
Information Security 08 - Intrusion Detection and Response

The document outlines the concepts of Intrusion Detection and Response (IDR) in cybersecurity, emphasizing the importance of monitoring, detecting, and responding to unauthorized activities within a network. Key activities include writing security policies, implementing security programs, and utilizing technology-based countermeasures. The overall goal of IDR is to minimize damage from security incidents and improve an organization's security posture through a combination of technology, processes, and skilled personnel.

Uploaded by faiziikanwal47

Course Outline

ArfanShahzad.com
Intrusion Detection and Response
• An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, almost always with the intent to do harm.

• Even when such attacks are self-propagating, as in the case of viruses and DDoS attacks, they are almost always instigated (initiated) by someone whose purpose is to harm an organization.

• Intrusion prevention consists of activities that deter (prevent) an intrusion.

• Some important intrusion prevention activities are:


1. Writing & implementing enterprise information security policy,
2. Planning & executing effective information security programs,
3. Installing & testing technology-based information security countermeasures (e.g. firewalls and intrusion detection systems),
4. Conducting & measuring the effectiveness of employee training and awareness activities.

• Information security intrusion detection systems (IDSs) became commercially available in the late 1990s.

• An IDS works like a burglar alarm (robber alarm) in that it detects a violation and activates an alarm.

• This alarm can be audible and/or visual (producing noise and lights, respectively), or it can be silent (an e-mail message alert).

• A current extension of IDS technology is Intrusion Detection and Response (IDR).

• IDR is a crucial aspect of cybersecurity that involves monitoring, detecting, and responding to unauthorized activities or potential threats within a computer network or system.

• It aims to protect the network and its assets from malicious activities and minimize the impact of security incidents.

• The process of IDR typically involves the following steps:


1. Monitoring
2. Detection
3. Alerting
4. Investigation
5. Response
6. Reporting

• 1- Monitoring: Continuous monitoring of network traffic, system logs, and user activities to identify any abnormal or suspicious behavior.

• This can be done using various technologies such as network intrusion detection systems (NIDS), host-based intrusion detection systems (HIDS), and security information and event management (SIEM) tools.

• 2- Detection: Analyzing the collected data and applying detection mechanisms to identify potential security incidents or indicators of compromise (IOCs).

• This includes the use of signature-based detection, anomaly detection, and behavioral analysis to identify known and unknown threats.

• 3- Alerting: Generating alerts or notifications when potential security incidents or anomalies are detected.

• These alerts are typically sent to a centralized console or a security operations center (SOC) where they are analyzed and prioritized based on their severity.

• 4- Investigation: Conducting a thorough investigation of the detected incidents to determine the nature and extent of the security breach.

• This may involve analyzing log files, examining network traffic, and gathering evidence to understand the root cause and impact of the incident.


• 5- Response: Implementing appropriate response actions to contain and mitigate the impact of the security incident.

• This may include isolating affected systems, blocking malicious traffic, applying patches or updates, resetting compromised credentials, and restoring affected services.

• 6- Reporting: Documenting the incident response activities, including the details of the incident, actions taken, and lessons learned.

• This helps in improving future incident response processes and enables regulatory compliance and reporting requirements.
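The six IDR steps above can be traced through in code. The following is an added example written for this page, not code from the slides or from ArfanShahzad.com: a toy pipeline in Python that parses constructed syslog-style lines (monitoring), applies one signature rule and one anomaly rule (detection), orders the resulting alerts by severity for a SOC queue (alerting), maps each alert to a response playbook (response) and emits an incident record (reporting). The log format, thresholds, rule names, playbook entries and addresses are all assumptions made up for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed syslog-style sample lines (not captured from any real system).
SAMPLE_LOGS = """\
2024-01-01T10:00:01 sshd host1 Failed password for root from 203.0.113.5
2024-01-01T10:00:02 sshd host1 Failed password for root from 203.0.113.5
2024-01-01T10:00:03 sshd host1 Failed password for admin from 203.0.113.5
2024-01-01T10:00:04 sshd host1 Failed password for root from 203.0.113.5
2024-01-01T10:00:05 sshd host1 Failed password for root from 203.0.113.5
2024-01-01T10:00:06 sshd host1 Accepted password for root from 203.0.113.5
2024-01-01T10:00:07 httpd host2 GET /index.html from 198.51.100.7
2024-01-01T10:00:08 httpd host2 GET /login.php?user=' OR 1=1-- from 198.51.100.9
2024-01-01T10:00:09 sshd host1 Accepted publickey for alice from 192.0.2.10
"""

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass
class Alert:
    severity: str
    rule: str
    source: str
    evidence: list = field(default_factory=list)


# 1. Monitoring: turn raw log lines into structured events (assumed format).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<host>\S+) (?P<msg>.*)$")


def parse_logs(text):
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]


def source_of(msg):
    # Source address is the token after the last "from " in our sample format.
    return msg.rsplit("from ", 1)[-1].strip()


# 2a. Signature-based detection: known-bad patterns (hypothetical rule set).
SIGNATURES = [("sqli-tautology", re.compile(r"'\s*OR\s+1=1", re.IGNORECASE), "high")]


def signature_detect(events):
    return [Alert(sev, name, source_of(ev["msg"]), [ev["msg"]])
            for ev in events for name, pat, sev in SIGNATURES if pat.search(ev["msg"])]


# 2b. Anomaly detection: failed-login burst per source; escalated to critical
#     if the same source then logs in successfully (assumed threshold of 4).
def anomaly_detect(events, threshold=4):
    failures = defaultdict(list)
    success_after_fail = set()
    for ev in events:  # events are in chronological order
        msg = ev["msg"]
        src = source_of(msg)
        if msg.startswith("Failed password"):
            failures[src].append(msg)
        elif msg.startswith("Accepted") and len(failures.get(src, [])) >= threshold:
            success_after_fail.add(src)
    return [Alert("critical" if src in success_after_fail else "medium", "brute-force", src, msgs)
            for src, msgs in failures.items() if len(msgs) >= threshold]


# 3. Alerting: prioritise the SOC queue by severity.
def prioritize(alerts):
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity], reverse=True)


# 5. Response: containment actions per rule (hypothetical playbook, drawn from
#    the actions the slides list: block traffic, reset credentials, patch, isolate).
RESPONSE_PLAYBOOK = {
    "brute-force": ["block source address", "reset compromised credentials", "isolate affected host"],
    "sqli-tautology": ["block source address", "apply patches or updates to the web application"],
}


def response_actions(alert):
    return list(RESPONSE_PLAYBOOK.get(alert.rule, ["escalate to SOC analyst"]))


# 6. Reporting: a minimal incident record with details, actions and evidence count.
def incident_report(alert, actions):
    return {"rule": alert.rule, "severity": alert.severity, "source": alert.source,
            "evidence_count": len(alert.evidence), "actions_taken": list(actions)}


def run_pipeline(text=SAMPLE_LOGS):
    events = parse_logs(text)
    return prioritize(signature_detect(events) + anomaly_detect(events))


if __name__ == "__main__":
    for a in run_pipeline():
        print(incident_report(a, response_actions(a)))
```

On the constructed input the pipeline yields two alerts: a critical brute-force alert for 203.0.113.5 (five failures followed by a success) ranked ahead of a high-severity signature hit for 198.51.100.9. Step 4, investigation, is deliberately left to the analyst; the evidence list attached to each alert is what they would start from.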

• The overall goal of intrusion detection and response is to detect and respond to security incidents in a timely manner, minimizing the potential damage and reducing the risk of future incidents.

• It requires a combination of technology, processes, and skilled personnel to effectively identify and respond to threats, ultimately enhancing the overall security posture of an organization.
