To help combat marauders who exploit such server vulnerabilities, systems administrators can employ intrusion detection software, such as Cybercop from Santa Clara, CA-based Network Associates, Cisco Systems’ Secure IDS and SRI International’s Emerald. These systems monitor network traffic looking for sequences of commands specifically associated with malicious attacks, as well as out-of-the-ordinary command sequences or data traffic. When the software spots something unusual, it notifies the systems administrator, who can then decide whether to shut the questionable traffic down.
But some attacks will be new and subtle enough to avoid detection. Or more commonly, invasions may be detected but ignored. Routine hackers and even inept legitimate users so frequently trigger current intrusion detection systems that many systems administrators disregard the alarms, or turn them off. Many of the companies Jim Settle’s team penetrated were running high-end intrusion detection software costing $100,000 or more but for one reason or another didn’t recognize the attack.
To counteract these glitches, researchers at Sandia National Laboratories, Network Associates and Cisco are working on intrusion detection systems that do a better job of differentiating false alarms and amateurish attacks from serious invasions. Some systems under development will even be able to analyze activity across a network to distinguish isolated attacks from the sort of massive, coordinated assaults that tend to be more damaging, says Fred Cohen, a security consultant and Livermore, CA-based Sandia researcher who coined the term “computer virus.” Future intrusion detection systems, he notes, will also make the network “self-coordinating”: when a particular server is under attack, the network will place similar servers on high alert, or even shut them down, under the assumption that the attacker will attempt to exploit related vulnerabilities. Cohen has been working on ways to allow intrusion detection systems to recognize “slow attacks,” an especially subtle and hard-to-spot technique in which an attack is purposely spread out over hours or even days to avoid triggering conventional alarms. “Most organizations have been ignoring that problem, because they have their hands full just recognizing attacks that occur in real time,” he says.
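The two ideas above, an intrusion detection system that watches for out-of-the-ordinary command or connection sequences and the “slow attack” that defeats it by spreading activity over hours, can be shown with a small detector. The following Python is an added example, not code from the article or from Sandia, Network Associates or Cisco; the firewall log format (`timestamp source destination_port`), the addresses and the thresholds are all constructed for illustration. The same distinct-port counter is run twice: once with the short window a conventional alarm uses, which catches the burst scan but not the one-port-every-30-minutes scan, and once with a day-long horizon that catches both while leaving the ordinary user alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed one-day firewall log (not real traffic): one line per
    connection attempt as 'ISO-timestamp source destination_port'."""
    base = datetime(2001, 9, 10, 8, 0, 0)
    lines = []
    # Fast scan: 10.0.0.5 touches 10 ports in 10 seconds.
    for i in range(10):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 {21 + i}")
    # Slow scan: 10.0.0.9 touches one new port every 30 minutes, 12 ports in 5.5 hours.
    for i in range(12):
        t = base + timedelta(hours=1, minutes=30 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 {21 + i}")
    # Ordinary user 10.0.0.7: web and mail ports, revisited during the day.
    for minutes, port in ((5, 80), (6, 443), (240, 80), (241, 443), (300, 25)):
        t = base + timedelta(minutes=minutes)
        lines.append(f"{t.isoformat()} 10.0.0.7 {port}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log into (timestamp, source, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port)))
    return events


def scanning_sources(events, window, threshold):
    """Return the sources that touch at least `threshold` distinct ports
    inside any span of length `window`. The window is the only thing that
    separates a conventional alarm from a slow-attack detector."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    flagged = set()
    for src, recs in by_src.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            ports = {p for ts, p in recs[i:] if ts - start <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


def conventional_alerts(events):
    """Conventional rule: 5 distinct ports within 60 seconds."""
    return scanning_sources(events, timedelta(seconds=60), 5)


def slow_scan_alerts(events):
    """Slow-attack rule: 8 distinct ports within 24 hours, so the per-source
    state must be kept for a full day rather than a minute."""
    return scanning_sources(events, timedelta(hours=24), 8)


def port_spread(events):
    """Per source: (number of distinct ports, seconds between first and last
    attempt). Useful for the analyst deciding whether an alert is real."""
    first, last, ports = {}, {}, defaultdict(set)
    for ts, src, port in sorted(events):
        first.setdefault(src, ts)
        last[src] = ts
        ports[src].add(port)
    return {src: (len(ports[src]), int((last[src] - first[src]).total_seconds()))
            for src in ports}


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("60-second rule flags:", sorted(conventional_alerts(events)))
    print("24-hour rule flags:  ", sorted(slow_scan_alerts(events)))
    for src, (n, secs) in sorted(port_spread(events).items()):
        print(f"{src}: {n} distinct ports over {secs} s")
```

The cost of the longer horizon is memory: the detector has to remember every source's port history for the whole day instead of a minute, which is why a long-window rule is usually run on summarised per-source counters rather than raw packets.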
Cohen is also among those working on another method to defend servers: so-called deception techniques. These involve setting the network up not merely to resist intruders but also to confuse and mislead them, preventing them from causing damage and making it easier to monitor their activities. For example, an intruder will normally use software to scan a network for open ports, typically resulting in a list of 30 or so gateways that can be explored for vulnerabilities. One deception technique is to have the network automatically reply to a port scan with a list of a million or more ports, far more than even the most motivated agent is likely to sift through looking for weaknesses. Organizations that want to go all out can even set up entire databases of phony information that are made available to anyone trying to improperly access the system.
Cohen notes that some security professionals have shied away from deception techniques out of concern that legitimate users will be fooled or inconvenienced, but he disagrees. “We’ve been experimenting with the techniques for four years on our networks, and we haven’t seen one case where a user wasted time because of them, or as far as we know, one case where an attacker got to real data,” he says. Cohen currently gives away some deception software on his Web site, and security firm Recourse Technologies of Redwood City, CA, sells a product called ManTrap, probably the most sophisticated deception system available commercially. But Cohen says more advanced systems are generally built in-house because they require a great deal of customization and maintenance.
In an effort to identify network vulnerabilities before invaders exploit them, companies can run software designed to ferret out and flag flaws. For example, Bill Cheswick’s group at Lumeta sends a barrage of specially tagged packets of data from inside an organization’s network to servers outside the network, and vice versa. The software then points out any network servers that let traffic move through in both directions. Such “leaky” servers represent an easy way in for intruders, and for malicious software like the Code Red worm that infected servers worldwide last summer. “The way companies usually find out about leaky servers is when a worm like Code Red spreads throughout the network,” notes Cheswick. “If your network is tight, you should never see anything like Code Red inside. But it ran through all kinds of organizations.”