Examining Network Attack Methodologies
Who are hackers? What motivates them? How do they do it? How do they manage to breach the measures we have in place to ensure confidentiality, integrity, and availability? Which best practices can we adopt to defeat hackers? These are some of the questions we try to answer next.
Adversaries, Motivations, and Classes of Attack
A vulnerability is a weakness in a system or its design that can be exploited by a threat. Vulnerabilities are sometimes found in the protocols themselves, as in the case of some security weaknesses in TCP/IP. Often, the vulnerabilities are in the operating systems and applications.
A threat is an external menace to that system. For example, a hacker actively scouting the Internet for a specific buffer-overflow vulnerability found in web servers would be considered a threat.
A risk is the likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system and produce an undesirable consequence. Although the roof of the data center might be vulnerable to being penetrated by a falling meteor, for example, the risk is minimal because the likelihood of that threat being realized is essentially none.
An exploit happens when computer code is developed to take advantage of a vulnerability. For example, suppose that a vulnerability exists in a piece of software, but nobody knows about this vulnerability. Although the vulnerability exists theoretically, there is no exploit yet developed for it. Because there is no exploit, there really is no problem yet.
Note: If you have a vulnerability, but there is no threat toward that vulnerability, you have no risk!
When you analyze system vulnerabilities, it helps to categorize them in classes to better understand the reasons for their emergence. You can categorize the main vulnerabilities of systems as one of the following:
- Design errors
- Protocol weaknesses
- Software vulnerabilities
- Misconfiguration
- Hostile code
- Human factor
These are just a few of the vulnerability categories. For each of these categories, many additional vulnerabilities could be listed.
People are social beings, and it is quite common for systems to be compromised through social engineering. Harm can be caused by people just trying to be “helpful.” For example, in an attempt to be helpful, people have been known to give their passwords over the phone to attackers who have a convincing manner and say they are troubleshooting a problem and need to test access using a real user password. The end user must be trained, and reminded, that the ultimate security of a system depends on their behavior.
Of course, people often cause harm within organizations intentionally:
- Most security incidents are caused by insiders.
- Strong internal controls on security are required.
- Special organizational practices might need to be implemented.
An example of a special organizational practice that helps to provide security is the separation of duty, where critical tasks require two or more persons to complete them, thereby reducing the risk of insider threat. People are less likely to attack or misbehave if they are required to cooperate with others.
Unfortunately, users frequently consider security too difficult to understand. Software often does not make security options or decisions easy for end users. Also, users typically prefer “whatever” functionality to no functionality.
Adversaries
To defend against attacks on information and information systems, organizations must begin to define the threat by identifying potential adversaries. These adversaries can include the following:
- Terrorists
- Criminals
- Hackers
- Corporate competitors
- Disgruntled employees
- Government agencies
Hackers comprise the most well-known outside threat to information systems. They are not necessarily geniuses, but they are persistent people who have taken a lot of time to learn their craft.
Many titles are assigned to hackers:
- Hackers: Hackers are individuals who break into computer networks and systems to learn more about them. Some hackers generally mean no harm and do not expect financial gain. Unfortunately, hackers may unintentionally pass valuable information on to people who do intend to harm the system.
- Crackers (criminal hackers): Crackers are hackers with a criminal intent to harm information systems. Crackers are generally working for financial gain and are sometimes called black hat hackers.
- Phreakers (phone breakers): Phreakers pride themselves on compromising telephone systems. Phreakers reroute and disconnect telephone lines, sell wiretaps, and steal long-distance services.

Note: When describing individuals whose intent is to exploit a network maliciously, these individuals are often incorrectly referred to as hackers. In this lesson, the term hacker is used, but might refer to someone more correctly referred to as a cracker, or black hat hacker.

- Script kiddies: Script kiddies think of themselves as hackers, but have very low skill levels. They do not write their own code; instead, they run scripts written by other, more skilled attackers.
- Hacktivists: Hacktivists are individuals who have a political agenda in doing their work. When government websites are defaced, this is usually the work of a hacktivist.
In computer security, a hacker is a person who specializes in work with the security mechanisms for computer and network systems.
The release of the movie WarGames in 1983 raised the public’s awareness that computer security hackers (especially teenagers) could be a threat to national security. Unfortunately, this concern became real when a gang of teenage crackers known as the 414s broke into computer systems throughout the United States and Canada, including Los Alamos National Laboratory, Memorial Sloan-Kettering Cancer Center, and Security Pacific Bank. The case drew worldwide media attention, and a 17-year-old emerged as the spokesman for the gang. An American magazine, Newsweek, wrote an article in which the word hacker first appeared. Since that time, all forms of media refer to every class of attacker as a hacker.
Because of news coverage, the U.S. House of Representatives called for an investigation and new laws to cover computer hacking. Because of these laws, white hat, gray hat, and black hat hackers try to distinguish themselves from each other, depending on the legality of their activities.
When referring to the events of the 414 gang, Ken Thompson said the following:
I would like to criticize the press in its handling of the “hackers,” the 414 gang, the Dalton gang, and so on. The acts that are performed by these kids are vandalism at best and probably trespass and theft at worst. ... I have watched kids testifying before Congress. It is clear that they are completely unaware of the seriousness of their acts.
In the academic hacker culture, a computer hacker is a person who enjoys designing software and building programs with a sense for aesthetics and playful cleverness. After 1980, this subculture coalesced with the culture of UNIX. Since the mid-1990s, it has been largely coincident with what is now referred to as the free software and open source movement.
Academic hackers usually work openly and use their real name, whereas computer security hackers prefer secretive groups and identity-concealing aliases. Also, their activities in practice are largely distinct. Academic hackers focus on creating new infrastructure and improving existing infrastructure (especially the software environment they work with), whereas computer security hackers primarily and strongly emphasize the general act of circumventing security measures.
The academic hacker community sees secondary circumvention of security mechanisms as legitimate if it is done to get practical barriers out of the way for doing actual work. Circumvention as an end in itself, however, is not among their interests. A further difference is that, historically, academic hackers worked at academic institutions and used the computing environment there. In contrast, the typical computer security hacker operates out of their home.
Within the academic hacker culture, the term hacker is also used for a programmer who reaches a goal by employing a series of modifications to extend existing code or resources. In a universal sense, a hacker also refers to someone who makes things work beyond perceived limits in a clever way.
The hobby hacking subculture relates to the home computing of the late 1970s. The hobbyist focuses mainly on computer and video games, software cracking, and the modification of computer hardware and other electronic devices, also known as modding.
Motivations
To defend against attacks on information and information systems, organizations must define the threat in terms of motivation. Motivations can include intelligence gathering, theft of intellectual property, denial of service (DoS), embarrassment of the company or clients, and pride in exploiting a notable target.
There are many different kinds of attackers. They mainly differ by how much funding they have and which targets they pick. You can roughly divide these attackers into three groups:
- Casual crackers (script kiddies)
- Motivated or paid crackers (lone criminals, industrial spies, organized crime)
- Military, government intelligence, information warfare, or cyberterrorism
Casual crackers pick almost any target and have low funding. Their motivation usually lies in learning, discovering, and generally exploiting things “because they were there.” They are normally not capable of attacking highly secure systems because they lack the resources and knowledge. Still, they can produce substantial damage in money and lost time.
Motivated crackers are usually well paid and possess adequate resources. They are likely to attack carefully selected targets, based on the instructions of their employer. These actions are not always for profit. In recent history, attacks have been made to further a specific agenda. They can produce severe damage and can be extremely difficult to trace.
Military or government intelligence has almost unlimited funding. It is believed that, because of their state-of-the-art equipment, they can crack most low-end codes in nearly real time.
Classes of Attack and Methodology
The goal of any hacker is to compromise the intended target or application. Hackers begin with little or no information about the intended target, but by the end of their analysis, they have accessed the network and have begun to compromise their target. Their approach is usually careful and methodical, not rushed and reckless. The seven-step process that follows is a good representation of the methods that hackers use:
Step 1. Perform footprint analysis (reconnaissance).
Step 2. Enumerate applications and operating systems.
Step 3. Manipulate users to gain access.
Step 4. Escalate privileges.
Step 5. Gather additional passwords and secrets.
Step 6. Install back doors.
Step 7. Leverage the compromised system.
As a first step toward hacking into a system, hackers generally want to know as much as they can about it. Hackers can build a complete profile, or “footprint,” of the company security posture. Using a range of tools and techniques, an attacker can discover the company domain names, network blocks, IP addresses of systems, ports and services that are used, and many other details that pertain to the company security posture as it relates to the Internet, an intranet, remote access, and an extranet. By following some simple advice, network administrators can make footprinting more difficult.
After the hacker has completed a profile, or footprint, of your organization, they use tools, such as those in the list that follows, to enumerate additional information about your systems and networks. All these tools are readily available to download, and the security staff should know how these tools work. Additional tools, introduced later in this chapter in the “Security Testing Techniques” section, can also be used to gather information and therefore to attack:
- Netcat: Netcat is a featured networking utility that reads and writes data across network connections.
- Microsoft EPDump and Microsoft Remote Procedure Call (RPC) Dump: These tools provide information about Microsoft RPC services on a server.
- GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows locally or across a network.
- DumpSec by SomarSoft: This application is a security auditing program for Windows NT, Windows XP, and Windows 2000 or later systems.
- Software development kits (SDK): SDKs provide hackers with the basic tools that they need to learn more about systems.
Another common technique that hackers use is to manipulate users of an organization to gain access to that organization. There are countless cases of unsuspecting employees providing information to unauthorized people simply because the requesters appear innocent or to be in a position of authority. Hackers find names and telephone numbers on websites or domain registration records by footprinting. Hackers then directly contact these people by phone and convince them to reveal passwords. Hackers gather information without raising any concern or suspicion. This form of attack is called social engineering.
The next thing the hacker typically does is review all the information about the host that they have collected, searching for usernames, passwords, and Registry keys that contain application or user passwords. This information can help hackers escalate their privileges on the host or network. If reviewing the information from the host does not reveal useful information, hackers may launch a Trojan horse attack in an attempt to escalate their privileges on the host. This type of attack usually means copying malicious code to the user system and giving it the same name as a frequently used piece of software.
After the hacker has higher privileges, the next task is to gather additional passwords and other sensitive data. The targets now include such things as the local Security Accounts Manager (SAM) database or the Active Directory of a domain controller. Hackers use legitimate tools such as the pwdump and lsadump applications to gather passwords from machines running Windows. By cross-referencing username and password combinations, the hacker is able to obtain administrative access to all the computers in the network.
If hackers are detected trying to enter through the “front door,” or if they want to enter the system without being detected, they try to use “back doors” into the system. A back door is a method of bypassing normal authentication to secure remote access to a computer while attempting to remain undetected. The most common backdoor point is a listening port that provides remote access to the system for users (hackers) who do not have, or do not want to use, access or administrative privileges.
After hackers gain administrative access, they enjoy hacking other systems on the network. As each new system is hacked, the attacker performs the steps that were outlined previously to gather additional system and password information. Hackers try to scan and exploit a single system or a whole set of networks and usually automate the whole process.
In addition, hackers will cover their tracks either by deleting log entries or falsifying them.
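Because the final step of the methodology above is deleting or falsifying log entries, a defender wants logs that are tamper-evident. The following is an added example (not from the original lesson or any product) of a hash-chained log: each entry's hash is bound to the hash of the entry before it, and the final hash is assumed to be shipped to a remote log server, so any later deletion, edit, or truncation on the host is detectable. The log lines are constructed samples.

```python
import hashlib

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2024-01-01T10:00:01 sshd: Accepted password for alice from 10.0.0.5",
    "2024-01-01T10:00:09 sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "2024-01-01T10:00:15 sshd: Accepted password for bob from 10.0.0.7",
    "2024-01-01T10:01:02 useradd: new user: name=svc_backup uid=1005",
]

GENESIS = "0" * 64  # hash value that precedes the first entry


def chain_hash(prev_hash: str, line: str) -> str:
    """Hash of this entry, bound to the hash of the previous entry."""
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


def build_chain(lines):
    """Return [(line, hash)] where each hash covers every prior line.
    The last hash is the value a collector would record off-host."""
    prev = GENESIS
    entries = []
    for line in lines:
        prev = chain_hash(prev, line)
        entries.append((line, prev))
    return entries


def verify_chain(entries, remote_final_hash: str):
    """Recompute the chain over the entries now on disk and compare with
    the hash held by the remote collector.
    Returns (True, None) when intact, or (False, i) where i is the first
    entry whose stored hash no longer matches (edited, or an earlier entry
    was removed), or (False, len(entries)) when the stored hashes are
    self-consistent but the log was truncated or rewritten as a whole."""
    prev = GENESIS
    for i, (line, stored) in enumerate(entries):
        prev = chain_hash(prev, line)
        if prev != stored:
            return False, i
    if prev != remote_final_hash:
        return False, len(entries)
    return True, None
```

Recomputing stored hashes after a deletion does not help an attacker: the recomputed final hash will not match the copy held by the collector.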