CENT 310 EXAM 2 WRITTEN Flashcards
Describe the functionality of an IDS
An IDS is responsible for detecting unauthorized access or attacks against a system or a network. It can verify, itemize, and characterize threats originating both outside and inside the network.
Describe the three modes of detection for an IDS
Signature based: analyzes traffic for patterns associated with known attacks stored in a signature database; misses attacks with no signature.
Anomaly based: analyzes traffic and compares it to normal or baseline traffic, flagging deviations that might indicate an attack; can catch novel attacks but depends on a clean baseline.
Rule/Heuristic based: analyzes traffic using pre-configured rules and an inference engine to determine when the characteristics of an attack exist.
What is the Security Onion
Security Onion can act as an IDS (Intrusion Detection System) and an NSM (Network Security Monitoring) platform. It is a free, open-source Linux distribution that bundles a suite of tools providing IDS and IPS functionality, security monitoring, and log analysis.
It contains Snort, Suricata, Sguil, Squert, Snorby, Bro (now called Zeek), NetworkMiner, Xplico and others.
What are the hardware requirements for the Security Onion
64-bit CPU with 4 cores and 8 GB RAM as a minimum; full packet capture and indexing are CPU- and storage-intensive, so size the processor and disk for the traffic volume being monitored.
What is the purpose of a NSM utility (Describe the functionality of the 4 major utilities types found in SO)
Network Security Monitoring:
- Collects and displays alerts of suspicious activity
- Analyzes alerts of suspicious activity
- Collects packets for analysis
- Gives an overview of network activity to support decision-making
The four major utility types in Security Onion, with the tool that provides each:
- IDS/IPS: Snort (or Suricata)
- HIDS (host-based IDS): OSSEC
- Session analysis: Bro (Zeek)
- Visibility into logs and alerts: ELSA, Sguil
Describe sources of Event Logs
The "source" of an event log entry is the name of the software that logged the event, often the application itself or, for a large application, the name of the subcomponent that raised it. Typical log-generating devices:
- Network devices/appliances (routers, switches, firewalls)
- End devices (workstations, servers)
- Internet of Things (IoT) devices
What are the Cisco alert logging categories
These are the standard syslog severity levels; lower numbers are more severe:
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages
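As an added example (not part of the original card set), the following Python parses Cisco IOS-style syslog lines, pulls the severity out of the %FACILITY-SEVERITY-MNEMONIC marker, and splits the lines into urgent (error or worse) and routine. The log lines are constructed for the example, and the function names are the example's own.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Syslog/Cisco severity numbers and names, as listed on the card above.
# Lower number = more severe; 0 (emergency) is the worst.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}

# Cisco IOS embeds the severity in the message mnemonic:
#   %FACILITY-SEVERITY-MNEMONIC: description
_CISCO_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


class CiscoEvent(NamedTuple):
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_cisco_message(line: str) -> Optional[CiscoEvent]:
    """Extract facility, severity, mnemonic and text; None if the line is not IOS-style."""
    m = _CISCO_RE.search(line)
    if m is None:
        return None
    return CiscoEvent(m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def triage(lines: List[str], max_severity: int = 3) -> Tuple[List[CiscoEvent], List[CiscoEvent], List[str]]:
    """Split lines into (urgent, routine, unparsed).

    'Urgent' means numeric severity <= max_severity (error or worse by default),
    because the scale is inverted relative to everyday intuition.
    Lines that do not parse are returned rather than silently dropped.
    """
    urgent, routine, unparsed = [], [], []
    for line in lines:
        ev = parse_cisco_message(line)
        if ev is None:
            unparsed.append(line)
        elif ev.severity <= max_severity:
            urgent.append(ev)
        else:
            routine.append(ev)
    return urgent, routine, unparsed


# Constructed sample (not real device output): IOS lines with the <PRI> header a syslog
# server would receive (local7 facility, 23*8 + severity), a sequence number and timestamp.
SAMPLE_LOG = """\
<189>42: *Mar  1 00:01:12.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<187>43: *Mar  1 00:01:40.117: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
<190>44: *Mar  1 00:02:05.551: %SEC_LOGIN-6-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5]
<188>45: *Mar  1 00:03:11.009: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9]
<185>46: *Mar  1 00:04:00.000: %PLATFORM-1-OVERTEMP: Temperature exceeded threshold
this line is not an IOS message and should be reported, not silently dropped
"""

if __name__ == "__main__":
    urgent, routine, unparsed = triage(SAMPLE_LOG.splitlines())
    for ev in urgent:
        print(f"[{ev.severity} {ev.severity_name}] {ev.facility}-{ev.mnemonic}: {ev.text}")
    print(f"{len(routine)} routine, {len(unparsed)} unparsed")
```

The threshold is deliberately on the numeric value: a filter written as "severity >= 3" reads naturally but would alert on notices and debug output while ignoring emergencies.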
What can be used to centralize logs from network devices
A central logging server or a centralized log-management application (SIEM).
RADIUS and TACACS+ are AAA (authentication, authorization, accounting) protocols; they are not the protocol used to ship logs.
Syslog is the protocol used to send device logs to the central server (UDP port 514 by default, TCP or TLS where the device supports it).
What can be used to centralize logs from windows devices
Windows Event Forwarding: an event log subscription between a source computer and a collector. On the source, add the collector's computer account to the local Event Log Readers group and enable Windows Remote Management (winrm quickconfig); on the collector, enable the Windows Event Collector service (wecutil qc) and create a subscription to the source under Subscriptions in Event Viewer.
Describe the 3 major logs available in a Windows environment
1) Application: records events logged by programs installed on the system; the application decides what it writes here.
2) System: records events from Windows system components, such as drivers and services.
3) Security: records audit events such as logon attempts and resource access; entries appear only for categories enabled in the audit policy.
What are the three events seen in Windows logs
Security Log
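As an added example (not part of the original cards), the following Python runs two simple detections over Security log entries of the kind the card describes: password guessing (many 4625 failed-logon events from one source against one account) and, more telling, a 4624 success that follows a run of failures. The CSV is constructed to look like a Security log export and is not real data; the function names are the example's own.

```python
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Security log event IDs (Windows Vista and later numbering).
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

# Constructed sample in the shape of a CSV export of the Security log
# (e.g. Get-WinEvent output saved with Export-Csv); not real data.
# LogonType 2 = interactive, 3 = network.
SAMPLE_CSV = """\
TimeCreated,EventID,TargetUserName,IpAddress,LogonType
2024-01-10T08:00:01,4624,alice,10.0.0.5,2
2024-01-10T08:02:10,4625,administrator,203.0.113.9,3
2024-01-10T08:02:11,4625,administrator,203.0.113.9,3
2024-01-10T08:02:12,4625,administrator,203.0.113.9,3
2024-01-10T08:02:13,4625,administrator,203.0.113.9,3
2024-01-10T08:02:14,4625,administrator,203.0.113.9,3
2024-01-10T08:02:20,4624,administrator,203.0.113.9,3
2024-01-10T08:03:00,4625,bob,10.0.0.7,2
2024-01-10T08:10:00,4624,bob,10.0.0.7,2
"""


class Event(NamedTuple):
    time: str
    event_id: int
    user: str
    ip: str
    logon_type: int


class Hit(NamedTuple):
    user: str
    ip: str
    time: str
    failures_before: int


def load_events(text: str) -> List[Event]:
    """Parse the CSV export into typed events, sorted by time."""
    rows = csv.DictReader(io.StringIO(text))
    events = [Event(r["TimeCreated"], int(r["EventID"]), r["TargetUserName"].lower(),
                    r["IpAddress"], int(r["LogonType"])) for r in rows]
    return sorted(events, key=lambda e: e.time)


def failed_logon_bursts(events: List[Event], threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """(user, source IP) pairs with at least `threshold` failed logons: password guessing."""
    counts = Counter((e.user, e.ip) for e in events if e.event_id == LOGON_FAILURE)
    return {key: n for key, n in counts.items() if n >= threshold}


def success_after_failures(events: List[Event], threshold: int = 3) -> List[Hit]:
    """A 4624 from a (user, IP) pair that has already produced >= threshold 4625s.

    A success that follows a run of failures is the signature of a guess that worked,
    which matters far more than the failures on their own.
    """
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    hits: List[Hit] = []
    for e in events:  # events are time-ordered, so the count reflects history only
        key = (e.user, e.ip)
        if e.event_id == LOGON_FAILURE:
            failures[key] += 1
        elif e.event_id == LOGON_SUCCESS and failures[key] >= threshold:
            hits.append(Hit(e.user, e.ip, e.time, failures[key]))
            failures[key] = 0  # reset so one run of guesses is reported once
    return hits


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    print("bursts:", failed_logon_bursts(evs))
    for h in success_after_failures(evs):
        print(f"success after {h.failures_before} failures: {h.user} from {h.ip} at {h.time}")
```

With the default thresholds only the administrator account from 203.0.113.9 is reported; bob's single typo followed by a success is normal user behaviour and stays below the bar.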
Describe how RSYSLOG is configured and deployed on a LINUX computer
1) Install rsyslog on the Linux computer if it is not installed by default (it is the default syslog daemon on most distributions).
2) To accept remote log messages, enable the UDP and/or TCP input modules in /etc/rsyslog.conf by uncommenting the module and listener lines for port 514 (legacy syntax: $ModLoad imudp and $UDPServerRun 514; newer syntax: module(load="imudp") and input(type="imudp" port="514")), then allow the port through the host firewall.
3) To send events to another server, add a forwarding rule: a single @ before the host means UDP, @@ means TCP (for example *.* @logserver:514).
4) Restart rsyslog and test with logger messages, then confirm they appear in the remote server's log file.
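As an added example (not from the original cards or from rsyslog), the following Python shows what step 4 actually puts on the wire: it encodes the syslog PRI value (facility * 8 + severity), formats a BSD-style RFC 3164 message the way logger does, sends it over UDP to a loopback listener standing in for the rsyslog imudp input, and parses what arrives. Host name, tag and message text are constructed; the listener binds an ephemeral port rather than 514 so it runs without privileges.

```python
import re
import socket
import time
from typing import NamedTuple, Tuple

# Facility and severity codes from RFC 3164 / RFC 5424.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. local0.notice -> 133."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of encode_pri: (facility, severity)."""
    return divmod(pri, 8)


def build_message(facility: str, severity: str, tag: str, text: str,
                  hostname: str = "host1", timestamp: str = None) -> str:
    """Format a BSD-style (RFC 3164) syslog message like `logger -p facility.severity -t tag` does."""
    ts = timestamp or time.strftime("%b %d %H:%M:%S")
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag}: {text}"


_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


class SyslogMessage(NamedTuple):
    facility: int
    severity: int
    timestamp: str
    hostname: str
    tag: str
    text: str


def parse_message(raw: str) -> SyslogMessage:
    """Parse an RFC 3164 message as a receiver would; reject malformed PRI values."""
    m = _SYSLOG_RE.match(raw)
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m["pri"])
    if pri > 191:  # max facility 23 * 8 + max severity 7
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = decode_pri(pri)
    return SyslogMessage(fac, sev, m["ts"], m["host"], m["tag"], m["msg"])


def udp_round_trip(facility: str, severity: str, tag: str, text: str,
                   timestamp: str = "Mar  1 00:01:12") -> SyslogMessage:
    """Stand-in for `logger -d -n 127.0.0.1 -P <port>` plus an rsyslog imudp listener.

    UDP syslog has no acknowledgement: if the listener is not there the message is
    simply lost, which is why TCP (@@) is preferred for anything that must arrive.
    """
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))   # port 0: OS picks a free port (rsyslog would use 514)
    receiver.settimeout(2)
    port = receiver.getsockname()[1]
    wire = build_message(facility, severity, tag, text, timestamp=timestamp).encode()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(wire, ("127.0.0.1", port))
        data, _ = receiver.recvfrom(2048)
    finally:
        sender.close()
        receiver.close()
    return parse_message(data.decode())


if __name__ == "__main__":
    print(udp_round_trip("auth", "warning", "sshd",
                         "Failed password for root from 203.0.113.9 port 4242 ssh2"))
```

The equivalent manual test with util-linux logger is `logger -d -n 127.0.0.1 -P 514 -p auth.warning -t sshd "Failed password ..."` against a real rsyslog listener; the receiving side then decodes the same PRI value shown here.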
What are the three default chains in IPtables
1) INPUT chain: packets arriving at the firewall host itself, destined for a local process.
2) OUTPUT chain: packets generated by local processes and leaving the host.
3) FORWARD chain: packets routed through the host from one interface to another, neither originating from nor destined for a local process.
What are the three possible actions which can be taken on packets with iptables
Note that -A, -C and -D are iptables command options for managing rules, not actions taken on packets:
-A, --append: append one or more rules to the end of the selected chain
-C, --check: check whether a rule matching the specification exists in the selected chain
-D, --delete: delete one or more rules from the selected chain
The three packet actions (targets) are ACCEPT, DROP and REJECT. ACCEPT lets the packet through. DROP discards it silently, so the sender only sees a timeout. REJECT discards it and sends an error back (an ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset), so the sender learns immediately that it was refused.
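As an added example (not from the original cards, and not iptables code), the following Python models how the three built-in chains and the three targets behave: a packet is steered to INPUT, OUTPUT or FORWARD depending on whether the host is its destination, its source, or neither; the first matching rule wins; the chain policy applies when nothing matches; and REJECT differs from DROP only in sending a reply. The example ruleset mirrors `iptables -P INPUT DROP`, `iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT`, `iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset` and `iptables -P FORWARD DROP`. The model is a simplification (no connection tracking, NAT or routing-table lookup); addresses and class names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or REJECT
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    src: Optional[str] = None     # -s, an address or CIDR block

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        return True


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"        # -P: the verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # -A: rules are evaluated in insertion order
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:              # first match wins, later rules never run
            if rule.matches(pkt):
                return rule.target
        return self.policy


class Firewall:
    def __init__(self, local_addrs: Iterable[str]):
        self.local = set(local_addrs)        # addresses owned by this host
        self.chains: Dict[str, Chain] = {n: Chain(n) for n in ("INPUT", "OUTPUT", "FORWARD")}

    def select_chain(self, pkt: Packet) -> str:
        """Routing decision in miniature: to us -> INPUT, from us -> OUTPUT, else FORWARD."""
        if pkt.dst in self.local:
            return "INPUT"
        if pkt.src in self.local:
            return "OUTPUT"
        return "FORWARD"

    def filter(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, reply): DROP is silent, REJECT answers the sender."""
        verdict = self.chains[self.select_chain(pkt)].verdict(pkt)
        reply = None
        if verdict == "REJECT":
            # TCP gets a RST (as --reject-with tcp-reset would); other protocols get ICMP.
            reply = "tcp-reset" if pkt.proto == "tcp" else "icmp-port-unreachable"
        return verdict, reply


def build_example_firewall() -> Firewall:
    """SSH allowed from the internal range, explicitly refused elsewhere; everything else dropped."""
    fw = Firewall(["192.0.2.10"])
    inp = fw.chains["INPUT"]
    inp.policy = "DROP"                                              # iptables -P INPUT DROP
    inp.append(Rule("ACCEPT", proto="tcp", dport=22, src="10.0.0.0/8"))
    inp.append(Rule("REJECT", proto="tcp", dport=22))
    fw.chains["FORWARD"].policy = "DROP"                             # iptables -P FORWARD DROP
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    for pkt in (Packet("10.1.2.3", "192.0.2.10", "tcp", 22),
                Packet("203.0.113.9", "192.0.2.10", "tcp", 22),
                Packet("203.0.113.9", "192.0.2.10", "udp", 53),
                Packet("10.1.2.3", "198.51.100.1", "tcp", 80)):
        print(fw.select_chain(pkt), pkt.src, "->", pkt.dst, fw.filter(pkt))
```

Rule order is the point worth internalising: swapping the two INPUT rules would make the REJECT rule match first and lock out the internal range too, which is the most common way a ruleset breaks.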
where are RSYSLOG events stored by default in Linux
/var/log/messages on Red Hat-family systems (RHEL, CentOS, Fedora); Debian and Ubuntu write the same general stream to /var/log/syslog. Authentication events go to /var/log/secure and /var/log/auth.log respectively.
Describe the functionality of Splunk
Splunk captures, indexes, and correlates real-time machine generated data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.
Describe the functionality of ELSA
Enterprise Log Search and Archive (ELSA) is a log receiver, archiver, indexer, and web front end for incoming syslog.
Describe the functionality of Dumpit
DumpIt is used to generate a physical memory dump (snapshot) of a Windows machine's RAM. Used in memory forensics and incident response; run it before shutting the machine down, since powering off destroys the evidence it captures.
Describe the functionality of Volatility
Volatility analyzes RAM images from 32-bit and 64-bit systems: raw dumps, crash dumps, VMware and VirtualBox dumps, and more. Used in memory forensics and incident response.
Name four stakeholders involved in the IR process
HR: Develop job descriptions for those persons who will be hired for positions involved in IR.
Legal: Review NDA agreements to ensure support for IR effort.
Marketing: Create newsletter and other education material to be used in employee response training.
Management: Communicates the importance of the IR plan to all parts of the organization. An important factor in the success of an IR plan is the support, both verbal and financial, of upper management.
Describe 6 common network signs of security incident
Bandwidth consumption
Whenever bandwidth usage is abnormal, look for security issues that generate unusual amounts of traffic, such as DoS and DDoS attacks.
Can use free network bandwidth monitoring tools: BitMeter OS, Freemeter Bandwidth Monitor, BandwidthD.
Beaconing
Refers to traffic that leaves the network at regular intervals as a compromised host calls home to its command-and-control server. Firewalls, IDS, web proxies, and SIEM systems, combined with baselines of normal activity, help identify beacons.
Irregular peer-to-peer communication
Illegal file sharing could be occurring, and P2P communication can be a sign of a botnet. Malicious code may be spread along with the shared files, and large downloads can create a DoS condition on the network.
Rogue device on network
Wireless key loggers
Collect keystrokes and transmit them to the criminal over Bluetooth or Wi-Fi.
Wi-Fi and Bluetooth hacking gear
Captures both Bluetooth and Wi-Fi transmissions.
Rogue access points
Designed to lure hosts into connecting so that their traffic can be intercepted (man-in-the-middle).
Rogue switches
Negotiate a trunk link with a legitimate switch (for example via DTP), giving the attacker access to all VLANs.
Mobile hacking gear
Allows a malicious individual to use software with a software-defined radio to trick cell-phone users into routing their connections through a fake cell tower.
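As an added example (not part of the original cards), the following Python implements the beaconing check described above over a constructed outbound flow log: for each source/destination pair it computes the inter-arrival times and flags pairs whose intervals are both numerous and nearly constant (low coefficient of variation). One pair checks in once a minute; the other is bursty human browsing. The addresses, thresholds and function names are the example's own.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed outbound flow log (timestamp, source, destination, dst port); not real traffic.
# 10.0.0.5 -> 198.51.100.23 checks in every ~60 s; 10.0.0.8 -> 203.0.113.80 is irregular browsing.
SAMPLE_FLOWS = """\
2024-01-10T09:00:00 10.0.0.5 198.51.100.23 443
2024-01-10T09:00:00 10.0.0.8 203.0.113.80 443
2024-01-10T09:00:17 10.0.0.8 203.0.113.80 443
2024-01-10T09:01:00 10.0.0.5 198.51.100.23 443
2024-01-10T09:01:09 10.0.0.8 203.0.113.80 443
2024-01-10T09:02:00 10.0.0.5 198.51.100.23 443
2024-01-10T09:03:01 10.0.0.5 198.51.100.23 443
2024-01-10T09:04:00 10.0.0.5 198.51.100.23 443
2024-01-10T09:04:30 10.0.0.8 203.0.113.80 443
2024-01-10T09:05:00 10.0.0.5 198.51.100.23 443
2024-01-10T09:06:00 10.0.0.5 198.51.100.23 443
2024-01-10T09:12:02 10.0.0.8 203.0.113.80 443
2024-01-10T09:15:40 10.0.0.8 203.0.113.80 443
2024-01-10T09:16:00 10.0.0.8 203.0.113.80 443
"""

Pair = Tuple[str, str]


class Beacon(NamedTuple):
    src: str
    dst: str
    count: int
    mean_interval: float   # seconds between connections
    cv: float              # stdev / mean of the intervals; ~0 means metronomic


def parse_flows(text: str) -> Dict[Pair, List[datetime]]:
    """Group connection timestamps by (source, destination), sorted in time."""
    by_pair: Dict[Pair, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _port = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    for times in by_pair.values():
        times.sort()
    return by_pair


def interval_stats(times: List[datetime]) -> Tuple[float, float]:
    """Mean inter-arrival time and its coefficient of variation."""
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(deltas)
    if len(deltas) < 2 or mean <= 0:
        return mean, float("inf")
    return mean, statistics.stdev(deltas) / mean


def find_beacons(text: str, min_events: int = 5, max_cv: float = 0.2) -> List[Beacon]:
    """Pairs with at least min_events connections whose spacing is regular enough to be a beacon."""
    found = []
    for (src, dst), times in parse_flows(text).items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            found.append(Beacon(src, dst, len(times), mean, cv))
    return found


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_FLOWS):
        print(f"{b.src} -> {b.dst}: {b.count} connections every {b.mean_interval:.0f}s (cv={b.cv:.3f})")
```

Real implants often add random jitter to the sleep interval precisely to defeat this kind of check, so in practice max_cv is tuned against the baseline the card mentions, and the destination's reputation and the request size are weighed alongside timing.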
Describe 10 common host signs of a security incident
Processor Consumption
A processor that is busy while very little or nothing is running to generate the activity could be a sign that it is working on behalf of malicious software.
Sysinternals Process Explorer shows the top CPU consumer in the notification area, and the graph in Task Manager's Performance tab shows past spikes so you can identify what caused them.
Memory Consumption
Increased memory consumption can indicate a compromised host: additional programs have been loaded into RAM so they can be executed.
Drive Capacity Consumption
Available disk space on the host decreasing for no apparent reason could mean the host is staging information to be transmitted later. Some malware also causes an increase in free space by deleting files.
Unauthorized Software
Whitelists: specify the only applications that are allowed to run; everything else is blocked.
Blacklists: specify which applications cannot run; everything else is allowed.
Malicious Processes
Malicious programs use processes to access the CPU. Processes that consume CPU or memory sometimes do not show up in Task Manager; Process Explorer or a similar tool gives better results.
Unauthorized Changes
Missing files, modified files, new menu options, strange error messages, and odd system behavior are all indication of unauthorized changes.
Unauthorized Privileges
Can be the result of privilege escalation. Check all system accounts for changes to permissions and rights, verify they are assigned correctly, and pay special attention to new accounts with admin privileges.
Data Exfiltration
Theft of data from a device. Any reports of missing or deleted data should be investigated.
DLP (data loss prevention) software attempts to prevent data leakage by maintaining awareness of which actions can and cannot be taken with respect to a document.
Describe any three containment techniques.
Segmentation
Limiting the scope of an incident by using existing network segments as barriers to prevent spread to other segments.
Isolation:
Implemented by blocking all traffic to and from a device or devices, or by shutting down the device's interface. Works well for a single compromised system; for multiple devices, segmentation is the better option.
Removal:
Shutting down a device or removing it from the network to stop the threat from spreading to or from it. Not recommended until digital forensics has been completed, since shutting down destroys volatile evidence such as memory contents.