SEC504: Hacker Tools, Techniques, and Incident Handling

Attackers don't always use sophisticated techniques to infiltrate organizations. They may simply purchase or steal passwords and test credentials against points of entry. Multi-factor authentication decreases the risk of an attacker logging in successfully, but doesn't address a critical issue: how can an organization detect an attacker who has already entered the network with legitimate credentials? This paper will explore the concept of combining the attributes of passively intercepted network packets with a user profile to increase the Level of Assurance (LOA) in a user's unique identity. A user profile developed from network behavior can be used to detect an intrusion, or to enhance identity assurance with 'step-up authentication'. Newer intrusion detection technologies can detect anomalies in network events, adding context and risk-based analysis to login attempts and user actions. Correlating network traffic characteristics with normal user behavior may be the key to stopping a 'wolf in sheep's clothing'.
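To make the idea concrete, here is an added example (not code from the paper or from SANS) of building a per-user profile from passively observed network attributes and scoring a new session against it to drive an allow / step-up / alert decision. The session records, the fingerprint values like "fp-A", the attribute weights and the decision thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of passively observed sessions already tied to an authenticated
# user: (user, source subnet, destination host, client TLS fingerprint, hour of day).
# Fingerprint values such as "fp-A" are placeholders, not real JA3 hashes.
BASELINE = [
    ("alice", "10.1.20.0/24", "mail.corp", "fp-A", 9),
    ("alice", "10.1.20.0/24", "wiki.corp", "fp-A", 10),
    ("alice", "10.1.20.0/24", "mail.corp", "fp-A", 14),
    ("alice", "10.1.20.0/24", "hr.corp", "fp-A", 16),
]

# Relative weight of each attribute in the risk score (assumed values; tune per environment).
WEIGHTS = {"subnet": 0.35, "fp": 0.35, "hour": 0.15, "dest": 0.15}

def build_profile(sessions):
    """Per-user frequency counts of each network attribute seen in the baseline."""
    profile = defaultdict(lambda: defaultdict(Counter))
    for user, subnet, dest, fp, hour in sessions:
        p = profile[user]
        p["subnet"][subnet] += 1
        p["dest"][dest] += 1
        p["fp"][fp] += 1
        p["hour"][hour // 4] += 1  # bucket hours into 4-hour windows
    return profile

def risk_score(profile, user, subnet, dest, fp, hour):
    """0.0 = every attribute matches the user's history, 1.0 = nothing does."""
    p = profile.get(user)
    if p is None:  # no baseline at all: treat as maximally unfamiliar
        return 1.0
    observed = {"subnet": subnet, "fp": fp, "hour": hour // 4, "dest": dest}
    score = 0.0
    for attr, weight in WEIGHTS.items():
        counter = p[attr]
        # share of past sessions that carried this value; unseen values score 0
        familiarity = counter[observed[attr]] / sum(counter.values())
        score += weight * (1.0 - familiarity)
    return score

def decide(score):
    """Map the score to an identity-assurance action (thresholds are assumed)."""
    if score < 0.3:
        return "allow"
    if score < 0.6:
        return "step-up"  # request an additional authentication factor
    return "alert"  # hand the session to incident response
```

A session from alice's usual subnet and client fingerprint at an unusual hour scores low and is allowed; the same credentials from an unseen subnet with a new client fingerprint push the score to 1.0 and raise an alert, which is the "wolf in sheep's clothing" case the paper targets.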