RE: IDS and Spywares

["Omar A. Herrera" <omar.herrera () oissg org>]

Hi Matt,

> -----Original Message-----
> From: Matt Jonkman [mailto:matt () infotex com]
> Sent: Thursday, October 13, 2005 4:08 PM
> To: Omar A. Herrera
> Cc: focus-ids () securityfocus com; 'vipul kumra'; dhruv_ymca () yahoo com;
> neelabhsharma1 () gmail com
> Subject: RE: IDS and Spywares
>
> I strongly disagree that IDS is not effective with spyware. I grant that
> hids is a good thing. But maybe I'm from the old school of thought, that
> you can't trust any system to police itself. That system is corruptable,
> and thus needs outside oversight. Security 101.

The problem is not related to the capabilities or deficiencies of other
security controls. This is a problem of visibility, and if you suggest that
a network based security control has better visibility than a host based
security control for threats for which most of their characteristics are
only visible while running locally on a system (e.g. key loggers, or even
simple backdoors that open ports), then I will insist that your view is
flawed.

If you know of an IDS that is capable of analyzing "any" stream of bits,
identifying within that stream that there is an executable code of some
kind, and then even be able to tell me that that particular piece of code
contains a keylogger of some sort, then I will definitely buy your idea
right way.

On the other hand, you can detect and prevent this sort of stuff at the host
level (blocking hooking attempts for the keyboard, for example) and the best
part of it is that it doesn't matter if it is a completely new or custom
made spyware, or trojan, or any other kind of malware where you can install
this capability. So, this clearly shows that the visibility (and
consequently the identification) of these threats is much better at host
level, and whether these controls have still flaws or not does not affect
their potential visibility of these threats, which in any case will be much
better than any network based security control.

I understand that you might fear putting the protection so close to the
system. But if you are that paranoid, then you should keep your IDS and
install and hIDS or preferably hIPS right away. But you shouldn't rely
solely on a less effective tool for defending against these threats, just
because it gives the impression that it will keep threats farther from your
critical systems.
 
> That is exemplified by the number of worms that kill AV on their
> victims, or alter hosts files so they can't get new dats, etc. The
> victim sits there warm and fuzzy because they paid the 40 dollar
> Symantec tax, and they're blasting spam to the world, none the wiser.
> The code to do these things is easil available, and surely will be used
> by spyware once they feel a hit to their pocketbook. If there's money to
> be made they'll do it.

First, a worm has different characteristics from a spyware, so I really
don't see your point. Of course nIDS and nIPS are best suited to deal with
worms because their attack vector is related to the network (they exploit
vulnerabilities of network services to propagate). But not all spyware do
the same (i.e. you won't be lucky enough to see spyware exploiting
vulnerabilities in some web browsers all the time), and you also have all
other types of malware that also don't. Furthermore, your IDS might still
sit clueless while your user visits that web page using SSL and gets
infected, or simply uses some P2P encrypted channel for sharing some files
with his friends that happen to contain spyware.

> Network based detection and BLOCKING is the most effective way I've seen
> to find and deal with spyware in a large network environment. But it's
> one tool in the toolbox. Once you detect with IDS you have to clean with
> spybot, adaware, etc. It's critical that both tools stay effective.

It is the easiest method to detect and probably block "known" network based
attacks only, and it may be the most cost-effective solution for some
enterprises. But I totally disagree that this solution is the best for
malware from a security point of view. 

Why do you insist in detecting and patching only known threats while you can
prevent the execution of both known and unknown malware? With host based
protection you are able to build white lists to stop the execution of non-
authorized software. Stopping exploits that target vulnerabilities is a
little bit harder but with proper security controls and the help of a well
designed and configured operating system and hardware this is doable to some
extent as well.

I don't really see myself screaming before the IDS console "Watch out, a
spyware is coming through!, I'll get Spybot and I'll clean that machine with
really sensitive information. I just hope to react fast enough before
something nasty happens".

Instead I just could have installed any personal firewall in the market with
hIPS capabilities. That kind of controls definitely hava higher chance to
stop it (again, even if it was unknown for the IDS by the time it came
through). If something goes wrong and the PFW integrated solution does not
stop it for some reason (no solution is 100% effective), then I'll have to
react and fix, but the same happens with the IDS. Where is the big benefit
over hIDS or hIPS then? 

> 3. Participate in the Spyware listening Post. This is layer 3, future
> detection. This is where folks using the dns blackhole above send the
> hits that might normaly go to spyware firms to our listening servers. We
> analyze the urls and binaries requested, and write new snort signatures
> and follow the trails to find new domains. This makes the process a
> feedback loop that continues to adjust and improve.

I will with my idea and instead of spending my time on this, I will spend it
certifying software to build white lists and maintain better solution in
terms of prevention :-)

> Check out http://www.bleedingsnort.com for more info on there, and a
> number of other very interesting tools.
>
> I've spoken a few times this summer pitching the process above, and I've
> gotten back a large number of success stories. And the best part is all
> of these tools are free. If you can contribute back time or information
> you discover all the better, but they're here for the long term, and are
> very effective.

That's nice, and please don't get me wrong, I'm sure that this solution
might be better for some companies in terms of the cost. But in terms of the
security you get from it absolutely not. 

There are also several discussions of why rules targeted at specific exploit
code and shellcodes are not a good idea, even in Snort vulnerability-based
signatures are preferred; I think I've even seen Martin Roesch state that.
It is the same principle. 

Kind regards,

Omar Herrera



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------