Intrusion Detection

Chapter 12

Learning Objectives

Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products

Detail the differences between host-based and network-based intrusion detection

Identify active detection and passive detection features of both host- and network-based IDS products

continued…

Learning Objectives

Explain what honeypots are and how they are employed to increase network security

Clarify the role of security incident response teams in the organization

Intrusion Detection System (IDS)

Detects malicious activity in computer systems Identifies and stops attacks in progress Conducts forensic analysis once attack is

over

The Value of IDS

Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers)

Expands available options to manage risk from threats and vulnerabilities

Negatives and Positives

IDS must correctly identify intrusions and attacks True positives True negatives

False negatives IDS missed an attack

False positives Benign activity reported as malicious

Dealing with False Negatives and False Positives

False negatives Obtain more coverage by using a combination

of network-based and host-based IDS Deploy NIDS at multiple strategic locations in

the network False positives

Reduce number using the tuning process

Types of IDS

Network-based (NIDS)

Host-based (HIDS)

Network-based IDS

Uses a dedicated platform for purpose of monitoring network activity

Analyzes all passing traffic Sensors have two network connections

One operates in promiscuous mode to sniff passing traffic

An administrative NIC sends data such as alerts to a centralized management system

Most commonly employed form of IDS

NIDS Architecture

Place IDS sensors strategically to defend most valuable assets

Typical locations of IDS sensors Just inside the firewall On the DMZ On network segments connecting mainframe

or midrange hosts

Switch Port Analyzer (SPAN)

Allows traffic sent or received in one interface to be copied to another monitoring interface

Typically used for sniffers or NIDS sensors

How SPAN Works

Limitations of SPAN

Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link

Switch may offer limited number of SPAN ports or none at all

Hub

Device for creating LANs that forward every packet received to every host on the LAN

Allows only a single port to be monitored

Using a Hub in a Switched Infrastructure

Tap

Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures

NIDS Signature Types

Signature-based IDS Port signature Header signatures

Network IDS Reactions

TCP resets IP session logging Shunning or blocking

Host-based IDS

Primarily used to protect only critical servers Software agent resides on the protected system Detects intrusions by analyzing logs of operating

systems and applications, resource utilization, and other system activity

Use of resources can have impact on system performance

HIDS Method of Operation

Auditing logs (system logs, event logs, security logs, syslog)

Monitoring file checksums to identify changes Elementary network-based signature techniques

including port activity Intercepting and evaluating requests by

applications for system resources before they are processed

Monitoring of system processes for suspicious activity

HIDS Software

Host wrappers Inexpensive and deployable on all machines Do not provide in-depth, active monitoring

measures of agent-based HIDS products Agent-based software

More suited for single purpose servers

HIDS Active Monitoring Capabilities

Log the event Alert the administrator Terminate the user login Disable the user account

Advantages of Host-based IDS

Verifies success or failure of attack by reviewing HIDS log entries

Monitors use and system activities; useful in forensic analysis of the attack

Protects against attacks that are not network based

Reacts very quickly to intrusions

continued…

Advantages of Host-based IDS

Not reliant on particular network infrastructure; not limited by switched infrastructures

Installed on protected server itself; requires no additional hardware to deploy and no changes to network infrastructure

Passive Detection Systems

Can take passive action (logging and alerting) when an attack is identified

Cannot take active actions to stop an attack in progress

Active Detection Systems

Have logging, alerting, and recording features of passive IDS, with additional ability to take action against offending traffic

Options IDS shunning or blocking TCP reset

Used in networks where IDS administrator has carefully tuned the sensor’s behavior to minimize number of false positive alarms

TCP Reset

Signature-based andAnomaly-based IDS

Signature detections Also know as misuse detection IDS analyzes information it gathers and compares it to

a database of known attacks, which are identified by their individual signatures

Anomaly detection Baseline is defined to describe normal state of

network or host Any activity outside baseline is considered to be an

attack

Intrusion Detection Products

Aladdin Knowledge Systems Entercept Security Technologies Cisco Systems, Inc. Computer Associates International Inc. CyberSafe Corp. Cylant Technology Enterasys Networks Inc. Internet Security Systems Inc. Intrusion.com Inc. family of IDS products

Honeypots

False systems that lure intruders and gather information on methods and techniques they use to penetrate networks—by purposely becoming victims of their attacks

Simulate unsecured network services Make forensic process easy for

investigators

Commercial Honeypots

ManTrap Specter Smoke Detector NetFacade

Open Source Honeypots

BackOfficer Friendly BigEye Deception Toolkit LaBrea Tarpit Honeyd Honeynets User Mode Linux

Honeypot Deployment

Goal Gather information on hacker techniques,

methodology, and tools Options

Conduct research into hacker methods Detect attacker inside organization’s network

perimeter

Honeypot Design

Must attract, and avoid tipping off, the attacker

Must not become a staging ground for attacking other hosts inside or outside the firewall

Honeypots, Ethics, and the Law

Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host

Honeypot does not convince one to attack it; it merely appears to be a vulnerable target

Doubtful that honeypots could be used as evidence in court

Incident Response

Every IDS deployment should include two documents to answer “what now” questions IDS monitoring policy and procedure

Requires well-documented monitoring procedures that detail actions for specific alerts

Incident response plan Responsible for assigning personnel to assemble

resources required to handle security incidents

Typical SIRT Objectives

Determine how incident happened Establish process for avoiding further

exploitations of the same vulnerability Avoid escalation and further incidents Assess impact and damage of the incident Recover from the incident

continued…

Chapter Summary

Two major types of intrusion detection Network-based IDS (monitor network traffic) Host-based IDS (monitor activity on

individual computers) Honeypots Incident response