ID (Intrusion Detection)
What is Intrusion Detection (ID)?
What is host-based intrusion detection?
Host-based ID involves loading a piece or pieces of software on the system to
be monitored. The loaded software uses log files and/or the system's auditing
agents as sources of data. In contrast, a network-based ID system monitors the
traffic on its network segment as a data source. Both network-based and
host-based ID sensors have pros and cons, and in the end, you'll probably want
to use a combination of each. The person responsible for monitoring the IDS
needs to be an alert, competent System Administrator, who is familiar with the
host machine, network connections, users and their habits, and all software
installed on the machine. This doesn't mean that he or she must be an expert on
the software itself, but rather needs a feel for how the machine is supposed to
be running and what programs are legitimate. Many break-ins have been contained
by attentive Sys Admins who have noticed something "different" about
their machines or who have noticed a user logged on at a time atypical for that
user.
Host-based ID involves not only looking at the communications traffic in and out
of a single computer, but also checking the integrity of your system files and
watching for suspicious processes. To get complete coverage at your site with
host-based ID, you need to load the ID software on every computer. There are two
primary classes of host-based intrusion detection software: host
wrappers/personal firewalls and agent-based software. Either approach is much
more effective in detecting trusted-insider attacks (so-called anomalous
activity) than is network-based ID, and both are relatively effective for
detecting attacks from the outside.
Host wrappers or personal firewalls can be configured to look at all network
packets, connection attempts, or login attempts to the monitored machine. This
can also include dial-in attempts or other non-network related communication
ports. The best known examples of wrapper packages are TCPWrappers (
What is network based intrusion detection?
A network-based ID system monitors the traffic on its network segment as a
data source. This is generally accomplished by placing the network interface
card in promiscuous mode to capture all network traffic that crosses its network
segment. Network traffic on other segments, and traffic on other means of
communication (like phone lines) can't be monitored. Both network-based and
host-based ID sensors have pros and cons. In the end, you'll probably want a
combination of both.
Network-based ID involves looking at the packets on the network as they pass by
some sensor. The sensor can only see the packets that happen to be carried on
the network segment it’s attached to. Packets are considered to be of interest
if they match a signature. Three primary types of signatures are string
signatures, port signatures, and header condition signatures.
String signatures look for a text string that indicates a possible attack. An
example string signature for UNIX might be "cat "+ +" > /.rhosts", which if successful, might cause a UNIX system to become extremely vulnerable
to network attack. To refine the string signature to reduce the number of false
positives, it may be necessary to use a compound string signature. A compound
string signature for a common Web server attack might be "cgi-bin" AND
"aglimpse" AND "IFS".
Port signatures simply watch for connection attempts to well-known, frequently
attacked ports. Examples of these ports include telnet (TCP port 23), FTP (TCP
port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143). If any of these
ports aren’t used by the site, then incoming packets to these ports are
suspicious.
Header signatures watch for dangerous or illogical combinations in packet
headers. The most famous example is Winnuke, where a packet is destined for a
NetBIOS port and the Urgent pointer, or Out Of Band pointer is set. This
resulted in the "blue screen of death" for Windows systems. Another
well-known header signature is a TCP packet with both the SYN and FIN flags set,
signifying that the requestor wishes to start and stop a connection at the same
time.
Well-known, network-based intrusion detection systems include AXENT (
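The three signature types described above (string, port and header condition) can be shown side by side in a small matcher. The code below is an added example, not code from the FAQ or from any IDS product it mentions: a toy signature engine with the answer's own examples encoded as rules (the `+ +` rhosts string, the compound `cgi-bin` AND `aglimpse` AND `IFS` string, the telnet/SUNRPC/IMAP port checks, the Winnuke URG-to-NetBIOS condition and the SYN+FIN condition). The rule names, addresses and packet payloads in `SAMPLES` are constructed for the demonstration; the payloads deliberately contain only the matched keywords, not any real exploit content.

```python
"""Toy network-signature engine for the three signature types described in
the FAQ answer: string (including compound AND strings), port, and
header-condition signatures.  Added example code, not part of the FAQ or of
any product it names; rule names and packet records are constructed."""
from dataclasses import dataclass
from typing import Callable, List

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NETBIOS_PORTS = {137, 138, 139}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int = 0
    payload: bytes = b""


@dataclass
class Signature:
    name: str
    test: Callable[[Packet], bool]


def string_sig(name: str, *needles: str) -> Signature:
    """String signature: every needle must occur in the payload.  With more
    than one needle this is the compound form that cuts false positives."""
    encoded = [n.encode() for n in needles]
    return Signature(name, lambda p: all(n in p.payload for n in encoded))


def port_sig(name: str, port: int) -> Signature:
    """Port signature: a connection attempt to a port the site does not use."""
    return Signature(name, lambda p: p.dport == port)


def header_sig(name: str, cond: Callable[[Packet], bool]) -> Signature:
    """Header-condition signature: an illogical flag/port combination."""
    return Signature(name, cond)


RULES: List[Signature] = [
    string_sig("rhosts-plus-plus", 'cat "+ +" > /.rhosts'),
    string_sig("cgi-aglimpse-IFS", "cgi-bin", "aglimpse", "IFS"),
    port_sig("telnet-23", 23),
    port_sig("sunrpc-111", 111),
    port_sig("imap-143", 143),
    # Winnuke: urgent (out-of-band) data aimed at a NetBIOS port.
    header_sig("winnuke-urg-netbios",
               lambda p: p.dport in NETBIOS_PORTS and bool(p.flags & URG)),
    # SYN and FIN together: asking to open and close at the same time.
    header_sig("syn-fin",
               lambda p: (p.flags & (SYN | FIN)) == (SYN | FIN)),
]


def inspect(packet: Packet, rules: List[Signature] = RULES) -> List[str]:
    """Return the names of every signature the packet matches."""
    return [r.name for r in rules if r.test(packet)]


# Constructed sample traffic (addresses and payloads invented for the demo).
SAMPLES = {
    "aglimpse": Packet("10.0.0.5", "10.0.0.80", 40000, 80, ACK | PSH,
                       b"GET /cgi-bin/aglimpse?IFS=x HTTP/1.0"),
    # Two of the three keywords only: the compound rule stays quiet.
    "cgi-only": Packet("10.0.0.5", "10.0.0.80", 40001, 80, ACK | PSH,
                       b"GET /cgi-bin/search?q=IFS HTTP/1.0"),
    "winnuke": Packet("10.0.0.5", "10.0.0.9", 40002, 139, ACK | PSH | URG, b"x"),
    "syn-fin": Packet("10.0.0.5", "10.0.0.25", 40003, 25, SYN | FIN),
    "telnet": Packet("10.0.0.5", "10.0.0.7", 40004, 23, SYN),
    "benign": Packet("10.0.0.5", "10.0.0.80", 40005, 80, SYN),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:9s} -> {inspect(pkt)}")
```

The port signatures are only meaningful for ports the site does not legitimately use, as the answer says; in practice each `port_sig` would be gated on a per-site list of unused ports rather than applied unconditionally.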
I have often heard that the best approach to computer security is to use a layered approach. Can you describe this approach and how an IDS fits in?
The layered approach can best be explained by the analogy of weathering out a
winter storm. Many people know the feeling of being stuck at home during a
winter blizzard. The things one does in a winter storm are to heat some soup,
turn up the furnace, snuggle up under the blankets, and start a fire in the
fireplace. All of these things lead to a warm and secure feeling while waiting
for the storm to pass. It's this utilization of separate things in the household
that results in an overall approach that gives us that warm and fuzzy feeling in
a winter storm. Thus, computer security is most effective when multiple
layers of security are used within an organization.
The most common misconception is that a firewall will secure your computer
facilities and additional steps don't need to be taken. A firewall is just one
component of an effective security model. Additional components or layers should
be added to provide an effective security model within your organization. The
security model that will protect your organization should be built upon the
following layers:
Using multiple layers in a security model is the most effective method of
deterring unauthorized use of computer systems and network services. Every layer
provides some protection from intrusion, and the defeat of one layer may not
lead to the compromise of your whole organization. Each layer has some
inter-dependence on other layers. For example, the intrusion detection systems
and the incident response plan have some interdependencies. Although they can be
implemented independently, it's best when they're implemented together. Having
an intrusion detection system that can alert you to unauthorized attempts on
your system has little value unless an incident response plan is in place to
deal with problems. The most important part of overall security organization is
the security policy. You must know what you need to protect and to what degree.
All other layers of the security model follow logically after the implementation
of the organization security policy.
In summary, an intrusion detection system is just one component of an effective
security model for an organization. The overall security integrity of your
organization is dependent upon the implementation of all layers of the security
model. The implementation of the layered approach to security should be
undertaken in a logical and methodical manner for best results and to ensure the
overall sanity of the security personnel.
Peter Watson
Senior Security Architect
Purolator Courier Corp.
The Importance of Intrusion Protection
Evolution
When we talk about Intrusion Detection Systems (IDS), management automatically assumes it is THE solution to all network, organization and social problems. Most people deal with this technology like it is a monolithic solution. This is not a good way to consider any security technology; it does not work like that. The majority fails to recognize that IDS' initial design and function is to protect the organization's vital information from an outsider.
However, this is now slowly changing, as more organizations want to monitor their "networks" because studies show the majority of all losses in the commercial sector involve insiders. They now want to use the IDS in any of the following combinations: To track down insiders, catch them in the act, get the evidence needed for prosecution, fire them or take them to court for indictment.
Another factor to consider is that the technology is still in its infancy and intrusions get missed due to its immaturity. RAID'99 identified that in order to reach its full potential as a forensic tool, IDS' role must evolve to include better logging and a collection of forensic tools to use the information as evidence (http://www.raid-symposium.org/).
New attack techniques are coming out each month and the IDS technology must adapt to these rapid changes. The list of all known attacks constantly changes, rendering codifying the statistical "signature" of a new attack a daunting task for R&D labs.
Current Network Intrusion Detection System (NIDS) products (first generation) use a predominantly passive approach to collect data via protocol analysis by watching traffic on the network. Most IDS have been built on signature-based and anomaly detection, providing the capability to look for set "patterns" in packets, but they can also be tuned to look for things you should never see. The addition of specific string search signatures (i.e. look for "confidential"), logging and TCP reset features has greatly enhanced the IDS capability as a detection and protection tool.
The work done by the Common Vulnerabilities and Exposures (CVE) Editorial Board is the result of a collaborative effort, which will advance and standardize attack names and definitions across vendors. Since its implementation (1999), a large number of organizations have declared that they are working to make their product or database CVE-compatible. This list can be viewed at http://cve.mitre.org.
Tomorrow's IDS
Due to the inability of NIDS to see all the traffic on switched Ethernet, many companies are now turning to Host-based IDS (second generation). These products can use far more efficient intrusion detection techniques such as heuristic rules and analysis. Depending on the sophistication of the sensor, it may also learn and establish user profiles as part of its behavioral database. Charting what is normal behavior on the network would be accomplished over a period of time.
Strength and Limits facing IDS
Strength
Limits
As part of the Total Defense Strategy of an organization, they offer additional protection and deterrence against:
Total Defense Strategy
IDS is just another tool that is part of a good security architecture and Multi-Layered Defense Strategy. It has its strengths and weaknesses, which must be assessed and weighed before a decision is made to deploy one on your network. The decision can be made after you test two or three against your baseline in a lab environment. This way, you measure as accurately as possible its effects against your network (i.e. workload, detection accuracy, etc.). You may also want to check some IDS lab studies. In November 1999, one was published by Network Computing at http://www.nwc.com/1023/1023f1.html
The power of IDS is that it demonstrates a positive degree of readiness, which may be critical for long term success. If your business depends on networking, IDS is good business and well worth the return.
Guy Bruneau
DND CIRT
What open standards exist for Intrusion Detection?
Last updated 4/8/2000
There are no fully mature open standards for ID at present. However, we are getting close.
The Internet Engineering Task Force (IETF) is the body which develops new Internet standards. They have a working group to develop a common format for IDS alerts. The group has worked through the requirements phase, and the design is substantially fleshed out, though details continue to change. Preliminary implementation work is probably possible, though implementations would have to change as the standard is finalized. The design involves sending XML based alerts over an HTTP like communications format. A lot of attention has been paid to the needs of IDS analysis, and to making the protocol work through firewalls in a straightforward way.
More contributors are always welcome. IETF working groups are open to any technically competent individual who wishes to contribute. Individuals represent their own views on the best way to solve the problem, rather than the agenda of their employer.
The charter of the working group is at
http://www.ietf.org/html.charters/idwg-charter.html and the mailing list archive is at http://www.semper.org/idwg-public/. All the working group's documents can be reached via http://www.silicondefense.com/idwg/
There is also an effort by the ISO's T4 committee to develop an Intrusion Detection Framework. The status of that effort is presently unknown, and attempts by the FAQ item author to reach prominent figures in that effort were unsuccessful.
The Common Intrusion Detection Framework (CIDF) was an attempt by the US govt's Defense Advanced Research Projects Agency (DARPA) to develop an IDS interchange format for use by DARPA researchers. CIDF was not intended as a standard that would influence the commercial marketplace; it was a research project. CIDF development is presently dormant. CIDF used a Lisp like format to exchange information about intrusion related events, and defined a large set of primitives for use in those messages. More information can be found at the CIDF web site at
http://www.gidos.org/
Stuart Staniford-Chen
President, Silicon Defense
What is a honeypot and how is it used?
What is a honeypot? Why do I need one?
A "honeypot" is a tool that can help protect your network from unauthorized access. The honeypot contains no data or applications critical to the company but has enough interesting data to lure a hacker. A honeypot is a computer on your network whose sole purpose is to look and act like a legitimate computer but which is actually configured to interact with potential hackers in such a way as to capture details of their attacks. Honeypots are also known as a sacrificial lamb, decoy, or booby trap. The more realistic the interaction, the longer the attacker will stay occupied on honeypot systems and away from your production systems. The longer the hacker stays using the honeypot, the more will be disclosed about their techniques. This information can be used to identify what they are after, what their skill level is, and what tools they use. All this information is then used to better prepare your network and host defenses.
The honeypot can be used to augment the deployment of an IDR system. Some of the problems with commercial IDR include the inability to detect low level attacks, techniques or tools that are new or not previously known, or the use of techniques that may appear as legitimate user activity. To a certain extent, the honeypot is also subject to missing new attacks. However, the honeypot is uniquely capable of letting you know that some hacker is in your network doing things they have no business doing. The honeypot may spot them because as far as other security measures (including IDR) are concerned they are legitimate users.
Phil Bandy, Michael Money & Karen Worstell
SRI Consulting
If someone from a large organization called and asked you for advice on what he or she should do first to get started on ID, what one thing would you recommend?
The best place to start really depends upon the organization and the necessity for keeping its information secure. One good starting place is to look at the impact of past intrusions. If the company has been subject to recent intrusions and hacking activity, they will be cognizant of the risks out of necessity. Studying past intrusions and the company’s response will be helpful in framing the business case for intrusion detection products. For example, intrusion detection products would have caught the intrusion sooner saving $X.XX and the embarrassment of the intrusion in the press.
The cost of prior intrusions will be beneficial in the preparation of a preliminary cost benefit analysis. The cost of an intrusion may include production downtime, negative public relations that may affect a company’s stock price, sabotage of critical information leading to bad decisions, or unauthorized access or theft of confidential information leading to the loss of a competitive advantage. The cost also includes the expenses associated with investigation, legal, forensic and management reporting.
The understanding of the benefits of intrusion detection has to be developed with a general familiarity with the intrusion detection products currently in the market. The goals and objectives of the intrusion detection products need to be understood. Understanding the relation between the business case objectives and those of specific products helps articulate what is possible to achieve and will also pave the way for selecting products that meet company IDS needs. Unfortunately, there are not many textual reference books available on intrusion detection. Web sites, white papers, product brochures and intrusion detection conferences will provide a good starting point for assembling this information. Discussing intrusion detection with other organizations that have implemented intrusion detection may prove to be very helpful.
The next step is to translate this material for management. White papers and presentations are good mechanisms to increase management’s awareness and understanding of intrusion detection. The objective is to establish a good business case for using intrusion detection. The costs of recent break-ins by intrusions into the company will help support the business case even if only at the anecdotal level. Certainly, recent related cases from the media would help reinforce the need for intrusion detection. Management will be more likely to take action when the business case is strongly articulated and clearly related to the benefits of intrusion detection products.
Phil Bandy, Michael Money & Karen Worstell
SRI Consulting
Why is intrusion detection required in today’s computing environment?
Intrusion detection is needed in today’s computing environment because it is impossible to keep pace with the current and potential threats and vulnerabilities in our computing systems. The environment is constantly evolving and changing fueled by new technology and the Internet. To make matters worse, threats and vulnerabilities in this environment are also constantly evolving. Intrusion detection products are tools to assist in managing threats and vulnerabilities in this changing environment.
Threats are people or groups who have the potential to compromise your computer system. These may be a curious teenager, a disgruntled employee, or espionage from a rival company or a foreign government. The hacker has become a nemesis to many companies.
Vulnerabilities are weaknesses in the systems. Vulnerabilities can be exploited and used to compromise your system. New vulnerabilities are discovered all of the time. Every new technology, product, or system brings with it a new generation of bugs and unintended conflicts or flaws. Also the possible impacts from exploiting these vulnerabilities is constantly evolving. In a worst-case scenario, an intrusion may cause production downtime, sabotage of critical information, theft of confidential information, cash, or other assets, or even negative public relations that may affect a company’s stock price.
Intrusion detection products are tools that can assist in protecting a company from intrusion by expanding the options available to manage the risk from threats and vulnerabilities. Intrusion detection capabilities can help a company secure its information. The tool could be used to detect an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop the exploit from use by future intruders. The correction should be applied across the enterprise to all similar platforms. Intrusion detection products can become a very powerful tool in the information security practitioner’s tool kit.
Phil Bandy, Michael Money & Karen Worstell
SRI Consulting
Are there limitations of Intrusion Signatures?
Matthew Richard
April 5, 2001
Introduction
Many corporate networks and corporate security policies rely heavily on intrusion detection to alert administrators of intrusion. With all of the features of modern intrusion detection systems there are some tragic flaws inherent in their design. These weaknesses apply to Snort and all other signature based intrusion detection engines. Snort is singled out in this paper because of its popularity and its familiarity amongst the SANS community.
What is Snort
Snort is an intrusion detection system written by Martin Roesch. Snort was written as an open source project and is available for free under the GNU public license. The software is based upon a signature comparison engine optimized for speed. Snort offers many features that make it an ideal choice in the battle against Internet intruders. Here is a description of Snort from the Snort website:
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture.
The power of Snort
Snort was written to take advantage of a highly modularized design. The application can take advantage of several different pre-processors to normalize, filter, and categorize data. Snort also has very powerful post-processors, or output plug-ins, that can be used to log the data generated by Snort in several different ways. Because Snort is an open source project with many users, its signature database is updated often and is simple to update.
How Signatures Work
Understanding how signatures work is essential to understanding how to defeat them. When Snort is given an incoming packet from the packet capture driver it compares that packet to its database of known signatures. The signature has some key aspect of the packet that it is compared against to look for a match. If a match occurs then Snort sends the output to a standard output mechanism or to one of the configured post-processor output plug-ins. For example, if Snort received the following packet then it would compare it against its database:
03/21-13:02:34.978853 10.1.114.88:1272 -> 10.1.114.220:54320
TCP TTL:128 TOS:0x0 ID:48408 IpLen:20 DgmLen:44 DF
******S* Seq: 0x2BC3D9 Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
and match it to rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 54320 (msg: "BACKDOOR SIG - BO2K";)
This event would trigger an alert message. Most signatures do not just look for what port a packet is to or from, but also examine part of the payload. As new security holes and exploits are found, new signatures are written to counteract the danger.
The problem with signatures
What Snort and other signature based intrusion detection systems count on is that malicious traffic will have unique patterns to it that can be matched against rules in the database. For example Snort uses the following rule to look for the SubSeven Trojan:
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)
The important part of this rule to note is that Snort is looking for the hex signature "0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a" that is located anywhere in the payload of the packet.
It then seems obvious that there are many ways of circumventing this signature. The first thing that we could do is vary the destination port. This is usually undesirable though since the infected machine is probably using the default port for SubSeven to make it easier to scan for. If the attacker knows what port SubSeven should be running on then they could quickly and easily scan large blocks of addresses for machines listening on that port. The next evasion technique that an attacker could use would be to change or scramble the content that the sensor is looking for. This could be accomplished by using some very simple form of encryption. Here is how a simple packet encryption might work:
1st byte of the packet payload is the value to be added to every subsequent byte. If we use 3 then our payload of "0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a" becomes "31 3d 8e 85 83 7f 81 63 63 65 31 3e" which does not match any of the known signatures. The attacker has now evaded our intrusion detection system. Another twist of this technique could incorporate public key/ private key encryption. The private key for the server and the public key for the client could be sent or bundled with the original install. This would render all communication between the 2 hosts unintelligible and undetectable by intrusion detection systems.
How did that go again?
New techniques are also being developed to change how the executable code that runs Trojans and other applications looks. As reported in a recent ZDNET article:
During a seminar last week at the CanSecWest conference in Vancouver, British Columbia, a hacker named "K2" revealed a program he created that can camouflage the tiny programs that hackers generally use to crack through system security.
According to K2 himself, "This is a way to keep the exploits brand-new, all the time." This raises the possibility that there is not enough time to update the signatures for an IDS as the signatures change. Already freely available to hackers are tools to "repack" the executables that they use. This repacking changes the executable so that it is no longer recognizable to anti-virus and intrusion detection engines.
Attacks on services
Snort and other intrusion detection systems do excel in detecting attacks on services that require an exploit that cannot be encrypted. Attacks like this would include buffer overflows, directory traversal, and scanning attempts. These types of attacks rely on existing flaws within the victim machine. These flaws can typically only be exploited using a certain attack mechanism that will have a certain signature. In these cases signature based intrusion detection does very well at detecting these patterns and alerting or stopping them.
The problem with intrusion detection as it relates to attacks on services is that it may take some time for a new exploit to become known. After the exploit is known then a new signature can be written for it and distributed. This leaves many systems vulnerable to unknowing attack for a certain period of time. It is possible that a well-executed attack will leave no trace of intrusion thereby rendering all of the effort placed into intrusion detection wasted. IDS are also hurt by a lack of supporting data for attacks that were not immediately recognized. The author of Stick, Cortez Giovanni says:
Also, most IDS do not start recording an attack until an alarm is triggered. This means that the original flaw that allowed access will not be recorded. Some IDS buffer that data, so that the IDS will have the last X number of bytes before the alarm to see what occurred before it. Regardless, IDS do not usually record packets in great detail due to the recording requirements on IO and remote management.
Denial of Service
Although denial of service attacks are typically associated with individual machines or networks, it is also possible to apply denial of service techniques against signature based intrusion detection systems. Jerry Marsh states one such possible technique in an article he wrote:
many NIDS systems work by alerting someone when suspected exploits are happening. As was demonstrated at the October 2000 Monterey SANS conference, this can be thwarted by information overload. In this example the attacker created so many "noise" attack attempts that people watching for attacks were overloaded. The real attack was injected in the middle of the noise and completed before it could be determined what the real target was.
This is just one method of implementing a denial of service attack against an intrusion detection system.
Another possible method of implementing a denial of service against an IDS would be to exhaust the resources of that IDS. This denial of service would flood the IDS with traffic that will generate alerts until the IDS runs out of resources. This would cause the IDS to have an incomplete log of the events that took place. Here is the post of an author who claims to have written a tool to automatically overwhelm IDS systems.
The tool uses the Snort rule set and produces a C program via lex that when compiled will produce an IP packet capable of triggering that rule from a spoofed IP range (or all possible IP addresses) into a target IP range. A function is produced for each rule and a loop then executes these rules in a random order. The tool currently produces these at about 250 alarms per second. A Linux based snort will hit 100% CPU and start dropping packets. The stress on recording and disk IO is another problem. ISS Real Secure dies two seconds after the attack begins. This was tested numerous times. Other IDS and even sniffers (especially with DNS lookups) had problems of their own.
Conclusion
Although signature based IDS do provide a useful service to let an administrator know that he/she has been or is being attacked, they should not be relied upon. It is far too easy to fool or shut down an IDS machine for them to be utilized as the primary line of defense against intruders. Some recommendations that have been given by Lawrence R. Halme and R. Kenneth Bauer in their article "AINT Misbehaving: A Taxonomy of Anti-Intrusion Techniques" are to use the following practices in conjunction with intrusion detection:
Intrusion detection should be part of a defense in depth strategy and no single tool or technology should be relied upon exclusively.
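The paper's two Snort rules (the BO2K port rule and the SubSeven `flags`/`content` rule) and its packet dump are enough to walk through the matching step it describes. The code below is an added example, not Snort's own implementation and not part of the paper: a minimal parser for that rule syntax (header fields, `msg`, `flags` with the `+` modifier, and `content` with `|hex|` segments; `$HOME_NET`/`$EXTERNAL_NET` are treated as "any", other options are ignored) and a matcher run over the dump's SYN packet, a constructed packet carrying the SubSeven byte string, and a constructed byte-shifted copy of it. The last case shows the limitation the paper makes: a content-only rule stops firing as soon as the payload is transformed, so detection of that traffic has to come from somewhere else (the port, flow behaviour, host-based checks), which is the defence-in-depth point the conclusion draws.

```python
"""Minimal parser and matcher for the two Snort rules quoted in the paper.
Added example code (not Snort's own engine); the SubSeven payload sample
and its byte-shifted variant are constructed here for the demonstration."""
from dataclasses import dataclass, field
from typing import List, Optional

# Snort flag letters -> TCP flag bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Rule:
    action: str
    proto: str
    dport: Optional[int]                      # None means "any"
    msg: str = ""
    flags: str = ""                           # e.g. "A+"; empty = not checked
    contents: List[bytes] = field(default_factory=list)


@dataclass
class Packet:
    dport: int
    flags: int
    payload: bytes = b""


def parse_content(value: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside the bars is hex bytes."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (opt: val; ...)'.
    Simplification: assumes no '(' or ';' inside quoted option values."""
    header, _, body = text.strip().partition("(")
    action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    rule = Rule(action, proto, None if dport == "any" else int(dport))
    for opt in body.rstrip(")").split(";"):
        if not opt.strip():
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "flags":
            rule.flags = val
        elif key == "content":
            rule.contents.append(parse_content(val))
    return rule


def flags_match(spec: str, flags: int) -> bool:
    """'A' requires exactly ACK; 'A+' requires ACK plus any other flags."""
    if not spec:
        return True
    required = 0
    for ch in spec.rstrip("+"):
        required |= FLAG_BITS[ch]
    if spec.endswith("+"):
        return flags & required == required
    return flags == required


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if not flags_match(rule.flags, pkt.flags):
        return False
    return all(c in pkt.payload for c in rule.contents)


def alerts(rules: List[Rule], pkt: Packet) -> List[str]:
    """Return the msg of every rule the packet triggers."""
    return [r.msg for r in rules if matches(r, pkt)]


RULE_TEXT = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 54320 (msg: "BACKDOOR SIG - BO2K";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22"; '
    'flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)',
]
RULES = [parse_rule(t) for t in RULE_TEXT]

# The paper's dump: a SYN to port 54320 with no payload.
BO2K_SYN = Packet(dport=54320, flags=FLAG_BITS["S"])
# Constructed packet carrying the rule's byte string with ACK and PSH set.
SUBSEVEN = Packet(dport=27374, flags=FLAG_BITS["A"] | FLAG_BITS["P"],
                  payload=b"\r\n[RPL]002\r\n")


def shifted(payload: bytes, k: int) -> bytes:
    """Constructed illustration of the paper's per-byte additive transform."""
    return bytes((b + k) % 256 for b in payload)


SHIFTED = Packet(27374, SUBSEVEN.flags, shifted(SUBSEVEN.payload, 3))

if __name__ == "__main__":
    for label, pkt in [("bo2k-syn", BO2K_SYN), ("subseven", SUBSEVEN), ("shifted", SHIFTED)]:
        print(f"{label:9s} -> {alerts(RULES, pkt)}")
```

Note what the `flags: A+` option buys the defender: a bare SYN to port 27374 produces no alert from the SubSeven rule, so the content check is only spent on established-connection traffic, which is one small way rule authors keep both false positives and sensor load down.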
References
[1] Srisuresh, P. and M. Holdrege. "IP Network Address Translator (NAT) Terminology and Considerations." RFC 2663. August 1999.
http://www.geektools.com/rfc/rfc2663.txt (20 Mar. 2001)
[2] "What is Snort." http://www.snort.org/what_is_snort.htm (2 Apr. 2001)
[3] Lemos, Robert. "New cloaked code threat to security." April 2, 2001. http://www.zdnet.com/zdnn/stories/news/0,4586,5080532,00.html (3 Apr. 2001)
[4] Marsh, Jerry. "Myths Managers believe about Security." January 25, 2001. http://www.sans.org/infosecFAQ/start/myths.htm (2 Apr. 2001)
[5] Giovanni, Cortez. "Fun with Packets: Designing a Stick." http://www.eurocompton.net/stick/ (2 Apr. 2001)
[6] Halme, Lawrence R. and Bauer, R. Kenneth. "AINT Misbehaving: A Taxonomy of Anti-Intrusion Techniques." http://www.sans.org/newlook/resources/IDFAQ/aint.htm (2 Apr. 2001)
[7] Posting on Snort users mailing list by Cortez Giovanni.
Copyright RAR Enterprises, Inc. 1993 - 2005.
Last revised: January 19, 2005