Transcript Analyzing the Effectiveness of Intrusion Detection Systems

Analyzing the
Effectiveness of
Intrusion Detection
Systems
BY: DILLON KORMAN
Introduction
• A Network Intrusion Detection System (NIDS) is a device or
application that monitors network traffic to detect and report
suspicious or malicious network activity.
• Intrusion detection systems are used by many medium to large
enterprises to identify attacks and possible security breaches.
• Sensors can be placed outside of the firewall to see external
threats or inside the firewall to view internal traffic.
• They can be helpful in detecting many types of threats, but can
be ineffective against advanced or targeted attacks.
• With the move to detection and response, rather than just
focusing on prevention, both open source and commercial
intrusion detections systems are becoming more widespread.
Hypothesis
• To identify the effectiveness of intrusion detection systems, I
hypothesize that an attacker will be able to compromise a
network and exfiltrate sensitive data while avoiding most
intrusion detection system alerts.
Materials
• Windows 2012 physical server with VirtualBox to host VMs, five
Windows 7 SP1 Professional VMs, Windows Server 2008 R2
Standard VM, Ubuntu 12.04 VM, Kali Linux 1.09a VM, Security
Onion 12.04 VM (Snort, Suricata, Bro), various software tools to
attack (Cobalt Strike with Metasploit Framework, nmap, VeilEvasion, Mimikatz, Incognito, sendEmail, etc.), and various
software attacked (Internet Explorer, Firefox, Flash, Java, etc.). All
VMs are 64-bit.
Procedures
1. Design a simple network with largely default settings, but
introduce vulnerabilities to allow for the analysis of the
intrusion detection system.
2. Compromise the entire network and exfiltrate data with
various attack vectors using traditional techniques.
3. Determine where the intrusion detection system
recognized malicious traffic.
4. Compromise the entire network and exfiltrate data with
various attack vectors using techniques, processes, or
tools designed to evade the intrusion detection system or
mitigate its effectiveness.
Observations
• The experiment tested two sets of attacks- one using traditional
tradecraft and another using techniques, tools, or processes
designed to evade the alerts the attack set generated.
• The attacks were modeled after both generic and targeted attacks
and leveraged common vulnerabilities and misconfigurations.
• Both sets of attacks gained full access to all systems and exfiltrated
sensitive data like documents, databases, and source code.
• My hypothesis was correct as the second set of attacks evaded
nearly all alerts and would be difficult or time consuming to detect.
• The IDSs (mainly Snort & Suricata) were very effective in detecting
much in the first set of attacks, but showed their weaknesses when
faced against encryption and stealthier techniques.
Discussion
• This experiment shows the weaknesses that intrusion
detection systems have and how to exploit them.
• There is a cat and mouse game between intrusion detection
signatures and techniques to bypass them.
• Intrusion detections systems should still be deployed as they
can still detect many attacks and even a careful attacker
would only have to mess up once for an alert to be generated.
• One must understand the limitations of an intrusion
detection system and must not rely on it for total detection.
• Security is a process and defense in depth, or the use of layers
of defense, must be practiced to be truly effective against the
prevention and detection of attacks.
Further Research
• Determine the effectiveness of more types of network security
products like intrusion prevention systems, next generation
firewalls, and data loss prevention systems.
• Test different vendors, signature rulesets, and configuration
settings to see what provides the optimal level of defense.
• Explore different attack vectors and scenarios like spear phishing,
password reuse, remotely exploitable services and web
applications, watering hole attacks, and misconfiguration.
• Identify if behavior-based intrusion detection systems are
effective and accurate in an enterprise network environment.
• Attempt to decrypt encrypted network traffic or find specific
indicators of malware’s implementation of common encryption
standards, such as SSL/TLS.
Contrasting Attack Sets
B A SIC
A DVA N C E D
• Used attached executable in
email or link to exploit site.
• Link to encrypted site hosting
executable or exploit.
• Malware used normal TCP
connection for C2 traffic.
• Malware used encrypted HTTPS
on port 443 for C2 traffic.
• No enumeration of potentially
valuable data on workstations.
• Found login credentials via
saved password in web browser.
• Data exfiltration was through
unencrypted SMB Samba share.
• Data exfiltration was through
HTTPS sessions or SSH/SCP.
• Overt scanning and brute
forcing of SSH service.
• Focused scanning and leveraged
previous credentials for login.
Receiving Shell
Sending Email
Shortening URL
Email in Target’s Inbox
ARP Scanning
Privilege Escalation
Process Migration
Initial Pass the Hash
Hashdump
Pass the Hash Across Workstations
Incognito and Mimikatz
DC Data Exfiltration
Ubuntu Data Exfiltration
All screenshots, graphs, and tables
were prepared by the student researcher.
Data
Basic Attack Alerts
Attack Alerts
• Low
5, Low
Low
10, High
Medium
2, Medium
• Five low level alerts for accessing
administrative shares during pass the hash.
High
• Medium
• One medium alert for nmap scan.
• One medium alert for SSH brute forcing.
Advanced Attack Alerts
• High
• One high alert for initial client side exploit.
• One high alert for initial payload.
• One high alert for privilege escalation
payload.
• Five high alerts for pass the hash payloads.
• One high alert for nmap scan.
• One high alert for SSH brute forcing.
5, Low
Low
Results
Attack
Basic Detection
Advanced Detection
Defensibility
Purpose
Internet Explorer Exploit
High
None
Easy
Initial Compromise
Adobe Flash Exploit
High
None
Easy
Initial Compromise
Java Exploit
High
None
Easy
Initial Compromise
Java Signed Applet
High
None
Medium
Initial Compromise
Firefox Exploit
High
None
Easy
Initial Compromise
Firefox Add-on
Medium
None
Medium
Initial Compromise
Malicious Executable
High
None
Medium
Initial Compromise
Excel Macro
None
None
Medium
Initial Compromise
Meterpreter
High
None
Difficult
Command and Control
ARP Scan
None
None
Difficult
Enumeration
Pass the Hash
Low
Low
Easy
Lateral Movement
Domain Controller Exfiltration
None
None
Difficult
Data Exfiltration
Nmap Scan
High
None
Medium
Enumeration
SSH Entry
High
None
Easy
Lateral Movement
Ubuntu Server Exfiltration
None
None
Difficult
Data Exfiltration
Squert Interface with Snort
Potential Pass the Hash Alert
Odd Ports
in Bro
Software
in Bro
Pass the Hash in Bro
Phishing Email in Bro
Title
Data
Results
Compromise
Screenshot
Introduction
Squert
Screenshot
Bro IDS
Activity
Screenshots
Escalate
Screenshot
Hypothesis
Materials
Observations
Discussion
PTH
Screenshot
Procedures
Attacks
Contrast
Further
Research
Exfiltration
Screenshot