Intrusion Detection Systems and Good Security Practice - PowerPoint PPT Presentation

About This Presentation

Title: Intrusion Detection Systems and Good Security Practice

Slides: 26
Provided by: allanh6

Transcript and Presenter's Notes

1
Intrusion Detection Systems and Good Security
Practice
  • K778 Security, Privacy and Trust

2
Introduction
  • Security risk due to internet connectivity
  • Good Security Practices
  • Intrusion Attempts - Opportunistic/Targeted
  • Assertion: Good Security Practice protects
    against Opportunistic attacks
  • Intrusion Detection Systems
  • Hypothesis: IDS can detect Opportunistic attacks
    and some Targeted attacks, therefore should be
    part of Good Security Practice
  • Experiment
  • Questions

Introduction
3
2001 CSI/FBI Survey
  • Survey of 538 organizations
  • 91% detected a security breach in the last year
  • 90% reported vandalism
  • 64% acknowledged financial loss
  • 36% reported intrusions to authorities

4
Riptech Internet Security Threat Report Q3-4 2001
  • Empirical analysis of 300 companies, 25 countries
  • 63% of attacks were the Nimda and Code Red worms;
    these are not included in the remaining statistics
  • 43% had an attack that would have been severe
    without intervention
  • 39% deliberate, 61% opportunistic
  • Average of 25 attempts per company per week
  • Less than 1% of all attacks were a severe,
    immediate threat
  • Large firms and the high-tech, financial services,
    media and energy sectors saw a higher frequency
    of attack

5
CERT/CC Incidents
6
Web Site Defacements
7
New Sport?
  • Alldas defacement web site

8
Partial Explanation
9
Pressure on Security Officer
  • The only secure computer is in a locked room,
    disconnected from the network and turned off
  • Internet connectivity is vital for e-Commerce
  • Trade-off between security practices, business
    practices, applications, connectivity and security

GSP
10
SANS/FBI Top 20
11
Good Security Practices
  • Microsoft
  • CERT

12
Good Security Practices
  • System
    • Install latest patches
    • Remove unrequired software
    • Secure file system
  • Application
    • Install latest patches
    • Remove unrequired software
    • Control access
  • Environment
    • Filter, block unnecessary ports and services
    • Control access

13
Intrusion Attempts
  • Intrusion Attempt (Attack): a set of events or
    activities taken by an attacker to achieve an
    intrusion goal
  • Vulnerability: a weakness that could be exploited
    to gain unauthorized access, disrupt processing
    or penetrate an operation
  • Exploit: a technique used to achieve the intrusion
    goal via a specific vulnerability

IA
14
Vulnerabilities
  • Advisories
    • Vendor, e.g. Microsoft
    • Third party, e.g. CERT
  • Database - CVE
  • Testing tools
    • Nessus
    • Nmap

15
Exploits
  • Published lists
    • packetstorm
  • Tools and techniques
    • Same as vulnerability testing!

16
Attackers
  • From an Information Week survey of 2700 security
    professionals, more than 10% identified the
    following as suspected sources of security
    breaches in 1999:
    • Computer hackers and terrorists
    • Authorised users and employees
    • Contract service providers
    • Foreign governments
    • Unauthorized users and employees
    • Former employees
    • Suppliers
    • Customers

17
Proposed Classification
  • Intrusion Attempts
    • Targeted: the attacker has targeted a system or
      organization, and uses a set of exploits to
      achieve the goal
      • Typically scans vertically
      • Will be stealthy
      • More persistent
    • Opportunistic: the attacker has a set of
      exploits and is looking for any system to hack
      • Typically scans horizontally
      • Speed is the main criterion
      • Looking for a single point of failure
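The classification above rests on two observable features: scan direction (vertical, many ports on one host, versus horizontal, one port across many hosts) and speed. The Python below, added here as an example and not part of the presentation, classifies source addresses from a connection log by those features and measures each source's connection rate. The log format, the addresses, the thresholds and the field names in the report are assumptions for illustration; the log itself is constructed.

```python
"""Classify scanning sources as vertical (one host, many ports) or horizontal
(one port, many hosts) and measure their speed from a connection log.
Added example, not code from the presentation; log format, addresses and
thresholds are assumptions."""
from collections import defaultdict

# Constructed connection log, one TCP connection attempt per line:
# "HH:MM:SS source destination dst_port". Three sources: a slow vertical
# scan of one host, a fast horizontal sweep of port 80, and a normal client.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 192.0.2.10 21
10:01:30 203.0.113.5 192.0.2.10 22
10:03:02 203.0.113.5 192.0.2.10 23
10:04:45 203.0.113.5 192.0.2.10 25
10:06:10 203.0.113.5 192.0.2.10 80
10:08:00 203.0.113.5 192.0.2.10 110
10:10:20 203.0.113.5 192.0.2.10 143
10:12:00 203.0.113.5 192.0.2.10 443
10:20:05 198.51.100.7 192.0.2.1 80
10:20:05 198.51.100.7 192.0.2.2 80
10:20:05 198.51.100.7 192.0.2.3 80
10:20:06 198.51.100.7 192.0.2.4 80
10:20:06 198.51.100.7 192.0.2.5 80
10:20:06 198.51.100.7 192.0.2.6 80
10:20:07 198.51.100.7 192.0.2.7 80
10:20:07 198.51.100.7 192.0.2.8 80
10:25:00 192.0.2.50 192.0.2.10 80
10:25:03 192.0.2.50 192.0.2.10 443
10:25:09 192.0.2.50 192.0.2.10 80
"""


def _seconds(hhmmss):
    """Convert HH:MM:SS to seconds since midnight."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    """Return a list of (seconds, src, dst, port) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((_seconds(ts), src, dst, int(port)))
    return events


def classify_sources(events, port_threshold=5, host_threshold=5):
    """Per source address: scan pattern ("vertical", "horizontal", "both" or
    "none"), distinct hosts and ports touched, and connection rate per second.
    A source is vertical if it touches at least port_threshold ports on one
    host, horizontal if it touches at least host_threshold hosts on one port."""
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev[1]].append(ev)

    report = {}
    for src, evs in per_src.items():
        ports_by_host = defaultdict(set)   # dst host -> ports probed there
        hosts_by_port = defaultdict(set)   # dst port -> hosts probed on it
        for _, _, dst, port in evs:
            ports_by_host[dst].add(port)
            hosts_by_port[port].add(dst)
        vertical = max(len(p) for p in ports_by_host.values()) >= port_threshold
        horizontal = max(len(h) for h in hosts_by_port.values()) >= host_threshold
        pattern = {(True, True): "both", (True, False): "vertical",
                   (False, True): "horizontal", (False, False): "none"}[(vertical, horizontal)]
        times = [e[0] for e in evs]
        span = max(times) - min(times)
        # Speed: connections per second over the source's active span; a single
        # instant counts as one second so the rate stays finite.
        rate = len(evs) / (span if span > 0 else 1)
        report[src] = {"pattern": pattern, "hosts": len(ports_by_host),
                       "ports": len(hosts_by_port), "connections": len(evs),
                       "span_s": span, "rate": rate}
    return report


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)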

18
Exposure Framework
[Diagram; only its labels survive: Vulnerabilities (Unpublished, Published), Exploits (Unpublished, Published), Assertion, Fix or Mitigating Action]
19
Window of Opportunity
[Diagram with the same labels: Vulnerabilities (Unpublished, Published), Exploits (Unpublished, Published), Assertion, Fix or Mitigating Action]
20
Intrusion Detection Systems
  • Anomaly: the system has no knowledge of specific
    attacks, but has learned normal behavior and
    tests activity against that
    • Neural networks, statistical and data mining
      techniques
  • Misuse: the system uses a database of known
    attack signatures, and tests activities against
    the database
    • Most commercial systems are based on signature
      analysis

IDS
21
Hypothesis
  • Assertion: Since Opportunistic attacks are based
    upon published exploits, rules or signatures can
    be developed for these exploits, therefore an IDS
    performing signature analysis can reliably detect
    Opportunistic attacks
  • This is not sufficient justification to add this
    tool to Good Security Practices
  • Hypothesis: An IDS performing signature analysis
    can detect some Targeted attacks, therefore
    should be part of Good Security Practice
  • If the Security Officer is alerted that a
    targeted attack is in progress, then the SO will
    take escalated actions. This is justification to
    add this tool to Good Security Practices

Hypothesis
22
Experimental Questions
  • Can Opportunistic attacks be flagged?
  • Can some Targeted attempts in the category of
    reconnaissance and vulnerability identification
    be flagged?
  • Can the rate of false positives be controlled?

Experiment
23
Experiment
  • Two systems gathering data
    • Protected: Opportunistic attempts only
    • Unprotected: Opportunistic and Targeted attempts
  • Workstation with a scanning tool kit
  • All network traffic captured to an offline database
  • Offline IDS analysis
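Slide 20 distinguishes misuse (signature) detection from anomaly detection, slide 22 asks whether the false-positive rate can be controlled, and the experiment above replays captured traffic through an IDS offline. The Python below, added as an example and not the presentation's code nor any IDS product's, does the same on a small constructed, labelled HTTP request capture: a signature matcher whose worm rules follow the widely published Code Red (/default.ida followed by a long run of N) and Nimda (root.exe or cmd.exe invoked with ?/c+) probe strings, a request-length anomaly model trained on constructed benign requests, and an evaluation that counts detections, misses and false positives per attack class. The request lines, the labels, the rule names, the training set and the thresholds are all assumptions for illustration.

```python
"""Offline IDS evaluation over a labelled HTTP request capture.

Added example, not code from the presentation. Every request line below is
constructed for illustration; the worm probe strings follow the widely
published Code Red and Nimda patterns but are not captured traffic."""
import re
import statistics

# Misuse rules (illustrative; rule names are assumptions).
SIGNATURES = {
    "code-red-ida-probe": re.compile(r"/default\.ida\?[NX]{20,}"),
    "nimda-cmd-probe": re.compile(r"/(?:root|cmd)\.exe\?/c\+", re.I),
    "dir-traversal": re.compile(r"(?:\.\./){2,}|(?:%2e%2e%2f){2,}", re.I),
}

# Constructed benign requests used to learn what "normal" looks like.
TRAINING = [
    "GET /index.html HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
    "GET /products/list.asp?cat=12 HTTP/1.0",
    "POST /login.asp HTTP/1.0",
    "GET /about.html HTTP/1.0",
    "GET /news/2001/10/story.html HTTP/1.0",
    "GET /products/list.asp?cat=7&page=2 HTTP/1.0",
    "GET /css/site.css HTTP/1.0",
]

# Constructed, labelled capture: (ground-truth label, request line).
CAPTURE = [
    ("benign", "GET /index.html HTTP/1.0"),
    ("benign", "GET /products/list.asp?cat=12 HTTP/1.0"),
    ("benign", "GET /search.asp?q=intrusion+detection+systems+and+good+security+practice HTTP/1.0"),
    ("benign", "POST /login.asp HTTP/1.0"),
    ("opportunistic", "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0"),
    ("opportunistic", "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    ("opportunistic", "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("targeted", "GET /../../../winnt/win.ini HTTP/1.0"),   # generic traversal recon probe
    ("targeted", "GET /cgi-bin/ HTTP/1.0"),                 # quiet recon; looks like normal traffic
]


def signature_alerts(request_line):
    """Misuse detection: names of every signature the request matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]


class LengthAnomalyModel:
    """Anomaly detection: learns the normal request-line length from benign
    traffic and flags requests more than k standard deviations above the mean."""

    def fit(self, normal_requests):
        lengths = [len(r) for r in normal_requests]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.stdev(lengths)
        return self

    def zscore(self, request_line):
        return (len(request_line) - self.mean) / self.stdev

    def is_anomalous(self, request_line, k=3.0):
        return self.zscore(request_line) > k


def evaluate(capture, detector):
    """Run detector(request) -> truthy over labelled requests and count true
    positives, misses (fn) and false positives; by_class maps each attack
    label to (detected, total); fp_rate is false positives per benign request."""
    tp = fp = fn = benign = 0
    by_class = {}
    for label, request in capture:
        hit = bool(detector(request))
        if label == "benign":
            benign += 1
            fp += hit
            continue
        detected, total = by_class.get(label, (0, 0))
        by_class[label] = (detected + hit, total + 1)
        tp += hit
        fn += not hit
    return {"tp": tp, "fp": fp, "fn": fn,
            "fp_rate": fp / benign if benign else 0.0,
            "by_class": by_class}


if __name__ == "__main__":
    model = LengthAnomalyModel().fit(TRAINING)
    print("signature:", evaluate(CAPTURE, signature_alerts))
    for k in (3.0, 8.0):
        print(f"anomaly k={k}:", evaluate(CAPTURE, lambda r: model.is_anomalous(r, k)))
```

Two things the numbers show. The signature matcher flags every opportunistic probe and the one targeted request that uses a generic reconnaissance pattern, but misses the quiet targeted request, which is the "some Targeted attacks" of the hypothesis. The anomaly model catches only the oversized worm request; at k=3 it also flags a long but legitimate search query, and raising k removes that false positive without helping with the short probes, which is the trade-off behind the third experimental question.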

24
Conclusion
  • Good Security Practice is the minimum for a
    Security Officer to take; any less is negligent
  • If a signature-based IDS has low false positives
    and captures some Targeted attempts, then it
    should be part of Good Security Practice
  • If signature-based IDS fails, then monitor the
    research only

25
Questions?