So we've talked about responding to incidents, but how do we even know when an incident has occurred, right, so that we can put our plan and our strategy into action? Well, one of the things that we're gonna rely very heavily on is the technology on our network. So let's take a minute and just talk a little bit about incident detection devices.

The first device that I'll mention is a sniffer, and a sniffer is really more formally known as a protocol analyzer. You could also hear it called a packet analyzer or a network analyzer; that's the broad category that we refer to as sniffers. Wireshark is probably one that you're familiar with, very, very common. This one just happens to be Packet Tracer, but they ultimately serve the same purpose.
So what happens with the protocol analyzer is I'm capturing packets on my network. A lot of times we think of this in relation to malicious use, with an eavesdropper, an attacker trying to eavesdrop on our network and steal passwords and things of that nature. But ultimately, what we can also do is we, as administrators, can proactively sniff the network and look and see things like: who's sending passwords across the network in plain text? What type of traffic is going across my network? Are there a ton of broadcasts all of a sudden? Those types of information can be very, very helpful to me.

Now, this requires that I proactively analyze the network, whereas we could also look at intrusion detection systems that kind of do that for us. As a matter of fact, all it takes to make an intrusion detection system is a packet sniffer plus an analysis engine. They're the exact same type of mechanism. It's just that an intrusion detection system is gonna make that assessment for me and can be configured to continuously monitor the network.
Okay, so there are two main types of IDS: there are host-based systems and there are network-based systems. Network-based systems are gonna include a sniffer and an analysis engine, just like I said. So this is a network-based device. It's gonna capture traffic and pass that along to the analysis engine, which is gonna determine if it's good or bad.

Now, a host-based IDS is really software that I'm gonna install on a particular host, and it's gonna monitor just that host. Right? So if I'm concerned about traffic going to this system, if I want to know who's modifying the registry on this system, how much network traffic is hitting this network card, then the host-based system is gonna be very appropriate.
But most of the time, when we're talking about really securing our network, we're gonna need that NIDS in place. Now, with the NIDS, we've already talked about how it monitors a segment of traffic, and a good place for that network IDS is in your DMZ. I think that's probably a testable question: an important IDS placement is in our demilitarized zone. That's where we're gonna have the servers and services we're gonna make available to the general public, and any area where we're going to allow the public to access, we need to monitor very tightly.

So I'm not saying you wouldn't have an intrusion detection system in many other places. But if they ask you, "Where would you put the one device, if that's all you would have?", the DMZ is what they're looking for.
Okay, now, one of the things I'll mention here is this little second point: a computer or network appliance with a NIC in promiscuous mode. Let me explain that for a minute. What turns a sniffer into a sniffer is having an interface that's in promiscuous mode, and promiscuous mode is nowhere near as fun as it sounds like it should be. All promiscuous mode means is that the network card will capture all traffic regardless of who it's addressed to. That's how a sniffer sniffs: it captures all traffic. Well, like we said, an IDS is just a glorified sniffer, so it, too, needs a NIC in promiscuous mode.

A host-based IDS, again, is software based on a system, just for that system. They tend to generate a lot of overhead on that system, of course, but they can be very valuable.
The other piece we have to look at is the analysis engine that these intrusion detection systems have, and the analysis engines fall into two main categories: pattern based or profile based. Okay, and the reality of it is that today they both have pros and cons, so most of our systems are gonna combine these two functions.

All right, so our first type of analysis is pattern matching. Let's look for something we know. Let's look for rules that have been created and configured. Let's look for known signatures. If you're familiar with how antivirus programs and anti-malware programs work, they often look for known patterns, known attacks, that they refer to as definitions, in definition files, to help them identify threats. So that's what we're talking about with signatures here.

Now, there are a couple of problems with that. We have to keep that system updated. But then perhaps an even bigger problem is that it only knows what it knows. So if there's a new attack, particularly one for which a signature has not yet been created, well, then a signature-based IDS can't detect it, and that's referred to as a zero-day attack.
Okay, now, the profile comparison systems generally have an idea of what normal network performance is. It might be based on an understanding of our RFCs for network protocols; those are anomaly-based systems, and any time a protocol is acting outside of its RFC, the system determines, "Hey, this is an attack." By the way, an RFC is a Request for Comments, and these are the white papers on how protocols are supposed to function. Behavior-based and statistical-based systems are looking for things out of the norm, so they're going to require a baseline configuration and then a threshold of tolerance, and whatever's outside that threshold of tolerance is gonna be indicated as an attack.

But the problem with that is it's really hard to pinpoint normal network behavior. So what you get with these systems is a lot of false positives. So often we combine the two on the systems that we're using today. But on the exam, my guess is they'll primarily talk about signature-based versus behavior-based systems.
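To make the two engine types concrete, here is an added example (not from the lecture or any product) of a toy analysis engine that runs both styles over constructed packet records: the signature engine catches a known pattern but misses a novel request, while the baseline-plus-threshold engine catches the new host but also flags a legitimate traffic spike. All hosts, payloads and the exploit marker string are constructed sample values.

```python
from collections import Counter
from typing import NamedTuple

class Packet(NamedTuple):
    src: str      # source host
    proto: str    # protocol as the sniffer decoded it
    payload: str  # decoded payload text

# Pattern-based rules: known bad content, like an AV definition file.
# The exploit marker is a constructed stand-in, not a real attack string.
SIGNATURES = {
    "cleartext-password": "PASS ",
    "known-exploit": "CONSTRUCTED-EXPLOIT-MARKER",
}

def signature_alerts(packets):
    """Pattern matching: flags only what a rule already describes."""
    return [(name, p.src) for p in packets
            for name, pattern in SIGNATURES.items() if pattern in p.payload]

def build_baseline(packets):
    """Profile learning: packets per source host during a 'normal' window."""
    return Counter(p.src for p in packets)

def anomaly_alerts(packets, baseline, tolerance):
    """Profile comparison: alert when a host exceeds baseline * (1 + tolerance).
    A host absent from the baseline has a threshold of 0, so any traffic alerts."""
    counts = Counter(p.src for p in packets)
    return [("volume-anomaly", host) for host, n in counts.items()
            if n > baseline.get(host, 0) * (1 + tolerance)]

# Constructed traffic. The baseline window is quiet web browsing from two hosts.
BASELINE_WINDOW = ([Packet("10.0.0.5", "http", "GET /index.html")] * 10
                   + [Packet("10.0.0.7", "http", "GET /about")] * 10)

# The live window holds: a password sent in the clear (known signature), a novel
# request from a never-seen host with no signature (the "zero-day"), and a
# legitimate burst from a host that just started a backup job.
LIVE_WINDOW = ([Packet("10.0.0.5", "ftp", "PASS hunter2")]
               + [Packet("10.0.0.9", "http", "GET /?q=novel-attack")]
               + [Packet("10.0.0.7", "http", "GET /about")] * 25)

def run_engine(live=LIVE_WINDOW, baseline_window=BASELINE_WINDOW, tolerance=0.5):
    """Run both engines, as a combined IDS would, and return their alert lists."""
    return (signature_alerts(live),
            anomaly_alerts(live, build_baseline(baseline_window), tolerance))
```

Raising the tolerance silences the false positive on 10.0.0.7 but leaves the never-seen host flagged, which is the tuning trade-off the lecture describes.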
The devices, again, that we have today probably perform both functions. However, if they say IDS, they mean intrusion detection system. That's a passive device that is aware of an attack and can log it, or can alert an administrator, or can log an event in some sort of event tracker, but it doesn't do anything to terminate the attack. The intrusion prevention system is active. It can send a reset and terminate the attack; if configured to do so, it can reconfigure the firewall and block a port.

So the two are distinctly different. An IDS is passive: it alerts that an attack has happened. An IPS can actually terminate the attack. In the real world, most devices do both.
No IDS is perfect. You're not guaranteed protection just because you have an intrusion detection system on your network. Of course, there's a lot of traffic on the network, and the network-based IDS may not be able to process all of it. So you could consider segmenting your network a little bit smaller so that your IDS can analyze it, or maybe upgrading your IDS so that it has greater capacity.

Another issue with the network-based IDS is that it can't analyze encrypted traffic. Well, no device should be able to look at encrypted traffic without the keys, right? So it makes sense that an IDS can't look into encrypted traffic. Now, the reality is that your higher-end intrusion detection systems are gonna have a means by which you can distribute the keys so that you would be able to inspect encrypted traffic, but that's beyond the scope of the exam. I just want to let you know it's not that it can't be done; that's just kind of the standard answer.
Now, with a host-based system, when you send encrypted data to this host, the host receives it, and at that point in time it can intercept or evaluate the encrypted traffic, because it gets decrypted when it's received. So that might be an instance in which our host-based system is better for us.
Switch-based networks: traditionally, we plugged these IDSs into a hub, so all the traffic came out of all ports all the time. Well, a switch only directs traffic to the appropriate port, so if I plug my IDS into port one, there may be no traffic coming out of it. There is a mode called port SPAN that you can enable on your switch that will allow you to analyze all the traffic on the switch.

You get false alarms, which we talked about with behavior-based systems particularly, and then ultimately, again, it is no substitute for a layered defense. It is part of defense in depth. It's not enough on its own as a standalone device.
Okay, now, the next section we're moving into is: what if, with all the plans and procedures that we put in place, we have a larger-scale event that proceeds into a disruption of the organization's business for a day, or for even longer? How do we respond then? Of course, the answer to that is we have business continuity planning in place. That's coming up next.