
Malicious Network Activity Report

1.0. Description Of Event

The Swiss International Group noted various threats compromising the security implemented in the different banks belonging to the international banking company. Since the Financial Services Information Sharing and Analysis Center (FS-ISAC) represents the Swiss International Group, a representative from FS-ISAC requested the FBI Chief Network Defense Liaison to the FS-ISAC to provide a network analyst to look into the suspected threats. The investigation carried out at Zurich Bank, one of the banks belonging to the Swiss International Group and located in Lanham, Maryland, confirmed the presence of a data compromise and a Distributed Denial of Service (DDoS) attack at the institution.

2.0. Cyber Security Response

2.1. Role

As a network analyst working for the FBI, I was assigned by the FBI Chief Network Defense Liaison to investigate the data compromise and the potential Distributed Denial of Service (DDoS) attack reported through the FS-ISAC.

2.2. Information Attacks

The two major information attacks the Swiss International Group suspected to have occurred in the organization are the compromise of data in the organization’s network and the execution of a Distributed Denial of Service attack. While the data compromise led to a loss of data confidentiality, the DDoS attack led to a loss of availability in the network. A data compromise occurs when an attacker gains unauthorized access to a network; that access makes it possible for the attacker to steal data from the network. A DDoS attack floods the network with traffic, making it impossible for authorized users to carry out their activities on the network.

2.3. Cyber-attack Methods

A Distributed Denial of Service attack is implemented by increasing the network traffic to a point where the network is no longer capable of transmitting it successfully. To achieve this, an attacker creates a botnet by infecting multiple computers with malware; using the botnet, the attacker drives up the traffic in the network, which produces the DDoS condition. Data compromise in the network can be carried out through various means, including session hijacking, social engineering, and man-in-the-middle attacks. Session hijacking is the manipulation of a valid session, in which the attacker gains unauthorized access to a computer system by posing as the authorized individual in that session. Social engineering attacks are scenarios in which the attacker manipulates an authorized network user into revealing their network authentication credentials; with those credentials, the attacker can gain access to the network. In a man-in-the-middle attack, the attacker eavesdrops by positioning themselves between authorized network users or network components, which compromises the confidentiality of the data.

3.0. Target and Profile

The consortium of banks refers to the different banks in various locations that belong to a specific organization. In this case, the Swiss International Group is the organization that manages the various banks located in different countries. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is responsible for analyzing potential cyber and physical threats in the financial industry and sharing the information with other actors in the financial industry. Zurich Bank is one of the banks managed by the Swiss International Group. While the Swiss International Group headquarters is in Geneva, Switzerland, Zurich Bank is in Lanham, Maryland.

4.0. Overview of Target Banking Institution Network Architecture

The network of Zurich Bank is a local area network connected to a wide area network that comprises other local area networks of banks managed by the Swiss International Group. The members of Zurich Bank access the network through either wired connections or wireless connections. The network also consists of a web server, a database server, and a mail server. As a security measure, the various servers in the network are located between two firewalls. Additionally, an Intrusion Detection System (IDS) and an intrusion prevention system (IPS) are located between the inner and outer firewalls. A router connects the local area network of Zurich Bank with other local area networks through the Internet.

The primary use of the User Datagram Protocol (UDP) is the establishment of low-latency and loss-tolerant connections. Some DDoS attacks are built on UDP and are called UDP DDoS (UDP flood) attacks. They rely on the fact that sending an erroneous UDP packet to a given resource draws an ICMP Destination Unreachable packet in return; the message returned is, in effect, “Error, Return to Sender” (Silberschatz, Galvin, and Gagne, 2006). Flooding the targeted site with UDP packets therefore produces a corresponding flood of ICMP Destination Unreachable packets out of it, and the network becomes unavailable to authorized users.

The Transmission Control Protocol/Internet Protocol (TCP/IP) suite facilitates communication between two or more computers. Within this communication, a mechanism called pushback is useful in defending against DDoS attacks that take the form of network congestion. The congestion originates from malicious hosts that disobey the universal end-to-end congestion control (Bauer & Bernroider, 2017). The routers are fitted with the functionality needed to detect and selectively drop potentially harmful packets. Client puzzles are a further way of countering DDoS attacks: a client puzzle checks the legitimacy of a host by issuing a puzzle that the suspected host must solve. A hybrid scheme, router-based pushback, combines the two approaches by pushing the puzzle-solving check out to the routers.

DDoS attacks are measured in terms of bandwidth consumed per unit of time. Mitigating them, however, calls for looking at the absolute number of packets that enter a network or website. DDoS attacks deplete all the available network bandwidth. The network resources take two main forms: network capacity and network infrastructure. The former avoids congestion of the network pipe by provisioning a large network capacity, which is an expensive exercise; the DDoS protection capacity should exceed the largest DDoS attack to render the attack volume ineffective (Silberschatz et al., 2006). The network infrastructure, on the other hand, comprises all the mitigation appliances, such as routers and switches, which evaluate the headers of every packet.

DDoS attacks are very harmful to all the servers on the network. Normal flows and attack flows pursue different goals and therefore produce different features on IP addresses. The IP Address Interaction Feature algorithm relies on interaction, traffic changes, dissymmetry, and the target address (Omariba et al., 2012) and is intended to describe the basic features of network flow states. An SVM classifier then classifies the network flows and identifies the DDoS attacks.
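The following Python script is an added example, not part of the report or of any cited work. It computes, from constructed packet records, the features named above (interaction, traffic change, dissymmetry, and the target address) per destination and flags a window in which many sources send UDP that the target answers only with ICMP Destination Unreachable, which is the UDP flood pattern described in the UDP paragraph. A fixed threshold rule stands in for the SVM classifier; the addresses, thresholds, and sample capture are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One captured packet (constructed records, not a real capture)."""
    ts: float            # capture time in seconds
    src: str
    dst: str
    proto: str           # "udp" or "icmp"
    icmp_type: int = -1  # 3 = ICMP Destination Unreachable

def window_features(packets, window=1.0):
    """Per fixed time window, compute the IP interaction features per host.

    interaction      - distinct sources that sent UDP to the host
    traffic_change   - UDP packets received minus the previous window's count
    dissymmetry      - UDP received versus UDP sent back (+1 avoids /0)
    icmp_unreach_out - ICMP Destination Unreachable packets the host emitted
    """
    raw = defaultdict(lambda: defaultdict(
        lambda: {"sources": set(), "udp_in": 0, "udp_out": 0, "icmp_unreach_out": 0}))
    for p in packets:
        w = int(p.ts // window)
        if p.proto == "udp":
            raw[w][p.dst]["sources"].add(p.src)
            raw[w][p.dst]["udp_in"] += 1
            raw[w][p.src]["udp_out"] += 1
        elif p.proto == "icmp" and p.icmp_type == 3:
            # the host emitting the error is the one receiving the datagrams
            raw[w][p.src]["icmp_unreach_out"] += 1
    feats = {}
    for w in sorted(raw):
        feats[w] = {}
        for host, f in raw[w].items():
            prev = feats.get(w - 1, {}).get(host, {}).get("udp_in", 0)
            feats[w][host] = {
                "interaction": len(f["sources"]),
                "udp_in": f["udp_in"],
                "traffic_change": f["udp_in"] - prev,
                "dissymmetry": f["udp_in"] / (f["udp_out"] + 1),
                "icmp_unreach_out": f["icmp_unreach_out"],
            }
    return feats

def detect_udp_flood(packets, window=1.0, min_sources=5,
                     min_dissymmetry=10.0, min_icmp=10):
    """Threshold rule standing in for the SVM classifier the report cites.

    Returns (window, target, features) for every host whose inbound UDP is
    many-to-one, unanswered by UDP replies, and mirrored by ICMP errors.
    """
    alerts = []
    for w, hosts in window_features(packets, window).items():
        for host, f in hosts.items():
            if (f["interaction"] >= min_sources
                    and f["dissymmetry"] >= min_dissymmetry
                    and f["icmp_unreach_out"] >= min_icmp):
                alerts.append((w, host, f))
    return alerts

def build_sample(target="10.0.0.5"):
    """Constructed capture: one second of normal UDP traffic, then a flood."""
    pkts = []
    # window 0: three internal clients each send 2 datagrams and get 2 replies
    for i, client in enumerate(["192.168.1.10", "192.168.1.11", "192.168.1.12"]):
        for k in range(2):
            t = 0.1 + 0.1 * (2 * i + k)           # all inside [0, 1)
            pkts.append(Packet(t, client, target, "udp"))
            pkts.append(Packet(t + 0.01, target, client, "udp"))
    # window 1: twenty sources each send 3 datagrams to closed ports and the
    # target answers every one with ICMP Destination Unreachable (type 3)
    for i in range(20):
        bot = f"203.0.113.{i + 1}"
        for k in range(3):
            t = 1.1 + 0.01 * (3 * i + k)          # all inside [1, 2)
            pkts.append(Packet(t, bot, target, "udp"))
            pkts.append(Packet(t + 0.001, target, bot, "icmp", icmp_type=3))
    return pkts
```

Running detect_udp_flood(build_sample()) reports only window 1 against 10.0.0.5; the normal first second produces no alert because the target answers its clients with UDP, not ICMP errors.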

Today’s dynamic packet filtering firewalls analyze header information up to the application layer. Zurich Bank sets up a system that compares outgoing packets with the incoming packets destined for the source internal computer: the firewall permits the packet flow if the packet information matches the data from the outgoing packets and otherwise blocks the packet and its flow. The bank operates within specific hours, so the IDS is given a customized plan for opening hours, closing hours, and after-hours; during opening and closing, the intrusion detection systems are especially useful. A firewall blocks unauthorized access into a networked environment while permitting authorized communications, whereas IDS/IPSs detect and report intrusion attempts into the network.

The Linux operating system and Microsoft Windows form the basis of the implemented network defense. It is important to identify them because their vulnerability to attacks informs the choice of where each is used. Linux is used to control attacks that are aimed at consuming significant network bandwidth. Windows, on the other hand, can connect to a C&C server through the domain name while communicating on a different port. The bank configures its network depending on the number of machines to be supported, and subdivides it into subnets whenever necessary, depending on the network class, network number, and IP address scheme. Static allocation is applicable since it allows the network administrator to choose the IP address assigned to each client. Zurich Bank meets the public and private addressing requirements by using the DHCP protocol for every device within the network.

Potential risks in setting up the IP address scheme give room for the legitimate owner of an address to set up malicious services on it, so users may end up accessing malicious IP addresses while using the bank’s VPN range. Address covering monitors the incoming traffic to the bank’s website by permitting legitimate traffic through while denying access to illegitimate processes. The bank handles deposits, loans, credit processing, opening new accounts, loan servicing, and customer relationship management. Service ports and tool ports are the basic, well-known ports associated with the bank’s services and applications. The operation of the bank is never smooth; it is marred by risks that include credit, market, operational, liquidity, reputational, systematic, moral hazard, and business risks. These services form the basis of the bank’s operations, so there is a high chance that they are the ones to be targeted. There is a need to cover the applications: covering minimizes the chances of losing information to attackers and, in turn, improves client loyalty once clients realize that their details are kept confidential.

Honeypots are decoy systems within the network for tracking unconventional hacking techniques. The philosophy behind their use is to engage and deceive hackers in order to identify the malicious activities attackers may perform over the Internet. The target bank has a honeypot. The honeypot sits between the source and destination addresses because malware propagates to the nearest IP addresses (Silberschatz et al., 2006).

5.0. Network Traffic Monitoring and Results

5.1. False Negative and False Positive

Christodorescu and Jha (2004) provide a framework for testing malware detectors. They point out that sound techniques are important in evaluating malware detection, and their main goal is to evaluate the resilience of malware detectors against the techniques hackers commonly use. Understanding false positives and false negatives is the first step towards understanding how they happen. A false positive marks a test as failed even though the functionality is fine; a test tool may report an “SQL Injection vulnerability” when SQL injection is impossible (Christodorescu & Jha, 2004), which leads to conflicts. The best way to handle false positives is to review the report properly, checking each reported bug for confirmation. A false negative, on the other hand, marks a test as passed even though it failed. False negatives are riskier to the network: in automated testing, the tool may not test properly because of the type of system used, which is dangerous because it leaves web applications vulnerable to attack by hackers. The bank should therefore combine manual and automated testing. Manually, the bank should add a verification process to find any hidden bugs; for automated testing, the users should note every tool they use and understand the techniques that can reduce the occurrence of false negatives.

On a normal NIDS sensor, only about 10% of alarms correspond to true security events, while an average alarm rate of 60% is considered normal (Timm, 2001). Since a false negative is riskier, prompt action should be taken to reduce the conditions that produce it while closely observing the quantity of false positives. The bank therefore uses three IDS designs. Firstly, signature-based NIDS is handy because it relies strongly on signature-oriented detection. Secondly, anomaly-based NIDS triggers alarms whenever there are unusual activities. The last one is protocol modeling, which analyzes network traffic for abnormal protocol activity and raises an alert on that traffic (Timm, 2001).
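As an added example (not from the report or from Timm’s article), the Python script below shows how the false positive/false negative trade-off of an anomaly-based NIDS can be analyzed statistically: a packet-rate threshold is swept over constructed, labelled per-source traffic rates, the confusion matrix is computed at each setting, and the threshold is chosen by a cost that weights a missed attack more heavily than a false alarm. The samples, candidate thresholds, and cost weights are all constructed.

```python
# Constructed, labelled samples: (packets per second from one source, is_attack)
SAMPLES = [
    (12, False), (18, False), (25, False), (30, False), (41, False),
    (55, False), (60, False), (72, False), (95, False), (130, False),
    (80, True), (110, True), (150, True), (240, True), (600, True),
]
CANDIDATES = [50, 75, 100, 125, 200]   # thresholds (packets/s) to try

def confusion(samples, threshold):
    """Confusion matrix for the rule 'alert when rate > threshold'."""
    cm = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for rate, is_attack in samples:
        alert = rate > threshold
        if alert and is_attack:
            cm["tp"] += 1          # real attack, alarm raised
        elif alert:
            cm["fp"] += 1          # benign source, alarm raised (false positive)
        elif is_attack:
            cm["fn"] += 1          # attack missed (false negative)
        else:
            cm["tn"] += 1
    return cm

def rates(cm):
    """False positive rate, false negative rate and alarm precision."""
    negatives = cm["fp"] + cm["tn"]
    positives = cm["tp"] + cm["fn"]
    alarms = cm["tp"] + cm["fp"]
    return {
        "fpr": cm["fp"] / negatives if negatives else 0.0,
        "fnr": cm["fn"] / positives if positives else 0.0,
        # share of alarms that were real: the figure an analyst triages against
        "precision": cm["tp"] / alarms if alarms else 0.0,
    }

def best_threshold(samples, candidates, fn_cost=5.0, fp_cost=1.0):
    """Pick the threshold with the lowest weighted error cost.

    fn_cost > fp_cost encodes the report's position that a missed attack
    costs more than a false alarm an analyst has to dismiss.
    Returns (threshold, cost, confusion matrix).
    """
    best = None
    for t in candidates:
        cm = confusion(samples, t)
        cost = fn_cost * cm["fn"] + fp_cost * cm["fp"]
        if best is None or cost < best[1]:
            best = (t, cost, cm)
    return best

def sweep(samples, candidates):
    """Table of (threshold, fp, fn, fpr, fnr) for every candidate threshold."""
    rows = []
    for t in candidates:
        cm = confusion(samples, t)
        r = rates(cm)
        rows.append((t, cm["fp"], cm["fn"], round(r["fpr"], 2), round(r["fnr"], 2)))
    return rows
```

With the constructed data, weighting a miss five times a false alarm selects 75 packets/s (two false alarms, no misses), whereas weighting a miss at half a false alarm pushes the choice up to 100 packets/s and accepts a missed attack.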

5.2 Anomalous Source and Destination IP Address

Various risks are associated with network traffic. When attackers use encryption, they find it easy to control a compromised device and can operate for a long time before they are detected and remedied. Another problem is ransomware. Ransomware is a threat that depends heavily on humans for its execution and can therefore easily reduce the organization’s productivity when the human factor is missing or inefficient (Korowajczuk, 2011). The organization is responsible for addressing the problems associated with network traffic. Measures towards this goal include monitoring bottlenecks, updating both software and firmware, upgrading the network regularly, using VLANs to segment low-priority traffic, and checking for viruses or system defects (Korowajczuk, 2011).

Distributed Denial of Service (DDoS) attacks are harmful to an organization, and every organization should find better ways to deal with this problem. The first and easiest way is to purchase more bandwidth to handle traffic spikes. Another way is to build redundancy into the infrastructure, spreading servers across multiple data centers with stable load-balancing systems. An organization can also configure its network hardware against DDoS attacks; for example, a firewall can be used to block all responses that originate from outside the organization’s network (Praseed & Thilagam, 2018).

6.0 Recommended Remediation Strategies

Purchasing More Bandwidth

There is a need to acquire more bandwidth to handle traffic spikes. Bandwidth defines the rate of the network and internet connection; it gives the exact measure of the data that can be sent over a given connection within a specified timeframe. Adding bandwidth is quite expensive, but relatively cheap compared with the losses it is meant to prevent. The step is easy to implement because it requires no additional training time for the organization’s staff. The technique is not entirely efficient on its own, but it burdens the attackers by raising the bar they must overcome before launching a successful DDoS attack (Burke, 2018).

Implementing Network Redundancy Into the Infrastructure

Distributed Denial of Service attacks can be mitigated by implementing network redundancy. This involves spreading all the servers across multiple data centers with stable load-balancing systems (Burke, 2018). It calls for the installation of alternative or additional network devices, and additional communication media and infrastructure may also be needed. The arrangement preserves availability whenever a path or device fails. The network needs to be fully redundant, including all associated devices and tools, and its complexity should be kept minimal, since a complicated network is likely to come with issues that are difficult to diagnose. The technique calls for data centers in different locations, each connected to a different network. The geographical and topographical distribution of the servers reduces their vulnerability (Burke, 2018): only a few servers are exposed to a given attack, the majority remain unaffected, and the unaffected servers can absorb the traffic the affected ones would have handled.

Configuring the Network Hardware Against DDoS Attacks

Several simple hardware configurations may be adopted to overcome DDoS attacks. One such measure is to configure the firewall and router to ignore any incoming ICMP packets. Another is for the firewall and router to block all DNS responses that originate from outside the organization’s network, which prevents several DNS-based attacks (Swedan et al., 2018).
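The Python simulation below is an added example, not the bank’s firewall or any vendor’s code. It models the dynamic packet filtering check described in section 4.0 (inbound packets are admitted when they match a connection an internal host opened) together with the two hardware rules recommended here: dropping all inbound ICMP, and dropping DNS responses from outside that answer no internal query. The internal range, the published web and mail services, and the sample traffic are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the bank's internal range and the services it
# deliberately publishes (web and mail servers from the architecture overview).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PUBLISHED = {("10.0.1.10", "tcp", 443), ("10.0.1.20", "tcp", 25)}

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

class StatefulFilter:
    """Minimal dynamic (stateful) packet filter.

    Outbound packets record a 5-tuple; an inbound packet is admitted only if
    it answers one of those, or reaches a published service. Before either
    check, two static rules apply: drop every inbound ICMP packet, and drop
    DNS responses (UDP source port 53) that no internal host asked for.
    """

    def __init__(self):
        # (proto, internal ip, internal port, remote ip, remote port)
        self.state = set()

    def handle(self, p):
        """Return (verdict, reason) for one packet and update the state table."""
        if is_internal(p.src) and not is_internal(p.dst):
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return ("allow", "outbound")
        if is_internal(p.src) or not is_internal(p.dst):
            return ("allow", "not-crossing-perimeter")   # out of scope here
        if p.proto == "icmp":
            return ("drop", "inbound-icmp")               # rule: ignore incoming ICMP
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return ("allow", "state-match")               # reply to an internal request
        if p.proto == "udp" and p.sport == 53:
            return ("drop", "unsolicited-dns-response")   # rule: outside DNS answers
        if (p.dst, p.proto, p.dport) in PUBLISHED:
            return ("allow", "published-service")
        return ("drop", "default-deny")

def run_sample():
    """Constructed traffic run through a fresh filter; returns the verdicts."""
    fw = StatefulFilter()
    traffic = [
        Pkt("10.0.5.7", "203.0.113.9", "udp", 40001, 53),      # internal DNS query out
        Pkt("203.0.113.9", "10.0.5.7", "udp", 53, 40001),      # its answer
        Pkt("198.51.100.4", "10.0.5.8", "udp", 53, 40002),     # DNS reply nobody asked for
        Pkt("198.51.100.4", "10.0.5.7", "icmp"),               # inbound ICMP
        Pkt("198.51.100.4", "10.0.1.10", "tcp", 51515, 443),   # customer to web server
        Pkt("198.51.100.4", "10.0.1.30", "tcp", 51516, 3306),  # database port from outside
    ]
    return [fw.handle(p) for p in traffic]
```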

References

Bauer, S., & Bernroider, E. W. (2017). From information security awareness to reasoned compliant action: analyzing information security policy compliance in a large banking organization. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 48(3), 44-68.

Burke, D. (2018). Preventing DDOS Attacks against IoT Devices (Doctoral dissertation, Utica College).

Christodorescu, M., & Jha, S. (2004). Testing malware detectors. ACM SIGSOFT Software Engineering Notes, 29(4), 34-44.

Korowajczuk, L. (Ed.). (2011). LTE, WiMAX and WLAN network design, optimization and performance analysis. John Wiley & Sons.

Omariba, Z. B., Masese, N. B., & Wanyembi, G. (2012). Security and privacy of electronic banking. International Journal of Computer Science Issues (IJCSI), 9(4), 432.

Praseed, A., & Thilagam, P. S. (2018). DDoS attacks at the application layer: Challenges and research perspectives for safeguarding Web applications. IEEE Communications Surveys & Tutorials, 21(1), 661-685.

Silberschatz, A., Galvin, P. B., & Gagne, G. (2006). Operating system principles. John Wiley & Sons.

Swedan, A., Khuffash, A. N., Othman, O., & Awad, A. (2018, June). Detection and prevention of malicious cryptocurrency mining on internet-connected devices. In Proceedings of the 2nd International Conference on Future Networks and Distributed Systems (pp. 1-10).

Timm, K. (2001). Strategies to reduce false positives and false negatives in NIDS. http://securityfocus.com/infocus/1463


Question

Malicious Network Activity Report

Project 2 instructions

Project 2: Introduction to Packet Capture and Intrusion Detection/Prevention Systems

Network traffic analysis and monitoring help distinguish legitimate traffic from malicious traffic.

Network administrators must protect networks from intrusions. This can be done using tools and techniques that use past traffic data to determine what should be allowed and what should be blocked. In the face of constantly evolving threats to networks, network administrators must ensure their intrusion detection and prevention systems are able to analyze, monitor, and even prevent these advanced threats.

Malicious Network Activity Report

In this project, you will research network intrusion and prevention systems and understand their use in a network environment. You will also use monitoring and analysis technologies in the Workspace to compile a Malicious Network Activity Report for financial institutions and a Joint Network Defense Bulletin for a financial services consortium.

The following are the deliverables for this project:

Deliverables

Step 1: Create a Network Architecture Overview

As part of your assignment to report on prevention methods and remediation techniques for the banking industry, you would have to travel to the various bank locations and gain access to their networks. However, you must first understand the network architecture of these banks.

Provide a network architecture overview along with diagrams. Your overview can be fictitious or based on an actual organization. The goal is to provide an understanding of the network architecture.

Describe the various data transmission components:

  1. User Datagram Protocol (UDP)
  2. Transmission Control Protocol/Internet Protocol (TCP/IP)
  3. internet packets
  4. IP address schemes
  5. well-known ports and applications

Address the meaning and relevance of information, such as:

  1. the sender or source that transmits a message
  2. the encoder used to code messages
  3. the medium or channel that carries the message
  4. the decoding mechanisms used
  5. the receiver or destination of the messages

Describe:

  1. the intrusion detection system (IDS)
  2. the intrusion prevention system (IPS)
  3. the firewalls that have been established
  4. the link between the operating systems, the software, and hardware components in the network, firewall, and IDS that make up the network defense implementation of the banks’ networks.

Identify:

  1. how banks use firewalls
  2. how banks use IDSs
  3. the difference between these technologies

Include:

  1. the network infrastructure information
  2. the IP address schemes that will involve the IP addressing assignment model
  3. the public and private addressing and address allocations
  4. potential risks in setting up the IP addressing scheme


Identify:

  1. any well-known ports and applications that are used
  2. risks associated with those ports and applications being identified and possibly targeted

Add your overview to your report.

In the next step, you will identify network attacks and ways to monitor systems to prevent these attacks.

Step 2: Identify Network Attacks

In the previous step, you provided an overview of the network architecture. In this step, you will identify possible cyberattacks such as spoofing/cache poisoning, session hijacking, and man-in-the-middle attacks.

Provide techniques for monitoring these attacks using the knowledge acquired in the previous step.

One way to monitor and learn about malicious activities on a network is to create honeypots.

Propose a honeypot environment to lure hackers to the network and include the following in your proposal:

  1. Describe a honeypot.
  2. Explain how a honeypot environment is set up.
  3. Explain the security and protection mechanisms a bank would need for a honeypot.
  4. Discuss some network traffic indicators that will tell you that your honeypot trap is working.

Include this information in your final report. However, do not include this information in the bulletin to prevent hackers from being alerted about these defenses.

Then, continue to the next step, where you will identify false negatives and positives.

Step 3: Identify False Positives and False Negatives

You just identified possible information security attacks. Now, identify the risks to network traffic analysis and remediation. Review the resources on false positives and false negatives and discuss the following:

  1. Identify what are false positives and false negatives.
  2. How are false positives and false negatives determined?
  3. How are false positives and false negatives tested?
  4. Which is riskier to the health of the network, a false positive or a false negative?

Describe your analysis about testing for false negatives and false positives using tools such as IDSs and firewalls, and include this as recommendations for the banks in your public service Joint Network Defense Bulletin.

Discuss the concept of performing statistical analysis of false positives and false negatives.

Explain how banks can reduce these issues.

Research possible ways to reduce these events and include this information as recommendations in the Malicious Network Activity Report.

Network intrusion analysis is often done with a tool such as Snort. Snort is a free and open-source intrusion detection/prevention system program. It is used for detecting and preventing malicious traffic and attacks on networks, analysis, and education. Such identification can be used to design signatures for the IDS, as well as to program the IDS to block this known bad traffic.

Network traffic analysis is often done using tools such as Wireshark. Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development and education. Cybersecurity professionals must know how to perform network forensics analysis.

In the next step, you will analyze network traffic.

Step 4: Analyze Network Traffic

In the previous step, you identified and analyzed risks related to false negatives and false positives. For this step, you will analyze network traffic, conduct network forensics analysis, and identify malicious network addresses.

Enter Workspace and perform the network traffic analysis. During this step, you will also develop proposed rules to prevent against known malicious sites and to test for these signatures.

This program of study has exposed you to a variety of cybersecurity tools. Can you summarize what these tools do? Can you discuss their use in new situations? Can you do this for both technical and nontechnical staff?

As you progress in your career, you will likely need to sway people who hold authority over cybersecurity decisions. These people may know very little about cybersecurity, but they will understand their own goals within the organization.

It’s not enough to just be well-versed on the technical side; sometimes you must be able to explain in understandable terms how a computing platform will be affected by a breach.

Step 5: Determine Sensitivity of Your Analysis

In the previous step, you completed network analysis. In this step, you will determine which information to include in which document.

Information appropriate for internal consumption may not be appropriate for public consumption. The Joint Network Defense Bulletin may alert criminals of the network defense strategy. Therefore, be careful about what you include in this bulletin.

Once you have assessed the sensitivity of the information, include appropriate information in your Malicious Network Activity Report.

Then, include appropriate information in the Joint Network Defense Bulletin in a way that educates the financial services consortium of the threat and the mitigating activities necessary to protect against that threat.

Step 6: Explain Other Detection Tools and Techniques

In the previous step, you included appropriate information in the proper document. In this step, perform independent research and briefly discuss what other tools and techniques may be used to detect these signatures.

Provide enough detail so that a bank network administrator could follow your explanation to deploy your system in production. Include this information in the Joint Network Defense Bulletin.

Next, move to the next step, where you will organize and complete your report.

Step 7: Complete Malicious Network Activity Report

Now that you have gathered all the data for your Malicious Network Activity Report, it is time to organize your report. The following is a suggested outline:

  1. Introduction: Describe the banking institution and the issue you will be examining.
  2. Overview of the Network Architecture
  3. Network Attacks
  4. Network Traffic Analysis and Results
  5. Other Detection Tools and Techniques
  6. Recommended Remediation Strategies

Submit your report to the Assignments folder in the final step. You are now ready for the last piece of this project, the Joint Network Defense Bulletin.

Step 8: Create the Joint Network Defense Bulletin

In this step, you will create the Joint Network Defense Bulletin. Compile the information you have gathered, taking care to eliminate any sensitive bank-specific information. The Joint Network Defense Bulletin is an educational document for the financial services consortium. This bulletin should be addressed to the FBI chief and the FS-ISAC representative.

Here is a list of the final deliverables for Project 2.

Deliverables

Submit all deliverables to the Assignments folder below.

Check Your Evaluation Criteria

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.
