RE: Anomaly Based Network IDS

From: christian graf (chr.graf_at_gmx.de)
Date: 06/24/04

    To: "Wozny, Scott (US - New York)" <swozny@deloitte.com>
    Date: Thu, 24 Jun 2004 08:00:08 +0200
    
    

    Hi All,

    An IDS should have many detection capabilities.
    Just think: if you are using an anomaly-based IDS only, what will it tell
    you in case of an attack or compromise?
    1) In the case of an unknown attack you will just see an alert that
    there is something strange happening. You neither know what is going on
    nor what kind of signs you have to look for if there is a successful
    compromise.
    2) It may happen that the anomaly-based IDS has overlooked the successful
    exploit, but captured the "backdoor". Not too bad; however, you still
    don't know how the attacker was able to defeat your security. And you
    still don't know the vulnerability which was exploited and how to fight
    against it.

    As Scott says, anomaly-based IDS is a real opportunity.
    In my eyes it is foolish to depend on anomaly-based IDS alone - anomaly-
    based intelligence is just a very useful add-on to signature-based IDS.

    christian

    On Tue, 2004-06-22 at 23:32, Wozny, Scott (US - New York) wrote:
    > Semantics aside, I find the smoke and mirrors aspect of this technology
    > fascinating. The bottom line is this. The heart of anomaly based IDS
    > is to tell you that your network traffic patterns (from what you're
    > feeding the device) are noticeably different today than they were
    > yesterday (or an hour ago or 5 minutes ago or whatever). While this is
    > an interesting value proposition it's an addition to, not a replacement
    > for, classical signature based IDS (or IPS if you're brave) that those
    > in the trenches rely upon every day to tell them who is knocking at
    > their doors and who brought in an infected laptop from home that's
    > raising hell on the intranet. If an exploit is released for a
    > vulnerability that isn't known in the security community (specifically
    > the signature-based vendors) yet then anomaly based IDS does have a real
    > opportunity to be your first warning that something is amiss. But keep
    > in mind that YOU need to tell it how sensitive to be to change and YOU
    > need to tell it how loud to yell when it sees something it finds odd and
    > YOU are going to need to baby-sit it.
    >
    > My 2 cents,
    >
    > Scott
    >
    > -----Original Message-----
    > From: Drew Copley [mailto:dcopley@eEye.com]
    > Sent: Tuesday, June 22, 2004 2:18 PM
    > To: Aaron Jordan; focus-ids@securityfocus.com; secdistlist@dauncey.net
    > Subject: RE: Anomaly Based Network IDS
    >
    > > -----Original Message-----
    > > From: Aaron Jordan [mailto:aaronj0rdan23@hotmail.com]
    > > Sent: Friday, June 18, 2004 2:14 PM
    > > To: focus-ids@securityfocus.com; secdistlist@dauncey.net
    > > Subject: Re: Anomaly Based Network IDS
    > >
    > > My company uses Lancope's StealthWatch for anomaly based network IDS.
    > > We are quite pleased with its ability to detect zero-day undocumented
    > > attacks on our network.
    >
    > Guys, as a "bugfinder", I have to tell you this... this vendor
    > is misleading you in regards to "zero day".
    >
    > From their site, the first bullet point they have up?
    >
    > "Defeat Zero-Day Attacks"
    >
    > That is extremely misleading.
    >
    > Here's an unbiased article:
    > Crying wolf: False alarms hide attacks
    > http://www.nwfusion.com/techinsider/2002/0624security1.html
    >
    > But, that guy was not even trying to address a claim like
    > "defeat zero day attacks". This crafty claim... for one
    > thing, it is extremely unlikely they have ever even found
    > one single zero day attack.
    >
    > [Unless they count putting in bugs in their own products,
    > then "finding" it.]
    >
    > "Zero Day" attacks... "zero day" means a newly discovered
    > security vulnerability not yet shown to the public. It is
    > impossible to know what it may be. Anyone that has spent much
    > time looking at past security bugs knows they could be anything.
    >
    > "Day One" attacks would involve security vulnerabilities just
    > released to the public. It used to be something like "Day Forty"
    > or so that an unknown vulnerability would become a worm. No one
    > uses this terminology, exactly, and today the time from bug
    > release to attacks is extremely non-static.
    >
    > Very rarely unfixed bugs which have been disclosed through Full
    > Disclosure have been called - with some right - "zero day".
    >
    > The number of actual "zero day" that anyone is actually familiar
    > with is extremely small. A webdav issue in IIS was being used
    > against Navy servers early last year. This year there was a spyware
    > distributor, just of late, who obviously bought some zero day and has
    > been using it. That is about it.
    >
    > Obviously, it is very likely that there is some zero day "floating
    > around"... in fact, every single bug finder that posts to Bugtraq
    > or Full Disclosure or NTBugtraq has "zero day".
    >
    > Because that is what their bugs are before they disclose them to anyone.
    >
    > There is a trend, there are more bugfinders today than there were
    > yesterday... but when I say "bugfinders" I do not mean "everyday QA".
    > There are hundreds, not thousands. And when I say "hundreds", I include
    > those that do not have much experience and whose skills are
    > lacking -- but they have potential.
    >
    > People can be trained to find security vulnerabilities. An
    > accomplished assembly language programmer could easily break into
    > the world of cracking and hacking and learn his way around after
    > a few years. Very ambitious individuals could learn their way
    > around. But, the field is well hidden from public view -- the
    > "script kiddy" is the glamorous hacker of media fame... and even
    > when one does understand this is the "core", one is a long way
    > from spending endless nights trying to find a high quality security
    > bug which has been missed by teams of QA and devel working for
    > years.
    >
    > These things said... someone with a "zero day" attack has an
    > unknown attack. A "golden key" to the systems, I like to say. There
    > are possibilities to find large classes of "zero day" attacks. We
    > do this in SecureIIS and have instituted the same functionality
    > in our upcoming Blink. We have had a lot of "zero day" with which
    > to test and design and develop these products.
    >
    > Rule based API guards can do a lot to protect against true
    > zero day attacks. Class based protection schemes can do a lot
    > against true zero day attacks. More importantly, these schemes
    > can help secure systems against new variants of known vulnerabilities
    > including every manner of virus or trojan... which is the most
    > common type of attack, and therefore, the most plausible.
    >
    > It is true the real "nightmare scenarios" of computer security
    > do involve zero day. There are likely some nightmare scenarios
    > of this caliber going on right now. I know I am aware of some over
    > the years. But, these scenarios almost always involve extremely
    > important "target" systems such as military, diplomatic, primary
    > routing systems, or extremely sensitive corporate systems.
    >
    > A very likely scenario, however, is a zero day worm which is
    > wildly propagated in the next few years... one made by individuals
    > who really want to destroy systems, like the Witty Worm of late.
    >
    > But, this does not remove the fact that you need to be up on
    > everyday attacks which do not utilize "zero day".
    >
    > Merely writing a new trojan or doing a "new hacking attack" is
    > a far cry from the true and generalized definition of the term
    > "zero day". If marketers are trying to pass off such definitions
    > as accurate, they are being highly deceptive.
    >
    > > We're easily able to see into our network to examine what is
    > > actually happening on it versus what should be happening on it.
    > >
    > > We evaluated a few of the other products in this space and decided
    > > on this one since it was the easiest to use.
    > >
    > > --my $.02
    > >
    > > AJ
    > > "802.3"
    > >
    >

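An added illustration of the distinction Scott and Christian draw (not code from any poster or from any product named in this thread): a toy anomaly detector whose only knob is the operator-chosen sensitivity, beside a signature matcher, both run over constructed connection counts and payloads. The anomaly alert can only report that a window deviates from its baseline; the signature alert names what it matched; and a modest deviation flips between alert and silence on the sensitivity setting alone.

```python
"""Toy anomaly-vs-signature detector, added for this thread; not code from any
poster or product. Counts, payloads and the one 'signature' are constructed."""
from statistics import mean, stdev

# Constructed baseline: outbound connections per 5-minute window from one
# host during a normal period (Scott's "yesterday").
BASELINE = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 14]
# Constructed signature table (pattern -> name); the pattern is a placeholder.
SIGNATURES = {b"DEMO-BACKDOOR-BEACON": "demo backdoor (constructed)"}

def anomaly_alert(count, baseline=BASELINE, sensitivity=2.0):
    """Flag a window more than `sensitivity` standard deviations from the
    baseline. The operator picks `sensitivity` (Scott's 'how sensitive to
    be'); the alert can only say 'unusual', never what the traffic is."""
    mu, sigma = mean(baseline), stdev(baseline)
    z = (count - mu) / sigma
    if abs(z) <= sensitivity:
        return None
    return {"kind": "anomaly", "identified": False, "z_score": round(z, 2),
            "detail": f"{count} connections vs baseline mean {mu:.1f}"}

def signature_alert(payload, signatures=SIGNATURES):
    """Report the first known pattern in the payload. Blind to anything not
    already in the table, but names what it found."""
    for pattern, name in signatures.items():
        if pattern in payload:
            return {"kind": "signature", "identified": True, "name": name}
    return None

def triage(count, payload, sensitivity=2.0):
    """Run both detectors on one traffic window; return the alerts raised."""
    alerts = [anomaly_alert(count, sensitivity=sensitivity),
              signature_alert(payload)]
    return [a for a in alerts if a is not None]

if __name__ == "__main__":
    scenarios = {  # constructed windows
        "quiet": triage(14, b"GET /index.html"),
        "unknown tool, 400 connections": triage(400, b"opaque-new-tool"),
        "known beacon, normal volume": triage(14, b"DEMO-BACKDOOR-BEACON"),
    }
    for label, alerts in scenarios.items():
        print(f"{label}: {alerts}")
    # Christian's case 2 is the second scenario: an alert exists, but nothing
    # in it says how the host was compromised. Scott's tuning point: the same
    # bump is an alert or noise depending only on sensitivity.
    print(anomaly_alert(17, sensitivity=2.0) is not None,   # True
          anomaly_alert(17, sensitivity=3.0) is None)       # True
```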
