
Intrusion Detection - The Big Picture – SANS GIAC
©2000, 2001
Intrusion Detection
The Big Picture – Part V
Stephen Northcutt
Intrusion Detection Roadmap - 3
What are the pieces and how they play together
• Vulnerability Scanners
• Response, automated and manual
– Manual Response
• Emergency Action Plan, 7 Deadly Sins
• Evidence preservation - Chain of Custody
• Threat Briefing - Know Your Enemy
– Ankle Biters
– Journeyman Hackers/ Espionage
– Cyberwar Scenario
In the next section, we are going to talk about vulnerability scanners and assessment tools, which
are one of the best ways to rapidly assess your security. They are hard to break down into functional
classifications the way we did with firewalls (proxies, packet filtering, and stateful inspection). Perhaps
the most logical breakdown is commercial tools, like ISS and NAI, versus free, source-code tools, like
nmap and Nessus. Another breakdown is system scanners, which run as a program on the host to inspect the
operating system configuration, versus network scanners, which probe across the network. There are
also tools that scan telephone lines for active modems. For this course, we are focused on the
network-based scanning tools and telephone scanners since they are the most applicable to

positives that have to be investigated manually. Before you plunk your money down, there are four
things you really want to consider:
• How is the product licensed? Is this flexible enough for your planned growth? Can it be
upgraded easily?
• How interoperable is the product? Is it fully Common Vulnerabilities and Exposures
(CVE) compliant?
• Can you easily compare the results of a scan today with the results of one four weeks ago,
or is this a manual process?
• Does your manager like the report output!
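The third question on that list, comparing today's scan with the one from four weeks ago, is only a manual job if the reports cannot be keyed on something stable. The following added example (not from the SANS course or any vendor's product) shows why CVE compliance matters for it: the two reports are assumed to be CSV exports with host, CVE id and severity columns, and the hosts and CVE identifiers are constructed placeholders, not real findings. Keyed on (host, CVE), the comparison sorts every finding into new, fixed, still open, or rescored, and produces a short summary of the kind a manager is likely to read.

```python
"""Compare two vulnerability scan exports (added example, not from the SANS course).

Assumes the scanner exports CVE-compliant findings as CSV with the columns
host,cve,severity. The hosts and CVE identifiers below are constructed
placeholders, not real findings.
"""
import csv
import io

# Constructed sample exports: the scan from four weeks ago and today's scan.
BASELINE_REPORT = """\
host,cve,severity
10.0.0.5,CVE-0000-0001,high
10.0.0.5,CVE-0000-0002,medium
10.0.0.9,CVE-0000-0003,low
"""

CURRENT_REPORT = """\
host,cve,severity
10.0.0.5,CVE-0000-0002,high
10.0.0.9,CVE-0000-0003,low
10.0.0.9,CVE-0000-0004,high
10.0.0.12,CVE-0000-0001,high
"""


def parse_report(text):
    """Return {(host, cve): severity}; CVE ids are normalised to upper case.

    Keying on the CVE name (rather than a vendor plugin id) is what makes two
    reports, or two different scanners, comparable at all.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"].strip(), row["cve"].strip().upper())
        findings[key] = row["severity"].strip().lower()
    return findings


def diff_reports(baseline_text, current_text):
    """Classify every (host, cve) pair as new, fixed, persisting or rescored."""
    baseline = parse_report(baseline_text)
    current = parse_report(current_text)
    in_both = set(baseline) & set(current)
    return {
        # New findings carry today's severity so they can be triaged directly.
        "new": sorted((h, c, current[(h, c)])
                      for (h, c) in set(current) - set(baseline)),
        "fixed": sorted(set(baseline) - set(current)),
        "persisting": sorted(k for k in in_both if baseline[k] == current[k]),
        # Same finding, different rating: usually a scanner-side change, not a
        # change on the host, and worth a second look before it is accepted.
        "rescored": sorted((h, c, baseline[(h, c)], current[(h, c)])
                           for (h, c) in in_both
                           if baseline[(h, c)] != current[(h, c)]),
    }


def hosts_with_new_findings(diff, severity="high"):
    """Hosts that picked up at least one new finding of the given severity."""
    return sorted({host for host, _cve, sev in diff["new"] if sev == severity})


def format_summary(diff):
    """Short plain-text summary suitable for a management report."""
    lines = [
        f"New findings:       {len(diff['new'])}",
        f"Fixed since last:   {len(diff['fixed'])}",
        f"Still open:         {len(diff['persisting'])}",
        f"Rescored:           {len(diff['rescored'])}",
    ]
    for host, cve, sev in diff["new"]:
        lines.append(f"  NEW   {host:<12} {cve} ({sev})")
    for host, cve in diff["fixed"]:
        lines.append(f"  FIXED {host:<12} {cve}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(diff_reports(BASELINE_REPORT, CURRENT_REPORT)))
```

The "rescored" bucket is deliberately kept separate from "persisting": a finding whose severity changed between runs usually reflects a scanner update rather than a change on the host, and silently folding it into either bucket hides exactly the kind of drift a four-week comparison is meant to surface.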
SARA (Security Auditor’s Research Assistant)
• Where to get it
– http://www-arc.com/sara/index.shtml
• What does it do?
– Vulnerability scanner, web-based interface, based on SATAN, community-donated modules
– Has some capability to determine probable trust relationships
SARA is a follow-on to SAINT, which was a follow-on to SATAN. It runs pretty well and is worth
trying if you are in a Unix shop. Though it is pretty safe as scanners go, be sure to test it in a lab,
or off-hours on a non-critical network, before unleashing it on your production network. It is fairly lightweight
compared to other products, but may be a great way to get started.

Phone Scanning for Vulnerability Detection
• Response for successful intrusion detection is not clear.
– Defensive posture is difficult to maintain.
– Generally not criminal to call phone numbers.
• Intrusion detection may not be possible.
• Scanning works - attackers use it!
• Threat of scanning acts as a deterrent.
Special thanks to Simson Garfinkel and the folks at Sandstorm (www.sandstorm.net) for the
permission to use the PhoneSweep slides.
We said firewalls are not perfect, but when they fail it is more likely because of what
the folks on the inside do than because the firewall has a technical problem. We already talked
about users bringing up services on ports that are expected to be open for other reasons. Various
multimedia programs such as Napster and Gnutella make it easy to get files through a site’s defenses,
and there are manuals on how to do this on the Internet. One other way that users can cause firewalls
to fail is by hooking their system up to a modem.
Next Sunday, take a minute to do some research. Pull the color ads in your area for the consumer
electronics stores such as Circuit City and the like. Check out the computers. What do they all have?
War Dialers
• Used by attackers

they may be able to help you. Be aware that Heating, Ventilation, and Cooling (HVAC; some folks
say Heating, Ventilation, Air Conditioning) and alarm systems may be active on your phone system,
and these numbers should be avoided. ToneLoc and most other scanners allow you to exclude number
ranges.
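The exclusion ranges are the part of a telephone scan that most deserves a second check before anything is dialed, because a missed HVAC controller or alarm dialer is an outage, not a finding. The following added example (not code from the SANS course, ToneLoc or PhoneSweep) is a small scope guard that expands number masks, using the common dialer convention of digits plus X as a wildcard digit, subtracts the protected ranges from the authorized block, and refuses any number that falls outside the result. The exchange and the protected ranges are constructed placeholders; `DialScope` and `expand_mask` are names chosen here.

```python
"""Scope guard for an authorised telephone scan (added example, not from the
SANS course, ToneLoc or PhoneSweep).

Masks use digits plus 'X' as a wildcard digit, so 555-01XX covers
555-0100 through 555-0199. The exchange and the protected ranges below are
constructed placeholders.
"""
import itertools


def expand_mask(mask):
    """Return the set of concrete numbers a mask covers (dashes/spaces ignored)."""
    digits = mask.replace("-", "").replace(" ", "")
    if not digits or not all(ch.isdigit() or ch.upper() == "X" for ch in digits):
        raise ValueError(f"bad mask: {mask!r}")
    wild = [i for i, ch in enumerate(digits) if ch.upper() == "X"]
    numbers = set()
    for combo in itertools.product("0123456789", repeat=len(wild)):
        chars = list(digits)
        for pos, digit in zip(wild, combo):
            chars[pos] = digit
        numbers.add("".join(chars))
    return numbers


class DialScope:
    """Authorized block minus protected ranges; everything else is refused."""

    def __init__(self, authorized_masks, protected_masks):
        self.authorized = set().union(*(expand_mask(m) for m in authorized_masks))
        self.protected = set().union(*(expand_mask(m) for m in protected_masks))

    def in_scope(self, number):
        """True only if the number is inside the authorized block and not protected."""
        n = number.replace("-", "").replace(" ", "")
        return n in self.authorized and n not in self.protected

    def dial_list(self):
        """Sorted list of numbers the scan is allowed to touch."""
        return sorted(self.authorized - self.protected)

    def rejected(self, requested):
        """Numbers from a requested list that the guard would refuse to dial."""
        return [n for n in requested if not self.in_scope(n)]


# Constructed example: one authorized exchange block, with the HVAC controller
# block (555-014X) and the alarm dialer (555-0199) carved out.
EXAMPLE_SCOPE = DialScope(
    authorized_masks=["555-01XX"],
    protected_masks=["555-014X", "555-0199"],
)

if __name__ == "__main__":
    print(len(EXAMPLE_SCOPE.dial_list()), "numbers in scope")
    print("refused:", EXAMPLE_SCOPE.rejected(["555-0100", "555-0142", "555-0200"]))
```

Note the guard is positive: a number must be inside an authorized mask to pass, so a typo that widens a target mask to the next exchange is caught by the authorization list rather than relying on the exclusion list being complete.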
PhoneSweep: Commercial Scanner
• A Telephone Scanner, not a War Dialer
– 4 modems
– System ID
– Penetration
– Repeatable scans
– 80+ page manual
– Supported
Many organizations are uncomfortable using hacker code to attack their own sites because of the risk
of embedded malicious code. Also, the documentation on some underground code is not the best.
Technical support can be dicey from hacker locations. These are some of the factors that cause some
organizations to prefer commercial software with phone support, printed manuals…and someone to
sue if things go wrong.
Select Modems
An example of a commercial scanner is PhoneSweep shown on this slide. Notice that it can run
multiple modems in parallel; it turns out that phone scanning is really slow!

How to Do a Vulnerability Scan
• Get permission, explain what you are doing, “finding our vulnerabilities before attackers do”
• Put out the word ahead of time, publish your phone number; people don’t like surprises
We will close this section with a discussion of the general principles of scanning. Note well,
vulnerability scanning can be hazardous to your career. The difference between a hacker and a
penetration tester is permission! Be certain that you have it. If you are just starting a scanning
program in your organization, you probably want written permission.
Things can go very wrong when you are scanning. I have crashed a number of systems - I’ve
already mentioned the mockup of a Navy warship – and my friend John Green has a whole Navy
base to his credit! We both did this with simple vulnerability assessment tools. People will be a lot
more forgiving if you warn them ahead of time and make sure it is easy for them to find you. If you
are not in the office or people do not know how to contact you, then you could create a serious
problem for your organization and therefore yourself.
How to Do a Scan (2)
• Click target selection, choose a system, tell it to expand to the subnet
• Heavy scan, but do not allow Denial of Service scan (at least at first)
• Only scan when you are in the

you know the tool very well
In the previous example, it isn’t that you were wrong when you went to management and told them
they were vulnerable. The problem is that attackers often leave a low footprint - you can be
compromised and not realize it.
Anyway, to summarize this section, a vulnerability scanner is a great way to find many of the holes
that external and internal attackers would exploit, given the opportunity. However, scanners are
prone to false positives and can break things. Be conservative; start the tool at low power and run it
on a low number of systems until you are very familiar with its effects.

