Open Systems Interconnection Model (OSI) Troubleshooting and Mitigation Review
K. Green, 5/20
Transcript of a 37-slide deck.

Page 1: Title slide
Open Systems Interconnection Model (OSI) Troubleshooting and Mitigation Review
K. Green, 5/20

Page 2: Agenda
Prioritize Your Response:
1. Urgency
2. Cyber Kill Chain
3. Troubleshooting Process
4. Adversaries
5. OSI

Page 3: Prioritize Your Response - 1 - Urgency

Eisenhower Priority Matrix: before becoming President, Dwight D. Eisenhower was an Army general and World War II Allied Forces Supreme Commander.

URGENT + IMPORTANT - Do It Now - SEVERE
- Imminent threat, significant harm
- Critical infrastructure, government stability, safety/economy
- Physical consequence, damage to hardware/network

IMPORTANT + Not Urgent - Schedule Time - HIGH
- Demonstrable impact on national security, safety/economy, foreign relations, civil liberties/confidence
- Data corruption/destruction, DoS of a key system/service

URGENT + Not Important - Delegate - MEDIUM
- May impact national security, safety/economy, foreign relations, civil liberties/confidence
- Data theft / financial crime

Not Urgent + Not Important - Later - LOW
- Unlikely to impact national security, safety/economy, foreign relations, civil liberties/confidence
- Defacement / nuisance DoS

Page 4: Prioritize Your Response - 2 - Cyber Kill Chain
Lockheed Martin Cyber Kill Chain Controls (diagram)

Page 5: Prioritize Your Response - 3 - Troubleshooting Process
1. Identify Problem - question the user and listen to details
2. Theorize Probable Cause - research based on symptoms
3. Test Theory to Determine Cause - test and evaluate, least invasive first
4. Plan Actions - write and follow a plan
5. Verify Functionality - verify functionality and be preventative
6. Document

Page 6: Prioritize Your Response - 4 - Adversaries
Randy Seftas and Joshua Krage, NASA PMC, 2007 (adversary diagram)

Page 7: TCP/IP vs OSI Models

OSI: 7 layers, system architecture. TCP/IP (US DoD): 4 layers, network protocols.

OSI layer(s) -> TCP/IP layer
- Application, Presentation, Session -> Application
- Transport -> Transport
- Network -> Internet
- Data Link, Physical -> Network Interface

Page 8: OSI Model Layers
A guide so products, programs, and tools will interoperate. Starting with Physical:
1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application
Mnemonic: Please Do Not Throw Sausage Pizza Away

Pages 9-10: OSI Model - Physical Layer (Binary Transmission, Data Bits, Media)
Networking: Bits
- Bluetooth
- Copper Cable
- DSL / ISDN
- Fiber Cable
- Wireless Signal
Security:
- Bluejacking / Bluesnarfing
- Environmental Control
- Jamming
- Keylogger
- Physical Damage
- Power Brownout / Loss / Surge
- Rogue Access Points
- Theft
- Wireless Sniffing / Tapping

Pages 11-12: OSI Model - Physical Layer (Binary Transmission, Data Bits, Media)
Troubleshooting:
- Is it plugged in?
- Is it using the right cable?
- Is the cable damaged?
- Is it turned on? (check wall plug / power bar / surge protector / circuit breaker / fuse)
- Is there interference / blockage?
Mitigation:
- Cover unused wall ports
- Environmental Control
- Optical Fiber vs Copper Wire
- Physical Security (doors, locks, badges, RFID)
- Redundant Hardware
- UPS Uninterruptible Power Supply
- Weather Preparedness

Pages 13-14: OSI Model - Data Link Layer (Encapsulation, Organize / Transmit Data; sublayers: Logical Link Layer, Media Access Control)
Networking: Frames (Switches)
- Ethernet
- ARP
- CDP Cisco Discovery Protocol
- ATM / FDDI / Frame-Relay
- HDLC
- PPP
- SDN / OpenFlow
- STP Spanning Tree Protocol
- Token Ring
Security:
- ARP Poisoning
- Broadcast Storm
- Double Encapsulation
- MAC Flooding / MAC Spoofing
- Multicast Brute Force
- Spanning Tree Attacks
- VLAN Trunk Attacks
- VLAN Hopping Attacks
- WEP Cracking

Pages 15-16: OSI Model - Data Link Layer (Encapsulation, Organize / Transmit Data; sublayers: Logical Link Layer, Media Access Control)
Troubleshooting:
- Confirm correct protocol (Ethernet, Wi-Fi, Bluetooth)
- Confirm connection settings (has it reverted to earlier settings?)
- Is a firewall / appliance blocking?
- NIC configuration / replacement
Mitigation:
- ACL Access Control List (MAC, port, VLAN)
- Broadcast Storm Control
- Deactivate unused switch ports
- DHCP Snooping
- Dynamic ARP Inspection
- MAC Filter / Port Security
- PVLAN Protected Port
- Spanning Tree BPDU / Root Guard
- VLAN Segment
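The slide pairs "ARP Poisoning" (security) with "Dynamic ARP Inspection" and "DHCP Snooping" (mitigation). The check a switch performs is simple: every ARP reply's sender IP/MAC pair is compared against a trusted binding table built by DHCP snooping, and contradictions are dropped and logged. The following is an added example, not code from K. Green's deck, that runs that same check offline in Python over a constructed capture of ARP replies and a constructed binding table; every IP, MAC and port name in it is made up.

```python
"""Detect ARP poisoning indicators from a capture of ARP replies.

Mirrors what Dynamic ARP Inspection (DAI) does on a switch: each ARP
reply's sender IP/MAC pair is checked against a trusted binding table
(on a switch that table comes from DHCP snooping). Replies that
contradict the table, one IP claimed by several MACs, or one MAC
answering for several IPs are flagged. All data here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture timestamp in seconds
    sender_ip: str    # IP the sender claims to own
    sender_mac: str   # MAC the sender wants that IP mapped to
    port: str         # switch port the reply arrived on


# Constructed trusted IP -> MAC bindings (a DHCP snooping table on a real switch).
BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.10": "00:11:22:33:44:10",
    "10.0.0.11": "00:11:22:33:44:11",
}

# Constructed ARP replies; the third and fifth contradict the bindings.
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.0.0.10", "00:11:22:33:44:10", "Gi0/2"),
    ArpReply(1.5, "10.0.0.1", "00:11:22:33:44:01", "Gi0/1"),
    ArpReply(2.0, "10.0.0.1", "de:ad:be:ef:00:99", "Gi0/7"),    # gateway IP from the wrong MAC
    ArpReply(2.5, "10.0.0.11", "00:11:22:33:44:11", "Gi0/3"),
    ArpReply(3.0, "10.0.0.11", "de:ad:be:ef:00:99", "Gi0/7"),   # same MAC now claims a second IP
]


def check_against_bindings(replies, bindings):
    """Return replies whose sender IP/MAC pair contradicts a trusted binding.

    IPs absent from the table are not flagged here; the point is
    contradictions of bindings we already trust.
    """
    return [r for r in replies
            if r.sender_ip in bindings and bindings[r.sender_ip] != r.sender_mac.lower()]


def ips_with_multiple_macs(replies):
    """Map each IP claimed by more than one MAC to the set of MACs that claimed it."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.sender_ip].add(r.sender_mac.lower())
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def macs_claiming_multiple_ips(replies):
    """One MAC answering for several IPs is the classic poisoning pattern."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.sender_mac.lower()].add(r.sender_ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


def arp_report(replies=SAMPLE_REPLIES, bindings=BINDINGS):
    """Combine the three checks into one summary dict."""
    return {
        "binding_violations": [(r.sender_ip, r.sender_mac, r.port)
                               for r in check_against_bindings(replies, bindings)],
        "ips_multi_mac": ips_with_multiple_macs(replies),
        "macs_multi_ip": macs_claiming_multiple_ips(replies),
    }


if __name__ == "__main__":
    for key, value in arp_report().items():
        print(key, value)
```

The binding check is the one DAI enforces per port; the two aggregate checks are what a host-side or IDS view adds, since a switch without DAI will never see the contradiction. The port field in each violation is what tells you which access port to shut.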

Pages 17-18: OSI Model - Network Layer (IP Address, Packet Forwarding, Routing)
Networking: Packets (Routers), Path Determination
- DVMRP Distance Vector Multicast
- ICMP
- IGMP
- IPv4 / IPv6
- IPSec
- IPX
Security:
- Address Spoofing
- Black Hole Routing
- ICMP / Ping Flood / Smurf
- Man In The Middle
- Open / Unencrypted Transmission
- Replay Attack
- Route Spoofing
- Teardrop Attack
- Unauthorized Access

Pages 19-20: OSI Model - Network Layer (IP Address, Packet Forwarding)
Troubleshooting:
- Confirm name / IP address
- Confirm gateway / DNS server
- Confirm domain / workgroup
- Confirm Wi-Fi SSID
- ICMP (ping, traceroute)
Mitigation:
- Content Filtering
- ICMP Rate Limit
- IPSec
- Network IDS
- Secure Router Access

Pages 21-22: OSI Model - Transport Layer (Error Checking, Flow Control, Reliable Delivery / Sequencing)
Networking: Segment / Datagram
- AppleTalk
- SCTP (Stream Control Transmission Protocol)
- TCP (connection oriented, 3-way handshake)
- UDP (fast: DNS, SNMP, streaming)
- Multiplexing
- Virtual Circuit Management
Security:
- Fingerprinting / Host Enumeration
- Port Scan
- Routing Protocol Attacks
- Sequence # Injection
- Service Enumeration
- SYN Flood
- TCP Desynchronization
- TCP Hijacking

Pages 23-24: OSI Model - Transport Layer (Error Checking, Flow Control, Reliable Delivery / Sequencing)
Troubleshooting:
- Latency / Congestion
- TTL Time to Live
- Triggered backup / virus scan
Mitigation:
- ACL Access Control List
- Blackhole by ISP
- Decrease confirmation wait time
- Increase unconfirmed connections
- Network Firewall
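The transport-layer mitigations "decrease confirmation wait time" and "increase unconfirmed connections" both target the SYN flood listed on the previous slide: the symptom on the victim is a backlog of half-open connections stuck in SYN-RECV because the third step of the 3-way handshake never arrives. The following is an added example, not from K. Green's deck, that recognises that symptom in a snapshot of socket states: it parses `ss -tan`-style output (the lines are constructed, with documentation-range addresses) and reports listening ports whose half-open count is at or above a threshold together with the peers responsible.

```python
"""Spot a SYN flood in a snapshot of TCP socket states.

A SYN flood shows up as many half-open (SYN-RECV) connections that never
finish the 3-way handshake. This parses `ss -tan`-style output and flags
ports with a high half-open count plus the peers behind most of them.
The snapshot below is constructed for the example.
"""
from collections import Counter

# Constructed snapshot in `ss -tan` column order:
# State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN   0      128    0.0.0.0:443        0.0.0.0:*
ESTAB    0      0      10.0.0.5:443       203.0.113.4:50122
SYN-RECV 0      0      10.0.0.5:443       198.51.100.7:51234
SYN-RECV 0      0      10.0.0.5:443       198.51.100.7:51235
SYN-RECV 0      0      10.0.0.5:443       198.51.100.7:51236
SYN-RECV 0      0      10.0.0.5:443       198.51.100.9:40001
SYN-RECV 0      0      10.0.0.5:443       192.0.2.33:6001
SYN-RECV 0      0      10.0.0.5:22        192.0.2.34:6002
ESTAB    0      0      10.0.0.5:22        203.0.113.8:55000
"""


def parse_ss(text):
    """Return (state, local_port, peer_ip) tuples, skipping the header line.

    rsplit on the last ':' keeps bracketed IPv6 addresses such as [::1]:443 intact.
    """
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = local.rsplit(":", 1)[1]
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def half_open_by_port(rows):
    """Count SYN-RECV sockets per local port."""
    return Counter(port for state, port, _ in rows if state == "SYN-RECV")


def half_open_by_peer(rows, port):
    """Count SYN-RECV sockets on one port per peer IP, most frequent first."""
    return Counter(peer for state, p, peer in rows
                   if state == "SYN-RECV" and p == port).most_common()


def syn_flood_report(text=SAMPLE_SS_OUTPUT, threshold=3):
    """Return {port: {"half_open": n, "top_peers": [...]}} for ports at or over threshold.

    The default threshold is tiny so the constructed sample trips it; on a
    real host compare against the kernel's SYN backlog size instead.
    """
    rows = parse_ss(text)
    report = {}
    for port, n in half_open_by_port(rows).items():
        if n >= threshold:
            report[port] = {"half_open": n,
                            "top_peers": half_open_by_peer(rows, port)[:3]}
    return report


if __name__ == "__main__":
    for port, info in syn_flood_report().items():
        print(f"port {port}: {info['half_open']} half-open, top peers {info['top_peers']}")
```

On Linux the two slide mitigations map onto `net.ipv4.tcp_synack_retries` (fewer SYN-ACK retransmissions, so a half-open entry is abandoned sooner) and `net.ipv4.tcp_max_syn_backlog` (a larger half-open queue), with `net.ipv4.tcp_syncookies` as the usual backstop once the queue fills; a spread of peers with few SYNs each, as in the sample, is the reason per-source blocking alone rarely suffices.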

Pages 25-26: OSI Model - Session Layer (Authentication, Authorization, Connection, Port, Session)
Networking: Data
- L2F Layer 2 Forwarding
- L2TP Layer 2 Tunneling
- Network File System (NFS)
- PAP
- RPC Remote Procedure Call
- SCP Session Control Protocol
- SIP Session Initiation Protocol
- Structured Query Language (SQL)
- Server Message Block (SMB)
- Zone Information Protocol
Security:
- Brute force attacks on credentials
- DNS Flood
- Pass session credentials in clear
- Portmapper Exploits
- Root Privilege Access
- RPC Worms
- Session Hijacking
- SSL Flood
- SSL Renegotiation
- Weak / no authentication

Pages 27-28: OSI Model - Session Layer (Authentication, Authorization, Connection, Port, Session)
Troubleshooting:
- Did a device standby / sleep?
- Server / cluster failover session
Mitigation:
- Patch / Update by Manufacturer

Pages 29-30: OSI Model - Presentation Layer (Compression, Data Conversion, Encryption)
Networking: Data
- Text to ASCII characters
- Text to EBCDIC
- HTTPS / SSL
- GIF / JPG / MPEG
Security:
- Clear Text Extraction
- Malformed SSL Requests
- SSL to tunnel HTTP attacks
- Unexpected input crashes app
- Unexpected input allows control
- Virus / Worm Transmission

Pages 31-32: OSI Model - Presentation Layer (Compression, Data Conversion, Encryption)
Troubleshooting:
- Changed encryption key
- Update to unsupported service (ex: outdated browser can't use a script or encoding standard)
Mitigation:
- Auditing
- Encryption
- Host Intrusion Detect / Prevent

Pages 33-34: OSI Model - Application Layer (Interacts With User)
Networking: Data
- Bitcoin
- BitTorrent
- FTP / TFTP
- HTTP / TOR
- LDAP
- RIP Routing Information Protocol
- SMTP
- SNMP
- Telnet
Security:
- Application Vulnerabilities
- Back Door
- Clock Skewing
- DDoS
- DNS Poisoning
- Excessive / Insufficient Access
- File System Bugs
- Phishing
- SQL Injection
- Selective Message Forward
- URL Redirect

Pages 35-36: OSI Model - Application Layer (Interacts With User)
Troubleshooting:
- Server date / time, NTP server
- Corrupted cache
- Corrupted application files (patch, repair, update, reinstall)
- Unable to connect to updater service or third party
Mitigation:
- Antivirus
- Application Firewall
- Application Monitoring
- Corporate Policies
- Dynamic Firewall Rules (ports not always open)
- IDS Intrusion Detect
- IPS Intrusion Prevent
- OS Hardening / Patch / Update
- User Education

Page 37: Closing
Open Systems Interconnection Model (OSI) Troubleshooting and Mitigation
K. Green, [email protected]
https://www.linkedin.com/in/kim-g-5799006