What is an Intrusion?An intrusion is somebody attempting to break into ormisuse your system. The word “misuse” can reflectsomething severe as stealing confidential data to somethingminor such as misusing your email system for spam.Intrusion can be defined as any set of actions that attemptto compromise the integrity, confidentiality or availability of resource.In the context of info systems, intrusion refers to anyunauthorized access, unauthorized attempt to access ordamage or malicious use of info resources.
WHO ARE INTRUDERS?• Outsiders. Intruders from outside the network. They may attempt to go around the firewall to attack machines on the internal network.• Insiders. Intruders that legitimately use your internal network. These include users who misuse privileges or who impersonate higher privileged users.
HOW DO INTRUDERS GET INTO THE SYSTEM? • Physical intrusion. • System intrusion. • Remote intrusion.
WHAT IS AN INTRUSION DETECTION SYSTEM?• The main function of an IDS is to warn about suspicious activity taking place, but not to prevent them.• An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker.
Intrusion Detection Systems (IDS)IDS designed to detect security breaches.IDS designed to aid in mitigating damage caused by hacking.Basic intent behind IDS: spot something suspicious onNW/system and sound alarm.May look for data bits that indicate questionable activity ormonitor system logs.Events that sound alarm – may not be an intrusion; anyabnormal activity may trigger, depending on configuration.
Intrusion Detection Systems (IDS)All IDS have three things in common: Sensors: collect tfc and user activity data and sends to analyzer. Analyzer: Looks for suspicious activity. Administrator Interface: If analyzer detects suspicious activity, sends an alert to the Admin Interface.
Intrusion Detection Systems (IDS)Why use an IDS:To detect attacks and other security violations that are notprevented by other security measures,To detect and deal with the preambles to attacks (commonlyexperienced as network probes and other “doorknob rattling”activities),To document the existing threat to an organizationTo act as quality control for security design and administration,especially of large and complex enterprisesTo provide useful information about intrusions that do takeplace, allowing improved diagnosis, recovery, and correction ofcausative factors.
Intrusion Detection Systems (IDS)IDS can be configured for: Watch for attacks Parse audit logs Terminate a connection Alert an admin as attacks are happening Protect system files Expose a hacker’s techniques Throw up vulnerabilities that need to be addressed Possibly help to track down hackersTwo main type of IDS: NIDS HIDS
Network Intrusion Detection Systems (NIDS)Uses sensors to monitor all NW tfcCannot see the activities within the computer itself.
Host based Intrusion Detection Systems (HIDS)Installed on indl workstns / serversWatches for abnormal activityNIDs understands and monitors NW tfc, HIDs monitors thecomputer only on which it is installed.Gen, HIDS installed on critical servers only due to administrativeoverheads.
Types of HIDS/NIDSSignature based Pattern matching Stateful matchingAnomaly based Statistical anomaly based Protocol anomaly based Tfc anomaly basedRule based
Types of HIDS/NIDSKnowledge or Signature based IDSKnowledge is gained by sensors about how specific attacks arecarried out.Each identified attack has a signatureEg of a signature:A pkt having the same source and destination address (LandAttack)A TCP header of a pkt in which all values are set to 1s (xmasattack).Once these type of attack discovered, vendors wrote signaturesthat looks specially for pkts with same source and destinationaddresses or with TCP headers flag set to all 1s.
Types of HIDS/NIDSKnowledge or Signature based IDSMost popular IDS today.Effectiveness depends on regularly updating signature database.May not be able to uncover new types of attacks.
Types of HIDS/NIDSState based IDSWhat is a state?Every change that an OS experiences (user log on, opening ofaplns, user data input, etc), is a state transition.Gen happens continuously in any system.So again, what is a state?A snapshot of an OS’s values in volatile and non-volatile memorylocations.In a state based IDS:Initial state is the state prior to attack execution.Compromised state is the state after successful penetration.The IDS has rules as to which state transitions should triggeralarm.
Types of HIDS/NIDSAn example of State based IDS •A remote user connects to a system •Sends data to an apln (data exceeds alloted buffer for this empty variable). •The data is executed and overwrites the buffer and possibly other memory segments. •A malicious code executes.State based IDS looks for activity between initial andcompromised state and sends alert if any state transitionsequence matches its preconfigured rules.Requires frequent signature updates.
Types of HIDS/NIDSStatistical Anomaly based IDSA behavior based system (also called heuristic IDS).Does not use a signature database.Initially put in a learning mode wherein the IDS learns the `normal’NW activities.The longer it is in learning mode, more accurate profile of anormal state is built up.After a profile is built, all future activities are compared to this`normal’ profile.If an activity exceeds a predefined `normal’ threshold, the alert istriggered.
Types of HIDS/NIDSStatistical Anomaly based IDS - BenefitsCan react to 0 day attacksAlso capable of detecting the low and slow attacksStatistical Anomaly based IDS – ProblemsMay provide overwhelming number of false positives.If an attacker discovers an IDS on a NW, will try to detect type sothat he can circumvent it.With a behavior based IDS, attacker will try to integrate activitiesin the `normal’ NW usage.If an attack was underway when the IDS was in learning mode,an attack will never be detected.Sends generic alerts compared to specific alerts thrown up bysignature based IDS.
Types of HIDS/NIDSStatistical Anomaly based IDSStrength of this IDS lies in determining actual thresholds of normalactivity.Once an attack is iden, the IDS can: Send an alert to the admin’s console. Send an email to a preconfigured address. Kill the connection of the detected attack Reconfigure a router/firewall to stop any further similar attacks.
Types of HIDS/NIDSProtocol Anomaly based IDSThese IDS have specific knowledge of each protocol they willmonitor.A protocol anomaly pertains to the format and behavior of aprotocol..The IDS builds a model of each protocol’s `normal’ usageEg of protocol anomaly:Data Link Layer: ARP attack where bogus data is inserted in anARP table.NW Layer: ICMP can be used in a Loki Attack to move data fromone place to another.
Types of HIDS/NIDSTraffic Anomaly based IDSDetects changes in NW tfc patternsTfc patterns may change during DoS attacks or when a newservice is introduced on the NW.The IDS learns the normal tfc pattern and sets a threshold.0 day attacks can be detected.
Types of HIDS/NIDSRule based IDSA signature based IDS is very straightforward –if a pkt has same source/destination address, send alert.A statistical anomaly based IDS is also straightforward –X logs in his system at 8 AM and logs off at 5 PM everyday. If helogs on at 10 PM, it is an anomaly and an alert is sent.Rule based IDS gen used in expert systems (ArtificialIntelligence).An expert system has:A knowledge baseAn inference engineRule based programming.
Types of HIDS/NIDSRule based IDSRule based programming refers to - IF situation THEN action.The rules are applied to facts (data that comes in from a sensor).Rule based IDS gathers data from sensors/logs, the inferenceengine uses its pre-programmed rules on it. If characteristics ofthe rule is met – an alert is triggered.Eg of a rule based IDS:IF a root user creates file1 AND creates file2 SUCH THAT they are in thesame directory AND the root user opens tool1 TRIGGER send alert.
IDSPlacement of sensorsOutside the FW- detect attacksInside the FW – to detect actual intrusionsHighly sensitive subnetsDMZsNW Tfc:Every vendor’s IDS product has a threshold.If NW tfc exceeds the threshold, all pkts may not be examinedand attacks may go unnoticed.In high tfc environments multiple sensors reqd to be placed toensure all pkts are investigated.
WHAT IS IPS?• Intrusion Prevention System (IPS) is any device (hardware or software) that has the ability to detect attacks, both known and unknown, and prevent the attack from being successful.
Intrusion Prevention Systems (IPS)The bad guys are always one step ahead of the securityprofessionals.Security professionals try and come up with innovative means todetect and prevent attacks.IPS is a preventive device rather than a detective device (IDS).An IPS combines the prevent action of a FW with the in depthpkt analysis function of an IDS.
CLASSIFICATION OF IPS• Broadly classified into two categories – Host IPS (HIPS) – Network IPS (NIPS)
HOST-IPS• HIPS is installed directly on the system being protected• It binds closely with the operating system kernel and services, it monitors and intercepts system calls to the kernel in order to prevent attacks as well as log them.• It prevents the system from generic attacks for which no “signature” yet exists.
NETWORK-IPS• Has two network interfaces, one designated as internal and one as external.• Packets passed through both interfaces and they determined whether the packet being examined poses a threat.• If it detects a malicious packet, an alert is raised, the packets are discarded immediately. Legitimate packets are passed through to the second interface and on to their intended destination.
INLINE NETWORK IPS• It is configured with two NICs, one for management and one for detection.• NIC that is configured for detection usually does not have an IP address assigned .• It works by sitting between the systems that need to be protected and the rest of the network.• It inspects the packet for any vulnerabilities that it is configured to look for.
LAYER SEVEN SWITCHES• Placing these devices in front of your firewalls would give protection for the entire network.• However the drawbacks are that they can only stop attacks that they know about.• The only attack they can stop that most others IPS can’t are the DoS attacks.
APPLICATION FIREWALLS• These IPSs are loaded on each server that is to be protected.• These types of IPSs are customizable to each application that they are to protect.• It profiles a system before protecting it. During the profiling it watches the user’s interaction with the application and the applications interaction with the operating system to determine what legitimate interaction looks like.• The drawback is that when the application is updated it might have to be profiled again so that it does not block legitimate use.
HYBRID SWITCHES• They inspect specific traffic for malicious content as has been configured .• Hybrid switch works in similar manner to layer seven switch, but has detailed knowledge of the web server and the application that sits on top of the web server.• It also fails , if the user’s request does not match any of the permitted requests.
DECEPTIVE APPLICATIONS• It watches all your network traffic and figures out what is good traffic.• When an attacker attempts to connect to services that do not exist, it will send back a response to the attacker• The response will be “marked” with some bogus data. When the attacker comes back again and tries to exploit the server the IPS will see the “marked” data and stop all traffic coming from the attacker.
HoneypotsA system set up as a sacrificial lamb on a NW.Not locked down.Modified operational data kept on system to lure hackers to thissystem rather than going to an actual operational system.Enables admin to know what types of attacks are occurring.May also help to track down an intruder.More the time spent by the hacker on a honeypot, more info canbe gained about his techniques.
HoneypotsLegal issues with a honeypotEnticement versus entrapment.