UNIT 3
INTRUSION DETECTION AND PREVENTION
Intrusion detection is the process of monitoring the events occurring in a computer system or
network and analyzing them for signs of possible incidents, which are violations or imminent threats
of violation of computer security policies, acceptable use policies, or standard security practices. An
intrusion detection system (IDS) is software that automates the intrusion detection process. An
intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection
system and can also attempt to stop possible incidents. IDS and IPS technologies offer many of the
same capabilities, and administrators can usually disable prevention features in IPS products,
causing them to function as IDSs.
Unauthorized Access
Unauthorized access is when a person gains entry to a computer network, system, application
software, data, or other resources without permission. Any access to an information system or
network that violates the owner or operator’s stated security policy is considered unauthorized
access. Unauthorized access is also when valid users access a resource that they do not have
permission to use.
The most common reasons for unauthorized entry are to:
Steal sensitive data
Cause damage
Hold data hostage as part of a ransomware attack
Play a prank
The three primary objectives of preventing unauthorized access are:
Confidentiality—the protection of sensitive information from unauthorized access
Integrity—the protection of sensitive information from unauthorized modification or
destruction
Availability—the protection of sensitive information and information systems from
unauthorized disruption
How Does Unauthorized Access Occur?
Understanding how unauthorized access occurs helps guide the implementation of best practices.
Many common tactics fall into two broad categories: digital and physical.
Digital Unauthorized Access Tactics
Guessing passwords:
Guessing passwords is a common entry vector for unauthorized access. Manual password
guessing is done using social engineering, phishing, or by researching a person to come up with
information that could be the password.
In scaled attacks, software is used to automate the guessing of access information, such as
user names, passwords, and personal identification numbers (PIN).
Exploiting software vulnerabilities:
A mistake in software is referred to as a bug. In most cases, these bugs are annoying, but
harmless. However, some bugs are significant vulnerabilities that can be exploited to gain
unauthorized access into applications, networks, operating systems, or hardware. These vulnerability
exploits are commonly executed with software or code that can take control of systems and steal
data.
Social engineering:
Cybercriminals often gain unauthorized access by taking advantage of human vulnerabilities,
convincing people to hand over credentials or sensitive data. These attacks, known as social
engineering, often involve some form of psychological manipulation and utilize malicious links in
email, pop-ups on websites, or text messages. Common social engineering tactics used to gain
unauthorized access include phishing, smishing, spear phishing, ransomware, and impersonation.
Physical Unauthorized Access Tactics:
Cybercriminals often gain unauthorized access to physical spaces to carry out their plans.
Some opt to steal laptops or smart devices, then break into them offsite. Others target computers or
routers to insert malware.
Tailgating or piggybacking:
Tailgating is a tactic used to gain physical access to resources by following an authorized
person into a secure building, area, or room. The perpetrator can be disguised as a delivery or repair
person, someone struggling with an oversized package who may require assistance, or someone who
looks and acts as if they belong there. Most of these situations occur "in plain sight."
Fraudulent use of access cards:
Access cards that are lost, stolen, copied or shared pose an unauthorized access risk.
Door propping:
While incredibly simple, propping open a door or window is one of the most effective ways
for an insider to help a perpetrator gain unauthorized access to restricted buildings or spaces.
Other Unauthorized Access Tactics
Collusion:
A malicious insider can collude with an outsider to provide unauthorized access to physical spaces
or digital access to systems. Often, an insider comes up with a plan, then brings in an outsider to
help. A more sophisticated third party can help override internal controls and bypass security
measures.
Passbacks:
Passbacks are instances of sharing credentials or access cards to gain unauthorized access to physical
places or digital systems.
Best Practices for Preventing Unauthorized Access
Electronic Data Protection:
Monitoring should be in place to flag suspicious attempts to access sensitive information.
Inventory of the devices on the network should be performed regularly to maintain
comprehensive, up-to-date maps.
Encryption should be used for viewing, exchanging, and storing sensitive information.
Network drives should be used to store sensitive information to protect it from unauthorized
access and for disaster recovery.
Mobile devices and personal computing devices should not be used for storing sensitive
information.
Removable media and devices should not be used to store sensitive information.
Access to systems and data should be limited on a need-to-use basis, also known as the principle
of least privilege.
Suspected security breaches should be reported immediately.
Backup and Disposal of Data:
Data should be backed up and stored according to data governance policies.
Sensitive data backed up to cloud storage providers should be encrypted.
Backups should be conducted on a regular basis.
Data that is no longer needed should be permanently deleted.
Professional computer recycling programs should be used for decommissioned computers and
devices, with all data removed prior to the recycling process.
Cross-cut shredders should be used to dispose of paper documents.
Password Management and Protection:
Organizational leaders should ensure strong password policies and effective compliance programs
are in place to prevent unauthorized access, as well as follow these guidelines themselves.
Unique passwords should be used for each online account.
Passwords should be changed for any account or device that has experienced an unauthorized
access incident.
Strong passwords should be used that include a combination of letters, numbers, and symbols.
A password should not be a word, common phrase, or one that someone with a little personal
knowledge might guess, such as the user’s child’s name, address, or phone number.
Passwords should never be shared.
Passwords should be changed periodically.
Passwords should not be written down or stored in an unsecure location.
Malware infection
As software designed to interfere with a computer's normal functioning, malware is a blanket
term for viruses, trojans, and other destructive computer programs threat actors use to infect systems
and networks in order to gain access to sensitive information.
Malware Definition
Malware (short for “malicious software”) is a file or code, typically delivered over a network,
that infects, explores, steals or conducts virtually any behavior an attacker wants. And because
malware comes in so many variants, there are numerous methods to infect computer systems.
Though varied in type and capabilities, malware usually has one of the following objectives:
Provide remote control for an attacker to use an infected machine.
Send spam from the infected machine to unsuspecting targets.
Investigate the infected user’s local network.
Steal sensitive data.
Types of Malware:
Malware is an inclusive term for all types of malicious software. Malware examples,
malware attack definitions and methods for spreading malware include:
Virus
Possibly the most common type of malware, viruses attach their malicious code to clean code
and wait for an unsuspecting user or an automated process to execute them. Like a biological virus,
they can spread quickly and widely, causing damage to the core functionality of systems, corrupting
files and locking users out of their computers. They are usually contained within an executable file.
Worms
Worms get their name from the way they infect systems. Starting from one infected machine,
they weave their way through the network, connecting to consecutive machines in order to continue
the spread of infection. This type of malware can infect entire networks of devices very quickly.
Spyware
Spyware, as its name suggests, is designed to spy on what a user is doing. Hiding in the
background on a computer, this type of malware will collect information without the user knowing,
such as credit card details, passwords and other sensitive information.
Trojans
Just like the Greek soldiers who hid in a giant horse to deliver their attack, this type of malware hides
within or disguises itself as legitimate software. Acting discreetly, it will breach security by creating
backdoors that give other malware variants easy access.
Ransomware
Also known as scareware, ransomware comes with a heavy price. Able to lock down
networks and lock out users until a ransom is paid, ransomware has targeted some of the biggest
organizations in the world today — with expensive results.
Types of Malware Attacks
Malware also uses a variety of methods to spread itself to other computer systems beyond an
initial attack vector. Malware attack definitions can include:
Email attachments containing malicious code can be opened, and therefore executed by
unsuspecting users. If those emails are forwarded, the malware can spread even deeper into
an organization, further compromising a network.
File servers, such as those based on the Common Internet File System (SMB/CIFS) and the Network
File System (NFS), can enable malware to spread quickly as users access and download
infected files.
File-sharing software can allow malware to replicate itself onto removable media and then on
to computer systems and networks.
Peer to peer (P2P) file sharing can introduce malware by sharing files as seemingly harmless
as music or pictures.
Remotely exploitable vulnerabilities can enable a hacker to access systems regardless of
geographic location with little or no need for involvement by a computer user.
Prevent Malware:
A variety of security solutions are used to detect and prevent malware. These include
firewalls, next-generation firewalls, network intrusion prevention systems (IPS), deep packet
inspection (DPI) capabilities, unified threat management systems, antivirus and anti-spam gateways,
virtual private networks, content filtering and data leak prevention systems. In order to prevent
malware, all security solutions should be tested using a wide range of malware-based attacks to
ensure they are working properly. A robust, up-to-date library of malware signatures must be used to
ensure testing is completed against the latest attacks.
The Cortex XDR agent combines multiple methods of prevention at critical phases within
the attack lifecycle to halt the execution of malicious programs and stop the exploitation of
legitimate applications, regardless of operating system, the endpoint’s online or offline status, and
whether it is connected to an organization’s network or roaming. Because the Cortex XDR agent
does not depend on signatures, it can prevent zero-day malware and unknown exploits through a
combination of prevention methods.
Malware Detection:
Advanced malware analysis and detection tools exist such as firewalls, Intrusion Prevention
Systems (IPS), and sandboxing solutions. Some malware types are easier to detect, such
as ransomware, which makes itself known immediately upon encrypting your files. Other malware
like spyware, may remain on a target system silently to allow an adversary to maintain access to the
system. Regardless of the malware type or malware meaning, its detectability or the person
deploying it, the intent of malware use is always malicious.
When you enable behavioral threat protection in your endpoint security policy, the Cortex XDR
agent can also continuously monitor endpoint activity for malicious event chains identified by Palo
Alto Networks.
Malware Removal:
Antivirus software can remove most standard infection types and many options exist for off-
the-shelf solutions. Cortex XDR enables remediation on the endpoint following an alert or
investigation giving administrators the option to begin a variety of mitigation steps starting with
isolating endpoints by disabling all network access on compromised endpoints except for traffic to
the Cortex XDR console, terminating processes to stop any running malware from continuing to
perform malicious activity on the endpoint, and blocking additional executions, before quarantining
malicious files and removing them from their working directories if the Cortex XDR agent has not
already done so.
Malware Protection:
To protect your organization against malware, you need a holistic, enterprise-wide malware
protection strategy. Commodity threats are exploits that are less sophisticated and more easily
detected and prevented using a combination of antivirus, anti-spyware, and vulnerability protection
features along with URL filtering and Application identification capabilities on the firewall.
Intrusion Detection and Prevention Systems (IDPS) Detection
Methodologies
IDPS technologies use many methodologies to detect attacks. The primary classes of detection
methodologies are signature-based and anomaly-based. Most IDPS technologies use
multiple methodologies, either separately or integrated, to provide broader and more accurate
detection. These methodologies are described in more detail below.
1. Signature-based Method:
A signature-based IDS detects attacks on the basis of specific patterns in the network traffic, such
as the number of bytes or the number of 1's or 0's in a packet. It also detects on the basis of
already known malicious instruction sequences used by malware. The patterns the IDS looks
for are known as signatures.
A signature-based IDS can easily detect attacks whose pattern (signature) already exists
in the system, but it is quite difficult for it to detect new malware attacks, as their pattern (signature)
is not yet known.
2. Anomaly-based Method:
An anomaly-based IDS was introduced to detect unknown malware attacks, since new malware
is developed rapidly. An anomaly-based IDS uses machine learning to build a model of
trusted activity; everything that arrives is compared with that model and is declared
suspicious if it does not fit the model. The machine learning-based method generalizes better
than a signature-based IDS, because these models can be trained for the particular
applications and hardware configurations in use.
Intrusion Prevention System (IPS)
Intrusion Prevention System is also known as Intrusion Detection and Prevention System.
It is a network security application that monitors network or system activities for malicious
activity. Major functions of intrusion prevention systems are to identify malicious activity, collect
information about this activity, report it and attempt to block or stop it.
An IPS typically records information related to observed events, notifies security administrators
of important observed events and produces reports. Many IPSs can also respond to a detected threat
by attempting to prevent it from succeeding. They use various response techniques, which involve
the IPS stopping the attack itself, changing the security environment or changing the attack's
content.
Classification of Intrusion Prevention System (IPS):
Intrusion Prevention System (IPS) is classified into 4 types:
1. Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing wireless networking
protocols.
3. Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows, such as
distributed denial of service attacks, specific forms of malware and policy violations.
4. Host-based intrusion prevention system (HIPS):
It is a software package installed on a single host that monitors that host for suspicious activity by
scanning the events that occur within it.
Anti Malware Software:
Anti-malware is software that protects the computer from malware such as spyware,
adware, and worms. It scans the system for all types of malicious software that manage to reach the
computer. An anti-malware program is one of the best tools to keep the computer and personal
information protected.
Difference between antivirus and anti-malware
Anti-malware is designed to eliminate malware from the computer. Although it has
similarities with antivirus, an anti-malware program is different from antivirus. An anti-malware
program has more advanced features and broader coverage. It addresses spyware, spam, and other
threats that antivirus doesn't.
Key Features of Anti Malware Protection
Now that we know what anti-malware is, let's look at its key features. An anti-malware
program usually contains advanced malware protection and sandboxing technology. Depending on
the software, features may vary. Comodo, for example, contains BOClean Anti-Malware Protection
Software. It's an advanced security feature that destroys malware as soon as it enters the computer.
Benefits of Anti Malware
Malware removal software has many benefits, particularly keeping your computer secure. But
that's not all anti-malware has to offer; you can benefit from anti-malware in many ways.
You're protected from hackers - hackers gain access to your computer through malware. With
anti-malware installed, you can browse the web safely.
Your privacy is protected - cyber criminals use your personal information to their advantage.
Anti-malware prevents any software that steals personal information from installing.
Your valuable files are secured - if malware and viruses are kept off the computer, you can be
assured that your data is protected.
Your software is up to date - nobody wants outdated software. Anti-malware keeps your
software updated. It will remind you if a new version or an update is available online.
Your computer is free of junk - anti-malware notifies you if junk files are consuming your
computer's memory, so you can free up some space. This eliminates useless files stored on your
computer.
Network-Based Intrusion Detection System (NIDS)
A Network Intrusion Detection System (NIDS) is one common type of IDS that analyzes
network traffic at all layers of the Open Systems Interconnection (OSI) model and makes decisions
about the purpose of the traffic, analyzing it for suspicious activity. Most NIDSs are easy to deploy on
a network and can often view traffic from many systems at once. A term becoming more widely
used by vendors is "Wireless Intrusion Prevention System" (WIPS), which describes a network device
that monitors and analyzes the wireless radio spectrum in a network for intrusions and performs
countermeasures. A NIDS monitors network traffic for particular network segments or devices and
analyzes the network and application protocol activity to identify suspicious activity. It can identify
many different types of events of interest. It is most commonly deployed at a boundary between
networks, such as in proximity to border firewalls or routers, virtual private network (VPN) servers,
remote access servers, and wireless networks. A NIDS is also called a passive IDS, since this kind
of system informs the administrator that an attack has taken place or is taking place, and it is then
the administrator who takes the measures needed to secure the system. The aim is to report the
intrusion so that a system capable of reacting can respond afterwards. Reporting the damage alone is
not sufficient; the IDS should also be able to react and block the detected suspicious traffic. These
reaction techniques are what characterize an active IDS.
Network-based Intrusion Prevention System (NIPS)
A network-based intrusion prevention system (NIPS) is a system used to monitor a network
as well as protect the confidentiality, integrity, and availability of a network. Its main functions
include protecting the network from threats, such as denial of service (DoS) and unauthorized usage.
The NIPS monitors the network for malicious activity or suspicious traffic by analyzing the
protocol activity. Once the NIPS is installed in a network, it is used to create physical security zones.
This, in turn, makes the network intelligent and quickly discerns good traffic from bad traffic. In
other words, the NIPS becomes like a prison for hostile traffic such as Trojans, worms, viruses, and
polymorphic threats.
An intrusion prevention system (IPS) sits in-line on the network and monitors the traffic.
When a suspicious event occurs, it takes action based on certain prescribed rules. An IPS is an active
and real-time device unlike an intrusion detection system, which is not inline and is a passive device.
IPSs are considered to be the evolution of the intrusion detection system.
NIPSs are manufactured using high-speed application-specific integrated circuits (ASICs) and
network processors, which are used for high-speed network traffic since they are designed to execute
tens of thousands of instructions and comparisons in parallel, unlike a microprocessor, which
executes one instruction at a time.
The majority of NIPSs utilize one of the three detection methods as follows:
Signature-based detection: Signatures are attack patterns predetermined and preconfigured.
This detection method monitors the network traffic and compares it with the preconfigured
signatures so as to find a match. On successfully locating a match, the NIPS takes the next
appropriate action. This type of detection fails to identify zero-day threats. However, it
has proved to be very good against single-packet attacks.
Anomaly-based detection: This method of detection creates a baseline on average
network conditions. Once a baseline has been created, the system intermittently samples
network traffic on the basis of statistical analysis and compares the sample to the created
baseline. If the activity is found to be outside the baseline parameters, NIPS takes the
necessary action.
Protocol state analysis detection: This type of detection method identifies deviations
of protocol states by comparing observed events with predefined profiles.
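The signature-based, anomaly-based and protocol-state methods listed above (and in the IDPS methodologies section earlier) as an added example; this is not code from these notes. The packet records, the two signature patterns and the three-sigma threshold are constructed assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed packet records: (second, src_ip, tcp_flags, payload). All values are made up.
def make_normal_traffic():
    """Baseline traffic: one client sending one to three HTTP requests per second."""
    pkts = [(0, "10.0.0.5", "S", b"")]
    for sec in range(1, 11):
        for _ in range(1 + sec % 3):
            pkts.append((sec, "10.0.0.5", "PA", b"GET /index.html HTTP/1.1\r\n"))
    return pkts

OBSERVED = [
    (20, "10.0.0.5", "S", b""),
    (20, "10.0.0.5", "PA", b"GET /index.html HTTP/1.1\r\n"),
    (21, "10.0.0.5", "PA", b"GET /about.html HTTP/1.1\r\n"),
    (21, "10.0.0.9", "S", b""),                                        # handshake, then a
    (21, "10.0.0.9", "PA", b"GET /item?id=1' OR 1=1 HTTP/1.1\r\n"),    # signature match
    (22, "10.0.0.13", "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),   # payload with no SYN first
] + [(23, "10.0.0.77", "S", b"")] * 40                                 # 40 SYNs in one second

# Signature patterns are constructed for this example, not taken from any real ruleset.
SIGNATURES = {
    "sqli-or-1eq1": re.compile(rb"'\s*OR\s*1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

def signature_detect(packets):
    """Signature-based: (src_ip, signature name) for every payload matching a known pattern."""
    hits = []
    for _sec, src, _flags, payload in packets:
        for name, rx in SIGNATURES.items():
            if rx.search(payload):
                hits.append((src, name))
    return hits

def _counts_per_source_second(packets):
    counts = defaultdict(int)
    for sec, src, _flags, _payload in packets:
        counts[(src, sec)] += 1
    return counts

def build_baseline(packets):
    """Anomaly-based, step 1: mean and std deviation of packets per (source, second)."""
    values = list(_counts_per_source_second(packets).values())
    return statistics.mean(values), statistics.pstdev(values)

def anomaly_detect(packets, baseline, sigmas=3.0):
    """Anomaly-based, step 2: sources whose per-second count exceeds mean + sigmas * stdev."""
    mean, stdev = baseline
    threshold = mean + sigmas * stdev
    counts = _counts_per_source_second(packets)
    return sorted({src for (src, _sec), n in counts.items() if n > threshold})

def protocol_state_detect(packets):
    """Protocol state analysis: a source must not send TCP payload before its SYN was seen."""
    handshake_seen = set()
    violations = []
    for _sec, src, flags, payload in packets:
        if "S" in flags:
            handshake_seen.add(src)
        elif payload and src not in handshake_seen:
            violations.append(src)
    return violations

if __name__ == "__main__":
    base = build_baseline(make_normal_traffic())
    print("baseline mean/stdev:", base)
    print("signature hits:", signature_detect(OBSERVED))
    print("anomalous sources:", anomaly_detect(OBSERVED, base))
    print("protocol state violations:", protocol_state_detect(OBSERVED))
```

Note that the flood from 10.0.0.77 matches no signature and breaks no protocol rule; only the statistical baseline catches it, which is why the notes say most IDPSs combine methods.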
Host-based Intrusion Prevention Systems
A host-based intrusion prevention system (HIPS) is a system or a program employed to
protect critical computer systems containing crucial data against viruses and other Internet malware.
Starting from the network layer all the way up to the application layer, HIPS protects from known
and unknown malicious attacks. HIPS regularly checks the characteristics of a single host and the
various events that occur within the host for suspicious activities.
HIPS can be implemented on various types of machines, including servers, workstations, and
computers.
Understanding the Host-Based Intrusion Prevention System (HIPS)
A HIPS uses a database of system objects monitored to identify intrusions by analyzing
system calls, application logs, and file-system modifications (binaries, password files, capability
databases, and access control lists). For every object in question, the HIPS remembers each object's
attributes and creates a checksum for the contents. This information gets stored in a secure database
for later comparison.
The system also checks that protected regions of memory have not been modified.
Generally, it does not use virus patterns to detect malicious software but rather keeps a list of trusted
programs. A program that oversteps its permissions is blocked from carrying out unapproved
actions.
A HIPS has numerous advantages. First and foremost, enterprise and home users have
increased protection from unknown malicious attacks. HIPS uses a distinctive prevention approach that
has a better chance of stopping such attacks compared to traditional protective measures. Another
benefit of using such a system is that it removes the need to run and manage multiple security
applications to protect PCs, such as anti-virus, anti-spyware, and firewalls.
Security Information Management (SIM)
Security information management is the process of gathering, monitoring and investigating
log data in order to find and report suspicious activities on a system. This process is automated
by security information management systems or tools.
Log data is simply a set of files that record whatever happens on the system. These
files (records) hold information about system activities such as running applications, services and
errors that occurred. That is what security log data is.
From security log files, one can learn the IP address of the system, its MAC or internet
address, login data and the status of the system. If such details fall into the wrong hands, they
might be used destructively. This is one of the major reasons behind the birth of security information
management.
But where does SIM obtain log data from?
The log data is collected from various sources such as firewalls, intrusion detection
systems, antivirus software, proxy servers, file systems, etc. Based on the data gathered from all
these sources, security information is monitored and maintained.
That is what the SIM system does and how it does it. Security management is
categorized into three segments. One of them is SIM. Another is SEM (Security Event
Management), which deals with real-time monitoring and alerting the admins whenever it detects
certain events occurring in the network activity. The last one is the fusion of SIM + SEM = SIEM
(Security Information and Event Management). These days, businesses mostly prefer the combined
power of SIEM tools.
What exactly do SIM systems do?
SIM systems keep track of system events as they happen and show analytics of that activity.
They then translate the event data gathered from many sources into a common, simplified
format. Usually, the data is translated into an XML file.
SIM systems collect and correlate data from various sources in a way that helps
administrators distinguish real threats from false positives on the system. False positives
are events that seem to be a major threat but in reality are not.
As soon as suspicious activity occurs, the SIM tool responds to the event by sending alerts to
the organization's administrators and by generating reports and graphical representations such as
charts and graphs.
The reports generated by SIM systems are typically used to:
1. Detect unauthorized access as well as modifications to files and data breaches.
2. Identify data trends that business organizations can potentially leverage for their
progression.
3. Identify network behavior and assess performance.
The SIM tool (system) acts as a software agent which sends reports about the events to a
centralized server, through which admins are kept updated. That is all about Security
Information Management.
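The normalization into a common format, the XML translation and the real-threat-versus-false-positive triage described above, as an added example that is not part of these notes. It assumes three constructed log formats (a firewall, an SSH auth log and an IDS), a failed-login threshold of three, and treats repeated failures as corroborated when a second sensor also reported the same source.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed log lines in three made-up formats: (source name, raw line).
RAW_LOGS = [
    ("firewall", "2024-01-15T10:00:01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22"),
    ("auth", "2024-01-15T10:00:03 sshd: Failed password for admin from 203.0.113.9"),
    ("auth", "2024-01-15T10:00:04 sshd: Failed password for root from 203.0.113.9"),
    ("auth", "2024-01-15T10:00:05 sshd: Failed password for admin from 203.0.113.9"),
    ("auth", "2024-01-15T10:00:06 sshd: Accepted password for alice from 10.0.0.22"),
    ("ids", "2024-01-15T10:00:07 ALERT sig=TEST-SIG-1 src=203.0.113.9 dst=10.0.0.5 prio=2"),
    ("auth", "2024-01-15T10:00:08 sshd: Failed password for bob from 10.0.0.22"),
    ("auth", "this line is garbage and will be rejected by the parser"),
]

# One regex per source format; the named groups become fields of the common event.
PARSERS = {
    "firewall": re.compile(r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=\S+ dport=\d+$"),
    "auth": re.compile(r"^(?P<ts>\S+) sshd: (?P<action>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"),
    "ids": re.compile(r"^(?P<ts>\S+) ALERT sig=(?P<sig>\S+) src=(?P<src>\S+) dst=\S+ prio=(?P<prio>\d)$"),
}

def classify(source, f):
    """Map each source's own vocabulary onto a common category and severity (0 info .. 5 high)."""
    if source == "firewall":
        return ("blocked", 1) if f["action"] == "DENY" else ("allowed", 0)
    if source == "auth":
        return ("auth_failure", 2) if f["action"] == "Failed" else ("auth_success", 0)
    return ("ids_alert", 5 - int(f["prio"]))   # IDS prio 1 is the most severe

def normalize(source, line):
    """Translate one raw line into the common event format, or None if it cannot be parsed."""
    m = PARSERS[source].match(line)
    if not m:
        return None
    f = m.groupdict()
    category, severity = classify(source, f)
    return {"timestamp": f["ts"], "source": source, "src_ip": f["src"],
            "user": f.get("user", ""), "category": category, "severity": severity,
            "detail": f.get("sig", "")}

def normalize_all(raw_logs):
    events = [normalize(src, line) for src, line in raw_logs]
    return [e for e in events if e is not None]   # unparseable lines are dropped here

def to_xml(events):
    """Serialize the normalized events into the XML form the notes mention."""
    root = ET.Element("events")
    for e in events:
        ET.SubElement(root, "event", {k: str(v) for k, v in e.items()})
    return ET.tostring(root, encoding="unicode")

def correlate(events, failure_threshold=3):
    """Flag sources with repeated login failures (possible password guessing) and mark
    them corroborated when a firewall block or IDS alert names the same source."""
    failures = defaultdict(int)
    other_sensors = defaultdict(set)
    for e in events:
        if e["category"] == "auth_failure":
            failures[e["src_ip"]] += 1
        elif e["category"] in ("blocked", "ids_alert"):
            other_sensors[e["src_ip"]].add(e["source"])
    alerts = []
    for ip, n in failures.items():
        if n >= failure_threshold:
            alerts.append({"src_ip": ip, "reason": "repeated failed logins", "failures": n,
                           "corroborated": bool(other_sensors[ip]),
                           "sensors": sorted(other_sensors[ip])})
    return alerts

if __name__ == "__main__":
    evts = normalize_all(RAW_LOGS)
    print(to_xml(evts))
    for alert in correlate(evts):
        print(alert)
```

The single failure from 10.0.0.22 stays below the threshold and raises nothing, which is the false-positive filtering the notes describe; the three failures from 203.0.113.9 are reported, with the firewall and IDS events attached as supporting evidence.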
System Integrity Validation
Many system problems are caused by a wrong software or hardware configuration, resulting from
incorrect installation, hardware or file system failure, or a software virus. Validation of the
software/hardware configuration is a must before system testing in development, during system
manufacturing and in field service.
Description
The Customizable System Integrity Check utility is used to validate the system's software/hardware
configuration. The utility provides a recovery recommendation if a problem is found.
The verification process is implemented in a number of stages. Each stage covers files with the same
verification type and the same recovery recommendation. The following validation types may be
used:
Permanent files check - files that do not change
Changeable files check - files that can change
Registry entries check for Windows platform
Custom software/hardware configuration check
Validation of the following file attributes is supported:
Ownership, timestamp and permissions
Checksum - for permanent files
Non-empty/non-zero content - for changeable files
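The checksum-and-attributes approach that both the HIPS description and the validation types above rely on, as an added example; this is not code from these notes nor from the utility they describe. The file names, the permanent/changeable split and the recovery recommendation strings are constructed.

```python
import hashlib
import os
import shutil
import stat
import tempfile

def file_attributes(path):
    """Ownership, permission bits, timestamp and size of one file."""
    st = os.stat(path)
    return {"owner": st.st_uid, "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "size": st.st_size}

def sha256_of(path):
    """Checksum used for permanent files, whose content must never change."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(permanent, changeable):
    """Record attributes for every monitored file and a checksum for the permanent ones.
    In a real deployment this database must live where an intruder cannot rewrite it."""
    db = {}
    for p in permanent:
        db[p] = {"type": "permanent", "attrs": file_attributes(p), "sha256": sha256_of(p)}
    for p in changeable:
        db[p] = {"type": "changeable", "attrs": file_attributes(p)}
    return db

def verify(db):
    """Compare the live files with the baseline; return (path, problem, recommendation) triples."""
    findings = []
    for path, rec in db.items():
        if not os.path.exists(path):
            findings.append((path, "missing", "restore from known-good installation media"))
            continue
        cur = file_attributes(path)
        for key in ("owner", "mode"):            # attribute stage: applies to every file
            if cur[key] != rec["attrs"][key]:
                findings.append((path, f"{key} changed", "restore ownership and permissions"))
        if rec["type"] == "permanent":           # permanent stage: content must match
            if sha256_of(path) != rec["sha256"]:
                findings.append((path, "checksum mismatch", "reinstall file from a trusted source"))
            elif cur["mtime"] != rec["attrs"]["mtime"]:
                findings.append((path, "timestamp changed", "investigate; content is intact"))
        elif cur["size"] == 0:                   # changeable stage: content may vary, never empty
            findings.append((path, "empty content", "check the service that writes this file"))
    return findings

def demo():
    """Create two files, baseline them, tamper with both, and return what the check reports."""
    d = tempfile.mkdtemp()
    try:
        binary, log = os.path.join(d, "app.bin"), os.path.join(d, "app.log")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF original program bytes")   # stands in for a program file
        with open(log, "w") as f:
            f.write("service started\n")
        db = build_baseline([binary], [log])
        clean = verify(db)                               # expected: no findings
        with open(binary, "wb") as f:
            f.write(b"\x7fELF patched program bytes")    # simulate a modified binary
        open(log, "w").close()                           # simulate a truncated log
        tampered = verify(db)
        return clean, [(os.path.basename(p), problem) for p, problem, _ in tampered]
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    print(demo())
```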
Applications and integration with other tools
System Integrity Utility is used for validation of system software/hardware configuration during
formal testing, manufacturing and system troubleshooting in the field.