Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Module Flow

Discuss Essential Network Understand Different Types of
Security Protocols Proxy Servers and their Benefits

:. Discuss Fundamentals of VPN
Discuss Security Benetiis /7 an and its importance in Network
of Network Segmentation - G.
— ’ Security

N
Understand Different Types @ 4\ Discuss Other Network Security
of Firewalls and their Role Controls

|

Understand Different Types Discuss Importance of Load
of IDS/IPS and their Role E\ Balancing in Network Security

Understand Different Types Understand Various
of Honeypots Antivirus/Anti-malware Software

L All Rights Reserved. Reproduction s Strictly Prohibited

Understand Different Types of IDS/IPS and their Role
The objective of this section is to explain different types of IDS/IPS, their role, capabilities,
limitations, and concerns in implementing IDS security. This section also discusses IDS
components, collaboration of IDS components in intrusion detection, deployment of network
and host based IDS, types of IDS alerts, and intrusion detection tools.

Module 07 Page 807 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Intrusion Detection and Prevention System (IDS/IPS)

01 02 03
An intrusion detection and prevention If found, the IDS will alert the IDS checks the network traffic for
system (IDS/IPS) is a network security administrator about the suspicious signatures that match known
appliance that inspects all inbound activities intrusion patterns and triggers an
and outbound network traffic for alarm when a match is found
suspicious patterns that might indicate
a network or system security breach

Server
Untrusted Network

&@%..................,.....................

&' @ Firewall 5

Intrusion Detection and Prevention System (IDS/IPS)
An Intrusion Detection and Prevention System (IPS/IDPS) is a network security appliance which
inspects all inbound and outbound network traffic for suspicious patterns that could indicate a
network or system security breach, identifies suspicious activity if any, logs information of the
suspicious activity, reports it and attempts to block it. An intrusion prevention system (IPS) is an
extension of the intrusion detection system (IDS). An IPS can

= Send alarms
= Defragment packet streams
= Drop identified malicious packets
= Reduce TCP sequencing issues
= Reset a connection

= Block traffic from a malicious IP address
® Correct cyclic redundancy check (CRC) errors
= (Clean unneeded transport and network layer options
The Intrusion Detection System (IDS) monitors all inbound and outbound network activity and
identifies malicious patterns by looking for known attack signatures and warns the security
professionals of suspicious activity but does not prevent them. An IDS displays an alert, logs the
event, or pages an administrator, reconfigures the network to mitigate the consequences of
intrusions.

Module 07 Page 808 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

IDS vs. IPS

The key difference between an IPS and an IDS is that the IPS is implemented in-line, however
the IDS sits off to the side. The traffic that is directed through an IPS either blocks or allows the
packets depending on the policy and performs correction if needed. In the case of IDS, it is
connected via a network tap and it monitors traffic, but cannot act directly.
Server

i
Untrusted Network

IPS

Figure 7.64: IDS vs. IPS

Module 07 Page 809 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

How does an IDS Work?
IDS Preprocessor

Signature File |..
Comparison < >a. D =
Y Signature File : =
: Cisco log sever
Internet Router Firewall Matched? \ s W
" esererense Database ::

X : foend g
Anomaly : i Alarm notifies
Detection : : admin and packet
v can be dropped
Y
M‘(ghgdf-!un-u--é............... i..... > "
+ Action Rule : d b
Y, H ¢ Connections are
@x H ¢ cutdown from
: that IP source
Stateful Protocol : :
Analysis : :
v : :.
: ‘ X Lispy '| i
—_—_— ,‘V'\ :.
Enterprise Network (200 a) ¢ R KA. - packet
dropped
s
Switch

Copyright © by L All Rights Reserved. Reproduction
is Strictly Prohibited.

How does an IDS Work?
IDS Preprocessor

Signature File
""""b‘ Comparison ‘< >

v Signature File
Internet Router Firewall IDS ¥ Database :
Matched? -. lllllllllll: :

A4
PX :: Teered |
Anomaly : ! Alarm notifies
Detection * admin and packet. ¢+ can be dropped
Y :

Matched? r#sssssssnuas a:n...............E..... > %
: Action Rule : d%o
¢ - : Connections are
\:,X : : cut down from
S H : that IP source
Stateful Protocol :.
Analysis
: : : =
>\/< v E :. LR l) m

Enterprise Network [maae. 1. X rstchodiiy Woesasssssst Zig':;‘;:
Switch

Figure 7.65: Working of an IDS

Signature-based IDS: In a signature-based IDS, the network traffic is checked with the
databases that comprises of intrusions. As shown in the above figure, if an attack signature

Module 07 Page 810 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

matches with any of the signatures in the signature file database, the connection will be
disconnected down from the source IP, the packet will be dropped, the activity will be logged,
and an alarm will be initiated. Alternatively, the packet will be moved to the next step called
the anomaly detection step.
Anomaly-based IDS: An anomaly-based IDS uses statistical techniques to compare the
monitored traffic with the normal traffic. This method can identify new forms of attacks that
are not in the IDS signature database and issue a warning. The disadvantage of this method is
issuing false positive messages, which will complicate the functioning of an administrator. In
the anomaly detection step, if the attack signature matches, the connections will be
disconnected from the source IP, the packet will be dropped, the activity will be logged, and an
alarm will be initiated. Alternatively, the packet will be sent to stateful protocol analysis.
A stateful protocol analysis is used for detecting the deviations of the protocol state, which uses
predetermined profiles based on the vendor-developed definitions of malicious activity. In the
stateful protocol analysis, if the packet is matched, the connections will be disconnected from
the source IP, the packets will be dropped, the activity will be logged, and an alarm will be
initiated. Alternatively, the packet will be passed to the network through a switch.
An IDS performs an evaluation of a network traffic for illegal activities and policy violations. It
performs a vulnerability assessment for ensuring the security of the network. The following are
the features of IDS:
= Evaluating system and network activities
= Analyzing vulnerabilities in a network
* Measuring the system and file reliability
= Skill to identify the possibilities of attacks
*= Monitoring irregular activities in a network and system
= Evaluating the policy violations
Organizations can identify the presence of attacks or intrusions from outside a network as well
as the intrusions or misuse within that network. An IDS generally performs a vulnerability
assessment or scanning in order to identify the vulnerabilities in a network and to monitor the
security of the network.
Firewalls prevent intrusions within a network, but do not actually issue an alert regarding an
intrusion or an attack. On the other hand, IDS systems can monitor and identify the intrusions
within a network as well as signal an alarm to the administrator.
Advantages of IDS:
= An IDS allows continuous monitoring and tracking of all intrusions and attacks in a
network.
= An IDS provides an extra layer of security to a network.
= An IDS can also provide a log or data regarding the attack or intrusion that can be later
used for investigating the incident.

Module 07 Page 811 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

= |DS requires more maintenance as compared to firewalls.
Disadvantages of IDS:
= |tis not always possible for an IDS to detect intrusions.

= IDS requires properly trained and experienced users to maintain it.
= |DS can raise false alarms to the network administrator.

Module 07 Page 812 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Role of an IDS in Network Defense

—
=211

O An IDS works from inside the network, unlike a O An DS is placed behind the firewall, inspecting
firewall which only looks outside the network all the traffic, looking for heuristics and a pattern
for intrusions match for intrusions

Role of an IDS in Network Defense

Why Do We Need IDS?
Relying solely on a firewall for network security can provide a false sense of security. The
firewall is simply implemented in the IT security policy to allow or deny traffic based on the
policy rules. It allows certain packets to pass through or denies access if it does not meet
certain criteria specified in a rule. It does not check the contents of legitimate traffic that are
allowed based on the ruleset. Even legitimate traffic may contain malicious content, which is
not evaluated during inspection by a firewall.
As an example, a firewall can be configured to pass traffic solely to port 80 of the Web server
and to port 25 of the email server but it will not inspect the nature of the traffic flowing
through either of these ports.
This is the reason why an IDS is implemented. An IDS will inspect the legitimate traffic coming
from firewall and conduct signature-based analysis to identify malicious activity and raise an
alarm to notify security professionals.
Role of an IDS in Network Defense

= An IDS works from inside the network, unlike a firewall which only looks outside the
network for intrusions

= An IDS is placed behind the firewall, inspecting all the traffic, looking for heuristics and a
pattern match for intrusions

Module 07 Page 813 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

How an IDS Detects an Intrusion?

Signature Recognition
Signature recognition, also known as
misuse detection, tries to identify events
that indicate an abuse of a system or
network resource

Anomaly Detection

It detects the intrusion based on the fixed
behavioral characteristics of the users and
components in a computer system

Protocol Anomaly Detection
In this type of detection, models are built
to explore anomalies in the way in which
vendors deploy the TCP/IP specification

Copyright © by L All Rights Reserved. Reproduction is Strictly Prohibited

How an IDS Detects an Intrusion?

An IDS uses three methods to detect intrusions in the network.
Signature Recognition
Signature recognition, also known as misuse detection, tries to identify events that
indicate an abuse of a system or network. This technique involves first creating models
of possible intrusions and then comparing these models with incoming events to make a
detection decision. The signatures for IDS were created under the assumption that the
model must detect an attack without disturbing normal system traffic. Only attacks
should match the model; otherwise, false alarms could occur.
o Signature-based intrusion detection compares incoming or outgoing network
packets with the binary signatures of known attacks using simple pattern-matching
techniques to detect intrusions. Attackers can define a binary signature for a specific
portion of the packet, such as TCP flags.
Signature recognition can detect known attacks. However, there is a possibility that
other innocuous packets contain the same signature, which will trigger a false
positive alert.
Improper signatures may trigger false alerts. To detect misuse, a massive number of
signatures are required. The more the signatures, the greater are the chances are of
the IDS detecting attacks; however, the traffic may incorrectly match with the
signatures, thus impeding system performance.

A large amount of signature data requires more network bandwidth. IDS compare
signatures of data packets against those in the signature database. An increase in

Module 07 Page 814 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

the number of signatures in the database could result in the dropping of certain
packets.
Anomaly Detection
Anomaly detection, or “not-use detection,” differs from signature recognition. Anomaly
detection involves a database of anomalies. An anomaly is detected when an event
occurs outside the tolerance threshold of normal traffic. Therefore, any deviation from
regular use is an attack. Anomaly detection detects intrusions based on the fixed
behavioral characteristics of the users and components in a computer system.
Establishing a model of normal use is the most challenging step in creating an anomaly
detector.
o In the traditional method of anomaly detection, essential data are kept for checking
variations in network traffic. However, in reality, there is some unpredictability in
network traffic, and there are too many statistical variations, thus making these
models imprecise. Some events labeled as anomalies might only be irregularities in
network usage.
o In this type of approach, the inability to construct a model thoroughly on a regular
network is a concern. These models should be used to check specific networks.
Protocol Anomaly Detection
Protocol anomaly detection depends on the anomalies specific to a protocol. It
identifies particular flaws in vendors’ deployment of the TCP/IP protocol. Protocols are
designed according to RFC specifications, which dictate standard handshakes to permit
universal communication. The protocol anomaly detector can identify new attacks.
o There are new attack methods and exploits that violate protocol standards.
o Malicious anomaly signatures are becoming increasingly common. By contrast, the
network protocol is well defined and is changing slowly. Therefore, the signature
database should frequently be updated to detect attacks.
o Protocol anomaly detectors are different from traditional IDS in terms of how they
present alarms.
o The best way to present alarms is to explain which part of the state system is
compromised. For this purpose, IDS operators must have thorough knowledge of
protocol design.

Module 07 Page 815 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

IDS Capabilities
O DS provides an additional layer of security to the network under the defense-in-depth
principle
O IDS does several things that basic firewalls cannot do
O IDS helps minimize the chance of missing security threats that could come from firewall
evasions

P
IDS/IPS Functions

Monitoring and analyzing both user and Q
Recognizing typical attack patterns
system activities
Analyzing system configurations and
Analyzing abnormal activity patterns
vulnerabilities

Assessing system and file integrity Tracking user policy violations

IDS Capabilities
IDS provides an additional layer of security to the network under the defense-in-depth
principle. IDS does several things that basic firewalls cannot do. IDS helps minimize the chance
of missing security threats that could come from firewall evasions.

The main task of an IDS is detecting an intrusion attempt on a network and issuing a notification
about what occurred. Detecting hostile attacks depends on several types of actions including
prevention, intrusion monitoring, intrusion detection, and response. Intrusion prevention
requires a well-selected combination of luring and tricking aimed at investigating threats.
Diverting the intruder’s attention from protected resources is another task. An IDS constantly
monitors both the real system and a possible trap system and carefully examines data
generated for detection of possible attacks.
Once an IDS detects an intrusion it issues alerts notifying administrators. Once the intrusion is
detected and notified, the security professionals can execute certain countermeasures, which
may include blocking functions, terminating sessions, backing up the systems, routing
connections to a system trap, legal infrastructure, etc. An IDS is an important element of the
security policy.
IDS alerts and logs are useful in forensic research of any incidents and installing appropriate
patches to enable the detection of future attack attempts targeting specific people or
resources.
An IDS observes computer network activity and keeps track of user policies and activity
patterns to ensure they do not violate policies. It also observes network traffic and components
for detecting virus and malware hidden in the form of spyware, key loggers, etc.

Module 07 Page 816 Certified Cybersecurity Technician Copyright © by EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

An IDS works by gathering information about illicit attempts made to compromise security and
then verifying them. It also records the event data and the security professional can use this
data to take future preventive measures and make improvements to network security.
IDS/IPS Functions
= Monitoring and analyzing both user and system activities
= Analyzing system configurations and vulnerabilities
= Assessing system and file integrity
= Recognizing typical attack patterns

= Analyzing abnormal activity patterns
* Tracking user policy violations

In addition to its core functionality of identifying and analyzing intrusions, an IDS can perform
the following types of activities related to intrusion detection:

= Records information about events: An IDS notes down every detail regarding the
monitored events and forwards the recorded information to various other systems such
as centralized logging servers, security information and event management (SIEM), and
enterprise management systems.

= Sending an alert: The IDS sends an intrusion alert to the security professional through
emails, pop-up messages on the IDS user interface, etc.

= Generating reports: The IDS generates reports providing insight into observed events or
any suspicious event that may have occurred.

Module 07 Page 817 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

IDS/IPS Limitations: What an IDS/IPS
is NOT?

Network Logging Vulnerability
Systems \ ‘ Assessment Tools

IDS/IPS cannot act
as or replacement of

Antivirus < 5 Cryptographic
Products Systems

Copyright © by EC- IL All Rights Reserved. ReproductionIS Strictly Prohibited

IDS/IPS Limitations: What an IDS/IPS is NOT?

Contrary to popular belief and terminology employed in the literature on IDSs, not every
security device falls into this category. In particular, the following security devices should not be
categorized as IDSs:
= Network logging systems: These devices are network traffic monitoring systems. They
detect DoS vulnerabilities across a congested network.
* Vulnerability assessment tools: These devices check for bugs and flaws in operating
systems and network services (security scanners).
= Antivirus products: These devices detect malicious software such as viruses, Trojan
horses, worms, bacteria, logic bombs, etc. When compared feature by feature, these
devices are very similar to IDSs and often provide effective security breach detection.
= Security/cryptographic systems: These devices protect sensitive data from theft or
alteration by mandating user authentication. Examples include VPN, SSL, S/MIME,
Kerberos, and RADIUS.

Module 07 Page 818 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

IDS/IPS Security Concerns
O Improper IDS/IPS configuration and management will
make an IDS/IPS ineffective
o QO IDS/IPS deployment should be done with careful planning,
preparation, prototyping, testing, and specialized training '

Common Mistakes in IDS/IPS Configuration

v Deploying an IDS in a location where it does not see all the network
traffic

v' Frequently ignoring the alerts generated by the IDS

¥ Not having the proper response policy and the best possible solutions
to deal with an event

¥ Not fine-tuning the IDS for false negatives and false positives

v Not updating the IDS with the latest new signatures from the vendor

¥ Only monitoring inbound connections

IDS/IPS Security Concerns
Improper IDS/IPS configuration and management will make an IDS/IPS ineffective. IDS/IPS
deployment should be done with careful planning, preparation, prototyping, testing, and
specialized training.
Common Mistakes in IDS/IPS Configuration
= Deploying an IDS in a location where it does not see all the network traffic
= Frequently ignoring the alerts generated by the IDS
= Not having the proper response policy and the best possible solutions to deal with an
event
= Not fine-tuning the IDS for false negatives and false positives
= Not updating the IDS with the latest new signatures from the vendor
= Only monitoring inbound connections
Included below are some mistakes and workarounds to avoid them for effective deployment of
an IDS in the network:

= Deploying an IDS if the infrastructure planning is not efficient: An improper or
incomplete network infrastructure will not help the functioning of an IDS. If the tuning
of the IDS does not follow the network infrastructure, it has the potential to disable the
network by flooding it with alerts.
* Incorrect sensitivity: After the deployment of an IDS, organizations usually set its level
to the highest sensitivity enabling the IDS to detect a large number of attacks. However,
this also leads to a rise in the number of false positives. If an IDS generates a large

Module 07 Page 819 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

number of false positive alerts per day, it could cause the administrator to miss an
actual alert. In the long run, ignoring these alerts can be harmful for network security.
* Detecting an intrusion is not enough: Organizations should also design a response
policy that administrators implement in response to an incident that has occurred. This
response policy should answer the following questions: What is a normal event and
what is a malicious event? What is the response for every event generating an alert?
The person reviewing the alerts should be aware of this action plan.
= NIDS without IPsec: An infrastructure that has established a NIDS without IPsec network
protocols makes the network more vulnerable to intrusions. A NIDS listens to all the
traffic that it senses and then compares the legitimacy of the traffic. If it encounters
encrypted traffic, it can only perform packet-level analysis as the application layer
contents are inaccessible. This increases the vulnerability of the network.
* Ignoring outbound traffic: Many organizations prefer securing and monitoring only the
inbound traffic and ignore the outbound traffic. It is important to place IDS sensors
throughout the organization. If the setup is cost effective, the organization should place
the sensors near the choke points on the network. This will help monitor outbound as
well as internal host network traffic.

= Deploying IDS sensors on a single NIC or on multiple data links: This will lead to an IDS
sensor sending the data on the same interface on which it is sensing. This may lead to a
possible attack as the interface reports all the data to the centralized database. If an
attacker gets access to this infrastructure, they can disable the IDS and prevent further
alerts. The attacker can also intercept the data on the interface and alter it. This issue
can be resolved by connecting the interface to a dedicated monitoring network.

Module 07 Page 820 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

General Indications of Intrusions
« L

File System Intrusions Network Intrusions System Intrusions

O The presence of new or O Repeated probes of the O Short or incomplete logs
unfamiliar files, or programs available services on your O Unusually slow system
machines
QO Changes in file permissions ) performance
O Unexolained ch n a file' Q Connections from unusual O Missing logs or logs with incorrect
si::xp RO GOSN 8 ReS locations permissions or ownership
O Repeated login attempts from O Modifications to system software
Q Rogue files on the system that remote hosts and configuration files
(,jo -y Forrespond othe naster Q' Asudden influx of log data Q Unusual graphic displays or text
list of signed files
messages
QO Missing files O Gaps in system accounting
O System crashes or reboots
i 0 Unfamiliar processes
¢ ]

Copyright © by EC L All Rights Reserved. Reproductionis Strictly Prohibited.

General Indications of Intrusions

Intrusion attempts on networks, systems, or file systems can be identified by following some
general indicators:
* File System Intrusions

By observing system files, the presence of an intrusion can be identified. System files
record the activities of the system. Any modification or deletion of the file attributes or
the file itself is a sign that the system has been a target of an attack:
o If you find new, unknown files/programs on your system, then there is a possibility
that the system has been intruded into. The system can be compromised to the
extent that it can, in turn, compromise other network systems.
When an intruder gains access to a system, he or she tries to escalate privileges to
gain administrative access. When the intruder obtains administrator privileges,
he/she could change file permissions, for example, from read-only to write.
Unexplained modifications in file size are also an indication of an attack. Make sure
you analyze all your system files.
The presence of rogue suid and sgid files on your Linux system that do not match
your master list of suid and sgid files could indicate an attack.
You can identify unfamiliar file names in directories, including executable files with
strange extensions and double extensions.
Missing files are also a sign of a probable intrusion/attack.

Module 07 Page 821 Certified Cybersecurity Technician Copyright © by EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

= Network Intrusions

Similarly, general indications of network intrusions include:
o A sudden increase in bandwidth consumption
o Repeated probes of the available services on your machines
Connection requests from IPs other than those in the network range, which imply
that an unauthenticated user (intruder) is attempting to connect to the network
Repeated login attempts from remote hosts
A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth
consumption, and DDoS attacks
= System Intrusions

Similarly, general indications of system intrusions include:
o Sudden changes in logs such as short or incomplete logs
o Unusually slow system performance

Missing logs or logs with incorrect permissions or ownership
Modifications to system software and configuration files
Unusual graphic displays or text messages
Gaps in system accounting

System crashes or reboots
Unfamiliar processes

Module 07 Page 822 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

IDS Classification

@ An IDS is classified based on an approach, protected system, structure, data source, behavior, and time analysis

{ Classification of Intrusion Detection System }. = [wmu

Copyright © by All Rights Reserved. Reproduction Is Strictly Prohibited

IDS Classification

Generally, an IDS uses anomaly-based detection and signature-based detection methods to
detect intrusions. An IDS is classified based on an approach, protected system, structure, data
source, behavior, and time analysis.

The classification of IDSs is shown in following figure. This categorization depends on the
information gathered from a single host or a network segment, in terms of behavior, based on
continuous or periodic feed of information, and the data source.

[ Classification of Intrusion Detection System J

Bet lor after Analysls Timing
an Attack

On-the-fly
Processing

Anomaly
Detection

":‘E{-" nt System

Figure 7.66: Classification of Intrusion Detection System

Module 07 Page 823 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Approach-based IDS

Signature-Based Detection
O Known as misuse detection
O Monitors patterns of data packets in the network and compares them
to pre-configured network attack patterns, known as signatures
Q This method uses string comparison operations to compare ongoing
activity, such as a packet or a log entry, against a list of signatures

Advantages
= |t detects attacks with minimal false
alarms
= [t can quickly identify the use of a
specific tool or technique
= |t assists administrators to quickly track
any potential security issues and
initiate incident handling procedures

Copyright © by All Rights Reserved. Reproduction is Strictly Prohibited

Approach-based IDS (Cont’d)
O In this approach, alarms for anomalous activities are generated by evaluating network patterns such as
what sort of bandwidth is used, what protocols are used, and what ports and which devices are
connected to each other
h; ¢ Zt-ibased O An IDS monitors the typical activity for a particular time interval and then builds the statistics for the
e network traffic
O For example: anomaly-based 1DS monitors activities for normal Internet bandwidth usage, failed logon
attempts, processor utilization levels, etc.

Advantages Disadvantages
v' An anomaly-based IDS identifies abnormal v The rate of generating false alarms is high due to
behavior in the network and detects the unpredictable behavior of users and networks
symptoms for attacks without any clear details
v The need to create an extensive set of system
¥ Information acquired by anomaly detectors is events in order to characterize normal behavior
further used to define the signatures for misuse patterns
detectors

Copyright © by All Rights Reserved. Reproductionis Strictly Prohibited

Module 07 Page 824 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Approach-based IDS (Cont’d)

@ This method compares observed g It also detects variations in command
events with predetermined profiles length, minimum/maximum values for
based on accepted definitions of attributes and other potential
benign activity for each protocol to anomalies
identify any deviations of the protocol
state

Stateful Protocol
Analysis
It can identify unpredictable For any protocol performing
sequences of commands. For example, authentication, the IDS/IPS will keep
it can identify activities such as issuing track of the authenticator being used for
the same commands repeatedly or each session and will record the
arbitrary commands being used : authenticator involved in the suspicious
activity

Approach-based IDS
Signature-based Detection
It is also known as misuse detection. Monitors patterns of data packets in the network and
compares them to pre-configured network attack patterns known as signatures. A signature is a
predefined pattern in the traffic on a network. Normal traffic signatures denote normal traffic
behavior. However, attack signatures are malicious and are harmful to the network. These
patterns are unique, and the attacker uses these patterns to get into the network. This method
uses string comparison operations to compare ongoing activity, such as a packet or a log entry,
against a list of signatures.
Advantages
= |t detects attacks with minimal false alarms.
= |t can quickly identify the use of a specific tool or technique.
= |t assists administrators to quickly track any potential security issues and initiate
incident handling procedures.
Disadvantages
= This approach only detects known threats, the database must be updated with new
attack signatures constantly.
= |t utilizes tightly defined signatures that prevent it from detecting common variants of
the attacks.

Module 07 Page 825 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Examples of signatures:
= Atelnet attempt with a username of ‘root’, which is a violation of the corporate security
policy.
= An operating system log entry with a status code of 645 indicates the host auditing
system is disabled.
Anomaly-based Detection
The anomaly-based detection process depends on observing and comparing the observed
events with the normal behavior and then detecting any deviation from it. Normal behavior
depends on factors such as users, hosts, network connections, and/or applications. These
factors are considered only after examining a particular activity over a period of time.
Normal traffic behavior is based on various behavioral attributes such as normal email activity,
reasonable number of failed attempts, processor usage, etc. Any activity that does not match
normal behavior can be treated as an attack. For example, numerous emails coming from a
single sender or a large number of failed login attempts can indicate suspicious behavior. Unlike
signature-based detection, anomaly-based detection can detect previously unknown attacks.
In this approach, alarms for anomalous activities are generated by evaluating network patterns
such as what sort of bandwidth is used, what protocols are used, and what ports and which
devices are connected to each other. An IDS monitors the typical activity for a particular time
interval and then builds the statistics for the network traffic. For example: anomaly-based IDS
monitors activities for normal Internet bandwidth usage, failed logon attempts, processor
utilization levels, etc.
Advantages
= An anomaly-based IDS identifies abnormal behavior in the network and detects the
symptoms for attacks without any clear details
* |Information acquired by anomaly detectors is further used to define the signatures for
misuse detectors
Disadvantages
= The rate of generating false alarms is high due to unpredictable behavior of users and
networks

* The need to create an extensive set of system events in order to characterize normal
behavior patterns
Stateful Protocol Analysis
Network communication uses various types of protocols to exchange information on different
layers. These protocols define the accepted behavior. Stateful protocol analysis—based IDS
detects suspicious activity by analyzing the deviation of specific protocol traffic from its normal
behavior. Using this analysis, an IDS can analyze the network, transport, and application layer
protocols and traffic against their normal behavior.

Module 07 Page 826 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Certain IDSs can specify suitable activities for each class of users in accordance with the
authenticator information. This method compares observed events with predetermined profiles
based on accepted definitions of benign activity for each protocol to identify any deviations of
the protocol state. It can identify unpredictable sequences of commands. For example, it can
identify activities such as issuing the same commands repeatedly or arbitrary commands being
used. It also detects variations in command length, minimum/maximum values for attributes
and other potential anomalies. For any protocol performing authentication, the IDS/IPS will
keep track of the authenticator being used for each session and will record the authenticator
involved in the suspicious activity.

Module 07 Page 827 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Anomaly and Misuse Detection Systems

Misuse Detection System Anomaly Detection System

oo |

Auditing Modules Interference Engine

Ul
maz.u.?
Target Systems

Anomaly and Misuse Detection Systems
Misuse Detection System

In a misuse detection system, first the abnormal behavior system is defined and then the
normal behavior. The misuse detection system works differently from an anomaly detection
system in that it has a static approach in detecting attacks. Generally, misuse detection systems
show a low rate of false positives as the rules are predefined, such as rule-based languages,
state transition analysis, expert system, etc.

[ Detection Module J

Auditing Modules Profiles Interference Engine

Target Systems

@% = @o
=Y =g m?
Figure 7.67: Misuse detection system

Module 07 Page 828 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Advantages
= More accurate detection than an anomaly detection system
= Fewer false alarms
Disadvantage
= Unable to detect new attacks due to predefined rules
Anomaly Detection System
An anomaly detection system involves detecting intrusions on the network. It uses algorithms
to detect discrepancies occurring in a network or system. It categorizes an intrusion as either
normal or anomalous. Anomaly intrusion is a two-step process where the first step involves
gathering information of how data flows and the second step involves working on that data
flow in real time and detecting if the data is normal or not. By implementing this process, an
anomaly detection—based IDS protects the target systems and networks that may be vulnerable
to malicious activities. Anomalies in the system can be detected through artificial intelligence,
neural networks, data mining, statistical method, etc.

Detection Module

¥ 8
Auditing Modules Profiles Anomaly Detection

1]
=0 =) =)
Target Systems

E=Y = =Y
Figure 7.68: Anomaly detection system

Advantages
* |t detects and identifies probes in network hardware, thereby providing early warnings
about attacks.
* |t has the ability to detect a wide range of attacks in the network.
Disadvantages
= |f a legitimate network behavior is not part of the designed model, the system will
detect it as anomalous. This increases the number of false positive alerts in the system.
*= Network traffic varies and deployment of the same model throughout can lead to a
failure in detecting known attacks.

Module 07 Page 829 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Behavior-based IDS

O An IDS is categorized based on
how it reacts to a potential
Active IDS Mode Passive IDS Mode
intrusion
Traffic 5
4 Traffic & A

Q It functions in one of two modes,
R
active or passive, based on the
Firewall
behavior after an attack
: ¢
v Active IDS: Detects and
¥4 2.
“Frontlings
responds to detected intrusions e 1ps
listenand * § Active E Listen and
v Passive IDS: Only detects Monitor ¥ * Response : Monitor
intrusions v
Active IDS Mode Passive IDS Mode

Copyright © by

Behavior-based IDS

Behavior-based intrusion detection techniques assume an intrusion can be detected by
observing a deviation from normal or expected behavior of the system or users. The model of
normal or valid behavior is extracted from reference information collected by various means.
The IDS later compares this model with current activity. When a deviation is observed, an alarm
is generated.
An IDS is categorized based on how it reacts to a potential intrusion. It functions in one of two
modes, active or passive, based on the behavior after an attack.

Active IDS Mode
4 ~
| Active IDS Mode

E P
5 Firewall

:

Listenand * E Active
Monitor * Response

L Active IDS Mode J
i 3
L o

Figure 7.69: Active IDS Mode

Module 07 Page 830 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Detects and responds to detected intrusions. An active IDS is configured to automatically block
suspected attacks without any intervention from the administrator. Such an IDS has the
advantage of providing real-time corrective action in response to an attack. The exact action
differs per product and depends on the severity and type of the attack.
Passive IDS Mode

Passive IDS Mode

Traffic E é
;.

Firewall

¢ H
¥.‘.frontlln%:
* lg-g'o

E Listen and
+ Monitor.
v
Passive IDS Mode

Figure 7.70: Passive IDS Mode

Only detects intrusions. A passive IDS is configured only to monitor and analyze network traffic
activity and alert the administrator of any potential vulnerabilities and attacks. This type of IDS
is not capable of performing any protective or corrective functions on its own. It merely logs the
intrusion and notifies an administrator, through email or pop-ups. A system administrator or
someone else will have to respond to the alarm, take appropriate action to halt the attack and
possibly identify the intruder.

Module 07 Page 831 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Protection-based IDS

O An DS is classified based on the system/network
if offers protection to

o Ifit protects the network, it is called a network
intrusion detection system (NIDS)

o Ifit protects a host, it is called a host intrusion
HIDS HIDS HIDS HIDS HIDS
detection system (HIDS)

o Ifit protects the network and a host, it is called a
Misuse Known Attack
hybrid intrusion detection system (Hybrid IDS) 'l:e.t.g?'l?: Misuse [EESESEERERRNNESRERNEEaREE
R >

Detection prrrsnneann
- |. Unknown
Q A hybrid IDS combines the advantages of both the low » Features

false-positive rate of a NIDS and the anomaly-based v
detection of a HIDS to detect unknown attacks Anomaly | NOVEAE
Detection

Copyright © by EC cll. All Rights Reserved. Reproduction is Strictly Prohibited

Protection-based IDS

An IDS can be classified based on the device or network to which it offers protection. There are
mainly three types of IDS technologies under this category which includes network intrusion
detection systems (NIDS), host intrusion detection systems (HIDS), and hybrid intrusion
detection systems (hybrid 1DS).
= |f it protects the network, it is called a network intrusion detection system (NIDS)

= |fit protects a host, it is called a host intrusion detection system (HIDS)

= |f it protects the network and a host, it is called a hybrid intrusion detection system
(Hybrid 1DS)

Module 07 Page 832 Certified Cybersecurity Technician Copyright © by EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Untrusted Network NIDS

HIDS HIDS HIDS HIDS HIDS

Known Attack
M. ssn nnnnnnnnnnd
Detection Misuse tesssssssssnssssss
"
Illllllll’
Detection b uasanannn e
* Unknown
« Features

Novel Attack
Anomaly TELETETERTY =
Detection

Figure 7.71: Protection-based IDS

Network Intrusion Detection System (NIDS)
NIDS is used to observe the traffic for any specific segment or device and recognize the
occurrence of any suspicious activity in the network and application protocols. NIDS is typically
placed at boundaries between networks, behind network perimeter firewalls, routers, VPN,
remote access servers, and wireless networks.
Host Intrusion Detection Systems (HIDS)
HIDS is installed on a specific host and is used to monitor, detect, and analyze events occurring
on that host. It monitors activities related to network traffic, logs, process, application, file
access, and modification on the host. HIDS is normally deployed for protecting very sensitive
information that is kept on publicly accessible servers.
Hybrid Intrusion Detection Systems (Hybrid IDS)
A hybrid IDS is a combination of both HIDS and NIDS. It combines the advantages of both the
low false-positive rate of a NIDS and the anomaly-based detection of a HIDS to detect unknown
attacks. It has its agent installed on almost every host in the network, and it has the ability to
work online with encrypted networks and storing data on a single host.

Module 07 Page 833 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Structure-based IDS
il ‘ - \ILE) ‘ _ An IDS is also classified as a centralized IDS or a
distributed IDS, this classification is based on the
structure of the IDS

In a centralized IDS, all data is shipped to a central
location for analysis, independent of the number of
hosts that are monitored

In a distributed IDS, several IDS are deployed over
a large network and each IDS communicates with
each other for traffic analysis

Copyright © by L All Rights Reserved. Reproduction is Strictly Prohibited.

Application Network Host-based
System Itoring System
() - — G g

:fiflwwt{......... e
Network Monltoring System
g :
Host-based Monltoring System
et e (oot
rully Distributed. :
i Monitoring System

P T ,
B
G S-S L1
Copyright © by L All Rights Reserved. Reproduction
s Strictly Prohibited.

Structure-based IDS

An IDS is also classified as a centralized IDS or a distributed IDS, this classification is based on
the structure of the IDS

Centralized Structure of IDS

In a centralized system, the data is gathered from different sites to a central site and the central
coordinator analyzes the data following an intrusion. Such an IDS is designed for centralized

Module 07 Page 834 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

systems. In a centralized IDS, data analysis is performed in a fixed number of locations,
independent of how many hosts are being monitored. As a result, the centralized structure of
an IDS can be harmful in a high-speed network.
Application Network Host-based
Monitoring System Monitoring System Monitoring System
g@.............. Qe G )
1DS Console

= BB =D
Figure 7.72: Centralized Structure of an IDS

Distributed Structure of an IDS

A distributed intrusion detection system (dIDS) consists of multiple IDSs over a large network.
These systems communicate with each other or with a central server that facilitates an
advanced network of monitoring, incident analysis, and instant attack data. By having these
cooperative agents distributed across a network, network operators can get a broader view of
what is occurring on their network as a whole.
dIDS also allows a company to efficiently manage its incident analysis resources by centralizing
its attack records and by giving the analyst a way to spot new trends or patterns and identify
threats to the network across multiple network segments.
Network Monitoring System Host-based Monitoring System

Figure 7.73: Distributed structure of an IDS

Module 07 Page 835 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Analysis time is a span of time elapsed between the
events occurring and the analysis of those events

@ An IDS is Categorized based on Analysis Time as: @

[ ]

Interval-based IDS Real-Time-based IDS
O The information about an intrusion detection does QO The information about an intrusion detection flows
not flow continuously from monitoring points to continuously from monitoring points to analysis
analysis engines, it is simply stored and forwarded engines

O It performs analysis of the detected intrusion offline Q 1t performs analysis of the detected intrusion on the fly
[

Copyright © by L All Rights Reserved. Reproduction is Strictly Prohibited.

Analysis Timing-based IDS
Analysis timing refers to the elapsed time between the occurrence of events and analysis of
those events. Based on analysis timing, an IDS can be classified into two distinct types: interval-
based IDS and real-time—based IDS.
Interval-based IDS

Interval-based or offline analysis refers to the storage of the intrusion-related information for
further analysis. This type of IDS checks the status and content of log files at predefined
intervals. The information about an intrusion detection does not flow continuously from
monitoring points to analysis engines, it is simply stored and forwarded. It performs analysis of
the detected intrusion offline. Interval-based IDSs are prohibited from performing an active
response. Batch mode was common in early IDS implementations because their capabilities did
not support real-time data acquisition and analysis.

Real-time-based IDS

The information about an intrusion detection flows continuously from monitoring points to
analysis engines. It performs analysis of the detected intrusion on the fly.
A real-time-based IDS is designed for on-the-fly processing and is the most common approach
for a network-based IDS. It operates on a continuous information feed. Real-time—based IDS
gathers and monitors information from network traffic streams regularly. The detection
performed by this IDS yields results quick enough to allow the IDS system to take action
affecting the progress of the detected attack. It can also conduct online verification of events
with the help of on-the-fly processing and respond to them simultaneously. An IDS using this
type of processing requires more RAM and a large hard drive because of the high data storage
required to trace all of the network packets online.

Module 07 Page 836 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
 Exam 212-82
Certified Cybersecurity Technician
Network Security Controls — Technical Controls

Source Data Analysis-based IDS 5

An IDS is classified based on the
type of data source used for
detecting intrusions

and network
An IDS uses data sources such as audit trail
packets to detect intrusions

Intrusion Detection Using Network Packets
1
I
Intrusion Detection Using Audit Trails I
I
!

Capturing and analyzing network packets
1
1 Q
O Audit trails help the IDS detect performance 1
1
help an IDS detect well-known attacks
problems, security violations, and flaws in
1
1
1
applications 1
1
1
1
I
I
]
I
1
L All Rights Reserved. Reproductionis Strictly Prohibited
Copyright © by I

Source Data Analysis-based IDS
ting intrusions. An IDS uses
An IDS is classified based on the type of data source used for detec
intrusions. Depending on the
data sources such as audit trail and network packets to detect
tion using audit trails and
data source, an IDS can be categorized into two types: intrusion detec
intrusion detection using network packets.

Intrusion Detection Using Audit Trails
mentary evidence of a system’s activity using
An audit trail is a set of records that provide docu
activity of systems and applications. Audit trails
the system and application processes and user
, security violations, and flaws in applications.
help the IDS in detecting performance problems
reports in a single file to avoid intruders from
Administrators should avoid storage of audit trail
accessing the audit reports and making changes.
= Audit systems are used for the following:
o Watch file access
o Monitor system calls
o Record commands run by user
o Record security events
o Search for events
o Run summary reports
ws:
= The reasons for performing audit trails are as follo
sis
o Identifying the signs of an attack using event analy

by EG-Council
Certified Cybersecurity Technician Copyright ©
ited.
Module 07 Page 837 All Rights Reserved. Reproduction is Strictly Prohib
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

o Identifying recurring intrusion events
o lIdentifying system vulnerabilities
o To develop access and user signatures
o To define network traffic rules for anomaly detection-based IDSs
o Provides a form of defense for a basic user against intrusions
Intrusion Detection Using Network Packets

A network packet is a unit of data transmitted over a network for communication. It contains
control information in a header and user data. The header of the packet contains the address of
the packet’s source and its destination; the payload is the body of the packet storing the
original content. The header and the payload of a packet can contain malicious content sent by
attackers. Capturing these packets before they enter their final destination is an efficient way to
detect such attacks.

Module 07 Page 838 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

IDS Components
An IDS system is built on various components.
@ Knowledge of their functions and placement
is required for effective IDS implementation

IDS Components

-! P
Network Sensors

Alert Systems

Command Console

Response System
s —

Attack Signature Database

]
Copyright © by L All Rights Reserved. Reproductionis Strictly Prohibited

IDS Components
An IDS system is built on various components. Knowledge of their functions and placement is
required for effective IDS implementation. These components are used to collect information
from a variety of systems and network sources, and then analyze the information for any
abnormalities. Major components of an IDS are listed below.
IDS Components

|
l
Network Alert
|
Command
l
Response Attack Signatures
|
Sensors Systems Console System Database

Figure 7.74: IDS Components

Network sensors: These agents analyze and report any suspicious activity.
= Analyzer: It analyzes the data collected by the sensors.
= Alert systems: These systems trigger alerts when detecting malicious activity.
= Command console: It acts as an interface between the user and the IDS.

= Response system: An IDS uses this system to initiate countermeasures on detected
activities.

= Database of attack signatures or behaviors: A list of previously detected signatures
stored in a database that assist the IDS in intrusion detection.

Module 07 Page 839