An introduction to the four main detection methods

Four Intrusion Detection Methods for Countering Cyber Threats

09/17/2024


Intrusion detection methods are used to identify intruders who are trying to breach your network or already have. There are four main methods of detection. Two of them, threat behavioral analytics and configuration changes, are the most likely to catch bad actors; the other two, modeling and threat indicators, are valuable in specific situations, such as incident response.

In this post, we will talk through all four types, how to use them, and the importance of understanding the difference between the categories.

What Are the Two Basic Means of Network Intrusion Detection?

Seasoned actors are adept at circumventing perimeter defenses, quietly surveying the network environment, and carrying out their mission undetected. Conventional tools and strategies alone fail to protect networks and critical data from these threats, which leaves companies that rely only on them as attractive targets for cybercriminals. Layered detection methods are one way to close that gap.

There are two broad means of intrusion detection when someone is trying to break into your network.

  • Monitoring and Hunting Context: Think of this as a security guard monitoring and actively searching your house (or network) for signs that someone might be trying to break in. The guard is looking for trouble before it even happens.
  • Incident Response Context: This is akin to an alarm going off after someone has broken into your home (or network), and the security team needs to figure out what happened, how to stop the intruder, and fix any damage.

One focuses on actively searching for signs of trouble before an alarm is ever raised; the other is about responding quickly once something has already happened. You can and should use both in your approach to detection.

What Are the Four Types of Intrusion Detections?

There are four main types of detection that work to determine if an intruder is trying to break into your network or already moving around within it.

  • Modeling: This means establishing a baseline of normal activity in the environment and looking for anomalies: events, or groups of events, that stand out from that baseline.
  • Threat indicators: This involves flagging files and infrastructure already associated with malicious activity, such as IP addresses, domain names, file hashes, and similar artifacts.
  • Configuration changes: This alerts the team when something in the environment changes, such as new processes, new network connections, or new protocols appearing on a system.
  • Threat behavioral analytics: This is all about identifying patterns in logs and data that match known adversary tradecraft, the techniques attackers use to gain access and move through an environment.

How Can These Detection Types Be Used?

When it comes to hunting, configuration changes and threat behavioral analytics are your friends. These detections are very hard for bad actors to avoid or overcome, because as they attempt to manipulate and control your systems they are forced to make changes that can be observed: new network connections, new processes, and new events.

As they use the techniques required to gain access to and move within an environment, they leave observable patterns in logs and data that experienced threat hunters can search for and detect.

Modeling and threat indicators, on the other hand, are more easily avoided by a skilled or determined adversary. Many top-tier bad actors use legitimate programs and approved protocols and disguise their traffic precisely so that they create no anomalies, masquerading as legitimate applications, network traffic, and infrastructure. Because the actor appears to be moving through the system as a legitimate user, they may not set off any alarms. Modeling and threat indicators are still useful in incident response, for scoping an incident and working out what is being targeted.
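To make the four categories from the list above concrete, and to show why the quiet, living-off-the-land actor described in this section slips past indicators and anomaly modeling but not past configuration-change and behavioral detection, here is an added example in Python. It is not code from the original post. The event schema, the seven-day baseline, the IOC lists, and every IP address, hash and command line in it are constructed for illustration and are not real telemetry or real indicators.

```python
"""The four detection methods from the post, run over constructed endpoint events.

Added example for this post, not the author's code. The event schema, the
baseline, the indicator lists and every IP, hash and command line below are
constructed for illustration and are not real telemetry or real IOCs.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- Constructed seven-day baseline for host ws01 (normal activity). ---
NORMAL_DAY = [("outlook.exe", "192.0.2.10:443"), ("powershell.exe", None),
              ("rundll32.exe", None)]
BASELINE = []
for day in range(7):
    pairs = NORMAL_DAY + [("chrome.exe", "192.0.2.20:443")] * (2 + day % 3)
    for proc, dst in pairs:
        BASELINE.append({"day": day, "host": "ws01", "proc": proc, "dst": dst,
                         "cmd": proc, "sha256": "ok"})

# --- Constructed events for "today" on the same host. ---
TODAY = [
    # benign browsing
    {"id": "e1", "host": "ws01", "proc": "chrome.exe", "dst": "192.0.2.20:443",
     "cmd": "chrome.exe", "sha256": "ok"},
    # clumsy actor: known-bad file hash talking to a known-bad address
    {"id": "e2", "host": "ws01", "proc": "dropper.exe", "dst": "203.0.113.7:443",
     "cmd": "dropper.exe", "sha256": "bad1"},
    # quiet actor: approved tool, no IOC, normal volume, but an encoded command
    {"id": "e3", "host": "ws01", "proc": "powershell.exe", "dst": None,
     "cmd": "powershell -nop -w hidden -enc SQBFAFgA", "sha256": "ok"},
    # quiet actor: persistence via a new local account from a built-in tool
    {"id": "e4", "host": "ws01", "proc": "net.exe", "dst": None,
     "cmd": "net user svc_backup P@ss /add", "sha256": "ok"},
    # quiet actor: signed OS binary beaconing to infrastructure on no list
    {"id": "e5", "host": "ws01", "proc": "rundll32.exe", "dst": "198.51.100.5:443",
     "cmd": "rundll32.exe", "sha256": "ok"},
] + [
    # noisy actor: SMB sweep of the subnet from an approved browser process
    {"id": f"e6-{i:02d}", "host": "ws01", "proc": "chrome.exe",
     "dst": f"10.0.0.{i}:445", "cmd": "chrome.exe", "sha256": "ok"}
    for i in range(1, 41)
]

# 1. Threat indicators: match artifacts against a constructed IOC list.
IOC_HASHES = {"bad1"}
IOC_IPS = {"203.0.113.7"}

def detect_indicators(events):
    hits = []
    for e in events:
        if e["sha256"] in IOC_HASHES:
            hits.append((e["id"], "hash on IOC list"))
        if e["dst"] and e["dst"].split(":")[0] in IOC_IPS:
            hits.append((e["id"], "destination on IOC list"))
    return hits

# 2. Modeling: per (host, process) daily event count vs. mean + 3 sigma of the
#    baseline. Processes with no baseline are left to the config-change detector.
def detect_anomalies(events, baseline):
    days = sorted({b["day"] for b in baseline})
    daily = defaultdict(Counter)             # (host, proc) -> {day: count}
    for b in baseline:
        daily[(b["host"], b["proc"])][b["day"]] += 1
    today = Counter((e["host"], e["proc"]) for e in events)
    hits = []
    for key, count in today.items():
        if key not in daily:
            continue
        counts = [daily[key][d] for d in days]       # zero for days without events
        limit = mean(counts) + 3 * pstdev(counts)
        if count > limit:
            hits.append(("%s/%s" % key, f"{count} events vs. limit {limit:.1f}"))
    return hits

# 3. Configuration changes: first-seen process name or (process, destination) pair.
def detect_config_changes(events, baseline):
    known_procs = {(b["host"], b["proc"]) for b in baseline}
    known_conns = {(b["host"], b["proc"], b["dst"]) for b in baseline}
    hits = []
    for e in events:
        if (e["host"], e["proc"]) not in known_procs:
            hits.append((e["id"], f"new process {e['proc']}"))
        elif (e["host"], e["proc"], e["dst"]) not in known_conns:
            hits.append((e["id"], f"new connection {e['proc']} -> {e['dst']}"))
    return hits

# 4. Threat behavioral analytics: command-line and process patterns that match
#    documented adversary tradecraft, regardless of hash, address or volume.
TRADECRAFT = [
    ("encoded PowerShell", lambda e: re.search(r"-(enc|encodedcommand)\b", e["cmd"], re.I)
                                     and re.search(r"-(nop|w hidden)", e["cmd"], re.I)),
    ("local account creation",
     lambda e: re.search(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add", e["cmd"], re.I)),
    ("OS utility making outbound connection",
     lambda e: e["proc"] in {"rundll32.exe", "regsvr32.exe", "mshta.exe"} and e["dst"]),
]

def detect_tradecraft(events):
    return [(e["id"], name) for e in events for name, rule in TRADECRAFT if rule(e)]

def run_all(events=TODAY, baseline=BASELINE):
    """Return {method: sorted subjects} so the four views can be compared."""
    results = {
        "threat indicators": detect_indicators(events),
        "modeling": detect_anomalies(events, baseline),
        "configuration changes": detect_config_changes(events, baseline),
        "threat behavioral analytics": detect_tradecraft(events),
    }
    return {m: sorted({subject for subject, _ in hits}) for m, hits in results.items()}

if __name__ == "__main__":
    for method, subjects in run_all().items():
        print(f"{method:28s} {subjects}")
```

Running it shows the split the post describes: the clumsy dropper (e2) is caught by the indicator list and as a new process, the subnet sweep (e6) trips the volume model and shows up as a burst of new connections, but the quiet actor's three events (e3, e4, e5) match no indicator and stay within the modeled volume. Only the configuration-change view (a new process, a new outbound connection from a signed OS binary) and the tradecraft rules (encoded PowerShell, account creation, an OS utility calling out) surface them.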

All four types can be used in tandem to help teams identify the areas of the network being targeted or controlled by the adversary, build a clearer picture of what the adversary is doing, and stop them before they cause more damage.

Contact us now for more information on implementing intrusion detection within your network.