Intrusion detection is the final layer of defence in depth against an attacker and works to detect when a server has been accessed without permission or 'hacked into'. This is the last line of defence because the other two countermeasures (a firewall and vulnerability scanning) attempt to stop an attacker gaining access to the server. However, should that occur it is vial that the server administrator be aware that their server has been compromised and immediate steps taken to lockout the intruder and return the server to normal operations as rapidly as possible.
In addition to monitoring for the presence of attackers Penetration Patrol will also flag any unusual occurrences that could be the result of a trusted party either making a mistake or deliberately modifying the server in an unauthorized manner.
Intrusion detection is possible because the days of the hacker being a teenager who wanted nothing more than to break into and trash a system are long gone. These days a compromised server is a valuable asset that can be used for illegal activities such as relaying spam or attacking other system. However, this is only possible so long as their activities remain undetected.
In order for an attacker to enter and begin using a server it must be modified in some way. This may be a virus modifying a few files or a skilled hacker loading modified kernel modules. Some changes must be made to a server in order to use it in an unintended manner. The intrusion detection agent is there to watch for these tell-tale changes and raise an alert when they are detected.
The intrusion detection system that Memset deploys is comprised of two parts; an agent and management server. The agent is the program that runs on the server and monitors for events, gathers information from logs file makes internal measurements. It continuously sends this information back to the management server. The management server is a physically different server administrated by Memset with no client access that receives and processes the data from the agent and analyses it to detect any anomalous activity.
This agent/server model has many advantages. The agent can remain very small requiring minimal memory and cpu resources as all the computation and storage is carried out on the management server. In addition, this separation of agent and management server ensures that the analysis and alerting cannot be modified or disabled as it takes place on a different server. Furthermore, should an attacker disable or modify the agent then this change will be recorded by the management server and an alert generated. This also ensures that an attack cannot be carried out undetected from within the company with by an unauthorised employee or disgruntled ex-employee. Even if they posses valid credentials to access the server any attempt to modify, damage, subvert or otherwise interferer with the server will be detected and flagged.
Memset Penetration Patrol monitors the following variables:
System Binaries And Configuration Files Integrity Checking The installed system binaries are all inspected to detect modification. Changes are spotted because the first thing that the intrusion detection agent (the program that runs on the server) does is to take a unique fingerprint (MD5/SHA1 checksums) of all system binaries and configuration files. Any changes no matter how small, even a single character, are easily detectable and will be spotted by the intrusion detection agent.
Log Files Servers produce system and application logs which document normal activity as well problems and errors. The intrusion detection agent will read and monitor those log files and any anomalous activity will be spotted and reported.
Suspicious Network Connections Some malicious programs will attempt to install themselves and usually open a network connection in order to communicate with command and control servers, relay spam or scan other servers to infect. The intrusion detection agent will monitor and flag any out of the ordinary network connections.
Rootkits and Malware A root kit is a software package designed to take over a server and hide its presence. The intrusion detection system comes with database of root kits and will periodically check for any that may be installed.
If you have Memset Managed Support with your server, all Penetration Patrol options are available to you. If you have opted for Infrastructure Assisted Support, then only our self-monitored service is available. Please note that the Penetration Patrol service is unfortunately not available at all if you have opted for our Infrastructure Only Support level. More information on the different Penetration Patrol options can be found under the "Who Is Alerted?" section found at the bottom of this page.
The intrusion detection system logs and processes a huge number of system events and classifies them according to how important they are in terms of system integrity. There are ten levels of importance with 10 being the most important events, e.g. full server compromise, and 1 being the least important and merely system notifications with no security relevance.
This is the complete list of alert levels:
It is important to note that any selected level will include alerts for that level and also every level above i.e. more levels more important than it. For example, if the suggested level 10 is selected then alerts will be sent that match the criteria for levels 10 and also 11,12,13,14,15
Some consideration should be given to selecting a level that matches both your technical requirements and your time to read all the reports. The lower levels, less important levels, will send hundreds if not thousands of messages a day for a busy server making an important alert easily overlooked in so many messages.
The desired alert level can be selected via the Manage page for the server.
Alert emails will be sent to the email address you provide. Alerts can also be configured to go to the Memset engineering team. However, additional levels of support will be required to enable this. The additional levels are as follows:
Please contact email@example.com to for more information on additional support levels.
Last updated 19 May 2016, 11:12 GMT