The Importance of Intrusion Detection and Prevention Systems

Hackers take part in lots of port scans and address scans with the intentions of finding loop holes within organizations. This calls for the installations of IDS and IPS. The main work of Network Intrusion Detection Systems (IDS) is to monitor the system’s behavior and alert on potentially malicious network traffic (Baker, 2004). IDS can be set dual inline package switch that are attached to a spanning port of a switch, or make use of a hub in place of a switch (Baker, 2004). The idea here is to allow access to all packets you wish the IDS to monitor. IPS on the other hand has capability of stopping possible intrusion incidences. Therefore when the system is compromised, IPS/IDS systems send alert to the admin since their systems are made up of sensors. They also take action by; blocking the attack, logging the attack and adding IP source address to the block list for a given time duration, or permanently blocking the IP address based on the specified settings.

Would the alarms necessarily have alerted the appropriate parties?      

The alarms only necessarily alerts security personnel to a threat as an appropriate IPS rule set could serve as a point of protection against the known vulnerability before it reaches that server. The ability of IDS and IPS to simulate the response of a host gives it the unique capability to catch, stop or alert on attacks that could have a negative effect on a secured server or compromise its data.

What would the attackers have done to prevent them from being detected by IDS/IPS?

Hackers or attackers have various ways of IDS/IPS evasion techniques by determining the failing in the design and taking advantage of the weakness through means such as; encryption and tunneling, timing attacks, resource exhaustion, traffic fragmentation, protocol-level misinterpretation and traffic substitution and insertion (Baker et al. 2004). They use these techniques to bypass the intrusion detection, prevention and traffic filtering functions provided by fooling network IPS and IDS sensors to think that their attack is logical data traffic.

Attackers can avoid detection by encrypting the messages or putting them in a safe tunnel since they are aware that NIDS will be able to examine the payload of every packet that crosses its path for effectiveness. When the packets are encrypted, IDS/IPS the sensors capture the data but are not able to decrypt it and perform meaningful analysis (Baker et al. 2004). This is assuming the attacker has already established a secure session with the target network or host and therefore the packets true payload is not analyzed.

Traffic substitution and insertion is also another category of evasion attack. This is done when the hacker maintains the meaning of the payload data but interchange payload’s data with a dissimilar format. The IPS sensors then overlook such vicious payloads when it is looking for data in a specific format and does not realize the data’s true meaning.

Attackers can also evade the detection system through protocol level misinterpretation by causing the IPS sensors to misread the true meaning of the network protocols. In this situation, the data traffic is perceived differently from the target by the hacker prompting the sensor to ignore traffic that should not be ignored or does not ignore the data that should be ignored.

Attackers van evade from IPS/DNS detection by overloading the NIDS (Newsham, 2003) such that there is denial of service. The denial of service can be executed in two different ways; firstly, the attacker can oversupply the unit with attacks from falsified IP addresses that creates several alarms that the security staff officer would have a risk of not finding the true hacker. Secondly, the attacker can flood the NIDS so that it cannot perhaps inspect every packet and at the same time dislocate the malicious packets beyond the overloaded NIDS.

Timing attacks is where attacker escapes detection by executing their actions at a slower pace by not going beyond the normal threshold of the time window uses its signature to mutually relate different data packets together.

What might be the implications of this action on the business from an information security (InfoSec) perspective?

Intrusion detections and preventions systems are usually installed to serve business intentions and to meet their target. Absence of these intrusion systems can make it easy for hackers to introduce infections, such as viruses that have partial or total control of the internal systems. These viruses are used to spread infection and attack other systems within the organization. The attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can access, such as employee information, financial records or customer personal data. If a business environment hosts critical systems, secret data or falls under the range of strict conformity regulations, then it's a great prospect for IDS, IPS or both (Rehman, 2003). Alternatively, an IPS is best for organizations that want to detect and stop or prevent an assault because of its ability to proactively protect critical assets, whereas IDS only shows that an attack may be in progress; extra fulfilment is needed on the part of administrators to actually prevent it from happening.

References

Baker, A. R., Beale, J., Caswell, B., & Poor, M. (2004). Snort 2.1 Intrusion Detection Second Edition. Rockland, MA: Syngress Publishing, Inc.

Rehman, R. U. (2003). Intrusion Detection with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID. Saddle River, NJ: Prentice Hall PTR.

Newsham, P. (1998).  “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.” Retrieved on  Aug.7, 2018 from   http://downloads.securityfocus.com/library/ids.ps