Chapter 8 Flashcards

intrusion detection

1
Q

Class of intruders

A
  1. cyber criminals
  2. activists
  3. state-sponsored organizations
  4. others
2
Q

cyber criminals

A
  1. member of organized crime group with goal of financial reward
3
Q

activists

A

motivated by social/political reasons
1. hacktivists - skill level usually quite low

4
Q

state sponsored organizations

A

group of hackers sponsored by a state to conduct espionage/sabotage activities (APTs)

5
Q

others

A

motivated by the technical challenge - e.g. discovering new categories of buffer overflow vulnerabilities

6
Q

skill level

A
  1. apprentice
  2. journeyman
  3. master
7
Q

apprentice

A

minimal technical skills
found among criminals + activists
script-kiddies

8
Q

journeyman

A

sufficient skills to modify + extend attack toolkits to use newly discovered/purchased vulnerabilities
may locate new vulnerabilities
found in all intruder classes

9
Q

master

A

high-level skills - discover brand new categories of vulnerabilities
write new, powerful attack toolkits
some employed by states
very difficult to defend against

10
Q

Intrusion example

A
  1. remote root compromise
  2. web server defacement
  3. guessing/cracking passwords
  4. copying a database containing credit card numbers
  5. viewing sensitive data without authorization
  6. running a packet sniffer
  7. distributing pirated software
  8. using an unsecured modem/access point to access the internal network
  9. impersonating an executive to get information
  10. using an unattended workstation
11
Q

Intruder behavior

A
  1. target acquisition + information gathering
  2. initial access
  3. privilege escalation
  4. information gathering/system exploit
  5. maintaining access, covering tracks
12
Q

intrusion detection

A

hardware/software function that gathers + analyzes information from various areas within a computer/network to identify possible security intrusions

13
Q

Intrusion detection system (IDS)

A
  1. Host-based - monitors characteristics of a single host for suspicious activity
  2. Network-based - monitors network traffic + analyzes network protocols to identify suspicious behavior
  3. Distributed/hybrid - combines information from a number of sensors (often both host + network) in a central analyzer that is better able to identify + respond
14
Q

logical components of IDS

A
  1. sensors - collect data
  2. analyzers - determine if an intrusion has occurred
  3. user interface - view output/control system behaviour
15
Q

IDS requirement

A
  1. run continually
  2. be fault tolerant
  3. resist subversion
  4. impose minimal overhead on the system
  5. be configured according to system security policies
  6. adapt to changes in systems + users
  7. scale to monitor a large number of systems
  8. provide graceful degradation of service
  9. allow dynamic reconfiguration
16
Q

analysis approach

A
  1. anomaly detection - collect data on the behavior of legitimate users over a period of time, then analyze current behavior to determine whether it is legitimate
  2. signature/heuristic detection - compare current behavior against a set of known malicious data patterns/attack rules - only identifies known attacks
17
Q

Anomaly detection

A
  1. statistical - analysis of observed behavior using a univariate/time-series model of observed metrics
  2. knowledge based - expert system that classifies behavior according to a set of rules that model legitimate behavior
  3. machine learning - automatically determine a suitable classification model from training data using data mining techniques
18
Q

Signature/heuristic detection

A
  1. signature - match a large collection of known patterns of malicious data against data stored/in transit
    - pattern set needs to be large enough to avoid false positives
  2. rule based/heuristic - uses rules to identify known penetrations or ones that would exploit known weaknesses
    - e.g. Snort, a rule-based NIDS
19
Q

HIDS

A

adds a specialized layer of security software to vulnerable/sensitive systems - either anomaly or signature based
detects both internal + external intrusions

20
Q

data sources + sensors

A
  • sensor collecting data on possible intrusions, from sources such as:
  • system call traces
  • audit records
  • file integrity checksums
  • registry access
21
Q

NIDS

A
  • monitors traffic at selected points in the network
  • examines traffic packet by packet in real time
  • NIDS components: sensors + management console
  • sensors analyze traffic
22
Q

signature detection attacks

A
  1. application layer reconnaissance + attacks
  2. transport layer reconnaissance + attacks
  3. network layer reconnaissance + attacks
  4. unexpected application services
  5. policy violations
23
Q

anomaly detection attacks

A
  1. DoS
  2. scanning
  3. worms
24
Q

stateful protocol analysis

A

subset of anomaly detection that compares observed network traffic against predetermined, universal, vendor-supplied profiles of benign protocol traffic - high resource use

25
Q

logging of alerts

A
  1. timestamp
  2. connection/session ID
  3. event/alert type
  4. rating (e.g. priority/severity)
  5. network, transport + application layer protocols
  6. source + destination IP addresses
  7. source + destination TCP/UDP ports, or ICMP types + codes
  8. number of bytes transmitted over the connection
  9. decoded payload data
  10. state-related data
26
Q

IETF intrusion detection working group

A

defines data formats + exchange procedures for sharing information of interest to intrusion detection + response systems, and to the management systems that may need to interact with them

27
Q

IETF RFC

A
  1. Intrusion detection message exchange requirements - defines the requirements for IDMEF (intrusion detection message exchange format)
  2. Intrusion detection message exchange format (IDMEF) - describes a data model to represent information exported by intrusion detection systems
  3. Intrusion detection exchange protocol (IDXP) - application-level protocol for exchanging data between intrusion detection entities
28
Q

honeypot classification

A
  1. low interaction - not a real system; provides only a realistic initial interaction
  2. high interaction - real system; occupies the attacker for an extended period