What is a network intrusion?
A network intrusion is any unauthorised activity on a computer network. Detecting an intrusion depends on having a clear understanding of network activity and common security threats. A properly designed and deployed network intrusion detection system and network intrusion prevention system can help block intruders who aim to steal sensitive data, cause data breaches, and install malware.
Common network threats and vulnerabilities include:
- Malware: Malware, or malicious software, is any program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses, spyware, adware and ransomware. Read our full post on malware here.
- Social engineering attacks: Social engineering is an attack vector that exploits human psychology and susceptibility to manipulate victims into divulging confidential information and sensitive data or performing an action that breaks usual security standards. Common examples of social engineering include phishing, spear phishing, and whaling attacks. Read our full post on social engineering here.
- Outdated or unpatched software and hardware: Outdated or unpatched software and hardware can carry known vulnerabilities like those listed in the CVE database. A vulnerability is a weakness that a cyber attack can exploit to gain unauthorised access to, or perform unauthorised actions on, a computer system. Wormable vulnerabilities, such as the SMB flaw exploited by the WannaCry ransomware, are particularly high risk because they spread from host to host without any user interaction. Read our full post on vulnerabilities for more information.
- Data storage devices: Portable storage devices like USB and external hard drives can introduce malware into your network.
What is an intrusion detection system (IDS)?
An intrusion detection system (IDS) is a device or software application that monitors a network or system for malicious activity and policy violations. Any malicious traffic or violation is typically reported to an administrator or collected centrally using a security information and event management (SIEM) system.
How does an intrusion detection system (IDS) work?
There are three common detection variants that IDS employ to monitor intrusions:
- Signature-based detection: Detects attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware. The term originates from antivirus software, which refers to these patterns as signatures. Signature-based IDS reliably detect known attacks, but they cannot detect new attacks for which no signature yet exists.
- Anomaly-based detection: Detects network and host intrusions and misuse by monitoring activity and classifying it as either normal or anomalous. This approach was developed to catch unknown attacks, partly in response to the rapid evolution of malware. The basic approach is to build a model of trustworthy activity, statistically or with machine learning, and compare new behaviour against it. Because the model is trained on the specific applications and hardware in use, it can flag attacks that no signature describes; the trade-off is more false positives than signature-based IDS, and a model that is only as good as the training data it was built from.
- Reputation-based detection: Flags traffic according to reputation scores attached to its source or contents, for example IP addresses, domains, URLs or file hashes that threat-intelligence feeds have associated with malicious activity. It cannot catch attacks from sources with no prior history, and scores go stale unless the feeds are kept current.
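To make the three detection variants concrete, here is an added Python example (not code from the original article or from any IDS product) that runs each method over a handful of constructed flow records: a small regex signature set, a statistical baseline that flags flows far above the learnt byte count, and a reputation lookup. The signatures, reputation scores, thresholds and sample flows are all hypothetical.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    """Constructed flow record standing in for what a NIDS sensor sees (not captured traffic)."""
    src_ip: str
    dst_port: int
    nbytes: int
    payload: bytes = b""


# Signature-based: hypothetical byte patterns known to appear in attack traffic.
SIGNATURES = {
    "sqli-tautology": re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

# Reputation-based: hypothetical threat-intelligence scores (0 = clean, 100 = known bad).
REPUTATION = {"203.0.113.9": 95, "198.51.100.4": 20}
REPUTATION_THRESHOLD = 80


def signature_alerts(flow):
    """Return the names of every signature that matches the flow payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(flow.payload)]


def reputation_alert(flow):
    """Return the reputation score if the source is at or above the threshold, else None."""
    score = REPUTATION.get(flow.src_ip, 0)
    return score if score >= REPUTATION_THRESHOLD else None


class AnomalyBaseline:
    """Statistical anomaly detection: learn mean/stdev of bytes per flow from a
    training set and flag flows more than z_threshold standard deviations above it."""

    def __init__(self, training_bytes, z_threshold=3.0):
        self.mean = statistics.mean(training_bytes)
        self.stdev = statistics.pstdev(training_bytes) or 1.0  # guard against a flat baseline
        self.z_threshold = z_threshold

    def is_anomalous(self, flow):
        return (flow.nbytes - self.mean) / self.stdev > self.z_threshold


def analyse(flows, baseline):
    """Run all three detectors; each alert is (source, method, detail)."""
    alerts = []
    for f in flows:
        for sig in signature_alerts(f):
            alerts.append((f.src_ip, "signature", sig))
        score = reputation_alert(f)
        if score is not None:
            alerts.append((f.src_ip, "reputation", score))
        if baseline.is_anomalous(f):
            alerts.append((f.src_ip, "anomaly", f.nbytes))
    return alerts


# Constructed training set: ordinary flows on this segment are roughly 1-2 KB.
TRAINING_BYTES = [1200, 1500, 1100, 1800, 1400, 1300, 1600, 1250]

# Constructed sample: one benign request, one SQL-injection probe, one flow from a
# poorly reputed address, and one oversized upload that matches no signature at all.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 80, 1400, b"GET /index.html HTTP/1.1"),
    Flow("192.0.2.11", 80, 1300, b"GET /login?user=admin' OR 1=1-- HTTP/1.1"),
    Flow("203.0.113.9", 22, 1200, b""),
    Flow("192.0.2.12", 80, 250000, b"POST /upload HTTP/1.1"),
]


def run_demo():
    return analyse(SAMPLE_FLOWS, AnomalyBaseline(TRAINING_BYTES))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Note what each method misses: the oversized upload is caught only by the baseline, the injection probe only by the signature, and the SSH connection only by reputation. A sensor running just one of the three has a blind spot that the others cover, which is why production IDS combine them.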
What are the different types of intrusion detection systems (IDS)?
IDS systems can range in scope from single computers to large networks and are commonly classified into two types:
- Network intrusion detection system (NIDS): A system that analyses network traffic. NIDS are placed at strategic points within a network, typically fed from a mirror (SPAN) port or a network tap, to monitor traffic to and from devices. A NIDS analyses all traffic passing on the monitored subnet and matches it against a library of known attacks. When an attack is identified, an alert can be sent to an administrator.
- Host-based intrusion detection system (HIDS): A system that runs on an individual host or device and monitors it. A HIDS inspects the packets entering and leaving the device and alerts the user or administrator if suspicious activity is detected. It also takes a snapshot of important system files and compares it against the previous snapshot; if a critical file has been modified or deleted, an alert is raised.
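The file-snapshot side of a HIDS is simple enough to show end to end. The following Python example is added here (it is not code from the article or from any HIDS product): it hashes every file under a directory, keeps the digests as a baseline, and reports files that were modified, deleted or added in a later snapshot. The directory tree and the simulated tampering are constructed inside a temporary folder so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Hash every regular file under root: the HIDS 'snapshot of existing system files'."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def compare(previous, current):
    """Return (event, path) alerts for files modified, deleted or added since the baseline."""
    alerts = []
    for rel, digest in previous.items():
        if rel not in current:
            alerts.append(("deleted", rel))
        elif current[rel] != digest:
            alerts.append(("modified", rel))
    for rel in current:
        if rel not in previous:
            alerts.append(("added", rel))
    return sorted(alerts)


def demo():
    # Constructed scratch tree standing in for monitored system files (not a real system).
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated tampering: an extra UID-0 account, a deleted file and a dropped binary.
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n"
        )
        (etc / "hosts").unlink()
        Path(root, "tmp_dropper.bin").write_bytes(b"\x7fELF")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:9s} {path}")
```

Real HIDS such as AIDE, Tripwire or OSSEC record more than a content hash (owner, mode, timestamps, inode) and, crucially, keep the baseline somewhere the monitored host cannot silently rewrite it, since an attacker with root can otherwise re-snapshot the system after tampering and erase the evidence.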
What is an intrusion prevention system (IPS)?
An intrusion prevention system (IPS), also called an intrusion detection and prevention system (IDPS), is a network security application that identifies possible malicious activity, logs information about it, reports the attempt, and tries to block it. An IPS typically sits inline, directly behind the firewall, so that traffic must pass through it.
In addition, IPS solutions can be used to identify problems with security strategies, document existing threats, and deter individuals from violating security policies.
To stop an attack, an IPS may change the security environment, for example by reconfiguring a firewall, or alter the attack's content, for example by stripping a malicious payload from a packet.
Many consider an IPS an extension of an IDS, since both monitor network traffic and/or system activity for malicious behaviour.
How does an intrusion prevention system (IPS) work?
Intrusion prevention systems (IPS) work by scanning all network traffic via one or more of the following detection methods:
- Signature-based detection: A signature-based IPS monitors packets on the network and compares them against pre-configured, pre-determined attack patterns known as signatures.
- Statistical anomaly-based detection: An IPS which is anomaly-based monitors network traffic and compares it against an established baseline. This baseline is used to identify what is "normal" in a network, e.g. how much bandwidth is used and what protocols are used. While this type of anomaly detection is good for identifying new threats, it can also generate false positives when legitimate uses for bandwidth exceed a baseline or when baselines are poorly configured.
- Stateful protocol analysis detection: This method identifies deviations in protocol states by comparing observed events with pre-determined profiles of generally accepted definitions of benign activity.
Because it sits inline, an IPS inspects every packet that travels across the network in real time. When a packet or session is deemed suspicious, the IPS will perform one or more of the following actions:
- Terminate the TCP session that is being exploited, typically by sending TCP resets to both ends
- Block the offending IP address or user account from accessing any application, host, or network resource
- Reprogram or reconfigure the firewall to prevent a similar attack from occurring at a later date
- Remove or replace malicious content that remains after an attack by repackaging the payload, removing header information, or destroying infected files
When deployed correctly, this allows an IPS to prevent severe damage from malicious or unwanted packets and a range of other cyber threats.
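As an added example (not from the original article or from any IPS vendor), the following Python sketch implements stateful protocol analysis for TCP, following the three-way handshake and treating data on a connection that never completed it as a deviation, and wires the verdict to the actions listed above: forward, drop the packet, block the source address after repeated deviations, or reset an established session whose payload matches a content signature. The packet records, the `../../` signature and the two-strikes block threshold are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical content signature that, seen on an established session, triggers a reset.
EXPLOIT_SIGNATURE = b"../../"


def pkt(src, dst, flags, payload=b""):
    """Constructed packet record: source, destination, TCP flag names and payload bytes."""
    return {"src": src, "dst": dst, "flags": set(flags), "payload": payload}


class TcpStateTracker:
    """Minimal stateful protocol analysis: follow the three-way handshake per
    (client, server) pair and treat data outside an established connection as a
    deviation from the expected protocol state. Sequence numbers are ignored."""

    def __init__(self):
        self.state = {}  # (client, server) -> SYN_SENT | SYN_RECEIVED | ESTABLISHED

    def observe(self, p):
        fwd, rev, flags = (p["src"], p["dst"]), (p["dst"], p["src"]), p["flags"]
        if flags == {"SYN"}:
            self.state[fwd] = "SYN_SENT"
        elif flags == {"SYN", "ACK"} and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_RECEIVED"
        elif flags == {"ACK"} and self.state.get(fwd) == "SYN_RECEIVED":
            self.state[fwd] = "ESTABLISHED"
        elif flags & {"RST", "FIN"}:
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
        elif p["payload"] and "ESTABLISHED" not in (self.state.get(fwd), self.state.get(rev)):
            return "data-without-handshake"
        return None


class Ips:
    """Inline decision point: handle() returns the action taken for each packet."""

    def __init__(self, block_after=2):
        self.tracker = TcpStateTracker()
        self.deviations = defaultdict(int)  # source IP -> protocol deviations seen
        self.blocked = set()
        self.block_after = block_after

    def handle(self, p):
        if p["src"] in self.blocked:
            return "drop:blocked-ip"
        deviation = self.tracker.observe(p)
        if deviation:
            self.deviations[p["src"]] += 1
            if self.deviations[p["src"]] >= self.block_after:
                self.blocked.add(p["src"])  # block the offending IP address outright
                return "drop:block-ip"
            return "drop:" + deviation  # drop just this packet
        if EXPLOIT_SIGNATURE in p["payload"]:
            return "reset-session"  # terminate the exploited TCP session
        return "forward"


# Constructed packet sequence: a clean handshake and request, a host that sends data
# without ever completing a handshake (twice), its later SYN, and finally a traversal
# attempt on the established session.
SAMPLE = [
    pkt("192.0.2.10", "198.51.100.1", ["SYN"]),
    pkt("198.51.100.1", "192.0.2.10", ["SYN", "ACK"]),
    pkt("192.0.2.10", "198.51.100.1", ["ACK"]),
    pkt("192.0.2.10", "198.51.100.1", ["ACK", "PSH"], b"GET / HTTP/1.1"),
    pkt("203.0.113.7", "198.51.100.1", ["ACK", "PSH"], b"GET /x HTTP/1.1"),
    pkt("203.0.113.7", "198.51.100.1", ["ACK", "PSH"], b"GET /y HTTP/1.1"),
    pkt("203.0.113.7", "198.51.100.1", ["SYN"]),
    pkt("192.0.2.10", "198.51.100.1", ["ACK", "PSH"], b"GET /../../etc/passwd HTTP/1.1"),
]


def run_demo():
    ips = Ips()
    return [ips.handle(p) for p in SAMPLE]


if __name__ == "__main__":
    for p, action in zip(SAMPLE, run_demo()):
        print(f"{p['src']:>12} -> {p['dst']:<12} {sorted(p['flags'])} {action}")
```

A production IPS also tracks sequence and acknowledgement numbers and reassembles streams; without that, an attacker can still slip data past this tracker by, for instance, completing a handshake and then injecting segments out of window. The example shows the state-machine idea and the action mapping, not an evasion-resistant implementation.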
What are the different types of intrusion prevention systems (IPS)?
Intrusion prevention systems are generally classified into four types:
- Network-based intrusion prevention system (NIPS): A NIPS detects and prevents malicious or suspicious activity by analysing packets throughout the network. Once installed, a NIPS gathers information from hosts and the network to identify the permitted hosts, applications and operating systems, and logs normal traffic so it can identify changes from the baseline. It can stop attacks by sending a TCP reset, limiting bandwidth usage, or rejecting packets. While useful, a NIPS typically can't analyse encrypted traffic unless it is decrypted for it, may struggle under high traffic loads, and can itself be targeted by direct attacks.
- Wireless intrusion prevention system (WIPS): WIPS monitor the radio spectrum for the presence of unauthorised access points and automatically take countermeasures to remove them. These systems are typically implemented as an overlay to an existing Wireless LAN infrastructure, although they may be deployed standalone to enforce no-wireless policies within an organization. Some advanced wireless infrastructure has integrated WIPS capabilities. The following types of threats can be prevented by a good WIPS: rogue access points, mis-configured access points, man-in-the-middle attacks, MAC spoofing, honeypot, and denial of service attacks.
- Network behaviour analysis (NBA): This type of intrusion prevention system relies on anomaly-based detection and looks for deviations from what is considered normal behaviour in a system or network. It therefore needs a training period to profile what is normal; once that period is over, inconsistencies are flagged as malicious. While this is good for detecting new threats, problems arise if the network was already compromised during the training period, because the malicious behaviour is then baked into the baseline as normal. These tools can also produce false positives.
- Host-based intrusion prevention system (HIPS): A system or program employed to protect critical computer systems. A HIPS analyses activity on a single host to detect and prevent malicious activity, primarily by analysing code behaviour. It is often praised for catching attacks that use encryption, because it inspects data on the host after it has been decrypted. A HIPS can also be used to prevent sensitive information, such as personally identifiable information (PII) or protected health information (PHI), from being extracted from the host. Since a HIPS lives on a single machine, it is best used alongside network-based IDS and IPS.
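The training-period problem described for NBA can be shown numerically. This added Python example (not from the article) trains the same mean/standard-deviation baseline twice on constructed per-interval outbound byte counts for one host: once on a clean window, and once on a window captured while an attacker was already exfiltrating data. The second baseline absorbs the exfiltration as "normal" and never flags it. All figures are hypothetical.

```python
import statistics


def train_baseline(samples):
    """Profile 'normal' from a training window: mean and population stdev per interval."""
    return statistics.mean(samples), statistics.pstdev(samples) or 1.0


def is_anomalous(value, baseline, z_threshold=3.0):
    """Flag an interval whose byte count sits more than z_threshold stdevs above the mean."""
    mean, stdev = baseline
    return (value - mean) / stdev > z_threshold


# Constructed outbound bytes per interval for one host (hypothetical telemetry).
CLEAN_WINDOW = [1000, 1100, 950, 1050, 1200, 980, 1020, 1150]

# The same host, but the training window was captured while an attacker was already
# exfiltrating roughly 50 KB per interval on top of the normal load.
COMPROMISED_WINDOW = [v + 50000 for v in CLEAN_WINDOW]

# An interval observed after training, while the exfiltration is still running.
EXFIL_INTERVAL = 51000


def demo():
    return {
        "trained_on_clean_window": is_anomalous(EXFIL_INTERVAL, train_baseline(CLEAN_WINDOW)),
        "trained_while_compromised": is_anomalous(EXFIL_INTERVAL, train_baseline(COMPROMISED_WINDOW)),
    }


if __name__ == "__main__":
    for label, flagged in demo().items():
        print(f"{label}: {'ALERT' if flagged else 'no alert'}")
```

The usual mitigations are to vet the training window with signature and reputation checks before trusting it, to use robust statistics (median and median absolute deviation rather than mean and standard deviation) so a handful of bad intervals cannot drag the baseline, and to compare the new baseline against peers or historical data before accepting it.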
What are the limitations of intrusion detection systems (IDS) and intrusion prevention systems (IPS)?
The limitations of IDS and IPS include:
- Noise: Bad packets generated by software bugs, corrupt DNS data, and local packets that escape onto the monitored segment can limit an intrusion detection system's effectiveness and cause a high false alarm rate.
- False positives: It's not uncommon for the number of real attacks to be dwarfed by the number of false alarms. This can cause real attacks to be missed or ignored.
- Outdated signature databases: Many attacks exploit known vulnerabilities which means the library of signatures needs to remain up to date to be effective. Outdated signature databases can leave you vulnerable to new strategies.
- The lag between discovery and application: For signature-based detection, there is a lag between the discovery of a new type of attack and its signature being added to the database. During that window, the IDS cannot identify the attack.
- Limited protection from weak identification or authentication: If an attacker gains access using valid credentials obtained through poor password security, the traffic looks like a legitimate login, and an IDS may not detect or prevent the adversary's subsequent actions.
- Lack of processing of encrypted packets: Most IDS cannot inspect the contents of encrypted packets, so malicious payloads carried over encrypted channels can enter a network undetected unless the traffic is decrypted for inspection, for example by TLS interception.
- Reliance on IP attribution: Many IDS report on the basis of the source address in the IP packet. This is useful when the address is accurate, but it can be spoofed or obscured, for example behind a proxy or VPN. See our post on the limitations of IP attribution for more information.
- Susceptible to the same protocol-based attacks they are designed to protect against: Because a NIDS must parse the protocols it captures, it can itself be vulnerable to certain attacks. For example, malformed data and TCP/IP stack attacks can cause a NIDS to crash, and an attacker may deliberately target the sensor to blind it.
What are the differences between intrusion detection systems (IDS) and intrusion prevention systems (IPS)?
The main difference is that an IDS is a monitoring system and an IPS is a control system. Both read network packets and compare their contents to a database of known threats or to baseline activity. However, an IDS doesn't alter network packets, while an IPS can prevent packets from being delivered based on their contents, much like a firewall does based on an IP address:
- Intrusion detection systems (IDS): Analyse and monitor traffic for indicators of compromise that may indicate an intrusion or data theft. An IDS compares current network activity against known threats, security policy violations and port scans. An IDS requires a human or another system to review the results and decide how to respond, which makes it better suited as a post-mortem digital forensics tool. Also, an IDS is not inline, so traffic doesn't have to flow through it.
- Intrusion prevention systems (IPS): IPS have detection capabilities too, but will proactively deny network traffic if they believe it represents a known security threat.
Can IDS and IPS work together?
Yes, IDS and IPS can work together. Many modern vendors combine IDS and IPS with firewalls. This type of technology is called a Next-Generation Firewall (NGFW) or Unified Threat Management (UTM).
How are intrusion detection systems (IDS) and intrusion prevention systems (IPS) different from firewalls?
Traditional network firewalls use a static set of rules to permit or deny network connections. This can prevent intrusions, assuming appropriate rules have been defined. Essentially, firewalls are designed to limit access between networks to prevent intrusion but do not prevent attacks from inside a network.
IDS and IPS send alerts when they suspect intrusion and also monitor for attacks from within a network. Note that next-generation firewalls generally combine traditional firewall technology with deep packet inspection, IDS, and IPS.
Why are IDS and IPS important?
Security teams face an ever-growing list of security concerns, from data breaches and data leaks to compliance fines, while still being constrained by budgets and corporate politics. IDS and IPS technology can help cover specific and important parts of your security management program:
- Automation: Once configured, IDS and IPS are largely hands-off, which makes them an effective way to improve network security without adding staff, although signatures still need updating and alerts still need triage.
- Compliance: Many regulations require you to prove that you have invested in technology to protect sensitive data. Implementing an IDS or IPS can help you address a number of CIS controls. More importantly, they can help protect you and your customers' most sensitive data and improve data security.
- Policy enforcement: IDS and IPS are configurable to help you enforce your information security policies at a network level. For example, if you only support one operating system, you can use an IPS to block traffic coming from others.