BYU Computer Science
CS 465 Introduction to Security and Privacy

Intrusion detection and scanners

Intrusion detection

  • try to identify unauthorized or malicious traffic
  • intrusion detection system
    • monitors events
    • logs related data
    • analyzes data
    • reports events requiring human attention
  • may monitor processes, programs, commands, data at rest, network packets
  • need to collect evidence for a forensic process
  • intrusion prevention system
    • includes active responses
    • alter packets, strip out malware, reset TCP connections, terminate processes
    • real-time
  • understand network-based IDS vs host-based IDS, and the different types of data they collect
  • see Figure 11.1, page 312 to understand IDS event outcomes and metrics
  • understand the example, below the figure, to see why alarm precision is helpful
  • understand that false positives keep security experts busy (but wasting time) — frustrating to deal with
  • false negatives are of course also harmful
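A worked computation of the four IDS event outcomes and of alarm precision, added here as an example (it is not part of the course notes or the textbook figure). The event count and the base, detection and false-alarm rates are constructed values, and the function names are my own; the point it makes is that when intrusions are rare, the false-alarm rate dominates precision.

```python
# Added example (not from the course notes): IDS event outcomes and alarm
# precision. All rates below are constructed illustrative values, not figures
# from the textbook.

def ids_outcomes(n_events, base_rate, detection_rate, false_alarm_rate):
    """Expected counts of the four IDS outcomes over n_events observed events.

    base_rate         fraction of events that are actual intrusions
    detection_rate    P(alarm | intrusion)      (true-positive rate)
    false_alarm_rate  P(alarm | no intrusion)   (false-positive rate)
    """
    intrusions = n_events * base_rate
    benign = n_events - intrusions
    tp = intrusions * detection_rate          # intrusion, alarm raised
    fn = intrusions - tp                      # intrusion, missed
    fp = benign * false_alarm_rate            # benign, alarm raised (wasted analyst time)
    tn = benign - fp                          # benign, no alarm
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn}


def alarm_precision(outcomes):
    """Fraction of raised alarms that are real intrusions: TP / (TP + FP)."""
    alarms = outcomes["tp"] + outcomes["fp"]
    return outcomes["tp"] / alarms if alarms else 0.0


def precision_from_rates(base_rate, detection_rate, false_alarm_rate):
    """The same quantity via Bayes' rule, independent of the event count."""
    p_alarm = base_rate * detection_rate + (1 - base_rate) * false_alarm_rate
    return base_rate * detection_rate / p_alarm if p_alarm else 0.0


if __name__ == "__main__":
    # Constructed scenario: 1 in 1000 events is an intrusion; the IDS catches
    # 99% of intrusions and raises a false alarm on 1% of benign events.
    out = ids_outcomes(1_000_000, base_rate=0.001, detection_rate=0.99, false_alarm_rate=0.01)
    print(out)
    print(f"precision = {alarm_precision(out):.3f}")
    # Cutting the false-alarm rate 100x matters far more for precision than
    # any further improvement in the detection rate could.
    print(f"precision with 0.01% false alarms = "
          f"{precision_from_rates(0.001, 0.99, 0.0001):.3f}")
```

With these numbers roughly 9 of every 100 alarms are real; dropping the false-alarm rate to 0.01% raises that to about 9 in 10, which is why the notes stress that false positives, not just false negatives, are costly.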

Approaches to intrusion detection

  • see Table 11.1, page 314
  • signature-based
    • signatures usually automatically updated from vendor
    • may look at behavior (effects of the attack) as well
  • specification-based
    • define what is allowed for a protocol or application
  • anomaly-based
    • measure normal behavior
    • classify anything else as an anomaly
    • often uses machine learning
    • challenges
      • feature selection
      • intruder-free training
      • session creep (intruders slowly adding themselves)
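The signature-based and anomaly-based approaches side by side, as an added example that is not part of the course notes: both run over constructed web-server log lines, the signature list and the mean-plus-k-standard-deviations threshold rule are assumptions made for the illustration, and the last function also shows the "intruder-free training" challenge by learning the baseline once from clean data and once from data that already contains the noisy client.

```python
# Added example (not from the course notes): signature-based versus
# anomaly-based detection run over constructed web-server log lines. The log
# format, the signature list and the threshold rule are assumptions made for
# this illustration, not any product's actual rules.
import re
from collections import Counter
from statistics import mean, stdev

# Signature-based: patterns for known attack techniques. A real IDS pulls
# these from a vendor feed; these three are hand-written for the example.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union":     re.compile(r"union\s+select", re.IGNORECASE),
    "passwd-read":    re.compile(r"/etc/passwd"),
}

# Constructed log format: <client ip> <HH:MM> "<request line>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<minute>\d{2}:\d{2}) "(?P<request>[^"]*)"$')

def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def signature_alerts(records):
    """Signature-based: each record matching a known-bad pattern raises an alert."""
    return [(r["ip"], name) for r in records
            for name, pat in SIGNATURES.items() if pat.search(r["request"])]

def requests_per_minute(records):
    """The feature the anomaly detector measures: requests per client per minute."""
    return Counter((r["ip"], r["minute"]) for r in records)

def anomaly_threshold(training_records, k=3.0):
    """Anomaly-based: learn the normal rate and flag anything above mean + k*stdev."""
    rates = list(requests_per_minute(training_records).values())
    return mean(rates) + k * stdev(rates)

def anomaly_alerts(records, threshold):
    """Clients that exceed the learned threshold in any minute."""
    return sorted({ip for (ip, _), n in requests_per_minute(records).items() if n > threshold})

def make_lines(ip, minute, n, request="GET /index.html"):
    return [f'{ip} {minute} "{request}"' for _ in range(n)]

# Constructed training window: benign clients making 1-3 requests per minute.
TRAINING = (make_lines("10.0.0.1", "09:00", 2) + make_lines("10.0.0.2", "09:00", 1)
            + make_lines("10.0.0.3", "09:01", 3) + make_lines("10.0.0.1", "09:01", 2)
            + make_lines("10.0.0.4", "09:02", 1) + make_lines("10.0.0.5", "09:02", 3))

# Constructed detection window: a benign client, a noisy client sending a
# request no signature knows 40 times in a minute, and a quiet client using a
# known technique exactly once.
DETECTION = (make_lines("10.0.0.2", "10:00", 2)
             + make_lines("10.9.9.9", "10:00", 40, "GET /search?q=%00probe")
             + make_lines("10.8.8.8", "10:00", 1, "GET /download?file=../../etc/passwd"))

def run():
    """Return what each approach catches, with clean and with contaminated training."""
    clean = anomaly_threshold(parse_log(TRAINING))
    # Intruder-free training matters: if the noisy client's 40 lines leak into
    # the training window, the learned threshold rises until it looks normal.
    contaminated = anomaly_threshold(parse_log(TRAINING + DETECTION[2:42]))
    detect = parse_log(DETECTION)
    return {
        "signature": signature_alerts(detect),
        "anomaly_clean": anomaly_alerts(detect, clean),
        "anomaly_contaminated": anomaly_alerts(detect, contaminated),
        "thresholds": (clean, contaminated),
    }

if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Each approach misses what the other catches: the signatures flag the single known-bad request but say nothing about the unknown flood, while the anomaly detector flags the flood but not the quiet known-bad request. With the flood present in training, the threshold climbs above the flood rate and the anomaly detector misses it too, which is the session-creep problem in miniature.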

Sniffers

  • to look at network traffic, need to capture packets and examine them at line speed
  • helpful even outside of intrusion detection
  • also used by attackers!
  • understand difference between a hub and a switch, and how this affects traffic seen by a host
  • network cards can be put into promiscuous mode to sniff traffic
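A small simulation, added as an example that is not part of the course notes, of the two points above: which hosts' NICs are even handed a frame on a hub versus a learning switch, and what promiscuous mode changes at the NIC. The MAC addresses, frames and the simplified hub and switch models are constructed; only the 14-byte Ethernet II header layout is real.

```python
# Added example (not from the course notes): which hosts can see a frame on a
# hub versus a switch, and what a NIC's promiscuous mode changes. The MAC
# addresses, frames and the simplified hub/switch models are constructed.
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def parse_ethernet(frame):
    """Parse the 14-byte Ethernet II header: dst MAC, src MAC, EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "ethertype": ethertype, "payload": frame[14:]}

def build_frame(dst, src, payload=b"", ethertype=0x0800):
    return struct.pack("!6s6sH", mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload

class Hub:
    """A hub repeats every frame out of every port except the one it arrived on,
    so every attached host's NIC sees all traffic on the segment."""
    def __init__(self, ports):            # ports: {port_id: attached host MAC}
        self.ports = ports
    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]

class Switch:
    """A switch learns which MAC is behind which port from source addresses and
    sends unicast frames only to that port; unknown destinations and
    broadcasts are flooded the way a hub would."""
    def __init__(self, ports):
        self.ports = ports
        self.cam = {}                     # learned MAC -> port table
    def forward(self, in_port, frame):
        hdr = parse_ethernet(frame)
        self.cam[hdr["src"]] = in_port
        if hdr["dst"] != BROADCAST and hdr["dst"] in self.cam:
            out = self.cam[hdr["dst"]]
            return [out] if out != in_port else []
        return [p for p in self.ports if p != in_port]

def nic_accepts(host_mac, frame, promiscuous=False):
    """In normal mode a NIC discards frames not addressed to it or to broadcast;
    in promiscuous mode it passes every frame on the wire up to the sniffer."""
    dst = parse_ethernet(frame)["dst"]
    return promiscuous or dst in (host_mac, BROADCAST)

def who_sees(device, in_port, frame, promiscuous_hosts=()):
    """MACs of the hosts whose software actually receives the frame."""
    return [device.ports[p] for p in device.forward(in_port, frame)
            if nic_accepts(device.ports[p], frame, device.ports[p] in promiscuous_hosts)]

def scenario():
    """Constructed three-host segment: A talks to B while C runs a sniffer."""
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    ports = {1: A, 2: B, 3: C}
    a_to_b, b_to_a = build_frame(B, A, b"hello"), build_frame(A, B, b"reply")
    results = {}
    hub = Hub(ports)
    results["hub, C normal"] = who_sees(hub, 1, a_to_b)
    results["hub, C promiscuous"] = who_sees(hub, 1, a_to_b, {C})
    sw = Switch(ports)
    # First frame: the switch has not learned B's port yet, so it floods.
    results["switch, first frame"] = who_sees(sw, 1, a_to_b, {C})
    who_sees(sw, 2, b_to_a, {C})          # B replies; the switch learns B is on port 2
    # Now A<->B unicast goes only to port 2; C's promiscuous NIC has nothing to see.
    results["switch, after learning"] = who_sees(sw, 1, a_to_b, {C})
    return results

if __name__ == "__main__":
    for case, macs in scenario().items():
        print(f"{case}: {macs}")
```

On the hub, promiscuous mode is the only thing standing between C and every A-to-B frame; on the switch, C sees only the flooded first frame, and once the switch has learned B's port the same promiscuous NIC receives nothing, which is why a monitoring sensor on a switched network needs a mirror (SPAN) port or a tap rather than just promiscuous mode.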

Vulnerability assessment tools

  • explore weaknesses in your systems so that you can modify / update them for increased security
  • vulnerability assessment — examines systems for vulnerability
  • penetration testing — tries to exploit a vulnerability
  • can be used for both defense and offense
  • make sure you get authorization to do any kind of vulnerability assessment or penetration testing
  • make sure you follow responsible disclosure when finding a vulnerability
  • port scanning is a common assessment tool
  • remote OS fingerprinting is also a common assessment tool
  • see example of what nmap can do
  • see example of what Nessus can do
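The assessment side of the distinction drawn above (examine, do not exploit), as an added example that is not from the course notes, nmap or Nessus: it parses nmap's "grepable" (-oG) output, whose port fields are port/state/protocol/owner/service/rpc-info/version/, and reports every host whose open ports differ from an expected-exposure baseline. The scan text, the hosts and the baseline are constructed for the example, and the findings function is my own.

```python
# Added example (not from the course notes): turning port-scan results into
# assessment findings. It parses nmap's grepable (-oG) output format and
# compares each host's open ports with an expected-exposure baseline. The
# scan output, hosts and baseline below are constructed for the example.
import re

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Return {host: [(port, state, proto, service, version), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment / summary lines
        host = line.split()[1]
        hosts.setdefault(host, [])
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue                                   # "Status: Up" line, no ports
        for port, state, proto, service, version in PORT_RE.findall(m.group(1)):
            hosts[host].append((int(port), state, proto, service, version))
    return hosts

# Constructed exposure baseline: the (port, proto) pairs each host should offer.
BASELINE = {
    "10.0.0.10": {(22, "tcp"), (443, "tcp")},          # web server: ssh + https only
    "10.0.0.20": {(22, "tcp"), (5432, "tcp")},         # database host
}

def findings(scan, baseline):
    """Each open port missing from the baseline is a finding; a baselined port
    that is not open is reported too (service down, or the baseline is stale)."""
    out = []
    for host, ports in scan.items():
        expected = baseline.get(host)
        if expected is None:
            out.append((host, "unknown host: not in asset baseline"))
            continue
        open_ports = {(p, proto) for p, state, proto, _, _ in ports if state == "open"}
        for p, proto in sorted(open_ports - expected):
            svc = next(s for pp, _, pr, s, _ in ports if pp == p and pr == proto)
            out.append((host, f"unexpected open port {p}/{proto} ({svc or 'unknown'})"))
        for p, proto in sorted(expected - open_ports):
            out.append((host, f"expected port {p}/{proto} not open"))
    return out

# Constructed sample in -oG layout; these are not results of a real scan.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample output)
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
Host: 10.0.0.99 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done
"""

if __name__ == "__main__":
    for host, message in findings(parse_grepable(SAMPLE_SCAN), BASELINE):
        print(f"{host}: {message}")
```

The three findings this produces (an unexpected proxy port on the web server, a database port that is not reachable, and a host nobody has in the asset list) are exactly the kind of output a vulnerability assessment hands to the owners for remediation, without ever exploiting anything.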

Vulnerability disclosure process

Extra Reading