Fri Apr 8 06:51:40 PDT 2016

Incidents: Detection: Are intrusions detected, and if so, how?


Options:

Option 1: Ignore detection and wait till consequences reveal attacks.
Option 2: Occasionally or periodically examine log files and systems to detect intrusions and/or anomalies.
Option 3: Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.
Option 4: Use intrusion and/or anomaly detection products that independently detect intrusions and/or anomalies.
Option 5: Use a network-wide intrusion and/or anomaly detection and analysis system.
Option 6: Devise a system to detect event sequences with potentially serious negative consequences.
Option 7: Add expertise.
Option A: Favor anomaly detection.
Option I: Favor intrusion detection.

Decision:

The table below summarizes this decision.
Risk Network size Expertise Approach
High Small Low Devise a system to detect event sequences with potentially serious negative consequences. AND Favor anomaly detection.
High Small High Devise a system to detect event sequences with potentially serious negative consequences. AND Favor anomaly detection.
High Big Low add expertise
High Big High Devise a system to detect event sequences with potentially serious negative consequences. AND Use both intrusion and anomaly detection.
Medium Small Low [Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.
OR Use intrusion and/or anomaly detection products that independently detect intrusions and/or anomalies.]
AND Favor anomaly detection.
Medium Small High [Occasionally or periodically examine log files and systems to detect intrusions and/or anomalies.
OR Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.
OR Use intrusion and/or anomaly detection products that independently detect intrusions and/or anomalies.]
AND Favor anomaly detection.
Medium Big Low add expertise
Medium Big High [Use intrusion detection products that independently detect intrusions and/or anomalies.
OR Use a network-wide intrusion and/or anomaly detection and analysis system.
OR Devise a system to detect event sequences with potentially serious negative consequences.]
AND Use both intrusion and anomaly detection.
Low Small Low Ignore detection and wait till consequences reveal attacks.
Low Small High [Occasionally or periodically examine log files and systems to detect intrusions and/or anomalies.
OR Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.]
AND Use both intrusion and anomaly detection.
Low Big Low [Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.
OR Use intrusion and/or anomaly detection products that independently detect intrusions and/or anomalies.]
AND Favor intrusion detection.
Low Big High [Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.
OR Use intrusion and/or anomaly detection products that independently detect intrusions and/or anomalies.]
AND Use both intrusion and anomaly detection.
How intrusions and/or anomalies are detected

Basis:

Ignore detection and wait till consequences reveal attacks.
Ignoring intrusion detection and waiting till an attack is obvious from its consequences has two major problems. (a) Many attacks are not immediately detectable by their consequences, leading to far greater harm. (b) Attacks can happen quite quickly and covertly. In many cases the attack is over long before the consequences become apparent. The only exception is small low-risk networks.

Occasionally or periodically examine log files and systems to detect intrusions and/or anomalies.
For certain classes of attacks, like long term infestation of systems by intruders, this approach is marginally effective. Many attackers erase logging information about their attacks as part of their attack process, but this can be mitigated by the use of logging servers. We advise periodic checks with the period determined by the harm from different infestation times and random checks to augment periodic checks in case an attacker understands and tries to take advantage of the periodicity.

Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.
Automation is used to collect and analyze log files and other indicators of intrusions. This can provide more rapid detection, reducing the exposure time, and be automated, reducing the time and effort required to do the job. It produces false negatives, but so does human examination. It can also produce false positives, but the workload for investigation false positives is less than for examining the audit information by hand. For medium and high risk situations, internal automation is preferred. When there are a substantial number of available sources of information and they are not otherwise gathered together, commercial collection and fusion systems should be used and tailored to needs.

Use intrusion and/or anomaly detection products that independently detect intrusions and/or anomalies.
In cases where there are substantial vulnerabilities and consequences of undetected break-ins, intrusion detection products that independently detect intrusions are important. In cases without strong preventive controls, substantial consequences of unidentified attacks, and when there are intrusion types not detected by the normal control mechanisms, intrusion detection products that independently detect intrusions are advised. These mechanisms should be devised to detect otherwise unprotected event sequences that can lead to serious negative consequences and failures in other protective mechanisms.

Use a network-wide intrusion and/or anomaly detection and analysis system.
Network-wide intrusion detection and analysis systems are typically used for networks with at least 100 computers. They consolidate audit and detection records, correlate them, rank them according to preset and customer modifiable settings, and present their results in real-time to network operations center staff. These systems are expensive but far less so than humans doing the same tasks.

Devise a system to detect event sequences with potentially serious negative consequences.
For situations in which the consequences and threats justify in-depth analysis and preparation in order top respond in time, it is necessary to develop a system that identifies indicators and produces warnings of pending event sequences when the level of consequence justifies the effort.

Add expertise
For any enterprise with a network involving hundreds or more computers (big), it is necessary to get additional expertise if existing expertise is inadequate. This can often be outsourced to specialist intrusion and/or anomaly detection and response firms.

Favor intrusion or anomaly detection?
Intrusion and/or anomaly detection mechanisms provide the means to detect unauthorized or unusual activities within systems and networks. The value of these systems is that they allow these unauthorized or unusual activities to be detected when they might otherwise not be detected, or to be detected more quickly than they would otherwise be detected. If the business consequences of these activities warrant the costs of detection, then detection is called for. Detection mechanisms range from audit records and methods to analyze those records, to automated systems that use surveillance methods to detect known intrusions or deviations from normal behavior. Essentially all such systems produce an unlimited number of false positives and false negatives, and investigation is required to follow-up on indications provided by these systems. As a general rule, when a system is designed so that its normal behaviors are known or it behaves in very much the same manner during all normal operations, anomaly detection is the better approach. When behavior is not predictable or consistent over time, or when known attack methods are of concern, intrusion detection is appropriate.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved