Cyber Systems Operations Block 4 Unit 6 (ALL) Cyber Operations INTRUSION DETECTION


Sensors utilized to monitor various enclaves comprising AFNet.

ASIM-Identified Incidents

This is the process of monitoring network and computer system events for signs of incidents that indicate imminent threats or that violate computer security policies.

Intrusion Detection

The Topology Viewer imports data from the Nessus scanner or Security Center and provides graphical analysis such as network and protocol maps, communication paths, and vulnerability maps.

3d Tool

This is also known as an Intrusion Prevention System (IPS). It blocks network traffic when it detects an intrusion.

Active IDS

This is an integrated, scalable software solution used at a number of locations. The solution gives the DoD easy-to-install, enhanced enterprise network security that is also easy to manage.

Assured Compliance Assessment Solution (ACAS)

In this type of vulnerability scanning method, the tester logs in as a network user, revealing the vulnerabilities that are accessible to a trusted user, or an intruder that has gained access as a trusted user.

Authenticated Scans

This is a hardware/software system sitting on AF networks "listening" for suspicious activity that is characteristic of intruder techniques. It processes what it deems suspicious and generates reports to the AFNOC Network Security Division.

Automatic Security Incident Measurement (ASIM)

Occurs when data of a higher classification level is transferred to a lower-classification-level system/device via messaging systems.

Classified Message Incident

Occurs when data of a higher classification level is placed on a lower-classification-level system/device or across compartments.

Data Spillage

Attackers may set up a rogue device pretending to be a legitimate access point.

Detect Rogue Devices

Trigger an alert on sensing the use of a device or software intended for attacking a wireless access point.

Detect Wireless Attack Tools

Review the organization's security policy for the types of traffic allowed on the network.

Document Allowable Types of Network Traffic

The DoD-provided HIDS, which includes a HIPS created by McAfee.

HBSS

These watch for dangerous or illogical combinations in packet headers.

Header Signatures

This system primarily uses software installed on a specific host. It allows system administrators to see any misuse occurring within the system itself.

Host-based IDS

Modern systems combine the passive observation of traditional IDS systems with the automatic protection of an active IPS. This allows detection and reporting of potentially malicious activities while also allowing the system to manipulate a firewall or router.

IDPS

Attempted entry, unauthorized entry, and attacks on an information system.

Incident Types

Includes unauthorized individuals gaining full (root) or limited (user) access to a network device or information system, and unusual or excessive network activity.

Intrusion Activity

This is a system that scans, audits, and monitors the security infrastructure for signs of attacks in progress. It monitors network traffic and changes to computer settings to detect patterns indicating known intrusion attempts.

Intrusion Detection System

- Consider using both network-based IDS and host-based IDS. A network IDS is often blind to what is happening on the host, and vice versa.
- Frequently update IDS signatures (new attacks are released all the time).
- Understand the nature of the intrusions an IDS can detect. Attacks using legitimate credentials will probably pass unnoticed.
- Distinguish between real intrusions and false positives.
- Deploy an IDS on each network segment.
- Use a centralized management console to manage the IDS.

Key Points for Implementing IDS

Reviewing these can reveal a possible intrusion attempt on a target system.

Log Entries

All end users accessing AFNet are required to report unusual network, information system, and stand-alone computing device events suspected to stem from some form of malicious logic.

Malicious Logic Reporting

Access control lists, setting up black hole firewalls, keeping all security software up to date, keeping unused ports closed, and monitoring IA controls.

Methods Preventing Unauthorized Port Scanning

When no actual messages are sent, the channel can be masked by sending dummy traffic that looks like encrypted traffic, thereby keeping bandwidth usage constant.

Network Traffic Masking

This system primarily uses passive hardware sensors to monitor traffic on a specific segment of a network.

Network-based IDS

Use network devices, monitoring software, and IDS to monitor network traffic.

Observe Regular Network Traffic and Look for Anomalies

This monitors network traffic and only alerts an administrator about suspicious traffic.

Passive IDS

This can be defined as an attack that sends client requests to a range of server port addresses on a host with the goal of finding an active port and exploiting a known vulnerability of that service.

Port Scanning

NIDS watch for connection attempts to well-known, frequently attacked ports.

Port Signatures

The primary detection tool is the ASIM sensors deployed across AFNet. Reporting accurate incident information as close to real time as possible is crucial to effective response.

Reporting Events

NCCs, NOSCs, and the AFNOSC record suspicious or unauthorized network and information system access and activity. Upon detecting a suspected or verified incident, end users immediately notify their assigned Workgroup Manager (WM) and assist the WM in filling out an IR. If the WM is unavailable, end users immediately notify the next computer security professional in the chain of command (i.e., FSA, NCC, NOSC, ISSO, ISSM).

Reporting Malicious Activity

Inspect regularly to monitor for new traffic patterns and update the baseline as necessary.

Review Logs and Network Statistics Regularly

The central console provides the ability to automate the vulnerability and compliance scanning of an organization's infrastructure. It also provides a capability to manage, alert, and report on vulnerability and compliance requirements.

Security Center

Use filters and triggers to capture exceptions to normal network traffic.

Set Triggers for Common Intrusions

Open-source network-based Intrusion Detection and Prevention System. Capable of packet logging and real-time traffic analysis. Performs protocol analysis and content searching and matching.

Snort

NIDS looks for specific groupings of characters common in known attacks.

String Signatures

Includes detection of network scanning and multiple connection attempts to a network device from an unknown entity.

Suspicious Activity

This is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted.

Traffic Analysis

In this type of vulnerability scanning method, the tester performs the scan as an intruder would, without trusted access to the network. Such a scan reveals vulnerabilities that can be accessed without logging into the network.

Unauthenticated Scans

Use a combination of active, passive, network-based, and host-based IDS products for comprehensive detection.

Use Multiple IDS Products

The Nessus scanner, covering a multitude of checks including common vulnerabilities and exposures.

User Interface

This monitors real-time network traffic. It analyzes server and client side vulnerabilities and reports these to the Security Center. It continuously looks for new hosts, new applications, and new vulnerabilities without requiring active scanning.

Vulnerability Scanner

This is an inspection of the potential points of exploit on a computer or network to identify security holes. The scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures.

Vulnerability Scanning

A NIDS placed at strategic points within the network to monitor traffic to and from all devices. It performs analysis of passing traffic on the entire subnet and matches the traffic passed against a library of known attacks.

Wired IDS
