Wednesday, September 10, 2003

RAID Conference Concludes

Today I drove home from the 6th annual Recent Advances in Intrusion Detection (RAID) conference held at Carnegie Mellon University. The picture at left shows the nearby University of Pittsburgh's magnificent Cathedral of Learning, which is just about the coolest name for a building I can imagine. (It reminds me of Kwai Chang Caine's answer to a question on what he does: "I work, eat, learn.")


This was my first RAID conference, and I took several pages of notes on what IDS researchers are doing. The conference began with a presentation by Richard Clarke. Some of his more interesting points included:


  • He confirmed US DoD networks have indeed suffered worms and/or viruses on "classified networks." He also stated "one ugly fact... every network I know of has been penetrated -- recently and regularly," with the exceptions being one or two classified government networks. However, he "[hasn't] seen cyberterrorism yet," although he has seen "nation states doing reconnaissance" against each other and thinks the recent DNS attacks may have been nation state activities. I asked him about structured threats like organized crime, and Clarke replied he's more worried about nation states performing targeted attacks.

  • He claimed the northeast blackout which seems to have started in Ohio was "remarkably similar" to tests done by DoD red teams. Ohio power workers claim their displays reported normal status while the system failed. DoD red teams take similar approaches. A cybersecurity taskforce is now part of the blackout investigation. Two days before the blackout, power companies (through the North American Electric Reliability Council (NERC) adopted new security guidelines." Others are issuing warnings.

  • Clarke believes if the US Congress or EU tries to legislate security, "it won't work." Government will destroy the Internet if it tries to take it over to protect "critical infrastructure." His reference to Terminator 3 was apt: "People need machines. People take critical infrastructure for granted until it fails. Machines fail when subjected to malicious code."

  • Answering a question on poor code, he said "why is their software so shitty... because they can" [sell lousy software]. He believes big companies should band together to create a software assurance standard along the lines of the Underwriters Laboratory. He recomends the creation of a "patch management center" which offers testing of new patches to prevent redundant testing on vanilla systems throughout industry. Clarke is researching security standards for the Business Roundtable and has found 27 thus far -- too many!

  • Clarke shared stories about ELIGIBLE RECEIVER, an exercise in 1997 to test information infrastructure, particularly in the Pentagon. Although the exercise was scheduled for a week, Clarke claimed that by Tuesday the National Military Command Center was compromised and the exercise was stopped early on Wednesday. As a consequence then US Deputy Secretary of Defense John Hamre told every military service to deploy intrusion detection systems (IDS), which was one of the reasons we saw a huge surge in sensor installations in the AFCERT around that time.

  • Whereas the problems with IDS used to be not enough data on intrusions, now the mindset involves "dumping alerts into databases." In 2002 Clarke said the Internal Revenue Service and Veteran's Administration decided to pool their IDS data and mine it for trends.

  • Clarke named three IDS weaknesses: (1) insiders, who according to an upcoming Secret Service survey, are causing a "vast number" of American companies to lose money; (2) virtual private networks, which allowed a vector for a "business-to-business" customer of Bank of America to infect it with the Slammer worm; and (3) wireless, where IDS coverage is lacking.

  • He's counter 127 companies which sell IDS products, with lots of venture capital still available for security. Unfortunately, CIOs think the IDS vs. Intrusion Prevention System (IPS) debate is "silly." Furthermore, CIOs are questioning their security spending, saying "no matter what I do, I'm still owned." Why spend more money if nothing works? Clarke believes the future lies with "self-healing networks" which function regardless of compromise.



Richard Stiennon of Gartner, formerly a consultant at PriceWaterhouseCoopers, spoke as well. He was a nice enough guy but I don't think his arguments hold water, and I wasn't impressed to hear him he disabled his own laptop by installing a spyware cleaner! Here are some of his main points, either printed on his slides or spoken:


  • "Gateways and firewalls are finally plugging the holes... we are winning the arms race with hackers... the IDS is at the end of life." He "recommends delaying large investments in IDS and event management, piloting application defense and network IPS products, and locking down access control."

  • His vision of "defense in depth" includes: firewalls -> vulnerability assessment or management -> network intrusion prevention (separate from the firewall) -> host intrusion prevention -> antivirus -> security management. This vision is based on conclusions gained from "talking to users," since he doesn't have a product test lab!

  • A "deep packet (or stream) inspection firewall assembles (normalizes) packets and inspects them for compliance with a set of rules." "Rule classes" could include "attack signature, protocol anomaly, behavior, antivirus, or custom content inspection."
  • Stiennon claimed that IDS offers "mountains of data, hours of labor, heaps of alerts, false positives [and] IR nightmares," while the "security nirvana" of IPS will "drop protocol attacks, block known attacks, [and spend] less time tracking down what happened."

  • He named Cisco (who bought Okena), ISS, Enterasys, NFR, Symantec, Intrusion, Tripwire, Lancope, and Arbor Networks within the IDS market, and Tipping Point, NetScreen (via purchasing OneSecure), and Network Associates (via purchasing Intruvert and Entercept) as IPS vendors. He noted Tipping Point complained to Gartner it wasn't "getting its message out," and I found that the company declined .pdf an award nomination in the IDS category from Network Computing Magazine. That's staying on message!

  • Beyond IDS and IPS, Stiennon made interesting insights into the strenghts of content switching vendors F5, Radware, Cisco, and Blue Coat, which already does content inspection. The other vendors only need to add more security content inspection to their products to cause headaches for more traditional security vendors. On the application defense side, Stiennon mentioned Netcontinuum, Teros, Sanctum, KaVaDo, Ingrian, and Array Networks.

  • Vendors offer security event management products include GuardedNet, ArcSight, E-Security, Intellitactics, and NetForensics, the most inaptly named security company I kn ow.

  • I asked him where the "magic" comes from that makes modern firewalls perform the intrusion detection functions he says are failing. His answer was not satisfactory. Earlier he talked of Checkpoint adding INSPECT code for Snort signatures into the firewall's kernel.



Once the invited guests were done, the conference turned to papers. Some of the researchers I met were unhappy that many of the papers weren't "science" or "research," but "engineering" and "applied research." They preferred to see papers with little or no practical application. This was a new concept to me. Apparently the downturn in the tech economy has left most commercial research labs, particularly IBM Research doing less "pure research" and more "solutions to problems."


  • One of the most interesting talks was by Philip Chan of Florida Institute of Technology, titled "An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly
    Detection" (.pdf). He criticized the 1999 DARPA Intrusion Detection Evaluation Data Set. Apparently getting access to data to run through their algorithms and code is a huge problem. Dr. Chan analyzed the popular IDEVAL data to show its weaknesses and proposed some solutions.

  • Vern Paxson participating in a panel discussion on worm/virus propagation and asked "doesn't anyone read the literature?" In other words, why isn't malicious code worse? He mentioned permutation scanning, flash worms, metaserver worms, topological worms, can contagion worms as subjects for worry. He wondered if botnets were built because spammers pay for them, and pointed to a paper to be published at Worm 2003 called "Access for Sale" by S. Schecter and M. Smith.

  • Arno Wagner of the DDoSVaX project spoke about using NetFlow records for analyzing malicious code. (Incidentally, I finally found an open source NetFlow collector in the FreeBSD net ports tree -- fprobe! I've tried it with EHNT (also in the tree) and will fire up flow-tools next.)
  • The presenter of "Characterizing the Performance of Network Intrusion Detection Sensors" (.pdf), was absolutely hammered by the attendees. He was attacked for his methodology and results, particularly that the NICs he used to test Snort performance may have been the real bottleneck. Since he used a TAP to collect data I asked if he combined streams. He said he ran Snort against only one output. Since most real-world deployments care about both sides of the conversation, his choice wasn't realisitc.

  • The paper "Using Decision
    Trees to Improve Signature-based Intrusion Detection" (.ps) introduced me to Snort NG, which claims better performance than Snort 2.0 using the Snort 1.x code as a base.

  • After the talks I spoke with Brian Hernacki of Symantec, who told me about ManHunt's ability to work with a switch to change the SPAN port it monitors. This idea of sampling traffic is a great one.


Well, that's my RAID wrap-up. I don't intend to return again, but I do plan to check the future programs and read the papers that interest me.

Update: 5th Anniversary of "FloodNet"

Five years ago today Wired reported on FloodNet. It was an attempt by a group called the Electronic Disturbance Theater to overwhelm Web sites, among them the Pentagon. It's significant because, according to the Wired article, the Pentagon took countermeasures:

"Participants in the FloodNet protest needed only to load the FloodNet Web page. The page contained a Java applet configured to request and load the three target Web sites every three seconds. The Electronic Disturbance Theater estimated that up to 10,000 people took part in the demonstration, delivering 600,000 hits to each of the three Web sites per minute.

The automated rapid-fire requests are designed to overwhelm the target Web sites so they cannot be viewed by their intended audience, known as a 'denial of service' attack.

The Pentagon's Web-site support team apparently struck back with a Java applet of its own. That applet sensed requests from the FloodNet servers, and loaded -- and reloaded -- an empty browser window on the attacker's desktop. The move forced the protesters to reboot their computers."