Network Intrusion Chapters 1-4

  1. Unauthorized Access
    Occurs when an outsider comes in over the network and logs into your system uninvited.
  2. Jump-Off Point for other Attacks
    Once a computer has been compromised it usually contains information that opens up several other computers within the same organization. These types of attacks are identifiable by the patterns of traffic leading out of the network.
  7. Password Downloads
    Unauthorized password file downloads give attackers the material (hashes to crack, reused credentials) needed to compromise other systems.
  9. Bandwidth Theft
    Clever attackers will take over a machine and run whole businesses from networks they do not own (e.g. running an Internet Service Provider [ISP] or an adult web site from inside a commercial organization).
  5. Denial Of Service (DOS)
    Are named because they result in a resource not being able to service its users.
  13. Malformed Packets
    They come in a variety of shapes and sizes with the intent of causing a protocol stack to crash. In most cases, programmers do not attempt to handle impossible situations such as null or out-of-range values in critical fields. Attackers take advantage of this by deliberately creating those situations, causing the protocol implementation to fail.
  14. Packet Flooding
    Is a simple DOS technique that involves sending as many packets as you can at a single network device until it either crashes because it can't handle the load or becomes so slow that legitimate user requests can't get through.
  8. Effective Audit Policy
    An effective audit policy is one that produces an appropriate number of event records; not so many that they can't be effectively analyzed and not so few that interesting behaviors are lost.
  19. Detection Policy
    Defines the patterns that are detected in the event log records. Signature recognition is the most common detection mechanism in host-based systems. The key to a good detection policy is properly configured signatures, with an appropriate number of active signatures evaluated in real time and in batch.
  20. Signatures
    Are a priori rules that define a sequence of events and a set of transitions between the events. They may be single-event or multiple-event signatures.
  11. Audit and detection Policy Dependencies
    Audit policies and detection policies are dependent upon each other. The events that comprise any pattern of activity in the detection policy must also be reflected in the audit policy. Failure to do this will result in signatures that will never be detected, whether or not the behavior they represent ever takes place on your system.
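    The three cards above (detection policy, signatures, and the audit/detection dependency) can be shown together in code. The following is an added example, not code from the handbook: a single-event signature and a multiple-event signature written as a per-user state machine, run over a constructed host audit stream, first under an audit policy that records every event kind and then under one that silently drops failed logins. The event kinds (LOGIN_FAIL, LOGIN_OK, SU_ROOT, LOGOUT), the threshold and the window are assumptions made for illustration.

```python
"""Signature matching against a host audit stream (added example).

Event kinds, thresholds and the audit stream are constructed for
illustration; they are not the handbook's or any product's format.
"""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int      # seconds; only relative values matter here
    user: str
    kind: str


# Constructed audit stream: bob fails three times, succeeds, then escalates.
AUDIT_STREAM = [
    Event(100, "alice", "LOGIN_OK"),
    Event(101, "bob", "LOGIN_FAIL"),
    Event(102, "bob", "LOGIN_FAIL"),
    Event(103, "bob", "LOGIN_FAIL"),
    Event(104, "bob", "LOGIN_OK"),
    Event(105, "bob", "SU_ROOT"),
    Event(106, "alice", "LOGOUT"),
]

# Two audit policies: the full one, and a misconfigured one that never
# records failed logins, so any signature that needs them can never fire.
FULL_AUDIT = {"LOGIN_FAIL", "LOGIN_OK", "SU_ROOT", "LOGOUT"}
NO_FAILURES_AUDITED = {"LOGIN_OK", "SU_ROOT", "LOGOUT"}


def single_event_signature(ev):
    """Single-event signature: fires on one record by itself."""
    return ev.kind == "SU_ROOT"


class BruteForceThenSu:
    """Multiple-event signature as a state machine keyed per user.

    Transitions: count LOGIN_FAIL; a LOGIN_OK after >= THRESHOLD failures
    marks the session suspicious; a SU_ROOT within WINDOW seconds of that
    login fires the signature and resets the user's state.
    """
    THRESHOLD = 3
    WINDOW = 60

    def __init__(self):
        self.state = {}  # user -> (failure_count, suspicious_login_ts)

    def feed(self, ev):
        fails, login_ts = self.state.get(ev.user, (0, None))
        if ev.kind == "LOGIN_FAIL":
            fails += 1
        elif ev.kind == "LOGIN_OK":
            login_ts = ev.ts if fails >= self.THRESHOLD else None
            fails = 0
        elif (ev.kind == "SU_ROOT" and login_ts is not None
              and ev.ts - login_ts <= self.WINDOW):
            self.state[ev.user] = (0, None)
            return f"brute-force login then root escalation by {ev.user} at t={ev.ts}"
        self.state[ev.user] = (fails, login_ts)
        return None


def run_detection(stream, audited_kinds):
    """Apply the audit policy (which kinds get recorded), then the detection policy."""
    multi = BruteForceThenSu()
    alerts = []
    for ev in stream:
        if ev.kind not in audited_kinds:
            continue  # dropped by the audit policy: the detector never sees it
        if single_event_signature(ev):
            alerts.append(f"root escalation by {ev.user} at t={ev.ts}")
        hit = multi.feed(ev)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for name, policy in (("full audit", FULL_AUDIT), ("no failures audited", NO_FAILURES_AUDITED)):
        print(name, "->", run_detection(AUDIT_STREAM, policy))
```

    Under the full audit policy both signatures fire on bob's su at t=105; under the policy that omits LOGIN_FAIL the multiple-event signature stays silent even though the behaviour did occur, which is exactly the dependency the card describes.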
  12. Data Sources
    Even though application sources are better, most host-based intrusion detection systems focus on operating system data rather than application logs, because operating systems have been instrumented to produce event logs and most applications have not. Each audit source is unique and requires its own parser, policy management, detection policy and audit policy, so multiple audit sources increase complexity.
  13. Operating System Event Logs
    Good event logs contain a wealth of information and are protected in the kernel of the operating system.
  14. UNIX Syslog
    Syslog is a generic logging utility available in most types of UNIX. Syslog is very loosely formatted in ASCII and may be written by any application. The ASCII format of Syslog is very easy to modify and spoof.
  15. UNIX Binary Kernel Logs
    Kernel logs are written by the UNIX kernel, which is the closest thing to a trusted computing base (TCB) in most UNIX implementations. They reflect kernel actions, including permissions usage, object access, application execution, and trusted operations. The kernel logs are preferable to Syslog because of the richness and trustworthiness of the data.
  16. Windows NT/2000 Security Event Log
    Windows NT and Windows 2000 provide the trusted security log, which features 52 event types and is well controlled. A powerful feature in Windows NT/2000 is the ability to audit on a per-object basis.
  17. Middleware Application Audit Sources
    A middleware audit source is potentially higher quality than operating system log files because it ties together the many applications that use the middleware.
  18. Relational Databases
    Relational database management systems (RDBMS) middleware applications, such as Oracle and Sybase, provide detailed data on access to tables, rows, and columns of sensitive data. Database audit sources are usually kept in the database itself as a protected table.
  19. Application Audit Sources
    Application audit sources are usually the highest quality because they carry considerable inherently correlated information about transactions, users, and applications.
  20. Firewalls
    A firewall source is a special case of an application audit source in which the events reflect access control through a choke point on the network. Like most application audit sources, firewall logs are usually ASCII-based and configurable through the application interface. Events usually record the service used, the direction of traffic, and the source and destination addresses, but not the end user's identity.
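    Cards 2 and 20 meet in practice: the "patterns of traffic leading out of the network" that reveal a compromised jump-off host are found in exactly the fields a firewall log provides. The following is an added example, not the handbook's code: it parses a constructed firewall log (the key=value line format, addresses and threshold are assumptions for illustration) and flags any internal host that has successfully opened connections to an unusual number of distinct external hosts. Note that the result is keyed by source address only; the card's caveat applies, since nothing in the log says which user was behind the host.

```python
"""Outbound fan-out detection over a constructed firewall log (added example).

The line format is an assumed key=value style, not any vendor's format.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal range

LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) dir=(?P<dir>in|out) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 10.0.5.12 fans out to six external hosts on SMB/SSH,
# 10.0.5.20 does ordinary web browsing, plus one drop and one inbound line.
FIREWALL_LOG = [
    "2024-05-01T10:00:01 action=ACCEPT dir=out proto=tcp src=10.0.5.20 sport=50001 dst=203.0.113.10 dport=443",
    "2024-05-01T10:00:02 action=ACCEPT dir=out proto=tcp src=10.0.5.12 sport=51234 dst=203.0.113.10 dport=445",
    "2024-05-01T10:00:03 action=ACCEPT dir=out proto=tcp src=10.0.5.12 sport=51235 dst=203.0.113.11 dport=445",
    "2024-05-01T10:00:04 action=ACCEPT dir=out proto=tcp src=10.0.5.12 sport=51236 dst=203.0.113.12 dport=22",
    "2024-05-01T10:00:05 action=DROP dir=out proto=tcp src=10.0.5.12 sport=51237 dst=203.0.113.13 dport=22",
    "2024-05-01T10:00:06 action=ACCEPT dir=out proto=tcp src=10.0.5.12 sport=51238 dst=198.51.100.5 dport=22",
    "2024-05-01T10:00:07 action=ACCEPT dir=out proto=tcp src=10.0.5.20 sport=50002 dst=198.51.100.5 dport=443",
    "2024-05-01T10:00:08 action=ACCEPT dir=out proto=tcp src=10.0.5.12 sport=51239 dst=198.51.100.6 dport=445",
    "2024-05-01T10:00:09 action=ACCEPT dir=in proto=tcp src=192.0.2.9 sport=4444 dst=10.0.5.12 dport=22",
    "2024-05-01T10:00:10 action=ACCEPT dir=out proto=tcp src=10.0.5.12 sport=51240 dst=192.0.2.9 dport=22",
    "2024-05-01T10:00:11 action=ACCEPT dir=out proto=tcp src=10.0.5.20 sport=50003 dst=203.0.113.10 dport=443",
]


def parse(line):
    """Return a dict of the fields the card lists (service, direction, src, dst), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def outbound_fanout(lines, threshold=5):
    """Map each internal source to its distinct accepted external destinations,
    keeping only sources that reached at least `threshold` of them."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dir"] != "out":
            continue
        if rec["src"] in INTERNAL and rec["dst"] not in INTERNAL:
            fanout[rec["src"]].add(rec["dst"])
    # Keyed by address only: the firewall cannot tell us which user did this.
    return {str(src): [str(d) for d in sorted(dsts)]
            for src, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in outbound_fanout(FIREWALL_LOG).items():
        print(f"jump-off candidate {src}: {len(dsts)} external hosts -> {dsts}")
```

    Dropped and inbound records are deliberately excluded so that the count reflects connections the firewall actually let through; the DROP line is still worth correlating separately, since a scan that the firewall blocks is evidence in its own right.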
  21. Backup
    Backup applications provide logs of another critical component of corporate infrastructure. The logs reflect successes and failures in backing up data across the enterprise. Because backups are what an organization falls back on after damage, an unexplained run of backup failures can be an early warning of an attack.
  22. Benefits of Host-Based Intrusion Detection
    Host-based benefits include threat detection, response, deterrence, attack anticipation, and damage assessment. Prosecution support is also possible if the audit data comes from a trusted source and its integrity is protected.
  23. Challenges for Host-Based Technologies/ Performance
    Host-based intrusion detection systems are massively distributed mechanisms for processing the behavior of every monitored host in a large network. Performance degradation can occur on the network and on the target.
  24. IDS Trade-off
    Deploying an IDS involves one major performance trade-off: the processing cost can be placed either on the target or on the network. In a real-time distributed architecture, event log processing takes place on the target and the network carries only the alerts to a central point; the impact falls on the target and the effect on the network is negligible. In a centralized architecture, the raw event data is shipped to a common host and processed there; the impact on the target is negligible but the network impact is significant.
  25. Deployment/ Maintenance
    Deploying a host-based system is difficult because the agents are widely distributed. Every target requires an agent, so initial deployment and maintenance require distributed deployment and remote update mechanisms.
  26. Compromise
    Host-based agents are present on the targets they monitor. If an unauthorized user gains privileges on the monitored system, that user can shut down the agent, rendering the intrusion detection system useless.
  27. Spoofing
    Spoofing a host-based system can be accomplished by inserting records into the audit stream that indicate false activity or removing them to erase an unauthorized activity. The best defense is always a trusted and protected audit source, such as a binary kernel log. Syslog, as an ASCII file from an untrusted source, is an example of a data source that can be spoofed quite easily.
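    Cards 14 and 27 both rest on the same fact: every field of a syslog record (priority, timestamp, hostname, tag, pid) is text supplied by whoever wrote the line, so a parser has nothing with which to verify provenance. The following is an added example, not the handbook's code: a small parser for the traditional BSD syslog line format, applied to a constructed genuine sshd record and to a constructed forged one that claims the same origin. The sample lines and the check function are assumptions made for illustration.

```python
"""Traditional (BSD-style) syslog line parser, used to show why syslog is
spoofable (added example; sample lines are constructed).

A record looks like:  <PRI>Mmm dd hh:mm:ss host tag[pid]: message
PRI = facility * 8 + severity.  Everything after the angle brackets is
free text chosen by the writer of the line.
"""
import re

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed lines. GENUINE is what sshd would log on a host called bastion
# (facility 4 = auth, severity 6 = info, so PRI = 38).  FORGED carries the
# same facility, host and tag but was written by an unprivileged process.
GENUINE = "<38>May  1 10:00:01 bastion sshd[4120]: Accepted publickey for alice from 10.0.5.12 port 51234 ssh2"
FORGED = "<38>May  1 10:00:02 bastion sshd[4121]: Accepted publickey for alice from 203.0.113.7 port 4444 ssh2"


def parse_syslog(line):
    """Split a syslog line into its fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


# Fields a naive consumer would use to decide "this came from sshd on bastion".
PROVENANCE_FIELDS = ("facility", "severity", "host", "tag")


def same_provenance(rec_a, rec_b):
    """True when two parsed records are indistinguishable on every field that
    purports to say where the record came from.  There is no field the forger
    does not control, which is the card's point."""
    return all(rec_a[f] == rec_b[f] for f in PROVENANCE_FIELDS)


if __name__ == "__main__":
    g, f = parse_syslog(GENUINE), parse_syslog(FORGED)
    print("genuine:", g)
    print("forged: ", f)
    print("parser can tell them apart by origin:", not same_provenance(g, f))
```

    On a typical Linux host the forged line needs no privilege at all: `logger -t sshd -p auth.info "Accepted publickey for alice ..."` run from any account produces a record that parses exactly like the genuine one. The same absence of any writer-bound field is why deleting a line from a plain syslog file leaves no trace; a kernel-written binary log, as card 15 describes, is preferable precisely because the writer is the kernel rather than the application.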
Network Intrusion Terminology from The Practical Intrusion Detection Handbook