8

In my organization, we have an IPS behind a firewall. Each time a security event is triggered, I am left to wonder if the attack is really successful. For events that are set to drop inline, we can be assured that the attack is most unlikely to be unsuccessful. But how do we determine if an attack is successful for events that are set to alert only?

In cases like these, I would look at the payload and PCAP to grab as much information as I can. However, most of the time, I still can't determine if the attack is successful.

For cases like these, how do we determine if an attack is successful?

kalina
Fred1234

3 Answers

4

A successful attack by definition will not be detected by IPS or IDS.

What IPSs and IDSs are good for is weeding out script kiddies, worms and similar attackers.

If you want to have a relatively secure web application you need to use a web application firewall with a default deny rule set. Yes, it hurts to configure it this way and it will take a bit of time, on the other hand, it is really a "fire and forget" solution. The only time the rule set has to change is when the application changes (which you know about), not when attackers think about a new way around IPS or IDS (which you, or your IPS/IDS supplier, don't know about).

IPSs and IDSs "enumerate badness" and this just doesn't work any more: The Six Dumbest Ideas in Computer Security

Hubert Kario
4

It depends on the product. Some products have the ability to capture the response packet(s) as well as the attack packet(s). Some products, notably IBM Proventia, will annotate the original event with a success/failure notification, which you can see if you open up the details of the event. For example, all HTTP events in Proventia will include not only the URL of the attack, but also the response code (200, 404, 500, etc.).

Robert David Graham
1

There are two ways to run an IDS:

  • to detect attack attempts
  • to detect successful attacks

The mode is defined by the rules which are enabled. In most environments, like yours, there is no clear strategy which leads to having both kinds of events triggered.

If you want to detect possibly successful attacks only (and ignore attempts which are not successful anyway), just enable the signatures for the products and versions you are using. For example, if you are not using Apache, then disable all Apache signatures. It may take some time to collect data about your software inventory and to implement it on the IDS. Furthermore, you would have to make changes on the IDS whenever your software landscape changes. Don't underestimate the effort for that. But then you are able to determine attack attempts and possible successes which might really impact your environment sooner or later.

Furthermore, IDS/IPS signatures usually come with categories. For example, the protection filters by TippingPoint use the categories Reconnaissance for enumeration, Vulnerabilities for common security issue detection and Exploits for actions provoked by real attack attempts. Stripping down the enabled categories might also help to prevent noise not linked to successful attacks.

Marc Ruef
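Combining the two triage checks the answers above describe (does the targeted product even run here, and what did the server actually answer), as an added Python example that is not from this thread; the inventory, alert records and access-log lines are constructed samples, and the field names are assumptions:

```python
import re

# Constructed sample data (not from the thread). The software inventory is
# what is actually deployed on the web host behind the alert-only IPS.
INVENTORY = {"nginx", "php"}

# Alert-only IDS events; 'product' is the software the signature targets
# (None = generic signature). Signature names and URLs are made up.
ALERTS = [
    {"id": 1, "sig": "WEB-IIS admin scripts access", "product": "iis", "url": "/scripts/iisadmin/default.htm"},
    {"id": 2, "sig": "WEB-PHP phpinfo access", "product": "php", "url": "/phpinfo.php"},
    {"id": 3, "sig": "WEB-PHP setup script access", "product": "php", "url": "/setup.php"},
    {"id": 4, "sig": "WEB-CGI test-cgi access", "product": None, "url": "/cgi-bin/test-cgi"},
]

# Constructed web-server access log (combined log format) for the same host.
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /scripts/iisadmin/default.htm HTTP/1.1" 404 162
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /phpinfo.php HTTP/1.1" 200 48211
198.51.100.9 - - [10/Oct/2023:13:56:07 +0000] "GET /setup.php HTTP/1.1" 403 153
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def parse_status_by_url(log_text):
    """Map each requested URL to the HTTP status code the server returned."""
    statuses = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            statuses[m.group("url")] = int(m.group("status"))
    return statuses

def triage(alert, statuses, inventory):
    """Classify one alert-only event: first by inventory, then by server response."""
    if alert["product"] and alert["product"] not in inventory:
        return "not-applicable"        # signature for software this host does not run
    status = statuses.get(alert["url"])
    if status is None:
        return "unknown"               # no server-side record; needs PCAP/payload review
    if 200 <= status < 400:
        return "possible-success"      # served or redirected: investigate further
    return "likely-failed"             # 4xx/5xx: request was rejected or errored

def triage_all(alerts, log_text, inventory):
    statuses = parse_status_by_url(log_text)
    return {a["id"]: triage(a, statuses, inventory) for a in alerts}

if __name__ == "__main__":
    for alert_id, verdict in triage_all(ALERTS, ACCESS_LOG, INVENTORY).items():
        print(alert_id, verdict)
```

A 2xx response only shows the server handled the request normally, so "possible-success" is a prioritisation hint for analysts, not proof of compromise; keying on URL alone also conflates repeated requests for the same path.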