Cybersecurity - Intrusion Detection

Intrusion Detection

Intrusion

  • A significant security problem for networked systems is hostile or unwanted trespass by users or software.
    • User trespass: Unauthorized logon or an authorized user acquiring privileges or performing actions beyond authorization.
    • Software trespass: Virus, worm, or Trojan horse.

Intruders

  • Cyber criminals: Individuals or organized crime groups motivated by financial reward.
  • Activists: Individuals (insiders) or members of larger groups (outsiders) motivated by social or political causes (hacktivists); skill level varies.
  • State-sponsored organizations: Government-sponsored hackers conducting espionage or sabotage (Advanced Persistent Threats - APTs).
  • Others: Hackers/crackers motivated by technical challenge or peer-group esteem.

Intrusion Examples

  • Remote root compromise of an e-mail server.
  • Defacing a web server.
  • Guessing and cracking passwords.
  • Copying a database containing credit card numbers.
  • Viewing sensitive data (payroll records, medical information) without authorization.
  • Running a packet sniffer to capture usernames and passwords.
  • Using a permission error on an anonymous FTP server to distribute pirated software/music.
  • Dialing into an unsecured modem for internal network access.
  • Posing as an executive to reset an e-mail password via help desk.
  • Using an unattended, logged-in workstation without permission.

Intruder Behavior (Hacking Steps)

  • Target Acquisition and Information Gathering
  • Initial Access
  • Privilege Escalation
  • Information Gathering or System Exploit
  • Maintaining Access
  • Covering Tracks
Target Acquisition and Information Gathering
  • Explore corporate website for information on corporate structure, personnel, key systems, web server and OS details.
  • Gather information on the target network using DNS lookup tools (dig, host) and WHOIS database.
  • Map network for accessible services using tools like NMAP.
  • Send query emails to customer service, review response for mail client, server, OS details, and responder information.
  • Identify potentially vulnerable services, e.g., vulnerable web CMS.
Initial Access
  • Brute force (guess) a user's web content management system (CMS) password.
  • Exploit vulnerability in web CMS plugin to gain system access.
  • Send spear-phishing email with link to web browser exploit to key people.
Privilege Escalation
  • Scan system for applications with local exploit.
  • Exploit any vulnerable application to gain elevated privileges.
  • Install sniffers to capture administrator passwords.
  • Use captured administrator password to access privileged information.
Information Gathering or System Exploit
  • Scan files for desired information.
  • Transfer large numbers of documents to external repository.
  • Use guessed or captured passwords to access other servers on the network.
Maintaining Access
  • Install remote administration tool or rootkit with backdoor for later access.
  • Use administrator password to later access network.
  • Modify or disable anti-virus or IDS programs running on the system.
Covering Tracks
  • Use rootkit to hide files installed on the system.
  • Edit log files to remove entries generated during the intrusion.

Intrusion Detection

  • Security Intrusion: A security event or combination of events where an intruder gains or attempts to gain unauthorized access to a system (or system resource).
  • Intrusion Detection: A security service monitoring and analyzing system events to provide real-time or near real-time warning of unauthorized access attempts.

Logical Components of IDS

  • Sensors: Collect data.
  • Analyzers:
    • Receive input from sensors or other analyzers.
    • Determine if an intrusion has occurred.
    • Provide evidence supporting the conclusion.
    • Provide guidance on actions to take.
  • User interface: Enables user to view output or control the system.

Placement

  • IDS inspects inbound and outbound network traffic for suspicious patterns.
  • IDS checks traffic for signatures matching known intrusion patterns, signaling an alarm when a match is found.

How it Works

  • A firewall is in place between the internet and an enterprise network.
  • Network traffic goes through the firewall into an IDS.
  • The IDS preprocessor prepares the data for analysis.
  • Signature file comparison: Incoming traffic is compared against a signature file database. If a match is identified action rules are run to determine if an alarm is necessary.
  • Anomaly detection: Connections are also tracked with stateful protocol analysis and compared against a profile of normal behavior. If an anomaly is detected an alarm notifies the administrator; an inline IPS can additionally drop the offending packet or block further traffic from the source IP, whereas a passive IDS can only alert.

Classification

  • Host-based IDS (HIDS): Monitors a single host's characteristics and events within that host (process identifiers, system calls) for suspicious activity.
  • Network-based IDS (NIDS): Monitors network traffic for particular network segments/devices, analyzes network, transport, and application protocols to identify suspicious activity.
  • Distributed or hybrid IDS: Combines information from multiple sensors (host and network-based) in a central analyzer for better intrusion identification and response.
Network-Based Intrusion Detection Systems (NIDS)
  • Placed on the network in promiscuous mode, listening for patterns indicative of intrusion.
  • Detects malicious activity such as Denial-of-Service attacks, port scans, or attempts to crack computers by monitoring network traffic.
Host-Based Intrusion Detection Systems (HIDS)
  • Include auditing for events occurring on a specific host.
  • Less common due to the overhead of monitoring each system event.

Analysis Approaches

  • Signature Recognition (Misuse Detection): Matches observed events against patterns (signatures) of known attacks and known misuse of system resources.
  • Anomaly Detection: Builds a profile of the normal behavior of users and system components and flags significant deviations from that profile.
  • Protocol Anomaly Detection (stateful protocol analysis): Compares observed traffic against models of how the protocol specification (e.g., TCP/IP) should be followed, catching vendor deviations, malformed messages, and messages that are out of sequence for the protocol state.
Anomaly Detection
  • Build a profile of normal behavior from sensor data collected during the normal operation of the monitored system, then classify new observations against it using one of:
    • Statistical: Analysis using univariate, multivariate, or time-series models of observed metrics.
    • Knowledge based: Expert system classifies observed behavior according to rules that model legitimate behavior.
    • Machine-learning: Automatically determines a suitable classification model from training data using data mining techniques.
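As an added example (not from the original page), the statistical approach above worked through in Python: a per-user profile of mean and standard deviation is built for each metric from records taken during normal operation, and a new event is flagged when any metric lies more than a threshold number of standard deviations from its mean. The audit records, user names and metric names (hour, logins, mb_out) are constructed for illustration and are not a real log format.

```python
"""Univariate statistical anomaly detection over per-user audit records.

Added example, not from the original page. The training records, users and
metric names (hour, logins, mb_out) are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed normal-operation data: (user, hour of day, logins in that hour, MB sent).
TRAINING = [
    ("alice", 9, 2, 12.0), ("alice", 10, 3, 15.0), ("alice", 11, 2, 14.0),
    ("alice", 14, 3, 13.0), ("alice", 15, 2, 16.0), ("alice", 16, 3, 12.0),
    ("bob", 8, 1, 40.0), ("bob", 9, 1, 45.0), ("bob", 10, 2, 42.0),
    ("bob", 13, 1, 38.0), ("bob", 14, 2, 44.0), ("bob", 17, 1, 41.0),
]
METRICS = ("hour", "logins", "mb_out")


def build_profiles(records):
    """Per-user profile: (mean, population std-dev) of every metric seen in training."""
    samples = defaultdict(lambda: defaultdict(list))
    for user, *values in records:
        for name, value in zip(METRICS, values):
            samples[user][name].append(value)
    return {
        user: {name: (mean(vals), pstdev(vals)) for name, vals in metrics.items()}
        for user, metrics in samples.items()
    }


def z_score(value, mu, sigma):
    """Standard score; with zero variance any deviation at all is treated as extreme."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def score_event(profiles, event, threshold=3.0):
    """Return [(metric, z), ...] for metrics beyond the threshold; [] means normal.

    An event for a user with no profile cannot be scored against a baseline
    and is reported as its own anomaly class.
    """
    user, *values = event
    if user not in profiles:
        return [("unknown_user", float("inf"))]
    anomalies = []
    for name, value in zip(METRICS, values):
        mu, sigma = profiles[user][name]
        z = z_score(value, mu, sigma)
        if abs(z) > threshold:
            anomalies.append((name, round(z, 2)))
    return anomalies


def detect(profiles, events, threshold=3.0):
    """Map each event to its anomaly list, so normal events show up as []."""
    return {event: score_event(profiles, event, threshold) for event in events}


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    # Constructed test events: a normal one, a 3 a.m. bulk transfer, an unknown account.
    events = [("alice", 10, 3, 14.0), ("alice", 3, 2, 500.0), ("mallory", 10, 1, 5.0)]
    for event, result in detect(profiles, events).items():
        print(event, "NORMAL" if not result else f"ANOMALY {result}")
```

The 3-sigma threshold assumes the metrics are roughly normally distributed; heavy-tailed metrics such as bytes transferred produce false positives, and an intruder who increases activity slowly can pull the profile along with them. Both are the classic weaknesses of statistical anomaly detection, so the profile should be frozen or reviewed rather than retrained blindly.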
Signature (Heuristic) Detection
  • Signature approaches:
    • Match known malicious data patterns against data on a system or in transit over a network.
    • Widely used in antivirus products, network traffic scanning proxies, and NIDS.
    • Advantage: Low cost in time and resource use. Limitation: only detects attacks for which a signature already exists.
  • Rule-based Heuristic identification
    • Using rules for identifying known penetrations or exploiting known weaknesses.
    • Rules are specific to the machine and OS.

Host-based Intrusion Detection (HIDS)

  • Add a specialized layer of security software to vulnerable or sensitive systems (database servers, admin systems).
  • Can detect both external and internal intrusions.
Data Sources and Sensors
  • System call traces (on Windows, calls into key system DLLs and executables)
  • Audit (log file) records
  • File integrity checksums (periodic scans of critical files)
  • Registry Access (Windows specific)
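The file integrity checksum data source above, worked through as an added example (not from the page and not the code of any product listed on it): a baseline of SHA-256 digest, size and permission bits is taken for every regular file under a directory, and a later scan is compared against it to report files that were added, removed or modified. The directory tree and the tampering applied to it are constructed in a temporary folder so the script runs offline.

```python
"""File integrity checking, the HIDS data source listed above (added example,
not from the page or any product named on it).

Takes a baseline of SHA-256 digest, size and permission bits for every regular
file under a root and reports files added, removed or modified since. The
demo tree and its tampering are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, hashed in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map relative path -> (sha256, size, permission bits) for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (file_digest(p), p.stat().st_size, p.stat().st_mode & 0o777)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Classify differences between two baselines into added, removed and modified paths."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Build a small tree, baseline it, simulate an intrusion, and return the change report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls binary\n")
        baseline = take_baseline(root)

        # Constructed tampering, in the spirit of the "Maintaining Access" steps above:
        # a same-size trojaned binary, a weakened config, a new persistence file, a deleted file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls binary\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/.x\n")
        (root / "etc" / "passwd").unlink()
        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

The trojaned binary has the same size and permissions as the original, so only the digest catches it; this is why a cryptographic hash rather than size or timestamp is the comparison key. The baseline itself must be stored off-host or on read-only media and the check run from trusted media: a rootkit that hides files or hooks file reads (the "Covering Tracks" step above) defeats a checker that trusts the compromised host's own view of the filesystem.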
Anomaly HIDS
  • In addition to audit and accounting records, system call traces are useful.
  • Examples:
    • Ubuntu Linux System Calls (accept, access, etc.)
    • Key Windows DLLs and Executables (comctl32, kernel32, etc.)
Signature or Heuristic HIDS
  • AV and anti-malware products.
  • Commonly used on Windows systems.
  • Use a database of file signatures (patterns of data in known malicious software).
  • Use heuristic rules to characterize known malicious behavior.
  • Efficient at detecting known malware, but not zero-days.

NIDS (Network Based IDS)

  • Monitors traffic at selected points on a network or interconnected networks.
  • Examines traffic packet by packet in real time (or close to real-time) to detect intrusion patterns.
  • May examine network-, transport-, and/or application-level protocol activity.
  • Examines packet traffic directed toward potentially vulnerable computer systems on a network.
  • Typically part of an organization's perimeter security infrastructure, deployed alongside the firewall.
Types of Network Sensors
  • Inline: Placed in the traffic path (often combined with a firewall or switch) so that traffic must pass through it; because it can block traffic it can act as an intrusion prevention system.
  • Passive: Monitors a copy of the traffic (via a network tap, a switch SPAN/mirror port, or a NIC in promiscuous mode) without sitting in the traffic path; it can alert but cannot block, and it adds no latency or single point of failure.
NIDS Sensor Deployment
  • Four common deployment locations, relative to the external firewall (Internet side) and the internal firewall (between the DMZ/backbone and the internal networks):
    • (1): Inside the external firewall (e.g., on the DMZ): sees attacks from the outside world that actually penetrate the perimeter defenses, highlights problems with the firewall policy, sees attacks targeting the web/FTP servers in the DMZ, and may recognize outgoing traffic from a compromised server.
    • (2): Outside the external firewall: sees all unfiltered Internet traffic, so it documents the number and types of attacks originating on the Internet that target the network; the cost is a higher processing burden and noise from attacks the firewall would have blocked anyway.
    • (3): Inside the internal firewall (on the backbone): monitors a large amount of the network's traffic, increasing the possibility of spotting attacks, and detects unauthorized activity by authorized users within the organization's security perimeter.
    • (4): On network segments with critical systems: detects attacks targeting critical systems and resources, and allows limited resources to be focused on the network assets considered of greatest value.
Signature Detection
  • Application layer reconnaissance and attacks: DNS, Finger, FTP, HTTP, Internet Message Access Protocol (IMAP), Internet Relay Chat (IRC), Network File System (NFS), Post Office Protocol (POP), rlogin/rsh, Remote Procedure Call (RPC), Session Initiation Protocol (SIP), Server Message Block (SMB), SMTP, SNMP, Telnet, and Trivial File Transfer Protocol (TFTP).
  • Transport layer reconnaissance and attacks: unusual packet fragmentation, scans for vulnerable ports, and TCP-specific attacks such as SYN floods.
  • Network layer reconnaissance and attacks: IPv4, IPv6, ICMP, and IGMP, spoofed IP address.
  • Unexpected application services: a host running an unauthorized application service.
  • Policy violations: inappropriate Web sites and use of forbidden application protocols.
Anomaly Detection Techniques
  • Denial-of-service (DoS) attacks
  • Scanning
  • Worms

Logging of Alerts

  • Timestamp
  • Connection or session ID
  • Event or alert type
  • Rating (priority, severity, impact, confidence)
  • Network, transport, and application layer protocols
  • Source and destination IP addresses
  • Source and destination TCP or UDP ports, or ICMP types and codes
  • Number of bytes transmitted over the connection
  • Decoded payload data (application requests/responses)
  • State-related information (authenticated username)
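The two anomaly detection targets above that lend themselves to simple stateful counting, scanning and DoS, as an added example (not from the original page): flow records are replayed in time order, a sliding window tracks distinct destination ports per source/target pair (port scan) and bare SYNs per target service (SYN flood), and each detection emits an alert record carrying the logging fields just listed. The flow tuples, thresholds, event names and alert layout are constructed for illustration.

```python
"""Threshold-based detection of port scanning and SYN flooding over network
flow records, emitting alert records with the fields listed above.

Added example, not from the original page. The flow tuples, thresholds, event
names and alert layout are constructed for illustration.
"""
from collections import defaultdict, deque

SCAN_WINDOW_S, SCAN_PORTS = 10, 20     # > 20 distinct ports on one host within 10 s
FLOOD_WINDOW_S, FLOOD_SYNS = 5, 100    # > 100 bare SYNs to one service within 5 s

# Constructed flows: (time_s, proto, src_ip, src_port, dst_ip, dst_port, tcp_flags)
FLOWS = []
# Normal HTTPS sessions from an internal client (handshake completed, flags SA).
FLOWS += [(t, "tcp", "10.0.0.5", 40000 + t, "10.0.0.80", 443, "SA") for t in range(0, 30, 5)]
# A port scan: 25 different ports on 10.0.0.80 probed over 9 seconds.
FLOWS += [(100 + i // 3, "tcp", "198.51.100.7", 50000 + i, "10.0.0.80", 1 + i, "S") for i in range(25)]
# A SYN flood: 200 bare SYNs to 10.0.0.80:80 in 4 seconds.
FLOWS += [(200 + i // 50, "tcp", "203.0.113.9", 1024 + i, "10.0.0.80", 80, "S") for i in range(200)]


def _evict(window, now, width):
    """Drop entries that have fallen out of the sliding window."""
    while window and window[0][0] < now - width:
        window.popleft()


def make_alert(ts, event_type, severity, proto, src, sport, dst, dport, detail):
    """Alert record carrying the logging fields from the list above."""
    return {"timestamp": ts, "event_type": event_type, "severity": severity,
            "proto": proto, "src_ip": src, "src_port": sport,
            "dst_ip": dst, "dst_port": dport, "detail": detail}


def detect(flows):
    """Replay flows in time order and return the alerts raised (one per source/target pair)."""
    scans = defaultdict(deque)    # (src, dst) -> deque of (time, dst_port)
    floods = defaultdict(deque)   # (dst, dst_port) -> deque of (time, src)
    alerted, alerts = set(), []
    for ts, proto, src, sport, dst, dport, flags in sorted(flows, key=lambda f: f[0]):
        if proto != "tcp":
            continue
        # Scanning: many distinct destination ports from one source to one host.
        seen = scans[(src, dst)]
        seen.append((ts, dport))
        _evict(seen, ts, SCAN_WINDOW_S)
        distinct = {p for _, p in seen}
        if len(distinct) > SCAN_PORTS and ("scan", src, dst) not in alerted:
            alerted.add(("scan", src, dst))
            alerts.append(make_alert(ts, "tcp-portscan", "medium", proto, src, sport, dst, dport,
                                     f"{len(distinct)} distinct ports within {SCAN_WINDOW_S}s"))
        # Flooding: keyed on the target, because flood sources are usually spoofed.
        if flags == "S":
            syns = floods[(dst, dport)]
            syns.append((ts, src))
            _evict(syns, ts, FLOOD_WINDOW_S)
            if len(syns) > FLOOD_SYNS and ("flood", dst, dport) not in alerted:
                alerted.add(("flood", dst, dport))
                alerts.append(make_alert(ts, "tcp-synflood", "high", proto, src, sport, dst, dport,
                                         f"{len(syns)} SYNs within {FLOOD_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Fixed thresholds like these are evaded by a scan spread slowly across the window or across many source addresses, and set too low they fire on legitimate bursts; in practice the thresholds are derived from a baseline of the monitored segment's traffic, which is where the statistical profiling described under Anomaly Detection comes in.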

Tools

  • Snort
SNORT
  • Open-source network intrusion detection system capable of real-time traffic analysis and packet logging.
  • Performs protocol analysis and content searching/matching.
  • Detects attacks and probes (buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting).
  • Uses a flexible rules language and modular plug-in architecture.
  • Uses:
    • Straight packet sniffer, like tcpdump.
    • Packet logger (for network traffic debugging).
    • Network intrusion detection system, or, when deployed inline, network intrusion prevention system.
SNORT Rules
  • Differentiate between normal Internet activities and malicious activities
  • Traditionally written on a single line; a rule may span multiple lines only if each continued line ends with a backslash (\), otherwise the rule parser rejects it
  • Two logical parts:
    • Rule header: The action (alert, log, pass, the legacy activate/dynamic, and in inline mode drop, reject, sdrop), the protocol, the source and destination IP addresses and ports, and the direction operator that together select which packets the rule applies to
    • Rule options: The alert message (msg) plus the inspection criteria the packet must also satisfy (e.g., content, flags) and rule identifiers (sid, rev)
Rule Actions and IP Protocols
  • The rule header identifies which packets a rule applies to and names the action to be performed when a packet matches
  • The rule action tells Snort what to do with a packet that matches the rule criteria
  • Basic actions in Snort:
    • alert: Generate an alert using the selected alert method, and then log the packet
    • log: Log the packet
    • pass: Ignore the packet (no alert, no log); by default pass rules are evaluated before alert and log rules, so they exempt trusted traffic from later rules
    • Inline (IPS) mode adds drop (block and log the packet), reject (block, log, and send a TCP reset or ICMP unreachable) and sdrop (block silently)
  • Four protocol keywords that Snort supports for suspicious behavior:
    • tcp
    • udp
    • icmp
    • ip (any IP protocol)
Direction Operator and IP address
  • The direction operator indicates the direction of interest for the traffic: -> matches traffic flowing from the source side to the destination side only, while <> matches it in either direction (there is no <- operator)
  • The address and port fields identify the source and destination IP addresses and ports that the rule applies to
  • Use the keyword any to match any IP address
  • Use numeric IP addresses qualified with a CIDR netmask (e.g., 192.168.1.0/24), a bracketed comma-separated list (e.g., [10.1.1.0/24,10.1.2.0/24]), or a leading ! to negate the match (e.g., !10.0.0.0/8)
Port Numbers
  • Port numbers can be listed in different ways, including any, a static port (80), a range, or a negation (!80)
  • Port ranges are indicated with the : range operator: 1:1024 (inclusive range), :1024 (1024 and below), 1024: (1024 and above)
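Tying the signature approach and the rule syntax above together, an added example (not Snort's own code): a small Python re-implementation of the rule header grammar (action, protocol, source address and port, direction operator, destination address and port, with any, CIDR masks, : ranges and ! negation) plus the msg, content, nocase and sid options, run over constructed packets. The rules and their sids are made up for this example; bracketed address lists and option values containing a ; are not handled here, though Snort accepts them. Rules are evaluated in Snort's default order, pass before alert before log, which is why the pass rule exempts the internal scanner even though the high-port alert rule would otherwise match it.

```python
"""Minimal Snort-style rule parser and matcher (added example, not Snort's own code).

Covers the rule header (action, protocol, source/destination address and port with
'any', CIDR masks, ':' ranges and '!' negation, direction operator) plus the msg,
content, nocase and sid options. Rules, sids and packets are constructed.
"""
import ipaddress
import re

HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
ACTIONS = {"pass": 0, "alert": 1, "log": 2}   # Snort's default rule order: pass rules win
PROTOCOLS = ("tcp", "udp", "icmp", "ip")      # the four protocol keywords Snort accepts


def parse_ip(spec):
    """'any' or an address/CIDR block, optionally '!'-negated -> (negated, network or None)."""
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    return negated, None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_port(spec):
    """'any', '80', '1:1024', ':1024' or '1024:', optionally '!'-negated -> (negated, low, high)."""
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return negated, 0, 65535
    low, _, high = spec.partition(":") if ":" in spec else (spec, "", spec)
    return negated, int(low or 0), int(high or 65535)


def parse_options(body):
    """'key:value; key; ...' -> dict; content may repeat, so it is collected in a list."""
    opts = {"content": []}
    for item in filter(None, (s.strip() for s in body.split(";"))):
        key, _, value = item.partition(":")
        value = value.strip().strip('"')
        if key == "content":
            opts["content"].append(value)
        else:
            opts[key] = value or True
    return opts


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS or proto not in PROTOCOLS:
        raise ValueError(f"unknown action or protocol: {text!r}")
    return {"action": action, "proto": proto, "dir": direction, "src": parse_ip(src),
            "sport": parse_port(sport), "dst": parse_ip(dst), "dport": parse_port(dport),
            "opts": parse_options(body)}


def ip_matches(spec, addr):
    negated, net = spec
    return (net is None or ipaddress.ip_address(addr) in net) != negated


def port_matches(spec, port):
    negated, low, high = spec
    return (low <= port <= high) != negated


def _one_way(rule, pkt):
    return (ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))


def header_matches(rule, pkt):
    """'->' matches one orientation only; '<>' also tries the packet with endpoints swapped."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    swapped = dict(pkt, src=pkt["dst"], sport=pkt["dport"], dst=pkt["src"], dport=pkt["sport"])
    return _one_way(rule, pkt) or (rule["dir"] == "<>" and _one_way(rule, swapped))


def payload_matches(rule, pkt):
    """Every content: pattern must occur in the payload; nocase makes the search case-insensitive."""
    nocase = rule["opts"].get("nocase", False)
    payload = pkt.get("payload", b"").lower() if nocase else pkt.get("payload", b"")
    return all((p.lower() if nocase else p).encode() in payload for p in rule["opts"]["content"])


def evaluate(rules, pkt):
    """(action, msg) of the first matching rule in pass/alert/log order, or None if nothing matches."""
    for rule in sorted(rules, key=lambda r: ACTIONS[r["action"]]):
        if header_matches(rule, pkt) and payload_matches(rule, pkt):
            return rule["action"], rule["opts"].get("msg", "")
    return None


RULES = [parse_rule(r) for r in (   # constructed rules with made-up sids
    'pass tcp 10.0.0.5 any -> any any (msg:"Authorized vulnerability scanner"; sid:1000001;)',
    'alert tcp !10.0.0.0/8 any -> 10.0.0.0/24 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000002;)',
    'alert tcp any any <> 10.0.0.0/24 !1:1024 (msg:"High port on server subnet"; sid:1000003;)',
    'log udp any any -> any 53 (msg:"DNS query logged"; sid:1000004;)',
)]

PACKETS = [   # constructed packets: external attacker, internal scanner, DNS, reverse direction, benign
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "10.0.0.80", "dport": 80,
     "payload": b"GET /scripts/..%5c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.80", "dport": 8443},
    {"proto": "udp", "src": "10.0.0.20", "sport": 53000, "dst": "8.8.8.8", "dport": 53},
    {"proto": "tcp", "src": "10.0.0.80", "sport": 8443, "dst": "198.51.100.7", "dport": 33000},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51001, "dst": "10.0.0.80", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}  {evaluate(RULES, pkt)}')
```

The fourth packet shows why the direction operator matters: the connection is seen from the server side (10.0.0.80:8443 talking to an external host), so a -> rule anchored on the server subnet as destination would miss it, while the <> rule catches it with the endpoints swapped. The fifth packet matches the cmd.exe rule's header but not its content option, which is the signature-only limitation noted earlier: a request that does not contain the pattern, for instance one that is URL-encoded differently, produces no alert.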

Other Tools

  • IBM Security Network Intrusion Prevention System.
  • OSSEC (http://www.ossec.net).
  • Peek & Spy (http://networkingdynamics.com).
  • Cisco Intrusion Prevention Systems (http://www.cisco.com).
  • INTOUCH INSA-Network Security Agent (http://www.ttinet.com).
  • AIDE (Advanced Intrusion Detection Environment) (http://aide.sourceforge.net).
  • SilverSky (https://www.silversky.com).
  • SNARE (System intrusion Analysis & Reporting Environment) (http://www.intersectalliance.com).
  • IDP8200 Intrusion Detection and Prevention Appliances (https://www.juniper.net).
  • Vanguard Enforcer (http://www.go2vanguard.com).