🛡 Defence Mechanisms

🧹 Containment, Eradication and Recovery

This section is dedicated to limiting and cleaning up the mess. It is assumed that the initial investigation has already been conducted and that we now have enough information (affected hosts, accounts, indicators) to contain the incident and clean up.

Cloud Security Intro

The main building blocks to know: Storage. Compute: virtual machines (AWS EC2, GCP Compute Engine) and containers. Logs: API audit logs (AWS CloudTrail, GCP Cloud Audit Logs), which record who called which API, from where and when, and are the first place to look during an investigation.

Firewalls

A host-based IDS (HIDS) inspects local system configuration and behaviour (files, processes, logs) on the machine it runs on, while a network-based IDS (NIDS) inspects network connections and looks for anomalies and known attack signatures in the traffic.

Host-based IDS/IPS


IDS and IPS can be thought of as filters attached to the firewall. A network device has a Control Plane (runs the OS and routing protocols and builds the routing table) and a Forwarding Plane (applies the already installed forwarding table to each packet and decides whether to forward or discard it). Because the Forwarding Plane works from entries that have already been installed, a failure of the Control Plane does not stop forwarding: existing routes keep working, the device only stops learning new routes and reacting to topology changes. This is what lets routers keep passing traffic while their routing process restarts; how long that holds depends on the device and on whether it supports non-stop forwarding.

By default an IDS only listens 👂 to the traffic. It is usually connected to a SPAN (mirror) port on a switch, or to a network tap, so it sees a copy of the packets. It looks for anomalies and signatures and sends alerts. It takes no action by default, but can be configured to react (e.g. by sending TCP resets or pushing a block rule to the firewall). If the IDS is down, nothing changes for the rest of the network; traffic keeps flowing, you just lose visibility.

An IPS takes action on its own. It is not connected to a SPAN port but sits inline as a gateway: nothing moves forward until the IPS has inspected and allowed the packet. So if the IPS is down, everyone is down, unless there is load balancing across several IPS devices or a fail-open (bypass) policy for that case; the choice between fail-open and fail-closed is a conscious trade-off between availability and security. It is positioned right after the router, edge device or firewall.
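To make the passive-versus-inline distinction concrete, here is an added example (not code from the original page): a toy sensor in Python that can run as a SPAN-port IDS (alerts only, never in the traffic path) or as an inline IPS (drops on a hit, and must pass every packet, so its own outage matters). The packet records, the two byte-pattern signatures, the port-scan threshold and the `fail_open` flag are all invented for illustration.

```python
"""Toy passive IDS vs inline IPS over constructed packets (added example).

Signatures, thresholds and traffic are constructed; they only illustrate the
behavioural difference between a sensor that sees a copy of the traffic and a
device that every packet must pass through.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Constructed signatures: known-bad byte patterns in the payload.
SIGNATURES = {
    "sig-shell-php": b"<?php system(",
    "sig-etc-passwd": b"/etc/passwd",
}

# Anomaly rule: this many distinct destination ports from one source = scan.
PORT_SCAN_THRESHOLD = 5


@dataclass
class Sensor:
    """mode='ids' -> passive on a SPAN port; mode='ips' -> inline gateway."""
    mode: str
    up: bool = True            # is the sensor itself alive?
    fail_open: bool = False    # inline only: bypass traffic when down?
    alerts: list = field(default_factory=list)
    _ports_seen: dict = field(default_factory=lambda: defaultdict(set))

    def _inspect(self, pkt: Packet) -> list:
        hits = [name for name, pat in SIGNATURES.items() if pat in pkt.payload]
        seen = self._ports_seen[pkt.src]
        seen.add(pkt.dport)
        if len(seen) == PORT_SCAN_THRESHOLD:   # fire exactly once per source
            hits.append("anomaly-port-scan")
        return hits

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet reaches its destination."""
        if not self.up:
            if self.mode == "ids":
                return True        # sensor off the SPAN port: traffic unaffected
            return self.fail_open  # inline: only a fail-open policy keeps traffic moving
        hits = self._inspect(pkt)
        for h in hits:
            self.alerts.append((h, pkt.src, pkt.dst, pkt.dport))
        if self.mode == "ips" and hits:
            return False           # inline device drops the offending packet
        return True                # an IDS alerts but never blocks


# Constructed traffic: one benign request, two signature hits, one port scan.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"POST /upload <?php system($_GET['c']); ?>"),
] + [Packet("10.0.0.66", "10.0.0.80", p) for p in (21, 22, 23, 25, 80, 443)]


def run_traffic(mode: str, up: bool = True, fail_open: bool = False):
    """Feed TRAFFIC through one sensor; return (packets delivered, alert names)."""
    sensor = Sensor(mode=mode, up=up, fail_open=fail_open)
    delivered = sum(1 for pkt in TRAFFIC if sensor.process(pkt))
    return delivered, [a[0] for a in sensor.alerts]


if __name__ == "__main__":
    for args in (("ids",), ("ips",), ("ids", False), ("ips", False), ("ips", False, True)):
        print(args, "->", run_traffic(*args))
```

Running it shows the trade-off described above: the IDS delivers all nine packets and raises three alerts, the IPS raises the same alerts but delivers only six (the two signature hits and the fifth port of the scan are dropped), a dead IDS changes nothing, and a dead IPS delivers nothing unless `fail_open` is set, in which case it delivers everything without any inspection.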

macOS Defense

In this article I will assemble everything I know about macOS defense mechanisms (both built-in and third-party).

Network-based

A network-based IDS monitors the traffic on a network segment, logs what it sees and alerts the administrator when something matches a signature or looks anomalous.