DeepSec 2012 Talk: Passive IPS Reconnaissance and Enumeration – false positive (ab)use
Once you have a network, you will have intruders. You may already have been compromised. How do you know? Right, you use proper and hard to fool monitoring tools that will always detect good and evil. If you believe this statement, then you probably never heard of the dreaded false positive, commonly known as false alarm. Sometimes a search pattern triggers, but there is no attack. Getting rid of false positives is difficult. As a side effect security researchers have explored false positives as an attack vector. Arron ‘Finux’ Finnon is presenting a new look at intrusion detection/prevention systems (IDS/IPS) and new uses for false positives.
You can use false positives to better understand the security posture from an attacker’s point of view, and more importantly be used to discover security devices such as IPS. What makes this an interesting angle is this unique use of false positives. Basically your IPS reacts to injected data and reveals the defences to your adversaries. You can use a crafted e-mail to determine what e-mail filters are active (including the vendor). By using fake URL parameters your opponents can determine if an IPS protects your web server and if so what kind. This opens up a lot of creative ways to trick your infrastructure into leaking information about its defences.
While Arron’s presentation is a bit short on good news (there’s no real “out of the box” solution for the false positive behaviour, time and effort is needed to better mitigate the threat), you definitely should know about how your defences can be abused as probes. He will present the view at your intrusion prevention systems from the point of an IPS hacker, and he will introduce a very interesting open source project.
We recommend this talk for anyone dealing with security monitoring and intrusion detection/prevention. It doesn’t matter if you are not too deep into the technical details, unintended consequences are a classical way of introducing weak points into your perimeter or even into your own „green zone“. Don’t let this happen without being aware of what attackers can do.