M11 - Intrusion detection and network attacks - C11

Question 1

What is an instrusion/incident?

M11 - Intrusion detection and network attacks - C11

Answer 1

an event on a host or network that violates
security policy, or is an imminent threat to put a system in an unauthorized state.

Question 2

What is intrusion detection?

M11 - Intrusion detection and network attacks - C11

Answer 2

The process of monitoring and anlyze system event in order to identify and report intrusions.

Question 3

What does a intrusion detection system (IDS) include?

M11 - Intrusion detection and network attacks - C11

Answer 3

systems to automate following processes:
- event monitoring
- logging
- means to support human analysis and repporting of events.

Question 4

What is the difference between a intrusion detection system (IDS) and an intrusion prevention system (IPS)?

M11 - Intrusion detection and network attacks - C11

Answer 4

IDS is passive as it will detect and log events, but human interaction is required to metigate deteceted violations.

IPS on the other hand include active response to detected violations.

Question 5

What does it mean that in IDS is network based (NIDS)?

M11 - Intrusion detection and network attacks - C11

Answer 5

The sensors that collect event streams are placed across a network, for example on a LAN and DMZ.

Question 6

What does it mean that IDS is host-based (HIDS)?

M11 - Intrusion detection and network attacks - C11

Answer 6

The sensors that collect event streams are placed at the host (server, PC etc.).

Question 7

What is the intrusion detection problem?

M11 - Intrusion detection and network attacks - C11

Answer 7

To rightfully determine whether an event is from a ligitimate distribution or a destribution of instruder behavior.

Question 8

Why is high rate of false positives problematic?

M11 - Intrusion detection and network attacks - C11

Answer 8

• It takes up the analysts time.
• It makes it more likely that rightfully positives will be ignored.

Question 9

What are the three philosophical approaches to intrusion detection?

M11 - Intrusion detection and network attacks - C11

Answer 9

• Signature based approach
• Specification based approach
• Anomaly-based approach

Question 10

What characterizes the signature-based IDS approach

M11 - Intrusion detection and network attacks - C11

Answer 10

An expert defines malicious patterns based on known attacks.

Question 11

Wat are the pros of a signature-based IDS approach?

M11 - Intrusion detection and network attacks - C11

Answer 11

• it is fast
• it is accurate (fewer false positive)

Question 12

What characterizes a specification-based IDS approach?

M11 - Intrusion detection and network attacks - C11

Answer 12

Expert defines allowed actions.

Question 13

When is the alarm set of with a specification-based IDS approach?

M11 - Intrusion detection and network attacks - C11

Answer 13

When events deviate from the, by expert, defined allowed (ligitimate) actions.

Question 14

What characterizes an anomaly-based IDS approach?

M11 - Intrusion detection and network attacks - C11

Answer 14

A profile of normal behaviour is created as a base-line for expected event patterns.

Question 15

For what ligitimate purposes may packet-sniffing be used?

M11 - Intrusion detection and network attacks - C11

Answer 15

Logging traffic-related details (packet sniffing) may support network management in case of:
- incidents
- late forensic investigations
- loss evaluations
- system recovery

Question 16

Whata re the three categories of vulnerability assessment tools?

M11 - Intrusion detection and network attacks - C11

Answer 16

• reconnaissance tools
• vulnerability scanners
• penetration testing tools

Question 17

What is the difference between intrusion detection tools and vulnerability detection tools?

M11 - Intrusion detection and network attacks - C11

Answer 17

• Intrusion detection tools seek to detect/defend the system against currently happening intrusions.
• Vulnerability detection tools seek to disclose weaknesses in your system in order to avoid future intrusions.

Question 18

What is a denial of service (DoS) attack?

M11 - Intrusion detection and network attacks - C11

Answer 18

Attacks denying legitimate users access to resources and services by intentional acts that severly degrade performance or cause outright failure.

Question 18

What are the two typical kinds of denial-of-service (DoS) attacks?

M11 - Intrusion detection and network attacks - C11

Answer 18

• Buffer-overflow attacks
• Flood attacks

Question 19

What is a buffer-overflow attack?

M11 - Intrusion detection and network attacks - C11

Answer 19

When an attacker exploit buffer overflow issues by overwriting the memory of an application.

Question 20

What is a flood-attack?

M11 - Intrusion detection and network attacks - C11

Answer 20

When an attacker overwhelms a server by sending a extensive amount of packets.

Question 21

What is th difference between denial-of-service (DoS) attacks and distributed-denial-of-service (DDoS) attacks?

M11 - Intrusion detection and network attacks - C11

Answer 21

• In a DDoS the attacker uses a large number of devices (botnets) to flood the target.
• In DoS the attacker sends the flooding packets from a single device.

Question 22

Why does an attacker often use a false source IP address (IP spofing) when performing a DoS attack?

M11 - Intrusion detection and network attacks - C11

Answer 22

So that the replies to the packets sent do not flood his own device, but instead some other (often random) IP.

Question 23

What is “dwell-times”?

M11 - Intrusion detection and network attacks - C11

Answer 23

The time an attacker has been on a system before they were detected.

Question 24

What is Nmap?

M11 - Intrusion detection and network attacks - C11

Answer 24

An open-source tool used for scanning networks in order to identify devices, open ports, services, and potential vulnerabilities.

Question 25

What is Snort?

M11 - Intrusion detection and network attacks - C11

Answer 25

A signature-based IDS, with which we can define specific events that should result in an alert.

Question 26

What are the typical steps of a scanning?

M11 - Intrusion detection and network attacks - C11

Answer 26

• Find Live hosts and OS version
• Find Open ports
• Determine Version of Service
• Identify Vulnerable services

Question 27

When will port scanning typically be characterized as abnormal (potential intrusion)?

M11 - Intrusion detection and network attacks - C11

Answer 27

When a port scanning is conducted on the inside of a closed network.

Question 28

What are indicators of compromise (IOC)?

M11 - Intrusion detection and network attacks - C11

Answer 28

Technical characteristics that identify a known threat. Making it possible for others to compare finds to formerly detected threats in order to determine if the find is malicious.

Question 29

What is OS fingerprinting?

M11 - Intrusion detection and network attacks - C11

Answer 29

OS fingerprinting is a technique used to identify the operating system of a device on a network. It involves analysing various characteristics of the device’s network behaviour and comparing them to a database of known operating system fingerprints to make an educated guess about what operating system the device is running.

Question 30

What is active OS fingerprinting?

M11 - Intrusion detection and network attacks - C11

Answer 30

When you actively send a number of packets (for instance pings) to target and analyze the replies in order to determine what OS the target device is running.

Question 31

What is passive OS fingerprinting?

M11 - Intrusion detection and network attacks - C11

Answer 31

When you analyze already received replies from a target device in order to determine what OS the target is running.