1 / 25

Advanced Intrusion Defense

Advanced Intrusion Defense. Joel Snyder Opus One. Acknowledgements. Massive Support from Marty Roesch, Ron Gula, Robert Graham Products from ISS, Cisco, and Tenable Cash and Prizes from Andy Briney and Neil Roiter. http://infosecuritymag.techtarget.com/.

phuong
Download Presentation

Advanced Intrusion Defense

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Advanced Intrusion Defense Joel Snyder Opus One

  2. Acknowledgements Massive Support from Marty Roesch, Ron Gula, Robert Graham Products from ISS, Cisco, and Tenable Cash and Prizes from Andy Briney and Neil Roiter http://infosecuritymag.techtarget.com/

  3. IDS saw a packet aimed at a protected system IDS magic decoder technology correctly identifies this as “Back Orifice!” This is an IDS alert…

  4. Last time I checked, FreeBSD 4.9 was not one of the supported platforms for BackOrifice… This IDS alert ain’t no good

  5. IDS developers will jump down your throat “False Positive” means the IDS cried wolf when there was nosuchattack Usually the result of poorly written signatures Instead, let’s invent a complex multisyllable term:“non-contextual alert” Please don’t call that a False Positive

  6. IF the IDS knew that the destination system was not running Windows… IF the IDS knew that the destination system was not running Back Orifice… IF the IDS knew that there was no such destination system… IF the IDS knew that the destination system was more hops away then TTL allowed… The IDS lacks “context”

  7. IF IF IF the IDS knew more… • THEN the IDS could tell the IDS operator more about this attack • Ron Gula (Tenable) says that alerts are “raw intelligence.” They are data, but are not information yet. We need to turn them into “well-qualified intelligence” to start a war.

  8. Target-based IDS Sensor The sensor has knowledge about the network The sensor has knowledge about the hosts Target-based Event Correlation The output of the sensor is compared to knowledge of vulnerabilities Roesch: “Target-Based IDS” Target-based IDS has two components

  9. Target-based IDS sensor • Network Flight Recorder (NFR) and Internet Security Systems (ISS) claim to be shipping IDS sensors that have target-based IDS technology in them • Sourcefire is working on putting this into its sensor • Other vendors may be including this technology (but I don’t know about them)

  10. Target-based IDS Consoles • Information Security asked me to look at three “Target-based IDS” consoles • Internet Security Systems “Fusion” • Cisco “Cisco Threat Response” • Tenable Security “Lightning Console”

  11. IDS sensors generate enormous dinosaur-sized piles of alerts;alerts are sent to the IDS console Operator gets enormous dinosaur-sized headache looking at hundreds of thousands of alerts Start with a normal IDS… … and add brains!

  12. Knowledge Somehow figure out lots of information about What systems are out there What software they are running What attacks they are vulnerable to Process Evaluate each alert with the additional contextual knowledge and decide To promote the alert To demote the alert That we don’t know Brains=knowledge + process

  13. Approach 1: ISS Fusion • NetMgr schedules scanning using ISS Scanner • Scan info, including ports & vulnerabilities, flow into SiteProtector • Sensor alerts also flow into SiteProtector • Fusion reads alerts and assigns priorities for the operator

  14. Variation 2: Tenable Lightning • NetMgr schedules “active scans” using Nessus or NeWT • Results are sent to Lightning Console • Passive scan results are collected by NeVO • Passive results are sent to Lightning

  15. What is “Passive Scanning?” By simply watching the traffic fly by, you can learn a great deal • TCP connections have “fingerprints” • Fingerprints are useful for identifying the TCP stack (hence: the O/S) involved • Existence proof • Applications (client & server) have “banners” • Banners can reveal application names, version numbers, and patch levels

  16. Tenable (continued) • IDS sensors send alerts to console (Bro, Snort, ISS, Enterasys, NAI) • Lightning compares every alert to the known vulnerability database, rejecting all that don’t match an identified vulnerability

  17. Approach 3: Cisco CTR • IDS sensors send alerts to their native console • Copies of alerts also go to CTR • CTR investigates alerts • Alerts plus investigation are available to operator

  18. If you scan before… You can’t verify that an attack actually succeeded Your scan will always be out of date If you scan/verify after… You can verify that an attack did something You might be a day late (and a dollar short) to catch things You potentially can create a DoS condition Scan before vs after

  19. Yes, but… Be careful what you wish for All products had a significant reduction in IDS alerts Caveats CTR - rolling window of only 1000 events! Lightning - only shows events with matched vulnerabilities! Do they work?

  20. When you scan is important How you scan is important Where you scan is important Caveats Scanning after the fact can be a problem Scanning before the fact can be a problem Passive scanning can miss things Active scanning can miss things What about scanning?

  21. It could… But none of the products I looked at have a feedback loop to the IDS! Why don’t the scanners tell the IDS what ports to look on? Why don’t the scanners tell the IDS what signatures to ignore? Can this quiet my IDS down?

  22. YES! “I already have an IDS and I care about the alerts and I need some way to help prioritize them because I am drowning in alerts!” “I need to get an IDS for alerts but don’t have the manpower to analyze the alerts.” NO! “If I get this, my IDS will be a self-tuning smooth-running no-maintenance machine.” “I have no network security policy that says what to do when an alert occurs.” Is this right for you?

  23. Advanced Intrusion Defense Joel Snyder Opus One jms@opus1.com

  24. Questions? Submit your questions to Joel by clicking on the Ask A Question link on the lower left corner of your screen.

  25. More information Thank you for participating in this SearchSecurity webcast. For more information on intrusion defense, visit our Featured Topic: http://www.searchSecurity.com/featuredTopic/IntrusionDefense

More Related