12/09/2024
Network Defense
Course Overview
Course Overview
• Course ID: IT4831E
• Credits: 2(2-1-0-4)
• Lecturer
• Bùi Trọng Tùng, Department of Computer Engineering, SoICT
• Office: 405 – B1
• Email: tungbt@[Link]
• Course on MOOC
Learning Objectives
• Computer Network Defense (CND) fundamentals: CND triad, Defense-in-depth, Network Monitoring
• Technical Control: VPN, Firewall, IDPS
• Physical Control
• Security Operation: Hardening, Backup and Restore, Incident Response
• Design Security Policy
• Design Secure Network
Other courses
• Prerequisites:
• IT3080E: Computer networks
• IT4010E: Introduction to Cryptography and Security
• IT4260E: Network Security
• Relevances:
• IT4450E: Digital Forensics
• IT4413E: Penetration Testing Practice
• IT4651E: Network Design and Implementation
Grading Structure
• Mid-term: 40%
• Exercises: 3 homeworks in total, weighted equally
• Quizzes: on Gradescope with instant feedback; you can keep trying until you get the answer right:
• Complete all quizzes: +1 point
• Not complete 1-2 quizzes: +0 points
• Not complete 3-4 quizzes: -1 point
• Not complete 5 or more quizzes: -2 points
• No credit for submitting late, unless you have an extension
• Final-term: 60%
Lecture 01.
Network defense fundamentals
Objectives
• Explain the goals of information security
• Describe the threats to network security
• Explain the goals of network defense
• Explain the benefits and challenges of network defense
• Give an overview of the different types of network defense approaches
• Describe the different types of network security controls
1.1. Introduction to Information Security
Information Security
• Security = state of being secure, free from danger.
• Information Security: practice of defending digital information from unauthorized
• Goal of security:
[Figure: goals of security, showing CONFIDENTIALITY and ASSURANCE, the CIA triad, the AAA triad, …]
CNSS security model
• CNSS = Committee on National Security Systems
• McCumber Cube: a Rubik’s-cube-like detailed model for the establishment and evaluation of information security
• To develop a secure system, one must consider not only the key security goals (CIA) but also how these goals relate to the various states in which information resides and the full range of available security measures
Security threats
• Security threat: any action/inaction that could cause disclosure, alteration, loss, damage or unavailability of a company’s/individual’s assets
• There are three components of a threat:
• Targets: the organization’s assets that might be attacked
• information (its confidentiality, integrity, availability), software, hardware, network services, system resources, etc.
• Agents: people or organizations originating the threat, intentional or non-intentional
• employees, ex-employees, hackers, commercial rivals, terrorists, criminals, general public, customers
• Events: the type of action that poses the threat
Threat events
• Forces of Nature
• Fire, flood, earthquake, hurricane, tsunami, electrostatic discharge, dust contamination
• Organizations must implement controls to limit damage as well as develop incident response plans and business continuity plans
• Hardware and Software Failures and Errors
• Cannot be controlled or prevented by the organization
• Best defense: maintain systems and keep up to date on the latest hardware/software vulnerabilities
Threat events (cont.)
• Act of Human Error or Failure:
• An organization’s own employees are one of its greatest threats
• Examples:
• entry of erroneous data
• accidental deletion or modification of data
• failure to protect data
• storing data in unprotected areas
• Much of human error or failure can be prevented
• Training and ongoing awareness activities
• Enhanced control techniques
• Intrusions/Attacks
Security vulnerability
• Weaknesses in the system that can be exploited to compromise security
• Some causes of vulnerabilities:
• Inadequate policies
• Design flaws
• Drawbacks of technology
• Improper implementation and operation
Security attacks
[Figure: attack lifecycle, Footprint, Scan & Enumerate, Grant access, Maintain presence, Clean and hide]
• Footprinting: the actions that an attacker performs to collect information about the system: users, customers, business activities, information about the organization...
• Can be repeated periodically until there is an opportunity to attack more easily
• Active footprinting: interaction with the target
• Passive footprinting: no interaction with the target
Footprinting (cont.)
• Search engines: Google, Shodan, Censys
• Social networks: FB, Twitter, LinkedIn
• Target's website, Email system
• WHOIS, DNS
• Social Engineering
Defensive strategies
• Be careful about what information is made public.
• Train employees to be cautious about what they share online.
• Regularly check what information about the company is available through these tools.
• Use privacy settings on social media and company websites.
Scanning & Enumerating
• Scanning to identify information about the system based on the information collected from the footprinting
• The attacker has a more detailed view of the system: the services provided, the open service ports, IP addresses, operating systems and software…
• Extracting information from this stage allows the attacker to plan in detail to carry out the attack
Defensive strategies
• Keep all software up to date to fix known weaknesses.
• Only keep necessary services running and close unused ports.
• Use firewalls and other security tools to hide information from scans.
• Regularly run your own scans to see what an attacker might find.
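The last two bullets ("close unused ports", "run your own scans") are easiest to turn into a routine check if the host's listening sockets are compared against a written-down allowlist. The following is an added example, not code from the lecture: it parses the text format printed by `ss -tuln` on Linux, ignores loopback-only sockets (a remote scan cannot see them), and reports every externally bound (protocol, port) pair that the policy does not permit. The sample `ss` output and the allowlist are constructed for the example.

```python
"""Listening-service inventory checked against an allowlist.

Added example (not from the lecture slides). It parses text in the format
printed by `ss -tuln` on Linux; the sample output below is constructed,
and the allowlist is a hypothetical per-host policy.
"""

# Constructed sample of `ss -tuln` output for an imaginary web server.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q     Local Address:Port  Peer Address:Port
udp   UNCONN 0      0          127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0                0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128              0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511              0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      70             127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128              0.0.0.0:5900       0.0.0.0:*
tcp   LISTEN 0      128                 [::]:22            [::]:*
"""

# Hypothetical policy: the only (protocol, port) pairs this host may expose.
ALLOWLIST = {("tcp", 22), ("tcp", 443)}

# Sockets bound to these addresses are reachable only from the host itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_ss(output):
    """Return [(proto, address, port)] for every listening socket in the output."""
    listeners = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):     # TCP listeners / bound UDP sockets
            continue
        addr, _, port = local.rpartition(":")     # rpartition keeps IPv6 brackets intact
        addr = addr.split("%", 1)[0]              # drop an interface scope such as %lo
        listeners.append((proto, addr, int(port)))
    return listeners


def unexpected_exposures(listeners, allowlist):
    """Return sorted (proto, port) pairs that are externally bound but not allowlisted."""
    findings = set()
    for proto, addr, port in listeners:
        if addr.startswith(LOOPBACK_PREFIXES):
            continue                               # local-only service, invisible to a remote scan
        if (proto, port) not in allowlist:
            findings.add((proto, port))
    return sorted(findings)


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    print(f"{len(found)} listening sockets parsed")
    for proto, port in unexpected_exposures(found, ALLOWLIST):
        print(f"not in allowlist: {proto}/{port}")
```

On a real host, replace `SAMPLE_SS_OUTPUT` with the captured output of `ss -tuln` (adding `-p` shows which process owns each socket, which is what you need in order to decide whether to stop the service or update the allowlist). The check is a complement to an external scan, not a replacement: a host-based firewall may block ports that are listening, and only a scan from outside confirms what is actually reachable.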
Access granting
• Exploit and gain access to the system at different levels: network level, operating system level, application level
• Escalate Privileges: obtain further access to corporate systems and data within the environment
Defensive strategies
• Implement strong perimeter defenses like firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS)
• Apply strict access control policies, such as multi-factor authentication (MFA) and role-based access control (RBAC)
• Regularly patch and update software
• Implement endpoint detection and response (EDR) solutions
• Continuously monitor system logs
• Conduct regular penetration testing and vulnerability assessments
Maintain presence
• Change, interfere with system operations
• Install spyware
• Conceal system activities
• Scan deeply into the system
• Expand the attack scope
• Escalate the attack
Defense strategies
• Deploy endpoint detection and response (EDR) systems
• Real-time monitoring and behavioral analytics
• Regular system audits and integrity checks
• Network segmentation and isolation of critical assets
• Maintain up-to-date backups and implement incident response plans
• Continuous staff training and awareness programs for employees
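The "integrity checks" bullet is, at its simplest, a baseline of file hashes taken while the system is known-good and compared against the current state later. The block below is an added example, not code from the lecture, showing that mechanism end to end: it builds a small directory tree in a temporary folder (constructed content, including a hypothetical `etc/sshd_config`), records a SHA-256 baseline, simulates the kind of changes an attacker who is maintaining presence would make, and classifies the differences as added, removed or modified files.

```python
"""File-integrity baseline and comparison (the 'integrity checks' bullet).

Added example, not from the slides. The directory tree, its contents and
the simulated changes are constructed inside a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh one."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-constructed-placeholder")

        baseline = build_baseline(root)          # taken while the system is known-good

        # Constructed post-compromise changes: a config edit, a deletion, a new binary.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "backdoor").write_bytes(b"constructed-placeholder")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two operational points follow from the design. The baseline has to live somewhere the monitored host cannot rewrite (read-only media, or a separate server), otherwise an intruder simply re-baselines after making changes. And because the check runs in user space through the normal filesystem API, a kernel-level rootkit can hide files from it; that is why the slide pairs integrity checks with EDR and behavioral monitoring rather than relying on any one of them.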
Clean and hide
• Goal: erase traces of their activities and cover their tracks to avoid detection and maintain long-term access
• Delete or modify system logs
• Remove the evidence of the exploit technique, and obscure any changes made to the system
• Employ techniques such as rootkits, fileless malware, and encrypted communication channels
Defense strategies
• Robust logging and monitoring systems in place that are resistant to tampering
• Use secure log storage
• Deploy SIEM
• Version control and system integrity monitoring
• Regular forensic audits
• Implement advanced threat detection, such as ML models
• Employ encryption and MFA
• Maintain a well-practiced incident response plan that includes regular system backups and snapshots
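"Resistant to tampering" can be made concrete: if each log entry carries a keyed MAC over its own content and the previous entry's MAC, an attacker who edits, removes or reorders an entry breaks the chain at that point and the verifier can name the first bad index. The block below is an added example, not code from the lecture; the key, the log lines and the off-host "anchor" are constructed. It also shows the one case a chain alone cannot catch, cutting off the tail of the log, and why forwarding the latest tag to a separate system (the slide's SIEM / secure log storage) closes that gap.

```python
"""Tamper-evident (hash-chained, HMAC-keyed) log with verification.

Added example, not from the slides. The key, the log lines and the
off-host "anchor" are constructed for the demonstration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous tag" used for the very first entry


def entry_tag(key, seq, prev_tag, message):
    """HMAC over the sequence number, the previous tag and the message."""
    payload = json.dumps({"seq": seq, "prev": prev_tag, "msg": message},
                         sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, message):
    """Append one entry whose tag chains it to the entry before it."""
    seq = len(log)
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"seq": seq, "prev": prev, "msg": message,
                "tag": entry_tag(key, seq, prev, message)})
    return log[-1]


def verify_log(log, key):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return i                      # an entry was removed or reordered
        expected = entry_tag(key, entry["seq"], entry["prev"], entry["msg"])
        if not hmac.compare_digest(entry["tag"], expected):
            return i                      # an entry's content was altered
        expected_prev = entry["tag"]
    return -1


def matches_anchor(log, anchor_tag):
    """Compare the last tag with a copy kept elsewhere (e.g. sent to a SIEM)."""
    return bool(log) and hmac.compare_digest(log[-1]["tag"], anchor_tag)


def demo():
    """Constructed scenario: write four entries, then try three kinds of tampering."""
    key = b"constructed-demo-key"      # must not be readable on the logging host itself
    log = []
    for msg in ["sshd: Accepted publickey for alice from 10.0.0.5",
                "sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
                "sshd: Failed password for root from 203.0.113.9",
                "sshd: Accepted password for root from 203.0.113.9"]:
        append_entry(log, key, msg)
    anchor = log[-1]["tag"]             # forwarded off-host right after it was written

    edited = [dict(e) for e in log]     # attacker rewrites entry 2 to look benign
    edited[2]["msg"] = "sshd: Accepted publickey for alice from 10.0.0.5"
    deleted = [dict(e) for e in log if e["seq"] != 1]   # attacker removes entry 1
    truncated = log[:-1]                                 # attacker cuts the newest entry

    return {
        "intact": verify_log(log, key),
        "edited": verify_log(edited, key),
        "deleted": verify_log(deleted, key),
        "truncated": verify_log(truncated, key),         # chain alone cannot see a cut tail
        "truncation_caught_by_anchor": not matches_anchor(truncated, anchor),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The verifier reports where the chain first breaks rather than just a yes/no, which is what an analyst needs to bound the tampering window. The key must be held by the verifier, not by the host writing the log; if the same root account that writes the log can read the key, it can recompute the tags after editing. Forwarding entries (or at least the latest tag) to a separate collector as they are written is what turns "truncated: -1" into a detected event.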
1.2. Fundamental concepts of Network Defense
CNSSI 4009-2022: Cyberspace Operation (CO)
• “The employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.”
• “Comprised of cyberspace attack, cyberspace defense, and related cyberspace exploitation enabling operations”
Cyberspace Operation = Cyber Attack + Cyberspace Exploitation + Cyberspace Defense
CNSSI 4009-2022: CO (cont.)
• Cyber Attack: Actions taken in cyberspace that create noticeable denial effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial that appears in a physical domain, and is considered a form of fires.
• Cyberspace Exploitation: Actions taken in cyberspace to gain intelligence, maneuver, collect information, or perform other enabling actions required to prepare for future military operations.
CNSSI 4009-2022: Cyberspace defense
• “Actions taken within protected cyberspace to defeat specific threats that have breached or are threatening to breach cyberspace security measures and include actions to detect, characterize, counter, and mitigate threats, including malware or the unauthorized activities of users, and to restore the system to a secure configuration.”
Essentials of Network defense
• Goal: A completely secure and robust network can be designed with proper implementation and configuration of network security elements.
• Elements of network security
• Network devices
• Network protocols
• Network security controls
• Network security is not just a term, but a process that organizations perform to defend the network in the context of reality.
Network defense benefits
• Protect information assets
• Comply with government and industry-specific regulations
• Ensure secure communication with clients and suppliers
• Reduce the risk of being attacked
• Gain a competitive edge over competitors by providing more secure services
Network defense challenges
• Distributed computing environments
• Networks are becoming vast and complex
• Information assets are widely distributed across multiple locations.
• Enemies are not only distributed but also remain anonymous
• Potential threats to the network evolve each day
• Lack of security skills
• TCP/IP protocol stack is not completely secure
Types of network defense approaches
• Preventive approaches: methods used to avoid threats or attacks on the target network
• Cryptography
• Authentication and Authorization
• Traffic filtering
• Hardening
• Vulnerability scanning and patching
Types of network defense approaches (cont.)
• Reactive approaches: methods used to detect attacks on the target network
• Cryptography
• System monitoring
• Logging and auditing
• Honeypot
• Intrusion Detection System
Detect if you can’t prevent
Types of network defense approaches (cont.)
• Retrospective approaches: examine the causes of attacks, and contain, remediate, eradicate, and recover from damage caused by attacks.
• Backup and Restore
• Digital Forensics
• Incident Response/Incident Handling
Types of network defense approaches (cont.)
• Proactive approaches: methods used to make informed decisions on potential attacks in the future:
• Threat hunting
• Threat intelligence
• Risk management
• Security policy
Components of network defense: Technologies
• Evaluated products
• Configuration management systems
• Firewalls
• IDS
• Access control systems
• Content filtering software
• Hardened/patched operating systems
• Encryption mechanism
• Authentication system
Components of network defense: People
• Security Architects
• Security Engineers
• End-users
• CND Operations Staff
• Network Technicians
• Security Analysts
• Informed Leadership
• Developer
•…
Components of network defense: Operations
• Security policy
• Standard operating procedures
• Business continuity plans
• Disaster Recovery
• Continuity of Operations
• Configuration Control Boards
• Incident response processes
• Forensics capabilities
• Security training
• Security as a culture
1.3. Defense-in-depth principle
Defense-in-depth (DID) principle
• There is no one-size-fits-all solution that can protect against all types of attacks
• Defense in depth (DID): cyber-attack prevention solutions need to be built with multiple layers of protection:
• Each layer performs a number of tasks
• Layers must coordinate to form a common strength for the system
• Gradually weaken the attack capability
• It becomes increasingly difficult for attacks to reach the inner layers
• Distinguishing from prevention
DID principle
• DID should be designed based on the components of CND:
• People
• Operation
• Technology
[Figure: concentric layers of People, Operation and Technology around the Asset]
DID principle
Network security controls
• Administrative security controls: the management implements administrative access control to ensure the safety of the organization
• Regulatory framework compliance
• Security policy
• Employee monitoring and supervising
• Asset classification
• Security awareness and training
Network security controls (cont.)
• Physical security controls: a set of security measures taken to prevent unauthorized access to physical devices
• Locks
• Fences
• Badge system
• Security guards
• Mantrap doors
• Lighting
• CCTV camera
• Motion detectors
• Alarm
• ….
Network security controls (cont.)
• Technical security controls:
• Access controls: Authentication, Authorization, Auditing
• Security protocols
• Network Segmentation
• VPN
• Firewall
• IDS/IPS
• Honeypot
• Antivirus/Anti-malware software