How to Make Your IDS Useful. Joel M Snyder Senior Partner Opus One jms@opus1.com

Transcription

1 How to Make Your IDS Useful Joel M Snyder Senior Partner Opus One jms@opus1.com

2 Agenda: IDS Why are we looking at IDS? The 5 Ws of IDS Analysis The IDS Analysis Cycle 2

3 IDS Has Little to Do With Intrusions Port Scan here: ho-hum Internal Net External network Internal Net router/ firewall DMZ Enterprises want to understand and block security problems on their networks. On each network, intrusion can mean something very different Internal Net Port Scan here: Uh-oh! 3

4 Intrusion Detection Systems Identify Security Problems on Your Networks External network DMZ Internal Net Internal Net IDS (passive) IDS (passive) Management Network 4

5 Intrusion Prevention Systems Block Security Problems on Your Networks External network IPS (active) DMZ Internal Net Internal Net Management Network 5

6 There are at least 4 types of IDS/IPS products out there Signature-based: look for specific traffic that matches specific descriptions, or is out of spec in some particular way Anomaly-based: observe deviations from baseline normal traffic and block or alert Niche: Wireless: have specific knowledge of RF and RF behaviors; looking for wirelessspecific issues Rate-based: watch flows and connections and limit or modify TCP/UDP to predetermined norms or to guarantee response time 6

7 Network Intrusion Analysis Combines Technology With Methodology You must have some of both before you can even start Suggested reading: Network Intrusion Detection, 3/e by Northcutt & Novak 7

8 Before You Start, Consider the Five Ws Where is everything? What do I care about? Who is responsible? Who do I tell? When do we do analysis? Why are we doing this? Yes, this sounds dull and uninteresting. But if you don t do it, then you ll never know what to do with the data your IDS gives you 8

9 W#1 Where Is Everything on Your Network? You can t watch all ports on all devices connected to the network Even if you had infinite CPU time... So you need to know what each device is doing and who is taking care of them Mapping your network is part of your preparation for IDS analysis 9

10 W#1 Map Your Network at Three Levels (at Least!) Physical layer topology helps to understand what wires and bridges go where Network layer topology identifies systems and routing paths Application layer topology shows you what businesscritical resources are present 10

11 W#1 Applications Are Hard to Map but Critical to Understand Physical layer topology helps to understand what wires and bridges go where Network layer topology identifies systems and routing paths Application layer topology shows you what businesscritical resources are present WWW Oracle WWW Oracle Oracle Load Balancer WWW LDAP RADIUS WWW LDAP 11

12 W#2 What Do I Care About? Once you have mapped your network, you have two main questions to ask: What is visible to my IDS/IPS? Generally, certain inside-to-inside flows will not be visible Also, certain outside-toinside flows might not pass a sensor That whole encryption thing Which network elements are important to me? Physical Network Application 12

13 W#2 Spend Time on Critical and Important Systems Quick: your IPS says that someone is trying SQL attacks on imprimo. Quick: your IPS says that someone is trying SQL attacks on system repono. Do you care? Answer: No. It s a printer. It doesn t run SQL. No one cares about it anyway. Do you care? Answer: Yes! It s an SQL server. It s behind the firewall. It generates my paycheck. 13

14 W#3 Who Is Responsible? System Mgmt Responsibility Who takes care of the network? Who takes care of the servers and routers? Who takes care of the applications? Incident Responsibility Who do I tell? What are they responsible for doing? What if they don t do it? Then what do I do? (or do I even care?) 14

15 W#4 When Do We Do Analysis? Immediately? Are we concerned about catching someone in the act? Daily? Weekly? Monthly? Quarterly? Annually? Never? Do we want to know quickly if there is a problem on our net? Are we looking for long-term trends? Do we do this for forensics and tuning? 15

16 W#4 Your Analysis Timeframe Strongly Influences What You Do Immediate Alert system & network mgrs React or traceback? Start logging Get on the phone Daily Successful? Prioritize 1/2/3 A trend? History? Patch? Update firewall rules? Surveillance? Trending What s abnormal? Normal? Getting worse? Better? Forensics? 16

17 Why Are We Doing This? You must be doing Intrusion Detection analysis and Intrusion Prevention for a reason What is it? W#5 What did your business case say? Avoid common exploits? Look for internal worms and malware? Discover misbehaving users and systems? Find out how you were broken? Who? Why? When? Tool for your application and network managers? Tool for security manager? 17

18 A Policy Covers the Five Ws and You Need a Policy This is even more important than the policy that you didn t write to go along with your firewall Where is everything? What do I care about? Who is responsible? Who do I tell? When do we do analysis? Why are we doing this? Policies don t work Marcus Ranum, Seven Things I ve Learned 18

19 Your Policy Will Determine How You Do Analysis and Use Your IPS Immediate alerting You want to know the moment that something is up so that you can react immediately. Correlation You watch breakins and attempts to understand the motivation, method, and goals of the attacker. Surveillance Forensics You instruct the IDS to watch certain things more carefully to collect data on an object or suspect of interest. You use IDS to help understand what happened after a security incident or to show traffic flows and long-term statistics 19

20 The Analysis Cycle Gives a Framework Respond appropriately Feedback Identify resources Policy Breakdown Validate success Define attack Interact Research Qualify applicability 20

21 Analysis Is Always Grounded in Policy Respond appropriately Feedback Identify resources Policy Breakdown As you dive in, remember Paul Proctor s rule: When you first start operating an IDS, you will find many things you do not expect. Be prepared. Validate success Interact Which implies, perhaps, that policy is also grounded in analysis Qualify applicability Define attack Research 21

22 The 1st Step Is Identification and Mapping Respond appropriately Identify resources Policy Feedback Construct your 3 maps (physical, network, application) Breakdown Validate success Identify key resources Link to responsible people within your organization Define attack For each step in the cycle, identify the tools your IDS has to support this step Interact Some of this will come from policy Qualify applicability Research 22

23 Break Down the Data Into Manageable Chunks Respond appropriately Identify resources Policy Feedback Validate success Interact You will have dozens or perhaps hundreds of events (or thousands, if you haven t tuned) to look through Looking at them all requires mental discipline and an ability to prioritize Breakdown Define attack Research Qualify applicability 23

24 Define the Incident and Understand What It Means Respond appropriately Identify resources Policy Feedback Validate success Interact What kind of incident? Attack on a host? DoS attack? Information probe? What does the event message mean? What happened? Who was the source? Breakdown Define attack Research Qualify applicability 24

25 Research Is an Integral Part of Defining an Incident Respond appropriately Identify resources Policy Feedback Validate success Reference materials Stevens Vol. 1, 3 Web Rambling Your brain and your analyst (paper or electronic) notebook Breakdown Define attack Interact Research Qualify applicability 25

26 Qualify the Incident Policy Respond appropriately Identify resources Feedback Validate success Is it applicable to us? Do we care about it? Have I seen it before? Have I seen this attacker before? Breakdown Define attack Interact Qualify applicability Research This is the most important and time-consuming part of analysis 26

27 Qualification Means Answering a Lot of Questions Does this host actually exist? Attacks on non-existent hosts are pretty low priority Is this host vulnerable to the attack? Key conclusion: Without a comprehensive map, you cannot do useful analysis. Information gathering is painful, but there are tools to help. Go back to your Identify Resources maps and start talking to the responsible people 27

28 Northcutt Advises Prioritizing Your Incidents and Events severity = (criticality + lethality) (sys + net countermeasures) Criticality: How bad will it hurt? 5: Firewall, DNS, router 4: gateway/server 3: Executive s desktop 2: User desktop 1: MS-DOS 3.11 running soda machine System Countermeasures 5: Totally patched, modern O/S, internal firewall 3: Older O/S, partially patched 1: Unpatched/Unmanaged Lethality: How likely to do damage? 5: Multi-system root access 4: Single-system root 3: DoS total lockout 2: User-level access 1: Unlikely to succeed Network Countermeasures 5: Validated, restricted firewall 4: Firewall, plus some unprotected connections 2: Permissive firewall 1: No firewall 28

29 You Might Want to Answer Two More Questions Did the event cause a state change? Is there something else going on here? Is the behavior of the target system different after the event than before the event? What other correlation can we make between this attacker, the attacked system, and the type of incident with past incidents? 29

30 Communicate and Validate the Incident Respond appropriately Identify resources Policy Feedback Validate success Share information: something of interest might be correlated Find out: was the attack successful? Breakdown Define attack Interact Research Qualify applicability 30

31 Feedback Completes the Analysis Cycle Respond appropriately Identify resources Policy Feedback Validate success Interact Firewall adjustments IPS adjustments Update maps with contact information and patch details Log incident and results Verify against policy Breakdown Define attack Research Qualify applicability 31

32 Action Items: Making your IDS Useful Follow the 5 Ws and prepare background information on the network Identify tools within your IDS to help each step in the Analysis Cycle Set aside 2 to 3 hours each week to practice and get into the swing of tuning and analyzing events 32

33 Thanks! Joel Snyder Senior Partner Opus One