Unfortunately, attackers have many ways to infiltrate a network undetected, which can obviously make it that much easier for them to succeed and that much harder for us to catch them in the act. In this section we're going to take a look at some of the techniques that hackers can use to bypass network security.

Encryption is the most obvious way to bypass security devices. If an attacker gained access to a network and wanted to upload sensitive data to an external device, encrypted protocols like SSH, IPsec and HTTPS could be used. HTTPS inspection is becoming a major requirement for enterprise networks to prevent these types of evasions.

When you are investigating a security event, the source IP address of the attacker is important to know. Network address translation can also be used to avoid detection. If an attacker NATed their IP, then it could be difficult to detect the real source of the attack. One way to combat attackers using NAT is Stealthwatch's NAT stitching feature. NAT stitching can be used to identify IP changes from NAT and track the original source IP, to help prevent NAT changes from affecting security monitoring.

One of the slickest methods I've seen used to hide from security devices is DNS tunneling. DNS tunneling is when an attacker leaks data outside of a network via DNS packets. Since the DNS protocol ports are pretty much guaranteed to be allowed on firewalls and IPSes, it's an easy way to leak data.

Tor is a technique used by many to anonymously browse the Internet by routing traffic through Tor relays. This way victim networks cannot see the real public source addresses and therefore cannot track down attackers. For example, if I used the Tor browser to go to Google and I was in San Jose, California, my traffic could be relayed through Europe before it was sent to the actual destination, and Google would think I was actually in Europe based on the IP information.

Here I have a Tor browser that I downloaded just so you could see what it looks like. If you check the resources for the section, I'll have a link so you can download this Tor browser. So if you want to see what public IP address your computer is being NATed to, you can do "what's my IP". So this shows that my IP address is 176.31.39.249, which I can assure you is not the IP address that I'm connecting to the Internet with from my home network. So this clearly shows me that my traffic is definitely being tunneled through a Tor relay.

So if I wanted to be hidden from the internet I could use this Tor browser to surf the web, which I'm not going to because I do not do anything malicious. But again, like you may have heard me say before, the more tools you can see that malicious users might use, the better it is to understand what type of things you need to look out for and protect your network against.

Our last monitoring challenge we're going to talk about is peer-to-peer traffic. Network resources are typically shared with a client-server model; P2P networks allow clients to transfer data directly between each other. This becomes a monitoring challenge because traffic becomes decentralized and increases the potential for vulnerable sources.