Proactive Cyber Defense
This profile presents a real-life scenario to show how threats can be detected using my understanding of a network diagram. Each component's role is considered, and the challenge of identifying the endpoint detection software best suited to the given network architecture is addressed. The scenario makes educated assumptions in order to recommend the most suitable software for the specific network setup provided.
Table of Contents
1.0 Introduction
1.1 Assumptions
1.2 Detection of reconnaissance
2.0 Session Data collection
3.0 Snort VS Suricata
4.0 Incident Response
5.0 Advanced persistent threats (APTs)
6.0 Cost effectiveness
The Purpose and Context
7.0 References
—
1.0 Introduction
As a network security specialist, my responsibilities include carrying out specific tasks to identify and prioritise potential loopholes, applying my expertise to meet the project requirements effectively.
The following network diagram has been optimized to illustrate the most effective solution.
1.1 Assumptions:
- Active Directory is being utilised within the workplace.
- Detecting services running on subnets could require more specific Nmap options.
- Individual but separated VLANs should be present for guests within the premises.
- MFA is used in the server farm facilities instead of biometrics, as biometrics can be manipulated.
1.2 Detection of reconnaissance:
Potential intruders can obtain reconnaissance data by performing network and port scanning and enumeration (for example, version fingerprinting for web applications).
OSINT; Social Engineering:
They can use that data for malicious purposes: applying known exploits against vulnerable versions of the applications used on the target infrastructure, finding weaknesses (lack of authentication, Active Directory misconfiguration, lack of brute-force countermeasures, susceptibility to spear phishing and password attacks) and working to exploit them, and finding ways to stop security software from alerting the organisation to malicious activity (preventing EDR/SIEM solutions from reporting, etc.). Usernames and passwords can be recovered using methods such as OSINT (passive information gathering) to build a picture of the network topology used in the defence sector. A persistent malicious actor can then use these details to gain a foothold on the system. By employing various techniques, malicious actors can gather sensitive information, including usernames, emails, passwords and personal details about employees, including their occupations.
This information can be used to tailor social engineering techniques, leveraging individuals' backgrounds to obtain company information illicitly. Such information is found in employee databases, email servers, authentication servers (where authentication is misconfigured), file servers (by exploiting file-sharing vulnerabilities or over-broad privileges) and unencrypted internal traffic that results from lapses in security awareness training.
Moreover, by moving through the client's infrastructure with unrestricted access, insiders can map out the existing network and identify honeypots placed to divert the attention of malicious individuals or groups. They can also pinpoint valuable company assets, including prototype product designs, novel product ideas and allocated financial resources. Conversely, insiders can obscure their actions by identifying peak periods of network traffic and concealing their operations within them. Insiders could also devise ways to find unsecured endpoints, e.g. near the server farms labelled 4, 5 and 6 in 'Figure 1'. With this information they can work out which tools can be used against those endpoints to expose, exploit and read sensitive information.
When considering intruders deploying rogue devices to intercept network packets, 'node 9' emerges as a potential point for unauthorised attempts to access wireless networks. This poses a significant threat, enabling intruders to spy on employee devices and potentially engage in credential harvesting, data theft, packet alteration, identity theft and the planning of further targeted attacks. Preventing this involves regular audits of the network, implementing WPA3 and using TLS/SSL in the office.
The effectiveness of reconnaissance techniques depends on many factors, both the hardening of the network infrastructure and the awareness of the people involved in the system. VLANs, firewalls and intrusion detection systems can, for example, make network scanning less feasible, or even impossible.
Several types of data are suitable for collection. NetFlow or IPFIX data covers information such as ports and source/destination IP addresses; it can be monitored at the core routers depicted in 'Figure 1' (2, 7, 8) and at the initial gateway to observe data packets. This monitoring helps identify trends and patterns and detect data exfiltration attacks. In the first instance, it is crucial to collect authentication logs to understand when various users log in to access different resources; this can be tracked at points (4, 5, 10, 11–15). Secondly, application access and databases must be monitored through the server farm nodes so that activity logs are tracked effectively. Thirdly, EDR data is valuable when monitored at the client nodes (10, 11, 12–15) to ensure forensic accuracy and trace incidents on the machines referenced in 'Figure 1'. Forensic accuracy allows analysts to compare a new incident with earlier ones, understand how it operates, and apply similar methods to address newer techniques that bypass EDR.
The configuration of the tools below should focus on implementing a better method of determining whether appropriate security controls have been set up to detect problems and patterns and to identify flaws in policies. We suggest starting with a SIEM system for log data analysis, configured to aggregate data and to raise alerts on anomalies and irregular access patterns. Additionally, implement an IDS (Snort or Suricata) for heuristic or signature-based detection; Suricata, for instance, excels at identifying predefined patterns using ETOpen rules. Additional alerts can include persistent access denials, unexpected large-scale data transfers over the network and logins to the system at unusual times. Furthermore, an EDR tool (QRadar Insights) should be deployed to detect abnormal processes, unusual network connections and file activity. It is valuable for identifying suspicious behaviour, such as a disgruntled employee attempting to delete a design created by the design department because they were not credited for their work. The client may adopt IBM QRadar with QRadar Insights (EDR), proprietary monitoring platforms, to close potential security loopholes and prevent the public exposure of documentation that could be exploited to bypass the SIEM. 'Node 10', a workstation, can be monitored for repeated failed logins and execution of unwanted applications. QRadar can be set up as follows: attach and install QRadar collectors across the network at 'Nodes 2, 3 and 4', which can be treated as the main aggregation points; then deploy the 'QRadar Log Source Management' tool at the endpoints/workstations (10, 11) and server nodes (6, 12, 13) so that agents forward logs back to QRadar; finally, configure the network devices to send flow data to QRadar.
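As an added illustration of two of the alert conditions listed above (persistent access denials and logins at unusual times), the following Python script is example code written for this page; it is not part of the original report or of any QRadar or Suricata product. It runs two SIEM-style rules over a handful of constructed Linux auth.log lines. The office-hours window, the failure threshold, the year 2024 and the sample addresses are assumptions.

```python
"""Two SIEM-style detection rules run over constructed Linux auth.log lines.

Rule 1 (persistent access denials): a source address with at least
`threshold` failed logins inside a sliding time window.
Rule 2 (logins at unusual times): a successful login outside office hours.
The log lines, the 08:00-18:00 office window and the year 2024 (syslog
timestamps omit the year) are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the classic sshd / auth.log layout.
SAMPLE_AUTH_LOG = """\
Mar 11 02:14:01 fileserver sshd[2211]: Failed password for invalid user admin from 10.0.9.45 port 51234 ssh2
Mar 11 02:14:03 fileserver sshd[2211]: Failed password for invalid user admin from 10.0.9.45 port 51236 ssh2
Mar 11 02:14:05 fileserver sshd[2213]: Failed password for root from 10.0.9.45 port 51240 ssh2
Mar 11 02:14:07 fileserver sshd[2215]: Failed password for root from 10.0.9.45 port 51244 ssh2
Mar 11 02:14:09 fileserver sshd[2217]: Failed password for root from 10.0.9.45 port 51250 ssh2
Mar 11 02:16:30 fileserver sshd[2230]: Accepted password for jsmith from 10.0.9.45 port 51300 ssh2
Mar 11 09:05:12 fileserver sshd[2401]: Accepted publickey for alee from 10.0.10.21 port 40022 ssh2
Mar 11 13:42:55 fileserver sshd[2590]: Failed password for alee from 10.0.10.21 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text, year=2024):
    """Turn raw lines into event dicts with a real datetime (year assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are not login outcomes
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 1: sources with >= threshold failures inside any `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append({"rule": "failed_login_burst", "src": src,
                               "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per source is enough for triage
    return alerts


def off_hours_logins(events, office_hours=(8, 18)):
    """Rule 2: successful logins outside the assumed office window."""
    start_h, end_h = office_hours
    return [{"rule": "off_hours_login", "user": e["user"], "src": e["src"],
             "ts": e["ts"]}
            for e in events
            if e["result"] == "Accepted" and not start_h <= e["ts"].hour < end_h]


def run_rules(text):
    """Parse the log once and run both rules; returns the alert list."""
    events = parse_auth_log(text)
    return failed_login_bursts(events) + off_hours_logins(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample data the first rule fires once for 10.0.9.45 (five failures in eight seconds) and the second fires once for the 02:16 login by jsmith; the 13:42 single failure from 10.0.10.21 stays below the threshold, which is the kind of tuning a SIEM rule needs to avoid paging on ordinary typos.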
Hardware and software requirements play a crucial role in the design and implementation phases, especially when addressing the challenge of collecting valuable data from a high-volume network during peak times or busy hours within the defence and security sector. The methodology and strategy begin with network traffic analysis: identifying patterns, trends and behaviour using machine learning (ML) trained on historical data from busy hours. Challenges include filtering out less interesting information while still collecting the key information.
Secondly, continuous analysis of network conditions is conducted with Network Security Monitoring (NSM) tools such as Wireshark, Zeek, Security Onion, SELKS, or an AI-focused vendor; Darktrace, for example, uses autonomous AI-driven resources to detect and respond to threats. The defence sector could apply this analysis to the client infrastructure in 'Figure 1'. Thirdly, investing in further hardware can significantly increase processing power, since more powerful infrastructure can withstand the additional load at peak hours, and splitting the traffic load across a range of devices drastically reduces overloading of single areas of the network.
[950 words]
2.0 Session Data collection:
Preferred Data Collection: My Priorities: Alert data helps security operations teams detect and prevent threats at an early stage, because alerts are configured to trigger when abnormal events are detected, for example privilege escalation by a process that is not supposed to gain root privileges, or abnormal network traffic such as a high volume of DNS traffic. Alert data can be produced by detection rules or by anomaly detection (which relies on artificial intelligence).
Alert data is generated by an IDS such as Snort or Suricata when a threat is identified or matched against known file or threat signatures. This helps us detect whether an attempt or attack is occurring in real time. Alert data consists of information useful to the analyst: severity level, protocols involved (intercepted on the network), unusual activities encountered (interpreted per protocol), source/destination IP addresses, descriptions, alert timestamps and the matching IDS signatures. Traditional methods are not always effective at detecting threats because of the sophistication of modern malware: attackers exploit loopholes and use anti-virus evasion techniques, which involve circumventing the signature libraries stored by antivirus products, making detection challenging for conventional approaches. Alert data aids incident response by enabling threat detection and addressing emerging threats. Collected alert data indicates potential network compromise, helps us understand the affected systems and damage, and supports predicting risk severity, guiding urgent responses to emerging threats.
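To show what the alert fields listed above look like in practice, here is an added Python example, not from the original report, that parses Suricata's EVE JSON alert output and produces a triage summary. The records are constructed for this example and follow the EVE "alert" field layout (timestamp, src_ip, dest_ip, proto, and the nested alert object with signature, category and severity); the signature names and IDs are placeholders, not real rules.

```python
"""Triage of Suricata EVE JSON alert records (example code added to this
page). The records below are constructed and follow the field layout
Suricata writes for event_type "alert"; the signature IDs and names are
placeholders, not real rules. In EVE, alert.severity 1 is the highest.
"""
import json
from collections import Counter

SAMPLE_EVE = """\
{"timestamp":"2024-03-11T02:15:01.000000+0000","event_type":"alert","src_ip":"10.0.9.45","src_port":51234,"dest_ip":"10.0.12.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED Possible SSH scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-11T02:15:04.000000+0000","event_type":"alert","src_ip":"10.0.9.45","src_port":51240,"dest_ip":"10.0.12.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED Possible SSH scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-11T02:20:11.000000+0000","event_type":"flow","src_ip":"10.0.10.21","src_port":40022,"dest_ip":"10.0.12.5","dest_port":22,"proto":"TCP"}
{"timestamp":"2024-03-11T02:31:40.000000+0000","event_type":"alert","src_ip":"10.0.12.6","src_port":49152,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED Possible C2 beacon","category":"A Network Trojan was detected","severity":1}}
"""

SEVERITY_LABEL = {1: "high", 2: "medium", 3: "low"}


def parse_eve_alerts(text):
    """Keep only alert records; flow, dns, http and other types are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        alerts.append({
            "ts": rec["timestamp"], "src": rec["src_ip"], "dst": rec["dest_ip"],
            "dport": rec.get("dest_port"), "proto": rec["proto"],
            "sid": a["signature_id"], "signature": a["signature"],
            "category": a["category"],
            "severity": SEVERITY_LABEL.get(a["severity"], "unknown"),
        })
    return alerts


def summarise(alerts):
    """One row per (sid, src, dst) with a hit count, highest severity first."""
    key = lambda a: (a["sid"], a["src"], a["dst"])
    counts = Counter(key(a) for a in alerts)
    first_seen = {}
    for a in alerts:
        first_seen.setdefault(key(a), a)   # earliest record wins
    rows = [{**first_seen[k], "hits": n} for k, n in counts.items()]
    order = {"high": 0, "medium": 1, "low": 2, "unknown": 3}
    rows.sort(key=lambda r: (order[r["severity"]], -r["hits"], r["ts"]))
    return rows


def triage(text):
    """Parse an EVE file's text and return the ranked summary rows."""
    return summarise(parse_eve_alerts(text))


if __name__ == "__main__":
    for row in triage(SAMPLE_EVE):
        print(f'{row["severity"]:6} x{row["hits"]} {row["src"]} -> '
              f'{row["dst"]}:{row["dport"]} {row["signature"]}')
```

Collapsing repeated hits of the same signature between the same pair of hosts is what keeps an analyst's queue readable when a scanner trips the same rule hundreds of times; the severity ordering puts the single high-severity outbound alert above the noisy medium ones.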
Collection role in understanding Potential Intrusions:
When traffic behaves abnormally, detection accelerates as the IDS separates patterns and matches signatures to known attacks. Incident responders or SIEM engineers can collect this information to determine whether the anomaly is a false positive or whether immediate action is required to report the threat, find mitigations and quarantine the problem.
Session Data: Session data refers to records of the interactions between network devices and entities.
When specific information is collected and analysed between network entities, it is useful because a visualisation of the communications can be generated to better understand and detect suspicious activity. At the firewall we can collect source and destination IP logs, database sessions, DNS queries, DHCP session logs, protocols, and session duration/length. This happens in real time, where information must be read between two devices such as the router and the switch. Session data provides valuable user information, including session duration, amount of data transferred, start/end timestamps, protocols used and IP addresses. It is a preferable alternative to full packet capture because of its time efficiency, practicality, ease of analysis and lower storage requirements. Collecting session data enables in-depth analysis of real-time alerts, aiding pattern identification and trend analysis to detect new attacks.
Understanding Intrusions through Session Data:
Session data reveals unusual data transfers, unapproved communications and anomalies not evident in alert data. For instance, it exposes intruders establishing C2 channels, such as from Nodes 5 and 6, communicating with servers or workstations. It aids the analysis of slower or covert attacks, improving security analysts' responsiveness. Strategic monitoring locations include the entry/exit points marked as 2 and 3 in 'Figure 1', as these nodes connect to the servers.
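The two uses of flow and session data described in this report, spotting large outbound transfers at the core routers (section 1.2) and exposing C2 channels from session records (above), are illustrated by the following added Python example, which is not part of the original report or of Zeek. It works on constructed session records in a Zeek conn.log-like layout; the internal address range, the per-host byte baseline and the jitter threshold are assumptions.

```python
"""Session (flow) record analysis: example code added to this page, not the
report's own tooling or part of Zeek. The records are constructed in a
Zeek conn.log-like layout: start time (epoch seconds), source host,
destination host, destination port, protocol, duration, bytes sent,
bytes received.

Check 1 (exfiltration): an internal host sending more bytes to external
destinations than an assumed per-host baseline.
Check 2 (beaconing): repeated sessions from one host to one external
destination at near-constant intervals, measured as the coefficient of
variation of the gaps between sessions.
The internal range, baseline and jitter threshold are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

SAMPLE_SESSIONS = """\
ts,src,dst,dport,proto,duration,orig_bytes,resp_bytes
1710122400,10.0.12.6,198.51.100.7,443,tcp,0.4,612,1480
1710122460,10.0.12.6,198.51.100.7,443,tcp,0.3,598,1490
1710122521,10.0.12.6,198.51.100.7,443,tcp,0.5,605,1475
1710122580,10.0.12.6,198.51.100.7,443,tcp,0.4,611,1488
1710122641,10.0.12.6,198.51.100.7,443,tcp,0.3,600,1470
1710122700,10.0.12.6,198.51.100.7,443,tcp,0.4,609,1481
1710122437,10.0.10.21,10.0.12.5,445,tcp,88.0,240000,9000
1710123000,10.0.10.21,203.0.113.9,443,tcp,120.0,52000000,3000
1710123100,10.0.10.33,203.0.113.50,443,tcp,1.2,4200,25000
1710123800,10.0.10.33,203.0.113.51,80,tcp,0.8,900,30000
"""


def parse_sessions(text):
    """CSV with a header row -> list of dicts with numeric fields converted."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["ts"] = float(rec["ts"])
        rec["dport"] = int(rec["dport"])
        rec["duration"] = float(rec["duration"])
        rec["orig_bytes"] = int(rec["orig_bytes"])
        rec["resp_bytes"] = int(rec["resp_bytes"])
        rows.append(rec)
    return rows


def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL


def exfiltration_candidates(sessions, baseline_bytes=10_000_000):
    """Internal hosts whose outbound bytes to external hosts exceed baseline."""
    outbound = defaultdict(int)
    for s in sessions:
        if not is_external(s["src"]) and is_external(s["dst"]):
            outbound[s["src"]] += s["orig_bytes"]
    return {host: b for host, b in outbound.items() if b > baseline_bytes}


def beaconing_candidates(sessions, min_sessions=5, max_jitter=0.2):
    """(src, dst) pairs whose inter-session gaps are nearly constant."""
    pairs = defaultdict(list)
    for s in sessions:
        if is_external(s["dst"]):
            pairs[(s["src"], s["dst"])].append(s["ts"])
    found = []
    for (src, dst), times in pairs.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation: automated beacons are regular, people are not
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            found.append({"src": src, "dst": dst, "sessions": len(times),
                          "mean_gap_s": round(mean, 1), "jitter": round(jitter, 3)})
    return found


def analyse(text):
    """Run both checks over one session file."""
    sessions = parse_sessions(text)
    return exfiltration_candidates(sessions), beaconing_candidates(sessions)


if __name__ == "__main__":
    exfil, beacons = analyse(SAMPLE_SESSIONS)
    print("exfiltration candidates:", exfil)
    print("beaconing candidates:", beacons)
```

Neither check needs packet payloads, which is the practical argument the section makes for session data over full capture: byte counts per direction and start timestamps are enough to surface the 52 MB upload from 10.0.10.21 and the 60-second heartbeat from 10.0.12.6, while the large internal SMB transfer is ignored because both ends are inside the assumed range.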
Strategic points for data collection include the server firewall, which is crucial for capturing and detecting threats in traffic packets. Additionally, the server farm(s) are key locations for monitoring user behaviour and logins through their extensive interactions with applications (activity logs). Noteworthy tools include: vulnerability scanners, behavioural monitoring, EDR/XDR, SIEM and SOAR, along with the server firewall and farm(s).
3.0 Snort VS Suricata:
Snort, a NIDS tool, is highly customisable in terms of its software configuration. Snort is also quite 'adaptive', as it allows the conversion of files to Excel across multiple environments and operating systems (DeVito, 2023). Key considerations in software support revolve around corporate backing. Snort, backed by industry giant Cisco Systems, enjoys robust corporate support, so dedicated teams can spend their time improving Snort. In contrast, Suricata relies on contributions from the open-source community without direct corporate backing.
Notably, despite lacking corporate support, Suricata demonstrates superior multi-threading capabilities, as indicated by performance evaluations and reviews. This makes it more suitable for the large-scale networks and high speeds dealt with in larger organisations. Suricata has strong logging capabilities for file extraction and even analysis, which allow it to log files carried over HTTP, FTP and SMTP streams and help in reviewing matched files. Suricata is also known for broader protocol support, which enables detection of anomalies at the application layer across larger areas of the network, compared to Snort, which handles fewer protocols. Also, Snort requires lengthy documentation and manual configuration to set up, whereas Suricata is intuitive and straightforward to set up.
Furthermore, Suricata is specifically designed to optimise the processing of ET rulesets. A drawback is that it falls short of handling all Talos rules efficiently. This limitation positions Snort as the preferred choice for users intending to use both the Talos and ET rulesets, giving Snort a distinct advantage. To assess both solutions, I monitored their practical performance using Security Onion. The measurable results indicated their effectiveness, as demonstrated by the detection of a Hail Mary attack on the Ubuntu server. The environment was configured and alerting performance was systematically observed, revealing a significant number of alerts successfully identified using Snort.
Similarly, another lab was conducted on Suricata, but the tool's shared object rules were disabled. The difference between the two results lies in the number of alerts collected: Security Onion recorded 1921 alerts when using Snort as the IDS, compared with 1821 alerts with Suricata as the IDS. Research indicates that the benefits and drawbacks relate to Snort's single-threaded architecture, which can limit its performance on multi-core systems, and bottlenecks may occur in high-traffic setups. In contrast, Suricata was designed with a multi-threaded architecture, enabling improved performance with multiple cores in high-traffic environments. Because of this, rule processing is improved in comparison with Snort's architecture, and Suricata may also make better use of resources than Snort.
Additionally, Suricata employs hardware acceleration through GPUs, particularly for use cases involving pattern-matching acceleration, whereas Snort does not use such hardware acceleration. Although Suricata is an IDS solution with far higher capabilities than Snort, the latter may benefit from a larger community and more funding, making it well known and popular; however, that does not reflect its performance as a solution when compared with the multi-threaded architecture that Suricata brings, which allows Suricata to outperform Snort in high-traffic environments. Such high-traffic environments would be expected for the innovation team ('R&D') in 'Figure 1'.
[500 Words]
4.0 Incident Response:
Treat suspicious events as evidence. As DFIR investigators, deploy network and host IOC detection, using tools like Suricata for IDS/IPS, and use SIEMs such as IBM QRadar to capture alerts. Create forensic images to preserve log data, anticipate issues and ensure data integrity, preventing accidental modification or third-party manipulation.
The data I will collect includes log files of all activity on servers, applications and network devices during the incident. Secondly, network flow should be captured to determine whether any suspicious packets, such as malware, infiltrated the network. We can collect configuration files to understand vulnerabilities that can affect the systems in 'Figure 1'. Next, collecting email headers, bodies and content may prove beneficial, as malicious actors use social engineering techniques such as spear-phishing attacks or compromised emails (Gurkok, 2014). Activity logs and privilege records should also be collected to detect whether a user has escalated through different networking devices by mapping out the network topology. Data on user logins and accessed files can be gathered from 'node 6', as it houses the database.
Responding to Suspicious Off-Hours Engagement: Collecting Essential Data (File Server Audit Logs):
Access logs: via the 'file server' connected to 'gate 11'; these record user information, e.g. the exact user who accessed a file, the timestamp, and when it was last opened/accessed.
Network logs: examining 'gateway 6' may indicate that information is being transferred from the workstations to the database server.
Workstation logs: access logs including USB usage data, applications last accessed, user login/logout timestamps and commands run on the device.
With the information above we can derive evidence in a systematic and forensically sound manner: first, by capturing physical data usage, i.e. the timestamps of when an external flash drive was attached to the workstation (from the logs) and any sensitive files that were copied or modified, for example in the 'Engineering', 'Finance' or 'R&D' departments, by an intruder with financial motives; secondly, by deriving evidence of unauthorised access at odd hours, which gives scope to intercept the network; and thirdly, by deriving evidence of data exfiltration from unusual file transfers.
Advice: Additional Data Collection:
With IBM QRadar it is easier to collect endpoint data by configuring the sensors to capture all commands executed and to view established network connections and executed processes.
Regarding file servers, monitoring file integrity may help prevent malicious users from accessing or sabotaging file contents and modifying documents or applications.
Similarly, monitoring and collecting the database logs may help capture unauthorised attempts to query or search for specific information or to manipulate data.
Finally, capture all session data on gateways '6', '11' and '15', while extending the retention period to collect useful session details for deeper analysis. Any information requiring timestamps should be documented forensically, retaining its original metadata and consistently preserving the initial file hashes. The effective use of write-blockers can minimise the potential for human error and malpractice, ensuring the preservation of all essential information and maintaining the integrity of the chain of custody. Documentation should follow a methodical and precise approach, encompassing logs from the various network devices and physical hardware devices, rendering the document court-ready.
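The hash-preservation step above can be made repeatable with a small script. The following Python example is added here and is not the report's own procedure or any forensic suite's code; it records each item's size, SHA-256 and original filesystem timestamps in a manifest, hashes the manifest itself for the custody log, and can later re-verify the items. It assumes the evidence files already sit on write-blocked or read-only media; it does not replace a write-blocker.

```python
"""Evidence manifest with hashes and original timestamps: example code added
to this page, not the report's procedure or any forensic suite's code. It
reads each item once, read-only, records size, SHA-256 and the original
filesystem timestamps, hashes the manifest itself for the custody log, and
can re-verify the items later. It assumes the items already sit on
write-blocked or read-only media; it does not replace a write-blocker.
"""
import hashlib
import json
import os
import sys
from datetime import datetime, timezone


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:   # read-only; evidence is never opened for writing
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def evidence_record(path, collector, note=""):
    """One manifest entry; stat() is taken before hashing so the original
    access time is captured even if the filesystem updates it on read."""
    st = os.stat(path)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mtime_utc": _iso(st.st_mtime),
        "atime_utc": _iso(st.st_atime),
        "ctime_utc": _iso(st.st_ctime),
        "sha256": sha256_file(path),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
    }


def build_manifest(paths, collector):
    return {"items": [evidence_record(p, collector) for p in paths]}


def write_manifest(manifest, out_path):
    """Write the manifest and return its own SHA-256 for the custody log."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with open(out_path, "wb") as f:
        f.write(data)
    return sha256_bytes(data)


def verify_manifest(manifest, current_hashes):
    """current_hashes: {path: sha256 computed now}. Returns (path, problem)
    pairs for items that are missing or whose hash no longer matches."""
    problems = []
    for item in manifest["items"]:
        now = current_hashes.get(item["path"])
        if now is None:
            problems.append((item["path"], "missing"))
        elif now.lower() != item["sha256"]:
            problems.append((item["path"], "hash mismatch"))
    return problems


if __name__ == "__main__":
    # usage: python evidence_manifest.py <collector name> <file> [<file> ...]
    manifest = build_manifest(sys.argv[2:], collector=sys.argv[1])
    print("manifest sha256:", write_manifest(manifest, "manifest.json"))
```

Recording the manifest's own hash in the handwritten custody log is what ties the paper trail to the files: anyone handed the evidence later can recompute the item hashes, run verify_manifest, and show that nothing changed between collection and court.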
5.0 Advanced persistent threats (APTs):
To check that the system is working as intended:
- Execute an attack that uses a technique from https://attack.mitre.org/matrices/enterprise/ (can be a Metasploit module for example).
- Penetration testing and red team activities should take place to identify system vulnerabilities and to test the team's ability to detect and respond to them effectively.
- Ensure that an alert gets triggered.
Testers should understand how exploits work, ideally having a background in computer science with knowledge of computer networks, offensive and/or defensive security, and programming. Qualifications do not always determine excellence in understanding; however, they can indicate a grasp of clear definitions. Therefore, uncommon but practical certifications in malware, such as Mosse (MRE), CREA or GREM, can be valuable. These certifications help individuals understand and specialise in reverse engineering, as well as how malware is created, deployed and analysed. Qualifications do not help in every circumstance; however, they do show a deep interest and add value towards a better-fitting career.
Understanding static malware analysis can benefit defensive security by helping individuals understand how to detect malware running through backdoors on a computer system. A tester can use 'attack trees' with software such as AttackTree++ (Automotive), SecuriCAD, IriusRisk and ADTool to prepare for predicting real-world threats, response-based and 'what if' scenarios.
For Advanced Persistent Threats (APTs), pertinent data sources include Windows event logs and Linux audit logs, which capture information such as server logins or login attempts, as well as attempts to tamper with event logs. Additionally, significant insights can be derived from application logs and filesystem data, including temporary files, with a focus on HTTP server logs, SSH and FTP login attempts, files generated in the temp folder and process crash logs. Network traffic and remote servers play a critical role, requiring examination of remote servers and associated ports, along with scrutiny of protocols and domain names. Monitoring API calls, facilitated by tools like Sysmon, is crucial, particularly for identifying calls to undocumented APIs aimed at evading detection and calls to low-level functions that exploit kernel vulnerabilities and facilitate privilege escalation.
For example (behaviour), 'APT39':
- has used DNS and HTTP to communicate with C2 servers; monitoring network traffic can raise suspicion (Mitre Att&ck, n.d.).
- has used ncrack to brute-force network credentials; the Windows event logs will be useful for detecting that.
- has used AutoIt and PowerShell to execute malicious code; event logs and API monitoring can be useful to detect it.
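As an added example, not from the original report or from the MITRE ATT&CK entry, the Python below shows how two of the APT39 behaviours listed above could be surfaced from endpoint telemetry: script-host execution (PowerShell with an encoded command or hidden window, or AutoIt launched from an Office application) from Sysmon Event ID 1 process-creation records, and a DNS channel from Sysmon Event ID 22 DNS-query records (many unique subdomains of one domain from a single host). The field names follow the Sysmon schemas; the records, hostnames, users, the 'sample-c2.invalid' domain and the thresholds are constructed for this example.

```python
"""Two detections for the APT39-style behaviours listed above, written as
example code for this page (not the report's or MITRE's). Records are
constructed and follow Sysmon's Event ID 1 (process creation) and Event
ID 22 (DNS query) field names; hosts, users, the 'sample-c2.invalid'
domain and the thresholds are assumptions.
"""
import base64
import re
from collections import defaultdict

# A harmless encoded command so the decoder has something real to decode.
_ENC = base64.b64encode("Write-Output test".encode("utf-16le")).decode()

PROCESS_EVENTS = [  # constructed Sysmon Event ID 1 records
    {"EventID": 1, "UtcTime": "2024-03-11 02:20:05", "Host": "WS10", "User": "CORP\\jsmith",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENC,
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-03-11 02:22:40", "Host": "WS10", "User": "CORP\\jsmith",
     "Image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\AutoIt3.exe",
     "CommandLine": "AutoIt3.exe update.au3",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"EventID": 1, "UtcTime": "2024-03-11 09:01:12", "Host": "WS11", "User": "CORP\\alee",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

DNS_EVENTS = (  # constructed Sysmon Event ID 22 records
    [{"EventID": 22, "UtcTime": f"2024-03-11 02:{25 + i // 60:02d}:{i % 60:02d}", "Host": "WS10",
      "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "QueryName": f"{i:08x}.data.sample-c2.invalid"} for i in range(40)]
    + [{"EventID": 22, "UtcTime": f"2024-03-11 09:0{i}:00", "Host": "WS11",
        "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "QueryName": "www.example.com"} for i in range(5)]
)

ENCODED_ARG_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; return the
    text for the analyst, or None when no encoded argument is present."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def suspicious_process_events(events):
    """Flag script-host launches that an EDR or SIEM rule would escalate."""
    findings = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        image = e["Image"].lower()
        parent = e.get("ParentImage", "").lower()
        cmd = e.get("CommandLine", "")
        base = {"host": e["Host"], "user": e["User"], "time": e["UtcTime"], "decoded": None}
        if image.endswith("powershell.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded is not None or HIDDEN_WINDOW_RE.search(cmd):
                findings.append({**base, "decoded": decoded,
                                 "reason": "powershell with encoded command or hidden window"})
        elif "autoit3" in image:
            reason = "AutoIt interpreter launched"
            if parent.endswith(OFFICE_PARENTS):
                reason += " by an Office application"
            findings.append({**base, "reason": reason})
    return findings


def dns_channel_candidates(events, min_unique=25):
    """Hosts that resolve many distinct subdomains of one registered domain,
    the shape a DNS-based C2 or exfiltration channel leaves in query logs."""
    seen = defaultdict(set)
    for e in events:
        if e.get("EventID") != 22:
            continue
        labels = e["QueryName"].lower().rstrip(".").split(".")
        domain = ".".join(labels[-2:])          # crude registered-domain cut
        seen[(e["Host"], domain)].add(e["QueryName"].lower())
    return [{"host": h, "domain": d, "unique_names": len(names)}
            for (h, d), names in seen.items() if len(names) >= min_unique]


if __name__ == "__main__":
    for finding in suspicious_process_events(PROCESS_EVENTS):
        print(finding)
    print(dns_channel_candidates(DNS_EVENTS))
```

Decoding the encoded argument matters for triage: the analyst sees the actual script text rather than a base64 blob, and a benign line such as the one constructed here can be closed quickly. The DNS check is deliberately coarse (two-label domain cut, a fixed unique-name threshold); a production rule would use a public-suffix list and a per-host baseline, but the signal it looks for, one host resolving dozens of never-repeated names under a single domain, is the one the network-traffic monitoring mentioned above is meant to catch.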
[406 words]
6.0 Cost effectiveness In Summary: Research, Findings, and Recommendations.
The SIEM tool that the client should adopt is IBM QRadar with QRadar Insights (EDR), collecting at the endpoints represented in 'Figure 1'. In addition, hardware replacement, upgrades or updates to 'Figure 1' may be required because of faults. The software therefore does justice to preventing threats against the client's organisation. Alongside this, recommendation 3, Suricata as the IDS, performs very well in high-traffic environments. Furthermore, my recommendation 5 is that, to enhance preparedness against actual threats to the company, employees should undergo training in ADTool and simulated environments, engaging with various what-if scenarios. Additionally, funding paid training certifications for employees can help identify weaknesses that they can then strengthen. This approach is crucial for better equipping them to protect the company's intellectual property effectively. While the cost of certifications may be a slight burden on the organisation, it is a worthwhile investment in cultivating skilled engineers who can secure the implemented systems that store sensitive information.
The human cost element involves configuring tools and maintaining continuous monitoring, guided by tailored training so that the organisation can handle real-time incidents efficiently. This proactive approach aims to prevent downtime or data loss, ensuring the client sees a return on investment and can boost product sales during office hours.
IBM QRadar's scalability is tied to changes in company size, influenced by factors such as EPS, data volume and network size. Growing employee numbers may raise costs, and downsizing could lead to significant reductions. Initial setup expenses are 'high up to approx: £8000' (Midland Information Systems, n.d.), but opting for freelance or contract services can mitigate them. The human costs, as seen in Figure 1, are justified by the sector's ability to afford IBM, and QRadar's maintenance costs are justifiable for asset protection.
A trade-off arises when implementing specific configurations, such as Multi-Factor Authentication (MFA), which might introduce minor operational delays. Nevertheless, these security controls are essential for meeting compliance requirements and further enhance the protection of intellectual property.
[295 words]
The next section outlines the task, emphasising the importance of implementing and understanding network architectures for proactive cyber defence. It provides a concise, step-by-step guide on deploying various software solutions to enhance a company’s cyber defensive operations.
The Purpose and Context
The task was designed to assess research and analytical abilities in the context of network security. Students are expected to answer all questions in the given order within a single report. The work at hand consists of multiple questions related to network security evaluation and monitoring solutions for a client network.
Questions Breakdown
- Detecting Reconnaissance (1000 words):
  - Evaluate the level of exposure to insider attacks, particularly focusing on network reconnaissance activity.
  - Explain how intruders can collect and use reconnaissance data.
  - Describe the data to be collected and at which nodes on the network.
  - Suggest tools for detecting reconnaissance activity and provide configuration recommendations.
  - Discuss strategies to overcome challenges related to high-volume network traffic.
- Session Data Collection (500 words):
  - Discuss alert data and session data, justifying their collection.
  - Identify three strategic locations for collecting session data and justify the choices.
  - Describe the tools and configurations for data collection.
- Snort or Suricata? (500 words):
  - Advise on the choice between Snort and Suricata for packet filtering.
  - Discuss the features of Suricata and why Snort is a popular choice.
  - Facilitate a clear decision for the network administrator.
- Incident Response (600 words):
  - Provide advice on data relevance and evidence collection for a detected incident.
  - Suggest additional data collection measures for incident response.
  - Ensure the approach is forensically sound for court use.
- Advanced Persistent Threats (APTs) (500 words):
  - Recommend testing methods to determine the effectiveness of the monitoring system.
  - Discuss concerns regarding tester qualifications.
  - Describe mechanisms to address APT threats and how the monitoring deployment could detect or prevent them.
- Cost Effectiveness (300 words):
  - Justify the costs related to equipment, human resources, and inconvenience.
  - Describe the benefits received from the investments made in the context of the recommendations provided in previous questions.
Special Instructions
- Ensure proper spelling, grammar, and presentation.
- References should follow the Harvard referencing system and be included at the end of the report.
- Figures and tables must be properly labelled and captioned.
- The narrative should be coherent and arguments presented convincingly.
Learning Outcomes
- Critically synthesize and apply knowledge of different domains in information security.
- Provide an in-depth and systematic understanding of methodologies to deny, disrupt, destroy, and manipulate adversarial actors’ capabilities.
By completing this task, security operation learners will demonstrate their ability to research, analyze, and provide technical recommendations for network security challenges, addressing both technical and legal aspects.
7.0 References
DeVito, A., 2023. Suricata vs Snort: A Comprehensive Comparison and Review. s.l.: StationX.
Gurkok, C., 2014. Cyber Forensics and Incident Response. s.l.: Verizon.
Midland Information Systems, I., n.d. Getting a Quote is Easy. [Online] Available at: https://www.midlandinfosys.com/component/tags/tag/component/tags/tag/qradarpricing
Mitre Att&ck, n.d. Enterprise Matrix. [Online] Available at: https://attack.mitre.org/matrices/enterprise/