4.7. Understanding Signal Analysis and Intelligence

The terms signal analysis and signal intelligence refer to capturing and analyzing electronic signals. Military and governmental agencies have been doing this since the beginning of the electronic age. The purpose of analysis and intelligence is to identify and evaluate the enemy, identify and track communications patterns, and identify what types of technologies are being used to send them.

This is a game of patience and persistence. People who want to attack your system are also performing analysis and intelligence. They're trying to discover what your communications topology and infrastructure look like, what your critical or sensitive circuits are, and what you use them to do.

Attackers have many tools at their disposal; most of them are relatively easy to use. Your job is to act as a counterintelligence agent and, where possible, prevent them from gaining access to this information.

Your enemy has several common methods to gain intelligence about your network and your potential vulnerabilities. The following sections describe two of these methods.

4.7.1. Footprinting

Footprinting is the process of systematically identifying the network and its security posture. An attacker may be able to gain knowledge of the systems you use, the protocols you run, the servers you operate, and what additional software is being used by systems such as web servers, mail servers, and the like.

A simple method of footprinting might examine the source code of your website. Web servers often have plug-ins or options installed that allow entrance into a network using buffer overflows or command processing. Attackers may also be able to gain insights into your business by doing online searches of business records and filings.

For example, EDGAR, an online business research website, maintains a database of publicly available information about businesses. Your company's annual report may brag about the new infrastructure that was installed last year. Strategic relationships with business partners may provide intelligence about your business. Similar information can help attackers infiltrate your system: They can go to VeriSign/InterNic and determine the root IP address for your network as well as obtain contact information to attempt social engineering attacks. In short, anything online or in print is a potential source of information.

An attacker can query DNS servers to determine what types of records are stored about your network. This information might provide insight into the type of e-mail system you're using. Most DNS servers readily provide this information when a proper query is formed.

Individually, none of this information is damaging or discloses much about your business. Collectively, though, it may provide key pieces to the jigsaw puzzle that is your organization.

4.7.2. Scanning

Scanning is the process that attackers use to gather information about how your network is configured. They scan your network and look for paths to systems in your network using programs such as Traceroute. Traceroute can provide a detailed picture of your network, right to the demilitarized zone (DMZ).

After an attacker has a general layout of your network, they can then switch to a scan. Scans can start with a simple ping of systems with addresses near your web or mail server. If any of these machines respond, the attacker knows that you have ICMP running and, by default, TCP/IP.

After they know what systems are "alive" in your network, they can systematically attempt to find out which ports are open on these systems; this is known as a port scan. Using the list of open ports gained from the port scanner, the attacker may try a few simple probes of your system to determine what vulnerabilities might provide an opportunity for attack. A vulnerability scanner is used to analyze the results from the probe.

One of the most well-known port scanners is nmap, while warscan can be used to test exploits that are found. Both of these can be readily found on the Internet.

After the scanning process is complete, the attacker may next choose enumeration. Enumeration will most likely provide the attacker with enough information to implement a network mapper and attack the target. The attack is the next step but might only provide the attacker with a low-level (non-root) account. If this is the case, the attacker will attempt privilege escalation. If the attacker is successful with privilege escalation, they will essentially own the computer.
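The ping sweep and port scan described above leave a recognizable trace in firewall logs, which is where a defender can catch the reconnaissance before the enumeration and attack steps. The following is an added example, not code from the original text: a small Python detector run over a constructed syslog-style firewall log; the log format, the 60-second window and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed firewall log (not from the page): 5-port probe, 3-host ICMP sweep, normal traffic, junk.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY TCP 203.0.113.9:40111 -> 192.0.2.10:22
2024-03-01T10:00:01 DENY TCP 203.0.113.9:40112 -> 192.0.2.10:23
2024-03-01T10:00:02 DENY TCP 203.0.113.9:40113 -> 192.0.2.10:25
2024-03-01T10:00:02 ALLOW TCP 203.0.113.9:40114 -> 192.0.2.10:80
2024-03-01T10:00:03 DENY TCP 203.0.113.9:40116 -> 192.0.2.10:3389
2024-03-01T10:00:10 ALLOW ICMP 198.51.100.7 -> 192.0.2.1
2024-03-01T10:00:10 ALLOW ICMP 198.51.100.7 -> 192.0.2.2
2024-03-01T10:00:11 DENY ICMP 198.51.100.7 -> 192.0.2.3
2024-03-01T10:00:30 ALLOW TCP 192.0.2.55:51000 -> 192.0.2.10:443
kernel: unrelated message that is not a firewall entry
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP|ICMP) "
                     r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse(log_text):
    """Event dicts for lines that match LINE_RE (dport is a string, None for ICMP); others skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def detect_scans(events, window_s=60, port_min=5, host_min=3):
    """Flag a source that, within window_s seconds, hits >= port_min distinct ports on
    one host (port scan) or sends ICMP to >= host_min distinct hosts (ping sweep)."""
    alerts = {}  # (kind, src, target) -> largest count observed in any window
    def bump(key, n): alerts[key] = max(alerts.get(key, 0), n)
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, cur in enumerate(evs):  # sliding window of this source's events ending at cur
            recent = [e for e in evs[:i + 1] if (cur["ts"] - e["ts"]).total_seconds() <= window_s]
            ports, hosts = defaultdict(set), set()
            for e in recent:
                if e["proto"] == "ICMP":
                    hosts.add(e["dst"])
                elif e["dport"] is not None:
                    ports[e["dst"]].add(e["dport"])
            if len(hosts) >= host_min:
                bump(("ping_sweep", src, "*"), len(hosts))
            for dst, ps in ports.items():
                if len(ps) >= port_min:
                    bump(("port_scan", src, dst), len(ps))
    return alerts
```

Tune the thresholds to your own baseline: a legitimate monitoring host or load balancer will touch many ports and hosts, so allow-list known sources before alerting.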

While it may seem as if an attacker must have a great many tools at his disposal—protocol analyzer, port scanner, vulnerability scanner, and network mapper to name but a few—the reality is that many of these tools are bundled together or found on the same site. BackTrack (http://remote-exploit.org/backtrack.html), for example, combines all of these tools into a single application that is run from a CD.

Practicing good security techniques—such as those discussed in this chapter, and this book—can prevent events of this type from occurring.
