Incident Response by dffhrtcv3


Lesson 8
Detection Systems

    •   History
    •   Definitions
    •   Common Commercial IDS
    •   Specialized IDS

UTSA IS 6353 ID &Incident Response
Why Even Bother?
      • “One of the problems with anomaly detection is that even the current best research systems have something like a 75% success rate.”
        Marcus Ranum, Network Flight Recorder

Intrusion Detection Defined
      • The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity, or availability of a computer or network, or to bypass its security mechanisms.

General Thoughts about ID

      • No Defense is Impenetrable
           – Vulnerabilities exist to bypass system security
           – Automated tools exist to find and exploit vulnerabilities
      • A methodology to detect and report suspicious host and network activity must be implemented
      • IDS Goal: to characterize attack manifestations to positively identify all true attacks without falsely identifying non-attacks
      • ID is an instance of the general signal detection

                                     Why use ID?
    • Increase the perceived risk of discovery and
    • To detect attacks not prevented by other means
    • Detect and deal with probing
    • Document existing threats
    • QC for security design and admin
    • Forensics for improved security or prosecution

                                     Goals of IDS
      • Accountability - “I can deal with security
        attacks that occur on my systems as long as
        I know who did it (and where to find
      • Response - “I don’t care who attacks my
        system as long as I can recognize that the
        attack is taking place and block it.”

                                 History of ID
      • 1980 - John Anderson’s: Computer Security
        Threat Monitoring and Surveillance
      • 1987 - Dorothy Denning: An Intrusion
        Detection Model
           – Laid groundwork for commercial products
      • First IDS, circa 1993: USAF ASIM

Generic Intrusion Detection Model

(Diagram) Event Generator (audit trails, network packets, application logs) -> Rule Set/Detection Engine -> outputs: Update Profile; Create Anomaly Records; Define new & modify existing rules
Model Components
      • Rule Set - inference engine decides whether an intrusion has occurred, or a generic detector examining events and state data using models, rules, patterns and statistics to flag intrusive behavior
      • Activity Profile - maintains the state of the system or network being monitored
           – Feedback critical
           – No architectural limitations
           – Rule base can learn if
Canonical 9-track Tape Audit Trail

(Diagram) 9-track tape audit trail -> Preprocessor (Unisys 1100) -> Statistical Analysis (Z-248 PC)

Intrusion Detection Expert System (IDES)

(Diagram; components) Audit Records -> Receiver -> Active Data Collector -> Audit Data -> Expert System and Anomaly Detector; Profile Updater; Security Admin Interface
Multics Intrusion Detection and Alerting System (MIDAS)

(Diagram; components) Command Monitor, Audit Records, Network Interface, Fact Base, Statistical Data Base, Rule Base, System Security Monitor (platform label: Symbolics)
Network Security Monitor (NSM)

(Diagram) Network Traffic -> Packet Catcher -> Filter -> Object Detector & Analyzer -> Report Generator

   Network Profile – which systems normally connect to which others using what service.
   During a 2 month period, 110,000 connections analyzed at UC-Davis, NSM correctly identified over 300 intrusions; only 1% had been detected by admins.
Distributed IDS (DIDS)

(Diagram) DIDS Director connected to a LAN Monitor and to host monitors on Monitored Hosts; Unmonitored hosts share the LAN but report nothing

Cooperating Security Monitors (CSM)

(Diagram) Monitor -> Interface -> CSM, exchanging with other CSMs


                         Current IDS Trends
      •   Immature
      •   Manpower intensive
      •   High false alarm rates
      •   Dynamic to the point of instability
      •   Quietly Evolving

Type of IDS
      • Signature based systems
           – Attack descriptions that can be matched to sense attack manifestations
      • Anomaly based detectors
           – Treat “unusual” or “abnormal” activity as intrusion

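The generic model above (event generator, activity profile, rule set, anomaly records) and the two detector types on this slide, as an added example that is not from the lecture: a toy detector whose activity profile is an NSM-style network profile (which hosts talk to which over what service) and whose rule set holds one signature rule and one anomaly rule. All hosts, services, events and the signature pattern are constructed for illustration.

```python
from collections import Counter

# Constructed training-period connections: (src, dst, service). This is the
# activity profile in the NSM sense: which hosts talk to which, over what service.
BASELINE = ([("10.0.0.5", "10.0.0.20", "smtp")] * 40
            + [("10.0.0.7", "10.0.0.20", "http")] * 30
            + [("10.0.0.5", "10.0.0.21", "ssh")] * 5)

# Signature rule set: a known attack manifestation written as an exact byte pattern.
# Constructed for illustration (a directory-traversal-style sequence in HTTP).
SIGNATURES = {("http", b"../.."): "path traversal sequence in HTTP request"}

def build_profile(events):
    """Activity profile: how often each (src, dst, service) triple was observed."""
    return Counter(events)

def anomaly_score(profile, conn):
    """1.0 = never seen before; approaches 0.0 for the most common connections."""
    return 1.0 - profile.get(conn, 0) / sum(profile.values())

def update_profile(profile, conn):
    """Feedback step of the model: fold a reviewed, benign event back into the baseline.
    Only reviewed events should be fed back, or an attacker can train the profile."""
    profile[conn] += 1

def detect(profile, events, threshold=0.99):
    """Detection engine: signature rules first, then the anomaly rule. Returns anomaly records."""
    records = []
    for src, dst, svc, payload in events:
        conn = (src, dst, svc)
        for (sig_svc, pattern), name in SIGNATURES.items():
            if svc == sig_svc and pattern in payload:
                records.append({"type": "signature", "rule": name, "event": conn})
        score = anomaly_score(profile, conn)
        if score >= threshold:   # lower threshold = more catches, more false alarms
            records.append({"type": "anomaly", "score": round(score, 3), "event": conn})
    return records

# Constructed events for the detection period: (src, dst, service, payload)
SAMPLE_EVENTS = [
    ("10.0.0.7", "10.0.0.20", "http", b"GET /index.html HTTP/1.0"),  # normal
    ("10.0.0.7", "10.0.0.20", "http", b"GET /a/../../b HTTP/1.0"),   # known flow, bad content
    ("192.0.2.9", "10.0.0.21", "ssh", b"SSH-2.0-client"),            # never-seen peer
    ("10.0.0.5", "10.0.0.21", "ssh", b"SSH-2.0-client"),             # rare but known
]

if __name__ == "__main__":
    for rec in detect(build_profile(BASELINE), SAMPLE_EVENTS):
        print(rec)
```

The second event is caught only by the signature rule (its flow is normal), the third only by the anomaly rule, and the fourth by neither at this threshold, which is the false-alarm trade-off the slides keep returning to.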
IDS Classification
      Can base classification on what they sense
           – Network based systems (NIDS)
                 • Sense packets on a network segment
                 • Easy to deploy, but they suffer throughput problems
           – Host-based systems (HIDS)
                 • Inspect audit or log data
                 • Can affect performance on the host
           – Hybrids
                 • Combine the best of both

Intrusion Detection System--Network Based: “A Layer in the Defense”

(Diagram; recoverable labels: Adversary, DMZ Server(s))


Network Based IDS
   • Some detect intrusions after the bad guy is inside… but at least you know
   • Others detect attacks (attack detection systems)
   • Location in the architecture determines which one you have
   • The number of IDSes in the architecture can add protection
   • The balance is between being inundated with false alarms and alert conditions requiring action
   • Ideal NIDS installation: start by adding as few sensors as possible
IDS Correlation: Signature & Behavior

(Figure; Ref: Avi Chesla, ISSA Journal Nov 2005)
Host based IDS
   • Set up a HIDS like a selective burglar alarm
   • Deploy HIDS on critical servers devoid of interactive users
   • Configuration options
        – Critical file modification
        – When log files get smaller
        – Process table grows larger than normal or too fast

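The three configuration options listed above, as an added example that is not from the lecture: each trigger checked against constructed host snapshots rather than a live system. Snapshot layout, file paths, log sizes and the thresholds are assumptions for illustration.

```python
import hashlib

def fingerprint(files):
    """Baseline for critical files: path -> SHA-256 of contents."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def check_critical_files(baseline, current_files):
    """Critical file modification: compare current hashes against the stored baseline."""
    now = fingerprint(current_files)
    alerts = [f"modified: {p}" for p in baseline if p in now and now[p] != baseline[p]]
    alerts += [f"missing: {p}" for p in baseline if p not in now]
    return alerts

def check_log_shrink(prev_sizes, cur_sizes):
    """Log files getting smaller: logs only grow between rotations, so shrinkage
    hints at tampering. Schedule this check away from rotation times to avoid noise."""
    return [f"log shrank: {p} {prev_sizes[p]}->{cur_sizes.get(p, 0)}"
            for p in prev_sizes if cur_sizes.get(p, 0) < prev_sizes[p]]

def check_process_table(history, max_procs=200, max_growth_per_interval=50):
    """Process table larger than normal (absolute cap) or growing too fast
    (delta between the last two samples). history is oldest first."""
    alerts = []
    if history[-1] > max_procs:
        alerts.append(f"process table above normal: {history[-1]} > {max_procs}")
    if len(history) > 1 and history[-1] - history[-2] > max_growth_per_interval:
        alerts.append(f"process table grew too fast: +{history[-1] - history[-2]} in one interval")
    return alerts

# Constructed snapshots (paths and contents are placeholders, not real system files)
BASE_FILES = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\n", "/bin/login": b"\x7fELF-login-v1"}
CUR_FILES = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\n", "/bin/login": b"\x7fELF-login-v2"}
PREV_LOGS = {"/var/log/auth.log": 48_000, "/var/log/messages": 120_000}
CUR_LOGS = {"/var/log/auth.log": 2_000, "/var/log/messages": 121_500}
PROC_HISTORY = [90, 92, 95, 180]   # process counts per sampling interval

def run_checks():
    """Run all three HIDS triggers over the constructed snapshots."""
    return (check_critical_files(fingerprint(BASE_FILES), CUR_FILES)
            + check_log_shrink(PREV_LOGS, CUR_LOGS)
            + check_process_table(PROC_HISTORY))

if __name__ == "__main__":
    for alert in run_checks():
        print(alert)
```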
          What the different levels of IDS do
   • Host-based Intrusion Detection
        – Will catch users logged directly into a system
        – Will miss network actions (the network as a whole)
   • Network-based Intrusion Detection
        – Will miss individual actions on the host the user is
          logged directly into.
        – Will be able to see attacks on multiple hosts (“door
          knob rattling”).
        – Where do you place the IDS? On the LAN or on the
          outside of the router (the connection to the Internet)?
Five Functional Areas of HIDS

(Diagram; recoverable labels: Log/Event Monitoring, File Integrity, Network Traffic Monitoring, System)

                                McAfee HIPS

        And what about IDS and the PSTN?
      • Two aspects
           – Detection of intrusions into the IP network
             from the PSTN
           – Detection of intrusions into the PSTN and its
      • Do you
           – Have a separate system, or
           – Feed current IDS with data from the PSTN?

                          Strengths of IDSes
  • Monitor and analysis of system events and user
  • Testing security states of system configurations
  • Recognizing known attack patterns
  • Recognizing anomalies
  • Measuring security policy enforcement
  • Managing Data Flow

                       Weaknesses of IDSes
      • Compensating for weak or missing security
      • Instantaneous detection, reporting, and
        attack response
      • Detecting newly published attacks
      • Compensating for info source fidelity
      • Reducing manpower needs

IDS Adjusted Expectations
      • Consider a building with motion detectors
           – Works great when the building is empty
           – But if activated during the day, many false positives
           – Building managers don’t expect them to work during the day
      • It’s possible to set up a network-based IDS (NIDS) and a host-based IDS (HIDS) to limit false positives

                   Monitoring and the Law
      • Issue is expectation of privacy – does the
        individual have one?
      • You generally need to inform individuals using
        the system that their actions are subject to
           – Government systems have the warning banner.
           – This advice also issued by CERT (CA-92:19) for
             anybody wanting to monitor keystrokes.
      • Note that it is considered not enough to notify all
        authorized users (when they are issued their initial
        password for example), it must be displayed each
        time at login.
IDS Fad
      • “People buy the hottest IDS tool that will be very good about telling them about DOS in the network, but is useless detecting problems inside the host.”
        Matt Bishop, UC Davis


 • Detection of Incidents
 • Basic IDS Model-History
 • IDS Types and Classification

