Are Your IDS Rules Still Chasing Last Year's Attacks While This Year's Walk Right Through?

By IPThreat Team June 18, 2026

The Alert That Means Nothing Is Still Consuming Your Analyst's Time

Security operations teams running intrusion detection systems often face a specific and demoralizing problem: the system is firing constantly, analysts are spending hours triaging, and the genuinely dangerous activity is buried somewhere in the middle of hundreds of low-value alerts. This is not a tuning problem in the abstract sense. It is a structural problem that compounds over time as environments change, attack techniques evolve, and the detection rules stay exactly where they were when someone first deployed the system.

The recent credential harvesting campaign that compromised more than 30,000 Fortinet devices, combined with the FortiBleed leak exposing VPN credentials for 73,000 devices, illustrates exactly why this matters operationally. Attackers did not need to defeat the IDS. They exploited a configuration vulnerability, harvested credentials at scale, and moved laterally through networks where the IDS was watching for known malware signatures while the actual intrusion happened through valid authentication flows. A well-tuned IDS with behavioral detection would have flagged anomalous VPN authentication patterns. A poorly maintained one, still focused on signature matching for older threat categories, would have stayed silent.

This article works through the practical decisions that determine whether an IDS deployment actually catches intrusions or serves primarily as an expensive noise machine. The framing moves from immediate actions you can take today, through short-term improvements over the next week, into architectural decisions that should happen this quarter.

What Makes an IDS Deployment Drift Toward Uselessness

The core failure mode for intrusion detection systems is not technical misconfiguration. It is the gradual mismatch between what the system is looking for and what attackers are actually doing. When an IDS is first deployed, it is tuned against the threat landscape at that moment. Rule sets get configured, thresholds get set, and the system starts generating output. Over the following months, the network changes. New applications get deployed. Traffic patterns shift. A cloud migration adds east-west traffic the sensors were never positioned to see. Remote access expands the authentication surface substantially.

The IDS rule set, in most organizations, does not evolve at the same pace. Teams apply vendor-provided rule updates but do not retire obsolete rules, do not add detection logic for new attack patterns, and do not adjust thresholds to reflect the changed baseline of normal behavior. The result is a detection system that generates significant alert volume around old threat categories while providing limited visibility into the techniques attackers are using right now.

The EvilTokens phishing campaign represents a concrete illustration of this drift. EvilTokens bypasses password theft entirely, targeting session tokens after authentication completes. An IDS configured to detect credential-based attacks, watching for brute force patterns or known phishing infrastructure, contributes nothing when the attack technique operates entirely within authenticated sessions. Detection requires a different approach: behavioral analysis of session activity, anomalous API call sequences, or unusual geographic patterns following successful authentication.

Today: Audit What Your IDS Is Actually Detecting

The first action for this week is running an honest audit of your current alert output. Pull ninety days of IDS alert data and categorize it by rule trigger, not by severity label. What you will typically find is that a small percentage of rules generate the majority of alert volume, and a significant portion of active rules have generated zero alerts in that period.

High-volume rules deserve scrutiny in two directions. First, determine what percentage of high-volume alerts are true positives. If a rule fires ten thousand times per month and analysts have validated two true positives in that period, the rule is generating noise at a ratio that actively degrades your security posture. Analysts learn to ignore high-frequency rules, and when those rules occasionally fire on real activity, the alert gets processed with the same low-priority attention as the ninety-nine percent that were benign.

Zero-alert rules deserve equal scrutiny. A rule that has not fired in ninety days is either detecting nothing because the threat category it covers is not present in your environment, or it is misconfigured and would not detect the threat even if it occurred. Both situations require action. Disable rules covering threat categories genuinely absent from your environment. Validate rules that should theoretically fire by running controlled test traffic and confirming detection.

Create a simple spreadsheet with three columns: rule ID, alert volume over ninety days, and confirmed true positive count. Sort by the ratio of volume to confirmed detections. This becomes your suppression and tuning backlog. Address the highest-noise, lowest-value rules first.

Understanding Where Your Sensors Are Not Looking

Sensor placement is a foundational decision that determines visibility, and many organizations made initial deployment decisions years ago that no longer reflect their current network architecture. A sensor positioned at the perimeter in 2019 may have provided adequate coverage when most sensitive workloads were on-premises. That same placement provides limited visibility into cloud-hosted workloads, container environments, or the east-west traffic between internal systems where lateral movement actually happens.

The container security challenge is particularly relevant here. As organizations move workloads into containerized environments, the traffic between containers running on the same host or within the same cluster often never crosses a network segment where a traditional IDS sensor can observe it. Attackers who gain initial access to a container can explore adjacent containers, attempt privilege escalation, or exfiltrate data through paths the IDS cannot see. Container-native security tooling, including runtime security monitoring and network policy enforcement at the cluster level, fills this gap in a way that repositioning traditional sensors cannot.

Map your current sensor positions against your actual traffic flows. Identify the segments generating significant data that no sensor currently monitors. Prioritize coverage expansion in two areas: segments carrying lateral movement traffic between internal systems, and egress points where data exfiltration would route. Both represent high-value detection opportunities that perimeter-focused deployments miss.

This Week: Rebuild Detection Logic Around Current Attack Patterns

With the audit complete and coverage gaps mapped, the next priority is updating detection logic to reflect how attacks are actually being conducted. The ransomware landscape provides a useful frame here. Ransomware groups increasingly follow a multi-stage pattern: initial access through credential compromise or vulnerability exploitation, a period of quiet reconnaissance and lateral movement, privilege escalation, and finally the destructive payload deployment. The encryption event that gets reported in breach disclosures represents the end of an intrusion that may have begun weeks earlier.

Detection logic focused on the encryption event itself is detection that arrives after the damage is done. The higher-value detection targets are the earlier stages: the anomalous internal scanning behavior during reconnaissance, the unusual credential usage patterns during lateral movement, the unexpected process execution sequences during privilege escalation. These are detectable if the rules exist and the behavioral baselines are accurate enough to distinguish them from normal administrative activity.

For each major attack category relevant to your environment, map the full attack chain and identify which stages your current rules cover. Common gaps appear in the reconnaissance and lateral movement phases. Build detection logic specifically targeting these stages. Concrete examples include rules watching for internal hosts initiating connection attempts across unusually broad port ranges, authentication events where a single credential authenticates to an unusual number of systems within a short time window, and service account activity outside of normal operational hours.

The Hackers Used Meta's AI Support Bot to Seize Instagram Accounts incident highlights a different detection challenge: attacks that route through legitimate services. When attackers use a legitimate platform's infrastructure as part of the attack chain, signature-based detection watching for known-malicious IPs or domains provides limited protection. Detection shifts to behavioral indicators: unexpected account activity following social engineering sequences, authentication from unusual devices or locations following suspicious communication patterns, permission changes inconsistent with normal account usage.

Separating Signature Detection From Behavioral Detection

Modern IDS deployments benefit from treating signature-based detection and behavioral detection as separate capabilities with different operational roles, rather than expecting one approach to cover both functions.

Signature detection remains effective for known attack patterns with stable technical characteristics. Specific exploit payloads, known malware command-and-control communication patterns, and established attack tool signatures all fall into this category. These rules should be maintained through regular vendor updates, with local customization to suppress signatures irrelevant to your environment and amplify those covering your highest-risk exposure areas.

Behavioral detection covers what signatures miss: novel attack techniques, attacks using legitimate tools and services, and intrusions that operate within the bounds of what signatures consider normal. Behavioral detection requires establishing accurate baselines of normal network activity, then building detection logic around deviations from those baselines. This is more complex to implement than signature rules, generates different operational challenges around false positives, and requires ongoing maintenance as normal behavior evolves.

The practical implementation involves choosing detection categories where behavioral rules add the most value given your threat model. Authentication anomalies represent a high-return target: establish normal authentication patterns per user account or service account, then alert when authentication events deviate significantly from that baseline in terms of timing, source location, or target systems. Data transfer anomalies represent another high-value target: identify normal data volume and destination patterns for sensitive systems, then alert when outbound transfers exceed those baselines in volume or route to unexpected destinations.

Alert Triage That Does Not Destroy Analyst Capacity

An IDS that generates high alert volume without effective triage mechanisms creates a specific operational hazard: alert fatigue. Analysts processing hundreds of low-value alerts per shift develop pattern recognition biased toward dismissal. When a genuine threat produces an alert that superficially resembles the routine noise, that alert gets processed with the same dismissive efficiency as the previous hundred low-value notifications.

Alert prioritization should incorporate context beyond the raw IDS alert. The alert severity assigned by the rule is a starting point, not a final determination. Context that should modify priority includes whether the source IP has appeared in recent threat intelligence feeds, whether the target system hosts sensitive data or critical services, whether related alerts have fired for the same source or destination in the past twenty-four hours, and whether the alert time falls outside normal operational windows for the affected system.

Build enrichment into your alert handling pipeline. When an IDS alert fires, automated enrichment should pull threat intelligence context for involved IPs, look up the asset classification of the destination system, and check for correlated alerts involving the same source within a configurable time window. Analysts receive an alert package that includes this context rather than a bare rule trigger, which allows faster and more accurate triage decisions.

Set explicit thresholds for escalation versus dismissal that are documented and consistent. An analyst who dismisses an alert should record the reason in a searchable format. Periodic review of dismissed alerts, looking for patterns indicating that the dismissal logic is wrong, catches cases where analysts have learned to dismiss a category of alerts that occasionally includes real threats.

This Quarter: Building IDS Into a Detection Architecture

An IDS operating as an isolated tool produces less value than one integrated into a broader detection and response architecture. The architectural work that should happen over the next quarter involves three interconnected improvements: integration with threat intelligence feeds, correlation with other data sources, and formalized response playbooks.

Threat intelligence integration makes IDS detection contextually aware. When your IDS can check detected indicators against current threat intelligence, it can differentiate between a connection attempt from a generic cloud IP and a connection attempt from an IP actively used in the campaign currently targeting your industry vertical. The latter warrants significantly different response prioritization. This requires operational threat intelligence feeds that are current, relevant to your threat profile, and integrated into your detection pipeline in a way that actually affects alert prioritization rather than sitting in a separate dashboard that analysts check occasionally.

The Netherlands law enforcement seizure of 800 servers and subsequent arrests demonstrates that threat intelligence can have a real-world impact on the attacker infrastructure your IDS is monitoring. Active threat intelligence about takedown operations, newly identified command-and-control infrastructure, and emerging campaign indicators directly improves what your IDS can detect when integrated properly.

Correlation across data sources transforms point-in-time IDS alerts into attack chain visibility. A single IDS alert noting a port scan from an internal host is informative but not conclusive. The same alert correlated with an authentication event on that host thirty minutes earlier from an unusual source location, and with a user account that received a suspicious email attachment earlier that day, produces a picture that is far more actionable. This correlation requires log aggregation infrastructure that brings IDS output together with authentication logs, email security logs, endpoint telemetry, and network flow data in a common query environment.

Maintaining Detection Quality Over Time

The ongoing maintenance that most organizations underinvest in is detection quality management. Rules get added, environments change, and the relevance of existing rules degrades without anyone explicitly deciding to let it happen. Structural approaches to maintenance prevent this drift.

Establish a quarterly review cycle for your complete rule set. The review should answer three questions for each active rule: Has it fired in the past quarter? If it fired, what was the true positive rate? Has the threat category it covers changed in a way that requires rule modification? Rules failing the first question get suspended pending validation. Rules failing the second question get modified or suppressed to reduce noise. Rules where the threat category has evolved get updated to reflect current attack patterns.

Run regular validation exercises where controlled test traffic is sent through monitored segments to confirm that rules detecting specific attack patterns actually trigger as expected. This catches configuration drift where network changes have inadvertently moved traffic away from sensor positions, and catches rule degradation where updates have broken detection logic for specific attack patterns.

Document the threat model your IDS is designed to detect. This seems obvious but is frequently absent. Without explicit documentation of the threats your detection logic is targeting, it becomes impossible to evaluate whether your coverage is adequate or identify where it has gaps. The threat model document should be a living artifact, updated as your threat landscape evolves and reviewed alongside the rule set during quarterly maintenance cycles.

Practical Takeaways for the Operational Team

The organizations that get consistent value from intrusion detection systems share several practices that distinguish their deployments from the noise-generating installations that have driven some teams to deprioritize IDS as a security control.

  • Treat rule maintenance as a recurring operational task with assigned ownership, not a one-time configuration activity. Someone should own the rule set the way a network engineer owns firewall policy.
  • Measure alert quality, not just alert volume. Track true positive rates per rule category and treat rules with persistently low true positive rates as bugs requiring fixes.
  • Position sensors based on where attacks are actually happening in your environment, which increasingly means east-west traffic and cloud egress rather than perimeter alone.
  • Integrate threat intelligence at the detection layer, not just the investigation layer. Intelligence that only gets consulted after an alert fires helps analysts triage; intelligence integrated into detection logic helps the system prioritize automatically.
  • Build response playbooks for your highest-confidence alert categories so that when a true positive fires, the response is immediate and consistent rather than dependent on whoever happens to be on shift.
  • Treat behavioral detection as a distinct capability from signature detection, with separate development, maintenance, and tuning processes for each.

The attack campaigns making headlines right now, from large-scale credential harvesting to session token theft to ransomware groups operating with extended dwell times, share a common characteristic: they succeed in environments where detection is focused on the wrong signals. Getting IDS deployment right is not primarily a technology procurement problem. It is an operational discipline problem, and the teams solving it are doing so through structured maintenance, honest measurement of detection quality, and continuous alignment between their detection logic and the actual threat landscape they face.

Contact IPThreat