4.1 Map the provided events to source technologies
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. What is IDS and IPS?
- IDS (Intrusion Detection System):
- This system monitors network or system traffic and detects suspicious activity.
- It does not block attacks automatically. It just alerts the security team.
- Think of it as a security camera for your network—it notices suspicious behavior but doesn’t physically stop anything.
- IPS (Intrusion Prevention System):
- IPS does everything an IDS does, but it can also block or prevent attacks automatically.
- It acts like a network guard that can stop malicious traffic before it reaches the target system.
2. Types of IDS/IPS
- Network-based IDS/IPS (NIDS/NIPS):
- Monitors traffic crossing the network, usually from a switch SPAN/mirror port or a network TAP (NIDS) or by sitting inline in the traffic path (NIPS), typically at a firewall or router boundary.
- Example technologies: Snort, Suricata, Cisco Firepower.
- Detects attacks like:
- Port scanning
- Malware communication
- DDoS attacks
- Host-based IDS/IPS (HIDS/HIPS):
- Runs on individual servers or endpoints.
- Monitors files, logs, system calls, and user activity.
- Example technologies: OSSEC, Tripwire.
- Detects attacks like:
- Unauthorized file changes
- Privilege escalation
- Malware execution
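As an added example (not code from the page or from OSSEC/Tripwire), the following Python script shows the core of what a host-based IDS does for the "unauthorized file changes" case above: take a baseline of file hashes and permission bits, then diff a later snapshot. It builds a throwaway directory in a temp folder and tampers with it itself, so the tampering is constructed and the paths (`etc/passwd`, `etc/sudoers`, `usr/bin/sh`) are relative to that temp folder, not the real system.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every file under root: relative path -> (sha256, permission bits).

    Permission bits (including setuid/setgid) are recorded because a HIDS
    should catch a file made world-writable or setuid even when its content
    did not change.
    """
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = (file_digest(full), os.stat(full).st_mode & 0o7777)
    return snapshot


def compare(baseline, current):
    """Return HIDS-style events as (event, path) tuples, sorted for stable output."""
    events = []
    for rel, (digest, mode) in current.items():
        if rel not in baseline:
            events.append(("added", rel))
            continue
        old_digest, old_mode = baseline[rel]
        if digest != old_digest:
            events.append(("modified", rel))
        if mode != old_mode:
            events.append(("permissions_changed", rel))
    for rel in baseline:
        if rel not in current:
            events.append(("deleted", rel))
    return sorted(events)


def demo():
    """Build a fake filesystem, take a baseline, tamper with it, and diff (constructed scenario)."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        passwd = os.path.join(etc, "passwd")
        sudoers = os.path.join(etc, "sudoers")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(sudoers, "w") as f:
            f.write("root ALL=(ALL) ALL\n")
        os.chmod(sudoers, 0o440)

        baseline = build_baseline(root)

        # Simulated tampering (constructed, not a real compromise):
        # 1. a second uid-0 account appended to passwd -> "modified"
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        # 2. sudoers made world-writable, content unchanged -> "permissions_changed"
        os.chmod(sudoers, 0o666)
        # 3. a new setuid shell dropped under usr/bin -> "added"
        bin_dir = os.path.join(root, "usr", "bin")
        os.makedirs(bin_dir)
        suid_sh = os.path.join(bin_dir, "sh")
        with open(suid_sh, "w") as f:
            f.write("#!/bin/sh\nexec /bin/sh\n")
        os.chmod(suid_sh, 0o4755)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:20s} {path}")
```

A real HIDS also has to protect the baseline itself (an attacker who can edit the snapshot can hide the change), which is why products such as Tripwire store it signed or off-host; this script keeps it in memory only for the demonstration.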
3. How IDS/IPS works
IDS/IPS use two main detection methods, signature-based and anomaly-based, and most products combine both:
- Signature-based detection:
- Looks for known patterns of attacks.
- Works like antivirus software.
- Example: Detecting a specific malware payload or SQL injection pattern.
- Anomaly-based detection:
- Learns what normal traffic looks like, then alerts when traffic deviates from the norm.
- Example: If a server suddenly starts sending huge amounts of data, it could indicate data exfiltration.
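As an added example (not code from the page or from any IDS product), the following Python script implements both detection methods on constructed input: a signature scan over three sample HTTP request lines, with two hypothetical rules written in the spirit of a Snort/Suricata signature (the sids 1000001 and 1000002 are made up), and an anomaly scan that flags a host whose outbound byte count is far outside its own history, which is the exfiltration case from the bullet above. The IP addresses and byte counts are constructed sample data.

```python
import re
import statistics
from urllib.parse import unquote

# Constructed HTTP request lines (source IP, request line) as a NIDS would
# reassemble them from the wire. Sample input, not captured traffic.
HTTP_REQUESTS = [
    ("10.0.0.5", "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1"),
    ("10.0.0.7", "GET /order/1 HTTP/1.1"),
    ("10.0.0.9", "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1"),
]

# Hypothetical signatures in the spirit of a Snort/Suricata rule: (sid, msg, pattern).
SIGNATURES = [
    (1000001, "SQL injection attempt (tautology)",
     re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    (1000002, "Cross-site scripting attempt",
     re.compile(r"<script\b", re.I)),
]


def signature_scan(requests):
    """Signature-based detection: normalise (URL-decode), then match known patterns.

    Decoding first matters: a signature that only matched the literal text
    "' OR '1'='1" would miss the percent-encoded form an attacker actually sends.
    """
    alerts = []
    for src, request_line in requests:
        decoded = unquote(request_line)
        for sid, msg, pattern in SIGNATURES:
            if pattern.search(decoded):
                alerts.append({"sid": sid, "msg": msg, "src": src})
    return alerts


# Constructed baseline: outbound bytes per host for six earlier 5-minute windows.
BASELINE_BYTES = {
    "192.168.1.10": [52_000, 48_500, 61_000, 55_200, 49_800, 57_300],
}

# Constructed current window: the web server suddenly pushes ~4.8 MB out,
# and a host with no learned baseline also shows up.
CURRENT_WINDOW = {"192.168.1.10": 4_800_000, "192.168.1.99": 3_000_000}


def anomaly_scan(baseline, current, z_threshold=3.0):
    """Anomaly-based detection: alert when a host's outbound volume sits far
    outside its own history (z-score above threshold).

    Hosts without enough history are skipped rather than alerted on: an
    anomaly detector cannot judge "abnormal" before it has learned "normal".
    """
    alerts = []
    for host, observed in current.items():
        history = baseline.get(host, [])
        if len(history) < 2:
            continue
        mean = statistics.fmean(history)
        stdev = statistics.pstdev(history)
        if stdev == 0:
            # Flat history: any change is notable, but avoid dividing by zero.
            z = float("inf") if observed != mean else 0.0
        else:
            z = (observed - mean) / stdev
        if z > z_threshold:
            alerts.append({"host": host, "observed": observed,
                           "baseline_mean": round(mean), "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for a in signature_scan(HTTP_REQUESTS):
        print(f"SIGNATURE sid={a['sid']} src={a['src']} {a['msg']}")
    for a in anomaly_scan(BASELINE_BYTES, CURRENT_WINDOW):
        print(f"ANOMALY host={a['host']} observed={a['observed']} "
              f"baseline={a['baseline_mean']} z={a['z']}")
```

The two functions also show the trade-off between the methods: the signature scan names the attack precisely but only for patterns it already knows, while the anomaly scan catches the unknown exfiltration but says only "this is unusual" and needs a learning period before it can say anything at all.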
4. Events Generated by IDS/IPS
When an IDS/IPS detects something suspicious, it generates events. Knowing these events helps map them to source technologies for exam purposes.
Common IDS/IPS events:
| Event Type | Description |
|---|---|
| Port scan detected | Someone is scanning your network for open ports. |
| Malware signature detected | Known malware has been found in network traffic or a file. |
| Brute force login attempt | Multiple failed login attempts detected on a server. |
| Policy violation | Traffic violates security rules (e.g., blocked protocol). |
| Suspicious packet anomaly | Unusual traffic patterns detected (possible attack). |
5. IDS vs IPS in Event Handling
- IDS events:
- Alert only (logs, notifications)
- Example: “Suspicious TCP connection detected from IP 192.168.1.50”
- IPS events:
- Alert and take action (block, drop, reset connection)
- Example: “Connection from 192.168.1.50 blocked due to known SQL injection pattern”
- Caveat: because an IPS acts, a false positive blocks legitimate traffic, so IPS rules are tuned more conservatively than IDS rules, and many deployments run new rules in alert-only mode before enabling drop.
6. Why IDS/IPS is important in CyberOps
- Helps detect attacks quickly and minimize damage.
- Provides visibility into network traffic and endpoint behavior.
- Supports incident response by giving logs and alerts for security analysts.
- Lets analysts map each event to the technology that generated it (NIDS/NIPS or HIDS/HIPS, alerting vs blocking), so they know what the event proves, what action was already taken, and where to look next.
7. Example Scenario: Web Server
Imagine you have a web server:
- NIDS monitors traffic coming to the web server. It detects a SQL injection attempt.
- IDS generates an alert: “SQL injection detected from IP 10.0.0.5”
- Security team investigates.
- If you have NIPS active:
- IPS detects the same attack
- Automatically blocks traffic from 10.0.0.5
- Event logged: “Traffic blocked: SQL injection from IP 10.0.0.5”
The difference is in the handling: the IDS only alerts and leaves the response to the team, while the IPS blocks the traffic and then logs what it did.
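As an added example covering sections 4, 5 and 7 (not code from the page or from Suricata), the following Python script takes alert lines in the style of a Suricata `fast.log`, parses them, maps each one to an event type from the table in section 4, and records whether the source technology acted as an IDS (alert only) or an IPS (blocked). The lines are constructed sample data with made-up sids (1000001 to 1000005); the assumption is that the sensor in IPS mode prefixes dropped packets with `[Drop]` and an IDS-mode sensor writes the same line without it.

```python
import re
from collections import Counter

# Constructed alert lines in Suricata fast.log style (sample data, not real sensor output).
SAMPLE_FAST_LOG = [
    "01/15/2025-10:23:45.123456  [**] [1:1000001:1] LOCAL Port scan detected [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:22",
    "01/15/2025-10:24:02.000100  [Drop] [**] [1:1000002:1] LOCAL SQL injection attempt in HTTP URI [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80",
    "01/15/2025-10:25:10.555555  [**] [1:1000003:2] LOCAL Brute force SSH login attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.6:40000 -> 192.168.1.10:22",
    "01/15/2025-10:26:00.000000  [Drop] [**] [1:1000004:1] LOCAL Known malware C2 beacon [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.20:49152 -> 203.0.113.7:443",
    "01/15/2025-10:27:30.250000  [**] [1:1000005:1] LOCAL Policy violation: Telnet traffic [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.30:50500 -> 192.168.1.40:23",
]

# Assumption: "[Drop]" marks a packet the sensor dropped (IPS mode), "[wDrop]"
# one it would have dropped but the sensor was not inline. IPv4 only here.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>Drop|wDrop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

# Event types from the table in section 4, matched on keywords in the rule
# message and classification. Order matters: first match wins.
EVENT_TYPES = [
    ("Port scan detected", ("port scan", "portscan")),
    ("Malware signature detected", ("malware", "trojan")),
    ("Brute force login attempt", ("brute force",)),
    ("Policy violation", ("policy", "privacy violation")),
    ("Suspicious packet anomaly", ("anomaly", "anomalous")),
]


def classify(msg, classification):
    """Map a rule message/classification to one of the page's event types."""
    text = f"{msg} {classification}".lower()
    for event_type, keywords in EVENT_TYPES:
        if any(k in text for k in keywords):
            return event_type
    return f"Signature match: {msg}"


def handling(action):
    """Translate the action tag into IDS vs IPS behaviour."""
    if action == "Drop":
        return "blocked (IPS)"
    if action == "wDrop":
        return "would have blocked (IPS rule, sensor not inline)"
    return "alert only (IDS)"


def map_events(lines):
    """Parse fast.log-style lines into events tagged with source technology and handling.

    Lines that do not match the format are skipped, not guessed at: they
    belong to a different source technology and a different parser.
    """
    events = []
    for line in lines:
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "timestamp": m["ts"],
            "sid": int(m["sid"]),
            "event_type": classify(m["msg"], m["cls"]),
            "source_technology": "NIDS/NIPS (Suricata-style fast.log)",
            "handling": handling(m["action"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def count_by_handling(events):
    """How many events were only alerted on vs actually blocked."""
    return dict(Counter(e["handling"] for e in events))


if __name__ == "__main__":
    parsed = map_events(SAMPLE_FAST_LOG)
    for e in parsed:
        print(f"{e['timestamp']}  {e['event_type']:32s} {e['src']} -> {e['dst']}:{e['dport']}  {e['handling']}")
    print(count_by_handling(parsed))
```

The second line is the scenario from section 7 as an IPS would log it: the same SQL injection rule fires, but the `[Drop]` tag records that the traffic from 10.0.0.5 never reached the web server. Without that tag (the IDS case) the analyst has to assume the request went through and investigate the server.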
8. Key Points to Remember for the Exam
- IDS detects attacks → logs & alerts only.
- IPS detects and prevents attacks → blocks malicious traffic.
- Types: Network-based (monitors traffic) and Host-based (monitors system activity).
- Detection methods: Signature-based (known patterns) and Anomaly-based (behavior deviations).
- Events help map attacks to IDS/IPS technology, which is critical for exam questions.
