|Lesson 6|| Detecting attacks|
|Objective|| List ways to detect attacks.|
Detecting Hacker Attacks
Detecting an attack on a system is essential for initiating an appropriate response and limiting potential damage.
The following methods can help identify attacks on a system:
- Intrusion Detection Systems (IDS): An IDS monitors network traffic and system activity for signs of malicious activity or policy violations. By analyzing network packets and system logs, an IDS can detect known attack patterns and raise alerts for further investigation.
- Antivirus and Antimalware Software: Antivirus and antimalware programs can help detect attacks by scanning files, emails, and web content for known malicious signatures, heuristics, or behavioral patterns. Regularly updating the software and signatures is crucial to maintain effectiveness.
- Firewall Monitoring: Firewalls can help detect potential attacks by monitoring incoming and outgoing network traffic for suspicious activity. Configuring the firewall to block known malicious IP addresses or unusual traffic patterns can provide an additional layer of security.
- Security Information and Event Management (SIEM) Systems: SIEM solutions collect, aggregate, and analyze log data from various sources, such as servers, network devices, and applications. By correlating events and identifying anomalies, SIEM systems can detect potential attacks and trigger alerts for further investigation.
- File Integrity Monitoring (FIM): FIM tools track changes to critical system files, configuration files, and application files. Unexpected or unauthorized changes may indicate an attack, and FIM can alert administrators to these changes for further inspection.
- User and Entity Behavior Analytics (UEBA): UEBA solutions analyze patterns of user and system behavior to identify deviations from the norm, which may indicate an attack. By monitoring access patterns, resource usage, and other activities, UEBA can help detect potential threats or unauthorized access.
- Network Traffic Analysis: Analyzing network traffic for unusual patterns, such as unexpected data transfers, spikes in bandwidth usage, or communication with known malicious IP addresses, can help detect attacks on a system.
- System Performance Monitoring: Monitoring system performance can help identify potential attacks, as some types of attacks may result in noticeable performance degradation, such as increased CPU usage, memory consumption, or disk activity.
- Log Analysis: Regularly reviewing system, application, and security logs can help detect signs of an attack, such as failed login attempts, unexpected user account activity, or unauthorized access to sensitive data.
- Threat Intelligence Feeds: Subscribing to threat intelligence feeds can provide up-to-date information on emerging threats, vulnerabilities, and attack patterns. By incorporating this information into security tools and processes, organizations can proactively detect potential attacks and adapt their defenses accordingly.
Employing a combination of detection methods, such as intrusion detection systems, antivirus software, firewalls, SIEM solutions, file integrity monitoring, and user behavior analytics, can help organizations effectively detect attacks on their systems. Regular monitoring, log analysis, and staying informed about emerging threats are critical components of an effective cybersecurity strategy.
Attackers do not leave any Traces
A major problem in detecting attacks is that crackers normally do not leave any traces.
If a cracker steals a password, he or she will connect without leaving error traces, and the log file entries may show no unusual activity. While it may be hard to immediately destroy a log of the initial connection, tools are available that allow subsequent connections to be made with few traces.
Also, smart hackers do not show up on the user list. For example, when you use the
who commands, the crackers will not be listed; experienced crackers use tools that do not write the appropriate log entries and so do not show up when you try to trace crackers using these utilities.
Hacker acquires root access
The only way to directly detect a competent cracker is to use
netstat to identify active network connections while the cracker is online, or to use
ps to identify active processes. Neither of these commands can be easily overcome by the cracker.
However, if the cracker has
root access, even these traces can be hidden.
There are, however, things you should look out for. Watch for any unusual system activity, such as users connecting from overseas, at odd hours, or performing atypical operations. Also look for changes to the system configuration; for example, certain security measures may be disabled, or backdoors may be enabled in standard files.
Finally, there may be anomalies in log files; for example, connections without the appropriate log entries signal a possible break-in.
Luckily, there are tools that can help automate many of these checks. However, your best defense is to prevent attacks in the first place.
The following simulation shows you how to discover anomalous system behavior.
Different Techniques to detect Attacks
finger to see who is currently logged on to the system.
The finger command shows who is currently logged in by listing their logins and names. It also shows when they logged in and if they are local or remote. If the user is remote, the name of the remote machine is also listed. This completes the Simulation.
Linux/Unix finger command
Lists information about the user.
finger [-b] [-f] [-h] [-i] [-l] [-m] [-p] [-q] [-s] [-w] [username]
| -b ||Suppress printing the user's home directory and shell in a long format printout. |
|-f||Suppress printing the header that is normally printed in a non-long format printout.|
|-h||Suppress printing of the .project file in a long format printout.|
| -i ||Force "idle" output format, which is similar to short format except that only the login name, terminal, login time, and idle time are printed.|
|-l||Force long output format.|
|-m||Match arguments only on user name (not first or last name).|
|-p||Suppress printing of the .plan file in a long format printout.|
|-q||Force quick output format, which is similar to short format except that only the login name, terminal, and login time are printed.|
|-s||Force short output format.|
|-w||Suppress printing the full name in a short format printout.|
There are two nameserver configuration types:
- authoritative:Authoritative nameservers answer to resource records that are part of their zones only. This category includes both primary (master) and secondary (slave) nameservers.
- recursive: Recursive nameservers offer resolution services, but they are not authoritative for any zone. Answers for all resolutions are cached in a memory for a fixed period of time, which is specified by the retrieved resource record.
Although a nameserver can be both authoritative and recursive at the same time, it is recommended not to combine the configuration types. To be able to perform their work, authoritative servers should be available to all clients all the time. On the other hand, since the recursive lookup takes far more time than authoritative responses, recursive servers should be available to a restricted number of clients only, otherwise they are prone to distributed denial of service (DDoS) attacks.
The next lesson introduces insecure remote login services.