General Introduction to Intrusion Detection and Collaboration Systems

It is inevitable that collaboration systems within an organization will at some point become compromised for any number of reasons. Although numerous appropriate countermeasures may be set up to prevent SharePoint and network intrusions, it is never possible to have a 100% secure collaboration system, regardless of the industry your organization is in.

Network Based Intrusion Detection and Host Based Intrusion Detection

Intrusion detection can be defined as setting up either a Network-Based Intrusion Detection System (NIDS) or a Host-Based Intrusion Detection System (HIDS) that collects and examines various kinds of data, such as system logs, pertinent audit data, or network traffic traversing a link.

A NIDS is intended to protect an entire network segment, and SharePoint IW client machines are generally transparent to the intrusion detection process, since it operates at the network level rather than on the hosts themselves. This is typical for organizations that need to implement protection at scale, and it requires that an IDS sensor (a concept covered in a later section) be placed on each individual network segment. A HIDS is meant to protect a single IW host machine; it offloads processing to the client machine and can inspect transferred packets at the application level (that is, after decryption). This simply means that a HIDS is targeted at inspecting collaboration traffic that may be encrypted on the wire, and in essence provides application-layer intrusion detection.

Intrusion Types That Can Involve An IDS

There is a variety of intrusion types that an IDS can detect and display to the SharePoint administrator:

  • SharePoint Server Environmental Errors
  • SharePoint Configuration Errors
  • Race Conditions
  • Access Validation Errors
  • Condition Handling Errors
  • Buffer Overflows Targeting SharePoint
  • User Based Input Validation Errors
  • Boundary Step Through Conditions
  • IP Based attacks (SYN / other flag attacks)
  • Denial of Service Attack Targeting SharePoint Servers
  • Port redirection
  • Man-in-the-Middle Attacks
  • Viruses and Trojans

The Modules That Make Up an IDS

An IDS is composed of three major components:

  • A Sensor (also referred to as an agent in some contexts) – the sensor simply gathers the relevant intrusion information (certain IDS products have sensors that offer other functionality as well) and pushes it to the analyzer, the second component of the intrusion system. The sensor also has a sensor rating, which determines how many packets it can analyze before further packets are simply dropped without analysis, since there is a threshold on the load the sensor can handle. For this reason, flood attacks are very commonly used against IDSs as the first step in bypassing the IDS packet inspection routines (regardless of the inspection technique in use; these are discussed more thoroughly shortly). This can be counteracted by implementing suitable rate limiting, which throttles the amount of bandwidth that can enter the network before handshake requests are dropped, ensuring that only a load the sensor can handle is passed to the IDS for analysis.
  • An Analyzer – the analyzer receives data from the sensor and parses it to determine whether the information constitutes an actual attack or a false positive (legitimate traffic that is registered as an attack; there are essentially four groupings of packet analysis outcomes, discussed shortly). The analyzer characteristically uses signatures, which determine the validity of traffic and the action to be taken (such as a TCP reset, blocking the sending host, or raising an alert) if a frame is determined to be malicious in origin and function. From a high-level standpoint, blocking the host can be the most critical step, since it impedes flood attacks and ensures the administrator does not receive millions of IDS-generated alerts while an attack is occurring.
  • A Security Interface – the security interface is a software or hardware component that presents legitimate attacks and false positives to the SharePoint administrator, who determines what actions, if any, should be taken. The Security Interface supplies several capabilities, such as tracking user actions in an audit trail, allowing forensic event reconstruction if an attack does occur, activity monitoring for real-time scrutiny of problems as they occur, and tracing of intrusion detection events. Together these produce violation reports, which show whether there have been attempted breaches and unauthorized access attempts.

IDS Object Technology

Profile Based Intrusion Detection (PBID) (a.k.a. Anomaly Detection) – Using PBID, profiles are set up throughout the system that determine the thresholds of activity. If an activity exceeds the thresholds defined by the profiles, the IDS trips an alarm to alert the administrator of the system. Using these boundaries, an enterprise baseline can be established for what is legitimate and what is illegitimate activity throughout the environment.
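An added example (not part of the original article) of profile-based detection in Python: a per-host request-rate profile is learned from constructed baseline windows, and a later interval is checked against those thresholds. The mean-plus-three-standard-deviations rule, the hosts, paths and counts are all assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

def build_profile(baseline, k=3.0):
    """Learn a per-host activity threshold from normal operation.

    baseline maps each host to its request counts over several equal-length
    intervals. The threshold is mean + k standard deviations (an assumed rule),
    with a floor of mean + 1 so a perfectly flat baseline still has headroom.
    """
    profile = {}
    for host, counts in baseline.items():
        mu, sigma = mean(counts), pstdev(counts)
        profile[host] = max(mu + k * sigma, mu + 1.0)
    return profile

def check_interval(events, profile, default_threshold):
    """Compare one interval of activity against the profiles.

    events is a list of (host, path) requests seen in the interval. A host
    without a learned profile is judged against default_threshold. Returns a
    list of (host, observed_count, threshold) for each threshold exceeded.
    """
    per_host = Counter(host for host, _ in events)
    alarms = []
    for host, n in sorted(per_host.items()):
        threshold = profile.get(host, default_threshold)
        if n > threshold:
            alarms.append((host, n, threshold))
    return alarms

# Constructed baseline: requests per five-minute interval to the SharePoint front end.
BASELINE = {
    "10.0.0.9": [20, 22, 19, 21],
    "10.0.0.10": [5, 5, 5, 5],
}
PROFILE = build_profile(BASELINE)

# Constructed interval: 10.0.0.9 suddenly issues 30 requests, 10.0.0.10 stays
# within its floor, and an unprofiled host 10.0.0.11 appears with a few requests.
INTERVAL = ([("10.0.0.9", "/sites/hr")] * 30
            + [("10.0.0.10", "/sites/it")] * 6
            + [("10.0.0.11", "/sites/it")] * 4)

if __name__ == "__main__":
    for host, n, threshold in check_interval(INTERVAL, PROFILE, default_threshold=50):
        print(f"alarm: {host} made {n} requests, profile allows {threshold:.1f}")
```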

Signature Based Intrusion Detection (SBID) – SBID is based on patterns and pattern matching. A set of rules builds up an algorithm, and this algorithm is compared against the traffic patterns within a network. If a pattern is matched, the alert is tripped and the SharePoint administrator is notified.

Signature-based intrusion detection is extremely common and is based on the concept of recognition. The signature, as stated before, defines the rules that generate the logic for determining a packet violation. After the sensor inspects the packet, the analyzer uses the defined recognition (signature-based) rules to determine whether the packet is legitimate. Various types of signatures exist, notably:

  • State
  • Sweep
  • Flood
  • Atomic
  • String
  • Service

To see how signature-based detection works, examine the LAND attack, which creates an impossible loop for an IP packet. This is done by streaming TCP SYN packets with a malformed source address and port, forged so that both equal the address and port of the host being attacked. For some TCP/IP implementations this confuses the protocol handler, causing an infinitely repeated connection attempt that wreaks havoc on the host machine. As a signature, the IDS can check whether the TCP packet has well-formed source and destination fields before forwarding the frame; if it matches the signature of a typical LAND attack, a TCP reset can be performed and the packet dropped.

There are four possible outcomes of identification that the IDS works with when it runs:

  • True Positive – traffic that is malicious and is identified by the IDS as such
  • True Negative – benign traffic that is identified as legitimate
  • False Positive – legitimate traffic that is identified as an attack
  • False Negative – an attack that is not identified as such by the IDS, but should be

An IDS builds upon all of these outcomes to make up the traffic identification portion of the system.
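As an added example that is not from the original article, the LAND signature described above is implemented as an analyzer rule in Python, run over a few constructed packets, and scored against the four identification outcomes just listed. The packet model, the addresses and the sample traffic are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TcpPacket:
    """Minimal view of the TCP/IP header fields a signature needs (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool

def is_well_formed(pkt: TcpPacket) -> bool:
    """A LAND packet is malformed: its source endpoint equals its destination endpoint."""
    return (pkt.src_ip, pkt.src_port) != (pkt.dst_ip, pkt.dst_port)

def matches_land_signature(pkt: TcpPacket) -> bool:
    """Signature: a SYN whose source address and port equal its destination address and port."""
    return pkt.syn and not is_well_formed(pkt)

def analyze(pkt: TcpPacket) -> str:
    """Analyzer verdict: 'reset' (drop the packet via TCP reset) or 'forward'."""
    return "reset" if matches_land_signature(pkt) else "forward"

def score(packets, truth):
    """Compare verdicts with ground-truth labels; returns TP/TN/FP/FN counts."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for pkt, malicious in zip(packets, truth):
        flagged = analyze(pkt) == "reset"
        if flagged and malicious:
            counts["TP"] += 1
        elif not flagged and not malicious:
            counts["TN"] += 1
        elif flagged and not malicious:
            counts["FP"] += 1
        else:
            counts["FN"] += 1
    return counts

# Constructed sample traffic toward a SharePoint front end at 10.0.0.5:443.
SAMPLE = [
    TcpPacket("10.0.0.5", 443, "10.0.0.5", 443, syn=True),    # LAND pattern: true positive
    TcpPacket("10.0.0.9", 51000, "10.0.0.5", 443, syn=True),  # ordinary handshake: true negative
    TcpPacket("10.0.0.5", 443, "10.0.0.5", 443, syn=False),   # self-addressed non-SYN the SYN-only signature misses: false negative
    TcpPacket("10.0.0.7", 443, "10.0.0.5", 443, syn=True),    # different hosts, same port: true negative
]
SAMPLE_TRUTH = [True, False, True, False]  # analyst labels for the constructed packets

if __name__ == "__main__":
    print(score(SAMPLE, SAMPLE_TRUTH))  # {'TP': 1, 'TN': 2, 'FP': 0, 'FN': 1}
```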

IDS Modes (Active and Passive Mode)

There are two major modes that IDSs run in: passive and active mode.

Passive mode – means that the sensor of the IDS takes a copy of traffic packets as they pass by and performs its sniffing on that copy, offloading the analysis from the forwarding path and allowing much deeper scrutiny. This way, the sensor can dedicate all the processing it needs to analyze the packet at any depth. After a packet is determined to be legitimate, it is dumped, wiped from memory, and the next packet is taken from the buffer. If the packet is determined to be illegitimate, the sensor can alert the administrator. Passive mode is not meant to perform TCP resets or other prevention tactics, and because the sensor only holds a copy in memory, the original malicious packet can still reach the host; the copying also introduces some latency. As for switches versus hubs, the IDS sensor is typically bound to the switch. If it is instead bound to a hub, frames are forwarded out all ports (as a broadcast), whereas switches typically forward frames only to the port, or set of ports, of the single destination host.

Active mode, in essence, provides a more intensive process of inspecting traffic packets. When a packet is received by a sensor running in active mode, it is inspected, goes through Quality of Service and other miscellaneous functions, and is lastly passed to the IDS. Once it has gone through all inspection, the packet can be forwarded to the destination; however, if it is deemed illegitimate, a number of intelligent actions can take place, such as a TCP reset. Although active mode is the most security-conscious setting for an IDS, it is very processing intensive, and it requires, particularly with rule-based signature types, that less inspection be done as packets come through in order to keep the environment in the most proper operational state.

Honeypots and Honeynets

One of the largest features that intrusion detection systems habitually supply is the concept of a honeypot or honeynet. The major difference between a honeypot and a honeynet is that a honeynet exists on a much larger scale. Whereas a honeypot can exist solely to imitate SharePoint as an application, a honeynet covers an entire network segment and mimics the production system to a large extent, since it appears as, and typically mirrors, an entire network. Since the honeynet should carry no legitimate traffic, all ingress and egress traffic should bear the pattern of a malicious user; no actual users should be using the network.

This, in essence, is the sacrificial lamb that an organization simply gives to an attacker. It is typically less securely configured than the sensitive networks, but it usually has the same SharePoint implementation as the production network, without the same sensitive data. The goals of a honeypot are to lure an attacker away from the production SharePoint target, provide analysis of the methods being used against the organization, take action against an attacker before the real production SharePoint environment is compromised, and verify the location and identities of attackers who wish to compromise organizational security.

Because of how honeypots are constructed, they provide no legal recourse, since no financial loss is incurred by the victim organization. Even so, the methods and tactics that can be learned from implementing a honeypot make it a worthwhile endeavor for any organization. Beyond the implication that no legal action can be taken, there is also the issue of the attacker claiming entrapment, and of privacy concerns. Although it may seem backwards, simply placing a banner informing the would-be attacker that they are accessing a secure system provides the legal footing needed to circumvent this headache and possibly pursue certain legal actions.

Intrusion Prevention Systems (IPS)

This is not to say that an Intrusion Prevention System (IPS) is not a valid concept to implement in a collaboration environment. Since an IDS logs and parses the various intrusion attempts, the IPS lives behind the IDS and provides the logic that automates the response to attacks. The IPS determines, based on the logic and metrics provided by the IDS, whether the traffic is legitimate, and based on its rules can bounce a packet request back to the client machine. Overall, this brings an automated, intelligent process to the concepts provided by the IDS, and together they make up the overall intrusion system. The method and process that the IPS uses is relatively straightforward:

  1. A request is sent from the client machine to the system on which the IDS is set up
  2. The IDS intercepts the packets and, using something like stateful packet inspection, determines whether the packet is malicious
  3. If the packet is determined to be malicious, the IDS sends it to the IPS
  4. The IPS analyzes the packet further and makes several decisions, such as, if it is an attack, what attack it could be, how the attack would affect client systems, and what the intended route of the packet is
  5. The IPS examines the destination of the packet and determines whether that destination could be compromised if the packet were delivered to it
  6. If there is no direct match between the two, the packet could not trigger an attack, and it is allowed through
  7. If there is a direct match between the two, the packet is dropped, and rules can immediately state that no further packets will be accepted from the sending machine (TCP reset and Blocked Offending Traffic [BOT]). Session log files and other log files relevant to the request can also be created.
  8. There are also conditions whereby the IPS can determine that a hotfix or patch would resolve the issue presented by the malicious packet, and therefore install it on the client machine.
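The IPS decision flow of steps 4 to 7 as an added Python example that is not part of the original article: the alert model, the signature-to-service mapping and the host inventory are constructed assumptions, and treating an unrecognised signature as a drop is a conservative choice of this example, not a step from the article.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Alert:
    """What the IDS hands to the IPS for one flagged packet (constructed model)."""
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: int

# Which service each signature exercises; a constructed mapping, not a vendor rule set.
SIGNATURE_TARGET = {
    "land-attack": "tcp-stack",
    "sharepoint-buffer-overflow": "sharepoint-web",
}

# Services actually exposed on each destination host (constructed inventory).
HOST_INVENTORY = {
    "10.0.0.5": {"tcp-stack", "sharepoint-web"},   # SharePoint web front end
    "10.0.0.6": {"tcp-stack"},                      # database host, no web role
}

@dataclass
class Ips:
    blocked: set = field(default_factory=set)   # senders under a standing block (step 7)
    log: list = field(default_factory=list)     # session/decision log entries (step 7)

    def handle(self, alert: Alert) -> str:
        # A sender blocked earlier is dropped without further analysis.
        if alert.src_ip in self.blocked:
            self.log.append(("dropped-blocked-sender", alert.src_ip))
            return "drop"
        target = SIGNATURE_TARGET.get(alert.signature)
        if target is None:
            # Conservative choice for this example: unknown attack, do not pass it on.
            self.log.append(("dropped-unknown-signature", alert.signature, alert.src_ip))
            return "drop"
        # Steps 5 and 6: compare what the attack needs with what the destination exposes.
        exposed = HOST_INVENTORY.get(alert.dst_ip, set())
        if target not in exposed:
            self.log.append(("allowed-no-match", alert.signature, alert.dst_ip))
            return "allow"
        # Step 7: direct match, so drop the packet, block the sender and record the session.
        self.blocked.add(alert.src_ip)
        self.log.append(("dropped-and-blocked", alert.signature, alert.src_ip, alert.dst_ip))
        return "drop"
```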

This concept can be extended by performing penetration testing of SharePoint to ensure that you are covered against all known vulnerabilities and exploits, confirming that all weaknesses of the system have been addressed. There are several articles on the site that discuss the concept of penetration testing in more depth and how to carry it out.