Any security-related project starts with an inventory. You need to know what systems are in your environment and what software they are running. You also need to know what business processes exist in your organization so you can tailor your information technology decisions to support these processes.
When starting an IDS project, it's important to know not just what you're protecting, but also what the threats to your environment are. If you don't understand the nature and methods of your enemy, building defenses to protect against their attack is nearly impossible. While you might stumble onto something by accident, a targeted approach to an IDS deployment yields better returns on your time (and budget).
It's unlikely that a maniacal billionaire is hiring some elite hacker to break into your network or that a group of former Spetnatz commandos are trying to steal the secret to how your widgets are manufactured. The threat often comes from people who aren't targeting you specifically; they are simply scanning huge ranges of Internet-connected systems looking for vulnerable systems that they can use for whatever purpose. No matter the identity of these individuals, they can be the cause of your two real enemies: downtime and data loss.
Most often these attackers are not targeting your environment specifically. They scan and probe wide ranges of addresses looking for systems that are vulnerable to the exploits they are familiar with. They range from the classic 15-year-old boy trying to gain notoriety with his peers to a SPAM sender looking for an open mail server to act as a relay for his unsolicited emails. While this group of people represents mainly an annoyance, it is folly to ignore the threat.
Simply connecting your network to the Internet exposes you to this kind of attacker. It's not a matter of if but when someone will probe and attempt to penetrate your network.
These individuals are trying to break into systems just for the challenge. They might just look around after getting in, or may become vandals. While not (at least initially) malicious, they can inadvertently do damage or cause service interruptions in the course of their activity.
These people are generally not trying to get your data—they're after your bandwidth, computing power, or want to use your mail system for their own purposes. Your network bandwidth is probably better than theirs and would make their explorations much easier than their slow dial-up line. Your computers compile programs better, have more disk space for their pirated DVD rips, and are easier to get to than their own systems for their friends.
In the old days, someone would shimmy up a water tower and spray paint his high school's team name for everyone to see. Now, someone will shimmy into your web server and do the same thing with your main web page. As soon as your web site is defaced, they hop onto their favorite IRC channel and tell their friends to have a look. In the meantime, your company faces reputation damage and you, as the person who's ultimately responsible for the security of your network, have to explain how it happened without you noticing.
There are many stories from the cold war era of spies using computers to steal information or do harm to their opponent. The East Germans broke into the Lawrence Berkeley National Laboratory (chronicled in Clifford Stoll's "The Cuckoo's Egg") and the United States planted faulty designs for software and computer chips that caused a massive explosion of the trans-Siberian pipeline. The attackers of government systems these days are more likely to be terrorist-related groups.
The threat of a professional attack on your environment is relatively small. The payout for the freelancer doing the work is low for days of painstaking work (the work is harder when you have to cover your tracks). The impact of such an attack can be huge, however. Intellectual property can be lost, or systems can be destroyed. I've met people who do this for a living—the threat is real.
The threat from this group is often underestimated. These folks have been trained by you, are familiar with your environment, and can often bypass your perimeter security measures. They have motive, opportunity, and the skills necessary to do real damage. The existence of this threat inside your network is a strong argument for defense-in-depth. Protecting internal systems from internal users is fairly difficult and requires consideration and vigilance.
Once, the only way to get a virus on your system was to use an infected floppy disk. Now, an actual virus is fairly rare. Infections occur from across the network. The newly infected machine, in turn, infects other systems. Many times the inconvenience is not the impact on the infected systems, but the impact on the network. The SQL Slammer worm caused many networks to become completely saturated with the 404-byte UDP packets (the entire worm was contained in a single UDP packet!).
The worms are getting faster, too. The Code Red worm took about 13 hours to infect 90 percent of the hosts it would eventually affect. SQL Slammer took 10 minutes to do the same thing! This speed of propagation is due to the fact the UDP worms have the unfair advantage of not needing to establish a three-way handshake—not all subsequent worms will have this advantage. Increased vigilance is absolutely called for, and the only way to notice is by watching your network traffic.
Simply closing ports on your firewall does not help much, either. The series of worms that exploited the vulnerable RPC services on Windows systems (Blaster, SoBig, Nachi, Welchia, and so on) required access to TCP ports 135-139—not normally open to the Internet. Most organizations were infected across VPN connections, remote dial-up connections, and backend connections to business partners. See Chapter 1 for a discussion of the disappearing perimeters of our networks.
Sometimes the automated attack is not actually a worm, but a script running on the Internet looking for systems that are vulnerable to a particular attack. The results of this scan then acts as a target list for an actual person to attack. This method has been suggested as one way to introduce a worm in a fashion that jumps up the growth curve; e.g., by finding a large number of vulnerable machines in advance, an attacker can start the worm from 5,000 hosts (each scanning the network) at once, instead of, say, 5 hosts.