Chapter 7. Attack Vectors and Mitigation Techniques





Classes of Attacks

Three major types of attacks follow:

Reconnaissance: Reconnaissance attacks are the first step in the process of intrusion and involve unauthorized discovery and mapping of systems, services, or vulnerabilities. These discovery and mapping techniques are commonly known as scanning and enumeration. Common tools, commands, and utilities that are used for scanning and enumeration include ping, Telnet, nslookup, finger, rpcinfo, File Explorer, srvinfo, and dumpacl. Other third-party public tools include Sniffer, SATAN, SAINT, NMAP, and netcat. In addition, custom scripts are used in this process.

Access: Access attacks refer to unauthorized data manipulation that gives the attacker system access or privilege escalation on a victim or compromised host. Unauthorized data retrieval is simply the act of reading, writing, copying, or moving files that are not allowed or authorized to the intruder. Some common activities performed in this phase include exploiting passwords, accessing confidential information, exploiting poorly configured or unmanaged services, accessing a remote registry, abusing a trust relationship, and IP source routing and file sharing.

Denial of Service: A DoS attack takes place when an attacker intentionally blocks, degrades, disables, or corrupts networks, systems, or services with the intent to deny the service to authorized users. The attack is geared to impede the availability of the resource to the authorized user by crashing the system or slowing it down to the point where it is unusable. Common examples of DoS attacks include TCP SYN floods, ICMP ping floods, and buffer overflow, to name a few.

A typical attack pattern consists of gaining access to a user account, escalating privilege, exploiting the victim's system, or using it as a launch platform for attacks on other systems or sites.



Attack Vectors

Attack vectors are routes or methods used to get into computer and network systems to leverage unexpected openings for misuse. Attack vectors can be generally classified as follows:

Viruses: A virus is a malicious software program or piece of code that causes an unanticipated negative event and usually is capable of causing damage to data or other programs on the infected system.

Worms: A computer worm is a self-replicating malicious software program, similar to a computer virus. Worms are viruses that can reside in the active memory of a system and are capable of self-duplicating and self-propagating from one computer system to the next over a network. Worms are often designed to exploit the file transmission capabilities, such as e-mail, found on many computer systems.

Trojans: A Trojan horse is a malicious program that pretends to be a benign application. Trojans are seemingly harmless programs that hide a malicious activity, such as a keystroke logger that could capture all passwords or any other sensitive information entered, without the knowledge of the user.

Password cracking: Password attacks can be implemented using several methods, including brute force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Generally, password attacks refer to repeated attempts to identify a valid user account or password. These repeated attempts are called brute force attacks.

Buffer overflows: Buffers are memory locations in a system that are used to store data and generally hold a predefined amount of finite data. A buffer overflow occurs when a program attempts to store data in a buffer when the data is larger than the size of the allocated buffer. An analogy is filling an empty glass (buffer) of 1 liter capacity with 1.5 liters of liquid (data). The initial 1 liter will be held with no problem, with the 0.5 liters spilling over, just as with a buffer overflow.

IP spoofing: An IP spoofing attack occurs when an intruder attempts to disguise itself by pretending to have the source IP address of a trusted host to gain access to specified resources on a trusted network. IP spoofing is one of the most common acts of online camouflage.

Address Resolution Protocol (ARP) spoofing: ARP spoofing occurs when an intruder attempts to disguise its source hardware address (MAC address) to impersonate a trusted host. This is one of the primary steps that aids many of the other attacks.

Man-in-the-middle attack (TCP hijacking): The man-in-the-middle (MITM), also known as a TCP hijacking attack, is a well-known attack in which an intruder intercepts legitimate communication between two points and can modify or control the TCP session without the knowledge of either the sender or the recipient of the session. TCP hijacking is an exploit that targets the victims' TCP-based applications such as Telnet, FTP, SMTP (e-mail), or HTTP sessions. An intruder can also be "inline" in an ongoing TCP session between the sender and the receiver while using a sniffing program to watch the conversation.

Ping sweeps: A ping sweep, also known as an Internet Control Message Protocol (ICMP) sweep, is a scanning technique used to determine live hosts (computers) in a network. A ping sweep consists of ICMP ECHO requests sent to multiple hosts (one at a time, unless a broadcast IP address is used). If a given address is live, it will return an ICMP ECHO reply confirming a legitimate live host. Ping sweeps are widely used in the reconnaissance phase of the attack process.

Port scanning: Port scanning is a method used to enumerate what services are running on a system. An intruder sends random requests on different ports, and if the host responds to the request, the intruder confirms that the port is active and in listening mode. The attacker can then plan exploits to any known vulnerabilities by targeting these ports. A port scanner is a piece of software designed to search a network host for open ports. Port scanning is also one of the primary reconnaissance techniques attackers use to discover services that can be exploited.

Sniffing: A packet sniffer is software that uses a network adapter card in promiscuous mode to passively capture all network packets that are being transmitted across the network.

Flooding: Flooding occurs when an excessive amount of unwanted data is sent, resulting in disruption of data availability.

DoS/DDoS Attacks: In most cases, the objective of a DoS attack is to deprive legitimate user access to services or resources. DoS attacks do not typically result in intrusion or the illegal theft of information, but are geared to prevent access to authorized users by means of flooding the victim with an excessive volume of packets. Distributed DoS (DDoS) attacks amplify DoS attacks in that a large number of compromised systems coordinate collectively to flood the victim, thereby causing denial of service for users of the targeted systems. Common forms of DoS/DDoS attacks include SYN flood attacks, smurf attacks, land attacks, viruses, and worms.
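The ping sweep and port scanning entries above describe the two traffic patterns a defender can watch for: one source sending ICMP ECHO requests to many hosts, or one source probing many TCP ports on a single host. The following Python is an added example, not code from the chapter or from Cisco, that flags both patterns over constructed packet records using a sliding time window; the Packet format, thresholds, and addresses are assumptions.

```python
from collections import Counter, defaultdict, namedtuple

# One captured packet (constructed format): ts in seconds, proto "icmp" or "tcp",
# dport = TCP destination port, icmp_type 8 = ICMP ECHO request.
Packet = namedtuple("Packet", "ts src dst proto dport icmp_type", defaults=(None, None))

def max_distinct_in_window(events, window):
    """Largest number of distinct keys among (ts, key) events in any `window`-second span."""
    events = sorted(events)
    seen, best, left = Counter(), 0, 0
    for ts, key in events:
        seen[key] += 1
        while ts - events[left][0] > window:      # expire events older than the window
            old = events[left][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            left += 1
        best = max(best, len(seen))
    return best

def detect_recon(packets, window=10.0, sweep_hosts=8, scan_ports=10):
    """Ping sweep: ECHO requests from one source to >= sweep_hosts distinct hosts;
    port scan: >= scan_ports distinct TCP ports on one host; both within `window` s."""
    pings = defaultdict(list)    # src -> [(ts, dst)]
    probes = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == 8:
            pings[p.src].append((p.ts, p.dst))
        elif p.proto == "tcp" and p.dport is not None:
            probes[(p.src, p.dst)].append((p.ts, p.dport))
    alerts = []
    for src, ev in pings.items():
        n = max_distinct_in_window(ev, window)
        if n >= sweep_hosts:
            alerts.append(("ping_sweep", src, n))
    for (src, dst), ev in probes.items():
        n = max_distinct_in_window(ev, window)
        if n >= scan_ports:
            alerts.append(("port_scan", f"{src}->{dst}", n))
    return alerts

# Constructed sample traffic (not a real capture):
SAMPLE = (
    [Packet(i * 0.5, "10.0.0.99", f"10.0.0.{i + 1}", "icmp", icmp_type=8) for i in range(12)]   # fast sweep
    + [Packet(20 + i * 0.2, "10.0.0.99", "10.0.0.5", "tcp", dport=pt)                           # 11-port scan
       for i, pt in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 3389, 8080])]
    + [Packet(100 + i * 5, "10.0.0.77", f"10.0.0.{i + 1}", "icmp", icmp_type=8) for i in range(12)]  # slow sweep, 1 per 5 s
    + [Packet(200 + i, "10.0.0.7", "10.0.0.1", "icmp", icmp_type=8) for i in range(3)]    # benign repeated pings
    + [Packet(210 + i, "10.0.0.7", "10.0.0.5", "tcp", dport=443) for i in range(20)])     # benign HTTPS to one port
```

With the default 10-second window the slow sweep from 10.0.0.77 is not flagged (only three distinct hosts fall inside any window), which is the low-and-slow trade-off of any window-based detector; widening the window to 60 seconds catches it.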



Attackers Family

It is important to identify the attackers responsible for all computer and network abuse, as this identification assists in characterizing the attack and the level of damage it can cause. It is also useful to track them down by understanding their motives and actions. Attackers can be classified in three broad categories:

Script kiddies (aspiring hackers): These are amateur members of the attacker community with no deep knowledge of the technology. They use readily available programs and tools developed by others for the purpose of intrusive activities. They are motivated to test limits and to be noticed.

True hackers: This group of attackers is well versed and has thorough knowledge of the technology with well-developed competence to perform intrusions. Hackers in this category are motivated by the pursuit of recognition and notoriety. They often see hacking as a challenge and a competition.

Professionals (the elite): This type is a small group of attackers also known as the elite. Members of this group are highly motivated and in most cases remunerated for their services that include organized crime, as well as attacks on the military, intelligence organizations, law enforcement, and other groups. The main motivation for these types of hackers is remuneration.



Risk Assessment

It is imperative to audit the network and evaluate its security posture for the risks and threats in an environment to be able to preemptively determine the likelihood and ramifications of a security breach. This should be an iterative process in which you evaluate and rank each threat and identify an appropriate mitigation technique accordingly. As you face the risk assessment process, keep in mind the following facts about common network attacks:

75% to 80% go undetected.

15% to 20% are instigated by outsiders.

80% to 85% are launched by insiders—people with authorized trust.

80% to 90% are vindictive script kiddy attacks. 10% are of a more serious DDoS type.

1% to 5% hit the infrastructure directly.

Threat modeling involves identifying and ranking threats according to their likelihood and the damage they could potentially cause. The following steps can help identify potential attack vectors in a network.

Step 1. Identify vulnerabilities, threats, potential attack vectors, and their potential impact on the network and performance.

Step 2. Categorize each threat by criticality—that is, how much damage an attack of this nature could cause and the likelihood of occurrence. For example, assign a number between 1 and 10 for criticality, with 10 being the most severe.

Step 3. Using the following formula, calculate the assumed risk by dividing the criticality by the chance of occurrence:

Assumed Risk = Criticality / Likelihood

Step 4. Identify an appropriate technique or technology to mitigate each threat. Each threat has specific mitigation techniques with varied options. Choose the solution wisely, understanding its pros and cons.

Step 5. Repeat from Step 1 as you move on. Making only one pass through this process can potentially leave the network vulnerable to other unidentified risks and attacks.

There are no magic knobs, silver bullets, or super vendor technology features that will solve all security problems.

The fundamental law of the Internet drives the design of security into the network and how to respond to security incidents. It is all about the packet. After a packet is on the network wire, someone or something somewhere has to either deliver or drop the packet.

In the context of an intrusion or attack, the question is who will drop the packet and where will the packet be dropped?




One of the biggest problems in network security today is that network managers think of security as something to implement after a network is designed. Security, therefore, tends to be an afterthought at best and, in most cases, is often forgotten completely. This has led to many insecure network designs and solutions.

An attack vector is a vulnerability, exploit, or mode that is open to abuse. Vulnerabilities, threats, and exploits lead to network attacks and are problems that have no easy solution, mainly because they are native to the design of the TCP/IP suite. Understanding how and why these attacks are launched, coupled with the proactive prevention mechanisms, can help you protect the network from these malicious cloaking and cracking techniques.

Effective mitigation of such attacks is an especially pressing problem on the Internet, and experts have researched and proposed various methods to prevent them. This chapter provides insight into technologies and techniques available on Cisco devices to combat network attacks on Layer 3 and Layer 2 devices.

The chapter also covers details of how to use the Security Incident Response Framework to respond to a security incident and to understand and be prepared for any security event by using an incident response methodology and the formation of an Incident Response Team (IRT).

Vulnerabilities, Threats, and Exploits

It is disconcerting to realize that it is difficult, if not impossible, to track down and eliminate all possible security holes, because intruders need only one security hole to break in. In certain cases, an intruder can take advantage of the design of a particular piece of software, a misconfiguration or loosely configured device, or perhaps an inherent flaw in a protocol. The TCP/IP protocol is a good example. The protocol was developed a long time ago when designers did not pay particular attention to the security concerns we observe today. Examples of leveraging flaws in protocols include IP spoofing, source routing, SYN floods, smurf attacks, application tunneling, and much more. Before we take a closer look at the mitigation techniques, however, we will begin with a quick overview of some of the attack vectors.


