What is an IDS? What is required for a successful implementation and utilisation? IDS can also be used for penetration testing activities, not just for defence purposes. See how! This was presented as part of the FIRST Technical Colloquium 2017 Conference in Mauritius on the 30th of November 2017. Feel free to contact us for more information. If you are reusing some of the slides or their content, can you please reference our website as the source: https://www.elysiumsecurity.com

1. {elysiumsecurity}
Open Source IDS
How to use them as a powerful free
Defensive and Offensive tool
Version: 1.2w
Author: Sylvain Martinez
cyber protection & response
Classification: Public

2. {elysiumsecurity}
Agenda
• Introduction;
• Cyber Security Context;
• IDS Concept;
• Requirements for success;
• IDS Benefits;
• Something different…

3. {elysiumsecurity}
Who Am I?
https://www.elysiumsecurity.com

4. {elysiumsecurity}
Why Listen?
* If you already have a TAP setup
• Understand why you need an IDS;
• How everyone can get started with a free IDS;
• This dashboard in your home/company in less than 2h!*

5. {elysiumsecurity}
Today’s Cyber Security Risk Context
Cyber Security Risks’ probability and impact are increasing.
Their ability to disrupt companies business operation have
growing financial, reputational and legal negative consequences;
This overall diagram is copyright Elysiumsecurity LTD and can only be re-used if the source is referenced as: Sylvain Martinez, https://www.elysiumsecurity.com
Yesterday Tomorrow
100%
0%
TIME
GROWTH
Yesterday Tomorrow
100%
0%
TIME
GROWTH
Yesterday Tomorrow
100%
0%
TIME
GROWTH

6. {elysiumsecurity}
Cyber Security Puzzle
PREVENT DETECT RESPOND
• End Point Protection
• Policies
• DLP
• DRM
• SOC
• F/W
• IPS
• IDS • Incident Response
• Forensics
• DLP
• SIEM
• CERT
• Incident Management

7. {elysiumsecurity}
Importance of Detection
PREVENT DETECT RESPOND
DETECTION allows you to know there is a problem,
and that you need to do something!

8. {elysiumsecurity}
IDS? What IDS?
IDS
NIDS
HIDS
IPS
Signature Based
Behaviour Based
Pattern Based
Passive
Active

9. {elysiumsecurity}
FREE IDS
• Snort based engine;
• Suricata based engine;
• Suites of software available as VM:
- Security Onion (SO): https://securityonion.net/
- SELKS: https://www.stamus-networks.com/open-source/
• Great community is here to help;
• Authors are very active;
• Professional support available from them too;
• Various install guide available: https://www.elysiumsecurity.com/blog/Guides/post7.html

10. {elysiumsecurity}
cyber protection & response
DEFENSIVE
IDS

11. {elysiumsecurity}
Simplistic NIDS Concept
Guest WIFI
Users Servers
DMZ
IDS
Duplicated
Traffic
Duplicated
Traffic
INTERNET
Traffic
Analysis
Signatures
Patterns/
Behaviours
Security Alerts
Icons from VMWARE

12. {elysiumsecurity}
IDS Requirements for success
1. Traffic Visibility
2. Asset Inventory
3. Context
COVERAGE
TRACKING
TUNING

13. {elysiumsecurity}
Traffic Visibility
• TAP/Span port on key egress points
• Corporate Solutions
- Dedicated hardware
- Soft Config in most switch (Ubiquity Networks, CISCO...)
• Home Solutions:
- Netgear GS105E
- Mikrotik Router
NATting

14. {elysiumsecurity}
Asset Inventory
• IP/Asset inventory software
• - Network dedicated
• - Part of wider asset inventory
• Mac Address Fingerprinting
• Fixed IP
• Reserved DHCP
NATting

15. {elysiumsecurity}
Context
QUESTIONS
• Is that a false positive?
• Is that normal behaviour?
• Is the end point targeted critical?
• Is this a configuration issue?
• Have we seen this before?
• …
ANSWERS
• Network Topology knowledge;
• Asset owner knowledge;
• Application owner knowledge;
• Business analyst contact;
• Cyber Security knowledge.
• …

16. {elysiumsecurity}
IDS Defensive Benefits
• Alerts you of Cyber Security attacks;
• Alerts you of Cyber Security issues;
• Finds vulnerable hosts on your network;
• Finds vulnerable applications on your network;
• Monitors network flow behaviours;
• Monitors network ports activity;
• Monitors network traffic;
• Monitors file transfers;
• Establish network entity relationships;
• …

17. {elysiumsecurity}
IDS Actionable Information

18. {elysiumsecurity}
IDS Defensive Benefits - revisited
• Alerts you of Cyber Security attacks;
• Alerts you of Cyber Security issues;
• Finds vulnerable hosts on your network;
• Finds vulnerable applications on your network;
• Monitors network flow behaviours;
• Monitors network ports activity;
• Monitors network traffic;
• Monitors file transfers;
• Establish network entity relationships;
• …

19. {elysiumsecurity}
cyber protection & response
OFFENSIVE
IDS

20. {elysiumsecurity}
Simplistic NIDS Concept - Revisited
Guest WIFI
Users Servers
DMZ
IDS
Duplicated
Traffic
Duplicated
Traffic
INTERNET
Traffic
Analysis
Signatures
Patterns/
Behaviours
Security Alerts
Files
Passwords,…
Files
Extraction
PCAP Files
PCAP Files
PCAP Files
Icons from VMWARE

21. {elysiumsecurity}
IDS Requirements - Offensive
1. Traffic Capture
REPLAY
&
ANALYSIS
2. Asset Inventory
3. Context
TARGETING
PRIORITISATION

22. {elysiumsecurity}
Traffic Capture
• Physical Access required in most cases
• TAP traffic against key targets
• Powered/Unpowered solutions
• Dummy Capture Devices:
• - Small Router;
• - Throwing Star LAN;
• Intelligent Capture Devices:
• - Raspberry Pi;
• - Hak5 Packet Squirrel.
NO IMPACT

23. {elysiumsecurity}
IDS Offensive Benefits
• Speed up Network Traffic Analysis;
• Identify interesting timelines;
• Identify targets of interest;
• Identify vulnerabilities to exploit;
• Extract sensitive information;
• Profile users and applications;
• …

24. {elysiumsecurity}
Takeaway
• Free IDS available;
• Pre-configured and easy to deploy;
• Provide good defensive visibility and alerts;
• Provide good offensive capabilities;
• Instant returned value;
• Try one today!

25. {elysiumsecurity}
cyber protection & response
emailus@elysiumsecurity.com
THANK YOU
https://www.elysiumsecurity.com