Additional protection against cyber attacks

technical paper

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor a network, an individual network component or an entire server within an infrastructure and analyze the resulting traffic for signatures and patterns that may indicate a cyber attack. Used this way, a system can be hardened against attacks over the long term. This article shows what can be achieved with IDS and IPS.

How intrusion detection and prevention systems work

In a network, an IDS or IPS is typically placed between the firewall and the router as an additional security layer ("network-based IDS/IPS"). The system can also be installed on a server or other computer system ("host-based IDS/IPS"). Current-generation products are usually hybrid systems that combine host-based and network-based detection, because the two views complement each other and provide better coverage.

As a rule, these systems are combined with a Security Information and Event Management (SIEM) solution, which collects and correlates the alerts centrally.

The functionality of the detection system can be divided into three phases:

  1. Sensors collect log data (host-based IDS/IPS) or network traffic (network-based IDS/IPS) and extract the events to be examined.
  2. The observed events are compared with a database of known attack patterns (signatures).
  3. If an event matches a signature, an "intrusion warning" is triggered. One example would be an inbound e-mail carrying an attachment whose malware signature is in the database.

An intrusion prevention system differs from an intrusion detection system in that it sits inline and can actively intervene: it can drop malicious packets, terminate an existing dangerous connection, or modify data in transit so that it cannot cause (further) harm.
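The three phases above, and the difference between an IDS that only alerts and an IPS that also drops, can be shown in a few lines. The following is an added example and not code from the article or from any IDS/IPS product: the signature database, the "src|event" record format and the sample events are all constructed for illustration, and the regular expressions are deliberately small. Note the decoding step before comparison, without which the URL-encoded traversal attempt would slip past the plain-text signature.

```python
"""Three-phase signature-based IDS/IPS over constructed sample events.

Added example (not from the article): the signature database, the event
format and the sample events below are all constructed for illustration.
"""
import re
from urllib.parse import unquote

# Phase 2 input: signature database. Each entry maps a signature name to a
# regular expression describing a known attack pattern. Constructed examples.
SIGNATURE_DB = {
    "SIG-001 directory traversal": re.compile(r"\.\./\.\./"),
    "SIG-002 SQL injection (tautology)": re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
    "SIG-003 known-bad mail attachment": re.compile(r"attachment_sha256=0123456789abcdef"),
}

# Phase 1 input: what a sensor hands over. A network sensor would deliver
# decoded packets, a host sensor log lines; both are modelled here as
# "src_ip|event text" strings. Constructed sample events (hash is made up).
SAMPLE_EVENTS = [
    "10.0.0.5|GET /index.php?id=7",
    "10.0.0.9|GET /../../etc/passwd",
    "10.0.0.9|GET /%2e%2e/%2e%2e/etc/shadow",          # URL-encoded variant
    "10.0.0.7|POST /login user=admin' OR 1=1 --",
    "10.0.0.8|MAIL from=bob attachment_sha256=0123456789abcdef",
    "10.0.0.6|GET /search?q=harmless",
]


def normalize(event_text):
    """Decode URL escapes so an encoded attack cannot slip past a plain-text
    signature (one evasion the sensor must handle before comparison)."""
    return unquote(event_text)


def match_signatures(event_text):
    """Phase 2: compare one event against every signature in the database."""
    text = normalize(event_text)
    return [name for name, pattern in SIGNATURE_DB.items() if pattern.search(text)]


def process(events, mode="ids"):
    """Phases 1 to 3 for a stream of events.

    mode="ids": every event is forwarded; matches only raise alerts.
    mode="ips": events that match a signature are dropped as well.
    Returns (forwarded_events, alerts).
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    forwarded, alerts = [], []
    for event in events:                       # phase 1: sensor delivers events
        src, _, text = event.partition("|")
        hits = match_signatures(text)          # phase 2: compare with database
        if hits:                               # phase 3: intrusion warning
            alerts.append({"src": src, "signatures": hits, "event": text,
                           "action": "drop" if mode == "ips" else "alert"})
            if mode == "ips":
                continue                       # IPS: discard the packet/connection
        forwarded.append(event)
    return forwarded, alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        forwarded, alerts = process(SAMPLE_EVENTS, mode)
        print(f"{mode.upper()}: forwarded {len(forwarded)}, alerts {len(alerts)}")
        for alert in alerts:
            print("  ", alert["action"], alert["src"], alert["signatures"])
```

In IDS mode all six events reach their destination and four alerts are raised; in IPS mode the same four events are dropped and only the two benign requests are forwarded. A request that matches none of the three signatures passes in both modes, which is exactly the limitation discussed under the disadvantages further down.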


Detection methods of an IDS

There are basically three ways in which an IDS can detect suspicious activity:

  1. Signature-based detection
    With this simple method, observed events are compared against a database of known attack signatures. Only individual units, such as a single packet or a single log entry, are compared; the method is reliable for known attacks but cannot recognise new or slightly modified ones.
  2. Anomaly-based detection
    A profile of what is considered "normal" is defined or learned first. The observations made by the IDS are compared against this profile, and large deviations are treated as suspicious. The advantage over signature-based detection is that previously unknown threats can be detected, provided they show up as abnormal behaviour; the price is a higher rate of false positives.
  3. Stateful protocol analysis
    Here, profiles of which protocol activities are considered "good" are defined in advance, for example which commands may follow one another in a session and how long their arguments may be. Sessions that deviate from these profiles are flagged and examined more closely.
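Stateful protocol analysis is easiest to see on a protocol with a clear command sequence. The following is an added example rather than code from the article: it tracks a simplified SMTP session against a hand-written profile. The permitted state machine, the argument-length limits and the three sample sessions are assumptions made for illustration, and the message body after DATA is left out.

```python
"""Stateful protocol analysis of simplified SMTP command traces.

Added example, not from the article. The permitted state machine, the
argument-length limits and the sample sessions are assumptions that stand
in for a real protocol profile; the message body after DATA is omitted.
"""

# Profile of "good" behaviour: for each session state, the commands that may
# follow and the state they lead to. Assumed, simplified SMTP.
TRANSITIONS = {
    "start":     {"HELO": "greeted", "EHLO": "greeted"},
    "greeted":   {"MAIL": "sender", "QUIT": "closed"},
    "sender":    {"RCPT": "recipient"},
    "recipient": {"RCPT": "recipient", "DATA": "body"},
    "body":      {"MAIL": "sender", "QUIT": "closed"},
}

# Maximum argument length per command in the profile (assumed limits); an
# argument far beyond this is the classic sign of a buffer-overflow probe.
MAX_ARG_LEN = {"HELO": 255, "EHLO": 255, "MAIL": 320, "RCPT": 320}


def analyze_session(commands):
    """Walk one client's command sequence through the profile and return a
    list of deviations (an empty list means the session matches the profile)."""
    state = "start"
    findings = []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in MAX_ARG_LEN and len(arg) > MAX_ARG_LEN[verb]:
            findings.append(
                f"{verb}: argument length {len(arg)} exceeds profile ({MAX_ARG_LEN[verb]})"
            )
        next_state = TRANSITIONS.get(state, {}).get(verb)
        if next_state is None:
            findings.append(f"{verb} not expected in state '{state}'")
            continue  # keep the current state; an IPS would reset the connection instead
        state = next_state
    return findings


# Constructed sample sessions (lists of client commands).
SESSIONS = {
    "normal": ["EHLO mail.example.com", "MAIL FROM:<a@example.com>",
               "RCPT TO:<b@example.org>", "DATA", "QUIT"],
    "out_of_order": ["EHLO mail.example.com", "DATA", "QUIT"],       # DATA without MAIL/RCPT
    "overlong": ["HELO " + "A" * 600, "MAIL FROM:<a@example.com>"],  # 600-byte HELO argument
}

if __name__ == "__main__":
    for name, commands in SESSIONS.items():
        print(name, analyze_session(commands) or "OK")
```

Neither deviation would be caught by a signature on a single packet: the out-of-order DATA is a perfectly valid command on its own, and the long HELO argument contains no known exploit string. Both are only visible because the analyser remembers where the session is.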

Examples of suspicious activity include:

  • Port scanning: targeted probing of (open) ports on a server
  • Data theft: unusually large volumes of data leaving the system
  • Failed logins: repeated authentication failures recorded in security-relevant log files
  • Access to one or more network drives outside business hours
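All four activities in the list are anomaly-type detections: none of them is a single malicious packet, each is a deviation from expected volume, frequency or timing. The following is an added example and not code from the article; it runs four small detectors over constructed firewall, authentication and file-share logs. The log formats, the thresholds (20 distinct ports in 60 seconds, 5 failed logins in 60 seconds, 10 times the learned outbound volume, business hours 07:00 to 19:00 on weekdays) and the "normal" per-host traffic profile are all assumptions for illustration.

```python
"""Anomaly-based detection of port scans, data exfiltration, failed-login
bursts and off-hours share access over constructed sample logs.

Added example (not from the article). Log formats, thresholds and the
"normal" per-host traffic profile are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 12, 14, 0, 0)   # constructed reference time (a Tuesday)


def t(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed firewall log: (time, src, dst, dst_port, bytes_out)
CONN_LOG = (
    [(t(0), "10.0.0.5", "10.0.1.10", 443, 12_000),
     (t(5), "10.0.0.5", "10.0.1.10", 443, 8_000)]
    + [(t(10 + i), "10.0.0.77", "10.0.1.10", 1 + i, 60) for i in range(25)]  # 25 ports in 25 s
    + [(t(60), "10.0.0.23", "203.0.113.9", 443, 900_000_000)]               # ~900 MB outbound
)
# Learned profile: typical outbound bytes per host for the period (assumed).
BASELINE_BYTES = {"10.0.0.5": 50_000_000, "10.0.0.23": 20_000_000, "10.0.0.77": 1_000_000}

# Constructed authentication log: (time, user, src, success)
AUTH_LOG = [(t(i), "alice", "10.0.0.5", False) for i in range(8)] + [
    (t(9), "alice", "10.0.0.5", True),
    (t(30), "bob", "10.0.0.6", False),
    (t(31), "bob", "10.0.0.6", True),
]

# Constructed file-share access log: (time, user, share)
SHARE_LOG = [
    (datetime(2024, 3, 12, 9, 15), "alice", r"\\fs01\finance"),
    (datetime(2024, 3, 12, 23, 40), "svc-backup", r"\\fs01\finance"),  # 23:40 on a weekday
    (datetime(2024, 3, 12, 23, 41), "svc-backup", r"\\fs01\hr"),
    (datetime(2024, 3, 16, 11, 0), "carol", r"\\fs01\hr"),             # Saturday
]


def detect_port_scan(conn_log, window=timedelta(seconds=60), min_ports=20):
    """Flag a source that touches many distinct destination ports on one host
    within `window`. Returns [(src, dst, distinct_ports)]."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in conn_log:
        by_pair[(src, dst)].append((ts, port))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):        # sliding window per pair
            ports = {p for ts, p in events[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                hits.append((src, dst, len(ports)))
                break
    return hits


def detect_exfiltration(conn_log, baseline, factor=10):
    """Flag hosts whose outbound volume exceeds `factor` times their learned
    profile; a host with no profile at all is flagged on any traffic.
    Returns [(src, bytes_out, baseline_bytes)]."""
    total = defaultdict(int)
    for _, src, _, _, nbytes in conn_log:
        total[src] += nbytes
    return [(src, n, baseline.get(src, 0)) for src, n in total.items()
            if n > factor * baseline.get(src, 0)]


def detect_failed_logins(auth_log, window=timedelta(seconds=60), threshold=5):
    """Flag (user, src) pairs with at least `threshold` failures inside `window`."""
    failures = defaultdict(list)
    for ts, user, src, ok in auth_log:
        if not ok:
            failures[(user, src)].append(ts)
    hits = []
    for (user, src), times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for ts in times[i:] if ts - start <= window)
            if n >= threshold:
                hits.append((user, src, n))
                break
    return hits


def detect_off_hours_access(share_log, start_hour=7, end_hour=19):
    """Flag share access on weekends or outside start_hour..end_hour."""
    return [(ts, user, share) for ts, user, share in share_log
            if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)]


if __name__ == "__main__":
    print("port scans:     ", detect_port_scan(CONN_LOG))
    print("exfiltration:   ", detect_exfiltration(CONN_LOG, BASELINE_BYTES))
    print("failed logins:  ", detect_failed_logins(AUTH_LOG))
    print("off-hours access:", detect_off_hours_access(SHARE_LOG))
```

Each detector flags exactly one of the constructed anomalies (the scanning host, the 900 MB upload, alice's eight failures, and the three night-time or weekend share accesses) and nothing else. Tuning the thresholds is the hard part in practice: set them too tight and the false-positive problem mentioned under the disadvantages appears immediately.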

Use of intrusion detection and intrusion prevention systems

Intrusion detection systems are primarily intended to allow a network to be continuously monitored and logged in order to keep it secure. Recorded security incidents can then be handled appropriately by the responsible security administrator.

Some organisations also use such systems to verify that their internal security policies are being observed by users and that no violations occur in this area, for example through tampering with operating-system files. Host-based IDS/IPS is used for this purpose.


The main goal, however, is to record information about attackers who, among other things, gather information about the network while trying to break into the system. This allows threats to be detected early and countermeasures to be taken promptly.

Data protection considerations

Because these systems record and analyse network traffic and other data flows in the internal network, the data protection implications must be clarified before intrusion detection and intrusion prevention systems are introduced. A large amount of data is collected, and it must be ensured that it is recorded and processed only for a specific, defined purpose.

In recorded network traffic, often only information such as IP addresses and port numbers is collected; attributing these to specific individuals takes considerable effort. However, intrusion detection systems can also be misused in ways that violate data protection law, for example to monitor and analyse employee behaviour. This concern applies in particular to the internal use of host-based IDS/IPS.

To meet the legal requirements, the introduction of an IDS or IPS must be coordinated with the relevant experts (data protection officer, works council or staff council). Employees should be informed about the process and the intended use.

Advantages and Disadvantages of IDS and IPS Systems

The advantages of IDS and IPS systems include:

  • "Normal" firewalls only filter and block network traffic based on static rules; IDS and IPS detect, report and/or block an attempted attack.
  • The system responds to traffic according to the configured policies.
  • Details about the attack and the attack methods are recorded and can therefore be analysed more thoroughly (also for IT forensic investigations).
  • A single network sensor placed at a suitable point can monitor the entire network.

Disadvantages of using IDS and IPS systems:

  • An IDS or IPS is itself an active component in the network, i.e. it can be evaded, exploited or even disabled in a targeted attack.
  • Usually only known attack patterns/signatures are recognised and then blocked or reported.
  • Often too many false alarms (false positives) are generated, while attacks of an unknown nature are not recognised at all.

When should such a system be installed?

Basically, it makes sense to include an IDS or IPS in a network as an additional protective measure. However, the operating cost should not be overlooked.

To determine whether the effort of setting up and operating such a system outweighs its benefit, a needs analysis and a rough concept should be prepared before installation. These clarify whether the gain in security justifies the cost for the company. If the analysis comes to that conclusion, installing the system in the network infrastructure is worthwhile.
