IDS mailing list archives
RE: IDS and Spywares
From: Matt Jonkman <matt () infotex com>
Date: Fri, 14 Oct 2005 00:45:48 -0500
On Thu, 2005-10-13 at 18:38 +0100, Omar A. Herrera wrote:
> Hi Matt,
Hey Omar!
> The problem is not related to the capabilities or deficiencies of other security controls. This is a problem of visibility, and if you suggest that a network based security control has better visibility than a host based security control for threats for which most of their characteristics are only visible while running locally on a system (e.g. key loggers, or even simple backdoors that open ports), then I will insist that your view is flawed.
That's definitely true, a host based system has the ability to detect keyloggers, etc. in use. Until the next thing comes along that evades detection, they have to learn about it, and implement things to detect it. Just as we do in IDS and network traffic analysis. But the big thing that all of these malwares have in common, and what they have to do, is either send data they collect somewhere, or take commands from somewhere. And to do this they have to talk to someone, and that's where IDS can see them, and IPS can stop them. No matter what new OS hook, or what they disable or defeat on the host, they still have to get data through the network.
> On the other hand, you can detect and prevent this sort of stuff at the host level (blocking hooking attempts for the keyboard, for example) and the best part of it is that it doesn't matter if it is a completely new or custom made spyware, or trojan, or any other kind of malware where you can install this capability. So, this clearly shows that the visibility (and consequently the identification) of these threats is much better at host level, and whether these controls still have flaws or not does not affect their potential visibility of these threats, which in any case will be much better than any network based security control.
At many levels you can be effective at the host. But inevitably there will be found a way to evade or disable these protections. Likely it'll be defeated by researchers quickly, but it exists. We need layers of security. Hence my comment about a system policing itself. You need outside oversight of any system to ensure it's not compromised. I never implied that HIDS isn't useful or effective. But you can't put your eggs into one basket, especially when that basket is expected to police itself.
> I understand that you might fear putting the protection so close to the system. But if you are that paranoid, then you should keep your IDS and install an hIDS or preferably hIPS right away. But you shouldn't rely solely on a less effective tool for defending against these threats, just because it gives the impression that it will keep threats farther from your critical systems.
That was my point as well. Layers. If you can afford HIDS on all systems, and the load and such isn't an impact, and there is a HIDS for every OS and server you run, then it's a great tool. But nearly any network can afford IDS (Snort is free), and with basic training can implement an effective network-wide control.
> First, a worm has different characteristics from a spyware, so I really don't see your point.
This is a tangent, but you're definitely wrong here. Spyware, worms, viruses, bots, they all use similar methods and code for similar ends. We've recently seen spyware using parts of code from Hacker Defender to evade spyware removers, and just the initials CWS make my point. They'll do anything to make a buck. I don't want to go off on that tangent though. If you'd like another thread on it, that's a good conversation to have. I've argued that spyware is just like a trojan for a long time.
> It is the easiest method to detect and probably block "known" network based attacks only, and it may be the most cost-effective solution for some enterprises. But I totally disagree that this solution is the best for malware from a security point of view.
It's the 80/20 rule. We know about the vast majority of spyware out there (by distribution). Your odds of being hit by a totally unknown spyware package, or a totally unknown worm, are slim. And even if so, it'll be known within hours or days. So a tool that blocks known things IS effective. :)
> Why do you insist on detecting and patching only known threats while you can prevent the execution of both known and unknown malware?
I don't insist. :) IDS catches new and unknown things as well. Layers. IDS is one tool among many others, but an essential tool.
> I don't really see myself screaming before the IDS console "Watch out, a spyware is coming through! I'll get Spybot and I'll clean that machine with really sensitive information. I just hope to react fast enough before something nasty happens".
But how do you know what machine is compromised, and when? IDS will tell you, or prevent it. Can you afford to have a tech at every PC in your enterprise on a regular basis to make sure there's nothing there?
> Instead I just could have installed any personal firewall in the market with hIPS capabilities. That kind of control definitely has a higher chance to stop it (again, even if it was unknown for the IDS by the time it came through). If something goes wrong and the PFW integrated solution does not stop it for some reason (no solution is 100% effective), then I'll have to react and fix, but the same happens with the IDS. Where is the big benefit over hIDS or hIPS then?
It doesn't have to be installed on 10,000 machines in an enterprise, or managed, or licenses purchased for them. Plus, there's more to the net than workstations and spyware. IDS is a full range product for all systems, apps, and OSs.
> That's nice, and please don't get me wrong, I'm sure that this solution might be better for some companies in terms of the cost. But in terms of the security you get from it, absolutely not.
I think you'll get a lot of argument that there is security benefit to IDS/IPS. I'll not go down that road.
> There are also several discussions of why rules targeted at specific exploit code and shellcodes are not a good idea; even in Snort, vulnerability-based signatures are preferred. I think I've even seen Martin Roesch state that. It is the same principle.
Yes, that's true. And that's why there are signatures for specific exploits initially upon discovery, then more research into the actual vulnerability and signatures to detect any violation of norms. And if you're quoting Marty to point out how useless IDS is, you're also going down the wrong road. :)

Matt

--
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
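The exploit-specific versus vulnerability-based signature distinction raised in the last exchange, as an added example that is not part of the original post or of Snort: a constructed toy protocol whose hypothetical server holds a 64-byte username buffer, with one check keyed to a particular payload's bytes and one keyed to the condition that actually triggers the (made-up) bug.

```python
# Added example, not from the mailing-list post. Contrasts an exploit-specific
# signature with a vulnerability-based one over a constructed toy protocol.
import re

# Hypothetical protocol: the client sends "LOGIN <username>\n". Assume (for this
# example only) the server copies the username into a 64-byte buffer unchecked.
MAX_USERNAME = 64

# Exploit-specific signature: keyed to one published payload's marker bytes.
# These are constructed stand-ins for the NOP sled / shellcode a real rule
# would carry; any attacker who changes them slips past this check.
EXPLOIT_MARKER = b"\x90" * 16 + b"\xcc\xcc\xcc\xcc"


def exploit_signature(pkt: bytes) -> bool:
    """Fires only when the known payload's marker bytes are present."""
    return EXPLOIT_MARKER in pkt


def vulnerability_signature(pkt: bytes) -> bool:
    """Fires on any LOGIN whose username is longer than the buffer the server
    can hold, regardless of which bytes the sender chose to put there."""
    m = re.match(rb"LOGIN (?P<user>[^\n]*)\n", pkt)
    return m is not None and len(m.group("user")) > MAX_USERNAME


# Constructed sample traffic: a benign login, the published exploit payload,
# and a trivially re-encoded variant that overflows the same buffer.
SAMPLES = {
    "benign": b"LOGIN alice\n",
    "known": b"LOGIN " + EXPLOIT_MARKER + b"A" * 200 + b"\n",
    "variant": b"LOGIN " + b"B" * 200 + b"\n",
}


def evaluate(samples=SAMPLES):
    """Return {sample name: (exploit_signature hit, vulnerability_signature hit)}."""
    return {name: (exploit_signature(p), vulnerability_signature(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (exp_hit, vuln_hit) in evaluate().items():
        print(f"{name:8s} exploit-sig={exp_hit!s:5s} vuln-sig={vuln_hit}")
```

The "variant" row is the point: the exploit-keyed check misses it while the length-bound check still fires, which is why signatures get rewritten against the vulnerability once it is understood.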