Tracking the hardware network address of Ethernet devices can be a daunting task for an enterprise network operations group. The ability to track Ethernet (or MAC) addresses can have tremendous value for tracking changes to the network, user activity and access control. This situation can be exacerbated in a dynamic IP address environment.

Over the years I've spoken with many different customers who used scripts and other techniques to crawl switches, sniffers, agents  to scour their network to keep their list of MAC addresses up to date. Each of these usually worked well, but the data ended up in only one organization's solution and often, these solutions didn't detect changes in real time. 

This blog entry describes the various methods that can be used with a Tenable Unified Security Monitoring solution to collect and track Ethernet address information from scans, network monitoring devices and log analysis tools.

Scanning and Credentialed Audits

Nessus vulnerability scans will discover the Ethernet address of a remote host under the following conditions:

• the host is in the same collision domain as the scanner AND  an ARP 'ping' is enabled
• the remote host is Windows AND it can be queried for its MAC address through SMB (plugin #10150)
• the host is being scanned with credentials AND it is a Linux or Windows computer
• Plugin #10551 attempts to enumerate all network interfaces via SNMP
• Plugin #33276 (Enumerate MAC Addresses vis SSH) logs the MAC address from credentialed UNIX scans

It's important to realize in these audits that sometimes a host may have multiple addresses if it is running more than one hardware or virtual interface. Also, for credentialed testing, Nessus only logs the Ethernet address of the primary network interface. Below is a screen shot from a Nessus Client showing the scan results of plugin 10150:

If you run a tool like the Security Center, the MAC addresses obtained by Nessus scans can be used for filtering and asset list creation. For example, you could use the MAC prefix assigned to Cisco devices to automatically create a dynamic asset list of all Cisco devices. Below is a zoomed in screen shot of MAC addresses being displayed under the Security Center:

As you can see, not all IP addresses have had their MAC addresses identified. This could be because the device was in a different VLAN, wasn't scanned with credentials, or was not a Windows, OS X or Linux device. MAC addresses can also be used in a search field so that you can immediately discover the vulnerabilties and configuration of a host with with just its MAC address.

Passive Network Monitoring

The Passive Vulnerability Scanner (PVS) will log the MAC address of any "New Host" that is discovers. This is an excellent way to look for changes in DMZs, server farms and other locations where you don't normally get a new host that often. 

Below is a screen shot of some New_Host event logs from the PVS as seen under the Log Correlation Engine:

When reporting a new host, the PVS will log the Ethernet address of the IP packets it sees. If your PVS is deployed on the perimeter of your network, such as if it were monitoring all inbound and outbound traffic, then the MAC address logged will likely be that of your firewall, router or NAT device. Deploying the PVS on the span port of a core switch or router is an effective method for sniffing unique MAC addresses.

Log Analysis

If your network generates logs from the use of DHCP, arpwatch, the Passive Vulnerability Scanner and other sources that contain Ethernet addresses, the Log Correlation Engine (LCE) can be used to parse these and generate alerts when new hardware addresses become active. For example, consider the following arpwatch logs:

Jun 23 19:05:45 localhost arpwatch: new station 192.168.20.207 0:c:29:dc:e7:ad
Jun 23 19:05:45 localhost arpwatch: new station 192.168.20.12 0:11:43:fd:73:33

Not only is arpwatch letting us know it found a new host, it has also logged the MAC address.

The new_mac.tasl TASL script for the Log Correlation Engine will automatically track a wide variety of log sources from various Unix, Windows and network devices. When it gets a log, it will extract the MAC address and then compare it to a list of previously discovered MAC addresses and issue an alert if a new one has been found. Below is a screen shot of what this looks like when viewed under the Security Center:

Notice that the original log message is retained and that the vendor prefix of the MAC address has been used to identify the vendor. This can help identify if there was a new VM, a new router or simply a new laptop that has been added to the network.

Tenable has also extended this concept further with automatic recognition of usernames and associating them to their MAC addresses. The user_to_mac.tasl TASL script watches DHCP logs as well as authentication logs to build and associative array of usernames and MAC addresses. We've blogged about this concept in depth previously. The feature is extremely useful to detect changes in a user's behavior, such as logging in from another user's computer or using a new laptop.

For More Information

The following previous blog posts will likely be of interest to readers:

• Auditing and Finding Virtual Machines
• Wireless SSID Enterprise Discovery
• Improper Network Segmentation Testing With Nessus
• Access Point Detection
• Asking Vista for its List of Network Interfaces

Tenable Network Security has released PatchDiff2 for the IDA disassembler. PatchDiff2 can be used to compare the differences in patches provided by vendors in order to understand what has been modified and where previous security holes existed. In some cases, such as the recent MS08-030 release and re-release for Windows XP, a tool like PatchDiff2 can show that a patch update didn't actually modify anything.

PatchDiff2 is provided FREE to the community in the hope that it will help research engineers to better analyze patches.

Tasks performed by PatchDiff2 include:

• Display the list of identical functions
• Display the list of matched functions
• Display the list of unmatched functions (with the CRC)
• Display a flow graph for identical and matched functions

The main PatchDiff web page, which includes a download, is located here.

A demonstration video is also available:

Episode #66 of IT Radio's Risky Business is now online. This installment features a discussion of smart phone security, wireless complacency issues, forensics for mobile devices and a discussion of this week's information security news stories. Tenable's Chief Security Officer, Marcus Ranum, is also interviewed regarding the effectiveness (or lack thereof) of penetration testing. including some of the negative impact it can have on employee morale.

• The MP3 audio stream can be downloaded here.
• To play the recording in your browser, visit the show link here.

Digital Bond has recently announced control system configuration audit policies that are being developed for the Nessus vulnerability scanner. These policies can be used to audit operating systems running a variety of control system applications and components. The initial list includes:

• Telvent OASyS DNA Realtime Server (7.5) - Windows Server 2003
• Telvent OASyS DNA Historian (7.5) - Windows Server 2003
• Telvent OASyS DNA XOS (7.5) - Windows XP
• Telvent OASys DNA Engineering Station (7.5) - Windows Server 2003
• Siemens Spectrum Power TG SCADA Host (8.2) - Red Hat Linux
• Siemens Spectrum Power TG SCADA Workstation (8.2) - Windows XP
• Siemens Siemens Spectrum Power TG Web Console (8.2) - Windows Server 2003
• SNC-Lavalin ECS GENe SCADA - Red Hat Linux
• ABB Ranger RDAS (2003) - Tru64 UNIX
• ABB Ranger RAS (2003) - Tru64 UNIX
• ABB Ranger Web Server (2003) - Tru64 UNIX
• ABB Ranger Workstation (2003) - Windows XP
• OSIsoft PI (3.4) - Windows Server 2003
• Audit templates for custom applications used by Bandolier project partners

These audit policies will be available in July to subscribers of Digital Bond's online resources, which include SCADA network IDS signatures, rights to edit and modify a heavily populated SCADA security Wiki (the SCADApedia), and many extremely useful presentations and white papers. If you are responsible for security or continuity of control system networks, Digital Bond's online resources are tremendously valuable. If you are interested in working with Digital Bond to develop audit policies for control systems applications that are not on the above list, please contact them.

Digital Bond developed the original SCADA vulnerability plugins for the Nessus scanner and recently received funding to perform in-depth best-practice configuration hardening research for a wide variety of control system applications. This project is known as Bandolier. Unlike CIS and FDCC which focus on common IT desktop and server technology, developing best practice guidelines for control systems is more difficult because there is a smaller user base, a larger set of technologies and a large variation in how technologies get deployed into production.

Many of the Windows based control system applications make use of the DCOM technology and run by default as "Administrator". Many of the audit recommendations for these applications allow users to configure their system so that they do not need to run as an Administrator and also tighten the permissions about who can communicate via DCOM.

Control System Auditing and Monitoring

These audit policies can fit into a variety of uses:

• Perform non-intrusive audits of existing control systems
• Use audit results to demonstrate to an auditor that your control systems are configured against industry best practices
• Audit control systems before they get deployed
• Develop IT strategies to move your control systems from a unmanaged or unhardened state to a more secure state
• Analyze the control systems of a potential acquired asset in a merger
• Prepare for incident response in a control system environment by understanding the configuration of the involved servers

The polices developed by Digital Bond work with Nessus Direct Feed subscriptions and also with Security Center deployments. By combining the audit policies from Digital Bond with the vulnerability and patch audits available with Nessus, an enterprise involved with control system monitoring is better prepared to mitigate risk and conform to compliance reporting requirements.

Enterprise Monitoring

In previous blogs, Digital Bond has discussed how they simply categorize configuration settings as compliant or non-compliant. There has been some discussion in the SCADA community that this may be overly simplistic, and that ratings should use scoring systems such as CVSS.

While the discussion is interesting, Tenable and Digital Bond are presently evaluating configuration audit results based on whether the settings have been set within parameters or not. Other tools such as the  Security Center can perform asset based analysis of systems and classes of vulnerabilties and mis-configurations. This provides a more granular analysis to the enterprise of their risk level.

Organizations can also extend this type of control system monitoring with Tenable's Passive Vulnerability Scanner and Log Correlation Engine. Both products allow for continuous passive monitoring of network traffic and system logs to look for unauthorized change, suspicious activity, compromised systems and access control violations.

A video demonstration of an audit policy developed by Digital Bond used with a Security Center, Nessus, a Passive Vulnerability Scanner and the Log Correlation Engine is available online here.

For More Information

The following links and previous blog entries are available for further information about SCADA and control system auditing:

• Digital Bond website 
• Nessus 3 SCADA plugins   
• Control System Auditing video  (Just click and watch, no registration required!)
• Bandolier -- Tru64 and Nessus Compliance Checks
• Bandolier -- Internal Severity Ratings
• Bandolier -- The Real World
• Bandolier -- Introduction to Compliance Checks

Many SIM, NIDS and NBAD solutions have some sort of "blacklist" functionality which highlights when systems on your network interact with IP addresses that have been identified as being associated with scanning, virus propogation, SPAM originators and so on. These solutions typically take one or more lists of potentially "bad" IP addresses and then scour your netflow, IDS, firewall or other types of logs and to see if there are any correlations. This blog entry will focus on how these types of events can be analyzed.

Why Do Blacklist Correlation?

On any given day, you may be able to count all of the individual network sessions in and out of your network in the millions. Auditing these can be very difficult. If you know ahead of time where users are supposed to be going, you can use a firewall to filter this access. If you don't you can try to use a network IDS/IPS to look into these sessions and find evidence of foul play and policy abuse.

However with a blacklist, someone else has done the work for you. All you need to do is sit back and wait for your network to be connected to by one of these "bad guys" on the black list, or worse, wait for one of your systems to connect to these IP addresses.

Tenable runs our technology at a variety of locations and we often have access to our systems during customer evaluations. For a given network, if we aggregate network IDS/IPS events and there are perhaps 10,000 to 1,000,000 events per day, a heavy day of blacklist correlation could mean 10 to 30 hits. The effort required to analyze a blacklist interaction is very minimal and often of very useful value. And if you have a solution like the Log Correlation Engine, you can do this type of correlation on any log source you have including netflow, sniffed network traffic, firewall accept events and so on.

Where do Blacklists come from?

There are many sources of lists of "bad" IP addresses. At Tenable, we've enabled the Log Correlation Engine to work with published black lists from the Internet Storm Center, Arbor Networks, the Emerging Threats project and a few other. These sites have a variety of different techniques they use to aggregate information about potential:

• large scale scanners
• botnet command and control nodes
• malware payload distributors
• SPAM sending sources
• phishing sites

Some of these blacklists rely on input from sensors from all over the world. For example, if someone sends their logs to the Internet Storm Center, the sources of their activity are correlated with other submissions and the top sources of abuse are published. Sometimes, when a specific worm or trojan is analyzed, the IP addresses it communicates with are published and these are added to these lists as well.

Accuracy

Being limited to an IP address, there are often false positives where there is more than one function at that node. For example, a botnet that is receiving commands over IRC may result in having an IRC server IP address being placed onto a blacklist. Anyone that used IRC and connected to this server would then be seen communicating with a blacklisted IP address, even though the botnet is likely limited to a few specific IRC channels.

Similarly a web server may be identified as distributing malware or be a known phishing site, but if the IP address actually hosts many virtual web servers, then traffic going to those other web sites could be flagged as suspicious, even though they all travel to the same IP address.

The quality of being on a list or off a list is also something that changes over time. A hostile host could be scanning a site for several days or weeks before there is enough activity for it to be listed on someone's blacklist. For example, in the screen shot below, the last 5 days of all normalized events from a smaller university are shown:

Reading from left to right, there has been some sort of Snort based detection of malware (the SnortET-Malware_Activity events), but within the last day, there was a variety of logged network traffic with one hit of a connection to a known scanning source IP address as tracked by Arbor Networks. This would be the Blacklist_Arbornetworks_Top_Attack_Source event, as well as the Outbound_Blacklist_Communication event.

Compromise Detection

When looking for a compromise, any type of outbound connectivity from your network (the "good guys") to a blacklisted IP address should be investigated. A wide variety of trojans, malware and other types of backdoors will reach out to one or more hosts to receive instructions.

This outbound connection to a blacklisted IP address should be treated much more seriously than being scanned by a known blacklisted IP address. Imagine you are in charge of security for a large network and a blacklisted IP address scans you. Your SIM or NBAD may see 1000s of connections and lots of scanning events, but they will all be "inbound" to your network. However, if your systems are compromised, you may see an outbound connection. Consider the below example screen shot from a Log Correlation Engine monitoring netflow:

In this image (which was over a 48 hour period), there were a variety of blacklist events in the past (reading left to right), but the last few events also included 4 Outbound_Blacklist_Communication events. All of the previous events included connections "from" the bad guys to our network. They may be hostile and should be investigated, but at least the good guys didn't connect back. However, these last four events were "outbound" in nature. For some reason, hosts on the monitored network reached out to these "blacklisted" sites.

Since there are only 4 events, analyzing them can be accomplished in short order.When this occurs, you should attempt to see if this connection is a false positive or if the system is indeed compromised. If you are collecting logs from other sources (NIDS, firewall, anti-virus, .etc) you may be able to correlate the outbound blacklist connection with other types of activity. When trying to discriminate between a harmless false positive alerts and a compromise, keep the following in mind:

• If you have collected web proxy logs, these should contain information about the visited domain name and web URIs involved.
• If the system in question is not a desktop or user workstation, yet it is sending mail, browsing the web and doing chat, this is a good indication that you have a compromised server. One of the techniques our Security Center customers use is to create asset lists of various servers and then use these as a report or filter to analyze blacklist connections quickly.
• Even if the system is a desktop, even power users don't surf the net 24x7. Analyzing how much traffic is normally sent can show "off hours" activity from a host.
• Keep in mind the protocol you are dealing with. If you run FTP servers on your network and configure them such that the server connects to the client to transfer data, you may get a valid outbound connection on some high port. Although highly interesting (why is a blacklisted IP address talking with your FTP server) its likely not a compromise.

If you don't have access to any other corroborating logs, you can still do some interesting analysis with the original netflow or network session data. In this redacted screen shot below, we list each network session from hosts on a network that have made a connection to a known blacklist source:

Host 208.87.149.250 was listed by Arbor Networks as an attack source. At one of our monitoring sites, we saw several hosts connect to this IP address. Reading through the logs (which came from the Log Correlation Engine's network monitor agent), the first session transfered 1363 bytes, but less than a day later, a different host (perhaps the same host with a new DHCP lease which LCE could have figured if it was collecting DHCP logs) attempts two connections, both of which time out. This could indicate that the blacklisted host at the target IP has been taken offline and is no longer available. If this is the case, then that first host that was able to transfer 1363 bytes could have been infected or have received some sort of hostile communication.

Lastly, if no additional log sources are available, bringing in vulnerability, asset and configuration data can help. If the source system looks like a desktop and is not running the latest web browser patch, it may be vulnerable to a variety of client-side web exploits. If the system is a server, and it has made an outbound connection, perhaps it has been compromised. Servers generally don't  "surf" the network and if it has made such a connection either this is "normal" or it just started. If it just started, then trying to figure out when it happened and maybe why it occurred could be interesting.

Scan And Generic Activity Detection

Besides looking for compromised systems, tracking blacklist connections can be useful on many levels:

Follow On Traffic - Some SIMs and NBAD solutions can correlate blacklist connection events with various types of NIDS events. For example, the Log Correlation Engine can look for hosts that have been attacked, and then interact with a blacklisted IP address which produce logs such as:

Compromised_System_Blacklist_Connection - source host 24.3.2.1 has connected to host 77.3.43.112 on port 80 with a blacklist event of Blacklist-BleedingSnort_Botnet_Source. Within the last five minutes, the source host was targeted with 24 critical IDS attacks. This could indicate that the system has been compromised and is participating in a botnet. Time of activity was 10/03/2007 09:11:45

SPAM - If you receive a correlation with connections from a known "spammer", you should check to make sure that each of the target mail servers are indeed authorized mail servers AND they have anti-SPAM filtering in place. On the other hand, if your computers are making connections to a known SPAM source, this could indicate that you have one or more systems on your network that have been compromised and are being used to send SPAM. This could also mean that one of your users has happened to send mail to a server that was blacklisted for sending SPAM.

Large Network Scans - Although your SIM, NBAD or NIDS may detect port scans and scanning activity, correlating these events with blacklist source IP addresses can easily identify probes and potential worm infection events. If you can recognize these types of scans, including the target ports, you may be able to further analyze this and compare what the worm was probing for with known vulnerabilities on your network.

Phishing - Some blacklist sites track IP addresses that have been associated with phishing scams. If you see many users visit one of these IP addresses, it could indicate a scam that has targeted your network.

Botnet Command and Control - Some blacklist sites (such as Emerging Threats) identify IP addresses that are used to manage various types of botnets.

For More Information

This blog entry is second in a series of "Event Analysis Training" entries. The previous blog entry and several other event analysis links are listed below:

• Event Analysis Training -- Working With Emerging Threats Alerts
• Passive SPAM Traffic Analysis
• Zombies and Botnets -- Detecting Crowd Surges