Question

The SOC has noticed an unusual volume of traffic coming from an open wi-fi guest Network that appears correlated with a border Network slow down. The network team is unable to capture traffic, but logs from Network Services are available.

• No users have authenticated recently there was a guest networks captive portal

• DDoS mitigation systems are not alerting

• DNS resolver logs show some very long domain names

Which of the following is the best step for security analysis to take next?

1. Block all outbound traffic from the guest Network at the border firewall

2. verify the passphrase on the guest network has not been changed

3. search antivirus logs for evidence of compromise company device

4. review access point logs to identify potential a zombie services

Answer 1

• Block all outbound traffic from the guest Network at the border firewall is the best step Security Analysis take:

Firewalls, Next-Generation Firewalls (NFGW) and Web Application Firewalls (WAF)Firewalls are a standard part of any cybersecurity arsenal. Two new technologies are complementing or replacing the traditional firewall:

• · NGFW—extends the firewall by providing intrusion prevention and intrusion detection with deep packet inspection capabilities. NGFWs can block threats at the network edge using techniques like URL filtering, behavioral analysis and geolocation filtering. They use a reverse proxy to terminate connections and inspect content before it reaches a web server.
• · WAF—a WAF is deployed in front of web applications, inspects traffic and identifies traffic patterns that may represent malicious activity. A WAF can detect attacks while minimizing false positives, by learning acceptable URLs, parameters and user inputs, and uses this data to identify traffic or inputs that deviate from the norm.

These technologies are leveraged in the modern SOC to reduce the attack profile of websites a and web applications, and gather higher quality data about legitimate and malicious traffic hitting critical web properties.

• Endpoint Detection and Response (EDR)

EDR is a new category of tools that helps SOC teams respond to attacks on endpoints, like user workstations, mobile phones, servers or IoT devices. These tools are built around the assumption that attacks will happen, and that the SOC team usually has very limited visibility and control into what’s happening on a remote endpoint. EDR solutions are deployed on endpoints, provide instant, accurate data about malicious activity, and gives SOC teams remote control over endpoints to perform immediate mitigation.

Wireless Network Security System Mechanisms:

· Wireless network security system mechanisms increase the overall security of the system, guarding against illegitimate accesses to the machine, removing application bugs and updating protocol installations to prevent intrusions and misuse of the system.

· DDoS attacks owe their power to large numbers of subverted machines that cooperatively generate the attack streams. If these machines were secured, the attackers would lose their army and the DDoS threat would then disappear.

· DDoS attacks in which the attacker, having gained unlimited access to the machine, deletes or alters its contents. Potential victims of DDoS attacks can be easily overwhelmed if they deploy vulnerable protocols.

· Examples of wireless network security system mechanisms include monitored access to the machine; applications that download and install security patches; firewall systems; virus scanners; intrusion detection systems; access lists for critical resources; capability-based systems; and, client-legitimacy-based systems .

Firewalls:

· Defending against DDoS attacks, wireless network firewalls are indispensable for countering many kinds of malicious incursions.

· Firewalls are designed to manage an environment where everyone outside the enterprise is untrusted and everyone inside the enterprise is trusted.

· While bi-directional filtering is a good method to protect the wireless Net at large, unless it is implemented everywhere, there is still the threat of attacks from those wireless networks that are not well protected.

· Extensive filtering of this nature is rarely implemented, because filtering is cost heavy on a CPU

Different Mechanisms use for prevent the network:

1)Enabling Denial-Of-Service Prevention Mechanisms :

Without denying service to legitimate clients, denial-of-service prevention mechanisms enable the victim to enable attack attempts. This is done either by enforcing policies for resource consumption or by ensuring that abundant resources exist so that legitimate clients will not be affected by the attack. Consequently, based on the prevention method, let's differentiate here between resource accounting and resource multiplication mechanisms

2)Using Resource Accounting Mechanisms:

To Police Based on the privileges of the user and his or her behavior, resource accounting mechanisms police the access of each user to resources. Such 30 Chapter 1 mechanisms guarantee fair service to legitimate well-behaving users. In order to avoid user identity theft , they are usually coupled with legitimacy-based access mechanisms that verify the user's identity .

3) Resource Multiplication Mechanisms:

Counter DDoS Threats In order to counter DDoS threats, resource multiplication mechanisms provide an abundance of resources. The straightforward example is a system that deploys a pool of servers with a load balancer and installs high bandwidth links between itself and upstream routers. This approach essentially raises the bar on how many machines must participate in all attack to be effective. While not providing perfect protection, for those who can afford the costs, this approach has often proven sufficient. For example, Microsoft has used it to weather large DDoS attacks.

4) Intrusion Prevention Systems Mechanisms :

Intrusion Detection Systems form a small but critical piece of the computer security jigsaw, alerting to intrusions and attacks aimed at computers or networks. They're not the computer security panacea. But, they are your eyes and ears, essential in knowing whether you are under attack. Intrusion Prevention Systems (IPS) mechanisms take this concept to the next level and sit inline blocking the packets you tell them to based on signatures as per the IDS. They can be highly effective as a defensive tool but need to be configured with great care and attention in stages.

5)Reactive Mechanisms Alleviate:

The Impact Of An Attack Reactive mechanisms strive to alleviate the impact of an attack on the victim. In addition, they need to detect the attack and respond to it in order to attain this goal . To detect every attempted DDoS attack as early as possible and to have a low degree of false positives, is the goal of attack detection. Upon attack detection, steps can be taken to characterize the packets belonging to the attack stream and provide this characterization to the response mechanism. Based on the attack detection strategy into mechanisms that deploy pattern L 31 detection, anomaly detection, hybrid detection, and third-party detection, is the classification of reactive mechanisms .

6) Pattern Attack Detection Mechanisms :

The signatures of known attacks in a database are stored by mechanisms that deploy pattern detection. Each commimication is monitored and compared with database entries to discover occurrences of DDoS attacks. Occasionally, the database is updated with new attack signatures. The obvious drawback of this detection mechanism is that it can only detect known attacks, and it is usually helpless against new attacks or even slight variations of old attacks that cannot be matched to the stored signature. Nonetheless, no false positives are encountered and known attacks are easily and reliably detected.

7) Anomaly Attack Detection Mechanisms :

Deployment of anomaly detection mechanisms have a model of normal system behavior, such as a model of normal traffic dynamics or expected system performance. The current state of the system is periodically compared with the models to detect anomalies. The advantage of anomaly detection over pattern detection is that unknown attacks can be discovered. However, anomaly-based detection has to address two issues: threshold setting and model update [2].

8) Mechanisms Filtering In order to filter out the attack stream completely, filtering mechanisms use the characterization provided by a detection mechanism. Examples include dynamically deployed firewalls, and also a commercial system called TrafficMaster.

9)Victim- Wireless Network Mechanisms

This network is protected from DDoS attacks by DDoS defense mechanisms deployed at the victim wireless network; as well as, a response to detected attacks by alleviating the impact on the victim. Historically, most defense systems were located at the victim since it suffered the greatest impact of the attack and was therefore the most motivated to sacrifice some resources for increased wireless network security. Examples of these systems are provided by resource accounting and protocol wireless network security mechanisms .

10)Intermediate- Wireless Network Mechanisms Infrastructural service is provided to a large number of Internet hosts by DDoS defense mechanisms deployed at the intermediate wireless network. Victims of DDoS attacks can contact the infrastructure and request the service, possibly providing adequate compensation. Examples of intermediate-wireless network mechanisms, are pushback and traceback techniques .