IDS mailing list archives

RE: IDS and Spywares


From: Matt Jonkman <matt () infotex com>
Date: Fri, 14 Oct 2005 00:45:48 -0500

On Thu, 2005-10-13 at 18:38 +0100, Omar A. Herrera wrote:
> Hi Matt,

Hey Omar!

> The problem is not related to the capabilities or deficiencies of other
> security controls. This is a problem of visibility, and if you suggest that
> a network based security control has better visibility than a host based
> security control for threats for which most of their characteristics are
> only visible while running locally on a system (e.g. key loggers, or even
> simple backdoors that open ports), then I will insist that your view is
> flawed.

That's definitely true, a host based system has the ability to detect
keyloggers, etc. in use. Until the next thing comes along that evades
detection, they have to learn about it, and implement things to detect
it. Just as we do in IDS and network traffic analysis.

But the big thing that all of these malwares have in common, and what
they have to do, is either send data they collect somewhere, or take
commands from somewhere. And to do this they have to talk to someone,
and that's where IDS can see them, and IPS can stop them. No matter what
new OS hook, or what they disable or defeat on the host, they still have
to get data through the network. 


> On the other hand, you can detect and prevent this sort of stuff at the host
> level (blocking hooking attempts for the keyboard, for example) and the best
> part of it is that it doesn't matter if it is a completely new or custom
> made spyware, or trojan, or any other kind of malware where you can install
> this capability. So, this clearly shows that the visibility (and
> consequently the identification) of these threats is much better at host
> level, and whether these controls still have flaws or not does not affect
> their potential visibility of these threats, which in any case will be much
> better than any network based security control.

At many levels you can be effective at the host. But inevitably there
will be found a way to evade or disable these protections. Likely it'll
be defeated by researchers quickly, but it exists. We need layers of
security. Hence my comment about a system policing itself. You need
outside oversight of any system to ensure it's not compromised. 

I never implied that HIDS isn't useful or effective. But you can't put
your eggs into one basket, especially when that basket is expected to
police itself. 


> I understand that you might fear putting the protection so close to the
> system. But if you are that paranoid, then you should keep your IDS and
> install an hIDS or preferably hIPS right away. But you shouldn't rely
> solely on a less effective tool for defending against these threats, just
> because it gives the impression that it will keep threats farther from your
> critical systems.

That was my point as well. Layers. If you can afford HIDS on all
systems, and the load and such isn't an impact, and there is a HIDS for
every OS and server you run, then it's a great tool. But nearly any
network can afford IDS (Snort is free), and with basic training can
implement an effective network-wide control. 


> First, a worm has different characteristics from a spyware, so I really
> don't see your point.

This is a tangent, but you're definitely wrong here. Spyware, worms,
viruses, bots, they all use similar methods and code for similar ends.
We've recently seen spyware using parts of code from hacker defender to
evade spyware removers, and just the initials CWS make my point. They'll
do anything to make a buck. 

I don't want to go off on that tangent though. If you'd like another
thread on it that's a good conversation to have. I've argued that
spyware is just like a trojan for a long time.


> It is the easiest method to detect and probably block "known" network based
> attacks only, and it may be the most cost-effective solution for some
> enterprises. But I totally disagree that this solution is the best for
> malware from a security point of view. 

It's the 80/20 rule. We know about the vast majority of spyware out there
(by distribution). Your odds of being hit by a totally unknown spyware
package, or a totally unknown worm are slim. And even if so it'll be
known within hours or days. So a tool that blocks known things IS
effective. :)


> Why do you insist on detecting and patching only known threats while you can
> prevent the execution of both known and unknown malware?

I don't insist. :) IDS catches new and unknown things as well. Layers.
IDS is one tool among many others, but an essential tool.


> I don't really see myself screaming before the IDS console "Watch out, a
> spyware is coming through! I'll get Spybot and I'll clean that machine with
> really sensitive information. I just hope to react fast enough before
> something nasty happens".


But how do you know what machine is compromised, and when? IDS will tell
you, or prevent it. Can you afford to have a tech at every pc in your
enterprise on a regular basis to make sure there's nothing there?

> Instead I just could have installed any personal firewall in the market with
> hIPS capabilities. That kind of control definitely has a higher chance to
> stop it (again, even if it was unknown for the IDS by the time it came
> through). If something goes wrong and the PFW integrated solution does not
> stop it for some reason (no solution is 100% effective), then I'll have to
> react and fix, but the same happens with the IDS. Where is the big benefit
> over hIDS or hIPS then? 

It doesn't have to be installed on 10,000 machines in an enterprise, or
managed, or licenses purchased for them. Plus, there's more to the net
than workstations and spyware. IDS is a full range product for all
systems, apps, and OSs.

> That's nice, and please don't get me wrong, I'm sure that this solution
> might be better for some companies in terms of the cost. But in terms of the
> security you get from it absolutely not. 


I think you'll get a lot of argument that there is security benefit to
IDS/IPS. I'll not go down that road.

> There are also several discussions of why rules targeted at specific exploit
> code and shellcodes are not a good idea; even in Snort, vulnerability-based
> signatures are preferred; I think I've even seen Martin Roesch state that.
> It is the same principle. 


Yes, that's true. And why there are signatures for specific exploits
initially upon discovery, then more research into the actual
vulnerability and signatures to detect any violation of norms. And if
you're quoting Marty to point out how useless IDS is, you're also going
down the wrong road. :)

Matt

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
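An added example, not code from this thread, Snort, or Infotex, illustrating Matt's point that malware which collects data or takes commands has to talk to someone on the network: a minimal heuristic that scans outbound flow records for a host calling the same external endpoint at near-constant intervals. The flow records and the thresholds (min_flows, max_cv) are constructed for the example.

```python
# Added example: network-side detection of regular outbound callbacks.
# Input is a list of constructed flow records; nothing here is from the thread.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch seconds, src_ip, dst_ip, dst_port, bytes_out)
# 10.0.0.5 calls one endpoint every 30 s; 10.0.0.7 browses irregularly.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.9", 80, 410),
    (1030, "10.0.0.5", "203.0.113.9", 80, 408),
    (1060, "10.0.0.5", "203.0.113.9", 80, 415),
    (1090, "10.0.0.5", "203.0.113.9", 80, 411),
    (1120, "10.0.0.5", "203.0.113.9", 80, 409),
    (1005, "10.0.0.7", "198.51.100.20", 443, 2200),
    (1400, "10.0.0.7", "198.51.100.20", 443, 9100),
    (1450, "10.0.0.7", "198.51.100.21", 443, 700),
    (1900, "10.0.0.7", "198.51.100.20", 443, 3100),
]


def find_beacons(flows, min_flows=4, max_cv=0.2):
    """Return (src, dst, port, mean_interval) for every (src, dst, port)
    pair with at least min_flows flows whose inter-arrival times are nearly
    constant, i.e. coefficient of variation (stddev / mean) <= max_cv.
    Thresholds are assumed values for the example, not tuned defaults."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, port, avg))
    return hits


if __name__ == "__main__":
    for src, dst, port, avg in find_beacons(FLOWS):
        print(f"{src} -> {dst}:{port} every ~{avg:.0f}s (regular callback)")
```

On the sample data only the 10.0.0.5 pair is reported; the heuristic sees the callback pattern without any knowledge of what runs on the host.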



