IDS mailing list archives
RE: IDS and Spywares
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Thu, 13 Oct 2005 18:38:23 +0100
Hi Matt,
-----Original Message----- From: Matt Jonkman [mailto:matt () infotex com] Sent: Thursday, October 13, 2005 4:08 PM To: Omar A. Herrera Cc: focus-ids () securityfocus com; 'vipul kumra'; dhruv_ymca () yahoo com; neelabhsharma1 () gmail com Subject: RE: IDS and Spywares I strongly disagree that IDS is not effective with spyware. I grant that hids is a good thing. But maybe I'm from the old school of thought, that you can't trust any system to police itself. That system is corruptable, and thus needs outside oversight. Security 101.
The problem is not related to the capabilities or deficiencies of other security controls. This is a problem of visibility, and if you suggest that a network based security control has better visibility than a host based security control for threats for which most of their characteristics are only visible while running locally on a system (e.g. key loggers, or even simple backdoors that open ports), then I will insist that your view is flawed. If you know of an IDS that is capable of analyzing "any" stream of bits, identifying within that stream that there is an executable code of some kind, and then even be able to tell me that that particular piece of code contains a keylogger of some sort, then I will definitely buy your idea right way. On the other hand, you can detect and prevent this sort of stuff at the host level (blocking hooking attempts for the keyboard, for example) and the best part of it is that it doesn't matter if it is a completely new or custom made spyware, or trojan, or any other kind of malware where you can install this capability. So, this clearly shows that the visibility (and consequently the identification) of these threats is much better at host level, and whether these controls have still flaws or not does not affect their potential visibility of these threats, which in any case will be much better than any network based security control. I understand that you might fear putting the protection so close to the system. But if you are that paranoid, then you should keep your IDS and install and hIDS or preferably hIPS right away. But you shouldn't rely solely on a less effective tool for defending against these threats, just because it gives the impression that it will keep threats farther from your critical systems.
That is exemplified by the number of worms that kill AV on their victims, or alter hosts files so they can't get new dats, etc. The victim sits there warm and fuzzy because they paid the 40 dollar Symantec tax, and they're blasting spam to the world, none the wiser. The code to do these things is easil available, and surely will be used by spyware once they feel a hit to their pocketbook. If there's money to be made they'll do it.
First, a worm has different characteristics from a spyware, so I really don't see your point. Of course nIDS and nIPS are best suited to deal with worms because their attack vector is related to the network (they exploit vulnerabilities of network services to propagate). But not all spyware do the same (i.e. you won't be lucky enough to see spyware exploiting vulnerabilities in some web browsers all the time), and you also have all other types of malware that also don't. Furthermore, your IDS might still sit clueless while your user visits that web page using SSL and gets infected, or simply uses some P2P encrypted channel for sharing some files with his friends that happen to contain spyware.
Network based detection and BLOCKING is the most effective way I've seen to find and deal with spyware in a large network environment. But it's one tool in the toolbox. Once you detect with IDS you have to clean with spybot, adaware, etc. It's critical that both tools stay effective.
It is the easiest method to detect and probably block "known" network based attacks only, and it may be the most cost-effective solution for some enterprises. But I totally disagree that this solution is the best for malware from a security point of view. Why do you insist in detecting and patching only known threats while you can prevent the execution of both known and unknown malware? With host based protection you are able to build white lists to stop the execution of non- authorized software. Stopping exploits that target vulnerabilities is a little bit harder but with proper security controls and the help of a well designed and configured operating system and hardware this is doable to some extent as well. I don't really see myself screaming before the IDS console "Watch out, a spyware is coming through!, I'll get Spybot and I'll clean that machine with really sensitive information. I just hope to react fast enough before something nasty happens". Instead I just could have installed any personal firewall in the market with hIPS capabilities. That kind of controls definitely hava higher chance to stop it (again, even if it was unknown for the IDS by the time it came through). If something goes wrong and the PFW integrated solution does not stop it for some reason (no solution is 100% effective), then I'll have to react and fix, but the same happens with the IDS. Where is the big benefit over hIDS or hIPS then?
3. Participate in the Spyware listening Post. This is layer 3, future detection. This is where folks using the dns blackhole above send the hits that might normaly go to spyware firms to our listening servers. We analyze the urls and binaries requested, and write new snort signatures and follow the trails to find new domains. This makes the process a feedback loop that continues to adjust and improve.
I will with my idea and instead of spending my time on this, I will spend it certifying software to build white lists and maintain better solution in terms of prevention :-)
Check out http://www.bleedingsnort.com for more info on there, and a number of other very interesting tools. I've spoken a few times this summer pitching the process above, and I've gotten back a large number of success stories. And the best part is all of these tools are free. If you can contribute back time or information you discover all the better, but they're here for the long term, and are very effective.
That's nice, and please don't get me wrong, I'm sure that this solution might be better for some companies in terms of the cost. But in terms of the security you get from it absolutely not. There are also several discussions of why rules targeted at specific exploit code and shellcodes are not a good idea, even in Snort vulnerability-based signatures are preferred; I think I've even seen Martin Roesch state that. It is the same principle. Kind regards, Omar Herrera ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor, (continued)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Tim Holman (Oct 14)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor byte_jump (Oct 18)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Frank Knobbe (Oct 18)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Jason (Oct 18)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Jason Haar (Oct 18)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Joel Esler (Oct 19)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Teemu Schaabl (Oct 18)
- RE: IDS and Spywares vipul kumra (Oct 12)
- RE: IDS and Spywares Omar A. Herrera (Oct 13)
- RE: IDS and Spywares Matt Jonkman (Oct 14)
- RE: IDS and Spywares Omar A. Herrera (Oct 14)
- RE: IDS and Spywares Matt Jonkman (Oct 14)
- RE: IDS and Spywares Omar A. Herrera (Oct 14)
- RE: IDS and Spywares Frank Knobbe (Oct 18)
- RE: IDS and Spywares Omar Herrera (Oct 18)
- RE: IDS and Spywares Dhruv Soi (Oct 18)
- RE: IDS and Spywares Frank Knobbe (Oct 18)
- RE: IDS and Spywares Omar A. Herrera (Oct 18)
- RE: IDS and Spywares Omar A. Herrera (Oct 13)
- RE: IDS and Spywares Omar Herrera (Oct 18)