Published on 18 March, 2013
|Dr. Ullrich points to various techniques such as netflow analysis as useful skills that can help detect intrusion
As network speeds increase with new technologies and demand, real time packet inspection is simply not sufficient to deal with cyber-attacks. According to Dr. Johannes Ullrich, Dean of Research and a faculty member of the SANS Technology Institute, “Faster networks are making it harder for intrusion detection techniques to keep up with the threats. Instead organisations need to turn to a wider set of data gathering techniques to be able to spot attackers.”
Ullrich points to techniques such as netflow analysis and the correlation of intrusion detection alerts with other logs, like for example the inspection of DNS logs, as useful skills that can help detect intrusion. “These are two areas where we have expanded in the SEC503: Intrusion Detection In-Depth course and both can help to offset the limitations of real-time deep packet inspections,” he adds.
Although the most common attack vector is still the opening of attachments and links to infected sites that trigger “zero day attacks”, Dr. Ullrich also points to proliferation of mobile devices as a smaller yet growing threat. “Apple IOS is better at stopping these threats as its devices are more closed but Android is a real challenge and we are seeing malware, especially those attacking two-factor authentication systems, used in mobile banking applications.”
The expert also points to the cellular networks providing an alternate method for attackers to avoid traditional network firewalls and IPS systems by attacking mobile clients and then “piggy backing” into the enterprise environment. “These attacks are still rare but the difficulty in looking into these cellular networks and mobile devices combined with an inability to set up device level firewalls or inspection tools makes the situation a longer term risk.”
This piggyback issue also relates to counter intelligence, another area where intrusion detection technology is becoming useful. This includes the ability to detect if communication has been tampered with or intercepted by a third party. “Detecting Interception of communication either by the state or cyber criminals is an area that we explore in the course and it also neatly intersects with the SEC 566: Implementing and Auditing the Twenty Critical Security Controls - In-Depth course that is also running at SANS Abu Dhabi 2013.”
Dr. Ullrich points out that once implemented, the 20 critical security controls can offer a marked improvement in network security but that without intrusion detection skills, it is difficult to make sure that controls are working correctly. “The SEC503 course teaches a lot of process including setting up tools, developing architecture and how to tune your sensors,” he explains, “but beyond that, we teach more advanced skills and also look at what threats are on the horizon and how to spot these new trends as they start to move from theoretical to prevalent.”
Dr. Ullrich is chief research officer for the SANS Institute and is currently responsible for the GIAC Gold program. Johannes started the DShield.org project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognised. In 2004, Network World named him one of the 50 most powerful people in the networking industry.
SANS Institute’s professor highlights ways to improve intrusion detection