Intrusion-Detection Systems

Intrusion-Detection Systems
Based on slides accompanying the book Network Defense and Countermeasures by Chuck Easttom (2018)

Objectives
- Explain how intrusion-detection systems work
- Implement strategies for preventing intrusion
- Identify and describe several popular intrusion-detection systems
- Define the term honeypot
- Identify and describe at least one honeypot implementation

Introduction: What is an IDS?
An Intrusion-Detection System (IDS) is a system designed to detect signs that someone (or something) is attempting to breach a system, and to alert the system administrator that suspicious activity is taking place.

Introduction: Why do we use IDSs?
Intrusion-detection systems enable system administrators to detect possible attacks on the network.

Preemptive Blocking (a primitive form of intrusion detection/prevention)
- Sometimes called banishment vigilance
- Attempts to detect impending intrusions by examining their footprint (cf. a virus's signature)
- Weaknesses?
  - Susceptible to false positives: it may block legitimate traffic (a false positive is mistakenly identifying a legitimate packet as part of a threat)
  - When an IP address is blocked, the attacker can switch to a different IP address
Speaker notes: Explain what false positives are and what false negatives are.

True/False Positive/Negative?

IDS Detection Methodologies
- Signature-based detection: compares known threat signatures against observed events to identify incidents
- Anomaly-based detection: compares definitions of what activity is considered normal against observed events to identify significant deviations
- Stateful protocol analysis: compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
Source: NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), by Karen Scarfone (NIST) and Peter Mell (NIST); published February 2007; supersedes SP 800-31 (November 2001). https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf

Anomaly Detection
- Any activity that does not match normal use is noted and saved in a log
- Normal usage profiles are kept and updated, then compared to the user's, the group's, or the system's behavior
- Most IDSs work this way
- Based on heuristics rather than on signatures or pre-stored patterns, so it can detect previously unknown threats
Q: Examples of anomalous behavior?

Anomaly Detection
Different ways an anomaly may be detected:
- Threshold monitoring
- Resource profiling
- User/group work profiling
- Executable profiling

Types of Anomaly Detection: Threshold Monitoring
- Defines acceptable behaviors
- Presets acceptable behavior levels (the threshold)
- Monitors for these thresholds being exceeded
Q: Example thresholds?
Weaknesses?
- Can be difficult to set up the thresholds
- Difficult to set times for monitoring behavior (i.e., when? how often?)
- Susceptible to false positives and negatives
Speaker notes: List pros and cons of this type of anomaly detection.

Questions:
1. Explain what it means to say that threshold monitoring (as a method of anomaly detection) is susceptible to false positives. Give an example.
2. Explain why threshold monitoring (as a method of anomaly detection) is susceptible to false positives.
3. Explain what it means to say that threshold monitoring (as a method of anomaly detection) is susceptible to false negatives. Give an example.
4. Explain why threshold monitoring (as a method of anomaly detection) is susceptible to false negatives.
5. List the pros and cons of this type of anomaly detection.
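A worked illustration of the questions above, added here and not part of the original slides: a threshold rule ("more than 5 failed logins from one source within 5 minutes") run over a constructed sshd log. The same rule produces a false positive (a legitimate user who mistypes a password six times) and a false negative (a slow guessing attempt that spaces its failures ten minutes apart).

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt (not from a real host). The first field is the
# time in seconds since the capture began, to keep the example self-contained.
LOG = """\
0 sshd: Failed password for alice from 10.0.0.5
20 sshd: Failed password for alice from 10.0.0.5
40 sshd: Failed password for alice from 10.0.0.5
55 sshd: Failed password for alice from 10.0.0.5
70 sshd: Failed password for alice from 10.0.0.5
80 sshd: Failed password for alice from 10.0.0.5
95 sshd: Accepted password for alice from 10.0.0.5
0 sshd: Failed password for root from 203.0.113.9
600 sshd: Failed password for root from 203.0.113.9
1200 sshd: Failed password for admin from 203.0.113.9
1800 sshd: Failed password for admin from 203.0.113.9
2400 sshd: Failed password for backup from 203.0.113.9
3000 sshd: Failed password for backup from 203.0.113.9
"""
FAILED = re.compile(r"^(\d+) sshd: Failed password for \S+ from (\S+)$")

def threshold_alerts(log, max_failures=5, window=300):
    """Threshold monitoring: alert on any source with more than max_failures
    failed logins inside any sliding window of `window` seconds."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            failures[m.group(2)].append(int(m.group(1)))
    alerts = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_failures:
                alerts.add(src)
    return alerts

def confusion(alerts, actual_attackers, all_sources):
    """Compare alerts with ground truth to label each source TP/FP/TN/FN."""
    labels = {(True, True): "true positive", (True, False): "false positive",
              (False, True): "false negative", (False, False): "true negative"}
    return {src: labels[(src in alerts, src in actual_attackers)] for src in all_sources}
```

Widening the window (e.g. `window=4000`) catches the slow source as well, but only at the cost of counting more legitimate failures together; that tuning trade-off is the practical meaning of "difficult to set up the thresholds".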

Types of Anomaly Detection: Resource Profiling
- Measures system-wide resource use to develop a historic usage profile
- Abnormal readings can indicate illicit activity
- cf. threshold monitoring
Q: What are the differences between resource profiling and threshold monitoring as means of anomaly detection?
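To make the difference concrete, here is an added example (not from the slides or the book) that runs both approaches over constructed CPU samples for two hosts. A fixed threshold of 70% fires constantly on a host that is always busy and stays silent on an idle host whose load suddenly jumps; a profile learned from each host's own history does the opposite.

```python
from statistics import mean, pstdev

# Constructed hourly CPU utilisation samples (percent) for two hosts.
# HISTORY is the learning period; LIVE is the period being monitored.
HISTORY = {
    "batch-node": [78, 82, 80, 85, 79, 83, 81, 84, 80, 82],  # always busy
    "dns-cache": [4, 5, 3, 6, 4, 5, 4, 3, 5, 4],              # always idle
}
LIVE = {
    "batch-node": [81, 84, 80, 83],  # business as usual
    "dns-cache": [4, 5, 41, 45],     # sudden, unexplained load
}

def fixed_threshold_alerts(live, limit=70):
    """Threshold monitoring: one preset limit applied to every host alike."""
    return {host for host, samples in live.items() if any(s > limit for s in samples)}

def build_profiles(history):
    """Resource profiling: learn each host's own normal band (mean, std dev)."""
    return {host: (mean(s), pstdev(s)) for host, s in history.items()}

def profile_alerts(live, profiles, k=3.0):
    """Flag a host when a sample lies more than k standard deviations from
    its own historic baseline (a minimum sigma avoids flagging every tiny
    wobble on a host whose history was perfectly flat)."""
    alerts = set()
    for host, samples in live.items():
        mu, sigma = profiles[host]
        sigma = max(sigma, 0.5)
        if any(abs(s - mu) > k * sigma for s in samples):
            alerts.add(host)
    return alerts
```

The profile still has to be re-learned as workloads legitimately change, which is the same maintenance burden the work-profiling slides describe.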

Types of Anomaly Detection: User/Group Work Profiling
- Each user's or group's typical activities are stored in its work profile
- Activities not typical of that user or group are suspect
- Changes in work patterns need to be updated in the respective profiles
- Weaknesses? A dynamic user base could be difficult to profile. Examples?

Types of Anomaly Detection: User/Group Work Profiling (continued)
Q: Compare work profiling with other methods, such as threshold monitoring and resource profiling.

Types of Anomaly Detection: Executable Profiling
- Measures and monitors how programs use system resources
- Helpful in detecting many types of malware attacks
- Profiles how system objects (files and printers) are normally used
- Enables the IDS to identify activity that might indicate an attack

IDS Components
- Activity
- Administrator
- Sensor (or agent): collects data and passes it to the analyzer for analysis
- Analyzer
- Alert: a message from the analyzer sent to the administrator
- Manager (or management server): part of the IDS (e.g., a console)

IDS Components (continued)
- Notification: the method by which the IDS manager notifies the operator
- Operator: the administrator
- Event: an occurrence of a suspicious activity
- Data source: the raw data used by the IDS
- Database server: a repository for event information recorded by sensors, agents, and/or management servers

IDS Components

IDS vs IPS
Source: https://www.youtube.com/watch?v=dYQMzyfFrTE

IDS vs IPS
Intrusion Detection System:
- Passive
- Logs the activity
- Alerts an administrator (perhaps)
Intrusion Prevention System:
- Active
- Takes steps to prevent an attack in progress
- Problem of false positives
Intrusion Detection/Protection System (IDPS)

Snort
- Possibly the most well-known open source IDS
- Available on multiple platforms, including UNIX, Linux, and Windows
- Three modes of operation: sniffer, packet logger, network intrusion-detection
Speaker notes: Discuss the three modes of operation with the following three slides.

Snort Modes: Packet Sniffer Mode
- Monitors all traffic coming and going on a computer (i.e., host-based IDS)
- A good way to check encryption, because the console displays a continuous stream of the contents of all packets crossing that machine
- Helps determine potential sources of problems
Speaker notes: Discuss the differences between sniffer mode and packet logging. You might also include other examples of sniffer programs that are on the market.

Snort Modes: Packet Logger Mode
- Similar to sniffer mode
- Packet contents are written to a text file
- Contents can be searched for specific items
Speaker notes: Discuss the differences between sniffer mode and packet logging. You might also include other examples of sniffer programs that are on the market.

Snort Modes: Network Intrusion-Detection Mode
- Uses a heuristic approach to detect anomalous traffic (i.e., network-based IDS)
- Rules-based
- Command-line interface: you need to know the commands and what they do
Speaker notes: Explain that Snort's network intrusion-detection learns from experience and can modify rules based on certain behavior; this is what is meant by heuristic. Also point out that it is command-line-based; therefore, administrators must be familiar with the documentation and the commands used in Snort. This is not intuitive.
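In network intrusion-detection mode Snort evaluates each packet against its loaded rule set. The following added example (not Snort's own code) is a deliberately small Python matcher for two constructed rules written in Snort's header/options syntax, run over three constructed packets; it supports only the `any`/CIDR address forms, exact ports, the `->` direction and the `msg`, `content`, `sid` and `rev` options.

```python
import ipaddress
import re

# Constructed rules in Snort's header/options syntax (not from any Snort rule set).
# sid values of 1000000 and above are the range reserved for locally written rules.
RULES = [
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"Directory traversal in URI"; content:"../"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 23 (msg:"Telnet session to internal host"; sid:1000002; rev:1;)',
]
# Constructed packets, decoded into the fields the rule header refers to.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51512, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /images/../../secret.txt HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51513, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.8", "sport": 40000, "dst": "10.0.0.9", "dport": 23, "payload": b""},
]
HEADER = re.compile(r"^(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")

def parse_rule(text):
    """Split a rule into header fields and option key/values (options are split
    on ';', so a content string containing ';' is beyond this simplification)."""
    m = HEADER.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, value = opt.partition(":")
        options[key] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, pkt):
    """A rule fires only when the whole header matches and any content option is in the payload."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]

def detect(rules, packets):
    """Simplified NIDS mode: return (packet index, sid, msg) for every rule that fires."""
    parsed = [parse_rule(r) for r in rules]
    return [(i, r["options"]["sid"], r["options"]["msg"])
            for i, p in enumerate(packets) for r in parsed if match(r, p)]
```

Each `sid` identifies the rule in the alert output, which is why local rules get their own numbering range and why `rev` is bumped when a rule is edited.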

Cisco Intrusion-Detection and Prevention
Past models:
- Cisco IDS 4200 Series Sensors
- Cisco Catalyst 6500 Series Intrusion-Detection System Services Module (IDSM-2)
Current system offering: Cisco Next-Generation IPS Solution. There are a number of products in this group:
- Firepower 4100 series (smaller networks)
- Firepower 8000 series
- Firepower 9000 series (large-scale networks)
Speaker notes: Discuss these Cisco IDS implementations and refer to the figure on how they might be deployed on the network.

Understanding and Implementing Honeypots
- A honeypot is a single machine set up to appear to be an important (and possibly vulnerable) server
- All traffic to the machine is suspicious; no legitimate users should connect
- Honeypots can be configured to emulate many server services
- Honeypots can help track and catch hackers
Speaker notes: Provide an introduction and discussion of what honeypots are used for and how they can benefit administrators in the fight to know how hackers work and where they go when they connect to a system.
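The principle that every connection to a honeypot is worth recording can be shown with a minimal emulated service. This is an added example, not code from the slides or from any honeypot product: a loopback TCP listener that presents a constructed SMTP-style banner and logs the source address and opening request of every connection, plus a constructed client used only to exercise it.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed greeting; a real honeypot mimics a specific service and version.
BANNER = b"220 mail.example.test ESMTP Service ready\r\n"

class HoneypotHandler(socketserver.StreamRequestHandler):
    """Log every connection: no legitimate client should reach this port, so
    the source address and opening request are evidence, not noise."""
    def handle(self):
        ip, port = self.client_address[:2]
        self.wfile.write(BANNER)
        first = self.rfile.readline(512)  # keep only the opening request line
        self.server.events.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src": f"{ip}:{port}",
            "request": first.decode("latin-1", "replace").strip(),
        })

class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True
    def __init__(self, bind=("127.0.0.1", 0)):  # port 0: let the OS pick a free port
        super().__init__(bind, HoneypotHandler)
        self.events = []
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def wait_for_events(self, count, timeout=5.0):
        """Handlers run on their own threads; wait until `count` events exist."""
        deadline = time.monotonic() + timeout
        while len(self.events) < count and time.monotonic() < deadline:
            time.sleep(0.02)
        return list(self.events)

def connect_once(port, request=b"EHLO probe.example\r\n"):
    """Constructed client standing in for whoever touches the honeypot."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        banner = s.recv(256)
        s.sendall(request)
    return banner

if __name__ == "__main__":
    hp = Honeypot()
    connect_once(hp.server_address[1])
    for event in hp.wait_for_events(1):
        print(event)
    hp.shutdown()
```

A production deployment would bind a routable address, forward the event log to the IDS manager or database server described earlier, and never run on a host that carries real data.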

Specter
- A software honeypot solution
- Can simulate AIX, Solaris, Unix, Linux, and Mac OS X
- Works by appearing to run a number of services common to network servers: SMTP, FTP, TELNET, FINGER, POP3, IMAP4, HTTP, SSH, DNS, SUN-RPC, NETBUS, SUB-7, BO2K, GENERIC TRAP
Speaker notes: You may provide additional examples of other services that can be emulated.

Specter (continued)
Can be set up in one of five modes:
- Open: behaves like a badly configured server
- Secure: behaves like a secure server
- Failing: behaves like a server with hardware and software problems
- Strange: behaves in unpredictable ways
- Aggressive: actively tries to trace the origin of the intruder's connection
Fake password files can also be configured: Easy, Normal, Hard, Fun, Warning
Speaker notes: Describe each mode of operation for Specter. The types of intruders drawn by each server configuration might also be mentioned. Outline each type of password configuration, its benefits, and possible drawbacks, if any.

Summary
- A variety of intrusion-detection systems are available
- Should be used with firewalls
- Can run at the perimeter and internally as sensors
- Ideally implemented on every server
- Free IDS solutions are available
- Honeypots entice hackers to a fake server