Volume 1, 2002 (hope this is useful to everyone)

Views: 11 | Replies: 3 | 2003-3-27 19:03:00
Intrusion Signatures and Analysis
Authors: Mark Cooper, Matt Fearnow,
Karen Frederick and Stephen Northcutt
Reviewed by Ashley Jelleyman
Volume 1, 2002
It seems certain key buzzwords begin to be heard more and more as they become hot topics in the field. For example, there is a new buzzword in IT audit and security--intrusion detection.
It's all very well, and necessary, to have firewalls in place, but one small error in the rule base can knock some very large bricks out of a firewall. A good set of security policies, underpinned by strong procedures and control frameworks, is effective only if they are followed. Ignore them and the very foundations on which the firewall is built are seriously undermined. So where does this leave the IT professional? Trying to establish whether anyone has actually penetrated electronic defences, and if so, where they have been, what they have done and what they have seen. This is the art of intrusion detection.
Two of the many difficulties for those wanting to perform work in this field are gaining an understanding of what's going on and understanding what all the information on system and network logs is actually telling them, if anything.
What they are looking for is evidence of an intruder, footprints in the sand of the system logs. Each type of intrusion leaves a different set of evidence on the logs, and this evidence is called the intrusion signature. As with a written signature, each intrusion's signature is different and, through analysis, it is possible to establish what the intrusion was, how it was perpetrated and how skilled the intruder was. For example, compare the signatures of a five-year-old, a 12-year-old and a 20-year-old: they show differing styles and maturity.
In much the same way, the electronic signature of an intruder can show his style and maturity. This is one of the most important skills in analysing an intrusion. The risks posed by a "script kiddy" are different from those posed by a technically skilled hacker, and the actions taken to defend against their attacks need to be appropriate.
Another major difficulty is that those who do know what these intrusion signatures mean tend to fall into two groups, and neither is easily persuaded to give up their secrets.
First, there are the commercial concerns that sell software to perform analysis of the logs. They treat their detection techniques and signature information as highly confidential and usually encrypt them within their software. They are unwilling to release information beyond the "detects over x thousand intrusions" that is printed in the magazines.
Second, there are the "techies," who either work for themselves or for a consultancy. They are a tight-knit group that tends to pass information on only by word of mouth and then only to those who are "in the club." Getting membership to that club is not as simple as attending a few courses.
It is, therefore, a pleasure to find a book written by people who not only know what they are doing but also are prepared to share that information. The authors of Intrusion Signatures and Analysis are all highly qualified in their fields with a lifetime of experience amongst them. They have produced a book that holds a wealth of knowledge, which can be used as an in-depth learning tool to help the reader pick out an intrusion signature from amongst the general noise of a system or network log. After the signature has been identified, the book provides excellent advice on how to perform quite sophisticated analyses on the logs. In each chapter there are examples of intrusions, with explanations of how and why, and mini quizzes. These help turn an informative book into an excellent learning resource.
It must be stressed that this is a highly technical book and anyone who is not comfortable looking at system logs, hex dumps and system scripts will struggle. The book assumes a reasonable knowledge of IP networking, though the first chapter does provide a very brief, high-level review of reading log files. Those who are comfortable with the above will find it a useful reference. This book should not be used as a replacement for some of the popular intrusion detection software (IDS) available; rather, it should be a supplement to it--a help to understanding what that software is actually doing and telling you.
It is a good technical reference and an excellent supplement to a book reviewed last year, Hacking Exposed.
Ashley Jelleyman is the network interconnect security manager for British Telecom. Prior to assuming this role with BT Security, he spent over 10 years in systems audit and risk management for a UK-based financial institution and a Big 5 accountancy practice. Ashley began his career in IT in the late 1970s as a systems administrator working on ICL and IBM mainframes.
Editor's Note:
Intrusion Signatures and Analysis is available now from the ISACA Bookstore. For information see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail [email protected] or telephone +1.847.253.1545, ext. 401.
千问 | 2003-3-27 19:03:00
??
千问 | 2003-3-27 19:03:00
???NOT AN Ebook?