Malicious Network Activity Report

I. Malicious Network Activity Report
Deliverables:
• Malicious Network Activity Report: 8 to 10-page double-spaced Word document with
citations, include figures, diagrams, tables. APA format. The page count does not include
figures, diagrams, tables, or citations.
Part 1: Create a Network Architecture Overview
Describe the various data transmission components, including the User Datagram Protocol (UDP),
the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, Internet packets, IP address
schemes, and well-known ports and applications.
As part of your assignment to report on prevention methods and remediation techniques for the
banking industry, you would travel to the various bank locations and gain access to their
networks. Before doing so, however, you must understand the network architecture of these banks.
Provide a network architecture overview along with diagrams. Your overview can be
fictitious or based on an actual organization. The goal is to provide an understanding of the
network architecture.

Writing Plan (NB: all points mandatory)
Address the meaning and relevance of:
• The sender or source that transmits a message
• The encoder used to code messages
• The medium or channel that carries the message
• The decoding mechanisms used
• The receiver or destination of the messages
Describe:
• Intrusion detection system (IDS)
• Intrusion prevention system (IPS)
• The firewalls that have been established
• The link between the operating systems, the software, and hardware components in the
network, firewall, and IDS that make up the network defense implementation of the banks’
networks.
Identify:
• How banks use firewalls
• How banks use IDSs
• The differences between these technologies
Include:
• The network infrastructure information
• The IP address schemes, which will involve the IP addressing assignment model
• The public and private addressing and address allocations
• Potential risks in setting up the IP addressing scheme
Additionally identify:
• Any well-known ports and applications that are used
• The risks associated with those ports and applications being identified and possibly targeted
General consideration:

  1. User Datagram Protocol (UDP). “…User datagram protocol (UDP) is a connectionless
    transport layer protocol that requires no handshaking process. Unlike transmission control
    protocol (TCP), UDP transmits data without setting up a dedicated connection or verifying the
    transmission with the receiver. Consequently, there is no guarantee that data packets are
    delivered in the right order, or delivered at all.
    However, UDP has low latency and is suitable for time-critical transmission where speed is more
    important than reliability. Common applications of UDP include Domain Name System (DNS)
    and Simple Network Management Protocol (SNMP).”
  2. Internet Packets – Data transmitted over the internet is broken into small pieces, or packets.
    Moving several small packets is faster and more robust than moving one large message, because a
    lost or corrupted packet can be resent on its own. According to Severance (2015): "The most
    important innovation that allowed messages to move more quickly across a multi-hop network was to
    break each message into small fragments and send each fragment individually" (p. 6).
    Each packet carries the source and destination address, which is what routes it to the intended
    destination. Since a large number of packets (from different sources) travel simultaneously, each
    packet from a single sender may take a different route, and the packets may not arrive at their
    destination in order; a reliable transport such as TCP uses sequence numbers to put them back in
    order, whereas UDP hands them to the application as they arrive.
    References:
    Severance, C. (2015). Introduction to networking. http://do1.dr-chuck.net/net-intro/EN_us/netintro.pdf.
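As an added illustration of the UDP and packet points above (example code written for this page, not taken from the assignment or from any cited source): the message, the two addresses and the 8-byte packet size are constructed, and the "network" is simulated by shuffling the packets with an optional loss rate. The reliable receiver puts fragments back by sequence number and reports gaps, the way TCP does; the unreliable receiver takes whatever arrives in whatever order, the way UDP does.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not part of the assignment). Message, addresses and packet
# size are constructed; the "channel" is a seeded shuffle with optional loss.

MTU = 8  # payload bytes per packet, deliberately tiny so the output is readable


@dataclass(frozen=True)
class Packet:
    src: str        # source address (who sent it)
    dst: str        # destination address (what routes it)
    seq: int        # byte offset of this fragment in the original message
    payload: bytes


def fragment(message: bytes, src: str, dst: str, mtu: int = MTU) -> List[Packet]:
    """Sender side: cut one message into independently routable packets."""
    return [Packet(src, dst, off, message[off:off + mtu])
            for off in range(0, len(message), mtu)]


def deliver(packets: List[Packet], seed: int = 1, loss: float = 0.0) -> List[Packet]:
    """The channel: packets take different routes, so they arrive in any order,
    and with loss > 0 some never arrive at all. Seeded for reproducibility."""
    rng = random.Random(seed)
    arrived = [p for p in packets if rng.random() >= loss]
    rng.shuffle(arrived)
    return arrived


def reassemble_reliable(received: List[Packet], total_len: int) -> Tuple[bytes, List[int]]:
    """TCP-style receiver: place each fragment by sequence number and report
    which byte offsets are still missing (a real stack would request those
    again before handing the message to the application)."""
    buf = bytearray(total_len)
    have = set()
    for p in received:
        buf[p.seq:p.seq + len(p.payload)] = p.payload
        have.update(range(p.seq, p.seq + len(p.payload)))
    missing = sorted(set(range(total_len)) - have)
    return bytes(buf), missing


def reassemble_unreliable(received: List[Packet]) -> bytes:
    """UDP-style receiver: no sequencing and no retransmission; the application
    gets datagrams in arrival order and lost ones are simply absent."""
    return b"".join(p.payload for p in received)


if __name__ == "__main__":
    msg = b"Wire transfer ACK: txn 4711 posted"          # constructed message
    pkts = fragment(msg, "10.20.1.15", "10.20.2.10")     # constructed addresses
    print("packets sent:", [(p.seq, p.payload) for p in pkts])
    rx = deliver(pkts, seed=7)
    print("arrival order:", [p.seq for p in rx])
    print("TCP-style:", reassemble_reliable(rx, len(msg)))
    print("UDP-style:", reassemble_unreliable(rx))
    print("UDP-style, 50% loss:", reassemble_unreliable(deliver(pkts, seed=3, loss=0.5)))
```

The lossy run is what makes the UDP/TCP distinction concrete: the reliable receiver still knows exactly which byte ranges are absent, while the unreliable one cannot tell a short message from a damaged one.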
  3. IP Address Schemes – An Internet Protocol (IP) address is the numeric network address assigned
    to each interface on an IP network. On the public internet the address must be unique, whereas
    private addresses (the RFC 1918 ranges such as 10.0.0.0/8) are reused inside many organizations
    and translated at the network edge. The two versions in use are IPv4 and IPv6. According to
    Ellingwood (2014): "IPv4, which is the fourth version of the protocol, currently is what the
    majority of systems support. The newer, sixth revision, called IPv6, is being rolled out with
    greater frequency due to improvements in the protocol and the limitations of IPv4 address space.
    Simply put, the world now has too many internet-connected devices for the amount of addresses
    available through IPv4."
    Since "IPv6 provides for extended network address sizes of 128 bits, a substantial increase over
    the 32-bit address sizes that are available with IPv4," it can "handle the growth rate of the
    internet and the demanding requirements of services, mobility, and end-to-end security for
    network communications" (Radack, 2011).
    References:
    Ellingwood, J. (2014). Understanding IP addresses, subnets, and CIDR notation for networking.
    DigitalOcean. https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking
    Radack, S. (2011). Internet Protocol version 6 (IPv6): NIST guidelines help organizations
    manage the secure deployment of the new network protocol. National Institute of Standards and
    Technology, US Department of Commerce. http://csrc.nist.gov/publications/nistbul/January2011-ITLBulletin.pdf
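An added example (not part of the assignment text) of the IP addressing assignment model and the scheme-level risks the writing plan asks for, using Python's standard ipaddress module. The site names, the 10.20.0.0/16 allocation, the partner VPN range and the mistaken 172.32.0.0/24 block are all assumptions made for illustration.

```python
import ipaddress
from typing import Dict, List

# Added example (not part of the assignment). Site names, the 10.20.0.0/16
# block, the partner VPN range and the 172.32.0.0/24 mistake are constructed.

IPv4Net = ipaddress.IPv4Network
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def allocate_sites(base: str, sites: List[str], prefixlen: int) -> Dict[str, IPv4Net]:
    """Assignment model: carve one /prefixlen block out of `base` per site, in
    order, so that per-branch ACLs and routes can be written as single prefixes."""
    blocks = ipaddress.ip_network(base).subnets(new_prefix=prefixlen)
    plan: Dict[str, IPv4Net] = {}
    for site in sites:
        try:
            plan[site] = next(blocks)
        except StopIteration:
            raise ValueError(f"{base} cannot hold {len(sites)} /{prefixlen} blocks") from None
    return plan


def is_private(net: IPv4Net) -> bool:
    """True only for RFC 1918 space. 172.16.0.0/12 ends at 172.31.255.255, so a
    block such as 172.32.0.0/24 looks private to the eye but is routable space."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_scheme(plan: Dict[str, IPv4Net], external: Dict[str, str]) -> List[str]:
    """Risks in setting up the scheme, reported as findings: overlapping site
    blocks, public (routable) space used internally, and collisions with ranges
    the bank does not control (partners, VPN peers, acquired networks)."""
    findings = []
    items = list(plan.items())
    for i, (a, na) in enumerate(items):
        for b, nb in items[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"overlap: {a} {na} and {b} {nb}")
    for site, net in plan.items():
        if not is_private(net):
            findings.append(f"public range used internally: {site} {net}")
    for name, cidr in external.items():
        other = ipaddress.ip_network(cidr)
        for site, net in plan.items():
            if net.overlaps(other):
                findings.append(f"collision with {name} {other}: {site} {net}")
    return findings


if __name__ == "__main__":
    plan = allocate_sites("10.20.0.0/16", ["HQ", "Branch-North", "Branch-South", "DMZ"], 24)
    plan["Branch-East"] = ipaddress.ip_network("172.32.0.0/24")   # looks private, is not
    for site, net in plan.items():
        print(f"{site:13s} {net}  private={is_private(net)}")
    for finding in check_scheme(plan, {"partner VPN": "10.20.3.0/25"}):
        print("FINDING:", finding)
```

The same checks run unchanged against a real addressing plan exported from an IPAM or a set of router configs; the point is that overlap and "private-looking but public" mistakes are mechanical to detect and should be caught before the first branch is brought up.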
  4. Well-Known Ports and Applications – Port numbers are 16-bit numbers that identify the
    application (process) behind a given IP address, so that one host can run several TCP/IP
    services at once. Port numbers are assigned by the Internet Assigned Numbers Authority (IANA)
    and divided into three ranges (Port, n.d.):
    • well-known ports (0 to 1023);
    • registered ports (1024 to 49151); and
    • dynamic and/or private ports (49152 to 65535).
    According to CCM Benchmark Group (2016):
    "Ports 0 to 1023 are the 'well known ports' or reserved ports. Generally speaking, they are
    reserved for system processes (daemons) or programs executed by privileged users. A network
    administrator can nevertheless link services to the ports of his choice."
    Commonly used well-known ports include 21 (FTP), 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP),
    110 (POP3) and 443 (HTTPS). Because these assignments are public, an attacker scanning a bank's
    address range can infer which services are exposed from the open ports alone.
    References:
    CCM Benchmark Group. (2016). Port/ports TCP/IP. http://ccm.net/contents/281-port-ports-tcp-ip
    Port (computer networking). (n.d.). In Wikipedia. https://en.wikipedia.org/wiki/Port_(computer_networking)
Part 2: Identify Network Attacks
Writing Plan:
Provide techniques for monitoring the identified attacks.
Propose and describe a honeypot environment to lure hackers to the network, and include the
following in your proposal:
• Explain how a honeypot environment is set up.
• Explain the security and protection mechanisms a bank would need for a honeypot.
• Discuss some network traffic indicators that will tell you that your honeypot trap is working.
References:
Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Computer security:
Guide to cyber threat information sharing (Special Publication 800-150, 2nd draft). National
Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800-150/sp800_150_second_draft.pdf
Hoeper, K., & Chen, L. (2009). Recommendation for EAP methods used in wireless network access
authentication (Special Publication 800-120). National Institute of Standards and Technology.
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-120.pdf
Part 3: Identify False Positives and False Negatives
Writing Plan (mandatory):
• Identify what false positives and false negatives are.
• Discuss how false positives and false negatives are determined.
• Which is riskier to the health of the network, a false positive or a false negative?
• Describe your analysis of testing for false negatives and false positives using tools such as
IDSs and firewalls.
• Discuss the concept of performing statistical analysis of false positives and false negatives.
• Explain how banks can reduce these issues.
General consideration:
Describe your analysis of testing for false negatives and false positives using tools such as
IDSs and firewalls, and include this as recommendations for the banks in your public service
Discuss the concept of performing statistical analysis of false positives and false negatives.
Explain how banks can reduce these issues. Research possible ways to reduce these events and
include this information as recommendations in the Malicious Network Activity Report.
Network intrusion analysis is often done with a tool such as Snort. Snort is a free and open-source
intrusion detection/prevention system. It is used to detect and block malicious traffic and attacks
on networks, and for analysis and education. Once malicious traffic has been identified, that
identification can be used to write signatures for the IDS, and to configure the IDS to block this
known-bad traffic.
Network traffic analysis is often done using tools such as Wireshark. Wireshark is a free and
open-source packet analyzer. It is used for network troubleshooting, analysis, software and
communications protocol development, and education. Cybersecurity professionals must know how to
perform network forensic analysis.
A "false positive is an instance where an IDS incorrectly identifies a benign activity to be
malicious, while a false negative occurs when the IDS fails to detect a malicious
activity" (Duque & bin Omar, 2015).
False positives and false negatives are important indicators for measuring an IDS's accuracy and
rate of detection. If the numbers of false positives and false negatives are high, the IDS can be
considered ineffective: every false positive costs administrator time to triage, and every false
negative is an attack that went unnoticed.
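An added example of the statistical analysis the writing plan asks for (written for this page, not taken from the cited sources). The labelled events are constructed: each pairs an IDS alert score with whether the traffic really was malicious, which is what an analyst has after reviewing a sample of alerts and captures against ground truth. Sweeping the alert threshold makes the trade-off visible, and the chooser bounds the false-negative rate first, because a missed attack is the costlier error for a bank, then picks the threshold that produces the least analyst noise.

```python
from typing import Dict, List, Optional, Tuple

# Added example (not part of the assignment). EVENTS is constructed:
# (IDS alert score, whether the event really was malicious), as produced by
# labelling a sample of alerts and traffic by hand or against a known test set.

EVENTS: List[Tuple[float, bool]] = [
    (0.95, True), (0.90, True), (0.85, True), (0.70, True), (0.60, True), (0.40, True),
    (0.10, False), (0.20, False), (0.30, False), (0.45, False), (0.65, False), (0.80, False),
]


def confusion(events: List[Tuple[float, bool]], threshold: float) -> Dict[str, int]:
    """Count the four outcomes when the IDS alerts on score >= threshold."""
    cm = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for score, malicious in events:
        alerted = score >= threshold
        if alerted and malicious:
            cm["tp"] += 1          # attack caught
        elif alerted and not malicious:
            cm["fp"] += 1          # benign traffic wrongly alerted (false positive)
        elif not alerted and malicious:
            cm["fn"] += 1          # attack missed (false negative)
        else:
            cm["tn"] += 1          # benign traffic correctly ignored
    return cm


def rates(cm: Dict[str, int]) -> Dict[str, float]:
    """Rates an analyst reports: FPR and FNR are the two error rates,
    precision is the share of alerts worth an analyst's time, recall the share
    of real attacks that were caught."""
    def frac(a: int, b: int) -> float:
        return a / b if b else 0.0
    return {
        "fpr": frac(cm["fp"], cm["fp"] + cm["tn"]),
        "fnr": frac(cm["fn"], cm["fn"] + cm["tp"]),
        "precision": frac(cm["tp"], cm["tp"] + cm["fp"]),
        "recall": frac(cm["tp"], cm["tp"] + cm["fn"]),
    }


def sweep(events, thresholds: List[float]):
    """Evaluate every candidate threshold on the same labelled sample."""
    return [(t, confusion(events, t), rates(confusion(events, t))) for t in thresholds]


def choose_threshold(events, thresholds: List[float], max_fnr: float) -> Optional[float]:
    """Bound the false-negative rate first (missed attacks are the costlier
    error), then take the feasible threshold with the lowest false-positive
    rate; on a tie prefer the higher threshold (fewer alerts to triage)."""
    feasible = [(t, r) for t, _, r in sweep(events, thresholds) if r["fnr"] <= max_fnr]
    if not feasible:
        return None
    return min(feasible, key=lambda tr: (tr[1]["fpr"], -tr[0]))[0]


if __name__ == "__main__":
    candidates = [0.35, 0.50, 0.75]
    for t, cm, r in sweep(EVENTS, candidates):
        print(f"threshold {t:.2f}: {cm}  FPR={r['fpr']:.2f} FNR={r['fnr']:.2f} "
              f"precision={r['precision']:.2f} recall={r['recall']:.2f}")
    print("chosen (FNR <= 20%):", choose_threshold(EVENTS, candidates, max_fnr=0.2))
```

With twelve labelled events the rates are illustrative only; in practice the sample should be large enough that the FNR estimate is trustworthy, and the labelling should be repeated whenever signatures or the traffic mix change, since both shift the curve.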
References:
Duque, S., & bin Omar, M. N. (2015). Using data mining algorithms for developing a model for
intrusion detection system (IDS). Procedia Computer Science, 61, 46–51.
http://www.sciencedirect.com/science/article/pii/S1877050915029750
Phatak, P. (2011). The importance of intrusion prevention systems.
http://opensourceforu.com/2011/01/importance-of-intrusion-prevention-systems/
Atlassian Documentation. (n.d.). How to capture HTTP traffic using Wireshark or Fiddler.
https://confluence.atlassian.com/kb/how-to-capture-http-traffic-using-wireshark-or-fiddler-779164332.html
Network Startup Resource Center. (n.d.). Wireshark: Network forensic exercise.
https://nsrc.org/workshops/2016/apricot2016/raw-attachment/wiki/Track5Wireless/wireshark-lab.pdf
Khan, S., Shiraz, M., Wahab, A., Gani, A., Han, Q., & Rahman, Z. (2014). A comprehensive review
on adaptability of network forensics frameworks for mobile cloud computing. The Scientific World
Journal. https://www.hindawi.com/journals/tswj/2014/547062/
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Computer security: Guide to integrating
forensic techniques into incident response (Special Publication 800-86). National Institute of
Standards and Technology, US Department of Commerce.
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
II. Joint Network Defense Bulletin
Deliverables:
• Joint Network Defense Bulletin: two-page, double-spaced Word document, APA format.
Compile the information you have gathered, taking care to eliminate any sensitive bank-specific
information. The Joint Network Defense Bulletin is an educational document for the financial
services consortium. This bulletin should be addressed to the FBI chief and the FS-ISAC
representative.
