Hey guys,
If you haven’t read the previous articles here they are:-
So, moving on to module 6.
- Introduction to Network Security Incident
- Common Network Security Incidents
- Need for Network Security Incident Handling and Response
- Preparation for Handling Network Security Incidents
- Preparation Steps for Handling Network Security Incidents
- Preparation of Network Security Incident Handling Toolkit
- Detection and Validation of Network Security Incidents
- General Indicators of Network Security Incidents
- Detection and Validation of Suspicious Network Events
- Tools for Detection and Validation of Suspicious Network Events
- Handling Unauthorized Access Incidents
- Introduction to Unauthorized Access Incidents
- Indicators of Unauthorized Access Incidents
- Detecting Reconnaissance Attacks
- Detecting Reconnaissance Attacks: Ping Sweep Attempts
- Detecting Reconnaissance Attacks: Port Scanning Attempts
- Detecting Reconnaissance Attacks: Social Engineering Attempts
- Detecting Sniffing and Spoofing Attacks
- Detecting Sniffing and Spoofing Attacks: MAC Flooding Attempts
- Detecting Sniffing and Spoofing Attacks: ARP Poisoning Attempts
- Detecting Sniffing and Spoofing Attacks: Other Sniffing Detection Techniques
- Detecting Firewall and IDS Evasion Attempts
- Detecting Firewall and IDS Evasion Attempts: General Indicators of Intrusions
- Detecting Firewall and IDS Evasion Attempts: Intrusion Detection Using Snort
- Detecting Firewall and IDS Evasion Attempts: Reviewing Firewalls/IDS Logs
- Detecting Brute-force Attempts
- Containment of Unauthorized Access Incidents
- Eradication of Unauthorized Access Incidents
- Recovery after Unauthorized Access Incidents
- Handling Inappropriate Usage Incidents
- Introduction to Inappropriate Usage Incidents
- Indicators of Inappropriate Usage Incidents
- Detecting Inappropriate Usage Incident
- Detecting Inappropriate Usage Incidents: Detecting High Resource Utilization
- Detecting Inappropriate Usage Incidents: Accessing Malware in the Network
- Detecting Inappropriate Usage Incidents: Reviewing Log Entries of Application Logins
- Detecting Inappropriate Usage Incidents: Analysing Network Security Device Logs
- Containment of Inappropriate Usage Incidents
- Eradication of Inappropriate Usage Incident
- Recovery after Inappropriate Usage Incident
- Handling Denial-of-Service Incidents
- Introduction to Denial-of-Service (DoS) Incidents
- Introduction to Distributed Denial-of-Service (DDoS) Incidents
- Types of DoS/DDoS Incidents
- Indicators of DoS/DDoS Incidents
- Detecting DoS/DDoS Incidents
- Detecting DoS/DDoS Incidents: Detection by Analysing Network Connections
- Detecting DoS/DDoS Incidents: Detection by Analysing Non-Responding Applications
- Detecting DoS/DDoS Incidents: Other Detection Techniques
- Tools for Detecting DoS/DDoS Incidents
- Containment of DoS/DDoS Incidents
- Post-attack Forensic
- Eradicating DoS/DDoS Incident
- Recovery after DoS/DDoS Incidents
- DoS/DDoS Recommendations
- DoS/DDoS Recommendations: Protect Secondary Victims
- DoS/DDoS Recommendations: Enable DoS/DDoS Protection at ISP Level
- The IH&R team can use the following tools to protect their networks from DoS/DDoS attacks.
- Handling Wireless Network Security Incidents
- Introduction to Wireless Network Security Incidents
- Types of Wireless Network Security Incidents
- Preparation for Handling Wireless Network Security Incidents
- Indicators of Wireless Network Security Incidents
- Detecting Wireless Network Security Incidents
- Containment of Wireless Network Security Incidents
- Eradication of Wireless Network Security Incidents
- Recovery after Wireless Network Security Incidents
So, as you can see, quite the list of things to read through and learn.
This module was very enjoyable and touched on a lot of the tools and techniques used right across cybersecurity in Blue, Purple and Red teams.
With everything we went over above in the book there were always going to be a lot of labs, and at 11 we weren't disappointed.
Lab 1
Vulnerability Assessment Using Nessus
Nessus is a vulnerability scanner. It lets the user remotely audit the hosts on a network for known vulnerabilities, weak configurations and missing patches, and, when given credentials, run local (authenticated) checks on a specific machine for the issues that cannot be seen from the network.
I have used Nessus on both Windows and Linux HERE and HERE, and will never tire of the software; it's top of the market for a reason.
Lab 2
Conducting Vulnerability Assessment Using OSSIM
OSSIM (Open-Source Security Information Management) is an open-source security information and event management system.
AlienVault OSSIM is a feature-rich open-source SIEM, complete with event collection, normalisation and correlation. It is one unified platform with many of the essential security capabilities you need, such as asset discovery, vulnerability assessment (through the OpenVAS scanner it bundles), intrusion detection, behavioural monitoring and SIEM event correlation.
Lab 3
Configuring Snort IDS
Snort is an open-source network IDS/IPS.
Incident handlers must be able to detect attacks performed against the network. The past few years have witnessed a significant increase in DDoS attacks on the Internet, making network security a great concern.
Incident handlers detect these attacks by examining IDS logs and packet captures and corroborating them with firewall logs, known vulnerabilities and general trending data from the Internet. Attacks against networks are becoming more sophisticated, so automatically reconstructing attack scenarios from IDS alerts in real time and categorising them has become a critical challenge.
Lab 4
Configuring Suricata IDS to Detect and Analyse ICMP and HTTP Traffic
Suricata is an open-source intrusion detection and prevention system that is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing.
An IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System) both raise the security level of a network by monitoring traffic and inspecting packets for suspicious data, whether security threats or policy violations. The difference is placement: an IDS watches a copy of the traffic (from a SPAN port or tap) and can only alert, while an IPS sits inline and can drop or reset the matching packets. Detection in both is mainly signature-based, matching traffic against patterns of attacks that have already been seen and catalogued, so novel attacks need anomaly or behaviour rules on top. The point of having such monitoring in place is to identify suspicious activity, log it, block it where the deployment allows, and report it.
Lab 5
Monitoring Network Traffic Using ntopng
ntopng is a web-based network traffic monitoring application released under GPLv3.
Incident handlers should monitor incoming and outgoing traffic as well as every type of network activity that generates it. Network monitoring tools record that activity with details such as IP address, MAC address, time, date, protocol, port, type of connection, systems/URLs accessed and size of files shared. Incident handlers can use these details to find suspicious events.
I had never even heard of ntopng so was good to see and use a new tool.
Lab 6
Viewing SIEM Events with OSSIM
OSSIM (Open Source Security Information Management) is an open-source security information and event management system.
The IH&R team needs to deploy various security controls such as SIEM solutions, IDS/IPS and firewalls to log, monitor and analyse suspicious activity on the network. As an incident handler, you must be able to monitor, analyse and correlate malicious activity across these sources. That means collecting all events and logs pertaining to the organisation's infrastructure and examining them to confirm that things are in order. In this lab, you learn how to monitor SIEM events with the OSSIM tool.
Lab 7
Detecting Reconnaissance Attacks
Through reconnaissance, attackers try to gather the crucial information about a target network that they need to plan and carry out their attacks.
They collect details about the target organisation such as domains and sub-domains, network blocks, Whois and DNS records, operating systems in use and the location of web servers, and then probe the network itself with ping sweeps and port scans. As an incident handler, you must be able to spot such activity in packet captures using tools such as Wireshark, and in IDS and firewall logs.
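The two probes the module calls out, ping sweeps and port scans, both show up as one source touching an unusual number of distinct targets in a short time. The script below is an added example for this post, not code from the lab: it runs that sliding-window check over packet summaries of the kind you would export from Wireshark or tshark. The packet records, the hosts and the thresholds are constructed assumptions.

```python
"""Detect ping sweeps and port scans in a list of packet summaries.

Added example for this post, not code from the ECIH lab. The packet
records below are constructed to look like a tshark/Wireshark export
(time, source, destination, protocol, destination port, TCP flags or
ICMP type); the layout, hosts and thresholds are this example's own
assumptions.
"""
from collections import defaultdict, deque

WINDOW_S = 10.0      # sliding window in seconds
SWEEP_HOSTS = 20     # distinct hosts pinged by one source inside the window
SCAN_PORTS = 30      # distinct ports SYN'd on one host by one source inside the window

# Constructed capture: normal traffic from 10.0.0.7, then 10.0.0.99 pings
# 40 hosts in under a second and SYN-scans 100 ports on 10.0.0.5.
PACKETS = [(0.0, "10.0.0.7", "10.0.0.1", "TCP", 443, "PA"),
           (6.0, "10.0.0.7", "10.0.0.5", "TCP", 22, "S"),
           (6.1, "10.0.0.7", "10.0.0.5", "TCP", 80, "S")]
PACKETS += [(1.0 + i * 0.01, "10.0.0.99", f"10.0.0.{i}", "ICMP", None, "echo-request")
            for i in range(1, 41)]
PACKETS += [(5.0 + i * 0.005, "10.0.0.99", "10.0.0.5", "TCP", port, "S")
            for i, port in enumerate(range(20, 120))]


def _window_count(queue, t, item, window):
    """Append (t, item), drop entries older than the window, return distinct items."""
    queue.append((t, item))
    while t - queue[0][0] > window:
        queue.popleft()
    return len({x for _, x in queue})


def detect_recon(packets, window=WINDOW_S, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return findings keyed by (type, source[, target]) with the peak count seen.

    A ping sweep is one source sending ICMP echo requests to many distinct
    hosts inside the window; a port scan is one source sending bare SYNs to
    many distinct ports on one host inside the window."""
    pings = defaultdict(deque)   # src -> (time, dst) seen in window
    syns = defaultdict(deque)    # (src, dst) -> (time, dport) seen in window
    findings = {}
    for t, src, dst, proto, dport, flags in sorted(packets, key=lambda p: p[0]):
        if proto == "ICMP" and flags == "echo-request":
            n = _window_count(pings[src], t, dst, window)
            if n >= sweep_hosts:
                key = ("ping_sweep", src)
                findings[key] = max(n, findings.get(key, 0))
        elif proto == "TCP" and flags == "S":
            n = _window_count(syns[(src, dst)], t, dport, window)
            if n >= scan_ports:
                key = ("port_scan", src, dst)
                findings[key] = max(n, findings.get(key, 0))
    return findings


if __name__ == "__main__":
    for key, count in detect_recon(PACKETS).items():
        print(*key, count)
```

Keying on bare SYNs (flag `S` only, no ACK) is what separates a scan from ordinary connection setup, and the two legitimate SYNs from 10.0.0.7 stay well under the threshold. On a real capture the thresholds need tuning: a monitoring host that pings its whole subnet every minute looks exactly like a sweep.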
Lab 8
FTP Traffic Analysis through VSFTPD logs
VSFTPD is an FTP server for Linux and Unix-like systems, licensed under the GNU General Public License.
The File Transfer Protocol (FTP) is a standard network protocol for transferring files between a client and a server. FTP uses separate control and data connections: the control connection (TCP port 21) carries commands and responses, while each transfer opens a new data connection, either from the server (active mode) or from the client (passive mode). Everything on the control connection, including the username and password, is sent in cleartext, so anyone sniffing the segment can read the credentials.
Clients initiate conversations with servers to upload, download, delete, rename, move or copy files on the server. A user typically needs to log on to the FTP server, although some servers make some or all of their content available without a login, which is known as anonymous FTP.
Incident handlers need to monitor and analyse FTP traffic to detect suspicious file transfers on the network. In this lab, you learn how to perform FTP traffic analysis using VSFTPD logs, which record each connection, each login attempt (OK or FAIL) and each transfer together with the client address, the username and the file path.
Lab 9
Detecting Sniffing and Spoofing Attacks
Packet sniffing is the process of monitoring and capturing all data packets passing through a given network by using a software application or a hardware device.
ARP cache poisoning is an attack on a LAN in which the attacker sends forged ARP replies (and sometimes requests) so that the victim's ARP cache maps another host's IP address, typically the default gateway's, to the attacker's MAC address. Frames for that IP are then delivered to the attacker's network card, which can read or modify them and forward them on, giving a man-in-the-middle position. MAC flooding is the other common sniffing technique: the attacker overflows the switch's CAM table with bogus source MACs so that the switch falls back to flooding frames out of every port, where a sniffer can capture them. Either way the attacker spoofs another host's identity in order to capture traffic that the switch would otherwise never deliver to it.
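ARP poisoning leaves a trail that is easy to check for: an IP address whose MAC suddenly changes, and one MAC answering for several IPs. The script below is an added example for this post, not code from the lab; it applies those rules to a stream of ARP replies. The replies, the gateway address and the rules themselves are constructed assumptions.

```python
"""Flag ARP cache poisoning from a stream of ARP replies.

Added example for this post, not code from the ECIH lab. The ARP replies
are constructed as (time, sender IP, sender MAC) tuples, the fields a
capture would give you (e.g. tshark -T fields -e arp.src.proto_ipv4
-e arp.src.hw_mac). The gateway address and the three alert rules are
this example's own assumptions.
"""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"   # assumed default gateway, the usual poisoning target

# Constructed replies: three legitimate hosts announce themselves, then an
# attacker NIC (de:ad:be:ef:00:99) claims both the gateway and a victim,
# and keeps re-sending the gateway claim so the caches stay poisoned.
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),
    (0.2, "10.0.0.5", "00:11:22:33:44:05"),
    (0.4, "10.0.0.7", "00:11:22:33:44:07"),
    (5.0, "10.0.0.1", "de:ad:be:ef:00:99"),
    (5.0, "10.0.0.5", "de:ad:be:ef:00:99"),
    (7.0, "10.0.0.1", "de:ad:be:ef:00:99"),
    (9.0, "10.0.0.1", "de:ad:be:ef:00:99"),
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return findings in the order they are triggered.

    Rules: an IP whose MAC changes, the gateway's IP moving to a new MAC,
    and one MAC answering for more than one IP (reported once per MAC)."""
    ip_to_mac = {}                    # the mapping the LAN currently believes
    mac_to_ips = defaultdict(set)
    multi_reported = set()
    findings = []
    for t, ip, mac in sorted(replies, key=lambda r: r[0]):
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            findings.append({"type": "ip_mac_changed", "time": t, "ip": ip,
                             "old_mac": old, "new_mac": mac})
            if ip == gateway_ip:
                findings.append({"type": "gateway_hijack", "time": t, "mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in multi_reported:
            multi_reported.add(mac)
            findings.append({"type": "mac_claims_multiple_ips", "time": t,
                             "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return findings


if __name__ == "__main__":
    for f in detect_arp_poisoning(ARP_REPLIES):
        print(f)
```

The repeated gateway claims at 7.0 and 9.0 seconds raise nothing new because the table already holds the attacker's MAC; on a real segment that steady drip of unsolicited replies for the same IP is itself a strong signal worth counting. Expect false positives from hosts that legitimately answer for several IPs (routers with secondary addresses, VRRP/HSRP virtual IPs, proxy ARP) and from DHCP churn, so seed the table from a known-good baseline where you can.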
Lab 10
Detecting Brute Forcing Attempts
Attackers use trial and error to guess the valid value of a particular field, most often a password.
Applications that allow an unlimited number of attempts are prone to brute-force attacks. In a pure brute-force attack the attacker tries every combination of characters until the password is found; in practice most attacks are dictionary or password-spraying attacks that generate a large number of credential guesses from common passwords. Brute-force attacks lead to loss of privacy and impact data confidentiality, since they are performed to obtain sensitive credentials such as administrator or ordinary user account passwords.
As an incident handler, you must be able to detect brute-force attempts against enterprise network applications by analysing logs. In this lab you learn to detect them in the Windows Security log: the tell-tale pattern is a run of Event ID 4625 (an account failed to log on) entries from the same source address in a short period, sometimes followed by a 4624 (successful logon) that means a guess worked.
I spend a lot of time in event logs in my day job, so it was nice to get shown around more; I really need to be learning more about them and the specific event IDs.
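The FTP lab (Lab 8) and the Windows lab (Lab 10) are the same detection problem on two log formats: many failed logins from one source in a short window, and whether a success follows. The script below is an added example for this post, not code from either lab. It parses vsftpd's own log lines and Windows 4625/4624 records into one event shape and runs a single sliding-window detector over both. The log lines, the event records, the hosts, users, window and threshold are all constructed assumptions.

```python
"""Failed-login burst detection across vsftpd logs and Windows logon events.

Added example for this post, not code from the ECIH labs. Two parsers
normalise the sources into one event shape and one sliding-window
detector runs over both. The vsftpd.log lines and the Windows records
are constructed; hosts, users, window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed excerpt in vsftpd's own log format (not the xferlog format):
# six failures from 10.0.0.66 in ten seconds, then a success and a download.
VSFTPD_LOG = """\
Tue Sep 10 10:30:01 2024 [pid 2012] CONNECT: Client "::ffff:10.0.0.66"
Tue Sep 10 10:30:02 2024 [pid 2012] [root] FAIL LOGIN: Client "::ffff:10.0.0.66"
Tue Sep 10 10:30:04 2024 [pid 2012] [root] FAIL LOGIN: Client "::ffff:10.0.0.66"
Tue Sep 10 10:30:05 2024 [pid 2012] [admin] FAIL LOGIN: Client "::ffff:10.0.0.66"
Tue Sep 10 10:30:07 2024 [pid 2012] [admin] FAIL LOGIN: Client "::ffff:10.0.0.66"
Tue Sep 10 10:30:09 2024 [pid 2012] [alice] FAIL LOGIN: Client "::ffff:10.0.0.66"
Tue Sep 10 10:30:12 2024 [pid 2012] [alice] FAIL LOGIN: Client "::ffff:10.0.0.66"
Tue Sep 10 10:30:15 2024 [pid 2012] [alice] OK LOGIN: Client "::ffff:10.0.0.66"
Tue Sep 10 10:30:20 2024 [pid 2013] [alice] OK DOWNLOAD: Client "::ffff:10.0.0.66", "/home/alice/payroll.xlsx", 204800 bytes, 512.00Kbyte/sec
Tue Sep 10 10:45:00 2024 [pid 2020] [bob] FAIL LOGIN: Client "::ffff:10.0.0.7"
Tue Sep 10 10:45:10 2024 [pid 2020] [bob] OK LOGIN: Client "::ffff:10.0.0.7"
"""

VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<status>OK|FAIL) (?P<action>LOGIN|DOWNLOAD|UPLOAD): '
    r'Client "(?P<ip>[^"]+)"')

# Constructed Windows Security log records (fields as Get-WinEvent exposes
# them): seven 4625 failures against administrator from 10.0.0.66 in thirty
# seconds, plus one ordinary typo from 10.0.0.7 followed by a 4624 success.
# Status 0xC000006D is "unknown user name or bad password".
WINDOWS_EVENTS = [
    {"EventID": 4625, "TimeCreated": f"2024-09-10T11:02:{s:02d}", "TargetUserName": "administrator",
     "IpAddress": "10.0.0.66", "LogonType": 3, "Status": "0xC000006D"} for s in range(0, 35, 5)
] + [
    {"EventID": 4625, "TimeCreated": "2024-09-10T11:20:00", "TargetUserName": "bob",
     "IpAddress": "10.0.0.7", "LogonType": 2, "Status": "0xC000006D"},
    {"EventID": 4624, "TimeCreated": "2024-09-10T11:20:30", "TargetUserName": "bob",
     "IpAddress": "10.0.0.7", "LogonType": 2},
]


@dataclass
class LoginEvent:
    service: str
    ts: datetime
    source: str
    user: str
    ok: bool


def _strip_v4mapped(ip):
    """vsftpd logs IPv4 clients as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def parse_vsftpd(text):
    """Login attempts from vsftpd.log; CONNECT and transfer lines are skipped."""
    events = []
    for line in text.splitlines():
        m = VSFTPD_RE.match(line)
        if m and m["action"] == "LOGIN":
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append(LoginEvent("vsftpd", ts, _strip_v4mapped(m["ip"]),
                                     m["user"] or "", m["status"] == "OK"))
    return events


def parse_windows(records):
    """4625 = failed logon, 4624 = successful logon; other event IDs are ignored."""
    return [LoginEvent("windows", datetime.fromisoformat(r["TimeCreated"]), r["IpAddress"],
                       r["TargetUserName"], r["EventID"] == 4624)
            for r in records if r["EventID"] in (4624, 4625)]


def find_bursts(events, window=timedelta(minutes=5), threshold=5):
    """One finding per (service, source) reaching `threshold` failures inside `window`.

    success_after names the first account that logged in from that source
    after the burst began, the sign that one of the guesses worked."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.service, e.source)].append(e)
    findings = []
    for (service, source), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if not e.ok]
        recent, burst_start = deque(), None
        for e in fails:
            recent.append(e.ts)
            while e.ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                burst_start = recent[0]
                break
        if burst_start is None:
            continue
        success = next((e.user for e in evs if e.ok and e.ts >= burst_start), None)
        findings.append({"service": service, "source": source, "failures": len(fails),
                         "users": sorted({e.user for e in fails}), "success_after": success})
    return findings


if __name__ == "__main__":
    for f in find_bursts(parse_vsftpd(VSFTPD_LOG) + parse_windows(WINDOWS_EVENTS)):
        print(f)
```

Two practical details carried by the example: vsftpd writes IPv4 clients as `::ffff:a.b.c.d`, which has to be stripped before the address lines up with anything else, and the Windows 4625 `Status`/`SubStatus` codes tell you whether the attacker is guessing passwords for real accounts (bad password) or enumerating usernames (user does not exist), so keep them in the event if you extend this.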
Lab 11
Detecting DoS/DDoS Incidents
KFSensor is a host-based honeypot intrusion detection system for Windows that also includes protections against DoS attacks; among them, it lets you set the maximum number of connections to the machine allowed per source IP address.
DoS is an attack on a computer or network that reduces, restricts, or prevents the accessibility of system resources for its legitimate users. Distributed denial-of-service (DDoS) is a coordinated attack that involves a multitude of compromised systems (Botnet) attacking a single target, thereby causing a denial of service to the users of the targeted system.
As an incident handler, you must know how to detect DoS/DDoS attacks on the target network. Early detection helps incident handlers prevent the propagation of DoS/DDoS attacks and reduce their impact.
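The "detection by analysing network connections" technique from the module outline comes down to counting the connection table: a pile of half-open (SYN_RECV) connections on one port points to a SYN flood, and one remote address holding far more connections than a client needs is the pattern a per-IP cap like KFSensor's exists to stop. The script below is an added example for this post, not code from the lab or from KFSensor; it parses constructed `netstat -ant` output and applies both checks. The server and client addresses and both thresholds are assumptions.

```python
"""Spot SYN-flood and single-source connection-flood patterns in netstat output.

Added example for this post, not code from the ECIH lab or from KFSensor.
The lines are constructed in the layout of Linux `netstat -ant`; the server
address, the attacking addresses and both thresholds are this example's
own assumptions. `ss -ant` prints its columns in a different order, so the
regular expression would need adjusting for it.
"""
import re
from collections import Counter

NETSTAT_RE = re.compile(
    r'^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+|\*)\s+(?P<state>[A-Z_]+)')

SYN_RECV_LIMIT = 100   # half-open connections on one port before calling it a SYN flood
PER_IP_LIMIT = 50      # connections from one address, the kind of cap KFSensor lets you set


def build_sample():
    """Constructed netstat output: two real clients, a spoofed-source SYN flood
    on port 80 and one client holding 60 connections to port 443."""
    lines = ["Active Internet connections (servers and established)",
             "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
             "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
             "tcp        0      0 10.0.0.5:80             10.0.0.7:51022          ESTABLISHED",
             "tcp        0      0 10.0.0.5:22             10.0.0.7:51100          ESTABLISHED"]
    lines += [f"tcp        0      0 10.0.0.5:80             203.0.113.{i % 250 + 1}:{40000 + i}   SYN_RECV"
              for i in range(300)]
    lines += [f"tcp        0      0 10.0.0.5:443            198.51.100.9:{50000 + i}        ESTABLISHED"
              for i in range(60)]
    return lines


def parse_netstat(lines):
    """Connection rows as dicts; header lines and non-TCP rows are dropped."""
    return [m.groupdict() for m in map(NETSTAT_RE.match, lines) if m]


def analyse(lines, syn_recv_limit=SYN_RECV_LIMIT, per_ip_limit=PER_IP_LIMIT):
    """Return findings: ports with too many half-open connections, and remote
    addresses holding too many connections in any non-listening state."""
    conns = parse_netstat(lines)
    findings = []
    half_open = [c for c in conns if c["state"] == "SYN_RECV"]
    for port, n in sorted(Counter(c["lport"] for c in half_open).items()):
        if n >= syn_recv_limit:
            sources = {c["raddr"] for c in half_open if c["lport"] == port}
            findings.append({"type": "syn_flood", "port": int(port), "half_open": n,
                             "distinct_sources": len(sources)})
    per_ip = Counter(c["raddr"] for c in conns if c["state"] != "LISTEN")
    for ip, n in sorted(per_ip.items()):
        if n >= per_ip_limit:
            findings.append({"type": "connection_flood", "source": ip, "connections": n})
    return findings


if __name__ == "__main__":
    for f in analyse(build_sample()):
        print(f)
```

The `distinct_sources` count is the useful bit of the SYN-flood finding: 300 half-open connections spread across 250 addresses means the sources are spoofed and blocking by IP will not help, which is when the ISP-level protection and SYN cookies from the recommendations list come in. A single address holding dozens of established connections, on the other hand, is exactly what a per-IP connection cap addresses.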
Thanks as always guys and will see you again for module 7.
Regards
Alex
1 thought on “Week Eight of EC-Council Certified Incident Handler (ECIH) Version 2 Self-Study Training”