Chapter 5: Detecting Attack Traces


Overview

"By discovering the enemy's dispositions and remaining invisible ourselves, we can keep our forces concentrated, while the enemy's must be divided."

Sun Tzu, "The Art of War."

We already know how to detect attack indications within the controlled resources. We also know what methods can be used to detect security policy violations within the controlled area. These topics were covered in Chapter 4. Now we will look at how to detect these violations.

When detecting attack traces, it is necessary to take into account the following aspects [Firth1-97]:

  • Integrity control for programs, data files and other information resources to be protected

  • An analysis of user and process activity, along with a network-traffic analysis within the controlled system

  • Control over physical attacks on the information-system elements, including mobile storage media (such as a mobile rack)

  • Suspicious activity investigation performed by administrators or other reliable sources (CIRT, for example)

According to this classification, actions related to intrusion detection described in Table 5.1 can be performed in both the automatic and manual modes (Fig. 5.1).

Table 5.1. Factors Related to Intrusion Detection

Factor: Data-integrity control
Actions:
  • Viewing unexpected changes to files and folders

Factor: Control over user and process activity, including control over network traffic
Actions:
  • Analysis of log files, including those of operating systems, DBMS, user programs and network applications
  • Analysis of alerts and system messages from network-monitoring systems and system-monitoring tools (including OS built-in monitoring tools)
  • Analysis of suspicious behavior of the active processes

Factor: Control over physical forms of intrusion
Actions:
  • Detecting unknown or unauthorized devices (modems, for example) connected to the controlled system
  • Detecting traces of unauthorized access to physical resources

Factor: Investigating incidents
Actions:
  • Analysis of the user reports and data from external sources on the behavior of the system, processes, programs and network events

Fig. 5.1. Methods of analyzing attack information

However, I should mention that the last two rows of Table 5.1 go beyond the scope of this book.

Automatic analysis can also be classified into two categories — universal and specialized. Universal analysis is performed using the built-in tools supplied with the software. This group of tools includes, for example, Network Monitor or Event Viewer, used to view Windows NT/2000/XP log files. Specialized analysis is carried out using special tools intended for detecting security policy violations. This group of tools includes, for example, Snort, Tripwire, System Scanner and others.
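The data-integrity row of Table 5.1 in working form: a Tripwire-style baseline-and-compare check, added here as an example and not code from the book or from Tripwire. The directory tree, file contents and the "tampering" are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile

# Added example (not the book's code): a baseline maps a relative path to the
# SHA-256 of the file's contents; a later snapshot is compared against it and
# every difference is an "unexpected change" for a human to review.

def snapshot(root):
    """Hash every regular file under root, keyed by its path relative to root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests

def compare(baseline, current):
    """Return (added, removed, modified) lists of paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Build a constructed tree, take a baseline, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)
        # Constructed changes: one file edited, one added, one removed.
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        with open(os.path.join(root, "etc", "rc.local"), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

In practice the baseline itself must be stored where the monitored system cannot rewrite it, otherwise a change to the baseline hides a change to the files.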

Manual methods are free, if you do not consider the salary of the specialist performing the analysis and other parameters comprising the Total Cost of Ownership (TCO). However, they cannot guarantee rapid detection of intrusions, to say nothing of taking appropriate countermeasures. Furthermore, these methods are not effective when dealing with networks that are distributed over a large area. Nonetheless, the use of these methods is sometimes justified. This is the case, for example, when performing an analysis of remote affiliates, network segments and hosts that are not of critical importance, or when purchasing an automated intrusion detection system is within the means of your budget. These methods are also of value after an automated analysis has already been run since, despite all of the advantages provided by automated methods, some attacks are very difficult to detect without manual analysis and human intuition. In this case, however, the amount of data that needs to be processed manually is significantly smaller than the initial data amount. As stated in [Allen1-99], the complete automation of the intrusion detection process still remains an unattainable dream. In practically all reported incidents in which the intruder was traced, security specialists used manual methods, relying on the high level of care and concentration that is characteristic of IDS operators, or on additional custom software that enhances the security system's functionality. Finally, manual analysis is to be preferred by security professionals, since it allows them to improve their skills and knowledge.

The universal automated methods used in the initial stages are more efficient than manual methods. However, even these methods are not capable of detecting security policy violations within a reasonable time. Instead, these methods can simplify the processing of large amounts of information, perform filtering, and select data sets for subsequent manual analysis. But manual processing is still necessary.
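The filtering and pre-selection step described above, as an added example that is not from the book: a constructed excerpt of sshd authentication log lines (syslog format, the kind a built-in log viewer shows) is reduced to the entries worth a person's time. The threshold, the field names and the sample lines are assumptions of this example.

```python
import re
from collections import Counter

# Constructed auth-log excerpt for the example (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:02 host1 sshd[811]: Accepted password for alice from 10.0.0.5 port 5001 ssh2
Mar  3 10:01:09 host1 sshd[812]: Failed password for root from 203.0.113.7 port 4411 ssh2
Mar  3 10:01:11 host1 sshd[813]: Failed password for root from 203.0.113.7 port 4412 ssh2
Mar  3 10:01:13 host1 sshd[814]: Failed password for admin from 203.0.113.7 port 4413 ssh2
Mar  3 10:01:40 host1 sshd[815]: Failed password for bob from 10.0.0.9 port 5120 ssh2
Mar  3 10:02:00 host1 sshd[816]: Accepted password for bob from 10.0.0.9 port 5121 ssh2
Mar  3 10:05:31 host1 sshd[820]: Accepted password for root from 203.0.113.7 port 4420 ssh2
"""

FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")

def triage(log_text, threshold=3):
    """Shrink a log to the lines a human should review, grouped by reason.

    threshold: number of failed logins from one source address that makes the
    source suspicious (an assumed value; tune it to the environment).
    """
    lines = log_text.splitlines()
    failures_by_src = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures_by_src[m.group("src")] += 1
    suspicious = {src for src, n in failures_by_src.items() if n >= threshold}
    findings = {"bruteforce_sources": sorted(suspicious),
                "success_after_failures": [],   # a login that finally succeeded
                "root_logins": []}               # any successful root login
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue
        if m.group("src") in suspicious:
            findings["success_after_failures"].append(line)
        if m.group("user") == "root":
            findings["root_logins"].append(line)
    return findings

if __name__ == "__main__":
    for reason, items in triage(SAMPLE_LOG).items():
        print(reason, items)
```

Seven input lines become three findings; on a real day's log the ratio is what makes the subsequent manual pass feasible.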

The final option for performing the actions described in Table 5.1 is applying specialized systems, which differ from the universal ones in the detection logic they apply. Usually, these systems have quite a large database of security policy violations (attack indications or vulnerabilities) that can be detected within the information sources using specific methods (misuse-detection or anomaly-detection systems).

However, you must not draw the conclusion that only specialized systems are capable of performing the task and, therefore, are the best choice. Relying on the messages generated by these tools alone, one can overlook or misinterpret some events. Therefore, you should not limit yourself solely to the messages generated by even the most advanced intrusion detection system. You still have to perform manual analyses of data gathered not only by the intrusion detection system, but also by other tools (network sniffers, for example).




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
