
Intrusion Detection - The Big Picture – SANS GIAC
©2000, 2001
Intrusion Detection
The Big Picture – Part VI
Stephen Northcutt
Intrusion Detection Roadmap
What are the pieces and how they play together
• Honeypots
• Firewalls
  – Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
  – Introduction to Risk Management
  – Knowledge-Based Risk Assessment
  – Online Auditing Tools
Seven Most Important Things to Do if Security Matters
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response
You will notice that I have never read a slide to you in the entire time together, so please bear with
me.
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement top
priority countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response
So here on this slide we have another big picture view of information security. Students that
complete Information Security KickStart and Security Essentials certification are well on their way
to accomplishing each of these. This is by no means the only way to approach building a security
capability, but it is a comprehensive high level view.
Theory of Risk Assessment
It is critical to have an understanding of risk management to properly choose and deploy intrusion
detection and response assets. To manage risk, one must be able to assess it. In this section of the
course we will cover the basic theory of risk assessment. We will also talk about three methods of
risk assessment: qualitative, quantitative, and knowledge-based (also known as best practices).

The Three Risk Choices
• Accept the risk as is
• Mitigate or reduce the risk
• Transfer the risk (insurance model)
Whether or not we choose explicitly, we have exactly three options, and we do choose among them:
acceptance, mitigation, and transference.
When we accept the risk, this means we make no changes in policy or process. This decision means
that we judge the risk of a given threat to be inconsequential in the greater scheme of things.
If we feel the threat is significant and could cause harm to our business or enterprise, then we have
the option of taking action to protect operations by reducing the risk. A firewall or system patch are
obvious examples of risk mitigation.
Transferring the risk is sometimes a workable technique. The classic example is to buy insurance.
This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a
fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real
world example of this is hacker insurance. The insurance company still expects you to have a
firewall and patches, but insures you should these fail.
Risk Management Questions
• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact of threat)
• How often could it happen? (frequency of threat - annualized)
• How reliable are the answers to the above three questions? (recognition of uncertainty)
In order to decide which of the choices (accept, mitigate, or transfer the risk) we want to make, we
analyze the risk to understand it better.
What exactly are we afraid of? What is it - can we name it specifically or is it just a vague, uneasy
feeling?
If the threat is successful, how bad will it hurt? What is the probable extent of the damage?
How often is this likely to occur? Is this more like a hundred year flood, or a hot day in Biloxi,
Mississippi? We are more willing to accept the risk of a threat that is not likely to happen often.
But, if something can damage us on a daily basis, this is a significant problem.
Finally, how do we know? In the cyberworld, how accurate are our risk calculations when new
program or operating system vulnerabilities are discovered weekly?
Uncertainty
Uncertainty is the central issue of risk management!
(What would happen to James Bond if his luck failed in those stunts he does?)
Have you ever wondered why Bond (James Bond) never gets shot, can jump off of an airplane
without a parachute and live, and never loses at cards? It is simple! He read the script! In fact he
may have had a hand in writing it. Since they follow the script, the stunts he does are closer to
professional wrestling because he certainly knows he is going to get the bad guy – and the girl.
He wouldn’t look half so composed if he was uncertain as to what was going to happen.
Uncertainty, then, is the heart of risk management.
Risk Requires Uncertainty
If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn’t risky; it is suicide. For such an action there is a 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive.
Probability ranges between 0.0 and 1.0 though people often express it as a per cent.
Jumping out of an airplane with a parachute involves risk. If you were to try the James Bond stunt of
jumping out of an airplane without a chute you are committing suicide, but you aren’t doing anything
risky. Risk involves uncertainty. Let’s tie this back to the information assurance world.
If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the
perimeter, it is certainly going to be compromised. It might not happen in a single day, but it will
happen over the course of a year. In the same way that gravity is the compelling reason jumping
from a plane sans chute is near-certain death, the continuous probing and poking of exposed systems
on the Internet is the compelling reason the box will be compromised. So what? How bad can a
compromise be? Well, once they compromise the box they have the ability to manipulate your
organization’s trust model. If you have valuable assets, that may be what happens. Or they may
just create weird system domains and hit systems all over the Internet, giving your organization a bad
name.
What is an Unacceptable Risk?
• You can define the threat.
• If it happened, it would be bad. (high impact)
• If one shot didn’t kill you, and then it hit you again and again. (frequent threat)
• There is high certainty the threat exists, it is high impact, and potentially could occur multiple times.
So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk. To be
an unacceptable risk, it has to be a defined threat. They will compromise the DNS server, most
likely via a buffer overflow. How bad would it be? If they chose to manipulate the trust model and
had several days to work without being detected - such as over the Christmas holidays - they could
make considerable headway at owning the entire organization’s information assets. You might never
get them dislodged. What if they chose simply to use your box to attack others?
People are usually forgiving if it only happens once, but there are domains that have been
compromised a number of times. These are not usually respected and may even be blocked. One of
the classics is the Brazilian Research Network. This loose group of addresses has been the source of
hundreds and hundreds of attacks against Internet hosts. The price? Besides being a standing joke,
legitimate users continue to find their access blocked.
Single Loss Expectancy (SLE - one shot)
• Asset value x exposure factor = SLE
• Exposure factor: 0 - 100% of loss to asset
• Example: Nuclear bomb/small town ($90M x 100% = $90M)
How much financial loss am I willing to accept in a single event? It all comes down to money in the
end. When considering one shot, or Single Loss Expectancy (SLE), we consider the value of the
information resource asset. Example: a company’s top salesman accounts for 25% of their $40
million in revenue, or $10 million. His client contact list and fee schedule are stored on his laptop and
are not encrypted. If they fell into the wrong hands they would be worth at least 10% of their value to the
competition ($1 million) and possibly more if the competition can finesse the information. So we find we can
calculate a minimum approximate SLE, but there is uncertainty as to the maximum value.
Another example: an author takes a royalty of $100,000 to write a book. He receives partial
payments every 25% of the project. What is the SLE if his hard drive crashes at the 70% mark and
the data is not recoverable? $25,000 x 80%, or $20,000, unless he has been sending chapters in as they
are done.
Annualized Loss Expectancy (ALE - multi-hits)
• SLE x Annualized rate of occurrence = Annual Loss Expectancy (ALE)
• Annualized rate of occurrence: the frequency the threat is expected to occur
• Example: web surfing on the job
  – SLE: 1000 employees, 25% waste an hour per week surfing, $50/hr x 250 = $12,500
  – ALE: they do it every week except when on vacation: $12,500 x 50 = $62,500
If you are screaming “but what if??”, relax - we understand. Again, a main point of the chapter is
uncertainty; this is what drives the “what ifs”. The key question, however, is how much continuing
risk am I willing to accept?
Even if you can survive a given event (possibly sadder but wiser), can you survive it six times? This
is the notion of annualized risk. It applies well to shoplifting - we expect to lose 9% of revenue
over N occurrences.
Information about expected losses due to cyber attacks is much harder to come up with, as
organizations do not tend to share this type of information, so it is only available in the micro-view of
a given organization.
When Faced with Unacceptable Risks
• What can be done to reduce/mitigate the risk?
• How much will it cost to reduce the risk (usually annualized)?
• Is it cost effective to apply these risk reduction measures (cost/benefit analysis)?
The problem is that reducing risk tends to have costs. We need to balance the cost of the cure (or
risk reduction) against the benefits. The challenge is to determine the cost-effective fixes for the
common attacks.
This is a reason the Top Ten vulnerabilities (www.sans.org/topten.htm) is such an important
document. This was a consolidated effort by the security community to implement the steps shown
on this slide. By going through a consensus process to agree on the known primary vulnerabilities,
we have something to target. It simply makes sense to make sure information resources are
protected against these attacks.
Then, the community worked to define the threats in tutorial fashion and calculate defenses against
them. Much of this work was done as student practicals as part of GIAC certifications. At the
conclusion of this world-wide analysis, it was then possible to execute quantitative analysis of the
risk of the Top Ten vulnerabilities with a reasonable degree of certainty.
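The SLE and ALE arithmetic from the preceding slides, carried through in code as an added example (this is not part of the course material): `single_loss_expectancy`, `annualized_loss_expectancy` and the `net_annual_benefit` cost/benefit test are names chosen here, and the filtering proxy in `web_filter_decision` is a constructed illustration, not a figure from the slides. One caveat the code makes visible: multiplying the slide's own $12,500 weekly loss by 50 weeks gives $625,000, not the $62,500 printed on the ALE slide.

```python
"""Quantitative risk arithmetic from the SLE / ALE / cost-benefit slides (added example).

SLE = asset value x exposure factor
ALE = SLE x annualized rate of occurrence (ARO)
Net annual benefit of a countermeasure = ALE before - ALE after - annual cost of the measure
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: money lost in one event. exposure_factor is the fraction (0.0-1.0) of the asset lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is 0-100% of the asset, i.e. 0.0 to 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, annual_rate_of_occurrence: float) -> float:
    """ALE: expected loss per year = SLE x number of times per year the threat is expected to hit."""
    if annual_rate_of_occurrence < 0:
        raise ValueError("rate of occurrence cannot be negative")
    return sle * annual_rate_of_occurrence


@dataclass(frozen=True)
class Countermeasure:
    """A risk-reduction measure: what it costs per year and what it does to ARO and exposure."""
    name: str
    annual_cost: float
    aro_after: float        # annualized rate of occurrence with the measure in place
    exposure_after: float   # exposure factor with the measure in place


def net_annual_benefit(asset_value: float, exposure_before: float,
                       aro_before: float, cm: Countermeasure) -> float:
    """Cost/benefit test from the 'When Faced with Unacceptable Risks' slide.

    Positive: the measure saves more per year than it costs (mitigate).
    Negative: accepting (or transferring) the risk is cheaper than fixing it.
    """
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_before), aro_before)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, cm.exposure_after), cm.aro_after)
    return ale_before - ale_after - cm.annual_cost


def slide_examples() -> dict:
    """The worked figures from the SLE and ALE slides, recomputed."""
    # Nuclear bomb / small town: $90M asset, 100% exposure
    nuke = single_loss_expectancy(90_000_000, 1.0)
    # Top salesman's laptop: 25% of $40M revenue = $10M asset; worth at least 10% of that to a rival
    laptop = single_loss_expectancy(0.25 * 40_000_000, 0.10)
    # Author paid in 25% installments of $100,000; a crash at 70% loses 80% of the current $25,000 installment
    book = single_loss_expectancy(0.25 * 100_000, 0.80)
    # Web surfing: 1000 employees, 25% waste one hour a week, $50/hr -> 250 hours x $50 per week, all of it lost
    surf_sle = single_loss_expectancy(1000 * 0.25 * 50, 1.0)
    # ARO of 50: every week except vacation. Note this is $625,000, not the $62,500 printed on the slide.
    surf_ale = annualized_loss_expectancy(surf_sle, 50)
    return {"nuke": nuke, "laptop": laptop, "book": book,
            "surf_sle": surf_sle, "surf_ale": surf_ale}


def web_filter_decision() -> float:
    """Constructed illustration (not from the slides): is a $10,000/yr filtering proxy worth it?

    Assumes the proxy removes 80% of the surfing loss (exposure 1.0 -> 0.2) and the 50-week year stays.
    """
    proxy = Countermeasure("filtering proxy (hypothetical)", annual_cost=10_000,
                           aro_after=50, exposure_after=0.20)
    return net_annual_benefit(asset_value=12_500, exposure_before=1.0, aro_before=50, cm=proxy)


if __name__ == "__main__":
    for name, value in slide_examples().items():
        print(f"{name:>9}: ${value:,.0f}")
    print(f"net annual benefit of the hypothetical proxy: ${web_filter_decision():,.0f}")
```

The sign of `net_annual_benefit` is the decision: a positive number argues for mitigation, a negative one says the cure costs more than the disease and the risk should be accepted or transferred instead.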
Qualitative - Another Risk Assessment Approach
• Banded values: high, medium, low
• Asset value and safeguard cost can be tied to monetary value, but not the rest of the model
• Very commonly used
For most applications the best approach is the financial one, with the exceptions of critical systems
(such as nuclear plant control) and weapon systems. However, it takes a lot more effort to
quantify the value of things, and so the qualitative approach is far more popular.
The single biggest problem with the qualitative approach is in the implementation - people tend to
mark “low risk” even when it is not. Or they mark “medium” or “high” for their pet peeves
as opposed to actually calculating the risk.
Economic vs. Qualitative
• Qualitative is easier to calculate, but its results are more subjective
• Qualitative is much easier to accomplish
• Qualitative succeeds at identifying high risk areas
• Economic is far more valuable as a business decision tool
The main distinction between the two approaches is that qualitative is much easier and, when done well,
can certainly identify the areas that need attention.
There is still another approach to risk assessment: the knowledge-based, or best practices,
approach. There is much more up-front work required to implement this, but the results are more
accurate and consistent.
Risk Assessment
• Theory of risk assessment - short version
• Knowledge-Based (best practice) application of risk assessment
• Business case for intrusion detection - revisited
The steps to create knowledge-based risk assessment tools are fairly straightforward:
• Identify the problem domain (e.g. securing Windows NT).
• Identify the primary threats.
• Identify potential countermeasures.
• Select and test countermeasures.
• Develop step by step instructions for implementing and auditing countermeasures.
Ideally, each step should be made available for public review.
For knowledge-based risk assessment to be effective the developer of the system must have the knowledge and mindset to think like an attacker!
One of the hardest things to keep in mind in building knowledge-based countermeasures is the threat
step: what are the attackers likely to do, what are their goals? If we do not do this, we tend to have
no focus in deciding what to protect on our systems and how to protect it.
Once we can reduce the uncertainty over what the attacker is going to target, we can focus on
protecting these assets. This is done by developing countermeasures or defenses. The goal is to
select countermeasures that are effective, reasonable in cost (and free if possible), and measurable.
In most cases, we should be able to produce specific checklists. When we are able to produce
checklists, we have reached the point where we are able to establish best practice as our security
policy.
Knowledge-Based Risk Assessment
• System administration is a high-turnover job for large organizations, which affects continuity
• System administrators tend to be focused on having the “trains run on time”
• Security configuration may not be understood or implemented
If a sufficiently developed checklist exists, this is a major benefit to organizations. This can help
protect the organization against a number of problems, including turnover and training.
Windows NT Example
• Checklist approach designed for two persons (check and double check) to configure an NT to at least minimal acceptable security
• Draws on SANS’ Securing Windows NT Step-by-Step
• 80/20 rule applies
When I used to fly helicopters for the US Navy, I was struck by the effectiveness of checklists. A
checklist is used to make sure the helicopter is ready to take off and also used before landing. One
crew member reads the item, the other verifies it and states that it is correct. This is a powerful
technique!
This check and double check technique is crucial for knowledge-based risk assessment. One person
who knows security and risk in general and another who knows the specific technology make the
ideal team to work with the system owner to evaluate the system.
Let’s look at a specific example of a checklist. This is from a document series originally developed
by Stephen Northcutt when he was employed at the Naval Surface Warfare Center. These have been
developed for a number of operating systems, but we will examine part of one developed for
Windows NT.
NAVAL SURFACE WARFARE CENTER, DAHLGREN DIVISION
IS SECURITY OFFICE, CODE CD2S
WINDOWS NT COMPUTER RISK ASSESSMENT
JUNE 7, 1999 PART II (V3.1)
Risk Assessment/Countermeasure Analysis/Security Test and
Evaluation (ST&E) for Microsoft Windows NT Computer Systems.
(__) Check here if this risk assessment is used for a version of Microsoft Windows NT prior to version 4.0 and in the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS", state when (within the next two months) the operating system will be upgraded to at least version 4.0.
This IS is: (Check only one)
(__) LOCATED AT NSWC DAHLGREN
(__) Complete site description is attached.
Threat and Countermeasure Check List.
Mark each as True, False, or NA - not applicable.
For all items not marked as "T", indicate in the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS" how the risk is mitigated by other means. In the absence of indications to the contrary, the Information System is operating at an acceptable risk (accreditable) when all of the leftmost countermeasures are marked 'True'.
The person that knows security and risk in general (often an auditor or security officer) reads the
items to the person more familiar with the specific technology. This person checks each item and
fills in the checklist.
At the end of each section, the security officer makes the determination as to the overall risk posture
of the system.
a. Threat/Vulnerability: Unauthorized System Access
Operating Countermeasures:
File System Configuration.
(__) System is configured as NTFS file system?
(__) System Administrator has a current Emergency Recovery Disk in a locked
storage area.
Accounts.
(__) Guest account is not present (or is disabled).
(Check Administrative Tools, User Manager, highlight guest and hit enter)
If Guest access is allowed:
(__) Audit trails for all accesses are enabled. In the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS", describe
(1) how the audit information is collected,
(2) who reviews the audit logs, and
(3) the frequency of said review.
Include the signature(s) of those conducting the review.
(__) There are no Anonymous users.
(__) All accounts are password protected.
On this slide we see additional questions in the checklist.
Passwords.
(__) NT password policies comply with Best Practices for NT Passwords.
(__) User passwords are known only by the user.
(__) Users are required to maintain unique passwords for each AIS.
(__) Passcrack for Windows NT or other password tester is run at least yearly.
(__) Administrator password is protected to the same level as the data
contained on the IS.
(__) Password is enabled for screen saver. (Control Panel, Desktop)
Access.
(__) Automatic logon as Administrator is disabled.
(__) RAS is NOT installed.
IF RAS IS INSTALLED, describe how it is configured in a secure manner
in the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS"
(__) There are no modems connected to this Information System.
IF THIS BLOCK IS NOT MARKED, describe how it is configured in a secure manner in the section entitled "ADDITIONAL COMMENTS AND EXPLANATIONS". Provide the phone number used for modem connection, any security measures in place (i.e. callback, securID) and purpose for connection.
(__) Remote Registry access is limited to Administrators.
(__) Scheduler service is disabled.
(__) If Scheduler service is NOT disabled, access is limited to Administrators.
This is by no means the end of the checklist. In the online version, you can click on these items for
additional information about how to check.
These checklists are available at www.nswc.navy.mil/ISSEC.
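An added example (not the NSWC form or any SANS tool) that encodes the form's marking rules from the form introduction (T/F/NA marks, accreditable only when every leftmost countermeasure is True, every non-True item needs an entry in "ADDITIONAL COMMENTS AND EXPLANATIONS") and the section a. items shown on the two checklist slides. `Item`, `Verdict`, `evaluate` and `assess` are names chosen here; the conditional sub-items (audit trails when Guest is allowed, Administrator-only access when the Scheduler service is not disabled) are modelled as applying only when their parent countermeasure is not marked T, and the sample review at the bottom is constructed.

```python
"""Evaluator for a knowledge-based (checklist) risk assessment in the style of the NSWC form.

Rules taken from the form's own instructions:
  * every countermeasure is marked T, F or NA;
  * the system is accreditable when all leftmost (top-level) countermeasures are marked T;
  * every item not marked T needs an entry in "ADDITIONAL COMMENTS AND EXPLANATIONS"
    explaining how the risk is mitigated by other means;
  * indented sub-items ("If Guest access is allowed: ...") apply only when the parent is not T.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MARKS = ("T", "F", "NA")


@dataclass
class Item:
    text: str
    mark: str = "NA"
    # sub-items that only apply when this item is NOT marked T (compensating controls)
    if_not_true: List["Item"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mark not in MARKS:
            raise ValueError(f"mark for {self.text!r} must be one of {MARKS}, got {self.mark!r}")


@dataclass
class Verdict:
    accreditable: bool
    needs_comment: List[str]   # items not marked T: comments section must explain other mitigation
    unanswered: List[str]      # applicable sub-items still NA: the review skipped a required check


def evaluate(section: List[Item]) -> Verdict:
    """Apply the form's rules to one section of the checklist."""
    needs_comment: List[str] = []
    unanswered: List[str] = []
    for item in section:
        if item.mark == "T":
            continue                        # leftmost countermeasure in place; sub-items are moot
        needs_comment.append(item.text)     # leftmost item not T: an explanation is required
        for sub in item.if_not_true:        # the compensating controls now apply
            if sub.mark == "NA":
                unanswered.append(sub.text)
            elif sub.mark == "F":
                needs_comment.append(sub.text)
    return Verdict(accreditable=not needs_comment,
                   needs_comment=needs_comment, unanswered=unanswered)


# Section a. "Unauthorized System Access", assembled from the items shown on the slides.
GUEST = "Guest account is not present (or is disabled)"
AUDIT = "Audit trails for all accesses are enabled"
SCHED = "Scheduler service is disabled"
SCHED_ADMIN = "If Scheduler service is NOT disabled, access is limited to Administrators"
PLAIN_ITEMS = (
    "System is configured as NTFS file system",
    "System Administrator has a current Emergency Recovery Disk in a locked storage area",
    "There are no Anonymous users",
    "All accounts are password protected",
    "Automatic logon as Administrator is disabled",
    "Remote Registry access is limited to Administrators",
)


def unauthorized_system_access(marks: Dict[str, str]) -> List[Item]:
    """Build the section from a {item text: mark} dict; anything not supplied is left NA."""
    def mk(text: str) -> Item:
        return Item(text, marks.get(text, "NA"))

    section = [mk(t) for t in PLAIN_ITEMS]
    section.append(Item(GUEST, marks.get(GUEST, "NA"), if_not_true=[mk(AUDIT)]))
    section.append(Item(SCHED, marks.get(SCHED, "NA"), if_not_true=[mk(SCHED_ADMIN)]))
    return section


def assess(marks: Dict[str, str]) -> Verdict:
    """Overall risk posture of section a. for one filled-in form."""
    return evaluate(unauthorized_system_access(marks))


if __name__ == "__main__":
    # Constructed sample review: everything in place except Guest, which is enabled but audited.
    review = {t: "T" for t in PLAIN_ITEMS + (SCHED,)}
    review[GUEST], review[AUDIT] = "F", "T"
    print(assess(review))
```

The two-person reading described in the notes maps onto `marks`: the auditor reads the item text, the administrator answers T, F or NA, and `assess` makes the security officer's end-of-section determination. A Guest account that is enabled but audited is still not accreditable on this rule, because the leftmost countermeasure is not True; it only tells the officer what the comments section must justify.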
SANS’ Securing NT SBS
* Action 3.1.1 Disable the display of the last logged on username by setting the following registry value. If the value does not already exist, it must be created. With REGEDT32 this is done with the Edit menu, Add Value. Enter the Name "DontDisplayLastUsername" exactly as shown and then use the String Editor to enter a "1". Also, you can use the C2 Configuration Manager from the NT Resource Kit instead of using REGEDT32.
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DontDisplayLastUsername
Type: REG_SZ
Value: 1
Note: In some situations it might be preferable to allow the display of the last logged
on user. Certain users may not be able to remember their user name, and this would keep the
administrator from having to tell them each time they logged on. Another reason to display the last
logged on username is because it will quickly let you know if someone else logged onto the machine.
Not displaying the last logged on user name will only keep novice hackers from finding out which
users exist on the machine. It is trivial for a determined hacker to get that information. Therefore,
many administrators do not bother hiding the last logged on user name.
A similar project - also a community development effort - is the SANS Securing Windows NT Step
by Step booklet. This is on its third revision, and the current editors are Jason Fossen and Stephen
Northcutt. Both projects are related to one another. The main difference is that in the SBS booklet
the detailed information is shown up front, whereas on the NSWC checklist it is in the help files.
Windows NT Form Summary
• Benefits
  – Reasonably good tool for minimal OS security
  – Good form “layout”
• Limits
  – Needs a list of applicable patches
  – Where to get them
  – Tool to determine patch status
The NSWC checklist or the SANS Securing Windows NT Step by Step checklist are not the final
answer. Teams are continually re-evaluating these, fixing problems, reacting to new threats.
However, these can help an organization or individual get up to speed fast.
Risk Assessment
• Theory of risk assessment - short version
• Knowledge-Based (qualitative) application of risk assessment (Windows NT example)
• Business case for intrusion detection - revisited: “How to use Risk Assessment tools!”
Intrusion Detection Roadmap
Using What We Have Learned
• Business Case for Intrusion Detection
  – How all these Capabilities Work Together
• Future Directions
  – Intrusion Detection in the Network
  – Program-Based Intrusion Detection
In this next-to-last major section, we are going to summarize and use everything we have studied to
date. The goal of the business case section is to give you the process and procedure tools to
supplement the technical capabilities you have learned.