Intrusion Detection Systems

Internet is the global network of devices. With the massive increase in connectivity, organizations around the world have moved a large number of their services online, which have made them heavily reliant on this network. Thus internet connectivity, from a business standpoint, has become a vital need. But this need for connectivity also introduces some risks. As there exist both evil and legitimate users on this network, businesses need a solution that will help them identify the two, and to keep the evil users at bay, while offering swift services to legitimate users.

This very need gave rise to solutions such as firewalls, anti-viruses, anti-malwares and other software and hardware appliances which help us secure our networks and eventually the whole internet (since internet is just a network of inter-connected networks). They protect us from different attacks and malicious entities for example ransomware, trojans, worms, TCP SYN attacks etc. Although these tools provide a way of blocking external attacks and intrusions, but they alone cannot help us in identifying certain attack behaviors. For example, what if the malicious user exists within our internal organizational network? Multiple surveys carried out in the recent times have highlighted the fact that a large number of breaches originate within the organization. Such attacks are hard to detect as they are usually unexpected, and cause the greatest amount of damage. Thus, businesses around the world are now focused to stop such attacks or atleast decrease their frequency, and detect them at the very latest, in addition to the external threats. These are where Intrusion Detection Systems come into play!

An intrusion detection system (IDS) is a device or a software (virtual) application that monitors a network or a host (machine/device) for malicious activity, attacks, and/or policy violations. Any detected incident is typically reported either to an administrator (usually through emails) or collected centrally using a Security Information & Event Management (SIEM) system.

A SIEM is simply a system that combines outputs from multiple sources, and uses alarm filtering techniques to distinguish and highlight any malicious activity.

So, basically, an IDS is a type of monitoring and alerting mechanism for computers and networks. An IDS gathers and analyzes information from various sources within a network to identify possible security breaches, which include both intrusions (attacks from outside the organization/enterprise) and misuse (attacks from within the organization). IDS also make use of “vulnerability assessment” or “vulnerability scanning”, which scans the software installed on the monitored devices to identify and highlight if there exist any vulnerabilities on these systems.

Functions of an IDS include:

· Monitoring and analyzing both user and system activities

· Analyzing system configurations and vulnerabilities

· Assessing system & file integrity

· Ability to recognize patterns of attacks

· Analysis of abnormal activity patterns

· Tracking user policy violations

Now, before going further into the discussion of IDS, one question must be asked,

“Where does an IDS fit into the design of a network security architecture?”

Let us re-visit the diagram that we saw earlier:

An analogy can be drawn between an IDS and a home burglar alarm for the sake of explanation. For example, a padlock provides protection against unauthorized access to the house. It physically stops the burglar while allowing only those with a specific key to access. But relying solely on the security lock can be a mistake.

Experienced burglars have several methods to break-in or overcome the lock. Thus, the burglar alarm exists to alert the owner through raising the alarm any time it detects a breach or a possible attempt of unauthorized access.

Now, in terms of systems, we can consider the lock to be a firewall, or any other physical means of blocking access, and the burglar alarm to be an IDS. The firewall does a great job of preventing attacks and external attempts of unauthorized access. But as in case of experienced burglars, experienced hackers have various ways of overcoming these physical limitations and this is where IDS comes into play.

Every time the IDS detects an attempt of unauthorized access, it raises an alarm and alerts the company personnel to take action. But this could lead to an another unwanted situation, known as “alert fatigue” which is explained by the following meme:

The following points drive home the importance of an IDS within a network:

1. Extremely valuable information is carried over the company’s private networks, and breach of such networks could lead to massive damages, in terms of money and reputation. So, in order to protect that info, we need an IDS.

2. Launching attacks has become relatively easy.

3. A lot of organizations suffer from lax security measures for enforcing internal network security mechanisms.

4. The flow of a large amount of traffic, due to which the visual examination of the logs becomes extremely slow, and ineffective.

5. Deploying an effective IDS has become necessary from the compliance and regulation point of view as well[1].

Now, lets see what a general IDS is made of:

· Management Console: This is where all the juicy stuff happens. Management Console is the front-end of the IDS. It is the graphical user-interface with which you can interact with the IDS, configure alerts, generate reports and even view the ongoing log and network activity. It also gives you several views for observing and managing the activity, and allows you to use the data to generate graphs and visualization, which can help you analyse the data more easily. Visualizations can also help you identify several trends which can be helpful in several ways, such as identifying the top attacks that your system receives, the hour(s) of the day where the frequency of the attempts is the highest, location from where the most attempts originate (c’mon we all know where that is lol!). Plus, management console also provides the configuration of sending the alerts to the respective personnel. This could be through emails, text messages or any other form. Thus, this is by far the most critical part of the IDS infrastructure.

· Sensors/Agents: Sensors are agents which are deployed on the host/devices, which are responsible for sending the data from the hosts to the IDS Manager, which will then use the data to detect any malicious activity. This data also includes the file changes, packet payloads (in case of network devices) and installed packages list (to be used by the vulnerability detector tool)

· Database of Attack Signatures: The database records the different signatures or patterns that previous attacks used and keeps it in a retrievable format. This database is used to detect attacks or malicious activities, by comparing the signatures stored in this database, with the ones extracted from the sensor/agent data.

Now, lets tie the knowledge of the components of the SIEM to understand how they function.

Step 1

The data is generated by the agent running on the host. This data includes file integrity checksums, list of installed packages, process and user activity logs, etc. This data is then sent to the Management Console in near real-time.

Step 2

The Management Console analyses the data. While analyzing, it compares this data to the signatures stored in its attack database. In case of a match, it raises an alarm to alert the personnel. At the same time, it archives this alerts.

Step 3

When the alert is generated, different actions could be taken by the management console, which include:

· Resetting the TCP connection on the host by signalling the host to send a TCP FIN request

· Modify the access control list on the gateway router or the firewall

· Simply send an email notification to the administrator for appropriate action.

Finally, we will delve into the discussion into how many types of IDS are there and how they contribute to the providing an insight into the infrastructure.

Generally, there are 2 basic types of IDS (on the basis of nature). They are:

1. Network Based Intrusion Detection Systems (NIDS)

2. Host Based Intrusion Detection System (HIDS)

Network Based Intrusion Detection Systems (NIDS)

These are placed at a strategic point (or points) within the network to monitor traffic to and from all devices on the network. It performs analysis of traffic passing through the entire network, and matches this traffic to the attack signatures database. Once an attack is identified, or abnormal behavior is detected, an alert is sent to the administrator. Ideally, NIDS should be placed at such a point in the network, where it is able to monitor all the inbound and outbound traffic. However, doing so might create a bottleneck that could negatively impact the overall throughput of the network. Thus, a good practice is to have a monitoring interface configured on the firewall, on which all of the inbound and outbound data is replicated and sent to the NIDS for analysis. Some NIDS also posses the capability of detecting signatures in dropped packets, which contain malicious data, and then using the updated signatures to drop further packets matching the signatures.

NIDS can be further classified into two types:

1. On-line (which analyses the packets in real-time)
2. Off-line (which uses stored network data to identify attacks and raise alerts)

Some popular Network Based IDS include Snort, Bro, Suricata, IBM’s QRadar, and Security Onion.

Host Based Intrusion Detection Systems (HIDS)

These run through agents installed on individual hosts or devices on the network. The agents are responsible for activities such as file integrity monitoring, listing installed packages (for vulnerability assessment), monitoring process and network activity on the host. The agents also take a snapshot of existing system files and matches it to the previous snapshot for checking the file integrity on the monitored hosts, and then sends that data to the management console for analysis and storage.

If the critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their configurations so frequently. Thus, they are generally used to monitor such configuration files.

Some popular host based IDS include Wazuh, IBM QRadar, LogRhythm, Arcsight, and OSSIM.

IDS can also be classified on the basis of the detection mechanism. Namely,

a. Signature-Based IDS

b. Anomaly-Based IDS

Signature-Based IDS refers to the system that detect attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.

This terminology originates from anti-virus software, which refers to these detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it is impossible to detect new attacks, for which no pattern is available.

Anomaly-Based Intrusion Detection System were primarily introduced to detect unknown attacks, in part due to the rapid development of malware. The basic approach is to use machine learning to create a model of trustworthy activity, and then compare new behavior against this model. Although this approach enables the detection of previously unknown attacks, it may suffer from false positives: previously unknown legitimate activity may also be classified as malicious.

Future Progress

New types of anomaly-based intrusion detection systems are being viewed by Gartner as User and Entity Behavior Analytics (UEBA) (an evolution of the user behavior analytics category) and network traffic analysis (NTA). In particular, NTA deals with malicious insiders as well as targeted external attacks that have compromised a user machine or account. Gartner has noted that some organizations have opted for NTA over more traditional IDS.

Thus, this is a brief outline of the vast world of Intrusion Detection Systems. Hopefully this article somewhat helped clear your understanding of how different types of IDS work, and how they help professional such as SOC analysts, security engineers and others to monitor, detect, and then alert against malicious activities.

Feel free to leave your queries and thoughts in the comment section below. I will be more than happy to discuss with you this amazing world of intrusion detection.

Finally, I’ll end this article with a funny comic:

References:

https://www.pciresources.com/pci-dss-requirement-11