US Cyberwar Tactics over Relying on IDS?

Richard Stiennon recently published a very interesting article about the weapons the US is deploying to fight cyber war. Richard is the founder and Chief Research Analyst at IT-Harvest and the author of the recently released book “Surviving Cyber War”.

According to Richard, the US is relying on 15-year-old technology to defend itself. The much vaunted “Einstein” project may not be the right choice to secure our digital borders. Yes, future versions supposedly will have automatic defense capabilities, but currently the technology still relies on intrusion detection.

IDS is a technology invented over 15 years ago. It is signature based, which means it relies on a massive collection of snippets of text and code that researchers have discovered over the years to be associated with unwanted network traffic, be it worms, port scans, or intrusions. Because the original IDS deployments were just passive data collectors, adding new signatures had no impact on network performance, so the database grew and grew, and the logs the IDS generated grew and grew, to the point where even a mid-size organization would receive millions of alerts a day.

Herein lies the problem. The Einstein system, or any signature-based detection system, has to filter through massive amounts of packets to look for suspicious activity. In this huge river of data you have legitimate user traffic, normal system communications, and transactions, along with the malicious traffic. Analyzing this data yields a large number of false positive alerts along with the real threats. Human analysts are required to sift through the alerts and try to distinguish the false alarms from the foreign national hacker with nefarious intentions. According to Richard:

The only tool in DHS’s chest is a monitoring tool. Millions of alerts have to be filtered down. The continuous port scans, the worm traffic, the DDoS attacks, have to be winnowed down to something actionable. And even if that were possible, attacks such as those seen by Google, the Dalai Lama’s office, and the Pentagon, would still be effective… Einstein is a waste of money and a distraction. Other than generating huge reports that highlight the levels of attacks targeting DHS it will do nothing to protect DHS networks.

It looks like the US may need to look in a new direction to defend government systems. But if signature-based intrusion detection is out, what do you replace it with?
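To make the alert-flood argument concrete, here is an added example (not from the article or from Einstein): a toy signature matcher run over a constructed traffic log, followed by the winnowing step an analyst needs. The signatures, addresses and payloads are all made up for illustration.

```python
import re
from collections import Counter

# Constructed, hypothetical signatures (name -> regex over a payload excerpt).
# They stand in for the "snippets of text and code" a real IDS database holds;
# none of these is an actual IDS rule.
SIGNATURES = {
    "worm-probe":     re.compile(r"GET /[a-z]+\.exe"),
    "cmd-shell-http": re.compile(r"cmd\.exe"),
    "sql-tautology":  re.compile(r"'\s*or\s*1=1", re.I),
}

# Constructed traffic log: (source address, destination port, payload excerpt).
# The 10.1.1.20 record is a benign wiki edit that merely mentions cmd.exe, so
# the signature fires on it exactly as it does on the probe: a false positive.
TRAFFIC = [
    ("203.0.113.7", 80, "GET /root.exe HTTP/1.0"),
    ("203.0.113.7", 80, "GET /cmd.exe HTTP/1.0"),
    ("203.0.113.7", 80, "GET /root.exe HTTP/1.0"),
    ("198.51.100.9", 8080, "POST /login user=a&pass=' OR 1=1 --"),
    ("10.1.1.20", 443, "PUT /wiki/Shell body=Use cmd.exe to open a prompt"),
    ("10.1.1.21", 80, "GET /index.html HTTP/1.1"),
] + [("203.0.113.7", 80, "GET /root.exe HTTP/1.0")] * 20  # one noisy worm host


def raw_alerts(traffic):
    """Classic signature matching: one alert per (record, signature) hit.
    Every repeat of the same probe becomes another line in the alert log."""
    alerts = []
    for src, dport, payload in traffic:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((name, src, dport))
    return alerts


def winnow(alerts):
    """Collapse the flood into (signature, source) summaries with hit counts,
    most frequent first, so an analyst triages a few lines instead of every
    alert. The false positive survives: no signature can tell it apart."""
    counts = Counter((name, src) for name, src, _ in alerts)
    return sorted(counts.items(), key=lambda item: -item[1])


if __name__ == "__main__":
    hits = raw_alerts(TRAFFIC)
    print(len(hits), "raw alerts from", len(TRAFFIC), "records")
    for (name, src), n in winnow(hits):
        print(f"{n:4d}  {name:15s} {src}")
```

Twenty-six records of input become four summary lines, and the wiki edit from 10.1.1.20 still sits among them for a human to check.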

4 thoughts on “US Cyberwar Tactics over Relying on IDS?”

  1. UPDATE:
    Dr. Prescott B. Winter, CTO of Arcsight, former Associate Deputy Director of National Intelligence for Information Integration for the National Security Agency and prior CIO and CTO of the NSA, posted an article today on in response to Mr. Stiennon’s article.

    “The advantage of Einstein 3 is that it connects to intelligence sources to provide better insight as to what to look for–a richer list of signatures. The White House recently stated that, “DHS will be able to adapt threat signatures determined by NSA in the course of its foreign intelligence and DoD information assurance missions for use in the EINSTEIN 3 system in support of DHS’s federal system security mission.””

    Dr. Winter does compare Einstein to a Maginot line though. And believes that even though threats will be blocked, some will get through. “Better security comes however,” Dr. Winter says, “from a risk-management approach, namely Enterprise Threat and Risk Management, in which one assumes the adversary will get in.” And that their actions can be detected through correlation without using signatures.

    Dr. Winter’s company, Arcsight, is offering a seminar today on “Hacking the Odds – Gaining a “House Advantage” Over Modern Threats” at 1pm EST. This could prove to be most interesting indeed.

  2. Interesting.

    Manning an intrusion detection system is always a problem. It’s like air traffic control, only worse, because you have to analyze all the alarms, which can eat up time and resources.

    Correlation without signatures is also an issue. It’s easier to monitor servers that have specific connectivity profiles, but it’s not perfect and there may be a few ways to avoid detection depending on what type of applications are running. Once you get to the desktop, network detection is really based on the hacker’s command and control channel. If a hacker is loud and noisy (i.e. uncommon ports, not RFC compliant or doesn’t know how to balance uploads with downloads), then it’s easy to catch him. If a hacker knows what he is doing (i.e. common ports, RFC compliant and knows how to balance uploads with downloads), he won’t be that easy to catch.

    It’s going to be fun watching these guys figure all of this out. We’ll see what type of meetings they’re having a year from now. 😉
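An added example, mine rather than the commenter's, that scores constructed flow records on the three traits the comment above names (uncommon port, RFC non-compliance, lopsided upload volume). The hosts, byte counts, threshold and the `conforms` flag are assumptions; the point is that the "quiet" flow scores zero, which is exactly the blind spot the comment describes.

```python
# Constructed flow summaries: (internal host, remote port, bytes out, bytes in,
# conforms). "conforms" stands in for a sensor's protocol check, e.g. "does
# this port-443 stream actually parse as TLS?". No real hosts or rules.
FLOWS = [
    ("10.1.1.30", 4444, 48_000, 300, False),  # loud: odd port, upload-heavy, not TLS
    ("10.1.1.31", 443, 3_900, 4_100, True),   # quiet: indistinguishable from browsing
    ("10.1.1.32", 80, 1_200, 95_000, True),   # ordinary download
    ("10.1.1.33", 443, 70_000, 2_000, True),  # common port, valid TLS, but upload-heavy
]

COMMON_PORTS = {25, 53, 80, 443}
UPLOAD_RATIO = 5.0  # assumed threshold: out/in above this counts as lopsided


def suspicion(flow):
    """Score one flow on the three traits the comment lists.
    Returns (score, reasons); score 0 means this heuristic sees nothing."""
    _, port, out_bytes, in_bytes, conforms = flow
    reasons = []
    if port not in COMMON_PORTS:
        reasons.append("uncommon-port")
    if not conforms:
        reasons.append("not-rfc-compliant")
    if out_bytes > UPLOAD_RATIO * max(in_bytes, 1):
        reasons.append("upload-heavy")
    return len(reasons), reasons


def rank_hosts(flows):
    """Keep the highest-scoring flow per internal host, worst first, so the
    analyst starts with the loud ones. Hosts at 0 need a different signal."""
    best = {}
    for flow in flows:
        score, reasons = suspicion(flow)
        host = flow[0]
        if score > best.get(host, (-1, []))[0]:
            best[host] = (score, reasons)
    return sorted(best.items(), key=lambda item: -item[1][0])


if __name__ == "__main__":
    for host, (score, reasons) in rank_hosts(FLOWS):
        print(f"{host:12s} score={score} {', '.join(reasons) or 'nothing flagged'}")
```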

