Shoe Bombers on the Network Part One : Detection Mechanisms

Richard Reid will forever be infamously known as “The Shoe Bomber.” Thanks to the Al Qaeda agent’s failed attempt to destroy American Airlines Flight 63 on December 22, 2001 we have adjusted our airport check-in procedures to include taking off our shoes for a security scan. As I pondered how I might explain the complexities of network security without breaking into incomprehensible techno-babble, I thought the story surrounding our shoes at the airport might make an effective backdrop.

The Timeline

Below is a brief recap of the events that occurred connected to the shoe bombing attempt.

Zero Day minus one (December 21, 2001): Richard Reid arrives at Charles De Gaul International airport in Paris to board AA 63 to Miami, Florida. Airport security is suspicious of Reid because of an airline ticket paid in cash and no checked baggage. They questioned him for so long he missed his flight.

Zero Day (December 22, 2011): Reid boards AA 63 to Miami. 90 minutes into the flight a flight attendant responds to a “smell of matches” from another passenger. The flight attendant warns Reid that smoking is not allowed on the flight. A few moments later the sulfuric smell is noted again and Reid is hunched over in his chair. The flight attendant approaches Reid again and notices he is attempting to light a fuse connected into the shoe that he is holding in his lap. The crew and passengers restrain Reid and dowse the bomber with water and an onboard fire extinguisher.

Day 2 (December 24, 2001): Random chemical testing of shoes begins in select US airports. Voluntary shoe removal was encouraged (but not required.)

Day 1,691 (August 9, 2006): London authorities arrest 25 suspected terrorist planning to detonate IED on transatlantic flights.

Day 1,692 (August 10, 2006): TSA mandates mandatory screening of all shoes to detect improvised explosive devices (see: in response to heightened threat level created by London arrests.

The Parallels

Using these events, let’s look at how the lessons we learned in physical security shine light on how we can detect threats in network monitoring.

Examining the Composition

One school of detecting threats relies on examining the characteristics of the agent. In physical security, examples include analyzing patterns in DNA, fingerprints, chemical composition and physical parameters. In network security it consists largely in examining patterns in data transmissions or computer files.

Signature Based Detection

Immediately following the attempted bombing attack, airport security began applying chemical swabs to a sampling of shoes that caused a visible chemical reaction when exposed to the specific composition of the explosive materials.

In network security, methods to detect attacks that rely on knowing the specific composition of an attack are collectively known as “signature based detection.” Signature detection is often preferred in both physical and network security because it gives a concrete answer into what the exploit is. The chemical swab turning colors confirms the presence of explosives and would give cause for purposeful incident response. In network security exact patterns for attacks such as “Conflicker worm” or “Webserver Vulernability X” can be created to inform operators of the exact attack type. Signatures for detecting threats are limited in detecting immerging and unknown threats because they require examination of the exploit to create the signature (you can’t match a fingerprint until it is on file.) This makes signature based detection an impotent approach against early attackers but becomes increasingly effective as the exploit vector ages.

Heuristic Detection

The device in Richard Reid’s shoe did not contain any metal and would not throw immediate flags in either the walkthrough metal detectors of the conveyor x-ray machines. This is one factor that kept TSA from requiring shoe removal for the next five years (the other was the impact on check-in speed.) As a perceived threat in 2006 prompted security officials to ramp up detection, they required shoes to be scanned in the x-ray machine. They relied on the training of scanner operators to notice characteristics that may indicate a problem. Examples are deep cuts in heels, foreign objects in the shoe and unsuspected density in the scanner.

In network security, looking for threats by identifying potentially (though not necessarily) malicious characteristics is known as “heuristic detection.” This type of detection relies on variable or partial signature matches. Heuristic detection is unable to provide the concrete exploit explanation that signature based detection can. It often flags good traffic as bad (false positives) creating additional and unprofitable work.

Behavioral Detection

The second school of detecting threats focuses on the behavior of the agent. This is referred to as behavioral detection.

Anomaly Detection

On December 21st, the Parisian airport security personnel noticed some abnormal behavior in Reid. It was strange that he had purchased an airline ticket that cost more than $2,000 in cash. Nearly all transatlantic airline tickets purchased in Paris are paid for with credit cards. Authorities were also concerned that the bomber was headed for a multi-week transatlantic trip without any checked baggage. They also noted that Reid’s passport had no stamps on it (he had it replaced a couple weeks earlier at the British Embassy claiming it had run through the washing machine.) There was nothing inherently nefarious about these activities; they were just different from what was observed as normal by most travelers in Paris.

Detecting threats by observing activity that is a deviation from normal (baseline) behavior is known as “anomaly detection.”  In network security, examples of anomalies include computers using or hosting new network services, exceeding normal bandwidth usage or communicating with new types of external servers. This detection approach provides the earliest opportunity for detecting an immerging or advanced threat but requires skilled operators and deep data/intelligence visibility to effectively foil the attack. In part three of this series :“Data Visibility”, we’ll discuss in greater detail what kept anomaly detection from stopping Reid in his tracks 24 hours before boarding AA 63 and how the lessons learned foiled the follow-on attack four years later.

Suspicious Activity

A second component of behavioral detection is observing suspicious activity. Ultimately, it was flight crew and passengers observing increasingly strange behavior from Richard Reid that led to the plot being foiled. The flight attendant began to become suspicious when a match was smelled. The hunching over of the would-be bomber and finally the exposed fuse coming out of his shoe led the observers to conclude he posed an imminent threat. Like anomaly detection, suspicious activity is able to stop new attacks.

In network security, suspicious activity can include scanning for hosts on the network (often a sign of a network work), communicating with known “bad” external hosts (such as botnets) or attempting excessive, unnecessary connections to network resources (an indicator of a denial of service attack.) While a signature may not yet exist, incident response can begin immediately because there is no good reason for the activity (much like trying to light your shoe on fire.) This allows for much quicker response times when handling immerging threats. It also decreases the time it takes for network analysts to be aware of a problem on the network.

Wrap up

In this first installment, we’ve looked at the methods used for detecting threats on the network (and at the airport.) The detection methods are grouped into two schools: signature and behavioral. Signature based detection focuses on the characteristics of the agent while behavioral detection analyzes the activities of the agent. In the next installment of this series we will take a look at the different types of payloads that can be delivered through network attacks.