Introduction to the basic approaches and issues of Intrusion Detection

IDIC – SANS GIAC LevelTwo ©2000, 2001

Network Based Intrusion Detection Tutorial

Slide 1: Introduction to the basic approaches and issues of Intrusion Detection

Hello! Welcome to the first half of our network based intrusion detection tutorial, where we will introduce you to the basic approaches of intrusion detection. In this section, we will discuss a rule-based analysis process by going through the topics listed on your next slide. At the end of the section we will talk about some of the methods currently used to perform intrusion detection.

Slide 2: Before We Begin

• False positives, False negatives
• EOI, dictionary signatures, profile changes
• Severity = (criticality + lethality) – countermeasures (system + network)
• Long term conditions

We will begin our discussion by talking about false positives and false negatives, which are ever present factors in the life of an intrusion analyst. We will then discuss the notion of Events of Interest (EOI), and their relevance to the event analysis process. We will also go over techniques for judging the severity of a particular event. Additionally, we will propose a way to handle long term conditions that might result from a prolonged exposure to attacks.

Slide 3: Sources of Data

[Figure: nested sets labelled "All data: observable or not", "Collectable", and "Events of Interest".]

There are very few situations in which we are able to collect all the data. We need to develop techniques that allow us to routinely locate Events of Interest (EOI) in the data we are able to collect, so that we know where to focus our attention.

Slide 4: False Positives and Negatives

[Figure: Venn-style diagram with the labels "All Data", "Real EOI", "False positives" and "False negatives".]

False positives are “false alarms.” The detects match only some of the criteria for indicators of possible intrusion. False positives tend to wear down incident handling resources and make us slower to react in the future.
False negatives are the actual intrusions and intrusion attempts that we do not detect. These can allow an adversary to establish a significant presence in our information systems before we begin to react.

Slide 5: What Are Events Of Interest

• Since we can’t collect, store, or analyze all possible events, we focus our collection efforts on stuff that might prove useful, EOI.
  – Dictionary: known attack signatures, known attackers
  – Short term significant changes in system or user profile

The reality of limited computing and personnel resources is such that we cannot collect, store, and analyze all possible events. Therefore, analysts tend to focus their collection efforts on events that might prove useful – Events of Interest (EOI). Unfortunately, while focusing reduces the false alarms or false positives, it increases the chance of missing an EOI. One of the ways to help ensure that an EOI is not missed is to compare suspicious events against a dictionary of known attacks or attackers. You can’t afford not to test against a dictionary! Another way to widen our field of vision is to monitor for changes in system or user profiles. Consider the following example: you have noticed an increase in the number of probes and intrusion attempts at your site. DNS and mail relay systems are always high profile targets, so you are watching them closely. You see a series of FTPs at 5:30 A.M. Looking across three months of history, there are no other FTPs. That is a short term significant change in system profile.

Slide 6: Attack Metrics

• Severity is defined by the criticality of the target and lethality of the attack, and the effectiveness of system and network countermeasures
• Impact is calculated by the analyst
• Delays in detection and reaction can increase severity and impact
• Long term condition: green, yellow, red

Story: ICMP D.O.S.
and the new Captain

One day I found our network being pounded by an ICMP attack. The packets were coming in so furiously I could barely read my console. I went to our new Captain, requesting permission to block web traffic long enough to get the bandwidth I needed to put filters in place. His response was: “Tell everybody to turn off their computers.” This over-reaction created a self-imposed denial of service at the Naval Surface Warfare Center, compounding the severity of the situation.

With intrusion, we are not dealing with nature or randomness. We are dealing with deliberate actions from rational people. Be wary of simply reacting, as some ID products (and people) do. Metrics can help you triage, which is why we will spend some time in the next series of slides talking about a formal approach to assigning severity metrics to events of interest.

Slide 7: Severity at a Glance

[Figure: grid of outcome against attack type. Outcomes: No Risk; Risk; Compromise, Non-core System; Compromise, Core System. Attack types: Recon Probe; Non-targeted Ineffective Script Exploit; Targeted Exploit.]

Are non-targeted exploits for vulnerabilities that do not exist within your computer systems actually no risk? The question kind of reminds me of a Zen koan: “if a vulnerability is never targeted, is it really a vulnerability?” When we study risk more formally, we will learn that part of the equation is our level of certainty, how sure we are that none of our systems have the vulnerability. We tend to be on the conservative side. In the examples that will follow, we consider non-targeted non-vulnerable exploits to be of no risk only if they are also blocked by a firewall or a filtering router. In fact, there is a sense in which this is negative risk. The attacker using a non-targeted script exploit against a well-secured site is at a higher risk than the site, since they will be reported. If the attacker succeeds in breaking in and doing damage somewhere else, the odds are at least fair they can be tracked down.
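Returning to the “What Are Events Of Interest” slide: the following is an added example, not code from the SANS tutorial, that runs both EOI selection techniques over a connection log: the dictionary test (known attackers, known attack signatures) and the short-term profile-change test from the 5:30 A.M. FTP scenario. The log lines, addresses, hostnames and dictionary entries are all constructed for the example.

```python
"""Locating Events of Interest (EOI) in a connection log.

Added example; it is not code from the SANS IDIC tutorial. It combines the
two EOI sources from the "What Are Events Of Interest" slide: a dictionary
of known attackers and attack signatures, and a short-term significant
change in a system's profile (a host serving a port it never served in the
baseline window, or a known service used at an hour it has never been used).
The log lines, addresses and dictionary entries are all constructed.
"""
import re
from collections import defaultdict
from datetime import date, datetime

# Dictionary of known attackers and attack signatures (constructed entries).
KNOWN_ATTACKERS = {"203.0.113.99"}
SIGNATURES = {                        # payload substring -> signature name
    "wiz": "sendmail WIZ command",
    "RETR /etc/passwd": "FTP password-file retrieval",
}

# Constructed log: "<ISO timestamp> <src ip> <dst host> <dst port> <payload>".
# Three months of ordinary DNS and SMTP traffic, then one analysis day that
# contains the 5:30 A.M. FTP session from the slide's scenario.
LOG = """\
2000-03-01T09:12:04 192.0.2.10 mailrelay 25 HELO example.net
2000-03-01T14:40:11 192.0.2.11 mailrelay 25 HELO corp.example
2000-03-02T10:02:55 192.0.2.12 ns1 53 A www.example.com
2000-03-10T12:05:33 192.0.2.13 mailrelay 25 HELO partner.example
2000-04-02T11:18:47 192.0.2.11 mailrelay 25 HELO corp.example
2000-04-15T16:22:30 192.0.2.13 mailrelay 25 HELO partner.example
2000-04-16T11:05:12 192.0.2.12 ns1 53 MX example.com
2000-05-20T08:45:00 192.0.2.10 mailrelay 25 HELO example.net
2000-05-31T05:30:02 203.0.113.7 mailrelay 21 USER anonymous
2000-05-31T05:31:40 203.0.113.7 mailrelay 21 RETR /etc/passwd
2000-05-31T11:00:00 198.51.100.9 mailrelay 25 wiz
2000-05-31T11:05:00 203.0.113.99 ns1 53 A example.com
2000-05-31T12:30:00 192.0.2.10 mailrelay 25 HELO example.net
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")


def parse_log(text):
    """Turn the raw log into event dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, src, host, port, payload = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "host": host, "port": int(port), "payload": payload})
    return events


def build_profile(history):
    """Baseline profile: for each (host, port), the hours of day it was seen."""
    profile = defaultdict(set)
    for ev in history:
        profile[(ev["host"], ev["port"])].add(ev["ts"].hour)
    return profile


def find_eoi(log_text, analysis_day, known_attackers=KNOWN_ATTACKERS,
             signatures=SIGNATURES):
    """Return the EOI on analysis_day ("YYYY-MM-DD") with the reason(s) each
    one was selected. Everything before that day is the baseline window."""
    day = date.fromisoformat(analysis_day)
    events = parse_log(log_text)
    profile = build_profile(e for e in events if e["ts"].date() < day)
    eoi = []
    for ev in (e for e in events if e["ts"].date() == day):
        reasons = []
        # Dictionary checks: the cheap test you cannot afford to skip.
        if ev["src"] in known_attackers:
            reasons.append("dictionary: known attacker")
        for needle, name in signatures.items():
            if needle.lower() in ev["payload"].lower():
                reasons.append(f"dictionary: {name}")
        # Profile check: a short-term significant change in system profile.
        key = (ev["host"], ev["port"])
        if key not in profile:
            reasons.append(f"profile: {ev['host']} never served port "
                           f"{ev['port']} in the baseline window")
        elif ev["ts"].hour not in profile[key]:
            reasons.append(f"profile: port {ev['port']} on {ev['host']} never "
                           f"used at hour {ev['ts'].hour:02d} before")
        if reasons:
            eoi.append({"ts": ev["ts"].isoformat(), "src": ev["src"],
                        "host": ev["host"], "port": ev["port"],
                        "reasons": reasons})
    return eoi


if __name__ == "__main__":
    for hit in find_eoi(LOG, "2000-05-31"):
        print(hit["ts"], hit["src"], "->", f"{hit['host']}:{hit['port']}")
        for r in hit["reasons"]:
            print("   ", r)
```

On the constructed day the two FTP connections are selected purely by the profile change (no signature, no known source), the WIZ command and the watch-listed source by the dictionary alone, and the routine noon SMTP session is not selected at all. Narrowing collection to these four events is exactly the focusing the slide describes: it cuts false positives, but any attack that neither matches the dictionary nor disturbs the profile becomes a false negative, which is why both tests are run rather than one.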
Slide 8: Severity is best viewed from the target(s) of interest POV

• Criticality of target (DNS Server)
• Lethality of attack (slammer)
  vs.
• Known countermeasures (firewall/system)

(Critical + Lethal) - (System + Net Countermeasures) = Severity

There are two questions we need to answer in Intrusion Detection. They are: “Am I OK for now; are my defenses sufficient for the moment?” and, “Am I holding up well for the long term?” Severity is an effort to provide a metric for the first question. In a large scale attack, it is important to develop a process for triage: which attacks do you respond to, and why. The formula shown on the slide covers the primary dimensions you want to consider. How critical is the system, how lethal is the attack, what countermeasures are in place?

Slide 9: Severity: Criticality

• 5 point scale
• 5 points: firewall, DNS server, core router
• 4 points: e-mail relay/exchanger
• 2 points: user Unix desktop system
• 1 point: MS-DOS 3.11

If a desktop system is compromised, it is bad in the sense that time and work could be lost. Also, that system could be used as a springboard to attack other systems. However, if an organization’s Domain Name System (DNS) server or electronic mail relay is compromised, it is a much more serious problem. In fact, if an attacker can take over a site’s DNS server, they may be able to manipulate trust relationships and thereby compromise most or all of a site’s systems.

Slide 10: Severity: Lethality

• 5 point scale
• 5: attacker can gain root across net
• 4: total lockout by denial of service
• 3: user access, e.g. sniffed password
• 2: confidentiality attack, e.g. null session
• 1: attack is very unlikely to succeed, e.g., wiz in 1999

The lethality of an exploit is the likelihood that the attack will do damage. Generally speaking, attack software is either application or operating system specific.
A Macintosh desktop system isn’t vulnerable to a tooltalk buffer overflow or an rpc.statd attack. A Sun Microsystems box running unpatched Solaris might quickly become the wholly owned property of hacker incorporated if hit with the same attacks. For example, in 1997, the IMAP exploit virtually consumed unprotected Linux systems across the Internet. A fragment of that code is shown below (only the header comment survives in this excerpt; the body is elided):

    /*
     * IMAPd Linux/intel remote xploit by savage@apostols.org
     * 1997-April-05
     *
     * Workz fine against RedHat and imapd distributed with pine
     *
     * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and
     * the rest of ToXyn !!!
     *
     * usage:
     * $ (imap 0; cat) | nc victim 143
     *         |
     *         +--> usually from -1000 to 1000 (try in steps of 100)
     *
     * [ I try 0, 100 and 200 - so1o ]
     */
    #include <stdio.h>
    [...]

The rest of this half of the tutorial survives only as disconnected excerpts; each gap is marked [...].

Slide 15

Earlier in the course, we talked about the Intrusion Detection Working Group (IDWG) and its efforts to define formats and procedures for information sharing between intrusion detection systems and components. In their Intrusion Detection Message Exchange Format (IDMEF) specifications, IDWG introduced the notion of impact, which is defined as the “evaluated impact of the event on the system.” (http://www.silicondefense.com/idwg/draft-ietf-idwg-idmef-xml-02.txt) [...]

Worked example: telnet probe against a mail relay

[...] moments to examine the network traces on this slide. This seems to be a probe to the telnet port of a mail relay system. We have been told that this site employs a variant of the bastion host architecture, but the mail relay is not screened for incoming packets. The target is well patched and maintained, and we are told that the targeted system is a Unix mail server. What do you think the severity of this [...]

[...] be 4. The system is well patched and runs PortSentry IDS software, so the system countermeasures could be 5. Due to the lack of a firewall on the network, we will assign 2 to network countermeasures. Of course, the exact values are somewhat subjective, and require detailed knowledge of the organization involved, but our ballpark figures should be applicable in most situations. As for the impact, the exploit [...]

Exposure over time

[...] than seconds at a time? How would the event’s impact be affected? What if these messages spanned over a period of several days? Clearly, there is a need to take into account the length of time during which the system was exposed to the attacker’s actions. This serves as a lead-in from detect-by-detect severity to more of an overall picture. In the next slide we will begin to consider long term conditions [...]

Long term conditions: INFOCON levels

[...] green and yellow? In an attempt to bring structure to the hectic world of long term defensive operations, we define four alert levels that describe the state of the organization’s defense mechanisms and personnel. Much like in the military, these “INFOCON” states are labeled using colors, ranging from green (relative peace), to yellow (constant probes), to orange (heightened alert), all the way to red [...]

Surviving fragments of the INFOCON level table (the slide also asks, in the margin: “How does one ever get back to Green?”):

[...] sector centers can raise the alert level in their sectors on their own
• President can raise the alert level in all sectors to Yellow at any time

Orange: Full heightened alert; mandated defensive and reconstitution provisions [...]

[...] capability (software and personnel) in standby mode
• Review and update INFOCON ORANGE and INFOCON RED contingency plans
Owners and Operators:
• Report new Category I, II, and III incidents immediately to Sector Center
• Further increase [...]

[...] Center
Owners and Operators:
• Round-the-clock staffing of Sector Center
• Report new Category I and II incidents within 24 hrs to Sector Center
• Increase physical security including: [...]

[...] frequency of software backups
• Prepare to use backup power (e.g., alert diesel vendors to possible demand)
State/Federal Assistance:
• Deploy selected National Guard and Reserve units to:
  – Augment owner/operator [...]

[...] through long-term conditions of heightened alert.

Slide 23: Intrusion Detection Tutorial, topics to cover

• Current Methods
• Indications and Warnings
• Correlation (cooperating sensors)

Slide 24

We will continue our discussion of intrusion detection analysis techniques by looking at some of the current methods of performing intrusion detection. In the section following this one, [...]
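The severity formula from the “Severity is best viewed from the target(s) of interest POV” slide, applied to a batch of events so the analyst can triage them, as an added example that is not code from the SANS tutorial. The batch includes the telnet probe against the unscreened mail relay from the worked example; its criticality (4, e-mail relay), system countermeasures (5) and network countermeasures (2) are the tutorial’s own figures, while the lethality given to that probe, and every value for the other events, is an assumption made for this example.

```python
"""Severity triage for a batch of events of interest.

Added example; not code from the SANS IDIC tutorial. It applies the slide
formula

    Severity = (Criticality + Lethality) - (System + Network countermeasures)

with each term on the 1..5 scales from the criticality and lethality
slides, then ranks a constructed batch so the analyst works the highest
severity first. Only the telnet probe's criticality (4), system
countermeasures (5) and network countermeasures (2) come from the
tutorial's worked example; everything else here is assumed.
"""
from dataclasses import dataclass

# Criticality of the target, from the "Severity: Criticality" slide.
CRITICALITY = {
    "firewall": 5, "DNS server": 5, "core router": 5,
    "e-mail relay": 4,
    "Unix desktop": 2,
    "MS-DOS 3.11": 1,
}

# Lethality of the attack, from the "Severity: Lethality" slide.
LETHALITY = {
    "root across the net": 5,
    "total lockout by denial of service": 4,
    "user access": 3,
    "confidentiality attack": 2,
    "very unlikely to succeed": 1,
}

SCALE = range(1, 6)


def severity(criticality, lethality, system_cm, network_cm):
    """(Critical + Lethal) - (System + Net countermeasures); every term 1..5,
    so the result ranges from -8 (well-defended non-issue) to +8."""
    for name, value in (("criticality", criticality), ("lethality", lethality),
                        ("system countermeasures", system_cm),
                        ("network countermeasures", network_cm)):
        if value not in SCALE:
            raise ValueError(f"{name} must be 1..5, got {value!r}")
    return (criticality + lethality) - (system_cm + network_cm)


@dataclass
class Event:
    label: str
    target: str        # key into CRITICALITY
    attack: str        # key into LETHALITY
    system_cm: int     # 1..5: patch level, host IDS, hardening
    network_cm: int    # 1..5: firewall / screening router in front of it

    def score(self):
        return severity(CRITICALITY[self.target], LETHALITY[self.attack],
                        self.system_cm, self.network_cm)

    def explain(self):
        c, l = CRITICALITY[self.target], LETHALITY[self.attack]
        return (f"{self.label}: ({c} + {l}) - ({self.system_cm} + "
                f"{self.network_cm}) = {self.score()}")


def triage(events):
    """Highest severity first; ties keep their input order."""
    return sorted(events, key=lambda e: e.score(), reverse=True)


# Constructed batch. The telnet probe's lethality (3, a cleartext login that
# could yield a sniffed password) is an assumption, not the tutorial's value.
EVENTS = [
    Event("telnet probe, unscreened mail relay", "e-mail relay",
          "user access", system_cm=5, network_cm=2),
    Event("IMAP overflow, unpatched mail relay", "e-mail relay",
          "root across the net", system_cm=1, network_cm=2),
    Event("ICMP flood, core router", "core router",
          "total lockout by denial of service", system_cm=3, network_cm=2),
    Event("anonymous FTP directory walk, Unix desktop", "Unix desktop",
          "confidentiality attack", system_cm=3, network_cm=2),
    Event("non-targeted tooltalk exploit, patched DNS behind firewall",
          "DNS server", "very unlikely to succeed", system_cm=5, network_cm=5),
]

if __name__ == "__main__":
    for ev in triage(EVENTS):
        print(ev.explain())
```

The ranking puts the unpatched mail relay under a remote-root exploit first (score 6) and the non-targeted script exploit against a patched, firewalled DNS server last (score -4): a negative score is the formula’s expression of the “negative risk” case from the Severity at a Glance slide, where the attacker is in more danger of being reported than the site is of being compromised. The metric is deliberately a per-detect snapshot; it says nothing about how long the exposure lasted, which is the gap the exposure-over-time and long-term-condition slides go on to address.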

Posted: 04/11/2013, 13:15
