Practical Intrusion Analysis

Transcription

1 Practical Intrusion Analysis PREVENTION AND DETECTION FOR THE TWENTY-FIRST CENTURY Ryan Trost TT Ar Addison-Wesley Upper Saddle River, NJ Boston Indianapolis * San Francisco New York Toronto Montreal London Munich Paris Madrid Capetown Sydney Tokyo Singapore * Mexico City

2 Contents Preface Network Overview Key Terms and Concepts Brief History of the Internet Layered Protocols TCP/IP Protocol Suite Internet Protocol Addressing IPv6 Summary IP Addresses Infrastructure Monitoring Network-Analysis Tools Packet Sniffing Accessing Packets on the Network SPANs (Port Mirroring) Network Taps To Tap or to SPAN Defense-in-Depth Summary XV I VII

3 Chapter 3 Intrusion Detection Systems 53 IDS Groundwork 54 From the Wire Up 55 DoS Attacks 55 IP Fragmentation 57 TCP Stream Issues 58 Target-Based Reassembly 59 Two Detection Philosophies: Signature and Anomaly Based 60 Snort: Signature-Based IDS 61 Two Signature Writing Techniques 67 Bro: An Anomaly-Based IDS 74 Similarities Between the Systems 82 Summary 85 Chapter 4 Lifecycle of a Vulnerability 87 A Vulnerability Is Born 87 FlashGet Vulnerability 88 Collecting a Sample Packet Capture 90 Packet Analysis and Signature-Writing 95 Signature Tuning 100 Detection Tuning 100 Performance Tuning 101 Advanced Examples 104 CitectSCADA ODBC Server Buffer Overflow: Metasploit 104 FastStone Image Viewer Bitmap Parsing 109 Libspf2 DNS TXT Record Size Mismatch 114 Summary 117 Chapter 5 Proactive Intrusion Prevention and Response via Attack Graphs I 19 Topological Vulnerability Analysis (TVA) 121 Overview of Approach 121 Illustrative Example 122 Limitations 125 Attack Modeling and Simulation 126 Network Attack Modeling 126 Attack Simulation 130 Optimal Network Protection 134 Vulnerability Mitigation 135 Attack Graph Visualization 137 Security Metrics 139 viii

4 Intrusion Detection and Response 141 Intrusion Detection Guidance 141 Attack Prediction and Response 144 Summary 147 Acknowledgments 147 Endnotes 148 Chapter 6 Network Flows and Anomaly Detection 151 IP Data Flows 152 NetFlow Operational Theory 153 A Matter of Duplex 155 Cisco IOS NetFlow and Flexible NetFlow 156 sflow: More Data, But Less Frequency 159 Internet Protocol Flow Information Export (IPFIX) 161 It's a Virtual World 162 Endless Streams of Data 164 Behavioral Analysis and Anomaly Detection 167 Compare and Contrast 172 IDS and NetFlow 172 Signature Updates 173 IDS System Resources 174 Syslog and NetFlow 178 Technology Matrix 180 Summary 182 Endnotes 183 Chapter 7 Web Application Firewalls 185 Web Threat Overview 186 WhyaWAF? 189 WAF Protection Models 191 Positive Security Model 191 Negative Security Model 192 Virtual Patching Model 193 Output Detection Model/Content Scrubbing 194 WAF Policy Models 195 Learning 195 Vulnerability Assessment Feedback 195 Manual Entry 195 ix

5 ModSecurity 196 ModSecurity Rule Sets 196 VA+WAF 201 VA+WAF Example: WhiteHat Security and F5 Networks 201 WAFs and PCI Compliance 203 WAF Realities 203 IDS/IPS!= WAF 204 False Positives 205 Misconfigured WAFs 205 WAFs Do Not Fix Bad Logic 205 WAFs!= Bad Code Patch 206 Summary 206 References 207 Chapter 8 Wireless IDS/IPS 209 Why a Wireless IDS? 209 Wireless Intrusion Detection/Prevention Realities 212 Types of Wireless IDSs/IPSs 213 Overlay 213 Combined AP/WIDS 214 Combined AP/WIDS/Access Controller 215 Wireless IDS Events 215 Unauthorized Activity 216 Active Recon/Cracking 217 DoS Attacks 221 Intrusion Prevention Techniques 224 Limitations 224 Isolation 225 WEP Cloaking (WEP Chaffing) 228 Location Detection 229 Honeypot 231 Other Wireless Threats 233 Legacy Wireless Technology 233 Bluetooth 233 Sniffers 233 Summary 234 Endnote 234

6 Chapter 9 Physical Intrusion Detection for IT 235 Origins of Physical Security 236 Assumed, Yet Overlooked 236 A Parallel Universe to IT Security 239 Physical Security Background 241 Common Physical Access Control Components 243 This Is Not Your Father's CCTV 255 Old Habits Die Hard 259 Convergence of Physical and Logical Security 260 How Convergence Works 261 HSPD-12: Convergence Trial by Fire 265 A Look at Some Vendor Offerings 266 Intrusion Detection Examples in a Converged Environment 270 Summary 274 Endnotes 274 Chapter 10 Geospatial Intrusion Detection 275 Current Uses of Geocoding 278 Introduction to Geographic Information Systems 279 GIS Basic Functions 282 Framework for Cooperation 282 Map Projection 283 Raster Versus Vector 285 Vector Data Model 287 Spatial Point Pattern Analysis 288 Classes of Spatial Analysis 289 Point Intensity 290 Point Process Statistics 290 Dynamics of a Professional Attack 293 Cornerstone Theory 295 Example of Attack Steps and Methods 296 Geocoding Techniques 299 Geocoding Limitations 315 Accuracy 316 GeoLocation Intelligence Vendors 317 xi

7 Case Study of Geographic Intrusion Detection 320 Case Outline 322 Breakdown of the Steps 322 Summary 344 Endnotes 345 References 346 Chapter 11 Visual Data Communications 347 Introduction to Visualization 348 Developing a Visualization Strategy 355 User Audiences 356 Statistical Graphing Techniques 361 Technological Considerations 365 Scalability 365 Installation and Support 366 Data Management 368 Security Event Visualization 370 Example Graphs 371 Starlight Visual Information System 378 ETRI: VisNet and VisMon 381 Use-Case: Security Audit 385 Summary 387 Terminology 388 Endnotes 390 Reference 390 Chapter 12 Return on Investment: Business Justification 391 Not If, But When 393 Compliance Plays a Role 394 CoBIT Framework 394 ISO 27001/27002 Frameworks 395 ITIL Framework 396 Health Insurance Portability and Accountability Act of 1996 (HIPAA) 397 Payment Card Industry Data Security Standard (PCI-DSS) 398 Federal Information Security Management Act of 2002 (FISMA)/National Institute of Standards and Technology 399 Security Breaches 400 Breach Costs 401 Security Investment Within the Organization 402 xii

8 Data Breaches and the Law ROI as a Unifying Benchmark Cost Breakdown Cost-Benefit Analysis: Building an Economic Model Gain from Investment Cost of Investment Return on Investment Net Present Value Internal Rate of Return ROI Versus NPV Versus IRR Security Investment: Should Security Operations Be Outsourced? Benefits of MSSPs Downfalls of MSSPs The Financial Aspect of an MSSP Cyber Liability Insurance (CLI) CLI Coverage Types Privacy Liability Insurance Network Security Liability Insurance Property Loss Insurance Loss of Revenue Insurance Cyber Extortion Insurance Notification Costs Insurance Regulatory Defense Insurance Media Liability Insurance CLI Underwriting Process Summary Endnotes Appendix Bro Installation Guide Compiling and Building Options Operations Use References Index 441 xlii