It’s been over a decade since I’ve worked directly for an IDS/IPS company and in one of my (few) moments of boredom I pondered why IDS and AV have such a sullied reputation. If I ask anyone “what’s wrong with IDS or AV” I inevitably get the same basic answer: They are signature based solutions and that’s antiquated technology.
I think everyone’s forgetting just how valuable good signatures can be to a security team. The problem is most likely exacerbated by what appears to be a decline in writing rock-solid signatures.
Signature-based detection is often equated with pattern matching, but the simple fact is that everything is matching some type of pattern, whether an explicit pattern like “abc” or a deviation from an established pattern of activity. Even anomaly-based detection relies on establishing a known pattern of activity and then looking for deviations from that pattern (remember my example of anomaly-based detection, where Inspector Harry Callahan in Sudden Impact realizes the coffee he has ordered black for ten years is suddenly full of sugar?).
As I was familiarizing myself with the Emerging Threats Ruleset of signatures, I went looking for an old friend, the SQL Slammer Worm, and here is what I found:
(2102003) GPL SQL Slammer Worm propagation attempt (2102003)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL Slammer Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; priority:2; sid:2102003; gid:1; rev:9;)
OK, this will definitely nail the SQL Slammer Worm, but let’s take this and look at how signature reliability is impacted when focused on three different areas:
IP Reputation Signature: If I knew an IP address was being used by a bad guy, I could write a very easy signature to identify any malicious activity from it (the protocol field has to be a real one such as ip, tcp or udp, since Snort does not accept “any” there): "alert ip $BAD_GUY_IP any -> $HOME_NET any".
Pros: Will alert you to any type of attack the bad guy throws at you.
Cons: Doesn’t tell you WHAT the attacker is throwing at you. Also, if the attacker changes IP Addresses, you are suddenly blind. IP Addresses can also be re-assigned at a future date so eventually the signature ages out – if you don’t account for this, you get false positives.
Exploit Signature: The SQL Slammer Worm signature above is a prime example of an exploit signature. It identifies a specific attack.
Pros: No matter where the attacker is coming from, if using this attack you will get alerted.
Cons: Variations of the attack, or different attacks targeted at the same vulnerability get missed. You also may not know WHO is attacking you.
Vulnerability Signature: This type of signature focuses on the weakness in the service being targeted by the attacker. In order to exploit the system, certain factors must exist for the vulnerability to be exposed and the target compromised. Internet Security Systems wrote a vulnerability signature for this issue as a result of their research that goes like this: “This event looks for a UDP packet with destination port 1434 whose 1st byte is 0x04 and whose length is greater than the configurable value ssrp.stackbo.threshold. The default threshold value is 96.” Source: http://www.iss.net/security_center/reference/vulntemp/SQL_SSRP_StackBo.htm
Pros: No matter where the attacker is coming from, you will get alerted. Any variation of attack will be caught because the root cause of the vulnerability is being identified.
Cons: Any unknown variant will not have an identifiable name (though the absence of a matching exploit signature tells you that you have encountered a new variant). You also may not know WHO is attacking you.
Vulnerability signatures allow for Zero-Day EXPLOIT detection: I do not need to know what the exploit is, so long as I have a vulnerability signature written for the weakness it targets. If the attacker discovers a vulnerability before anyone else AND develops an exploit for it, you are then relying on malware analysis solutions to assist in identifying malicious activity – that’s a topic for another day.
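The three signature styles discussed above, as an added example that is not part of the original post: a small Python classifier that runs each style over constructed UDP datagrams. The UdpPacket class, the bad-guy IP list and the sample payloads are constructed for this example; the byte sequence and the "sock"/"send" strings in the exploit check come from the GPL rule quoted above, and the port, first-byte and 96-byte threshold checks come from the ISS description. The "variant" payload is synthetic: it has the 0x04 opcode and an oversized length but none of the exploit rule's content strings, so it shows what a vulnerability signature catches that an exploit signature misses.

```python
from dataclasses import dataclass


# Minimal datagram representation, constructed for this example (not a real
# IDS API): source/destination addresses, UDP destination port and payload.
@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


# --- Known Attacker: IP reputation signature ---------------------------------
# Constructed sample value from the TEST-NET-3 documentation range.
BAD_GUY_IPS = {"203.0.113.7"}


def match_known_attacker(pkt: UdpPacket) -> bool:
    """'alert ip $BAD_GUY_IP any -> $HOME_NET any': fires on anything from the
    listed source, regardless of port or content."""
    return pkt.src_ip in BAD_GUY_IPS


# --- Known Attack: the Slammer exploit rule (sid 2102003) ---------------------
SLAMMER_CONTENT = bytes.fromhex("81F10301049B81F101")  # |81 F1 03 01 04 9B 81 F1 01|


def match_known_attack(pkt: UdpPacket) -> bool:
    """Mirrors the rule's content checks: UDP to 1434, first byte 0x04
    (content:"|04|"; depth:1), then the fixed byte sequence and the strings
    'sock' and 'send' anywhere in the payload."""
    p = pkt.payload
    return (
        pkt.dst_port == 1434
        and p[:1] == b"\x04"
        and SLAMMER_CONTENT in p
        and b"sock" in p
        and b"send" in p
    )


# --- Known Vulnerability: the ISS SQL_SSRP_StackBo check -----------------------
SSRP_STACKBO_THRESHOLD = 96  # default value of ssrp.stackbo.threshold quoted above


def match_known_vulnerability(pkt: UdpPacket, threshold: int = SSRP_STACKBO_THRESHOLD) -> bool:
    """UDP to 1434 whose first byte is 0x04 and whose payload is longer than
    the threshold: the condition that overflows the SSRP stack buffer."""
    p = pkt.payload
    return pkt.dst_port == 1434 and p[:1] == b"\x04" and len(p) > threshold


def classify(pkt: UdpPacket) -> set:
    """Return the set of signature categories that fire on a packet."""
    hits = set()
    if match_known_attacker(pkt):
        hits.add("Known Attacker")
    if match_known_attack(pkt):
        hits.add("Known Attack")
    if match_known_vulnerability(pkt):
        hits.add("Known Vulnerability")
    return hits


# Constructed sample traffic (synthetic payloads, not real worm bytes).
HOME = "192.0.2.10"          # TEST-NET-1, stands in for $HOME_NET
NORMAL_SRC = "198.51.100.5"  # TEST-NET-2, an unlisted source

# Oversized 0x04 packet carrying the rule's content strings: 1+90+9+4+4 = 108 bytes.
SAMPLE_SLAMMER_LIKE = UdpPacket(
    NORMAL_SRC, HOME, 1434, b"\x04" + b"\x01" * 90 + SLAMMER_CONTENT + b"sock" + b"send"
)
# Oversized 0x04 packet with none of the content strings: 201 bytes.
SAMPLE_VARIANT = UdpPacket(NORMAL_SRC, HOME, 1434, b"\x04" + b"\x01" * 200)
# A legitimate one-byte SSRP ping.
SAMPLE_BENIGN_PING = UdpPacket(NORMAL_SRC, HOME, 1434, b"\x04")
# The same benign ping, but from the listed attacker address.
SAMPLE_FROM_BAD_IP = UdpPacket("203.0.113.7", HOME, 1434, b"\x04")


if __name__ == "__main__":
    for name, pkt in [
        ("slammer-like", SAMPLE_SLAMMER_LIKE),
        ("variant", SAMPLE_VARIANT),
        ("benign ping", SAMPLE_BENIGN_PING),
        ("bad-IP ping", SAMPLE_FROM_BAD_IP),
    ]:
        print(f"{name:12s} -> {sorted(classify(pkt)) or ['no alert']}")
```

Run as a script, the slammer-like packet trips both the exploit and the vulnerability signature, the variant trips only the vulnerability signature, the benign ping trips nothing, and the ping from the listed address trips only the reputation signature. That last case is the IP reputation trade-off from the post: you learn who, but not what.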
I break signatures down into three categories: Known Attacker, Known Attack, Known Vulnerability. Knowing exactly what you are facing, and having proper threat intelligence for each category allows security operations analysts to make faster, more accurate determinations of the threat facing the organization.
And that’s what good signature detection is supposed to be all about.