Module 06 Notes (1)

The document outlines the importance of handling network security incidents to protect organizational data and reputation. It details processes for detecting, containing, and eradicating various types of incidents, including unauthorized access, inappropriate usage, DoS/DDoS attacks, and wireless network security incidents, along with recovery steps. The module emphasizes the need for a structured incident handling and response process to minimize data loss and maintain business continuity.


Module 06[ECIH]

Handling and Responding to Network Security Incidents


Introduction to Handling Network Security Incidents

- Network security incidents could cause potential damage to organizational data, resources, and reputation
- Incident handlers must be prepared to handle such incidents before they cause further damage to the corporate network
- Organizations require a proper network incident handling and response (IH&R) process to promptly detect and contain network attacks to minimize data loss and maintain business continuity

Module 06[ECIH-V3]….. By Leena Rane Page 1


Containment of Unauthorized Access Incidents

1. Isolate the affected systems.
2. Disable the affected service to prevent further damage.
3. Limit the number of network access attempts and block access to these resources during incidents.
4. Check for new accounts, if any, created by attackers during the incident and disable them.
5. Enhance physical security measures.
6. Review and update IDS/IPS rule configurations to stop the ongoing attack.
7. Deploy a network segmentation mechanism to separate the infected section of the network from others.
8. Block the identified port immediately after identifying suspicious attempts.
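As an added illustration of the step that checks for accounts created during the incident (this script is not part of the original notes), the Python below compares a pre-incident /etc/passwd snapshot with the current file and proposes lock-out commands; both snapshots, the account names and the severity labels are constructed for the example.

```python
# Added example: compare a pre-incident /etc/passwd snapshot with the current file to find
# accounts created or altered during the incident. Both snapshots are constructed.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0:support:/tmp:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/bash
"""

def parse_passwd(text):
    """Map user name -> the fields that matter for this review (uid, gid, home, shell)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users

def review_accounts(baseline_text, current_text):
    """Return (name, finding, severity) tuples for accounts that differ from the baseline."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, acct in cur.items():
        if name not in base:
            # a new account with UID 0 is a second root login, the most urgent case
            sev = "high" if acct["uid"] == 0 else "medium"
            findings.append((name, "new account" + (" with UID 0" if sev == "high" else ""), sev))
            continue
        old = base[name]
        if old["uid"] != acct["uid"]:
            findings.append((name, f"uid changed {old['uid']} -> {acct['uid']}", "high"))
        # a service account gaining an interactive shell is a common persistence change
        if old["shell"] != acct["shell"] and not acct["shell"].endswith("nologin"):
            findings.append((name, f"shell changed {old['shell']} -> {acct['shell']}", "medium"))
    return findings

def lock_commands(findings):
    """Containment commands for the handler to review: lock, expire and remove the shell of new accounts."""
    return [f"usermod --lock --expiredate 1970-01-02 --shell /usr/sbin/nologin {name}"
            for name, what, _sev in findings if what.startswith("new account")]
```

The handler reviews the generated commands before running them; shell changes on existing accounts are reported but left for manual decision.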



Eradication of Unauthorized Access Incidents

Physical Security Measures
- Restrict access to critical resources by implementing physical security measures.
- Secure hardware, programs, networks, and data at an organizational level.
- Deploy proper physical security measures in the required areas to safeguard information assets.
- Ensure that no networking device or cable is physically accessible without proper surveillance.

Authentication and Authorization Measures
- Prepare appropriate password policies.
- Implement strong authentication for accessing critical resources.
- Change the default passwords to highly secured and complex passwords.
- Create authentication and authorization standards for employees and contractors to follow when evaluating or developing software.
- Establish procedures for provisioning and de-provisioning user accounts.

Host Security Measures
- Eliminate all components of the incident from systems using various techniques.
- Regularly perform various security assessments to identify vulnerabilities and risks.
- Disable unwanted services on hosts.
- Apply the account lockout mechanism to prevent systems from brute-force password guessing attacks.
- Run services with the least privileges possible to reduce the immediate impact of successful exploits.

Network Security Measures
- Design networks such that they block suspicious traffic.
- Properly secure all remote access methods, including modems and VPNs.
- Move all publicly accessible systems and services to a secured demilitarized zone (DMZ).
- Use private IP addresses for all hosts located on internal networks.
- Install an IDS to create alerts for unauthorized access attempts.
- Disable unwanted services.

Recovery after Unauthorized Access Incidents

- Incident responders should identify the type of attack and vulnerabilities exploited and mitigate them.
- In case of data loss, data should be recovered from data backup.
  - Restore all systems to the ready-to-work state.
  - Apply patches to all systems and update them to the latest software version.
  - Replace the affected files with clean files from backups.
- Restore and secure hardware, programs, networks, and data.
  - Confirm that the affected systems are functioning normally.
  - Implement additional monitoring to look for related activities in the future.
  - Formulate and regularly update security policies and protection mechanisms.

Containment of Inappropriate Usage Incidents

1. Immediately turn off all malware-infected systems present in the network
2. Filter the ports and secure the protocols affecting the network
3. Filter the email server to block unauthorized mails
4. Install URL filtering software and spam filter software on the email server
5. Block malicious website URLs
6. Limit the user privileges of employee computers and systems to prevent the spread of malicious or unwanted programs
7. Change the passwords of misused accounts
8. Block communication with the external network and suspicious IP addresses
9. Disconnect or isolate compromised systems or network services
10. Configure firewall rulesets to block malicious traffic

Eradication of Inappropriate Usage Incidents

1. Install firewall and IDS/IPS to block the use of services that violate organizational policies.
2. Configure email servers such that they block outbound spam.
3. Deploy URL filtering to prevent access to inappropriate or malicious websites.
4. Limit outbound connections that use encrypted protocols such as SSH, HTTPS, and IPsec.
5. Use VPN and other secure network channels only.
6. Register user activity logs and keep monitoring them regularly.
7. Enable authentication for sharing files across a network.
8. Enforce the latest data protection and internet usage policies.

Recovery after Inappropriate Usage Incidents

1. Communicate the situation to the organization’s legal department representatives regarding liability issues.
2. Consult the human resources and legal department representatives regarding the procedures for handling
inappropriate usage incidents.
3. Provide training to employees to ensure proper usage and warn them to understand the legal liabilities of such
incidents.
4. Train employees to verify site security before trying to log in or upload personal or professional details.
5. Provide proper guidelines and policies about downloading objectionable content using the organization’s system and
networks.
6. Keep the anti-virus database updated.
7. Implement protective monitoring of critical services.
8. Enforce the latest data encryption policies to protect data from unauthorized users.
9. Conduct regular security audits to reduce network security risks.
10. Upgrade the systems and applications to the latest software version.

Containment of DoS/DDoS Incidents

Absorb Attacks: Provide additional bandwidth to network devices and increase the capacity of servers to absorb attacks.
Divert Traffic: Divert traffic by redirecting URLs and requests to similar servers placed at other locations, or use cloud scrubbing services.
Block Attacks: Deploy automated tools (such as advanced firewall and IDS solutions) to block attacks.
Shutdown Services: Simply shut down all services until an attack has subsided.
Degrade Services: Identify critical services and customize the network, systems, and application designs to cut down noncritical services.
Post-attack Forensics
- Traffic Pattern Analysis: Helps incident handlers develop new filtering techniques for preventing attack traffic from entering or leaving their networks. The output helps in updating load balancing and throttling countermeasures to enhance efficiency and protection ability.
- Packet Traceback: Similar to reverse engineering, it helps identify the true source of the attack and take the necessary steps to block further attacks.
- Event Log Analysis: Helps identify the source of DoS traffic and enables recognition of the type of DDoS attack or combination of attacks used.
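The event log analysis described above, as an added example that is not part of the original notes: the script parses a constructed firewall log format (the key=value layout, timestamps, addresses and the 50 packets-per-second threshold are all assumptions for the example), finds sources whose packet rate exceeds the threshold in any one-second bucket, and names the attack type from protocol and TCP flags.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log format for this example (not from the notes):
# <timestamp> proto=<TCP|UDP|ICMP> src=<ip> dst=<ip> dport=<port> [flags=<tcp flags>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+)(?: flags=(?P<flags>\w+))?$")

def make_sample_log():
    """Build constructed log lines: a little normal traffic plus two floods in one second."""
    t0, t1 = "2024-05-01T10:00:00Z", "2024-05-01T10:00:01Z"
    lines = [f"{t0} proto=TCP src=198.51.100.{i} dst=192.0.2.10 dport=443 flags=S" for i in range(1, 6)]
    lines += [f"{t0} proto=TCP src=198.51.100.{i} dst=192.0.2.10 dport=443 flags=A" for i in range(1, 6)]
    # SYN flood: ten sources each send 60 SYNs within the same second
    lines += [f"{t1} proto=TCP src=203.0.113.{i % 10} dst=192.0.2.10 dport=443 flags=S" for i in range(600)]
    # UDP flood from a single source against the DNS port
    lines += [f"{t1} proto=UDP src=203.0.113.99 dst=192.0.2.53 dport=53" for _ in range(80)]
    return lines

def classify(ev):
    """Name the attack type from protocol and TCP flags, as a handler would when reading the log."""
    if ev["proto"] == "TCP" and ev["flags"] == "S":
        return "TCP SYN flood"
    if ev["proto"] in ("UDP", "ICMP"):
        return ev["proto"] + " flood"
    return "TCP port " + ev["dport"] + " request flood"

def analyze(lines, threshold=50):
    """Return {src: {"pps": peak packets/second, "type": dominant attack type}} for
    every source that exceeded `threshold` packets in any one-second bucket."""
    per_sec = Counter()               # (second, src) -> packets
    kinds = defaultdict(Counter)      # src -> attack type -> packets
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines in another format
        ev = m.groupdict()
        per_sec[(ev["ts"], ev["src"])] += 1
        kinds[ev["src"]][classify(ev)] += 1
    offenders = {}
    for (_ts, src), n in per_sec.items():
        if n >= threshold and n > offenders.get(src, {}).get("pps", 0):
            offenders[src] = {"pps": n, "type": kinds[src].most_common(1)[0][0]}
    return offenders
```

The per-source view is what feeds the filtering and rate-limiting updates mentioned under traffic pattern analysis; in a real DDoS the offending sources are many, so the same counts should also be aggregated per destination.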

Eradicating DoS/DDoS Incidents: Blocking Potential Attacks

Egress Filtering:
- Scans the headers of IP packets leaving a network;
- ensures unauthorized or malicious traffic never leaves the internal network;
- packets do not reach the target address if they do not meet the necessary specifications.

Ingress Filtering:
- Prevents source address spoofing for Internet traffic;
- protects against flooding attacks originating from valid prefixes (IP addresses);
- enables the originator to be traced to its true source.

TCP Intercept:
- Protects TCP servers from TCP SYN-flooding attacks;
- by configuring TCP intercept features, DoS attacks can be prevented by intercepting and validating TCP connection requests.

Rate Limiting:
- Controls the rate of outbound or inbound traffic in a network interface controller;
- reduces high-volume inbound traffic caused by DDoS attacks.
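The egress and ingress filtering rules above, as an added example that is not part of the original notes: a small border-router model in Python in which the owned prefix, the per-interface peer prefixes, the bogon list and the sample packets are all constructed (RFC 5737 documentation addresses), showing which packets each filter drops and why.

```python
from ipaddress import ip_address, ip_network

# Constructed border-router view for this example (not from the notes). All addresses are
# RFC 5737 documentation ranges; INTERNAL is what we own, PEERS maps each upstream interface
# to the prefixes legitimately reachable through it, BOGONS can never be a valid Internet source.
INTERNAL = [ip_network("192.0.2.0/24")]
PEERS = {"eth1": [ip_network("198.51.100.0/24")], "eth2": [ip_network("203.0.113.0/24")]}
BOGONS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
          ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"), ip_network("0.0.0.0/8")]

def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def egress_filter(src):
    """Outbound packet: permit only if the source is one of our own prefixes, so a
    compromised internal host cannot send traffic with a forged (external) source."""
    src = ip_address(src)
    return "permit" if in_any(src, INTERNAL) else "drop"

def ingress_filter(src, iface):
    """Inbound packet: drop sources that claim to be us, come from bogon space, or arrive on an
    interface that does not lead to their prefix (so a flood's true origin stays traceable)."""
    src = ip_address(src)
    if in_any(src, INTERNAL) or in_any(src, BOGONS):
        return "drop"
    return "permit" if in_any(src, PEERS.get(iface, [])) else "drop"

def apply_filters(packets):
    """packets: (direction, src, iface) tuples; returns the verdict for each in order."""
    verdicts = []
    for direction, src, iface in packets:
        verdicts.append(egress_filter(src) if direction == "out" else ingress_filter(src, iface))
    return verdicts

# Constructed sample traffic: the last three items are what the filters are meant to stop.
SAMPLE = [
    ("out", "192.0.2.10", "eth1"),      # normal outbound
    ("in", "198.51.100.7", "eth1"),     # normal inbound on the right interface
    ("out", "203.0.113.5", "eth1"),     # internal host spoofing an outside address
    ("in", "192.0.2.10", "eth1"),       # outside packet spoofing our own address
    ("in", "198.51.100.7", "eth2"),     # valid prefix but wrong interface: spoofed
]
```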

Eradicating DoS/DDoS Incidents: Neutralizing Handlers

- Network Traffic Analysis: Analyze communication protocols and traffic patterns to identify network nodes that may be infected by handlers.
- Neutralize Botnet Handlers: In comparison to the number of agents, fewer DDoS handlers are deployed. By neutralizing some handlers, multiple agents can be rendered useless, thwarting DDoS attacks.
- Spoofed Source Address: There is a decent probability that the spoofed source address of DDoS attack packets does not represent a valid source address of the definite sub-network.

Recovery after DoS/DDoS Incidents

1. Determine the extent of impact on different sources, their ability to function, and the risks involved in using
compromised resources
2. Devise various recovery methods depending on different factors such as severity of incident, systems affected, and
systems and devices required
3. Communicate with the incident response team to select the best recovery plan and obtain the required permissions
from cyber security authorities
4. Use backup resources efficiently to replace compromised systems
5. Check the functionality of all restored systems
6. Implement additional monitoring to look for related activity in future
7. Erase unwanted DDoS detection logs recorded across security solutions after responding to the DDoS attack
8. Restart the BGP protocol to send a keepalive message after restoring websites from DoS attacks

Detecting Wireless Network Security Incidents

- Access Point Monitoring: Audit all access point devices used to establish wireless networks and list their details, including MAC address, SSID, and network transmission information, to create a baseline
- Wireless Client Monitoring: Monitor all clients connected to an access point and their activities over the wireless network
- General Wireless Traffic Monitoring: Monitor wireless networks to detect malicious attempts (such as DoS attacks) using techniques such as de-authentication, de-association, and erroneous authentication
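Access point monitoring and general wireless traffic monitoring together, as an added example that is not part of the original notes: the audit baseline (BSSID, SSID, channel), the frames seen by a sensor and the de-authentication threshold are all constructed; the script flags unknown APs, an unknown AP advertising a corporate SSID, drift from the audited configuration, and a burst of de-authentication frames.

```python
from collections import Counter

# Constructed AP audit baseline for this example (not from the notes): BSSID -> (SSID, channel)
BASELINE = {
    "00:11:22:33:44:01": ("CorpWiFi", 6),
    "00:11:22:33:44:02": ("CorpWiFi", 11),
    "00:11:22:33:44:03": ("CorpGuest", 1),
}

# Constructed frames seen by a monitoring sensor: (frame type, BSSID, SSID, channel)
FRAMES = [
    ("beacon", "00:11:22:33:44:01", "CorpWiFi", 6),
    ("beacon", "00:11:22:33:44:02", "CorpWiFi", 11),
    ("beacon", "00:11:22:33:44:03", "CorpGuest", 1),
    ("beacon", "de:ad:be:ef:00:01", "CorpWiFi", 6),     # unknown BSSID advertising our SSID
    ("beacon", "ca:fe:00:00:00:09", "CoffeeShop", 3),   # unrelated network in range
    ("beacon", "00:11:22:33:44:03", "CorpGuest", 9),    # known AP, channel differs from audit
]
# plus a burst of de-authentication frames sent in the name of one corporate AP
FRAMES += [("deauth", "00:11:22:33:44:01", "", 6)] * 40

def check_access_points(frames, baseline):
    """Compare every beaconing AP with the audit baseline; return (finding, bssid, ssid) tuples."""
    known_ssids = {ssid for ssid, _ in baseline.values()}
    findings = []
    for ftype, bssid, ssid, chan in frames:
        if ftype != "beacon":
            continue
        if bssid not in baseline:
            # an unknown AP using a corporate SSID is the evil-twin case; anything else is just unknown
            findings.append(("evil-twin" if ssid in known_ssids else "unknown-ap", bssid, ssid))
        elif baseline[bssid] != (ssid, chan):
            findings.append(("config-drift", bssid, ssid))
    return findings

def deauth_floods(frames, threshold=20):
    """Return {bssid: count} for APs whose name was used in at least `threshold` deauth frames."""
    counts = Counter(bssid for ftype, bssid, _, _ in frames if ftype == "deauth")
    return {bssid: n for bssid, n in counts.items() if n >= threshold}
```

A real sensor reports frame times, so the de-authentication count would be taken per time window rather than per capture.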

Containment of Wireless Network Security Incidents

1. Disable wireless access/SSID broadcasting until the detection of intrusion
2. Enable credentials or password security protocols such as WPA3 on wireless devices
3. Update wireless access point devices
4. Whitelist authorized user devices to recognize unauthorized or unknown devices in a network
5. Configure MAC address filtering on every network
6. Turn off suspected privileges on the router for wireless configuration settings
7. Utilize the URH security tool for wireless protocol investigation
8. Use WIPS to disconnect authorized users from rogue APs

Eradication of Wireless Network Security Incidents


1. Select a complex passphrase with a minimum length of 20 characters
2. Always use the Wi-Fi Protected Access 3 (WPA3) security protocol in wireless networks
3. Use the virtual-private-network (VPN) technology
4. Deny wireless service to new clients
5. Block the switch port to which APs are connected
6. Use non-regular patterns as PIN keys while pairing a device
7. Use wireless network auditing tools such as Kismet and Wireshark to scan wireless network traffic
8. Update and install access point (AP) software with the latest patches

Recovery after Wireless Network Security Incidents

- Update all routers and Wi-Fi devices with the latest security patches
- Change the default SSID after WLAN configuration
- Use SSID cloaking to prevent certain default wireless messages from broadcasting the ID to everyone
- Set the router access password and enable firewall protection
- Enable encryption on APs and frequently change the passphrase
- Select Wi-Fi Protected Access 3 (WPA3) instead of WPA and WPA2
- Place wireless APs in a secure location
- Enable encryption when establishing a Bluetooth connection to your PC

Module Summary
- In this module, we discussed the importance of handling network security incidents
- We defined the general preparation steps for handling network security incidents and reviewed general detection techniques
- This module detailed the detection, containment, and eradication of unauthorized access incidents, along with recovery steps after such incidents
- We also examined the detection, containment, and eradication of inappropriate usage incidents, along with recovery steps after such incidents
- Moreover, we explained the detection, containment, and eradication of DoS/DDoS incidents, along with recovery steps after such incidents
- We further described the fundamentals of wireless network security incidents along with their detection, containment, eradication, and recovery steps
- In the next module, we will discuss how to handle and respond to various web application security incidents in detail
