Worms and viruses are cacophonous beasts that signal their intentions by spraying packets over a network in search of new machines to infect. Mirage Networks CounterPoint is an unassuming box that's particularly well suited to detecting and thwarting RPTs (rapidly progressing threats), whether they're worms, viruses or other intrusions into a corporate computer network. It differs from many intrusion detection schemes by a number of impressive features: It can completely divert an intruder's bytes into a black hole, slow conversation between intruder and network targets to a digital crawl, and even simulate a Windows XP workstation so that the traffic between the intruder and simulated workstation can be monitored for forensically useful patterns.
These activities are accomplished without the box being in the direct path of data transmission between the intruding source machine and its target; specifically, it introduces no latency into the overall network transmissions. CounterPoint also doesn't rely on a database of malevolent IP packet signatures or operating system-dependent agents running on each network device. Instead, it depends on a set of user-modifiable behavioral rules that characterize threats experienced in typical networks.
RPT monitoring is done from a real-time display that divides the network into segments of interest, such as laptops, desktops or devices in a particular building, or other user-oriented physical categories. The segments must first be set up; then CounterPoint's Main Control Panel shows the particular threats ranked according to sorting criteria of the customer's choosing. Also shown are icons for the detection rules that were used to identify the threat. For a particular threat of interest, you can go into the segments and get additional data on the traffic between different devices: what rules were broken, what actions were taken, and the recent history of the particular outbreak of traffic.
[Figure: CounterPoint's Main Control Panel. The top panel triangles quickly summarize current threats, while the Information panel lets you drill down into the details of traffic between devices.]
Logging data can be provided by a variety of mechanisms such as e-mail SMTP alerts and SNMP messages, as well as an interface to a customer-provided syslog server. This data can be fed into an application such as Lotus, Internet forensic websites around the world and other third-party analytical tools for event aggregation, archiving and post-event analysis. A customer thus knows immediately what's going on, and has supporting data to help understand the event that happened in a network segment, as well as integration into third-party analytical tools for long-term forensics and analysis.
The CounterPoint detection rules are organized from wizards rather than an explicit programming language. Out-of-the-box rules detect TCP, UDP, ICMP and SMTP mass mailers, the domain that Mirage Networks considers rapidly propagating threats. Customization allows you to exclude or include certain ports, test packet flags, and change the thresholds of packet count and rate of arrival that constitute a threat.
Emptiness Is an Asset
All of this technology is used in yet another way, what Mirage Networks calls hyper detection. Most companies have unused address space where no devices are connected to their network. The CounterPoint appliance can listen to these address spaces and respond as if machines were in residence. A hacker could be lured into believing that real machines are present, a kind of spoofing activity that could make him decidedly grumpy. The simulated machines have the personalities of the major operating systems, as well as a user-customized personality.
The CounterPoint appliance doesn't go so far as simulating a running application; rather, it confines the simulation to approximately the TCP/IP header level, delivering an authentic signature of the simulated OS but not responding to ports or services that might be available from an application. The goal? To give out enough information to confuse a hacker scanning for vulnerable systems or operating environments. You may also opt to slow down the hacker by introducing long delays in the simulation responses to gain more information about his mode of operation or impede his reconnaissance.
No Maybes About It
Because the CounterPoint appliance doesn't use a database of virus and worm signatures, the notion of false positive doesn't quite apply: False positives often turn out to be a box that the customer neglected to mention as an important generator of data, for example, another DNS server on the network.
Another apparent false positive can occur when a customer adds a new main server to the network without first updating the configuration within the CounterPoint appliance. Of course, CounterPoint detects the new server's activity, thus effectively alerting the administrators that configuration is necessary. Since one of its modes of operation is to scan unused address space, and since the number of real applications that also scan unused address space is extremely low, the likelihood of a false positive is commensurately low.
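The behavioral rule described above (a source touching unused address space at a rate and count over a threshold, with high-traffic servers excluded) as an added example in Python; this is not Mirage Networks code, and the subnet, inventory, allowlist, threshold and window are all assumed values.

```python
# Added example, not Mirage Networks code: a behavioural rule in the spirit of
# CounterPoint's unused-address-space monitoring. A source that touches more
# than THRESHOLD distinct dark addresses inside WINDOW seconds is flagged,
# regardless of packet content. Sources in ALLOWLIST (such as a DNS server that
# legitimately talks to many hosts) are ignored. Every name and value is assumed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

SUBNET = ip_network("10.0.0.0/24")
# Constructed inventory: the only addresses with a real device behind them.
LIVE_HOSTS = {ip_address(a) for a in ("10.0.0.1", "10.0.0.10", "10.0.0.20", "10.0.0.53")}
ALLOWLIST = {ip_address("10.0.0.53")}  # an excluded server, as the article suggests
THRESHOLD = 5    # distinct dark addresses
WINDOW = 10.0    # seconds


def is_dark(dst):
    """True when dst lies in the monitored subnet but no live device owns it."""
    return dst in SUBNET and dst not in LIVE_HOSTS


def detect_dark_scanners(flows, threshold=THRESHOLD, window=WINDOW):
    """flows: time-ordered (timestamp, src_ip, dst_ip) tuples.
    Returns {src_ip: first_alert_time} for every source over the threshold."""
    recent = defaultdict(list)  # src -> [(t, dst), ...] dark-space touches
    alerts = {}
    for t, src, dst in flows:
        src, dst = ip_address(src), ip_address(dst)
        if src in ALLOWLIST or str(src) in alerts or not is_dark(dst):
            continue
        # Slide the window: keep only touches from the last `window` seconds.
        hits = [(ht, hd) for ht, hd in recent[src] if t - ht <= window]
        hits.append((t, dst))
        recent[src] = hits
        if len({hd for _, hd in hits}) >= threshold:
            alerts[str(src)] = t
    return alerts


# Constructed flows: 10.0.0.10 sweeps dark space, 10.0.0.20 only talks to live hosts.
SAMPLE_FLOWS = [(0.0, "10.0.0.20", "10.0.0.1")] + [
    (0.5 * i, "10.0.0.10", f"10.0.0.{100 + i}") for i in range(8)
] + [(5.0, "10.0.0.20", "10.0.0.53")]

if __name__ == "__main__":
    print(detect_dark_scanners(SAMPLE_FLOWS))  # {'10.0.0.10': 2.0}
```

The allowlist is what keeps a chatty DNS or mail server from showing up as the article's "apparent false positive"; adding a server to the inventory is the equivalent of updating the appliance's configuration.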
Fractional packets tend to be the bane of signature-based systems because such a system's job is to reassemble the fractional packets and make some sense out of them. One way hackers try to confuse such systems is to design packet fragments that discombobulate the reassembly logic, a strategy often used for denial of service attacks. CounterPoint doesn't much care what the content of the packet is. It cares only about the packet's arrival frequency, where it's coming from, and where it's trying to go.
This agnostic attitude also makes the CounterPoint appliance usable for monitoring the newer protocols of cell phones and VOIP, or any packet style yet to be invented.
Now You See It
Surprisingly, this appliance can mitigate threats without inserting itself into the network's flow of data. When CounterPoint detects activity that indicates a device on a network is acting in a threatening manner, it can be put into a mode that harmlessly diverts the activity. This is accomplished by using the Address Resolution Protocol (ARP) to substitute the MAC address of the CounterPoint appliance for the MAC address of the receiving or targeted device.
Deciding what to do with the threatening packets comes next. A typical response would be to instantly drop those packets, thus isolating the threatening device from the rest of the network. With fine-tuning, you can choose what traffic to send on and what to completely isolate.
This all works because of what's known as a gratuitous ARP message. When a customer's device normally comes online, it sends out a made-up ARP message that says, "I am MAC address X, and I have IP address Y." When the threat is detected, this message tells all devices on the network, including the intruder, "Oh, no! IP address Y is at this new MAC address" (namely, a pseudo address of the CounterPoint appliance). Since the ARP protocol is generally stateless, these messages will be accepted by the threatening device.
For a laptop gone mad, infected and sending out malevolent packets or otherwise scanning the network, CounterPoint sends these made-up ARP messages. The scurrilous traffic generated by the laptop is summarily co-opted and snared. Any other devices on the network, such as switches or other computers, also see these made-up ARP messages and correspondingly adjust their communication until the user decides to close the decoy operation down.
The CounterPoint appliance can selectively send out the made-up MAC addresses, only to the devices to which the threat is communicating. For a massive outbreak, CounterPoint can broadcast ARP reset messages to every device on a network to ensure that the threatening device is completely isolated and can talk to no other machine. Mirage Networks has made sure that all the TCP/IP protocol stacks of the various major operating systems respond appropriately to made-up ARP messages.
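What the gratuitous ARP diversion above looks like to anyone watching the wire, as an added example in Python (not Mirage Networks code): a small ARP frame parser and an IP-to-MAC table that flags a gratuitous announcement and a change in the MAC claimed for an IP. The frames, MAC addresses and IP addresses are constructed for the demo; the same monitor would also reveal an unauthorized ARP spoofer on a segment.

```python
# Added example, not Mirage Networks code: parse raw ARP frames and maintain an
# IP -> MAC table, flagging the two things the mechanism above produces on the
# wire: a gratuitous ARP (sender IP equals target IP) and a change in the MAC
# claimed for an IP already in the table. Frames, MACs and IPs are constructed.
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2


def build_arp(sender_mac, sender_ip, target_mac, target_ip, op=ARP_REPLY):
    """Constructed Ethernet/ARP frame (IPv4 over Ethernet) for the demo."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen, plen, op
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    hexmac = lambda b: ":".join(f"{x:02x}" for x in b)
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, hexmac(frame[22:28]), dotted(frame[28:32]), hexmac(frame[32:38]), dotted(frame[38:42])


def monitor(frames):
    """Feed frames through an IP -> MAC table; return (table, events)."""
    table, events = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, smac, sip, _, tip = parsed
        if sip == tip:  # gratuitous: "I am MAC X, and I have IP Y"
            events.append(("gratuitous", sip, smac))
        if sip in table and table[sip] != smac:  # "IP Y is at this new MAC"
            events.append(("mac-changed", sip, table[sip], smac))
        table[sip] = smac
    return table, events


# Constructed sequence: a host announces itself, then a pseudo MAC claims the same IP.
DEMO = [
    build_arp("00:11:22:33:44:55", "10.0.0.20", "ff:ff:ff:ff:ff:ff", "10.0.0.20"),
    build_arp("de:ad:be:ef:00:01", "10.0.0.20", "ff:ff:ff:ff:ff:ff", "10.0.0.20"),
]
```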
Fast, Fast Relief
Installing CounterPoint in a relatively simple network might take between 30 minutes and a day, depending on the number of devices, their geographical locations and other physical considerations. Installation time also lengthens according to the number of devices excluded from CounterPoint's watchful eye, since those devices need to be specifically enumerated in the management GUI. Typical excluded devices are DNS servers, mail servers, Web servers and other boxes that have naturally high traffic levels.
A CounterPoint appliance can handle 32 separate VLANs on the typical Cisco switch, and manage, mitigate and detect independently on each VLAN. The Cisco switch is configured for SPAN (Switched Port Analyzer), which means you're telling the Cisco box to look at all of its traffic and direct a copy of the traffic of all the VLANs that the user elects to make visible to one of the Cisco ports. CounterPoint plugs into that port and may write back to it to take a mitigation or notification action as appropriate. In case a network uses older switching equipment that can't SPAN or mirror, the appliance can plug into a read/write switch port and operate in broadcast mode, with some degradation in detection but full functionality in mitigation. None of these methods requires significant network re-architecture.
Each CounterPoint appliance has four gigabit-ready ports that can attach to four stacked Cisco switches in a typical wiring closet. The appliance is flexible enough, however, to attach to various places in the network: the distribution layer, the access layer or even the core. Mirage Networks has installed CounterPoint for customers with tens of thousands of devices, as well as for small enterprises with about 400 to 500 devices. Each appliance is rated at a best-practice number of 1,000 devices to allow for traffic spikes.
Worm writers want their noxious work to spread fast; CounterPoint detects and thwarts this devilish desire.
The Rate Sheet
CounterPoint
Mirage Networks
Rating: 4 stars
Roland Racko is sometimes a voice in the wilderness, but five years down the road, everybody will be screaming in emulation of that fading echo. He may be reached at [email protected].