>>Common false alert categories include:
Reactive/Equipment-based traffic errors: traffic caused by another network event and mostly non-malicious. E.g. a NIDS device triggers an ICMP flood alarm when it is in a state of many failed and unreachable-destination packets caused by equipment. This includes cases of unrecognized or proprietary unsupported packets from network equipment. Some old load balancers may be the source of such a trigger.
Detective/Protocol violations: unrecognized network traffic caused by poorly ("lousily") developed client software. E.g. true false positives generated by an IDS from a non-existent event or source device (of "unknown reason"). These tend to be yet more software bugs that need to be patched. This can also apply to fake AV signatures for endpoint HIPS.
Preventive/"Innocent" alarms: really, we should prevent such real occurrences that are totally non-malicious in nature, especially experimental ones coming from an isolated environment (or from honeynet/honeypot-based testing) that is supposedly not to be leaked out.
Preventive/Design/Operational "bugs": network design flaws such as improper port spanning on switches and traffic exceeding the capacity of a switch or hub; an IDS unable to understand encrypted traffic; prior maintenance work or server changes that are not properly communicated to the security operations team (SOC); IDS/AV signatures still in tuning but configured to block in production, or not maintained to detect mutations of the attack, due to poor design or signature implementation.
>>Nature of Exploitation
Domain Generation Algorithm
Malicious web drive-by
Suspicious Java download
Infection with ransomware
Use of virtual Cyrillic keyboard
Remote access attack linked to dangerous malware
>>Nature of Malicious Network Movement
Peer-to-peer connections with the Far East
Use of ‘Tor’ anonymizing network
Port-scanning for internal company resources
Connections to website linked to Advanced Persistent Threats
Attempted connections to non-existent domain names
>>Checking for anomalous account service
- the "net user" command shows all user accounts defined locally on the machine.
- the "net localgroup" command shows groups.
- the "net localgroup administrators" command shows membership of the administrators group.
- the "net start" command shows running services.
>>Nature of Account compromise
Illegitimate access to database server
Unauthorized use of administrator credentials
Fast travel indicating password compromise
Risk from ‘bring-your-own-device’ (BYOD) policies
>>Checking for anomalous network activity
- to look for unusual and unexpected connections in the output of netstat, run: C:\> netstat -nao
- besides TCP and UDP, if interested in ICMP, run: C:\> netstat -s -p icmp
- to list the TCP and UDP ports in use on a machine every 2 seconds, run: C:\> netstat -na 2
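The two manual checks above (accounts/services and network activity), as an added PowerShell example that is not part of the original answer: it collects the same data that net user, net localgroup administrators, net start and netstat -nao show, but as objects, so a baseline taken on a known-good host can be diffed against the suspect host, and established connections to external addresses are joined to their owning process. The baseline path, the process allow-list and the internal-address pattern are assumptions for illustration; it assumes Windows 10 / Server 2016 or later (Get-LocalUser, Get-NetTCPConnection) and an elevated session.

```powershell
# Added example, not from the original answer. Automates the manual checks
# (net user / net localgroup administrators / net start / netstat -nao) as a
# baseline-and-compare so that a new account, a new Administrators member, a
# new running service or an unexpected outbound connection stands out.
# Assumptions: Windows 10 / Server 2016+, elevated session, and the path,
# allow-list and address pattern below, which are illustrative only.

$BaselinePath = 'C:\IR\baseline.json'   # assumed location of the known-good snapshot

function Get-HostSnapshot {
    # Same facts as 'net user', 'net localgroup administrators', 'net start',
    # collected as objects so they can be diffed instead of eyeballed.
    [pscustomobject]@{
        Users    = @(Get-LocalUser | Select-Object -ExpandProperty Name)
        Admins   = @(Get-LocalGroupMember -Group 'Administrators' |
                     Select-Object -ExpandProperty Name)
        Services = @(Get-Service | Where-Object Status -eq 'Running' |
                     Select-Object -ExpandProperty Name)
    }
}

function Save-Baseline {
    # Take this once on a clean host (or right after build).
    param([string]$Path = $BaselinePath)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-HostSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

function Compare-WithBaseline {
    # Report only items present now and absent from the baseline: a planted
    # account, a new admin, or persistence installed as a service.
    param([string]$Path = $BaselinePath)
    $base = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $now  = Get-HostSnapshot
    foreach ($field in 'Users', 'Admins', 'Services') {
        foreach ($item in $now.$field) {
            if (@($base.$field) -notcontains $item) {
                [pscustomobject]@{ Category = $field; Added = $item }
            }
        }
    }
}

function Get-UnexpectedConnections {
    # 'netstat -nao' joined to the owning process. RFC 1918, loopback and
    # link-local remotes are treated as internal; anything else from a process
    # outside the (assumed) allow-list is reported.
    param(
        [string[]]$ExpectedProcesses = @('svchost', 'MsMpEng', 'OUTLOOK', 'msedge')  # assumption
    )
    $internal = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)'
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $internal } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = $(if ($proc) { $proc.ProcessName } else { '<exited>' })
                PID     = $_.OwningProcess
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        } |
        Where-Object { $_.Process -notin $ExpectedProcesses }
}

function Watch-NewConnections {
    # Equivalent of 'netstat -na 2', but prints only endpoints not seen in an
    # earlier round, so short-lived beacons are not buried in repeated output.
    param([int]$IntervalSeconds = 2, [int]$Rounds = 30)
    $seen = @{}
    for ($i = 0; $i -lt $Rounds; $i++) {
        Get-NetTCPConnection | ForEach-Object {
            $key = "$($_.State) $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = Get-Date
                '[{0:HH:mm:ss}] NEW {1}' -f $seen[$key], $key
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Typical use: Save-Baseline on a clean host; on the suspect host run
# Compare-WithBaseline and Get-UnexpectedConnections | Format-Table -AutoSize.
```

The baseline is what makes the account and service checks meaningful: on its own, net user output looks the same on a clean and a compromised host unless you already know what should be there. The connection check deliberately filters by process as well as address, because a legitimate browser talking to the Internet is expected, while a process such as a renamed binary in a temp directory doing the same is exactly the remote-access pattern the list above describes.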