
Risk Management The Big Picture – Part IV

In our next section we are going to introduce network-based intrusion detection. The detect engine in this case is either a firewall, a personal firewall, or an intrusion detection system. All of these work quite well. We will begin with a single attack, just to see how one might work and how we might detect it. Then we will explore the range of tools and show you how you can get in the game with a very low investment, possibly even free.
Network-based Intrusion Detection
Information Risk Management - SANS ©2001

4-1 Need for Network-based Intrusion Detection
• Most attacks come from the Internet
• Detecting these attacks allows a site to tune defenses
• If we correlate data from a large number of sources we increase our capability

The statistic that 90% of all attacks are perpetrated by insiders is dead wrong.

While insider attacks may cause more damage (because the attacker knows the system assets and what to target), insider threats are usually addressed by traditional security and audit mechanisms. An insider has a much greater chance of being caught and prosecuted or dealt with administratively IF DETECTED, since you know where they live. The greatest threat in terms of financial loss is insiders. Period, no questions. That said, the greatest number of threats is via Internet attacks. A huge percentage of these are stopped by firewalls. Successful attacks often do not cause as much harm as an insider, because an insider knows exactly where the crown jewels, the strategic information assets of an organization, are. Having said all that, we are going to concentrate on Internet-based attacks in this section. Are they relevant? Oh my yes! The number one reason is the sheer numbers.
If your site is subjected to thousands and thousands of attacks, even if poorly targeted, and you don’t have effective perimeters, then your systems will eventually fall when the correct exploit hits. However, the situation is even worse. It turns out that a small number of problems, things we know we should correct, like file sharing or proper permissions, account for a vast number of system compromises. In fact, firewalls themselves, which are an amazingly effective perimeter, contribute to the problem. The people protected by the firewall think everything is OK since the firewall stops the attacks; then they get lax, drop their defenses, someone makes a small misconfiguration of the firewall and boom, the site is dealing with a major compromise. Finally, the sophistication of network-based attacks continues to increase. The Unix worms of mid-2001 demonstrated that by using toolkits essentially any successful exploit can serve as the foundation of another worm, multiplying the effect of the attack hundreds of times beyond what one attacker or even a group of attackers could achieve, since every compromised host becomes a new attacker.

Now we look at a single attack, in this case a denial of service, or availability attack, called WinNuke. This is one of the classics, and it was so aggravating that it resulted in the creation of the first wave of Windows personal firewalls, including Nukenabber, the software that served as TCP Wrappers for Windows systems.

4-2 Inside a Network Attack
• WinNuke (also called OOBNuke) uses TCP 139 and OOB data, even if NetBIOS is not enabled
• It results in the “Blue Screen of Death”
• Patches/service packs are available
• OOB stands for Out Of Band and is actually misnamed; it should say “Urgent mode”, which is the Urgent bit set in the TCP header flags plus the urgent pointer

Some people call this famous attack an Out of Band attack; however, it is better known as WinNuke.
If you are interested in the classic Windows attacks, you might want to visit: http://www.winplanet.com/features/reports/netexploits/index2.html

On to WinNuke. Older unpatched Windows systems, 3.11 and 95, can be crashed by a single, specially formatted packet. The packet has to be sent to a listening port such as TCP port 139, the NetBIOS Session service, but any listening port will do. Hey, quick review: how do you know which ports are listening on your Windows system? How do you know what programs are responsible for those ports? How do you know which users are the owners of those programs? If you don’t know the answer to all three of these questions, you really should redo the previous section on host-based intrusion detection. If you have a Win95 system, you should get the patch, available at: http://support.microsoft.com/support/kb/articles/Q168/7/47.asp

4-3 Nuke’eM Screen
So how do we create this weird packet? Generally by using a special tool, as we see on this slide, which is a screenshot of version 1.1 of Windows Nuke’eM. This application has a single purpose: to establish a connection with the TCP three-way handshake and then hit the remote system with the illegal packet. It doesn’t take any particular skill to run it; as you see, all we did was enter the IP address of a target system.

4-4 Lockdown Screen
On this slide you see a screenshot of a personal firewall called Lockdown that is both detecting the attack and acting as a perimeter system to protect the client. Let’s sum up what we have seen as we looked at a single network attack, WinNuke. We have identified a vulnerability, a flaw in the Windows implementation of networking. We have described the flaw technically and demonstrated there are attacker tools to take advantage of the threat. Finally, we have seen a detection and protection tool in operation.
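A personal firewall like Lockdown or Nukenabber detects this attack by inspecting the TCP header, not by knowing anything about the tool that sent the packet. The Python below is an added example written for this page, not code from the course, from Lockdown or from Nukenabber: it parses raw IPv4/TCP headers, flags any segment that arrives at a watched port (TCP 139 by default) with the Urgent bit set and a non-zero urgent pointer, and writes a one-line entry in the style of a personal firewall log. The addresses, ports and packets are constructed for the example, and checksums are left at zero because the parser does not verify them.

```python
"""Detect URG-flagged ("out of band") TCP segments aimed at a watched port.

Added example, not code from the course, Lockdown or Nukenabber. It parses raw
IPv4/TCP headers the way a personal firewall or packet-capture tool would and
flags segments that carry the Urgent bit and a non-zero urgent pointer toward
TCP 139 (or any other port you list). Sample packets are constructed inline.
"""
import struct
from typing import Optional, Tuple

TCP_URG, TCP_ACK, TCP_PSH = 0x20, 0x10, 0x08
NETBIOS_SESSION = 139  # the port the slide names; any listening port would do


def parse_ipv4_tcp(raw: bytes) -> Optional[dict]:
    """Return header fields for an IPv4/TCP packet, or None for anything else."""
    if len(raw) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:          # IPv4 and protocol 6 (TCP) only
        return None
    tcp = raw[(ver_ihl & 0x0F) * 4:]              # skip the IP header incl. options
    if len(tcp) < 20:
        return None
    (sport, dport, _seq, _ack, off_res, flags, _win, _tcsum,
     urgptr) = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport,
        "flags": flags, "urgptr": urgptr,
        "payload": tcp[(off_res >> 4) * 4:],      # data offset is in 32-bit words
    }


def is_oob_nuke(raw: bytes, watched_ports: Tuple[int, ...] = (NETBIOS_SESSION,)) -> bool:
    """True when a segment to a watched port has URG set and a non-zero urgent pointer."""
    hdr = parse_ipv4_tcp(raw)
    if hdr is None:
        return False
    return (hdr["dport"] in watched_ports
            and bool(hdr["flags"] & TCP_URG)
            and hdr["urgptr"] > 0)


def describe(raw: bytes) -> str:
    """One-line entry in the spirit of a personal firewall log."""
    hdr = parse_ipv4_tcp(raw)
    if hdr is None:
        return "not an IPv4/TCP packet"
    verdict = "OOB/URG to watched port" if is_oob_nuke(raw) else "ok"
    return (f"{hdr['src']}:{hdr['sport']} -> {hdr['dst']}:{hdr['dport']} "
            f"flags=0x{hdr['flags']:02x} urgptr={hdr['urgptr']} {verdict}")


def build_packet(src: str, dst: str, sport: int, dport: int,
                 flags: int, urgptr: int, payload: bytes = b"") -> bytes:
    """Construct a test packet (checksums stay zero; the parser does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, urgptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed samples: an ordinary NetBIOS session segment and an URG-flagged one.
NORMAL = build_packet("192.0.2.10", "192.0.2.55", 1234, 139, TCP_ACK | TCP_PSH, 0, b"\x00")
URGENT = build_packet("192.0.2.10", "192.0.2.55", 1234, 139, TCP_ACK | TCP_PSH | TCP_URG, 1, b"\x00")

if __name__ == "__main__":
    for pkt in (NORMAL, URGENT):
        print(describe(pkt))
```

The check keys on the header fields the slide describes (Urgent bit plus urgent pointer), so it fires regardless of which tool produced the packet; extending watched_ports covers the slide's point that any listening port will do.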
Actually, this is another example of threat, countermeasure, and counter-countermeasure. WinNuke was dropping systems left and right and Microsoft responded with a patch, but instead of fixing the problem, they released a quick hack. The attackers countered with a modification of their attack tools almost instantly. Today, you can download a patch that actually corrects the problem, and that URL has been provided to you.

Anyone can do intrusion detection, and if you start practicing today, you will be ready to take the advanced Intrusion Detection In Depth course pretty soon. So let’s go through the steps to begin doing network intrusion detection. This is certainly NOT the only way, but it is an approach for you to consider.

4-5 Network Intrusion Detection 101
Generally when we think of personal firewalls we think of a perimeter defense, or a protect function. What about detect? It turns out that some personal firewalls have the capability to do more than just detect attacks: they can log the attack, which allows the analyst to study the attributes of an attack. In fact, personal firewalls and Small Office Home Office (SOHO) firewalls are becoming part of some of the most important sensor networks available anywhere. The first step is to turn on logging! In general, the more places you log, the better off you are when a weird event occurs.

4-6 Enable Logging
The engine settings are managed from the Tools menu. Take a minute and look around at the options. However, while you are there, be sure to enable logging. The logs are stored by default under Program Files, in the Network Ice / BlackICE directory, and, as you see on the slide, they carry a handy prefix.

4-7 Our First False Positive
Yup, bootp, actually DHCP, Dynamic Host Configuration Protocol, is a normal occurrence on this home network.
We reconfigure so often, and most of our machines are both mobile and wireless, that static IP addresses are out of the question. So perhaps we don’t want to alert when that happens. We simply select an attack we don’t want to see, right click, and select Ignore. Using the tools we have discussed, especially after you complete the training on networking and TCP/IP that is coming up in this course, you will be equipped to really start drilling down into network intrusion detection. Sometimes graphics tools can help us know where to look for an anomalous event.

4-8 Visualization Tools - BID Port Scan
The intense activity shown on your slide was the result of someone probing this network. This gives us an idea where we might want to look in order to find the evidence file. As a helpful hint, find the approximate time and, if you are looking for a scan, look for the biggest file.

We hope you have enjoyed your introduction to network intrusion detection. We have learned about a couple of new tools that you can use to start investigating suspicious network traffic. As we move through the remainder of this section of the course, we will learn more about the tools and techniques used in network intrusion detection. Most of these tools, whether for Unix or Windows, depend on a simple utility called libpcap or winpcap.

4-9 Libpcap-based Systems
[Diagram: Collect Data, FW, Analyze Data, Display Information, Analysis/Display Station]
• Most network-based intrusion detection systems, Unix or Windows, are libpcap based

The first network-based intrusion detection systems we look at are libpcap-based. These include Shadow, Snort, NetRanger, and NFR. Libpcap is a packet capture library designed to get the data from the kernel space and pass it to the application. There are implementations for Windows (winpcap-based; winpcap is the Windows version of libpcap) and Unix. It is reliable and has the big advantage of being free.
A sensor is distinguished by how much on-board policy information it has. The Shadow sensor is designed to be stupid. It lives outside the firewall. If it should fail, no information about the site will be lost. This is one of the characteristics that sets Shadow apart from most intrusion detection systems. Most IDS have a lot of information about how sites are configured, how firewalls are set up, hosts that you are watching out for, and attacks that you are particularly concerned about. Should a Shadow sensor fail, all an attacker gets are the logs. You can still run Snort on the inside, though; simply feed it the TCPdump Shadow files. We’d like to see more vendors take measures to make their sensors attack-resistant, or stealthy, and make them less valuable targets. The sensor is the attacker’s first target.

4-10 Network Intrusion Detection With Snort

4-11 Snort Design Goals
• Low cost, lightweight
• Suitable for monitoring multiple sites/sensors
• Low false alarm rate
• Efficient detect system
• Low effort for reporting

Snort was designed to supplement and be run in parallel with other sensors, such as Linux firewalls. It has rules for packet content decodes, and also packet headers. This means it can detect data-driven attacks like buffer overflows and attacks on vulnerable URLs and scripts (like RDS and phf). So if you use Shadow and Snort, you have a good pattern matcher. It is free, scalable, and very good at detecting stealthy recon efforts and probes. Its focus on the early warning to be gained from spotting the recon phase is very valuable, since the actual attack can happen in seconds and be all over by the time you notice it started. It is also a good system to learn and experiment with, since it is easy to modify, being modular open source with lots of community-developed enhancements.
4-12 Snort

    [**] RPC Info Query [**]
    06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
    TCP TTL:46 TOS:0x0 ID:29416 DF
    *****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
    TCP Options => NOP NOP TS: 86724706 118751139
    80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02  ...(.p..........
    00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00              ............

The Snort detects are displayed in log files like this, separated by blank lines. For this primer, we will primarily focus on the various detects. An advantage of Snort is that this trace is easy to cut and paste into an email to send to your CIRT. This is better than several commercial tools that, while they show an easy-to-understand colorful icon, make it hard to get to the raw data to verify or report the detect. This is the more detailed log file. Notice the rule that found the detect is displayed at the top. Then summary information about the packet is given. The trace then shows the content of the detect. RPC (Remote Procedure Call) attacks like this are part of the Top Ten list (www.sans.org/topten.htm). Notice all the zeros? RPC packets are padded to 32-bit words, often to carry a field that only has a choice of a single integer, so the zeros are an indication of RPC.

4-13 Configuring Snort With IDSCenter
• Graphical User Interface
  – Simplifies The Configuration Of Snort
  – Simplifies Set Up Of Alerts
  – Simplifies Monitoring Snort Log Files And Alerts

While Snort is a very powerful Network Intrusion Detection System (NIDS), it requires a little effort to configure it properly. IDSCenter simplifies this process by providing the type of graphical user interface that Windows users are accustomed to. Using simple techniques it is possible to specify the location of the various executable and configuration files used by Snort.
Once the appropriate settings have been made, IDSCenter also provides easy access to the rule set that determines what alerts Snort will generate. IDSCenter also provides a simple method to specify and set up the various types of alerts that should be generated by Snort. It is available from http://idsc.emojo.com/idscenter/index.cfm.

4-14 IDSCenter General Setup
IDSCenter’s General Setup screen always asks for the specification of the Snort version, executable location, process priority, and network considerations. If you have multiple interfaces defined, the Network Interface number may require some experimentation to get the right value. While it’s possible to get the right entry from the registry, it’s easier to just try the various possibilities and test the configuration.

4-15 IDSCenter IDS Rules Setup
The IDS Rules Setup screen allows for the specification of the Snort configuration file, which contains the definitions of patterns to match. It also displays the current configuration and will open it up for editing if required.

4-16 IDSCenter Log/Alerts Setup
This screen controls the location, type, and detail level of what will be generated by Snort’s alert mechanism. Snort provides the capability to log locally, to a syslog server, to the NT Event Logs, and to various databases. Considerable flexibility is provided in the amount of detail that will be logged.

4-17 IDSCenter Alert Viewer
The Alert Viewer screen provides an easy way to see the alerts that Snort has generated. It also provides an easy way to get additional information about a given alert by entering the message’s IDS number and querying the arachNIDS Intrusion Event database.
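Because Snort’s alert file is plain text with records separated by blank lines, it is easy to post-process before you cut and paste a detect to your CIRT or look up its IDS number. The Python parser below is an added example, not part of the course material, of Snort, or of IDSCenter: it splits an alert file into records, pulls out the rule message, timestamp, endpoints, protocol, TTL, TCP flags and the hex payload dump in the format shown on slide 4-12, and applies the slide’s observation that RPC payloads are padded with zeros to 32-bit words. SAMPLE_LOG reproduces the slide’s record plus a second record constructed for the example (its addresses and sequence numbers are made up).

```python
"""Parse Snort "full" alert records like the one on slide 4-12.

Added example, not from the SANS course, Snort or IDSCenter. Records are
separated by blank lines; each starts with "[**] message [**]", then a
timestamp/endpoints line, protocol summary lines, and a hex+ASCII payload dump.
SAMPLE_LOG is a constructed file: the slide's record plus one made-up record.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
ENDPOINT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$")
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP)\s+TTL:(?P<ttl>\d+)")
FLAGS_RE = re.compile(r"^(?P<flags>[*12UAPRSF]{8})\s+Seq:")
# Hex pairs separated by single spaces; the ASCII column that follows is
# separated by wider spacing, so the match stops before it.
HEX_RE = re.compile(r"^((?:[0-9A-F]{2}(?:\s|$))+)")


@dataclass
class SnortAlert:
    msg: str
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = ""
    ttl: int = 0
    flags: str = ""
    payload: bytes = b""


def parse_record(block: str) -> Optional[SnortAlert]:
    """Parse one blank-line-delimited record; None if it is not a Snort alert."""
    lines = [line.rstrip() for line in block.strip().splitlines()]
    if len(lines) < 2:
        return None
    head, ends = HEADER_RE.match(lines[0]), ENDPOINT_RE.match(lines[1])
    if not (head and ends):
        return None
    alert = SnortAlert(head["msg"], ends["ts"], ends["src"], int(ends["sport"]),
                       ends["dst"], int(ends["dport"]))
    payload = bytearray()
    for line in lines[2:]:
        if (p := PROTO_RE.match(line)):
            alert.proto, alert.ttl = p["proto"], int(p["ttl"])
        elif (f := FLAGS_RE.match(line)):
            alert.flags = f["flags"]
        elif (h := HEX_RE.match(line)):
            payload += bytes.fromhex(h.group(1))   # fromhex ignores the spaces
    alert.payload = bytes(payload)
    return alert


def parse_alert_file(text: str) -> List[SnortAlert]:
    """Split the file on blank lines and parse every record that looks like an alert."""
    return [a for a in (parse_record(b) for b in re.split(r"\n\s*\n", text)) if a]


def zero_fraction(payload: bytes) -> float:
    return payload.count(0) / len(payload) if payload else 0.0


def looks_like_rpc(alert: SnortAlert, threshold: float = 0.5) -> bool:
    """Slide heuristic: portmapper (port 111) or a payload dominated by the zero
    padding that 32-bit-aligned RPC fields produce."""
    return alert.dport == 111 or zero_fraction(alert.payload) >= threshold


SAMPLE_LOG = """\
[**] RPC Info Query [**]
06/29-00:15:29.137285 211.72.115.100:623 -> z.y.w.98:111
TCP TTL:46 TOS:0x0 ID:29416 DF
*****PA* Seq: 0x1EDB7784 Ack: 0xD4A024FE Win: 0x7D78
TCP Options => NOP NOP TS: 86724706 118751139
80 00 00 28 08 70 BB FF 00 00 00 00 00 00 00 02  ...(.p..........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00              ............

[**] WEB-CGI phf access [**]
06/29-00:17:02.001122 198.51.100.7:3412 -> z.y.w.80:80
TCP TTL:51 TOS:0x0 ID:1001 DF
***AP*** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x2000
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 70 68 66  GET /cgi-bin/phf
"""

if __name__ == "__main__":
    for a in parse_alert_file(SAMPLE_LOG):
        print(f"{a.timestamp} {a.msg}: {a.src}:{a.sport} -> {a.dst}:{a.dport} "
              f"{a.proto} flags={a.flags} zeros={zero_fraction(a.payload):.2f} "
              f"rpc={looks_like_rpc(a)}")
```

The zero-byte share is only a hint, as the slide says; the parsed dataclass is what you would attach to a CIRT report or feed to a script that queries arachNIDS by IDS number.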
4-18 TCPdump
• Libpcap
• Always available
• Compiles on many Unix platforms
• Runs on Windows 9x and NT
• High fidelity
• Same program for data collection and first order analysis

TCPdump is a tool for network monitoring and data acquisition. The original distribution is available via anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z. TCPdump uses libpcap, a system-independent interface for user-level packet capture. The Windows version, WinDump, is available from http://netgroup-serv.polito.it/windump/install/default.htm. Libpcap is the de facto standard for Unix-based intrusion detection systems. It is a software interface for acquiring the collected information from the interface card and providing it to the IDS application. Shadow uses TCPdump as its underlying packet capture mechanism, as does Snort, which is the current favorite on incidents.org. Snort includes packet decodes and pattern matching, and you can use the same filters for either TCPdump or Snort. Let’s take a look at a sample filter and see what we learn.

4-19 Core_Hosts Filter
• DNS, Web, and mail servers draw a lot of fire; about 20% of all our attacks are directed at these systems
• If you lose control of DNS, they own you
• Worth the time to give connection attempts to these systems an extra look

What do web servers, DNS servers, and mail relays have in common? You cannot hide them if you want your site to communicate with the rest of the world. They are also important systems. Therefore it makes sense to tune your intrusion detection system to look at these. As we move to a real-world filter, let us warn you in advance: the language is a bit odd. However, we can take it one step at a time and everything will work out. There are many, many protocols, but three, TCP, UDP, and ICMP, do most of the work from a computer system’s point of view. So most of the filters will start with a protocol.
TCP and UDP use numerical ports to identify which service is requested. For instance, TCP destination port 80 is the port number a web server uses. A popular technique is to write a filter that monitors your “core hosts”, those hosts that are the most important to your organization.
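Taking the slide’s advice one step at a time, here is how a core-hosts filter looks in the BPF expression language that TCPdump, WinDump and Snort share. This Python is an added example, not a filter from the course or from the Shadow project: it builds the expression from an inventory of core hosts (protocol first, then host, then port), adds a narrower variant that keeps only segments with the TCP SYN bit set, the connection attempts the slide says deserve an extra look, and includes a small reference matcher so the same policy can be checked against constructed packets before it is run on a sensor. The 192.0.2.x addresses are documentation addresses standing in for a site’s DNS, web and mail servers.

```python
"""Core-hosts BPF filter for TCPdump, WinDump and Snort.

Added example (not from the SANS course or the Shadow project). A BPF
expression names a protocol first, then host and port qualifiers joined with
"and"/"or". The inventory below uses constructed documentation addresses.
"""
from typing import Dict, List, Tuple

# Constructed core-host inventory: address -> list of (protocol, destination port).
CORE_HOSTS: Dict[str, List[Tuple[str, int]]] = {
    "192.0.2.53": [("udp", 53), ("tcp", 53)],  # DNS: queries over UDP, zone transfers over TCP
    "192.0.2.80": [("tcp", 80)],               # web server
    "192.0.2.25": [("tcp", 25)],               # mail relay
}


def core_hosts_filter(hosts: Dict[str, List[Tuple[str, int]]] = CORE_HOSTS) -> str:
    """BPF expression keeping only traffic sent to the core services.

    Each term reads protocol, then host, then port, for example
    (tcp and dst host 192.0.2.80 and dst port 80); terms are joined with "or".
    """
    terms = [f"({proto} and dst host {addr} and dst port {port})"
             for addr, services in hosts.items()
             for proto, port in services]
    return " or ".join(terms)


def connection_attempts_filter(hosts: Dict[str, List[Tuple[str, int]]] = CORE_HOSTS) -> str:
    """Narrower expression: only TCP segments with the SYN bit set (connection
    attempts) toward any core host. tcp[13] is the TCP flags byte and 2 is SYN."""
    addrs = " or ".join(f"dst host {addr}" for addr in hosts)
    return f"tcp and tcp[13] & 2 != 0 and ({addrs})"


def match(packet: dict, hosts: Dict[str, List[Tuple[str, int]]] = CORE_HOSTS) -> bool:
    """Reference evaluation of core_hosts_filter() for a decoded packet
    {'proto': 'tcp'|'udp', 'dst': ip, 'dport': int}, mirroring it term by term."""
    return (packet["proto"], packet["dport"]) in hosts.get(packet["dst"], [])


# Constructed packets: a DNS query, HTTPS to the web host (not in the inventory),
# mail delivery, and a web probe at a non-core host.
SAMPLE_PACKETS = [
    {"proto": "udp", "dst": "192.0.2.53", "dport": 53},
    {"proto": "tcp", "dst": "192.0.2.80", "dport": 443},
    {"proto": "tcp", "dst": "192.0.2.25", "dport": 25},
    {"proto": "tcp", "dst": "192.0.2.99", "dport": 80},
]


def core_hits(packets: List[dict], hosts: Dict[str, List[Tuple[str, int]]] = CORE_HOSTS) -> List[dict]:
    """Packets the core-hosts filter would keep for a closer look."""
    return [p for p in packets if match(p, hosts)]


if __name__ == "__main__":
    print(core_hosts_filter())
    print(connection_attempts_filter())
    for p in core_hits(SAMPLE_PACKETS):
        print("keep:", p)
```

Running the file prints the two expressions; pass one, quoted, on the TCPdump or Snort command line, for example tcpdump -n -r capture.dump '<expression>' to replay a saved Shadow capture through it (capture.dump is a placeholder name). The 443 packet is dropped on purpose: the filter watches exactly the services you listed, so add (tcp, 443) to the inventory if the web host also serves HTTPS.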