RE: IDS and Spywares

["Omar A. Herrera" <omar.herrera () oissg org>]

> -----Original Message-----
> From: Matt Jonkman [mailto:matt () infotex com]
> Sent: Friday, October 14, 2005 6:46 AM
>
> On Thu, 2005-10-13 at 18:38 +0100, Omar A. Herrera wrote:
>
> But the big thing that all of these malwares have in common, and what
> they have to do, is either send data they collect somewhere, or take
> commands from somewhere. And to do this they have to talk to someone,
> and that's where IDS can see them, and IPS can stop them. No matter what
> new OS hook, or what they disable or defeat on the host, they still have
> to get data through the network.
Mh, you certainly have a point here. An IDS/IPS should be able to pick up
that traffic. Yet, the visibility problem I mentioned before is what makes
me doubt that they are capable of identifying this traffic as malicious, all
the time.

The problem is in essence: given a certain stream of bits flowing from
inside the network to the Internet is the IDS/IPS always able to distinguish
if the content is malicious in nature or not?

My reasoning is this: If the stream by itself gives enough information, then
yes (i.e. if the malware uses a proprietary protocol and/or fixed port that
makes it uniquely identifiable). But, if there is not enough information to
identify the content as malicious, then, even if the network based IDS/IPS
can see it, there is simply not enough information to tag it as malicious. 

A simple http request for example:
http://xxx.xxx.xxx.xxx/harmless.cgi?1111222233334444 going to port 80 to
some server on the Internet.

There you go, a credit card number being transmitted  by some malware to the
internet. Unless you already know that xxx.xxx.xxx.xxx is a malicious site
beforehand, then there is simply no way for an IDS/IPS to distinguish this
malicious traffic from legitimate traffic :-).

However, hIDS/hIPS have more information at the host side. For example, they
can identify the process starting that communication, and just by looking at
a process whitelist, they can decide if the traffic is authorized or not,
and take some action based on that fact (e.g. the white list contains only a
pair of web browsers that are authorized to establish http traffic to port
80; nothing else is authorized to do this).

This is the kind of information that you have with host based products which
you don't with network based products. The host based product can even see
everything that the network based product sees on the network (for that
particular system only, of course), but the network based product can't see
what is happening inside every system it is watching, and hence has less
information (e.g. they can't guarantee that some particular http traffic for
port 80 was indeed started by an authorized browser). 
 
> > On the other hand, you can detect and prevent this sort of stuff at the
> host
> > level (blocking hooking attempts for the keyboard, for example) and the
> best
> > part of it is that it doesn't matter if it is a completely new or custom
> > made spyware, or trojan, or any other kind of malware where you can
> install
> > this capability. So, this clearly shows that the visibility (and
> > consequently the identification) of these threats is much better at host
> > level, and whether these controls have still flaws or not does not
> affect
> > their potential visibility of these threats, which in any case will be
> much
> > better than any network based security control.
>
> At many levels you can be effective at the host. But inevitably there
> will be found a way to evade or disable these protections. Likely it'll
> be defeated by researchers quickly, but it exists. We need layers of
> security. Hence my comment about a system policing itself. You need
> outside oversight of any system to ensure it's not compromised.
>
> I never implied that HIDS isn't useful or effective. But you can't put
> your eggs into one basket, especially when that basket is expected to
> police itself.

Yes I agree, there are many ways to circumvent security at the host level.
You can sort of piggy back making use of an authorized processes and
applications for example or making use of extremely complex covert channels,
but the visibility capabilities (from the point of view of events inside
each critical system) remains the same for both hIDS/hIPS and nIDS/nIPS.

> That was my point as well. Layers. If you can afford hids on all
> systems, and the load and such isn't an impact, and there is a hids for
> every OS and server you run, then it's a great tool. But nearly any
> network can afford IDS (snort is free), and with basic training can
> implement an effective network-wide control.

I do agree with you that layered security is always the best option, even if
there is some redundancy in some of the activities performed by different
kinds of products. 

Therefore, organizations going for strict security by installing hIDS/hIPS
products on every critical server and workstation, also have good network
defenses as well, which of course include nIDS and nIPS.

> It's the 80/20 rule. We now about the vast majority of spyware out there
> (by distribution). Your odds of being hit by a totally unknown spyware
> package, or a totally unknown worm are slim. And even if so it'll be
> known within hours or days. So a tool that blocks known things IS
> effective. :)

That's not good enough for some type of organizations, including some
government and financial institutions. They have to push closer towards 99%
security.

Also, you should check the trends regarding customized (or specially
crafted) malware for targeted attacks. For the kind of organizations
mentioned above this is extremely important. I don't believe that nIDS/nIPS
vendors are able to release updates for their product's blacklists on time,
because if they do, it most probably means that the organizations or
individuals being targeted already were attacked by them, detected them, and
reported them (and I doubt this last thing is done at all).

You are not supposed to wait for vendor updates while using white lists in
combination with hIDS/hIPS products because you need to create them
yourself. It is a completely different approach that requires a lot of
resources and time. But talking about organizations that need it, they will
go for it surely.

> > I don't really see myself screaming before the IDS console "Watch out, a
> > spyware is coming through!, I'll get Spybot and I'll clean that machine
> with
> > really sensitive information. I just hope to react fast enough before
> > something nasty happens".
>
> But how do you know what machine is compromised, and when? IDS will tell
> you, or prevent it. Can you aford to have a tech at every pc in your
> enterprise on a regular basis to make sure there's nothing there?

For critical servers and workstations I can afford having host based
protection with white lists (with all the resources that you require to
maintain that infrastructure) and personnel to do periodic security checks
on-site (also, I can afford having network based security controls but don't
rely on them alone for this sort of things with malware). Life is not easy
for me, but those are the requirements for the kind of organization I work
for.

See above why a network based IDS/IPS will have less chances of telling me
which and when a machine was compromised using certain types of malware. 
:-)

> It doesn't have to be installed on 10,000 machines in an enterprise, or
> managed, or licenses purchased for them. Plus, there's more to the net
> than workstations and spyware. IDS is a full range product for all
> systems, apps, and OSs.

That is a good value for the protection coverage you get I must agree. But
again, it is not good enough for the protection level it can give, not for
me at least (refer to the above explanations).

> > There are also several discussions of why rules targeted at specific 
> > exploit code and shellcodes are not a good idea, even in Snort 
> > vulnerability-based signatures are preferred; I think I've even seen 
> > Martin Roesch state that. It is the same principle. 
>
> Yes, thats true. And why there are signatures for specific exploits
> initially upon discovery, then more research into the actual
> vulnerability and signatures to detect any violation of norms. And if
> you're quoting Marty to point out how useless IDS is, you're also going
> down the wrong road. :)

No. I never meant that IDS were useless. That's not what I'm saying or
implying, but just to make sure this is perfectly clear I will rephrase it. 

What I mean is that nIDS is not better suited for certain security tasks
that are better done with other security tools (and I believe that was also
the point of Marty, as well as how to make a better use of nIDS). 

Network based IDS/IPS and host based IDS/IPS complement each other, they
have some points where there is some redundancy but you can't replace one
with the other. All I was trying to say is that for this particular task of
detecting and stopping malware (which was why this thread started), a host
based solution is more effective than a network based solution, and I assume
that we are all on the same track. That's all. :-)

Kind regards,

Omar Herrera


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------