Host-Based Intrusion Detection - PowerPoint PPT Presentation

Provided by: davids53

1
Host-Based Intrusion Detection
2
The Hacker's Objective
  • Rootkit
  • A rootkit is a set of tools installed after a compromise to hide the
    utilities used to abuse the system (trojaned ps, ls, netstat, or a
    kernel module that filters what those tools can see)
  • These usually include "backdoors", which let the attacker get back
    into the system easily without having to exploit it again

3
HIDS Implementations
  • chkrootkit
  • A virus scanner just for rootkits: it looks for the traces of known
    rootkits (modified binaries, hidden processes, known file names)
  • New rootkits can specifically take measures to evade detection by
    chkrootkit, so it only finds what it already knows about
  • Tripwire
  • Capable of tracking all changes to the file system, whether or not a
    change matches any known rootkit
  • Takes the game to a different level

4
How does Tripwire work?
  • By comparing system files and directories against a previously stored
    "baseline database", Tripwire can find any additions, deletions, or
    changes to the file system
  • This gives the system administrator what is needed to track down the
    rogue changes: which files differ, and which properties of each file

5
Baseline Database?
  • Record every file of interest in a database while the system is in a
    known-good state (ideally right after installation, before it is
    exposed to the network)
  • To check file system integrity, compare every file on the file system
    with its entry in the database
  • When making approved changes to the file system, the administrator
    must update the database; otherwise legitimate changes keep showing up
    as alerts and the real ones get lost in the noise

6
A copy of the entire file system?
  • No: store a hash of each file, not its contents
  • A hash function takes a message of any length as input and produces a
    fixed-length digest; finding two different inputs with the same digest
    is meant to be infeasible
  • Think of it as a digital fingerprint
  • The two most commonly used hash functions when these slides were
    written were MD5 and SHA-1; both have since had practical collisions
    published, so a current deployment should record SHA-256 (or
    stronger) and treat MD5 and SHA-1 digests as legacy

  MD5("The quick brown fox jumps over the lazy cog") = 1055d3e698d289f2af8663725127bd4b
  MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6

  A one-letter change in the input gives a completely unrelated digest, which
  is why a single altered byte in a binary cannot hide from the comparison.
7
What else can we track?
  • File Information
  • Owner
  • Permissions
  • Size
  • Modification Time
  • Type

8
Can we configure the baseline database?
  • Yes, through a policy file. A subset of Tripwire's property mask
    letters:
  • -  ignore the following properties
  • +  record and check the following properties
  • a  access timestamp
  • g  file owner's group ID
  • l  file is increasing in size (a "growing file" such as a log:
       shrinking is a violation, growing is not)
  • m  modification timestamp
  • p  permissions and file mode bits
  • t  file type
  • u  file owner's user ID
  • M  MD5 hash value
  • S  SHA hash value
  • A subset of rule attributes
  • recurse   how many directory levels below the object to descend
  • severity  a number attached to violations of the rule so that reports
              can be sorted by importance
  • Valid policy lines (extraction had stripped the operators; the Tripwire
    syntax is rule ";"-terminated, with variables defined as name = mask
    and expanded as $(name)):
  • /etc -> +ugm (recurse=2);
  • mask1 = +m;
  • /var -> $(mask1);

9
How do we test integrity?
  • Use the same policy to generate a checking database while the file
    system is in an unknown, possibly compromised state
  • If there were no changes to the system, the baseline database and the
    checking database will be identical; every difference is either an
    approved change the administrator forgot to record or something to
    investigate
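The baseline-then-check cycle of slides 5 through 9, as an added Python example. This is not Tripwire's code: it borrows Tripwire's property-mask letters, adds an assumed extra letter X for SHA-256 (Tripwire defines no such letter), and the policy, files and tampering below are constructed for the demonstration.

```python
"""Tripwire-style baseline/check cycle (added example, not Tripwire's code)."""
import hashlib
import os
import stat
import tempfile

# Property-mask letters, following Tripwire's: p permissions, s size,
# t file type, u owner uid, g group gid, m mtime, M MD5, S SHA-1.
# X is an assumed extra letter (not in Tripwire) for SHA-256.
DIGESTS = {"M": "md5", "S": "sha1", "X": "sha256"}


def file_properties(path, mask):
    """Return {letter: value} for the properties named in mask."""
    st = os.lstat(path)
    props = {}
    for letter in mask:
        if letter == "p":
            props["p"] = stat.S_IMODE(st.st_mode)
        elif letter == "s":
            props["s"] = st.st_size
        elif letter == "t":
            props["t"] = stat.S_IFMT(st.st_mode)
        elif letter == "u":
            props["u"] = st.st_uid
        elif letter == "g":
            props["g"] = st.st_gid
        elif letter == "m":
            props["m"] = st.st_mtime_ns
        elif letter in DIGESTS and stat.S_ISREG(st.st_mode):
            h = hashlib.new(DIGESTS[letter])
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            props[letter] = h.hexdigest()
    return props


def build_database(policy):
    """policy: list of (directory, mask, recurse).  recurse=N descends at
    most N directory levels below the object; -1 means unlimited.
    Returns {absolute path: properties}, the 'database' of slide 5."""
    db = {}
    for root, mask, recurse in policy:
        root = os.path.abspath(root)
        for dirpath, dirnames, filenames in os.walk(root):
            level = 0 if dirpath == root else dirpath[len(root) + 1:].count(os.sep) + 1
            if 0 <= recurse <= level:
                dirnames[:] = []          # do not descend any further
            for name in filenames:
                full = os.path.join(dirpath, name)
                db[full] = file_properties(full, mask)
    return db


def compare(baseline, current):
    """Slide 9: additions, deletions and, per changed file, which letters differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        differing = {k for k, v in baseline[path].items() if current[path].get(k) != v}
        if differing:
            changed[path] = "".join(sorted(differing))
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a fake /etc, tamper with it the way a
    rootkit install might, then run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.makedirs(os.path.join(etc, "pam.d"))
        files = {"passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "hostname": b"web01\n",
                 "pam.d/sshd": b"auth required pam_unix.so\n"}
        for rel_name, content in files.items():
            with open(os.path.join(etc, rel_name), "wb") as f:
                f.write(content)
        policy = [(etc, "pstuMX", 2)]       # like "/etc -> +pstuMX (recurse=2);"
        baseline = build_database(policy)

        # Attacker: add a uid-0 account, plant a preload library, remove a file.
        with open(os.path.join(etc, "passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(etc, "ld.so.preload"), "wb") as f:
            f.write(b"/lib/libhide.so\n")
        os.remove(os.path.join(etc, "hostname"))

        report = compare(baseline, build_database(policy))
        rel = lambda p: os.path.relpath(p, etc)
        return {"added": [rel(p) for p in report["added"]],
                "removed": [rel(p) for p in report["removed"]],
                "changed": {rel(p): k for p, k in report["changed"].items()}}


if __name__ == "__main__":
    print(demo())
```

The report names the letters that differ, so a size-only change on a file marked as growing can be told apart from a content change, which is the information the "l" mask letter exists to express. The example uses three properties the appended passwd line alters (size and both digests) and leaves the modification time out of the mask so the result does not depend on timestamp resolution.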

10
How can we keep the HIDS safe?
  • If the HIDS's own integrity is compromised it ceases to be useful: an
    attacker who can rewrite the baseline or the checker simply signs off
    on their own changes
  • A HIDS should go to great lengths to prevent tampering with itself
    (Tripwire signs its database and policy with keys whose passphrases
    are not stored on the host)
  • Store the database and policy off the host, or on read-only media,
    and run the comparison from a trusted environment
  • Security vs. access trade-off: the harder the baseline is for an
    attacker to reach, the harder it is for the administrator to update
  • Caveat: a kernel-level rootkit can lie to the checker about what a
    file contains, so a check that passes on a live, compromised kernel
    proves less than one run from clean boot media

11
Network Intrusion Detection
12
Three Major IDS Issues
  • Incomplete Network Behavior Analysis
  • Unidentified End-System Protocol Implementation
  • Unidentified Network Topology

13
Incomplete Network Behavior Analysis
  • The NIDS lacks a complete model of the behavior a particular protocol
    allows.
  • End-systems are required to perform IP fragment reassembly; many NIDS
    do not, or reassemble differently.
  • An attack split across fragmented IP datagrams, especially overlapping
    ones, is then invisible to the NIDS but intact at the victim.

14
Unidentified End-System Protocol Implementation
  • The NIDS is unable to determine how the victim will treat a given
    sequence of packets.
  • Internet protocol specifications do not specify complete behavior
    (which copy wins when fragments or TCP segments overlap, for instance).
  • Operating systems and applications implement different protocol
    subsets and resolve the ambiguities differently.

15
Unidentified Network Topology
  • The NIDS is unable to determine whether a given packet will ever be
    seen by the end-system.
  • TTL attacks exploit this: the attacker sends some packets with a TTL
    just high enough to reach the NIDS but not the victim. The NIDS
    reassembles a stream that includes them, the victim never sees them,
    and the two disagree about what was sent.

16
Traffic Normalization
  • Helps alleviate network traffic ambiguities.
  • Rewrites traffic entering the network into one canonical form so the
    IDS and the end-systems interpret it the same way: reassembling
    fragments, discarding packets whose TTL cannot reach their
    destination, clearing fields the protocol leaves undefined.
  • Sits inline like a firewall, but modifies traffic rather than only
    monitoring it.

17
Traffic Normalization
  • A normalizer is a "bump in the wire"; the same box performing
    normalization can also perform firewall functionality.

18
Normalization Trade-Offs
  • Preservation of end-to-end semantics
  • Impact on end-to-end performance
  • Security transference

19
Stateholding
  • Normalizers hold state to analyze traffic.
  • Stateholding attacks use attacker traffic to force a normalizer to
    hold more state than it comfortably can:
  • holding IP fragments for reassembly
  • tracking unacknowledged TCP segments
  • The defense is to bound the state held per flow and per source and to
    decide in advance what gets dropped when the bound is hit, accepting
    that some legitimate traffic may suffer during an attack.
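Slides 13 through 19 in working form, as an added Python example that is not from the presentation or from any real NIDS or normalizer. Packets are modelled as tuples and no sockets are used; the fragments, segments, the phf signature and the hop count are all constructed for the demonstration.

```python
"""Added example: overlapping-fragment and low-TTL evasions of a NIDS, and
a normalizer that removes both ambiguities before the packets reach the
victim.  Nothing here touches the network."""

SIGNATURE = b"GET /cgi-bin/phf"     # pattern the NIDS alerts on


def reassemble(frags, policy):
    """frags: list of (offset, payload) in arrival order.
    policy 'first': where fragments overlap, bytes already received win.
    policy 'last' : later fragments overwrite earlier ones.
    Real IP stacks disagree on exactly this, and the NIDS cannot know
    which rule the victim applies (slide 14)."""
    buf = bytearray()
    filled = set()
    for off, data in frags:
        if len(buf) < off + len(data):
            buf.extend(b"\0" * (off + len(data) - len(buf)))
        for i, byte in enumerate(data):
            if policy == "last" or (off + i) not in filled:
                buf[off + i] = byte
                filled.add(off + i)
    return bytes(buf)


# Constructed attacker fragments: bytes 13..15 are sent twice with
# different contents ("phf" first, then "abc").
OVERLAP_FRAGS = [(0, b"GET /cgi-bin/"), (13, b"phf"), (13, b"abc"),
                 (16, b" HTTP/1.0\r\n")]


def fragment_evasion():
    """(nids_alerts, victim_hit) when the NIDS assumes the 'last' rule but
    the victim's stack applies 'first' (slide 13)."""
    seen_by_nids = reassemble(OVERLAP_FRAGS, "last")
    seen_by_victim = reassemble(OVERLAP_FRAGS, "first")
    return SIGNATURE in seen_by_nids, SIGNATURE in seen_by_victim


def normalize_fragments(frags, max_pending=64):
    """Normalizer (slides 16-17): reassemble once with one fixed rule and
    forward a single unfragmented datagram, so the victim's own overlap
    rule never comes into play and NIDS and victim see the same bytes.
    max_pending bounds the state a fragment flood can make us hold
    (slide 19); over the bound the datagram is dropped, not buffered."""
    if len(frags) > max_pending:
        return None
    return reassemble(frags, "first")


# --- TTL evasion (slide 15) -------------------------------------------
# Segments: (seq, payload, ttl_as_seen_at_nids).  HOPS is the number of
# routers between the NIDS tap and the victim; each decrements the TTL,
# so a segment reaches the victim only if ttl > HOPS.
HOPS = 3
TTL_SEGMENTS = [(0, b"GET /cgi-bin/", 64),
                (13, b"abc", 2),      # chaff: expires before the victim
                (13, b"phf", 64),
                (16, b" HTTP/1.0\r\n", 64)]


def stream(segments):
    """TCP-style reassembly for this demo: segments are contiguous and the
    first copy of a sequence number wins."""
    chosen = {}
    for seq, data, _ttl in segments:
        chosen.setdefault(seq, data)
    return b"".join(chosen[s] for s in sorted(chosen))


def ttl_evasion():
    """(nids_alerts, victim_hit): the NIDS keeps the chaff copy of seq 13,
    the victim never receives it."""
    nids_view = stream(TTL_SEGMENTS)
    victim_view = stream([s for s in TTL_SEGMENTS if s[2] > HOPS])
    return SIGNATURE in nids_view, SIGNATURE in victim_view


def normalize_ttl(segments, hops=HOPS):
    """Normalizer with known topology: drop what cannot reach the victim,
    so the NIDS behind it no longer sees packets the victim will not."""
    return [s for s in segments if s[2] > hops]


if __name__ == "__main__":
    print("fragments (nids_alerts, victim_hit):", fragment_evasion())
    print("after normalizer:", normalize_fragments(OVERLAP_FRAGS))
    print("ttl (nids_alerts, victim_hit):", ttl_evasion())
    print("after normalizer:", stream(normalize_ttl(TTL_SEGMENTS)))
```

In both evasions the NIDS sees a benign request and the victim executes the malicious one. The normalizer does not need to know the victim's reassembly rule, only to make sure there is nothing left to reassemble; for the TTL case it does need the hop count to the protected hosts, which is the "known topology" the normalizer has and a passive NIDS does not.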

20
NIDS Solutions
  • Clear industry leader Sourcefire
  • 3D Approach - Discover, Determine, Defend.
  • Flagship open-source product Snort

21
Snort
  • In 1998 Martin Roesch, Sourcefire founder and CTO, wrote the first
    version of Snort.
  • Lightweight design, intended as an alternative to heavyweight
    commercial systems.
  • Described by Sourcefire as the most widely deployed intrusion
    detection and prevention technology worldwide.

22
Snort
  • Rule-driven language which combines signature-, protocol- and
    anomaly-based inspection methods.
  • Being open source lets organizations tailor Snort to their own
    protocols and applications.
  • Online community and training available.

23
Conclusion
  • NIDS are complicated, and their rule sets end up specific to each
    organization's network.
  • NIDS are a growing field with clear business demand and importance.
  • Questions?

24
Network Vulnerability Assessment
  • The act of carefully examining a network with the intent of
    identifying components that are susceptible to attack.
  • This lets us identify insecure features of the network so that we can
    evaluate the risk associated with these vulnerabilities.

25
What is Nessus?
  • The world's most popular vulnerability scanner
  • A tool used by over 75,000 organizations worldwide
  • Development began in 1998 by Renaud Deraison
  • The goal was to create a free, powerful, up-to-date, easy-to-use
    remote security scanner

26
Nessus (cont'd)
  • There are two pieces to the Nessus software
  • The server (or daemon), nessusd, a Unix/Linux-only tool
  • The client, nessus, a multi-platform tool used to manipulate and
    control the server

27
Nessus (cont'd)
  • Three steps to using Nessus
  • Port scan: determines which ports are open
  • Vulnerability checks: runs the plugins that apply to each open port
    (service and version detection and, where a plugin does so, an actual
    exploit attempt)
  • Reporting: reports results in various formats or saves them in the
    knowledge base

28
Nessus (cont'd)
  • Attacks are scripted in the NASL language
  • The snippet below, from a TFTP plugin, builds a TFTP read request and
    sends it in one hand-forged UDP packet. With huge set, the filename is
    an oversized string to test the server's request parser; otherwise it
    is a random name that should not exist, so any reply (normally a TFTP
    ERROR packet) shows that a TFTP server is listening

    # opcode 0x0001 = RRQ, then filename, NUL, transfer mode, NUL (RFC 1350)
    if (huge) req = '\x00\x01' + crap(huge) + '\0netascii\0';
    else      req = '\x00\x01Nessus' + rand() + '\0netascii\0';

    # random unprivileged source port, so the reply can be matched by the
    # capture filter below
    sport = rand() % 64512 + 1024;

    ip = forge_ip_packet(ip_hl: 5, ip_v: 4, ip_tos: 0, ip_len: 20, ip_off: 0,
                         ip_ttl: 64, ip_p: IPPROTO_UDP, ip_src: this_host());
    u  = forge_udp_packet(ip: ip, uh_sport: sport, uh_dport: port,
                          uh_ulen: 8 + strlen(req), data: req);

    # BPF filter for the reply: udp[8] is the first payload byte, and every
    # TFTP opcode has a zero high byte
    filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() +
             ' and udp[8:1]=0x00';

    # send and capture whatever matches the filter within the timeout
    r = send_packet(u, pcap_active: TRUE, pcap_filter: filter, pcap_timeout: 5);
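The request the NASL snippet builds, and the reply classification its capture filter implies, as an added Python example. This is not Nessus or NASL code; the reply bytes below are constructed for the demonstration, not captured from a server.

```python
"""Added example (not Nessus/NASL code): build the TFTP read request the
plugin sends and classify a UDP reply offline.  RFC 1350 opcodes:
1 RRQ, 2 WRQ, 3 DATA, 4 ACK, 5 ERROR."""
import os
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def build_rrq(filename, mode="netascii"):
    """RRQ = opcode 0x0001, filename, NUL, mode, NUL (all ASCII)."""
    if isinstance(filename, str):
        filename = filename.encode("ascii")
    return b"\x00\x01" + filename + b"\x00" + mode.encode("ascii") + b"\x00"


def probe_request(huge=0):
    """Mirrors the plugin's two cases: an oversized filename to exercise the
    server's request parser, or a random, almost certainly absent filename
    to test liveness."""
    if huge:
        return build_rrq(b"A" * huge)
    return build_rrq(b"Nessus" + os.urandom(4).hex().encode("ascii"))


def parse_reply(data):
    """Classify a TFTP reply.  Returns {'opcode': ...} plus 'code' and 'msg'
    for ERROR, or 'block' and 'length' for DATA.  Malformed input -> None.
    The first byte is 0x00 for every valid opcode, which is all the
    plugin's BPF filter (udp[8:1]=0x00) checks; this does the rest."""
    if len(data) < 4:
        return None
    (op,) = struct.unpack("!H", data[:2])
    name = OPCODES.get(op)
    if name is None:
        return None
    if name == "ERROR":
        (code,) = struct.unpack("!H", data[2:4])
        msg = data[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"opcode": name, "code": code, "msg": msg}
    if name == "DATA":
        (block,) = struct.unpack("!H", data[2:4])
        return {"opcode": name, "block": block, "length": len(data) - 4}
    return {"opcode": name}


def tftp_alive(reply):
    """A well-formed ERROR or DATA reply to an RRQ proves a TFTP server
    answered.  A silent port proves nothing: UDP filtering, rate limiting
    and a dead service all look the same from the scanner."""
    parsed = parse_reply(reply)
    return parsed is not None and parsed["opcode"] in ("ERROR", "DATA")


# Constructed replies (not captured traffic)
ERROR_REPLY = b"\x00\x05\x00\x01File not found\x00"
DATA_REPLY = b"\x00\x03\x00\x01" + b"root:x:0:0:root:/root:/bin/sh\n"

if __name__ == "__main__":
    print(probe_request())
    print(len(probe_request(huge=2000)), "byte oversized request")
    print(parse_reply(ERROR_REPLY), tftp_alive(ERROR_REPLY))
    print(parse_reply(DATA_REPLY), tftp_alive(DATA_REPLY))
```

A DATA reply to a random filename would mean the server hands out any file it is asked for, which is a finding in itself, and is the reason the plugin's filter accepts any TFTP opcode rather than only ERROR.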

29
Nessus (cont'd)
  • Additionally, Nessus can be instructed to go beyond testing and
    perform attacks such as dictionary and brute-force password attacks
  • Safe checks can be turned off, allowing Nessus to attempt to crash
    machines as a form of resilience testing; the checks that are
    disabled by default are the ones known to take services down

30
Nessus (cont'd)
  • Prior to 2005, Nessus was an open-source tool
  • In 2005, the license was changed to a non-open-source license, but
    Nessus 3 remains free of charge
  • Nessus 2 remains under the GPL license, and some developers have
    started independent projects based on it (OpenVAS, Porz-Wahn)

31
Nessus (cont'd)
  • How the licensing works
  • The server (daemon) and clients are still free to download and use
  • Up-to-date vulnerability checks are available immediately to Nessus
    subscribers, and to the public (freely) after 7 days

32
Nessus (cont'd)
  • Future innovations
  • In the past, the Nessus server (nessusd) has only been available for
    Unix/Linux machines
  • Starting this year, Tenable Network Security is working on a Nessus
    server for Windows 2000/XP