In this video you will learn about network mitigation techniques such as signature management, changing the native VLAN, switch port protection, network segmentation, privileged user accounts, file integrity monitoring, role separation, restricting access via ACLs, honeypots and honeynets, and penetration testing.
Signature Management
A signature is a set of rules that an IDS or IPS uses to recognize known intrusive activity, such as a DoS attack or a known exploit pattern. Signatures are installed and updated through the IDS/IPS management software, and sensors let you tune existing signatures and define new ones. As a sensor inspects network packets, it compares the traffic against its signatures to detect known attacks and responds with predefined actions. A malicious packet flow has a characteristic pattern, and the sensor examines each flow against many signatures at once. When a signature matches a flow, the sensor takes the configured action, such as logging the event, sending an alarm to the management software or, on an IPS, dropping the traffic.[1] Signature management is an ongoing task: a signature-based sensor can only detect what it has a signature for, so the signature set must be kept current, and noisy signatures must be tuned or disabled so that genuine alerts are not buried in false positives.
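The following is an added example written for this page, not code from the cited source or from any IDS product. It implements the mechanism described above in miniature: a parser for a small subset of Snort-style rule syntax (header plus msg, content, nocase and sid options), a matcher that checks header fields before payload content, and an inspection step that returns the predefined action. The rule SIDs, addresses and packets are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Snort-style rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

@dataclass
class Signature:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int
    msg: str
    contents: list = field(default_factory=list)   # [(bytes, nocase), ...]

def parse_rule(text):
    """Parse one rule. Only msg, content, nocase and sid are understood (a deliberate subset)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    opts, contents = {}, []
    for raw in m["opts"].split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True          # nocase modifies the preceding content
        else:
            opts[key] = val
    return Signature(action=m["action"], proto=m["proto"].lower(), src=m["src"],
                     sport=m["sport"], dst=m["dst"], dport=m["dport"],
                     sid=int(opts.get("sid", 0)), msg=opts.get("msg", ""),
                     contents=[tuple(c) for c in contents])

def _field_ok(rule_value, actual):
    return rule_value == "any" or rule_value == str(actual)

def matches(sig, pkt):
    """Header fields first (cheap), then every content pattern must appear in the payload."""
    if sig.proto != pkt["proto"]:
        return False
    if not (_field_ok(sig.src, pkt["src"]) and _field_ok(sig.dst, pkt["dst"])):
        return False
    if not (_field_ok(sig.sport, pkt["sport"]) and _field_ok(sig.dport, pkt["dport"])):
        return False
    for content, nocase in sig.contents:
        hay, needle = (pkt["payload"].lower(), content.lower()) if nocase else (pkt["payload"], content)
        if needle not in hay:
            return False
    return True

def inspect(signatures, pkt):
    """Run every signature over one packet. Returns ('pass' | 'drop', [(action, sid, msg), ...])."""
    events = [(s.action, s.sid, s.msg) for s in signatures if matches(s, pkt)]
    verdict = "drop" if any(action == "drop" for action, _, _ in events) else "pass"
    return verdict, events

# Constructed rule set (hypothetical SIDs in the local range).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"Path traversal attempt"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"/etc/passwd requested"; content:"/etc/passwd"; nocase; sid:1000002;)',
    'drop tcp 192.0.2.77 any -> any 22 (msg:"SSH from blocklisted host"; content:"SSH-"; sid:1000003;)',
)]

# Constructed sample packets (documentation-range addresses).
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.10", "sport": 51234, "dst": "10.0.0.8", "dport": 80,
     "payload": b"GET /../../ETC/PASSWD HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"proto": "tcp", "src": "192.0.2.77", "sport": 40000, "dst": "10.0.0.5", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"proto": "tcp", "src": "198.51.100.10", "sport": 51235, "dst": "10.0.0.8", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
]

if __name__ == "__main__":
    for pkt in PACKETS:
        verdict, events = inspect(RULES, pkt)
        print(verdict, [f"sid {sid}: {msg}" for _, sid, msg in events])
```

The first packet trips two alerts but is still passed, because alert is a logging action; only a drop rule changes the verdict, which is the difference between IDS and IPS behaviour. Note that the second rule only fires because of nocase: the attacker upper-cased the path, which is exactly the kind of evasion that signature tuning has to anticipate.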
Change Native VLAN
The native VLAN is a feature of 802.1Q trunk encapsulation: every 802.1Q trunk carries exactly one VLAN untagged, and that VLAN is the native VLAN. This lets a trunk also serve legacy devices that do not tag their traffic, such as some wireless access points and simple network-attached devices. Traffic that arrives at a trunk port without a VLAN tag is assigned to the native VLAN. From a management standpoint, it is recommended that the native VLAN be changed to a number other than VLAN 1, because VLAN 1 is the default native VLAN on a Cisco switch and is also the VLAN on which the switch's own control and management protocols (CDP, VTP, DTP and similar) are sent. Setting the native VLAN to an otherwise unused number, such as VLAN 999, keeps user traffic apart from network management traffic.[2] Two checks belong with this change: the native VLAN must be the same at both ends of a trunk (a mismatch leaks frames from one VLAN into another), and no access port should be assigned to the native VLAN. On Cisco IOS the global command vlan dot1q tag native goes one step further and tags native-VLAN frames as well, so that nothing crosses the trunk untagged.
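To show why the native VLAN should be an unused number, the following added example (written for this page, not taken from the cited source or from any vendor) models how two switches handle a frame that carries two 802.1Q tags. The model is deliberately simplified: switch behaviour is reduced to the tag push and pop rules described above, the attacker's access port is assumed to sit in VLAN 1, and MAC learning, DTP and platform-specific quirks are ignored. The frames and MAC addresses are constructed test data.

```python
import struct

TPID_8021Q = 0x8100

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, vids, ethertype=0x0800, payload=b""):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (constructed test data)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return _mac(dst) + _mac(src) + tags + struct.pack("!H", ethertype) + payload

def outer_tag(frame):
    """Outermost VLAN ID, or None if the frame carries no 802.1Q tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def pop_tag(frame):
    return frame[:12] + frame[16:]

def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def access_ingress(frame, access_vlan):
    """Access port: untagged frames join the access VLAN; a tag equal to the access VLAN is
    stripped; any other tag is dropped. Returns (vlan, frame) or (None, None)."""
    vid = outer_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, None

def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Trunk egress: the native VLAN leaves untagged (unless tag_native); every other VLAN is tagged."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)

def trunk_ingress(frame, native_vlan):
    """Trunk ingress: the outer tag selects the VLAN; an untagged frame lands in the native VLAN."""
    vid = outer_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, pop_tag(frame)

def vlan_after_trunk(frame, access_vlan, native_vlan, tag_native=False):
    """Switch 1 access port -> trunk -> switch 2. Returns the VLAN switch 2 assigns the frame to."""
    vlan, frame = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_the_wire = trunk_egress(frame, vlan, native_vlan, tag_native)
    vlan2, _ = trunk_ingress(on_the_wire, native_vlan)
    return vlan2

# Constructed frames: a doubly tagged frame (outer VLAN 1, inner VLAN 20) from a host on VLAN 1,
# and an ordinary untagged frame from a host on VLAN 10.
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa", vids=[1, 20], payload=b"hop")
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:bb", vids=[], payload=b"hello")

if __name__ == "__main__":
    print("native 1, untagged native :", vlan_after_trunk(DOUBLE_TAGGED, 1, 1))
    print("native 999                :", vlan_after_trunk(DOUBLE_TAGGED, 1, 999))
    print("native 1, tagged native   :", vlan_after_trunk(DOUBLE_TAGGED, 1, 1, tag_native=True))
    print("legit VLAN 10, native 999 :", vlan_after_trunk(UNTAGGED, 10, 999))
```

With the native VLAN left at 1, switch 1 strips the outer tag at the access port, sends the frame across the trunk untagged because VLAN 1 is native, and switch 2 reads the remaining inner tag and delivers the frame into VLAN 20. Moving the native VLAN to 999 (or tagging the native VLAN) makes switch 1 add a VLAN 1 tag on egress, and switch 2 keeps the frame in VLAN 1 where it belongs. Ordinary traffic is unaffected either way.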
Switch Port Protection
Network Segmentation
Privileged User Account
A privileged user account is an account with more privileges than an ordinary user account. Privileged accounts may be able to install or remove software, upgrade the operating system, or modify system or application configurations, and they may have access to files that standard users cannot read. There are many kinds of privileged user accounts, such as:
File Integrity Monitoring
File integrity monitoring (FIM) is an internal control or process that validates the integrity of operating system and application files by comparing the current state of each file with a known-good baseline. The comparison usually relies on a cryptographic hash (for example SHA-256): a hash of each file is recorded when the baseline is taken and is later compared with a hash of the file’s current contents.[8] Other file attributes, such as permissions, ownership and size, can be monitored in the same way. FIM is normally automated by an agent or scheduled process and can run at random times, at defined polling intervals, or in real time using file system change notifications. Changes to configurations, files and file attributes across an IT infrastructure are routine, but hidden within the large daily volume of changes can be the few that affect file or configuration integrity. Those changes can weaken the security posture and are sometimes leading indicators of a breach in progress. Two practical caveats: the baseline must be stored where a compromised host cannot rewrite it, and timestamps alone are not a reliable signal, since a modification time is trivial to forge while a content hash is not. Values monitored for unexpected changes to files or configuration items include:
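The following is an added example, written for this page rather than taken from any FIM product or from the cited source. It records a SHA-256 hash and the ownership, permission and size attributes of every regular file under a directory, stores that baseline as JSON (in a second directory standing in for off-host storage), and reports added, removed and modified files on a rescan. The directory tree, file contents and the "intruder" changes in demo() are constructed for the demonstration; the modification time is deliberately not part of the record.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

def sha256_of(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def file_record(path):
    """Content hash plus the attributes worth watching. mtime is excluded on purpose: it is trivial to forge."""
    st = os.lstat(path)
    return {"sha256": sha256_of(path), "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid}

def snapshot(root):
    """Records for every regular file under root (symlinks skipped), keyed by relative POSIX path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def compare(baseline, current):
    """Diff two snapshots: {'added': [...], 'removed': [...], 'modified': {path: {attr: (old, new)}}}."""
    report = {"added": [], "removed": [], "modified": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            diff = {k: (baseline[name][k], current[name][k])
                    for k in baseline[name] if baseline[name][k] != current[name][k]}
            if diff:
                report["modified"][name] = diff
    return report

def demo():
    """Constructed scenario: baseline a small tree, make intruder-style changes, rescan."""
    root, store = tempfile.mkdtemp(), tempfile.mkdtemp()   # 'store' stands in for off-host storage
    try:
        files = {"etc/ssh/sshd_config": "PermitRootLogin no\n",
                 "etc/motd": "welcome\n",
                 "bin/login": "#!/bin/sh\nexec /usr/bin/login \"$@\"\n"}
        for rel, text in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        baseline_file = Path(store, "baseline.json")
        save_baseline(snapshot(root), baseline_file)
        # Changes an intruder might make: weaken sshd, set the setuid bit, drop a file, delete one.
        Path(root, "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(Path(root, "bin/login"), 0o4755)
        Path(root, "bin/.backdoor").write_text("placeholder\n")
        Path(root, "etc/motd").unlink()
        return compare(load_baseline(baseline_file), snapshot(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The rescan flags the sshd_config edit by hash and size, the setuid bit by mode, the dropped file as added and the deleted one as removed. In production the baseline would be re-taken only after an authorized change, and a change to a file that no ticket or deployment explains is what the analyst follows up on.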
Role Separation
Role separation (also called separation of privileges) is an IT best practice in which users and processes are separated according to their level of trust, their needs and their privilege requirements. Separation of privileges refers to both the:
Like network segmentation, role separation creates barriers around specific parts of an IT environment. It helps contain an intruder close to the point of compromise and restricts lateral movement, while also ensuring that employees, applications and system processes have access only to the data they need. Segmenting privileges and the tasks associated with them also yields a cleaner audit trail and simplifies compliance.[9]
Restricting Access via ACLs
An ACL (access control list) is a set of rules, usually used to filter network traffic. ACLs can be configured on network devices with packet filtering capabilities, such as routers and firewalls. An ACL is a list of conditions that classify packets and determine whether the traffic is permitted or denied. ACLs are applied per interface, to packets entering or leaving that interface. They are evaluated from the top down and the first matching entry wins, so the order of entries matters, and on most platforms a packet that matches no entry is dropped by an implicit deny at the end of the list. The term ACL also refers to the list of permissions attached to a system resource (object); these ACLs specify which users or system processes are granted access to the object and which operations they may perform on it.[10]
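The following is an added example, written for this page and not taken from any vendor's code or the cited source. It parses a small subset of Cisco-style extended ACL entries (permit/deny, protocol, any / host / address-with-wildcard, an optional eq port, and the log keyword) and evaluates packets against the list with first-match-wins semantics and an implicit deny. The ACL, the addresses and the packets are constructed for the demonstration.

```python
import ipaddress

def _addr(tok, i):
    """Consume a Cisco address spec at tok[i]: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.
    Returns (network, care_mask, next_index); care_mask has a 1 bit wherever the address must match."""
    if tok[i] == "any":
        return 0, 0, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    return net, ~wildcard & 0xFFFFFFFF, i + 2

def _port(tok, i):
    """Consume an optional 'eq <port>' (the only port operator modelled here)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse one access control entry into a dict."""
    tok = line.split()
    action, proto = tok[0], tok[1].lower()
    if action not in ("permit", "deny"):
        raise ValueError("bad action in: " + line)
    src, smask, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, dmask, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return {"action": action, "proto": proto, "src": (src, smask), "sport": sport,
            "dst": (dst, dmask), "dport": dport, "log": "log" in tok[i:], "text": line}

def _ip_match(spec, ip):
    net, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_ip_match(ace["src"], pkt["src"]) and _ip_match(ace["dst"], pkt["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True

def evaluate(acl, pkt):
    """Top-down, first match wins. Returns (action, index); index None means the implicit deny fired."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], idx
    return "deny", None

# Constructed inbound ACL for a management interface: SSH from the admin subnet, SNMP from one poller.
MGMT_IN = [parse_ace(line) for line in (
    "permit tcp 10.10.0.0 0.0.0.255 any eq 22",
    "permit udp host 10.10.0.5 host 10.0.0.1 eq 161",
    "deny ip any any log",
)]

# Constructed packets arriving on that interface.
PACKETS = {
    "admin_ssh": {"proto": "tcp", "src": "10.10.0.20", "sport": 50000, "dst": "10.0.0.1", "dport": 22},
    "user_ssh":  {"proto": "tcp", "src": "192.168.1.9", "sport": 50001, "dst": "10.0.0.1", "dport": 22},
    "snmp_poll": {"proto": "udp", "src": "10.10.0.5", "sport": 50002, "dst": "10.0.0.1", "dport": 161},
    "ping":      {"proto": "icmp", "src": "10.10.0.20", "dst": "10.0.0.1"},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:10s} -> {evaluate(MGMT_IN, pkt)}")
```

Two points the example makes concrete: without the trailing deny, the ping is still dropped, but by the implicit deny, which on real gear is neither logged nor visible in hit counters, so an explicit logged deny is good practice; and an ACL that starts with permit ip any any never reaches a later deny, which is why ordering is reviewed as carefully as the entries themselves.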
Honeypot/Honeynet
Honeypots are a type of deception technology that lets network and system administrators study attacker behavior. Security teams use honeypots to investigate breaches and to collect intelligence on how intruders operate. Compared with traditional security controls they produce few false positives, because a decoy has no legitimate users, so almost any interaction with it is suspicious. A honeynet is a decoy network that contains one or more honeypots. It looks like a real network with multiple systems but is hosted on one or only a few servers, each hosting one environment, for example a Windows honeypot, a Mac honeypot and a Linux honeypot. A “honeywall” monitors the traffic going into and out of the network and directs it to the honeypot instances. Vulnerabilities can be deliberately introduced into the honeynet to make it easy for an attacker to enter the trap.[11] Because a honeypot is built to be compromised, it must be isolated from production systems and its outbound traffic restricted, so that it cannot be turned into a pivot point.
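The following is an added example written for this page; it is not the code of any honeypot project. It is a low-interaction TCP decoy: it sends a fake service banner, captures whatever the client sends first, classifies it (SSH client version string, HTTP request line, or raw bytes) and emits one JSON log record per session. Since nothing legitimate should ever connect to a decoy, every record is an alert. The banner text, the sensor name and the sample client inputs are constructed for the demonstration; the listening port is an assumption.

```python
import datetime
import json
import socketserver

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # constructed decoy banner; no real SSH service behind it
SENSOR_ID = "hp-01"                         # hypothetical sensor name
LISTEN = ("0.0.0.0", 2222)                  # assumed port; use the real service port on a dedicated decoy host

def classify(received):
    """Work out what the client sent so the record is immediately useful to an analyst."""
    first = received.split(b"\n", 1)[0].rstrip(b"\r")
    if first.startswith(b"SSH-"):
        return "ssh", {"client_version": first.decode("ascii", "replace")}
    if any(first.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS")):
        return "http", {"request_line": first.decode("ascii", "replace")}
    return "unknown", {"hex_prefix": received[:32].hex()}

def build_record(peer, received, ts=None):
    """One log record per session. A decoy has no legitimate users, so every session is an alert."""
    ts = ts or datetime.datetime.now(datetime.timezone.utc)
    protocol, detail = classify(received)
    return {"ts": ts.isoformat(), "sensor": SENSOR_ID, "src_ip": peer[0], "src_port": peer[1],
            "protocol": protocol, "bytes": len(received), "alert": True, **detail}

class DecoyHandler(socketserver.BaseRequestHandler):
    """Send the banner, read the client's first message, log it, hang up."""
    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(FAKE_BANNER)
        try:
            data = self.request.recv(4096)
        except OSError:
            data = b""
        print(json.dumps(build_record(self.client_address, data)))

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, DecoyHandler) as server:
        server.serve_forever()
```

The records are meant to be shipped to the SIEM like any other log source. Run a decoy like this only on a host that is isolated from production and cannot initiate outbound connections, and treat its records as high-confidence signals of scanning or lateral movement.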
Penetration Testing
A penetration test (pen test, or ethical hacking) is an authorized, simulated cyberattack on a computer system, performed to evaluate the security of that system. It should not be confused with a vulnerability assessment, which enumerates weaknesses without attempting to exploit them.[12] The test is performed to identify weaknesses (vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, so that a full risk assessment can be completed.[13] The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (background and system information are provided to the tester in advance) or a black box (only basic information, if any, beyond the company name is provided). A gray box test is a combination of the two, in which limited knowledge of the target is shared with the tester.[14] A penetration test helps identify a system’s vulnerabilities to attack and estimate how exposed it is.
References