Publication: An Open-Source Solution for Corporates to Implement Scenario based Intrusion Detection for Incident Response
Type: Thesis
Date: 2021
Abstract
Detecting potential security compromises to aid in formulating a proactive response strategy is still a relatively new field in the local network security arena. Even the managed security service providers that support these corporates across different digital security tiers face difficulties in finding practical implementations that can both detect intrusions and escalate them to the relevant parties for mitigation. This research discusses how a third-tier detection strategy can be developed with open-source toolkits such as the Snort intrusion detection system, acting as a second line of defense in support of network teams. The need for auxiliary packages to work alongside Snort must be stressed, because the demands are higher in a corporate environment; examples include Zeek and Security Onion. Placing an IDS so that it performs as expected requires careful planning after a thorough examination of the relevant network diagrams. For this, the recommendation is to use dedicated hardware composed of all the tools mentioned, deployed on an ad-hoc basis with a switch SPAN setup (also commonly known as port mirroring), so that an exact copy of the traffic flowing through the switch is fed to the IDS for investigation. To suit the Sri Lankan context, a stripped-down version of the MITRE ATT&CK + SHIELD Active Defense Matrix will be used to choose the applied malicious datasets and to design the security playbooks.
