Week 10, 11, 13 - Intrusion Detection System

Chapter 8: Intrusion Detection

Overview

  • Focus on the various types of intruders and their behavior

  • Discusses intrusion detection systems (IDS) and their requirements


Classes of Intruders

Cyber Criminals

  • Definition: Individuals or organized crime groups seeking financial gain.

  • Activities Include:

    • Identity theft.

    • Theft of financial data.

    • Corporate espionage.

    • Data theft and ransoming.

  • Characteristics:

    • Often young hackers from Eastern Europe or Southeast Asia.

    • Operate in underground forums to exchange information and coordinate attacks.


Activists (Hacktivists)

  • Definition: Individuals or groups motivated by political or social causes.

  • Characteristics and motivation:

    • Typically have a low skill level.

    • Aim to publicize their cause through actions like:

      • Website defacement.

      • Denial of Service (DoS) attacks.

      • Data theft and distribution for negative publicity.


State-Sponsored Organizations

  • Definition: Groups of hackers funded by governments for espionage or sabotage.

  • Key Features:

    • Known as Advanced Persistent Threats (APTs).

    • Engage in covert and prolonged attacks.

    • Activities span a wide range of countries including the USA, UK, and China.


Other Intruders

  • Definition: Hackers with diverse motivations like technical challenges or notoriety.

  • Examples include:

    • Classic hackers and crackers.

    • Hobby hackers utilizing toolkits for exploration of systems.


Intruder Skill Levels

Apprentice (Script-Kiddies)

  • Characteristics:

    • Minimal technical skills.

    • Use existing attack toolkits.

    • Largest demographic of attackers, including criminals and activists.

    • Easier to defend against due to reliance on known tools.


Journeyman

  • Characteristics:

    • Sufficient skill to modify attack tools.

    • Can identify new vulnerabilities to exploit.

    • Found across all categories of intruders.


Master

  • Characteristics:

    • High-level technical skill.

    • Capable of discovering new vulnerabilities.

    • Develops attack toolkits.

    • Includes known classical hackers, often employed by governments.

    • Defense against their attacks is very challenging.


Examples of Intrusions

  • Actions like:

    • Remote root compromises.

    • Web server defacements.

    • Password cracking.

    • Unauthorized viewing of sensitive data.

    • Use of packet sniffers; distribution of pirated software.


Intruder Behavior Phases

  1. Target Acquisition: Gathering information about the target.

  2. Initial Access: Gaining entry into the system.

  3. Privilege Escalation: Obtaining elevated access rights.

  4. Information Gathering: Collecting sensitive data.

  5. Maintaining Access: Ensuring continued entry into the network.

  6. Covering Tracks: Hiding the intrusion evidence.


Intrusion Detection Systems (IDS)

Types of IDS

  • Host-Based IDS (HIDS): Monitors individual host activities.

  • Network-Based IDS (NIDS): Monitors traffic on a network segment rather than on a single host.

  • Distributed/Hybrid IDS: Utilizes multiple sensors for better detection and response.


IDS Requirements

  • Must run continuously and be fault tolerant.

  • Required to resist subversion and have minimal system impact.

  • Should scale efficiently and allow for dynamic reconfiguration.


Analysis Approaches

Anomaly Detection

  • Builds a profile of normal (legitimate) user behavior over time and flags significant deviations as possible intrusions.

Signature/Heuristic Detection

  • Compares data against known malicious patterns to identify attacks.
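As an added example (not from the course notes) contrasting the two analysis approaches, the Python below runs both over a constructed log window: a signature rule catches a known-bad access pattern, while a statistical profile of failed logins per user flags the one user whose count deviates from the baseline. The log format, user names, baseline counts, rule and threshold are all assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed sample log window (not from any real system).
SAMPLE_LOG = """\
user=alice src=10.0.0.5 action=login result=ok
user=bob src=10.0.0.9 action=login result=ok
user=mallory src=10.0.0.77 action=login result=fail
user=mallory src=10.0.0.77 action=login result=fail
user=mallory src=10.0.0.77 action=login result=fail
user=mallory src=10.0.0.77 action=login result=fail
user=mallory src=10.0.0.77 action=login result=fail
user=mallory src=10.0.0.77 action=login result=fail
user=carol src=10.0.0.12 action=login result=ok
user=carol src=10.0.0.12 action=read path=/etc/shadow result=denied
"""

# Constructed baseline: failed logins per user per window, observed during a
# known-good period. This is the "normal behavior" profile anomaly detection needs.
BASELINE_FAILURES = [0, 1, 0, 0, 1, 0, 0, 1, 0, 0]

# Signature rules: hypothetical known-bad patterns for this log format.
SIGNATURES = {"shadow-file-read": re.compile(r"action=read path=/etc/shadow")}

LINE_RE = re.compile(r"user=(\S+) src=\S+ action=(\S+).*result=(\S+)")


def signature_detect(log: str) -> list[tuple[str, str]]:
    """Return (rule_name, line) for every line that matches a known pattern."""
    return [(name, line) for line in log.splitlines()
            for name, pat in SIGNATURES.items() if pat.search(line)]


def anomaly_detect(log: str, z_threshold: float = 3.0) -> dict[str, float]:
    """Return {user: z_score} for users whose failed-login count in this window
    lies more than z_threshold standard deviations above the baseline mean."""
    mean = statistics.mean(BASELINE_FAILURES)
    sd = statistics.stdev(BASELINE_FAILURES)
    failures: Counter[str] = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: a real IDS would count or alert on these
        user, action, result = m.groups()
        failures.setdefault(user, 0)  # users with no failures still get a score
        if action == "login" and result == "fail":
            failures[user] += 1
    return {u: round((n - mean) / sd, 2) for u, n in failures.items()
            if (n - mean) / sd > z_threshold}
```

Note that each approach misses what the other catches: the single denied read of /etc/shadow never shifts carol's failure count, and the brute-force pattern against mallory's account matches no fixed signature.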


Honeypots

  • Purpose: Lure attackers away from critical systems and gather intelligence on their actions.

  • Types of Honeypots:

    • Low Interaction Honeypots: Emulate only selected services, which limits how far an attacker can engage.

    • High Interaction Honeypots: Fully operational systems that engage attackers for longer but require more resources to run and contain.


Intrusion Prevention Systems (IPS)

  • Extends IDS functionality to block or prevent detected threats.

  • Can leverage various detection techniques for proactive defense.


Conclusion

  • Understanding intrusion detection and prevention is crucial for maintaining security across systems and networks.
