Final IDS Report
Date
Student name
IDPS Concepts, Technologies, Applications, Strengths, and Weaknesses
Intrusion detection and prevention systems (IDPS) combine intrusion detection and intrusion prevention, and may be used to identify security policy problems, document existing threats, and deter individuals from violating security policies. Intrusion detection systems (IDS) monitor networks and systems for malicious activity or policy violations and record the behavior by logging the activity and raising alerts. Intrusion prevention systems (IPS) extend those capabilities by actively reconfiguring network devices to block or drop network connections.
IDPS Technologies
Common IDPS technologies that may be deployed to monitor network traffic include network-based, wireless, network behavior analysis (NBA), and host-based. Network-based technologies monitor traffic flowing from specific devices or selected network segments of interest. They provide adequate intrusion detection and prevention for traffic moving across the network, but may not be aware of malicious activity that takes place on a host system.
Wireless technologies monitor wireless network activity associated with standard wireless protocols. They are useful for monitoring protocols at the network layer and below, but cannot help with protocols above the network layer.
NBA operates on the principle of creating a baseline of normal network traffic, which is later used as the point of comparison when looking for unusual traffic. Anomalies that deviate from the baseline are flagged, recorded in logs, and possibly dropped to prevent further network traffic. Benign traffic that does not match the baseline may be identified and prevented as well, mistaken for malicious traffic. Additional tuning may occasionally be required to account for drastic changes in network traffic.
Host-based technologies narrow monitoring down to specific, individual information systems (IS). Malevolent activities occurring on the host are identified, whereas the same events happening elsewhere on the network or on an IS outside the host would not be recognized.
IDPS Methodologies
Detection methodologies that IDPS use are classified as signature-based detection, anomaly-based detection, and stateful protocol analysis. Signature-based detection captures previously observed malicious patterns to help identify and compare the same type of activity that may be prevalent on other systems. Anomaly-based detection establishes a baseline by heuristically monitoring the network for what is perceived as normal activity; traffic that deviates from the learned behavior is identified as suspicious. Stateful protocol analysis uses vendor-developed universal profiles to define what is considered acceptable for stateful protocols. A TCP SYN scan by Nmap could be flagged because it does not complete the three-way handshake as a stateful protocol usually does.
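As an added example (not part of the original report), the following Python replays a constructed TCP trace, tracks each flow through the three-way handshake, and flags an initiator that keeps leaving handshakes incomplete, which is the pattern stateful protocol analysis would catch in a SYN scan. Addresses, ports and the threshold are assumptions for illustration.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

def replay(packets):
    """Replay (src, sport, dst, dport, flags) tuples and return each flow's
    final state, keyed by the initiator's 4-tuple."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags == SYN:                                            # initiator opens
            state[fwd] = "SYN_SENT"
        elif flags == SYN | ACK and state.get(rev) == "SYN_SENT":   # responder answers
            state[rev] = "SYN_RECEIVED"
        elif flags == ACK and state.get(fwd) == "SYN_RECEIVED":     # handshake completes
            state[fwd] = "ESTABLISHED"
        elif flags & RST:                                           # torn down early
            key = fwd if fwd in state else rev
            if state.get(key) not in (None, "ESTABLISHED"):
                state[key] = "ABORTED"
    return state

def syn_scan_sources(state, threshold=3):
    """Flag initiators that left >= threshold distinct (host, port) targets
    without ever reaching ESTABLISHED."""
    incomplete = defaultdict(set)
    for (src, _sport, dst, dport), s in state.items():
        if s != "ESTABLISHED":
            incomplete[src].add((dst, dport))
    return {src for src, targets in incomplete.items() if len(targets) >= threshold}

# Constructed trace using TEST-NET addresses; this is not captured traffic.
CLIENT, SCANNER, SERVER = "192.0.2.10", "192.0.2.20", "192.0.2.100"
TRACE = [
    # legitimate client completes the three-way handshake on port 80
    (CLIENT, 50000, SERVER, 80, SYN),
    (SERVER, 80, CLIENT, 50000, SYN | ACK),
    (CLIENT, 50000, SERVER, 80, ACK),
    # SYN scan: open port 22 answers SYN/ACK and the scanner resets instead of
    # ACKing; closed ports 443 and 8080 are answered with RST/ACK by the server
    (SCANNER, 40001, SERVER, 22, SYN),
    (SERVER, 22, SCANNER, 40001, SYN | ACK),
    (SCANNER, 40001, SERVER, 22, RST),
    (SCANNER, 40002, SERVER, 443, SYN),
    (SERVER, 443, SCANNER, 40002, RST | ACK),
    (SCANNER, 40003, SERVER, 8080, SYN),
    (SERVER, 8080, SCANNER, 40003, RST | ACK),
]

if __name__ == "__main__":
    print("suspected SYN scanners:", syn_scan_sources(replay(TRACE)))
```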
Malware Detection
Research was conducted to replay a malicious file infecting a host system in real time. The "2021-02-24 QAKBOT (QBOT) Infection with Spambot Traffic" capture was selected, with Security Onion's logs and network diagnostic tools used to detect the malware and capture the events generated by the malicious file. Sguil logged and identified that a "policy PE EXE or DLL Windows file download" had occurred from source IP 128.199.91.194:80 to destination IP 10.2.21.101:49725 (Fig. 1).
Figure 1. Sguil Logs a Policy Violation/Custom Configured Rule
The custom rule that was configured to trigger the alert was:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, former_category POLICY, updated_at 2017_02_01;)

loaded from /nsm/server_data/securityonion/rules/ip-10-0-0-106-eth0-1/downloaded.rules, line 14255 (Fig. 1). A further review of a log in Squert showed that the source IP 128.199.91.194 originated from the United Kingdom (Fig. 2). Skillful hackers tend to cover their tracks by using IP spoofing or pivoting from other compromised nodes, which gives reason to believe that this could be a command-and-control node or a node set up as a repository for infecting host systems.
Figure 2. Squert traces IP to the United Kingdom.
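As an added example (not part of the original report or of the Emerging Threats rule set), the following Python reproduces the payload checks of the rule quoted above over constructed HTTP response bodies: "MZ" in the first two bytes, the 4-byte little-endian e_lfanew read at offset 60 by byte_jump, and "PE\0\0" exactly at that offset after distance:-64 rewinds the cursor. The flow, flowbits and file_data conditions are assumed to be satisfied and are not modelled.

```python
import struct

def matches_pe_download_rule(body: bytes) -> bool:
    """Apply the content checks of ET sid 2018959 to one HTTP response body."""
    if body[:2] != b"MZ":              # content:"MZ"; within:2
        return False
    if len(body) < 64:                 # byte_jump needs 4 bytes at offset 2 + 58
        return False
    e_lfanew = struct.unpack_from("<I", body, 60)[0]   # byte_jump:4,58,relative,little
    # cursor is now at 64 + e_lfanew; distance:-64 moves it back to e_lfanew and
    # within:4 forces the 4-byte "PE\0\0" signature to sit exactly there
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def build_sample_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped buffer: DOS magic, e_lfanew, PE signature.
    It is not a real executable and contains no code."""
    buf = bytearray(e_lfanew + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 60, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)

# Constructed response bodies covering the match and the usual non-matches.
SAMPLES = {
    "pe_download": build_sample_pe(),
    # DOS-era "MZ" file whose e_lfanew does not point at a PE signature
    "dos_only": b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"XXXX",
    "html": b"<html><body>hello</body></html>",
    # transfer cut off before the PE signature; rule cannot match
    "truncated": build_sample_pe()[:70],
}

def scan(samples: dict) -> list:
    """Return the names of the bodies that would raise the alert."""
    return sorted(name for name, body in samples.items()
                  if matches_pe_download_rule(body))

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"ALERT ET POLICY PE EXE or DLL Windows file download HTTP: {name}")
```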
Other tools such as NetworkMiner were used to investigate this activity. NetworkMiner was able to capture the name of the downloaded file, its path, hash, and size (Fig. 3). Once the file hash or the virus file itself has been identified, online repositories holding signatures of known malicious files can be used to gather further data on the suspicious file. PCAPs are another way of viewing data passed on the network. Kibana captured the IP and logged the event under "All Logs" (Fig. 4), with a hyperlink to the PCAP. The PCAP (Fig. 5) further validated what the other tools had already displayed.
Figure 3. NetworkMiner displays information about the downloaded file.
Figure 4. Kibana Logs Source IP of Malicious Activity.
Figure 5. PCAP on Malicious Activity.
IDPS and security networking tools are effective at detecting and preventing leakage of proprietary information. However, threat actors have formulated workarounds to smuggle data out using encryption and secure protocols. Enterprises may configure proxies to decrypt outgoing traffic and re-encrypt it as it exits the network; however, dedicated equipment may be needed, which can consume a lot of resources and add overhead.