Ch8 - 8.02 - Using Intrusion Detection Systems Flashcards

1
Q

Intrusion Detection System (IDS)

A

An intrusion detection system (IDS) is responsible for monitoring activity on a system or network and then logging or notifying the administrator of any suspicious activity.

2
Q

Different Methods That an IDS Uses to Determine If There Is Suspicious Traffic

A
  1. Signature-Based Systems
  2. Anomaly-Based Systems
  3. Heuristic Analysis

Remember that a signature-based system determines suspicious activity based on the signatures in a file that you would need to program or keep up to date.

An anomaly-based system determines malicious activity based on the activity being abnormal.

Heuristic analysis monitors the activity and knows what is suspicious based on past events.

3
Q

Signature-Based Systems

A

With a signature-based IDS, the IDS has a signature file that lists what is considered suspicious activity. When the IDS captures activity, it compares the activity against the signature database, and if there is a match, it sends out notification of an intrusion.

Pros:
The benefit of a signature-based system is that it has few false positives—meaning minimal false alarms—because a signature-based system bases everything on the signatures that you configured on the system. Because you are looking for specific activity, you will have a limited number of false alarms.

Cons:

4
Q

Anomaly-Based Systems

A

An anomaly-based system understands what is considered normal activity (a baseline) and then considers anything outside that normal activity to be “suspicious” activity. The anomaly-based monitoring system typically determines the baseline from the behavior of the person using the system. This is known as a behavior-based anomaly monitoring system.

Pros:
The benefit of the behavior-based anomaly system is that you do not need to configure a definition file of known suspicious activity; the system learns what is normal based on the users’ activity.

Cons:
The drawback of a behavior-based system is that anything outside the norm is considered suspicious, which results in a large number of false alarms (false positives).

5
Q

Heuristic Analysis

A

Heuristic analysis is an analysis type that identifies malicious activity based on rules generated by the vendor that are stored in a database and then used by the detection software.

The vendor rules are created based on past experiences with malicious activity. Heuristic analysis is a popular approach with antivirus software. With virus detection, the goal of heuristic analysis is to detect new viruses that are unknown.

The virus protection software typically runs the program in an isolated area known as a virtual machine. The virus protection software then analyzes everything the program does when it executes and compares the activity to past experiences. For example, the antivirus software may look for malicious activity such as file overwrites or signs the program is replicating itself or trying to hide itself.

6
Q

Types of IDS

A
  1. Host-Based IDS
  2. Network-Based IDS

7
Q

Host-Based IDS

A

A host-based IDS (HIDS) is installed on a single system and monitors activity on that system. The host-based IDS identifies suspicious activity by monitoring areas such as memory, system files, log files, and network connections, to name only a few.

8
Q

Network-Based IDS

A

A network-based IDS (NIDS) can be installed as its own network device or as software on a system. Either way, the NIDS analyzes all traffic that travels across the network. The NIDS analyzes the network traffic and looks for suspicious activity, logs the details of the activity, and sends out an administrative alert.

If the traffic is encrypted, the network-based IDS will be unable to monitor the traffic.

9
Q

Components of a Network-based IDS

A
  1. Sensors
    1a. A Collector
  2. Analysis Engine
  3. Console
10
Q

False Positive

A

A false positive is when the IDS states there was suspicious activity (positive), but in reality, there was not (a false assumption).

In simple terms, the IDS reports suspicious activity but none occurred.

11
Q

False Negative

A

A false negative is when the IDS does not see any suspicious activity, and again that was false—there really was some!

In simple terms, the IDS fails to detect suspicious activity that actually occurred and thus doesn’t report it.

12
Q

Honeypots

A

A honeypot is a system that is placed on the private network, or in a DMZ, and is designed to lure the hacker away from production systems and to the honeypot. The hacker spends time trying to hack into the honeypot, but all the while, you are logging the activity and having the host-based IDS installed on the honeypot send you notification of the hacker’s existence!

Most companies make the mistake of not securing the honeypot because they want the hacker to break into the honeypot, but if you make it too easy for the hacker to compromise the honeypot, the hacker may walk away, sensing a trap. It is critical that you challenge the hacker by hardening the honeypot and that you implement security controls to make the system appear as if it may have value.

13
Q

Honeynet

A

A honeynet is an entire network that is designed to appear as a production network, but is solely there to lure the hacker away from the real production network.
