Intrusion Detection

Although it is possible for human monitoring to identify real-time intrusion events within small, tightly controlled networks, it is more likely that a human administrator will monitor alerts and notifications generated by intrusion-detection systems (IDSs). These software and hardware agents can monitor network traffic for patterns that may indicate an attempt at intrusion, called an attack signature, or can monitor server-side logs for improper activity or unauthorized access.


Intrusion generally refers to unauthorized access by outside parties, whereas misuse is typically used to refer to unauthorized access by internal parties.


Methods of Intrusion Detection

Intrusion detection may be managed by two basic methods: knowledge-based and behavior-based detection. Knowledge-based detection relies on the identification of known attack signatures and events that should never occur within a network. Behavior-based detection involves the use of established usage patterns and baseline operation to identify variations that may pinpoint unauthorized access attempts.

Knowledge-Based IDS

The most common form of IDS detection involves knowledge-based identification of improper, unauthorized, or incorrect access and use of network resources. Matching on known attack signatures produces few false alarms, because a known attack pattern is almost always a genuine sign of danger to the network; the exception is a signature written too broadly, which will match legitimate traffic as well. Because the signature identifies a known method of attack, you can plan in detail how to counter and recover from that attack.

Internet Control Message Protocol (ICMP) abuse and port scans are examples of activity that can be expressed as attack signatures. The Ping utility uses ICMP echo requests and is often used to probe for live hosts before an attack, or the ICMP traffic may itself be the attack (a ping flood). If a host is being bombarded with ICMP echo requests or other ICMP traffic, that volume should set off the IDS. Port scans are a reconnaissance technique used to discover which services a system exposes; a scan is not itself an attack, but it is often the precursor to one. Port scans can be sequential, starting at port 1 and working up to port 65535, or they can hit ports in random order, slowly, or from several source addresses. A knowledge-based IDS should recognize either ordering and send an alert; in practice this means counting distinct destination ports per source over a time window, because no single packet of a scan is abnormal on its own.

Knowledge-based IDS may also monitor for patterns of access that have been established as never being appropriate within the monitored network (for example, traffic directed at the well-known ports of services that should not exist on the monitored hosts, such as an unauthorized FTP or Web server running on a local system).

Knowledge-based IDS has several limitations, including the following:

  • The maintenance of the knowledge library to include newly identified signatures can become a complex and time-consuming task.

  • Knowledge-based detection of internal misuse is difficult because most misuse involves an improper utilization of a normal form of access or privilege.

  • As new exploits are identified, it will take some time before an identified signature for the attack can be prepared and distributed. During this time, knowledge-based IDS cannot identify attacks of the new type.

  • Knowledge-based IDS is closely tied to the technologies used within a particular network. As new technologies are integrated, or evolutionary changes are made to the network environment, knowledge-based systems may be unable to provide support for all potential avenues of attack created by the changes.

Behavior-Based IDS

One of the most common workstation-level compromise-detection methods is simply a user noticing an unusual pattern of behavior, such as a continually operating hard drive or significantly slowed performance. The ability to detect anomalies from normal patterns of operation makes it possible to identify new threats that may bypass knowledge-based IDS. Highly secure environments may use complex behavior analysis, in some cases learning the individual usage pattern of each user profile so that variations from it can be identified.

Here are some common features of behavior-based IDS solutions:

  • They can identify new forms of attack, including ones for which no signature yet exists.

  • They are more flexible as networks evolve.

  • They can identify internal misuse by recognizing actions outside the normal pattern of access, or authorized actions performed outside the user's normal profile, such as access to protected files outside business hours.

Although more flexible than knowledge-based IDS, behavior-based detection has several limitations, including the following:

  • The most common drawback to behavior-based IDS is the high incidence of false alarms. Because anything falling outside of the established behavior profile is considered a potential sign of attack, any action that varies from the norm may generate an alert.

  • Behavior profiles must be regularly updated to include changes in technology, changes in network configuration, and changes to business practices that may affect the normal order of operations. In systems that maintain detailed user access profiles, even a simple promotion within the business structure might require administrative action to update the usage profile of the user involved.

  • Because of the need for periodic updates to behavior profiles, behavior-based IDS might not provide identification of threats during the update cycle and may even identify an ongoing attack pattern as part of the normal pattern of use, thus creating a potential area for later exploitation.
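The profile-learning approach described above, as an added example that is not code from the book: a behavior-based detector in Python that learns, per user, which hours of the day and which resources are normal from a constructed training log, scores new events against that profile, and shows the profile-update step the limitations above call for (a promotion that makes new files legitimate). The log format, the two profile features and the function names (`build_profiles`, `score`, `update_profile`) are assumptions made for this example.

```python
"""Behavior-based detection over constructed access-log lines.

Added example, not from the book. The log format
'<ISO timestamp> <user> <action> <resource>' and the two profile features
(active hours, resources touched) are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime


def parse(line):
    ts, user, action, resource = line.split()
    return datetime.fromisoformat(ts), user, action, resource


def build_profiles(lines):
    """Learn, per user, the hours of day and resources seen during training."""
    profiles = defaultdict(lambda: {"hours": set(), "resources": set()})
    for ts, user, _action, resource in map(parse, lines):
        profiles[user]["hours"].add(ts.hour)
        profiles[user]["resources"].add(resource)
    return profiles


def score(profiles, line):
    """Return the list of deviations a single event shows against its profile."""
    ts, user, _action, resource = parse(line)
    prof = profiles.get(user)
    if prof is None:
        return ["unknown-user"]
    reasons = []
    if ts.hour not in prof["hours"]:
        reasons.append("off-hours")
    if resource not in prof["resources"]:
        reasons.append("novel-resource")
    return reasons


def update_profile(profiles, user, lines):
    """Fold newly approved activity into a user's profile (e.g. after a role change)."""
    for ts, u, _a, resource in map(parse, lines):
        if u == user:
            profiles[user]["hours"].add(ts.hour)
            profiles[user]["resources"].add(resource)


# Constructed training data: a working week of ordinary daytime activity.
TRAINING = [
    f"2024-03-{day:02d}T{hour:02d}:{minute:02d}:00 alice read /finance/ledger.xlsx"
    for day in range(4, 9) for hour in (9, 11, 14, 16) for minute in (5, 35)
] + [
    f"2024-03-{day:02d}T{hour:02d}:10:00 bob read /eng/build.log"
    for day in range(4, 9) for hour in (8, 10, 13, 17)
]

# Constructed events to score.
NORMAL = "2024-03-11T14:20:00 alice read /finance/ledger.xlsx"
NIGHT_PROTECTED = "2024-03-12T02:41:00 alice read /hr/salaries.xlsx"
PROMOTED_BOB = "2024-03-12T10:00:00 bob read /finance/ledger.xlsx"

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for ev in (NORMAL, NIGHT_PROTECTED, PROMOTED_BOB):
        print(ev, "->", score(profiles, ev) or "ok")
    # Bob's new duties are legitimate: refresh the profile so it stops alerting.
    update_profile(profiles, "bob", [PROMOTED_BOB])
    print(PROMOTED_BOB, "->", score(profiles, PROMOTED_BOB) or "ok")
```

The night-time read of a file alice has never touched trips both checks, while bob's first read of the ledger after his promotion is a false positive until `update_profile` is run; that update window is exactly the gap the last limitation above warns about, so approve such changes deliberately rather than letting the profile absorb everything it sees.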

Intrusion-Detection Sources

Whether knowledge based or behavior based, intrusion detection relies on the capability to monitor activity, identify potential risks, and alert the appropriate responsible parties. Monitoring may be performed on the network itself or on a host system, based on the security needs mandated by business requirements.

Network-Based IDS

Network-based IDS solutions monitor all network traffic to identify signatures within the network packets that may indicate an attack. The types of signatures include the following:

  • String signatures Identify text strings used in common attacks, such as the request transmitted by Code Red-infected systems.

  • Port signatures Used to identify traffic directed to ports of common services not running on the identified host, as well as ports used by well-known exploits such as the Blade Runner and SubSeven Trojan horse services.

  • Header signatures Used to detect the presence of conflicting or inappropriate packet headers, such as flag combinations no legitimate TCP stack sends, or a high rate of SYN packets that never complete the handshake, which might indicate a SYN flood attack.
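The three signature types above, together with the ICMP-flood and port-scan cases from the knowledge-based section, as an added example that is not code from the book: a small knowledge-based sensor in Python that runs string, port and header rules over a constructed sequence of decoded packet records. The record layout, the thresholds and the helper names (`detect`, `tcp`, `icmp_echo`) are assumptions made for this example; the Trojan ports and the Code Red URI fragment are the well-known values.

```python
"""Minimal knowledge-based network IDS over constructed packet records.

Added example, not code from the book. Packet records are plain dicts built
inline to stand in for decoded packets; the field names (src, dst, proto,
dport, flags, payload) and the thresholds are assumptions for this example.
"""
from collections import defaultdict

# Port signatures: default ports of the Trojan services named in the text.
TROJAN_PORTS = {27374: "SubSeven", 5400: "Blade Runner",
                5401: "Blade Runner", 5402: "Blade Runner"}
# String signature: the URI fragment carried by Code Red's HTTP request.
STRING_SIGNATURES = {b"GET /default.ida?": "Code Red probe"}

SCAN_PORT_THRESHOLD = 10    # distinct destination ports from one source
ICMP_ECHO_THRESHOLD = 20    # echo requests aimed at one destination
SYN_FLOOD_THRESHOLD = 50    # SYNs without ACK aimed at one destination


def detect(packets):
    """Return a list of (rule, offender) alerts, one per rule and offender."""
    alerts = []
    ports_by_src = defaultdict(set)
    icmp_echo_by_dst = defaultdict(int)
    syn_only_by_dst = defaultdict(int)
    fired = set()

    def fire(rule, who):
        if (rule, who) not in fired:
            fired.add((rule, who))
            alerts.append((rule, who))

    for p in packets:
        if p["proto"] == "icmp":
            if p.get("icmp_type") == 8:            # echo request
                icmp_echo_by_dst[p["dst"]] += 1
                if icmp_echo_by_dst[p["dst"]] >= ICMP_ECHO_THRESHOLD:
                    fire("icmp-echo-flood", p["dst"])
            continue
        if p["proto"] != "tcp":
            continue
        dport = p["dport"]
        if dport in TROJAN_PORTS:                  # port signature
            fire(f"port:{TROJAN_PORTS[dport]}", p["src"])
        for sig, name in STRING_SIGNATURES.items():  # string signature
            if sig in p.get("payload", b""):
                fire(f"string:{name}", p["src"])
        ports_by_src[p["src"]].add(dport)          # scan: many ports, any order
        if len(ports_by_src[p["src"]]) >= SCAN_PORT_THRESHOLD:
            fire("port-scan", p["src"])
        flags = p.get("flags", set())              # header signature
        if "SYN" in flags and "ACK" not in flags:
            syn_only_by_dst[p["dst"]] += 1
            if syn_only_by_dst[p["dst"]] >= SYN_FLOOD_THRESHOLD:
                fire("syn-flood", p["dst"])
    return alerts


def tcp(src, dst, dport, flags=("SYN",), payload=b""):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport,
            "flags": set(flags), "payload": payload}


def icmp_echo(src, dst):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": 8}


# Constructed sample traffic (not a real capture).
SAMPLE = (
    [tcp("10.0.0.7", "192.0.2.10", port) for port in range(1, 13)]   # sequential scan
    + [tcp("10.0.0.8", "192.0.2.10", 27374)]                        # SubSeven port
    + [tcp("10.0.0.9", "192.0.2.11", 80, ("PSH", "ACK"),
           b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n")]               # Code Red string
    + [icmp_echo("10.0.0.5", "192.0.2.12") for _ in range(25)]      # ping flood
    + [tcp(f"10.0.{i}.1", "192.0.2.13", 443) for i in range(60)]    # SYN flood
)

if __name__ == "__main__":
    for rule, who in detect(SAMPLE):
        print(f"ALERT {rule:<22} {who}")
```

Note that the port and string rules fire on a single packet, while the scan, ping-flood and SYN-flood rules are stateful counters; a real sensor also ages those counters out by time window, otherwise a slow scan spread over days is still caught but a busy legitimate client eventually trips the threshold too.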

Figure 7.1 details a simplified network-based IDS solution monitoring traffic that passes through an organization's firewall to the systems within the protected network.

Figure 7.1. An idealized example displaying a network-based IDS solution.



During normal operation, a network interface card (NIC) passes up only frames addressed to its own MAC address (plus broadcast and subscribed multicast). To capture raw packets directed at any host on the segment, the sensor's NIC must be placed in promiscuous mode. On a switched network that alone is not enough, because the switch forwards each frame only to the port that owns the destination address; the sensor must also be fed by a mirror (SPAN) port or a network tap to see traffic between other hosts.


Table 7.1 details some of the strengths of network-based IDS solutions.

Table 7.1. Strengths of Network-Based IDS

Low cost of ownership: Because a single network-based IDS can be used to monitor traffic passing through an entire network segment, the number of systems required remains small while providing adequate network coverage.

Pre-host detection: Network-based IDS solutions can be used to detect attacks that cannot be easily identified by the host, such as denial of service (DoS) attacks that target the host's ability to connect to a network. An IDS placed outside of a firewall or within a DMZ can identify patterns of failed attempts as well as successful intrusions.

Real-time detection: Network-based IDS solutions analyze network traffic as it occurs, allowing alerts to be generated while the attack is underway. This also makes it harder for an attacker to cover his tracks, because network monitoring can capture not only the packets detailing the access attempt, but also those that detail the attacker's attempts to remove evidence of the attack.

Environment independent: Because network-based IDS solutions analyze raw data packets, they are more adaptable to a wide variety of network and technology configurations.

Host-Based IDS

Host-based IDS solutions involve processes running on a host that monitor event and applications logs, port access, and other running processes in order to identify signatures or behaviors that indicate an attack or unauthorized access attempt. Some host-based IDS solutions involve the deployment of individual client applications on each host, which relay their findings to a central IDS server responsible for compiling the data to identify distributed trends.

Table 7.2 details some of the strengths of host-based IDS solutions.

Table 7.2. Strengths of Host-Based IDS

Low number of false positives: Because host-based IDS solutions analyze logged events, both success and failure events may be monitored and alerts generated only after a proper threshold has been reached.

Auditing change monitoring: Host-based IDS solutions can monitor individual processes on each host, including changes to the auditing process itself.

Non-network attack detection: Host-based IDS solutions can be used to monitor events on standalone systems, including access from the keyboard.

Encrypted communication monitoring: Some attacks use encrypted or encapsulated data communications, bypassing network-based IDS. A host-based sensor sees the data after the receiving process has decrypted it.

Cost savings by directed monitoring: Unlike network-based IDSs, which must observe all data traffic across the monitored network, host-based solutions require no additional hardware purchase and may be deployed on just those systems that require intrusion detection.

Single-point monitoring: Within large, switched networks, network-based IDS solutions may be inadvertently or purposefully bypassed by using a secondary access route. Host-based IDS solutions are not limited to a particular communications path for detection.
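The "Auditing change monitoring" strength above, as an added example that is not code from the book: a host-based integrity check in Python that records a SHA-256 baseline of a directory standing in for the audit configuration and then reports which files were modified, added or removed. The directory layout, the file contents and the function names (`baseline`, `check`, `demo`) are constructed for this example; the real audit configuration paths on a given system will differ.

```python
"""Host-based integrity check for audit configuration files.

Added example, not from the book. It hashes every file under a directory
(here a constructed temporary tree standing in for an audit config
directory) into a baseline and reports what changed, so tampering with
the auditing setup itself is noticed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = sha256_of(full)
    return snap


def check(root, snap):
    """Compare the current tree against a saved baseline."""
    now = baseline(root)
    return {
        "modified": sorted(p for p in snap if p in now and now[p] != snap[p]),
        "removed": sorted(p for p in snap if p not in now),
        "added": sorted(p for p in now if p not in snap),
    }


def demo():
    """Constructed scenario: an attacker empties a rule file and drops a new one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "rules.d"))
        with open(os.path.join(root, "auditd.conf"), "w") as f:
            f.write("log_format = ENRICHED\nmax_log_file_action = ROTATE\n")
        with open(os.path.join(root, "rules.d", "audit.rules"), "w") as f:
            f.write("-w /etc/passwd -p wa -k identity\n")
        snap = baseline(root)
        # Tampering after the baseline was taken.
        with open(os.path.join(root, "rules.d", "audit.rules"), "w") as f:
            f.write("")                      # rule silently disabled
        with open(os.path.join(root, "evil.conf"), "w") as f:
            f.write("active = yes\n")        # unexpected new file
        return check(root, snap)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline off the monitored host, or at least signed, since an attacker who can rewrite the audit rules can also rewrite a baseline stored next to them; and schedule the check from something the audit daemon does not depend on, so disabling auditing does not also disable the check.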

Layered Intrusion Detection

In most network deployments, a layered intrusion-detection approach is required to provide protection against all forms of attack. Combining user training, host-based and network-based IDS solutions, and the hardening of services and systems to remove known vulnerabilities forms a unified solution to many developing security requirements.

Honeypots and Honeynets

Honeypots are systems configured to simulate one or more services within an organization's network, and they are intentionally left exposed to network access as a means to attract would-be attackers. For instance, a honeypot can be used to gauge the level of hostile attention directed at a network when an administrator suspects an attack or potential attack. Honeypots are also used to study and learn from an attacker's common methods. When an attacker accesses a honeypot system, her activities are logged and monitored by other processes so that the attacker's actions and methods can later be reviewed in detail. The honeypot also serves to distract the attacker from valid network resources. The captured information can support legal action and builds knowledge of attack methods that can be applied in later incidents. Because no legitimate user has any reason to contact a honeypot, its alerts carry far fewer false positives than those of a sensor watching production traffic.

Honeynets are collections of honeypot systems interconnected to create functional-appearing networks that may be used to study an attacker's behavior within the network. Honeynets use specialized software agents that create normal-seeming network traffic. Honeynets and honeypots can be used to distract attackers from valid network content, to study the attacker's methods, and to provide an early warning of attack attempts that may later be waged against the more secured portions of the network. See www.honeynet.org for more information.
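A low-interaction honeypot of the kind described above, as an added example that is not code from the book or from www.honeynet.org: a fake service in Python that listens on a local port, answers every connection with a decoy banner, and records the peer address and the first bytes it sends, so the attacker's probe is captured for later review. The decoy banner, the record layout and the `Honeypot`/`probe` names are assumptions for this example; the banner imitates an SMTP greeting only so that a banner-grabbing scanner has something to read.

```python
"""Minimal low-interaction honeypot: a fake service that logs every
connection and the first bytes it receives, then answers with a decoy banner.

Added example, not from the book. The decoy banner and the record layout
are assumptions made for this example.
"""
import socket
import threading
import time

DECOY_BANNER = b"220 mail.example.test ESMTP ready\r\n"   # assumed decoy greeting


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))              # port 0: let the OS pick one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.records = []                         # (peer address, first bytes)
        self._lock = threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                       # listening socket was closed
                return
            threading.Thread(target=self._handle, args=(conn, peer),
                             daemon=True).start()

    def _handle(self, conn, peer):
        """Send the decoy banner, then log whatever the attacker sends first."""
        with conn:
            conn.sendall(DECOY_BANNER)
            conn.settimeout(2.0)
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""
            with self._lock:
                self.records.append((peer[0], data))

    def wait_for(self, count, timeout=5.0):
        """Block until at least `count` connections have been logged."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.records) >= count:
                    return True
            time.sleep(0.01)
        return False

    def close(self):
        self.sock.close()


def probe(port, payload):
    """Play the attacker: connect, grab the banner, send a payload."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
        return banner


if __name__ == "__main__":
    hp = Honeypot()
    print("banner seen by attacker:", probe(hp.port, b"EHLO scanner.example\r\n"))
    hp.wait_for(1)
    print("logged:", hp.records)
    hp.close()
```

A honeypot must never be reachable from the production network in a way that lets a compromised honeypot pivot inward, so in practice the listener sits on its own segment with outbound traffic blocked or rate-limited, and the `records` go to a log store the attacker cannot reach.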


An exposed server that provides public access to a critical service, such as a Web or email server, may be configured so that it is isolated from the organization's internal network and reports attack attempts to the network administrator. Such an isolated, hardened server is referred to as a bastion host, named for the projecting towers of a fortification that gave a castle advance notice of a pending assault.


Incident Handling

When IDS solutions alert responsible parties of a successful or ongoing attack attempt, it is important to have previously documented plans for responding to incidents. Several forms of response can be derived from the analysis and identification of attack attempts, including the following:

  • Deflection Redirecting or misdirecting an attacker to secured segmented areas, allowing them to assume they have been successful while preventing access to secured resources. Honeypots and honeynets are examples of deflection solutions.

  • Countermeasures Intrusion Countermeasure Equipment (ICE) can be used in some scenarios to provide automatic response in the event of intrusion detection. ICE agents may automatically lock down a network or increase access security to critical resources in the event of an alert; however, false positives could create problems for legitimate users in such a scenario.

  • Detection After identification of an attack, forensic analysis of affected systems can yield information about the identity of the attacker. This information may then be used to direct the attention of the proper authorities to the source of the attack.

Post-attack analysis of successful intrusions should be used to harden systems against further intrusion attempts that use the same methodology. What is learned from honeypot systems can likewise feed planning: access restrictions can be configured and the network modified so that it appears less attractive to potential attackers.



Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162