Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures
David Cole, Director IS Audits, U.S. House of Representatives

Agenda
- Assessment Planning
- Assessment Execution
- Assessment Evaluation
- Assessment Reporting
- Conclusion
Assessment Planning: Determining Scope and Boundaries
- What authority do you have? How far can you go?
- CyberCom and DISA coordination needed
- External and/or internal network assessment
- Obtaining leadership insight
Assessment Planning: Data Gathering
- What is the network architecture? Internal, DMZ, public-facing IP
- Is there an IDS and IPS? Is HBSS installed?
- Policies, processes, and procedures for:
  - Network-level security: firewalls, routers, IDS, IPS, STIGs
  - Server and application security: firewalls, proxies, STIGs
- What are the event handling and incident response policies and processes: notification, triage, containment
DoD HBSS Client Components
- Asset Configuration Compliance Module (ACCM): gathers detailed asset inventory on all hosts and provides near-real-time situational awareness of asset inventory
- Antivirus/Antispyware (AV/AS): protects assets from spam and malware (e.g. viruses, trojan horses, worms, bots, and rootkits) by filtering e-mail; identifies unsafe websites during searches
DoD HBSS Client Components
- McAfee Agent (MA): provides local management of all HBSS products collocated on the host
  - Runs silently in the background to gather information and events from managed systems
  - Sends collected data to the ePO server
  - Manages modules and software updates of other HBSS products on the host system
  - Enforces policies on the host machines
- Asset Baseline Monitor (ABM): generates snapshots of asset configurations to facilitate detection of changes made to authorized baselines
DoD HBSS Client Components
- Device Control Module (DCM): prevents unauthorized USB and flash media devices from being plugged into endpoint systems; allows restrictions and/or exceptions based on specific hardware IDs, vendor IDs and serial numbers
- Host Intrusion Prevention System (HIPS): enforces security policy; adds a robust layer of protection to the MA endpoint asset that includes known and unknown buffer overflow exploit protection, prevention of malicious code installation/execution, and identification of activities that deviate from DoD or organizational policy
- Firewall
DoD HBSS Client Components
- Rogue System Detection (RSD): agents actively monitor the network for DHCP requests and send this information to the RSD server; systems unknown to the server, or that haven't checked in within a defined period of time, are marked as "Rogue"
- Policy Auditor (PA): scans remote computers to determine compliance with defined policies; identifies host vulnerabilities on the network
Intrusion Detection
- Ability to detect actions that attempt to compromise the confidentiality, integrity or availability of a system
Common Types of Intrusion Detection: Network Based (Network IDS)
- Network-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic
- A network IDS, using a network tap, SPAN port, or hub, collects packets that traverse a given network
- The IDS processes the captured data and flags any suspicious traffic
- Does not actively block network traffic
- Is passive: only gathering, identifying, logging and alerting
- Example: Snort
Common Types of Intrusion Detection: Host Based (HIDS)
- Host-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device
- Usually has an agent installed that monitors and alerts on local OS and application activity
- The agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity
- IDS is passive: only gathering, identifying, logging, and alerting
- Examples of HIDS:
  - OSSEC (Open Source Host-based Intrusion Detection System)
  - Tripwire
  - AIDE (Advanced Intrusion Detection Environment)
  - Prelude Hybrid IDS
Intrusion Detection Techniques
- Misuse detection: catch intrusions in terms of the characteristics of known attacks or system vulnerabilities
- Anomaly detection: detect any action that significantly deviates from normal behavior
Misuse Detection
- Based on known attack actions
- Features are extracted from known intrusions
- Integrates human knowledge: the rules are pre-defined
- Disadvantage: cannot detect novel or unknown attacks
Anomaly Detection
- Based on the normal behavior of a subject
- Significant deviation from the normal behavior is considered an intrusion
Anomaly Detection: Disadvantages
- Based on audit data collected over a period of normal operation; when noise (intrusion) data is present in the training data, it will cause misclassification
- How to decide the features to be used: the features are usually decided by domain experts, and it may not be completely
Intrusion Prevention
- Intrusion prevention gathers and identifies data and behavior, with the added ability to block (prevent) unwarranted activity
- Performed at the network, host, and physical level
Assessment Execution: External IP
- Perform low and slow first
- NOC observation: have the internal team onsite with network monitoring (NOC) while performing low and slow
  - Is the IDS and IPS working?
  - Is staff handling the event, or is it a non-event?
Assessment Execution: External IP
- Perform intense/insane
- NOC observation: have the internal team onsite with network monitoring (NOC) while performing this phase
  - Is the IDS and IPS working?
  - Is staff handling the event, or is it a non-event?
Assessment Execution: Internal
- Perform low and slow
- Perform intense
- NOC observation: have the internal team onsite with network monitoring (NOC) while performing low and slow
  - Is the IDS and IPS working?
  - Is staff handling the event, or is it a non-event?
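Why the two execution phases are paired with the two detection techniques above: as an added illustration (not from the presentation), this toy detector runs a signature (misuse) check and a rate-based (anomaly) check over constructed connection records. The low-and-slow phase stays under the anomaly threshold and is only caught when a request matches a known signature; the intense phase is caught by the rate baseline alone. Source addresses, the baseline hour and the single signature are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed traffic records: (minute, src_ip, dst_port, request)
def build_events():
    events = []
    # Baseline: one internal host touching 1-3 ports per minute for an hour
    for minute in range(60):
        for port in (80, 443, 8080)[: 1 + minute % 3]:
            events.append((minute, "10.0.0.5", port, "GET /index.html"))
    # Phase 1, low and slow: one new port per minute; one request carries a known pattern
    for i in range(30):
        req = "GET /../../etc/passwd" if i == 10 else "GET /"
        events.append((60 + i, "198.51.100.7", 1000 + i, req))
    # Phase 2, intense: 200 ports in a single minute, plain requests only
    for port in range(1, 201):
        events.append((90, "198.51.100.8", port, "GET /"))
    return events

# Misuse detection: match each request against pre-defined known-attack signatures
SIGNATURES = {"dir-traversal": re.compile(r"\.\./\.\./")}

def misuse_detect(events):
    alerts = []
    for minute, src, _port, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((minute, src, name))
    return alerts

def ports_per_minute(events):
    seen = defaultdict(set)
    for minute, src, port, _request in events:
        seen[(minute, src)].add(port)
    return {key: len(ports) for key, ports in seen.items()}

# Anomaly detection: distinct ports per source per minute vs. mean + k*stdev of the baseline hour
def anomaly_detect(events, baseline_end=60, k=3.0):
    rates = ports_per_minute(events)
    baseline = [n for (minute, _), n in rates.items() if minute < baseline_end]
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    flagged = sorted((minute, src) for (minute, src), n in rates.items()
                     if minute >= baseline_end and n > threshold)
    return flagged, threshold
```

Running both detectors over build_events() shows the gap each phase is meant to expose: the slow scan produces no anomaly alert and only the signature hit at minute 70, while the intense scan produces an anomaly alert at minute 90 and no signature hit.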
Assessment Evaluation
- Review IDS and IPS logs for your activities
- Review HBSS events, logs, and alerts
- Assess responsiveness of staff to the activities you executed
- Compare actions taken to policies and procedures, and notification thresholds
Assessment Reporting
- Identify what is working well
- Identify what needs improvement
- Plan for revisit and continuous improvement
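One way to carry out the evaluation step mechanically, as an added example rather than the presenter's own tooling: correlate the assessment team's activity windows with Snort fast-format alert lines and NOC ticket times, then grade each phase against a notification threshold. The alert lines, activity windows, ticket times and the 15-minute threshold are constructed placeholders for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed Snort "fast" alert lines captured during the assessment window
SNORT_FAST = """\
03/12-09:05:12.123456  [**] [1:1000001:1] ASSESS portscan [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 10.0.0.20:1010
03/12-10:31:02.000001  [**] [1:1000002:1] ASSESS traversal attempt [**] [Priority: 1] {TCP} 198.51.100.8:5000 -> 10.0.0.20:80
"""
FAST_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]"
                     r"\s+(.*?)\s+\[\*\*\].*?\{\w+\}\s+([\d.]+):\d+\s+->")
YEAR = 2024  # fast format carries no year; assumed for the example

# Assessment team's own activity log: (phase, start, end, source ip); constructed
ACTIVITY = [
    ("external low and slow", "03/12 08:00", "03/12 10:00", "198.51.100.7"),
    ("external intense", "03/12 10:30", "03/12 10:45", "198.51.100.8"),
    ("internal low and slow", "03/12 13:00", "03/12 15:00", "10.0.0.44"),
]
# NOC tickets opened during the assessment: source ip -> time opened; constructed
TICKETS = {"198.51.100.8": "03/12 10:40"}
NOTIFY_THRESHOLD = timedelta(minutes=15)  # assumed policy: first alert to notification

def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR}/{m.group(1)}/{m.group(2)} {m.group(3)}", "%Y/%m/%d %H:%M:%S")
            alerts.append({"time": ts, "sid": int(m.group(4)), "msg": m.group(5), "src": m.group(6)})
    return alerts

def evaluate(activity, alerts, tickets, threshold):
    def ts(s):
        return datetime.strptime(f"{YEAR}/{s}", "%Y/%m/%d %H:%M")
    report = {}
    for phase, start, end, src in activity:
        # Alerts from the team's source address inside the phase window count as detection
        hits = [a for a in alerts if a["src"] == src and ts(start) <= a["time"] <= ts(end)]
        if not hits:
            report[phase] = "missed"
            continue
        first_alert = min(a["time"] for a in hits)
        if src not in tickets:
            report[phase] = "detected, no ticket"
        else:
            delay = ts(tickets[src]) - first_alert
            report[phase] = "handled in time" if delay <= threshold else "handled late"
    return report
```

The report separates sensor gaps ("missed") from staff-handling gaps ("detected, no ticket" or "handled late"), which is the distinction the evaluation and reporting slides ask for.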
Conclusion
- Risk-based assessments vs. "gotcha you"
Questions