
Intrusion Detection&Network Forensics

Marcus J. Ranum

[email protected]

Chief Technology Officer

Network Flight Recorder, Inc.

Why Talk about IDS?
  • Emerging new technology
    • Very interesting

...but...

    • About to be over-hyped
  • Being informed is the best weapon in the security analyst’s arsenal
    • It also helps keep vendors honest!
What is an Intrusion?!
  • Difficult to define
    • Not everyone agrees
    • This is a big problem
      • How about someone telnetting to your system?
        • And trying to log in as “root”?
      • What about a ping sweep?
      • What about them running an ISS scan?
      • What about them trying phf on your webserver?
        • What about succeeding with phf and logging in?
What is IDS?
  • The ideal Intrusion Detection System will notify the system/network manager of a successful attack in progress:
    • With 100% accuracy
    • Promptly (in under a minute)
    • With complete diagnosis of the attack
    • With recommendations on how to block it

…Too bad it doesn’t exist!!

Objectives: 100% Accuracy and 0% False Positives
  • A False Positive is when a system raises an incorrect alert
    • “The boy who cried ‘wolf!’” syndrome
  • 0% false positives is the goal
    • It’s easy to achieve this: simply detect nothing
  • 0% false negatives is another goal: don’t let an attack pass undetected
Objectives: Prompt Notification
  • To be maximally accurate the system may need to “sit on” information for a while until all the details come in
    • e.g.: Slow-scan attacks may not be detected for hours
    • This has important implications for how “real-time” IDS can be!
    • IDS should notify user as to detection lag
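The detection-lag problem in concrete form, as an added example (not code from the talk or from NFR): a sliding-window port-scan detector replayed over two constructed scans of the same target, one probe per second versus one probe every ten minutes. The addresses, window sizes and threshold are assumptions.

```python
"""Sliding-window port-scan detector that reports how long detection took.

Constructed example data: a fast scan (one probe per second) and a slow scan
(one probe every 600 s) against the same target.  Addresses are invented.
"""
from collections import defaultdict, deque

# (timestamp_seconds, src_ip, dst_ip, dst_port)
FAST_SCAN = [(100 + i, "10.0.0.5", "10.0.0.1", 1 + i) for i in range(20)]
SLOW_SCAN = [(1000 + 600 * i, "10.0.0.9", "10.0.0.1", 21 + i) for i in range(20)]


class ScanDetector:
    """Alert when one source touches >= threshold distinct ports on one
    destination within `window` seconds.  Probes older than the window are
    forgotten, which is exactly what lets a slow scan slip through."""

    def __init__(self, window, threshold):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)   # (src, dst) -> deque of (t, port)
        self.first_seen = {}                # (src, dst) -> time of first probe
        self.alerted = set()
        self.alerts = []                    # (src, dst, first_probe_t, alert_t)

    def observe(self, t, src, dst, port):
        key = (src, dst)
        self.first_seen.setdefault(key, t)
        hist = self.history[key]
        hist.append((t, port))
        # drop probes that have aged out of the window
        while hist and hist[0][0] < t - self.window:
            hist.popleft()
        distinct_ports = {p for _, p in hist}
        if len(distinct_ports) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            self.alerts.append((src, dst, self.first_seen[key], t))


def detection_lags(events, window, threshold):
    """Replay events in time order; return {(src, dst): seconds between the
    first probe and the alert}.  Pairs that never reach the threshold are
    absent, i.e. the scan was missed entirely."""
    det = ScanDetector(window, threshold)
    for t, src, dst, port in sorted(events):
        det.observe(t, src, dst, port)
    return {(s, d): alert_t - first_t for s, d, first_t, alert_t in det.alerts}


if __name__ == "__main__":
    events = FAST_SCAN + SLOW_SCAN
    for window in (3600, 7200):
        lags = detection_lags(events, window, threshold=10)
        print(f"window={window}s threshold=10:")
        for src, dst in {(s, d) for _, s, d, _ in events}:
            lag = lags.get((src, dst))
            print(f"  {src} -> {dst}: " + ("missed" if lag is None else f"alert after {lag}s"))
```

With a two-hour window the slow scan is caught, but only 90 minutes after it began, which is the lag the slide says the IDS should report; with a one-hour window it is never caught at all, because no window ever holds ten of its probes. Widening the window buys coverage at the cost of memory and of later alerts.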
Objectives: Prompt Notification (cont)
  • Notification channel must be protected
    • What if attacker is able to sever/block notification mechanism?
    • An IDS that uses E-mail to notify you is going to have problems notifying you that your E-mail server is under a denial of service attack!
Objectives: Diagnosis
  • Ideally, an IDS will categorize/identify the attack
    • Few network managers have the time to know intimately how the many network attacks are performed
  • This is a difficult thing to do
    • Especially with things that “look weird” and don’t match well-known attacks
Objectives: Recommendation
  • The ultimate IDS would not only identify an attack, it would:
    • Assess the target’s vulnerability
    • If the target is vulnerable it would notify the administrator
    • If the vulnerability has a known “fix” it would include directions for applying the fix
  • This requires huge, detailed knowledge
IDS: Pros
  • A reasonably effective IDS can identify
    • Internal hacking
    • External hacking attempts
  • Allows the system administrator to quantify the level of attack the site is under
  • May act as a backstop if a firewall or other security measures fail
IDS: Cons
  • IDSs don’t typically act to prevent or block attacks
    • They don’t replace firewalls, routers, etc.
  • If the IDS detects trouble on your interior network what are you going to do?
    • By definition it is already too late
Paradigms for Deploying IDS
  • Attack Detection
  • Intrusion Detection
Attack Detection

[Diagram: Internet, Router w/some screening, DMZ Network with the WWW Server, Firewall, Internal Network with Desktop; the IDS sits outside the firewall, on the DMZ side]

IDS detects (and counts) attacks against the Web Server and firewall

Attack Detection
  • Placing an IDS outside of the security perimeter records attack level
    • Presumably if the perimeter is well designed the attacks should not affect it!
    • Still useful information for management (“we have been attacked 3,201 times this month…”)
    • Prediction: AD Will generate a lot of noise and be ignored quickly
Intrusion Detection

[Diagram: Internet, Router w/some screening, DMZ Network with the WWW Server, Firewall, Internal Network with Desktop; the IDS sits inside the firewall, on the Internal Network]

IDS detects hacking activity WITHIN the protected network, incoming or outgoing

Intrusion Detection
  • Placing an IDS within the perimeter will detect instances of clearly improper behavior
    • Hacks via backdoors
    • Hacks from staff against other sites
    • Hacks that got through the firewall
  • When the IDS alarm goes off, it’s a red alert
Attack vs Intrusion Detection
  • Ideally do both
  • Realistically, do ID first then AD
    • Or, deploy AD to justify security effort to management, then deploy ID (more of a political problem than a technical one)
  • The real question here is one of staffing costs to deal with alerts generated by AD systems
IDS Data Source Paradigms
  • Host Based
  • Network Based
Host Based IDS
  • Collect data usually from within the operating system
    • C2 audit logs
    • System logs
    • Application logs
  • Data collected in very compact form
    • But application / system specific
Host Based: Pro
  • Quality of information is very high
    • Software can “tune” what information it needs (e.g.: C2 logs are configurable)
    • Kernel logs “know” who user is
  • Density of information is very high
    • Often logs contain pre-processed information (e.g.: “badsu” in syslog)
Host Based: Con
  • Capture is often highly system specific
    • Usually only 1, 2 or 3 platforms are supported (“you can detect intrusions on any platform you like as long as it’s Solaris or NT!”)
  • Performance is a wild-card
    • To offload computation from the host, logs are usually sent to an external processing system
Host Based: Con (cont)
  • Hosts are often the target of attack
    • If they are compromised their logs may be subverted
    • Data sent to the IDS may be corrupted
    • If the IDS runs on the host itself it may be subverted
Network Based IDS
  • Collect data from the network or a hub / switch
    • Reassemble packets
    • Look at headers
  • Try to determine what is happening from the contents of the network traffic
    • User identities, etc inferred from actions
Network Based: Pro
  • No performance impact on the monitored hosts
  • More tamper resistant
  • No management impact on platforms
  • Works across OSes
  • Can derive information that host based logs might not provide (packet fragmenting, port scanning, etc.)
Network Based: Con
  • May lose packets on flooded networks
  • May mis-reassemble packets
  • May not understand OS-specific application protocols (e.g.: SMB)
  • May not understand obsolete network protocols (e.g.: anything non-IP)
  • Does not handle encrypted data
IDS Paradigms
  • Anomaly Detection - the AI approach
  • Misuse Detection - simple and easy
  • Burglar Alarms - policy based detection
  • Honey Pots - lure the hackers in
  • Hybrids - a bit of this and that
Anomaly Detection
  • Goals:
    • Analyse the network or system and infer what is normal
    • Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal”
    • If events are outside of a probability window of “normal” generate an alert (tuneable control of false positives)
Anomaly Detection (cont)
  • Typical anomaly detection approaches:
    • Neural networks - probability-based pattern recognition
    • Statistical analysis - modelling behavior of users and looking for deviations from the norm
    • State change analysis - modelling system’s state and looking for deviations from the norm
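Statistical anomaly detection reduced to its essentials, as an added example rather than any product's logic: a per-user baseline of bytes per session is modelled as mean and standard deviation, later sessions are scored by their distance from that mean, and the threshold k is the “probability window” the previous slide mentions. The user name, baseline and labelled events are constructed.

```python
"""Statistical anomaly detection with a tunable alert threshold.

Added example.  The per-user baseline (bytes transferred per session) and the
labelled test events are constructed; "alice" is an invented user.
"""
from statistics import mean, pstdev

# Training period: sessions believed to be normal.
TRAINING = {"alice": [100, 120, 110, 90, 100, 130, 105, 95, 115, 110]}

# Subsequent sessions: (user, bytes, is_really_an_attack).  The label is the
# analyst's ground truth and is used only to score the detector.
EVENTS = [
    ("alice", 112, False),
    ("alice", 140, False),   # busy but legitimate day
    ("alice", 95, False),
    ("alice", 160, True),
    ("alice", 125, True),    # attacker staying inside the normal band
    ("alice", 180, True),
    ("alice", 80, False),    # quiet day, also "abnormal" to a pure statistic
]


def build_profiles(training):
    """Model 'normal' per user as (mean, standard deviation)."""
    profiles = {}
    for user, samples in training.items():
        sd = pstdev(samples)
        profiles[user] = (mean(samples), max(sd, 1e-9))  # guard a constant baseline
    return profiles


def zscore(profiles, user, value):
    mu, sd = profiles[user]
    return (value - mu) / sd


def is_anomalous(profiles, user, value, k):
    """Alert when the event lies more than k standard deviations from normal.
    k is the probability window: raising it trades false positives for misses."""
    if user not in profiles:
        return True  # no model at all for this user: treat as anomalous
    return abs(zscore(profiles, user, value)) > k


def evaluate(profiles, events, k):
    """Count true/false positives and negatives for one threshold."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for user, value, attack in events:
        flagged = is_anomalous(profiles, user, value, k)
        if flagged and attack:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for k in (2.0, 3.0, 100.0):
        print(f"k={k}: {evaluate(profiles, EVENTS, k)}")
```

Printing the counts for k = 2, 3 and 100 shows the trade-off from the Objectives slides: k = 2 catches two of the three attacks but raises two false alarms, k = 3 silences the false alarms while still missing the attacker who stayed inside the normal band, and a huge k is the “detect nothing” detector, with a perfect false-positive rate and nothing else to recommend it.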
Anomaly Detection: Pro
  • If it works it could conceivably catch any possible attack
  • If it works it could conceivably catch attacks that we haven’t seen before
    • Or close variants to previously-known attacks
  • Best of all it won’t require constantly keeping up on hacking technique
Anomaly Detection: Con
  • Current implementations don’t work very well
    • Too many false positives/negatives
  • Cannot categorize attacks very well
    • “Something looks abnormal”
    • Requires expertise to figure out what triggered the alert
    • Ex: Neural nets can’t say why they trigger
Anomaly Detection: Examples
  • Most of the research is in anomaly detection
    • Because it’s a harder problem
    • Because it’s a more interesting problem
  • There are many examples, these are just a few
    • Most are at the proof of concept stage
Misuse Detection
  • Goals:
    • Know what constitutes an attack
    • Detect it
Misuse Detection (cont)
  • Typical misuse detection approaches:
    • “Network grep” - look for strings in network connections which might indicate an attack in progress
    • Pattern matching - encode series of states that are passed through during the course of an attack
      • e.g.: “change ownership of /etc/passwd” -> “open /etc/passwd for write” -> alert
Misuse Detection: Pro
  • Easy to implement
  • Easy to deploy
  • Easy to update
  • Easy to understand
  • Low false positives
  • Fast
Misuse Detection: Con
  • Cannot detect something previously unknown
  • Constantly needs to be updated with new rules
  • Easier to fool
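Both misuse-detection approaches from the earlier slide, written out as an added example (not NFR code): a “network grep” signature table run over constructed HTTP request bytes, and the chown /etc/passwd, then open-for-write sequence as a small per-user state machine over constructed audit events. It also shows the “easier to fool” con: the same phf request with one letter percent-encoded slips past the raw grep until the payload is decoded first. Hostnames, uids and the event format are assumptions.

```python
"""Misuse detection: "network grep" signatures and a state-sequence pattern.

Added example.  The request payloads and audit events are constructed.
The phf signature matches the request path only; the audit pattern is the
slide's "chown /etc/passwd, then open /etc/passwd for write" sequence.
"""
import re
from urllib.parse import unquote_to_bytes

# --- "network grep": byte patterns that suggest an attack in progress ------
SIGNATURES = [
    ("phf-cgi-probe", re.compile(rb"/cgi-bin/phf\b")),
    ("telnet-root-login", re.compile(rb"login:\s*root\b")),
]


def grep_payload(payload):
    """Return the names of every signature found in the raw bytes."""
    return [name for name, rx in SIGNATURES if rx.search(payload)]


def normalize_http(payload):
    """Decode %xx escapes so 'ph%66' and 'phf' look alike to the signatures.
    Without this step the plain grep is trivially fooled."""
    return unquote_to_bytes(payload)


# --- state-sequence pattern over host audit events -------------------------
# state -> list of (action, path, next_state); reaching "ALERT" fires.
PASSWD_TAKEOVER = {
    "start":   [("chown", "/etc/passwd", "chowned")],
    "chowned": [("open_write", "/etc/passwd", "ALERT")],
}


class SequenceMatcher:
    """One small state machine per (host, uid); unrelated events are ignored,
    so the steps of the attack need not be adjacent in the log."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.state = {}

    def feed(self, host, uid, action, path):
        key = (host, uid)
        cur = self.state.get(key, "start")
        for act, p, nxt in self.pattern.get(cur, []):
            if action == act and path == p:
                if nxt == "ALERT":
                    self.state[key] = "start"   # reset so a repeat fires again
                    return f"{host}: uid {uid} changed owner of {path}, then opened it for writing"
                self.state[key] = nxt
                break
        return None


def run_audit(events, pattern=PASSWD_TAKEOVER):
    matcher = SequenceMatcher(pattern)
    alerts = []
    for host, uid, action, path in events:
        hit = matcher.feed(host, uid, action, path)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample input.
REQUESTS = [
    b"GET /index.html HTTP/1.0\r\n\r\n",
    b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n",
    b"GET /cgi-bin/ph%66?Qalias=x HTTP/1.0\r\n\r\n",   # same probe, encoded
]
AUDIT_EVENTS = [
    ("web1", 1001, "open_write", "/etc/passwd"),      # no prior chown: no alert
    ("web1", 1001, "chown", "/etc/passwd"),
    ("web1", 1001, "open_read", "/etc/motd"),          # unrelated, state kept
    ("web1", 1001, "open_write", "/etc/passwd"),       # completes the sequence
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req.split(b"\r\n")[0], "raw:", grep_payload(req),
              "normalized:", grep_payload(normalize_http(req)))
    print(run_audit(AUDIT_EVENTS))
```

The grep is everything the slide promises (easy, fast, understandable) and the decoded variant is the first of the endless rule updates the con list warns about; the state machine is what lets a detector say more than “string seen”, at the price of having to spell out each attack as a sequence.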
Burglar Alarms
  • A burglar alarm is a misuse detection system that is carefully targeted
    • You may not care about people port-scanning your firewall from the outside
    • You may care profoundly about people port-scanning your mainframe from the inside
    • Set up a misuse detector to watch for misuses violating site policy
Burglar Alarms (cont)
  • Goals:
    • Based on site policy alert administrator to policy violations
    • Detect events that may not be “security” events which may indicate a policy violation
      • New routers
      • New subnets
      • New web servers
Burglar Alarms (cont)
  • Trivial burglar alarms can be built with tcpdump and perl
  • Netlog and NFR are useful event recorders which may be used to trigger alarms

http://www.nswc.navy.mil/ISSEC/Docs/loggingproject.html

ftp://coast.cs.purdue.edu/pub/tools/unix/netlog/

http://www.nfr.net/download
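A burglar alarm is policy, not signatures, so the example below (added here; the slide names tcpdump and perl but shows no code) reads tcpdump-style lines and fires only on three site-policy violations: a non-admin host opening a connection to the mainframe, a SYN-ACK from port 80 on a machine not in the web-server inventory, and any site address outside the known subnets. The addresses, the inventory and the sample lines are constructed; the line shape is the one tcpdump -n prints for TCP.

```python
"""A burglar alarm over tcpdump-style output: alert only on site-policy
violations, not on "attacks" in general.

Added example.  The policy (which host is the mainframe, who may reach it,
which web servers and subnets exist) and the sample lines are constructed.
"""
import ipaddress
import re

# --- site policy (assumed, not from the talk) -----------------------------
MAINFRAME = ipaddress.ip_address("10.0.0.2")
ADMIN_HOSTS = {ipaddress.ip_address("10.0.0.10")}
KNOWN_WEB_SERVERS = {ipaddress.ip_address("10.0.1.5")}
KNOWN_SUBNETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.1.0/24")]
SITE = ipaddress.ip_network("10.0.0.0/8")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(line):
    """Pull addresses, ports and TCP flags out of one tcpdump -n line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def in_known_subnet(addr):
    return any(addr in net for net in KNOWN_SUBNETS)


def check(pkt):
    """Return the list of (rule, offending_address) a packet trips."""
    hits = []
    # 1. only admin hosts may open connections to the mainframe
    if pkt["dst"] == MAINFRAME and pkt["flags"] == "S" and pkt["src"] not in ADMIN_HOSTS:
        hits.append(("mainframe-access-violation", str(pkt["src"])))
    # 2. a SYN-ACK from port 80 means something is serving HTTP; is it inventoried?
    if pkt["flags"] == "S." and pkt["sport"] == 80 and pkt["src"] not in KNOWN_WEB_SERVERS:
        hits.append(("new-web-server", str(pkt["src"])))
    # 3. site addresses outside the known subnets: a new subnet or router
    for addr in (pkt["src"], pkt["dst"]):
        if addr in SITE and not in_known_subnet(addr):
            hits.append(("new-subnet", str(addr)))
    return hits


def run(lines):
    alerts = []
    for line in lines:
        pkt = parse(line)
        if pkt:
            alerts.extend(check(pkt))
    return alerts


# Constructed sample capture.
SAMPLE_LINES = [
    "12:00:01.000001 IP 10.0.0.10.45000 > 10.0.0.2.23: Flags [S], seq 1, win 512, length 0",
    "12:00:02.000001 IP 10.0.0.33.45001 > 10.0.0.2.23: Flags [S], seq 1, win 512, length 0",
    "12:00:03.000001 IP 10.0.1.5.80 > 10.0.0.33.45002: Flags [S.], seq 1, ack 2, win 512, length 0",
    "12:00:04.000001 IP 10.0.1.77.80 > 10.0.0.33.45003: Flags [S.], seq 1, ack 2, win 512, length 0",
    "12:00:05.000001 IP 10.0.7.9.45004 > 10.0.1.5.80: Flags [S], seq 1, win 512, length 0",
]

if __name__ == "__main__":
    for rule, addr in run(SAMPLE_LINES):
        print(f"ALARM {rule}: {addr}")
```

Pipe `tcpdump -n -l tcp` from a segment that sees the mainframe into run(); the allowlists are where the local knowledge the later slides talk about goes, and putting your own scanner on them is how you avoid tripping the alarm yourself.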

Burglar Alarms (cont)
  • The ideal burglar alarm will be situated so that it fires when an attacker performs an action that they normally would try once they have successfully broken in
    • Adding a userid
    • Zapping a log file
    • Making a program setuid root
Burglar Alarms (cont)
  • Burglar alarms are a big win for the network manager:
    • Leverage local knowledge of the local network layout
    • Leverage knowledge of commonly used hacker tricks
Burglar Alarms: Pro
  • Reliable
  • Predictable
  • Easy to implement
  • Easy to understand
  • Generate next to no false positives
  • Can (sometimes) detect previously unknown attacks
Burglar Alarms: Con
  • Policy-directed
    • Requires knowledge about your network
    • Requires a certain amount of stability within your network
  • Requires care not to trigger them yourself
Honey Pots
  • A honey pot is a system that is deliberately named and configured so as to invite attack
    • swift-terminal.bigbank.com
    • www-transact.site.com
    • source-r-us.company.com
    • admincenter.noc.company.net
Honey Pots (cont)
  • Goals:
    • Make it look inviting
    • Make it look weak and easy to crack
    • Instrument every piece of the system
    • Monitor all traffic going in or out
    • Alert administrator whenever someone accesses the system
Honey Pots (cont)
  • Trivial honey pots can be built using tools like:
    • tcpwrapper
    • Burglar alarm tools (see “burglar alarms”)
    • restricted/logging shells (sudo, adminshell)
    • C2 security features (ugh!)
  • See Cheswick’s paper “An evening with Berferd” for examples
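The honey-pot goals above in running form, as an added example (not Cheswick's Berferd setup and not NFR code): a fake login service that answers with an inviting banner, rejects every password, and records every visitor and what they typed, which is the alert. It binds a loopback port chosen by the OS so it can be exercised locally; the banner hostname reuses one of the slide's decoy names, and the probe() client is a constructed stand-in for a visitor.

```python
"""A trivial honey pot: a fake login service whose only job is to record and
report every connection made to it.

Added example (not from the talk).  It listens on a loopback port chosen by
the OS so it can be exercised locally; the banner hostname is one of the
slide's decoy names.
"""
import socket
import socketserver
import threading
import time


class HoneyPotHandler(socketserver.BaseRequestHandler):
    BANNER = b"\r\nswift-terminal login: "

    def handle(self):
        self.request.sendall(self.BANNER)
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)       # whatever the visitor types
        except socket.timeout:
            data = b""
        # Record before replying, so the event exists by the time the client sees the answer.
        self.server.record(self.client_address, data)
        self.request.sendall(b"Login incorrect\r\n")  # never let anyone in


class HoneyPot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, HoneyPotHandler)
        self.events = []
        self._lock = threading.Lock()

    def record(self, peer, data):
        """Every access is an alert: nobody has a legitimate reason to be here."""
        with self._lock:
            self.events.append({"time": time.time(), "src": peer[0], "sport": peer[1], "data": data})


def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; return (server, bound port)."""
    server = HoneyPot((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, payload, host="127.0.0.1"):
    """Constructed stand-in for a visitor; returns (banner, reply)."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        reply = s.recv(1024)
    return banner, reply


if __name__ == "__main__":
    server, port = start_honeypot()
    print(probe(port, b"root\r\n"))
    for ev in server.events:
        print("ALERT honeypot access from %s:%d sent %r" % (ev["src"], ev["sport"], ev["data"]))
    server.shutdown()
    server.server_close()
```

On a real decoy you would bind the real interface and the real service ports, run it under an unprivileged account, and ship the events off-host, since the honey pot itself is meant to be broken into.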
Honey Pots: Pro
  • Easy to implement
  • Easy to understand
  • Reliable
  • No performance cost
Honey Pots: Con
  • Assumes hackers are really stupid
    • They aren’t
Hybrid IDS
  • The current crop of commercial IDSs are mostly hybrids
    • Misuse detection (signatures or simple patterns)
    • Expert logic (network-based inference of common attacks)
    • Statistical anomaly detection (values that are out of bounds)
Hybrid IDS (cont)
  • At present, the hybrids’ main strength appears to be the misuse detection capability
    • Statistical anomaly detection is useful more as backfill information in the case of something going wrong
    • Too many false positives - many sites turn anomaly detection off
Hybrid IDS (cont)
  • The ultimate hybrid IDS would incorporate logic from vulnerability scanners*
    • Build maps of existing vulnerabilities into its logic of where to watch for attacks
  • Backfeed statistical information into misuse detection via a user interface

* Presumably, a clueful network admin would just fix the vulnerability

Books
  • Firewalls and Internet Security: Repelling the Wily Hacker, by Bill Cheswick and Steve Bellovin, from Addison-Wesley
  • Building Internet Firewalls, by Brent Chapman and Elizabeth Zwicky, from O’Reilly
URLs
  • Spaf’s Security Page
    • http://www.cs.purdue.edu/people/spaf
  • Mjr’s home page
    • http://www.clark.net/pub/mjr
  • Hacker sites: the fringe
    • http://www.lopht.com
    • http://www.digicrime.com
Addresses
  • Firewalls Wizards mailing list
    • [email protected]: subscribe firewall-wizards
      • http://www.nfr.net/forum/firewall-wizards.html
    • Searchable online archive on
      • http://www.nfr.net/firewall-wizards/