advanced intrusion defense
Skip this Video
Download Presentation
Advanced Intrusion Defense

Loading in 2 Seconds...

play fullscreen
1 / 25

Advanced Intrusion Defense - PowerPoint PPT Presentation

  • Uploaded on

Advanced Intrusion Defense. Joel Snyder Opus One. Acknowledgements. Massive Support from Marty Roesch, Ron Gula, Robert Graham Products from ISS, Cisco, and Tenable Cash and Prizes from Andy Briney and Neil Roiter.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Advanced Intrusion Defense' - phuong

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
advanced intrusion defense

Advanced Intrusion Defense

Joel Snyder

Opus One


Massive Support from Marty Roesch, Ron Gula, Robert Graham

Products from ISS, Cisco, and Tenable

Cash and Prizes from Andy Briney and Neil Roiter

this is an ids alert
IDS saw a packet aimed at a protected system

IDS magic decoder technology correctly identifies this as “Back Orifice!”

This is an IDS alert…
please don t call that a false positive
IDS developers will jump down your throat

“False Positive” means the IDS cried wolf when there was nosuchattack

Usually the result of poorly written signatures

Instead, let’s invent a complex multisyllable term:“non-contextual alert”

Please don’t call that a False Positive
the ids lacks context
IF the IDS knew that the destination system was not running Windows…

IF the IDS knew that the destination system was not running Back Orifice…

IF the IDS knew that there was no such destination system…

IF the IDS knew that the destination system was more hops away then TTL allowed…

The IDS lacks “context”
if if if the ids knew more
IF IF IF the IDS knew more…
  • THEN the IDS could tell the IDS operator more about this attack
  • Ron Gula (Tenable) says that alerts are “raw intelligence.” They are data, but are not information yet. We need to turn them into “well-qualified intelligence” to start a war.
roesch target based ids
Target-based IDS Sensor

The sensor has knowledge about the network

The sensor has knowledge about the hosts

Target-based Event Correlation

The output of the sensor is compared to knowledge of vulnerabilities

Roesch: “Target-Based IDS”

Target-based IDS has two components

target based ids sensor
Target-based IDS sensor
  • Network Flight Recorder (NFR) and Internet Security Systems (ISS) claim to be shipping IDS sensors that have target-based IDS technology in them
  • Sourcefire is working on putting this into its sensor
  • Other vendors may be including this technology (but I don’t know about them)
target based ids consoles
Target-based IDS Consoles
  • Information Security asked me to look at three “Target-based IDS” consoles
    • Internet Security Systems “Fusion”
    • Cisco “Cisco Threat Response”
    • Tenable Security “Lightning Console”
start with a normal ids
IDS sensors generate enormous dinosaur-sized piles of alerts;alerts are sent to the IDS console

Operator gets enormous dinosaur-sized headache looking at hundreds of thousands of alerts

Start with a normal IDS…

… and add brains!

brains knowledge process

Somehow figure out lots of information about

What systems are out there

What software they are running

What attacks they are vulnerable to


Evaluate each alert with the additional contextual knowledge and decide

To promote the alert

To demote the alert

That we don’t know

Brains=knowledge + process
approach 1 iss fusion
Approach 1: ISS Fusion
  • NetMgr schedules scanning using ISS Scanner
  • Scan info, including ports & vulnerabilities, flow into SiteProtector
  • Sensor alerts also flow into SiteProtector
  • Fusion reads alerts and assigns priorities for the operator
variation 2 tenable lightning
Variation 2: Tenable Lightning
  • NetMgr schedules “active scans” using Nessus or NeWT
  • Results are sent to Lightning Console
  • Passive scan results are collected by NeVO
  • Passive results are sent to Lightning
what is passive scanning
What is “Passive Scanning?”

By simply watching the traffic fly by, you can learn a great deal

  • TCP connections have “fingerprints”
    • Fingerprints are useful for identifying the TCP stack (hence: the O/S) involved
    • Existence proof
  • Applications (client & server) have “banners”
    • Banners can reveal application names, version numbers, and patch levels
tenable continued
Tenable (continued)
  • IDS sensors send alerts to console (Bro, Snort, ISS, Enterasys, NAI)
  • Lightning compares every alert to the known vulnerability database, rejecting all that don’t match an identified vulnerability
approach 3 cisco ctr
Approach 3: Cisco CTR
  • IDS sensors send alerts to their native console
  • Copies of alerts also go to CTR
  • CTR investigates alerts
  • Alerts plus investigation are available to operator
scan before vs after
If you scan before…

You can’t verify that an attack actually succeeded

Your scan will always be out of date

If you scan/verify after…

You can verify that an attack did something

You might be a day late (and a dollar short) to catch things

You potentially can create a DoS condition

Scan before vs after
do they work
Yes, but…

Be careful what you wish for

All products had a significant reduction in IDS alerts


CTR - rolling window of only 1000 events!

Lightning - only shows events with matched vulnerabilities!

Do they work?
what about scanning
When you scan is important

How you scan is important

Where you scan is important


Scanning after the fact can be a problem

Scanning before the fact can be a problem

Passive scanning can miss things

Active scanning can miss things

What about scanning?
can this quiet my ids down
It could…

But none of the products I looked at have a feedback loop to the IDS!

Why don’t the scanners tell the IDS what ports to look on?

Why don’t the scanners tell the IDS what signatures to ignore?

Can this quiet my IDS down?
is this right for you

“I already have an IDS and I care about the alerts and I need some way to help prioritize them because I am drowning in alerts!”

“I need to get an IDS for alerts but don’t have the manpower to analyze the alerts.”


“If I get this, my IDS will be a self-tuning smooth-running no-maintenance machine.”

“I have no network security policy that says what to do when an alert occurs.”

Is this right for you?


Submit your questions to Joel by clicking on the Ask A Question link on the lower left corner of your screen.

more information

More information

Thank you for participating in this SearchSecurity webcast. For more information on intrusion defense, visit our Featured Topic: