Malicious Network Activity Report 2
The computer network of a financial institution can be considered one of the most important components of its infrastructure. Financial institutions handle money transactions for millions of people, so the network must be protected and secured, especially since most banking transactions are now completed online. A representative from the Financial Services Information Sharing and Analysis Center (FS-ISAC) contacted the chief net defense liaison of the financial sector regarding reports of network intrusions occurring at various banks in the U.S.
The intrusion reports described millions of compromised files and distributed denial of service (DDoS) attacks that impacted the banks' customer websites and blocked potential transactions worth millions of dollars. USAA was among the banks affected by the recent cyber-attack, so the Federal Bureau of Investigation (FBI) cyber security sector engagement division deployed a team there to use a suite of network monitoring and intrusion tools to investigate the incident. The chief requested a report of the information obtained and a joint network defense bulletin with recommended prevention methods and remediation techniques for the FS-ISAC to distribute to the other financial institutions affected.
Paper For Above instruction
Introduction
In today’s digital age, safeguarding the network infrastructure of financial institutions like USAA is paramount due to the sensitive nature of the data they handle and the financial transactions they facilitate. This report thoroughly examines USAA’s network architecture, the potential vulnerabilities it faces, recent cyber threats, and recommended strategies for enhancing security measures to prevent future attacks.
USAA’s Network Architecture and Components
USAA’s network infrastructure consists of multiple interconnected components designed to ensure secure and efficient operations. Core to its architecture are protocols such as User Datagram Protocol (UDP) and Transmission Control Protocol/Internet Protocol (TCP/IP). UDP facilitates low-latency communication for services like DNS and SNMP, which are critical for real-time operations, whereas TCP/IP provides reliable, ordered data transmission and underpins the rest of the network's application traffic (University of Maryland Global Campus, 2021).
The network employs IP addressing schemes, primarily IPv4, with a secondary IPv6 setup to accommodate future expansion. USAA utilizes public class C IP address ranges for external access and private class A ranges for internal networks, effectively balancing accessibility with security (Meridian Outpost, 2021). Ports such as 22 (SSH), 53 (DNS), 80 (HTTP), 161 (SNMP), 443 (HTTPS), and 995 (POP3 over SSL) are instrumental but pose risks if left open without adequate safeguards.
Security devices incorporated include firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). Firewalls serve as the first line of defense, controlling inbound and outbound traffic. An IDS monitors network traffic for signs of malicious activity and alerts administrators upon detection, whereas an IPS sits inline and can actively block detected threats (GeeksforGeeks, 2020; Forcepoint, 2021). These devices collectively fortify USAA’s defenses against cyber threats.
Common Cyber Attacks Faced by USAA
USAA’s digital assets are vulnerable to multiple attack vectors. Spoofing attacks, such as DNS spoofing, redirect users to malicious sites by corrupting DNS caches, exploiting the dependency on DNS for domain resolution (University of Maryland Global Campus, 2021). Session hijacking involves intercepting or manipulating session tokens, allowing attackers to impersonate legitimate users and access sensitive information (OWASP, 2021).
Man-in-the-middle (MITM) attacks pose significant threats by intercepting communications between users and servers, often exploiting unsecured connections or compromised networks. Cache poisoning and similar forms of data manipulation are common tactics used by cybercriminals to feed false information to resolvers and network security tools.
To aid in deception and threat analysis, honeypots are employed as decoy systems designed to attract malicious actors, diverting them from real assets and collecting intelligence about attack methodologies (Kaspersky, 2021). However, sophisticated attackers may identify honeypots and craft spoofed attacks to obscure their true intent, necessitating comprehensive detection mechanisms.
False Positives and False Negatives in Threat Detection
The effectiveness of intrusion detection tools like IDS and IPS is pivotal, yet these systems are imperfect and often produce false positives and false negatives. A false positive occurs when benign activity triggers an alert, leading to potential alert fatigue, while a false negative occurs when actual malicious activity goes unflagged, increasing vulnerability (University of Maryland Global Campus, 2021).
Regular analysis of IDS logs, combined with statistical evaluations, can help pinpoint inefficiencies. For example, revising signature rules and thresholds can reduce misclassification rates. Tools such as Snort and Wireshark are essential for continuous monitoring, enabling administrators to fine-tune detection rules, distinguish genuine threats from false alarms, and maintain network integrity.
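The statistical evaluation described above can be automated. The following Python script, added here as an illustration and not taken from the original report, parses Snort fast-format alert lines, scores each signature (sid) against a list of sources confirmed malicious during incident response, flags signatures that fire mostly on benign traffic as candidates for revision, and lists known-malicious sources that never raised an alert (false negatives). The alert lines, sid numbers and addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Snort "fast" alert format, e.g.
# 03/14-10:22:01.123456  [**] [1:1000001:1] SSH brute force attempt [**] [Priority: 2] {TCP} 203.0.113.5:51234 -> 10.0.0.7:22
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

# Constructed alert lines (not from the report).
SAMPLE_ALERTS = """\
03/14-10:22:01.123456  [**] [1:1000001:1] SSH brute force attempt [**] [Priority: 2] {TCP} 203.0.113.5:51234 -> 10.0.0.7:22
03/14-10:22:09.445110  [**] [1:1000001:1] SSH brute force attempt [**] [Priority: 2] {TCP} 10.0.0.50:40122 -> 10.0.0.7:22
03/14-10:23:40.009812  [**] [1:1000004:1] HTTP GET for suspicious image [**] [Priority: 3] {TCP} 10.0.0.21:52001 -> 10.0.0.9:80
03/14-10:23:41.100233  [**] [1:1000004:1] HTTP GET for suspicious image [**] [Priority: 3] {TCP} 10.0.0.22:52002 -> 10.0.0.9:80
03/14-10:25:02.777001  [**] [1:1000004:1] HTTP GET for suspicious image [**] [Priority: 3] {TCP} 198.51.100.9:33010 -> 10.0.0.9:80
"""
# Sources confirmed malicious by the investigation (constructed ground truth).
KNOWN_MALICIOUS = {"203.0.113.5", "198.51.100.9", "192.0.2.77"}

def parse_alerts(text):
    """Yield (sid, msg, src, dst) for each line that parses as a Snort fast alert."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group("sid")), m.group("msg"), m.group("src"), m.group("dst")

def evaluate(text, known_malicious, max_fp_rate=0.5):
    """Score each signature against ground truth.
    Returns (per_sid, false_negatives, noisy_sids): per_sid maps sid -> {"tp": n, "fp": n}
    (an alert counts as a true positive only if its source is a known-malicious host);
    false_negatives are known-malicious sources that never raised an alert;
    noisy_sids are signatures whose false-positive share exceeds max_fp_rate."""
    per_sid = defaultdict(lambda: {"tp": 0, "fp": 0})
    alerted_sources = set()
    for sid, _msg, src, _dst in parse_alerts(text):
        alerted_sources.add(src)
        per_sid[sid]["tp" if src in known_malicious else "fp"] += 1
    false_negatives = sorted(known_malicious - alerted_sources)
    noisy = sorted(s for s, c in per_sid.items()
                   if c["fp"] / (c["tp"] + c["fp"]) > max_fp_rate)
    return dict(per_sid), false_negatives, noisy

if __name__ == "__main__":
    per_sid, fns, noisy = evaluate(SAMPLE_ALERTS, KNOWN_MALICIOUS)
    print("per-signature counts:", per_sid)
    print("missed malicious sources:", fns, "| signatures to revise:", noisy)
```

On the constructed data, sid 1000004 fires on two benign internal hosts for every confirmed-malicious one and is flagged for revision, while 192.0.2.77 appears in no alert and shows up as a false negative.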
Network Traffic Analysis and Forensics
Extensive traffic analysis conducted on USAA’s network revealed critical gaps, including commented-out rules in the Snort IDS configuration that prevented detection of malicious events. Once these rules were re-enabled, an influx of alerts indicated ongoing malicious activity, emphasizing the importance of thorough configuration reviews (Figures 4 and 5 in the original report).
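A configuration review of the kind described above can be scripted so that disabled detection rules do not go unnoticed. The following Python check, added here as an example and not taken from the original report, scans a Snort rules file and separates rules that have been commented out with a leading '#' from ordinary comments, listing the disabled rules by sid and message. The sample rules embedded in the script are constructed.

```python
import re

# A Snort rule line starts with an action and a protocol and ends with the option block
# in parentheses; an optional leading '#' marks a rule that has been commented out.
RULE_RE = re.compile(
    r"^(?P<comment>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+.*?\(.*?\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

# Constructed sample of a local.rules file (not from the report).
SAMPLE_RULES = """\
# Local rules reviewed during the engagement (constructed sample)
alert tcp any any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flags:S; threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:1;)
# alert udp any any -> $HOME_NET 53 (msg:"DNS cache poisoning response"; content:"|81 80|"; sid:1000002; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB suspicious session setup"; content:"|FF|SMB"; sid:1000003; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP GET for suspicious image"; content:"GET"; http_method; sid:1000004; rev:1;)
# TODO: tune SNMP rule before enabling
"""

def audit_rules(text):
    """Return (active, disabled) lists of (line_no, sid, msg) for every rule in a Snort rules file.
    A line whose leading '#' hides an otherwise complete rule counts as disabled;
    plain comments and blank lines are ignored."""
    active, disabled = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or an ordinary comment, not a rule
        sid = SID_RE.search(line)
        msg = MSG_RE.search(line)
        entry = (line_no, int(sid.group(1)) if sid else None, msg.group(1) if msg else "")
        (disabled if m.group("comment") else active).append(entry)
    return active, disabled

if __name__ == "__main__":
    active, disabled = audit_rules(SAMPLE_RULES)
    print(f"{len(active)} active rule(s), {len(disabled)} disabled rule(s)")
    for line_no, sid, msg in disabled:
        print(f"  line {line_no}: sid {sid} disabled -> {msg!r}")
```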
Packet capture tools such as Wireshark facilitated a detailed inspection of SMB, DNS, and HTTP protocol traffic, revealing numerous queries that returned errors and may signify attempts to exploit vulnerabilities or implant malicious payloads. Analyzing HTTP GET requests for images and other content can uncover hidden threats or malware delivery vectors, underscoring the need for continuous traffic monitoring (Rocha et al., 2018).
Enhancing Security Posture with Additional Tools and Techniques
While USAA’s current defenses are robust, integrating additional tools can bolster its security posture. Metasploit provides a framework for testing and evaluating system vulnerabilities by simulating attacks, helping identify weak points before malicious actors do (Ali, 2013). Nmap enables detailed scanning of open ports and services, pinpointing areas of potential exploitation.
Implementation of a next-generation firewall (NGFW), such as the FortiGate 4400F, offers advanced features like high throughput, deep packet inspection, and integrated threat intelligence, creating a more resilient perimeter defense (Fortinet, 2021). Incorporating internal segmentation, multi-factor authentication, and encryption protocols further reduces the attack surface.
Deploying a comprehensive security information and event management (SIEM) system can facilitate centralized analysis of security data and faster incident response. Regular staff training on emerging threats, combined with a proactive vulnerability management program, is essential for maintaining a resilient network environment.
Conclusion
In conclusion, USAA’s diligent use of layered security measures—including firewalls, IDS/IPS, and traffic analysis—serves as a strong foundation. Nevertheless, cyber threats are continually evolving, requiring ongoing vigilance and technological upgrades. The integration of advanced tools like NGFWs, SIEM systems, and penetration testing frameworks will be pivotal in thwarting future attacks. Continuous evaluation, staff training, and adherence to best practices are essential for safeguarding critical financial data and maintaining customer trust.
References
- Ali, M. N. B. (2013). Network architecture and security issues in campus networks. Semantic Scholar. https://www.semanticscholar.org
- Forcepoint. (2021, March 11). What is an Intrusion Prevention System (IPS)? https://www.forcepoint.com
- Fortinet. (2021). Next Generation Firewall (NGFW) - See Top Products. https://www.fortinet.com
- GeeksforGeeks. (2020, January 16). Intrusion Detection System (IDS). https://www.geeksforgeeks.org
- Kaspersky. (2021, January 13). What is a honeypot? https://www.kaspersky.com
- Meridian Outpost. (2021). 5 Classes of IPv4 Addresses [Class A, B, C, D and E]. https://meridianoutpost.com
- OWASP. (2021). Session hijacking attack. https://owasp.org
- Rocha, A., Adeli, H., Reis, L. P., & Costanzo, S. (2018). Trends and Advances in Information Systems and Technologies: Volume 3. Springer.
- University of Maryland Global Campus. (2021). False Positives and False Negatives. https://umgc.edu
- USAA. (2021). Official website and network overview documentation. https://usaa.com