[Discussion] Why IDS sucks

Matt Jonkman jonkman at jonkmans.com
Fri Oct 17 01:23:11 UTC 2008


John Ives wrote:
>> 1.  Signature matching has its use but can not be an end all for 
>> detection of attacks. (easy to bypass, layer 7 hurts,  encryption hurts 

> You're right, however I will point out that 1a and 1b can be handled, to a
> degree, by having signatures that don't look at specific attacks but
> look at the vulnerability being attacked.  If the problem is that
> product A has a buffer overflow condition and can only accept 64
> bytes of data before its buffer is filled, look for data at byte 65 to
> detect the attack.  Unfortunately, from the network, it can be hard to
> tell if what was attacked was actually running that vulnerability
> without a comprehensive vulnerability assessment program.

For vulnerabilities that's true. But if you run the ET rules I think
you'll find as much or more value in our detection of post infection
activity. These aren't vulnerabilities; for the most part it's hostile
traffic trying really hard to look like legit traffic. Here's where
scoring and such come into play. We can write signatures that will only
push a bad actor over the alerting threshold if they do all of the
things; then we alert.

I think it's a misconception that IDS is for vulnerabilities only. Known
or unknown. I think its value lies as much or more in policy
enforcement, malware/infection detection, etc.

But PLEASE let's not start the "IDS isn't meant for policy enforcement"
war. It's not meant for it, but it's damn good at it, so it's going to
be used for it. :)

>> 3.  Inability of vendors/producers of IDS technology to keep ahead of 
>> the curve (be it signature awareness, or be it protocol parsers, etc)
> 
> You're probably preaching to the choir on this one, but, to be fair I
> think security is one area where I doubt the good guys are ever going
> to win (at least not as long as we are so adamantly focused on defense).
> The best we can hope for, barring some fundamental shift in the
> landscape, is a tie.  I say this not to be defeatist, but because
> security is a zero-sum game.  The defenders only have to make one
> mistake to lose, while the attackers only need to get it right once to
> win.  With that in mind, I would say the best hope we have is to start
> playing more offense, but at this point I don't know how best to accomplish
> this without breaking laws, etc.  But, I digress, because hearing my
> somewhat depressing view of the state of security today is not why
> everyone joined this list.  Also, it doesn't do anything to move along a
> conversation about IDS. :)
> 

IP Reputation I think will give us an advantage here. They have to build
botnets now to get spam delivered before they are blacklisted, then they
toss the bot and infect more. That caused a fundamental shift in how
spammers operate.

I think we can do the same for a lot of badness. If every site can know
about and block a known bad IP, and do so in near realtime, then
reconnaissance becomes something you need a botnet for, and becomes much
more difficult. And ideally you'd only get one shot to make an attack
and you're blacklisted. One shot against ANY participating network, not
one shot PER network.

>> 4.  Anomaly detection based technologies can be effective but on their 
>> own they tend to be more of a burden than a help.
> 
> I've found that many times anomaly detection is best when used with
> other detection mechanisms.
> 

Scoring and thresholds to alert!!


>> And the single largest issue IMHO, is the lack of infrastructure to 
>> properly correlate and analyze data to produce actionable 
>> intelligence.   This intelligence can then be piped to various types of 
>> "technical controls" to be used as part of the overall security 
>> architecture.   Granted this isn't necessarily a weakness in IDS as much 
>> as it is a weakness in the approach the industry has taken.
> 
> Damn Straight!  I wonder how many of us have had to write our own
> scripts/programs to help us parse and use the data we get from all of
> the security tools we run.

Agreed! What could we do at the engine level to make this more useful?
We hope to have IP reputation and hit scoring. Those could go a long
ways in prioritizing. What else?

matt


_______________________________________________
Discussion mailing list
Discussion at openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
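The scoring-and-thresholds idea from the message above (weak post-infection signatures that only add points, an alert once a host accumulates enough of them inside a window, and a reputation list that is shared across participating networks so a source gets fewer free attempts) as a worked example. This is added code, not code from the list, from Emerging Threats or from any IDS engine; the signature names, point weights, threshold, window, addresses and the event stream are all constructed for illustration, and the per-host scorer is a simple stand-in for what an engine would do internally.

```python
"""Score-and-threshold alerting with a shared IP reputation feed.

Added example (not code from the list or from Emerging Threats). All signature
names, weights, thresholds and addresses below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed weak indicators: each alone looks like plausible traffic and
# would be a noisy alert on its own, so each only contributes points.
INDICATOR_WEIGHTS = {
    "HTTP_GET_EXE_NO_UA": 3,       # executable fetched without a User-Agent
    "DNS_FAST_FLUX_NXDOMAIN": 2,   # burst of NXDOMAIN answers
    "IRC_PORT_CONNECT": 2,         # outbound connection to an IRC port
    "HTTP_POST_NO_REFERER": 1,     # Referer-less POST, check-in-like
}
ALERT_THRESHOLD = 6     # points within the window before we alert
WINDOW_SECONDS = 600    # sliding window; older hits stop counting
REPUTATION_BONUS = 4    # extra points when a known-bad IP is involved


class ScoreTracker:
    """Accumulates per-source scores and alerts once a host crosses threshold."""

    def __init__(self, weights=INDICATOR_WEIGHTS, threshold=ALERT_THRESHOLD,
                 window=WINDOW_SECONDS, bonus=REPUTATION_BONUS, bad_ips=()):
        self.weights = weights
        self.threshold = threshold
        self.window = window
        self.bonus = bonus
        self.bad_ips = set(bad_ips)
        self.hits = defaultdict(deque)   # src -> deque of (ts, points, sig)
        self.alerted = {}                # src -> alert record (one per host)

    def observe(self, ts, src, dst, sig):
        """Feed one signature hit; return an alert dict if src crosses threshold."""
        points = self.weights.get(sig)
        if points is None:           # unknown signature: not a scored indicator
            return None
        if src in self.bad_ips or dst in self.bad_ips:
            points += self.bonus     # reputation makes the same hit count more
        q = self.hits[src]
        q.append((ts, points, sig))
        while q and ts - q[0][0] > self.window:
            q.popleft()              # expire hits outside the sliding window
        score = sum(p for _, p, _ in q)
        if score >= self.threshold and src not in self.alerted:
            alert = {"ts": ts, "src": src, "score": score,
                     "indicators": sorted({s for _, _, s in q})}
            self.alerted[src] = alert
            return alert
        return None

    def export_reputation(self):
        """Sources that alerted here, to share with other participating sites."""
        return set(self.alerted)


def run_events(events, tracker=None):
    """Replay (ts, src, dst, sig) tuples; return the alerts raised, in order."""
    tracker = tracker or ScoreTracker()
    alerts = []
    for ts, src, dst, sig in events:
        alert = tracker.observe(ts, src, dst, sig)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed event stream (timestamps in seconds, RFC 5737 test addresses).
SAMPLE_EVENTS = [
    (0,   "192.0.2.10", "198.51.100.5",  "HTTP_GET_EXE_NO_UA"),      # A: 3
    (30,  "192.0.2.20", "198.51.100.9",  "HTTP_GET_EXE_NO_UA"),      # B: 3, never more
    (60,  "192.0.2.10", "198.51.100.5",  "DNS_FAST_FLUX_NXDOMAIN"),  # A: 5
    (90,  "192.0.2.30", "203.0.113.7",   "HTTP_POST_NO_REFERER"),    # C: 1 + 4 bonus
    (120, "192.0.2.10", "198.51.100.12", "IRC_PORT_CONNECT"),        # A: 7 -> alert
    (150, "192.0.2.30", "198.51.100.3",  "DNS_FAST_FLUX_NXDOMAIN"),  # C: 7 -> alert
    (200, "192.0.2.40", "198.51.100.8",  "HTTP_GET_EXE_NO_UA"),      # D: 3
    (900, "192.0.2.40", "198.51.100.8",  "IRC_PORT_CONNECT"),        # D: first hit expired -> 2
    (950, "192.0.2.40", "198.51.100.8",  "HTTP_GET_EXE_NO_UA"),      # D: 5, under threshold
]
SAMPLE_BAD_IPS = {"203.0.113.7"}   # constructed reputation entry


def demo():
    """Site 1 alerts on two hosts; site 2 consumes site 1's feed as reputation."""
    site1 = ScoreTracker(bad_ips=SAMPLE_BAD_IPS)
    alerts = run_events(SAMPLE_EVENTS, site1)
    # Another participating network: a host that got itself alerted at site 1
    # is now scored with the bonus everywhere, so a single hit is enough.
    site2 = ScoreTracker(bad_ips=site1.export_reputation())
    second = site2.observe(1000, "192.0.2.10", "198.51.100.20", "HTTP_GET_EXE_NO_UA")
    return alerts, second


if __name__ == "__main__":
    for a in demo()[0]:
        print(a)
```

Replaying the same events without any reputation list alerts only on host A, because host C's Referer-less POST is worth a single point until the destination is known bad; host D never alerts at all because its first hit has aged out of the window by the time the second arrives. Whether one alert per host is the right de-duplication, and how fast scores should decay, are tuning decisions an engine would expose rather than hard-code as done here.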
