1. Intrusion Detection
CTO Forum
November 9, 2001
Tom Casey
Tcasey@pec.com
703.679.4900

2. 2
Agenda
• Risks Associated with E-business
• Elements of an Intrusion Detection Strategy
• Misuse and Anomaly Detection
• Application, Host, and Network Based Tools
• Active and Passive Response
• Intrusion Detection System Architecture
• Technical and Legal Issues
• Commercial and Open Source ID systems

3. 3
Reported Incidents Increasing
Number of Incidents Reported
0
5000
10000
15000
20000
25000
30000
35000
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
*2001
Years
NumberofIncidents
*Q1-Q3 2001Cert.org Statistics October 15, 2001
34,754
21,756
2,412
132

4. 4
Risks Associated with E-business
• Defaced Websites
• Denial of Service/DDOS
• Theft of Company Proprietary Information
• Theft of Customer Information
• Downtime = Loss of Revenue
• Negative Press = Negative Public Image
• Internal and External Threats

5. 5
History of Intrusion Detection
• Intrusion Detection (ID) defined:
– Process of monitoring computer networks and systems for
violations of security policy
• First ID System--manual “system audits”
• 1980, ID was born
– First document need for automated audit trail review to
support security goals
• Growth of Internet

6. 6
The Importance of Intrusion Detection
• A perfectly secure system is a myth
– Firewalls and filtering routers aren’t enough to protect
electronic assets
• Effective audit information analysis required a tool
• An IDS is one of many components supporting a
robust security architecture-”Defense in Depth”
– Firewalls, VPN, Virus Protection, Vulnerability Assessments
etc.
• Protect valuable information resources from internal
and external threats

7. 7
An IDS can accomplish the following
• Prevents and/or mitigates the damage resulting from
intrusion
• Identifies a precursor of more serious activity
• Identifies perpetrators
• Discovers new attack patterns

8. 8
Elements of a Complete Intrusion
Detection Strategy
• Policy!
– Policy is living, constantly evolving
– ID configuration/design must support policy
• Intrusion Detection System (IDS) architecture
• Institutionalized Incident Response
– Responses map to policy
– Working with law enforcement
– CERTs
• Trained security personnel
• Awareness Programs - Support from Users

9. 9
Time Line of an Attack
Probing:
•Port Sweeps
•Address sweeps
•Doorknob Ratting
Break-in:
•Operating System Bugs
•Sniffed Passwords
•Social Engineering
•Back Door
Malicious Actions:
•Steal Data or Programs
•Hop to other systems
•Install Back Door
•Setup Sniffer
•Steal CPU time

10. 10
Misuse Detection
• Misuse, signature/pattern-matching
• Reliably detecting “known” use patterns
• Detects only known intrusions
• Difficult handling large volumes of data
• Does not handle uncertainty

11. 11
Anomaly Detection
• Anomaly Detection
• Establish profile of “normal” user behavior
• Patterns of abnormality, rare, unusual behavior
• Accommodate adaptations to changes in user
behavior
• Statistical and Quantitative analysis
• Assumes users exhibit predictable, consistent
patterns of system usage

12. 12
Anomaly Detection (con’t.)
User Normal Behavior Anomaly in User Behavior
System
Administrator
Secretary
Programmer
•Log in as root
•Edit user’s access permissions
•Run system configuration/
monitoring tools
•Logged in locally during company
working hours
•Uses office automation software
(word processing, etc)
•Reads and sends emails
•Logged in from early morning
to late night
•Uses software development
tools
•Browses Internet more often in
the evening then the daytime
•Becomes a programmer
•Accesses Software Development tools
•Accesses Software project sources
•Logs in from a remote host
•Assumes the role of a manager
•Logs in as a human resources manager
•Gains access to personnel database

13. 13
Intrusion Detection Tools
• Application-based
– Collects information and detects intrusion at the application layer
– Placement: E-commerce Server, WebServer
• Host-based
– Agent software on host
– Monitors: event logs, critical system files, registry settings, etc
– Alerts management console, reacts actively and/or passively
depending upon policy
• Network-based
– Operates at the network level
– Detects DOS or dangerous payloads before the reach destination
– Dedicated host, two interfaces: Management and Stealth

14. 14
Active Responses
• User driven
• Automatic Responses
• System takes action to block the progress of attack
– Closing holes, shutting down services, logging an intruder
– Block IP address(es)
• Collect more information (honey pots)

15. 15
Passive Responses
• System logs and reports problem
• Alarms and notification
– visual, audible, email paper
• SNMP traps
• Archiving and reporting

16. 16
IDS Architecture Recommendations
• Network based
– At Internet connection points
– Key internal network segments
– In the DMZ
– Just inside the Firewall (Intranet)
– Behind WAP server, WAN router, modem pool
• Host-based
– Servers containing critical data
– Domain servers
• Optimum Architecture: Combine misuse and
anomaly detection

17. 17
Sample IDS Architecture
Firewall
Internet Router
Web
Server(S)
DMZ Services
Email
Relay
Border
Directory
Host IDS Agent
Domain
Controller
Personnel
Database
User
Workstations
User
Workstations
IDS Central
Management
Console
Network Sensor
Network Sensor
Network Sensor
User
WorkstationsStealth Mode
Customer
Database
Corporate Private Network
Web
Server(s)
File and
Print Server

18. 18
Technical Issues
• Scalability
– Scaling over space as the network grows
• Management
– Network Management
– Sensor Controls
– Investigative Support
– Performance Loads
– User Interface
• Reliability
– Quality of analysis engines
– Response mechanisms

19. 19
Technical Issues (con’t)
• Analysis
– Difficulties categorizing attacks/threats
– False positives/negatives (tuning anomaly detection
engines)
– Trend analysis, event correlation, data mining
• Interoperability
– Tools to collect information from: multiple abstraction layers,
hardware, software
– Audit trail standards
• Integration
– Intrusion detection in a Switched Environment
– Intrusion detection in a Crypto Environment

20. 20
Legal Issues
• Legislation
– Computer fraud and abuse statutes
– Electronic Communications Privacy Act Sec 2510
• System logs are circumstantial evidence
– Requires proof of authenticity
– Testimony of responsible parties
– Expert to explain log file contents
– Maintaining redundant event log records
• Electronic Monitoring
– System admin monitoring vs. Law enforcement monitoring
• Cyber Forensics

21. 21
Commercial and Open Source
• Leading Commercial Vendors
– Internet Security Systems (ISS): RealSecure
– NetworkICE: BlackICE
– Enterasys System: Dragon
– Cisco Secure Systems: IDS
– NFR: Network Intrusion Detection
• Open Source
– Snort.org
• Managed Security Providers (MSPs)
– Leverage the MSPs’ security expertise
– Ideal for Small/Mid-sized business
– Leverage MSP experience with other customers
– Focus your staff and resources on your core business activities
– 24X7X365 Monitoring and Notification

22. 22
Current and Future Trends in IDS
• Protocol Scanners
• “Meta” Detection
– Interoperability
– Centralized Administration, Management, and Reporting
• IDS Appliances
– No general purpose OSes to configure and maintain
– No patches/Drivers to install
– Facilitates: accuracy, speed, and remote management
– 100 Gigabit Detection

23. 23
References
• Internet Security Systems: www.iss.net
• Enterasys Networks: www.enterasys.com
• Cisco Systems: www.cisco.com
• Snort: www.snort.org
• NFR Security www.nfr.com
• CERT @ Carnegie Melon: www.cert.org
• Sans Institute: “The Twenty Most Critical
Internet Security Vulnerabilities”
http://www.sans.org/top20.htm
• Computer Security Institute: "2001 Computer Crime
and Security Survey"
http://www.gocsi.com/prelea/000321.html

24. Web-Enabling Government SM