The SANS Institute offers the article The History and Evolution of Intrusion Detection in its Reading Room. The article was published in 2001. It starts with the phrase „during the past five years…“. It is now 2013. Why is it important to examine the history of a technology which certainly is well established and widely deployed in information security? Well, first of all, even to this day many people have a problem with what intrusion detection really is. Detecting an intrusion is not the same as intrusion detection. Secondly, not everything marketed as an intrusion detection system really detects intrusions. How can this be? The answer can be found by attending Arron „Finux“ Finnon’s Historical Tour Of IDS Evasion, Insertions, and Other Oddities at DeepSec 2013. He will address the history of intrusion detection along the lines of the tricks used to overcome detection.
Modern information security is quite easy in theory. You get yourself some valuable digital assets, connect them to the network, add filters so no one except your trusted peers can access these assets, and you add a couple of magical black boxes that detect intrusions (they can even block intruders with a single flip of a switch). The black boxes are supported by the Elders of the Internet, a secret society that knows every single threat to every single piece of data mankind has to protect. A defender’s job is pure pleasure.
In practice the picture looks different. You still have your digital crown jewels, networks, security gadgets, and the problem of intrusion detection. But in real life not every intrusion can be easily detected. Detection systems can be evaded, and it can be done in a surprisingly effortless manner, depending on the implementation your attacker is up against. Intrusion detection signatures don’t catch all possible attack variations, or they are optimised to match only the „top 10“ attacks. Understanding what your magical black box is looking for and teaching it your individual threat profile is crucial for defence.
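To make the point about signatures missing variations concrete, here is an added example (not code from the talk or from DeepSec) that runs a handful of constructed HTTP request lines through a naive substring signature matcher and through one that canonicalises the request path first. The signatures, request samples and the `max_rounds` decoding budget are assumptions chosen for illustration.

```python
import urllib.parse

# Literal signatures a simple detector might look for in a request path.
SIGNATURES = ["../", "/etc/passwd"]

# Constructed sample request lines (not real traffic). The last three carry
# the same path in plain, percent-encoded and double-encoded form.
SAMPLE_REQUESTS = {
    "benign":  "GET /index.html HTTP/1.1",
    "plain":   "GET /../../etc/passwd HTTP/1.1",
    "encoded": "GET /%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "double":  "GET /%252e%252e%252fetc%252fpasswd HTTP/1.1",
}


def naive_match(request: str) -> bool:
    """Signature check on the raw bytes as they appear on the wire."""
    return any(sig in request for sig in SIGNATURES)


def request_path(request: str) -> str:
    """'GET /path HTTP/1.1' -> '/path'; method and version are not inspected."""
    parts = request.split(" ")
    return parts[1] if len(parts) >= 2 else request


def canonical_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the path stops changing or the round budget runs out.

    The budget matters: decoding only once leaves double-encoded input
    untouched, while decoding without a bound is a resource risk.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalized_match(request: str, max_rounds: int = 3) -> bool:
    """Signature check against the canonicalised path instead of the raw line."""
    path = canonical_path(request_path(request), max_rounds)
    return any(sig in path for sig in SIGNATURES)


def compare(max_rounds: int = 3) -> dict:
    """Return {sample_name: (naive_hit, normalized_hit)} for every sample."""
    return {name: (naive_match(r), normalized_match(r, max_rounds))
            for name, r in SAMPLE_REQUESTS.items()}
```

Running `compare(1)` and `compare(3)` side by side shows which samples each matcher catches and how the decoding budget alone decides the double-encoded case.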
Security experts know that detecting anomalies depends on knowing what your normal state looks like. The Quest for the Baseline™ is nothing new. Even outside the field of intrusion detection this is a very crucial question. Given the historical tour of evasions and other oddities, you will get a very clear picture of what intrusion detection looks like behind the scenes. Moreover, you will be able to question the promises of vendors, put them into perspective, and work on improvements of your defence capabilities. Make sure you are not surrounded by machines that go „Bing!“. You need to understand what’s really going on at your perimeter and on the inside network.
Arron’s talk is recommended for anyone connected to the Internet with a desire for protection. His talk is especially recommended for vendors developing and selling intrusion detection systems. Arron has published an announcement as well.