What about the Snort ruleset? It is open and can be examined and has been subjected to exhaustive public review—are these rules uncertain? To be sure, there are great advantages to public review (and you can bet that more than one or two of those rules finds its way into other IDS systems), but the fact that it is open means an attacker can be aware of it and modify the attack just enough to evade the rule.
Oh yeah, the scariest three words to an intrusion-detection analyst. They are when the gruff old decision-maker who has to make a hard call looks you in the eye and asks, "Are you sure?"
Risk
Risk happens. It is ridiculous to say I don't want any risk in a given situation. Rather, we manage risk. I heard on TV once that the space shuttle often has backup systems for its backup systems. A shuttle flight is an exercise in strapping yourself to a rocket and heading for space. Space is an environment where any number of things can kill you: radiation, heat, cold, vacuum, and finally the reentry. If you approach a reentry with too steep an angle, the mistake will crash you; and if your angle is too shallow, it will bounce you into space. That is a lot of risk, which is one of the reasons astronauts get all the free Tang they can drink.
If you really think it through, the whole process is nuts and no sane person would do it. NASA actually has go/no go criteria. If anything is wrong, they do not go ahead with the launch, even though there are backup systems. This is judged an unacceptable risk. Other risks are considered acceptable, like the bit about strapping yourself to a rocket. With any risk, we must decide how we will deal with risk. We have three options for dealing with risk:
●Accept the risk as is.
●Mitigate or reduce the risk.
●Transfer the risk (insurance model).
Accepting the Risk
If we don't install a firewall and we connect to the Internet, in some sense we are as daring as the men and women who bolt themselves onto rockets; what we are doing is risky and we've chosen to accept that risk. If we have information assets of high value and we don't do auditing on these hosts or use some form of intrusion detection, we are again choosing to accept the risk.
The concept of accepting risk is simple enough, but there is another aspect of this we need to consider. The elementary school bus driver who drinks a few too many beers before picking up the kids with his school bus is accepting risk all right, but he is accepting risk he does not have a right to accept. The firewall administrator who was just testing some service and mistakenly left it in the system might have caused the organization to accept a risk that it would not choose to accept. After all, why did it go through the trouble to buy and set up a firewall? One of the interesting problems of information security is that it is quite possible for an individual to accept a risk for an organization that he is not authorized to accept. I would like to illustrate this point with an intrusion-detection story.
Last week, we detected systems initiating file transfers from a site that we monitor. It was just odd enough that we decided to look into it a bit further. When we examined the payload of the ftps, it was clear each of these systems was sending a bit of information about itself. We weren't sure what the information was until we saw a couple instances of "Preferred Customer." It seemed like it had to be the registration field for Microsoft Office products. Our suspicions were quickly confirmed. A member of Human Resources had sent a memo as an attachment to
an email message to all the senior managers of the organization. It was the fact they were senior managers that alerted me to further investigate the ftp sessions; these folks didn't even read their own email! They had a secretary screen their mail, print it, and put the important messages in their inbox. The email message sent by Human Resources was infected with a macro virus that sent information out of the organization. It apparently didn't do any serious harm. From an information warfare perspective, however, I was appalled, because it gives a clear potential infection vector into this organization, which could be exploited at a later time. This support employee, by just failing to maintain current virus software, accepted a high degree of risk for the entire organization. As Jimmy Kuo, a research fellow at NAI would say, "You are only as good as your last update." How about one more example?
The same week we detected many more systems initiating file transfers than usual from the same site we monitor. We found five in one day. When we pulled the payload, we found they were all going to the same IP address, the same user ID, and the same password. They were downloading files to the desktop systems. In this case, it turned out to be a shareware program, PKZip. Now, this is no Trojan; this is no sneak attack. A paragraph on the shareware web site stated that when PKZip was installed it came with a bonus component that downloaded ads. None of the five users gave a second thought to what they were actually doing; they just wanted PKZip. So what's the problem? Well, so long as the software is just downloading ads, there isn't a problem. However, keep in mind that many sites configure their firewalls so that if a connection is initiated from the inside, it passes through the firewall without any problems. This means there are several potential attacks from such a behavior.
Trojan Version
We have seen several examples of Trojan versions of legitimate software, such as the Trojan ICQs and Internet Relay Chat (IRCs). The user would not be aware that the program was actually uploading sensitive data from the system, or downloading tools that could be used to attack his organization's network from the inside.
In the same vein, what if the advertisement company hired a malicious individual, or an expert in economic espionage? Think about what he could accomplish with robot code that downloaded arbitrary files every time a system was booted! If this seems like science fiction, consider the use of netbugs (www.bugnosis.org) and spyware that is so common today.
Malicious Connections
There are a number of DNS attacks, but the idea in DNS cache poisoning is to manipulate the DNS system so that the client system goes to a malicious server rather than to the actual server. This is often done when a client answers a question, within a query.
The problem is complex; users of desktop Windows systems do not generally know what connections their systems are making. I honestly didn't know that software programs on my Windows system could connect to the Internet without me clicking on them. Several years back, I bought a software package, McAfee Office, primarily to get the Pretty Good Privacy (PGP) that comes with it, but decided to play with most of the software. One of the programs was called GuardDog, which is a security program for Windows systems. I installed it, and imagine my surprise when I booted my computer and it barked at me, to warn me that one of the programs on my system was trying to connect to the Internet. It was Real Audio; I didn't have the time to set up monitors and traps in my home lab to track it, so I just uninstalled it. Later, it turned out they were collecting information on users. Today, I use application-aware personal firewalls such as ZoneAlarm and Norton Internet Security.
We have gone through some important information, so let's take a second to summarize some points. In the preceding two examples, macro virus and PKZip, users' desktops initiated connections to the Internet without the users knowing about the connections. Both cases have the potential for harm to the organization, although mercifully the only real damage in these examples was my blood pressure shooting through 200. In both cases, one by inaction, one by action, the users make a personal decision to accept a risk that affects the entire organization.
Expanding Our View of Intrusion Detection
Neil Johnson, a researcher and faculty member at George Mason University, presented a really wonderful paper on intrusion detection and recovery against watermarked images at the SANSFIRE 2000 conference. If you spend a lot of time and money creating graphics, you might want to put a copyright seal on these graphics in some way. There are tools to do this. Then, it is possible to use World Wide Web worm technology to search the Internet looking for graphics to see whether your seal turns up on some server that didn't license the graphic. Neil explained this and demonstrated both attacks and the recovery techniques. Now, you might be thinking, what do watermarks have to do with intrusion detection?
As we continue our study of risk and its application in the field of intrusion detection, keep in mind that the dangerous enemy is not the one aimlessly running three-year- old canned attacks! The dangerous enemy is the one who knows what he wants and uses a hard-to-detect technique to get it. USA Today ran a story in the wake of 9/11/2001 that Bin Laden used steganography to send messages related to the attack. There are more pragmatic examples. In the case of a graphics company, its images are its crown jewels. To the company, this is the nightmare scenario: an attacker who can remove the proof that it is the owner of the images and possibly even brand the images under another company's name.
Mitigating or Reducing the Risk
What if we decide that even though it is risky to strap ourselves to a rocket, the end result of doing so is worthwhile? Perhaps our objective is greater than just a free drink of Tang; perhaps we have an opportunity to be the first human to set foot on Mars. The enterprise is still very risky, but we are certain that this is something we want to do. In this case, if we aren't foolhardy, what we do is try to find ways to make the endeavor less risky; we reduce the risk. Have you ever thought about intrusion attacks against laptop computers? Most professionals carry them these days. They often have sensitive information about their organization on them. We have already mentioned information-gathering malicious code, but that can be directed against any system. How specifically are laptops vulnerable to attack? What can you do to mitigate their vulnerability?
Network Attack
If the organization uses Internet service providers (ISPs) to connect for email rather than secured dial-in, there is an opportunity to attack the organization's systems while they are on the net. They are outside the firewall and so the normal screening protections against NetBIOS and other Windows attacks that desktop systems enjoy inside the firewall are not available to them.
Snatch and Run
I really hate putting my laptop on the X-ray machine conveyor belt at airport security checks. If I don't make it through the metal detector, this is a golden opportunity for someone to steal it because I am physically separated from my briefcase in a dynamic, crowded environment. Worse, I only have one shoe on because thanks to the terrorist that tried to blow up the airplane with his shoes, mine are being inspected. Further, if someone does walk off with my laptop if I rush after them, I run the risk of getting shot by the National Guard with the M16s. There are also the situations when I get to my destination: Do I leave it in my hotel room when I go to dinner, or lug it?
I don't know whether you are worried about the information that professionals in your organization put on laptops. After all, it is just stuff such as your design and business plans, sales and marketing information, perhaps a bid work-up or two. I write this tongue and cheek, but if you interview the folks who lug these laptops around, you might find that they do not often perceive the information on them as sensitive and needing protection.
I do know my situation. In writing, teaching, and reviewing I often find myself working with proprietary information. I have signed several Non Disclosure Agreements and have always
tried to be careful with that information. If a large security and network company decides I have not protected its information properly, I have to face its army of lawyers (alone). So I am inspired to do the best job I can to protect my laptop; I look for tools to mitigate the risk. Because I know that connecting to the Internet is risky, what are some of the tools that help protect my system?
I have looked at several tools. ZoneAlarm is free for personal use and works well. A lot of my friends swear by BlackIce, and the traces it creates have nice fidelity; but, it has steadily dropped in quality since the company was acquired. I have found the Norton Internet Security tool actually runs on XP, which is a plus. PGP appears to have a personal firewall, but my boss installed it on his XP and lost his ability to connect to the Internet. I went through that with Windows ME when I installed PGP. In both cases the culprit was the PGPNet product. With the ME computer, I thought about it for a while, I knew I needed PGP, but was pretty sure I didn't need ME so I just wiped out that system and rebuilt it as a Windows 2000 system. PGP also comes with PGPdisk that protects sensitive files should the laptop ever be stolen or suffer an intrusion, or you can use the Microsoft Encrypting File System on Windows 2000 and XP. Although PGP has a disk overwrite, data-destruction routine, I find BC Wipe from http://www.jetico.sci.fi to be a better tool for my purposes. There, that is my personal example of
implementing countermeasures to mitigate risk.
Transferring the Risk
Last week, when I wasn't dealing with outbound ftps, I was dealing with flood damage. The toilet upstairs got stopped up (with a little help from my teenager). The chain that drops the stopper just happened to chink and not drop the stopper flush to seal the water. So, the water filled the toilet bowl and poured over onto the bathroom floor and began its journey in search of sea level. But wait, there's more! This happened to be the day the city decided to flush the fire hydrants, which stirs up all kinds of rust, so it wasn't clear water pouring through the house; it was blood red. When my wife got home, the water was pouring from the dining room chandelier like a fountain. The plaster ceiling had huge cracks and the wooden floor had already warped in two places. The water continued on, accumulating until the ceiling of my wife's sewing room collapsed, spewing rusty water and soggy ceiling tile on her machine and the projects below. My wife called me at work, asking where she should begin. "Turn off the water, move away from the dining room, I'm on my way," I answered.
I use the same incident-handling technique for everything. As I hung up the phone, it hit me that this had to be 20 to 30 thousand dollars worth of damage. I was very sad as I drove home and then busy as we tried to salvage what we could of my wife's sewing room. It wasn't until later at night that it hit me. I have insurance! In fact, I have insurance with a good company, one that has always treated me well. I always knew owning a home had risks that were beyond what I could financially accept. There just aren't good enough home firewalls to expect them to defend against toilets that get jammed and stuck on a day that the city is purging the fire hydrants. Like most homeowners, we had chosen to transfer the risk. So I called Travelers. They came over, were very sympathetic, and said they were going to take care of us. Sure enough, I was only out $100 for the deductible; and the job would have been done except that no one told my wife the five little words you never say to a contractor. Still, even after a "while you are at it," it only cost me an extra $2,500 and now I have crown moldings on the ceiling, something I am sure I always wanted.
So how does this notion of transferring risk apply to information assurance and intrusion detection? In the first place, there is a direct correspondence. Several agencies, including Lloyds and IBM, are now offering hacker insurance. They usually require the organization to do its part before insuring them, and their part is likely to include firewalls, vulnerability assessments, and intrusion detection, at least it would if I were offering such insurance.
We have discussed uncertainty and how it applies to risk. We have proposed that some risks we are willing to accept (whether or not we are authorized to do so), and other risks we are not willing to accept. In the last case, we need to either mitigate the risk or transfer it. Now, we need to deal with the issue of what agent is going to potentially do us harm; we call this the