KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY
Intrusion Detection and Incidence Response
Course Name – IT390-01 Intrusion Detection and Incidence Response
Instructor – Jan McDanolds, MS, Security+
Contact Information: AIM – JMcDanolds; Email – jmcdanolds@kaplan.edu
Office Hours: Tuesday, 7:00 PM ET or Wednesday, 8:00 PM ET
UNIT 8 Chapter 7 – Maximizing Your IDS
Download Chapter 7 in the Wiley ebook – Doc Sharing, Document Sharing Categories, IT390_eBook_Files – list will display
- Correlating data from multiple sources
- Investigation
- Verifying and testing
“The holy grail, so to speak, of monitoring and detection is to be able to demonstrate from the point at which an attacker’s packets entered the external perimeter of your network exactly what was done, when and how.”
UNIT 7 REVIEW – Chapter 6 – Deploying IDS
- Selecting the best product for your needs
- Establishing goals
- Identifying specific objectives
- Determining requirements
- Planning for deployment of your intrusion detection system
- Monitoring alerts generated by your system
- Fine-tuning the system to your environment
Each IDS provides default rule groups – the configuration of these groups depends on the individual goals for your IDS
UNIT 7 REVIEW – Quick Check
#1 Name two objectives (goals) for your IDS
#2 What is one important rule for monitoring and managing alerts from your IDS?
#3 Snort has a large number of rules that are updated by the VRT (Sourcefire Vulnerability Research Team) as well as info on malware. What is new in May/June 2012?
http://www.snort.org/vrt
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-06-05.html
UNIT 8 Chapter 7 – Correlating Data From Multiple Sources
Building a database
- Push information to a central database
- Different sources have different types of data to be stored
- Data fields commonly used include event date and time, event type, importance rating (e.g., priority, severity, impact, confidence), and prevention action performed (if any). Specific types of IDPSs log additional data fields, such as network-based IDPSs performing packet captures and host-based IDPSs recording user IDs, packet payloads, etc.
- Evaluate the vendor’s implementation (if available) or use a scripting language like Perl to parse the text file and push to Oracle
- Vendors may use dashboard software to coordinate information
UNIT 8 Correlating Data From Multiple Sources
IDEP – IETF standards drafts: http://datatracker.ietf.org/wg/idwg/
UNIT 8 Correlating Data From Multiple Sources
Identifying data sources – Table 7-1
UNIT 8 Correlating Data From Multiple Sources
Additional sources:
- Implementing key logging for critical hosts to provide information not obtained from another source
- Others:
UNIT 8 Investigation
The Example Attack – page 197 (pg 9 in .pdf)
- An external attacker managed to execute a buffer overflow against the DNS server. This gave root access to the DNS server.
- The DNS server access was used to transfer tools used to collect password information from the local subnet.
- The password information was used to log into the web server.
- The web server’s access to the internal network for connectivity was used to gain entry to the internal network.
UNIT 8 Investigation – Example Attack
Path of attack (diagram).
UNIT 8 Investigation
- Border router – discards unwanted traffic and logs via syslog to IDS sensor 1. Forwarded to the IDS console using SSH.
- Firewall – forwarding logs to IDS sensor 3.
- Hosts – hosts in the DMZ are running HIDS. HIDS alerts are transmitted to the IDS console via encrypted communications. Also, all DMZ hosts forward copies of logs to IDS sensor 2 via syslog down an SSH pipe – including OS, app and target-based logs.
UNIT 8 Investigation – Detection
- The attacker manages to access the database server before the attacker is detected.
- Suspicious activity between the web server and the database is detected. The passing of shell commands is detected.
- IDS sensor 3 alert: “unusual connectivity to database server!”
- The attempted connection is to an unusual port on the web server (port 41449).
- Inspection of the logs with a filter for the port.
- Observation of the addition of two new users – one with admin rights.
- Identification of dsniff (d sniff) indicates password compromise. Verified using syslog files on the DNS server.
- Review of the IP address on Whois and ARIN.
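The central-database approach from the Building a database slide and the two clues on this Detection slide (the unusual port, then new users on the same host), as an added example that is not part of the course material: Python and in-memory sqlite stand in for the Perl-to-Oracle pipeline the slides mention, and every log line, IP address, host name and the asset inventory is constructed.

```python
import re
import sqlite3
# Constructed sample lines (not from the course material): firewall syslog via
# sensor 3, a Snort-style alert from sensor 3, and OS/HIDS syslog from the DMZ.
SAMPLE_LOGS = [
    ("hids", "2012-06-04 09:00:00 www1 useradd[1900]: new user: name=deploy, UID=1001"),
    ("firewall", "2012-06-05 02:14:03 fw1 ACCEPT TCP 10.1.1.10:52022 -> 10.1.1.20:41449"),
    ("nids", "2012-06-05 02:14:05 sensor3 [Priority: 1] unusual connectivity to "
             "database server {TCP} 10.1.1.20:40012 -> 10.2.2.5:1521"),
    ("hids", "2012-06-05 02:16:40 www1 useradd[2211]: new user: name=svc_bak, UID=1002"),
    ("hids", "2012-06-05 02:16:41 www1 usermod[2212]: add 'svc_bak' to group 'wheel'"),
]
ASSETS = {"10.1.1.10": "ns1", "10.1.1.20": "www1", "10.2.2.5": "db1"}  # constructed inventory

CONN = re.compile(r"(\S+ \S+) (\S+) .*?(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
ACCT = re.compile(r"(\S+ \S+) (\S+) (useradd|usermod)\[\d+\]: (.*)")
PRIO = re.compile(r"\[Priority: (\d+)\]")

def normalize(source, line):
    """Map a raw line onto the common fields; unknown formats return None."""
    m = CONN.match(line)
    if m:
        ts, host, sip, sp, dip, dp = m.groups()
        prio = PRIO.search(line)       # only the NIDS alert carries a priority
        return (ts, source, host, "connection", int(prio.group(1)) if prio else 3,
                sip, int(sp), dip, int(dp), line)
    m = ACCT.match(line)
    if m:
        ts, host, kind, detail = m.groups()
        return (ts, source, host, "account_" + kind, 2, None, None, None, None, detail)
    return None

def load(logs):
    """Push normalized events and the asset inventory into one central database."""
    con = sqlite3.connect(":memory:")  # stands in for the Oracle instance on the slide
    con.execute("CREATE TABLE events (ts, source, host, etype, priority, src_ip, src_port, dst_ip, dst_port, detail)")
    con.execute("CREATE TABLE assets (ip, host)")
    con.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?)",
                    [r for r in (normalize(s, l) for s, l in logs) if r])
    con.executemany("INSERT INTO assets VALUES (?,?)", ASSETS.items())
    return con

def correlate(con, port, window_min=10):
    """Chain the slide's two clues: a connection to an unusual port on a host, then account changes on it."""
    sql = """SELECT c.ts, c.src_ip, a.host, a.ts, a.detail
             FROM events c JOIN assets s ON s.ip = c.dst_ip
             JOIN events a ON a.host = s.host AND a.etype LIKE 'account_%'
              AND a.ts BETWEEN c.ts AND datetime(c.ts, ?)
             WHERE c.etype = 'connection' AND c.dst_port = ? ORDER BY a.ts"""
    return con.execute(sql, (f"+{window_min} minutes", port)).fetchall()
```

Running `correlate(load(SAMPLE_LOGS), 41449)` returns only the two account changes on www1 that follow the connection to port 41449; the earlier `deploy` account falls outside the window and is not reported.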
UNIT 8 Verification and Testing
It will be tested by you or an attacker…
- Duplicate your production environment for testing
- Flooding attack – use of Stick or Snot, etc.
- Intrusion Detection -- Fun with Packets: Designing a Stick: “The paper outlines a denial-of-service attack against not the computer network, but the human processes that support intrusion detection.” http://www.packetnexus.com/docs/kb/985039466_3025.php
- Host IDS Evasions Revisited: http://www.snort.org/assets/164/sf_HTTP_IDS_evasions.pdf
UNIT 8 Verification and Testing
Use of attack tools for accuracy testing
- Attack testing: buffer overflows, DoS, DDoS, back doors, Trojans, etc.
Use of vulnerability scanning software
- Vulnerability scanning software is best used to test scalability
- Example: http://www.secpoint.com/penetrator.html
- http://sectools.org/tag/web-scanners/
Evasion testing
- Whisker: http://www.iss.net/security_center/reference/vuln/HTTP_WhiskerScan.htm
- Fragrouter: http://www.sans.org/security-resources/idfaq/fragroute.php
- Host IDS Evasions Revisited: http://www.snort.org/assets/164/sf_HTTP_IDS_evasions.pdf
UNIT 8 Web Readings
Guide to Intrusion Detection and Prevention Systems by NIST – Special Publication 800-94 – 127 pages
“Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.”
This publication discusses the following four types of IDPS technologies:
- Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity
- Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves
- Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems)
- Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
UNIT 8 Web Readings
SANS article: Measuring Effectiveness in Information Security Controls by Manuel Humberto Santander Peláez
“How can we show the effectiveness of those controls? One way is to perform a risk analysis process to determine the controls to be implemented. The risk analysis process defines the critical variables that, when monitored, shows the risk exposure level and then determine the metrics that will measure the effectiveness of the controls. This paper shows a proposal on how to measure the effectiveness of implanted information security controls as part of the corporate Information Security process.”
UNIT 8 Readings
Unit 8 Readings: Chapter 7, Wiley ebook from Doc Sharing – Maximizing Your IDS
ALSO: Web Readings from NIST and SANS
UNIT 8 Assignment
Cisco icons in Doc Sharing. Review the rubric to see the point totals.
UNIT 8 Assignments
- Download chapter from Doc Sharing
- Read chapter and web readings
- Post to Discussion
- Attend Seminar
- Complete Assignment – review rubric
Email any questions: JMcDanolds@kaplan.edu
Or you can call me 641-649-2980