Intrusion
A confirmed attack on information assets.
Back hack
Attempting to gain access to the source of the intrusion.
Honey pots
Decoy systems designed to lure potential hackers away from critical systems to observe their actions.
Honey nets
A collection of interconnected honey pots, used to observe lateral movement between systems.
Honey monkeys
Automated browsers that visit websites to detect malicious behavior.
Padded Cell
A simulated environment to which detected attackers are transferred so that they can cause no harm.
Trap and Trace System
A system that detects intrusions and traces them back to the source using honeypots and alarms.
IDS (Intrusion Detection System)
Detects and alerts on intrusions but does not act automatically.
IPS (Intrusion Prevention System)
Detects intrusions and automatically deploys defensive countermeasures.
Host-based IDPS
Protects individual systems by monitoring files and user activity; can detect encrypted data but not multi-host attacks.
Network-based IDPS
Monitors network traffic for attack patterns; can detect multi-system attacks but cannot inspect encrypted data.
Signature-based IDPS
Matches known attack patterns; low false positives but can't detect new attacks.
Anomaly-based IDPS
Detects deviations from normal behavior; can find new attacks but has higher false positives.
Stateful Protocol Analysis
Compares observed traffic against known protocol profiles; useful for detecting complex, multi-session attacks.
Log File Monitor (LFM)
Reviews and analyzes system and network log files for signs of intrusion.
Footprinting
Organized research of internet addresses and systems owned by an organization.
Fingerprinting
Survey of systems to find open ports and services for more detailed information.
Vulnerability Scanner
Scans network segments for known vulnerabilities; example: Nessus.
Port Scanner
Identifies open ports on systems; example: Nmap.
Packet Sniffer
Captures network traffic for review and analysis; example: Wireshark.
Firewall Analysis Tools
Tools that discover firewall rules remotely and help optimize firewall configuration.
Operating System Detection Tools
Tools that detect the operating system of a remote host based on network behavior.
Metasploit
A platform containing a wide range of exploits, payloads, and tools for penetration testing.
SIEM
System that collects, aggregates, correlates, and analyzes security event data from across the organization.
Low-interaction Honeypot
Emulates basic services; easier to deploy and easier to detect.
High-interaction Honeypot
Real systems offered as targets; harder to detect but harder to maintain.
Email Honeypot
Fake email accounts that trigger alerts when accessed.
Database Honeypot
Fake database set up to lure attackers and monitor their actions.
Enticement
Legally attracting intruders without encouraging illegal activity.
Entrapment
Illegally inducing someone to commit a crime.
Regression Testing
Testing IDPS effectiveness by replaying recorded attack packets.
Hardness Testing
Testing how well an IDPS resists real-world attacks.
Hypothesis Testing
Forward-looking testing to predict how an IDPS would perform against unknown threats.
True Positive
Correctly identifying an actual attack.
False Positive
Incorrectly identifying legitimate activity as an attack.
False Negative
Failing to detect a real attack.
True Negative
Correctly identifying legitimate activity as safe.
Attack Surface
The set of functions and features exposed to attackers.
Active Intrusion Prevention
Techniques like LaBrea that delay or trap attackers by pretending to be live systems.