INCIDENT CLASSIFICATION
Incident classification identifies the method(s) an attacker used: unauthorized access, destruction, disclosure or modification of data, and/or denial of service. A single incident can fall under one or more of the incident classification types listed below.
○ Spam
○ System Compromise
○ Scan
○ Denial of Service
○ Copyright Issue
○ Phishing
○ Malware
○ XSS
○ Vulnerability
○ Fastflux
○ SQL Injection
○ Information Leak
○ Scam
○ Cryptojacking
○ Locker
○ Screenlocker
○ Wiper
All incidents processed by the information security response team shall be classified by that team. Incident classification informs those involved of the severity and impact of the incident and ensures that the incident receives the appropriate level of attention. Classification also ensures that the incident is reported to management in a timely manner.
NETWORK EVENT MONITORING
Event monitoring in networking is the process of collecting, analyzing, and signaling event occurrences to operating system processes, active database rules, and human operators. These event occurrences may stem from software or hardware such as operating systems, database management systems, application software, and processors.
● The following occurrences may be designated as events for reporting purposes:
○ Changes to a system’s hardware inventory
○ Changes to a system’s software inventory
○ Application access failures
○ Failed login attempts
○ Job failures
○ Connection failures
○ No device response to polls
○ Disabled protocols
Common Network Devices to Monitor
● Routers: Routers connect networks to each other and to the internet.
● Switches: Switches help connect devices such as servers, computers,
printers, and more. Monitoring switches is critical to ensure network
health and performance. It’s also essential to monitor traffic and
hardware through the switch.
● Firewalls: The role of a firewall is to protect the network by
controlling incoming and outgoing traffic.
● Servers: Server monitoring helps provide information about the
network, data usage, and more.
NETWORK MONITORING TOOLS
What are network monitoring tools?
Network monitoring tools gather and analyze network data to provide network administrators with information about the status of network appliances, link saturation, active devices, the structure of network traffic, and the sources of network problems and traffic anomalies.
What do network monitoring tools do?
Network monitoring tools collect data in some form from active network devices, such as routers, switches, load balancers, servers, firewalls, or dedicated probes, and analyze that data to understand the condition of the network.
NETWORK MONITORING SOFTWARE TOOLS
1. Port Scanners
● Gather information across the network
- No special permissions required
● Determine up/down status
- Ping or Address Resolution Protocol (ARP)
● Check for open ports
- May indicate available services
● Identify the operating system
- Determined without logging in
● Scan services
- Version information
2. Interface Monitoring
● Up or down
- The most important statistic
- No special rights or permissions required
- Green is good, red is bad
● Alarming and Alerting
- Notification if an interface fails to report
- Email, SMS
● Short-term and long-term reporting
- View availability over time
● Not focused on additional details
- Additional monitoring may require SNMP
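The interface-monitoring workflow above (poll up/down, alert on a change, report availability over a window) as an added Python example; it is not code from the original slides. The poll history is constructed in the block so it runs offline; a real poller would obtain each status from a ping or an SNMP ifOperStatus query.

```python
"""Interface up/down poller: transition alerts and availability reporting.

Added example, not from the original slides. SAMPLE_POLLS is constructed
test data; a real poller would fill it from ping results or SNMP ifOperStatus.
"""
from collections import defaultdict

# Constructed poll history: (timestamp in seconds, interface, observed status)
SAMPLE_POLLS = [
    (0,   "gi0/1", "up"),
    (60,  "gi0/1", "up"),
    (120, "gi0/1", "down"),
    (180, "gi0/1", "down"),
    (240, "gi0/1", "up"),
    (0,   "gi0/2", "up"),
    (60,  "gi0/2", "up"),
    (120, "gi0/2", "up"),
    (180, "gi0/2", "up"),
    (240, "gi0/2", "up"),
]


def detect_transitions(polls):
    """Return one alert per up->down or down->up transition.

    Alerting on state changes rather than on every failed poll keeps the
    email/SMS channel from flooding during a long outage.
    """
    last_status = {}
    alerts = []
    for ts, iface, status in sorted(polls):
        prev = last_status.get(iface)
        if prev is not None and prev != status:
            alerts.append({"ts": ts, "iface": iface, "from": prev, "to": status,
                           "message": f"{iface} changed {prev} -> {status} at t={ts}s"})
        last_status[iface] = status
    return alerts


def current_status(polls):
    """Latest state per interface, with the green/red colour a status board shows."""
    latest = {}
    for ts, iface, status in sorted(polls):
        latest[iface] = status
    return {iface: (status, "green" if status == "up" else "red")
            for iface, status in latest.items()}


def availability(polls):
    """Fraction of polls in which each interface was up."""
    up, total = defaultdict(int), defaultdict(int)
    for _, iface, status in polls:
        total[iface] += 1
        if status == "up":
            up[iface] += 1
    return {iface: up[iface] / total[iface] for iface in total}


def availability_between(polls, start, end):
    """Short-term or long-term view: availability over the polls in [start, end]."""
    return availability([p for p in polls if start <= p[0] <= end])


if __name__ == "__main__":
    for alert in detect_transitions(SAMPLE_POLLS):
        print("ALERT:", alert["message"])
    print("status board:", current_status(SAMPLE_POLLS))
    print("availability (all polls):", availability(SAMPLE_POLLS))
    print("availability (t=120..180):", availability_between(SAMPLE_POLLS, 120, 180))
```

Availability is computed from the same poll history at two window sizes, which is all the "short-term and long-term reporting" on the slide amounts to; the same function serves both views.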
3. Packet Flow Monitoring
● Gather traffic statistics
- Metadata of actual traffic flows
● NetFlow (v5 and v9 are most common)
- Standard collection method
- Many products and options
● Probe and collector
- Probe watches network communication
- Summary records are sent to the collector
● Usually a separate reporting application
- Closely tied to the collector
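The probe/collector split above, as an added Python example of the collector side; it is not code from the original slides or from any NetFlow product. The block packs a NetFlow v5 export datagram itself (constructed test data) so it runs offline, then parses the header and the 48-byte summary records the way a collector would after reading them from its UDP socket, and reports the top sources by bytes.

```python
"""Minimal NetFlow v5 collector logic: parse an export datagram, summarize flows.

Added example, not from the original slides. build_v5_datagram() exists only
to construct test input; a real collector receives datagrams from the probe
over UDP and passes them to parse_v5().
"""
import socket
import struct
from collections import Counter

# NetFlow v5 wire format (network byte order, no padding).
V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes


def build_v5_datagram(flows, uptime=1000, unix_secs=1700000000, seq=0):
    """Pack (src, dst, sport, dport, proto, packets, octets) tuples as v5 export data (test only)."""
    header = V5_HEADER.pack(5, len(flows), uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in flows:
        body += V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), b"\x00\x00\x00\x00",
            1, 2,                       # input/output SNMP ifIndex
            pkts, octets,
            uptime - 500, uptime,       # first/last sysUptime of the flow
            sport, dport,
            0, 0x02 if proto == 6 else 0, proto, 0,   # pad, tcp_flags (SYN), prot, tos
            0, 0, 24, 24, 0)            # src_as, dst_as, masks, pad
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram into a dict of header fields and per-flow summaries."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, unix_secs, _nsecs, seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version={version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {"sequence": seq, "unix_secs": unix_secs, "uptime": uptime, "flows": flows}


def top_talkers(flows, n=3):
    """Sources ranked by total octets, the first view most reporting front-ends show."""
    octets = Counter()
    for f in flows:
        octets[f["src"]] += f["octets"]
    return octets.most_common(n)


# Constructed sample: two HTTPS flows from one host, one DNS query from another.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.80", 51000, 443, 6, 120, 96000),
    ("10.0.0.5", "10.0.0.81", 51001, 443, 6, 30, 12000),
    ("10.0.0.9", "10.0.0.53", 40000, 53, 17, 2, 180),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)

if __name__ == "__main__":
    msg = parse_v5(SAMPLE_DATAGRAM)
    for f in msg["flows"]:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} bytes={f['octets']}")
    print("top talkers:", top_talkers(msg["flows"]))
```

The records carry only metadata (addresses, ports, counters), which is why the slide calls them summary records; the collector never sees payload. The length check before unpacking matters in practice because the datagram arrives over UDP from an unauthenticated probe and a short or malformed packet should be rejected, not crash the collector.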
4. Simple Network Management Protocol (SNMP)
● A database of management information (the MIB)
● SNMP versions
- v1 = The original
  - Structured tables, in the clear
- v2 = A good step ahead
  - Data type enhancements, bulk transfer, still in the clear
- v3 = The new standard
  - Message integrity, authentication, encryption
● SNMP information can be very detailed
- Access should be very limited
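The version differences above, as an added Python example that is not from the original slides: a small BER decoder that reads the version field of a captured SNMP message and, for v1/v2c, the community string that travels in the clear, or for v3 the msgFlags byte that says whether the message is authenticated and encrypted. It is the check a defender would run over SNMP traffic to find agents and managers still talking v1/v2c. The message encoders exist only to construct sample input; the source addresses are made up.

```python
"""Classify SNMP messages by version and flag in-the-clear community strings.

Added example, not from the original slides. The encoder functions build
constructed test messages; inspect_snmp() is the detection logic.
"""


def ber(tag, content):
    """Encode one BER TLV (short-form length; enough for the test messages here)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def snmp_community_message(version, community, request_id=1):
    """SNMPv1 (version=0) or v2c (version=1) GetRequest with an empty varbind list."""
    pdu = ber(0xA0, ber(0x02, bytes([request_id])) + ber(0x02, b"\x00")
              + ber(0x02, b"\x00") + ber(0x30, b""))
    return ber(0x30, ber(0x02, bytes([version])) + ber(0x04, community) + pdu)


def snmpv3_message(flags=0x07):
    """SNMPv3 message skeleton: msgGlobalData, security params, msgData.
    flags bit0 = auth, bit1 = priv, bit2 = reportable; 0x07 = authPriv."""
    global_data = ber(0x30, ber(0x02, b"\x01") + ber(0x02, b"\x7f")
                      + ber(0x04, bytes([flags])) + ber(0x02, b"\x03"))
    security_params = ber(0x04, b"")
    msg_data = ber(0x04, b"\x00" * 8)   # placeholder for an encrypted scopedPDU
    return ber(0x30, ber(0x02, b"\x03") + global_data + security_params + msg_data)


def read_tlv(buf, off):
    """Return (tag, content, next_offset) for the TLV starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[off], buf[off + 1]
    start = off + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[start:start + length], start + length


def inspect_snmp(payload):
    """Return version, whether the message is in the clear, and what it exposes."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, off = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version in (0, 1):
        tag, community, _ = read_tlv(body, off)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        return {"version": "v1" if version == 0 else "v2c", "cleartext": True,
                "community": community.decode("latin-1"), "auth": False, "priv": False}
    if version == 3:
        _, global_data, _ = read_tlv(body, off)
        _, _, o = read_tlv(global_data, 0)       # msgID
        _, _, o = read_tlv(global_data, o)       # msgMaxSize
        _, flags, _ = read_tlv(global_data, o)   # msgFlags
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
        return {"version": "v3", "cleartext": not priv, "community": None,
                "auth": auth, "priv": priv}
    raise ValueError(f"unknown SNMP version {version}")


def audit_captures(captures):
    """One finding per captured message that exposes data in the clear."""
    findings = []
    for src, payload in captures:
        info = inspect_snmp(payload)
        if info["cleartext"]:
            detail = (f"community '{info['community']}'" if info["community"] is not None
                      else "v3 without privacy (noPriv)")
            findings.append(f"{src}: SNMP {info['version']} in the clear, {detail}")
    return findings


# Constructed captures: (source address, raw SNMP payload).
SAMPLE_CAPTURES = [
    ("10.0.0.7", snmp_community_message(1, b"public")),
    ("10.0.0.8", snmpv3_message()),
    ("10.0.0.9", snmp_community_message(0, b"private")),
]

if __name__ == "__main__":
    for line in audit_captures(SAMPLE_CAPTURES):
        print(line)
```

Any device in the audit output is one whose SNMP credentials (the community string) can be read by anything on the path, which is the concrete reason behind "access should be very limited": restrict who may query the agent, and move to v3 with authentication and privacy so the check reports nothing.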
DETECTING NETWORK EVENTS
A network-based intrusion detection system is designed to help organizations monitor their cloud, on-premises and hybrid environments for suspicious events that could indicate a compromise. This includes policy violations and port scanning, plus traffic from unknown sources or to unknown destinations.
● NIDS and NIPS
○ Network Intrusion Detection System / Network Intrusion Prevention System
■ Watch network traffic
● Intrusions
○ Exploits against operating systems, applications, etc.
○ Buffer overflows, cross-site scripting, other vulnerabilities
● Detection vs. Prevention
○ Detection - Alarm or alert
○ Prevention - Stop it before it gets into the network
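The three event types the previous slide names (policy violations, port scanning, unknown-source traffic) and the detection-versus-prevention distinction above, as one added Python example that is not from the original slides or from any NIDS product. The connection log is constructed; the thresholds, the internal address prefix and the banned-port policy are assumptions chosen for the sample. In detect mode the analyzer only raises alerts; in prevent mode it also drops further connections from a source once it has been flagged for scanning, which is the inline behaviour that distinguishes a NIPS.

```python
"""Toy NIDS/NIPS rules over a constructed connection log.

Added example, not from the original slides. Rules, thresholds and the
address policy are assumptions for the sample data, not vendor defaults.
"""
from collections import defaultdict

# Constructed log: "<unix time> <src ip> <dst ip> <dst port> <proto>", one connection per line.
SAMPLE_LOG = """\
1700000000 10.0.0.5 10.0.0.80 443 tcp
1700000001 10.0.0.5 10.0.0.80 443 tcp
1700000002 198.51.100.7 10.0.0.80 21 tcp
1700000002 198.51.100.7 10.0.0.80 22 tcp
1700000003 198.51.100.7 10.0.0.80 23 tcp
1700000003 198.51.100.7 10.0.0.80 25 tcp
1700000004 198.51.100.7 10.0.0.80 80 tcp
1700000004 198.51.100.7 10.0.0.80 443 tcp
1700000010 10.0.0.9 10.0.0.81 23 tcp
"""

INTERNAL_PREFIXES = ("10.0.0.",)          # assumed "known" source space
BANNED_PORTS = {23: "telnet (cleartext admin protocol)"}   # assumed policy
SCAN_PORT_THRESHOLD = 5                   # distinct destination ports ...
SCAN_WINDOW_SECONDS = 10                  # ... from one source within this window


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto})
    return events


def analyze(events, mode="detect"):
    """Run the rules over events in order.

    Returns (alerts, dropped). In "detect" mode every event passes and only
    alerts are produced. In "prevent" mode a source flagged for port scanning
    is blocked inline, so its later events are dropped and counted.
    """
    alerts = []
    dropped = 0
    port_history = defaultdict(list)      # src -> [(ts, dport), ...]
    unknown_reported, scan_flagged, blocked = set(), set(), set()

    for e in events:
        if e["src"] in blocked:           # prevention: stop it before it gets in
            dropped += 1
            continue

        if not e["src"].startswith(INTERNAL_PREFIXES) and e["src"] not in unknown_reported:
            unknown_reported.add(e["src"])
            alerts.append({"ts": e["ts"], "rule": "unknown_source", "src": e["src"],
                           "message": f"traffic from unknown source {e['src']}"})

        if e["dport"] in BANNED_PORTS:
            alerts.append({"ts": e["ts"], "rule": "policy_violation", "src": e["src"],
                           "message": f"{e['src']} -> {e['dst']}:{e['dport']} "
                                      f"violates policy: {BANNED_PORTS[e['dport']]}"})

        history = port_history[e["src"]]
        history.append((e["ts"], e["dport"]))
        recent_ports = {p for t, p in history if e["ts"] - t <= SCAN_WINDOW_SECONDS}
        if len(recent_ports) >= SCAN_PORT_THRESHOLD and e["src"] not in scan_flagged:
            scan_flagged.add(e["src"])
            alerts.append({"ts": e["ts"], "rule": "port_scan", "src": e["src"],
                           "message": f"{e['src']} touched {len(recent_ports)} ports on "
                                      f"{e['dst']} within {SCAN_WINDOW_SECONDS}s"})
            if mode == "prevent":
                blocked.add(e["src"])

    return alerts, dropped


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        alerts, dropped = analyze(parse_log(SAMPLE_LOG), mode=mode)
        print(f"[{mode}] {len(alerts)} alerts, {dropped} connections dropped")
        for a in alerts:
            print(f"  t={a['ts']} {a['rule']}: {a['message']}")
```

The two modes produce the same alerts from the same rules; the only difference is that prevent mode acts on the verdict inline. That is also why a NIPS needs more careful tuning than a NIDS: a rule that fires falsely in detect mode costs an analyst some time, while the same rule in prevent mode blocks legitimate traffic.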