For those who are active in the network security domain, IDS is a well-known acronym. With an IDS, you analyze the traffic hitting your network and try to detect bad or unwanted packets. But how many companies look at their outgoing traffic?
First, your firewalls must restrict outgoing traffic to the minimum your applications need to run. But are you sure that the allowed traffic is really business related? Need examples?
- ICMP tunnels
- HTTP tunnels
- Misused well-known ports (example: running an SSH connection over port 443)
There is a 90% chance that outgoing HTTP and ICMP are allowed by your firewall security policy. Do I need to continue with this list? Traffic can easily be encapsulated in those protocols.
If some machines on your network are infected and are part of a botnet, inspecting the traffic at layer 7 can also reveal unusual traffic (e.g. spam sent from a zombie host). Malware activity can also be detected (e.g. credentials sent over cleartext HTTP).
Extrusion Detection is a set of mechanisms and tools which try to prevent all those kinds of problems on a network. The goals of Extrusion Detection are multiple:
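To make the egress checks above concrete, here is an added example (not code from the original post) of a small outbound-traffic inspector: it flags SSH banners on port 443, non-HTTP payloads on port 80, oversized ICMP payloads typical of tunnels, and cleartext credential fields in HTTP. The `EgressEvent` record and the sample traffic are constructed for this example; in practice the events would come from a packet or flow sensor on the egress link.

```python
"""Toy extrusion detector for the anomalies listed in the post (added example)."""
import re
from dataclasses import dataclass


@dataclass
class EgressEvent:
    proto: str        # "tcp", "udp" or "icmp"
    dst_port: int     # 0 for ICMP
    payload: bytes    # first bytes of the outbound payload


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")
CRED_RE = re.compile(rb"(pass(word|wd)?|pwd)=", re.I)
ICMP_MAX_PAYLOAD = 64   # normal echo payloads are 32 (Windows) or 56 (Linux) bytes


def inspect(ev: EgressEvent) -> list[str]:
    """Return a list of alert names for one outbound event (empty if clean)."""
    alerts = []
    if ev.proto == "icmp":
        # Echo payloads are small and constant; ICMP tunnels carry bulk data.
        if len(ev.payload) > ICMP_MAX_PAYLOAD:
            alerts.append("icmp-oversized-payload")
    elif ev.proto == "tcp" and ev.dst_port == 443:
        # A client SSH banner, or anything that is not a TLS record header
        # (content type 0x16, version 0x03), means 443 is being misused.
        if ev.payload.startswith(b"SSH-"):
            alerts.append("ssh-over-443")
        elif not ev.payload.startswith(b"\x16\x03"):
            alerts.append("non-tls-on-443")
    elif ev.proto == "tcp" and ev.dst_port == 80:
        if not ev.payload.startswith(HTTP_METHODS):
            alerts.append("non-http-on-80")
        elif CRED_RE.search(ev.payload):
            alerts.append("cleartext-credentials")
    return alerts


# Constructed sample traffic, not captured data.
SAMPLE_EVENTS = [
    EgressEvent("tcp", 443, b"\x16\x03\x01\x02\x00\x01\x00"),           # normal TLS
    EgressEvent("tcp", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),                # SSH on 443
    EgressEvent("icmp", 0, b"\x00" * 56),                               # normal ping
    EgressEvent("icmp", 0, b"GET /secret HTTP/1.1\r\n" + b"A" * 400),   # ICMP tunnel
    EgressEvent("tcp", 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=hunter2"),
]


def scan(events: list[EgressEvent]) -> dict[int, list[str]]:
    """Map the index of each suspicious event to its alerts."""
    return {i: inspect(e) for i, e in enumerate(events) if inspect(e)}


if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(alerts)}")
```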
- Try to detect infected hosts in your network
- Prevent infected hosts from launching attacks against remote hosts and/or sending confidential information to the attacker (key logs, credentials)
Finally, you will be able to react very quickly in case of suspicious activity and take the right actions. It’s very annoying to receive a complaint forwarded by your ISP or sent directly to your internal <abuse@company.com> address!