Section 18.2. Attacks, Detection, and Prevention

The security administrators we observed face two broad categories of attack: autonomous software such as worms and viruses that spread from machine to machine, and human-directed intrusions in which an attacker tries to compromise machines manually or by using semi-automated tools. While most virus attacks appear to have the goal of disrupting computer operations, most human-directed attacks aim to gain control of machines. These privileges are then used to attack other machines, steal data or computational resources, and occasionally destroy data. Some attackers appear to do little damage, instead concentrating on obtaining access to as many systems as possible to gain recognition from their peers. When discovered and blocked by security administrators, however, attackers sometimes strike back and try to damage the administrators' data and machines.

We saw security administrators using a variety of tools for detecting and preventing attacks. These tools include:


Global intrusion detection tools

These monitor network traffic to analyze and report suspicious patterns (for example, Bro[5]).

[5] Bro Intrusion Detection System; http://bro-ids.org.


Scanning tools

These probe machines remotely for known vulnerabilities in their installed software (for example, Nessus[6]).

[6] Nessus Open Source Vulnerability Scanner Project; http://www.nessus.org.


File/host integrity tools

These run locally to check for compromised states; such tools include:

  • Virus detection and repair tools (for example, Symantec AntiVirus[7]).

    [7] Symantec AntiVirus; http://www.symantec.com.

  • Change management tools that track and compare system configuration information, including file organization, and that alert administrators when unauthorized changes occur (for example, Tripwire[8]).

    [8] Tripwire Change Auditing Solutions; http://www.tripwire.com.

  • Rootkit hunters, which look for installed rootkits (a rootkit is a prepackaged set of programs and/or files used to exploit a vulnerability and gain control of a machine).
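As an added illustration of the change management tools described above (example code written for this page, not Tripwire's or any vendor's own): it records a baseline of content hashes, permission bits and sizes over a constructed sample tree, then reports which files were added, removed, or altered since the baseline.

```python
import hashlib, shutil, stat, tempfile
from pathlib import Path

def file_fingerprint(path):
    """Content hash plus permission bits and size, the attributes a Tripwire-style check records."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else ""
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def build_baseline(root):
    """Snapshot every file under root, keyed by its path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_fingerprint(p)
            for p in root.rglob("*") if not p.is_dir()}

def compare_baseline(old, new):
    """Report files that appeared, vanished, or changed content/permissions since the baseline."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in common if old[p] != new[p])}

def demo():
    """Constructed sample tree (not real system files): take a baseline, tamper with it, compare."""
    root = Path(tempfile.mkdtemp())
    try:
        samples = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                   "etc/hosts": b"127.0.0.1 localhost\n",
                   "bin/ls": b"#!/bin/sh\nexec /bin/ls \"$@\"\n"}
        for rel, data in samples.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            p.chmod(0o644)
        baseline = build_baseline(root)
        # Four unauthorized changes an integrity checker should flag:
        (root / "etc/passwd").write_bytes(samples["etc/passwd"] + b"extra:x:1001:1001::/home/extra:/bin/sh\n")  # content changed
        (root / "bin/ls").chmod(0o4755)                       # set-uid bit added, content unchanged
        (root / "bin/.hidden").write_bytes(b"unexpected\n")   # new file appeared
        (root / "etc/hosts").unlink()                         # file removed
        return compare_baseline(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)
```

Note that the permission-only change to bin/ls is caught even though its hash is unchanged, which is why such tools compare metadata as well as content.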


Communication tools

These, such as email, phone, instant messaging, and chat rooms, are used to coordinate work and share information among administrators.


Samples of code

Exploit code collected from attacks is run in an isolated setting (e.g., VMware) to better understand how the attacks work.


Honeypots

These are tools that emulate information system resources to attract attacks and capture attack data (for example, Sebek[9]).

[9] Sebek Open Source Honeypot; http://www.honeynet.org/tools/sebek.


Public information sources

These contain data about vulnerabilities and attacks, including mailing lists and web sites such as FIRST (Forum of Incident Response and Security Teams[10]), bugtraq,[11] unisog,[12] CERT (Computer Emergency Readiness Team[13],[14]), and SANS (SysAdmin, Audit, Network, Security[15]).

[10] Forum of Incident Response and Security Teams (FIRST); http://www.first.org.

[11] SecurityFocus.com, bugtraq; http://www.securityfocus.com/archive/1.

[12] University Security Operations Group, unisog; http://www.dshield.org/mailman/listinfo/unisog.

[13] Computer Emergency Readiness Team (CERT); http://www.cert.org.

[14] J. H. Allen, The CERT Guide to System and Network Security Practices (Reading, MA: Addison Wesley, 2001).

[15] The SysAdmin, Audit, Network, Security (SANS) Institute; http://www.sans.org.

Administrators spend considerable time on prevention, researching new vulnerabilities and finding vulnerable machines. When faced with an automated attack, work becomes much more hectic as compromised machines are detected and isolated from the network to prevent the attack from spreading. Human-directed attacks are sometimes stopped in the same way, but occasionally security personnel will allow an attacker to continue in a controlled manner in order to trace the attack back to its source. In the next section, we describe security administrators and their work in more detail based on our studies.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295