Security Operations

SecOpsweek2lesson1securitymonitoring.pptx

Security monitoring

Learning objectives

Use monitoring tools to identify attacks against network protocols and services.

Know monitoring data analysis techniques.

Be familiar with different monitoring tools.

Know the detection types used in IDS/IPS.

Security monitoring


Continuous security monitoring


Monitoring process NIST SP 800-137

Anomaly analysis (detect outlier data points)

Trend analysis (detect changes over time)

Behavioral analysis (detect unusual user activity)

Availability analysis (provide uptime information)

Continuous security monitoring is an important activity that provides cybersecurity experts with real-time insight into the security and performance of technology resources.

Anomaly analysis looks for data points that stand out from the rest of the data as clear outliers.

Trend analysis looks for historical changes over time.

Behavioral analysis looks at the activity of users and identifies suspicious actions.

Availability analysis provides technology leaders with key information about the performance of their systems against service level agreements. Availability analysis depends upon monitoring systems that continuously monitor system status and detect periods of downtime.

IDS/IPS

IDS: passive, out-of-band, low impact

IPS: active, in-line, impact on network performance


IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:

A router configured with Cisco IOS IPS software

A device specifically designed to provide dedicated IDS or IPS services

A network module installed in an adaptive security appliance (ASA), switch, or router

IDS and IPS technologies use signatures to detect patterns in network traffic. A signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information. IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).

Types of IDS


Host-based IDS (HIDS) - examine specific host-based actions, such as what applications are being used, what files are being accessed and what information resides in the kernel logs.

Network-based IDS (NIDS) - analyze the flow of information between computers, i.e., network traffic.

https://www.techwalla.com/articles/description-of-the-difference-between-hids-nids

Types of IPS


Host-based IPS (HIPS) - software installed on a host to monitor and analyze suspicious activity. (evaluate packets before they're allowed to enter a computer)

Network-based IPS (NIPS) - can be implemented using a dedicated or non-dedicated IPS device.  Sensors detect malicious and unauthorized activity in real time and can take action when required. (evaluate traffic before it's allowed into a network or subnet)

Advantages and disadvantages (host-based IPS)

Advantages:
Provides protection specific to a host operating system
Provides operating system and application-level protection
Protects the host after the message is decrypted

Disadvantages:
Operating system dependent
Must be installed on all hosts

Signature Alarms


Detection type - Description

Pattern-Based Detection - Also known as signature-based detection. The simplest triggering mechanism, as it searches for a specific, pre-defined atomic or composite pattern.

Anomaly-Based Detection - Also known as profile-based detection. Involves first defining a profile of what is considered normal network or host activity. This normal profile is usually defined by monitoring traffic and establishing a baseline. Once defined, any activity beyond a specified threshold in the normal profile will generate a signature trigger and action.

Policy-Based Detection - Also known as behavior-based detection. Although similar to pattern-based detection, an administrator manually defines behaviors that are suspicious based on historical analysis. The use of behaviors enables a single signature to cover an entire class of activities without having to specify each individual situation.

Honey Pot-Based Detection - Uses a server as a decoy to attract attacks. The purpose of a decoy server is to lure attacks away from production devices. Allows administrators time to analyze incoming attacks and malicious traffic patterns to tune their sensor signatures.

Ten Strategies of a World-Class Cybersecurity Operations Center, pages 121-122

Table 9. Advantages and Disadvantages of Intrusion Detection Elements

Read more information about IPS/IDS at


Tutorial – tripwire (file integrity monitoring)


https://github.com/Tripwire/tripwire-open-source

sudo apt-get update (if needed)

Install: apt install tripwire

Generate keys:

./twadmin --generate-keys -L /etc/tripwire/${HOSTNAME}-local.key

./twadmin --generate-keys -S /etc/tripwire/site.key

Edit the policy configuration file: gedit twpol.txt

Generate the policy: sudo twadmin --create-polfile -S site.key twpol.txt

Create the baseline: tripwire --init

Finally the check: tripwire --check

Report: twprint --print-report --twrfile /var/lib/tripwire/report/kali-20210414-110547.twr

Open Source Tripwire® is a security and data integrity tool for monitoring and alerting on file & directory changes.

https://www.techrepublic.com/article/how-to-install-and-use-tripwire-to-detect-modified-files-on-ubuntu-server/
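The baseline-then-check cycle that the tripwire --init and tripwire --check steps above perform, shown as an added POSIX shell example (not Tripwire's code and not from the slides): it hashes every file under a directory into a baseline, then reports what was added, removed or changed since. It assumes find, awk and sha256sum (or shasum) are available and that file paths contain no spaces.

```shell
#!/bin/sh
# Minimal baseline-and-check file integrity monitor, illustrating what
# "tripwire --init" (baseline) and "tripwire --check" (compare) do.
# The "database" is one SHA-256 line per file; paths with spaces are not
# handled (assumption kept for brevity).

hash_file() {               # print "<sha256>  <path>"; falls back to shasum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# fim_init DIR BASELINE: record the hash of every regular file under DIR.
fim_init() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do hash_file "$f"; done ) > "$2"
}

# fim_check DIR BASELINE: rehash DIR, print one "added|removed|changed PATH"
# line per violation and return 1 if there were any (0 when clean).
# The baseline must be non-empty for awk's NR==FNR two-file idiom.
fim_check() {
    current=$(mktemp)
    fim_init "$1" "$current"
    violations=$(awk '
        NR == FNR { base[$2] = $1; next }          # first file: baseline
        { cur[$2] = $1 }                           # second file: current
        END {
            for (f in base) if (!(f in cur)) print "removed " f
            for (f in cur)  if (!(f in base)) print "added " f
            for (f in cur)  if ((f in base) && base[f] != cur[f]) print "changed " f
        }' "$2" "$current")
    rm -f "$current"
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}

# Demo on constructed files in a temp directory (safe to run anywhere).
fim_demo() {
    d=$(mktemp -d); b=$(mktemp)
    printf 'root:x:0:0\n' > "$d/passwd"
    fim_init "$d" "$b"
    printf 'extra:x:0:0\n' >> "$d/passwd"     # simulate tampering after the baseline
    fim_check "$d" "$b" || echo "integrity violations found (exit $?)"
    rm -rf "$d" "$b"
}

fim_demo
```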

Network Monitoring


Active – Proactively detect network and application issues by sending real traffic across a network (ping, traceroute)

Passive – Identify top protocols and users; listen only

SNMP – device-level monitoring. The Simple Network Management Protocol collects and organizes information about managed devices (e.g., routers, switches, servers, workstations, printers)

Passive Monitoring


Network TAPs – Network test access points that forward all traffic including physical layer errors to an analysis device.

Port mirroring – enables a switch to copy frames of one or more ports to a Switch Port Analyzer (SPAN) port connected to an analysis device.

Syslog – logs event messages.

Flow analysis – NetFlow

Packet analyzer – tcpdump, Wireshark

Network Taps


A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic including physical layer errors to an analysis device.

Taps are also typically fail-safe, which means that if a tap fails or loses power, traffic between the firewall and internal router is not affected.

Traffic Mirroring and SPAN


Port mirroring enables the switch to copy frames of one or more ports to a Switch Port Analyzer (SPAN) port connected to an analysis device.

In the figure, the switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 connecting to an IDS.

The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored.

Exercise


Observe the configurations

Observe the traffic flow

Time: 10 minutes

Download span.pkt

Syslog


Syslog is used for logging event messages from network devices and endpoints.

Syslog servers typically listen on UDP port 514.

Enhancements provided by syslog-ng (next generation)

content-based filtering

Logging directly into a database

TCP for transport

TLS encryption

Linux supports syslog natively; third-party tools (Kiwi Syslog) add support on Windows systems.

Syslog messages


Syslog messages have three parts: PRI (priority), HEADER, and MSG (message text).

PRI consists of two elements, the Facility and Severity of the message.

Facility identifies the broad category of source that generated the message, such as the system, a process, or an application, and directs the message to the appropriate log file.

Severity is a value from 0-7 that defines how serious the message is.
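As an added POSIX shell example, not from the slides: a decoder for the PRI field described above. It assumes the RFC 3164/5424 encoding PRI = facility * 8 + severity, and the sample log lines are constructed.

```shell
#!/bin/sh
# Decode the PRI field of a syslog message. PRI = facility * 8 + severity
# (RFC 3164/5424), so facility = PRI / 8 and severity = PRI % 8.

severity_name() {
    case $1 in
        0) echo emergency ;; 1) echo alert ;;  2) echo critical ;; 3) echo error ;;
        4) echo warning ;;   5) echo notice ;; 6) echo informational ;; 7) echo debug ;;
    esac
}

facility_name() {           # common facility codes; local0-local7 are 16-23
    case $1 in
        0) echo kern ;; 1) echo user ;; 2) echo mail ;; 3) echo daemon ;;
        4) echo auth ;; 5) echo syslog ;; 10) echo authpriv ;;
        1[6-9]|2[0-3]) echo "local$(($1 - 16))" ;;
        *) echo "facility$1" ;;
    esac
}

# parse_pri LINE: print "facility=N(name) severity=N(name)"; return 1 if the
# line carries no valid <PRI> prefix (PRI must be 0..191).
parse_pri() {
    case $1 in "<"[0-9]*">"*) ;; *) echo "no PRI"; return 1 ;; esac
    pri=${1#<}; pri=${pri%%>*}
    case $pri in *[!0-9]*) echo "bad PRI"; return 1 ;; esac
    [ "$pri" -le 191 ] || { echo "bad PRI"; return 1; }
    fac=$((pri / 8)); sev=$((pri % 8))
    printf 'facility=%d(%s) severity=%d(%s)\n' \
        "$fac" "$(facility_name "$fac")" "$sev" "$(severity_name "$sev")"
}

# filter_severity MAX: pass through stdin lines whose severity is MAX or more
# severe (lower number = more severe); e.g. 3 keeps error and worse.
filter_severity() {
    while IFS= read -r line; do
        case $line in "<"[0-9]*">"*)
            p=${line#<}; p=${p%%>*}
            case $p in *[!0-9]*) continue ;; esac
            [ $((p % 8)) -le "$1" ] && printf '%s\n' "$line" ;;
        esac
    done
    return 0
}

# Constructed sample lines in RFC 3164 style (not real logs).
printf '%s\n' '<34>Oct 11 22:14:15 host su: su root failed for user' \
              '<165>Oct 11 22:14:16 host app: heartbeat' | filter_severity 3
```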


Syslog message examples


https://www.pcwdld.com/syslog-trap-levels#wbounce-modal

https://blog.datalust.co/seq-input-syslog/

NTP


Syslog messages are usually timestamped using the Network Time Protocol (NTP).

NTP operates on UDP port 123.

Timestamps are essential for detection of an exploit.

Threat actors may attempt to attack NTP to corrupt time information used to correlate logged network events.

Threat actors use NTP systems to direct DDoS attacks (monlist).

Exercise


Investigate FTP traffic

View Syslog messages

Time: 15 minutes

Download logging network activity.pka from Canvas

NetFlow


NetFlow is a protocol used for network troubleshooting and session-based accounting.

Provides network traffic accounting, usage-based network billing, network planning, and security.

Provides information about network users and applications, peak usage times, and traffic routing.

Collects metadata, or data about the flow (who, when, how much), not the flow data itself.


TCP flags

0x00 no TCP session was involved because the protocol is e.g. ICMP

0x02 request (SYN)

0x12 response (SYN-ACK)

0x12 = 0001 0010 in binary; reading the low six bits as URG ACK PSH RST SYN FIN gives 01 0010, i.e. ACK and SYN set.


Hex   Protocol number   Protocol
0x01  1                 ICMP
0x06  6                 TCP
0x11  17                UDP
0x29  41                IPv6
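An added POSIX shell example (not from the slides or any NetFlow exporter) that decodes the TCP flag byte and protocol number fields above and states what a record's cumulative flags say about the flow; the sample records are constructed.

```shell
#!/bin/sh
# Decode the protocol number and the cumulative TCP flags byte of a NetFlow
# record. Flag bits: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20.

to_int() { printf '%d' "$1"; }      # accepts decimal or 0x-prefixed hex

tcp_flag_names() {                  # 0x12 -> "SYN ACK"
    f=$(to_int "$1"); names=""
    [ $((f & 1))  -ne 0 ] && names="$names FIN"
    [ $((f & 2))  -ne 0 ] && names="$names SYN"
    [ $((f & 4))  -ne 0 ] && names="$names RST"
    [ $((f & 8))  -ne 0 ] && names="$names PSH"
    [ $((f & 16)) -ne 0 ] && names="$names ACK"
    [ $((f & 32)) -ne 0 ] && names="$names URG"
    printf '%s\n' "${names# }"
}

proto_name() {                      # IP protocol number -> name (slide subset)
    case $(to_int "$1") in
        1) echo ICMP ;; 6) echo TCP ;; 17) echo UDP ;; 41) echo IPv6 ;;
        *) echo "proto$(to_int "$1")" ;;
    esac
}

# classify_flow PROTO FLAGS: what the flags byte says about a flow. NetFlow
# ORs the flags of every packet in the flow, so 0x02 alone means a SYN that
# was never followed by an ACK in that direction (a common scan indicator
# when seen across many ports or hosts).
classify_flow() {
    p=$(to_int "$1"); f=$(to_int "$2")
    if [ "$p" -ne 6 ]; then echo "no TCP session ($(proto_name "$p"))"; return 0; fi
    if [ $((f & 2)) -ne 0 ] && [ $((f & 16)) -eq 0 ]; then
        echo "SYN only: unanswered connection attempt"
    elif [ $((f & 4)) -ne 0 ]; then
        echo "reset (RST seen)"
    elif [ $((f & 2)) -ne 0 ] && [ $((f & 16)) -ne 0 ]; then
        echo "established (SYN and ACK seen)"
    else
        echo "no handshake in this record"
    fi
}

# Constructed sample records as "proto flags" pairs, not real flow exports.
for rec in "0x01 0x00" "0x06 0x02" "0x06 0x12" "0x11 0x00"; do
    set -- $rec
    printf '%-5s flags=%-8s %s\n' "$(proto_name "$1")" "$(tcp_flag_names "$2")" "$(classify_flow "$1" "$2")"
done
```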

Exercise


Observe NetFlow Flow Records - One Direction

Observe NetFlow Records for a http Session

Time: 15 minutes

Download Explore a NetFlow Implementation.pka from Canvas