It would be nice if most intrusions were detected, but they are not.
Let's take a quick look at some practical facts.
- Determined intrusion attempts are usually successful.
- Most intrusions happen from the inside by insiders.
- Intrusions can happen from the outside without having an interactive session on an inside system.
- Most intrusions are neither detected nor prevented.
Those are depressing facts. Unfortunately it gets worse.
Dealing with Complexity
There are a wealth of tools, techniques, experts, courses, and books that are focused on intrusion detection. Yet, despite all of these resources, most Internet sites have no intrusion detection infrastructure and are only prepared to notice generic intrusion attempts. There are a number of reasons for this dichotomy.
- Fundamentally, intrusion detection is not as easy as it looks.
- It requires a significant amount of configuration and testing time to deploy intrusion detection software that works well and most organizations do not adequately budget for and plan the time to do it.
- Most intrusion systems require software development to make them work in your environment. Many organizations do not have adequate development skills and even if they do, those resources are often dedicated to other priorities.
- Successful intrusion detection environments can only be built by experts with a detailed understanding of the exact resources that are deployed. Finding people who are genuine experts on many different services, protocols, applications, vendors, and operating systems is extremely difficult.
- The only way to develop a detailed understanding of what is 'normal' in your environment and the thresholds and conditions that would identify abnormal behavior is through an iterative process of capturing and analyzing production quality network traffic. Again, this requires a lot of time and effort.
- There are dozens of incredibly easy-to-use tools that will look for or attempt to exploit hundreds of intrusion vulnerabilities. Many of these tools are not detected by intrusion systems and many have detection avoidance mechanisms built into them (e.g., packet fragmentation, protocol tunneling, and URL encoding).
If you have been involved with working on an intrusion detection system, you understand these challenges and difficulties. Let's take a quick look at some ways to make things better.
There are a myriad of ways in which intrusions happen. However, some ways are more prevalent than others. Many organizations make the mistake of trying to go from having essentially no intrusion detection to comprehensive intrusion detection in one big step. It doesn't work. Successful IDS deployments are an evolutionary process.
The best way to immediately improve your intrusion detection system is to focus on common problems first because, unfortunately, most existing intrusion detection packages do not cover many of these areas.
Of course, the single most frequent intrusion type is the email virus. There is no need to belabor this point.
- ADVICE: You should have virus detection software on every single system and you should update the virus database daily.
- ADVICE: You should check both incoming and outgoing email and attachments for problems and you should scan every single writeable media daily.
Web Server Infrastructure
One of the most common and easy to duplicate types of intrusions is exploiting well-known web server distribution files. Every web server distribution (Microsoft IIS, Apache or iPlanet/Netscape) comes with a collection of files used by the server itself, management software, example programs and configuration scripts. Over time, people figure out that some of these files are actually exploitable and can yield data or access to the web server system. These vulnerabilities are normally exploited by simply knowing the correct URL to plug into your browser.
There is a class of programs that look for these well-known files called CGI-scanners. These programs poke at the web server, using standard HTTP requests, looking for these files. Some of these scanners are dumb (they simply issue a request for every single exploitable file) and some of them are quite smart (e.g., if it discovers it is an Apache web server it does not look for IIS files). The better CGI-scanner programs look for hundreds of files (e.g., Whisker).
- ADVICE: You should get a CGI-scanner and run it against your own web site. You should run this program every time you update your web server and you should periodically get updated versions of the exploit database that the program uses.
- ADVICE: You should have an automated way to check your web server log files to see if anybody is running a CGI-scanner against you.
Another intrusion area that is usually ignored is the rootkit. A rootkit is a collection of programs, techniques, papers and references that show how to exploit, break into, or disable a system. There are different rootkits for almost every operating system (e.g., Linux, FreeBSD, Solaris or Windows). Even though most technical people have heard of rootkits, very few have actually taken the time to download, review, and understand the details of the kits applicable to their environment. Very few non-technical people have even heard of rootkits and they don't understand the inherent and obvious danger of these distributions.
- ADVICE: Download the rootkits for each of the various operating systems you deploy and review them to see what is applicable to your environment.
- ADVICE: Try the programs and exploits on your own systems and make sure you know how you might prevent, detect, or react to each one.
One final area that is often completely ignored when designing an intrusion detection system is modems. Modems are potentially the single easiest way to get access to private, internal information because they typically bypass every security mechanism you have and they exist on critical systems such as routers, firewalls, printers and desktop systems. Your own administrators and vendor support staff often use them to remotely manage or monitor important services. These modem-based services are often not using any type of encryption, they often do not require any authentication other than dialing the number, and the actions are almost never logged.
- ADVICE: Periodically call (i.e., dial or 'war dial') all your phone numbers to create an inventory of which ones have modems attached to them and the type of service they offer.
The Last Word
Effective intrusion detection is difficult. In most organizations, it is a project that takes several years to get right, with much of the time dedicated not to technology, but to understanding what is 'normal' traffic for the environment. While the finish line is far away, it is easy to get started in the right direction. By focusing on the basics and addressing the common intrusion areas first, you will be able to quickly make progress in detecting the root cause for many successful intrusions.
Brad Johnson is vice president of SystemExperts Corporation (www.systemexperts.com), a provider of network security consulting services.