A few days ago, one of my colleagues pointed out in his email an article on securityfocus.com which really caught my attention. His email was titled “scary”.

After reading the whole article, I agree with the author’s views and opinions. In fact, most of the points in that article were already made by Mr Bejtlich in his books, The Tao of Network Security Monitoring: Beyond Intrusion Detection and Extrusion Detection: Security Monitoring for Internal Intrusions. That’s why I always recommend these two books to anyone who has an interest in, or plans to join, the security industry, especially future Security Analysts. Let me quote a few of the interesting points in the article, each followed by my comment.

“The highly publicized network intrusion seemingly underscores the claim by many hackers that most, if not all, network security defenses are useless and that defenders are far better off not wasting money on intrusion detection systems (IDS), intrusion prevention systems (IPS) or antivirus solutions. A skilled attacker, the mantra goes, can easily bypass these defenses.”

If you read the books I’ve mentioned above, you’ll notice that security is defined as the process of maintaining an acceptable level of perceived RISK, where RISK = Threat x Vulnerability x Asset Value. Usually we put a lot of effort into reducing the RISK by reducing or eliminating the Vulnerability factor. However, this effort is undermined by the characteristics of the intruder: some of them are smarter than the defender (you), and they are unpredictable, hence every network will eventually be compromised. Once we have this kind of perception, then perhaps we will religiously follow the security processes (assessment, protection, detection and response), as we realise that Security Management by Belief only leads to failure.

“The biggest problem by far is that the majority of these devices output logs that quickly become ignored after they are installed. This is due to a lack of training for personnel who need to not only be able to interpret the logs, but also verify the accuracy of them. That verification is done by comparing the logged alerts to the actual traffic itself. Unfortunately, too many IT security analysts lack the knowledge to do just that.

Now system administrators and IT security analysts alike should both have a very good understanding of the TCP/IP protocol suite. By studying and understanding these protocol blueprints, the analyst will come away with the knowledge of what normal protocol behavior looks like.”

I have to agree on this point, especially for the local security scene. Looking for a capable Security Analyst is like searching for Cinderella without the benefit of her glass shoe. I’m not claiming that I am a good analyst who should be the role model (there are many better analysts out there), but from my observations during the interviews I’ve conducted for some time, and also from observing our current team, the obvious thing is that they lack fundamental knowledge, not only of security but of networking as well. As an example, of the 6 or 10 candidates I’ve interviewed recently, only one managed to answer when I asked about the TCP handshake, and even then he only stressed the exchange of TCP control flags. If you don’t have this kind of knowledge, then how can you identify the exact time the intruder established a connection to the victim? The difference between SYN flood attacks and NMAP -sS? Whether someone is performing port scanning? Who is performing the scanning and who is responding? How to trace the communication using the sequence numbers? And of course, if you are using snort as your detection engine, how can you create or fine-tune the snort rules, or understand the reason why the alerts triggered?
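As an added illustration of the handshake knowledge argued for above (this is my own example code, not from the article or the post), the function below reconstructs three-way handshakes from a constructed tcpdump-like packet summary, using the sequence and acknowledgement numbers rather than just the flags: it tells you who initiated each connection, the exact time it became established, which SYNs were answered with a reset and which were torn down by the initiator right after the SYN/ACK. The log format and sample packets are constructed for the example.

```python
import re
# Constructed sample in a simplified tcpdump-like summary format (not a real capture):
# <epoch time> <src ip>:<port> > <dst ip>:<port> <tcp flags> seq=<n> ack=<n>
SAMPLE_LOG = """\
1206000000.001 10.0.0.5:40001 > 192.168.1.10:80 S seq=1000 ack=0
1206000000.002 192.168.1.10:80 > 10.0.0.5:40001 SA seq=5000 ack=1001
1206000000.003 10.0.0.5:40001 > 192.168.1.10:80 A seq=1001 ack=5001
1206000000.100 10.0.0.5:40002 > 192.168.1.10:22 S seq=2000 ack=0
1206000000.101 192.168.1.10:22 > 10.0.0.5:40002 SA seq=6000 ack=2001
1206000000.102 10.0.0.5:40002 > 192.168.1.10:22 R seq=2001 ack=0
1206000000.200 10.0.0.5:40003 > 192.168.1.10:23 S seq=3000 ack=0
1206000000.201 192.168.1.10:23 > 10.0.0.5:40003 RA seq=0 ack=3001
"""
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\S+) seq=(\d+) ack=(\d+)$")

def parse_packets(log):
    out = []  # one dict per well-formed line; malformed lines are skipped
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        t, src, sp, dst, dp, flags, seq, ack = m.groups()
        out.append(dict(time=float(t), src=src, sport=int(sp), dst=dst,
                        dport=int(dp), flags=flags, seq=int(seq), ack=int(ack)))
    return out

def classify_sessions(log):
    """Who initiated each handshake and how far it got: established, half_open
    (initiator reset after the SYN/ACK), closed (responder sent RST) or no_response."""
    sessions = {}
    for p in parse_packets(log):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S" and fwd not in sessions:  # a new handshake begins
            sessions[fwd] = dict(state="no_response", initiator=p["src"],
                                 responder=p["dst"], syn_seq=p["seq"],
                                 synack_seq=None, established_at=None)
            continue
        s = sessions.get(fwd) or sessions.get(rev)
        if s is None:  # packet belongs to no handshake we saw start
            continue
        from_responder = p["src"] == s["responder"]
        # the SYN/ACK must acknowledge the initiator's ISN + 1 to belong to this handshake
        if from_responder and p["flags"] == "SA" and p["ack"] == s["syn_seq"] + 1:
            s["state"], s["synack_seq"] = "syn_acked", p["seq"]
        elif from_responder and "R" in p["flags"] and s["state"] == "no_response":
            s["state"] = "closed"
        elif not from_responder and s["state"] == "syn_acked":
            if p["flags"] == "A" and p["ack"] == s["synack_seq"] + 1:
                s["state"], s["established_at"] = "established", p["time"]  # third step
            elif "R" in p["flags"]:
                s["state"] = "half_open"
    return sessions
```

The established_at timestamp is the moment of the third packet, which is the answer to "when exactly did the intruder establish the connection" that a flags-only reading cannot give.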

“Having the knowledge to understand how a protocol such as DNS behaves would also allow you to spot a hacker removing documents from your network. After all, it would be rather unusual to see a prolonged series of packets on UDP/TCP Port 53 with a size of 1540 bytes. So we know that if a network gets hit with a zero-day hack or other such stealthy vector that we should still hopefully be able to uncover the attack by the hackers’ desire to move data from the network.

This investigative approach presumes that the corporate network is logging all traffic. Recording all data traffic is almost a necessity, as it is rather hard to confirm the veracity of any IDS or IPS alert if you have no packets to look at.”

Definitely. There is not much you can see or derive from snort syslog output: only the source and destination IPs and ports, together with the alert messages. How can you perform your analysis? How do you know whether the alerts really indicate that something malicious is happening, or whether they are false positives? I know there are limits on the effort that can go into storing all types of data. But to avoid this kind of confusion, we should at least have session data stored for analysis.
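To show what "at least session data" buys you, here is an added example (my own code, not from the article or the post) that collapses constructed packet summaries into bidirectional session records with only counts, sizes and timestamps, and then applies the heuristic from the quoted passage: a prolonged run of large packets on port 53 does not look like name resolution. The log format, sample packets and the thresholds (20 packets, average length 1000 bytes) are assumptions made for the example.

```python
import re

# Constructed packet summary lines (not a real capture), one packet per line:
# <epoch time> <proto> <src ip>:<port> > <dst ip>:<port> len=<packet length in bytes>
SAMPLE_LOG = "\n".join(
    ["1206000100.%03d udp 10.0.0.7:53021 > 203.0.113.9:53 len=1540" % i for i in range(40)]
    + ["1206000200.%03d udp 10.0.0.8:51000 > 192.168.1.2:53 len=78" % i for i in range(6)]
    + ["1206000200.%03d udp 192.168.1.2:53 > 10.0.0.8:51000 len=120" % i for i in range(6)])
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) > (\S+):(\d+) len=(\d+)$")

def summarize_sessions(log):
    """Collapse packets into bidirectional session records keyed by
    (proto, endpoint A, endpoint B): counts and sizes only, no payload kept."""
    sessions = {}
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        t, proto, src, sport, dst, dport, length = m.groups()
        a, b = (src, int(sport)), (dst, int(dport))
        key = (proto, min(a, b), max(a, b))  # same key for both directions
        s = sessions.setdefault(key, dict(first=float(t), last=float(t),
                                          packets=0, bytes=0, max_len=0))
        s["last"] = max(s["last"], float(t))
        s["packets"] += 1
        s["bytes"] += int(length)
        s["max_len"] = max(s["max_len"], int(length))
    return sessions

def flag_large_dns(sessions, min_packets=20, min_avg_len=1000):
    """Sessions touching port 53 whose packets are both numerous and large:
    a prolonged run of near-MTU packets is not what name resolution looks like.
    The thresholds are assumed values for this example, not from the article."""
    flagged = []
    for (proto, a, b), s in sessions.items():
        if 53 not in (a[1], b[1]):
            continue
        avg = s["bytes"] / s["packets"]
        if s["packets"] >= min_packets and avg >= min_avg_len:
            client, server = (a, b) if b[1] == 53 else (b, a)
            flagged.append(dict(proto=proto, client=client, server=server,
                                packets=s["packets"], avg_len=avg,
                                duration=round(s["last"] - s["first"], 3)))
    return flagged
```

The ordinary resolver traffic (twelve small packets) passes untouched, while the forty 1540-byte packets to port 53 are reported with the client, server, packet count and duration an analyst needs to confirm or dismiss an alert.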

“A lot can be done, however, by stressing the basics and leveraging existing knowledge. There is nothing magical or secretive in these methods. Even though the attacker may be very good, what comes in, must eventually come out. That is where you can almost certainly find them. Hackers that proclaim that they can come and go silently like the wind and bypass all network defenses are a threat only in the movies.”

Intruders Who Can Communicate with Victims Can Be Detected - how true it is. Every phase of a compromise shows that intruder activities can be viewed, monitored and detected. Intrusion is not magic. Intruders’ behaviour and methods can be studied and understood, provided that the defender knows what they are looking at, what they are looking for and where to look. The only time an intrusion goes undetected is when the alerts are not monitored properly or the analyst fails to understand the decision-making logic of the detection systems.

Again, let me put forward these three scenarios on the need to collect the right information and to have a skilled analyst:

*Without IDS*
An attacker attacks a workstation using 0-day exploits against 0-day vulnerabilities. The attack bypassed the firewalls, and its patterns didn’t match any rules in the IPS, so no blocking action was taken. The victim complains and all we can do is patch and proceed. But we never know what actually happened.

*With IDS without proper Collection Process*
An attacker attacks a workstation using 0-day exploits against 0-day vulnerabilities. The attack bypassed the firewalls, its patterns didn’t match any rules in the IPS, so no blocking action was taken, and they didn’t match any rules in the IDS, so no alerts were triggered. The victim complains and all we can do is patch and proceed. But we never know what actually happened.

*With IDS with proper Collection Process*
An attacker attacks a workstation using 0-day exploits against 0-day vulnerabilities. The attack bypassed the firewalls, its patterns didn’t match any rules in the IPS, so no blocking action was taken, and they didn’t match any rules in the IDS, so no alerts were triggered. The victim complains and we can start investigating with the data that was collected. We update the signatures and perhaps feed them to the IPS and IDS, and the information gathered can also be used for legal purposes.

~ No one is judged anymore by how they prevent incidents. Everyone gets hacked. Instead, organizations are judged by how they detect, respond, and recover ~


The article title is “Catch Them If You Can” and you can read it here.

What do you think?

One Response to “What say you?”

  1. on 21 Mar 2008 at 7:54 pm nz

    ooopss.. too long for me to read beb…
