A device is “Active” if it’s responded to traffic we’ve sent to it or if we’ve heard about the device Indirectly (via SNMP for example).
Scanning where a Collector’s Scanner places traffic on the network destined for a targeted address and listens for the responses from that address (or hops along the way in the case of Path)
For credentials (like SNMP or WMI) an alias is just the name we associate with that credential for reporting purposes. It allows us to say “secret1” in a report instead of putting the actual and presumably sensitive credentials into a report.
A collection of associated Scanners within a Zone that share a single Scanning Interface.
Commanded Packet Rate
A Scout’s network interface can be given a Commanded Packet Rate. This is the rate of scanning traffic (in packets per second) that Spectre will not exceed (at least over intervals of greater than 1 second). Depending on the targeted address space, we may not scan as quickly as the Commanded Packet Rate, but Spectre will not exceed this rate. This rate is per Scanning Interface, this interface may be shared by more than one Collector
As far as Lumeta (the product) is concerned, a Device is one or more IP addresses that we’ve decided belong together. Typically we think they belong together due to our getting SNMP data that says they’re all interface addresses for the same thing. It’s an attempt to represent a physical thing that’s attached to the network, but it’s not always a complete match (we don’t have all the information that someone sitting in front of a physical device might have).
A collection of CIDRs that dictate if further interrogation for a specified address should be performed. This is primarily used when a response is received from an address that is outside the target list and influences the decision to further interrogate this address. In other words, if we target 18.104.22.168 and hear about 22.214.171.124, we’ll target 126.96.36.199 for scanning if it’s covered by the eligible list (e.g. if we had 188.8.131.52/8 in the eligible list)
Event is an action or occurrence detected by a program. It can be “published” so that other parts of the Spectre system can act on it. At this point, it will appear as a notification.
A Target explicitly defined in a Collector’s configuration (under Discovery Spaces > Target List)
Something we know about a Device by receiving data directly from that Device. This would typically be via Active or Passive Discovery (eliding for the moment the idea that “Fact”s can be tricky things as we’re talking through the network to a Device so Facts can be altered in transit). This would also include cases where we explicitly ask another system (like DNS) about a Device
A Device is a “Forwarder” if it’s seen in a trace (generated by the Path scanner) as anything but the last hop. In other words, a device that generates an ICMP Time Exceeded message. This is a Fact rather than an Inference
Discovery where the system gets information about an address from something other than that address (e.g., BGP, DNS, or OSPF). For example, Spectre hears about device 184.108.40.206 while interrogating 220.127.116.11 via SNMP and learning about 18.104.22.168 from 22.214.171.124’s ARP table.
Something we can say about a Device that’s derived from Facts about a Device or by Indirect Discovery (or by things like MAC Vendor data etc.). Profiling data (for example) is a collection of Inferences
A CIDR learned about via SNMP (either a host or a CIDR representing a route), OSPF, or BGP.
A message presented to the user as the result of an event.
Listening to traffic without putting any packets on the network. (e.g., Broadcast). This could also be a Scanner listening to traffic on a trunk or SPAN port.
A Target that’s explicitly specified in a Collector configuration or learned about via an SNMP routing table, BGP, or OSPF. This is effectively a Host or Path target (these are the scan types that scan across entire CIDRs). Responses to a Primary Target can create Secondary Targets. That is to say, a response to Host can create targets for scan types like Port, or SNMP.
An address that’s explicitly targeted, or learned and covered by the Eligible List. An address in the Avoid List cannot be Qualified.
For a Device with more than one IP address, we pick one address to refer to it by. We pick the reference IP by the following criteria (subject to change):
1) Prefer IPv4 over IPv6
2) Prefer public (non RFC 1918) addresses
3) Prefer internal addresses
4) Prefer known addresses
5) Highest IP address
A specific bit of code (like SnmpHunter) that runs as part of a Collector on a Scout somewhere
A network interface associated with a Scout. This interface can be used by one or more Collectors. This interface can be given a Commanded Packet Rate.
A collection of Scanners and Scanning Interfaces running on a particular (virtual) machine. These scanners could be associated with any number of Zones or Command Centers. It could be a VM built and licensed as a Scout or an “Onboard Scout,” which is the Scout code running on a Command Center.
A specific network interface on a Scout. This interface can be configured to throttle some discovery traffic (at least Host, Port, Path, and SNMP)
A Target (/32 or /128) generated for a non-Host/Path scan(discovery) type as a result of Spectre learning about an address. These Targets can be generated by being discovered via Host or Path, being Indirectly or Passively discovered, or by having a device added via API. These are the Targets the system generates itself (governed by discovered addresses, Eligible List, and Avoid List).
A device that we were able to talk to and get responses with a set of SNMP credentials. If we just get an error message (an SNMPv3 credential error or a OID not found for v2) we will not be snmpAccessible though we will be an snmpResponder
This is a Tertiary Target type. If configured to do so, we will gather data from various SNMP OIDs and determine things like Interface or Route information
This is a Secondary Target type. When we do SNMP Discovery we try all the SNMP Credentials configured for a collector and report on which ones were accessible. In SNMP Discovery we will gather things like sysObjectId, sysDescr, and potentially serial number information.
A device that we got an SNMP response from even if we can’t fetch data from it with our SNMP credentials. This could happen if we attempt to communicate with a device using SNMPv3, it can respond with an authentication error of some sort, this is different from SNMPv1/2c where the device usually doesn’t send anything back in the case of an authentication failure (though ACLs can cause SNMPv2 errors).
On a Lumeta command center, the data we ingest from scanning is contained under /var/spool/esi. The files that a queued up for ingestion are at /var/spool/esi/preprocessing. These files are commonly referred to as “Spool Files” and if we’re trying to debug why the system is behaving the way it does we’ll commonly start by looking at them.
A combination of a CIDR, Scan Type, and Collector ID. This can be a Primary, Secondary, or Tertiary Target.
Once a device has been scanned using a primary scan type, it is determined to be alive. After a secondary scan type, the target has been determined to have the potential of responding to a particular protocol. The tertiary scan type asks for heavier weight responses, such as SNMP Details, HTTP banners, CIFS, or WMI.
Time of Discovery
The time a Scout discovers a Device (or information about a Device)
Time of Record
The time a discovered Device is actually available in the database for reporting (the time it’s actually visible to a client).
A set of Collectors and the data associated with them. For the most part, data is not propagated across zones.
An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
A network's steady state; equilibrium
Any computer connected to the same Ethernet repeater or switch is a member of the same broadcast domain.
The concept of monitoring information system security has long been recognized as sound management practice. Organizations review their information systems’ security controls to ensure that system changes do not have a significant negative impact on security, security plans remain effective after a change, and security controls continue to perform as intended. Continuous monitoring goes further than a traditional periodic assessment or “snapshot” audit by continuously monitoring transactions and controls, so that weak, poorly designed, or poorly implemented controls can be corrected or replaced sooner rather than later, thus enhancing an organization’s risk profile.
A dynamic map depicts discovered devices and their network connectivity and can be updated and/or refreshed to show changes as they occur on the associated network.
A process of applying a mathematical algorithm against a set of data to produce a numeric value (a ‘hash value’) that represents the data
Indicator of Compromise
An artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs or domain names of botnet command and control servers. After IOCs have been identified in a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.
Individual networked computers to routers, cables, wireless access points, switches, backbones, network protocols, and network access methodologies.
Exchanging data between systems to improve information in each
Manually or programmatically initiated
Input-output operations per second. A measure of the disk performance that Lumeta requires of a disk or storage array.
The link state of a particular router. What’s in the LSDs. The link is NOT the hop bwn routers/nodes. It’s a statement about the link between the two hops. Is it healthy and other attributes.
A measure of congestion on a communications link is (e.g., how much of the bandwidth is being utilized). Highly occupied/congested links between a Command Center and Scout (or links in which there is an excessive round trip delay) can become a problem. To avoid issues, Lumeta recommends no more than a 70% link occupancy on a 10Mb/s link, which implies that 7Mb/s (on average) is being consumed by traffic. Lumeta also recommends a less-than 100 msec round-trip communications delay to ensure satisfactory performance.
When a domain is used in malware in place of an IP address to allow for rapid IP address rotation
Software that compromises the operation of a system by performing an unauthorized function or process.
Mental Model & Conceptual Model
This is a map of your network that can be shifted and molded, expressed in tiers or hierarchical layers of a canvas, and adapted over time to reflect your enterprise's increased understanding of its infrastructure assets under management. The conceptual model, which is a core feature in active development, will enable people to view one network segment from the perspective they find most useful. Each segment may be viewed from however many perspectives have been assembled. You may create your own conceptual models, or work from ones created by other Lumeta users in your company.
A management information base (MIB) is a virtual database used for managing the entities in a communications network.The MIB hierarchy can be depicted as a tree with a nameless root, the levels of which are assigned by different organizations. The top-level MIB OIDs belong to different standards organizations, while lower-level object IDs are allocated by associated organizations. This model permits management across all layers of the OSI reference model.
Non-Accessible SNMP Routers
Those routers that didn't respond to Lumeta's SNMP test, yet indicated the capability to speak SNMP.
CIDR blocks in the configured list of Target CIDRs, or discovered through router discovery, scanned that did not respond from any sensor. A CIDR block may respond from some locations and may not respond from others. There are several possible reasons these networks were not seen during a network scan. Some reasons include (a) the CIDR blocks may not be in use in the network (b) they may be part of a firewalled network.
Open shortest path first protocol. OSPF functions in both broadcast network and non-broadcast, multiple-access networks (NBMA), in which end-to-end points are established. OSPF needs to run on virtual circuits (PVCs) when it runs in a NBMA network. Lumeta traces to routes discovered in OSPF, unless those routes are in an Avoid list.
A Lumeta IPsonar scan of an enterprise network that is performed in a single sweep. Point-in-time scans are often scheduled to run on a repeat basis and serve to provide a historical record or audit trail for use by oversight agencies.
Notification of network events-of-interest as they occur
One of the IP addresses on the router. From OSPF perspective, it's an identifier.
The router's primary functions are to learn and propagate route information, and ultimately to forward packets via the most appropriate paths. Successful attacks against routers are those able affect or disrupt one or more of those primary functions by compromising the router itself, its peering sessions, and/or the routing information.
Routers are subject to the same sort of attacks designed to compromise hosts and servers, such as password cracking, privilege escalation, buffer overflows, and even social engineering. Most of the best practices in this document help mitigate and even prevent some of those threats.
Peering relationships are also target of attacks. For most routing protocols routers cannot exchange route information unless they establish a peering relationship, also called neighbor adjacency. Some attacks attempt to break established sessions by sending the router malformed packets, resetting TCP connections, consuming the router resources, etc. Attacks may also prevent neighbor adjacencies from being formed by saturating queues, memory, CPU and other router resources. This section of the document presents a series of best practices to protect neighbor adjacencies from those threats.
Finally, routing can also be compromised by the injection of false route information, and by the modification or removal of legitimate route information. Route information can be injected or altered by many means, ranging from the insertion of individual false route updates to the installation of bogus routers into the routing infrastructure. Potential denial of service conditions may result from intentional loops or black-holes for particular destinations. Attackers may also attempt to redirect traffic along insecure paths to intercept and modify user's data, or simply to circumvent security controls. This section also includes a collection of best practices designed to prevent the compromising of routing information.
Your business has zones, each of which typically has one Lumeta Scout
Lumeta/IPsonar had appropriate credentials that enabled it to access SNMP tables on a network.
Lumeta/IPsonar was able to generate a response from a particular port (thereby demonstrating that the port exists), but unable to illicit a response from the port.
Threat Intelligence / Feed
Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Zombie / Bot
A computer connected to the Internet that has been surreptitiously / secretly compromised with malicious logic to perform activities under the command and control of a remote administrator.
A Zone is any set of devices you want to monitor as a unit, for example, a subnet, an enclave, or a business unit. Typically, an organization contains multiple zones.
Zones delimit the scope of information that can be displayed on an Lumeta map. To map a particular network view, all elements belonging to that view must be contained in a single zone. When planning a zone definition, be sure to include elements you want to see on a one map as members of a single zone.
Your enterprise sets the criteria that defines which devices should belong to a particular zone.