Weak Attack Signals Your Legacy IDS Will Miss: Homoglyphs

Intrusion detection systems (IDS) have proven to be a highly effective and commonly used method of network-based threat detection. Unfortunately, an IDS still faces challenges when detecting more subtle, low-amplitude attack signals. Many modern attacks employ tactics that require more specialized or sophisticated detection methods than IDS can provide.

Organizations wishing to identify subtle attack signals must employ additional detection mechanisms or replace their legacy IDS with a more advanced solution. Homoglyphs, for example, are easily missed by IDS solutions.

What are Homoglyphs?

Homoglyphs (sometimes known as homographs) are a common method of deception used primarily in phishing attempts. In this type of attack, the attacker disguises their malicious domain, URL, or TLS certificate by using characters that appear identical to those used by the spoofed domain, URL, or TLS server name indication (SNI). Sometimes this is done by simply substituting similar-looking letters from the English alphabet — for example, a lowercase “g” for a lowercase “q”. An attacker might register “guickbooks.com” in an attempt to trick users into thinking they are being directed to “quickbooks.com.”

In more sophisticated cases, an attacker might substitute a character from another alphabet (represented by a different Unicode code point), which the network will see as a different character but which a user would not be able to distinguish. Compare the examples below to see how closely characters from completely different alphabets can resemble one another.

[Figure: an example of how Unicode characters from different alphabets can appear visually identical]

Homoglyphs are commonly used to spoof domain names, URLs, or even TLS certificates. Because of the vast number of Unicode characters and potential substitutions, the number of possible homoglyph combinations is essentially infinite. This makes detecting homoglyphs incredibly difficult without the right technology.

Why Can’t Your IDS Detect Homoglyphs?

To understand why the typical IDS cannot detect homoglyphs, we have to understand how an IDS works. An IDS uses a signature-based detection mechanism: it functions by comparing a packet to an explicit rule. This means that to trigger an alert, the IDS must see an exact match between network traffic and a pre-defined indicator of compromise, such as a known malicious IP address, an untrusted domain name, or any other explicitly identifiable characteristic.

While, technically speaking, rules could be written to detect certain commonly known instances of domain-spoofing homoglyphs, it is impractical to assume that a rule could be written for every possible instance of homoglyph usage. Even if it were possible to write that nearly infinite number of rules, the IDS would still be incapable of storing that many rules while also effectively checking traffic against them.

How Can Homoglyphs be Detected?

Homoglyph detection requires advanced functionality that the IDS simply does not possess: logic for Unicode decoding and comparison. In this method, there must be a database of commonly spoofed domains (such as the Alexa top 100 domain list paired with a custom list of known domains specific to the monitored network). When traffic moves through the network, it is checked against this list for similarity, and an alert is triggered if the estimated similarity is below a given threshold. Essentially, known and trusted domains are defined, and then an engine performs the computational logic that compares the domains seen in incoming traffic against those known and trusted or regularly spoofed domains.

An IDS solution such as Suricata actually gathers all the data needed to make homoglyph detection possible, as it generates transaction logs containing a robust set of metadata, but the analysis of this data must be conducted by a post-processing engine. By dedicating computing power to the inspection of key pieces of metadata (like URLs, domain names, and TLS SNI values), the logic engine can analyze the Unicode characters present in the serving domain and trigger alerts as needed. By using post-processing to do Unicode decoding and data analysis, the detection engine does not need to store countless rules the way an IDS would.
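As an added example (not code from the original post or from Stamus Networks), the post-processing pass described in the two sections above, run over constructed Suricata EVE JSON lines: it decodes punycode, folds look-alike Cyrillic letters with a small confusables map, and scores each observed domain against a known-domain list, catching both the “g for q” swap and a Cyrillic-letter substitution. KNOWN_DOMAINS, CONFUSABLES, the sample log lines, the last-two-labels rule and the 0.9 threshold are all assumptions made for the example.

```python
import difflib
import json
import unicodedata
# Known/trusted domains for the monitored network (constructed list).
KNOWN_DOMAINS = ["quickbooks.com", "paypal.com", "microsoft.com"]
# Minimal confusables map (Cyrillic -> Latin); a real engine would load the full Unicode table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u051b": "q"}
# Constructed EVE lines, not real traffic; Suricata logs IDNs in punycode (xn--).
IDN_SNI = "quickb\u043e\u043eks.com".encode("idna").decode("ascii")  # two Cyrillic U+043E
SAMPLE_EVE_LINES = [
    '{"event_type": "dns", "dns": {"rrname": "guickbooks.com", "type": "query"}}',
    '{"event_type": "tls", "tls": {"sni": "%s"}}' % IDN_SNI,
    '{"event_type": "http", "http": {"hostname": "login.quickbooks.com"}}',
]

def skeleton(name):
    """Fold a hostname to the Latin letters it visually resembles."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", name))

def extract_hostname(event):
    """Pull the server name out of a Suricata dns/tls/http EVE record."""
    kind = event.get("event_type")
    field = {"dns": "rrname", "tls": "sni", "http": "hostname"}.get(kind)
    return event.get(kind, {}).get(field) if field else None

def classify(hostname, threshold=0.9):
    """Return (verdict, spoofed_known_domain, similarity) or None if clean."""
    host = hostname.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # punycode -> Unicode
    except UnicodeError:
        pass  # already Unicode or malformed punycode: keep as-is
    host = ".".join(host.split(".")[-2:])  # assumption: registrable = last 2 labels
    if host in KNOWN_DOMAINS:
        return None
    folded = skeleton(host)
    for known in KNOWN_DOMAINS:
        if folded == known:  # identical only after confusable folding
            return ("unicode-homoglyph", known, 1.0)
        score = difflib.SequenceMatcher(None, folded, known).ratio()
        if score >= threshold:  # same-alphabet swap such as g for q
            return ("lookalike", known, round(score, 3))
    return None

def scan(lines):
    """Return (host, verdict, known_domain, score) for every suspicious EVE line."""
    hits = []
    for host in map(extract_hostname, map(json.loads, lines)):
        if host and (verdict := classify(host)):
            hits.append((host,) + verdict)
    return hits
```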

Conclusion

An IDS is designed to detect a multitude of different threat types, but the reality is that it is not effective when it comes to more nuanced attack signals like homoglyphs. Because phishing is an incredibly common attack tactic, it is important for organizations to ensure that they are taking proactive steps to defend against it. Relying on an IDS alone is not enough.

To ensure maximum visibility into network activity, an organization should employ detection solutions that provide more advanced detection capabilities. A modern network detection and response (NDR) platform could be the answer to the challenges and shortcomings faced by legacy IDS solutions. Stamus Security Platform (SSP) is a broad-spectrum and open NDR system that provides response-ready threat detection from multiple sources — machine learning, behavioral anomalies, stateful logic, and IDS signatures.

To learn more about how SSP detects homoglyphs and other phishing-related attack signals, read our articles “Threats! What Threats? Detecting Phishing with Stamus Security Platform” and “Hunting for Phishing Activity with Stamus Security Platform”.

