Network Security Monitoring COEN 250 Indicators and Warnings

Slides: 60

Indicators and Warnings
- Indicator
  - "an item of information which reflects the intention or capability of a potential enemy to adopt or reject a course of action"*
- Indications and Warnings
  - "the strategic monitoring of world military, economic, and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests"**

* DoD Dictionary of Military Terms
** U.S. Army Intelligence, Document on Indicators in Operations Other Than War

Indicators and Warnings
- Indicators generated by an Intrusion Detection System (IDS) are alerts
  - Examples:
    - A web server initiates an outbound FTP connection to a site in Russia
    - A spike in ICMP messages
- Warnings
  - The result of an analyst's interpretation of an indicator
  - Escalation of a warning:
    - Conclusion that the warning warrants further analysis
    - Conclusion that the warning is indeed an incident
      - Triggers incident response

Intrusion Detection Systems
- Intrusion detection
  - The process of monitoring events occurring in a computer system or network
  - Analyzing them for signs of possible incidents
- Incident
  - A violation or imminent threat of violation of
    - computer security policies
    - acceptable use policies
    - standard security practices
  - Arises from
    - Malware
    - Attacks
    - Honest errors

Intrusion Detection Systems
- Intrusion Detection System (IDS)
  - Software that automates the detection process
- Intrusion Prevention System (IPS)
  - Additionally has the capability to stop some possible incidents
- IDPS is used below as the collective term for both

Intrusion Detection Systems
- Key functions of IDS technology
  - Recording information related to observed events
  - Notifying security administrators of important observed events
  - Producing reports
- IDPS technology can be augmented by human analysis

Intrusion Detection Systems
- Key functions of IPS technology
  - The IPS stops the attack itself
    - Terminate the network connection
    - Terminate the user session
    - Block access to the target from the offending user account or IP address
    - Block all access to the target
  - The IPS changes the security environment
    - Changes the configuration of other security controls to disrupt the attack
      - Reconfiguring a network device
      - Altering a host-based firewall
      - Applying patches to a host it detects is vulnerable

Intrusion Detection Systems
- Key functions of IPS technology
  - The IPS changes the attack's contents
    - Removes or replaces malicious portions of an attack
      - E.g. removes an infected file attachment from an e-mail, but allows the e-mail without the attachment to reach its destination
    - The IPS acts as a proxy and normalizes incoming requests

Intrusion Detection Systems
- Current IDPS technology has false positives and false negatives
- Attackers use evasion techniques
  - E.g. escaping: encoding the attack (URL escapes, alternate character encodings) so that it no longer matches a signature while the target still interprets it the same way

Intrusion Detection Systems: Common Detection Methodologies
- Signature-based detection
  - A signature is a pattern corresponding to a known threat
  - Examples
    - Telnet attempt with user name "root"
    - E-mail with "You received a picture from a *" (wildcard)
    - OS log entry indicating that the host's auditing has been disabled

Intrusion Detection Systems: Common Detection Methodologies
- Signature-based detection
  - Very effective against known threats
  - Basically ineffective against unknown threats
  - Subject to evasion by polymorphic attacks
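The following is an added example (not part of the lecture slides) showing signature-based detection in the sense of the two slides above: a rule list modelled on the slides' three examples plus a directory-traversal rule, run over constructed sample events. It also shows the escaping evasion from the previous slide: the same traversal payload is missed when matched raw and caught when the event is normalized (URL-decoded) first. Signature ids, rule patterns and event lines are all hypothetical.

```python
"""Signature matching over constructed sample events, with and without
normalization (decoding escapes) before matching.  Added example."""
from __future__ import annotations

import re
import urllib.parse
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int            # rule id (hypothetical numbering)
    name: str
    pattern: re.Pattern


# Hypothetical signatures modelled on the slide's examples; not real vendor rules.
SIGNATURES = [
    Signature(1001, "telnet login as root",
              re.compile(r"telnet.*\blogin:\s*root\b", re.IGNORECASE)),
    Signature(1002, "suspicious picture e-mail",
              re.compile(r"You received a picture from a ", re.IGNORECASE)),
    Signature(1003, "host auditing disabled",
              re.compile(r"\bauditing (has been |was )?disabled\b", re.IGNORECASE)),
    Signature(1004, "directory traversal in URL",
              re.compile(r"\.\./")),
]

# Constructed sample events (log lines / request lines), not real captures.
EVENTS = [
    "telnet 10.0.0.5 login: root",
    "smtp subject=You received a picture from a friend",
    "auditd: system auditing has been disabled on host web01",
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/../../etc/passwd HTTP/1.0",               # plain traversal
    "GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.0",   # URL-escaped traversal
    "GET /cgi-bin/%252e%252e%252fetc/passwd HTTP/1.0",      # double-escaped traversal
]


def normalize(event: str) -> str:
    """Undo up to two rounds of URL percent-encoding so an escaped payload
    looks like what the target web server will eventually interpret."""
    text = event
    for _ in range(2):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def match_signatures(event: str, normalize_first: bool) -> list[int]:
    """Return the ids of all signatures matching one event."""
    text = normalize(event) if normalize_first else event
    return [sig.sid for sig in SIGNATURES if sig.pattern.search(text)]


def scan(events: list[str], normalize_first: bool) -> dict[str, list[int]]:
    """Map each event to its matching signature ids (events with no match omitted)."""
    hits: dict[str, list[int]] = {}
    for ev in events:
        sids = match_signatures(ev, normalize_first)
        if sids:
            hits[ev] = sids
    return hits


if __name__ == "__main__":
    for mode in (False, True):
        print(f"normalize_first={mode}")
        for ev, sids in scan(EVENTS, mode).items():
            print(f"  {sids} <- {ev}")
```

Without normalization the two escaped traversal requests produce no alert at all, which is exactly the "known threat, unknown encoding" gap the slide describes; the decoder closes that particular gap but a signature still only fires on what it was written for, so a differently encoded or otherwise polymorphic variant needs either another normalization step or a different detection method.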

Intrusion Detection Systems: Common Detection Methodologies
- Anomaly-based detection
  - Relies on comparing definitions of what is considered normal activity against observed events
  - Identifies significant deviations
- Anomaly-based IDPS use profiles
  - Representing the normal behavior of
    - Users
    - Hosts
    - Network connections
    - Applications
  - Developed by observing the behavior of these actors and activities over time

Intrusion Detection Systems: Common Detection Methodologies
- Anomaly-based detection, profile examples:
  - Amount of e-mail a user sends
  - Bandwidth of web activities
  - Number of failed login attempts for a host
  - Level of processor utilization for a host

Intrusion Detection Systems: Common Detection Methodologies
- Anomaly-based detection
  - Can be effective at detecting unknown threats
  - Depends on the accuracy of the profiles
    - Inadvertent inclusion of malicious activity in a profile
    - Dynamic profiles can be subverted by an attacker who increases activity slowly
    - Static profiles generate false positives as usage patterns change over time
  - Subject to stealth attacks
  - Makes it difficult for a human analyst to find the reason for an alert
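An added example (not from the slides) of the profile mechanism described in the last three slides, using the "failed login attempts for a host" metric. A profile is a mean and variance learned from a training window; an observation alerts when its z-score exceeds a threshold. The static variant never changes after training; the dynamic variant keeps folding observations into the profile. Running both against a constructed burst and a constructed slow ramp reproduces the two failure modes from the slide: the dynamic profile absorbs the burst and stops alerting on it, and it never alerts on the slow ramp at all. The training data, the attack sequences, the smoothing factor and the threshold are all constructed for the example.

```python
"""Anomaly detection against a per-host profile (failed logins per hour),
comparing a static profile with a dynamic one that keeps learning.  Added example."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass
class Profile:
    mean: float
    var: float
    dynamic: bool           # static profiles never change after training
    alpha: float = 0.2      # weight of the newest observation (dynamic only); chosen for the example
    threshold: float = 3.5  # alert when |z-score| exceeds this; chosen for the example

    def zscore(self, x: float) -> float:
        sd = math.sqrt(self.var) if self.var > 0 else 1.0
        return (x - self.mean) / sd

    def observe(self, x: float) -> bool:
        """Return True if x is anomalous relative to the profile, then (if the
        profile is dynamic) fold x into the profile regardless of the verdict.
        Folding everything in is what lets malicious activity become 'normal'."""
        anomalous = abs(self.zscore(x)) > self.threshold
        if self.dynamic:
            diff = x - self.mean
            # exponentially weighted update of variance (with the old mean) and mean
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
            self.mean = (1 - self.alpha) * self.mean + self.alpha * x
        return anomalous


def build_profile(training: list[float], dynamic: bool) -> Profile:
    """Population mean/variance of the training window."""
    n = len(training)
    mean = sum(training) / n
    var = sum((x - mean) ** 2 for x in training) / n
    return Profile(mean, var, dynamic)


def run(profile: Profile, observations: list[float]) -> list[int]:
    """Indices of the observations that raised an alert."""
    return [i for i, x in enumerate(observations) if profile.observe(x)]


# Constructed training data: failed logins per hour on one host during a quiet period.
BASELINE = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2]   # mean 2.3, standard deviation 0.9
SUDDEN = [2, 40, 38]                         # constructed brute-force burst
SLOW_RAMP = list(range(3, 13))               # 3, 4, ..., 12: one more attempt each hour


def compare() -> dict[str, list[int]]:
    """Alert indices for each profile type against each attack sequence."""
    return {
        "static/sudden": run(build_profile(BASELINE, dynamic=False), SUDDEN),
        "dynamic/sudden": run(build_profile(BASELINE, dynamic=True), SUDDEN),
        "static/ramp": run(build_profile(BASELINE, dynamic=False), SLOW_RAMP),
        "dynamic/ramp": run(build_profile(BASELINE, dynamic=True), SLOW_RAMP),
    }


if __name__ == "__main__":
    for name, alerts in compare().items():
        print(f"{name:15s} alerts at indices {alerts}")
```

The static profile alerts on the burst twice and on the ramp from the fourth hour on; the dynamic profile alerts once on the burst and then treats the second 38-attempt hour as normal, and it never alerts on the ramp because each step stays within the (growing) spread it has just learned. Read the ramp the other way round and the static profile's alerts are the false positives the slide warns about when legitimate usage grows.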

Intrusion Detection Systems: Common Detection Methodologies
- Stateful protocol analysis
  - Sometimes known as "deep packet inspection"
  - Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
  - "Stateful" refers to the IDPS's capability to understand and track the state of network, transport and application protocols

Intrusion Detection Systems: Common Detection Methodologies
- Stateful protocol analysis
  - Can identify unexpected sequences of commands
  - Allows tracking of the authenticator for each session
    - Helpful for human analysis of suspicious activity
  - Typically includes reasonableness checks for individual commands
    - E.g. minimum and maximum length of arguments

Intrusion Detection Systems: Common Detection Methodologies
- Stateful protocol analysis
  - Uses protocol models based on standards
    - But most standards are underspecified
    - Many implementations are not completely compliant
  - Very resource intensive
  - Cannot detect attacks that do not violate a protocol
  - Detects protocol bending attacks
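An added example (not from the slides) of the analysis described in the three stateful-protocol slides: a per-session state machine for a deliberately simplified FTP login sequence (USER, then PASS, then file commands), a reasonableness limit on argument length per command, and tracking of the session's authenticator for the analyst. The model, the state names and the length limits are constructed for the example and are not taken from RFC 959; the last constructed session shows the slide's caveat that an attack which stays inside the protocol is not flagged.

```python
"""Stateful protocol analysis of a simplified FTP control channel:
a per-session state machine for the login sequence plus reasonableness
checks on command argument lengths.  Added example."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Hypothetical, simplified model of the FTP login sequence.
# Commands the model accepts in each session state:
ALLOWED = {
    "start":     {"USER", "QUIT"},
    "need_pass": {"PASS", "QUIT"},
    "logged_in": {"CWD", "RETR", "STOR", "QUIT"},
    "closed":    set(),
}
# State transitions; commands not listed keep the current state.
NEXT = {
    ("start", "USER"):     "need_pass",
    ("need_pass", "PASS"): "logged_in",
}
# Reasonableness limits on argument length (chosen for the example, not from the RFC).
MAX_ARG = {"USER": 32, "PASS": 64, "CWD": 255, "RETR": 255, "STOR": 255, "QUIT": 0}


@dataclass
class Session:
    state: str = "start"
    user: Optional[str] = None           # authenticator tracked for the analyst
    findings: list[str] = field(default_factory=list)


def analyze(client_commands: list[str]) -> Session:
    """Replay one session's client command lines through the protocol model."""
    s = Session()
    for raw in client_commands:
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        if verb not in MAX_ARG:
            s.findings.append(f"unknown command {verb!r} in state {s.state}")
            continue
        if len(arg) > MAX_ARG[verb]:
            s.findings.append(f"{verb} argument of {len(arg)} bytes exceeds {MAX_ARG[verb]}")
        if verb not in ALLOWED[s.state]:
            s.findings.append(f"{verb} not expected in state {s.state}")
            continue                      # a violation does not advance the model
        if verb == "USER":
            s.user = arg
        s.state = "closed" if verb == "QUIT" else NEXT.get((s.state, verb), s.state)
    return s


# Constructed sessions (client side only), not real captures.
NORMAL = ["USER alice", "PASS s3cret", "CWD /pub", "RETR report.pdf", "QUIT"]
PRE_AUTH_RETR = ["RETR /etc/passwd"]                 # file command before login
PASS_FIRST = ["PASS x", "USER bob"]                  # commands out of order
OVERLONG_USER = ["USER " + "A" * 300, "PASS x"]      # argument far beyond the limit
IN_SPEC_ABUSE = ["USER alice", "PASS s3cret", "RETR ../../etc/shadow"]  # valid protocol, bad intent

if __name__ == "__main__":
    for name, cmds in [("normal", NORMAL), ("pre-auth RETR", PRE_AUTH_RETR),
                       ("PASS first", PASS_FIRST), ("overlong USER", OVERLONG_USER),
                       ("in-spec abuse", IN_SPEC_ABUSE)]:
        s = analyze(cmds)
        print(f"{name:14s} state={s.state:10s} user={s.user!r:10} findings={s.findings}")
```

The first three attack sessions are caught by sequence or length checks alone, with no signature for any particular exploit, which is the strength the slides claim. The last session is a perfectly formed login followed by a perfectly formed RETR and produces no finding: the traversal in the argument is a policy or application problem, not a protocol violation, so it needs a signature or an anomaly rule instead. Real protocol models also have to tolerate the under-specification and non-compliance the slide mentions, for example lower-case verbs or extra whitespace, which is why `analyze` upper-cases the verb and strips the line before matching.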

Intrusion Detection Systems
- Network-based IDPS
- Wireless IDPS
- Network Behavior Analysis (NBA)
- Host-based IDPS

Intrusion Detection Systems Components
- Sensors / Monitors
  - Used for network activity monitoring
- Agents
  - Used for host-based IDPS
- Management server
  - Centralized component that receives data from agents and monitors
  - Performs correlation: matching event information from different monitors
- Database server
  - Repository for previously recorded event information
- Console
  - Interface for the IDPS

Network Monitors
- Deployment
  - Depends on the monitoring zones
    - Perimeter: from the external firewall through the boundary router to the Internet
    - DMZ
    - Wireless
    - Intranet(s)

Network Monitors
- Data collection tools
  - Hubs
  - SPAN (Switched Port Analyzer) ports
  - TAPs (Test Access Ports)
  - Inline devices

Network Monitors
- Sensor management
  - Console access
    - Hard to manage
  - In-band remote access
    - Potential for loss of data confidentiality
    - Not functioning during a successful DoS attack
  - Virtual LAN
    - Potential for loss of data confidentiality
    - Not functioning during a successful DoS attack
  - Out-of-band remote access
    - E.g. modem

Intrusion Detection Systems: Networks
- Security capabilities
  - Information gathering
    - OS identification of hosts
    - General characteristics of networks
  - Logging
    - To confirm alerts
    - To investigate incidents
    - To correlate events with other sources
    - Logs need to be protected against an attacker
    - Logging needs to deal with clock drift between sensors and other sources

Intrusion Detection Systems: Networks
- Security capabilities
  - Detection capabilities
    - Typically require tuning and customization
      - Thresholds
      - Blacklists and whitelists
      - Alert settings
      - IDPS code viewing and editing
  - Prevention capabilities
    - Vary with technology / field

Intrusion Detection Systems Management
- Implementation
  - Architecture design
    - Placement of sensors
    - Reliability of sensors
    - Location of other components
    - System interfaces
      - Systems to which the IDPS provides data
      - Systems which the IDPS reconfigures for prevention
      - Systems that manage IDPS components
        - Patch management software
        - Network management software

Intrusion Detection Systems Management
- Implementation
  - Component testing and deployment
    - Consider deployment in a test environment first
      - E.g. to prevent a surge of false positives
    - IDPS deployment usually interrupts networks or systems for component installation
    - Configuration is typically a major effort

Intrusion Detection Systems Management
- Implementation
  - Securing IDPS components
    - IDPS are often targeted by attackers
      - Because of their effect on security
      - Because of the sensitive data collected by the IDPS
    - System hardening
      - Usual means
      - Separate accounts for each IDPS user and administrator
      - Configure firewalls, routers, etc. to limit direct access to IDPS components
      - Protect IDPS management communication
        - Physically
        - Logically
        - Encryption
        - Strong authentication

Intrusion Detection Systems Management
- Operations and maintenance
  - Typically GUI, but sometimes command lines
  - Typical capabilities
    - Drill down
    - Reporting functions
    - Database open to scripted searches
  - Need for ongoing solution maintenance
    - Monitor IDPS components for operational and security issues
    - Periodic tests of proper functioning
    - Regular vulnerability assessments
    - Receipt of notifications of security problems from the vendor
    - Receipt of notifications for updates

Intrusion Detection Systems Management
- Operations and maintenance
  - Acquiring and applying updates
    - Of signature files
    - Of IDPS software components

Intrusion Detection Systems Management
- Building and maintaining personnel skills
  - Basic security training
  - Vendor training
  - Product documentation
  - Technical support
  - Professional services (consulting by vendors)
  - User communities

Network Based IDPS
- Typical components
  - Appliance
    - Specialized hardware and sensor software / firmware
  - Software-only
    - Sensor software installed on a general-purpose host

Network Based IDPS: Architecture and Sensor Locations
- Inline
  - All traffic monitored must pass through it
  - Typically placed where firewalls etc. would be placed
  - Either as a hybrid device (firewall and IDPS in one)
  - Or placed on the more secure side of the firewall, so it only has to process traffic the firewall let through

Network Based IDPS: Architecture and Sensor Locations
- Passive
  - Monitors a copy of the actual network traffic
    - Spanning port
    - Network tap
    - IDS load balancer
      - Receives copies of traffic from several spanning ports or taps
      - Aggregates traffic from different networks
      - Distributes copies to one or more listening devices
  - Typically not capable of prevention

Network Based IDPS
- Typical detection capabilities
  - Application layer reconnaissance and attacks
    - Typically analyze several dozen application protocols
    - Detect
      - Banner grabbing
      - Buffer overflows
      - Format string attacks
      - Password guessing
      - Malware transmission

Network Based IDPS
- Typical detection capabilities
  - Transport layer reconnaissance and attacks
    - Detects
      - Port scanning
      - Unusual packet fragmentation
      - SYN floods
  - Network layer reconnaissance and attacks
    - Detects
      - Spoofed IP addresses
      - Illegal IP header values

Network Based IDPS
- Typical detection capabilities
  - Unexpected application services
    - Detects
      - Tunneled protocols
      - Backdoors
      - Hosts running unauthorized application services
    - Uses
      - Stateful protocol analysis
      - Anomaly detection
  - Policy violations
    - Detects
      - Use of inappropriate Web sites
      - Use of forbidden application protocols

Network Based IDPS
- Detection accuracy
  - High degree of false positives and false negatives
    - Difficulty based on
      - Complexity of the activities monitored
      - Different interpretations of the meaning of traffic between the IDPS sensor and the client / server
  - Cannot deal with encrypted network traffic
    - VPN, HTTP over SSL, SSH
  - Have limited capacity
    - Number of connections
    - Depth of analysis
    - Longevity of connections

Network Based IDPS
- Attacks on network-based IDPS
  - DDoS attacks generate unusually large volumes of traffic
  - Generating lots of anomalous traffic to exhaust IDPS resources
  - Blinding
    - Generates many IDPS alerts
    - The real attack is separate, but concurrent

Network Based IDPS
- Prevention capabilities
  - Passive sensors only
    - Ending the current TCP session
      - Session sniping: sending resets to both partners
  - Inline only
    - Perform inline firewalling
    - Throttle bandwidth usage
    - Alter malicious content
  - Both passive and inline
    - Reconfigure other network security devices
    - Run a third-party program or script

Wireless IDPS
- Wireless attacks typically require proximity to access points or stations
  - Typically, the attacker needs access to the radio link between stations and access points
- Many WLANs are configured with no or weak authentication

Wireless IDPS
- Components
  - Same as for network-based IDPS
    - Consoles
    - Database servers
    - Management servers
    - Sensors
      - These function differently than for wired IDPS
        - Need to monitor two bands (2.4 GHz and 5 GHz)
        - Each band is divided into channels
        - A sensor monitors only a single channel at a time
        - Channel scanning: monitor a channel for a few seconds at most, then switch

Wireless IDPS
- Wireless sensors
  - Dedicated sensors
    - Typically completely passive
    - Fixed or mobile
  - Bundled with an access point
  - Bundled with a wireless switch
  - Host-based IDPS sensor installed on a station

Wireless IDPS
- Sensor locations
  - Physical security
    - Sensors are often deployed in open locations because of the greater range there than in closed locations
  - Sensor range
  - Cost
  - AP and wireless switch locations
    - Consider bundling or collocation

Wireless IDPS
- Security capabilities
  - Information gathering
    - Identifying WLAN devices
      - Typically based on SSIDs and MAC addresses
    - Identifying WLANs
      - Keep track of observed WLANs identified by SSID
  - Logging capability

Wireless IDPS
- Security capabilities
  - Detection capability, events detected:
    - Unauthorized WLANs and WLAN devices
    - Poorly secured WLAN devices
      - E.g. a station is using WEP instead of WPA2
    - Unusual usage patterns
    - The use of (active) wireless network scanners
    - Denial of service (DoS) attacks and conditions
    - Impersonation and man-in-the-middle attacks

Wireless IDPS
- Detection accuracy
  - Usually quite high due to the limited scope
- Tuning and customization
  - Specify authorized WLANs, access points, stations
  - Set thresholds for anomaly detection
  - Some use blacklists and whitelists

Wireless IDPS
- Wireless IDPS cannot detect:
  - An attacker passively monitoring traffic
  - Attackers using evasion techniques
    - The attacker can identify the IDPS product
      - Physical survey
      - Fingerprinting by its prevention actions
    - The attacker takes advantage of the product's channel scanning scheme
      - Short bursts of attack packets on channels not currently monitored
      - Attacks on two channels at the same time

Wireless IDPS
- Attacks on wireless IDPS
  - Same DDoS techniques
  - Physical attacks
    - Jamming

Wireless IDPS
- Prevention capabilities
  - Wireless prevention
    - Terminate connections between rogue or misconfigured stations and rogue or misconfigured access points
      - Send messages to the endpoints telling them to disassociate
  - Wired prevention
    - Block network activity involving a particular station or access point

Network Behavior Analysis (NBA)
- Examines
  - Network traffic, or
  - Statistics on network traffic
- Identifies unusual traffic flows

Host Based IDPS
- Monitors a single host and the events occurring within that host
  - Wired network traffic
  - Wireless network traffic
  - System logs
  - Running processes
  - File access and modification
  - System and application configuration changes

Host Based IDPS
- Components and architectures
  - Agents (typically detection software)
    - Monitor activity on a single host
    - Transmit data to management servers
  - Agents can also be implemented as dedicated appliances
  - Monitors:
    - Servers
    - Clients
    - An application service (application-based IDPS)

Host Based IDPS
- Agent locations
  - Commonly deployed to critical hosts
  - But could be on a majority of systems, including laptops and desktops

Host Based IDPS
- Host architecture
  - Agents often alter the internal architecture of hosts
    - Done by a shim: a layer of code placed between existing layers of code
      - The shim intercepts data when it is passed between different layers
      - The shim analyzes the data and determines whether it is allowed or not

Host Based IDPS
- Security capabilities
  - Logging
  - Detection
    - Code analysis
      - Code behavior analysis in a sandbox
      - Buffer overflow detection through tell-tale sequences of instructions or memory accesses
      - System call monitoring
        - Keylogger
        - COM object loading
        - Driver loading
      - Application and library lists

Host Based IDPS
- Security capabilities
  - Detection
    - Network traffic analysis
      - Basically the same as a network or wireless IDPS would do
    - Network traffic filtering
      - The host-based IDPS contains a host-based firewall
    - File system monitoring
      - File integrity checking
      - File attribute checking
      - File access attempts
    - Log analysis of OS and application logs
    - Network configuration monitoring
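An added example (not from the slides) of the file integrity and file attribute checking named above: a baseline of content hashes and permission bits is taken for every regular file under a directory, and a later snapshot is compared against it to classify each path as added, removed, content-modified or changed in attributes only. The directory tree and the simulated tampering (an extra uid-0 account appended to a password file, a permission change, a deleted binary, a dropped file) are constructed inside a temporary directory so the example runs anywhere; none of it is real system data.

```python
"""Host-based file integrity and attribute checking: take a baseline of a
directory tree, simulate tampering, and report what changed.  Added example."""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, dict]:
    """Record a content hash plus the attributes a HIDS typically watches
    for every regular file under root (paths relative to root, POSIX style)."""
    baseline: dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
        }
    return baseline


def compare(old: dict[str, dict], new: dict[str, dict]) -> dict[str, list[str]]:
    """Classify each path as added, removed, content-modified, or attribute-only change."""
    changes: dict[str, list[str]] = {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": [],
        "attr_changed": [],
    }
    for name in sorted(old.keys() & new.keys()):
        if old[name]["sha256"] != new[name]["sha256"]:
            changes["modified"].append(name)       # content changed
        elif old[name]["mode"] != new[name]["mode"]:
            changes["attr_changed"].append(name)   # same bytes, permissions differ
    return changes


def demo() -> dict[str, list[str]]:
    """Build a constructed mini filesystem, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary")
        os.chmod(root / "bin" / "ls", 0o755)
        os.chmod(root / "etc" / "hosts", 0o644)
        baseline = snapshot(root)

        # Simulated attacker activity after the baseline was taken (constructed):
        with (root / "etc" / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")          # second uid-0 account
        os.chmod(root / "etc" / "hosts", 0o666)              # permissions loosened, content same
        (root / "bin" / "ls").unlink()                       # binary removed
        (root / "tmp").mkdir()
        (root / "tmp" / ".hidden").write_bytes(b"\x7fELF dropped tool")  # new file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Two points follow from the slides. The comparison only ever shows differences against the baseline, so a baseline taken after a compromise silently whitelists it, and an attacker with root on the host can rewrite a baseline stored locally; in line with the "securing IDPS components" slide the baseline belongs on the management server or in signed form. And the check runs periodically, so it reports a change some time after the fact, which is the "alert generation delay" listed among the host-based technology limits further on.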

Host Based IDPS
- Technology limits
  - Alert generation delays
  - Centralized reporting delays
  - Host resource usage
  - Conflicts with existing security controls
  - Rebooting hosts to update the IDPS

Host Based IDPS
- Prevention capabilities
  - Code analysis
  - Network traffic filtering
  - File system monitoring
- Other capabilities
  - Removable media restrictions
  - Audio-visual device monitoring
  - Automatic host hardening
  - Process status monitoring
  - Network traffic sanitization