SB 17: Attacks Flashcards
What does incident prevention mean?
It is when you (ideally) can detect and stop an attack before it succeeds. It is common to use real-time intrusion detection and other techniques for monitoring logs and systems. In order to respond to an attack it needs to be identified before it is completed.
What is jailing?
It aims to fool an attacker into believing their attack was successful by placing them in a confined area. Multilevel security systems are excellent for jailing because they can provide greater degrees of confinement.
What is diversity?
It is an attempt to increase the difficulty of succeeding with an attack by introducing diversity in the different systems. If all systems are the same then one attack will work on all of them.
What is moving target defense?
It is a diversity mechanism that changes the system whilst it is running in order to try and thwart attacks.
What is the attack surface?
The set of entry points and data that can be used to compromise a system.
What is the defender’s dilemma?
The attacker has more flexibility because they can change tactics. Whereas the attack surface can really only stay the same, be minimized or eliminated. It highlights the asymmetry that exist between a defender and attacker. Moving target can reduce the asymmetry.
Give some examples of moving target defense and briefly explain how they work
Network based: IP address hopping. Meant to confuse attackers and hide services. When a client contacts the server, a component maps the destination address and port number to different ones. When the packet gets to the network the server is located on a mechanism maps the address and port to the actual ones the server is located on. The mapped addresses and port numbers are selected pseudorandomly. It must not cause any impediment to the authorized client while still preventing unauthorized ones. Relies on randomness to prevent predicting the changes to the attack surface.
Address space layout randomization (ASLR): Randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. The effectiveness is dependent upon the amount of randomness introduced. Attacks that rely on knowing the location of variables and functions will fail. It aims to prevent the exploitation of memory corruption vulnerabilites (like buffer overflow).
What are the different phases of intrusion handling?
There are different steps that are required in order to restore a system to comply with the security policy.
- Preparation: occurs before an attack. Deals with establishing procedures and mechanisms for detecting and responding to attacks.
- Identification: when an attempted attack has been identified it triggers the remaining phases.
- Containment: trying to limit the effects of the attack as much as possible.
- Eradication: to try and stop and block the attack and any further similar ones.
- Recovery: to restore the system to a secure state that complies with the security policy.
- Follow-up: taking action against the attacker, identifying problems in the handling of the incident and recording lessons learned.
Describe the containment phase
To limit the access of the attacker to system resources. Can be done via two approaches.
- Passive monitoring
- Constraining access to prevent further damage. Minimize the protection domain of the attacker and prevent them from achieving their goal. If the goal is unknown there is a risk that the attacker might be constrained to the area where the information they want is.
What are some methods used in the eradication phase?
Wrappers: a common method for blocking. Placed around suspected targets. Implement various forms of access control, enables local or networked control of access.
Firewalls: controls access from the external network (the Internet) to the internal network and vice versa.
What is a Computer Security Incident Response Team (CSIRT)?
A team established to assist and co-ordinate responses to a security incident among a defined constituency.
What forms can a counter-attack take?
Legal measures
Technical counterattack
What is a honeypot and during which phase can it be implemented?
A carefully designed piece of information or data that will entice the attacker and thus trap them (hopefully) long enough for any countermeasures to be carried out. Used in the containment phase (in order to continue by moving to the eradication phase i guess)
What is a deception toolkit (DTK)?
Using deception as a method for countering attacks. Decieving the attacker into believing the system has more vulnerabilities than it actually does. This can increase the workload for the attacker becuase they will not know which of their attacks is going to work. It enables tracking of attack attempts in order to respond in time.
If enough people use it is will (supposedly) become easier to detect and twhart all but the most sophisticated of attacks.
Requires a widespread usage of the tool = port 365: indicates wheter the machine is running a deception defense or not, therefore it is likely that attackers will look their first and their attack will then be immediately noticed.
What are three aspects of a CSIRT mission?
- Publication: publish policies and procedures to inform its constituency of what it can do. Communication plan.
- Collaboration: collaborate with other CSIRT in gathering and disseminating information and responding to attacks.
- Secure communication: Ensuring it’s communicating with the correct recipients and not some impersonator.
