Evading IDS, Firewalls, and Honeypots Flashcards
What is Signature Recognition?
Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network resource by matching traffic or activity against a database of known attack patterns (signatures). It can only detect attacks for which a signature exists, so novel or modified attacks are missed until a signature is written for them
What is Protocol Anomaly Detection?
In this type of detection, models are built of how the TCP/IP protocols should behave according to their specifications, and traffic that departs from them (illegal flag combinations, malformed headers, out-of-range field values) is flagged. It also exposes differences in the way individual vendors implement the TCP/IP specification
What is Anomaly Detection?
Anomaly detection builds a baseline of the normal behavioral characteristics of the users and components in a computer system and reports an intrusion when observed behavior deviates significantly from that baseline. It can catch attacks with no known signature, at the cost of false positives whenever legitimate behavior changes
What is a Bastion Host?
The bastion host is designed for defending the network against attacks. It is a hardened computer system, exposed to the outside network and configured with only the services it needs, that acts as a mediator between the inside and outside networks and protects internal resources from attacks. Traffic entering or leaving the network passes through it, so it is typically placed at the firewall or in a DMZ and is expected to be attacked
What is a malware honeypot?
Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, vulnerable SMBv1 protocols, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities
What is a honeynet?
Honeynets are networks of honeypots. They are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit the network are recorded, and this information is very effective in determining the complete capabilities of the adversary
What is a spider honeypot?
Spider honeypots are also called spider traps. These honeypots are specifically designed to trap web crawlers and spiders. Many threat actors perform web crawling and spidering to extract important information from web applications. Such crucial information includes URLs, contact details, directory details, etc
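The following is an added worked example of the spider-trap mechanism described above; it is not code from the page or from any product. The trap path prefix, the request-log format and the flagging threshold are assumptions made for illustration.

```python
"""Spider trap (spider honeypot) logic.

Constructed example, not code from any product. TRAP_PREFIX, the
'ip method path' log format and FLAG_THRESHOLD are assumptions.
"""
import hashlib
import re
from collections import Counter
from typing import Dict, List

TRAP_PREFIX = "/archive/"   # hypothetical path subtree that only the trap generates
FLAG_THRESHOLD = 5          # trap hits before a client is flagged as a crawler


def robots_txt() -> str:
    """Well-behaved crawlers honour this, so only clients that ignore
    robots.txt (or harvest links without reading it) ever enter the trap."""
    return f"User-agent: *\nDisallow: {TRAP_PREFIX}\n"


def trap_page(path: str, fanout: int = 3) -> str:
    """Serve a page under the trap that links only to deeper trap pages.

    Child URLs are derived from a hash of the current path, so the maze is
    unbounded yet deterministic: revisiting a URL yields the same links."""
    digest = hashlib.sha256(path.encode()).hexdigest()
    children = [f"{TRAP_PREFIX}{digest[i * 8:(i + 1) * 8]}/" for i in range(fanout)]
    links = "\n".join(f'<a href="{c}">{c}</a>' for c in children)
    return f"<html><body>\n{links}\n</body></html>\n"


def extract_links(html: str) -> List[str]:
    """Pull href targets out of a served trap page (what a crawler would follow)."""
    return re.findall(r'href="([^"]+)"', html)


def flag_crawlers(log_lines: List[str]) -> Dict[str, int]:
    """Count trap hits per client from 'ip method path' log lines and
    return the clients at or above FLAG_THRESHOLD."""
    hits: Counter = Counter()
    for line in log_lines:
        ip, _method, path = line.split()[:3]
        if path.startswith(TRAP_PREFIX):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= FLAG_THRESHOLD}


# Constructed log: a real user browsing normally, and an aggressive crawler
# that ignored robots.txt and followed the trap links.
SAMPLE_LOG = (
    ["198.51.100.4 GET /index.html", "198.51.100.4 GET /contact.html"]
    + [f"203.0.113.77 GET {TRAP_PREFIX}{i:08x}/" for i in range(12)]
)

if __name__ == "__main__":
    print(flag_crawlers(SAMPLE_LOG))
```

In a deployment the entry link into the trap is placed on an ordinary page but hidden from human visitors (for example with CSS), so a human never follows it while a link-harvesting crawler does; the disallow line in robots.txt keeps cooperative search engines out, which is what makes a hit on the trap a useful signal.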
What is a spam honeypot?
Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept mail from any source on the Internet, so that relay attempts can be recorded rather than delivered
What is a packet-filter (stateless) firewall?
A packet filtering firewall inspects each individual packet passing through it in isolation and decides whether to pass the packet or drop it. It works at the Internet Protocol (IP) layer of the TCP/IP model (network layer of the OSI model), reading header fields such as source and destination address, protocol, and the TCP/UDP port numbers, and determining which way each packet needs to be directed. Because it is stateless it keeps no record of existing connections: it cannot tell a legitimate reply from a new connection attempt that merely uses the same header values, so rules that admit return traffic must be broader than a stateful firewall would need
Which of the following descriptions is true about a static NAT?
A static NAT uses a one-to-one mapping.
A static NAT uses a many-to-one mapping.
A static NAT uses a one-to-many mapping.
A static NAT uses a many-to-many mapping.
A static NAT uses a one-to-one mapping
At which two traffic layers do most commercial IDSes generate signatures? (Select Two)
Session layer
Application layer
Network layer
Transport layer
Network and Transport layers (easiest layers to filter)
Which of the following attributes in a packet can be used to check whether the packet originated from an unreliable zone?
TCP flag bits
Interface
Direction
Source IP address
Interface
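The following is an added example, not code from the page or from any vendor's firewall, tying together the packet-filter flashcard and the ingress-interface question above. It models a stateless filter that decides from header fields alone, with an interface-based anti-spoofing check in front of the rule list; the addresses, interface names and policy are constructed for illustration.

```python
"""Stateless packet filter: header-only decisions plus an ingress-interface check.

Constructed example, not any vendor's firewall code. INSIDE_NET, the
interface names and the rules in POLICY are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INSIDE_NET = ip_network("10.0.0.0/8")   # assumed trusted zone behind the filter


@dataclass
class Packet:
    iface: str           # ingress interface: "outside" or "inside"
    proto: str           # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"ACK"}


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    iface: str                  # "any" or an interface name
    proto: str                  # "any" or a protocol
    src: str                    # "any" or a CIDR
    sport: Optional[int]        # None = any
    dst: str
    dport: Optional[int]
    established: bool = False   # require ACK or RST, i.e. not a new connection


def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule constrains must match the packet header."""
    if rule.iface != "any" and rule.iface != pkt.iface:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def decide(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied.

    Before the rule list is consulted, a packet whose source address claims
    to be inside the trusted network but that arrived on the outside
    interface is rejected: the ingress interface, not the spoofable source
    address, tells the filter which zone the packet really came from.
    """
    if pkt.iface == "outside" and ip_address(pkt.src) in INSIDE_NET:
        return "deny", "anti-spoofing: internal source on outside interface"
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {n}"
    return "deny", "implicit deny"


# Constructed policy: inbound web to one server, outbound HTTPS, and its return traffic.
POLICY = [
    Rule("permit", "outside", "tcp", "any", None, "10.0.0.80/32", 80),
    Rule("permit", "inside", "tcp", "10.0.0.0/8", None, "any", 443),
    # Return traffic for outbound HTTPS. Without established=True this rule
    # would also admit any new connection whose attacker-chosen source port is 443.
    Rule("permit", "outside", "tcp", "any", 443, "10.0.0.0/8", None, established=True),
]

if __name__ == "__main__":
    probe = Packet("outside", "tcp", "203.0.113.9", 443, "10.0.0.5", 3389, frozenset({"SYN"}))
    print(decide(probe, POLICY))
```

The `established` check on the return-traffic rule stops a SYN scan that sets its source port to 443 to slip through, but the filter is still stateless: an ACK probe from source port 443 to an internal host is permitted by the same rule, because nothing records that no connection was ever opened. Closing that gap is exactly what stateful inspection adds.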
A circuit-level gateway works at which of the following layers of the OSI model?
Layer 5 – Session
Layer 4 – Transport
Layer 2 – Data Link
Layer 3 – Network
Layer 5 - Session
What is discretionary access control?
In discretionary access control (DAC), the owner of the object specifies which subjects can access the object. This model is called discretionary because the control of access is based on the discretion of the owner.
Most general-purpose operating systems, including Windows, Linux, macOS, and most flavors of Unix, are based on the DAC model by default.
In these operating systems, when you create a file, you decide what access privileges you want to give to other users; when they access your file, the operating system will make the access control decision based on the access privileges you created
What is mandatory access control?
In mandatory access control (MAC), the system (and not the users) specifies which subjects can access specific data objects.
The MAC model is based on security labels. Subjects are given a security clearance (secret, top secret, confidential, etc.), and data objects are given a security classification (secret, top secret, confidential, etc.). The clearance and classification data are stored in the security labels, which are bound to the specific subjects and objects.
When the system is making an access control decision, it tries to match the clearance of the subject with the classification of the object. For example, if a user has a security clearance of secret, and he requests a data object with a security classification of top secret, then the user will be denied access because his clearance is lower than the classification of the object.
The MAC model is usually used in environments where confidentiality is of utmost importance, such as a military institution.
Examples of MAC-based systems are SELinux (open source) and Trusted Solaris (commercial)
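The following is an added example that puts the DAC and MAC flashcards above side by side; it is not the access-control code of any operating system. User names, file names and labels are invented, and the MAC part goes one step beyond the flashcard's read rule by also showing the Bell-LaPadula "no write down" rule, which the page does not mention.

```python
"""DAC and MAC access decisions side by side.

Constructed example; not the access-control code of any operating system.
Users, objects and labels are invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# ---- DAC: the object's owner decides who may access it ----


@dataclass
class DacObject:
    name: str
    owner: str
    # user -> permissions the owner has granted, e.g. {"read", "write"}
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def dac_grant(obj: DacObject, actor: str, user: str, perms: Set[str]) -> None:
    """Only the owner may change the ACL; that discretion is what makes it DAC."""
    if actor != obj.owner:
        raise PermissionError(f"{actor} does not own {obj.name}")
    obj.acl.setdefault(user, set()).update(perms)


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())


# ---- MAC: the system decides from security labels; users cannot change them ----

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_read_allowed(clearance: str, classification: str) -> bool:
    """No read up: the subject's clearance must be at least the object's classification."""
    return LEVELS[clearance] >= LEVELS[classification]


def mac_write_allowed(clearance: str, classification: str) -> bool:
    """No write down (Bell-LaPadula *-property): a subject may not write to an
    object classified lower than its own clearance, which could leak data downward."""
    return LEVELS[clearance] <= LEVELS[classification]


# ---- A system enforcing both: the owner's DAC grant cannot override the MAC label ----


@dataclass
class LabeledObject(DacObject):
    classification: str = "unclassified"


def can_read(obj: LabeledObject, user: str, clearance: Dict[str, str]) -> bool:
    """Both checks must pass: the label comparison and the owner's ACL."""
    return (mac_read_allowed(clearance[user], obj.classification)
            and dac_allowed(obj, user, "read"))


# Constructed scenario from the flashcard: a secret-cleared user requests a
# top secret object and is denied even though its owner granted him access.
CLEARANCE = {"alice": "top secret", "bob": "secret"}
PLAN = LabeledObject("plan.doc", owner="alice", classification="top secret")
dac_grant(PLAN, actor="alice", user="bob", perms={"read"})

if __name__ == "__main__":
    print("bob can read plan.doc:", can_read(PLAN, "bob", CLEARANCE))
```

The point of the combined check is the last scenario: under DAC alone alice's grant would let bob read the file, but the system-assigned labels are compared first and bob's clearance does not dominate the object's classification, so the owner's discretion never comes into play.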
What is Snort (software)?
Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts
What is Suricata (software)?
Suricata is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing
What is KFSensor (software)?
KFSensor is a host-based IDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone
What is zIPS (software)?
Zimperium’s zIPS™ is a mobile intrusion prevention system app that provides comprehensive protection for iOS and Android devices against mobile network, device, and application cyber-attacks
When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following:
Stops checking rules, sends an alert, and lets the packet continue
Continues to evaluate the packet until all rules are checked
Drops the packet and moves on to the next one
Blocks the connection with the source IP address in the packet
Continues to evaluate the packet until all rules are checked
Which of the following is not an action present in Snort IDS?
Alert
Pass
Log
Audit
Audit
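The following is an added example, not Snort's own code, covering the Snort flashcards above: it parses rules in Snort's "action proto src sport -> dst dport (options)" form, rejects an unknown action such as audit, and evaluates every rule against a packet so that a matching alert rule does not stop the remaining rules from being checked. Only literal content matching is modelled (no hex content, no nocase), and the evaluation order with pass rules first follows the default rule order of Snort 2.x, which is an assumption of this simplified model.

```python
"""Simplified Snort-style rule parsing and evaluation.

Constructed example for illustration; it is not Snort's code. Literal
content matching only; evaluating pass rules before alert and log rules
follows Snort 2.x's default rule order and is an assumption of this model.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
ORDER = {a: i for i, a in enumerate(["pass", "drop", "sdrop", "reject", "alert", "log"])}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*)\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: Optional[bytes]
    sid: int


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    if m["action"] not in ACTIONS:
        # "audit", for example, is not a Snort rule action
        raise ValueError(f"unknown action {m['action']!r}")
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m["opts"])}
    content = opts["content"].encode() if "content" in opts else None
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), content, int(opts.get("sid", 0)))


def _field_ok(pattern: str, value) -> bool:
    return pattern == "any" or pattern == str(value)


def matches(rule: Rule, pkt: Dict) -> bool:
    """Header fields must match; content, if present, must occur in the payload."""
    if rule.proto != pkt["proto"]:
        return False
    if not (_field_ok(rule.src, pkt["src"]) and _field_ok(rule.sport, pkt["sport"])
            and _field_ok(rule.dst, pkt["dst"]) and _field_ok(rule.dport, pkt["dport"])):
        return False
    return rule.content is None or rule.content in pkt["payload"]


def evaluate(pkt: Dict, rules: List[Rule]) -> List[Tuple[str, int, str]]:
    """Return every (action, sid, msg) event the packet triggers.

    A matching alert or log rule does not end evaluation: the remaining rules
    are still checked, so one packet can raise several events. A matching
    pass rule, evaluated first, makes the packet ignored by all other rules.
    """
    events = []
    for rule in sorted(rules, key=lambda r: ORDER[r.action]):
        if not matches(rule, pkt):
            continue
        if rule.action == "pass":
            return []
        events.append((rule.action, rule.sid, rule.msg))
    return events


# Constructed rules and a constructed packet; the sids are in the local-rule range.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"SQLi probe"; content:"UNION SELECT"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"Comment injection"; content:"--"; sid:1000002;)',
    'log tcp any any -> any 80 (msg:"HTTP request"; sid:1000003;)',
]]
PROBE = {"proto": "tcp", "src": "203.0.113.5", "sport": 51514, "dst": "192.0.2.10",
         "dport": 80, "payload": b"GET /?id=1 UNION SELECT 1,2-- HTTP/1.1\r\n"}

if __name__ == "__main__":
    for event in evaluate(PROBE, RULES):
        print(event)
```

Running it shows three events for the one probe packet, two alerts and a log entry, which is the behaviour the flashcard describes; adding a pass rule for the probe's source address yields no events at all.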
What is NetPatch Firewall (software)?
NetPatch Firewall is a full-featured Android firewall that does not require root. It gives full control over the mobile device's network use: rules can be created based on app, IP address, domain name, and so on. The firewall is designed to reduce the device's network traffic and battery consumption, improve network security, and protect privacy.