Detect Network Intrusions

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify the importance of comprehensive network security monitoring.
  • Describe intrusion detection and prevention methods.
  • Explain the importance of adversarial testing.

Implement Comprehensive Network Security Monitoring

Imagine a king sleeping in bed in his castle. The king has many enemies who want to invade his kingdom. But the king sleeps well at night knowing he has fortified his castle with a strong wall and a wide moat. The king also has a watchman who guards the front gate to the castle and archers who patrol the front wall. But one night while the king sleeps, his son slips out a small door in the back of the castle and across a footbridge to visit a princess in a neighboring town. He leaves the back door unlocked, and a passing vagabond, seeing what he has done, sneaks into the castle undetected. The prince has left several of his jewels lying on his mantel, and the vagabond makes off with all of them.

[Image: a castle with high walls and a moat, with someone entering through a large crack in the castle wall.]

This story illustrates the importance of comprehensive monitoring. Hackers, just like the vagabond, look for the weakest link in an organization’s security chain. Strong perimeter defenses alone are not enough to protect a network. It’s critical to monitor all entry and exit points, to employ defense-in-depth (a series of defensive mechanisms layered to protect valuable data and information), and to monitor the traffic between internal network segments, so that a hacker who does get in has limited ability to pivot from one system to the next and extract precious resources. Network security engineers collect monitoring data, analyze it, and escalate indications of an intrusion. They try to monitor the entire network, which can be difficult in large organizations.

To help with these tasks, engineers use a central technology called Network Access Control (NAC) that detects unauthorized hardware as it connects to the network and alerts them. A NAC authenticates each connecting device or user against an identity and access management system, and it can accept, restrict, or deny access based on a set of parameters and policies. For example, if a guest tries to log on to a company’s network, a NAC may route them through a separate registration and authentication portal, preventing them from gaining anonymous access to the company’s most sensitive resources.

Network security engineers also rely on a security information and event management system (SIEM) to help them monitor network traffic. A SIEM performs the following functions.

  • Combines outputs from multiple sources to provide alerts that help direct the network security engineer’s attention to abnormal network activity.
  • Aggregates logs (records of transactions and events) from intrusion detection and prevention systems (referred to as IDPS, which you learn more about later), firewalls, and other devices on the network.
  • Helps an engineer monitor network flow records (NetFlow) for Internet Protocol (IP) traffic, which summarize who talked to whom, on which ports, and how much data moved, and ingests the results of deep packet inspection, in which a network sensor examines the contents of a packet rather than only its headers so that it can be analyzed.
  • Combines this information with threat intelligence—information on bad actors and known exploits—to help the engineer analyze data and detect intrusions.
  • Enables the engineer to implement defense-in-depth by putting monitoring in place throughout the network, not just at the perimeter.
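The following is an added example, not code from the original page or from any SIEM product: a small correlation pass of the kind a SIEM runs over flow records. It aggregates constructed NetFlow-style records from two assumed sensors ("core-switch" and "fw-edge"), checks destinations against a constructed threat-intelligence blocklist, and flags an internal host that fans out to an unusual number of internal peers, which is what a pivot or internal scan looks like in flow data. The addresses, thresholds, and sensor names are all assumptions made for the example.

```python
"""Added example (not from the original page): a tiny SIEM-style correlation
pass over constructed NetFlow-like records from two sensors.

It shows three of the functions listed above: aggregating records from more
than one source, matching against a threat-intelligence list, and flagging
abnormal internal activity (one host fanning out to many peers). Hosts,
addresses, sensor names and thresholds are all invented for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    sensor: str      # which device produced the record, e.g. "core-switch" or "fw-edge"
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int


# Constructed threat intelligence: an address assumed to host command-and-control.
THREAT_INTEL = {"203.0.113.45"}

# Constructed flow records as a SIEM would receive them from two sensors.
# 10.0.5.23 behaves normally; 10.0.5.77 sweeps SMB across an internal /24 and
# then talks to the listed external address.
SAMPLE_FLOWS = [
    Flow("core-switch", "10.0.5.23", "10.0.9.10", 443, 5200),
    Flow("core-switch", "10.0.5.23", "10.0.9.10", 443, 6100),
    Flow("core-switch", "10.0.5.23", "10.0.9.11", 445, 900),
] + [
    Flow("core-switch", "10.0.5.77", f"10.0.9.{n}", 445, 120) for n in range(10, 40)
] + [
    Flow("fw-edge", "10.0.5.77", "203.0.113.45", 8443, 48_000),
    Flow("fw-edge", "10.0.5.23", "198.51.100.7", 443, 3000),
]

FANOUT_THRESHOLD = 20  # distinct internal peers before fan-out is called abnormal (assumed)


def is_internal(ip: str) -> bool:
    """Assumed internal address space for the example: 10.0.0.0/8."""
    return ip.startswith("10.")


def correlate(flows):
    """Return a list of (severity, src_ip, reason) alerts, highest severity first."""
    peers = defaultdict(set)       # src_ip -> distinct internal destinations
    intel_hits = defaultdict(set)  # src_ip -> {(dst_ip, sensor)}
    for f in flows:
        if is_internal(f.dst_ip):
            peers[f.src_ip].add(f.dst_ip)
        if f.dst_ip in THREAT_INTEL:
            intel_hits[f.src_ip].add((f.dst_ip, f.sensor))

    alerts = []
    for src, dsts in peers.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append(("medium", src, f"contacted {len(dsts)} distinct internal hosts"))
    for src, hits in intel_hits.items():
        for dst, sensor in sorted(hits):
            alerts.append(("high", src, f"traffic to threat-intel listed {dst} seen by {sensor}"))
    # Correlation across sources: fan-out seen by the core switch followed by a
    # threat-intel hit at the edge firewall is the pattern of a compromised
    # host pivoting internally and then calling home.
    for src in sorted(set(peers) & set(intel_hits)):
        if len(peers[src]) >= FANOUT_THRESHOLD:
            alerts.append(("critical", src, "internal fan-out plus threat-intel contact"))

    order = {"critical": 0, "high": 1, "medium": 2}
    alerts.sort(key=lambda a: order[a[0]])
    return alerts


if __name__ == "__main__":
    for sev, src, reason in correlate(SAMPLE_FLOWS):
        print(f"[{sev.upper():8}] {src}: {reason}")
```

The point of the last loop is that neither sensor alone tells the whole story: the core switch sees the sweep but not the external call-home, and the edge firewall sees the call-home but not the sweep. Only the SIEM, holding both, can raise the critical alert.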

The next section dives into one of these tools, IDPS.

Use Intrusion Detection and Prevention

Intrusion detection and prevention can be implemented separately or in tandem. While they both provide monitoring functions, it’s helpful to review the differences. 

Intrusion detection systems (IDS) monitor for signs of possible incidents, such as malware invading the network, and inform the network security engineer through alerts that something may be amiss. An IDS can be implemented in hardware or software but is usually placed out-of-band. This means it sits outside the data path and inspects copies of the packets, typically fed to it by a network tap or a switch mirror (SPAN) port. Because it is not in the data path, it cannot block traffic, and if it falls behind under heavy load it misses packets rather than slowing the network. Think of the security at a sporting event such as a soccer game. An IDS is much like the security guard standing to the side, watching people, and radioing for backup when a suspicious person tries to enter the event.

Intrusion prevention systems (IPS) go one step further than their IDS counterparts by not only detecting but also stopping incidents. They respond to and control data flows. For example, if the IPS identifies a data packet as malicious, it may discard the packet, preventing it from being delivered to its recipient. It may also drop all traffic from source IP addresses that are on a blocklist. The IPS usually sits behind a firewall and provides complementary protection inline.

Inline protection means that the device receives data packets and forwards them to their intended destination if they are normal, or discards them if they are malicious. This is much like the role of the person checking tickets at a soccer game and stopping someone with a counterfeit ticket from entering. 

Network security engineers must perform enough monitoring to secure the network while also ensuring legitimate data still reaches its intended recipient, and limiting the impact on throughput. Because an IPS inspects and blocks suspicious packets before they are delivered, it can add latency or mistakenly discard legitimate packets (false positives), whereas the same mistake in an IDS costs only a spurious alert. Properly implementing IDPS requires balancing security risks and business needs. Much as the security guard checking tickets and allowing access at a sporting event may seem like a hassle, they also have an important role to play in ensuring only authorized people enter and that the event is secure.
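To make the out-of-band versus inline distinction concrete, here is an added example that is not code from the original page or from any IDS or IPS product. It runs one simple signature engine over a constructed packet stream twice: once as a passive IDS that only returns alerts, and once as an inline IPS that returns the forwarded and dropped packets. The signatures, the blocklist, and the packets are assumptions constructed for the example; the third packet is a legitimate password-change form post that happens to match a signature, so the two modes handle it differently.

```python
"""Added example (not from the original page): a simulated IDS and IPS applied
to the same constructed packet stream.

Both use the same signature engine. The IDS only reports; the IPS also drops
matching packets and anything from a blocklisted source. Signatures,
addresses and payloads are invented for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


# Constructed signatures: (sid, description, regex applied to the payload).
SIGNATURES = [
    (1001, "shell metacharacters in HTTP query string",
     re.compile(rb"GET /[^ ]*\?[^ ]*(;|\|\||&&)")),
    (1002, "plaintext credential in payload",
     re.compile(rb"password=")),
]
# Constructed blocklist of source addresses the IPS should refuse outright.
BLOCKLIST = {"198.51.100.9"}


def match_signatures(pkt: Packet):
    """Return the ids of every signature whose pattern matches the payload."""
    return [sid for sid, _desc, pattern in SIGNATURES if pattern.search(pkt.payload)]


def ids_tap(packets):
    """Out-of-band IDS: inspects a copy of each packet and returns alerts as
    (sid, src_ip, dst_port). sid 0 marks a blocklist hit. The delivered stream
    is never touched, so a false positive costs an alert, not a connection."""
    alerts = []
    for pkt in packets:
        for sid in match_signatures(pkt):
            alerts.append((sid, pkt.src_ip, pkt.dst_port))
        if pkt.src_ip in BLOCKLIST:
            alerts.append((0, pkt.src_ip, pkt.dst_port))
    return alerts


def ips_inline(packets):
    """Inline IPS: every packet passes through the engine before delivery.
    Returns (forwarded, dropped). This is where added latency and the risk
    of dropping legitimate traffic come from."""
    forwarded, dropped = [], []
    for pkt in packets:
        if pkt.src_ip in BLOCKLIST or match_signatures(pkt):
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed traffic toward an assumed web server 10.0.1.5. The third packet
# is a legitimate password change that matches sid 1002: the IDS only alerts,
# the inline IPS drops it.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.1.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("192.0.2.11", "10.0.1.5", 80, b"GET /cgi-bin/status?host=x;cat /etc/passwd HTTP/1.1\r\n"),
    Packet("192.0.2.12", "10.0.1.5", 443, b"POST /account HTTP/1.1\r\n\r\npassword=NewPass1"),
    Packet("198.51.100.9", "10.0.1.5", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    print("IDS alerts:", ids_tap(SAMPLE_PACKETS))
    fwd, drp = ips_inline(SAMPLE_PACKETS)
    print("IPS forwarded:", len(fwd), "dropped:", len(drp))
```

Running it shows the trade-off from the paragraph above in one place: the IDS raises three alerts and delivers all four packets, while the IPS forwards only the first packet and drops the other three, including the legitimate form post. Tuning sid 1002 (or scoping it to plaintext ports only) is the kind of adjustment an engineer makes before switching a signature from alert to drop.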

Network security engineers also use a technology called unified threat management (UTM). A UTM appliance integrates a range of features, such as a firewall, antivirus, and IDPS, in a single device. A traditional firewall filters traffic on header fields such as addresses, ports, and protocols; a UTM goes a step further by also inspecting the contents of data packets. Especially at smaller organizations, a UTM may make sense because it bundles this functionality into a single security stack, rather than requiring firewalls, IPS devices, antivirus and anti-malware products, and other functions to be managed separately.


Use Adversarial Testing

Typically, network security engineers are part of a blue team, which refers to the security professionals who manage the network, protecting its assets and users, and detecting intrusions on a daily basis. While these professionals are focused on the day-to-day work of securing the network, a company may use other teams to test the security of the network from the viewpoint of an adversary. These teams can be either internal to the company or brought in as a third party. The services they provide include penetration testing and red teaming, described in further detail below.

During a penetration test, a team of security professionals identifies risks and vulnerabilities associated with a system on the network. They approach the system from an attacker’s perspective: they discover and exploit vulnerabilities to gain unauthorized access, elevate their privileges, pivot to other systems, and exfiltrate sensitive data.

Penetration tests are usually focused on testing the security of a specific high-value system. At the end of the test, the team provides a report that explains the steps they took, including what they were able to exploit, and lists security weaknesses and suggested mitigations and timelines. The blue team then uses these recommendations to enhance the security of the system and to check other systems on the network for similar vulnerabilities.

Red team engagements are more comprehensive than penetration tests. A red team performs a full-scope, multilayered attack to measure how resistant people and processes in the organization are to attack, in addition to testing traditional system security. Whereas a penetration testing team may send a phishing email or scan to find a critical vulnerability on a public-facing system, a red team member may give a USB drive infected with malware to a receptionist, or plug a rogue device into an unsecured port in the building. At the end of the engagement, the red team provides a summary of the engagement that includes recommended updates to policies and procedures or training, in addition to technical fixes.

This adversarial testing is an important component of the security arsenal. While functions such as vulnerability scanning help the blue team discover and patch security weaknesses, adversarial testing checks the security of systems, networks, and organizations from an outside perspective. A network security engineer may be asked to provide one of these teams with information about the network or systems prior to the engagement, or they may remediate weaknesses discovered and recommend additional security improvements. These engagements are a great way to alert leadership to needed improvements and create buy-in to implement solutions through validated third-party findings.

Sum It Up

You’ve learned the importance of comprehensive network security monitoring to detect intrusions and common tools network security engineers use to accomplish this goal. What are the network security engineer’s responsibilities when they respond to a detected intrusion? You find out in the next module.

Interested in exploring more cybersecurity-related information? Check out the Cybersecurity Learning Hub on Trailhead.