
Samples For "CYB 310 Network Defense"

CYB 310 : Module Four Lab Worksheet Guidelines

Overview

These labs represent skills and tasks that a network administrator will routinely perform. It is extremely important for a practitioner to have skills in these areas to inform security policy and procedures.

Review your worksheet template and complete the subsequent labs:

  • Identifying and Analyzing Network Host Intrusion Detection System Alerts
  • Intrusion Detection Using Snort
  • Detecting Malware and Unauthorized Devices

Prompt

Complete the Module Four Lab Worksheet, which is linked in the Lab Worksheet assignment in Module Four of your course.

What to Submit

Submit your completed worksheet. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.docx.

 

Module Four Lab Worksheet Word Document

 

Lab: Identifying & Analyzing Network Host Intrusion Detection System Alerts

 

Prompt

Response

In the lab, “Analyzing Network Events Using Snorby,” Step 18, take a screenshot of the alert window showing signature information and TCP header information.

[Insert screenshot here.]

In the lab section, “Network Security Monitoring with Squert,” in the lab, “Analyzing Network Events Using Squert,” Step 11, take a screenshot of the Squert window displaying the filtered scans for IP 203.0.113.2.

[Insert screenshot here.]

In the lab section, “Network Security Monitoring with Squert,” in the lab, “Analyzing Network Events Using Squert,” Step 17, take a screenshot of the Squert window displaying no results when filtering events for IP 10.1.1.10.

[Insert screenshot here.]

There are a variety of network analyzers. Which tool did you feel was the most powerful and easiest to use?

[Insert short response here.]

Why is it important to add network analyzer tools to your cybersecurity analyst skill set?

[Insert short response here.]

How will you use network analyzer tools in a professional manner?

[Insert short response here.]

 

 

Lab: Intrusion Detection Using Snort

Prompt

Response

In the lab section, “Setting up the Sniffer,” Step 19, type your name after the command prompt and take a screenshot of the output after running the tcpdump -i eth1 command.

[Insert screenshot here.]

In the lab section, “Detecting Unwanted Incoming Attacks,” Step 9, take a screenshot of the results in the Bruter window after it has cycled through the dictionary words.

[Insert screenshot here.]

In the lab, “Detecting Unwanted Outgoing Traffic,” Step 6, type your name at the command prompt and take a screenshot of the output of the payload generated.

[Insert screenshot here.]

How can you see what options are available for the tcpdump command? How can this tool be used by a security analyst?

[Insert short response here.]

What command will display all of the Ethernet interfaces within Linux? How can this be valuable to a security analyst?

[Insert short response here.]

 

 

 

Detecting Malware and Unauthorized Devices

 

Prompt

Response

In the lab, “Keyloggers,” Step 6, scroll up to the prompt where you ran the nmap command and take a screenshot of the output from the scan. Be sure to include the timestamp at the top (date and time).

[Insert screenshot here.]

In the lab, “Keyloggers,” Step 21, take a screenshot of the successful migration after running the migrate command. Note: The number you use will be different from the one in the example.

[Insert screenshot here.]

In the lab, “Keyloggers,” Step 30, take a screenshot of the output after running the kerberos command. Scroll up to the prompt where you typed the command and include the administrator password in your screenshot to show the success of the keylogger dump.

[Insert screenshot here.]

In the lab, “Examining Malware,” Step 32, take a screenshot of the History tab in Windows Defender showing the quarantined file that was detected.

[Insert screenshot here.]

 

Explain the difference between active and passive scanning tools and techniques.

[Insert short response here.]

Explain the significance of the kerberos output. 

[Insert short response here.]

 


CYB 310 : 4-1 Discussion: Circumventing an IDS

IDS technology protects a system reactively: it monitors the internal network for discrepancies or anomalies and alerts the security specialist that there is an issue with the system. The security specialist then begins the incident response procedures.

For your initial post, select a host intrusion detection system (HIDS) or a network intrusion detection system (NIDS) and use your adversarial mindset to explain the attack you would execute to circumvent the system if you were an attacker. Justify your selection.

In your response posts, assuming your peer's attack was successful, what changes would you make to the IDS settings to detect their attack?

Sample Post

Hello everyone,

Intrusion Detection Systems (IDS) are critical in a cybersecurity strategy, identifying and alerting administrators to potential threats. In particular, Network Intrusion Detection Systems (NIDS) monitor network traffic to detect anomalies. However, no system is foolproof, and attackers often exploit weaknesses in NIDS to infiltrate systems undetected. This discussion explores a common technique used to circumvent an NIDS, focusing on evasion through packet fragmentation while drawing on real-world examples to highlight the practical implications. 

Packet fragmentation is a widely known evasion technique targeting NIDS. In this approach, attackers divide malicious payloads into smaller packets that conform to standard traffic patterns. The fragmented packets can bypass inspection thresholds or confuse detection algorithms, especially if the NIDS is configured with insufficient reassembly capabilities. For example, the 2010 attack against the South Korean defense network utilized fragmented packets to bypass perimeter NIDS, demonstrating the efficacy of this technique (Kim et al., 2012). Tools like FragRoute enable attackers to automate fragmentation, emphasizing the need for robust NIDS configurations. 

Another notable case involved the infamous Stuxnet malware. By leveraging fragmented packets and obfuscating payloads, Stuxnet circumvented monitoring systems to infiltrate critical infrastructure (Langner, 2013). These examples underscore the importance of advanced NIDS solutions capable of reconstructing fragmented packets accurately and analyzing their content in real time. 

In conclusion, while NIDS provides significant protection against unauthorized access, adversaries can exploit configuration weaknesses and limitations in detection mechanisms. Packet fragmentation exemplifies the sophistication of evasion techniques, as demonstrated in high-profile cases like Stuxnet and the South Korean defense breach. Organizations must invest in updated NIDS solutions and proactive monitoring to mitigate these threats effectively. Cybersecurity professionals can better secure their networks against such vulnerabilities by understanding adversarial methods. 

References: 

Kim, J., Park, S., & Lee, H. (2012). Advanced evasion techniques for intrusion detection systems. Journal of Computer Security, 20(1), 25-36. 

Langner, R. (2013). To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve. Langner Group. 

Scarfone, K., & Mell, P. (2012). Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94. 

 

Sample Response

Hi [peer's name],

Thank you for the post and examples provided of a successful attack using packet fragmentation to evade an IDS. It is especially fascinating to hear about an attack that was even able to evade government-level detection systems. 

Packet fragmentation seems to be an ongoing issue for even modern IDS systems to handle. From what I can tell, one of the defenses to this kind of attack is to use application-level monitoring with deep packet inspection to look into packets and determine if their contents could be reconstructed as malicious code (EcyberTekTrooper, 2024). Another defense for packet fragmentation techniques is to incorporate anomaly-based detections. Even though fragmented packets may not be flagged as matching malicious code signatures, they are still an anomaly on the network (EcyberTekTrooper, 2024). 

Lastly, it is important to remember that even if an attack technique is able to evade existing detection methods, such as in the case of a zero-day vulnerability, following recommended guidelines and security frameworks will likely lessen the damage of successful attacks. Things like segmented networks, routine network audits, and cultivating a security-aware culture are all effective methods for reducing the impact of attacks that evade network detection methods (EcyberTekTrooper, 2024).

Thanks for the great post!

Reference

EcyberTekTrooper. (2024, March 20). Evading Detection with Nmap’s Advanced Packet Fragmentation. Medium. https://medium.com/@flyparamotorguillermo/evading-detection-with-nmaps-advanced-packet-fragmentation-6bf1aec9833b
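The evasion described in the sample post and the reassembly defense mentioned in the response can be shown in a few lines. The following is an added example, not code from either post, from Snort, or from any real IDS: a toy signature matcher that inspects each fragment on its own misses a signature that straddles a fragment boundary, while reassembling fragments by offset before matching finds it. The signatures, the fragment layout and the HTTP request are constructed for the illustration. Fragments whose overlapping bytes disagree are refused rather than guessed, because different target hosts resolve such overlaps differently and the sensor cannot know which copy the target will see.

```python
"""Fragmentation evasion versus stream reassembly in a toy signature-matching NIDS.

Added illustration (not code from the post or from any real IDS): a matcher that
inspects each fragment in isolation misses a signature that straddles a fragment
boundary; reassembling fragments by offset before matching finds it, and
conflicting overlaps are refused rather than guessed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical content signatures, stand-ins for Snort-style `content:` matches.
SIGNATURES = [b"/etc/passwd", b"cmd.exe"]


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this piece within the original payload
    data: bytes
    more: bool     # "more fragments" flag: False only on the final piece


def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Split a payload into fixed-size pieces, as fragroute or `nmap -f` do at the IP layer."""
    pieces = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        pieces.append(Fragment(off, chunk, off + size < len(payload)))
    return pieces


def match_per_fragment(frags: List[Fragment], sigs=SIGNATURES) -> List[bytes]:
    """Naive inspection: each fragment on its own. Blind to signatures split across pieces."""
    return [s for s in sigs if any(s in f.data for f in frags)]


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the payload from fragments in offset order.

    Returns None when the set is incomplete (gap, missing first or last piece)
    or when overlapping bytes disagree (ambiguous: the sensor cannot know
    which copy the target host will keep).
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered or ordered[0].offset != 0 or ordered[-1].more:
        return None
    buf = bytearray()
    for f in ordered:
        if f.offset > len(buf):
            return None                                   # gap: cannot reassemble
        overlap = min(len(buf) - f.offset, len(f.data))
        if overlap and bytes(buf[f.offset:f.offset + overlap]) != f.data[:overlap]:
            return None                                   # conflicting overlap: ambiguous
        buf.extend(f.data[overlap:])
    return bytes(buf)


def match_reassembled(frags: List[Fragment], sigs=SIGNATURES) -> Optional[List[bytes]]:
    """Reassemble first, then match; None means 'could not reassemble, treat as suspicious'."""
    payload = reassemble(frags)
    if payload is None:
        return None
    return [s for s in sigs if s in payload]


if __name__ == "__main__":
    # Constructed sample request containing one of the signatures.
    payload = b"GET /../../etc/passwd HTTP/1.0\r\n"
    frags = fragment(payload, 8)
    print("per-fragment :", match_per_fragment(frags))   # [] -> evaded
    print("reassembled  :", match_reassembled(frags))    # [b'/etc/passwd']
```

With 8-byte fragments the string `/etc/passwd` is split between the second and third pieces, so the per-fragment matcher returns nothing; the reassembled matcher returns the hit. A real sensor additionally has to time out incomplete fragment sets and pick an overlap policy per target OS, which is exactly the "insufficient reassembly capability" the post refers to.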

 

 

 

 


CYB 310 | 3-3 Project One Stepping Stone : Network Troubleshooting Practice

Overview

Troubleshooting practice will help you develop the adversarial mindset that is essential for a cybersecurity analyst. Troubleshooting any situation prepares you to handle similar situations when they arise, and the faster you can fix an issue, the less harm it can cause over the course of the event. In a sandbox environment, it is easy to experiment with causing and solving problems to test your peers or other members of an organization, and you can also use a sandbox to challenge your skills and test your network defense competence. The GNS3 environment provides a virtual network that also incorporates host operating systems, so you can interface with the operating systems of the devices.

For this stepping stone, you will practice network troubleshooting in a sandbox environment. The sandbox is a safe place to practice your skills, as you won’t have to worry about damaging a production environment. You will use the same sandbox environment for Project One.

Scenario

You are interviewing for a cybersecurity analyst position. As part of the interview process, the company tests all candidates’ troubleshooting capabilities. The company provides you with a GNS3 virtual network in a sandbox environment and asks you to demonstrate your troubleshooting skills. Open the CYB 310 Sandbox and click on the GNS3 icon. Open the Project One Stepping Stone file to troubleshoot and resolve the following issues:

  1. Only users in the Sales and Customer Service departments need access to the Customer Data folder on the CS FTP server. The Human Resources department users should not have access. 
  2. Three of the four workstations in the Human Resources department cannot ping the Cloud IP address due to an IP address or switch misconfiguration. Find and correct the misconfigurations.
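Issue 2 comes down to checking, for each workstation, whether its address, mask and gateway are consistent with each other and with the subnet the department is supposed to be on. The following is an added example, not part of the assignment or the GNS3 project file, that performs that check with Python's standard `ipaddress` module over a constructed workstation table; the names and addresses are hypothetical and are not the values in the lab. A host can only reach its gateway when the gateway falls inside the host's own subnet, so a wrong mask, wrong gateway, duplicate address, or a host placed in the wrong subnet all show up as findings. Switch-side misconfigurations (wrong VLAN or port) are outside what this check can see.

```python
"""Find host IP misconfigurations that stop a workstation from reaching its gateway.

Added example (constructed data, not the lab's values): checks each host's
address/mask/gateway for internal consistency and against an expected subnet,
and flags duplicate addresses across the set.
"""
import ipaddress
from typing import Dict, List, Optional


def check_host(ip: str, mask: str, gateway: str, expected_net: Optional[str] = None) -> List[str]:
    """Return human-readable problems for one host (empty list when it looks sane)."""
    problems: List[str] = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid address, mask or gateway: {exc}"]
    net = iface.network
    if expected_net is not None and net != ipaddress.IPv4Network(expected_net):
        problems.append(f"subnet {net} differs from expected {expected_net} (check address and mask)")
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}, so off-subnet traffic has nowhere to go")
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if iface.ip == gw:
        problems.append("host address equals the gateway address")
    return problems


def audit(hosts: Dict[str, Dict[str, str]], expected_net: Optional[str] = None) -> Dict[str, List[str]]:
    """Run check_host over every workstation and add duplicate-address findings.

    hosts maps a name to {"ip": ..., "mask": ..., "gateway": ...}; the result
    only contains hosts that have at least one problem.
    """
    findings = {name: check_host(expected_net=expected_net, **cfg) for name, cfg in hosts.items()}
    by_ip: Dict[str, List[str]] = {}
    for name, cfg in hosts.items():
        by_ip.setdefault(cfg["ip"], []).append(name)
    for ip, names in by_ip.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append(f"duplicate address {ip} also used by {others}")
    return {name: probs for name, probs in findings.items() if probs}


# Constructed HR department table (hypothetical values): one correct host, three broken ones.
HR_WORKSTATIONS = {
    "HR-1": {"ip": "10.1.1.10", "mask": "255.255.255.0", "gateway": "10.1.1.1"},   # fine
    "HR-2": {"ip": "10.1.1.11", "mask": "255.255.255.0", "gateway": "10.1.2.1"},   # wrong gateway
    "HR-3": {"ip": "10.1.1.12", "mask": "255.255.0.0", "gateway": "10.1.1.1"},     # wrong mask
    "HR-4": {"ip": "10.11.1.13", "mask": "255.255.255.0", "gateway": "10.1.1.1"},  # typo in address
}

if __name__ == "__main__":
    for name, probs in audit(HR_WORKSTATIONS, expected_net="10.1.1.0/24").items():
        for p in probs:
            print(f"{name}: {p}")
```

Run against the constructed table, HR-1 is clean and the other three are reported with the specific reason, which is the kind of evidence the rubric asks you to pair with screenshots. If every host passes this check and pings still fail, the fault is on the switch side, and the next place to look is the VLAN and port configuration.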

Prompt

You must address the following rubric criteria:

  1. Network Deficiencies
    1. Issue One 
      1. Identify the configuration error causing the issue by providing appropriate screenshot(s).
      2. Troubleshoot the issue and provide screenshots of a resolution.
      3. Explain your approach to troubleshooting the issue and justify your resolution.
    2. Issue Two
      1. Identify the configuration error causing the issue by providing appropriate screenshot(s).
      2. Troubleshoot the issue and provide screenshots of a resolution.
      3. Explain your approach to troubleshooting the issue and justify your resolution.

What to Submit

Your submission should be 2 to 3 pages in length. Use double spacing, 12-point Times New Roman font, and one-inch margins. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.docx.


CYB 310 : 3-2 Lab Worksheet Assignment : Module Three Lab Worksheet

Overview

These labs represent skills and tasks that a network administrator will routinely perform. It is extremely important for a practitioner to have skills in these areas to inform security policy and procedures.

Review your worksheet and complete the subsequent labs:

  • Performing a Denial-of-Service Attack from the WAN
  • Implementing NAT and Allowing Remote Access

 

CYB 310 Module Three Lab Worksheet

Complete this worksheet by replacing the bracketed phrases in the Response column with the relevant information.

Lab: Performing a Denial-of-Service Attack From the WAN

Prompt

Response

In the lab section, “TCP Flood,” Step 11, include your name after the command prompt and take a screenshot of your name with the output from running the tcpdump command.

[Insert screenshot here.]

In the lab section, “HTTP2 Flood,” Step 16, add your name at the command prompt after you run the capinfos HTTP2capture.cap command. Take a screenshot of your name and the output for the total number of packets captured in the number of packets data.

[Insert screenshot here.]

How can the Low Orbit Ion Cannon (LOIC) tool be used in an analyst's daily work?

[Insert short response here.]

What are two examples of information the LOIC tool could retrieve?

[Insert short response here.]

 

Lab: Implementing NAT and Allowing Remote Access

Prompt

Response

In the lab section, “Understanding NAT,” Step 27, take a screenshot of the display of the output from the ping command executed in Step 8.

[Insert screenshot here.]

In the lab section, “Secure Remote Login,” Step 34, take a screenshot of the VPN window after logging in to the network.

[Insert screenshot here.]

What useful information can be retrieved using Nmap and Wireshark together?

[Insert short response here.]

Why would it be important to map the network using tools such as Nmap and Wireshark prior to configuring NAT?

[Insert short response here.]

 


CYB 310 : 3-1 Discussion: Denying DoS Attacks

One of an organization's biggest assets is information, and stopping the flow of that information can be detrimental to a business. If your organization experiences a denial-of-service (DoS) attack, it risks losing customers, revenue, and reputation. Organizations find it challenging to report a cyber incident, and even when they do, what they publish can be missing key facts needed to understand the full attack picture.

For your initial post:

  • Find a resource outside of your assigned reading that describes a recent DoS attack. Post the link and summarize the attack for your peers.
  • Identify possible missing information from the resource that would help you prevent similar attacks in your organization.
  • Explain why there is no incentive for organizations to report these types of attacks.

In your response posts, is there any other missing information you can identify? Alternatively, what other steps could you take to protect an organization's data from a DoS attack?

 

Sample Post

Hello everyone!

One attack I was able to find some information on is the DDoS attack on South Korea's Joint Chiefs of Staff (JCS) website on November 5, 2024, at approximately 5:30 p.m.

Massive DDoS Attack Cripples South Korea’s Defense Site—North Korea or Russia?

Though it was affected initially, prompting an investigation from the Cyber Operations Command, the DDoS countermeasures were activated and allowed the site to remain operational for the public, though there were slower loading times and connectivity issues. The IP address was blocked, says a military spokesperson, and the department is focusing its efforts on finding the culprit responsible for the attacks. This attack follows a warning from the Korea Internet & Security Agency on October 1, which had previously alerted organizations to increase cyber defenses in anticipation of an uptick in cyber threats, possibly due to the deployment of North Korean troops to Russia. People are speculating that the attacks may have originated from, or at least been linked to, North Korea or Russia.

The article is unfortunately quite lacking on information, such as the countermeasures that were deployed to circumvent the attacks or if the website had protocols in place for responding to such cyber threats. It was incredibly difficult to find an article reporting recent DDoS attacks in the first place, let alone one with a lot of information. There are, however, many best practices to put in place to protect against DDoS attacks, such as prioritizing security over performance, bolstering your protection tactics, and embracing threat intelligence to stay ahead of potential attackers. 

There are quite a few reasons why organizations may not want to report on DDoS attacks. For instance, it could give a public perception of weakness for the organization, which could lead to an escalation of attacks. DDoS attacks are generally used as part of "stress" testing for servers, and if they report that the attack was successful in disrupting services, attackers could use that information to mark that organization as a viable target for future attacks. Additionally, there are no legal requirements to report such attacks, meaning most organizations may opt to handle the problems internally to avoid the consequences that could result from disclosure.

Thank you!

Sample Response

Hello,

Thank you for sharing such an insightful example! The DDoS attack on South Korea's Joint Chiefs of Staff is a strong reminder of the need for robust cybersecurity measures, especially amidst heightened geopolitical tensions involving North Korea and Russia. Another key piece of missing information is whether the organization performed a post-incident analysis to identify and address vulnerabilities exposed during the attack. Additionally, it would be valuable to know the scale of the attack, such as the traffic volume or duration, as this could provide insight into the attackers’ capabilities and intentions. Sharing more details about the countermeasures—such as traffic filtering or reliance on cloud-based mitigation—could also help other organizations enhance their defenses.

To prevent or mitigate DoS attacks, organizations can take several proactive steps. Implementing redundancy by distributing server resources across multiple locations can reduce the risk of single points of failure. Real-time traffic monitoring tools can detect and neutralize unusual patterns before they escalate. Rate limiting helps control excessive requests from individual users, while partnering with ISPs can block malicious traffic closer to its origin. Moreover, having a robust incident response plan, regularly tested through drills, ensures organizations can act swiftly and effectively. These measures, combined with international collaboration and information sharing, could significantly strengthen collective defenses against such threats. What are your thoughts on the potential benefits of increased transparency and cooperation between organizations in mitigating attacks like these?

Thanks.
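Of the mitigations listed in the response above, rate limiting is the one that can be shown end to end in a few lines. The following is an added example, not code from the post, from any vendor product or from the JCS incident: a per-source token bucket where every source address gets its own bucket that refills at `rate` tokens per second up to `burst`, and a request is served only if a token is available. The request trace is constructed, mixing one ordinary client with one flooding source so the effect on each can be counted; the addresses are documentation ranges and are hypothetical.

```python
"""Per-source token-bucket rate limiting, one of the DoS mitigations named above.

Added example (constructed trace, not from the post or any product): each
source gets its own bucket refilling at `rate` tokens/second up to `burst`;
a request is served only if a token is available.
"""
from typing import Dict, List, Tuple


class TokenBucket:
    def __init__(self, rate: float, burst: int):
        self.rate = rate          # tokens added per second
        self.burst = burst        # bucket capacity (maximum burst served at once)
        self.tokens = float(burst)
        self.last = 0.0           # time of last refill, seconds

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source; an unseen source starts with a full bucket at first sight."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, src: str, now: float) -> bool:
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = TokenBucket(self.rate, self.burst)
            bucket.last = now
            self.buckets[src] = bucket
        return bucket.allow(now)


def simulate(requests: List[Tuple[float, str]], rate: float, burst: int) -> Dict[str, Dict[str, int]]:
    """Replay (timestamp, source) pairs in time order; count served and dropped per source."""
    limiter = PerSourceLimiter(rate, burst)
    stats: Dict[str, Dict[str, int]] = {}
    for now, src in sorted(requests):
        entry = stats.setdefault(src, {"served": 0, "dropped": 0})
        entry["served" if limiter.allow(src, now) else "dropped"] += 1
    return stats


def constructed_trace() -> List[Tuple[float, str]]:
    """Hypothetical 10-second trace: a normal client at 1 req/s and a flooder at 100 req/s."""
    normal = [(float(t), "198.51.100.7") for t in range(10)]
    flood = [(i / 100.0, "203.0.113.99") for i in range(1000)]
    return normal + flood


if __name__ == "__main__":
    for src, counts in simulate(constructed_trace(), rate=5.0, burst=10).items():
        print(src, counts)
```

With a limit of 5 requests per second and a burst of 10, the normal client is never touched while the flooder gets roughly 60 of its 1,000 requests through. Note the limit of the technique: it keys on source address, so a distributed attack from many sources, or one behind a large NAT shared with legitimate users, needs the upstream filtering and ISP cooperation the response also mentions.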


CYB 310: 2-2 Lab Worksheet: Module Two Lab Worksheet

Overview

These labs represent skills and tasks that a network administrator will routinely perform. It is extremely important for a practitioner to have skills in these areas to inform security policy and procedures.

Review your worksheet and complete the subsequent labs:

  • The OSI Model
  • Network Troubleshooting
  • TCP/IP Protocols – The Core Protocols

Prompt

Complete the Module Two Lab Worksheet, which is linked in the Lab Worksheet assignment in Module Two of your course.

What to Submit

Submit your completed worksheet. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.docx.

 

Module Two Lab Worksheet Word Document 

 

The OSI Model

Prompt

Response

What HTTP message type is used to request data?

[Insert short response here.]

Identify which flags are set in each of the three segments of the three-way handshake.

[Insert short response here.]

What command can be used on a Windows machine to view the MAC address?

[Insert short response here.]

 

Network Troubleshooting

Prompt

Response

In the lab, “Troubleshooting a Suspected DNS issue Using CLI Utilities,” Step 11, type your name after the command prompt and take a screenshot of the output after running the nslookup command.

[Insert screenshot here.]

In the lab, “Troubleshooting a Suspected DNS issue Using CLI Utilities,” Step 14, take a screenshot of the webpage after correcting the URL.

[Insert screenshot here.]

What utility can be used to find out the IP address, subnet mask, and default gateway configured on a computer?

[Insert short response here.]

What is the function of the ipconfig /release and ipconfig /renew commands?

[Insert short response here.]

What type of devices would be better served to have static IP configuration?

[Insert short response here.]

 

TCP/IP Protocols – The Core Protocols

Prompt

Response

In the lab, “Capture and Analyze Transport Layer Protocol Packets,” Step 10, take a screenshot of the output of the field details of the TCP segment.

[Insert screenshot here.]

In the lab, “Capture and Analyze a UDP Datagram,” Step 8, take a screenshot of the output of the User Datagram Protocol field details.

[Insert screenshot here.]

What type of packet is an ARP request?

[Insert short response here.]

What type of packet is an ARP reply?

[Insert short response here.]
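The flag question in the OSI Model section and the TCP segment field details captured in this section both come down to reading the same 20-byte header. The following is an added example, not part of the worksheet or the lab capture: a parser that unpacks a raw TCP header according to the RFC 793 layout, a builder that produces minimal headers so a handshake can be assembled offline, and a checker that verifies both the flag pattern of each step and the sequence/acknowledgement arithmetic the steps depend on. The ports and initial sequence numbers are constructed; the checksum is left at zero because computing it requires the IP pseudo-header, which is outside this example.

```python
"""Decode raw TCP headers and check a three-way handshake by flags and sequence numbers.

Added example (constructed segments, not a capture from the lab). The parser
follows the RFC 793 header layout; the builder makes option-free 20-byte
headers; the checksum is left zero (it needs the IP pseudo-header).
"""
import struct
from typing import Dict, List

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_tcp_header(segment: bytes) -> Dict[str, object]:
    """Unpack the fixed 20-byte header; options and payload are sliced by data offset."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgptr = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # upper 4 bits: header length in 32-bit words
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    flags = [name for name, bit in FLAG_BITS.items() if off_flags & bit]
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "checksum": checksum, "urgent": urgptr,
        "options": segment[20:data_offset], "payload": segment[data_offset:],
    }


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: List[str], window: int = 65535) -> bytes:
    """Minimal header (no options) with the given flags; checksum left at zero."""
    off_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def handshake_step(hdr: Dict[str, object]) -> str:
    """Name the handshake step that a segment's flag set corresponds to."""
    flags = set(hdr["flags"])
    if flags == {"SYN"}:
        return "1: SYN"
    if flags == {"SYN", "ACK"}:
        return "2: SYN-ACK"
    if flags == {"ACK"}:
        return "3: ACK"
    return "not a handshake segment"


def verify_handshake(syn: bytes, synack: bytes, ack: bytes) -> bool:
    """True only if flags, port pairs and seq/ack numbers form a valid handshake."""
    a, b, c = (parse_tcp_header(s) for s in (syn, synack, ack))
    steps_ok = [handshake_step(h) for h in (a, b, c)] == ["1: SYN", "2: SYN-ACK", "3: ACK"]
    ports_ok = (a["src_port"], a["dst_port"]) == (b["dst_port"], b["src_port"]) == (c["src_port"], c["dst_port"])
    numbers_ok = (b["ack"] == (a["seq"] + 1) & 0xFFFFFFFF       # SYN consumes one sequence number
                  and c["seq"] == (a["seq"] + 1) & 0xFFFFFFFF
                  and c["ack"] == (b["seq"] + 1) & 0xFFFFFFFF)
    return steps_ok and ports_ok and numbers_ok


# Constructed handshake: client port 40000 -> server port 80, ISNs 1000 (client) and 5000 (server).
SYN = build_tcp_header(40000, 80, 1000, 0, ["SYN"])
SYN_ACK = build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"])
ACK = build_tcp_header(40000, 80, 1001, 5001, ["ACK"])

if __name__ == "__main__":
    for seg in (SYN, SYN_ACK, ACK):
        h = parse_tcp_header(seg)
        print(handshake_step(h), h["flags"], "seq", h["seq"], "ack", h["ack"])
    print("handshake valid:", verify_handshake(SYN, SYN_ACK, ACK))
```

The three segments decode to SYN, SYN+ACK and ACK, which is the answer the flag question is after; the seq/ack check is what distinguishes a real handshake from a stray ACK or a SYN flood, since a flood never produces the third segment with the right numbers.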

 


CYB 310: 2-1 Discussion: Inventing the Next Generation Network and Port Scanners
In your reading this week, you will explore multiple network and port scanners. If you could create the network or port scanner of your dreams, what aspects of the tools you read about this week would you include and why? Make sure you name your creative and groundbreaking new tool!

In your response posts, describe how you could use the new tools developed by your peers, and suggest a new feature for each tool.

 

Sample Post

Hello Everyone, 

I hope this week is treating you all well. As we delve deeper into the world of network and port scanning, I cannot help but imagine the perfect scanner that would combine the best features of all the tools we have encountered. If I could create my dream scanner, I would call it "ZymNet".

ZymNet would be a powerhouse scanner with the following features:

  • Speed and Efficiency: ZymNet would incorporate the lightning fast scanning capabilities of tools like nmap, allowing for quick identification of active hosts and open ports on a network.
  • Versatility: It would support a wide range of scan types, including TCP, UDP, SYN and ACK scans, similar to nmap, to cater to different network environments and security needs.
  • Stealth and Evasion: ZymNet would excel at evading detection by Intrusion Detection Systems (IDS) and firewalls, drawing inspiration from advanced scanners that employ techniques like packet fragmentation and source address spoofing.
  • Comprehensive OS and Service Detection: It would accurately identify operating systems and services running on target machines, providing valuable information for vulnerability assessment and penetration testing.
  • User Friendly Interface: Unlike some command line scanners, ZymNet would feature an intuitive graphical user interface (GUI) that makes it accessible to both novice and experienced users.
  • Customizable Reporting: It would generate detailed and customizable reports that can be tailored to specific audiences and purposes.
  • Integration with Other Tools: ZymNet would seamlessly integrate with other security tools, such as vulnerability scanners and exploitation frameworks, to streamline the security assessment process.

In essence, ZymNet would be the ultimate all-in-one scanner that combines speed, versatility, accuracy and user friendliness. It would be the go-to tool for network administrators, security professionals and ethical hackers alike.

 

Sample Reply

Hello,

Great work on conceptualizing ZymNet. It sounds like this would be a great tool for any offensive security specialist, especially as a starting point to begin an offensive operation. 

One thing that stood out to me about ZymNet was its user-friendly UI and customizable reporting. These features could make ZymNet a good fit for corporate pen-testing environments. A robust UI would help offensive teams to train new members. The GUI could also be helpful in tweaking and recreating steps within a particular attack. Lastly, the customizable reports could save significant time and make the lives of the team members much better. From what I have heard, offensive security teams can spend half of their time or more just writing reports. These reports are obviously extremely important (and ultimately what the client is paying for), but integrated assistance in generating reports could prove highly popular amongst red teams. 

One feature that could be added on to what you have outlined with ZymNet is a portable version of the software package that could be stored on a USB or similar drive and used in physical penetration tests. While not every test will have physical access to a client's hardware, the ability to scan for open ports within a network could be valuable when access allows for it. 

Thank you for the thorough post!
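The scan types listed in the post (TCP connect, SYN, UDP, ACK) differ in how much of the handshake they complete; the connect scan is the simplest and is the one a tool can run without raw-socket privileges, at the cost of being the noisiest since every open port logs a full connection. The following is an added example, not ZymNet, nmap or any other real tool: a small concurrent TCP connect scanner together with two loopback helpers that open and release ports so the scanner can be exercised offline. Only scan hosts you are authorized to test.

```python
"""A small concurrent TCP connect scanner, the simplest of the scan types listed above.

Added example, not code from the post or from any real scanner: a connect scan
completes the full three-way handshake with each port, so it needs no raw-socket
privilege but is also the noisiest option. The helpers open and reserve
loopback ports so the scanner can be exercised offline.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connection to host:port succeeds within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 32) -> List[int]:
    """Probe ports concurrently and return the open ones in ascending order."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=min(workers, max(1, len(ports)))) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def open_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Listen on an OS-chosen loopback port; the caller closes the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Return a port the OS just released, which should scan as closed (small race, fine for a demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = open_listener()
    closed_port = reserve_closed_port()
    try:
        print("open ports:", connect_scan("127.0.0.1", [open_port, closed_port]))
    finally:
        srv.close()
```

Run stand-alone, the demo reports only the port the listener holds. Against a filtered port the probe simply times out, which is why the timeout is short and the probes run in a thread pool; a SYN scan avoids the full connection but needs raw sockets and therefore elevated privileges, which is the trade-off the post's "stealth" bullet is really about.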

 



 

CYB-310-18578-M01 Network Defense 2024 C-6

1-1 Discussion: Introduction and Networking Experience 

In your initial post, briefly introduce yourself.

Next you will consider your IT networking experience. We all experience network problems, either as a user or as a professional in the field. Provide an example of your personal or professional experience with networking, and describe a situation where you had to troubleshoot or resolve an issue. Include details about how you approached the problem. Feel free to draw on previous coursework for your examples.

In your response posts, what other techniques to solving the problems described by your peers could you suggest from your experience? Alternatively, what questions would you ask to help diagnose or solve the problem?

 

