b ace 99 assessment

&for System and NetworkSecurity Management

ASSESSMENT Intrusion Detection

An Introduction to

ICSA, Inc. For more information, call 888-396-8348 2

An Introduction to Intrusion Detection and Assessment

Participating Vendors:

Prepared by Rebecca Bace from Infidel, Inc. for ICSA, Inc.



Systems and networks are subject to electronic attacks. The increasingly frequent attacks on Internet-

visible systems are attempts to breach information security requirements for protection of data.

Vulnerability-assessment tools check systems and networks for system problems and configuration

errors that represent security vulnerabilities. Intrusion-detection systems collect information from a

variety of vantage points within computer systems and networks and analyze this information for

symptoms of security breaches. Both intrusion-detection and vulnerability-assessment technologies

allow organizations to protect themselves from losses associated with network security problems.

The market for intrusion-detection products, driven by reports of steadily increasing computer security

breaches, has grown from $40 million in 1997 to $100 million in 1998. Intrusion-detection is the

logical complement to network firewalls, extending the security management capabilities of system

administrators to include security audit, monitoring, attack recognition, and response.

Intrusion detection systems perform a variety of functions:

• Monitoring and analysis of user and system activity

• Auditing of system configurations and vulnerabilities

• Assessing the integrity of critical system and data files

• Recognition of activity patterns reflecting known attacks

• Statistical analysis for abnormal activity patterns

• Operating-system audit-trail management, with recognition of user activity reflecting policy

violations

Benefits of intrusion-detection and vulnerability-assessment products include the following:

• Improving integrity of other parts of the information security infrastructure

• Improved system monitoring

Executive Summary



• Tracing user activity from the point of entry to point of exit or impact

• Recognizing and reporting alterations to data files

• Spotting errors of system configuration and sometimes correcting them

• Recognizing specific types of attack and alerting appropriate staff for defensive responses

• Keeping system management personnel up to date on recent corrections to programs

• Allowing non-expert staff to contribute to system security

• Providing guidelines in establishing information-security policies

Unrealistic expectations about intrusion-detection and vulnerability assessment products must be cor-

rected: these products are not silver bullets and they

• cannot compensate for weak identification and authentication mechanisms

• cannot conduct investigations of attacks without human intervention

• cannot intuit the contents of your organizational security policy

• cannot compensate for weaknesses in network protocols

• cannot compensate for problems in the quality or integrity of information the system provides

• cannot analyze all of the traffic on a busy network

• cannot always deal with problems involving packet-level attacks

• cannot deal with modern network hardware and features



INTRODUCTION 9• Definitions 9

• About ICSA’s Intrusion Detection Systems Consortium 10

• About This White Paper Series 11

INTRUSION DETECTION OVERVIEW 11

• What Is Intrusion Detection? 11

• Vulnerability Assessment and Intrusion Detection 12

• Products Can Be Successfully Deployed in Operational Environments 12

• Table of Technology Features 13

WHERE INTRUSION DETECTION SYSTEMS, FILE INTEGRITY AND

VULNERABILITY ASSESSMENT PRODUCTS FIT IN NETWORK SECURITY

MANAGEMENT 14

• Network Security Management 14

• The Security Hierarchy 14

• Why Firewalls aren’t enough 14

• Who Guards the Guard? – Trust and Intrusion Detection 15

• System Security Management – a Process View 15

DEBUNKING MARKETING HYPE – WHAT INTRUSION DETECTION SYSTEMS

AND RELATED TECHNOLOGIES CAN AND CANNOT DO 16

• Realistic benefits 16

- They can lend a greater degree of integrity to the rest of your security infrastructure. 16

- They can make sense of often obtuse system information sources, telling you what’s really

happening on your systems. 17

- They can trace user activity from the point of entry to point of exit or impact 17

- They can recognize and report alterations to data files 17

Table of Contents



- They can spot errors of your system configuration that have security implications, sometimes

correcting them if the user wishes 17

- They can recognize when your system appears to be subject to a particular attack. 17

- They can relieve your system management staff of the task of monitoring the Internet

searching for the latest hacker attacks. 17

- They can make the security management of your systems by non-expert staff possible. 18

- They can provide guidelines that assist you in the vital step of establishing a security policy

for your computing assets. 18

• Unrealistic expectations 18

- They are not silver bullets 18

- They cannot compensate for weak identification and authentication mechanisms 18

- They cannot conduct investigations of attacks without human intervention 18

- They cannot intuit the contents of your organizational security policy. 19

- They cannot compensate for weaknesses in network protocols 19

- They cannot compensate for problems in the quality or integrity of information the system

provides 19

- They cannot analyze all of the traffic on a busy network 19

- They cannot always deal with problems involving packet-level attacks 19

- They cannot deal with modern network hardware and features 20

CASE STUDIES FOR INTRUSION DETECTION AND RELATED PRODUCTS 20

Case 1: Integrity Analysis 20

Case 2: Vulnerability Assessment 20

Case 3: Host-based Intrusion Detection 21

FREQUENTLY ASKED QUESTIONS 22

About Intrusion Detection 22

• What is an Intrusion Detection System? 22

• What does it do? 22

• But we already have a firewall – why do we need an intrusion detection system, too? 22



• What can an intrusion detection system catch that a firewall can’t? 22

• We’ve invested in a lot of security devices for our network resources: 23

About Vulnerability Assessment Products 23

• What are Vulnerability Assessment Products? 23

• How do they work? 23

• What is the value added in Vulnerability Assessment Products? 23

INTRUSION DETECTION AND VULNERABILITY ASSESSMENT:

TECHNICAL CONCEPTS AND DEFINITIONS 23

Intrusion Detection 23

Descriptors for Intrusion Detection Systems Features and Functions 24

• Monitoring Approach 24

• Timing of Information Collection and Analysis 26

• Location of Analysis 27

• Types of Analysis 28

• Responses to Detection of Misuse or Attack 29

• Management Functions and Deployment Issues 30

• System Integrity 31

• Other Features 31

Vulnerability Assessment 31

• Introduction 31

• Assessment approach 32

• Location of Analysis 34

• Reporting 34

• Deployment 34

• Responses 34

• Management Functions 35

• System Integrity 35



SUMMARY AND CONCLUSION 35

Wide range of goals for product users 36

Developments in Other Security Product Lines Will Increase The Importance of

Intrusion Detection 36

Capabilities for Intrusion Detection Products are improving 36

GLOSSARY 36

FOR FURTHER READING 38

ABOUT THE AUTHOR 38



INTRODUCTION

Intrusion detection systems help computer systemsprepare for and deal with attacks. They collect infor-mation from a variety of vantage points withincomputer systems and networks, and analyze thisinformation for symptoms of security problems.Vulnerability Assessment systems check systemsand networks for system problems and configu-ration errors that represent security vulnerabili-ties. Both intrusion detection and vulnerabilityassessment technologies allow organizations toprotect themselves from losses associated withnetwork security problems.

This document explains how intrusion detectionand vulnerability assessment products fit into theoverall framework of security products. It includescase histories outlining scenarios in which theproducts have been used by customer organiza-tions. Finally, the concepts and definitions sectionprovides information about product features,explaining why they represent effective counter-measures to hacking and misuse.

Protecting critical information systems and net-works is a complex operation, with many tradeoffsand considerations. The effectiveness of any securitysolution strategy depends on selecting the rightproducts with the right combination of featuresfor the system environment one wishes to protect.In this document, we provide the informationone needs in order to be a savvy consumer inthe areas of intrusion detection and vulnerabilityassessment.

DefinitionsIt is important the reader understand the followingterms used in this paper:

Network Security is the property of computersystems and networks that specifies that the systems

in question and their elements can be trusted toact as expected in safeguarding their owners’ andusers’ information. The goals of security includeconfidentiality (ensuring only authorized userscan read or copy a given file or object), control(only authorized users can decide when to allowaccess to information), integrity (only authorizedusers can alter or delete a given file or object),authenticity (correctness of attribution or descrip-tion), availability (no unauthorized user can denyauthorized users timely access to files or othersystem resources), and utility (fitness for a speci-fied purpose).

Intrusion Detection systems collect informationfrom a variety of system and network sources,then analyze the information for signs of intrusion(attacks coming from outside the organization)and misuse (attacks originating inside the organi-zation.)

Vulnerability Assessment (scanners) performsrigorous examinations of systems in order tolocate problems that represent security vulner-abilities.

Security vulnerabilities are features or errors insystem software or configuration that increasethe likelihood of damage from attackers, acci-dents or errors.

Security Policy is the statement of an organization’sposture towards security. It states what an organi-zation considers to be valuable, and specifies howthe things of value are to be protected. In practicaluse, security policies are coarse grained (i.e., gener-alized statements that apply to the organizationas a whole) and drive finer-grained procedures,guidelines, and practices, which specify how thepolicy is to be implemented at group, office, net-work, and system, and user levels.



IDSC members as of March 22, 1999 include:

AXENT Technologies, Inc.(www.axent.com)

BindView Development Corporation(www.bindview.com)

Centrax Corporation(www.centraxcorp.com)

IBM(www.ers.ibm.com)

Internet Security Systems, Inc.(www.iss.net)

Memco Software Inc.(www.abirnet.com)

Network Associates, Inc.(www.nai.com)

Qwest Communications International, Inc.(www.qwest.com)

Security Dynamics, Inc.(www.securitydynamics.com)

Tripwire Security Systems, Inc.(www.tripwiresecurity.com)

Security infrastructure is the complement ofmeasures, ranging from policy, procedures, andpractices to technologies and products that repre-sent an organization’s security initiative. The goalsof security counter-measures are to detect problems,to delay damage and to mitigate the effects oferror and attack. From this perspective, vulner-ability assessment and intrusion detection arenecessary parts of the security infrastructure butdo not, by themselves, represent a complete securityinfrastructure.

About ICSA’s Intrusion DetectionSystems ConsortiumICSA formed the Intrusion Detection SystemsConsortium (IDSC) in 1998 to provide productdevelopers an open forum within which theycould work towards common goals. These goalsinclude educating end-users, influencing industrystandards, and maintaining product and marketingintegrity.

Members meet on a quarterly basis and participatein ongoing discussions and cooperative projectssuch as this white paper. Membership is open toany commercial developer of intrusion detectionand vulnerability assessment products and services.See http://www.icsa.net/services/consortia/intrusion.

IDSC Mission Statement:

“The mission of the IDSC is to facilitate theadoption of intrusion detection products by definingcommon terminology, increasing market awareness,maintaining product integrity and influencingindustry standards.”1

1 Source: ICSA



About This White Paper SeriesThis is the first of a series of white papers on topicsrelating to intrusion detection products. Thesedocuments will help users and potential users tobecome familiar with intrusion detection andvulnerability assessment so that they can selectthose products that best meet their needs.

INTRUSION DETECTION OVERVIEW

Intrusion detection is an important security tech-nology market.According to industry estimates,the market for intrusion detection products hasgrown from $40 million in 19972 to $100 millionin 19983 . This market growth is driven by reportsof steadily increasing computer security breaches(22% rise from 1996 to 1998, with $136 millionin associated losses, according to a leading survey4).Intrusion detection is considered by many to bethe logical complement to network firewalls, ex-tending the security management capabilities ofsystem administrators to include security audit,monitoring, attack recognition, and response.

In this paper, we provide an overview of this secu-rity technology, expanding the traditional view ofintrusion detection systems to include vulnerabil-ity assessment. These technologies play a vital rolein modern system security management.

What Is Intrusion Detection?Intrusion detection systems help computer systemsprepare for and deal with attacks. They accomplishthis goal by collecting information from a varietyof system and network sources, then analyzingthe information for symptoms of security prob-

lems. In some cases, intrusion detection systemsallow the user to specify real-time responses tothe violations.

Intrusion detection systems perform a variety offunctions:

• Monitoring and analysis of user and systemactivity

• Auditing of system configurations andvulnerabilities

• Assessing the integrity of critical system anddata files

• Recognition of activity patterns reflectingknown attacks

• Statistical analysis for abnormal activitypatterns

• Operating system audit trail management,with recognition of user activity reflectingpolicy violations

Some systems provide additional features,including:

• Automatic installation of vendor-providedsoftware patches

• Installation and operation of decoy servers torecord information about intruders.

The combination of these features allows systemmanagers to more easily handle the monitoring,audit, and assessment of their systems and net-works. This ongoing assessment and audit activityis a necessary part of sound security managementpractice.

1 Source: Yankee Group

2 Source: Aberdeen Group

3 Source: “Third Annual CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, March, 1998.



Vulnerability Assessment andIntrusion DetectionVulnerability assessment products (also known asscanners) perform rigorous examinations of systemsin order to determine weaknesses that might allowsecurity violations. These products use two strat-egies for performing these examinations. First,passive, host-based mechanisms inspect systemconfiguration files for unwise settings, systempassword files for weak passwords, and other systemobjects for security policy violations. These checksare followed, in most cases, by active, network-based assessment, which reenact common intrusionscripts, recording system responses to the scripts.

The results of vulnerability assessment tools repre-sent a snapshot of system security at a point intime. Although these systems cannot reliably detectan attack in progress, they can determine thatan attack is possible, and furthermore, they cansometimes determine that an attack has occurred.Because they offer benefits that are similar tothose provided by intrusion detection systems,we include them in the sphere of intrusion detec-tion technologies and products.

Products Can Be Successfully Deployedin Operational EnvironmentsThe objective of intrusion detection and vulner-ability assessment is to make complex, tedious,and sometimes virtually impossible system securitymanagement functions possible for those whoare not security experts. Products are thereforedesigned with user-friendly interfaces that assistsystem administrators in their installation, con-figuration, and use. Most products include infor-mation about the problems they discover, includinghow to correct these problems, and serve as valu-able guidance for those whom need to improve

their security skills. Many vendors provide con-sulting and integration services to assist customersin successfully using their products to achievetheir security goals.



TYPE OF SYSTEM Intrusion Detection VulnerabilityAssessment

SYSTEM DESIGN FEATURES MonitoringApproach

Timing ofAnalysis

Type ofAnalysis

Targets and strategies

WHAT CAN IT DO?

“D” = Detects

“P” = Prevents

“R” = Repairs

“S” = SupportsType Examples of Security Problems

App

licat

ion

–Bas

ed

Hos

t-ba

sed

Tar

get-

base

d

Net

wor

k-ba

sed

Inte

grat

ed

Bat

ch/In

terv

al M

ode

Rea

l Tim

e

Sig

natu

re A

naly

sis

Inte

grity

Ana

lysi

s

Sta

tistic

al A

naly

sis

Hos

t-ba

sed

(pas

sive

)

Net

wor

k-ba

sed

(act

ive)

Pas

swor

d A

sses

smen

t

Unauthorized access to files and system resources D D D P P P

Violation of corporate system use policies D D D D P P P

Violation of corporate security policies D D D D D D D P P

Con

fiden

tialit

y

Weak or nonexistent passwords D D D D D D

Placement of trojan horses and malicious software D P D D D D P P P

Presence of trojan horses and malicious software D D D D

Network service-based attacks D D D D PInte

grity

CGI-based attacks D D D P P

Denial of service attacks D D D D P

Failure or misconfiguration of firewalls D D D P P

Attacks occurring over encrypted networks D D D D

Ava

ilabi

lity

Unusual activity or variations from normal use patterns D

Errors in system or network configuration D D D,P,R D,P,R

Liability exposure associated with attackers usingorganizational resources to attack others

P P P P P P P P P P P P P

Oth

er

Post-incident damage assessment S S S S S S S S S S S

Table of Technology FeaturesThis table outlines the features for Intrusion Detection and Vulnerability Assessment systems, outliningthe strengths and weaknesses of each. The specifics of each feature are explained in greater detail in theSection Intrusion Detection and Vulnerability Assessment: Technical Concepts and Definitions.

Technology Features of Intrusion Detection and Vulnerability Assessment



Figure 2 illustrates the existing elements of theinformation security market. Intrusion detectionand vulnerability assessment fit in the sectorlabeled “Assessment.”

Note that in monitoring and auditing the rest ofthe products in the matrix, intrusion detectionsupport all of the goals.

Why Firewalls aren’t enoughA common question is how intrusion detectioncomplements firewalls. One way of characterizingthe difference is provided by classifying securityviolation by source—whether they come fromoutside the organization’s network or from within.Firewalls act re as a barrier between corporate (inter-nal) networks and the outside world (Internet),and filter incoming traffic according to a securitypolicy.

This is a valuable function and would be sufficientprotection were it not for these facts:

1. Not all access to the Internet occurs throughthe firewall.

WHERE INTRUSION DETECTIONSYSTEMS, FILE INTEGRITY ANDVULNERABILITY ASSESSMENTPRODUCTS FIT IN NETWORKSECURITY MANAGEMENT

Network Security ManagementNetwork Security Management is a process in whichone establishes and maintains policies, procedures,and practices required for protecting networkedinformation system assets. Intrusion Detectionand Vulnerability Assessment products providecapabilities needed as part of sound NetworkSecurity Management practice.

The Security HierarchyThe following diagram outlines an InformationSecurity Hierarchy. It outlines the security measuresthat comprise the foundation for any securitytechnology.

Note that in order to achieve enterprise-widesecurity results, Layers 1-3 must exist in order forthe technologies and products in Layer 4 to beeffective.

Layer 4Information Security Technologies and Products

Layer 5Auditing, Monitoring, Investigating

Layer 3Information Security Awareness and Training

Layer 2Information Security Architecture and Processes

Layer 1Information Security Policy and Standards

▲Layer 6Validation

Source: GartnerGroup

Figure 1 - Information Security Hierarchy5

Figure 2 – Information Security Market6

Source: GartnerGroup

Firewalls

Anti-Virus

Enhanced User Authentication

Access Control and User Authentication

Cryptography

Assessment

Logging, Reporting, Alerting

Secure, Consolidated User Authentication

Certification

Physical Security

Management &Administration

Consulting

5 Source: Gartner Group, Conference Presentation, May, 1997.

6 Source: Gartner Group, Conference Presentation, May, 1997.



Users, for a variety of reasons ranging fromnaiveté to impatience, sometimes set up unautho-rized modem connections between their systemsconnected to the internal network and outsideInternet access providers or other avenues to theInternet. The firewall cannot mitigate risk asso-ciated with connections it never sees.

2. Not all threat originates outside the firewall.

A vast majority of loss due to security incidentsis traced to insiders. Again, the firewall onlysees traffic at the boundaries between the internalnetwork and the Internet. If the traffic reflectingsecurity breaches never flows past the firewall, itcannot see the problems.

As more organizations utilize strong encryptionto secure files and public network connections,the focus of adversaries will shift to those placesin the network in which the information ofinterest is not as likely to be protected: theinternal network. Intrusion detection systemsare the only part of the infrastructure that isprivy to the traffic on the internal network.Therefore, they will become even more impor-tant as security infrastructures evolve.

3. Firewalls are subject to attack themselves

Attacks and strategies for circumventingfirewalls have been widely publicized since thefirst firewalls were fielded. A common attackstrategy is to utilize tunneling to bypass firewallprotections. Tunneling is the practice of encap-sulating a message in one protocol (that mightbe blocked by firewall filters) inside a secondmessage7 .

Who Guards the Guard? – Trust andIntrusion DetectionAnother area of discussion when considering thevalue of intrusion detection systems is the needto monitor the rest of the security infrastructure.Firewalls, identification and authentication (I & A)products, access control products, virtual privatenetworks, encryption products, and virus scannersall perform functions essential to system security.Given their vital roles, however, they are also primetargets of attack by adversaries. On a less sinisternote, they are also managed by mere mortals, andtherefore subject to human error. Be it due tomisconfiguration, outright failure, or attack, thefailure of any of these components of the securityinfrastructure jeopardizes the security of the sys-tems they protect.

By monitoring the event logs generated by thesesystems, as well as monitoring the system activitiesfor signs of attack, intrusion detection systemsprovide an added measure of integrity to the restof the security infrastructure. Vulnerability assess-ment products also allow system management totest new configurations of the security infrastruc-ture for flaws and omissions that might lead toproblems.

System Security Management –A Process ViewSecuring systems is not a point fix. It is an ongoingprocess targeting a dynamic environment in whichnew threats arise daily. Figure 3 shows one viewof security management.

7 Bellovin, Steven M., and Cheswick, William R., Firewalls and Internet Security, Repelling the Wily Hacker, 1994, Addison-WesleyPublishing Company, p 76.



Figure 3 – A process view of system security management

Prevention covers those proactive measures takenby organizations to mitigate risks to their systemsecurity. Much of the classic, government-sponsoredwork in computer security addresses this area byfocusing on the design and implementation ofmore secure operating systems and applicationssoftware. Also covered in “Prevention” includessecurity policy formation, encryption, strongidentification and authentication, and firewalls.

Functions in the detection phase are primarilyprovided by intrusion detection systems, althoughvirus scanners also fall into this category. As pic-tured in the diagram, detection involves monitoringthe targeted system(s), analyzing the informationgathered for problems, then, based on the systemsettings, responding to the problems, reporting theproblems, or both.

The results of the detection process drive the othertwo stages of managing security, investigatingproblems that are discovered, documenting thecause of the problem, and either correcting theproblem or devising a means of dealing with itshould it occur again. A common vision for futureintrusion detection systems is that of performingthese last two stages automatically, or else per-forming the functions internal to detection sowell that the need for the last two stages is virtu-ally eliminated.

The combination of investigation and diagnosis/resolution phases is often called Incident Responseor Incident Handling. Organizations should specifypolicies, procedures, and practices to address thisarea, as it does the rest of security.

DEBUNKING MARKETING HYPE– WHAT INTRUSION DETECTIONSYSTEMS AND RELATED TECHNO-LOGIES CAN AND CANNOT DO

Every new market suffers from exaggeration andmisconception. Some of the claims made in mar-keting materials are reasonable and others aremisleading. Herewith, a primer on how to readintrusion detection marketing literature.

Realistic benefits

TTTTThey hey hey hey hey CCCCCANANANANAN lend a greater degree of lend a greater degree of lend a greater degree of lend a greater degree of lend a greater degree ofintegrity to the reintegrity to the reintegrity to the reintegrity to the reintegrity to the rest of your securityst of your securityst of your securityst of your securityst of your securityinfrastructure.infrastructure.infrastructure.infrastructure.infrastructure.Intrusion detection systems, because they monitorthe operation of firewalls, encrypting routers, keymanagement servers and files critical to othersecurity mechanisms, provide additional layers ofprotection to a secured system. The strategy of asystem attacker will often include attacking orotherwise nullifying security devices protectingthe intended target. Intrusion detection systemscan recognize these first hallmarks of attack, andpotentially respond to them, mitigating damage.In addition, when these devices fail, due to configu-ration, attack, or user error, intrusion detectionsystems can recognize the problem and notify theright people.

Prevention

Investigation

Diagnosis &Resolution

Incident Handling/

Response

Detection

▲

▲

▲

▲

Analyze

▲

▲

Report

▲

Respond

▲

Monitor

▲



TTTTThey hey hey hey hey CCCCCANANANANAN make sense of often obtuse make sense of often obtuse make sense of often obtuse make sense of often obtuse make sense of often obtusesystem information sourcesystem information sourcesystem information sourcesystem information sourcesystem information sources, telling yous, telling yous, telling yous, telling yous, telling youwhat’s what’s what’s what’s what’s really happening on your systems.happening on your systems.happening on your systems.happening on your systems.happening on your systems.Operating system audit trails and other systemlogs are a treasure trove of information aboutwhat’s going on internal to your systems. They arealso often incomprehensible, even to expert systemadministrators and security officers. Intrusion-detection systems allow administrators and man-agers to tune, organize, and comprehend whatthese information sources tell them, often revealingproblems before loss occurs.

TTTTThey hey hey hey hey CCCCCANANANANAN trace user activity from the point trace user activity from the point trace user activity from the point trace user activity from the point trace user activity from the pointof entrof entrof entrof entrof entry to point of exit or impacty to point of exit or impacty to point of exit or impacty to point of exit or impacty to point of exit or impactIntrusion-detection systems offer improvementsover perimeter protections such as firewalls. Expertattackers can often penetrate firewalls; therefore,the ability to correlate activity corresponding to aparticular user is critical to improving security.

TTTTThey hey hey hey hey CCCCCANANANANAN recognize and repor recognize and repor recognize and repor recognize and repor recognize and report alterationst alterationst alterationst alterationst alterationsto data fileto data fileto data fileto data fileto data filesssssPutting Trojan Horses in critical system files is astandard attack technique. Similarly, the alter-ation of critical information files to mask illegalactivity, damage reputations, or commit fraud iscommon. File integrity assessment tools utilizestrong cryptographic checksums to render thesefiles tamper-evident and, in the case of a problem,quickly ascertain the extent of damage.

TTTTThey hey hey hey hey CCCCCANANANANAN spot errors of your system spot errors of your system spot errors of your system spot errors of your system spot errors of your systemconfiguration that have security implications,configuration that have security implications,configuration that have security implications,configuration that have security implications,configuration that have security implications,sometimesometimesometimesometimesometimes correcting them if the users correcting them if the users correcting them if the users correcting them if the users correcting them if the userwishewishewishewishewishesssssVulnerability assessment products allow consistentauditing and diagnosis of system configurationsettings that might cause security problems.

These products offer extensive vendor supportand turnkey design so that even novice securitypersonnel can look for hundreds of problemsby pushing a button. Some of these product offer-ings even offer automated fixes for the problemsuncovered.

TTTTThey hey hey hey hey CCCCCANANANANAN recognize when your system recognize when your system recognize when your system recognize when your system recognize when your systemappears to bappears to bappears to bappears to bappears to be subject to a pare subject to a pare subject to a pare subject to a pare subject to a particular attack.ticular attack.ticular attack.ticular attack.ticular attack.Vulnerability assessment products also allow theuser of a system to quickly determine what attacksshould be of concern to that system. Again,strong vendor support allows novice securitypersonnel to reenact scores of hacker attacksagainst their system, automatically recording theresults of these attack attempts. These productsalso provide a valuable sanity check for thoseinstalling and setting up new security infrastruc-tures. It is far better for a system manager to deter-mine that his firewall is incorrectly configuredimmediately than to discover this after an attackerhas successfully penetrated it.

TTTTThey hey hey hey hey CCCCCANANANANAN relieve your system management relieve your system management relieve your system management relieve your system management relieve your system managementstaff of the task of monitoring the Internetstaff of the task of monitoring the Internetstaff of the task of monitoring the Internetstaff of the task of monitoring the Internetstaff of the task of monitoring the Internetsearching for the latesearching for the latesearching for the latesearching for the latesearching for the latest hacker attackst hacker attackst hacker attackst hacker attackst hacker attacks.s.s.s.s.Many intrusion detection and assessment toolscome with extensive attack signature databasesagainst which they match information from yoursystem. The firms developing these products haveexpert staffs that monitor the Internet and othersources for reports and other information aboutnew hacker attack tools and techniques. Theythen use this information to develop new signa-tures that are provided to customers for down-load from web sites, downloaded to customersvia encrypted e-mail messages, or both.



TTTTThey hey hey hey hey CCCCCANANANANAN make the security management make the security management make the security management make the security management make the security managementof your systems by non-experof your systems by non-experof your systems by non-experof your systems by non-experof your systems by non-expert staff possible.t staff possible.t staff possible.t staff possible.t staff possible.Some intrusion detection and assessment toolsoffer those with no security expertise the abilityto manage security-relevant features of your systemsfrom a user-friendly interface. These are window-based, point and click screens that step usersthrough setup and configuration in a logical,readily understood fashion.

TTTTThey hey hey hey hey CCCCCANANANANAN provide guideline provide guideline provide guideline provide guideline provide guidelines that assists that assists that assists that assists that assistyou in the vital step of eyou in the vital step of eyou in the vital step of eyou in the vital step of eyou in the vital step of establishing astablishing astablishing astablishing astablishing asecurity policsecurity policsecurity policsecurity policsecurity policy for your computing assets.y for your computing assets.y for your computing assets.y for your computing assets.y for your computing assets.Many intrusion detection and assessment productsare part of comprehensive security suites that includesecurity policy building tools. These provide youeasy-to-understand guidance in building your secu-rity policy, prompting you for information andanswers that allow you to articulate goals andguidelines for the use of your computer systems.

Unrealistic expectations

They are not silver bulletsThey are not silver bulletsThey are not silver bulletsThey are not silver bulletsThey are not silver bulletsSecurity is a complex area with myriad possibili-ties and difficulties. In networks, it is also a“weakest link” phenomenon—i.e., it only takesone vulnerability on one machine to allow an adver-sary to gain entry and potentially wreak havoc onthe entire network. The time it takes for this tooccur is also minuscule. There are no magic solu-tions to network security problems, and intrusiondetection products are no exception to this rule.However, as part of a comprehensive securitymanagement they can play a vital role in protectingyour systems.

TTTTThey hey hey hey hey CCCCCANANANANANNNNNNOOOOOTTTTT compensate for weak compensate for weak compensate for weak compensate for weak compensate for weakidentification and authentication mechanismsidentification and authentication mechanismsidentification and authentication mechanismsidentification and authentication mechanismsidentification and authentication mechanisms

Although leading-edge research in intrusion de-tection asserts that sophisticated statistical analysisof user behavior can assist in identification of aparticular person by observing their system activity,this fact is far from demonstrated. Therefore, wemust still rely on other means of identificationand authentication of users. This is best accom-plished by strong authentication mechanisms (in-cluding token-based or biometric schemes andone-time passwords). A security infrastructurethat includes strong I&A and intrusion detectionis stronger than one containing only one or theother.

TTTTThey hey hey hey hey CCCCCANANANANANNNNNNOOOOOTTTTT conduct inveconduct inveconduct inveconduct inveconduct investigations ofstigations ofstigations ofstigations ofstigations ofattackattackattackattackattacks without human inters without human inters without human inters without human inters without human interventionventionventionventionvention

In very secure environments, incidents happen.In order to minimize the occurrence of incidents(and the possibility of resulting damage) onemust perform incident handling. One must inves-tigate the attacks, determine, where possible, theresponsible party, then diagnose and correct thevulnerability that allowed the problem to occur,reporting the attack and particulars to authoritieswhere required. In some cases, especially those in-volving a dedicated attacker, finding the attacker,then pursuing criminal charges against the attackeris the only way to make the attacks cease. However,the intrusion-detection system is not capable ofidentifying the person at the other end of theconnection without human intervention. Thebest that it can do is identify the IP address of thesystem that served as the attacker’s point of entry—the rest is up to a human incident handler.



TTTTThey hey hey hey hey CCCCCANANANANANNNNNNOOOOOTTTTT intuit the contents of your intuit the contents of your intuit the contents of your intuit the contents of your intuit the contents of yourorganizationalorganizationalorganizationalorganizationalorganizational security policsecurity policsecurity policsecurity policsecurity policyyyyy.....Intrusion-detection expert systems increase in valuewhen they are allowed to function as both hacker/burglar alarms and policy-compliance engines.These functions can not only spot the high-schoolhacker executing the “teardrop” attack againstyour file server, but also spot the programmeraccessing the payroll system after hours. However,this policy compliance checking can exist only ifthere is a security policy to serve as a template forconstructing detection signatures.

TTTTThey hey hey hey hey CCCCCANANANANANNNNNNOOOOOTTTTT compensate for compensate for compensate for compensate for compensate forweakneweakneweakneweakneweaknessessessessesses s s s s in network protocolsin network protocolsin network protocolsin network protocolsin network protocolsTCP/IP and many other network protocols donot perform strong authentication of host source/destination addresses. This means that the sourceaddress that is reflected in the packets carrying anattack does not necessarily correspond to the realsource of the attack. It is difficult to identify whois attacking one’s system; it is very difficult to provethe identity of an attacker in a court of law—forexample, in civil or criminal legal processes.

TTTTThey hey hey hey hey CCCCCANANANANANNNNNNOOOOOTTTTT compensate for problems compensate for problems compensate for problems compensate for problems compensate for problemsin the quality or integrity of information thein the quality or integrity of information thein the quality or integrity of information thein the quality or integrity of information thein the quality or integrity of information thesystem providesystem providesystem providesystem providesystem providesssssIn other words, “garbage in garbage out” still applies.System information sources are mined from avariety of points within the system. Despite thebest efforts on the part of system vendors, manyof these sources are software-based; as such, thedata are subject to alteration by attackers. Manyhacker tools (for example “cloak” and “zap”) explic-itly target system logs, selectively erasing recordscorresponding to the time of the attack and cov-ering the intruders’ tracks. This argues for thevalue of integrated, sometimes redundant, informa-

tion sources; each additional source increases thepossibility of obtaining information not corruptedby an attacker.

TTTTThey hey hey hey hey CCCCCANANANANANNNNNNOOOOOTTTTT analyze all of the traffic on analyze all of the traffic on analyze all of the traffic on analyze all of the traffic on analyze all of the traffic ona busy networka busy networka busy networka busy networka busy networkNetwork-based intrusion detection is capableof monitoring traffic of a network, but only toa point. First, given the vantage point of network-based intrusion detection sources that rely onnetwork adapters set to promiscuous mode, notall packets are visible to the systems. Second,as traffic levels rise, the associated processing loadrequired to keep up becomes prohibitive and theanalysis engine either falls behind or fails. In fact,vendors themselves characterized the maximumbandwidth at which they had demonstrated theirproducts to operate without loss with 100%analysis coverage at 65 MBPS.

TTTTThey hey hey hey hey CCCCCANANANANANNNNNNOOOOOTTTTT always deal with problems always deal with problems always deal with problems always deal with problems always deal with problemsinvolving packetinvolving packetinvolving packetinvolving packetinvolving packet-level attack-level attack-level attack-level attack-level attacksssssThere are weaknesses in packet-capture-basednetwork intrusion detection systems. The heart ofthe vulnerabilities involves the difference betweenthe IDSs’ interpretation of the outcome of anetwork transaction (based on its reconstructionof the network session) and the destination nodefor that network session’s actual handling of thetransaction. Therefore, a knowledgeable adversarycan send series of fragmented and otherwisedoctored packets that elude detection, but launchattacks on the destination node. Worse yet, an ad-versary can use this sort of packet manipulationto accomplish a denial of service attack on theIDS itself by overflowing memory allocated forincoming packet queues.



TTTTThey hey hey hey hey CCCCCANANANANANNNNNNOOOOOTTTTT deal with modern network deal with modern network deal with modern network deal with modern network deal with modern networkhardware and featurehardware and featurehardware and featurehardware and featurehardware and featuresssssDealing with fragmented packets can also beproblematic. This problem has serious ramificationswhen one considers modern high-speed ATMnetworks that use packet fragmentation as ameans of optimizing bandwidth. Other problemsassociated with advances in network technologiesinclude the effect of switched networks onpacket-capture-based network intrusion detectionsystems. As the effect of switched networks is toestablish a network segment for each host, therange of coverage for a network intrusion systemis reduced to a single host. This problem can bemitigated in those switches offering monitoringports or spanning capability; however, these featuresare not universal in current equipment.

Case Studies for IntrusionDetection and Related Products

Case 1: Integrity AnalysisIn 1996, one of the early online web-based stocktrading sites was placed in full operation, and wasinfiltrated by an outside attacker. The trading systemconsisted of approximately twenty web serversconnected to a central database server. When thesystem manager realized that an attacker was onthe loose inside the firewall, and was actively logginginto the server, there was an understandableamount of alarm.

In situations like this, damage containment shouldbe the first priority. However, in this case, shuttingdown or disconnecting all the web servers fromthe Internet was not an acceptable option. First,doing so would constitute a “trading halt” event,and would cause the corporation to be fined in15-minute increments by the SEC. Second, thedamage to reputation caused by a shutdown

would be extremely high, as would the damageassociated with the possibility of word leakingout that an intruder had successfully broken intothe system.

Because the system manager had already deployeda product utilizing Integrity analysis, it was possibleto ascertain quickly which machines were compro-mised and to determine the scope of the infiltra-tion. The customer computed that they savedabout 260 hours of system administration time,in a case where each minute was valued at an ex-treme premium. Time is critical when an attackeris on the loose in your network.

This story ends happily. Only a fraction of themachines were compromised, and were promptlyshut down. The database server was found to beintact, which allowed the web site continue func-tioning on the remaining web servers. The systemadministration team conducted damage eradica-tion and recovery at a more leisurely pace.

Case 2: Vulnerability AssessmentA consulting company that does network design,security assessment and integration services isfrequently called in when a company is initiallyestablishing a network, restructuring an existingone or adding new and complex capabilities. Inthe words of their President, “Many companiesdo not realize that when Windows NT is installed‘out of the box,’ it’s designed to be wide open toallow for flexible network implementations.And it’s pretty difficult to get a global picture ofyour environment, because you have to go througha lengthy process of ‘machine by machine’, or‘share by share’, or ‘domain by domain.’ Theysimply do not have the training, background andexpertise to know what specific rights and permis-sions to turn off.



“We use a vulnerability assessment product com-bined with a network management product tohelp uncover information about user rights, per-missions, account access, account restrictions, andusers that have easily-guessed passwords.

“One eye-opening experience we found at a cus-tomer site was where someone with user privilegesgranted themselves administrator rights. Whenwe ran a user access report we found a user whohad used a hack to make himself an administrator.To make matters worse, the account was active,and it belonged to a former employee that hadbeen gone for two months.

“It would have taken us forever to find this situ-ation because it is extremely time consuming tomanually check each and every user account forsecurity violations. But it is much easier with avulnerability assessment product where informationacross an entire enterprise can be consolidatedinto one single report.”

Case 3: Host-based Intrusion DetectionIn December of 1998 a medium size Californiabank decided that they needed better control oftheir internal security. They needed both consis-tency in their security configurations as well asmonitoring for suspicious behaviors from autho-rized users inside the system. They selected ahost-based intrusion detection tool that also pro-vided host-based assessment.

The agents were deployed to 10 servers and ahandful of workstations. After installation, anaudit policy was deployed that reduced theamount of data collected to a reasonable level,and a detection policy was also established thatmatched the objective of monitoring for anoma-lous behavior. The security officer then used theassessment capabilities to bring all the servers up

to a consistent level of security configuration thatwas acceptable to the security officer.

Within 24 hours of beginning monitoring thesecurity officer observed irregular usage of 2 ad-ministrative accounts. They were being used toread mail and edit documents during regularworking hours. The security policy specified thatadministrative accounts were only to be used fortasks requiring administrative privilege and werenot to be used for daily activities such as readingmail. The employees who were using their adminaccounts were reprimanded and the activitystopped.

Within 48 hours of monitoring the security officerobserved an unauthorized account using thebackup software. The immediate security risk wasthat the backup software had privilege to read everyfile on the system bypassing all access control.The security officer called the account owner andquickly determined that the backup software hadbeen installed under the wrong account makingthis powerful software vulnerable to compro-mise. The software was re-installed under a better-protected account.

Within 72 hours of monitoring the security officerobserved regular account logins from a set ofthree accounts at 1:30 AM, 2:30 AM, and 3:30AM. All the indications were that this was an au-tomated program using these 3 accounts to loginat the same time everyday. By using the dataforensics capabilities of the intrusion detectiontool the security officer looked back over the last3 days to determine other accesses and executionsby these accounts during these times. The nexteffort was to talk to the account owners to deter-mine if they had knowledge of programs undertheir control during this time. Through a combi-nation of analyzing the data and interviewing theend-users it was determined to be MAPI interactive



logons for mail. This pattern is now recognized asauthorized.

FREQUENTLY ASKED QUESTIONS

About Intrusion Detection

What is an Intrusion DWhat is an Intrusion DWhat is an Intrusion DWhat is an Intrusion DWhat is an Intrusion Detection System?etection System?etection System?etection System?etection System?An intrusion detection system monitors computersystems, looking for signs of intrusion (unautho-rized users) or misuse (authorized users oversteppingtheir bounds).

What doeWhat doeWhat doeWhat doeWhat does it do?s it do?s it do?s it do?s it do?Intrusion Detection Systems monitor a variety ofinformation sources from systems, analyzing thisinformation in a variety of ways. The first, mostcommon, is that it compares this information tolarge databases of attack signatures, each reflectingan attempt to bypass or nullify security protections.The second is that it looks for problems relatedto authorized users overstepping their permissions(e.g., a shipping clerk searching executive payrollrecords). Finally, some intrusion detection systemsperform statistical analysis on the information,looking for patterns of abnormal activity thatmight not fall into the prior two categories (e.g.,accesses that occur at strange times, or an unusualnumber of failed logins.)

But we already have a firewall–why do weBut we already have a firewall–why do weBut we already have a firewall–why do weBut we already have a firewall–why do weBut we already have a firewall–why do weneed an intrusion detection system, too?need an intrusion detection system, too?need an intrusion detection system, too?need an intrusion detection system, too?need an intrusion detection system, too?The firewall is the security equivalent of a securityfence around your property and the guard post atthe front gate. It can keep the most unsavory ofcharacters out, but cannot necessarily tell what isgoing on inside the compound. Intrusion detectionsystems are the equivalent of multi-sensor videomonitoring and burglar alarm systems. They cen-

tralize this information, analyze it for patterns ofsuspicious behavior in much the same way aguard at a monitoring post watches the feedsfrom security cameras, and in some cases, dealswith problems they detect. Most loss due tocomputer security incidents is still due to insiderabuse. Intrusion detection systems, not firewalls,are capable of detecting this category of securityviolation.

Perhaps more importantly, firewalls are subject tocircumvention by a variety of well-known attacks.

What can an intrusion detection systemWhat can an intrusion detection systemWhat can an intrusion detection systemWhat can an intrusion detection systemWhat can an intrusion detection systemcatch that a firewall can’t?catch that a firewall can’t?catch that a firewall can’t?catch that a firewall can’t?catch that a firewall can’t?Firewalls are subject to many attacks. The twoconsidered most worrisome are tunneling attacksand application-based attacks.

Tunneling attacks arise due to a property of networkprotocols. Firewalls filter packets, and make pass/block decisions based on the network protocol.Rules typically check a database to determinewhether a particular protocol is allowed, if so, thepacket is allowed to pass. This represents a prob-lem when an attacker masks traffic that shouldbe screened by the firewall by encapsulating itwithin packets corresponding to another networkprotocol.

Application-based attacks refer to the practice ofexploiting vulnerabilities in applications by send-ing packets that communicate directly with thoseapplications. Therefore, one could exploit a problemwith Web software by sending an HTTP com-mand that exercises a buffer overflow in the webapplication. If the firewall is configured to passHTTP traffic, the packet containing the attackwill pass.



WWWWWe’ve invee’ve invee’ve invee’ve invee’ve invested in a lot of security devicested in a lot of security devicested in a lot of security devicested in a lot of security devicested in a lot of security devicesssssfor our network refor our network refor our network refor our network refor our network resourcesourcesourcesourcesources: s: s: s: s: WWWWWe have token-e have token-e have token-e have token-e have token-based Identification and Authentication,based Identification and Authentication,based Identification and Authentication,based Identification and Authentication,based Identification and Authentication,require our employeerequire our employeerequire our employeerequire our employeerequire our employees to encrs to encrs to encrs to encrs to encrypt their e-mail,ypt their e-mail,ypt their e-mail,ypt their e-mail,ypt their e-mail,have firewalls, require users to generatehave firewalls, require users to generatehave firewalls, require users to generatehave firewalls, require users to generatehave firewalls, require users to generategood passwords and change them often—good passwords and change them often—good passwords and change them often—good passwords and change them often—good passwords and change them often—why do we need intrusion detection, too?why do we need intrusion detection, too?why do we need intrusion detection, too?why do we need intrusion detection, too?why do we need intrusion detection, too?Even when you have a great existing securityinfrastructure, you still need the added assuranceintrusion detection systems provide. No matterhow well designed the security point products,they are still subject to failure, due to hardwareor software anomalies or user problems. Userssometime nullify the protection afforded by theproducts by disabling or bypassing them. Intru-sion detection systems, because they are capableof monitoring messages from the other pieces ofthe security infrastructure, are able to detect whenfailure occurs. In some cases, they can tell youwhat happens until someone can restore them toservice.

About Vulnerability Assessment Products

What are VWhat are VWhat are VWhat are VWhat are Vulnerability Asseulnerability Asseulnerability Asseulnerability Asseulnerability AssessmentssmentssmentssmentssmentProducts?Products?Products?Products?Products?Vulnerability Assessment Products, also known as“Vulnerability Scanners,” are software productsthat perform security audits on systems, searchingfor signs that the systems being scanned are vul-nerable to certain systems attacks.

How do they work?How do they work?How do they work?How do they work?How do they work?Vulnerability Assessment Products take two ap-proaches to locating and reporting security vul-nerabilities. The first approach, a “passive” scan,inspects system settings such as file permissions,ownership of critical files, path settings, etc., forconfigurations that experience has shown lead tosecurity problems. The second approach, an “active”scan, actually reenacts a series of known hacker at-

tacks, recording the results of the attacks. Someproducts also perform password cracking on pass-word files in order to discover bad/weak pass-words that might be easily guessed by hackers. Fi-nally, the products record their findings in a resultscreen and in a report mechanism.

What is the value added in VulnerabilityWhat is the value added in VulnerabilityWhat is the value added in VulnerabilityWhat is the value added in VulnerabilityWhat is the value added in VulnerabilityAsseAsseAsseAsseAssessment Products?ssment Products?ssment Products?ssment Products?ssment Products?Vulnerability Assessment Products are a valuablepart of any organization’s system security manage-ment program. They allow system managers tobaseline the security of a new system. They allowperiodic security audits to determine the securityhealth of a system at a given time. Many of themprovide the ability to perform “differential analysis”by archiving the results of scans, then comparingsubsequent scans to the archives, reporting whennew vulnerabilities or unexpected changes appear.

INTRUSION DETECTION ANDVULNERABILITY ASSESSMENT:TECHNICAL CONCEPTS ANDDEFINITIONS

The following terms explain the main conceptsin intrusion detection, and will help to standardizethe terminology and description of evolvingproducts.

Intrusion DetectionIntrusion Detection Systems are security manage-ment tools that:

• Collect information from a variety of systemsources,

• Analyze that information for patterns reflectingmisuse or unusual activity,



• In some cases, automatically respond todetected activity, and

• Report the outcome of the detection process.

Descriptors for Intrusion DetectionSystems Features and Functions

Monitoring ApproachMonitoring ApproachMonitoring ApproachMonitoring ApproachMonitoring ApproachApplication-basedApplication-based intrusion detection sensors col-lect information at the application level. Examplesof application-level include logs generated bydatabase management software, web servers, orfirewalls. With the proliferation of Web-basedelectric commerce, security will increasingly focuson interactions between users and applicationprograms and data.

Advantages of application-level monitoring:

• This approach allows targeting of finer-grained activities on the system (e.g. one canmonitor for a user utilizing a particular appli-cation feature.)

Disadvantages:

• Applications-layer vulnerabilities can under-mine the integrity of application-based moni-toring and detection approaches.

Host-basedHost-based intrusion detection agents (also calledsensors) collect information reflecting the activitythat occurs on a particular system. This informationis sometimes in the form of operating-systemaudit trails. It can also include system logs, otherlogs generated by operating system processes, andcontents of system objects not reflected in thestandard operating system audit and loggingmechanisms.

Advantages:

• Systems can monitor information access interms of “who accessed what”

• Systems can map problem activities to a specificuser id

• Systems can track behavior changes associatedwith misuse

• Systems can operate in encrypted environments

• Systems can operate in switched networkenvironments

• Systems can distribute the load associatedwith monitoring across available hosts onlarge networks, thereby cutting deploymentcosts

Disadvantages:

• Network activity is not visible to host-baseddetectors

• Running audit mechanisms can incur additionalresource overhead

• When audit trails are used as data sources,they can take up significant storage

• Operating system vulnerabilities can underminethe integrity of host-based agents and analyzers

• Host-based agents must be more platform-specific, which adds to deployment costs

• Management and deployment costs associatedwith host-based systems are usually greaterthan in other approaches

Target-Based ApproachesIntegrity analysis (see section 3.2.4.3) enables oneto implement a focused and effective monitoringstrategy for systems in which data integrity andprocess integrity are of primary concern. This ap-proach monitors specific files, system objects and



system object attributes for change, looking at theoutcome of attack processes rather than the detailsof the attack processes. Some systems use checksums(computations whose value depends on the originalconstitution of the system object) to detectbreaches of integrity.

Advantages:

• Because it does not depend on historicalrecords of behavior, integrity analysis may detectintrusions that other methodologies do not;

• This approach allows reliable detection of bothplacement and presence of attacks that modifythe system (e.g., Trojan horses);

• Because its footprints and intrusiveness are low,this approach can be useful for monitoringsystems with modest processing or communi-cations bandwidth;

• This approach is effective for determiningwhich files need to be replaced in order torecover a system, rather than reinstallingeverything from the original source or backup,as is often done.

Disadvantages:

• Depending on the number of files, systemobjects and object attributes for whichchecksums are computed, this approach maystill levy an appreciable processing load onlow-end systems;

• The approach is not well suited to real-timedetection processes, as it monitors for theoutcome of attacks, not for the attacks them-selves while they are in progress.

Network-basedNetwork-based intrusion detection sensors collectinformation from the network itself. This informa-tion is usually gathered by packet sniffing, usingnetwork interfaces set in promiscuous mode;

however, some agents are integrated in networkhardware devices.

Advantages:

• The data come without any special require-ments for auditing or logging mechanisms; inmost cases collection of network data occurswith the configuration of a network interfacecard.

• The insertion of a network-level agent does notaffect existing data sources.

• Network-level agents can monitor and detectnetwork attacks. (e.g., SYN flood and packetstorm attacks).

Disadvantages:

• Although some network-based systems caninfer from network traffic what is happeningon hosts, they cannot tell the outcome ofcommands executed on the host. This is anissue in detection, when distinguishing betweenuser error and malfeasance.

• Network-based agents cannot scan protocolsor content if network traffic is encrypted.

• Network-based monitoring and intrusiondetection becomes more difficult on modernswitched networks. Switched networks establisha network segment for each host; therefore,network-based monitors are reduced tomonitoring a single host. Network switchesthat support a monitoring or scanning portcan at least partially mitigate this issue.

• Current network-based monitoring approachescannot handle high-speed networks.

Integrated approachesSome intrusion detection products combine appli-cation, host, and network-based sensors.



Advantages:

• As agents at applications, host, and networklevels are used, the system can target activityat any or all levels.

• It is easier to see patterns of attacks over timeand across the network space; this is of valuein damage assessment and system recovery; italso aids in investigating the incident and pur-suing legal remedies (e.g. criminal prosecutions).

Disadvantages:

• There are no industry standards with regardsto interoperability of intrusion detectioncomponents; therefore it is difficult or impos-sible to integrate components from differentvendors.

• Integrated systems are more difficult to manageand deploy.

Timing of Information Collection andTiming of Information Collection andTiming of Information Collection andTiming of Information Collection andTiming of Information Collection andAnalysisAnalysisAnalysisAnalysisAnalysis

Once the location(s) of intrusion detection systemagents are established, the timing of the informationcollection and analysis are of interest.

Batch or Interval OrientedIn batch-oriented (also called interval-oriented)approaches, operating-system audit mechanismsor other host-based agents log event informationto files and the intrusion detection system peri-odically analyzes these files for signs of intrusionor misuse.

Advantages:

• They are well suited to environments in whichthreat levels are low and single-attack losspotentials high (e.g., financial institutions). Inthese environments, users are often more inter-ested in establishing accountability for problems

than immediately responding to suspected inci-dents. In this situation, batch-oriented analysiswill likely be combined with other investigativeprocess in order to identify the person respon-sible for the incident and support criminalprosecution for the incident.

• Batch mode analysis schemes impose less pro-cessing load on systems than real-time analysis,especially when collection intervals are shortand data volumes are therefore low.

• Batch-oriented collection and analysis of infor-mation are particularly well suited to organi-zations in which system and personnel resourcesare limited. Organizations that have no full-timesecurity personnel may find that real-timealarms generated by intrusion detection systemsare seldom used. In such circumstances, it makeslittle sense to tolerate the processing loadassociated with real-time analysis and alarms.

• Attacks on computer systems often involverepetitive attacks on the same targets. Forexample, an attacker may enter a system viaa password-grabbing attack, then install a Trojanhorse “back door” in order to return later andcontinue the attack. Batch-mode analysis canusually recognize such attack signatures.

• Many current legal practices relating to computerevidence were established with batch-modecollection and manual analysis in mind.Therefore, it may be easier to submit systemlogs collected and processed in batch mode asevidence.

Disadvantages of batch-mode analysis include thefollowing:

• Users will seldom see incidents before theyare complete.



• Therefore, there is virtually no possibility ofactively countering incidents as they happen inan attempt to minimize damage.

• The aggregation of information for batch-modeanalysis consumes more disk storage on theanalysis system. This can result in huge amountsof data for enterprise networks.

Real TimeReal time systems provide information collection,analysis, and reporting (with possible responses)on a continuous basis. The term “real-time” isused here as in process-control systems; that is,the detection process happens quickly enough tohinder the attack. Note that while this definitionapplies to systems that take milliseconds to per-form analysis, it can also describe systems that areslower. Real-time systems provide a variety ofreal-time alarms (many support off-site alarmingmechanisms such as email, pagers, and telephonemessaging), as well as automatic responses to attacks.Typical responses range from simple notificationto increasing the sensitivity of the monitoring,terminating the network connection from thesource of the attack or changing system settingsto limit damage.

Advantages:

• Depending on the speed of the analysis, attacksmay be detected quickly enough to allow systemadministrators to interrupt them;

• Depending on the speed and sensitivity of theanalysis, system administrators may be ableto perform incident handling (leading to recov-ery of system operations) more quickly;

• In cases that occur on systems where legalremedies are available, system administratorsmay be able to collect information that allows

more effective identification and prosecutionof intruders.

Disadvantages:

• They tend to consume more memory andprocessing resource on the analysis systemthan post facto systems;

• There are serious legal issues associated withautomated responses that attempt to harm theattacking systems, a feature associated withsome real-time systems;

• Configuration of real-time systems is critical;a badly formed signature can generate so manyfalse alarms that a real attack goes unnoticed.

Location of AnalysisLocation of AnalysisLocation of AnalysisLocation of AnalysisLocation of AnalysisAs in sensors, analysis functions can reside at host-level, at network-level, or both. Performinganalysis strictly at the host level has the advantageof minimizing network load. However, it hasthe disadvantage of not allowing the detectionof broad scale attacks targeting a network ofmachines (for instance, an attacker sequentiallyhopping through a network performing bruteforce password guessing against each host).

Consolidating raw data and performing analysisstrictly at the network level (in the case of systemswith sensors at both host and network levels)offer the capability to detect attacks that involvemore than one host on the network. The disad-vantage to this approach is that the network loadassociated with transferring raw host-level infor-mation to the analysis engine can be crippling.

As in sensor placement, the optimal strategy forperforming analysis of logs is one in which analy-sis is done at both host and network levels. Theanalysis done at the host level can be simple orextensive depending on the nature of the sensor



information generated in that host or the signa-ture against which the information is matched.The network-level analysis can take the resultsfrom the host-level analysis and use it to detectsigns of network-wide attack or suspicious behav-ior without incurring as heavy a network load.Furthermore, in larger networks, this sort ofapproach can be applied hierarchically. That is,groups of hosts can report to a network analysisengine, which in turn reports its results to anotheranalysis engine that collects results from a numberof other network analysis engines and so on. Thishierarchical structure lets intrusion-detectionproducts succeed even in larger organizations.

TTTTTypeypeypeypeypes of Analysiss of Analysiss of Analysiss of Analysiss of Analysis

Signature analysisSignatures are patterns corresponding to knownattacks or misuses of systems. They may be simple(character string matching looking for a single termor command) or complex (security state transitionwritten as a formal mathematical expression). Ingeneral a signature can be concerned with a pro-cess (the execution of a particular command) oran outcome (the acquisition of a root shell.)

Signature analysis is pattern matching of systemsettings and user activities against a database ofknown attacks. Most commercial intrusion detec-tion products perform signature analysis against avendor-supplied database of known attacks. Ad-ditional signatures specified by the customer canalso be added as part of the intrusion detectionsystem configuration process. Most vendors alsoinclude periodic updates of signature databases aspart of software maintenance agreements.

One advantage of signature analysis is that it allowssensors to collect a more tightly targeted set ofsystem data, thereby reducing system overhead.

Unless signature databases are unusually large (sayhundreds of thousands or millions of complexsignatures), signature analysis is usually more effi-cient than statistical analysis due to the absence offloating point computations.

Statistical analysisStatistical analysis finds deviations from normalpatterns of behavior. This feature, common inresearch settings, is found in few commercialintrusion detection products. Statistical profilesare created for system objects (e.g., users, files,directories, devices, etc.) by measuring variousattributes of normal use (e.g., number of accesses,number of times an operation fails, time of day,etc.). Mean frequencies and measures of variabil-ity are calculated for each type of normal usage.Possible intrusions are signaled when observedvalues fall outside the normal range. For example,statistical analysis might signal an unusual event ifan accountant who had never previously loggedinto the network outside the hours of 8 AM to6 PM were to access the system at 2 AM.

The advantages of statistical analysis are:

• The system may detect heretofore unknownattacks;

• Statistical methods may allow one to detectmore complex attacks, such as those thatoccur over extended periods.

Disadvantages of statistical analysis (at this time) are:

• It is relatively easy for an adversary to trickthe detector into accepting attack activity asnormal by gradually varying behavior overtime;

• The possibility of false alarms is much greaterin statistical detectors;

• Statistical detectors do not deal well withchanges in user activities (e.g., when the man-



ager assumes the duties of a subordinate in anemergency). This rigidity can be a problem inorganizations where change is frequent. Thiscan result in both false alarms and false nega-tives (missed attacks).

Integrity analysisIntegrity analysis focuses on whether some aspectof a file or object has been altered. This often in-cludes file and directory attributes, content anddata streams. Integrity analysis often utilizesstrong cryptographic mechanisms, called messagedigest (or hash) algorithms, which can recognizeeven subtle changes.

Advantages:

• Any successful attack where files were altered,network packet grabbers were left behind, orrootkits were deployed will be detected regard-less of whether or not the attack was detectedby signature or statistical analysis.

Disadvantages:

• Because current implementations tend to workin batch mode, they are not conducive toreal-time response.

ReReReReResponsesponsesponsesponsesponses to Ds to Ds to Ds to Ds to Detection of Misuse oretection of Misuse oretection of Misuse oretection of Misuse oretection of Misuse orAttackAttackAttackAttackAttackSome network-based intrusion detection systemspermit one to specify a desired reaction to a de-tected problem. This feature has captured theimagination of many in the security managementarena, especially as the frequency of denial-of-service attacks (saturation of system resources) hasincreased.

Alter the EnvironmentA typical response to a detected network attack isto take steps to alter the environment of the systemunder attack. This alteration can consist of termi-nating the connection used by the attacker andreconfiguring network devices to block further

access to the site from the same source address.The response mechanisms are intended to allowsystem administrators to take an active rolewithin their authority to minimize damage asso-ciated with a detected attack.

Although it is a popular topic of discussion, strikingback by attacking the source is ill advised at thispoint. TCP/IP, the basis for Internet communi-cations, allows spoofing of packet source address-ing; therefore, retaliation against the putativesource of an attack might in fact damage an inno-cent party whose IP address had been forged forthe attack.

Another valuable feature of intrusion detectionsystems is to drill down into information sourcesby setting agents and audit mechanisms to collectmore information about the connection in ques-tion. This can also include collecting informationthat allows playback of attacks. This responseallows the system administrator to collect infor-mation that supports more accurate judgementsabout the intent of the attacker. It also allowscollection of information that might assist lawenforcement or other investigators in identifyingthose responsible for the attack.

ValidationKnowledgeable attackers will often attempt totarget the intrusion detection sensors or theanalysis engine. In this case, a validation response,in which the sensors and/or analysis engine arequeried in order to determine whether they con-tinue to work properly, is suitable.

Real Time NotificationFinally, most real-time systems allow a systemadministrator to select a variety of alarm mecha-nisms to notify responsible parties of detectedattacks. The alarms can notify key personnel byemail or pager messages sent instantaneously withinformation about the problem. A message to the



system console is standard, and many systemsallow a variety of visual and auditory signals aspart of the alarm.

Management Functions and DManagement Functions and DManagement Functions and DManagement Functions and DManagement Functions and DeploymenteploymenteploymenteploymenteploymentIssueIssueIssueIssueIssuesssssCustomers need flexibility in adapting intrusion-detection systems to their own environments. Thefollowing features help to tailor these products tospecific needs.

ConfigurationNo two organizations are the same. Each has adifferent set of security and management concernsdriving security policy, a different set of hardwareand software platforms included in their systemsenvironment, a different set of users or a differentset of operational policies. Therefore, the first issuefacing a customer who acquires an intrusion detec-tion system is the installation and setup of thesystem.

Many products, especially those designed forWindows NT environments, are shipped withclear, concise directions and installation scriptsincluded. However, configuring these products isstill an involved process. Information that cus-tomers must enter range from the IP addresses ofthe systems protected by the product to the sortsof security violations or system activities that theproducts are to detect and report. This is when aclear, current set of site security policy, proce-dures, and practices pays off handsomely.

Audit Subsystem ManagementProducts that include host-level agents typicallyuse operating-system audit mechanisms. Theseproducts offer improved user interfaces to theoperating-system audit controls, allowing users tospecify what information is collected and how itis collected.

ReportingOne of the benefits of intrusion detection systemsis the demonstration of due diligence in systemsecurity management practice. A key to demon-strating this due diligence (e.g., to upper manage-ment, internal auditors and regulatory personnel)is to document the findings of intrusion-detectionproducts over a particular time interval.

Most intrusion-detection products have the abilityto easily generate reports; many offer the capabilityto export report data to databases for subsequentanalysis and archiving. Many offer multiple reportformats (e.g., hard copy, screen, and HTML),with features allowing the user to report differentlayers of detail depending on the intended recipientof the report.

ControlOnce the intrusion detection product is configuredto the system environment, the next issue is actuallyrunning the system. Rudimentary controls includestarting and stopping the system, establishing theschedule at which certain activities should takeplace, and specifying how alarms should behandled. In the control function, another criticalissue in intrusion detection products is addressed:the security and reliability of the intrusion detec-tion system itself. One way of addressing this isto require authentication before the system respondsto control or configuration commands. This re-duces the risk of an adversary gaining access to thesystem and shutting it down.

Proof of ValidityIn some cases, intrusion-detection systems areused to ensure the operation of other parts of thesecurity infrastructure (e.g., firewalls). In thisproof of validity, the intrusion-detection systemanalyses information from both inside and out-side the coverage area of the security mechanismin question, then compares results. The mecha-nism is proven valid when the intrusion-detection



system isolates evidence that an attack (sensed onthe outside) is blocked by the mechanism (thereforenot sensed on the inside).Vulnerability-assessmentproducts are often used as part of this validationprocess and they function in synergy with intrusion-detection systems.

System IntegritySystem IntegritySystem IntegritySystem IntegritySystem IntegrityGiven the role of intrusion-detection systems andthe sensitivity of the information they sometimescontain, system designers have devoted consider-able thought to the measures needed to protectthe system itself. A standard strategy of attackersis to determine what security mechanisms are inplace and then take steps to nullify or circumventthem. One can therefore assume that intrusion-detection systems will operate in a hostile threatenvironment. Consequently, many features areincluded in systems to minimize the chances thatthe system will be successfully defeated, or worseyet, will be used as a vehicle of attack.

Some vendors provide embedded license mecha-nisms to assure that only legitimate customers ofthe vendor can utilize the product. This reducesthe risk that if the software is successfully stolenfrom the vendor or customer, the adversary coulduse it to monitor other machines or probe themfor vulnerabilities.

Another protection strategy utilizes strong encryp-tion to secure communications between sensors,analysis engines, and control consoles. This lowersthe risk that an adversary might spoof the sensoroutput for a particular system in order to maskattack activity.

Some vendors use digital signature and messagedigest algorithms to protect signature databaseupdates from tampering by adversaries. This allowstime-sensitive distribution of new attack signaturesto customers without the risk of corruption.

Other FeatureOther FeatureOther FeatureOther FeatureOther FeaturesssssSome vendors offer decoy server software to allowmore accurate characterization of the threat levelsfor a customer’s system environment. A decoy serveris just that—a server that has no other purpose thanattracting hacker attention. It is equipped withsensitive agents that collect information about thehacker’s location, the path of the attack and thesubstance of the attack. The decoy collects andlogs this information to a secure location. Somedecoy servers also provide features that create “jail”environments to which hackers are redirected—environments in which their attacks cannot damageoperational systems.

Vulnerability AssessmentIntroductionIntroductionIntroductionIntroductionIntroductionVulnerability-assessment products (also known asscanners) are security management tools that:

• Conduct exhaustive checks of systems in anattempt to locate exposures to securityvulnerabilities;

• Report the number, nature, and severity ofthese exposures

• Allow a system administrator to determinethe security status of a system at a particulartime

• Allow security auditors to determine the effec-tiveness of an organization’s system securityadministration

• In some cases, once an incident occurs, allowinvestigators to determine the avenue of entryfor an intruder or attacker

Vulnerability assessment products complementintrusion-detection systems: they allow systemadministrators to be proactive in securing theirsystems by finding and closing security holes before



attackers can use them. Intrusion-detection systemsare by nature reactive: they monitor for attackerstargeting systems in hopes of interrupting theattacks before the system is damaged.

AsseAsseAsseAsseAssessment approachssment approachssment approachssment approachssment approachApplication-based AssessmentApplication-based assessment uses passive, non-invasive techniques to check settings and configu-rations within application packages for errorsknown to have security ramifications.

Host-based AssessmentHost-based assessment uses passive, non-invasivetechniques to check system settings and configu-rations for errors known to cause security problems.These checks typically encompass system internalsand include things such as file permissions andownership settings and whether operating-systembug patches have been applied.

Most vulnerability-assessment products performpassword analysis as part of their assessment Pass-word analysis consists of running password crack-ers against password files, utilizing a well-knownattack in order to quickly locate weak, non-existent,or otherwise flawed passwords.

Advantages:

• It yields a very accurate, host-specific pictureof security holes;

• It catches security holes that aren’t exposedduring a network-based assessment.

Disadvantages:

• The assessment methods are platform-specificand thus require precise configuration foreach type of host used by the organization

• Deployment and update often require muchmore effort than in network-based assessment

Target-based AssessmentTarget-based assessment (also known as file integrityassessment) uses passive, non-invasive techniquesto check the integrity of system and data files aswell as system objects and their attributes (e.g.,hidden data streams, databases, and registry keys).Target-based assessment products use crypto-graphic checksums (message-digest algorithms) tomake tampering evident for critical systems objectsand files. Message-digest algorithms are based onhash functions, which possess the property thatextremely subtle changes in the input to the func-tion produce large differences in the result. Thismeans that a change in a data stream fed to amessage digest algorithm produces a huge changein the checksum generated by the algorithm.These algorithms are cryptographically strong;i.e., given a particular output value, it is practi-cally impossible to come up with another inputto the algorithm that will product an identicaloutput. This eliminates a common attack againstrelatively simple CRC (cyclic redundancy code)checksums in which hackers mask alterations tofiles by altering the content of the file so that thesame checksum is generated for both the originaland the tampered file. 8

Target-based assessment products run in a closedloop, processing files, system objects, and systemobject attributes to generate checksums; they thencompare them to previous checksums, lookingfor changes. When a change is detected, the productsends a message to the intrusion-detection systemthat records the problem with a time stamp cor-responding to the probable time of alteration.This process can provide a one-record trigger foran intruder alert or it can serve as a milestone foran investigator performing a trace of the eventsleading to the alteration.



Network-based AssessmentNetwork-based vulnerability assessment uses active,invasive techniques to determine whether a givensystem is vulnerable to a set of attacks. In network-based assessment, a variety of attack scenarios arereenacted against the target system(s), and resultsanalyzed in order to determine the system’s vulner-ability to attack. In some cases, network assess-ment is used to scan for network-specific problems(e.g., port scanning.)

Network-based vulnerability assessment is oftenused for penetration testing (specifically, testing afirewall) and security auditing.

Advantages:

• It finds security holes on a variety of platformsand systems

• Because it is not as platform dependent as host-based vulnerability assessment, it is easy todeploy quickly

• As it does not assume host-level access, it iseasier to deploy from a political point of view

Disadvantages:

• As it does not consider platform-specific vul-nerabilities, it is often less accurate than host-based assessment

• It can affect network operations and performance

Integrated AssessmentIntegrated vulnerability assessment combinesboth active, network-based assessment with pas-sive, host-based assessment techniques, oftencombining them with a centralized managementfunction. We note here that Windows NT envi-ronments do not recognize as crisp a policyboundary between host and network-based access.

Advantage:

• It combines the host-based advantages ofimproved identification of platform-specificvulnerabilities with the network-based capabili-ties to identify problems across wide rangesof affected systems and networks.

Disadvantage:

• The effort required to deploy and maintainthe combined assessment engines is greater.

Location of AnalysisLocation of AnalysisLocation of AnalysisLocation of AnalysisLocation of Analysis

Collecting data is the first step in vulnerabilityassessment; data analysis is the second. In largecomplex network installations, it is helpful to or-ganize vulnerability assessment using a console-agent architecture. This architecture is particularlyhelpful where networks are heterogeneous, i.e.,with a wide range of operating system platforms.

Advantages:

• Centralized architectures can tailor agents tospecific operating system platforms, and varythe coverage and rigor of assessments basedon the threat environment

• Distributed architectures allow one to scanacross network or NT policy domains

Disadvantages:

• Distributed architectures require additionalremote privileges on the networks scanned

8 Garfinkel, Simson, and Spafford, Gene, Practical UNIX and Internet Security, Second Edition, Sebastopol, CA, O’Reilly andAssociates, 1996.



ReporReporReporReporReportingtingtingtingtingReporting in vulnerability assessment holds thekey to understanding and rectifying securityholes. Reporting provides the opportunity todocument the security health of the systemsscanned, to publish problems to an appropriatelevel of management so that resources and re-sponsibilities are assigned to fix them, and toeducate everyone in the organization about theimportance of system security and how to achieveit. Options provided include variable reportingformats (with HTML offering the ability toselectively “drill down” to a finer level of detail asdesired) and levels of detail, providing differentamounts of background information about thevulnerabilities and associated fixes.

DDDDDeploymenteploymenteploymenteploymenteploymentAlthough it is easy to understand the require-ments driving vulnerability-assessment products,and easier still to understand how the productsmight be used to support an organizational securitystrategy, perhaps the most critical features in select-ing a product are those regarding the deploymentof that product in an operational environment.

• Most products provide user-friendly installationfeatures, supported by automated scripts andstrong technical support.

• Configuration options for products vary widely.Look for features such as network mapping,menu-driven configuration of security checksand network coverage, and on-screen helpmechanisms.

• Most products allow system administrators toset up schedules for scanning, an option thatallows them to schedule assessments for hoursof low system utilization (e.g. outside businesshours).

• Regular updates to the security check databaseis critical as new security holes are discoveredevery day. Update processes that are automaticand data-driven minimize the time requiredto incorporate new updates.

• Look for products that provide support ofroutine, repeatable scanning. Some support thiswith differential scan capabilities, which allowusers to automatically compare results of suc-cessive scans, pointing out problems and in-consistencies that surface.

• Vulnerability-assessment products can providefeatures that should be used only with caution(e.g., security checks addressing networkdenial-of-service attacks).These checks, inreplicating the attacks, can crash targets.Products should inform users of this problemwhen they select the denial-of-service checks.

ReReReReResponsesponsesponsesponsesponsesssssOnce the user has run vulnerability-assessmenttools and spotted vulnerabilities, the user canspecify responses. The response options providedinclude the following:

• Alarm mechanisms allow the system to sendreal-time alerts via a variety of means (e.g.,SNMP, pager, email, etc.) of high-risk vulner-abilities that have been discovered.

• Report mechanisms allow the system to gen-erate organized reports itemizing the resultsof vulnerability assessments.

• Some products have the ability to respond todetected security holes by actively closingthem (by either amending file configurationsor settings or else applying security patches)rather than simply reporting their existence.



Management FunctionsManagement FunctionsManagement FunctionsManagement FunctionsManagement FunctionsAs in intrusion detection, vulnerability-assessmentproducts have various management functions:

Exporting data in a variety of formats (HTML,Crystal Reports, ODBC, MDB, etc.) allows systemadministrators and managers to utilize a varietyof reporting tools to further analyze the results ofthe vulnerability assessment.

Network mapping makes it much easier tospecify which hosts are to be scanned. With net-work mapping, one can do this selection by pointand click selection of targets. Without it, manuallyentering all the addresses of hosts to be scannedcan be an arduous, time-consuming process.

The capability to tailor the coverage of an assess-ment to a target is an important managementfunction. This might include the ability to config-ure which checks runs against which targets, toadd custom user-defined checks, and to configurecertain parameters for individual checks.

System IntegritySystem IntegritySystem IntegritySystem IntegritySystem IntegrityAs in intrusion detection, there are special securityconsiderations associated with the design, deploy-ment, and maintenance of vulnerability assessmentproducts.

• Protection issues: The database of securitychecks must be protected, so that it does notbecome a primer for attackers. This can beaccomplished by a variety of strategies; encryp-tion of contents is perhaps the most common.

When encryption is used, however, U.S. gov-ernment export control policy for encryptiontechnologies can affect those measures avail-able for products fielded outside the country.

• As new attacks surface daily, product vendorsmust provide means for customers to update

the lists of security checks performed by vul-nerability assessment products. This updateprocess must, itself, be protected. In distributedarchitectures, the communications betweenconsole and agent must be protected, andusing cryptographic techniques may providethis protection.

• As vulnerability assessment systems can them-selves be used by attackers to identify targets,there must be countermeasures to prevent thismalicious use. These measures can include thebroadcast of the identification of the sourceaddress of the scanning host to the target, andstrong licensing mechanisms that limit thecoverage of the scanner.

SUMMARY AND CONCLUSION

Wide range of goals for product usersUsers of intrusion detection products span publicand private institutions, running the gamut of in-dustries. The goals realized by users of intrusiondetection systems include:

• Support of internal audit

• Control of liability exposure

• Incident handling and investigative support

• Improved damage assessment and recovery

• Improved security management process

• Discovery of new problems/issues beforedamage occurs

• Documentation of compliance with legal andstatutory requirements

• Recovery of systems suffering security violations



Developments in Other SecurityProduct Lines will Increase theImportance of Intrusion DetectionEncryption is growing in popularity and productsincluding encryption features are becoming ubiq-uitous. As more organizations utilize these prod-ucts to secure their data as it travels over publicnetworks, adversaries will adapt their attack strat-egies to accommodate this. The predictable out-come is that attacks will shift to those areas inwhich data is not encrypted: the internal network.

At the same time, corporate employment practiceswill continue to focus on outsourcing, strategicpartnerships with other organizations, and tele-commuting. All of these typically involve remoteaccess to the internal network, thereby expandingthe security perimeter of the organization to areasnot physically protected.

Intrusion detection systems are the only part ofthe IDS/Firewall protection infrastructure privyto the traffic on the internal network. Therefore,they will become even more important as securityinfrastructures evolve.

Capabilities for Intrusion DetectionProducts are improvingThe capabilities for intrusion detection are grow-ing, as new products enter the marketplace, andexisting organizations expand their product offer-ings to allow additional sensor inputs, improvedanalysis techniques, and more extensive signaturedatabases.

Thanks to government and military interest inInformation Warfare, of which Intrusion Detectionis a vital defensive component, funding of researchefforts has skyrocketed, with no end in sight. Thisincreased activity will result in enhanced under-standing of the intrusion detection process and

new features in future products. Plans are afoot toembed intrusion detection products as standardcomponents of major governmental and financialnetworks.

As intrusion detection remains an active researcharea, look for future products to implement newtechniques for managing data and detecting sce-narios of interest. Also look for additional prod-ucts that function at application level and thatinteroperate with network management plat-forms. Finally, look for product features that areintegrated into a bevy of special purpose devices,ranging from bandwidth management productsto “black box” plug-ins for targeted environments.

GLOSSARY

ACTIVITY - Instantiations of the data source thatare identified by the analyzer as being of interestto the security administrator. Examples of this in-clude (but are not limited to) network sessions,user activity, and application events. Activity canrange from extremely serious occurrences (such asan unequivocally malicious attack) to less seriousoccurrences (such as unusual user activity that’sworth a further look).

AGENT - The ID component that periodicallycollects data from the data source, sometimesperforming some analysis or organization of thedata. Also known as SENSOR.

ANALYZER - The ID component that analyzes thedata collected by the sensor for signs of unautho-rized or undesired activity or for events thatmight be of interest to the security administrator.*

AUDIT LOG - The log of system events and activi-ties generated by the operating system.

DATA SOURCE - The raw information that an intru-sion detection system uses to detect unauthorized



or undesired activity. Common data sources include(but are not limited to) raw network packets, oper-ating system audit logs, application audit logs,and system-generated checksum data.

EVENT - A notification from an analyzer to thesecurity administrator a signature has triggered.An event typically contains information aboutthe activity that triggered the signature, as well asthe specifics of the occurrence.

FILE ASSESSMENT - A technology in which messagedigest hashing algorithms are used to render filesand directories tamper evident.

INCIDENT HANDLING - The part of the SecurityManagement Process concerning the investigationand resolution of security incidents that occur andare detected. Also known as INCIDENT RESPONSE.

INTRUSION DETECTION - The technology concernedwith monitoring computer systems in order torecognize signs of intrusions or policy violations.

MANAGER - The ID component from which thesecurity administrator manages the various com-ponents of the ID system. Management functionstypically include (but are not limited to) sensorconfiguration, analyzer configuration, event noti-fication management, data consolidation, andreporting.

MESSAGE DIGEST ALGORITHMS – Specialized cryp-tographic algorithms that are used to render filestamper-evident. The nature of message digestalgorithms dictates that if an input data file ischanged in any way, the checksum that is calculatedfrom that data file value calculated will change.Furthermore, a small change in the input data filewill result in a large difference in the result.

RESPONSE - The actions that an analyzer takeswhen a signature is triggered. Sending an eventnotification to the security administrator is a very

common response. Other responses include (butare not limited to) logging the activity, recordingthe raw data (from the data source) that causedthe signature to trigger, terminating a network,user, or application session, or altering network orsystem access controls.

SCANNING - The technology concerned with scan-ning computer systems and networks in orderto find security vulnerabilities. Also known asVULNERABILITY ASSESSMENT.

SECURITY ADMINISTRATOR - The human with respon-sibility for the successful deployment and opera-tion of the intrusion detection system. This personmay ultimately charged with responsibility forthe defense of the network. In some organizations,the security administrator is associated with thenetwork or systems administration groups. Inother organizations, it’s an independent position.

SENSOR - The ID component that periodicallycollects data from the data source. Also known asAGENT.*

SIGNATURE - A rule used by the analyzer to identifyinteresting activity to the security administrator.Signatures are the mechanism by which ID sys-tems detect intrusions.

SYSTEM LOG - The log of system events and ac-tivities, generated by a system process. The systemlog is typically at a greater degree of abstractionthan the operating system audit log.

VULNERABILITY ASSESSMENT - The technologyconcerned with scanning computer systems andnetworks in order to find security vulnerabilities.Also known as SCANNING.

* In many existing ID systems, the sensor and theanalyzer are part of the same component.



FOR FURTHER READING

The following list of recent articles about intrusiondetection and vulnerability assessment is derivedfrom the Computer Select Database for March1999. For further information about this valuableresource, call The Gale Group at 800-848-1472in the United States or Canada.

[Format shows Author, initial (year). Title. Pub-lication (date) volume (number): page (articlelength)]

Delmonico, D. (1998). Detect Network IntrudersBefore They Wreak Havoc. InternetWeek (Oct 5,1998) (735):38(1)

Scambray, J. & S. McClure (1998). Digital sentries.InfoWorld (May 4, 1998) 20(18):1(8) + extensiveproduct comparisons in several articles.

Hurwicz, M. (1998). Cracker tracking: tightersecurity with intrusion detection. Byte (May1998) 23(5):112C(5)

Null, C. (1998). Covering your assets, electroni-cally. LAN Times (April 27, 1998) 15(9):44(2)

Santalesa, R. (1998). Extra-Strength VulnerabilityDetection. Windows Sources (April 1998) 6(4):10(1)

The Following books were found by doing a simplesearch on Amazon.com (www.amazon.com)

Intrusion Detection: An Introduction to InternetSurveillance, Correlation, Traps, Trace Back, andResponse, Edward G. Amoroso(Preface)/Paperback/Published 1999 218 pages 1 edition (February 1999)Intrusion Net Books; ISBN: 0966670078

Intrusion Detection: Network Security Beyondthe Firewall, Terry Escamilla/Paperback/Published1998 416 pages (October 1998) John Wiley &Sons; ISBN: 0471290009

ABOUT THE AUTHORRebecca Bace is the President of Infidel, Inc., asecurity consulting firm headquartered in ScottsValley, California. Ms. Bace has worked as a man-ager and researcher in intrusion detection and net-work security since 1989, when she became theleader of the National Security Agency’s ComputerMisuse and Anomaly Detection Research program.This program funded many of the early researchefforts in intrusion detection and vulnerabilityassessment, including the work performed at theUniversity of California, Davis, and Purdue Uni-versity. In 1996, Ms. Bace went to Los AlamosNational Laboratory as Deputy Security Officerfor the Computing, Information, and Commu-nications Division. In 1998 she formed Infidel, astrategic consulting practice specializing in intru-sion detection and network security. She holds theM.E.S. in Electrical Engineering from LoyolaCollege. Ms. Bace is currently writing a bookon the history, theory, and practice of intrusiondetection, to be published in late 1999.

b ace 99 assessment

Documents