INTRUSION DETECTION SYSTEMS
An IDS is an element of securing networks and complements firewall implementations.
It works with routers and firewalls by monitoring network usage anomalies.
It operates continuously on the system, running in the background, and notifies administrators when it detects a perceived threat.
Categories
Network-based IDSs
• Identify attacks within the monitored network.
• If placed between the Internet and the firewall, they detect all attack attempts, whether or not they enter the firewall.
• If placed between a firewall and the corporate network, they detect those attacks that enter the firewall (i.e., they detect intruders).
Host-based IDSs
• Configured for a specific environment.
• Monitor various internal resources of the OS to warn of a possible attack.
• Detect the modification of executable programs and the deletion of files.
• Issue a warning when an attempt is made to use a privileged command.
Components of an IDS are:
• Sensors that are responsible for collecting data, such as network packets, log files and system call traces
• Analyzers that receive input from sensors and determine intrusive activity
• Administration console
• User interface
Types of IDSs include:
• Signature-based
Protect against previously detected intrusion patterns; identified intrusive patterns are stored as signatures. Cannot detect all types of intrusions due to the limitations of the detection rules.
• Statistical-based
Need a comprehensive definition of the known and expected behavior of systems. May report many events outside of the defined normal activity but which are normal activities on the network.
• Neural networks
Monitor the general patterns of activity and traffic on the network and create a database; similar to the statistical model but with added self-learning functionality.
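The signature-based and statistical-based models side by side, as an added example that is not part of the original notes (Python; the signatures, the baseline connection counts and the sample requests are constructed for illustration):

```python
import re
from statistics import mean, pstdev

# Constructed signatures (name -> pattern over the packet payload); a real IDS
# ships thousands of these, but the detection logic is the same lookup.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

def signature_matches(payload: bytes) -> list:
    # Signature-based: a packet is intrusive only if it matches a stored pattern,
    # so an attack with no stored signature is never reported.
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

# Constructed baseline: connections per minute observed during a known-good
# training window (assumed values, not real traffic).
BASELINE_CONN_PER_MIN = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42]

class StatisticalDetector:
    # Statistical-based: learn what "normal" looks like, then flag anything
    # that deviates by more than `threshold_sigmas` standard deviations.
    def __init__(self, baseline, threshold_sigmas=3.0):
        self.mu = mean(baseline)
        self.sigma = pstdev(baseline) or 1.0   # avoid division by zero on a flat baseline
        self.threshold = threshold_sigmas     # too low -> false alarms, too high -> missed attacks

    def z_score(self, value):
        return abs(value - self.mu) / self.sigma

    def is_anomalous(self, value):
        return self.z_score(value) > self.threshold

def triage(payload: bytes, conn_per_min: int, detector: StatisticalDetector) -> dict:
    # Run both models over one observation so their disagreements are visible.
    return {
        "signatures": signature_matches(payload),
        "rate_anomaly": detector.is_anomalous(conn_per_min),
    }

if __name__ == "__main__":
    det = StatisticalDetector(BASELINE_CONN_PER_MIN)
    # Known pattern, normal rate: caught by the signature model only.
    print(triage(b"GET /items?id=1 UNION SELECT name FROM users", 41, det))
    # Nothing in the signature store, but a 90 conn/min burst: caught by the
    # statistical model only (and a nightly backup would trip it the same way).
    print(triage(b"GET /reports/2024.csv", 90, det))
```

Raising `threshold_sigmas` from 3 to 5 makes a 48 conn/min reading pass as normal, which is the threshold trade-off the notes describe for IDS and IPS tuning.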
Features
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response (i.e., termination of connection, alarm messaging)
• Security policy
• Interface with system tools
• Security policy management
Limitations
• Weaknesses in the policy definition
• Application-level vulnerabilities
• Back doors into applications
• Weaknesses in identification and authentication schemes
Actions in case of intrusion detection
Terminate the access
If the intruder presents a significant risk to the organization's data or systems, immediate termination is the usual procedure.
Trace the access
If the risk to the data is low, the activity is not immediately threatening, or analysis of the entry point and attack method is desirable, the IDS can be used to trace the origin of the intrusion. This can be used to determine and correct any system weaknesses and to collect evidence of the attack, which may be used in a subsequent court action.
In either case, the action required should be determined by management in advance and incorporated in a policy. This will save time when an intrusion is detected and may reduce the possible data loss.
INTRUSION PREVENTION SYSTEMS
Whereas an IDS alerts or warns of an attack, requiring security personnel to act, an IPS will try to stop the attack. IPSs can also reconfigure other security controls, such as a firewall or router, to block an attack. An IPS can disconnect an originating network or user session by blocking access to the target from the originating user account and/or IP address.
An IPS can be effective in limiting damage or disruption to systems that are attacked, but it must be properly configured: threshold settings that are too high or too low will lead to limited effectiveness of the IPS. A clever attacker could also send commands to many hosts protected by an IPS to cause them to become dysfunctional.
Honeypots and Honeynets
Honeypots
A honeypot is a software application that pretends to be a vulnerable server on the Internet and is not set up to actively protect against break-ins. The more a honeypot is targeted by an intruder, the more valuable it becomes. There are two basic types:
• High-interaction—Give hackers a real environment to attack
• Low-interaction—Emulate production environments and provide limited information
A honeypot acts as a decoy system that lures hackers. Although it is technically related to IDSs and firewalls, it has no real production value as an active sentinel of networks.
Honeynets
A honeynet is a set of multiple, linked honeypots that simulate a larger network installation. Hackers infiltrate the honeynet, which allows investigators to observe the hackers' actions using a combination of surveillance technologies.
All traffic on honeypots or honeynets is assumed to be suspicious because the systems are not meant for internal use.
There is a risk that external monitoring services that create lists of untrusted sites may report the organization's system as vulnerable, without knowing that the vulnerabilities belong to the honeypot and not to the system itself.
Full Network Assessment Reviews
The following reviews should occur:
• Review logical access controls.
• Review the network and firewall configuration to ensure it is designed to support the security of the services being provided (e.g., screening routers, dual/multihomed host, screened subnet and DMZ proxy servers).
• Review security policy and procedures to determine that good practices are in place, and evaluate them to ensure that they support SoD (e.g., development vs. operation, security administration vs. audit).
• Review that networks are segmented by trust levels, using appropriately configured routers.
• Determine:
– Intrusion detection software is in place.
– Filtering is being performed.
– Encryption is being used (consider VPNs/tunneling, digital signatures for email).
– Strong forms of authentication are being used.
– Firewalls have been configured properly (consider removal of all unnecessary software, addition of security and auditing software, removal of unnecessary logon IDs, disabling of unused services).
– Application- or circuit-level gateways in use are running proxy servers for all legitimate services (e.g., teletype network [Telnet], HTTP and FTP).
– Virus scanning is being used.
– Periodic penetration testing is being completed.
– Audit logging is undertaken for all key systems (e.g., firewalls, application gateways and routers) and audit logs are copied to secure file systems (consider the use of SIEM software).
– Security administrators are keeping up to date with the latest known vulnerabilities through the organization's vendors, their local and international CERT, and vulnerability databases (e.g., the National Vulnerability Database operated by NIST).
SECURITY INFORMATION AND EVENT MANAGEMENT
Security event management (SEM) systems automatically aggregate and correlate security event log data across multiple security devices. This allows security analysts to focus on a manageable list of critical events.
These systems use either rule-based or statistical correlation:
• Rule-based correlation creates situation-specific rules that establish a pattern of events.
• Statistical correlation uses algorithms to calculate threat levels incurred by relevant events on various IT assets.
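Both correlation styles run over the same aggregated event stream, as an added example that is not from the original notes (Python; the log lines, the event weights and the failed-logon rule are constructed assumptions, not any vendor's format or rule set):

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines from three devices (not real data), one event
# per line in the form "<iso-timestamp> <device> <action> key=value ...".
SAMPLE_LOGS = """\
2024-05-01T10:00:01 firewall deny src=203.0.113.5 dst=10.0.0.8 dport=3389
2024-05-01T10:00:04 vpn auth_fail src=203.0.113.5 user=alice
2024-05-01T10:00:09 vpn auth_fail src=203.0.113.5 user=alice
2024-05-01T10:00:15 vpn auth_fail src=203.0.113.5 user=alice
2024-05-01T10:00:21 vpn auth_ok src=203.0.113.5 user=alice
2024-05-01T10:03:00 ids alert src=203.0.113.5 dst=10.0.0.8 sig=port-scan
2024-05-01T10:05:00 vpn auth_fail src=198.51.100.7 user=bob
2024-05-01T10:40:00 vpn auth_ok src=198.51.100.7 user=bob
"""

def parse(text):
    # Aggregation step: normalise every device's line into one event dict.
    events = []
    for line in text.strip().splitlines():
        ts, device, action, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "action": action, **fields})
    return sorted(events, key=lambda e: e["ts"])
def rule_fail_then_success(events, min_fails=3, window=timedelta(minutes=5)):
    # Rule-based correlation: the situation-specific pattern "min_fails failed VPN
    # logons from one source, then a success within the window" -> (src, user).
    by_src = defaultdict(list)
    for e in events:
        if e["device"] == "vpn":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["action"] != "auth_ok":
                continue
            fails = [p for p in evs[:i]
                     if p["action"] == "auth_fail" and e["ts"] - p["ts"] <= window]
            if len(fails) >= min_fails:
                alerts.append((src, e["user"]))
                break
    return alerts
# Assumed per-event weights for the statistical model (illustrative only).
WEIGHTS = {"deny": 1, "auth_fail": 1, "auth_ok": 0, "alert": 5}
def asset_threat_scores(events):
    # Statistical correlation: weighted score per IT asset (the destination host
    # when the event names one, otherwise the device that reported the event).
    scores = defaultdict(int)
    for e in events:
        scores[e.get("dst", e["device"])] += WEIGHTS.get(e["action"], 1)
    return dict(scores)
```

The rule fires once for the first source (three failures, then success, all inside five minutes) and stays silent for the second, while the asset scores rank 10.0.0.8 highest because the firewall deny and the IDS alert both touched it.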
Advantages/uses
• SEM systems provide real-time monitoring, correlation of events, notifications and console views.
• SIEM systems take the SEM capabilities and combine them with the historical analysis and reporting features of security information management (SIM) systems.
• Information security teams should periodically analyze the trends found from SEM or SIEM systems. This allows the organization to investigate incidents as well as allocate appropriate resources to prevent future incidents.
Security operations center (SOC)
A SOC is an organized team created to improve the security posture of an organization and to respond to cybersecurity incidents. It uses SIEM for monitoring and detection.
Strong forms of authentication should also be considered for access to firewalls, to internal software/hardware within the network, and to external hardware/software (consider the use of smart cards and biometrics).
An attack that causes an IPS to make the hosts it protects dysfunctional could be catastrophic in environments where continuity of service is critical.