Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Network Security Controls - Technical Controls

Module Flow

- Discuss Essential Network Security Protocols
- Discuss Fundamentals of VPN and its Importance in Network Security
- Discuss Security Benefits of Network Segmentation
- Understand Different Types of Firewalls and their Role
- Understand Different Types of IDS/IPS and their Role
- Understand Different Types of Honeypots
- Understand Different Types of Proxy Servers and their Benefits
- Discuss Other Network Security Controls
- Discuss Importance of Load Balancing in Network Security
- Understand Various Antivirus/Anti-malware Software

Understand Different Types of IDS/IPS and their Role

The objective of this section is to explain the different types of IDS/IPS, their role, capabilities, limitations, and the concerns involved in implementing IDS security. This section also discusses IDS components, how those components collaborate in intrusion detection, the deployment of network-based and host-based IDS, the types of IDS alerts, and intrusion detection tools.

Module 07 Page 807 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Intrusion Detection and Prevention System (IDS/IPS)

01. An intrusion detection and prevention system (IDS/IPS) is a network security appliance that inspects all inbound and outbound network traffic for suspicious patterns that might indicate a network or system security breach.
02. The IDS checks the network traffic for signatures that match known intrusion patterns and triggers an alarm when a match is found.
03. If a match is found, the IDS alerts the administrator about the suspicious activity.

[Figure: IDS/IPS placed between the untrusted network, the firewall and the protected server]
An Intrusion Detection and Prevention System (IDS/IPS, also written IDPS) is a network security appliance that inspects all inbound and outbound network traffic for suspicious patterns that could indicate a network or system security breach, identifies suspicious activity, logs information about it, reports it, and attempts to block it. An intrusion prevention system (IPS) is an extension of the intrusion detection system (IDS). An IPS can:

- Send alarms
- Drop identified malicious packets
- Reset a connection
- Block traffic from a malicious IP address
- Defragment packet streams
- Reduce TCP sequencing issues
- Correct cyclic redundancy check (CRC) errors
- Clean unneeded transport and network layer options

The Intrusion Detection System (IDS) monitors all inbound and outbound network activity, identifies malicious patterns by looking for known attack signatures, and warns security professionals of suspicious activity, but it does not prevent that activity itself. An IDS displays an alert, logs the event, or pages an administrator; some deployments also reconfigure the network (for example, by pushing a blocking rule to a firewall) to mitigate the consequences of an intrusion.

IDS vs. IPS

The key difference between an IPS and an IDS is that the IPS is implemented in-line, in the traffic path, whereas the IDS sits off to the side. Traffic directed through an IPS is blocked or allowed packet by packet depending on the policy, and corrected if needed. An IDS is connected via a network tap (or a switch mirror port): it monitors a copy of the traffic but cannot act on it directly.

[Figure 7.64: IDS vs. IPS. The IPS sits in-line between the untrusted network and the server; the IDS receives a copy of the traffic from the side.]
How does an IDS Work?

[Figure 7.65: Working of an IDS. Traffic from the Internet passes the router and firewall to the IDS, whose preprocessor feeds packets through three stages in turn: comparison against the signature file database, anomaly detection, and stateful protocol analysis. At any stage a match triggers an action rule: an alarm notifies the admin, the packet can be dropped, connections from that source IP are cut down, and the event is written to the log server. A packet that matches nothing is forwarded through the switch into the enterprise network.]

Signature-based IDS: In a signature-based IDS, network traffic is checked against a database of known intrusion signatures. As shown in the figure above, if the traffic matches any of the signatures in the signature file database, connections from the source IP are cut down, the packet is dropped, the activity is logged, and an alarm is raised. Otherwise, the packet moves to the next step, anomaly detection.
Anomaly-based IDS: An anomaly-based IDS uses statistical techniques to compare the monitored traffic with a baseline of normal traffic. This method can identify new forms of attack that are not in the IDS signature database and issue a warning. Its disadvantage is a higher rate of false positives, which complicates the administrator's work. In the anomaly detection step, if the traffic deviates from the baseline, connections from the source IP are cut down, the packet is dropped, the activity is logged, and an alarm is raised. Otherwise, the packet is sent to stateful protocol analysis.

Stateful protocol analysis detects deviations from the expected protocol state, using predetermined profiles based on vendor-developed definitions of benign and malicious activity. If the packet matches a profile of malicious activity, connections from the source IP are cut down, the packet is dropped, the activity is logged, and an alarm is raised. Otherwise, the packet is passed into the network through the switch.

An IDS evaluates network traffic for illegal activities and policy violations. Some IDS products also perform or integrate vulnerability assessment to help maintain the security of the network. The features of an IDS include:

- Evaluating system and network activities
- Analyzing vulnerabilities in a network
- Assessing system and file integrity
- Identifying the possibility of an attack
- Monitoring irregular activities in a network and on systems
- Evaluating policy violations

With an IDS, organizations can identify attacks or intrusions coming from outside a network as well as intrusions or misuse originating within it.
Firewalls prevent intrusions into a network according to their rules, but they do not issue an alert about an intrusion or an attack. IDS systems, on the other hand, monitor and identify intrusions within a network and signal an alarm to the administrator.

Advantages of IDS:

- An IDS allows continuous monitoring and tracking of all intrusions and attacks in a network.
- An IDS provides an extra layer of security to a network.
- An IDS also provides logs and data about an attack or intrusion that can later be used for investigating the incident.

Disadvantages of IDS:

- An IDS requires more maintenance than a firewall.
- It is not always possible for an IDS to detect an intrusion.
- An IDS requires properly trained and experienced staff to maintain it.
- An IDS can raise false alarms to the network administrator.

Role of an IDS in Network Defense

- An IDS works from inside the network, unlike a firewall, which only looks at traffic crossing the network boundary.
- An IDS is placed behind the firewall, inspecting all the traffic and looking for heuristics and pattern matches that indicate intrusions.

Why Do We Need IDS?

Relying solely on a firewall for network security can give a false sense of security. The firewall simply implements the IT security policy by allowing or denying traffic based on its rules. It lets certain packets pass through, or denies access if a packet does not meet the criteria specified in a rule.
It does not check the contents of legitimate traffic that the ruleset allows. Even legitimate traffic may carry malicious content, which a firewall does not evaluate during inspection. As an example, a firewall can be configured to pass traffic only to port 80 of the web server and to port 25 of the email server, but it will not inspect the nature of the traffic flowing through either of those ports. This is why an IDS is implemented: an IDS inspects the legitimate traffic that the firewall has passed, performs signature-based and other analysis to identify malicious activity, and raises an alarm to notify security professionals.

How an IDS Detects an Intrusion?

An IDS uses three methods to detect intrusions in a network:

- Signature Recognition: Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network resource.
- Anomaly Detection: Anomaly detection identifies intrusions as deviations from the established behavioral characteristics of the users and components in a computer system.
- Protocol Anomaly Detection: In this type of detection, models are built to explore anomalies in the way in which vendors implement the TCP/IP specification.

Signature Recognition

Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network.
This technique first creates models of possible intrusions and then compares incoming events with these models to make a detection decision. IDS signatures are created under the assumption that the model must detect an attack without disturbing normal system traffic: only attacks should match the model, otherwise false alarms occur.

  o Signature-based intrusion detection compares incoming or outgoing network packets with the binary signatures of known attacks, using simple pattern-matching techniques to detect intrusions. A binary signature can be defined for a specific portion of the packet, such as the TCP flags.
  o Signature recognition can detect known attacks. However, an innocuous packet may contain the same byte pattern, which will trigger a false positive alert; poorly written signatures likewise trigger false alerts.
  o To detect misuse, a large number of signatures is required. The more signatures there are, the greater the chance that the IDS detects an attack; however, more benign traffic may also match signatures incorrectly, and matching every packet against a large signature set costs CPU and memory and impedes system performance. An IDS compares data packets against the signature database, and an increase in the number of signatures in the database can cause the sensor to drop packets it cannot process in time.

Anomaly Detection

Anomaly detection, or "not-use detection," differs from signature recognition. Anomaly detection works from a model of normal behavior rather than from a database of attacks: an anomaly is detected when an event falls outside the tolerance threshold of normal traffic, so any deviation from regular use is treated as a possible attack.
Anomaly detection identifies intrusions as deviations from the established behavioral characteristics of the users and components in a computer system. Establishing a model of normal use is the most challenging step in building an anomaly detector.

  o In the traditional method of anomaly detection, baseline data are kept for checking variations in network traffic. In reality, however, network traffic is somewhat unpredictable and has too many statistical variations, which makes these models imprecise: some events labeled as anomalies may only be irregularities in network usage.
  o A further concern with this approach is the difficulty of constructing a complete model of a regular network. Models should be built for, and used to check, the specific network they were trained on.

Protocol Anomaly Detection

Protocol anomaly detection depends on the anomalies specific to a protocol. It identifies particular flaws in vendors' implementations of the TCP/IP protocol suite. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication, so traffic that violates the specification is suspect. The protocol anomaly detector can identify new attacks.

  o New attack methods and exploits frequently violate protocol standards.
  o Malicious anomaly signatures are becoming increasingly common, whereas network protocols are well defined and change slowly. A signature database must therefore be updated frequently to keep detecting attacks, while a protocol model stays valid for much longer.
  o Protocol anomaly detectors differ from traditional IDS in how they present alarms.
  o The best way to present an alarm is to explain which part of the protocol state machine was violated. For this purpose, IDS operators must have thorough knowledge of protocol design.
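The following is an added example, not code from the EC-Council module: a toy network IDS that runs constructed packets through the three detection methods just described. Signature recognition is a byte pattern tied to a destination port; anomaly detection learns a mean and standard deviation of bytes per source from a training window and flags sources more than three standard deviations above it; protocol anomaly detection flags TCP flag combinations that the RFC 793 handshake never produces. The signature names, the threshold, and the sample traffic are all assumptions made for the example.

```python
# Added example (not from the module): one packet pipeline, three detectors.
# Packets, signatures and traffic samples are constructed for illustration.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    src: str
    dst_port: int
    flags: frozenset          # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""


@dataclass
class Alert:
    method: str               # "signature" | "anomaly" | "protocol"
    src: str
    detail: str


# --- 1. Signature recognition (misuse detection) ---------------------------
# Hypothetical signatures: (name, destination port, byte pattern). The first
# models the "telnet login as root" policy violation; substring matching only.
SIGNATURES = [
    ("TELNET-ROOT-LOGIN", 23, b"login: root"),
    ("HTTP-CGI-SHELL", 80, b"/bin/sh"),
]


def match_signatures(pkt: Packet):
    for name, port, pattern in SIGNATURES:
        if pkt.dst_port == port and pattern in pkt.payload:
            return Alert("signature", pkt.src, name)
    return None


# --- 2. Anomaly detection --------------------------------------------------
# Baseline = mean/stddev of bytes per source per interval from quiet traffic;
# an observation more than THRESH standard deviations above the mean is flagged.
THRESH = 3.0


class ByteRateBaseline:
    def __init__(self, training_samples):
        self.mu = mean(training_samples)
        self.sigma = pstdev(training_samples) or 1.0   # guard a flat baseline

    def is_anomalous(self, value):
        return (value - self.mu) / self.sigma > THRESH


# --- 3. Protocol anomaly detection -----------------------------------------
# A conforming TCP stack never sets SYN together with FIN or RST; such packets
# come from scanners or evasion tools, so they are flagged without a signature.
ILLEGAL_FLAG_COMBOS = [frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"})]


def protocol_anomaly(pkt: Packet):
    for combo in ILLEGAL_FLAG_COMBOS:
        if combo <= pkt.flags:
            return Alert("protocol", pkt.src, "illegal TCP flags " + "+".join(sorted(combo)))
    return None


def inspect_traffic(packets, baseline: ByteRateBaseline):
    """Per-packet signature and protocol checks, then a per-interval anomaly
    check on bytes per source. Returns alerts in detection order."""
    alerts = []
    bytes_per_src = {}
    for pkt in packets:
        found = match_signatures(pkt) or protocol_anomaly(pkt)
        if found:
            alerts.append(found)
        bytes_per_src[pkt.src] = bytes_per_src.get(pkt.src, 0) + len(pkt.payload)
    for src, total in bytes_per_src.items():
        if baseline.is_anomalous(total):
            alerts.append(Alert("anomaly", src, f"{total} bytes/interval vs baseline {baseline.mu:.0f}"))
    return alerts


# Constructed samples: a training window of bytes/interval, then one interval
# containing a root telnet login, a normal GET, a SYN+FIN probe and a flood.
TRAINING = [1200, 1350, 1100, 1280, 1220, 1300, 1150, 1260]
SAMPLE = [
    Packet("10.0.0.5", 23, frozenset({"PSH", "ACK"}), b"login: root\r\n"),
    Packet("10.0.0.7", 80, frozenset({"PSH", "ACK"}), b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.9", 22, frozenset({"SYN", "FIN"})),
    Packet("10.0.0.9", 443, frozenset({"PSH", "ACK"}), b"A" * 9000),
]


def demo():
    return inspect_traffic(SAMPLE, ByteRateBaseline(TRAINING))


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.method}] {a.src}: {a.detail}")
```

Run as a script it prints three alerts, one per method; the normal GET produces none. Note that the anomaly stage is the only one that needs a training window, which is exactly why the text calls building the normal model the hardest step.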
IDS Capabilities

- An IDS provides an additional layer of security to the network under the defense-in-depth principle.
- An IDS does several things that basic firewalls cannot do.
- An IDS helps minimize the chance of missing security threats that evade the firewall.

The main task of an IDS is detecting an intrusion attempt on a network and issuing a notification about what occurred. Detecting hostile attacks depends on several types of action, including prevention, intrusion monitoring, intrusion detection, and response. Intrusion prevention may include a well-chosen combination of luring and tricking (trap systems) aimed at investigating threats; diverting the intruder's attention from protected resources is another task. An IDS constantly monitors both the real system and any trap system, and carefully examines the data generated to detect possible attacks. Once an IDS detects an intrusion, it issues alerts notifying administrators. Once the intrusion is detected and notified, security professionals can execute countermeasures, which may include blocking functions, terminating sessions, backing up the systems, routing connections to a system trap, involving the legal infrastructure, etc. An IDS is an important element of the security policy.
IDS alerts and logs are useful in the forensic investigation of incidents and in installing appropriate patches to enable the detection of future attack attempts targeting specific people or resources. An IDS observes computer network activity and keeps track of user policies and activity patterns to ensure they do not violate policies. It also observes network traffic and components to detect viruses and malware hidden in the form of spyware, keyloggers, etc.

An IDS works by gathering information about illicit attempts made to compromise security and then verifying them. It also records the event data, which security professionals can use to take future preventive measures and improve network security.

IDS/IPS Functions

- Monitoring and analyzing both user and system activities
- Analyzing system configurations and vulnerabilities
- Assessing system and file integrity
- Recognizing typical attack patterns
- Analyzing abnormal activity patterns
- Tracking user policy violations

In addition to its core functionality of identifying and analyzing intrusions, an IDS can perform the following activities related to intrusion detection:

- Recording information about events: An IDS records every detail of the monitored events and forwards the recorded information to other systems such as centralized logging servers, security information and event management (SIEM) systems, and enterprise management systems.
- Sending an alert: The IDS sends an intrusion alert to the security professional through email, pop-up messages on the IDS user interface, etc.
- Generating reports: The IDS generates reports that give insight into observed events or any suspicious event that may have occurred.
IDS/IPS Limitations: What an IDS/IPS is NOT

An IDS/IPS cannot act as, or replace, network logging systems, vulnerability assessment tools, antivirus products, or cryptographic systems.

Contrary to popular belief and to terminology employed in the literature on IDSs, not every security device falls into this category. In particular, the following security devices should not be categorized as IDSs:

- Network logging systems: These are network traffic monitoring systems; they can, for example, reveal a DoS condition on a congested network, but they do not detect intrusions.
- Vulnerability assessment tools (security scanners): These check for bugs and flaws in operating systems and network services.
- Antivirus products: These detect malicious software such as viruses, Trojan horses, worms, bacteria, logic bombs, etc. Compared feature by feature, these products are similar to IDSs and often provide effective detection of security breaches, but they are a separate control.
- Security/cryptographic systems: These protect sensitive data from theft or alteration by mandating user authentication and encryption. Examples include VPNs, SSL/TLS, S/MIME, Kerberos, and RADIUS.
IDS/IPS Security Concerns

- Improper IDS/IPS configuration and management will make an IDS/IPS ineffective.
- IDS/IPS deployment should be done with careful planning, preparation, prototyping, testing, and specialized training.

Common Mistakes in IDS/IPS Configuration

- Deploying an IDS in a location where it does not see all the network traffic
- Frequently ignoring the alerts generated by the IDS
- Not having a proper response policy and the best possible solutions to deal with an event
- Not fine-tuning the IDS for false negatives and false positives
- Not updating the IDS with the latest signatures from the vendor
- Only monitoring inbound connections

Included below are some mistakes, and the workarounds to avoid them, for effective deployment of an IDS in the network:

- Deploying an IDS without efficient infrastructure planning: An improper or incomplete network infrastructure will not help the functioning of an IDS. If the tuning of the IDS does not follow the network infrastructure, it has the potential to disable the network by flooding it with alerts.
- Incorrect sensitivity: After deploying an IDS, organizations usually set its sensitivity to the highest level so that it detects as many attacks as possible. However, this also raises the number of false positives. If an IDS generates a large number of false positive alerts per day, the administrator may miss a real alert. In the long run, ignoring alerts is harmful to network security.
- Detecting an intrusion is not enough: Organizations should also design a response policy that administrators follow when an incident occurs. This response policy should answer the following questions: What is a normal event and what is a malicious event? What is the response for every event that generates an alert? The person reviewing the alerts must know this action plan.
- NIDS and encrypted traffic: A NIDS deployed without visibility into encrypted protocols such as IPsec leaves the network more exposed than it appears. A NIDS listens to all the traffic it sees and checks its legitimacy, but when it encounters encrypted traffic it can only perform packet-level (header) analysis, because the application-layer contents are inaccessible; attacks carried inside the encrypted payload go undetected.
- Ignoring outbound traffic: Many organizations secure and monitor only inbound traffic and ignore outbound traffic. It is important to place IDS sensors throughout the organization. Where cost allows, sensors should be placed at the choke points of the network; this monitors outbound as well as internal host-to-host traffic.
- Deploying IDS sensors with a single NIC, or with management on the monitored data link: The IDS sensor then sends its alert and log data over the same interface on which it is sniffing. Because that interface reports all the data to the centralized database, an attacker who reaches it can disable the IDS and prevent further alerts, or intercept and alter the data in transit. This issue is resolved by connecting the management interface to a dedicated, isolated monitoring network.

General Indications of Intrusions

Intrusion attempts on networks, systems, or file systems can be identified by the following general indicators:

File System Intrusions
- The presence of new or unfamiliar files or programs
- Changes in file permissions
- Unexplained changes in a file's size
- Rogue files on the system that do not correspond to the master list of signed files
- Missing files

Network Intrusions
- Repeated probes of the available services on your machines
- Connections from unusual locations
- Repeated login attempts from remote hosts
- A sudden influx of log data

System Intrusions
- Short or incomplete logs
- Unusually slow system performance
- Missing logs, or logs with incorrect permissions or ownership
- Modifications to system software and configuration files
- Unusual graphic displays or text messages
- Gaps in system accounting
- System crashes or reboots
- Unfamiliar processes

File System Intrusions

By observing system files, the presence of an intrusion can be identified. System files record the activities of the system.
Any modification or deletion of file attributes, or of the file itself, is a sign that the system has been the target of an attack:

  o If you find new, unknown files or programs on your system, there is a possibility that the system has been intruded into. The system can be compromised to the extent that it can, in turn, compromise other systems on the network.
  o When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. With administrator privileges, the intruder can change file permissions, for example from read-only to writable.
  o Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all your system files.
  o The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
  o Watch for unfamiliar file names in directories, including executable files with strange extensions or double extensions.
  o Missing files are also a sign of a probable intrusion or attack.
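The following is an added example, not part of the module: a small host-side check for the file-system indicators above. It hashes every regular file under a directory and compares the result with a stored baseline to report new, modified (content or permission bits) and missing files, and it lists setuid/setgid files that are not on an approved master list. The baseline and master list are plain Python objects here, and the demo builds its "compromised" tree in a temporary directory; a real deployment would keep the baseline signed and off-host.

```python
# Added example (not from the module): file-integrity baseline + rogue
# setuid/setgid audit. The sample tree and the FAKE_SCAN inventory are
# constructed for illustration only.
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, permission bits) for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                rel = os.path.relpath(full, root)
                result[rel] = (sha256_file(full), stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """The three indicator classes from the text: new, modified, missing files."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p] != current[p]             # digest or mode bits changed
    )
    return {"new": new, "modified": modified, "missing": missing}


def rogue_setid(current, master_list):
    """Paths carrying setuid/setgid bits that are not on the approved master list."""
    return sorted(
        p for p, (_digest, mode) in current.items()
        if mode & (stat.S_ISUID | stat.S_ISGID) and p not in master_list
    )


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a clean tree, baseline it, then simulate an intrusion and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "bin/ls", b"\x7fELF original ls")
        baseline = snapshot(root)
        _write(root, "bin/ls", b"\x7fELF trojaned ls")        # modified binary
        _write(root, "tmp/.x.sh", b"#!/bin/sh\n")             # dropped file
        os.remove(os.path.join(root, "etc/passwd"))           # deleted file
        return compare(baseline, snapshot(root))


# Constructed inventory standing in for a real snapshot(): digests are dummies.
FAKE_SCAN = {
    "usr/bin/passwd": ("d0c3...", 0o4755),
    "usr/bin/sudo":   ("ab12...", 0o4755),
    "tmp/.x":         ("9f9f...", 0o4755),   # setuid shell left by an intruder
    "bin/ls":         ("1111...", 0o755),
}
MASTER_SETID = {"usr/bin/passwd", "usr/bin/sudo"}


if __name__ == "__main__":
    print(demo())
    print("rogue setuid/setgid:", rogue_setid(FAKE_SCAN, MASTER_SETID))
```

The mode bits are compared alongside the digest so that a permission change such as the read-only to writable escalation described above is reported even when the file content is untouched.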
Network Intrusions

Similarly, general indications of network intrusions include:

  o A sudden increase in bandwidth consumption
  o Repeated probes of the available services on your machines
  o Connection requests from IPs outside the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network
  o Repeated login attempts from remote hosts
  o A sudden influx of log data, which could indicate DoS attempts, bandwidth exhaustion, or DDoS attacks

System Intrusions

Similarly, general indications of system intrusions include:

  o Sudden changes in logs, such as short or incomplete logs
  o Unusually slow system performance
  o Missing logs, or logs with incorrect permissions or ownership
  o Modifications to system software and configuration files
  o Unusual graphic displays or text messages
  o Gaps in system accounting
  o System crashes or reboots
  o Unfamiliar processes

IDS Classification

An IDS is classified based on its approach, the protected system, its structure, its data source, its behavior, and its analysis timing.

Generally, an IDS uses anomaly-based and signature-based detection methods to detect intrusions. The classification of IDSs is shown in Figure 7.66. This categorization depends on whether the information is gathered from a single host or a network segment, on behavior, on whether the feed of information is continuous or periodic, and on the data source.
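Returning to the network-intrusion indicators listed above, the following added example (not from the module) runs detection logic for three of them over constructed log lines: repeated failed logins from one remote host, connections from addresses outside the organization's range, and a sudden influx of log data in a single minute. The lines imitate the shape of OpenSSH sshd messages but are invented, and the internal address ranges, the failure threshold and the influx factor are assumptions for the example.

```python
# Added example (not from the module): three network-intrusion indicators
# evaluated over constructed sshd-style log lines.
import ipaddress
import re
from collections import Counter

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FAIL_THRESHOLD = 5      # failed logins from one source before alerting (assumed)
INFLUX_FACTOR = 10      # a minute with > 10x the median line count is an influx (assumed)

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Connection from) .*?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(lines):
    """Yield (minute timestamp, event, source ip) for lines the pattern recognises."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.group("ts"), m.group("event"), m.group("ip")


def repeated_failures(lines):
    """Sources with at least FAIL_THRESHOLD failed logins -> {ip: count}."""
    fails = Counter(ip for _ts, ev, ip in parse(lines) if ev == "Failed password")
    return {ip: n for ip, n in fails.items() if n >= FAIL_THRESHOLD}


def external_sources(lines):
    """Sources that fall outside every INTERNAL range."""
    seen = set()
    for _ts, _ev, ip in parse(lines):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL):
            seen.add(ip)
    return sorted(seen)


def log_influx(lines):
    """Minutes whose line count exceeds INFLUX_FACTOR times the median minute."""
    per_minute = Counter(ts for ts, _ev, _ip in parse(lines))
    counts = sorted(per_minute.values())
    median = counts[len(counts) // 2]
    return sorted(ts for ts, n in per_minute.items() if n > INFLUX_FACTOR * median)


# Constructed sample: three quiet minutes, then a root password-guessing burst
# from an external address at 10:18.
SAMPLE_LOG = [
    "Mar  3 10:15:02 host1 sshd[900]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "Mar  3 10:15:40 host1 sshd[901]: Failed password for bob from 192.168.1.20 port 51001 ssh2",
    "Mar  3 10:16:05 host1 sshd[902]: Connection from 198.51.100.7 port 40111 on 10.0.0.1 port 22",
    "Mar  3 10:16:33 host1 sshd[903]: Accepted password for bob from 192.168.1.20 port 51002 ssh2",
    "Mar  3 10:17:10 host1 sshd[904]: Accepted password for alice from 10.0.0.5 port 51003 ssh2",
    "Mar  3 10:17:55 host1 sshd[905]: Failed password for alice from 10.0.0.5 port 51004 ssh2",
] + [
    f"Mar  3 10:18:{s:02d} host1 sshd[{910 + s}]: Failed password for root "
    f"from 203.0.113.9 port {40200 + s} ssh2"
    for s in range(40)
]


if __name__ == "__main__":
    print("repeated failures:", repeated_failures(SAMPLE_LOG))
    print("external sources:", external_sources(SAMPLE_LOG))
    print("log influx minutes:", log_influx(SAMPLE_LOG))
```

The influx check deliberately compares against the median rather than the mean, so that the burst minute itself does not drag the baseline up and hide the spike.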
[Figure 7.66: Classification of Intrusion Detection System. The figure branches by approach (anomaly detection, signature/misuse detection), protected system, structure, data source, behavior, and analysis timing (on-the-fly processing vs. analysis after an attack).]

Approach-based IDS

The approaches are signature-based detection (also called misuse detection), anomaly-based detection, and stateful protocol analysis; each is described below.
Stateful Protocol Analysis

- This method compares observed events with predetermined profiles, based on accepted definitions of benign activity for each protocol, to identify any deviation of the protocol state.
- It also detects variations in command length, minimum/maximum values for attributes, and other potential anomalies.
- It can identify unpredictable sequences of commands; for example, the same command being issued repeatedly, or arbitrary commands being used.
- For any protocol performing authentication, the IDS/IPS keeps track of the authenticator used for each session and records the authenticator involved in any suspicious activity.

Signature-based Detection

Signature-based detection is also known as misuse detection. It monitors patterns of data packets in the network and compares them to pre-configured network attack patterns known as signatures. A signature is a predefined pattern in the traffic on a network. Normal traffic signatures denote normal traffic behavior, whereas attack signatures are patterns characteristic of malicious traffic that is harmful to the network. These patterns are unique to the tools and techniques attackers use to get into the network.
This method uses string comparison operations to compare ongoing activity, such as a packet or a log entry, against a list of signatures.

Advantages
▪ It detects attacks with minimal false alarms.
▪ It can quickly identify the use of a specific tool or technique.
▪ It assists administrators to quickly track any potential security issues and initiate incident handling procedures.

Disadvantages
▪ This approach only detects known threats, so the signature database must be updated with new attack signatures constantly.
▪ It utilizes tightly defined signatures that prevent it from detecting common variants of the attacks.

Examples of signatures:
▪ A telnet attempt with a username of 'root', which is a violation of the corporate security policy.
▪ An operating system log entry with a status code of 645, which indicates that the host auditing system is disabled.

Anomaly-based Detection

The anomaly-based detection process depends on observing and comparing the observed events with the normal behavior and then detecting any deviation from it. Normal behavior depends on factors such as users, hosts, network connections, and/or applications. These factors are considered only after examining a particular activity over a period of time. Normal traffic behavior is based on various behavioral attributes such as normal email activity, a reasonable number of failed attempts, processor usage, etc. Any activity that does not match normal behavior can be treated as an attack. For example, numerous emails coming from a single sender or a large number of failed login attempts can indicate suspicious behavior. Unlike signature-based detection, anomaly-based detection can detect previously unknown attacks.
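The following Python example is added here to show the anomaly-based approach in working form; it is not code from the course material. It carries out the two steps this section later describes for an anomaly detection system: a learning interval in which statistics (mean and standard deviation) for each monitored metric are built, and a monitoring phase in which each live sample is compared against that profile. The metrics (failed logons, bandwidth, processor utilization), the training samples and the live samples are all constructed for the example, and the z-score threshold of 3.0 is an assumption.

```python
import statistics
from collections import defaultdict


def build_profile(training):
    """Step 1: learn what 'normal' looks like from samples taken over a training interval.

    training is a list of {metric: value} dicts, one per sampling interval.
    Returns {metric: (mean, stdev)}, the statistical profile of normal traffic.
    """
    by_metric = defaultdict(list)
    for sample in training:
        for metric, value in sample.items():
            by_metric[metric].append(value)
    profile = {}
    for metric, values in by_metric.items():
        mean = statistics.fmean(values)
        # a metric that never varied during training has stdev 0; floor it so
        # that a later change does not produce a division by zero
        stdev = max(statistics.pstdev(values), 1e-6)
        profile[metric] = (mean, stdev)
    return profile


def score(profile, sample, threshold=3.0):
    """Step 2: compare one live sample against the profile.

    Returns {metric: z_score} for every metric that deviates from its learned
    mean by more than `threshold` standard deviations; an empty dict means the
    sample looks normal. Metrics the profile never saw are ignored.
    """
    anomalies = {}
    for metric, value in sample.items():
        if metric not in profile:
            continue
        mean, stdev = profile[metric]
        z = (value - mean) / stdev
        if abs(z) > threshold:
            anomalies[metric] = round(z, 2)
    return anomalies


# Constructed training data: 20 one-minute samples of quiet office-hours traffic.
_FAILED = [1, 2, 1, 3, 2, 1, 2, 2, 1, 3, 2, 1, 2, 3, 1, 2, 2, 1, 3, 2]
_BANDWIDTH = [45, 50, 55, 48, 52, 47, 53, 49, 51, 50] * 2
_CPU = [25, 30, 28, 32, 27, 29, 31, 26, 30, 28] * 2
TRAINING = [
    {"failed_logons": f, "bandwidth_mbps": b, "cpu_pct": c}
    for f, b, c in zip(_FAILED, _BANDWIDTH, _CPU)
]
PROFILE = build_profile(TRAINING)

# Constructed live samples.
NORMAL_SAMPLE = {"failed_logons": 2, "bandwidth_mbps": 52, "cpu_pct": 31}
# a burst of failed logons together with a bandwidth spike: the symptoms of an
# attack are flagged although no signature for it exists
ATTACK_SAMPLE = {"failed_logons": 40, "bandwidth_mbps": 95, "cpu_pct": 31}
# a legitimate nightly backup that never ran during the training interval: it
# is flagged as well, which is the false-alarm problem of this approach
BACKUP_SAMPLE = {"failed_logons": 2, "bandwidth_mbps": 120, "cpu_pct": 30}

if __name__ == "__main__":
    for label, sample in [("normal", NORMAL_SAMPLE), ("attack", ATTACK_SAMPLE),
                          ("backup", BACKUP_SAMPLE)]:
        print(label, score(PROFILE, sample) or "no anomaly")
```

The backup sample illustrates why the profile must be built from an extensive and representative set of events: anything legitimate that was absent from the training interval is indistinguishable from an attack to this detector.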
In this approach, alarms for anomalous activities are generated by evaluating network patterns such as what sort of bandwidth is used, what protocols are used, and what ports and which devices are connected to each other. An IDS monitors the typical activity for a particular time interval and then builds the statistics for the network traffic. For example, an anomaly-based IDS monitors activities for normal Internet bandwidth usage, failed logon attempts, processor utilization levels, etc.

Advantages
▪ An anomaly-based IDS identifies abnormal behavior in the network and detects the symptoms of attacks without any clear details.
▪ Information acquired by anomaly detectors is further used to define the signatures for misuse detectors.

Disadvantages
▪ The rate of generating false alarms is high due to the unpredictable behavior of users and networks.
▪ An extensive set of system events must be created in order to characterize normal behavior patterns.

Stateful Protocol Analysis

Network communication uses various types of protocols to exchange information on different layers. These protocols define the accepted behavior. A stateful protocol analysis-based IDS detects suspicious activity by analyzing the deviation of specific protocol traffic from its normal behavior. Using this analysis, an IDS can analyze the network, transport, and application layer protocols and traffic against their normal behavior.

Certain IDSs can specify suitable activities for each class of users in accordance with the authenticator information. This method compares observed events with predetermined profiles based on accepted definitions of benign activity for each protocol to identify any deviations of the protocol state.
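To make stateful protocol analysis concrete, here is an added Python example (not code from the course material) that tracks the state of one session of a small command protocol and reports deviations from the accepted command sequence, over-long commands, and the same command issued repeatedly, tagging each finding with the authenticator the session presented. The protocol itself (HELLO, then AUTH user, then any number of LIST/GET/PUT, then QUIT), the maximum command length of 128 and the repeat limit of 5 are assumptions constructed for the example; no real wire protocol is modelled.

```python
# Constructed toy protocol for this example: the accepted command sequence is
# HELLO -> AUTH <user> -> (LIST | GET | PUT)* -> QUIT. Which commands are
# acceptable depends on the state the session is in.
ALLOWED = {
    "NEW": {"HELLO"},
    "HELLO": {"AUTH"},
    "READY": {"LIST", "GET", "PUT", "QUIT"},
    "CLOSED": set(),
}
NEXT_STATE = {"HELLO": "HELLO", "AUTH": "READY", "QUIT": "CLOSED"}  # others keep the state
MAX_LINE_LEN = 128   # assumed maximum command length for this protocol
MAX_REPEATS = 5      # assumed limit on the same command issued back to back


class SessionTracker:
    """Per-session protocol state, as a stateful-analysis IDS keeps it."""

    def __init__(self):
        self.state = "NEW"
        self.authenticator = None   # username presented in AUTH, kept for the session
        self.last_cmd = None
        self.repeat = 0

    def observe(self, line):
        """Check one command line against the profile; return a list of findings."""
        findings = []
        if len(line) > MAX_LINE_LEN:
            findings.append(f"command length {len(line)} exceeds {MAX_LINE_LEN}")
        parts = line.split()
        cmd = parts[0].upper() if parts else ""
        accepted = cmd in ALLOWED[self.state]
        if not accepted:
            findings.append(f"{cmd or '<empty>'} not expected in state {self.state}")
        if cmd == "AUTH":
            self.authenticator = parts[1] if len(parts) > 1 else "<none>"
        # count identical consecutive commands; report once when the limit is passed
        if cmd == self.last_cmd:
            self.repeat += 1
        else:
            self.last_cmd, self.repeat = cmd, 1
        if self.repeat == MAX_REPEATS + 1:
            findings.append(f"{cmd} repeated more than {MAX_REPEATS} times")
        # the state only advances on an accepted command
        if accepted:
            self.state = NEXT_STATE.get(cmd, self.state)
        # every finding records the authenticator involved in the session
        return [f"[auth={self.authenticator}] {f}" for f in findings]


def analyze_session(lines):
    """Run one session's command lines through a tracker; return all findings."""
    tracker = SessionTracker()
    findings = []
    for line in lines:
        findings.extend(tracker.observe(line))
    return findings


# Constructed sessions.
NORMAL_SESSION = ["HELLO", "AUTH alice", "LIST", "GET report.txt", "QUIT"]
SUSPICIOUS_SESSION = (
    ["HELLO", "GET report.txt", "AUTH bob"]   # GET before authentication
    + ["GET report.txt"] * 6                   # same command issued repeatedly
    + ["PUT " + "A" * 200, "QUIT"]             # command far longer than the protocol allows
)

if __name__ == "__main__":
    print(analyze_session(NORMAL_SESSION) or "normal session: no findings")
    for finding in analyze_session(SUSPICIOUS_SESSION):
        print(finding)
```

The first finding carries no authenticator because the deviation happened before AUTH; the later ones name the user whose session produced them, which is the per-session authenticator record the text describes.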
It can identify unpredictable sequences of commands. For example, it can identify activities such as issuing the same commands repeatedly or arbitrary commands being used. It also detects variations in command length, minimum/maximum values for attributes, and other potential anomalies. For any protocol performing authentication, the IDS/IPS will keep track of the authenticator being used for each session and will record the authenticator involved in the suspicious activity.

Anomaly and Misuse Detection Systems

Misuse Detection System

In a misuse detection system, the abnormal behavior of the system is defined first, and then the normal behavior. The misuse detection system works differently from an anomaly detection system in that it has a static approach to detecting attacks. Generally, misuse detection systems show a low rate of false positives as the rules are predefined, using techniques such as rule-based languages, state transition analysis, expert systems, etc.

Figure 7.67: Misuse detection system

Advantages
▪ More accurate detection than an anomaly detection system
▪ Fewer false alarms

Disadvantage
▪ Unable to detect new attacks due to predefined rules

Anomaly Detection System

An anomaly detection system involves detecting intrusions on the network.
It uses algorithms to detect discrepancies occurring in a network or system. It categorizes an intrusion as either normal or anomalous. Anomaly intrusion detection is a two-step process: the first step involves gathering information on how data flows, and the second step involves working on that data flow in real time and detecting whether the data is normal or not. By implementing this process, an anomaly detection-based IDS protects the target systems and networks that may be vulnerable to malicious activities. Anomalies in the system can be detected through artificial intelligence, neural networks, data mining, statistical methods, etc.

Figure 7.68: Anomaly detection system

Advantages
▪ It detects and identifies probes in network hardware, thereby providing early warnings about attacks.
▪ It has the ability to detect a wide range of attacks in the network.

Disadvantages
▪ If a legitimate network behavior is not part of the designed model, the system will detect it as anomalous. This increases the number of false positive alerts in the system.
▪ Network traffic varies, and deployment of the same model throughout can lead to a failure in detecting known attacks.
Behavior-based IDS

Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or users. The model of normal or valid behavior is extracted from reference information collected by various means. The IDS later compares this model with current activity. When a deviation is observed, an alarm is generated. An IDS is categorized based on how it reacts to a potential intrusion. It functions in one of two modes, active or passive, based on its behavior after an attack.

Active IDS Mode

Figure 7.69: Active IDS Mode

An active IDS detects and responds to detected intrusions. It is configured to automatically block suspected attacks without any intervention from the administrator. Such an IDS has the advantage of providing real-time corrective action in response to an attack. The exact action differs per product and depends on the severity and type of the attack.

Passive IDS Mode

Figure 7.70: Passive IDS Mode

A passive IDS only detects intrusions. It is configured only to monitor and analyze network traffic activity and alert the administrator of any potential vulnerabilities and attacks. This type of IDS is not capable of performing any protective or corrective functions on its own.
It merely logs the intrusion and notifies an administrator through email or pop-ups. A system administrator or someone else will have to respond to the alarm, take appropriate action to halt the attack, and possibly identify the intruder.

Protection-based IDS

An IDS can be classified based on the device or network to which it offers protection. There are mainly three types of IDS technologies under this category: network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), and hybrid intrusion detection systems (hybrid IDS).
▪ If it protects the network, it is called a network intrusion detection system (NIDS).
▪ If it protects a host, it is called a host intrusion detection system (HIDS).
▪ If it protects the network and a host, it is called a hybrid intrusion detection system (hybrid IDS).
Figure 7.71: Protection-based IDS

Network Intrusion Detection System (NIDS)

A NIDS is used to observe the traffic for any specific segment or device and recognize the occurrence of any suspicious activity in the network and application protocols. A NIDS is typically placed at boundaries between networks: behind network perimeter firewalls, routers, VPN and remote access servers, and wireless networks.

Host Intrusion Detection Systems (HIDS)

A HIDS is installed on a specific host and is used to monitor, detect, and analyze events occurring on that host. It monitors activities related to network traffic, logs, processes, applications, and file access and modification on the host. A HIDS is normally deployed for protecting very sensitive information that is kept on publicly accessible servers.

Hybrid Intrusion Detection Systems (Hybrid IDS)

A hybrid IDS is a combination of both HIDS and NIDS. It combines the advantages of both the low false-positive rate of a NIDS and the anomaly-based detection of a HIDS to detect unknown attacks. It has its agent installed on almost every host in the network, and it has the ability to work online with encrypted networks and to store data on a single host.
Structure-based IDS

An IDS is also classified as a centralized IDS or a distributed IDS; this classification is based on the structure of the IDS.

Centralized Structure of IDS

In a centralized system, the data is gathered from different sites to a central site, and the central coordinator analyzes the data following an intrusion. Such an IDS is designed for centralized systems. In a centralized IDS, data analysis is performed in a fixed number of locations, independent of how many hosts are being monitored. As a result, the centralized structure of an IDS can be harmful in a high-speed network.
Figure 7.72: Centralized Structure of an IDS

Distributed Structure of an IDS

A distributed intrusion detection system (dIDS) consists of multiple IDSs over a large network. These systems communicate with each other or with a central server that facilitates an advanced network of monitoring, incident analysis, and instant attack data. By having these cooperative agents distributed across a network, network operators can get a broader view of what is occurring on their network as a whole. A dIDS also allows a company to efficiently manage its incident analysis resources by centralizing its attack records and by giving the analyst a way to spot new trends or patterns and identify threats to the network across multiple network segments.

Figure 7.73: Distributed structure of an IDS

Analysis Timing-based IDS

Analysis timing refers to the elapsed time between the occurrence of events and the analysis of those events.
Based on analysis timing, an IDS can be classified into two distinct types: interval-based IDS and real-time-based IDS.

Interval-based IDS

Interval-based or offline analysis refers to the storage of intrusion-related information for further analysis. This type of IDS checks the status and content of log files at predefined intervals. The information about an intrusion detection does not flow continuously from monitoring points to analysis engines; it is simply stored and forwarded. It performs analysis of the detected intrusion offline. Interval-based IDSs are precluded from performing an active response. Batch mode was common in early IDS implementations because their capabilities did not support real-time data acquisition and analysis.

Real-time-based IDS

The information about an intrusion detection flows continuously from monitoring points to analysis engines. It performs analysis of the detected intrusion on the fly. A real-time-based IDS is designed for on-the-fly processing and is the most common approach for a network-based IDS. It operates on a continuous information feed. A real-time-based IDS gathers and monitors information from network traffic streams regularly. The detection performed by this IDS yields results quickly enough to allow the IDS to take action affecting the progress of the detected attack. It can also conduct online verification of events with the help of on-the-fly processing and respond to them simultaneously. An IDS using this type of processing requires more RAM and a large hard drive because of the high data storage required to trace all of the network packets online.
Source Data Analysis-based IDS

An IDS is classified based on the type of data source used for detecting intrusions. An IDS uses data sources such as audit trails and network packets to detect intrusions. Depending on the data source, an IDS can be categorized into two types: intrusion detection using audit trails and intrusion detection using network packets.

Intrusion Detection Using Audit Trails

An audit trail is a set of records that provide documentary evidence of a system's activity, covering the system and application processes and the user activity of systems and applications. Audit trails help the IDS in detecting performance problems, security violations, and flaws in applications. Administrators should avoid storing audit trail reports in a single file, to prevent intruders from accessing the audit reports and making changes.

▪ Audit systems are used for the following:
  o Watch file access
  o Monitor system calls
  o Record commands run by users
  o Record security events
  o Search for events
  o Run summary reports

▪ The reasons for performing audit trails are as follows:
  o Identifying the signs of an attack using event analysis
  o Identifying recurring intrusion events
  o Identifying system vulnerabilities
  o Developing access and user signatures
  o Defining network traffic rules for anomaly detection-based IDSs
  o Providing a form of defense for a basic user against intrusions

Intrusion Detection Using Network Packets

A network packet is a unit of data transmitted over a network for communication. It contains control information in a header and user data. The header of the packet contains the address of the packet's source and its destination; the payload is the body of the packet storing the original content. The header and the payload of a packet can contain malicious content sent by attackers. Capturing these packets before they reach their final destination is an efficient way to detect such attacks.

IDS Components

An IDS is built on various components. Knowledge of their functions and placement is required for effective IDS implementation. These components are used to collect information from a variety of systems and network sources, and then analyze the information for any abnormalities. The major components of an IDS are listed below.
Figure 7.74: IDS Components

▪ Network sensors: These agents analyze and report any suspicious activity.
▪ Analyzer: It analyzes the data collected by the sensors.
▪ Alert systems: These systems trigger alerts when detecting malicious activity.
▪ Command console: It acts as an interface between the user and the IDS.
▪ Response system: An IDS uses this system to initiate countermeasures on detected activities.
▪ Database of attack signatures or behaviors: A list of previously detected signatures stored in a database that assists the IDS in intrusion detection.
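The "Intrusion Detection Using Network Packets" passage above describes a packet as a header plus a payload, either of which may carry something malicious. The following Python example is added here (it is not code from the course material) to show what a packet-based sensor actually does with raw bytes: it splits a minimal IPv4/TCP packet into header fields and payload, treats a header that is inconsistent with the captured bytes as a finding in its own right, and then applies the telnet-login-as-root signature from the signature-based section to the payload. The packet builder, the addresses, the ports and the payloads are constructed for the example; checksums are left at zero and IP/TCP options are not modelled.

```python
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # minimal IPv4 header, 20 bytes
TCP_HDR = "!HHIIBBHHH"     # minimal TCP header, 20 bytes


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+TCP packet (no options, checksums left zero).

    Only used to create sample input for the example; it is not a capture.
    """
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(IP_HDR, 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse(packet):
    """Split a raw IPv4 packet into header fields and payload.

    Raises ValueError when the header is inconsistent with the bytes captured;
    a sensor reports that rather than silently skipping the packet.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IP_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if total_len > len(packet):
        raise ValueError("total length exceeds captured bytes")
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "ttl": ttl, "proto": proto, "sport": None, "dport": None,
              "payload": packet[ihl:total_len]}
    if proto != 6:            # not TCP: hand the rest over as opaque payload
        return fields
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, _seq, _ack, off, flags, _win, _csum,
     _urg) = struct.unpack(TCP_HDR, tcp[:20])
    doff = (off >> 4) * 4
    if doff < 20 or len(tcp) < doff:
        raise ValueError("bad TCP data offset")
    fields.update({"sport": sport, "dport": dport, "flags": flags,
                   "payload": tcp[doff:]})
    return fields


def inspect_packet(packet):
    """Header and payload checks on one packet; returns a list of alert strings."""
    try:
        f = parse(packet)
    except ValueError as err:
        return [f"malformed packet: {err}"]
    alerts = []
    # Payload check for the signature example from this section: a telnet login
    # as root. It is a plain substring comparison, so it is cheap and exact but
    # catches only this precise form, as the signature approach's disadvantages say.
    if f["proto"] == 6 and f["dport"] == 23 and b"root" in f["payload"]:
        alerts.append(f"telnet login as root from {f['src']} to {f['dst']}")
    return alerts


if __name__ == "__main__":
    samples = [
        build_ipv4_tcp("10.0.0.5", "10.0.0.9", 51000, 23, b"root\r\n"),
        build_ipv4_tcp("10.0.0.5", "10.0.0.9", 51000, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_ipv4_tcp("10.0.0.5", "10.0.0.9", 51000, 23, b"alice\r\n")[:30],
    ]
    for pkt in samples:
        print(inspect_packet(pkt) or "clean")
```

The third sample is a packet cut off after 30 bytes, so its IP total length promises more data than was captured; the parser refuses it and the sensor reports a malformed packet, which is the header-side check the passage hints at. A real sensor would add checksum verification and handle IP and TCP options, which this sketch leaves out.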
