Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001
Intrusion Detection The Big Picture – Part V
Stephen Northcutt
Intrusion Detection Roadmap - 3
What are the pieces and how they play together
• Vulnerability Scanners
• Response, automated and manual
– Manual Response
• Emergency Action Plan, 7 Deadly Sins
• Evidence preservation - Chain of Custody
• Threat Briefing - Know Your Enemy
– Ankle Biters
– Journeyman Hackers/ Espionage
– Cyberwar Scenario
In the next section, we are going to talk about vulnerability scanners and assessment tools, which are one of the best ways to rapidly assess your security. They are hard to break down into functional classifications the way we did with firewalls: proxies, packet filtering, and stateful inspection. Perhaps the most logical breakdown is commercial tools like ISS and NAI, and the free, source-code tools like nmap and Nessus. Another breakdown is system scanner tools that run as a program to inspect the operating system configuration, and network scanner tools that work across the network. There are also tools that scan telephone lines for active modems. For this course, we are focused on the network-based scanning tools and telephone scanners since they are the most applicable to intrusion detection.
So, in this section we will cover the following topics:
• What are they generally
• Saint
• Nessus
• ISS Real Secure
• Scanning for modems - Phone Sweep
• Red Teaming
• Scanner warning
Vulnerability Scanners
What are they generally
• Target: scanners must only scan systems you own
• Scan: “test for services”, multiple ports on multiple machines
– May have knowledge of vulnerabilities and test to see if the vulnerability is present
• Report: provide results in a clear, understandable fashion
The cardinal rule of scanning or vulnerability assessment is to be certain to only scan systems that you own and are authorized to scan. Otherwise, you will be setting off someone else’s intrusion detection capability, and that is hardly a good idea.
If you are shopping for a scanning toolset, it is reasonable to assume that any of the big three (ISS, NAI, Symantec) scan for the same number of vulnerabilities. They will all come up with false positives that have to be investigated manually. Before you plunk your money down, there are four things you really want to consider:
• How is the product licensed? Is this flexible enough for your planned growth? Can it be upgraded easily?
• How interoperable is the product? Is it fully Common Vulnerabilities and Exposures (CVE) compliant?
• Can you easily compare the results of a scan today with the results of one four weeks ago, or is this a manual process?
• Does your manager like the report output!
SARA (Security Auditor’s Research Assistant)
• Where to get it
– http://www-arc.com/sara/index.shtml
• What does it do?
– Vulnerability scanner, web-based interface, based on SATAN, community-donated modules
– Has some capability to determine probable trust relationships
SARA is a follow-on to SAINT, which was a follow-on to SATAN. It runs pretty well and is worth trying if you are in a Unix shop. Though it is pretty safe as scanners go, be sure to test it in a lab, or off-hours on a non-critical network, before unleashing it on your network. It is fairly lightweight compared to other products, but may be a great way to get started.
Nessus
• What does it do?
– Vulnerability scanner, more heavy-handed than SAINT in our experience
SARA was a free tool and so is Nessus. This tool is better in the hands of someone who is technically sophisticated. It is already a powerful scanner based on community-donated plug-ins. It was also the fastest scanner in the Top Ten scanner evaluations.
Nmap
Nmap is my personal favorite. It is the most commonly used scanning tool on planet Earth, bar none. It has a large number of scan modes and has a unique capability of operating system detection. Different operating systems have made divergent choices in building their network stacks, especially in areas that are not defined by RFC standards documents, or for fields that are reserved for the future. OS detection tools intentionally send packets that write into reserved fields or use illegal values in an effort to identify the operating system.
(Editor’s note: Nmap is available from: www.insecure.org – Unix version; www.eeye.com – Windows version – JEK)
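As an added illustration of the stack-divergence idea above (this is not code from the course or from Nmap, which fingerprints actively with crafted probes), the following Python matches the TTL, window size, DF bit and TCP option layout of observed SYN packets against a small signature table from the monitoring side. The signature table, the labels "constructed-os-A/B/C" and the sensor lines are constructed for illustration and are not a real fingerprint database.

```python
"""Passive OS fingerprinting from the TCP/IP choices a stack makes on a SYN.

Added example, not course or Nmap code. Initial TTL, window size, the DF bit
and the TCP option layout differ between stacks, so together they identify a
stack without any packet being sent. Signatures and sample lines are
constructed.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SynObservation:
    ttl: int                   # TTL as seen on the wire (decremented per hop)
    window: int                # advertised TCP window size
    df: bool                   # IP "don't fragment" flag
    options: Tuple[str, ...]   # TCP option kinds, in the order they appear


# Constructed signatures: initial TTL, window, DF, option layout -> label.
SIGNATURES = [
    {"label": "constructed-os-A", "ittl": 64, "window": 5840, "df": True,
     "options": ("mss", "sackok", "ts", "nop", "ws")},
    {"label": "constructed-os-B", "ittl": 128, "window": 65535, "df": True,
     "options": ("mss", "nop", "ws", "nop", "nop", "sackok")},
    {"label": "constructed-os-C", "ittl": 255, "window": 8760, "df": False,
     "options": ("mss",)},
]


def guess_initial_ttl(ttl: int) -> int:
    """Stacks start TTL at one of a few fixed values; the observed TTL is that
    value minus the hop count, so round up to the next common starting point."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    raise ValueError("TTL larger than 255 is not a valid IPv4 TTL")


def score(sig: dict, obs: SynObservation, ittl: int) -> int:
    """Initial TTL must agree; option layout is the strongest remaining clue,
    window size and DF each add one point."""
    if sig["ittl"] != ittl:
        return 0
    points = 2 if sig["options"] == obs.options else 0
    points += 1 if sig["window"] == obs.window else 0
    points += 1 if sig["df"] == obs.df else 0
    return points


def fingerprint(obs: SynObservation) -> Tuple[str, int]:
    """Return (label, estimated hop distance). Label is "unknown" unless a
    signature scores at least 3 of the 4 available points."""
    ittl = guess_initial_ttl(obs.ttl)
    hops = ittl - obs.ttl
    best_label, best_score = "unknown", 0
    for sig in SIGNATURES:
        s = score(sig, obs, ittl)
        if s > best_score:
            best_label, best_score = sig["label"], s
    return (best_label if best_score >= 3 else "unknown", hops)


def parse_line(line: str) -> SynObservation:
    """Parse a constructed sensor line: 'ttl=52 win=5840 df=1 opts=mss,sackok'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return SynObservation(
        ttl=int(fields["ttl"]),
        window=int(fields["win"]),
        df=fields["df"] == "1",
        options=tuple(fields["opts"].split(",")) if fields["opts"] else (),
    )


# Constructed sensor output, one SYN per line.
SAMPLE_LINES = [
    "ttl=52 win=5840 df=1 opts=mss,sackok,ts,nop,ws",
    "ttl=115 win=65535 df=1 opts=mss,nop,ws,nop,nop,sackok",
    "ttl=60 win=1234 df=0 opts=mss",
]


def fingerprint_lines(lines=SAMPLE_LINES):
    return [fingerprint(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for line, (label, hops) in zip(SAMPLE_LINES, fingerprint_lines()):
        print(f"{line:55s} -> {label} ({hops} hops away)")
```

The third sample line matches nothing well enough and is reported as unknown rather than guessed; the hop estimate still comes out, which is useful on its own when a detect needs to be placed inside or outside the perimeter.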
At this point we have briefly discussed three commercial tools and three freeware tools. If you run Unix tools (and all KickStart students are supposed to have access to Linux and Windows), the free tools, especially nmap, may be a great way for you to start. After all, in an organization of any size, you have plenty to find and fix before you need a top-of-the-line commercial scanner.
Now, let’s think about phone scanning for a minute. Ever get a phone call, pick up the phone, and no one was there? You might have been scanned.
Phone Scanning for Vulnerability Detection
• Response for successful intrusion detection is not clear.
– Defensive posture is difficult to maintain.
– Generally not criminal to call phone numbers.
• Intrusion detection may not be possible.
• Scanning works - attackers use it!
• Threat of scanning acts as a deterrent.
Special thanks to Simson Garfinkel and the folks at Sandstorm (www.sandstorm.net) for the permission to use the PhoneSweep slides.
Firewalls are not perfect, we said, but when they fail it is more likely that they fail because of what the folks on the inside do, as opposed to the firewall having a technical problem. We already talked about users bringing up services on ports that are expected to be open for other reasons. Various multimedia programs such as Napster and Gnutella make it easy to get files through a site’s defenses, and there are manuals on how to do this on the Internet. One other way that users can cause firewalls to fail is by hooking their system up to a modem.
Next Sunday, take a minute to do some research. Pull the color ads in your area for the consumer electronics stores such as Circuit City and the like. Check out the computers. What do they all have?
Well, what I notice about the ads (besides a price that is wrong by $400, because nobody in their right mind is going to sign a contract with Microsoft Networks or CompuServe) is that all the computers have modems.
Eventually, someone, somewhere is going to hook that modem up. Modems have a “dial on demand” mode, but they also have an auto-answer mode. This would be useful if you wanted to be able to access your computer at work from your computer at home to download files.
The screen shot you see is for ToneLoc, probably the most popular wardialer. It will scan a range of phone numbers looking for a modem on auto-answer. These systems can then be targeted.
Mitigating the War Dialer Threat
• Intrusion Detection Response:
– Monitor call logs at phone switch.
– Set up monitored modems on special phone numbers (honeypot).
• Scanning Response:
– Proactively scan your own phone numbers.
– Take action when modems are found.
Your facility almost certainly has been and will be scanned. The question is, what action are you willing to take? The logical countermeasure is to scan your own phone lines on a regular basis. Now, this is simple in theory, complex in practice. Your organization may have a person in charge of phones, and they may be able to help you. Be aware that Heating, Ventilation, And Cooling (HVAC - some folks say Heating, Ventilation, Air Conditioning) and alarm systems may be active on your phone system, and these numbers should be avoided. ToneLoc and most other scanners allow you to avoid number ranges.
PhoneSweep: Commercial Scanner
• A Telephone Scanner, not a War Dialer
Many organizations are uncomfortable using hacker code to attack their own sites because of the risk of embedded malicious code. Also, the documentation on some underground code is not the best. Technical support can be dicey from hacker locations. These are some of the factors that cause some organizations to prefer commercial software with phone support, printed manuals…and someone to sue if things go wrong.
Select Modems
An example of a commercial scanner is PhoneSweep, shown on this slide. Notice that it can run multiple modems in parallel; it turns out that phone scanning is really slow!
Specify Dialing Times
(PhoneSweep relies on the system clock for accurate time & day of the week.)
[Slide screenshot: PhoneSweep dialing-time schedule; visible label: “hours outside Business Hours”]
With a commercial tool, you tend to get more flexibility in settings. For instance, you might want to consider scanning at night in case people leave their modems on auto-answer when they leave work. It is nice to have this capability, but scanning when you are not there can be dangerous. Another high-end feature to look for is the ability to detect fax machines.
Telephone Scanning Summary
• Any large site probably has modems that they do not know about
• Remember the “Legion” slide
• Slow, slow, slow, think seriously about the parallel modem option
• Doesn’t seem to distinguish between faxes and modems as well as I had hoped
To summarize the phone scan section, this is something you should seriously consider doing. Remember that example in the firewalls section, of the facility that was compromised because of a user accessing the Internet via a modem and ISP? Unfortunately, phone scanning will only detect modems on auto-answer. Many organizations have digital phones, and so analog lines require special permission; this certainly limits how many numbers you need to test. Commercial tools have some significant advantages. On the other hand, ToneLoc is simple and very well tested!
How to Do a Vulnerability Scan
• Get permission, explain what you are doing: “finding our vulnerabilities before attackers do”
• Put out the word ahead of time, publish your phone number; people don’t like surprises
We will close this section with a discussion of the general principles of scanning. Note well, vulnerability scanning can be hazardous to your career. The difference between a hacker and a penetration tester is permission! Be certain that you have it. If you are just starting a scanning program in your organization, you probably want written permission.
Things can go very wrong when you are scanning. I have crashed a number of systems - I’ve already mentioned the mockup of a Navy warship – and my friend John Green has a whole Navy base to his credit! We both did this with simple vulnerability assessment tools. People will be a lot more forgiving if you warn them ahead of time and make sure it is easy for them to find you. If you are not in the office or people do not know how to contact you, then you could create a serious problem for your organization, and therefore yourself.
How to Do a Scan (2)
• Click target selection, choose a system, tell it to expand to the subnet
• Heavy scan, but do not allow Denial of Service scan (at least at first)
• Only scan when you are in the office by the phone
• Fix the red “priority” problems first
There is no point in configuring the scanner to hit all of your addresses unless you are in a small organization. Do a subnet at a time, a workgroup at a time, whatever makes sense. This way you don’t have an overwhelming number of vulnerabilities to fix.
If you do scan the whole facility, you will have a huge list of problems and everyone will talk about fixing them, but it never gets past the promises stage. This is very dangerous. After you run the scan on a large scale, you get a huge printout of all the problems and some of them are flagged as “very” serious, some “just” serious and so forth. You present it to management, tell them it is the end of life as we know it if they aren’t fixed. They agree, they task people, there are meetings, everyone agrees to get things fixed, and then you run into deadlines and emergencies and they never get fixed. Now you can’t play that card again - after all, the organization is still in business! If you run another scan, no one will take it that seriously.
Therefore – scan a small section. Start with your own shop. Fix the problems, and move on.
There is another approach, called the Top Ten Project. A number of scanners, including SARA and Nessus, have scanning modes that only look for the Top Ten vulnerabilities. This way, you only have to deal with the most serious problems first. For more information, please see www.sans.org/topten.htm
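One way to keep the scope to a single subnet, fix the red findings first, and answer the “compare with a scan from four weeks ago” question from the shopping list earlier in this section. This is an added Python example, not any scanner’s own export format or code; the two scan results, the hosts and the check ids are constructed.

```python
"""Scope a scan to one subnet, order the work by severity, diff against the
previous scan.

Added example for this section; not output or code from any scanner product.
The two scan files are constructed in a simple CSV shape (host, port,
severity, check id, title). Real tools export richer formats, but the
bookkeeping is the same: what is new, what got fixed, what is still open,
and what to fix first.
"""
import csv
import io
import ipaddress
from collections import Counter
from typing import Dict, List

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}   # "red" priority first

# Constructed scanner output from four weeks ago.
SCAN_4_WEEKS_AGO = """host,port,severity,check,title
203.0.113.10,21,high,c-001,anonymous FTP upload allowed
203.0.113.10,80,medium,c-002,web server version disclosure
203.0.113.12,139,high,c-003,world-writable SMB share
203.0.113.250,22,low,c-004,ssh banner reveals version
203.0.114.5,25,high,c-005,open mail relay
"""

# Constructed scanner output from today: c-001 was fixed, c-006 is new.
SCAN_TODAY = """host,port,severity,check,title
203.0.113.10,80,medium,c-002,web server version disclosure
203.0.113.12,139,high,c-003,world-writable SMB share
203.0.113.12,161,high,c-006,SNMP default community string
203.0.113.250,22,low,c-004,ssh banner reveals version
203.0.114.5,25,high,c-005,open mail relay
"""


def parse_scan(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def in_scope(findings, subnet: str):
    """Keep only findings on hosts inside the subnet being worked this round."""
    net = ipaddress.ip_network(subnet)
    return [f for f in findings if ipaddress.ip_address(f["host"]) in net]


def prioritize(findings):
    """Highest severity first, then by host and port so the list is stable."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]],
                                           ipaddress.ip_address(f["host"]),
                                           int(f["port"])))


def _key(f):
    return (f["host"], f["port"], f["check"])


def diff_scans(old, new) -> Dict[str, List[Dict[str, str]]]:
    """Split findings into new, fixed and still open between two scans."""
    old_keys = {_key(f) for f in old}
    new_keys = {_key(f) for f in new}
    return {
        "new": [f for f in new if _key(f) not in old_keys],
        "fixed": [f for f in old if _key(f) not in new_keys],
        "still_open": [f for f in new if _key(f) in old_keys],
    }


def severity_counts(findings) -> Counter:
    return Counter(f["severity"] for f in findings)


def report(subnet: str = "203.0.113.0/24"):
    old = in_scope(parse_scan(SCAN_4_WEEKS_AGO), subnet)
    new = in_scope(parse_scan(SCAN_TODAY), subnet)
    return {"todo": prioritize(new), "diff": diff_scans(old, new),
            "counts": severity_counts(new)}


if __name__ == "__main__":
    r = report()
    print("Fix in this order:")
    for f in r["todo"]:
        print(f"  [{f['severity']}] {f['host']}:{f['port']} {f['title']}")
    for bucket, items in r["diff"].items():
        print(f"{bucket}: {[f['check'] for f in items]}")
```

The “still_open” bucket is the one to show management on the second visit: findings that were promised and not fixed are harder to wave off than a fresh list of everything.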
Warning!!!
Vulnerability scanners may be hazardous to your career
• Be very sure you are authorized
• People really prefer to be warned
• Scanners sometimes crash systems
• Don’t jump to conclusions about how vulnerable a system is until you know the tool very well
In the previous example, it isn’t that you were wrong when you went to management and told them they were vulnerable. The problem is that attackers often leave a low footprint - you can be compromised and not realize it.
Anyway, to summarize this section, a vulnerability scanner is a great way to find many of the holes that external and internal attackers would exploit, given the opportunity. However, scanners are prone to false positives and can break things. Be conservative; start the tool at low power and run it on a low number of systems until you are very familiar with its effects.
Intrusion Detection Roadmap
What are the pieces and how they play together
• Vulnerability Scanners
• Response, automated and manual
– Manual Response
• Emergency Action Plan, 7 Deadly Sins
• Evidence preservation - Chain of Custody
• Threat Briefing - Know your enemy
Response and Incident Handling
Intrusion response, or the response to intrusions, is an interesting problem. The fundamental concept to understand is that you will respond. Your system will respond. The question is, will it be a good response?
Let’s start at the beginning. A packet comes to your firewall; one of three things will happen:
• The packet will be allowed to pass.
• The packet will not be allowed to pass, and the firewall will notify the sender (most likely with an ICMP “administratively prohibited” message).
• The packet will not be allowed to pass and the firewall will NOT notify the sender. This is known as the “silent drop”.
More complex responses are also possible. There is a tool called a RST kill. A RESET (RST) is the signal to abort a TCP connection. A firewall or intrusion detection system can forge a RST and send it to one or both sides of the TCP connection if it sees evidence of an attack.
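The three outcomes above, plus the RST kill, as an added Python model. It is not the code of any firewall product; rules are matched first-match-wins as most packet filters do, and the rule set and sample packets are constructed from documentation address ranges.

```python
"""What a firewall can do with one packet: pass, reject with ICMP, silent
drop, or (with IDS help) kill the TCP connection with a forged RST.

Added example, a model of the outcomes the text lists rather than product
code. Rule set and sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any port
    action: str                 # "accept", "reject", "drop" or "rst"


# Constructed policy protecting 203.0.113.0/24 (a documentation range).
RULES: List[Rule] = [
    Rule("0.0.0.0/0", "203.0.113.0/24", "tcp", 80, "accept"),        # public web
    Rule("198.51.100.0/24", "203.0.113.0/24", "tcp", 22, "accept"),  # admin net only
    Rule("0.0.0.0/0", "203.0.113.0/24", "tcp", 23, "rst"),           # telnet: reset it
    Rule("0.0.0.0/0", "203.0.113.0/24", "udp", None, "reject"),      # tell the sender
]
DEFAULT_ACTION = "drop"                                               # silent drop


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def decide(pkt: Packet, rules: List[Rule] = RULES,
           default: str = DEFAULT_ACTION) -> Tuple[str, Optional[str]]:
    """Return (verdict, what the sender is told). The sender learns nothing on
    "accept" or "drop"; "reject" answers with ICMP administratively
    prohibited; "rst" forges a TCP reset, which only makes sense for TCP."""
    action = default
    for rule in rules:
        if matches(rule, pkt):
            action = rule.action
            break
    if action == "rst" and pkt.proto != "tcp":
        action = "drop"          # no connection to reset; fall back to silence
    notification = {
        "reject": "icmp-admin-prohibited",
        "rst": "tcp-rst",
    }.get(action)
    return action, notification


# Constructed sample traffic, one packet per entry.
SAMPLE_PACKETS = [
    Packet("192.0.2.5", "203.0.113.10", "tcp", 80),     # anyone may reach the web server
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),  # admin net may ssh
    Packet("192.0.2.5", "203.0.113.10", "tcp", 22),     # everyone else: silent drop
    Packet("192.0.2.5", "203.0.113.10", "tcp", 23),     # telnet attempt gets a RST
    Packet("192.0.2.5", "203.0.113.10", "udp", 161),    # SNMP probe is refused loudly
    Packet("192.0.2.5", "203.0.114.1", "tcp", 80),      # not our range: silent drop
]


def decide_all(packets=SAMPLE_PACKETS):
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, note) in zip(SAMPLE_PACKETS, decide_all()):
        print(f"{pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}: {verdict}"
              + (f" ({note} sent)" if note else ""))
```

Note the difference from the sender’s point of view: the reject and the RST both tell a scanner immediately that something is there and is filtering, while the silent drop costs the scanner a timeout per probe and tells it nothing.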
Automated Response
• Commercial IDS can be connected to routers/firewalls and take
The intrusion detection system can detect a signature, and if that connection matches a known attack signature, it can order the firewall to drop the connection and block that IP address. Further, it could refuse to allow a route from the attacking IP address.
Shunning is the notion of blocking an IP address and/or an IP address family from then on. It doesn’t matter what service they wish to connect to; they are not welcome.
The logic for doing this is obvious; attacks happen so fast, a computer has a much better opportunity to respond than a person. Also, while we have an attack signature to recognize this attack, we may not for the next attack – so it’s best to block while we can.
It takes a LOT of smart software to do this in a heuristic manner that can calculate the probability a connection is spoofed, and what the cost to the organization of blocking it might be. If you run auto-response software, attackers can toy with you using spoofed packets.
In a 24x7 manned response center, an obvious solution to the high risk of auto-response would be to offer the detect and from one to N recommended responses to a trained incident handler and allow them to make the decision on what to do next. This is known as “person in the loop”.
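A sketch of shunning with the safeguards this and the previous passage call for: addresses the organization cannot afford to lose are never blocked automatically, a detection whose TCP connection never completed a handshake is treated as possibly spoofed, blocks expire, and everything not auto-blocked goes on the incident handler’s queue (the person in the loop). This is an added Python example, not the code of any IDS or firewall product; the addresses, signature names and timestamps are constructed.

```python
"""Automated shunning with a person in the loop.

Added example; not IDS or firewall product code. A detection carries the
source address, the signature that fired, and whether the offending TCP
connection completed its three-way handshake. Protected addresses are never
auto-blocked, unverified (possibly spoofed) sources are not acted on alone,
blocks expire, and the rest is queued for a human. All values constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Detection:
    src: str
    signature: str
    handshake_completed: bool   # a finished handshake is hard to spoof
    timestamp: float


@dataclass
class ShunPolicy:
    never_block: List[str]              # networks that must stay reachable
    auto_block_signatures: Set[str]     # signatures trusted enough to act on alone
    block_seconds: int = 3600           # every shun expires


class Responder:
    def __init__(self, policy: ShunPolicy):
        self.policy = policy
        self.protected = [ipaddress.ip_network(n) for n in policy.never_block]
        self.blocked: Dict[str, float] = {}     # address -> expiry time
        self.queue: List[tuple] = []            # (detection, reason) for a human

    def _expire(self, now: float) -> None:
        for addr in [a for a, t in self.blocked.items() if t <= now]:
            del self.blocked[addr]

    def handle(self, det: Detection) -> str:
        """Decide what to do with one detection and report the outcome."""
        self._expire(det.timestamp)
        src = ipaddress.ip_address(det.src)
        if any(src in net for net in self.protected):
            reason = "protected-address"       # blocking this would hurt us more
        elif not det.handshake_completed:
            reason = "unverified-source"       # could be a spoofed packet
        elif det.signature not in self.policy.auto_block_signatures:
            reason = "no-auto-rule"            # signature not trusted enough
        else:
            self.blocked[det.src] = det.timestamp + self.policy.block_seconds
            return "auto-blocked"
        self.queue.append((det, reason))
        return "queued:" + reason

    def is_blocked(self, addr: str, now: float) -> bool:
        self._expire(now)
        return addr in self.blocked

    def pending(self) -> List[str]:
        return [f"{d.src} {d.signature} ({why})" for d, why in self.queue]


# Constructed policy and detections.
POLICY = ShunPolicy(
    never_block=["203.0.113.0/24", "198.51.100.53/32"],
    auto_block_signatures={"SIG-CONSTRUCTED-001"},
    block_seconds=600,
)
DETECTIONS = [
    Detection("192.0.2.9", "SIG-CONSTRUCTED-001", True, 1000.0),
    Detection("198.51.100.53", "SIG-CONSTRUCTED-001", True, 1001.0),  # our DNS server
    Detection("192.0.2.10", "SIG-CONSTRUCTED-001", False, 1002.0),    # no handshake
    Detection("192.0.2.11", "SIG-CONSTRUCTED-002", True, 1003.0),     # sig not trusted
]


def run(detections=DETECTIONS, policy=POLICY):
    r = Responder(policy)
    outcomes = [r.handle(d) for d in detections]
    return r, outcomes


if __name__ == "__main__":
    responder, outcomes = run()
    for d, o in zip(DETECTIONS, outcomes):
        print(f"{d.src:15s} {d.signature}: {o}")
    print("blocked now:", sorted(responder.blocked))
    print("for the handler:", responder.pending())
```

The never-block list is the cheapest of the three safeguards and the one most often missing: without it, one spoofed packet carrying the address of your DNS server or a business partner is all it takes for the auto-responder to cut you off from them.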
Let’s go back to the fundamental concept: you will respond. The question is whether you will respond well. If the packet penetrates your firewall, and it penetrates your system defenses, and if it is successful, you are generally dealing with an incident - but computer incident handling is a much broader field than Computer Network Attacks (CNA). Incidents are any situation where harm or the threat of harm affects information processing resources. This includes hacker attacks, malicious code, fires, floods and other weather events, and sometimes even software and hardware configuration problems.