Intrusion Detection Methods

“Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”

The Seven Fundamentals
1. What are the methods used
2. How are IDS organized
3. What is an intrusion
4. How do we trace, and how do they hide
5. How do we correlate information
6. How can we trap intruders
7. Incident response

The Emergency Action Card
When a computer security incident occurs, and you are not prepared, follow these ten steps:

Emergency Step 1. Remain calm.
Even a fairly mild incident tends to raise everyone's stress level. Communication and coordination become difficult. Your calm can help others avoid making critical errors.
Source: http://www.sans.org/newlook/publications/incident_handling.htm

Emergency Step 2. Take good notes.
Make sure you answer the four Ws - Who, What, When, and Where - and, for extra credit, How and Why.

Emergency Step 3. Notify the right people and get help.
Begin by notifying your security coordinator and your manager and asking that a coworker be assigned to help coordinate the incident handling process. Get a copy of the corporate phonebook and keep it with you. Ask your helper to keep careful notes on each person with whom he or she speaks and what was said. Make sure you do the same.

Emergency Step 4. Enforce a "need to know" policy.
Tell the details of the incident to the minimum number of people possible. Remind them, where appropriate, that they are trusted individuals and that your organization is counting on their discretion. Avoid speculation except when it is required to decide what to do. Too often the initial information in an incident is misinterpreted and the "working theory" has to be scrapped.

Emergency Step 5. Use out-of-band communications.
If the computers may have been compromised, avoid using them for incident handling discussions. Use telephones and faxes instead. Do not send information about the incident by electronic mail, talk, chat, or news; the information may be intercepted by the attacker and used to worsen the situation. When computers are being used, encrypt all incident handling e-mail.

Emergency Step 6. Contain the problem.
Take the necessary steps to keep the problem from getting worse. Usually that means removing the system from the network, though management may decide to keep the connections open in an effort to catch an intruder.

Emergency Step 7. Make a backup of the affected system(s) as soon as practicable.
Use new, unused media. If possible, make a binary, or bit-by-bit, backup.

Emergency Step 8. Get rid of the problem.
Identify what went wrong if you can. Take steps to correct the deficiencies that allowed the problem to occur.

Emergency Step 9. Get back in business.
After checking your backups to ensure they are not compromised, restore your system from backups and monitor the system closely to determine whether it can resume its tasks.

Emergency Step 10. Learn from this experience, so you won't get caught unprepared the next time an incident occurs.
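As an added example (not part of the slide deck or the SANS card), a POSIX shell routine that carries out the bit-for-bit backup of Step 7, records the image hash in the incident notes of Step 2, and performs the integrity check a responder would run before restoring in Step 9. It assumes dd, sha256sum and mktemp are available; the "volume" it images is a constructed sample file standing in for a real block device, and /dev/sdb is named only as a hypothetical path.

```shell
#!/bin/sh
# Added example, not from the slides: bit-for-bit image of an affected volume
# (Emergency Step 7), hash recorded in the incident notes (Step 2), and a
# verification to run before trusting the image for restore (Step 9).
# Assumes dd, sha256sum and mktemp. The "volume" below is a constructed file;
# on a real host it would be a block device such as /dev/sdb (hypothetical)
# and the destination would be new, unused media.
set -u

# image_volume SRC DEST NOTES: copy SRC to DEST block by block, log both
# hashes with a UTC timestamp, and fail if the image differs from the source.
image_volume() {
    src=$1; dest=$2; notes=$3
    # conv=noerror,sync keeps reading past bad blocks and zero-pads them so
    # offsets in the image still match the source. bs must divide the source
    # size exactly or sync pads the final block; 512 divides any block device.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dest_sum=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s imaged src=%s dest=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dest" "$dest_sum" >>"$notes"
    [ "$src_sum" = "$dest_sum" ]
}

# verify_image DEST NOTES: recompute the image hash and compare it with the
# value recorded at imaging time; succeed only on an exact match.
verify_image() {
    dest=$1; notes=$2
    recorded=$(grep -F -- " dest=$dest " "$notes" | tail -n 1 | sed 's/.*sha256=//')
    [ -n "$recorded" ] && [ "$(sha256sum "$dest" | cut -d' ' -f1)" = "$recorded" ]
}

# demo: image a constructed 4 KiB volume (eight 512-byte blocks), verify it,
# then flip one byte in the image and confirm verification now fails.
demo() {
    work=$(mktemp -d)
    yes 'constructed sample block' | head -c 4096 >"$work/volume"
    image_volume "$work/volume" "$work/volume.img" "$work/notes.log" || return 1
    verify_image "$work/volume.img" "$work/notes.log" || return 1
    printf 'X' | dd of="$work/volume.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/volume.img" "$work/notes.log"; then return 1; fi
    rm -rf "$work"
    echo "image verified; tampered image correctly rejected"
}

demo
```

The notes file doubles as the chain-of-custody record: every image is logged with when it was taken, where it came from and its hash, and the same file is what the restore check reads.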

Incident response
• The real-time decisions and actions of asset managers that are intended to minimize incident-related effects on their assets and to mitigate residual security risk based on available evidence from the incident.

Incident Response factors
• Soft factors
  – Management policies
  – Organizational structure
  – Administrative procedures
• Hard factors
  – IDS
  – Traps
  – Trace-back tools

Incident Response Process

Response
• Human-initiated response
• Automatically initiated response
• Coordinated human and automatic response

Factors influencing Response
• Passive factors
  – What assets have been affected or damaged by the incident
  – How did the incident occur
  – How was it detected
  – How trustworthy is the incident-related information

Factors influencing Response
• Active factors
  – What would be the effect of altering the target system's functionality
  – What would be the effect of initiating trace-backs and traps
  – What would be the effect of doing nothing
  – How legal is the response

Robin Hood and Friar Tuck

!X id1

id1: Friar Tuck... I am under attack! Pray save me!
id1: Off (aborted)

id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!

id1: Thank you, my good fellow!

Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.
Source: http://www.tuxedo.org/~esr/jargon/

Examples
• RealSecure + Firewall-1
• Snort + iptables