Intrusion Detection Methods “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”
The Seven Fundamentals
• What are the methods used
• How are IDS organized
• What is an intrusion
• How do we trace and how do they hide
• How do we correlate information
• How can we trap intruders
• Incident response
The Emergency Action Card
When a computer security incident occurs, and you are not prepared, follow these ten steps:
Emergency Step 1. Remain calm. Even a fairly mild incident tends to raise everyone's stress level. Communication and coordination become difficult. Your calm can help others avoid making critical errors.
http://www.sans.org/newlook/publications/incident_handling.htm
Emergency Step 2. Take good notes. Make sure you answer the four Ws (Who, What, When, and Where) and, for extra credit, How and Why.
Emergency Step 3. Notify the right people and get help. Begin by notifying your security coordinator and your manager and asking that a coworker be assigned to help coordinate the incident handling process. Get a copy of the corporate phonebook and keep it with you. Ask your helper to keep careful notes on each person with whom he or she speaks and what was said. Make sure you do the same.
Emergency Step 4. Enforce a "need to know" policy. Tell the details of the incident to the minimum number of people possible. Remind them, where appropriate, that they are trusted individuals and that your organization is counting on their discretion. Avoid speculation except when it is required to decide what to do. Too often the initial information in an incident is misinterpreted and the "working theory" has to be scrapped.
Emergency Step 5. Use out-of-band communications. If the computers may have been compromised, avoid using them for incident handling discussions. Use telephones and faxes instead. Do not send information about the incident by electronic mail, talk, chat, or news; the information may be intercepted by the attacker and used to worsen the situation. When computers are being used, encrypt all incident handling e-mail.
Emergency Step 6. Contain the problem. Take the necessary steps to keep the problem from getting worse. Usually that means removing the system from the network, though management may decide to keep the connections open in an effort to catch an intruder.
Emergency Step 7. Make a backup of the affected system(s) as soon as practicable. Use new, unused media. If possible, make a binary (bit-by-bit) backup.
Emergency Step 8. Get rid of the problem. Identify what went wrong if you can. Take steps to correct the deficiencies that allowed the problem to occur.
Emergency Step 9. Get back in business. After checking your backups to ensure they are not compromised, restore your system from backups and monitor the system closely to determine whether it can resume its tasks.
Emergency Step 10. Learn from this experience, so you won't get caught unprepared the next time an incident occurs.
Incident response
• The real-time decisions and actions of asset managers that are intended to minimize incident-related effects on their assets and to mitigate residual security risk, based on available evidence from the incident.
Incident Response factors
• Soft factors: management policies, organizational structure, administrative procedures
• Hard factors: IDS, traps, trace-back tools
Response
• Human-initiated response
• Automatically initiated response
• Coordinated human and automatic response
Factors influencing Response
• Passive factors
• What assets have been affected or damaged by the incident
• How did the incident occur
• How was it detected
• How trustworthy is the incident-related information
Factors influencing Response
• Active factors
• What would be the effect of altering the target system's functionality
• What would be the effect of initiating trace-backs and traps
• What would be the effect of doing nothing
• How legal is the response
Robin Hood and Friar Tuck
!X id1
id1: Friar Tuck... I am under attack! Pray save me!
id1: Off (aborted)
id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!
id1: Thank you, my good fellow!
Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.
http://www.tuxedo.org/~esr/jargon/
Examples
• RealSecure + Firewall-1
• Snort + iptables
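As an added example (not from the slides or from the Snort project), a sketch of the coordinated human and automatic response the Snort + iptables pairing enables: parse Snort alert_fast lines, let policy decide which sources are blocked automatically, which go to a human for review, and which are only logged. The alert lines, the internal address range and the policy thresholds are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample lines in Snort's alert_fast format (synthetic, not real traffic).
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1000001:1] CONSTRUCTED SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:54321 -> 192.0.2.10:22
01/15-10:23:46.000001  [**] [1:1000002:1] CONSTRUCTED EXPLOIT attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40000 -> 192.0.2.10:80
01/15-10:23:47.000002  [**] [1:1000003:1] CONSTRUCTED POLICY chatty client [**] [Classification: Potentially Bad Traffic] [Priority: 3] {UDP} 198.51.100.200:5353 -> 192.0.2.10:5353
01/15-10:23:48.000003  [**] [1:1000002:1] CONSTRUCTED EXPLOIT attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.99:41000 -> 192.0.2.10:80
"""
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Policy knobs (assumed values): what the automatic half may do without a human.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed to be our own address range
AUTO_BLOCK_MAX_PRIORITY = 1    # Snort priority 1 is the most severe
BLOCK_SECONDS = 900            # automatic blocks expire; only a human extends them

def parse_alerts(text):
    """Return one dict per parseable alert_fast line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(dict(m.groupdict(), prio=int(m["prio"])))
    return alerts

def decide(alert):
    """'auto' = block without asking, 'review' = a human decides, 'ignore' = log only."""
    if any(ipaddress.ip_address(alert["src"]) in net for net in INTERNAL_NETS):
        return "review"    # never auto-block our own hosts: false positive or a compromised box
    if alert["prio"] <= AUTO_BLOCK_MAX_PRIORITY:
        return "auto"
    return "review" if alert["prio"] == 2 else "ignore"

def iptables_rule(alert):
    # Rule text for the ticket/log; this script generates it and does not execute it.
    return f"iptables -I INPUT -s {alert['src']} -j DROP  # sid {alert['sid']}, expires in {BLOCK_SECONDS}s"

def triage(text):
    """Most severe alert per source decides, so a noisy host yields one action, not hundreds."""
    out, seen = {"auto": [], "review": [], "ignore": []}, set()
    for a in sorted(parse_alerts(text), key=lambda a: a["prio"]):
        if a["src"] not in seen:
            seen.add(a["src"])
            verdict = decide(a)
            out[verdict].append(iptables_rule(a) if verdict == "auto" else f"{a['src']}: {a['msg']}")
    return out
```

The "auto" list is what the firewall half would apply (with an expiry), the "review" list is what lands on the analyst's desk; the internal-source rule keeps the automatic half from cutting off your own servers on a false positive.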