There’s plenty of malware floating around out there on the Internet. Thankfully, there are many protection measures available. Some of them, such as antivirus products are designed to be run on a per-device basis and are ideal for individuals with a small number of devices. Antivirus software is also useful in large enterprise networks. One of the issues there, however, is simply the number of devices that then have antivirus software running that only reports on the machine. An enterprise network really wants to have reports of antivirus incidents to be centralised. What is an advantage for home users is a weakness for enterprise networks.
Going beyond antivirus
To take things further a different approach is needed. This approach is referred to as an IDS or Intrusion Detection System. There are many different variations on the IDS, many of which can complement each other. For example, an IDS can be tasked to monitor a device or network traffic. A device monitoring IDS is referred to as HIDS or Host(-based) Intrusion Detection System. A network monitoring IDS is known as a NIDS or Network Intrusion Detection System. A HIDS is similar to an antivirus suite, monitoring a device and reporting back to a centralised system.
A NIDS Is generally placed in a high-traffic area of the network. Often this will be either on a core network/backbone router or at the boundary of the network and its connection to the Internet. A NIDS can be configured to be inline or in a tap configuration. An inline NIDS can actively filter traffic based on detections as an IPS (a facet we’ll come back to later), however, it acts as a single point of failure. A tap configuration basically mirrors all network traffic to the NIDS. It can then perform its monitoring functions without acting as a single point of failure.
An IDS typically uses a range of detection methods. The classic approach is exactly what is used in antivirus products; signature-based detection. In this, the IDS compares the observed software or network traffic to a huge array of signatures of known malware and malicious network traffic. This is a well-known and generally fairly effective way of countering known threats. Signature-based monitoring, however, isn’t a silver bullet. The problem with signatures is that you need to first detect the malware to then add its signature to the comparison list. This makes it useless in detecting new attacks and vulnerable to variations on existing techniques.
The main alternative method an IDS uses for identification is anomalous behaviour. Anomaly-based detection takes a baseline of standard usage and then reports on unusual activity. This can be a powerful tool. It can even highlight a risk from a potential rogue insider threat. The main issue with this is that it needs to be tuned to the baseline behaviour of each system which means it must be trained. This means that if the system is already compromised while the IDS is being trained, it won’t see the malicious activity as unusual.
A developing field is the use of artificial Neural Networks to perform the anomaly-based detection process. This field shows promise but is still fairly new and likely faces similar challenges to the more classic versions of anomaly-based detection.
Centralisation: A curse or a blessing?
One of the key features of an IDS is centralisation. It allows a network security team to collect live network and device status updates. This includes a lot of information, most of which is “everything is fine”. To minimise the chances of false negatives, i.e. missed malicious activity, most IDS systems are configured to be very “twitchy”. Even the slightest hint of something being off is reported. Often this report then has to be triaged by a human. If there are many false positives, the responsible team can be quickly overwhelmed and face burnout. To avoid this, filters may be introduced to reduce the sensitivity of the IDS, but this increases the risk of false negatives. Additionally, the team triaging the reports must be kept well enough staffed to handle legitimate incidents at a moment’s notice while also facing the general humdrum of a high-false positive ratio.
Centralising the system also often involves adding a complex SIEM system. SIEM stands for Security Information and Event Management system. It typically involves an array of collection agents around the network gathering reports from nearby devices. These collection agents then feed the reports back to the central management system. The introduction of a SIEM does increase the network threat surface. Security systems are often fairly well secured, but this is not a guarantee, and they may themselves be vulnerable to infection by malware that then prevents itself from being reported. This, however, is always a risk for any security system.
Automating responses with an IPS
An IDS is basically a warning system. It looks for malicious activity and then throws alerts to the monitoring team. This means that everything is looked over by a human but this comes at the risk of delays, especially in the case of a burst of activity. For example. Imagine if a ransomware worm manages to get into the network. It may take some time for the human reviewers to identify an IDS alert as legitimate by which point the worm may well have spread itself further.
An IDS that automates the process of acting on high-certainty alerts is called an IPS or an IDPS with the “P” standing for “Protection”. An IPS takes automated action to try to minimise the risk. Of course, with the high false-positive rate of an IDS you don’t want an IPS to act on every alert, only on ones that are deemed to have a high certainty.
On a HIDS, an IPS acts like an antivirus software quarantine function. It automatically locks down the suspected malware and alerts the security team to analyse the incident. On a NIDS, an IPS must be inline. This means that all traffic needs to run through the IPS, making it a single point of failure. Conversely, however, it can actively remove or drop suspicious network traffic and alert the security team to review the incident.
The key advantage of an IPS over a pure IDS is that it can automatically respond to many threats much faster than could be achieved with only human review. This allows it to prevent things like data exfiltration events as they’re happening rather than just identifying that it has happened after the fact.
An IDS has several limitations. The signature-based detection functionality is reliant on up-to-date signatures, making it less effective at catching potentially more dangerous novel malware. The false positive rate is generally really high and there can be large periods of time between legitimate issues. This can lead to the security team becoming desensitised and blasé about alarms. This attitude increases the risk that they miscategorise a rare true positive as a false positive.
Network traffic analysis tools typically use standard libraries to analyse the network traffic. If the traffic is malicious and exploits a flaw in the library, it may be possible to infect the IDS system itself. Inline NIDS act as single points of failure. They need to analyse a large volume of traffic very quickly and if they can’t keep up, they must either drop it, causing performance/stability issues, or allow it through, potentially missing malicious activity.
Training an anomaly-based system requires the network to be safe in the first place. If there is already malware communicating on the network, this will be included as normal in the baseline and ignored. Additionally, the baseline can be slowly expanded by a malicious actor simply taking their time in pushing the boundaries, stretching them rather than breaking them. Finally, an IDS can’t on its own, analyse encrypted traffic. To be able to do this, the enterprise would need to Man in the Middle (MitM) the traffic with a corporate root certificate. This has in the past introduced its own risks. With the percentage of modern network traffic that remains unencrypted, this can somewhat limit the usefulness of a NIDS. It is worth noting that even without decrypting the traffic, an anomaly-based detection system may be able to highlight potential issues.
An IDS is an Intrusion Detection System. It’s basically a scaled-up version of an antivirus product designed for use in enterprise networks and featuring centralised reporting through a SIEM. It can operate both on individual devices and monitor general network traffic in variants known as HIDS and NIDS respectively. An IDS suffers from very high false positive rates in an effort to avoid false negatives. Typically, reports are triaged by a human security team. Some actions, when detection confidence is high may be automated and then flagged for review. Such a system is known as an IPS or IDPS.