How to Make Your IDS Useful - Opus One® (opus1.com/www/presentations/smartdefense-ids.pdf)
2
Agenda: IDS
• Why are we looking at IDS?
• The 5 “Ws” of IDS Analysis
• The IDS Analysis Cycle
3
IDS Has Little to Do With Intrusions
[Diagram: external network, router/firewall, DMZ and internal networks; the two “Port scan here” labels below point at different segments of this diagram]
Enterprises want to understand and block security problems on their networks.
On each network, “intrusion” can mean something very different:
• Port scan here: ho-hum
• Port scan here: Uh-oh!
4
Intrusion Detection Systems Identify Security Problems on Your Networks
[Diagram: passive IDS sensors watching the external network, DMZ, internal networks and management network]
5
Intrusion Prevention Systems Block Security Problems on Your Networks
[Diagram: active IPS placed between the external network, DMZ, internal networks and management network]
6
There are at least 4 types of IDS/IPS products out there
• Signature-based: look for specific traffic that matches specific descriptions, or is “out of spec” in some particular way
• Rate-based: watch flows and connections and limit or modify TCP/UDP to pre-determined norms or to guarantee response time
• Anomaly-based: observe deviations from “baseline” normal traffic and block or alert
• Wireless: have specific knowledge of RF and RF behaviors; looking for wireless-specific issues
• Niche:
7
Network Intrusion Analysis Combines Technology With Methodology
You must have some of both before you can even start
Suggested reading: “Network Intrusion Detection, 3/e” by Northcutt & Novak
8
Before You Start, Consider the Five Ws
• Where is everything?
• What do I care about?
• Who is responsible? Who do I tell?
• When do we do analysis?
• Why are we doing this?
Yes, this sounds dull and uninteresting.
But if you don’t do it, then you’ll never know what to do with the data your IDS gives you
9
Where Is Everything on Your Network? (W#1)
You can’t watch all ports on all devices connected to the network
• Even if you had infinite CPU time...
So you need to know what each device is doing and who is taking care of them
Mapping your network is part of your preparation for IDS analysis
10
Map Your Network at Three Levels (at Least!) (W#1)
• Physical layer topology helps to understand what wires and bridges go where
• Network layer topology identifies systems and routing paths
• Application layer topology shows you what business-critical resources are present
11
Applications Are Hard to Map but Critical to Understand (W#1)
• Physical layer topology helps to understand what wires and bridges go where
• Network layer topology identifies systems and routing paths
• Application layer topology shows you what business-critical resources are present
[Diagram: application-layer map showing WWW servers, Oracle, RADIUS and LDAP servers, and a load balancer]
12
What Do I Care About? (W#2)
Once you have mapped your network, you have two main questions to ask:
What is visible to my IDS/IPS?
• Generally, certain inside-to-inside flows will not be visible
• Also, certain outside-to-inside flows might not pass a sensor
• That whole encryption thing
Which network elements are important to me?
• Physical
• Network
• Application
13
Spend Time on Critical and Important Systems (W#2)
Quick: your IPS says that someone is trying SQL attacks on “imprimo.” Do you care?
Answer: No. It’s a printer. It doesn’t run SQL. No one cares about it anyway.
Quick: your IPS says that someone is trying SQL attacks on system “repono.” Do you care?
Answer: Yes! It’s an SQL server. It’s behind the firewall. It generates my paycheck.
14
Who Is Responsible? (W#3)
System Mgmt Responsibility
• Who takes care of the network?
• Who takes care of the servers and routers?
• Who takes care of the applications?
Incident Responsibility
• Who do I tell?
  • What are they responsible for doing?
  • What if they don’t do it?
  • Then what do I do?
  • (or do I even care?)
15
When Do We Do Analysis? (W#4)
Immediately? Daily? Weekly? Monthly? Quarterly? Annually? Never?
• Are we concerned about catching someone in the act?
• Do we want to know quickly if there is a problem on our net?
• Are we looking for long-term trends?
• Do we do this for forensics and tuning?
16
Your Analysis Timeframe Strongly Influences What You Do (W#4)
Immediate
• Alert system & network mgrs
• React or traceback?
• Start logging
• Get on the phone
Daily
• Successful?
• Prioritize 1/2/3
• A trend? History?
• Patch? Update firewall rules?
• Surveillance?
Trending
• What’s abnormal? Normal?
• Getting worse? Better?
• Forensics?
17
Why Are We Doing This? (W#5)
You must be doing Intrusion Detection analysis and Intrusion Prevention for a reason. What is it?
What did your business case say? Avoid common exploits? Look for internal worms and malware? Discover misbehaving users and systems? Find out how you were broken?
Who? Why? When? Tool for your application and network managers? Tool for security manager?
18
A Policy Covers the Five Ws and You Need a Policy
This is even more important than the policy that you didn’t write to go along with your firewall
• Where is everything?
• What do I care about?
• Who is responsible? Who do I tell?
• When do we do analysis?
• Why are we doing this?
“Policies don’t work” – Marcus Ranum, Seven Things I’ve Learned
19
Your Policy Will Determine How You Do Analysis and Use Your IPS
• Immediate alerting: You want to know the moment that something is up so that you can react immediately.
• Correlation: You watch breakins and attempts to understand the motivation, method, and goals of the attacker.
• Surveillance: You instruct the IDS to watch certain things more carefully to collect data on an object or suspect of interest.
• Forensics: You use IDS to help understand what happened after a security incident or to show traffic flows and long-term statistics
20
The Analysis Cycle Gives a Framework
[Diagram: the analysis cycle, with the steps Identify resources, Define attack, Qualify applicability, Validate success, Break down, Research / Interact, Respond appropriately and Feedback, all resting on Policy]
21
Analysis Is Always Grounded in Policy
As you dive in, remember Paul Proctor’s rule: “When you first start operating an IDS, you will find many things you do not expect. Be prepared.”
Which implies, perhaps, that policy is also grounded in analysis
22
The 1st Step Is Identification and Mapping
• Construct your 3 maps (physical, network, application)
• Identify key resources
• Link to responsible people within your organization
• Some of this will come from policy
For each step in the cycle, identify the tools your IDS has to support this step
23
Break Down the Data Into Manageable Chunks
You will have dozens or perhaps hundreds of events (or thousands, if you haven’t tuned) to look through
Looking at them all requires mental discipline and an ability to prioritize
24
Define the Incident and Understand What It Means
What kind of incident?
• Attack on a host?
• DoS attack?
• Information probe?
What does the event message mean? What happened? Who was the source?
25
Research Is an Integral Part of Defining an Incident
• Reference materials
  • Stevens Vol. 1, 3
• Web rambling
• Your brain and your analyst (paper or electronic) notebook
26
Qualify the Incident
Is it applicable to us? Do we care about it? Have I seen it before? Have I seen this attacker before?
This is the most important and time-consuming part of analysis
27
Qualification Means Answering a Lot of Questions
Does this host actually exist?
• Attacks on non-existent hosts are pretty low priority
Is this host vulnerable to the attack?
Go back to your “Identify Resources” maps and start talking to the responsible people
Key conclusion: Without a comprehensive map, you cannot do useful analysis. Information gathering is painful, but there are tools to help.
28
Northcutt Advises Prioritizing Your Incidents and Events
Criticality: How bad will it hurt?
• 5: Firewall, DNS, router
• 4: Email gateway/server
• 3: Executive’s desktop
• 2: User desktop
• 1: MS-DOS 3.11 running soda machine
Lethality: How likely to do damage?
• 5: Multi-system root access
• 4: Single-system root
• 3: DoS total lockout
• 2: User-level access
• 1: Unlikely to succeed
System Countermeasures
• 5: Totally patched, modern O/S, internal firewall
• 3: Older O/S, partially patched
• 1: Unpatched/Unmanaged
Network Countermeasures
• 5: Validated, restricted firewall
• 4: Firewall, plus some unprotected connections
• 2: Permissive firewall
• 1: No firewall
severity = (criticality + lethality) - (sys + net countermeasures)
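One way to put the qualification questions from the “imprimo”/“repono” slide and the “Qualification Means Answering a Lot of Questions” slide (does the host exist, does it run the attacked service, who owns it, have we seen the attacker) together with the severity formula above into code, as an added example that is not part of the Opus One deck. The hostnames come from the deck; their scores, owners, the attack table and the sample events are assumed for illustration.

```python
# Added example (not from the Opus One deck): qualify IDS events against an
# asset map and rank them with Northcutt's severity formula. Owners, scores,
# the attack table and the events below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Asset:
    owner: str            # who takes care of it (W#3)
    services: frozenset   # application-layer map (W#1)
    criticality: int      # Northcutt criticality, 1..5
    sys_counter: int      # system countermeasures, 1..5
    net_counter: int      # network countermeasures, 1..5


# Constructed asset map keyed by hostname, using the deck's two hosts.
ASSETS = {
    "repono": Asset("dba-team", frozenset({"mssql"}), 5, 3, 4),   # payroll SQL server behind the firewall
    "imprimo": Asset("facilities", frozenset({"ipp"}), 1, 1, 2),  # a printer; runs no SQL
}

# Attack class -> (lethality 1..5, service the attack needs on the target).
ATTACKS = {
    "sql-injection": (4, "mssql"),  # single-system compromise if it lands
    "port-scan": (1, None),         # information probe, unlikely to do damage by itself
}


def severity(criticality, lethality, sys_counter, net_counter):
    """Northcutt: severity = (criticality + lethality) - (sys + net countermeasures)."""
    return (criticality + lethality) - (sys_counter + net_counter)


def qualify(event, assets=ASSETS, attacks=ATTACKS, seen_attackers=frozenset()):
    """Work through the qualification questions for one event and return a verdict."""
    host = assets.get(event["target"])
    if host is None:  # does this host actually exist?
        return {"target": event["target"], "verdict": "ignore",
                "reason": "not on the map; attacks on non-existent hosts are low priority"}
    lethality, needed = attacks.get(event["attack"], (3, None))  # unknown class: middle of the scale
    if needed is not None and needed not in host.services:  # is the host vulnerable to this attack?
        return {"target": event["target"], "verdict": "ignore", "owner": host.owner,
                "reason": f"does not run {needed}; not vulnerable to {event['attack']}"}
    sev = severity(host.criticality, lethality, host.sys_counter, host.net_counter)
    return {"target": event["target"], "verdict": "investigate" if sev > 0 else "log",
            "severity": sev, "owner": host.owner,
            "seen_attacker_before": event["source"] in seen_attackers}


def prioritize(events, **kw):
    """Break the pile of events into a worklist: highest severity first, ignored ones last."""
    verdicts = [qualify(e, **kw) for e in events]
    return sorted(verdicts, key=lambda v: v.get("severity", -99), reverse=True)


if __name__ == "__main__":
    EVENTS = [  # constructed sensor output: target, attack class, source address
        {"target": "imprimo", "attack": "sql-injection", "source": "198.51.100.7"},
        {"target": "repono", "attack": "port-scan", "source": "198.51.100.7"},
        {"target": "repono", "attack": "sql-injection", "source": "198.51.100.7"},
    ]
    for verdict in prioritize(EVENTS, seen_attackers=frozenset({"198.51.100.7"})):
        print(verdict)
```

With the constructed scores, the SQL attack on repono scores (5 + 4) - (3 + 4) = 2 and lands at the top of the worklist, while the same attack on the printer is dropped before any scoring because the host does not run the attacked service.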
29
You Might Want to Answer Two More Questions
“Did the event cause a state change?”
• Is the behavior of the target system different after the event than before the event?
“Is there something else going on here?”
• What other correlation can we make between this attacker, the attacked system, and the type of incident with past incidents?
30
Communicate and Validate the Incident
• Share information: something of interest might be correlated
• Find out: was the attack successful?
31
Feedback Completes the Analysis Cycle
• Firewall adjustments
• IPS adjustments
• Update maps with contact information and patch details
• Log incident and results
• Verify against policy
32
Action Items: Making Your IDS Useful
• Follow the “5 Ws” and prepare background information on the network
• Identify tools within your IDS to help each step in the Analysis Cycle
• Set aside 2 to 3 hours each week to practice and get into the swing of tuning and analyzing events