nanoIDS - The Ultimate Cyber Alarm


nanoIDS Q&A:


What is nanoIDS?
nanoIDS is the cyber equivalent of the fire alarm or burglar alarm which every business has today.
It is an affordable, effective, and easy to use alarm service which detects and reports cyber attacks.


What are the components of nanoIDS?
nanoIDS has three main components:
  • nanoIDS Sensors - small, low-cost hardware devices or Virtual Appliances which detect, analyze and log connection attempts and other network anomalies, and send reports to the nanoIDS Server.
  • nanoIDS Server - a cloud-based management server which receives reports from nanoIDS Sensors, and integrates them to increase their accuracy and reliability.
    The nanoIDS Server sends alerts to the nanoIDS Console and the Incident Response Team.
    The nanoIDS Server is also responsible for configuring nanoIDS Sensors, and providing them with secure remote software updates.
  • nanoIDS Console - a web dashboard which displays alerts and alert statistics, and is used by customers and MSPs to monitor and manage groups of nanoIDS Sensors at various locations.



How does nanoIDS Work?
When a computer on the network is compromised, the attacker typically scans the network to find more devices with valuable data.

The nanoIDS Sensor can detect this activity by operating in two modes:

First, it disguises itself as a network device, such as a Server, a Workstation or a Laptop.
When the attacker scans the network, it tries to connect with the nanoIDS Sensor, thinking it is a 'real' device.
The nanoIDS Sensor passively detects this attempt.

The second mode for detecting scans and other suspicious network activity is monitoring Layer 2 traffic and looking for 'anomalies'.
Most network scans can be detected by analyzing Layer 2 packets, because a host that is enumerating a subnet has to resolve or address many neighbours it has never spoken to before.

When a nanoIDS Sensor detects an event it logs it and reports it to the nanoIDS Server, which integrates the data from multiple sensors and decides whether to send an alert to the Incident Response Team.

The Incident Response Team can disconnect the computer from which the scan was initiated, or temporarily shut down a network segment or even the whole network until the issue is identified and resolved.
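The two sensor modes described above, as an added worked example (this is illustrative code written for this page, not nanoIDS firmware): a passive sensor that only reads raw Ethernet frames, raises a 'decoy probe' report when anything is addressed to the decoy IP it poses as, and an 'ARP sweep' report when one sender resolves many different addresses within a short window. The frame format parsing (Ethernet/ARP/IPv4/TCP) is standard; the decoy address, the sweep threshold and window, the report fields and the sample traffic are all assumptions constructed for the example.

```python
import struct
from collections import defaultdict

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
SWEEP_THRESHOLD = 8      # distinct ARP targets from one sender ... (assumed value)
SWEEP_WINDOW = 10.0      # ... within this many seconds        (assumed value)


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def arp_request(src_mac, src_ip, target_ip):
    """Constructed broadcast ARP who-has frame (sample input, not captured traffic)."""
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(src_mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + mac(src_mac) + ip(src_ip)
           + mac("00:00:00:00:00:00") + ip(target_ip))
    return eth + arp


def tcp_syn(src_mac, dst_mac, src_ip, dst_ip, dport):
    """Constructed IPv4/TCP SYN frame; checksums are left at zero, the detector never checks them."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip(src_ip), ip(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr


def parse(frame):
    """Return (src_mac, kind, src_ip, dst_ip, dport) for ARP requests and TCP SYNs; None otherwise."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12].hex(":")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_ARP and len(frame) >= 42:
        if struct.unpack("!H", frame[20:22])[0] == 1:                 # ARP opcode 1 = request
            return src_mac, "arp", ip_str(frame[28:32]), ip_str(frame[38:42]), None
    elif etype == ETH_IPV4 and len(frame) >= 34 and frame[23] == 6:  # IP protocol 6 = TCP
        t = 14 + (frame[14] & 0x0F) * 4                               # TCP header offset
        if len(frame) >= t + 14 and frame[t + 13] & 0x12 == 0x02:     # SYN set, ACK clear
            dport = struct.unpack("!H", frame[t + 2:t + 4])[0]
            return src_mac, "syn", ip_str(frame[26:30]), ip_str(frame[30:34]), dport
    return None


class Sensor:
    """Passive sensor: it never transmits, it only classifies frames it sees and emits reports."""

    def __init__(self, decoy_ip):
        self.decoy_ip = decoy_ip
        self.arp_history = defaultdict(list)   # sender MAC -> [(ts, target_ip)]
        self.sweep_reported = set()            # senders already reported: one report per sweep

    def ingest(self, frame, ts):
        events = []
        parsed = parse(frame)
        if parsed is None:
            return events
        src_mac, kind, src_ip, dst_ip, dport = parsed
        # Mode 1: anything addressed to the decoy is a probe, since no legitimate host talks to it.
        if dst_ip == self.decoy_ip:
            events.append({"type": "decoy_probe", "via": kind, "dport": dport,
                           "src_mac": src_mac, "src_ip": src_ip, "ts": ts})
        # Mode 2: Layer 2 anomaly. One sender resolving many different addresses in a short window.
        if kind == "arp":
            hist = self.arp_history[src_mac]
            hist.append((ts, dst_ip))
            hist[:] = [(t, i) for t, i in hist if ts - t <= SWEEP_WINDOW]
            targets = {i for _, i in hist}
            if len(targets) >= SWEEP_THRESHOLD and src_mac not in self.sweep_reported:
                self.sweep_reported.add(src_mac)
                events.append({"type": "arp_sweep", "targets": len(targets),
                               "src_mac": src_mac, "src_ip": src_ip, "ts": ts})
        return events


def run_demo():
    """Replay constructed traffic through one sensor and return the reports it would send."""
    sensor = Sensor(decoy_ip="10.0.0.50")
    scanner_mac, scanner_ip = "02:00:00:00:00:63", "10.0.0.99"
    events = []
    # A normal workstation resolving its gateway: no report.
    events += sensor.ingest(arp_request("02:00:00:00:00:0a", "10.0.0.10", "10.0.0.1"), ts=0.0)
    # A compromised host sweeping the subnet, then touching the decoy by ARP and by a SYN to 445.
    for i in range(1, 13):
        events += sensor.ingest(arp_request(scanner_mac, scanner_ip, f"10.0.0.{i}"), ts=1.0 + 0.1 * i)
    events += sensor.ingest(arp_request(scanner_mac, scanner_ip, "10.0.0.50"), ts=2.5)
    events += sensor.ingest(tcp_syn(scanner_mac, "02:00:00:00:00:50", scanner_ip, "10.0.0.50", 445), ts=2.6)
    return events


if __name__ == "__main__":
    for e in run_demo():
        print(e)
```

Note what the sensor does not do: it never answers the ARP request or the SYN, so the only thing the scanner can observe is an address that stays silent, which is exactly the 'passive' behaviour the FAQ describes. The sweep threshold is deliberately low here so the demo triggers; on a real segment it has to be tuned against legitimate bursts such as DHCP servers, monitoring systems and printer discovery.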

More info: How does nanoIDS work?


Why is it called 'nanoIDS'?
In cyber-security, IDS stands for Intrusion Detection System - a hardware device or a piece of software that monitors a network or a host, detects cyber attacks and reports them.
We call our cyber attack sensor 'nanoIDS' because it is both physically smaller and much simpler to use than most IDS products.


Why is nanoIDS needed?
Isn’t the EDR/XDR software already installed on the computers sufficient for preventing attacks?

Most of the organizations that suffered 'successful' cyber attacks were using EDR or similar endpoint software-based solutions.
EDR solutions rely largely on detecting known or common attack patterns; they are not always useful against newer or more innovative attacks, and they are far from 100% effective.

When an attacker manages to defeat the EDR and takes control of a computer on the network, they typically scan the network to find other hosts that store important data and backups.
This is where nanoIDS comes in - it detects the scan and alerts the Incident Response Team that an attack is taking place.

More info: Where does nanoIDS fit in?


What do industry experts think about the need to detect intruder activity?
Nir Zuk, Founder of Palo Alto Networks, said the following at the Silicon Club meetup event which took place on April 7th, 2022:

“One of the most prominent trends we see in the field of cybersecurity, even in Israel, is the transition from preventing intrusion, to locating the attackers even when they are already inside the organization. Traditionally, most of the investment in cybersecurity has been targeted at preventing attackers from entering the organization.
The realization today is that it is important to do this, but it is impossible to succeed in 100% [of the cases]. If the attackers try a thousand times and we fail once, they're in. If not a thousand, they'll try a million times.
Once the attackers are inside, it depends on what they want to do. If they want to encrypt the files [on a single computer], identifying them when they are inside will be quite difficult, but if it is a real attack that tries to reach the most important things that the organization has and steal them or change them, it takes time.
In order to do this, the attackers need to traverse the organization, break in from one machine to another, try and fail. They need to perform a lot of actions.
At this point, the advantage moves to the protectors. The attackers have to be under the radar 100% of the time, and it’s enough that our radar will detect them once, [and then] we know something is happening and if we are quick enough to react, we will respond”


Source (Hebrew): chiportal.co.il



When nanoIDS detects a cyber attack, how can it assist the customer or the MSP in stopping it?
The nanoIDS Server analyzes the information received from nanoIDS sensors in order to pinpoint the originator of the attack and its scope.
Based on this information, it sends out alerts and displays recommendations on the nanoIDS console regarding the actions that should be taken to stop the attack:
Disconnect a specific computer from the network, perform a virus scan on that computer, temporarily shut down a network segment or even the entire network and check all computers, etc.


What happens if an attacker controls the network gateway, and prevents the nanoIDS sensor from contacting the server?
The nanoIDS Sensor sends a periodic “keep alive” signal to the nanoIDS Server, and if it is blocked the Server will report to the Console that there is no communication with the Sensor. For increased security, an advanced version of the nanoIDS Sensor called 'nanoIDS Duo' has an out-of-band communication mechanism as a backup, using cellular data networks.


How difficult is it to install and maintain the nanoIDS devices on the customers’ networks?
The cost and effort of distributing and installing nanoIDS Sensors in a network is very low, much lower than installing software such as traditional EDR (Endpoint Detection and Response) on each and every host in that network.
All you need to do is take the device out of the box and connect it to power and to the network.
The physical nanoIDS Sensor is a very simple and reliable Single Purpose Device that is designed to last for many years.
The devices require no configuration (they are self-configuring), and no regular maintenance.


How does nanoIDS work for organizations who store their data in the cloud?
Most attackers do not know whether the attacked organization has on-premises or cloud data storage (or both).
Therefore, in almost all cases they would scan the network to find servers and storage devices, and nanoIDS detects these scans.
Detecting the attack early limits further damage to the compromised computer and to other clients on the same network.
Virtual nanoIDS sensors can also be placed within the organization's cloud infrastructure.


How does nanoIDS work when employees work from shared working spaces or from their home?
In shared working spaces, nanoIDS Sensors can be placed on the main network, or only on the network segment used by the employees.
nanoIDS can also be installed on home networks, to detect cyber attacks that start from a compromised private or family member's computer and target the employee's computer.
Virtual nanoIDS sensors can also be placed within the organization's VPN subnets.


Is the nanoIDS sensor essentially a 'Low-Interaction Honeypot'?
If so, wouldn't a 'High-Interaction Honeypot' be better?

The nanoIDS sensor can loosely be classified as an 'Ultra-Low-Interaction Honeypot', but there are a few major differences between it and 'classic' honeypots:

  Honeypots typically operate at OSI Layer 7 (Application Layer).
  nanoIDS operates at OSI Layers 2, 3 and 4.

  Honeypots are usually 'Active' - they respond to an attacker connecting to them.
  nanoIDS is completely 'Passive' - an attacker connecting to it gets no response.

There are a few important advantages to the nanoIDS 'Ultra-Low-Interaction' approach:

The main advantage is that it is much harder for the attacker to determine that they 'got caught':
An attacker who comes across a 'high interaction' honeypot can usually determine within minutes that they have been detected.
A competent attacker would then try to cover their tracks and 'lay low' somewhere on the network while the security audits take place.
A few days later, if they were able to maintain a persistent presence on the network, the attacker would try compromising the network again, and this time they would be more careful.
A 'low interaction' (or 'Passive') approach does not give an attacker 'a second chance' - all the attacker can see is a device that does not respond to connection attempts. This is 'normal behavior' (many hosts drop unsolicited connections), and most attackers would not be able to determine that they have 'tripped an alarm'.

Another advantage of a 'low interaction' approach is that such devices inherently have a much smaller attack surface in comparison to 'high interaction' devices, mostly because they never have to interpret input from a potential attacker.
This significantly lowers the risk that the device could be utilized as an attack vector into the customer's network.


Wouldn't nanoIDS generate a lot of false alarms?
The nanoIDS system includes mechanisms that ensure High Alert Quality.

When a nanoIDS Sensor detects an 'anomaly', it sends a detailed report to the nanoIDS Server.
The server integrates this report with other reports from the same sensor and from other sensors, then generates an 'Integrated Event'.
This Event is then processed through a 'decision-making pipeline' and given a 'Quality score'.

Only events with a high enough score trigger an 'Alarm', ensuring a very low 'False-Positive' rate.
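The integration and scoring step described above, as an added worked example (illustrative code written for this page, not the nanoIDS Server's pipeline): sensor reports are grouped per originating host, stale history outside a correlation window is dropped, independent confirmation (several sensors, several decoys, several distinct behaviours) raises the score, and an allowlist keeps the customer's own authorized vulnerability scanner from raising an alarm. The report fields, weights, window, threshold and sample reports are all assumptions constructed for the example.

```python
from collections import defaultdict

CORRELATION_WINDOW = 300.0   # seconds: reports about one host older than this are not merged (assumed)
ALARM_THRESHOLD = 60         # quality score needed to raise an alarm (assumed)
WEIGHTS = {"arp_sweep": 30, "decoy_probe_arp": 15, "decoy_probe_syn": 35}   # assumed weights


def integrate(reports, authorized_scanners=frozenset()):
    """Merge raw sensor reports into one Integrated Event per originating host and score it."""
    by_src = defaultdict(list)
    for r in sorted(reports, key=lambda r: r["ts"]):
        by_src[r["src_ip"]].append(r)
    events = []
    for src, rs in by_src.items():
        latest = rs[-1]["ts"]
        rs = [r for r in rs if latest - r["ts"] <= CORRELATION_WINDOW]   # drop stale history
        kinds = {r["type"] + ("_" + r["via"] if r["type"] == "decoy_probe" else "") for r in rs}
        sensors = {r["sensor_id"] for r in rs}
        decoys = {r["decoy_ip"] for r in rs if r["type"] == "decoy_probe"}
        # Distinct behaviours add up; independent confirmation (more sensors, more decoys) adds more.
        score = sum(WEIGHTS.get(k, 0) for k in kinds)
        score += 10 * (len(sensors) - 1) + 10 * max(len(decoys) - 1, 0)
        score = min(score, 100)
        suppressed = src in authorized_scanners   # e.g. the customer's own vulnerability scanner
        events.append({"src_ip": src, "score": score, "kinds": sorted(kinds),
                       "sensors": sorted(sensors), "decoys": sorted(decoys),
                       "suppressed": suppressed,
                       "alarm": score >= ALARM_THRESHOLD and not suppressed})
    return events


def recommend(event):
    """Actions to show on the console for an alarm, following the FAQ's own list of responses."""
    if not event["alarm"]:
        return []
    actions = [f"Disconnect {event['src_ip']} from the network and scan it for malware"]
    if len(event["sensors"]) > 1:
        actions.append("Decoys on more than one segment were hit: consider isolating those segments")
    return actions


# Constructed sample reports from two sensors (not real nanoIDS output).
SAMPLE_REPORTS = [
    # Compromised host: a sweep plus decoys hit on two segments, all within a few seconds.
    {"sensor_id": "sensor-A", "type": "arp_sweep", "src_ip": "10.0.0.99", "ts": 1001.8},
    {"sensor_id": "sensor-A", "type": "decoy_probe", "via": "arp", "decoy_ip": "10.0.0.50", "src_ip": "10.0.0.99", "ts": 1002.5},
    {"sensor_id": "sensor-A", "type": "decoy_probe", "via": "syn", "decoy_ip": "10.0.0.50", "src_ip": "10.0.0.99", "ts": 1002.6},
    {"sensor_id": "sensor-B", "type": "decoy_probe", "via": "syn", "decoy_ip": "10.0.1.50", "src_ip": "10.0.0.99", "ts": 1004.0},
    # Workstation: a discovery burst hours earlier, then one stray ARP for the decoy (a mistyped address).
    {"sensor_id": "sensor-A", "type": "arp_sweep", "src_ip": "10.0.0.10", "ts": 10.0},
    {"sensor_id": "sensor-A", "type": "decoy_probe", "via": "arp", "decoy_ip": "10.0.0.50", "src_ip": "10.0.0.10", "ts": 9000.0},
    # Authorized vulnerability scanner: looks exactly like an attack and has to be allowlisted.
    {"sensor_id": "sensor-A", "type": "arp_sweep", "src_ip": "10.0.0.5", "ts": 500.0},
    {"sensor_id": "sensor-A", "type": "decoy_probe", "via": "syn", "decoy_ip": "10.0.0.50", "src_ip": "10.0.0.5", "ts": 501.0},
]


def run_demo():
    """Return the Integrated Events for the sample reports, keyed by originating host."""
    events = integrate(SAMPLE_REPORTS, authorized_scanners={"10.0.0.5"})
    return {e["src_ip"]: e for e in events}


if __name__ == "__main__":
    for e in run_demo().values():
        print(e["src_ip"], e["score"], "ALARM" if e["alarm"] else "-", recommend(e))
```

The allowlisted scanner still produces an event with its full score, only the alarm is suppressed; an authorized scanner whose credentials were stolen is a classic way to hide a real sweep, so the event should stay visible on the console even though it does not page anyone.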

Wouldn't nanoIDS alerts increase the workload for Network Administrators?
nanoIDS generates only High Quality Alerts.
This means that an alert indicates the presence of a compromised system on the network.
That only happens when an Active Attack is taking place.

An early alert in case of an active attack gives the Network Administrators a chance to mitigate the attack and greatly reduce the damage from the incident.

In the long term, stopping an attack early reduces the workload for Network Administrators rather than increasing it.

Once nanoIDS becomes popular, wouldn't the attackers find a way to defeat it?
nanoIDS Sensors are 'Passive' devices.
This makes them very hard to detect.

The Sensors also operate in multiple modes, monitoring traffic at the lowest network layers (L2-L4).
It is very difficult for an attacker to effectively scan a network without generating detectable traffic at those layers.

The nanoIDS system is also centrally managed.
It can be adapted to future attacks, and upgraded as needed, the same way as an EDR / Anti-virus receives regular updates.

Couldn't nanoIDS be used by an attacker as an 'Attack Vector' into the network?
nanoIDS was designed 'from the ground up' to be secure.
Below are some security features implemented by nanoIDS:

nanoIDS Sensors are among the 'safest' network security devices:

  • Sensors implement only very limited, essential functionality, and thus have the smallest 'Attack Surface' possible.
  • They have no 'Open Ports', and do not respond to any external connections.
  • Connection between the Sensors and the Servers is always encrypted, and can only be initiated by the Sensor.
  • Commands and firmware updates must be digitally signed, and each Sensor verifies them with device-specific signing keys.

nanoIDS Servers operate in 'High-Security' mode:

  • Servers are 'hardened' - they implement only minimal functionality, and keep 3rd-party tools and libraries to a minimum.
  • Servers are constantly monitored, and updated regularly.
  • Firmware signing keys are never stored 'On-line' on the servers.
  • User Interfaces and User-facing APIs are physically and logically separated from Sensor-facing communication and Database services.
  • Server Access control is very strict, allowing only necessary operations to be performed by users and services.
  • Credential-Stuffing, Brute-Force and Fuzzing countermeasures are built into external and internal APIs.
  • Users can only control customer-specific alert settings. Sensors cannot be controlled by Users.



External Publications:


Ransomware Gangs’ Merciless Attacks Bleed Small Companies Dry:
In 2023 ransomware attacks rose 70% from a year earlier, to 4,611, according to the SANS Institute, a cybersecurity research and training organization. (Bloomberg Markets):
https://www.bnnbloomberg.ca/business/company-news/2024/12/06/ransomware-gangs-merciless-attacks-bleed-small-companies-dry/

"Abbott had thought the company was secure."
"Just a month before the intrusion, he’d arranged a £1 million cyberattack policy through the British insurer Aviva Plc"


"Managers had also trained staff on cybersecurity awareness and were paying about £60,000 annually to a contractor that provided support."

"Following the attack, he says, the contractor—whom he declines to name—provided little help and “didn’t have a clue” what to do."

More about Ransomware:
What is ransomware? (IBM)
https://www.ibm.com/topics/ransomware
"The attackers also work on gaining access to other systems and domains, a process called lateral movement."

The Seven stages of Ransomware attacks (July 23):
Ransomware attacks are pervasive and devastating, targeting organizations and causing havoc on operations, finances, and reputation.
To defend against these threats, security teams must understand the ransomware attack lifecycle:
https://flashpoint.io/blog/the-anatomy-of-a-ransomware-attack/
"Phase 3: Lateral movement and privilege escalation"

Even when the hackers are in your network, it might not be too late:
Ransomware attacks can be devastating, but even if cyber criminals are already inside your network, it's not too late to stop them - if you know what to look for:
https://www.zdnet.com/article/ransomware-even-when-the-attackers-are-in-your-network-its-not-too-late-to-fight-back/
"Criminals can spend weeks in the network before triggering a ransomware attack"
"Victims often only realise that they've been compromised when files, servers and other systems have been encrypted"

Successful Ransomware Attacks:
Change Healthcare:
https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/
"the attacker had access to the company's network for approximately ten days before deploying their encryptors"

Case Study: How Did Ransomware Attacks Affect These Three Hospitals?
https://www.healthtechzone.com/topics/healthcare/articles/2023/10/18/457461-case-study-how-did-ransomware-attacks-affect-these.htm
"In 2021, St. Margaret’s Health Hospital suffered a ransomware attack."
"In June 2023, the hospital announced that it would be closing down after 120 years of service."
"An analysis showed that hacking activity started weeks before"


Cyber-Security Tools as an attack vector - Using EDR to destroy backups:

Israeli researchers from SafeBreach claim they were able to cause Microsoft Defender (an EDR) to delete a database it was supposed to protect (Hebrew):
https://www.geektime.co.il/repurpose-edr-as-an-offensive-tool-microsoft-defender/

Turning EDRs and Cloud Backups to Malicious Wipers ('The Error Code' Podcast transcript):
https://medium.com/@robvamosi/turning-edrs-and-cloud-backups-to-malicious-wipers-0f1e45b5ea2e