Detecting Intrusions (Theoretically)

How do you know when you’ve been attacked successfully? That question has been posed by administrators and intrusion analysts for a long time. The methods used for detecting successful attacks used to be more art than science. Luckily, various tools are now available to make intrusion detection much more science than art.
With that said, the primary tool for intrusion detection still remains a human who can gather data from a number of sources and make an intelligent, educated decision about the meaning of the data. The current tools are sophisticated and can perform some of this correlation themselves, but the true worth of an intrusion analyst is proven in their ability to assess the situation and present likely causes and effects.

With or without tools, determining whether there has been a successful attack is left to the intrusion analyst. At some level, detection of intrusions is only assisted by the tools rather than driven by them. It’s still up to a person to correlate the data. Many times, detection of an attack occurs when a service outage is reported. For this reason, it’s important to actively monitor your services using a package such as Nagios. By actively monitoring as many services as possible, you can quickly spot an anomaly that warrants further investigation. If you run a web server, rather than monitoring merely whether the server is listening (usually on TCP port 80), you should monitor for specific text on one or more web pages. If you monitor only the state of the server and whether it’s listening, you won’t catch a defacement of the website. In essence, you should monitor the behavior of the specific services to ensure that they are running as expected, rather than merely making sure that they are running.
It’s also important to monitor resources such as disk space, memory usage, and load average. Monitoring these resources can indicate whether a process has run away and is consuming too many resources (as might be the case with a poorly written exploit). Disk space deserves particular attention: if you normally consume 25% of the disk and its usage suddenly jumps to 85%, you’ll want to investigate whether an attacker is using the server as a drop point for files.
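As an added illustration of the two checks just described, a page-content check and a disk-usage threshold, here is a small script in the Nagios plugin style (example code, not from the original text). The sample page, marker strings and the 70%/85% thresholds are constructed for the example.

```python
"""Nagios-plugin-style checks (added example, not from the page).
Convention: exit 0=OK, 1=WARNING, 2=CRITICAL, 3=UNKNOWN, one status line,
optional '|' performance data. Decisions are pure functions so they can be
exercised without a live web server or a full disk."""
import shutil
import sys
import urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
# Constructed sample page for the self-test; not a real site.
SAMPLE_PAGE = "<html><title>Example Corp</title><body>Welcome home</body></html>"

def check_page_content(body, markers):
    """Require every marker string in the page body: a listening port
    says nothing about a defacement, the expected text does."""
    missing = [m for m in markers if m not in body]
    if missing:
        return CRITICAL, "CRITICAL - page missing expected text: %s" % missing
    return OK, "OK - all %d expected markers present" % len(markers)

def check_disk_usage(used_pct, warn=70.0, crit=85.0):
    """Classify used percentage against thresholds; the perfdata after '|'
    lets the monitor graph the trend so a jump from 25% to 85% stands out."""
    perf = "| used=%.1f%%;%s;%s" % (used_pct, warn, crit)
    if used_pct >= crit:
        return CRITICAL, "CRITICAL - disk %.1f%% used %s" % (used_pct, perf)
    if used_pct >= warn:
        return WARNING, "WARNING - disk %.1f%% used %s" % (used_pct, perf)
    return OK, "OK - disk %.1f%% used %s" % (used_pct, perf)

def main(argv):
    """CLI: 'page URL MARKER [MARKER...]' or 'disk PATH [WARN CRIT]'."""
    try:
        if argv[1:2] == ["page"] and len(argv) >= 4:
            with urllib.request.urlopen(argv[2], timeout=10) as resp:
                body = resp.read().decode("utf-8", "replace")
            code, msg = check_page_content(body, argv[3:])
        elif argv[1:2] == ["disk"] and len(argv) >= 3:
            total, used, _free = shutil.disk_usage(argv[2])
            code, msg = check_disk_usage(100.0 * used / total, *map(float, argv[3:5]))
        else:
            code, msg = UNKNOWN, "UNKNOWN - usage: page URL MARKER... | disk PATH [WARN CRIT]"
    except Exception as exc:  # an unreachable server is a finding, not a crash
        code, msg = CRITICAL, "CRITICAL - check failed: %s" % exc
    print(msg)
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Registered as a Nagios command, the `page` form catches a defacement that a plain port check would miss, and the `disk` form turns the 25%-to-85% jump into an alert with graphable performance data.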
Basic service monitoring, performed as much as you can, as often as you can, will help provide an early warning of anomalies. Monitoring services will also help improve the reliability of the services, all security considerations aside. Monitoring should not, however, replace intrusion detection tools such as Snort, nor should it replace a good security policy implemented through an in-depth strategy.
After an anomaly has been noted, whether through normal service monitoring or through another means, it’s up to you to investigate the anomaly. Your investigation should conform to the security policy you have in place. One of the first responses would likely be to determine whether an intrusion has actually taken place. There could be many reasons why the load average just spiked or why the disk usage has increased, so you shouldn’t assume that an attack has happened merely because of an outage alert.
Determining the root cause of a service outage is a difficult task that usually ends in a service being restarted or some similar routine procedure being performed to clear up the outage. However, it’s important to look for underlying causes of such outages to ensure that an attack isn’t underway or that an attack hasn’t already occurred. It is in this area, event correlation, where a human is most necessary. For example, did the disk partition just run out of space because an attacker is using the space or because the log files filled up the partition?