Challenges in the Security Operations Center (SOC)

This chapter covers the following topics:

• Security Monitoring Challenges in the SOC

• Additional Evasion and Obfuscation Techniques

There are several security monitoring operational challenges, including encryption, Network Address Translation (NAT), time synchronization, Tor, and peer-to peer communications. This chapter covers these operational challenges in detail. Attackers try to abuse system and network vulnerabilities to accomplish something; however, there is another element that can make or break the success of the attack. Attackers need to be stealthy and be able to evade security techniques and technologies. Attackers must consider the amount of exposure an attack may cause as well as the expected countermeasures if the attack is noticed by the target’s defense measures. They need to cover their tracks.

In this chapter, you learn how attackers obtain stealth access and the tricks used to negatively impact detection and forensic technologies.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 12-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 12-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

1. 1. Which of the following are benefits of encryption?

   • a. Malware communication

   • b. Privacy and confidentiality

   • c. Malware mitigation

   • d. Malware identification

2. 2. Why can encryption be challenging to security monitoring?

   • a. Encryption introduces latency.

   • b. Encryption introduces additional processing requirements by the CPU.

   • c. Encryption can be used by threat actors as a method of evasion and obfuscation, and security monitoring tools might not be able to inspect encrypted traffic.

   • d. Encryption can be used by attackers to monitor VPN tunnels.

3. 3. Network Address Translation (NAT) introduces challenges in the identification and attribution of endpoints in a security victim. The identification challenge applies to both the victim and the attack source. What tools are available to be able to correlate security monitoring events in environments where NAT is deployed?

   • a. NetFlow

   • b. Cisco Stealthwatch System

   • c. Intrusion prevention systems (IPS)

   • d. Encryption protocols

4. 4. If the date and time are not synchronized among network and security devices, logs can become almost impossible to correlate. What protocol is recommended as a best practice to deploy to mitigate this issue?

   • a. Network Address Translation

   • b. Port Address Translation

   • c. Network Time Protocol (NTP)

   • d. Native Time Protocol (NTP)

5. 5. What is a DNS tunnel?

   • a. A type of VPN tunnel that uses DNS.

   • b. A type of MPLS deployment that uses DNS.

   • c. DNS was not created for tunneling, but a few tools have used it to encapsulate data in the payload of DNS packets.

   • d. An encryption tunneling protocol that uses DNS’s UDP port 53.

6. 6. Which of the following are examples of DNS tunneling tools? (Select all that apply.)

   • a. DeNiSe

   • b. dns2tcp

   • c. DNScapy

   • d. DNStor

7. 7. What is Tor?

   • a. A blockchain protocol

   • b. A hashing protocol

   • c. A VPN tunnel client

   • d. A free tool that enables its users to surf the Internet anonymously

8. 8. What is a Tor exit node?

   • a. The encrypted Tor network

   • b. The last Tor node or the gateways where the Tor-encrypted traffic exits to the Internet

   • c. The Tor node that performs encryption

   • d. The Tor browser installed in your system to exit the Internet

9. 9. What is a SQL injection vulnerability?

   • a. An input validation vulnerability where an attacker can insert or inject a SQL query via the input data from the client to the application or database

   • b. A type of vulnerability where an attacker can inject a new password to a SQL server or the client

   • c. A type of DoS vulnerability that can cause a SQL server to crash

   • d. A type of privilege escalation vulnerability aimed at SQL servers

10. 10. Which of the following is a distributed architecture that partitions tasks or workloads between peers?

    • a. Peer-to-peer networking

    • b. P2P NetFlow

    • c. Equal-cost load balancing

    • d. None of these answers are correct.

11. 11. Which of the following describes when the attacker sends traffic more slowly than normal, not exceeding thresholds inside the time windows the signatures use to correlate different packets together?

    • a. Traffic insertion

    • b. Protocol manipulation

    • c. Traffic fragmentation

    • d. Timing attack

12. 12. Which of the following would give an IPS the most trouble?

    • a. Jumbo packets

    • b. Encryption

    • c. Throughput

    • d. Updates

13. 13. In which type of attack does an IPS receive a lot of traffic/packets?

    • a. Resource exhaustion

    • b. DoS (denial of service)

    • c. Smoke and mirrors

    • d. Timing attack

14. 14. Which of the following is not an example of traffic fragmentation?

    • a. Modifying routing tables

    • b. Modifying the TCP/IP in a way that is unexpected by security detection devices

    • c. Modifying IP headers to cause fragments to overlap

    • d. Segmenting TCP packets

15. 15. What is the best defense for traffic fragmentation attacks?

    • a. Deploying a passive security solution that monitors internal traffic for unusual traffic and traffic fragmentation

    • b. Deploying a next-generation application layer firewall

    • c. Configuring fragmentation limits on a security solution

    • d. Deploying a proxy or inline security solution

16. 16. Which of the following is a TCP-injection attack?

    • a. Forging a TCP packet over an HTTPS session

    • b. Replacing legitimate TCP traffic with forged TCP packets

    • c. Adding a forged TCP packet to an existing TCP session

    • d. Modifying the TCP/IP in a way that is unexpected by security detection

17. 17. A traffic substitution and insertion attack does which of the following?

    • a. Substitutes the traffic with data in a different format but with the same meaning

    • b. Substitutes the payload with data in the same format but with a different meaning, providing a new payload

    • c. Substitutes the payload with data in a different format but with the same meaning, not modifying the payload

    • d. Substitutes the traffic with data in the same format but with a different meaning

18. 18. Which of the following is not a defense against a traffic substitution and insertion attack?

    • a. De-obfuscating Unicode

    • b. Using Unicode instead of ASCII

    • c. Adopting the format changes

    • d. Properly processing extended characters

19. 19. Which of the following is not a defense against a pivot attack?

    • a. Content filtering

    • b. Proper patch management

    • c. Network segmentation

    • d. Access control

20. 20. Which security technology would be best for detecting a pivot attack?

    • a. Virtual private network (VPN)

    • b. Host-based antivirus

    • c. NetFlow

    • d. Application layer firewalls

Foundation Topics