
Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls

Networks are what make collaborative work possible. Without them, remote or global business wouldn’t exist. This critical role attracts attention and makes networks a preferred target for wrongdoers, placing them among the security personnel’s top priorities.

In previous articles about ISO 27001 network controls, we talked about firewalls and network segregation (see How to use firewalls in ISO 27001 and ISO 27002 implementation and Requirements to implement network segregation according to ISO 27001 control A.13.1.3). While these options improve network security, they share a critical limitation: as border controls, they cannot act on events happening inside the zones they protect.

Fortunately, security teams have other alternatives to cover this gap. This article presents network intrusion detection systems and honeynets (a particular case of honeypots), and explains how they can support ISO 27001 control A.13.1.1 (Network controls) by identifying attacks in progress inside an organization’s networks and by gathering information on how attacks are carried out, so that countermeasures can be improved.

Network Intrusion Detection Systems

Network Intrusion Detection Systems (NIDSs) are devices or software applications that monitor network activities, looking for malicious behaviors or policy violations, and report their findings to a management station.

They differ from a firewall in that a firewall faces outward and uses rules to limit access to internal networks, preventing intrusions, whereas a NIDS inspects the traffic already inside the network for patterns indicating that an intrusion or policy violation has taken place, and raises an alarm, reducing the time needed to react to the event.

To make a NIDS effective, an organization needs to consider where it will be placed in the network, and which traffic evaluation methods and operating modes will be used.

Choosing a place for deploying a NIDS

A NIDS should be placed at a point, or points, where it can monitor traffic to and from all devices on the network. Suggested locations are the firewalls’ subnets and the critical servers’ subnets.

Because firewall subnets concentrate all the traffic between the networks they connect, they are the ideal place to deploy a NIDS that identifies the most common, amateur intrusions early.

In critical servers’ subnets, a NIDS can take advantage of the specific, predictable traffic patterns to tune its configuration and spot even the most discreet intrusions, generally those related to professional attacks.

How does a NIDS spot a network intrusion or violation?

Basically, there are two methods a NIDS may use for intrusion identification:

Library of known attacks: the NIDS analyzes network traffic against signatures of known attacks. This is the quickest way to prepare a NIDS for operation, but it won’t detect attacks for which it has no signature. This method should be considered when the traffic to be analyzed is high-volume or highly variable (e.g., a firewall subnet).

Traffic sample: the NIDS analyzes network traffic against samples of what is considered normal traffic. This method takes more time to prepare the NIDS for operation, because it first has to learn how the network traffic normally flows, but once that is done, the NIDS can identify even the slightest signs of an intrusion. It should be considered for sensitive networks or those with little traffic variation (e.g., a critical server subnet).

Regarding when the traffic analysis is performed, it can be online (in real time) or offline (the NIDS works on stored data). Since NIDS operation can create a bottleneck that affects time-sensitive services, these two options must be evaluated carefully.

Honeypots and honeynets

It is a fact in security that you cannot protect everything all the time. So, what about setting up a specific asset to be invaded and seeing what happens? As strange as it may seem, this is the concept of a honeypot, and it can help a lot in detecting attacks, understanding how an attack is performed, and devising proper countermeasures. Since in this case our asset is a network, the proper term is honeynet.

So, a honeynet is a network that appears to be a legitimate part of the organization’s infrastructure, containing what seems to be valuable information, but that in fact has no business value and is isolated and monitored.

How honeynets can be used

Basically, you can use honeynets for two purposes:

First line of detection: configured with attractive parameters (e.g., default passwords, unpatched software, names that reveal the asset’s purpose, etc.), a honeynet may appear to be a tempting target for an attacker, drawing attention away from the real valuable assets while alerting the security team. Generally, this kind of honeynet has little interaction capability, simulating only the most frequently requested services, and cannot be used for much more than an alarm system.

Information gathering: honeynets that provide more resources to be explored (e.g., services, applications, databases, etc.) can be used to monitor an attacker’s actions and identify their methods, tools, and techniques, providing knowledge that can be used to update the defensive capabilities of the controls deployed to protect the real network.
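To make the two NIDS detection methods described earlier (library of known attacks, traffic sample) and the honeynet’s “first line of detection” role concrete, here is an added example that is not part of the original article: a miniature offline analyzer run over stored, constructed flow records. The record format, the signatures, the 10.99.0.0/24 honeynet range and all addresses and byte counts are assumptions for illustration; any flow to the honeynet is an alarm by definition, because no legitimate traffic is expected there.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

Flow = namedtuple("Flow", "src dst dport nbytes payload", defaults=(b"",))  # constructed record format

# Method 1 - library of known attacks: byte patterns catalogued by analysts (constructed examples).
SIGNATURES = {"path-traversal": b"../../etc/passwd", "sql-injection": b"' OR 1=1"}
# Honeynet range (constructed): isolated and without business value, so any flow to it is an alarm.
HONEYNET = ip_network("10.99.0.0/24")

class Baseline:
    """Method 2 - traffic sample: learn normal byte volume per service port before detecting."""
    def __init__(self, normal_flows, k=3.0):
        per_port = {}
        for f in normal_flows:
            per_port.setdefault(f.dport, []).append(f.nbytes)
        self.stats = {p: (mean(v), pstdev(v)) for p, v in per_port.items()}
        self.k = k  # standard deviations tolerated before a flow counts as a sign of intrusion

    def is_anomalous(self, f):
        if f.dport not in self.stats:
            return f"unseen service port {f.dport}"
        mu, sigma = self.stats[f.dport]
        if abs(f.nbytes - mu) > self.k * max(sigma, 1.0):  # guard against sigma == 0
            return f"volume {f.nbytes}B far from baseline {mu:.0f}B on port {f.dport}"
        return None

def analyze(flows, baseline):
    """Offline pass over stored flows: honeynet check, then signatures, then baseline."""
    alerts = []
    for f in flows:
        if ip_address(f.dst) in HONEYNET:
            alerts.append((f, "honeynet touched: no legitimate traffic expected"))
        elif (hit := next((n for n, p in SIGNATURES.items() if p in f.payload), None)):
            alerts.append((f, f"signature match: {hit}"))
        elif (reason := baseline.is_anomalous(f)):
            alerts.append((f, "anomaly: " + reason))
    return alerts

# Constructed sample traffic: a learning set of normal flows, then observed flows to judge.
NORMAL = [Flow("10.1.0.5", "10.2.0.10", 443, n) for n in (1800, 2100, 1950, 2300, 1700)] \
       + [Flow("10.1.0.6", "10.2.0.53", 53, n) for n in (120, 140, 110, 160, 130)]
OBSERVED = [
    Flow("10.1.0.5", "10.2.0.10", 443, 2000),                                        # normal
    Flow("198.51.100.7", "10.2.0.10", 443, 900, b"GET /../../etc/passwd HTTP/1.1"),  # signature
    Flow("10.1.0.9", "10.2.0.10", 443, 95000),                                       # volume anomaly
    Flow("10.1.0.9", "10.2.0.10", 3389, 500),                                        # unseen port
    Flow("10.1.0.9", "10.99.0.17", 22, 300),                                         # honeynet
]
```

Running `analyze(OBSERVED, Baseline(NORMAL))` yields four alerts and leaves the first, normal flow untouched; note that the learning step is what lets the baseline flag the large transfer and the never-seen port, which no signature would catch.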

Integrating NIDS and honeynets into an ISMS

Like any information security control compliant with ISO 27001, NIDS and honeynets should be integrated into the ISMS as mitigations of network-related risks in the risk assessment documentation, and referred to in the Statement of Applicability (the most suitable control related to NIDS and honeynets is A.13.1.1, Network controls). See also: The basic logic of ISO 27001: How does information security work?

Observation and deception can do a lot to improve security

Network intrusion is not a question of if, but when. And when it happens, the reaction time may be the difference between minimal and disastrous losses.

Besides supporting compliance with control A.13.1.1 of ISO 27001, these tools enhance overall security management: by using detective controls like a NIDS, an organization leaves the attacker no time window to benefit from their actions, and by using honeynets, it can both draw attention away from its valuable assets and gather information to improve the protection of the infrastructure that really matters.

To learn more on how to improve your overall information security, try this online Security Awareness Training.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.