1. The Evolution of IDS: Why Context is Key
Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault
© 2014 The SANS™ Institute - www.sans.org
2. Introduction
• How has IDS/IPS changed in the
past 10 years?
• First, there’s been more of a move
to prevention vs. just passive
detection
• Second, IDS really doesn’t
function as a “standalone” tool
anymore (for most)
• The context of what is happening
in and around the environment is
key
3. Packets? What packets?
• Getting access to network traffic
was one of the first goals of
intrusion detection platforms
• Classic sniffers like tcpdump led
to the creation of Snort and Bro,
as well as commercial options
• Gaining access to the network
traffic itself was a challenge
– Promiscuous mode interfaces
– Dual-homed configs
– Finally, SPAN ports or taps
4. Aha. Now we’ve got packets!
• Packets! We have them!
• But…now what?
• For most, setting up IDS sensors led
to the realization that we needed
better knowledge of the environment
5. Patterns of packets make more sense.
• We now can start to analyze
patterns of behavior
– Who is talking to whom
– Types of traffic
– Source/destination ports
– Protocols
• Patterns of traffic ebbs and flows
are useful for volume analysis and
troubleshooting, too
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
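Turning flow records like the two rows above into the "who talks to whom, which ports, which protocols" patterns this slide describes. This is an added example, not code from the deck or from AlienVault: it assumes the row layout shown (interface, protocol and port columns printed in hexadecimal, `Fl` as hex TCP flags, packet and byte counts in decimal), and the rows beyond the first two are constructed to show a fan-out pattern that a plain per-packet signature would never see.

```python
from collections import defaultdict

# Constructed sample: the first two data rows are the ones shown on the slide,
# the rest are made up to add a UDP conversation and a one-source/many-target
# SYN pattern. Sif/Dif, Pr, SrcP, DstP and Fl are assumed to be hexadecimal.
SAMPLE_FLOWS = """\
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
0059 10.0.0.5 005b 10.0.0.53 11 c2a1 35 3 210 0721.21:58:01.100 0721.21:58:01.120 0.020 70 00 00
0059 10.0.0.5 005b 10.0.0.53 11 c2a2 35 2 150 0721.21:58:02.100 0721.21:58:02.110 0.010 75 00 00
0059 203.0.113.9 005b 10.0.0.7 06 f1a0 16 1 40 0721.21:58:03.000 0721.21:58:03.000 0.000 40 00 02
0059 203.0.113.9 005b 10.0.0.8 06 f1a1 16 1 40 0721.21:58:03.001 0721.21:58:03.001 0.000 40 00 02
0059 203.0.113.9 005b 10.0.0.9 06 f1a2 16 1 40 0721.21:58:03.002 0721.21:58:03.002 0.000 40 00 02
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_flows(text):
    """Parse whitespace-separated flow rows (header first) into dicts.
    Hex columns are decoded so ports and protocols compare as integers."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    flows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            continue  # malformed or truncated row: skip rather than misalign columns
        rec = dict(zip(header, cols))
        flows.append({
            "src": rec["SrcIPaddress"],
            "dst": rec["DstIPaddress"],
            "proto": int(rec["Pr"], 16),
            "sport": int(rec["SrcP"], 16),
            "dport": int(rec["DstP"], 16),
            "pkts": int(rec["Pkts"]),
            "octets": int(rec["Octets"]),
            "flags": int(rec["Fl"], 16),
        })
    return flows


def decode_flags(proto, flags):
    """Human-readable TCP flag set; '-' for non-TCP flows where Fl is meaningless."""
    if proto != 6:
        return "-"
    names = [name for bit, name in TCP_FLAG_BITS if flags & bit]
    return "|".join(names) if names else "none"


def conversations(flows):
    """Who talks to whom: flows, packets and bytes per (src, dst, proto, dport)."""
    agg = defaultdict(lambda: {"flows": 0, "pkts": 0, "octets": 0})
    for f in flows:
        key = (f["src"], f["dst"], PROTO_NAMES.get(f["proto"], str(f["proto"])), f["dport"])
        agg[key]["flows"] += 1
        agg[key]["pkts"] += f["pkts"]
        agg[key]["octets"] += f["octets"]
    return dict(agg)


def fan_out(flows, min_targets=3):
    """Sources whose SYN-only TCP flows reach many distinct hosts on one port:
    the shape of a horizontal scan, visible only across records, not in any one."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["flags"] == 0x02:
            targets[(f["src"], f["dport"])].add(f["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, stats in conversations(flows).items():
        print(key, stats)
    for (src, port), hosts in fan_out(flows).items():
        print(f"fan-out: {src} -> {len(hosts)} hosts on port {port}")
```

Decoding the hex columns matters more than it looks: the slide's `50` is TCP/80 and `4f3` is port 1267, and a rule written against the raw strings would silently match nothing.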
6. Patterns -> Blocking.
• Intrusion detection gave way to
blocking with intrusion prevention
systems
– This was driven by better
understanding of traffic patterns
and signature sets
• Most IDS and IPS platforms, even
in blocking mode, did not have
much understanding of context
– Most blocks were “point in time”
matches based on packet attributes
7. What do the patterns MEAN?
• IDS and IPS needed to evolve to
make better sense of what was
happening in the environment
• To that end, more data is needed
– Events from other network devices
– Events from scans and user
information
– Data from vulnerability scanners
and monitoring tools
• This is how we can start to build
context of what’s happening in
the environment.
8. Event Data, and Lots of It
[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Traditional IDS and IPS alerts are often overwhelming
9. Event Data, and Lots of It (2)
Firewalls and routers are simple,
static filtering devices with no
understanding of context
10. Context + Alerting
• With event data from numerous
sources, you can start to build
context in the environment
– What systems communicate in a
given subnet?
– What known vulnerabilities are
there in the environment?
– What network devices does the
traffic pass through?
• The IDS/IPS by itself, however,
will still only report what it “sees”
11. Visibility: What IDS “Sees”
• Only traffic that passes by or through
the IDS/IPS is analyzed
– Subnets? Check.
– Source/Destination ports? Check.
– Applications or platforms in use? Nope.
12. Visibility: More Data = Better
• Attacks are no longer viewed as
discrete events at a “point in
time”
• More data adds context and tells a
better “security story”
– Passive scan data on OS,
applications
– Active scan data on vulnerabilities
– Behavioral trend data
– System logs and endpoint security
– User directory data
13. Hmmm. Too many alerts?
• Now we have to start paring down
alerts to get to *better* data
– Are there false positives we’ve
discovered?
– Can we prioritize some data?
– Can we start combining data types
into unique alert models?
• Data overload is a very common
problem with IDS/IPS sensors
14. Correlation -> BETTER alerts.
• Correlation makes a big difference
in how events are reported
• Not every unique event makes
sense to alert on
– Combinations of events
– Quantity of events
– Times of day or location
(source/destination)
• Having some context and
behavioral baseline can help
15. Correlation Examples
• High Severity Threat Targeting
Vulnerable Asset
– Goal: Identify threats in real time that
are likely to compromise a host.
Vulnerability data has shown the host
to be vulnerable to the inbound attack
being detected by NIPS.
– Trigger: Any event from a single IP
Address targeting a host known to be
vulnerable to the attack that is
inbound.
– Event Sources: NIPS events,
Vulnerability Assessment data
16. Correlation Examples
• Repeat Attack - Multiple Detection Sources
– Goal: Find hosts that may be infected
or compromised detected by multiple
sources (high probability of true
threat).
– Trigger: Alert on ANY second threat
type detected from a single IP Address
by a second source after seeing a
repeat attack. (i.e. Repeat Firewall
Drop, followed by Malware Detected)
– Event Sources: Firewall, NIPS, Anti-
Virus, HIPS, Failed Login Events
17. The Keys to Context-Driven Threat Assessment
1. Visibility: Know what you’re
protecting in the environment
2. Baselines: Understand the
behaviors of the assets in your
environment
3. Impact: Understand how threats
will impact assets
4. Intelligence: Incorporate threat
intelligence from
internal/external sources
5. Action: Prioritize security
response
18. Threat Intel -> Better Correlation.
• Threat intelligence is the set of
data collected, assessed, and
applied regarding:
– Security threats
– Threat actors
– Exploits
– Malware
– Vulnerabilities
– Compromise indicators
• When this data is incorporated,
much more accurate event
monitoring can take place
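The two correlation rules from slides 15 and 16 ("High Severity Threat Targeting Vulnerable Asset" and "Repeat Attack - Multiple Detection Sources"), together with the threat-intelligence enrichment slide 18 argues for, as one runnable example. This is added code, not the deck's and not AlienVault USM's correlation engine: the `Event` shape, the `VULN_DATA` scanner inventory, the `INTEL_BAD_IPS` indicator list and the thresholds (three repeats inside a 300-second window) are all constructed assumptions chosen to show the rules firing and, just as importantly, not firing on look-alike noise.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One normalized event from any source. Constructed schema, not a vendor format."""
    ts: int          # seconds, relative; constructed
    source: str      # "nips", "firewall", "av", "hips", "auth"
    src_ip: str
    dst_ip: str
    kind: str        # "exploit", "drop", "malware", "failed_login", ...
    cve: str = ""    # vulnerability reference carried by a NIPS signature, if any


# Constructed vulnerability-scanner inventory: host -> confirmed CVEs.
VULN_DATA = {
    "192.168.1.61": {"CVE-2014-0001", "CVE-2014-0002"},
    "192.168.1.62": set(),   # scanned, nothing open
}
# Constructed indicator list standing in for a threat-intel feed (hypothetical entries).
INTEL_BAD_IPS = {"203.0.113.9": "known scanner"}


def rule_vulnerable_target(events, vuln_data):
    """Slide 15: NIPS sees an attack whose signature references a CVE that the
    scanner has confirmed on the destination host. Same signature against a
    patched host is left alone, which is where most of the noise reduction comes from."""
    return [
        {"rule": "vulnerable_target", "src": e.src_ip, "dst": e.dst_ip,
         "cve": e.cve, "priority": "high"}
        for e in events
        if e.source == "nips" and e.cve and e.cve in vuln_data.get(e.dst_ip, set())
    ]


def rule_repeat_then_second_source(events, repeat_threshold=3, window=300):
    """Slide 16: at least N events of one (source, kind) from a single IP, then an
    event of a different kind from a different detection source inside the window.
    Example: repeated firewall drops followed by an AV detection from the same IP."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src_ip].append(e)
    hits = []
    for ip, evs in by_src.items():
        for i, e in enumerate(evs):
            recent = [p for p in evs[:i] if e.ts - p.ts <= window]
            repeats = Counter((p.source, p.kind) for p in recent)
            trigger = next(((s, k) for (s, k), n in repeats.items()
                            if n >= repeat_threshold and s != e.source and k != e.kind),
                           None)
            if trigger:
                hits.append({"rule": "repeat_then_second_source", "src": ip,
                             "repeated": f"{trigger[0]}:{trigger[1]}",
                             "confirmed_by": f"{e.source}:{e.kind}", "priority": "high"})
                break  # one alert per source IP, not one per follow-on event
    return hits


def enrich_with_intel(alerts, intel):
    """Slide 18: tag alerts whose source IP is a known indicator and raise their
    priority one step. Returns new dicts; input alerts are not mutated."""
    enriched = []
    for a in alerts:
        a = dict(a)
        tag = intel.get(a["src"])
        if tag:
            a["intel"] = tag
            a["priority"] = "critical" if a["priority"] == "high" else "high"
        enriched.append(a)
    return enriched


def correlate(events, vuln_data=VULN_DATA, intel=INTEL_BAD_IPS):
    alerts = rule_vulnerable_target(events, vuln_data) + rule_repeat_then_second_source(events)
    return enrich_with_intel(alerts, intel)


# Constructed event stream exercising both rules and two near-misses.
SAMPLE_EVENTS = [
    Event(100, "nips", "198.51.100.7", "192.168.1.61", "exploit", cve="CVE-2014-0001"),  # vulnerable host
    Event(101, "nips", "198.51.100.7", "192.168.1.62", "exploit", cve="CVE-2014-0001"),  # patched host: no alert
    Event(200, "firewall", "203.0.113.9", "192.168.1.10", "drop"),
    Event(210, "firewall", "203.0.113.9", "192.168.1.11", "drop"),
    Event(220, "firewall", "203.0.113.9", "192.168.1.12", "drop"),
    Event(260, "av", "203.0.113.9", "192.168.1.12", "malware"),   # second source confirms
    Event(300, "firewall", "192.0.2.4", "192.168.1.10", "drop"),
    Event(301, "firewall", "192.0.2.4", "192.168.1.10", "drop"),
    Event(302, "firewall", "192.0.2.4", "192.168.1.10", "drop"),
    Event(303, "firewall", "192.0.2.4", "192.168.1.10", "drop"),  # fourth drop, same source: no alert
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Ten raw events collapse to two alerts here, and the one that ends up "critical" is the one a second sensor confirmed and an indicator list recognized; the exploit against the patched host and the fourth firewall drop never surface, which is the point of the slide.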
19. IDS…Where’s it going?
• Intrusion detection systems are
evolving today
– More context-aware
– More behavioral analysis
– Some “SIEM-like” capabilities, too
• Some IDS can now also integrate
with threat intelligence feeds
• IDS is not a “set and forget”
technology
– Tuning and correlation are required
21. Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
Coordinated Analysis, Actionable Guidance
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries
Join OTX: www.alienvault.com/open-threat-exchange
22. Questions?
Q@SANS.ORG
Three Ways to Test Drive
AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usm-live-demo
Thank You!