Intrusion detection is an important and difficult task when maintaining a secure computing system. It may not be possible to detect intrusions unless the necessary tools and a well-executed strategy are implemented. If an intruder is not detected properly, the SA (system administration) staff may not be able to determine the full extent of the intrusion and the damage caused. Moreover, it may be difficult to completely remove the intruder's effects from the compromised system. A compromised system may have other repercussions: legal action may be taken against an agency whose compromised system is used to launch additional attacks. There is also the possibility of lost business opportunities, loss of reputation, and lost revenues.
Monitor Network Traffic
System security is an ongoing, iterative process requiring careful planning and implementation. The system administrative staff is responsible for a well-documented, active strategy for detecting signs of intrusion or suspicious activity. Network and system activities must be monitored. Reviews of alerts, error reports, system logs, user behavior, and system activities must be done in real time. Periodic audits of all equipment connected to the computing network must be completed. A well-defined and documented network map must be maintained to determine whether any unauthorized changes have occurred. Vulnerability testing must be done to identify security weaknesses in the computing system. Correctness of the file system and its content must be verified using checksums and other available tools. The staff maintaining system security must be well trained and know their responsibilities. The staff must also be prepared to implement an intrusion response once an intrusion has been detected.
Detecting Signs of Intrusion
Verify that software used to monitor the systems is not compromised.
Regularly monitor network activities and system activities by reviewing:
- Alerts
- Error reports
- Network traffic
- System performance
- System usage
- Process activity
- User behavior
Keep the network configuration and all of its associated hardware documented
- Keep an inventory of all hardware
- Periodically audit all equipment attached to the network
- Investigate any unexpected hardware devices attached to the network.
- Monitor for unauthorized packet sniffing.
- Look for any unexpected routes on the network and investigate them thoroughly.
Regularly perform vulnerability testing to identify system weaknesses
Verify the file systems and their content with checksums and other possible tools.
- Document the results of system checks.
- Document and investigate any anomalies.
Update system verification metrics after completing system updates.
- This will require running and documenting new checksums.
- Document and investigate any anomalies.
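The checksum steps above (take a baseline, re-verify, re-baseline after updates, document anomalies) can be scripted. The following is an added example, not part of the original notes: it records a SHA-256 digest for every regular file under a root directory, stores the baseline as JSON, and later reports files that were added, removed or modified. The directory layout and file contents in `demo()` are constructed for the demonstration and are not taken from any real system.

```python
"""File-integrity baseline: build, store, and compare SHA-256 digests."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # links and special files carry no content to hash
            rel = full.relative_to(root_path).as_posix()
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline: dict, out_file: str) -> None:
    """Persist the baseline; keep the stored copy on write-protected media."""
    with open(out_file, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(in_file: str) -> dict:
    with open(in_file, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Report the anomalies an auditor would document and investigate."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"  # constructed sample tree, not a real /etc
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "motd").write_text("Authorized use only.\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(str(root)), str(baseline_file))

        # Simulated drift: one file edited, one removed, one new file present.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "motd").unlink()
        (root / "ssh" / "sshd_config.bak").write_text("PermitRootLogin no\n")

        return compare(load_baseline(str(baseline_file)), build_baseline(str(root)))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

After a legitimate system update, re-run `build_baseline` and `save_baseline` to refresh the stored digests, as the notes require, and keep the report from `compare` with the change record so later anomalies can be distinguished from expected changes.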
Inspect physical security measures for theft, tampering, or intrusion:
- locks
- keys
- keycards
- CCTV
- Alarms
- portable media
Log all physical security breaches.
Train the computer systems staff in intrusion detection
- Document responsibilities for staff members
- Provide a contact check list when intrusions are detected
- Document an intrusion response plan
Detecting Signs of Intrusion
If you never detect an intrusion, does this imply your systems have never been compromised by an intruder?
General Approach to detection:
- Monitor your systems and look for unusual (or suspicious) activity.
- Investigate anything unusual (or suspicious).
- If some activity cannot be explained, initiate intrusion response procedures.
Implementing intrusion detection:
- Protect the integrity of your intrusion detection tools (hardware and software).
- Monitor the system behavior.
- Physical forms of intrusion: output devices, portable media.
- Follow through from incident reports.
Detecting Signs of Intrusion
- Integrity of detection software: ensure the software cannot be compromised
- Integrity of hardware: ensure the hardware cannot be compromised
- Behavior of networks: monitor and inspect activities
- Behavior of systems: monitor network activity, memory usage, CPU usage, disk usage.
- Physical forms of intrusion: Attached hardware devices, unauthorized access to physical resources.
- Follow through: Review reports of suspicious system and network behavior and events.
- Do not rely on software tools that reside on compromised systems.
Examples of how an intruder subverts the tools on a compromised system:
- Replace the ps command to filter out processes used by the intruder.
- Replace the editor software to open files other than the files requested.
- Modify the system log files.
Be suspicious:
- What software produced the current output?
- What other software does this output rely on?
- What software can you trust?
- Write-protected media is ideal for holding the software used to test a system.
Method:
- Physically attach a suspect data device to a secure device for testing.
- Attach a write-protected system disk to the suspect system, boot from it, and test.
- Generate an image of the suspect system disk, mount it on a verified system, and examine it there.
- Use external media containing a verified set of software to examine the suspect system.
- Use verified software to examine the suspect system.
Policy considerations:
- System security policy should specify the level of verification required when examining each class of data and service provided by the organization’s systems.
- If a file can be immutable, it should be.
Monitor and Inspect Network Activities
Traffic and performance:
- ICMP (Internet Control Message Protocol) pings, port probes, SNMP (Simple Network Management Protocol) queries.
- Log files: routers, firewalls, hosts, devices
- Alert reports
- Error reports
- Network performance statistics reports.
Unexpected behavior:
- Unexpected changes in network performance, such as variations in traffic load at specific times
- Traffic coming from or going to unexpected locations
- Connections made at unusual times
- Repeated failed connection attempts
- Unauthorized scans and probes
- Nonstandard or malformed packets
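Several of the unexpected behaviors listed above can be checked mechanically against firewall or router logs. The following is an added example, not part of the original notes: a small parser for a constructed, syslog-like connection log plus detection rules for repeated failed connection attempts, connections at unusual hours, sensitive-port connections from outside a trusted range, and probes across many ports. The log format, the sample lines (using the reserved documentation address ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), the trusted network, the business hours and the thresholds are all assumptions chosen for the demonstration; a real deployment derives them from the site's own network map and policy.

```python
"""Detection rules for unexpected network behavior over sample log lines."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: "<timestamp> <host> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed site policy (constructed for the example).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # the organization's own range
BUSINESS_HOURS = range(8, 18)   # UTC hours in which interactive logins are expected
SENSITIVE_PORTS = {22, 3389}    # remote-administration services

# Constructed sample log lines; no real hosts are represented.
LOG_LINES = [
    "2024-03-02T03:12:07Z fw DENY tcp 203.0.113.9:51234 -> 192.0.2.10:22",
    "2024-03-02T03:12:08Z fw DENY tcp 203.0.113.9:51235 -> 192.0.2.10:22",
    "2024-03-02T03:12:09Z fw DENY tcp 203.0.113.9:51236 -> 192.0.2.10:22",
    "2024-03-02T03:12:10Z fw DENY tcp 203.0.113.9:51237 -> 192.0.2.10:22",
    "2024-03-02T03:12:11Z fw DENY tcp 203.0.113.9:51238 -> 192.0.2.10:22",
    "2024-03-02T03:20:00Z fw ALLOW tcp 198.51.100.7:40001 -> 192.0.2.10:22",
    "2024-03-02T10:05:00Z fw ALLOW tcp 192.0.2.55:40002 -> 192.0.2.10:22",
    "2024-03-02T10:06:00Z fw DENY tcp 203.0.113.200:4000 -> 192.0.2.10:21",
    "2024-03-02T10:07:30Z fw DENY tcp 203.0.113.200:4001 -> 192.0.2.10:23",
    "2024-03-02T10:09:00Z fw DENY tcp 203.0.113.200:4002 -> 192.0.2.10:25",
    "2024-03-02T10:10:30Z fw DENY tcp 203.0.113.200:4003 -> 192.0.2.10:80",
    "2024-03-02T10:12:00Z fw DENY tcp 203.0.113.200:4004 -> 192.0.2.10:443",
    "2024-03-02T10:13:30Z fw DENY tcp 203.0.113.200:4005 -> 192.0.2.10:445",
    "this line is malformed and is skipped by the parser",
]


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def _trusted(src: str) -> bool:
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)


def detect(lines, fail_threshold=5, fail_window_s=60, scan_threshold=5):
    """Apply the four rules and return a list of findings (rule, src, detail)."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    recent_denies = defaultdict(deque)   # src -> timestamps of DENYs in the window
    flagged_fail = set()
    denied_ports = defaultdict(set)      # src -> distinct destination ports denied
    for e in events:
        src = e["src"]
        if e["action"] == "DENY":
            q = recent_denies[src]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > fail_window_s:
                q.popleft()              # drop attempts older than the window
            if len(q) >= fail_threshold and src not in flagged_fail:
                flagged_fail.add(src)
                findings.append({"rule": "repeated_failures", "src": src,
                                 "detail": f"{len(q)} denies within {fail_window_s}s"})
            denied_ports[src].add(e["dport"])
        else:
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append({"rule": "unusual_time", "src": src,
                                 "detail": f"accepted at {e['ts'].isoformat()}"})
            if e["dport"] in SENSITIVE_PORTS and not _trusted(src):
                findings.append({"rule": "unexpected_location", "src": src,
                                 "detail": f"port {e['dport']} from outside trusted range"})
    for src, ports in denied_ports.items():
        if len(ports) >= scan_threshold:
            findings.append({"rule": "port_scan", "src": src,
                             "detail": f"{len(ports)} distinct ports probed"})
    return findings


if __name__ == "__main__":
    for f in detect(LOG_LINES):
        print(f"{f['rule']:20} {f['src']:16} {f['detail']}")
```

Each finding is a lead for the "investigate anything unusual" step, not a verdict: the internal login during business hours produces nothing, while the out-of-hours login from an untrusted address is reported twice, once per rule, so that both policy questions are raised with the investigator.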
If you allow third parties access to your systems (vendors, contractors, suppliers, partners, customers, …), you must monitor their access.
Notify users of system monitoring – this is known as disclosure. Most notification of monitoring is done at login time using a login banner.