
Focus: Intrusion detection

Halt! Who goes there?

An intrusion detection procedure is vital to any organization that wants to keep unwanted access at bay. Awareness and policy guidelines can do the trick.

By Rakesh Raghudharan

For intrusion detection to be meaningful, response to intrusion detection must be swift. When a breach is detected, one must know how to react. That is the aim of an incident response procedure. The reaction to an incident aims to protect and restore the normal operating condition of computers, services and information.

Purpose of the incident response procedure

Even with a solid security policy, educated users and sound system administration, an emergency response team is useful. There must be proper planning for disaster, and the following issues should be addressed:

  • Who is on "Firecall", and how should they react to a serious security breach?
  • If internal personnel are not expert enough, an "emergency standby" contract could be outsourced to a specialized company.
  • Decide in advance who will be in charge in the event of a security incident. Determine the chain of command (define processes & responsibility).

For responding to intrusions, one of the security policy's primary purposes is to document the threats that the organization intends to guard against and the actions it intends to take in response to a successful attack. Response procedures describe how the response policies will be implemented throughout the organization, e.g., who to notify, at what point in the response procedure, and with what types of information. From these procedures, all concerned parties can determine what operational steps they need to take to comply with corporate policies, and can thus respond in a manner that upholds the security objectives for the organization's information and networked systems.

Policies and supporting procedures that are documented, communicated and enforced prepare the organization to respond to intrusions in a timely, controlled manner. This gives it the ability to exercise its procedures and eliminate potential errors or omissions in advance of an intrusion.

During or after an attack on a system is not the time for the organization to work out what actions to take, what data to gather, and how to protect its data, systems and networks from further damage. Having documented plans, conducted training and tested procedures in advance allows staff members to coordinate their activities efficiently when responding to an intrusion. Without the knowledge conveyed through training and test exercises, users may inadvertently expose parts of the organization to security threats; for example, users might reveal sensitive information if they contact the wrong person when they observe an intrusion.

Types of intrusion response

There are a number of intrusion response mechanisms, some of which are listed below:

  • Notification by e-mail, pager, etc.
  • Terminating the suspicious session
  • Disabling the user accounts involved
  • Shutting down the system
  • Executing a predefined command procedure

To ward off intrusions

Pure information gathering: Try to gather contact information (such as name and e-mail address), unique identifiers (such as a social security number), and demographic information (such as zip code, age or income level).

Finger the attacking host machine: Some finger daemon implementations have a bug in which sending too much data overflows the input buffer, resulting in a way to gain access to the attacking host system (daemon: finger, port number: 79, description: FINGER).

Reverse denial of service attack: Use the ip verify unicast reverse-path interface command on the input interface of the router at the upstream end of the connection. This feature examines each packet received on that interface; if the source IP address does not have a route in the CEF (Cisco Express Forwarding) tables that points back to the same interface on which the packet arrived, the router drops the packet.
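As an added illustration (not from the article), the Python simulation below shows the check that strict reverse-path verification performs: a longest-prefix lookup on the packet's source address, then a comparison of the resulting interface against the interface the packet arrived on. The forwarding table, interface names and sample packets are constructed for the example.

```python
# Added example, not from the article: a minimal simulation of strict unicast
# reverse-path forwarding (uRPF). Table, interfaces and packets are constructed.
import ipaddress

# Constructed forwarding table: (prefix, interface a packet TO that prefix leaves on).
# A real router derives this from its CEF/FIB; here it is hard-coded.
FIB = [
    ("10.1.0.0/16",  "eth0"),    # customer network behind eth0
    ("10.1.5.0/24",  "eth1"),    # more specific customer subnet behind eth1
    ("192.0.2.0/24", "eth2"),    # another customer
    ("0.0.0.0/0",    "uplink"),  # default route toward the Internet (simplification:
]                                # real routers need an explicit option to use it)

def lookup(ip):
    """Longest-prefix match: the interface a packet destined to ip would leave on."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict_accept(src_ip, in_iface):
    """Strict uRPF: accept only if the best route back to src_ip uses in_iface."""
    return lookup(src_ip) == in_iface

def filter_packets(packets):
    """Apply the check to constructed (src_ip, dst_ip, in_iface) tuples."""
    return [(src, iface, "forward" if urpf_strict_accept(src, iface) else "drop")
            for src, _dst, iface in packets]

# Constructed packets: source, destination, arrival interface.
SAMPLE = [
    ("10.1.7.9",    "198.51.100.1", "eth0"),  # legitimate: 10.1.7.9 routes back via eth0
    ("10.1.5.20",   "198.51.100.1", "eth0"),  # 10.1.5.0/24 lives on eth1, so dropped
    ("192.0.2.55",  "198.51.100.1", "eth2"),  # legitimate
    ("203.0.113.4", "10.1.7.9",     "eth0"),  # Internet source arriving from a customer port
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(SAMPLE):
        print(f"{src:>12} in on {iface:<6} -> {verdict}")
```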

Ping of Death: It is possible to crash, reboot or otherwise kill a large number of attacking systems by sending a ping of a certain size from a remote machine. This is an easy way, mainly because it can be reproduced very easily, from a remote machine, and because the security administrator needs to know nothing about the machine other than its IP address. It is very easy to strike back, as some systems do not like being pinged with a packet greater than 65536 bytes (as opposed to the default 64 bytes). This strike-back technique is not limited to Unix, but is applicable to Macs, NetWare, printers, routers, etc.

SYN Flood: As with many other DoS attacks, the SYN flood does no physical damage to the information on the machine, nor does it damage physical devices. The nature of a DoS attack is to deny something to users or other machines/processes. The attacker can deny access to port 80, where the HTTP server resides on a vulnerable machine; this is also possible with the mail server, FTP, Telnet and SSH.

The strike back would be to increase the kernel's maximum number of half-open connections allowed (SOMAXCONN) to a higher number than the default value. A program could watch for SYN packets that are not followed by an ACK and clean up the half-open connections by sending a TCP RST (reset) packet. This frees the port and allows connections to happen again.
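An added example, not from the article, of the detection half of the strike-back just described: it replays a constructed packet trace, keeps the SYNs that the client never completed with its ACK, and reports sources with many stale half-open connections so a slow legitimate client is not confused with a flood source. The trace format, addresses, timeout and threshold are assumptions.

```python
# Added example, not from the article: find stale half-open TCP connections in a
# constructed trace and attribute them to source addresses.
from collections import defaultdict

# Constructed trace lines: "<seconds> <src_ip>:<sport> > <dst_ip>:<dport> <flags>"
TRACE = """\
0.00 198.51.100.7:40001 > 192.0.2.10:80 S
0.01 192.0.2.10:80 > 198.51.100.7:40001 SA
0.02 198.51.100.7:40001 > 192.0.2.10:80 A
0.10 203.0.113.9:1000 > 192.0.2.10:80 S
0.11 203.0.113.9:1001 > 192.0.2.10:80 S
0.12 203.0.113.9:1002 > 192.0.2.10:80 S
0.13 203.0.113.9:1003 > 192.0.2.10:80 S
0.20 198.51.100.8:50010 > 192.0.2.10:80 S
0.21 192.0.2.10:80 > 198.51.100.8:50010 SA
""".splitlines()

def parse(line):
    """Split one constructed trace line into (time, src, dst, flags)."""
    t, src, _arrow, dst, flags = line.split()
    return float(t), src, dst, flags

def half_open(trace, now, timeout=3.0):
    """Connections whose SYN was seen but whose final ACK was not, older than timeout.

    Returns {(client, server): syn_time}. The server's SYN-ACK is ignored; only the
    client's bare ACK (third handshake step) retires a pending entry.
    """
    pending = {}
    for t, src, dst, flags in map(parse, trace):
        if flags == "S":
            pending[(src, dst)] = t
        elif flags == "A":
            pending.pop((src, dst), None)
    return {k: v for k, v in pending.items() if now - v >= timeout}

def suspicious_sources(stale, threshold=3):
    """Count stale half-open connections per source IP; report those at/over threshold."""
    counts = defaultdict(int)
    for client, _server in stale:
        counts[client.rsplit(":", 1)[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    stale = half_open(TRACE, now=5.0)
    print(f"{len(stale)} stale half-open connections")
    for ip, n in suspicious_sources(stale).items():
        print(f"source {ip}: {n} half-open connections (candidate for reset/cleanup)")
```

The stale entries are what the article's cleanup program would reset; modern kernels reach the same goal with SYN cookies, which avoid holding state for unacknowledged SYNs at all.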

Prepare for an intrusion

These are some of the guidelines that should be followed while preparing for an intrusion:

  • Establish policy and warning banners
  • Develop management support for an intrusion handling capability
  • Select intrusion handling team members and organize the team in the following pattern:
      • Business unit managers
      • System administrators
      • High-tech investigator
      • Corporate counsel
  • Update the organization's DRP (Disaster Recovery Process) to include computer intrusion handling
  • Develop an emergency communications plan
  • Train the intrusion handling team
  • Develop interfaces to law enforcement and Computer Emergency Response Teams

Incident detection assessment

If an intrusion has occurred, the following issues should be addressed immediately: Has the attacker successfully penetrated the systems, and can he re-enter at will? Where have intruders been detected? What is the extent of the damage? What is the principal danger posed: availability, information privacy, information integrity, or adverse publicity?

Incident detection should identify the source of the threat, e.g. accidental administrator damage, accidental disclosure of internal or confidential documents, attack from the Internet, attack from the telephone network, or attack from inside the corporate network.

Some general guidelines for identification also include:

  • Notify the appropriate personnel
  • Determine severity: whether an event is actually an intrusion or an incident
  • Identify and control access to all evidence
  • Coordinate with the ISP

The containment process will include:

  • Taking two system backups, one as a working copy for forensics
  • Surveying the situation
  • Reviewing the evidence collected so far
  • Restoring information
  • Isolating the affected machine from the network, or shutting it down
  • Changing passwords
  • Making an immediate copy of all logs/data to tape or other offline storage
  • Determining whether or not to continue operations

The next process identifies the real causes of the intrusion and follows guidelines such as:

  • Determine the cause and symptoms of the attack
  • Improve defenses
  • Perform vulnerability analysis
  • Remove the cause of the incident
  • Restore from a clean backup

The recovery process deals with the validation of the system, i.e. fixing the weaknesses found in the system and restoring data, programs and services. This process also ensures that the systems are monitored before being connected back to the main network. An integral part of this process is to conduct a "lessons learned" session, which gives the whole team an inside look at what actually went wrong.

Document a response

Steps in such a procedure should include:

  • Analyzing all available information to characterize an intrusion, including assessing the damage and extent of an intrusion and an intruder's activities.
  • Communicating with all parties that need to be aware of an intrusion and participate in handling it, taking into account that an intruder may be able to access and monitor corporate means of communication.
  • Collecting and protecting information associated with an intrusion.
  • Containing an intrusion and determining what action needs to be taken.
  • Eliminating an intruder's means of access and any related vulnerability.
  • Returning your systems to normal operation.
  • Following up, including performing a post-mortem review of events as they occurred and reviewing your policies and procedures.

Document the roles, responsibilities and authority of all staff involved in executing the response procedure. Identify who performs each activity, when, and under what conditions. Ensure that the corporate intrusion response procedure is consistent with, and integrated into, the business continuity and disaster recovery processes.

Corporate configuration redundancy policy

If a critical machine is compromised as a result of an intrusion, having redundant equipment in place enables the organization to restore service quickly while preserving all of the evidence on the compromised machine and performing ongoing analysis. Ensure that this policy is consistent with the corporate business continuity policy.

Train designated staff

Create and conduct periodic training about corporate response policies and procedures. This training should be mandatory for all new employees and should review the specific policies and procedures relevant to the employee's knowledge and responsibilities. Test the effectiveness of the training and each employee's readiness. Conduct practice drills (e.g. responding to break-ins and viruses) that test procedures and execute operational activities, making sure all staff members are aware of their roles and responsibilities. Conduct post-mortem meetings with trainees. Provide remedial training as required. Regularly conduct mandatory security awareness refresher training for designated staff.

Highlight recent changes in policies or procedures and summarize recent incidents and intrusions. Make this subject a recurring topic at executive and management-level staff meetings to maintain awareness. Obtain information from local law enforcement about preserving the chain of custody for evidence, and ensure that your system and network administrators, intrusion response staff and their managers are aware of this information. To stay current with the fast rate of technological change, ensure that system and network administration staff set aside time to maintain and update the knowledge and skills they need in the technical topics required for implementing corporate policies and procedures.

In order for intrusion detection and response systems to be of significant utility in the vast majority of modern information technology environments, they must be capable of handling large numbers of events from large numbers of systems. Modern information processing involves WANs (Wide Area Networks) and a widely distributed global information infrastructure. Performance requirements are also increasing as processing and communications speed increase.

Many of today's intrusion response systems are incapable of handling the load of even one fast PC operating over a high-speed LAN. Moreover, most current intrusion detection and response systems are designed to detect intrusions at the system level. In most cases where network-based solutions have been implemented, they involve primarily the collection of monitoring data from individual systems and intrusion analysis of that data on a system-by-system level.

Evidence collection and handling

The intrusion handling and response procedure only adds value to the organization if an efficient mechanism for evidence collection and handling exists. The evidence collection process covers the data to be collected and guidelines such as:

  • Partition Information
  • Application Files
  • Registry
  • Swap Files
  • Hidden Files
  • Deleted Files
  • Keyword Search
  • Write-protect the hard drive
  • Make a mirror image backup of the hard drive
  • Use reliable storage media to store evidence
  • Verify system information like date and time
  • Document all findings
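The following added example (not the article's) turns the last three items above into a checkable record: it hashes acquired files into a manifest with the examiner's name and the UTC acquisition time, then re-verifies the manifest so that any change to a working copy is detected. File names and the examiner placeholder are constructed for the example.

```python
# Added example, not from the article: an integrity manifest for acquired
# evidence. Hashes, sizes, examiner and UTC acquisition time are recorded once;
# re-verifying the manifest later detects any change to a copy.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, examiner):
    """Record who acquired which files, when (UTC), and each file's size and hash."""
    return {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "items": [{"path": p, "size": os.path.getsize(p), "sha256": sha256_of(p)}
                  for p in paths],
    }

def verify_manifest(manifest):
    """Re-hash every item; return the paths whose size or hash no longer match."""
    changed = []
    for item in manifest["items"]:
        p = item["path"]
        if (not os.path.exists(p) or os.path.getsize(p) != item["size"]
                or sha256_of(p) != item["sha256"]):
            changed.append(p)
    return changed

def demo():
    """Constructed scenario: acquire a fake image, verify it, then modify the copy."""
    workdir = tempfile.mkdtemp()
    img = os.path.join(workdir, "disk.img")                   # constructed evidence file
    with open(img, "wb") as f:
        f.write(b"constructed evidence image\n" * 1000)
    manifest = build_manifest([img], "examiner-placeholder")  # placeholder examiner name
    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)                      # stored with the evidence media
    clean = verify_manifest(manifest)                         # [] while untouched
    with open(img, "ab") as f:
        f.write(b"x")                                         # simulate a modified copy
    tampered = verify_manifest(manifest)                      # [img] once changed
    shutil.rmtree(workdir, ignore_errors=True)
    return manifest, clean, tampered

if __name__ == "__main__":
    m, clean, tampered = demo()
    print("acquired by", m["examiner"], "at", m["acquired_utc"])
    print("clean check:", clean, "| after modification:", tampered)
```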

The general guidelines for evidence handling are:

  • The computer used to produce the evidence should have been used in the regular course of business
  • The computer used to produce the evidence should have been operating properly
  • If such a computer was not operating properly, the evidence is still admissible if the malfunction did not affect the accuracy of the computer records
  • The evidence must be accessible so as to be usable for subsequent reference

Improve detection mechanisms

Update corporate detection mechanisms, like intrusion detection systems and other types of intrusion reporting tools, to ensure that similar attacks are detected by these mechanisms in the future. Perform the following analysis and take appropriate actions.

  • Determine if detection mechanisms need to be configured differently (such as adding in new attack patterns to be detected, or changing logging options).
  • Determine if detection mechanisms need to be placed in a new or additional location on your network that was previously insufficiently covered.
  • Review available information on vulnerabilities, patches, and new versions of your detection mechanism software, ensuring that your configurations are up to date.
  • Review and update the conditions under which your detection mechanisms generate alerts to system and network administrators, and the forms in which the alert is made (e-mail, phone, pager, printouts, etc.).

Corporate security policy considerations

The organization's networked systems security policy should require:

  • Regular checks for the presence of system and network vulnerabilities.
  • Timely evaluation and selective installation of patches and other corrections that the staff need to operate securely.
  • That the organization stays informed about the constantly changing stream of new alerts, security bulletins and advisories, particularly as they affect corporate protection and detection mechanisms. This can be very resource-intensive, so the organization needs to be selective about the information sources it reviews regularly.
  • That roles and responsibilities are clearly assigned within the organization to perform regular checks, install patches, and stay current with new information.
  • That password transmission across an untrusted network be protected by encrypting passwords or by using some other secure authentication technology, such as one-time passwords using challenge-response approaches or security tokens.

Complete eradication of the root causes of an intrusion is a long-term goal that can only be achieved by implementing an ongoing security improvement process. In response to a specific intrusion, the organization needs to ensure that the affected systems are protected against the same or similar types of access and attacks in the future.

Rakesh Raghudharan is doing his 2nd year PGDTM at Symbiosis Institute of Telecom Management (SITM).

Risk to Windows 9x from DSL and Cable Modems

The availability of affordable high-speed Internet service to the public has resulted in an exodus from traditional modem connectivity. This is an environment where dynamic IP addressing provides an insecure path to unprotected systems. It is becoming disturbingly common to hear of incidents where 'Net-connected systems have been accessed by persons unknown.

The Openness of Windows 9x

Features within Windows 9x were designed to provide ease of use and sharing of information (security was certainly not the priority). One of these features is file and printer sharing, a feature requiring the use of NetBIOS. Improperly administered shares may present a moderate risk on the user's LAN. However, this risk can escalate quickly when the system is connected to the Internet. DSL and cable modem service can enable other users on a common subnet or segment to access these shared resources as easily as clicking on Network Neighborhood. All too often, shares are not password protected. Malicious activity, including installation of BackOrifice, Netbus or other such programs, can ensue and ultimately breach the security of other connected systems, e.g. secured remote access sessions with enterprise networks.

DSL and Cable Modem Network Characteristics

DSL and cable modem networks can vary in design and configuration. A fundamental difference between the two is that DSL networks are switched and users do not share transport media. It is possible for users to see other systems in their subnet; however, the traffic is limited to resource broadcasts.

Cable modem networks, on the other hand, can be viewed as a LAN. Many users may share a common segment and thus may see not only other users' resource broadcasts, but the actual data streams as well. This may not always be the case, however, if the ISP has implemented an enhanced filtering technique such as DOCSIS (Data Over Cable Service Interface Specification). The important thing to understand is that the access network does not protect a system from attack. The user must take measures to secure their own computer.

Protecting the system

Protecting a full-time Internet-connected Windows 9x system does not have to be a daunting task. Key considerations that should be addressed are:

  • Determine whether file and print sharing is really needed. Most systems don't require it. It is recommended that NetBIOS be unbound from TCP/IP (effectively disabling Windows SMB file and print sharing).
  • Install a software- or appliance-based firewall. Functionality and performance vary between products. Some firewalls provide NAT (Network Address Translation) services, which fits well with multiple users sharing one Internet connection; however, be aware that NAT by itself does not provide firewall services. A growing number of personal firewall products are readily available. Concept, method and features vary, so an evaluation of needs should be conducted before selecting a product.
  • Confirm that the 'protected' system is in fact protected. Intrusion testing tools can be run against the connection.
  • The ISP can be contacted and asked to provide details of the connection, e.g.: Is traffic filtering provided on UDP/TCP ports 137, 138 and 139 to prevent accidental Windows file and print sharing? Is DOCSIS implemented on a cable system? A network sniffer can be used to analyze the traffic types at the connection point.


Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD