Intrusion Detection Flashcards
What are the classes of intruders?
Cyber criminals: Are either individuals or members of an organized crime group with a goal of financial reward. To achieve this, their activities may include identity theft, theft of financial credentials, corporate espionage, data theft, or data ransoming.
Activists: Are either individuals working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes.
State-sponsored organizations: Are groups of hackers sponsored by governments to conduct espionage or sabotage activities. They are also known as Advanced Persistent Threats (APTs), due to the covert nature and persistence over extended periods involved with many attacks in this class.
Others: Are hackers with motivations other than those listed above, including classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation.
What is the range of skill levels of intruders?
Apprentice: Hackers with minimal technical skill who primarily use existing attack toolkits.
Journeyman: Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities; or to focus on different target groups.
Master: Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities, or writing new powerful attack toolkits.
List 3 types of intrusions:
NIST SP 800-61 (Computer Security Incident Handling Guide, August 2012) lists the following examples of intrusion:
Performing a remote root compromise of an e-mail server
Defacing a Web server
Guessing and cracking passwords
Copying a database containing credit card numbers
Viewing sensitive data, including payroll records and medical information, without authorization
Running a packet sniffer on a workstation to capture usernames and passwords
Using a permission error on an anonymous FTP server to distribute pirated software and music files
Dialing into an unsecured modem and gaining internal network access
Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
Using an unattended, logged-in workstation without permission
List the components commonly seen in intrusions:
Target Acquisition and Information Gathering: Where the attacker identifies and characterizes the target systems using publicly available information, both technical and non-technical, and the use of network exploration tools to map target resources.
Initial Access: The initial access to a target system, typically by exploiting a remote network vulnerability as we will discuss in Chapters 10 and 11, by guessing weak authentication credentials used in a remote service as we discussed in Chapter 3, or via the installation of malware on the system using some form of social engineering or drive-by-download attack as we discussed in Chapter 6.
Privilege Escalation: Actions taken on the system, typically via a local access vulnerability as we will discuss in Chapters 10 and 11, to increase the privileges available to the attacker to enable their desired goals on the target system.
Information Gathering or System Exploit: Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system.
Maintaining Access: Actions such as the installation of backdoors or other malicious software as we discussed in Chapter 6, or through the addition of covert authentication credentials or other configuration changes to the system, to enable continued access by the attacker after the initial attack.
Covering Tracks: Where the attacker disables or edits audit logs such as we will discuss in Chapter 18, to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code as we discussed in Chapter 6.
What are the logical components of intrusion detection?
Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion.
e.g., network packets, log files, system call traces
Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred.
User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.
Name the IDS classifications
Host-based IDS (HIDS): Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity.
Network-based IDS (NIDS): Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
Distributed or hybrid IDS: Combines information from a number of sensors, often both host- and network-based, in a central analyzer that is able to better identify and respond to intrusion activity.
List 3 Requirements for an IDS:
Run continually with minimal human supervision.
Be fault tolerant in the sense that it must be able to recover from system crashes and reinitializations.
Resist subversion. The IDS must be able to monitor itself and detect if it has been modified by an attacker.
Impose a minimal overhead on the system where it is running.
Be able to be configured according to the security policies of the system that is being monitored.
Be able to adapt to changes in system and user behavior over time.
Be able to scale to monitor a large number of hosts.
Provide graceful degradation of service in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.
Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.
List two approaches to how IDS detects intrusions:
Anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time.
Signature or Heuristic detection: Uses a set of known malicious data patterns (signatures) or attack rules (heuristics) that are compared with current behavior to decide if it is that of an intruder.
Name the three approaches to anomaly detection:
Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
Knowledge-based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.
Machine-learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques.
Name some ML approaches to anomaly detection:
Bayesian networks: Encode probabilistic relationships among observed metrics.
Markov models: Develop a model with sets of states, some possibly hidden, interconnected by transition probabilities.
Neural networks: Simulate human brain operation with neurons and synapses between them, which classify observed data.
Fuzzy logic: Uses fuzzy set theory where reasoning is approximate, and can accommodate uncertainty.
Genetic algorithms: Uses techniques inspired by evolutionary biology, including inheritance, mutation, selection and recombination, to develop classification rules.
Clustering and outlier detection: Group the observed data into clusters based on some similarity or distance measure, and then identify subsequent data as either belonging to a cluster or as an outlier.
What is the difference between signature and rule-based approaches for intrusion detection?
Signature approaches match a large collection of known patterns of malicious data against data stored on a system or in transit over a network.
Rule-based heuristic identification involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage.
Name some data sources for HIDS:
System call traces
Audit logs
File integrity checksums
Registry accesses
What are the typical components of a distributed intrusion detection system?
Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.
LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.
What is Network-Based Intrusion Detection?
A network-based IDS (NIDS) monitors traffic at selected points on a network or interconnected set of networks. The NIDS examines the traffic packet by packet in real time, or close to real time, to attempt to detect intrusion patterns.
What are some types of network sensors?
A. An inline sensor is inserted into a network segment so the traffic that it is monitoring must pass through the sensor.
B. More commonly, passive sensors are used. A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device. From the point of view of traffic flow, the passive sensor is more efficient than the inline sensor, because it does not add an extra handling step that contributes to packet delay.
C.