Reconnaissance AttacksReconnaissance attacks are centered around general knowledge gathering. These efforts stem from both physical reconnaissance, as well as a bit of digital research. Characteristics of this information gathering can be anything from probing the network, to social engineering, and physical surveillance. Some common examples of reconnaissance attacks include packet sniffing, ping sweeps, port scanning, phishing, social engineering, and internet information queries. It is worth noting that these attacks can be preventable as well. These can be examined further by breaking them into two categories: Logical, and Physical. Logical Reconnaissance refers to anything that is done in the digital realm and doesn’t require a human interaction element to be achieved. Ping sweeps and port scans, for example, are two methods of discovering both if the targeted system exists, and what it is looking for on the network. An example of a return on a port scan would be discovering that a server had telnet (a remote access service) enabled receiving an affirmative response on port 23. Such a response alerts an attacker to know that they can attempt exploitation geared towards that telnet service. Additionally, information queries over the internet, including leveraging public information services such as “Whois” queries make the information gathering that much easier. Of course, a Whois query exists for a legitimate purpose, but criminals exploit this for their own malicious purposes. Physical reconnaissance leans more on the efforts required for the attacker to gain access into the organization in person. Observing the locations of security cameras, activities of guards, types of door locking mechanisms, and patterns of life, all fall into the physical reconnaissance category. At this point, the attacker is going to an extreme to gain access into the organization’s information structure, but there is still the threat. This type of reconnaissance is still focused only on the collection of information from any available sources. This is important when evaluating deterrents, because if the surveyor cannot access the information easily, it may devalue the effort for the collection altogether or force them into a more logical realm. Either of these options from the surveyor would be beneficial to the network team, as it drives the reconnaissance into a more controllable atmosphere.
SolutionWhen a company registers with a domain host, they have obligations to divulge some information about their organization. However, as an administrative control, much of that information can be hidden from public view. Also, limiting information presented in banners can further protect the organization. Additionally, it is important for the information security lead of an organization to enforce technical controls over the data by turning off unused and unnecessary ports and having firewalls in place. Training all staff about the dangers of malicious activities is quite possibly the best preventative measure against reconnaissance. Additionally, a company should use the services of reputable security testers, including pen testers, and red team exercises. Doing so can greatly inform an organization’s information security leader of existing shortcomings. Most red teams achieve access by any means necessary, and this can truly highlight an attacker’s capabilities. Be sure to also conduct audits of both the logical information as well as the physical security in place. If security badges are used, access logs must be regularly reviewed to confirm that personnel are following the guidelines of the access agreements.
Access AttacksAccess attacks require intrusion capabilities. These can consist of anything as simple as gaining an account holder’s credentials, to plugging foreign hardware directly into the network infrastructure. The sophistication of these attacks ranges just as far. Often these access attacks can be compared to reconnaissance in being either logical or physical, logical being over the internet, and physical usually leaning more towards social engineering. Logical access attacks, such as exploitation through brute force attacks or testing passwords on the network using “rainbow tables” or dictionary attacks tend to create a lot of traffic on the network and can be easily spotted. It is for this reason that most logical access attacks are usually attempted only after sufficient reconnaissance or credentials have been obtained. There is also a tendency to lean on the passive side of attacking. For example, man-in-the-middle attacks to gather more information before raising too much suspicion. Physical access is either access to the infrastructure itself or access to the people. Social engineering is very dangerous and hard to defend against simply because of its insidious effectiveness. The easiest type of social engineering attack involves sending out phishing emails designed to hook someone as a leverage point that enables an attacker to begin strategically maneuvering into the company. This can happen in a variety of ways, but could include someone internal to the company opening an email that contains a malicious application that helps the attacker achieve access. Even the best of cybersecurity can fall subject to these types of attacks simply because they play on humanity as it exists, and we are not perfect beings.
SolutionProtection against this type of attack really comes down to network hardening. Most companies are limited to the capabilities of their equipment, so if your router is vulnerable to attack, then the best course of action is to know the attack type, look for it, and set rules on your network IDS/IPS to block it. Update the firmware and software within the company’s assets and ensure that patches are up to date. Additional steps include monitoring for activity of any recently recognized reconnaissance attacks. If attackers are researching your organization, there is a greater possibility of future attack attempts. An easy answer here is to use penetration testing teams to audit the current security profile of the organization. The primary difference between penetration testing and red team testing is the focus of the team. A pen test team wants to know all vulnerabilities whereas a red team wants to know if there are any at all.
Denial of Service AttacksDenial of Service (DoS) means that the information exchange has been prevented due to some form of interference. This can happen from a natural disaster event, such as an electrical failure, or a flood of packets that clogs the network’s ability to function. The irony of those two examples is that both can be malicious, and a true incident. While the power failure is very apparent, imagine a company boasting a new advertised event, then on the day of the event the servers cannot handle the inbound network traffic and result in failure. Fortunately, both can be mostly preventable with the proper implementation of protective measures. To achieve a malicious denial of service against an entire network, the attacker usually needs ample computer power on the attacking side as well. This can be achieved using a collection of networked devices that may or may not be aware of their involvement. This would be referred to as a botnet, and it can bring swift devastation to network traffic without any warning through a process called a Distributed Denial of Service (DDoS) attack. Essentially, the linked computers all generate packets into the network simultaneously. A typical modern computing resource can only perform one action at a time, so flooding the network with these packets generates a need to respond, and if the network cannot keep up with the responses, then the network simply cannot function. Another type of DoS attack aims to entirely crash a system. This full failure can cause temporary or permanent damage to a network. The purpose is to render the network inoperable.
SolutionDoS and DDoS defenses walk in parallel with access protection ideology. Preventive measures include maximizing bandwidth allocation, and network isolation based on traffic types. If an organization’s webservers are attacked, isolating those in a Demilitarized Zone (DMZ) will protect the back-end network management devices, as well as other servers that have a public presence, such as the mail servers. A DMZ combined with limited privileges and roles can be a powerful defense tactic. In the modern cloud-based world, it could be beneficial for a company with limited resources to seek out third-party hosting. Allowing a cloud service provider to manage data presentation services offers a little breathing room because of the control and protection they have at various levels in the cloud models.
ConclusionA standard tenet of security is that all systems are vulnerable to cybercrime. However, knowledge is power. When you know where your exploitable weaknesses lie, you can begin to concentrate efforts on those areas. Test your network for exploitation, and train your staff. Once you are confident about the organization’s security posture, continue to examine other areas of the organization’s security readiness, including contingency planning, and backup and recovery methods. There is no end to the preparation for an information leader, so check in often on the status of the organization, and remain alert. The common tongue of cybersecurity is now part of the taxonomy of business. However, there is always more to just “talking the talk”. Make the lexicon a reality in your organization.