Vicky's Page
Section 6.1 Security Monitoring

As you study this section, answer the following questions:

  • What are some signs of a network intrusion?
  • Which methods can an attacker use to avoid intrusion detection systems?
  • What is the difference between heuristic and trend analysis types?

In this section, you will learn to:

  • Evade IDS
  • Implement intrusion detection prevention with pfSense
  • Configure a perimeter firewall
  • Perform a decoy scan

The key terms for this section include:

Term and definition:

  • Security monitoring - The process of configuring an automated system, such as security information and event management (SIEM), to actively analyze network and endpoint device data and send an alert if suspicious activity is found.
  • Signature detection - A method used by automated systems to recognize threats.
  • Heuristic analysis - Also referred to as statistical anomaly-based analysis, it determines the baseline of regular known-good behavior for networks, applications, and endpoint devices. It triggers an alert when any activity falls outside the baseline. It can receive and process data from different sources to discover real-world threats and learn how to recognize and defeat them. It requires little human interaction.
  • Trend analysis - A method that involves analyzing data over a period of time to establish patterns to make predictions about future events. Network security teams can analyze logs and data to find events that are connected and possibly indicate that an attack is coming. It looks at frequency, volume, and statistical deviations.

This section helps you prepare for the following certification exam objectives:

CompTIA CySA+ CS0-003

1.2 Given a scenario, analyze indicators of potentially malicious activity

  • Network-related
  • Other
    • Obfuscated links

1.4 Compare and contrast threat-intelligence and threat-hunting concepts

  • Threat intelligence sharing
    • Detection and monitoring

2.1 Given a scenario, implement vulnerability scanning methods and concepts

  • Special considerations
    • Segmentation

2.2 Given a scenario, analyze output from vulnerability assessment tools

  • Tools
    • Network scanning and mapping
    • Multipurpose
      • Nmap

3.2 Given a scenario, perform incident response activities

  • Detection and analysis

4.1 Explain the importance of vulnerability management reporting and communication

  • Metrics and key performance indicators (KPIs)
    • Trends

TestOut CyberDefense Pro

1.3 Implement Logging

  • Manage and perform analysis using security information and event management (SIEM) tools

2.2 Detect threats using analytics and intelligence

  • Use an Intrusion Detection System (IDS)
  • Use endpoint protection tools

3.2 Implement system hardening

  • Check service configuration

6.1.1 Security Monitoring


Security Monitoring 00:00-00:24 To secure a network, you need to have systems in place to detect attempts to gain unauthorized access. Monitoring systems can help you track and identify suspicious or malicious activity.

In this lesson, we'll go over security monitoring, different threat classifications, and steps that you can take to improve your network security.

Security Monitoring 00:24-02:50 To protect your networks, you usually implement multiple automated devices, such as IDSs and IPSs, as well as firewalls. You can also implement SIEM or SOAR systems to help collect and analyze data. Even with these systems in place, it's still up to the network security team to find and determine credible threats.

You have the option of using automated systems, such as a Security Information and Event Management system, or SIEM system. They can use different methods to actively analyze network and endpoint device data and send alerts for suspicious activity.

The most basic method is signature detection, but modern devices can analyze data to recognize threats. Two common analysis methods are heuristic analysis and trend analysis.

Heuristic analysis is sometimes referred to as statistical anomaly-based detection. With this type of detection, the monitoring system determines a baseline of regular known-good behavior for the network, applications, and endpoint devices. If any activity falls outside of this defined norm, an alert is generated.

Advanced detection systems use machine learning to improve heuristic detection over time. They do this by receiving and processing data from different sources, including honeypots, which discover real-world threats and help you learn how to recognize and defeat them. The best part is that this can all be done with little or no human interaction.

Trend analysis involves looking at data over a period of time and using patterns to make predictions about future events. For example, network security teams can analyze logs and data to find events that are connected and could indicate an attack. Trend analysis monitors three areas.

The first is frequency. A change in the frequency of specific events can indicate different things. For example, an increase in failed login attempts could signify a password attack. Next, we have volume. An increase in the volume of events, such as network traffic or logs created, can also mean there's an issue that needs to be investigated. The last is statistical deviation. Statistical deviations are usually more difficult to spot. But when you can identify them, they'll help you understand the meaning of even very small changes on your network.

Security analysts need to know what's open on their networks and find out how and when hackers are trying to penetrate their systems. Security monitoring helps to ensure that analysts have the most accurate data, which they can use to detect suspicious activity.

Summary 02:50-03:09 That's it for this lesson. In this video, we discussed how to monitor your network and systems to ensure they remain secure. First, we talked about different methods security tools use to analyze network traffic and system behavior to determine if there's a credible threat.

6.1.2 Security Monitoring Facts

Automated devices such as firewalls, IDSs, and IPSs can be implemented to help protect the network. Even though these devices perform different tasks, there are common features.

This lesson covers the following topic:

  • Security monitoring

Security Monitoring

You can configure an automated system, such as security information and event management (SIEM), to use different methods to analyze network and endpoint device data actively. You can also configure these systems to send an alert if suspicious activity is found.

The most basic method these devices use is signature detection, but newer, more sophisticated devices can analyze the data to recognize threats. Two common analysis methods are heuristic analysis and trend analysis. The following table describes these two methods:

Analysis method and description:

Heuristic analysis:
  • Is also referred to as statistical anomaly-based analysis.
  • Determines a baseline of regular known-good behavior for the network, applications, and endpoint devices.
  • Triggers an alert when any activity falls outside the baseline.
  • Can receive and process data from different sources to discover real-world threats and learn how to recognize and defeat them.
  • Requires little human interaction.

Trend analysis involves analyzing data over a period of time to establish patterns to make predictions about future events. Network security teams can analyze logs and data to find events that are connected and possibly indicate that an attack is coming. Trend analysis looks at the following three main areas:
  • Frequency - A change in the frequency of specific events can indicate that something is wrong. For example, an increase in failed login attempts could signify an attacker is attempting to crack the password.
  • Volume - An increase in the volume of events can include increased network traffic or the number of logs being generated. This can signify an attack.
  • Statistical deviations - These are small changes in the system over a period of time. These deviations can be more difficult to spot, but when noticed, they can lead the security team to investigate further.
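The trend analysis described above, carried into working code as an added example (this is not TestOut's or the course's code): it parses constructed sshd-style log lines, buckets them per hour, treats the earlier hours as the baseline, and reports the three areas the facts name for the latest hour: frequency (failed logins), volume (all log lines), and statistical deviation (a z-score against the baseline hours). The log lines, host addresses, user names, and the z-score threshold of 3 are assumptions made for the illustration.

```python
"""Trend analysis over authentication log lines (added example, not TestOut's code).

Buckets events per hour, uses all but the latest hour as the baseline, and reports
frequency (failed logins), volume (total lines), and statistical deviation (z-score).
"""
from collections import defaultdict
import re
import statistics

# Constructed sample log: syslog-like shape, made-up hosts and users.
SAMPLE_LOG = """\
2024-05-01T08:05:10 sshd[201]: Accepted password for alice from 10.0.0.5
2024-05-01T08:17:44 sshd[202]: Failed password for bob from 10.0.0.9
2024-05-01T08:50:02 sshd[203]: Accepted password for carol from 10.0.0.7
2024-05-01T09:02:31 sshd[204]: Failed password for dave from 10.0.0.12
2024-05-01T09:15:09 sshd[205]: Accepted password for alice from 10.0.0.5
2024-05-01T09:33:58 sshd[206]: Failed password for bob from 10.0.0.9
2024-05-01T09:41:20 sshd[207]: Accepted password for erin from 10.0.0.8
2024-05-01T10:08:12 sshd[208]: Accepted password for bob from 10.0.0.9
2024-05-01T10:22:47 sshd[209]: Failed password for carol from 10.0.0.7
2024-05-01T10:59:03 sshd[210]: Accepted password for dave from 10.0.0.12
2024-05-01T11:04:16 sshd[211]: Failed password for erin from 10.0.0.8
2024-05-01T11:28:39 sshd[212]: Accepted password for alice from 10.0.0.5
2024-05-01T11:36:55 sshd[213]: Failed password for alice from 10.0.0.5
2024-05-01T11:52:10 sshd[214]: Accepted password for carol from 10.0.0.7
2024-05-01T12:00:05 sshd[215]: Failed password for root from 203.0.113.44
2024-05-01T12:00:07 sshd[216]: Failed password for root from 203.0.113.44
2024-05-01T12:00:09 sshd[217]: Failed password for admin from 203.0.113.44
2024-05-01T12:00:11 sshd[218]: Failed password for admin from 203.0.113.44
2024-05-01T12:00:13 sshd[219]: Failed password for alice from 203.0.113.44
2024-05-01T12:00:15 sshd[220]: Failed password for bob from 203.0.113.44
2024-05-01T12:31:42 sshd[221]: Accepted password for alice from 10.0.0.5
"""

# Captures the hour bucket (date plus hour) and the message after the process tag.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} \S+: (?P<msg>.*)$"
)


def parse_hourly_counts(log_text):
    """Return {hour: {"failed": n, "total": n}} built from raw log text."""
    counts = defaultdict(lambda: {"failed": 0, "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected shape
        bucket = counts[m.group("hour")]
        bucket["total"] += 1
        if m.group("msg").startswith("Failed password"):
            bucket["failed"] += 1
    return dict(counts)


def z_score(value, history):
    """How many baseline standard deviations `value` sits from the baseline mean."""
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history)
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def trend_report(log_text, z_threshold=3.0):
    """Compare the latest hour with the earlier hours; list what crosses the threshold."""
    counts = parse_hourly_counts(log_text)
    hours = sorted(counts)
    if len(hours) < 3:
        raise ValueError("need at least two baseline hours plus the current hour")
    current, baseline = hours[-1], hours[:-1]
    failed_hist = [counts[h]["failed"] for h in baseline]
    total_hist = [counts[h]["total"] for h in baseline]
    report = {
        "hour": current,
        "failed": counts[current]["failed"],
        "total": counts[current]["total"],
        "frequency_z": z_score(counts[current]["failed"], failed_hist),
        "volume_z": z_score(counts[current]["total"], total_hist),
        "alerts": [],
    }
    if report["frequency_z"] > z_threshold:
        report["alerts"].append("frequency")  # failed logins spiked: possible password attack
    if report["volume_z"] > z_threshold:
        report["alerts"].append("volume")     # more log lines than usual: investigate
    return report


if __name__ == "__main__":
    for key, value in trend_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the 12:00 hour scores a z of 9.0 for failed logins and 7.0 for overall volume, so both the frequency and the volume alerts fire. A production SIEM would keep a far longer baseline and re-baseline as workloads change; that re-learning window is also where the baseline can be nudged, which is why the threshold and the baseline length are choices to make deliberately rather than defaults.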

6.1.3 Segmentation


Segmentation 00:00-01:01 In this lesson, I'm going to talk about segmentation. Segmentation is a method used to secure network hardware. Essentially, segmentation creates islands within your network. The idea behind properly segmenting your network is that if a system were compromised, the damage would be limited to that network segment. Network segmentation also makes it easier for you to identify suspicious network traffic, since the network traffic is broken into manageable chunks.

For example, if your network has static systems, such as IoT devices, you probably want to have them on their own network segment. This minimizes the damage they can cause to a single network segment and makes identifying issues with them much easier. You also probably need to segment the wireless network from the wired network, as wireless networks are inherently less secure. Segmenting workstations from authentication servers, SQL servers, or DNS servers is also essential.

Physical Segmentation 01:01-01:21 You can physically segment networks into segments or zones. This is usually done using switches. Each zone has its own switch, and all the hosts in that zone are connected to that switch. The switch is connected to a router, which uses an access control list to prevent, permit, and direct traffic passing between zones.

Access Control List 01:21-01:56 Access control lists, or ACLs, are router filters that control which network packets are allowed or denied. If a packet is allowed, it's forwarded onto its destination. If the packet is denied, it's dropped. A router uses the ACL to protect your network from attacks and to control which type of communications are allowed. A router's ACL almost always includes an implicit deny statement at the end of the list. This means there's an automatic rule that denies all traffic unless there's some other rule given that allows it.

Air Gap 01:56-02:24 If one or more computers contain highly sensitive information and need to be physically separated from all other computers on the network, these computers are isolated using an air gap. This means that the computers, and sometimes even networks, have no network interfaces connected to other networks. This method is only used when absolutely necessary because physically separating one or more devices from the network can make maintenance and management challenging.

Virtual Segmentation 02:24-02:56 As you can probably imagine, purchasing separate hardware for all segments can be expensive and a challenge to manage. Instead, we create most network zones using virtual LANs, or VLANs, because multiple VLANs with varying security requirements can be configured on one switch. This keeps the costs down. Although these VLANs are connected to the same switch, the devices on one VLAN cannot see the devices on the other VLAN, and any communication between separate VLANs would need to go through the router.

Demilitarized Zone 02:56-03:56 Another benefit to segmentation is that all your zones don't need to be internet-facing. All internet-facing devices, such as web servers, email servers, or DNS servers, have a higher risk of being targeted by an attacker. If one device is compromised, an attacker could then use it as a platform for launching additional attacks against other internal hosts on your network. You need to maintain a connection to the outside world, but you also need to protect your network. So, how would you do this?

A demilitarized zone, or DMZ, is a subnetwork that you place between your LAN and the internet or other unsecure network. External network nodes can only access what you choose to expose in the DMZ, and the rest of your network is protected by firewalls. Your most vulnerable services are ones that also serve users outside of your local area network. Communication between hosts in the DMZ and other hosts is extremely restricted to help maintain security.

Jump Server 03:56-04:17 The strict barriers that go along with a DMZ make external attacks much more difficult to execute, but they also make management and administrative tasks a bit more challenging. You can implement a jump server, also known as a jumpbox, to provide a tightly controlled jumping point for administrators needing access to the DMZ.

Summary 04:17-04:28 That's it for this lesson. In this lesson, we discussed physical and virtual network segmentation options.

6.1.4 Segmentation Facts

This lesson covers the following topics:

  • Physical segmentation
  • Virtual segmentation
  • Vulnerability scanning on a segmented network

Physical Segmentation

Networks can be separated into segments or zones. Remember the following:

  • Segments are usually created using switches.
  • Each zone has its own switch.
  • All hosts in a zone are connected to the same switch.
  • The switch is connected to a router that uses an access control list (ACL) to prevent, allow, and direct traffic passing between zones.

Access control lists are router filters that allow (forward) or deny (drop) network packets coming into or going out of a network. A router uses the ACL to protect a network from attacks and to control the type of communications allowed on the network.

Be familiar with the following ACL characteristics:

  • An ACL describes the traffic type and traffic characteristics that will be controlled.
  • ACL entries can allow all traffic, deny all traffic, identify allowed traffic, or identify denied traffic.
  • An ACL usually contains an implicit deny any entry at the end of the list. This means all traffic is automatically blocked unless a previous statement allows the traffic.
  • Each ACL applies to a specific protocol.
  • Each router interface can have up to two ACLs for each protocol. One ACL is for incoming traffic, and the other is for outgoing traffic.
  • When an ACL is applied to an interface, the ACL identifies whether the list controls incoming or outgoing traffic.
  • Each ACL can be applied to more than one interface.

Physically separate a computer with highly sensitive information from other computers on the network. This is known as an air gap. This method is used only when necessary because physically separating one device from the network can make maintenance and management more challenging.

Virtual Segmentation

A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. Most screened segments, also known as demilitarized zones (DMZs), are created using a virtual LAN. You can configure multiple VLANs with varying security requirements on one switch. This keeps the cost down.

Although devices connect to the same switch, they cannot see other devices configured to a separate VLAN. All communication between separate VLANs must go through the router.

  • VLAN membership is configured by assigning a switch port to a VLAN.
  • A switch can have multiple VLANs configured on it, but each switch port can be a member of only one VLAN. The one exception is described below.
  • VLANs can be defined on a single switch or configured on multiple interconnected switches.
  • With multiple switches, each switch can be configured with the same VLANs. The devices on one switch can communicate with devices on other switches if they are members of the same VLAN.
  • A trunk port is used to connect two switches together.
  • In a typical configuration with multiple VLANs, workstations in one VLAN cannot communicate with workstations in other VLANs.
  • To enable inter-VLAN communication, use a router or an OSI Layer 3 switch.
  • Using VLANs, you can create multiple IP broadcast domains on a switch. Each VLAN is in its own broadcast domain. Broadcast traffic is sent only to members of the same VLAN.

A screened subnet (demilitarized zone) is a segmented network (or subnet) that sits between a private network and an untrusted network, such as the internet. Typically:

  • Firewalls allow traffic that originates in the secured internal network into the screened subnet and through to the internet.
  • Traffic that originates in the screened subnet (low-security area) or the internet (no-security area) should not be allowed access to the intranet (high-security area).

Because screened subnets can be challenging to access for management and administrative tasks, a server, or jumpbox, can be implemented to provide administrators with a tightly controlled access method, or jumping point.

Vulnerability Scanning on a Segmented Network

Most networks are divided into separate zones, represented by virtual LANs (VLANs) and IP subnets. This segmentation has performance and security benefits because traffic flows between zones are more predictable and easier to monitor and filter. However, when you perform vulnerability scanning across a segmented network, you need to consider the requirements and limitations:

  • A server-based scanner must be able to communicate with remote subnets, possibly including multiple VLANs, and through one or more firewalls. Alternatively, multiple scanning host nodes can be deployed in multiple segments and configured to report back to a central management server.
  • An agent-based scanner must be able to communicate reports to the management server.

6.1.5 Intrusion Detection System (IDS)


Avoid IDS Detection 00:00-00:28 Having an intrusion detection system, or IDS, on your network is necessary to protect your system. Unfortunately, though, attackers always try to find ways around being detected. In this lesson, I'll go over how IDSs work and some of the methods attackers may use to avoid IDS detection. Then I'll discuss a few signs you can look for that could indicate intrusion attempts.

IDS Detection Methods 00:28-00:35 Attackers use different techniques depending on the IDS you've installed. First, let's look at how an attacker would avoid a signature-detection method.

Signature Detection Method 00:35-01:23 The signature-detection method is also called misuse detection. With this method, your system compares traffic to known signatures in a signature file database. These signatures are usually given a number or name so that the administrator can easily identify and recognize an attack when it sets off an alert. The biggest disadvantage of a pattern-matching system is that the IDS is only triggered when it recognizes signatures that have been loaded.

While your IDS monitors traffic, an attacker could slip past using a zero-day attack or an unknown threat. Unknown threats have no defined signatures and won't be detected by a signature-detection IDS. It won't generate any alerts and you'll have no idea what's happening.

Anomaly-Based Detection 01:23-02:55 While signature-based detection compares data streams to matching signature keys, anomaly-based detection compares system behavior differences to baseline profiles. For an anomaly-based IDS to be effective, the system must learn what normal behavior is.

An anomaly-based IDS typically works by taking a baseline of the normal traffic on the network at peak and off-peak hours. Then the IDS measures the present state of network traffic against those baselines to detect abnormal patterns. This method works well if you want the system to detect new attacks or attacks that are deliberately assembled for avoidance.

For example, an anomaly-based system focuses on differences that might indicate an exploit for an unreleased vulnerability based on abnormal traffic between two hosts. This approach could also detect previously unknown threats or zero-day exploits. Of course, this system isn't foolproof. A conscientious attacker can fool an anomaly-based IDS into thinking an attack activity is nothing to worry about by making small, subtle changes to baseline behavior over a long period of time.

Business activity changes and higher workloads can cause an anomaly-based IDS to generate a lot of false positives. To avoid this problem, the system must re-learn and update the baseline profiles constantly. The re-learning periods are an especially vulnerable time. That's when it's easiest for attackers to make subtle changes to the network.

Protocol Anomaly-Based Detection 02:55-05:23 Another type of anomaly-based system is protocol detection. Protocol detection uses the same network baseline but focuses on the protocols being used. If a specific protocol begins showing signs outside the norm, the IDS triggers an alert. This method usually identifies new attacks before signature-based or anomaly-based IDSs do. Instead of rapidly changing attack methods, this detection method relies on the protocol's use or misuse, which is often its greatest strength.

Protocol anomalies can include malformed messages, sequencing errors, and similar variations from a protocol's known good behavior. Detecting and determining if a service or application is operating on an unusual port is another way to check for protocol anomalies. You might also find protocol detection useful against unknown or zero-day exploits, which sometimes attempt to utilize a protocol IDS for malicious purposes.

Attackers sometimes use DNS poisoning to avoid IDS detection. DNS poisoning is a man-in-the-middle type of attack. When your browser sends a DNS request to a DNS server, the attacker intercepts the request and sends back a malicious response. This is usually to redirect you to a malicious website, such as a phishing site. These attacks get even worse because the response can be stored in the browser's DNS cache so that every time you go back to the site, you're redirected to the malicious site. At this point, the attacker doesn't have to worry about being detected by the IDS and he or she has successfully avoided it for the foreseeable future.

Because DNS is a two-step process, an IDS using protocol detection should detect that when several DNS responses occur without a DNS request, it probably means cache poisoning. To effectively detect these intrusions, a protocol IDS must reimplement a wide variety of Application layer protocols that detect suspicious behavior.

An attacker can also use IP spoofing to avoid an IDS. When spoofing an IP address, the attacker modifies the IP packet header and source address to make it look like the packets are coming from a trusted source. When the packets are sent, the IDS checks them but doesn't trigger any alert because it trusts them. But if the IDS is using protocol detection, it should detect the difference and trigger an alert.

Summary 05:23-05:39 That's it for this lesson. In this lesson, we looked at some techniques attackers use to avoid your network safeguards, including against signature-based and anomaly-based IDSs.

6.1.6 Intrusion Detection System (IDS) Facts

An Intrusion Detection System (IDS) can monitor traffic flowing in and out of a network. If potentially malicious traffic is detected, the IDS will trigger an alert. The IDS will not stop any traffic; it only triggers alerts. Attackers can use various methods to avoid being detected by an IDS.

This lesson covers the following topics:

  • IDS detection methods
  • Signs of intrusion

IDS Detection Methods

An IDS gathers and analyzes information from within a computer or network. You can implement an IDS as follows:

  • A network intrusion detection system (NIDS) is designed to inspect each packet traversing the network for the presence of malicious or damaging behavior.
  • A host intrusion detection system (HIDS) is responsible for monitoring activities on a host system. It looks for misuse of a system, including insider misuse.

An HIDS is more difficult to manage since it has to be maintained individually on each host system.

The following table identifies the roles of an IDS. Note that roles may be specific to the type of IDS.

Role and description:

Analyze network traffic - An NIDS acts as a network sniffer to examine network traffic for:
  • Violations of security policies.
  • Malicious activity on operations.
  • Unauthorized access.
  • Misuse of the organization's network.
  • Signs of intrusions.

Monitor log files - A Log File Monitor IDS (LFM IDS) searches log files for suspicious activity such as:
  • Blocked traffic due to failed or anonymous authentication.
  • Repeated failed login attempts.
  • Connections to known malicious sites.
  • Activity during odd or non-business hours.
  • Missing, short, or incomplete logs.

Check file integrity - An IDS with file-checking mechanisms evaluates a specific system for the following:
  • New or unrecognized files, programs, or processes.
  • Unexplained changes in file permissions.
  • Unexplained changes in file size.
  • Changes in configuration files.
  • Presence of Trojan horse software.

An IDS can use different methods to detect malicious traffic. The three common methods you should know are signature detection, anomaly detection, and protocol-based detection. Depending on the detection types implemented and the sophistication of the method of evasion used, a malicious attack may or may not generate an alert.

The following table describes the three common types of intrusion detection:

Detection method and description:

Signature-based - The signature-based detection method, sometimes called misuse detection, analyzes network traffic for common patterns, called signatures. Signature matching is the most basic form of detection and is used in many systems.

The IDS analyzes network traffic looking for signatures in the signature file database. When a match is found, the IDS logs and reports the attack. Be aware of the following regarding signature-based detection:
  • Signature recognition is effective at detecting known attacks, but poor at detecting attacks not in the signature file database.
  • Signature-based detection systems are easy to implement and have a low false-positive rate and a high true-positive rate for known attacks.
  • Network traffic analysis can impact network performance.

Attackers can avoid detection by a signature-based IDS by:

  • Using zero-day attacks or other unknown threats. Because these threats have no signatures in the database, a signature-based IDS will not detect them.
  • Modifying an attack so the signature is changed. This can be done by changing the code, pattern of attack, or another technique for changing the signature.
Anomaly-based - Anomaly-based detection compares network behavior to baseline profiles or network behavior baselines. For example, if Internet Control Message Protocol (ICMP) traffic becomes greater than the baseline set, an alert is sent. Be aware of the following when you use an anomaly-based IDS:
  • An anomaly-based IDS typically works by taking a baseline of the normal traffic and activity on the network at peak and off-peak hours. Then it measures the present state of traffic on the network against its baseline in order to detect patterns that are not normally present in the traffic.
  • An anomaly-based approach can detect previously unknown threats by detecting deviations from normal baseline behavior.
  • Anomaly-based methods can work very well when the system is configured to detect attacks that have been deliberately assembled to avoid an IDS.
  • A higher rate of false positives can occur with an anomaly-based IDS due to changing business needs or heightened workloads. Fluctuation in normal system use requires the system to be able to re-learn or update the baseline profiles constantly.

An attacker can avoid detection by making small subtle changes to the baseline behavior over a period of time. Because the system is re-learning and updating the system constantly, it is vulnerable to an attack that makes small changes over time.

Protocol-basedProtocol-based detection uses the same network baseline as an anomaly-based IDS but focuses on the protocols being used. If a specific protocol begins showing signs outside the norm, the IDS will trigger alerts. This helps it identify new attacks earlier than signature or anomaly intrusion detection systems.
  • Protocol-based detection can include malformed messages, sequencing errors, and similar variations from a protocol's known good behavior.
  • Protocol detection can be useful against unknown (zero-day) exploits, that attempt to manipulate protocol behavior for malicious purposes.
  • Detecting unusual port usage by a protocol is another way to check for attacks.
Some methods an attacker can use to avoid detection are:
  • DNS Poisoning - The attack occurs when a web browser sends a DNS request to a DNS server.
    • The attacker intercepts the request from the web brower to the DNS server and sends a response that typically redirects the victim to a malicious website.
    • The response is stored in the DNS cache, causing future connections to automatically redirect to the malicious site.
    • Once this occurs, the IDS will not be able to detect future attacks.
  • Spoofing - The attacker modifies the IP packet header and source address to make it look like the packet is from a trusted source. The IDS checks the packets but will not trigger an alert because it trusts them.
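The three methods in the table, applied to a handful of constructed packet records, as an added example that is not part of the course material. The signature list, the ICMP baseline share and the set of "expected" HTTP ports are all assumptions made for the example; a real IDS loads thousands of signatures and learns its baseline from live traffic.

```python
"""Toy IDS that applies the three detection methods from the table above
to constructed packet records (not captured traffic). Added example."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # destination port (0 for ICMP)
    payload: bytes   # application data


# Signature database (constructed): byte patterns tied to known attacks.
SIGNATURES = {
    "sig-dir-traversal": b"../../",
    "sig-cmd-shell": b"/bin/sh",
}

# Anomaly baseline (constructed): share of ICMP packets seen during normal operation.
ICMP_BASELINE_SHARE = 0.05
ICMP_ALERT_FACTOR = 3.0   # alert when ICMP exceeds three times its baseline share

# Protocol knowledge (assumed for this environment): ports on which HTTP is expected.
HTTP_PORTS = {80, 8080}


def signature_detect(pkt):
    """Signature-based: return the names of known patterns found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


def anomaly_detect(packets):
    """Anomaly-based: compare the ICMP share of this window with the baseline."""
    if not packets:
        return None
    share = sum(p.proto == "icmp" for p in packets) / len(packets)
    if share > ICMP_BASELINE_SHARE * ICMP_ALERT_FACTOR:
        return f"icmp share {share:.2f} exceeds baseline {ICMP_BASELINE_SHARE:.2f}"
    return None


def protocol_detect(pkt):
    """Protocol-based: flag malformed HTTP request lines and HTTP on an unexpected port."""
    alerts = []
    if pkt.proto != "tcp":
        return alerts
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    if not request_line.startswith((b"GET ", b"POST ", b"HEAD ")):
        return alerts
    parts = request_line.split(b" ")
    # A well-formed request line is METHOD SP request-target SP HTTP-version.
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        alerts.append("malformed http request line")
    if pkt.dport not in HTTP_PORTS:
        alerts.append(f"http on unexpected port {pkt.dport}")
    return alerts


def run_ids(packets):
    """Apply all three methods to a window of packets; alerts are keyed by method."""
    report = {"signature": [], "protocol": [], "anomaly": []}
    for i, pkt in enumerate(packets):
        for name in signature_detect(pkt):
            report["signature"].append((i, name))
        for msg in protocol_detect(pkt):
            report["protocol"].append((i, msg))
    anomaly = anomaly_detect(packets)
    if anomaly:
        report["anomaly"].append(anomaly)
    return report


# Constructed window of six packets: a clean request, a traversal attempt,
# HTTP on a non-standard port, a malformed request line, and two ICMP packets.
SAMPLE_WINDOW = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Packet("tcp", 4444, b"GET / HTTP/1.1\r\n\r\n"),
    Packet("tcp", 80, b"GET /index.html\r\n\r\n"),
    Packet("icmp", 0, b"\x08\x00\x00\x00"),
    Packet("icmp", 0, b"\x08\x00\x00\x00"),
]

if __name__ == "__main__":
    for method, alerts in run_ids(SAMPLE_WINDOW).items():
        print(f"{method:10s} {alerts}")
```

Note how the methods complement each other: the traversal attempt is only caught by the signature, the request on port 4444 only by the protocol check, and the ICMP burst only by the baseline comparison. Each method also has the blind spot the table describes: rewrite the traversal string and the signature misses it, and a slow rise in ICMP that stays under three times the baseline never trips the anomaly check.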

6.1.7 Evade IDS


Evade IDS 00:00-00:38 An Intrusion Detection System, or IDS, is one of the first lines of defense against unauthorized attacks. Its job is to monitor and alert the security team of any suspicious activities. Attackers can use a variety of methods to avoid an IDS and gain access to the system. These methods will generally fall into one of three different categories: obfuscation; insertion and evasion; and distributed denial of service, or DDoS. In this lesson, we'll look at each of these methods and how to mitigate IDS evasions.

Obfuscation 00:38-01:06 Obfuscation is the process of hiding what we're doing by making it unintelligible or unclear. For example, we can obfuscate code to make it harder to read. However, attackers can also use obfuscation to encode an attack payload so that the IDS can't decode it, but the destination host can. Some examples of obfuscation are unicode evasion, polymorphic code, and encryption. Let's look at unicode evasion first.

Unicode Evasion 01:06-01:40 Unicode is a coding system that supports encoding, processing, and the display of written texts for universal languages. This means that Unicode can be read and understood by many different languages, including Java and XML.

An attacker can take advantage of this and write an attack in Unicode that the target, like a web server, will understand, but the IDS may not. Because the IDS won't be able to decode the Unicode, the packets won't be detected by the IDS, and no alert will be triggered.

Polymorphic Code 01:40-02:27 Polymorphic code is another obfuscation technique attackers can use. Many attacks have known signatures or patterns that an IDS looks for. If a signature matches, then an alert is triggered. Polymorphic shellcode can be used to disguise the signature. Basically, the code of the payload is changed, but the structure and function stay the same. There are different techniques an attacker can use to achieve this, but the results are the same.

For example, using some method, the attacker encodes the payload and places a decoder in front of the payload. Everything is combined and sent to the target, which is undetected by the IDS. Every time the payload is sent, the code is rewritten so the IDS won't recognize it and trigger alerts.

Encryption Obfuscation 02:27-02:54 However, one of the best methods used to avoid IDS detection is to encrypt the payload. This can be done by establishing an encrypted session somehow with the target using a VPN tunnel, SSL, or SSH. If this can be accomplished, the IDS won't be able to see the traffic and no alerts will be triggered.

Obfuscation can work well for attackers, but it isn't the only option available to avoid IDS detection.

Insertion Attacks 02:54-04:09 Another common attack to evade IDSs is an insertion attack. To understand insertion attacks, remember that TCP sends data in multiple segments called a packet stream. When the packets reach their destination, the end host puts the segments together to compile and read the data. Attackers can take advantage of this to confuse the IDS and force it to read invalid packets even though the end host will reject those packets. Insertion attacks work when the IDS is less strict in processing packets than the internal network.

For example, if we want to send an attack like this, the IDS will pick this up right away. So, what the attacker will do is add extra packets and send these packets out of order and with different Time To Live, or TTL, values. When done this way, the IDS reads all the packets, but because the Time To Live values are shorter for the fake packets, only the packets containing the payload make it to the target device. Using this method, the IDS gets confused because the attack is hidden in these packets, so no alert will be triggered, but the host will still get the packet stream that contains the exploit. TTL values and bad checksums are two common methods for pulling this attack off.

Evasion Attacks 04:09-05:03 Similar to the insertion method, the attacker can use an evasion attack to get around the IDS. The evasion attack takes advantage of the weakness that an endpoint can receive a packet that the IDS rejects. Instead of getting the IDS to process invalid packets and get confused, the evasion attack has the IDS drop packets that the host will actually process. This method works when the IDS is more strict in processing packets than the internal network.

Fragmentation overlap is one evasion attack technique. For example, here we have an attacker's TCP stream with the packets out of order. In this example, the A's have overlapping data or sequence numbers. The stream is sent to the switch, and when the IDS reads this, it drops one of the A's and now doesn't see the attack. The target device, however, puts the fragments back together properly and the attack can be carried out.

Mitigation for IDS Evasion 05:03-06:52 There are no measures to completely prevent the threat of IDS evasion, but you can take steps to reduce the threat to network applications and devices. Using a combination of evasion countermeasures and in-depth defense, you can create a more secure network. Identification and detection techniques based on the ability to detect and distinguish legitimate traffic from illegitimate traffic can play a part in defending a network against IDS evasions. This countermeasure may not prevent the attack, but it can detect attacks early on. In-depth network analysis should be performed as a countermeasure. In-depth analysis includes recording average packet rates and then flagging any flow deviations, which can trigger an alert.

Maximizing bandwidth and implementing load balancing are two other important countermeasure steps you should become familiar with. A system should always have more bandwidth than it will need. Having additional bandwidth isn't just about deterring DoS attacks; it also allows for legitimate events that might cause a surge in traffic. Additional bandwidth can also help absorb an attack and buy a little more time for response.

Closing ports associated with known attacks, only allowing necessary traffic, and blocking invalid addresses are also good network defenses. To properly defend your IDS, you also need to implement effective patch management. Many types of attacks besides DoS attacks are mitigated by patch management. Although patch management might not prevent a zero-day attack, it can help overall network security.

As you can see, there's no one solution to mitigate IDS evasion attacks, but by following proper security protocols and implementing multiple safeguards, you will have a better chance of stopping these types of attacks.

Summary 06:52-07:23 That's it for this lesson. In this lesson we looked at the different methods that an attacker can use to evade an IDS. We first looked at obfuscation methods, which involve hiding the attack in something else. We then looked at how insertion and evasion attacks work to get past the IDS. And finally, we looked at just a few of the steps we can take to mitigate these attacks and help prevent an attacker from evading our IDS.

6.1.8 Evade IDS Facts

An Intrusion Detection System (IDS) is one of the first lines of defense against unauthorized attacks. The job of an IDS is to monitor the system and alert the security team of any suspicious activities.

Attackers can use various methods to evade an IDS and gain access to the system. To mitigate risks, a security analyst should be aware of evasion techniques and how to use those techniques.

This lesson covers the following topics:

  • Obfuscation techniques
  • Insertion and evasion attacks
  • IDS evasion mitigation

Obfuscation Techniques

Obfuscation is the process of hiding something. Attackers can use obfuscation to hide malicious code and disguise it as legitimate.

Because an IDS relies on identifying an attack signature, the process of obfuscating malicious code can be an effective evasion technique. An attacker can obfuscate code through manual manipulation or the use of an obfuscator tool.

The following table describes some common obfuscation techniques:

Obfuscation Technique / Description

Unicode evasion:
Unicode is a coding system used to support the interchange, processing, and display of written texts through a network medium. Be aware that:
  • Character strings converted to Unicode can avoid IDS patterns and signature protocol detection.
  • Standard code, such as HTTP requests and responses changed into Unicode equivalents, can produce code that the target understands and can execute, but the IDS does not recognize it as a signature.
  • The IDS does not trigger an alert if it does not recognize the signature. For example, the Unicode for ATTACK is \u0041 \u0054 \u0054 \u0041 \u0043.

Polymorphic code:
An attacker can use polymorphic shellcode to disguise the signature. Polymorphic shellcode works as follows:
  • The attacker encodes the attack payload and places a decoder in front of the payload.
  • The code of the payload is changed, but the structure and function stay the same.
  • Everything is combined and sent to the target.
  • Every time the payload is sent, the code is rewritten so the signature changes.
  • An attacker can use varying techniques to achieve this, but the results are the same.

Encryption:
Encryption is one of the most successful and effective techniques used to bypass an IDS. Be aware that:
  • A common means of obfuscation is encrypting the attack on a protocol such as HTTPS.
  • Another common method is using Nmap to obscure the origin of scanning activities.
    • Nmap has the ability to generate decoys that make the detection of the scanning system much more difficult.
    • The nmap command to generate decoys is nmap -D RND:10 target_IP_address.
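The defensive answer to Unicode evasion is to canonicalize input before matching it against signatures, which is what the HTTP preprocessors in Snort and Suricata do for URIs. Below is an added example of that normalization step; it is not code from the course or from either project. The two-entry signature list and the request targets are constructed for the example.

```python
"""Canonicalize a request string before signature matching so that Unicode
escapes, percent-encoding and compatibility characters cannot hide a pattern.
Added example with a constructed two-entry signature list."""
import re
import unicodedata
from urllib.parse import unquote

# Constructed signatures, written in their canonical (decoded) form.
SIGNATURES = ["../", "<script"]

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def canonicalize(text: str) -> str:
    """Undo the encodings layered on the input until it stops changing, then
    apply NFKC so compatibility forms (e.g. fullwidth full stop) become ASCII."""
    previous = None
    current = text
    while current != previous:
        previous = current
        # \u0041-style escapes, as in the ATTACK example in the table above
        current = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), current)
        # %2e-style percent-encoding; repeating the loop collapses double encoding
        current = unquote(current)
    return unicodedata.normalize("NFKC", current)


def match_signatures(text: str, canonical: bool = True):
    """Return the signatures present in the input, with or without canonicalization."""
    probe = canonicalize(text) if canonical else text
    return [sig for sig in SIGNATURES if sig in probe]


# Constructed request targets: the same traversal written four ways, plus a benign one.
SAMPLES = {
    "plain":      "../etc/passwd",
    "unicode":    "\\u002e\\u002e/etc/passwd",
    "double-pct": "%252e%252e/etc/passwd",
    "fullwidth":  "\uff0e\uff0e/etc/passwd",
    "benign":     "/index.html",
}

if __name__ == "__main__":
    for label, target in SAMPLES.items():
        print(f"{label:12s} raw={match_signatures(target, canonical=False)} "
              f"canonical={match_signatures(target)}")
```

Matching the raw string catches only the "plain" form; after canonicalization all four spellings of the traversal match and the benign path still does not. The decode loop matters: a single `unquote` leaves `%252e` as `%2e`, which is exactly the gap a double-encoded request slips through.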

Insertion and Evasion Attacks

Insertion and evasion attacks are similar methods that an attacker can use to evade being detected by the IDS:

Attack Type / Description

Insertion:
TCP sends data in multiple segments called a stream. When the packets reach the destination, the end host puts the stream segments together to compile and read the data. Key points about this type of attack are:
  • Attackers can take advantage of this process to confuse the IDS and force it to read invalid packets even though the end host will reject those packets.
  • Insertion attacks work when the IDS is less strict in processing packets than the internal network.

Evasion:
The evasion attack takes advantage of the weakness that an endpoint can receive a packet that the IDS rejects. Key points about this type of attack are:
  • Instead of getting the IDS to process invalid packets and get confused, the evasion attack has the IDS drop packets that the host will actually process.
  • Evasion attacks work when the IDS is more strict in processing packets than the internal network.

Insertion and evasion attacks are difficult for the attacker to execute because they require prior knowledge on how the network, target systems, and IDS operate. The attacker must know the operating systems, protocols, and other configuration information to carry out one of these attacks properly.
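Both attacks come down to one fact: when two segments overlap with different bytes, the IDS and the end host may resolve the overlap differently. The added example below (not from the course) reassembles a constructed segment list under two overlap policies and reports the conflicting offsets, which is the condition a defender should alert on instead of silently guessing. The segment data is constructed; the policies "first" and "last" are simplifications of the per-operating-system reassembly behaviour that Snort and Suricata let you configure per target host.

```python
"""Reassemble a TCP byte stream under two overlap policies and flag segments whose
overlapping bytes disagree: the ambiguity that insertion and evasion attacks exploit.
Added example; the segments are constructed, not captured."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # offset of the first byte relative to the stream start
    data: bytes


def reassemble(segments, favor: str) -> bytes:
    """Rebuild the stream in arrival order. favor="first" keeps the bytes that
    arrived first on an overlap; favor="last" lets later segments overwrite.
    Operating systems differ here, so an IDS that guesses wrongly reconstructs
    a stream the host never saw."""
    if favor not in ("first", "last"):
        raise ValueError("favor must be 'first' or 'last'")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if offset in stream and favor == "first":
                continue
            stream[offset] = byte
    # Gaps are not filled; a caller should treat missing offsets as incomplete data.
    return bytes(stream[k] for k in sorted(stream))


def conflicting_offsets(segments):
    """Offsets covered by two segments whose bytes differ. A genuine
    retransmission never produces one; a crafted overlap does."""
    seen = {}
    conflicts = set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if offset in seen and seen[offset] != byte:
                conflicts.add(offset)
            seen.setdefault(offset, byte)
    return sorted(conflicts)


def inspect_stream(segments):
    """Defender's verdict: reassemble both ways and say whether the stream is
    ambiguous. An ambiguous stream deserves its own alert, whatever the payload."""
    conflicts = conflicting_offsets(segments)
    return {
        "ambiguous": bool(conflicts),
        "conflicts": conflicts,
        "favor_first": reassemble(segments, "first"),
        "favor_last": reassemble(segments, "last"),
    }


# Constructed: a clean stream that includes an exact retransmission, and a crafted
# stream where the second segment overlaps the first with different bytes.
CLEAN = [Segment(0, b"AAAA"), Segment(4, b"BBBB"), Segment(0, b"AAAA"), Segment(8, b"CC")]
CRAFTED = [Segment(0, b"AAAA"), Segment(2, b"BBBB"), Segment(6, b"CC")]

if __name__ == "__main__":
    for name, segs in (("clean", CLEAN), ("crafted", CRAFTED)):
        print(name, inspect_stream(segs))
```

For the clean stream both policies yield the same bytes and no conflict is reported, so a retransmission does not raise noise. For the crafted stream the two policies disagree (`AAAABBCC` versus `AABBBBCC`); whichever one the IDS picks, the other is what the host might see, which is why the conflict itself, not the reconstructed payload, is the reliable detection signal.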

IDS Evasion Mitigation

There is no way to completely prevent an attacker from evading an IDS, but you can take steps to reduce the threat to network applications and devices. Using a combination of evasion countermeasures and building defense in depth, an organization can make its network more secure.

Identification and detection techniques can help play a part in defending a network against IDS evasions. Although countermeasures may not always prevent the attack, they can help detect an attack in the early stages.

Methods to reduce exposure to IDS evasion include:

  • Close ports associated with known attacks and allow only necessary traffic.
  • Block invalid addresses.
  • Practice effective patch management. Many types of attacks, not just DoS, can be mitigated by effective patch management. Although patch management might not prevent a zero-day attack, it can improve the overall security of the network.
  • Implement acceptable use policies and promote user network security awareness training.
  • Use intrusion detection systems to block incoming packets from untrusted sources.
  • Block ICMP inbound and outbound traffic at critical gateways.
  • Eliminate single points of failure. Add redundancy or extra bandwidth.
  • Analyze outbound traffic and block suspicious traffic to prevent hosts from being compromised.

The following table describes some additional countermeasures:

Countermeasure / Description

Establish a baseline of network traffic:
An in-depth network analysis is necessary to establish a baseline for network traffic.
  • In-depth analysis includes recording average packet rates and then flagging flow deviations.
  • A good practice is to use statistics and cumulative sum calculations to estimate network flow versus actual traffic flow.
  • Statistics and cumulative sum calculations will reduce the number of false positives.

Maximize bandwidth:
Maximizing bandwidth and using load balancing are two important countermeasure steps.
  • A system should always have more bandwidth than is expected to be required.
  • In addition to deterring DoS attacks, additional bandwidth accommodates legitimate events that might cause a surge in traffic.
  • Additional bandwidth can also help absorb an attack and provide more time for response.

Use iptables:
You can use programs such as iptables to limit the rate of traffic and filter TCP flags and TCP protocols. These tools can:
  • Control the flow of traffic.
  • Block malformed packets.
  • Terminate a TCP connection.
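The cumulative sum (CUSUM) method mentioned in the first countermeasure is worth seeing next to the naive "rate above mean plus three standard deviations" check it is meant to improve on. The added example below is not course material; the packets-per-interval series is constructed, and the allowance and decision thresholds (half and five standard deviations) are typical starting points, not values from the page.

```python
"""Baseline-plus-CUSUM detector over per-interval packet rates, next to the naive
'above mu + 3 sigma' threshold. Added example; the rate series is constructed."""
import statistics


def learn_baseline(rates, n):
    """Mean and population standard deviation of the first n intervals."""
    window = rates[:n]
    mu = statistics.mean(window)
    sigma = statistics.pstdev(window) or 1.0   # guard against a perfectly flat baseline
    return mu, sigma


def threshold_alerts(rates, n, n_sigma=3.0):
    """Naive detector: alert on every interval above mu + n_sigma * sigma."""
    mu, sigma = learn_baseline(rates, n)
    limit = mu + n_sigma * sigma
    return [i for i in range(n, len(rates)) if rates[i] > limit]


def cusum_alerts(rates, n, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM: accumulate how far each interval sits above mu + k,
    clamp the sum at zero, and alert when it passes h. A lone spike drains
    away over the following intervals; a sustained modest rise accumulates."""
    mu, sigma = learn_baseline(rates, n)
    k = k_sigma * sigma     # allowance: deviations smaller than this are ignored
    h = h_sigma * sigma     # decision threshold
    s = 0.0
    alerts = []
    for i in range(n, len(rates)):
        s = max(0.0, s + (rates[i] - mu - k))
        if s > h:
            alerts.append(i)
            s = 0.0          # restart after reporting
    return alerts


# Constructed packets-per-interval series:
#   indices 0-9    baseline around 100 pps
#   index 12       a single spike to 107 (a short legitimate burst)
#   indices 21-30  a sustained rise to 104 pps (a low-and-steady change)
RATES = ([100, 102, 98, 101, 99, 100, 103, 97, 100, 100]
         + [100, 100, 107] + [100] * 8 + [104] * 10)
BASELINE_INTERVALS = 10

if __name__ == "__main__":
    print("threshold:", threshold_alerts(RATES, BASELINE_INTERVALS))
    print("cusum:    ", cusum_alerts(RATES, BASELINE_INTERVALS))
```

On this series the threshold detector fires once, on the harmless spike at index 12, and never on the sustained 4% rise because 104 stays under the limit. CUSUM ignores the spike (its contribution drains back to zero within a few intervals) and fires repeatedly once the rise persists, which is the false-positive reduction the table describes. The baseline here is learned once; re-learning it on a sliding window keeps up with changing workloads, but it also gives an attacker the slow-drift opening described under anomaly-based detection, so the re-learning rate is a tuning decision, not a free improvement.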

6.1.9 Intrusion Detection and Prevention with Snort


Implement Intrusion Detection and Prevention 00:00-00:17 Intrusion detection and prevention is an important task that is required to protect today's networks. In this demonstration, we'll configure intrusion detection and prevention using Snort on a pfSense security appliance.

Choose an Intrusion Detection and Prevention Product 00:17-01:30 There are several products available that can do both intrusion detection and intrusion prevention. Some cost money and some are free.

One of the most popular products is Snort. Snort is a free, open-source network intrusion detection system (IDS) and intrusion prevention system (IPS).

Although Snort is open source and free, it does have some paid plans that you can subscribe to and receive updates to rules faster. In this demo, we'll configure Snort on our pfSense security appliance.

Before we configure Snort, let's quickly look at the website. As we scroll down, you see that you can manually download Snort for various operating systems and distributions. Snort is available for Fedora, CentOS, FreeBSD, and Windows.

In the second step, you must get what is called an Oinkcode. We will do that in a minute, but let's keep scrolling down this page. Step 3 is to get updates. We'll cover that later in the demo.

Now, as a review of what we just talked about, Snort is an open-source intrusion prevention system capable of real-time traffic analysis and packet logging.

Snort is the most widely deployed IPS in the world. There have been over 5 million downloads and over 600 thousand registered users.

Install Snort 01:30-02:27 To use Snort, you must first get an Oinkcode. We'll go to our account. Here is a link that says Oinkcode. We already have a code generated, so we can proceed. We will use the Oinkcode later.

Now let's go to pfSense and install Snort.

We've already logged into pfSense and we're on the Dashboard. Installing Snort on pfSense is quite easy. It is done with the Package Manager that is located under the System tab. Once on the Package Manager page, you click Available Packages.

Now let's do a search for 'Snort'. We have one result, so we'll come down and click the Install link. Now you can make sure you have the right package. We do; so let's click Confirm to start the installation.

Now we wait for a few minutes while Snort is installed. When it is done, the color changes from red to green and it says that the installation successfully completed. Down here on the bottom, a message says "Success".

Configure Snort 02:27-05:10 Now that Snort is installed, we need to set it up. Let's do that by going to Services and then down to Snort. Be aware that this menu item for Snort was not there until we installed it. If you don't have this menu, Snort probably is not installed.

We will start by going to Global Settings. Under Snort Subscriber Rules, we check the Enable Snort VRT box. VRT is an acronym for Vulnerability Research Team.

Below that, next to Snort Oinkmaster Code, we paste in the code. Remember, we got the Oinkcode from the Snort website that we were at in the beginning of the demo. We copied the code to the clipboard and will use a keyboard shortcut to paste it in here.

Next, we Enable Snort GPLv2. The Community Snort Rules fall under the GNU General Public License Version 2, which encourages the development and distribution of open-source software. This ruleset is 30 days behind the Snort Subscriber Rule Set. It does not contain zero-day threats under the limited provision of the Snort Subscriber Rule Set License.

Now let's check Enable ET Open (ET is the acronym for Emerging Threats). This downloads the Emerging Threats Open rules. The ET Open Ruleset is an anti-malware IDS/IPS ruleset that enables users with cost constraints to enhance their existing network-based malware detection.

We do not pay for the Emerging Threat Pro rules, so we won't check that box.

Let's skip down here under Sourcefire OpenAppID Detectors. Let's check the Enable OpenAppID box. Below that, check the box next to Enable RULES Open AppID. OpenAppID is an application-focused detection language and processing module for Snort. When you use OpenAppID with pfSense, the system can successfully detect (if configured to do so) and block over 2600 different services like Facebook, Netflix, Twitter, and Reddit.

For our Rules Update Settings, we set the Update Interval to 1 Day. For our Update time, we set it to 2:00 AM. Let's check the Hide Deprecated Rules Categories box. This removes old and outdated rules.

Under General Settings > Remove Blocked hosts Interval, we change that to 1 Hour. Now you might think that we should block hosts forever if they are malicious, but the problem is that often these are coming from spoofed IP addresses or from addresses that may be used by legitimate users very soon. So, we will block only for 1 hour.

We'll check the box for Startup/Shutdown Logging. We want to know when Snort is being started and stopped, and by whom.

That wraps up everything for this page. We'll click Save.

Assign Rules to Wide Area Network (WAN) Interface 05:10-06:05 Now that we have the rules figured out, we need to assign these rules to the WAN interface. We'll go to the Snort Interfaces tab. Then come down here to the right and click the Add link.

Under General Settings, we want to make sure that Enable Interface is checked. We see that it is. Make sure you have WAN selected under Interface. This is the traffic we want to inspect. For Description, we enter WAN. We want to keep it obvious and simple here.

Under Alert Settings, we check the box to Send Alerts to System Log. This will send alerts to the firewall log.

We check the Block Offenders box. If an offender creates a Snort alert, they will be blocked. For the IP to Block, we block the Source IP address.

There is nothing more we want to do here. We'll come down and click Save.

Now we want to check the box to enable the WAN interface. Under Snort Status, click Run to start Snort.

Summary 06:05-06:18 That's it for this demo. In this demo we configured intrusion detection and prevention using Snort on our pfSense security appliance.

6.1.10 Intrusion Detection and Prevention with Suricata


Suricata 00:00-00:20 Suricata is an open-source intrusion detection and intrusion prevention system, or IDS/IPS. This software can be installed on a wide variety of platforms, such as Linux, macOS, and Windows. Today, we're going to implement Suricata on pfSense.

Configure 00:20-02:00 Out of the box, pfSense comes with just the basics, so we'll have to download the Suricata package. Let's go to System, Package Manager, and then Available Packages. In the search bar, we're going to type Suricata just to make things easier. Next, we click Install and confirm. This may take a while, so we're going to pause the demo for a few minutes.

Once Suricata is installed, we have to configure it to run. Let's click Services and then Suricata. You can see there's no interface set up so we'll have to configure it. Let's click the Add button. Next, we'll make sure it's enabled and select the WAN interface. There's an option here called Block Offenders, which is considered to be an IPS. Currently, we just want to monitor traffic coming in instead of blocking it. Let's scroll down and click Save at the bottom.

Next, we're going to go to Global Settings and select Install ETOpen Emerging Threat Rules. These are the free open-source rules, as opposed to some other options that are paid. We're going to scroll down and click Save. In order to get these rules, we must run an update. Click the Updates tab and then click Update.

Once this is successful, we can go back to Interfaces and click edit on the WAN connection. Click on WAN Categories. This whole list shows you all the different categories for determined threats. Normally, not all of them will be enabled on a tuned system, but for demo purposes, we'll turn all of them on to get some alerts flowing. Click Select All and then click Save. In order for this to be active for the WAN, we have to go back to the interface and start Suricata.

Alerts 02:00-02:36 The alerts that we'll be analyzing are just on the WAN interface. We're going to click on the Alerts tab. Keep in mind as long as the specific ports someone's attempting to attack are blocked inbound, you should be safe from this. A good way to see open ports exposed to the internet is to have an outside source scan your public IP address.

Here's a listing of the many alerts triggered by the IDS. If you wanted to research an alert such as this first one, you would keep track of the source IP address and the description. The source IP address could be searched on a site such as Shodan, while the description could be found using a search engine.

Use Cases 02:36-03:05 Security analysts may not have any ports open that are exposed to the internet on the WAN interface. For demonstration purposes, this was the only way to generate some good traffic. It's possible to enable this for only the LAN side by going to Interfaces and adding the LAN interface. You would follow the same procedure to set this up as we did for the WAN interface. This would help analyze the outbound traffic from the LAN if the computer were infected by malware or there was traffic that was unexpected.

Summary 03:05-03:23 That's it for this demo. In this demo, we installed Suricata on pfSense. We showed you how to configure and set up an interface. We described alerts received from the IDS and use cases for both WAN and LAN interfaces.
