Chapter 17: Preventing and Responding to Incidents
Entrapment
Illegal; the honeypot owner actively solicits visitors in order to charge them with intrusion
Espionage
Malicious act of gathering proprietary, secret, or confidential info about an org. Defense: strictly control access; screen new employees; track all employee activities
Detection
Methods: IDS/IPS; anti-malware software; automated tools/audit logs; end users notifying techs
Pentest
Mimics an actual attack in an attempt to ID what techniques attackers can use to circumvent security; goes a step further than a vulnerability scan and assessment. Goals: 1) determine how well a system can tolerate an attack; 2) ID employees' abilities to detect and respond to attacks in real time; 3) ID controls that can be implemented to reduce risk
Incident response goal
Minimize the impact on the organization
Anti-malware software
Most important protection against malicious code is this, with up-to-date signature files and heuristic capabilities; multi-pronged approach: firewalls to block malware, specialized anti-malware software on email servers, and anti-malware on each system
Reporting
Reporting an incident within the org and to outside organizations and individuals; laws govern the protection of PII and the reporting of breaches; for serious incidents, report to the FBI (US) or INTERPOL (Europe)
Recovery
Return the system to a fully functioning state; a major incident may require a complete system rebuild; important to ensure it is configured properly (ACLs, services/protocols, etc.)
Gray Box Testing
Security testing that is based on limited knowledge of an application's design.
Padded cell
Simulated environment that offers fake data to retain an intruder's interest; the IDPS transfers hackers to this
Egress monitoring
monitoring outgoing traffic to prevent data exfiltration (unauthorized transfer of data outside an org); can involve looking for steganography and watermarking
7 steps of incident response
DRM-RRR-L: 1: Detection; 2: Response; 3: Mitigation; 4: Reporting; 5: Recovery; 6: Remediation; 7: Lessons Learned
Security Logs
record access to resources like files, folders, printers, etc.; record info about when a user accessed, modified, or deleted a file
System logs
record system events such as when a system starts/stops/reboots, or when services start/stop
basic preventive measures
1) keep systems and apps up-to-date; 2) remove/disable unneeded services and protocols; 3) use IDS/IPS; 4) use up-to-date anti-malware; 5) use firewalls; 6) implement configuration and system management processes
Fraggle Attack
A DDoS attack type on a computer that floods the target system with a large amount of UDP echo traffic to IP broadcast addresses; UDP ports 7 & 19
distributed reflector DoS (DRDoS) attack
A DoS attack bounced off of uninfected computers, called reflectors, before being directed at the target. This is achieved by spoofing the source IP address in the attack to make it look like all of the requests for response are being sent by the target, then all of the reflectors send their responses to the target, thereby flooding the target with traffic.
Ping of Death Attack
A crafted ICMP packet larger than the maximum of 65,535 bytes; causes the recipient system to crash or freeze. Patches/updates have fixed this vulnerability
White Box Testing
A design that allows one to peek inside the "box" and focuses specifically on using internal knowledge of the software to guide the selection of test data.
Sandboxing
A form of software virtualization that lets programs and processes run in their own isolated virtual environment
Man-in-the-middle (MITM) attack
A hacker placing himself between a client and a host to intercept network traffic; also called session hijacking. Defense: keep the system up to date with patches; an IDS cannot detect it but can see abnormal activity in comm links; VPNs
Security Information and Event Management (SIEM)
A method for analyzing risk in software systems. It is the centralized collection and monitoring of security and event logs from different systems. SIEM allows for the correlation of different events and early detection of attacks. IDS and IPS send data to this, as do many other sources
Auditing
A methodical examination or review of an environment to ensure compliance and detect abnormalities
Honeynet
A network set up with intentional vulnerabilities.
Passive Response
A response option in intrusion detection in which the system simply reports and records the detected problem, relying on the user to take subsequent action
Intrusion Prevention System (IPS)
A technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity. Sometimes called IDPS; placed IN LINE with the traffic
Intrusion Prevention System (IPS)
A technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity. Sometimes combined with IDS
Teardrop Attack
A type of DoS that sends mangled IP fragments with overlapping and oversized payloads to the target machine; system is unable to put the packets back together
NIDS (network-based intrusion detection system)
A type of intrusion detection that protects an entire network and is situated at the edge of the network or in a network's protective perimeter, known as the DMZ (demilitarized zone). Here, it can detect many types of suspicious traffic patterns. Central console on a single-purpose computer; little negative impact on network performance; however, it can't always provide info on the success of an attack
HIDS (host-based intrusion detection system)
A type of intrusion detection that runs on a single computer, such as a client or server, to alert about attacks against that one host. Pro: can detect anomalies on the host system that a NIDS cannot. Negative: cost and usability; requires admin attention on each system and consumes system resources
zero-day exploit
A vulnerability that is exploited before the software creator/vendor is even aware of its existence. Defense: don't run unnecessary services and protocols, to reduce the attack surface; enable network- and host-based firewalls; IDS and IPS systems
Response
Activate the CIRT (computer incident response team); the quicker the response, the quicker they can limit damage
Anomaly-based detection
Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy. Benefit: can recognize attacks that have no signatures and are not detectable with the signature method. Negative: also raises a high number of false alarms
Signature-based detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures. Uses a database of known attacks developed by the IDS vendor
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim; floods the victim with ICMP echo packets. Defense: configure the router so it's not an amplifying network; disable ICMP on firewalls and routers
Distributed Denial of Service (DDoS)
An attack that uses many computers to perform a DoS attack.
Ethical Hacker
An expert at breaking into systems who can attack systems on behalf of the system's owner and with the owner's consent; doesn't use that knowledge for personal gain
Computer Security Incident
An incident that is the result of an attack, or the result of malicious or intentional actions on the part of users
Incident
Any event that has a negative effect on the CIA of an organization's assets
Mitigation
Attempt to contain an incident; limit the effect or scope of an incident
Data Loss Prevention (DLP)
Attempt to detect and block data exfiltration attempts; has the capability of scanning unencrypted data and looking for keywords and patterns
Pentest Risks
Can cause outages
Next generation firewall (unified threat management)
Combines several filtering capabilities, such as packet filtering and stateful inspection; can filter malware using whitelists and blacklists, and has some IDS/IPS capabilities
Sabotage
Criminal act of destruction or disruption committed against an organization by an employee. Defense: disable account access as soon as possible after termination; auditing; properly compensate employees
Land Attack
DoS attack that uses a spoofed SYN packet that includes the victim's IP address as both source and destination; tricks the system into replying to itself
Watermarking
Embedding an image or pattern in paper that isn't readily available; used to thwart counterfeiting attempts
Access Review Audits
Ensure that object access and account management practices support the security policies; verify that users don't have excessive privileges and that accounts are managed properly
Lessons Learned
Examine the incident and the response; personnel look for any areas where they can improve their response
Pseudo flaws
False vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt hackers
botnets or zombie networks
Hordes of surreptitiously infiltrated computers, linked and controlled remotely. This technique is used to perpetrate click fraud, as well as a variety of other computer security crimes. Defense: defense-in-depth strategy; educating users against these infections
Whitelisting
Identifies a list of applications that are authorized to run on a system; an example is Apple and the Apple App Store
Blacklisting
Identifies a list of apps that are not authorized to run on a system
Enticement
Legal; no outward efforts by the honeypot owner
Termination policy
One witness; account is disabled during the interview; badge and credentials are collected immediately after the interview; employee is escorted off the premises
Common Security Audit Review
Patch management; vulnerability management; configuration management; change management
Remediation
Personnel look at the incident and attempt to ID what allowed it to occur, then implement methods to prevent it from happening again; includes performing a root cause analysis
Ping Flood Attack
Ping utility used to send a large number of echo request messages and overwhelm the server; effective when launched by zombies. Defense: block ICMP traffic
Sampling or Data Extraction
Process of extracting specific elements from a large collection of data to construct a meaningful representation or summary of the whole
Logging
Process of recording information about events to a log file or database
Monitoring
Process of reviewing information logs looking for something specific; necessary to detect malicious actions by subjects, as well as attempted intrusions and system failures
drive-by download
Program which automatically downloads when a user visits a web page, usually without their knowledge or consent.
Firewalls
Provide protection to a network by filtering traffic: based on IP addresses, ports, and protocol numbers (first gen); additional filtering capabilities based on app requirements and comm circuit (second gen); stateful inspection firewalls and dynamic packet filtering firewalls filter based on a packet's state in a stream of traffic (third gen)
Audit Report Format
Purpose of audit; scope of audit; results discovered or revealed by the audit; problems, events, conditions; standards, criteria, baselines; causes, reasons, impact; recommended solutions and safeguards
Audit trails
Record of all changes and actions performed with a system, kept for security purposes; stored in one or more databases or log files
Original hacker definition
Tech enthusiast who doesn't have malicious intent
Black Box Testing
Testing, either functional or non-functional, without reference to the internal structure of the component or system.
SYN flood attack
The SYN flood attack sends TCP connection requests faster than a machine can process them. The attacker creates a random source address for each packet; the SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address; the victim responds to the spoofed IP address, then waits for a confirmation that never arrives (timeout wait is about 3 minutes); the victim's connection table fills up waiting for replies and ignores new connections. Defense: SYN cookies; firewall mechanisms; reduce the amount of time the server will wait for an ACK
Honeypot
Vulnerable computer that is set up to entice an intruder to break into it
Intrusion Detection System (IDS)
a computer program that senses when another computer is attempting to scan or access a computer or network
denial of service attack
a cyber attack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources; any attack that renders its victims unable to perform normal activities
Cracker
a hacker with criminal intent; used synonymously with attacker
clipping level
a predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to notify an administrator. Example: an alarm raised after 5 failed logon attempts in 30 min; not a good representation of the whole body of data, but good for specific events
Endpoint-based DLP
can scan files stored on a system as well as files sent to external devices; can prevent users from copying data to USB drives or sending sensitive info to printers
Active Response
collecting additional information about the intrusion, modifying the network environment, taking action against the intrusion
Log analysis
detailed and systematic form of monitoring in which the logged info is analyzed for trends and for abnormal, unauthorized, illegal, and policy-violating activities
malicious code (malware)
includes a variety of threats such as viruses, worms, Trojan horses, and bots
Network-based DLP
scans all outgoing data looking for specific data; if sensitive data is sent, the DLP will detect it, prevent it from leaving, and send an alert
Steganography
the art and science of hiding information by embedding messages within other, seemingly harmless messages; can be realized with a hashing function
Traffic Analysis
the attacker passively monitors transmissions via wireless networks to identify communication patterns and participants. Also called network flow monitoring; reveals questionable traffic patterns