over the problem that DLP is trying to solve: that data is getting out despite web application firewalls, despite network controls, host controls, things like that. For a while it was as simple as somebody losing a laptop that had downloaded tables of credit card information, before people got the idea to encrypt data.

The deployment scenarios are usually centralized. Again, this is a large enterprise; this isn't a home network. So you can assume a traditional kind of three-tier DMZ, where web access is proxied; there's no direct access out of the network. Within that context, that's where you have a DLP system. And so what that is, generally, if people haven't seen these things, is not quite like antivirus but more like something like Tivoli for a desktop, where you put a little agent on the desktop and a server or group of servers push some policy out to this agent, and the agent does what the policy wants it to do. So that's a general deployment.

The way the threat model to that works is, first of all, there's the notion of a security policy that can be pushed out from the central server. So before there's any technology, there's some policy that says that personal information, or whatever information, can't be taken off the network. Then there's the implementation of that policy on a central server; that's generally what we see through regular expressions, or through actual data. Like if we want to make sure people don't exfiltrate credit card data, you can actually get a real feed of the credit cards you process, have that inside of this DLP agent, and push that out as a policy. The other attack area, the other deployment scenario, is the operational integrity of the system, and that encompasses more the people as well as the configuration of the system. So, the operation of the system: a real easy way to attack a DLP system is just kind of DoS it, unplug it, and it doesn't report back; there are different issues, things like that. So that's not an actual scenario, but... And then the other thing that I think some people would probably be pretty aware of is that there are vulnerabilities within the implementation itself. So anybody that's been around any length of time has seen, I used the example of Tivoli, that within large enterprise products that are essentially centrally managed botnets on an enterprise, like Tivoli, like state management systems from some vendors, can't think of the name right out of the gate, from antivirus, you'll see that there are vulnerabilities in those actual agents. There are vulnerabilities in the servers that run the agents. The telephony systems are another good example: gatekeeper things, they actually have vulnerabilities in them that you can attack. And so that's another way around it.

And this is a big picture, but it goes into the threat model of attacking DLP systems. And again, if you can think of a generalized view of attacking anything, there's sort of a systematic way to go through and review different aspects of a system and find where they're put together, where they're weak, where they're just kind of put together with duct tape within enterprises, things like
that.

So one of the things that I found, kind of on up from firewalls and network protection and things like that, is that a lot of times security people and C-level executives really like to use analogies. And so we talk about how the firewall is like a castle and there's a moat and you try to just protect the one drawbridge, and if people go through the moat, alligators or something get them, things like that. And so that's something that kind of sticks in your head when you think of firewalls, and the reality is that that's not it. There's policy on the firewalls, there's implementation of the firewalls, there are operational considerations of people pushing out wrong rules, things like that. So all that applies to DLP, and this notion of our ability to control data and to precisely understand when data leaves our network or moves around inside of our network is very difficult to pull off with technology and with processes and people. And so I think part of what's gotten us into this is this mind state of imaginary analogies that people put together about antivirus and stuff. Anybody that works in a corporate environment: people are always making these funny little quips and analogies, and whoever comes up with one, it goes around for a while, things like that. So I kind of call it management by in-flight magazine: somebody comes back from a conference, perhaps it'll be an audit person or something, and they'll say we need to do this, we can stop data from leaving our enterprise, we need to do this. And generally the people that come out, nothing against consultants or anything like that, but the people that are doing some of the implementation, if your enterprise doesn't trust you to do it, they hire somebody else that knows less than you do about things like that, and they come in, and you're not getting sort of a rock star, usually, putting together your DLP systems. The whole point of it is that these things are relatively new; the technology is new; there are still acquisitions; there are all sorts of things. So the implementations, I'm not really confident, are as good as they look on Visio.

Let me see. So before the policy, the other piece, I guess, before even the policy: there are four parts. You know, the policy that you put in, that people sit at a table, that the C-level executives or whoever's determining that come up with a policy, and it's that policy that gets implemented if you're actually stopping data. So if you're preventing data leakage, again, when I think of that, unless you're doing an exact match, I kind of think of intrusion prevention systems, which are very good; they work well in the lab and things like that. As soon as you prevent something that looks like an attack, or trigger the IPS, and a nightly batch job for an important customer stops, that's the last time that enterprise ever uses an intrusion prevention system. And the same thing: they sit on servers, or they have host intrusion prevention systems, things like that; all the same goes there. The complication level is way above the ability and the interest of a large enterprise to implement correctly.

So what happens is you get a policy and you say, well, this is our data that we want to protect, and we don't want it to leave the enterprise. That's usually kind of a large policy. What's not said is that they also don't want any interruption in business. And so a good example is that if you sort of block transfer of this sensitive information to a USB drive, now all of a sudden your engineers and tech people that are going out to service PCs are disabled in doing any of their work if they're trying to transfer anything that has anything sensitive to a USB drive, if they're backing up somebody's desktop or something like that. So the thing that goes unsaid about DLP, very similar to IPS, is: do whatever, we don't want any data leaving our network, but we don't want any interruption in service. And if you do interrupt service, then you start backing down on the rules, and that's actually what happens. A list of sensitive data, if it's defined beyond something specific like credit card or banking information, things like that, I haven't seen it implemented correctly in a number of places, because of this need for business continuity and the legitimate need to do business, which I think is appropriate. What's not appropriate is us as security people, or vendors, or people selling DLP as something that can accomplish that without impacting the business.

The other part is that DLP, strategically, if you think about it, you have to seal an entire enterprise and have to monitor every place in and out of an enterprise. So for a room like this, again, I'll go back to analogies, which I kind of criticize, but there are a lot of doors here, so we could have sentries here, but you could come through the roof, you could blow through one of those things. There are a lot of ways that need to be thought out when you have the second-year person at a vendor site installing your DLP system for you and you tell them, just set it up the default way or something.

The other thing, so what that leads into, is that most enterprises, while in this day and age most enterprises have some sort of a data classification system, I'm
still finding that when you really find the people that seem to know what's going on and ask what really is sensitive information, what would impact your business, you know, Dave kind of talks sometimes about pen testing to the point where you can disrupt somebody's business, that's a whole different data set than what you would see as a data classification. So people classify things as confidential or highly confidential and public, things like that, and there are all sorts of encryption requirements and things, but one thing I haven't seen, at least in the industries that I've worked in, is intellectual property. And in some cases you can get credit cards, banking data from multiple places, and the best place to get that in aggregate would be a bank, and so people have been successful at that. What I haven't seen is the protection in DLP policies, or even the acknowledgement, of intellectual property. And so that comes in all sorts of forms, and that's not something that you can do exact matching on. That's usually business logic that comes from the company's best and brightest, that gets in the form of code, that is all throughout the enterprise in different forms. The biggest good example of this, I think three or four years ago now, is Goldman Sachs lost some... a trader walked out with some high-speed trading algorithm data, and there was nothing; I don't even know if they knew prior to that that that was a concern to them. And so while we have the data classification that potentially could be implemented in policy, there's a flaw right there that you can attack, the fact that those don't match up: the data that people are watching to go out might not be the right data. So that makes it real simple.

So what ends up happening is you have a system that has these agents on a desktop that's looking for regular expressions, maybe some exact pattern matching. So assume the policy, right. If anybody's gone up against or pen tested any web application firewalls, or if they've looked underneath the hood of web application firewalls, and that would even include mod_security, which is open source, which is something you can look into, you'll see that it's not easy, but it's possible to develop a test case, in the same way QA testers develop test cases, to exploit those regular expressions. And again, it's not something that most of us would do in five minutes, but if you wanted to attack a system that has a web application firewall in it, the analogy being a web application firewall is some static rules and some regular expressions, I wouldn't say it's trivial, but it's not difficult to bypass them. And that's more due, again, to the implementation: protect our systems but don't impact our business. And so that's kind of what we're up against.

The other thing that I find kind of strange, and this is sort of true of web application firewalls, but people have been able to unearth the web application security policies, to reverse engineer them, plus there is one open-source one, is that a lot of the DLP policy within enterprises is considered secret, so that any kind of watermarking that's done, any kind of these regular expressions, aren't visible to an attacker. So the attack scenarios I want to talk about are an internal employee that has the data and an external employee that has access to the data. So I'm not looking at finding the data; this assumes that you've been able to spear-phish a CEO, or you've been able to find it, you know, you have the data: as an external attacker on the inside you know where it is, or as an internal malicious employee. So this idea of secrecy around the DLP policy is good as long as it stays secret. So that's kind of that. Once somebody knows it, so if you're an internal person and you know that policy, then it almost does become trivial to bypass it.

So let's see, does anyone have any questions or anything about that? Does that make sense, sort of, or maybe not, or
whatever? Okay.

So when you attack the operations of a DLP installation, again, this is a specific case of a general way to attack systems, and I guess one of the ways I started to think this way was, if you guys know who FX is, I think he's a German or Dutch person that presents out at DEF CON from time to time with Phenoelit, kind of an old-school person. He did a presentation, you can look this up, on using sort of systems analysis to attack enterprise BlackBerry systems, and it's the same approach of looking at each individual component, how they're put together, and being able to usually exploit one thing. One thing to keep in mind is I find you can almost always exploit a system where it has interfaces, where the seams are. So that kind of makes sense even from an analogy standpoint: things will split at the seams before they do down the center. So once you can enumerate where things are put together, where the glue is, where the duct tape is, or whatever, those are usually good starting points to attack.

So the operations of a DLP system include somebody that's monitoring this stuff. So this is kind of the people part of it and the process. So who's monitoring, what are they monitoring, what is whitelisted? So now you have an agent that has all these regexes and policies and everything like that. Now you have people on the other end seeing that an alert has been generated. What's a false positive? How do you know if there have been... if the CFO, say, of a company, or a marketing director, something like that, if there have been thousands of DLP alerts off of their system, can you go up to them and say, is this a false positive or something, or do you just... what's your reaction, what's the policy, what's the follow-up, what's the process, right? And so you can take advantage of that as well. So if you're just looking at monitoring, so you're not preventing data from coming out but you're just monitoring the data coming out, there's this whole lag time determining friend or foe, on whether the data was legitimate or whether it was a false positive. And again, just like if anybody has been in an operational role, on holidays, things like that, New Year's Eve, that's when this kind of thing happens. So from an attacker's standpoint, it's easy to determine when there's less operational staff, and that's a good time to attack things. Let's see.

Yeah, the other thing, about the software being vulnerable itself: this is something that I haven't looked into a lot, but again, for folks that are in forensics, and almost any field that people have been in, there has been some security software that they found has vulnerabilities. It's just like any other software. A lot of times we tend to think that security software is in a different universe or something. So that includes IDA Pro; it includes things like EnCase. I've never used EnCase, but the people I know said, at least, I don't know, a couple of years back or whatever, that it would crash all the time. So EnCase is a forensic imaging package, if people aren't familiar with it. You'd be imaging a hard drive, or you'd be looking for different things, and the system would crash and continually crash. All those crashes, for people that are attackers and are looking into anti-forensics, are potential exploits, and so that's happened. And the same thing has happened where we've had antivirus products that have had buffer overflows where you can get into things. Again, these are set up across the enterprise. And so I have no doubt with DLP systems, the more we use them, the more they get deployed, the servers are going to have... any kind of web interface that they have, we're going to find vulnerabilities; we're going to find vulnerabilities in the agents, and people are going to be able to exploit those vulnerabilities for any number of things, not least of which to exfiltrate data out.

Okay, so let me see. So the attack scenarios would be, if we take an internal person, so this would be somebody that you sit next to, or somebody that is in a
completely different department, that knows and has legitimate access to, say, social security numbers and email addresses, and there's a working DLP policy that detects movement, again, it depends on how it's implemented, but that's what we'll kind of get into, of, just say, social security numbers. So typically you move it to a... one thing that I found is that the DLP doesn't detect when you move things off of your hard drive, off of your drive, to a network drive. It does detect when you move it to a local drive, like a USB drive or something like that. There are things that might prevent it from being sent out through email in clear text. Typically, again, large enterprises are still struggling with key management for email encryption systems, and just simply encrypting a message bypasses DLP very simply. And so that's something that somebody can do. To be honest, there are not a lot of advanced DLP evasion techniques. So encryption is one of them; encoding is another, if your DLP system doesn't un-encode. So with encryption you have a key and you've got to manage that and everything. With encoding you don't need the key; there are different types of encoding, base64, things like that; sometimes that'll get right by the DLP.

The couple of advanced ways to do it, and this is again sort of in contrast to what Dave was talking about, about getting a shell out directly from somebody's desktop by scanning a whole bunch of ports. I'm assuming you scan a whole bunch of ports and you just hit that inner firewall and you try to make a web call and you can't make it because you're not going through a correct proxy. So one of the ways I've come up with is that you're able to use the IE object within Windows to post data, encrypted data, out to a dead drop. By dead drop I mean something on a free web server where you can run a PHP collection script that will receive that POST data, or if you're running botnets you can send it to a hacked computer, if that's what you do. So that's probably one of the easiest ways, because the IE object already has the proxy included in it; when you use that, you get through the proxy that way.

Another way to do it, and this isn't any revelation from me, but depending on the way the DNS system is set up within an enterprise, you can exfiltrate data out through DNS requests. And they would be encoded. So the way you would do this, and I've never seen any DLP system that can catch this, is you have your own domain, just say test.com, and again if you're internal this becomes real easy because you just use nslookup or something. DNS names, from what I'm thinking, are limited to like 255 bytes or something like that, so you can do a little bit of data at a time, but essentially in the host name, the subdomain that you put in of test.com, is some 255-character encoded piece of data that you want to exfiltrate that you do an nslookup on. For your authoritative domain, eventually, in order to get the domain resolved it has to hit your DNS server, if you're authoritative for that domain, and in that you'll see the request for the encoded data; the encoded data gets to your DNS server. And so Dan Kaminsky has done a lot on tunneling through DNS and all this other stuff like that, and so that's kind of the basis of it: that you own this domain and you're able to communicate with it. I'm concerned with asynchronous communication, though, just getting the data out once somebody's clicked on your link, or once you've sent it out.

Same goes for kind of an external attacker. A lot of times I've seen in enterprises that have SOCKS proxies that it's difficult to restrict what specifically goes out of a SOCKS proxy. So if you're familiar with that, you have an enterprise that has a web proxy out, that has no direct out, that has firewalls blocking everything out, except you'll have like FTP proxies maybe, or you'll have SOCKS proxies for people that need to get from their desktop to an internet server. And so typically they'll block web ports so people can't just bypass the web proxy. The other ports I've seen are like IRC or kind of common ports like that. That's where Dave's script might come in handy, if people saw that: you can enumerate where a SOCKS proxy is and then tunnel your way out through a SOCKS proxy within an enterprise. That's another alternative if you're an outside attacker. And again, the way that I would do that would be to set up something that
just sends out encrypted through the SOCKS proxy. I guess you could use SSH; typically that's allowed out because people tend to need that.

The other thing that's useful is that a lot of times DLP policy, while it's implemented on primary SMTP servers, won't be implemented on the entire SMTP infrastructure. So if you're able to enumerate, so if you're in a DMZ now, or even internal, we can just stick with the internal part: a lot of times if you look around you'll see that there are internal SMTP servers that developers use, or testers use, that will go out to the internet and send the email out, egress that way. And I've seen those go different routes, that they miss the antivirus, they miss the content filtering, just because either they're unknown or they weren't supposed to be put in in the first place, but they meet some business need. So it's worth looking for, scanning for, open SMTP servers and being able to send email out to egress data that way.

Let's see, I think that's pretty much what I had. One other thing is that the way some USB controls I've seen are set up, you can use alternate drivers, so that you can install different USB drivers to bypass USB restrictions. So I don't think I've seen it specifically against a DLP agent, but with systems, I'm trying to think of what it was, but the idea was basically you couldn't copy over to an unauthorized USB device; however, if you changed the driver on it, you could make a USB device look like a local drive, you could make a removable drive look like a local drive. And that goes back to the same thing with, if you have a little network storage device you can pick up at Best Buy, you just plug that in and copy everything over to the network storage device and you're good to go. I still haven't seen... that won't work when enterprises, if we ever implement kind of NAC or anything like that, but I haven't seen an enterprise yet that has been able to do that that's not sort of a military contractor or something like that. So I think that's it, that's all I got. Any questions? Thanks.

We had one question. One question: what are those lined up? Okay, yeah, I don't know. I just kind of put them there, you know, but for asking the question you can pick any two of them. That was a good question. Not the gun, though. What is... I don't know if I want to ask about that. Okay, although I'm curious about looking at the gun. Yeah, sure, sure, sure. Is it Nerf? It is, yeah, it's a Nerf brand. Yeah, it's my son's, so I've got to return it to him. Did Simon warn me not to squirt any more than I did? It was getting him angry. So you could take two, take two, please. Yeah, yeah, take your time, take your time.
Yeah.
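The two exfiltration points the talk makes in passing, that a regex DLP policy misses data once it is encoded, and that DNS exfiltration chunks encoded data into the hostname of a query for a domain you are authoritative for, as an added example in Python. This is not code from the talk or its speaker; the SSN regex as the stand-in policy, the 63-character label and 253-character name limits, the fixed decode depth, and example.com in place of the talk's test.com are my assumptions, and all input data is constructed. The scanner half goes slightly beyond the talk by showing what closing the hole looks like (decode plausible base64 before matching) and its limit (a bounded depth still misses one more layer). The DNS half uses base32 rather than base64 because DNS names are case-insensitive and resolvers may fold case.

```python
"""Added example (not from the talk): regex DLP vs. encoding, and DNS-label chunking.

Constructed data only; nothing here touches the network.
"""
import base64
import re

# Assumed toy policy: a US SSN pattern, the kind of regex a DLP server pushes to agents.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Plausible base64 runs worth trying to decode (padding optional).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample record with a fake SSN.
RECORD = "employee=jdoe ssn=078-05-1120 email=jdoe@corp.example"
SAMPLE_PAYLOAD = (RECORD + "\n").encode() * 5  # 270 bytes, enough for several queries

MAX_LABEL = 63   # assumed: RFC 1035 label limit
MAX_NAME = 253   # assumed: practical limit for a full textual name
ZONE = "example.com"  # stands in for the talk's test.com


def b64_wrap(text: str, times: int = 1) -> str:
    """Encode text with base64 `times` layers deep (the attacker's side)."""
    out = text.encode()
    for _ in range(times):
        out = base64.b64encode(out)
    return out.decode("ascii")


def naive_scan(text: str) -> list[str]:
    """Match the policy only against the bytes as they appear."""
    return SSN_RE.findall(text)


def decoding_scan(text: str, max_depth: int = 2) -> list[str]:
    """Match the policy, then also decode base64-looking runs and rescan them.

    Depth is bounded on purpose: anything nested deeper than max_depth is missed,
    which is the caveat with fixing the encoding gap this way.
    """
    hits = list(SSN_RE.findall(text))
    if max_depth == 0:
        return hits
    for candidate in B64_RE.findall(text):
        padded = candidate + "=" * (-len(candidate) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or not text: skip this run
        hits.extend(decoding_scan(decoded, max_depth - 1))
    return hits


def to_dns_queries(data: bytes, zone: str = ZONE) -> list[str]:
    """Client side: base32 the data, cut it into <=63-char labels, and build
    names of the form <seq>.<label>.<label>...<zone> that fit in MAX_NAME."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    seq_width = 4  # zero-padded sequence label so the server can reorder
    per_query = (MAX_NAME - len(zone) - 1 - seq_width - 1) // (MAX_LABEL + 1)
    names = []
    for seq, i in enumerate(range(0, len(labels), per_query)):
        parts = [str(seq).zfill(seq_width), *labels[i:i + per_query], zone]
        names.append(".".join(parts))
    return names


def from_dns_queries(names, zone: str = ZONE) -> bytes:
    """Authoritative-server side: take the queried names (any order), strip the
    zone, reorder by the sequence label, rejoin the labels and decode."""
    chunks = {}
    suffix = "." + zone
    for name in names:
        if not name.endswith(suffix):
            continue  # unrelated query for this zone
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0])] = "".join(labels[1:])
    b32 = "".join(chunks[i] for i in sorted(chunks)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    print("plain   :", naive_scan(RECORD))
    print("base64  :", naive_scan(b64_wrap(RECORD)), "-> decoding:", decoding_scan(b64_wrap(RECORD)))
    queries = to_dns_queries(SAMPLE_PAYLOAD)
    print(len(queries), "queries, first:", queries[0])
    print("round trip ok:", from_dns_queries(reversed(queries)) == SAMPLE_PAYLOAD)
```

Run it as a script to see the plaintext hit, the miss on the encoded copy, the decoding scanner catching it, and the DNS round trip. The server side deliberately accepts the queries in any order, since recursive resolvers do not preserve the order in which the client issued them.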