Question

You receive a frantic call from the system administrator of the Alexander Rocco network, JW Tabacchi. He tells you he has identified several intrusion attempts from sources over the Internet. You’re not sure if the hackers have gained access to the internal network.

Quiz Question

a. First, based on the tools described in this chapter and some of the techniques you’ve learned in this book, write a one-page report about the things you might look for to identify an attacker or a compromised host on your network.

b. Second, make some recommendations on how you might instrument the network with network protection systems to better detect and prevent compromises in the future.

Answer #1

a) We can identify whether a network is compromised by using some simple techniques, known as IOCs (Indicators of Compromise).

DNS Request Freaks

If a network has a larger number of DNS data packets, we can consider it a big threat. A large increase in DNS requests from a specific host is a good indicator of a compromise of the network.

A large number of Requests for the Same File

As hackers try many times to get access to our network, they use trial-and-error methods, which show up to us as a large number of requests for the same file. This is an Indicator of Compromise.

HTML Response Size

Usually, an HTML response will be in KBs, but if one is found with a big size then it's an Indicator of Compromise. The larger the size, the more data was stolen.

Extreme Outbound Network Traffic

If the outbound network traffic increases, that is the first sign that our network is compromised. We can easily monitor the internal traffic of our network, and from it we can easily find out whether our network is compromised or not.

Risen Volume in Database Read

As they want to steal data from the database, requests for database files will automatically increase. This is also an Indicator of Compromise.

Exceptions in Privileged User Account Activity

There may be a chance of misuse by privileged accounts only inside the network. Monitoring weird activity of privileged user accounts in the internal network is helpful, and if anything unusual is found, it's an IOC.

Log-In Exceptions

A large number of failed log-ins is one of the IOCs.

b) The best way to detect and prevent intrusions into the network is by using the two most powerful systems:

IDS (Intrusion Detection System) and IPS (Intrusion Protection System).

In an IDS, the packets coming from outside are analyzed first and then forwarded to the internal network. If anything malicious is found in a packet, the IDS detects it as an intrusion and notifies the network admin.

When it comes to IPS, it's way more powerful than IDS, as it not only detects but can also prevent malicious and unwanted data coming from the outside network.

Using network monitors also helps a lot in identifying malicious or weird activity in the network.

Checking the logs daily helps in detecting intrusions early and can stop some bigger attacks.

Using network mappers and a DDoS mitigation system helps you keep your network safe from intrusions.

Installing both network firewalls and host firewalls on the network and its hosts is also the best way to stop this kind of network attack.

***IF you have any doubt please feel free to comment..Thank You..Please UPVOTE***
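As an added example, not part of the original answer: a small Python script that checks constructed log lines against three of the indicators the answer names (a DNS request spike from one host, a run of failed log-ins, and unusual outbound volume). The event format and the thresholds are assumptions; in practice the thresholds come from a baseline of normal traffic on the network.

```python
from collections import Counter, defaultdict

# Constructed sample log (not from the original post). One event per line:
# kind,host,detail. Thresholds below are assumed placeholders for a real baseline.
SAMPLE_LOG = """\
dns,10.0.0.5,www.example.com
dns,10.0.0.5,a1b2c3.exfil.test
dns,10.0.0.5,d4e5f6.exfil.test
dns,10.0.0.5,g7h8i9.exfil.test
dns,10.0.0.5,j0k1l2.exfil.test
dns,10.0.0.7,www.example.com
login_fail,10.0.0.9,admin
login_fail,10.0.0.9,root
login_fail,10.0.0.9,backup
login_ok,10.0.0.7,jw
outbound,10.0.0.5,52428800
outbound,10.0.0.7,4096
"""

DNS_THRESHOLD = 4                      # DNS queries per host (assumed)
FAILED_LOGIN_THRESHOLD = 3             # failed log-ins per host (assumed)
OUTBOUND_THRESHOLD = 10 * 1024 * 1024  # outbound bytes per host (assumed)

def find_indicators(log_text):
    """Return {host: [indicator names]} for hosts exceeding any threshold."""
    dns, fails, outbound = Counter(), Counter(), Counter()
    for line in log_text.strip().splitlines():
        kind, host, detail = line.split(",", 2)
        if kind == "dns":
            dns[host] += 1                 # DNS request spike per host
        elif kind == "login_fail":
            fails[host] += 1               # repeated failed log-ins
        elif kind == "outbound":
            outbound[host] += int(detail)  # bytes leaving the network
    flagged = defaultdict(list)
    for host, n in dns.items():
        if n > DNS_THRESHOLD:
            flagged[host].append("dns_spike")
    for host, n in fails.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            flagged[host].append("failed_logins")
    for host, n in outbound.items():
        if n > OUTBOUND_THRESHOLD:
            flagged[host].append("outbound_volume")
    return dict(flagged)

if __name__ == "__main__":
    for host, inds in sorted(find_indicators(SAMPLE_LOG).items()):
        print(host, ", ".join(inds))
```

Hosts that trip more than one indicator (here the one with both the DNS spike and the outbound volume) are the first to triage, since a single noisy counter is easy to explain away.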
