Hello,
This is a two-part question. First I will need the discussion question answer, which will be below in bold, 300 words, APA format. For the responses I will need two responses of at least 175 words each.
Network activity can be classified as normal, suspicious, or malicious. How is network activity differentiated? Provide examples.
Part two
Student one:
Network activity can be classified as normal, suspicious, or malicious. How is network activity differentiated? Provide examples.
What an organization first must do is create a network baseline. This is done through the study of normal network activity with assets, users, and interaction by the network systems. This creates patterns such as when users are mostly on or how much data is generated on a day-to-day basis. At this point, we will be able to identify network activity as normal due to the baseline of what was classified as normal. When the network is analyzed, anything that deviates from this baseline is going to be classified as suspicious. Depending on the network capture, at this point, it can also be classified as malicious. A further investigation will need to take place and an analysis of the network capture will be conducted to further classify it as suspicious or malicious.
A signature scan can passively scan the network with its database of signatures. This is important in network monitoring because if the signature matches anything on the network, it can flag a network capture and block certain network traffic before it enters the organization's intranet or leaves. Intrusion detection and prevention systems monitor the network and utilize a baseline to determine whether the network traffic is normal, suspicious, or malicious.
Examples of suspicious activities would be a user deviating from normal work hours. If this user works 8-5 and is now logged in at 0300, this may cause a flag and be classified as suspicious activity. Another example would be an unusual amount of data from a certain workstation or the organization as a whole. Again, this would be off the baseline that was conducted to determine if this is suspicious.
Examples of malicious activity would be a sudden loss of network activity. This could be the starting point of a DDoS attack. Another example would also be connections to the organization's network from unusual places and locations. Additionally, as I talked about, users making connections during unusual times could first be deemed suspicious, but it could easily turn into malicious due to such attacks as privilege escalation or social engineering.
I look forward to reading all your comments and hope you have a great rest of your week.
References
Bejtlich, R. (2004). The Tao of Network Security Monitoring: Beyond intrusion detection. Boston, MA: Addison-Wesley.
Network traffic provides early indication of malware infection. (2017, May 22). Retrieved April 6, 2020, from https://www.sciencedaily.com/releases/2017/05/1705…
Von Ogden, J. (2018, June 12). Monitoring for Suspicious Network Activity. Retrieved April 6, 2020, from https://www.cimcor.com/blog/monitoring-for-suspici…
Student two:
Bejtlich (2005) states that there are three classifications of network activity. They are normal, suspicious and malicious. Normal network activity is the baseline of what the analyst expects to see in the network. But what is normal network activity? According to Gates (2019), normal network activity is a baseline of previous network activity that has been ruled to be normal. To determine if network activity is normal the analyst will be looking at three factors: first, "who are communications occurring between – source/destination IP"; second, "what are those communications – protocol, port, frequency, volume"; third, "at what time should communications be occurring – time of day".
Suspicious network activity is anything that is not normal traffic within the system. Suspicious network traffic is analyzed to determine what caused the abnormality in the network traffic, and to determine if the traffic was malicious, unintentional or a new baseline forming. Malicious traffic is anything that is intended to harm your network.
Examples of suspicious activities, but not necessarily malicious activities, that the analyst will need to look at are employees starting to use remote access or logging in at different times of the day (e.g. this pandemic has created a "new" baseline normal for a lot of networks with so many people working from home). Suspicious activities that go right to malicious would be detection of malware or a virus. Suspicious activities that could go either way are abnormal database activities, file configuration changes and unauthorized port access (Ogden, 2016).
References:
Bejtlich, R. The Tao of Network Security Monitoring: Beyond Intrusion Detection. [Chegg]. Retrieved from https://ereader.chegg.com/#/books/9780132702041/
Gates, N. (2019, December 17). Normal Network Traffic – Traffic Analysis. Retrieved from https://www.nicgates.com/post/normal-network-traffic
Ogden, J. (2016, June 02). Identifying Suspicious Network Changes: 8 Red Flags to Watch For. Retrieved from https://www.cimcor.com/blog/identifying-suspicious-network-changes-red-flags
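Both students describe the same triage logic: learn a baseline of who talks to whom, on which ports, at what hours and with how much volume, flag deviations as suspicious, and promote a flow to malicious only when it matches a signature. The following script is an added example written to illustrate that logic; it is not from either post or from the cited references, and the flow records, the user names, the TEST-NET-3 "known bad" address and the 3-sigma volume ceiling are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" flow records used to learn the baseline (not real traffic).
# Fields: user, src_ip, dst_ip, dst_port, hour of day (0-23), bytes transferred.
BASELINE_FLOWS = [
    ("alice", "10.0.0.5", "10.0.1.20", 443, 9, 120_000),
    ("alice", "10.0.0.5", "10.0.1.20", 443, 11, 150_000),
    ("alice", "10.0.0.5", "10.0.1.21", 445, 14, 90_000),
    ("alice", "10.0.0.5", "10.0.1.20", 443, 16, 130_000),
    ("bob", "10.0.0.7", "10.0.1.20", 443, 8, 80_000),
    ("bob", "10.0.0.7", "10.0.1.22", 22, 10, 40_000),
    ("bob", "10.0.0.7", "10.0.1.20", 443, 17, 95_000),
]

# Constructed stand-in for an IDS/IPS signature database (placeholder address).
KNOWN_BAD_DESTINATIONS = {"203.0.113.66"}


def build_baseline(flows):
    """Per user, record peers (dst:port), working-hour window and a byte ceiling."""
    base = defaultdict(lambda: {"peers": set(), "hours": [], "bytes": []})
    for user, _src, dst, port, hour, nbytes in flows:
        b = base[user]
        b["peers"].add((dst, port))
        b["hours"].append(hour)
        b["bytes"].append(nbytes)
    for b in base.values():
        b["hour_min"], b["hour_max"] = min(b["hours"]), max(b["hours"])
        # Volume ceiling: mean + 3 standard deviations of observed bytes (assumption).
        b["byte_ceiling"] = mean(b["bytes"]) + 3 * pstdev(b["bytes"])
    return base


def classify(flow, baseline, signatures=KNOWN_BAD_DESTINATIONS):
    """Return (label, reasons) where label is normal, suspicious or malicious."""
    user, _src, dst, port, hour, nbytes = flow
    if dst in signatures:  # signature match wins outright
        return "malicious", ["destination matches signature database"]
    b = baseline.get(user)
    if b is None:
        return "suspicious", ["no baseline for this user"]
    reasons = []
    if (dst, port) not in b["peers"]:  # who: new peer
        reasons.append(f"new peer {dst}:{port}")
    if not b["hour_min"] <= hour <= b["hour_max"]:  # when: off hours
        reasons.append(f"hour {hour:02d} outside {b['hour_min']}-{b['hour_max']}")
    if nbytes > b["byte_ceiling"]:  # how much: volume spike
        reasons.append(f"{nbytes} bytes exceeds ceiling {b['byte_ceiling']:.0f}")
    return ("suspicious" if reasons else "normal"), reasons
```

Every flagged flow carries its reasons, so an analyst can do the follow-up investigation both posts call for instead of acting on the label alone.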