1 / 28

FUTURE DIRECTION

FUTURE DIRECTION. SAK 5514. Increasing Threat. Increasing Threat. Attackers can coordinate a fast scan. Scan very slowly. Modulating the technique to be almost undetectable. Cyber-Terrorism. Main theme of all advanced denial of service is Internet Relay Chat (IRC)

osborn
Download Presentation

FUTURE DIRECTION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. FUTURE DIRECTION SAK 5514

  2. Increasing Threat

  3. Increasing Threat Attackers can coordinate a fast scan. Scan very slowly. Modulating the technique to be almost undetectable.

  4. Cyber-Terrorism • Main theme of all advanced denial of service is Internet Relay Chat (IRC) - Groups of hackers fighting for control of IRC chat rooms developed the denial-of-service tools.

  5. Large-Scale Compromise • A number of vulnerabilities in Microsoft's Internet Explorer have been reported. • These attacks are at the bottom of the food chain in some sense—PCs—many of which are -dial up connections -government facilities - corporations -educational institutions -homes with broadband connectivity.

  6. Improved Targeting • Techniques to maximize results using broadcast packets when possible. • Avoidance of dangerous IP address ranges. • Sharing reconnaissance data between scanning organizations minimizes the footprint.

  7. Defending Against the Threat • This section is discussing the natural limits and then considers the development of skills and tools for defenders. • The below are the limits that ought to slow them down a bit. -The current DDoS type attack tools like Leaves and litmus have their command and control via Internet Relay Chat.

  8. -The money is primarily going into the defensive side of the house.

  9. Analysts Skill Set • Intrusion-detection systems have the problem that cannot detect new attacks because there is no signature for them. • The recommending is coping strategies like a box recording all traffic. - it is possible to go back after the NID - examine the stimulus that lead to the activity reported by the NID. - to keep a cache of at least several days of raw data

  10. In the future, as console solutions are fielded, it might be possible to do much of this with canned searches. • The advantages of personal firewalls on the host computers of security-aware employees are enormous and really add to the network-based data.

  11. Improved Tools • Dragon could have been a contender. • SiteProtector is just too new to be evaluated. -The author prediction is that the answer ill come down to the skills versus tools argument. • Snort is the most widely deployed sensor on the planet and the Snort ruleset and language are the most commonly read and written.

  12. Defense in Depth How firewall working • serves as an effective noise filter, stopping many attacks before they can enter your network. • Within your internal net, the router or switch can be configured to watch for signs of intrusion or fraud. • When a detect occurs, the switch either can block the session and seal off the host or just send a silent alarm.

  13. Implement Defense in Depth in today and near future • The five rules of the road are as follows: - Squelch all outgoing ICMP error unreachable messages. - Split horizon DNS. - Proxy when possible - Network Address Translation (NAT). - Implement auto-response.

  14. Defense in depth includes -configuration management -personal firewalls, anti-virus -content scanning at the perimeter -operating system patches -an active vulnerability scanning program.

  15. Large-Scale Intrusion Detection • Three large-scale intrusion detection efforts: a) Aris by SecurityFocus.com b) MyNetWatchman c) Dshield used to discover the Ramen, Lion, and Leaves worms. • These works by providing reporting software to hundreds or even thousands of clients. • These clients range from Check Point firewalls and Linksys cable routers to personal firewalls.

  16. The data is sent to a central site that allows it to be examined for trends. • collect data and the information passes a certain threshold • Can create automated or semi-automated reports and send them to the responsible party for an IP address.

  17. By Richard Bejtlich: • "I make optimum use of my network intrusion detection system (NIDS) by asking four questions: a) What could cause suspicious traffic to be generated? b) What events could my NIDS miss? c) How does real Internet behavior differ from textbook descriptions? d) Should I share events with the security community?

  18. Emerging Techniques • Current intrusion-detection systems are fairly limited. • Network-based systems are not well suited - to detect the insider threat, - to detect mobile code, - to detect intelligence-gathering viruses, - to detect modem-based attacks, or - runs along the trust model.

  19. Host-based systems - can detect these attacks, but they suffer from two big problems: • the cost of deployment. • the system overhead "tax."

  20. Virus Industry Revisited • No security tool has better desktop penetration than anti-virus software. • Intrusion-detection tools often have fewer than 500 signatures. • Virus software comes with implementations for firewalls, server systems, or the desktop. • These tools can identify, contain, eradicate, and recover with minimal user intervention.

  21. Anti-virus companies have fully solved the issue of updating a user's signature table with a variety of painless options. • Many large organizations have site licenses with these software companies and are pretty satisfied. • Anti-virus companies are already oriented to very fast turnaround of a signature table when a new exploit is detected. • These software companies often have companion products with security capabilities.

  22. Hardware-Based ID • There are three serious challenges to network-based intrusion detection: - Encrypted packets that foil string matching - Fast networks beyond the speed of the sensor - Switched networks

  23. Program-Based ID • Simson Garfinkle, who is writing software designed for special-security applications. • To protect his intellectual property from intrusion (software piracy) • To ensure the software cannot be misused without it being clear and obvious which copy of the software is the origin.

  24. The program could then detect an unauthorized entity is trying to access it. • It could then block the attack and raise an alarm. • Programs could even develop profiles about their uses. • Intrusion detection at the program level is to put a wrapper around the program.

  25. Smart Auditors • According to Alan Kay, the best way to predict the future is: - is to invent it - SANS should be engaged in helping to establish pragmatic tools and resources for auditors.

  26. Emerging Trend • Is for auditors to understand security-assessment tools and to be able to operate them. • Auditors can visit your site, plug in, and, while they are interviewing you, run an assessment tool. • System administrators when we are audited, knowledgeable, equipped auditors could be one of the most effective countermeasures against the increasing threat.

More Related