Intrusion detection systems (IDS) work very well at signature-based detection and at spotting explicit attack signals. But what happens when the attack signal is weak, low-amplitude, or subtle? Signals of this kind are easily missed by an IDS, because the IDS lacks the fundamental capability to analyze this type of activity.
Take anomalous behavior, for example. When a user, service, or host is not behaving normally, it could simply mean the system in question is malfunctioning. In many cases, however, anomalous behavior points toward something more dangerous: a user could be violating an internal policy, or worse, a malware actor could be present on the network. Unfortunately, these attack signals will be missed by your legacy IDS, and you will need to employ other countermeasures to detect them.
What is Anomalous Network Activity?
Simply put, anomalous behavior is any change in the established standard communication happening on a network. An anomaly could signal malware or another type of cyberattack. Further investigation could uncover network problems or equipment failure. Regardless, anomaly detection is important because it helps identify early attack signals that could be missed elsewhere while also giving greater visibility into the health and efficiency of your network.
Common detection methods, such as those used in a legacy IDS, focus on detecting known cyber threats and defined attack signals. Anomalous behavior, by contrast, is typically something that has never been seen on the network before. Any number of behaviors could be considered anomalous; it depends entirely on the baseline that has been set for what counts as “normal”. Some examples of potentially anomalous activity are as follows:
- new network clients and devices
- new network connections
- changed command structure
- unknown data packets
- previously unseen communications
- new protocol types between devices
- malware communication
Essentially, when something or someone on the network is not behaving in the way you expect it to behave or when something or someone is present on the network that you have never seen before, that should be considered an anomaly. IDS detection just isn’t capable of detecting this type of behavior.
Why Can’t Your Legacy IDS Detect Anomalous Network Activity?
There are two main reasons why your legacy IDS cannot detect anomalous behavior.
1. Legacy IDS does not maintain host state
2. Legacy IDS cannot track network activity over time
Traditional IDS uses signature-based detection. Traffic on the network must be compared against a library of explicit, predefined rules. When a traffic pattern matches a rule, an IDS alert is triggered. This type of detection does not work for anomalous behavior because it cannot maintain the host state and view all the relevant pieces of metadata over time. Maintaining state requires keeping track of the combination of original data plus any changes seen in that data over time. Your legacy IDS simply does not maintain the state of the hosts and their related metadata, preventing it from seeing the changes which could signal anomalous behavior.
How Can Anomalous Network Activity be Detected?
To detect anomalies, the detection system must have some way of maintaining the host state and then give the analyst a full view of the host’s activities over time. Your legacy IDS does generate much of this data, but it must be paired with the related logs and NSM data to get the full picture. Change cannot be tracked unless the detection engine provides a way to see how the host has behaved over a period of time.
There are three primary mechanisms that may be used to detect anomalous network activity using information gathered from the host state. The first is machine learning, which is becoming a popular method of anomaly detection. With machine learning, the system analyzes host data to learn what is “normal” activity. Deviations from “normal” are considered anomalous.
The second detection method is the use of statistical algorithms. These detection engines can locate previously unseen or otherwise unfamiliar network activity which could help signal an anomalous behavior.
Finally, proactive threat hunting is a common way analysts locate anomalous network activity. Using analysis tools, guided filters, or custom filters, a threat hunter can search through host data to find specific types of anomalies (such as users from non-IT departments performing advanced administrative processes).
Each of these mechanisms has its strengths and weaknesses. A mature security team uses all three to help its organization uncover anomalous network activity.
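To make the contrast concrete, here is a small added example (not SSP’s code or any product’s detection engine) of the stateful approach described above: each host gets its own baseline of peers, protocols, ports and byte volumes built during a learning period, and later flows are compared against that host’s own history. A per-flow signature check has no such memory and would see nothing unusual in any single record. The flow records, hosts and threshold are constructed for illustration.

```python
import statistics
from collections import defaultdict

Z_THRESHOLD = 3.0  # byte volumes this many standard deviations above the host's mean are reported
# Constructed flow records (not real traffic): time, source host, peer, protocol, destination
# port and bytes sent. Records with ts 1..5 form the learning period when learn_until=5.
FLOWS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 445, "bytes": 10000},
    {"ts": 2, "src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "dport": 443, "bytes": 5000},
    {"ts": 3, "src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 445, "bytes": 12000},
    {"ts": 4, "src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "dport": 443, "bytes": 5200},
    {"ts": 5, "src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 445, "bytes": 11000},
    {"ts": 6, "src": "10.0.0.5", "dst": "203.0.113.9", "proto": "tcp", "dport": 8443, "bytes": 11000},
    {"ts": 7, "src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 445, "bytes": 900000},
    {"ts": 8, "src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "dport": 443, "bytes": 5100},
    {"ts": 9, "src": "10.0.0.99", "dst": "10.0.0.20", "proto": "udp", "dport": 53, "bytes": 300},
]

class HostState:
    """Baseline for one host: the peers, protocols and ports it has used, and its byte volumes."""
    def __init__(self):
        self.seen = {"dst": set(), "proto": set(), "dport": set()}
        self.volumes = []

    def observe(self, f):
        """Compare one flow with the baseline, return the deviations, then fold it into the baseline."""
        reasons = []
        for key, label in (("dst", "peer"), ("proto", "protocol"), ("dport", "port")):
            if f[key] not in self.seen[key]:
                reasons.append("previously unseen %s %s" % (label, f[key]))
            self.seen[key].add(f[key])
        if len(self.volumes) >= 3:  # a z-score needs some history to be meaningful
            mean, sd = statistics.mean(self.volumes), statistics.pstdev(self.volumes) or 1.0
            z = (f["bytes"] - mean) / sd
            if z > Z_THRESHOLD:
                reasons.append("byte volume z=%.1f" % z)
        self.volumes.append(f["bytes"])
        return reasons

def detect_anomalies(flows, learn_until):
    """Replay flows in time order; flows with ts <= learn_until only build each host's baseline,
    later flows yield (ts, host, reason) for every deviation from that host's own history."""
    state, findings = defaultdict(HostState), []
    for f in sorted(flows, key=lambda x: x["ts"]):
        new_host = f["src"] not in state
        reasons = state[f["src"]].observe(f)
        if f["ts"] <= learn_until:
            continue
        if new_host:  # an empty baseline would flag everything, so report only the new client
            reasons = ["new network client"]
        findings.extend((f["ts"], f["src"], r) for r in reasons)
    return findings
```

Run on the constructed records with `learn_until=5`, the replay reports the new peer and port at ts 6, the volume spike at ts 7, and the never-before-seen client at ts 9, while the routine flow at ts 8 produces nothing; the same records examined one at a time, without host state, show no deviation at all.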
Not all anomalous behavior is dangerous, but maintaining visibility into the network to track these instances is important for the health and safety of your network. IDS simply lacks the capability to see these weak attack signals, but identifying them before they become a security risk keeps the network better protected. If you are solely using legacy IDS, then you run the risk of completely missing anomalous behavior on your network.
Stamus Security Platform (SSP) is a broad-spectrum and open network detection and response (NDR) system that provides response-ready threat detection from multiple sources — machine learning, behavioral anomalies, stateful logic, and IDS signatures. To learn more about how SSP uses insights from the host to detect anomalous behaviors, read our article “Host Insight Transformation with IDS Alert Metadata”.