Intrusion detection techniques: monitor and react to unusual activity

Intrusion detection techniques: monitor and react to unusual activity

Look for typical traits of upcoming problems

Monitor wall

Security monitoring is a constantly changing area; the threats can appear at any moment; when there are so called 0-day threats, there are quite few techniques available to efficiently prevent an unknown yet type of problem.

However, there are typical behavior patterns that can be detected using well-known pieces of software and monitor types.

Most techniques mentioned below are related to Unix-like systems; however, exactly the same approaches can be used for every operating system.

Detect scanning and probing activity

When a known vulnerability gets known, all the services that can be potentially exploited are getting probed for possible weaknesses. In such cases, proactive logs analysis can provide much information on what is going on.

For example, typically crafted communication with mail servers; increased volume of brute force attacks and so on.

Talking of Web servers, that could result in raised amounts of calling possibly vulnerable URLs. Unless a Web Application Firewall (WAF) is used, watching Web server logs could help to detect a possible problem. If there are repeated attempt to pass data via known URLs, they should be inspected as soon as possible.

In such a case, Syslog monitor could be of help. Watching the analysis of a utility similar to logwatch can simplify detecting unusual activity.

Use existing intrusion detection systems (IDS)

There are well-known intrusion detection systems: both passive (should be run to find a possible problem – such as Aide) and active ones (also known as host-based IDS, HIDS), which monitor I/O activity and can raise an alert if something out of pattern is encountered.

HIDS similar to Snort can be used to trigger an alert (via syslog facility; again, Syslog monitor can be used to get warning in real time). Even if exact nature of a security breach isn’t known, HIDS can warn about a strange new pattern of activity. In such a case, attention should be paid immediately.

Passive IDS, such as Aide find changes in the system – i.e. new or changed files in areas not expected to host any changes – and report them. If there are new Cron jobs, new system services etc., they should be paid close attention to. Most known threats such as cryptominers often use self-reinstalling tricks of this kind, to stay active even if their main process has been stopped.

New or unusual process activity

When monitoring your systems, it’s a good idea to keep track of processes that can be using quite a lot of resources, even if for short duration.

Monitoring CPU load can be used to detect such an activity and run, in response to an alert, a script trying to analyze the origin of high load. If there’s a process not yet known to use many resources earlier, it’s a reason to investigate it as soon as possible.

Same type of checks can be applied to look for new user accounts, for higher than usual bandwidth usage – for any type of activity that is definitely out of pattern.

React to possible threats

As earlier stated, active response is preferable, other conditions equal. If a threat or possible intrusion is found, measure should be taken to stop the problem in its tracks, to isolate it or, at least, make it harder to spread. All typical security precautions (such as cutting Internet communications with probably compromised systems; shutting down the affected systems; preventing further connection from a system under attack etc) can be triggered in such a case.

Do you have technique(s) of your own, to prevent and/or handle possible security threats, by means of monitoring software? If yes, please share it with us, or comment this post below.