Industry statistics put the average time between an attacker gaining a foothold in a business system and that presence being detected at around 256 days. You can only imagine what an experienced attacker can do in that time. Intrusion detection is therefore a critical item: the sooner an attacker is detected, the less damage is done, and the later the detection, the more the damage multiplies. When an intrusion is detected quickly enough, the attacker can be identified and removed before the system is harmed. That is the topic I want to write about in this post.
Attack detection system
Don't think this is some particularly expensive and complicated technology. There are free solutions such as SNORT on the market as well as commercial ones. Let's start by looking at what an IDS is and what types exist.
An IDS (intrusion detection system) works from a copy of the traffic collected at a specific point on the network (typically a mirror/SPAN port or a network tap), and on that basis it can alert and notify a designated person that a potential attack is in progress. It analyses the collected traffic much like an antivirus program does: it has a database of signatures of known attacks, and if some traffic matches a signature, an attack is assumed to be under way. As with antivirus, an attack whose signature the system does not know will sometimes occur. For that case the system's behaviour is also monitored for departures from its normal behaviour (the baseline). The basic question then is what normal behaviour is for your system, and nobody can answer that except you. Specifically, the system has to learn what normal traffic looks like over a period of time, a minimum of 30-60 days. One caveat a practitioner should keep in mind: that learning period has to be free of compromise, because anything the attacker is already doing during it becomes part of the "normal" baseline and will never be flagged as an anomaly.
Network and host-based IDS
There are several types of IDS: one kind runs on each computer (client or server) and the other runs on the network. It is preferable to use a combination of both types to obtain better detection results. A network IDS (NIDS) is used mainly to detect anomalies in network traffic, while a host-based IDS (HIDS) is used to track specific files on the server or client itself. This is usually accomplished by installing an agent that hashes the files it deems critical; any change to any of those files, by any program, is detected and someone is alerted that the location or content of the file has changed. So in the case of HIDS, instead of network sensors, agents are installed on each of the computers.
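As an added example (not code from the post or from any HIDS product), here is the file-integrity part of a host agent in Python: take a SHA-256 baseline of a set of watched files, then compare later and report what was modified, added or removed. The file names, their contents and the "tampering" are all constructed inside a temporary directory so the example runs offline.

```python
"""Minimal HIDS-style file integrity check (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root, names):
    """Hash every watched file under root; a file that is absent is recorded as None,
    so its later appearance (e.g. a planted authorized_keys) is itself an event."""
    root = Path(root)
    return {n: (sha256_file(root / n) if (root / n).exists() else None) for n in names}


def compare(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]} relative to baseline.
    A write that leaves the content byte-identical produces no report entry."""
    report = {"modified": [], "added": [], "removed": []}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if old is None:
            report["added"].append(name)
        elif new is None:
            report["removed"].append(name)
        else:
            report["modified"].append(name)
    return report


def demo():
    """Constructed scenario: baseline, then simulated tampering, then compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "crontab").write_text("0 3 * * * /usr/bin/backup\n")
        watched = ["passwd", "sshd_config", "crontab", "authorized_keys"]
        base = take_baseline(root, watched)

        # Simulated attacker activity (constructed, not a real key):
        (root / "sshd_config").write_text("PermitRootLogin yes\n")        # weakened config
        (root / "authorized_keys").write_text("ssh-ed25519 AAAAC3 attacker\n")  # planted key
        (root / "crontab").unlink()                                         # backup job removed
        # Rewriting a file with identical content must NOT raise an alert:
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")

        return compare(base, take_baseline(root, watched))


if __name__ == "__main__":
    print(demo())
```

Two things a real agent adds on top of this: it records ownership, permissions and timestamps alongside the hash, and it stores the baseline off the host (or signs it), because an attacker with root can otherwise simply re-baseline after tampering.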
What is an IDS?
An IDS consists of three basic components:
- signature base
- sensors (these collect the data; one IDS can have multiple collection points in different locations)
- management console (the IDS management system)
So what is IPS?
An IPS (intrusion prevention system) works in much the same way as an IDS but has additional capabilities. Specifically, an IPS analyses the real traffic, not a copy as an IDS does. That is precisely what allows it to respond directly to an attack rather than only raise an alarm. In other words, unlike an IDS it sits inline and all traffic passes through it, which gives it the ability to block potentially dangerous traffic without human intervention, something an IDS cannot do. On the other hand, this makes it more demanding on hardware, and the device can become a bottleneck, since all traffic must pass through it and be analysed before it reaches our network. Being inline also changes what a mistake costs: a false positive no longer just produces a noisy alert, it blocks legitimate traffic, and an overloaded or failed inline device can take the link down with it, so whether it fails open or fails closed has to be a deliberate choice.
IPS or IDS?
This question is not easy to answer, but there is one rule that professionals in the field follow: every IPS should first spend some time in learning mode, i.e. IDS mode, and only after 30 or more days be switched to IPS mode. Note that IPS systems can also operate in IDS mode, and that switching from one mode to the other is a matter of configuration.
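As an added example (not code from the post, and not Snort's engine), here is a toy sensor in Python that ties together the signature and baseline ideas from the IDS section above and the IDS-versus-IPS distinction from this one: signature matching against known-bad patterns, an anomaly baseline learned over several days before any alerting starts, and then the same rule set run first in IDS mode (the sensor sees a copy of the traffic and can only alert) and then in IPS mode (inline, matching packets are dropped). The traffic, the signature names and the threshold are all constructed for the illustration.

```python
"""Toy IDS/IPS sensor (added example, constructed traffic)."""
from collections import Counter
from dataclasses import dataclass, field
import statistics

# Hypothetical signatures in the spirit of Snort content rules (not real rule IDs).
SIGNATURES = {
    "SQLI_UNION": b"UNION SELECT",
    "PATH_TRAVERSAL": b"../../",
    "SHELLSHOCK": b"() { :;};",
}


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass
class Sensor:
    mode: str = "learn"                 # "learn" -> "ids" -> "ips"
    k: float = 3.0                      # anomaly threshold, in standard deviations
    baseline: list = field(default_factory=list)   # per-source daily packet counts
    mean: float = 0.0
    stdev: float = 0.0
    alerts: list = field(default_factory=list)     # (mode, src, message)

    def learn_day(self, packets):
        """Learning mode: record per-source packet counts, alert on nothing."""
        self.baseline.extend(Counter(p.src for p in packets).values())

    def finish_learning(self, mode="ids"):
        """Freeze the baseline and start detecting; IDS mode first, as the text advises."""
        self.mean = statistics.mean(self.baseline)
        self.stdev = statistics.pstdev(self.baseline)
        self.mode = mode

    def signature_hits(self, pkt):
        return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]

    def is_anomalous(self, count):
        return count > self.mean + self.k * self.stdev

    def process_day(self, packets):
        """Return the packets that are forwarded. In IDS mode everything is forwarded
        (the sensor only ever saw a copy); in IPS mode signature hits are dropped."""
        if self.mode == "learn":
            raise RuntimeError("baseline not established; call finish_learning() first")
        forwarded = []
        for pkt in packets:
            hits = self.signature_hits(pkt)
            if hits:
                self.alerts.append((self.mode, pkt.src, "signature:" + ",".join(hits)))
                if self.mode == "ips":
                    continue                      # inline: drop instead of forward
            forwarded.append(pkt)
        # Rate anomalies are alert-only even in IPS mode: a statistical deviation is
        # far more likely to be a false positive than a signature match, and inline
        # a false positive means blocking legitimate traffic.
        for src, n in Counter(p.src for p in packets).items():
            if self.is_anomalous(n):
                self.alerts.append((self.mode, src,
                                    f"anomaly:{n} packets vs baseline {self.mean:.1f}+-{self.stdev:.1f}"))
        return forwarded


BENIGN = b"GET /index.html HTTP/1.1"


def make_day(counts, extra=()):
    """Constructed traffic: counts maps source IP -> number of benign packets."""
    pkts = [Packet(src, 80, BENIGN) for src, n in counts.items() for _ in range(n)]
    pkts.extend(extra)
    return pkts


def run_demo():
    s = Sensor()
    for day in [                     # five quiet learning days (constructed)
        {"10.0.0.1": 10, "10.0.0.2": 12, "10.0.0.3": 11},
        {"10.0.0.1": 9, "10.0.0.2": 11, "10.0.0.3": 10},
        {"10.0.0.1": 10, "10.0.0.2": 10, "10.0.0.3": 12},
        {"10.0.0.1": 11, "10.0.0.2": 9, "10.0.0.3": 10},
        {"10.0.0.1": 10, "10.0.0.2": 12, "10.0.0.3": 11},
    ]:
        s.learn_day(make_day(day))
    s.finish_learning("ids")

    attack_day = make_day(
        {"10.0.0.1": 10, "10.0.0.2": 11, "10.0.0.9": 50},   # 10.0.0.9 is far above baseline
        extra=[Packet("203.0.113.7", 80, b"GET /?id=1 UNION SELECT * FROM users")],
    )
    ids_out = s.process_day(attack_day)     # IDS mode: alerts, nothing dropped
    s.mode = "ips"                          # after the tuning period, go inline
    ips_out = s.process_day(attack_day)     # IPS mode: the SQLi packet is dropped
    return {"total": len(attack_day), "ids_forwarded": len(ids_out),
            "ips_forwarded": len(ips_out), "alerts": s.alerts,
            "threshold": s.mean + s.k * s.stdev}


if __name__ == "__main__":
    print(run_demo())
```

The 30-day rule from the text is what the learning phase stands for: a sensor switched straight into IPS mode has no baseline to compare against and no idea which of its signatures fire on your legitimate traffic. Running the same rules in IDS mode first lets you see exactly what would have been dropped before anything actually is.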
My recommendation is to use such a system, since there is a completely free solution, SNORT, that can be deployed. I should mention that the initial SNORT configuration is a little more complicated for beginners, so you may need a specialist's help to get the sensor started; after that everything is easy. Attack detection also provides a collection of information about the attack techniques being used against you, which can be used to quickly strengthen attack prevention.