Wednesday, September 18, 2013

Getting Started on Intrusion Detection

If someone asked you for advice on what he or she should do first to get started on Intrusion Detection, what would you recommend?

Honestly, I would meet the question with another: what is meant by “to get started on intrusion detection”? I read this as a set of distinct scenarios, each of which needs to be addressed separately.

  • When I first read the sentence, the image it brought to mind was a home user looking to secure their own network for the first time. Technical experience is minimal, perhaps a help desk job; the existing host-based software consists of the operating system's built-in firewall and possibly an assortment of pre-loaded trial personal security products; the network is limited to a small handful of consumer, out-of-the-box operating systems.
  • Not too different a use case is an IT professional looking to add intrusion detection to an existing small business network. More machines, likely with Pro OS licenses, but a similar basic starting point.
  • My final use case is a significant departure from the other two. It focuses not on a network that is gaining intrusion detection, but on an asker attempting to break into the field of intrusion detection. They will be joining, or aspire to join, a mature network with entrenched intrusion detection components.

Given that the significant aspects of intrusion detection boil down to host-based monitoring, traffic monitoring, signature-based detection, and behavior anomaly detection, each of the above use cases needs to focus on specific pieces. The new home user needs to select and install off-the-shelf monitoring components, as detection cannot be done without the pieces in place. Host-based logging should be enabled, and a file-scanning security product can catch the low-hanging fruit of intrusion detection: recognizing known malicious code on disk. Installing Snort with a near-default configuration should be sufficient to get the network side started for a small home network, using its freely available community rule set for signature detection; the one setting worth changing before the first run is HOME_NET, so that the rules treat your own address range as the protected side rather than the outside. (Vacca, 2009, pp 64-65)

The new network admin will want to build up all the same components as the home user, while also adding behavior anomaly detection to the traffic and host logs. Unlike the home user, the administrator cannot personally vouch for every legitimate action on the network; thus, it is important to have tooling that establishes what normal looks like and points out which actions deviate from it.
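To make the two detection styles from the last two paragraphs concrete, here is an added example that is not code from the original post or from Snort. The first half applies a single Snort-shaped rule to a few constructed packets (the rule, its SID and the packets are all made up for this example, and the rule is evaluated by this script, not by Snort). The second half does the anomaly-detection job the admin needs help with: it counts sshd logins per hour from constructed auth-log lines, flags hours that sit more than two standard deviations above the 24-hour baseline, and names the source address behind the spike.

```python
"""Added example: signature matching plus a baseline anomaly check over logs.

Everything here (rule, packets, log lines, thresholds) is constructed for
the example and is not part of the original post.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# --- Signature-based detection (the home-user / Snort-style piece) ----------
# A deliberately tiny Snort-like rule, expressed as a dict. SID is hypothetical.
RULE = {
    "sid": 1000001,
    "proto": "tcp",
    "dst_port": 80,
    "content": b"/etc/passwd",
    "msg": "WEB-MISC /etc/passwd access attempt",
}

# Constructed packets: one benign HTTP request, one carrying the signature,
# and one on a port the rule does not cover.
PACKETS = [
    {"proto": "tcp", "dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "dst_port": 80, "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "dst_port": 22, "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
]


def match_rule(rule, pkt):
    """Return rule['msg'] if the packet matches proto, port and content."""
    if pkt["proto"] != rule["proto"] or pkt["dst_port"] != rule["dst_port"]:
        return None
    return rule["msg"] if rule["content"] in pkt["payload"] else None


def signature_hits(packets, rule=RULE):
    """List of (packet index, alert message) for every packet the rule matches."""
    hits = []
    for i, pkt in enumerate(packets):
        msg = match_rule(rule, pkt)
        if msg:
            hits.append((i, msg))
    return hits


# --- Behaviour anomaly on host logs (the small-business admin piece) --------
LINE_RE = re.compile(
    r"^\w{3} +\d+ (\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (\w+) from (\S+)"
)


def build_sample_log():
    """Construct syslog-style sshd lines: two accepted logins in each business
    hour (the baseline), plus a burst of ten from one address at 03:xx."""
    lines = []
    for hour in range(9, 18):
        for user, ip in (("alice", "10.0.0.5"), ("bob", "10.0.0.7")):
            lines.append(f"Sep 18 {hour:02d}:15:00 host1 sshd[412]: "
                         f"Accepted publickey for {user} from {ip} port 51022")
    for i in range(10):
        lines.append(f"Sep 18 03:{i:02d}:41 host1 sshd[900]: "
                     f"Accepted password for svc from 198.51.100.23 port 40001")
    # A failed attempt: parsed by nobody here, so it must not affect the counts.
    lines.append("Sep 18 03:05:00 host1 sshd[901]: "
                 "Failed password for root from 198.51.100.23 port 40002")
    return "\n".join(lines)


def logins_per_hour(log_text):
    """Counter of accepted sshd logins keyed by hour of day (0-23)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts


def anomalous_hours(counts, z=2.0):
    """Hours whose login count is more than z population std-devs above the
    mean of all 24 hours (quiet hours count as zero, which is what makes a
    night-time burst stand out). z=2.0 is an arbitrary example threshold."""
    values = [counts.get(h, 0) for h in range(24)]
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return [h for h in range(24) if (counts.get(h, 0) - mu) / sigma > z]


def top_sources(log_text, hour):
    """Counter of source addresses for accepted logins in the given hour,
    so the admin can see *who* caused the spike, not just that it happened."""
    sources = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(1)) == hour:
            sources[m.group(3)] += 1
    return sources


if __name__ == "__main__":
    print("signature hits:", signature_hits(PACKETS))
    log = build_sample_log()
    counts = logins_per_hour(log)
    for h in anomalous_hours(counts):
        print(f"hour {h:02d}: {counts[h]} logins, top source {top_sources(log, h).most_common(1)}")
```

The signature half is exact and cheap but only finds what a rule already describes; the anomaly half finds the 03:00 burst without knowing anything about it in advance, at the price of a threshold that has to be tuned against the network's real baseline rather than the nine business hours constructed here.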

Even though this write-up has gotten far longer than I had intended, there is the third, and far different, interpretation of the question: how to get started effectively utilizing an existing, mature intrusion detection setup. As stated by Kemmerer and Vigna, “Auditing your system is useless if you don’t analyze the resulting information.” (2002) Get comfortable with logs and traffic dumps, automating as much of the analysis as you can. In a large network with a mature set of intrusion detection tools running, you will have all the data you can handle to analyze. Learn the protocols of the traffic you are scanning so that your comments about the traffic can be more than just “it’s all Greek to me”, to use a Shakespearean idiom.
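As an added illustration of that last point (not code from the original post or from any tool it names), the following decodes a DNS query by hand from raw bytes, following the RFC 1035 header and label layout, and turns it into a one-line analyst note. The packet bytes are constructed in the example itself; the "long label" threshold of 30 characters is an arbitrary example value, not a standard.

```python
"""Added example: decode a DNS query from raw bytes and summarise it.

The packets are built inside this file; nothing here is from the original
post. Only uncompressed names are handled, which is all a plain query needs.
"""
import struct

LONG_LABEL = 30  # arbitrary example threshold for "worth a second look"


def parse_dns_name(data, offset):
    """Read an uncompressed DNS name (length-prefixed labels, RFC 1035 3.1)
    starting at offset. Returns (dotted name, offset after the root label)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_dns_query(data):
    """Parse the 12-byte header and the first question of a DNS message."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_dns_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),            # recursion desired
        "qdcount": qdcount,
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
    }


def build_query(txid, name, qtype=1):
    """Construct a standard query (QR=0, RD=1) for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)


def describe(data):
    """One analyst-readable line per packet, instead of a hex dump."""
    q = parse_dns_query(data)
    longest = max(len(label) for label in q["qname"].split("."))
    note = f" (label longer than {LONG_LABEL} chars: worth a second look)" if longest > LONG_LABEL else ""
    kind = "RESP" if q["is_response"] else "QUERY"
    return f"id={q['id']:#06x} {kind} qtype={q['qtype']} {q['qname']}{note}"


if __name__ == "__main__":
    for pkt in (build_query(0x1234, "www.example.com"),
                build_query(0x1235, "a" * 40 + ".example.com", qtype=16)):
        print(describe(pkt))
```

Once the fields have names, the note can say "a TXT query for a 40-character label" rather than pointing at a blob of bytes, which is the difference between a comment a reviewer can act on and one that is all Greek.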

Kemmerer, R. A., & Vigna, G. (2002). Intrusion detection: a brief history and overview. Computer, 35(4), 27-30.

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.


  1. My first question would be, what do you want to protect? The two prevailing theories are network defense and data defense, with the latter being more attainable and effective.

    Also, that text book is familiar to me. Are you pursuing a degree with UMUC?

    1. Oh great, make the initial question even more ambiguous!

      Yep. I think that book has been used for all three classes so far.