Intrusion Detection Methods

“Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”

The Seven Fundamentals
1. What are the methods used
2. How are IDS organized
3. What is an intrusion
4. How do we trace and how do they hide
5. How do we correlate information
6. How can we trap intruders
7. Incident response

The Emergency Action Card
When a computer security incident occurs, and you are not prepared, follow these ten steps:

Emergency Step 1. Remain calm.
Even a fairly mild incident tends to raise everyone's stress level. Communication and coordination become difficult. Your calm can help others avoid making critical errors.
Source: http://www.sans.org/newlook/publications/incident_handling.htm

Emergency Step 2. Take good notes.
Make sure you answer the four Ws - Who, What, When, and Where - and, for extra credit, How and Why.

Emergency Step 3. Notify the right people and get help.
Begin by notifying your security coordinator and your manager, and ask that a coworker be assigned to help coordinate the incident handling process. Get a copy of the corporate phonebook and keep it with you. Ask your helper to keep careful notes on each person with whom he or she speaks and what was said. Make sure you do the same.

Emergency Step 4. Enforce a "need to know" policy.
Tell the details of the incident to the minimum number of people possible. Remind them, where appropriate, that they are trusted individuals and that your organization is counting on their discretion. Avoid speculation except when it is required to decide what to do. Too often the initial information in an incident is misinterpreted and the "working theory" has to be scrapped.

Emergency Step 5. Use out-of-band communications.
If the computers may have been compromised, avoid using them for incident handling discussions. Use telephones and faxes instead. Do not send information about the incident by electronic mail, talk, chat, or news; the information may be intercepted by the attacker and used to worsen the situation. When computers are being used, encrypt all incident handling e-mail.

Emergency Step 6. Contain the problem.
Take the necessary steps to keep the problem from getting worse. Usually that means removing the system from the network, though management may decide to keep the connections open in an effort to catch an intruder.

Emergency Step 7. Make a backup of the affected system(s) as soon as practicable.
Use new, unused media. If possible, make a binary, or bit-by-bit, backup.

Emergency Step 8. Get rid of the problem.
Identify what went wrong if you can. Take steps to correct the deficiencies that allowed the problem to occur.

Emergency Step 9. Get back in business.
After checking your backups to ensure they are not compromised, restore your system from backups and monitor the system closely to determine whether it can resume its tasks.

Emergency Step 10. Learn from this experience, so you won't get caught unprepared the next time an incident occurs.

Incident response
• The real-time decisions and actions of asset managers that are intended to minimize incident-related effects on their assets and to mitigate residual security risk, based on available evidence from the incident.
Incident Response factors
• Soft factors
– Management policies
– Organizational structure
– Administrative procedures
• Hard factors
– IDS
– Traps
– Trace back tools

Incident Response Process
[Diagram with the stages: ID Process, Incident Detected, Response Initiated, Interact with the System, Response Completed, System Restored]

Response
• Human-initiated response
• Automatically initiated response
• Coordinated human and automatic response

Factors influencing Response
• Passive factors
– What assets have been affected or damaged by the incident
– How did the incident occur
– How was it detected
– How trustworthy is the incident-related information

Factors influencing Response
• Active factors
– What would be the effect of altering the target system's functionality
– What would be the effect of initiating trace backs and traps
– What would be the effect of doing nothing
– How legal is the response

Robin Hood and Friar Tuck
!X id1
id1: Friar Tuck... I am under attack! Pray save me!
id1: Off (aborted)
id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!
id1: Thank you, my good fellow!
Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.
Source: http://www.tuxedo.org/~esr/jargon/

Examples
• RealSecure + Firewall-1
• Snort + iptables
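Emergency Steps 7 and 9 above call for a bit-by-bit backup of the affected system and for checking that backup before restoring from it. The script below is an added example of that procedure, not part of the slides or of the SANS material; it assumes GNU coreutils (dd, sha256sum), the source path is a placeholder for a block device, and the test input is a constructed file.

```shell
#!/bin/sh
# Added example: bit-for-bit image of an affected volume plus a hash record,
# so the evidence copy can be verified before anything is restored from it.
# SRC is normally a block device (e.g. /dev/sdX, placeholder); a regular
# file works the same way and is used by the self-test.

image_device() {
    src=$1   # device or file to image
    out=$2   # image file written to NEW, unused media
    # Sector-sized blocks so conv=sync only pads genuinely unreadable sectors;
    # noerror keeps dd reading past them instead of stopping the image.
    dd if="$src" of="$out" bs=512 conv=noerror,sync 2>/dev/null || return 1
    # Hash the original and the image; record both next to the image.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s  source\n%s  image\n' "$src_hash" "$img_hash" > "$out.sha256"
    # The evidence copy and its record are never written to again.
    chmod 0444 "$out" "$out.sha256"
    # A mismatch means unreadable sectors were padded; note it in the log.
    [ "$src_hash" = "$img_hash" ]
}

# Emergency Step 9: before restoring, confirm the image still matches the
# hash recorded when it was taken (detects a tampered or damaged backup).
verify_image() {
    out=$1
    recorded=$(awk '/image$/ {print $1}' "$out.sha256")
    current=$(sha256sum "$out" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}
```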