🛡️ Understanding Intrusion Detection and Prevention Systems (IDS/IPS)

Intrusion Detection Systems (IDS) are critical security tools that detect attacks on computer systems. IDS solutions employ different approaches for detecting anomalies or recognizing attack patterns. Depending on the specific IDS software used, various sensors can be deployed across different points in an infrastructure.

Some IDS can even be extended to act as Intrusion Prevention Systems (IPS), enabling them to block further attack attempts or evict attackers post-compromise.

🧠 Detection Methods in IDS

IDS generally uses two major methods to identify intrusions

🧬 Pattern Recognition (Static Analysis)

Pattern recognition (or signature based detection) is a time tested approach that scans for known attack signatures. This method is highly reliable as long as the attack techniques are known and modeled.

• Antivirus programs are a classic example, scanning binaries for known malware signatures.
• Signature databases may include information about
  • File existence
  • Registry keys
  • Timestamps
  • Ownership data
  • File permissions

📌 Use Case: A web server managed via SSH is scanned for brute force login attempts using known usernames and passwords. Upon detection, rule sets can trigger defensive actions to block attackers.

🧾 Indicators of Compromise (IoCs)

Threat Intelligence includes the collection and analysis of Indicators of Compromise (IoCs) evidence that a system has been attacked or compromised.

Common IoCs based on STIX (Structured Threat Information Expression) include

• 🧱 Artifact
• 🌐 Domain Name
• 📂 Directory
• 📁 File
• 🧮 IPv4/IPv6 Address
• 🧑‍💻 User Account
• 🧵 Mutex
• 📨 Email Message
• 🔑 Windows Registry Key
• 🔗 URL

👤 Example

• If an attacker creates new accounts for persistence, you can define a User Account IoC with fields such as

1{
2"account_login": "backupadmin",
3"account_type": "admin",
4"user_id": "1337"
5}

You can then scan your directory services for users matching these patterns.

📈 Anomaly Detection (Dynamic Analysis)

Anomaly detection identifies deviations in network or system behavior based on dynamic profiles of legitimate activity.

Examples of Anomalies

• 🚨 New devices in the network that were not previously known
• 🔌 Unexpected communication between devices
• ⏰ Access outside working hours
• 📈 Use of new/unusual protocols

❗ Caveats

• Anomalies can also arise from legitimate events such as

  • Business growth
  • Users in different time zones
  • Shift changes

• Naive implementation of anomaly based IPS may trigger false positives, potentially causing disruptions.

🏠 Host Based Intrusion Detection Systems (HIDS)

Host Based IDS monitor activity on individual endpoints. They work by inspecting logs, processes, files, registry entries, and user behavior directly on the host machine.

Key Features of HIDS

• Data Collection Location: Deployed directly on each monitored host.
• Analysis Methods: Can be event based or continuous.
• Detection Capabilities
  • Examine logs for suspicious entries.
  • Inspect file hashes, ownership, and permissions.
  • Monitor user account anomalies.

🔍 Example Tool: GRR Rapid Response (by Google)

GRR enables remote forensic investigations by sending “hunts” to endpoints

1# Example hunt definition (simplified)
2hunt:
3name: "Search Explorer.exe Hash"
4target: "C:WindowsExplorer.exe"
5hash: "d41d8cd98f00b204e9800998ecf8427e"

GRR clients check in with a central server to receive these hunts and send back results. This allows for timely detection of compromised binaries or malicious file replacements.

✅ Pros and Cons

🌐 Network Based Intrusion Detection Systems (NIDS)

NIDS are deployed at strategic points in the network to monitor and analyze traffic. They detect threats based on packet metadata and optionally the contents of the traffic (payloads).

📊 Types of Data Used in NIDS

• Metadata (from IP, TCP, TLS headers)
  • IP addresses, ports, protocols
  • TLS certificate authorities
  • TCP sequence numbers
• Connection Content (when decryption is available)
  • HTTP headers and payload
  • Email attachments
  • DNS queries

🔐 NIDS in Action: Example Use Cases

1. Suspicious SSH Activity

• Frequent short lived SSH connections from an unknown IP range might indicate brute force attacks.

2. TLS Certificate Monitoring

• Sudden appearance of unknown certificate authorities can signal MITM or forged cert attempts.

3. DNS Query Monitoring

• Malware often uses domain generation algorithms (DGA) to evade detection

1hdyu382jd.com
2rfh3949ru.net

By analyzing DNS logs, you can detect abnormal domain resolution patterns.

4. Quantum Insert Detection

• By watching TCP sequence numbers and retransmission anomalies, NIDS can detect NSA style HTTP injection attacks.

🛡️ Data Leakage Prevention

NIDS can also prevent data leaks by inspecting

• File uploads
• Email attachments
• Outbound web requests with sensitive keywords

✅ Pros and Cons

🔐 Automated Intrusion Prevention

Much like host based systems such as Fail2ban, IDS solutions can automatically react to detected anomalies or malicious behavior. When operating in inline mode, an IDS not only monitors but also actively controls the data flow between network segments. This allows for immediate reactions, such as terminating a connection or blocking further attempts.

⚠️ Note: Inline mode can introduce latency depending on system performance, rule complexity, and network load. Comprehensive performance testing is crucial before deployment.

Alternatively, when IDS operates in monitor mode, it observes traffic via a switch’s mirror port and cannot intervene directly. However, integration with tools like iptables via plugins or custom scripts enables near real time defensive actions.

Walled Garden Strategy

The Walled Garden approach is adapted from captive portals seen in public Wi-Fi networks. When a suspicious host is identified, it is quarantined into a restricted network zone. This allows the user limited access (e.g., to the internet) while minimizing the risk of internal damage.

Benefits

• User continuity: The user can keep working with limited access.
• Live malware analysis: Systems remain operational for forensic analysis.

System Replacement

A common response to IDS alerts is to replace the affected system.

This is especially effective if

• User data is stored centrally.
• Applications are cataloged and easily reinstallable.
• Spare systems with updated images are readily available.

In virtualized environments (e.g., with diskless thin clients), this process is even easier simply delete and redeploy a clean VM. Avoid relying solely on snapshots, as modern malware often lies dormant for extended periods.

⚠️ Evasion Techniques

Attackers aim to evade or manipulate IDS to operate undetected. Effective evasion typically starts with reconnaissance and depends on the specific IDS deployment.

Static IDS Evasion Categories

• Insertion: Add extra data that the IDS sees but the target ignores (e.g., overlapping IP fragments).
• Evasion: IDS ignores parts that the target system still processes (e.g., comment stripping in scripts).
• Resource Exhaustion: Overload the IDS with traffic or complex regex to cause delays or failures.

Dynamic IDS Evasion

• Habituation: Gradually introduce harmless activity that mimics malicious behavior until it is ignored.

IDS must reconstruct and analyze full streams to be effective, which poses challenges in both performance and design. Understanding these limitations is essential for defenders and opportunities for attackers.

🧠 Choosing Between HIDS and NIDS

• Use HIDS when you need forensic level detail or suspect targeted attacks on specific endpoints.
• Use NIDS when visibility across infrastructure is needed, or to detect attacks moving laterally.

🧩 Best Practice: Combine Both

A layered security architecture integrates both IDS types, ensuring comprehensive threat coverage.