ABSTRACT
Cyber attacks constitute a significant threat to organizations, with consequences ranging from economic to reputational and legal. As cybercriminals' techniques grow more sophisticated, information security professionals face a greater challenge in protecting information systems. Network security plays a primary role in reducing an organization's cybersecurity risk. Accordingly, detecting and preventing cyber-attacks is of significant importance to businesses and organizations today. Alongside the other components of the defender's arsenal, organizations need robust intrusion detection systems (IDS) to protect their information systems.
How an IDS Works
Intrusion detection is an important countermeasure for most applications, especially client-server applications such as web applications and web services. Logging is an important aspect of intrusion detection, but it is best viewed as a way to record intrusion-related activity, not as the way to determine what is an intrusion in the first place. The vast majority of applications do not detect attacks at all; instead, they try their best to fulfill the attacker's requests.
Without intrusion detection, an attacker can keep attempting attacks until one succeeds. With intrusion detection, the attack can be identified long before a successful attempt is likely. It is not very difficult for a web application to identify some attack traffic. A simple rule of thumb is that if the traffic could not reasonably have been generated by a legitimate user of the application, it is almost certainly an attack. Once the IDS raises an alert and the attack is identified, the security professional can respond appropriately. Typically, this means logging the user off, invalidating their account, potentially recording information for the authorities, or patching the root-cause vulnerability.
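To make the rule of thumb concrete, here is an added example (not from the original article) of application-level detection: a hypothetical endpoint contract describes what the legitimate UI can send, anything outside it counts as an attack signal, and repeated signals from one client escalate from logging to invalidating the session. The route names, parameter checks, threshold and request records are all constructed for this example.

```python
from collections import Counter

# Constructed contract for each route: the only HTTP methods and parameters the
# legitimate UI ever sends, plus a shape check for each parameter (hypothetical).
ENDPOINTS = {
    "/account/view": {"methods": {"GET"}, "params": {"id": str.isdigit}},
    "/login": {"methods": {"POST"},
               "params": {"user": str.isalnum, "pw": lambda v: len(v) <= 128}},
}
INVALIDATE_SESSION_AT = 3  # hypothetical policy: signals per client before lockout


def classify_request(req):
    """Return the reasons this request could not have come from the real UI
    (an empty list means it looks legitimate)."""
    spec = ENDPOINTS.get(req["path"])
    if spec is None:
        return ["unknown route"]
    reasons = []
    if req["method"] not in spec["methods"]:
        reasons.append(f"method {req['method']} not used by UI")
    for name, value in req["params"].items():
        if name not in spec["params"]:
            reasons.append(f"unexpected parameter {name!r}")  # forged/hidden field
        elif not spec["params"][name](value):
            reasons.append(f"malformed value for {name!r}")  # hand-edited URL
    return reasons


def detect(requests):
    """Count attack signals per client and decide the response for each:
    log the first few, invalidate the session once the threshold is reached."""
    signals = Counter()
    for req in requests:
        if classify_request(req):
            signals[req["client"]] += 1
    return {c: (n, "invalidate_session" if n >= INVALIDATE_SESSION_AT else "log")
            for c, n in signals.items()}


# Constructed request records standing in for an application access log.
SAMPLE = [
    {"client": "sess-a1", "method": "GET", "path": "/account/view", "params": {"id": "42"}},
    {"client": "sess-m9", "method": "GET", "path": "/account/view", "params": {"id": "abc"}},
    {"client": "sess-m9", "method": "GET", "path": "/account/view",
     "params": {"id": "7", "admin": "1"}},
    {"client": "sess-m9", "method": "POST", "path": "/account/view", "params": {"id": "7"}},
    {"client": "sess-b2", "method": "POST", "path": "/login", "params": {"user": "bob", "pw": "hunter2"}},
]
```

Running `detect(SAMPLE)` flags only the client that sent three requests the UI could never have produced, while the two legitimate clients generate no signal at all.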
In terms of the accuracy of an IDS, there are four possible states for each activity observed:
- A true positive is when the IDS identifies an activity as an attack and the activity actually is an attack. A true positive is a successful identification of an attack.
- A true negative is similar: the IDS identifies an activity as acceptable behavior and the activity actually is acceptable. A true negative is successfully ignoring acceptable behavior.
Neither of these states is harmful, as the IDS is performing as expected.
- A false positive is when a file or item is marked as malicious but in fact isn't.
- A false negative is the opposite: a malicious file or item is labeled as secure and clean.
False positives and false negatives are errors in protection solutions that fail to label files and items correctly. Because they are so important, let's look at these two in a little more detail.
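The four states can be tallied directly. The following added example (not from the original article) scores a constructed stream of IDS verdicts against ground truth, derives the false-positive and false-negative rates, and projects the daily alert load those rates imply; the event list and the daily volumes are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Confusion:
    """Tally of the four IDS outcome states for a stream of observed activities."""
    tp: int = 0  # alerted, and it really was an attack
    tn: int = 0  # silent, and the activity really was benign
    fp: int = 0  # alerted on benign activity (false alarm)
    fn: int = 0  # silent on an attack (missed detection)

    def record(self, alerted, is_attack):
        if alerted and is_attack:
            self.tp += 1
        elif not alerted and not is_attack:
            self.tn += 1
        elif alerted:
            self.fp += 1
        else:
            self.fn += 1

    def false_positive_rate(self):  # share of benign activity that raised an alarm
        return self.fp / (self.fp + self.tn) if (self.fp + self.tn) else 0.0

    def false_negative_rate(self):  # share of attacks that slipped through
        return self.fn / (self.fn + self.tp) if (self.fn + self.tp) else 0.0

    def precision(self):  # share of alerts that were worth an analyst's time
        return self.tp / (self.tp + self.fp) if (self.tp + self.fp) else 0.0


def score(events):
    """events: iterable of (alerted, is_attack) pairs; returns the filled tally."""
    c = Confusion()
    for alerted, is_attack in events:
        c.record(alerted, is_attack)
    return c


def daily_alert_load(benign_per_day, attacks_per_day, fpr, fnr):
    """Project the analyst queue at these rates. Even a small FPR over a large
    benign volume buries the few real alerts (the fire-alarm problem)."""
    false_alarms = benign_per_day * fpr
    true_alerts = attacks_per_day * (1 - fnr)
    total = false_alarms + true_alerts
    return {"false_alarms": false_alarms, "true_alerts": true_alerts,
            "precision": true_alerts / total if total else 0.0}


# Constructed verdicts for ten activities: (IDS alerted?, actually an attack?)
EVENTS = [(True, True)] * 3 + [(False, False)] * 5 + [(True, False)] + [(False, True)]
```

With the constructed stream, `score(EVENTS)` gives 3 TP, 5 TN, 1 FP and 1 FN; feeding a 1% false-positive rate and 100,000 benign events a day into `daily_alert_load` shows roughly a thousand false alarms surrounding a handful of true ones.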
False negative in information security
In the case of a false negative, a malicious file or item gained access to your system or network because your protection solution classified it as legitimate. Let's make a comparison using email.
Imagine that your company received an email with a virus or ransomware attached. Since you received the message, the email security solution your company uses obviously didn't detect the threat. But why didn't the email security solution issue an alert? How did the threat go unnoticed? The main cause of false negatives is a new threat, or, as we say, a zero-day attack.
That is, recent attacks are more difficult to combat, as cybercriminals are constantly searching for new ways to attack, lure, and deceive.
False positive in information security
As we have said, a false positive is a flaw in scanning and protection software: a legitimate activity is classified as an attack.
A false positive invariably results in a website, file, or item being quarantined, blocked, or deleted. At first, a false positive may not seem as harmful as a false negative, but think long term. What losses would you incur, for example, if your email protection solution blocked emails from new customers?
There is a good comparison between a false positive and a fire alarm. Imagine that the fire alarm went off and everyone ran, but it was nothing: a false alarm. Now count the time and energy spent on that process. That's why, in the long run, a false positive can be as harmful as a false negative.
The most common cause of false positives is the software identifying a signature or behavior of a file as similar to that of a threat, such as malware.
How to prevent false positives and false negatives
There are several approaches to reducing the number of false security alerts, including analyzing network traffic, enacting policies that reduce the opportunity for cyber-attacks, strengthening your overall security measures, and looking at how modern AI technology could help.
- Analyze Network Traffic
Look through your network logs for unfamiliar usernames, odd connection details, and suspicious trends in the duration and frequency of communication to uncover security threats the old-fashioned way. You may catch false negatives you would otherwise have missed, but this process is prone to human error and can become quite time-consuming.
- Limit Network Access on IoT Devices
As a matter of policy, consider limiting the network access of IoT devices. These devices have become common targets for cybercriminals looking for a way in, and they typically don't need much access to function properly. When IoT devices are restricted to the network access they need, your security software is more likely to recognize unusual behavior and should issue more accurate alerts.
- Use Web Application Firewalls
A large percentage of data breaches target web application vulnerabilities. While the commonly deployed web application firewall (WAF) can reduce these incidents, it can hog network resources when it is also relied on to weed out false negatives and false positives. The resulting slowdown can reduce the firewall's effectiveness in quickly alerting staff to genuine threats, or slow network traffic to an unacceptable level.
- Research Artificial Intelligence Solutions
Tackle the problems associated with false positives and negatives with modern AI advancements. Context-aware AI monitors your network to build a baseline understanding of your systems and how they are used. Equipping your network security team with a tool that helps them analyze emerging trends and widespread security threats will leave your company less vulnerable to actual breaches.
Final Thoughts
No Security Program is Perfect
While it is impossible to fend off every false positive and false negative, modern solutions built on modern technology can greatly reduce the number of alerts that need further investigation.
What was once a stressful, labor-intensive task can become a manageable, productive process.