Breakout Session 4: Host-Based Intrusion Detection Host-Based Intrusion Prevention and Detection Combined Notes and Summary Session facilitators: RuthAnne Bevier, Walter Dykas, Lynda McGinley The breakout session discussions supported the workshop goals by topical discussions around the focus areas: 1. Host-Based Intrusion Detection and Response Tools and techniques describing a reactive posture and post-event ability to detect and respond to attempted or successful intrusions. The events are primarily ill-intentioned, but could include approved, but possibly unannounced penetration testing. Communication and protocol was often cited as a deficiency during a multi-site or multi-system intrusion event. 2. Host-Based Intrusion Prevention and Testing Tools and techniques to supporting a preventative posture and pre-event actions. In some cases these, tools and techniques could be used during an event to prevent additional intrusion or system compromise. For each focus area, common areas included: 1. Technical tools and processes, practices These are presented as things needed to support either a reactive or defensive posture. The technical tools, supporting processes, and practices needed for network and system security described here are “host-based” using or managing system-level information as opposed to network-specific information such as from networkintrusion detection systems and concerned with multiple hosts and network layer data anomalies. The use of technical tools assumes the ability to acquire relevant skills and training for the tools of choice in order the tools can be used to fullest potential. 2. Non-technical policies, processes, and training: This focus area is primarily people related, a “soft security” area. Policies and documented processes ensure consistency and effective implementation of preventative and reactive measures. Inter/Intra-site communication would generally fall in this area and was cited frequently in the workshop as a shortfall in intrusion response. From the host-based sessions discussions, security practices should target and be organized around the following kinds of people: 1. System administrators, normally technical and support functions The general concern was system administrators need greater support in implementing tools, policy, and training to ensure the users they are supporting are cognizant of and supportive of security controls and consequent limitations. Staff with technical security responsibilities need additional training and access to current information on technical tools and techniques. There is high concern with the lack of ability to protect all systems and infrastructure with an inability to rapidly assess and resolve new vulnerabilities across a large number of systems diverse in configuration, technology, and geographic location. 2. General users, such as administrative, research, and collaborators This group may be the first line of defense to intrusions, but are typically the least trained and supportive to security-related practices. Security is perceived as an impediment to research where research (intuitively open access and collaborative) is considered contradictory to security (intuitively closed and isolated). Striking an educated balance between the two extremes will ensure research is accomplished at the same time the infrastructure on which the research depends is protected. 3. Management, or those that make and enforce security policy In many cases, the success a site or facility security posture is due to the proactive management support. The lack of support for user requirements and specific user actions vis-à-vis an approved acceptable use policy (AUP), is a precursor to a security failure. Security events are typically the exploitation of known and patchable vulnerabilities that could be prevented. The following are loosely (re)organized notes of the host-based intrusion prevention/detection breakout sessions. Many sessions participants had a technical background with the majority having computer or network technical support as their primary job function as opposed to primarily management. A minority of participants had a security (system, network, computer, etc.) role as a primary job function (either as management or as technical support). Because of their expertise, interest, or through their technical support role had either assumed or been assigned a security responsibility in addition to other responsibilities. The following are primarily technical tools, processes, and practices that are used or have been reviewed by the session participants for the purpose of preventing, testing, detecting, or responding to host-based intrusions. Many of the tools are either Unix-like (e.g., operating systems like Unix, Linux, AIX, HP-UX, etc.) or Windows (e.g., Microsoft operating systems like WinXP, Win2000, etc.). There are examples of tools or techniques that exist in both operating system domains. Summary of Host-Based Tools, Techniques, and Practices Tools Automation Alarm Reduction Intrusion Signatures General Specifics Unix-like Tools for Intrusion Prevention and Testing Unix-like Tools and Practices for Intrusion Detection and Response Using a centralized syslog server requires configuring client to generate appropriate data should monitor both activity (e.g., login) successes and failures for openSSL, configuring syslog below debug level won't give enough helpful info a primary challenge is to develop automated analyses to prioritize alerts consider setting all machines to log at *debug, but for large numbers of systems be prepared to manage and monitor the significant amount of logs. Tripwire is a change-auditing solution that increases control of IT operations for servers and network devices http:// ww.tripwire.com/ tripwire management console monit a tool for monitoring changes to binaries http://osx.freshmeat.net/projects/monit/ logtool command-line program that will parse ASCII logfiles into a more palatable format http://xjack.org/logtool/ chrootkit Utility to check for root kits, updated on irregular basis for new rootkit signatures rkhunter useful tool to check for trojans, rootkits, and other security problem http://freshmeat.net/projects/rkhunter/ isatable (proxy server) Mandrake Linux specific tool Swatch — generic security log monitoring tool set [reference] /sec — security expert correlate logs — written in lisp reference site: log analysis.org Practices for Unix-like systems frequently performing 'tail' on logs include router logs in system log analysis develop intrusion signatures with automated scripts or log correlation stateful firewall such as iptables that can be configured to deny, allow, and log similar to Windows OS based host firewalls Windows-like Tools for Intrusion Detection and Response Windows personal firewalls can log (e.g., ZoneAlarm) as well as block inbound or outbound suspicious activity XP firewall (mostly for SP2) can log much information, but much is meaningless; additional tools or training is needed to make good use of the tool psloglist PsLogList retrieves message strings from a computer that is monitored. psloglist and other Windows OS tools are available at http://www.sysinternals.com/sysinternals also available: filemon, regmon, ttymon for monitoring changes to files, registry, and tty connections Microsoft port reporter A Microsoft tool inserted as a logging service for Windows that logs TCP/IP port usage http://www.microsoft.com/downloads/ snare A system-level agent for Windows OS systems that can collects, filters and forwards windows event logs to a Snare server or to any remote syslog host http://www.intersectalliance.com/projects/SnareWindows/ ePolicy Orchestrator (McAfee VirusScan) A tool that provides detection and prevention capability against malicious code for Windows OS. The ePolicy Orchestrator provides a centralized management solution that manages and aggregates attack data from each system. The product is primarily for Windows OS, but other OS solutions are available (e.g., Macintosh, Linux, Solaris) TrendMicro anti-virus at the gateway and on individual systems A tool that provides similar capability as many standalone system-level malicious code prevention and detection solutions for Windows systems. Other operations systems are supported variously. Windows-like Tools for Intrusion Prevention and Testing ISS/scanner for vulnerability testing ISS/scanner is a network-based tool for assessing configuration or software defects. System-level tools and tools specific for databases and servers are available. ISS/scanner is an industry standard for vulnerability testing. Expensive for some sites to obtain and maintain. Microsoft Baseline Security Analyzer (Microsoft) General Tools and Practices for Most OS perl - the scripting Swiss knife for everything; for cross-platform portability shell commands and scripting: allow for greater solution portability just as does perl Patch management server and system agent tools available to maintain software updates. Some tools are pull from the system by the user; other tools are can be configured to allow centralized management and pushing patches to the local system as a means of implementing a site patching policy. Big Fix: an agent-based patch utility; more information at: http://www.bigfix.com/ Microsoft software management server Microsoft Windows Update RedHat Patch Server Authentication management tools pam module crack, john the ripper, and others for password checking DNS servers to monitor and watch for suspicious queries packetshaper tool to assist analysis of firewall and IDS log rainbow tables tables of pre-computed LM hashes for NT passwords (available on DVD); these are available to potential hackers, so you may have use them too lightning console is web-based console to assist managing and aggregation of a variety of logs including scanning and IDS process accounting process accounting is the method of recording and summarizing commands executed on Linux strace on Linux and other OS strace is a standard system call trace, i.e., a debugging tool which prints out a trace of all the system calls made by a another process/program; also partially available for Windows OS; use and reporting be automated to provide some detection features like Windows malicious code detection. lsof lsof is an open-source, host-level intrusion-detection tool that helps determine what processes have certain files open; as might rootkits or other trojans; use and reporting be automated to provide some detection features like Windows malicious code detection. General Practices and Processes — How to Use and Configure and Tune the Tools know your site to be able to find information about people and systems quickly localize your tools so they are accessible from anywhere for use or updating Site dependencies need to be considered when evaluating tools, resources, and policies, including local versus centralized system administration, operating system experience, technical expertise of users, and technical staff. If centralized system management is possible, consider push out scripts looking for suspicious directories, filenames, or to update configurations and software. Additional logging practices and concepts log aggregation: multiple system report 10 most frequent and 10 least frequent look for network chat, port scanning, address scanning, odd cross network/organization activity; sysadmin activity where there is no local sysadmin, centralized logging provides broader monitoring coverage user interaction: multiple system reports, trending site dependent: multiple system reports moving data somewhere you can analyze it and where the data could be protected from malicious changes consider network IDS, look at end point before and after encryption snort looking at its own traffic. network IDS — mrtg/rrd tools consider logging system alarms to check for logging system failures such as dropped logs, locked system the site or institution should set a standard for log retention, possibly would need to include the instantiation legal organization system time synchronization is critical for post even analysis; an institution’s infrastructure systems should synchronized together and to external time standard Special Concepts and Practices burglar alarms kernel hacking for honeypot tools log all (bash) shell changes consider modifying system level code such as bash and sshd to monitor for suspicious activity and provide more information to the syslog create bastion hosts or login gateways to provide another layer of defense and management for monitoring and patch management. honey tokens should not be used in any normal operation and would trigger an alert to system operator or security monitoring devices References Abe Singer book on managing syslogs (should be released soon) Sysinternals site for security freeware http://www.sysinternals.com/ Dykas notes McGinley notes Virginia notes