Intrusion Detection Systems (IDS) Overview

Questions and Answers

What is a significant challenge of Host Intrusion Detection Systems (HIDS) in large networks?

They require minimal configuration for different operating systems.

They are easy to maintain.

They can be disabled by attackers after compromise. (correct)

They can often be monitored effectively from a single location.

Which of the following describes a typical indication of a system intrusion?

Unchanged system software.

Gaps in system accounting. (correct)

Consistent and complete log files.

Regular system reboots.

When selecting an Intrusion Detection System (IDS), what is a crucial technical consideration?

The popularity of the product among users.

The color and design of the user interface.

The brand of the product.

The scalability of the product. (correct)

Which of the following is most likely a network intrusion detection event?

Repeated probes of services on a machine.

What is an expected user requirement that an IDS product must address?

Adaptability to the user’s skill level.

In the context of Network Intrusion Detection, what does an arbitrary data entry in log files suggest?

Potential Denial of Service attempts.

What is a notable drawback of analyzing intrusion attempts across multiple hosts in an IDS?

Difficulty in maintaining consistency in analysis.

What is a significant organizational constraint when choosing an IDS product?

Financial resources and budget constraints.

What is the primary function of a network-based intrusion detection system (IDS)?

To monitor and analyze data packets traveling over a network

Which detection method does not rely on specific known patterns of attacks?

Anomaly detection

What is a common challenge in the maintenance of an IDS?

High rate of false positives affecting system reliability

What role does an IDS play in terms of security documentation within an organization?

It assists in documenting existing security violations and threats

How does an IDS signal a potential intrusion event?

Through alarms and notifications to administrators

Which control strategy is aimed specifically at identifying misuse of a system?

Misuse detection

What is an essential feature of host-based Intrusion Detection Systems (HIDS)?

Monitoring changes to system files and configurations

What is a benefit of deploying an IDS in a network?

It increases the perceived risk of discovery and punishment for attackers

What is a characteristic of a fully distributed IDS control strategy?

All control functions operate at each IDS component's physical location.

Which combination of IDS types allows for coverage of both individual systems and networks?

Network-Based IDS (NIDS) and Host-Based IDS (HIDS)

What is one advantage of using padded cells?

They offer a secure environment for monitoring attacker behavior.

What is the purpose of deploying NIDS sensors behind each external firewall?

To enhance protection from external attacks.

What is a challenge associated with the proper implementation of HIDS?

It can be time-consuming and complex.

Which metric is NOT typically used to evaluate the effectiveness of IDS?

Cost of the IDS deployment.

What legal concern is associated with trap and trace systems?

They may inadvertently lead to entrapment.

What is a disadvantage of honey pots regarding security technology?

Legal implications of their use are unclear.

Which of the following locations is NOT recommended by NIST for NIDS sensors?

Inside the corporate headquarters.

What does a honey net refer to?

Network of several honey pots for enhanced monitoring.

What is the primary function of honey pots?

To lure attackers away from critical systems.

Which of the following statements is incorrect regarding partially distributed IDS control strategies?

They can only detect internal threats.

What role does a honey pot have in the context of responder activities?

To prolong engagement while gathering data on the attacker.

Which is an essential consideration in the deployment strategy for IDS?

Analyzing the organization’s specific security requirements.

Study Notes

Intrusion Detection Systems (IDS)

• IDS gathers and analyses information from a computer or network
• It acts like a packet sniffer, intercepting packets traveling through various communication mediums and protocols
• Packets are analyzed after capture
• An IDS evaluates suspected intrusions and triggers an alarm
• IDS monitors network and threat activity, detecting viruses, malware, spyware, etc.
• It identifies the source of these threats and restores affected points
• IDS observes unauthenticated and unauthorized use of network programs

How IDS Works

• Monitors network and threat activity
• Detects viruses, malware, spyware, and different forms of viruses
• Locates the source of threats and restores affected points
• Observes unauthorized use of network programs

Intrusion Detection Systems (IDSs)

• Detect violations of configuration and activate an alarm
• Allow administrators to configure systems to notify them of issues via email or pagers
• Systems can be configured to notify external security services about breaches

IDS Terminology

• Alert or alarm: Triggered by suspicious activity
• False attack stimulus: A false alarm
• False negative: Failure to detect a real attack
• False positive: Detecting an event that is not an attack
• Noise: Non-attack related events that trigger an alarm
• Site policy: Rules dictating allowed behavior within a network
• Site policy awareness: Knowledge of a network's acceptable use policies
• True attack stimulus: A real attack
• Confidence value: Assessment of likelihood of an event being an attack
• Alarm filtering: Filtering of false alarms

Why Use an IDS?

• Prevents problematic behaviors by increasing the perceived risk of detection and punishment
• Detects attacks and security violations
• Detects attack preambles
• Documents existing threats to an organization
• Acts as quality control for security design and administration, especially in large and complex enterprises
• Provides useful information about intrusions

Ways to Detect an Intrusion

• Signature recognition (misuse detection): Identifies events that misuse a system
• Anomaly detection: Identifies intrusions based on fixed behavioral characteristics of users and components
• Protocol anomaly detection: Models based on TCP/IP protocols

Types of IDSs

• Network-based IDS (NIDS): Analyzes packets traveling over the network, comparing them with empirical data to find malicious activities
• Host-based IDS (HIDS): Collects and analyzes data originating from a computer hosting a service (e.g., web server). This data can be analyzed locally or sent elsewhere for central analysis.
• Host-based IDS: Examines the data files on the host and alerts the system administrators of any changes

Disadvantages of HIDS

• Difficult to analyze intrusions on multiple computers
• Difficult to maintain in networks with varied operating systems and configurations
• Can be disabled by attackers after compromise

Network Intrusion Indicators

• Repeated probes of available services on a machine
• Connections from unusual locations
• Arbitrary data in log files (possible Denial-of-Service attempts)
• Repeated login attempts from remote hosts

Modifications to System Software and Configuration Files

• Gaps in system accounting
• System crashes or reboots
• Short or incomplete logs
• Missing logs
• Unusual processes
• Unusual graphic displays or text messages

Selecting IDS Approach and Products

• Consider your system environment, security goals, and existing security policy.
• Evaluate organizational requirements and constraints, especially external requirements and resource limitations.

IDS Product Features and Quality

• Scalability of the product for your environment
• Product testing methods.
• Ability to evolve along with your organization.
• Targeted user expertise level.
• Support provisions for the product

IDS Control Strategies

• Centralized: All IDS control functions in a single location
• Fully distributed: All control functions at each IDS component's physical location
• Partially distributed: Combines both centralized and distributed, with agents reporting to a central facility for broader analysis

IDS Deployment Overview

• Consider the location of elements in the IDS for effective use.
• Select the deployment strategy, considering security requirements and minimal impact.
• NIDS and HIDS can be used together to cover various systems and networks.

Deploying Network-Based IDSs

• NIST recommends four locations for NIDS sensors:
  • Behind external firewalls within the network DMZ
  • Outside external firewalls
  • On major network backbones
  • On critical subnets

Deploying Host-Based IDSs

• Proper deployment is painstaking and time-consuming.
• Start deploying HIDS with critical systems first.
• Install until planned coverage is achieved.

Measuring the Effectiveness of IDSs

• Administrators evaluate the number of attacks detected in a known collection of probes.
• Administrators measure the level of use at which IDSs fail.
• IDS vendors provide testing mechanisms to verify expected performance.
• IDS testing can involve recording and retransmitting packets from real viruses or worms, including those with incomplete TCP/IP session connections (missing SYN packets). It also might include testing against vulnerable systems or environments.

Honey Pots, Honey Nets, and Padded Cell Systems

• Honey pots: Decoy systems to lure attackers away from critical systems, encouraging attacks directed at themselves
• Honey nets: Collection of honey pots connected together
• Padded cells: Protected honey pots that cannot be easily compromised, operating in conjunction with traditional IDSs to redirect attackers to a safe zone

Trap and Trace Systems

• Use techniques to detect intrusions and trace them back to their source
• Traps typically include honey pots/padded cells and alarms

Scanning and Analysis Tools

• Collect information attackers might need for successful attacks
• Attack protocols are detailed sequences of steps or processes
• Footprinting involves researching Internet addresses owned or controlled by a target organization

Tools

• Snort
• KFSSensor

Description

This quiz covers the fundamentals of Intrusion Detection Systems (IDS), including their functionality and how they monitor network activity for threats such as viruses and malware. Understand the mechanisms behind IDS, including the analysis of packets and the alerting of administrators in case of violations. Test your knowledge on the key concepts of IDS technology and its importance in cybersecurity.