ACS Seminar on Internet computing Internet Security Issues by yurtgc548


Intrusion Detection Methods

“Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”
The Seven Fundamentals

1. What are the methods used?
2. How are IDS organized?
3. What is an intrusion?
4. How do we trace intruders, and how do they hide?
5. How do we correlate information?
6. How can we trap intruders?
7. Incident response
The Emergency Action Card

When a computer security incident occurs and you are not prepared, follow these ten steps:

Emergency Step 1. Remain calm.

Even a fairly mild incident tends to raise everyone's stress level. Communication and coordination become difficult. Your calm can help others avoid making critical errors.

http://www.sans.org/newlook/publications/incident_handling.htm
Emergency Step 2. Take good notes.

Make sure you answer the four Ws - Who, What, When, and Where - and, for extra credit, How and Why.
Emergency Step 3. Notify the right people and get help.

Begin by notifying your security coordinator and your manager and asking that a coworker be assigned to help coordinate the incident handling process. Get a copy of the corporate phonebook and keep it with you. Ask your helper to keep careful notes on each person with whom he or she speaks and what was said. Make sure you do the same.
Emergency Step 4. Enforce a "need to know" policy.

Tell the details of the incident to the minimum number of people possible. Remind them, where appropriate, that they are trusted individuals and that your organization is counting on their discretion. Avoid speculation except when it is required to decide what to do. Too often the initial information in an incident is misinterpreted and the "working theory" has to be scrapped.
Emergency Step 5. Use out-of-band communications.

If the computers may have been compromised, avoid using them for incident handling discussions. Use telephones and faxes instead. Do not send information about the incident by electronic mail, talk, chat, or news; the information may be intercepted by the attacker and used to worsen the situation. When computers are being used, encrypt all incident handling e-mail.
Emergency Step 6. Contain the problem.

Take the necessary steps to keep the problem from getting worse. Usually that means removing the system from the network, though management may decide to keep the connections open in an effort to catch an intruder.
Emergency Step 7. Make a backup of the affected system(s) as soon as practicable.

Use new, unused media. If possible, make a binary, or bit-by-bit, backup.
Emergency Step 8. Get rid of the problem.

Identify what went wrong if you can. Take steps to correct the deficiencies that allowed the problem to occur.
Emergency Step 9. Get back in business.

After checking your backups to ensure they are not compromised, restore your system from backups and monitor the system closely to determine whether it can resume its tasks.
Emergency Step 10. Learn from this experience, so you won't get caught unprepared the next time an incident occurs.
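Steps 7 and 9 of the card rest on the same evidence-handling discipline: image the affected disk bit-for-bit onto fresh media, record a digest of what was taken, and prove the copy is unaltered before anything is restored from it. The POSIX shell functions below are an added example, not part of the SANS card or of these slides. They use dd and a SHA-256 digest; the device and image paths are assumptions, and the "disk" the usage note and test feed them is a constructed file rather than a real block device.

```shell
#!/bin/sh
# Added example for Emergency Steps 7 and 9 (not from the SANS card or the
# slides). Image a disk bit-for-bit with dd onto fresh media, record a
# SHA-256 digest of the image, keep a dated acquisition note, and verify
# the image against the digest before it is trusted for restoration.
# All paths are assumptions; the test feeds a constructed file, not a real device.

# hash_file FILE: print the SHA-256 digest, using whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# acquire_image SOURCE IMAGE: bit-for-bit copy of SOURCE (a block device or
# a file) to IMAGE. Refuses to overwrite an existing IMAGE, so previously
# used media is never silently reused. Hashes both ends: a mismatch means a
# read error or a source that changed underneath us, and no manifest is written.
acquire_image() {
    src=$1; img=$2
    if [ -e "$img" ]; then
        echo "acquire_image: refusing to overwrite existing $img" >&2
        return 1
    fi
    # bs=512 matches the sector size of most disks; no conv=sync, so the
    # last partial block is not padded and the two digests stay comparable.
    dd if="$src" of="$img" bs=512 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "acquire_image: source/image digest mismatch" >&2
        return 1
    fi
    printf '%s\n' "$img_hash" > "$img.sha256"
    # Step 2 material: who, what, when and where, recorded beside the image.
    printf '%s %s acquired %s from %s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$img" "$src" "$img_hash" \
        >> "$img.log"
}

# verify_image IMAGE: recompute the digest and compare it with the manifest.
# Returns 0 only when the image is byte-for-byte what was acquired.
verify_image() {
    img=$1
    expected=$(cat "$img.sha256" 2>/dev/null) || return 1
    [ -n "$expected" ] || return 1
    actual=$(hash_file "$img")
    [ "$expected" = "$actual" ]
}
```

Typical use (placeholder paths) is `acquire_image /dev/sdb /mnt/evidence/case-0001.img` on the handling workstation, with the suspect disk attached read-only, and `verify_image /mnt/evidence/case-0001.img` before the image is mounted or restored in Step 9. Refusing to overwrite is how the script enforces "new, unused media"; the source/image comparison turns silent read errors into a visible failure; and the `.log` line supplies the who/what/when/where that Step 2 asks for.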
Incident response

• The real-time decisions and actions of asset managers that are intended to minimize incident-related effects on their assets and to mitigate residual security risk, based on available evidence from the incident.
Incident Response Factors

• Soft factors
  – Management policies
  – Organizational structure
  – Administrative procedures
• Hard factors
  – IDS
  – Traps
  – Trace back tools
Incident Response Process

[Figure: cycle diagram of the incident response process. Labels as far as recoverable from the scattered text: Incident Detected, Response Initiated, ID Process, Interact with System, System Restored, Response Completed.]
Response

• Human-initiated response
• Automatically initiated response
• Coordinated human and automatic response
Factors influencing Response

• Passive factors
  – What assets have been affected or damaged by the incident?
  – How did the incident occur?
  – How was it detected?
  – How trustworthy is the incident-related information?
Factors influencing Response

• Active factors
  – What would be the effect of altering the target system's functionality?
  – What would be the effect of initiating trace backs and traps?
  – What would be the effect of doing nothing?
  – How legal is the response?
Robin Hood and Friar Tuck

!X id1
id1: Friar Tuck... I am under attack!  Pray save me!
id1: Off (aborted)
id2: Fear not, friend Robin!  I shall rout the Sheriff of Nottingham's men!
id1: Thank you, my good fellow!

Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.

http://www.tuxedo.org/~esr/jargon/
Examples

• RealSecure + FireWall-1
• Snort + iptables
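An automatically initiated response of the kind listed under Response and paired under Examples (Snort alerts feeding iptables), as an added example that is not from the slides, from Snort or from the iptables project. The function reads Snort "fast" alert lines, keeps only alerts at or above a priority threshold, skips sources on an allowlist, de-duplicates, and prints one iptables DROP rule per source instead of applying it. The alert lines and addresses are constructed; the allowlist, the threshold and the rule form are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides, Snort or iptables): turn Snort
# fast-format alerts into candidate iptables DROP rules. Alerts and
# addresses below are constructed; allowlist and threshold are assumptions.

# Constructed sample in Snort "fast" alert format (local SIDs, documentation
# address ranges). Line 3 comes from a host we must never block; lines 1, 2
# and 4 are the ones an automated responder should act on.
SAMPLE_ALERTS='03/12-14:03:21.123456  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
03/12-14:03:22.000001  [**] [1:1000002:1] LOCAL web scanner [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51300 -> 198.51.100.5:80
03/12-14:03:25.500000  [**] [1:1000003:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 198.51.100.5
03/12-14:03:26.000000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40000 -> 198.51.100.5:22'

# Hosts an automated block must never touch (monitoring, management, DNS).
# Without this, a spoofed source address lets an attacker make the IDS
# cut off legitimate hosts, so the list is the minimum safety rail.
ALLOWLIST='198.51.100.9 198.51.100.1'

# snort_block_rules MAX_PRIORITY: read alerts on stdin and print one
# "iptables -I INPUT -s SRC -j DROP" line per distinct source whose
# priority is <= MAX_PRIORITY (Snort: 1 is most severe) and that is not
# allowlisted. IPv4 only; the port suffix on the source is stripped.
snort_block_rules() {
    max=$1
    awk -v max="$max" -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    {
        if (match($0, /\[Priority: [0-9]+\]/) == 0) next
        # "[Priority: " is 11 characters; the closing "]" is the last one
        pri = substr($0, RSTART + 11, RLENGTH - 12) + 0
        if (pri > max) next
        # the source is the token before "->"
        src = ""
        for (i = 1; i <= NF; i++) if ($i == "->") src = $(i - 1)
        if (src == "") next
        sub(/:[0-9]+$/, "", src)
        if (src in skip || src in seen) next
        seen[src] = 1
        print "iptables -I INPUT -s " src " -j DROP"
    }'
}
```

Usage is `tail -f /var/log/snort/alert | snort_block_rules 1` (placeholder log path). Printing the rules rather than running them is deliberate: in the coordinated human-and-automatic model from the Response slide, an analyst reviews the output before it is fed to `sh`, and only a fully automatic deployment would pipe it straight through. The threshold limits the blast radius to high-priority alerts, and the allowlist keeps a forged source address from turning the sensor into a denial-of-service tool against the organization's own infrastructure.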

								