11.2 Intrusion Detection, Snort, and Network Security Monitoring Flashcards

1
Q

An ______ both analyzes traffic and looks for malicious signatures.

A

An intrusion detection system (IDS) both analyzes traffic and looks for malicious signatures.

2
Q

An IDS is like a ______ that reads the data in the packets it inspects, issues alerts, and blocks malicious traffic (if configured to do so).

A

An IDS is like a firewall that reads the data in the packets it inspects, issues alerts, and blocks malicious traffic (if configured to do so).

3
Q

What is the world’s most popular open-source solution?

A

Snort

Network security monitoring (NSM) is the process of identifying weaknesses in a network’s defense.

It also provides organizations with situational awareness of their network.

4
Q

What is Security Onion?

A

Security Onion is a Linux distribution that contains many NSM tools.

Security Onion uses the Snort IDS engine as its event-driven mechanism.

5
Q

Unlike firewalls, an IDS _____ and _____ of an attack.

A

Unlike firewalls, an IDS detects and alerts of an attack.

6
Q

True or False

IDSs are passive. They do not respond to attacks; they only log and document information for future analysis.

A

True

IDS helps organizations enforce the cyber kill chain by establishing situational awareness of attackers, allowing them to harden defenses.

7
Q

What are the two types of IDS?

A
  1. Signature-based IDS
  2. Anomaly-based IDS

8
Q

Explain a signature-based IDS

A

A signature-based IDS compares patterns of traffic to predefined signatures.

Good for identifying well-known attacks.

Can be updated as new attack signatures are released.

Vulnerable to attacks through packet manipulation.

Unable to detect zero-day attacks.

9
Q

Explain an Anomaly-based IDS

A

An anomaly-based IDS compares patterns of traffic against a well-known baseline.

Good for detecting suspicious traffic that deviates from well-known baselines.

Excellent at detecting when attackers probe and sweep a network.

Prone to false alerts.

Assumes network behavior does not deviate from well-known baselines.

10
Q

What are the two basic architectures of intrusion detection systems?

A
  1. Network intrusion detection (NIDS) filters an entire subnet on a network.
  2. Host-based intrusion detection (HIDS) runs locally on a host-based system or user’s workstation or server.
11
Q

Explain NIDS

A

Network intrusion detection (NIDS) filters an entire subnet on a network.

  • Matches all traffic to a known library of attack signatures.
  • Passively examines network traffic at points that it’s deployed.
  • Relatively easy to deploy and difficult to detect by attackers.
12
Q

Explain HIDS

A

Host-based intrusion detection (HIDS) runs locally on a host-based system or a user’s workstation or server.

  • Acts as a second line of defense against malicious traffic that successfully gets past a NIDS.
  • Examines entire file systems on a host, compares them to previous snapshots or baselines, and generates an alert if there are significant differences between the two.
13
Q

True or False

An Intrusion Prevention System (IPS) can do everything an IDS can, but can also respond to attacks.

A

IPS can react to packets by blocking malicious traffic, preventing it from being delivered to a host on the network.

14
Q

IDS connects via a _____ or ______.

A

IDS connects via a network tap or mirrored SPAN port.

15
Q

What is a network tap?

A

A network TAP (Test Access Port) is a hardware device that provides access to a network. Network taps transmit both inbound and outbound data streams on separate channels at the same time, so all data arrives at the monitoring device in real time.

16
Q

What is a SPAN port?

A

SPAN (Switched Port Analyzer), also known as port mirroring, sends a mirror image of all network data to another physical port, where the packets can be captured and analyzed.

17
Q

IPS connects _____ with the flow of data, typically between the firewall and network switch.

A

inline

IPS connects inline with the flow of data, typically between the firewall and network switch.

18
Q

True or False

An IDS system generates alerts when a Snort rule detects malicious traffic that matches a signature.

A

True

19
Q

An _____ is a message that is sent to an analyst’s console as an indicator of attack (IOA).

A

An alert is a message that is sent to an analyst’s console as an indicator of attack (IOA).

20
Q

IDS Alerts

Indicators can be either:

A
  1. Indicators of attack
  2. Indicators of compromise

21
Q

Explain Indicators of attack alert

A

Indicators of attack indicate attacks happening in real time.

  • Proactive approach to intrusion attempts.
  • Indicate that an attack is currently in progress but a full breach has not been determined.
  • Focus on revealing the intent and end goal of an attacker, regardless of the exploit or malware used in the attack.
22
Q

Explain Indicators of compromise alert

A

Indicators of compromise indicate previous malicious activity.

  • Indicate that an attack has occurred, resulting in a breach.
  • Used to establish an adversary’s techniques, tactics, and procedures (TTPs).
  • Expose all the vulnerabilities used in an attack, giving network defenders the opportunity to revamp their defense as part of their mitigation strategy.
23
Q

True or False

You have to purchase Snort.

A

False

Snort is free

24
Q

How many modes can Snort operate in?

A

3

  1. Sniffer Mode - Reads network packets and displays them on screen.
  2. Packet Logger Mode - Performs packet captures by logging all traffic to disk.
  3. Network IDS Mode - Monitors network traffic, analyzes it, and performs specific actions based on administratively defined rules.
25
Q

Snort can perform ________ and can ________ on a network.

A

Snort can perform real-time traffic analysis and can log packets on a network.

26
Q

Rules can direct Snort to monitor the following information:

A
  1. OSI Layer - We can watch for IP and TCP data.
  2. Source and Destination Address - Where the traffic is flowing from and to.
  3. Byte Sequences - Patterns contained in data packets that might indicate malware, etc.
27
Q

What does this Snort rule do?

alert ip any any -> any any (msg:"IP Packet Detected";)

A

This rule logs the message “IP Packet Detected” when it detects an IP packet.

28
Q

What are the two main differences between a firewall and an IDS system?

A

An IDS differs from a firewall in that it detects and alerts when triggered by a rule.

29
Q

What’s the best physical placement for an IDS on a network, inline or mirrored port?

A

Mirrored port

30
Q

An IDS placed at the Perimeter layer of the DiD model is referred to as what?

A

Perimeter IDS

31
Q

Define each part of the following Snort alert:

alert ip any any -> any any (msg:"IP Packet Detected";)

A
  • alert: The action that Snort will take when triggered.
  • ip: Applies the rule to all IP packets.
  • any any: From any source IP address and from any source port.
  • ->: All traffic inbound from outside the network to inside the network.
  • any any: To any destination IP address and source port.
  • (msg:"IP Packet Detected";): The message printed with the alert when the rule is matched.
32
Q

An intrusion system that can act on an alert by blocking traffic is referred to as what?

A

Intrusion prevention system or IPS

33
Q

Name the two types of detection techniques used by intrusion detection systems.

A

Anomaly and signature

34
Q

True or False:

Signature-based IDS systems are not effective against zero-day attacks.

A

True

35
Q

When used together, which should be placed farthest from the data: a firewall, an IDS, or an IPS?

A

A firewall

36
Q

Name and define the three different Snort configuration modes.

A

Sniffer Mode: Reads network packets and displays them to screen.

Packet Logger Mode: Performs packet captures by logging all traffic to disk.

NIDS Mode: Monitors network traffic, analyzes it, and performs specific actions based on administratively defined rules.

37
Q

What is the difference between an IDS and an IPS?

A

An IPS can act on traffic by blocking it and preventing it from being delivered to a host based on the contents of the packet. An IDS cannot.

39
Q

True or False:

An indicator of attack (IOA) occurs at some previous point in time, and an indicator of compromise (IOC) occurs in real time.

A

False

An IOC occurs at some previous point in time, and an IOA occurs in real time.

40
Q

True or False:

An IOA is “proactive” and an IOC is “reactive.”

A

True

41
Q

True or False:

An IPS is physically connected “inline” with the flow of traffic, processes entire subnets of data, and requires more robust hardware.

A

True

42
Q

_______ use a variety of data analysis tools to detect and stop threats after most front-end layers are compromised.

A

Network security monitoring uses a variety of data analysis tools to detect and stop threats after most front-end layers are compromised.

43
Q

What are the NSM strengths (6)?

A

Allows organizations to:

  1. Track adversaries through a network and determine intent.
  2. Acquire intelligence and situational awareness.
  3. Be proactive by identifying vulnerabilities.
  4. Be reactive through incident response and network forensics.
  5. Provide insights about advanced persistent threats.
  6. Uncover and track malware.
44
Q

What are the NSM limitations (5)?

A
  1. Cannot read encrypted traffic.
  2. Powerful hardware and CPU requirements mean higher costs.
  3. Difficulty reading radio transmissions, meaning attackers can use mobile radio communications to obfuscate attacks.
  4. NSM is an invasive process that monitors and records all network data.
  5. Placement of an NSM can be limited at certain areas of the network.
45
Q

What are the two stages NSM operates in?

A
  1. Detection - An alert is generated in the Sguil analyst console.
  2. Response - A security team responds to a security incident.
46
Q

NSM Stages and Processes

Explain the NSM detection stage.

A

Detection: an alert is generated in the Sguil analyst console.

Collection

The event is observed and the data is stored in the form of a PCAP file. Sources include:

  • Host data
  • Net data
  • Application logs
  • Data from third parties
  • Data from constituents

Analysis

The alert data is identified, validated, documented, and categorized according to its threat level. Two approaches:

  • IOC-centric analysis, or “matching”
  • IOC-free analysis, or “hunting”

47
Q

Intrusion detection systems are generally placed at strategic points in a network where traffic is______.

These devices are typically placed next to a _____ or _____ that filters traffic.

A

Intrusion detection systems are generally placed at strategic points in a network where traffic is most vulnerable.

These devices are typically placed next to a router or switch that filters traffic.

48
Q

What is Security Onion?

A

A network security monitoring platform that provides context, intelligence, and situational awareness of a network.

Security Onion is an Ubuntu-based, open source Linux distribution that contains many NSM tools used to protect networks from attacks.

49
Q

What are 3 NSM tools for incident detection and response?

A
  1. Sguil - Pulls alert data from Snort, allowing us to more thoroughly analyze alerts.
  2. Transcript - Provides a view of PCAP transcripts that are rendered with TCP flow.
  3. NetworkMiner - Performs advanced network traffic analysis through extraction of artifacts contained in PCAP files.
50
Q

Sguil has six key functions that help with analysis:

A
  1. Performs simple aggregation of alert data records.
  2. Makes available certain types of metadata.
  3. Allows queries and review of alert data.
  4. Allows queries and review of session data.
  5. Allows easy transitions between alert or session data and full content data.
  6. Counts and classifies events, enabling escalation and other incident response decisions.
51
Q

Sguil has four main sections:

A
  1. Alert Panel
  2. Snort Rule
  3. Packet Data
  4. IP Resolution
52
Q

True or False:

NSM is vulnerability-centric, with its primary focus on the vulnerability and not the adversary.

A

False

53
Q

True or False:

The strength of NSM is its focus on the visibility of an attack, not its control.

A

True

54
Q

True or False:

NSM can see inside encrypted traffic.

A

False

55
Q

True or False:

Alerts in Security Onion’s Sguil console are the equivalent of an Indicator of Attack, or IOA.

A

True

56
Q

True or False:

NSM provides organizations with the capability to track and uncover malware.

A

True

57
Q

True or False:

The Snort IDS engine drives the functionality of the Sguil analyst’s console.

A

True

58
Q

Name two methods for physically connecting an IDS to a network.

A

Network tap or SPAN/mirrored port

59
Q

Name the two stages of NSM and their processes.

A

The first stage is Detection. Its processes are Collection and Analysis.

The second stage is Response. Its processes are Escalation and Resolution.