Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Transcription

1 Emerging Threat Intelligence using IDS/IPS Chris Arman Kiloyan

2 Who Am I? Chris AUA Graduate (CS) Thesis : Cyber Deception Automation and Threat Intelligence Evaluation Using IDS Integration with Next-Gen Filesystems and Machine Learning via Kernel Dynamic Tracing Frameworks Super Curious Break,fix and Break it in a different way Penetration tester ;) Previous Security Engineer at Round Table Apps Co-Founder & CISO illuria security

3 Outline Introduction History of IDS IDS HowTO Problems Solutions Emerging Threat Detection Threat Intelligence

4 INTRODUCTION TO IDS

5 What are Intrusion Detection Systems? Definition: It is the unrelenting active attempts in discovering or detecting the presence of intrusive activities. In computer security, it is a software application that monitors a network and systems for malicious activity or policy violations.

6 History grep IDS

7 The First IDS USAF had the problem of securing different domains on the same network Between 1984 and 1986 they researched and developed the first model of a real-time IDS. During this period, the U.S. government funded most of this research. Wheelgroup s Netranger prototyped by USAF and got acquired by CICO in 1988

8 Timeline : First IDS by USAF : Intrusion Detection Preferred Over Prevention The Adoption of IPS, : Adoption of Faster Combined Intrusion Detection and Prevention Systems : Next Generation Intrusion Prevention Systems (IDS/IPS) current : AI based detection systems

9 IDS

10 Types of IDS (Deployment) Host based Intrusion Detection System (HIDS) Network based Intrusion Detection System (NIDS)

11 How to deploy HIDS Pretty straight forward on single solo host machine File systems monitors Logs analysis Network analysis Kernel based detection

12 Advantages/Disadvantages of HIDS Accuracy of attack determination No messy data Difficult for hackers to use defragmentation attacks High resource consumption Lack of visibility Failure of HIPS Difficulty of Multiple deployments (OS/HIPS)

13 How to deploy NIDS NIDS purpose is to monitor the whole subnet Port-mirroring on the switch is mandatory You can have multiple sensors Placement of the sensors affects its efficiency There are mainly 3 possible placements

14 Topology #1 (WAN) Pros : All suspicious attempts are detected Cons : Too much noise and will affect the NIDS performance and flood the alert system

15 Topology #2 (DMZ) Pros: Improves NIDS performance and less noise Cons:Only traffic that passed by the firewall will be visible, not the blocked ones

16 Topology #3 (Inner Network) Pros: Improves NIDS performance and less noise Cons:Only traffic that passed by the firewall will be visible, not the blocked ones

17 Topology #4 (Both #2 & #3) One of the best practices is using multi-zone monitoring (Also depends on your network architecture)

18 Types of IDS (Detection) Signature Based detection model Anomaly detection model

19 Signature Based IDS Comparing network packets payloads and headers with a list of defined signatures No network behaviour is needed to detect attacks Ex : Snort and Suricata

20 Advantages/Disadvantages Efficient at Identifying known attacks Ability to implement your custom signature set Useless against emerging attacks False positives Having a large databases of signatures Dropped Packets

21 Solutions False positive Tuning according to each network Using machine learning algorithms such as SVM and other classification models Continuous training and keeping up to date with the signatures

22 Solutions Large Database dividing the databases into several mobile agents categorize each with most triggered alerts to least place it in different nodes in the network according to each categories characteristic if normal network behavior is known, the other protocol signatures can be disabled to increase efficacy e.g.- your network only using specified protocols

23 Solutions Dropped Packets load balancing method is introduced to decrease the flow of traffic and optimize it Multi threading processors

24 Anomaly Detection Model Detection based on abnormal activity/patterns within the network and application layer Anomaly IDS learns the baseline network behavior Rules can be set

25 Anomaly Detection Model The engine then analyses each protocol and decodes each packet with their payloads, such as : Overlapped IP fragments and misused network protocols, E.g. - running a standard protocol on a stealthy port (SSH hidden on port 53 - DNS) A large number of UDP packets against TCP (abnormal traffic patterns) Suspicious patterns on the application layer.

26 Advantages/Disadvantages Detects Emerging attacks Low false positives Takes time to define normal behaviour of the network Setting rules and thresholds are challenging Slow in the begging Requires large amount of data

27 Emerging Threat Detection

28 You are under attack as you are listening Knowing what types of threats exist is no longer enough By the time most new cyber threats are discovered, they have already damaged your network, your business and, potentially, your customers. The time gap between compromising and discovering is getting wider through the years

29 The Main Challenges The challenge is to identify attacks and understand how they develop in real-time by analysing and correlating the subtle signs of compromise that an insider makes when they infiltrate the network. APT Worm/Trojans Malware New Exploits Zero Days Ransomware etc

30 How to Detect Emerging Threats Some techniques and technology that would help in Detection Emerging Threats Honeypots & Decoy servers Sandboxes Sinkholes and Reverse Proxies Intelligent and distributed IDS

31 Honeypots & Decoy Servers Honeypots are production servers replicas VMs/containers Containing dummy Data Placed within the infrastructure (DMZ/Internal) Any attack to the honeypot guarantees and real threat detection Honeypots provides insights about the attackers techniques, tools and even exploits they are using

32 Sandboxes It is placed within the infrastructure in very isolated segment of the network Where untrusted application and executions are run in This is a very efficient way of detecting malwares and ransomware

33 Sinkholes Sinkholing is a technique for manipulating data flow in a network There are two ways of using it Either blocking this connection Turn the sinkhole to a getaway and MITM the attacker

34 Where does IDS play a role? As we can see all these techniques and technologies depends on detecting the early stages of attacks and then alerting the system to take actions such as : redirection to Honeypots, Sandboxes and sinkholes Alerting the Security Operation Center(SOC) for quick incident response

35 Threat Intelligence

36 The main Challenges for CISOs Increase in log and alerts size False Positive/False Negative Detect and Patch Alert identification Script kiddies Generic Malware APT etc

37 What is Threat Intelligence? Risk = ƒ(threat, Vulnerability, Asset Value) Threat = ƒ(capability, Motivation) Capability = ƒ(skills, Tools, Resources, Techniques) Threat intelligence = Awareness of Capability function

38 Types of Threat Intelligence Strategic Tactical Reports by humans Humans/Machine Where/From/ Reason/Purpose System/Network level Helps Helps Determine Risk Finding technical solutions Decisions How to act Long period of validity (days-month) Valid for couple of hours or days

39 Types of Threat Intelligence TI Data Phishing urls TOR nodes IPs IRC Pastebin BOT Malware File hashes Compromised web servers Many more Sources AV vendors Online community Honeypots Sinkholes Sandboxes Crawlers Research Labs Reverse Engineering Social Media Many more

40 Use cases of Threat Intelligence Detecting and Preventing know attacks (creating rules and signatures for IDS/IPS) Alert Evaluation and Prioritization Incident response => Clean up => Post-Mortem Risk Assessments and Analytics ( Reports by vendors and partners) Comparing the new data with the historical data to identify and uncover unknown attacks Forensics

41 Implementation of Threat Intelligence 1. Identifying assets 2. Business requirements and priorities 3. Use cases (Detect fraud? APT? or for risk managements?) 4. Define the architecture 5. Evaluation Criteria (Type of data, coverage, response time, classification) 6. Starting the whole process(automate) 7. Integrate with other security infrastructures (sharing data) 8. Define Incident Response Team 9. Gradually expand the scope

42 Thank You for listening!!