C. Universal Threat Management C.4. Defenses

Size: px

Start display at page:

Download "C. Universal Threat Management C.4. Defenses"

Austin Owens
8 years ago
Views:

1 UTM I&C School Prof. P. Janson September 2014 C. Universal Threat Management C.4. Defenses 1 of 20

2 Over vulnerabilities have been found in existing software These vulnerabilities are under constant attacks 24x7 plus criminals are targeting naïve users with social engineering & spam 2 of 20

3 What means exist to prevent, detect, recover from attacks? 3 of 20

4 Intrusion defenses Figures Approaches Prevention Surveillance Detection Correction Tools Information sources 4 of 20

5 Intrusion surveillance: monitoring, reporting, and logging = Security Information & Event Management (SIEM) Needs to be secured Distributed vs. centralized Control center Control center 5 of 20

6 Intrusion detection Recommendation = run from CD-ROM to ensure integrity against disabling malware Intrusion symptoms Methods taxonomy Practical tools Filtering Challenge Digital forensics 6 of 20

7 Intrusion symptoms Symptoms of data exfiltration Swells in Data in unusual places Specific file requests Database read volume HTML response sizes Outbound network traffic Symptoms of data alteration / intrusion / infection / repudiation Suspicious changes in registry or system files Anomalous system patching (attacker locking system against other attackers) Symptoms of abuse Anomalies in DNS requests Web requests with unhuman behavior Port-application traffic mismatches Availability / performance (DoS / smokescreen for more pernicious attacks) Symptoms of identity theft Anomalies in Privileged account activity Geographical origin activity Other log-in activity Mobile device profile changes 7 of 20

8 Methods taxonomy Host- & network-based intrusion detection systems Call- & traffic-based intrusion detection systems Real-time & off-line intrusion detection systems Signature- & anomaly-/behavior-based intrusion detection systems 8 of 20

Host- & network-based intrusion detection systems (HIDS & NIDS) Complementary methods Different focus NIDS Focus on events inside network Traffic at network nodes e.g.

9 Host- & network-based intrusion detection systems (HIDS & NIDS) Complementary methods Different focus NIDS Focus on events inside network Traffic at network nodes e.g. routers HIDS Focus on events around the network Events at attached hosts e.g. servers & clients Traffic in/out System calls Critical file events Malware detection NIDS HIDS HIDS 9 of 20

10 Call- & traffic-based intrusion detection systems Complementary methods Different focus Traffic-based systems focus on traffic-related events Packet type, size, volume, sequence, source, destination, etc. Traversing network nodes in NIDS Entering and leaving systems in HIDS Call-based systems focus on system calls in HIDS System call types, sequences, arguments, results, etc. 10 of 20

11 Real-time prevention & off-line detection of intrusions Complementary methods Different timescale Off-line IDSs collect + log events as they happen but analyze logs off line May detect but cannot block attacks On-line IDSs collect + log events as they happen and analyze logs continuously May detect and block attacks 11 of 20

12 Signature- & anomaly-/behavior-based intrusion detection systems How to separate the wheat (legitimate activities) from the chaff (attacking activities) Complementary methods Different approaches Attacks as well as legitimate activities can be identified by signatures Characteristic events, packet sequences, sizes, volumes, origins, etc. in traffic-based IDSs Characteristic system calls, sequences, arguments, etc. in call-based IDSs 12 of 20

13 Signature- & anomaly-/behavior-based intrusion detection systems Signature-based IDSs try to recognize attacks + flag them while ignoring everything else Raise alarms when recognizing something matching signature of known attack Suffer from initial false negatives = failing to recognize new attacks Must maintain up-to-date cumulative black-lists of attack signatures Anomaly-/behavior-based IDSs try to recognize legitimate activities and flag everything else Raise alarms when recognizing something not matching signature of legitimate activity Suffer from initial false positives = failing to recognize new legitimate activities Must maintaining up-to-date dynamic white-lists of legitimate activity signatures 13 of 20

14 Practical tools Malware scanners (Critical system) file monitors Honeypots 14 of 20

15 Malware (detection) scanners vs. (prevention) filters Malware filters use black-listed signatures to prevent malware infiltration from outside Filter may fail => malware may still infect network New malware => no signature yet Filter signature file out of date Malware imported over unfiltered path e.g. XCS or a USB key brought by careless employee Malware scanners use black-listed signatures to detect malware that escaped filters 15 of 20

16 Critical system file monitors Many attacks are stealth / hidden, especially latest, long-term APAs But extremely difficult / impossible to completely hide all traces of an attack => Monitor critical system files System registries System user accounts System and other hidden files Network, host, server, middleware, and application configuration files Network, host, server, middleware, application and any other event recording logs Tools maintain and monitor cryptographically signed hashes of critical system files 16 of 20

17 Honeypots (honey nets, honey tokens, honey files) Honeypots = fake networks, systems, servers, containers, applications, accounts (e.g. ) Attract attackers by faked name, purported function, pretended content Designed to be attacked and let attacks proceed under close monitoring Ultimate honeypot is powerful server Bearing many unused IP addresses Advertising applications / ports Mimicking real server Any IP packet or port scan landing there is suspect = Darknet / Internet Background Noise (IBR) (~ 1 PB / month!!) 17 of 20

18 Filtering challenge: false positives & false negatives Key challenge of IDSs is filtering reams of alerts Mostly benign Some unjustified = false positives Some missed = false negatives Two quality parameters: Precision = no. of true positives / no. of true positives + false positives (% unwanted items) Recall = no. of true positives / no. of true positives + false negatives (% missed items) Best IDSs interoperate with others => perspective view of things Comparing agreeing alerts to filter out benign alerts Comparing disagreeing alerts to disambiguate false positives and false negatives 18 of 20

19 Digital forensics Classical forensics search for transfer of matter or traces between suspect, victim and environment Digital forensics search for transfers of information (loads and stores) Always write-protect => copy => archive any storage device under investigation Any attack is very likely to leave visible traces in or around systems they target Cradle-to-grave encryption of all information => the end of digital forensics Ethical and legal issue whether suspect can be forced to surrender crypto keys (comparable to search-warrant but harder to enforce) 19 of 20

20 Incident response / recovery Isolate affected systems Report intrusion to management and nearest CERT Correct damage always have BCR plan Restore system beware of infected back-ups Restart operations Analyze evidence to understand attack computer forensics Upgrade defenses to prevent repetition 20 of 20

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use