Network Security Concepts
Module 3: Network Security Concepts - Instructor Materials
Module Objectives
Explain how vulnerabilities, threats, and exploits can be mitigated to enhance network security.
Topic Objectives:
Current State of Cybersecurity: Describe the current state of cybersecurity and vectors of data loss.
Threat Actors: Describe tools used by threat actors to exploit networks.
Malware: Describe malware types.
Common Network Attacks: Describe common network attacks.
IP Vulnerabilities and Threats: Explain how IP vulnerabilities are exploited by threat actors.
TCP and UDP Vulnerabilities: Explain how TCP and UDP vulnerabilities are exploited by threat actors.
IP Services: Explain how IP services are exploited by threat actors.
Network Security Best Practices: Describe best practices for protecting a network.
Cryptography: Describe common cryptographic processes used to protect data in transit.
Ethical Hacking Statement
Learners may be exposed to tools and techniques in a “sandboxed” virtual machine environment to demonstrate cyber attacks.
Experimentation is at the discretion of the instructor and local institution.
Learners should contact their instructor prior to any experimentation.
Unauthorized access to data, computer, and network systems is a crime.
Learners are responsible for being compliant with computer use laws.
3.1 Current State of Cybersecurity
Current State of Affairs
Cyber criminals have the expertise and tools to take down critical infrastructure and systems.
Their tools and techniques continue to evolve.
Maintaining a secure network ensures the safety of network users and protects commercial interests.
All users should be aware of security terms.
Security Terms
Assets: Anything of value to the organization (people, equipment, resources, data).
Vulnerability: Weakness in a system or its design that could be exploited by a threat.
Threat: Potential danger to a company’s assets, data, or network functionality.
Exploit: Mechanism that takes advantage of a vulnerability.
Mitigation: Counter-measure that reduces the likelihood or severity of a potential threat or risk. Network security involves multiple mitigation techniques.
Risk: Likelihood that a threat will exploit the vulnerability of an asset, with the aim of negatively affecting an organization. Risk is measured using the probability of the occurrence of an event and its consequences.
Vectors of Network Attacks
An attack vector is a path by which a threat actor can gain access to a server, host, or network.
Attack vectors originate from inside or outside the corporate network.
Internal threats have the potential to cause greater damage than external threats because internal users have direct access to the building and its infrastructure devices.
Data Loss
Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world.
Data Loss Results
Brand damage and loss of reputation
Loss of competitive advantage
Loss of customers
Loss of revenue
Litigation/legal action resulting in fines and civil penalties
Significant cost and effort to notify affected parties and recover from the breach
Data Loss Prevention (DLP)
Network security professionals must protect the organization’s data.
Various Data Loss Prevention (DLP) controls must be implemented which combine strategic, operational and tactical measures.
Data Loss Vectors
Email/Social Networking: Email or IM messages could be intercepted and reveal confidential information.
Unencrypted Devices: If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data.
Cloud Storage Devices: Sensitive data can be lost if access to the cloud is compromised due to weak security settings.
Removable Media: One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.
Hard Copy: Confidential data should be shredded when no longer required.
Improper Access Control: Compromised or weak passwords can provide a threat actor with easy access to corporate data.
3.2 Threat Actors
The Hacker
Hacker is a common term used to describe a threat actor.
Hacker Types
White Hat Hackers: Ethical hackers who use their programming skills for good, ethical, and legal purposes. Report security vulnerabilities to developers.
Gray Hat Hackers: Individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. May disclose a vulnerability to the affected organization after compromising their network.
Black Hat Hackers: Unethical criminals who compromise computer and network security for personal gain, or for malicious reasons, such as attacking networks.
The Evolution of Hackers
Hacking Term and Description
Script Kiddies: Teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit.
Vulnerability Broker: Usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
Hacktivists: Gray hat hackers who publicly protest organizations or governments by posting articles, videos, leaking sensitive information, and performing network attacks.
Cyber criminals: Black hat hackers who are either self-employed or working for large cybercrime organizations.
State-Sponsored: White hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking.
Cyber Criminals
Cyber criminals steal billions of dollars from consumers and businesses.
They operate in an underground economy where they buy, sell, and trade attack toolkits, zero day exploit code, botnet services, banking Trojans, keyloggers, and much more.
They also buy and sell the private information and intellectual property they steal.
Cyber criminals target small businesses and consumers, as well as large enterprises and entire industries.
Hacktivists
Two examples of hacktivist groups are Anonymous and the Syrian Electronic Army.
Although most hacktivist groups are not well organized, they can cause significant problems for governments and businesses.
Hacktivists tend to rely on fairly basic, freely available tools.
State-Sponsored Hackers
State-sponsored hackers create advanced, customized attack code, often using previously undiscovered software vulnerabilities called zero-day vulnerabilities.
An example of a state-sponsored attack involves the Stuxnet malware that was created to damage Iran’s nuclear enrichment capabilities.
3.3 Threat Actor Tools
Introduction to Attack Tools
To exploit a vulnerability, a threat actor must have a technique or tool.
Attack tools have become more sophisticated and highly automated.
These new tools require less technical knowledge to implement.
Evolution of Security Tools
Penetration Testing Tool and Description
Password Crackers: Used to crack or recover passwords. Examples: John the Ripper, Ophcrack.
Wireless Hacking Tools: Used to intentionally hack into a wireless network to detect security vulnerabilities. Examples: Aircrack-ng, Kismet.
Network Scanning and Hacking Tools: Used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples: Nmap, SuperScan.
Packet Crafting Tools: Used to probe and test a firewall’s robustness using specially crafted forged packets. Examples: Hping, Scapy.
Packet Sniffers: Used to capture and analyze packets within traditional Ethernet LANs or WLANs. Examples: Wireshark, Tcpdump.
Rootkit Detectors: Directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter.
Fuzzers to Search Vulnerabilities: Tools used by threat actors to discover a computer’s security vulnerabilities. Examples: Skipfish, Wapiti.
Forensic Tools: Used by white hat hackers to sniff out any trace of evidence existing in a computer. Examples of tools include Sleuth Kit, Helix.
Debuggers: Tools used by black hats to reverse engineer binary files when writing exploits. Also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg.
Hacking Operating Systems: Specially designed operating systems preloaded with tools optimized for hacking. Examples: Kali Linux, BackBox Linux.
Encryption Tools: Use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data. Examples: VeraCrypt, OpenSSH.
Vulnerability Exploitation Tools: Identify whether a remote host is vulnerable to a security attack. Examples: Metasploit, Core Impact.
Vulnerability Scanners: Scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples: Nipper, Core Impact.
Attack Types
Eavesdropping Attack: When a threat actor captures and “listens” to network traffic. Also referred to as sniffing or snooping.
Data Modification Attack: If threat actors have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.
IP Address Spoofing Attack: A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
Password-Based Attacks: If threat actors discover a valid user account, the threat actors have the same rights as the real user. Threat actors could use that valid account to obtain lists of other users, network information, change server and network configurations, and modify, reroute, or delete data.
Denial of Service Attack: A DoS attack prevents normal use of a computer or network by valid users. A DoS attack can flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.
Man-in-the-Middle Attack: This attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
Compromised-Key Attack: If a threat actor obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
Sniffer Attack: A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet.
3.4 Malware
Overview of Malware
This topic introduces you to different types of malware that hackers use to gain access to end devices.
End devices are particularly prone to malware attacks.
It is important to know about malware because threat actors rely on users to install malware to help exploit the security gaps.
Viruses and Trojan Horses
The first and most common type of computer malware is a virus. Viruses require human action to propagate and infect other computers.
The virus hides by attaching itself to computer code, software, or documents on the computer. When opened, the virus executes and infects the computer.
Viruses can:
Alter, corrupt, delete files, or erase entire drives.
Cause computer booting issues, and corrupt applications.
Capture and send sensitive information to threat actors.
Access and use email accounts to spread.
Lay dormant until summoned by the threat actor.
Types of Viruses
Boot sector virus: Virus attacks the boot sector, file partition table, or file system.
Firmware viruses: Virus attacks the device firmware.
Macro virus: Virus uses the MS Office macro feature maliciously.
Program viruses: Virus inserts itself in another executable program.
Script viruses: Virus attacks the OS interpreter which is used to execute scripts.
Trojan Horses
Threat actors use Trojan horses to compromise hosts.
A Trojan horse is a program that looks useful but also carries malicious code.
Trojan horses are often provided with free online programs such as computer games.
Types of Trojan Horses:
Remote-access: Trojan horse enables unauthorized remote access.
Data-sending: Trojan horse provides the threat actor with sensitive data, such as passwords.
Destructive: Trojan horse corrupts or deletes files.
Proxy: Trojan horse will use the victim's computer as the source device to launch attacks and perform other illegal activities.
FTP: Trojan horse enables unauthorized file transfer services on end devices.
Security software disabler: Trojan horse stops antivirus programs or firewalls from functioning.
Denial of Service (DoS): Trojan horse slows or halts network activity.
Keylogger: Trojan horse actively attempts to steal confidential information, such as credit card numbers, by recording key strokes entered into a web form.
Other Types of Malware
Adware
Distributed by downloading online software.
Displays unsolicited advertising using pop-up web browser windows or new toolbars, or unexpectedly redirects a webpage to a different website.
Pop-up windows may be difficult to control because new windows can pop up faster than the user can close them.
Ransomware
Typically denies a user access to their files by encrypting the files and then displaying a message demanding a ransom for the decryption key.
Users without up-to-date backups must pay the ransom to decrypt their files.
Payment is usually made using wire transfer or cryptocurrencies such as Bitcoin.
Rootkit
Used by threat actors to gain administrator account-level access to a computer.
Very difficult to detect because they can alter firewall, antivirus protection, system files, and even OS commands to conceal their presence.
Provide a backdoor to threat actors giving them access to the PC, and allowing them to upload files and install new software to be used in a DDoS attack.
Special rootkit removal tools must be used to remove them, or a complete OS re-install may be required.
Spyware
Like adware, but used to gather information about the user and send it to threat actors without the user’s consent.
Can be a low threat, gathering browsing data, or it can be a high threat capturing personal and financial information.
Worm
A self-replicating program that propagates automatically without user actions by exploiting vulnerabilities in legitimate software.
Uses the network to search for other victims with the same vulnerability.
The intent of a worm is usually to slow or disrupt network operations.
3.5 Common Network Attacks
Overview of Common Network Attacks
When malware is delivered and installed, the payload can be used to cause a variety of network related attacks.
To mitigate attacks, it is useful to understand the types of attacks. By categorizing network attacks, it is possible to address types of attacks rather than individual attacks.
Networks are susceptible to the following types of attacks:
Reconnaissance Attacks
Access Attacks
DoS Attacks
Reconnaissance Attacks
Reconnaissance is information gathering.
Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks.
Techniques used by malicious threat actors to conduct reconnaissance attacks
Perform an information query of a target: The threat actor looks for initial information about a target using tools such as Google search, the organization's website, and whois.
Initiate a ping sweep of the target network: The information query usually reveals the target’s network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.
Initiate a port scan of active IP addresses: This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners: This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Core Impact, Nessus, SAINT, and OpenVAS.
Run exploitation tools: The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of these types of attacks is to gain entry to web accounts, confidential databases, and other sensitive information.
Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to escalate access privileges to administrator status.
Password Attacks: In a password attack, the threat actor attempts to discover critical system passwords using various methods. Password attacks are very common and can be launched using a variety of password cracking tools.
Spoofing Attacks: In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
Other access attacks: trust exploitation, port redirection, man-in-the-middle attacks, and buffer overflow attacks.
Social Engineering Attacks
Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. Some social engineering techniques are performed in-person while others may use the telephone or internet.
Social engineers often rely on people’s willingness to be helpful. They also prey on people’s weaknesses.
Social Engineering Attack Types
Pretexting: A threat actor pretends to need personal or financial data to confirm the identity of the recipient.
Phishing: A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.
Spear phishing: A threat actor creates a targeted phishing attack tailored for a specific individual or organization.
Spam: Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.
Something for Something: Sometimes called “Quid pro quo”, this is when a threat actor requests personal information from a party in exchange for something such as a gift.
Baiting: A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.
Impersonation: This type of attack is where a threat actor pretends to be someone they are not to gain the trust of a victim.
Tailgating: This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.
Shoulder surfing: This is where a threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.
Dumpster diving: This is where a threat actor rummages through trash bins to discover confidential documents.
The Social Engineering Toolkit (SET)
The Social Engineering Toolkit (SET) was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks.
Enterprises must educate their users about the risks of social engineering and develop strategies to validate identities over the phone, via email, or in person.
DoS and DDoS Attacks
A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications. There are two major types of DoS attacks:
Overwhelming Quantity of Traffic: The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.
Maliciously Formatted Packets: The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.
DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.
A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple, coordinated sources.
3.6 IP Vulnerabilities and Threats
IPv4 and IPv6
IP does not validate whether the source IP address contained in a packet actually came from that source. For this reason, threat actors can send packets using a spoofed source IP address. Security analysts must understand the different fields in both the IPv4 and IPv6 headers.
IP Attack Techniques
ICMP attacks: Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.
Amplification and reflection attacks: Threat actors attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks.
Address spoofing attacks: Threat actors spoof the source IP address in an IP packet to perform blind spoofing or non-blind spoofing.
Man-in-the-middle attack (MITM): Threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication. They could eavesdrop by inspecting captured packets, or alter packets and forward them to their original destination.
Session hijacking: Threat actors gain access to the physical network, and then use an MITM attack to hijack a session.
ICMP Attacks
Threat actors use ICMP for reconnaissance and scanning attacks. They can launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall. Threat actors also use ICMP for DoS attacks.
Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.
Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet. In the case of large networks, security devices such as firewalls and intrusion detection systems (IDS) detect such attacks and generate alerts to the security analysts.
ICMP Messages used by Hackers
ICMP echo request and echo reply: This is used to perform host verification and DoS attacks.
ICMP unreachable: This is used to perform network reconnaissance and scanning attacks.
ICMP mask reply: This is used to map an internal IP network.
ICMP redirects: This is used to lure a target host into sending all traffic through a compromised device and create a MITM attack.
ICMP router discovery: This is used to inject bogus route entries into the routing table of a target host.
Amplification and Reflection Attacks
Threat actors often use amplification and reflection techniques to create DoS attacks.
Threat actors also use resource exhaustion attacks either to crash a target host or to consume the resources of a network.
Address Spoofing Attacks
IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user. Spoofing is usually incorporated into another attack such as a Smurf attack.
Spoofing attacks can be non-blind or blind:
Non-blind spoofing: The threat actor can see the traffic that is being sent between the host and the target. Non-blind spoofing is used to determine the state of a firewall and to predict sequence numbers. It can also hijack an authorized session.
Blind spoofing: The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.
MAC address spoofing attacks are used when threat actors have access to the internal network. Threat actors alter the MAC address of their host to match another known MAC address of a target host.
3.7 TCP and UDP Vulnerabilities
TCP Segment Header
TCP segment information appears immediately after the IP header.
The following are the six control bits of the TCP segment:
URG - Urgent pointer field significant
ACK - Acknowledgment field significant
PSH - Push function
RST - Reset the connection
SYN - Synchronize sequence numbers
FIN - No more data from sender
TCP Services
Reliable delivery: TCP incorporates acknowledgments to guarantee delivery. If a timely acknowledgment is not received, the sender retransmits the data. Requiring acknowledgments of received data can cause substantial delays. Examples of application layer protocols that make use of TCP reliability include HTTP, SSL/TLS, FTP, DNS zone transfers, and others.
Flow control: TCP implements flow control to address the delay caused by acknowledgments. Rather than acknowledging one segment at a time, multiple segments can be acknowledged with a single acknowledgment segment.
Stateful communication: TCP stateful communication between two parties occurs during the TCP three-way handshake.
TCP attacks
TCP SYN Flood Attack
The threat actor sends multiple SYN requests to a web server.
The web server replies with SYN-ACKs for each SYN request and waits to complete the three-way handshake. The threat actor does not respond to the SYN-ACKs.
A valid user cannot access the web server because the web server has too many half-open TCP connections.
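Added example (not part of the module's own materials): a Python snippet that decodes the six TCP control bits listed above from the header's flags byte, then replays a constructed set of segments to count half-open connections per server, which is the condition a SYN flood creates. The segment record format, the addresses and the alert threshold of 50 are assumptions for illustration.

```python
from collections import defaultdict

# Bit values of the six control bits in the TCP header flags byte
# (CWR and ECE, the two higher bits, are not among the six listed above).
TCP_FLAG_BITS = {
    "URG": 0x20,  # Urgent pointer field significant
    "ACK": 0x10,  # Acknowledgment field significant
    "PSH": 0x08,  # Push function
    "RST": 0x04,  # Reset the connection
    "SYN": 0x02,  # Synchronize sequence numbers
    "FIN": 0x01,  # No more data from sender
}


def decode_flags(flags_byte):
    """Return the set of control-bit names that are set in a TCP flags byte."""
    return {name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit}


def track_half_open(segments):
    """Replay (src_ip, dst_ip, sport, dport, flags_byte) records.

    A connection is half-open once the server has answered a SYN with a
    SYN-ACK and the client has not yet sent the final ACK (or torn it down
    with RST/FIN). Returns {server_ip: number of half-open connections}.
    """
    # (client_ip, server_ip, server_port) -> "syn" | "synack" | "established" | "closed"
    state = {}
    for src, dst, sport, dport, flags_byte in segments:
        flags = decode_flags(flags_byte)
        if "SYN" in flags and "ACK" not in flags:
            state[(src, dst, dport)] = "syn"            # step 1 of the handshake
        elif "SYN" in flags and "ACK" in flags:
            key = (dst, src, sport)                     # server replies, so swap sides
            if state.get(key) == "syn":
                state[key] = "synack"                   # step 2: now half-open
        elif "RST" in flags or "FIN" in flags:
            for key in ((src, dst, dport), (dst, src, sport)):
                if key in state:
                    state[key] = "closed"
        elif "ACK" in flags:
            key = (src, dst, dport)
            if state.get(key) == "synack":
                state[key] = "established"              # step 3 completes it
    half_open = defaultdict(int)
    for (_client, server, _port), st in state.items():
        if st == "synack":
            half_open[server] += 1
    return dict(half_open)


def syn_flood_alerts(segments, threshold=50):
    """Servers whose half-open backlog exceeds the (assumed) threshold."""
    return sorted(server for server, n in track_half_open(segments).items() if n > threshold)


def build_sample():
    """Constructed traffic: one complete handshake plus 100 spoofed SYNs that
    the server answers but that are never acknowledged."""
    server = "192.0.2.10"
    segs = [
        ("10.0.0.5", server, 40001, 80, 0x02),   # legitimate client: SYN
        (server, "10.0.0.5", 80, 40001, 0x12),   # server: SYN-ACK
        ("10.0.0.5", server, 40001, 80, 0x10),   # client: ACK, established
    ]
    for i in range(100):
        spoofed = "203.0.113.%d" % (i + 1)       # spoofed source address
        segs.append((spoofed, server, 50000 + i, 80, 0x02))   # SYN
        segs.append((server, spoofed, 80, 50000 + i, 0x12))   # SYN-ACK, no ACK follows
    return segs


if __name__ == "__main__":
    sample = build_sample()
    print(track_half_open(sample), syn_flood_alerts(sample))
```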
Terminating a TCP session uses the following four-way exchange process:
When the client has no more data to send in the stream, it sends a segment with the FIN flag set.
The server sends an ACK to acknowledge the receipt of the FIN to terminate the session from client to server.
The server sends a FIN to the client to terminate the server-to-client session.
The client responds with an ACK to acknowledge the FIN from the server.
A threat actor could do a TCP reset attack and send a spoofed packet containing a TCP RST to one or both endpoints.
TCP session hijacking
Although difficult to conduct, a threat actor takes over an already-authenticated host as it communicates with the target. The threat actor must spoof the IP address of one host, predict the next sequence number, and send an ACK to the other host. If successful, the threat actor could send, but not receive, data from the target device.
UDP Segment Header and Operation
UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications such as media streaming or VoIP. UDP is a connectionless transport layer protocol. It has much lower overhead than TCP because it is not connection-oriented and does not offer the sophisticated retransmission, sequencing, and flow control mechanisms that provide reliability.
These reliability functions are not provided by the transport layer protocol and must be implemented elsewhere if required.
The low overhead of UDP makes it very desirable for protocols that make simple request and reply transactions.
UDP attacks
UDP is not protected by any encryption. You can add encryption to UDP, but it is not available by default. The lack of encryption means that anyone can see the traffic, change it, and send it on to its destination.
UDP Flood Attacks
The threat actor uses a tool like UDP Unicorn or Low Orbit Ion Cannon. These tools send a flood of UDP packets, often from a spoofed host, to a server on the subnet. The program will sweep through all the known ports trying to find closed ports. This will cause the server to reply with an ICMP port unreachable message. Because there are many closed ports on the server, this creates a lot of traffic on the segment, which uses up most of the bandwidth. The result is very similar to a DoS attack.
3.8 IP Services
ARP Vulnerabilities
Hosts broadcast an ARP Request to other hosts on the segment to determine the MAC address of a host with a particular IP address. The host with the matching IP address in the ARP Request sends an ARP Reply.
Any client can send an unsolicited ARP Reply called a “gratuitous ARP.” When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables.
This feature of ARP also means that any host can claim to be the owner of any IP or MAC. A threat actor can poison the ARP cache of devices on the local network, creating an MITM attack to redirect traffic.
ARP Cache Poisoning
ARP cache poisoning can be used to launch various man-in-the-middle attacks.
PC-A requires the MAC address of its default gateway (R1); therefore, it sends an ARP Request for the MAC address of 192.168.10.1.
R1 updates its ARP cache with the IP and MAC addresses of PC-A. R1 sends an ARP Reply to PC-A, which then updates its ARP cache with the IP and MAC addresses of R1.
The threat actor sends two spoofed gratuitous ARP Replies using its own MAC address for the indicated destination IP addresses. PC-A updates its ARP cache with its default gateway which is now pointing to the threat actor’s host MAC address. R1 also updates its ARP cache with the IP address of PC-A pointing to the threat actor’s MAC address. The ARP poisoning attack can be passive or active.
Passive ARP poisoning is where threat actors steal confidential information.
Active ARP poisoning is where threat actors modify data in transit or inject malicious data.
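Added example (not part of the module's own materials): an arpwatch-style monitor in Python that replays constructed ARP Reply records from the PC-A/R1 scenario above and flags the traces cache poisoning leaves on the segment, namely an IP whose MAC binding flips and one MAC claiming several IPs. The MAC addresses, the record format and the optional pinned-binding table are assumptions.

```python
GATEWAY_IP = "192.168.10.1"          # R1, the default gateway in the scenario
PCA_IP = "192.168.10.10"             # PC-A (address assumed)
R1_MAC = "00:00:0c:11:11:11"         # constructed
PCA_MAC = "00:50:56:aa:aa:aa"        # constructed
ATTACKER_MAC = "00:50:56:ee:ee:ee"   # constructed

# Constructed ARP Reply records as (sender_ip, sender_mac, target_ip).
SAMPLE_REPLIES = [
    (GATEWAY_IP, R1_MAC, PCA_IP),        # R1 answers PC-A's ARP Request
    (PCA_IP, PCA_MAC, GATEWAY_IP),       # PC-A answers R1
    (GATEWAY_IP, ATTACKER_MAC, PCA_IP),  # spoofed reply: "R1 is at the attacker's MAC"
    (PCA_IP, ATTACKER_MAC, GATEWAY_IP),  # spoofed reply: "PC-A is at the attacker's MAC"
]


def monitor_arp(replies, trusted=None):
    """Replay ARP Replies and return a list of alert tuples.

    trusted: optional {ip: mac} of pinned bindings (for example the gateway),
    which are never overwritten by what is seen on the wire.
    Alert kinds:
      ("binding-flip", ip, old_mac, new_mac)      an IP changed MAC
      ("pinned-conflict", ip, pinned_mac, seen_mac) a reply contradicts a pinned entry
      ("mac-claims-multiple-ips", mac, [ips])     one MAC answers for several IPs
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    bindings = dict(trusted)   # ip -> mac the hosts' caches currently hold
    ips_by_mac = {}            # mac -> set of IPs it has claimed
    alerts = []
    for sender_ip, sender_mac, _target_ip in replies:
        sender_mac = sender_mac.lower()
        known = bindings.get(sender_ip)
        if known is not None and known != sender_mac:
            kind = "pinned-conflict" if sender_ip in trusted else "binding-flip"
            alerts.append((kind, sender_ip, known, sender_mac))
        if sender_ip not in trusted:
            bindings[sender_ip] = sender_mac   # mirror what a poisoned cache would learn
        seen = ips_by_mac.setdefault(sender_mac, set())
        if sender_ip not in seen:
            seen.add(sender_ip)
            if len(seen) > 1:   # legitimate multi-homed hosts exist; treat as a lead, not proof
                alerts.append(("mac-claims-multiple-ips", sender_mac, sorted(seen)))
    return alerts


def alert_kinds(replies, trusted=None):
    """Just the alert kinds, in the order they fired."""
    return [a[0] for a in monitor_arp(replies, trusted)]


if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_REPLIES, trusted={GATEWAY_IP: R1_MAC}):
        print(alert)
```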
DNS Attacks
The Domain Name Service (DNS) protocol defines an automated service that matches resource names, such as www.cisco.com, with the required numeric network address, such as the IPv4 or IPv6 address. It includes the format for queries, responses, and data and uses resource records (RR) to identify the type of DNS response.
Securing DNS is often overlooked. However, it is crucial to the operation of a network and should be secured accordingly.
DNS attacks include the following:
DNS open resolver attacks
DNS stealth attacks
DNS domain shadowing attacks
DNS tunneling attacks
DNS Open Resolver Attacks:
A DNS open resolver answers queries from clients outside of its administrative domain. DNS open resolvers are vulnerable to multiple malicious activities described in the table.
DNS Resolver Vulnerabilities
DNS cache poisoning attacks: Threat actors send spoofed, falsified resource record (RR) information to a DNS resolver to redirect users from legitimate sites to malicious sites. DNS cache poisoning attacks can also be used to direct the DNS resolver to a malicious name server that is providing RR information for malicious activities.
DNS amplification and reflection attacks: Threat actors use DoS or DDoS attacks on DNS open resolvers to increase the volume of attacks and to hide the true source of an attack. Threat actors send DNS messages to the open resolvers using the IP address of a target host. These attacks are possible because the open resolver will respond to queries from anyone asking a question.
DNS resource utilization attacks: A DoS attack that consumes the resources of the DNS open resolvers. This DoS attack consumes all the available resources to negatively affect the operations of the DNS open resolver. The impact of this DoS attack may require the DNS open resolver to be rebooted or services to be stopped and restarted.
DNS Stealth Attacks:
To hide their identity, threat actors also use the DNS stealth techniques described in the table to carry out their attacks.
DNS Stealth Techniques
Fast Flux: Threat actors use this technique to hide their phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts. The DNS IP addresses are continuously changed within minutes. Botnets often employ Fast Flux techniques to effectively hide malicious servers from being detected.
Double IP Flux: Threat actors use this technique to rapidly change the hostname to IP address mappings and to also change the authoritative name server. This increases the difficulty of identifying the source of the attack.
Domain Generation Algorithms: Threat actors use this technique in malware to randomly generate domain names that can then be used as rendezvous points to their command and control (C&C) servers.
DNS Domain Shadowing Attacks:
Domain shadowing involves the threat actor gathering domain account credentials in order to silently create multiple sub-domains to be used during the attacks. These subdomains typically point to malicious servers without alerting the actual owner of the parent domain.
DNS Tunneling
Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often circumvents security solutions when a threat actor wishes to communicate with bots inside a protected network, or exfiltrate data from the organization. This is how DNS tunneling works for CnC commands sent to a botnet:
The command data is split into multiple encoded chunks.
Each chunk is placed into a lower-level domain name label of the DNS query.
Because the local or internal DNS servers have no record matching the query, the request is sent to the ISP’s recursive DNS servers.
The recursive DNS service will forward the query to the threat actor’s authoritative name server.
The process is repeated until all the queries containing the chunks of command data are sent.
When the threat actor’s authoritative name server receives the DNS queries from the infected devices, it sends responses for each DNS query, which contain the encapsulated, encoded CnC commands.
The malware on the compromised host recombines the chunks and executes the commands hidden within the DNS record.
To stop DNS tunneling, the network administrator must use a filter that inspects DNS traffic. Pay close attention to DNS queries that are longer than average, or those that have a suspicious domain name.
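The filtering described above can be approximated with a few heuristics over DNS query logs. The following is an added example, not course material: it scores each query by leftmost-label length, total name length, label entropy and record type, and flags a query when at least two signals agree. The log format, thresholds and domain names are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS query log lines (not real traffic): "<client> <qname> <qtype>"
SAMPLE_QUERIES = [
    "10.1.1.5 www.example.com A",
    "10.1.1.5 mail.example.com MX",
    "10.1.1.9 3q2b8z7x1k9m4c6v5n2h8j7l0p9o3i.tunnel.example.net TXT",
    "10.1.1.9 a8f3e1c9b7d2e4f6a1b3c5d7e9f0a2b4c6d8e0f2.tunnel.example.net TXT",
    "10.1.1.7 cdn.example.org A",
]

# Assumed thresholds; tune them against the baseline of your own resolver logs.
MAX_LABEL_LEN = 30            # leftmost label longer than this is unusual for a hostname
MAX_NAME_LEN = 52             # whole query name longer than this is unusual
MIN_ENTROPY = 3.5             # Shannon entropy (bits/char) of the leftmost label
SUSPICIOUS_QTYPES = {"TXT", "NULL"}  # record types whose answers can carry arbitrary data


def shannon_entropy(s):
    """Bits of entropy per character; encoded chunks look random, hostnames do not."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_query(qname, qtype):
    """Return the list of tunneling indicators for one query (empty if none)."""
    reasons = []
    leftmost = qname.rstrip(".").split(".")[0]   # the label that would carry a chunk
    if len(leftmost) > MAX_LABEL_LEN:
        reasons.append("long-label")
    if len(qname) > MAX_NAME_LEN:
        reasons.append("long-name")
    if shannon_entropy(leftmost) > MIN_ENTROPY:
        reasons.append("high-entropy")
    if qtype in SUSPICIOUS_QTYPES:
        reasons.append("qtype-" + qtype)
    return reasons


def find_suspicious(lines):
    """Parse log lines and return (client, qname, reasons) for queries with >= 2 indicators."""
    flagged = []
    for line in lines:
        client, qname, qtype = line.split()
        reasons = score_query(qname, qtype)
        if len(reasons) >= 2:        # require two signals to limit false positives
            flagged.append((client, qname, reasons))
    return flagged
```

Requiring two indicators keeps a single long CDN hostname or a legitimate TXT lookup (SPF, DKIM) from firing on its own; the repeated flagging of one client is the signal worth escalating.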
DHCP
DHCP servers dynamically provide IP configuration information to clients.
In the figure, a client broadcasts a DHCP discover message. The DHCP server responds with a unicast offer that includes addressing information the client can use. The client broadcasts a DHCP request to tell the server that the client accepts the offer. The server responds with a unicast acknowledgment accepting the request.
DHCP Attacks
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:
Wrong default gateway - Threat actor provides an invalid gateway, or the IP address of its host to create a MITM attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
Wrong DNS server - Threat actor provides an incorrect DNS server address pointing the user to a malicious website.
Wrong IP address - Threat actor provides an invalid IP address, invalid default gateway IP address, or both. The threat actor then creates a DoS attack on the DHCP client.
DHCP Attacks Cont.
Assume a threat actor has successfully connected a rogue DHCP server to a switch port on the same subnet as the target clients. The goal of the rogue server is to provide clients with false IP configuration information.
The client broadcasts a DHCP Discover message. This message requests a DHCP server to provide IP addressing information.
The rogue DHCP server receives the DHCP Discover message. Because it’s a rogue, it responds before the authorized (real) DHCP server with a DHCP Offer. It is offering the client an IP address, subnet mask, default gateway, and DNS server IP address. However, the values are false and under the control of the threat actor.
The client receives the false DHCP Offer and sends a DHCP Request to accept the offered parameters. This is an attempt to lease the rogue IP address.
The rogue DHCP server receives the DHCP Request. It then sends a DHCP ACK, acknowledging the request and finalizing the rogue IP address lease. The client is now at the mercy of the threat actor and is vulnerable to a variety of attacks on the network. These attacks can be a DoS attack, a MITM attack, or the redirection of the client to a malicious website.
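A defender watching the exchange above can audit the DHCP Offers seen on a segment against the known-good server and addressing plan. This is an added example, not course material: each offer is checked for an unauthorized server, a wrong offered address, a wrong default gateway and a wrong DNS server, and each finding is mapped to the outcome the text describes. The log format, addresses and policy values are constructed assumptions.

```python
import ipaddress

# Assumed policy for the monitored subnet (constructed values, not from the course):
AUTHORIZED_SERVERS = {"192.168.10.1"}
EXPECTED_SUBNET = ipaddress.ip_network("192.168.10.0/24")
EXPECTED_GATEWAY = "192.168.10.1"
EXPECTED_DNS = {"192.168.10.1", "192.168.10.2"}

# What each false parameter exposes the client to, per the attack description.
IMPACT = {
    "unauthorized-server": "rogue DHCP server present",
    "wrong-ip": "DoS (client cannot reach the network)",
    "wrong-gateway": "MITM or DoS (traffic sent to the threat actor's host)",
    "wrong-dns": "redirection to malicious websites",
}

# Constructed DHCP Offer records as a sensor might log them:
# "<server_ip> <offered_ip> <router option> <dns option>"
SAMPLE_OFFERS = [
    "192.168.10.1 192.168.10.50 192.168.10.1 192.168.10.2",
    "192.168.10.77 192.168.10.51 192.168.10.77 192.168.10.77",
    "192.168.10.77 10.9.9.9 10.9.9.1 192.168.10.2",
]


def check_offer(server, offered, router, dns):
    """Return the list of policy violations for one DHCP Offer (empty if it is legitimate)."""
    reasons = []
    if server not in AUTHORIZED_SERVERS:
        reasons.append("unauthorized-server")
    if ipaddress.ip_address(offered) not in EXPECTED_SUBNET:
        reasons.append("wrong-ip")
    if router != EXPECTED_GATEWAY:
        reasons.append("wrong-gateway")
    if dns not in EXPECTED_DNS:
        reasons.append("wrong-dns")
    return reasons


def audit_offers(lines):
    """Parse offer log lines; return (server, reasons, impacts) for every offer that violates policy."""
    findings = []
    for line in lines:
        server, offered, router, dns = line.split()
        reasons = check_offer(server, offered, router, dns)
        if reasons:
            findings.append((server, reasons, [IMPACT[r] for r in reasons]))
    return findings
```

On a switch the same policy is enforced in-line by DHCP snooping, which only trusts offers arriving on the port that leads to the authorized server; this script is the audit view of the same decision.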
3.9 Network Security Best Practices
Physical Security
Limit access to devices that provide network access.
Secure wires in conduits.
Video surveillance.
Alarm systems on doors and windows to help deter unauthorized entry.
Security guards.
Secure all wireless access points.
Administrative Security
Develop strict password policies.
Perform frequent security audits.
Always encrypt sensitive data in transit and at rest.
Technical Security
Implement firewalls to filter traffic.
Implement intrusion detection systems (IDS) and intrusion prevention systems (IPS).
Implement network segmentation to isolate critical assets.
Configure AAA (Authentication, Authorization, and Accounting) to control network access.
Implement port security to restrict access to switch ports.
Use anti-malware software and keep it updated.
Implement network monitoring tools to detect anomalies.
Network Segmentation
Security zones divide access to the network based on user roles.
Access control lists (ACLs) control the traffic between security zones.
Security zones are based on the following three zone types:
The Enterprise Edge Zone: The enterprise edge zone includes devices that provide remote access to internal corporate network resources. Devices in the enterprise edge zone include VPN servers, remote access servers, and internet-facing web servers.
The Corporate Zone: The corporate zone is the core of the corporate network. Most internal users and servers reside in the corporate zone. The corporate zone may be further segmented using VLANs.
The DMZ Zone: The DMZ is a security design which isolates servers from both the internet and the internal network. The DMZ is a buffer zone between the internet, where no access control exists, and the internal network, where strict access control is implemented. Examples of servers located in the DMZ include email, web, and DNS. Firewall rules are configured to permit access to these servers from the internet. The DMZ decreases the possibility that internal network devices (such as file servers and internal databases) are directly exposed to outside threat actors.
Microsegmentation is a network security technique of creating secure zones in data centers and cloud deployments which allows organizations to isolate workloads and limit the impact of successful attacks.
Firewall Configuration
A firewall is used to isolate an organization's internal network from the internet. A firewall examines network traffic passing through it, and permits or denies traffic based on a preconfigured rule set. Firewalls are a front line of defense in network security and are available as hardware or software.
Firewalls can be configured to address several security requirements in the network including:
Traffic Filtering: ACLs permit or deny traffic based on source and destination IP address, protocol, and port number. Example: Allow only traffic from the internal network to the internet on port 80 (HTTP) and port 443 (HTTPS).
Network Address Translation (NAT): NAT is not only used to conserve public IP addresses, but also hides the internal IP addressing scheme from the outside world.
VPN Termination: Most firewalls can act as a VPN server for remote access and site-to-site VPNs, and can provide encryption between sites.
Stateful Packet Inspection (SPI): Modern firewalls must perform SPI to ensure only legitimate traffic is allowed into the network. SPI firewalls examine each packet entering or leaving the network and compare it to an approved list of characteristics.
Intrusion Detection and Prevention Systems
An intrusion detection system (IDS) passively monitors traffic on a network. When a threat is identified, the IDS sends an alert to the administrator to investigate. An IDS is similar to a burglar alarm.
An intrusion prevention system (IPS) actively monitors traffic on a network. When a threat is identified, the IPS takes action to prevent the attack from continuing. An IPS is similar to an alarm that automatically calls the police.
IDS and IPS can be:
Network Based: Network-based systems monitor traffic passing through the network. They compare this traffic to a database of known attacks. If an attack or suspicious traffic is detected, an alert is sent to the administrator.
Host Based: Host-based systems run on individual devices. They monitor traffic coming in and out of the device. If an attack or suspicious traffic is detected, an alert is sent to the administrator.
Signature Based: Signature-based systems compare traffic to a database of known attacks. If a match is found, an alert is sent to the administrator.
Anomaly Based: Anomaly-based systems compare traffic patterns to a baseline of normal behavior. If traffic patterns deviate significantly from the baseline, an alert is sent to the administrator.
AAA Implementation
AAA (authentication, authorization, and accounting) is a framework for controlling access to network resources. AAA provides a way to:
Authenticate users (verify who they are).
Authorize users (grant them access to specific resources).
Account for user activity (track what they do on the network).
Port Security
Port security limits the number of valid MAC addresses allowed on a port. By default, a switch port dynamically learns MAC addresses and adds them to the MAC address table.
Port security can be configured in one of the following modes:
Static: Manually configure MAC addresses for a port.
Dynamic: The switch dynamically learns and adds MAC addresses to the MAC address table.
Sticky: The switch dynamically learns MAC addresses and saves them to the running configuration.
Antimalware Software
Anti-malware software is used to:
Prevent malware from being installed on a device.
Scan a device for malware.
Remove malware from a device.
Keep device software updated.
3.10 Cryptography
Cryptography is the science of concealing information.
Plaintext is the original message that is easy for humans to read. Ciphertext is the scrambled message that is the result of applying an algorithm to the plaintext.
Encryption is the process of converting plaintext into ciphertext. Decryption is the process of converting ciphertext back into plaintext.
Encryption Algorithms
Symmetric Encryption Algorithms: Use the same key to encrypt and decrypt data. Examples: DES, 3DES, AES.
Asymmetric Encryption Algorithms: Use two different keys (public and private) to encrypt and decrypt data. Examples: RSA, DSA, Diffie-Hellman, ECC.
Hashing Algorithms
Hashing Algorithms: Provide integrity by creating a one-way hash of the data. Examples: MD5, SHA-1, SHA-2, SHA-3.
Digital Signatures
Digital signatures are used to provide authentication, integrity, and non-repudiation.
Digital Certificates
Digital certificates are used to verify the identity of a website or server. They are issued by a Certificate Authority (CA) and contain the public key of the website or server.
VPN Encryption
VPNs use encryption to provide secure communication between two devices. VPNs can be used for remote access or site-to-site connections.