What is an intrusion?
◦ Trespassing
◦ Joyriding
◦ Password guessing attack
◦ Rootkit
◦ Virus / malware
An intrusion is an (attempted) violation of a policy. In this course we will focus on IT security related intrusions.
We assume that a system / policy is not 100% secure
◦ Monitor behavior to detect intrusions
Design choices for a detection system:
◦ Network or host based?
◦ Signature or anomaly based?
◦ Passive / interval or active / real-time?
◦ Centralized, distributed or hybrid?
Passive “NIDS”
◦ In most cases fed by a span/mirror port: it receives a copy of the traffic and cannot block anything
◦ Monitors many hosts
◦ E.g. Snort, Bro, Suricata, Prelude (hybrid)
[Diagram: passive NIDS on a span/mirror port watching the traffic of servers 1, 2, 3]
Active NIDS a.k.a. NIPS (P = prevention)
◦ Inline with the uplink: all traffic passes through it
◦ Can interrupt streams or control e.g. firewall filters
[Diagram: active NIDS / NIPS inline on the uplink in front of servers 1, 2, 3]
“HIDS”
◦ In most cases an extra application on the host itself
◦ Works on one host
◦ Active: blocks known attacks
◦ E.g. OSSEC, Prelude (hybrid), anti-virus
[Diagram: a HIDS agent on each of the servers]
Honey pot
◦ Looks like an interesting real system
◦ Should not contain interesting (real) data
◦ Active + interactive: trick the attacker
◦ Any access to the honey pot is suspect by definition: no legitimate user has a reason to touch it
[Diagram: honey pot placed next to the real servers, which run a HIDS]
Well-known example: anti-virus (signature based)
◦ Uses known policy violations (signatures) for detection
◦ Policy violation → alert
◦ Frequent signature updates required in most cases
◦ Does it work? Unknown policy violations may also exist…
[Diagram: the known signatures cover only part of the space of (unknown) violations]
The same directory traversal request in three encodings; a literal signature for "../" only matches the first one:
http://victim/cgi/../../windows/system32/cmd.exe?/c+dir+c:\
http://victim/cgi/%252E%252E%252F%252E%252E%252Fwindows/system32/cmd.exe?/c+dir+c:\   (double URL-encoded: %25 = "%")
http%3A%2F%2Fvictim%2Fcgi%2F..%2F..%2Fwindows%2Fsystem32%2Fcmd.exe%3F%2Fc%2Bdir%2Bc%3A%5C   (fully URL-encoded)
Nice OT project? IDS evasion techniques!
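The evasion above comes down to "the signature is applied before the request is decoded". The following Python is an added example, not code from the slides or from any IDS product: it runs a literal traversal signature first over the raw request line and then over a normalized copy (repeated percent-decoding with a round limit, separator and case folding), using the three request forms from the slide plus one constructed benign request. Real engines such as Snort and Suricata do this normalization in their HTTP preprocessing before rules are matched; the three-round limit and the benign sample are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Naive signature: the literal "../" or "..\" an unaware IDS would grep for in the raw request.
TRAVERSAL_SIG = re.compile(r"\.\.[/\\]")


def naive_match(url: str) -> bool:
    """Apply the literal signature to the raw request line, without any decoding."""
    return TRAVERSAL_SIG.search(url) is not None


def normalize(url: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing, then unify
    path separators and case. urllib.parse.unquote removes one encoding layer
    per call, so %252E needs two rounds to become ".". The round limit is a
    deliberate (assumed) choice: without it an attacker can keep the decoder
    busy with ever deeper encodings."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/").lower()


def normalized_match(url: str) -> bool:
    """Apply the same signature after normalization, which is where it belongs."""
    return TRAVERSAL_SIG.search(normalize(url)) is not None


# The three request forms from the slide plus one constructed benign request.
SAMPLES = [
    "http://victim/cgi/../../windows/system32/cmd.exe?/c+dir+c:\\",
    "http://victim/cgi/%252E%252E%252F%252E%252E%252Fwindows/system32/cmd.exe?/c+dir+c:\\",
    "http%3A%2F%2Fvictim%2Fcgi%2F..%2F..%2Fwindows%2Fsystem32%2Fcmd.exe%3F%2Fc%2Bdir%2Bc%3A%5C",
    "http://victim/cgi/index.html?page=1",  # constructed benign request, must not alert
]


def evaluate(samples=SAMPLES):
    """Return (raw_signature_hit, normalized_signature_hit) for each sample."""
    return [(naive_match(u), normalized_match(u)) for u in samples]


if __name__ == "__main__":
    for url, (raw_hit, norm_hit) in zip(SAMPLES, evaluate()):
        print(f"raw={raw_hit!s:5}  normalized={norm_hit!s:5}  {url}")
```

Running it shows the raw signature firing only on the first request, while the normalized signature fires on all three attack forms and stays quiet on the benign one. The lesson for rule writing is that a signature is only as good as the normalization that precedes it, and that the normalizer itself is attack surface (decode loops, and differences between what the IDS decodes and what the target web server decodes).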
Well-known example: credit card fraud teams (anomaly based)
◦ Uses known good behavior
◦ Behavior not good → alert
◦ Does it work? Good behavior must be known first
◦ What happens if your dad or friends use your computer?
Mostly called Intrusion Detection System (IDS)
◦ Setup = IDS, engine = signature and / or anomaly based
◦ Problem → alert in database / email / text message
◦ Response is manual action
◦ Admin checks alerts every: morning? week? month? never?
◦ Real-life examples: IDS flooded during penetration tests
Your experiences?
Mostly called Intrusion Prevention System (IPS)
◦ Setup = IPS and / or host based, engine = signature and / or anomaly based
◦ Problem → automatic action: drop TCP session, add block rule to firewall, lock user account
◦ Take action before system compromise
◦ What about false positives? An automatic block on a false positive is a self-inflicted denial of service
◦ Real-life examples: IPSs blocking source IPs during penetration tests; company proxies / mobile gateways
Does an IDS only consist of the blue part or is the green part also included? (See the diagram: the machines or also the men?)
Is the number of false positives reported?
Is the follow-up reported?
Techies’ toy or business tool?
[Diagram: IDS pipeline: data source → signatures / behavior → alerts (done by machines) → interpretation → follow-up (done by men)]
Local sensors:
◦ Collection of data
◦ Analyzing data and creating alerts
◦ Interpretation of alerts: mainly manual action
◦ Follow-up
◦ 10 locations = 10 IDS sensors = 10 teams
Lots of expertise required on each site:
◦ Especially for alert interpretation
Points of attention:
◦ It’s a challenge to correlate data from different sources
Distributed sensors:
◦ Collection of data
◦ 10 locations = 10 sensors
Centralized expert group:
◦ Analyzing data and creating alerts
◦ Interpretation of alerts
◦ Coordination of follow-up
◦ 10(+) locations, 1 x interpretation + follow-up
Points of attention:
◦ Secure transmission of alerts from the local sensors to the central location: an attacker who can read, alter or drop sensor traffic can blind the central team
◦ Bandwidth and processing power on the central site
Confusion matrix:
◦ We want 100% TP (= 0% FN: every attack is detected) and 100% TN (= 0% FP: no alert on normal behavior)
                          reality: true (attack)            reality: false (no attack)
detection result: true    true positive (TP)                false positive (FP): annoying
detection result: false   false negative (FN): problem!     true negative (TN)
P(H|E) = probability of an attack (H) given an alert from the detection engine (E): this is what we really want to know
P(E|H) = probability of an alert when an actual attack is performed (the detection rate)
P(H) = probability of an attack
P(E) = probability of an alert, true or false
Bayes: P(H|E) = P(E|H) x P(H) / P(E)
P(E) = P(E|H) x P(H) + P(E|!H) x P(!H)
◦ We need to calculate P(E) first
Question: what’s the chance of H (= we’re under attack) given E (= an alert, true or false)?
Chance of alert when attacked P(E|H) = 95% = 0.95
◦ This is a magic percentage that the IDS vendor tells us
Chance of attack P(H) = 1/10k = 0.0001
◦ E.g. statistics of network traffic or assumption
Chance of a false alert P(E|!H): this slide assumes 1 – 0.95 = 0.05
◦ In practice this is a separate number that has to be measured on your own traffic
Chance of alert P(E) = P(E|H) x P(H) + P(E|!H) x P(!H) = 0.95 x 0.0001 + 0.05 x 0.9999 = 0.05009
P(H|E) = P(E|H) x P(H) / P(E) = 0.95 x 0.0001 / 0.05009 = 0.001897
So: a 95% reliable detection engine:
◦ Results in ~0.2% reliable detection: only about 1 in 500 alerts is a real attack
◦ Results in ~500 false positives per true positive (the slide rounds 0.19% to 0.2% and gets 499; the exact ratio 0.049995 / 0.000095 is about 526)
This is a problem in the real IDS world
◦ Many many false positives
Can only be solved by:
◦ High P(E|H) (= detection reliability), > 99%. Is this possible with unknown threats?
◦ High P(H) (= chance of attack). You don’t want this: this is a really hostile network!
◦ Note that under the assumption P(E|!H) = 1 – P(E|H) used here, P(E) follows from P(E|H) and P(H) alone. In practice the false-alert rate P(E|!H) is a separate property of the engine and its tuning, and lowering it (not raising the detection rate) is what makes an alert worth believing
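To see which of the three quantities actually moves the result, the following Python carries the slide's calculation through for a few scenarios. It is an added example, not part of the course material: the functions use the slide's symbols (H = attack, E = alert), and the scenario values other than the slide's 0.95 / 0.05 / 0.0001 are assumed for illustration.

```python
"""Base-rate arithmetic for IDS alerts, using the slide's symbols:
H = an attack is in progress, E = the detection engine raises an alert."""


def p_alert(p_detect: float, p_false_alert: float, p_attack: float) -> float:
    """P(E) = P(E|H) x P(H) + P(E|!H) x P(!H): total probability of an alert."""
    return p_detect * p_attack + p_false_alert * (1.0 - p_attack)


def alert_posterior(p_detect: float, p_false_alert: float, p_attack: float) -> float:
    """P(H|E) = P(E|H) x P(H) / P(E): how much a single alert should be believed."""
    return p_detect * p_attack / p_alert(p_detect, p_false_alert, p_attack)


def fp_per_tp(p_detect: float, p_false_alert: float, p_attack: float) -> float:
    """Expected false alerts for every true alert: P(E|!H) x P(!H) / (P(E|H) x P(H))."""
    return (p_false_alert * (1.0 - p_attack)) / (p_detect * p_attack)


# (label, P(E|H), P(E|!H), P(H)). The first row is the slide; the others are assumed values.
SCENARIOS = [
    ("slide: 95% detection, 5% false-alert rate", 0.95, 0.05, 1e-4),
    ("better detection only (99.9%)", 0.999, 0.05, 1e-4),
    ("same detection, 0.1% false-alert rate", 0.95, 0.001, 1e-4),
    ("same detection, 0.001% false-alert rate", 0.95, 1e-5, 1e-4),
]


def run(scenarios=SCENARIOS):
    """Return (label, P(H|E), false positives per true positive) per scenario."""
    return [
        (label, alert_posterior(pd, pfa, ph), fp_per_tp(pd, pfa, ph))
        for label, pd, pfa, ph in scenarios
    ]


if __name__ == "__main__":
    for label, posterior, ratio in run():
        print(f"{label:45s} P(H|E) = {posterior:.4f}   FP per TP = {ratio:8.1f}")
```

The first row reproduces the slide (P(H|E) ≈ 0.0019, roughly 500 false alerts per real one). Pushing the detection rate to 99.9% while leaving the false-alert rate alone barely changes anything; dividing the false-alert rate by 50 turns the same engine into one where about 1 in 12 alerts is real, and at a false-alert rate of 1 in 100,000 benign events an alert becomes more likely true than false. That is the concrete meaning of "tuning" on the later slides: every rule you silence on your own traffic lowers P(E|!H).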
IDS tested during security tests
◦ For the OT course, the focus is on usability
◦ Lab assignments include many tests to verify the effectiveness for real-life situations / threats and detection rules
An IDS is an enormous protocol parser
◦ Protocol parsing is prone to errors
Most IDSs are written in C/C++
◦ For speed and / or as a result of legacy
Risks
◦ Parser bugs + C/C++ = dangerous ingredients: a crafted packet can crash or take over the sensor
◦ Add “if(ip.source == attacker) no alert”
◦ Use the IDS as a stepping stone to hack other systems
◦ Sniff confidential data: the sensor sees everything on the mirror port
An IDS is an interesting tool
An IDS needs specific tuning
◦ A profile for situation A most probably doesn’t work for situation B
Many (many) false positives
◦ By design
◦ An alert doesn’t mean unsafe!
Many (many) false negatives
◦ We’re not aware of all the bad things in the world
◦ No alert doesn’t mean safe!
Use it to detect well-known attacks
Don’t rely on it to detect specific attacks
◦ Unless you’ve created specific, highly effective detection rules
Detecting attacks is already a problem from a theoretical point of view
Detecting attacks in real life is even more challenging
So how can we keep our systems secure? Focus of the OT lab assignments:
◦ Performing attacks on real-life systems and applications: understand the theory and apply it by using popular tools
◦ Detection of the attacks you’ve performed (if possible): understand the theory and apply it by using popular tools and writing custom detection rules
◦ Prevention of the attacks you’ve performed: understand the theory and apply it by e.g. hardening systems