sm 2 - additional insight/responses

Instructions: Add additional insight opinions or challenge opinions and you can visit a couple of the web sites contributed and share your opinion of these sites.  Minimum of 150 words for each.  Task 1

Respond in 150 words

1) This week we analyzed the different tools and tactics that malicious users can take towards attacking an organization's network security monitoring (NSM) . There are several used methodologies to disrupt or disable NMS systems, and each utilizes specific hardware and software tools to accomplish this. To describe the intruder's approach we must first delineate the tactics and then correlate them to how the tools enable each.  Bejtlich (2005) writes that there are 4 key attack vectors that are commonly used against NSMs; promote anonymity, evade detection, appear normal, and degrade/deny collection. Promote anonymity is the ability to launch attacks remotely through legitimate third party systems which have been compromised. Tools like Layer Four Traceroute (LFT) can be used to build out a map of the network, and Xprobe2 can scan operating systems for vulnerabilities to exploit and then lauch anonymous attacks from. Evading Detection is an attack that occurs completely unnoticed by the target organization. Running brute force password cracking tools like Cain and Abel at different hours, across a longer span of time, and distributed from multiple points will help keep the suspicious traffic under the radar. The third attack type, appearing normal, tries to mask network traffic as being legitimate and common in order to evade setting off NSM signatures or anomaly detection. Running packet capture tools like Wireshark from authorized devices on the LAN would not trigger any NSM system alerts, but it could compile a massive amount of internal network knowledge for attacks to be launched against. The fourth attack type is degrade/deny collection. The ultimate goal is to overwhelm the NSMs to the point that they can no longer perform their functions or to eliminate the system logs to make recovery and forensics difficult if not impossible. Tools like Low Orbit Ion Canon (LOIC) or  the Layer 7 DDOS Simulator (DDOSIM) can be distributed across multiple zombie devices and then launched towards the NSM.      There are multiple considerations involved in executing an effective incident response. The first step is to consider establishing a mature Incident Response Plan, and for the organization's leadership to supply the necessary resources for success. Peltier (2013) states then a multi-disciplinary group of experts across the formation, from the Team Lead to the Technical Specialists, must be developed with each fully aware of their roles and responsibilities. Next, the team will analyze the NSM systems and logs, check industry for new vulnerability reports, software exploit lists, and public warnings. Once the incident has been neutralized and services restored it is highly recommended to host an After Action Review (AAR) to understand what was done right, done wrong, and develop a list of ways to improve the incident response process.This information should then be included in the next Incident Response Plan which will increase the team's performance level during the next attack. 

Task 2

Respond in 150 words

2) Their are various tools and tactics for attacking network security monitoring.  Social Engineering It is not unique to hacking since many individuals employ this kind of trickery every day both criminally and professionally.  Passwords are one of the most common goals of a hacker and they like to obtain a valid user account and password and at times it is the only way a hacker can bypass security measures thus when an organization uses firewalls, intrusion detection systems, and more, a hacker will need to borrow obtain a real account until he/she can obtain root access and set up a new account for himself/herself. TTPs is a great acronym that many are starting to hear about within cyber security teams but few know and understand how to use it properly within a cyber threat intelligence solution. Tactics, techniques and procedures (TTPs) get at how threat agents (the bad guys) orchestrate and manage attacks. “Tactics” is also sometimes called “tools” in the acronym. Specifically, TTPs are the “patterns of activities or methods associated with a specific threat actor or group of threat actors,” according to the Definitive Guide to Cyber Threat Intelligence (Peltier, 2014). TTPs such as tools are often shared or sold in hacking forums and in private groups on the DarkWeb. Knowing what tools are being used and how they are being leveraged and developed can aid in counter-actions. For example, if a hacker knows that five failed attempts to login to a server is reported, they can use a tool configured to only attempt four remote desktop brute force logins before starting a new session, and thus avoid detection. A counteraction to this TTP is to lower the threshold for logging failed login attempts (e.g. three failed attempts results in a log and alert in the SIEM). TTPs can help with predictive or emergent risk, such as the sharing of a zero-day exploit on a forum being integrated into a bot for eCrime attacks. This type of DarkWeb TTP-based information is useful in assisting action-based decisions such as patch priorities and emergency patching. Detailed research into payloads and logs (e.g. incident forensics and reverse engineering of malware) also reveals TTPs of interest, such as steps or actions taken by actors or code in traversing a network or exfiltration of data. This information can then be used to increase visibility, logging and/or mitigation of threats (Bejtlich, 2005). An IDS can contribute to aiding the prevention of attacks on the NSM systems. An intrusion detection is a mere system placed outside the firewall to identify attack attempts coming from Internet. The advantages of a Network-based IDS is that it provides protection against attacks and even made undetectable to many attackers. To be successful, NIDS, being strategically-placed IDS can monitor a large network but it may have difficulty processing all packets in a large or busy network and, consequently, may run into roadblocks when facing an attack launched during periods of high traffic (Traynor, P., Mcdaniel, P., & La Porta, T. 2008). Number of Pages: 1 Page Page Line Spacing: Double spaced (Default) Number of Slides : No slides needed