Transcript Guarding Against Network Intrusions

Chapter 4
Guarding Against Network
Intrusions
TRADITIONAL RECONNAISSANCE
AND ATTACKS
Sequential steps in directed
attacks
Reconnaissance to learn about the
target.
The attacker performs reconnaissance to
learn as much as possible about target
before the actual attack.
 pings and traceroutes can be used to
discover IP addresses and map the
network around the target.
 Pings are ICMP echo request and echo
reply messages that verify a host’s IP
address and availability.

Traceroute is a network mapping utility that takes
advantage of the time to live (TTL) field in IP
packets.
 Port scans can reveal open ports.
Ex: port 80 (HTTP), port 21 (FTP), port 23 (Telnet),
port 25 (SMTP).
 NMAP scanner can discover the operating system
running on a target.
 Knowledge of a target’s operating system can
help an attacker identify vulnerabilities and find
effective exploits.

Vulnerability scanning tests a target for
the presence of vulnerabilities.
 Vulnerability scanners typically contain a
database of known vulnerabilities that is
used to craft probes to a chosen target.

Compromise the target



The attacker attempts to compromise the
target through one or more methods like
password attacks.
If an attacker can obtain the password
file from the target, numerous passwordcracking tools are available to carry out a
brute-force password attack.
Default accounts and passwords intended to
set up the equipment will help intruders an
easy way to access the target.
Another common attack method is an
exploit attack code written to take
advantage of a specific vulnerability.
 Vulnerabilities are published through
security bulletins by several organizations
such as CERT ,MITRE and Microsoft.
 The severity of vulnerabilities is reflected
in the industry-standard Common
Vulnerability Scoring System (CVSS).

According to Symantec in 2007
 3% of vulnerabilities were highly severe
 61% were medium-severe
 36% were low-severe
Buffer overflows have been the most
common type of vulnerability.
 Buffer overflows arises when a program
has allocated a fixed amount of memory
space for storing data but receives more
data than expected.

The extra data will overwrite adjacent
parts of memory which could mess up
other variables or pointers.
 If an attacker crafts the extra data
carefully that benefits the attacker to
compromise the target.
 An attacker might overwrite the return
pointer in a stack, causing the program
control to jump to malicious code
inserted by the attacker.
•
SQL injection is a type of vulnerability
relevant to Web servers with a database
backend.
 An SQL injection vulnerability can arise if
user input is not properly filtered for string
literal escape characters ,it helps the
attacker manipulate the application running
on the database
 Servers have been attacked and
compromised by toolkits designed to
automate customized attacks.
Ex: MPack toolkit in Russia(2007)

Different exploits can be written and
loaded into Metasploit and then directed
at a chosen target.
 Metasploit is a popular Perl based tool for
developing and using exploits with an
easy-to-use Web or command-line
interface
• A common social engineering attack is
phishing.

Phishing starts with a spam message
that appears to be from a legitimate bank
or ecommerce business.
 The message provokes the reader into
visiting a fraudulent Web site pretending to
be a legitimate business.
 The fraudulent site might even have links
to the legitimate Web site ,thus tricked
into submitting valuable personal
information such as account numbers,
passwords.

Another social engineering attacks are
spam messages that entice the reader into
opening an email attachment.

Cover up and maintain covert control
After a successful attack, intruders want to
maintain remote control and evade
detection.
 Remote control can be maintained if the
attacker has managed to install any of a
number types of malicious software
 Intruders might change the system logs on
the target, which will likely contain
evidence of their attack.


A rootkit is a stealthy type of malicious
software designed to hide the existence of
certain processes or programs from
normal methods of detection.
Ex . kernel-mode FU rootkit that manipulates
kernel memory in Windows 2000, XP, and
2003.
 Intrusion Detection Systems (IDSs) are designed
to listen to network traffic and look for signs of
suspicious activities.

The intruder want to conceal the
communications between himself and the
compromised target from IDSs.
 Concealment methods are
 Tunneling -is a commonly used method to place
packets of one protocol into the payload of
another packet. Here the exterior packets serves
a vehicle to carry and deliver the “ interior ”
packet intact.
 Encryption is another obvious concealment
method.
 Fragmentation of IP packets is another means to
conceal the contents of messages from IDSs

MALICIOUS SOFTWARE
Malicious software which includes viruses
and worms.
 Viruses are pieces of code attached to a
normal file or program.
 Worms are standalone automated
programs.
 Viruses need a human action to spread
 Worms look for vulnerable targets across
the network and transfer a copy of
themselves.

An important feature of viruses and
worms is their capability to carry a
payload — malicious code that is
executed on a compromised host.
 Worms are popular delivery vehicles
because of their ability to spread by
themselves and carry anything in their
payload.
 The second class includes Trojan horses
and rootkits , they are characterized by
attempts to conceal themselves.

Trojan horses are a type of malware that
appears to perform a useful function but
hides a malicious function.
 Rootkits are hiding the presence of files
or processes from normal means of
detection.
 Rootkits are often installed as drivers
or kernel modules.


•
•
Third class includes remote access
Trojans (RATs) and bots.
RAT is sometimes interpreted as remote
administration tool because it can be
used for legitimate purposes by systems
administrators.
Ex:
Back Orifice, Netbus, and Sub7.
Bots are remote-control programs
installed covertly on innocent hosts.
 All bots under control of the same bot
herder form a botnet.
 One of the most publicized bots is the
Storm worm.
 Another major class of malware is
designed for data theft. This class includes
keyloggers and spyware.
 Keyloggers are planted by criminals on
unsuspecting hosts to steal passwords
and other valuable personal information.

Spyware is designed to monitor and
report user activities for the purposes of
learning personal information without the
user’s consent.
 Spyware might or might not display an
end-user license agreement (EULA)
before installation.

Lures and “ Pull ” Attacks
Sending malware through email can only
be seen as an attack attempt.
 The Web has become the primary vector
for infecting computers.
• Web-based attacks have significant
advantages for attackers.
• They are stealthier and not as “ noisy ” as
active attacks, making it easier to
continue undetected for a longer time.

A visitor will be attacked only once,
which makes the attack harder to detect.
 Web server can serve up different
attacks, depending on the visitor’s
operating system and browser.
 A phishing site is typically disguised as a
legitimate financial organization or
ecommerce business.
 Another attack is a malicious site
 that attempts to download malware
through a visitor’s browser, called a
drive-by download.


Pull-based attacks must attract visitors
to the malicious site while avoiding
detection by security researchers.
DEFENSE IN DEPTH
Defense-in-depth strategy is to hinder
the attacker as much as possible with
multiple layers of defense.
 A combination of multiple layers will
be more effective against unpredictable
attacks than will a single defense
optimized for a particular type of attack.
 Defense in depth is to involve people,
technology, and operations.

Include firewalls, IDSs, routers with ACLs,
antivirus software, access control, spam
filters etc..
 Preventive activities include vulnerability
assessments, software patching, system
hardening (closing unnecessary ports),
and access controls.

PREVENTIVE MEASURES
Access Control




Authentication of users
Authorization of their privileges
Auditing to monitor and record user actions
Authentication is the process of
verifying a user’s identity.
Ex.Password or PIN ,Smart card or token
finger print, retinal pattern, or biometric identifier

A combination of two factors, such as
a password and a fingerprint, called
two-factor (multifactor) authentication.
 Authorization is the process of
determining what an authenticated user
can do.


Ex. Permissions like read , write , execute

Auditing is necessary to ensure that users
are accountable. (Ex. Log file)
Vulnerability Testing and Patching
Vulnerabilities are being discovered
constantly in different ways and reported
confidentially to the vendor.
 Vulnerability testing is an exercise to probe
systems for known vulnerabilities.

Closing ports:

Port numbers 1 to 1023 are well known
and assigned by the Internet Assigned
Numbers Authority (IANA) to
standardized services running with root
privileges.
Port numbers 1024 to 49151 are used by
various applications with ordinary user
privileges.
 It is good practice to close ports that
are unnecessary, because attackers can use
open ports.
Firewalls :
• A firewall selectively allows or blocks
incoming and outgoing traffic.
• Various types of firewalls: packet-filtering
firewalls, stateful firewalls, and proxy
firewalls.

Packet-filtering firewalls analyze packets
in both directions and either permit or
deny passage based on a set of rules.
Antivirus and Antispyware Tools:

Challenges faced by antivirus software:
• Malware tactics are sophisticated and constantly
evolving.
• Even the operating system on infected hosts cannot
be trusted.
• Malware can exist entirely in memory without affecting
files
• Malware can attack antivirus processes.
• Users can be annoyed and turn the antivirus off.
Detection can be Signature based or
behavior based.
 It is analyzed for unique characteristics
that can be described in a signature.
 Behavior-based detection looks at what
malware tries to do.
 We must define what is suspicious
behavior, or what is normal behavior.

Spam Filtering
Spam is unsolicited, sent in bulk, and
commercial in nature.
 Spam is a popular vehicle to distribute
malware and lures to malicious Web sites.
 Spam filters work at an enterprise
level and a personal level.
 Bayesian filtering is one of the more
popular techniques. An incoming
message is parsed into tokens, and
calculates token probabilities based on
Bayes ’ theorem

Honeypots
The basic idea of a honeypot is to learn
about attacker techniques by attracting
attacks to a seemingly vulnerable host.
 Requirements:
• A honeypot should not be used for
legitimate services or traffic.
• A honeypot should have comprehensive
and reliable capabilities for monitoring
and logging all activities.
• A honeypot should be isolated from
the real network.

Network Access Control

The general idea of Network Access
Control (NAC) is to restrict a host from
accessing a network unless the host can provide
evidence of a strong security posture.
INTRUSION MONITORING AND
DETECTION
Host-Based Monitoring
 Host-based IDS runs on a host and
monitors system activities for signs of
suspicious behavior.
Draw backs:• Visibility is limited to a single host
• IDS process consumes resources and
reduces the performance of the host.
• Attacks will not be seen until they have
already reached the host.
Traffic Monitoring
Network-based IDSs typically monitor
network packets .
 Advantages over host based Detection

• Network-based IDSs can see traffic for a population of
hosts
• They can recognize patterns shared by multiple hosts.
• They have the potential to see attacks before they
reach the hosts
Signature-Based Detection (SBD)
SBD depends on patterns that uniquely
identify an attack.
 The central issue is how to define
signatures.
Ex: Snort
Drawbacks:
•
•
•
New attacks can be missed if a matching signature is not
known.
Signatures require time to develop for new attacks.
New signatures must be distributed continually.
Behavior Anomalies
A behavior-based IDS recognize new
attacks without a known signature.
 The critical issue is how to define
normal behavior and suspicious behavior.
 Major challenges:
•
•
•
Normal behavior is based on past behavior hence
past behavior must be available for training the IDS.
IDS approach must be adaptive because behavior change
over time.
Anomalies are just unusual events, not necessarily be
malicious.
Intrusion Prevention Systems
 An intrusion prevention system (IPS )
automatically reconfiguring firewalls to
block an attack.
REACTIVE MEASURES
Quarantine :
Logically disrupting the connectivity between
hosts or networks as a means to impede the
malware from spreading further.
Traceback:
Problems faced in tracing the attacker:
Source address in IP packets can be easily spoofed
• Routers are stateless by design and do not keep records
of forwarded packets.
• Attackers can use a series of intermediary hosts
(called stepping stones or zombies ) to carry out their
attacks.
•
Conclusions:






To guard against network intrusions, we must
understand the variety of attacks.
Direct attacks are prevalent but Pull attacks are
much more difficult to uncover.
Defense in depth is a most practical defense
strategy.
One of the essential defenses is intrusion
detection .
Host-based and network-based intrusion
detection systems have their respective
strengths and weaknesses.
Research continues to be needed to improve
intrusion detection.
End of Chapter 4