Chapter 3: Evaluating Network Attacks

In today's information superhighway, there is a voluminous amount of data housed on our systems, and traveling over networks and the internet. Because of this, we must face the fact that it's not a matter of whether there will be an attack, it's a matter of when an attack will occur. The reality is that not all attacks are the same. In this chapter, we'll outline how a network can fall victim to either a passive or active attack, and we'll review examples of both. We'll see that while a passive attack may not seem serious, it can be a precursor to an active attack.

In addition, we'll see that there are many attack vectors that, if not properly protected, can lead to data exfiltration or exposure of confidential information. You'll learn that, today, data is in many places and is growing at an exponential rate, and with this growth comes a greater need to protect the data. Finally, you'll get a better understanding of the meaning of risk, threats, and vulnerabilities. You'll then appreciate how reducing risk in an organization helps prevent data from being changed, destroyed, or lost in an unauthorized or accidental manner.

In this chapter, we're going to cover the following main topics:

  • Comparing passive and active attacks
  • Protecting sensitive data
  • Maintaining integrity

Comparing passive and active attacks

An attack on an information system can be against any of the following services: confidentiality, integrity, availability, or authentication. To further define the types of attacks, there are two broad categories, passive and active:

  • Passive attacks do not interfere with the system or data integrity, and include activity such as scanning or eavesdropping using packet analysis.
  • Active attacks seek to disrupt services, modify, steal, or destroy data, and include attacks such as a Denial of Service (DoS) attack, or releasing malware.

In this section, we'll compare each of the categories and provide some examples of each, along with ways to protect against the various attacks.

Let's start with a discussion on passive attacks.

Carrying out a passive attack

With an active attack, there may be some network instability, system disruption, or data modification. However, with a passive attack, the objective is to do the following:

  • Conduct a reconnaissance exercise to monitor and observe the network traffic for information on network devices.
  • Capture sensitive information that is in plain text, such as usernames and passwords.

Let's see what's involved during reconnaissance.

Conducting reconnaissance

Before launching an active attack, a malicious actor might conduct a reconnaissance exercise to find out more information on the target network. This is achieved by scanning the network using a variety of tools that help identify weaknesses or vulnerabilities on network hosts.

During reconnaissance, an attacker might scan the network using one of several scans to obtain more information about the network. Let's take a look at some examples of network scans next.

Scanning the network

One of the first types of scans that are done during reconnaissance is called a ping sweep.

Important note

The term "ping" is related to the concept of sound navigation and ranging (SONAR). SONAR can sound like a "ping" when used underwater to identify the presence of objects or life forms.

When using a ping sweep, the malicious actor will use an app to send out a series of Internet Control Message Protocol (ICMP) packets to see whether any hosts are up and responding. As shown in the following diagram, one of the hosts on the Local Area Network responds:

Figure 3.1 – Malicious actor using a ping sweep

Once the attacker identifies a host that is up and responding, the next step is to use a port scan to see whether the host has any Transmission Control Protocol (TCP) ports that are open and listening. The port scan generally scans the well-known ports that are in the range 1-1023; however, the malicious actor can set the app to scan a larger range.

As shown in the following diagram, the port scan will query a responding host, and then report back to the malicious actor on which ports are open:

Figure 3.2 – A host responding to a port scan

Important note

A host with open ports can be a vulnerability. If, while scanning the network, a malicious actor discovers open ports, they might seek to take the next step and connect with the host by using the open port. To mitigate this vulnerability, the network administrator should disable any ports that aren't required.

Another scan that helps to learn more about the network and identify vulnerabilities is operating system (OS) fingerprinting. Fingerprinting gathers information and then makes a best guess as to what OS is in use on each host. As shown in the following diagram, the OS of the responding host is identified as Windows 10:

Figure 3.3 – Identifying a host during OS fingerprinting

Many times, while performing the various scans, the software will also map the network and create a map of the topology. Also called network mapping, this scan builds a map that identifies all hosts on the network:

Figure 3.4 – Results from mapping the network

For scanning the network, there are a variety of tools available today. One well-known tool is called Network Mapper (Nmap), which is a free, open source scanner that can identify listening hosts and determine open ports. As shown in the following screenshot, the Nmap scan shows the open and listening ports on host 10.0.0.167:

Figure 3.5 – Nmap scan report for host 10.0.0.167

Important note

You can find out more information on Nmap at https://nmap.org/. In addition, you can find out how to close or disable unused ports by doing a search on close or disable unused TCP ports.

The reconnaissance scans aren't always done in any particular order; however, the ping sweep is generally completed before a port scan. In addition, depending on the objective, there may only be one scan that is run.

Important note

Many of the same tools used by malicious actors are also used by network administrators to monitor the network.

When scanning the network, the app will often generate activity, as many of the scans use protocols, generally TCP and ICMP, to attempt to communicate with other hosts.
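The scan activity just described, seen from the defender's side: an added example (not from the chapter) that flags a ping sweep and a TCP port scan in constructed flow records. The record format, the 60-second window and the thresholds are assumptions for this example.

```python
"""Flag ping sweeps and TCP port scans in flow records (added example).

A ping sweep shows up as one source sending ICMP to many distinct hosts in a
short window; a port scan shows up as one source sending TCP to many distinct
ports on one host. The record format, the 60-second window and the thresholds
are assumptions made for this example, not values from the chapter.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One record per line: ISO timestamp, protocol, source, destination, dst port
# (0 for ICMP). This format is an assumption for the example.
Flow = namedtuple("Flow", "ts proto src dst dport")


def parse_flows(text):
    """Parse the assumed space-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proto, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), proto, src, dst, int(dport)))
    return flows


def max_distinct_in_window(events, window):
    """Largest number of distinct values seen within any time span <= window.

    events is a list of (timestamp, value) pairs in any order. Two pointers
    slide over the time-sorted list, so the whole pass is linear.
    """
    events = sorted(events)
    counts = {}
    best = left = 0
    for ts, value in events:
        counts[value] = counts.get(value, 0) + 1
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_ping_sweeps(flows, window_seconds=60, min_hosts=5):
    """Return {source: distinct_hosts} for sources that ICMP-probe at least
    min_hosts distinct destinations inside one window."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "ICMP":
            by_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in by_src.items():
        n = max_distinct_in_window(events, timedelta(seconds=window_seconds))
        if n >= min_hosts:
            hits[src] = n
    return hits


def detect_port_scans(flows, window_seconds=60, min_ports=10):
    """Return {(source, destination): distinct_ports} for pairs where the
    source touches at least min_ports distinct TCP ports on one host in a window."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.proto == "TCP":
            by_pair[(f.src, f.dst)].append((f.ts, f.dport))
    hits = {}
    for pair, events in by_pair.items():
        n = max_distinct_in_window(events, timedelta(seconds=window_seconds))
        if n >= min_ports:
            hits[pair] = n
    return hits


def constructed_log():
    """Constructed sample traffic: benign use, a sweep, a fast scan, a slow scan."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    # Benign: a workstation using HTTPS on the server, plus one ICMP check
    lines = [f"{stamp(5 * i)} TCP 10.0.0.20 10.0.0.167 443" for i in range(6)]
    lines.append(f"{stamp(0)} ICMP 10.0.0.20 10.0.0.1 0")
    # Ping sweep: 10.0.0.99 probes eight hosts in eight seconds
    lines += [f"{stamp(i)} ICMP 10.0.0.99 10.0.0.{i} 0" for i in range(1, 9)]
    # Fast port scan: the same source then probes twelve well-known ports
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    lines += [f"{stamp(20 + i)} TCP 10.0.0.99 10.0.0.167 {p}" for i, p in enumerate(ports)]
    # Slow scan: one port every 90 s, which a 60 s window will not catch
    lines += [f"{stamp(90 * i)} TCP 10.0.0.50 10.0.0.167 {p}" for i, p in enumerate(ports[:10])]
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(constructed_log())
    print("ping sweeps :", detect_ping_sweeps(flows))
    print("port scans  :", detect_port_scans(flows))
    # Widening the window exposes the slow scanner at the cost of more noise
    print("20 min view :", detect_port_scans(flows, window_seconds=1200))
```

The slow scanner is the caveat: fixed-window thresholds trade detection of patient scans against false positives, so the window and thresholds need tuning to the network's normal traffic.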

However, in some cases, a passive attack does not generate any activity. The attacker might simply eavesdrop on the network by using packet analysis. Packet analysis is also called sniffing, and is used to gather network traffic to obtain information that is traveling across the network. Next, let's see how an attacker can use packet sniffing to obtain information.

Sniffing network traffic

Packet sniffing can be done using software such as Wireshark, an open source packet analysis tool. During this exercise, the attacker can obtain a variety of information that can include network device configuration, or even sensitive information.

Sniffing network traffic can help the attacker learn the types and versions of devices on the network. This is possible because some devices communicate with one another and offer information about their OS, hostname, Internet Protocol (IP) address, and other information specific to that device. Protocols such as Cisco Discovery Protocol (CDP) and Simple Service Discovery Protocol (SSDP) provide information that can help the attacker learn about network devices.

Eavesdropping using packet sniffing is done in order to try and capture interesting data, such as a phone call, credentials, email, or documents. By using Wireshark to monitor the traffic, they might be able to obtain a username and password that is sent across the network.

For example, in the following screenshot, we see within the stream a username ([email protected]) and a password (Password2010), being sent in plain text:

Figure 3.6 – Username and password

Important note

When you see %40 in the email address, this translates to the @ symbol. For more details, visit https://grox.net/utils/encoding.html.

To defend against packet sniffing, data should be encrypted. However, not all devices encrypt traffic when communicating on the network, which can lead to exposure of information.

During a passive attack, the victim may not be aware that anything is happening. However, a passive attack can be dangerous as it can identify system weaknesses and be a precursor to an active attack.

Next, let's see an overview on the types of active attacks that can take place.

Launching an active attack

An active attack seeks to destroy, steal, or modify the integrity of a system. The types of attacks can vary, and each type can have a different objective. In an active attack, system resources and/or data can be damaged or destroyed, which can affect normal operations. Common attacks include social engineering, malware, and DoS attacks.

Social engineering is commonly used by cybercriminals to get a victim to perform some action. They may try to encourage them to click on a link to visit a web page, or prompt them to sign into a bank site to check account information. This takes advantage of an individual's trusting nature, and includes techniques such as phishing, pharming, popups, and fake websites. Social engineering is dangerous, and is the leading cause of ransomware attacks.

Another attack commonly used is malware, which continues to improve in sophistication in order to get into our systems. Let's outline the different types of malware next.

Understanding malware

Malware is malicious software and includes the following:

  • Rootkits provide a backdoor into a system to allow access to a host.
  • Spyware records activities such as keystrokes, screenshots, authentication credentials, and other information, and sends the data to a remote site.
  • Trojans appear as useful programs or utilities; however, concealed within the program or utility, there is code that allows the cybercriminal to take control of the victim's computer remotely.
  • Viruses can self-replicate yet need a way to propagate to other hosts. Worms are a virus subclass that can spread on their own. Both can cause a range of activity, such as consuming system resources that can slow or even halt tasks.
  • Ransomware prevents access to a system, generally by using some form of encryption, and holds the system hostage until some type of ransom is paid.

Every day, hundreds of thousands of new malware variants are discovered, as seen in this chart: https://www.av-test.org/en/statistics/malware/. In addition, much of the malware today is polymorphic, in that it changes its form and behavior to elude detection. This makes it even harder to protect against ongoing threats.

Another threat is a DoS attack, which prevents legitimate requests from accessing the server. Let's take a look.

Locking out legitimate users

A DoS attack sends hundreds of requests per second to a target system. The distributed form, a Distributed Denial of Service (DDoS) attack, uses hundreds of thousands of bots (or zombies). The goal is to flood the system with so many bogus requests that legitimate users are locked out.

To launch a DoS attack, a cybercriminal first needs an army of bots. The malicious actor creates the army by first infecting millions of unknowing hosts with malware so they become zombies, which then become part of a large botnet. The botnet is controlled by a Command and Control (C&C) server. The attack occurs when, at a predefined time, or at a go signal from the C&C server, the zombies launch an attack on an unsuspecting victim.

The reality is that attacks can occur at any layer of the Open Systems Interconnection (OSI) model. Today, there are many different types of cyber threats; some are lesser known, and some are older. However, malicious actors will try all exploits to gain control of a system, as they may feel our defenses are down, or we may have forgotten about the exploit.

The key is, anything is possible, and over the years, we have seen an escalation of cyberattacks, which has resulted in businesses losing billions of dollars.

As a result, it's imperative for businesses to understand all possible attack vectors. Once the attack vectors are identified, the next step is to lock down and defend the organization. Doing so will reduce the effect of an attack and subsequent exposure of sensitive data. Let's explore this concept next.

Protecting sensitive data

Because of the expanding networks, additional devices, and the Internet of Things (IoT), data is in many places. Data lives within an organization, on storage devices, or even in our cars and homes, and is growing at an exponential rate. Along with this growth comes the real concern of the threat of unauthorized access to data.

Many individuals feel that data is the new gold. Cybercriminals are constantly seeking ways to gain access to our data, for a variety of reasons. Reasons include data theft, along with a newer threat, data modification. Unlike theft, data modification seeks to alter the integrity of data, for example, changing the details of blueprints or intellectual property.

In this section, we'll take a look at the many attack vectors that provide a way for data to be compromised in some way. Then we'll take a look at a few key methods to defend against data loss or modification.

Let's start with a discussion of the ways someone can gain access to data.

Understanding attack vectors

An attack vector is a path or means by which a malicious actor can access a system. Today, there are many attack vectors, including storage devices, email, mobile devices, cloud storage, malware, wireless networks, and the user.

Data exists in a variety of locations, within an organization, in the cloud, on storage devices, and computer systems. When not at rest on a storage medium, it is in motion over the network, or held in memory. Wherever it exists, there is a threat that someone can gain access and modify or extract the data in some way.

When dealing with data, there are a few main concerns. We need to ensure data is kept in the following way:

  • Confidential, which protects against unauthorized disclosure
  • Unaltered, which ensures that data is not modified, lost, or destroyed
  • Available, which ensures data can be accessed by authorized objects

It's important to be aware of the many ways someone or something can gain access to data, so you can take steps to employ appropriate security mechanisms.

Some of the attack vectors include the following:

  • Mobile devices: Our small, handheld devices contain our photos, contacts, and apps that allow us to shop, bank, and communicate. Malicious actors target vulnerable mobile devices as a way to a more lucrative target, such as a corporate intranet.
  • Wireless networks: These provide an attractive attack vector as Wi-Fi is characteristically insecure. Malicious actors tempt users to join open access points located in coffee shops and airports, to gain information such as usernames and passwords.
  • The user: This is the most vulnerable attack vector as it is the weakest link in any system. Every day, millions of people around the world fall victim to some sort of cybercrime, including scams, malware, phishing attacks, and credit card fraud.

A malicious actor will go through a process to gain control of a system, as shown in the following diagram:

Figure 3.7 – The process of moving from an attack vector to system compromise

The steps to gain access to a system are as follows:

  1. The process begins by a malicious actor seeking out a vulnerable target, by using one of many attack vectors.
  2. Once identified, the malicious actor will exploit the vulnerability, by launching an attack (or multiple attacks), to gain access to the system.
  3. After the malicious actor gains control of the system, the next step is to extract sensitive information, including passwords or credit card data.
  4. The malicious actor might even create a backdoor on the compromised system so they can return to access the system at a later date.

We now see the many attack vectors that can allow a malicious actor to gain access to a system. The next step is to outline the ways we can prevent data loss.

Providing defense mechanisms

While no defense method is totally threat-proof, good practices will help hamper a potential attack. Most experts generally suggest using a layered approach with a variety of proven methods.

Defense mechanisms include logical and physical security and security appliances, along with policies that outline proper behavior. The mechanisms are defined as follows:

  • Logical security includes access control techniques that ensure authentication, authorization, and accounting (AAA) in an information system.
  • Physical security methods limit access to buildings and equipment by using physical controls such as locks, lighting, gates, and smartcards.
  • Security appliances include intrusion detection/prevention systems, gateways, and firewalls that are tuned to allow or deny traffic based on a set of rules.
  • Policies define a set of rules of conduct for anyone or anything that interacts with the system resources. Policies can include topics such as password complexity, antivirus guidelines, or user education.

Logical network defenses, security appliances, and anti-malware protection continue to improve in their ability to defend systems. Many devices have built-in artificial intelligence (AI) that monitors the network and quickly identifies unusual or suspicious behavior, and then sends an alert. This then helps the network administrator to be more responsive.

Let's take a look at how a layered defense combines protection methods to help prevent attacks.

Using a layered approach

When we layer our defenses, we use more than one method to defend against attacks. For example, imagine an attacker trying to get malware onto a server. They may be able to do the following:

  1. Provide stolen credentials and get authenticated on the network.
  2. Pass through the firewall and head to the server.

However, once at the server, they would be stopped by the anti-malware protection, as shown in the following diagram:

Figure 3.8 – Using a layered approach to provide enhanced security

As we can see, malicious activity might be able to spoof a system or circumvent a firewall. That is why a layered defense posture helps provide protection in case one or more defense methods fail.

In addition to the protection methods already in place, an organization should create security policies. Policies help maintain a structure for the management and administration of the security of the network.

Let's see what's involved when creating security policies.

Creating and maintaining policies

Policies are designed to protect the infrastructure, by defining how an organization's people, processes, and devices access and interact with system resources. When creating policies, the organization should create a security plan, then policies and procedures, as shown in the following diagram:

Figure 3.9 – Progression from plan to procedures

For an optimal security posture, the progression should go as follows:

  1. The key stakeholders should sit down and think about the overall security posture of an organization, and then create a security plan. To see a set of guidelines that can help with this process, visit https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf.
  2. From the findings determined when creating the security plan, the team will develop security policies that define rules of proper behavior using an interdepartmental team approach.
  3. If required, the team should develop security procedures that define the way the policy should be executed.

Keep the policies in line with the objectives of the organization. In addition, it's best to have the support of upper-level management during their creation. You'll want to consider the following when creating the policies:

  • Who is the audience? Is the policy designed for trade workers, middle management, or consultants who work with the system?
  • How should the policy be shared? Will you share the policy by sending an email or use a paper memo that is displayed in a common area?
  • What is the key message? What is the policy trying to convey, for example, use of passwords, internet access, or acceptable use?
  • Is the policy driven by regulations? If so, management should outline a clear definition of the requirements involved and the rationale.

The team should write the policy using clear and concise language with no use of jargon. Once written and approved, you'll need to disseminate the policy and train all users. In addition, it's best to assign responsibility to monitor, enforce, and periodically review the policy.

Creating a security policy can be overwhelming, but there is help. SANS.org is a respected source for information security training. They have some templates that are free to use and will step you through the process. To see an extensive list, visit https://www.sans.org/information-security-policy.

As outlined, policies help define proper behavior. However, writing and implementing policies isn't always enough. It's also important to train your users, so they can act as a human firewall. Let's take a look.

Strengthening the human firewall

As logical and physical system defenses improve, malicious actors use social engineering to try and penetrate a softer target: the people in an organization, including employees, customers, and contractors. A skilled malicious actor will most likely use social engineering to obtain access to a system, before using more complex methods, such as password cracking.

To protect against a social engineering attack, put in place a solid user education program for new and existing employees. Discuss good practice guidelines when dealing with system resources, including the following:

  • Don't click on suspicious links in an email or online.
  • Use caution when using public Wi-Fi networks.
  • Secure your mobile devices.
  • Change your password often and don't use the same password for all sites.

Run periodic tests to see whether your employees can be spoofed. Many resources are available online. One example is SonicWall's phishing IQ test: https://www.sonicwall.com/en-us/phishing-iq-test-landing.

Social engineering is one of the hardest threats to defend against as humans can be our weakest link. However, steps can be taken to strengthen the human firewall to better protect the data.

As outlined, the one constant security goal in an organization is to maintain the integrity of the system, by taking steps to prevent a breach. In the next section, let's see how using encryption helps protect the data and decrease the risk of data exposure.

Maintaining integrity

It's essential to keep data in its original, unaltered form. Although there may be threats to the organization, encryption can ensure data integrity and prevent data from being changed, destroyed, or lost in an unauthorized or accidental manner. Organizations seek to protect the data and system resources, by implementing security strategies.

In this section, we'll take a look at just what's at stake, by first outlining the meaning of assets. We'll then clarify the definition of risk, which is a product of threats and vulnerabilities. You'll then understand how decreasing vulnerabilities will reduce overall risk.

Let's start with defining assets.

Protecting assets

When implementing security strategies, an organization seeks to protect their assets from threats such as cyberattacks or theft. Assets are either tangible or intangible goods that can be assigned a value:

Figure 3.10 – Tangible and intangible assets

Tangible assets are more common and easier to understand as they represent something you can touch. Tangible assets include the following:

  • Furniture, cash, and jewelry
  • Computers, servers, and printers

Intangible assets are goods that you can't touch or see; however, they still represent value to the company. Intangible assets are more difficult to monetize, but in some ways, they may be more valuable than the tangible assets. Intangible assets include the following:

  • Trade secrets, databases, and client lists
  • Company records and brand reputation

It's good practice to periodically conduct an inventory of your assets, so you truly understand the value of what you are trying to protect. In the next section, let's define risk, and learn one key strategy for decreasing overall risk.

Managing risk

Risk is the potential that something unpleasant or dangerous can happen. The outcome can range in severity as follows:

  • Risk can have a minor (non-catastrophic) outcome. For example, there is a risk you will get wet if you go out in the rain without an umbrella.
  • Risk can have a serious outcome, such as a financial loss, disruption to the supply chain, or even loss of life.

Risk is a function of threats and vulnerabilities, according to this formula:

Figure 3.11 – Formula to determine risk

A threat is an event, object, or individual that is capable of causing harm or damage. Threats can include malware, mischief, human error, and natural disasters. Threats exist; however, they are impossible to control.

A vulnerability is a flaw or weakness. When dealing with an information system, a vulnerability can include software bugs, unpatched systems, missing antivirus, or even human behavior. In many cases, we can fix vulnerabilities.

So that you can better understand the three terms in context, we'll use an example of a risk analysis exercise.

Performing a risk assessment

Risk is a function of threats and vulnerabilities. In general, although threats exist, we cannot control them. We can, however, minimize or control the vulnerabilities. Therefore, if we reduce the vulnerabilities, we will reduce overall risk.

To show you how threats and vulnerabilities work together to produce risk, we'll use an example. We'll see how using different levels of antimalware protection on a system will alter the risk:

  • One system will be protected using a free antivirus with no automatic updates.
  • One system will be protected using a paid antivirus with automatic updates.
  • One system will be protected using a unified threat management (UTM) appliance with automatic updates.

In each case, there is a 100% chance that malware will be a threat. Knowing this, let's build our matrix. As shown in the following screenshot, I have assigned each of the systems a vulnerability rating as to how easily malware will infect the system:

Figure 3.12 – Anti-malware protection – Risk analysis

As illustrated, the system using the free antivirus was the most vulnerable, and the risk of infection was 90%. The system using the paid antivirus had a 40% risk of being infected. However, the system using the UTM was minimally vulnerable, and therefore had only a 10% risk rating.

When providing security strategies, the goal is to decrease risk. As illustrated, when you decrease the vulnerabilities, you decrease overall risk.

Summary

In this chapter, we examined the differences between active and passive attacks. We saw how a passive attack is done to either learn information about devices on the network, or pick up confidential information, such as usernames and passwords. We then learned the different types of active attacks, which can modify the integrity of our systems and lead to data loss or compromise.

So that you can understand why encryption is so important, we outlined just what is at risk. We learned the different types of attack vectors, and the different defense mechanisms such as logical and physical security, security appliances, along with policies. Finally, we learned how organizations seek to protect assets and maintain system integrity, and how using countermeasures can reduce vulnerabilities and reduce overall risk.

In the next chapter, we'll discover symmetric encryption. We'll start with briefly covering some of the early ciphers, Lucifer and Feistel, and their influence on the Data Encryption Standard (DES). We'll then examine common algorithms including AES, DES, Blowfish, and Twofish. You'll learn the difference between a block and a stream cipher. We'll also cover how a stream cipher has different modes of operation such as cipher block chaining (CBC) and electronic code book (ECB). Finally, we'll take a look at how a stream cipher secures wireless communications and discuss some common protocols in use today.

Questions

Now it's time to check your knowledge. Select the best response, then check your answers, found in the Assessment section at the end of the book:

  1. _____ attacks do not interfere with the system or data integrity and include activity such as scanning or eavesdropping using packet analysis.

    a. Vector

    b. Modified

    c. Active

    d. Passive

  2. _____ attacks seek to disrupt services, modify, steal, or destroy data, and include attacks such as Denial of Service (DoS) attacks or releasing malware.

    a. Vector

    b. Modified

    c. Active

    d. Passive

  3. An attack _____ is a path or means by which a malicious actor can access a system and includes storage devices, email, mobile devices, cloud storage, and malware.

    a. vector

    b. stage

    c. appliance

    d. wall

  4. Network _____ that protect our networks include intrusion detection/intrusion prevention systems, along with firewalls that are tuned to allow or deny traffic based on a set of rules.

    a. stages

    b. policies

    c. attacks

    d. appliances

  5. A _____ is a flaw or weakness when dealing with an information system, and can include software bugs, unpatched systems, missing antivirus, or even human error.

    a. threat

    b. appliance

    c. vulnerability

    d. cage

  6. When you decrease the _____, you decrease overall risk.

    a. threats

    b. vulnerabilities

    c. procedures

    d. attacks

  7. _____ is one of the hardest threats to defend against, as humans can be our weakest link.

    a. Social engineering

    b. Cages

    c. Viruses

    d. Worms

Further reading

Please refer to the following links for more information:
