Open Systems Interconnection Model (OSI) Troubleshooting and Mitigation Review
K. Green, 5/20
Agenda
1. Urgency
2. Cyber Kill Chain
3. Troubleshooting Process
4. Adversaries
5. OSI
Prioritize Your Response
Eisenhower Priority Matrix: before becoming President, Dwight D. Eisenhower was an Army general and World War II Allied Forces Supreme Commander
Prioritize Your Response - 1 - Urgency
URGENT + IMPORTANT (Do It Now) = SEVERE: imminent threat; significant harm to critical infrastructure, government stability, safety/economy; physical consequence; damage to hardware/network.
IMPORTANT + Not Urgent (Schedule Time) = HIGH: demonstrable impact on national security, safety/economy, foreign relations, civil liberties/confidence; data corruption/destruction; DoS of a key system/service.
URGENT + Not Important (Delegate) = MEDIUM: may impact national security, safety/economy, foreign relations, civil liberties/confidence; data theft / financial crime.
Not Urgent + Not Important (Later) = LOW: unlikely to impact national security, safety/economy, foreign relations, civil liberties/confidence; defacement / nuisance DoS.
Prioritize Your Response - 2 - Cyber Kill Chain
Lockheed Martin Cyber Kill Chain Controls [figure]
Prioritize Your Response - 3 - Troubleshooting Process
1. Identify the problem: question the user and listen to the details.
2. Theorize the probable cause: research based on the symptoms.
3. Test the theory to determine the cause: test and evaluate, least invasive first.
4. Plan actions: write and follow the plan.
5. Verify functionality: verify full functionality and be preventative.
6. Document.
Prioritize Your Response - 4 - Adversaries
Randy Seftas and Joshua Krage, NASAPMC, 2007
TCP/IP vs OSI Models
OSI (7 layers, system architecture)    TCP/IP / US DoD (4 layers, network protocols)
Application                            Application
Presentation                           Application
Session                                Application
Transport                              Transport
Network                                Internet
Data Link                              Network Interface
Physical                               Network Interface
OSI Model Layers
Physical
Data Link
Network
Transport
Session
Presentation
Application
A reference guide so that products, programs, and tools interoperate. Mnemonic, starting with Physical: Please Do Not Throw Sausage Pizza Away.
OSI Model - Physical Layer
Function: binary transmission, data bits, media.
Networking: bits; Bluetooth; copper cable; DSL / ISDN; fiber cable; wireless signal.
Security: bluejacking / bluesnarfing; environmental control failure; jamming; hardware keylogger; physical damage; power brownout / loss / surge; rogue access points; theft; wireless sniffing / tapping.
OSI Model - Physical Layer - Troubleshooting and Mitigation
Troubleshooting: Is it plugged in? Is it using the right cable? Is the cable damaged? Is it turned on? (check wall plug, power bar, surge protector, circuit breaker, fuse) Is there interference or blockage?
Mitigation: cover unused wall ports; environmental control; optical fiber instead of copper wire (immune to electrical interference, harder to tap); physical security (doors, locks, badges, RFID); redundant hardware; UPS (uninterruptible power supply); weather preparedness.
OSI Model - Data Link Layer
Function: encapsulation, organize / transmit data. Sublayers: Logical Link Control (LLC) and Media Access Control (MAC).
Networking: frames (switches); Ethernet; ARP; CDP (Cisco Discovery Protocol); ATM / FDDI / Frame Relay; HDLC; PPP; SDN / OpenFlow; STP (Spanning Tree Protocol); Token Ring.
Security: ARP poisoning; broadcast storm; double encapsulation (double-tagged 802.1Q frames); MAC flooding / MAC spoofing; multicast brute force; spanning tree attacks; VLAN trunk attacks; VLAN hopping attacks; WEP cracking.
OSI Model - Data Link Layer - Troubleshooting and Mitigation
Troubleshooting: confirm the correct protocol (Ethernet, Wi-Fi, Bluetooth); confirm connection settings (has it reverted to earlier settings?); is a firewall or appliance blocking?; NIC configuration / replacement.
Mitigation: ACL (access control list) by MAC, port, or VLAN; broadcast storm control; deactivate unused switch ports; DHCP snooping; Dynamic ARP Inspection (validates ARP against the DHCP snooping binding table); MAC filter / port security; PVLAN protected port; spanning tree BPDU Guard / Root Guard; VLAN segmentation.
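Dynamic ARP Inspection in software, as an added example that is not part of the original slides: it parses raw Ethernet/ARP frames and checks the sender's IP-to-MAC claim against a binding table of the kind DHCP snooping builds on a switch. The binding table, the MAC and IP addresses and the four sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    src_mac: str        # Ethernet source address
    opcode: int
    sender_mac: str     # ARP sender hardware address (the claim being made)
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac(src), opcode, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip,
              dst_mac="ff:ff:ff:ff:ff:ff") -> bytes:
    """Construct a frame; used only to create the sample traffic below."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


class ArpInspector:
    """Validate ARP sender claims against a trusted IP -> MAC binding table."""

    def __init__(self, bindings: dict):
        self.bindings = dict(bindings)

    def inspect(self, frame: bytes) -> list:
        """Return a list of findings; an empty list means the frame is consistent."""
        arp = parse_arp(frame)
        findings = []
        if arp.src_mac != arp.sender_mac:
            findings.append(f"Ethernet source {arp.src_mac} != ARP sender {arp.sender_mac}")
        expected = self.bindings.get(arp.sender_ip)
        if expected is None:
            findings.append(f"no binding for {arp.sender_ip}")
        elif expected != arp.sender_mac:
            findings.append(f"{arp.sender_ip} is bound to {expected}, claimed by {arp.sender_mac}")
        return findings


# Constructed binding table and traffic (hypothetical addresses).
GATEWAY_MAC, HOST_MAC, ATTACKER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:14", "02:00:00:00:00:ff"
BINDINGS = {"10.0.0.1": GATEWAY_MAC, "10.0.0.20": HOST_MAC}
SAMPLE_FRAMES = {
    # genuine reply from the gateway to the host
    "legit_reply": build_arp(GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, "10.0.0.1", HOST_MAC, "10.0.0.20", HOST_MAC),
    # poisoning: attacker tells the host that the gateway IP lives at the attacker's MAC
    "poisoned_reply": build_arp(ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, "10.0.0.1", HOST_MAC, "10.0.0.20", HOST_MAC),
    # attacker forges the gateway's MAC inside ARP but not in the Ethernet header
    "spoofed_sender": build_arp(ATTACKER_MAC, ARP_REQUEST, GATEWAY_MAC, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.20"),
    # a host the binding table has never seen
    "unknown_host": build_arp("02:00:00:00:00:33", ARP_REQUEST, "02:00:00:00:00:33", "10.0.0.99", "00:00:00:00:00:00", "10.0.0.1"),
}


def inspect_samples() -> dict:
    inspector = ArpInspector(BINDINGS)
    return {name: inspector.inspect(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, findings in inspect_samples().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

On a real switch the binding table is populated by DHCP snooping on untrusted ports, and frames that fail inspection are dropped and logged; the Ethernet-source versus ARP-sender mismatch check is what the slides call MAC filtering / port security applied to the ARP payload.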
OSI Model - Network Layer
Function: IP addressing, packet forwarding, routing.
Networking: packets (routers); path determination; DVMRP (Distance Vector Multicast Routing Protocol); ICMP; IGMP; IPv4 / IPv6; IPsec; IPX.
Security: address spoofing; black hole routing; ICMP / ping flood / Smurf; man in the middle; open / unencrypted transmission; replay attack; route spoofing; teardrop attack (overlapping IP fragments); unauthorized access.
OSI Model - Network Layer - Troubleshooting and Mitigation
Troubleshooting: confirm name / IP address; confirm gateway / DNS server; confirm domain / workgroup; confirm Wi-Fi SSID; ICMP (ping, traceroute).
Mitigation: content filtering; ICMP rate limiting; IPsec; network IDS; secure router access.
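ICMP rate limiting and the Smurf check in code, as an added example that is not part of the original slides: it validates the IPv4 header checksum, applies a per-source token bucket to echo requests, and drops echo requests aimed at the protected network's directed broadcast address. The protected network, the rate and burst values and the sample packets are constructed for the example.

```python
import struct
import ipaddress
from collections import defaultdict


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; over a header that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, ident: int = 1, seq: int = 1) -> bytes:
    """Construct an IPv4 packet carrying an ICMP echo request (sample traffic only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_icmp(packet: bytes) -> dict:
    """Validate the IPv4 header and return the fields an ICMP filter needs."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 1:
        raise ValueError("not ICMP")
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "ttl": ttl, "type": packet[ihl], "code": packet[ihl + 1]}


class IcmpFilter:
    """Per-source token bucket for ICMP plus a directed-broadcast (Smurf) check."""

    def __init__(self, protected_net: str, rate_per_sec: float, burst: int):
        self.net = ipaddress.ip_network(protected_net)
        self.rate, self.burst = rate_per_sec, burst
        self.tokens = defaultdict(lambda: float(burst))  # one bucket per source IP
        self.last_ms = {}

    def verdict(self, packet: bytes, now_ms: int) -> str:
        try:
            p = parse_icmp(packet)
        except ValueError:
            return "malformed"
        # Smurf: an echo request to the directed broadcast address makes every host on
        # the segment answer the (spoofed) source, so it is dropped before any accounting.
        if p["type"] == 8 and ipaddress.ip_address(p["dst"]) == self.net.broadcast_address:
            return "smurf"
        src = p["src"]
        elapsed_s = (now_ms - self.last_ms.get(src, now_ms)) / 1000.0
        self.last_ms[src] = now_ms
        self.tokens[src] = min(float(self.burst), self.tokens[src] + elapsed_s * self.rate)
        if self.tokens[src] < 1.0:
            return "rate_limited"
        self.tokens[src] -= 1.0
        return "admitted"


def run_sample() -> dict:
    """Constructed scenario: a ping flood, one Smurf probe and one corrupted packet."""
    filt = IcmpFilter("192.0.2.0/24", rate_per_sec=10, burst=5)
    counts = defaultdict(int)
    for i in range(20):  # 20 echo requests 1 ms apart from one source: far above 10/s
        counts[filt.verdict(build_icmp_echo("203.0.113.5", "192.0.2.10", seq=i), now_ms=i)] += 1
    counts[filt.verdict(build_icmp_echo("203.0.113.5", "192.0.2.255"), now_ms=100)] += 1
    damaged = bytearray(build_icmp_echo("203.0.113.9", "192.0.2.10"))
    damaged[8] = 1  # alter the TTL byte without recomputing the checksum
    counts[filt.verdict(bytes(damaged), now_ms=101)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(run_sample())
```

The burst lets a normal ping or traceroute through untouched while a flood is throttled to the sustained rate; on routers the same idea appears as an ICMP rate limit plus "no ip directed-broadcast" on the interface.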
OSI Model - Transport Layer
Function: error checking, flow control, reliable delivery / sequencing.
Networking: segment (TCP) / datagram (UDP); AppleTalk; SCTP (Stream Control Transmission Protocol); TCP (connection oriented, 3-way handshake); UDP (fast: DNS, SNMP, streaming); multiplexing (ports); virtual circuit management.
Security: fingerprinting / host enumeration; port scan; routing protocol attacks; sequence number injection; service enumeration; SYN flood; TCP desynchronization; TCP hijacking.
OSI Model - Transport Layer - Troubleshooting and Mitigation
Troubleshooting: latency / congestion; TTL (time to live) expiry; a triggered backup or virus scan saturating the link.
Mitigation: ACL (access control list); blackhole by ISP; decrease the confirmation wait time (SYN-RECEIVED timeout) and increase the unconfirmed connection limit (half-open backlog) so the listener survives a SYN flood; network firewall.
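To make the last two transport-layer mitigations concrete, here is an added example that is not part of the original slides: it parses raw TCP headers, models a listener's half-open (SYN-RECEIVED) queue, and replays a constructed SYN flood against a default and a tuned configuration. The hosts, ports, queue sizes and timeouts are hypothetical values chosen for the example.

```python
import struct
from collections import OrderedDict

FLAG_SYN, FLAG_ACK = 0x02, 0x10


def build_tcp(src_port: int, dst_port: int, seq: int, ack: int, flags: int) -> bytes:
    """Construct a bare 20-byte TCP header (sample traffic only; checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "hdr_len": (off >> 4) * 4}


class SynBacklog:
    """Model of a listener's SYN-RECEIVED queue: the resource a SYN flood exhausts."""

    def __init__(self, max_half_open: int, syn_recv_timeout_ms: int):
        self.max = max_half_open
        self.timeout_ms = syn_recv_timeout_ms
        self.half_open = OrderedDict()  # (src_ip, src_port) -> arrival time, oldest first
        self.stats = {"syn_received": 0, "established": 0, "dropped": 0, "expired": 0}

    def _expire(self, now_ms: int) -> None:
        # Entries are inserted in time order, so expiry stops at the first live one.
        while self.half_open:
            _, ts = next(iter(self.half_open.items()))
            if now_ms - ts <= self.timeout_ms:
                break
            self.half_open.popitem(last=False)
            self.stats["expired"] += 1

    def on_segment(self, src_ip: str, segment: bytes, now_ms: int) -> str:
        t = parse_tcp(segment)
        self._expire(now_ms)
        key = (src_ip, t["src_port"])
        if t["flags"] & FLAG_SYN and not t["flags"] & FLAG_ACK:
            if len(self.half_open) >= self.max:
                self.stats["dropped"] += 1
                return "dropped"
            self.half_open[key] = now_ms
            self.stats["syn_received"] += 1
            return "syn_received"
        if t["flags"] & FLAG_ACK and key in self.half_open:  # third handshake message
            del self.half_open[key]
            self.stats["established"] += 1
            return "established"
        return "ignored"


def simulate(max_half_open: int, syn_recv_timeout_ms: int) -> dict:
    """300 SYNs 10 ms apart that are never completed, then one real client at t = 3.5 s."""
    listener = SynBacklog(max_half_open, syn_recv_timeout_ms)
    for i in range(300):
        listener.on_segment("203.0.113.7", build_tcp(20000 + i, 443, 1000 + i, 0, FLAG_SYN), now_ms=i * 10)
    client = "198.51.100.4"
    syn = listener.on_segment(client, build_tcp(51000, 443, 7, 0, FLAG_SYN), now_ms=3500)
    ack = listener.on_segment(client, build_tcp(51000, 443, 8, 1, FLAG_ACK), now_ms=3510)
    return {"legit_syn": syn, "legit_ack": ack, "half_open_now": len(listener.half_open), **listener.stats}


DEFAULT = simulate(max_half_open=128, syn_recv_timeout_ms=60_000)
HARDENED = simulate(max_half_open=1024, syn_recv_timeout_ms=3_000)

if __name__ == "__main__":
    print("default :", DEFAULT)
    print("hardened:", HARDENED)
```

With the small queue and long timeout the flood fills the backlog within the first 1.3 s and the real client's SYN is dropped; with the larger queue and short timeout the oldest flood entries expire before the client arrives and its handshake completes. Both tunings only buy time against a larger flood: SYN cookies (RFC 4987) remove the per-connection state entirely and are the usual answer in production.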
OSI Model - Session Layer
Function: authentication, authorization, connection, port, session.
Networking: data; L2F (Layer 2 Forwarding); L2TP (Layer 2 Tunneling Protocol); NFS (Network File System); PAP; RPC (Remote Procedure Call); SCP (Session Control Protocol); SIP (Session Initiation Protocol); SQL (Structured Query Language); SMB (Server Message Block); ZIP (Zone Information Protocol).
Security: brute force attacks on credentials; DNS flood; session credentials passed in the clear; portmapper exploits; root privilege access; RPC worms; session hijacking; SSL flood; SSL renegotiation; weak / no authentication.
OSI Model - Session Layer - Troubleshooting and Mitigation
Troubleshooting: did a device go to standby / sleep?; did a server / cluster failover drop the session?
Mitigation: patch / update by manufacturer.
OSI Model - Presentation Layer
Function: compression, data conversion, encryption.
Networking: data; text to ASCII characters; text to EBCDIC; HTTPS / SSL (TLS); GIF / JPG / MPEG.
Security: clear text extraction; malformed SSL requests; SSL used to tunnel HTTP attacks past inspection; unexpected input crashes the application; unexpected input allows control of the application; virus / worm transmission.
OSI Model - Presentation Layer - Troubleshooting and Mitigation
Troubleshooting: changed encryption key; update to an unsupported service (e.g. an outdated browser cannot use a script or encoding standard).
Mitigation: auditing; encryption; host intrusion detection / prevention.
OSI Model - Application Layer
Function: interacts with the user.
Networking: data; Bitcoin; BitTorrent; FTP / TFTP; HTTP / Tor; LDAP; RIP (Routing Information Protocol); SMTP; SNMP; Telnet.
Security: application vulnerabilities; back door; clock skewing; DDoS; DNS poisoning; excessive / insufficient access; file system bugs; phishing; SQL injection; selective message forwarding; URL redirect.
OSI Model - Application Layer - Troubleshooting and Mitigation
Troubleshooting: server date / time and NTP server; corrupted cache; corrupted application files (patch, repair, update, reinstall); unable to connect to the updater service or a third party.
Mitigation: antivirus; application firewall; application monitoring; corporate policies; dynamic firewall rules (ports not always open); IDS (intrusion detection); IPS (intrusion prevention); OS hardening / patch / update; user education.
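The application-layer threat the slides list as SQL injection, shown as an added example that is not part of the original deck: the same user lookup written with string concatenation and with a bound parameter, run against two constructed attacker inputs on an in-memory SQLite table. The table, the user records and the payload strings are invented for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "$2b$12$hash-a", "admin"), ("bob", "$2b$12$hash-b", "user")])
    return con


def find_user_vulnerable(con: sqlite3.Connection, username: str) -> list:
    """Input is concatenated into the statement, so it can change the query's structure."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return sorted(con.execute(sql).fetchall())


def find_user_hardened(con: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the driver passes the input as data, never as SQL text."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return sorted(con.execute(sql, (username,)).fetchall())


# Two constructed attacker inputs: a tautology that defeats the WHERE clause, and a UNION
# that pulls a column the query was never meant to expose.
PAYLOADS = {
    "tautology": "x' OR '1'='1",
    "union": "' UNION SELECT username, password_hash FROM users --",
}


def compare() -> dict:
    """Run every payload through both versions and return what each one leaks."""
    con = make_db()
    return {name: {"vulnerable": find_user_vulnerable(con, payload),
                   "hardened": find_user_hardened(con, payload)}
            for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The hardened version returns no rows for either payload because the whole string is compared as a username; the vulnerable version returns every user for the tautology and every password hash for the UNION. Parameterized queries are the fix the slides' "application firewall" and "application monitoring" items only detect or contain.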
Open Systems Interconnection Model (OSI) Troubleshooting and Mitigation
https://www.linkedin.com/in/kim-g-5799006