POC: Wayne Campbell 402-293-3967 campbell_wayne@prc
Traditional Indications and Warnings for Host Based Intrusion Detection
Intrusion Detection Systems
• Network Based
  – external threat
  – commonly used
• Host Based
  – internal threat
  – 2% of corporate America uses
  – FBI survey - 86% had attacks by employees
Network Based IDS
• Packet Sniffer
• Signature or scenario based
  – historical protection
  – updated frequently
• Limited historical evidence
Host Based IDS
• Site specific
  – up front work required
• Analysis of audit or log data
• Real time or batch analysis
• Distributed processing
Indication and Warning Methodology
• Developed by military organizations
• Used to predict aggression by an enemy
  – extensive historical analysis
  – current trend analysis
• Repository of significant events
I&W Recent History
• Cold War
• United States Development
  – sophisticated alert system for tracking
  – determination of critical events
• Continuous analysis by experts
  – events and possible actions
  – prioritize and weigh events
I&W Warnings
• Multiple indicators must be triggered
  – sequence of events is irrelevant
  – indicators can set higher-level indicators
• Warnings of potential
  – prediction, not fact
  – snapshot in time, an estimate
I&W Warnings (cont'd)
• Strategic Decision Makers
  – experienced analyst
  – big picture view
• Defined/recommended actions
  – I&W data
  – supporting data
War on Cyber Crime
• Use I&W techniques to predict behavior
• Techniques are used in post-attack research
• Post-mortem
  – determine attack characteristics
  – physical, social engineering, system level
• Security Indications and Warnings (SIW)
Security Indications and Warnings
• Premise - historical events can be used as indicators of current activity
• Host-based Intrusion Detection
  – why? audit log analysis
  – network based possible
• Not scenario matching
Indicators
• Event or group of events
• Historically important events
• Building blocks of SIW
• Non-critical events
  – alone inconsequential
  – example: large number of prints occurring
Indicators (cont'd)
• Hierarchical
  – lowest level
    • barriers
    • boundaries
  – mid level
    • gauges (counters)
  – top level
    • criteria and indicators
Event Categories
• Security Organization
  – written site policy
  – derived and stated
• Why? Ease of rule generation
• Suggested Minimum
  – Administrative Limited Usage
  – Role Specific Daily/Routine
  – Policy Limits
Event Categories (cont'd)
• Prioritize events per category
• Cost vs. Performance
  – more events
    • slower response (volume)
    • costlier (time/resources)
  – limited events
    • threats undetected
  – balanced, manageable level
Barriers
• A computer resource or process that, when used, misused or compromised, suggests that a security breach or operating system misuse may be occurring or has been attempted.
  – operating system specific
  – security relevant
  – example: .rhosts file
Boundaries
• A computer resource or process that, when used, misused or compromised, indicates that the site’s security policy or normal operating procedures may have been violated.
  – operating system or application events
  – defined within site policy
  – example: accessing a restricted directory
Barriers and Boundaries
• Clearly and unambiguously activated
  – computer trends
  – level of significance
• Response definition
  – barriers - may require aggressive actions
  – boundaries - further investigation
• Both need to be monitored
Level of Significance
• All events are not created equal
  – weighing occurs naturally
  – importance defines significance
• Site defines and sets
• Unique or unusual events
  – quickly raise attention of security
• Example: production vs. development
SIW Approach
• Security Policy
• Response definition
• Categorizing of events
• Prioritizing events
• Barriers and Boundaries
• Rule generation
• Levels of significance
Policy Statement #1
• No user shall have direct access to the price files for job proposal submissions; access to these files is only permitted via the corporate directed tools.
  – all price files are in /proposal/prices
  – corporate tool is PropGen
  – price files have a “.ppf” extension
Policy Statement #2
• No individual shall be able to assume another user’s identity on any production machine. On development machines, developers may assume the “root” role.
  – IP range of dev. systems: 192.12.15.[0-20]
  – no direct login as root is permitted
  – “root” cannot change to a user’s ID
Policy Statement #3
• No user shall attempt to obtain root or administrative privileges through covert means.
  – prohibits attempts to get administrative privileges
  – stolen password
  – buffer overflows
  – operating system specific weaknesses
Statement #1 Responses
• Assumptions
  – copying, removing of price file prohibited
  – reading of price files, except by PropGen, is prohibited
  – accessing /proposal can be a sign of browsing
Statement #1 Responses (cont'd)
• Alert messages
  – Attempt to copy sensitive price schedules
  – Attempt to delete sensitive price schedules
  – Illegal access of the price schedules
  – Unauthorized browsing of restricted resources
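The Statement #1 responses above amount to a set of boundary rules: the policy names the directory, the tool and the file extension, and the response slide names the alert text for each violation. The following is an added example (not code from the presentation) that turns those statements into an audit-event evaluator. The directory /proposal/prices, the tool PropGen, the .ppf extension and the four alert messages come from the slides; the audit-event shape (user, process, operation, path), the operation names and the sample events are constructed for this example, as is the decision that copy and delete alert even when PropGen performs them (the slide lists them as prohibited without exception).

```python
"""Added example: boundary rules derived from Policy Statement #1."""
from pathlib import PurePosixPath

PRICE_DIR = PurePosixPath("/proposal/prices")   # all price files live here (slide)
PROPOSAL_DIR = PurePosixPath("/proposal")       # accessing it can be a sign of browsing (slide)
PRICE_EXT = ".ppf"                              # price file extension (slide)
CORPORATE_TOOL = "PropGen"                      # the only permitted reader (slide)

# Alert messages from the "Statement #1 Responses" slide, keyed by operation.
ALERTS = {
    "copy": "Attempt to copy sensitive price schedules",
    "delete": "Attempt to delete sensitive price schedules",
    "read": "Illegal access of the price schedules",
    "browse": "Unauthorized browsing of restricted resources",
}


def is_price_file(path):
    """True for a .ppf file directly or indirectly below /proposal/prices."""
    # Assumption: audit records carry resolved absolute paths. PurePosixPath
    # does not collapse "..", so an unresolved path could slip past this test.
    p = PurePosixPath(path)
    return p.suffix == PRICE_EXT and PRICE_DIR in p.parents


def under_proposal(path):
    """True for /proposal itself or anything below it."""
    p = PurePosixPath(path)
    return p == PROPOSAL_DIR or PROPOSAL_DIR in p.parents


def evaluate(event):
    """Return the alert text for one audit event, or None if no boundary was crossed.

    Reading of the slide's assumptions: copying or removing a price file is
    always prohibited; reading one is prohibited except by PropGen; any other
    access below /proposal by something other than PropGen counts as browsing.
    """
    op, path, proc = event["op"], event["path"], event["process"]
    if is_price_file(path):
        if op in ("copy", "delete"):
            return ALERTS[op]
        if op == "read" and proc != CORPORATE_TOOL:
            return ALERTS["read"]
        return None
    if under_proposal(path) and proc != CORPORATE_TOOL and op in ("read", "browse"):
        return ALERTS["browse"]
    return None


def alerts_for(events):
    """Run every event through the rules; keep only the ones that alerted."""
    out = []
    for e in events:
        msg = evaluate(e)
        if msg:
            out.append((e["user"], e["path"], msg))
    return out


# Constructed audit events (not from the slides).
SAMPLE_EVENTS = [
    {"user": "alice", "process": "PropGen", "op": "read", "path": "/proposal/prices/bid42.ppf"},
    {"user": "bob", "process": "cat", "op": "read", "path": "/proposal/prices/bid42.ppf"},
    {"user": "bob", "process": "cp", "op": "copy", "path": "/proposal/prices/bid42.ppf"},
    {"user": "bob", "process": "rm", "op": "delete", "path": "/proposal/prices/bid42.ppf"},
    {"user": "carol", "process": "ls", "op": "browse", "path": "/proposal"},
    {"user": "carol", "process": "cat", "op": "read", "path": "/proposal/README"},
    {"user": "dave", "process": "vi", "op": "read", "path": "/home/dave/notes.ppf"},
]

if __name__ == "__main__":
    for user, path, msg in alerts_for(SAMPLE_EVENTS):
        print(f"{user} {path}: {msg}")
```

Of the seven constructed events only the PropGen read and the .ppf file outside /proposal/prices pass silently; the other five each map to exactly one of the slide's alert messages, which is the one-to-many relation between a policy statement and its responses that the deck describes.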
Statement #2 Responses
• Assumptions
  – root logins are not permitted
• Alert messages
  – Illegal root login
  – Unauthorized use of su() command
  – Root assumed a user’s identity
  – Unauthorized transition to a new user ID
Statement #3 Responses
• Assumptions
  – all acquisition of root privileges should be made known to security personnel
• Alert messages
  – Illegal transition to root (buffer overflow)
  – Root shell attack has occurred
  – Undefined root acquisition
Defining Barriers
• Knowledgeable of basic system security
  – vulnerabilities
  – version specific data
• Know your system setup
  – What have you added? deleted?
Barrier Breakdown
• Audit daemon
  – primary barrier
• su() command
  – used to change effective UID
• Login Service
  – limits user login capabilities
Barrier Breakdown (cont'd)
• /etc/passwd
  – user information
• Development systems
  – IP address specific
• Audit ID
  – unique identifier
Boundary Breakdown
• “ppf” files
  – contain price schedules
• /proposal directory
  – repository of company sensitive data
• root privilege
  – limited to a few individuals
• PropGen application
Rule Generation
• Limitation of presentation paper
  – not all rules
  – not all circumstances
• Two step process
  – initial definition
  – refinement
Sample Rules
• Successful use of su() and “root” login at console
  – ba2 and ba3(root)
• Successful use of su() and not on a development machine
  – ba2 and not ba5
Sample Rules (cont'd)
• Successful use of su() and on the development platform and your current ID is not root
  – (ba2 and ba5) and not ba6(root)
Rule Threshold
• Numeric values as levels
• Trigger value assumption
  – ba2 = 5, ba3 = 1
  – ba5 = 4, ba6 = 3
• Level of Significance
  – SF = .25
Refined Equation
• ba2 and ba3 => 6
• ba2 and not ba5 => 9
• (ba2 and (ba5*SF)) and not ba6 => 12
  – allows 4 su() before alerting on development systems
  – alert message severity level
Advantages
• Proven methodology
• Flexibility
  – levels of significance
  – prioritization of events
• Multiple levels - one to many relation
• Attack signature is not required
• Historical analysis
Disadvantages
• Number of possible enemies to monitor
  – traditional I&W had a few enemies
  – SIW has potentially thousands of enemies
• System requirements
  – memory
  – disk space
Summary
• Consistent with IDS requirements
  – warns of potential attacks
• Implementation
  – manual
  – automatic
• Guidance for security professional