Intrusion Detection Systems (IDS)


An intrusion detection system (IDS) is a security appliance or software that monitors networks, hosts, or applications for unauthorized activity; a network IDS reads traffic through passive sensors, while a host IDS runs as an agent on the monitored system.

  • performs real-time analysis of either network traffic or system and application logs
  • configured with automated threat data
    • lists of IP addresses and domains that are associated with threat actors
  • a network IDS must be configured with a sensor/sniffer to read frames from a mirrored (SPAN) port or TAP
    • this passive sensor
      • does not slow down traffic
      • has no address on the monitored segment, so the attacker cannot easily detect it
  • Advanced IDS/IPS suites analyze
    • information from multiple sensors to identify suspicious traffic flows and host activity

Uses

  • identify and log hosts and applications
  • detect
    • password-guessing attempts
    • port scans
    • worms
    • backdoor applications
    • malformed packets or sessions
    • and other policy violations

Components

  • 3 main components:
    • Sensors
      • monitor systems and generate security events
    • Console
      • used to monitor events and alerts and control sensors
    • Engines
      • record events logged by the sensors in a database and use a system of rules to generate alerts from the security events received
  • 2 databases:
    • one database contains the traffic models (which describe intrusion signatures)
    • second database contains decision rules
      • are rules that specify the reaction to received packets
  • 3 processing modules
    • traffic pre-processor
      • summarizes the traffic activity
    • detection engine
      • traffic models and activity data provided by pre-processor are used to trigger events or alarms
    • decision engine
      • decides what to do regarding detected events or alarms
      • logs the events and alarms
      • generates reports

(figure: Components of an IDS)

Types

  • Network-based IDS/IPS (NIDS/NIPS)
    • monitor network traffic
    • look for patterns or signatures of known threats and unusual network packet behavior
    • effective at identifying and responding to threats across multiple systems
  • Host-based IDS/IPS (HIDS/HIPS)
    • run as agents on end systems to monitor application processes, data files, and log files for suspicious activity
    • core feature:
      • file integrity monitoring (FIM)
        • software that records a baseline (typically a hash) of each system file and re-checks the files against it to ensure they have not been tampered with
    • do not effectively detect network-wide anomalies
    • e.g., OSSEC
      • is an open-source HIDS solution that performs
        • log analysis
        • integrity checking
        • Windows registry monitoring
        • rootkit detection
        • real-time alerting
        • and active response
      • compatible with Linux, Windows, and macOS
  • cannot substitute for each other, use both
    • HIDS
      • do not effectively detect network-wide anomalies
    • NIDS
      • can’t provide detailed visibility into host-specific activities or detect threats that don’t involve network traffic

Types of Detection

The analysis engine is the component that scans and interprets the traffic captured by the sensor in order to identify suspicious traffic.

  • aka decision engine
  • determines an event’s classification with typical options of:
    • ignore, log only, alert, and block (IPS)
  • set of programmed rules drives the analysis engine’s decision-making process
  • several methods of formulating the ruleset:
    • signature-based
    • anomaly-based

Signature-Based Detection

A signature-based IDS maintains a database of signatures that might signal an attack and compares incoming traffic to those signatures.

  • aka pattern-matching
  • works like most antivirus systems
  • engine is loaded with a database of attack patterns or signatures
  • Each pattern represents a known type of malicious activity
    • if matched in traffic stream, IDS raises an alert
  • must be kept up to date with the latest signature patterns
    • via threat feeds

Weaknesses

  • If you don’t have a signature for the attack, you may not see it at all
    • new attacks may not have signatures
  • the attacker may have access to the same IDS tools and craft the attack traffic to specifically avoid detection
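Signature matching and the evasion weakness just listed, as an added example that is not from the notes or from any real IDS: a toy engine holds a few byte-pattern signatures, scans constructed packets, and shows that a URL-encoded copy of a known attack slips past naive matching until the payload is normalized first (the job of the traffic pre-processor described under Components). The signature names and packets are made up for the illustration.

```python
"""Toy signature-based detection engine with and without payload normalization."""
import re
from urllib.parse import unquote_to_bytes

# Each signature: a name and a byte pattern representing a known attack.
SIGNATURES = [
    ("PATH-TRAVERSAL etc/passwd", re.compile(rb"\.\./.*etc/passwd")),
    ("WEB-ATTACK command injection", re.compile(rb";\s*(cat|id|whoami)\b")),
    ("SHELLCODE NOP sled", re.compile(rb"\x90{16,}")),
]


def match_signatures(payload, normalize=False):
    """Return the names of every signature found in a payload.

    With normalize=True the payload is URL-decoded first, so encoded variants
    of a known pattern still hit the signature.
    """
    if normalize:
        payload = unquote_to_bytes(payload)
    return [name for name, pattern in SIGNATURES if pattern.search(payload)]


# Constructed sample packets: HTTP request lines plus one raw exploit buffer.
PACKETS = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /cgi-bin/view?file=../../../etc/passwd HTTP/1.1\r\n\r\n",
    # Same attack with dots and slashes URL-encoded to evade a literal match.
    "traversal_encoded": b"GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1\r\n\r\n",
    "nop_sled": b"A" * 32 + b"\x90" * 64 + b"\xcc\xcc",
}


def scan(packets, normalize=False):
    """Scan a dict of packets; return {packet_name: [matching signature names]}."""
    return {name: match_signatures(data, normalize) for name, data in packets.items()}


if __name__ == "__main__":
    print("naive:     ", scan(PACKETS))
    print("normalized:", scan(PACKETS, normalize=True))
```

URL encoding is only one of many transformations an attacker can apply (case changes, fragmentation, alternate encodings); every one the pre-processor does not undo is a gap that a signature cannot cover.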

Anomaly-Based IDS

Network behavior and anomaly detection (NBAD) is a security monitoring tool that monitors network packets for anomalous behavior, judged against a learned baseline of normal traffic rather than against known signatures.

An anomaly-based IDS works by establishing a baseline of the normal traffic and activity on the network and then measuring present traffic against this baseline in order to detect patterns that are not normally present.

  • aka behavioral detection
  • can detect new attacks or custom attacks very well
  • engine uses heuristics to generate a statistical model of what baseline normal traffic looks like
      • heuristic: a method that uses feature comparisons and likenesses rather than specific signature matching to decide whether the target of observation is malicious
  • Machine learning (ML) has improved this method
    • 2 classes of behavior-based ML detection products:
      • user and entity behavior analytics (UEBA)
        • products that scan indicators from multiple intrusion detection and log sources to identify anomalies
        • often integrated with SIEM platforms
      • network traffic analysis (NTA)
        • apply analysis techniques only to network streams
          • rather than multiple network and log data sources

Weaknesses

  • can produce a larger number of false positives
    • flag legitimate activity that causes unusual traffic patterns or spikes in traffic
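The statistical baseline and the false-positive weakness, as an added example that is not from the notes or from any product: the detector learns the mean and standard deviation of flows per minute for one host from a constructed training window, then scores a constructed test window with a z-score. It flags the port scan it should, and also flags a legitimate backup burst, which is exactly the false positive described above. All counts and timestamps are made up.

```python
"""Toy anomaly-based detector: z-score of flows per minute against a learned baseline."""
import statistics


def learn_baseline(counts):
    """Model of normal: mean and population standard deviation of flows/minute."""
    return statistics.mean(counts), statistics.pstdev(counts)


def zscore(baseline, count):
    """How many standard deviations a count lies from the baseline mean."""
    mean, stdev = baseline
    if stdev == 0:
        return 0.0 if count == mean else float("inf")
    return (count - mean) / stdev


def detect(baseline, observations, threshold=3.0):
    """Return (minute, count, z) for every observation scoring above threshold."""
    alerts = []
    for minute, count in observations:
        z = zscore(baseline, count)
        if z > threshold:
            alerts.append((minute, count, round(z, 1)))
    return alerts


# Constructed training window: 126 minutes of normal traffic for one host.
# The formula spreads the counts evenly over 16..24 flows per minute.
TRAINING = [20 + ((i * 7) % 9) - 4 for i in range(126)]

# Constructed test window for the same host.
OBSERVED = [
    ("02:00", 22),   # normal
    ("02:01", 950),  # port scan from this host: true positive
    ("02:02", 21),   # normal
    ("03:00", 140),  # scheduled backup job: legitimate but flagged (false positive)
    ("03:01", 19),   # normal
]


def run():
    """Learn from TRAINING, score OBSERVED, return the alerts."""
    return detect(learn_baseline(TRAINING), OBSERVED)


if __name__ == "__main__":
    for minute, count, z in run():
        print(f"{minute}: {count} flows/min (z={z})")
```

Raising the threshold would not separate the two alerts here; the usual tuning is a baseline that knows the schedule (a separate model for the backup window, learned from trend data) so that the expected burst stops looking anomalous.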

Using Both

  • Can detect attacks more reliably
  • but runs more slowly and can add lag to detection

Trend Analysis

Trend analysis is the process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events or to better understand past events.

  • can help in tuning IDS/IPS systems

Placing NIDS

  • attach a network IDS to a location where it can monitor the traffic going by
  • typically placed behind a firewall to monitor traffic entering and exiting a security zone
    • aim is to detect suspicious traffic that the firewall has not blocked
      • defense in depth
  • don’t overload with traffic
  • in-band (inline) deployment
    • device sits in the path of network communications
    • device can block suspicious traffic from entering the network
  • Out-of-band (passive) deployment
    • device connects to a SPAN (mirror) port on a switch or to a TAP and sees a copy of the traffic
    • device cannot block; it can only alert (or send resets) after suspicious traffic has already entered the network

Weaknesses of Network IDS

Network IDS typically examine large amounts of traffic, so they generally do a cursory inspection of it.

  • can miss some attacks
  • some attacks are crafted to pass IDS

Packet crafting attacks use packets of traffic that carry attacks or malicious code but are designed to avoid detection by IDS, firewalls, and other similar devices.

Tools