securityfocus.com Incidents list."1

1Richard Bejtlich

In addition to detection, these large-scale intrusion detection networks also play a crucial role in response. As they collect data and the information passes a certain threshold, they can create automated or semi-automated reports and send them to the responsible party for an IP address. For instance, on February 28, 2002, IP address 217.128.207.17 from the abo.wanadoo.fr domain was detected sending 33,995 packets. Now, that certainly warrants sending a note, though sending a note to Wanadoo asking them to quit ftp scanning is a bit like sending a note to Bin Laden asking him to stop terrorism—at best, they don't care. However, many people do care, and the note from Dshield might be the first hint a system administrator gets to help him realize he has a problem. Below is a note from another satisfied customer: "Thank you for the notification of illicit activity coming from a computer in the University of XXXXX XXXXXX domain. This was a faculty member's computer that was found to have the "mummy" virus when the eSafe virus scanner was ran on the computer. We have attempted to disinfect this computer to prevent the unauthorized intrusions to your and other networks. Again thanks for the notification; and if there is anything else we can do, please let me know." By the way, I am a bit skeptical about the particulars in the report. The mummy virus is an MSDOS Jerusalem variant, so this sounds like an excuse to cover some mischief, but as long as the behavior changes, it is another win for these new defense systems. To date, only Aris has a business model to support what it is doing, so it is not clear that these first implementations of large-scale intrusion detection will survive long term. I certainly hope they are an emerging trend. I would like to close the chapter and the book with a quick review of the anti-virus industry, a discussion of hardware-based and program-based intrusion detection, and finally, some of the changes in auditing.

Emerging Techniques

Current intrusion-detection systems are fairly limited. Network-based systems are not well suited to detect the insider threat, mobile code, intelligence-gathering viruses, modem-based attacks, or runs along the trust model. Host-based systems can detect these attacks, but they suffer from two big problems: the cost of deployment and the system overhead "tax." There is a lot of money to be made by the company that can build and market the better mousetrap. The enterprise security consoles we have discussed are one technology poised to collect some of this money—after all, what security guy is not going to want a cockpit? Curiously, the market

sector that appears to have snatched defeat from the jaws of victory is the anti-virus arena.

Virus Industry Revisited

I have watched in amazement as NAI and Symantec, two companies in exactly the right place to take advantage of the gap between the increasing threat and existing response, have failed to take total control of the host-based intrusion detection market. Even if anti-virus makers do not want anything to do with the intrusion-detection market sector, they are already intersecting with it. These Trojans all have a network signature, SubSeven, and netbus and all the rest. Anti-virus companies can detect all of these and remove them as well! Well, maybe not. The first clue I had that anti-virus could be evaded was when one of my students realized he had accidentally downloaded a Trojan when he saw "notepad.exe" go by after having clicked on a download page. After some investigation, he determined it was QAZ. And yet, his antivirus didn't pick it up. But how is this possible with a well known Trojan? Well, it turns out that the attacker community can "pack" the Trojan with any number of tools. For more information

on this, go to http://rr.sans.org/malicious/trojan_war.php.

However, do not count out the anti-virus industry. It can detect the work of many of the more

popular packers and certainly can detect the Trojan when it becomes active on the network if you also have a personal firewall packaged with your anti-virus. Well, you can if the malicious code doesn't disable the firewall and/or anti-virus software as one of its first orders of business, but the companies are working on defending against this as well.

Symantec's Internet Security product that combines anti-virus with a personal firewall is not a bad product, but it could have been a killer application. Anti-virus companies are poised to be the 800-pound gorillas in intrusion detection. An anti-virus company could excel in this industry because of the following eight reasons:

●No security tool has better desktop penetration than anti-virus software.

●Intrusion-detection tools often have fewer than 500 signatures; virus software can detect more than 20,000.

●Virus software comes with implementations for firewalls, server systems, or the desktop.

●These tools can identify, contain, eradicate, and recover with minimal user intervention.

●Anti-virus companies have fully solved the issue of updating a user's signature table with a variety of painless options.

●Many large organizations have site licenses with these software companies and are pretty satisfied.

●Anti-virus companies are already oriented to very fast turnaround of a signature table when a new exploit is detected.

●These software companies often have companion products with security capabilities.

The match is so perfect that I cannot understand why we aren't seeing these products dominate the industry. It would be so easy to make the changes to the NAI or Symantec personal firewalls to let them serve as network intrusion detection systems, but with every software release, they seem to move further and further away from providing a tool that is industrial strength.

Next, we will discuss intrusion detection in hardware. Cisco, more than any other company, has been intentionally pursuing putting intrusion detection in the network itself, so that you have

hardware-based intrusion detection solutions.

Hardware-Based ID

There are three serious challenges to network-based intrusion detection:

●Encrypted packets that foil string matching

●Fast networks beyond the speed of the sensor

●Switched networks

We discuss intrusion detection in the switch shortly. Encryption is an interesting problem. It is good if your organization is doing it and having the key escrowed. Encryption is a bad thing if someone is using it to evade your detection system. How do you know if a bit stream is encrypted? You test for randomness, of course. This is easy to do, but expensive in terms of CPU cycles. There is an argument that this should be done in hardware. I am not sure this is valid; general-purpose computers keep getting faster and faster. With that said, there are places where applying hardware to the problem makes a lot of sense. One of the best applications is faster nets.

The perfect place for Cisco SecureIDS is on a card placed in a Cisco router or switch. This, however, is just a toaster without a power supply. The really interesting advances come by doing limited intrusion detection as a software process in the router or switch. This is a desperately needed future trend. One advantage of this is that you finally achieve real-time, or wire speed. In all other solutions (except intrusion detection in the firewall), you detect the intrusion right after the packet has flown by. In this case, you can literally stop it or divert it to a honeypot. The capability to do this seems to be at hand with the Policy Feature Card that is

available for the Catalyst 6000 switches. I am not sure why they built the card, perhaps to provide a product to compete with TopLayer, the application layer switch that well-funded intrusion detection analysts turn to when they have the need for speed. Perhaps they project advances in the QoS market that I just do not see on the horizon. However, the ability to filter, mark a packet, application switch, or failover switch inside the network fabric at the rate of 5 million packets per second at layer 3— much more at layer 2—opens a number of possibilities for detection and protection. This would include many of the auto-response capabilities such as dropping a connection, rate limiting, copying traffic to a more powerful IDS or binary logger, or switching the connection to a honeypot. Like large-scale intrusion detection systems, it will be a

while before we really know what to do with tools like this, but learning should be a lot of fun.

Program-Based ID

I just cannot get over the size of programs today. I used to own a computer called a Commodore 64. The 64 stood for the amount of RAM, 64K. The implication is that the programs had to load and run in that memory space. There is an important lesson to be learned by comparing the functionality of the Commodore 64 to my 400Mhz Pentium II with 1024MB of RAM. The applications that ran on the Commodore had about the same functionality as my Microsoft Office suite. However, these programs are huge! If we are going to tolerate bloatware, and it is clear we will, we might as well start asking for some security in the programs.

At the seminal conference for intrusion detection SANS' ID'99, I was fortunate enough to break away for an hour to have lunch with Simson Garfinkle, who is writing software designed for special-security applications. A lot of security software, especially vulnerability-testing programs, can be used for malicious purposes. He wants to protect his intellectual property from intrusion (software piracy), and he also wants to ensure the software cannot be misused without it being clear and obvious which copy of the software is the origin.

Can software prevent or detect that it is being copied or misused? For a while, this was a big issue for computer games, at least the copy-protection aspect. It doesn't seem to be such a hot topic today. None of the games my son has bought require a dongle. One of the forensics tools I use, Expert Witness, has some degree of license protection built in with a hardware dongle. Microsoft must have some scheme with its strange orange sticker on the CDs, the long pin numbers, and its techniques for phoning home and inspecting the network for license violations. Simson, however, was taking the issue a lot more seriously than any of these companies appear to be. He was proposing a series of countermeasures, including encrypting segments of the programs and chaining checksums.

Let's take this a step further. Could a critical program detect that it is under attack? Suppose sendmail or Bind had a static library of security functions. The program could then detect an unauthorized entity is trying to access it, or that the input it is receiving is actually binary code. It could then block the attack and raise an alarm. Programs could even develop profiles about their uses so that they can detect that someone "out of profile" is accessing their files and take some preprogrammed action. Still another way to do intrusion detection at the program level is to put a wrapper around the program, which is most certainly an emerging trend.

The first wrapper was Wietse Venema's TCP Wrapper program, which was a wonderful security tool for years—although perhaps xinetd with ICMP support is more appropriate today. But, the concept has been extended. You might want to check out immunix (www.immunix.org). I would expect that, for Internet facing applications, this will be an emerging theme to the point that

eventually, sound practice will be to chroot it, wrap it, or both.

Smart Auditors

This emerging trend was in the book the first go around and it didn't happen. I put it in again in the second edition and there was some progress—not enough for me to get hired by Miss Cleo—but I am sticking with this as an emerging trend! According to Alan Kay, the best way to predict the future is to invent it, and by the time this book is in your hands, SANS should be engaged in helping to establish pragmatic tools and resources for auditors. Auditors are already smart—that is why they do the auditing and you do the sweating. Auditors are starting to understand security technology and practices at a rapid rate. The days are gone and will not