The Evolution of IDS: Why Context is Key

Dave Shackleford, Voodoo Security and SANS

Joe Schreiber, AlienVault

© 2014 The SANS™ Institute - www.sans.org


DESCRIPTION

As security teams today become more focused on improving their detection and response capabilities, they're having to revisit technologies they rely on, as well as how they're using those technologies to combat threats and improve security posture. Few technologies have played a bigger role in detection and response than intrusion detection and prevention systems. Today these tools are considered "must have" controls for security and compliance, but are we using them effectively? Are we getting the right alerts, and looking for the right events and patterns in network traffic? How can we more effectively correlate data from IDS and IPS with other information and build a better security capability based on internal and external threat intelligence? In this webcast, we'll revisit the IDS and its evolution as a mainstay technology in our security arsenal. We'll also look at where teams are taking these tools using more effective processes and technology to improve detection and response significantly.


Introduction

• How has IDS/IPS changed in the past 10 years?

• First, there’s been more of a move to prevention vs. just passive detection

• Second, IDS really doesn’t function as a “standalone” tool anymore (for most)

• The context of what is happening in and around the environment is key


Packets? What packets?

• Getting access to network traffic was one of the first goals of intrusion detection platforms

• Classic sniffers like tcpdump led to the creation of Snort and Bro, as well as commercial options

• Gaining access to the network traffic itself was a challenge

– Promiscuous mode interfaces

– Dual-homed configs

– Finally, SPAN ports or taps


Aha. Now we’ve got packets!

• Packets! We have them!

• But…now what?

• For most, setting up IDS sensors led to the realization that we needed better knowledge of the environment


Patterns of packets make more sense.

• We now can start to analyze patterns of behavior

– Who is talking to whom

– Types of traffic

– Source/destination ports

– Protocols

• Patterns of traffic ebbs and flows are useful for volume analysis and troubleshooting, too


Example flow records shown on the slide:

Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
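The flow records above are the raw material for the "who is talking to whom" analysis the slide describes. The following is an added example, not code from the slides or from any flow-collection tool: it parses lines in the flow-print style column layout shown above (the two rows from the slide plus three constructed ones), decodes the hexadecimal protocol, port and TCP-flag columns, and summarises conversations by bytes. The internal host 10.1.2.15, the extra rows, and the single-packet RST/ACK check are illustrative assumptions.

```python
"""Who-talks-to-whom from flow-print style records (added example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the slide's column layout. Interface index (Sif/Dif),
# protocol (Pr), ports, ToS (Ts) and TCP flags (Fl) are hexadecimal in this
# format. The first two rows copy the slide; the remaining three are made up.
SAMPLE = """\
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
005b 219.140.194.174 0059 10.1.2.15 06 b4c 16 12 960 0721.21:58:01.100 0721.21:58:09.412 8.312 80 00 1b
005b 219.140.194.174 0059 10.1.2.15 06 b4d 16 9 720 0721.21:58:02.200 0721.21:58:09.900 7.700 80 00 1b
0059 10.1.2.15 005b 8.8.8.8 11 c0a0 35 1 64 0721.21:58:03.000 0721.21:58:03.000 0.000 64 00 00
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
# A flow record carries the OR of every TCP flag seen during the flow.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    pkts: int
    octets: int
    flags: int

    @property
    def flag_names(self):
        return [name for bit, name in TCP_FLAGS if self.flags & bit]


def parse_flows(text):
    """Turn flow-print style lines into Flow objects; header and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 15 or f[0] == "Sif":
            continue
        flows.append(Flow(src=f[1], dst=f[3], proto=int(f[4], 16),
                          sport=int(f[5], 16), dport=int(f[6], 16),
                          pkts=int(f[7]), octets=int(f[8]), flags=int(f[14], 16)))
    return flows


def conversations(flows):
    """Octets per (src, dst, protocol, dst port): the who-talks-to-whom view."""
    totals = Counter()
    for fl in flows:
        key = (fl.src, fl.dst, PROTO.get(fl.proto, str(fl.proto)), fl.dport)
        totals[key] += fl.octets
    return totals


def one_packet_resets(flows):
    """Destinations of single-packet TCP flows carrying only RST+ACK.

    One such flow is a server refusing a connection; many of them from one
    host are the trace a scan (or scan backscatter) leaves in flow data.
    """
    return [fl.dst for fl in flows
            if fl.proto == 6 and fl.pkts == 1 and fl.flag_names == ["RST", "ACK"]]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for key, octets in conversations(flows).most_common():
        print(f"{key[0]:>16} -> {key[1]:<16} {key[2]}/{key[3]:<5} {octets:>6} octets")
    print("single-packet RST/ACK to:", one_packet_resets(flows))
```

Note that the two slide rows decode to port 80 sending a lone RST/ACK to each external host: a web server refusing connections, which only becomes interesting once you count how many different destinations it happens with, which is exactly the kind of pattern the raw packet view hides.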


Patterns -> Blocking.

• Intrusion detection gave way to blocking with intrusion prevention systems

– This was driven by better understanding of traffic patterns and signature sets

• Most IDS and IPS platforms, even in blocking mode, did not have much understanding of context

– Most blocks were “point in time” matches based on packet attributes


What do the patterns MEAN?

• IDS and IPS needed to evolve to make better sense of what was happening in the environment

• To that end, more data is needed

– Events from other network devices

– Events from scans and user information

– Data from vulnerability scanners and monitoring tools

• This is how we can start to build context of what’s happening in the environment.


Event Data, and Lots of It


[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Traditional IDS and IPS alerts are often overwhelming


Event Data, and Lots of It (2)


Firewalls and routers are simple, static filtering devices with no understanding of context


Context + Alerting

• With event data from numerous sources, you can start to build context in the environment

– What systems communicate in a given subnet?

– What known vulnerabilities are there in the environment?

– What network devices does the traffic pass through?

• The IDS/IPS by itself, however, will still only report what it “sees”


Visibility: What IDS “Sees”

• Only traffic that passes by or through the IDS/IPS is analyzed

– Subnets? Check.

– Source/Destination ports? Check.

– Applications or platforms in use? Nope.


Visibility: More Data = Better

• Attacks are no longer viewed as discrete events at a “point in time”

• More data adds context and tells a better “security story”

– Passive scan data on OS, applications

– Active scan data on vulnerabilities

– Behavioral trend data

– System logs and endpoint security

– User directory data


Hmmm. Too many alerts?

• Now we have to start paring down alerts to get to *better* data

– Are there false positives we’ve discovered?

– Can we prioritize some data?

– Can we start combining data types into unique alert models?

• Data overload is a very common problem with IDS/IPS sensors


Correlation -> BETTER alerts.

• Correlation makes a big difference in how events are reported

• Not every unique event makes sense to alert on

– Combinations of events

– Quantity of events

– Times of day or location (source/destination)

• Having some context and behavioral baseline can help


Correlation Examples

• High Severity Threat Targeting Vulnerable Asset

– Goal: Identify, in real time, threats that are likely to compromise a host: the NIPS detects an inbound attack, and vulnerability data shows the targeted host is vulnerable to that specific attack.

– Trigger: Any NIPS event from a single source IP address targeting a host that vulnerability assessment data shows to be vulnerable to the inbound attack being detected.

– Event Sources: NIPS events, vulnerability assessment data


Correlation Examples (2)

• Repeat Attack - Multiple Detection Sources

– Goal: Find hosts that may be infected or compromised and have been flagged by multiple independent sources (high probability of a true threat).

– Trigger: After one source has seen a repeated attack from a single IP address, alert on ANY second threat type reported for that same IP address by a second source (e.g. repeated firewall drops followed by a malware detection).

– Event Sources: Firewall, NIPS, Anti-Virus, HIPS, failed login events
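Both correlation rules can be written as a few lines of logic over normalised events. The following is an added example, not AlienVault or SANS code: it parses Snort "full" format alerts like the one shown on the "Event Data" slide, then applies Rule 1 (a NIPS event against a host that the vulnerability data says is vulnerable to that attack) and Rule 2 (repeated firewall drops from one IP address followed by a detection from a second source). The vulnerability database, the mapping from IDS message to vulnerability class, the second Snort record with SID 1:9000001:1, the 15-minute window and the firewall, authentication and anti-virus records are all constructed for the example.

```python
"""Two correlation rules from the slides, run over constructed events (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort "full" alert format: "[**] [gid:sid:rev] msg [**]" followed by
# "mm/dd-hh:mm:ss.usec src:port -> dst:port". The first record copies the
# slide (which carries no gid:sid:rev); the second is constructed with a
# made-up SID.
SNORT_ALERTS = """\
[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] [1:9000001:1] Example SSH scan [**]
10/30-20:41:10.000000 192.168.1.52:44123 -> 192.168.1.70:22
TCP TTL:128 TOS:0x0 ID:22401 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0xFAF0 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""
ALERT_RE = re.compile(r"\[\*\*\]\s*(?:\[(\d+:\d+:\d+)\]\s*)?(.*?)\s*\[\*\*\]")
HDR_RE = re.compile(r"(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")


def parse_snort_full(text, year=2014):
    """Split on the =+=+ separator and pull message, SID and 5-tuple from each record.

    Snort timestamps carry no year, so the caller supplies it.
    """
    events = []
    for block in re.split(r"^=\+=.*$", text, flags=re.M):
        a, h = ALERT_RE.search(block), HDR_RE.search(block)
        if not (a and h):
            continue
        mon, day, clock, src, _sport, dst, dport = h.groups()
        ts = datetime.strptime(f"{year}-{mon}-{day} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        events.append({"ts": ts, "source": "nips", "sid": a.group(1), "msg": a.group(2),
                       "src_ip": src, "dst_ip": dst, "dst_port": int(dport)})
    return events


# Hypothetical vulnerability-assessment output (host -> vulnerability classes found)
# and a hypothetical mapping from IDS message to the class that attack exploits.
VULN_DB = {"192.168.1.61": {"web-sqli"}, "192.168.1.70": set()}
ATTACK_TO_VULN = {"SQL Injection": "web-sqli", "Example SSH scan": "weak-ssh-creds"}


def vulnerable_target_hits(nips_events, vuln_db=VULN_DB, mapping=ATTACK_TO_VULN):
    """Rule 1: NIPS event whose attack class is a known vulnerability on the target host."""
    return [(e["src_ip"], e["dst_ip"], e["msg"]) for e in nips_events
            if mapping.get(e["msg"]) in vuln_db.get(e["dst_ip"], ())]


def at(clock):
    """Constructed timestamps share the date of the Snort records above."""
    return datetime(2014, 10, 30, *map(int, clock.split(":")))


# Constructed firewall, authentication and anti-virus records. "ip" is the host the
# record is about: the source of the dropped packets, or the endpoint raising the alert.
OTHER_EVENTS = [
    {"ts": at("20:32:01"), "source": "firewall", "msg": "drop", "ip": "192.168.1.52"},
    {"ts": at("20:34:17"), "source": "firewall", "msg": "drop", "ip": "192.168.1.52"},
    {"ts": at("20:36:40"), "source": "firewall", "msg": "drop", "ip": "192.168.1.52"},
    {"ts": at("20:35:00"), "source": "firewall", "msg": "drop", "ip": "192.168.1.99"},
    {"ts": at("20:37:30"), "source": "auth", "msg": "failed login", "ip": "192.168.1.99"},
    {"ts": at("20:44:05"), "source": "av", "msg": "Malware Detected", "ip": "192.168.1.52"},
]


def repeat_then_second_source(events, min_repeats=3, window=timedelta(minutes=15)):
    """Rule 2: at least min_repeats firewall drops from one IP inside `window`, then any
    threat for that IP from a different source. Fires once per (IP, second source)."""
    drops = defaultdict(deque)
    fired, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e.get("ip") or e["src_ip"]
        if e["source"] == "firewall":
            drops[ip].append(e["ts"])
            continue
        recent = drops[ip]
        while recent and e["ts"] - recent[0] > window:  # age out old drops
            recent.popleft()
        if len(recent) >= min_repeats and (ip, e["source"]) not in fired:
            fired.add((ip, e["source"]))
            alerts.append((ip, "firewall", e["source"], e["msg"]))
    return alerts


if __name__ == "__main__":
    nips = parse_snort_full(SNORT_ALERTS)
    for hit in vulnerable_target_hits(nips):
        print("High Severity Threat Targeting Vulnerable Asset:", hit)
    for alert in repeat_then_second_source(OTHER_EVENTS + nips):
        print("Repeat Attack - Multiple Detection Sources:", alert)
```

With these inputs the SQL injection alert fires Rule 1 because 192.168.1.61 is recorded as vulnerable, while the SSH scan against 192.168.1.70 does not; 192.168.1.52 fires Rule 2 twice (firewall then NIPS, firewall then anti-virus), and 192.168.1.99 never does because a single drop is not a repeat attack. The point the slides make is visible in the output: the same Snort alert that was just noise on its own becomes a prioritised event once vulnerability and firewall data sit next to it.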


The Keys to Context-Driven Threat Assessment

1. Visibility: Know what you’re protecting in the environment

2. Baselines: Understand the behaviors of the assets in your environment

3. Impact: Understand how threats will impact assets

4. Intelligence: Incorporate threat intelligence from internal/external sources

5. Action: Prioritize security response


Threat Intel -> Better Correlation.

• Threat intelligence is the set of data collected, assessed, and applied regarding:

– Security threats

– Threat actors

– Exploits

– Malware

– Vulnerabilities

– Compromise indicators

• When this data is incorporated, much more accurate event monitoring can take place


IDS…Where’s it going?

• Intrusion detection systems are evolving today

– More context-aware

– More behavioral analysis

– Some “SIEM-like” capabilities, too

• Some IDS can now also integrate with threat intelligence feeds, too

• IDS is not a “set and forget” technology

– Tuning and correlation are required


AlienVault Unified Security Management


Coordinated Analysis, Actionable Guidance

• 200-350,000 IPs validated daily

• 8,000 collection points

• 140 countries

Collaborative Threat Intelligence:

AlienVault Open Threat Exchange™ (OTX)

Join OTX: www.alienvault.com/open-threat-exchange

Page 22: The Evolution of IDS: Why Context is Key

Questions?

[email protected]

Thank You!


Three Ways to Test Drive AlienVault USM

• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial

• Try our Interactive Demo: http://www.alienvault.com/live-demo-site

• Join us for a LIVE Demo: http://www.alienvault.com/marketing/alienvault-usm-live-demo