Intrusion Detection - The Big Picture

Document information

Title: Intrusion Detection - The Big Picture
Author: Stephen Northcutt
Editor: J. Kolde
Institution: SANS Institute
Field: Cybersecurity
Type: essay (course slides with notes)
Year of publication: 2000
City: Not applicable
Pages: 35
Size: 532.79 KB

Contents


Page 2

Intrusion Detection - The Big Picture - SANS GIAC © 2000 2

Pagers and Cell Phones

The high rate of slide delivery means that distractions will cause your fellow students to miss material. If you are a “high interrupt” person, please consider moving to the back of the room or disabling your pagers and phones. Questions are fine anytime.

In this course we’ll be covering the following types of security tools and countermeasures:

• firewalls

• host-based intrusion detection

• network-based intrusion detection

• vulnerability scanners

• honeypots

We’ll also touch on incident response and discuss less technical issues of information security, such as risk assessment and how to justify these tools to management.

Page 3

Frequently Referred to URLs

• SANS

– www.sans.org

• NSWC CD2S web page

– www.nswc.navy.mil/ISSEC

– click on forms to get the knowledge-based

risk assessment forms for WinNT, Unix, Win95, Mac 8.X, etc.

The SANS website is home to GIAC, the Global Incident Analysis Center, and to the SANS training materials, with courses like this one available online.

Page 4

SHADOW and CIDER are free intrusion detection system projects.

The Coast archive is Gene Spafford’s security tool archive.

SecurityFocus is home of the Bugtraq mailing list, and has a good vulnerability database and tool archive.

Snort is currently the most popular free network intrusion detection system, “as seen on GIAC”.

Page 5

Fred Cohen’s DTK (Deception Toolkit) is an excellent tool kit for building honeypots.

CIDF is the Common Intrusion Detection Framework, a standards initiative by the IETF’s Intrusion Detection working group, designed to improve IDS interoperability.

Tripwire is the de facto standard in file and registry integrity checking.

SPI does integrity checks for US government systems.

Page 6

Even More URLs

SAINT and NESSUS are general vulnerability scanners. Nmap does stealthy port scanning, OS identification and too many other functions to list. CIS is a vulnerability scanner for improving the security of Windows NT machines. They were all free last time we looked. (Editor’s note: nmap was ported to Windows NT in July 2000 by eEye Digital Security. The Windows version can be downloaded from http://www.eeye.com – JEK)

Phonesweep is a ‘wardialer’ or modem-finding tool.

Page 7

URLs URLs URLs

• NukeNabber (from Puppet’s Place)

– www.dynamsol.com/puppet/

• Legion (detect unprotected shares)

– Rhino9 has disbanded; you will need to do

a net search.

NOTE: Appendix A has a glossary

NukeNabber can be considered a personal host intrusion detector for stand-alone PCs, which will notify you of attempted connections to user-defined ports.

Legion can be quite hard to find. Most other vulnerability scanners also now look for unprotected shares.

In the back of your materials are additional references. (Editor’s note: for students taking this course online, the Glossary is included as a separate download file – JEK)

Page 8

Goal of This Course

To understand how the primary components of intrusion detection capability (such as vulnerability assessments, firewalls, network- and host-based IDS systems) work together to provide information assurance.

Page 9

GIAC Tracks

• Information Security KickStart

• Security Essentials Certification

• Firewalls and Perimeter Protection

• Intrusion Detection In-Depth

• Advanced Incident Handling and Hacker Exploits

• Windows NT and Windows 2000 Security

• Unix Security

• Systems and Network Auditing

Clearly, there will be some repetition between the classes. These classes have been designed to be very high content. There is more material than people can normally absorb in a single sitting; when we repeat, this is done to help the student learn as much of the total material as possible.

Page 10

Introduction

• Introductory Example - Mitnick Attack

• Is There a Business Case for Intrusion Detection?

• What We Will Cover in This Course

Let’s get started then. In our introductory section, we are first going to show you a real attack, so we can see the type of things an attacker does in the real world, and we’ll discuss how the security components of this course could have detected or prevented it.

We’ll then take a step back and put our business hats on when we examine the question of a business case for intrusion detection. Because the fact is, this stuff costs money, and even with free tools it takes up valuable time. So we’ll see how to decide on its worth to your organization.

Finally, we’ll look at how we are going to divide up the rest of the course.

Page 11

What better introduction to Intrusion Detection than the Mitnick Attack?

We start by examining the intrusion by possibly the world’s most infamous computer criminal, Kevin Mitnick, on the system of Tsutomu Shimomura. This system compromise and the subsequent successful pursuit of Mitnick have been described in several books and elsewhere, but the technical details described here come from Shimomura’s original posting on the comp.security.misc newsgroup, 25 Jan 1995.

The obvious first question is why we are bothering with an attack which is over 5 years old, when several new attacks are discovered every week.

First, because it uses well-known techniques like SYN flooding and IP spoofing to accomplish trust hijacking. The second, more disturbing point is that little has changed since late 1994. These attacks still work on many systems and so are still common attacks today.

Page 12

Two Systems, Trust Relationship

(Slide diagram callouts: “A trusts B”; “A is talking to B”.)

A trust relationship existed between two machines, both administered by the good guy. (One was an office machine, the other a home machine.) Administrators often set up these sorts of relationships, usually as a convenience.

In this particular example, the systems are Unix and the trust relationship is the use of “r” utilities. But similar trust relationships exist in other systems (for example, Windows “shares”). The attacker is going to pretend to be one side of the trust relationship, using a technique called IP spoofing to appear to be computer B, and then take advantage of the trust relationship.

Page 13

Enter the Badguy(tm)

(Slide diagram callouts: “Attacker”; “Attacker probes to determine...”.)

The attack started when the attacker detected a trust relationship was in place between two systems of interest. The trust relationship in particular was that A allows B to make rsh (remote shell) connections, providing a remote shell service.

The badguy™ uses finger, showmount, rpcinfo, and so forth to ferret out the trust relationship. It should be noted there is often a recon phase for complex attacks.

If these recon probes can be detected, they can provide a valuable early-warning function.

Page 14

Set Up the Attack

(Slide diagram callouts: “SYN Attack to B renders B unable to reply to A”; “Attacker predicts the sequence number A will expect”; “IP Spoof”; “A trusts B”; “A is talking to B”.)

After the recon phase, the initial attack occurs.

He first gags B with a flood of SYN packets, a technique that involves bombarding B with TCP connection requests until B is too busy to respond to anyone. (A SYN packet is the first part of TCP’s three-part handshake for connection establishment, which goes SYN, SYN/ACK, ACK.)

Next, he sends a connection request (SYN) to A, spoofing the source address so the packet is apparently from B. Since A allows connections from B, it will reply with a SYN/ACK packet that gives an initial sequence number for the connection. This reply goes to B, which would usually deny having sent the original request and close the connection with a RST packet, but because it’s been gagged, it can’t reply.

Since the attacker hasn’t seen the reply, he must predict the sequence number if he is to continue the connection. Sequence number prediction code has been widely available on the Internet for a number of years.
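The sequence just described, as an added example that is not part of the original course notes or of Shimomura’s posting: a small Python model of hosts A and B in which A’s initial sequence number (ISN) generator adds the same constant for every new connection, which is what makes blind prediction possible. The addresses, the backlog size, the increment of 128000, and the exact rsh command string are illustrative assumptions. The model runs the hijack against a predictable and a random ISN generator, and with B gagged or not, so you can see which ingredients the attack actually depends on.

```python
"""Model of the trust hijack: gag B with SYNs, spoof B's address to A, predict
A's ISN, and finish the handshake blind.  Added example; not from the SANS
course or Shimomura's posting.  BACKLOG, ISN_STEP and the addresses are
illustrative assumptions."""

import random
from dataclasses import dataclass, field

A_ADDR, B_ADDR, ATTACKER_ADDR = "10.0.0.1", "10.0.0.2", "203.0.113.9"
BACKLOG = 8          # assumed size of B's half-open connection queue
ISN_STEP = 128000    # assumed per-connection ISN increment on A


@dataclass
class Packet:
    src: str
    dst: str
    flags: str           # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    payload: str = ""


class PredictableISN:
    """Old-style generator: the same constant is added for every connection."""
    def __init__(self, start=100000, step=ISN_STEP):
        self.value, self.step = start, step

    def next(self):
        self.value = (self.value + self.step) % 2**32
        return self.value


class RandomISN:
    """Modern generator: every ISN is an independent random value."""
    def __init__(self, seed=1):
        self.rng = random.Random(seed)

    def next(self):
        return self.rng.getrandbits(32)


@dataclass
class Host:
    addr: str
    isn: object
    trusted: set = field(default_factory=set)      # peers whose rsh commands run
    half_open: dict = field(default_factory=dict)  # peer -> ISN we sent in SYN/ACK
    established: set = field(default_factory=set)
    rhosts: list = field(default_factory=list)

    def receive(self, pkt):
        """Handle one packet and return the reply (or None).  The reply goes to
        pkt.src, i.e. to whoever the packet CLAIMS to be from: that is the spoof."""
        if pkt.flags == "SYN":
            if len(self.half_open) >= BACKLOG:
                return None                                  # queue full: gagged
            isn = self.isn.next()
            self.half_open[pkt.src] = isn
            return Packet(self.addr, pkt.src, "SYN/ACK", seq=isn, ack=pkt.seq + 1)
        if pkt.flags == "SYN/ACK":
            if len(self.half_open) >= BACKLOG:
                return None                                  # gagged: cannot warn A
            return Packet(self.addr, pkt.src, "RST", seq=pkt.ack)  # "I never sent that"
        if pkt.flags == "RST":
            self.half_open.pop(pkt.src, None)                # peer objected: tear down
            return None
        # ACK: completes a half-open connection only with the right number.
        if pkt.src in self.half_open and pkt.ack == self.half_open.pop(pkt.src) + 1:
            self.established.add(pkt.src)
        if (pkt.src in self.established and pkt.src in self.trusted
                and pkt.payload.startswith("echo + + >> /.rhosts")):
            self.rhosts.append("+ +")                         # rshd runs the command
        return None


def hijack(a_isn, gag_b=True):
    """Run the attack against A; return True if '+ +' ended up in A's /.rhosts."""
    a = Host(A_ADDR, a_isn, trusted={B_ADDR})
    b = Host(B_ADDR, PredictableISN(start=5000))

    # 1. Recon: two ordinary connections from the attacker's own address sample
    #    A's ISN sequence (the rsh trust check only happens after the handshake).
    samples = []
    for i in range(2):
        samples.append(a.receive(Packet(ATTACKER_ADDR, A_ADDR, "SYN", seq=10 + i)).seq)
        a.receive(Packet(ATTACKER_ADDR, A_ADDR, "RST"))         # tidy up the probe
    predicted = (samples[1] + (samples[1] - samples[0])) % 2**32

    # 2. Gag B: SYNs from unreachable addresses fill its queue and never drain.
    if gag_b:
        for i in range(BACKLOG):
            b.receive(Packet(f"192.0.2.{100 + i}", B_ADDR, "SYN", seq=i))

    # 3. SYN to A with B's source address; A's SYN/ACK goes to B, not the attacker.
    syn_ack = a.receive(Packet(B_ADDR, A_ADDR, "SYN", seq=1000))
    rst = b.receive(syn_ack)                                     # None while B is gagged
    if rst is not None:
        a.receive(rst)                                           # B refutes the connection

    # 4. Blind ACK with the predicted number, then the rsh command, still "from" B.
    a.receive(Packet(B_ADDR, A_ADDR, "ACK", seq=1001, ack=predicted + 1))
    a.receive(Packet(B_ADDR, A_ADDR, "ACK", seq=1001, payload="echo + + >> /.rhosts"))
    return "+ +" in a.rhosts


if __name__ == "__main__":
    print("predictable ISN, B gagged :", hijack(PredictableISN()))
    print("predictable ISN, B awake  :", hijack(PredictableISN(), gag_b=False))
    print("random ISN, B gagged      :", hijack(RandomISN()))
```

Only the first run succeeds: with B awake its RST tears the half-open connection down before the blind ACK arrives, and with a random ISN the attacker’s prediction is wrong, so A never moves the spoofed connection to the established state.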

Page 15

Make ‘A’ Defenseless

(Slide diagram callout fragment: “... to warn A”.)

Having guessed the next sequence number, and assuming A has sent the SYN/ACK back to B, the attacker completes the connection establishment by sending a final ACK, still with B’s source address.

Now the attacker has a connection to A that A believes is from its trusted friend B. That trust is exploited to gain further access.

To maintain the hijacked connection and continue successfully masquerading as B, the attacker must keep B gagged, since every reply from A goes back to B, not the attacker, and B would refute the connection if it could.

Page 16

Finish the Job

Now, the attacker goes in for the kill to crack open A’s security. He sends an rsh command to add the string “+ +” to the file “/.rhosts”.

This string is a wild-card which says “trust as root all users on all systems”.

Once /.rhosts has been modified the attacker can stop the masquerade, stop gagging B, and simply log in directly as root.

Game over.

Fortunately, Shimomura noticed the attack. Would you notice a similar one on your system?

Page 17

What Common Tools Could Have Prevented The Attack?

“An ounce of prevention is worth a pound of cure.” This statement was probably coined by an ancient incident handler.

Of the 3 parts of the security cycle “Prevention-Detection-Response”, prevention can be the most cost-effective.

Page 18

Network Vulnerability Scanner

Vulnerability scanners can probe a network or host to identify problems that, if fixed, can prevent an attack from succeeding.

The fact that A trusts B isn’t a vulnerability in itself, but may be a violation of your organization’s

Page 19

Firewalls

Many attack attempts fail to penetrate well-configured firewalls, especially if they have a “deny everything not specifically allowed” policy.

(Slide diagram callouts: “Cat “+ +” > /rhosts”; “Violation, the “R” Protocols are not allowed”.)

Firewalls or filtering routers can be configured not to let “risky” services pass into the protected network. This is normally done by blocking access to the ports used by those services.

Most firewall administrators would call letting inbound connections to the “r” services through a firewall very risky indeed. There are more secure replacements available for these services, like SSH for remote shells.

Many firewalls would also stop the spoofed packets from the attacker, correctly noticing that packets from machine B shouldn’t be originating from outside the firewall (assuming both A and B were inside the firewall). Similarly, responsible egress filtering on the part of the attacker’s organization or ISP would also have blocked the spoofed packets.

The firewall wouldn’t have protected from the attack if B had been outside the firewall, and hence connections pretending to be from B would have been allowed through.
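A filter policy in the spirit of this slide, as an added Python example that is not from the course or from any firewall product: anti-spoofing on both interfaces, the “r” services blocked inbound, and a default deny, evaluated against constructed packets modelled on the attack. The networks, the port numbers, the interface names and the SSH exception are assumptions. The last case in the block is the caveat from the final paragraph: once B is outside the firewall and trusted, a packet forging B’s address is indistinguishable from B.

```python
"""Packet-filter policy: deny everything not specifically allowed, block the
"r" services inbound, refuse spoofed sources on both interfaces.  Added
example; not from the SANS course or any firewall product.  Networks, ports
and the SSH exception are illustrative assumptions."""

import ipaddress
from dataclasses import dataclass

PROTECTED_NET = "10.0.0.0/24"                                 # assumed network behind the firewall
R_SERVICE_PORTS = {512: "exec", 513: "login", 514: "shell"}  # BSD r-service ports
ALLOWED_INBOUND = {22: "ssh"}                                 # the only inbound exception


@dataclass(frozen=True)
class Pkt:
    iface: str     # interface the packet ARRIVED on: "outside" or "inside"
    src: str
    dst: str
    dport: int


def decide(pkt, inside=PROTECTED_NET, trusted_external=frozenset()):
    """Return (verdict, reason) for one packet.

    inside is the address range living on the "inside" interface;
    trusted_external lists hosts outside the firewall that may use the
    r-services (the "B is outside the firewall" case).  Default: none.
    """
    inside_net = ipaddress.ip_network(inside)
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing comes first.  An inside address arriving from outside is
    # forged by definition...
    if pkt.iface == "outside" and src in inside_net:
        return "DROP", "ingress anti-spoof: inside address arrived on outside interface"
    # ...and nothing but inside addresses may leave.  This is the egress filter
    # the attacker's own organisation or ISP should have applied.
    if pkt.iface == "inside" and src not in inside_net:
        return "DROP", "egress filter: foreign source address leaving the network"
    if pkt.iface == "inside":
        return "ACCEPT", "outbound from an inside host"
    # Inbound service policy, deny by default.
    if pkt.dport in R_SERVICE_PORTS:
        if pkt.src in trusted_external:
            return "ACCEPT", f"inbound {R_SERVICE_PORTS[pkt.dport]} from trusted external host"
        return "DROP", f"inbound r-service ({R_SERVICE_PORTS[pkt.dport]}) is not allowed"
    if pkt.dport in ALLOWED_INBOUND:
        return "ACCEPT", f"inbound {ALLOWED_INBOUND[pkt.dport]} is explicitly allowed"
    return "DROP", "default deny"


# Constructed traffic modelled on the attack: A = 10.0.0.1 and B = 10.0.0.2
# inside, the attacker at 203.0.113.9.
SAMPLE = {
    "syn_spoofed_as_B":    Pkt("outside", "10.0.0.2", "10.0.0.1", 514),
    "rsh_from_attacker":   Pkt("outside", "203.0.113.9", "10.0.0.1", 514),
    "ssh_inbound":         Pkt("outside", "198.51.100.5", "10.0.0.1", 22),
    "web_outbound":        Pkt("inside", "10.0.0.1", "198.51.100.5", 80),
    "unsolicited_inbound": Pkt("outside", "198.51.100.5", "10.0.0.1", 8080),
}


def evaluate(packets=SAMPLE, **policy):
    """Apply the policy to every packet; return {name: verdict}."""
    return {name: decide(pkt, **policy)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:22s} {verdict}")
    # Egress filter at the attacker's ISP: B's address is foreign there too.
    leaving = Pkt("inside", "10.0.0.2", "10.0.0.1", 514)
    print("egress at attacker ISP:", decide(leaving, inside="203.0.113.0/24"))
    # The caveat: B outside the firewall and trusted, so the forged source passes.
    b_outside = Pkt("outside", "198.51.100.7", "10.0.0.1", 514)
    print("B outside, trusted    :", decide(b_outside, trusted_external={"198.51.100.7"}))
```

Rule order matters: the anti-spoofing tests run before any service rule, so a forged inside address is dropped even on a port that is otherwise open.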

Page 20

What Intrusion Detection Techniques Could Have Detected The Attack?

Detecting the attack is one thing. Most intrusion detection systems would also have detected the recon probes before the attacker went in for the kill. Early warning is much better than real-time or after-the-fact notification of system compromise.

(The problem is, a recon probe is often hard to distinguish from a legitimate query. The bad guys’ recon techniques are becoming stealthier, which is both good and bad. Harder to spot, but if you can spot it, it’s easier to recognize as hostile, since legitimate users don’t sneak about.)

Page 21

The intrusion detection system knows that “+ +” and rhosts together do not bode well and raises an alarm.

But a simple pattern-matching system could miss the attack if the string crossed packet or fragment boundaries, or was padded with characters the shell would ignore, e.g. “./rg^Hhosts”.
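The two evasions on this slide, a signature split across packet boundaries and padding with a terminal erase character, run against a per-packet matcher and against a matcher that reassembles the stream and normalises it first. This is an added example, not from the course or from any IDS product; the packets, the signature (“+ +” and “rhosts” in the same data) and the backspace-erase normalisation are constructed for illustration.

```python
"""Per-packet signature matching versus stream reassembly plus normalisation.
Added example; not from the SANS course or any IDS.  The packets below are
constructed, and the signature is a deliberately simple one."""

import re

# Constructed traffic: (stream id, payload) in arrival order.
SAMPLE_PACKETS = [
    ("s1", b"echo + + >> /.rhosts\n"),                # blatant, all in one packet
    ("s2", b"echo + + >> /.rh"), ("s2", b"osts\n"),   # split across two packets
    ("s3", b"echo + + >> ./rg\x08hosts\n"),           # 'g' then backspace (^H)
    ("s4", b"cat /etc/hosts\n"),                      # benign
]

WILDCARD = re.compile(rb"\+\s+\+")   # the "+ +" trust-everyone wild-card
RHOSTS = re.compile(rb"rhosts")


def matches(data):
    """The slide's rule: '+ +' and rhosts together do not bode well."""
    return bool(WILDCARD.search(data) and RHOSTS.search(data))


def naive_detect(packets):
    """Match each packet on its own: no reassembly, no normalisation."""
    return {sid for sid, payload in packets if matches(payload)}


def normalise(data):
    """Apply the edits a terminal would: a backspace erases the preceding byte."""
    out = bytearray()
    for byte in data:
        if byte == 0x08:
            if out:
                out.pop()
        else:
            out.append(byte)
    return bytes(out)


def reassembled_detect(packets):
    """Reassemble each stream, normalise it, then match."""
    streams = {}
    for sid, payload in packets:
        streams[sid] = streams.get(sid, b"") + payload
    return {sid for sid, data in streams.items() if matches(normalise(data))}


if __name__ == "__main__":
    print("naive       :", sorted(naive_detect(SAMPLE_PACKETS)))
    print("reassembled :", sorted(reassembled_detect(SAMPLE_PACKETS)))
```

The per-packet matcher only sees the blatant stream s1; s2 never has both halves of the signature in one packet, and in s3 the bytes “rg\x08hosts” never spell “rhosts” until the backspace is applied.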

Page 22

(Slide diagram: host A raising “/.rhosts has changed”, “critical file *ALERT*”.)

Host-based systems can detect that a critical file has been changed and raise an alarm; they may even be able to evaluate the risk, since host-based systems can have greater operating system and host-specific ‘inside’ knowledge.

Unfortunately, like network intrusion detection, a host-based intrusion detection system will only spot the attacks it has been programmed to recognize.
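A host-based check of the kind this slide describes, as an added example that is not from the course and is not Tripwire: it records a digest of each monitored file, reports any change, and uses knowledge of the .rhosts format to rate a change that introduces a “+” wild-card as critical. The monitored files are created in a temporary directory for the demonstration; the severity labels are assumptions.

```python
"""Integrity check with a little host-specific 'inside knowledge'.  Added
example; not from the SANS course and not Tripwire.  Files are created in a
temporary directory; '+' semantics are those of the .rhosts format."""

import hashlib
import os
import tempfile


def file_digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def take_baseline(paths):
    """Record a digest for every monitored file (None if it does not exist yet)."""
    return {p: (file_digest(p) if os.path.exists(p) else None) for p in paths}


def rhosts_risk(text):
    """Rate .rhosts contents.  A line is 'host [user]'; '+' in the host field
    trusts every host, '+' in the user field trusts every user on that host."""
    worst = "INFO"
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "+":
            return "CRITICAL"                  # any host ('+ +': any user too)
        if len(fields) > 1 and fields[1] == "+":
            worst = "HIGH"                     # any user from one named host
    return worst


def check(baseline):
    """Compare the current state with the baseline; return one alert per change."""
    alerts = []
    for path, old in baseline.items():
        new = file_digest(path) if os.path.exists(path) else None
        if new == old:
            continue
        change = "created" if old is None else "deleted" if new is None else "modified"
        severity = "ALERT"
        if new is not None and os.path.basename(path) == ".rhosts":
            with open(path, errors="replace") as fh:
                severity = rhosts_risk(fh.read())   # host-specific risk evaluation
        alerts.append({"path": os.path.basename(path), "change": change,
                       "severity": severity})
    return alerts


def demo():
    """Constructed scenario: baseline, then the attacker's 'echo + + >> /.rhosts'."""
    with tempfile.TemporaryDirectory() as root:
        rhosts = os.path.join(root, ".rhosts")
        passwd = os.path.join(root, "passwd")
        with open(rhosts, "w") as fh:
            fh.write("B\n")                      # the legitimate trust of host B
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0::/:/bin/sh\n")
        baseline = take_baseline([rhosts, passwd])
        assert check(baseline) == []             # quiet while nothing changes
        with open(rhosts, "a") as fh:
            fh.write("+ +\n")                    # the attack
        return check(baseline)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The digest comparison is what a generic integrity checker gives you; the `rhosts_risk` step is the ‘inside knowledge’ the slide refers to, and it is also the limitation: a file the checker was never told to watch, or a format it does not understand, produces at best a bare “changed” alert.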

Page 23

Mitnick Example - Lessons Learned

• We can remove the vulnerability by running scanners and fixing problems

• We can prevent such attacks as they occur with firewalls

• We can detect such attacks with both network-based and host-based intrusion detection systems

We have seen how this historical attack could have been prevented or detected while in progress by the various types of security tools discussed.

We also see that each of the types of tool could also have missed the attack. For example, the trust relationship could have only been set up yesterday, and hasn’t been spotted by the weekly vulnerability scan yet.

Machine B could be outside the firewall, or the intrusion detection systems not programmed to detect /.rhosts compromise.

By using different types of tools together, we greatly increase the chances of one of them preventing or detecting the attack.

Page 24

There is More to Intrusion Detection Than a Single Product!

Mitnick Attack: Bottom Line

Because this attack occurred so long ago, we can use it as a useful minimum benchmark for current security systems. If your system can’t detect a 5 year old blatant attack, how will it handle more recent, more subtle attacks? Many salespeople will tell you things like “that attack is purely theoretical, never happens in the real world, so our product doesn’t need to detect it” or “Our OS is immune to sequence number prediction, because it picks a random number between 0 and 16 to add to its initial sequence number”. Let the buyer beware.

If a vendor promises to sell you a silver bullet for intrusion detection, show them the door.

Page 25

Introduction

• Introductory Example - Mitnick Attack

• Is There a Business Case for Intrusion Detection?

• What We Will Cover in This Course

In the next section, we have a brief look at how we justify the cost of intrusion detection to management.

Many technical people tend to switch off at the first mention of business cases and cost benefit analysis. Don’t!

A well-thought-out plan that details and justifies the probable costs and shows the expected benefits will go a lot further than flashy demonstrations of cool tech, or FUD* attempts: “The hackers are coming, the hackers are coming!” (As many vendors have discovered to their cost.)

Your management might not agree with your figures, but they’ll be a lot happier to back your plan if you can show you’ve at least considered the business issues.

*FUD = Fear, Uncertainty, and Doubt

Posted: 04/11/2013, 12:15