
Monday, January 15, 2007

Operational Traffic Intelligence System Woes

Recently I posted thoughts on Cisco's Self-Defending Network. Today I spent several hours on a Cisco Monitoring, Analysis and Response System (MARS) trying to make sense of the data for a client. I am disappointed to report that I did not find the experience very productive. This post tries to explain the major deficiencies I see in products like MARS.

Note: I call this post Operational Traffic Intelligence System Woes because I want it to apply to detecting and resisting intrusions. As I mentioned earlier, hardly anyone builds real intrusion detection systems. So-called "IDS" are really attack indication systems. I also dislike the term intrusion prevention system ("IPS"), since anything that seeks to resist intrusion could be considered an "IPS." Most available "IPS" are firewalls in the sense that anything that denies activity is a policy enforcement system. I use the term traffic intelligence system (TIS) to describe any network-centric product which inspects traffic for detection or resistance purposes. That includes products with the popular labels "firewall," "IPS," and "IDS."

Three main criticisms can be made against TIS. I could point to many references but since this is a blog post I'll save that heavy lifting for something I write for publication.

  1. Failure to Understand the Environment: This problem is as old as dirt and will never be solved. The root of the issue is that in any network of even minimal size, it is too difficult for the TIS to properly model the states of all parties. The TIS can never be sure how a target will decipher and process traffic sent by an intruder, and vice versa. This situation leaves enough room for attacks to drive a Mack truck through, e.g., they can fragment at the IP / TCP / SMB / DCE-RPC levels and confuse just about every TIS available, while the target happily processes what it receives. Products that gather more context about targets improve the situation, but there are no perfect solutions.

  2. Analyst Information Overload: This problem is only getting worse. As attackers devise various ways to exploit targets, TIS vendors try to identify and/or deny malicious activity. For example, Snort's signature base is rapidly approaching 10,000 rules. (It's important to realize Snort is not just a signature-based IDS/IPS. I'll explain why in a future Snort Report.) The information overload problem means it's becoming increasingly difficult (if not already impossible) for security analysts to understand all of the attack types they might encounter while inspecting TIS alerts. SIM/SEM/SIEM vendors try to mitigate this problem by correlating events, but at the end of the day I want to know why a product is asking me to investigate an alert. That requires drilling down to the individual alert level and understanding what is happening.

  3. Lack of Supporting Details: The vast majority of TIS continue to be alert-centric. This is absolutely crippling for a security analyst. I am convinced that the vast majority of TIS developers never use their products on operational networks supporting real clients with contemporary security problems. If they did, developers would quickly realize their products do not provide the level of detail needed to figure out what is happening.


In brief, we have TIS that don't/can't fully understand their environment, reporting more alerts than an analyst can understand, while not providing enough details to satisfy operational investigations. I did not even include usability as a critical aspect of this issue.

How does this apply to MARS? It appears that MARS (like other SIM/SEM/SIEM) believes that the "more is better" approach is the way to address the lack of context. The idea is that collecting as many input sources as possible will result in a system that understands the environment. This works to a certain limited point, but what is really needed is comprehensive knowledge of a target's existence, operating system, applications, and configuration. That level of information is not available, so I was left with inspecting 209 "red" severity MARS alerts for the last 7 days (3099 yellow, 1672 green). Those numbers also indicate information overload to me. All I really want to know is which of those alerts represent intrusions? MARS (and honestly, most products) can't answer that question.

The way I am usually forced to determine if I should worry about TIS alerts is manual inspection. The open source project Sguil provides session and full content data -- independent of any alert -- that lets me know a lot about activity directly or indirectly related to an event of interest. With MARS and the like, I can basically query for other alerts. Theoretically NetFlow can be collected, but the default configuration is to collect NetFlow for statistical purposes while discarding the individual records.

If I want to see full content, the closest I can get is this sort of ASCII rendition of a packet excerpt. That is ridiculous; it was state-of-the-art in 1996 to take a binary protocol (say SMB -- not shown here but common) and display the packet excerpt in ASCII. That level of detail gives the analyst almost nothing useful as far as incident validation or escalation.

(Is there an alternative? Sure, with Sguil we extract the entire session from Libpcap and provide it in Ethereal/Wireshark, or display all of the content in ASCII if requested by the analyst.)

The bottom line is that I am at a loss regarding what I am going to tell my client. They spent a lot of money deploying a Cisco SDN but their investigative capabilities as provided by MARS are insufficient for incident analysis and escalation. I'm considering recommending augmentation with a separate product that collects full content and session data, then using the MARS as tip-off for investigation using those alternative data sources.
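The tip-off approach described above, as an added example that is not code from Sguil, MARS or the original post: take one alert, pull the independently collected session records around it, and answer the questions the alert alone cannot (did the target respond, did it start new connections afterwards, where else did the source go). The alert, the NetFlow-like session records, the field names and the five-minute window are constructed assumptions.

```python
"""Pivot from a single TIS alert to independently collected session records.

Added example, not code from Sguil, MARS or the original post. The alert and
the NetFlow-like session records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    dport: int
    sig: str


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    src_bytes: int  # bytes sent by src
    dst_bytes: int  # bytes sent by dst


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed alert: a signature fired on one packet of one flow.
ALERT = Alert(_t("2007-01-12 14:03:11"), "10.1.5.23", "192.0.2.10", 445,
              "SMB exploit attempt (constructed sample)")

# Constructed session records, collected regardless of whether any alert fired.
SESSIONS: List[Session] = [
    # the flow the alert fired on; the target sent data back, so it processed the traffic
    Session(_t("2007-01-12 14:03:09"), _t("2007-01-12 14:03:14"),
            "10.1.5.23", 49152, "192.0.2.10", 445, 4820, 1150),
    # the target opening a new connection back to the source after the alert
    Session(_t("2007-01-12 14:03:20"), _t("2007-01-12 14:11:02"),
            "192.0.2.10", 50321, "10.1.5.23", 8443, 98000, 120),
    # the source moving on to a neighbouring host
    Session(_t("2007-01-12 14:04:01"), _t("2007-01-12 14:04:03"),
            "10.1.5.23", 49153, "192.0.2.11", 445, 900, 400),
    # same endpoints an hour earlier: not the triggering flow
    Session(_t("2007-01-12 13:10:00"), _t("2007-01-12 13:10:05"),
            "10.1.5.23", 49001, "192.0.2.10", 445, 700, 300),
    # unrelated traffic
    Session(_t("2007-01-12 14:05:30"), _t("2007-01-12 14:05:31"),
            "10.1.7.4", 40000, "192.0.2.50", 80, 500, 2000),
]


def triggering_sessions(alert: Alert, sessions: List[Session]) -> List[Session]:
    """Sessions whose endpoints match the alert and whose lifetime spans the alert time."""
    return [s for s in sessions
            if s.src == alert.src and s.dst == alert.dst and s.dport == alert.dport
            and s.start <= alert.ts <= s.end]


def related_sessions(alert: Alert, sessions: List[Session],
                     window: timedelta = timedelta(minutes=5)) -> List[Session]:
    """Other sessions touching either host within +/- window of the alert, oldest first."""
    lo, hi = alert.ts - window, alert.ts + window
    hosts = {alert.src, alert.dst}
    trig = set(triggering_sessions(alert, sessions))
    return sorted((s for s in sessions
                   if s not in trig
                   and (s.src in hosts or s.dst in hosts)
                   and s.start <= hi and s.end >= lo),
                  key=lambda s: s.start)


def summarize(alert: Alert, sessions: List[Session],
              window: timedelta = timedelta(minutes=5)) -> Dict[str, object]:
    """Answer what the alert alone cannot: did the target respond, did it start
    talking afterwards, and where else did the source go?"""
    trig = triggering_sessions(alert, sessions)
    related = related_sessions(alert, sessions, window)
    return {
        "target_replied_bytes": sum(s.dst_bytes for s in trig),
        "new_target_outbound": [s for s in related
                                if s.src == alert.dst and s.start > alert.ts],
        "source_fanout": sorted({s.dst for s in related
                                 if s.src == alert.src and s.dst != alert.dst}),
    }


if __name__ == "__main__":
    summary = summarize(ALERT, SESSIONS)
    print(f"{ALERT.sig}: target replied with {summary['target_replied_bytes']} bytes")
    for s in summary["new_target_outbound"]:
        print(f"  target initiated {s.src}:{s.sport} -> {s.dst}:{s.dport} at {s.start}")
    print(f"  source also contacted: {summary['source_fanout']}")
```

Against real data the same three questions are what turn an alert count into a decision to escalate or close; the alert only says a signature matched.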

Are you stuck with similar products? How do you handle the situation? Several of you posted ideas earlier, and I appreciate hearing more.


Copyright 2007 Richard Bejtlich

Thursday, May 05, 2005

Risk, Threat, and Vulnerability 101

In my last entry I took some heat from an anonymous poster who seems to think I invent definitions of security terms. I thought it might be helpful to reference discussions of terms like risk, threat, and vulnerability in various documents readers would recognize.

Let's start with NIST publication SP 800-30: Risk Management Guide for Information Technology Systems. In the text we read:

"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system."

The document outlines common threats:

  • Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

  • Human Threats: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).

  • Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage.


I see no mention of software weaknesses or coding problems there. So how does NIST define a vulnerability?

"Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."

The NIST pub's threat-vulnerability pairings table makes the difference between the two terms very clear:



SP 800-30 talks about how to perform a risk assessment. Part of the process is threat identification and vulnerability identification. Sources of threat data include "history of system attack, data from intelligence agencies, NIPC, OIG, FedCIRC, and mass media," while sources of vulnerability data are "reports from prior risk assessments, any audit comments, security requirements, and security test results."

The end of SP 800-30 provides a glossary:


  • Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

  • Threat-source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

  • Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

  • Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.


For those of you in Microsoft-only shops, consider their take on the problem in The Security Risk Management Guide. Chapter 1 offers these definitions:

  • Risk: The combination of the probability of an event and its consequence. (ISO Guide 73)

  • Risk management: The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.

  • Threat: A potential cause of an unwanted impact to a system or organization. (ISO 13335-1)

  • Vulnerability: Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.


Microsoft then offers separate appendices with common threats and vulnerabilities. Their threats include catastrophic incidents, mechanical failures, malicious persons, and non-malicious persons, all with examples. Microsoft's vulnerabilities include physical, natural, hardware, software, media, communications, and human. Microsoft clearly delineates between threats and vulnerabilities by breaking out these two concepts.

I'd like to add that the comment on my earlier posting said I should look up "threat" at dictionary.com. I'd rather not think that "security professionals" use a dictionary as the source of their "professional" understanding of their terms. Still, I'll debate on those grounds. The poster wrote that dictionary.com delivers "something that is a source of danger" as its definition. Here is what that site actually says:

  1. An expression of an intention to inflict pain, injury, evil, or punishment.

  2. An indication of impending danger or harm.

  3. One that is regarded as a possible danger; a menace.


Remember what we are debating here. I am concerned that so-called "security professionals" are mixing and matching the terms "threat" and "vulnerability" and "risk" to suit their fancy.

Here's vulnerability, or actually "vulnerable":

  1. Susceptible to physical or emotional injury.

  2. Susceptible to attack: “We are vulnerable both by water and land, without either fleet or army” (Alexander Hamilton).

  3. Open to censure or criticism; assailable.

  4. Liable to succumb, as to persuasion or temptation.


You'll see both words are nouns. But -- a threat is a party, an actor, and a vulnerability is a condition, a weakness. Threats exploit vulnerabilities.

Finally, risk:

  1. The possibility of suffering harm or loss; danger.


Risk is also a noun, but it is a measure of possibility. These are three distinct terms. It is not my problem that I define them properly, in accordance with others who think clearly! I am not inventing any new terms. I'm using them correctly.

I'd like to thank Gunnar Peterson for reminding me of the NIST and Microsoft docs.

Friday, September 26, 2008

VizSec and RAID Wrap-Up

Last week I attended VizSec 2008 and RAID 2008. I'd like to share a few thoughts about each event.

I applaud the conference organizers for scheduling these conferences in the same city, back-to-back. That decision undoubtedly improved attendance and helped justify my trip. Thank you to John Goodall for inviting me to join the VizSec program committee.

I enjoyed the VizSec keynote by Treemap inventor Ben Shneiderman. I liked attending a non-security talk that had security implications. Sometimes I focus so strictly on security issues that I miss the wider computing field and opportunities to see what non-security peers are developing.

I must admit that I did not pay as much attention to the series of speakers that followed Prof Shneiderman as I would have liked. Taking advantage of the site's wireless network, I was connected to work the entire day doing incident handling. I did manage to speak with Raffy Marty during lunch, which was (as always) enlightening.

One theme I noticed at VizSec was the limitation of tools and techniques to handle large data sets. Some people attributed this to the Prefuse visualization toolkit used by many tools. Several attendees said they turn to visualization approaches because their manual analysis methods fail for large data sets. They don't need visualization tools which also croak when analyzing more than several hundred thousand records.

I also noticed that much visualization work for security tends to focus on IP addresses and ports. That is nice if you are limited to analyzing NetFlow records or other session data, but most of the excitement these days exists as log files, URLs, or layer 7 content. Perhaps just when the researchers have figured out a great way to show who is talking to whom, it won't matter much anymore. Clients will all be talking to the cloud, and the action will be within the cloud -- beyond the inspection of most clients.

One presentation which I really liked was Improving Attack Graph Visualization through Data Reduction and Attack Grouping (.pdf) by John Homer, Xinming Ou, Ashok Varikuti and Miles McQueen. I thought their paper addressed a really practical problem, namely reducing the number of attack paths to those most likely (and logically) used by an intruder. I believe the speaker was unnecessarily criticized by several participants. I could see this approach being used in operational networks to help security staff make defensive and detective decisions.

At the end of the day I participated in a poster session by virtue of being a co-author of Towards Zero-Day Attack Detection through Intelligent Icon Visualization of MDL Model Proximity with Scott Evans, Stephen Markham, Jeremy Impson and Eric Steinbrecher. Scott and Stephen work at GE Research, and I plan to collaborate with them for our internal security analysis.

Following VizSec I attended two days of RAID, or the 11th Recent Advances in Intrusion Detection conference. Five years ago I participated in the 6th RAID conference and posted my thoughts. In that post I noted comments by Richard Stiennon, months after his 2003 comments that IDS was "dead":

"Gateways and firewalls are finally plugging the holes... we are winning the arms race with hackers... the IDS is at the end of life."

I found those comments funny on their own, and in light of the recent story Intrusion-prevention systems still not used full throttle: survey:

Network-based intrusion-prevention systems are in-line devices intended to detect and block a wide variety of attacks, but the equipment still is often used more like an intrusion-detection system to passively monitor traffic, new research shows...

[Richard] Stiennon -- who created some controversy five years ago while a Gartner analyst when he declared IDSs "dead” -- says this Infonetics survey gives him fuel to fan the flames of criticism once again.

“IDS should be dead because it’s still a failed technology,” Stiennon says, expressing the view that simply logging alerts about attacks is almost always a pointless exercise. “IPS equipment should be doing more to block attacks.”


The fundamental problem was, is, and will continue to be, the following:

If you can detect an attack with 100% accuracy, of course you should try to prevent it. If you can't, what else is left? Detection.

I continue to consider so-called "intrusion detection systems" to really be attack indication systems. It's important to try to prevent what you can, but to also have a system to let you know when something bad might be happening. This subject is worthy of a whole chapter in a new book, so I'll have to wait to write that argument.

Overall, I felt that a lot of the RAID talks were divorced from operational reality. Several attendees addressed this subject with questions. Too many researchers appear to be working on subjects that would never see the light of day in real networks.

Monday, November 26, 2007

Controls Are Not the Solution to Our Problem

If you recognize the inspiration for this post title and graphic, you'll understand my ultimate goal. If not, let me start by saying this post is an expansion of ideas presented in a previous post with the succinct and catchy title Control-Compliant vs Field-Assessed Security.

In brief, too many organizations, regulators, and government agencies waste precious time and resources devising and auditing "controls," regardless of the effect these controls have or do not have on security. They are far too input-centric; they should become more output-aware. They obsess over recording conditions they believe may be helpful while remaining ignorant of the "score of the game." They practice management by belief and disregard management by fact.

Let me provide a few examples from one of the canonical texts used by the control-compliant crowd: NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems (.pdf). The following is an example of a control, taken from page 140.

SI-3 MALICIOUS CODE PROTECTION

Control: The information system implements malicious code protection.

Supplemental Guidance: The organization employs malicious code protection mechanisms at critical information system entry and exit points (e.g., firewalls, electronic mail servers, web servers, proxy servers, remote-access servers) and at workstations, servers, or mobile computing devices on the network. The organization uses the malicious code protection mechanisms to detect and eradicate malicious code (e.g., viruses, worms, Trojan horses, spyware) transported: (i) by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g., USB devices, diskettes or compact disks), or other common means; or (ii) by exploiting information system vulnerabilities. The organization updates malicious code protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures. The organization considers using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization also considers the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. NIST Special Publication 800-83 provides guidance on implementing malicious code protection.

Control Enhancements:
(1) The organization centrally manages malicious code protection mechanisms.
(2) The information system automatically updates malicious code protection mechanisms.


At first read one might reasonably respond by saying "What's wrong with that? This control advocates implementing anti-virus and related anti-malware software." Think more clearly about this issue and several problems appear.

  • Adding anti-virus products can introduce additional vulnerabilities to systems which might not have exposed themselves without running anti-virus. Consider my post Example of Security Product Introducing Vulnerabilities if you need examples. In short, add anti-virus, be compromised.

  • Achieving compliance may cost more than potential damage. How many times have you heard a Unix administrator complain that he/she has to purchase an anti-virus product for his/her Unix server simply to be compliant with a control like this? The potential for a Unix server (not Mac OS X) to be damaged by a user opening an email through a client while logged on to the server (a very popular exploitation vector on a Windows XP box) is practically nil.

  • Does this actually work? This is the question that no one asks. Does it really matter if your system is running anti-virus software? Did you know that intruders (especially high-end ones most likely to selectively, stealthily target the very .gov and .mil systems required to be compliant with this control) test their malware against a battery of anti-virus products to ensure their code wins? Are weekly updates superior to daily updates? Daily to hourly?


The purpose of this post is to tentatively propose an alternative approach. I called this "field-assessed" in contrast to "control-compliant." Some people prefer the term "results-based." Whatever you call it, the idea is to direct attention away from inputs and devote more energy to outputs. As far as mandating inputs (like every device must run anti-virus), I say that is a waste of time and resources.

I recommend taking measurements to determine your enterprise "score of the game," and use that information to decide what you need to do differently. I'm not suggesting abandoning efforts to prevent intrusions (i.e., "inputs.") Rather, don't think your security responsibilities end when the bottle is broken against the bow of the ship and it slides into the sea. You've got to keep watching to see if it sinks, if pirates attack, how the lifeboats handle rough seas, and so forth.

These are a few ideas.

  1. Standard client build client-side survival test. Create multiple sacrificial systems with your standard build. Deploy a client-side testing solution on them, like a honeyclient. (See The Sting for a recent story.) Vary your defensive posture. Measure how long it takes for your standard build to be compromised by in-the-wild Web sites, spam, and other communications with the outside world.

  2. Standard client build server-side survival test. Create multiple sacrificial systems with your standard build. Deploy them as a honeynet. Vary your defensive posture. Measure how long it takes for your standard build to be compromised by malicious external traffic from the outside world -- or better yet -- from your internal network.

  3. Standard client build client-side penetration test. Create multiple sacrificial systems with your standard build. Conduct my recommended penetration testing activities and time the result.

  4. Standard client build server-side penetration test. Repeat number 3 with a server-side flavor.

  5. Standard server build server-side penetration test. Repeat number 3 against your server build with a server-side flavor. I hope you don't have users operating servers as if they were clients (i.e., browsing the Web, reading email, and so forth.) If you do, repeat this step and do a client-side pen test too.

  6. Deploy low-interactive honeynets and sinkhole routers in your internal network. These low-interaction systems provide a means to get some indications of what might be happening inside your network. If you think deploying these on the external network might reveal indications of targeted attacks, try that. (I doubt it will be that useful due to the overall attack noise, but who knows?)

  7. Conduct automated, sampled client host integrity assessments. Select a statistically valid subset of your clients and check them using multiple automated tools (malware/rootkit/etc. checkers) for indications of compromise.

  8. Conduct automated, sampled server host integrity assessments. Self-explanatory.

  9. Conduct manual, sampled client host integrity assessments. These are deep-dives of individual systems. You can think of it as an incident response where you have not had indication of an incident yet. Remote IR tools can be helpful here. If you are really hard-core and you have the time, resources, and cooperation, do offline analysis of the hard drive.

  10. Conduct manual, sampled server host integrity assessments. Self-explanatory.

  11. Conduct automated, sampled network host activity assessments. I questioned adding this step here, since you should probably always be doing this. Sometimes it can be difficult to find the time to review the results, however automated the data collection. The idea is to let your NSM system see if any of the traffic it sees is out of the ordinary based on algorithms you provide.

  12. Conduct manual, sampled network host activity assessments. This method is more likely to produce results. Here a skilled analyst performs deep individual analysis of traffic on a sample of machines (client and server, separately) to see if any indications of compromise appear.


In all of these cases, trend your measurements over time to see if you see improvements when you alter an input. I know some of you might complain that you can't expect to have consistent output when the threat landscape is constantly changing. I really don't care, and neither does your CEO or manager!
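One way to turn the survival tests (steps 1 and 2) into a trendable "score of the game" is below. This is an added example, not code from the original post; the records are constructed, hypothetical measurements. The point a simple average would miss: a sacrificial host that survives the whole test window is a right-censored observation, and dropping it or treating it as "compromised at window end" distorts the comparison between postures. The Kaplan-Meier estimator keeps survivors in the at-risk set, which is why it is used here.

```python
"""Trend survival-test results ("score of the game") across defensive postures.

Added example, not code from the original post. Each record is one
sacrificial host from a survival test: its posture label, how many hours it
was exposed, and the hour at which it was compromised, or None when it
survived the whole window (a right-censored observation that must not be
dropped, or the metric flatters the weakest posture).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SurvivalRecord:
    posture: str                      # input being varied, e.g. "baseline"
    window_hours: float               # length of the exposure window
    compromised_at: Optional[float]   # hours until compromise; None = survived


# Constructed sample data (hypothetical measurements, not real results).
SAMPLE_RECORDS = [
    SurvivalRecord("baseline", 72.0, 4.0),
    SurvivalRecord("baseline", 72.0, 10.0),
    SurvivalRecord("baseline", 72.0, 10.0),
    SurvivalRecord("baseline", 72.0, 24.0),
    SurvivalRecord("baseline", 72.0, None),
    SurvivalRecord("hardened", 72.0, 30.0),
    SurvivalRecord("hardened", 72.0, None),
    SurvivalRecord("hardened", 72.0, None),
    SurvivalRecord("hardened", 72.0, None),
    SurvivalRecord("hardened", 72.0, None),
]


def _observed(r: SurvivalRecord) -> float:
    """Last hour at which the host was known to be uncompromised."""
    return r.window_hours if r.compromised_at is None else r.compromised_at


def kaplan_meier(records):
    """Kaplan-Meier survival curve as [(hour, P(still uncompromised))].
    Survivors stay in the at-risk set until the window ends."""
    event_times = sorted({r.compromised_at for r in records if r.compromised_at is not None})
    curve, survival = [], 1.0
    for t in event_times:
        at_risk = sum(1 for r in records if _observed(r) >= t)
        compromised = sum(1 for r in records if r.compromised_at == t)
        survival *= 1.0 - compromised / at_risk
        curve.append((t, survival))
    return curve


def median_survival(records):
    """First hour at which half the hosts are compromised; None if the
    window ended before that point."""
    for t, survival in kaplan_meier(records):
        if survival <= 0.5:
            return t
    return None


def summarize(records):
    """Per posture: hosts, compromises, compromise rate, median survival.
    Refuses mixed window lengths so the measurements stay comparable."""
    by_posture = {}
    for r in records:
        by_posture.setdefault(r.posture, []).append(r)
    summary = {}
    for posture, recs in by_posture.items():
        windows = {r.window_hours for r in recs}
        if len(windows) != 1:
            raise ValueError(f"{posture}: mixed windows {sorted(windows)}; measure consistently")
        hit = sum(1 for r in recs if r.compromised_at is not None)
        summary[posture] = {
            "hosts": len(recs),
            "compromised": hit,
            "compromise_rate": hit / len(recs),
            "median_survival_hours": median_survival(recs),
        }
    return summary


def improved(summary, before, after):
    """True when the output moved the right way after changing an input:
    lower compromise rate and a median survival at least as long
    (None, the median never reached inside the window, ranks highest)."""
    def med(p):
        m = summary[p]["median_survival_hours"]
        return float("inf") if m is None else m
    return (summary[after]["compromise_rate"] < summary[before]["compromise_rate"]
            and med(after) >= med(before))


if __name__ == "__main__":
    s = summarize(SAMPLE_RECORDS)
    for posture, stats in s.items():
        print(posture, stats)
    print("hardened improved on baseline:", improved(s, "baseline", "hardened"))
```

The `summarize` function refuses to mix window lengths inside one posture, which is the "measure consistently" criterion enforced in code rather than by convention; run the same window length each cycle and the per-posture rows can be compared directly across months.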

I offer two recommendations:

  • Remember Andy Jaquith's criteria for good metrics, simplified here.


    1. Measure consistently.

    2. Make them cheap to measure. (Sorry Andy, my manual tests violate this!)

    3. Use compound metrics.

    4. Be actionable.


  • Don't slip into thinking of inputs. Don't measure how many hosts are running anti-virus. We want to measure outputs. We are not proposing new controls.


Controls are not the solution to our problem. Controls are the problem. They divert too much time, resources, and attention from endeavors which do make a difference. If the indications I am receiving from readers and friends are true, the ideas in this post are gaining traction. Do you have other ideas?

Friday, October 27, 2006

Response to Daily Dave Thread

I don't subscribe to the Daily Dave (Aitel) mailing list, but I do keep a link to the archives on my interests page. Some of the offensive security world's superstars hang out on that list, so it makes for good reading.

The offensive side really made an appearance with yesterday's thread, where Dave's "lots of monkeys staring at a screen....security?" thread says:

My feeling is that IDS is 1980's technology and doesn't work anymore. This makes Sourcefire and Counterpane valuable because they let people fill the checkbox at the lowest possible cost, but if it's free for all IBM customers to throw an IDS in the mix then the price of that checkbox is going to get driven down as well.

First, it's kind of neat to see anyone speaking about "IDS" instead of "IPS" here. I think this reflects Dave's background working for everyone's favorite three letter agency. The spooks and .mil types (like me) tend to be the last people to even think about detection these days.

Second, it seems to be popular to think of "IDS" as strictly a signature-based technology, as Gadi Evron believes:

IDS devices are signature based and try to detect bad behaviour using, erm, a sniffer or equivalent.

That hasn't been true for a while, even if you're talking about Snort. Sure, there are tons of signatures, but they're certainly not just for content matching. If you're thinking about Bro, signatures aren't really even the main issue -- protocol anomaly detection is.

Python demigod Dave posts another message that is a little worrisome:

Making IDS part of a defense in depth strategy is giving it some credit for actually providing defense, which it doesn't do. The people who win the IDS game are the people who spend the least money on it. This is why security outsourcing makes money - it's just as worthless as maintaining the IDS yourself, but it costs less. Likewise, Snort is a great IDS solution because it does nothing but it does it cheaper.

The technology curve is towards complex, encrypted, asynchronous protocols. The further into time you look, the worse the chances are that sniffing traffic is an answer to anything.

The market is slowly realizing this technology's time has past, but in the meantime lots of people are making giant bus-loads of cash. Good for them. But IDS technology isn't relevant to a security discussion in this day and age and it's not going to be anytime soon.


I will agree that many commercial managed security monitoring services are worthless, to the extent that they are ticket- and malware-oriented. However, the idea that Snort "does nothing" is just wrong. Hopefully Dave is just being inflammatory to spur discussion. Sure, Snort is not going to detect an arbitrary outbound encrypted covert channel using port 443. That doesn't mean Snort isn't useful for the hundreds of other attack patterns still seen in the wild.

Since the majority of the posters to this thread are offensive, I doubt they have read any of my books. For example, reverse engineering guru Halvar Flake follows up with this insight:

I still agree with the concept of replacing an IDS with just a large quantity of tapes on which to archive all traffic. IDSs will never alert you to an attack-in-progress, and by just dumping everything onto a disk somewhere you can at least do a halfways-decent forensics job thereafter. Since everybody and his dog is doing cryptoshellcode these days you won't be all-knowing, but at least you should be able to properly identify which machine got owned first.

Welcome to network security monitoring, albeit at least a decade late. The fact that the criminal underground is using covert and encrypted channels now doesn't mean they weren't used 10 plus years ago, when smart people in the spook and .mil worlds needed a way to gain some sort of awareness of network activities by more dangerous adversaries.

Most respected IDS old-school critic Tom Ptacek isn't convinced:

I am waiting for someone to tell me the story about how an IDS saved their bacon. I'm not interested in the story about how it found the guy with the spyware infection or the bot installation; secops teams find those things all the time in their firewall logs and they don't freak out about it when they do.


The last times I manned a console full-time as a "SOC monkey," for the Air Force in 1998-2001 and at Ball Aerospace in 2001-2002, we found intrusions all the time. I expect several people in the #snort-gui channel where I idle on irc.freenode.net also have stories to share. I'll have more to say on this later.

Tom continues:

This "signature" vs. "real intrusion detection" thing is a big red herring. Intrusion detection has been an active field of research for over 15 years now and apart from Tripwire I can't point to anything operationally valuable it has produced.

This sounds like the "Snort is worthless" argument Dave proposed. Finally:

Halvar, when you figure out how to parallelize enough striped tape I/O to keep up with a gigE connection, then, Halvar, then I will respect you.

This is another common argument. Most every detection critic argues their pipes are too big to do any useful full content collection. Let's just say that is not a problem for everyone. Many, many organizations connect to the Internet using OC-3s (155 Mbps), fractional OC-3s, T-3s (45 Mbps) and below. Full content collection, especially at the frac OC-3 (say 60 Mbps) and lower, is no problem -- even for commodity hardware, if you use Intel NICs, a solid OS, and fast, large hard drives. Even if you drop some small percentage of the traffic, so what? What are the odds that you drop everything that is relevant to your investigation, all the time?

What if your pipes really are too big for full content collection, say in the core of the network? I would argue that's not the place to do full content collection, but let's say you are told to "do something" about detection in a high-bandwidth environment. That's where the other NSM data types come into play -- namely session data and statistical data. Can't save every packet, or you don't want to? Save sessions describing who talked to who, when, using what protocols and services, and how much data was transferred. That is absolute gold for traffic analysis, and it doesn't matter if it's encrypted. At the very least you can profile the traffic statistically.
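To show what "profile the traffic statistically" looks like on session data alone, here is an added example that is not code from the original post or from any NSM tool. It reads constructed flow records in an assumed CSV layout (start_epoch, protocol, source, source port, destination, destination port, bytes out, bytes in; the internal prefix 10.1.1. is likewise an assumption), builds a per-host profile, and applies two payload-independent checks that still work when every session is encrypted on port 443: one internal host contacting one external peer at a near-constant interval, and one internal host whose outbound volume dwarfs the median host.

```python
"""Profile session (flow) data statistically, with no payload inspection.

Added example, not code from the original post or from any NSM tool. The
records below are constructed; the CSV layout and the 10.1.1. internal
prefix are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Session:
    start: int        # epoch seconds of first packet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    bytes_out: int    # bytes from src to dst
    bytes_in: int     # bytes from dst to src


# Constructed sample: start_epoch,proto,src,sport,dst,dport,bytes_out,bytes_in
SAMPLE_SESSIONS = """\
1161950400,tcp,10.1.1.20,50123,198.51.100.7,443,1200,83000
1161950475,tcp,10.1.1.20,50124,203.0.113.5,443,2500,41000
1161950520,tcp,10.1.1.21,41000,198.51.100.7,80,900,12000
1161951300,tcp,10.1.1.21,41001,198.51.100.22,443,3100,67000
1161950400,tcp,10.1.1.77,33001,192.0.2.9,443,512,320
1161951000,tcp,10.1.1.77,33002,192.0.2.9,443,512,320
1161951600,tcp,10.1.1.77,33003,192.0.2.9,443,512,320
1161952200,tcp,10.1.1.77,33004,192.0.2.9,443,512,320
1161952800,tcp,10.1.1.77,33005,192.0.2.9,443,512,320
1161953400,tcp,10.1.1.77,33006,192.0.2.9,443,512,320
1161952000,tcp,10.1.1.31,60001,203.0.113.44,443,95000000,4000
"""


def parse_sessions(text):
    """Parse the assumed CSV layout; blank lines and # comments are skipped."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        sessions.append(Session(int(f[0]), f[1], f[2], int(f[3]),
                                f[4], int(f[5]), int(f[6]), int(f[7])))
    return sessions


def host_profiles(sessions, internal_prefix="10.1.1."):
    """Per internal host: session count, distinct external peers, bytes each way."""
    prof = defaultdict(lambda: {"sessions": 0, "peers": set(), "bytes_out": 0, "bytes_in": 0})
    for s in sessions:
        if not s.src.startswith(internal_prefix):
            continue
        p = prof[s.src]
        p["sessions"] += 1
        p["peers"].add(s.dst)
        p["bytes_out"] += s.bytes_out
        p["bytes_in"] += s.bytes_in
    return dict(prof)


def beacon_candidates(sessions, min_count=5, max_jitter=0.1):
    """(src, dst, dport, interval) tuples contacted at a near-constant interval.
    Only timing is used, so encryption of the payload is irrelevant."""
    starts_by_key = defaultdict(list)
    for s in sessions:
        starts_by_key[(s.src, s.dst, s.dport)].append(s.start)
    found = []
    for key, starts in starts_by_key.items():
        if len(starts) < min_count:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        typical = median(gaps)
        if typical > 0 and max(abs(g - typical) for g in gaps) <= max_jitter * typical:
            found.append((*key, typical))
    return found


def upload_outliers(profiles, factor=10):
    """Hosts whose total outbound volume exceeds `factor` times the median host."""
    if not profiles:
        return []
    typical = median(p["bytes_out"] for p in profiles.values())
    return sorted(h for h, p in profiles.items() if p["bytes_out"] > factor * typical)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    profiles = host_profiles(sessions)
    for host, p in sorted(profiles.items()):
        print(host, p["sessions"], "sessions", len(p["peers"]), "peers",
              p["bytes_out"], "out", p["bytes_in"], "in")
    print("beacon candidates:", beacon_candidates(sessions))
    print("upload outliers:", upload_outliers(profiles))
```

Neither check says what the traffic is; both give the analyst a host and a peer to pull the matching full content or, failing that, the surrounding sessions for. The thresholds (`min_count`, `max_jitter`, `factor`) are starting points to be tuned against the baseline of your own network rather than universal constants.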

The root of the problem with this discussion is the narrow idea that a magic box can sit on an arbitrary network and tell you when something "bad" happens. That absolutely won't be possible, at least not for every imaginable "bad" case. The "IDS" has been pigeonholed in the same way the "firewall" has -- as a product and not a real system.

A standard "IDS" isn't an "intrusion detection system" at all; it's an attack indication system. Snort gives you a hint that something bad might be happening. You need the rest of your NSM data to determine what is going on. You can also start with non-alert NSM data (as described in this war story) and investigate intrusions.

Similarly, a firewall isn't necessarily stopping attacks; it should be enforcing an access control policy.

A real detection system identifies deviations from policy, and perhaps should be called a network policy violation detector. A real network policy enforcement system prevents policy violations. The point is that neither has to be boxed into an appliance and sold as a "NPVD" or "NPES". (As you can see, acronyms which tend to accurately describe a system's functionality are completely marketing-unfriendly.)

I'll conclude by saying that I agree with Dave about "monkeys" staring at screens. Many of those sorts of analysts are not doing NSM-centric work that would truly discover intrusions. Yes, the network is a tough place to detect. However, I've argued before that in an age of ubiquitous kernel-mode rootkits, NSM is needed more than ever. If you can't trust a rootkit-controlled host to tell you what's happening, why would you ignore the network? Sure, the traffic could be covert, encrypted, and so forth, but if the pattern of activity isn't normal you can verify that at least something suspicious is happening.

It's time for another book.

Wednesday, September 06, 2006

Comment on Draft NIST Publications

Thanks to SANS I read this FCW story about new NIST draft publications, specifically Draft Special Publication 800-94, Guide to Intrusion Detection and Prevention (IDP) Systems (.pdf). I am worried about this document because it seems to imply that detection and prevention are equivalent functions. Recent Dark Reading stories like IDS/IPS: Too Many Holes? and IPS Technology: Ready for Overhaul have been critical of both technologies, but especially IPS.

Despite some vendor claims to the contrary, customers realize that the same inspection logic used to "detect intrusions" is supposed to be applied to the "prevent intrusions" problem. Since so-called "intrusion prevention" products were sold as devices that overcame "false positive" problems, many customers are disappointed and end up running their "IPS" in detect-only mode. From this perspective, it makes sense for NIST to lump IDS and IPS in the same category.

From an operational and consequences-based perspective, IDS and IPS are completely different. Management generally permits an IDS team with passive sensors to do just about anything it wants, shy of using RST tricks to deny traffic. Management does not take the same approach with IPS, since an IPS is just a smarter firewall. One bad IPS rule and business traffic is interrupted.

While on this subject, I consider it unfortunate that the terms IDS and IPS even exist. Neither describes the actual function of either device. IDS as used by the vast majority of people seldom "detects intrusions." Rather, the technology is an Attack Indication System.

IPS is even more poorly named. An IPS is just a layer 7 firewall, so I would just as soon call an IPS a smarter firewall.

Finally, I read this press release:

[McAfee] announced that it has been selected to be deployed as the standard network intrusion prevention solution for the U.S. Air Force. The Air Force will use McAfee® IntruShield Network Intrusion Prevention System (IPS) and McAfee IntruShield Security Manager appliances to provide comprehensive and proactive protection for its worldwide non-classified and classified networks. The task order was awarded by the Air Force's Combat Information Transport System (CITS) program office to prime contractor Booz Allen Hamilton under the U.S. Air Force NETCENTS contract.

I'm guessing this is the end of ASIM?

Wednesday, September 05, 2007

United Kingdom v China

In Japan v China I asked "Any guesses which will be the next country to reveal its fight against Chinese intelligence services?" Thanks to China targets UK with high-tech spy ring and China v the West: an ongoing digital struggle we have the answer. From the first article:

Several recent attempts to hack into British Government computer networks have been traced to China, Whitehall sources said today.

The attacks are part of a pattern in which China and Russia are switching from “old-fashioned espionage” techniques to electronic hacking into government computers to gain Britain’s military secrets, the sources added.

The growing threat from hacking was underlined yesterday when President Bush said he might raise the sensitive issue with Beijing when he meets President Hu Jintao, the Chinese leader, in Sydney tomorrow for an Asia-Pacific Economic Cooperation (Apec) summit.

Asked to respond to allegations that China’s People’s Liberation Army had hacked into a computer system in the office of Robert Gates, the US Defence Secretary, Mr Bush said: “I’m very aware that a lot of our systems are vulnerable to cyber attack from a variety of places.”

He acknowledged he did not have the intelligence “at my fingertips” on the latest hacking allegations, but he said: “In terms of whether or not I’ll bring this up to countries ... from which there may have been an attack, I may.”


From the second article:

Mr Preatoni, who founded Zone-h.org, which monitors digital attacks, said that he was told three years ago of an attack on the European Parliament’s computer network that originated from hackers based in the Jiangsu Province of China. The attack appeared too sophisticated to be the work of script kiddies and cyber gangsters. To Mr Preatoni’s thinking, it was the first clear indication of a state-sponsored Chinese hack.

Like those who attacked the Pentagon, the hackers who targeted the European Parliament picked as their weapon of choice a Trojan – a program, often attached to an e-mail, that attempts to take control of part of a computer network after being downloaded. This particular Trojan was programmed to look for Microsoft Excel and PowerPoint files, along with e-mails and “.doc” files on the Parliament web servers, Mr Preatoni said...

What worries Mr Preatoni are the attacks that go undetected. “We think that governments have the most sophisticated cyber defences on the planet,” he said. “This is the wrong assumption. In my work with governments, I see they face the same problems as the business world in securing their networks. There’s a lack of expertise. The machines aren’t properly administered. There are budget cuts. They face the same problems as the corporate world. They are hit by the same vulnerabilities.”
(emphasis added)

Now who is next?

Thursday, August 23, 2007

Experts: IDS is here to stay

Imagine my surprise when I read Experts: IDS is here to stay:

Conventional wisdom once had it that intrusion prevention systems (IPS) would eliminate the need for intrusion defense systems (IDS). But with threats getting worse by the day and IT pros needing every weapon they can find, the IDS is alive and well.

"IPS threatened to hurt the IDS market but IDS is better equipped to inspect malware," said Chris Liebert, a security analyst with Boston-based Yankee Group Research Inc. "IPS specializes in blocking, so each still have their own uses, and that's why IDS is still around."

IDS is now part of a larger intrusion defense arsenal that includes vulnerability management and access control technology. In fact, one analyst believes standalone IDS products will still be in demand five years from now while IPS technology will likely be folded in firewall products.

"In the long term, I do not think IPS devices will remain as separate products," said Eric Maiwald, a senior security analyst for Midvale, Utah-based Burton Group. "We see this happening already. All of the major firewall vendors offer some amount of IPS functionality in their products. At the same time, there is much firewall-like capability in the IPS products."

IDS products will probably remain as separate devices because of the need to monitor happenings on a network and monitor actions of other policy enforcement points, he said.
(emphasis added)

Wow, imagine that. Anyone who's read my books or this blog for any amount of time knows I've advocated this position for years. What's an "IPS" anyway? It's a filtering device, aka "firewall." What's an "IDS"? It's an attack or incident indication system. The two functions are completely different and should be separate. It's too late for me to say any more now, but I wanted to note this article before I forget I read it.

Tuesday, October 07, 2003

Sourcefire Redefines Intrusion Detection

This morning Marty Roesch, CTO and founder of Sourcefire, launched a new road show, sponsored by IBM, to describe his company's Real-time Network Awareness technology. Here are my notes on Marty's talk, which he began by noting that "Sourcefire is a security company," not just an IDS company. What follows are Marty's main points, regardless of whether I agree or not. Any personal commentary is specifically noted.

  • Company

  • As a company, Sourcefire is firing on all cylinders. After being founded in Mar 01, they shipped their first IDS appliance in Nov 01, their 100th in Aug 02, their 1000th in Jun 03, and will ship their 2000th shortly. Projecting forward, they could be the #3 IDS vendor in terms of shipped units by year's end. Marty estimates 100,000 installations of the open source version of Snort.

  • Sourcefire received about $7.65 million in funding in Feb 02, and another $11 million in Feb 03. $8 million is cash in the bank. They were cash flow positive in Q3 of 03 and will be profitable in late Q1 of 04. During the last year, sales increased from $2.1 million to $23.2 million.

  • In Feb 02 Sourcefire employed 4 people. Within cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 last year cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y've grown from 22 to 90 employees, supporting 300 customers.


  • Detection Theory

  • IDS is "an automated system that monitors traffic on a network and based on defined rules/policies alerts administrators to possible intrusions, misuses, or defined malicious behavior."

  • The "fundamental mission" of IDS is data reduction, which is accomplished via stateful packet inspection and protocol anomaly detection.

  • IDS provides awareness (how is my network/security architecture working, and are policies enforced?) and analysis (when intrusions occur, what happened and how can I prevent future trouble?)

  • "Classic IDS" does not "protect" networks. (Amen!)

  • Other vendors hype "sensing technology," when data management is the real issue. Sourcefire has spent 5-6 man-years of research and development solving this issue.

  • Most IDSs operate in a "contextual vacuum," unaware of network architecture, assets, and their criticality. (My comment: without context, human analysts collect and analyze the data necessary to make decisions manually.)


  • Network Awareness

  • Active vulnerability assessment tools are limited. Their "intermittent picture" misses laptops, multi-OS systems, and assets reconfigured by intruders to be hidden. Scanning for all active services takes too long, so not all protocols, ports, and services are found. Active scanning disrupts availability and consumes bandwidth.

  • Passive discovery sees everything active on the network. It is "persistent" and "real-time," "all the time." It transforms traditional IDS into a "target-based IDS" by eliminating "nontextuals," or alerts without context.

  • Passive discovery also performs vulnerability and protocol/port/service profiling, change detection, and policy compliance monitoring. Using confidence models (percentages based on observed traffic, or decaying half-life models when nothing else is seen), one can answer questions like "What hosts run SSH on ports other than 22 TCP?" or "What hosts run vulnerable SSH services?"

  • Taken further, upon seeing an attack, the IDS can report if it sees a new protocol/port/service in time X, perhaps indicating installation of a back door.

  • An IDS supplemented by RNA technology is "self-tuning." Admins can assign priorities to their assets and tell an RNA-assisted Intrusion Prevention System (IPS) which actions to take against various threats. Responses range from simply alerting, to updating a policy on an access control device, to blocking packets or whole sessions.


  • The Next Generation

  • Next generation technology offers control (via firewall and traffic filter integration) and monitoring (via threat detection and policy enforcement).

  • The "Sourcefire Insight System" consists of (1) "IDP" (intrusion detection and prevention -- thanks Yen-Ming!) capable of IDS, threat monitoring, policy enforcement, and intrusion prevention; combined with (2) RNA, offering asset profiling, vulnerability assessment, behavioral analysis, network mapping, and policy enforcement, and (3) a console, doing correlation, policy optimization, and sensor management. An "inline" IDP to provide its own access control (like IPS) is being researched.

  • The Sourcefire console has two models, with the $18,000 box handling 40 million events and the ~$60,000 box handling 200 million events. Both use a proprietary embedded database that could handle 30,000 events per second before keeling over during the MSBlaster attacks.

  • RNA technology is designed to be lightweight so as to facilitate embedding it elsewhere. Upcoming platforms will offer two network ports, and future boxes will have six to seven.
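
To make the passive discovery ideas under Network Awareness concrete, here is an added example (my own illustration, not Sourcefire's RNA code) of a service profile whose confidence decays with a half-life when a service is not seen, answering "SSH on ports other than 22" and "new service on a host within time X of an alert". The observations, hosts, ports, the alert and the one-hour half-life are all constructed.

```python
# Added example (not Sourcefire's RNA code): passive service profiling with
# half-life confidence decay and a "new service after an alert" check.
# Observations, hosts, ports, the alert and the half-life are constructed.

# Constructed observations: (epoch_secs, server_ip, proto, server_port, banner)
FLOWS = [
    (0, "10.0.0.5", "tcp", 22, "SSH-2.0-OpenSSH_3.6"),
    (60, "10.0.0.5", "tcp", 22, "SSH-2.0-OpenSSH_3.6"),
    (120, "10.0.0.9", "tcp", 2222, "SSH-1.99-OpenSSH_3.4"),
    (130, "10.0.0.7", "tcp", 80, "Apache/1.3"),
    (8000, "10.0.0.7", "tcp", 31337, ""),  # first seen after the alert below
]
ALERTS = [(7900, "10.0.0.7")]  # constructed: (epoch_secs, attacked host)

class PassiveProfiler:
    def __init__(self, half_life=3600.0):  # assumption: confidence halves hourly
        self.half_life = half_life
        self.services = {}  # (host, proto, port) -> {conf, first, last, banner}

    def confidence(self, svc, now):
        # Exponential decay: halve for every half_life seconds since last sighting.
        return svc["conf"] * 0.5 ** (max(0.0, now - svc["last"]) / self.half_life)

    def observe(self, ts, host, proto, port, banner=""):
        svc = self.services.setdefault(
            (host, proto, port), {"conf": 0.0, "first": ts, "last": ts, "banner": ""})
        cur = self.confidence(svc, ts)
        svc["conf"] = cur + (1.0 - cur) * 0.5  # each sighting closes half the gap to 1
        svc["last"] = ts
        if banner:
            svc["banner"] = banner

    def active(self, now, threshold=0.3):
        # Services still believed present at `now`, i.e. not decayed below threshold.
        return {k: v for k, v in self.services.items()
                if self.confidence(v, now) >= threshold}

    def ssh_off_port_22(self, now):
        return sorted(h for (h, _, port), v in self.active(now).items()
                      if v["banner"].startswith("SSH-") and port != 22)

    def new_services_after(self, alert_ts, host, window):
        # Services whose first sighting on `host` falls within `window` s of the alert.
        return sorted((p, port) for (h, p, port), v in self.services.items()
                      if h == host and alert_ts < v["first"] <= alert_ts + window)

def build_profile(flows=FLOWS):
    prof = PassiveProfiler()
    for rec in flows:
        prof.observe(*rec)
    return prof
```

Three hours after its last sighting the port 2222 SSH service drops below the threshold and disappears from the answer, which is the decay the half-life model is meant to provide.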


Following the prepared talks, Marty gave a live demo of a beta version of RNA watching traffic from Sourcefire to the Internet. It could profile 40 unique services now. Visibility to hosts behind NAT and proxies is an issue, but research continues to address these issues. The product's visualization features actually looked useful, unlike other more expensive products I've seen. He showed nodes in cone trees, and hinted hyperbolic trees like those of CAIDA's walrus are forthcoming.

Overall, I highly recommend you sign up to see Marty speak. It's the clearest indication that Gartner has no clue regarding the future of IDS! If Gartner had done its homework, it might have read Ron Gula's 1999 paper on "Passive Vulnerability Detection," which explains many of the concepts put to operational use in RNA today. Ron's current implementation is NeVO.

Monday, June 21, 2010

All Aboard the NSM Train?

It was with some small amusement that I read the following two press releases recently:

First, from May, NetWitness® and ArcSight Partner to Provide Increased Network Visibility:

NetWitness, the world leader in advanced threat detection and real-time network forensics, announced certification by ArcSight (NASD: ARST) of compliance with its Common Event Format (CEF) standard. ArcSight CEF certification ensures seamless interoperability and support between NetWitness’ industry-leading threat management solution and ArcSight’s security information and event management (SIEM) platform.

Let me parse the market-speak. This is another indication that an ArcSight user can click on an event in the SIM console and access network traffic captured by NetWitness.

Second, from June, Solera Networks™ and Sourcefire™ Announce Partnership:

Solera Networks, a leading network forensics products and services company today announced its partnership with Sourcefire, Inc. (Nasdaq:FIRE), the creators of SNORT® and a leader in intelligent Cybersecurity solutions. Solera Networks can now integrate its award-winning network forensics technology directly into Sourcefire’s event analysis. The integration enhances Sourcefire’s packet analysis functionality to include full session capture, which provides detailed forensics for any security event. The partnership enables swift incident response to any security event and provides full detail in the interest of understanding “what happened before and after a security event?”

Martin Roesch, founder and CTO of Sourcefire. “There is a powerful advantage in being able to see the full content of every attack on your network. Network forensics from Solera Networks complements Sourcefire’s IPS and RNA products by letting you see everything that led up to and followed a successful prevention of an attack.”


This press release is a little clearer. This is an indication that a Sourcefire user can click on an event in the Sourcefire console and access network traffic captured by Solera.

This second development is interesting from a personal level, because it shows that the Network Security Model has finally been accepted by the developer (Marty Roesch) of what is regarded as the most popular intrusion detection system (Snort).

In other words, after over eight years of evangelizing the need to collect NSM data (at its core, full content, session, statistical, and alert data) in order to detect and respond to intrusions, we see Sourcefire partnering with Solera to pair full content network traffic with Snort alert data. It's almost enough to bring a tear to my eye. "Yo Adrian! I did it!"
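
The "click on an event and see what happened before and after" pivot both press releases describe boils down to a join between alert data and session data. As an added example (my own illustration, not code from Sourcefire, Solera, NetWitness or ArcSight), here it is over a constructed session index and a constructed Snort-like alert; the record fields, hosts and ten-minute context window are assumptions.

```python
# Added example (not Sourcefire, Solera, NetWitness or ArcSight code): the
# alert-to-full-content pivot described above, over constructed NSM records.
# Session records, the alert, hosts and the context window are all assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    start: int   # epoch seconds
    end: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pcap: str    # where the collector stored this session's full content

# Constructed session index, as a full-content collector would keep it.
SESSIONS = [
    Session(990, 1005, "192.0.2.10", 44123, "10.0.0.7", 80, "tcp", "s1.pcap"),
    Session(1000, 1003, "192.0.2.10", 44124, "10.0.0.7", 80, "tcp", "s2.pcap"),
    Session(1010, 1200, "10.0.0.7", 51000, "192.0.2.10", 9001, "tcp", "s3.pcap"),
    Session(1020, 1021, "10.0.0.8", 33000, "10.0.0.1", 53, "udp", "s4.pcap"),
    Session(5000, 5001, "192.0.2.10", 44200, "10.0.0.7", 80, "tcp", "s5.pcap"),
]

# Constructed alert in a Snort-like shape; the rule name is a placeholder.
ALERT = {"ts": 1001, "src": "192.0.2.10", "sport": 44124, "dst": "10.0.0.7",
         "dport": 80, "proto": "tcp", "msg": "EXAMPLE placeholder rule"}


def involves(s, a, b):
    # True when the session runs between hosts a and b in either direction.
    return {s.src, s.dst} == {a, b}


def pivot(alert, sessions, window=600):
    """Session the alert fired in, plus same host pair traffic before/after it."""
    key = (alert["src"], alert["sport"], alert["dst"], alert["dport"], alert["proto"])
    exact = [s for s in sessions
             if (s.src, s.sport, s.dst, s.dport, s.proto) == key
             and s.start <= alert["ts"] <= s.end]
    ctx = [s for s in sessions if involves(s, alert["src"], alert["dst"])
           and s not in exact]
    before = [s for s in ctx if alert["ts"] - window <= s.start < alert["ts"]]
    after = [s for s in ctx if alert["ts"] < s.start <= alert["ts"] + window]
    return {"alert_session": exact,
            "before": sorted(before, key=lambda s: s.start),
            "after": sorted(after, key=lambda s: s.start)}
```

The "after" list is where the value lies: the outbound session from the attacked host that follows the alert is exactly the kind of thing alert data alone never shows.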