Task 10.5: Implementing a Host-Based Intrusion Detection System

A common security practice is to implement monitoring devices or applications on the network and on critical systems to identify, alert, and sometimes block undesirable traffic, activities, and attempted access. Intrusion detection systems (IDSs) monitor, analyze, and log traffic watching for attacks. If an attack is detected, the IDS will alert administrators of the perceived attack, requiring human reaction and intervention.

Intrusion prevention systems (IPSs) are an extension of the IDS. Like IDSs, IPSs monitor, analyze, and log traffic watching for attacks. If an attack is detected, the IPS will alert administrators of the perceived attack and will take automatic and programmed action in an attempt to block the traffic and/or deny the unauthorized access. The objective of the IPS is to protect the information-systems environment without requiring human reaction and intervention.

Always configure the IPS to react to systems you manage and maintain. Counterattacking the attacker is generally discouraged. A counterattack, while tempting, is generally considered unethical and unprofessional and could result in your company being held liable for damages to the attacker—for attacking them! The perceived attack by the IPS might have been a misconfiguration, a malfunctioning device, or a simple accident by an innocent user.

The automatic protective actions that an IPS can perform include the following:

  • Adding a new “block rule” on a firewall to disallow traffic from an attacking source IP address
  • Sending spoofed TCP Reset frames, appearing to come from the attacker, to the internal and friendly victim to keep it from establishing a session with the attacker
  • Sending 802.11 deauthentication frames to wireless clients (“friendlies”) to keep them disconnected from a rogue access point

The terms IDS and IPS are often used interchangeably, but there are significant differences in the level of protection these two different systems can provide. For the remainder of this task, we will refer to these two types of systems collectively as IDSs.

These devices remain active 24/7 and diligently monitor and inspect all traffic. These devices typically utilize two types of analysis engines:

Knowledge-Based: The purpose is to detect known attacks. This engine compares actual traffic to a collection of known and therefore recognizable attack signatures or undesirable protocols to identify attacks. This engine requires frequent definition updates to keep current with new attack signatures.

Behavior-Based: The purpose is to detect new, unknown attacks. This engine maintains a statistical overview of the normal operations, demands, resource consumption, and so forth of the monitored system by monitoring actual use. If these statistical values for use deviate significantly from the established “normal” levels, the behavior-based engine reacts to the anomaly. The items that are watched and the level of deviation from the learned, normal use that causes a triggered event are typically configurable. This engine may also detect malicious actions performed by applications, such as deleting files or attempting to reconfigure system settings.
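As an added illustration (not code from the original task or from Microsoft), the following Python model pairs a knowledge-based engine (file-hash signature lookup) with a behavior-based engine (deviation from a learned activity baseline), and shows the IDS-versus-IPS distinction through a flag modelled on the Apply Recommended Actions setting covered later in the procedure. The signatures, the baseline, and the alert-level-to-action mapping are constructed values, not the product's definitions or defaults.

```python
"""Toy host-based IDS/IPS: a knowledge-based (signature) engine plus a
behavior-based (anomaly) engine. Constructed values; not MSE's internals."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Knowledge-based engine data: constructed file-hash signatures with an
# alert level, standing in for the vendor's malware definitions.
SIGNATURES = {
    "sha256:0000constructed-dropper": "Severe",
    "sha256:0000constructed-adware": "Low",
}
# Default action per alert level, configurable like the Default Actions page.
# Constructed mapping, not the product's shipped defaults.
DEFAULT_ACTIONS = {"Severe": "remove", "High": "quarantine",
                   "Medium": "quarantine", "Low": "allow"}


@dataclass
class HostEngine:
    # True behaves as a HIPS (acts automatically); False as a HIDS (alert only),
    # mirroring the Apply Recommended Actions check box.
    apply_recommended_actions: bool = True
    threshold: float = 3.0                        # tolerated standard deviations
    baseline: list = field(default_factory=list)  # learned file writes per hour
    events: list = field(default_factory=list)    # (level, detail, action) log

    def _respond(self, level, detail):
        action = DEFAULT_ACTIONS[level] if self.apply_recommended_actions else "alert"
        self.events.append((level, detail, action))
        return action

    def learn(self, writes_per_hour):
        """Behavior-based engine: record normal activity during a training window."""
        self.baseline.extend(writes_per_hour)

    def check_file(self, path, digest):
        """Knowledge-based engine: match a file hash against known signatures."""
        level = SIGNATURES.get(digest)
        return self._respond(level, path) if level else "clean"

    def check_behavior(self, process, writes_per_hour):
        """Behavior-based engine: flag activity far outside the learned baseline."""
        if len(self.baseline) < 2:
            raise ValueError("baseline not learned yet")
        mu, sigma = mean(self.baseline), pstdev(self.baseline)
        if sigma == 0:  # flat baseline: any change at all is a deviation
            z = 0.0 if writes_per_hour == mu else float("inf")
        else:
            z = abs(writes_per_hour - mu) / sigma
        if z > self.threshold:
            return self._respond("High", f"{process}: {writes_per_hour} writes/h")
        return "normal"
```

Setting `apply_recommended_actions=False` turns every detection into a plain alert, which is exactly the HIPS-to-HIDS switch the task describes.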

IDSs can be configured to monitor the network, called a network-based IDS, or NIDS. IDSs can be configured to monitor a single, critical system, called a host-based IDS, or HIDS. In this exercise, you will install a host-based antivirus and IDS tool on your local computer to monitor for potential malicious activities on the system.

Microsoft has provided several free and relatively easy-to-use HIDS tools for consumers. Microsoft’s Windows Defender program monitors for spyware and malicious activities on a system. This program was followed by the Windows Live OneCare program, which has evolved into a host-protection system that includes antivirus features in Microsoft’s Security Essentials.

See Windows Defender and Microsoft Security Essentials at

www.microsoft.com/windows/products/winfamily/defender/software.mspx

www.microsoft.com/en-us/security_essentials/default.aspx

For more than 10 systems, Microsoft provides commercial-grade protection (for a fee) in their Microsoft Forefront Endpoint Protection product. See Microsoft Forefront Endpoint Protection at

http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx

Scenario

You are preparing a report on computer security for management. To complete the required research, you must visit some potentially hazardous websites on the Internet and you are concerned about protecting the system from malware that may be injected onto your system. Whenever this occurs, you want the computer to quarantine any processes that may be malicious.

Scope of Task

Duration

This task should take 25 minutes.

Setup

You will download and install a free antivirus/HIDS application.

In the exercise, the Windows 7 operating system has User Account Control (UAC) disabled. If your system does not have UAC disabled, you will be prompted for administrator approval during numerous steps.

Caveat

The antivirus, IDS, and IPS application used in this exercise does not provide 100 percent of the security required to protect networks or systems. It is an important part of the security structure, but must be layered within many additional security systems and procedures, including policies, user training, operating system and application patching, strong authentication, strict permissions, auditing, encryption, and firewalls.

The application you will install in this exercise cannot be installed on a system that already has an antivirus program running. You must uninstall any existing antivirus applications before beginning the exercise.

Procedure

You will download and install a security application that includes antivirus and a host-based IDS, Microsoft’s free and relatively new Microsoft Security Essentials (MSE). MSE quarantines or deletes applications that are detected containing known malware or that demonstrate potentially malicious behavior. Since MSE triggers a protective response when malware or malicious behavior is detected, MSE falls into the category of host-based intrusion prevention systems (HIPSs).

Equipment Used

For this task, you must have:

  • Windows 7 system (with no antivirus software installed)
  • Administrator access
  • Internet access

Details

Download and Install the Security Application

1. Log on to the Windows 7 system as the Administrator.

2. Launch Internet Explorer.

3. In the address field, type the URL http://www.microsoft.com/security_essentials/ and press Enter.

4. Review the details of Microsoft Security Essentials. Click on the Download Now link to download the application.

5. Save the application to your desktop.

6. Launch the downloaded setup application.

7. Click Next at the Welcome screen.

8. Feel free to review the terms of licensing. Click I Accept on the Software License Terms page.

9. On the Customer Experience Improvement Program page, select the “I do not want to join the program at this time” option and click Next.

10. On the Optimize Security screen, enable the Turn Firewall On check box (enabled by default) and click Next.

11. Review the warning regarding the dangers of running multiple antivirus programs on a single system, and click Install.

12. Save any open files and close any open applications. On the Completing the Microsoft Security Essentials Installation Wizard screen, click Restart Now to reboot the computer.

Using the Security Application

1. After the reboot has completed, log on as the Administrator.

2. Notice that Microsoft Security Essentials automatically launches and downloads the latest malware updates, and then proceeds with performing a Quick scan of the system.

3. Review the scan summary when the Quick scan completes. Notice that you can perform a Quick scan, which scans the commonly infected file types and locations; a Full scan, which scans all files on the system; or a Custom scan, which allows you to target areas of concern, such as a directory where you store downloaded files.

4. Click the Update tab. Observe the Definitions Created On and Definitions Last Checked dates. Also notice that you can manually trigger a definitions update by clicking the Update button.

5. Click the History tab. Observe the three filters to view selected, quarantined, or deleted malware that has been detected on the system. Also notice that you can purge the history by clicking the Delete History button.

6. Click the Settings tab. Notice the left pane where eight different sets of settings can be selected. The initial focus is on the Scheduled Scan settings. Review the options available for the scheduled scans, including the scan type, when to perform the scan, whether you want to update definitions before the scan and whether to start the scan only if the system is not in use, and a limit of CPU usage for the scan to allow other processes reasonable functionality during the scan. Choose a scan time when the system will be powered on but not in a critical function or use time, since the scanning process will degrade the system’s performance.

Optional activity: Feel free to schedule the automatic scan for the immediate future to observe its firing.

7. In the left pane, click Default Actions. Notice the four levels of alerts, indicating the severity of the perceived threat to the system: Severe, High, Medium, and Low. Review the actions and alert levels by clicking on the “What are actions and alert levels?” link.

To convert the HIPS into an HIDS by disabling the automatic, protective functions, you could clear the Apply Recommended Actions check box.

8. In the left pane, click Real-Time Protection. Learn more about real-time monitoring by clicking the Tell Me More link. Review the options on the Settings tab, which include scanning all downloads, monitoring file and program activity, monitoring behavioral patterns, and monitoring for network-based exploit attempts.

9. In the left pane, click Excluded Files And Locations. To keep MSE from scanning specified, known good files and locations, add those files and locations to this dialog box. It is not uncommon for a security professional to keep and use (for white-hat purposes) a collection of known hacker tools that would be quarantined or deleted by MSE. This feature allows you to keep these otherwise-malicious tools intact.

10. In the left pane, click Excluded File Types. Use this dialog box as well to keep MSE from scanning specified, known good file types.

11. In the left pane, click Excluded Processes. A process is a subset of an application. Use this dialog box to keep MSE from scanning specified, known good applications that may contain inaccurately detected malicious processes.

12. In the left pane, click Advanced. Review the optional settings available.

13. In the left pane, click Microsoft SpyNet. Here, you can select to not join Microsoft SpyNet or to join with a Basic or Advanced membership. The Basic membership assures anonymity of the user, but sends some technical details of system use back to Microsoft SpyNet. The Advanced membership potentially identifies the user and some of their computer and Internet use details. Feel free to review the Microsoft SpyNet privacy statement by clicking on the link at the bottom of the scrolling window.

Criteria for Completion

You have completed this task when you have installed and configured the host-based intrusion prevention system, Microsoft Security Essentials.
