Cyber Systems Operations Block 4 Unit 6 (ALL) Cyber Operations INTRUSION DETECTION
Sensors utilized to monitor various enclaves comprising AFNet.
ASIM-Identified Incidents
This is the process of monitoring network and computer system events for signs of incidents that indicate imminent threats or violations of computer security policies.
Intrusion Detection
The Topology Viewer imports data from the Nessus scanner or Security Center and provides graphical analysis such as network and protocol maps, communication paths, and vulnerability maps.
3D Tool
This is also known as an Intrusion Prevention System (IPS). It blocks network traffic when it detects an intrusion.
Active IDS
This is an integrated, scalable software solution used at a number of locations. The solution gives DoD enhanced enterprise network security that is easy to install and easy to manage.
Assured Compliance Assessment Solution (ACAS)
In this type of vulnerability scanning method, the tester logs in as a network user, revealing the vulnerabilities that are accessible to a trusted user, or an intruder that has gained access as a trusted user.
Authenticated Scans
This is a hardware/software system sitting on AF networks "listening" for suspicious activity that is characteristic of intruder techniques. It processes what it deems suspicious and generates reports to the AFNOC Network Security Division.
Automatic Security Incident Measurement (ASIM)
Occurs when data of a higher classification level is transferred to a lower classification level system/device via messaging systems.
Classified Message Incident
Occurs when data of a higher classification level is placed on a lower classification level system/device or across compartments.
Data Spillage
Attackers may set up a rogue device pretending to be a legitimate access point.
Detect Rogue Devices
Trigger an alert if the IDS senses use of a device or software intended for attacking a wireless access point.
Detect Wireless Attack Tools
Review the organization's security policy to determine the types of traffic allowed on the network.
Document Allowable Types of Network Traffic
The DoD-provided HIDS, which includes a HIPS created by McAfee.
HBSS
These watch for dangerous or illogical combinations in packet headers.
Header Signatures
This system primarily uses software installed on a specific host. It allows system administrators to see any misuse occurring within the system itself.
Host-based IDS
Modern systems combine the passive observation of traditional IDS systems with the automatic protection of an active IPS. This allows detection and reporting of potentially malicious activities while also allowing the system to manipulate a firewall or router.
IDPS
Attempted entry, unauthorized entry, and attacks on an information system.
Incident Types
Includes unauthorized individuals gaining full (root) or limited (user) access to a network device or information system, and unusual or excessive network activity.
Intrusion Activity
This is a system that scans, audits, and monitors the security infrastructure for signs of attacks in progress. It monitors network traffic and changes to computer settings to detect patterns indicating known intrusion attempts.
Intrusion Detection System
Consider using both network-based IDS and host-based IDS; network IDS are often blind to what is happening on the host, and vice versa. Frequently update IDS signatures, as new attacks are released all the time. Understand the nature of the intrusions an IDS can detect; attacks using legitimate credentials will probably pass unnoticed. Distinguish between real intrusions and false positives. Deploy an IDS on each network segment. Use a centralized management console to manage the IDS.
Key Points for Implementing IDS
Reviewing these can reveal a possible intrusion attempt on the target system.
Log Entries
All end users accessing AFNet are required to report unusual network, information system, and stand-alone computing device events suspected to stem from some form of malicious logic.
Malicious Logic Reporting
Access Control Lists, setting up black hole firewalls, keeping all security software up-to-date, keeping unused ports closed, and monitoring IA controls.
Methods Preventing Unauthorized Port Scanning
When no actual messages are being sent, the channel can be masked by sending dummy traffic that looks like encrypted traffic, thereby keeping bandwidth usage constant.
Network Traffic Masking
This system primarily uses passive hardware sensors to monitor traffic on a specific segment of a network.
Network-based IDS
Use network devices, monitoring software, and IDS to monitor network traffic.
Observe Regular Network Traffic and Look for Anomalies
This monitors network traffic and only alerts an administrator about suspicious traffic.
Passive IDS
This can be defined as an attack that sends client requests to a range of server port addresses on a host with the goal of finding an active port and exploiting a known vulnerability of that service.
Port Scanning
NIDS watch for connection attempts to well-known, frequently attacked ports.
Port Signatures
The primary detection tool is the set of ASIM sensors deployed across AFNet. Reporting accurate incident information as close to real time as possible is crucial to effective response.
Reporting Events
NCCs, NOSCs, and the AFNOSC record suspicious or unauthorized network and information system access and activity. Upon detecting a suspected or verified incident, end users immediately notify their assigned Workgroup Manager (WM) and assist the WM in filling out an IR. If the WM is unavailable, end users immediately notify the next computer security professional in the chain of command (i.e., FSA, NCC, NOSC, ISSO, ISSM).
Reporting Malicious Activity
Inspect regularly to monitor for new traffic patterns and update the baseline as necessary.
Review Logs and Network Statistics Regularly
The central console provides the ability to automate the vulnerability and compliance scanning of an organization's infrastructure. It also provides a capability to manage, alert, and report on vulnerability and compliance requirements.
Security Center
Use filters and triggers to capture exceptions to normal network traffic.
Set Triggers for Common Intrusions
An open source network-based Intrusion Detection and Prevention System, capable of packet logging and real-time traffic analysis. It performs protocol analysis and content searching and matching.
Snort
NIDS look for specific groupings of characters common in known attacks.
String Signatures
Includes detection of network scanning and of multiple connection attempts to a network device from an unknown entity.
Suspicious Activity
This is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted.
Traffic Analysis
In this type of vulnerability scanning method, the tester performs the scan as an intruder would, without trusted access to the network. Such a scan reveals vulnerabilities that can be accessed without logging into the network.
Unauthenticated Scans
Use a combination of active, passive, network-based, and host-based IDS products for comprehensive detection.
Use Multiple IDS Products
The Nessus scanner, covering a multitude of checks including common vulnerabilities and exposures.
User Interface
This monitors real-time network traffic. It analyzes server and client side vulnerabilities and reports these to the Security Center. It continuously looks for new hosts, new applications, and new vulnerabilities without requiring active scanning.
Vulnerability Scanner
This is an inspection of the potential points of exploit on a computer or network to identify security holes. The scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures.
Vulnerability Scanning
NIDS are placed at strategic points within the network to monitor traffic to and from all devices. They analyze the traffic passing on the entire subnet and match it against a library of known attacks.
Wired IDS