Intrusion Detection - The Big Picture – SANS GIAC
©2000, 2001
Intrusion Detection
The Big Picture – Part V
Stephen Northcutt
Intrusion Detection Roadmap - 3
What are the pieces and how they play together
• Vulnerability Scanners
• Response, automated and manual
– Manual Response
• Emergency Action Plan, 7 Deadly Sins
• Evidence preservation - Chain of Custody
• Threat Briefing - Know Your Enemy
– Ankle Biters
– Journeyman Hackers/ Espionage
– Cyberwar Scenario
In the next section, we are going to talk about vulnerability scanners and assessment tools, which
are one of the best ways to rapidly assess your security. They are hard to break down into functional
classifications the way we did with firewalls, proxies, packet filtering, and statefully aware. Perhaps
the most logical breakdown is commercial tools like ISS, NAI and the free, source-code tools, like
nmap and Nessus. Another breakdown is system scanner tools that run as a program to inspect the
operating system configuration, and network scanner tools that work across the network. There are
also tools that scan telephone lines for active modems. For this course, we are focused on the
network-based scanning tools and telephone scanners since they are the most applicable to
intrusion detection.
So, in this section we will cover the following topics:
• What are they generally
• Saint
• Nessus
• ISS Real Secure
• Scanning for modems - Phone Sweep
• Red Teaming
• Scanner warning
Vulnerability Scanners
What are they generally
• Target: scanners must only scan systems you own
• Scan: “test for services”, multiple ports on multiple machines
– May have knowledge of vulnerabilities and test to see if the vulnerability is present
• Report: provide results in a clear, understandable fashion
The cardinal rule of scanning or vulnerability assessment is to be certain to only scan systems that
you own and are authorized to scan. Otherwise, you will be setting off someone else’s intrusion
detection capability and that is hardly a good idea.
If you are shopping for a scanning toolset, it is reasonable to assume that any of the big three (ISS,
NAI, Symantec) scan for the same number of vulnerabilities. They will all come up with false
positives that have to be investigated manually. Before you plunk your money down, there are four
things you really want to consider:
• How is the product licensed? Is this flexible enough for your planned growth? Can it be
upgraded easily?
• How interoperable is the product? Is it fully Common Vulnerabilities and Exposures
(CVE) compliant?
• Can you easily compare the results of a scan today with the results of one four weeks ago,
or is this a manual process?
• Does your manager like the report output?
SARA (Security Auditor’s Research Assistant)
• Where to get it
• What does it do?
– Vulnerability scanner, web-based interface, based on Satan, community-donated modules
– Has some capability to determine probable trust relationships
SARA is a follow-on to SAINT, which was a follow-on to SATAN. It runs pretty well and is worth
trying if you are in a Unix shop. Though it is pretty safe as scanners go, be sure and test it in a lab,
or off-hours on a non-critical network before unleashing it on your network. It is fairly lightweight
compared to other products, but may be a great way to get started.
Nessus
• Where to get it?
• What does it do?
– Vulnerability scanner, more heavy-handed than Saint in our experience
SARA was a free tool and so is Nessus. This tool is better in the hands of someone that is
technically sophisticated. It is already a powerful scanner based on community-donated plug-ins. It
was also the fastest scanner in the Top Ten scanner evaluations.
Nmap
Nmap is my personal favorite. It is the most commonly used scanning tool on planet Earth, bar
none. It has a large number of scan modes and has a unique capability of operating system
detection. Different operating systems have made divergent choices in building their network
stacks, especially in areas that are not defined by RFC standards documents, or for fields that are
reserved for the future. OS detection tools intentionally send packets that write into reserved fields
or use illegal values in an effort to identify the operating system.
(Editor’s note: Nmap is available from www.insecure.org – Unix version; www.eeye.com – Windows version. – JEK)
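To make the “illegal values in reserved fields” idea concrete from the sensor’s side, here is an added example that is not part of the course material and not Nmap’s own code: it parses raw TCP headers from constructed sample packets and reports the header shapes a normal stack never emits, which is exactly what an intrusion detection rule for fingerprinting probes keys on.

```python
import struct

# TCP control bits (RFC 793 layout: 4-bit data offset, 6 reserved bits, 6 control bits).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(sport, dport, flags, reserved=0, data_offset=5):
    """Constructed sample: a minimal 20-byte TCP header with the given control
    bits and reserved bits. Sequence, ack and checksum are left at zero because
    the checks below only look at the offset/reserved/flags word."""
    word = (data_offset << 12) | ((reserved & 0x3F) << 6) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, word, 1024, 0, 0)

def tcp_probe_anomalies(header):
    """Return the reasons a TCP header looks like a crafted stack-fingerprinting
    probe rather than a segment a normal stack would send. Empty list = nothing odd."""
    if len(header) < 20:
        return ["truncated header"]
    _sport, _dport, _seq, _ack, word, _win, _csum, _urg = struct.unpack("!HHIIHHHH", header[:20])
    data_offset = word >> 12          # header length in 32-bit words, minimum 5
    reserved = (word >> 6) & 0x3F     # RFC 793 says these must be zero
    flags = word & 0x3F
    reasons = []
    if data_offset < 5:
        reasons.append("illegal data offset %d" % data_offset)
    if reserved:
        reasons.append("reserved bits set: 0x%02x" % reserved)
    if flags == 0:
        reasons.append("no flags (NULL probe)")
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        reasons.append("FIN+PSH+URG (Xmas probe)")
    if flags & (SYN | FIN) == (SYN | FIN):
        reasons.append("SYN+FIN together")
    return reasons

def triage(packets):
    """Run the checks over (label, header) pairs and keep only the packets with findings."""
    return {label: tcp_probe_anomalies(hdr) for label, hdr in packets if tcp_probe_anomalies(hdr)}

# Constructed samples: one ordinary SYN and four shapes no normal stack would send.
SAMPLES = [
    ("normal syn", build_tcp_header(40000, 80, SYN)),
    ("syn with reserved bits", build_tcp_header(40000, 80, SYN, reserved=0x03)),
    ("null", build_tcp_header(40000, 80, 0)),
    ("xmas", build_tcp_header(40000, 80, FIN | PSH | URG)),
    ("syn-fin", build_tcp_header(40000, 80, SYN | FIN)),
]

if __name__ == "__main__":
    for label, reasons in triage(SAMPLES).items():
        print("%-24s %s" % (label, "; ".join(reasons)))
```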
At this point we have briefly discussed three commercial tools and three freeware tools. If you run
Unix tools (and all KickStart students are supposed to have access to Linux and Windows), the free
tools - especially nmap - may be a great way for you to start. After all, in an organization of any
size, you have plenty to find and fix before you need a top-of-the-line commercial scanner.
Now, let’s think about phone scanning for a minute. Ever get a phone call, pick up the phone and
no one was there? You might have been scanned.
Phone Scanning for Vulnerability Detection
• Response for successful intrusion
detection is not clear.
– Defensive posture is difficult to maintain.
– Generally not criminal to call phone
numbers.
• Intrusion detection may not be possible.
• Scanning works - attackers use it!
• Threat of scanning acts as a deterrent.
Special thanks to Simson Garfinkel and the folks at Sandstorm (www.sandstorm.net) for the
permission to use the PhoneSweep slides.
Firewalls are not perfect, as we said, but when they fail it is more likely that they fail because of what
the folks on the inside do, as opposed to the firewall having a technical problem. We already talked
about users bringing up services on ports that are expected to be open for other reasons. Various
multimedia programs such as napster and gnutella make it easy to get files through a site’s defenses
and there are manuals on how to do this on the Internet. One other way that users can cause firewalls
to fail is by hooking their system up to a modem.
Next Sunday, take a minute to do some research. Pull the color ads in your area for the consumer
electronics stores such as Circuit City and the like. Check out the computers. What do they all have?
War Dialers
• Used by attackers to find dial-up modems.
• Many programs, widely available
– ToneLoc, The Hacker’s Choice, etc.
Well, what I notice about the ads (besides a price that is wrong by $400, because nobody in their
right mind is going to sign a contract with Microsoft Networks or CompuServe), is all the computers
have modems.
Eventually, someone, somewhere is going to hook that modem up. Modems have a “dial on
demand” mode, but they also have an auto-answer mode. This would be useful if you wanted to be
able to access your computer at work from your computer at home to download files.
The screen shot you see is for ToneLoc, probably the most popular wardialer. It will scan a range of
phone numbers looking for a modem on auto-answer. These systems can then be targeted.
Mitigating the War Dialer Threat
• Intrusion Detection Response:
– Monitor call logs at phone switch.
– Set up monitored modems on special
phone numbers (honeypot).
• Scanning Response:
– Proactively scan your own phone numbers.
– Take action when modems are found.
Your facility almost certainly has and will be scanned. The question is, what action are you willing
to take? The logical countermeasure is to scan your own phone lines on a regular basis. Now, this is
simple in theory, complex in practice. Your organization may have a person in charge of phones and
they may be able to help you. Be aware that Heating, Ventilation, And Cooling (HVAC - some folks
say Heating, Ventilation, Air Conditioning) and alarm systems may be active on your phone system,
and these numbers should be avoided. ToneLoc and most other scanners allow you to avoid number
ranges.
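One way to act on the slide’s “monitor call logs at phone switch” response, as an added example that is not from the course or from any product: it reads constructed call detail records and flags a caller that reaches many distinct extensions with very short calls inside a short window, which is what a war dialer sweeping a range looks like from the switch side. The record format (ISO timestamp, calling number, called extension, duration in seconds) is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call detail records in an assumed switch export format:
# ISO timestamp, calling number, called extension, call duration in seconds.
SAMPLE_CDR = """\
2001-03-10T02:14:05,5551234567,2000,4
2001-03-10T02:14:31,5551234567,2001,3
2001-03-10T02:14:58,5551234567,2002,5
2001-03-10T02:15:22,5551234567,2003,4
2001-03-10T02:15:49,5551234567,2004,3
2001-03-10T02:16:15,5551234567,2005,4
2001-03-10T09:03:11,5559876543,2107,312
2001-03-10T11:47:02,5550001111,2200,45
2001-03-10T11:52:40,5550001111,2200,12
"""

def parse_cdr(text):
    """Parse the constructed CDR lines into (time, caller, called, seconds) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, called, seconds = line.split(",")
        rows.append((datetime.fromisoformat(ts), caller, called, int(seconds)))
    return rows

def find_sweeps(rows, window=timedelta(minutes=10), min_numbers=5, max_seconds=30):
    """Flag callers that reach at least `min_numbers` distinct extensions with
    calls of at most `max_seconds` inside any `window`. Many short calls to
    different numbers in quick succession is the switch-side signature of a sweep."""
    short_calls = defaultdict(list)
    for ts, caller, called, seconds in rows:
        if seconds <= max_seconds:
            short_calls[caller].append((ts, called))
    sweeps = {}
    for caller, calls in short_calls.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            reached = {ext for ts, ext in calls[i:] if ts - start <= window}
            if len(reached) >= min_numbers:
                sweeps[caller] = {"first_seen": start, "extensions": sorted(reached)}
                break
    return sweeps

if __name__ == "__main__":
    for caller, info in find_sweeps(parse_cdr(SAMPLE_CDR)).items():
        print(caller, info["first_seen"], info["extensions"])
```

The thresholds are starting points; tune the window and call length against a week of your own switch logs before alerting on them.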
PhoneSweep: Commercial Scanner
• A Telephone Scanner, not a War Dialer
– 4 modems
– System ID
– Penetration
– Repeatable scans
– 80+ page manual
– Supported
Many organizations are uncomfortable using hacker code to attack their own sites because of the risk
of embedded malicious code. Also, the documentation on some underground code is not the best.
Technical support can be dicey from hacker locations. These are some of the factors that cause some
organizations to prefer commercial software with phone support, printed manuals…and someone to
sue if things go wrong.
Select Modems
An example of a commercial scanner is PhoneSweep shown on this slide. Notice that it can run
multiple modems in parallel; it turns out that phone scanning is really slow!
Specify Dialing Times
(PhoneSweep relies on the system clock for accurate time & day of the week.)
[Screenshot: dialing-time schedule, hours outside Business Hours]
With a commercial tool, you tend to get more flexibility in settings. For instance, you might want to
consider scanning at night in case people leave their modems on auto-answer when they leave work.
It is nice to have this capability, but scanning when you are not there can be dangerous. Another
high end feature to look for is the ability to detect fax machines.
Telephone Scanning Summary
• Any large site probably has modems that they do not know about
• Remember the “Legion” slide
• Slow, slow, slow, think seriously about the parallel modem option
• Doesn’t seem to distinguish between faxes and modems as well as I had hoped
To summarize the phone scan section, this is something you should seriously consider doing.
Remember that example in the firewalls section, of the facility that was compromised because of a
user accessing the Internet via a modem and ISP? Unfortunately, phone scanning will only detect
modems on auto-answer. Many organizations have digital phones, and so analog lines require special
permission; this certainly limits how many numbers you need to test. Commercial tools have some
significant advantages. On the other hand, ToneLoc is simple and very well tested!
How to Do a Vulnerability Scan
• Get permission, explain what you are doing, “finding our vulnerabilities before attackers do”
• Put out the word ahead of time, publish your phone number; people don’t like surprises
We will close this section with a discussion of the general principles of scanning. Note well,
vulnerability scanning can be hazardous to your career. The difference between a hacker and a
penetration tester is permission! Be certain that you have it. If you are just starting a scanning
program in your organization, you probably want written permission.
Things can go very wrong when you are scanning. I have crashed a number of systems - I’ve
already mentioned the mockup of a Navy warship – and my friend John Green has a whole Navy
base to his credit! We both did this with simple vulnerability assessment tools. People will be a lot
more forgiving if you warn them ahead of time and make sure it is easy for them to find you. If you
are not in the office or people do not know how to contact you, then you could create a serious
problem for your organization and therefore yourself.
How to Do a Scan (2)
• Click target selection, choose a system, tell it to expand to the subnet
• Heavy scan, but do not allow Denial of Service scan (at least at first)
• Only scan when you are in the office by the phone
• Fix the red “priority” problems first
There is no point in configuring the scanner to hit all of your addresses unless you are in a small
organization. Do a subnet at a time, a workgroup at a time, whatever makes sense. This way you
don’t have an overwhelming number of vulnerabilities to fix.
If you do scan the whole facility, you will have a huge list of problems and everyone will talk about
fixing them, but it never gets past the promises stage. This is very dangerous. After you run the scan
on a large scale, you get a huge printout of all the problems and some of them are flagged as “very”
serious, some “just” serious and so forth. You present it to management, tell them it is the end of life
as we know it if they aren’t fixed. They agree, they task people, there are meetings, everyone agrees
to get things fixed and you run into deadlines and emergencies and they never get fixed. Now you
can’t play that card again - after all, the organization is still in business! If you run another scan, no
one will take it that seriously.
Therefore – scan a small section. Start with your own shop. Fix the problems, and move on.
There is another approach, called the Top Ten Project. A number of scanners, including SARA and
Nessus, have scanning modes that only look for the Top Ten vulnerabilities. This way, you only
have to deal with the most serious problems first. For more information, please see
www.sans.org/topten.htm.
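Two pieces of advice in this section, the shopping-list question of whether you can compare today’s scan with one from four weeks ago and the slide’s “fix the red priority problems first”, are easy to automate once results are in tabular form. This added example is not from the course and does not use any real scanner’s output format: it diffs two constructed scan reports into fixed, new and persisting findings, orders each bucket with the highest severity first, and pulls out the high-severity items that survived from one run to the next.

```python
import csv
import io

# Constructed sample scan reports (not real scanner output): one run from four
# weeks ago and one from today. Columns: host, port, finding, severity.
LAST_MONTH = """host,port,finding,severity
10.0.1.10,21,anonymous FTP enabled,medium
10.0.1.10,80,default web server page,low
10.0.1.12,111,portmapper exposed,high
10.0.1.15,25,open mail relay,high
"""
TODAY = """host,port,finding,severity
10.0.1.10,80,default web server page,low
10.0.1.12,111,portmapper exposed,high
10.0.1.15,25,open mail relay,high
10.0.1.20,23,telnet enabled,high
10.0.1.20,161,default SNMP community string,medium
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}   # red problems sort first

def load_findings(report):
    """Key each finding by (host, port, finding) so two runs can be compared."""
    return {(row["host"], int(row["port"]), row["finding"]): row["severity"].lower()
            for row in csv.DictReader(io.StringIO(report))}

def compare_scans(old, new):
    """Split findings into fixed since the last run, newly appeared, and still
    open. Each list is ordered by severity, then host and port."""
    def ordered(keys, severities):
        return sorted(keys, key=lambda k: (SEVERITY_RANK[severities[k]], k[0], k[1]))
    return {
        "fixed": ordered(set(old) - set(new), old),
        "new": ordered(set(new) - set(old), new),
        "persisting": ordered(set(old) & set(new), new),
    }

def still_open_highs(diff, severities):
    """The promises that were not kept: high-severity findings present in both runs."""
    return [k for k in diff["persisting"] if severities[k] == "high"]

if __name__ == "__main__":
    old, new = load_findings(LAST_MONTH), load_findings(TODAY)
    diff = compare_scans(old, new)
    for bucket in ("new", "persisting", "fixed"):
        print(bucket)
        for host, port, finding in diff[bucket]:
            sev = (old if bucket == "fixed" else new)[(host, port, finding)]
            print("  %-6s %s:%d %s" % (sev, host, port, finding))
    print("still open high:", len(still_open_highs(diff, new)))
```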
Warning!!!
Vulnerability scanners may be hazardous to your career
• Be very sure you are authorized
• People really prefer to be warned
• Scanners sometimes crash systems
• Don’t jump to conclusions about how vulnerable a system is until you know the tool very well
In the previous example, it isn’t that you were wrong when you went to management and told them
they were vulnerable. The problem is that attackers often leave a low footprint - you can be
compromised and not realize it.
Anyway, to summarize this section, a vulnerability scanner is a great way to find many of the holes
that external and internal attackers would exploit, given the opportunity. However, scanners are
prone to false positives and can break things. Be conservative; start the tool at low power and run it
on a low number of systems until you are very familiar with its effects.
