# Module 19: Technologies and Protocols

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::

### **19.1 Monitoring Common Protocols**

---

#### **19.1.1 Syslog and NTP**

**Syslog**

Syslog is a standard protocol for logging event messages from network devices and endpoints. It provides a system-neutral method for transmitting, storing, and analyzing logs, enabling centralized log collection and efficient security monitoring. Syslog servers typically listen on **UDP port 514**.

- **Benefits**:
  - Centralized log collection helps monitor security events across multiple devices.
  - Enables correlation of security incidents by analyzing compiled logs.
- **Threats**:
  - Attackers may target syslog servers to tamper with or destroy log data.
  - Exploits may involve blocking or manipulating log transfers between clients and servers.
  - Syslog-NG provides enhancements to mitigate some exploits.

![image](https://hackmd.io/_uploads/HyzsYTFVkx.png)

**NTP**

Network Time Protocol (NTP) ensures consistent timestamps across network devices, which is critical for correlating logs. NTP operates on **UDP port 123** and uses a hierarchical structure to share time information.

- **Importance**:
  - Timestamps help organize messages from different devices to detect exploits.
  - Consistent time synchronization is essential for identifying attack timelines.
- **Threats**:
  - Threat actors can corrupt NTP infrastructure to obfuscate traces of attacks.
  - NTP systems may be exploited for DDoS attacks.

![image](https://hackmd.io/_uploads/SJznYTFEyg.png)

---

#### **19.1.2 DNS**

Domain Name Service (DNS) translates domain names into IP addresses. However, it is often exploited by malware for communication and data exfiltration.
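The detection approach this section describes (reviewing DNS proxy logs for unusually long or encoded-looking subdomains), as an added Python example that is not part of the course material. The log format, the length threshold, the hex/base64 heuristics, and the "registered domain = last two labels" shortcut are assumptions; the sample log lines are constructed.

```python
import math
import re
from collections import Counter

# Constructed DNS proxy log lines: timestamp, client IP, query type, query name.
# The exfil.example.net names are made up to resemble hex- and base64-encoded data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.168.10.10 A www.example.com
2024-05-01T10:00:02Z 192.168.10.10 A mail.example.org
2024-05-01T10:00:03Z 192.168.10.12 TXT 5468697320697320612073656372657420.exfil.example.net
2024-05-01T10:00:04Z 192.168.10.12 TXT 66696c652066726f6d207468652068.exfil.example.net
2024-05-01T10:00:05Z 192.168.10.10 A cdn.static.example.com
2024-05-01T10:00:06Z 192.168.10.12 A VGhpcyBpcyBzZWNyZXQgZGF0YQ.aGVsbG8gd29ybGQ.exfil.example.net
"""

MAX_SUBDOMAIN_LEN = 40                       # assumed threshold; tune to your own baseline
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.I)
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")

def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])  # assumption: no public-suffix list

def analyze_query(qname):
    """Return (registered_domain, subdomain, reasons); an empty reasons list means clean."""
    sub_labels, registered = split_name(qname)
    subdomain = ".".join(sub_labels)
    reasons = []
    if len(subdomain) > MAX_SUBDOMAIN_LEN:
        reasons.append(f"long subdomain ({len(subdomain)} chars)")
    for label in sub_labels:
        if HEX_LABEL.match(label):
            reasons.append(f"hex-looking label {label[:12]}")
        elif B64_LABEL.match(label) and shannon_entropy(label) > 3.5:
            reasons.append(f"high-entropy label {label[:12]}")
    return registered, subdomain, reasons

def scan_log(text):
    """Return [(client, qname, reasons)] for every query that trips a heuristic."""
    flagged = []
    for line in text.splitlines():
        if line.strip():
            _ts, client, _qtype, qname = line.split()
            reasons = analyze_query(qname)[2]
            if reasons:
                flagged.append((client, qname, reasons))
    return flagged

def clients_by_volume(flagged):
    return Counter(client for client, _, _ in flagged)  # repeated hits from one host matter most
```

A single odd-looking query is weak evidence; the per-client count is what turns the heuristic into something worth escalating.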
- **Threats**:
  - **DNS-based Malware Communication**:
    - Malware can use DNS queries to communicate with Command-and-Control (CnC) servers.
    - Exfiltrated data may be encoded in the subdomain portion of DNS requests.
  - **Evasion Techniques**:
    - Encodings like Base64, Hex, and 8-bit binary are used to camouflage data.
    - Subdomain lengths and random-appearing domains can indicate abuse.
  - **Detection**:
    - Analyze DNS proxy logs for irregular subdomain lengths and patterns.
    - Use services like Cisco Umbrella to block malicious DNS requests.

![image](https://hackmd.io/_uploads/Sk319TF4ke.png)

---

#### **19.1.3 HTTP and HTTPS**

**HTTP**

HTTP transmits plaintext data, making it vulnerable to interception, alteration, and iFrame injection exploits.

- **iFrame Injection**:
  - Threat actors compromise web servers to insert malicious iFrames.
  - Malware is downloaded from infected servers to clients through invisible frames.
  - Tools like Cisco Web Reputation Filtering detect and block these threats.

![image](https://hackmd.io/_uploads/rydb9TFE1x.png)

**HTTPS**

HTTPS secures HTTP traffic using SSL/TLS encryption to protect data during transmission. However, it complicates network monitoring.

- **Features**:
  - Encrypts HTTP traffic between the client and the server.
  - Adds extra messages to packet captures because of the handshake that sets up the encrypted connection.
- **Challenges**:
  - Security devices must decrypt HTTPS traffic for inspection, which involves processing and privacy concerns.

![image](https://hackmd.io/_uploads/BkM4caYEkx.png)

- **HTTPS Transactions**:
  1. Client browser requests a secure page with HTTPS.
  2. Web server sends its public key with a certificate.
  3. Client verifies the certificate and sends a symmetric key encrypted with the server's public key.
  4. Web server uses its private key to decrypt the symmetric key.
  5. Data is encrypted with the symmetric key and sent to the client.
![image](https://hackmd.io/_uploads/SySS9TKEJl.png)

---

#### **19.1.4 Email Protocols**

Email protocols (SMTP, IMAP, POP3) are frequently targeted by malware for exfiltration and infection.

- **SMTP**:
  - Used to send data to mail servers.
  - Exploited for data exfiltration (e.g., Sony Pictures hack in 2014).
- **IMAP and POP3**:
  - Responsible for downloading emails to host computers.
  - Malware attachments can be delivered to hosts through these protocols.
- **Security Monitoring**:
  - Identify infected attachments and initial host infections.
  - Perform retrospective analysis to understand malware behavior.

![image](https://hackmd.io/_uploads/S1ZP5TtEyg.png)

---

#### **19.1.5 ICMP**

ICMP facilitates network diagnostics but is often exploited for surveillance and attacks.

- **Legitimate Uses**:
  - Identifies network hosts and structure.
  - Diagnoses network issues.
- **Exploitation**:
  - Used in **DoS attacks** to deny service.
  - Facilitates **data exfiltration** through ICMP tunneling (e.g., LOKI exploit).
- **Threat Mitigation**:
  - Monitor ICMP traffic for unusual activity.
  - Understand tools like Ping Tunnel for crafting ICMP tunnels.

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/24-1-7-check-your-understanding-identify-the-monitored-protocol-answers.html).
:::

>[!Warning]Recap
>Many types of devices from many different vendors can use syslog to send log entries to central servers that run a syslog daemon. This centralization of log collection helps to make security monitoring practical. Because syslog is so important to security monitoring, syslog servers may be a target for threat actors. Hackers may attempt to block the transfer of data from syslog clients to servers, tamper with or destroy log data, or tamper with software that creates and transmits log messages. Syslog messages are usually timestamped.
>Because the messages can come from many devices, it is important that the devices share a consistent timeclock. One way that this can be achieved is for the devices to use Network Time Protocol (NTP). Because events that are connected to an exploit can leave traces across every network device on their path to the target system, timestamps are essential for detection. Threat actors may attempt to attack the NTP infrastructure in order to corrupt time information that is used to correlate logged network events or use NTP systems to direct DDoS attacks through vulnerabilities in client or server software.
>
>Attackers commonly encapsulate different network protocols within DNS to evade security devices. DNS is now used by many types of malware. Some varieties of malware use DNS to communicate with command-and-control (CnC) servers and to exfiltrate data in traffic disguised as normal DNS queries. Various types of encoding can be used to camouflage the data and evade basic data loss prevention (DLP) measures. It is likely that the subdomain part of such queries would be much longer than usual requests.
>
>Hypertext Transfer Protocol (HTTP) is the backbone protocol of the World Wide Web. HTTP does not protect data from alteration or interception by malicious parties, which is a serious threat to privacy, identity, and information security. A common exploit of HTTP is called iFrame (inline frame) injection. A threat actor compromises a webserver and plants malicious code which creates an invisible iFrame on a commonly visited webpage. When the iFrame loads, malware is downloaded. To address the alteration or interception of confidential data, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. HTTPS adds a layer of encryption to the HTTP protocol by using secure socket layer (SSL), making the HTTP data unreadable as it leaves the source computer until it reaches the server.
>Unfortunately, the encrypted HTTPS traffic complicates network security monitoring. Some security devices include SSL decryption and inspection; however, this can present processing and privacy issues. In addition, HTTPS adds complexity to packet captures due to the additional messaging involved in establishing the encrypted connection.
>
>Email protocols such as SMTP, POP3, and IMAP can be used by threat actors to spread malware, exfiltrate data, or provide channels to malware CnC servers. SMTP sends data from a host to a mail server and between mail servers. Because there is so much SMTP traffic, it is not always monitored. However, SMTP has been used in the past by malware to exfiltrate data from the network. Security monitoring could reveal this type of traffic based on features of the email message. IMAP and POP3 are used to download email messages from a mail server to the host computer. Security monitoring can identify when a malware email attachment entered the network, and which host it first infected. Retrospective analysis can then track the behavior of the malware from that point forward.
>
>ICMP functionality has been used to craft a number of types of exploits. ICMP can be used to identify hosts on a network, the structure of a network, and determine the operating systems at use on the network. It can also be used as a vehicle for various types of DoS attacks. It can also be used for data exfiltration. Because of the concern that ICMP can be used to surveil or deny service from outside of the network, ICMP traffic from inside the network is sometimes overlooked. However, some varieties of malware use crafted ICMP packets to transfer files from infected hosts to threat actors using this method, which is known as ICMP tunneling.

### **19.2 Security Technologies**

---

#### **19.2.1 Access Control Lists (ACLs)**

**Overview**

Access Control Lists (ACLs) are a rule-based security mechanism to filter traffic based on IP addresses, protocols, and ports.
They can permit or deny specific types of traffic, providing a layer of security for network communication.

**Limitations**

Relying solely on ACLs can create a false sense of security because attackers can exploit weaknesses such as:

- **Reconnaissance Techniques**: Port scanning, penetration testing, and spoofing source IP addresses.
- **Packet Manipulation**: Crafting packets with arbitrary ports, spoofed IPs, or altered TCP flags.

**Advanced Measures**

To address the shortcomings of ACLs, behavior- and context-based technologies, such as Cisco Next-Generation Firewalls and Advanced Malware Protection (AMP), can detect and react to sophisticated threats.

**Example Configuration**

![image](https://hackmd.io/_uploads/r1Qj3TtVkx.png)

The figure illustrates rules applied to an ACL for ICMP traffic. Key ACL rules include:

- Allowing ICMP echo replies, source-quench messages, and unreachable errors.
- Denying any other ICMP traffic.

This prevents outside hosts from initiating pings but allows troubleshooting-related ICMP messages.

---

#### **19.2.2 Network Address Translation (NAT) and Port Address Translation (PAT)**

**Overview**

NAT and PAT mask internal IP addresses by translating them into one or more public addresses. This hides the internal structure of the network from external observers.

**Challenges for Security Monitoring**

1. **Address Mapping**:
   - Internal addresses (e.g., `192.168.10.10`) are mapped to external addresses (e.g., `209.165.200.226`).
   - PAT may assign multiple internal hosts to the same external IP, making it difficult to trace traffic back to specific devices.
2. **NetFlow Limitations**:
   - NetFlow records are unidirectional and are keyed on addresses and ports, so a flow is effectively broken at a NAT gateway, complicating flow analysis.

**Mitigation**

Cisco provides security products that can "stitch" flows together even when NAT breaks continuity, improving traceability and monitoring.
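What "stitching" a flow across a PAT gateway involves, as an added Python example that is not part of the course and not the logic of any Cisco product: a PAT translation table is used to rewrite outside-observed NetFlow-style records back to inside addresses and join them with the records seen inside. The translation table, the flow records, the 192.168.0.0/16 inside range, and the peer 203.0.113.5 are all constructed; 192.168.10.10 and 209.165.200.226 are the addresses used in the section above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one unidirectional NetFlow-style record: 5-tuple plus a byte count
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int

# Constructed PAT table of the gateway: (inside local IP, port) -> (inside global IP, port).
PAT_TABLE = {
    ("192.168.10.10", 51000): ("209.165.200.226", 40001),
    ("192.168.10.11", 51000): ("209.165.200.226", 40002),  # same inside port, other host
}
REVERSE_PAT = {v: k for k, v in PAT_TABLE.items()}

# Constructed records from a collector inside the gateway and one outside it.
INSIDE_FLOWS = [
    Flow("192.168.10.10", 51000, "203.0.113.5", 443, "tcp", 1200),
    Flow("192.168.10.11", 51000, "203.0.113.5", 443, "tcp", 900),
]
OUTSIDE_FLOWS = [
    Flow("209.165.200.226", 40001, "203.0.113.5", 443, "tcp", 1200),
    Flow("203.0.113.5", 443, "209.165.200.226", 40001, "tcp", 348000),  # return traffic
    Flow("209.165.200.226", 40002, "203.0.113.5", 443, "tcp", 900),
]

def untranslate(flow):
    """Rewrite an outside-observed flow in inside-address terms; None if the PAT table has no entry."""
    if (flow.src, flow.sport) in REVERSE_PAT:
        ip, port = REVERSE_PAT[(flow.src, flow.sport)]
        return Flow(ip, port, flow.dst, flow.dport, flow.proto, flow.nbytes)
    if (flow.dst, flow.dport) in REVERSE_PAT:
        ip, port = REVERSE_PAT[(flow.dst, flow.dport)]
        return Flow(flow.src, flow.sport, ip, port, flow.proto, flow.nbytes)
    return None

def stitch(inside_flows, outside_flows):
    """Join inside records with untranslated outside records into per-inside-host conversations.

    Assumption: inside hosts live in 192.168.0.0/16. Returns {host: {sent, received, peers}}.
    """
    seen = {}
    for f in list(inside_flows) + [u for u in map(untranslate, outside_flows) if u]:
        seen.setdefault((f.src, f.sport, f.dst, f.dport, f.proto), f)  # seen on both sides: count once
    convs = {}
    for f in seen.values():
        if f.src.startswith("192.168."):
            host, peer, direction = f.src, f.dst, "sent"
        else:
            host, peer, direction = f.dst, f.src, "received"
        c = convs.setdefault(host, {"sent": 0, "received": 0, "peers": set()})
        c[direction] += f.nbytes
        c["peers"].add(peer)
    return convs
```

Without the translation table, both outside flows to 203.0.113.5 would be attributed to 209.165.200.226 and the 348000 bytes of return traffic could not be tied to 192.168.10.10.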
![image](https://hackmd.io/_uploads/HkQ16TY41g.png)

---

#### **19.2.3 Encryption, Encapsulation, and Tunneling**

**Overview**

Encryption secures data by making it unreadable to unauthorized parties. It is commonly used in:

- HTTPS to protect web traffic.
- VPNs to create virtual private connections over public networks.

**Challenges**

Encryption can also be exploited by threat actors to:

- Create encrypted tunnels for data exfiltration.
- Mask malicious activities from network monitoring tools.

**Example**

Malware can establish encrypted connections using common protocols like HTTPS or VPNs, making it difficult for analysts to detect and block threats.

---

#### **19.2.4 Peer-to-Peer Networking and Tor**

**Peer-to-Peer (P2P) Networking**

In P2P networking, hosts can act as both clients and servers. Applications include:

1. **File Sharing**: Examples include BitTorrent and Bitcoin.
   - **Security Risks**:
     - Circumvents firewall protections.
     - Distributes malware through infected files.
   - **Recommendation**: Prohibit file-sharing P2P applications on corporate networks.
2. **Processor Sharing**: Distributed computational tasks for scientific research.
3. **Instant Messaging (IM)**: Specialized IM platforms like Cisco Webex are more secure than public IM platforms.

![image](https://hackmd.io/_uploads/Skxf6at4yl.png)

**Tor Network**

Tor is a P2P network designed for anonymous browsing.

- **How It Works**:
  - Traffic is encrypted in multiple layers ("onion routing").
  - Each Tor relay only knows its immediate next hop, preventing full-path visibility.
- **Challenges for Analysts**:
  - Tor is frequently used on the dark web and for malware command-and-control (CnC) communication.
  - Because only the next-hop relay's IP is visible and the real destination is hidden by encryption, Tor traffic bypasses blocklists and is difficult to trace.

![image](https://hackmd.io/_uploads/BkO7paYEkl.png)

---

#### **19.2.5 Load Balancing**

**Overview**

Load balancing distributes network traffic across multiple resources to optimize performance and avoid overloading.
**Techniques**

1. **DNS-Based Load Balancing**:
   - Multiple IPs are assigned to a single domain name.
   - DNS servers direct traffic to resources based on load or geographical proximity.
2. **LBM Probes**:
   - Load Balancer Managers (LBMs) use probes to monitor resource availability and performance.
   - These probes may appear as suspicious traffic if their purpose is not understood.

**Challenges**

- **Packet Captures**:
  - Multiple IPs for a single transaction can create anomalies in packet analysis.
- **Security Implications**:
  - Misinterpretation of LBM probes as malicious activity.

Load balancing improves network efficiency but requires analysts to understand its behavior to distinguish legitimate traffic from potential threats.

![image](https://hackmd.io/_uploads/rJ9rTatNyg.png)

>[!Warning]Recap
>ACLs can give a false sense of security if they are overly relied upon. Attackers can determine which IP addresses, protocols, and ports are allowed by ACLs. This can be done either by port scanning or penetration testing, or through other forms of reconnaissance. Attackers can craft packets that use spoofed source IP addresses. Applications can establish connections on arbitrary ports. Other features of protocol traffic can also be manipulated, such as the established flag in TCP segments. Rules cannot be anticipated and configured for all emerging packet manipulation techniques.
>
>Network Address Translation (NAT) and Port Address Translation (PAT) can complicate security monitoring. Multiple IP addresses are mapped to one or more public addresses that are visible on the internet, hiding the individual IP addresses that are inside the network (inside addresses). This problem can be especially relevant with NetFlow data. NetFlow flows are unidirectional and are defined by the addresses and ports that they share. NAT will essentially break a flow that passes a NAT gateway, making flow information beyond that point unavailable.
>
>Encryption can present challenges to security monitoring by making packet details unreadable. Encryption is part of VPN technologies. In VPNs, a commonplace protocol, like IP, is used to carry encrypted traffic. The encrypted traffic essentially establishes a virtual point-to-point connection between networks over public facilities. Encryption makes the traffic unreadable to any other devices but the VPN endpoints. A similar technology can be used to create a virtual point-to-point connection between an internal host and threat actor devices. Malware can establish an encrypted tunnel that rides on a common and trusted protocol and use it to exfiltrate data from the network.
>
>In peer-to-peer (P2P) networking, hosts can operate in both client and server roles. Three types of P2P applications exist: file sharing, processor sharing, and instant messaging. In file sharing P2P, files on a participating machine are shared with members of the P2P network. Any time that unknown users are provided access to network resources, security is a concern. File-sharing P2P applications should not be allowed on corporate networks. P2P network activity can circumvent firewall protections and is a common vector for the spread of malware. P2P is inherently dynamic. Shared files are often infected with malware, and threat actors can position their malware on P2P clients for distribution to other users.
>
>Tor is a software platform and network of P2P hosts that function as internet routers on the Tor network. This allows users to browse the internet anonymously. Users access the Tor network by using a special browser. The browser constructs a layered end-to-end path across the Tor server network that is encrypted. Each encrypted layer is “peeled away” like the layers of an onion (hence “onion routing”) as the traffic traverses a Tor relay. The layers contain encrypted next-hop information that can only be read by the router that needs to read the information.
>When traffic is returned to the source, an encrypted layered path is again constructed. Tor presents a number of challenges to cybersecurity analysts. First, Tor is widely used by criminal organizations on the “dark net.” In addition, Tor has been used as a communications channel for malware CnC. Because the destination IP address of Tor traffic is obfuscated by encryption, with only the next-hop Tor node known, Tor traffic avoids block lists that have been configured on security devices.
>
>Load balancing involves the distribution of traffic between devices or network paths to prevent overwhelming network resources with too much traffic. One way this is done on the internet is through various techniques that use DNS to send traffic to resources that have the same domain name but multiple IP addresses. This can result in a single internet transaction being represented by multiple IP addresses on the incoming packets, which may cause suspicious features to appear in packet captures. Some load balancing manager (LBM) devices use probes to test for the performance of different paths and the health of different devices. These probes can appear to be suspicious traffic if the cybersecurity analyst is not aware that this traffic is part of the operation of the LBM.