> Focus > Full Story
Who goes there?
intrusion detection procedure is vital to any organization
that wants to keep unwanted access at bay. Awareness and
policy guidelines can do the trick. by Rakesh Raghudharan
intrusion detection to be meaningful, response to intrusion
detection must be swift. When a breach is detected, one
must know how to react. That is the aim of an incident response
procedure. The reaction to an incident aims to protect and
restore the normal operating condition of computers, services
Purpose of the incident response procedure
Even with a solid security policy, educated users, and a
solid system administration an emergency response team is
useful. There must be a proper planing for disaster and
the following issues should be addressed:
Who is on "Firecall", how should they react
to a serious security breach?
If internal personnel are not expert enough, an "emergency
standby" contract could be outsourced to a specialized
Decide in advance who will be in charge in the event
of a security incident. Determine the chain of command
(define processes & responsibility).
For responding to intrusions, one of the security policy's
primary purposes is to document the threats that the corporate
intend to guard against and the actions it intends to take
in response to a successful attack. Response procedures
describe how the response policies will be implemented throughout
the organization, eg, who to notify, at what point in the
response procedure, and with what types of information.
From these procedures, all concerned parties are able to
determine what operational steps they need to take to comply
with the corporate policies. One can thus respond in a manner
that upholds the security objectives for the organization's
information and networked systems.
Policies and supporting procedures that are documented,
communicated, and enforced prepare the corporate to respond
to intrusions in a timely, controlled manner. This gives
the ability to exercise corporate procedures and eliminate
potential errors or omissions in advance of an intrusion.
During or after an attack on a system, the corporate does
not want to determine what actions to take, what data to
gather, and how to protect its data, systems, and networks
from further damage. Having documented plans, conducted
training and tested procedures in advance will allow staff
members to efficiently coordinate their activities when
responding to an intrusion. Without the knowledge conveyed
through training and test exercises, users may inadvertently
expose parts of the organization to security threats. For
example, users might reveal sensitive information if they
contact the wrong person when observing an intrusion.
Types of intrusion response
There are number intrusion response mechanisms, some of
which are listed below:
Notification by E-mail, pager etc
Terminating the suspicious session
Disabling the users
Shutting down the system
Executing a predefined command procedure
To ward off intrusions
Pure information gathering: Try and gather contact
information (like name and e-mail address), unique identifiers
(like social security number), and demographic information
(like zip code, age, or income level).
Finger the attacking host machine: Some finger daemon implementations
have a bug in which sending too much data will overflow
the input buffer resulting in a way to gain access to the
attacking host system (Daemon service-finger, port number-79,
Reverse denial of service attack: Use the IP verify
unicast reverse-path interface command on the input interface
on the router at the upstream end of the connection. This
feature examines each packet received as input on that interface.
If the source IP address does not have a route in the CEF
(Cisco Express Forwarded) tables that points back to the
same interface on which the packet arrived, the router drops
Ping of Death: It is possible to crash, reboot or
otherwise kill a large number of attacking systems by sending
a ping of a certain size from a remote machine. This is
an easy way, mainly because this can be reproduced very
easily, and from a remote machine and because the security
administrator needs to know nothing about the machine other
than its IP address. It's very easy to strike back, as some
systems don't like being pinged with a packet greater than
65536 bytes (as opposed to the default 64 bytes). This strike
back technique is not limited to Unix, but is applicable
to Macs, NetWare, printers, routers etc...
SYN Flood: As with many other DoS attacks the SYN
flood doesn't do any physical damage for the information
in the machine. Nor does it make any damage to physical
devices. The nature of DoS attacks are to deny something
from users or other machines/processes. The attacker can
deny access to the port 80 where the http server resides
in a vulnerable machine. This is also possible with the
mail server, FTP, Telnet and SSH.
The strike back would be to increase the kernel maximum
number of half-open connections allowed (SO_MAXCONN) higher
number than the default value. A program could scan the
syn packets that do not get followed with ACK and clean
the half-open connections by sending a TCP RST(reset) packet.
This frees the port and allows connections to happen again.
Prepare for an intrusion
These are some of the guidelines that should be followed
while preparing for an intrusion:
Establish policy and warning banners
Develop management support for intrusion handling capability
Select intrusion handling team members and organize
team in the following pattern
Business unit managers
Update organization's DRP (Disaster Recovery Process)
to include computer intrusion handling.
Develop an emergency communication's plan.
Train the intrusion handling team
l Develop interfaces to law enforcement and Computer
Emergency Response Teams.
Incident detection assessment
If an intrusion has occurred, the following issues should
be addressed immediately. Has the attacker successfully
penetrated the systems, and can he re-enter at will? Where
have intruders been detected? What is the extent of the
damage? What is the principal danger posed, is it the availability,
information privacy, information integrity, or adverse publicity?
Incident detection should be the identification of the source
of threat e.g. accidental administrator damage, accidental
disclosure of internal or confidential documents, attack
from the Internet, attack from the telephone network, and
attacks from inside the corporate network.
Some general guidelines for identification would also include,
Notify the appropriate personnel
Determine severity--whether an event is actually an
intrusion or an incident
Identify and control access to all evidence
Coordinate with the ISP
The containment process will include:
Taking two system backups, one as a working copy for
Surveying the situation
Review evidence collected so far
The concerned machine can be isolated from the network,
An immediate copy of all logs/data could be made to
tape or other offline storage
Determine whether to continue operations or not
This process lists down the real causes of the intrusion
and follows the guidelines like;
Determine cause and symptoms of the attack
Perform vulnerability analysis
Remove cause of the incident
Restore from a clean backup
recovery process deals with the validation of the system
i.e. to fix weakness found in the system and to restore
data/program/services. This process also ensures the monitoring
of the systems before connecting it back to the main network.
The integral part of this process would be to conduct a
"lessons learned" session, which would provide
the whole team an inside look at what actually went wrong.
Document a response
Steps in such a procedure should include:
Analyzing all available information to characterize
an intrusion, including assessing the damage and extent
of an intrusion and an intruder's activities.
Communicating with all parties the need to be aware
of an intrusion and participate in handling it, taking
into account that an intruder may be able to access
and monitor corporate means of communication.
Collecting and protecting information associated with
Containing an intrusion and determining what action
needs to be taken.
Eliminating an intruder's means of access and any related
Returning your systems to normal operation.
Following up including performing a post mortem review
of events as they occurred and reviewing your policies
Document roles, responsibilities, and authority of all staff
involved in executing the response procedure. Identify who
performs each activity, when, and under what conditions.
Ensure that the corporate intrusion response procedure is
consistent and integrated into its business continuity and
disaster recovery processes.
Corporate configuration redundancy policy
a critical machine is compromised as a result of an intrusion,
having redundant equipment in place enables the corporate
to restore service quickly while preserving all of the evidence
on the compromised machine and to perform ongoing analysis.
Ensure that this policy is consistent with corporate business
Train designated staff
and conduct periodic training about corporate response policies
and procedures. This training should be mandatory for all
new employees and should review specific policies and procedures
relevant to the employee's knowledge and responsibilities.
Test the effectiveness of the training and each employee's
readiness. Conduct practice drills (eg: responding to break-ins
and viruses) that tests procedures and executes operational
activities, making sure all staff members are aware of their
roles and responsibilities. Conduct post-mortem meetings
with trainees. Provide remedial training as required. Regularly
conduct mandatory security awareness refresher training
for designated staff.
Highlight recent changes in policies or procedures and summarize
recent incidents and intrusions. Make this subject a recurring
topic at executive and management-level staff meetings to
maintain awareness. Obtain information from the local law
enforcement about preserving the chain of custody for evidence.
Ensure that your system and network administrators, intrusion
response staff, and their managers are aware of this information.
To stay current with the fast rate of technological change,
ensure that system and network administration staff set
aside time to maintain and update the knowledge and skills
they need in technical topics required for implementing
corporate policies and procedures.
order for intrusion detection and response systems to be
of significant utility in the vast majority of modern information
technology environments, they must be capable of handling
large numbers of events from large numbers of systems. Modern
information processing involves WANs (Wide Area Networks)
and a widely distributed global information infrastructure.
Performance requirements are also increasing as processing
and communications speed increase.
Many of today's intrusion response systems are incapable
of handling the load of even one fast PC operating over
a high-speed LAN. By contrast, most current intrusion detection
and response systems are designed to detect intrusions at
the system level. In most cases where network-based solutions
have been implemented, they involve primarily the collection
of monitoring data from individual systems and intrusion
analysis of that data on a system-by-system level.
Evidence Collection and handling
intrusion handling and response procedure would only add
value to the corporate, if an efficient mechanism for evidence
collection and handling exists. The evidence collection
process lists down the collection of data and certain guidelines
Write-protect the hard drive
Make a mirror image backup of the hard drive
Use reliable storage media to store evidence
Verify system information like date and time
Document all findings
The general guidelines for evidence handling are:
The computer used to produce the evidence should have
been used in the regular course of business
The computer used to produce the evidence should have
been operating properly
If such a computer was not operating properly, the evidence
is admissible if the non-operation of the computer was
not such to affect the accuracy of computer records
The evidences must be accessible so as to be usable
for subsequent reference
Improve detection mechanisms
Update corporate detection mechanisms, like intrusion detection
systems and other types of intrusion reporting tools, to
ensure that similar attacks are detected by these mechanisms
in the future. Perform the following analysis and take appropriate
Determine if detection mechanisms need to be configured
differently (such as adding in new attack patterns to
be detected, or changing logging options).
Determine if detection mechanisms need to be placed
in a new or additional location on your network that
was previously insufficiently covered.
Review available information on vulnerabilities, patches,
and new versions of your detection mechanism software,
ensuring that your configurations are up to date.
Review and update the conditions under which your detection
mechanisms generate alerts to system and network administrators
and the forms in which the alert is made (e-mail, phone,
pager, printouts, etc).
Corporate security policy considerations
The organization's networked systems security policy should
Regular checks for the presence of system and network
Timely evaluation and selective installation of patches
and other corrections that the staff need to operate
That the corporate stay informed about the constantly
changing sequence of new alerts, security bulletins,
and advisories, particularly as they affect corporate
protection and detection mechanisms. This can be very
resource-intensive, so that the corporate need to be
selective regarding information sources that it reviews
That roles and responsibilities are clearly assigned
within the organization to perform regular checks, install
patches, and to stay current with new information
That password transmission across an untrusted network
be protected by encrypting passwords or by using some
other secure authentication technologies such as one-time
passwords using challenge-response approaches or security
eradication of the root causes of an intrusion is a long-term
goal that can only be achieved by implementing an ongoing
security improvement process. In response to a specific
intrusion, the corporate needs to ensure that the affected
systems are protected against the same or similar types
of access and attacks in the future. j
Rakesh Raghudharan is doing his 2nd year PGDTM at Symbiosis
Institute of Telecom Management (SITM)
to Windows 9x from DSL and Cable Modems
availability of affordable high speed Internet service to
the public has resulted in an exodus from traditional modem
connectivity. This is an environment where dynamic IP addressing
provides an insecure path to unprotected systems. It is
becoming disturbingly common to hear of incidents where
'Net connected systems have been accessed by persons unknown.
The Openness of Windows 9x
within Windows 9x were designed to provide ease of use and
sharing of information (security was certainly not the priority).
One of these features is file and printer sharing - a feature
requiring utilization of NetBIOS. Improperly administered
shares may present a moderate risk in the user's LAN. However,
this risk can escalate quickly when connected to the Internet.
DSL and cable modem service can enable other users on a
common subnet or segment to access these shared resources
as easily as clicking on Network Neighborhood. All too often
shares are not password protected. Malicious activity including
installation of BackOrifice, Netbus or other such programs
can ensue and ultimately breach security of other connected
systems - i.e.: secured remote access sessions with enterprise
DSL and Cable Modem Network Characteristics
and cable modem networks can vary in design and configuration.
A fundamental difference between the two is that DSL networks
are switched and users do not share transport media. It
is possible for users to see other systems in their subnet,
however the traffic is limited to resource broadcasts.
Cable modem networks, on the other hand, can be viewed as
a LAN. Many users may share a common segment and thus may
not only see other user's resource broadcasts, but the actual
data streams as well. This may not always be the case, however,
if the ISP has implemented enhanced filtering technique
such as DOCSIS (Data On Cable Service Interface Specification).
The important thing that one must understand is that the
access network does not protect a system from attack. The
user must take measures to secure their computer.
Protecting the system
a full time Internet connected Windows 9x system does not
have to be a daunting task. Key considerations that should
be addressed are:
Determine whether file and print sharing is really needed.
Most systems don't require it. It is recommended that
NetBIOS be unbound from TCP/IP (effectively disabling
Windows SMB file and print sharing).
Install a software or appliance based firewall. Functionality
and performance will vary between various products.
Some firewalls will provide NAT (Network Address Translation)
services which fits well with multiple users sharing
one Internet connection. However be aware that NATs
do not provide firewall services. A growing number of
personal firewall products are readily available. Concept,
method and features vary so an evaluation of needs should
be conducted before selecting a product.
Confirm that the 'protected' system is in fact protected.
Intrusion testing tools can be run against the connection.
The ISP can be contacted and asked to provide details
of the connection - i.e.: Is traffic filtering provided
on UDP/TCP ports 137, 138 and 139 to prevent accidental
Windows file and print sharing? Is DOCSIS implemented
on a cable system? A network sniffer can be used to
analyze traffic type at the connection point.