Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 10_ocred.pdf


Full Transcript

Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82

Deploying a Host-based IDS

Deploying a host-based IDS provides an additional layer of security. This type of IDS must be installed and configured on each critical system in the network. You should consider installing a host-based IDS on every host in the organization. When deploying a host-based IDS, it is recommended that it has centralized management and reporting functions, which reduces the complexity of managing alerts from a large number of hosts.

Host-based IDS (HIDS) deployment must be done with proper planning and care, as deploying it in a large-scale environment has the potential to generate numerous false alarms, which can become quite difficult to manage. Initial deployment of a HIDS is done on critical servers only. Security professionals must consider implementing an IDS management console before adding additional hosts. Only if the security professional can comfortably manage the HIDS on the critical servers at this initial stage should they consider deploying the HIDS on all remaining hosts in the network. This allows the security professional to provide security at the individual host level. However, deploying a HIDS on every host on the network is quite expensive and requires additional software and maintenance, especially in the case of a wide-scale HIDS deployment.

Module 07 Page 857 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

What is an IDS Alert?

An alert is a graduated event that notifies that a particular event (or series of events) has reached a specified threshold and needs appropriate action by a responsible party. It generates incidents and/or issue tickets, indicating that something is wrong and requires immediate attention and monitoring. This alerting can be done in many ways, such as sending emails, producing alerts on the desktop, etc. An alert may contain details such as what kind of event occurred, the duration of that event, when and where it occurred, on which device, and what OS or version that device is running. Alerts are the domain of security devices and security-related systems. However, this is not fixed. For example, an IDS/IPS analyzes all inbound network traffic and decides whether a specific connection is allowed or not based on packet content. If a specific connection is identified as malicious, it will take predefined actions or generate alerts to notify the users.

Types of IDS Alerts

An IDS generates four types of alerts: True Positive, False Positive, False Negative, and True Negative.

- True Positive (Attack - Alert): A true positive is a condition that occurs when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. The event may be an actual attack, in which case an attacker attempts to compromise the network, or it may be a drill, in which case security personnel use hacker tools to test a network segment.

- False Positive (No Attack - Alert): A false positive occurs if an event triggers an alarm when no actual attack is in progress. It occurs when an IDS treats regular system activity as an attack. False positives tend to make users insensitive to alarms and weaken their reactions to actual intrusion events. While testing the configuration of an IDS, administrators use false positives to determine whether the IDS can distinguish between false positives and real attacks.

- False Negative (Attack - No Alert): A false negative is a condition that occurs when an IDS fails to react to an actual attack event. This condition is the most dangerous failure, as the purpose of an IDS is to detect and respond to attacks.

- True Negative (No Attack - No Alert): A true negative is a condition that occurs when an IDS identifies an activity as acceptable behavior, and the activity is indeed acceptable. A true negative means successfully ignoring acceptable behavior. It is not harmful, as the IDS performs as expected in this case.

Characteristics of Good IDS Solutions

01 Run continuously with less human intervention
02 Must be fault tolerant
03 Resistant to subversion
04 Minimal overhead on the system
05 Observe deviations from normal behavior
06 Not easily deceived
07 Tailored to specific system needs
08 Copes with dynamic system behavior

An ideal IDS should have the following characteristics:

- Organizations should have an IDS that can run with minimal or no human intervention. The system's configuration monitors and detects all suspicious activities on the host system. However, administrators should have all the privileges for auditing and monitoring for this to work.

- Even if the host system fails or crashes, the IDS should still function reliably. It is advisable to configure the IDS so that it is fault tolerant and does not require reconfiguration or a reboot every time the host system fails. In addition, it should be capable of monitoring itself to avoid any damage.

- An IDS should provide features for halting and blocking attacks. These attacks can originate from any application or software. This also involves alerting the security professional through online, mobile, or email notification. The method of notification depends on the configuration set up by the administrator.

- By having information gathering capabilities, an IDS helps a security professional detect the type of attack, the source of the attack, and the effects the attack caused in the network. Gathering evidence for a cyber-forensic investigation is one of the required characteristics of an IDS.

- In large organizations, an IDS is built with a fail-safe feature to help hide itself in the network. This feature helps create a fake network to attract intruders, as well as to analyze the possibilities of different types of attacks. It also helps in vulnerability analysis of the network.

- Not easily deceived. An IDS should be able to detect changes in the files of the system or network. The file checker feature in an IDS notifies the security professional if the intruder made any sort of alteration to the files. The IDS should report every activity that has occurred on the network, as this aids the security professional when analyzing vulnerabilities and rectifying them.

- Tailored to specific system needs. When recurring changes occur in the network, an IDS should be adaptable to these changes. This also includes adopting different defense mechanisms for every different system in the network.

- Minimal overhead on the system. The configuration of an IDS should be such that it does not cause overhead in the network or system.

- Resistant to subversion.

- Observe deviations from normal behavior.

- Copes with dynamic system behavior.
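The threshold rule behind a "graduated event" (What is an IDS Alert?), the four alert classes (Types of IDS Alerts), and the centralized console collecting per-host results (Deploying a Host-based IDS) come together in the following worked example. It is added here and is not part of the EC-Council courseware or of any product: the host names, the failed-login counts, the ground-truth labels and the threshold are all constructed, and the function names are this example's own. It sweeps the alert threshold to show the trade-off the page describes: a low threshold removes false negatives at the cost of more false positives, a high threshold does the reverse.

```python
"""Added example (not EC-Council courseware): a threshold-based HIDS alert
rule scored against ground truth, yielding the four alert classes on the page.
All records, names and numbers below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HostWindow:
    """Per-host summary as a central HIDS console might receive it:
    failed logins in a 5-minute window, plus (for evaluation only) whether
    the window really was an attack, e.g. known from a drill or a post-mortem."""
    host: str
    failed_logins: int
    is_attack: bool


# Constructed sample: a mix of real attacks and benign noise (hypothetical hosts).
SAMPLE_WINDOWS = [
    HostWindow("db01", 42, True),    # loud brute force: should alert
    HostWindow("web01", 3, False),   # ordinary typos
    HostWindow("app02", 12, False),  # batch job retrying an expired password
    HostWindow("fs01", 0, False),
    HostWindow("jump01", 6, True),   # slow, low-volume guessing
    HostWindow("web02", 25, True),
]

THRESHOLD = 10  # alert once failed logins in the window reach this count


def raises_alert(window, threshold=THRESHOLD):
    """The 'graduated event' rule: the alert fires when the count reaches the threshold."""
    return window.failed_logins >= threshold


def classify(alerted, is_attack):
    """Map one IDS decision plus ground truth to the page's four alert classes."""
    if alerted and is_attack:
        return "true_positive"
    if alerted and not is_attack:
        return "false_positive"
    if not alerted and is_attack:
        return "false_negative"
    return "true_negative"


def evaluate(windows, threshold=THRESHOLD):
    """Count the four classes and derive the rates an analyst tunes against."""
    counts = Counter(classify(raises_alert(w, threshold), w.is_attack) for w in windows)
    tp, fp = counts["true_positive"], counts["false_positive"]
    fn, tn = counts["false_negative"], counts["true_negative"]
    return {
        "true_positive": tp, "false_positive": fp,
        "false_negative": fn, "true_negative": tn,
        # share of real attacks that produced an alert
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        # share of benign windows that produced an alert (alarm fatigue driver)
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        # share of alerts that were worth an analyst's time
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


def missed_attacks(windows, threshold=THRESHOLD):
    """False negatives are the most dangerous failure: name the hosts involved."""
    return [w.host for w in windows if w.is_attack and not raises_alert(w, threshold)]


if __name__ == "__main__":
    for t in (5, 10, 30):
        r = evaluate(SAMPLE_WINDOWS, t)
        print(f"threshold={t:>2}  TP={r['true_positive']} FP={r['false_positive']} "
              f"FN={r['false_negative']} TN={r['true_negative']}  "
              f"detection={r['detection_rate']:.2f} "
              f"fpr={r['false_positive_rate']:.2f}  missed={missed_attacks(SAMPLE_WINDOWS, t)}")
```

With the constructed data, threshold 10 yields two true positives, one false positive (the batch job), one false negative (the slow guessing on jump01) and two true negatives; lowering the threshold to 5 catches jump01 without adding false positives here, while raising it to 30 silences the batch job but misses two of the three attacks. The same scoring applies to any alert rule, not only failed-login counts.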
