AB Network Security Challenge
School: University of Texas, San Antonio
Course: UTSA-VIRT-
Subject: Information Systems
Date: Dec 6, 2023
Type: docx, 16 pages
Uploaded by AmbassadorIbex3880
Cybersecurity
Module 11 Challenge Submission File
Network Security Homework
Make a copy of this document to work in, and then fill out the solution for each prompt below. Save and submit this completed file as your Challenge deliverable.
Part 1: Review Questions
Security Control Types
The concept of defense in depth can be broken down into three security control types. Identify the security control type of each set of defense tactics.
1. Walls, bollards, fences, guard dogs, cameras, and lighting are what type of security control?
Physical
2. Security awareness programs, BYOD policies, and ethical hiring practices are what type of security control?
Management
3. Encryption, biometric fingerprint readers, firewalls, endpoint security, and intrusion detection systems are what type of security control?
Operational
Intrusion Detection and Attack Indicators
1. What’s the difference between an IDS and an IPS?
Both an IDS and an IPS use signature- and anomaly-based detection to monitor network traffic and identify threats.
An IDS keeps the flow of traffic open and sends alerts when it detects something suspicious, while an IPS makes decisions to drop or allow packets based on a set of defined rules and automated responses.
An IDS leaves it up to the host to decide what to do with the traffic, while an IPS has the ability to respond against it.
2. What’s the difference between an indicator of attack (IOA) and an indicator of compromise (IOC)?
Indicators of compromise are evidence of a past breach, or that a system or network was compromised through unauthorized access by malware or a user.
Indicators of attack are evidence that there is currently an ongoing attack or active breach by malware or an unauthorized user.
The Cyber Kill Chain
Name the seven stages of the cyber kill chain, and provide a brief example of each.
1. Stage 1: Reconnaissance: this phase is where the attacker is surveying its target and gathering assets and knowledge to plan an attack against it.
2. Stage 2: Weaponization: the bad actor creates their attack vectors (malicious code, ransomware, malware) to exploit the vulnerabilities they discovered. During this phase they may create backdoors to continue accessing their target network/system.
3. Stage 3: Delivery: the bad actor has launched their attack and may begin sending out phishing emails or try to further their access physically with a USB drive filled with malicious code.
4. Stage 4: Exploitation: the bad actor has gained access throughout the network/system by exploiting vulnerabilities in the system.
5. Stage 5: Installation: the bad actor has installed their malicious code and has begun installing their malware; they are now fully embedded in the system.
6. Stage 6: Command and Control: the attacker now assumes remote control and can begin working their way through the system, expanding their control and creating more points of entry.
7. Stage 7: Actions on Objective: the bad actor is now nested in the system and begins to focus on carrying out their original goals, for example stealing credentials, data theft, data encryption, etc.
Snort Rule Analysis
Use the provided Snort rules to answer the following questions:
Snort Rule #1
alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
1. Break down the Snort rule header and explain what this rule does.
alert - generates an alert on the current packet
tcp - applies to all TCP packets
$EXTERNAL_NET - any IP other than $HOME_NET
any - applies the rule to packets from any source port
->
$HOME_NET - all the IP addresses we are protecting
5800:5820 - applies the rule to packets inbound to a range of ports, 5800 to 5820
2. What stage of the cyber kill chain does the alerted activity violate?
Violating stage 1 of the cyber kill chain, reconnaissance
3. What kind of attack is indicated?
“attempted-recon”
Snort Rule #2
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, updated_at 2017_02_01;)
1. Break down the Snort rule header and explain what this rule does.
alert - generates an alert on the current packet
tcp - applies to all TCP packets
$EXTERNAL_NET - any IP other than $HOME_NET
$HTTP_PORTS - applies the rule to packets from an external HTTP port
->
$HOME_NET - all the IP addresses we are protecting
any - applies the rule to packets inbound to any port
2. What layer of the cyber kill chain does the alerted activity violate?
Violating stage 4, exploitation
3. What kind of attack is indicated?
“policy-violation”
Snort Rule #3
Your turn! Write a Snort rule that alerts when traffic is detected inbound on port 4444 to the local network on any port. Be sure to include the msg in the rule option.
alert tcp any any -> $HOME_NET 4444 (msg:"TRAFFIC INBOUND TO PORT 4444"; sid:1000001; rev:1;)
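As an added example, not part of the submission, the following script parses the three rules above into the seven header fields the questions ask about (action, protocol, source, source port, direction, destination, destination port) plus the option list, so the classtype, sid and msg can be read off mechanically. Only the rule text comes from this page; RULE_3 is the rule from Snort Rule #3 with straight quotes and an assumed local sid/rev (1000001, rev 1) added so that Snort would load it, and the parser itself is mine and leaves rule variables such as $HTTP_PORTS unresolved, since resolving them needs snort.conf.

```python
"""Added example (not from the submission): parse the Snort rule header and
option list for the three rules quoted above.  Rule text is from the page;
the parser is mine and leaves $VARIABLES unresolved (that needs snort.conf)."""
import re

# Options are ';'-separated, but ';' may sit inside a quoted msg/content value,
# so only split on a ';' that is followed by an even number of quote marks.
_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')
_HEADER = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")

def parse_snort_rule(rule: str) -> dict:
    """Return {'header': {field: value}, 'options': [(keyword, value), ...]}."""
    rule = " ".join(rule.split())  # re-join a rule that was wrapped across lines
    m = re.fullmatch(r"(.*?)\s*\((.*)\)", rule)
    if not m:
        raise ValueError("rule has no (options) section")
    fields = m.group(1).split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError(f"malformed header: {m.group(1)!r}")
    options = []
    for opt in _OPT_SPLIT.split(m.group(2)):
        if opt.strip():  # the trailing ';' leaves one empty item behind
            kw, _, val = opt.strip().partition(":")
            options.append((kw.strip(), val.strip().strip('"')))
    return {"header": dict(zip(_HEADER, fields)), "options": options}

def option(parsed: dict, keyword: str):
    """First value of an option keyword such as 'classtype' or 'sid', else None."""
    return next((v for k, v in parsed["options"] if k == keyword), None)

def port_matches(spec: str, port: int) -> bool:
    """Does a header port field ('any', '4444', '5800:5820', '!22') cover port?"""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("$"):
        raise ValueError(f"{spec} is a rule variable; resolve it from snort.conf first")
    if ":" in spec:  # open-ended ranges like ':1023' or '1024:' are allowed
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

RULE_1 = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)'
RULE_2 = 'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, updated_at 2017_02_01;)'
RULE_3 = 'alert tcp any any -> $HOME_NET 4444 (msg:"TRAFFIC INBOUND TO PORT 4444"; sid:1000001; rev:1;)'  # sid/rev assumed
if __name__ == "__main__":
    for rule in (RULE_1, RULE_2, RULE_3):
        p = parse_snort_rule(rule)
        print(p["header"]["dst_port"], option(p, "classtype"), option(p, "msg"))
```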
Part 2: “Drop Zone” Lab
Set up.
Log into the Azure firewalld machine using the following credentials:
● Username: sysadmin
● Password: cybersecurity
Uninstall UFW.
Before getting started, you should verify that you do not have any instances of UFW running. This avoids conflicts with your firewalld service and ensures that firewalld will be your default firewall.
● Run the command that removes any running instance of UFW.
$ sudo ufw disable
$ sudo apt remove ufw
Enable and start firewalld.
By default, the firewalld service should be running. If not, then run the commands that enable and start firewalld upon boots and reboots.
$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld
Note: This will ensure that firewalld remains active after each reboot.
Confirm that the service is running.
Run the command that checks whether the firewalld service is up and running.
$ sudo systemctl status firewalld
List all firewall rules currently configured.
Next, list all currently configured firewall rules. This will give you a good idea of what’s currently configured and save you time in the long run by ensuring that you don’t duplicate work that’s already done.
● Run the command that lists all currently configured firewall rules:
$ sudo firewall-cmd --list-all
● Take note of what zones and settings are configured. You may need to remove unneeded services and settings.