Intrusion Detection and Prevention Systems
An Intrusion Detection System (IDS) is a detective device designed to detect malicious including policy-violating actions. Also, an Intrusion Prevention System (IPS) is a preventive device designed to prevent malicious actions.
IDS and IPS are discussed earlier in communication and network security domain. Also we discussed again about IDS and IPS, in this domain and in “Conduct Logging and Monitoring Activities” section.
Anyway, as we said earlier in “Conduct Logging and Monitoring Activities” section, there are two basic types of IDSs and IPSs: Network-based (NIDS and NIPS) and Host-based (HIDS and HIPS).
Today some networks use a combination of NIDS and NIPS.
A NIDS is passive device that detects malicious traffic on a network. NIDS often require promiscuous network access to analyze all traffic, including all unicast traffic.
The NIPS (unlike NIDS) alters the flow of network traffic. And that’s the difference between NIDS and NIPS. The NIPS often has a smaller set of rules compared to a NIDS.
There are two types of NIPS:
- Active response: It may kill malicious traffic through a variety of methods.
- Inline: An inline NIPS is “in line” with traffic, playing the role of a firewall by passing or allowing traffic.
NIPS also provides defense-in-depth protection.
And finally, HIDS and HIPS process network traffic as it enters the host.
Whitelisting and Blacklisting
One of the most effective measures to protect computers and the entire network, is to separate all common functions as well as all available applications in two separate lists. Put your trusted actions and plans (such as email delivery from a known sender, traffic from a specific IP address range, or execution of a trusted application) on the whitelist and everything else on the blacklist.
Whitelisting involves explicitly allowing some action. Blacklisting explicitly blocks specific actions.
This is an effective preventative measure that prevents users from running unauthorized applications or send/receive emails with unreliable/unauthorized people.
Whitelisting and blacklisting can be automated. They can also help prevent malware infections.
Third-Party Provided Security Services
There are a variety of third-party security services. For example auditing, SIEM, penetration testing, or forensic services. Third-party security services cover a wide spectrum of possible security services.
A sandbox enables untrusted or unknown programs to be executed in a separate, isolated operating environment. In other words, a sandbox is an application execution environment that isolates the executing code from the operating system to prevent security violations.
When we sandbox an application, it behaves as if it were communicating directly with the OS.
Sandboxing is used in many types of systems today, including anti-malware, web filtering, and intrusion prevention systems (IPS).
Honeypots and Honeynets
Honeypots: individual computers, network computers, folders, or files created as a trap for intruders.
Honeynet: two or more networked honeypots used together to simulate a network.
Administrators usually configure honeypots with vulnerabilities to lure intruders into attacking them. They may be unpatched or have security vulnerabilities that administrators purposely leave open.
The goal is to grab the attention of intruders and keep the intruders away from the legitimate network that is hosting valuable resources.
Another benefit is that after the attacker’s attention is drawn and something is done, the attacker’s approach as well as his behavior can be monitored and analyzed. Identifying malware behavior is very important today and allows us to better identify and fix security vulnerabilities in our systems.
Anti-malware (also known as antivirus) is a software that designed to detect and deactivate malicious software, including viruses, worms, and Trojan horses.
The anti-malware software compares the contents of the file being opened or stored against a database of malware signatures. If a malware signature is matched, then anti-malware software prevents the file from being opened or saved. Of course, anti-malware also alerts the user.
The most important protection against malicious code is the use of anti-malware software with up-to-date signature files.
Advanced anti-malware tools use various advanced techniques such as machine learning to detect and block malware from executing on a system.
There are two general categories of anti-malware software:
- For personal computers (often called Desktop)
- For the network and its computers (sometimes called Enterprise)
Anti-malware for personal computers, like any software, can be easily installed on a computer.
Networked anti-malware usually has two or three components:
- Management console (installed on malware server. this computer usually called Administration Server)
- Network Agent (which should be installed on all computers)
- Anti-malware software (which must be installed on all computers)
The connection between the anti-malware software of each computer and the management console is done through the network agent. Of course, some malware manufacturers sometimes, merge the second and third components and distribute them as only a software on computers.
When Enterprise anti-malware software find a malware (or even if it gives the possibility of malware in a file) , sends an alert to central management console so that the organization’s security team is alerted and can take the appropriate action.
Anti-malware software that has an old database will not detect the existence of many malware. So it is very important that the database of these softwares is always up to date.