UNIT

15 Defense and Analysis Techniques – II

Names of Sub-Units

Honeypots, Malicious Code Naming, Automated Malicious Code Analysis Systems, Physical or Virtual
Machines, Intrusion Detection Systems

Overview

Defense and Analysis Techniques is explained in this chapter. The relevance, history and characteristics
of Defense and Analysis Techniques are Man-in-the-Middle Attacks, Detecting and Preventing MITM
Attacks are all discussed in this unit.

Learning Objectives

In this unit, you will learn to:

 Explain the meaning of Honeypots
 Discuss about the Malicious Code Naming
 State the meaning of Intrusion Detection Systems
 Describe Physical or Virtual Machines
JGI JAIN
DEEMED-TO-BE UNIVERSIT Y
Cyber Security: Concepts and Practices

Learning Outcomes

At the end of this unit, you would:

 Evaluate the meaning of Honeypots
 Determine the significance of Automated Malicious Code Analysis Systems
 Assess the Malicious Code Naming
 Analyse to Physical or Virtual Machines
 Examine Intrusion Detection Systems

Pre-Unit Preparatory Material

 https://www.imperva.com/learn/application-security/honeypot-honeynet/
 https://www.intego.com/mac-security-blog/how-does-malware-naming-work/

15.1 INTRODUCTION
Security analytics is a proactive approach to cybersecurity that uses data collection, aggregation and
analysis capabilities to perform critical security functions that identify, analyse and mitigate cyber
threats. Security analysis tools, such as threat detection and security monitoring, are used to identify
and investigate security incidents and potential threats, such as external malware, targeted attacks
and malicious insiders. Identifying these threats at an early stage gives security professionals the
opportunity to stop them before they can penetrate the network infrastructure, compromise valuable
data and assets, or harm the organisation.

Security analytics solutions collect data from a variety of sources, including endpoint and user
behavioral data, business applications, operating system event logs, firewalls, routers, virus scanners,
external threat intelligence and textual data. By combining and correlating this data, organisations can
use an initial data set and security professionals can apply the appropriate algorithms to create rapid
searches and identify early signs of an attack. In addition, machine learning technology can be used to
perform threat detection and data analysis in real time.

Data from a variety of cyber security systems is used to analyse events that take place in their
environments (e.g., IDS alerts, firewalls, network traffic logs).

It is possible that individuals in this job are referred to as informal or formal:

 Computer Network Defense (CND) Analyst
 Cybersecurity Analyst
 Incident Analyst
 Network Defense Technician
 Network Security Engineer

2
UNIT 15: Defense and Analysis Techniques – II JGI JAIN
DEEMED-TO-BE UNIVERSIT Y

 Security Analyst
 Security Operator
 Sensor Analyst
 Senior Network Security Engineer
 Focused Operations Security Analyst

15.2 HONEYPOTS

What is a Honeypot?

Intruders are enticed by a virtual trap set up with the aid of honeypots. In order to improve your security
procedures, having a computer system purposefully hacked is a useful tool. Honeypots may be used to
any computing resource, including software, networks and file servers.

If you use honeypots, you can have a better idea of how an attacker is acting. Security teams can employ
honeypots to get information on how hackers operate. False positives are less probable with these
methods than with more traditional ones, as only malicious activity will be detected. In order to trick
hackers into believing they’re dealing with a legitimate system and so attract them in, honeypots come
in many shapes and sizes.

Types of Honeypot Deployments

Honeypots can be used by threat actors to conduct a wide range of damaging activities:
 It is a “pure honeypot” when the network link connecting the honeypot to the network is bug-tapped.
They don’t have a good handle on the facts.
 In order to entice crooks, honeypots like this one mimic real-world services and infrastructure. Using
them, harmful software like botnets and worms may be collected without the user being aware of it.
 Honeypots that imitate the complexity and interactivity of real-world infrastructure. The ability
to carry out a wide range of cyberattacks while still providing useful cybersecurity information
to a cybercriminal. In order to keep hackers away of the actual system, it is necessary to utilise
specialised employees and technological tools like virtual machines in order to maintain these types
of defences.

Honeypot Limitations

Detection and identification of attackers are two of the honeypot’s limitations, as it cannot discover
security flaws in regular systems. There is also a fear that an attacker may get past the honeypot and
into the production network. This may be avoided by properly separating honeypots.

With the help of additional security measures, honeypots can aid in the efficiency of your business. By
exchanging multiple copies of sensitive material with suspected moles or whistleblowers, for example,
the canary trap strategy helps to discover information breaches.

3
JGI JAIN
DEEMED-TO-BE UNIVERSIT Y
Cyber Security: Concepts and Practices

Honeynet: A Network of Honeypots

Honeynets are decoy networks with honeypots. A small number of computers host the network, each
representing a different environment, yet it looks to be a real network with numerous systems.. Consider
a honeypot machine running Windows, Mac OS X, or Linux as an example of this technique.

Network traffic is monitored by honeywalls, which divert it to honeypot instances. To make it simpler for
an attacker to get into a honeynet, flaws may be added.

Any system on the honeynet can be accessed by an attacker. Attacks on the real network are redirected
to the honeynet, which collects and analyses information on the attackers. Honeynets, as opposed to
only honeypots, cover a larger region and provide the impression of a more realistic network.

As a result, honeynets are an ideal option for huge and complicated networks since they give attackers
with an alternative corporate network that they may find more interesting than the genuine one.

15.3 MALICIOUS CODE NAMING

Some people may find it difficult to keep track of how many different words and phrases are used to
describe the same subject. What are the standards by which we choose the titles of our blogs? In this
section, we’ll quickly go over some of the fundamentals. To learn more about this issue, visit CARO’s
website. Look at OSX/Imuler, a new strain of malware.

If you were to look at detection names from other vendors, you’ll notice some of these names for this file:
 Trojan-Dropper:OSX/Revir.C
 Backdoor:MacOS_X/Imuler.C
 OSX/Imuler.D
 OSX/Imuler-D
 OSX_IMULER.B
 OSX.Revir
 Trojan.Muxler.6

15.4 AUTOMATED MALICIOUS CODE ANALYSIS SYSTEMS

The quantity of damaging code has steadily increased as malicious code technology has progressed.
A hazardous code analysis system should, in other words, replace the current manual technique.
These publications describe AMCAS, an automated method for identifying potentially harmful code.
This includes static, dynamic and network analysis. For the first time, this system takes into account
network activity when doing its evaluations, something that previous automated systems do not. In
order to retrieve the unpacked binary code and CallGraph of malicious programmes, static, dynamic
and network behaviour analysers can all be utilised. It was discovered that a test run of this system
might yield potentially harmful code information. The triage process and forensic investigations may
be expedited and saved time using automated malware analysis technologies, such as sandboxes. It is
possible for analysts to make use of the specimen’s capabilities to determine where they should focus

4
UNIT 15: Defense and Analysis Techniques – II JGI JAIN
DEEMED-TO-BE UNIVERSIT Y

their subsequent efforts. The following is a comprehensive list of online providers that do automated
virus analysis for free:
 AMAaaS (Android files)
 Any.run (Community Edition)
 Binary Guard True Bare Metal
 Intezer Analyse (Community Edition)
 IRIS-H (focuses on document files)
 CAPE Sandbox
 Comodo Valkyrie
 Detux Sandbox (Linux binaries)
 FileScan.IO (static analysis)
 Gatewatcher Intelligence
 Hatching Triage (Individual and researcher licenses)
 Hybrid Analysis
 InQuest Labs Deep File Inspection
 Joe Sandbox Cloud (Community Edition)
 Manalyser (static analysis)
 sandbox.pikker.ee
 SandBlast Analysis
 SecondWrite (free version)
 SNDBOX
 ThreatConnect
 ThreatTrack
 ViCheck
 VirusTotal
 Yomi”

15.4.1 Passive Analysis

Passive cybersecurity is the most important part of a system’s defence against outside threats. Firewalls,
anti-malware systems, intrusion prevention systems, anti-virus protection and intrusion detection
systems restrict security gaps and exposure to threats. Security techniques that do not require human
interaction are referred to as “passive.” The security of a computer isn’t always the responsibility of
those in the information technology industry (IT). To begin, passive cybersecurity alerts you to any
threats that have already been recognised, helping to keep an attack at bay. Attackers have a harder
time getting past many layers of defence. An example of passive cybersecurity is a home security

5
JGI JAIN
DEEMED-TO-BE UNIVERSIT Y
Cyber Security: Concepts and Practices

system. The sensors, cameras and alarms installed in your home will keep it safe even if you aren’t there
to monitor it yourself. Even if your first line of defence is vital, understand that it’s not always sufficient.
Cybersecurity that is fully functioning is the answer to this problem.

15.4.2 Active Analysis

It is necessary to have a staff of security analysts who respond to alerts and analyse hazards. Businesses
need to have the right personnel in place to cope with a rising variety of risks, which are becoming
increasingly difficult to address. Analysts in active cybersecurity employ their skills, information from
both the outside world and our own internal networks in real-time, in order to gather intelligence and
prevent such assaults as far as protecting your house from invaders, prevention is better than response.
A proactive cybersecurity strategy may be difficult for any firm to implement. An alternative is to use a
managed security services provider to plug any holes in the security skills of the people on your staff. In-
house cybersecurity teams, like police departments in the United States, may benefit from the knowledge
of outside consultants. Firms of all sizes face cybersecurity challenges as the threat landscape evolves.
In order to get access to a computer system, hackers use a variety of methods. Firms must use both
passive and active methods to safeguard their systems against vulnerabilities in cybersecurity.

15.5 PHYSICAL OR VIRTUAL MACHINES

What is a Virtual Machine?

Virtual machines (VMs) execute programmes and distribute applications on virtual machines rather
than on a physical computer. It is possible to host one or more “guest” computers on a physical machine.
A single host can have several virtual machines, each of which has its own operating system and runs
independently of the others. In other words, a physical PC might run a virtual MacOS system. On-
premises and cloud-based virtual computers are used for a broad variety of tasks. Virtual machines
are increasingly being used to provide virtual application resources to multiple users simultaneously as
public cloud services grow more adaptable and cost-effective.

There are several advantages to using a virtual computer. For the following reasons, virtual computers
are more convenient to run and maintain than actual ones:

By using a virtual machine, you may save on space, time and administrative costs (VMs).

Upgrading existing software is made more affordable by running it in a virtual machine on a new
operating system. A Linux distribution can be used as a guest operating system on a server running
another operating system, such as Microsoft Windows. Virtual machines can also be used for disaster
recovery and application provisioning.

Disadvantages of using a virtual machine:

 The benefits of virtual machines outweigh the drawbacks, though.
 Infrastructure requirements must be addressed if many virtual machines are running on a single
real computer to avoid uneven performance.
 As compared to an actual computer, virtual computers are less efficient and slower. In order to
maximise efficiency and minimise risk, nearly every business makes use of both physical and virtual
infrastructure.

6
UNIT 15: Defense and Analysis Techniques – II JGI JAIN
DEEMED-TO-BE UNIVERSIT Y

It is possible to categorise virtual machines into two types:

Physical and virtual

 Both system and process virtual machines can be used by users.
 In order to create a platform agnostic programming environment, a process virtual machine (PVM)
is used to disguise the host computer’s hardware and operating system. Process virtual machines,
such as the Java Virtual Machine, may run Java programmes on any operating system.
 A virtual machine is an exact duplicate of a physical computer. A system platform enables several
virtual machines, each running its own copy of the operating system, to share a single host computer.
A bare-metal hypervisor, such as the VMware ESXi hypervisor, can be utilised in this virtualisation
procedure.

15.6 INTRUSION DETECTION SYSTEMS

What is an Intrusion Detection System?

Unusual behaviour on a network can be detected by an intrusion detection system (IDS), which can be
implemented as a piece of hardware or software. A security information and event management system
(SIEM) is widely used to report or gather information about potentially risky actions or violations
(SIEM). Instantaneous response is possible with some intrusion detection systems (IDS). One of them is
an intrusion detection system (IDS) (IPS).

Detection Methods for IDS

There is AN ID for every requirement, from anti-virus software to network traffic monitoring. In terms
of frequency, these are the most popular:
 Network intrusion detection systems (NIDS): A network traffic analysis system.
 Host-based intrusion detection systems (HIDS): A mechanism for keeping tabs on crucial files in
the operating system.
 Signature-based: Signature-based Byte sequences and known malicious instruction sequences are
only two examples of patterns that might be utilised to spot possible threats. These patterns are known
as signatures by anti-virus software. A signature-based ID prevents the discovery of new threats.
 Anomaly-based: As the number of malware threats grows, new technologies must be developed
that can identify and respond effectively to emerging attacks. Using machine learning, this detection
method creates a model of dependable behaviour, which is then compared to new activities. Detection
of previously unknown dangers might lead to false positives if previously accepted behaviour is
wrongly categorised as dangerous by this approach.

IDS Usage in Networks

When placed at a key location inside a network, IDS will monitor all incoming and outgoing traffic and
compare it to a database of known threats. When an attack or unexpected behaviour is identified, an
alarm can be generated to the administrator.

7
JGI JAINDEEMED-TO-BE UNIVERSIT Y
Cyber Security: Concepts and Practices

Evasion Techniques

Knowing how cyber thieves break a protected network can assist IT teams understand how IDS systems
might be misled into not detecting actionable threats and it can be beneficial in the following ways:
 Detection systems are unable to detect attackers that deliver a high number of fragmented packets.
 A port utilised by a protocol, for example, may not always be an indication of the protocol being
transmitted. If an attacker modifies the trojan to use a different port, the IDS may be unable to
detect its presence.
 Multiple attackers can work together to conduct a low-bandwidth attack by spreading ports or hosts
among themselves. The IDS can’t determine that a network scan is taking place if it can’t correlate
the captured packets.
 Using a poorly secured or incorrectly configured proxy server may mask the origin of the attack.
Fake or bouncing servers might be difficult to detect if the source cannot be verified.
 By changing their patterns, an attacker might escape being detected by IDS, which uses pattern
matching to identify assaults. To avoid detection, it is feasible to make slight changes in the attack
architecture.

Why Intrusion Detection Systems are Important

The safe and secure transmission and sharing of information between different firms functioning in
a networked business environment requires high levels of security. When typical security measures
fail, intrusion detection systems step in. The ever-changing nature of cyber-attacks necessitates the
evolution of protective systems.

Conclusion 15.7 CONCLUSION

 Security analytics is a proactive approach to cybersecurity that uses data collection, aggregation
and analysis capabilities to perform critical security functions that identify, analyse and mitigate
cyber threats. Security analysis tools, such as threat detection and security monitoring, are used
to identify and investigate security incidents and potential threats, such as external malware,
targeted attacks and malicious insiders. Identifying these threats at an early stage gives security
professionals the opportunity to stop them before they can penetrate the network infrastructure,
compromise valuable data and assets, or harm the organisation.
 Intruders are enticed by a virtual trap set up with the aid of honeypots. In order to improve your
security procedures, having a computer system purposefully hacked is a useful tool. Honeypots may
be used to any computing resource, including software, networks and file servers.
 Some people may find it difficult to keep track of how many different words and phrases are used to
describe the same subject. What are the standards by which we choose the titles of our blogs? In this
section, we’ll quickly go over some of the fundamentals. To learn more about this issue, visit CARO’s
website. Look at OSX/Imuler, a new strain of malware.
 The quantity of damaging code has steadily increased as malicious code technology has progressed.
A hazardous code analysis system should, in other words, replace the current manual technique.

8
UNIT 15: Defense and Analysis Techniques – II JGI JAIN
DEEMED-TO-BE UNIVERSIT Y

These publications describe AMCAS, an automated method for identifying potentially harmful
code. This includes static, dynamic and network analysis. For the first time, this system takes into
account network activity when doing its evaluations, something that previous automated systems
do not. In order to retrieve the unpacked binary code and CallGraph of malicious programmes,
static, dynamic and network behaviour analysers can all be utilised. It was discovered that a test
run of this system might yield potentially harmful code information. The triage process and forensic
investigations may be expedited and saved time using automated malware analysis technologies,
such as sandboxes. It is possible for analysts to make use of the specimen’s capabilities to determine
where they should focus their subsequent efforts.
 Virtual machines (VMs) execute programmes and distribute applications on virtual machines rather
than on a physical computer. It is possible to host one or more “guest” computers on a physical
machine. A single host can have several virtual machines, each of which has its own operating
system and runs independently of the others. In other words, a physical PC might run a virtual
MacOS system. On-premises and cloud-based virtual computers are used for a broad variety of
tasks. Virtual machines are increasingly being used to provide virtual application resources to
multiple users simultaneously as public cloud services grow more adaptable and cost-effective.
 Unusual behaviour on a network can be detected by an intrusion detection system (IDS), which can
be implemented as a piece of hardware or software. A security information and event management
system (SIEM) is widely used to report or gather information about potentially risky actions or
violations (SIEM). Instantaneous response is possible with some intrusion detection systems (IDS).
One of them is an intrusion detection system (IDS) (IPS).

15.8 GLOSSARY

 Virtual machines: They execute programmes and distribute applications on virtual machines
rather than on a physical computer
 Virtual honeypot: Intruders are enticed with a virtual honeypot, which is set up to catch them. The
only way to find out if a system has any security issues is to have an attacker enter the system in
question. You may set up honeypots all across your computer network, including your routers and
switches as well as your file servers and networks
 IDS: IDSs monitor a network for suspicious activity or policy violations and can be hardware or
software-based, depending on the needs of the network

15.9 SELF-ASSESSMENT QUESTIONS

A. Essay Type Questions

1. Explain the definition of Honeypots.
2. Define Malicious Code Naming.
3. Discuss about to Physical or Virtual Machines.

9
 JGI JAINDEEMED-TO-BE UNIVERSIT Y
Cyber Security: Concepts and Practices

15.10 HINTS FOR SELF-ASSESSMENT QUESTIONS

Hints for Essay Type Questions

1. Intruders are enticed by a virtual trap set up with the aid of honeypots. In order to improve your
security procedures, having a computer system purposefully hacked is a useful tool. Honeypots may
be used to any computing resource, including software, networks and file servers. Refer to Section
Honeypots
2. Some people may find it difficult to keep track of how many different words and phrases are used to
describe the same subject. What are the standards by which we choose the titles of our blogs? In this
section, we’ll quickly go over some of the fundamentals. To learn more about this issue, visit CARO’s
website.) Look at OSX/Imuler, a new strain of malware. Refer to Section Malicious Code Naming
3. Virtual machines (VMs) execute programmes and distribute applications on virtual machines rather
than on a physical computer. It is possible to host one or more “guest” computers on a physical
machine. A single host can have several virtual machines, each of which has its own operating
system and runs independently of the others. In other words, a physical PC might run a virtual
MacOS system. On-premises and cloud-based virtual computers are used for a broad variety of
tasks. Virtual machines are increasingly being used to provide virtual application resources to
multiple users simultaneously as public cloud services grow more adaptable and cost-effective.
Refer to Section Physical or Virtual Machines

@ 15.11 POST-UNIT READING MATERIAL

 http://www.cse.chalmers.se/edu/year/2015/course/EDA263/oh15/L02%20-%20Malicious%20
Code%20%28Malware%29%20--%20print.pdf
 https://sites.cs.ucsb.edu/~chris/research/doc/malware05_behavior.pdf

15.12 TOPICS FOR DISCUSSION FORUMS

 Discuss the importance and applications of defense and analysis techniques and their necessity in
a modern world.

10