Document: Intrusion Detection The Big Picture – Part VI (ppt)

Document information

Slide 1: Intrusion Detection - The Big Picture, SANS GIAC ©2000, 2001
Intrusion Detection The Big Picture – Part VI
Stephen Northcutt

Slide 2: Intrusion Detection Roadmap
What are the pieces and how they play together
• Honeypots
• Firewalls
  – Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
  – Introduction to Risk Management
  – Knowledge-Based Risk Assessment
  – Online Auditing Tools

Slide 3: Seven Most Important Things to Do if Security Matters
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement the top priority countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response

You will notice that I have never read a slide to you in the entire time together, so please bear with me. So here on this slide we have another big picture view of information security. Students that complete Information Security KickStart and Security Essentials certification are well on their way to accomplishing each of these. This is by no means the only way to approach building a security capability, but it is a comprehensive high level view.

Slide 4: Theory of Risk Assessment
It is critical to have an understanding of risk management to properly choose and deploy intrusion detection and response assets. To manage risk, one must be able to assess it. In this section of the course we will cover the basic theory of risk assessment. We will also talk about three methods of risk assessment: qualitative, quantitative, and knowledge-based (also known as best practices).

Slide 5: The Three Risk Choices
• Accept the risk as is
• Mitigate or reduce the risk
• Transfer the risk (insurance model)

Whether or not we explicitly choose, we have exactly three options, and we do choose between them: acceptance, mitigation, and transference. When we accept the risk, this means we make no changes in policy or process. This decision means that we judge the risk of a given threat to be inconsequential in the greater scheme of things. If we feel the threat is significant and could cause harm to our business or enterprise, then we have the option of taking action to protect operations by reducing the risk. A firewall or a system patch is an obvious example of risk mitigation. Transferring the risk is sometimes a workable technique. The classic example is to buy insurance. This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real world example of this is hacker insurance. The insurance company still expects you to have a firewall and patches, but insures you should these fail.

Slide 6: Risk Management Questions
• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact of threat)
• How often could it happen? (frequency of threat - annualized)
• How reliable are the answers to the above three questions? (recognition of uncertainty)

In order to decide which of the choices (accept, mitigate, or transfer the risk) to make, we analyze the risk to better understand it. What exactly are we afraid of? What is it - can we name it specifically, or is it just a vague, uneasy feeling? If the threat is successful, how badly will it hurt? What is the probable extent of the damage? How often is this likely to occur? Is this more like a hundred year flood, or a hot day in Biloxi, Mississippi? We are more willing to accept the risk of a threat that is not likely to happen often. But if something can damage us on a daily basis, this is a significant problem. Finally, how do we know? In the cyberworld, how accurate are our risk calculations when new program or operating system vulnerabilities are discovered weekly?

Slide 7: Uncertainty
Uncertainty is the central issue of risk management! (What would happen to James Bond if his luck failed in those stunts he does?)

Have you ever wondered why Bond (James Bond) never gets shot, can jump off of an airplane without a parachute and live, and never loses at cards? It is simple! He read the script! In fact he may have had a hand in writing it. Since they follow the script, the stunts he does are closer to professional wrestling, because he certainly knows he is going to get the bad guy and the girl. He wouldn’t look half so composed if he was uncertain as to what was going to happen. Uncertainty, then, is the heart of risk management.

Slide 8: Risk Requires Uncertainty
If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn’t risky; it is suicide. For such an action there is a 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive. Probability ranges between 0.0 and 1.0, though people often express it as a percent. Jumping out of an airplane with a parachute involves risk. If you were to try the James Bond stunt of jumping out of an airplane without a chute you are committing suicide, but you aren’t doing anything risky. Risk involves uncertainty.

Let’s tie this back to the information assurance world. If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the perimeter, it is certainly going to be compromised. It might not happen in a single day, but it will happen over the course of a year. In the same way that gravity is the compelling reason jumping from a plane sans chute is near-certain death, the continuous probing and poking of exposed systems on the Internet is the compelling reason the box will be compromised. So what? How bad can a compromise be? Well, once they compromise the box they have the ability to manipulate your organization’s trust model. If you have valuable assets, that may be what happens. Or they may just create weird system domains and hit systems all over the Internet, giving your organization a bad name.

Slide 9: What is an Unacceptable Risk?
• You can define the threat.
• If it happened, it would be bad. (high impact)
• If one shot didn’t kill you, then it hit you again and again. (frequent threat)
• There is high certainty the threat exists, it is high impact, and it potentially could occur multiple times.

So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk. To be an unacceptable risk, it has to be a defined threat. They will compromise the DNS server, most likely via a buffer overflow. How bad would it be? If they chose to manipulate the trust model and had several days to work without being detected - such as over the Christmas holidays - they could make considerable headway at owning the entire organization’s information assets. You might never get them dislodged. What if they chose simply to use your box to attack others? People are usually forgiving if it only happens once, but there are domains that have been compromised a number of times. These are not usually respected and may even be blocked. One of the classics is the Brazilian Research Network. This loose group of addresses has been the source of hundreds and hundreds of attacks against Internet hosts. The price? Besides being a standing joke, legitimate users continue to find their access blocked.

Slide 10: Single Loss Expectancy (SLE - one shot)
• Asset value x exposure factor = SLE
• Exposure factor: 0 - 100% of loss to asset
• Example: Nuclear bomb/small town ($90M x 100% = $90M)

How much financial loss am I willing to accept in a single event? It all comes down to money in the end. When considering one shot, or Single Loss Expectancy (SLE), we consider the value of the information resource asset. Example: a company’s top salesman accounts for 25% of their $40 million in revenue, or $10 million. His client contact list and fee schedule are stored on his laptop and are not encrypted. If it fell into the wrong hands it would be worth at least 10% of its value to the competition ($1 million), and possibly more if they can finesse the information. So we find we can calculate a minimum approximate SLE, but there is uncertainty as to a maximum value. Another example: an author takes a royalty of $100,000 to write a book. He receives partial payments every 25% of the project. What is the SLE if his hard drive crashes at the 70% mark and the data is not recoverable? $25,000 x 80%, or $20,000, unless he has been sending chapters in as they are done. [...]
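As an added example (mine, not part of the course notes), the SLE arithmetic from slide 10 as a small Python helper that keeps the uncertainty the notes ask about: each exposure factor is a low/high range, so the result is a minimum and maximum SLE rather than one number. The milestone-payment rule for the author example and the upper exposure bound for the salesman example are my assumptions; the notes give only the minimum.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One information asset with a value and an exposure-factor range.

    The exposure factor is the fraction of the asset's value lost in a single
    event (0.0 - 1.0). A range is kept so the SLE carries the uncertainty the
    notes ask about ("how reliable are the answers?")."""
    name: str
    value: float
    ef_low: float
    ef_high: float

    def sle(self):
        """Return (minimum SLE, maximum SLE) = asset value x exposure factor."""
        if not 0.0 <= self.ef_low <= self.ef_high <= 1.0:
            raise ValueError("exposure factors must satisfy 0 <= low <= high <= 1")
        return self.value * self.ef_low, self.value * self.ef_high


def unpaid_work_at_risk(total_fee, milestone_pct, progress_pct):
    """Dollar value of finished but not yet paid-for work if the data is lost.

    Assumption (my reading of the author example): payments arrive every
    `milestone_pct` of the project, so only the partial chunk since the last
    milestone is exposed. $100,000 fee, 25% milestones, crash at 70%: the
    50%-75% chunk is worth $25,000 and 20/25 = 80% of it is done -> $20,000.
    Integer percentages keep the arithmetic exact."""
    if not 0 < milestone_pct <= 100 or not 0 <= progress_pct <= 100:
        raise ValueError("percentages out of range")
    chunk_value = total_fee * milestone_pct / 100
    done_in_chunk = progress_pct % milestone_pct
    return chunk_value * done_in_chunk / milestone_pct


def course_examples():
    """The notes' worked SLE figures as (min, max) dollar ranges."""
    revenue = 40_000_000
    salesman = Asset("top salesman's unencrypted client list",
                     value=revenue * 25 / 100,  # 25% of revenue = $10M
                     ef_low=0.10,               # "at least 10%" to a competitor
                     ef_high=0.25)              # constructed upper bound; notes give none
    town = Asset("small town vs. nuclear bomb", value=90_000_000,
                 ef_low=1.0, ef_high=1.0)       # total loss, no uncertainty
    return {
        salesman.name: salesman.sle(),
        town.name: town.sle(),
        "author's manuscript at 70%": (unpaid_work_at_risk(100_000, 25, 70),) * 2,
    }
```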
... intrusion detection revisited: “How to use Risk Assessment tools!”

Slide 24: Intrusion Detection Roadmap - Using What We Have Learned
• Business Case for Intrusion Detection
• How all these Capabilities Work Together
• Future Directions
  – Intrusion Detection in the Network
  – Program-Based Intrusion Detection
  – Intrusion ...

... are now familiar with these core technologies and how they play together: Host- and Network-Based Intrusion Detection; Vulnerability Scanners and Honeypots; Firewalls.

Slide 27 (notes): In a sense, this is the section that everything points to. Intrusion detection is expensive; it has a cost. It is wise to consider the cost and the benefits before embarking ...

... one another. The main difference is that in the SBS booklet the detailed information is shown up front, and is in the help files on the NSWC checklist.

Slide 22: Windows NT Form Summary
• Benefits: Reasonably good tool for minimal OS security; good form “layout”
• Limits: Needs a list of applicable patches; where to get them; tool to determine patch status ...

... know the big picture, and rightfully so. There is more than just the initial outlay for the hardware and software. There is maintenance, training, and the employees’ time. Management knows the purchase is just the tip of the iceberg. Their job is to manage risk - all kinds of risk, not just cyber intrusions. When you tell your management you need an IDS, they are wondering if they really need it. They are ...

... case for Intrusion Detection (Slide 26). Imagine you are speaking to your boss and you are telling her the organization needs an intrusion detection system. What if she replies loudly as shown on the slide? How do you answer? Does this mean the manager doesn’t understand? There are a couple of things to consider. We have been talking about the big picture ...

... You have spent the day learning about the big picture. The real question is, can you explain it to your management? Can you show them how the technologies we have talked about play together?

Slide 27: Business Case For Intrusion Detection (2)
• We have been introduced to a basic risk assessment process; can we apply this process to the business case for intrusion detection? If there is a big picture, can ...

... all accesses are enabled. In the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS", describe (1) how the audit information is collected, (2) who reviews the audit logs, and (3) the frequency of said review. Include the signature(s) of those conducting the review.
( ) There are no Anonymous users
( ) All accounts are password protected
(Slide 20) ...

... by other means. In the absence of indications to the contrary, the Information System is operating at an acceptable risk (accreditable) when all of the leftmost countermeasures are marked 'True'.

Slide 19 (notes): The person that knows security and risk in general (often an auditor or security officer) reads the items to the person more familiar with the ...

... report.

Slide 31 (notes): This is not unlike the steps we go through to develop a knowledge-based risk assessment. As always, we want to identify the threats that are arrayed against our organization. We compare the effectiveness of the threat against the value of the assets it can affect. We do research to find out the known vulnerabilities and then evaluate the ...

... model.

Slide 32 (notes): The cyberscape shown on the slide above is a tool that can be used to simplify information warfare scenarios. The key point for our purposes is to help us consider the entire world our systems exist in. Generally, unless we are playing at the information warfare level, the detection system outside the firewall is as far out into the ...

Posted: 17/01/2014, 08:20