Document: Risk Management The Big Picture – Part IV (docx)


4 - 1 Information Risk Management - SANS ©2001

Risk Management The Big Picture, Part IV: Network-based Intrusion Detection

In our next section we are going to introduce network-based intrusion detection. The detect engine in this case is either a firewall, a personal firewall, or an intrusion detection system. All of these work quite well. We will begin with a single attack, just to see how one might work and how we might detect it. Then we will explore the range of tools and show you how you can get in the game with a very low investment, possibly even free.

4 - 2 Need for Network-based Intrusion Detection

• Most attacks come from the Internet
• Detecting these attacks allows a site to tune defenses
• If we correlate data from a large number of sources we increase our capability

The statistic that 90% of all attacks are perpetrated by insiders is dead wrong. While insider attacks may cause more damage (because the attacker knows the system assets and what to target), insider threats are usually addressed by traditional security and audit mechanisms. An insider has a much greater chance of being caught and prosecuted or dealt with administratively IF DETECTED, since you know where they live. The greatest threat in terms of financial loss is insiders. Period, no questions. That said, the greatest number of threats is via Internet attacks. A huge percent of these are stopped by firewalls. Successful attacks often do not cause as much harm as an insider, because an insider knows exactly where the crown jewels, the strategic information assets of an organization, are. Having said all that, we are going to really concentrate on Internet-based attacks in this section. Are they relevant? Oh my yes! The number one reason is the sheer numbers.
If your site is subjected to thousands and thousands of attacks, even if poorly targeted, and you don’t have effective perimeters, then your systems will eventually fall when the correct exploit hits your system. However, the situation is even worse. It turns out that a small number of problems, things we know we should correct, like file sharing or proper permissions, account for a vast number of system compromises. In fact, firewalls themselves, which are an amazingly effective perimeter, contribute to the problem. The people protected by the firewall think everything is OK since the firewall stops the attacks, and then they get lax, drop their defenses, someone makes a small misconfiguration of the firewall and boom, the site is dealing with a major compromise. Finally, the sophistication of network-based attacks continues to increase. The Unix worms of mid-2001 demonstrated that by using toolkits essentially any successful exploit can serve as the foundation of another worm, thus increasing the attack effect hundreds of times higher than one or even a group of attackers could achieve, since every compromised host becomes a new attacker.

Now we look at a single attack, in this case a denial of service, or availability attack, called winnuke. This is one of the classics, and it was so aggravating that it resulted in creating the first wave of Windows personal firewalls, including Nukenabber, the software that served as TCPwrappers for Windows systems.

4 - 3 Inside a Network Attack

• WinNuke (also called OOBNuke) uses TCP 139 and OOB data, even if NetBIOS is not enabled.
• It results in the “Blue Screen of Death”.
• Patches/service packs are available.

OOB stands for Out Of Band and is actually misnamed; it should say “Urgent mode”, which means the Urgent bit set in the TCP header flags together with the urgent pointer. Some people call this famous attack an Out of Band attack; however, it is better known as Winnuke.
If you are interested in the classic Windows attacks, you might want to visit: http://www.winplanet.com/features/reports/netexploits/index2.html

On to Winnuke: older unpatched Windows systems (3.11, 95) can be crashed by a single, specially formatted packet. The packet has to be sent to a listening port such as TCP port 139, the NetBIOS Session service, but any listening port will do. Hey, quick review: how do you know which ports are listening on your Windows system? How do you know what programs are responsible for those ports? How do you know what users are the owners of those programs? If you don’t know the answer to all three of these questions, you really should redo the previous section on host-based intrusion detection. If you have a Win95 system, you should get the patch, available at: http://support.microsoft.com/support/kb/articles/Q168/7/47.asp

4 - 4 Nuke’eM Screen

So how do we create this weird packet? Generally by using a special tool as we see on this slide, which is a screen shot of version 1.1 of Windows Nuke’eM. This application has a single purpose: to establish a connection with the TCP three-way handshake and then hit the remote system with the illegal packet. It doesn’t take any particular skill to run it; as you see, all we did was enter the IP address of a target system.

4 - 5 Lockdown Screen

On this slide you see a screenshot of a personal firewall called Lockdown that is both detecting the attack and acting as a perimeter system to protect the client. Let’s sum up what we have seen as we looked at a single network attack, winnuke. We have identified a vulnerability, a flaw in the Windows implementation of networking. We have described the flaw technically and demonstrated there are attacker tools to take advantage of the threat. Finally, we have seen a detection and protection tool in operation.
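The detect side of the single attack walked through above, as an added example that is not part of the SANS course material: a small parser for raw IPv4/TCP packets (the form libpcap hands them to an application once the frame header is stripped) that flags segments with the URG flag set and rates those aimed at TCP 139, the NetBIOS Session port, highest, since that is the profile the slide gives for Winnuke. The sample packets are constructed inline as test input; every address and port other than 139 is arbitrary.

```python
"""Flag TCP segments carrying the Urgent (URG) flag: the header condition the
course gives for the Winnuke / "OOB" attack (Urgent bit set plus an urgent
pointer). Added example, not part of the SANS course material. Input is raw
IPv4+TCP bytes without a link-layer header, as libpcap delivers them after the
frame header is stripped."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

NETBIOS_SESSION_PORT = 139      # the port named on the slide
TCP_FLAG_URG = 0x20
TCP_FLAG_ACK = 0x10
TCP_FLAG_PSH = 0x08


@dataclass
class UrgFinding:
    src: str
    dst: str
    dport: int
    urgent_pointer: int
    payload_len: int
    severity: str


def _ipv4(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def inspect_segment(packet: bytes) -> Optional[UrgFinding]:
    """Return a finding if this IPv4/TCP packet has URG set, otherwise None."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return None                              # not IPv4
    ihl = (version_ihl & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None                              # not TCP, or truncated
    src, dst = _ipv4(packet[12:16]), _ipv4(packet[16:20])
    _sport, dport, _seq, _ack, off_flags, _win, _csum, urgp = struct.unpack_from(
        "!HHIIHHHH", packet, ihl)
    if not off_flags & TCP_FLAG_URG:
        return None
    data_offset = (off_flags >> 12) * 4
    payload_len = max(0, min(total_len, len(packet)) - ihl - data_offset)
    # Urgent mode at the NetBIOS Session port is the Winnuke profile; urgent
    # mode anywhere else still deserves a look because any listening port will do.
    severity = "high" if dport == NETBIOS_SESSION_PORT else "medium"
    return UrgFinding(src, dst, dport, urgp, payload_len, severity)


def scan_capture(packets: Iterable[bytes]) -> List[UrgFinding]:
    """Run inspect_segment over a capture and keep only the findings."""
    return [f for f in (inspect_segment(p) for p in packets) if f is not None]


# ---- constructed sample traffic (test input, not a real capture) -----------
def _sample(src: str, dst: str, sport: int, dport: int, flags: int,
            urgp: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+TCP packet (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                      8192, 0, urgp) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


SAMPLE_PACKETS = [
    # Ordinary NetBIOS session traffic: ACK|PSH, no urgent data -> no finding.
    _sample("192.0.2.10", "192.0.2.20", 1025, 139, TCP_FLAG_ACK | TCP_FLAG_PSH, 0, b"\x00" * 4),
    # Urgent-mode segment to port 139: the Winnuke profile -> high.
    _sample("198.51.100.7", "192.0.2.20", 3021, 139, TCP_FLAG_ACK | TCP_FLAG_URG, 3, b"abc"),
    # Urgent-mode segment to telnet, which uses URG legitimately -> medium.
    _sample("192.0.2.10", "192.0.2.21", 1026, 23, TCP_FLAG_ACK | TCP_FLAG_URG, 1, b"\xff"),
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_PACKETS):
        print(f"{f.severity:6} URG {f.src} -> {f.dst}:{f.dport} "
              f"urgptr={f.urgent_pointer} payload={f.payload_len}B")
```

Telnet legitimately uses urgent mode, so URG on its own is not a detect; the destination port and the state of the connection decide how much attention the analyst gives it. A signature in any libpcap-based sensor performs this same kind of header test on each segment, which is why the next slides turn to logging and to tuning out the detects you do not want to see.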
Actually, this is another example of threat, countermeasure, and counter-countermeasure. Winnuke was dropping systems left and right and Microsoft responded with a patch, but instead of fixing the problem, they released a quick hack. The attackers countered with a modification of their attack tools almost instantly. Today, you can download a patch that actually corrects the problem, and that URL has been provided to you. Anyone can do intrusion detection, and if you start practicing today, you will be ready to take the advanced Intrusion Detection In Depth course pretty soon. So let’s go through the steps to begin doing network intrusion detection. This is certainly NOT the only way, but it is an approach for you to consider.

4 - 6 Network Intrusion Detection 101

Generally when we think of personal firewalls we think of a perimeter defense, or a protect function. What about detect? It turns out that some personal firewalls have the capability to do more than just detect attacks: they can log the attack, which allows the analyst to study the attributes of an attack. In fact, personal firewalls and Small Office Home Office (SOHO) firewalls are becoming part of some of the most important sensor networks available anywhere. The first step is to turn on logging! In general, the more places you log, the better off you are when a weird event occurs.

4 - 7 Enable Logging

The engine settings are managed from the Tools menu. Take a minute and look around at the options. However, while you are there, be sure to enable logging. The logs are stored by default in the Program Files, Network ICE, BlackICE directory and, as you see on the slide, have the handy prefix.

4 - 8 Our First False Positive

Yup, bootp (actually DHCP, the Dynamic Host Configuration Protocol) is a normal occurrence on this home network.
We reconfigure so often, and most of our machines are both mobile and wireless, that static IP addresses are out of the question. So perhaps we don’t want to alert when that happens. We simply select an attack we don’t want to see, right click, and select ignore. Using the tools we have discussed, especially after you complete the training on networking and TCP/IP that is coming up in this course, you will be equipped to really start drilling down into network intrusion detection. Sometimes graphics tools can help us know where to look for an anomalous event.

4 - 9 Visualization Tools - BID Port Scan

The intense activity shown on your slide was the result of someone probing this network. This gives us an idea where we might want to look in order to find the evidence file. As a helpful hint, find the approximate time and, if you are looking for a scan, look for the biggest file. We hope you have enjoyed your introduction to network intrusion detection. We have learned about a couple of new tools that you can use to start investigating suspicious network traffic. As we move through the remainder of this section of the course, we will learn more about the tools and techniques used in network intrusion detection. Most of these tools, whether for Unix or Windows, depend on a simple utility called libpcap or winpcap.

4 - 10 Libpcap-based Systems

[Slide diagram: FW -> Analysis/Display Station; Collect Data, Analyze Data, Display Information. Most Network-Based Intrusion Detection Systems, Unix or Windows, are libpcap based.]

The first network-based intrusion detection systems we look at are libpcap-based. These include: Shadow, Snort, NetRanger, and NFR. Libpcap is a packet capture library designed to get the data from the kernel space and pass it to the application. There are implementations for Windows (winpcap-based - the Windows version of libpcap) and Unix.
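The false positive slide and the port scan slide describe one analyst workflow: drop the alerts you have decided to ignore, then find the hour where the remaining activity piles up and look there for the evidence. The following is an added example, not a tool from the course; the log line format, event names and addresses are constructed for the illustration (they are not BlackICE’s log format), and the sample log is built inline. Suppression is scoped to the event and its source so that bootp from our own DHCP server is dropped while bootp from anything else is still shown.

```python
"""Triage a personal-firewall alert log: suppress the known false positive,
then find where the remaining activity piles up. Added example, not a course
tool; the line format, event names and addresses are constructed and are not
BlackICE's. Each line:  <date> <time> <event> <src-ip> <dst-ip> <dst-port>"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Alert(NamedTuple):
    when: datetime
    event: str
    src: str
    dst: str
    dport: int


# The course's first false positive: DHCP (bootp) on a network of mobile,
# wireless clients. Suppress it only when it comes from our own DHCP server,
# so a bootp event from any other source is still shown to the analyst.
LOCAL_DHCP_SERVER = "192.168.1.1"                # constructed address
SUPPRESS: List[Tuple[str, str]] = [("bootp", LOCAL_DHCP_SERVER)]

# One source touching this many distinct destination ports within an hour is
# reported as a probe; tune it to the site, as with any threshold.
PORT_SCAN_MIN_PORTS = 10


def parse_alert(line: str) -> Alert:
    date, time, event, src, dst, dport = line.split()
    return Alert(datetime.fromisoformat(f"{date} {time}"), event, src, dst, int(dport))


def is_suppressed(alert: Alert) -> bool:
    return any(alert.event == ev and alert.src == src for ev, src in SUPPRESS)


def _hour(when: datetime) -> datetime:
    return when.replace(minute=0, second=0, microsecond=0)


def triage(lines: List[str]) -> dict:
    alerts = [parse_alert(line) for line in lines if line.strip()]
    kept = [a for a in alerts if not is_suppressed(a)]

    # Busiest hour: the "find the approximate time, look for the biggest file"
    # hint from the slide, computed instead of eyeballed.
    per_hour = Counter(_hour(a.when) for a in kept)

    # Distinct destination ports per (source, hour): the shape of a port scan.
    ports: Dict[Tuple[str, datetime], Set[int]] = defaultdict(set)
    for a in kept:
        ports[(a.src, _hour(a.when))].add(a.dport)
    scans = [{"src": src, "hour": hour.isoformat(" "), "ports": len(p)}
             for (src, hour), p in ports.items() if len(p) >= PORT_SCAN_MIN_PORTS]

    busiest = per_hour.most_common(1)[0][0].isoformat(" ") if per_hour else None
    return {"suppressed": len(alerts) - len(kept), "kept": len(kept),
            "busiest_hour": busiest, "port_scans": scans}


# Constructed sample log: routine DHCP renewals from our server all day, one
# bootp event from an unexpected source, and one outside host walking twelve
# ports on a workstation within seconds at 22:14.
SAMPLE_LOG = [
    "2001-08-10 09:00:05 bootp 192.168.1.1 192.168.1.23 68",
    "2001-08-10 13:30:41 bootp 192.168.1.1 192.168.1.31 68",
    "2001-08-10 15:12:09 bootp 192.168.1.77 255.255.255.255 67",
    "2001-08-10 21:59:58 bootp 192.168.1.1 192.168.1.23 68",
] + [
    f"2001-08-10 22:14:{2 + i:02d} tcp_probe 203.0.113.5 192.168.1.23 {port}"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443])
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The busiest hour the script reports is the one whose capture file a Shadow-style sensor would have made largest, which is the slide’s hint in computed form; the per-source distinct-port count is what the visualization tool shows as a spike.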
It is reliable and has the big advantage of being free. A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is designed to be stupid. It lives outside the firewall. If it should fail, no information about the site will be lost. This is one of the characteristics that sets Shadow apart from most intrusion detection systems. Most IDS have a lot of information about how sites are configured, how firewalls are set up, hosts that you are watching out for, and attacks that you are particularly concerned about. Should a Shadow sensor fail, all they get are the logs. You can still run Snort on the inside, though; simply feed it the tcpdump Shadow files. We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and make them less valuable targets. The sensor is the attacker’s first target.

[...] icon, it’s hard to get to the raw data to verify or report the detect. This is the more detailed log file. Notice the rule that found the detect is displayed at the top. Then summary information about the packet is given. The trace begins with the content of the detect. RPC (Remote Procedure Call) attacks like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC packets are [...]

[...] Aug 2000; v1.2 edited by J Kolde, format grayscale for b/w printing, 23 Nov 2000; v1.3 rewrite, Stephen Northcutt, Apr 28, 2001; edited F Kerby, 03 May 2001; v1.4 edited/formatted by J Kolde, 8 May 2001; v1.4a edited/formatted by J Kolde, 26 May 2001; v1.4b edited/formatted by D Tuttle, 24 July 2001; v1.5 updates and added exercises by E Cole, 10 Aug 2001; v1.6 updated E Cole, 1 Nov 2001 [...]

[...] attacks are directed at these systems
• If you lose control of DNS, they own you
• Worth the time to give connection attempts to these systems an extra look

[slide 20] What do web servers, DNS servers, and mail relays have in common? You cannot hide them if you want your site to communicate with the rest of the world. They are also important systems. Therefore it makes sense [...]

[...] get the right value. While it’s possible to get the right entry from the registry, it’s easier to just try the various possibilities and test the configuration.

4 - 15 IDSCenter IDS Rules Setup (slide 16)

The IDS Rules Setup screen allows for the specification of the Snort configuration file, which contains the definitions of patterns to match. It also displays the current [...]

[...] reports to the analyst console as well. So we see the need for both capabilities, host- and network-based intrusion detection, for even smaller organizations. As the size and value of the organization increases, the importance of additional countermeasures increases as well.

4 - 34 Course Revision History

v1.0 S Northcutt, Jul 2000; v1.1 edited by J Kolde, Aug 2000 [...]

[...] organization. [slide 34] The sensor outside the firewall is positioned to detect attacks that originate from the Internet. DNS, email, and web servers are the target for about a third of all attacks directed against a site. These systems have to be able to interact with Internet systems and can only be partially screened. Since their overall risk is high, they should be equipped [...]

[...] data is not available. As the cooperating Computer Incident Response Teams (CIRTs) share, they share summary data. This is important both to protect their interests, since many of these are commercial organizations, and because the data simply must be reduced. However, it leaves the entire system vulnerable to spoofing, double counting, and a number of other problems.

4 - 29 Deception Can Drive the Picture

[Slide diagram: S, S, CIRT, Meta ...]

[slide 22] RealSecure’s biggest claim to fame is its ease of configuration and use. Events are displayed as red, yellow, or green icons on the GUI, depending on their priority, and the reporting tools are extensive. You can tell an operator to simply ‘call me when you see red’. You can get the full system as a time-limited evaluation version, and then simply upgrade the license [...]

[...] time the characters “wiz” are seen in the body of the message. CERN HTTP buffer overflow: lights off every time a URL is > X characters.

[slide 23] Other detects like SYN flood also have very high false positive rates, since it can be triggered by as few as 3-5 connection attempts in a second, a common occurrence with over-eager mail servers and other common events. The [...]

[...] if fed up to the CIRTs, could give them a false picture of what is happening. I leave it as an exercise to the Information Warrior to create a powerful scenario from this “architecture”.

[slide 29] You can think of this as doing analysis by trouble tickets. The data has to be at least partially sanitized or people are not willing to share. This means much of the raw data [...]

Posted: 10/12/2013, 14:16
