Poor Configuration – Cisco Attacks and Threats

Poor configuration, including poor passwords, is the primary cause of breaches. Basic rules in this area include

• Make certain attack surfaces are well understood and each apparent vulnerability is blocked through configuration.

• Eliminate default configurations and passwords.

• Enforce good passwords.

• Use tools to find and replace compromised passwords.

In general, network engineers should always reduce risk by making every entry point into the network secure.

Man-in-the-Middle Attacks

Man-in-the-middle (MITM) attacks force traffic through a third party, which transparently decrypts and re-encrypts it.

Figure 19-2 illustrates an MITM.

Figure 19-2 Man-in-the-Middle Attack

Before the MITM in Figure 19-2, traffic between host A and server B is encrypted using a shared private key. This connection is secure; outside parties cannot see the data transmitted between A and B.

After the MITM in Figure 19-2:

• Host A believes it has a secure session with server B, but it has a secure session with the attacker’s server, G.

• Server B believes it has a secure session with host A, but it has a secure session with the attacker’s server, G.

Because G decrypts data from A and then re-encrypts it to transmit it to B, the attacker can see the transmitted data in the clear. The attacker can access credentials, account numbers, usernames, and any other information transmitted from host A to server B. The attacker can use all this information to breach B’s or A’s networks.

The attacker can also inject new information into the secured session. In particular, the attacker could bundle malware in a website or even replace an executable file with malware.

Note

Chapter 16, “Names and Time,” describes MITM in relation to the Domain Name System (DNS).
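As an added example (not from the book), the following Python model shows why encryption alone does not stop the attack in Figure 19-2: an unauthenticated key exchange lets G hold a separate key with each side, while binding a long-term secret to the exchanged values lets A detect the substitution. The Diffie-Hellman parameters, the pre-shared key and the handshake layout are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters: a small prime chosen only so the arithmetic
# is readable. Real systems use standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3
# Assumed long-term secret provisioned to A and B out of band; G never has it.
PSK = b"constructed pre-shared key for A and B"

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    # Session key from the shared DH value (both sides must compute the same value).
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def authenticator(pub_a, pub_b):
    # MAC over the transcript, so it binds the exact public values each side saw.
    msg = pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big")
    return hmac.new(PSK, msg, "sha256").digest()

def handshake(authenticate, interceptor):
    """Model one A<->B key exchange; if G is present it substitutes its own
    public value in both directions, like the attacker's server in Figure 19-2."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if interceptor:
        g_priv, g_pub = keypair()
        a_sees, b_sees = g_pub, g_pub      # each side receives G's value, not its peer's
    else:
        a_sees, b_sees = b_pub, a_pub
    a_key = derive_key(a_priv, a_sees)
    b_key = derive_key(b_priv, b_sees)
    result = {
        "keys_match": a_key == b_key,      # A and B share one key only without G
        # With G present, G shares a key with each side and can read A's traffic.
        "interceptor_reads_a": interceptor and derive_key(g_priv, a_pub) == a_key,
        "verified": None,
    }
    if authenticate:
        # B MACs the transcript as B observed it and sends the tag (G can relay
        # but not forge it); A checks it against A's own view of the transcript.
        tag_from_b = authenticator(b_sees, b_pub)
        result["verified"] = hmac.compare_digest(tag_from_b, authenticator(a_pub, a_sees))
    return result
```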

Lateral Movement

Access to a single device in a network is not necessarily very useful for an attacker. Once the attacker has gained access to a single device, they must find and gain access to either a lot of systems or a small set of systems with critical data.

Lateral movement is moving from the initial beachhead further into the network by compromising additional devices in the network.

Figure 19-3 illustrates an example of the lateral movement process.

Figure 19-3 Lateral Movement

In Figure 19-3:

1.  The attacker uses a zero-day exploit, phishing campaign, physical access, or attack against a single user. Once the attacker has gained access to this first beachhead in the network, they will explore the network using internal tools like local DNS caches, DNS queries, local IPv4 Address Resolution Protocol (ARP) caches, and IPv6 Neighbor Discovery (ND) caches. The attacker can then explore local username and password stores, such as the credentials stored in a web browser.

2.  By exploring the network, the attacker discovers an internal web server. The attacker assumes this server is important because the compromised user connects to it regularly. Connecting to the server from a command line reveals the web server software and the operating system installed on it. This information leads the attacker to a prebuilt exploit for that version of the web server or operating system. Using this exploit, the attacker gains access to the web server.

3.  Because the web server does not store data locally, it must connect to a database server to build user web pages. To connect to this database server, some process on the web server must have an account on the database server, and the credentials for that account must be stored in some file on the web server. Once the attacker finds this information, they can log in to the database server as a trusted process. In this case, the database server also backs the identity store that provides internal directory services, so the attacker has access to the personal information of every user in the network. If there are known vulnerabilities or an available exploit for this identity store, the attacker can access the entire identity store, including usernames and passwords.

Lateral movement through the network is critical for attackers who want to maximize the disruption they cause or the information they gather.
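As an added example (not from the book), detection logic a defender could run over authentication logs to surface two patterns from steps 1 to 3 above: one account fanning out to several hosts in a short window, and a service account such as the web server's database credential being used from a host it never runs on. The log format, hosts, account names and baseline are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not from any real system).
# Fields: time, account, source host, destination host, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z user=alice src=10.0.0.21 dst=10.0.0.21 result=success
2024-05-01T10:01:10Z user=alice src=10.0.0.21 dst=10.0.1.7 result=success
2024-05-01T10:03:40Z user=alice src=10.0.0.21 dst=10.0.1.8 result=success
2024-05-01T10:04:02Z user=alice src=10.0.0.21 dst=10.0.1.9 result=success
2024-05-01T10:20:00Z user=websvc src=10.0.1.7 dst=10.0.2.5 result=success
2024-05-01T11:30:00Z user=websvc src=10.0.0.21 dst=10.0.2.5 result=success
2024-05-01T11:31:00Z user=bob src=10.0.0.30 dst=10.0.1.7 result=failure
"""

# Assumed baseline: service accounts and the only hosts they should run on
# (websvc stands in for the web server's database credential from step 3).
SERVICE_BASELINE = {"websvc": {"10.0.1.7"}}

def parse(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(log_text, window=timedelta(minutes=10), host_threshold=3):
    """Return alerts as (signal, account, detail) tuples."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    # Signal 1: one account successfully reaching several distinct hosts within
    # a short window (the beachhead fanning out); logons to itself are ignored.
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success" and ev["src"] != ev["dst"]:
            by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= host_threshold:
                alerts.append(("fan_out", user, sorted(hosts)))
                break
    # Signal 2: a service account used from a host it is not baselined on,
    # which is what reuse of the stored credential by an intruder looks like.
    for ev in events:
        allowed = SERVICE_BASELINE.get(ev["user"])
        if allowed is not None and ev["src"] not in allowed:
            alerts.append(("service_account_misuse", ev["user"], ev["src"]))
    return alerts
```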

Attack Actions

What options does an attacker have who has breached a network and moved laterally through at least a few systems?

The following sections describe a few alternatives.

Command and Control

The first thing any attacker does is build a Command and Control (C2) system, which will allow them to re-access the network if the operator discovers them, tracks down how they breached the network, and attempts to block future access.

Most C2 systems configure the compromised system to contact an external server periodically for instructions, such as an instruction to create a secure tunnel between the compromised system and the attacker’s server. Security systems almost never inspect traffic originating inside the network as thoroughly as traffic arriving from outside.

Sometimes attackers will leave a back door, often in the form of an innocuous-sounding username and password.

Once the network is breached, the attacker aims to increase their dwell time—the amount of time they can stay inside the network without detection. Some attackers have dwelled in networks for years without discovery.
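As an added example (not from the book), one way a defender can flag the periodic check-in described above: group outbound connections by source and destination and look for inter-connection gaps that are too regular for human activity. The flow records, addresses and thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records (not captured traffic):
# (seconds since start of capture, internal source, external destination).
# A compromised host checking in every 5 minutes with a little jitter:
BEACON = [(i * 300 + (i % 3) * 10, "10.0.0.21", "203.0.113.9") for i in range(24)]
# A user browsing the same site at irregular intervals:
BROWSING = [(t, "10.0.0.30", "198.51.100.4")
            for t in (0, 41, 900, 905, 2100, 2130, 3000, 5000, 5002, 7100)]
SAMPLE_FLOWS = BEACON + BROWSING

def beacon_candidates(flows, min_connections=8, max_cv=0.15):
    """Return (src, dst, mean_gap_seconds, cv) for source/destination pairs
    whose connection timing is too regular to be human-driven."""
    by_pair = defaultdict(list)
    for t, src, dst in flows:
        by_pair[(src, dst)].append(t)
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:   # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        # Coefficient of variation: 0 means perfectly periodic. Jitter raises it,
        # but modest jitter still leaves it far below irregular human browsing.
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((src, dst, round(avg, 1), round(cv, 3)))
    return found
```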

Data Exfiltration

An attacker’s second goal is often to exfiltrate data, or copy it from internal sources to a place where the attacker can examine and analyze it. Once data has been exfiltrated, it can be

• Held for ransom. If the organization does not pay the attacker some money, the attacker will release the data “into the wild.”

Holding data for ransom normally means posting the data on some publicly available server. The organization will be highly motivated to pay the ransom if the stolen data includes private information, such as bank or medical records, or source code for a popular product. Of course, like all kidnapping situations, there is no reason to believe an attacker will keep their end of the bargain, even once any ransom has been paid.

• Sold off to people who will use it to scam legitimate users, use the information to breach other systems, or even use the exfiltrated usernames and passwords to break into users’ other accounts.

Data exfiltration can occur in many ways, including

• Through a custom-built VPN tunnel

• Through physical USB thumb drives via an accomplice

• Through DNS queries (very slow, but it still works)

Clever attackers can often exfiltrate data without the operator noticing.
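As an added example (not from the book), detection logic for the DNS channel listed above: a client that issues many unique, long, high-entropy names under one registered domain is carrying data in its queries rather than resolving hostnames. The query log, domain names and thresholds are constructed, and the "registered domain" helper is a simplifying assumption that takes the last two labels.

```python
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log (not captured traffic): (client, queried name).
NORMAL = [("10.0.0.21", n) for n in ("www.example.com", "mail.example.com",
                                      "api.example.com", "cdn.example.com")] * 10
# Simulated exfiltration: each query carries a hex-encoded chunk of data in
# its leftmost label. Chunks are derived from a hash only to build sample data.
EXFIL = [("10.0.0.21", hashlib.sha256(str(i).encode()).hexdigest()[:40]
          + ".t.attacker-example.net") for i in range(40)]
SAMPLE_QUERIES = NORMAL + EXFIL

def entropy(s):
    """Shannon entropy in bits per character; encoded data scores high."""
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())

def registered_domain(name):
    # Assumption: last two labels are the registered domain (no public-suffix list).
    return ".".join(name.rstrip(".").split(".")[-2:])

def dns_exfil_candidates(queries, min_unique=20, min_label_len=30, min_entropy=3.5):
    """Flag (client, domain) pairs issuing many unique, long, high-entropy names."""
    by_pair = defaultdict(set)
    for client, name in queries:
        by_pair[(client, registered_domain(name))].add(name)
    found = []
    for (client, domain), names in by_pair.items():
        if len(names) < min_unique:     # ordinary sites reuse a few hostnames
            continue
        labels = [n.split(".")[0] for n in names]
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            found.append({
                "client": client, "domain": domain, "unique_names": len(names),
                "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                # Rough volume estimate: hex encoding carries one byte per two chars.
                "payload_bytes_est": sum(map(len, labels)) // 2,
            })
    return found
```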
