If Hackers Sidestep Your Front Door, Who's Watching Your Back?
Port 80 is locked down. No more false alarms at 2:00 a.m.
Thanks to a well-configured firewall, you're stopping 80% of the causes of network breaches -- but despite your precautions, your Web server was brought to its knees today by a worm and the latest buffer overflow attack.
What happened? And what now?
The problem is not with your firewall or your network intrusion prevention system. These network-level security devices are designed for perimeter protection, and by definition they cannot stop attacks that originate inside your network.
Back-door attacks -- those originating inside the network -- are triggered by roaming laptops, traveling floppy disks, independent contractors who unwittingly infect your network, and dial-up connections. Worms and other exploits are unleashed when the infected component reconnects to your corporate network. A layer of security at the host level is your best protection against attacks like these: attacks that sidestep the front door.
What is host-based intrusion prevention?
A host-based intrusion prevention system (HIPS) is a layer of security that augments, but does not replace, firewalls, anti-virus software, and network-based intrusion prevention systems (NIPS). HIPS stops attacks that other protection layers did not see, did not recognize, or were not in a position to stop.
From a user's perspective, HIPS software acts somewhat like anti-virus software, with an important difference: HIPS watches the kernel at the heart of the operating system, while anti-virus protection watches email.
HIPS inserts itself between software applications and the kernel and focuses on behavior rather than attack activity. When an application makes a request to the kernel, HIPS determines whether the request is legitimate. If not -- if the Web server is attempting to launch a command shell, for example -- HIPS recognizes and neutralizes the threat.
Host-based intrusion prevention does not stop specific attacks. It stops specific damage. NIMDA devastation, for example, is caused when the worm successfully opens a command shell to inflict damage. With HIPS in place, the attack is harmless.
The life and death of a hack attack
Computer attacks move through a predictable life cycle, and the best security strategy is to stop events after they're judged malicious and before they cause damage. A layered approach is the only effective defense against varied breaches at the perimeter level, the server level and the file level.
The five stages of an Internet attack cycle are probing, penetrating, persisting, propagating and paralyzing.
The first two stages -- probe and penetrate -- are moving targets, with attackers constantly changing tactics to avoid detection. Anti-virus software, firewalls and NIPS are the security weapons of choice against these early-stage attacks.
HIPS addresses the latter three stages of the cycle: persist, propagate, and paralyze. Unlike the constantly mutating attacks of the first two stages, malicious activities at this point are stable and limited: modifying the operating system, adding a new user account, opening an outgoing network connection, or deleting files, for example. HIPS analyzes the behavior used to attack networks at this stage, interceding instantly when an aberration occurs.
Step one: probing
Scanning the network for vulnerabilities. You need a properly configured firewall to protect against sweeping probes, which are also called network scans or port scans. Highly automated, probes are the hacker's equivalent of gathering intelligence. What are you running on your network? Where are your software vulnerabilities? What's the easiest way into your network? Ping addresses and systematic guesses about passwords and mail users are typical probing tools.
Step two: penetrating
Getting exploit code onto the victim machine. Mail attachments, buffer overflows, ActiveX controls, network installs and compressed messages are effective penetration devices against an improperly secured network. Stopping attacks at this stage calls for a signature-based security layer (NIPS). SecureWorks NIPS filters malicious traffic at the packet level, which is crucial for effective protection.
(Note: Maintenance problems created by traditional intrusion detection methods -- floods of false-positive alerts, the inability to recognize some types of attacks, and the continual need for signature updates -- can swamp an IT staff. Outsourcing HIPS and NIPS security management to SecureWorks is virtually always less expensive and more effective than handling the job in-house.)
Step three: persisting
Making sure the exploit code sticks to the victim. The attacker's goal here is to ensure the code will be running and available even if the target system reboots. Hackers accomplish this by creating new files, modifying existing files, weakening registry security settings, installing new services and registering trap doors.
At this stage the attacker is attempting to take up permanent residence on your network. For systems without a layered security blanket, this is when the danger signs first become visible: an unauthorized entity is modifying your system. HIPS recognizes these attempts to tamper with files, settings and configurations and neutralizes them instantly.
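As an added example (not SecureWorks code or any product's implementation), the following toy Python policy judges constructed host events the way the article describes HIPS working: a Web server process spawning a command shell, or an unexpected process writing to a persistence location such as a Run key or service entry, is denied regardless of which exploit produced the request. Process names, paths and the sample events are assumed values chosen for illustration.

```python
"""Toy behaviour-based host policy (added example, not a real HIPS product).

Instead of matching attack signatures, each kernel-level request is judged by
who is asking and what it would change. All names and events are constructed.
"""
from dataclasses import dataclass

# Processes that handle untrusted network input (assumed sample names).
EXPOSED_SERVICES = {"inetinfo.exe", "w3wp.exe", "httpd"}
SHELLS = {"cmd.exe", "sh", "bash", "powershell.exe"}
# Processes allowed to touch persistence locations (assumed installers/admin tools).
TRUSTED_INSTALLERS = {"services.exe", "msiexec.exe", "apt", "systemd"}
# "Persist" stage targets: run keys, service entries, init and cron directories.
PERSISTENCE_PATHS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\system\currentcontrolset\services",
    "/etc/init.d/",
    "/etc/cron",
)

@dataclass
class Event:
    process: str   # image name of the requesting process
    action: str    # "exec", "write", "reg_set" or "connect"
    target: str    # child image, file path, registry key or remote address

def basename(path: str) -> str:
    """Last path component, accepting either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def evaluate(event: Event) -> tuple[str, str]:
    """Return ("deny" | "allow", reason) for one request, using behaviour rules only."""
    proc, target = event.process.lower(), event.target.lower()
    if event.action == "exec" and proc in EXPOSED_SERVICES and basename(target) in SHELLS:
        return "deny", f"{event.process} tried to launch shell {event.target}"
    if event.action in ("write", "reg_set") and any(target.startswith(p) for p in PERSISTENCE_PATHS):
        if proc not in TRUSTED_INSTALLERS:
            return "deny", f"{event.process} modified persistence location {event.target}"
    if event.action == "connect" and proc in EXPOSED_SERVICES:
        return "deny", f"{event.process} opened an outbound connection to {event.target}"
    return "allow", "no policy rule matched"

def run_policy(events: list[Event]) -> list[str]:
    """Verdict per event, in order; handy for a quick dry run over a log."""
    return [evaluate(e)[0] for e in events]

# Constructed sample events: a NIMDA-style shell spawn, a normal content write,
# a Run-key change by a desktop process, a legitimate service change, and an
# IRC-style outbound connection from the Web server.
SAMPLE_EVENTS = [
    Event("inetinfo.exe", "exec", r"C:\WINNT\system32\cmd.exe"),
    Event("inetinfo.exe", "write", r"C:\inetpub\wwwroot\default.htm"),
    Event("explorer.exe", "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("services.exe", "reg_set", r"HKLM\System\CurrentControlSet\Services\Spooler\Start"),
    Event("httpd", "connect", "203.0.113.7:6667"),
]
```

Running `run_policy(SAMPLE_EVENTS)` yields deny, allow, deny, allow, deny: the two legitimate requests pass while the three persist-stage behaviours are blocked without any knowledge of the exploit that caused them.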
Step four: propagating
Like biological viruses, computer attacks usually propagate themselves. The invader automatically looks for vulnerable neighboring machines to attack. This is done by emailing the attack to every contact name in Outlook, for example, or hacking the next victim machine through FTP, IRC or Web connections. Infected file shares are notorious attack propagators.
Step five: paralyzing
The paralysis stage causes permanent damage. This is every IT manager's nightmare. Computers crash; the system becomes riddled with security holes; data is corrupted, destroyed, or sent to the attacker; and users experience wholesale denial of service (DoS). The best defense is a network protected by multiple security layers, properly managed, and monitored around the clock.
Why add host-based intrusion prevention if you already have network intrusion prevention?
Here are a few ways attacks may find their way to your servers and workstations, despite the best network security. Host-based intrusion prevention isn't about replacing network-based systems; it's about filling in the gaps.
Encrypted connections such as VPN or secure Web sites pass through perimeter security before decryption. Finding attacks is impossible until the traffic is decrypted. Host-based intrusion prevention systems (HIPS) run at the host, analyzing decrypted traffic.
Buffer overflows are really hard to catch at your network's perimeter. That's because finding them requires knowledge of the application they're attacking. Host-based systems are better suited to finding buffer overflows.
Infected floppies, Zip disks, and even CD-ROMs can contain self-propagating worms. Network-level security isn't in a position to stop these nasties until they try to leave your network. Host-based security, on the other hand, is in a prime position to stop nasties before they do any damage. Think of it as anti-bacterial soap for your computers.
Mobile computers that come and go from your network are highly risky. There's no guarantee they didn't pick up a nasty infection while outside the safe harbor of your network. Mobile computers are like huge floppy disks, so the same rules as for infected floppies apply (see above).
Managed HIPS: hands-off peace of mind
HIPS defense is not a set-it-and-forget-it proposition. Staffing and managing an around-the-clock Internet security operation is out of reach for most companies. Outsourcing to SecureWorks makes sense both technically and financially. The service is up within two working days and requires no capital outlay or added staff. Equally important, it makes true layered intrusion detection and prevention affordable for firms of all sizes.