Intrusion Detection:
Reducing Network Security Risk continued
by Recourse Technologies
[December 24, 2001]
Appendix A: ManHunt and ManTrap
Products from Recourse Technologies called ManHunt® and ManTrap® exhibit the
properties used to detect network intruders as described in the body of this
document.
ManHunt
ManHunt is a threat management solution that enables a company to maintain control
and respond to intrusions and denial of service attacks against the network.
ManHunt provides a highly coordinated approach to managing security issues,
from identifying threats on the network and gathering additional information
on demand, to responding quickly and taking appropriate action. Through the
use of distributed sensors, protocol anomaly detection, and high-speed statistical
correlation analysis, ManHunt can identify and respond to both common and novel
attacks. Enterprise protection doesn't stop at a single segment; it requires
a scalable solution hardened to resist the most determined hacker. With the
ability to deploy cooperative ManHunt clusters across the enterprise and built-in
attack hardening, ManHunt handles the largest and most demanding deployment
scenarios.
Detection
ManHunt sets a new standard in network detection with high-speed traffic monitoring
up to 1 Gigabit per second, allowing implementation at virtually any level within
an organization, even Gigabit Ethernet. Unique attack identification techniques
eliminate the need for exhaustive signature databases, quickly recognizing known
and unknown attacks and minimizing false positives. Unlike traditional intrusion
detection sensors, ManHunt gathers its primary detection data directly from
switches through copy ports, decreasing the number of sensors needed to be deployed,
managed and maintained, dramatically lowering the Total Cost of Ownership (TCO).
Analysis
The analysis and correlation engine of ManHunt successfully makes sense of the
numerous events taking place on the network, and evaluates them in context.
Time and knowledge are critical in order to mount an effective and rapid response
to attacks on mission-critical enterprise assets as they occur. Real-time event
aggregation, correlation and analysis enable ManHunt to collect events from
security devices throughout the enterprise and to apply advanced event correlation
and analysis so that events are recognized as they happen. This dramatically reduces
the effort traditionally required of security personnel, giving them time for
more sophisticated intrusion investigation and policy work instead of spending
hours examining uncorrelated event logs. Collecting events from third-party
security sources such as Cisco® IDS products and ManTrap® deception hosts enables
ManHunt to extend the threat management umbrella beyond events collected from
ManHunt hosts to cover the entire enterprise.
Response
ManHunt goes a step beyond simple notification by providing automated responses
to protect systems and buy time and peace of mind for security personnel.
When it is desirable to locate the source of an attack, most often with a
spoofed address, the traditional approach is to manually interrogate routers,
hunting for the relevant stream of data. This is a grueling exercise that can
take many hours to many days, even for a skilled network engineer. Using TrackBack
technology, ManHunt can quickly and automatically trace attacks, even those
that are spoofed or reflected, back to the ingress point of a network. This
allows enterprises to react quickly and efficiently to block denial of service
attacks that can seriously impact bandwidth and service availability. In addition,
features such as policy-based response, payload inspection and CVE support provide
security personnel with enough information to discover even the subtlest attacks.
ManTrap
ManTrap protects networked resources by providing deception hosts that contain,
control and respond to intruders, whether the source of the attack is internal
or external. ManTrap hosts may also be configured to reside in a multitude of
ways within a DMZ to provide an integral security component against external
attackers. As with internal attacks, a ManTrap cage can be configured to resemble
another host, like a public FTP, mail or web server. To combat attackers who
have access to the network from inside, ManTrap hosts can be placed in strategic
locations throughout the network.
ManTrap cages can be easily configured to resemble hosts that already exist
within a network, or they may be configured to look slightly more vulnerable
than the surrounding servers, which can be an effective way to lure attackers.
ManTrap maintains an audit trail of the attacker's activities and logs relevant
activity in the cage, such as keystrokes, process invocation, and file accesses.
The ManTrap alerting system can be configured to send alert messages based on
specific classes of events. The ManTrap software has an extremely low rate of
false positives, since any traffic directed at the ManTrap cage is considered
suspicious.
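The detection rule behind that low false-positive rate is simple enough to show in code: a decoy host has no legitimate users, so every record that touches it is an alert, with no signature lookup, and the same traffic aimed at a production host is ignored. The following is an added example written for this appendix, not Recourse code and not a description of how ManTrap is implemented. The log format, the decoy address 10.0.5.20, the neighbouring production addresses and the event-class names are all constructed for the example; the alert policy selects which classes (connection, keystroke, process, file) produce alerts, mirroring the class-based alerting the paragraph describes.

```python
"""Decoy-host alerting modelled on the ManTrap behaviour described above.

Added example, not Recourse code. Everything here is constructed: the log
format, the decoy address 10.0.5.20, the neighbouring production hosts and
the event-class names. The one rule it implements is the page's own: any
traffic directed at the decoy is suspicious and is alerted on without a
signature match, while identical traffic to a production host is ignored.
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical cage address. Any address not in this set is treated as production.
DECOY_HOSTS = {"10.0.5.20"}

# Event classes the alerting policy may select, with a constructed severity each.
CLASS_SEVERITY = {"connection": "low", "keystroke": "high",
                  "process": "medium", "file": "medium"}

# Constructed sample records: flow records seen on a switch copy port ("net")
# plus audit records emitted by the cage itself ("cage"). Source 10.0.5.77
# touches both the decoy and a production host; only the decoy traffic alerts.
SAMPLE_LOG = """\
2001-12-24T02:13:05 net src=10.0.5.77 dst=10.0.5.20 dport=21 proto=tcp
2001-12-24T02:13:09 cage host=10.0.5.20 src=10.0.5.77 type=keystroke data='ls -la'
2001-12-24T02:13:12 cage host=10.0.5.20 src=10.0.5.77 type=process proc=/bin/ls
2001-12-24T02:13:15 cage host=10.0.5.20 src=10.0.5.77 type=file path=/home/ftp/README
2001-12-24T02:14:00 net src=10.0.5.77 dst=10.0.5.21 dport=80 proto=tcp
2001-12-24T02:14:30 net src=10.0.5.88 dst=10.0.5.21 dport=21 proto=tcp
"""


@dataclass
class Alert:
    ts: str
    src: str
    decoy: str
    event_class: str
    severity: str
    detail: str


def parse_record(line):
    """Split 'ts kind k=v k=v ...' into (ts, kind, fields); shlex keeps quoted values whole."""
    parts = shlex.split(line)
    ts, kind, kv = parts[0], parts[1], parts[2:]
    fields = dict(item.split("=", 1) for item in kv if "=" in item)
    return ts, kind, fields


def classify(kind, fields, decoys):
    """Return (class, decoy, detail) if the record concerns a decoy, else None."""
    if kind == "net" and fields.get("dst") in decoys:
        return "connection", fields["dst"], f"{fields.get('proto')}/{fields.get('dport')}"
    if kind == "cage" and fields.get("host") in decoys:
        cls = fields.get("type")
        detail = fields.get("data") or fields.get("proc") or fields.get("path") or ""
        return cls, fields["host"], detail
    return None


def analyze(log_text, decoys=DECOY_HOSTS, alert_classes=None):
    """Emit an Alert for every decoy-directed record whose class the policy selects."""
    if alert_classes is None:
        alert_classes = set(CLASS_SEVERITY)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, fields = parse_record(line)
        hit = classify(kind, fields, decoys)
        if hit is None:
            continue  # production traffic: no decoy involved, nothing to alert on
        cls, decoy, detail = hit
        if cls in alert_classes:
            alerts.append(Alert(ts, fields.get("src", "?"), decoy, cls,
                                CLASS_SEVERITY.get(cls, "unknown"), detail))
    return alerts


def audit_trail(alerts):
    """Group alerts by source address into an ordered per-intruder audit trail."""
    trail = defaultdict(list)
    for a in alerts:
        trail[a.src].append((a.ts, a.event_class, a.detail))
    return dict(trail)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} [{a.severity}] {a.src} -> {a.decoy}: {a.event_class} {a.detail}")
    print(audit_trail(found))
```

Run over the constructed sample, `analyze` returns four alerts, all from 10.0.5.77 and all for the decoy, while the two flows to 10.0.5.21 (one of them an FTP connection identical in shape to the flagged one) produce nothing; restricting `alert_classes` to `{"keystroke"}` reduces that to the single keystroke record. `audit_trail` is the per-source grouping that turns the individual alerts into the kind of session record the paragraph calls an audit trail.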