Cybersecurity has become an everyday term in today’s industry, discussed in executive meetings alongside financial results and projected marketing strategies. Here are some common attack vectors plaguing network infrastructure. The type of infrastructure you run does not really matter: if the data moving through it has value, someone wants to get it.
1. Reconnaissance Attacks
Reconnaissance attacks are general knowledge-gathering attacks. They can be carried out through both logical and physical approaches. Whether the information is gathered by probing the network or through social engineering and physical surveillance, these attacks are also preventable. Common examples of reconnaissance include packet sniffing, ping sweeps, port scanning, phishing, social engineering and internet information queries. We can examine them further by breaking them into two categories: logical and physical.
Logical reconnaissance refers to anything done in the digital realm that does not require a human on the other side to complete the attack. Ping sweeps and port scans, for example, are two methods of discovering both whether a system is present and which services it is listening for on the network. One example of what a port scan returns would be discovering that an IP address is listening on port 443 for HTTPS traffic. That tells the hacker they can attempt exploitation geared towards HTTPS.
Also in this category are information queries over the internet, sometimes called whois queries. Every domain registered to an independent company belongs to a domain provider somewhere, because these domains must be regulated. The problem is like patenting a product name: company A wants to use a specific domain, and company B already owns it. Domain management platforms handle the exchange and maintenance of domain names from conception to expiration. These domain hosting services typically expose a lot of information about an organization, including points of contact and their contact details. All of this makes information gathering that much easier when you contact a company armed with legitimate details about persons of interest.
Physical reconnaissance crosses into areas a network admin does not control. There are elements that will never be fully protected, such as locations, and security elements such as cameras, mantraps, door locks or guards that sit outside the admin’s remit. However, these still play into physically securing a network.
For example, a bank’s security team may only be able to stop an extremely well-orchestrated heist to the extent it has prepared for one, but the simple fact that a bank has security in place deters most lower- to mid-level criminals who would make the attempt. The same idea goes into most physical security measures for network protection. Reconnaissance, as we have established, is the collection of information from any available source. If the surveyor cannot access the information easily, that can deter collection altogether or force them into the logical realm. Either outcome benefits the network team, because it drives the reconnaissance into a more controllable environment.
Against these kinds of attacks, there is a limit to what can be done, as some details and company information absolutely need to be public. However, through training and simple steps taken at the development level, mitigation can prevent this from compounding into a bigger issue.
Limit the information published about a company’s contact details. Edit banner returns so that banner-grabbing attempts give the attacker as little information as possible. If contact information for the network admin or a company representative must be published, make sure those personnel are trained to spot social engineering attacks. Extend this training to all employees, as anyone risks sharing company secrets if the social engineer is charismatic enough.
Additionally, a company can outsource red teams and penetration testers. Doing so can greatly inform an organization’s leadership about what shortcomings exist. Most red teams achieve access by any means necessary, which truly highlights what an attacker is capable of. Also audit both the logical information and the physical security in place. If badges are in use, check the logs and make sure personnel are following the guidelines of the access agreements.
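The monitoring side of the advice above, as an added example that is not part of the original article: a small detector that reads connection-attempt lines from a firewall log and flags the two logical reconnaissance patterns described earlier, a port scan (one source probing many distinct ports on one target) and a ping sweep (one source probing many distinct hosts). The log format, the sample lines, the addresses and the thresholds are all constructed for this example; a real deployment would adapt `LINE_RE` to its own firewall's syntax and tune `window`, `port_threshold` and `host_threshold` to its traffic.

```python
import re
from collections import defaultdict, deque

# Constructed firewall log excerpt (sample data made up for this example, not
# from the article). One connection attempt per line:
#   "<epoch-seconds> <proto> <src> -> <dst>:<dport> <action>"
SAMPLE_FW_LOG = """\
1700000000 tcp 203.0.113.9 -> 192.0.2.10:21 drop
1700000000 tcp 203.0.113.9 -> 192.0.2.10:22 drop
1700000001 tcp 203.0.113.9 -> 192.0.2.10:23 drop
1700000001 tcp 203.0.113.9 -> 192.0.2.10:25 drop
1700000002 tcp 203.0.113.9 -> 192.0.2.10:80 accept
1700000002 tcp 203.0.113.9 -> 192.0.2.10:110 drop
1700000003 tcp 203.0.113.9 -> 192.0.2.10:143 drop
1700000003 tcp 203.0.113.9 -> 192.0.2.10:443 accept
1700000004 tcp 203.0.113.9 -> 192.0.2.10:3389 drop
1700000004 tcp 203.0.113.9 -> 192.0.2.10:8080 drop
1700000010 icmp 198.51.100.7 -> 192.0.2.1:0 accept
1700000010 icmp 198.51.100.7 -> 192.0.2.2:0 accept
1700000011 icmp 198.51.100.7 -> 192.0.2.3:0 accept
1700000011 icmp 198.51.100.7 -> 192.0.2.4:0 accept
1700000012 icmp 198.51.100.7 -> 192.0.2.5:0 accept
1700000012 icmp 198.51.100.7 -> 192.0.2.6:0 accept
1700000020 tcp 192.0.2.50 -> 192.0.2.10:443 accept
1700000025 tcp 192.0.2.50 -> 192.0.2.10:443 accept
1700000030 tcp 192.0.2.50 -> 192.0.2.10:80 accept
"""

# Hypothetical line format chosen for this example; adapt to your firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>\w+) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = int(event["ts"])
    event["dport"] = int(event["dport"])
    return event


def detect_recon(log_text, window=30, port_threshold=8, host_threshold=5):
    """Flag port scans (one source, one target, many distinct ports) and ping
    sweeps (one source, many distinct targets) seen within a sliding window
    of `window` seconds. Each (kind, source) pair is reported once."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    history = defaultdict(deque)  # tracking key -> deque of (ts, distinct item)
    alerts, fired = [], set()
    for e in events:
        if e["proto"] == "icmp":
            kind, threshold = "ping_sweep", host_threshold
            key, item = ("sweep", e["src"]), e["dst"]
        else:
            kind, threshold = "port_scan", port_threshold
            key, item = ("scan", e["src"], e["dst"]), e["dport"]
        hist = history[key]
        hist.append((e["ts"], item))
        while e["ts"] - hist[0][0] > window:  # forget entries older than the window
            hist.popleft()
        distinct = {x for _, x in hist}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"kind": kind, "src": e["src"],
                           "dst": e["dst"] if kind == "port_scan" else None,
                           "count": len(distinct), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_FW_LOG):
        print(alert)
```

On the sample data the scanner at 203.0.113.9 is reported once it reaches its eighth distinct port on 192.0.2.10, and 198.51.100.7 is reported at its fifth distinct host; the workstation at 192.0.2.50, which only touches two ports, never trips the threshold. Counting distinct ports and hosts rather than raw packets is what keeps a busy but legitimate client from looking like a scanner.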
2. Access Attacks
Access attacks require some sort of intrusion capability. They can consist of anything from gaining an account holder’s credentials to plugging foreign hardware directly into the network infrastructure, and their sophistication ranges just as widely. Like reconnaissance, access attacks can be split into logical and physical, logical being over the network and physical usually leaning more towards social engineering.
Logical access attacks, such as brute-force exploitation or testing passwords over the network with rainbow tables or dictionary attacks, tend to create a great deal of traffic and can be easily spotted by even a less experienced network monitor. For this reason, most logical access attacks are launched only after enough reconnaissance or credentials have been obtained. There is also a tendency to lean on passive attacks, such as man-in-the-middle attacks, to gather more information before becoming overly suspicious.
Physical access is really either access to the hardware or access to the people. Social engineering is very dangerous and hard to defend against simply because your users are usually the weakest link in cybersecurity. The easiest form of social engineering attack involves sending out phishing emails designed to hook someone, or getting a keylogger onto an insider’s computer to gain credentials that may escalate the attacker’s privileges. Even the best cybersecurity can fall victim to these attacks simply because they play on humanity as it exists, and we are not perfect beings without mistakes.
Defending against this type of attack really comes down to network hardening. Most companies are limited to the capabilities of their equipment, so if your Cisco router is vulnerable to an attack, the best course of action is to know that attack, look for it and set rules for it on your network IDS/IPS. Update often and regularly; this cannot be stressed enough in the computer industry. Additional steps include monitoring for probing from any recently recognized reconnaissance attacks: if hackers are researching you, there is a greater chance of future attack attempts. Again, bring in outsourced teams to test and audit your current security standing.
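The article notes that credential-guessing attacks are noisy and easy to spot, and that attackers tend to use stolen credentials once they have them. As an added example that is not part of the original article, here is detection logic that reads OpenSSH-style auth-log lines and raises three kinds of alert per source address: a burst of failed logins (brute force or dictionary guessing), one source cycling through many different usernames (password spraying), and a successful login that follows such a burst, which is the case most worth an immediate response. The log lines, hostnames, addresses and thresholds are constructed for this example; only the message layout follows the usual syslog form of OpenSSH messages.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log excerpt (sample data made up for this example, not
# from the article). The last line is unrelated noise that the parser must skip.
SAMPLE_AUTH_LOG = """\
Nov 14 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Nov 14 10:00:02 gw sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 51001 ssh2
Nov 14 10:00:02 gw sshd[2103]: Failed password for root from 203.0.113.5 port 51002 ssh2
Nov 14 10:00:03 gw sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Nov 14 10:00:04 gw sshd[2105]: Failed password for invalid user guest from 203.0.113.5 port 51004 ssh2
Nov 14 10:00:05 gw sshd[2106]: Failed password for root from 203.0.113.5 port 51005 ssh2
Nov 14 10:00:09 gw sshd[2107]: Accepted password for root from 203.0.113.5 port 51006 ssh2
Nov 14 10:03:30 gw sshd[2110]: Failed password for alice from 192.0.2.20 port 40000 ssh2
Nov 14 10:03:41 gw sshd[2111]: Accepted publickey for alice from 192.0.2.20 port 40001 ssh2
Nov 14 10:03:42 gw systemd[1]: Started Session 7 of user alice.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for one sshd login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for measuring intervals inside one log file
    return {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "result": m.group("result"), "user": m.group("user"),
            "src": m.group("src")}


def detect_auth_abuse(log_text, window_s=60, failure_threshold=5, user_threshold=3):
    """Keep, per source address, the failed logins of the last window_s seconds
    and flag a failure burst, many distinct usernames, and a success that
    follows a burst. Burst and spray alerts fire once per source."""
    failures = defaultdict(deque)  # src -> deque of (ts, user) for failed logins
    alerts, fired = [], set()
    for e in filter(None, map(parse_line, log_text.splitlines())):
        hist = failures[e["src"]]
        while hist and (e["ts"] - hist[0][0]).total_seconds() > window_s:
            hist.popleft()  # forget failures older than the window
        if e["result"] == "Failed":
            hist.append((e["ts"], e["user"]))
            users = {u for _, u in hist}
            if len(users) >= user_threshold and ("password_spray", e["src"]) not in fired:
                fired.add(("password_spray", e["src"]))
                alerts.append({"kind": "password_spray", "src": e["src"],
                               "users": sorted(users), "ts": e["ts"]})
            if len(hist) >= failure_threshold and ("brute_force", e["src"]) not in fired:
                fired.add(("brute_force", e["src"]))
                alerts.append({"kind": "brute_force", "src": e["src"],
                               "failures": len(hist), "ts": e["ts"]})
        elif len(hist) >= failure_threshold:
            # a success right after a burst of failures: the guess worked, or a
            # stolen credential was used once guessing became too noisy
            alerts.append({"kind": "success_after_failures", "src": e["src"],
                           "user": e["user"], "failures": len(hist), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_AUTH_LOG):
        print(alert)
```

The single failed login from 192.0.2.20 followed by a key-based success is what a typo looks like and produces nothing, while 203.0.113.5 is reported three times in nine seconds. Keying the history on the source address is deliberate: the per-account lockout that many systems apply does nothing against a source that tries each account only once or twice.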
3. Denial of Service Attacks
Denial of service means the network cannot move traffic in any capacity. It can result from a power failure or from flooding the network with junk traffic that clogs its ability to function. Both have historically happened without any malicious intent, and both can be prevented with physical and logical blockers.
To achieve a denial of service against an entire network, the attacker usually needs ample computing power on their end as well, and often gets it from a comparable network of devices that may or may not know they are involved. This is referred to as a botnet, and it can bring swift devastation to a network without any warning through a distributed denial of service. Essentially, the linked computers all fire packets into the network simultaneously. A computing resource may seem superior to humankind, but like us, a computer can only perform one action at a time, so flooding the network with these packets generates a need to respond, and if the network cannot keep up with the responses, it simply cannot function.
Another type of denial of service attack is a system crash, which can cause temporary or permanent damage to a network. The idea is like a flood in that the attacker simply wants to render the network inoperable. Permanent damage is considered a destructive denial of service, whereas a temporary denial of service is just a crash.
DoS and DDoS defense runs in parallel with the access attack defense ideology. Protection against these attacks can include a few options, from maximizing bandwidth allocation to network isolation based on traffic types. If your web server is attacked, you do not want that to affect the mail server or back-end network management devices. Combine this effort with limiting privileges and roles.
Hardening network devices is always a best practice, as previously mentioned. Ensuring all system hardware and software is updated and patched regularly is a good habit for an organization. Controlling traffic flows is a great way to stop these attacks. Also, know the vulnerabilities that can affect you.
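The two ideas above, controlling traffic flows and isolating traffic so one abused service does not take the others down, can be shown with a per-source token-bucket rate limiter. The following is an added example, not part of the original article: it simulates a flooding source and a normal client hitting the same service, and runs the same traffic once with one bucket per source address and once with a single shared bucket. The addresses, request rates, bucket capacity and refill rate are constructed for this example; arithmetic is done in integer milliseconds and thousandths of a token so the accept/deny boundary is exact.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket limiter using integer arithmetic: time in milliseconds,
    tokens in thousandths, so refill never hits floating-point rounding."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity_m = capacity * 1000
        self.refill_per_sec = refill_per_sec
        self.tokens_m = self.capacity_m  # a fresh bucket starts full
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            # refill_per_sec tokens per second == refill_per_sec milli-tokens per ms
            gained = (now_ms - self.last_ms) * self.refill_per_sec
            self.tokens_m = min(self.capacity_m, self.tokens_m + gained)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False


FLOOD_SRC = "203.0.113.77"  # constructed: sends 100 requests/s for 5 s
NORMAL_SRC = "192.0.2.30"   # constructed: sends 1 request/s for 5 s


def build_traffic():
    """Constructed request stream: (time_ms, source) tuples in time order."""
    events = [(10 * i, FLOOD_SRC) for i in range(500)]
    events += [(505 + 1000 * i, NORMAL_SRC) for i in range(5)]
    events.sort()
    return events


def run_limiter(events, per_source, capacity=10, refill_per_sec=5):
    """Apply the limiter to the stream and return {src: (accepted, dropped)}.
    per_source=True isolates each address in its own bucket; False shares one
    bucket across all traffic, so a flood starves everyone."""
    buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec))
    shared = TokenBucket(capacity, refill_per_sec)
    stats = defaultdict(lambda: [0, 0])
    for now_ms, src in events:
        bucket = buckets[src] if per_source else shared
        stats[src][0 if bucket.allow(now_ms) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


if __name__ == "__main__":
    traffic = build_traffic()
    print("per-source buckets:", run_limiter(traffic, per_source=True))
    print("one shared bucket: ", run_limiter(traffic, per_source=False))
```

With a capacity of 10 tokens and a refill of 5 per second, the flooding source gets its first 10 requests through and then only one in every 20, for 34 accepted out of 500 either way. The difference is in the normal client: with per-source buckets all 5 of its requests are served, while with one shared bucket the flood drains it and all 5 are dropped. That is the same isolation argument the article makes about keeping an attacked web server from taking down the mail server, applied at the level of individual sources.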
It is a pipe dream to believe a network infrastructure is invulnerable; however, the possibility of being protected is within grasp. Fundamentally, it comes down to knowing what can happen to your network, knowing your equipment and training up the staff.
About the Author: Allen Britt is a decorated veteran who has been expertly trained in multiple disciplines of cybersecurity, computer science, and electrical and mechanical engineering. His diverse background has afforded him opportunities to work within some unique areas of focus for government customers. He currently operates as a field support engineer, using his subject matter expertise to advise customers.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.