Anomaly Analysis
Looks for data points that stand out from the rest of the data as clear outliers (AKA Heuristic Analysis)
Trend Analysis
Looks for historical data over time
Behavioral Analysis
Looks at the user behavior to detect suspicious or unusual user activity, Signatures or Heuristic Analysis could be used for this
Availability Analysis
Provides uptime information
Data Loss Prevention (DLP)
Technology solutions that search systems and monitor networks for sensitive information that is unsecured and provide the ability to remove the information, block the transmission, or encrypt the stored data.
Host-based DLP
Uses software agents installed on a single system
Network-based DLP
Scans network transmissions for sensitive information
Two DLP Mechanisms of Action
- Pattern Matching
2. Watermarking (Electronic tagging)
Watermarking
Electronic tags are used to identify sensitive information
Network Access Control (NAC)
Intercepts network traffic coming from unknown devices and verifies that the system and user are authorized before allowing further communication. Uses 802.1x Authentication
Supplicant
Special piece of software that performs all of the NAC-related tasks on behalf of the user and system
NAC Roles
- User and Device Authentication
- Role based access (provides access to networks where needed)
- Posture Checking (Makes sure the device meets security requirements)
NAC Posture Checking
- Verifying Antivirus software present
- Validating current signatures
- Ensuring proper firewall settings
- Verifying presence of security patches
Quarantine network
Where NAC places a device that does not pass the Posture Check
Three types of NAC
- Persistent Agent - Time consuming - NAC is permanently installed on endpoint devices
- Dissolvable Agent - NAC software downloaded from a portal for temporary endpoint use - removed once the NAC process is complete.
- Agentless - NAC systems that don’t require installation of agent
Mail Gateway Actions
- Allows a message to be sent
- Block or quarantine a message
- Tag the message with a warning to the recipient is suspicious
- Encrypt the message
Mail Gateway Filtering
- Text Analysis
- Signature Detection
- URL Filtering
Steganography
Hiding information within other information
tcpdump
Open-Source command line packet sniffing tool
Two most commonly used packet sniffers (Protocol Analyzers)
Wireshark and tcpdump
Most common network mapping tool
nMap
Metasploit
Most common exploitation framework - uses modular plugins
ICMP
Internet Control Message Protocol
ARP
Address Resolution Protocol - Translates IP addresses at the network layer and MAC addresses at the Ethernet layer. (Only works on local networks)
