Joint Network Defense Bulletin

Joint Network Defense Bulletin

BULLETIN INFORMATION

Network Defense against Data Compromise and Distributed Denial of Service

1/22/2020

ABOUT THIS BULLETIN

The Financial Services Information Sharing and Analysis Center (FS-ISAC) is responsible for issuing the Joint Network Defense Bulletin. The FS-ISAC consortium is the target of the Joint Network Defense Bulletin. This includes the Zurich Bank, which is part of the Swiss International Group that the Financial Services Information Sharing and Analysis Center represents. The Joint Network Defense Bulletin addresses the threats noted in the Swiss International Group network. This includes the vulnerabilities, threats, and recommendations provided by the FBI network analyst assigned to investigate the threats at Zurich Bank.

TECHNICAL DETAILS

The presence of various vulnerabilities in the Zurich Bank’s network led to the occurrence of two threats in the network. These threats include data compromise and the occurrence of a Distributed Denial of Service attack in the network. An attacker using malware to transfer the data in the network to an unauthorized destination performed the data compromise that occurred in the network. The lack of appropriate network security measures resulted in the occurrence of data compromise. The existence of a buffer overflow error in the software used by the organization allowed the attacker to implement an attack that included the installation of malware in the network. Due to the unavailability of a security mechanism to address the threat presented by the malware, the malware successfully executed and ended up transferring confidential data in the network to the destination defined by the attacker.

Another vulnerability exploited by the attacker was the lack of security measures to address the occurrence of a Denial of Service (DoS) attack in the network. This includes designing a system that addresses network congestion and implementing measures to prevent the execution of DoS attacks. Since the network used by Zurich Bank and the other banks owned by Swiss International Group does not have an architecture that prevents the occurrence of a DoS attack, the attacker exploited this vulnerability to execute the attack. Additionally, the security measures implemented by the organization, such as firewalls and access control lists, were not configured to address Denial of Service attacks. This vulnerability allowed the attacker to execute the DDoS attack. The various vulnerabilities noted in the Zurich Bank’s network prompted the need for the Joint Network Defense network to address the vulnerabilities and propose recommendations to prevent the occurrence of threats in the networks.

The major impact of data compromise and exfiltration is the loss of data confidentiality. When the data was accessed by an unauthorized individual and transferred to an unauthorized destination, confidential information could also have been transferred out of the network. The loss of data confidentiality causes the bank’s stakeholders to lose trust in the organization’s ability to ensure data privacy in the network. Additionally, data compromise can lead to intellectual property information being available to the organization’s competitors. Stahie (2020) notes that the occurrence of an attack in a bank that results in loss of data confidentiality would lead to the bank suffering from reputational losses that would challenge the organization when trying to recover from the attack. The major impact of the Distributed Denial of Service attack is the prevention of network access for authorized network users. This prevents the organization’s customers from performing transactions which not only inconveniences the customers but also prevents the organization from making any profit during the period.

SUPPORTING DATA

The occurrence of a Distributed Denial of Service attack was detected through analysis of the traffic in the network. Several spikes in traffic, which did not occur before the DDoS attack, were noted.

The increased traffic was noted to originate from port 53, which is used by the Domain Name System (DNS) using the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). By using the unconfigured port, the attacker was able to bypass the packet filtering conducted by the firewall and execute the attacks.

RECOMMENDATIONS

One of the proposed solutions to prevent unauthorized access into the network is configuring the firewall and the access control lists to block DNS requests using port 53 and originating from outside the organization’s network (Swedan et al., 2018). Additionally, the firewalls can be configured to detect anomalous traffic in the network and block it. A data security measure that can be implemented to prevent data compromise is the encryption of data in the network. Data encryption in the network ensures that despite the attackers gaining access to the data in the network, they would not be able to use it. DDoS attacks in the network can be prevented through the purchase of additional bandwidth as well as the distribution of servers used in the network. (Burke, 2018) The purchase of additional bandwidth ensures that despite the attackers’ efforts to flood the organization’s network, the network is capable of handling the spikes in traffic. The distribution of servers ensures that even when the attacker compromises some servers, other servers remain functional and can be accessed by authorized network users.

REPORTING EVENTS

Phone:

Email:

References

Burke, D. (2018). Preventing DDOS Attacks against IoT Devices (Doctoral dissertation, Utica College).

Stahie, S. (2020). Entire U.S. Banking Sector Would Suffer Greatly If Even Just One Major Bank Is Compromised. Retrieved January 22, 2020, from https://securityboulevard.com/2020/01/entire-u-s-banking-sector-would-suffer-greatly-if-even-just-one-major-bank-is-compromised/

Swedan, A., Khuffash, A. N., Othman, O., & Awad, A. (2018). Detection And Prevention Of Malicious Cryptocurrency Mining On Internet-Connected Devices. In Proceedings Of The 2nd International Conference On Future Networks And Distributed Systems (pp. 1-10).

ORDER A PLAGIARISM-FREE PAPER HERE

We’ll write everything from scratch

---

Project 2 instructions

Project 2: Introduction to Packet Capture and Intrusion Detection/Prevention Systems

Network traffic analysis and monitoring help distinguish legitimate traffic from malicious traffic.

Network administrators must protect networks from intrusions. This can be done using tools and techniques that use past traffic data to determine what should be allowed and what should be blocked. In the face of constantly evolving threats to networks, network administrators must ensure their intrusion detection and prevention systems are able to analyze, monitor, and even prevent these advanced threats.

In this project, you will research network intrusion and prevention systems and understand their use in a network environment. You will also use monitoring and analysis technologies in the Workspace to compile a Malicious Network Activity Report for financial institutions and a Joint Network Defense Bulletin for a financial services consortium.

The following are the deliverables for this project:

Deliverables

• Malicious Network Activity Report: An eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
• Joint Network Defense Bulletin: A one- to two-page double-spaced document.

Step 1: Create a Network Architecture Overview

As part of your assignment to report on prevention methods and remediation techniques for the banking industry, you would have to travel to the various bank locations and gain access to their networks. However, you must first understand the network architecture of these banks.

Provide a network architecture overview along with diagrams. Your overview can be fictitious or based on an actual organization. The goal is to provide an understanding of the network architecture.

Describe the various data transmission components. Select the links below to review them:

1. User Datagram Protocol (UDP)
2. Transmission Control Protocol/Internet Protocol (TCP/IP)
3. internet packets
4. IP address schemes
5. well-known ports and applications

Address the meaning and relevance of information, such as:

1. the sender or source that transmits a message
2. the encoder used to code messages
3. the medium or channel that carries the message
4. the decoding mechanisms used
5. the receiver or destination of the messages

Describe:

1. the intrusion detection system (IDS)
2. the intrusion prevention system (IPS)
3. the firewalls that have been established
4. the link between the operating systems, the software, and hardware components in the network, firewall, and IDS that make up the network defense implementation of the banks’ networks.

Identify:

1. how banks use firewalls
2. how banks use IDSs
3. the difference between these technologies

Include:

1. the network infrastructure information
2. the IP address schemes that will involve the IP addressing assignment model
3. the public and private addressing and address allocations
4. potential risks in setting up the IP addressing scheme

Here are some resources to review:

• intrusion detection and prevention (IDS/IPS) systems
• firewalls

Identify:

1. any well-known ports and applications that are used
2. risks associated with those ports and applications being identified and possibly targeted

Add your overview to your report.

In the next step, you will identify network attacks and ways to monitor systems to prevent these attacks.

Step 2: Identify Network Attacks

In the previous step, you provided an overview of the network architecture. In this step, you will identify possible cyberattacks such as spoofing/cache poisoning, session hijacking, and man-in-the-middle attacks.

Provide techniques for monitoring these attacks using knowledge acquired in the previous step. Review the following resources to gain a better understanding of these particular cyberattacks:

• Session hijacking: spoofing/cache poisoning attacks
• Man-in-the-middle attacks

One way to monitor and learn about malicious activities on a network is to create honeypots.

Propose a honeypot environment to lure hackers to the network and include the following in your proposal:

1. Describe a honeypot.
2. Explain how a honeypot environment is set up.
3. Explain the security and protection mechanisms a bank would need for a honeypot.
4. Discuss some network traffic indicators that will tell you that your honeypot trap is working.

Include this information in your final report. However, do not include this information in the bulletin to prevent hackers from being alerted about these defenses.

Then, continue to the next step, where you will identify false negatives and positives.

Step 3: Identify False Positives and False Negatives

You just identified possible information security attacks. Now, identify the risks to network traffic analysis and remediation. Review the resources on false positives and false negatives and discuss the following:

1. Identify what are false positives and false negatives.
2. How are false positives and false negatives determined?
3. How are false positives and false negatives tested?
4. Which is riskier to the health of the network, a false positive or a false negative?

Describe your analysis about testing for false negatives and false positives using tools such as IDSs and firewalls, and include this as recommendations for the banks in your public service Joint Network Defense Bulletin.

Discuss the concept of performing statistical analysis of false positives and false negatives.

Explain how banks can reduce these issues.

Research possible ways to reduce these events and include this information as recommendations in the Malicious Network Activity Report.

Network intrusion analysis is often done with a tool such as Snort. Snort is a free and open-source intrusion detection/prevention system program. It is used for detecting and preventing malicious traffic and attacks on networks, analysis, and education. Such identification can be used to design signatures for the IDS, as well as to program the IDS to block this known bad traffic.

Network traffic analysis is often done using tools such as Wireshark. Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development and education. Cybersecurity professionals must know how to perform network forensics analysis.

In the next step, you will analyze network traffic.

Step 4: Analyze Network Traffic

In the previous step, you identified and analyzed risks related to false negatives and false positives. For this step, you will analyze network traffic, conduct network forensics analysis, and identify malicious network addresses.

Enter Workspace and perform the network traffic analysis. During this step, you will also develop proposed rules to prevent against known malicious sites and to test for these signatures.

his program of study has exposed you to a variety of cybersecurity tools. Can you summarize what these tools do? Can you discuss their use in new situations? Can you do this for both technical and nontechnical staff?

As you progress in your career, you will likely need to sway people who hold authority over cybersecurity decisions. These people may know very little about cybersecurity, but they will understand their own goals within the organization.

It’s not enough to just be well-versed on the technical side; sometimes you must be able to explain in understandable terms how a computing platform will be affected by a breach.

Step 5: Determine Sensitivity of Your Analysis

In the previous step, you completed network analysis. In this step, you will determine which information to include in which document.

Information appropriate for internal consumption may not be appropriate for public consumption. The Joint Network Defense Bulletin may alert criminals of the network defense strategy. Therefore, be careful about what you include in this bulletin.

Once you have assessed the sensitivity of the information, include appropriate information in your Malicious Network Activity Report.

Then, include appropriate information in the Joint Network Defense Bulletin in a way that educates the financial services consortium of the threat and the mitigating activities necessary to protect against that threat.

Step 6: Explain Other Detection Tools and Techniques

In the previous step, you included appropriate information in the proper document. In this step, perform independent research and briefly discuss what other tools and techniques may be used to detect these signatures.

Provide enough detail so that a bank network administrator could follow your explanation to deploy your system in production. Include this information in the Joint Network Defense Bulletin.

Next, move to the next step, where you will organize and complete your report.

Step 7: Complete Malicious Network Activity Report

Now that you have gathered all the data for your Malicious Network Activity Report, it is time to organize your report. The following is a suggested outline:

1. Introduction: Describe the banking institution and the issue you will be examining.
2. Overview of the Network Architecture
3. Network Attacks
4. Network Traffic Analysis and Results
5. Other Detection Tools and Techniques
6. Recommended Remediation Strategies

Submit your report to the Assignments folder in the final step. You are now ready for the last piece of this project, the Joint Network Defense Bulletin.

Step 8: Create the Joint Network Defense Bulletin

In this step, you will create the Joint Network Defense Bulletin. Compile the information you have gathered, taking care to eliminate any sensitive bank-specific information. The Joint Network Defense Bulletin is an educational document for the financial services consortium. This bulletin should be addressed to the FBI chief and the FS-ISAC representative.

Here is a list of the final deliverables for Project 2.

Deliverables

• Malicious Network Activity Report: An eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
• Joint Network Defense Bulletin: A one- to two-page double-spaced document.

Submit all deliverables to the Assignments folder below.

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.

Check Your Evaluation Criteria

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title

• 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
• 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
• 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
• 1.4: Tailor communications to the audience.
• 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
• 2.2: Locate and access sufficient information to investigate the issue or problem.
• 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
• 2.4: Consider and analyze information in context to the issue or problem.
• 2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
• 5.3: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.
• 8.1: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.
• 8.2: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence approporiately.
• 8.4: Possess knowledge of proper and effective communication in case of an incident or crisis.
• 8.5: Obtain knowledge and skills to conduct a post:mortem analysis of an incident and provide sound recommendations for business continuity.
• 9.1: Knowledge of the Information Technology industry, its systems, platforms, tools, and technologies.