Heart Attack: Detecting Heartbleed Exploits in Real-Time

The OpenSSL Heartbleed vulnerability is proving to be one of the biggest vulnerabilities the security community has seen. As vendors and administrators scramble to patch their systems and users struggle to identify which sites are safe to use, attackers are taking full advantage of the flaw.

Tripwire’s VERT team has quickly deployed the most robust coverage for detecting the vulnerability through IP360, PureCloud and SecureScan. But what if we also want to monitor for the exploit and identify when it is being used against us? A combination of an IDS and Tripwire Log Center lets us do just that.

Heartbleed & Honeypot

There are several versions of the Heartbleed exploit active in the wild: some are simply used to test whether systems are vulnerable, while more robust versions are available in Metasploit and other frameworks. To watch potential exploits come through, I have left a honeypot website purposely vulnerable to the Heartbleed bug, with a script that loads fake password files and other random, seemingly juicy data into RAM.

The system runs Snort as my IDS, with the rules Snort has provided as well as a few others that are more sensitive to some of the existing tools people are using to test for the vulnerability. To test my setup I send an exploit to the server; it succeeds and is able to read data out of the system's RAM.

[Figure: Heartbleed exploit detection, showing a successful Heartbleed exploit attempt]

The exploit triggers a Snort alert, which logs the attempt and also forwards it to Tripwire Log Center.
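As an added illustration of what the IDS rules are looking for (example code, not Tripwire's or Snort's own), the following Python applies the check behind the public Heartbleed signatures to raw TLS records: a heartbeat request whose declared payload length exceeds what the record actually carries, or an abnormally large heartbeat response. The sample records and the 64-byte response threshold are constructed assumptions, not captures from the honeypot.

```python
import struct
from typing import List, Optional, Tuple

# TLS heartbeat record layout per RFC 6520:
#   content_type(1) version(2) length(2) | hb_type(1) payload_len(2) payload padding(>=16)
TLS_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16
RESPONSE_ALERT_BYTES = 64  # assumed threshold; legitimate heartbeats are tiny

def check_heartbeat_record(record: bytes) -> Optional[str]:
    """Return a reason if the record looks like an exploit attempt or a leak, else None."""
    if len(record) < 5 or record[0] != TLS_HEARTBEAT:
        return None                      # not a heartbeat record: nothing to judge
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return "truncated heartbeat record"
    hb_type, claimed = struct.unpack("!BH", body[:3])
    available = max(len(body) - 3 - MIN_PADDING, 0)  # bytes the payload can really occupy
    if hb_type == HB_REQUEST and claimed > available:
        # The Heartbleed signature: the sender claims more payload than it sent,
        # and an unpatched peer echoes the shortfall back out of its own memory.
        return f"request claims {claimed} payload bytes, only {available} present"
    if hb_type == HB_RESPONSE and rec_len > RESPONSE_ALERT_BYTES:
        return f"oversized heartbeat response of {rec_len} bytes (possible memory leak)"
    return None

def scan_records(records: List[bytes]) -> List[Tuple[int, str]]:
    """Run the check over a sequence of captured records; returns (index, reason) per hit."""
    hits = []
    for i, rec in enumerate(records):
        reason = check_heartbeat_record(rec)
        if reason:
            hits.append((i, reason))
    return hits

# Constructed sample records (not real captures):
BENIGN_REQUEST = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
EXPLOIT_PROBE = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"          # claims 16384 bytes, sends 0
LEAKED_RESPONSE = b"\x18\x03\x02\x40\x13" + b"\x02\x40\x00" + b"A" * 16384 + b"\x00" * 16

if __name__ == "__main__":
    for idx, why in scan_records([BENIGN_REQUEST, EXPLOIT_PROBE, LEAKED_RESPONSE]):
        print(f"record {idx}: ALERT {why}")
```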

[Figure: Snort detecting Heartbleed]

Tripwire Log Center provides an easy way to create correlation rules for Heartbleed related events from IDS/IPS and other systems.

[Figure: Heartbleed correlation]

I can now easily act on these alerts and correlate them with other events in my environment. Tripwire Log Center can also generate reports on these events, which makes sharing the information across the organization easy.

[Figure: Reporting on Heartbleed in TLC]

In addition to alerts and reports on the exploits launched against me, I can also execute additional scripts and functions. I can run further lookups on the IP address targeting the system: its geography, and whether it is coming from Tor, a hosting provider or a known bot. I can then correlate this with other attacks from the same origin, or group the specific exploits to identify patterns. All of this information provides additional context about the attack that will be highly relevant to any incident response team.

Intelligent Vulnerability Management

To get a better picture of the Heartbleed vulnerability in our environment, we can use the full Tripwire suite. Tripwire IP360 reports on the state of the vulnerability in your environment, while Tripwire Log Center acts as a guard dog on your network, watching in real time for indicators of Heartbleed exploits from the IDS and other systems.

If we bring the two products together, then when a Heartbleed exploit is detected targeting a host, Tripwire Log Center can look up vulnerability data on that host to better understand the risk. If the attacked system is vulnerable, you can fire off alerts to your team or activate scripts to automate remediation and countermeasures in real time.

[Figure: Tripwire suite]

In addition, there was a window before detection for the Heartbleed exploit was available. Given the nature of the vulnerability, the exploit left no trace on most systems, so how do you know whether your systems were compromised?

Tripwire Enterprise provides information on system state and can quickly tell you what has changed in your environment: if keys were compromised or an attacker gained access to the systems, Tripwire Enterprise would identify any resulting changes.


Ken Westin

Your Pundit of Paranoia