11.2 Intrusion Detection, Snort, and Network Security Monitoring Flashcards
An ______ both analyzes traffic and looks for malicious signatures.
An intrusion detection system (IDS) both analyzes traffic and looks for malicious signatures.
An IDS is like a ______ that reads the data in the packets it inspects, issues alerts, and blocks malicious traffic (if configured to do so).
An IDS is like a firewall that reads the data in the packets it inspects, issues alerts, and blocks malicious traffic (if configured to do so).
What is the world’s most popular open-source IDS solution?
Snort
Network security monitoring (NSM) is the process of identifying weaknesses in a network’s defense.
It also provides organizations with situational awareness of their network.
What is Security Onion?
Security Onion is a Linux distribution that contains many NSM tools.
Security Onion uses the Snort IDS engine as its event-driven mechanism.
Unlike firewalls, an IDS _____ and _____ of an attack.
Unlike firewalls, an IDS detects and alerts on an attack.
True or False
IDS are passive. They do not respond to attacks; they only log and document information for future analysis.
True
IDS helps organizations enforce the cyber kill chain by establishing situational awareness of attackers, allowing them to harden defenses.
What are the two types of IDS?
1. Signature-based IDS
2. Anomaly-based IDS
Explain a signature-based IDS
A signature-based IDS compares patterns of traffic to predefined signatures.
Good for identifying well-known attacks.
Can be updated as new attack signatures are released.
Vulnerable to attacks through packet manipulation.
Unable to detect zero-day attacks.
Explain an Anomaly-based IDS
An anomaly-based IDS compares patterns of traffic against a well-known baseline.
Good for detecting suspicious traffic that deviates from well-known baselines.
Excellent at detecting when attackers probe and sweep a network.
Prone to false alerts.
Assumes network behavior does not deviate from well-known baselines.
What are the two basic architectures of intrusion detection systems?
- Network intrusion detection (NIDS) filters an entire subnet on a network.
- Host-based intrusion detection (HIDS) runs locally on a host-based system or user’s workstation or server.
Explain NIDS
Network intrusion detection (NIDS) filters an entire subnet on a network.
- Matches all traffic to a known library of attack signatures.
- Passively examines network traffic at points that it’s deployed.
- Relatively easy to deploy and difficult to detect by attackers.
Explain HIDS
Host-based intrusion detection (HIDS) runs locally on a host-based system or user’s workstation or server.
- Acts as a second line of defense against malicious traffic that successfully gets past a NIDS.
- Examines entire file systems on a host, compares them to previous snapshots or baselines, and generates an alert if there are significant differences between the two.
True or False
An Intrusion Prevention System (IPS) can do everything an IDS can, but can also respond to attacks.
IPS can react to packets by blocking malicious traffic, preventing it from being delivered to a host on the network.
IDS connects via a _____ or ______.
IDS connects via a network tap or mirrored SPAN port.
What is a network tap?
Network TAP (Test Access Port) is a hardware device that provides access to a network. Network taps transmit both inbound and outbound data streams on separate channels at the same time, so all data will arrive at the monitoring device in real time.
What is a SPAN port?
SPAN (Switched Port Analyzer), also known as port mirroring, sends a mirror image of all network data to another physical port, where the packets can be captured and analyzed.
IPS connects _____ with the flow of data, typically between the firewall and network switch.
inline
IPS connects inline with the flow of data, typically between the firewall and network switch.
True or False
An IDS system generates alerts when a Snort rule detects malicious traffic that matches a signature.
True
An _____ is a message that is sent to an analyst’s console as an indicator of attack (IOA).
An alert is a message that is sent to an analyst’s console as an indicator of attack (IOA).
IDS Alerts
Indicators can be either:
1. Indicators of attack
2. Indicators of compromise
Explain Indicators of attack alert
Indicators of attack indicate attacks happening in real time.
- Proactive approach to intrusion attempts.
- Indicate that an attack is currently in progress but a full breach has not been determined.
- Focus on revealing the intent and end goal of an attacker, regardless of the exploit or malware used in the attack.
Explain Indicators of compromise alert
Indicators of compromise indicate previous malicious activity.
- Indicate that an attack has occurred, resulting in a breach.
- Used to establish an adversary’s techniques, tactics, and procedures (TTPs).
- Expose all the vulnerabilities used in an attack, giving network defenders the opportunity to revamp their defense as part of their mitigation strategy.
True or False
You have to purchase Snort
False
Snort is free
How many modes can Snort operate in?
3
- Sniffer Mode - Reads network packets and displays them on screen.
- Packet Logger Mode - Performs packet captures by logging all traffic to disk.
- Network IDS Mode - Monitors network traffic, analyzes it, and performs specific actions based on administratively defined rules.
Snort can perform ________ and can ________ on a network.
Snort can perform real-time traffic analysis and can log packets on a network.
Rules can direct Snort to monitor the following information:
- OSI Layer - We can watch for IP and TCP data.
- Source and Destination Address - Where the traffic is flowing from and to.
- Byte Sequences - Patterns contained in data packets that might indicate malware, etc.
What does this Snort rule do?
alert ip any any -> any any (msg:"IP Packet Detected";)
This rule logs the message “IP Packet Detected” when it detects an IP packet.
What are the two main differences between a firewall and an IDS system?
An IDS differs from a firewall in that it detects and alerts when triggered by a rule.
What’s the best physical placement for an IDS on a network, inline or mirrored port?
Mirrored port
An IDS placed at the Perimeter layer of the DiD model is referred to as what?
Perimeter IDS
Define each part of the following Snort alert:
alert ip any any -> any any (msg:"IP Packet Detected";)
- alert: The action that Snort will take when triggered.
- ip: Applies the rule to all IP packets.
- any any: From any source IP address and from any source port.
- ->: All traffic inbound from outside the network to inside the network.
- any any: To any destination IP address and destination port.
- (msg:"IP Packet Detected";): The message printed with the alert when the rule is matched.
An intrusion system that can act on an alert by blocking traffic is referred to as what?
Intrusion prevention system or IPS
Name the two types of detection techniques used by intrusion detection systems.
Anomaly and signature
True or False:
Signature-based IDS systems are not effective against zero-day attacks.
True
When used together, which should be placed farthest from the data: a firewall, an IDS, or an IPS?
A firewall
Name and define the three different Snort configuration modes.
Sniffer Mode: Reads network packets and displays them to screen.
Packet Logger Mode: Performs packet captures by logging all traffic to disk.
NIDS Mode: Monitors network traffic, analyzes it, and performs specific actions based on administratively defined rules.
What is the difference between an IDS and an IPS?
An IPS can act on traffic by blocking it and preventing it from being delivered to a host based on the contents of the packet. An IDS cannot.
True or False:
An indicator of attack (IOA) occurs at some previous point in time, and an indicator of compromise (IOC) occurs in real time.
False
(IOC) occurs at some previous point in time and (IOA) occurs in real time
True or False:
An IOA is “proactive” and an IOC is “reactive.”
True
True or False:
An IPS is physically connected “inline” with the flow of traffic, processes entire subnets of data, and requires more robust hardware.
True
_______ use a variety of data analysis tools to detect and stop threats after most front-end layers are compromised.
Network security monitoring uses a variety of data analysis tools to detect and stop threats after most front-end layers are compromised.
What are the NSM strengths (6)?
Allows organizations to:
- Track adversaries through a network and determine intent.
- Acquire intelligence and situational awareness.
- Be proactive by identifying vulnerabilities.
- Be reactive through incident response and network forensics.
- Provide insights about advanced persistent threats.
- Uncover and track malware.
What are the NSM limitations (5)?
- Cannot read encrypted traffic.
- Powerful hardware and CPU requirements mean higher costs.
- Difficulty reading radio transmissions, meaning attackers can use mobile radio communications to obfuscate attacks.
- NSM is an invasive process that monitors and records all network data.
- Placement of an NSM can be limited at certain areas of the network.
What are the two stages NSM operates in?
- Detection - An alert is generated in the Sguil analyst console.
- Response - A security team responds to a security incident.
NSM Stages and Processes
Explain the NSM detection stage.
Detection is when an alert is generated in the Sguil analyst console. It has two processes:
Collection
- The event is observed and the data is stored in the form of a PCAP file.
- Data sources: host data, network data, application logs, data from third parties, data from constituents.
Analysis
- The alert data is identified, validated, documented, and categorized according to its threat level.
- IOC-centric analysis, or “matching”.
- IOC-free analysis, or “hunting”.
Intrusion detection systems are generally placed at strategic points in a network where traffic is______.
These devices are typically placed next to a _____ or _____ that filters traffic.
Intrusion detection systems are generally placed at strategic points in a network where traffic is most vulnerable.
These devices are typically placed next to a router or switch that filters traffic.
What is Security Onion?
A network security monitoring platform that provides context, intelligence, and situational awareness of a network.
Security Onion is an Ubuntu-based, open source Linux distribution that contains many NSM tools used to protect networks from attacks.
What are 3 NSM tools for incident detection and response?
- Sguil - Pulls alert data from Snort, allowing us to more thoroughly analyze alerts.
- Transcript - Provides a view of PCAP transcripts that are rendered with TCP flow.
- NetworkMiner - Performs advanced network traffic analysis through extraction of artifacts contained in PCAP files.
Sguil has six key functions that help with analysis:
- Performs simple aggregation of alert data records.
- Makes available certain types of metadata.
- Allows queries and review of alert data.
- Allows queries and review of session data.
- Allows easy transitions between alert or session data and full content data.
- Counts and classifies events, enabling escalation and other incident response decisions.
Sguil has four main sections:
- Alert Panel
- Snort Rule
- Packet Data
- IP Resolution
True or False:
NSM is vulnerability-centric, with its primary focus on the vulnerability and not the adversary.
False
True or False:
The strength of NSM is its focus on the visibility of an attack, not its control.
True
True or False:
NSM can see inside encrypted traffic.
False
True or False:
Alerts in Security Onion’s Sguil console are the equivalent of an Indicator of Attack, or IOA.
True
True or False:
NSM provides organizations with the capability to track and uncover malware.
True
True or False:
The Snort IDS engine drives the functionality of the Sguil analyst’s console.
True
Name two methods for physically connecting an IDS to a network.
Network tap or SPAN/mirrored port
Name the two stages of NSM and their processes.
The first stage is Detection. Its processes are Collection and Analysis.
The second stage is Response. Its processes are Escalation and Resolution.