Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 9 – Results Discussion


Discussion

To achieve the objectives of this study the experiments needed to be as realistic as possible, meaning that the same steps an attacker takes to compromise a network would need to be taken. This is to investigate the effectiveness of the IDS in detecting each stage at the same time there’s a need for a way to ensure that any attacks managed to evade detection have done so because of the effectiveness of the technique and not because of misconfiguration or any other issues. For this reason the experiments were divided into two scenarios. These scenarios were further divided into the experiments discussed in the previously (part 1 – part 8).

As explained by (Bejtlich 2004, p.19), in certain phases of a compromise it becomes very difficult to detect the attack; taking this under consideration it was decided to carry out the tests on the phases where if detected would mean that it was very obvious that an attack is being carried out. Table 7.1 taken from (Bejtlich 2004, p.19) shows these phases.

Phases of compromise

Description

Probability of Detection

Attacker’s Advantage

Defender’s Advantage

Reconnaissance

Enumerate hosts, services, and application version.

Medium to high

Attackers perform host and service discovery over a long time frame using normal traffic patterns.

Attackers reveal themselves by differences between their traffic and legitimate user traffic.

Exploitation

Abuse, subvert, or breach services.

Medium

Attackers may attack services offering encryption or obfuscate exploit traffic.

Exploits don’t appear as legitimate traffic, and IDSs will have signatures to detect attacks.

Reinforcement

Retrieve tools to elevate privileges and/or disguise presence.

High

Encryption hides the content of tools.

Outbound activity from servers can be closely monitored and identified.

Consolidation

Communicate via backdoor, typically using covert channel.

Low to medium

With full control over communication endpoints, the attacker’s creativity is limited only by the access and traffic control offered by intervening network devices.

Traffic profiling may reveal unusual patterns corresponding to the attacker’s use of a backdoor.

Pillage

Steal information, damage the asset, for further compromise the organisation.

Low to medium

Once operating from a “trusted host”, the attacker’s activities may be more difficult to notice.

Smart analysts know the sorts of traffic that internal systems should employ and will notice deviations.

Table 7.1: Phases of a compromise (Bejtlich 2004, p.19)

The highlighted top two columns in the above table are the stages chosen to be investigated for this study.

SCENARIO ONE – NO EVASION

The part of the experiment that represented the main focus of the study was scenario two, however scenario one was also important as it sets the seen up for the rest of the study because it provides a way of testing the operation of each component of the IDS and how they interact with the rest of the system as well as checking that there’s no misconfiguration issues and ensures the accuracy of the results.

At this stage reconnaissance techniques were tested in three phases, for each phase the packets were captured using tcpdump and analysed to see what normal packets would look like.

Phase one – here the IDS relies only on the rules (signatures) that it contains to detect attacks because an important component (pre-processor) was disabled. Thus this mode was called rules only mode. As seen in chapter 6.1 all attacks were successfully detected even when nmap’s fragmentation was used, which demonstrates that the IDS successfully detected the attacks by just using the rules only.

Type of scan

No. of PKTs Received

No. of PKTs Analysed

No. of Alerts

SYN Scan

2018

1910

941

Frag SYN

5014

4899

2328

Table 7.2: Experiment Stats Rules Only Mode

Figure 7.1: Statistics Chart for scenario one Rules only mode

Phase two – this phase was exactly the same as the above except this time the pre-processor were activated while the rules were deactivated, thus this phase was called pre-processor mode. Here none of the attacks raised an alert due to the rules being disabled and any indication of any attack taking place can only be determined by looking at the statistics as was shown by the high number in fragments, which is why it is important to look at such data every so often as it gives signs that on some occasions can’t be seen by looking at the alerts console alone.

Type of scan

No. of PKTs Received

No. of PKTs Analysed

No. of Alerts

SYN Scan

2024

2024

0

Frag SYN

5875

5875

0

Table 7.3: Experiment Stats Pre-processors Mode

Figure 7.2: Experiment Statistics For Scenario One Pre-processor mode

Phase three – this final phase of this scenario the IDS was operated in full mode, meaning the pre-processors as well as the rules were activated. Again here it can be established that all of the attacks were detected and the system and its components are fully operational.

Type of scan

No. of PKTs Received

No. of PKTs Analysed

No. of Alerts

SYN Scan

2037

1987

962

Frag SYN

5356

5097

2373

Table 7.4: Experiment Stats Full mode

Figure 7.3: Experiment Statistics Scenario one Full mode

This way it was confirmed that the system correctly configured and should be able to detect the attacks that will be launched and any attacks that managed to evade detection was due to the technique being effective.

SCENARIO TWOEVASION TECHNIQUES

As this was the main scenario of the study, two of the evasion techniques discussed in chapter two was chosen for the experiments of this study. Here the experiments were divided into three parts and the IDS was operated in full mode, the first part tested fragmentation techniques using three different configurations to test the same two reconnaissance attacks used in scenario one (SYN and nmap Fragmented SYN scans). The second part investigated the evasion techniques provided by metasploit as well as when these methods are combined with fragroute, while the third and final part used encrypted tunnel to evade detection.

SCENARIO 2.1 – FRAGMENTATION

This part demonstrated the fragmentation techniques discussed in (Newsham 1998). Tools such as fragroute (discussed in chapter four) was used to modify packets using different patterns of the fragmentation techniques explained in the paper. The setup was to use three different configuration settings for each scan. These setting were:

Fragroute’s default configurations – When this pattern was used on its own the IDS managed to successfully detect it, though when it was combined with nmap’s fragmentation the IDS failed to detect such a combination.

Type of scan

No. of PKTs Received

No. of PKTs Analysed

No. of Alerts

SYN Scan

4272

4272

68

Frag SYN

12191

12191

0

NB: this was set to zero due to the alerts generated are not linked to the scans so they were considered as false positives and the scans themselves have not been detected

Table 7.5: Experiment Stats Scenario Two – Fragmentation (default settings)

Figure 7.4: Scenario Two Fragmentation Stats chart – Default settings Stats

8-byte fragments favoring old data – the IDS successfully detected the attacks in this part of the experiment when using this pattern alone, while when combining it with nmap’s fragmentation the IDS failed to detect the attack.

Type of scan

No. of PKTs Received

No. of PKTs Analysed

No. of Alerts

SYN Scan

2412

2412

198

Frag SYN

6189

6189

0

NB: this was set to zero due to the alerts generated are not linked to the scans so they were considered as false positives and the scans themselves have not been detected.

Table 7.6: Experiment Stats Scenario Two – Fragmentation (8 Byte fragments)

Figure 7.5: Scenario Two Fragmentation Stats chart – 8 Byte fragment settings

4-byte TCP segments favoring new data – Here in this setup the IDS failed to detect any of the attacks when combined with nmap’s fragmentation, however it successfully detected the events when using this setting on its own.

Type of scan

No. of PKTs Received

No. of PKTs Analysed

No. of Alerts

SYN Scan

2272

2272

68

Frag SYN

6186

6186

0

NB: this was set to zero due to the alerts generated are not linked to the scans so they were considered as false positives and the scans themselves have not been detected.

Table 7.7: Experiment Stats Scenario Two – Fragmentation (4 Byte TCP segments)

Figure 7.6: Scenario Two Fragmentation Stats Chart – 4 Byte TCP segments

This demonstrates that these methods could still be effective in evading IDSs especially when more advanced patterns are used or when combined with other techniques. Also it is important to recognise that the above patterns are considered to be basic and a tool such as fragroute or even fragrouter (two different tools) contains over a dozen different patterns; when these are combined dozens if not hundreds of different evasion patterns can be created, which will make it very difficult if not impossible for any IDS to detect such methods. According to author fragmentation is methods still works and on many occasions can still be used to evade detection.

SCENARIO 2.2 – METASPLOIT

Metasploit is very popular and useful framework that security professionals should make use of. This part of the experiment demonstrated how such a framework can be used by professionals to test the effectiveness of their security controls. Here the same concept was used as the one used previously, first an exploit was chosen (DISTCC) and launched at the target directly without the use of any evasion methods.

At first the IDS did not detect the attack and after careful examinations it was confirmed that the IDS didn’t have signatures to detect it; therefore the captured packets were analysed to check for any unique characteristics that can be used as a signature for this attack. After that a signature was created, tested and confirmed to work and was able to detect the attack.

An evasion technique was chosen from the ones metasploit recommended (this is because metasploit comes with many evasion methods that are suitable per exploit) and the attack was launched again. This time the IDS failed to detect it. After a careful and stressful analysis of the captured traffic a set of signatures was created and tested to be very successful in detecting the attacks to the extent that no other variation of the attack can pass by the IDS without being detected.

This illustrates how useful such tools can be for researchers as they allow researchers to very easily test current technologies and develop solutions for issues that have been raised and such procedures would take a considerable amount of time to achieve without such tools.

Finally for this part of the experiment the same metasploit evasion method used previously was combined with fragroute to evade detection. This demonstrates the challenge researchers, developers and current IDSs faces and also shows that these tools are also used or can be used by attackers (because the majority of time professional hackers have their own tools) to evade the controls that are intended to stop them.

This leads to a final conclusion as also illustrated below, IDSs will continue to have these limitations if new developments are not taken to a new level by utilising new technologies and implementing the same techniques attackers use (as will be explained in chapter eight) because at the moment the majority of the developments that have been taken place are based on the methods discussed in 1998 in a paper by (Newsham 1998), which is considered in the IT field to be very old, outdated and should’ve been resolved already.

SCENARIO 2.3 – ENCRYPTED TUNNELS

IDSs with all their varieties and methods of detection are very effective and have become a main security component of any organisation network; nevertheless, they do have limitations as demonstrated. This is true for any IDS regardless of how much or how state of the art it is, which is why many organisations implement a combination of different technologies to make up for these limitations.

Although researchers and developers have spent grate amount of effort, time and money to improve these devises and resolve their weaknesses and have done a great job in making IDSs a lot better and more accurate each year, there are however issues that will continue to be a concern. Some of these issues including the ones discussed previously are attacks that have been concealed using some form of encryption, which is what this part of the experiment have demonstrated.

Regardless of how accurate IDSs are and the signatures they have at their disposal, when encryption is being used such as the SSH tunnels applied in this experiment all of these controls are rendered useless because the IDS cannot see the attacks. Therefore, for the time being it is very important for organisations, students, researchers and developers to recognise these shortcomings and to apply other measures to protect their networks and not to rely (fully) on Intrusion Detection Systems for protecting their data.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s