P2L4 Intrusion Detection

Question 1

Defense in Depth

Answer 1

Need multiple layers of defense mechanisms. Prevent, Detect, Survive

Question 2

Firewall

Answer 2

Prevention Mechanism

Question 3

Intrusion Examples

Answer 3

• Remote root compromise
• Web Server Defacement
• Packet Sniffer
• Copying database containing CC numbers
  etc

Question 4

Intrusions Steps

Answer 4

1. Target Acquisition & Info gathering
2. Initial Access
3. Privilege Escalation
4. Info Gathering or system exploit
5. Maintain access (backdoors etc)
6. Cover tracks (remove evidence of attack or install root kit

Question 5

Backdoor inserts backdoors into other programs during compilation

Answer 5

Compiler Backdoor

Question 6

Backdoor can only be used by person who created it , even if discovered by others

Answer 6

Asymmetric Backdoor

Question 7

Backdoor hard to detect because it modifies machine code

Answer 7

Object Code Backdoor

Question 8

Primary Assumptions design of IDS

Answer 8

System activities are observable

Normal and intrusive activities have distinct evidence

Question 9

Components of IDS

Answer 9

Algorithmic:
- Features - capture intrusion evidence
- Models - piece evidence together
System Architecture:
- Several components: data processor, knowledge base, decision engine, alarm generation, and responses

Question 10

IDS modeling and analysis approaches

Answer 10

• Misuse detection (aka signature-based)

- Anomaly detection

Question 11

IDS deployment approaches

Answer 11

• Host-based

- Network-based

Question 12

IDS development and maintenance

Answer 12

• Hand-coding of “expert knowledge”

- Learning based on data

Question 13

Anomaly Detection

Answer 13

• Collect data relating to behavior of legitimate users over a period of time. Build a model on this.
• Analyze current observed data to determine whether is legitimate (fits model)
• Statistical Approach

Question 14

Misuse / Signature Detection

Answer 14

• Use set of known malicious data patterns relating to legitimate users over time
• Current behavior is analyzed to determine if it is legitimate.
  *Can only detect known attacks/intrusions
  Example: Virus scanner
  -Knowledge Based Approach

Question 15

Machine Learning Approaches

Answer 15

• Detects attacks similar to past attacks.
• Flexible and adaptable.
• Training data must normal, otherwise false alarms.
  Types:
  Bayesian Networks - Conditional probabilities (ex how likely this happens when this other thing happens)
  Markov Models - Model of states (ex: real website names vs random botnet names)
  Neural Network - Simulates how human brain operates.
  Clustering - Group data into similar clusters to identify common characteristics

Question 16

Network Based IDS

Answer 16

Passively monitors traffic at selected points
May examine network, transport, and/or app level protocol activity
Comprised of sensors, servers, and mgmt console
Analysis of traffic patterns done at sensor, mgmt server or combo of two

Question 17

Misuse Signature Intruder Detection

Answer 17

Run through a signature mapping to identify and flag intrusion attempts.

Question 18

Rule Based Detection

Answer 18

SNORT.

Set of specific rules that identify known penetrations or suspicious behavior.

Question 19

Host based IDS

Answer 19

Sits on the hosts, monitors activity on the host.

ptrace - traces operating system events

Question 20

Inline Sensors

Answer 20

Type of NIDS
Performs both intrusion detection and prevention.
Must be placed a network point where traffic passes through it
Can be standalone, or combination of firewall and NIDS

Question 21

Passive Sensor

Answer 21

Monitors copy of traffic

More efficient

Question 22

Firewall vs Network IDS

Answer 22

Firewall
- Active Filtering
- Fail-close (when firewall fails external network is closed to internal network, internal network is safe)
Network IDS
- Passive Monitoring
- Requires CPU intensive analysis
- Fail-open (fails to protect network and network is open to intrusion)

Question 23

Common place for NDIS Sensor and why?

Answer 23

Just inside the external firewall

• Sees attack from outside
• Highlights issues with external firewall performance
• Sees attack on web server or ftp in DMZ
• Can also see outgoing traffic and analyze for detection

Question 24

Alternative place for NDIS sensor and why?

Answer 24

Outside external firewall

• Detects all attacks originated from internet
• Does not rely on firewall, so can see attacks that firewall misses or drops

Question 25

Yet another place for NDIS sensor and why?

Answer 25

Inside Internal firewall

• Monitors all internal traffic increasing possibility of detecting attack
• Detected unauthorized activity by authorized users

Question 26

One more option for NDIS sensor and why

Answer 26

In front of particular system or subnet

• Detects targeted attacks against sensitive systems
• Allows focusing limited resources on assets of greatest value

Question 27

SNORT

Answer 27

• Open source
• Highly configurable
• Lightweight
• Can be deployed on most nodes
• Performs real time packet analysis and detects attacks/probes based on rules

Question 28

SNORT 4 components

Answer 28

Decoder - Decodes network/transport/app layer packets
Detection Engine - Compares decoded packet against a rule
Log - Log if packet matches rule, logs packet in human readable format
Alert - send alert

Question 29

Snort Configuration

Answer 29

In passive mode:
Monitors traffic
Not in transmission path
Not an inline sensor

Question 30

Honeypots

Answer 30

Decoy systems designed to lure attackers away from critical systems.
Observer what attackers are trying to do
Develop strategy to respond to attack

Question 31

Types of Honeypots

Answer 31

High or Low interaction

Question 32

Low interaction honeypot

Answer 32

Does not execute full version of all services
Less realistic
Sufficient for use as a component in a distributed IDS to warn of attack

Question 33

High interaction honeypot

Answer 33

• Replicates real system and full operating system
• More realistic target, attacker can’t tell
• Challenging to emulate a real system

Question 34

Honey Pot Deployment options

Answer 34

• Outside external firewall (less risk for internal network, but cannot trap internal attackers)
• In DMZ inside external firewall ( DMZ is not fully accessible, can’t attract interesting attacks )
• Inside internal network (catch internal attacks or misconfigured firewall, but compromised honeypot can attack internal systems also must open up internal firewall huge risk)

Question 35

Ways to evaluate IDS

Answer 35

True Positive Rate (correct alert)
False Negative Rate (intrusions we missed)
False Positive Rate (false alert but no intrusion)
True Negative Rate (correctly classify normal actives)
Bayesian Detection Rate (Given an IDS alert, how likely is it not an intrusion?)