1 1 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 Intrusion Detection The Big Picture – Part V Stephen Northcutt This page intentionally left blank. 2 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 2 Intrusion Detection Roadmap - 3 What are the pieces and how they play together • Vulnerability Scanners • Response, automated and manual – Manual Response • Emergency Action Plan, 7 Deadly Sins • Evidence preservation - Chain of Custody • Threat Briefing - Know Your Enemy – Ankle Biters – Journeyman Hackers/ Espionage – Cyberwar Scenario In the next section, we are going to talk about vulnerability scanners and assessment tools, which are one of the best ways to rapidly assess your security. They are hard to break down into functional classifications the way we did with firewalls, proxies, packet filtering, and statefully aware. Perhaps the most logical breakdown is commercial tools like ISS, NAI and the free, source-code tools, like nmap and Nessus. Another breakdown is system scanner tools that run as a program to inspect the operating system configuration, and network scanner tools that work across the network. There are also tools that scan telephone lines for active modems. For this course, we are focused on the network-based scanning tools and telephone scanners since they are the most applicable to intrusion detection. So, in this section we will cover the following topics: • What are they generally •Saint •Nessus • ISS Real Secure • Scanning for modems - Phone Sweep • Red Teaming • Scanner warning 3 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 3 Vulnerability Scanners What are they generally • Target, scanners must only scan systems you own • Scan, “test for services”, multiple ports on multiple machines – May have knowledge of vulnerabilities and test to see if the vulnerability is present • Report, provide results in a clear, understandable fashion The cardinal rule of scanning or vulnerability assessment is to be certain to only scan systems that you own and are authorized to scan. Otherwise, you will be setting off someone else’s intrusion detection capability and that is hardly a good idea. If you are shopping for a scanning toolset, it is reasonable to assume that either of the big three (ISS, NAI, Symantec) scan for the same number of vulnerabilities. They will all come up with false positives that have to be investigated manually. Before you plunk your money down, there are four things you really want to consider: • How is the product licensed? Is this flexible enough for your planned growth? Can it be upgraded easily? • How interoperable is the product? Is it fully Common Vulnerabilities and Exposures (CVE) compliant? • Can you easily compare the results of a scan today with the results of one four weeks ago, or is this a manual process? • Does your manager like the report output! 4 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 4 SARA (Security Auditor’s Research Assistant) • Where to get it – http://www-arc.com/sara/index.shtml • What does it do? – Vulnerability scanner, web-based interface, based on Satan, community-donated modules – Has some capability to determine probable trust relationships SARA is a follow-on to SAINT, which was a follow-on to SATAN. It runs pretty well and is worth trying if you are in a Unix shop. Though it is pretty safe as scanners go, be sure and test it in a lab, or off-hours on a non-critical network before unleashing it on your network. It is fairly lightweight compared to other products, but may be a great way to get started. 5 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 5 Nessus • Where to get it? –http://www.nessus.org • What does it do? –Vulnerability scanner, more heavy- handed than Saint in our experience SARA was a free tool and so is Nessus. This tool is better in the hands of someone that is technically sophisticated. It is already a powerful scanner based on community-donated plug-ins. It was also the fastest scanner in the Top Ten scanner evaluations. 6 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 6 Nmap Nmap is my personal favorite. It is the most commonly used scanning tool on planet Earth, bar none. It has a large number of scan modes and has a unique capability of operating system detection. Different operating systems have made divergent choices in building their network stacks, especially in areas that are not defined by RFC standards documents, or for fields that are reserved for the future. OS detection tools intentionally send packets that write into reserved fields or use illegal values in an effort to identify the operating system. (Editor’s note: Nmap is available from: www.insecure.org – Unix version; www.eeye.com – Windows version. – JEK) At this point we have briefly discussed three commercial tools and three freeware tools. If you run Unix tools (and all KickStart students are supposed to have access to Linux and Windows), the free tools - especially nmap - may be a great way for you to start. After all, in an organization of any size, you have plenty to find and fix before you need a top-of-the-line commercial scanner. Now, let’s think about phone scanning for a minute. Ever get a phone call, pick up the phone and no one was there? You might have been scanned. 7 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 7 Phone Scanning for Vulnerability Detection • Response for successful intrusion detection is not clear. – Defensive posture is difficult to maintain. – Generally not criminal to call phone numbers. • Intrusion detection may not be possible. • Scanning works - attackers use it! • Threat of scanning acts as a deterrent. Special thanks to Simson Garfinkle and the folks at Sandstorm (www.sandstorm.net) for the permission to use the PhoneSweep slides. Firewalls are not perfect we said, but when they fail it is more likely that they fail because of what the folks on the inside do, as opposed to the firewall having a technical problem. We already talked about users bringing up services on ports that are expected to be open for other reasons. Various multimedia programs such as napster and gnutella make it easy to get files through a site’s defenses and there are manuals on how to do this on the Internet. One other way that users can cause firewalls to fail is by hooking their system up to a modem. Next Sunday, take a minute to do some research. Pull the color ads in your area for the consumer electronic stores such as Circuit City and the like. Check out the computers. What do they all have? 8 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 8 War Dialers • Used by attackers to find dial-up modems. •Many programs, widely available – Toneloc, The Hacker’s Choice, etc. Well, what I notice about the ads (besides a price that is wrong by $400, because nobody in their right mind is going to sign a contract with Microsoft Networks or CompuServe), is all the computers have modems. Eventually, someone, somewhere is going to hook that modem up. Modems have a “dial on demand” mode, but they also have an auto-answer mode. This would be useful if you wanted to be able to access your computer at work from your computer at home to download files. The screen shot you see is for ToneLoc, probably the most popular wardialer. It will scan a range of phone numbers looking for a modem on auto-answer. These systems can then be targeted. 9 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 9 Mitigating the War Dialer Threat • Intrusion Detection Response: – Monitor call logs at phone switch. – Set up monitored modems on special phone numbers (honeypot). • Scanning Response: – Proactively scan your own phone numbers. – Take action when modems are found. Your facility almost certainly has and will be scanned. The question is, what action are you willing to take? The logical countermeasure is to scan your own phone lines on a regular basis. Now, this is simple in theory, complex in practice. Your organization may have a person in charge of phones and they may be able to help you. Be aware that Heating, Ventilation, And Cooling (HVAC - some folks say Heating, Ventilation, Air Conditioning) and alarm systems may be active on your phone system, and these numbers should be avoided. ToneLoc and most other scanners allow you to avoid number ranges. 10 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 10 PhoneSweep: Commercial Scanner • A Telephone Scanner, not a War Dialer –4 modems –System ID – Penetration – Repeatable scans – 80+ page manual –Supported Many organizations are uncomfortable using hacker code to attack their own sites because of the risk of embedded malicious code. Also, the documentation on some underground code is not the best. Technical support can be dicey from hacker locations. These are some of the factors that cause some organizations to prefer commercial software with phone support, printed manuals…and someone to sue if things go wrong. [...]... benefit – Military advantage – Personal advantage • Psychop – Disinformation – Perception management Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 25 Just today, I was trying to convince an organization not to put their personal names on their intrusion detection reports These analysts were proud of their ability and in a bit of competition They wanted the recognition So why can’t we... individuals have a lot of influence in their community 31 Know your enemy – ankle biters to full IW In • Government professional hacker, for ma t io nN ot Av a il ab le Government Hacker would be more indicative of motivation than skill level Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 32 Though we are playing for a bit of humor with the slide, information warfare – or using government... logic – virus, worms, trojan horse, logic bomb, file system encrypter, trapdoors Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 28 The potential impact of rigged hardware is interesting One company that builds PCs recently advertised very limited distance receiver/transmitters on the motherboard The idea was to speed up equipment inventory You walk down the hall transmitting a code and the. .. conclusions about how vulnerable a system is until you know the tool very well Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 16 In the previous example, it isn’t that you were wrong when you went to management and told them they were vulnerable The problem is that attackers often leave a low footprint - you can be compromised and not realize it Anyway, to summarize this section, a vulnerability... recovery plan; does it need updating? Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 34 Everything we do is dependent on computers This means that our infrastructure is vulnerable to a cyber-attack A well-executed attack could have very serious ramifications and could potentially spell disaster for an unprepared organization 34 Cyberwar Scenario Intrusion Detection - The Big Picture –. .. disabled by virus with major environmental damage (Jul 21-22) – Over 500 dead; $billions in damages to economy Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 36 From April to June there were some precursors, tests, even dress rehearsals In July the damage was done Many of the advanced attacks will probably require a dress rehearsal One attack that proved to be somewhat damaging to the United... has a lot of influence in community Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 31 One of the most interesting things about the hacker community is that the ones that rise to prominence are truly revered They have a profound degree of influence in these organizations and often have a following At the hacker conferences such as DefCon or Beyond Hope, the famous names are like rock ’n’... collection and stored out-of-band very valuable Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 23 Once evidence is turned over to law enforcement, they have chain of custody procedures The high risk for evidence is often where it is stored until law enforcement is called If there is no urgency (fires are urgent, Trojan software often isn’t), describe the scene in detail who, what, where,... or intrusion detection system can forge a RST and send it to one or both sides of the TCP connection if it sees evidence of an attack 18 Automated Response • Commercial IDS can be connected to routers/firewalls and take automated action – Drop connection – Shun IP address • Significant potential for denial of service Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 19 The intrusion detection. .. Person in the loop auto response options • Incident Handling – Emergency Action – 7 Deadly Sins – Chain of Custody – Forensics Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 20 In a 24x7 manned response center, an obvious solution to the high risk of auto-response would be to offer the detect and from one to N recommended responses to a trained incident handler and allow them to make the decision . 1 1 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 Intrusion Detection The Big Picture – Part V Stephen Northcutt This. 2 Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 2 Intrusion Detection Roadmap - 3 What are the pieces and how they play together • Vulnerability