M11 - Intrusion detection and network attacks - C11 Flashcards
What is an instrusion/incident?
an event on a host or network that violates
security policy, or is an imminent threat to put a system in an unauthorized state.
What is intrusion detection?
The process of monitoring and anlyze system event in order to identify and report intrusions.
What does a intrusion detection system (IDS) include?
systems to automate following processes:
- event monitoring
- logging
- means to support human analysis and repporting of events.
What is the difference between a intrusion detection system (IDS) and an intrusion prevention system (IPS)?
IDS is passive as it will detect and log events, but human interaction is required to metigate deteceted violations.
IPS on the other hand include active response to detected violations.
What does it mean that in IDS is network based (NIDS)?
The sensors that collect event streams are placed across a network, for example on a LAN and DMZ.
What does it mean that IDS is host-based (HIDS)?
The sensors that collect event streams are placed at the host (server, PC etc.).
What is the intrusion detection problem?
To rightfully determine whether an event is from a ligitimate distribution or a destribution of instruder behavior.
Why is high rate of false positives problematic?
- It takes up the analysts time.
- It makes it more likely that rightfully positives will be ignored.
What are the three philosophical approaches to intrusion detection?
- Signature based approach
- Specification based approach
- Anomaly-based approach
What characterizes the signature-based IDS approach
An expert defines malicious patterns based on known attacks.
Wat are the pros of a signature-based IDS approach?
- it is fast
- it is accurate (fewer false positive)
What characterizes a specification-based IDS approach?
Expert defines allowed actions.
When is the alarm set of with a specification-based IDS approach?
When events deviate from the, by expert, defined allowed (ligitimate) actions.
What characterizes an anomaly-based IDS approach?
A profile of normal behaviour is created as a base-line for expected event patterns.
For what ligitimate purposes may packet-sniffing be used?
Logging traffic-related details (packet sniffing) may support network management in case of:
- incidents
- late forensic investigations
- loss evaluations
- system recovery
Whata re the three categories of vulnerability assessment tools?
- reconnaissance tools
- vulnerability scanners
- penetration testing tools
What is the difference between intrusion detection tools and vulnerability detection tools?
- Intrusion detection tools seek to detect/defend the system against currently happening intrusions.
- Vulnerability detection tools seek to disclose weaknesses in your system in order to avoid future intrusions.
What is a denial of service (DoS) attack?
Attacks denying legitimate users access to resources and services by intentional acts that severly degrade performance or cause outright failure.
What are the two typical kinds of denial-of-service (DoS) attacks?
- Buffer-overflow attacks
- Flood attacks
What is a buffer-overflow attack?
When an attacker exploit buffer overflow issues by overwriting the memory of an application.
What is a flood-attack?
When an attacker overwhelms a server by sending a extensive amount of packets.
What is th difference between denial-of-service (DoS) attacks and distributed-denial-of-service (DDoS) attacks?
- In a DDoS the attacker uses a large number of devices (botnets) to flood the target.
- In DoS the attacker sends the flooding packets from a single device.
Why does an attacker often use a false source IP address (IP spofing) when performing a DoS attack?
So that the replies to the packets sent do not flood his own device, but instead some other (often random) IP.
What is “dwell-times”?
The time an attacker has been on a system before they were detected.
What is Nmap?
An open-source tool used for scanning networks in order to identify devices, open ports, services, and potential vulnerabilities.
What is Snort?
A signature-based IDS, with which we can define specific events that should result in an alert.
What are the typical steps of a scanning?
- Find Live hosts and OS version
- Find Open ports
- Determine Version of Service
- Identify Vulnerable services
When will port scanning typically be characterized as abnormal (potential intrusion)?
When a port scanning is conducted on the inside of a closed network.
What are indicators of compromise (IOC)?
Technical characteristics that identify a known threat. Making it possible for others to compare finds to formerly detected threats in order to determine if the find is malicious.
What is OS fingerprinting?
OS fingerprinting is a technique used to identify the operating system of a device on a network. It involves analysing various characteristics of the device’s network behaviour and comparing them to a database of known operating system fingerprints to make an educated guess about what operating system the device is running.
What is active OS fingerprinting?
When you actively send a number of packets (for instance pings) to target and analyze the replies in order to determine what OS the target device is running.
What is passive OS fingerprinting?
When you analyze already received replies from a target device in order to determine what OS the target is running.
