KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Intrusion Detection and Incidence Response Course Name – IT390-01 Intrusion Detection and Incidence Response

Presentation transcript:

1 KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY
Welcome to Intrusion Detection and Incidence Response
Course Name – IT390-01 Intrusion Detection and Incidence Response
Instructor – Jan McDanolds, MS, Security+
Contact Information: AIM – JMcDanolds; Email – jmcdanolds@kaplan.edu
Office Hours: Tuesday, 8:00 PM ET or Thursday, 8:00 PM ET

2 UNIT 2 – Agenda for Unit 2
Overview of Unit 1: Chapter 1 in Intrusion Prevention Fundamentals (Cisco book); Chapter 1 in Implementing Intrusion Detection System (Wiley ebook)
Unit 2 – Reading: Chapter 2 in the Cisco book – Signatures: types, triggers and actions

3 UNIT 1 – CHAPTER 1: Intrusion Prevention Overview
Why is an IPS necessary?
Technology adoption – client-server, Internet, wireless connectivity, mobile computing
Target value – information theft, zombie acquisition
Attack characteristics – delivery mechanism, attack complexity, attack target and attack impact

4 UNIT 1 – Intrusion Detection System versus Intrusion Prevention System
Intrusion Detection System (IDS) – an intrusion monitoring system that passively monitors network traffic (typically a copy of it, from a span port or tap) looking for malicious activity. Because it is not in the forwarding path, it can alert on a packet but cannot stop that packet itself.
Intrusion Prevention System (IPS) – an intrusion monitoring system that examines network traffic inline, while it acts as a forwarding device for that traffic, so it can drop or reset what it finds.
Two types of each: host-based and network-based.

5 UNIT 1 – Attack Examples
Review attacks – see pages 17 to 22. For each attack, fill in the year, delivery mechanism, complexity, target and impact (the table cells are blank on the slide):

Attack            | Year | Delivery Mechanism | Complexity | Target | Impact
------------------|------|--------------------|------------|--------|-------
Replacement Login |      |                    |            |        |
The Morris Worm   |      |                    |            |        |
CIH Virus         |      |                    |            |        |
Loveletter Worm   |      |                    |            |        |
Nimda             |      |                    |            |        |
SQL Slammer       |      |                    |            |        |

Why do we need to study these?

6 UNIT 2 – Intrusion Detection Technology
Technology designed to monitor computer activities for the purpose of finding security violations. An IDS is similar to an alarm system: an alarm means there is some sort of potential malicious activity (fire, break-in, etc.).

Example: When a fire alarm goes off, it does not put out the fire. If there are people in the building, the alarm alerts them to leave. If there is a sprinkler system, it may have already activated due to heat or smoke. The two systems may not even be connected.

Alarm systems for buildings would not be effective if fire sensors were the only triggers. Sensors on windows and doors protect against a physical intrusion. Carbon monoxide sensors warn of hazardous gas.

False alarms are common. Burnt toast in the faculty lounge or smoke in the chemistry lab may trigger an alarm, but do not set off the sprinkler system.

7 UNIT 2 – Intrusion Detection Technology (cont.)
IDS/IPS systems use rules (dynamic or static) to decide whether activity is allowed or denied (blocked). This is similar to a lock on a door, and similar to but not the same as a firewall: a firewall decides on addresses and ports, while the IDS/IPS decides on what the traffic is doing. Keep the distinction from the previous unit in mind: a passive IDS can only raise the alert and log the address; the actual drop is done by an inline IPS, or by a firewall the IDS instructs to add a block rule.

Example: The activity from an IP address indicates it is attempting to scan for open ports. One of the ports it is scanning is TCP port 21, on which FTP listens. The IDS has a rule indicating that any outside scan for port 21 should be blocked. The IDS dynamically logs the IP address, marking it so that any further activity from this address is blocked. All subsequent packets from this IP address are dropped.

Examples of blocking a connection or port by hand:
TCP kill with Linux – using tcpkill (part of the dsniff package), not netstat: http://www.cyberciti.biz/howto/question/linux/kill-tcp-connection-using-linux-netstat.php
Windows Firewall: http://windows.microsoft.com/en-US/windows-vista/Understanding-Windows-Firewall-settings
Open a port in Windows Firewall: http://windows.microsoft.com/en-US/windows-vista/Open-a-port-in-Windows-Firewall

8 UNIT 2 – Intrusion Detection Technology (cont.)
Physical Intrusion Detection Example: ADT – http://www.adt.com/commercial-security/products/intrusion-detection
“Our intrusion detection systems are designed to help protect your people and property. After all, while your property is valuable, nothing is more precious than the lives of your employees, customers, and clients.”
Intrusion Detection Service Features:
Burglar alarm system monitoring (off site)
Hold-up and panic button/signal monitoring
Critical condition monitoring

9 UNIT 2 – Intrusion Detection Technology (cont.)
SecureWorks – Dell Company – http://www.secureworks.com/services/managed_ids_ips
“Network Intrusion Detection and Prevention (IDS/IPS) devices can provide a highly effective layer of security designed to protect critical assets from cyber threats. Organizations can detect attempts by attackers to compromise systems, applications and data by deploying network IDS; however, keeping the devices tuned and up-to-date so they are effective is a challenge for many organizations. Dell SecureWorks team of security device management experts can help alleviate this burden and enable more effective operation.”
Managed IDS/IPS service provides:
Expert signature tuning
Real-time threat monitoring and response
Integrated Counter Threat Unit intelligence
On-demand security and compliance reporting
Auditable and accurate change management

10 UNIT 2 – Intrusion Detection Technology (cont.)
SecureWorks – Host Intrusion Prevention (Host IPS) – http://www.secureworks.com/services/host_intrusion_prevention/
“Malicious attacks that use encryption can easily bypass firewalls and network intrusion prevention systems. Host intrusion prevention provides another layer of defense to protect your infrastructure from internal and external attacks that use encryption techniques. However, host intrusion prevention systems (HIPS) are complex and difficult to configure. If implemented incorrectly, HIPS can cripple an application on the host server.”
“Dell SecureWorks' Host Intrusion Prevention System (Host IPS) service is a fully managed service that decrypts and inspects encrypted traffic to prevent external and internal attacks on your critical servers in real time.”

11 UNIT 2 – Issue with Zero-Day
“Careful, that zero-day signature you just got from your IPS vendor could be used against you: Researchers from Errata Security at Black Hat USA this week will show how an attacker can easily reverse-engineer these zero-day filters that IPS (intrusion prevention system) vendors distribute, and then use them to leverage an attack. Errata CEO Robert Graham and CTO David Maynor will demonstrate this using TippingPoint's signatures, but Graham says it's possible to reverse-engineer any IPS vendor's zero-day signatures. The company was also able to do the same with signatures from Cisco, Juniper Networks, and McAfee, he says, although they will only demonstrate their research on TippingPoint's IPS in its Thursday morning session, entitled "Simple Solutions to Complex Problems from the Lazy Hacker's Handbook." The researchers will show how these signatures basically give an attacker the ammunition to do damage using bugs that wouldn't have otherwise been known about yet. "The point is that if you're a black hat, it's easier to get a zero-day from the vendor than to develop your own," Graham says.”
http://www.darkreading.com/security/security-management/208804656/index.html

12 UNIT 2 – Chapter 2 in Cisco book
Unit 2 – Reading: Chapter 2 – Signatures: types, triggers and actions
What is a signature? http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-one
Signature Basics: A network IDS signature is a pattern that we want to look for in traffic. Examples:
Connection attempt from a reserved IP address.
Packet with an illegal TCP flag combination.
Email containing a particular virus.
DNS buffer overflow attempt contained in the payload of a query.
Denial of service attack on a POP3 server caused by issuing the same command thousands of times.
File access attack on an FTP server by issuing file and directory commands to it without first logging in.

13 UNIT 2 – Signatures and Actions
Signatures: types, triggers and actions
Signature types: atomic (a single packet or event is enough to decide) and stateful (the sensor must remember earlier traffic before it can decide)
Signature triggers: pattern detection, anomaly-based detection, behavior-based detection
Signature actions: generating an alert, dropping, logging, resetting the TCP connection, blocking future activity, allowing (page 45)
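The signature types and actions listed above, together with the port-21 scan example from slide 7 and the signature examples from slide 12, as one added worked example. This code is written for this page; it is not from the Cisco book, the Symantec article or the course. It is a toy inline (IPS-mode) engine in Python with two atomic signatures (illegal TCP flag combination, connection attempt from a reserved source address), one stateful signature (a port scan, counted as a threshold of distinct destination ports from one source inside a sliding time window) and the actions alert, drop and block. The packet records, the thresholds and the list of "reserved" source ranges are constructed assumptions for the demonstration, not captured traffic or a vendor's rule set.

```python
"""Toy signature engine: atomic and stateful signatures with IPS-style actions.

Added example for this page (not from the Cisco text or the course). The packet
records, thresholds and reserved-range list below are constructed assumptions.
"""
from collections import defaultdict
import ipaddress

# Source ranges this example's rule treats as never legitimate on an Internet-facing
# sensor (assumption: loopback, RFC 1918, link-local, multicast, "this" network).
RESERVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Flag combinations no legitimate TCP stack sends (used by scanners to fingerprint hosts).
ILLEGAL_FLAG_SETS = [{"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"}]


class AtomicSignature:
    """Fires on a single packet; keeps no memory of earlier traffic."""
    def __init__(self, name, action, predicate):
        self.name, self.action, self.predicate = name, action, predicate

    def match(self, pkt):
        return self.predicate(pkt)


class PortScanSignature:
    """Stateful: fires once a source has probed >= threshold distinct TCP ports on
    one host inside a sliding window of `window` seconds."""
    def __init__(self, name, action, threshold=5, window=10.0):
        self.name, self.action = name, action
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(list)  # (src, dst) -> [(time, dport), ...]

    def match(self, pkt):
        if pkt["proto"] != "tcp":
            return False
        key = (pkt["src"], pkt["dst"])
        hist = self.seen[key] + [(pkt["t"], pkt["dport"])]
        # forget probes that fell out of the window, then count distinct ports
        self.seen[key] = hist = [(t, p) for t, p in hist if pkt["t"] - t <= self.window]
        return len({p for _, p in hist}) >= self.threshold


def is_reserved_source(pkt):
    ip = ipaddress.ip_address(pkt["src"])
    return any(ip in net for net in RESERVED_SOURCES)


def has_illegal_flags(pkt):
    return pkt["proto"] == "tcp" and any(s <= pkt["flags"] for s in ILLEGAL_FLAG_SETS)


def build_signatures():
    return [
        AtomicSignature("illegal-tcp-flags", "drop", has_illegal_flags),
        AtomicSignature("reserved-source-address", "alert", is_reserved_source),
        PortScanSignature("tcp-port-scan", "block", threshold=5, window=10.0),
    ]


def run_engine(packets, signatures):
    """Inline mode. Returns (per-packet verdicts, events raised).
    'alert'/'log' record the event and forward the packet; 'drop'/'reset' stop it;
    'block' stops it and shuns the source, so every later packet from it is dropped."""
    blocked, verdicts, events = set(), [], []
    for pkt in packets:
        if pkt["src"] in blocked:
            events.append((pkt["t"], "shunned-source", pkt["src"], "drop"))
            verdicts.append("drop")
            continue
        verdict = "forward"
        for sig in signatures:
            if not sig.match(pkt):
                continue
            events.append((pkt["t"], sig.name, pkt["src"], sig.action))
            if sig.action == "block":
                blocked.add(pkt["src"])
            if sig.action in ("drop", "reset", "block"):
                verdict = "drop"
                break
        verdicts.append(verdict)
    return verdicts, events


def _pkt(t, src, dport, flags=("SYN",)):
    # constructed packet summary; dst is a fixed documentation address
    return {"t": t, "src": src, "dst": "192.0.2.10", "proto": "tcp",
            "dport": dport, "flags": set(flags)}


# Constructed traffic: a scan of five ports (including FTP/21) from one source, a
# follow-up packet from the same source, a SYN+FIN probe, a spoofed loopback
# source, and one ordinary connection attempt.
SAMPLE_PACKETS = [
    _pkt(0.0, "203.0.113.5", 80), _pkt(0.5, "203.0.113.5", 21),
    _pkt(1.0, "203.0.113.5", 22), _pkt(1.5, "203.0.113.5", 23),
    _pkt(2.0, "203.0.113.5", 25), _pkt(2.1, "203.0.113.5", 443),
    _pkt(3.0, "198.51.100.7", 80, flags=("SYN", "FIN")),
    _pkt(4.0, "127.0.0.1", 80),
    _pkt(5.0, "198.51.100.8", 80),
]

if __name__ == "__main__":
    verdicts, events = run_engine(SAMPLE_PACKETS, build_signatures())
    for pkt, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"t={pkt['t']:<4} {pkt['src']:>13} -> :{pkt['dport']:<4} {v}")
    for ev in events:
        print("event:", ev)
```

Running it shows the difference between the actions: the fifth probe from 203.0.113.5 trips the stateful scan signature, and because its action is block the scanner's next packet is dropped without any signature being consulted (the "blocking future activity" action). The SYN+FIN packet is dropped by an atomic signature, while the spoofed loopback source only raises an alert and is still forwarded, which is exactly what a passive IDS would do. The threshold and window are the tuning knobs: set them too low and a user opening several services at once becomes the burnt toast of slide 6.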

14 UNIT 2 – Six Integral Steps to Selecting the Right IPS for Your Network (Opus article)
Step 1: Why am I buying an IPS? Every IPS has a different set of design goals and features targeted to address a limited set of questions.
Step 2: Determine the level of security and coverage you require. Three approaches in current IPS products: signature-based (including protocol anomaly) IPS, rate-based IPS, and behavioral IPS.
Step 3: Determine your performance requirements.
Step 4: Determine your form factor requirements. IPS is not a product; IPS is a function and a technology found in many kinds of devices, including standalone IPS appliances, inside firewalls and switches, and in other types of security appliances, such as SSL VPNs.
Step 5: Determine your management requirements.
Step 6: Evaluate an IPS.

15 UNIT 2 – Readings
Unit 2 Readings: Chapter 2 in Intrusion Prevention Fundamentals, ALSO the web readings listed (Black Hat – How to Hack IPS Signatures, and the Opus white paper – Six Integral Steps)

16 UNIT I – Unit 2 Assignment
Essay on 5 actions: “Our text describes 5 actions an IPS is capable of performing (drop, log, block, reset, and allow). In a 2-3 page paper, using good APA formatting, briefly review each of the 5 actions. Next, create a hypothetical situation where each action (one situation for each action) is implemented. For each situation explain why the action is the correct choice for the situation.”
Page 45 – Intrusion Prevention Fundamentals

17 UNIT I – Unit 2 Assignments
Download chapters from Doc Sharing
Read chapters and web readings
Post to Discussion
Attend Seminar
Complete Assignment
Email any questions: JMcDanolds@kaplan.edu, or you can call me at 641-649-2980

