Intrusion Detection Systems (IDS)

Adli Wahid

Role of Detection in Security
• Part of security monitoring
  o Violation of security policies
  o Indicators of compromise
  o Threat driven or vulnerability driven
  o What's happening on the network?
• Rules
  o Detection is based on rules
• Action: what do we do when a detection happens?
  o Alert and investigate
  o Drop / block

Perspective – Adversary Tactics and Techniques
• MITRE ATT&CK framework: https://attack.mitre.org
• Tactics – what are the goals of the adversary?
• Techniques – how do they do it?
• Subject to:
  o Resources
  o Platforms
• Can we use this knowledge for detection?
  o Observe adversary behaviour
  o Tactics, Techniques and Procedures (TTPs)
  o Deploy in prevention, detection, response
• (Figure) Your adversaries: motives, infrastructure, targets, behaviour – against your assets and your systems
Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf

Making Your Infrastructure Forensics Ready
• Detecting known or potentially malicious activities
• Part of the incident response plan
• If your infrastructure is compromised:
  o Can you answer the questions: what happened, and since when?
  o Can we 'go back in time', and how far back?
• What information do you need to collect and secure?
• Centralized logging

Intrusion Detection Systems
• An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
  Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.

Different Types of Intrusion Detection Systems
• Host based
• Network based
• (Figure) IDS technology landscape: preventive vs. real time

Host Based IDS
• A host-based IDS is capable of monitoring all or parts of the dynamic behaviour and the state of a computer system, based on how it is configured.
  o Which program accesses what resources
  o State of a system: has it been changed by intruders?
• Monitoring dynamic behaviour: who is doing what in a system
• Monitoring state: detect modifications

Host Based IDS (2)
• Techniques (source: https://wazuh.com)
  o System integrity check
  o Alerting
  o Vulnerability detection
  o Configuration assessment
  o Rootkit detection
  o Security policy
  o Active response
• OpenSCAP
  o OpenSCAP is an OVAL (Open Vulnerability and Assessment Language) and XCCDF (Extensible Configuration Checklist Description Format) interpreter used to check system configurations and to detect vulnerable applications.

Examples
• OSSEC: https://www.ossec.net
• Wazuh: https://www.wazuh.com
• Some other interesting projects
  o osquery: https://www.osquery.io/
  o Loki: https://github.com/Neo23x0/Loki
  o Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
• Key component: an agent or log/data shipper on the host

Network Based IDS
• Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network.
  o A NIDS performs an analysis of passing traffic on the entire subnet and matches the traffic it sees against a library of known attacks.
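The "monitoring state / detect modifications" technique of a host-based IDS, as an added example (this is illustration code, not OSSEC or Wazuh's implementation): a minimal file-integrity check that hashes a directory tree into a baseline and later diffs a fresh snapshot against it, reporting added, removed and modified files and permission changes. The directory contents and the simulated tampering are constructed in a temporary directory; the path names (sshd_config, passwd, cron.d/backdoor) are assumptions chosen to look like a real host.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Snapshot every regular file under root: sha256, size and mode bits.
    The returned dict is the 'known good' state. A real HIDS stores it
    off-host (or at least outside the monitored tree) so an intruder who
    owns the box cannot simply re-baseline after tampering."""
    snap = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = str(p.relative_to(root_path))
            snap[rel] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return snap


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots into the events a HIDS would alert on.
    A file whose content is unchanged but whose mode changed is reported
    separately: that is how a setuid bit or a world-writable config shows up."""
    events = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    events["added"] = sorted(new.keys() - old.keys())
    events["removed"] = sorted(old.keys() - new.keys())
    for rel in sorted(old.keys() & new.keys()):
        if old[rel]["sha256"] != new[rel]["sha256"]:
            events["modified"].append(rel)
        if old[rel]["mode"] != new[rel]["mode"]:
            events["mode_changed"].append(rel)
    return events


def demo() -> dict:
    """Constructed scenario (assumed file names, not a real host): baseline a
    fake /etc, then simulate an intruder who enables root SSH login, drops a
    cron job and makes passwd world-writable. The untouched 'helper' binary
    must not produce an event."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "passwd").chmod(0o644)
        (root / "helper").write_bytes(b"\x7fELF fake binary")
        (root / "helper").chmod(0o755)
        before = baseline(tmp)

        # simulated tampering
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backdoor").write_text("* * * * * root /tmp/.x\n")
        (root / "passwd").chmod(0o666)  # content unchanged, permissions loosened
        after = baseline(tmp)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The snapshot deliberately records mode bits alongside the hash: a content-only check would miss the passwd permission change, which is exactly the kind of "state of the system" modification the slide lists. Production tools add ownership, inode and timestamp fields and run the scan on a schedule or on inotify events.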
  o Detection method
    § Signature based
    § Anomaly based
• Examples (free / open source)
  o Snort
  o Suricata
  o Zeek (formerly Bro)

Limitations
• Noise
• False positives
• Signature management
  o Outdated signatures
  o 0-days (no signature exists yet)
• Can't compensate for weak authentication / identification
• Encrypted packets (payload cannot be inspected without decryption)

How to Monitor the Network?
• Network TAPs
  o A network TAP is a hardware device which provides a way to access the data flowing across a computer network.
  o The network TAP has (at least) three ports: an A port, a B port, and a monitor port.
  o A passive network TAP is a fully passive device.
  o Pros
    § Passive / fail safe
    § Exact duplicate of network traffic
  o Cons
    § Expensive
    § Requires physical infrastructure

Port Mirroring / SPAN Port
• Also known as SPAN (Switched Port Analyzer)
• A SPAN port is a dedicated port on a managed switch that takes a mirrored copy of network traffic off the switch to be sent to a monitoring device.
• Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
• Pros
  o Low cost, easy to deploy
  o Feature available in most managed switches
• Cons
  o Potential packet loss (the mirror port is oversubscribed as soon as the mirrored ports carry more traffic than it can forward)
  o Uses switch resources
  o An attacker with access to the switch can disable the SPAN / mirror port

Caveats of IDS
• "Alert fatigue": combing through false positives to find the one good alert can be a daunting task that quickly fills an analyst's plate.
• Administrators fail to keep alerts relevant
  o The IDS is seen as a system with many false positives
  o No maintenance is devoted to managing it, so coverage can be spotty
  o Rules/signatures are not up to date
• Analysts fail to understand rules
  o They don't have proper training on how to validate rules
  o They are not kept in the loop on specific rules that are of high importance
• The organization can't respond to problems generated by the IDS
  o Response policies are not in place
  o System administrators don't know where to look for issues
  o The security organization isn't empowered to respond to issues

Suricata

Suricata Intrusion Detection System
• Suricata is a high-performance network IDS, IPS and network security monitoring (NSM) engine.
• It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF).
• Suricata is developed by the OISF.
• The Suricata source code is licensed under version 2 of the GNU General Public License.

Suricata – History
• Beta release: December 2009
• First standard release: July 2010
• Features
  o Multi-threading
  o Automatic protocol detection
  o JSON standard output
  o File matching, logging, extraction, MD5 checksum calculation
  o DNS logger
  o etc.

In a Nutshell
• The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
• Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
• With standard input and output formats like YAML and JSON, integrations with existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases become effortless.

Rules Management
• It is important to have rules that are up to date.
• Management of rules is done by suricata-update.
• Within the configuration file there are variables for default-rules-path and rule-files:
• By default all rules are merged into a single file, suricata.rules.
• Rules can be enabled and disabled through suricata-update's configuration files:
  o /etc/suricata/enable.conf
  o /etc/suricata/disable.conf

Rules / Suricata
• Actions (i.e. alert or drop) are decided by rules.
• In most cases people use existing rulesets:
  o Emerging Threats
  o Talos/Cisco
  o https://github.com/suricata-rules/suricata-rules

Rules Format
• A rule/signature consists of the following:
  o The action, which determines what happens when the signature matches
  o The header, defining the protocol, IP addresses, ports and direction of the rule
  o The rule options, defining the specifics of the rule
• Example rule (Emerging Threats sid 2008124), referred to on the following slides:

drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)

Rules – Action
• What happens if the signature matches
• Options
  o pass
  o drop (IPS mode)
  o reject
  o alert
• The example rule uses drop; the same signature with alert only logs the match instead of blocking it:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)

Rules – Protocol
• In the example rule the protocol field is tcp.
• 4 protocols
  o tcp (for TCP traffic)
  o udp
  o icmp
  o ip (ip stands for 'all' or 'any')
• And some application layer protocols (detected by Suricata's protocol detection, independent of the port)
  o dns, http, smb, ssh, smtp, imap, tls, etc.

Rules – Source and Destination
• In the example rule the source is $HOME_NET and the destination is $EXTERNAL_NET.
• Source and destination of traffic
  o IP address / block (CIDR)
  o Can be set as:
    § Variables, defined under vars: address-groups in /etc/suricata/suricata.yaml
    § IP address (v4/v6) format
    § 'any'
    § Negation, i.e. ! can be used as well (e.g. !$HOME_NET)
  o Domain names cannot be used in the header; match them with application-layer keywords (e.g. dns.query, http.host) in the rule options instead.

Rules – Ports (Source and Destination)
• In the example rule both the source and destination port are any.
• Port number(s) can be applied to source and destination traffic
• Port helps to determine which application
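The action / header / options structure described on the Rules Format, Action, Protocol, Source and Destination, and Ports slides, as an added example that is not Suricata code: a small Python parser that splits the example rule into those three parts, resolves the $HOME_NET and $EXTERNAL_NET variables (the address groups below are assumed values of the kind set in suricata.yaml), and evaluates the header plus the content and pcre options against constructed IRC messages. It deliberately skips flow and flowbits, which need the per-flow state the real engine keeps, so it is an approximation of how the rule fires, not the engine's matching logic.

```python
import ipaddress
import re

# The example rule from the slides (Emerging Threats sid 2008124).
RULE = ('drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; '
        'flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; '
        'pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; '
        'classtype:trojan-activity; sid:2008124; rev:2;)')

# Assumed address groups, as they would be set under vars: address-groups in suricata.yaml.
VARS = {"HOME_NET": ["192.168.0.0/16", "10.0.0.0/8"], "EXTERNAL_NET": ["!$HOME_NET"]}

HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                       r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")


def split_options(s: str) -> list:
    """Split the option block on ';' while respecting quoted values."""
    out, cur, in_q, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and in_q and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if c == '"':
            in_q = not in_q
        if c == ";" and not in_q:
            if "".join(cur).strip():
                out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out


def parse_rule(text: str) -> dict:
    """Action + header fields + an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule")
    rule = m.groupdict()
    opts = []
    for item in split_options(rule.pop("opts")):
        key, _, val = item.partition(":")
        opts.append((key.strip(), val.strip().strip('"')))
    rule["options"] = opts
    return rule


def addr_matches(spec: str, ip: str) -> bool:
    """Header address field: 'any', $VARIABLE, [a,b,...] list, IP/CIDR, or ! negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return any(addr_matches(s, ip) for s in VARS[spec[1:]])
    if spec.startswith("["):
        return any(addr_matches(s.strip(), ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Header port field: 'any', a number, a lo:hi range (open-ended allowed), or ! negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Header first (protocol, addresses, ports, direction), then payload options.
    flow/flowbits are ignored here (assumption: no per-flow state in this toy)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    fwd = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    rev = rule["dir"] == "<>" and (
        addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
        and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))
    if not (fwd or rev):
        return False
    for key, val in rule["options"]:
        if key == "content" and val.encode() not in pkt["payload"]:
            return False
        if key == "pcre":
            body, _, flags = val[1:].rpartition("/")  # "/regex/flags" -> regex, flags
            if not re.search(body.encode(), pkt["payload"], re.I if "i" in flags else 0):
                return False
    return True


def demo() -> list:
    """Constructed IRC traffic (not a capture). Only the first packet should fire:
    the others fail on the regex, the direction, the destination network or the protocol."""
    bot = b"NICK [USA|XP]-123456\r\n"
    packets = [
        {"id": "bot-nick", "proto": "tcp", "src": "192.168.1.20", "sport": 51000, "dst": "203.0.113.5", "dport": 6667, "payload": bot},
        {"id": "human-nick", "proto": "tcp", "src": "192.168.1.20", "sport": 51001, "dst": "203.0.113.5", "dport": 6667, "payload": b"NICK alice\r\n"},
        {"id": "inbound", "proto": "tcp", "src": "203.0.113.5", "sport": 6667, "dst": "192.168.1.20", "dport": 51000, "payload": bot},
        {"id": "internal-only", "proto": "tcp", "src": "192.168.1.20", "sport": 51002, "dst": "10.1.1.1", "dport": 6667, "payload": bot},
        {"id": "udp", "proto": "udp", "src": "192.168.1.20", "sport": 51003, "dst": "203.0.113.5", "dport": 6667, "payload": bot},
    ]
    rule = parse_rule(RULE)
    return [(p["id"], rule["action"]) for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: $EXTERNAL_NET is defined as the negation of $HOME_NET, so an internal-to-internal IRC session never matches even with a bot-like nick, and the direction operator means the same payload arriving from the outside does not fire either. Both are properties of the header, decided before the content and pcre options are ever evaluated, which is also why the header is the cheapest place to cut false positives when tuning a ruleset.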