Essay Sample on Packet Capture and Intrusion Detection/Prevention Systems

Paper Type:  Essay
Pages:  7
Wordcount:  1833 Words
Date:  2022-11-20

Introduction

My deployment to the cybersecurity engagement division of the FBI has given me the opportunity to examine networks after cyber-attacks on many occasions, frequently at financial institutions. According to the email sent by the FS-ISAC to the FBI, several files were compromised and the institutions experienced denial of service (DoS) attacks, compromising the bank networks and client information and blocking transactions worth millions of dollars. The effect of this security attack is likely to devastate several banks and the economic state of the United States in general. Given the increasing prevalence of cybersecurity threats against financial organizations, whether public or private, a bank that appears on the FBI's list of the most likely targets will have its safety protocols and security services assessed. This paper presents a report that outlines the capability and impact of the recent Cyber Offensive Operation undertaken on behalf of FS-ISAC and Capital One Bank. The objective of the operation was to bait the cybercriminals into the loopholes that were set up in the internal network of the bank.

Network Architecture

The system structure of Capital One bank is elementary and concise, with clearly set security standards implemented to protect the bank network. Within the bank, there is an internet router in the server room that provides internet access and connectivity, establishing the first line of defense within the bank network. The router is set up in such a manner that, after the border router, an Intrusion Detection System (IDS) or a firewall filters the transfer of information and only admits traffic that has passed the filter. Generally, Intrusion Detection and Prevention Systems (IDS/IPS) are set up within a network structure to prevent unauthorized access by cyber attackers. The difference between the IDS and the IPS is that the IDS passively monitors the network and reports suspicious activities, whereas the IPS actively protects the network against security threats rather than merely detecting breaches (Phatak, 2011).

Usually, information conveyed across the internet is subdivided into pieces referred to as data packets, which are quicker and safer to transmit than one large data set. According to Severance (2015), the most significant innovation enabling faster transfer of information across a multi-hop network has been the idea of breaking each message into small fragments and sending each fragment individually. In the networking context, these small units of transmitted data are referred to as data packets. Each data packet is forwarded according to its source and destination address, which routes it to the target destination. Therefore, when a massive number of data packets from varying sources are transferred, they may travel by alternative paths, such that packets from a single sender may follow different routes and at times may not arrive at their intended destination in order; hence protocols are defined to manage the transfer of data packets (CCM Benchmark Group, 2016).

Port numbers are 16-bit values used to identify the application to which TCP/IP packets arriving at an IP address belong. Ports in the range 0 to 1023 are the 'well-known ports', also often called reserved ports. Such ports are usually set aside for system processes or programs started by privileged users. Nonetheless, any network administrator is able to bind a service to the ports of his choice. The most commonly used and renowned ports include 21 (FTP), 25 (SMTP) and 80 (HTTP), together with 110 (POP3). These well-known ports have also been identified as the ports most highly targeted. The activities and traffic passing through these ports are closely monitored to detect unusual traffic and irregular applications, given the large volumes of data transmitted through them (CCM Benchmark Group, 2016).

There is also a transport protocol known as the User Datagram Protocol (UDP), a connectionless transport-layer protocol that involves no handshaking procedure. Unlike the Transmission Control Protocol (TCP), UDP transfers information without setting up a persistent connection or confirming the transfer with the end-user. Consequently, there is no assurance of the orderly delivery of the data packets, or of delivery at all. Nonetheless, UDP has low latency and is suitable for time-critical transfer of information in cases where speed is regarded as more essential than reliability. Some common applications of UDP include the Domain Name System (DNS) and the Simple Network Management Protocol (SNMP) (UMUC, n.d).

[Figure: network topology diagram] Retrieved from (Secu, n.d)

As shown in the above illustration, there is a switch in the DMZ behind the firewall that connects the bank's web servers, DNS server, cache servers, authentication servers and email servers. A second firewall filters the traffic between the DMZ and the LAN. Generally, this system structure and topology is a simple and typical one, which is why Capital One bank implements it.

Security Attacks

Capital One bank has reported cyber-attacks over a long period of exposure to cyber threats, even though there have been successful attempts to stop them. Generally, the bank has been facing two types of cyber-attacks that are commonly used against most network systems: session hijacking, which is mainly spoofing or cache poisoning attacks, together with man-in-the-middle attacks. Spoofing of IP addresses refers to a scenario in which the attacker sniffs the traffic within a network to learn the legitimate pattern of IP addresses used for that specific system. The invader then counterfeits an IP address in the packet headers. If the system authenticates on the basis of the IP address, full access is granted to the attacker, who is then able to access the system through the packet with the counterfeit IP address. Once access has been gained, transmission of malicious data packets into the network begins; for instance, an attacker is likely to introduce a virus such as a Trojan horse or a key-logging program into the organization's systems after gaining access. The technique of spoofing is generally classified as a network layer attack (UMUC, n.d).

The other type of attack, the man-in-the-middle (MITM), refers to attacks in which an adversary may relay, replay, copy, insert and even modify the information in the protocol exchanges between two parties, with the intention of deceiving either of the communicating parties about the cyber-identity of the other (NIST, 2009). MITM attacks compromise the safety of a network and can capture crucial data, for instance real-time online banking information. Therefore, the increasing reports of cyber-attacks on Capital One bank led to the installation of a honeypot that would be used to entice cybercriminals. The term honeypot generally refers to a decoy set up to entice adversaries and to deflect their attacks away from the operating systems controlling the administrative operations. Honeypots are populated with information that resembles genuine data in order to understand the approaches used by the attacker and to gather evidence for legal prosecution of the individual responsible for the attacks (NIST, 2013).

In operation, both the IDS and the honeypot report events that turn out to be either false positives or false negatives. Therefore, to prevent security attacks on the organization's network, the intrusion detection and prevention system (IDS) is supposed to focus on detecting suspicious activities that may pose actual threats to network security. According to Duquea & Omar (2015), the term "false positive" refers to instances in which the IDS wrongly recognizes a benign activity as a threat to system security, whereas the term "false negative" refers to an instance in which an IDS has failed to detect a malicious activity. Generally, false positives and false negatives are key measures for weighing the accuracy of the IDS as well as its rate of detection of malicious activities on a system. However, in cases of outsized numbers of false positives and false negatives, the IDS is better regarded as faulty, because it significantly increases the workload of network administrators. Therefore, the findings must be refined against the target. Accomplishing this refinement can be tedious when searching line by line, which is why the application of certain techniques, with the help of certain tools, is crucial in the process.
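As an added example (not part of the essay), the following Python ties together the points made above about 16-bit ports, TCP versus UDP headers, IP address spoofing and IDS accuracy: it decodes constructed IPv4/TCP/UDP packets, applies one border rule (a packet arriving from the internet must not carry an internal source address, the classic anti-spoofing ingress filter) and scores that rule against labelled traffic to count false positives and false negatives. The 10.10.0.0/16 LAN range, the interface names and the sample packets are all assumed values constructed here.

```python
import struct
from ipaddress import IPv4Address, ip_network
# Assumed values, constructed for this example (not taken from the essay).
LAN = ip_network("10.10.0.0/16")                      # the bank's internal address block
WELL_KNOWN = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3"}

def build_ipv4(src, dst, proto, sport, dport, tcp_flags=0x02):
    """Assemble a minimal IPv4 header plus a TCP (proto 6, SYN) or UDP (proto 17) header."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + l4

def parse_ipv4(pkt):
    """Decode addresses, transport protocol and the 16-bit port pair from a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4                          # IPv4 header length in bytes
    proto = pkt[9]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": IPv4Address(pkt[12:16]), "dst": IPv4Address(pkt[16:20]),
            "proto": {6: "TCP", 17: "UDP"}.get(proto, str(proto)),
            "sport": sport, "dport": dport, "service": WELL_KNOWN.get(dport)}

def ingress_alert(pkt, iface):
    """Border rule: an internet-facing packet must not claim a LAN source. Alert text or None."""
    p = parse_ipv4(pkt)
    if iface == "external" and p["src"] in LAN:
        return (f"spoofed LAN source {p['src']} -> {p['dst']}:{p['dport']} "
                f"({p['service'] or p['proto']})")
    return None

def evaluate(events):
    """Score the rule against labelled traffic: events are (packet, interface, malicious)."""
    c = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for pkt, iface, malicious in events:
        alerted = ingress_alert(pkt, iface) is not None
        c["tp" if alerted and malicious else "fp" if alerted else "fn" if malicious else "tn"] += 1
    return c

EVENTS = [  # constructed traffic sample with ground-truth labels
    (build_ipv4("10.10.5.20", "198.51.100.7", 6, 51000, 80), "external", True),   # forged LAN source
    (build_ipv4("203.0.113.9", "10.10.1.2", 6, 40000, 25), "external", False),    # ordinary inbound mail
    (build_ipv4("203.0.113.9", "10.10.1.3", 17, 53000, 53), "external", False),   # DNS query over UDP
    (build_ipv4("10.10.5.20", "10.10.1.2", 6, 52000, 110), "internal", False),    # LAN client to POP3
    (build_ipv4("203.0.113.44", "10.10.1.2", 6, 40001, 21), "external", True),    # attack this rule cannot see
]

if __name__ == "__main__":
    print(evaluate(EVENTS))   # {'tp': 1, 'fp': 0, 'tn': 3, 'fn': 1}
```

The last event shows the false negative the essay warns about: a genuinely hostile FTP connection from a legitimate external address passes the spoofing rule untouched, so a single rule's low false-positive count says nothing about its detection rate.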

Target and Profile

The increasing rate of cyber-crime poses an intensive threat to organizations in almost all industries that engage in virtual markets. Capital One bank is no exception, given that it is at the industry frontline in the provision of financial and banking services. However, the conventional approaches to cybersecurity have become outdated and are no longer adequate in the current challenging landscape of cyber threats. This implies that security programs driven by industry best practice and compliance alone are no longer sufficient to protect an organization like Capital One bank, which operates on the possession and transmission of high-value intellectual property together with data sets of personal information. In order to ensure efficient cybersecurity protection, effective security programs must now incorporate an advanced Security Operations Profile (SOP) that can proactively defend the enterprise bank through response to, isolation of, and remediation of prospective cyber-threats in real time.

Capital One bank has shown signs of commitment towards establishing a world-class Security Operations Profile that is equipped and prepared to protect the bank from advanced cyber threats and their possible impacts. The development and implementation of the SOP is one of the top priorities of the bank and will demand continuing commitment and support from executive administration. The overall security division of Capital One bank has provided wide coverage for vulnerability and threat recognition across various platforms, including systems, networks, mobile devices, applications and databases. In addition, processes are in place for the explanation and detection of intrusions into the organizational system.

Tools and Techniques

Several techniques were implemented, along with several tools, in the process of monitoring the bank's network and appliances. That forensic process aimed to determine the forensic proof of malicious activities on the organizational network and to find the source of the malicious behavior. One of the approaches used is the Network Forensic Framework (NFS), which captures and analyzes network traffic to investigate the cyber-attacks carried out by various cyber criminals. The Network Forensic Framework (NFS) also extracts information from the data traffic within a network system to reconstruct emails, messages, FTP traffic and other communications. According to Khan (2014), the impl...

Cite this page

Essay Sample on Packet Capture and Intrusion Detection/Prevention Systems. (2022, Nov 20). Retrieved from https://proessays.net/essays/essay-sample-on-packet-capture-and-intrusion-detection-prevention-systems
