Incident Response
Lesson 8: Intrusion Detection Systems
Overview

• History
• Definitions
• Common Commercial IDS
• Specialized IDS

UTSA IS 6353 ID &Incident Response
Why Even Bother?
• “One of the problems with anomaly detection is that even the current best research systems have something like a 75% success rate.”
  Marcus Ranum, Network Flight Recorder

Intrusion Detection Defined
• The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity or availability of a computer or network, or to bypass its security mechanisms.

General Thoughts about ID

• No Defense is Impenetrable
  – Vulnerabilities exist to bypass system security precautions
  – Automated tools exist to find and exploit vulnerabilities
• A methodology to detect and report suspicious host and network activity must be implemented
• IDS Goal: to characterize attack manifestations so as to positively identify all true attacks without falsely identifying non-attacks
• ID is an instance of the general signal detection problem

Why use ID?
• Increase the perceived risk of discovery and punishment
• To detect attacks not prevented by other means
• Detect and deal with probing
• Document existing threats
• QC for security design and admin
• Forensics for improved security or prosecution

Goals of IDS
• Accountability - “I can deal with security attacks that occur on my systems as long as I know who did it (and where to find them).”
• Response - “I don’t care who attacks my system as long as I can recognize that the attack is taking place and block it.”

History of ID
• 1980 - John Anderson: Computer Security Threat Monitoring and Surveillance
• 1987 - Dorothy Denning: An Intrusion Detection Model
  – Laid groundwork for commercial products
• First IDS, circa 1993: USAF ASIM

Generic Intrusion Detection Model

[Figure: Generic intrusion detection model. An Event Generator (fed by audit trails, network packets and application logs, with a clock) supplies events to an Activity Profile (update profile state) and to a Rule Set/Detection Engine. Feedback paths: design new profiles, create anomaly records, define new and modify existing rules.]

Model Components
• Rule Set - inference engine that decides whether an intrusion has occurred, or a generic detector examining events and state data using models, rules, patterns and statistics to flag intrusive behavior
• Activity Profile - maintains state of the system or network being monitored
  – Feedback critical
  – No architectural limitations
  – Rule base can learn if programmed

Haystack

[Figure: Haystack architecture. Audit data from a Unisys 1100 goes through a preprocessor to produce a canonical audit trail on 9-track tape; the tape is loaded into a statistical analysis stage on a Z-248 PC, which produces reports.]

Intrusion Detection Expert System (IDES)

[Figure: IDES architecture. Audit records pass through a receiver into audit data used by an expert system; an active data collector feeds active data to an anomaly detector, which produces anomaly data; a profile updater maintains profile data; results are presented through a security admin interface.]

Multics Intrusion Detection and Alerting System (MIDAS)

[Figure: MIDAS architecture. On the Multics side: Command Monitor, Audit Records, Preprocessor, Network Interface. On the Symbolics side: Fact Base, Statistical Data Base, Rule Base, System Security Monitor.]

Network Security Monitor (NSM)

[Figure: NSM architecture. Network Traffic -> Packet Catcher -> Filter -> Object Detector & Analyzer -> Report Generator, with a Traffic Archive.]

Network Profile – which systems normally connect to which others using what service.
During a 2-month period in which 110,000 connections were analyzed at UC-Davis, NSM correctly identified over 300 intrusions; only 1% of these had been detected by admins.

Distributed IDS (DIDS)

[Figure: DIDS architecture. A DIDS Director coordinates monitors on monitored hosts and a LAN Monitor; unmonitored hosts share the same LAN.]

Cooperating Security Monitors (CSM)

[Figure: CSM architecture. Components: Command Monitor, User Interface, Local IDS, CSM, Other CSMs, Intruder Handler.]

Current IDS Trends
• Immature
• Manpower intensive
• High false alarm rates
• Dynamic to the point of instability
• Quietly evolving

Type of IDS
• Signature based system
  – Attack description that can be matched to sense attack manifestations
• Anomaly based detectors
  – Equate “unusual” or “abnormal” with intrusions

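To make the signature/anomaly distinction concrete, together with the NSM-style network profile (which hosts normally talk to which others over which service) and the signal-detection framing from earlier slides, here is an added Python example that is not part of the lecture. All hosts, services, byte counts and labels are constructed; the profile is assumed to be built from an attack-free training window.

```python
"""Toy NIDS: signature rule plus NSM-style profile anomaly rule (added example)."""
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "src dst service bytes label")  # label = ground truth

# Constructed training window, assumed attack-free, used to build the profile.
TRAINING = [
    Conn("10.0.0.5", "10.0.0.10", "smtp", 2000, "normal"),
    Conn("10.0.0.5", "10.0.0.10", "smtp", 1800, "normal"),
    Conn("10.0.0.6", "10.0.0.20", "http", 900, "normal"),
    Conn("10.0.0.7", "10.0.0.20", "http", 1200, "normal"),
]

# Constructed test window with labels so the detector can be scored.
TEST = [
    Conn("10.0.0.5", "10.0.0.10", "smtp", 2100, "normal"),
    Conn("10.0.0.6", "10.0.0.20", "http", 880, "normal"),
    Conn("10.0.0.9", "10.0.0.10", "telnet", 300, "attack"),  # unseen pair/service
    Conn("10.0.0.6", "10.0.0.20", "http", 40000, "attack"),  # known pair, matches signature
    Conn("10.0.0.7", "10.0.0.10", "smtp", 1500, "normal"),   # legitimate but unprofiled
]

# Signature rules: named attack descriptions matched against each connection.
SIGNATURES = [
    ("oversized-http", lambda c: c.service == "http" and c.bytes > 10000),
]

def build_profile(conns):
    """Activity profile: how often each (src, dst, service) triple was seen."""
    return Counter((c.src, c.dst, c.service) for c in conns)

def detect(conn, profile):
    """Alerts for one connection: signature hits first, then the anomaly rule."""
    alerts = [name for name, rule in SIGNATURES if rule(conn)]
    if (conn.src, conn.dst, conn.service) not in profile:
        alerts.append("unprofiled-connection")   # anomaly: never seen in training
    return alerts

def score(conns, profile):
    """Signal-detection tally: hit, miss, false_alarm, correct_rejection."""
    tally = Counter()
    for c in conns:
        flagged = bool(detect(c, profile))
        if c.label == "attack":
            tally["hit" if flagged else "miss"] += 1
        else:
            tally["false_alarm" if flagged else "correct_rejection"] += 1
    return dict(tally)
```

The last test record shows the trade-off the slides describe: a legitimate connection outside the profile is a false alarm, and widening the profile to silence it would also hide the unseen telnet connection.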
IDS Classification
Can base classification on what they sense
  – Network based systems (NIDS)
    • Sense packets on a network segment
    • Easy to deploy, but they suffer throughput problems
  – Host-based systems (HIDS)
    • Inspect audit or log data
    • Can affect performance on host
  – Hybrids
    • Combine the best of both

Intrusion Detection System--Network Based: “A Layer in the Defense”

[Figure: Network-based IDS placement. Adversary on the INTERNET -> External ROUTER -> FIREWALL -> DMZ Server(s), with the Intrusion Detection System watching that segment -> INTERNAL NETWORK, alongside other network defense tools.]

Network Based IDS
• Some detect intrusions after the bad guy is inside… but at least you know
• Others detect attacks (attack detect systems)
• Location in architecture determines which one you have
• Number of IDSes in architecture can add protection
• Balance comes between being inundated with false alarms or alert conditions requiring action
• Ideal NIDS installation: start by adding as few sensors as possible
IDS Correlation: Signature & Behavior

[Figure not recoverable.] Ref: Avi Chesla, ISSA Journal Nov 2005
Host based IDS
• Set up a HIDS like a selective burglar alarm
• Deploy HIDS on critical servers devoid of interactive users
• Configuration options
  – Critical file modification
  – When log files get smaller
  – Process table grows larger than normal or too fast

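The three configuration options above map directly onto a baseline-versus-current comparison. The following added Python example (not from the lecture) raises an alert when a critical file's hash changes, when a log file shrinks (logs should only grow, so shrinkage suggests truncation), or when the process count grows past a ratio of the baseline. The file paths, sizes and counts are constructed so the code runs offline; a real deployment would fill the snapshots from the filesystem and process table.

```python
"""Toy HIDS check: file integrity, log shrinkage, process growth (added example)."""
import hashlib

CRITICAL_FILES = ("/etc/passwd", "/etc/shadow")   # paths chosen for illustration
LOG_FILES = ("/var/log/auth.log",)                # path chosen for illustration
PROC_GROWTH_LIMIT = 1.5   # alert when process count exceeds 150% of baseline

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def snapshot(files: dict, log_sizes: dict, proc_count: int) -> dict:
    """Build a snapshot from file contents (bytes), log sizes and a process count.

    In practice these inputs would be read from disk and the process table;
    here they are passed in so the example is self-contained."""
    return {
        "hashes": {p: sha256(files[p]) for p in CRITICAL_FILES if p in files},
        "log_sizes": {p: log_sizes[p] for p in LOG_FILES if p in log_sizes},
        "procs": proc_count,
    }

def check(baseline: dict, current: dict) -> list:
    """Compare two snapshots and return a list of alert strings (empty = quiet)."""
    alerts = []
    for path, digest in baseline["hashes"].items():          # critical file modification
        if current["hashes"].get(path) != digest:
            alerts.append(f"critical file modified: {path}")
    for path, size in baseline["log_sizes"].items():         # log file got smaller
        if current["log_sizes"].get(path, 0) < size:
            alerts.append(f"log file shrank: {path}")
    if current["procs"] > baseline["procs"] * PROC_GROWTH_LIMIT:  # process table growth
        alerts.append(f"process table grew: {baseline['procs']} -> {current['procs']}")
    return alerts

# Constructed snapshots: the "current" one has an extra passwd entry,
# a truncated auth log and a much larger process table.
BASELINE = snapshot({"/etc/passwd": b"root:x:0:0\n", "/etc/shadow": b"root:!:1\n"},
                    {"/var/log/auth.log": 4096}, proc_count=80)
CURRENT = snapshot({"/etc/passwd": b"root:x:0:0\nnewuser:x:1001:1001\n",
                    "/etc/shadow": b"root:!:1\n"},
                   {"/var/log/auth.log": 512}, proc_count=200)

if __name__ == "__main__":
    for alert in check(BASELINE, CURRENT):
        print("ALERT:", alert)
```

The baseline snapshot should be taken on a server without interactive users, as the slide recommends, so that routine activity does not trip the alarm.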
What the different levels of IDS do
• Host-based Intrusion Detection
  – Will catch users logged directly into a system
  – Will miss network actions (the network as a whole)
• Network-based Intrusion Detection
  – Will miss individual actions on the host the user is logged directly into.
  – Will be able to see attacks on multiple hosts (“door knob rattling”).
  – Where do you place the IDS? On the LAN or on the outside of the router (the connection to the Internet)?
Five Functional Areas of HIDS

• Log/Event Monitoring
• File Integrity Checking
• Policy Compliance
• System Monitoring
• Network Traffic Monitoring

McAfee HIPS

[Figure not recoverable.]

And what about IDS and the PSTN?
• Two aspects
  – Detection of intrusions into the IP network from the PSTN
  – Detection of intrusions into the PSTN and its systems
• Do you
  – Have a separate system, or
  – Feed current IDS with data from the PSTN?

Strengths of IDSes
• Monitoring and analysis of system events and user behaviors
• Testing security states of system configurations
• Recognizing known attack patterns
• Recognizing anomalies
• Measuring security policy enforcement
• Managing data flow

Weaknesses of IDSes
• Compensating for weak or missing security mechanisms
• Instantaneous detection, reporting, and attack response
• Detecting newly published attacks
• Compensating for info source fidelity
• Reducing manpower needs

IDS Adjusted Expectations
• Consider a building with motion detectors
  – Works great when the building is empty
  – But if activated during the day, many false positives
  – Building managers don’t expect them to work during the day
• It’s possible to set up a network-based IDS (NIDS) and a host-based IDS (HIDS) to limit false positives

Monitoring and the Law
• Issue is expectation of privacy – does the individual have one?
• You generally need to inform individuals using the system that their actions are subject to monitoring.
  – Government systems have the warning banner.
  – This advice also issued by CERT (CA-92:19) for anybody wanting to monitor keystrokes.
• Note that it is considered not enough to notify all authorized users (when they are issued their initial password, for example); it must be displayed each time at login.
IDS Fad
• “People buy the hottest IDS tool that will be very good about telling them about DOS in the network, but is useless detecting problems inside the host.”
  Matt Bishop, UC Davis

Summary

• Detection of Incidents
• Basic IDS Model-History
• IDS Types and Classification
