Advanced Intrusion Defense - PowerPoint PPT Presentation

Presentation Transcript

Advanced Intrusion Defense

Joel Snyder

Opus One

Acknowledgements

Massive Support from Marty Roesch, Ron Gula, Robert Graham

Products from ISS, Cisco, and Tenable

Cash and Prizes from Andy Briney and Neil Roiter

This is an IDS alert…

IDS saw a packet aimed at a protected system

IDS magic decoder technology correctly identifies this as “Back Orifice!”

This IDS alert ain’t no good

Last time I checked, FreeBSD 4.9 was not one of the supported platforms for BackOrifice…

Please don’t call that a False Positive

IDS developers will jump down your throat

“False Positive” means the IDS cried wolf when there was no such attack

Usually the result of poorly written signatures

Instead, let’s invent a complex multisyllable term: “non-contextual alert”

The IDS lacks “context”

IF the IDS knew that the destination system was not running Windows…

IF the IDS knew that the destination system was not running Back Orifice…

IF the IDS knew that there was no such destination system…

IF the IDS knew that the destination system was more hops away than TTL allowed…

IF IF IF the IDS knew more…

  • THEN the IDS could tell the IDS operator more about this attack

  • Ron Gula (Tenable) says that alerts are “raw intelligence.” They are data, but are not information yet. We need to turn them into “well-qualified intelligence” to start a war.

Roesch: “Target-Based IDS”

Target-based IDS has two components

Target-based IDS Sensor

The sensor has knowledge about the network

The sensor has knowledge about the hosts

Target-based Event Correlation

The output of the sensor is compared to knowledge of vulnerabilities

Target-based IDS sensor

  • Network Flight Recorder (NFR) and Internet Security Systems (ISS) claim to be shipping IDS sensors that have target-based IDS technology in them

  • Sourcefire is working on putting this into its sensor

  • Other vendors may be including this technology (but I don’t know about them)

Target-based IDS Consoles

  • Information Security asked me to look at three “Target-based IDS” consoles

    • Internet Security Systems “Fusion”

    • Cisco “Cisco Threat Response”

    • Tenable Security “Lightning Console”

Start with a normal IDS…

IDS sensors generate enormous dinosaur-sized piles of alerts; alerts are sent to the IDS console

Operator gets enormous dinosaur-sized headache looking at hundreds of thousands of alerts

… and add brains!

Brains = knowledge + process

Knowledge

Somehow figure out lots of information about

What systems are out there

What software they are running

What attacks they are vulnerable to

Process

Evaluate each alert with the additional contextual knowledge and decide

To promote the alert

To demote the alert

That we don’t know
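The "IF the IDS knew…" checks and the promote/demote/don't-know decision from the last two slides, worked through as an added example. This is not code from the presentation or from Fusion, Lightning or CTR; the host inventory, the alerts, the hop distances and the vulnerability id "CONSTRUCTED-BO-1" are all constructed for illustration. The only facts carried over from the talk's scenario are that Back Orifice is a Windows-only tool (its default listener is UDP 31337) and that the noisy alert in the slides was aimed at a FreeBSD 4.9 box.

```python
"""Target-based event correlation: qualify raw IDS alerts against host knowledge.

Added example, not code from the presentation or from the products it reviews.
The inventory, alerts and signature metadata below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Verdict(Enum):
    PROMOTE = "promote"   # target exists and is exposed: the operator should see this
    DEMOTE = "demote"     # context says the attack cannot have worked
    UNKNOWN = "unknown"   # the inventory cannot settle the question


@dataclass
class Host:
    ip: str
    os_family: str                                  # e.g. "Windows", "FreeBSD"
    open_ports: set[tuple[str, int]]                # (proto, port) pairs seen open
    vulns: set[str] = field(default_factory=set)    # vulnerability ids a scanner reported
    hops_from_sensor: Optional[int] = None          # router hops between sensor and host


@dataclass
class Signature:
    name: str
    affected_os: set[str]          # platforms the attack can actually work against
    proto: str
    port: int
    vuln_id: Optional[str] = None  # scanner finding that would confirm exposure


@dataclass
class Alert:
    sig: Signature
    dst_ip: str
    ttl: int                       # IP TTL of the packet as the sensor saw it


def qualify(alert: Alert, inventory: dict[str, Host]) -> tuple[Verdict, str]:
    """Apply the contextual checks in order and return (verdict, reason)."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        return Verdict.DEMOTE, "no such destination system"
    if host.hops_from_sensor is not None and alert.ttl <= host.hops_from_sensor:
        # every router decrements TTL; this packet dies before the host ever sees it
        return Verdict.DEMOTE, "destination is more hops away than TTL allows"
    if host.os_family not in alert.sig.affected_os:
        return Verdict.DEMOTE, f"{host.os_family} is not an affected platform"
    if (alert.sig.proto, alert.sig.port) not in host.open_ports:
        return Verdict.DEMOTE, "destination is not running the targeted service"
    if alert.sig.vuln_id is None:
        return Verdict.PROMOTE, "affected platform and service open; no scanner data to consult"
    if alert.sig.vuln_id in host.vulns:
        return Verdict.PROMOTE, "scanner confirmed the matching vulnerability"
    return Verdict.UNKNOWN, "service is open but the scanner did not report the vulnerability"


# Constructed signature: Back Orifice is Windows-only and listens on UDP 31337.
# "CONSTRUCTED-BO-1" stands in for whatever id a real scanner would assign.
BACK_ORIFICE = Signature("Back Orifice", {"Windows"}, "udp", 31337, vuln_id="CONSTRUCTED-BO-1")

# Constructed inventory, as an active or passive scanner might have populated it.
INVENTORY: dict[str, Host] = {
    "10.0.0.5": Host("10.0.0.5", "FreeBSD", {("tcp", 22), ("tcp", 80)}, set(), 2),
    "10.0.0.9": Host("10.0.0.9", "Windows", {("udp", 31337), ("tcp", 139)}, {"CONSTRUCTED-BO-1"}, 2),
    "10.0.0.12": Host("10.0.0.12", "Windows", {("udp", 31337)}, set(), 3),
    "10.0.0.20": Host("10.0.0.20", "Windows", {("tcp", 445)}, set(), 1),
}

# Constructed alerts: the same raw "Back Orifice!" signature firing six times.
ALERTS = [
    Alert(BACK_ORIFICE, "10.0.0.5", ttl=120),   # the FreeBSD 4.9 case from the slides
    Alert(BACK_ORIFICE, "10.0.0.9", ttl=120),   # Windows, port open, vulnerability confirmed
    Alert(BACK_ORIFICE, "10.0.0.12", ttl=120),  # Windows, port open, nothing from the scanner
    Alert(BACK_ORIFICE, "10.0.0.20", ttl=120),  # Windows, but the service is not there
    Alert(BACK_ORIFICE, "10.0.0.77", ttl=120),  # nobody home at that address
    Alert(BACK_ORIFICE, "10.0.0.12", ttl=2),    # expires before reaching a host 3 hops away
]


def qualify_all(alerts: list[Alert], inventory: dict[str, Host]) -> list[tuple[str, Verdict, str]]:
    return [(a.dst_ip, *qualify(a, inventory)) for a in alerts]


def summarize(results: list[tuple[str, Verdict, str]]) -> dict[str, int]:
    """Count verdicts; the number the operator cares about is how few got promoted."""
    counts = {v.value: 0 for v in Verdict}
    for _, verdict, _ in results:
        counts[verdict.value] += 1
    return counts


if __name__ == "__main__":
    results = qualify_all(ALERTS, INVENTORY)
    for ip, verdict, reason in results:
        print(f"{ip:<10} {verdict.value:<8} {reason}")
    print(summarize(results))
```

The order of the checks matters: "no such host" and the TTL test need no knowledge of the host's software at all, so they run first, and only an alert that survives every demotion test reaches the vulnerability lookup. Six raw alerts become one promotion, one "don't know" and four demotions, which is the reduction the consoles on the following slides are selling.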

Approach 1: ISS Fusion

  • NetMgr schedules scanning using ISS Scanner

  • Scan info, including ports & vulnerabilities, flow into SiteProtector

  • Sensor alerts also flow into SiteProtector

  • Fusion reads alerts and assigns priorities for the operator

Variation 2: Tenable Lightning

  • NetMgr schedules “active scans” using Nessus or NeWT

  • Results are sent to Lightning Console

  • Passive scan results are collected by NeVO

  • Passive results are sent to Lightning

What is “Passive Scanning?”

By simply watching the traffic fly by, you can learn a great deal

  • TCP connections have “fingerprints”

    • Fingerprints are useful for identifying the TCP stack (hence: the O/S) involved

    • Existence proof

  • Applications (client & server) have “banners”

    • Banners can reveal application names, version numbers, and patch levels
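Both halves of this slide, TCP-stack fingerprints and application banners, in one added example of how a passive scanner turns traffic it merely watches into a host inventory. This is not code from the presentation and not how NeVO or any other product does it. The SYN observations, the server banners and the four-entry fingerprint table are constructed; the table's values are illustrative stand-ins for a real signature database, and the one technique taken as-is is the standard TTL trick of rounding an observed TTL up to the nearest common initial value (32, 64, 128, 255) to recover both the stack's starting TTL and the sender's hop distance.

```python
"""Passive scanning: build a host inventory from traffic, without sending a probe.

Added example, not from the presentation or any product. Observations and the
fingerprint table are constructed; real fingerprinters key on many more fields.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed, illustrative TCP-stack fingerprints keyed on
# (initial TTL, SYN window size, window-scale option present).
TCP_FINGERPRINTS = {
    (64, 5840, True): "Linux 2.4/2.6",
    (64, 65535, True): "FreeBSD 4.x",
    (128, 65535, False): "Windows 2000/XP",
    (128, 16384, False): "Windows NT/2000",
}

INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> tuple[int, int]:
    """Round up to the nearest common initial TTL; the gap is the hop distance."""
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start, start - observed_ttl
    raise ValueError(f"TTL {observed_ttl} out of range")


# Banner patterns for the first server-to-client bytes of a connection.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-\d\.\d+-(?P<app>OpenSSH)_(?P<ver>[\w.]+)")),
    ("http", re.compile(r"^Server:\s*(?P<app>[A-Za-z-]+)/(?P<ver>[\w.]+)", re.M)),
    ("smtp", re.compile(r"^220 .*?(?P<app>Sendmail|Postfix|Exim)\s*(?P<ver>[\w.]*)")),
]


def parse_banner(payload: str) -> Optional[tuple[str, str, Optional[str]]]:
    """Return (protocol, application, version) or None if nothing recognisable."""
    for proto, pattern in BANNER_PATTERNS:
        match = pattern.search(payload)
        if match:
            return proto, match.group("app"), match.group("ver") or None
    return None


@dataclass
class HostRecord:
    ip: str
    os_guess: Optional[str] = None
    hops_from_sensor: Optional[int] = None
    services: dict = field(default_factory=dict)   # (proto, port) -> description


# Constructed SYN observations: (src_ip, observed TTL, window, wscale present).
SYN_OBSERVATIONS = [
    ("10.0.0.5", 62, 65535, True),     # two hops from the sensor
    ("10.0.0.9", 125, 65535, False),   # three hops from the sensor
    ("10.0.0.33", 60, 5840, True),
]

# Constructed banner observations: (server_ip, server_port, first payload bytes).
BANNER_OBSERVATIONS = [
    ("10.0.0.5", 22, "SSH-1.99-OpenSSH_3.6.1p2\r\n"),
    ("10.0.0.5", 80, "HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\n\r\n"),
    ("10.0.0.9", 25, "220 mail.example.test ESMTP Sendmail 8.12.10; Mon, 1 Mar 2004"),
    ("10.0.0.9", 139, "\x83\x00\x00\x01"),   # binary protocol: existence proof only
]


def build_inventory(syns, banners) -> dict:
    """Fold fingerprint and banner observations into one record per host."""
    inventory: dict = {}
    for ip, ttl, window, wscale in syns:
        record = inventory.setdefault(ip, HostRecord(ip))
        initial, hops = infer_initial_ttl(ttl)
        record.hops_from_sensor = hops
        record.os_guess = TCP_FINGERPRINTS.get((initial, window, wscale), "unknown")
    for ip, port, payload in banners:
        record = inventory.setdefault(ip, HostRecord(ip))
        parsed = parse_banner(payload)
        if parsed:
            _, app, ver = parsed
            record.services[("tcp", port)] = f"{app} {ver or ''}".strip()
        else:
            # We still learned something: the port answered, so the host is there.
            record.services[("tcp", port)] = "unknown (port observed open)"
    return inventory


if __name__ == "__main__":
    for rec in build_inventory(SYN_OBSERVATIONS, BANNER_OBSERVATIONS).values():
        print(rec)
```

Note what this gives the correlation side: an OS guess, a hop count usable for the TTL check, and a service list with versions, all without touching the hosts. What it cannot give is a confirmed vulnerability, only a version string to look one up by, and it learns nothing about a host that never sends a packet past the sensor.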

Tenable (continued)

  • IDS sensors send alerts to console (Bro, Snort, ISS, Enterasys, NAI)

  • Lightning compares every alert to the known vulnerability database, rejecting all that don’t match an identified vulnerability

Approach 3: Cisco CTR

  • IDS sensors send alerts to their native console

  • Copies of alerts also go to CTR

  • CTR investigates alerts

  • Alerts plus investigation are available to operator

Scan before vs after

If you scan before…

You can’t verify that an attack actually succeeded

Your scan will always be out of date

If you scan/verify after…

You can verify that an attack did something

You might be a day late (and a dollar short) to catch things

You potentially can create a DoS condition

Do they work?

Yes, but…

Be careful what you wish for

All products had a significant reduction in IDS alerts

CTR - rolling window of only 1000 events!

Lightning - only shows events with matched vulnerabilities!

What about scanning?

When you scan is important

How you scan is important

Where you scan is important

Scanning after the fact can be a problem

Scanning before the fact can be a problem

Passive scanning can miss things

Active scanning can miss things

Can this quiet my IDS down?

It could…

But none of the products I looked at have a feedback loop to the IDS!

Why don’t the scanners tell the IDS what ports to look on?

Why don’t the scanners tell the IDS what signatures to ignore?

Is this right for you?

YES!

“I already have an IDS and I care about the alerts and I need some way to help prioritize them because I am drowning in alerts!”

“I need to get an IDS for alerts but don’t have the manpower to analyze the alerts.”


“If I get this, my IDS will be a self-tuning smooth-running no-maintenance machine.”

“I have no network security policy that says what to do when an alert occurs.”

Advanced Intrusion Defense

Joel Snyder

Opus One

[email protected]


Questions?

Submit your questions to Joel by clicking on the Ask A Question link on the lower left corner of your screen.

More information

Thank you for participating in this SearchSecurity webcast. For more information on intrusion defense, visit our Featured Topic: