Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 3 – Basic Evasion


IDS Evasion Techniques

Since the introduction of intrusion detection systems they became very popular amongst network administrators because it provided a way to detect if any attacks took place. At them days (1990s) these systems were very simple devises that monitor the network traffic, match it to a database of signatures and if there is a match an alert is produced that informs the administrator of the event
(Bruneau, 2001,
History and Evolution of Intrusion Detection, p. 3). Throughout the years attackers, security professionals, researchers and developers have always played a cat and mouse game. Every time developers, security professionals and researchers find or develop new ways to counteract attacks, attackers seem to develop new ways to attack security devises such as IDSs or even bypass them altogether. This is because of the complexities in capturing, analysing and understanding network traffic (Timm, 2002, IDS Evasion Techniques and Tactics, p. 1). These complexities meant the existence of many techniques that can be used to take advantage of the weaknesses in IDSs. These methods were very simple such as pattern matching, denial of service (DOS) and false positives. However overtime more advanced techniques such as fragmentation, session splicing and polymorphic shell-code techniques began to appear.

As mentioned by (Roberts, 2010)
that stonesoft’s disclosure of a new way to evade IDSs and IPSs (IDPSs) raises some doubts about the effectiveness of many security products already used by many organisations worldwide. However stonesoft’s discovery was not new; anyone has an interest in information security knows that these techniques have been around for a very long time and was first mentioned in 1998 by (Newsham, 1998).

As quoted by (Roberts, 2010):

“Researchers working for Stonesoft have been delving into evasion techniques since 2007 in an effort to improve Stonesoft’s own products, said Matt McKinley, Director of Product Management in the U.S.”

He further quoted:

“”In the process of doing so, we basically discovered that it’s possible to combine multiple evasion techniques together working at different layers (of the IP stack) and they can confound the IPS and become hard to protect,” he said.”

However, I respectfully disagrees with what Mr. Matt McKinley had said; this is because these techniques as will be discussed in the following sections have been around for a very long time and all are based on the techniques mentioned in
(Newsham, 1998)
paper.

In this section the author presents an overview of some of these techniques by dividing them into two categories Basic techniques and Complex techniques.

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 3 – Basic Evasion

Advertisements

Uses of free Unix-based Security Tools to Develope Secure Systems – Part 4


4.    ENUMERATION

“Enumeration can best be defined as the process of counting. From a security standpoint, it’s the process the attacker follows before an attack. The attacker is attempting to count or identify systems and understand their role or purpose.

This may mean the identification of open ports, applications, vulnerable services, DNS or NetBIOS names, and IP addresses before an attack.”

Michael Gregg (2008, p 149)

This means at this stage it’s only a matter of time before the attacker compromises a system on the network.

The main aim of this stage is to find:

Uses of free Unix-based Security Tools to Develope Secure Systems – Part 3


3.    SCANNING

At this stage an attacker would’ve got a list of IP ranges, DNS servers, Mail servers, employee names and phone numbers. All this would be used by attackers to probe our network to see which systems are alive and the services running on them.

There are many tools and techniques available to accomplish this.

Ping sweeps basically a method used to find out which of a range of IP addresses are a live and reachable from the internet.

Fping can be used on large networks, it doesn’t wait for a reply before trying the next IP, it sends many requests in parallel.

root@bt:#fping -a -f ipadd.txt

-a – shows systems that are alive.

-d – resolves hostnames.

-f – read from file.

-h – help.

Nmap is another tool that can be used for ping sweeps.

root@bt:#nmap –sP 192.168.1.0/24

There are other methods that can be used if ICMP is blocked but they are not as accurate as Continue reading Uses of free Unix-based Security Tools to Develope Secure Systems – Part 3

Uses of free Unix-based Security Tools to Develope Secure Systems – Part 2


2.    FOOT PRINTING

The aim of foot printing is to gather as much information as possible about the organisation and its network. One would ask why would I need to perform such step when I have all the information about my network?

Joel Scambray, Stuart McClure and George Kurtz (2009, page 10), answers this question:

“Foot printing is necessary for one basic reason: it gives you a picture of what the hacker sees. And if you know what the hacker sees, you know what potential security exposures you have in your environment. And when you know what exposures you have, you know how to prevent exploitation.

Hackers are very good at one thing: getting inside your head, and you don’t even know it. They are systematic and methodical in gathering all pieces of information related to the technologies used in your environment. Without a sound methodology for performing this type of reconnaissance yourself, you are likely to miss key pieces of information related to a specific technology or organization—but trust me, the hacker won’t.”

…….

“Foot printing is one of the most important steps and it must be performed accurately and in a controlled fashion.” Continue reading Uses of free Unix-based Security Tools to Develope Secure Systems – Part 2

Uses of free Unix-based Security Tools to Develope Secure Systems – Part 1


1.    INTRODUCTION

In today’s world it is very rare to find a business or an organisation that is not reliant on a computer network of some sort, whether it is a hospital, a school, large bookstore, small shop or even a home business. This sets a challenge for IT professionals around the world, especially with the increased number of network attacks that are happening every day. The challenge is how to keep these networks secure?

What is network security?

Network security to IT professionals doesn’t mean that a network is 100% secure because that is impossible unless you completely disconnect your network from the outside world and even that doesn’t protect the network from internal attacks or the physical theft of the computer and the data inside it. The only way to have 100% security is to power off all computers and for businesses these days that isn’t an effective decision. Continue reading Uses of free Unix-based Security Tools to Develope Secure Systems – Part 1