#1) What types of intrusion detection have been implemented in your organization? If you do not work for an organization, research different types of intrusion detection and describe how they work.
#2) A company has suffered a data breach. Investigators are able to establish exactly when the data breach occurred, but on checking the IDS logs, no evidence of the breach is present. What type of intrusion detection error condition is this?
Question #1)
I do not work for an organization. An Intrusion Detection System (IDS) is typically implemented as software: an automated system that monitors and analyzes network activity. IDSs are generally placed between external networks, such as the public Internet, and an organization's internal (corporate) network; specifically, they are placed behind the firewall at the edge of the network. One type of IDS, the Network Intrusion Detection System (NIDS), uses components called sensors that are placed at choke points in the network for monitoring, such as the De-Militarized Zone (DMZ) or the network borders.
An IDS (Intrusion Detection System) is by far one of the most valuable tools in network security for detecting intrusions. It can locate and identify malicious activity on the network by examining network traffic in real time, providing visibility unrivaled by any other detective control.
* It matches the right tool to the job: it is the system designed specifically to detect attack techniques.
* IDSs are available in network and host forms, so they can detect attacks at both the network level and the host level.
* HIDS: A Host Intrusion Detection System is installed as an agent on the machine to be protected and monitored, observing attack behavior and techniques at the host level and acting accordingly.
* NIDS: A Network IDS, on the other hand, examines the traffic between hosts at the network level, looking for patterns or signatures of nefarious (criminal) behavior, i.e. attack techniques. The IDS acquires new signatures in order to detect the latest threats.
Every environment is different, and determining what is normal for the network allows the analyst to focus on anomalous and potentially malicious behavior. This saves time and brings real threats to the surface for remediation. Hence, the placement of the IDS device in the network is an important consideration in detecting attack techniques.
For the highest visibility into attack techniques and their behavior, IDSs are mostly deployed behind the firewall at the edge of the network. However, this placement also excludes traffic that occurs between internal hosts.
An example is Suricata, which is open-source software. It delivers real-time intrusion detection, intrusion prevention, and network monitoring.
Basically, an IDS works by recognizing attack techniques through pattern matching, either on signatures or on the specific actions the attacks perform. This is called signature-based IDS or misuse detection: the IDS looks for behavior and traffic matching the patterns of known attacks.
Different types of IDS for recognizing attack techniques and remediating them:
There are four main types of Intrusion Detection System (IDS):
* Network Intrusion Detection System (NIDS).
* Host-based Intrusion Detection System (HIDS).
* Perimeter Intrusion Detection System (PIDS).
* Virtual Machine (VM)-based Intrusion Detection System (VMIDS).
A NIDS monitors the traffic to and from all devices on a network, scanning all inbound and outbound traffic.
A HIDS monitors the inbound and outbound packets of a single device only and alerts the user or administrator of any suspicious activity that has been detected.
A signature-based Intrusion Detection System (IDS) monitors data packets on the network and compares those packets against a database of signatures or attributes from known malicious threats.
An anomaly-based IDS monitors network traffic and compares it against an established baseline. The baseline identifies what is 'normal' for that network: what bandwidth is used, which protocols and ports are used, and which devices connect to each other. The IDS then alerts the administrator or user when traffic is detected that is anomalous, i.e. significantly different from the baseline.
A passive IDS simply detects suspicious or malicious traffic and alerts the administrator or user through an alerting system; it is then up to them to block the activity or respond in an appropriate way.
A reactive IDS detects suspicious or malicious traffic, alerts the administrators, and takes pre-defined actions to respond to the threat (the attack technique), such as blocking any further network traffic from the source IP address or user.
More specifically, an Intrusion Prevention System (IPS) combines reactive IDS detection with network-level and application-level filtering to proactively protect the network by stopping or resolving the attack.
Question #2)
Answer:
This is a "false negative" error condition, the most dangerous and serious IDS state: the IDS classifies the activity as acceptable behavior when in fact it is an attack. Because the IDS allowed the activity as acceptable, it did not record the activity in its logs, so the IDS logs hold no record of the attack and no evidence of the breach. Note also that a NIDS would not indicate whether the attack was successful. IDS sensor response actions can stop an attacker, but they do not stop a specific attack. This kind of incident can happen because IDS sensor response actions cannot stop email viruses and automated attackers such as computer worms. IDS sensors also cannot do anything about network evasion techniques and are vulnerable to them. IDSs cannot properly categorize attacks, and they cannot be trained in highly dynamic, ever-changing environments. Also, an IDS may be gradually trained by hackers, attackers, intruders, or other bad actors.
A NIDS will not be able to scan protocols or content if the network traffic is encrypted. A signature-based IDS cannot detect novel attacks.
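As an added illustration (not part of the original answer), the Python below contrasts the signature-based and anomaly-based detection described in Question #1 and shows the false-negative condition from Question #2: a source that investigators later identify as an attacker produced no signature match, so the signature IDS log is silent while an anomaly baseline still flags it. All IP addresses, payloads, the signature name and the baseline threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_port, payload); not real captures.
FLOWS = [
    ("10.0.0.5", 80, "GET / HTTP/1.1 User-Agent: Mozilla/5.0"),
    ("10.0.0.5", 80, "GET /about HTTP/1.1 User-Agent: Mozilla/5.0"),
    ("10.0.0.7", 443, "TLS ClientHello"),
    ("10.0.0.9", 80, "GET / HTTP/1.1 User-Agent: KnownScanner/1.0"),
    # One source touching many ports with bare SYNs: no known signature matches it.
] + [("10.0.0.11", p, "SYN") for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389)]

# Signature database (constructed): patterns for behaviour that is already known.
SIGNATURES = {"known-scanner-ua": re.compile(r"User-Agent: KnownScanner/")}

# Baseline learned from normal traffic (constructed): distinct ports one client touches.
BASELINE_MAX_DISTINCT_PORTS = 3


def signature_ids(flows):
    """Misuse detection: alert only when a payload matches a known signature."""
    return [(src, name) for src, _, payload in flows
            for name, rx in SIGNATURES.items() if rx.search(payload)]


def anomaly_ids(flows, max_ports=BASELINE_MAX_DISTINCT_PORTS):
    """Anomaly detection: alert when a source exceeds the baseline port spread."""
    ports = defaultdict(set)
    for src, port, _ in flows:
        ports[src].add(port)
    return [(src, "port-spread-anomaly") for src, ps in ports.items() if len(ps) > max_ports]


def false_negatives(alerts, attackers):
    """Attackers established after the fact that raised no alert: the IDS log is silent."""
    alerted = {src for src, _ in alerts}
    return sorted(attackers - alerted)


if __name__ == "__main__":
    sig = signature_ids(FLOWS)
    ano = anomaly_ids(FLOWS)
    attackers = {"10.0.0.9", "10.0.0.11"}  # what the investigators established (constructed)
    print("signature alerts:", sig)
    print("anomaly alerts:", ano)
    print("false negatives of signature IDS:", false_negatives(sig, attackers))
    print("false negatives with both engines:", false_negatives(sig + ano, attackers))
```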