Intrusion Detection (part 2)
Host Based Intrusion Detection and Prevention Systems or HIPS are systems that runs on a single client machine and are dedicated to protecting that object from internal and external threats. It monitors it’s own processes and looks for anomalies, but this creates a paradoxical situation. How can a subject detect an object that can alter the subjects root code, and prevent object detection? To get around this the subject should implement hardware controls that enforce software intrusion polices. Take for example, Motorola’s DroidX. The DroidX implements an amazing HIPS system by using a separate chip to completely white list and enforce all operating system processes. To prevent tampering of ROM code, they enforce code with IBM’s eFuse. The eFuse is a great piece of security hardware. It can detect boolean logic anomalies, blow the fuse, and physically re-route logic until the fuse is replaced. This allows Motorola to keep control over their device’s operating system, which is fundamental for security. Next, the DroidX sandboxes all applications, reviews and then blacklists bad programs from their development community. This creates for a locked-down host environment which is still open to development and customization, by layering multiple intrusion methodologies.
Network Based Intrusion Detection and Prevention Systems (NIDPS) should be stand-alone devices attached directly to a network whose purpose is to monitor network through put for any suspicious traffic by analyzing protocol activity. These NIDPS can be hardware directly installed on the network, software based solutions running on a client computer or even implemented from a management server. It is most commonly deployed in between individual objects and networks, such as in proximity to firewalls, routers, VPN servers, or wireless networks. “A typical example is a system that watches for large number of TCPconnection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan. A NIDS mayrun either on the target machine who watches its own traffic (usuallyintegrated with the stack and services themselves), or on an independentmachine promiscuously watching all network traffic (hub, router, probe).Note that a "network" IDS monitors many machines.”(LinuxSecurity.com)
A popular NIDPS client is Snort which utilizes blacklisting. If you decide to use this avenue of network protection, I advise you include the Emerging Threats (ET) rule set, which is an open source signature project built for Snort. However, it would be best practice to use a layered approach, and also implement a whitelisted perimeter to your network, such as a firewall or input scrubbing solution. Another, completely inverse, approach would be to use Savant’s system which primarily uses heuristics and whitelisting. This is a more corporate solution to NIDPS than Snort, and may be cumbersome in places where users expect freedom on the network (such as Universities, Libraries, or public networks). Savant uses a system which applies a key to each allowed application on each end system. If an unauthorized program tries to run it is quarantined. Savant’s system is deployable in a number of configurations which allow system administrators flexibility in deciding what is and is not allowable. A defense in depth approach is always the end goal, so it couldn’t hurt to set up a DPI (deep packet inspection) point, and have a black list running for known common attacks as well.
Wireless Intrusion Detection Systems (WIPS) are network-type monitors which scans all wireless activity and analyze it to identify suspicious activity involving the wireless network protocols themselves. These can be deployed locally to the area of the wireless network, and should consider attack vectors before implementation. If wireless networks are implemented, then solid defense in depth theories say WIPS is a must!
Network Behavior Analysis Systems (NBAS) are prevalent in corporations and distributed systems that have extremely large user groups. They apply heuristic methodologies to detect generated anomalies in traffic, such as denial of service attacks, malware, and policy violations. These systems evolved from software designed to prevent distributed denial of service attacks and are relatively new within the IDPS framework. NBAS are popular with web applications, which are available to many users, as well as a variety of threats. Using heuristic methods to profile connections on benign data, such as IP addresses, pages requested, and time of response, they can tell a genuine user from a malicious user. The true goal with such systems is to detect malicious users (possibly before they perform malicious acts) and/or prevent automated attacks. Unfortunately, due to the scale of such a system it often misses one time attacks or throws false positives at good users.
These four primary types of IDPS Systems each offer vastly different detection, logging, gathering and prevention capabilities. The National Institute of Standards and Technology state that a combination of these four kinds of systems is the best choice for a full featured intrusion prevention solution. Scarfone and Mell, the authors of the report, then go on to say in their Guide To Intrusion Detection and Prevention Systems (IDPS) that ,“Each technology type offers benefits over the others, such as detecting some events that the others cannot and detecting some events with significantly greater accuracy than the other technologies. In many environments, a robust IDPS solution cannot be achieved without using multiple types of IDPS technologies. For most environments, a combination of network-based and host-based IDPS technologies is needed for an effective IDPS solution. Wireless IDPS technologies may also be needed if the organization determines that its wireless networks need additional monitoring or if the organization wants to ensure that rogue wireless networks are not in use in the organization’s facilities. NBA technologies can also be deployed if organizations desire additional detection capabilities for denial of service attacks, worms, and other threats that NBAs are particularly well-suited to detecting. Organizations should consider the different capabilities of each technology type along with other cost-benefit information when selecting IDPS technologies.”(NIST 800-94)
In the event of the IDPS not being successful in preventing an intrusion, there must be steps taken and a plan in place in case of a viral/malware outbreak, in the form of a manual intrusion response. A manual intrusion response consists of an incident response strategy, made up of procedural steps to be taken during the outbreak. This strategy is “as important as having IT security policy formulated” according to Rajdeep Chakraborty, a Microsoft MVP of Consumer Security, and Senior Consultant at Deliotte, (Malware Incident Response, Chakraborty) These steps are Assessment, Preparation, Response, Analysis, Reassessment, Remediation, and Reporting. Assessment contains a group of steps including collecting samples, making random checks, and assessing severity of the outbreak. Preparation includes formulating a rapid action team, identifying the worst hit areas, identifying infected systems and communicating to software vendors if need be. The Response stage includes communicating with all Infrastructure management and Support Teams via email about the outbreak, removing the infected systems from the network, takeing down any infected servers, and containment. Next analysis of the network and the infected systems must occur, reassessment of security policy and procedures, remediation on damage, as well as for the time spent and clients and servers damaged in the attack, and finally the proper reporting of the incident for future use. All of these steps involve accruing specific and unspecified costs for the subject. Offsetting these costs is why IDPS is so important, so that the outbreak itself can be prevented or minimized.
As I have shown here, I believe that the adage “detect, remove, prevent” should instead be “secure yourself, watch your enemy, and evolve your strategies”. Based on my research into currently available IDPS technology, I feel that a combination of all possible defenses used concurrently will provide the best defense against intrusion. In a day and age where malicious attacks can come from anywhere, at any time, we need to take security seriously and invoke defense in depth methodologies. Using a combination of HIPS, NIPS, white listing, black listing, and heuristic technologies provides the most robust security options to combat intrusions. I believe that the predominant philosophies pertaining to intrusion detection and prevention will shift to a more tiered approach in the near future due to the hard work of security professionals. Continuing the process of research and analysis into intrusion detection and prevention will evolve and improve our abilities to tackle such issues in the future, saving incalculable time and money.
Works Cited
Schneier-Ranum Face Off - Is AntiVirus Dead? Schneier, Bruce Ranum, Marcus http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1373562,00.html
Network Intrusion Detection – Graham, Robert http://www.linuxsecurity.com/resource_files/intrusion_detection/network-intrusion-detection.html
Malware Incident Response Outbreak Scenario - Chakraborty, Rajdeep
http://www.malwareinfo.org/files/MalwareIncidentResponse.pdf
Guide to Intrusion Detection and Prevention Systems (IDPS) – Scarfone, Karen. Mell, Peter.
http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
Malware at Midyear A Summary – Paget, Francois
http://blogs.mcafee.com/mcafee-labs/malware-at-midyear-a-summary
Is Antivirus Dead – Miliefsky, Gary
Hakin9 Magazine September 2010
Deploying and Utilizing Intrusion Detection Using Snorby – Morin, Joshua
Hakin9 Magazine October 2010
Imperva Next Generation Web Application Firewalls NG-WAF
http://www.wit.co.th/pdf/imperva/WP_Next_Generation_WAFs.pdf
Promotional Material - Savant Technologies
www.savantprotection.com
eFuse Design and Reliability, Tonti, William R.
http://paris.utdallas.edu/ssiri08/Tonti_SSIRI_eFuse_V2.pdf