CCCU

Week-9 Security Monitoring

Course Code: P19133

Course Name: Cybersecurity Fundamental 

Credits: 20

Module Leader: Ali Jaddoa
CSF-19133
CCCU


Security Monitoring

  • The first goal of a security program is to set the security posture of an organisation.


  • A security posture defines how an organisation documents initial configurations, monitors activity, and remediates any detected issues.

  • The primary purpose of monitoring is to detect abnormal behavior.

  • You can’t remediate behavior that you can’t detect!

  • Monitoring can be technical (ADS/IDS) or administrative (observation, CCTV, etc.).


Security Monitoring Cont'

  • Security monitoring must be obvious enough to discourage security breaches, but adequately hidden so as not to be overbearing.


Tools and Techniques for Security Monitoring

1. Baselines: Understanding 'Normal'

  • Importance of Baselines: To detect anomalies, establishing a baseline for normal behavior is essential.
  • Example: A sudden increase in disk usage may indicate a security issue if it deviates significantly from established norms.

2. Alarms, Alerts, and Trends

  • Alarms and Alerts: These are critical tools for notifying personnel about potential security incidents.
    • Alarms are triggered by more severe conditions requiring immediate attention.
    • Alerts may indicate minor issues or deviations that need monitoring but not immediate action.
  • Trends: Long-term monitoring to identify slow-developing threats based on observed trends.
  • Example: A door-open alert is routine unless it occurs outside of normal operating hours, which could then escalate to an alarm.
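The alert/alarm/trend distinction above can be expressed as a small triage routine. The code below is an added example written for these notes, not part of the original slides; the operating hours, the event types and the sample feed are all constructed assumptions for illustration.

```python
from collections import deque
from datetime import datetime, time

# Assumption of this example: "normal operating hours" for the door sensor.
OPERATING_HOURS = (time(8, 0), time(18, 0))


def classify_event(event_type: str, ts: datetime) -> str:
    """Return 'alarm' (immediate attention), 'alert' (needs monitoring) or 'info'."""
    if event_type == "door_open":
        start, end = OPERATING_HOURS
        # Routine during the day; escalated to an alarm outside operating hours.
        return "alert" if start <= ts.time() <= end else "alarm"
    if event_type == "failed_login":
        return "alert"
    if event_type == "intrusion_signature":
        return "alarm"
    return "info"


class TrendMonitor:
    """Counts events inside a sliding time window to spot a slow build-up."""

    def __init__(self, window_seconds: int, threshold: int):
        self.window = window_seconds
        self.threshold = threshold
        self.seen = deque()  # timestamps of recent events, oldest first

    def observe(self, ts: datetime) -> bool:
        self.seen.append(ts)
        # Drop anything that has fallen out of the window.
        while (ts - self.seen[0]).total_seconds() > self.window:
            self.seen.popleft()
        return len(self.seen) >= self.threshold


def triage(events):
    """events: list of (ISO timestamp, event type). Returns [(event type, severity)]."""
    login_trend = TrendMonitor(window_seconds=3600, threshold=3)
    result = []
    for iso, etype in events:
        ts = datetime.fromisoformat(iso)
        severity = classify_event(etype, ts)
        # Individually minor failed logins become an alarm once three land within an hour.
        if etype == "failed_login" and login_trend.observe(ts):
            severity = "alarm"
        result.append((etype, severity))
    return result


# Constructed sample feed (not real sensor data).
SAMPLE_EVENTS = [
    ("2024-03-04T10:15:00", "door_open"),      # during hours -> alert
    ("2024-03-04T23:40:00", "door_open"),      # out of hours -> alarm
    ("2024-03-05T09:00:00", "failed_login"),
    ("2024-03-05T09:20:00", "failed_login"),
    ("2024-03-05T09:45:00", "failed_login"),   # third in an hour -> trend alarm
]

if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print(item)
```

The same event type lands in different severities depending on context (time of day) and on history (the sliding window), which is exactly the alert-versus-alarm and trend reasoning the slide describes.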

3. Systems for Detecting Irregular Behavior

  • Intrusion Detection Systems (IDS): Monitor network traffic for signs of unusual or malicious activity.
  • Honeypots: Deliberately vulnerable systems designed to attract and analyse attacks, providing insights into attack methods and strategies.

Security Monitoring: Data

Data sources: host-based activity, and network and network-device activity (traffic, patterns, malware, and performance).

  • Real-time monitoring: information on what is happening as it happens.
    • Intrusion/Anomaly Detection System (I/ADS)
    • System Integrity Monitoring, e.g. Tripwire
    • Data Loss Prevention (DLP): use business rules to classify sensitive information to prevent unauthorised
  • Historical Logging: keeps historical records of activity.
    • Application logging
    • System logging
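The DLP bullet above describes classifying content by business rules. As an added illustration (not from the slides and not any DLP product's rule set), the following example applies two constructed rules to outbound text: a card-number rule that requires a Luhn-valid digit run, and a keyword rule. The messages are constructed.

```python
import re

# Constructed classification policy for this example, not any product's rule set.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators
KEYWORDS = ("confidential", "internal only")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs (order ids, phone numbers) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Return the list of rule names the text triggers (empty if nothing sensitive)."""
    reasons = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            reasons.append("card_number")
            break
    lowered = text.lower()
    reasons.extend("keyword:" + kw for kw in KEYWORDS if kw in lowered)
    return reasons


def dlp_decision(text: str):
    """Business rule: anything classified as sensitive is blocked from leaving."""
    reasons = classify(text)
    return ("block" if reasons else "allow", reasons)


# Constructed outbound messages.
MESSAGES = [
    "Please charge card 4111 1111 1111 1111 for the order",
    "Ticket ref 1234567890123 closed, thanks",
    "This memo is CONFIDENTIAL, do not forward",
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(dlp_decision(msg), msg)
```

The Luhn check is what keeps the second message from being a false positive: a thirteen-digit ticket reference matches the regex but fails the checksum, so the rule does not fire.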

Monitoring Issues

  • Too Much Information
    • Example: Wireshark producing excessive data logs.
  • Spatial Distribution
    • Example: Botnets using dispersed computers with different administrators.
  • Switched Networks
    • Example: Segmented network areas requiring individual monitoring.
  • Encryption
    • Example: Unencrypted data portions available in Data Link, Network, and Application layers.

Logging anomalies: distinguishing real attacks from noise or minor events

  • False positives (Type I errors): alerts that seem malicious yet are not real security events
    • They distract and waste effort, which leads to real attacks being ignored.
  • False negatives (Type II errors): failure of the control to catch suspicious behavior.
    • Often caused by wrong configurations.

Intrusion Detection System (IDS) 101

  • Monitoring solution that spots suspicious network incidents.

  • It monitors traffic that gets through the firewall to detect malicious activity.

  • IDS will not be detectable from the network


Intrusion Detection System (IDS) 101

  • Two main deployment locations exist for an IDS:

    • Host-based IDS (HIDS): deployed at the endpoint level and protects individual endpoints from threats.
    • Network-based IDS (NIDS): monitors and protects entire enterprise networks.


Intrusion Prevention System (IPS)

An IPS is network security hardware or software that continuously observes network behavior for threats, just like an intrusion detection system.

  • However, IPS goes one step ahead of IDS and automatically takes the appropriate action to thwart the detected threats:
    • reporting, blocking traffic from a particular source, dropping packets, or resetting the connection.

Some IPS solutions can also be configured to use a ‘honeypot’ (a decoy that contains dummy data) to misdirect attackers and divert them from their original targets that contain accurate data.


How IDS/IPS Works

  • Step 1: Data Collection
  • Step 2: Data Analysis
  • Step 3: Response

Step 1: Data Collection

  • Network traffic (captured with tools such as Wireshark or Snort)
  • System Logs
  • Other sources: Data is collected from network devices, firewalls, system logs, and application logs.

Step 2: Data Analysis

Some IDSs compare network packets and addresses to rules, whereas others look at the frequency and type of activity.

  1. Pattern- or signature-based IDSs
    • Compares information collected against a database of known threat signatures.


Pattern- or signature-based IDSs: Cont'

  • Find network and host traffic patterns that match known signatures

  • Advantage: Many attacks have distinct signatures

  • Disadvantages:

    • The IDS’s signature database must be updated to keep pace with new attacks
    • Malicious code authors intentionally use tricks to fool these IDSs
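The following is an added example, not code from the slides or from Snort, of what a signature-based comparison looks like: each signature ties a byte sequence to a service port, and each packet payload is checked against the database. The signature ids, the patterns and the captured packets are all constructed for the illustration. Decoding and case-folding the payload before matching is one defensive answer to the "tricks" disadvantage: a percent-encoded or mixed-case copy of a known pattern still hits the same signature.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int                 # constructed ids for this example, not Snort SIDs
    name: str
    dst_port: Optional[int]  # None means "any port"
    pattern: bytes           # byte sequence associated with the known threat


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


# Constructed signature database.
SIGNATURES = [
    Signature(1001, "directory traversal in HTTP request", 80, b"../../"),
    Signature(1002, "SQL injection marker in HTTP request", 80, b"union select"),
    Signature(1003, "constructed malware marker (any port)", None, b"xmarker-42"),
]


def normalise(payload: bytes) -> bytes:
    """Decode %XX escapes and case-fold so trivially re-encoded payloads still match."""
    return unquote_to_bytes(payload).lower()


def match_packet(packet: Packet, sigs=SIGNATURES) -> List[int]:
    """Return the ids of every signature the packet matches (port filter first, then bytes)."""
    body = normalise(packet.payload)
    hits = []
    for sig in sigs:
        if sig.dst_port is not None and sig.dst_port != packet.dst_port:
            continue
        if sig.pattern.lower() in body:
            hits.append(sig.sid)
    return hits


def scan(packets, sigs=SIGNATURES):
    """Return [(src, [sids])] for the packets that triggered at least one signature."""
    findings = []
    for p in packets:
        hits = match_packet(p, sigs)
        if hits:
            findings.append((p.src, hits))
    return findings


# Constructed capture (not real traffic).
CAPTURE = [
    Packet("10.0.0.5", 80, b"GET /..%2F..%2Fetc/passwd HTTP/1.1"),    # percent-encoded traversal
    Packet("10.0.0.6", 443, b"GET /../../x HTTP/1.1"),               # wrong port for signature 1001
    Packet("10.0.0.7", 80, b"id=1 UNION SELECT password FROM users"),  # mixed case
    Packet("10.0.0.8", 8080, b"hello XMARKER-42"),                    # any-port signature
]

if __name__ == "__main__":
    for src, sids in scan(CAPTURE):
        print(src, sids)
```

Note that the second packet carries the traversal bytes but is not reported, because the signature is bound to port 80; whether a port binding is a precision gain or a blind spot depends on the service being protected, which is part of why signature databases need continual tuning.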


Step 2: Data Analysis

2. Statistical anomaly-based IDS:

Statistical anomaly-based IDSs sample network activity and compare it to “known normal” traffic.

  • IDS sounds alarm when activity is outside baseline parameters.
  • Advantage: IDS can detect new types of attacks
  • Disadvantages:
    • Requires more overhead, compute power than signature-based IDSs
    • May generate many false positives
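This added example (written for these notes, not from the slides) covers both the baseline idea from "Understanding 'Normal'" and the statistical anomaly-based IDS described here: a baseline is summarised as mean and standard deviation of a quiet period, and later observations are flagged when they fall more than k standard deviations away. The connection counts are constructed; comparing two thresholds shows the false-positive trade-off the slide mentions.

```python
import statistics
from typing import List, Tuple


def build_baseline(samples: List[float]) -> Tuple[float, float]:
    """Summarise 'known normal' activity as (mean, population standard deviation)."""
    return statistics.mean(samples), statistics.pstdev(samples)


def z_score(value: float, baseline: Tuple[float, float]) -> float:
    """How many standard deviations the value sits from the baseline mean."""
    mean, stdev = baseline
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def detect(values: List[float], baseline: Tuple[float, float], k: float = 3.0) -> List[int]:
    """Indices of observations more than k standard deviations from the baseline mean."""
    return [i for i, v in enumerate(values) if abs(z_score(v, baseline)) > k]


# Constructed: outbound connections per minute from one host during a quiet week.
BASELINE_SAMPLES = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]
# Constructed: today's readings; index 4 is a clear burst, index 6 a mild bump.
TODAY = [50, 49, 55, 51, 120, 48, 60]


def compare_thresholds(values=TODAY, samples=BASELINE_SAMPLES):
    """Show the trade-off: a tight threshold catches more but also flags mild bumps."""
    baseline = build_baseline(samples)
    return {k: detect(values, baseline, k) for k in (3.0, 5.0)}


if __name__ == "__main__":
    print("baseline (mean, stdev):", build_baseline(BASELINE_SAMPLES))
    print("flagged indices by threshold:", compare_thresholds())
```

With k = 3 the mild bump at index 6 is flagged alongside the burst, which may be a false positive; with k = 5 only the burst remains, at the cost of missing smaller deviations. Choosing k is the tuning decision that trades Type I against Type II errors, and no signature database is involved, which is why the approach can notice attacks it has never seen.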

Step 2: Data Analysis: Other approaches

  1. Machine Learning and AI in IDS:
    Utilises advanced algorithms to enhance detection capabilities, adaptively learning from new data to identify emerging threats without conventional signatures.

Scenario: A financial services company implements an AI-driven IDS that uses machine learning algorithms to monitor and analyse credit card transaction data. The system learns from historical transaction patterns and is trained to detect anomalies, such as unusually large transactions or a high volume of transactions in a short time, which could indicate fraud.

Action: When the IDS detects such anomalous transactions, it automatically flags them for review and sends alerts to the fraud prevention team. Additionally, if the system is highly confident in the detection based on the learned patterns, it can temporarily suspend transactions pending further investigation.

Step 2: Data Analysis: IDS operation

  • Network-based intrusion detection system (NIDS)
    • Resides on a computer or appliance connected to a segment of an organisation’s network
    • Looks for attack patterns for detection
    • Accomplished via a particular implementation of the TCP/IP stack:
      • Protocol stack verification: look for invalid packets
      • Application protocol verification: look at higher-order protocols for unexpected behavior or improper use

Step 2: Data Analysis: IDS operation

  • Host-based IDS (HIDS)
    • A HIDS runs on a particular computer and monitors activity only on that system
    • Benchmarks and monitors key system files; detects intruders’ file I/O
    • HIDSs work on the principle of configuration management
    • Unlike NIDSs, HIDSs can be installed to access information that is encrypted in transit over the network

Step 2: Data Analysis: IDS operation

Application-based systems (AppIDS)

  • Looks at applications for abnormal events
  • AppIDS may be configured to intercept requests:
    • File System
    • Network
    • Configuration
    • Process's Virtual Memory Address Space

IDS Control Strategies


Measuring Effectiveness of IDSs

Key Performance Metrics

  • Detection Rate: Measures the percentage of attacks detected from a known set of probes or attack vectors.

    • Example: At a network speed of 1 Gbps, the IDS detected 95% of directed attacks.
  • Bandwidth Threshold: Indicates the network bandwidth at which the IDS's performance begins to degrade or fail.

    • Example: The IDS maintains effective performance up to 1 Gbps but may falter at higher speeds due to processing limits.
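The detection rate and bandwidth threshold metrics here, together with the Type I / Type II error definitions from the logging-anomalies slide, can be computed from a labelled test run. The following is an added example for these notes (not from the slides): each record says whether a probe really was an attack and whether the IDS alerted, and the same test set is replayed at several constructed load levels to locate the point where detection starts to degrade. The per-load results are constructed to illustrate the shape of the metric, not measurements of any product.

```python
from typing import Dict, List, Optional, Tuple

# A record is (is_attack, ids_alerted).
Record = Tuple[bool, bool]


def confusion(records: List[Record]) -> Tuple[int, int, int, int]:
    """Return (true positives, false positives, false negatives, true negatives)."""
    tp = sum(1 for atk, alerted in records if atk and alerted)
    fp = sum(1 for atk, alerted in records if not atk and alerted)   # Type I errors
    fn = sum(1 for atk, alerted in records if atk and not alerted)   # Type II errors
    tn = sum(1 for atk, alerted in records if not atk and not alerted)
    return tp, fp, fn, tn


def metrics(records: List[Record]) -> Dict[str, float]:
    tp, fp, fn, tn = confusion(records)
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,        # share of attacks caught
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,   # Type I rate
        "false_negative_rate": fn / (tp + fn) if tp + fn else 0.0,   # Type II rate
        "precision": tp / (tp + fp) if tp + fp else 0.0,             # share of alerts that were real
    }


def bandwidth_threshold(runs: Dict[int, List[Record]], min_rate: float = 0.9) -> Optional[int]:
    """Highest load (Mbps) at which the detection rate still meets min_rate, else None."""
    acceptable = [load for load, recs in sorted(runs.items())
                  if metrics(recs)["detection_rate"] >= min_rate]
    return max(acceptable) if acceptable else None


# Constructed replay of 20 attacks and 80 benign probes at three load levels.
RUNS: Dict[int, List[Record]] = {
    500: [(True, True)] * 20 + [(False, False)] * 78 + [(False, True)] * 2,
    1000: [(True, True)] * 19 + [(True, False)] * 1 + [(False, False)] * 77 + [(False, True)] * 3,
    2000: [(True, True)] * 12 + [(True, False)] * 8 + [(False, False)] * 80,
}

if __name__ == "__main__":
    for load, recs in sorted(RUNS.items()):
        print(load, "Mbps:", metrics(recs))
    print("bandwidth threshold (Mbps):", bandwidth_threshold(RUNS))
```

The detection rate alone does not tell the whole story: at 500 Mbps the constructed IDS catches everything but raises two false positives, and at 2 Gbps it drops to 60 percent because it misses attacks (false negatives), not because it alerts wrongly. Reporting both rates is what lets an operator see which kind of error the load is causing.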

Measuring Effectiveness of IDSs

Testing and Verification

  • Vendor Test Suites:

    • Many IDS vendors provide specific test suites that can be used to verify the effectiveness of their systems.
  • Common Test Methods:

    • Real Packet Traces: Record and retransmit real packet traces from known viruses or worms to simulate typical network traffic during an attack.

Honeypots, Honeynets, and Padded Cell Systems

Honeypots: decoy systems designed to lure potential attackers away from critical systems

  • Divert attacker from accessing critical systems
  • Gather information about attacker’s activity
  • Encourage attacker to linger so admins can document event, respond
    • E.g., a fake login page capturing attacker credentials.

Honeypots, Honeynets, and Padded Cell Systems

Honeynets: collection of honeypots connected in a subnet.

  • Mimic a range of systems and applications
  • Useful to analyse large-scale threats and attacker behaviors.

  • E.g., a simulated corporate network with fake email servers, file shares, and user accounts.


Honeypots, Honeynets, and Padded Cell Systems

Padded cell: honeypot protected in order to hinder compromise.

  • Typically works in tandem with traditional IDS
  • When IDS detects attackers, it transfers them to “special environment” where they cannot cause harm (hence the name)
  • Uses deception technology to engage attackers
    • E.g., redirecting an attacker who attempts to exploit a web application vulnerability to a virtual server designed for observation.

Honeypots, Honeynets, and Padded Cell: comparison

Feature           | Honeypots                   | Honeynets                     | Padded Cell Systems
Complexity        | Simple or advanced          | Complex                       | Integrated with IDS
Purpose           | Attract and analyse attacks | Simulate full network attacks | Isolate detected intruders
Interactivity     | Low to High                 | High                          | High
Risk of Detection | Moderate                    | Higher (more realistic)       | Low (stealthy)

Lab

  1. Snort Lab

  • Scan packets for specific byte sequences associated with known threats, often linked to specific services and ports.