[00:00:00] The more information that is available for your networks and hosts, the easier it will be when it comes to incident response time. Profiling data provides a complete view of all of the information the system has gathered about a network or host. In this lecture, we are going to take a look at different profiling methods that can be used to provide contextual data to detect and even prevent incidents.

[00:00:24] Throughput is the measure of how much data is successfully transferred between network hosts. So if you send a file between two computers and the rate of the transfer is 50 megabits per second, then that would be the throughput.

[00:00:45] Throughput utilization can be an indicator that there has been a security incident. If it is monitored, network management servers can collect this data historically, so a baseline can be created. If the NMS reports that a remote site had an average throughput of 30 megabits per second for a year and then all of a sudden the site spikes to 100 megabits per second, then you would want to investigate that network. Of course, just because there is a large increase in traffic doesn't necessarily mean that there has been a security incident, but it is possible.

[00:01:24] Session duration is another important thing to watch out for on the network. Really long sessions between two hosts could be a sign of a misbehaving client on the network.
[00:01:37] Most sessions should last past a typical eight hour workday. But if an attacker has a backdoor to the network, then they may stay connected for long periods of time. One easy way you can check for session durations is by looking at your firewall's connection statistics.

[00:01:59] So here I am logged into my Cisco Firepower device that is my internet gateway in the lab, and just by running the command show connection detail, just like you could on the same platform, you can see connection or session details. So I can see how long these connections are idle for, as well as their uptime, which is what I'm looking for.

[00:02:29] So this one, for example, is four days long. That might be what I want to look into. That seems a little unordinary to me. It could be legit traffic, but I mean any connections or sessions that are up for more than a day straight might be something you want to look at to make sure that you don't have any C&C connections or any type of backdoors connected on your network.

[00:02:57] Knowing what wired devices are connected to your network is a big part of network security, since most wired networks do not require authentication or authorization for access. It is an easy in for an attacker: small, low-profile devices like Raspberry Pis can be easily tucked away and remain connected to the network for years without anyone noticing.
[00:03:23] There are even devices that can be used that are disguised as equipment like power strips and power chargers. To control what is plugged into a network, a NAC solution like Cisco ISE can be implemented. ISE has the ability to profile what types of devices are connected to the network and permit or deny endpoints based on posture. A common ISE rule set would be to only let company-owned devices gain full network access, and then all other devices would only get limited access.

[00:04:00] So just to give you a basic idea of what I mean when I talk about wired authentication and authorization, I'm going to show you a switch port that I have configured for authentication that actually talks to Cisco ISE to verify if users or devices should be allowed on the network.

[00:04:26] So it's quite the long configuration. But basically all these authentication commands are tweaking the switch port, saying hey, when something plugs into the switch port I want to authenticate them with dot1x or MAC address authentication. So right now I have a phone, and a computer that's plugged into the phone, plugged into this port. So if I run the command show authentication session, and then interface 1/0/12, then I can see the authentication and authorization status of my devices.

[00:05:16] So let's take a look. Here this shows the username of the computer that's plugged into the back of the phone, its MAC address, its IP address.
[00:05:29] It looks like it's authenticated properly and it received this downloadable access list from ISE. So I don't want to get too crazy into the details here, because knowing how to configure this stuff really isn't required for the CyberOps exam. I just want to share with you as much information as possible so you have a better understanding of how this all ties together.

[00:05:54] So basically my computer's authenticated and all happy in the data domain. And then I have my phone in the voice domain that has also received this permit any downloadable access list.

[00:06:11] So you saw the switch port configuration; now, to actually talk to ISE, we have some AAA commands that are set globally. So for example I have this aaa authentication dot1x, and I say hey, for dot1x requests I want to talk to this group, and that RADIUS ISE group basically has the IP address of my server so that it knows to send RADIUS requests for wired authentication to the server.

[00:06:57] So here I am in the ISE server. I just want to give you a quick look into what the policies look like when someone plugs into a switch port and the switch sends their username or MAC address to ISE. What is it going to do? Is it going to deny that device access to the switch, or is it going to push an access list to the switch to apply to the switch port?
[00:07:28] So let's take a look at my wired access policy here. Here's just a few examples. I have a MAC address list here, basically so that if a device like your phone doesn't have the capability to actually send username information, then I just check its MAC address against a list that I've compiled. If it doesn't match that, then it looks for either Active Directory user credentials or a certificate or something. And at this point, if it passes authentication and is a valid username and password, then how is it authorized to access the network?

[00:08:12] So then, say you authenticate successfully. Let me go down here. And then, yes, you can get crazy with authorization policies; it's actually one of the bigger parts of the configuration. I could send a user to a guest portal if I wanted to when they plug into a wired port and give them limited access, or if they are a company-owned asset and a valid domain user, then give them full access.

[00:08:41] So now you can see, with a NAC solution like ISE, you can truly secure what is connected to the network, so that a hacker can't come in off the street and go plug into a lobby switch port to gain access to the network.

[00:08:59] Segmenting IP networks and VLANs based on security levels is obviously a best practice.
[00:09:08] For example, guest users should not be on the same network as internal servers that run critical roles in the environment. IP address planning can take a lot of thought to make sure that address space is allocated for scalability and security.