
Top 10 Intrusion Alerts

Hello - I'd like to know what people think are the most valuable types of intrusion threats and attacks to monitor and look out for, please. We are considering using intrusion detection and prevention, so we would like to understand what the main threats and attacks are that we will be looking out for.

Thanks

Comments

RE: Top 10 Intrusion Alerts

It depends on your environment, what you are protecting and where the device is placed. OWASP and SANS are good resources. The systems will come with various configuration options and add-ons and will need a lot of tuning to the specific environment to get the best from them. It's also a good idea to monitor outgoing traffic, as that will identify botnets and other signs of malware infections and potentially breaches. Some can detect and/or prevent malware.
MilfordLively at 5/22/2014 4:21:47 AM

RE: Top 10 Intrusion Alerts

I would suggest doing a little reading and research on Advanced Persistent Threats (APT). Trend Micro has a decent whitepaper, "Detecting APT Activity with Network Traffic Analysis". I am just getting into this area as well. Usually books on penetration testing will also suggest top priorities to monitor for.
Louis345Lively at 1/28/2015 2:27:56 PM

RE: Top 10 Intrusion Alerts

Hi Martin,

***************************************************************************
(I'd written the detail below before realising your post is now extremely dated, despite it appearing near the top of the IPS discussion forum in December 2015!  Given I'd written out a response and in the hope it might be of use to others treading the same path, I've decided to share my comments anyway.)
***************************************************************************

A number of the larger vendors of IPS blades/modules will have a predefined list of attack traffic signatures and patterns that are supplied with the system. The signatures/filters/patterns are frequently updated by the vendor, so they need to be updated by the organisation buying the device on an ongoing basis.

To that end, the IPS is similar to many other security tools considered by IT management teams. Deciding to buy one is great and will deliver benefit, but is only the first step. As referenced by Milford above, the management team needs to invest in tuning/configuration, but the upkeep of the device(s) and monitoring of the alerts being raised must also be considered and funded to really gain from its presence. It needs TLC over its useful life; otherwise it becomes less and less effective each and every month.

There are design considerations that must be worked through, including the location(s) of the IPS within the network, and what traffic passes through it/them.  You don't want to create a cottage industry, particularly when you're starting up a new service/technical stream, but you do absolutely want to have management-approved, funded time to get the most from it and for staff to act appropriately on alerts raised.

To answer your question specifically ("the most valuable types of intrusion threats and attacks to monitor?"):

The intrusions attempted will often relate in some way to the location of the IPS, but will typically include vulnerability tests, exploitation of published vulnerabilities, efforts to capture system files, SQL injection traffic, cross-site scripting attacks and many others. The ability to tune the system to look for other attack traffic, specific to your own industry/company, is also very useful.

Lastly (and particularly given the time since your original post), we shouldn't forget client-side IPS, i.e. HIPS. Attack prevention at the perimeter is worthwhile, without a shadow of a doubt, but we can't realistically ever expect preventative controls to work all the time... so we need to consider IPS within the LAN and on client machines: not just those used in locations offering untrusted wifi, but on desktops too. The endpoint is our last line of defence.

[I make deliberate references to IPS, not IDS.  IMHO, IDS can be useful but can involve considerable additional spend in the service wrap and ongoing management of bad traffic - IPS is where the real value comes.]

GlynLively at 12/1/2015 7:39:24 AM
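Two practical points run through this thread: Milford's advice to watch outgoing traffic for signs of botnet activity, and Glyn's list of what inbound signatures typically cover (vulnerability probing, SQL injection, cross-site scripting, attempts to pull system files), together with the warning that the device only earns its keep once it is tuned to the environment. The Python below is an added illustration of how such an alerting pass works over log lines; it is not code from this thread or from any vendor's IPS. The signature regexes, the egress allow-list, the suppression entry for an authorised scanner, the beacon thresholds, and every log line, IP address and hostname are constructed for the example.

```python
"""Signature-plus-egress alerting over constructed log lines.

Added illustration only: not code from this thread or from any vendor IPS.
Two feeds are modelled:
  * inbound web requests, checked against a small tuneable signature set
    (vulnerability probing, SQL injection, cross-site scripting);
  * outbound connections, checked against an allow-list and for
    regular-interval 'beaconing' from one internal host to one destination.
Every rule, threshold, host name and log line here is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Alert:
    kind: str      # rule or behaviour that fired
    source: str    # client IP (inbound) or internal host (outbound)
    detail: str    # decoded request or destination, for the analyst


# ---- inbound: signature rules applied to the URL-decoded request target ----
INBOUND_RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|onerror\s*=|onload\s*=)")),
    ("file_probe", re.compile(r"(\.\./){2,}|/etc/passwd|\bwin\.ini\b")),
]
# Tuning: sources whose probing is expected, e.g. the authorised vulnerability scanner.
INBOUND_SUPPRESS_SRC = {"10.0.5.9"}

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD target proto", status
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def scan_inbound(lines):
    """Return one Alert per request that matches a signature (first rule wins)."""
    alerts = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m or m["src"] in INBOUND_SUPPRESS_SRC:
            continue
        decoded = unquote_plus(m["target"])   # match on what the application will see
        for name, rx in INBOUND_RULES:
            if rx.search(decoded):
                alerts.append(Alert(name, m["src"], decoded))
                break
    return alerts


# ---- outbound: allow-list plus beacon detection ----
OUTBOUND_ALLOW = {"updates.example-vendor.test", "mail.example.test"}
BEACON_MIN_COUNT = 4     # connections needed before the interval is judged
BEACON_JITTER_SEC = 5    # spread between shortest and longest gap still counted as regular


def scan_outbound(records):
    """records: iterable of (epoch_seconds, internal_host, destination_host)."""
    alerts = []
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    for (src, dst), times in sorted(by_pair.items()):
        if dst in OUTBOUND_ALLOW:
            continue                          # known-good destination, tuned out
        alerts.append(Alert("egress_unlisted", src, f"{dst} ({len(times)} connections)"))
        if len(times) >= BEACON_MIN_COUNT:
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= BEACON_JITTER_SEC:
                alerts.append(Alert("beacon", src, f"{dst} every ~{round(sum(gaps) / len(gaps))}s"))
    return alerts


# ---- constructed sample input ----
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/Dec/2015:07:39:24 +0000] "GET /login.php?user=admin%27+OR+%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2015:07:39:25 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 77',
    '198.51.100.4 - - [01/Dec/2015:07:40:01 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0',
    '10.0.5.9 - - [01/Dec/2015:07:41:00 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0',   # authorised scanner
    '192.0.2.10 - - [01/Dec/2015:07:42:13 +0000] "GET /products?id=42 HTTP/1.1" 200 2048',
]
SAMPLE_OUTBOUND = [   # (epoch seconds, internal host, destination)
    (1448955600, "ws-17", "updates.example-vendor.test"),
    (1448955660, "ws-17", "chk.example.invalid"),
    (1448955720, "ws-17", "chk.example.invalid"),
    (1448955780, "ws-17", "chk.example.invalid"),
    (1448955840, "ws-17", "chk.example.invalid"),
    (1448955900, "ws-17", "chk.example.invalid"),
    (1448955650, "ws-03", "mail.example.test"),
    (1448955700, "ws-03", "cdn.example.invalid"),
]

if __name__ == "__main__":
    for a in scan_inbound(SAMPLE_ACCESS_LOG) + scan_outbound(SAMPLE_OUTBOUND):
        print(f"[{a.kind:15}] {a.source:12} {a.detail}")
```

The two tuning sets are the point of the example: empty `INBOUND_SUPPRESS_SRC` and the authorised scanner raises a file_probe alert on every scan, and empty `OUTBOUND_ALLOW` turns every update check and mail delivery into an egress alert. That flood is what an untuned device produces, and it is why the thread stresses funded time for configuration and for acting on what is left once the noise is removed.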