MODULE 24 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards
Syslog and NTP
Various protocols that commonly appear on networks have features that make them of special interest in security monitoring.
For example, syslog and Network Time Protocol (NTP) are essential to the work of the cybersecurity analyst.
The syslog standard is used for logging event messages from network devices and endpoints, as shown in the figure https://snipboard.io/cuZAPX.jpg.
The standard allows for a system-neutral means of transmitting, storing, and analyzing messages.
Many types of devices from many different vendors can use syslog to send log entries to central servers that run a syslog daemon.
This centralization of log collection helps to make security monitoring practical. Servers that run syslog typically listen on UDP port 514.
Because syslog is so important to security monitoring, syslog servers may be a target for threat actors.
Some exploits, such as those involving data exfiltration, can take a long time to complete due to the very slow ways in which data is secretly stolen from the network.
Some attackers may try to hide the fact that exfiltration is occurring.
They attack syslog servers that contain the information that could lead to detection of the exploit.
Hackers may attempt to block the transfer of data from syslog clients to servers, tamper with or destroy log data, or tamper with the software that creates and transmits log messages.
The next generation (ng) syslog implementation, known as syslog-ng, offers enhancements that can help prevent some of the exploits that target syslog.
NTP - Network Time Protocol
Syslog messages are usually timestamped.
This allows messages from different sources to be organized by time to provide a view of network communication processes.
Because the messages can come from many devices, it is important that the devices share a consistent time clock. One way that this can be achieved is for the devices to use Network Time Protocol (NTP).
NTP uses a hierarchy of authoritative time sources to share time information between devices on the network, as shown in the figure.
In this way, device messages that share consistent time information can be submitted to the syslog server. NTP operates on UDP port 123.
Because events that are connected to an exploit can leave traces across every network device on their path to the target system, timestamps are essential for detection.
Threat actors may attempt to attack the NTP infrastructure in order to corrupt time information used to correlate logged network events.
This can serve to obfuscate traces of ongoing exploits.
In addition, threat actors have been known to use NTP systems to direct DDoS attacks through vulnerabilities in client or server software.
While these attacks do not necessarily result in corrupted security monitoring data, they can disrupt network availability.
https://snipboard.io/RklCav.jpg
DNS - DOMAIN NAME SERVICE
Domain Name Service (DNS) is used by millions of people daily.
Because of this, many organizations have less stringent policies in place to protect against DNS-based threats than they have to protect against other types of exploits.
Attackers have recognized this and commonly encapsulate different network protocols within DNS to evade security devices.
DNS is now used by many types of malware.
Some varieties of malware use DNS to communicate with command-and-control (CnC) servers and to exfiltrate data in traffic disguised as normal DNS queries.
Various types of encoding, such as Base64, 8-bit binary, and Hex can be used to camouflage the data and evade basic data loss prevention (DLP) measures.
For example, malware could encode stolen data as the subdomain portion of a DNS lookup for a domain where the nameserver is under control of an attacker.
A DNS lookup for ‘long-string-of-exfiltrated-data.example.com’ would be forwarded to the nameserver of example.com, which would record ‘long-string-of-exfiltrated-data’ and reply back to the malware with a coded response.
This use of the DNS subdomain is shown in the figure.
The exfiltrated data is the encoded text shown in the box.
The threat actor collects this encoded data, decodes and combines it, and now has access to an entire data file, such as a username/password database.
It is likely that the subdomain part of such requests would be much longer than usual requests.
Cyber analysts can use the distribution of the lengths of subdomains within DNS requests to construct a mathematical model that describes normality.
They can then use this to compare their observations and identify an abuse of the DNS query process.
For example, it would not be normal to see a host on your network sending a query to aW4gcGxhY2UgdG8gcHJvdGVjdC.example.com.
DNS queries for randomly generated domain names, or extremely long random-appearing subdomains, should be considered suspicious, especially if their occurrence spikes dramatically on the network.
DNS proxy logs can be analyzed to detect these conditions.
Alternatively, services such as the Cisco Umbrella passive DNS service can be used to block requests to suspected CnC and exploit domains.
DNS Exfiltration:
https://snipboard.io/QJ0L2I.jpg
HTTP and HTTPS
Hypertext Transfer Protocol (HTTP) is the backbone protocol of the World Wide Web.
However, all information carried in HTTP is transmitted in plaintext from the source computer to the destination on the internet.
HTTP does not protect data from alteration or interception by malicious parties, which is a serious threat to privacy, identity, and information security.
All browsing activity should be considered to be at risk.
A common exploit of HTTP is called iFrame (inline frame) injection.
Most web-based threats consist of malware scripts that have been planted on webservers.
These webservers then direct browsers to infected servers by loading iframes.
In iFrame injection, a threat actor compromises a webserver and plants malicious code which creates an invisible iFrame on a commonly visited webpage.
When the iFrame loads, malware is downloaded, frequently from a different URL than the webpage that contains the iFrame code.
Network security services, such as Cisco Web Reputation filtering, can detect when a website attempts to send content from an untrusted website to the host, even when sent from an iFrame, as shown in the figure.
HTTP iFrame Injection Exploit
https://snipboard.io/l0YQPu.jpg
To address the alteration or interception of confidential data, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services.
HTTPS adds a layer of encryption to the HTTP protocol by using Secure Sockets Layer (SSL), as shown in the figure.
This makes the HTTP data unreadable as it leaves the source computer until it reaches the server.
Note that HTTPS is not a mechanism for web server security.
It only secures HTTP protocol traffic while it is in transit.
HTTPS Protocol Diagram
https://snipboard.io/U2LS0n.jpg
Unfortunately, the encrypted HTTPS traffic complicates network security monitoring.
Some security devices include SSL decryption and inspection; however, this can present processing and privacy issues.
In addition, HTTPS adds complexity to packet captures due to the additional messaging involved in establishing the encrypted connection.
This process is summarized in the figure and represents additional overhead on top of HTTP.
HTTPS Transactions
https://snipboard.io/aNlyJY.jpg
Email Protocols
Email protocols such as SMTP, POP3, and IMAP can be used by threat actors to spread malware, exfiltrate data, or provide channels to malware CnC servers, as shown in the figure.
https://snipboard.io/m82QnS.jpg
SMTP sends data from a host to a mail server and between mail servers.
Like DNS and HTTP, it is a common protocol to see leaving the network.
Because there is so much SMTP traffic, it is not always monitored. However, SMTP has been used in the past by malware to exfiltrate data from the network.
In the 2014 hack of Sony Pictures, one of the exploits used SMTP to exfiltrate user details from compromised hosts to CnC servers.
This information may have been used to help develop exploits of secured resources within the Sony Pictures network.
Security monitoring could reveal this type of traffic based on features of the email message.
IMAP and POP3 are used to download email messages from a mail server to the host computer.
For this reason, they are the application protocols that are responsible for bringing malware to the host.
Security monitoring can identify when a malware attachment entered the network and which host it first infected.
Retrospective analysis can then track the behavior of the malware from that point forward.
In this way, the malware behavior can better be understood and the threat identified.
Security monitoring tools may also allow recovery of infected file attachments for submission to malware sandboxes for analysis.
Email Protocol Threats
https://snipboard.io/lH1uE4.jpg
ICMP
ICMP has many legitimate uses; however, ICMP functionality has also been used to craft a number of types of exploits.
ICMP can be used to identify hosts on a network, the structure of a network, and determine the operating systems at use on the network.
It can also be used as a vehicle for various types of DoS attacks.
ICMP can also be used for data exfiltration.
Because of the concern that ICMP can be used to surveil or deny service from outside of the network, ICMP traffic from inside the network is sometimes overlooked.
However, some varieties of malware use crafted ICMP packets to transfer files from infected hosts to threat actors using this method, which is known as ICMP tunneling.
Security Technologies
ACLs – Access Control Lists (ACLs)
Many technologies and protocols can have impacts on security monitoring.
Access Control Lists (ACLs) are among these technologies. ACLs can give a false sense of security if they are overly relied upon.
ACLs, and packet filtering in general, are technologies that contribute to an evolving set of network security protections.
The figure illustrates the use of ACLs to permit only specific types of Internet Control Message Protocol (ICMP) traffic:
https://snipboard.io/t0HGos.jpg
The server at 192.168.1.10 is part of the inside network and is allowed to send ping requests to the outside host at 209.165.201.3.
The outside host’s return ICMP traffic is allowed if it is an ICMP reply, source quench (tells the source to reduce the pace of traffic), or any ICMP unreachable message.
All other ICMP traffic types are denied. For example, the outside host cannot initiate a ping request to the inside host.
The outbound ACL is allowing ICMP messages that report various problems. This will allow ICMP tunneling and data exfiltration.
Attackers can determine which IP addresses, protocols, and ports are allowed by ACLs.
This can be done either by port scanning, penetration testing, or through other forms of reconnaissance.
Attackers can craft packets that use spoofed source IP addresses.
Applications can establish connections on arbitrary ports.
Other features of protocol traffic can also be manipulated, such as the established flag in TCP segments.
Rules cannot be anticipated and configured for all emerging packet manipulation techniques.
In order to detect and react to packet manipulation, more sophisticated behavior and context-based measures need to be taken.
Cisco Next Generation firewalls, Advanced Malware Protection (AMP), and email and web content appliances are able to address the shortcomings of rule-based security measures.
Mitigating ICMP Abuse:
https://snipboard.io/t0HGos.jpg
NAT and PAT
Network Address Translation (NAT) and Port Address Translation (PAT) can complicate security monitoring.
Multiple IP addresses are mapped to one or more public addresses that are visible on the internet, hiding the individual IP addresses that are inside the network (inside addresses).
The figure illustrates the relationship between internal and external addresses that are used as source addresses (SA) and destination addresses (DA):
https://snipboard.io/jYDF6V.jpg
These internal and external addresses are in a network that is using NAT to communicate with a destination on the internet.
If PAT is in effect, and all IP addresses leaving the network use the 209.165.200.226 inside global address for traffic to the internet, it could be difficult to log the specific inside device that is requesting and receiving the traffic when it enters the network.
This problem can be especially relevant with NetFlow data.
NetFlow flows are unidirectional and are defined by the addresses and ports that they share. NAT will essentially break a flow that passes a NAT gateway, making flow information beyond that point unavailable.
Cisco offers security products that will “stitch” flows together even if the IP addresses have been replaced by NAT.
Network Address Translation:
https://snipboard.io/jYDF6V.jpg
Encryption, Encapsulation, and Tunneling
As mentioned with HTTPS, encryption can present challenges to security monitoring by making packet details unreadable.
Encryption is part of VPN technologies.
In VPNs, a commonplace protocol like IP, is used to carry encrypted traffic.
The encrypted traffic essentially establishes a virtual point-to-point connection between networks over public facilities.
Encryption makes the traffic unreadable to any other devices but the VPN endpoints.
A similar technology can be used to create a virtual point-to-point connection between an internal host and threat actor devices.
Malware can establish an encrypted tunnel that rides on a common and trusted protocol, and use it to exfiltrate data from the network.
A similar method of data exfiltration was discussed previously for DNS.
Peer-to-Peer Networking and Tor
In peer-to-peer (P2P) networking, shown in the figure https://snipboard.io/jYDF6V.jpg, hosts can operate in both client and server roles.
Three types of P2P applications exist: file sharing, processor sharing, and instant messaging.
In file sharing P2P, files on a participating machine are shared with members of the P2P network.
Examples of this are the once popular Napster and Gnutella.
Bitcoin is a P2P operation that involves the sharing of a distributed database, or ledger, that records Bitcoin balances and transactions.
BitTorrent is a P2P file sharing network.
Any time that unknown users are provided access to network resources, security is a concern. File-sharing P2P applications should not be allowed on corporate networks.
P2P network activity can circumvent firewall protections and is a common vector for the spread of malware.
P2P is inherently dynamic. It can operate by connecting to numerous destination IP addresses, and it can also use dynamic port numbering.
Shared files are often infected with malware, and threat actors can position their malware on P2P clients for distribution to other users.
Processor sharing P2P networks donate processor cycles to distributed computational tasks.
Projects such as cancer research, the search for extraterrestrial intelligence, and other scientific research use donated processor cycles to distribute computational tasks.
Instant messaging (IM) is also considered to be a P2P application.
IM has legitimate value within organizations that have geographically distributed project teams.
In this case, specialized IM applications are available, such as the Webex Teams platform, which are more secure than IM that uses public servers.
https://snipboard.io/WUPXYF.jpg
Tor is a software platform and network of P2P hosts that function as internet routers on the Tor network.
The Tor network allows users to browse the internet anonymously.
Users access the Tor network by using a special browser.
When a browsing session is begun, the browser constructs a layered end-to-end path across the Tor server network that is encrypted, as shown in the figure.
Each encrypted layer is “peeled away” like the layers of an onion (hence “onion routing”) as the traffic traverses a Tor relay.
The layers contain encrypted next-hop information that can only be read by the router that needs to read the information.
In this way, no single device knows the entire path to the destination, and routing information is readable only by the device that requires it.
Finally, at the end of the Tor path, the traffic reaches its internet destination.
When traffic is returned to the source, an encrypted layered path is again constructed.
Tor presents a number of challenges to cybersecurity analysts. First, Tor is widely used by criminal organizations on the “dark net.” In addition, Tor has been used as a communications channel for malware CnC.
Because the destination IP address of Tor traffic is obfuscated by encryption, with only the next-hop Tor node known, Tor traffic avoids blacklists that have been configured on security devices.
Tor Operation
https://snipboard.io/ZnAvNC.jpg
Load Balancing
Load balancing involves the distribution of traffic between devices or network paths to prevent overwhelming network resources with too much traffic.
If redundant resources exist, a load balancing algorithm or device will work to distribute traffic between those resources, as shown in the figure.
https://snipboard.io/ynObzW.jpg
One way this is done on the internet is through various techniques that use DNS to send traffic to resources that have the same domain name but multiple IP addresses.
In some cases, the distribution may be to servers that are distributed geographically.
This can result in a single internet transaction being represented by multiple IP addresses on the incoming packets.
This may cause suspicious features to appear in packet captures. In addition, some load balancing manager (LBM) devices use probes to test for the performance of different paths and the health of different devices.
For example, an LBM may send probes to the different servers that it is load balancing traffic to in order to detect that the servers are operating.
This is done to avoid sending traffic to a resource that is not available.
These probes can appear to be suspicious traffic if the cybersecurity analyst is not aware that this traffic is part of the operation of the LBM.
Load Balancing with DNS Delegation
https://snipboard.io/ynObzW.jpg
Network and Server Profiling
Network Profiling
In order to detect serious security incidents, it is important to understand, characterize, and analyze information about normal network functioning.
Networks, servers, and hosts all exhibit typical behavior for a given point in time.
Network and device profiling can provide a statistical baseline that serves as a reference point.
Unexplained deviations from the baseline may indicate a compromise.
Care must be taken when capturing baseline data so that all normal network operations are included in the baseline. In addition, it is important that the baseline is current.
It should not include network performance data that is no longer part of normal functioning.
For example, rises in network utilization during periodic server backup operations are part of normal network functioning and should be part of the baseline data.
However, measurement of traffic that corresponds to outside access to an internal server that has been moved to the cloud would not be.
A means of capturing just the right period for baseline measurement is known as sliding window anomaly detection. It defines a window that is most representative of network operation and deletes data that is out of date.
This process continues with repeated baseline measurements to ensure that baseline measurement statistics depict network operation with maximum accuracy.
Increased utilization of WAN links at unusual times can indicate a network breach and exfiltration of data.
Hosts that begin to access obscure internet servers, resolve domains that are obtained through dynamic DNS, or use protocols or services that are not needed by the system user can also indicate compromise.
Deviations in network behavior are difficult to detect if normal behavior is not known.
Tools like NetFlow and Wireshark can be used to characterize normal network traffic.
Because organizations can make different demands on their networks depending on the time of day or day of the year, network baselining should be carried out over an extended period.
The figure displays some questions to ask when establishing a network baseline.
Elements of a Network Profile
https://snipboard.io/FKCZeE.jpg
The table lists important elements of the network profile.
https://snipboard.io/kTY1jA.jpg
In addition, a profile of the types of traffic that typically enter and leave the network is an important tool in understanding network behavior.
Malware can use unusual ports that may not be typically seen during normal network operation.
Host-to-host traffic is another important metric.
Most network clients communicate directly with servers, so an increase of traffic between clients can indicate that malware is spreading laterally through the network.
Finally, changes in user behavior, as revealed by AAA, server logs, or a user profiling system like Cisco Identity Services Engine (ISE), are another valuable indicator.
Knowing how individual users typically use the network leads to detection of potential compromise of user accounts.
A user who suddenly begins logging in to the network at strange times from a remote location should raise alarms if this behavior is a deviation from a known norm.
Server Profiling
Server profiling is used to establish the accepted operating state of servers.
A server profile is a security baseline for a given server.
It establishes the network, user, and application parameters that are accepted for a specific server.
In order to establish a server profile, it is important to understand the function that a server is intended to perform in a network.
From there, various operating and usage parameters can be defined and documented.
The table lists elements of a server profile.
https://snipboard.io/m3VYIa.jpg
Network Anomaly Detection
Network behavior is described by a large amount of diverse data such as the features of packet flow, features of the packets themselves, and telemetry from multiple sources.
One approach to detection of network attacks is the analysis of this diverse, unstructured data using Big Data analytics techniques.
This is known as network behavior analysis (NBA).
This entails the use of sophisticated statistical and machine learning techniques to compare normal performance baselines with network performance at a given time.
Significant deviations can be indicators of compromise.
In addition, network behavior can be analyzed for known network behaviors that indicate compromise.
Anomaly detection can recognize network traffic caused by worm activity that exhibits scanning behavior.
Anomaly detection also can identify infected hosts on the network that are scanning for other vulnerable hosts.
The figure illustrates a simplified version of an algorithm designed to detect an unusual condition at the border routers of an enterprise.
https://snipboard.io/ZIMS0T.jpg
For example, the cybersecurity analyst could provide the following values:
X = 5
Y = 100
Z = 30
N = 500
Now, the algorithm can be interpreted as: Every 5th minute, get a sampling of 1/100th of the flows during second 30.
If the number of flows is greater than 500, generate an alarm. If the number of flows is less than 500, do nothing.
This is a simple example of using a traffic profile to identify the potential for data loss.
In addition to statistical and behavioral approaches to anomaly detection is rule-based anomaly detection.
Rule-based detection analyzes decoded packets for attacks based on pre-defined patterns.