Intrusion Detection - The Big Picture – SANS GIAC
©2000, 2001
Intrusion Detection
The Big Picture – Part V
Stephen Northcutt
Intrusion Detection Roadmap - 3
What are the pieces and how they play together
• Vulnerability Scanners
• Response, automated and manual
– Manual Response
• Emergency Action Plan, 7 Deadly Sins
• Evidence preservation - Chain of Custody
• Threat Briefing - Know Your Enemy
– Ankle Biters
– Journeyman Hackers/ Espionage
– Cyberwar Scenario
In the next section, we are going to talk about vulnerability scanners and assessment tools, which
are one of the best ways to rapidly assess your security. They are hard to break down into functional
classifications the way we did with firewalls, proxies, packet filtering, and statefully aware. Perhaps
the most logical breakdown is commercial tools like ISS, NAI and the free, source-code tools, like
nmap and Nessus. Another breakdown is system scanner tools that run as a program to inspect the
operating system configuration, and network scanner tools that work across the network. There are
also tools that scan telephone lines for active modems. For this course, we are focused on the
network-based scanning tools and telephone scanners since they are the most applicable to
intrusion detection.
So, in this section we will cover the following topics:
• What are they generally
• Saint
• Nessus
• ISS Real Secure
• Scanning for modems - Phone Sweep
• Red Teaming
• Scanner warning
Vulnerability Scanners
What are they generally
• Target: scanners must only scan systems you own
• Scan: “test for services”, multiple ports on multiple machines
– May have knowledge of vulnerabilities and test to see if the vulnerability is present
• Report: provide results in a clear, understandable fashion
The cardinal rule of scanning or vulnerability assessment is to be certain to only scan systems that
you own and are authorized to scan. Otherwise, you will be setting off someone else’s intrusion
detection capability and that is hardly a good idea.
If you are shopping for a scanning toolset, it is reasonable to assume that any of the big three (ISS,
NAI, Symantec) scans for the same number of vulnerabilities. They will all come up with false
positives that have to be investigated manually. Before you plunk your money down, there are four
things you really want to consider:
• How is the product licensed? Is this flexible enough for your planned growth? Can it be
upgraded easily?
• How interoperable is the product? Is it fully Common Vulnerabilities and Exposures
(CVE) compliant?
• Can you easily compare the results of a scan today with the results of one four weeks ago,
or is this a manual process?
• Does your manager like the report output?
SARA (Security Auditor’s Research Assistant)
• Where to get it
• What does it do?
– Vulnerability scanner, web-based interface, based on Satan, community-donated modules
– Has some capability to determine probable trust relationships
SARA is a follow-on to SAINT, which was a follow-on to SATAN. It runs pretty well and is worth
trying if you are in a Unix shop. Though it is pretty safe as scanners go, be sure to test it in a lab,
or off-hours on a non-critical network, before unleashing it on your network. It is fairly lightweight
compared to other products, but may be a great way to get started.
Nessus
• Where to get it?
• What does it do?
– Vulnerability scanner, more heavy-handed than Saint in our experience
SARA was a free tool and so is Nessus. This tool is better in the hands of someone who is
technically sophisticated. It is already a powerful scanner based on community-donated plug-ins. It
was also the fastest scanner in the Top Ten scanner evaluations.
Nmap
Nmap is my personal favorite. It is the most commonly used scanning tool on planet Earth, bar
none. It has a large number of scan modes and has a unique capability of operating system
detection. Different operating systems have made divergent choices in building their network
stacks, especially in areas that are not defined by RFC standards documents, or for fields that are
reserved for the future. OS detection tools intentionally send packets that write into reserved fields
or use illegal values in an effort to identify the operating system.
(Editor’s note: Nmap is available from www.insecure.org – Unix version; www.eeye.com – Windows version. – JEK)
At this point we have briefly discussed three commercial tools and three freeware tools. If you run
Unix tools (and all KickStart students are supposed to have access to Linux and Windows), the free
tools - especially nmap - may be a great way for you to start. After all, in an organization of any
size, you have plenty to find and fix before you need a top-of-the-line commercial scanner.
Now, let’s think about phone scanning for a minute. Ever get a phone call, pick up the phone and
no one was there? You might have been scanned.
Phone Scanning for Vulnerability Detection
• Response for successful intrusion detection is not clear.
– Defensive posture is difficult to maintain.
– Generally not criminal to call phone numbers.
• Intrusion detection may not be possible.
• Scanning works - attackers use it!
• Threat of scanning acts as a deterrent.
Special thanks to Simson Garfinkel and the folks at Sandstorm (www.sandstorm.net) for the
permission to use the PhoneSweep slides.
We said firewalls are not perfect, but when they fail it is more likely because of what the folks on
the inside do than because the firewall has a technical problem. We already talked about users
bringing up services on ports that are expected to be open for other reasons. Various multimedia
programs such as Napster and Gnutella make it easy to get files through a site’s defenses, and there
are manuals on how to do this on the Internet. One other way that users can cause firewalls to fail is
by hooking their system up to a modem.
Next Sunday, take a minute to do some research. Pull the color ads in your area for the consumer
electronic stores such as Circuit City and the like. Check out the computers. What do they all have?
War Dialers
• Used by attackers to find dial-up modems.
• Many programs, widely available
– Toneloc, The Hacker’s Choice, etc.
Well, what I notice about the ads (besides a price that is wrong by $400, because nobody in their
right mind is going to sign a contract with Microsoft Networks or CompuServe), is all the computers
have modems.
Eventually, someone, somewhere is going to hook that modem up. Modems have a “dial on
demand” mode, but they also have an auto-answer mode. This would be useful if you wanted to be
able to access your computer at work from your computer at home to download files.
The screen shot you see is for ToneLoc, probably the most popular wardialer. It will scan a range of
phone numbers looking for a modem on auto-answer. These systems can then be targeted.
Mitigating the War Dialer Threat
• Intrusion Detection Response:
– Monitor call logs at phone switch.
– Set up monitored modems on special
phone numbers (honeypot).
• Scanning Response:
– Proactively scan your own phone numbers.
– Take action when modems are found.
Your facility almost certainly has and will be scanned. The question is, what action are you willing
to take? The logical countermeasure is to scan your own phone lines on a regular basis. Now, this is
simple in theory, complex in practice. Your organization may have a person in charge of phones and
they may be able to help you. Be aware that Heating, Ventilation, and Cooling (HVAC - some folks
say Heating, Ventilation, Air Conditioning) and alarm systems may be active on your phone system,
and these numbers should be avoided. ToneLoc and most other scanners allow you to avoid number
ranges.
PhoneSweep: Commercial Scanner
• A Telephone Scanner, not a War Dialer
– 4 modems
– System ID
– Penetration
– Repeatable scans
– 80+ page manual
– Supported
Many organizations are uncomfortable using hacker code to attack their own sites because of the risk
of embedded malicious code. Also, the documentation on some underground code is not the best.
Technical support can be dicey from hacker locations. These are some of the factors that cause some
organizations to prefer commercial software with phone support, printed manuals…and someone to
sue if things go wrong.
Select Modems
An example of a commercial scanner is PhoneSweep shown on this slide. Notice that it can run
multiple modems in parallel; it turns out that phone scanning is really slow!
Specify Dialing Times
(PhoneSweep relies on the system clock for accurate time & day of the week.)
[Screenshot: PhoneSweep dialing schedule, hours outside Business Hours]
With a commercial tool, you tend to get more flexibility in settings. For instance, you might want to
consider scanning at night in case people leave their modems on auto-answer when they leave work.
It is nice to have this capability, but scanning when you are not there can be dangerous. Another
high-end feature to look for is the ability to detect fax machines.
Telephone Scanning Summary
• Any large site probably has modems that they do not know about
• Remember the “Legion” slide
• Slow, slow, slow, think seriously about the parallel modem option
• Doesn’t seem to distinguish between faxes and modems as well as I had hoped
To summarize the phone scan section, this is something you should seriously consider doing.
Remember that example in the firewalls section, of the facility that was compromised because of a
user accessing the Internet via a modem and ISP? Unfortunately, phone scanning will only detect
modems on auto-answer. Many organizations have digital phone systems, so analog lines require
special permission; this certainly limits how many numbers you need to test. Commercial tools have
some significant advantages. On the other hand, ToneLoc is simple and very well tested!
How to Do a Vulnerability Scan
• Get permission, explain what you are doing, “finding our vulnerabilities before attackers do”
• Put out the word ahead of time, publish your phone number; people don’t like surprises
We will close this section with a discussion of the general principles of scanning. Note well,
vulnerability scanning can be hazardous to your career. The difference between a hacker and a
penetration tester is permission! Be certain that you have it. If you are just starting a scanning
program in your organization, you probably want written permission.
Things can go very wrong when you are scanning. I have crashed a number of systems - I’ve
already mentioned the mockup of a Navy warship – and my friend John Green has a whole Navy
base to his credit! We both did this with simple vulnerability assessment tools. People will be a lot
more forgiving if you warn them ahead of time and make sure it is easy for them to find you. If you
are not in the office or people do not know how to contact you, then you could create a serious
problem for your organization and therefore yourself.
How to Do a Scan (2)
• Click target selection, choose a system, tell it to expand to the subnet
• Heavy scan, but do not allow Denial of Service scan (at least at first)
• Only scan when you are in the office by the phone
• Fix the red “priority” problems first
There is no point in configuring the scanner to hit all of your addresses unless you are in a small
organization. Do a subnet at a time, a workgroup at a time, whatever makes sense. This way you
don’t have an overwhelming number of vulnerabilities to fix.
If you do scan the whole facility, you will have a huge list of problems and everyone will talk about
fixing them, but it never gets past the promises stage. This is very dangerous. After you run the scan
on a large scale, you get a huge printout of all the problems and some of them are flagged as “very”
serious, some “just” serious and so forth. You present it to management, tell them it is the end of life
as we know it if they aren’t fixed. They agree, they task people, there are meetings, everyone agrees
to get things fixed and you run into deadlines and emergencies and they never get fixed. Now you
can’t play that card again - after all, the organization is still in business! If you run another scan, no
one will take it that seriously.
Therefore – scan a small section. Start with your own shop. Fix the problems, and move on.
There is another approach, called the Top Ten Project. A number of scanners, including SARA and
Nessus, have scanning modes that only look for the Top Ten vulnerabilities. This way, you only
have to deal with the most serious problems first. For more information, please see
www.sans.org/topten.htm.
Warning!!!
Vulnerability scanners may be hazardous to your career
• Be very sure you are authorized
• People really prefer to be warned
• Scanners sometimes crash systems
• Don’t jump to conclusions about how vulnerable a system is until you know the tool very well
In the previous example, it isn’t that you were wrong when you went to management and told them
they were vulnerable. The problem is that attackers often leave a low footprint - you can be
compromised and not realize it.
Anyway, to summarize this section, a vulnerability scanner is a great way to find many of the holes
that external and internal attackers would exploit, given the opportunity. However, scanners are
prone to false positives and can break things. Be conservative; start the tool at low power and run it
on a low number of systems until you are very familiar with its effects.
Intrusion Detection Roadmap
What are the pieces and how they play together
• Vulnerability Scanners
• Response, automated and manual
– Manual Response
• Emergency Action Plan, 7 Deadly Sins
• Evidence preservation- Chain of Custody
• Threat Briefing - Know your enemy
– Ankle Biters
– Journeyman Hackers/ Espionage
– Cyberwar Scenario
Response and Incident Handling
• Response
– Automated Response
– Manual Response
• Emergency Action Plan
• 7 Deadly Sins
• Evidence preservation - Chain of Custody
Intrusion response, or the response to intrusions, is an interesting problem. The fundamental
concept to understand is that you will respond. Your system will respond. The question is, will it be
a good response?
Let’s start at the beginning. When a packet comes to your firewall, one of three things will happen:
• The packet will be allowed to pass.
• The packet will not be allowed to pass, and the firewall will notify the sender (most likely
with an ICMP “administratively prohibited” message).
• The packet will not be allowed to pass and the firewall will NOT notify the sender. This is
known as the “silent drop”.
More complex responses are also possible. There is a tool called a RST kill. A RESET (RST) is the
signal to abort a TCP connection. A firewall or intrusion detection system can forge a RST and send
it to one or both sides of the TCP connection if it sees evidence of an attack.
Automated Response
• Commercial IDS can be connected to routers/firewalls and take automated action
– Drop connection
– Shun IP address
• Significant potential for denial of service
The intrusion detection system can detect a signature, and if that connection matches a known
attack signature, it can order the firewall to drop the connection and block that IP address. Further,
it could refuse to allow a route from the attacking IP address.
Shunning is the notion of blocking an IP address and/or an IP address family from then on. It
doesn’t matter what service they wish to connect to, they are not welcome.
The logic for doing this is obvious; attacks happen so fast that a computer has a much better
opportunity to respond than a person. Also, while we have an attack signature to recognize this
attack, we may not for the next attack – so it’s best to block while we can.
It takes a LOT of smart software to do this in a heuristic manner that can calculate the probability a
connection is spoofed, and what the cost to the organization of blocking it might be. If you run
auto-response software, attackers can toy with you using spoofed packets.
Manual Response
• Person in the loop auto response options
• Incident Handling
– Emergency Action
– 7 Deadly Sins
– Chain of Custody
– Forensics
In a 24x7 manned response center, an obvious solution to the high risk of auto-response would be to
present the detect and from one to N recommended responses to a trained incident handler and allow
them to make the decision on what to do next. This is known as “person in the loop”.
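As an added example (not from the course material), the following Python decision engine shows how an auto-response could guard against the spoofing and denial-of-service risks raised in the Automated Response discussion, and otherwise hand the detect with recommended options to a “person in the loop”. The address ranges, thresholds and alert fields are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import time

# Constructed policy values (assumptions for this example, not from the course).
NEVER_SHUN = [ip_network("10.0.0.0/8"),       # our own address space
              ip_network("192.0.2.53/32")]    # example upstream DNS resolver
SHUN_SECONDS = 3600   # blocks expire; a permanent block list is a self-inflicted DoS
MAX_SHUNS = 500       # cap the block list so a flood of alerts cannot fill the router


@dataclass
class Alert:
    src: str              # source address that matched the signature
    signature: str
    handshake_done: bool  # did the TCP three-way handshake complete?
    severity: int         # 1 (low) .. 5 (high)


@dataclass
class Decision:
    action: str           # "shun" (automatic) or "recommend" (person in the loop)
    reason: str
    options: list = field(default_factory=list)  # choices offered to the handler


@dataclass
class ShunEngine:
    shunned: dict = field(default_factory=dict)  # address -> expiry timestamp

    def _expire(self, now):
        self.shunned = {a: t for a, t in self.shunned.items() if t > now}

    def decide(self, alert, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        addr = ip_address(alert.src)
        if any(addr in net for net in NEVER_SHUN):
            # Blocking our own infrastructure would cost more than the attack.
            return Decision("recommend", "source is on the never-shun list",
                            ["investigate the host", "ignore"])
        if not alert.handshake_done:
            # A completed handshake shows the source really receives our packets.
            # Without it the address may be spoofed to trick us into blocking a victim.
            return Decision("recommend", "no completed handshake; possible spoof",
                            ["watch for repeats", "rate-limit the source", "ignore"])
        if alert.severity >= 4 and len(self.shunned) < MAX_SHUNS:
            self.shunned[str(addr)] = now + SHUN_SECONDS
            return Decision("shun", "high-severity signature from a verified source")
        return Decision("recommend", "below the auto-shun threshold or list is full",
                        ["shun manually", "drop this connection only", "ignore"])

    def is_shunned(self, src, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        return src in self.shunned
```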
Let’s go back to the fundamental concept, you will respond. The question is whether you will
respond well. If the packet penetrates your firewall, and it penetrates your system defenses, and if it
is successful, you are generally dealing with an incident - but computer incident handling is a much
broader field than Computer Network Attacks (CNA). Incidents are any situation where harm or the
threat of harm affects information processing resources. This includes hacker attacks, malicious
code, fires, floods and other weather events, and sometimes even software and hardware
configuration problems.
Emergency Action Points
• Remain calm, don’t hurry
• Notify your organization’s management, apply need to know, use out-of-band communications
• Take good notes
• Contain the problem
• Back up the system(s), collect evidence
• Eradicate the problem and get back in business
• Lessons learned
Please take a minute to read this slide. This slide shows the fundamental steps to take when handling
an incident. Record keeping is especially important and can be of great value if legal action is ever
needed. Keep in mind, even if your organization does not wish to prosecute, if your systems are
compromised and used to attack someone else, you may still end up in court.
A system backup is one of the first things that you want to do whenever possible. The situation can
always go from bad to worse and you certainly want to save your data.
Containment is the key to keeping the situation from getting worse, but it is very hard to do unless
you can isolate what the problem is.
Credit: If you are taking this course for academic credit, develop a two-page incident response plan
for your system or school lab. Make sure the plan covers the bullets shown above. Be explicit as to
how you will accomplish the system backup. Your plan will also describe your plan to continue
operations if the systems are totally destroyed.
Seven Deadly Sins
• Failure to report or ask for help
• Incomplete/non-existent notes
• Mishandling/destroying evidence
• Failure to create working backups
• Failure to contain or eradicate
• Failure to prevent re-infection
• Failure to apply lessons learned
These are the errors that most commonly occur. Be sure to compare your response plan against these
errors.
Let’s take a minute to discuss failure to eradicate or to prevent re-infection. This is important from
your career perspective. If there is an incident and you lead the charge and everything is all right,
you are a hero. However, if it comes back the next day, you are a goat. Take the time to be careful
and sure, be conservative. It can pay off.
Chain of Custody and Legal Issues
• Primary goal is to prove evidence presented to court has not been tampered with
– Was it “pure” when it was detected?
– How was it collected?
– Who has had access to it (was it stored in a limited access container)?
• Cryptographic hash created at time of collection and stored out-of-band very valuable
Once evidence is turned over to law enforcement, they have chain of custody procedures. The high
risk for evidence is often where it is stored until law enforcement is called.
If there is no urgency (fires are urgent, Trojan software often isn’t), describe the scene in detail -
who, what, where, when - before you touch anything. Take a picture; you will find the old cliché is
very true. Make a backup. If you are not skilled in forensic procedures, pulling the disk drive (if
possible) from the affected machine is a good idea. Disk drives are cheap – go get them another one!
Take notes and label the notes 1 of 2, 2 of 2, etc. If possible, put all the evidence in a gallon-size
Ziplock bag. Make a couple of copies of a list of all the evidence, your notes, and a list of all the
witnesses. Then lock it all in a container few people have access to, keeping a copy of the evidence,
your notes, and witness list for yourself, and give your boss one. Second: stay with the evidence. This
is chain of custody in a single paragraph. Do it and your attorney will love you!
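The slide recommends a cryptographic hash created at collection time and stored out-of-band. As an added example (not part of the course), the Python below hashes each evidence item when it is collected and keeps a custody log in which every entry also carries the hash of the previous entry, so that an altered, removed or reordered entry, or modified evidence, is detected at verification. The evidence bytes, item ids, names and timestamps are constructed for the example.

```python
import hashlib
import json

ZERO = "0" * 64  # "previous hash" for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always hashes alike.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def record_collection(log, item_id, data, collector, when, note):
    """Append a custody entry for evidence `data`; returns the entry hash (store it out-of-band)."""
    entry = {"item": item_id, "evidence_sha256": sha256_hex(data), "collector": collector,
             "when": when, "note": note,
             "prev_entry_hash": log[-1]["entry_hash"] if log else ZERO}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry["entry_hash"]


def verify_log(log, evidence):
    """Check the log chain and the evidence itself. `evidence` maps item id -> current bytes."""
    problems = []
    prev = ZERO
    for i, entry in enumerate(log):
        if entry["entry_hash"] != _entry_hash(entry):
            problems.append(f"entry {i}: log entry altered")
        if entry["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain broken (entry removed or reordered)")
        prev = entry["entry_hash"]
        current = evidence.get(entry["item"])
        if current is None:
            problems.append(f"entry {i}: evidence {entry['item']} missing")
        elif sha256_hex(current) != entry["evidence_sha256"]:
            problems.append(f"entry {i}: evidence {entry['item']} modified since collection")
    return (not problems), problems


# Constructed sample evidence: a captured syslog fragment and a stand-in for a disk image.
EVIDENCE = {
    "E1-syslog": b"Jun 12 02:14:07 host sshd[4141]: Accepted password for root from 192.0.2.44\n",
    "E2-disk.img": b"\x00" * 512,
}


def demo():
    """Build a two-item custody log, then show that editing an entry afterwards is detected."""
    log = []
    record_collection(log, "E1-syslog", EVIDENCE["E1-syslog"], "analyst A",
                      "2001-06-12T02:30Z", "copied from host before power-off")
    record_collection(log, "E2-disk.img", EVIDENCE["E2-disk.img"], "analyst A",
                      "2001-06-12T03:10Z", "drive pulled and imaged")
    ok, _ = verify_log(log, EVIDENCE)
    tampered = [dict(e) for e in log]
    tampered[0]["collector"] = "analyst B"   # someone rewrites history
    ok_tampered, problems = verify_log(tampered, EVIDENCE)
    return ok, ok_tampered, problems
```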
Intrusion Detection Roadmap - 3
What are the pieces and how they play together
• Vulnerability Scanners
• Response, Automated and Manual
– Manual Response
• Emergency Action Plan, 7 Deadly Sins
• Evidence preservation - Chain of Custody
• Threat Briefing - Know Your Enemy
– Ankle Biters
– Journeyman Hackers/ Espionage
– Cyberwar Scenario
Introduction to Information Warfare - Goals
• Espionage
– Economic benefit
– Military advantage
– Personal advantage
• Psyops
– Disinformation
– Perception management
Just today, I was trying to convince an organization not to put their personal names on their intrusion
detection reports. These analysts were proud of their ability and in a bit of competition. They
wanted the recognition. So why can’t we put our names on our report? This is what I told them.
In terms of ships and airplanes, we are not at war right now; we are in peace time. But there is a war
going on and your intrusion detection analysts are the front line troops. How many intrusion
attempts did you detect this month - fifteen, twenty? I suppose there are a lot of ways to determine
one is at war, but one good one is that people are shooting at you! When people are shooting at you
it is a good idea to keep your head down.
There are lots of reasons for information warfare, and many dimensions to it, as this slide shows, but
the key point to remember is this: we are at war.
