
SANS ISC InfoSec Forums


Survival Time on the Internet

I have been asked by many people if I really believed the survival time graph on the ISC site was truly an accurate representation of how long a new system had once it was connected. The answer to this is yes for most home users and systems that are internet facing. It can be longer depending on the system, what sits in front of it and what it is used for. The survival time is currently around 4 minutes for unpatched systems. That is not much time at all, and the window has shrunk over the past couple of years. If you want to do your own experiment by placing a sacrificial system out there, it's really a fun thing to do! Don't patch the system and see how long it takes before it receives its first probes and actually becomes compromised. Just make sure you monitor it and it's not used against others. If you really want to do this, I'd advise checking out the Honeynet Project.

The battle, in my experience, is waged between the admins and management, who want to get the system up and working, and security, who are saying not until it's been patched and its security posture confirmed. More than once, I've dealt with a compromise of a system that was placed on the network before it was hardened. I got the same answer every time: "We needed it working ASAP". However, more time was spent playing cleanup from it than if it had just been done right the first time.

What I'm really curious about are any experiences that you have had with survival time on the internet that you can share. Please feel free to sanitize them as necessary and let us know if they can be posted. What was placed on the network and why? What was the impact, if any, to other systems? How long was the system out there before it was compromised? Also, if you have been able to use the survival time graph as a method of showing why it's important to properly secure a system first, please let us know that too.

Lorna

165 Posts
ISC Handler
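The experiment Lorna describes comes down to measuring the gap between the moment a host is exposed and the first inbound probe it receives. The following is an added example, not code from the ISC diary or the Honeynet Project, showing how a defender can compute that figure from a packet filter's log. It assumes iptables-style log lines (the sample lines are constructed with documentation addresses, not real captures) and a known exposure timestamp; it also reports which ports drew the probes, which is the data you would want when arguing for hardening before connection.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of iptables-style log lines from a packet filter in front of
# a freshly exposed host at 203.0.113.5 (invented for this example; not real data).
# The first line predates exposure: scans hit the address before the host was there.
SAMPLE_LOG = """\
2009-03-15T09:58:30 kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=TCP SPT=4010 DPT=22 SYN
2009-03-15T10:01:12 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=3121 DPT=445 SYN
2009-03-15T10:03:57 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=2044 DPT=135 SYN
2009-03-15T10:04:02 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=2045 DPT=139 SYN
2009-03-15T10:04:40 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=3122 DPT=445 SYN
2009-03-15T10:09:15 kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=1434 DPT=1434
"""

# Assumed exposure time: when the sacrificial host was plugged in behind the filter.
EXPOSED_AT = datetime(2009, 3, 15, 10, 0, 0)

# Matches the fields we need from one inbound-packet log record.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) kernel: IN=(?P<iface>\S+) OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_probes(lines):
    """Yield (timestamp, source, protocol, destination port) for each logged inbound packet."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet-filter record; ignore
        yield datetime.fromisoformat(m["ts"]), m["src"], m["proto"], int(m["dpt"])


def survival_time(lines, exposed_at):
    """Seconds from exposure to the first inbound probe, or None if no probe was logged."""
    first = min((ts for ts, *_ in parse_probes(lines) if ts >= exposed_at), default=None)
    return None if first is None else (first - exposed_at).total_seconds()


def probe_summary(lines, exposed_at):
    """Probe count per (protocol, port) and the set of distinct sources, post-exposure only."""
    ports, sources = Counter(), set()
    for ts, src, proto, dpt in parse_probes(lines):
        if ts < exposed_at:
            continue  # traffic before the host existed is not part of its survival time
        ports[(proto, dpt)] += 1
        sources.add(src)
    return ports, sources


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("time to first probe (s):", survival_time(lines, EXPOSED_AT))
    ports, sources = probe_summary(lines, EXPOSED_AT)
    for (proto, port), n in ports.most_common():
        print(f"  {proto}/{port}: {n} probe(s)")
    print("distinct sources:", len(sources))
```

Feed it the real filter log of a monitored, isolated test host and the output is the per-host survival figure Lorna asks readers to report; the pre-exposure line in the sample shows why the exposure timestamp has to be supplied rather than taken from the first log entry.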
Aren't most of the probes for listening ports? I've noticed that my NetGear router does not open *any* ports by default, which means any Windows device using this router is automatically behind a decent firewall unless they go in and open up some ports. If this is true, how does that affect someone in terms of being able to patch Windows in time? [I can't check -- all Linux here for quite some time ;-)]
Anonymous
One thing that Thorsten's otherwise well written piece omits, which is glaring, is that many of those "unsuccessful" attacks may be for unknown vulnerabilities, which the honeypot does not emulate. As for the "I'm NATed, so I'm safe" response (which we hear a lot), it totally fails to address any DNS or IP level hijack, drive-by, or iFrame.
While these do require that you actually go somewhere other than Windows Update, some of those places have been quite common (Dolphin Stadium, for example).
Last, but by no means least, most users only run Windows Update, instead of Microsoft Update and all the updaters for their third party apps (Adobe and QuickTime/iTunes being recent attack vectors), so Office and other stuff remains vulnerable, even if the system is patched.
ByrneIT

8 Posts
