SANS SEC503 Intrusion Detection In-Depth - A report on my personal experience

Dominik Altermatt

Keypoints

What SANS teaches you about intrusion detection

  • A high-quality course, to be recommended
  • A great deal of material is covered in a relatively short space of time
  • Firm foundations for analyzing packet captures
  • Threat modeling/analysis is somewhat neglected

A report on my personal experience of the SEC503: Intrusion Detection In-Depth course. I will reflect on how I absorbed the material taught using the advertised learning outcomes as a basis, before going on to provide a brief summary of the days spent on the course.

Extract from the course description on the SANS website.

You will learn:

Course Schedule

The content part of the course is held over a period of five days, running from 9:00 am to roughly 7:00 pm, using the classroom-style method of teaching. The obligatory challenge, where the students apply what they’ve learned to solve gamified tasks and compete as solo players or in teams to get the highest score, takes place on the sixth day.

The information is conveyed using a projector-based presentation and handed out to students as print-outs. In addition to the lunch break, there is one break in the morning and two in the afternoon.

Various hands-on exercises on the material just learned are held in between the blocks of theory and make the learning situation less monotonous. The instructor and students are also given repeated opportunities to exchange experiences. The last hour of the teaching day is reserved for more practical hands-on exercises.

All the exercises, the tools discussed and the scenarios are supplied on a Linux VM, which also contains a variety of data and packet captures as the basis for analyzing the tasks and challenges.

Syllabus from the SANS website:

Day Topic
Day 1/2 Fundamentals of Traffic Analysis
Day 3 Application Protocols
Day 4 Network Monitoring: Signatures vs. Behaviors
Day 5 Network Traffic Forensics
Day 6 Advanced IDS Capstone Event

Days 1 and 2 – Fundamental Network Analysis

“The first two days will likely be rough,” reads one of the first slides shown at the start of the course. Over two days, this message is followed by just under 360(!) slides about the basics of packets and headers, as well as an introduction to some tools.

Basic terms such as “bits”, “nibbles” and “bytes”, and decimal, binary and hexadecimal systems, are explained. The instructor talks through the structures of protocol headers. The individual header fields and options of link layer, IPv4 and IPv6 are addressed, as are the common protocols (such as TCP, UDP and ARP).

In between the topics, short assignments are repeatedly solved by the students in plenary sessions, such as reading an IP header represented in hexadecimal format from tcpdump output and identifying its attributes (e.g. IP version, header length, time to live).

Students are shown Wireshark in greater detail relatively quickly; it is one of the first tools to be introduced. Some slides contain explanations of the software, a few useful features (primarily in Wireshark’s Statistics and Analyze tool menus) and how to use display filters.

Students are also taught about the potential of tcpdump’s BPF filter syntax. The instructor also outlines the fundamentals and some specifics of its precise application (using bit masks, for example).

The bit masks are needed, for example, to identify the TCP flags correctly. Because the first two bits of the “higher-order” nibble of byte 13 of the TCP header (tcp[13] in tcpdump notation) are the two ECN bits rather than TCP flags, they have to be masked out in the BPF expression passed to tcpdump. (You’ll be able to understand the last sentence easily once you’ve attended the course.)
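As an added example (my own code, not course material from SANS): the IP header reading from the plenary exercises and the TCP flag masking just described, carried out in Python on a constructed hex dump. It assumes a standard IPv4 header followed directly by a TCP header, with the IP header length taken from the IHL field.

```python
# Constructed hex dump (IPv4 + TCP header, no payload), not real traffic.
# IP: version 4, IHL 5 (20 bytes), TTL 64, proto 6 (TCP), 192.168.0.1 -> 192.168.0.2
# TCP: sport 40000, dport 80, data offset 5, flags byte 0xC2 = CWR + ECE + SYN
HEX_DUMP = ("4500 0028 1c46 4000 4006 0000 c0a8 0001 c0a8 0002 "
            "9c40 0050 0000 0001 0000 0000 50c2 ffff 0000 0000")
PACKET = bytes.fromhex(HEX_DUMP)

# Bit masks for the flags byte at TCP header offset 13, high bit first.
TCP_FLAG_MASKS = [("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
                  ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]
FLAGS_ONLY_MASK = 0x3F  # clears the two ECN bits (CWR, ECE) before comparing

def parse_ipv4_header(pkt: bytes) -> dict:
    """The fields the plenary exercises ask for, read straight from the bytes."""
    return {
        "version": pkt[0] >> 4,             # high nibble of byte 0
        "ihl_bytes": (pkt[0] & 0x0F) * 4,   # low nibble, counted in 32-bit words
        "total_length": int.from_bytes(pkt[2:4], "big"),
        "ttl": pkt[8],
        "protocol": pkt[9],
    }

def tcp_flags_byte(pkt: bytes) -> int:
    """Byte 13 of the TCP header, i.e. tcp[13] in tcpdump/BPF terms."""
    return pkt[parse_ipv4_header(pkt)["ihl_bytes"] + 13]

def decode_flags(flags: int) -> list:
    return [name for name, mask in TCP_FLAG_MASKS if flags & mask]

def is_syn_only_naive(flags: int) -> bool:
    """Equivalent of the BPF 'tcp[13] = 2': misses SYNs that carry ECN bits."""
    return flags == 0x02

def is_syn_only_masked(flags: int) -> bool:
    """Equivalent of 'tcp[13] & 0x3f = 2': ECN bits masked out first."""
    return (flags & FLAGS_ONLY_MASK) == 0x02

if __name__ == "__main__":
    f = tcp_flags_byte(PACKET)
    print(parse_ipv4_header(PACKET), decode_flags(f))
    print("naive:", is_syn_only_naive(f), "masked:", is_syn_only_masked(f))
```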

Intrusion detection is occasionally raised as a topic when a few examples are used to explain the basic material.

Day 3 – Application Protocols

Having spent the first two days dealing with the fundamentals, the content slowly switches towards intrusion detection. But the third day features even more fundamental topics. A brief foray into Scapy, a tool for crafting your own packets (to test an IDS installation, for example), is presented with live demos. Additional Wireshark features – such as extracting files from a capture, or piecing together SMTP messages – are explored.

Snort and how to write Snort alert rules are examined. Detailed explanations are provided of how the content-matching function of a Snort rule can be used, including how to write efficient rules.

This is followed by yet more foundation-level information about application protocols such as SMB, DNS or SMTP, along with the relevant detection opportunities using Snort or BPF/tcpdump. While these basics aren’t covered as extensively as the lower-layer protocols handled on the first and second days, they are nevertheless loosely peppered with intrusion detection-related particularities and tie back to the presented tools (processing, filtering, detecting).

The third day’s block of theory is rounded off by the basic principles of IDS/IPS evasion. Examples are used to show possible ways of bypassing the IDS/IPS system.

Day 4 – Network Monitoring

The fourth day starts with higher-level and fundamental concepts relating to IDS/IPS. Students are told how and where sensors can be positioned and what problems to expect. This is followed by a brief detour into TLS. But most of the day is spent dealing with the tool Zeek. The fundamentals of how Zeek works are presented, and students quickly get to grips with analyzing the log files that Zeek generates. At this point at the latest, it is highly advantageous to have some experience working in the bash shell (e.g. the commands cat, cut, awk, grep, wc and uniq) to manipulate data.
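An added example, not from the course or the Zeek project: a small Python reader for the tab-separated ASCII log format that Zeek writes, followed by the per-host counting that the cat/cut/awk/uniq pipelines in the exercises perform by hand. The conn.log excerpt is constructed for the example, and the port-count threshold is an arbitrary assumption, not a Zeek default.

```python
# Constructed Zeek conn.log excerpt (tab-separated, with Zeek's header lines);
# hosts, uids and timestamps are made up for this example.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state",
    "1609459200.0\tC1\t10.0.0.5\t51000\t192.168.1.10\t22\ttcp\tssh\t1.5\tSF",
    "1609459201.0\tC2\t10.0.0.9\t51001\t192.168.1.10\t23\ttcp\t-\t-\tS0",
    "1609459201.1\tC3\t10.0.0.9\t51002\t192.168.1.10\t25\ttcp\t-\t-\tS0",
    "1609459201.2\tC4\t10.0.0.9\t51003\t192.168.1.10\t80\ttcp\t-\t-\tS0",
    "1609459201.3\tC5\t10.0.0.9\t51004\t192.168.1.10\t443\ttcp\t-\t-\tS0",
    "1609459202.0\tC6\t10.0.0.5\t51005\t192.168.1.10\t80\ttcp\thttp\t0.2\tSF",
    "#close\t2021-01-01-00-00-10",
])

def parse_zeek_log(text: str) -> list:
    """Dicts keyed by the #fields names; unset values ('-' by default) become None."""
    fields, unset, records = None, "-", []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines, #close, blank lines
        elif fields is None:
            raise ValueError("data line before #fields header")
        else:
            values = line.split("\t")
            records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records

def failed_ports_by_source(records: list) -> dict:
    """Distinct responder ports each originator tried without a reply (conn_state S0);
    roughly: awk -F'\\t' '$10 == "S0"' conn.log | cut -f3,6 | sort | uniq"""
    out = {}
    for r in records:
        if r["conn_state"] == "S0":
            out.setdefault(r["id.orig_h"], set()).add(int(r["id.resp_p"]))
    return out

def suspected_scanners(records: list, min_ports: int = 3) -> list:
    """Hosts whose unanswered attempts span at least min_ports distinct ports (assumed threshold)."""
    return sorted(h for h, ports in failed_ports_by_source(records).items()
                  if len(ports) >= min_ports)

if __name__ == "__main__":
    recs = parse_zeek_log(CONN_LOG)
    print(len(recs), "connections; suspected scanners:", suspected_scanners(recs))
```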

One of Zeek’s powerful features is its scripting. The instructor teaches the basic principles of Zeek scripting, and students work through a variety of short exercises. A brief aside covering threat modeling breaks the monotony of the topic. Phishing is used as an example to illustrate how analyzing threats helps with defining Zeek scripts well in the context of (in this case, behavior-based) intrusion detection.

Day 5 – Forensics in the Network

The fifth day starts with a brief introduction to forensic analysis, before switching to flows and how the tool SiLK can be used to analyze NetFlow data. The SiLK tools examined are mainly rwfilter, rwcut and rwstats. Details of the methodology, such as alert-driven vs. data-driven sensors, or the analysis potential of alerts and the events generated from them, are also provided in between the topics. Finally, the potential data visualization options are discussed, so that information and anomalies can be read from the data (more easily).

A large chunk of the fifth day is devoted to machine learning. The mathematical principles of ML are discussed in very sparse detail. Python code is provided in a Jupyter Notebook setup, and students work through topical examples. Machine learning is addressed at a high level, as are how the ML algorithm used can be tuned for better results and why the choice and formatting of the dataset isn’t entirely trivial for the ML’s learning stage.

Day 6 – The Challenge

The last day is set aside exclusively for the challenge.

Conclusion

The six days spent on this course are intense due to the roughly 700+ slides and additional accompanying text – not to mention the exercises. Anyone who has some prior knowledge of the basics of IT (specifically of networks) and some experience working in the bash shell is clearly at an advantage.

While the first few days could be viewed as repeating material that people are taught as IT students or trainees, someone learning these concepts for the first time might well reach their limits and not benefit ideally from the wealth of the information conveyed. Not least because the course moves at a relatively quick pace.

Students must understand the basics if they are to use the analysis tools and techniques presented. The promoted learning outcome covers the following:

TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic

The gradual introduction to analyzing network packet captures with the presented tools appears to be a sound and well-structured concept. The fundamentals of using the tools and their basic features to analyze packets are explained very well.

The promoted learning outcomes cover the following:

How to analyze traffic traversing your site to avoid becoming another “Hacked!” headline

The benefits of using signature-based, flow, and hybrid traffic analysis frameworks to augment detection

Hands-on detection, analysis, and network forensic investigation with a variety of open-source tools

The sheer amount of material limits the time that can be spent on exercises quite a bit, which is why we couldn’t spend all the time that was effectively intended on them and certain exercises had to be left out.

If you attend the course with relevant knowledge of attack techniques/patterns, you can identify the potential of packet analysis immediately and can then apply the syntax of the tool in question directly.

In my opinion, not enough attention was paid to the topic of threat modeling and analysis in the context of IDS (intrusion detection systems). Methods and approaches for common and well-known attacks would have been exciting, as would concepts for recording “normal” states as a basis for detecting unknown attacks. The machine learning (ML) section could have been made a great deal shorter, because compared to the other tools presented, it does not offer any effective approaches for production (yet).

Conceptual and higher-level aspects also appeared to serve mainly as breaks between the technical blocks of theory, which somewhat diminished the learning effect and students’ ability to grasp the concepts as a whole. Although it wasn’t the main focus of the course, the conceptual information came across as slightly fragmented.

Specifically, the following advertised learning outcomes could have been addressed in greater depth and in a more structured way:

Admittedly, this does create a dilemma. It appears difficult to pack relevant points on the topic into a week-long course without having students constantly taking notes.

Nonetheless, I can wholeheartedly recommend the course. The documents, the exercises and the instructor are all excellent-quality.

About the Author

Dominik Altermatt

Dominik Altermatt has been working in the IT business since 2003 and was responsible for Data Leakage Prevention at a Swiss bank for many years. Besides traditional penetration testing, he also focuses on the introduction and improvement of IT security management processes. (ORCID 0000-0003-4575-4597)
