Deliverables by April 30th.
- Malicious Network Activity Report: An eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Joint Network Defense Bulletin: A one- to two-page double-spaced document.
- Lab Report: A Word document sharing your lab experience along with screenshots. (I will provide).
Introduction to Packet Capture and Intrusion Detection Prevention Systems
You are a network analyst on the fly-away team for the FBI's cybersecurity sector engagement division. You've been deployed several times to financial institutions to examine their networks after cyberattacks, ranging from intrusions and data exfiltration to distributed denial of services to their network supporting customer transaction websites.
A representative from the Financial Services Information Sharing and Analysis Center, FS-ISAC, met with your boss, the chief net defense liaison to the financial services sector, about recent reports of intrusions into the networks of banks and their consortium.
He's provided some of the details of the reports in an email. "Millions of files were compromised, and financial officials want to know who entered the networks and what happened to the information. At the same time, the FS-ISAC has seen extensive distributed denial of service disrupting the bank's networks, impacting the customer websites, and blocking millions of dollars of potential transactions," his email reads.
You realize that the impact from these attacks could cause the downfall of many banks and ultimately create a strain on the US economy. In the email, your chief asks you to travel to one of the banks and using your suite of network monitoring and intrusion detection tools, produce two documents—a report to the FBI and FS-ISAC that contains the information you observed on the network and a joint network defense bulletin to all the banks in the FS-ISAC consortium, recommending prevention methods and remediation against the types of malicious traffic activity that they may face or are facing.
CST 620 Project 2 Resources:
Network traffic analysis and monitoring help distinguish legitimate traffic from malicious traffic.
Network administrators must protect networks from intrusions. This can be done using tools and techniques that use past traffic data to determine what should be allowed and what should be blocked. In the face of constantly evolving threats to networks, network administrators must ensure their intrusion detection and prevention systems are able to analyze, monitor, and even prevent these advanced threats.
In this project, you will research network intrusion and prevention systems and understand their use in a network environment. You will also use monitoring and analysis technologies in the Workspace to compile a Malicious Network Activity Report for financial institutions and a Joint Network Defense Bulletin for a financial services consortium.
There are eight steps to complete the project. Most steps in this project should take no more than two hours to complete, and the entire project should take no more than two weeks to complete. Begin with the workplace scenario and continue to Step 1, “Create a Network Architecture Overview.”
Step 1: Create a Network Architecture Overview
As part of your assignment to report on prevention methods and remediation techniques for the banking industry, you would have to travel to the various bank locations and gain access to their networks. However, you must first understand the network architecture of these banks.
Provide a network architecture overview along with diagrams. Your overview can be fictitious or based on an actual organization. The goal is to provide an understanding of the network architecture.
Describe the various data transmission components.
User Datagram Protocol (UDP)
User datagram protocol (UDP) is a connectionless transport layer protocol that requires no handshaking process. Unlike transmission control protocol (TCP), UDP transmits data without setting up a dedicated connection or verifying the transmission with the receiver. Consequently, there is no guarantee that data packets are delivered in the right order, or delivered at all.
However, UDP has low latency and is suitable for time-critical transmission where speed is more important than reliability. Common applications of UDP include Domain Name System (DNS) and Simple Network Management Protocol (SNMP).
Transmission Control Protocol/Internet Protocol (TCP/IP)
You may sometimes hear TCP/IP referred to as a protocol. That is not correct; it is a suite of protocols.
Each of the protocols in the suite is set inside one of the layers of the TCP/IP model. Each protocol has the job of managing a smaller part of the functionality. As each does its job, the combined efforts of those protocols allow a TCP/IP network or application to run properly.
A few protocols make up the core of the suite and are responsible for basic operations. These critical protocols include the Internet Protocol, Transmission Control Protocol, and User Datagram Protocol. In addition to performing key functions, they support other protocols, allowing them to support a variety of other functions in the protocol suite.
Internet Packets
Data transmitted over the internet is broken into small pieces or packets. It is faster and more secure to transfer several small packets, rather than one large message. According to Severance (2015):
The most important innovation that allowed messages to move more quickly across a multi-hop network was to break each message into small fragments and send each fragment individually. (p. 6)
Each packet carries the source and destination address, which is what routes it to the intended destination. Since a large number of packets (from different sources) travel simultaneously, each packet from a single sender may take a different route, and the packets may not arrive at their destination in order.
References
Severance, C. (2015). Introduction to networking. http://do1.dr-chuck.net/net-intro/EN_us/net-intro.pdf.
IP Address Schemes
An Internet Protocol (IP) address is the unique network address given to each device connected to the internet. The most popular versions of IP addresses are IPv4 and IPv6. According to Ellingwood (2014):
IPv4, which is the fourth version of the protocol, currently is what the majority of systems support. The newer, sixth revision, called IPv6, is being rolled out with greater frequency due to improvements in the protocol and the limitations of IPv4 address space. Simply put, the world now has too many internet-connected devices for the amount of addresses available through IPv4.
Since "IPv6 provides for extended network address sizes of 128 bits, a substantial increase over the 32-bits address sizes that are available with IPv4," it can "handle the growth rate of the internet and the demanding requirements of services, mobility, and end-to-end security for network communications" (Radack, 2011).
References
Ellingwood, J. (2014). Understanding IP addresses, subnets, and CIDR notation for networking. Digital Ocean. https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking
Radack, S. (2011). Internet Protocol version 6 (IPv6): NIST guidelines help organizations manage the secure deployment of the new network protocol. National Institute of Standards and Technology. US Department of Commerce. http://csrc.nist.gov/publications/nistbul/January2011-ITLBulletin.pdf
Well-Known Ports and Applications
Port numbers are 16-bit numbers used to distinguish the different applications and TCP/IP programs reachable at a single IP address. The port numbers are assigned by the Internet Assigned Numbers Authority (IANA) and divided into three ranges (Port, n.d.):
1. well-known ports (from 0 to 1023);
2. registered ports (from 1024 to 49151); and
3. dynamic and/or private ports (from 49152 to 65535)
According to CCM Benchmark Group (2016):
Ports 0 to 1023 are the 'well known ports' or reserved ports. Generally speaking, they are reserved for system processes (daemons) or programs executed by privileged users. A network administrator can nevertheless link services to the ports of his choice.
Commonly used well-known ports include 21 (FTP), 25 (SMTP), 80 (HTTP) and 110 (POP3).
References
CCM Benchmark Group. (2016). Port/ports TCP/IP. http://ccm.net/contents/281-port-ports-tcp-ip.
Port (Computer Networking). In Wikipedia. (n.d.). https://en.wikipedia.org/wiki/Port_(computer_networking)
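To make the header fields described in the sections above concrete, here is an added example (written for this page, not taken from the course material or any cited source) that assembles a constructed IPv4/UDP datagram, parses it back the way a packet analyzer would, verifies the IPv4 header checksum, and classifies the ports using the three IANA ranges listed above. The addresses, payload and port-to-service table are constructed sample values; DNS on port 53 and SNMP on port 161 are the standard assignments, which the text names as UDP applications without giving their port numbers.

```python
"""Added example (not the course's own material): build a constructed IPv4/UDP
datagram, parse it back, and classify its ports into the IANA ranges the text lists."""
import struct
import ipaddress

IP_PROTO_UDP = 17


def port_range(port: int) -> str:
    """Classify a port using the three IANA ranges named in the text."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


# Well-known ports the text names, plus the standard DNS (53) and SNMP (161)
# ports, which the text mentions as UDP applications without giving numbers.
WELL_KNOWN_SERVICES = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3", 161: "SNMP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 header (no options) followed by a UDP header and payload."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed", which IPv4 permits; constructed sample only.
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + udp_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, IP_PROTO_UDP, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # checksum sits at bytes 10-11
    return hdr + udp


def parse_udp_datagram(pkt: bytes) -> dict:
    """Decode the IPv4 and UDP headers, performing the sanity checks an analyzer would."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _flags, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < total_len or total_len < ihl + 8:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:  # a valid header sums to zero including its checksum
        raise ValueError("bad IPv4 header checksum")
    if proto != IP_PROTO_UDP:
        raise ValueError(f"not UDP (protocol {proto})")
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if udp_len != total_len - ihl:
        raise ValueError("UDP length disagrees with IP total length")
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "sport": sport, "dport": dport,
        "dport_range": port_range(dport),
        "service": WELL_KNOWN_SERVICES.get(dport, "unassigned/other"),
        "payload": pkt[ihl + 8:total_len],
    }


if __name__ == "__main__":
    # Constructed sample: a client on a private address querying a private DNS resolver.
    datagram = build_udp_datagram("192.168.10.25", "192.168.10.2", 50321, 53, b"\x12\x34\x01\x00")
    print(parse_udp_datagram(datagram))
```

Running the module prints the decoded fields of the constructed query: a dynamic/private source port, destination port 53 in the well-known range, and the four-byte payload. Corrupting any header byte makes the checksum check fail, which is the first thing an analyzer such as Wireshark would flag on a damaged capture.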
Address the meaning and relevance of information, such as:
1. the sender or source that transmits a message
2. the encoder used to code messages
3. the medium or channel that carries the message
4. the decoding mechanisms used
5. the receiver or destination of the messages
Describe:
1. the intrusion detection system (IDS)
2. the intrusion prevention system (IPS)
3. the firewalls that have been established
4. the link between the operating systems, the software, and hardware components in the network, firewall, and IDS that make up the network defense implementation of the banks’ networks.
Identify:
1. how banks use firewalls
2. how banks use IDSs
3. the difference between these technologies
Include:
1. the network infrastructure information
2. the IP address schemes that will involve the IP addressing assignment model
3. the public and private addressing and address allocations
4. potential risks in setting up the IP addressing scheme
Here are some resources to review:
Intrusion Detection and Prevention (IDS/IPS) Systems
Intrusion detection and prevention systems (IDSs/IPSs) are implemented to prevent unauthorized access by attackers. An IDS passively monitors the network to report suspicious activity, whereas an IPS actively guards against threats, rather than just detecting the threats. IT expert Prashant Phatak explains the two systems using an example (2011):
…a network intrusion detection system (NIDS) will monitor network traffic and alert security personnel upon discovery of an attack. A network intrusion prevention system (NIPS) functions more like a stateful firewall and will automatically drop packets upon discovery of an attack.
Several organizations prefer an IDS over an IPS, because in the case of false positives, an IPS will stop the activities and disrupt the business, but an IDS will only report and not affect the business.
References
Phatak, P. (2011). The importance of intrusion prevention systems. http://opensourceforu.com/2011/01/importance-of-intrusion-prevention-systems/
Firewalls
Firewalls provide security to network systems by controlling the flow of incoming and outgoing traffic and preventing unauthorized access. The guidelines document of the National Institute of Standards and Technology (NIST) defines firewalls as "devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures" (Scarfone & Hoffman, 2009).
Firewalls are deployed extensively by businesses, educational institutions, government organizations, and end users to prevent cyberattacks and to protect sensitive information.
There are two types of firewall implementation: software and hardware. Software firewalls are installed on individual systems or machines, whereas hardware firewalls are implemented using specialized hardware equipment (on network switches or routers) to provide security to all connected machines. According to one expert:
A firewall can exist as hardware or software (or both). A hardware firewall is a device that is connected to the network and filters the packets based on a set of rules. A software firewall runs on the operating system and intercepts packets as they arrive to a computer (Bourgeois, 2014).
References
Bourgeois, D. T. (2014). Information systems for business and beyond. The Saylor Academy. http://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond.pdf
Scarfone, K., & Hoffman, P. (2009). U.S. guidelines on firewalls and firewall policy: Recommendations of the National Institute of Standards and Technology: Special Publication 800-41. National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
Identify:
1. any well-known ports and applications that are used
2. risks associated with those ports and applications being identified and possibly targeted
Add your overview to your report.
In the next step, you will identify network attacks and ways to monitor systems to prevent these attacks.
Step 2: Identify Network Attacks
In the previous step, you provided an overview of the network architecture. In this step, you will identify possible cyberattacks such as spoofing/cache poisoning, session hijacking, and man-in-the-middle attacks.
Cyberattacks
Cyberattacks refer to attacks launched against computer systems, networks, and infrastructure with the intention of committing theft of sensitive data, gaining unauthorized access, and sniffing passwords. These attacks are implemented by individuals, groups, or states and may use malicious software like viruses and worms. The problem of cyberattacks has been acknowledged by the National Institute of Standards and Technology (Johnson et al., 2016).
Cyberattacks have increased in frequency and sophistication, resulting in significant challenges for organizations in defending their data and systems from capable threat actors. These actors range from individual, autonomous attackers to well-resourced groups operating in a coordinated manner as part of a criminal enterprise or on behalf of a nation-state. These actors can be persistent, motivated, and agile, and they employ a variety of tactics, techniques, and procedures (TTPs) to compromise systems, disrupt services, commit financial fraud, and expose or steal intellectual property and other sensitive information. (p. 1)
Cyberattacks can be prevented or their risks minimized if organizations that have faced attack share information with others so that they can deploy resources to combat the threat.
References
Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Computer security: Guide to cyber threat information sharing: Special Publication 800-150, 2nd draft. National Institute for Standards and Technology. http://csrc.nist.gov/publications/drafts/800-150/sp800_150_second_draft.pdf
Provide techniques for monitoring these attacks using knowledge acquired in the previous step. Review the following resources to gain a better understanding of these particular cyberattacks:
· Session hijacking:
Spoofing/Cache Poisoning Attacks
Spoofing refers to attacks in which a program or host impersonates another so that it can gain unauthorized access. DNS spoofing is a type of spoofing attack performed on DNS records. It can be carried out in various ways, including cache poisoning, compromise of the DNS server itself, and man-in-the-middle attacks.
Cache poisoning attacks target the cache of a DNS server and replace one or more legitimate IP addresses with spoofed ones. The attacker hosts corrupt content and malware at the spoofed addresses, which affects every user whose lookup is answered from the poisoned cache.
IP Address Spoofing
In this type of attack, the attacker sniffs network traffic to identify the pattern of legitimate IP addresses for that particular network. The attacker then forges the IP address in the packet headers. If the network uses the IP address to authenticate the user, the attacker is able to gain access to the network through the packet with the forged IP address. The attacker can then send malicious packets to the network. For example, an attacker may introduce a Trojan or keylogging application to the network after gaining access to it.
IP address spoofing is a network layer attack.
Man-in-the-Middle Attacks
Man-in-the-middle (MITM) attacks refer to attacks "in which an adversary may replay, relay, reflect, interleave and/or modify messages in one or more protocol executions between two parties to fool at least one of those parties about the identity of the other party" (Hoeper & Chen, 2009). These attacks compromise network security, and can capture sensitive information—such as online banking credentials—in real time.
An example of MITM is a Secure Sockets Layer (SSL) attack, in which the attacker obtains details of a site's digital certificate, creates a forged certificate, answers the browser's requests in place of the real site, and collects the confidential data the user submits.
References
Hoeper, K., & Chen, L. (2009). Recommendation for EAP methods used in wireless network access authentication: Special Publication 800-120. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-120.pdf
One way to monitor and learn about malicious activities on a network is to create honeypots.
Honeypots
Honeypots are security systems that are implemented to gather information about unauthorized users or attackers. According to the National Institute of Standards and Technology (2013):
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. A honeypot is set up as a decoy to attract adversaries and to deflect their attacks away from the operational systems supporting organizational missions/business function. (p. F-202)
Honeypots are populated with data that looks like ordinary production data so that attackers engage with them; this lets defenders understand attack methodologies and collect information for the legal prosecution of attackers.
References
National Institute of Standards and Technology. (2013). Security and privacy controls for federal information systems and organizations: Special Publication 800-53, Revision 4. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Propose a honeypot environment to lure hackers to the network and include the following in your proposal:
1. Describe a honeypot.
2. Explain how a honeypot environment is set up.
3. Explain the security and protection mechanisms a bank would need for a honeypot.
4. Discuss some network traffic indicators that will tell you that your honeypot trap is working.
Include this information in your final report. However, do not include this information in the bulletin to prevent hackers from being alerted about these defenses.
Then, continue to the next step, where you will identify false negatives and positives.
Step 3: Identify False Positives and False Negatives
You just identified possible information security attacks. Now, identify the risks to network traffic analysis and remediation. Review the resources on false positives and false negatives and discuss the following:
False Positives and False Negatives
In order to prevent attacks, intrusion detection and prevention systems (IDSs/IPSs) aim to detect suspicious activities that may or may not be actual threats.
A "false positive is an instance where an IDS incorrectly identifies a benign activity to be malicious, while a false negative occurs when the IDS fails to detect a malicious activity" (Duquea & bin Omar, 2015).
False positives and false negatives are important indicators for measuring an IDS's accuracy and rate of detection. If the numbers of false positives and false negatives are high, the IDS can be considered inefficient because it may increase the work of network administrators.
References
Duquea, S., & bin Omar, M. N. (2015). Using data mining algorithms for developing a model for intrusion detection system (IDS). Procedia Computer Science, 61, 46–51. http://www.sciencedirect.com/science/article/pii/S1877050915029750
1. Identify what false positives and false negatives are.
2. How are false positives and false negatives determined?
3. How are false positives and false negatives tested?
4. Which is riskier to the health of the network, a false positive or a false negative?
Describe your analysis about testing for false negatives and false positives using tools such as IDSs and firewalls, and include this as recommendations for the banks in your public service Joint Network Defense Bulletin.
Discuss the concept of performing statistical analysis of false positives and false negatives.
Explain how banks can reduce these issues.
Research possible ways to reduce these events and include this information as recommendations in the Malicious Network Activity Report.
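As an added worked example of the statistical analysis discussed above (not from the course material or from Duquea & bin Omar), the following computes a confusion matrix over a constructed set of analyst-labelled IDS events, derives precision, recall, false positive rate and false negative rate from it, and then projects how many true and false alerts a sensor with given rates would raise when attacks are rare. All event descriptions, labels and rates are constructed sample values.

```python
"""Added example (not the course's own material): confusion-matrix statistics for
IDS alerts, computed over constructed, hand-labelled sample events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    description: str
    alerted: bool      # did the IDS raise an alert?
    malicious: bool    # ground truth from analyst review


# Constructed sample: ten events reviewed by an analyst after the fact.
SAMPLE_EVENTS = [
    Event("SSH login from jump host", alerted=True, malicious=False),
    Event("DNS query burst to newly registered domain", alerted=True, malicious=True),
    Event("Backup job large outbound transfer", alerted=True, malicious=False),
    Event("HTTP request with SQL keywords", alerted=True, malicious=True),
    Event("Routine SNMP poll", alerted=False, malicious=False),
    Event("Slow port sweep spread over two days", alerted=False, malicious=True),
    Event("Software update download", alerted=False, malicious=False),
    Event("Credential stuffing on login page", alerted=True, malicious=True),
    Event("Printer broadcast traffic", alerted=False, malicious=False),
    Event("Beaconing every 60 s to a rarely seen IP", alerted=False, malicious=True),
]


def confusion_matrix(events) -> dict:
    """Count true/false positives and negatives from alert flags versus ground truth."""
    tp = sum(e.alerted and e.malicious for e in events)
    fp = sum(e.alerted and not e.malicious for e in events)
    fn = sum(not e.alerted and e.malicious for e in events)
    tn = sum(not e.alerted and not e.malicious for e in events)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def detection_metrics(events) -> dict:
    """Standard IDS accuracy measures derived from the confusion matrix."""
    m = confusion_matrix(events)
    tp, fp, fn, tn = m["tp"], m["fp"], m["fn"], m["tn"]

    def ratio(a, b):
        return a / b if b else 0.0

    return {
        **m,
        "precision": ratio(tp, tp + fp),            # share of alerts that were real attacks
        "recall": ratio(tp, tp + fn),               # share of attacks that were caught
        "false_positive_rate": ratio(fp, fp + tn),  # share of benign events that alerted
        "false_negative_rate": ratio(fn, fn + tp),  # share of attacks that were missed
    }


def expected_alerts(n_events: int, prevalence: float, recall: float, false_positive_rate: float) -> dict:
    """Base-rate projection: true and false alerts a sensor with the given recall and
    false positive rate would raise over n_events when attacks make up `prevalence` of them."""
    attacks = n_events * prevalence
    benign = n_events - attacks
    true_alerts = attacks * recall
    false_alerts = benign * false_positive_rate
    total = true_alerts + false_alerts
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        "alert_precision": true_alerts / total if total else 0.0,
        "missed_attacks": attacks - true_alerts,
    }


if __name__ == "__main__":
    print(detection_metrics(SAMPLE_EVENTS))
    # One million events per day, one attack in a thousand, a sensor catching 90 %
    # of attacks with a 1 % false positive rate (constructed figures).
    print(expected_alerts(1_000_000, 0.001, 0.90, 0.01))
```

The projection is the point to carry into the bulletin: with attacks at one in a thousand events, even a 1 % false positive rate yields roughly eleven false alerts for every true one, so reducing false positives is largely about tuning for the base rate, while each missed attack (the false negatives) is the one that reaches the network.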
Network intrusion analysis is often done with a tool such as Snort. Snort is a free and open-source intrusion detection/prevention system program.
It is used to detect and prevent malicious traffic and attacks on networks, and also for traffic analysis and education. Once malicious traffic has been identified, that knowledge can be used to design signatures for the IDS and to configure the IDS to block the known bad traffic.
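Snort rules are signatures matched against packet headers, payloads and, for stateful rules, traffic over time. The following added example (written for this page; it is not Snort's code and not the course's) shows the same idea in miniature with a small rule engine run over constructed packet records. It serves both the signature discussion here and the honeypot-indicator item in Step 2: one rule flags any traffic to a decoy host, which is the simplest sign that a honeypot is being touched. The home network range, trusted resolver, known-bad address, decoy host and every packet are constructed placeholders drawn from documentation and TEST-NET ranges, and the SYN threshold is an assumed tuning value.

```python
"""Added example (not Snort and not the course's own code): a minimal signature
engine in the spirit of IDS rules, run over constructed packet records."""
from collections import defaultdict, deque
import ipaddress

# Assumed environment values (constructed placeholders).
HOME_NET = ipaddress.ip_network("192.168.10.0/24")
TRUSTED_RESOLVER = "192.168.10.2"
KNOWN_BAD = {"203.0.113.45"}        # addresses the bank has listed as malicious
DECOY_HOSTS = {"192.168.10.200"}    # honeypot: no legitimate system should contact it
SYN_THRESHOLD, SYN_WINDOW = 5, 1.0  # more than 5 SYNs to one host within 1 s


def pkt(ts, proto, src, dst, sport, dport, payload=b"", flags=""):
    """Constructed packet record; a real engine would fill this from a decoded capture."""
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "payload": payload, "flags": flags}


SAMPLE_PACKETS = [
    pkt(0.0, "udp", "192.168.10.2", "192.168.10.25", 53, 50321),                  # DNS reply, trusted
    pkt(0.1, "udp", "198.51.100.7", "192.168.10.25", 53, 50322),                  # DNS reply, untrusted
    pkt(0.2, "tcp", "192.168.10.30", "203.0.113.45", 44000, 443, flags="S"),      # listed bad address
    pkt(0.3, "tcp", "192.168.10.31", "192.168.10.50", 44001, 21, b"PASS s3cret\r\n"),  # cleartext FTP
    pkt(0.4, "tcp", "198.51.100.9", "192.168.10.200", 44002, 22, flags="S"),      # decoy host touched
] + [pkt(1.0 + i * 0.1, "tcp", f"198.51.100.{10 + i}", "192.168.10.80", 40000 + i, 80, flags="S")
     for i in range(8)]                                                          # SYN burst


class SignatureEngine:
    def __init__(self):
        self.syn_times = defaultdict(deque)  # per-destination timestamps for the rate rule

    def rule_known_bad(self, p):
        if p["dst"] in KNOWN_BAD:
            return "known-bad destination address"

    def rule_decoy_contact(self, p):
        if p["dst"] in DECOY_HOSTS:
            return "honeypot indicator: traffic to decoy host"

    def rule_dns_source(self, p):
        # A DNS reply into the home network from anything but the trusted resolver
        # is an indicator of DNS spoofing or cache poisoning.
        if (p["proto"] == "udp" and p["sport"] == 53 and p["src"] != TRUSTED_RESOLVER
                and ipaddress.ip_address(p["dst"]) in HOME_NET):
            return "untrusted DNS reply source"

    def rule_cleartext_ftp(self, p):
        # Content signature on the well-known FTP port: a password sent in the clear.
        if p["proto"] == "tcp" and p["dport"] == 21 and p["payload"].startswith(b"PASS "):
            return "cleartext FTP password on port 21"

    def rule_syn_flood(self, p):
        # Stateful rate rule: sliding window of SYNs per destination.
        if p["proto"] == "tcp" and p["flags"] == "S":
            q = self.syn_times[p["dst"]]
            q.append(p["ts"])
            while q and p["ts"] - q[0] > SYN_WINDOW:
                q.popleft()
            if len(q) > SYN_THRESHOLD:
                return f"SYN flood: {len(q)} SYNs in {SYN_WINDOW}s"

    def run(self, packets):
        rules = (self.rule_known_bad, self.rule_decoy_contact, self.rule_dns_source,
                 self.rule_cleartext_ftp, self.rule_syn_flood)
        alerts = []
        for p in packets:
            for rule in rules:
                msg = rule(p)
                if msg:
                    alerts.append((p["ts"], p["src"], p["dst"], msg))
        return alerts


if __name__ == "__main__":
    for alert in SignatureEngine().run(SAMPLE_PACKETS):
        print(alert)
```

Each rule maps to a Snort concept: the address rules to header matching against a variable such as a home-network or blocklist set, the FTP rule to a `content` match on a well-known port, and the SYN rule to a threshold applied over a time window. Tuning `SYN_THRESHOLD` and `SYN_WINDOW` against a baseline capture of legitimate traffic is exactly the false positive/false negative trade-off discussed in Step 3.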
Network traffic analysis is often done using tools such as Wireshark.
Wireshark
Wireshark is a network packet (or protocol) analyzer that gathers and displays information about network packets. It is an open source network analyzer that can be installed on Windows, Linux, and Mac operating systems (Atlassian Documentation, n.d.).
Though Wireshark is not an intrusion detection system, it can be used by administrators, security engineers, and developers for several purposes, including troubleshooting network problems, examining security issues, debugging protocol implementations, and learning network protocol internals (Network Startup Resource Center, n.d.).
References
Atlassian Documentation. (n.d.). How to capture HTTP traffic using Wireshark or Fiddler. https://confluence.atlassian.com/kb/how-to-capture-http-traffic-using-wireshark-or-fiddler-779164332.html.
Network Startup Resource Center. (n.d.). Wireshark: Network forensic exercise. https://nsrc.org/workshops/2016/apricot2016/raw-attachment/wiki/Track5Wireless/wireshark-lab.pdf.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Cybersecurity professionals must know how to perform network forensics analysis.
Network Forensics Analysis
Network forensics refers to identification and analysis of digital content to investigate attacks on the network. The National Institute of Standards and Technology defines four fundamental phases for forensic analysis as collection, examination, analysis, and reporting (Kent et al., 2006).
According to Khan et al. (2014), network forensics:
…aims to identify legal evidence from network traffic to investigate the origin of the attack and attacker behavior. NFFs [network forensic frameworks] capture and analyze network traffic in the network to investigate attacks performed by different attackers. NFFs extract information from network traffic to rebuild emails, messages, FTP traffic, and various other communications. The process helps network forensic investigators (NFIs) reconstruct the attack path and determine the attack’s origin.
Network forensics includes several techniques including logging, examination, spread spectrum, and packet marking (Khan et al., 2014).
References
Khan, S., Shiraz, M., Wahab, A., Gani, A., Han, Q., & Rahman, Z. (2014). A comprehensive review on adaptability of network forensics frameworks for mobile cloud computing. The Scientific World Journal. https://www.hindawi.com/journals/tswj/2014/547062/.
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Computer security: Guide to integrating forensic techniques into incident response (Special Publication 800-86). National Institute of Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf.
In the next step, you will analyze network traffic.
Step 4: Analyze Network Traffic (Lab Document, I will provide).
In the previous step, you identified and analyzed risks related to false negatives and false positives. For this step, you will analyze network traffic, conduct network forensics analysis, and identify malicious network addresses.
Enter Workspace and perform the network traffic analysis. During this step, you will also develop proposed rules to prevent against known malicious sites and to test for these signatures.
Step 5: Determine Sensitivity of Your Analysis
In the previous step, you completed network analysis. In this step, you will determine which information to include in which document.
Information appropriate for internal consumption may not be appropriate for public consumption. The Joint Network Defense Bulletin may alert criminals of the network defense strategy. Therefore, be careful about what you include in this bulletin.
Once you have assessed the sensitivity of the information, include appropriate information in your Malicious Network Activity Report.
Then, include appropriate information in the Joint Network Defense Bulletin in a way that educates the financial services consortium of the threat and the mitigating activities necessary to protect against that threat.
Step 6: Explain Other Detection Tools and Techniques
In the previous step, you included appropriate information in the proper document. In this step, perform independent research and briefly discuss what other tools and techniques may be used to detect these signatures.
Provide enough detail so that a bank network administrator could follow your explanation to deploy your system in production. Include this information in the Joint Network Defense Bulletin.
Next, move to the next step, where you will organize and complete your report.
Step 7: Complete Malicious Network Activity Report
Now that you have gathered all the data for your Malicious Network Activity Report, it is time to organize your report. The following is a suggested outline:
1. Introduction: Describe the banking institution and the issue you will be examining.
2. Overview of the Network Architecture
3. Network Attacks
4. Network Traffic Analysis and Results
5. Other Detection Tools and Techniques
6. Recommended Remediation Strategies
Submit your report to the Assignments folder by following the directions in the final step. You are now ready for the last piece of this project, the Joint Network Defense Bulletin.
Step 8: Create the Joint Network Defense Bulletin
In this step, y