
To Intrusion Detection Analysts

To Intrusion Detection Analysts. “Folks! You are the trackers of the 21st century. The signs are there, plain as day. It is up to you to find them and give the interpretation.” Stephen Northcutt et al.





Presentation Transcript


  1. To Intrusion Detection Analysts
     “Folks! You are the trackers of the 21st century. The signs are there, plain as day. It is up to you to find them and give the interpretation.” Stephen Northcutt et al.

  2. Among the hottest 8 categories of IT jobs (1)
     Reference: eWeek, 2nd August 2007
     Web Security Manager
     • Role: Design, implement and maintain security measures to support the information and data security needs of the company's Web sites and applications. Research and evaluate new or improved security measures to protect the network from hackers, cyberterrorists, and any number of viruses and worms determined to penetrate the corporate firewall.
     • Killer Management Trait: Master the art of paranoia. Get in tight with security vendors and engineers.

  3. Among the hottest 8 categories of IT jobs (2)
     Reference: eWeek, 2nd August 2007
     Manager, IT Security
     • Role: Develop and manage all elements of information systems security, including disaster recovery, database protection and software development. Manage IT security analysts to ensure that all applications are functional and secure. Work with the Web Security Manager to find potential vulnerabilities within the network as well as external threats.
     • Killer Management Trait: Attention to detail is at a premium. Must have a wide range of expertise in terms of operating systems, encryption and wireless technologies. The buck stops with you whenever data is compromised.

  4. Intruders
     Intruder: a non-authorized user of a computer system.
     Types of intruders:
     • Masquerader: penetrates a system’s access control list to exploit a legitimate user’s account; usually an outsider.
     • Misfeasor: a legitimate user who accesses resources he is not authorized to access; an insider.
     • Clandestine user: seizes supervisory control and uses it to access resources and to evade audit; may be an outsider or an insider.
     Reference: Anderson J., “Computer Security Threat Monitoring and Surveillance,” James P. Anderson Co., April 1980.

  5. Intruders and Attacks
     • Two types of intruders: (i) sophisticated; (ii) foot soldiers, ready to spend hours searching for weaknesses using tools developed by sophisticated users.
     • Attacks: (i) benign; (ii) serious (three levels: unauthorized access, unauthorized modification, denial of service).
     • Intrusion detection: according to Wikipedia, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource.
     • An Intrusion Detection System (IDS) is designed to detect intruders.

  6. A Brief History of IDS
     • 1980: James P. Anderson, “Computer Security Threat Monitoring and Surveillance,” James P. Anderson & Co., 1980: a study for the USAF.
     • 1986: US Navy’s Space and Naval Warfare Systems Command (SPAWAR) funded research: Dorothy Denning, “An Intrusion Detection Model,” Proceedings of the 1986 IEEE Symposium on Security and Privacy, May 1986, pp. 119-131.
     • 1986-92 1985: US Navy funds development of the Intrusion Detection Expert System (IDES) at Stanford Research Institute (SRI International), based on Denning’s paper.
     • 1987: First Annual ID Workshop at SRI.

  7. A Brief History of IDS (continued)
     • 1989: Todd Heberlein, a student at the University of California, Davis, writes the Network Security Monitor, to be run on a Sun UNIX workstation.
     • 1992: Commercial products: Computer Misuse Detection System (CMDS) by Science Applications International Corp (SAIC), based on the Navy work.
     • 1992: Commercial products: STALKER, based on Haystack Labs work done for the USAF.
     • 1994: A network IDS called ASIM is developed at the Air Force Cryptologic Support Center; the commercial company WheelGroup is formed by scientists of the Center.

  8. A Brief History of IDS (continued 2)
     • 1997: Cisco acquires WheelGroup and incorporates the IDS technology into its routers.
     • 1997: RealSecure for Windows NT by Internet Security Systems.
     • 1999: Presidential Decision Directive 63 establishes the Federal Intrusion Detection Network (FIDNet) to detect attacks on government infrastructure.

  9. Classification of IDSs
     • Statistical anomaly detection:
       • Threshold detection: count the occurrences of anomalous events; if the number crosses a threshold, raise an intrusion alert.
       • Profile-based: regular profiles of the use of the systems by users, groups and applications are created. Similarly, a profile of the use of various system resources can be created. If the usage differs from the profile, raise an intrusion alert.
       • A learning-based system, which continuously updates the profile, may be able to detect a new type of attack.

  10. Classification of IDSs (continued)
     • Statistical anomaly detection (continued):
       -- more false positives (false alerts) and false negatives (attacks which are not detected);
       -- a careful hacker may be able to avoid detection by slowly “training” the system to consider the anomalous situation as the normal state.
     • Signature-based (or misuse-based) detection:
       -- reduces false positives and false negatives;
       -- cannot detect a new type of attack.
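The two detection styles classified above, threshold counting and signature matching, run over a constructed event log as an added example that is not part of the slides. The event layout, the signature table and the threshold value are assumptions; the result shows one false positive of threshold detection and one false negative of signature detection, as the slide describes.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    user: str
    action: str   # "login_fail", "login_ok" or "request"
    detail: str   # request line for "request" events, otherwise empty

# Constructed sample event log, not captured traffic.
EVENTS = [
    Event("alice", "login_fail", ""), Event("alice", "login_fail", ""),
    Event("alice", "login_ok", ""),
    *[Event("bob", "login_fail", "") for _ in range(6)],
    *[Event("backup-svc", "login_fail", "") for _ in range(5)],  # misconfigured job
    Event("carol", "request", "GET /files?name=../../etc/passwd"),
    Event("dave", "request", "GET /index.html"),
    Event("eve", "request", "GET /files?name=..%2f..%2fetc%2fpasswd"),  # same attack, new spelling
]

# Constructed signature table: substrings that identify a known misuse pattern.
SIGNATURES = {"path-traversal": "../../"}

def threshold_alerts(events, limit=5):
    """Statistical threshold detection: alert on every user whose failed-login
    count reaches `limit`. Returns the flagged users, sorted."""
    fails = Counter(e.user for e in events if e.action == "login_fail")
    return sorted(u for u, n in fails.items() if n >= limit)

def signature_alerts(events, signatures=SIGNATURES):
    """Misuse (signature-based) detection: alert when a request carries a known
    pattern. Returns (user, signature name) pairs in log order."""
    return [(e.user, name) for e in events if e.action == "request"
            for name, pat in signatures.items() if pat in e.detail]

if __name__ == "__main__":
    # bob is a real brute-force attempt; backup-svc is a false positive of the threshold.
    print(threshold_alerts(EVENTS))
    # carol's request is caught; eve's variant is a false negative of the signature table.
    print(signature_alerts(EVENTS))
```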

  11. Intrusion Process
     • Reconnaissance
     • Intrusion
     • Exploitation
     • Reinforcement
     • Consolidation
     • Pillage
     Problems caused by intrusion:
     • Loss of business (through DoS etc.)
     • Loss of (i) integrity of data, (ii) privacy, (iii) personal data, (iv) faith in the business process
     • Legal liability

  12. Intrusion Detection Systems

  13. “Malware payloads have been boring… Payloads can be malign and I expect that we’ll see more devious payloads over the next few years.” - Bruce Schneier, author of Applied Cryptography
     FIREWALLS

  14. Firewall: a definition
     • A firewall is a set of related hardware and/or software which protects the resources of a private network from intruders.
     • It watches a single point rather than every PC.
     A firewall provides strict access control between the protected systems and the outside world. Two jobs in general:
     1. Packet filtering
     2. Application proxy server

  15. Packet-Filtering Router
     • Applies a set of rules to each incoming IP packet and then forwards or discards the packet, usually for both directions.
     • The rules are mainly based on the IP and transport (TCP or UDP) headers, including:
       • source and destination IP address,
       • IP protocol field,
       • TCP/UDP port number.

  16. Application Proxy Server
     Acts as a relay of application-level traffic. Users contact the gateway using a TCP/IP application (such as FTP or Telnet), giving the remote host to be accessed. The gateway then contacts the application on the remote host and conveys TCP segments containing the application data between the two endpoints.

  17. Firewall Limitations
     A firewall cannot:
     • protect against attacks that bypass the firewall (e.g. a dial-up modem);
     • protect against the transfer of virus-infected files;
     • prevent people walking out with disks.
     A firewall may not protect against internal threats, such as a bad employee.

  18. Packet Filtering: Advantages and Disadvantages
     Advantages: fast, flexible, and inexpensive.
     Disadvantages:
     • lack the ability to provide detailed audit information about the traffic they transmit;
     • vulnerable to attack.
     A firewall can become a bottleneck for a big system. Remedy: multiple firewalls in parallel, divided by function?

  19. Firewalls
     Types of filtering policy:
     • Deny everything not specifically allowed.
     • Allow everything not specifically denied.
     Structure:
     • All packets into and out of the protected network must pass through the firewall.
     • The firewall itself cannot be penetrated.

  20. Firewalls: the common architecture
     The most common firewall architecture contains at least four hardware components:
     • an (exterior) router,
     • a secure server (called a bastion host),
     • an exposed network (called a perimeter network),
     • an (interior) filtering router.

  21. Firewall: an example
     • Screened subnet type of firewall (diagram).

  22. Firewall: an example (continued)
     • Exterior router: uses packet filtering to eliminate packets coming from the external world that have a source address matching that of the internal network.
     • The interior router does the bulk of the access control work. It filters packets on
       • address,
       • protocol and
       • port numbers
       to control the services that are accessible to and from the interior network.
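The two routers of the screened subnet above, written out as an added example (not code from the slides): the exterior router applies the anti-spoofing check, the interior router applies address/protocol/port rules under the "deny everything not specifically allowed" policy from slide 19. The internal range, the bastion address and the rule set are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")   # constructed internal address range
BASTION = "10.1.1.10"                 # constructed bastion host address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # destination port, 0 when the protocol has none
    inbound: bool    # True when the packet arrives from the outside

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "any"
    dst: str = "any"                 # CIDR or "any"
    dport: Optional[int] = None
    inbound: Optional[bool] = None   # None matches either direction

    def matches(self, p: Packet) -> bool:
        return ((self.proto in ("any", p.proto))
                and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport)
                and (self.inbound is None or self.inbound == p.inbound))

def exterior_router(p: Packet) -> str:
    """Anti-spoofing filter: an inbound packet whose source address claims
    to be inside the protected network is dropped at the exterior router."""
    return "deny" if p.inbound and ip_address(p.src) in INTERNAL else "pass"

def interior_router(p: Packet, rules) -> str:
    """First matching rule wins; anything not explicitly allowed is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed policy: the outside may only reach web and DNS on the bastion
# host; inside hosts may open TCP connections outward.
RULES = [
    Rule("allow", "tcp", BASTION + "/32", 80, inbound=True),
    Rule("allow", "tcp", BASTION + "/32", 443, inbound=True),
    Rule("allow", "udp", BASTION + "/32", 53, inbound=True),
    Rule("allow", "tcp", inbound=False),
]

def filter_packet(p: Packet, rules=RULES) -> str:
    """Run the packet through both routers and return 'allow' or 'deny'."""
    return "deny" if exterior_router(p) == "deny" else interior_router(p, rules)
```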

  23. Bastion Host
     • A secure server, specifically designed and configured to withstand attacks.
     • Generally hosts a single application, for example a proxy server; all other services and end-user software are removed or limited to reduce the threat to the computer.
     • Provides an interconnection point between the enterprise network and the outside world for some restricted services.
     • Runs an IDS on the host; regular security audits.
     • User accounts, especially root or administrator accounts, are locked down; authentication is used for logging; encrypted storage.

  24. Bastion Host (2)
     • Some of the services that are restricted by the interior gateway may be essential for a useful network. Those essential services are provided through the bastion host in a secure manner. The bastion host provides some services directly, such as:
       • Web server
       • Domain Name System server
       • E-mail services
       • anonymous File Transfer Protocol
       • proxy server
       • honeypot
       • VPN server

  25. Multiple Bastion Hosts (3)
     Reference: http://www.yourdictionary.com/computer/bastion-host as of 24 Oct 2009

  26. Bastion Host (4)
     • When the bastion host acts as a proxy server, internal clients connect to the outside world through the bastion host and external systems respond back to the internal clients through the host.
     • In an enterprise, bastion hosts are the only host computers that are allowed to be addressed directly from the public network;
     • they are designed to screen the rest of the enterprise network from security exposure.

  27. Firewall Locations
     Figure: typical enterprise network topology (without VPN), showing the public Internet, routers (R), an authentication server, remote clients, a remote access server, the corporate intranet, and extranet links with trading partners.

  28. Network Address Translator
     • NA(P)T: network address (and port) translators are not firewalls, but can prevent all incoming connections.

  29. NAT

  30. IPS vs IDS
     • NEW: IPS: Intrusion Prevention Systems.
     • IDS: Intrusion Detection Systems: IDS devices sit on a monitor port and simply report problems.
     • While an IPS device takes action, IDS products usually just send an alert to an IT staff person, who must then evaluate the alert and take action.
     • Problems with IPS:
       • costly;
       • needs to be periodically tuned so that good traffic is not inadvertently dumped.

  31. IPS devices
     • operate inline, often at wire speed;
     • are tuned to drop bad traffic from the network;
     • most IPS devices must be used in conjunction with a firewall at the perimeter;
     • process packet contents, not just the headers;
     • track the state of network connections quickly and thwart DoS (denial-of-service) attacks by rapidly identifying malicious connections (through fast identification, statistical pattern analysis and re-routing of suspect traffic to a mitigation engine, which examines the traffic carefully). However, no method can eliminate the problem of bandwidth starvation for valid users.

  32. Another method of classification
     Figure: a grid classifying tools by IDS vs IPS and host-based vs network-based. Examples named: Tripwire / Advanced Intrusion Detection Environment (AIDE) (host-based) and Snort (network-based).
     References:
     • for AIDE: http://www.cyberciti.biz/faq/debian-ubuntu-linux-software-integrity-checking-with-aide/ (as of Nov. 09, 09)
     • for Lak: http://lak-ips.sourceforge.net/ (as of Nov. 09, 09)
     • for Sechost IPS: http://sourceforge.net/projects/sechost/ (as of Nov. 09, 09)
     • for WHIPS: http://sourceforge.net/projects/whips/ (as of Nov. 09, 09)

  33. Components of a Network-based IDS
     • Data collection system: the data collection points are to be properly chosen:
       • no unnecessary data is to be collected;
       • no useful data may be missed.
       For a distributed IDS, the data collection points may be located all over the system; data is collected through multiple, properly placed promiscuous sensors.
     • Analyzer: using the data, the analyzer detects whether an intrusion has taken place. The analyzer is usually a central node, to which data from the different collection points is brought. (Compare a firewall: it denies access to a particular service or host by checking each packet against a set of rules.)

  34. Components of a Network-based IDS (2)
     • Alert generation system
     • Alert notifier and command/console manager
     • Response subsystem: shutting down a connection or a port, or reconfiguring a router
     • Database

  35. Accessing the packets
     • Old networks without a modern network switch:
       • every packet on the network arrived at every network card;
       • put the card in promiscuous mode;
       • tcpdump, through the operating system, could capture every packet.
     • Now a segment/link carries only the packets from or to the hosts connected to that segment.

  36. Accessing the packets (continued)
     On a fully switched network, tcpdump is able to log only:
     • traffic from and to the host;
     • broadcast traffic.
     Solutions:
     • Use a SPAN (Switched Port Analyzer) port.
     • Use hardware taps.
     SPAN ports are used for port mirroring or port monitoring.

  37. Accessing the packets (continued 2)
     • A SPAN port can be configured to mirror transmitted and/or received traffic from/to another port or set of ports of the switch.
     • Precaution: the SPAN port bandwidth must be sufficient to mirror the traffic of the other ports it is configured to mirror.

  38. Data Format
     • The collected data: log files, usually in the tcpdump format (http://www.tcpdump.org).
     • For IDS systems to exchange information, the Internet Engineering Task Force (IETF) Intrusion Detection Working Group (IDWG) (http://www.ietf.org/html.charters/idwg-charter.html) has proposed:
       • RFC 4765: Intrusion Detection Message Exchange Format (IDMEF)
       • RFC 4766: Intrusion Detection Message Exchange Requirements
       • RFC 4767: Intrusion Detection Exchange Protocol (IDXP)

  39. RFC 4765: Intrusion Detection Message Exchange Format
     RFC 4765:
     • defines data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them;
     • describes a data model to represent information exported by IDSs and explains the rationale for using this model, with an implementation of the data model in the Extensible Markup Language (XML);
     • develops an XML Document Type Definition and provides examples.
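The IDMEF data model above, as an added example that is neither the slides' nor RFC 4765's own code: a minimal Alert (the mandatory Analyzer, CreateTime and Classification elements plus one Source and one Target address) is serialized and parsed back with Python's standard library. The sensor id, message id, timestamps and addresses are constructed sample values.

```python
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"          # IDMEF XML namespace (RFC 4765)

def q(tag):
    """Qualified tag name in the IDMEF namespace."""
    return f"{{{NS}}}{tag}"

def build_alert(analyzer_id, msg_id, ntpstamp, iso_time, src_ip, dst_ip, text):
    """Serialize a minimal IDMEF Alert: the mandatory Analyzer, CreateTime and
    Classification plus one Source and one Target node address."""
    ET.register_namespace("idmef", NS)
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, q("Alert"), messageid=msg_id)
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)
    ET.SubElement(alert, q("CreateTime"), ntpstamp=ntpstamp).text = iso_time
    for tag, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, q(tag)), q("Node"))
        addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
    ET.SubElement(alert, q("Classification"), text=text)
    return ET.tostring(root, encoding="unicode")

def parse_alert(xml_text):
    """Pull the analyst-relevant fields back out of an IDMEF Alert message."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    addr_path = "/".join(q(t) for t in ("Node", "Address", "address"))
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": alert.find(q("Analyzer")).get("analyzerid"),
        "created": alert.findtext(q("CreateTime")),
        "source": alert.findtext(q("Source") + "/" + addr_path),
        "target": alert.findtext(q("Target") + "/" + addr_path),
        "classification": alert.find(q("Classification")).get("text"),
    }

# Constructed sample values, not a real sensor's output.
SAMPLE = build_alert("sensor-dmz-1", "msg-0001", "0xc0cc9d3b.0x00000000",
                     "2009-11-09T10:01:25Z", "192.0.2.50", "192.0.2.200",
                     "Port scan against bastion host")
```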

  40. RFC 4766: Intrusion Detection Message Exchange Requirements
     RFC 4766 specifies requirements for a communication protocol for communicating IDMEF. These requirements are used:
     • to evaluate existing communication protocols;
     • to work out the need for a new communication protocol; and
     • to evaluate newly proposed solutions.
     References:
     1. IDMEF (Intrusion Detection Message Exchange Format), RFC 4765, March 2007, Category: Experimental, http://www.ietf.org/rfc/rfc4765.txt, as of Nov 09, 2009
     2. Intrusion Detection Message Exchange Requirements, RFC 4766, March 2007, Category: Informational, http://www.rfc-archive.org/getrfc.php?rfc=4766, as of Nov 09, 2009

  41. RFC 4767: Data Exchange Protocol
     IDXP:
     • an application-level protocol for exchanging data between intrusion detection entities;
     • supports mutual authentication, integrity, and confidentiality over a connection-oriented protocol;
     • provides for the exchange of IDMEF messages, unstructured text, and binary data.
     Reference: IDXP (Intrusion Detection Exchange Protocol), RFC 4767, March 2007, Category: Experimental, http://www.ietf.org/rfc/rfc4767.txt, as of Nov 09, 2009

  42. Reading Log Files
     • Log files can be created
       • by general Internet performance study tools or
       • by scanning tools.
     Most of the Internet performance tools are freeware. Some of the scanning tools are also available free.

  43. ID Analysis Methods
     Practical method: issues of interest:
     • Network or system log: the trace of an event of interest. Using the log, one can find the
       -- false positives (false alerts),
       -- false negatives (the events of interest that are missed),
       -- false interpretations
       generated by an IDS. A dangerous tendency of assuming familiarity with things that we do not know is the root cause of false solutions.
     • Source of detection (e.g. Snort IDS).
     • Probability that the source address was spoofed (collateral/third-party effects).

  44. ID Analysis Methods (continued)
     Reference: http://www.sans.org/resources/tcpip.pdf for information on TCP/IP in a flyer format.
     • Description of the attack and attack mechanism: look for signatures of well-known attacks. Ask:
       • Is this a stimulus or a response?
       • What service is being targeted?
       • Known exposures or vulnerabilities of the service?
       • DoS?
       • Serious or benign?
       • Pillage / consolidation / reinforcement / exploitation / reconnaissance?
     • Evidence of active targeting.
     • Defensive recommendations.

  45. Formats of some well-known Packets/Frames (Slides 17-26)

  46. TCP Segment: Format
     Figure: the standard TCP header layout, with the field widths shown on the slide: source port (16 bits), destination port (16 bits), sequence number (32 bits), acknowledgment number (32 bits), data offset (4 bits), reserved (6 bits), flags (6 bits), window (16 bits), checksum (16 bits), urgent pointer (16 bits), options (if any). The header is 20-60 bytes in size.

  47. TCP Segments: Flags
     Out of the last 4 flags, normally only one is ON at a time.

  48. (IP header figure)
     • Flags: 3 bits: the first bit is reserved; the second bit is DF (Don't Fragment); the third bit is MF (More Fragments).
     • The last 2 bits of the Type of Service field form the Explicit Congestion Notification field.
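The header fields from the three slides above, decoded from raw bytes as an added example (not code from the slides): the IPv4 flag bits (reserved, DF, MF) and ECN bits, the six TCP flags, and a check for the flag combinations the slide 47 rule treats as abnormal. The packet bytes are constructed, with checksums left at zero.

```python
import struct

# Bits of the 6-bit TCP flags field, most significant first.
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

def parse_ipv4(buf):
    """Decode the IPv4 fields an analyst reads first, including the 3-bit
    flags (reserved, DF, MF) and the 2-bit ECN field of the old ToS byte."""
    (ver_ihl, tos, total_len, _ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes, 20-60
    return {"version": ver_ihl >> 4, "ihl": ihl, "ttl": ttl, "proto": proto,
            "ecn": tos & 0x03,
            "df": bool(frag & 0x4000),         # second flag bit: Don't Fragment
            "mf": bool(frag & 0x2000),         # third flag bit: More Fragments
            "frag_offset": frag & 0x1FFF,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": buf[ihl:total_len]}

def parse_tcp(buf):
    """Decode the fixed 20-byte TCP header and name the flags that are set."""
    (sport, dport, seq, ack, off_res, flags,
     win, _csum, urg) = struct.unpack("!HHIIBBHHH", buf[:20])
    names = {n for i, n in enumerate(reversed(TCP_FLAGS)) if flags & (1 << i)}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_res >> 4) * 4, "flags": names,
            "window": win, "urgent": urg}

def suspicious_flags(flags):
    """Flag combinations a detection rule would report: none set, SYN with
    FIN, or more than one of PSH/RST/SYN/FIN (the slide's 'last 4 flags')."""
    reasons = []
    if not flags:
        reasons.append("no flags set")
    if {"SYN", "FIN"} <= flags:
        reasons.append("SYN and FIN set together")
    if len(flags & {"PSH", "RST", "SYN", "FIN"}) > 1:
        reasons.append("more than one of PSH/RST/SYN/FIN set")
    return reasons

def build_sample(tcp_flags=0x02):
    """Constructed packet, not a capture: 192.0.2.1 -> 192.0.2.2, TCP 40000 -> 80,
    DF set, no options, checksums zero. Default flags = SYN only."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp

def decode(buf):
    """IPv4 header plus the TCP header when the protocol field says TCP (6)."""
    ip = parse_ipv4(buf)
    return {"ip": ip, "tcp": parse_tcp(ip["payload"]) if ip["proto"] == 6 else None}
```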

  49. Data Link Layer: Physical Network
     Example: Ethernet (IEEE 802.3)
     • 1973: Bob Metcalfe’s PhD thesis at Harvard University on Ethernet. Protocol: Carrier Sense Multiple Access / Collision Detect (CSMA/CD). XEROX PARC Research Lab.
     • 1978: XEROX, Intel and Digital request IEEE to standardize Ethernet.

  50. IEEE 802.3 Standard
     Figure: frame layout: preamble (8 bytes), destination address (6 bytes), source address (6 bytes), type (2 bytes = 16 bits), data (46B-1500B = 368-12,000 bits), CRC (4 bytes). CRC: Cyclic Redundancy Check.
     Example of an address, called the hardware / physical / MAC address: 98:BD:BC:34:E5:2A
