IPS/IDS

00:00

hi and welcome to a lesson to dot to 0.0.3. In this lesson, we're gonna talk about I ps and I DS systems. Now I P s stands for intrusion prevention system and idea stands for intrusion detection system

00:15

earlier. The difference between the two is kind of how it sounds. I ps is going to actually taken action. Intrusion prevention means it's going to take an action and actually prevent the intrusion where I D. S or intrusion detection system means. It's just going to detect the the intrusion, and it's going to alert the proper staff.

00:35

Now both ideas and I ps consume network traffic. So these things are devices that that they're actually they sit at the perimeter. They can actually sit internally on the internal network as well. But we're covering them in the perimeter section because very often they sit in the perimeter and they monitor the network traffic coming in and out of your environment.

00:53

They look for patterns in this traffic to determine if there's an anomaly in the actual way. The traffic looks in the

01:00

the pattern within the session itself.

01:04

Now they take actions based on threat feeds, so they can consume network traffic that can also skins consume threat feeds. And we'll show you how that happens here in just a minute. And that can taken action based on if there's a match in the Threat Feet

01:18

and I PS and ideas work on both the signature based an anomaly based detection methodologies. We covered this a little bit in previous sections during our malware section, where we talked a little bit about identifying malware. And there's the we talked about the

01:34

virus total solution that we when we do manual identification

01:38

where we're looking at a just an actual file, we can upload a file and we can see if there's if that particular file, the structure of that file itself, has been identified as malware. That's that's what we call signature based, right? So we is something that we know. We know what it looks like.

01:56

Does it match something else that we know exactly what it's looks like? And if so, that's a signature match

02:00

when we talk about anomalies, that's more of the sand boxing technology that we talked about, where we're looking at how this thing behaves, and we're seeing if the behavior of whatever it is we're looking at is showing signs or anomalies or certain things that could be suspicious. And then we can put that together on DSA. Say that if there's enough of those, it's suspicious.

02:21

So signature base is something that we know

02:23

anomaly basis, something that we suspect and we can put it all together.

02:27

I ps and I. D s work on both methodologies.

02:31

So let's take a look at some basic ideas functionality. We're talking about intrusion detection systems. So, first of all, intrusion detection systems, As I said, just like I ps, they consume network traffic.

02:44

But the main thing to point out with an idea system is that that network traffic doesn't actually have to pass through the idea system. The intrusion detection system can use a span poured in the environment or a tap or some other passive mechanism to collect the network traffic.

03:00

We can take a copy of the network traffic and we can send it to the I. D s.

03:04

The traffic doesn't actually have to pass through and ideas to determine if something's malicious because we're just detecting. We're not trying to take any action on it,

03:13

but so as the ideas is collecting that network traffic. It's also ingesting these threat feeds and a threat. Feet is basically just a list of, you know, suspicious I P addresses or domains or specific network patterns, or anything like that related to network traffic that looks suspicious can be a threat feed.

03:30

Now that feeds could be a lot of different flavors, you could have a manual list that you create in the ideas itself. That's a threat. Feet. You know, maybe you have a threat hunting team in your organization, and they're going out there scouring the dark Web every day, and they're finding new threats or new patterns that Attackers use.

03:49

They can manually input that into a threat feet in the idea system, and that could be

03:53

considered a feed.

03:53

You can also have external feeds that can be consumed on a real time basis there, and even the external fees are both open source and paid. You can have these open source feeds that are just, you know, the larger security community has put together a list of things that have been seen out there in the community that are suspicious,

04:13

or you could have a paid threat feed where you're actually paying a price

04:16

to consume. Ah, more specific threat feed. And generally, the differences between the open source threat feeds and the pain threat feeds are the pain. Pet threat feeds are gonna give you higher fidelity.

04:27

You know, sometimes there's a lot of there's a lot of false positives with the open source threat feeds because they haven't been fully vetted. Or, you know, maybe stale entries in that feed never get taken out there. Open source, right? There's not a not a private company.

04:41

It was getting paid to maintain them, so they're gonna maintain them less than than it would with an actual threat. Feed

04:46

a lot of times. Also, with the paid threat feeds, you get a lot more granular in the weeds you have. You have reach researchers whose entire job it is to go out and find new threats, and Adam to that threat feeds. You're gonna get a lot more information and a lot more down in the weeds type of detection techniques,

05:06

anyway, the ideas is consuming network traffic, and at the same time it's consuming the threat feeds, and it's looking for matches. When the network traffic matches something in one of those known threat feeds. And there's a policy on the idea system that says, you know, when we get a match against our actual threat network traffic and a threat feed,

05:25

we're gonna alert the security team toe. Let them know this is something that might be suspicious.

05:30

You need to go look at it a little bit further

05:32

now with an I P s, which is intrusion prevention system. It works much the same way. Except this time, instead of being able to tap into a threat, feed the actual I'm sorry, the traffic, the number traffic has to actually pass through the i PS device.

05:48

So in an I. D s device and intrusion detection, we can either tap into that network traffic or we can pass it through ideas you can do either or in an I. P. S. The traffic has to pass through that device because we're gonna take some action on that traffic, and we need to be in line with the traffic in order to take that action.

06:06

So same kind of a situation as the network traffic passes through the I PS devices, consuming those threat feeds just like an ideas device would do. And there's an internal policy just like an ideas device. But this time, instead of just alerting the security team, we can actually taken action, weaken block that network traffic and not let it pass whenever we have a match.

06:27

And we can also alert to security team

06:30

so every I P s device is also an idea. So you think about it as a hierarchy. I ds is detection Onley or I. P s is always gonna be detection and prevention because you have to be able to detect something before you can prevent it.

06:46

Let's take a harder look at signature based detection verse versus anomaly based detection

06:51

with signature based detection. As I said before, it's something that we know. It's a known bad thing in the environment. So a signature based detection Let's assume we have some network traffic passing through our I. P s device in this case intrusion prevention system.

07:05

And when we when we strip out the header information from this traffic, we see that the source domain is abc mauer dot com.

07:15

The destination port is 58 40 and the http method is put

07:19

now in the case of this is not a real example. By the way, this is just a visual representation. But in the case of this particular traffic, let's say perhaps one of our threat feeds. It detects a match. So one of our threat feeds says you know what it detects. We knew one of our threat fees may be a paid threat, Feed said.

07:39

We've seen some activity out there in the wild. Where ABC mauer dot com is trying to make connections on Port 58 40.

07:45

The http put and that's a known that some known threats. So we're gonna add it to our feed. And since there was a match on our feet, weaken, block that traffic right away.

07:55

That was we took every part of that piece of network traffic, and we we looked at it as an entire comprehensive pattern, and that pattern matched one of our feet. So that's a signature detection, because it's something that we knew was bad. We saw it. We blocked it right away

08:11

with anomaly detection. Let's say we have that same flow coming through, and this time, instead of us detecting, maybe there none of our feeds detected that full pattern as something bad. But perhaps each one of our feeds detected. A little piece of that is something that might be suspicious.

08:28

Maybe one feed says. You know what ABC mauer dot com is? It is a suspicious domain.

08:33

And another feed said Destination Port 58 40 is a suspicious port. And another one said http method put is a suspicious method. Not that it is. But if you know again, it's just an example that the point is is that we have different feeds and and we see that each little piece of that traffic might have

08:52

pinned on a different piece of threat intelligence

08:54

or a different piece of threat feeds from from different sources.

08:58

And in our policy on the internal I. P s determines some threshold and says, You know, when we have enough of these things that look suspicious, we want to block that traffic or we want to alert and we want to take whatever action it is that we're gonna take.

09:11

The one thing I'll say about I PS devices is that essentially wraps up anomaly detection. The differences between signature a signature we know the entire pattern anomaly. We get these bits and pieces of it that looks suspicious, and then we have some policy that has a threshold that says whenever we meet that threshold, we're gonna taken action.

09:30

But one thing I want to say about I PS devices before we wrap up here is you can see that I PS devices would would take a lot of tuning. There's a lot of false positives, particularly when we're talking about the anomaly detection, right, Because

09:43

there's a lot we can have a lot of different threat feeds, and not all of them are high fidelity. Some of them may be stale, especially for using open source,

09:52

so we don't want to necessarily just deploy an I. P. S device in our environment and right off the gate have this really restrictive policy where we're blocking anything that has more than two or three suspicious artifacts within it, because you can see how well actually cause issues for our environment. Maybe we have a business application that functions

10:11

from a specific domain on a specific port with a specific method.

10:15

We don't know that because an i t. We don't always know about every single application in the environment.

10:20

So the best way to do this is to put the I PS device in place and put it in a monitor only state for a while. Maybe instead of the action being blocking, maybe the action is alert and we just alert the security team. We even have to be careful with that, though, because in the very beginning, when we turn it on

10:35

way, maybe it's just flooded with alerts and in the security teams not reacting to real things because they're just they're chasing red herrings all the time.

10:43

So the best thing with an I. P s devices to put it in a monitor only state and then pull reports from it and take a look at those reports. And over time, as you develop a baseline of what your environment looks like, then you can start putting in blocking policies as you start to get more and more confident

11:00

that those patterns are those anomalies actually are malicious.