Cybersecurity: Understanding Intruders

Questions and Answers

Which of the following best describes the primary goal of intrusion detection systems (IDS)?

  • To encrypt all data transmitted over a network.
  • To prevent all unauthorized access to a system.
  • To monitor, analyze, and detect security intrusions. (correct)
  • To serve as a firewall and block malicious traffic.

Internal intruders generally cause less damage than external intruders.

False (B)

Which of the following is a typical motivation for cyber criminals?

  • Financial gain. (correct)
  • Political activism.
  • Curiosity.
  • Espionage.

Match the intruder skill level with its corresponding activity:

  • Apprentice = Uses known tools ('script kiddies')
  • Journeyman = Modifies tools, finds known-type vulnerabilities
  • Master = Creates new exploits/tools, hardest to defend against

Which of the following is an example of an intrusion technique?

Remote root access (A)

A defense-in-depth strategy involves using ______, logs, and authentication to protect against intrusions.

encryption

Intruders typically maintain a static set of techniques and do not adapt to bypass defenses.

False (B)

Which of the following is a reconnaissance technique used by attackers?

Mapping networks using Nmap (A)

Which of the following actions is associated with the 'covering tracks' stage of an attack?

Editing logs (A)

What is the primary function of intrusion detection in the context of system security?

Monitor, analyze, and detect.

Match the component of an IDS with its function:

  • Sensors = Collect data (e.g., network packets, system calls, log files)
  • Analyzers = Interpret sensor data, detect intrusions
  • User Interface = Allows interaction, viewing alerts, and configuring system

Why is early identification and prevention of attacks important?

It increases the risk of detection for attackers. (B)

An IDS design should prioritize only sensitivity, even if it leads to decreased accuracy.

False (B)

Which of the following describes a Host-Based Intrusion Detection System (HIDS)?

Monitors internal host activities (B)

What does a Network-Based Intrusion Detection System (NIDS) primarily analyze?

Network traffic. (B)

A Distributed/Hybrid IDS uses both ______ and network data sources to detect intrusions.

host

What does behavior-based detection assume?

Attacker behavior is different from legitimate user behavior. (D)

An IDS that is 'too strict' is likely to have a high number of false negatives.

False (B)

Which of the following is a consequence of the Base-Rate Fallacy in intrusion detection?

Even a low false positive rate results in many false alerts (B)

Which of the following is a typical requirement for Intrusion Detection Systems?

Continuous operation with minimal supervision (A)

Match the Intrusion Detection Analysis approach with its concept:

  • Anomaly Detection = Build profile of 'normal' behavior
  • Signature/Heuristic Detection = Use known attack patterns or behavior rules

Anomaly detection is best suited for detecting known attacks rather than new or unknown threats.

False (B)

During which phase of anomaly detection is the 'normal' behavior learned?

Training Phase (B)

Which of the following is a disadvantage of anomaly detection?

High false positives (D)

Signature or Heuristic detection is also known as what?

Misuse detection (B)

What is a limitation of signature-based detection systems?

They cannot detect unknown or new (zero-day) threats. (A)

Heuristic detection systems use ______ logic to define suspicious behavior.

rule-based

Host-Based Intrusion Detection Systems (HIDS) can only detect external intrusions, not internal ones.

False (B)

Which activity can HIDS monitor on a system?

System-level events like file changes or system calls (D)

What is the purpose of file integrity checksums?

Detect changes in critical files (B)

In anomaly-based HIDS, what is compared to the modeled normal system behavior?

Real-time behavior.

What challenge is specific to anomaly detection on Windows systems?

System call tracing is obscured by DLLs (D)

Signature/heuristic HIDS are ineffective and are not used in antivirus software.

False (B)

What is a major limitation of signature-based HIDS?

Detecting zero-day attacks (C)

The security tool Tripwire is an example of what?

File Integrity Checker (B)

Which of the following best describes Distributed HIDS?

Coordinates HIDS across multiple hosts (C)

How does NIDS monitor a network?

By monitoring traffic across networks (B)

NIDS cannot see ______ payloads.

encrypted

Which sensor type in NIDS can directly block or modify packets?

Inline Sensors (D)

Where is the best sensor deployment location?

Outside the firewall, inside the firewall, between internal segments, or protecting critical assets or the DMZ (B)

Which of the following is an example of an intrusion detection technique in NIDS?

Signature detection, anomaly detection, or stateful protocol analysis (D)

Flashcards

Who are Intruders?

Unauthorized users accessing or damaging systems.

Intruder Location

Can be external or internal, with internal intruders often causing more damage.

Cyber Criminals

Financial motivation (e.g., theft, ransomware).

Hacktivists

Political or social motives (e.g., Anonymous).

State-sponsored attackers (APTs)

Espionage, sabotage.

Apprentice Intruder

Uses known tools ('script kiddies').

Journeyman Intruder

Modifies tools, finds known-type vulnerabilities.

Master Intruder

Creates new exploits/tools, hardest to defend against.

Intrusion Examples

Remote root access, defacing websites, password cracking, unauthorized data access, packet sniffing, pirated content distribution, social engineering and misuse of logged-in sessions.

Defense-in-Depth Against Intruders

IDS/IPS can detect many known attacks. Need for multi-layered defense: encryption, logs, authentication.

Intruder Behavior Patterns

Adapt and evolve techniques to bypass defenses. Follow structured attack methodologies.

Reconnaissance

Explore corporate/public sources, DNS, WHOIS. Map network using tools like Nmap.

Initial Access

CMS exploit, phishing, password guessing.

Privilege Escalation

Local exploits, sniffing.

Exploitation

Read/modify data, move laterally.

Persistence

Install backdoors, disable security software.

Covering Tracks

Edit logs, use rootkits to hide activity.

Intrusion Detection

Systems that monitor, analyze, and detect security intrusions. Implemented as hardware or software tools.

IDS Sensors

Collect data (e.g., network packets, system calls, log files).

IDS Analyzers

Interpret sensor data, detect intrusions.

IDS User Interface

Allows interaction, viewing alerts, and configuring system.

Why Use Intrusion Detection?

Early identification and prevention of attacks. Deters attackers by increasing risk of detection. Helps improve and inform future security policies.

Host-Based (HIDS)

Monitors internal host activities.

Network-Based (NIDS)

Analyzes network traffic.

Hybrid IDS

Uses both host and network data sources.

Behavior-Based Detection

Assumes attacker behavior != legitimate user behavior. Uses historical data to model "normal" usage. Tries to flag anything significantly different.

The Detection Dilemma

Too strict = False positives. Too loose = False negatives.

Base-Rate Fallacy

Most system activity is benign -> few actual intrusions. Even a low false positive rate results in many false alerts.

IDS Requirements

Continuous operation with minimal supervision. Fault tolerance and ability to detect subversion. Minimal performance overhead. Scalable and adaptable to behavior changes.

Two main methods of Intrusion Detection Analysis

Anomaly Detection and Signature/Heuristic Detection.

Anomaly Detection

Build profile of 'normal' behavior. Detect deviations from this profile. Can identify new/unknown attacks.

Signature/Heuristic Detection

Use known attack patterns or behavior rules. Also known as 'misuse detection'. Quick and reliable for known threats.

Signature Detection - How It Works

Match observed data against a database of signatures.

What is Host-Based Intrusion Detection?

Specialized software running on sensitive systems. Monitors internal host activity for suspicious behavior. Detects both internal and external intrusions.

Common Data Sources in HIDS

Monitor program interaction with OS, track user and system activity, detect changes in critical files, monitor Windows registry interactions.

File Integrity Checkers

Monitor changes in critical system files, use cryptographic hashes for verification.

Network-Based Intrusion Detection

Monitor traffic across networks in real or near-real time, detect patterns or anomalies in packet flow.

Sensor Deployment Locations

Outside firewall (detect raw attacks), inside firewall (check what gets through).

What Are Honeypots?

Decoy systems set up to attract attackers, have no production value – any access is suspicious.

Honeypot Benefits

Reduces false positives, helps identify new vulnerabilities/exploit methods.

Study Notes

Introduction to Intruders

  • Intruders are unauthorized users who access or damage systems.
  • Intruders can be external, which is most common, or internal, which is often more damaging.
  • Attacks are increasing in sophistication and targeting.

Classes of Intruders

  • Cyber Criminals: Driven by financial motivations such as theft or ransomware.
  • Hacktivists: Motivated by political or social causes.
  • State-sponsored attackers (APTs): Engage in espionage and sabotage.
  • Other Intruders: Include curious hackers, hobbyists, or researchers.

Intruder Skill Levels

  • Apprentice: Uses known tools, often referred to as "script kiddies."
  • Journeyman: Modifies tools and finds known-type vulnerabilities.
  • Master: Creates new exploits/tools and is the hardest to defend against.

Intrusion Examples

  • Examples include remote root access and website defacement.
  • Password cracking and unauthorized data access are intrusions.
  • Packet sniffing and distribution of pirated content are intrusions.
  • Social engineering and misuse of logged-in sessions also qualify.

Defense-in-Depth Against Intruders

  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can detect many known attacks.
  • A multi-layered defense is needed, incorporating encryption, logs, and authentication.

Intruder Behavior Patterns

  • Intruders adapt and evolve their techniques to bypass defenses.
  • Intruders tend to follow structured attack methodologies.

Attack Methodology - Step 1: Reconnaissance

  • This step involves exploring corporate/public sources such as DNS and WHOIS.
  • Attackers map the network using tools like Nmap.

Step 2-4: Access, Escalation, Exploitation

  • Initial Access: Achieved through CMS exploits, phishing, or password guessing.
  • Privilege Escalation: Achieved through local exploits or sniffing.
  • Exploitation: Actions include reading/modifying data and moving laterally.

Step 5-6: Persistence and Covering Tracks

  • Installation of backdoors and disabling security software are key.
  • Editing logs and using rootkits to hide activity are also performed.

Intrusion Detection

  • Security Intrusions: These are unauthorized acts that bypass system security.
  • Intrusion Detection: Systems monitor, analyze, and detect such intrusions.
  • Implemented as hardware or software tools.

Components of an IDS

  • Sensors: Collect data such as network packets, system calls, and log files.
  • Analyzers: Interpret sensor data to detect intrusions.
  • User Interface: Allows interaction for viewing alerts and configuring the system.

Why Use Intrusion Detection?

  • Provides early identification and prevention of attacks.
  • It deters attackers by increasing the risk of detection.
  • It helps improve and inform future security policies.

Types of IDS

  • Host-Based (HIDS): Monitors internal host activities.
  • Network-Based (NIDS): Analyzes network traffic.
  • Distributed/Hybrid IDS: Uses both host and network data sources.

Behavior-Based Detection

  • Assumes attacker behavior differs from legitimate user behavior.
  • Historical data is used to model "normal" usage patterns.
  • Tries to flag any activity that's significantly different from the normal model.

The Detection Dilemma

  • Too strict detection leads to false positives, flagging legitimate users.
  • Too loose detection leads to false negatives (missing intrusions).
  • IDS design balances sensitivity and accuracy.

Base-Rate Fallacy

  • Most system activity is benign, so there are few actual intrusions.
  • Even a low false positive rate can result in many false alarms.
  • This can make the system seem unreliable or wasteful of time.

Implications of the Base-Rate Fallacy

  • It is hard to maintain a high detection rate with low false alarms.
  • Extremely accurate tests must be designed.
  • There's a trade-off between sensitivity and alert fatigue.
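The arithmetic behind the Base-Rate Fallacy, as an added worked example that is not part of the original lesson. It applies Bayes' theorem to a constructed scenario with assumed numbers (none of them come from the page): an IDS that detects 99% of intrusions and raises a false alarm on only 1% of benign events, deployed where 1 audited event in 10,000 is actually an intrusion.

```python
"""Base-rate fallacy for IDS alerts: what fraction of alerts are real intrusions?

P(intrusion | alert) = P(alert | intrusion) * P(intrusion) /
                       [P(alert | intrusion) * P(intrusion) + P(alert | benign) * P(benign)]
"""


def alert_precision(base_rate: float, detection_rate: float, false_positive_rate: float) -> float:
    """Return P(intrusion | alert), the fraction of alerts that are real intrusions.

    base_rate           P(intrusion): fraction of all audited events that are intrusions
    detection_rate      P(alert | intrusion): sensitivity / true-positive rate
    false_positive_rate P(alert | benign): fraction of benign events that raise an alert
    """
    true_alerts = detection_rate * base_rate
    false_alerts = false_positive_rate * (1.0 - base_rate)
    return true_alerts / (true_alerts + false_alerts)


def expected_alerts(events: int, base_rate: float, detection_rate: float,
                    false_positive_rate: float):
    """Expected (true alerts, false alerts) over a given number of audited events."""
    intrusions = events * base_rate
    benign = events - intrusions
    return detection_rate * intrusions, false_positive_rate * benign


def required_false_positive_rate(base_rate: float, detection_rate: float,
                                 target_precision: float) -> float:
    """Return the P(alert | benign) needed for P(intrusion | alert) to reach target_precision.

    Solving the Bayes expression for the false-positive rate shows why the fallacy
    forces 'extremely accurate tests': a tiny base rate tolerates an even tinier
    false-positive rate.
    """
    true_alerts = detection_rate * base_rate
    # precision = T / (T + F)  =>  F = T * (1 - precision) / precision
    false_alerts = true_alerts * (1.0 - target_precision) / target_precision
    return false_alerts / (1.0 - base_rate)


if __name__ == "__main__":
    # Constructed scenario (assumed numbers): 1 intrusion per 10,000 events,
    # 99% detection rate, 1% false-positive rate, 1,000,000 audited events per day.
    base, tpr, fpr, daily_events = 1e-4, 0.99, 0.01, 1_000_000
    print(f"P(intrusion | alert) = {alert_precision(base, tpr, fpr):.4f}")
    true_a, false_a = expected_alerts(daily_events, base, tpr, fpr)
    print(f"per day: {true_a:.0f} true alerts vs {false_a:.0f} false alerts")
    print(f"FPR needed for 50% precision: {required_false_positive_rate(base, tpr, 0.5):.2e}")
```

With these inputs fewer than 1% of alerts are genuine (99 true alerts buried in about 9,999 false ones per million events), and the false-positive rate would have to fall to roughly 1 in 10,000 benign events before even half of the alerts were real. That is the trade-off between sensitivity and alert fatigue in numbers.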

IDS Requirements

  • Continuous operation with minimal supervision is necessary.
  • Fault tolerance and the ability to detect subversion are key.
  • Minimal performance overhead is required.
  • Needs to be scalable and adaptable to behavior changes.

Intrusion Detection Analysis Approaches

  • Two main methods are Anomaly Detection and Signature/Heuristic Detection.
  • Methods differ in how they define and detect intrusions.

Anomaly Detection – Concept

  • Anomaly detection builds a profile of 'normal' behavior.
  • Detects deviations from this baseline profile.
  • It can identify new/unknown attacks.

Anomaly Detection – Phases

  • Includes a training phase to learn normal behavior.
  • Includes a detection phase to compare current behavior to a learned model.
  • It has a high false positive risk if normal behavior changes.

Anomaly Detection – Techniques

  • Employs Statistical Models that can be univariate, multivariate, or time-series-based.
  • Employs knowledge-based systems that are based on expert-defined rules.
  • Employs machine learning such as data-driven models (e.g., neural nets).

Anomaly Detection – Pros & Cons

  • Pros: Detects novel attacks, is flexible, and is adaptive.
  • Cons: High false positives, requires good training data, and is resource intensive.

Signature/Heuristic Detection – Concept

  • Uses known attack patterns or behavior rules.
  • Also known as 'misuse detection.'
  • It's quick and reliable for known threats.

Signature Detection – How It Works

  • Matches observed data against a database of signatures.
  • It's used in antivirus and network security systems.
  • Signature detection cannot detect unknown or new (zero-day) threats.

Heuristic Detection

  • Uses rule-based logic to define suspicious behavior.
  • Rules come from analysis of known attack scripts/tools and expert security knowledge.
  • It can detect suspicious but not necessarily malicious activity.

What is Host-Based Intrusion Detection?

  • Refers to specialized software running on sensitive systems.
  • Monitors internal host activity for suspicious behavior.
  • Detects both internal and external intrusions.

Benefits of HIDS

  • Monitors system-level events such as file changes or system calls.
  • Can detect unauthorized internal user actions.
  • Complements Network-based IDS (NIDS).

Common Data Sources in HIDS

  • System call traces: Monitor program interaction with OS.
  • Audit (log) files: Track user and system activity.
  • File integrity checksums: Detect changes in critical files.
  • Registry access: Monitors Windows registry interactions.

Anomaly-Based HIDS

  • Learns normal system behavior, often via system calls.
  • Compares real-time behavior to this model.

Anomaly Detection Challenges

  • Windows systems: DLLs obscure system call tracing.
  • Training phase is resource intensive.
  • It is prone to false positives and detection limits.
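The training and detection phases of an anomaly-based HIDS, as an added example that is not from the lesson or any particular product. It models 'normal' behaviour as the set of short system-call sequences (length-k windows) seen while a program behaves normally, which is the classic sequence-based approach for host anomaly detection. The daemon, its traces and the post-exploitation trace are all constructed for the example; the 'upgraded server' trace is there to show the false positive that appears when normal behaviour changes.

```python
"""Anomaly-based HIDS over system-call traces: a training phase, then a detection phase.

The 'normal' model is the set of every length-k window of consecutive system
calls observed in training traces. A new trace is scored by the fraction of its
windows that never occurred in training; above a threshold, it is flagged.
"""
from collections import deque


class SyscallProfile:
    def __init__(self, k: int = 3):
        self.k = k
        self.normal_windows: set[tuple] = set()

    def _windows(self, trace):
        window = deque(maxlen=self.k)
        for call in trace:
            window.append(call)
            if len(window) == self.k:
                yield tuple(window)

    def train(self, traces):
        """Training phase: remember every k-window seen while the program behaved normally."""
        for trace in traces:
            self.normal_windows.update(self._windows(trace))

    def score(self, trace) -> float:
        """Detection phase: fraction of k-windows in trace that the model has never seen."""
        windows = list(self._windows(trace))
        if not windows:
            return 0.0
        unseen = sum(1 for w in windows if w not in self.normal_windows)
        return unseen / len(windows)

    def is_anomalous(self, trace, threshold: float = 0.2) -> bool:
        return self.score(trace) > threshold


# Constructed traces of a small file-serving daemon handling one request each.
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "write", "close", "write", "close"],
    ["accept", "read", "open", "read", "read", "write", "close", "write", "close"],
    ["accept", "read", "write", "close"],                       # 404: nothing opened
    ["accept", "read", "open", "read", "write", "close", "write", "close"],
]

# Constructed post-exploitation trace: the daemon spawns a shell and connects out.
ATTACK_TRACE = ["accept", "read", "mmap", "mprotect", "fork", "execve",
                "dup2", "dup2", "read", "write"]

# Constructed trace after a benign upgrade: the daemon now stat()s files first.
UPGRADED_SERVER_TRACE = ["accept", "read", "stat", "open", "read", "write",
                         "close", "write", "close"]


def build_profile(k: int = 3) -> SyscallProfile:
    profile = SyscallProfile(k)
    profile.train(NORMAL_TRACES)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    for label, trace in [("normal", NORMAL_TRACES[2]), ("attack", ATTACK_TRACE),
                         ("after upgrade", UPGRADED_SERVER_TRACE)]:
        print(f"{label:14s} score={profile.score(trace):.2f} anomalous={profile.is_anomalous(trace)}")
    # Retraining on the new normal removes the false positive, which is why
    # anomaly HIDS need periodic re-baselining on traces known to be attacker-free.
    profile.train([UPGRADED_SERVER_TRACE])
    print(f"{'retrained':14s} score={profile.score(UPGRADED_SERVER_TRACE):.2f}")
```

The attack trace scores 1.0 (every window is unseen) and is caught without any signature for it, but the benign upgrade also scores 3/7 and is flagged until the profile is retrained. Real deployments add the Windows-specific caveat from the list above: when most activity goes through DLLs rather than direct system calls, the trace the model sees is much less informative.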

Signature/Heuristic HIDS

  • Common in antivirus software.
  • Uses known malware signatures or behavior rules.
  • It is efficient and effective for known threats.

Limitations of Signature-Based HIDS

  • Cannot detect zero-day attacks.
  • Requires constant updates to signature databases.
  • Often bypassed by polymorphic or obfuscated malware.

File Integrity Checkers

  • Monitor changes in critical system files.
  • Use cryptographic hashes for verification.
  • An example is Tripwire (available on Linux, Windows, macOS).
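A minimal file integrity checker in the style of Tripwire, as an added example that is not Tripwire's code or part of the lesson. It records a SHA-256 hash, size and mode for every file under a directory, stores that baseline as JSON, and later reports added, removed and modified files. The directory tree, the 'trojaned' binary and the dropped backdoor are all constructed inside a temporary directory so the example runs offline.

```python
"""Tripwire-style file integrity checker: record cryptographic hashes of critical
files once, then compare the live filesystem against that baseline."""
import hashlib
import json
import tempfile
from pathlib import Path

HASH_ALGORITHM = "sha256"


def hash_file(path: Path) -> str:
    digest = hashlib.new(HASH_ALGORITHM)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Return {relative path: {hash, size, mode}} for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "hash": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; a hash change is reported even when size and mode are unchanged."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline, simulated intrusion, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "motd").write_text("Authorized use only.\n")

        # The baseline must live somewhere the intruder cannot rewrite
        # (read-only media, a remote host, or a signed store); here a sibling file.
        baseline_path = Path(tmp) / "baseline.json"
        baseline_path.write_text(json.dumps(build_baseline(root)))

        # Simulated intrusion: trojaned binary of identical size, new root account,
        # dropped helper script, deleted banner file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls binary")
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/bash\n")
        (root / "bin" / ".bd").write_bytes(b"#!/bin/sh\n# attacker-dropped helper\n")
        (root / "etc" / "motd").unlink()

        return compare(json.loads(baseline_path.read_text()), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The replaced `bin/ls` keeps its exact size and mode, so only the hash reveals it; that is why integrity checkers rely on cryptographic hashes rather than timestamps or sizes. The check is only as trustworthy as the baseline: an attacker with root who can also rewrite `baseline.json` (or the checker itself) defeats it, which is the reason for storing the baseline off-host or on read-only media and for running the checker from trusted media.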

Distributed HIDS

  • Coordinate HIDS across multiple hosts.
  • Can use a centralized or decentralized architecture.
  • Enhances detection by aggregating and correlating data.

Network-Based Intrusion Detection

  • Monitors traffic across networks in real or near-real time.
  • Detects patterns or anomalies in packet flow.
  • Often deployed at perimeter points such as firewalls.

NIDS vs HIDS

  • NIDS observes network traffic, ideal for detecting external attacks.
  • HIDS monitors internal host behavior.
  • NIDS cannot see encrypted payloads unless decrypted before inspection; HIDS can see decrypted data.

Sensor Types in NIDS

  • Inline Sensors: Directly in the path of traffic and can block/modify packets.
  • Passive Sensors: Listen to copies of traffic and cannot interfere in real-time.
  • Trade-off: inline sensors can act on traffic (prevention) but sit in the data path and add latency and a failure point; passive sensors are stealthy and add no latency but can only alert.

Passive Sensor Deployment

  • Connects via tap or mirror port.
  • It's stealthy (no IP address on the sniffing interface).
  • Uses a second NIC for reporting to the management console.

Sensor Deployment Locations

  • Outside the firewall (detect raw attacks).
  • Inside the firewall (check what gets through).
  • Between internal segments (catch lateral movement).
  • Protect critical assets or DMZ.

Intrusion Detection Techniques in NIDS

  • Includes signature detection by matching packets to known patterns.
  • Includes anomaly detection to identify unusual network behaviors.
  • Includes Stateful Protocol Analysis (SPA) to compare traffic against expected protocol behavior.

Signature Detection – NIDS Examples

  • Application-level attacks such as HTTP, FTP, and DNS exploits are detected.
  • Transport-level attacks such as port scans and SYN floods are detected.
  • Network-level attacks with IP spoofing and invalid headers are detected.
  • Policy violations due to unauthorized services/websites are detected.

Anomaly Detection – NIDS Examples

  • DoS attacks with unusual traffic volume are identified.
  • Scanning activity with repeated connection attempts to many hosts/ports is identified.
  • Worms with rapid spread and unusual communication patterns are detected.

Logging and Alerting

  • Sensors record timestamp, session ID, alert type, and severity.
  • Sensors also record source/destination IPs and ports.
  • Protocols and payload are also logged to help refine IDS rules and support forensics.
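A toy NIDS analyzer, as an added example that is not part of the lesson or of any real product such as Snort or Suricata. It combines the two NIDS techniques listed above, signature matching on application payloads and threshold-based detection of scanning activity, and writes each hit as an alert record carrying the fields from the logging list (timestamp, session ID, alert type, severity, addresses and ports, protocol, payload excerpt). All packets, addresses and signatures are constructed for the example.

```python
"""Toy NIDS analyzer: signature matching plus a threshold-based port-scan detector.

Each hit produces an alert record with the fields the lesson lists: timestamp,
session ID, alert type, severity, source/destination IPs and ports, protocol,
and a payload excerpt. Traffic below is constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, asdict
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str = ""      # TCP flags as letters, e.g. "S" for a bare SYN
    payload: bytes = b""


@dataclass
class Alert:
    ts: float
    session_id: str
    alert_type: str
    severity: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: str  # excerpt kept for rule tuning and forensics

    def to_record(self) -> dict:
        return asdict(self)


# Signature database: (name, severity, pattern). Patterns run on the URL-decoded
# payload so that "..%2F" is seen as "../" (a minimal normalizer; real sensors also
# handle double encoding, Unicode, chunking and TCP stream reassembly).
SIGNATURES = [
    ("HTTP path traversal", "high", re.compile(rb"\.\./")),
    ("SQL injection attempt", "high", re.compile(rb"(?i)union\s+select")),
    ("Shell metacharacters in request", "medium", re.compile(rb"[;|`]\s*(cat|sh|bash|nc)\b")),
]


def session_id(p: Packet) -> str:
    return f"{p.proto}:{p.src}:{p.sport}->{p.dst}:{p.dport}"


class NetworkSensor:
    def __init__(self, scan_ports: int = 10, scan_window: float = 5.0):
        self.scan_ports = scan_ports      # distinct (host, port) targets before alerting
        self.scan_window = scan_window    # seconds of SYN history kept per source
        self._syns = defaultdict(list)    # src -> [(ts, dst, dport), ...]
        self._scan_alerted = set()
        self.alerts: list[Alert] = []

    def run(self, packets):
        for p in packets:
            self._signature_check(p)
            self._scan_check(p)
        return self.alerts

    def _emit(self, p, alert_type, severity, excerpt):
        self.alerts.append(Alert(p.ts, session_id(p), alert_type, severity,
                                 p.src, p.sport, p.dst, p.dport, p.proto, excerpt))

    def _signature_check(self, p):
        if not p.payload:
            return
        normalized = unquote_to_bytes(p.payload)
        for name, severity, pattern in SIGNATURES:
            if pattern.search(normalized):
                self._emit(p, name, severity, p.payload[:80].decode("latin-1"))

    def _scan_check(self, p):
        if p.proto != "tcp" or p.flags != "S":
            return
        history = self._syns[p.src]
        history.append((p.ts, p.dst, p.dport))
        history[:] = [h for h in history if p.ts - h[0] <= self.scan_window]
        targets = {(dst, dport) for _, dst, dport in history}
        if len(targets) >= self.scan_ports and p.src not in self._scan_alerted:
            self._scan_alerted.add(p.src)
            self._emit(p, "Port scan", "medium",
                       f"{len(targets)} distinct targets within {self.scan_window}s")


# Constructed traffic: one benign request, two application-level attacks from the
# same source, and a fast port sweep from a third address.
TRAFFIC = [
    Packet(1.0, "10.0.0.5", 51000, "10.0.0.80", 80, "tcp", "S"),
    Packet(1.1, "10.0.0.5", 51000, "10.0.0.80", 80, "tcp", "PA",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.internal\r\n\r\n"),
    Packet(2.0, "198.51.100.7", 40001, "10.0.0.80", 80, "tcp", "S"),
    Packet(2.1, "198.51.100.7", 40001, "10.0.0.80", 80, "tcp", "PA",
           b"GET /static/..%2F..%2F..%2Fetc/passwd HTTP/1.1\r\nHost: www.example.internal\r\n\r\n"),
    Packet(3.0, "198.51.100.7", 40002, "10.0.0.80", 80, "tcp", "S"),
    Packet(3.1, "198.51.100.7", 40002, "10.0.0.80", 80, "tcp", "PA",
           b"GET /item?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1\r\n\r\n"),
] + [
    Packet(100.0 + i * 0.1, "203.0.113.9", 60000 + i, "10.0.0.80", port, "tcp", "S")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080])
]

if __name__ == "__main__":
    for alert in NetworkSensor().run(TRAFFIC):
        print(alert.to_record())
```

Two practical points the code makes explicit: signatures only work on data the sensor can see and has normalized (the encoded `..%2F` would slip past a raw byte match, and an encrypted payload would defeat it entirely), and the scan detector is a threshold over a sliding window, so a slow scan that stays under ten targets per five seconds is never reported by this sensor alone.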

Distributed or Hybrid IDS

  • Combines multiple IDS components (HIDS, NIDS) across systems.
  • Enables better correlation and broader visibility.
  • Useful for detecting complex or stealthy attacks.

Why Distributed IDS?

  • Individual IDSs may miss stealthy or slow attacks.
  • Combining data increases detection accuracy.
  • Useful for networks with mobile and dynamic hosts.

Hybrid Detection Strategy

  • HIDS provides deep host-level visibility.
  • NIDS monitors network activity broadly.
  • Hybrid systems aggregate insights from both layers.

Advantages of Cooperation

  • Detect attacks missed by individual sensors.
  • Reduce false positives using consensus.
  • Adapt more quickly to new attack patterns.

Peer-to-Peer Communication

  • Nodes share 'suspicion levels' using gossip protocols.
  • Alerts are triggered only if multiple nodes agree.
  • Helps detect slow, distributed attacks.
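Quorum-based alerting over gossiped suspicion levels, as an added example that is not part of the lesson and does not model any specific product's protocol. Each host's sensor keeps a per-source suspicion level, shares it with peers, and a coordinator raises a distributed alert only when a quorum of nodes agree; the probes and hosts are constructed so that a slow scan touching two ports per host stays below every local threshold yet is caught by the consensus.

```python
"""Cooperating sensors: each node keeps a local suspicion level per source and
gossips it to peers; a distributed alert needs agreement from a quorum of nodes.

This is what lets a slow, spread-out scan be caught when no single host sees
enough probes to cross its own threshold.
"""
from collections import defaultdict


class NodeSensor:
    """One host's sensor: counts distinct ports probed by each source address."""

    def __init__(self, name: str, local_threshold: int = 5):
        self.name = name
        self.local_threshold = local_threshold
        self._ports_by_src = defaultdict(set)

    def observe(self, src: str, dport: int) -> None:
        self._ports_by_src[src].add(dport)

    def suspicion(self, src: str) -> float:
        """Suspicion level in [0, 1]: fraction of the local scan threshold reached."""
        return min(1.0, len(self._ports_by_src.get(src, ())) / self.local_threshold)

    def local_alert(self, src: str) -> bool:
        return self.suspicion(src) >= 1.0

    def gossip(self) -> dict:
        """Suspicion levels this node shares with its peers."""
        return {src: self.suspicion(src) for src in self._ports_by_src}


class GossipCoordinator:
    """Aggregates gossiped suspicion; alerts only when >= quorum nodes agree a source is suspicious."""

    def __init__(self, nodes, quorum: int = 3, min_suspicion: float = 0.2):
        self.nodes = nodes
        self.quorum = quorum
        self.min_suspicion = min_suspicion

    def evaluate(self) -> dict:
        votes = defaultdict(dict)                  # src -> {node name: suspicion}
        for node in self.nodes:
            for src, level in node.gossip().items():
                if level >= self.min_suspicion:
                    votes[src][node.name] = level
        return {src: sorted(v) for src, v in votes.items() if len(v) >= self.quorum}


def build_scenario():
    """Constructed probes: a slow distributed scan, a noisy single-host scan, a benign monitor."""
    nodes = [NodeSensor("hostA"), NodeSensor("hostB"), NodeSensor("hostC")]
    host_a, host_b, host_c = nodes

    # 203.0.113.9 touches only two ports per host: below every local threshold.
    for port in (22, 80):
        host_a.observe("203.0.113.9", port)
    for port in (443, 445):
        host_b.observe("203.0.113.9", port)
    for port in (3389, 8080):
        host_c.observe("203.0.113.9", port)

    # 198.51.100.7 hammers hostB alone: hostB alerts locally, peers see nothing.
    for port in (21, 22, 23, 25, 80, 110, 143):
        host_b.observe("198.51.100.7", port)

    # 10.0.0.10 is a monitoring server that legitimately checks several ports on hostA.
    for port in (22, 80, 443, 9100):
        host_a.observe("10.0.0.10", port)

    return nodes, GossipCoordinator(nodes, quorum=3, min_suspicion=0.2)


if __name__ == "__main__":
    nodes, coordinator = build_scenario()
    for node in nodes:
        print(node.name, node.gossip())
    print("distributed alerts:", coordinator.evaluate())
```

The monitoring server looks fairly suspicious to hostA on its own (0.8) but never reaches the quorum, which is the 'reduce false positives using consensus' point; the distributed scanner looks harmless to each node (0.4) yet is the only source all three agree on. A real deployment has to secure the gossip channel too, since a compromised node could flood peers with bogus suspicion or suppress its own.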

Intel's Autonomic Security Model

  • Treats every host/router as a potential sensor.
  • Local decisions plus shared data equals smarter global defense.
  • Example of adaptive, distributed protection.

Benefits of Hybrid IDS

  • Early detection with fewer false positives.
  • More effective against stealthy or multi-stage attacks.
  • Adapts to changing environments and attack tactics.

Need for a Common Exchange Format

  • IDS systems from different vendors must interoperate.
  • Standard formats help in sharing alerts, logs, and threat data.

What Are Honeypots?

  • Decoy systems set up to attract attackers.
  • Have no production value – any access is suspicious.
  • Used to detect, deflect, and study intrusion attempts.

Goals of Honeypots

  • Divert attackers from valuable assets.
  • Gather intelligence on attacker behavior/tools.
  • Buy time for defenders to respond.

How Honeypots Work

  • Imitate vulnerable systems/services.
  • Are filled with fake but believable data.
  • Are instrumented with logging/monitoring tools.
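A low-interaction honeypot in a few dozen lines, as an added example that is not part of the lesson and not the code of any honeypot project. It listens on a TCP port, presents an FTP-style banner to look like an old, interesting service, records every connection with a timestamp, peer address and the first bytes sent, and otherwise does nothing. The 'attacker' is a constructed client in the same script, and the listener binds to 127.0.0.1 on an OS-chosen port so the example runs offline.

```python
"""Low-interaction honeypot: a fake service that does nothing except log whoever touches it."""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class HoneypotEvent:
    ts: float
    peer_ip: str
    peer_port: int
    data: bytes  # first bytes the visitor sent after our banner


class LowInteractionHoneypot:
    """Listens on a TCP port, presents a plausible banner, records every connection.

    Nothing legitimate ever connects here, so each event is an alert in itself.
    """

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 files.corp.internal FTP server (vsFTPd 2.3.4) ready.\r\n"):
        self.banner = banner
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(8)
        self._sock.settimeout(0.1)  # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def address(self):
        return self._sock.getsockname()  # (ip, port); the OS picks the port when 0

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                data = b""
                try:
                    conn.sendall(self.banner)   # emulate just enough to look real
                    data = conn.recv(512)       # capture what the visitor tries first
                except (OSError, socket.timeout):
                    pass
                with self._lock:
                    self.events.append(HoneypotEvent(time.time(), ip, port, data))


def probe(address, payload=b"USER anonymous\r\n"):
    """Constructed 'attacker': connect, read the banner, send one command, disconnect."""
    with socket.create_connection(address, timeout=2.0) as s:
        banner = s.recv(512)
        s.sendall(payload)
    return banner


def demo():
    honeypot = LowInteractionHoneypot().start()
    try:
        banner = probe(honeypot.address, b"USER anonymous\r\n")
        probe(honeypot.address, b"USER root\r\nPASS toor\r\n")
    finally:
        honeypot.stop()
    return banner, honeypot.events


if __name__ == "__main__":
    banner, events = demo()
    print("banner served:", banner)
    for event in events:
        print(f"{event.ts:.3f} {event.peer_ip}:{event.peer_port} sent {event.data!r}")
```

Because the listener never executes anything a visitor sends, a low-interaction honeypot like this carries little risk, at the price of realism: an attacker who issues a second FTP command gets no reply and may move on. The captured first commands (here a credential-guessing attempt) are exactly the intelligence the 'Goals of Honeypots' list is after, and every event is worth an alert, since no production client should ever have reached this port.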

Types of Honeypots

  • Low-Interaction Emulate limited services and are easier to deploy with lower risk.
  • High-Interaction use real systems with full OS/services, are more realistic, but carry greater risk.

High vs Low Interaction

  • Low-interaction honeypots: low risk, limited realism, basic information gain, easy deployment.
  • High-interaction honeypots: high risk, high realism, detailed information gain, complex deployment.

Deployment Locations for Honeypots

  • Outside firewall to track external scans/attacks.
  • In DMZ, mimicking public-facing servers.
  • Inside network, detecting internal threats and lateral movement.

Honeypot Benefits

  • Reduces false positives (no legit use of system).
  • Helps identify new vulnerabilities/exploit methods.
  • Complements IDS by detecting stealthy threats.

Risks of Honeypots

  • If compromised, they may be used to launch further attacks.
  • Must be carefully monitored and isolated.

Honeyfiles

  • Fake documents designed to lure intruders.
  • Can trigger alerts when accessed.
  • Example: A file named 'passwords.xlsx' on a shared drive.
