ملخص التسلل PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document provides a summary of intrusion and its prevention in computer systems and networks. It discusses different types of intrusion detection and prevention systems (IDS and IPS), such as network-based and host-based systems, and the functions of Intrusion Prevention Systems (IPS). The document also covers packet filtering, stateful inspection, behavioral analysis, and throttling or blocking as techniques to prevent intrusion. Finally, it discusses deep packet inspection and its benefits and limitations.
Full Transcript
Ch1 What are IDS & IPS? are security mechanisms designed to safeguard computer systems and networks from unauthorized access, attacks, or malicious activities. Intrusion Detection Systems (IDS): IDS monitors and analyzes network or system activities for signs of malicious behavior or security policy...
Ch1 What are IDS & IPS? are security mechanisms designed to safeguard computer systems and networks from unauthorized access, attacks, or malicious activities. Intrusion Detection Systems (IDS): IDS monitors and analyzes network or system activities for signs of malicious behavior or security policy violations. Types of IDS: 1. Network-based IDS (NIDS) 2. Host-based IDS (HIDS) Network-based IDS (NIDS): Monitors network traffic in real-time to identify suspicious patterns or signatures indicative of malicious activity. Host-based IDS (HIDS): Monitors activities on individual computers or devices. Intrusion Prevention Systems (IPS): IPS, on the other hand, not only detects but also takes active measures to prevent detected intrusions or malicious activities. IPS functionalities include: 1. Packet Filtering 2. Stateful Inspection 3. Behavioral Analysis 4. Throttling or Blocking Packet Filtering: Analyzing packets in real-time and blocking those that match known attack signatures or patterns. Stateful Inspection: Examining the context of network packets to determine whether they are part of an established and legitimate connection or represent a potential threat. Behavioral Analysis: Monitoring for abnormal behavior and taking action if deviations from the normal baseline are detected. Throttling or Blocking: Limiting or blocking network traffic from specific sources or to specific destinations based on predefined security policies. Deep Packet Inspection (DPI) is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point. Deep packet inspection (DPI) is an advanced method of examining and managing network traffic. Deep packet inspection techniques: 1- Pattern or signature matching 2- The protocol anomaly method 3- Intrusion prevention system (IPS) Pattern or signature matching: A firewall with IDS capability analyzes each packet against a database of known network attacks. The protocol anomaly method used by firewalls with an IDS -- doesn't have the inherent weakness of the pattern/signature matching method because it doesn't simply allow all content that doesn't match the signature database. IPS solutions can block detected attacks in real time by preventing malicious packets from being delivered based on their contents. How does deep packet inspection work? Deep Packet Inspection (DPI) Removes the header information from a packet to inspect the actual contents of the packet. The benefits of deep packet inspection: DPI is an important network security tool DPI provides additional options for managing network traffic flows DPI uses: Network management Network security “Lawful intercept” Statistical data for network planning What are limitations of deep packet inspection? It can create new vulnerabilities in the network, even as it provides protection against existing vulnerabilities. Elements of Perimeter Defense: Border Routers Firewalls Intrusion detection system Intrusion Prevention Systems What is a Firewall? Device that provides secure connectivity between networks (internal/external; varying levels of trust). Firewall Used to implement and enforce a security policy for communication between networks. Firewall vs IDS vs IPS Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event. Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected. Ch2 log is a comprehensive file that captures activity within the operating system, software applications or devices. Log aggregation is the process of collecting, standardizing, and consolidating log data from across an IT environment in order to facilitate streamlined log analysis. Log aggregation is the practice of centralizing log files using special software so that they can be processed into structured data, enriched, searched and eventually. Without log aggregation, developers would have to manually organize, prepare, and search through log data from numerous sources in order to extract useful information from it. Why log aggregation is important? Search, filter, and group logs Troubleshoot in response to production incidents Perform real-time monitoring Log analysis is the process of reviewing computer-generated event logs to proactively identify bugs, security threats or other risks. How does Log Analysis Work? they're usually saved in a file or database, or in a specialized application called a log collector. Log Analysis Methods: 1- Artificial Intelligence 2- Correlation 3- Normalization What is Cross Log Comparison and Analysis? Cross log comparison and analysis is the process of comparing and analyzing log files from different sources. steps for performing log file analysis: 1- Data Collection. A central database collects data from hardware and software probes. 2- Data Indexing. Data from all sources are centralized and indexed to improve searchability, allowing IT professionals to find problems or patterns more quickly. 3- Analysis Normalization, pattern recognition, correlation, and tagging are all log analysis techniques that can be conducted either automatically or manually, depending on the situation. 4- Monitoring When anomalies are found, a real-time, self-contained log analysis platform can send out notifications. Most continuous monitoring of the entire IT stack relies on this form of automated log analysis. 5- Reports A log analysis platform includes both traditional reports and dashboards, which provide at-a glance or historical views of metrics for operations, development, and management stakeholders. Log Analysis Methods: 1- Correlation 2- Pattern Recognition 3- Structured 4- Tagging and Classification Correlation Analysts can aggregate logs from different sources to help decode an event that isn't observable in a single log. Pattern Recognition Modern machine learning (ML) technologies may be used to find patterns in log data that may indicate abnormalities. Structured to provide the most value, all log data should be stored in a central location and formatted in a way that both humans and machines can interpret it. Tagging and Classification filters can be used to data that has been tagged with keywords and classified by type, which can speed up the discovery of important information. Cross Log Comparison and Analysis: 1- Cross Log Analysis Cross log analysis compares logs from different systems to identify correlations and detect potential security threats. 2- Compare User Activity By analyzing logs from different infrastructure components, organizations can detect if a user is trying to access a restricted resource and if the user's activity is providing a valuable insight into any potential security incidents. The Importance of Log File Analysis: 1- Threat Detection and Enhanced cybersecurity 2- Compliance 3- Investigation and Incident Response Challenges and Limitations in Log Analysis: 1- Data Overload 2- Log Quality 3- Log Retention Advantages of log file analysis: Automatic logging of crawlers No JavaScript or cookies required Simple preparation Disadvantages of log file analysis: Caching and proxies Regular updates necessary Additional storage effort Ch3 IDS Analysis Techniques: Misuse-based (signature-based) detection What is bad, is known What is not bad, is good Anomaly-based detection What is usual, is known What is unusual, is bad Specification-based detection What is good, is known What is not good, is bad Misuse detectors analyze system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. Techniques for Misuse-based detection Determines whether a sequence of instructions being executed is known to violate the site security policy. Advantage of Misuse-based detection: very effective at detecting attacks without generating an overwhelming number of false alarms. Disadvantage of Misuse-based detection: only detect those attacks they know about. Anomaly detectors identify abnormal unusual behavior (anomalies) on a host or network. Anomaly Detection an IDS which builds a model of “normal” system behavior, and alerts when a deviation from the model is detected Advantages of anomaly detection: detect unusual behavior without specific knowledge of details. Disadvantage of anomaly detection: produce a large number of false alarms. Techniques for Anomaly Detection: analyzes a set of characteristics of system and compares their values with expected values; report when computed statistics do not match expected statistics. Specification based detection they distinguished between normal and intrusive behaviors by monitoring the traces of system calls of the target processes. Specification-based detection determines whether execution of sequence of instructions violates specification. Misuse-based Detection Anomaly-based Detection Specification-based Detection Targets known attack Focuses on identifying Checks for compliance patterns or signatures deviations from normal with predefined specifications behavior Effective against known Flexible and adaptive to Highly accurate but attacks but may miss new threats requires clear unknown ones specifications Ch4 Host-based IDS (HIDS): Monitors activities on individual computers or devices. حسب خبرتي بيجي اختياري او صح وخطأ Host-based IDPS (HIDPS) Resides on a particular computer or server (host) and monitors activity only on that system. Benchmarks and monitors the status of key system files and detects when intruder creates, modifies, or deletes files. Most HIDPSs work on the principle of configuration or change management. Deploying host-based IDPSs: Proper implementation of HIDPSs can be a painstaking and time-consuming task. Deployment begins with implementing most critical systems first. Installation continues until either all systems are installed, or the organization reaches planned degree of coverage it will accept. Host-Based Agents: 1- Obtain information from logs May use many logs as sources. May be security-related or not. May use virtual logs if agent is part of the kernel. 2- Agent generates its information Analyzes state of system. Treats results of analysis as log data. Components of HIDP Systems: Data collectors that collect data from hosts. Data storage the data is usually aggregated and stored in a central location. Analytics engine uses an analytics engine to process and evaluate the various data sources that it collects. What Are the Specific Functions of HIDS? 1. Logging 2. Alerting 3. Analysis Types of Host-Based Intrusion Detection Systems (IDS) 1- An agent-based HIDS An agent-based HIDS relies on software agents that are installed on each host to collect information from the host. 2- Agentless HIDS Information from hosts is collected without relying on agents. HIDS provides one layer of defense against security threats. Advantages of Host-Based IDS: HIDS can monitor specific activities, which provide more detail than network-based systems Disadvantages of Host-Based IDS: HIDS are more challenging to manage than similar-sized NIDS setups. Policy Development for HIDP 1. Data Collection and Monitoring Policies 2. Alert Levels and Incident Response Policies 3. Configuration Management Policies Ch5 Network Intrusion Detection System (NIDS): are set up at a planned point within the network to examine traffic from all devices on the network. Host-Based IDS Network-Based IDS Source of data Logs of operating system or application Network traffic programs Deployment Every host; Dependent on operating Key network nodes; Easy to deploy systems; Difficult to deploy Detection efficiency Low, must process numerous logs High, can detect attacks in real time Intrusion traceability Trace the process of intrusion according Trace position and time of intrusion to system call paths according to IP addresses and timestamps Limitation Cannot analyze network behaviors Monitor only the traffic passing through a specific network segment How Does NIDS Work? It typically operates in a passive or inline mode, and they use different detection methods to identify network intrusions. In passive mode, the NIDS monitors outgoing network traffic without interfering with it. In inline mode, the NIDS can modify network traffic to detect intrusions or block malicious activities. What is Stealth Mode? Operating an intrusion detection and prevention sensor without IP addresses assigned to its monitoring network interfaces. Stealth interfaces allow an IDS to be invisible to other hosts on the network while still being able to detect attacks. How NIDP Systems Function Real-time Monitoring and Analysis Proactive Threat Detection Comprehensive Coverage Advantages of Network-Based IDP 1. Prevention of Network Attacks 2. Identification of Vulnerabilities 3. Protection of Sensitive Information 4. Real-Time Monitoring Disadvantages of Network-Based IDP 1. Requires frequent updating 2. Requires extensive configuration 3. Requires maintenance Challenges of Network Based IDP 1. Need for Frequent Updating 2. Time-Consuming Process 3. Regular Maintenance NIDP Best Practices and Policies 1. Continuous Monitoring. 2. Traffic Baseline Establishment. 3. Incident Response Planning. 4. Regular Auditing and Reporting. Ch6 What is a Distributed Intrusion Detection Systems (dIDS)? consists of multiple Intrusion Detection Systems (IDS) over a large network, all of which communicate with each other, or with a central server that facilitates advanced network monitoring, incident analysis, and instant attack data. A dIDS also allows a company to efficiently manage its incident analysis resources by centralizing its attack records. IDS could be used on the agent machines, it is highly suggested that Snort be used. Components of a dIDS? 1- The Central Analysis Server 2- The Co-operative Agent Network 3- Attack Aggregation The Central Analysis Server The central analysis server is really the heart and soul of the operation. The co-operative agent network is one of the most important components of the dIDS. Attack aggregation is another core part of the dIDS system. This part of the system is programming logic based on the central server. Aggregation simply refers to the method in which group users or order the information gathered from the agent network Advantages of a dIDS: detect attack patterns across an entire corporate network. Aggregation is the main component used to facilitate this advanced method of analysis across a network's multiple segments. Analysis Using Aggregation Aggregating by attacker IP Aggregating by destination port Aggregating by agent ID Ch 7 honeypot is a security mechanism that creates a virtual trap to lure attackers. Honeypots are a type of deception technology that allows you to understand attacker behavior patterns. Honeypots vary based on design and deployment models, but they are all decoys intended to look like legitimate, vulnerable systems to attract cybercriminals. Types of honeypot designs Production honeypots Research honeypots Types of Honeypot Deployments 1- Pure honeypots 2 Low-interaction honeypots 3 High-interaction honeypots Honeypot cannot detect security breaches in legitimate systems, and it does not always identify the attacker. A honeynet is a decoy network that contains one or more honeypots. A “honeywall” monitors the traffic going in and out of the network and directs it to the honeypot instances. Spam traps are fraud management tools that help Internet Service Providers (ISPs) identify and block spammers. Types of spam traps include: 1- Username typos 2- Expired email accounts 3- Purchased email lists Honeynets are a great way to study the behavior of hackers. They’re designed with two or more honeypots. The benefits of using a honeynet The ability to study the behavior of attackers The ability to distract and mislead attackers Ch 8 Intrusion Detection System (IDS) is a monitoring system that detects suspicious activities and generates alerts when they are detected. The Importance of Intrusion Response: 1- Continuous Monitoring 2- Risk Mitigation Key Components of an Effective Intrusion Response Plan: 1- Incident Identification 2- Response Team Coordination 3- Communication Protocols Common types of intrusions: 1- Malware 2- Distributed Denial of Service (DDoS) attacks 3- Phishing Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. DDoS or Distributed Denial-of-Service attack is a form of cybercrime where the attacker inundates a server or other Internet-based entity with excessive traffic. Phishing is the practice of sending fraudulent communications that appear to come from a legitimate and reputable source, usually through email and text messaging. What are the Phases of Incident Response? 1. Preparation 2. Detection and Analysis 3. Containment, Eradication, and Recovery 4. Post-Event Activities The containment phase is the second stage in the Incident Response plan, following detection and analysis. Strategies for Effective Containment of Security Incidents Rapid response Isolate affected systems Block malicious activity Monitor the network Wireless Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are essential security measures for protecting wireless networks against unauthorized access and attacks. common Challenges and Limitations of Wireless IDS/IPS 1. Network Complexity Managing security for diverse wireless networks with numerous devices and access points can be challenging. 2. False Positives IDS/IPS systems may incorrectly identify legitimate traffic as threats, leading to unnecessary alerts and actions. How does WIDS work? 1. Packet Inspection WIDS examines data packets within the wireless network to detect anomalies and potential security breaches 2. Signature-Based Detection It uses a database of known attack patterns to identify malicious behavior within the network 3. Anomaly Detection WIDS looks for behaviors that deviate from normal patterns, alerting administrators to potential threats. Types of Wireless Intrusion Detection System 1. Network-Based WIDS Monitors wireless traffic and analyzes it for potential security issues, usually at the network perimeter. 2. Wireless Sensor WIDS Utilizes sensors placed strategically throughout the network to detect intrusions and monitor traffic. 3. Host-Based WIDS Runs on individual devices to monitor and protect their wireless communication. Benefits of implementing WIDS 1- Threat Detection It provides early detection of potential threats, allowing prompt response to mitigate risks. 2- Compliance Adherence Helps in maintaining regulatory compliance by keeping the wireless network secure. 3- Improved Visibility Enhances visibility into wireless network activities, helping in better monitoring and analysis. Features and capabilities of WIPS 1. Real-time Monitoring WIPS provides continuous real-time monitoring of the wireless network, enabling immediate response to security threats. 2. Threat Detection Algorithms Advanced algorithms identify and classify potential threats, ensuring effective and accurate threat detection capabilities. 3. Wireless Protocol Support Support for various wireless protocols allows WIPS to protect networks using different wireless technologies. -قلق ُ ُنسأكل ايهلل اخلالص من لك أم ٍر ي-