Intrusion Detection Methods

alyssa-duke
Presentation Transcript


  1. Intrusion Detection Methods “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”

  2. The Seven Fundamentals
  • What are the methods used
  • How are IDS organized
  • What is an intrusion
  • How do we trace and how do they hide
  • How do we correlate information
  • How can we trap intruders
  • Incident response

  3. The Emergency Action Card When a computer security incident occurs, and you are not prepared, follow these ten steps: Emergency Step 1. Remain calm. Even a fairly mild incident tends to raise everyone's stress level. Communication and coordination become difficult. Your calm can help others avoid making critical errors. http://www.sans.org/newlook/publications/incident_handling.htm

  4. Emergency Step 2. Take good notes. Make sure you answer the four Ws - Who, What, When, and Where - and, for extra credit, How and Why. http://www.sans.org/newlook/publications/incident_handling.htm

  5. Emergency Step 3. Notify the right people and get help. Begin by notifying your security coordinator and your manager and asking that a coworker be assigned to help coordinate the incident handling process. Get a copy of the corporate phonebook and keep it with you. Ask your helper to keep careful notes on each person with whom he or she speaks and what was said. Make sure you do the same. http://www.sans.org/newlook/publications/incident_handling.htm

  6. Emergency Step 4. Enforce a "need to know" policy. Tell the details of the incident to the minimum number of people possible. Remind them, where appropriate, that they are trusted individuals and that your organization is counting on their discretion. Avoid speculation except when it is required to decide what to do. Too often the initial information in an incident is misinterpreted and the "working theory" has to be scrapped. http://www.sans.org/newlook/publications/incident_handling.htm

  7. Emergency Step 5. Use out-of-band communications. If the computers may have been compromised, avoid using them for incident handling discussions. Use telephones and faxes instead. Do not send information about the incident by electronic mail, talk, chat, or news; the information may be intercepted by the attacker and used to worsen the situation. When computers are being used, encrypt all incident handling e-mail. http://www.sans.org/newlook/publications/incident_handling.htm

  8. Emergency Step 6. Contain the problem. Take the necessary steps to keep the problem from getting worse. Usually that means removing the system from the network, though management may decide to keep the connections open in an effort to catch an intruder. http://www.sans.org/newlook/publications/incident_handling.htm

  9. Emergency Step 7. Make a backup of the affected system(s) as soon as practicable. Use new, unused media. If possible, make a binary (bit-by-bit) backup. http://www.sans.org/newlook/publications/incident_handling.htm

  10. Emergency Step 8. Get rid of the problem. Identify what went wrong if you can. Take steps to correct the deficiencies that allowed the problem to occur. http://www.sans.org/newlook/publications/incident_handling.htm

  11. Emergency Step 9. Get back in business. After checking your backups to ensure they are not compromised, restore your system from backups and monitor the system closely to determine whether it can resume its tasks. http://www.sans.org/newlook/publications/incident_handling.htm

  12. Emergency Step 10. Learn from this experience, so you won't get caught unprepared the next time an incident occurs. http://www.sans.org/newlook/publications/incident_handling.htm

  13. Incident response • The real-time decisions and actions of asset managers that are intended to minimize incident-related effects on their assets and to mitigate residual security risk, based on available evidence from the incident.

  14. Incident Response factors
  Soft factors
  • Management policies
  • Organizational structure
  • Administrative procedures
  Hard factors
  • IDS
  • Traps
  • Trace back tools

  15. Incident Response Process

  16. Response
  • Human initiated response
  • Automatically initiated response
  • Coordinated Human & Automatic response

  17. Factors influencing Response • Passive factors
  • What assets have been affected or damaged by the incident?
  • How did the incident occur?
  • How was it detected?
  • How trustworthy is the incident-related information?

  18. Factors influencing Response • Active factors
  • What would be the effect of altering the target system’s functionality?
  • What would be the effect of initiating trace backs and traps?
  • What would be the effect of doing nothing?
  • How legal is the response?

  19. Robin Hood and Friar Tuck
  !X id1
  id1: Friar Tuck... I am under attack! Pray save me!
  id1: Off (aborted)
  id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!
  id1: Thank you, my good fellow!
  Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system. http://www.tuxedo.org/~esr/jargon/

  20. Examples
  • RealSecure + Firewall-1
  • Snort + iptables
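Slides 16 and 20 together describe an automatically initiated response built from Snort and iptables. The following is an added example, not code from the presentation: it parses Snort "fast"-format alert lines (constructed samples) and plans iptables DROP rules, turning the slide 17 and 18 questions (how trustworthy is the alert, what is the effect of the response) into a priority threshold and a protected-network list. The protected networks, the priority threshold and the sample alerts are assumptions.

```python
import ipaddress
import re
# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)
# Assumed policy: never auto-block our own address space, since dropping an internal
# or management host would turn the response into a self-inflicted outage.
PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]
MAX_PRIORITY = 1  # only priority-1 alerts are trusted enough for automatic action

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields

def is_protected(ip):
    return any(ipaddress.ip_address(ip) in net for net in PROTECTED_NETS)

def plan_blocks(lines):
    """Map alerts to iptables DROP rules; skipped records why an alert produced no rule."""
    commands, skipped, seen = [], [], set()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            skipped.append((line, "unparsed"))
        elif a["prio"] > MAX_PRIORITY:
            skipped.append((line, "priority too low for automatic response"))
        elif is_protected(a["src"]):
            skipped.append((line, "source is in a protected network"))
        elif a["src"] in seen:
            skipped.append((line, "source already blocked"))
        else:
            seen.add(a["src"])
            commands.append(f"iptables -I INPUT -s {a['src']} -j DROP  # sid {a['sid']}: {a['msg']}")
    return commands, skipped
# Constructed sample alerts (RFC 5737 documentation addresses, not real traffic).
SAMPLE_ALERTS = [
    "01/23-14:05:12.123456  [**] [1:1000001:1] CONSTRUCTED SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22",
    "01/23-14:05:13.000001  [**] [1:1000001:1] CONSTRUCTED SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.45:51235 -> 192.0.2.10:22",
    "01/23-14:06:40.777777  [**] [1:1000002:1] CONSTRUCTED ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10",
    "01/23-14:07:02.000000  [**] [1:1000003:1] CONSTRUCTED admin scanner [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.50:40000 -> 192.0.2.10:22",
]
```

The commands list is deliberately returned rather than executed, so the same code serves a purely automatic response (pipe it to a shell) or the coordinated human-and-automatic response of slide 16 (show it to an analyst first); the skipped list is the record step 2 asks you to keep.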
