<?xml version="1.0"?>
<Module projectID="1080" moduleID="1110">
	<ModuleName>mod2</ModuleName>
	<AU>mod2</AU>
	<Title>IDSes and the DoD</Title>
	<Subtitle>IDSes and the DoD</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod2/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
		<NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>idsl2_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on Intrusion Detection Systems and the DoD. When you have completed this lesson, you will be able to identify why and how intrusion detection systems, or IDSes, are used within the DoD. You also will be able to identify who attacks DoD systems, and the different types of attacks that those attackers use to try to gain access to DoD information systems. There are four topics in this lesson. After you have completed the Introduction, you will learn what an IDS is, why it is important, and how it fits into the DoD's Defense-in-Depth strategy. Then, you will learn about the various types of hackers and other attackers. Finally, you will learn about the types of attacks that put DoD information and information systems at risk, and the measures to take to prevent those attacks. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Please use the up and down arrows to navigate through the Introduction to D O D I D S Analysis Course, Intrusion Detection Systems and the D O D. For each screen you will hear a description. The description is cued by an audio tone. Complex screens are divided into several descriptions. Listen to the description, and then select the play audio narration button to continue. You can access the glossary and a list of resources at any time without losing your place in the course. Screen 1 of 9.  Topic title: Introduction. Screen title: Objectives and Topics. Bulleted text and text boxes appear with objectives and topics in support of audio. Text box appears with References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>IDSes and the DoD Overview</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Why are IDSes Important?</Title>
					<Subtitle/>
					<Filename>idsl2_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The DoD goes to great lengths to protect its information and information systems with a layered approach called Defense-in-Depth. This layered approach includes preventive layers such as firewalls and anti-virus protection that actually stop attacks. While preventing successful attacks is critical, preventive measures are not 100 percent effective, which is why detective layers are necessary. To protect DoD information and information systems, you need to be able to identify when a system has been attacked and/or compromised despite its defenses. An intrusion detection system, or IDS, is a tool to help you identify when a system or network has been attacked. Network IDSes, which are the focus of this course, examine network traffic to look for anomalies that can indicate that the network has been attacked or even breached. When the IDS detects an anomaly, it sends you an alert. It is your job to analyze those alerts and determine which alerts indicate malicious activity. Once you are aware of malicious activity, necessary actions can be initiated to limit the damage to the confidentiality, integrity, and availability of DoD information and information systems. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 9.  Topic title: I D S's and the D o D Overview. Screen title: Why are I D S's Important? Image of a generic computer network appears. Image representing Defense in Depth approach appears as ten concentric circles. The top half of the circles are labeled as, starting with the inner most circle, your data, data back up; disaster recovery; anti malware; firewalls; e mail security and filtering; wireless security; web security and filtering; user education, application, updates and patching; and security policy in the outer most circle. On the bottom half of the circles, the labels are your data in the center circle; local and off site; business continuity; clients, servers and mobile devices; gateway and P C; spam, viruses, fishing and backup; P D A, smart phones and laptops; browsing and on line activities; and best security practices O S Browser Apps in the outer most circle. Circles are highlighted in support of audio. Image of a masked man with a laptop appears, with an animated line moving toward the computer network image. Text box displays Alert Suspicious Activity, and then Malicious Code Found and Removed. Text box displays bulleted text in support of audio. Rollover for I D S displays intrusion detection system.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl2_03</Filename>
					<PageNbr>3</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>625</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which of the following explains why IDSes are important within the DoD?  Select the best response and then select Done.</Txt>
							<Response>
								<Txt>IDSes can proactively identify and stop malicious attacks on DoD systems</Txt>
							</Response>
							<Response>
								<Txt>IDSes prevent SPAM and phishing emails from entering DoD systems</Txt>
							</Response>
							<Response valid="true">
								<Txt>IDSes alert you to anomalies that can indicate malicious activity</Txt>
							</Response>
							<Response>
								<Txt>IDSes provide a preventative layer of defense in the defense-in-depth model</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. IDSes detect and alert you to anomalies in network traffic that can indicate malicious activity.</DfltCorrect>
								<DfltIncorrect>Incorrect. IDSes detect and alert you to anomalies in network traffic that can indicate malicious activity.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your understanding of the importance of intrusion detection systems. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 9. Topic title: I D S's and the D o D Overview. Screen title: Knowledge Check. This is a multiple choice question with four possible choices. Use the down arrow key to move through the options. Use the enter key to make your selection.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Types of Attacks</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Who Attacks DoD Systems?</Title>
					<Subtitle/>
					<Filename>idsl2_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">It's important to have an understanding of who and what you are up against when you are trying to protect DoD information systems. DoD systems and networks are constantly under attack by hackers, terrorists, foreign nation-states, criminals, and organizations dealing in espionage. DoD information systems are threatened by several different types of attackers including black hats, hacktivists, script-kiddies, crackers, and insider threats. Criminals have discovered that making money online is easier and poses less risk than other types of crimes. For example, robbing a bank in person is risky, but robbing a bank, company, or an individual through the Internet is relatively low risk. In particular, criminals from foreign countries are unlikely to be apprehended and extradited to the U.S. for justice. Terrorists who want to do harm to the U.S. are also a tremendous threat to DoD information systems. They can impact mission success by taking systems offline, or use the information they obtain from breaking into systems to launch attacks against Americans at home or abroad. Information systems and the networks that transmit information are integral to the success of the DoD mission. Both foreign nation-states and other adversarial organizations seek to compromise that mission by penetrating those systems and networks in search of intelligence on capabilities and emerging technology. Select each type of attacker to learn more about them and the risks they pose to information systems. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Who Attacks DoD Systems?</Title>
							<Subtitle/>
							<Filename>idsl2_04_01</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Black hats are those hackers who intentionally break into systems for malicious purposes. Black hats may take advantage of the intrusion by stealing or destroying data, preventing legitimate users from gaining access to a system or network, and committing a variety of other acts of fraud, theft, vandalism, and other illegal activity. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Black Hat</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 5. Popup title: Black Hat. Image of a black hat appears with text and bullet points in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Who Attacks DoD Systems?</Title>
							<Subtitle/>
							<Filename>idsl2_04_02</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Hacktivists are those hackers who are politically or socially motivated to break into and/or attack information systems. Hacktivists may launch a denial of service attack on an organization or change content on an organization's web site as a means of protest against that organization. They may also perform other acts that can cause damage to or limit the availability of information or information systems. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Hacktivist</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 5. Popup title: Hacktivist. An image of a person wearing a t shirt with text G 33 K S unite on it appears with text and bullet points in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Who Attacks DoD Systems?</Title>
							<Subtitle/>
							<Filename>idsl2_04_03</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Script-kiddies can be considered a sub-set of black hats. They are inexperienced hackers who use pre-packaged tools for breaking into systems. They don't always understand how the tools and technologies work, but they can still do significant damage using tools readily available on the Internet. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Script Kiddie</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 5. Popup title: Script Kiddie. An image of a young man wearing a baseball cap working on a computer appears with text and bullet points in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Who Attacks DoD Systems?</Title>
							<Subtitle/>
							<Filename>idsl2_04_04</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Insider threats have some sort of legitimate or authorized access to an organization's network or information systems. Insider threats usually include disgruntled or former employees, or those coerced in some way into performing malicious acts. The damage done by an insider can take many forms that threaten the DoD mission. Insiders can introduce malware such as worms and viruses; exfiltrate sensitive data; corrupt, delete, or alter data; and provide access to adversaries of the United States for further malicious activity. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							<Sec508TriggerName>Insider Threats</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 5. Popup title: Insider Threats. A silhouette of a man wearing a suit holding a clipboard appears with text and bullet points in support of audio.</ContentDescription></Sec508Data></Popup>						
						<Popup>
							<Title>Who Attacks DoD Systems?</Title>
							<Subtitle/>
							<Filename>idsl2_04_05</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Crackers are hackers who attempt to circumvent or break security measures for malicious purposes. The term hacker has, incorrectly, become a pejorative to describe individuals attacking and exploiting our networks and computer systems. Request for Comments, or RFC, 1392, describes a hacker as &quot;a person who delights in having an intimate understanding of the internal workings of a system, computers, and computer networks.&quot; Crackers can cause harm by breaking into systems, by modifying or stealing data, or by making those systems unavailable to DoD users. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							<Sec508TriggerName>Cracker</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 5 of 5. Popup title: Cracker. An image of a document with text e x e on it appears with text and bullet points in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 9. Topic title: Types of Attacks. Screen title: Who Attacks D O D Systems? An image of a masked man working on a laptop computer appears with a question mark overlaid on the mask. An animation of data flow connects the laptop to an image of a generic network comprising three workstations and a server. Images appear with labels, including an image of a masked man labeled criminals, a flag labeled foreign nation states, an image of the United States flag overlaid on a United States map with a null sign over it labeled terrorists, binoculars labeled espionage organizations. A text box displays Attackers. Five images with labels appear below it including an image of a black hat labeled black hat, a person wearing a t shirt with text G 33 K S unite on it labeled hacktivist, a young man wearing a baseball cap working on a computer labeled script kiddie, an image of a document with text e x e on it labeled cracker, and a silhouette of a man wearing a suit holding a clipboard labeled insider threats. Instructions appear to select each type of attacker to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What are Attackers Trying to Achieve?</Title>
					<Subtitle/>
					<Filename>idsl2_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Not all attackers are trying to achieve the same goal, but they often leverage a fairly consistent methodology. There is a large variety of objectives and techniques that attackers use to achieve their overall goal. The various techniques can be grouped into phases of an overall attack. Attackers will first perform reconnaissance, leveraging public information to better understand the target environment, systems, and personnel. Techniques used during reconnaissance include DNS interrogation, Google Hacking, Whois lookups, and reviewing the organization's presence in social networks such as Facebook and LinkedIn. The second phase involves scanning target organizations to determine which systems are live, which services those systems are running, and which applications might be present. Host Discovery, Port Scanning, and Operating System Fingerprinting are example techniques performed during the scanning phase. During the next phase, enumeration, the attacker further interrogates the systems to determine what vulnerabilities might be present. Network and Web Application Vulnerability Scanning are the primary techniques used in this phase. The exploitation phase occurs when the attacker actually takes advantage of the vulnerabilities discovered on a system. Exploitation of these vulnerabilities is often used to gain shell access to a system or perhaps to run code of the attacker's choosing. The attacker's actions during the post-exploitation phase will vary depending upon the overall goal of the attack, as well as the system that was exploited. Often, the system first compromised by the attacker is not the true target, and the attacker will attempt to gain further access in the organization through pivoting, privilege escalation, or stealing password hashes for password cracking. The post-exploitation phase will often lead the attacker back into the scanning phase, but from the vantage point of the compromised system. Finally, the password attacks phase is often performed in parallel with the other attack phases. Techniques such as Password Guessing, Password Cracking, and Pass the Hash can allow an attacker to gain access to systems without exploiting a patchable vulnerability. Before moving forward, take a moment to review the different methodologies and specific techniques attackers use to meet their objectives. Note that the phases represent the linear progression of a successful attack. While attackers might not take all of these steps and use all of these techniques, depending on the skills and objectives of the attackers, the attack can progress through all of these phases. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 9. Topic title: Types of Attacks. Screen title: What are Attackers Trying to Achieve? Images and text labels from the previous screen appear, including an image of a masked man working on a laptop computer appears with a question mark overlaid on the mask. An animation of data flow connects the laptop to an image of a generic network comprising three workstations and a server. Images appear with labels, including an image of a masked man labeled criminals, a flag labeled foreign nation states, an image of the United States flag overlaid on a United States map with a null sign over it labeled terrorists, binoculars labeled espionage organizations. A text box displays Attackers. Five images with labels appear below it including an image of a black hat labeled black hat, a person wearing a t shirt with text G 33 K S unite on it labeled hacktivist, a young man wearing a baseball cap working on a computer labeled script kiddie, an image of a document with text e x e on it labeled cracker, and a silhouette of a man wearing a suit holding a clipboard labeled insider threats. These images and labels are replaced by a table with three columns labeled Phase, Objectives, and Example techniques. Each phase and its objectives and example techniques appear highlighted in the table in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What are Attack Vectors?</Title>
					<Subtitle/>
					<Filename>idsl2_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">An attack vector is the method that an attacker uses to gain access to an information system or to deliver a malicious payload. The different types of attack vectors include server-side attacks, client-side attacks, and malicious software. With server-side attacks, the attacker exploits a vulnerability in a listening service, such as a web service, by sending malicious packets to it. Client-side attacks target client-side applications such as web browsers, office productivity suites, document readers, or Rich Internet Application frameworks. Client-side attacks trick unsuspecting users into downloading malicious data or files. Delivery of client-side attacks most commonly leverages web servers hosting malicious data or malicious files being delivered via email, workstations, or clients. Note that malicious software can be delivered by client-side and server-side attacks without the physical presence of an attacker. While malicious software isn't truly a separate attack vector, malware is a distinct method commonly used to deliver the attacker's payload. Malicious software includes worms, viruses, and Trojans. Worms are malicious computer programs that can replicate themselves, spreading without any interaction from the user. In addition to typical malware payloads, worms can also negatively impact organizations with the speed and volume of their attempts to infect additional hosts. Viruses are malicious computer programs that can copy themselves onto an infected computer, damage data on a computer system, and then infect other computers. Viruses can be spread either through networks or through removable media. Trojans are computer programs that look harmless, and may perform some legitimate function, but ultimately perform malicious activity without the user's knowledge, such as providing access to the system. Select each type of attack vector to learn more about it. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>What are Attack Vectors?</Title>
							<Subtitle/>
							<Filename>idsl2_06_01</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Server-side attacks are frontal attacks in which the attacker targets vulnerable listening services, such as web services, regardless of whether that service is on a server or on a workstation. Server-side attacks were quite successful in the early and mid 2000s. Since that time, we have become more savvy at preventing these types of attacks. Firewalls and better patch management help mitigate server-side attacks. Regardless, we can't get complacent, and must stay vigilant in defending against server-side attacks. Now, server-side attacks are commonly used against internal systems due to slower patch management and less effective use of firewalls. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Server Side Attacks</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Server Side Attacks. A server image labeled Malicious Server appears with a line connecting to a computer image labeled vulnerable system, and another line connecting to another server image. Text and bullet points appear in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>What are Attack Vectors?</Title>
							<Subtitle/>
							<Filename>idsl2_06_02</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Because it has been more difficult to directly compromise servers due to firewalls and patching, attackers have changed techniques by launching more client-side attacks than server-side attacks. Attackers now target client applications, such as web browsers, email clients, office productivity suites, and document readers. Typically, attackers leverage social engineering techniques to trick users into accessing content and pulling it down to their system. The content that the user pulls down contains the malicious attack. Basically, this turns the firewall inside out, making it ineffective in most cases. Classic firewall design does a poor job of mitigating client-side attacks since attackers are basically invited in by the users. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Client Side Attacks</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Client Side Attacks. Server image labeled Malicious server appears with a line connecting to a computer labeled vulnerable system. Another server image appears with animated lines connecting to an image of a person working at a computer. Text and bullet points appear in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 9. Topic title: Types of Attacks. Screen title: What are Attack Vectors. Text box displays Attack vector equals method attacker uses to gain access or deliver malicious payload. Four text boxes appear with text and bullet points in support of audio. The Malicious Software text box displays a desktop computer and monitor image with ones and zeros on the screen. The Server Side Attacks text box displays an image of server labeled malicious server with two lines connecting it to a desktop computer image labeled Vulnerable system. A Client Side Attacks text box displays a server image labeled malicious server and an image of a person working on a computer. Text box displays Types of Attack Vectors and instructional text displays Select each type of attack vector to learn more. Server side attacks and client side attacks appear selectable as popups.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Preventing Attacks</Title>
					<Subtitle/>
					<Filename>idsl2_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">So what can you or your system administrators do to protect your network against server-side and client-side attacks? To prevent server-side attacks, you need to ensure that your network, and in particular, your demilitarized zone, or DMZ, are properly designed. Internet-facing servers should be placed on DMZ networks. DMZs are semi-trusted buffer zones between the outside, untrusted traffic and the internal, trusted part of the network. Firewalls in the DMZ can prevent malicious traffic from getting to the trusted part of the network. You also always need to harden your server. Since providing security isn't the primary purpose of a server, a baseline of security for your servers needs to be implemented. Server hardening refers to taking certain actions to create that security baseline such as: removing unnecessary services, drivers, or software; setting security parameters on the server; and adding anti-virus software. In addition, you need to perform frequent patching of your server. To prevent client-side attacks, you need to frequently patch all client software. This includes not just Windows, but also all MS Office software, and all third party software such as Flash, Adobe Reader, and alternate Internet browsers. Please refer to the DoD Security Technical Implementation Guides, or STIGs, for more guidance. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 9. Topic title: Types of Attacks. Screen title: Preventing Attacks. Three images and their labels appear, including an image of a simple network comprising three computer workstations labeled How to Prevent?, a server labeled Server Side Attacks, and a server connected to a computer workstation with someone working on it labeled Client Side Attacks. Images are replaced with an image of three workstations with clouds overlaying them labeled Untrusted, connected to a device labeled boundary router, connected to an image of a wall with fire above it labeled External firewall, connected to a tube image labeled D M Z connected to a server labeled S M T P server. The D M Z tube also appears connected to another image of a wall with fire above it labeled Internal firewall, which is connected to another image of three workstations with clouds overlaying them labeled Trusted. Two text boxes labeled Preventing Server Side Attacks and Preventing Client Side Attacks appear with bulleted text in support of audio. A text box displays For more guidance access h t t p colon slash slash I a s e dot dissa dot mil slash stigs slash. Rollover text for D M Z displays Demilitarized Zone. A semi-trusted network between a trusted network, such as a corporate LAN or Local Area Network, and an untrusted network, such as the Internet. A D M Z contains internally controlled servers accessible to public entities. These include web, mail, and F T P servers. Rollover text for server hardening displays Server hardening refers to techniques used to establish a security baseline on a system, particularly those connected to semi or untrusted networks. These techniques include, but are not limited to, disabling unnecessary services; preventing use of unsecure services; up to date patching; and strong password policies. Rollover text for patching displays Patching is the application of software and or firmware updates that correct coding errors and bugs. The most common types of patches are those that correct security vulnerabilities.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl2_08</Filename>
					<PageNbr>8</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>625</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Attacks vulnerable listening services directly</Txt>
							<Response>
								<Txt>Client-Side Attack</Txt>
							</Response>
							<Response valid="true">
								<Txt>Server-Side Attack</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Server-side attacks are attacks on vulnerable listening services.</DfltCorrect>
								<DfltIncorrect>Incorrect. Server-side attacks are attacks on vulnerable listening services.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Tricks the user into accessing malicious data or content</Txt>
							<Response valid="true">
								<Txt>Client-Side Attack</Txt>
							</Response>
							<Response>
								<Txt>Server-Side Attack</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Client-side attacks trick users into downloading malicious content. </DfltCorrect>
								<DfltIncorrect>Incorrect. Client-side attacks trick users into downloading malicious content.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Are more easily mitigated by firewalls and patch management</Txt>
							<Response>
								<Txt>Client-Side Attack</Txt>
							</Response>
							<Response valid="true">
								<Txt>Server-Side Attack</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Server-side attacks can be mitigated by firewalls and patch management. Client-side attacks are not usually prevented by firewalls.</DfltCorrect>
								<DfltIncorrect>Incorrect. Server-side attacks can be mitigated by firewalls and patch management. Client-side attacks are not usually prevented by firewalls.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Attacks user-driven applications on a system</Txt>
							<Response valid="true">
								<Txt>Client-Side Attack</Txt>
							</Response>
							<Response>
								<Txt>Server-Side Attack</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Client-side attacks target user-driven applications on a system.</DfltCorrect>
								<DfltIncorrect>Incorrect. Client-side attacks target user-driven applications on a system.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of the difference between client-side and server-side attacks. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 9. Topic title: Types of Attacks. Screen title: Knowledge Check. This knowledge check presents four statements. For each statement there are two possible answers, client side attack or server side attack. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selection.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>idsl2_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the Intrusion Detection Systems and the DoD lesson. You should now be able to identify why and how intrusion detection systems, or IDSes, are used within the DoD. You also should be able to identify who attacks DoD systems, and the different types of attacks that those attackers use to try to gain access to DoD information systems. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 9. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text and bullet points display lesson objectives. Bullet points turn into checkmarks in synch with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
