Black and White Lists
|
|
- Katherine Watson
- 6 years ago
- Views:
Transcription
1 Black and White Lists Open Source Sensor Grids and Highly Predictive Black Lists Marcus H. Sachs SANS Internet Storm Center
2 Black Lists A collection of source IP addresses that have been deemed undesirable Typically these addresses have been observed as the source of previous illicit activities The concept of blacklisting is a wellestablished defensive measure Compiling and sharing lists of the worst offenders of unwanted traffic is a blacklisting strategy that has remained virtually unchanged since the early years of the Internet
3 White Lists A collection of source IP addresses that have been deemed desirable Typically these addresses belong to internal resources or well known friendly computers on the Internet The concept of whitelisting has also been a wellestablished defensive measure since the origins of the Internet community Whitelists are the allow portion of a firewall rule set Most security professionals prefer a deny all rule to start with, then allow only known IP addresses inside
4 A Source of B/W Lists: DShield SANS Internet Storm Center uses the DShield distributed incident detection technology The database receives over ten million log lines daily from intrusion detection systems run by volunteers world wide Thousands of system administrators send in additional observations and findings via and the web Volunteer incident handlers analyze detected problems and anomalies, then post a daily diary of analysis Analysis also feeds SANS research efforts Direct feed to courseware, Top20 list, and weekly newsletters Service is free to the Internet community
5 A Short Digression: The SANS Internet Storm Center SANS ISC analysis parallels weather analysis Small sensors in as many places as possible Sensors send raw information to multiple regional data collection points for early analysis and correlation Regional collection feeds a national or global watch center DShield sensors see tcp or udp flows, then the SANS ISC infers developing situations There is no content monitoring capability
6 SANS ISC Statistics: Reports Submitted Past 30 Days: 414,196,491 log lines Past Seven Days: 95,558,962 log lines Past 24 Hours: 11,906,713 log lines All submitted by volunteer collectors!
7 The SANS ISC Process Data Collection Analysis Dissemination DShield Users DShield.org
8 SANS ISC Services Sensor software for dozens of popular devices Private website and report generation capability for participants Fightback program with major ISPs Large incident database with preconfigured queries and search capabilities
9 Sensor Software DShield client software is available for over 60 different devices Most popular hardware and software devices are included, such as Linksys NetGear Cisco Snort ZoneAlarm Checkpoint SonicWall PortSentry BlackIce Norton Personal Firewall Windows Firewall Client software includes an installation program and directions for use If you have a device or software that is not supported we will write the code needed to build a sensor
10 Private Reporting and Analysis Each participant receives a custom view of the DShield database Users can compare own data with information from thousands of other sensors All submitted data is available for later retrieval and analysis Pre generated data visualization templates make viewing past events very easy for most users
11 Sensor Report
12 Fightback Capability Unique to DShield, participants can assist in locating and stopping the worst offenders Participating sites include their own IP address information in the submitted data By aggregating attack data, the SANS ISC can provide strong evidence to ISPs willing to stop abuse coming from their networks Feedback is returned to participants when an attacker is successfully stopped
13 Where Did That Attack Come From?
14 SANS ISC Incident Database Data collected over the past few years are contained in a database that can be queried by any Internet user Some pre configured queries include Top ten offending sites Top ten targeted ports History of reported activity on any port Summary information about any user supplied IP address
15 Survival Time
16 Simple Blacklists Sites such as DShield.org compile global worst offender lists (GWOL) of the most prolific attack sources, and regularly post firewall parsable filters of these lists to help the Internet community fight back Another common practice is for a local network to create its own local worst offender list (LWOL) of those sites that have attacked it the most
17 Top Offending IP Addresses: A Simple GWOL
18 Improving the Blacklist LWOLs have the property of capturing repeat offenders that are indeed more likely to return to the local site in the future But do not react well to new encounters with previously unseen attackers GWOLs have the potential to inform a local network of highly prolific attackers And also have the potential to provide a subscriber with a list of addresses that may not yet have been encountered
19 Highly Predictive Blacklists Highly Predictive Blacklists (HPBs) represent a radically different approach to blacklist formulation HPBs are derived uniquely per DShield contributor, and rank each attacker in the blacklist based on an estimation of the probability that the attacker will visit the contributor s network in the future The HPB algorithm exploits a correlation relationship observed when compiling firewall logs from thousands of Internet contributors
20 Link Analysis HPBs employ a link analysis algorithm similar to Google s PageRank scheme used to find the most relevant web pages given a user s query Instead of web queries, the firewall logs of DShield contributors are cross compared with one another in search of overlaps among the attackers they report The attacker addresses included within an HPB are selected by favoring the inclusion of those attackers who have been encountered by other contributors who share degrees of overlap with the HPB owner
21 How Does It Work? Within the DShield repository, there are groups of networks that share various degrees of common attacker overlap, which can be called correlated victims To build an HPB for a network "A", we treat attack sources that have reportedly made attacks on networks correlated with "A" differently from attack sources that attacked the same number but uncorrelated networks The former are more probable to attack "A" and should be included in A's HPB with high priority Traditional blacklisting approaches such as GWOL treat these two attackers equally, therefore, ignore the characteristics of individual networks shown in the alert history
22 An Attack Table v 5 s 1 X X s 2 s 3 s 4 s 5 s 6 s 7 v 1 v 2 v 3 v 4 X X X X X X X X X X
23 Attack Correlation The rows represent attack sources and the columns represent the targeted networks (attack victims) An ``X'' in the table cell indicates that the corresponding source has reportedly attacked the corresponding network Consider s2 and s7 Although they have attacked the same number of victims, from the viewpoint of v1, one may say that s2 is more likely to attack than s7, because s2 has attacked v2, which shares more common attackers with v1
24 Attack Correlation (cont.) Compare the source s5 to s7 Both sources attacked only one network None of these networks share common attacks with v1 However, for v1, s5 and s7 are not equal Notice that v2 shares common attacks with v1, and v3 shares common attacks with v2 A path v3 v2 v1 connects s5 to v1 One may say that s5 is more likely to attack for v1.
25 HPB Summary The full HPB system implements many other practical considerations for blacklisting The source ranking and the probability estimation by random walk are the heart of the system Experiments show that the HPB exhibits a higher hit count than traditional blacklists for most of the contributors The experiments also show that HPB's performance is consistent over time, and these advantages remain stable across various list lengths and predict windows
26 An Invitation to Participate The SANS ISC s success is based on the active participation of thousands of users All Internet users, information analysis and sharing centers, and others willing to participate in a large distributed data collection and analysis project are invited to join Details about the SANS ISC are online at More information about HBLs are at ta.org/releases/hpb
Obstruction of Undesired Traffic by Filtering Source Prefixes on the Internet
Obstruction of Undesired Traffic by Filtering Source Prefixes on the Internet Dhanya P J & M S Gayathri Department of Computer Science and Engineering, K C G College of Technology, Karapakkam, Chennai
More informationAnalyzing Dshield Logs Using Fully Automatic Cross-Associations
Analyzing Dshield Logs Using Fully Automatic Cross-Associations Anh Le 1 1 Donald Bren School of Information and Computer Sciences University of California, Irvine Irvine, CA, 92697, USA anh.le@uci.edu
More informationNetwork Security Terms. Based on slides from gursimrandhillon.files.wordpress.com
Network Security Terms Based on slides from gursimrandhillon.files.wordpress.com Network Security Terms Perimeter is the fortified boundary of the network that might include the following aspects: 1. Border
More informationCYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta
CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC
More informationSpatial-Temporal Characteristics of Internet Malicious Sources
Spatial-Temporal Characteristics of Internet Malicious Sources Zesheng Chen Florida International University zchen@fiu.edu Chuanyi Ji Georgia Institute of Technology jic@ece.gatech.edu Paul Barford University
More informationMultidimensional Investigation of Source Port 0 Probing
DIGITAL FORENSIC RESEARCH CONFERENCE Multidimensional Investigation of Source Port 0 Probing By Elias Bou-Harb, Nour-Eddine Lakhdari, Hamad Binsalleeh and Mourad Debbabi Presented At The Digital Forensic
More informationCIS Controls Measures and Metrics for Version 7
Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update
More informationConfiguring the Botnet Traffic Filter
CHAPTER 46 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary
More informationCIS Controls Measures and Metrics for Version 7
Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information
More information2. INTRUDER DETECTION SYSTEMS
1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding
More informationNation State Level Honeypotting: Emulating Vulnerable Web Applications at Scale. Johannes B. Ullrich Ph.D. Dean of Research, STI
Nation State Level Honeypotting: Emulating Vulnerable Web Applications at Scale Johannes B. Ullrich Ph.D. Dean of Research, STI jullrich@sans.edu About Me Dean of Research, SANS Technology Institute SANS
More informationVisual Geolocation Based Black and White Listing. Abstract
Visual Geolocation Based Black and White Listing Karl Cronburg Dept. of Computer Science, Tufts University, Medford MA 02155 Abstract Various commercial and open-source tools are available for managing
More informationI Know Where You are and What You are Sharing
I Know Where You are and What You are Sharing Exploiting P2P Communications to Invade Users Privacy Stevens Le Blond, Chao Zhang, Arnaud Legout, Keith Ross, Walid Babbous CS558 Presentation Natasa Ntagianta
More informationChapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)
SeoulTech UCS Lab Chapter 7 Network Intrusion Detection and Analysis 2015. 11. 3 (Daming Wu) Email: wdm1517@gmail.com Copyright c 2015 by USC Lab All Rights Reserved. Table of Contents 7.1 Why Investigate
More informationIBM Proventia Management SiteProtector Policies and Responses Configuration Guide
IBM Internet Security Systems IBM Proventia Management SiteProtector Policies and Responses Configuration Guide Version2.0,ServicePack8.1 Note Before using this information and the product it supports,
More informationMapping Internet Sensors with Probe Response Attacks
Mapping Internet Sensors with Probe Response Attacks Computer Sciences Department University of Wisconsin, Madison Introduction Outline Background Example Attack Introduction to the Attack Basic Probe
More informationCIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration
CIS Top 20 #12 Boundary Defense Lisa Niles: CISSP, Director of Solutions Integration CSC # 12 - Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus
More informationintelop Stealth IPS false Positive
There is a wide variety of network traffic. Servers can be using different operating systems, an FTP server application used in the demilitarized zone (DMZ) can be different from the one used in the corporate
More informationOverview Intrusion Detection Systems and Practices
Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy
More information/08/$ IEEE 630
Sharing data between organization is important aspect of network protection that is not currently occurring since it is unsafe. This talk is about a suite of tools that can be used to scrub data (using
More informationSTIX/TAXII feed processing
Detecting network intruders with STIX/TAXII feed processing A Guide www.manageengine.com/products/eventlog/ Introduction In today's evolving threat landscape, the key to efficient threat mitigation is
More informationMapping Internet Sensors with Probe Response Attacks
Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison
More informationDetecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0
Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Introduction One of the earliest indicators of an impending network attack is the presence of network reconnaissance.
More informationCYBERBIT P r o t e c t i n g a n e w D i m e n s i o n
CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n CYBETBIT in a Nutshell A leader in the development and integration of Cyber Security Solutions A main provider of Cyber Security solutions for the
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationData Retrieval Firm Boosts Productivity while Protecting Customer Data
Data Retrieval Firm Boosts Productivity while Protecting Customer Data With HEIT Consulting, DriveSavers deployed a Cisco Self-Defending Network to better protect network assets, employee endpoints, and
More informationSnort: The World s Most Widely Deployed IPS Technology
Technology Brief Snort: The World s Most Widely Deployed IPS Technology Overview Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, created Snort in 1998. Snort is an open-source,
More informationActivating Intrusion Prevention Service
Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers
More informationConfiguring Botnet Traffic Filtering Using Cisco Security Manager 4.0
Configuring Botnet Traffic Filtering Using Cisco Security Manager 4.0 First Published: June 2010 Abstract Botnets are a collection of malicious software or bots covertly installed on endpoints and controlled
More informationSCA Reporter Templates
APPENDIXD This appendix describes the Cisco Service Control Application Reporter (SCA Reporter) report templates. Information About Report Templates, page D-1 Global Monitoring Template Group, page D-7
More informationMcAfee Network Security Platform 9.2
Revision B McAfee Network Security Platform 9.2 (9.2.7.9-9.2.7.10 Manager-Virtual IPS Release Notes) Contents About this release New features Enhancements Resolved issues Installation instructions Known
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More informationThis shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict
1 This shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict access between segments This creates a layered defense
More informationTHE ACCENTURE CYBER DEFENSE SOLUTION
THE ACCENTURE CYBER DEFENSE SOLUTION A MANAGED SERVICE FOR CYBER DEFENSE FROM ACCENTURE AND SPLUNK. YOUR CURRENT APPROACHES TO CYBER DEFENSE COULD BE PUTTING YOU AT RISK Cyber-attacks are increasingly
More informationConfiguring Event Action Rules
CHAPTER 7 This chapter explains how to add event action rules policies and how to configure event action rules. It contains the following sections: Understanding Security Policies, page 7-1 Event Action
More informationVulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.
Vulnerabilities To know your Enemy, you must become your Enemy. "The Art of War", Sun Tzu André Zúquete Security 1 Information security: Vulnerabilities & attacks threats Discouragement measures difficult
More informationCisco Threat Intelligence Director (TID)
The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident
More informationCatalyst Views. 1. Open your web browser and type in the URL address line:
Catalyst Views ACCESSING CATALYST 1. Open your web browser and type in the URL address line: www.nrcpicker.com 2. Click on the Catalyst button towards the top right portion of your screen or in the lower
More informationChapter X Security Performance Metrics
Chapter X Security Performance Metrics Page 1 of 10 Chapter X Security Performance Metrics Background For many years now, NERC and the electricity industry have taken actions to address cyber and physical
More informationConfiguring Event Action Rules
CHAPTER 8 This chapter explains how to add event action rules policies and how to configure event action rules. It contains the following sections: Understanding Policies, page 8-1 Understanding Event
More informationO N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationIntroduction to Antispam Practices
By Alina P Published: 2007-06-11 18:34 Introduction to Antispam Practices According to a research conducted by Microsoft and published by the Radicati Group, the percentage held by spam in the total number
More informationFundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring
Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring Learning Objective Explain the importance of security audits, testing, and monitoring to effective security policy.
More informationCisco IOS Login Enhancements-Login Block
The Cisco IOS Login Enhancements (Login Block) feature allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible denial-of-service
More informationShadowserver reports automated tool
Shadowserver reports automated tool August 2016 Author: Viktor Janevski Supervisor(s): Sebastian Lopienski Stefan Lueders CERN openlab Summer Student Report 2016 Project Specification Every day, CERN receives
More informationReduce Your Network's Attack Surface
WHITE PAPER Reduce Your Network's Attack Surface Ixia's ThreatARMOR Frees Up Security Resources and Personnel The Threat Landscape When you re dealing with network security, one of the primary measurements
More informationOpportunities for Exploiting Social Awareness in Overlay Networks. Bruce Maggs Duke University Akamai Technologies
Opportunities for Exploiting Social Awareness in Overlay Networks Bruce Maggs Duke University Akamai Technologies The Akamai Intelligent Platform A Global Platform: 127,000+ Servers 1,100+ Networks 2,500+
More informationA Comprehensive Guide to Remote Managed IT Security for Higher Education
A Comprehensive Guide to Remote Managed IT Security for Higher Education About EventTracker EventTracker enables its customers to stop attacks and pass IT audits. EventTracker s award-winning product suite
More informationA manual for understanding and using the Impex Control Center. SYSCTL AB - version 1.5
A manual for understanding and using the Impex Control Center SYSCTL AB - version 1.5 CONTENTS Contents Introduction 4 History....................................................... 4 Components.....................................................
More informationIPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions
IPS Effectiveness IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions An Intrusion Prevention System (IPS) is a critical layer of defense that helps you protect
More informationEnabling ALGs and AICs in Zone-Based Policy Firewalls
Enabling ALGs and AICs in Zone-Based Policy Firewalls Zone-based policy firewalls support Layer 7 application protocol inspection along with application-level gateways (ALGs) and application inspection
More informationDemystifying Service Discovery: Implementing an Internet-Wide Scanner
Demystifying Service Discovery: Implementing an Internet-Wide Scanner Derek Leonard Joint work with Dmitri Loguinov Internet Research Lab Department of Computer Science and Engineering Texas A&M University,
More informationDetecting Specific Threats
The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan
More informationQ WEB APPLICATION ATTACK STATISTICS
WEB APPLICATION ATTACK STATISTICS CONTENTS Introduction...3 Results at a glance...4 Web application attacks: statistics...5 Attack types...5 Attack trends...8 Conclusions... 11 2 INTRODUCTION This report
More informationLicensing the Firepower System
The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 1 Classic Licensing for the Firepower System,
More informationAccess Control. Access Control Overview. Access Control Rules and the Default Action
The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationManaging Caching DNS Server
This chapter explains how to set the Caching DNS server parameters. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which explains the basics of DNS. Configuring
More informationEmpower stakeholders with single-pane visibility and insights Enrich firewall security data
SonicWall Analytics Transforming data into information, information into knowledge, knowledge into decisions and decisions into actions SonicWall Analytics provides an eagle-eye view into everything that
More informationIntroduction to Computer Security
Introduction to Computer Security Instructor: Mahadevan Gomathisankaran mgomathi@unt.edu CSCE 4550/5550, Fall 2009 Lecture 10 1 Announcements Project Group Due today Attendance Mandatory Ave. 85% ( 4 absentees
More informationEnabling ALGs and AICs in Zone-Based Policy Firewalls
Enabling ALGs and AICs in Zone-Based Policy Firewalls Zone-based policy firewalls support Layer 7 application protocol inspection along with application-level gateways (ALGs) and application inspection
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationIntrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks
Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial
More informationPALANTIR CYBERMESH INTRODUCTION
100 Hamilton Avenue Palo Alto, California 94301 PALANTIR CYBERMESH INTRODUCTION Cyber attacks expose organizations to significant security, regulatory, and reputational risks, including the potential for
More informationCisco Firepower NGIPS Tuning and Best Practices
Cisco Firepower NGIPS Tuning and Best Practices John Wise, Security Instructor High Touch Delivery, Cisco Learning Services CTHCRT-2000 Cisco Spark How Questions? Use Cisco Spark to communicate with the
More informationCSN15: Using ArcSight ESM for Malicious Domain Detection. Chris Watley Information Assurance Engineer US Government
CSN15: Using ArcSight ESM for Malicious Domain Detection Chris Watley Information Assurance Engineer US Government Agenda Problem defined Snort versus ArcSight ESM Rule creation Active lists Variables
More information6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are
PROGRAM Objective Cyber Security is the most sought after domain, and NASSCOM projects a requirment of over 1 million trained professionals by 2025. Tevel training program is an industry & employability
More informationZimperium Global Threat Data
Zimperium Global Threat Report Q2-2017 700 CVEs per Year for Mobile OS 500 300 100 07 08 09 10 11 12 13 14 15 16 17 Outdated ios Outdated ANDROID 1 of 4 Devices Introduces Unnecessary Risk 1 out of 50
More informationDetecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser Motivation Spam: More than Just a
More informationINTELLIGENT CYBER THREAT DEFENSE. Fight tomorrow s cyber threats in real time with cutting edge machine learning
INTELLIGENT CYBER THREAT DEFENSE Fight tomorrow s cyber threats in real time with cutting edge machine learning ARE YOU PREPARED? Businesses are being targeted by cyber criminals at an ever-increasing
More informationIP Profiler. Tracking the activity and behavior of an IP address. Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP)
Security Intelligence June 2005 IP Profiler Tracking the activity and behavior of an IP address Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP) Page 2 Contents 3 Profiling
More informationConfiguring the Botnet Traffic Filter
CHAPTER 51 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary
More informationRSA NetWitness Platform
RSA NetWitness Platform Event Source Log Configuration Guide Cisco Sourcefire Defense Center (formerly Sourcefire Defense Center) Last Modified: Monday, November 5, 2018 Event Source Product Information:
More informationCE Advanced Network Security
CE 817 - Advanced Network Security Lecture 5 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other
More informationIntrusion Detection - Snort
Intrusion Detection - Snort 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches aren t applied promptly enough AV signatures not always up to date 0-days get through Someone brings in an infected
More informationNetDefend Firewall UTM Services
NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860/1660/2560/2560G) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content
More informationSubscriber Data Correlation
Subscriber Data Correlation Application of Cisco Stealthwatch to Service Provider mobility environment Introduction With the prevalence of smart mobile devices and the increase of application usage, Service
More informationPositive Technologies Telecom Attack Discovery DATA SHEET
Positive Technologies Telecom Attack Discovery DATA SHEET PT TELECOM ATTACK DISCOVERY DATA SHEET CELLULAR NETWORK SECURITY COMPLICATIONS As is shown in the network analysis performed by Positive Technologies
More informationImproving the Effectiveness of Log Analysis with HP ArcSight Logger 6
Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6 A SANS Product Review Written by Dave Shackleford April 2015 Sponsored by HP 2015 SANS Institute Introduction Most organizations today
More informationChoosing The Best Firewall Gerhard Cronje April 10, 2001
Choosing The Best Firewall Gerhard Cronje April 10, 2001 1. Introduction Due to the phenomenal growth of the Internet in the last couple of year s companies find it hard to operate without a presence on
More informationSecurity Bulletin Relating to Worldwide Botnet Dialing H.323-Capable Systems
SECURITY BULLETIN Worldwide H.323 Botnet Calling H.323 Systems as cisco and other Variants Version 1.2 Security Bulletin Relating to Worldwide Botnet Dialing H.323-Capable Systems DATE PUBLISHED: December
More information30 Must Have Plugins in
30 Must Have Plugins in 2016-17 Every business owner know that the right set of tools can make his life a lot easier and help take your business to the next level. If you have a Wordpress theme installed,
More informationZone-Based Firewall Logging Export Using NetFlow
Zone-Based Firewall Logging Export Using NetFlow Zone-based firewalls support the logging of messages to an external collector using NetFlow Version 9 export format. NetFlow Version 9 export format uses
More informationDotNetNuke (DNN) Development & Technology Environment. Web Platform for Employee Portals and Benefit Websites
DotNetNuke (DNN) Development & Technology Environment Table of Contents Our Development Environment... 3 Employee Portal Solutions... 3 What is DotNetNuke?... 3 The Process... 3 Step 1: Assess Client Needs...
More informationAligning with the Critical Security Controls to Achieve Quick Security Wins
Aligning with the Critical Security Controls to Achieve Quick Security Wins Background The Council on CyberSecurity s Critical Security Controls for Effective Cyber Defense provide guidance on easy wins
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationIntroduction to Cisco ASA Firewall Services
Firewall services are those ASA features that are focused on controlling access to the network, including services that block traffic and services that enable traffic flow between internal and external
More informationA senior design project on network security
Michigan Technological University Digital Commons @ Michigan Tech School of Business and Economics Publications School of Business and Economics Fall 2007 A senior design project on network security Yu
More informationSecurity Advisory Relating to Worldwide Botnet Dialing H.323-Capable Systems
SECURITY ADVISORY Worldwide H.323 Botnet Calling H.323 Systems Version 1.0 Security Advisory Relating to Worldwide Botnet Dialing H.323-Capable Systems DATE PUBLISHED: This information applies only to
More informationConfiguring Event Action Rules
CHAPTER 6 This chapter explains how to configure event action rules. It contains the following sections: Understanding Event Action Rules, page 6-1 Signature Event Action Processor, page 6-2 Event Actions,
More informationIPS Event Analysis R Administration Guide
IPS Event Analysis R70.20 Administration Guide 21 December, 2009 More Information The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?id=10506 For additional
More informationAccess Control Lists and IP Fragments
Access Control Lists and IP Fragments Document ID: 8014 Contents Introduction Types of ACL Entries ACL Rules Flowchart How Packets Can Match an ACL Example 1 Example 2 fragments Keyword Scenarios Scenario
More informationUn SOC avanzato per una efficace risposta al cybercrime
Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat
More informationSIEM Solutions from McAfee
SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an
More informationGrandstream Networks, Inc. UCM6100 Security Manual
Grandstream Networks, Inc. UCM6100 Security Manual Index Table of Contents OVERVIEW... 3 WEB UI ACCESS... 4 UCM6100 HTTP SERVER ACCESS... 4 PROTOCOL TYPE... 4 USER LOGIN... 4 LOGIN TIMEOUT... 5 TWO-LEVEL
More informationSiteAdvisor Enterprise
SiteAdvisor Enterprise What Is SAE?... 2 Safety icons show threats while searching... 2 View site report while searching... 2 SiteAdvisor Enterprise button shows threats while browsing... 3 Access SiteAdvisor
More informationChapter X Security Performance Metrics
Chapter X Security Performance Metrics Page 1 of 9 Chapter X Security Performance Metrics Background For the past two years, the State of Reliability report has included a chapter for security performance
More informationManaging an Active Incident Response Case. Paul Underwood, COO
Managing an Active Incident Response Case Paul Underwood, COO 2 About Us Paul Underwood - COO Emagined Security is a leading professional services firm for Information Security, Privacy & Compliance solutions.
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationA Open Source Threat Intelligence System
A Open Source Threat Intelligence System Sabari Girish Nair MBA-ITBM Student, SCIT, Pune sabari.nair@associates.scit.edu Dr.PritiPuri Assistant Professor, SCIT,Pune priti@scit.edu Abstract With more and
More information