Intrusion Detection - The Big Picture – SANS GIAC
©2000, 2001
Intrusion Detection
The Big Picture – Part VI
Stephen Northcutt
Intrusion Detection Roadmap
What are the pieces and how they play together
• Honeypots
• Firewalls
– Proxy, State Aware, Filtering Routers
• Risk Assessment and Auditing
– Introduction to Risk Management
– Knowledge-Based Risk Assessment
– Online Auditing Tools
Seven Most Important Things to Do if Security Matters
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
The Three Risk Choices
• Accept the risk as is
• Mitigate or reduce the risk
• Transfer the risk (insurance model)
Whether or not we choose explicitly, we have exactly three options, and we do choose among them: acceptance, mitigation, and transference.
When we accept the risk, we make no changes in policy or process. This decision means that we judge the risk of a given threat to be inconsequential in the greater scheme of things.
If we feel the threat is significant and could cause harm to our business or enterprise, then we have the option of taking action to protect operations by reducing the risk. A firewall or a system patch is an obvious example of risk mitigation.
Transferring the risk is sometimes a workable technique. The classic example is to buy insurance. This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real-world example of this is hacker insurance. The insurance company still expects you to have a firewall and patches, but insures you should these fail.
Risk Management Questions
• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact of threat)
• How often could it happen? (frequency of threat - annualized)
Risk Requires Uncertainty
If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn’t risky; it is suicide. For such an action there is a 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive.
Probability ranges between 0.0 and 1.0, though people often express it as a percentage.
Jumping out of an airplane with a parachute involves risk. If you were to try the James Bond stunt of jumping out of an airplane without a chute, you would be committing suicide, but you wouldn’t be doing anything risky. Risk involves uncertainty. Let’s tie this back to the information assurance world.
If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the perimeter, it is certainly going to be compromised. It might not happen in a single day, but it will happen over the course of a year. In the same way that gravity is the compelling reason jumping from a plane sans chute is near-certain death, the continuous probing and poking of exposed systems on the Internet is the compelling reason the box will be compromised. So what? How bad can a compromise be? Well, once they compromise the box they have the ability to manipulate your organization’s trust model. If you have valuable assets, that may well be what happens. Or they may just create weird system domains and hit systems all over the Internet, giving your organization a bad name.
What is an Unacceptable Risk?
• You can define the threat.
• If it happened, it would be bad. (high impact)
information resource asset. Example: a company’s top salesman accounts for 25% of their $40 million in revenue, or $10 million. His client contact list and fee schedule are stored on his laptop and are not encrypted. If they fell into the wrong hands they would be worth at least 10% of their value to the competition ($1 million) and possibly more if the competition can finesse the information. So we find we can calculate a minimum approximate SLE, but there is uncertainty as to a maximum value.
Another example: an author takes a royalty of $100,000 to write a book. He receives partial payments at every 25% of the project. What is the SLE if his hard drive crashes at the 70% mark and the data is not recoverable? 25,000 x 80%, or $20,000, unless he has been sending chapters in as they are done.
Annualized Loss Expectancy (ALE - multi-hits)
• SLE x Annualized rate of occurrence = Annual Loss Expectancy (ALE)
• The annualized rate of occurrence is the frequency with which the threat is expected to occur
• Example, web surfing on the job
– SLE: 1000 employees, 25% waste an hour per week surfing, $50/hr x 250 = $12,500
– ALE: they do it every week except when on vacation: $12,500 x 50 = $62,500
If you are screaming “but what if??”, relax - we understand. Again, a main point of the chapter is uncertainty; this is what drives the “what ifs”. The key question, however, is how much continuing risk am I willing to accept?
Even if you can survive a given event (possibly sadder but wiser), can you survive it six times? This is the notion of annualized risk. It applies well to shoplifting: we expect to lose 9% of revenue over N occurrences.
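The SLE and ALE arithmetic from the slides, worked as an added example that is not part of the course material; the slides give only the SLE for the laptop and disk-crash cases, so the ARO values used for them here are assumptions, and the surfing inputs multiply out to 12,500 x 50 = 625,000.

```python
"""Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE), worked on the
course's own figures. Added example, not part of the SANS material."""
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    asset_value: float      # dollars at stake in a single occurrence
    exposure_factor: float  # fraction of asset_value lost per occurrence, 0.0 to 1.0
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x annualized rate of occurrence."""
        return self.sle() * self.aro

# Constructed from the slide examples. The slides give only the SLE for the first two
# cases, so their ARO values here are assumptions.
SALESMAN_LAPTOP = Scenario("unencrypted salesman laptop",
                           asset_value=40_000_000 * 0.25,  # his 25% of $40M revenue
                           exposure_factor=0.10,           # worth at least 10% to a competitor
                           aro=0.2)                        # assumed: one loss in five years
AUTHOR_DISK = Scenario("author's disk crash at the 70% mark",
                       asset_value=25_000,    # the $25,000 installment at stake
                       exposure_factor=0.80,  # the slide's 80% of that installment
                       aro=0.1)               # assumed: one unrecoverable crash in ten years
WEB_SURFING = Scenario("web surfing on the job",
                       asset_value=1000 * 0.25 * 50,  # 250 employees x 1 hr x $50/hr, per week
                       exposure_factor=1.0,
                       aro=50)                        # every week except two on vacation

def rank_by_ale(scenarios):
    """(name, SLE, ALE) tuples, largest ALE first: the order in which the
    continuing risks deserve attention."""
    rows = [(s.name, s.sle(), s.ale()) for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, sle, ale in rank_by_ale([SALESMAN_LAPTOP, AUTHOR_DISK, WEB_SURFING]):
        # The surfing ALE works out to 12,500 x 50 = 625,000 (the slide prints 62,500).
        print(f"{name:40s} SLE ${sle:>12,.0f}  ALE ${ale:>12,.0f}")
```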
Qualitative - Another Risk Assessment Approach
• Banded values: high, medium, low
• Asset value and safeguard cost can be tied to monetary value, but not the rest of the model
• Very commonly used
For most applications the best approach is the financial one, with the exceptions of critical systems (such as nuclear plant control) and weapon systems. However, it takes a lot more effort to quantify what things are worth, and so the qualitative approach is far more popular.
The single biggest problem with the qualitative approach is in the implementation: people tend to mark “low risk” even when it is other than that, or they mark “medium” or “high” for their pet peeves rather than actually calculating the risk.
Economic vs. Qualitative
• Qualitative is easier to calculate, but its results are more subjective
• Qualitative is much easier to accomplish
• Qualitative succeeds at identifying high risk areas
• Economic is far more valuable as a business decision tool
The main difference between the two approaches is that qualitative is much easier and, when done well, can certainly identify the areas that need attention.
no focus in deciding what and how to protect our systems.
Once we can reduce the uncertainty over what the attacker is going to target, we can focus on
protecting these assets. This is done by developing countermeasures or defenses. The goal is to
select countermeasures that are effective, reasonable in cost (and free if possible), and measurable.
In most cases, we should be able to produce specific checklists. When we are able to produce
checklists, we have reached the point where we are able to establish best practice as our security
policy.
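To show why the economic model is the better business decision tool, here is an added example (not course material) that costs the three risk choices for the slides' salesman laptop and bands the same figures qualitatively; the safeguard prices, insurance premium and limit, the ARO, and the band thresholds are assumptions.

```python
"""The three risk choices (accept, mitigate, transfer) costed on the economic model,
beside a qualitative banding of the same figures. Added example, not course material;
the safeguard, premium and band-threshold figures are assumed."""
from dataclasses import dataclass

@dataclass
class Mitigation:
    name: str
    annual_cost: float   # what the safeguard costs per year
    residual_ale: float  # ALE that remains once the safeguard is in place

@dataclass
class Transfer:
    name: str
    premium: float  # annual insurance premium
    limit: float    # insurer pays at most this much per occurrence

def annual_cost_of_choices(sle, aro, mitigations=(), transfers=()):
    """Expected annual cost of each choice: accepting costs the full ALE, a safeguard
    its price plus the residual ALE, insurance the premium plus the uninsured part of
    each loss (anything above the policy limit), annualized."""
    costs = {"accept": sle * aro}
    for m in mitigations:
        costs[f"mitigate:{m.name}"] = m.annual_cost + m.residual_ale
    for t in transfers:
        costs[f"transfer:{t.name}"] = t.premium + max(0.0, sle - t.limit) * aro
    return costs

def best_choice(sle, aro, mitigations=(), transfers=()):
    costs = annual_cost_of_choices(sle, aro, mitigations, transfers)
    return min(costs, key=costs.get)

def band(ale, high=100_000, medium=10_000):
    """Qualitative view: the same dollar figure collapsed to high/medium/low (assumed thresholds)."""
    if ale >= high:
        return "high"
    return "medium" if ale >= medium else "low"

# The slide's salesman laptop: SLE $1,000,000; ARO assumed at one loss in five years.
LAPTOP_SLE, LAPTOP_ARO = 1_000_000, 0.2
LAPTOP_OPTIONS = dict(
    mitigations=[Mitigation("full-disk encryption", annual_cost=2_000, residual_ale=20_000),
                 Mitigation("policy memo only", annual_cost=500, residual_ale=150_000)],
    transfers=[Transfer("hacker insurance", premium=15_000, limit=500_000)],
)

if __name__ == "__main__":
    for choice, cost in annual_cost_of_choices(LAPTOP_SLE, LAPTOP_ARO, **LAPTOP_OPTIONS).items():
        print(f"{choice:32s} ${cost:>10,.0f}/yr  band: {band(cost)}")
    print("best:", best_choice(LAPTOP_SLE, LAPTOP_ARO, **LAPTOP_OPTIONS))
```

Three of the four choices land in the same "high" band, so the qualitative view cannot rank them; the dollar figures can.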
Knowledge-Based Risk Assessment
• System administration is a high-turnover job for large organizations, which affects continuity
• System administrators tend to be focused on having the “trains run on time”
• Security configuration may not be understood or implemented
If a sufficiently developed checklist exists, this is a major benefit to organizations. This can help
protect the organization against a number of problems, including turnover and training.
Windows NT Example
• Checklist approach designed for two persons (check and double
This IS is: (Check only one)
(__) LOCATED AT NSWC DAHLGREN
(__) Complete site description is attached.
Threat and Countermeasure Check List.
Mark each as True, False, or NA - not applicable.
For all items not marked as "T", indicate in the section entitled "ADDITIONAL
COMMENTS AND EXPLANATIONS" how the risk is mitigated by other means. In
the absence of indications to the contrary, the Information System is operating at an
acceptable risk (accreditable) when all of the leftmost countermeasures are marked
'True'.
The person who knows security and risk in general (often an auditor or security officer) reads the items to the person more familiar with the specific technology. That person checks each item and fills in the checklist.
At the end of each section, the security officer makes the determination as to the overall risk posture of the system.
a. Threat/Vulnerability: Unauthorized System Access
Operating Countermeasures:
File System Configuration.
(__) System is configured as NTFS file system?
(__) System Administrator has a current Emergency Recovery Disk in a locked
storage area.
Accounts.
(__) Guest account is not present (or is disabled).
(Check Administrative Tools, User Manager, highlight guest and hit enter)
If Guest access is allowed:
(__) Audit trails for all accesses are enabled. In the section
(__) Remote Registry access is limited to Administrators.
(__) Scheduler service is disabled.
(__) If Scheduler service is NOT disabled, access is limited to Administrators.
This is by no means the end of the checklist. In the online version, you can click on these items for additional information about how to check.
These checklists are available at www.nswc.navy.mil/ISSEC.
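The accreditation rule the checklist states (every applicable countermeasure marked True, or the exception explained under ADDITIONAL COMMENTS AND EXPLANATIONS), as an added Python example that is not NSWC's tool; the item ids, the applies_if_false rule for the conditional items, and the sample answers and comments are constructed.

```python
"""Evaluates a threat/countermeasure checklist the way the NSWC instructions describe:
every applicable item must be marked True, or the ADDITIONAL COMMENTS section must explain
how the risk is mitigated by other means. Added example; item ids, the applies_if_false
rule and the sample answers and comments are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Item:
    id: str
    text: str
    answer: str = ""                        # "T", "F" or "NA"; empty if not filled in
    applies_if_false: Optional[str] = None  # only applies when that item is marked "F"

def applicable(item, by_id):
    """Conditional items ('If Guest access is allowed: ...') apply only when the
    item they hang off was marked False."""
    return item.applies_if_false is None or by_id[item.applies_if_false].answer == "F"

def evaluate(items, comments):
    """Return (accreditable, findings); each finding is an (item id, reason) pair."""
    by_id = {i.id: i for i in items}
    findings = []
    for it in items:
        if not applicable(it, by_id) or it.answer == "T":
            continue
        if it.answer not in ("F", "NA"):
            findings.append((it.id, "not answered"))
        elif it.id not in comments:
            findings.append((it.id, f"marked {it.answer} with no mitigation explained"))
    return not findings, findings

# Constructed answers for the slide's "Unauthorized System Access" items.
NT_ITEMS = [
    Item("ntfs", "System is configured as NTFS file system", "T"),
    Item("erd", "Current Emergency Recovery Disk kept in locked storage", "T"),
    Item("guest", "Guest account is not present (or is disabled)", "F"),
    Item("guest_audit", "Audit trails for all accesses are enabled", "T", applies_if_false="guest"),
    Item("remote_reg", "Remote Registry access is limited to Administrators", "T"),
    Item("sched", "Scheduler service is disabled", "F"),
    Item("sched_admin", "Scheduler access is limited to Administrators", "T", applies_if_false="sched"),
]
NT_COMMENTS = {"guest": "Guest needed for the lobby kiosk; logons audited and limited to that host.",
               "sched": "Scheduler runs nightly backups; access limited to Administrators."}

if __name__ == "__main__":
    print(evaluate(NT_ITEMS, {}))           # not accreditable: guest and sched unexplained
    print(evaluate(NT_ITEMS, NT_COMMENTS))  # accreditable
```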
SANS’ Securing NT SBS
* Action 3.1.1 Disable the display of the last logged on username by setting the
following registry value. If the value does not already exist, it must be created. With REGEDT32 this
is done with the Edit menu, Add Value. Enter the Name "DontDisplayLastUsername” exactly as
shown and then use the String Editor to enter a "1". Also, you can use the C2 Configuration
Manager from the NT Resource kit instead of using REGEDT32.
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DontDisplayLastUsername
Type: REG_SZ
Value: 1
Note: In some situations it might be preferable to allow the display of the last logged
on user. Certain users may not be able to remember their user name, and this would keep the
administrator from having to tell them each time they logged on. Another reason to display the last
logged on username is because it will quickly let you know if someone else logged onto the machine.
Not displaying the last logged on user name will only keep novice hackers from finding out which
users exist on the machine. It is trivial for a determined hacker to get that information. Therefore,
many administrators do not bother hiding the last logged on user name.
A similar project - also a community development effort - is the SANS Securing Windows NT Step
revisited “How to use Risk Assessment tools!”
Intrusion Detection Roadmap
Using What We Have Learned
• Business Case for Intrusion Detection
– How all these Capabilities Work Together
• Future Directions
– Intrusion Detection in the Network
– Program-Based Intrusion Detection
In this next-to-last major section, we are going to summarize and use everything we have studied to
date. The goal of the business case section is to give you the process and procedure tools to
supplement the technical capabilities you have learned.