DACS 2201 - Networking Threats and Defenses

Learning Objectives

  • Describe the OSI networking model in detail.
  • Explain various types of networking-based attacks, including interception and Layer 2 attacks.
  • List the physical security defenses used to deter and delay attackers, covering external, internal, and hardware categories.
  • Explain the inherent limitations of physical security defenses.

Networking Review - The OSI Model

  • The Open Systems Interconnection (OSI) model is a conceptual framework that describes how dissimilar computers connect on a network.
  • It separates networking steps into a series of 7 distinct layers.
  • Each layer performs a specific task and passes control to the next layer sequentially.
  • Protocols are situated within these layers to define how data is formatted and moved from one layer to another.
  • Headers: A protocol often adds its own control information in an area at the beginning of the payload called a header.
  • Layer Addresses:
    • Transport Layer: Addresses messages using port numbers that reference the sending/receiving application.
    • Network Layer: Addresses messages using IP (Internet Protocol) addresses.
    • Data Link Layer: Addresses messages using MAC addresses.
    • Media Access Control (MAC) Address: Also referred to as the physical address.

Networking Review - Journey of a Message

  • A message journey begins when it is created by an application; for example, a web browser generating an HTTP request.
  • Encapsulation Process: The message moves down from one layer to the next in the sending device. Each protocol encapsulates the payload within a header and sometimes a trailer:
    • Layer 4 (Transport Layer): Adds a TCP header containing the sender and receiver port numbers. The unit of data here is called a Segment or Datagram.
    • Layer 3 (Network Layer): Adds an IP header containing the sender and receiver IP addresses. The unit of data is called a Packet.
    • Layer 2 (Data Link Layer): Adds a header and a trailer containing the sender and receiver MAC addresses. The unit of data is called a Frame.
    • Layer 1 (Physical Layer): The data is converted to signals for transmission across the medium.
  • Network Devices:
    • Switches: These are typical Layer 2 devices. They decapsulate the message to inspect MAC addresses and forward the frame to the recipient identified by the destination MAC address.
    • Routers: These are typical Layer 3 devices. They decapsulate the message to inspect IP addresses and forward the packet to the recipient identified by the destination IP address.
  • Recipient Decapsulation: When the message reaches the destination device, the Operating System (OS) decapsulates the message to look at the port number, forwarding it to the intended application (e.g., a web server application).
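The encapsulation and decapsulation walk above, as an added Python example (not part of the original notes). It builds a browser request down the stack, then shows which header each device actually reads: the switch only the destination MAC, the router only the destination IP, the receiving OS the port. The header layouts are deliberately simplified teaching stand-ins, not the real TCP, IPv4 or Ethernet formats, and every address is a constructed documentation-range value.

```python
import struct
import zlib

# Constructed sample values: documentation IP ranges and locally administered MACs.
CLIENT_MAC = bytes.fromhex("02000000aa01")
GATEWAY_MAC = bytes.fromhex("02000000bb01")
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.20"
CLIENT_PORT = 51000
HTTP_PORT = 80
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

LINK_HDR = 14   # dst MAC (6) + src MAC (6) + EtherType (2)
LINK_TRL = 4    # CRC-32 frame check sequence (the Layer 2 trailer)
NET_HDR = 9     # protocol (1) + src IP (4) + dst IP (4)   (simplified, not real IPv4)
TRANS_HDR = 4   # src port (2) + dst port (2)              (simplified, not real TCP)


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def encapsulate_transport(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4: prepend the port pair; the result is a segment."""
    return struct.pack("!HH", src_port, dst_port) + payload


def encapsulate_network(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Layer 3: prepend protocol number and IP pair; the result is a packet."""
    return struct.pack("!B", PROTO_TCP) + ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + segment


def encapsulate_link(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2: add a header (MACs, EtherType) and a trailer (checksum); the result is a frame."""
    header = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    trailer = struct.pack("!I", zlib.crc32(header + packet))
    return header + packet + trailer


def build_http_frame() -> bytes:
    """The browser's request travels down the stack: payload -> segment -> packet -> frame."""
    payload = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    segment = encapsulate_transport(payload, CLIENT_PORT, HTTP_PORT)
    packet = encapsulate_network(segment, CLIENT_IP, SERVER_IP)
    # The server is off-subnet, so the frame is addressed to the gateway's MAC.
    return encapsulate_link(packet, CLIENT_MAC, GATEWAY_MAC)


def switch_forward(frame: bytes, mac_table: dict) -> str:
    """A Layer 2 switch reads only the destination MAC to choose an egress port.
    A destination it has not learned yet is flooded out every port."""
    dst_mac = frame[0:6]
    return mac_table.get(dst_mac, "flood-all-ports")


def router_next_hop(frame: bytes, routes: dict) -> str:
    """A Layer 3 router strips the frame, reads the destination IP and picks a route.
    The constructed route table is keyed by /24 prefix for simplicity."""
    packet = frame[LINK_HDR:-LINK_TRL]
    dst_ip = bytes_to_ip(packet[5:9])
    prefix = ".".join(dst_ip.split(".")[:3]) + ".0/24"
    return routes.get(prefix, "default-route")


def host_deliver(frame: bytes) -> tuple:
    """The receiving OS checks the trailer, strips each header in turn and hands the
    payload to whatever application listens on the destination port."""
    expected_fcs = struct.unpack("!I", frame[-LINK_TRL:])[0]
    if zlib.crc32(frame[:-LINK_TRL]) != expected_fcs:
        raise ValueError("frame check sequence mismatch; frame discarded")
    packet = frame[LINK_HDR:-LINK_TRL]
    if packet[0] != PROTO_TCP:
        raise ValueError("unexpected transport protocol")
    segment = packet[NET_HDR:]
    _src_port, dst_port = struct.unpack("!HH", segment[:TRANS_HDR])
    return dst_port, segment[TRANS_HDR:]


if __name__ == "__main__":
    frame = build_http_frame()
    print("switch egress:", switch_forward(frame, {GATEWAY_MAC: "port 24"}))
    print("router next hop:", router_next_hop(frame, {"198.51.100.0/24": "eth1"}))
    print("delivered to port, payload:", host_deliver(frame))
```

Note that each device slices only as deep as its layer: the switch never looks past byte 6, and the router never looks at ports. That is why the Layer 2 attacks later in these notes work at all: a switch trusts the MAC addresses it sees and has no view of the layers above them.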

Attacks on Networks

  • Networks are constant targets for threat actors because exploiting a single network vulnerability can potentially expose hundreds or thousands of connected devices.
  • Major categories of network attacks include:
    • Interception attacks
    • Layer 2 attacks
    • DNS attacks
    • Distributed Denial of Service (DDoS) attacks

Interception Attacks

  • Man-in-the-Middle (MITM) Attack:
    • A threat actor positions themselves in the communication stream between two parties.
    • The goal is to eavesdrop on conversations or impersonate one of the parties.
    • MITM attacks can be passive (reading data) or active (altering data).
    • There are two primary phases:
      1. Intercepting the traffic.
      2. Decrypting the transmissions to allow the attacker to read the data.
  • Session Replay Attack:
    • Similar to MITM, but the actor makes a copy of the transmission before sending it to the recipient. This copy is used to replay the transmission later.
    • Example: Capturing logon credentials to use for unauthorized login at a later time.
    • Session ID Replay: The attacker captures a Session ID to impersonate a user. A Session ID is a unique number assigned by a web server to a user for the duration of a visit (session).
    • Techniques for stealing Session IDs:
      • Network attacks (using MITM to hijack communications).
      • Endpoint attacks (using Trojans, cross-site scripting (XSS), and other malicious JavaScript).
  • Man-in-the-Browser (MITB) Attack:
    • Typically begins with the installation of a Trojan browser extension.
    • The extension provides a valid function, so the user does not recognize it as malicious.
    • It waits for the user to visit specific webpages (e.g., a financial institution).
    • When the user enters data (account numbers, passwords) and clicks "Submit," the extension captures all field data from the form.
    • The software may modify data in real-time, such as changing a money transfer destination.
    • MITB software is hard to detect by standard antimalware because it resides exclusively within the web browser and may remain dormant for months.

Layer 2 Attacks

  • Address Resolution Protocol (ARP) Poisoning:
    • ARP maps logical IP addresses to physical MAC addresses.
    • If a sender knows the IP but not the MAC, it broadcasts an ARP request. The receiver replies with its MAC, which is stored in an ARP cache.
    • In poisoning, the attacker impersonates the receiver and sends their own MAC address, tricking the sender into directing all future messages to the attacker.
  • MAC Cloning:
    • A threat actor discovers the valid MAC address of a device connected to a switch.
    • The attacker spoofs this MAC address on their own device and sends a packet to the switch.
    • The switch updates its table to associate that MAC address with the attacker's port.
    • Packets intended for the victim are then routed to the attacker.
  • MAC Flooding:
    • The attacker overflows the switch with Ethernet frames containing different spoofed MAC addresses.
    • This quickly exhausts the switch's memory for the MAC address table.
    • The switch then enters a fail-open mode, where it broadcasts frames to all ports, allowing the attacker to sniff all network traffic.
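A defender-side view of the three Layer 2 attacks above, as an added Python example (not from the original notes): a monitor that learns IP-to-MAC and MAC-to-port bindings from observed ARP replies and flags the two patterns these attacks leave (an IP suddenly answered by a second MAC, and a MAC that appears on a second switch port), plus a per-port count of distinct source MACs, which is the idea behind switch port-security limits that prevent table exhaustion. All ports, addresses and events are constructed sample data.

```python
from collections import defaultdict

# Constructed ARP reply observations: (switch_port, sender_ip, sender_mac).
# Addresses are documentation-range / locally administered values, not real hosts.
ARP_REPLIES = [
    ("Gi1/0/1", "192.0.2.1", "02:00:00:00:aa:01"),   # gateway answers for itself
    ("Gi1/0/2", "192.0.2.10", "02:00:00:00:aa:10"),  # an ordinary workstation
    ("Gi1/0/7", "192.0.2.1", "02:00:00:00:cc:99"),   # gateway IP claimed by a different MAC (poisoning pattern)
    ("Gi1/0/7", "192.0.2.10", "02:00:00:00:aa:10"),  # workstation MAC now seen on a second port (cloning pattern)
]


def detect_arp_anomalies(replies):
    """Learn bindings from ARP replies and report conflicts.

    The first binding seen is treated as trusted and is not overwritten, so a
    later conflicting reply raises an alert rather than silently moving the entry.
    Returns a list of alert tuples.
    """
    ip_to_mac = {}
    mac_to_port = {}
    alerts = []
    for port, ip, mac in replies:
        # Poisoning: the same IP is now being answered for by another MAC.
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(("ip-mac-conflict", ip, ip_to_mac[ip], mac, port))
        else:
            ip_to_mac.setdefault(ip, mac)
        # Cloning: a MAC the switch learned on one port shows up on another.
        if mac in mac_to_port and mac_to_port[mac] != port:
            alerts.append(("mac-moved", mac, mac_to_port[mac], port))
        else:
            mac_to_port.setdefault(mac, port)
    return alerts


def constructed_frame_sources():
    """Constructed (port, source_mac) observations for the flooding check: normal
    ports carry one MAC each, while Gi1/0/9 carries 300 distinct source MACs."""
    frames = [("Gi1/0/1", "02:00:00:00:aa:01"), ("Gi1/0/2", "02:00:00:00:aa:10")]
    frames += [("Gi1/0/9", f"02:00:00:0f:{i >> 8:02x}:{i & 0xff:02x}") for i in range(300)]
    return frames


def detect_mac_flooding(frames, per_port_limit=8):
    """Count distinct source MACs per port and return {port: count} for every port
    above the limit. A single access port legitimately sources only a few MACs, so
    hundreds of new ones in a short interval is the table-exhaustion signature."""
    seen = defaultdict(set)
    for port, mac in frames:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > per_port_limit}


if __name__ == "__main__":
    for alert in detect_arp_anomalies(ARP_REPLIES):
        print("ARP alert:", alert)
    for port, count in detect_mac_flooding(constructed_frame_sources()).items():
        print(f"MAC flooding suspected on {port}: {count} distinct source MACs")
```

The monitor is the detection half; the preventive half lives on the switch itself (limiting learned MACs per port and inspecting ARP against a trusted binding table), which removes the fail-open condition the notes describe rather than merely reporting it.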

DNS Attacks

  • DNS Poisoning:
    • Modifies the lookup table in the hosts file on a local device to point to a different domain.
    • Attackers may redirect the user to a fraudulent site IP or a malicious DNS server to control all of the user's web traffic.
  • DNS Hijacking:
    • Infects an external DNS server with IP addresses pointing to malicious sites.
    • The attacker exploits protocol flaws to convince an authentic DNS server to accept fraudulent entries from the attacker's DNS server.
    • If the authentic server does not validate that responses come from an authoritative source, it stores and serves the fraudulent entries to users and potentially spreads them to other DNS servers.
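The validation step the last bullet describes, as an added Python example (not from the original notes): a resolver-side check that drops a response whose transaction ID or question does not match the outstanding query, and caches only records that fall inside the zone the contacted server is authoritative for (the "bailiwick" rule), so an unrelated name smuggled into a response is rejected instead of stored and served. The query, zone and records are constructed documentation-range values.

```python
# Constructed outstanding query and the zone of the server it was sent to.
QUERY = {"id": 0x1A2B, "qname": "www.example.com.", "qtype": "A"}
QUERIED_ZONE = "example.com."

# Constructed response: two records the server may legitimately answer for, plus
# one record for an unrelated zone that a resolver must not accept from this server.
GOOD_RESPONSE = {
    "id": 0x1A2B,
    "qname": "www.example.com.",
    "qtype": "A",
    "records": [
        ("www.example.com.", "A", "198.51.100.20"),
        ("ns1.example.com.", "A", "198.51.100.53"),
        ("login.bank.example.net.", "A", "203.0.113.5"),
    ],
}

# Same content but with a transaction ID that does not match the query.
MISMATCHED_RESPONSE = {**GOOD_RESPONSE, "id": 0x0000}


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is the zone apex or a name below it (label-aligned, so
    'notexample.com' is not inside 'example.com')."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def validate_response(query: dict, response: dict, queried_zone: str):
    """Return (accepted, rejected) where rejected items are (record, reason).

    If the transaction ID or the question section does not match what we asked,
    the whole response is discarded. Otherwise each record is kept only when its
    owner name lies inside the queried zone.
    """
    same_question = (response["qname"].lower(), response["qtype"]) == (
        query["qname"].lower(), query["qtype"])
    if response["id"] != query["id"] or not same_question:
        return [], [(rec, "id/question mismatch") for rec in response["records"]]

    accepted, rejected = [], []
    for rec in response["records"]:
        if in_bailiwick(rec[0], queried_zone):
            accepted.append(rec)
        else:
            rejected.append((rec, "out of bailiwick"))
    return accepted, rejected


def build_cache(query: dict, response: dict, queried_zone: str) -> dict:
    """Populate a {(name, type): value} cache from the accepted records only."""
    accepted, _ = validate_response(query, response, queried_zone)
    return {(name, rtype): value for name, rtype, value in accepted}


if __name__ == "__main__":
    accepted, rejected = validate_response(QUERY, GOOD_RESPONSE, QUERIED_ZONE)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("cache:", build_cache(QUERY, GOOD_RESPONSE, QUERIED_ZONE))
    print("mismatched id accepted:", validate_response(QUERY, MISMATCHED_RESPONSE, QUERIED_ZONE)[0])
```

These two checks are the minimum a caching resolver applies before storing anything; they stop the "accept fraudulent entries from the attacker's server" case in the notes, while cryptographic validation of the records themselves (DNSSEC) is the stronger control for a server that does sign its zone.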

Distributed Denial of Service (DDoS) Attack

  • Denial of Service (DoS): A deliberate attempt to prevent authorized users from accessing a system by overwhelming it with bogus requests.
  • Distributed DoS (DDoS): Uses hundreds or thousands of devices to flood a server.
  • Botnets: The participating devices are often part of a botnet, a set of devices infected and controlled by threat actors without their owners' knowledge.
  • In some instances, multiple users may collaborate to launch a single campaign.

Physical Security Controls

  • Significance: Physical security prevents actors from physically accessing devices/networks. Physical access often allows for more damage than remote access.
  • Categories:
    • External perimeter defenses.
    • Internal physical security controls.
    • Computer hardware security.

External Perimeter Defenses

  • Industrial Camouflage: Making buildings appear nondescript to hide their importance.
  • Barriers: Passive devices like fencing with signage and lighting for nighttime security.
  • Personnel: Security guards for active defense. They take action when needed and monitor video surveillance via Closed Circuit Television (CCTV), drones, or robot sentries.
  • Sensors:
    • Thermal cameras, motion sensors, and noise detectors supplement guards.
    • Environmental sensors (temperature and moisture) detect fire or water leaks.

Internal Physical Security Controls

  • Locks:
    • Physical locks: Require a key.
    • Electronic locks: Use buttons, keypads, or RFID cards.
    • Smart locks: Use smartphones to send codes via Bluetooth.
    • Fingerprint locks: Feature a scanning pad for biometric authentication.
    • Mantraps: Designed as an air gap separation between a non-secure and a secured area.
  • Protected Cable Distribution:
    • A system of conduits to protect classified information transmitted between secure areas.
    • Conduits must be sealed (welded) or equipped with specialized optical fibers that trigger alarms upon vibration detection.
  • Fire Suppression:
    • Water and handheld extinguishers are discouraged in data centers due to equipment contamination risk.
    • Alternatives include dry chemicals (fine powder) or clean agent systems that remove heat, isolate oxygen, or inhibit chemical reactions.

Computer Hardware Security

  • Cable Locks: Inserted into a laptop's security slot and rotated to secure the device to a fixture.
  • Storage Locks: Laptops and portable devices can be stored in cabinets or vaults.
  • Printer Isolation: Multifunction printers can be housed in secure rooms with access limited to authorized employees.

Physical Security Limitations

  • Deter and Delay: Mechanisms like locks and cameras are designed to deter and delay casual attackers, providing time to assess and respond.
  • Evidence: Cameras and recordings serve as evidence for prosecution.
  • Ineffectiveness: These measures do not stop determined opponents and do not prevent attacks entirely.