Section 23 - Monitoring Types Flashcards
When it comes to monitoring the network, this can be done manually or through an automated means. What are three automated methods?
Signature Based
Anomaly Based
Behavior Based
What is Signature Based monitoring?
Network traffic is analyzed for predetermined attack patterns
*** imagine this is like profiling and evaluating characteristics. If you see someone walk through the door who is 5’8” with brown hair then that would be Alex’s signature.
What is anomaly based monitoring?
A baseline is established and any network traffic that is outside of the baseline is evaluated
*** This is evaluating behaviors. Doing something it doesn’t normally do
What is behavior based monitoring?
Activity is evaluated based on the previous behavior of the applications, executables, and the OS in comparison to the current activity of the system
Often, in an intrusion detection or intrusion prevention system, we would do what with these monitoring methods?
Combine them into a hybrid approach
These methods do not have to be used in isolation
What is baselining?
Process of measuring changes in networking, hardware, software and applications
*** Doing this allows us to see what is normal and what is abnormal
What is baseline reporting?
Documenting and reporting on the changes in a baseline
What is security posture?
Risk level to which a system or other technology element is exposed
*** You will have a baseline for the system that you create as part of your security posture.
What is performance baselining?
This is focused on the operations and functionality
It is one of the most common types of monitoring
** Ex. how much disk space being used, how much is the network bandwidth being used, etc.
This is important to monitor because if something is being overtaxed it could be because it has malware and the behavior could serve as an indicator only found by monitoring its performance.
What are some different ways you can do performance monitoring?
- A tool called Performance Monitor (perfmon.exe from the command prompt) - This will show you the amount of processing power, memory and disk space being utilized and allows you to set up reports to compare against in the future
- Protocol Analyzer
What are protocol analyzers?
These are used to capture and analyze network traffic
*** Wireshark is an example of a protocol analyzer
How are protocol analyzers connected to your network?
Promiscuous mode
Non-promiscuous mode
What does Promiscuous mode in a protocol analyzer mean?
Network adapter is able to capture all of the packets on the network regardless of the destination MAC address of the frames carrying them
** Of the two options, this one captures the most information but not all network adapters support this so make sure you have one that does
What does non-promiscuous mode in a protocol analyzer mean?
Network adapter can only capture the packets addressed directly to itself
What is port mirroring?
One or more switch ports are configured to forward all of their packets to another port on the switch
** With switches, frames are forwarded to specific ports based on the destination MAC address in the switch's CAM table, so a single port normally sees only its own traffic. To be able to get all that data, you set up port mirroring.
What is a SPAN port?
This is a port used to do port mirroring of all the other ports so that the protocol analyzer can see their traffic
It uses a logical method to replicate the traffic from all of the other ports onto that SPAN port
*** If you cannot configure a SPAN port, then you can use a network tap
What is a network tap?
A physical device that allows you to intercept the traffic between two points on the network
*** You could put this between the router and the switch at the boundary of the network which would allow you to see everything that’s coming in and out of the network that way
What does SNMP stand for?
Simple Network Management Protocol
What is SNMP?
A TCP/IP protocol that aids in monitoring network-attached devices and computers
*** This is heavily incorporated into the concept of management and monitoring
SNMP is broken down into three components. What are they?
Agent
Managed Devices
Network Management Systems
What are SNMP managed devices?
Computers or other network-attached devices monitored through the use of agents by a network management system
What are SNMP agents?
Software that is loaded on a managed device to redirect information to the network management system
What are SNMP Network Management Systems?
Also called NMS, this is software run on one or more servers to control the monitoring of network-attached devices and computers
*** This is going to act as our manager and it's going to send and receive messages to and from all of our managed devices across the network (your routers, switches and servers)
When your SNMP NMS is running, what are the different requests it can make?
Set Request - Devices will send information back
Get Request - it wants information
Trap Request - Receiving unsolicited information from managed devices (they just send information as needed or at periodic intervals)
From a security standpoint, it’s important to know the different versions of SNMP. They are…?
SNMP v1
SNMP v2
SNMP v3
SNMP v1 and SNMP v2 are considered insecure because…?
They use community strings to access a device
*** The default community strings are "public", which is read-only, and "private", which allows read and write access to the devices.
The only version of SNMP that you should be using is…?
SNMP v3
Provides integrity, authentication and encryption of the messages being sent over the network.
*** It will hash your messages being transmitted, validate the source of the message to give you authentication and it uses DES encryption to provide confidentiality and privacy.
When you conduct network management using SNMP, you have two options where the data can be sent. What are these options?
In Band Communication
Out of Band Communication
What is SNMP In Band Communication?
Sending your management data over the same network that’s carrying your corporate information and normal data
*** This is cheaper and easier, but also less secure.
What is SNMP Out of Band Communication?
This is a secondary network where all the management occurs, while you still have that primary in-band network carrying all of the data that the users are going to get.
Management should always be conducted on an In-Band or Out of Band network?
Out of Band
This is because it increases security and takes the management function out of the place where users can touch it or see it
What is auditing?
A technical assessment conducted on applications, systems or networks
*** This is essentially a detective control that looks to make sure everything was being done correctly, and if anything went wrong, we can go back and put together those pieces.
What are the two ways that auditing can be conducted?
Manually or by using tools
*** Often these are both used in conjunction
What is a big part of auditing?
Logs
This is because these get tied together very frequently inside the auditing concept
What are logs?
Data files that contain the accounting and audit trails for actions performed by a user on the computer or on the network
On a Windows system, there are three types of logs you should be familiar with. What are they?
Security
System
Application
What information would you find in security logs?
Logs for events such as successful and unsuccessful user logons to the system
What information would you find in system logs?
These logs have events such as system shutdown or driver failure
What information would you find in application logs?
Log events for the OS and third-party applications
How do you view the three types of logs on a Windows computer?
Using the "Event Viewer" or a syslog server
Why would you opt to use a SYSLOG server for viewing logs?
This is a much more efficient way to view logs because it allows you to consolidate all of the logs into a single repository that you can read through and use to help correlate events
What is a SYSLOG server?
A standardized format for computer message logging that allows the separation of the software that generates the message, the system that stores them, and the software that reports and analyzes them.
*** Essentially, you can have different servers around the world and they would send all their log files back to a single logging server (the SYSLOG server). It is a centralized monitoring system.
What port does SYSLOG use?
514
UDP
How do you maintain log files?
Perform log file maintenance
What is log file maintenance?
The actions taken to ensure proper creation and storage of a log file
Such as the proper configuration, saving, backing up, securing and encryption of those log files.
What does it mean to overwrite an event?
When a maximum log size is reached, the system can begin overwriting the oldest events in the log files to make room
What is WORM?
Write Once Read Many
Technology like a DVD-R that allows data to be written only once but read unlimited times
What does SIEM stand for?
Security Information and Event Management systems
What is SIEM?
Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
One of the best ways this is used is by correlating events. For example, if you see one of your employees has logged in on a VPN in Asia but also just scanned his badge in at work, then you can correlate those events through a SIEM to flag a potential security risk.
A SIEM can be implemented in many ways. What are those?
Software appliances
Hardware appliances
Outsource managed service
To effectively deploy a SIEM, what things do you have to consider?
- You need to be able to log all relevant events and filter out anything that is not relevant
- You need to make sure you can establish and document the scope of the events
- You need to develop use cases to define a threat
- You need to plan incident responses in advance of given events
- Establish a ticketing process to track the event
- Schedule regular threat hunting
- Provide auditors and analysts an evidence trail
There are many commercial and open-source solutions available on the market. What are some examples of SIEM products you can use?
Splunk
ELK (Elastic Stack)
ArcSight
QRadar
AlienVault
OSSIM
Graylog
What does a SYSLOG message contain?
PRI Code
Header
Message portion
What is SYSLOG PRI code?
A priority code that is calculated based on the facility and the severity level of the data
What is a SYSLOG header?
This will contain the timestamp of the event and the host name
What is a SYSLOG message portion?
This contains the source process of the event and the related content
** Basically, what data happened and what do you want to tell us about.
Originally, SYSLOG did not use any encryption but new implementations do. What port does SYSLOG on TCP use?
1468
The newer version of SYSLOG is called what?
Syslog-ng (SYSLOG Next Generation) or rsyslog
How did the new version of SYSLOG upgrade?
Moved to TCP for consistent delivery
Moved to TLS for encryption
Uses MD5 and SHA-1 for authentication and integrity
SYSLOG is often used to mean three things. What are they?
- It can refer to the protocol that we send the data over
- It can refer to the server as in the SYSLOG server
- It can refer to the log entries themselves as in the Syslog data.
*** Depending on the context, people will often say syslog and mean all three or any one of the three
What does SOAR stand for?
Security Orchestration Automation and Response
What is SOAR?
This is a class of security tools that helps facilitate incident response, threat hunting, and security configuration by orchestrating and automating runbooks and delivering data enrichment
*** Basically, SIEM version 2.0. It takes a security information and event monitoring system and integrates it with SOAR.
What is a playbook?
A checklist of actions that you’re going to perform to detect and respond to a specific type of incident
What is a runbook?
An automated version of a playbook