How to Make Your IDS Useful

Joel M Snyder, Senior Partner, Opus One, [email protected]

Source: opus1.com/www/presentations/smartdefense-ids.pdf (Opus One)


Slide 2: Agenda: IDS

• Why are we looking at IDS?
• The 5 “Ws” of IDS Analysis
• The IDS Analysis Cycle

Slide 3: IDS Has Little to Do With Intrusions

[Diagram: an external network connected through a router/firewall to a DMZ and several internal nets]

Enterprises want to understand and block security problems on their networks.

On each network, “intrusion” can mean something very different. The diagram makes the point with two callouts on different segments: “Port scan here: ho-hum” and “Port scan here: uh-oh!”. The same event means nothing on one segment and is an emergency on another.

Slide 4: Intrusion Detection Systems Identify Security Problems on Your Networks

[Diagram: the same external network, DMZ and internal nets, with a passive IDS sensor attached to each monitored segment and reporting over a separate management network]

Slide 5: Intrusion Prevention Systems Block Security Problems on Your Networks

[Diagram: the same topology, with the IPS placed inline (active) in the traffic path instead of as a passive sensor, again managed over a separate management network]

Slide 6: There are at least 4 types of IDS/IPS products out there

• Signature-based: look for specific traffic that matches specific descriptions, or is “out of spec” in some particular way
• Rate-based: watch flows and connections and limit or modify TCP/UDP to pre-determined norms or to guarantee response time
• Anomaly-based: observe deviations from “baseline” normal traffic and block or alert
• Wireless: have specific knowledge of RF and RF behaviors; looking for wireless-specific issues
• Niche:

Slide 7: Network Intrusion Analysis Combines Technology With Methodology

You must have some of both before you can even start.

Suggested reading: “Network Intrusion Detection, 3/e” by Northcutt & Novak

Slide 8: Before You Start, Consider the Five Ws

• Where is everything?
• What do I care about?
• Who is responsible? Who do I tell?
• When do we do analysis?
• Why are we doing this?

Yes, this sounds dull and uninteresting. But if you don’t do it, then you’ll never know what to do with the data your IDS gives you.

Slide 9: Where Is Everything on Your Network? (W#1)

You can’t watch all ports on all devices connected to the network
• Even if you had infinite CPU time...

So you need to know what each device is doing and who is taking care of them.

Mapping your network is part of your preparation for IDS analysis.

Slide 10: Map Your Network at Three Levels (at Least!) (W#1)

• Physical layer topology helps to understand what wires and bridges go where
• Network layer topology identifies systems and routing paths
• Application layer topology shows you what business-critical resources are present

Slide 11: Applications Are Hard to Map but Critical to Understand (W#1)

(The same three levels as the previous slide: physical, network and application topology.)

[Diagram: an application-layer map of a web tier: a load balancer, several WWW servers, Oracle database servers, LDAP servers and a RADIUS server]

Slide 12: What Do I Care About? (W#2)

Once you have mapped your network, you have two main questions to ask:

What is visible to my IDS/IPS?
• Generally, certain inside-to-inside flows will not be visible
• Also, certain outside-to-inside flows might not pass a sensor
• That whole encryption thing

Which network elements are important to me?
• Physical
• Network
• Application
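The “what is visible to my IDS/IPS?” question can be answered mechanically once the network-layer map exists. The following Python is an added example, not part of Snyder’s deck: it builds a small tree-shaped topology (the segment names, links and sensor placements are assumptions made up for the example), finds the path a flow takes between two segments, and reports which passive sensors sit on that path. An inside-to-inside flow between two internal nets crosses only the core switch and never reaches a sensor; an encrypted outside-to-inside flow does pass a sensor but carries no inspectable payload.

```python
from collections import deque

# Constructed topology for this example (not from the deck): segments are
# nodes, links are the wires/router hops between them, and each passive IDS
# sensor taps exactly one link.
LINKS = [
    ("external", "firewall"),
    ("firewall", "dmz"),
    ("firewall", "core"),
    ("core", "internal-a"),
    ("core", "internal-b"),
]

# Sensor name -> the link it taps (assumed placements).
SENSORS = {
    "dmz-tap": frozenset({"firewall", "dmz"}),
    "core-tap": frozenset({"firewall", "core"}),
}


def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def find_path(graph, src, dst):
    """Breadth-first search from src to dst.  Returns the list of segments
    traversed (inclusive) or None.  A tree-shaped enterprise network has one
    path between any two segments, which is the assumption here."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def sensors_on_path(path, sensors):
    hops = {frozenset(pair) for pair in zip(path, path[1:])}
    return sorted(name for name, link in sensors.items() if link in hops)


def flow_visibility(src, dst, encrypted=False, links=LINKS, sensors=SENSORS):
    """Which sensors see a src -> dst flow?  An encrypted flow still reaches
    the sensor, but the sensor cannot inspect its payload, so that case is
    reported separately ('that whole encryption thing')."""
    path = find_path(build_graph(links), src, dst)
    if path is None:
        return {"path": None, "sensors": [], "visible": False,
                "payload_inspectable": False}
    seen_by = sensors_on_path(path, sensors)
    return {"path": path, "sensors": seen_by, "visible": bool(seen_by),
            "payload_inspectable": bool(seen_by) and not encrypted}


if __name__ == "__main__":
    for src, dst, enc in [("external", "dmz", False),
                          ("external", "internal-a", True),
                          ("internal-a", "internal-b", False)]:
        print(f"{src} -> {dst}: {flow_visibility(src, dst, encrypted=enc)}")
```

Run over every pair of segments that matters to you (the application map tells you which) and the flows reported as not visible are exactly the gaps the policy has to either accept or close with another sensor.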

Slide 13: Spend Time on Critical and Important Systems (W#2)

Quick: your IPS says that someone is trying SQL attacks on “imprimo.” Do you care?
Answer: No. It’s a printer. It doesn’t run SQL. No one cares about it anyway.

Quick: your IPS says that someone is trying SQL attacks on system “repono.” Do you care?
Answer: Yes! It’s an SQL server. It’s behind the firewall. It generates my paycheck.

Slide 14: Who Is Responsible? (W#3)

System Management Responsibility
• Who takes care of the network?
• Who takes care of the servers and routers?
• Who takes care of the applications?

Incident Responsibility
• Who do I tell?
• What are they responsible for doing?
• What if they don’t do it?
• Then what do I do? (or do I even care?)

Slide 15: When Do We Do Analysis? (W#4)

Immediately? Daily? Weekly? Monthly? Quarterly? Annually? Never?

• Are we concerned about catching someone in the act?
• Do we want to know quickly if there is a problem on our net?
• Are we looking for long-term trends?
• Do we do this for forensics and tuning?

Slide 16: Your Analysis Timeframe Strongly Influences What You Do (W#4)

Immediate: Alert system & network mgrs. React or traceback? Start logging. Get on the phone.

Daily: Successful? Prioritize 1/2/3. A trend? History? Patch? Update firewall rules? Surveillance?

Trending: What’s abnormal? Normal? Getting worse? Better? Forensics?
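The “Trending” questions on this slide (what’s abnormal, what’s normal, getting worse or better) and the anomaly-based product type from slide 6 both reduce to comparing current counts against a baseline. The Python below is an added example and not from the original deck; the per-signature daily alert counts are constructed. It uses a median/MAD baseline to flag a one-day spike, and a simple older-half versus newer-half comparison to catch a slow ramp that never trips the spike test.

```python
from statistics import median

# Constructed per-signature daily alert counts for the last 14 days (oldest
# first, today last).  The numbers are made up for the example.
DAILY_COUNTS = {
    "SQL injection attempt": [3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 4, 3, 3, 40],
    "Port scan (SYN)": [80, 85, 90, 78, 88, 92, 85, 110, 120, 130, 140, 150, 160, 158],
    "ICMP echo request": [10, 12, 9, 11, 10, 13, 10, 11, 12, 9, 10, 11, 12, 10],
}


def baseline(history):
    """Robust baseline of a signature's history: (median, median absolute
    deviation).  Median/MAD rather than mean/stdev, so one bad day in the
    history (a worm outbreak, a misconfigured scanner) does not inflate the
    'normal' range and hide the next one."""
    m = median(history)
    return m, median(abs(v - m) for v in history)


def is_abnormal(today, history, k=5.0, floor=2.0):
    """True if today is more than k MADs above the baseline median.  'floor'
    stops a perfectly flat history (MAD 0) from making any blip abnormal."""
    m, d = baseline(history)
    return today > m + k * max(d, floor)


def trend(counts):
    """Getting worse or better?  Compare the mean of the older half of the
    window with the newer half; a 25% shift either way counts as a trend."""
    half = len(counts) // 2
    older = sum(counts[:half]) / half
    newer = sum(counts[half:]) / (len(counts) - half)
    if newer >= 1.25 * older:
        return "worse"
    if newer <= 0.75 * older:
        return "better"
    return "flat"


def review(daily_counts):
    """Daily/trending review for every signature: is today a spike, and which
    way is the two-week window moving?"""
    report = {}
    for sig, counts in daily_counts.items():
        *history, today = counts
        report[sig] = {
            "today": today,
            "baseline_median": baseline(history)[0],
            "abnormal_today": is_abnormal(today, history),
            "trend": trend(counts),
        }
    return report


if __name__ == "__main__":
    for sig, verdict in review(DAILY_COUNTS).items():
        print(f"{sig:24s} {verdict}")
```

With the constructed data the SQL injection signature is flagged as a spike, the port scan count is not a spike on any single day but is trending worse, and the ICMP count is flat. The two tests answer different questions, which is why a daily review wants both.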

Slide 17: Why Are We Doing This? (W#5)

You must be doing Intrusion Detection analysis and Intrusion Prevention for a reason. What is it?

What did your business case say?
• Avoid common exploits?
• Look for internal worms and malware?
• Discover misbehaving users and systems?
• Find out how you were broken?

Who? Why? When?
• Tool for your application and network managers?
• Tool for security manager?

Slide 18: A Policy Covers the Five Ws and You Need a Policy

This is even more important than the policy that you didn’t write to go along with your firewall.

Where is everything? What do I care about? Who is responsible? Who do I tell? When do we do analysis? Why are we doing this?

“Policies don’t work” – Marcus Ranum, Seven Things I’ve Learned

Slide 19: Your Policy Will Determine How You Do Analysis and Use Your IPS

• Immediate alerting: You want to know the moment that something is up so that you can react immediately.
• Correlation: You watch breakins and attempts to understand the motivation, method, and goals of the attacker.
• Surveillance: You instruct the IDS to watch certain things more carefully to collect data on an object or suspect of interest.
• Forensics: You use IDS to help understand what happened after a security incident or to show traffic flows and long-term statistics.

Slide 20: The Analysis Cycle Gives a Framework

[Diagram: the analysis cycle. Its stages, in the order the following slides walk through them, are Identify resources, Break down, Define attack (with Research and Interact), Qualify applicability, Validate success, Respond appropriately and Feedback, with Policy underlying all of them]

Slide 21: Analysis Is Always Grounded in Policy

As you dive in, remember Paul Proctor’s rule: “When you first start operating an IDS, you will find many things you do not expect. Be prepared.”

Which implies, perhaps, that policy is also grounded in analysis.

Slide 22: The 1st Step Is Identification and Mapping

• Construct your 3 maps (physical, network, application)
• Identify key resources
• Link to responsible people within your organization
• Some of this will come from policy

For each step in the cycle, identify the tools your IDS has to support this step.

Slide 23: Break Down the Data Into Manageable Chunks

You will have dozens or perhaps hundreds of events (or thousands, if you haven’t tuned) to look through.

Looking at them all requires mental discipline and an ability to prioritize.

Slide 24: Define the Incident and Understand What It Means

What kind of incident?
• Attack on a host?
• DoS attack?
• Information probe?

What does the event message mean? What happened? Who was the source?

Slide 25: Research Is an Integral Part of Defining an Incident

• Reference materials (Stevens Vol. 1, 3)
• Web rambling
• Your brain and your analyst (paper or electronic) notebook

Slide 26: Qualify the Incident

Is it applicable to us? Do we care about it? Have I seen it before? Have I seen this attacker before?

This is the most important and time-consuming part of analysis.

Slide 27: Qualification Means Answering a Lot of Questions

Does this host actually exist?
• Attacks on non-existent hosts are pretty low priority

Is this host vulnerable to the attack?

Go back to your “Identify Resources” maps and start talking to the responsible people.

Key conclusion: Without a comprehensive map, you cannot do useful analysis. Information gathering is painful, but there are tools to help.

Slide 28: Northcutt Advises Prioritizing Your Incidents and Events

Criticality: How bad will it hurt?
• 5: Firewall, DNS, router
• 4: Email gateway/server
• 3: Executive’s desktop
• 2: User desktop
• 1: MS-DOS 3.11 running soda machine

Lethality: How likely to do damage?
• 5: Multi-system root access
• 4: Single-system root
• 3: DoS total lockout
• 2: User-level access
• 1: Unlikely to succeed

System Countermeasures
• 5: Totally patched, modern O/S, internal firewall
• 3: Older O/S, partially patched
• 1: Unpatched/Unmanaged

Network Countermeasures
• 5: Validated, restricted firewall
• 4: Firewall, plus some unprotected connections
• 2: Permissive firewall
• 1: No firewall

severity = (criticality + lethality) – (sys + net countermeasures)
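Worked example of the severity formula above, combined with the qualification questions from slides 13 and 27 (does the host exist, does it run the attacked service, who owns it). This is an added Python example, not code from the deck or from Northcutt’s book. The two host names come from slide 13; the asset records, owners, signature lethality values, the rule that an attack on a service the host does not run is treated as lethality 1 (“unlikely to succeed”), and the P1/P2/P3 thresholds are all assumptions made for the example.

```python
# Constructed asset map, i.e. the output of the identify-resources step.  The
# host names come from slide 13; roles, services, owners and the 1-5
# countermeasure scores are assumptions for this example.
ASSETS = {
    "imprimo": {"exists": True, "role": "printer", "services": {"lpd", "http"},
                "criticality": 1, "sys_cm": 1, "net_cm": 2, "owner": "facilities"},
    "repono": {"exists": True, "role": "sql-server", "services": {"mssql"},
               "criticality": 4, "sys_cm": 3, "net_cm": 2, "owner": "dba-team"},
}

# Lethality (Northcutt's 1-5 scale) per signature class, plus the service the
# attack needs to find listening.  Values are assumptions for the example.
SIGNATURES = {
    "SQL injection": {"lethality": 4, "needs": "mssql"},
    "SYN flood": {"lethality": 3, "needs": None},
    "Default password login": {"lethality": 2, "needs": "http"},
}


def severity(criticality, lethality, sys_cm, net_cm):
    """Northcutt's formula from the slide."""
    return (criticality + lethality) - (sys_cm + net_cm)


def priority(sev):
    """Assumed P1/P2/P3 thresholds on the -8..+8 severity range."""
    if sev >= 3:
        return "P1"
    if sev >= 0:
        return "P2"
    return "P3"


def qualify(host, signature, assets=ASSETS, signatures=SIGNATURES):
    """Answer the qualification questions for one event and score it."""
    sig = signatures[signature]
    asset = assets.get(host)
    if asset is None or not asset["exists"]:
        return {"host": host, "signature": signature, "applicable": False,
                "severity": None, "priority": "P3", "notify": None,
                "reason": "target is not in the asset map: low priority"}
    lethality = sig["lethality"]
    reason = f"{asset['role']} runs the targeted service"
    if sig["needs"] is not None and sig["needs"] not in asset["services"]:
        # Assumption: an attack on a service the host does not run is
        # 'unlikely to succeed' (lethality 1), whatever the signature says.
        lethality = 1
        reason = f"{asset['role']} does not run {sig['needs']}"
    elif sig["needs"] is None:
        reason = "attack does not depend on a specific service"
    sev = severity(asset["criticality"], lethality, asset["sys_cm"], asset["net_cm"])
    return {"host": host, "signature": signature, "applicable": True,
            "severity": sev, "priority": priority(sev), "notify": asset["owner"],
            "reason": reason}


def triage(events, **kw):
    """Score a batch of (host, signature) events and return them worst first."""
    verdicts = [qualify(h, s, **kw) for h, s in events]
    return sorted(verdicts, key=lambda v: (v["priority"], -(v["severity"] or 0)))


if __name__ == "__main__":
    events = [("imprimo", "SQL injection"), ("repono", "SQL injection"),
              ("imprimo", "SYN flood"), ("ghost", "SQL injection")]
    for v in triage(events):
        print(v)
```

With these numbers the SQL attack on repono scores 3 (P1, tell the DBA team) and the same attack on imprimo scores -1 (P3), which is the slide 13 answer expressed as arithmetic. The point of writing it down is that the scores are only as good as the asset map feeding them: a host missing from the map is scored as non-existent.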

Slide 29: You Might Want to Answer Two More Questions

“Did the event cause a state change?” Is the behavior of the target system different after the event than before the event?

“Is there something else going on here?” What other correlation can we make between this attacker, the attacked system, and the type of incident with past incidents?
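Both questions on this slide can be checked against sensor data rather than by intuition. The Python below is an added example, not from the original deck; the flow records, alerts, addresses and timestamps are constructed. state_change() diffs the (destination, port) pairs the target initiated before and after the event, and correlate() pulls every other alert from the same attacker, split into what preceded the event (reconnaissance) and what followed it (spread to other hosts).

```python
from datetime import datetime

# Constructed flow records from a passive sensor on the internal segment:
# (timestamp, src_ip, dst_ip, dst_port).  Addresses and times are made up.
FLOWS = [
    ("2024-03-04T09:00:00", "10.1.2.20", "10.1.2.5", 389),
    ("2024-03-04T09:05:00", "10.1.2.20", "10.1.2.9", 53),
    ("2024-03-04T09:10:00", "10.1.2.20", "10.1.2.5", 389),
    ("2024-03-04T09:31:00", "10.1.2.20", "10.1.2.9", 53),
    ("2024-03-04T09:32:00", "10.1.2.20", "203.0.113.7", 4444),
    ("2024-03-04T09:40:00", "10.1.2.20", "203.0.113.7", 4444),
]

# Constructed IDS alerts: (timestamp, signature, src_ip, dst_ip).
ALERTS = [
    ("2024-03-04T08:50:00", "Port scan (SYN)", "203.0.113.7", "10.1.2.20"),
    ("2024-03-04T09:30:00", "SQL injection", "203.0.113.7", "10.1.2.20"),
    ("2024-03-04T09:35:00", "SQL injection", "203.0.113.7", "10.1.2.21"),
    ("2024-03-04T09:36:00", "Port scan (SYN)", "198.51.100.3", "10.1.3.4"),
]


def ts(s):
    return datetime.fromisoformat(s)


def state_change(target, event_time, flows):
    """'Did the event cause a state change?'  Compare the set of
    (destination, port) pairs the target initiated before the event with the
    set it initiated afterwards; anything new is a behaviour change.  A
    database server that suddenly opens an outbound connection to a new
    address is the classic sign of a successful exploit."""
    event = ts(event_time)
    before = {(d, p) for t, s, d, p in flows if s == target and ts(t) < event}
    after = {(d, p) for t, s, d, p in flows if s == target and ts(t) >= event}
    return sorted(after - before)


def correlate(attacker, target, event_time, alerts):
    """'Is there something else going on here?'  Every other alert from the
    same attacker, split into what came before the event (reconnaissance)
    and what came after it (spread to other hosts)."""
    event = ts(event_time)
    earlier, later = [], []
    for t, sig, src, dst in alerts:
        if src != attacker or (ts(t) == event and dst == target):
            continue  # not this attacker, or the event under analysis itself
        (earlier if ts(t) < event else later).append((t, sig, dst))
    other_targets = sorted({dst for _, _, dst in earlier + later if dst != target})
    return {"earlier": earlier, "later": later, "other_targets": other_targets}


def assess(attacker, target, event_time, flows=FLOWS, alerts=ALERTS):
    new_flows = state_change(target, event_time, flows)
    calls_back = any(dst == attacker for dst, _ in new_flows)
    related = correlate(attacker, target, event_time, alerts)
    return {
        "new_flows": new_flows,
        # Outbound traffic from the target back to the attacker, appearing
        # only after the event, is strong evidence the attack succeeded.
        "likely_compromised": calls_back,
        "reconnaissance_seen": bool(related["earlier"]),
        "other_targets": related["other_targets"],
    }


if __name__ == "__main__":
    print(assess("203.0.113.7", "10.1.2.20", "2024-03-04T09:30:00"))
```

In the constructed data the SQL server starts talking to the attacker on port 4444 two minutes after the injection alert, the same attacker port-scanned it forty minutes earlier, and it moved on to a second server five minutes later. That is the answer to slide 30’s “was the attack successful?” and the input to slide 31’s firewall adjustments.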

Slide 30: Communicate and Validate the Incident

Share information: something of interest might be correlated.

Find out: was the attack successful?

Slide 31: Feedback Completes the Analysis Cycle

• Firewall adjustments
• IPS adjustments
• Update maps with contact information and patch details
• Log incident and results
• Verify against policy

Slide 32: Action Items: Making your IDS Useful

• Follow the “5 Ws” and prepare background information on the network
• Identify tools within your IDS to help each step in the Analysis Cycle
• Set aside 2 to 3 hours each week to practice and get into the swing of tuning and analyzing events

Slide 33: Thanks!

Joel Snyder, Senior Partner, Opus One, [email protected]