Intrusion Detection Systems (IDS) Overview

Questions and Answers

What is a significant challenge of Host Intrusion Detection Systems (HIDS) in large networks?

  • They require minimal configuration for different operating systems.
  • They are easy to maintain.
  • They can be disabled by attackers after compromise. (correct)
  • They can often be monitored effectively from a single location.

Which of the following describes a typical indication of a system intrusion?

  • Unchanged system software.
  • Gaps in system accounting. (correct)
  • Consistent and complete log files.
  • Regular system reboots.

When selecting an Intrusion Detection System (IDS), what is a crucial technical consideration?

  • The popularity of the product among users.
  • The color and design of the user interface.
  • The brand of the product.
  • The scalability of the product. (correct)

Which of the following is most likely a network intrusion detection event?

Answer: Repeated probes of services on a machine. (B)

What is an expected user requirement that an IDS product must address?

Answer: Adaptability to the user's skill level. (D)

In the context of Network Intrusion Detection, what does an arbitrary data entry in log files suggest?

Answer: Potential Denial of Service attempts. (C)

What is a notable drawback of analyzing intrusion attempts across multiple hosts in an IDS?

Answer: Difficulty in maintaining consistency in analysis. (A)

What is a significant organizational constraint when choosing an IDS product?

Answer: Financial resources and budget constraints. (A)

What is the primary function of a network-based intrusion detection system (IDS)?

Answer: To monitor and analyze data packets traveling over a network. (A)

Which detection method does not rely on specific known patterns of attacks?

Answer: Anomaly detection. (A)

What is a common challenge in the maintenance of an IDS?

Answer: High rate of false positives affecting system reliability. (C)

What role does an IDS play in terms of security documentation within an organization?

Answer: It assists in documenting existing security violations and threats. (B)

How does an IDS signal a potential intrusion event?

Answer: Through alarms and notifications to administrators. (C)

Which control strategy is aimed specifically at identifying misuse of a system?

Answer: Misuse detection. (C)

What is an essential feature of host-based Intrusion Detection Systems (HIDS)?

Answer: Monitoring changes to system files and configurations. (D)

What is a benefit of deploying an IDS in a network?

Answer: It increases the perceived risk of discovery and punishment for attackers. (A)

What is a characteristic of a fully distributed IDS control strategy?

Answer: All control functions operate at each IDS component's physical location. (D)

Which combination of IDS types allows for coverage of both individual systems and networks?

Answer: Network-Based IDS (NIDS) and Host-Based IDS (HIDS). (B)

What is one advantage of using padded cells?

Answer: They offer a secure environment for monitoring attacker behavior. (A)

What is the purpose of deploying NIDS sensors behind each external firewall?

Answer: To enhance protection from external attacks. (C)

What is a challenge associated with the proper implementation of HIDS?

Answer: It can be time-consuming and complex. (D)

Which metric is NOT typically used to evaluate the effectiveness of IDS?

Answer: Cost of the IDS deployment. (B)

What legal concern is associated with trap and trace systems?

Answer: They may inadvertently lead to entrapment. (B)

What is a disadvantage of honey pots regarding security technology?

Answer: Legal implications of their use are unclear. (A)

Which of the following locations is NOT recommended by NIST for NIDS sensors?

Answer: Inside the corporate headquarters. (C)

What does a honey net refer to?

Answer: Network of several honey pots for enhanced monitoring. (C)

What is the primary function of honey pots?

Answer: To lure attackers away from critical systems. (C)

Which of the following statements is incorrect regarding partially distributed IDS control strategies?

Answer: They can only detect internal threats. (B)

What role does a honey pot have in the context of responder activities?

Answer: To prolong engagement while gathering data on the attacker. (A)

Which is an essential consideration in the deployment strategy for IDS?

Answer: Analyzing the organization's specific security requirements. (D)

Flashcards

Host-Based Intrusion Detection (HIDS)

HIDS monitors and analyzes data originating from a computer hosting a service, like a web server. The data helps identify malicious activity.

HIDS Drawbacks (Large Networks)

Analyzing intrusion attempts across many computers in a large network with varied operating systems and configurations is difficult with HIDS.

HIDS and Attackers

Intruders can potentially disable a compromised host's HIDS system after gaining unauthorized access.

System Intrusion Indicators

Unusual signs suggesting malicious activity, such as altered system files, discrepancies in account usage, system failures, and unexpected messages.

Network Intrusion Indications

Indications of a network attack include repeated probes of available services, connections from unusual locations, suspicious log entries suggesting Denial-of-Service attempts, or an unusual number of login attempts.

Selecting IDS Products

Choosing an Intrusion Detection System (IDS) requires careful consideration of your system's setup, security objectives, existing policies, and resource constraints. Factors such as scalability and ongoing support are important.

Evaluations of IDS Products

When selecting an IDS, consider its scalability, user expertise level, testing history, support provisions, and ongoing suitability as the environment evolves.

Identifying Malicious Packets

Captured packets are compared against empirical data (known attack patterns and baselines) to confirm whether they are malicious. This comparison is what establishes the nature of a packet.

IDS (Intrusion Detection System)

A system that monitors network or computer activities to identify and signal potential security breaches.

Packet Sniffer

A type of IDS that intercepts and analyzes network packets to detect potential intrusions.

Signature Recognition

IDS method that identifies malicious activity based on known attack patterns.

Anomaly Detection

IDS method that detects intrusions by identifying unusual or unexpected network behaviors.

Network-based IDS

A type of IDS that monitors network traffic for malicious activities.

False Alarm

An IDS alert that is not caused by a real security violation.

True Attack

A real security violation that is detected by an IDS.

IDS Functionality

Detects unauthorized network activity, malicious code, and potential security breaches.

Centralized IDS

All IDS control functions are managed from a single point.

Fully Distributed IDS

Each IDS component has its own control functions, independent of others.

Partially Distributed IDS

A mix of centralized and distributed control, with local analysis and reporting to a central authority.

NIDS Deployment Locations

Where to place network intrusion detection systems for optimal coverage.

NIDS Location 1

Behind the external firewall, in the DMZ.

NIDS Location 2

Outside the external firewall.

NIDS Location 3

On major network backbones.

NIDS Location 4

On critical subnets.

HIDS Deployment

Implementing host-based intrusion detection systems, starting with critical systems.

IDS Effectiveness Metrics

Measuring the effectiveness of an IDS using detection rate and failure tolerance.

IDS Testing

Verifying the performance of an IDS using real-world scenarios.

Honey Pot

A decoy system designed to attract attackers away from critical systems.

Honey Net

A collection of honey pots connected on a subnet.

Padded Cell

A protected honey pot that prevents attackers from causing harm.

Trap and Trace Systems

A combination of techniques that detect and trace intrusions back to their source.

Study Notes

Intrusion Detection Systems (IDS)

  • An IDS gathers and analyzes information from a computer or network
  • It acts like a packet sniffer, intercepting packets traveling through various communication mediums and protocols
  • Packets are analyzed after capture
  • An IDS evaluates suspected intrusions and triggers an alarm
  • IDS monitors network and threat activity, detecting viruses, malware, spyware, etc.
  • It identifies the source of these threats and restores affected points
  • IDS observes unauthenticated and unauthorized use of network programs

How IDS Works

  • Monitors network and threat activity
  • Detects viruses, malware, spyware, and other forms of malicious code
  • Locates the source of threats and restores affected points
  • Observes unauthorized use of network programs

Intrusion Detection Systems (IDSs)

  • Detect violations of configuration and activate an alarm
  • Allow administrators to configure systems to notify them of issues via email or pagers
  • Systems can be configured to notify external security services about breaches

IDS Terminology

  • Alert or alarm: Triggered by suspicious activity
  • False attack stimulus: An event that triggers an alarm when no actual attack is in progress (a false alarm)
  • False negative: Failure to detect a real attack
  • False positive: Detecting an event that is not an attack
  • Noise: Non-attack related events that trigger an alarm
  • Site policy: Rules dictating allowed behavior within a network
  • Site policy awareness: Knowledge of a network's acceptable use policies
  • True attack stimulus: An event that triggers an alarm and corresponds to a real attack in progress
  • Confidence value: Assessment of likelihood of an event being an attack
  • Alarm filtering: Filtering of false alarms

Why Use an IDS?

  • Prevents problematic behaviors by increasing the perceived risk of detection and punishment
  • Detects attacks and security violations
  • Detects attack preambles
  • Documents existing threats to an organization
  • Acts as quality control for security design and administration, especially in large and complex enterprises
  • Provides useful information about intrusions

Ways to Detect an Intrusion

  • Signature recognition (misuse detection): Identifies events that misuse a system
  • Anomaly detection: Identifies intrusions as deviations from an established baseline of normal behavior for users and system components
  • Protocol anomaly detection: Models the expected behavior of TCP/IP protocols and flags traffic that deviates from it

Types of IDSs

  • Network-based IDS (NIDS): Analyzes packets traveling over the network, comparing them with empirical data to find malicious activities
  • Host-based IDS (HIDS): Collects and analyzes data originating from a computer hosting a service (e.g., web server). This data can be analyzed locally or sent elsewhere for central analysis.
  • Host-based IDS: Examines the data files on the host and alerts the system administrators of any changes

Disadvantages of HIDS

  • Difficult to analyze intrusions on multiple computers
  • Difficult to maintain in networks with varied operating systems and configurations
  • Can be disabled by attackers after compromise

Network Intrusion Indicators

  • Repeated probes of available services on a machine
  • Connections from unusual locations
  • Arbitrary data in log files (possible Denial-of-Service attempts)
  • Repeated login attempts from remote hosts

System Intrusion Indicators

  • Modifications to system software and configuration files
  • Gaps in system accounting
  • System crashes or reboots
  • Short or incomplete logs
  • Missing logs
  • Unusual processes
  • Unusual graphic displays or text messages

Selecting IDS Approach and Products

  • Consider your system environment, security goals, and existing security policy.
  • Evaluate organizational requirements and constraints, especially external requirements and resource limitations.

IDS Product Features and Quality

  • Scalability of the product for your environment
  • Product testing methods
  • Ability to evolve along with your organization
  • Targeted user expertise level
  • Support provisions for the product

IDS Control Strategies

  • Centralized: All IDS control functions in a single location
  • Fully distributed: All control functions at each IDS component's physical location
  • Partially distributed: Combines both centralized and distributed, with agents reporting to a central facility for broader analysis

IDS Deployment Overview

  • Consider the location of elements in the IDS for effective use.
  • Select the deployment strategy, considering security requirements and minimal impact.
  • NIDS and HIDS can be used together to cover various systems and networks.

Deploying Network-Based IDSs

  • NIST recommends four locations for NIDS sensors:
    • Behind external firewalls within the network DMZ
    • Outside external firewalls
    • On major network backbones
    • On critical subnets

Deploying Host-Based IDSs

  • Proper deployment is painstaking and time-consuming.
  • Start deploying HIDS with critical systems first.
  • Install until planned coverage is achieved.

Measuring the Effectiveness of IDSs

  • Administrators evaluate the number of attacks detected in a known collection of probes.
  • Administrators measure the level of use at which IDSs fail.
  • IDS vendors provide testing mechanisms to verify expected performance.
  • IDS testing can involve recording and retransmitting packets from real viruses or worms, including those with incomplete TCP/IP session connections (missing SYN packets). It also might include testing against vulnerable systems or environments.

Honey Pots, Honey Nets, and Padded Cell Systems

  • Honey pots: Decoy systems to lure attackers away from critical systems, encouraging attacks directed at themselves
  • Honey nets: Collection of honey pots connected together
  • Padded cells: Protected honey pots that cannot be easily compromised, operating in conjunction with traditional IDSs to redirect attackers to a safe zone

Trap and Trace Systems

  • Use techniques to detect intrusions and trace them back to their source
  • Traps typically include honey pots/padded cells and alarms

Scanning and Analysis Tools

  • Collect information attackers might need for successful attacks
  • Attack protocols are detailed sequences of steps or processes
  • Footprinting involves researching Internet addresses owned or controlled by a target organization

Tools

  • Snort
  • KFSensor
