Advanced Intrusion Defense - PowerPoint PPT Presentation

Advanced intrusion defense
1 / 25

  • Uploaded on
  • Presentation posted in: General

Advanced Intrusion Defense. Joel Snyder Opus One. Acknowledgements. Massive Support from Marty Roesch, Ron Gula, Robert Graham Products from ISS, Cisco, and Tenable Cash and Prizes from Andy Briney and Neil Roiter.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Advanced Intrusion Defense

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Advanced intrusion defense

Advanced Intrusion Defense

Joel Snyder

Opus One



Massive Support from Marty Roesch, Ron Gula, Robert Graham

Products from ISS, Cisco, and Tenable

Cash and Prizes from Andy Briney and Neil Roiter

This is an ids alert

IDS saw a packet aimed at a protected system

IDS magic decoder technology correctly identifies this as “Back Orifice!”

This is an IDS alert…

This ids alert ain t no good

Last time I checked, FreeBSD 4.9 was not one of the supported platforms for BackOrifice…

This IDS alert ain’t no good

Please don t call that a false positive

IDS developers will jump down your throat

“False Positive” means the IDS cried wolf when there was nosuchattack

Usually the result of poorly written signatures

Instead, let’s invent a complex multisyllable term:“non-contextual alert”

Please don’t call that a False Positive

The ids lacks context

IF the IDS knew that the destination system was not running Windows…

IF the IDS knew that the destination system was not running Back Orifice…

IF the IDS knew that there was no such destination system…

IF the IDS knew that the destination system was more hops away then TTL allowed…

The IDS lacks “context”

If if if the ids knew more

IF IF IF the IDS knew more…

  • THEN the IDS could tell the IDS operator more about this attack

  • Ron Gula (Tenable) says that alerts are “raw intelligence.” They are data, but are not information yet. We need to turn them into “well-qualified intelligence” to start a war.

Roesch target based ids

Target-based IDS Sensor

The sensor has knowledge about the network

The sensor has knowledge about the hosts

Target-based Event Correlation

The output of the sensor is compared to knowledge of vulnerabilities

Roesch: “Target-Based IDS”

Target-based IDS has two components

Target based ids sensor

Target-based IDS sensor

  • Network Flight Recorder (NFR) and Internet Security Systems (ISS) claim to be shipping IDS sensors that have target-based IDS technology in them

  • Sourcefire is working on putting this into its sensor

  • Other vendors may be including this technology (but I don’t know about them)

Target based ids consoles

Target-based IDS Consoles

  • Information Security asked me to look at three “Target-based IDS” consoles

    • Internet Security Systems “Fusion”

    • Cisco “Cisco Threat Response”

    • Tenable Security “Lightning Console”

Start with a normal ids

IDS sensors generate enormous dinosaur-sized piles of alerts;alerts are sent to the IDS console

Operator gets enormous dinosaur-sized headache looking at hundreds of thousands of alerts

Start with a normal IDS…

… and add brains!

Brains knowledge process


Somehow figure out lots of information about

What systems are out there

What software they are running

What attacks they are vulnerable to


Evaluate each alert with the additional contextual knowledge and decide

To promote the alert

To demote the alert

That we don’t know

Brains=knowledge + process

Approach 1 iss fusion

Approach 1: ISS Fusion

  • NetMgr schedules scanning using ISS Scanner

  • Scan info, including ports & vulnerabilities, flow into SiteProtector

  • Sensor alerts also flow into SiteProtector

  • Fusion reads alerts and assigns priorities for the operator

Variation 2 tenable lightning

Variation 2: Tenable Lightning

  • NetMgr schedules “active scans” using Nessus or NeWT

  • Results are sent to Lightning Console

  • Passive scan results are collected by NeVO

  • Passive results are sent to Lightning

What is passive scanning

What is “Passive Scanning?”

By simply watching the traffic fly by, you can learn a great deal

  • TCP connections have “fingerprints”

    • Fingerprints are useful for identifying the TCP stack (hence: the O/S) involved

    • Existence proof

  • Applications (client & server) have “banners”

    • Banners can reveal application names, version numbers, and patch levels

Tenable continued

Tenable (continued)

  • IDS sensors send alerts to console (Bro, Snort, ISS, Enterasys, NAI)

  • Lightning compares every alert to the known vulnerability database, rejecting all that don’t match an identified vulnerability

Approach 3 cisco ctr

Approach 3: Cisco CTR

  • IDS sensors send alerts to their native console

  • Copies of alerts also go to CTR

  • CTR investigates alerts

  • Alerts plus investigation are available to operator

Scan before vs after

If you scan before…

You can’t verify that an attack actually succeeded

Your scan will always be out of date

If you scan/verify after…

You can verify that an attack did something

You might be a day late (and a dollar short) to catch things

You potentially can create a DoS condition

Scan before vs after

Do they work

Yes, but…

Be careful what you wish for

All products had a significant reduction in IDS alerts


CTR - rolling window of only 1000 events!

Lightning - only shows events with matched vulnerabilities!

Do they work?

What about scanning

When you scan is important

How you scan is important

Where you scan is important


Scanning after the fact can be a problem

Scanning before the fact can be a problem

Passive scanning can miss things

Active scanning can miss things

What about scanning?

Can this quiet my ids down

It could…

But none of the products I looked at have a feedback loop to the IDS!

Why don’t the scanners tell the IDS what ports to look on?

Why don’t the scanners tell the IDS what signatures to ignore?

Can this quiet my IDS down?

Is this right for you


“I already have an IDS and I care about the alerts and I need some way to help prioritize them because I am drowning in alerts!”

“I need to get an IDS for alerts but don’t have the manpower to analyze the alerts.”


“If I get this, my IDS will be a self-tuning smooth-running no-maintenance machine.”

“I have no network security policy that says what to do when an alert occurs.”

Is this right for you?

Advanced intrusion defense

Advanced Intrusion Defense

Joel Snyder

Opus One



Submit your questions to Joel by clicking on the Ask A Question link on the lower left corner of your screen.

More information

More information

Thank you for participating in this SearchSecurity webcast. For more information on intrusion defense, visit our Featured Topic:

  • Login