Topic 1. At the end of the lesson, the students are able to: explain different terminologies used...
Posted on 19-Dec-2015
OBJECTIVES
At the end of the lesson, the students are able to:
- explain different terminologies used in IDS
- make comparisons between different types of IDSs
- explain the roles of IDS
mms©
TRENDS
- Over the past 20 years attackers have gained in intensity and frequency.
- Tools have evolved.
- Today's attacker is motivated by profit.
- Where is the money? In the applications!
©2009 KRvW Associates, LLC
GENERAL ATTACK TYPES
Network and OS-level:
- Port-scanning and probing (stealth technique)
- Vulnerability scanning
- Vulnerability exploits
Application attacks:
- Specific to the application layer
- Web apps common
- OWASP Top-10
Are you under attack? How do you know?
NETWORK AND OS-LEVEL ATTACK
Port-scanning and probing:
- Remote inventory of all doors and windows: what's available?
- The key is to avoid detection (stealth technique).
Vulnerability scanning:
- What are the weak points? Bad locks, unlocked doors, unpatched servers, misconfigurations.
- Inventory of weaknesses.
Vulnerability exploits:
- Now we know the weak points: exploit them.
- Kick the door in, pick the lock, buffer overflow, malware.
APPLICATION ATTACKS
Go for flaws in business software, specific to the application:
- XSS (Cross-site Scripting)
- SQL injection
- CSRF (Cross-Site Request Forgery)
- Authentication
- Access control
- Ad infinitum (~ "to infinity")
APPLICATION ATTACKS
XSS (Cross-site Scripting): a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy.
CSRF (Cross-Site Request Forgery): also known as a one-click attack or session riding, and abbreviated CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in a user's browser.
OWASP TOP 10
The Open Web Application Security Project (OWASP) Top Ten Project provides a minimum standard for web application security. It lists the ten most critical web application security vulnerabilities, representing a broad consensus:
1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Failure to Restrict URL Access
8. Unvalidated Redirects and Forwards
9. Insecure Cryptographic Storage
10. Insufficient Transport Layer Protection
Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
THREATS
- Intrusion: successful attempts by an intruder to gain access to machines they would otherwise have no access to.
- Destruction: after intrusion, any loss of data/information.
- Malicious code: e.g. virus, worm, etc.
- Denial-of-service (DoS): services provided by your website become inaccessible due to too many requests from other sources.
- Forgery: websites claiming to be someone they are not (e.g. e-banking systems) in order to gain information they should not have (e.g. usernames and passwords).
- Spamming: more of an inconvenience than a threat, spam is usually described as unsolicited email, or email that you have not requested or do not want.
- Mailbombs: large amounts of email coming from one source, causing DoS on mail servers.
- Hack threat: scanning activities; people looking for a way into your system.
PASSIVE ATTACKS
Learn or make use of information from the system but do not affect system resources.
Eavesdropping on, or monitoring of, transmissions.
Two types:
1. Release of message contents
2. Traffic analysis
PASSIVE ATTACKS: Release of message contents
A telephone conversation, an electronic mail message, and a transferred file are all subject to this threat.
PASSIVE ATTACKS: Traffic analysis
Encryption masks the contents of what is transferred, so even if the traffic is obtained by someone they would be unable to extract the information; traffic analysis instead observes the pattern of the traffic (who is communicating with whom, how often, and with messages of what length).
ACTIVE ATTACKS
Involve some modification of the data stream or the creation of a false stream.
Four categories:
1. Masquerade
2. Replay
3. Modification
4. Denial of service

ACTIVE ATTACKS: Replay
Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

ACTIVE ATTACKS: Modification of messages
Means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.

ACTIVE ATTACKS: Denial of service (DoS)
Prevents or inhibits the normal use or management of communications facilities, e.g. disabling the network or overloading it with messages.
INTRUDERS
- Intruders: attackers who try to find a way to obtain information by breaking the privacy of a network such as a LAN or the internet.
- Masquerader: a user who does not have authority on a system, but tries to access the information as an authorized user. They are generally outside users.
- Misfeasor: commonly internal users, of two types:
  1. An authorized user with limited permissions.
  2. A user with full permissions who misuses those powers.
- Clandestine user: a user who acts as a supervisor and uses those privileges so as to avoid being caught; someone who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
IDS can also be system-specific, using custom tools and honey pots. In the case of physical building security, an IDS is an alarm system designed to detect unauthorized entry.
WEBSITE DEFACEMENT
An attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.
A message is often left on the webpage stating the defacer's pseudonym and the output of the "uname -a" and "id" commands, along with "shout outs" to his or her friends.
Sometimes the defacer makes fun of the system administrator for failing to maintain server security.
Most times harmless, but it can sometimes be used as a distraction to cover up more sinister actions such as uploading malware.
A high-profile website defacement was carried out on the website of the company SCO Group following its assertion that Linux contained stolen code. The title of the page was changed from "Red Hat v. SCO" to "SCO vs. World," with various satirical content following.
[Image: Linux news documenting the SCO defacement]
SIGNS OF INTRUSION
- Unaccountable disk utilization
- Unaccountable file system modification
- Unaccountable CPU utilization
- Network saturation
- Unknown process using sockets
- Abnormal network/system activity
WHAT IS INTRUSION DETECTION?
Simply: knowing you are under attack. But it's not that simple... How do you know? It might not be obvious.
INTRUSION DETECTION SYSTEM
An IDS generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers.
It is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
INTRUSION DETECTION SYSTEM
An IDS is a device (or application) that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.
Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.
Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.
[Guide to IDPS, NIST, 2007]
INTRUSION DETECTION
Assume the behavior of the intruder differs from that of the legitimate user.
Statistical anomaly detection:
- Collect data related to the behavior of legitimate users over a period of time.
- Statistical tests are used to determine whether observed behavior is not legitimate behavior.
Rule-based detection:
- Rules are developed to detect deviation from previous usage patterns.
- An expert system searches for suspicious behavior.
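The two approaches above, as an added example that is not part of the lecture: a baseline of a legitimate user's failed-login counts is profiled (mean and standard deviation), and new observations are scored as anomalies by z-score; alongside it, a small rule set encodes expected usage (business hours, internal addresses, a failure ceiling) and flags deviations. The users, addresses, counts and thresholds are all constructed for the example.

```python
"""Added example (not from the lecture): statistical anomaly detection
and rule-based detection over a constructed login-activity log."""
from statistics import mean, pstdev

# Constructed baseline: failed logins per hour for one user over a training period.
BASELINE = {
    "alice": [1, 0, 2, 1, 0, 1, 1, 2, 0, 1, 1, 0],
}

# Constructed observations to score: (user, hour_of_day, failed_logins, source_ip).
OBSERVATIONS = [
    ("alice", 9, 1, "10.0.0.5"),
    ("alice", 10, 14, "10.0.0.5"),
    ("alice", 3, 2, "203.0.113.7"),
]


def anomaly_scores(baseline, observations, threshold=3.0):
    """Statistical anomaly detection: learn mean/stddev of legitimate behaviour
    per user, then flag observations whose z-score exceeds the threshold."""
    profiles = {}
    for user, counts in baseline.items():
        mu = mean(counts)
        sigma = pstdev(counts) or 1.0   # constant baselines would otherwise divide by zero
        profiles[user] = (mu, sigma)
    alerts = []
    for user, hour, failed, _src in observations:
        mu, sigma = profiles.get(user, (0.0, 1.0))  # unknown users get a neutral profile
        z = (failed - mu) / sigma
        if z > threshold:
            alerts.append({"user": user, "hour": hour, "z": round(z, 2), "type": "anomaly"})
    return alerts


# Rule-based detection: each rule is a named predicate over one observation.
# The rules below are assumptions about this site's normal usage, not universal truths.
RULES = [
    ("login outside business hours", lambda u, h, f, s: not (8 <= h <= 18)),
    ("login from non-internal address", lambda u, h, f, s: not s.startswith("10.")),
    ("more than 5 failed logins in an hour", lambda u, h, f, s: f > 5),
]


def rule_alerts(observations, rules=RULES):
    """Rule-based detection: emit one alert per (observation, matching rule)."""
    alerts = []
    for obs in observations:
        for name, pred in rules:
            if pred(*obs):
                alerts.append({"user": obs[0], "hour": obs[1], "rule": name, "type": "rule"})
    return alerts


if __name__ == "__main__":
    for a in anomaly_scores(BASELINE, OBSERVATIONS) + rule_alerts(OBSERVATIONS):
        print(a)
```

Note that the two detectors disagree on the 03:00 observation: two failed logins is statistically unremarkable for this user, so the anomaly detector stays silent, while the rules fire twice (hour and source address). That is the trade-off the slide describes: anomaly detection needs no prior knowledge of the attack but only sees large deviations, and rules catch exactly what an analyst thought to write down.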
INTRUSION DETECTION: Audit records
- Native audit records: all OSs include accounting software that collects information on user activity.
- Detection-specific audit records: a collection facility can be implemented that generates audit records containing only the information required by the IDS.
TERMINOLOGIES: Intrusion detection system (IDS)
- Software, hardware or a combination of both, used to detect intruder activity.
- Snort is an open source IDS.
- An IDS may have different capabilities depending upon how complex and sophisticated its components are.
- IDS appliances that are a combination of hardware and software are available from many companies.
- An IDS may use signatures, anomaly-based techniques or both.
TERMINOLOGIES: Network IDS (NIDS)
- Captures data packets traveling on the network media (cables, wireless) and matches them to a database of signatures.
- Depending upon whether a packet matches an intruder signature, an alert is generated or the packet is logged to a file or database.
- One major use of Snort is as a NIDS.
TERMINOLOGIES: Host IDS (HIDS)
- Host-based IDS are installed as agents on a host.
- They can look into system and application log files to detect any intruder activity.
- Two types:
  Reactive: they inform you only when something has happened.
  Proactive: they can sniff the network traffic coming to the particular host on which the HIDS is installed and alert you in real time.
TERMINOLOGIES: Signatures
- The pattern you look for inside a data packet. Used to detect one or multiple types of attacks, e.g. the presence of "scripts/iisadmin" in a packet may indicate intruder activity.
- May be present in different parts of a packet depending upon the nature of the attack, e.g. in the IP header, the transport layer header (TCP or UDP header) and/or the application layer header or payload.
- Some vendor-specific IDS need updates from the vendor to add new signatures when a new type of attack is discovered.
- Snort allows you to update signatures yourself.
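The NIDS and signature slides above, as one added example that is not part of the lecture and is not Snort's code: a small signature engine inspects decoded packets and shows that a signature can key on the IP header (TTL), the transport header (destination port) or the payload (a content string or a regular expression), producing an alert per match and leaving unmatched packets to be logged. The packets, addresses and signatures are constructed for the example; the "scripts/iisadmin" string is the one the slide mentions.

```python
"""Added example (not from the lecture, not Snort): a minimal
signature-matching engine of the kind a NIDS applies to captured packets."""
import re

# Constructed packets: each carries already-decoded IP header fields (src, dst, ttl),
# TCP header fields (dport, flags) and the application payload.
PACKETS = [
    {"src": "10.0.0.7", "dst": "10.0.0.20", "ttl": 64, "dport": 80, "flags": "PA",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"src": "198.51.100.9", "dst": "10.0.0.20", "ttl": 64, "dport": 80, "flags": "PA",
     "payload": b"GET /scripts/iisadmin/ism.dll?http/dir HTTP/1.0\r\n\r\n"},
    {"src": "198.51.100.9", "dst": "10.0.0.20", "ttl": 64, "dport": 22, "flags": "S",
     "payload": b""},
    {"src": "10.0.0.8", "dst": "10.0.0.20", "ttl": 1, "dport": 443, "flags": "PA",
     "payload": b"\x16\x03\x01"},
]

# Constructed signatures. Each key names the packet region it inspects, so one rule
# can combine a transport-header condition (dport) with a payload condition
# (content/pcre), and another can look only at an IP-header field (ttl).
SIGNATURES = [
    {"sid": 1, "msg": "WEB-IIS iisadmin access", "dport": 80,
     "content": b"scripts/iisadmin"},
    {"sid": 2, "msg": "SQL keyword in HTTP request", "dport": 80,
     "pcre": re.compile(rb"(?i)union\s+select")},
    {"sid": 3, "msg": "Very low TTL reaching internal host", "ttl_max": 3},
]


def matches(sig, pkt):
    """Every condition present in the signature must hold for the packet."""
    if "dport" in sig and pkt["dport"] != sig["dport"]:
        return False
    if "ttl_max" in sig and pkt["ttl"] > sig["ttl_max"]:
        return False
    if "content" in sig and sig["content"] not in pkt["payload"]:
        return False
    if "pcre" in sig and not sig["pcre"].search(pkt["payload"]):
        return False
    return True


def inspect(packets, signatures=SIGNATURES):
    """Return one alert tuple (packet index, sid, msg, src) per matching signature.
    Packets that match nothing produce no alert; a real sensor would log or drop them."""
    alerts = []
    for idx, pkt in enumerate(packets):
        for sig in signatures:
            if matches(sig, pkt):
                alerts.append((idx, sig["sid"], sig["msg"], pkt["src"]))
    return alerts


if __name__ == "__main__":
    for alert in inspect(PACKETS):
        print(alert)
```

Two points the code makes concrete: the SYN to port 22 raises nothing because no signature describes it (a signature engine only finds what it has a pattern for), and the port-80 condition on signatures 1 and 2 is what keeps them from being evaluated against every byte of every flow, which is why real rule languages put header conditions first.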
TERMINOLOGIES: Alerts
- Any sort of user notification of intruder activity, to inform the security administrator when the IDS detects an intruder.
- Can take the form of pop-up windows, logging to a console, sending emails, etc.
- Stored in log files or databases for later analysis by experts.
TERMINOLOGIES: Logs
- Log messages are usually saved in files, in either text or binary format.
- Binary files can be viewed later using Snort or the tcpdump program.
- Barnyard can also be used to analyze binary log files generated by Snort.
- Logging in binary format is faster because it saves some formatting overhead. In high-speed Snort implementations, logging in binary mode is necessary.
TERMINOLOGIES: False positive / false alarm
- Alerts generated due to an indication that is not intruder activity, e.g. misconfigured internal hosts may sometimes broadcast messages that trigger a rule, resulting in a false alert; some routers, e.g. Linksys home routers, generate lots of UPnP (Universal Plug and Play) related alerts.
- False positive errors lead IDS users to ignore its output, as it classifies legitimate actions as intrusions. If too many false positives are generated, the operators will come to ignore the output of the system over time, which may lead to an actual intrusion being detected but ignored by the users.
- The occurrence of this type of error should be minimized (it may not be possible to completely eliminate them) so as to provide useful information to the operators.
- To avoid false alarms, you have to modify and tune the different default rules. In some cases you may need to disable some rules.
TERMINOLOGIES: False negative / miss
- Occurs when an action proceeds even though it is an intrusion.
- False negative errors are more serious than false positive errors because they give a misleading sense of security.
- By allowing all actions to proceed, a suspicious action will not be brought to the attention of the operator.
- The IDS is now a liability, as the security of the system is less than it was before the intrusion detector was installed.
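The false-positive and false-negative slides above, as an added example that is not part of the lecture: a constructed set of labelled events is run through an untuned rule set and then a tuned one, and the confusion matrix shows the UPnP/SSDP chatter from the home router as false positives, an unmatched external SSH probe as a false negative, and how suppressing the noisy rule for internal sources (rather than deleting it) removes the false alarms without creating a miss. Addresses, payload snippets and labels are constructed.

```python
"""Added example (not from the lecture): measuring false positives and false
negatives of a rule set on constructed labelled traffic, before and after tuning."""

# Constructed labelled events: (source_ip, dst_port, payload_snippet, is_intrusion).
# 192.168.1.1 plays the home router that broadcasts UPnP/SSDP notifications.
EVENTS = [
    ("192.168.1.1", 1900, "NOTIFY * HTTP/1.1 SSDP", False),
    ("192.168.1.1", 1900, "M-SEARCH * HTTP/1.1 SSDP", False),
    ("192.168.1.50", 80, "GET /scripts/iisadmin HTTP/1.0", True),
    ("203.0.113.4", 1900, "M-SEARCH * HTTP/1.1 SSDP", True),   # SSDP probe from outside
    ("192.168.1.22", 80, "GET /index.html HTTP/1.1", False),
    ("203.0.113.9", 22, "SSH-2.0-libssh", True),                # external SSH attempt
]


def default_rules(src, port, payload):
    """Untuned defaults: any SSDP traffic and any iisadmin access raise an alert."""
    return ("SSDP" in payload) or ("iisadmin" in payload)


def tuned_rules(src, port, payload):
    """Tuned: SSDP from the internal network is expected router chatter and is
    suppressed, SSDP from outside still alerts, and an SSH rule closes the miss."""
    internal = src.startswith("192.168.")
    if "SSDP" in payload:
        return not internal
    if port == 22 and not internal:
        return True
    return "iisadmin" in payload


def evaluate(detector, events):
    """Confusion matrix plus the two rates the slides care about."""
    tp = fp = tn = fn = 0
    for src, port, payload, is_intrusion in events:
        alerted = detector(src, port, payload)
        if alerted and is_intrusion:
            tp += 1
        elif alerted and not is_intrusion:
            fp += 1      # false alarm: legitimate action classified as intrusion
        elif not alerted and is_intrusion:
            fn += 1      # miss: intrusion allowed to proceed unnoticed
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "false_negative_rate": fn / (fn + tp) if fn + tp else 0.0,
    }


if __name__ == "__main__":
    print("default:", evaluate(default_rules, EVENTS))
    print("tuned:  ", evaluate(tuned_rules, EVENTS))
```

The tuned rule set narrows the SSDP rule instead of disabling it, which is the safer of the two options the slide offers: disabling it outright would have turned the external SSDP probe into a second false negative.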
TERMINOLOGIES: Sensor
The machine on which an IDS is running is also called the sensor; it is used to "sense" the network.
TYPES OF IDS
- Network IDS (NIDS)
- Host-based IDS (HIDS)
- Protocol-based IDS (PIDS)
- Application Protocol-based IDS (APIDS)
- Hybrid IDS
TYPES OF IDS: NIDS
- An independent platform which identifies intrusions by examining network traffic and monitors multiple hosts.
- Gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap.
- A network "camera" that monitors from afar. Where is the camera located? What is it pointed at?
- An example of a NIDS is Snort.
TYPES OF IDS: HIDS
- Consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state.
- A "camera" located on each computer, collecting system-level log data on the system. What do they see?
- An example of a HIDS is OSSEC.
TYPES OF IDS: PIDS
- Consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
- For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect.
- Where HTTPS is in use, this system would need to reside in the "shim" or interface between the point where HTTPS is decrypted and the point immediately before it enters the web presentation layer.
TYPES OF IDS: APIDS
- Consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols.
- For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
TYPES OF IDS: Hybrid IDS
- Combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network.
- An example of a Hybrid IDS is Prelude.
IDS COMPONENTS
1. Sensors: generate security events.
2. Console: monitors events and alerts and controls the sensors.
3. Central Engine: records events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.
There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.
PASSIVE SYSTEM VS. REACTIVE SYSTEM
- In a passive system, the IDS sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
- In a reactive system, a.k.a. intrusion prevention system (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.
POSITIVE VS. NEGATIVE VALIDATION
- Positive: assume everything is dangerous/harmful unless proven safe.
- Negative: assume everything is safe unless proven dangerous, e.g. anti-virus.
Which do you prefer?
Almost all IDS are based on the negative (-) approach.
IDS VS. FIREWALLS
Though both relate to network security, they are different.
Firewall:
- Looks outwardly for intrusions in order to stop them from happening.
- Limits access between networks to prevent intrusion and does not signal an attack from inside the network.
- A system which terminates connections is called an IPS, and is another form of application layer firewall.
IDS:
- Evaluates a suspected intrusion once it has taken place and signals an alarm.
- Also watches for attacks that originate from within a system by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators.
ROLES OF IDS
IDS is an important component of the defensive measures protecting computer systems and networks from abuse.
[John McHugh, Alan Christie, and Julia Allen, "Defending Yourself: The Role of Intrusion Detection Systems", IEEE Software, 2000.]
THE PURPOSE OF IDS
- To detect misuse: identify malicious or suspicious activities.
- To detect anomalies: note activity that deviates from normal behaviour.
- To conduct forensics.
- To record and analyze network traffic.
- To protect intellectual property.
- To respond to the activity.
WHY DO WE NEED IT?
To initiate a sound, business-like incident response process:
- Minimize damage
- Maintain evidence
- Protect the business
- Criminal prosecution
IDS needs to enable these things.
WHAT CAN IDS REALISTICALLY DO?
- Monitor and analyze user and system activities
- Audit system and configuration vulnerabilities
- Assess the integrity of critical system and data files
- Recognize patterns reflecting known attacks
- Statistical analysis for abnormal activities
- Data trail: tracing activities from the point of entry up to the point of exit
- Installation of decoy servers (honey pots)
- Installation of vendor patches (some IDS)
EVADING DETECTION
Attackers don't want to get caught: they bypass detection by creating different states on the IDS and on the targeted computer.
The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.
Discuss: ways to evade/defeat the IDS, i.e. to avoid being detected?
EVADING DETECTION
They will use techniques to try to confuse your IDS:
- Packet fragmentation (e.g. fragroute), time-outs [link]
- Insertion/evasion attacks: require complete reassembly of packets and knowledge of end-system exception handling
- Encryption
- DDoS attack (CPU, memory, bandwidth, false positives)
- Polymorphism
- Data encoding
- Javascript obfuscation
- Source spoofing
- Distributed sources
- Stealth probes
PACKET FRAGMENTATION
- An attacker can manually redefine the fragments (in a packet), e.g. put a fragment 100 (IP) with a bogus port 80.
- The IDS assumes port 80 is safe, and lets it through.
- But when the packet is reassembled, it is actually on port 443, and contains the nasty data/program xyzzy.
[Diagram: four fragments (1-4) of one packet; the reassembled IP/TCP headers show port 443 and the data field holds xyzzy]
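The fragmentation and insertion/evasion points above, from the defender's side, as an added example that is not part of the lecture and not any IDS's code: a fragment reassembler that inspects only the reassembled datagram and, when two fragments overlap with different bytes, raises an alert instead of silently choosing one interpretation, because an IDS that guesses may reassemble differently from the end host. The fragment sets are constructed, byte offsets are used instead of IP's 8-byte units, and the "/admin" check stands in for whatever content rule applies.

```python
"""Added example (not from the lecture): fragment reassembly with overlap
checking, the defensive counterpart of fragmentation-based evasion."""


# Constructed fragments: (byte_offset, data, more_fragments_flag).
CLEAN = [(0, b"GET /index", True), (10, b".html HTTP/1.0\r\n", False)]

# Constructed overlapping set: the third fragment rewrites bytes 4..9, which the
# first fragment already supplied with different content.
OVERLAP = [(0, b"GET /index", True), (10, b".html HTTP/1.0\r\n", False),
           (4, b"/admin", True)]


class FragmentConflict(Exception):
    """Overlapping fragments disagree about the same byte positions."""


def reassemble(fragments, policy="first"):
    """Rebuild the datagram. policy='first' keeps the earliest data for a byte,
    'last' keeps the latest; either way a conflicting overlap raises, since an
    IDS must not resolve ambiguity the end host might resolve differently."""
    ends = [off + len(data) for off, data, more in fragments if not more]
    if len(ends) != 1:
        raise ValueError("expected exactly one final fragment")
    total = ends[0]
    buf = bytearray(total)
    seen = [False] * total
    conflict = False
    for off, data, _more in fragments:
        if off + len(data) > total:
            raise ValueError("fragment extends past datagram end")
        for i, byte in enumerate(data):
            pos = off + i
            if seen[pos]:
                if buf[pos] != byte:
                    conflict = True
                if policy == "first":
                    continue
            buf[pos] = byte
            seen[pos] = True
    if not all(seen):
        raise ValueError("hole in reassembly")
    if conflict:
        raise FragmentConflict("overlapping fragments with conflicting data")
    return bytes(buf)


def inspect_reassembled(fragments):
    """Apply content inspection only after reassembly; ambiguity is itself an alert."""
    try:
        data = reassemble(fragments)
    except FragmentConflict:
        return "ALERT: ambiguous fragment overlap"
    if b"/admin" in data:          # stand-in for a real content rule
        return "ALERT: admin path"
    return "ok"


if __name__ == "__main__":
    print(reassemble(CLEAN))
    print(inspect_reassembled(CLEAN))
    print(inspect_reassembled(OVERLAP))
```

Inspecting fragments individually would have passed both sets: no single fragment of OVERLAP contains a complete suspicious string. Production sensors go one step further and reassemble according to the known behaviour of the destination host (Snort's frag3 preprocessor calls this a target-based policy), which is the "knowledge of end system exception handling" the evasion slide refers to.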
WHAT ABOUT INSIDER MISUSE?
- If your attacker works for you, signature systems are not likely to yield good results.
- Anomaly systems: if the attacker knows how the IDS is deployed, it can likely be fooled.
POLICY COPS
- Internal NIDS can spot forbidden traffic: AIM, Skype, VPN, file/system sharing.
- This can alert the security team to policy violations.
- Beware of the cultural impact. You do have a written policy, right?
- General counsel coordination; expectation of privacy.
NIDS EXAMPLES
- Snort (Sourcefire): open source, commercially supported
- Bro (freeware)
- Cisco Secure IDS
- Cyclops
- Dragon Sensor
- NetDetector – Cisco
- RealSecure Network – IBM
- Shoki (freeware)
- SecureNet IDS
- SecurityMetrics
HIDS EXAMPLES
- GFI Events Manager
- RealSecure Server Sensor
- Symantec Host IDS
- Swatch
- CSA
- Storm Watch
- SNIPS
- Sourcefire RUA
- Snare Agents
- NetIQ Security Manager
NIPS EXAMPLES
- Network Security Platform (McAfee)
- RealSecure Guard
- IntruPro-IPS
- IPS-1 (Checkpoint)
- DefensePro
- UnityOne
- Strata Guard
- Snort Inline
- StoneGate IPS
- iPolicy Intrusion Prevention Wall
- Netscreen
- SecureNet IPS
- DeepNines SES
- Sourcefire IPS
HIPS EXAMPLES
- McAfee HIPS
- RealSecure Server Sensor
- Dragon IP
- DefenseWall HIPS
- Primary Response
- Cisco Security Agent
- Host Intrusion Prevention Service
- Threat Sentry
- Proventia Desktop
- WehnTrust
- System Safety Monitor
- Prevx ABC
- AppDefend
- Third Brigade
SUMMARY
- IDS is only one piece of the whole security puzzle.
- IDS must be supplemented by other security and protection mechanisms.
- They are very important parts of your security architecture but do not solve all your problems.
- The usage of different types of IDS depends on the type of user/organization.
- Each type of IDS has its own strengths and weaknesses.
REFERENCES
- Guide to Intrusion Detection and Prevention Systems (IDPS), NIST CSRC Special Publication SP 800-94, released 02/2007.
- Whitman, Michael, and Herbert Mattord. Principles of Information Security. Canada: Thomson, 2009. Pages 290 & 301.
- "Symantec Internet Security Threat Report: Trends for July-December 2007 (Executive Summary)" (PDF). Symantec Corp., April 2008. pp. 1–3. Retrieved May 11, 2008.
- Shiflett, Chris (December 13, 2004). "Security Corner: Cross-Site Request Forgeries". php|architect (via shiflett.org). Retrieved 2008-07-03.
Acknowledgement: parts of the course materials are courtesy of Mrs. Madihah Mohd Saudi and Dr. Solahuddin Shamsuddin, and of Ken van Wyk, KRvW Associates, LLC @ Adastra "Intrusion Detection and Prevention In-Depth" professional course (25-27 May 2009, KL).