(3) Common Network Issue Detection Flashcards
What are some tools that can be used to detect and therefore remedy high bandwidth consumption issues?
Tools that can be used to detect high bandwidth consumption issues include:
Flow data tools that show trends and information about the status of the network
Monitoring tools that can look for high usage levels
Real-time or near-real-time graphs can be set up to monitor bandwidth
Simple Network Management Protocol (SNMP) can be used to look for high load and other bandwidth utilization at a particular network device
What is beaconing?
Beaconing is traffic sent to a command and control (C&C) server as part of an attack on a network.
It is usually sent as HTTP or HTTPS traffic
Beaconing can involve commands, status checks, additional malware delivery, and other actions
How difficult is it to identify beaconing?
It can be very difficult to identify beaconing because it is normally encrypted and looks like any other traffic
How is beaconing activity normally detected?
A good IDS or IPS with solid detection rules will help track down beaconing behavior
How can flow and monitoring tools help in the detection of beaconing traffic?
Flow analysis and overall traffic analysis tools can be used to make sure that systems aren’t sending unexpected traffic
Inspecting outbound traffic is also crucial in this case, because an infected device is the point from which a C&C server communicates with your network
What are examples of unexpected traffic spikes?
Unexpected traffic spikes include:
-scans, sweeps, probes, unusual peer-to-peer traffic between systems that don’t normally talk to each other, spikes in network traffic, activity on unexpected ports, etc.
What tools can be used to catch unexpected traffic spikes?
Tools that can be used to catch unexpected traffic include:
behavior-based detection tools used with IDSs and IPSs, traffic monitoring solutions, or manual observation of traffic
What methodologies can be used to help define what traffic is unexpected?
Three techniques can be used to help define unexpected traffic:
-Baselining, or anomaly-based detection
-Heuristics, or behavior-based detection
-Protocol analysis
In terms of detecting unexpected network traffic, what are behavior based detection tools?
Behavior-based detection tools include network security devices with defined rules for scans, sweeps, attack traffic, and other network concerns
In terms of detecting unexpected traffic spikes, what do protocol analyzers do?
Protocol analyzers help detect unexpected traffic, such as a VPN being used where one shouldn’t be, or IPv6 tunnels running from a network that only uses IPv4 and has no need for IPv6.
They can also be used to detect when common protocols are being used on an uncommon port
What are common examples of network activity that may be a scan or sweep from a bad actor?
Examples of network activity that may be a scan include:
-Testing of service ports, connecting to many IP addresses in a network, repeated requests to services that may not be active, etc.
What common network security devices can help with detecting scans and sweeps, and what do we need to be aware of when we use them?
Common network devices such as IDSs, IPSs, and firewalls/network security devices have built-in scan detection abilities
If you use these, though, be aware that they generate a lot of noise, so take this into consideration