cspp Chapter 8 - Intrusion Detection - Stallings 4th ed.

F

12. An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.

A

13. _________ is a document that describes the application level protocol for exchanging data between intrusion detection entities. A. RFC 4767 B. RFC 4766 C. RFC 4765 D. RFC 4764

T

14. Network-based intrusion detection makes use of signature detection and anomaly detection.

C

14. The rule _______ tells Snort what to do when it finds a packet that matches the rule criteria. A. protocol B. direction C. action D. destination port

D

15. The _______ is the ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator. A. data source B. sensor C. operator D. analyzer

D

2. A _________ is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so. A. intrusion detection B. IDS C. criminal enterprise D. security intrusion

F

2. Activists are either individuals or members of an organized crime group with a goal of financial reward.

A

3. A _________ monitors the characteristics of a single host and the events occurring within that host for suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection

T

3. Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.

T

4. Those who hack into computers do so for the thrill of it or for status.

A

5. The ________ is responsible for determining if an intrusion has occurred. A. analyzer B. host C. user interface D. sensor

intrusion

6. Copying a database containing credit card numbers, viewing sensitive data without authorization, and guessing and cracking passwords are examples of _________ .

F

6. The IDS component responsible for collecting data is the user interface.

B

6. __________ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection

T

8. The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.

F

9. Signature-based approaches attempt to define normal, or expected behavior, whereas anomaly approaches attempt to define proper behavior.

Information gathering or system exploit

Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system.

Maintaining access

Actions such as the installation of backdoors or other malicious software or through the addition of covert authentication credentials or other configuration changes to the system.

Privilege escalation

Actions taken on the system, typically via a local access vulnerability, to increase the privileges available to the attacker to enable their desired goals on the target system.

action

The rule _______ tells Snort what to do when it finds a packet that matches the rule criteria.

base rate fallacy

The tendency to ignore information about general principles in favor of very specific but vivid information.

Machine-learning anomaly detection approaches

Bayesian networks, Markov models, Neural networks, Fuzzy logic, Genetic algorithms, Clustering and outlier detection

HIDS primary benefit

Can detect both external and internal intrusions

IDS Sensors

Collect data. The input can be anything that could contain intrusion evidence. Types of input are: network packets, log files and system call traces.

Distributed or hybrid IDS

Combines information from a number of sensors, often both host and network-based, in a central analyzer that is able to better identify and respond to intrusion activity

NIDS Anomaly Detection attack types

DOS, Scanning, Worms

Benefits of Network sensors on critical networks

Detects attacks targeting critical systems and resources Allows focusing of limited resources to the network assets considered of greatest value.

Benefits of Network sensors between External Firewall and Internet

Document number and types of attacks originating from the Internet that target the network

Which intrusion attempts do NIDS focus on?

External

State-sponsored organizations

Groups of hackers sponsored by governments to conduct espionage or sabotage activities.

T

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.

True

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.

Anomaly detection

Involves the collection of data relating to the behavior of legitimate users over a period of time. Then current observed behavior is analyzed to determine with a high level of confidence whether this behavior is that of a legitimate user or alternatively that of an intruder.

High interaction honeypot

Is a real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers

user interface

3. The _________ to an IDS enables a user to view output from the system or control the behavior of the system.

C

4. A ________ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection

T

5. Intruders typically use steps from a common attack methodology.

T

7. Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.

Profile-based

7. _________ anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.

D

7. _________ involves the collection of data relating to the behavior of legitimate users over a period of time. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection

B

8. A (n) __________ is a hacker with minimal technical skill who primarily uses existing attack toolkits. A. Master B. Apprentice C. Journeyman D. Activist

A

9. The _________ module analyzes LAN traffic and reports the results to the central manager. A. LAN monitor agent B. host agent C. central manager agent D. architecture agent

T

11. To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

B

12. A(n) ________ event is an alert that is generated when the gossip traffic enables a platform to conclude that an attack is under way. A. PEP B. DDI C. IDEP D. IDME

IDS

12.The functional components of an _________ are: data source, sensor, analyzer, administration, manager, and operator.

T

13. A common location for a NIDS sensor is just inside the external firewall.

security policy

13. The _________ is the predefined formally documented statement that defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements.

F

15. Snort can perform intrusion prevention but not intrusion detection.

Neural networks

9. _________ simulate human brain operation with neurons and synapse between them that classify observed data

Rule-based anomaly detection

historical audit records are analyzed to identify usage patterns and to generate automatically rules that describe those patterns(past behaviors)

Network - Inline Sensor

inserted into a network segment so that the traffic that it is monitoring must pass through the sensor

What are the types of attacks suitable for "Anomaly Detection Techniques"?

+ Denial of Service Attacks + Scanning + Worms

What are the types of attacks suitable for "Signature Detections Techniques"?

+ application layer reconnaissance and attacks + transport layer reconnaissance and attacks + network layer reconnaissance and attacks unexpected application services + policy violations

T

A common location for a NIDS sensor is just inside the external firewall.

T

The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.

Snort Actions

Alert Log Pass Activate Dynamic Drop Reject Sdrop

Sequence time-delay embedding (STIDE)

An algorithm based on artificial immune system approaches , that compares observed sequences of system calls with sequences from the training phase to obtain a mismatch ratio that determines whether the sequence is normal or not.

F

An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.

An IDS comprises three logical components: sensors, ________, and user interface.

Analyzers

Master

Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities, or writing new powerful attack toolkits.

Apprentice

Hackers with minimal technical skill who primarily use existing attack toolkits. Also known as "script kiddies."

Journeyman

Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities; or to focus on different target groups.

False negative

IDS does not identify intruders as intruders.

False positive

IDS identifies authorized users as intruders (i.e. false alarms)

Base-rate fallacy

If actual numbers of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating. (Example of base-rate fallacy in IDS)

Cyber-criminals

Individuals or members of an organized crime group with a goal of financial reward

Inline sensor

Inserted into a network segment so that the traffic that it is monitoring must pass through the sensor

An anomaly detection approach that uses an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.

Knowledge based

An anomaly detection approach that determines a suitable classification model from the training data using data mining techniques.

Machine-learning

T

Network-based intrusion detection makes use of signature detection and anomaly detection.

Analyzers

Receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion has occurred.

T

Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.

Sensors

Sensors are responsible for collecting data. The input for a sensor may be part of a system that could contain evidence of an intrusion. Types of input to a sensor includes network packets, log files, and system call traces.

Intrusion Detection System (IDS) logical components

Sensors, Analyzers, User Interface

F

Signature-based approaches attempt to define normal, or expected behavior.

F

Snort can perform intrusion prevention but not intrusion detection.

An anomaly detection approach that uses analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.

Statistical

Name three categories of anomaly detection

Statistical, knowledge based, & machine learning

administrator

The ______ is the human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS.

LAN monitor agent

The _________ module analyzes LAN traffic and reports the results to the central manager.

T

To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

True or false: Ideally, you want an IDS to have a high detection rate, that is, the ratio of detected to total attacks, while minimizing the false alarm rate, the ratio of incorrectly classified to total normal usage.

True

The _____ to an IDS enables a user to view output from the system or control the behavior of the system.

User interface

Covering tracks

Where the attacker disables or edits audit logs to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code.

Windows-based systems have traditionally not used _____, as the wide usage of Dynamic Link Libraries (DLLs) as an intermediary between process requests for operating system functions and the actual system call interface has hindered the effective use of system call traces to classify process behavior.

anomaly-based HIDS

Low interaction honeypot

consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute the full version.

B

1. _________ are either individuals or members of a larger group of outsider attackers who are motivated by social or political causes. A. State-sponsored organizations B. Activists C. Cyber criminals D. Others

net-work based (NIDS)

10. A ________ IDS monitors traffic at selected points on a network or interconnected set of networks.

F

10. Anomaly detection is effective against misfeasors.

D

11. A(n) ________ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. A. passive sensor B. analysis sensor C. LAN sensor D. inline sensor

Intrusion Detection Message Exchange Requirements

11. The _________ (RFC 4766) document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF).

C

10. The purpose of the ________ module is to collect data on security related events on the host and transmit these to the central manager. A. central manager agent B. LAN monitor agent C. host agent D. architecture agent

Intruder Behavior

* Target Acquisition and Information Gathering * Initial Access * Privilege Escalation * Information Gathering or System Exploit * Maintaining Access - Backdoor installation, or some installation of other software to allow for future access * Covering Tracks - Attackers disable logs

Common intruder behaviors...

++Target acquisition and information gathering, ++initial access, ++privilege escalation,++ information gathering or system exploit, ++maintaining access, & ++covering tracks

T

1. An intruder can also be referred to as a hacker or cracker.

True

A common location for a NIDS sensor is just inside the external firewall.

Banner grabbing

A method used to gain information about a remote system. It identifies the operating system and other details on the remote system.

Security Intrusion

A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Intrusion Detection

A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner

Honeypot

A security tool used to lure attackers away from the actual network components. They divert an attacker from attacking critical systems, collect information about the attacker's activity, and encourage attack to stay on the system long enough for the administrators to respond. They are classified as being either low or high interaction.

False

An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.

Snort

An open source, highly configurable and portable host-based or network-based IDS. Snort is referred to as a lightweight IDS. A Snort installation consists of four logical components: Packet decoder, detection engine, logger, and alerter.

Statistical anomaly detection

Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.

NIDS Signature Detection attack types

Application, Transport and Network layer reconnaissance and attacks, unexpected application services and policy violations

Machine-learning anomaly detection

Approaches automatically determine a suitable classification model from the training data using data mining techniques

Knowledge based anomaly detection

Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior

Activists

Are either individuals working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes. They are also known as hacktivists, and their skill level might be quite low. The aim of their attacks is often to promote and publicize their cause.

True

Intruders typically use steps from a common attack methodology.

NIDS location

Perimeter security infrastructure of an organization, either incorporated in, or associated with, the firewall

Passive sensor

Monitors a copy of network traffic; the actual traffic does not pass through the device.

Benefits of Network sensors to protect major backbone networks

Monitors a large amount of a network's traffic Detects unauthorized activity by authorized users within the organization

Network-based IDS (NIDS)

Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity

Host-based IDS (HIDS)

Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity

Host IDS vs Network IDS

NIDS examines packet traffic directed towards potentially vulnerable computer system on a network. Host based system examines user and software activity on a host.

True

Network-based intrusion detection makes use of signature detection and anomaly detection.

Snort Components

Packet decoder, Detection engine, Logger, Alerter

IDS Analyzers

Receive input from sensors or other analyzers. Responsible for determining if an intrusion has occurred. Outputs if intrusion has occurred and evidence of it. Provides guidance as to what to do.

IDS Requirements

Run continually, be fault tolerant, resist subversion, impose a minimal overhead on system, configured according to system security policies, adapt to changes in systems and users, scale to monitor large numbers of systems, provide graceful degradation of service, allow dynamic reconfiguration.

A ____ attack occurs when an attacker probes a target network or system by sending different kinds of packets. Using the responses received from the target, the attacker can learn many of the system's characteristics and vulnerabilities.

Scanning

Benefits of Network sensors on the External Firewall

Sees attacks that penetrate the firewall Highlights problems with the Firewall policy Sees attacks that might target Web/FTP servers Can detect outgoing traffic from compromised servers

IDS data sources

System call traces, Audit (log file) records, File integrity checksums, Registry access

False

The IDS component responsible for collecting data is the user interface.

Stateful protocol analysis (SPA)

The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.

Initial access

The initial access to a target system, typically by exploiting a remote network vulnerability by guessing weak authentication credentials or via the installation of malware.

True

The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.

True

To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

Signature or Heuristic detection

Uses a set of known malicious data patterns (signatures) or attack rules (heuristics) that are compared with current behavior to decide if is that of an intruder. It is also known as misuse detection. This approach can only identify known attacks for which it has patterns or rules

Signature or heuristic detection

Uses a set of known malicious data patterns (signatures) or attack rules (heuristics) that are compared with current behavior to decide if it is that of an intruder. It is also known as misuse detection. This approach can only identify known attacks for which it has patterns or rules.

Target acquisition and information gathering

Where the attacker identifies and characterizes the target systems using publicly available information, both technical/non- technical and the use of network exploration tools to map target resources.

Signature Detection

_____ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.