issc642 discussion and discussion responses 5
Hello,
This is a two-part question. First, I will need the discussion question answered; the question is below in bold, 300 words, APA format. For part two I will need two responses of at least 175 words each.
Differentiate between the various tools and tactics for attacking network security monitoring and the considerations involved in incident response.
Part two
Student one:
Differentiate between the various tools and tactics for attacking network security monitoring and the considerations involved in incident response.
When we start looking at tools, you will notice that a lot of them are open source. Big-name tools such as Metasploit are open source first. There are options to purchase a paid version of this tool, but if you have ever looked into it and played around with its features, you may only need the open source version. Some tools that were mentioned in the book are:
FRAGROUTE
IP SORCERY (ipmagic)
PACKIT
FRAGROUTE and PACKIT are command line tools, while IP SORCERY has a GUI that can be a little easier to work with. These tools are all used to conduct packet manipulation. From a network security monitoring standpoint, if an attacker is utilizing these tools, the actual analysis of packets would get difficult, as the packets would have changes to things such as port, IP version, and IP address, and would generate new packet traffic with user modifiers.
When we start talking about tactics used to attack network security monitoring, there are social engineering, compromised accounts, and sniffing. One of the big ones is compromised accounts. This is because if an attacker is able to gain authenticated access, many rules and detection controls will not send an alert, because the activity comes from an authorized account on the network.
When we look into preventing certain attacks on our network, we will want to keep a few things in mind. The first is anonymity. This is important, as when an attacker scans the organization's network, a label on an asset (Windows Server 2010) is information that can be used to further try to find a vulnerability. The second is encryption. This ensures the CIA of network traffic, both outgoing and incoming. Ensuring that a man-in-the-middle or sniffing attack cannot be accomplished can be done with encryption.
References
Aquilina, J. M. (2008). Malware forensics. Retrieved from https://www.sciencedirect.com/science/article/pii/…
Bejtlich, R. (2004). The Tao of network security monitoring: Beyond intrusion detection. Boston, MA: Addison-Wesley.
Ellis, D. (n.d.). 6 phases in the incident response plan. Retrieved April 13, 2020, from https://www.securitymetrics.com/blog/6-phases-inci…
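The point in the post above, that packet manipulation tools make the sensor's analysis difficult, can be made concrete. What follows is an added example, not part of the student's post and not code from fragroute: a pure-Python model of the overlapping-fragment trick, in which a sensor that keeps the first copy of an overlapping byte and a host that keeps the last copy reassemble two different payloads from the same fragments, so the sensor's content rule never fires on what the host actually executes. The request strings are constructed sample data, and plain byte offsets are used instead of the 8-byte units of a real IPv4 fragment offset field.

```python
"""Added example: overlapping IP fragments and the sensor/host reassembly mismatch.

Models the insertion/evasion trick that fragmentation tools automate. Offsets are
plain byte offsets (real IPv4 fragment offsets are in 8-byte units) and the request
strings are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    data: bytes   # payload bytes carried by this fragment
    more: bool    # IP "More Fragments" flag; False marks the final fragment


def reassemble(fragments, policy):
    """Rebuild the datagram from fragments taken in arrival order.

    policy == "first": bytes from the fragment that arrived first win on overlap.
    policy == "last":  later fragments overwrite earlier ones at the same offset.
    Real stacks also apply timeouts and size limits, which are omitted here.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown reassembly policy: {policy}")
    if not fragments:
        return b""
    buf = {}
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    end = max(f.offset + len(f.data) for f in fragments)
    if not any(f.offset + len(f.data) == end and not f.more for f in fragments):
        raise ValueError("final fragment (More Fragments = 0) not seen")
    missing = [p for p in range(end) if p not in buf]
    if missing:
        raise ValueError(f"hole in reassembled datagram at offset {missing[0]}")
    return bytes(buf[p] for p in range(end))


def overlapping_request():
    """A benign prefix, a benign tail, then an overlapping tail sent afterwards that
    replaces the URI. Both tails are 21 bytes so the overlap is exact."""
    return [
        Fragment(0, b"GET /", more=True),
        Fragment(5, b"index.html HTTP/1.0\r\n", more=True),
        Fragment(5, b"evil.cgi   HTTP/1.0\r\n", more=False),
    ]


def signature_hit(payload):
    """Toy content rule standing in for an IDS signature on the hostile URI."""
    return b"evil.cgi" in payload


def sensor_and_host_views(sensor_policy="first", host_policy="last"):
    """Return (sensor's reassembled payload, host's reassembled payload, alert fired?)."""
    frags = overlapping_request()
    sensor_view = reassemble(frags, sensor_policy)
    host_view = reassemble(frags, host_policy)
    return sensor_view, host_view, signature_hit(sensor_view)


if __name__ == "__main__":
    sensor, host, alerted = sensor_and_host_views()
    print("sensor reassembled:", sensor)
    print("host reassembled:  ", host)
    print("alert fired on sensor:", alerted)
```

A sensor closes this gap only by reassembling the way the target host does (Snort's frag3 preprocessor takes a per-target reassembly policy for exactly this reason) or by sitting inline and normalizing fragments so that the overlap never reaches the host.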
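The compromised-account point in the post above is the other side of the same problem: signature rules stay quiet because every login is valid, so whatever alerting there is has to come from behaviour. As an added example, not from the post and not from any product, here is a small behavioural detector that learns a per-user baseline (usual sources, hosts and login hours) from a learning window and then flags sessions that deviate from it, including a fan-out check for one account walking across several servers in a few minutes. The log lines, their field layout (timestamp, user=, src=, host=, outcome=) and the tuning constants are constructed for this example.

```python
"""Added example: behavioural detection of a compromised but fully authenticated account.

Every event below is a successful login, so a signature rule has nothing to match.
Instead a per-user baseline (usual sources, hosts and hours) is learned from a
learning window and later sessions are scored against it. The log lines and their
field layout are constructed sample data for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed learning-window data: normal daytime activity for two users.
BASELINE_LOG = """\
2020-04-06T09:02:11 user=alice src=10.1.20.15 host=fileserver1 outcome=success
2020-04-06T09:40:03 user=alice src=10.1.20.15 host=fileserver1 outcome=success
2020-04-07T08:55:40 user=alice src=10.1.20.15 host=mailserver outcome=success
2020-04-08T10:12:19 user=alice src=10.1.20.15 host=fileserver1 outcome=success
2020-04-06T14:20:00 user=bob src=10.1.30.7 host=fileserver1 outcome=success
2020-04-07T13:05:51 user=bob src=10.1.30.7 host=fileserver1 outcome=success
"""

# Constructed detection-window data: alice's credentials used at 02:30 from a
# workstation she never uses, walking across several servers in a few minutes.
DETECTION_LOG = """\
2020-04-13T09:10:05 user=alice src=10.1.20.15 host=fileserver1 outcome=success
2020-04-13T02:31:44 user=alice src=10.1.44.200 host=fileserver1 outcome=success
2020-04-13T02:32:10 user=alice src=10.1.44.200 host=dc01 outcome=success
2020-04-13T02:32:40 user=alice src=10.1.44.200 host=hr-db outcome=success
2020-04-13T02:33:02 user=alice src=10.1.44.200 host=backup1 outcome=success
2020-04-13T13:15:30 user=bob src=10.1.30.7 host=fileserver1 outcome=success
"""

FAN_OUT_WINDOW = timedelta(minutes=10)   # tuning assumptions for this example
FAN_OUT_HOSTS = 3


def parse(text):
    """Turn 'ISO-timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def build_baseline(events):
    """Per-user sets of sources, hosts and login hours seen during the learning window."""
    base = defaultdict(lambda: {"srcs": set(), "hosts": set(), "hours": set()})
    for e in events:
        if e["outcome"] != "success":
            continue
        b = base[e["user"]]
        b["srcs"].add(e["src"])
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return base


def detect(baseline, events):
    """Return (timestamp, user, host, reasons) for every event that deviates from the baseline."""
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, host)] inside the fan-out window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, reasons = e["user"], []
        b = baseline.get(user)
        if b is None:
            reasons.append("UNKNOWN_USER")
        else:
            if e["src"] not in b["srcs"]:
                reasons.append("NEW_SOURCE")
            if e["host"] not in b["hosts"]:
                reasons.append("NEW_HOST")
            lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1   # one hour of slack either side
            if not lo <= e["ts"].hour <= hi:
                reasons.append("OFF_HOURS")
        window = [(t, h) for t, h in recent[user] if e["ts"] - t <= FAN_OUT_WINDOW]
        window.append((e["ts"], e["host"]))
        recent[user] = window
        if len({h for _, h in window}) >= FAN_OUT_HOSTS:
            reasons.append("FAN_OUT")
        if reasons:
            alerts.append((e["ts"].isoformat(), user, e["host"], reasons))
    return alerts


def run():
    """Build the baseline from the learning window and score the detection window."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(DETECTION_LOG))


if __name__ == "__main__":
    for ts, user, host, reasons in run():
        print(ts, user, host, ",".join(reasons))
```

The four 02:3x events are flagged while alice's normal 09:10 login and bob's session are not; in practice the baseline needs a long enough learning window and a review step, because a first-ever login from a new laptop is a deviation too.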
Student two:
This week's reading materials discussed a number of tools for attacking network security monitoring, and they all carry a number of considerations for individuals performing incident response. The key tools discussed in this week's reading include Packit, IP Sorcery, Fragroute, LFT, Xprobe2, Cisco IOS Denial of Service, Solaris Sadmin Exploitation Attempt, and Microsoft and RPC Exploitation.
Packit still appears to be supported today and is a network auditing tool that allows an individual to inject and manipulate IP traffic on your network (Bounds, 2018). Suggested uses for the tool include testing your network's firewalls as well as the intrusion detection system. While Darren Bounds was involved in the original development of the tool, Joao Eriberto Mota Filho appears to have taken over development around 2016. The last update for Packit was published in February of this year (Filho, 2020).
IP Sorcery was one of the first packet generators and was developed back in the 1990s (Zayner, 2004). A number of Google searches give me the impression that this tool is no longer supported, and likely has not been for a number of years. IP Sorcery was capable of sending IP, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Internet Group Management Protocol (IGMP) packets.
Fragroute is still around and active and, much like the other tools, also assists in IP/TCP stack behavior (Sankar, 2018). LFT (Layer Four Traceroute) and its predecessor FFT are reconnaissance tools that do not appear to be supported anymore; the last updates I have been able to find are from roughly a decade ago (McCarthy, 2008). Xprobe2 is a fingerprinting tool that relies on probabilistic fuzzy matching techniques and uses raw sockets to send out probes (Yarochkin, Arkin, & Kydyraliev, 2001). The tool hasn't been updated in roughly a decade; however, it appears to still be a popular tool (SourceForge, 2013).
The Cisco IOS Denial of Service, Solaris Sadmin Exploitation Attempt, and Microsoft and RPC Exploitation are vulnerabilities that programmers built test exploits around (Bejtlich, 2005). For the Cisco exploit, the generated code targeted IP protocols 55, 103, and 53 (Bejtlich, 2005). The Sadmin exploit involved sending remote procedure call (RPC) requests, and the Microsoft exploit involved a buffer-overflow vulnerability in the RPC interface (Bejtlich, 2005).
For miscellaneous considerations, I think the point that these are either publicly known vulnerabilities or open-use tools is a good one. With foreign intelligence entities using zero-day exploits, it's unlikely that these tools or methods would identify a number of threat vectors.
References
Bejtlich, R. (2005). The Tao of network security monitoring: Beyond intrusion detection. Boston, MA: Addison-Wesley.
Bounds, D. (2018). Packit. Retrieved from SourceForge: https://sourceforge.net/p/packit/wiki/Home/
Filho, J. E. (2020, February 5). Packit. Retrieved from GitHub: https://github.com/resurrecting-open-source-projec…
McCarthy, N. (2008, August 21). lft-3.8/lft.spec. Retrieved from Fossies: https://fossies.org/linux/privat/lft-3.8.tar.gz/lf…
Sankar, R. (2018, April 25). Fragroute: A network packet fragmentation & firewall testing tool. Retrieved from Kali Linux Tutorials: https://kalilinuxtutorials.com/fragroute/
SourceForge. (2013, June 4). Xprobe: Active OS fingerprinting tool. Retrieved from SourceForge: https://sourceforge.net/projects/xprobe/
Yarochkin, F., Arkin, O., & Kydyraliev, M. (2001). xprobe2(1). Retrieved from die.net: https://linux.die.net/man/1/xprobe2
Zayner, J. (2004). IP Sorcery. Retrieved from The GNU Operating System: https://www.gnu.msn.by/directory/IPSorcery.html
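The "probabilistic fuzzy matching" that the post above attributes to Xprobe2 can be illustrated with a small scorer. This is an added example and not Xprobe2's code or signature database: each probe result adds its weight to every candidate signature it agrees with, a probe that got no answer (filtered, or never sent) counts neither for nor against, and an observed TTL is rounded up to the nearest common initial TTL before comparison because the hop count to the target is unknown. The signature table, the feature weights and the two observations are constructed toy data, and the signature names are deliberately not real OS versions.

```python
"""Added example: Xprobe2-style fuzzy OS matching with weighted probe scores.

Each observed probe feature adds its weight to every signature it agrees with; the
score is the share of the weight that matched among the probes that actually got
answers. Signatures and observations are constructed toy data, not Xprobe2's
database or real captures.
"""

# Constructed toy signatures (names are deliberately not real OS versions).
SIGNATURES = {
    "toy-unix-64": {
        "icmp_ttl": 64, "icmp_df": True, "icmp_tos_echoed": True,
        "tcp_window": 5840, "tcp_opts": "MSS,SACK,TS,NOP,WS",
    },
    "toy-windows-128": {
        "icmp_ttl": 128, "icmp_df": False, "icmp_tos_echoed": False,
        "tcp_window": 65535, "tcp_opts": "MSS,NOP,NOP,SACK",
    },
    "toy-bsd-64": {
        "icmp_ttl": 64, "icmp_df": False, "icmp_tos_echoed": True,
        "tcp_window": 65535, "tcp_opts": "MSS,NOP,WS,SACK,TS",
    },
}

# Assumed weights: TCP option ordering is the strongest discriminator, a lone flag the weakest.
WEIGHTS = {"icmp_ttl": 2.0, "icmp_df": 1.0, "icmp_tos_echoed": 1.0,
           "tcp_window": 1.5, "tcp_opts": 3.0}

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial TTL, since the
    number of hops to the target is unknown."""
    for candidate in COMMON_INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError(f"TTL out of range: {observed_ttl}")


def normalise(observation):
    """Copy the observation with raw values mapped onto signature terms."""
    feats = dict(observation)
    if "icmp_ttl" in feats:
        feats["icmp_ttl"] = initial_ttl(feats["icmp_ttl"])
    return feats


def score(observation, signature):
    """Fraction of the available weight that matched. A feature absent from the
    observation (probe filtered, or never sent) is skipped rather than penalised."""
    feats = normalise(observation)
    gained = possible = 0.0
    for feature, expected in signature.items():
        if feature not in feats:
            continue
        possible += WEIGHTS[feature]
        if feats[feature] == expected:
            gained += WEIGHTS[feature]
    return gained / possible if possible else 0.0


def fingerprint(observation, signatures=SIGNATURES):
    """Return [(score, name), ...], best match first."""
    return sorted(((score(observation, sig), name) for name, sig in signatures.items()),
                  reverse=True)


# Constructed observations. FULL_REPLY answered every probe; TCP_FILTERED answered only
# the ICMP ones, as happens when a firewall drops the SYN probe.
FULL_REPLY = {"icmp_ttl": 57, "icmp_df": True, "icmp_tos_echoed": True,
              "tcp_window": 5840, "tcp_opts": "MSS,SACK,TS,NOP,WS"}
TCP_FILTERED = {"icmp_ttl": 120, "icmp_df": False, "icmp_tos_echoed": False}


if __name__ == "__main__":
    for label, obs in (("full reply", FULL_REPLY), ("tcp filtered", TCP_FILTERED)):
        print(label, [(name, round(s, 2)) for s, name in fingerprint(obs)])
```

Note that the second observation also scores a perfect 1.0, but on only three weak features with the strongest probe missing; a matcher used for real decisions should report how many probes contributed alongside the score, and a target whose responses have been altered with a packet-crafting tool feeds it false features in the same way.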