In this article, you will discover:
- Definitions of ISO 27001 and Intrusion Detection Systems (IDS)
- Intrusion Detection System types, detection methods, and evasion methods
- Intrusion Detections requirements in ISO 27001
What’s ISO 27001?
ISO 27001 is the globally recognized standard for Information Security Management Systems (ISMS), providing companies of any size from all sectors with a systematic and structured approach to managing and protecting sensitive information.
It employs a Plan-Do-Check-Act (PDCA) cycle and provides a framework for organizations to:
- Identify and assess information security risks
- Implement control to mitigate risks
- Monitor and review the effectiveness of of those controls on an ongoing basis
More information about ISO 27001 can be found in this article.
What Is an Intrusion Detection System?
An Intrusion Detection System (IDS) is a device or software application that monitors a network for malicious activity, suspicious activity, or security policy violations. Some IDSs are capable of responding to detected intrusion upon discovery. These are classified as Intrusion Prevention Systems (IPS).
IDS Detection Types
IDSs come in various forms, from antivirus software to comprehensive monitoring systems that oversee network traffic. IDS categories differ in their placement within a system and the type of activity they monitor:
- Network intrusion detection systems (NIDS): analyze inbound and outbound network traffic, and are strategically positioned at key points in the network, typically just behind firewalls at the network perimeter to identify any potentially harmful traffic breaching the defenses.
- Host-based intrusion detection systems (HIDS): installed on specific endpoints like laptops, routers, or servers and monitor the activity occurring on that particular device. They typically operate by periodically capturing and comparing snapshots of critical operating system files, alerting security teams to any alterations or suspicious changes.
While NIDS and HIDS are the most common, security teams can employ other IDSs for specific needs:
- Protocol-based IDS (PIDS): monitor the connection protocols between servers and devices, commonly deployed on web servers to oversee HTTP or HTTPS connections.
- Application protocol-based IDS (APIDS): operate at the application layer and monitor application-specific protocols, such as between web servers and SQL databases to identify SQL injections.
- Hybrid IDS: combines two or more intrusion detection approaches, leveraging both system or host agent data and network information to provide a comprehensive view of the system’s security.
IDS Detection Methods
There are various IDS detection methods, with the two most common variants being:
- Signature-based: identifies potential threats by recognizing specific patterns, such as byte sequences in network traffic or known sequences used by malware. However, it’s incapable of detecting new attacks with no known patterns.
- Anomaly-based: utilizes machine learning to establish a baseline of normal network behavior and identifies deviations from this baseline, such as unusually high bandwidth usage or unexpected port openings. While effective at detecting unknown attacks like zero-day exploits, anomaly-based IDSs may produce false positives, flagging activities like legitimate user access to sensitive resources as potential threats.
IDS Evasion Techniques
Understanding how cyber criminals attempt to breach secure networks can provide insights into how they may circumvent IDS systems.
Common tactics employed to evade IDS detection include:
- Distributed denial-of-service (DDoS): Overwhelming IDS resources with malicious traffic from multiple sources to take them offline, allowing hackers to slip through undetected.
- Spoofing: Faking IP addresses and DNS records to mask the origin of traffic and make it appear legitimate.
- Fragmentation: Dividing malware or other malicious payloads into smaller packets to obscure their signatures and avoid detection. Hackers may strategically delay or send packets out of order to prevent the IDS from reconstructing them and identifying the attack.
- Encryption: Leveraging encrypted protocols to bypass IDS detection, particularly when the IDS lacks the corresponding decryption key.
- Operator fatigue: Generating a large volume of IDS alerts to overwhelm incident response teams, diverting their attention from real threats.
Why do we need Intrusion Detection?
Modern networked business environments require a high level of security to ensure safe and trusted communication of information between various organizations. An intrusion detection system acts as an adaptable safeguard technology for system security after traditional technologies fail. Cyber attacks will only become more sophisticated, so it is important that protection technologies adapt along with their threats.
Intrusion Detection for ISO 27001
Among the 93 controls outlined in ISO 27001:2022, Annex 8.20 Networks security and 8.21 Security of network services are particularly relevant to IDS requirements.
Annex A 8.20: “Network and network devices should be secured, managed and controlled to protect information in systems and applications.”
This Annex mandates the implementation of controls to safeguard information security within networks and to prevent unauthorized access to connected services.
Within network security management, two relevant controls concerning IDS are the Security of Network Services and Network Controls.
Network Controls
Like other types of security controls, network controls can be categorized into various types, depending on their primary function. Here are some control types that related to IDS:
- Preventive controls: aim to preemptively halt attacks or intrusions. Intrusion Prevention Systems (IPS), a type of IDS, are among such preventive controls. Other examples include Firewalls, Web Gateways, and physical isolation of network components.
- Detective controls: identify attacks or intrusions in progress or after they have occurred. Examples of detective controls include IDS, Log collection and review, Security Information and Event Management (SIEM) systems, and Antivirus software.
- Perimeter controls: strategically positioned to oversee all inbound and outbound network traffic. IDS/IPS is a typical perimeter control, providing an additional layer of defense by analyzing, restricting, or blocking suspicious or potentially malicious traffic permitted through the border firewall.
Security of Network Services
Network services security is ensured through the establishment of Network service agreements that outline relevant security parameters and requirements, including the deployment of firewalls and Intrusion Detection Systems (IDS). These agreements must be documented and signed to ensure adherence to security protocols.
Annex A 8.21: “Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored”.
Network services encompass systems operating on the ‘network application layer,’ including email, printing, or file servers, as well as infrastructure components like firewalls, Intrusion Detection System, gateway antivirus platforms, and connection services.
To enhance security, one recommended measure outlined in this Annex is to employ mechanisms that limit access to network services or applications, a task typically accomplished through the utilization of firewalls and IDS/IPS.
