CySA+ domain #2: Network-based attacks
Hosted by CompTIA and currently on its first exam version, the CompTIA Cybersecurity Analyst+ certification (CySA+) is a recent addition to the leading cybersecurity certifications. Network-based attacks are among the most prevalent, real-world security issues organizations encounter, so it should come as no surprise that this material is covered on the CySA+ certification exam.
This article will detail detecting scans and probes, DoS and DDoS attacks, mitigating denial of service attacks, detecting other network-based attacks, and rogue network devices. If you are taking the CySA+ certification exam, or simply want a concise refresher on network-based attacks, this article is for you.
Please note that this article is only a general guide and should not be used as your sole method of exam preparation.
Network-based attacks defined
In its simplest form, the term “network-based attacks” can be defined as attacks that are launched and controlled from a device other than the device under attack. The sections below explain the different nuances of these attacks and the common strategies for responding to them.
Detecting scans and probes
Cybersecurity analysts would quickly become bogged down if they had to examine by hand all traffic coming into a network that may be a potential attack or information-gathering activity. This can be avoided by setting up a solid detection system for your organization.
In and of themselves, scans and probes do not pose much risk to a network. However, they are often harbingers of future attacks. Simpler network scans, such as connecting to many IP addresses within a network in turn or testing service ports in sequence, are easy to detect; stealthier scans can be difficult to pick out from general network noise.
The good news is that many commonly used network devices, from firewalls to network security appliances, IDS and IPS systems, have built-in network scan detection functionality. Enabling it will probably produce mostly network noise, so organizations generally send this information to a SIEM solution for further analysis.
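The two simple scan patterns named above (walking service ports on one host, and contacting many hosts in turn) can be picked out of firewall logs with a distinct-ports-per-window count. The following is an added example, not code from the article or from any particular product; it assumes a constructed log format of "epoch_seconds src_ip dst_ip dst_port action", and the thresholds, sample addresses and window size are illustrative choices.

```python
"""Added example (not from the article): flag scan-like behaviour in
firewall connection logs. Assumes each line reads
"epoch_seconds src_ip dst_ip dst_port action" (a constructed format)."""
from collections import defaultdict

# Constructed sample log: 10.0.0.5 walks ports 22-29 on one host (port scan),
# 10.0.0.9 hits port 445 on seven hosts (host sweep), 10.0.0.7 is normal traffic.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.0.0.5 192.168.1.10 {22 + i} DENY" for i in range(8)]
    + [f"{2000 + i} 10.0.0.9 192.168.1.{i + 1} 445 DENY" for i in range(7)]
    + ["1000 10.0.0.7 192.168.1.10 443 ALLOW",
       "1030 10.0.0.7 192.168.1.10 443 ALLOW",
       "1060 10.0.0.7 192.168.1.11 80 ALLOW"]
)


def parse_log(text):
    """Return a list of (ts, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        events.append((int(ts), src, dst, int(port), action))
    return events


def _max_distinct_in_window(hits, window):
    """hits: list of (ts, value). Return the largest set of values that
    occur together inside any span of `window` seconds."""
    hits = sorted(hits)
    best, start = set(), 0
    for end, (ts, _) in enumerate(hits):
        while ts - hits[start][0] > window:
            start += 1
        values = {v for _, v in hits[start:end + 1]}
        if len(values) > len(best):
            best = values
    return best


def detect_scans(events, window=60, min_ports=6):
    """Port scans: one source touching many distinct ports on one host.
    Returns {src: {dst: {"ports": n, "sequential": bool}}}."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_pair[(src, dst)].append((ts, port))
    findings = {}
    for (src, dst), hits in by_pair.items():
        ports = _max_distinct_in_window(hits, window)
        if len(ports) >= min_ports:
            seq = sorted(ports)
            # Consecutive port numbers are the signature of a naive sequential scan.
            sequential = all(b - a == 1 for a, b in zip(seq, seq[1:]))
            findings.setdefault(src, {})[dst] = {"ports": len(ports), "sequential": sequential}
    return findings


def detect_sweeps(events, window=60, min_hosts=5):
    """Host sweeps: one source contacting many distinct hosts.
    Returns {src: number_of_hosts}."""
    by_src = defaultdict(list)
    for ts, src, dst, _, _ in events:
        by_src[src].append((ts, dst))
    findings = {}
    for src, hits in by_src.items():
        hosts = _max_distinct_in_window(hits, window)
        if len(hosts) >= min_hosts:
            findings[src] = len(hosts)
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("port scans:", detect_scans(events))
    print("host sweeps:", detect_sweeps(events))
```

Run on the constructed log, only 10.0.0.5 is reported as a port scanner and only 10.0.0.9 as a host sweeper; the normal client 10.0.0.7 stays below both thresholds. Slow scans that spread their probes over longer than the window are exactly the stealthier case the text mentions, which is why the window and thresholds are tunable rather than fixed.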
Denial of Service (DoS) attacks
DoS attacks come in many forms, but they all have the same goal: stopping users from accessing a system or service. As such, detecting and preventing DoS attacks has become an essential skill set for cybersecurity analysts. DoS attacks can take the following forms:
- Attempting to use the sheer volume of traffic or requests to overwhelm a network or service
- Attacks on specific vulnerabilities to cause a specific service or system to fail
- Attacks upon an intermediary network or system to prevent traffic between the two different locations
Distributed Denial of Service (DDoS) attacks
While distributed denial of service (DDoS) attacks may sound much like DoS attacks, they are quite different. Unlike DoS attacks, DDoS attacks originate from many systems and networks simultaneously. This makes them much harder to detect and stop, especially against a background of network noise.
DDoS attacks are often launched by compromised systems in botnets, which means an attack can potentially come from hundreds of thousands of systems or more.
Detecting DoS/DDoS attacks
Building solid DoS and DDoS detection capability normally involves multiple monitoring systems and tools because of the many flavors of DoS and DDoS attacks. This can include:
- Performance monitoring through the use of service performance monitoring tools
- Using local system or application logs for connection monitoring
- Network and system bandwidth monitoring
- IDS, IPS and other dedicated tools with DoS and DDoS detection enabled
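The connection-monitoring item in the list above can be illustrated with a baseline comparison over application access logs, which also shows the DoS/DDoS distinction drawn earlier: one dominant source versus many sources sharing the load. This is an added example rather than the article's or any vendor's code; the access-log format, the client addresses, the 10-second window and the five-times-baseline trigger are all constructed assumptions.

```python
"""Added example (not from the article): detect request floods in an
access log by comparing each time window with the median of the windows
before it, then label the flood as DoS or DDoS by source count.
Assumes constructed lines of the form "epoch_seconds src_ip METHOD path status"."""
from collections import Counter, defaultdict
from statistics import median


def constructed_log():
    """Construct a sample access log: three normal clients for 30 s, a burst
    from 30 distinct sources in the 30-39 s window, then a burst from one
    source in the 40-49 s window."""
    lines = []
    normal = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for ts in range(0, 30):
        if ts % 2 == 0:  # about 5 requests per 10 s window
            lines.append(f"{ts} {normal[ts % 3]} GET /index.html 200")
    for i in range(60):  # distributed burst: 60 requests from 30 sources
        lines.append(f"{30 + i % 10} 198.51.100.{i % 30 + 1} GET /login 200")
    for i in range(50):  # single-source burst: 50 requests from one client
        lines.append(f"{40 + i % 10} 192.0.2.99 GET /search 200")
    return "\n".join(lines)


def window_stats(log_text, window=10):
    """Return {window_start: Counter(src -> request count)}."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        ts, src, *_ = line.split()
        buckets[(int(ts) // window) * window][src] += 1
    return dict(buckets)


def detect_flood(stats, factor=5, ddos_min_sources=10):
    """Flag a window whose request total exceeds `factor` times the median of
    the quiet windows seen so far. Returns [(window_start, total, sources, label)].
    Flagged windows are kept out of the baseline so a sustained flood does not
    raise it."""
    alerts, baseline = [], []
    for start in sorted(stats):
        counts = stats[start]
        total = sum(counts.values())
        if baseline and total > factor * median(baseline):
            top_src, top_n = counts.most_common(1)[0]
            sources = len(counts)
            # Many sources with no single dominant one points to DDoS;
            # one source producing most of the load points to plain DoS.
            label = "ddos" if sources >= ddos_min_sources and top_n < total / 2 else "dos"
            alerts.append((start, total, sources, label))
            continue
        baseline.append(total)
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(window_stats(constructed_log())):
        print("window %ds: %d requests from %d sources -> %s" % alert)
```

On the constructed log the 30 s window is reported as DDoS (60 requests spread over 30 addresses) and the 40 s window as DoS (50 requests from a single address). In practice the baseline would come from a longer history than three quiet windows, and the same comparison can be run on bandwidth or service-latency counters rather than request counts.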
Mitigating DoS and DDoS attacks
Unfortunately, DoS and DDoS attacks are facts of life in today’s internet-connected business world. Luckily, there are two commonly used methods that help an organization mitigate these attacks. These methods are:
- Implementing a dedicated service that uses a large distributed network (typically of endpoints) to ensure access to the service even if one or more locations go down
- Deploying DoS/DDoS mitigation technology or devices that sit in-line between protected systems and the internet and analyze flows
Detecting other network attacks
Network-based attacks that are not DoS and DDoS attacks can be detected using the following methods:
- Using IDS or IPS solutions
- Feeding logs from firewalls, switches, routers and other network devices into a log monitoring and analysis system
- Using a SIEM solution to raise an alarm automatically when problematic traffic occurs
- Monitoring SNMP data, flows and other network information for suspicious behavior
Rogue network devices
Rogue devices are defined as devices that should not be connected to a network, either because policy prohibits them or because an attacker has added them. The key for organizations in controlling this aspect of network-based threats is to detect and locate these devices.
The CySA+ certification exam will hold you responsible for the following commonly used methods of tracking down and identifying rogue devices:
- Network scanning: Scanning to identify new devices, typically performed with a tool such as Nmap
- Valid MAC address checking: This checks the MAC addresses presented to network devices against a list of known MAC addresses to validate them
- Vendor information MAC address checking: Device vendors often use vendor prefixes for their devices, in part so they can be easily identified. Remember that MAC addresses can be changed, so what you see may not be the legitimate MAC address for the device. One such site used to look up vendors from MAC addresses can be found here
- Traffic analysis: You can analyze traffic to identify unexpected, suspicious or irregular behavior
- Site surveys: This entails a physical review of devices at a site by either manual verification or checking wireless networks
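The two MAC-based methods above (allowlist checking and vendor-prefix checking) are shown together in the following added example, which is not the article's code or any product's. It goes one step beyond the text: because MAC addresses can be changed, it also inspects the locally-administered bit of the first octet, which is set on addresses assigned by software rather than burned in by the vendor. The allowlist, the vendor table and the ARP entries are constructed placeholders; a real deployment would load the vendor table from the IEEE OUI registry or a lookup site.

```python
"""Added example (not from the article): classify MAC addresses seen on the
network against an allowlist and a vendor-prefix (OUI) table, and flag
addresses whose locally-administered bit suggests they were changed."""

# Constructed allowlist of approved device MACs (placeholders, not real hardware).
KNOWN_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f", "a4:b5:c6:00:11:22"}

# Constructed OUI table; the real registry maps the first three octets to a vendor.
OUI_VENDORS = {"00:1a:2b": "ExampleSwitchCo", "a4:b5:c6": "ExampleLaptopCo"}

# Constructed ARP-table sample: (ip, mac) pairs in the formats tools commonly emit.
SAMPLE_ARP = [
    ("192.168.1.2", "00-1A-2B-3C-4D-5E"),  # on the allowlist
    ("192.168.1.3", "a4b5.c600.1199"),     # known vendor, device not on the allowlist
    ("192.168.1.4", "02:11:22:33:44:55"),  # locally-administered bit set: likely changed
    ("192.168.1.5", "dc:ad:be:ef:00:01"),  # vendor prefix not in the table
]


def normalize_mac(mac):
    """Accept colon, hyphen or Cisco dotted form; return lower-case colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 1 (value 0x02) of the first octet marks a locally administered
    address, i.e. one set in software rather than assigned by the vendor."""
    return int(mac[:2], 16) & 0x02 != 0


def classify(mac):
    """Return (verdict, vendor_or_None) for one MAC address."""
    mac = normalize_mac(mac)
    vendor = OUI_VENDORS.get(mac[:8])  # first three octets are the OUI
    if mac in KNOWN_MACS:
        return ("known", vendor)
    if is_locally_administered(mac):
        # A software-assigned address is the hallmark of a changed MAC; it
        # may be legitimate (VM, privacy feature) but deserves a closer look.
        return ("suspicious-local-admin", vendor)
    if vendor is None:
        return ("unknown-vendor", None)
    return ("unknown-device", vendor)


def review_arp_table(entries):
    """entries: iterable of (ip, mac) pairs, e.g. parsed from an ARP or DHCP table."""
    return {ip: classify(mac) for ip, mac in entries}


if __name__ == "__main__":
    for ip, (verdict, vendor) in review_arp_table(SAMPLE_ARP).items():
        print(f"{ip:<14} {verdict:<24} {vendor or '-'}")
```

Only the first entry passes as known; the other three each fail for a different reason, which is the point of layering the checks: a vendor match alone does not make a device legitimate, and an address that is not locally administered can still have been chosen to mimic a known vendor, so traffic analysis and a physical site survey remain the final confirmation.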
The wireless rogue device problem
Perhaps the biggest challenge involving wireless rogue devices is that they can spoof legitimate networks and make the network think the rogue device is one of its own. To keep this from opening up your network to attackers, organizations should use a wireless controller to detect the incursion. In some cases, wireless controllers can even automatically overpower a wireless rogue device, stopping it from spoofing the legitimate network.
Network-based attacks are a key aspect of cybersecurity and, as such, a key part of earning a passing score on the CySA+ certification exam. Understanding what network-based attacks are will get your foot in the door, but you must also have a working knowledge of how to detect network-based threats to master this material. By using this article as a guide to the network-based threats material for the CySA+ certification exam, you will be leaps and bounds ahead of the exam candidates who chose another path of exam preparation.