Avatar

Intelligence Gathering 101

Traffic analysis is rapidly becoming critical for threat analysis and incident response teams, and a choke point on their capability to be effective. Performing analysis on incoming threats requires security professionals to have monitoring tools that can give them an understanding of the information coming and going into their environment. This understanding needs to consider syntax, grammar and context. For example, to gather intelligence from a phone conversation between an employee and a 3rd party, you need to not only know who they are calling, but also be fluent in the language they are speaking. In technical terms, this means being able to understand the content of traffic at the so-called “application layer.” Without tools that grant security professionals this capability, we have the equivalent of a room full of security personnel trained in speaking Chinese listening to conversations in Arabic.

Unknown Unknowns

To security professionals, popular application layer protocols used by common desktop applications like web browsers are akin to English. HTTP is over twenty years old, and very much a lingua franca for the technologies around us. There is a plethora of devices and utilities (both open and closed source) that provide automated deep introspection into these protocols. They are very well understood and, even when encrypted, their use can be identified on the network. However, there are new protocols in the wild today used by modern web browsers that most security professionals don’t even know exist, and only a few traffic analysis utilities can analyze. Obviously this blind spot is a serious blow to security operation center (SOC) engineers and traffic monitoring technicians. But, what is even more alarming is that some of these protocols are already deployed throughout the latest versions of all popular web browsers. HTTP/2 is supported by more than 70% of all web browsers currently in use and is already bigger than IPv6! [https://w3techs.com/technologies/comparison/ce-http2,ce-ipv6]

QUIC, an Introduction

The Quick UDP Internet Connections protocol (QUIC) [https://www.chromium.org/quic]  was initially implemented by Google in 2012 and was announced as an experimental project in 2013. Although worked on and championed by several other parties, it was included in the release of Chrome 29 on August 20, 2013, and has been supported as a standard communications protocol for certain websites ever since. QUIC is in many ways a natural evolution from prior technologies. It builds upon some of the advancements made by the traditional Transmission Control Protocol (TCP) and Multipath Transmission Control Protocol (MPTCP) standards and is now under discussion at the IETF [https://tools.ietf.org/html/draft-hamilton-early-deployment-quic-00].

Unlike the traditional HTTP over TCP model, the QUIC protocol uses the UDP standard to transmit data without the use of TCP ports, making it much harder for firewalls to block. Additionally, QUIC sessions are stream-based and multiplexed by default, making the task of tracking sessions more complicated for security and monitoring tools by an order of magnitude. Beyond this, the implementation of QUIC published by Google is bonded with HTTP/2. This protocol communicates using frames that are not human readable to transmit HTML and is also capable of multiplexing its sessions.

quic-1

quic-2

QUIC and HTTP/2 don’t open one connection for each request, but multiplex, sharing it between the different requests to a server.

It is already possible to browse google websites on an unmodified chrome browser with TCP disabled! If you thought your transparently redirecting HTTPS proxy was seeing all your web traffic you might be surprised to find it isn’t seeing QUIC traffic at all!

Get the full story

Cisco security consultants Carl Vincent and Kate Pearce will be giving an in-depth presentation detailing the security risks presented by the lack of support within network analysis utilities for these protocols at Black Hat 2016 entitled: HTTP/2 & QUIC – TEACHING GOOD PROTOCOLS TO DO BAD THINGS. Attendees will learn the details of how these new systems are implemented, as well as obtain prototype applications that can help network defenders study the protocols in question so they can begin building detection and protection strategies into their products and network defense strategies. If avoiding blind spots in your security monitoring solutions is your professional responsibility, it’s a presentation you can’t afford to miss.

Learn more about Cisco’s Security Services portfolio here.

 

 

 



Authors

Carl Vincent

Senior Security Consultant

Security Business Group