Re: Detecting covert data channels?



Jeremy,

You make some very good points.

Data leakage via a covert storage channel is probable assuming that
both ends of the channel are owned. But, to own both ends, there
needs to be minimally one host compromised in the environment
containing the valuable data.

Therefore on the data leakage front, prevention is absolutely the key.
But I would focus the prevention effort on the end nodes/hosts.

As far as protocol normalization goes, I think there is still some
opportunity for data transmission especially in packet headers. As
you say, "almost all" covert channels.... I dont think we can ever
completely remove the threat because the use of protocol header fields
is subject to interpretation in many RFC's and has changed over time.
It comes down to close manual scruntiny in the end.

Covert storage channels can and do use header fields in protocols that
are part of the protocol itself. My thinking is not just about the
known channels but also what is possible, and perhaps not yet
implemented by anyone.

-Joff




On 13 Jul 2007 17:21:49 -0000, jeremy@xxxxxxxxxxx <jeremy@xxxxxxxxxxx> wrote:
The key question here is 'why?' If your goal is detection and forensics then collecting batches of data for statistical analysis is likely to be both possible and the best approach. You'll want to analyze the data in multiple dimensions to look for anomalies across volume, targets, protocol structure, sequencing, fragmentation, metadata, etc. (Remember you covert channel may not be in the data at all it may be as subtle as the timing of when the packets arrive or the order)

For this approach I'd tend to use tcpdump and various custom scripts doing the batch analysis.


If your goal is to prevent data leakage or generally prevent unmonitored communications then I think that detection is mostly moot. Instead you should focus on prevention. In this case, analyze what you can and what you care about and normalize the rest. All covert channels I can think of rely on using parts of the data streams that are not used for the core protocol goals. Therefore normalizing traffic rates, header fields, sequencing, fragmentation, etc will simply remove the opportunity for almost all covert channels.

You will, of course, still need the forensic approach above if you want to increase your confidence but as you find each possible channel you'll probably only need to modify your normalization to remove it.


-J

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------