March 12th, 2004, 09:02 AM
HIDS Evasion Techniques
I'm working on a theoretical text that outlines possible host-based IDS evasion tactics. I'm curious if any AO members have any comments/insights to share. Some of my current theories draw from network-based IDS evasion techniques and some are just thoughts...some subpoints may overlap into other categories but I'm not worried about that right now. I'm mostly interested in discovering what other theories may be out there.
Here's a strawman of my work-in-progress and several questions I'm currently chewing on. Ignore the titles- they're just there to keep things categorized...
appreciation extended in advance.
Host-Based Intrustion Detection Evasion Tactics
1. 'Target Saturation'
a) overload the target HIDS w/ enough valid information that the attack sneaks by undetected.
b) overload the target HIDS w/ enough invalid information that the attack too buried in log files/alerts to be noticed
c) silence the HIDS by cutting off alerting channels (DoS mail server, etc.)
2. 'Ninja Mode'
a) trojan plant on the inside which initiates outbound connection to attacker
b) impersonation of valid traffic via mimicry/hijacking
c) 'overtime' attack...basically, attacker knowingly triggers a few alarms over a long period of time. this may cause the HIDS admin to misconfigure the HIDS, turn off alerting, or otherwise cripple it out of sheer annoyance.
a) disable HIDS from within after obtaining 'root' on adjacent devices
i. adjacent servers could be leveraged in attacks on HIDS
ii. adjacent switches/hubs could be configured to disable HIDS
b) use adjacent, compromised server(s) to launch 'diversionary' attack on HIDS
1. is it possible to remotely enumerate a target and discover HIDS?
2. can network topology, after the recon phase, be leveraged to mask activities from HIDS?
3. can vulnerabilities in the Host OS be exploited to evade HIDS?
4. can we remotely determine through probing methodology what rules/filters/signatures the HIDS may possess?
Ego is the great Logic killer