1 Intrusion Detection - The Big Picture - SANS GIAC © 2000
Intrusion Detection: The Big Picture
Stephen Northcutt
S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000

2 Pagers and Cell Phones
The high rate of slide delivery means that distractions will cause your fellow students to miss material. If you are a “high interrupt” person, please consider moving to the back of the room or disabling your pagers and phones. Questions are fine anytime.

In this course we’ll be covering the following types of security tools and countermeasures:
• firewalls
• host-based intrusion detection
• network-based intrusion detection
• vulnerability scanners
• honeypots
We’ll also touch on incident response and discuss less technical issues of information security, such as risk assessment and how to justify these tools to management.

3 Frequently Referred to URLs
• SANS – www.sans.org
• NSWC CD2S web page – www.nswc.navy.mil/ISSEC – click on forms to get the knowledge-based risk assessment forms for WinNT, Unix, Win95, Mac 8.X, etc.
The SANS website is home to GIAC, the Global Incident Analysis Center, and to the SANS training materials, with courses like this one available online.

4 More URLs
• SHADOW & CIDER – www.nswc.navy.mil/ISSEC/CID
• Coast – ftp://coast.cs.purdue.edu
• SecurityFocus – www.securityfocus.com
• Snort – www.snort.org (Win32 version at www.datanerds.net/~mike/snort.html)
SHADOW and CIDER are free intrusion detection system projects. The Coast archive is Gene Spafford’s security tool archive. SecurityFocus is home of the Bugtraq mailing list, and has a good vulnerability database and tool archive. Snort is currently the most popular free network intrusion detection system “as seen on GIAC”.
5 URLs Continued
• DTK Deception Toolkit – www.all.net
• CIDF – www.gidos.org – www.isi.edu/gost/brian/cidf/
• Tripwire – ftp://coast.cs.purdue.edu/pub/tools/unix/Tripwire – www.Tripwiresecurity.com/
• SPI – ciac.llnl.gov/cstc/
Fred Cohen’s DTK (Deception Toolkit) is an excellent tool kit for building honeypots. CIDF is the Common Intrusion Detection Framework, a standards initiative by the IETF’s Intrusion Detection working group, designed to improve IDS interoperability. Tripwire is the de facto standard in file and registry integrity checking. SPI does integrity checks for US government systems.

6 Even More URLs
• Vulnerability Scanners
– Saint: wwdsilx.wwdsi.com/saint/
– Nessus: www.nessus.org
– Nmap: www.insecure.org/nmap/
– Cerberus: www.cerberus-infosec.co.uk/cis.shtml
• Phonesweep – www.sandstorm.net
SAINT and NESSUS are general vulnerability scanners. Nmap does stealthy port scanning, OS identification and too many other functions to list. CIS is a vulnerability scanner for improving the security of Windows NT machines. They were all free last time we looked. (Editor’s note: nmap was ported to Windows NT in July 2000 by eEye Digital Security. The Windows version can be downloaded from http://www.eeye.com. – JEK) Phonesweep is a ‘wardialer’ or modem-finding tool.

7 URLs URLs URLs
• NukeNabber (from Puppet’s Place) – www.dynamsol.com/puppet/
• Legion (detect unprotected shares) – Rhino9 has disbanded; you will need to do a net search.
NOTE: Appendix A has a glossary.
NukeNabber can be considered a personal host intrusion detector for stand-alone PCs, which will notify you of attempted connections to user-defined ports. Legion can be quite hard to find. Most other vulnerability scanners also now look for unprotected shares. In the back of your materials are additional references.
(Editor’s note: for students taking this course online, the Glossary is included as a separate download file. – JEK)

8 Goal of This Course
To understand how the primary components of intrusion detection capability (such as vulnerability assessments, firewalls, network- and host-based IDS systems) work together to provide information assurance.

9 GIAC Tracks
• Information Security KickStart
• Security Essentials Certification
• Firewalls and Perimeter Protection
• Intrusion Detection In-Depth
• Advanced Incident Handling and Hacker Exploits
• Windows NT and Windows 2000 Security
• Unix Security
• Systems and Network Auditing
Clearly, there will be some repetition between the classes. These classes have been designed to be very high content. There is more material than people can normally absorb in a single sitting; when we repeat, this is done to help the student learn as much of the total material as possible.

10 Introduction
• Introductory Example - Mitnick Attack
• Is There a Business Case for Intrusion Detection?
• What We Will Cover in This Course
Let’s get started then. In our introductory section, we are first going to show you a real attack, so we can see the type of things an attacker does in the real world, and we’ll discuss how the security components of this course could have detected or prevented it. We’ll then take a step back and put our business hats on when we examine the question of a business case for intrusion detection. Because the fact is, this stuff costs money and even with free tools, it takes up valuable time. So we’ll see how to decide on its worth to your organization. Finally, we’ll look at how we are going to divide up the rest of the course.

[...] ... was > $1 Million/day. Is there a business case for intrusion detection?
One of the threads we want to stay aware of during the course is whether or not the cost and effort of intrusion detection is “worth it”. The staggering Acceptable Daily Loss figure above is based on the assumption that the order of magnitude of the loss figure can be predicted...

... Detection Techniques Could Have Detected The Attack?
Detecting the attack is one thing. Most intrusion detection systems would also have detected the recon probes before the attacker went in for the kill. Early warning is much better than real-time or after-the-fact notification of system compromise. (The problem is, a recon probe is often hard...

... introduction to Intrusion Detection than the Mitnick Attack?
We start by examining the intrusion by possibly the world’s most infamous computer criminal, Kevin Mitnick, on the system of Tsutomu Shimomura. This system compromise and the subsequent successful pursuit of Mitnick have been described in several books and elsewhere, but the technical...

... bother?
• Intrusion detection is expensive
• Intrusion detection is complicated
• Intrusion detection can’t possibly detect everything
• We’ve gotten along this far without it and we seem to be OK
Sometimes it seems inertia is the most powerful force in the universe. It’s often worth creating a file of news clippings to break down the “it couldn’t...

... also useful to get an intrusion detection system for an evaluation period so you can show management some of the real stats of attacks on their networks. Let’s look at some business reasons for intrusion detection.

29 Value/Acceptable Loss, Threats, Countermeasures
There are risk theories we will cover in this course that allow the calculation of...
... costly
• There has to be a balance between the cost of improving protection and the value of what you are defending
The threats are real. The CD Universe attack was a classic example of an outside attack, while the Barings Bank case was an excellent example of insider abuse. Most companies undervalue their information assets, but at the same time there...

... Case for Intrusion Detection?
• What We Will Cover in This Course
In the next section, we have a brief look at how we justify the cost of intrusion detection to management. Many technical people tend to switch off at the first mention of business cases and cost-benefit analysis. Don’t! A well-thought-out plan that details and justifies the probable...

[Slide diagram labels: A is talking to B; B]
A trust relationship existed between two machines, both administered by the good guy. (One was an office machine, the other a home machine.) Administrators often set up these sorts of relationships, usually as a convenience. In this particular example, the systems are Unix and the trust relationship is the use of “r” utilities...

[Slide diagram label: Attacker]
Having guessed the next sequence number, and assuming A has sent the SYN/ACK back to B, the attacker completes the connection establishment by sending a final ACK, still with B’s source address. Now the attacker has a connection to A that A believes is from its trusted friend B. That trust is exploited to gain further access. To maintain the...
... example, the trust relationship could have only been set up yesterday, and hasn’t been spotted by the weekly vulnerability scan yet. Machine B could be outside the firewall, or the intrusion detection systems not programmed to detect rhost compromise. By using different types of tools together, we greatly increase the chances of one of them preventing or detecting the attack.

23 Mitnick Attack: Bottom Line
There
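The notes above describe the attack in three observable stages: the recon probes that sample A’s initial sequence numbers, the silencing of the trusted machine B, and a handshake to A’s “r” service that completes from B’s address while B cannot answer for itself. The following is an added example, not part of the SANS course material and not the code of SHADOW, Snort or any other tool named on the slides: a small Python flow tracker that runs over a packet summary and reports each of those stages. Host addresses, port numbers, thresholds and the packet log are all constructed for the demonstration.

```python
"""Added example: toy network-IDS check for the three stages of a spoofed-trust
TCP attack (ISN probing, SYN flooding of the trusted host, one-sided handshake).
Not SANS or SHADOW/Snort code; addresses, ports, thresholds and the capture are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    src: str     # source IP
    dst: str     # destination IP
    sport: int
    dport: int
    flags: str   # TCP flags as tcpdump prints them: "S", "SA", "A", "R"


# Ports of the Unix "r" utilities (rlogin 513, rsh 514) whose host-based trust the attack abuses
TRUST_PORTS = {513, 514}


def analyze(packets, trusted_hosts, probe_threshold=3, flood_threshold=5):
    """Walk a packet list in time order and return findings for the three stages."""
    flows = {}                    # (client, server, sport, dport) -> handshake state
    half_open = defaultdict(set)  # server -> flows stuck after its SYN/ACK (no final ACK seen)
    probes = defaultdict(int)     # (client, server, dport) -> SYN/ACKs the client answered with RST
    reported = set()
    findings = {"isn_probing": [], "syn_flood": [], "spoofed_trust": []}

    for p in sorted(packets, key=lambda x: x.ts):
        if p.flags == "S":
            flows[(p.src, p.dst, p.sport, p.dport)] = "SYN"
        elif p.flags == "SA":
            key = (p.dst, p.src, p.dport, p.sport)   # the server answering a client's SYN
            if flows.get(key) == "SYN":
                flows[key] = "SYNACK"
                half_open[p.src].add(key)
                # Stage 2: one host is accumulating unanswered SYN/ACKs, i.e. being swamped
                if len(half_open[p.src]) >= flood_threshold and p.src not in reported:
                    reported.add(p.src)
                    findings["syn_flood"].append(p.src)
        elif p.flags == "A":
            key = (p.src, p.dst, p.sport, p.dport)
            if flows.get(key) == "SYNACK":
                flows[key] = "EST"
                half_open[p.dst].discard(key)
                # Stage 3: a handshake to an r-service "completes" from a trusted address
                # while that host is silenced, so the ACK cannot really have come from it
                if (p.dport in TRUST_PORTS and p.src in trusted_hosts
                        and len(half_open[p.src]) >= flood_threshold):
                    findings["spoofed_trust"].append((p.ts, p.src, p.dst, p.dport))
        elif p.flags == "R":
            key = (p.src, p.dst, p.sport, p.dport)
            if flows.get(key) == "SYNACK":
                flows[key] = "RST"
                half_open[p.dst].discard(key)
                # Stage 1: repeated SYN -> SYN/ACK -> RST to one port samples the server's ISNs
                probes[(p.src, p.dst, p.dport)] += 1
                if probes[(p.src, p.dst, p.dport)] == probe_threshold:
                    findings["isn_probing"].append((p.src, p.dst, p.dport))
    return findings


# Constructed sample capture; addresses come from RFC 1918 / RFC 5737 documentation ranges.
SERVER, TRUSTED, ATTACKER, DECOY = "10.0.0.10", "10.0.0.20", "203.0.113.7", "192.0.2.99"


def sample_capture():
    pk = []
    # a legitimate ssh session from the trusted host earlier in the day (must not be flagged)
    pk += [Packet(0.0, TRUSTED, SERVER, 1500, 22, "S"), Packet(0.01, SERVER, TRUSTED, 22, 1500, "SA"),
           Packet(0.02, TRUSTED, SERVER, 1500, 22, "A")]
    # stage 1: three SYN/RST probes against the server's rlogin port
    for i in range(3):
        t = 10.0 + i
        pk += [Packet(t, ATTACKER, SERVER, 2000 + i, 513, "S"),
               Packet(t + 0.01, SERVER, ATTACKER, 513, 2000 + i, "SA"),
               Packet(t + 0.02, ATTACKER, SERVER, 2000 + i, 513, "R")]
    # stage 2: SYNs from an address that never answers fill the trusted host's rlogin backlog
    for i in range(5):
        t = 20.0 + i * 0.1
        pk += [Packet(t, DECOY, TRUSTED, 3000 + i, 513, "S"),
               Packet(t + 0.01, TRUSTED, DECOY, 513, 3000 + i, "SA")]
    # stage 3: a handshake from the trusted address to the server's rlogin port completes
    pk += [Packet(21.0, TRUSTED, SERVER, 999, 513, "S"), Packet(21.01, SERVER, TRUSTED, 513, 999, "SA"),
           Packet(21.02, TRUSTED, SERVER, 999, 513, "A")]
    return pk


def run_demo():
    return analyze(sample_capture(), trusted_hosts={TRUSTED})


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {hits}")
```

The legitimate ssh session from B is not flagged, because the stage-3 check only fires for an r-service port on a host that is currently sitting on a backlog of unanswered SYN/ACKs. On a real sensor the same state tracking would run over tcpdump or Snort data rather than a hand-built list, and the thresholds would be tuned to the site; the point the course makes still holds, which is that the first stage (the probes) is visible well before the trust is abused.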