1. Intrusion Detection
Chapter 12

2. Learning Objectives
Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products
Detail the differences between host-based and network-based intrusion detection
Identify active detection and passive detection features of both host- and network-based IDS products
continued…

3. Learning Objectives
Explain what honeypots are and how they are employed to increase network security
Clarify the role of security incident response teams in the organization

4. Intrusion Detection System (IDS)
Detects malicious activity in computer systems
Identifies and stops attacks in progress
Conducts forensic analysis once attack is over

5. The Value of IDS
Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers)
Expands available options to manage risk from threats and vulnerabilities

6. Negatives and Positives
IDS must correctly identify intrusions and attacks
True positives
True negatives
False negatives
IDS missed an attack
False positives
Benign activity reported as malicious

7. Dealing with False Negatives and False Positives
Obtain more coverage by using a combination of network-based and host-based IDS
Deploy NICS at multiple strategic locations in the network
False positives
Reduce number using the tuning process

8. Types of IDS Network-based (NIDS) Host-based (HIDS)
Monitors network traffic
Provides early warning system for attacks
Host-based (HIDS)
Monitors activity on host machine
Able to stop compromises while they are in progress

9. Network-based IDS
Uses a dedicated platform for purpose of monitoring network activity
Analyzes all passing traffic
Sensors have two network connections
One operates in promiscuous mode to sniff passing traffic
An administrative NIC sends data such as alerts to a centralized management system
Most commonly employed form of IDS

10. NIDS Monitoring and Management Interfaces

11. NIDS Architecture
Place IDS sensors strategically to defend most valuable assets
Typical locations of IDS sensors
Just inside the firewall
On the DMZ
On the server farm segment
On network segments connecting mainframe or midrange hosts

12. Connecting the Monitoring Interface
Using Switch Port Analyzer (SPAN) configurations, or similar switch features
Using hubs in conjunction with switches
Using taps in conjunction with switches

13. SPAN
Allows traffic sent or received in one interface to be copied to another monitoring interface
Typically used for sniffers or NIDS sensors

14. How SPAN Works

16. Limitations of SPAN
Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link
Switch may offer limited number of SPAN ports or none at all

17. Hub
Device for creating LANs that forward every packet received to every host on the LAN
Allows only a single port to be monitored

18. Using a Hub in a Switched Infrastructure

19. Tap
Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures

21. NIDS Signature Types Signature-based IDS Port signature
Header signatures

22. Network IDS Reactions TCP resets IP session logging
Shunning or blocking

23. Host-based IDS Primarily used to protect only critical servers
Software agent resides on the protected system
Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity
Use of resources can have impact on system performance

24. HIDS Method of Operation
Auditing logs (system logs, event logs, security logs, syslog)
Monitoring file checksums to identify changes
Elementary network-based signature techniques including port activity
Intercepting and evaluating requests by applications for system resources before they are processed
Monitoring of system processes for suspicious activity

25. HIDS Software Host wrappers Agent-based software
Inexpensive and deployable on all machines
Do not provide in-depth, active monitoring measures of agent-based HIDS products
Agent-based software
More suited for single purpose servers

26. HIDS Active Monitoring Capabilities
Log the event
Alert the administrator
Terminate the user login
Disable the user account

27. Advantages of Host-based IDS
Verifies success or failure of attack by reviewing HIDS log entries
Monitors use and system activities; useful in forensic analysis of the attack
Protects against attacks that are not network based
Reacts very quickly to intrusions
continued…

28. Advantages of Host-based IDS
Not reliant on particular network infrastructure; not limited by switched infrastructures
Installed on protected server itself; requires no additional hardware to deploy and no changes to network infrastructure

29. Passive Detection Systems
Can take passive action (logging and alerting) when an attack is identified
Cannot take active actions to stop an attack in progress

30. Active Detection Systems
Have logging, alerting, and recording features of passive IDS, with additional ability to take action against offending traffic
Options
IDS shunning or blocking
TCP reset
Used in networks where IDS administrator has carefully tuned the sensor’s behavior to minimize number of false positive alarms

32. TCP Reset

33. Signature-based and Anomaly-based IDS
Signature detections
Also know as misuse detection
IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
Anomaly detection
Baseline is defined to describe normal state of network or host
Any activity outside baseline is considered to be an attack

34. Intrusion Detection Products
Aladdin Knowledge Systems
Entercept Security Technologies
Cisco Systems, Inc.
Computer Associates International Inc.
CyberSafe Corp.
Cylant Technology
Enterasys Networks Inc.
Internet Security Systems Inc.
Intrusion.com Inc. family of IDS products
continued…

35. Intrusion Detection Products
NFR Security
Network-1 Security Solutions
Raytheon Co.
Recourse Technologies
Sanctum Inc.
Snort
Sourcefire, Inc.
Symantec Corp.
TripWire Inc.

36. Honeypots
False systems that lure intruders and gather information on methods and techniques they use to penetrate networks—by purposely becoming victims of their attacks
Simulate unsecured network services
Make forensic process easy for investigators

37. Commercial Honeypots
ManTrap
Specter
Smoke Detector
NetFacade

38. Open Source Honeypots BackOfficer Friendly BigEye Deception Toolkit
LaBrea Tarpit
Honeyd
Honeynets
User Mode Linux

39. Honeypot Deployment Goal Options
Gather information on hacker techniques, methodology, and tools
Options
Conduct research into hacker methods
Detect attacker inside organization’s network perimeter

40. Honeypot Design Must attract, and avoid tipping off, the attacker
Must not become a staging ground for attacking other hosts inside or outside the firewall

41. Honeypots, Ethics, and the Law
Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host
Honeypot does not convince one to attack it; it merely appears to be a vulnerable target
Doubtful that honeypots could be used as evidence in court

42. Incident Response
Every IDS deployment should include two documents to answer “what now” questions
IDS monitoring policy and procedure
Incident response plan

43. IDS Monitoring
Requires well-documented monitoring procedures that detail actions for specific alerts

44. Information Security Incident Response Team (SIRT)
Responsible for assigning personnel to assemble resources required to handle security incidents

45. Typical SIRT Objectives
Determine how incident happened
Establish process for avoiding further exploitations of the same vulnerability
Avoid escalation and further incidents
Assess impact and damage of the incident
Recover from the incident
continued…

46. Typical SIRT Objectives
Update procedures as needed
Determine who was responsible
Involve legal counsel and law enforcement officials, as appropriate

47. Chapter Summary Two major types of intrusion detection Honeypots
Network-based IDS (monitor network traffic)
Host-based IDS (monitor activity on individual computers)
Honeypots
Incident response