CCNA Security 210-260 Official Cert Guide
Recognizing Current Network Threats
Threats today are constantly changing, with new ones emerging. Moving targets are often difficult to zero in on, but understanding the general nature of threats can prepare you to deal with new threats. This section covers the various network threat categories and identifies some strategies to stay ahead of those threats.
Potential Attackers
We could devote an entire book to attacks that have been launched in the past 15 minutes somewhere in the world against a network resource, a section of critical infrastructure, or a desired set of proprietary data. Instead of trying to list the thousands of attacks that could threaten vulnerable networks, let's begin by looking at the types of adversaries that may be behind attacks:
Terrorists
Criminals
Government agencies
Nation states
Hackers
Disgruntled employees
Competitors
Anyone with access to a computing device (sad, but true)
Different terms are used to refer to these individuals, including hacker/cracker (criminal hacker), script-kiddie, hacktivist, and the list goes on. As a security practitioner, you want to "understand your enemy." This is not to say that everyone should learn to be a hacker or write malware, because that is really not going to help. Instead, the point is that it is good to understand the motivations and interests of the people involved in breaking all those things you seek to protect. You also need to have a good understanding of your network and data environment to know what is vulnerable and what can be targeted by the malicious actors.
Some attackers seek financial gain (as mentioned previously). Others might want the notoriety that comes from attacking a well-known company or brand. Sometimes attackers throw their net wide and hurt companies both intended and unintended.
Back in the "old days," attacks were much simpler. We had basic intrusions, war dialing, and things like that. Viruses were fairly new. But it was all about notoriety. The Internet was in its infancy, and people sought to make names for themselves. In the late 1990s and early 2000s, we saw an increase in the number of viruses and malware, and it was about fame.
More recently, many more attacks and threats revolve around actual theft of information and damage with financial repercussions. Perhaps that is a sign of the economy, or maybe it is just an evolution of who is computer literate or incentivized to be involved. Attackers may also be motivated by government or industrial espionage.
Chapter 1: Networking Security Concepts
Attack Methods
Most attackers do not want to be discovered, and so they use a variety of techniques to remain undetected while attempting to compromise a network, as described in Table 1-5.
Table 1-5 Attack Methods

Action: Reconnaissance
Description: This is the discovery process used to find information about the network. It could include scans of the network to find out which IP addresses respond, and further scans to see which ports on the devices at these IP addresses are open. This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.

Action: Social engineering
Description: This is a tough one because it leverages our weakest (very likely) vulnerability in a secure system (data, applications, devices, networks): the user. If the attacker can get the user to reveal information, it is much easier for the attacker than using some other method of reconnaissance. This could be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information. Social engineering can also be done in person or over the phone.
Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords.
Pharming is used to direct a customer's URL from a valid resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user.

Action: Privilege escalation
Description: This is the process of taking some level of access (whether authorized or not) and achieving an even greater level of access. An example is an attacker who gains user mode access to a router and then uses a brute-force attack against the router, determining what the enable secret is for privilege level 15 access.

Action: Back doors
Description: When attackers gain access to a system, they usually want future access, as well, and they want it to be easy. A backdoor application can be installed to either allow future access or to collect information to use in further attacks. Many back doors are installed by users clicking something without realizing the link they click or the file they open is a threat. Back doors can also be implemented as a result of a virus or a worm (often referred to as malware).

Action: Code execution
Description: When attackers can gain access to a device, they might be able to take several actions. The type of action depends on the level of access the attacker has, or can achieve, and is based on permissions granted to the account compromised by the attacker. One of the most devastating actions available to an attacker is the ability to execute code within a device. Code execution could result in an adverse impact to the confidentiality (attacker can view information on the device), integrity (attacker can modify the configuration of the device), and availability (attacker can create a denial of service through the modification of code) of a device.
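The reconnaissance row describes two scan passes: which addresses answer, then which ports on them are open. The following Python script is an added example (not code from the Cert Guide) of the port-discovery pass as a TCP connect scan. To stay self-contained it opens two listening sockets on loopback and scans those ports plus a few that are almost certainly closed; the loopback target, the port choices and the `demo()` helper are assumptions for the example, and you would only point `scan()` at hosts you are authorised to test.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

TARGET = "127.0.0.1"   # loopback lab target (assumption for this example)


def probe(target, port, timeout=0.5):
    """Return True if a full TCP handshake completes on target:port.

    A refused connection (RST) means the host is up but the port is closed;
    a timeout means a filter dropped the SYN or nothing is there at all.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((target, port))
            return True
        except (socket.timeout, ConnectionRefusedError, OSError):
            return False


def scan(target, ports, workers=32):
    """Connect-scan the given ports concurrently; return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(target, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_listener(host=TARGET):
    """Open a listening socket on an OS-chosen port to act as a scan target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def demo():
    """Scan a few loopback ports, two of which this script opened itself.

    Returns (ports known to be listening, ports the scan reported open).
    """
    a, b = start_listener(), start_listener()
    try:
        known_open = {a.getsockname()[1], b.getsockname()[1]}
        # Ports 1-3 are privileged and essentially never in use on a lab host
        # (constructed choice so the scan has closed ports to report on).
        candidates = sorted(known_open | {1, 2, 3})
        return known_open, set(scan(TARGET, candidates))
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    known, found = demo()
    print("listening:", sorted(known), "scan found:", sorted(found))
```

A full connect is the noisiest scan type: every probe completes the handshake and shows up in the target's connection logs, which is exactly the kind of reconnaissance an IDS or a host-based log review can catch.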
Attack Vectors
Be aware that attacks are not launched only from individuals outside your company. They are also launched from people and devices inside your company who have current, legitimate user accounts. This vector is of particular concern these days with the proliferation of organizations allowing employees to bring your own device (BYOD) and allowing it seamless access to data, applications, and devices on the corporate networks. For more information on BYOD, see Chapter 4, "Bring Your Own Device (BYOD)." Perhaps the user is curious, or maybe a back door is installed on the computer on which the user is logged in. In either case, it is important to implement a security policy that takes nothing for granted and to be prepared to mitigate risk at several levels.
You can implement a security policy that takes nothing for granted by requiring authentication from users before their computer is allowed on the network (for which you could use 802.1X with Cisco Access Control Server [ACS]). This means that the workstation the user is on must go through a profiling before being allowed on the network. You could use Network Admission Control (NAC) or an Identity Services Engine (ISE) to enforce such a policy. In addition, you could use security measures at the switch port, such as port security and others. We cover many of these topics, in great detail, in later chapters.
Man-in-the-Middle Attacks
A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.
If this happens at Layer 2, the attacker spoofs Layer 2 MAC addresses to make the devices on a LAN believe that the Layer 2 address of the attacker is the Layer 2 address of its default gateway. This is called ARP poisoning. Frames that are supposed to go to the default gateway are forwarded by the switch to the Layer 2 address of the attacker on the same network. As a courtesy, the attacker can forward the frames to the correct destination so that the client will have the connectivity needed and the attacker now sees all the data between the two devices. To mitigate this risk, you could use techniques such as dynamic Address Resolution Protocol (ARP) inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.
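DAI works by checking each ARP packet that arrives on an untrusted port against the DHCP snooping binding table (IP, MAC, port) and dropping any reply whose sender IP is bound to a different MAC or port; packets on trusted ports (uplinks, the port facing the DHCP server) bypass the check. The Python below is an added example of that decision logic, not Cisco code and not from the Cert Guide. The binding table, the port names, the 00:00:5e:00:53:xx MAC addresses and the four ARP replies are constructed for the example; it omits VLAN scoping and the optional source-MAC validation a real switch can also perform.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the IP a host leased, its MAC, its switch port."""
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpPacket:
    opcode: int        # 1 = request, 2 = reply
    sender_ip: str
    sender_mac: str
    target_ip: str
    ingress_port: str


class ArpInspector:
    """Validate ARP packets arriving on untrusted ports against the binding table."""

    def __init__(self, bindings, trusted_ports=()):
        self.table = {b.ip: b for b in bindings}
        self.trusted = set(trusted_ports)
        self.log = []          # (packet, reason) for every drop

    def inspect(self, pkt):
        """Return True to forward the packet, False to drop it."""
        if pkt.ingress_port in self.trusted:
            return True        # uplinks and the DHCP server port bypass inspection
        bound = self.table.get(pkt.sender_ip)
        if bound is None:
            self._drop(pkt, "no binding for sender IP %s" % pkt.sender_ip)
            return False
        if bound.mac != pkt.sender_mac.lower() or bound.port != pkt.ingress_port:
            self._drop(pkt, "%s is bound to %s on %s, not %s on %s" % (
                pkt.sender_ip, bound.mac, bound.port,
                pkt.sender_mac, pkt.ingress_port))
            return False
        return True

    def _drop(self, pkt, reason):
        self.log.append((pkt, reason))


# Constructed lab data: the gateway sits behind the trusted uplink Gi0/1,
# two DHCP clients sit on access ports Gi0/20 and Gi0/21.
BINDINGS = [
    Binding("10.1.1.20", "00:00:5e:00:53:20", "Gi0/20"),
    Binding("10.1.1.30", "00:00:5e:00:53:30", "Gi0/21"),
]
GATEWAY_MAC = "00:00:5e:00:53:01"


def run_demo():
    """Feed four ARP replies through the inspector; return (verdicts, drop log)."""
    dai = ArpInspector(BINDINGS, trusted_ports={"Gi0/1"})
    packets = [
        # Legitimate reply from the real gateway on the trusted uplink.
        ArpPacket(2, "10.1.1.1", GATEWAY_MAC, "10.1.1.20", "Gi0/1"),
        # Legitimate reply from the host on Gi0/20.
        ArpPacket(2, "10.1.1.20", "00:00:5e:00:53:20", "10.1.1.1", "Gi0/20"),
        # Poisoning attempt: host on Gi0/21 claims to be the gateway.
        ArpPacket(2, "10.1.1.1", "00:00:5e:00:53:30", "10.1.1.20", "Gi0/21"),
        # Poisoning attempt: host on Gi0/21 pairs its own IP with the gateway MAC.
        ArpPacket(2, "10.1.1.30", GATEWAY_MAC, "10.1.1.20", "Gi0/21"),
    ]
    return [dai.inspect(p) for p in packets], dai.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    print("forwarded:", verdicts)
    for pkt, reason in log:
        print("dropped on", pkt.ingress_port, "->", reason)
```

The third packet is dropped simply because no binding exists for 10.1.1.1 on an untrusted port, which is also why statically addressed hosts need ARP ACLs on a real switch: with no DHCP lease there is no binding, and DAI would drop their legitimate ARP traffic too.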
The attacker could also implement the attack by placing a switch into the network and manipulating the Spanning Tree Protocol (STP) to become the root switch (and thus gain the ability to see any traffic that needs to be sent through the root switch). You can mitigate this through techniques such as root guard and other spanning tree controls discussed later in this book.
A man-in-the-middle attack can occur at Layer 3 by a rogue router being placed on the network and convincing the other routers into believing that the new router has a better path. This could cause network traffic to flow through the rogue router and again allow the attacker to steal network data. You can mitigate attacks such as these in various ways, including routing authentication protocols and filtering information from being advertised or learned on specific interfaces.
To safeguard data in motion, one of the best things you can do is to use encryption for the confidentiality of the data in transit. If you use plaintext protocols for management, such as Telnet or HTTP, an attacker who has implemented a man-in-the-middle attack can see the contents of your cleartext data packets, and as a result will see everything that goes across the attacker's device, including usernames and passwords that are used. Using management protocols that have encryption built in, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), is considered a best practice, and using VPN protection for cleartext sensitive data is also considered a best practice.
Other Miscellaneous Attack Methods
No standards groups for attackers exist, so not all the attacks fit neatly or clearly in one category. In fact, some attacks fit into two or more categories at the same time. Table 1-6 describes a few additional methods attackers might use.
Table 1-6 Additional Attack Methods

Action: Covert channel
Description: This method uses programs or communications in unintended ways. For example, if the security policy says that web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic. An attacker may use a similar technique to hide traffic by tunneling it inside of some other allowed protocol to avoid detection. An example of this is a backdoor application collecting keystroke information from the workstation and then slowly sending it out disguised as Internet Control Message Protocol (ICMP). This is a covert channel.
A covert channel is the legitimate use of a protocol, such as a user with a web browser using HTTP to access a web server, for illegitimate purposes, including cloaking network traffic from inspection.

Action: Trust exploitation
Description: If the firewall has three interfaces, and the outside interface allows all traffic to the demilitarized zone (DMZ) but not to the inside network, and the DMZ allows access to the inside network from the DMZ, an attacker could leverage that by gaining access to the DMZ and using that location to launch his attacks from there to the inside network. Other trust models, if incorrectly configured, may allow unintentional access to an attacker, including Active Directory and NFS (Network File System in UNIX).

Action: Brute-force (password-guessing) attacks
Description: Brute-force (password-guessing) types of attacks are performed when an attacker's system attempts thousands of possible passwords looking for the right match. This is best protected against by specifying limits on how many unsuccessful authentication attempts can occur within a specified time frame. Password-guessing attacks can also be done through malware, man-in-the-middle attacks using packet sniffers, or by using key loggers.

Action: Botnet
Description: A botnet is a collection of infected computers that are ready to take instructions from the attacker. For example, if the attacker has the malicious backdoor software installed on 10,000 computers, from his central location, he could instruct those computers to all send TCP SYN requests or ICMP echo requests repeatedly to the same destination. To add insult to injury, he could also spoof the source IP address of the request so that reply traffic is sent to yet another victim. The attacker generally uses a covert channel to manage the individual devices that make up the botnet.
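The covert channel row describes a back door leaking keystrokes inside ICMP. The Python below is an added example (not from the Cert Guide) showing both halves of that: `covert_stream()` is the sender side, slicing captured data into echo requests that are the same 56 bytes a stock Linux ping carries, and `classify()` is the detection side, which treats the filler bytes of the usual Linux and Windows ping clients as a known-good baseline and flags anything else. The packet builder, checksum, thresholds and the keystroke sample are constructed for the example; the two filler patterns are what the `ping` utilities on those platforms send by default.

```python
import math
import struct
from collections import Counter

ECHO_REQUEST, ECHO_REPLY = 8, 0
# Filler that stock ping clients put after the 8-byte timestamp (Linux) or use
# as the whole payload (Windows); this is the "known-good" baseline.
LINUX_FILLER = bytes(range(0x10, 0x40))                 # 48 bytes, 0x10..0x3f
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"    # 32 bytes


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (0 for a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload, icmp_type=ECHO_REQUEST):
    """Serialise an ICMP echo message with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Return (type, code, ident, seq, payload, checksum_ok)."""
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:], icmp_checksum(packet) == 0


def entropy(data):
    """Shannon entropy in bits per byte (0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(packet, max_len=64, max_entropy=5.0):
    """Label an ICMP message 'benign', 'suspicious' or 'not-echo', with reasons.

    The filler allowlist comes first: sequential bytes have high entropy too,
    so entropy alone would flag every ordinary Linux ping.
    """
    icmp_type, _, _, _, payload, ok = parse_echo(packet)
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        return "not-echo", []
    known_filler = payload == WINDOWS_FILLER or (
        len(payload) == 56 and payload[8:] == LINUX_FILLER)
    reasons = []
    if not ok:
        reasons.append("bad checksum")
    if not known_filler:
        reasons.append("payload is not a known ping filler")
        ent = entropy(payload)
        if ent > max_entropy:
            reasons.append("payload entropy %.2f bits/byte" % ent)
    if len(payload) > max_len:
        reasons.append("payload %d bytes exceeds %d" % (len(payload), max_len))
    return ("suspicious" if reasons else "benign"), reasons


def covert_stream(data, ident=0x1234, chunk=56):
    """What the back door does: slice data into ping-sized echo requests."""
    return [build_echo(ident, seq, data[i:i + chunk].ljust(chunk, b"\x00"))
            for seq, i in enumerate(range(0, len(data), chunk), start=1)]


# Constructed samples: a Linux-style ping, a Windows-style ping, and a
# keystroke log the back door would leak 56 bytes at a time.
LINUX_PING = build_echo(0x1234, 1,
                        struct.pack("!II", 1700000000, 123456) + LINUX_FILLER)
WINDOWS_PING = build_echo(0x0001, 7, WINDOWS_FILLER)
KEYLOG = b"admin\tP@ssw0rd!\nssh 10.1.1.1\nenable\ns3cr3t-en4ble\nshow run\n"
EXFIL_PINGS = covert_stream(KEYLOG)

if __name__ == "__main__":
    for name, pkt in [("linux", LINUX_PING), ("windows", WINDOWS_PING)] + [
            ("exfil-%d" % i, p) for i, p in enumerate(EXFIL_PINGS, 1)]:
        print(name, classify(pkt))
```

Matching the baseline exactly is the strong signal here: the exfil packets are the same length as a normal ping and their entropy is unremarkable, so a size or entropy threshold alone would miss them. A real NIDS would also look at rate and at whether the echo requests ever get replies.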
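The trust exploitation row is a reachability problem: no single rule lets outside reach inside, yet the chain outside to DMZ to inside does. The Python below is an added example (not from the Cert Guide) that models a zone policy as the set of allowed initiation directions and searches for pairs the policy denies directly but that are reachable by pivoting through another zone. The zone names, the `inside` rules (the text only states the outside and DMZ rules) and the "hardened" variant are constructed assumptions for the example.

```python
from collections import deque

# Allowed initiation directions, zone -> set of zones it may reach directly.
# outside -> DMZ permitted, outside -> inside denied, DMZ -> inside permitted,
# exactly as the table describes; the inside rules are an assumption.
THREE_INTERFACE_POLICY = {
    "outside": {"dmz"},
    "dmz": {"inside"},
    "inside": {"dmz", "outside"},
}

# Same policy with the DMZ no longer able to initiate anything toward inside.
HARDENED_POLICY = {
    "outside": {"dmz"},
    "dmz": set(),
    "inside": {"dmz", "outside"},
}


def directly_allowed(policy, src, dst):
    """True if a single rule permits src to initiate traffic to dst."""
    return dst in policy.get(src, set())


def pivot_paths(policy, src, dst):
    """Every loop-free zone chain by which src can reach dst, direct or pivoted."""
    paths, stack = [], deque([[src]])
    while stack:
        path = stack.pop()
        for nxt in sorted(policy.get(path[-1], ())):
            if nxt in path:
                continue                      # do not revisit a zone
            if nxt == dst:
                paths.append(path + [nxt])
            else:
                stack.append(path + [nxt])
    return paths


def unintended_reach(policy):
    """Pairs the policy denies directly but that are reachable via another zone.

    Returns {(src, dst): [path, ...]} so each finding shows the pivot chain.
    """
    zones = set(policy) | {z for targets in policy.values() for z in targets}
    findings = {}
    for src in sorted(zones):
        for dst in sorted(zones):
            if src == dst or directly_allowed(policy, src, dst):
                continue
            paths = pivot_paths(policy, src, dst)
            if paths:
                findings[(src, dst)] = paths
    return findings


if __name__ == "__main__":
    for name, pol in [("three-interface", THREE_INTERFACE_POLICY),
                      ("hardened", HARDENED_POLICY)]:
        print(name)
        for (src, dst), paths in unintended_reach(pol).items():
            print("  %s -> %s denied directly, reachable via %s" % (src, dst, paths))
```

Removing every DMZ-to-inside rule is rarely practical; the real fix is to narrow that rule to the specific inside hosts and ports the DMZ service needs, and to run this kind of check again afterwards, because the model also reports the DMZ reaching outside through a compromised inside host, the same pivot in the other direction.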
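The brute-force row names the mitigation: limit how many failed authentications may occur within a time window. The Python below is an added example (not from the Cert Guide) of that limit as a sliding-window lockout with the same three knobs as the IOS `login block-for <seconds> attempts <tries> within <seconds>` command; it keys the counter on the (username, source address) pair so one attacker cannot lock out a legitimate user from elsewhere. The `LoginThrottle` class, the injectable clock, the `attempt_login()` helper and the plaintext `USERS` store are constructed assumptions for the example.

```python
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Block a key after `attempts` failures within `within` seconds, for `block_for` seconds."""

    def __init__(self, attempts=3, within=60, block_for=120, clock=time.monotonic):
        self.attempts, self.within, self.block_for = attempts, within, block_for
        self.clock = clock                   # injectable so tests can move time
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.blocked_until = {}

    def is_blocked(self, key):
        until = self.blocked_until.get(key)
        if until is not None and self.clock() < until:
            return True
        self.blocked_until.pop(key, None)    # lockout expired (or never set)
        return False

    def record_failure(self, key):
        """Record a failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        window = self.failures[key]
        window.append(now)
        while window and now - window[0] > self.within:
            window.popleft()                 # forget failures outside the window
        if len(window) >= self.attempts:
            self.blocked_until[key] = now + self.block_for
            window.clear()
            return True
        return False

    def record_success(self, key):
        self.failures.pop(key, None)


# Constructed credential store; a real one holds salted password hashes.
USERS = {"admin": "correct horse battery staple"}


def attempt_login(throttle, user, password, source_ip):
    """Return 'ok', 'bad-credentials' or 'locked-out' for one login attempt."""
    key = (user, source_ip)
    if throttle.is_blocked(key):
        return "locked-out"                  # do not even evaluate the password
    expected = USERS.get(user, "")
    # Constant-time compare; unknown users take the same path as bad passwords.
    if user in USERS and hmac.compare_digest(expected.encode(), password.encode()):
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "bad-credentials"


if __name__ == "__main__":
    th = LoginThrottle()
    for guess in ("letmein", "Password1", "admin123", "correct horse battery staple"):
        print(guess, "->", attempt_login(th, "admin", guess, "192.0.2.10"))
```

Note the trade-off built into the window: an attacker who spaces guesses just outside `within` never trips the lock, so the limit slows a brute-force attack rather than stopping it, and the failed attempts still need to be logged and alerted on.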