Intrusion detection isn’t just software—it means monitoring your network to discover attacks. Sometimes that infiltration comes from places you’d never expect.
Who's Lookin' At You?
Intrusion detection isn’t just software—it means monitoring your network to discover attacks. Sometimes that infiltration comes from places you’d never expect.
- By Roberta Bragg
- 02/01/2000
The process of monitoring a network with the goal of
discovering an attack is called intrusion detection. It
involves four basic efforts:
- Examining packets entering or traveling across your
network for known attack patterns.
- Monitoring or comparing known sensitive areas (system
files and registries) to known uncompromised snapshots.
- Evaluating network systems for evidence of compromised
attack, such as promiscuous network cards or the existence
of known executable files or services.
- Examining entry point systems such as mail servers
and Web servers for the existence of viral agents, Trojans
in email attachments, or Web page scripts.
You may want to install an intrusion detection product
or a suite of them. Many products claim to be intrusion
detection panaceas, and some are very good. This isn’t
a review of them. Instead, I’ll provide an overview of
the process of establishing and maintaining an intrusion
detection system. Although I recommend that you purchase
and install some kind of commercial system, merely doing
that isn’t enough. You can’t rely on that system to always
detect and stop attacks in progress or to find compromised
systems. Intrusion detection systems aren’t products you
set up and ignore. You must also respond to alerts, look
for evidence of attacks the system failed to recognize,
and constantly update it.
Source of Attacks
Where does your network connect to the external world?
Through Internet access? Dial-out modems? Direct lines
to business partners? Users log off their workstations
at night and servers get secured, right? At major choke-points,
host-type intrusion detection systems can be used. These
systems protect a particular system from common types
of attacks. Specialized systems scan email for viruses;
monitor Web servers and generic systems; or look for critical
file exploits, system file changes, system configuration
changes, Trojan horses, buffer overflows, and registry
modifications. The point here is to attempt to catch and
thwart the attack just as it breaches your defenses. A
good place for an intrusion detection system is between
your firewall and your network.
Attacks can come from internal or external sources; external
attacks may breach perimeter detection. Network intrusion
detection systems are designed to look for suspicious
activity on your network, including devices such as routers
and switches. These systems look for things such as network
cards set to promiscuous mode (explained shortly), abnormal
amounts of traffic, and, by sampling packets on your network,
attack patterns.
Types of Attacks
In addition to complex denial-of-service or penetration
strikes (which require a sophisticated understanding of
transport protocols at the packet level), consider the
prospect of viral and Trojan horse attacks. A virus is
code that changes something in your system; a Trojan horse
masquerades as something innocent. Both can easily be
attached to ordinary email. They rapidly infiltrate the
network or arrive in software and, theoretically, attack
our systems from Web pages with embedded scripts. Both
often infiltrate our systems as a result of a little social
engineering—the email attachment that masquerades as a
game or the utility disk a friend passes along.
| Finding
a Compromised Server |
| Are you running an IIS Web
server? The possibility of compromise
via vulnerabilities in IIS Web servers
that have Microsoft Data Access Components
(MDAC) installed has been widely discussed
since April 1998. Even so, there have
been many reports recently about this
type of attack succeeding on commercial
Web sites. Web sites have been defaced
and attacks identified by a search of
the IIS logfiles, which turns up a POST
access to the file “/msadc/msadcs.dll.”
(Note: If you use Microsoft Remote Data
Services or RDS, the post may be legitimate.)
Apparently, those responsible for Web
servers aren’t listening. For more information
on this attack and how to prevent its
success (securing or disabling RDS), read
the following Microsoft articles:
|
|
|
What to Protect
Primary points of attack in vulnerable systems include
mail servers, Web servers, and other access paths to your
network. Additional systems that may require scrutiny
are servers with sensitive information. Is it realistic
to protect every access point? Well, do you have locks
on every window in your house? If you allow modems on
desktop systems, place some kind of personal intrusion
detection system on these workstations.
| Cheap
Detection Tools |
| It may seem a daunting task,
this process of intrusion detection. Not
only do we have to see attacks in progress,
but we must be able to find compromised
systems on our network. Several new, inexpensive
tools are now available to help you.
AntiSniff, available from LØpht
Heavy Industries (www.lOpht.com),
can identify systems on your network
with network cards operating in promiscuous
mode. Normally, operating network cards
reject packets not addressed to them
or not part of a broadcast. Network
cards in promiscuous mode allow the
examination of all packets traveling
across a network segment. A malicious
user could apply this information to
attack other systems on your network.
By examining these packets, he might
be able to find system and service information
and passwords. By finding a system with
a network card in promiscuous mode,
AntiSniff points out a possibly compromised
system. You’ll need to access and perhaps
shut down and examine the system immediately
to prevent further penetration.
To protect your network against BackOrifice
attacks, you can use Network Flight
Recorder’s (www.nfr.com)
BackOfficer. BackOfficer looks like
a BackOrifice server to the BackOrifice
client. When installed on a system in
your network, it attracts BackOrifice
clients doing ping sweeps looking for
installations of BackOrifice Server.
You can thus determine the source of
the attack, record the information for
possible legal recourse, and send a
message to hackers to warn them off.
While many BackOffice Server installations
are known to the hacker installing them,
many aren’t. By installing this listening
system, you can detect and protect against
BackOrifice attacks.
Another useful tool is Jammer (http://jammer.comset.net/index.html),
which detects invasions by BackOrifice
and NetBus. It’s a low-level network
sniffer that captures all incoming and
outgoing network traffic. As a real-time
packet analyzer, it seeks a NetBus or
BackOrifice client trying to log on
to your computer. It can determine a
hacker’s BackOrifice password, send
a message to the hacker, send a message
to the systems administrator, and log
the hacker’s IP. At the very least,
the hacker’s ISP can be contacted. (Or
if it’s an IP on your internal network,
you can seek out the source of trouble.)
Jammer also monitors ports and will
identify connections. It monitors your
registry and notifies you of attempts
to modify the registry. (Most Trojan
programs modify the registry to start
themselves at system startup.)
Finally, a good source of information
on BackOrifice attacks—or on cleaning
up after one—can be found at www.nwInternet.com/~pchelp/bo.
|
|
|
Set Up and Monitoring
The true value of intrusion detection systems is twofold.
First, few of us know about all possible attacks and how
to protect against them. A good intrusion detection system
helps educate you, giving you a way to protect your systems
without being a security guru. Second, the type and number
of attacks can change constantly. Let the intrusion detection
company be responsible for staying current on that. Choose
a product that’s updateable and a company with the resources
to constantly be on the lookout for new attack signatures.
This can include inexpensive products available to run
on personal systems. Desktop anti-viral products are one
such example. If these products are used religiously and
updated regularly, they can reliably detect viral intrusions
at the desktop level.
While a more sound approach may include some kind of
system-level viral protection, such as an email scanner,
this may not be possible for many small companies. One
of the largest threats to systems administrator sanity
in recent months has been the BackOrifice Trojan. Users
can be tricked into installing the server side of this
product on their machines, thereby allowing anyone with
the BackOrifice client to administer the infected machine
remotely. Most anti-viral agents can now locate and remove
BackOrifice from systems; in addition, other products
can act as a BackOrifice server and detect attempted connections
to infected machines.
By the way, be sure to obtain training on the use of
intrusion detection systems. Proper installation and management
is essential. Any system will find false positives on
occasion; you’ll need to know how to separate the true
from the false.
| When
to Invite a Trojan Horse In |
| Hackers and commercial operations
alike are making beautiful wooden horses
these days and leaving them at our doors.
These horses (also known as products)
are so wonderful that we gladly roll them
into our networks, only to regret it later.
Some are malicious programs; others are
simply super-utilities that send back
private information without our knowledge.
In November, news sources (www.zdnet.com/zdtv/cybercrime/
chaostheory/story/0,3700,2386995,00.html)
carried the story that RealNetworks’
RealJukebox was sending back personal
information (number of songs saved,
musical tastes, type of MP3 player installed
and more) to RealNetworks. Notification
of other, similar escapades surfaced.
How did they do it? Embedded in their
product code was the ability to uniquely
identify each user with a Globally Unique
ID, or GUID. Each time users ran the
product while on the Internet, their
system would be scanned and information
uploaded to RealNetworks. Once caught,
RealNetworks made a patch and a new
version of the system available for
download.
Recently, reasonably sane and respected
individuals wrote in Windows NT Magazine
that BackOrifice is, indeed, a useful
remote administration tool and can find
its place in your network. After all,
they say, what’s the difference between
this product and other remote administration
tools like PCAnywhere or Microsoft’s
System Management Server? Come on, they
opined, it’s smaller and it’s free.
I’m not going to argue this point,
but my strong recommendation against
blindly using this product as a remote
administration tool is based on the
stated objectives of its authors. They
widely promote the use of this tool
by anyone to control anyone else’s machine.
The authors also provide the source
code, thus allowing others to mutate
it into forms that might be harder to
control. In addition, visitors to the
BackOrifice Web page are encouraged
to develop or use code developed by
others as plug-ins to the BackOrifice
product.
Visit www.cultdeadcow.com
and read the many documents there. You’ll
especially love the “Ninja Strike Force—Our
Power Cannot Be Contained” credo. While
you’re there, examine the “BUTT Plugs”
page and read about the third-party
add-ons developed by others. There’s
“Butt Trumpet,” which emails the IP
of the infected system to a specified
email address. Saran Wrap and Silk Rope
install BackOrifice and then another
product. (“Here’s a game for you to
play…”) and a link to goodies from Netninja
(www.netninja.com).
Netninja produces the plug-ins Bored,
which allows you to turn the compromised
machine into a dumb terminal, and SpeakEasy,
which has an embedded IRC plug-in that
contacts an IRC server and broadcasts
the IP address of the compromised machine.
Of course, just because someone says
he’s my friend (commercial software)
doesn’t mean he’s not stealing my secrets
behind my back (witness what RealAudio
did). However, if Dracula appears at
my window, I’m not going to invite him
in.
|
|
|
Maintaining Vigilance
So your system’s up and you’re ready to respond. What
next? I assume you’re taking steps already to protect
yourself from attack, and that you’re monitoring alerts
from your systems and know what to do. I’m even going
to assume that you’re not relying on a single system but
are using other tools as well. You’re also educating users
on how to avoid manipulation, right? So can you relax
now? To ensure the reliability of your intrusion detection
system, start with the following steps.
- Ensure integrity—An intrusion
detection system is a great big challenge to any hacker
worth his salt. First, he knows you have something to
protect. Second, if he can compromise the intrusion
detection system, he thinks he’s home free. It’s like
snipping the wires for the alarm system on the movie
star’s house. Regularly ensure that your intrusion detection
software hasn’t been compromised. Audit all critical
systems files, especially operating system files, on
a regular basis. Look for directory and files changes
that can’t be accounted for. Some intrusion detection
systems have such audit features.
- Continue auditing efforts—Regularly
inspect all system logs and review notifications from
system monitoring mechanisms. Look for unexpected behavior
from processes. To do this, you need to understand the
normal behavior of processes running on your systems.
In a stable system, is a process suddenly creating access
violations or shutting down? Is it not performing scheduled
activities? Are there unknown processes running? (You
should understand all processes running on your systems.)
- Question the existence of hardware—Was
it always there? When was it installed? What’s it doing
there? An additional hub where none should be can mean
a rogue system. A small black box could be an office
UPS system added by office personnel to protect a desktop
system—or an unauthorized router connecting intruders
or masking intrusions.
- Look for signs of unauthorized
access—Look for things where they shouldn’t be.
Suspect workstations that are turned on when employees
are absent, especially if sick or on vacation.
- Review user reports of unusual
events—Don’t pass off this good source of information
as “stupid user events.” Users may not know intimate
details of the system, but they usually know what’s
normal activity for their software and hardware.
- Assume that someone has broken
in—The objective of a software test is not to
find that the software is flawless, but to find errors.
The objective of intrusion detection is to find evidence
of a break-in—before any system is compromised, one
hopes, but realistically, after the fact. If you assume
someone’s already in, you won’t stop in your relentless
crusade to throw the bums out. All’s quiet on the intrusion
detection system front? Use alternative tools and methodologies
to look for evidence of successful attacks.
| Intrusion
Detection Products: |
| Product |
Description |
More
Information |
|
Intruder Alert
Net Prowler
|
Host-based system. Bundled with NetProwler,
consulting services, and training, for
$19,195.
Network-based system
|
Axent Technologies,
Inc.
www.axent.com |
| Cisco Secure
Intrusion Detection System (formerly NetRanger) |
Sensors (appliances)
monitor Cisco routers for policy compliance
and/or network traffic for suspicious
activity. They report to the Director,
a management system. Call company for
pricing. |
Cisco Systems,
Inc.
www.cisco.com |
| Centrax |
Host- and network-based.
Starts at $2,500. |
CyberSafe Corp.
www.cybersafe.com |
| RealSecure |
Host- and network-based,
with three modules: Engine ($8,995), Agent
($750, and Manager (call company for pricing). |
Internet Security
Systems, Inc.
www.iss.net |
|
CyberCop Monitor
CyberCop Sting
WebShield SMTP
|
Network-based. Monitor and Sting are
part of CyberCop Intrusion Protection
Suite, which begins at $9,398 for 254
nodes.
Honey Pot. Emulates network on a single
machine (NT, Solaris, Cisco routers).
Attracts attackers and logs their activity.
Scans email. Contact company for pricing.
|
Network Associates, Inc.
www.nai.com |
|
NFR Intrusion Detection Appliance (IDA)
NFR BackOfficer Friendly
|
Enterprise-level management, upgradeable,
scriptable. Many attack signatures provide
by LØpht Heavy Industries. $3,400.
Detects BackOrifice on your network.
Acts as a BO server.
|
Network Flight
Recorder, Inc.
www.nfr.com |
| BlackICE Pro |
Single systems
or network version. Detects and backtracks
intrusions, stops intrusions, and reports
suspicious events to ICEcap server for
analysis and review. Enterprise ICE Pac,
which includes BlackICE Pro, BlackICE
Sentry, and ICEcap Management Console,
costs $89.50 per node for 1,000 nodes.
A single system version of BlackICE is
$39.95. |
Network ICE
Corp.
www.networkice.com |
| Dragon IDS |
Network anomaly
monitoring software. Call company for
pricing. |
Network Security
Wizards
www.network-
defense.com |
| Kane Security
Monitor |
Scans NT event
logs in an enterprise looking for unauthorized
and suspicious activity. Single server/single
workstation pack: $1,495. |
RSA Security
www.intrusion.com |
| Sophos Anti-Virus |
Network anti-virus.
Starts at $595 for 10-user license. |
Sophos, Inc.
www.sophos.com |
| ScanMail for
Microsoft Exchange |
Scans email.
ScanMail for Exchange with eManager is
$6,250 for 250 users. |
Trend Micro,
Inc.
www.antivirus.com |
|
|
Finding, installing, and setting up good intrusion detection
software doesn’t mean you can relax. Intrusion detection
means much more. Remember to sniff packets for patterns,
keep an eye on sensitive areas like the registry, evaluate
network systems for evidence of comprised attacks, and
continually monitor entrance points. As with all network
security, you’ll need to continue eternal vigilance. Intrusion
detection is merely another method of helping you monitor
the gates.