myNetWatchman is a service that automatically aggregates
the firewall logs from a very large number of computers, analyzes
these logs for evidence of hacker or worm attacks, and notifies
the ISPs where attacks are coming from. As such, it provides
a vital level of internetwork security.
I've Been Attacked. Now What?
Not long ago many Fortune 500 companies shunned Internet
connectivity because it was "insecure". Despite
this emphatic position, few could ever explain what exactly
was "insecure" about it. I assumed it was exposure
to the hordes of sophisticated (and not so sophisticated)
hackers bent on breaking into systems. The reality is that
few attacks are launched directly from a hacker's system since
they know they would be easily caught using standard backtracing
methods.
The primary issue is not that hackers troll the Internet,
but rather that the Internet is chock full of insecure systems
which are easily (or already!) compromised, providing means
for hackers to perform untraceable, indirect attacks.
The only profound way to improve Internet security is to:
- Reduce the number of compromised hosts
- Minimize the amount of time that a system remains in a
compromised state
Basically, in order to protect ourselves, we need to ensure
that others are protected. When we discover that someone is
obviously exposed, we should let them know and guide them
to the information they need to get protected.
Every time your firewall or intrusion detection system logs
an event, don't assume the source is the actual hacker. Think
of it as a cry for help from a likely victim whose system
has been compromised and is just being controlled by
a hacker. It's easy to ignore attacks because they don't present
an immediate threat--after all, we have a firewall. However,
every compromised system is a real and immediate threat to
the underlying Internet infrastructure since these systems
could be used to attack others and/or to launch distributed
denial-of-service attacks (DDoS), potentially incapacitating
large portions of the Internet.
We've already seen examples of how DDoS attacks can impact
our ability to use the Internet as evidenced by the Ebay,
CNN, and Yahoo attacks that occurred in 2000. These are not
isolated incidents; we only hear about the most sensational
ones.
In light of these threats, I strongly believe that ALL attack
events should be relentlessly pursued. However, to realistically
achieve this goal, three major challenges must be overcome:
- Minimize effort required to report events.
Backtracing attack events to their source and emailing the
responsible party is extremely labor intensive. Many ISPs
have their own reporting preferences that aren't immediately
obvious. Tracking down foreign sources (e.g. Korea, Taiwan,
China, etc...) is even more challenging due to the frequent
lack of backtrace data (e.g. DNS, Whois, etc.).
- Avoid false reports. Personal firewalls
are essential; however, they are notorious for generating
"attacks" that are completely bogus. ISP abuse
departments are already overwhelmed with SPAM complaints.
The last thing we need to do is flood them with port scan
complaints that aren't real or aren't serious enough to
warrant escalation. Ideally, we need to focus on attacks
that clearly indicate a compromised host, or a hacker who
is doing very broad port scans over hundreds, thousands
or even millions of addresses.
The problem is that a single firewall log doesn't provide enough
perspective to differentiate between false and real attacks,
and it can never indicate the breadth of the attack.
- Provide an aggregated attack report to the responsible
party. Depending on the type of attack, an ISP
or system owner often needs supporting evidence from multiple
sources before action is warranted. However, even if many
people report the same source IP address, the responsible
party may lack the tools to correlate this information and
recognize a pattern. Ideally we need to combine multiple
evidence sources into a single incident e-mail escalation.
This minimizes the number of individual email reports and
enables immediate action by the recipient.
Our Solution
myNetWatchman overcomes these challenges by leveraging a
cooperative network of agents, as follows:

Internet users (such as yourself) use myNetWatchman software
(or the WebAgent browser form) to forward firewall log records
to the myNetWatchman server. The server aggregates the data,
backtraces the activity to its source, filters false alarms,
and automatically sends escalation e-mails to the responsible
party. The server also gathers response e-mails from the responsible
party allowing you to monitor the progress of each incident.
Very often the responsible party is alerted within 1-3 minutes
of when you report an event.
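As an added illustration of the aggregation and false-alarm-filtering steps described in the three challenges above and in this section (example code written for this page, not myNetWatchman's own software; the log line format, agent names, addresses and the three-agent threshold are assumed), the following correlator groups records from many agents by source address, escalates only sources corroborated by several independent agents, and emits one consolidated summary per source:

```python
import re
from collections import defaultdict

# Constructed sample of firewall log records forwarded by several agents.
# The line format is assumed for this example: agent src_ip -> dst_ip:port/proto
SAMPLE_LOG = """\
agent01 203.0.113.5 -> 198.51.100.10:111/tcp
agent02 203.0.113.5 -> 198.51.100.22:111/tcp
agent03 203.0.113.5 -> 198.51.100.37:111/tcp
agent04 203.0.113.5 -> 198.51.100.41:111/tcp
agent01 192.0.2.77 -> 198.51.100.10:53/udp
agent02 192.0.2.200 -> 198.51.100.22:80/tcp
agent02 192.0.2.200 -> 198.51.100.22:443/tcp
"""

LINE_RE = re.compile(r"(\S+) (\S+) -> (\S+):(\d+)/(tcp|udp)")

def parse(log):
    """Yield (agent, src, dst, port, proto) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            agent, src, dst, port, proto = m.groups()
            yield agent, src, dst, int(port), proto

def correlate(records, min_agents=3):
    """Group events by source IP; escalate only sources that several
    independent agents saw, the corroboration a single log cannot give."""
    by_src = defaultdict(lambda: {"agents": set(), "targets": set(), "ports": set()})
    for agent, src, dst, port, proto in records:
        ev = by_src[src]
        ev["agents"].add(agent)
        ev["targets"].add(dst)
        ev["ports"].add(f"{port}/{proto}")
    return {src: {"agents": len(ev["agents"]),
                  "targets": len(ev["targets"]),
                  "ports": sorted(ev["ports"]),
                  "escalate": len(ev["agents"]) >= min_agents}
            for src, ev in by_src.items()}

def escalation_summary(src, incident):
    """One consolidated message per source instead of one mail per reporter."""
    return (f"Source {src}: {incident['agents']} agents reported probes of "
            f"{incident['targets']} hosts on {', '.join(incident['ports'])}")

if __name__ == "__main__":
    for src, inc in correlate(parse(SAMPLE_LOG)).items():
        if inc["escalate"]:
            print(escalation_summary(src, inc))
```

Only the source seen by four different agents is escalated; the single-agent hits, which could just as easily be legitimate replies, stay below the threshold.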
myNetWatchman is a free service (to individuals) which we will
ultimately fund through subscription services to ISPs, corporations
and other organizations. Here is a breakdown of the features:
- Automated attack reporting: Our automated agent software sends your
attack data to our server with zero effort.
- Comprehensive backtracing: We perform all backtracing for you. No
more waiting on WHOIS servers or sending e-mails to addresses that
bounce.
- False alarm filtering: With over 500 active agents sending real-time
log records to the myNetWatchman server, we have a unique perspective
on what is a real attack and what is likely a false positive.
- Incident aggregation/escalation: We aggregate attack data from all
agents and send a single, consolidated escalation to the responsible
party--you don't have to lift a finger AND we reduce the volume of
individual messages going to the service providers overloaded with
SPAM complaints.
- Incident tracking: Your personal status page shows you the escalation
status of all incidents for which you provided supporting evidence.
You can see log detail submitted by other agents, and the full detail
of all email exchanges with the responsible party.
- Reports/Statistics: We provide global reports that track top attack
ports, port targets growing in popularity, suspected new trojan ports,
attack sources by top-level domain, etc.
- NetKB Knowledgebase: Incident details provide port-by-port hotlinks
to NetKB content detailing registered services that use that port,
known vulnerabilities, known trojans, and/or security advisories.
Here are several reports that demonstrate myNetWatchman results:
- Closed Incidents: Our escalation e-mails get results. Note the
"response" codes "Customer Warned" and "Customer Terminated". More
importantly, note "Compromised Host Cleaned"...these are systems that
were hacked and then used to port scan...our agents picked it up and
we sent prompt alerts. Drill down into these incidents to see typical
"thank yous" we get.
- Personal Attack Report: Shows you the attacks you've reported in the
last 24 hours, the number of other agents that have reported the same
attacker, the escalation status, and response status.
- Example Incident Report: When you drill down into a specific
incident, this is an example of what you'll see. Your attack data is
analyzed and linked to the issue associated with the port and protocol
you reported (Sun Remote Procedure Call (RPC), in this case). Links to
NetworkICE's advICE and the myNetWatchman knowledgebase (netKB) are
provided. Drill down on these to learn about the vulnerabilities
associated with this port and to find links to related security
advisories. Drill down into Incident Activity to see the detailed
e-mail exchanges with the responsible party.
- Top Port Targets: With TCP and UDP alone there are over 125,000
possible ports that attackers could target...learning about all of
them would take a lifetime. This report shows you the popular targets
(using real attack data) so you can focus your energies on the ports
that hackers are actually targeting. Drill down on the port number to
see specific incidents using this port. Drill down on "More Info" to
learn about this port, known vulnerabilities, and how to protect
yourself.
Become a myNetWatchman Agent