8. Issue Detection
Cyber Kill Chain
- Reconnaissance
- Weaponization: Client application data file: PDF, DOC
- Delivery: E-mail attachment, website, USB removable media
- Exploitation:
- Installation:
- Command and Control
- Actions on Objectives
HIDS
An agent or cron job that:
- scans for anomalies on the local node
- checks system resources against a database of attributes (MD5 sum, time-stamps, permissions, etc.) recorded for each resource.
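As an added illustration of that attribute-database check (example code written for these notes, not code from AIDE, Tripwire or OSSEC), the following Python takes a baseline of hash, size, mode and mtime over a constructed temporary directory, then reports added, removed and changed files after simulated tampering:

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

ATTRS = ("sha256", "size", "mode", "mtime")  # per-file attributes the baseline stores

def file_attributes(path: Path) -> dict:
    """Collect one file's attributes; mode keeps setuid/setgid/sticky bits."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "mtime": st.st_mtime_ns}

def build_baseline(root: Path) -> dict:
    """Scan every regular file under root, keyed by relative path (the HIDS database)."""
    return {p.relative_to(root).as_posix(): file_attributes(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report new files, missing files, and which attributes changed on the rest."""
    findings = {"added": sorted(current.keys() - baseline.keys()),
                "removed": sorted(baseline.keys() - current.keys()),
                "changed": {}}
    for name in sorted(baseline.keys() & current.keys()):
        diff = [a for a in ATTRS if baseline[name][a] != current[name][a]]
        if diff:
            findings["changed"][name] = diff
    return findings

def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "app.sh").write_text("#!/bin/sh\necho ok\n")
        os.chmod(root / "etc" / "app.sh", 0o755)
        baseline = build_baseline(root)
        # Simulated changes: uid-0 account appended, file removed, setuid bit set, file dropped
        with open(root / "etc" / "passwd", "a") as f:
            f.write("newuser:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        os.chmod(root / "etc" / "app.sh", 0o4755)
        (root / "bin").mkdir()
        (root / "bin" / "newtool").write_text("#!/bin/sh\n")
        return compare(baseline, build_baseline(root))
```

Real tools persist the baseline with its own integrity protection and exclude paths that legitimately churn (logs, spool directories), otherwise every scan drowns in noise.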
HIDS Tools
1. AIDE is shipped with enterprise Linux. It is a highly configurable HIDS.
2. Tripwire is similar to AIDE. Extra features: (1) commercial management console (2) real-time auditing agent
3. OSSEC is an open-source host-based intrusion detection system. It performs (1) log analysis (2) file integrity checking (3) policy monitoring (4) rootkit detection (5) real-time alerting (6) active response
Important files. There are many; the full list can be obtained with the command
sudo ls -R /var/ossec
Main config file: /var/ossec/etc/ossec.conf
Rule files: /var/ossec/rules
Active-response scripts (run when an issue is detected): /var/ossec/active-response/bin
CIS benchmarks for different OSes: /var/ossec/etc/shared
All OSSEC log files: /var/ossec/logs
NIDS
Tools that collect traffic from networking devices, then analyze it for attack signatures and other anomalies.
NIDS Tools
1. SNORT: maintained by Cisco. Cisco adds new rules and shares them with subscribers; after 30 days these new rules are made available to the community.
2. Suricata: (1) real-time IDS (2) IPS (3) NSM (4) offline pcap processing. Lua-script support for complex threat detection.
Important files
(1) /etc/suricata/suricata.yaml is the main config file. After editing it, run
sudo suricata-update
and the updated rules are written to
(2) /var/lib/suricata/rules/classification.config and
(3) /var/lib/suricata/rules/suricata.rules
Next see the /var/log/suricata folder:
(4) suricata.log
(5) stats.log
(6) fast.log
(7) eve.json, one JSON object per line; filter it with jq, for example
jq 'select(.event_type == "alert")' /var/log/suricata/eve.json
(8) /etc/suricata/enable.conf and (9) /etc/suricata/disable.conf to enable/disable rules; then run sudo suricata-update
ML Based Tools Vendors
1. NeuVector
2. StackRox
3. Threat Stack
4. Trend Micro
Acronyms
AIDE: Advanced Intrusion Detection Environment
C2: Command and Control
COOP: Continuity of Operations
CVEs: Common Vulnerabilities and Exposures
DR: Disaster Recovery
HIDS: Host Intrusion Detection System
IDS: Intrusion Detection System
IPS: Inline Intrusion Prevention System
LM-CIRT: Lockheed Martin Computer Incident Response Team
NIDS: Network Intrusion Detection System
NSM: Network Security Monitoring
NVD: National Vulnerability Database
PIDS: Physical Intrusion Detection System
US-CERT: United States Computer Emergency Readiness Team