Intrusion Detection System (IDS)
A security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions.
Intrusion Prevention System (IPS)
Not only detects intrusions in the network but also prevents them
IPS Classifications
- Host Based
- Network Based
Methods an IDS Uses to Identify an Intrusion
- Signature Recognition
- Anomaly Detection
- Protocol Anomaly Detection
Signature Recognition
Involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision
Anomaly
An anomaly is detected when an event occurs outside the tolerance threshold of normal traffic
Anomaly Detection
Detects intrusions based on the fixed behavioral characteristics of the users and components in a computer system
Protocol Anomaly Detection
Involves analyzing the network traffic to detect deviations from established protocol standards or expected behavior patterns
Protocol Anomaly Detection Components
- Baseline Behavior
- Anomaly Identification
- Detection Rules
Protocol Anomaly Detection Components Baseline Behavior
This involves learning the expected structure, sequence, timing, and content of network traffic
Protocol Anomaly Detection Components Detection Rules
These rules guide the IDS in detecting the deviations
General Indicators of Intrusions
- File Intrusions
- Network Intrusions
- System Intrusions
General Indicators of File Intrusions
- New/unknown files
- Changes to file permissions
- Unexplained changes in file size, ownership, and access permissions
- The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files
- Unfamiliar file names in directories, including executable files with strange extensions and double extensions
- Unexplained disk space usage or sudden depletion of available storage
- Missing Files
- Abnormal system behavior, such as slow performance or frequent file crashes
- If an attacker gains access to a file system, it may result in a reduction in the available bandwidth owing to resource consumption
General Indicators of Network Intrusions
- A sudden increase in bandwidth consumption
- Repeated probes of the available services on your machines
- Connection requests from IPs other than those in the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network
- Repeated login attempts from remote hosts
- A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks
- Unexpected changes in network configurations or firewall rules
- Unexpected system crashes or performance degradation due to increased network load
- Unusual outbound connections or traffic to malicious domains
General Indicators of System Intrusions
- Sudden changes in logs such as short or incomplete logs
- Unusually slow system performance
- Missing logs or logs with incorrect permissions or ownership
- Modifications to system software and configuration files
- Unusual graphic displays or text messages
- Gaps in system accounting
- System crashes or reboots
- Unfamiliar processes
- Alerts from intrusion detection or antivirus software
- Installation of unauthorized software or applications on the system
- Presence of artifacts such as shell history files, temporary files, or remnants of attacker tools
Network-based intrusion detection systems (NIDS)
Check every packet entering the network for the presence of anomalies and incorrect data
Host-based intrusion detection systems (HIDS)
Can be installed on any system ranging from a desktop PC to a server to analyze each system's behavior.
True Positive
Occurs when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
False Positive
Occurs if an event triggers an alarm when no actual attack is in progress
False Negative
Occurs when an IDS fails to react to an actual attack event.
True Negative
Occurs when an IDS identifies an activity as acceptable behavior and the activity is acceptable
Firewall
A software- or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access by users on other networks
Firewall Architecture Elements
- Bastion Host
- Screened Subnet
- Multi-Homed Firewall
Bastion Host
Designed for defending the network against attacks. It acts as a mediator between inside and outside networks.
Screened Subnet
A protected network created with a two- or three-homed firewall behind a screening firewall
Multi-Homed Firewall
A node with multiple NICs that connects to two or more networks. It connects each interface to separate network segments logically and physically.
Demilitarized Zone (DMZ)
An area that hosts computer(s) or a small sub-network placed as a neutral zone between a particular company's internal network and an untrusted external network to prevent outsider access to a company's private data
Network Based Firewall
A dedicated firewall device placed on the perimeter of the network
Host Based Firewall
Sits between a regular application and the networking components of the OS
Types of Firewalls
- By Configuration: Host Based, Network Based
- By Working Mechanism: Packet filtering, circuit level gateways, application level firewall, stateful multilayer inspection, application proxies, network address translation, virtual private network
Packet Filtering Firewall
Each packet is compared with a set of criteria before it is forwarded
Circuit Level Gateway Firewall
Works at the session layer of the OSI model or transport layer of TCP/IP. It forwards data between networks without verification and blocks incoming packets from the host but allows the traffic to pass through itself.
Application Level Firewall
Application-level gateways (proxies) can filter packets at the application layer of the OSI model (or the application layer of TCP/IP)
Active Application Level Firewall
Examine all incoming requests against known vulnerabilities; only the requests that are deemed genuine are allowed to pass through
Application Level Firewall Modes
- Active
- Passive
Passive Application Level Firewall
Check all incoming requests against known vulnerabilities, but they do not actively reject or deny those requests if a potential attack is discovered
Stateful Multilayer Inspection Firewall
Combine aspects of the other three types: packet filtering, circuit-level gateways, and application-level firewalls. They filter packets at the network layer of the OSI model (or the internet layer of the TCP/IP model) to determine whether session packets are legitimate, and they evaluate the contents of the packets at the application layer.
Application Proxy
Works as a proxy server and filters connections for specific services
Network Address Translation (NAT)
Separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic
Virtual Private Network (VPN) Firewall
A network that provides secure access to the private network through the Internet
Next Generation Firewall (NGFW)
Incorporate advanced features such as deep packet inspection, application awareness, control, integrated intrusion prevention systems (IPS), and cloud-based threat intelligence by examining the network traffic at various layers of the OSI model
Firewalking
A method of collecting information about remote networks behind firewalls.
Banners
Service announcements provided by services in response to connection requests, and they often carry vendor version information
Banner Grabbing
A method of fingerprinting that helps in detecting the vendor of a firewall and the firmware version
IP Address Spoofing
A technique used by attackers to evade firewalls and IDS by masquerading as trusted sources. This method involves altering the source IP address in the packet headers to conceal the attacker's true identity and bypass security measures.
Source Routing
The sender of the packet designates the route via less-secured, less-monitored, or alternative segments of the network where IDS/firewall solutions are partially or not entirely installed
HTML Smuggling
HTML smuggling is a type of web attack in which an attacker injects malicious code into an HTML script to compromise a web page
Background Intelligent Transfer Service (BITS)
A service used to distribute automatic Windows updates to its global users
Unicode
A character coding system that supports encoding, processing, and displaying of written texts for universal languages to maintain consistency in a computer representation
Time to Live (TTL)
Each IP packet has a field called Time to Live (TTL), which indicates how many hops the packet can take before a network node discards it
Polymorphic Shellcode
Polymorphic shellcode attacks present multiple signatures, making it difficult to match any single signature. Attackers encode the payload using some technique and then place a decoder before the payload. As a result, the shellcode is completely rewritten each time it is sent, thereby evading detection.
Domain generation algorithm (DGA)
A software program that attackers can employ to generate numerous new domain names and execute malware code
VLAN Hopping
Used to gain access to a network through Dynamic Trunking Protocol (DTP). Attackers forward DTP packets to set up a trunk with a switch whose port mode is "dynamic auto" or "dynamic desirable." The established trunk gives attackers a way to access all VLANs.
Trunking
A networking technique used to allow multiple VLANs (Virtual Local Area Networks) to share a single physical network link between switches or between a switch and a router
Ghostwriting
Involves modifying the structure of the malware code without affecting its functionality to evade signature-based detection
Whitelist
Contains the list of signed applications that are allowed to run in the system
Microsoft Office Macros
Used to automate various processes and user tasks
Dechaining Macros
Attackers create VBA-based malicious codes to modify memory, registry, and other Windows files
Memory Hooking
An approach used by EDR tools to monitor and change the behavior of an application's execution process
Process Injection
Injecting malware code into the memory of the running processes
Living off the Land Binaries (LoLBins)
Legitimate system tools that are preinstalled on the operating system or downloaded from trusted sources such as Microsoft
Control Panel (CPL) Files
Developed for Windows control panels to organize and provide quick access to different tools in the Control Panel, making it easier to manage these tools
Windows Antimalware Scan Interface (AMSI)
A Windows API that enhances malware protection in Windows applications. It can be integrated with compatible antimalware software in the system to enhance detection capabilities, including signature- and reputation-based detection.
Fast Flux Method
Allows attackers to change both the IP addresses and DNS names rapidly
Event Tracing for Windows (ETW)
Facilitates extensive instrumentation and tracking of the functionality of processes and WINAPI calls.
Honeypot
A computer system on the Internet intended to attract and trap those who attempt unauthorized or illicit utilization of the host system to penetrate an organization's network
Low Interaction Honeypot
Emulate only a limited number of services and applications of a target system or network
Medium Interaction Honeypot
Simulate a real OS as well as applications and services of a target network
High Interaction Honeypot
Do not emulate anything; they run actual vulnerable services or software on production systems with real OS and applications
Honeynet
A high-interaction honeypot that is an architecture: an entire network of computers designed to be attacked
Pure Honeypots
Emulate the real production network of a target organization
Honeypots Level of Interaction
- Low Interaction
- Medium Interaction
- High Interaction
- Pure
Honeypot Deployment Strategy
- Research
- Production
Production Honeypot
Deployed inside the production network of the organization along with other production servers
Research Honeypots
High-interaction honeypots primarily deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders
Honeypots Deception Techniques
- Malware Honeypots
- Database Honeypots
- Spam Honeypots
- Email Honeypots
- Spider Honeypots
- Honeynets
Malware Honeypots
Used to trap malware campaigns or malware attempts over the network infrastructure
Database Honeypots
Employ deliberately vulnerable fake databases to attract database-related attacks such as SQL injection and database enumeration.
Spam Honeypots
Target spammers who abuse vulnerable resources such as open mail relays and open proxies
Email Honeypots
Fake email addresses that are specifically used to attract fake and malicious emails from adversaries
Spider Honeypots
Designed to trap web crawlers and spiders
Methods of Detecting Honeypots
- Fingerprinting the Running Service
- Analyzing Response Time
- Analyzing MAC Address
- Enumerating Unexpected Open Ports
- Analyzing System Configuration and Metadata
Tar pits
Security entities that are similar to honeypots, which are designed to respond slowly to incoming requests
Layer 7 tar pits
React slowly to incoming SMTP commands by attackers/spammers
Layer 4 tar pits
Manipulate the TCP/IP stack and are effectively employed to slow down the spreading of malware
Layer 2 tar pits
Used to block the network penetration of the attacker who gains access to the network as well as to prevent internal threats
Bait and switch honeypots
Redirect all malicious network traffic to a honeypot after any intrusion attempt is detected