Cisco IPS/IDS Fundamentals
Which method requires participation in global correlation involving groups outside your own enterprise? A. Reputation-based IPS B. Policy-based IPS C. Signature-based IPS D. Anomaly-based IPS
Reputation-based IPS
List 6 recommended IPS/IDS best practices.
1. Implement an IPS so that you can analyze traffic going to your critical servers. 2. Use modules or IOS software-based IPS/IDS if you cannot afford appliances. 3. Take advantage of global correlation to improve resistance against attacks that may be moving towards your organization. 4. Use a risk-based approach, where countermeasures occur based on the calculated risk rating. 5. Use automated signature updates when possible. 6. Continue to tune the IPS/IDS infrastructure as traffic flows and network devices/topologies change.
What are 4 different methods a sensor can be configured for to identify malicious traffic?
1. Signature-based 2. Policy-based 3. Anomaly-based 4. Reputation-based
List 5 factors that influence risk rating.
1. Target Value Rating (TVR) 2. Signature Fidelity Rating (SFR) 3. Attack Severity Rating (ASR) 4. Attack Relevancy (AR) 5. Global Correlation
Which of the following are properties directly associated with signatures? (Choose all that apply) A. ASR B. SVR C. TVR D. RR
ASR SVR
A method of identifying malicious traffic. Ex. Creating a baseline of how many TCP sender requests are generated on average each minute that do not get a response. If the half-formed sessions are increased more than normal, the sensor generates an alert or denies packets.
Anomaly-based
A method of identifying malicious traffic. Self-configuring baselines; detects worms based on anomalies, even if specific signatures have not been created yet for that type of traffic. Difficult to accurately profile extremely large networks. May cause false positives based on significant changes in valid network traffic.
Anomaly-based
Which method of IPS uses a baseline of normal network behavior and looks for deviations from that baseline? A. Reputation-based IPS B. Policy-based IPS C. Signature-based IPS D. Anomaly-based IPS
Anomaly-based IPS
Which of the following is not a best practice? A. Assign aggressive IPS responses to specific signatures B. Assign aggressive IPS responses based on the resulting risk rating generated by the attack C. Tune the IPS and revisit the tuning process periodically D. Use correlation within the enterprise and globally, for an improved security posture
Assign aggressive IPS responses to specific signatures
Micro-Engines (Groupings of signatures). Signatures that can match on a single packet, as compared to a string of packets.
Atomic
Which of the micro-engines contains signatures that can only match on a single packet, as opposed to a flow of packets? A. Atomic B. String C. Flood D. Other
Atomic
Factor that influences Risk Rating. This is a minor contributor to the risk rating. A signature match that is destined to a host where the attack is relevant, such as a Windows server-based attack, which is going to the destination address of a known Windows server, is considered a relevant attack, and the risk rating increases slightly as a result.
Attack Relevancy (AR)
Factor that influences Risk Rating. How critical the attack is as determined by the person who created that signature.
Attack Severity Rating (ASR)
IPS/IDS Evasion Techniques. If an IPS/IDS sees only encrypted traffic, the attacker can build an SSL or IPsec session between himself and the victim and could then send private data over that VPN. Anti-Evasion: Encrypted traffic through the sensor cannot be inspected. If using GRE tunnels, there is support for inspection if the data is not encrypted.
Encryption and tunneling
When there is malicious traffic on the network, but for whatever reason the IPS/IDS did not trigger an alert, so there is no visual indicator that anything negative is going on.
False negative
When the sensor generates an alert about traffic and that traffic is not malicious or relevant to the safety of the network.
False positive
Factor that influences Risk Rating. If the sensor is participating and receives information about specific source addresses that are being used to implement large-scale attacks, attacks coming from those source IP addresses are also given a slightly increased risk rating value.
Global Correlation
A company has hired you to determine whether attacks are happening against the server farm, and they do not want any additional delay added to the network. Which deployment method should be used? A. Appliance based inline B. IOS software based inline C. Appliance based IPS D. IDS
IDS
Which method should you implement when it is not acceptable for an attack to reach its intended victim? A. IDS B. IPS C. Out of band D. Hardware appliance
IPS
This type of device is not inline (Promiscuous mode) with the network and can alert administrators about an attack on the network using signature matching. It does not prevent the initial packet from entering the network. No delay is added to the original packet since it is not inline with production traffic. It does not hinder network performance if it fails.
Intrusion Detection System (IDS)
This type of device is placed inline on a network and can alert administrators about an attack on the network using signature matches. It can prevent the initial packet from entering the network. All traffic is slightly delayed because the traffic is analyzed as it goes through the network. Also acts as a single point of failure.
Intrusion Prevention System (IPS)
Micro-Engines (Groupings of signatures). Miscellaneous signatures that may not specifically fit into other categories.
Other
A method of identifying malicious traffic. It can be implemented based on the policy for your network. Ex. If network policy states no telnet traffic is allowed, you can configure a custom rule on the IPS/IDS to generate an alert and drop packets.
Policy-based
A method of identifying malicious traffic. Simple, reliable, customizable, only allows policy-based traffic that could deny unknown attacks. Must be manually created. Implementation is only as good as the signatures you manually create.
Policy-based
Which type of implementation requires custom signatures to be created by the administrator? A. Reputation-based IPS B. Policy-based IPS C. Signature-based IPS D. Anomaly-based IPS
Policy-based IPS
IPS/IDS Evasion Techniques. An attacker may attempt to cause a sensor to misinterpret the end-to-end meaning of a network protocol and so perhaps not catch an attack in progress. Anti-Evasion: IP Time-To-Live (TTL) analysis, TCP checksum validation.
Protocol level misinterpretation
A method of identifying malicious traffic. Leverages enterprise and global correlation, providing info based on the experience of other systems. Requires timely updates and participation in the correlation process.
Reputation-based
A method of identifying malicious traffic. Collects input from systems all over the planet that are participating in global correlation; so what other sensors have learned collectively, your local sensor can use locally. May include descriptors such as blocks of IP addresses, URLs, DNS domains.
Reputation-based
IPS/IDS Evasion Techniques. If thousands of alerts are being generated by distractor attacks, an attacker may just be trying to disguise the single attack that they are trying to accomplish. It could be overwhelming the sensor and the admin team that has to view the events. Anti-Evasion: Dynamic and configurable event summarization.
Resource exhaustion
What is the name of Cisco cloud-based services for IPS correlation? A. SIO B. EBAY C. ISO D. OSI
SIO
The protocol used for real-time delivery of alerts; it is the most secure method for delivering alerts.
Security Device Event Exchange (SDEE)
Micro-Engines (Groupings of signatures). Signatures that examine application layer services, regardless of the OS.
Service
Factor that influences Risk Rating. The accuracy of the signature as determined by the person who created that signature.
Signature Fidelity Rating (SFR)
A method of identifying malicious traffic. A set of rules looking for some specific pattern or characteristics in either a single packet or a stream of packets. A sensor may come with thousands of default signatures, which can be enabled/disabled by the admin. This is the most widely used method with IPS/IDS.
Signature-based
A method of identifying malicious traffic. Easy to configure, simple to implement. Does not detect attacks outside of the rules. May need to disable some signatures that are creating false positives. Must keep updated periodically to be current.
Signature-based
Which IPS/IDS method is the most prominent way to identify malicious traffic?
Signature-based
Micro-Engines (Groupings of signatures). Supports flexible pattern matching, and can be identified in a single packet or group of packets, such as a session.
String or Multistring
Factor that influences Risk Rating. The value that an administrator has assigned to specific destination IP addresses or subnets where the critical servers/devices live.
Target Value Rating (TVR)
Why does IPS have the ability to prevent an ICMP-based attack from reaching the intended victim? A. Policy-based routing B. TCP resets are used C. The IPS is inline with the traffic D. The IPS is in promiscuous mode
The IPS is inline with the traffic
IPS/IDS Evasion Techniques. An attacker sends packets at a rate low enough that a signature is not triggered. Anti-Evasion: Configurable intervals and use of third-party correlation.
Timing attacks
IPS/IDS Evasion Techniques. The attacker splits malicious traffic into multiple parts with the intent that any detection system will not see the attack for what it really is. Anti-Evasion: Complete session reassembly so that the IPS/IDS can see the big picture.
Traffic fragmentation
IPS/IDS Evasion Techniques. The attacker substitutes characters in the data using different formats that have the same final meaning. Anti-Evasion: Looking for Unicode, case sensitivity, substitution of spaces with tabs, and other similar anti-evasion techniques.
Traffic substitution and insertion
When there was normal, non-malicious traffic and the sensor did not generate any type of alert, which is the normal sensor behavior for non-malicious traffic.
True negative
When there was malicious traffic and the sensor saw it and reported on it. If the sensor is an IPS it may have dropped the malicious traffic based on your current set of rules in place.
True positive