The Kitchen's Finally Burned Down: DLP Security Bakeoff

(As presented by Zach Lanier and Kelly Lum at Black Hat Asia 2016)

Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. For instance, Data Loss Prevention (DLP) solutions have often been touted as the "silver bullet" that will keep corporations from becoming the next headline. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass -- or worse.

This talk will discuss our previous and current research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves.

Zach Lanier

March 24, 2016
Transcript

  1. THE KITCHEN'S FINALLY BURNED DOWN: DLP SECURITY BAKEOFF
     BLACK HAT ASIA 2016
     ZACH LANIER & KELLY LUM
  2. AGENDA
     ▸ DLP overview
     ▸ Targets / Component breakdown
     ▸ Assessment criteria/Methodology
     ▸ Findings (by target)
     ▸ Conclusion / Q&A
  3. WHO ARE *WE*?
     ▸ Zach Lanier, Director of Research at Cylance
     ▸ Old net, web/app, mobile/embedded security research/pen test type
     ▸ Co-author, "Android Hacker's Handbook" (Wiley, April 2014)
     ▸ Kelly Lum, Security Engineer at Tumblr
     ▸ “There’s a bird. Bird. A bird.”
     ▸ Adjunct professor of Application Security at NYU
  4. WHY DLP?
     ▸ Used to be a hot-button topic
     ▸ Panacea to solve all data leakage woes
     ▸ “Keeps honest people from doing dumb things”
     ▸ Data breaches and “files falling off the back of a digital truck” spurred DLP
  5. WHY WE CHOSE TO LOOK AT DLP
     ▸ Curious about attack surface, reliability, etc.
     ▸ Like other security products, DLP agents/appliances often have high privileges or are “ideally” situated (i.e. see all the traffic, monitor/access all the things)
     ▸ Testing the “security of security products” is always interesting
     ▸ Big vendor buys small vendor, integrates then shelves them…meaning security is often overlooked

  6. PREVIOUS (NOT US) RESEARCH
     ▸ A bunch of blog posts and whitepapers by Securosis
     ▸ “Defeating DLP”, Matasano, BlackHat USA 2007
     ▸ “Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP”, Andrew Gavin, DEFCON 19
     ▸ Many others...
  7. DLP ARCHITECTURE EXAMPLE

  8. DLP ARCHITECTURE EXAMPLE

  9. DLP WORKFLOW EXAMPLE - TREND MICRO

  10. TARGETS

  11. ROUND ONE: "BIG"* VENDORS

     Vendor      | Product                           | Version | OS
     ------------|-----------------------------------|---------|-----------------------
     Trend Micro | DLP Management Appliance          | 5.6     | Linux
     Trend Micro | DLP Endpoint Agent                | 5.6     | Windows
     Sophos      | Astaro UTM Appliance              | 9.201   | Linux
     Sophos      | Enterprise Console                | 5.2.1r2 | Windows
     Sophos      | Endpoint Security                 | N/A     | Windows
     Websense    | TRITON Management Server          | 7.8.3   | Windows
     Websense    | Data Protector Endpoint Agent     | 7.8.3   | Windows, Linux, OS X
     Websense    | Data Security Protector Appliance | 7.8.3   | Linux
     OpenDLP     | OpenDLP                           | 0.5.1   | Linux

     * - and an open source product, for good measure
  12. TREND MICRO
     ▸ Windows endpoint agent - monitoring and policy enforcement on client machines
     ▸ Acts like a “legitimate” rootkit and hides itself
     ▸ Network agent - virtual appliance; monitors network traffic
     ▸ Remote crawler - for digital assets on machines not on corporate network
     ▸ Management server - Linux-based virtual appliance
  13. WEBSENSE
     ▸ TRITON management server - unified management console; Apache Coyote on Windows, backed by MSSQL DB
     ▸ Windows, OS X, Linux endpoint agents
     ▸ File and network drivers
     ▸ Can also monitor clipboard operations
     ▸ Linux-based “Protector” appliance
     ▸ Restricted “admin” shell
     ▸ Crawler agents can index/identify sensitive documents
  14. SOPHOS
     ▸ Enterprise Management Console - fat/native, Windows-based unified management console
     ▸ Whole lotta .NET…
     ▸ Sophos endpoint security - antivirus + DLP + … (Windows, OS X, Linux)
  15. OPENDLP
     ▸ Typically Linux virtual appliance
     ▸ Apache + a lot of Perl
     ▸ Windows agent
     ▸ File system crawler and document parser (PCRE-based)
     ▸ SSHFS-based crawler
     ▸ And some Metasploit modules (wtf?)
  16. ON THE UBIQUITY OF KEYVIEW…
     ▸ “kvoop” binary (“KeyView OOP”) showed up a lot
     ▸ Part of KeyView Filter SDK, used for parsing and normalizing various data and document formats
     ▸ Used in numerous DLP products, messaging servers, and "big data" platforms
     ▸ e.g. “EPClassifier” in Websense spawns kvoop processes to handle documents
  17. DISCLAIMER :(
     BECAUSE "PR" AND "LEGAL", THE VENDORS/PRODUCT NAMES (FOR OUR SECOND ROUND OF RESEARCH) HAVE BEEN CHANGED FOR THE PURPOSES OF THIS PRESENTATION
  18. ROUND TWO: NICHE/SMALL(ER) VENDORS

     Vendor  | Product                                      | OS
     --------|----------------------------------------------|----------------------
     Alpha   | Alpha DLP Management Virtual Appliance       | Linux
     Alpha   | Alpha DLP Endpoint Agent                     | Windows
     Bravo   | Bravo DLP Management Server                  | Windows
     Bravo   | Bravo DLP Endpoint Agent                     | Windows, OS X
     Charlie | Charlie DLP Management Virtual Appliance     | Linux
     Charlie | Charlie DLP Agent                            | Windows, Linux, OS X
     Dingus  | Dingus DLP Central Console Virtual Appliance | Linux
     Dingus  | Dingus Network DLP Virtual Appliance         | Linux
     Dingus  | Dingus DLP Endpoint Agent                    | Windows
  19. ALPHA DLP
     ▸ An amalgamation of everything you hate:
       ▸ Previously OSS product, closed after acquisition!
       ▸ Admin panel entirely in Flash!
       ▸ Windows agent is a horrifying Frankenstein of:
         ▸ .NET...Java....and Erlang.
       ▸ Uses Action Message Format for communications!
       ▸ Backend: Apache + Jetty + MySQL
  20. BRAVO DLP
     ▸ Windows-based management console (MMC snap-in)
       ▸ MS SQL DB backend
     ▸ Windows-based content monitoring server (separate service from management console)
     ▸ Windows endpoint agent
       ▸ All sorts of drivers (NDIS, TDI, FS, etc.) and hooks
     ▸ OS X endpoint agent
       ▸ Similar to Windows agent, but with less support for certain operations
       ▸ Tons of open source / free libs
       ▸ Boost, FreeDCE, etc.
  21. CHARLIE DLP
     ▸ Linux (Ubuntu) virtual appliance
     ▸ Windows endpoint agent
       ▸ File monitor / scanner service
       ▸ Clipboard monitor
       ▸ Net traffic / URL monitoring
     ▸ Linux endpoint agent (Ubuntu/Debian)
       ▸ File monitor / scanner daemon
       ▸ GNOME / KDE notification tray thing
     ▸ OS X endpoint agent
       ▸ Didn't really evaluate this
       ▸ Also does a bunch of MDM-type stuff, but didn't look at this
  22. DINGUS DLP (WHICH IS A TOTALLY HYPOTHETICAL VENDOR/PRODUCT)
     ▸ Linux (CentOS) virtual appliance (management)
     ▸ Dingus Network DLP Appliance
       ▸ Linux (CentOS) virtual appliance
       ▸ In-line, tap/SPAN, etc. to monitor (or proxy) traffic
     ▸ Windows endpoint agent
       ▸ Usual rigamarole - monitor clipboard, filesystem, network traffic/URLs, etc.
  23. ASSESSMENT CRITERIA/ METHODOLOGY

  24. METHODOLOGY

     Target            | Component                        | Test(s)
     ------------------|----------------------------------|-------------------------------------------------------
     Network Appliance | Parsers (docs and configuration) | Invalid/mangled files
     Network Appliance | Update/Deployment mechanism      | Protocol analysis; crypto/signing
     Network Appliance | Operating System                 | Configuration auditing; hardening practices
     Endpoints/Agents  | Parsers (docs and configuration) | Invalid/mangled files
     Endpoints/Agents  | Update/Deployment mechanism      | Protocol analysis; crypto/signing
     Endpoints/Agents  | Drivers and Services             | Hardening practices/config; fuzzing (i.e. IOCTLs, network, etc.)
     Management Server | Web Server/Web App               | OWASP Top 10 type stuff
     Management Server | Database                         | Configuration auditing; sensitive data storage
     Management Server | Operating System                 | Configuration auditing; hardening practices
  25. FINDINGS

  26. GENERAL OBSERVATIONS
     ▸ Little to no hardening on (Linux) appliances
     ▸ Many services run as root
     ▸ Lack of exploit mitigations (beyond intrinsic/baseline OS mitigations)
     ▸ Highly privileged endpoint agent software out of the box (root, LOCALSYSTEM)
     ▸ General absence of security best practices
     ▸ Comms encryption, webappsec101, etc.
     ▸ Occasional bug inheritance
       ▸ Outdated JREs, FreeDCE, etc.
  27. FINDINGS - TREND MICRO

  28. TREND MICRO - XSS

  29. TREND MICRO - CSRF

  30. TREND MICRO - PLAINTEXT CRAWLER COMMS

  31. FINDINGS - SOPHOS

  32. SOPHOS MANAGER/ENDPOINT: WHAT WE DIDN’T FIND
     ▸ Majority of code implemented in .NET
     ▸ Utilizes most of the MS core libraries, which means:
       ▸ DB best practices
       ▸ Contextualized Input/Output
       ▸ Standardized Encryption Libraries
  33. SOPHOS/ASTARO UTM: NOT A WHOLE LOT…
     ▸ Most services chroot’ed (eh…), drop privs
     ▸ Web app fairly clean (just a few really low impact “issues”)
     ▸ Tight network- and login-access control restrictions
  34. FINDINGS - OPENDLP

  35. OPENDLP - CSRF

  36. FINDINGS - WEBSENSE

  37. ON WEBSENSE POLICIES...
     ▸ Websense DLP policy objects include keywords, regexes, etc.
     ▸ Regex entries are actually Python pickled objects
     ▸ TRITON management server encrypts, bundles policies/files, pushes to agents and appliances
  38. WEBSENSE PROTECTOR & ENDPOINT - CODE EXEC
     Say a local admin on TRITON server replaces “.pic” file with custom pickled objects…
     (Screenshot: our awful pickle POC, after overwriting a “legitimate” policy file)
     (Screenshot: reverse shell from Protector after policy update)
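The root cause on this slide is that the consumer of the policy bundle calls a general-purpose unpickler, which will import and invoke whatever the stream names. The following is an added example, not code from the talk or from any vendor: a policy loader that overrides `Unpickler.find_class` to refuse every global lookup, then checks that the result is nothing but plain dicts, lists and scalars. The sample policy structure (`SAMPLE_POLICY`) and the stream names are constructed for the demonstration; the real `.pic` layout is not on the page.

```python
import io
import pickle

# Constructed sample of what a keyword/regex policy entry would carry.
# Nothing in here requires the unpickler to import or call anything.
SAMPLE_POLICY = {
    "name": "pci-pan",
    "regexes": [r"\b\d{4}(?:[ -]?\d{4}){3}\b"],
    "keywords": ["cardholder", "CVV"],
}

# The only types a data-only policy is allowed to contain.
ALLOWED_TYPES = (dict, list, tuple, str, bytes, int, float, bool, type(None))


class PolicyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL / STACK_GLOBAL lookup.

    pickle.loads() resolves and calls any callable the stream names, which is
    exactly how a swapped-in policy file turns into code execution on the
    agent or appliance. A policy made of dicts, lists and strings never needs
    that capability, so any attempt to resolve a global is treated as
    tampering and the load is aborted before anything is instantiated.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"policy stream tried to resolve {module}.{name}; refusing"
        )


def _check_shape(obj, depth=0):
    """Second line of defence: reject anything that is not plain data."""
    if depth > 32 or not isinstance(obj, ALLOWED_TYPES):
        raise ValueError(f"unexpected {type(obj).__name__} in policy data")
    if isinstance(obj, dict):
        for key, value in obj.items():
            _check_shape(key, depth + 1)
            _check_shape(value, depth + 1)
    elif isinstance(obj, (list, tuple)):
        for item in obj:
            _check_shape(item, depth + 1)


def load_policy(data: bytes):
    """Load a pickled policy, allowing only plain data structures."""
    obj = PolicyUnpickler(io.BytesIO(data)).load()
    _check_shape(obj)
    return obj


def policy_stream_is_safe(data: bytes) -> bool:
    """True when the stream loads under the restricted unpickler."""
    try:
        load_policy(data)
        return True
    except (pickle.UnpicklingError, ValueError):
        return False


# Constructed streams for the demonstration.
GOOD_STREAM = pickle.dumps(SAMPLE_POLICY)
# This stream only references a harmless builtin, but it uses the same
# GLOBAL mechanism a hostile policy file would rely on, so it must be refused.
GLOBAL_STREAM = pickle.dumps(len)

if __name__ == "__main__":
    print("benign policy loads:", policy_stream_is_safe(GOOD_STREAM))
    print("stream with a global loads:", policy_stream_is_safe(GLOBAL_STREAM))
```

Restricting `find_class` is the standard mitigation when a pickle format cannot be replaced outright; the longer-term fix is a data-only serialization (JSON, for instance) plus a signature on the bundle that the agent verifies before parsing, so that a file swapped on the management server also fails the integrity check on the endpoint.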
  39. FINDINGS - ALPHA DLP

  40. ALPHA DLP - SERVER/ADMIN FINDINGS
     ▸ The Good:
       ▸ No CSRF
       ▸ No obvious XSF
       ▸ Proper use of Hibernate - no SQLi
     ▸ The Bad:
       ▸ No authentication on MySQL database
       ▸ User hashes are not salted
       ▸ Frequent crashes
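"User hashes are not salted" is easy to state and easy to audit for: with no per-user salt, two accounts with the same password store the identical hash, and one precomputed table cracks the whole database. The block below is an added example (not code from the talk or the vendor) that contrasts a bare SHA-256 with a salted, iterated PBKDF2-HMAC hash in the format `pbkdf2_sha256$iterations$salt$hash`, and includes a small audit helper that finds colliding hashes in a user table. The user names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: cheap for one login, expensive for offline guessing. Kept
# modest here so the demonstration runs quickly; raise it in production.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """What 'user hashes are not salted' means: a bare hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash; the random salt is stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_users(table: dict) -> list:
    """Audit helper: groups of users whose stored hashes are identical.

    Identical hashes can only occur when no per-user salt is in use (or the
    salt is reused), so a non-empty result is a finding in itself.
    """
    by_hash = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Constructed users; alice and bob happen to share a password.
CONSTRUCTED_USERS = {
    "alice": "Winter2016!",
    "bob": "Winter2016!",
    "carol": "correct horse battery staple",
}
UNSALTED_TABLE = {u: unsalted_hash(p) for u, p in CONSTRUCTED_USERS.items()}
SALTED_TABLE = {u: hash_password(p) for u, p in CONSTRUCTED_USERS.items()}

if __name__ == "__main__":
    print("unsalted collisions:", duplicate_hash_users(UNSALTED_TABLE))
    print("salted collisions:  ", duplicate_hash_users(SALTED_TABLE))
    print("alice verifies:", verify_password("Winter2016!", SALTED_TABLE["alice"]))
```

Combined with the unauthenticated MySQL database on the same slide, unsalted hashes mean that anyone who can reach the database port can read the credential table and crack it offline with a single precomputed table.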
  41. ALPHA DLP - AGENT FINDINGS
     ▸ Heavy use of marshalling between Java and Erlang
     ▸ Potential heap corruption?
     ▸ Packaged an oooooold JRE
     ▸ Path manipulation in accessing Erlang rules
     ▸ No assembly signing on .NET assemblies… #waitforit
  42. ALPHA DLP - AGENT MODIFICATION

  43. FINDINGS - BRAVO DLP

  44. BRAVO DLP
     ▸ Probably the most complex/sophisticated of all the ones we analyzed
     ▸ Also the one we most heavily reversed
     ▸ tl;dr - Spent too much time, found very little, got lazy, moved on
     ▸ Use of DCERPC for agent<->server comms is...good?
       ▸ Benefit from NTLMSSP and "packet privacy" (encrypted)
       ▸ Except for OS X agent, which is all plaintext comms
  45. FINDINGS - CHARLIE DLP

  46. CHARLIE DLP - MANAGEMENT SERVER
     ▸ No anti-CSRF tokens
     ▸ Pretty much all operations are done REST-fully
     ▸ Example: CSRF an admin, delete policy by ID
  47. CHARLIE DLP - MANAGEMENT SERVER
     ▸ Unauthenticated registration of new (or arbitrary) endpoint agents via SOAP API
     ▸ Also injecting CDATA with JS rendered in admin console
     (Screenshot: super amazing JS alert() skillz)
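Slides 46 and 47 describe three controls the management server lacks: an anti-CSRF token on state-changing REST calls, authentication on agent registration, and output encoding of agent-supplied data in the console. CSRF also recurs in the Trend Micro, OpenDLP and Dingus findings. The block below is an added example, not code from the talk or from any of the vendors, showing one way to implement all three in a framework-independent form: a session-bound HMAC token plus an Origin/Referer check gating a "delete policy by ID" handler, a single-use enrollment token required to register an agent, and HTML escaping at render time. The console origin `https://dlp-console.example.internal`, the header names and the session IDs are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import html
import os
import secrets
from urllib.parse import urlparse

# Per-deployment secret used to derive session-bound CSRF tokens (constructed).
SERVER_KEY = os.urandom(32)
# The origin the admin console is served from (hypothetical hostname).
ALLOWED_ORIGINS = {"https://dlp-console.example.internal"}


def csrf_token(session_id: str) -> str:
    """Token derived from the session ID; a cross-site page cannot compute it."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Browsers send Origin (or at least Referer) on cross-site requests.

    A missing header is refused rather than trusted: a same-site console page
    always supplies one, and proxies that strip Referer still keep Origin.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" in ALLOWED_ORIGINS


def authorize_state_change(headers: dict, session_id: str) -> str:
    """Return 'ok' or the reason the request was refused."""
    if not origin_allowed(headers):
        return "origin not allowed"
    presented = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(presented, csrf_token(session_id)):
        return "missing or wrong CSRF token"
    return "ok"


def delete_policy(policies: dict, policy_id: str, headers: dict, session_id: str) -> str:
    """The REST 'delete policy by ID' operation, gated on the checks above."""
    verdict = authorize_state_change(headers, session_id)
    if verdict == "ok":
        policies.pop(policy_id, None)
    return verdict


def issue_enrollment_token(pending: dict, hostname: str) -> str:
    """Provisioned out of band (by an admin) before an agent may register."""
    token = secrets.token_urlsafe(24)
    pending[hostname] = token
    return token


def register_agent(registry: dict, pending: dict, hostname: str, token: str) -> bool:
    """SOAP/REST registration handler: refuse without a matching, unused token."""
    expected = pending.get(hostname)
    if expected is None or not hmac.compare_digest(token, expected):
        return False
    del pending[hostname]            # single use
    registry[hostname] = {"status": "registered"}
    return True


def render_agent_row(hostname: str) -> str:
    """Escape agent-supplied text at render time so CDATA payloads stay inert."""
    return f"<td>{html.escape(hostname, quote=True)}</td>"
```

The token is stateless (an HMAC over the session ID), so it needs no server-side table and cannot be forged without `SERVER_KEY`; the Origin check is a cheap second layer that also catches requests from clients that never received a token.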
  48. FINDINGS - DINGUS DLP

  49. ADDITIONAL DISCLAIMER :(
     BECAUSE "PR" AND "LEGAL", THE FOLLOWING VENDOR, DESPITE BEING REDACTED, SHOULD BE CONSIDERED *TOTALLY HYPOTHETICAL* (ALSO, WE HAND DREW SOME SCREENSHOTS BECAUSE, AGAIN, *TOTALLY HYPOTHETICAL*)
  50. DINGUS - NETWORK DLP APPLIANCE
     ▸ Support account that's TOTALLY not a backdoor
       ▸ Reverse SSHes to some Eastern European-based SSH proxy
       ▸ Same (non-password protected) DSA key across every appliance
       ▸ Allows "support" to log in as root on appliance
       ▸ Invoked from web UI
       ▸ Combined with CSRF = reverse tunnel wherever
  51. DINGUS - NETWORK DLP APPLIANCE
     CSRF + command injection
     (Screenshot: note the semicolon)
  52. DINGUS - NETWORK DLP APPLIANCE CSRF + command injection

  53. DINGUS - NETWORK DLP APPLIANCE
     Numerous whitelisted (NOPASSWD) sudoers entries for apache
     (Screenshot: arbitrary package installation, anyone?)
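Slides 51 to 53 chain two appliance defects: a web handler that pastes user input into a shell command line (the semicolon), and a sudoers file that lets the web server account run commands as root without a password. The block below is an added example, not code from the talk or the vendor, showing the defensive side of both: building the command as an argv list with no shell after strict validation, next to the string-concatenation pattern it replaces, and an audit function that flags NOPASSWD sudoers entries granted to service accounts. The sample sudoers lines are constructed and the severity tiers are this example's own choice.

```python
import os
import re
import subprocess

# Hostname / IPv4 literal: alphanumerics, dots and hyphens only, no leading hyphen.
TARGET_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_command_unsafe(host: str) -> str:
    """The pattern behind 'note the semicolon': input pasted into a shell string."""
    return f"ping -c 1 {host}"


def target_is_valid(host: str) -> bool:
    return TARGET_RE.match(host) is not None


def build_command(host: str) -> list:
    """Validate first, then pass argv directly: with no shell in the path,
    ';', '|', '$(' and friends are just characters in one argument."""
    if not target_is_valid(host):
        raise ValueError(f"rejected target {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """How the web handler would invoke it (list form, shell=False by default)."""
    return subprocess.run(build_command(host), capture_output=True, text=True, check=False)


# Accounts that should never hold passwordless root: anything reachable from
# a network-facing service. Extend for the appliance in question.
SERVICE_ACCOUNTS = {"apache", "www-data", "nginx", "postgres", "tomcat"}
PACKAGE_MANAGERS = {"yum", "dnf", "apt", "apt-get", "rpm", "dpkg", "pip"}
SUDOERS_RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def _severity(commands: str) -> str:
    """'ALL', a shell or a package manager as root is a full compromise path."""
    for spec in commands.split(","):
        spec = spec.strip()
        if spec == "ALL":
            return "critical"
        if spec and os.path.basename(spec.split()[0]) in PACKAGE_MANAGERS | {"sh", "bash"}:
            return "critical"
    return "high"


def audit_sudoers(lines) -> list:
    """(line number, user, severity, command spec) for passwordless service-account rules."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        match = SUDOERS_RULE.match(line)
        if not match:
            continue
        user, _host, _runas, cmds = match.groups()
        if "NOPASSWD" not in cmds or user.lstrip("%") not in SERVICE_ACCOUNTS:
            continue
        commands = re.sub(r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV)\s*:\s*", "", cmds).strip()
        findings.append((number, user, _severity(commands), commands))
    return findings


# Constructed sample sudoers; not taken from any real appliance.
SAMPLE_SUDOERS = """
# constructed sample
Defaults    requiretty
root     ALL=(ALL)   ALL
%wheel   ALL=(ALL)   ALL
apache   ALL=(root)  NOPASSWD: /usr/bin/yum
apache   ALL=(root)  NOPASSWD: /sbin/service httpd restart
postgres ALL=(root)  NOPASSWD: ALL
backup   ALL=(root)  /usr/bin/rsync
""".strip().splitlines()

if __name__ == "__main__":
    print(build_command_unsafe("10.0.0.5; extra"))
    print(build_command("10.0.0.5"))
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run the audit over `/etc/sudoers` and `/etc/sudoers.d/*` (the same parser handles both) as part of appliance hardening checks; any entry the web server account can reach without a password deserves the same scrutiny as a root shell.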
  54. DINGUS DLP - CENTRAL CONSOLE
     ▸ Unauthenticated DB management script
       ▸ Clear DB, rebuild, update, etc.
  55. DINGUS - NETWORK DLP/CENTRAL CONSOLE
     ▸ Synchronization channel is just straight up plaintext PostgreSQL comms...with simple auth
       ▸ Just username + DB name (HYPOTHETICAL example: appliance:appliance)
     ▸ Pushes ACLs and rules down to appliance from Console
     (Yes, that is a hand drawn Wireshark “screenshot”)
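A username plus database name and nothing else is what PostgreSQL's `trust` authentication method looks like on the wire, and plain `host` entries allow the connection with or without TLS. Both are decided by `pg_hba.conf`, so the console/appliance sync described on this slide can be caught by a configuration audit. The block below is an added example, not code from the talk or the vendor: a small `pg_hba.conf` checker that flags `trust`, cleartext `password`, non-`hostssl` entries and any-address ranges, run over constructed lines that include both the weak entry and its corrected `hostssl ... scram-sha-256` form. The `appliance` user and database names follow the slide's hypothetical example.

```python
# Constructed pg_hba.conf lines; line 3 models the slide's sync channel and
# line 5 is the corrected form of the same entry.
SAMPLE_PG_HBA = """
# TYPE  DATABASE   USER       ADDRESS          METHOD
local   all        postgres                    peer
host    appliance  appliance  0.0.0.0/0        trust
host    appliance  appliance  10.10.0.0/16     password
hostssl appliance  appliance  10.10.0.0/16     scram-sha-256
""".strip().splitlines()

WEAK_METHODS = {
    "trust": "trust",                 # no credential checked at all
    "password": "cleartext-password", # password crosses the wire in clear
}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all", "samenet"}


def parse_hba_line(raw: str):
    """Return (type, database, user, address, method) or None for blank/comment lines."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if fields[0] == "local":
        # local lines have no ADDRESS column
        if len(fields) < 4:
            return None
        return fields[0], fields[1], fields[2], None, fields[3]
    if len(fields) < 5:
        return None
    return fields[0], fields[1], fields[2], fields[3], fields[4]


def issues_for_entry(entry) -> set:
    """Codes describing why an entry is weak; empty set when it is acceptable."""
    kind, _db, _user, address, method = entry
    issues = set()
    if method in WEAK_METHODS:
        issues.add(WEAK_METHODS[method])
    if kind in ("host", "hostnossl"):
        # 'host' accepts both TLS and non-TLS sessions; only hostssl enforces TLS.
        issues.add("no-tls")
    if address in ANY_ADDRESS:
        issues.add("any-address")
    return issues


def issues_by_line(lines) -> dict:
    """Map 1-based line number to the set of issue codes found on that line."""
    report = {}
    for number, raw in enumerate(lines, 1):
        entry = parse_hba_line(raw)
        if entry is None:
            continue
        issues = issues_for_entry(entry)
        if issues:
            report[number] = issues
    return report


if __name__ == "__main__":
    for number, issues in sorted(issues_by_line(SAMPLE_PG_HBA).items()):
        print(f"line {number}: {', '.join(sorted(issues))} -> {SAMPLE_PG_HBA[number - 1]}")
```

Pair the `hostssl` + `scram-sha-256` entry with `ssl = on` and a pinned server certificate (`sslmode=verify-full` on the appliance side) so that the pushed ACLs and rules are both authenticated and confidential in transit; `password` is no better than `trust` against anyone who can capture the sync traffic, since the credential is visible in the same capture.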
  56. A NOTE ON DLP BYPASSES

  57. EVASION IS INEVITABLE
     ▸ Unsupported or obscure file formats, protocols, or unexpected network behavior
       ▸ Think: fragment/datagram reassembly ordering
     ▸ Obfuscated or encrypted files
       ▸ Steganography, anyone?
     ▸ How many of your users have elevated (admin, sudo/root) privileges?
       ▸ e.g. disable endpoint agents
  58. BLACK HAT ASIA TAKEAWAYS
     ▸ Defenses add weaknesses
       ▸ "Caveat emptor"
       ▸ Every new piece of infrastructure is additional attack surface
     ▸ Security companies should know better
       ▸ If a scanner can find it, what’s your excuse?
     ▸ Know what/who you’re defending against
       ▸ An advanced insider probably has own abilities
  59. QUESTIONS?
     george.sims@jukt-micronics.com @aloria
     zach@n0where.org @quine