Chapter 17
The most common method of detection is ____________: (1) Knowledge-based, or (2) Behavior based
(1) Knowledge-based [also called signature-based] It uses a database of known attacks developed by the IDS vendor. The only negative is that it is only effective against known attack methods. Behavior-based systems do not use signatures, and instead compares activity against a baseline of normal performance to detect abnormal behavior. Many IDSs use a combination of both methods.
Notifications being sent to administrators via email, text, or pop up messages is an example of which type of IDS response: (1) Passive, or (2) Active
(1) Passive An active response can modify the environment using several methods, including modifying ACLs to block traffic and disabling communications.
True or False: A Smurf attack is another type of flood attack (DoS attack), but it floods the victims with Internet Control Message Protocol (ICMP) echo packets instead of with the TCP SYN packets.
True. In a Smurf attack, Ping uses ICMP to check connectivity with remote systems. The attacker sends an echo request out as a broadcast to all systems on the network and spoofs the source IP address. All these systems respond with echo replies to the spoofed IP address, flooding the victim with traffic. Disabling ICMP will prevent this attack.
True or False: A distinguishing difference between an IDS and an IPS is that the IPS is placed in line with traffic.
True. In other words, all traffic must pass through the IPS and the IPS can choose what to forward and what traffic to block after analyzing it.
True or False: Fraggle attacks are similar to Smurf attacks, however instead of using ICMP, a fraggle attack uses UDP packets over UDP ports 7 and 19.
True. The fraggle attack will broadcast a UDP packet using the spoofed IP address of the victim. All systems on the network will then send traffic to the victim.
True or False: A land attack occurs when the attacker sends spoofed SYN packets to a victim using the victim's IP address as both the source and destination IP address.
True. This tricks the system into constantly replying to itself and can cause it to freeze, crash, or reboot. Keeping a system up to date and filtering traffic to detect traffic with identical source and destination addresses helps to protect against LAND attacks.
True or False: A distributed denial of service attack occurs when multiple systems attack a single system at the same time
True. Reflected is another variant, where the network traffic is manipulated so that the attacks are reflected back at the victim from other sources. DoS attacks are typically aimed at internet-facing systems. I.E if attackers can access a system via the internet, it is highly susceptible to a DoS attack. DoS attacks are not common for internal systems that are not directly accessible via the internet.
A _________ can detect when users have more privileges than necessary
User Entitlement Audit
A __________ is any event that has a negative effect on the CIA of an organization's assets
incident In contrast, a computer security incident [sometimes called just security incident] commonly refers to an incident that is the result of an attack, or the result of malicious or intentional actions on the part of the users.
Multiple bots in a network form a _________ and will do whatever attackers instruct them to do
Botnet Bots are also called zombies. This is commonly used to launch a wide range of attacks (including DoS), send spam and phishing emails, or rent the botnets out to other criminals. Use defense in depth and update anti-malware software. Educating users is also very important. Also keep web browsers updated.
________ is a form of nonstatistical sampling that reduces the amount of logged data based on a threshold
Clipping. Sampling is a statistical method on the other hand.
After detecting and verifying an incident, what is the next step that should be taken?
Contain it. This limits the effect or scope of an incident. Organizations report the incident based on policies and governing laws, but this is not the first step.
What are the 7 steps in the incident response process?
DRM-RRRL (1) Detection, (2) Response [collecting evidence], (3) Mitigation [containment], (4) Reporting, (5) Recovery [reboot], (6) Remediation [root cause analysis], (7) Lessons Learned
What is the most common method for distributing malware?
Drive-by downloads
__________ is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization
Espionage
A __________ is two or more networked honeypots used together to simulate a network.
Honeynet. They look and act like legitimate systems, but they do not host data of any real value for an attacker.
___________ are individual computers created as a trap for intruders.
Honeypot. They look and act like legitimate systems, but they do not host data of any real value for an attacker.
______________ are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers
Psuedo flaws They are often used on honeypot systems to emulate well-known operating systems vulnerabilities.
Root cause analysis would be performed during which stage of the incident response process?
Remediation. This attempts to discover the source of the problem.
Employee _________ is a criminal act of destruction or disruption committed against an organization by an employee
Sabotage
True or False - The primary goal of incident response is to minimize the impact on the organization
True
True or False: A padded cell system is similar to a honeypot, but it performs intrusion isolation using a different approach. When an IDPS detects an intruder, that intruder is automatically transferred to a padded cell. The padded cell has the look and feel of an actual network, but the attacker is unable to perform any malicious activities or access any confidential data from within the padded cell.
True
True or False: A ping of death attack employs an oversized ping packet
True
True or False: As much as 75 percent of internet traffic is encrypted using Transport Layer Security (TLS) with Hypertext Transfer Protocol Secure (HTTPS)
True
True or False: Before performing recovery (e.g - rebooting a system), the incident should be contained and evidence should be gathered
True
True or False: Computers should not be turned off when containing an incident.
True
True or False: Malicious codes can take many forms, including viruses, worms, trojan horses, documents with destructive macros, and logic bombs
True
True or False: Sandboxing provides a security boundary for applications and prevents the application from interacting with other applications
True
True or False: Teardrop, Smurf, and Ping of Death are all DoS attacks
True
True or False: Traffic analysis focuses more on patterns and trends of data rather than the actual content
True
True or False: With regards to behavior-based IDSs, the baseline of normal activities and events needs to be updated if the network is modified
True
True: IDSs can be host-based and/or network based
True HIDs are more costly to manage. Many HIDs include anti-malware capabilities.
True or False: A significant benefit of behavior-based IDS is it can detect newer attacks that have no signatures and are not detectable with the signature-based method.
True However, behavior-based systems often raise a high number of false alarms.
True or False: In a teardrop attack, an attacker fragments traffic in such a way that a system is unable to put data packets back together
True Larger packets are normally divided into smaller fragments when sent over a network, and the receiving system then puts the packet fragments back together in their original state. This attack mangles these packets in such a way that the system cannot put them back together. IDS' can check for malformed packets.
True or False: A SYN Flood attack is a common DoS attack. It dsirupts the standard three-way handshake used by the TCP protocol to initiate communication sessions.
True The attacker keeps sending SYN flagged packets and never responds to the ACK packet from the client, effectively crashing their system with SYN packets (since the server reserves system resources for the SYN request - consumes memory and processing power). Using SYN cookies is one way to block this attack.
True or False: IDSs are an effective method of detecting many DoS and DDoS attacks.
True. An IPS includes all the capabilites of an IDS but can also take additional steps to stop or prevent intrusions.
True or False: A man in the middle attack can be someone either sniffing communication between to parties, or someone that has positioned themselves in the line of communication where they can act as a store-and-forward or proxy mechanism.
True. An attacker can collect logon credentials and other sensitive data as well as change the content of messages exchanged between the two systems. An IDS cannot usually detect man in the middle or hijack attacks. Man users often use VPNs to avoid these attacks.
True or False: A ping flood attack floods a victim with pin requests. A common way to handle this today is by blocking ICMP traffic
True. IDS's can also detect a ping flood and modify they environment to block IMP traffic during the attack.