
Chapter 12: Security Monitoring Operational Challenges

Cybersecurity Operations - SECFND

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
Chapter 12 - Sections & Objectives
• 12.1 Security Monitoring and Encryption
• 12.2 Security Monitoring and Network Address Translation
• 12.3 Security Monitoring and Event Correlation Time Synchronization
• 12.4 DNS Tunneling and Other Exfiltration Methods
• 12.5 Security Monitoring and Tor
• 12.6 Security Monitoring and Peer-to-Peer Communication

12.1 Security Monitoring and Encryption

Security Monitoring Challenges
Security Monitoring and Encryption
• Encryption has great benefits for security and privacy.
• Encryption can be used to protect information and communications by governments, corporations and individuals.
• It can also be used by threat actors for evasion and obfuscation.
• Governments try to regulate the use and export of encryption technologies (Wassenaar Arrangement).
• Law enforcement agencies often try to force vendors to leave certain investigative techniques in their software.
• Another idea is "encrypt everything".
• Many security products can intercept, decrypt, and re-encrypt encrypted traffic payloads.
• This is often regarded as a man-in-the-middle (MITM) technique.
Security Monitoring Challenges
Security Monitoring and NAT
• Network Address Translation (NAT) can present a challenge when:
  • you're performing security monitoring and analyzing logs
  • you're analyzing NetFlow and other data
• This is because a device's IP appears in the logs as the "translated" IP address rather than its "real" IP address.
• The problem is even more pronounced in the case of Port Address Translation (PAT), where many real addresses share one translated address.
• Security products like Lancope provide features that can be used to correlate and "map" translated IP addresses with NetFlow.
• In Lancope this feature is called NAT stitching.
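The mapping step that NAT stitching automates, as an added example that is not from the slides or from Lancope's product: the NAT log format, the addresses, the flow records and the two-minute mapping lifetime are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed firewall NAT log in a hypothetical format (not a real vendor syntax):
# <timestamp> NAT inside=<real ip>:<port> outside=<translated ip>:<port>
NAT_LOG = """\
2024-03-01T10:00:01 NAT inside=10.1.1.5:51234 outside=203.0.113.7:40001
2024-03-01T10:00:02 NAT inside=10.1.1.9:51234 outside=203.0.113.7:40002
2024-03-01T10:05:00 NAT inside=10.1.1.22:45000 outside=203.0.113.7:40001
"""

# Constructed NetFlow-style records collected outside the NAT boundary:
# (start time, src ip, src port, dst ip, dst port)
FLOWS = [
    ("2024-03-01T10:00:03", "203.0.113.7", 40001, "198.51.100.20", 443),
    ("2024-03-01T10:00:03", "203.0.113.7", 40002, "198.51.100.20", 443),
    ("2024-03-01T10:05:02", "203.0.113.7", 40001, "198.51.100.99", 4444),
]

def parse_nat_log(text):
    """Return (time, real_ip, real_port, translated_ip, translated_port) per line."""
    entries = []
    for line in text.splitlines():
        ts, _, inside, outside = line.split()
        real_ip, real_port = inside.split("=")[1].split(":")
        xl_ip, xl_port = outside.split("=")[1].split(":")
        entries.append((datetime.fromisoformat(ts), real_ip, int(real_port), xl_ip, int(xl_port)))
    return entries

def stitch(flows, nat_entries, max_age=timedelta(minutes=2)):
    """Map each external flow back to the real inside host.

    Under PAT the translated IP alone is ambiguous (10.1.1.5 and 10.1.1.9 both appear
    as 203.0.113.7) and translated ports are reused over time (40001 belongs to two
    hosts), so the key is (translated ip, translated port) plus the most recent mapping
    created before the flow started. This only works when the firewall and the flow
    exporter have synchronized clocks (NTP), which is the point of the time-sync slide."""
    results = []
    for start, src_ip, src_port, dst_ip, dst_port in flows:
        t = datetime.fromisoformat(start)
        matches = [e for e in nat_entries
                   if (e[3], e[4]) == (src_ip, src_port) and e[0] <= t <= e[0] + max_age]
        best = max(matches, key=lambda e: e[0], default=None)
        real = f"{best[1]}:{best[2]}" if best else None
        results.append((real, f"{dst_ip}:{dst_port}"))
    return results

if __name__ == "__main__":
    for real, dst in stitch(FLOWS, parse_nat_log(NAT_LOG)):
        print(f"{real or 'UNKNOWN'} -> {dst}")
```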

Security Monitoring Challenges
Security Monitoring Contd.
Security Monitoring and Event Correlation Time Synchronization
• Logs are useless if they show the wrong date and time.
• Best practice is to configure all network devices to use Network Time Protocol (NTP).
DNS Tunneling and Other Exfiltration Methods
• Threat actors can send data over DNS using tunneling.
• Encoding methods can be used to put sensitive data in the payload of DNS packets; examples are:
  • Base64 encoding
  • Binary (8-bit) encoding
  • NetBIOS encoding
  • Hex encoding
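An added detector for the encodings listed above, run over a constructed resolver log; it is not from the slides or from any DNS tunneling tool, and the 16-character minimum label length and 3.5-bit entropy threshold are assumptions to tune for a real environment.

```python
import base64, math, re
from collections import Counter

# Constructed resolver log (not a real format): "<time> <client> <qname>". The three
# long labels carry "Hello world" in hex, NetBIOS first-level encoding and base64.
DNS_LOG = """\
10:00:01 10.1.1.5 www.example.com
10:00:03 10.1.1.9 48656c6c6f20776f726c64.t.example.net
10:00:04 10.1.1.9 EIGFGMGMGPCAHHGPHCGMGE.t.example.net
10:00:05 10.1.1.9 SGVsbG8gd29ybGQgZnJvbSBhIGhvc3Q.t.example.net
"""
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
NETBIOS_RE = re.compile(r"^[A-P]+$")          # each nibble + 'A', so only A..P appear
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")   # base64/base64url; '=' is usually dropped

def entropy(s):                               # Shannon entropy, bits per character
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def classify_label(label):
    """Guess which of the slide's encodings a label uses; an all-A..F NetBIOS string is
    indistinguishable from hex, so hex is tested first. None means it looks benign."""
    if len(label) < 16:                       # short labels rarely carry a payload
        return None
    if HEX_RE.match(label) and len(label) % 2 == 0:
        return "hex"
    if NETBIOS_RE.match(label) and len(label) % 2 == 0:
        return "netbios"
    if B64_RE.match(label) and entropy(label) > 3.5:
        return "base64"
    return None

def decode_label(label, enc):
    """Recover the payload bytes for a label classified by classify_label."""
    if enc == "hex":
        return bytes.fromhex(label)
    if enc == "netbios":
        nib = [ord(c) - ord("A") for c in label]
        return bytes((hi << 4) | lo for hi, lo in zip(nib[0::2], nib[1::2]))
    return base64.b64decode(label + "=" * (-len(label) % 4))

def find_tunnel_candidates(log):
    """Return (client, qname, encoding, payload) for queries whose leftmost label looks encoded."""
    hits = []
    for line in log.splitlines():
        _, client, qname = line.split()
        label = qname.split(".")[0]
        enc = classify_label(label)
        if enc:
            hits.append((client, qname, enc, decode_label(label, enc)))
    return hits
```

In production the per-client query volume to one domain and the label lengths matter as much as the alphabet checks, since a single encoded-looking label is a weak signal on its own.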
Security Monitoring Challenges
DNS Tunneling and Other Exfiltration Methods
• DNS tunneling utilities include:
  • DeNiSe
  • dns2tcp
  • DNScapy
  • DNScat or DNScat-P
  • DNScat (DNScat-B)
  • Heyoka
  • Iodine
  • Nameserver Transfer Protocol (NSTX)
  • OzymanDNS
  • psudp
  • Feederbot and Moto

Security Monitoring Challenges
Security Monitoring and Tor (The Onion Router)
• Many people use tools such as Tor for privacy.
• Tor enables its users to surf the web anonymously.
• Tor usage makes security monitoring and incident response more difficult.
• Malware is known to use Tor to cover its tracks.
• "Onion routing" is accomplished by encrypting the application layer of a communication protocol stack in layers that are "nested" just like the layers of an onion.
• The data is encrypted multiple times and sent through a "network or circuit" of randomly selected Tor relays.
• A Tor exit node is the last Tor node, or the gateway, where the decrypted traffic "exits" to the Internet.
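The layering described above, as an added illustration that is not from the slides or from the Tor project: three relays, constructed names and keys, and a toy HMAC-based stream cipher standing in for Tor's real ciphers and handshake.

```python
import hmac, hashlib, os

HDR = 32  # fixed-size next-hop field inside every layer

def keystream_xor(key, nonce, data):
    """Toy stream cipher for illustration only (HMAC-SHA256 counter keystream), not Tor's AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(key, next_hop, inner):
    """Add one onion layer: encrypt (next hop || inner) under the key shared with one relay."""
    nonce = os.urandom(8)
    return nonce + keystream_xor(key, nonce, next_hop.ljust(HDR, b"\0") + inner)

def unwrap(key, cell):
    """Peel one layer; returns (next hop, remaining ciphertext or, at the exit, plaintext)."""
    plain = keystream_xor(key, cell[:8], cell[8:])
    return plain[:HDR].rstrip(b"\0"), plain[HDR:]

def build_onion(circuit, destination, payload):
    """circuit = [(relay name, key the client shares with that relay), ...], guard first.
    The innermost layer (for the exit) names the real destination; every outer layer
    names only the next relay, so the layers are applied exit-first."""
    cell = wrap(circuit[-1][1], destination, payload)
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        cell = wrap(key, next_name, cell)
    return cell

def relay_path(circuit, cell):
    """Simulate the circuit: each relay peels its own layer and learns only the next hop.
    Returns (relay, next hop, what that relay forwards) so the monitoring view at each
    hop is visible: the guard knows the client but forwards ciphertext; the exit sees
    the destination and plaintext but only knows the middle relay as its source."""
    seen = []
    for name, key in circuit:
        next_hop, cell = unwrap(key, cell)
        seen.append((name, next_hop, cell))
    return seen

if __name__ == "__main__":
    circuit = [(b"guard", os.urandom(32)), (b"middle", os.urandom(32)), (b"exit", os.urandom(32))]
    cell = build_onion(circuit, b"198.51.100.20:443", b"GET / HTTP/1.1")
    for name, next_hop, forwarded in relay_path(circuit, cell):
        print(f"{name.decode()} -> {next_hop.decode()}: {forwarded[:16]!r}")
```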
Security Monitoring Challenges
Security Monitoring and Tor (The Onion Router)

(Figure: The Tor Browser)
Security Monitoring Challenges
Security Monitoring and P2P Communication
• Peer-to-peer (P2P) communication involves a distributed architecture that "divides tasks" between participating computing peers.
• P2P networks have been used to share music, videos, stolen books and other data.
• An application called Peercoin (also known as PPCoin) is a P2P cryptocurrency.
• P2P systems introduce unique challenges:
  • Malware can use them to communicate and also to spread to victims.
  • Many "free" or stolen music and movie files come bundled with malware.
  • P2P applications are not immune to security vulnerabilities, and they are more susceptible to remote exploits because of the nature of the P2P network architecture.