CCNA Security 210-260 Official Cert Guide

Recognizing Current Network Threats

Threats today are constantly changing, with new ones emerging. Moving targets are often difficult to zero in on, but understanding the general nature of threats can prepare you to deal with new threats. This section covers the various network threat categories and identifies some strategies to stay ahead of those threats.

Potential Attackers

We could devote an entire book to attacks that have been launched in the past 15 minutes somewhere in the world against a network resource, a section of critical infrastructure, or a desired set of proprietary data. Instead of trying to list the thousands of attacks that could threaten vulnerable networks, let's begin by looking at the types of adversaries that may be behind attacks:

- Terrorists
- Criminals
- Government agencies
- Nation states
- Hackers
- Disgruntled employees
- Competitors
- Anyone with access to a computing device (sad, but true)

Different terms are used to refer to these individuals, including hacker/cracker (criminal hacker), script-kiddie, hacktivist, and the list goes on. As a security practitioner, you want to "understand your enemy." This is not to say that everyone should learn to be a hacker or write malware, because that is really not going to help. Instead, the point is that it is good to understand the motivations and interests of the people involved in breaking all those things you seek to protect. You also need to have a good understanding of your network and data environment to know what is vulnerable and what can be targeted by the malicious actors.

Some attackers seek financial gain (as mentioned previously). Others might want the notoriety that comes from attacking a well-known company or brand. Sometimes attackers throw their net wide and hurt companies both intended and unintended.

Back in the "old days," attacks were much simpler. We had basic intrusions, war dialing, and things like that. Viruses were fairly new. But it was all about notoriety. The Internet was in its infancy, and people sought to make names for themselves. In the late 1990s and early 2000s, we saw an increase in the number of viruses and malware, and it was about fame. More recently, many more attacks and threats revolve around actual theft of information and damage with financial repercussions. Perhaps that is a sign of the economy, or maybe it is just an evolution of who is computer literate or incentivized to be involved. Attackers may also be motivated by government or industrial espionage.

Attack Methods

Most attackers do not want to be discovered, and so they use a variety of techniques to stay undetected when attempting to compromise a network, as described in Table 1-5.

Table 1-5 Attack Methods

Reconnaissance: This is the discovery process used to find information about the network. It could include scans of the network to find out which IP addresses respond, and further scans to see which ports on the devices at these IP addresses are open. This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.

Social engineering: This is a tough one because it leverages our weakest (very likely) vulnerability in a secure system (data, applications, devices, networks): the user. If the attacker can get the user to reveal information, it is much easier for the attacker than using some other method of reconnaissance. This could be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information. Social engineering can also be done in person or over the phone. Phishing presents a link that looks like a valid trusted resource. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords. Pharming is used to direct a customer's URL from a valid resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user.

Privilege escalation: This is the process of taking some level of access (whether authorized or not) and achieving an even greater level of access. An example is an attacker who gains user mode access to a router and then uses a brute-force attack against the router, determining what the enable secret is for privilege level 15 access.

Back doors: When attackers gain access to a system, they usually want future access as well, and they want it to be easy. A backdoor application can be installed to either allow future access or to collect information to use in further attacks. Many back doors are installed by users clicking something without realizing the link they click or the file they open is a threat. Back doors can also be implemented as a result of a virus or a worm (often referred to as malware).

Code execution: When attackers can gain access to a device, they might be able to take several actions. The type of action depends on the level of access the attacker has, or can achieve, and is based on permissions granted to the account compromised by the attacker. One of the most devastating actions available to an attacker is the ability to execute code within a device. Code execution could result in an adverse impact to the confidentiality (attacker can view information on the device), integrity (attacker can modify the configuration of the device), and availability (attacker can create a denial of service through the modification of code) of a device.

Attack Vectors

Be aware that attacks are not launched only from individuals outside your company. They are also launched from people and devices inside your company who have current, legitimate user accounts. This vector is of particular concern these days with the proliferation of organizations allowing employees to bring your own device (BYOD) and allowing it seamless access to data, applications, and devices on the corporate networks. For more information on BYOD, see Chapter 4, "Bring Your Own Device (BYOD)." Perhaps the user is curious, or maybe a back door is installed on the computer on which the user is logged in. In either case, it is important to implement a security policy that takes nothing for granted and to be prepared to mitigate risk at several levels.

You can implement a security policy that takes nothing for granted by requiring authentication from users before their computer is allowed on the network (for which you could use 802.1X and Cisco Access Control Server [ACS]). This means that the workstation the user is on must go through a profiling before being allowed on the network. You could use Network Admission Control (NAC) or an Identity Service Engine (ISE) to enforce such a policy. In addition, you could use security measures at the switch port, such as port security and others. We cover many of these topics, in great detail, in later chapters.

Man-in-the-Middle Attacks

A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.

If this happens at Layer 2, the attacker spoofs Layer 2 MAC addresses to make the devices on a LAN believe that the Layer 2 address of the attacker is the Layer 2 address of its default gateway. This is called ARP poisoning. Frames that are supposed to go to the default gateway are forwarded by the switch to the Layer 2 address of the attacker on the same network. As a courtesy, the attacker can forward the frames to the correct destination so that the client will have the connectivity needed, and the attacker now sees all the data between the two devices. To mitigate this risk, you could use techniques such as dynamic Address Resolution Protocol (ARP) inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.

The attacker could also implement the attack by placing a switch into the network and manipulating the Spanning Tree Protocol (STP) to become the root switch (and thus gain the ability to see any traffic that needs to be sent through the root switch). You can mitigate this through techniques such as root guard and other spanning tree controls discussed later in this book.

A man-in-the-middle attack can occur at Layer 3 by a rogue router being placed on the network and fooling the other routers into believing that the new router has a better path. This could cause network traffic to flow through the rogue router and again allow the attacker to steal network data. You can mitigate attacks such as these in various ways, including routing authentication protocols and filtering information from being advertised or learned on specific interfaces.

To safeguard data in motion, one of the best things you can do is to use encryption for the confidentiality of the data in transit. If you use plaintext protocols for management, such as Telnet or HTTP, an attacker who has implemented a man-in-the-middle attack can see the contents of your cleartext data packets, and as a result will see everything that goes across the attacker's device, including usernames and passwords that are used. Using management protocols that have encryption built in, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), is considered a best practice, and using VPN protection for cleartext sensitive data is also considered a best practice.
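As an added illustration of the DAI check described above (this is not code from the cert guide), the following Python validates ARP replies arriving on untrusted switch ports against a binding table; the binding table, port names, MAC addresses and ARP replies are all constructed for the example.

```python
"""DAI-style ARP reply inspection against a DHCP snooping binding table.
Constructed example: the binding table, ports and ARP replies are made up."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    port: str          # switch port the reply arrived on
    sender_ip: str     # IP address the reply claims to speak for
    sender_mac: str    # MAC address it binds that IP to

# Constructed binding table: IP -> (MAC, port). Real DAI learns these from
# DHCP snooping; the gateway would be a static entry or an ARP ACL.
BINDINGS = {
    "10.0.0.1":  ("00:00:5e:00:01:01", "Gi0/1"),    # default gateway
    "10.0.0.10": ("aa:bb:cc:00:00:10", "Gi0/10"),
    "10.0.0.11": ("aa:bb:cc:00:00:11", "Gi0/11"),
}
TRUSTED_PORTS = {"Gi0/1"}   # uplink toward the gateway; DAI skips these

def inspect(reply, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason) for one ARP reply, as DAI would decide."""
    if reply.port in trusted:
        return ("forward", "trusted port")
    entry = bindings.get(reply.sender_ip)
    if entry is None:
        return ("drop", f"no binding for {reply.sender_ip}")
    mac, port = entry
    if reply.sender_mac.lower() != mac or reply.port != port:
        return ("drop", f"{reply.sender_ip} is bound to {mac} on {port}, "
                        f"not {reply.sender_mac} on {reply.port}")
    return ("forward", "matches binding")

def inspect_all(replies):
    return [inspect(r) for r in replies]

# Constructed traffic: two legitimate replies, then the host on Gi0/11 claiming
# the gateway's IP with its own MAC (the ARP poisoning described above), and
# a reply for an address that was never leased to anyone.
SAMPLE = [
    ArpReply("Gi0/10", "10.0.0.10", "aa:bb:cc:00:00:10"),
    ArpReply("Gi0/1",  "10.0.0.1",  "00:00:5e:00:01:01"),
    ArpReply("Gi0/11", "10.0.0.1",  "aa:bb:cc:00:00:11"),
    ArpReply("Gi0/11", "10.0.0.99", "aa:bb:cc:00:00:11"),
]

if __name__ == "__main__":
    for r, (verdict, why) in zip(SAMPLE, inspect_all(SAMPLE)):
        print(f"{r.port:7}{r.sender_ip:11}{verdict:8}{why}")
```

The third reply is exactly the poisoning case: a host on an untrusted port answering for the gateway's IP with its own MAC, so the switch drops it instead of letting the rest of the LAN learn the bogus mapping.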
Other Miscellaneous Attack Methods

No standards groups for attackers exist, so not all the attacks fit neatly or clearly in one category. In fact, some attacks fit into two or more categories at the same time. Table 1-6 describes a few additional methods attackers might use.

Table 1-6 Additional Attack Methods

Covert channel: This method uses programs or communications in unintended ways. For example, if policy says that web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic. An attacker may use a similar technique to hide traffic by tunneling it inside of some other allowed protocol to avoid detection. An example of this is a backdoor application collecting keystroke information from the workstation and then slowly sending it out disguised as Internet Control Message Protocol (ICMP). This is a covert channel. A covert channel is the legitimate use of a protocol, such as a user with a web browser using HTTP to access a web server, for illegitimate purposes, including cloaking network traffic from inspection.

Trust exploitation: If the firewall has three interfaces, and the outside interface allows all traffic to the demilitarized zone (DMZ) but not to the inside network, and the DMZ allows access to the inside network from the DMZ, an attacker could leverage that by gaining access to the DMZ and using that location to launch his attacks from there to the inside network. Other trust models, if incorrectly configured, may allow unintentional access to an attacker, including Active Directory and NFS (Network File System in UNIX).

Brute-force (password-guessing) attacks: Brute-force (password-guessing) types of attacks are performed when an attacker's system attempts thousands of possible passwords looking for the right match. This is best protected against by specifying limits on how many unsuccessful authentication attempts can occur within a specified time frame. Password-guessing attacks can also be done through malware, man-in-the-middle attacks using packet sniffers, or by using key loggers.

Botnet: A botnet is a collection of infected computers that are ready to take instructions from the attacker. For example, if the attacker has the malicious backdoor software installed on 10,000 computers, from his central location he could instruct those computers to all send TCP SYN requests or ICMP echo requests repeatedly to the same destination. To add insult to injury, he could also spoof the source IP address of the request so that reply traffic is sent to yet another victim. The attacker generally uses a covert channel to manage the individual devices that make up the botnet.
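To show the brute-force protection from Table 1-6 in working form, here is an added example (not from the cert guide) that counts failed logins per user and source address inside a sliding time window and locks the pair once the limit is reached; the log format, the threshold, the window and the sample lines are all constructed for the example.

```python
"""Failed-login lockout: too many failures for one (user, source) pair inside
a sliding window. Constructed example: log format and threshold are made up."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, result, user=..., src=...
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|failed) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    return None if not m else (datetime.fromisoformat(m["ts"]), m["result"],
                                m["user"], m["src"])

def lockouts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {(user, src): lock_time} for pairs reaching `threshold` failed
    attempts within `window`; later events for a locked pair are ignored."""
    recent = defaultdict(deque)   # (user, src) -> failure timestamps in window
    locked = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        key = (user, src)
        if key in locked:
            continue
        if result == "ok":
            recent[key].clear()       # a success resets the counter
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:     # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked[key] = ts
    return locked

# Constructed sample: rapid guessing from one source, slow failures from another.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 auth failed user=admin src=198.51.100.7",
    "2024-03-01T09:00:01 auth failed user=admin src=198.51.100.7",
    "2024-03-01T09:00:02 auth failed user=admin src=198.51.100.7",
    "2024-03-01T09:00:05 auth ok user=alice src=192.0.2.10",
    "2024-03-01T09:00:10 auth failed user=bob src=192.0.2.11",
    "2024-03-01T09:02:10 auth failed user=bob src=192.0.2.11",
    "2024-03-01T09:04:10 auth failed user=bob src=192.0.2.11",
]
```

With the defaults, `lockouts(SAMPLE_LOG)` locks admin from 198.51.100.7 at the third failure within two seconds, while bob's three failures spread over four minutes never accumulate inside one 60-second window.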