Cyberattacks come in all shapes and forms. They are everywhere, and whether you know it or not, you’ve likely been a victim of one at some point. Even an occasional look at IT news will tell you just how widespread cybercrime is and how many areas of life it affects. Yet many of us don’t have more than a superficial idea of how cyberattacks work, where they originate, and how severe their repercussions can be.
Our “Cybersecurity Essentials” series is designed to (a) familiarize readers with cybersecurity terminology; (b) explain and discuss seemingly abstruse cybersecurity concepts in an easy-to-understand manner; (c) provide a periodic overview of an ever-changing threat landscape; (d) talk about important cybersecurity standards and regulations and which industries they may be relevant to; and (e) explore cybersecurity best practices and ways to guard against malicious cyber activity.
This month, we discuss network-based cyberattacks and how you can strengthen your defenses against these.
Network-based cyber attacks
Network-based attacks are attacks designed to compromise network security by either eavesdropping on or intercepting and manipulating network traffic. These may be active attacks, wherein the hacker manipulates network activity in real-time; or passive attacks, wherein the attacker sees network activity but does not attempt to modify it.
The more prevalent kinds of network attacks are:
A sniffing attack involves an attacker getting into the network data-stream and reading, monitoring or capturing full packets of data flowing between a client and a server. A hacker intercepting a network packet containing unencrypted information can cause severe damage to the organization or entity that owns the data. Data compromised may include sensitive information like account credentials, bank details, and different kinds of Personally Identifiable Information (PII). Sniffing attacks can either be active (involving both data access and manipulation) or passive (where the attacker only sees the information but does not actively interfere in its transmission). Examples of tools used for sniffing attacks are Wireshark, tcpdump, dSniff and Debookee.
Eavesdropping attacks are similar to sniffing attacks, except that they are usually passive, easier to carry out and may not involve full packets of data. They involve an attacker listening to information flowing between networks to get private information, and often target one-on-one communication. These, too, are difficult to detect. Investopedia describes eavesdropping attacks as involving a weakened connection between client and server that allows the attacking entity to send network traffic to itself. “Any device in the network between the transmitting device and the receiving device is a point of weakness, as are the initial and terminal devices themselves”, it says. Tools used to carry out these attacks include Wireshark, tcpdump, and Ettercap.
Spoofing refers to a malicious actor pretending to be a legitimate entity or someone s/he is not. In the context of network security, it usually means “a computer spoofing an IP address, Address Resolution Protocol (ARP), or Domain Name System (DNS) server”. Attackers often gain access to otherwise off-limits networks that use IP addresses for user authentication by using IP address spoofing. They may also use what is known as ARP spoofing to link their own Media Access Control (MAC) address to a legitimate IP address, thus gaining access to data meant for a different IP owner. DNS spoofing lets hackers divert traffic to an IP address other than where it was originally directed. Spoofing attacks are used more frequently (and successfully) on unprotected non-enterprise systems than on larger enterprise systems because the latter are usually equipped with better detection and mitigation tools.
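One defensive check for the ARP spoofing described above, as an added example that is not part of the original post: it reads a constructed log of ARP replies and flags an IP whose advertised MAC changes, or one MAC that starts answering for several IPs. The log format and every address in it are made up.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a monitor on the segment might log them,
# one per line: "<seconds> <sender-ip> is-at <sender-mac>". Not real captured data.
SAMPLE_ARP_LOG = """\
0 192.168.1.1 is-at aa:bb:cc:00:00:01
1 192.168.1.20 is-at aa:bb:cc:00:00:20
2 192.168.1.1 is-at aa:bb:cc:00:00:01
5 192.168.1.1 is-at de:ad:be:ef:00:99
6 192.168.1.21 is-at de:ad:be:ef:00:99
"""

def parse_arp_log(text):
    """Yield (time, ip, mac) tuples from the simple log format above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "is-at":
            yield int(parts[0]), parts[1], parts[3].lower()

def detect_arp_spoofing(text):
    """Return alert strings for two classic signs of ARP spoofing:
    1. an IP whose advertised MAC changes (e.g. the gateway suddenly 'moves');
    2. one MAC claiming several IPs (an attacker answering for many hosts).
    Sign 2 is a heuristic: a router or proxy-ARP host can legitimately own
    several IPs, so such alerts need to be checked against the known inventory."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in parse_arp_log(text):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={t}: {ip} moved from {previous} to {mac} (possible ARP spoofing)")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"t={t}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(alert)
```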
Denial-of-Service (DoS) attacks block or disrupt an organization or business’s ability to use its own resources such as network bandwidth, system resources (CPU, memory), and application resources (web server, DNS server). In a typical DoS attack, the perpetrator floods the target network with authentication requests or pings that have invalid return addresses, thus using up all the network’s resources and blocking its regular operations. Common DoS attacks include ping attacks, SYN attacks, flooding, and reflection and recursion attacks. A Distributed Denial of Service (DDoS) attack is a more advanced form of a DoS attack where the target network is flooded by requests not from a single server or machine but from multiple attack points (sometimes to the tune of thousands).
DoS attacks can be mitigated using firewall or operating system rules, contacting upstream service providers to investigate the origin of the attack, backing up data from time to time to minimize damage from a potential attack, and good planning. Some organizations use a mitigation strategy known as “black hole routing” to defend against DoS attacks. The blackholing method detects and directs excessive traffic into a “black hole” or a null route, to keep the target network from crashing. However, because blackholing treats all kinds of network traffic – both malicious and legitimate – the same way, it should be used sparingly.
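An added example (not from the original post) of the blackholing trade-off: it finds the sources whose request rate exceeds a threshold, which an operator might null-route (on Linux, `ip route add blackhole <address>/32`), and then shows which legitimate sources a prefix-wide null route would also silence. The request log is constructed; the rate threshold and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed request log, one arrival per line: "<second> <source-ip>". Not real traffic.
# Three hosts on 203.0.113.0/24 each send 40 requests per second for 10 seconds;
# 203.0.113.50 (same /24) and 198.51.100.7 are ordinary, low-rate clients.
SAMPLE_REQUESTS = "\n".join(
    [f"{s} 203.0.113.{10 + i}" for s in range(10) for i in range(3) for _ in range(40)]
    + [f"{s} 203.0.113.50" for s in (0, 5)]
    + [f"{s} 198.51.100.7" for s in range(10)]
)

def peak_rate(text, window=1):
    """Return {source: highest request count in any `window`-second interval}."""
    per_second = defaultdict(lambda: defaultdict(int))   # source -> second -> count
    for line in text.splitlines():
        second, source = line.split()
        per_second[source][int(second)] += 1
    peaks = {}
    for source, counts in per_second.items():
        peaks[source] = max(sum(counts.get(s, 0) for s in range(t, t + window))
                            for t in counts)
    return peaks

def blackhole_candidates(peaks, threshold):
    """Sources above the rate threshold: what an operator would null-route
    (on Linux: ip route add blackhole <address>/32)."""
    return sorted(source for source, rate in peaks.items() if rate > threshold)

def collateral_damage(prefix, peaks, candidates):
    """Legitimate sources that a null route for the whole `prefix` would also
    silence. This is the caveat above: a blackhole treats good and bad traffic alike."""
    network = ipaddress.ip_network(prefix)
    return sorted(source for source in peaks
                  if ipaddress.ip_address(source) in network and source not in candidates)

if __name__ == "__main__":
    peaks = peak_rate(SAMPLE_REQUESTS)
    bad = blackhole_candidates(peaks, threshold=20)
    print("null-route per host:", bad)
    print("also lost if 203.0.113.0/24 is blackholed:",
          collateral_damage("203.0.113.0/24", peaks, bad))
```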
Network-based attacks – Defense and mitigation
The mitigation methods and tools to defend against network attacks fall into four main categories:
Manage patch application – A good patch management policy will mandate regular tracking of patch releases for all software in use by an organization and implementation of patches as soon as they are released.
Reduce attack surface – Reducing the attack surface involves removing any unused or unnecessary applications and services from all computing devices in an organization. In his book Security Engineering: A Guide to Building Dependable Distributed Systems, Ross J. Anderson says, “There is usually no reason for every workstation in your company to be running a mail server, an ftp server and DNS, and stripping things down can greatly reduce the attack surface.”
Segment the network – Segmenting is one of the easiest ways for organizations to protect their networks. It refers to the practice of splitting a larger network into small sub-networks that are independent of one another. The biggest benefit of segmentation is the extra incident-response time it provides businesses when an attack occurs. Segmenting also makes it easier for organizations to keep their sensitive data relatively more secure, and limit access to critical data.
Switch from default to secure configuration – Enterprises must, as a rule, periodically monitor and change all installed software’s security settings to the most secure configuration possible. Often, new software continues to be used with default settings for long periods of time, leading to breaches that could easily have been prevented had someone bothered to change the settings.
Firewalls – The most commonly used filtering tool to block network attacks is the firewall. A firewall sits between a local system and the internet and filters out traffic that it detects to be malicious. Firewalls deal with bad network packets by (1) discarding them or modifying them to make them safe, or by (2) copying them to a log or audit trail. Firewalls or filters can act at three different levels: IP packets, the TCP session level, and the application level.
Packet filtering refers to a firewall inspecting packet addresses and port numbers to (for instance) make sure that traffic coming from IP addresses known to be “bad” is kept out, in addition to performing more routine firewall tasks such as allowing traffic only to specific port numbers.
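The packet-filtering logic just described, as an added example that is not the page's own code: a first-match rule list that drops known-bad sources, admits only specific TCP ports and otherwise denies. The rule set, the one-line packet summary format and all addresses are assumptions made for the example.

```python
import ipaddress

# Constructed policy, in first-match order, mirroring the two tasks named above:
# keep traffic from known-bad sources out, and admit traffic only to specific ports.
# The addresses and the packet summary format are made up for this example.
BAD_SOURCES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")]
ALLOWED_TCP_PORTS = {80, 443}
RULES = [
    # (rule name, predicate on the parsed packet, verdict)
    ("drop-known-bad-sources", lambda p: any(p["src"] in net for net in BAD_SOURCES), "DROP"),
    ("allow-web", lambda p: p["proto"] == "tcp" and p["dport"] in ALLOWED_TCP_PORTS, "ACCEPT"),
    ("allow-replies", lambda p: p["proto"] == "tcp" and p["ack"], "ACCEPT"),  # stateless: ACK bit set
    ("default-deny", lambda p: True, "DROP"),
]

def parse_packet(line):
    """Parse a one-line packet summary: 'proto src sport dst dport [flags...]'."""
    proto, src, sport, dst, dport, *flags = line.split()
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "ack": "ack" in flags}

def filter_packet(packet, rules=RULES):
    """Evaluate rules in order; the first match decides. Returns (verdict, rule name)."""
    for name, matches, verdict in rules:
        if matches(packet):
            return verdict, name
    return "DROP", "implicit-deny"   # only reached if someone removes the default rule

def filter_log(lines, rules=RULES):
    return [(line, *filter_packet(parse_packet(line), rules)) for line in lines]

SAMPLE_PACKETS = [
    "tcp 198.51.100.7 40000 192.0.2.10 443",     # known-bad source: dropped even though 443 is allowed
    "tcp 192.0.2.77 51000 192.0.2.10 443",       # ordinary HTTPS request: accepted
    "tcp 192.0.2.77 51001 192.0.2.10 22",        # SSH from outside: not an allowed port
    "tcp 192.0.2.77 443 192.0.2.10 52000 ack",   # reply to a connection the inside opened
    "udp 192.0.2.77 5353 192.0.2.10 5353",       # nothing allows UDP: default deny
]

if __name__ == "__main__":
    for line, verdict, rule in filter_log(SAMPLE_PACKETS):
        print(f"{verdict:6} {rule:24} {line}")
```

Rule order matters: the known-bad-source rule sits first, so a bad source is dropped even when it targets an allowed port.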
TCP-level filtering works by “reassembling and examining all the packets in each TCP session”. It can also be used for DNS filtering, in addition to providing Virtual Private Network (VPN) functionality for traffic encryption purposes.
Application-level filtering – Application-level filters function as proxies for one or more services and include things like email filters and web proxies. Using app-level filters comes with its own set of problems, however, one of which is the constant race between firewall manufacturers and hackers who are quick to find holes even in the latest filtering software. These filters also tend to be expensive, particularly when used on high-bandwidth web content.
Intrusion Detection Systems (IDS) scan the network for signs of compromise or an ongoing attack (such as incoming spam, packets from forged IP addresses, or someone trying to make a connection with a botnet controller) and raise an alarm if any malicious activity is detected.
The most commonly used intrusion detection mechanism is monitoring a metric (such as the number of failed logins) and raising an alert when it crosses a threshold.
Other categories include:
Misuse Detection systems that look for a signature or defining characteristic of an attack.
Anomaly Detection systems that look for unusual changes in behavior patterns to detect uncatalogued attacks.
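An added example (not from the original post) that runs all three detection categories over constructed web-server log lines: a failed-login threshold, signature matching for misuse detection, and an anomaly check against a historical per-minute baseline. The log format, the signatures and the baseline figures are assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed web-server log lines, "<minute> <source-ip> <status> <method> <path>".
# Minutes 0-4 carry ten ordinary requests each; minute 3 also gets a burst of 25
# from one host; 192.0.2.5 fails to log in four times; one request carries a
# traversal pattern. None of this is real data.
SAMPLE_LOG = (
    [f"{m} 192.0.2.{20 + i} 200 GET /index.html" for m in range(5) for i in range(10)]
    + ["3 203.0.113.9 200 GET /index.html"] * 25
    + ["1 192.0.2.5 401 POST /login"] * 4
    + ["2 198.51.100.9 200 GET /static/../../etc/passwd"]
)
# Historical requests per minute on a quiet day (constructed baseline for anomaly detection).
BASELINE_PER_MINUTE = [10, 12, 11, 9, 13, 10, 12, 11]
# Known attack patterns for misuse detection (constructed, deliberately simple).
SIGNATURES = {"path-traversal": re.compile(r"\.\./"), "sensitive-file": re.compile(r"etc/passwd")}

def parse_log(lines):
    events = []
    for line in lines:
        minute, src, status, _method, path = line.split()
        events.append({"minute": int(minute), "src": src, "status": int(status), "path": path})
    return events

def threshold_alerts(events, max_failures=3):
    """Threshold detection: sources with more than max_failures failed logins (HTTP 401)."""
    failures = Counter(e["src"] for e in events if e["status"] == 401)
    return {src: n for src, n in failures.items() if n > max_failures}

def misuse_alerts(events):
    """Misuse (signature) detection: requests whose path matches a known attack pattern."""
    return [(e["src"], name) for e in events
            for name, pattern in SIGNATURES.items() if pattern.search(e["path"])]

def anomaly_alerts(events, baseline=BASELINE_PER_MINUTE, k=3):
    """Anomaly detection: minutes whose request count exceeds mean + k * stdev of the
    baseline. It needs no signature, so it can catch an uncatalogued attack, but it
    only says 'unusual', not what happened."""
    limit = statistics.mean(baseline) + k * statistics.stdev(baseline)
    per_minute = Counter(e["minute"] for e in events)
    return {m: n for m, n in sorted(per_minute.items()) if n > limit}

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("threshold:", threshold_alerts(events))
    print("misuse:", misuse_alerts(events))
    print("anomaly:", anomaly_alerts(events))
```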
Network encryption, or any kind of encryption for that matter, involves encoding data to hide it from anyone who is not authorized to see it. Encrypted data can be accessed or decrypted using a decryption key. Home networks are usually encrypted using WPA or WPA2 encryption algorithms, while web browsers use what is known as the Secure Sockets Layer (SSL) protocol. One often hears about how HTTPS is more secure than HTTP; this is because HTTPS uses an SSL certificate that encrypts all information being transmitted between the client and server. It also uses an additional security layer known as the Transport Layer Security (TLS) protocol.
A note on key length: As a general rule, the longer the decryption key, the more difficult it will be for a hacker to crack. As technology evolves, decryption keys get longer, 128-bit encryption being the current accepted standard.
The information provided in this post is by no means comprehensive and covers only the most basic types of network attacks and widely adopted mitigation strategies. We do hope, however, that it is a good starting point for businesses looking for information about network security before they dive deeper into the subject.
In our next post about network security, we will discuss some of the tools and technologies available to enterprises and small businesses to tackle network-based attacks, and how they can best leverage these tools.