Network Attack Surface and Best Practices for Network Security
Network attacks are unauthorised actions against systems and resources connected within a corporate network. Attackers carry them out to modify, destroy or extract private data, to gain access and privileges, or to take over a network for other malicious activity.
Spoofing Attacks
Spoofing is a form of attack in which an attacker masquerades as a trusted entity, often by manipulating an already established connection, to gain access to sensitive information, obtain privileges or carry out other malicious activity. Attackers use spoofing to steal identities or to hijack legitimate internet addresses as camouflage.
Different Kinds of Spoofing Attacks
- Email spoofing attack
In an email spoofing attack, an attacker sends an email crafted to appear as though it came from a known source. The attack works by falsifying the sender address so that it looks like the address of the genuine sender, while replies may bounce to a stranger whose email credentials have been stolen or hijacked. Attackers use email spoofing because they want the receiver to believe the email was sent by a reliable source.
Email spoofing is broken into different categories: phishing, Business Email Compromise, spamming, Vendor Email Compromise and CEO fraud.
Email spoofing is prominent because attackers use it to carry out their phishing schemes, and a single successful phishing attack is enough to disrupt an organization's working systems or utterly destroy a business. Organizations should enforce workable tactics for detecting spoofed emails and verifying the authenticity of the source. Continuous awareness of phishing schemes, and detailed analysis of senders' email addresses to ascertain that they are genuine, should be made a habit.
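The "detailed analysis of senders' email addresses" above can be automated on the headers the receiving mail server already records. The following is an added example, not code from the article: it compares the visible From: domain with the envelope sender (Return-Path), the Reply-To and the Authentication-Results header (SPF, DKIM, DMARC), and returns short warning codes. Both sample messages, their domains and addresses are constructed for the demo.

```python
"""Heuristic checks for a spoofed e-mail, run on the raw message headers.

Added example, not code from the article.  It compares the From: domain with
the envelope sender (Return-Path), Reply-To and the Authentication-Results
header that the receiving mail server adds, and returns a list of short
warning codes.  Both sample messages below are constructed for this demo.
"""
import email
import re
from email.utils import parseaddr


def _domain(header_value):
    """Lower-cased domain of the address in a header, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoof_indicators(raw_message):
    """Return warning codes for the message; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message)  # compat32 policy: headers come back as plain strings
    warnings = []
    from_header = msg.get("From", "")
    from_domain = _domain(from_header)
    display_name, _ = parseaddr(from_header)

    # 1. A display name that itself looks like an address at another domain,
    #    e.g. "ceo@corp.example" <ceo@corp-example.co>
    m = re.search(r"@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        warnings.append("display-name-domain-mismatch")

    # 2. Envelope sender (where bounces go) differs from the visible From domain
    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        warnings.append("return-path-mismatch")

    # 3. Replies are steered to a third domain
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        warnings.append("reply-to-mismatch")

    # 4. SPF / DKIM / DMARC results recorded by the receiving MX
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            warnings.append(f"{mech}={result}")
    return warnings


# Constructed sample: a CEO-fraud style message that trips every check.
SPOOFED = """\
Return-Path: <bounce@mailer-pool.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer-pool.example; dkim=none; dmarc=fail header.from=corp-example.co
From: "ceo@corp.example" <ceo@corp-example.co>
Reply-To: <payments@freemail-lookalike.example>
To: finance@corp.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample: an ordinary internal message that passes.
LEGIT = """\
Return-Path: <alice@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    print("spoofed:", spoof_indicators(SPOOFED))
    print("legit:  ", spoof_indicators(LEGIT))
```

The domain comparisons are cheap heuristics and will flag some legitimate bulk senders; the Authentication-Results checks are the reliable part, provided the header is written by your own MX and not trusted when it arrives from outside.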
- MAC (Media Access Control) Address Spoofing
In a MAC address spoofing attack, an attacker searches a network for authentic, legitimate MAC addresses and then presents one of them as their own to gain an advantage over an access control system that trusts those addresses. By circumventing authentication at the default gateway in this way, the attacker can copy the data and communication exchanged over the connection without being identified.
Usually, in a network connection of two or more hosts, the attacker intercepts the communication between systems using packet-capturing tools. The attacker then changes their MAC address to pose as host B in order to receive requests from host A, and forwards the tampered response to the legitimate host B while also posing as the legitimate host A.
It is good practice to bind MAC addresses manually to specific switch ports so that only traffic and requests matching the predefined MAC rule are accepted. Traffic analyzers and bandwidth monitors can also be instrumental in detecting MAC address spoofing attacks.
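The port binding and monitoring described above can be checked mechanically. The following is an added example, not the article's code: it replays constructed ARP observations against a static port-to-MAC binding table and reports the inconsistencies an arpwatch-style monitor would raise (a MAC appearing on a port it is not bound to, an IP whose MAC suddenly changes, one MAC answering for several IPs). Port names, IPs and MACs are all constructed.

```python
"""Port-binding and ARP-consistency audit for spotting MAC spoofing.

Added example (not the article's code): it replays constructed ARP
observations against a static port-to-MAC binding table and reports the
inconsistencies an arpwatch-style monitor would raise.  All addresses and
port names below are constructed for the demo.
"""
from collections import defaultdict

# Constructed static bindings: switch port -> MACs allowed to appear on it.
ALLOWED_MACS = {
    "Gi1/0/1": {"aa:bb:cc:00:00:01"},
    "Gi1/0/2": {"aa:bb:cc:00:00:02"},
}

# Constructed observations of ARP replies: (time, ingress port, sender IP, sender MAC).
OBSERVATIONS = [
    ("10:00:01", "Gi1/0/1", "10.0.0.11", "aa:bb:cc:00:00:01"),
    ("10:00:02", "Gi1/0/2", "10.0.0.12", "aa:bb:cc:00:00:02"),
    ("10:00:05", "Gi1/0/2", "10.0.0.11", "aa:bb:cc:00:00:02"),  # host on port 2 now answers for .11
    ("10:00:07", "Gi1/0/3", "10.0.0.1",  "de:ad:be:ef:00:99"),  # unknown MAC on an unbound port claims the gateway
]


def audit(observations, allowed_macs):
    """Return a list of (time, kind, port, ip, mac) alerts."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, port, ip, mac in observations:
        mac = mac.lower()
        bound = allowed_macs.get(port)
        if bound is None:
            alerts.append((ts, "unbound-port", port, ip, mac))
        elif mac not in bound:
            alerts.append((ts, "port-binding-violation", port, ip, mac))
        # An IP that used to be answered by one MAC is now answered by another.
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip-mac-changed", port, ip, mac))
        ip_to_mac[ip] = mac
        # One MAC answering for several IPs is the classic sign of gateway impersonation.
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-multiple-ips", port, ip, mac))
    return alerts


def alert_kinds(alerts):
    """Just the alert categories, in the order they fired."""
    return [kind for _, kind, _, _, _ in alerts]


if __name__ == "__main__":
    for alert in audit(OBSERVATIONS, ALLOWED_MACS):
        print(*alert)
```

On a real switch the first two categories are what "port security" enforces in hardware; the last two are what you get from watching ARP traffic with a tool such as arpwatch, and a host with several legitimate IPs will need an allowlist to keep the `mac-multiple-ips` rule quiet.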
- Domain Name System (DNS) Spoofing
DNS servers act as a database mapping domain names to public IP addresses; browsers query them to find the addresses of the websites users want to visit.
DNS spoofing, also known as DNS cache poisoning, involves using manipulated DNS records to reroute website traffic to a fake domain that closely resembles the original target.
When visitors are redirected to this fake website, they are prompted to log into their accounts, giving the attacker the opportunity to obtain their login credentials and other confidential information. The fake website also serves as an avenue for victims to download viruses or worms onto their devices, granting the attacker continuous access to those systems and the information they hold.
In a related DNS compromise, an attacker can hijack a DNS server itself and configure it to return a malicious IP address.
DNS attacks can be identified by monitoring the routine connections between your name servers and the recursive, TLD and root servers, checking the quality and behaviour of those connections, and setting alerts that fire promptly when there are traces of malicious behaviour. Datadog, Nagios and SolarWinds are examples of DNS monitoring tools.
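Cache poisoning works by slipping a forged answer into a resolver before the genuine one arrives. The resolver-side defence is to accept only an answer whose transaction ID and question section match the query actually sent. The following is an added example, not the article's code: it builds minimal DNS messages in memory (the builders exist only so the check can run offline) and applies that validation. All names, IDs and addresses are constructed.

```python
"""Resolver-side sanity check against forged DNS answers.

Added example, not code from the article.  A caching resolver should only
accept an answer whose transaction ID and question section match the query it
actually sent; anything else is discarded.  The builders below construct
minimal DNS messages in memory so the check runs offline; all names and
addresses are constructed for the demo.
"""
import struct


def encode_name(name):
    """'www.example.test' -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(txid, name):
    """Minimal A-record query: 12-byte header, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(txid, name, ipv4, ttl=300):
    """Minimal response carrying one A record for `name` (used only to construct samples)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def accept_answer(query, response):
    """Return the A record's IPv4 string if `response` is a valid reply to `query`, else None."""
    if len(response) < 12:
        return None
    (query_id,) = struct.unpack("!H", query[:2])
    resp_id, flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    # 1. The transaction ID must match the outstanding query.
    if resp_id != query_id:
        return None
    # 2. It must be a response (QR bit set) with exactly one question.
    if not flags & 0x8000 or qdcount != 1:
        return None
    # 3. The question section must echo the query's question byte for byte.
    question = query[12:]
    if response[12:12 + len(question)] != question:
        return None
    # 4. The first answer must be an A/IN record for the question name.
    off = 12 + len(question)
    if ancount < 1 or response[off:off + 2] != b"\xc0\x0c":
        return None
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off + 2:off + 12])
    if (rtype, rclass, rdlen) != (1, 1, 4):
        return None
    return ".".join(str(b) for b in response[off + 12:off + 16])


def demo():
    """Constructed demo: a genuine reply is accepted, two forged ones are not."""
    query = build_query(0x1A2B, "www.example.test")
    genuine = build_response(0x1A2B, "www.example.test", "192.0.2.10")
    wrong_id = build_response(0x1A2C, "www.example.test", "203.0.113.66")     # ID does not match our query
    wrong_name = build_response(0x1A2B, "login.example.test", "203.0.113.66")  # answer for a name we never asked about
    return (accept_answer(query, genuine),
            accept_answer(query, wrong_id),
            accept_answer(query, wrong_name))


if __name__ == "__main__":
    print(demo())
```

The ID check is only worth something if the resolver picks its transaction IDs and source ports at random; together with rejecting answers for names that were not asked about, that is the mitigation behind modern resolvers. DNSSEC validation adds a cryptographic check on top, which this example does not cover.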
- IP Address Spoofing
Computers and other electronic devices that connect to the internet are identified by their IP (Internet Protocol) address. This address serves as a unique name used in communication and information sharing between clients and servers, senders and receivers, or hosts that communicate within a local or wide area network.
Through IP address spoofing, an attacker masquerades as another user by hijacking their IP address range and uses it to establish an illegitimate connection in the network while appearing legitimate. IP address spoofing can aid in perpetrating other types of network attacks such as Denial of Service (DoS) attacks, Man-in-the-Middle (MITM) attacks and more.
Keep an eye on the regular traffic patterns on your network so that you can spot unusual traffic when it appears. Such anomalies are a warning that something is off and should be investigated more thoroughly.
Preventing Spoofing Attacks
Spoofing attacks are widespread, so it is vital to understand how they work so you can stop them, or remediate them if they do happen. Watch for the typical warning signs of a spoofing attack so you can defend yourself better.
- Use packet filtering tools - During transmission, packet filters examine the packets being sent and delivered. They restrict and drop packets with erroneous source addresses, and this filtering can assist in combating spoofing attacks.
IP packets are analysed via packet filtering, and those with unknown source information are blocked. This is a sensible approach to getting rid of forged IP packets, since malicious packets, whatever source address they claim, arrive from outside the network. Most packet-filter tools, such as tcpdump, perform in-depth filtering through a rule-based approach which lets you block many different types of IP spoofing attacks.
- Employ spoofing detection software - Some software programs aid in the early detection of spoofing attacks. Tools like NetCut or arpwatch are effective against spoofing attacks because they examine and authenticate data before it is received by a victim device.
- Use secure communication protocols - Several secure communication protocols, such as Secure Shell (SSH), Internet Protocol Security (IPsec) and Transport Layer Security (TLS), underpin secure application protocols such as HyperText Transfer Protocol Secure (HTTPS) and File Transfer Protocol Secure (FTPS). When properly implemented, these protocols validate the program or machine being connected to and encrypt transmitted data and internet traffic, lowering the possibility that a spoofing attack will succeed.
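The packet-filtering rule the IP spoofing and packet filtering passages describe is usually called ingress/egress filtering (BCP 38): a packet arriving from the internet must not claim an internal or unroutable source, and a packet leaving the internal network must carry one of the site's own addresses. The following is an added example, not the article's code, that models that decision per packet in plain Python. The interface names, the internal prefix and the (deliberately short) bogon list are assumptions constructed for the demo.

```python
"""Ingress/egress anti-spoofing filter (BCP 38 style) in plain Python.

Added example, not the article's code.  It models the rule a border firewall
applies to each packet: on the external interface, drop anything claiming an
internal or unroutable (bogon) source; on the internal interface, drop anything
that does not carry one of our own prefixes.  Interface names, prefixes and the
bogon list are constructed for the demo and not exhaustive.
"""
import ipaddress

# Assumed site addressing: our own routed prefix lives behind interface "lan".
INTERNAL_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]

# Source ranges that must never arrive from the internet (private, loopback, link-local, multicast, ...).
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def filter_packet(ingress_iface, src_ip):
    """Return ('accept', reason) or ('drop', reason) for one packet's source address."""
    src = ipaddress.ip_address(src_ip)
    inside = _in_any(src, INTERNAL_PREFIXES)
    if ingress_iface == "wan":
        if inside:
            return ("drop", "internal source address arriving from the internet")
        if _in_any(src, BOGON_PREFIXES):
            return ("drop", "unroutable (bogon) source address")
        return ("accept", "external source on external interface")
    if ingress_iface == "lan":
        if not inside:
            return ("drop", "internal host sourcing an address we do not own")
        return ("accept", "internal source on internal interface")
    return ("drop", "unknown interface")


def filter_batch(packets):
    """Apply the policy to (iface, src) pairs; returns the list of actions."""
    return [filter_packet(iface, src)[0] for iface, src in packets]


# Constructed sample packets.
SAMPLE = [
    ("wan", "203.0.113.7"),    # ordinary internet client
    ("wan", "10.20.1.5"),      # claims to be one of our own hosts: the classic spoof
    ("wan", "192.168.1.1"),    # private address from the internet: never legitimate
    ("lan", "10.20.3.4"),      # our host going out with its own address
    ("lan", "198.51.100.9"),   # our host sourcing someone else's address
]

if __name__ == "__main__":
    for (iface, src), (action, reason) in zip(SAMPLE, (filter_packet(i, s) for i, s in SAMPLE)):
        print(f"{iface:3} {src:15} {action:6} {reason}")
```

In production the same policy is expressed as firewall rules at the border, or as unicast reverse-path forwarding on the router; the `lan` branch matters as much as the `wan` branch, because it stops your own network from being the source of spoofed DoS traffic.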
Firewall Bypass
A firewall is a hardware- or software-based network security tool that defends a network or an application against unwanted access or communication by keeping track of all incoming and outgoing traffic and allowing, blocking or dropping it in line with a predetermined set of rules.
It serves as a partition between trusted and untrusted networks. Hackers nevertheless employ several techniques to circumvent firewalls, and these attacks can succeed because of application vulnerabilities, misconfigurations and human error.
Using firewall bypass techniques, an attacker can reach network resources or other sensitive information without being detected. Port forwarding and MAC address spoofing are two of the ways firewalls are bypassed.
A well-configured firewall should remain an important line of defence for any business trying to protect its assets. Although basic and highly necessary, firewalls should not be a standalone solution for protecting systems, applications or networks, since they will not be sufficient to shield an organization against all of the attacks it faces. Hackers employ sophisticated tools and new techniques to bypass firewall protections for their malicious activity and data exfiltration.
Denial of Service(DoS) Attack
A DoS attack is one in which an attacker prevents users from accessing information systems, devices or other network resources. DoS attacks can cost a business financial and time resources while its services, business operations and resources remain unavailable.
A denial-of-service attack involves overwhelming a computer or network to cause it to crash or become inaccessible. Attackers accomplish this by flooding the target network with more traffic than it can tolerate. Email accounts, internet banking systems, websites and applications all rely on an organization's network to function.
DoS attacks can target network resources to exhaust everything available in the system, such as storage, or flood a network with more packets than it can handle. Attackers can employ a botnet to send an overwhelming attack payload to a network in a more sophisticated variant called a Distributed Denial of Service (DDoS) attack.
Types of DoS Attacks
- Smurf Attacks - Smurf attacks are DoS attacks in which the attacker sends a high volume of packets whose forged source IP address is the target machine's address, so that when the participating hosts respond, the target is flooded and becomes inoperable.
- Layer 7 DoS Attack (Application Layer Attack) - This is an attack on the application layer of the OSI model which targets a single service rather than the entire network. It deliberately attempts to overload servers with traffic, mostly HTTP, by sending huge numbers of requests for a specific web page per second until the server becomes overrun and unable to handle them all.
The severity of Layer 7 DDoS attacks tends to surpass that of other DDoS attack types because layer 7 attacks overwhelm servers and networks with HTTP traffic, and these overruns are often more difficult to detect than other DoS attack types, which makes mitigating them early more challenging yet all the more imperative.
- SYN DoS attack - A SYN message opens the three-way handshake used by TCP/IP connections between a client and a server. In this DoS attack type, the attacker opens many SYN connections with the target server but never completes the handshake: masquerading as a legitimate client, the attacker sends a SYN message, and when the server responds with a SYN-ACK, the fake client never sends the final ACK. The server is thus forced to keep numerous connections half-open. The listening port becomes saturated with these unfinished handshakes and cannot accept new requests, which prevents other clients from connecting, while the attacker keeps sending requests to keep the ports saturated.
Preventing DoS Attacks
A DoS attack can be detected more quickly, and at its beginning, if you are familiar with the overall behaviour of your network traffic, especially incoming traffic. To maintain a model of your network's behaviour, monitor it constantly using network detection and response technologies in real time, so that anomalous traffic spikes are spotted at the earliest opportunity.
Use firewall perimeters to set network or application rules for inbound traffic requests.
Watch out for spoofed addresses by checking source-to-destination address mappings.
Protect all endpoints through continuous updating and patching.
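The SYN flood described under "Types of DoS Attacks" and the "know your baseline" advice above fit together in one detector. The following is an added example, not the article's code: it learns a threshold from a quiet window of per-second SYN counts (mean plus three standard deviations), then scans a stream of server-side connection events for seconds that exceed it and for sources that leave handshakes half-open. All counts and addresses are constructed for the demo.

```python
"""Baseline-based detection of a SYN flood from connection events.

Added example, not the article's code.  First a threshold is learned from a
quiet period of per-second SYN counts (mean plus three standard deviations),
then a stream of constructed connection events is scanned for seconds that
exceed it and for sources that leave handshakes half-open.  All addresses and
counts are constructed for the demo.
"""
import statistics
from collections import Counter

# Constructed per-second SYN counts from a quiet learning window.
BASELINE_SYNS_PER_SECOND = [12, 15, 11, 14, 13, 12, 16, 14, 13, 12]


def baseline_threshold(counts, k=3.0):
    """Mean + k standard deviations of the learning window."""
    return statistics.mean(counts) + k * statistics.stdev(counts)


def make_events():
    """Constructed server-side events: (second, client_ip, client_port, event)."""
    events = []
    for i in range(14):  # second 100: 14 clients, each completes the handshake
        events.append((100, f"203.0.113.{i + 1}", 40000 + i, "syn"))
        events.append((100, f"203.0.113.{i + 1}", 40000 + i, "ack"))
    for i in range(40):  # second 101: 40 SYNs from one source, none of them finished
        events.append((101, "198.51.100.77", 50000 + i, "syn"))
    return events


def syn_spikes(events, threshold):
    """Seconds whose SYN count exceeds the learned threshold -> {second: count}."""
    per_second = Counter(t for t, _, _, kind in events if kind == "syn")
    return {t: n for t, n in per_second.items() if n > threshold}


def half_open_by_source(events):
    """Count handshakes per source that saw a SYN but never the final ACK."""
    pending = {}
    for _t, src, sport, kind in events:
        key = (src, sport)
        if kind == "syn":
            pending[key] = src
        elif kind == "ack":
            pending.pop(key, None)  # handshake completed; no longer half-open
    return Counter(pending.values())


def top_offender(events):
    """(source, half-open count) for the worst source, or None if nothing is pending."""
    counts = half_open_by_source(events)
    return counts.most_common(1)[0] if counts else None


if __name__ == "__main__":
    events = make_events()
    threshold = baseline_threshold(BASELINE_SYNS_PER_SECOND)
    print(f"threshold: {threshold:.1f} SYN/s")
    print("spikes:", syn_spikes(events, threshold))
    print("top offender:", top_offender(events))
```

A rate threshold alone also fires on a legitimate traffic burst; the half-open count is what distinguishes a flood (SYNs that never complete) from a popular moment (SYNs that do). Note that a flood using spoofed sources will spread the half-open count across many addresses, so the per-second spike remains the first signal.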
Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack is one in which attackers eavesdrop on, or masquerade as, a legitimate participant to intercept an already established connection or data exchange; by doing so the attacker can discreetly capture data.
Through MITM, attackers can:
Inject themselves into an ongoing, legitimate connection or data transmission as gateways or intermediaries.
Carry out a form of hijacking of legitimate user sessions.
Take advantage of the real-time nature of chats and data transfers to steal sensitive information without being detected.
Gain the opportunity to inject backdoors and other malicious resources that are difficult to differentiate from genuine data.
Preventive Measures for MITM Attacks
Encrypt sensitive data in transit.
Never use a public Wi-Fi network for important transactions requiring your personal information, especially Wi-Fi networks without password protection.
Use a Virtual Private Network (VPN) when connecting to the internet; a VPN encrypts your online traffic and hides your private information.
Use a firewall to set traffic rules.
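"Encrypt sensitive data in transit" only defeats a man-in-the-middle if the client actually verifies who it is talking to. The following is an added example, not the article's code, showing the weak client TLS configuration beside the hardened one in Python's standard `ssl` module, plus a helper that checks which of the two a given context is. The `cafile` path and the host name passed to `fetch_over_tls` are placeholders; that function needs a network and is not exercised by the demo.

```python
"""Client-side TLS configuration: the weak variant beside the hardened one.

Added example, not the article's code.  A MITM succeeds against a TLS client
only if the client accepts whatever certificate the interceptor presents; the
weak context below does exactly that, while the hardened one verifies the
certificate chain and the hostname and refuses protocol versions before 1.2.
The `cafile` path and host names are placeholders.
"""
import socket
import ssl


def weak_client_context():
    """What not to ship: certificate and hostname checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, self-signed or forged, is accepted
    return ctx


def hardened_client_context(cafile=None):
    """Verifies the server certificate chain and hostname; TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store unless cafile is given
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_resists_mitm(ctx):
    """True when the context would reject an interceptor's forged certificate."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def fetch_over_tls(host, port=443, cafile=None, timeout=5.0):
    """Open a verified TLS connection and return the negotiated protocol version (needs network)."""
    ctx = hardened_client_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the hostname check against the certificate.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("weak context resists MITM:    ", context_resists_mitm(weak_client_context()))
    print("hardened context resists MITM:", context_resists_mitm(hardened_client_context()))
```

The weak shape is common in code written to "make the certificate error go away" during development; an interceptor on public Wi-Fi or a compromised VPN endpoint needs nothing more than such a client. The hardened context is what `create_default_context()` already gives you, so the rule is simply never to turn its checks off outside a test that pins a known certificate.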
Network Security Best Practices
Separate your network into different subnets or segments and protect each according to its security needs. This segmentation makes it difficult for an attacker to launch a full-scale attack on the organization's entire network.
Use a proxy to filter all requests and monitor user behaviour.
Use security tools that can detect threats automatically, analyze their behaviour and give full insight into all inbound, outbound and internal corporate network traffic. Combining the results of two or more security tools presents a holistic view of what occurs on the network.