Network Attack and Defense Strategies

Essential Terminologies

1. Asset
Definition: Anything of value to an organization that requires protection.
Examples: Customer data, intellectual property, network infrastructure, or financial records.

2. Threat
Definition: A potential danger or event that could harm an asset by exploiting a vulnerability.
Examples: A cyber attack on a company's servers or natural disasters affecting data centers.

Threat Sources
- Natural Threats. Definition: Naturally occurring events that can harm assets. Example: Earthquakes, floods, or hurricanes that damage physical servers.
- Unintentional Threats. Definition: Harm caused accidentally by individuals or systems. Example: A staff member mistakenly deleting critical files or misconfiguring a security setting.
- Intentional Threats:
  - Internal Threats. Definition: Malicious actions taken by individuals within the organization. Example: An employee stealing sensitive data or sabotaging systems.
  - External Threats. Definition: Attacks from individuals or groups outside the organization. Example: Hackers launching a ransomware attack or competitors engaging in industrial espionage.

Threat Actors/Agents
- Hacktivists
- Cybercriminals
- Nation-state actors
- Insider threats
- Script kiddies
- Organized crime groups
- Terrorist organizations
- Competitors
- Disgruntled employees
- Cyber espionage groups

3. Vulnerability
  1. TCP/IP Protocol Vulnerabilities: Weaknesses in the design of TCP/IP protocols (e.g., IP spoofing, SYN flooding) can be exploited for attacks like denial-of-service (DoS) or man-in-the-middle (MITM).
  2. Operating System Vulnerabilities: Flaws or misconfigurations in OS software can be exploited for privilege escalation, unauthorized access, or malware installation.
  3. Network Device Vulnerabilities: Routers, switches, or firewalls with outdated firmware or misconfigurations are susceptible to attacks, such as unauthorized access or traffic interception.
  4. Default Password Vulnerabilities: Failure to change default passwords on devices or software allows attackers to easily gain control over systems.
  5. User Account Vulnerabilities: Weak passwords, lack of multi-factor authentication, or excessive permissions make user accounts vulnerable to compromise and unauthorized access.
  6. Unwritten Policy: Lack of formalized security policies can lead to inconsistent security practices, leaving the organization exposed to risks.
  7. Politics: Internal conflicts or bureaucracy can hinder the implementation of consistent and effective security measures, exposing the organization to threats.
  8. Lack of Awareness: Employees' lack of cybersecurity knowledge or training can lead to risky behavior, like falling victim to phishing attacks or mishandling sensitive data.

4. Risk
Risk refers to the potential for loss, damage, or harm to an asset when a threat exploits a vulnerability. It represents the likelihood that an attack or adverse event will negatively impact the organization or system.
Formula: Risk = Asset + Threat + Vulnerability
- Asset: Anything valuable that needs protection (e.g., data, infrastructure).
- Threat: Potential dangers (e.g., hackers, natural disasters).
- Vulnerability: Weaknesses or flaws that can be exploited (e.g., unpatched software).

Example of Risk:
- Asset: Customer data
- Threat: Cybercriminals conducting a data breach
- Vulnerability: Unpatched web application vulnerability
- Risk: Loss of customer data leading to legal penalties, reputational damage, and financial loss.

5. Cyber Attack
A cyber attack is an attempt by malicious actors to damage, disrupt, steal, or gain unauthorized access to systems, networks, or data.

Motives Behind Cyber Attacks:
- Financial Gain: Stealing money, data for ransom (ransomware), or fraud.
- Espionage: Stealing sensitive information (corporate or state secrets).
- Political or Ideological Reasons (Hacktivism): Protesting or promoting political agendas.
- Disruption: Causing operational downtime (e.g., DDoS).
- Revenge or Sabotage: Insiders or competitors harming an organization.

Attack = Motive (Goal) + Method (TTPs) + Vulnerability
- Motive (Goal): The attacker's objective (e.g., stealing data, causing disruption).
- Method (TTPs): The Tactics, Techniques, and Procedures used (e.g., phishing, malware).
- Vulnerability: The weakness exploited (e.g., unpatched software, weak passwords).

Examples of Network-level Attack Techniques

Reconnaissance Attacks
Attackers gather information about a target system or network. The goal is to identify potential vulnerabilities that can be exploited in future attacks. These attacks are passive or active, depending on whether they directly interact with the target.

Types of Reconnaissance Attacks:
- Passive Reconnaissance: The attacker gathers information without directly interacting with the target, making it harder to detect. Examples:
  - Social engineering: Gathering information from social media, websites, or public records.
  - DNS queries: Collecting domain name server information.
- Active Reconnaissance: The attacker interacts with the target system to gather more detailed information, which is more likely to trigger detection. Examples:
  - Port scanning: Identifying open ports and services on the target.
  - Ping sweeps: Determining which IP addresses are active.
  - Network mapping: Creating a layout of the network architecture.

Network Sniffing Attack
The attacker intercepts and monitors network traffic to capture sensitive information such as usernames, passwords, or financial data.
How It Works: The attacker uses a tool called a "sniffer" to capture unencrypted data as it travels across the network.
Targeted Data: Sensitive data like login credentials, personal information, or confidential communications.
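Active reconnaissance is "more likely to trigger detection" because a port scan leaves a distinctive footprint: one source touching many distinct ports on one host in a short time. The following added example (not from the slides) shows that detection logic run over constructed firewall log lines; the log format, the threshold of 10 distinct ports and the 60-second window are assumptions for the example.

```python
"""Port-scan detector over constructed firewall log lines (added example).

Assumed log format (not from the slides): "<epoch> <ACCEPT|DROP> <src> -> <dst>:<port>".
A scan is one source touching PORT_THRESHOLD distinct ports on one host
within WINDOW_SECONDS; the sample lines below are constructed, not real."""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(\d+) (ACCEPT|DROP) (\S+) -> (\S+):(\d+)$")
PORT_THRESHOLD = 10   # distinct ports that count as a scan (tunable assumption)
WINDOW_SECONDS = 60   # sliding window length (tunable assumption)

def parse_line(line):
    """Return (ts, action, src, dst, port), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port = m.groups()
    return int(ts), action, src, dst, int(port)

def detect_port_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): distinct_ports} for every pair that reaches the
    threshold inside some window. Distinct ports are counted rather than
    packets, so retries against one closed port are not reported as a scan."""
    events = defaultdict(list)            # (src, dst) -> [(ts, port), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparsable line: skip, do not crash
        ts, _action, src, dst, port = rec
        events[(src, dst)].append((ts, port))
    alerts = {}
    for key, hits in events.items():
        hits.sort()                       # by timestamp, so hits[i:] is the window tail
        best = 0
        for i, (start, _port) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            best = max(best, len(ports))
        if best >= threshold:
            alerts[key] = best
    return alerts

# Constructed sample: one source sweeps ports 20-31 in 12 s, a normal client
# hits 443 three times, and the sweeper returns 15 min later for one port.
SAMPLE_LOG = (
    [f"{1700000000 + i} DROP 203.0.113.5 -> 192.0.2.10:{20 + i}" for i in range(12)]
    + ["1700000030 ACCEPT 198.51.100.7 -> 192.0.2.10:443"] * 3
    + ["1700000900 DROP 203.0.113.5 -> 192.0.2.10:8080"]
)
```

Running detect_port_scans(SAMPLE_LOG) flags only 203.0.113.5 against 192.0.2.10 with 12 distinct ports; the repeated 443 connections and the single later probe stay below the threshold.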
Man-in-the-Middle (MitM) Attack
A Man-in-the-Middle (MitM) attack occurs when an attacker secretly intercepts and potentially alters communication between two parties who believe they are directly communicating with each other.
How It Works: The attacker positions themselves between the sender and receiver, eavesdropping on or manipulating the data in transit.
Targeted Data: Login credentials, financial information, or any sensitive communication.
Types:
- Eavesdropping: Simply listening to the communication.
- Session Hijacking: Taking over an active session between two users.
- SSL Stripping: Downgrading secure HTTPS connections to unencrypted HTTP.

Password Attack
A password attack is an attempt by an attacker to gain unauthorized access to a system or account by cracking or guessing a user's password.
Common Types of Password Attacks:
- Brute-Force Attack: Trying every possible password combination until the correct one is found.
- Dictionary Attack: Using a pre-defined list of commonly used passwords or words to guess the password.
- Credential Stuffing: Using stolen credentials from previous data breaches to log into different accounts.
- Phishing: Tricking users into revealing their passwords through deceptive emails or websites.
- Keylogging: Capturing keystrokes to steal passwords.

Privilege Escalation Attack
Privilege escalation involves gaining elevated access rights or permissions beyond what was initially granted. Attackers exploit vulnerabilities or misconfigurations to achieve this.
Example (Windows Exploit): Suppose an attacker finds a vulnerability in a Windows operating system that allows them to execute commands as a standard user but with elevated privileges. By exploiting this vulnerability, the attacker can gain administrative access and perform actions such as installing malware or accessing sensitive data.

DNS Poisoning Attack
DNS poisoning corrupts the DNS cache with false information.
This causes DNS queries to resolve to incorrect IP addresses, leading users to malicious or incorrect sites.
Example (Phishing Redirection): An attacker poisons the DNS cache of a network to redirect users from a legitimate banking website to a fake phishing site. When users enter their credentials on the fake site, the attacker can steal their login information.

ARP Poisoning Attack
ARP poisoning involves sending fake ARP messages to associate a malicious MAC address with an IP address on a local network. This causes network traffic intended for that IP to be sent to the attacker's machine.
Example (Man-in-the-Middle Attack): An attacker sends ARP replies to a local network, associating their MAC address with the IP address of the default gateway. As a result, network traffic meant for the gateway is intercepted by the attacker, allowing them to monitor or alter the traffic.

DHCP Starvation Attack
In a DHCP starvation attack, the attacker sends many DHCP requests to exhaust the pool of IP addresses available for assignment. This prevents legitimate devices from obtaining IP addresses and connecting to the network.
Example (Denial of Service): An attacker on a network floods the DHCP server with requests using spoofed MAC addresses. The server's IP address pool is depleted, and new devices cannot obtain IP addresses, leading to a network outage or loss of connectivity for legitimate users.

MAC Spoofing Attack
MAC spoofing involves changing the MAC address of a network interface to impersonate another device. This can bypass MAC address-based security controls or cause confusion in network management.
Example (Bypassing MAC Filtering): Suppose a network uses MAC address filtering to allow only certain devices to connect. An attacker can spoof the MAC address of a permitted device, allowing their own device to bypass the filter and gain unauthorized network access.
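The ARP poisoning example above has two observable symptoms on the wire: the gateway IP suddenly "moves" to a different MAC, and one MAC ends up answering for several IPs. This added example (not from the slides) implements a detector for both signals over constructed ARP reply records; the gateway address, its trusted MAC and the sample records are assumptions for the example.

```python
"""ARP-poisoning detector over constructed ARP reply records (added example).

Assumptions (not from the slides): each record is (timestamp, sender_ip,
sender_mac) from an ARP reply seen on the LAN, the gateway's trusted binding
is known in advance, and the records below are constructed, not captured."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"          # assumed gateway address
GATEWAY_MAC = "aa:bb:cc:00:00:01"   # assumed trusted gateway MAC

def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return alert strings for two signals:
      1. an IP whose claimed MAC differs from the first binding seen (the
         gateway is pinned to its trusted MAC from the start), and
      2. one MAC claiming several IPs, the shape of a host that answers for
         both the gateway and a victim in order to relay their traffic."""
    bindings = {gateway_ip: gateway_mac.lower()}   # ip -> trusted / first-seen mac
    ips_per_mac = defaultdict(set)                 # mac -> ips it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = bindings.setdefault(ip, mac)
        if prev != mac:
            kind = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append(f"{ts}: {kind} {ip} moved from {prev} to {mac}")
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"{ts}: {mac} now claims {sorted(ips_per_mac[mac])}")
    return alerts

SAMPLE_REPLIES = [   # constructed LAN activity
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway answering normally
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation answering normally
    (3, "192.168.1.1", "de:ad:be:ef:00:99"),   # third host claims the gateway IP
    (4, "192.168.1.20", "de:ad:be:ef:00:99"),  # and then the workstation IP
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
```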
SQL Injection Attack
SQL injection occurs when an attacker inserts malicious SQL into an input field, tricking the database into executing unintended commands.
Example (Login Bypass): An attacker enters ' OR '1'='1 into a login form's username field. If the application builds its query as SELECT * FROM users WHERE username = 'username' AND password = 'password' by inserting the input directly into the SQL text, the injected condition makes the query always return true, allowing the attacker to bypass authentication and gain unauthorized access.

Cross-site Scripting (XSS) Attack
XSS attacks involve injecting malicious scripts into web pages viewed by other users. These scripts execute in the context of the victim's browser.
Example (Cookie Theft): An attacker injects a script into a comment field on a blog. When another user views the comment, the script runs and sends the user's cookies to the attacker's server. The attacker can then use these cookies to impersonate the victim.

Social Engineering Attack
Social engineering manipulates individuals into revealing confidential information or performing actions that compromise security. Common tactics include impersonation and shoulder surfing.
Examples:
- Calling for Information: An attacker calls an employee pretending to be from IT support, asking for login credentials to "fix" an issue. The employee provides the credentials, which the attacker then uses to access sensitive systems.
- Over-the-Shoulder Viewing: An attacker observes users entering their password on a public computer terminal. By watching over their shoulder, the attacker captures the password and uses it to gain unauthorized access.

Email Attacks
- Malicious Email Attachments: These attacks involve sending emails with attachments that contain malware. Opening these attachments can compromise the recipient's system. Example (Ransomware): An email with an attachment labeled "Invoice.pdf" contains ransomware. When opened, the attachment encrypts the victim's files and demands a ransom for the decryption key.
- Phishing: Sending fraudulent emails that appear to come from legitimate sources to trick recipients into revealing sensitive information or clicking malicious links. Example (Credential Theft): An attacker sends an email that looks like it is from a bank, asking the recipient to verify their account details by clicking a link. The link leads to a fake bank website designed to capture login credentials.

Mobile-Specific Attacks
Rooting and Jailbreaking: Rooting (Android) and jailbreaking (iOS) involve gaining unauthorized access to the device's operating system and bypassing built-in security measures.
- Rooting Example (Malicious Applications): An attacker creates an application that requests root access. Once installed, it gains full control over the device and can steal data or install further malware.
- Jailbreaking Example (Unrestricted App Installation): A user jailbreaks their iPhone to install applications not approved by Apple. These apps might contain malware that can steal personal information or compromise the device's security.

Wireless Network Attacks
- Rogue Access Point Attack: A rogue access point is an unauthorized Wi-Fi access point set up to intercept or manipulate network traffic. Example (Evil Twin): An attacker sets up a Wi-Fi network with the same SSID as a legitimate network. Users unknowingly connect to this rogue access point, allowing the attacker to intercept their data or perform man-in-the-middle attacks.
- Jamming Signal Attack: Jamming involves using a device to broadcast interference on the same frequency as a wireless network, disrupting its communication. Example (Denial of Service): An attacker uses a jamming device to send continuous radio signals on the Wi-Fi frequency, causing legitimate devices to lose connectivity and rendering the network unusable.

Goals of Network Defense
Apply rules and measures to protect the CIA (confidentiality, integrity, and availability) of the network's information systems.
- Protect Confidentiality: Ensure that sensitive information is only accessible to authorized individuals.
- Maintain Integrity: Ensure that data is accurate and unaltered by unauthorized parties.
- Ensure Availability: Network resources are accessible when authorized users need them.
- Detect and Respond to Threats: Identify and address security incidents promptly to minimize impact.
- Compliance: Adhere to legal and regulatory requirements for data protection and security.
- Enhanced Security: Protects against unauthorized access, data breaches, and other security threats.
- Reduced Risk: Mitigates potential impacts of cyber threats and vulnerabilities.

Information Assurance (IA) Principles
- Confidentiality: Ensuring that information is only accessible to those authorized to view it.
- Integrity: Ensuring that information is accurate and has not been tampered with.
- Availability: Ensuring information and resources are available to authorized users when needed.
- Authentication: Ensuring that the identity of an individual is verified by the system or service.
- Non-repudiation: Ensuring that actions or transactions cannot be denied after they have occurred.

Network Security Approaches
- Preventive Approaches: Measures taken to prevent security incidents before they occur. Examples: Firewalls, antivirus software, encryption.
- Reactive Approaches: Measures taken to respond to and mitigate the effects of security incidents after they occur. Examples: Incident response plans and forensic analysis.
- Retrospective Approaches: Measures taken to analyze and learn from past security incidents to improve future defenses. Examples: Post-incident reviews and threat intelligence analysis.
- Proactive Approaches: Measures taken to anticipate and address potential security threats before they materialize. Examples: Regular security audits, vulnerability assessments, threat hunting.
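A preventive control in code: the SQL injection login bypass from the attack section above, run as an added example (not from the slides) against a query built by string concatenation and against the same query with bound parameters. The in-memory users table, the account, and placing the slides' payload in both form fields are assumptions for the example.

```python
"""The slides' login-bypass payload against a concatenated query and a
parameterized one (added example; the users table and account are constructed)."""
import sqlite3

PAYLOAD = "' OR '1'='1"   # the input quoted in the slides

def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by pasting the input into the SQL text."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    """Same query with bound parameters: the input is compared as a literal."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo():
    """Run the payload through both versions and a real login through the safe one."""
    conn = make_db()
    # AND binds tighter than OR, so the injected '1'='1' must reach the final
    # condition; supplying the payload as both fields guarantees that here.
    return {
        "vulnerable_bypass": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "safe_bypass": login_safe(conn, PAYLOAD, PAYLOAD),
        "safe_real_login": login_safe(conn, "alice", "correct horse"),
    }

if __name__ == "__main__":
    print(demo())
```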