# Intrusion Detection System
IDS: hardware or software used to detect security breaches and attacks by monitoring a network or host.
**Network Intrusion Detection System (NIDS)**
Detects traffic that matches attacker-behavior signatures by passing all network traffic through it.
**Host Intrusion Detection System (HIDS)**
Works on a specific host. Tries to detect malicious activity by examining all network packets entering and leaving that device.
**Protocol-Based Intrusion Detection System (PIDS)**
Examines traffic between server and client in a protocol-specific way
**Application Protocol-Based Intrusion Detection System (APIDS)**
Type of IDS that tries to detect security breaches by monitoring communication in application-specific protocols
**Hybrid Intrusion Detection System**
When two or more violation detection approaches are used together
## Functions of IDS
- Detecting security breaches
- Informing the administrator and/or sending information to a SIEM
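An added illustration, not from the original notes, of the two IDS functions above: constructed content signatures are applied to constructed sample packets (the NIDS role of passing all traffic through the sensor), and each match becomes an alert that is serialised as newline-delimited JSON of the kind a SIEM collector would ingest. The signatures, packets and event format are assumptions, not any real product's ruleset.

```python
import json
import re
from datetime import datetime, timezone

# Constructed signatures: (name, regex over the packet payload). Illustrative only,
# not rules from any real IDS ruleset.
SIGNATURES = [
    ("web-path-traversal", re.compile(rb"\.\./\.\./")),
    ("sqli-tautology", re.compile(rb"(?i)'\s*or\s*'?1'?\s*=\s*'?1")),
    ("scripted-client-ua", re.compile(rb"(?i)User-Agent:\s*(curl|python-requests)")),
]

def inspect_packet(pkt):
    """Return one alert dict per signature that the packet payload matches."""
    alerts = []
    for name, pattern in SIGNATURES:
        if pattern.search(pkt["payload"]):
            alerts.append({
                "timestamp": datetime.now(timezone.utc).isoformat(),
                "signature": name,
                "src_ip": pkt["src_ip"], "src_port": pkt["src_port"],
                "dst_ip": pkt["dst_ip"], "dst_port": pkt["dst_port"],
            })
    return alerts

def monitor(packets):
    """Pass every packet through the signature set (the NIDS role); return all alerts."""
    alerts = []
    for pkt in packets:
        alerts.extend(inspect_packet(pkt))
    return alerts

def to_siem(alerts):
    """Serialise alerts as newline-delimited JSON, one event per line (assumed collector format)."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)

# Constructed sample traffic: two suspicious HTTP requests and one benign one.
SAMPLE_PACKETS = [
    {"src_ip": "203.0.113.7", "src_port": 51234, "dst_ip": "192.0.2.10", "dst_port": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\nUser-Agent: curl/8.0\r\n\r\n"},
    {"src_ip": "198.51.100.4", "src_port": 40000, "dst_ip": "192.0.2.10", "dst_port": 80,
     "payload": b"GET /login?user=a' OR '1'='1 HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"src_ip": "198.51.100.9", "src_port": 40001, "dst_ip": "192.0.2.10", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\nUser-Agent: Mozilla/5.0\r\n\r\n"},
]

if __name__ == "__main__":
    print(to_siem(monitor(SAMPLE_PACKETS)))
```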
## Importance of IDS for Security
It is used primarily to detect malicious behavior, and cannot usually take action by itself. Therefore, it's important to use it alongside a security product that can take additional actions.
Products:
- Zeek (formerly Bro)
- Snort
- Suricata
- Fail2ban
- OSSEC
## ~~What log sources do IDS have~~
## Physical Location of the IDS
Between the firewall and the client systems for a NIDS, or next to/on a host for a HIDS.
# Intrusion Prevention System
IPS is hardware or software that detects security violations by monitoring a network or host and prevents them by taking the necessary action.
## Types
**Network Based IPS (NIPS)**
Detects and eliminates security violations by monitoring all incoming traffic to the network it is in
**Host Based IPS (HIPS)**
Monitors and analyzes suspicious activities for a host
**Network Behavior Analysis (NBA)**
Detects and blocks unusual traffic flows and DoS attacks on the network
**Wireless IPS (WIPS)**
Monitors and analyzes network protocol traffic of wireless devices in a network
## IPS Functions
- Responsible for preventing malicious behavior by detecting security breaches
- Notifies relevant authorities of the security breach encountered during monitoring as an alert
## Importance
Having the ability to independently take action against security breaches is highly beneficial. Must be used and configured correctly, and should be monitored by active personnel.
Products:
- Cisco NGIPS
- Suricata
- Fidelis
## Log Resources
- Date and Time Information
- Message about the Attack
- Source IP
- Source Port
- Destination IP
- Destination Port
Log content is similar to that of an IDS
## Physical Location
Depends on the type of IPS. Generally between the LAN and the firewall
# Firewall
**Application Level Gateways**
Proxy firewalls that act as an application-layer intermediary between two end systems.
Capture and analyze packets at the application layer of the OSI model
**Circuit Level Gateways**
Verify TCP connections and sessions and operate in the session layer of the OSI model
Easily configured, low resource consumption, and simplified structure.
**Cloud Firewalls**
Firewall-as-a-Service (FWaaS): when an institution receives firewall service over the cloud
Easily reconfigured based on demand or traffic load
**Endpoint Firewalls**
Host-based firewall installed on devices
Difficult to manage, but important to use to ensure security
**NAT Firewalls**
Allow outbound access to internet traffic while blocking unwanted inbound connections
These firewalls are used to hide IP addresses in internal network from external network
**NGFWs**
Combine features of different firewalls under a single firewall
Have a Deep-Packet Inspection (DPI) feature
Designed to block external threats, malware attacks, and advanced attack methods
**Packet-filtering Firewalls**
Monitor network traffic and filter incoming packets according to configured rules
Can be used without many resource requirements
Lacks ability to block web-based attacks
**Stateful Multi-Layer Inspection Firewalls**
SMLI are capable of both packet inspection and TCP handshake verification
Tracks status of established connections
**Threat-focused NGFW**
Has all features of NGFW firewall, plus advanced threat detection features
Reacts quickly to attacks because it monitors malicious activity from beginning to end
Shortens the time from the first detection of a threat to the cleanup phase
**Unified Threat Management Firewalls**
Stateful inspection firewalls with antivirus and intrusion prevention
## How Firewalls Work
It always comes down to rules
A rule decides whether a network packet is allowed or blocked
## Why Firewalls are Important
Very basic security solution
Products:
- Fortinet
- Palo Alto Networks
- SonicWall
- Check Point
- Juniper
- pfSense
- Sophos
## Log Fields
- Date/Time
- Source IP
- Destination IP
- Source Port
- Destination Port
- Action Information
- Number of packets sent
- Number of packets received
## Physical Location
Depends on the type
Placed between the devices being defended and the location being protected against
# Endpoint Detection and Response
EDR is installed on endpoint devices; it constantly monitors activity on the system, tries to detect threats, and takes action against malicious activity.
## Endpoint Devices
- desktop
- laptop
- mobile device
- tablet
- smart watch
- IoT device
- POS system
- Medical services
- printers
- servers
## Core Components
- Endpoint Data Collection Agents
- Automated Response
- Analysis and Forensics
## Functions
1. monitoring and collecting processes on each device that may identify security threats
2. analyzing behavior of threat actors according to data on device
3. taking appropriate action against the threat identified from the collected data and informing the relevant security analysts
4. allow forensic analysis on device to conduct in-depth investigation of suspicious activities
## Importance
Attackers aim to gain access to network by compromising weak devices. If an endpoint does not have EDR installed, it can be used by the attacker for initial access.
Products:
- SentinelOne
- Crowdstrike
- CarbonBlack
- Palo Alto
- FireEye HX
## Log Fields
- Process Size
- Process Hash
- Process Path
- Files Accessed
# Antivirus Software
AV detects malware and blocks/removes malware from system before it harms the device.
## Types of AV
### Signature Based Scanning
Scans system to detect malware via digital signature. If there are any matching signatures, it marks the file and clears it from the system.
Signatures are kept on-system and must be constantly updated with up-to-date signatures. Can detect most known malware easily.
### Heuristic Scanning
Monitors the processes and behavior of examined files. The probability of detecting malicious activity is much higher this way, as suspicious behavior is automatically flagged and quarantined. Especially useful when no matching signature is in the database.
## Functions of Antivirus Software
- Detects malware by constantly scanning the system
- Protects the system against external threats
- Cleans detected malware from the system
## How AV Works
https://www.youtube.com/watch?v=jW626WMWNAE
## Importance
Most effective way to detect known malware and quickly clean it from system.
Products:
- McAfee
- Symantec
- Bitdefender
- Eset
- Norton
## Logs
- File Size
- File Name
- Signature
- Type of malware
# Sandbox Solutions
Used to run/open and examine executable files that are known or suspected to be malware, in an isolated environment.
## Benefits
- Minimizes risk to the host and its OS
- Detects potentially dangerous files
- Allows testing of software before it goes live
- Helps defend against 0-day vulnerabilities
## Importance
Products:
- Check Point
- McAfee
- Symantec
- Trend Micro
- Proofpoint
# Data Loss Prevention
DLP prevents sensitive data and critical information from leaving the institution
Three types:
- Network DLP
  - Takes action on critical/sensitive information leaving the network or organization
  - Blocks connections or requests that they be audited
  - Reports suspicious activity to admins
- Endpoint DLP
  - Monitors activities on individual devices rather than packet flow within the network
  - Can flag whether sensitive information is being kept in encrypted form on the endpoint device
- Cloud DLP
  - Used to prevent sensitive data from leaking over the cloud
  - Ensures personnel can use cloud applications comfortably without data breaches
## How Does It Work
- according to rulesets created for it
- blocks or encrypts data flow
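An added example, not from the original notes, of the ruleset-driven decision above: each rule pairs a detector with the policy action (block or encrypt), a Luhn check keeps random 16-digit numbers from triggering the payment-card rule, and the strictest action among all matches wins. The rules, the marker word and the sample messages are constructed; the code only returns the decision and leaves the actual encryption to the surrounding product.

```python
import re

def luhn_ok(digits):
    """Luhn checksum over a digit string; cuts false positives on random 16-digit numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Constructed ruleset: (name, pattern, validator or None, policy action).
# Patterns are deliberately minimal; a real DLP product ships far richer detectors.
RULES = [
    ("payment-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
     lambda text: luhn_ok(re.sub(r"[ -]", "", text)), "block"),
    ("classified-marker", re.compile(r"\bCONFIDENTIAL\b"), None, "encrypt"),
]

SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}

def inspect_outbound(message):
    """Apply the ruleset to one outbound message; return (action, matched rule names).
    The strictest action among all matches wins, so a blocked item is never merely encrypted."""
    action, hits = "allow", []
    for name, pattern, validator, rule_action in RULES:
        for m in pattern.finditer(message):
            if validator is None or validator(m.group(0)):
                hits.append(name)
                if SEVERITY[rule_action] > SEVERITY[action]:
                    action = rule_action
                break   # one hit per rule is enough to decide
    return action, hits

if __name__ == "__main__":
    # Constructed outbound messages, e.g. the body of an e-mail or a file upload.
    for msg in ["Invoice attached, card 4111 1111 1111 1111 on file",
                "Order ref 1234 5678 9012 3456",
                "CONFIDENTIAL: Q3 roadmap draft"]:
        print(inspect_outbound(msg), "<-", msg)
```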
## Importance
Preventing information disclosure is critical
Products:
- Forcepoint
- McAfee
- Trend Micro
- Checkpoint
- Symantec
# Asset Management Solutions
Monitor operating status of assets within corporate network, while maintaining and removing them when necessary.
## Benefits
- implements policy standards
- helps with documentation centralization
- improves asset performance
- provides inventory control
- supports strategic decision-making
## Types and Components of IT Asset Management
1. Software
2. Hardware
3. Mobile Devices
4. Cloud
## Importance of Asset Management Software for Security
There are many devices used for countless individual tasks on a network. As organizations grow it becomes more difficult to manage those devices separately, and small details can become overlooked without management tools to bridge the gap.
Outdated software can be easily detected and managed, and action can be taken quickly rather than going through bureaucratic hoops. This is especially useful when dealing with potential vulnerabilities.
Products:
- AssetExplorer
- Ivanti
- Armis
- Asset Panda
# Web Application Firewall
WAFs are security software or hardware that monitor, filter, and block incoming and outgoing packets from a web application.
Types:
1. Network-Based WAF
    1. Typically hardware based and more expensive
2. Host-Based WAF
    1. Offers more customization and flexibility due to being a software product
    2. Consumes resources on the host it is installed on
    3. Likely difficult to maintain; the host must be securely hardened
3. Cloud-Based WAF
    1. Easy to apply since it is typically an external service
    2. No additional costs such as maintenance
    3. Flexibility/customization options must be considered when choosing this as a solution
## How Do They Work
- rulesets which relate to HTTP
- prevents web-based attacks at the application layer level
- requests are allowed or blocked based on rulesets
## Importance
Applications are in almost every sector of the internet or within local networks.
Products:
- AWS
- Cloudflare
- F5
- Citrix
- FortiWeb
# Load Balancer
Hardware or Software used to distribute traffic to servers in a balanced way and placed in front of the servers
## Benefits of Load Balancers
- Efficiency
- Flexibility
- Reduced Downtime
- Redundancy
- Scalability
Important to organizations because ensuring that security services are not interrupted is critical to regular operations.
Products:
- NGINX
- F5
- HAProxy
- Citrix
- Azure Traffic Manager
- AWS
# Proxy Server
Acts as gateway between client and server
## Types
1. Forward
    1. Directs requests from a private network to the internet, with a firewall in the middle
    2. Most common
2. Transparent
    1. Directs requests to the target without making changes to requests or responses
3. Anonymous
    1. Enables anonymous browsing on the internet
4. High anonymity
    1. Makes the client difficult to track; does not send the proxy server type or the client's IP address in the request
5. Distorting
    1. Tries to hide the client's identity by presenting itself as the website's proxy
6. Data center
    1. Gets its service from a data center rather than being connected to an ISP
    2. Insufficient to provide anonymity
7. Residential
    1. Passes all requests made by the client
    2. Blocks advertisements
8. Public
    1. Free, available to everyone
    2. Sacrifices security and speed
9. Shared
    1. Used by more than one person at the same time
    2. Fast and cost free
    3. Consequences are shared among users
10. SSL
    1. Communication is provided in a bidirectional manner
    2. Safe because it provides encrypted communication against threats
11. Rotating
    1. A separate IP is assigned to each client
12. Reverse
    1. Validates and processes transactions so the client does not communicate directly with the server
    2. The most popular reverse proxies are Varnish and Squid
13. Split
    1. Runs as two programs on two different servers
14. Non-transparent
    1. Sends all requests to the firewall
15. Hostile
    1. Eavesdrops on traffic between the client and the target on the web
    2. Man-in-the-middle (MITM)
16. Intercepting
    1. Combines the proxy feature and the gateway feature
17. Forced
    1. Blocking and allow policies are applied together
18. Caching
    1. Has a cache
    2. Returns responses from the cache, according to its caching mechanism, for requests sent by clients
19. Web
    1. Works on web traffic
20. SOCKS
    1. Prevents external network components from obtaining information about the client
21. HTTP
    1. Has a caching mechanism specifically for the HTTP protocol
## Benefits
- private browsing
- increased security
- hides client's IP address
- allows network traffic management
- saves bandwidth in coordination with caching mechanisms
- circumvents access restrictions
## How does it work
By inserting an intermediary (a man-in-the-middle by design) that handles requests on the client's behalf, giving the client some measure of protection
Proxies typically keep logs as records of their transactions
## Importance
The endpoint of an attack may not actually be the IP address shown in logs, because proxies obfuscate the true source.
It is very important that traffic passing through the proxy is transmitted encrypted.
Products:
- Smartproxy
- Bright Data
- SOAX
- Oxylabs
# Email Security Solutions
Provides protection against email-based avenues of attack. Can be software- or hardware-based
## Functionality
- Ensures security control of email files
- Checks URLs in emails for validity and safety
- Detects and blocks spoofed emails
- Blocks known harmful emails
- Blocks emails in which malicious content is detected
- Informs the relevant product/manager about harmful email content
## Importance
Phishing is one of the most popular avenues of attack.
Products:
- FireEye EX
- IronPort
- TrendMicro Email Security
- Proofpoint
- Symantec