Adversarial Review


During an adversarial review, we look for ways an attacker might make use of the devices and the configurations of those devices that you have used to create your network. This process is especially important for those devices you have used to implement your security infrastructure. Remember that the overall security of your network relies on the individual components that make up the network. Security settings on one device can have a dramatic effect on the security of another device. To gain a complete view of the security of the entire network, you must take a careful look at each of the devices that implement your security infrastructure and then analyze how the interaction between devices affects security. Adversarial review provides a useful method for exploring the impact of these interactions.

We are not actually attacking the network during an adversarial review. Instead, we are conducting an analytical thought process that allows us to develop scenarios that someone else might use to attack the network. By creating these scenarios and identifying measures that could be used to prevent them, we can locate flaws in the architecture of the perimeter or potentially weak links that do not follow defense-in-depth principles.

To conduct an adversarial review, you must perform the following activities:

  1. Decide what you are trying to prevent. For example, the goal of your adversarial review might be to find a way to deface a website, access an internal database, or perform a denial of service (DoS) attack.

  2. Decide where to start the attack. The attack conceived during the adversarial review is frequently launched from the Internet, but it is also useful to start from an internal network segment to see how to defend against the insider threat.

  3. From the viewpoint of the attacker, determine the access that remains after all the security device configurations have been taken into account. For example, if your goal is to access a system located behind a firewall, and the firewall only allows TCP port 80 traffic through to this system, your review will have to find a way to either attack the server using TCP port 80 or locate a vulnerability in the firewall to circumvent this restriction. To complete this step, you must review configurations and research vulnerabilities for each device you can communicate with. If you discover vulnerabilities, you must make a judgment about how feasible an attack based on these vulnerabilities is.

  4. Determine the impact of taking advantage of any misconfigurations or exploiting any vulnerabilities. Any increase in access gained can then be used to attack additional systems on the network. For example, if you locate a vulnerability that would allow you to take control of an internal server, you can now consider that server under your control and proceed with the review using that system to reach other systems on your network.

  5. Repeat steps 3 and 4 as necessary until you have gained as much access to the network as you can.

  6. Identify additional security controls that would have prevented any of the attacks from succeeding.

One of the most time-consuming parts of the review is step 3. To determine the amount of access an attacker has, you must conduct a detailed analysis of each security device on your network. You will be looking for three key pieces of information:

  • What access does the device have to provide to allow normal network usage? For example, a border firewall normally needs to allow TCP port 80 traffic to the public web server.

  • What extraneous access is the device providing? Too frequently, the configuration of security devices is overly permissive, allowing access that is not required but is useful to the attacker. For example, a firewall might allow TCP port 80 traffic to the entire demilitarized zone (DMZ), not just to the public web server. If a device on the DMZ is running a vulnerable service on port 80, an attacker can exploit it even though access to that device is unnecessary to the operation of the network.

  • Does the device have any vulnerabilities that would allow you to circumvent the security controls? You can use many sources of information on the Internet to research vulnerabilities, including Carnegie Mellon's Computer Emergency Response Team (CERT) at http://www.cert.org and the vulnerability database maintained by SecurityFocus at http://www.securityfocus.com/bid. If you find a vulnerability announcement for your device, you need to carefully review the information to see whether it applies to your environment and, if it does, what you should do to mitigate the problem.

In step 4, you use the access you have discovered to "attack" your network. Thinking like the attacker, you attempt to see whether the access that remains after you have considered each device is sufficient to do significant damage.

Even if you did not find exploitable access in step 3, it is occasionally useful to act as if you had and proceed with the review anyway. New vulnerabilities are discovered in software every day. As an example, consider Microsoft's Internet Explorer web browser. If you were using it in the spring of 2004, you would have had no way of knowing it exposed your network to attack due to an exploitable vulnerability in its drag-and-drop feature (http://www.securityfocus.com/bid/10973). You would have had to wait until August 2004 for the vulnerability to be made public. This vulnerability had actually been in the software since version 5, which was released in 1999. This means that sites that installed this version or its successors (up to version 6) might have been vulnerable to this attack for over five years. Simulating vulnerabilities during your review allows you to experiment with the impact that an undiscovered vulnerability would have on your network.

Step 5 is an iterative process that requires you to look at where the attacker starts to determine how far he can penetrate the network. If you were analyzing your exposure to an external attack, you would likely start the attack with your public systems. These systems normally come under attack first because they are the most exposed to the Internet. If you have (or simulate that you have) a vulnerability in one of these systems, your next step is to think what attackers could do if they were able to exploit the vulnerability successfully.

Gaining control of one of these systems would allow you to start launching more attacks using the public system as the source. If the access you have discovered during the review allows this public system to attack other computers on your network, and these other systems also have exploitable vulnerabilities, you would be able to control these other systems, moving further into your network. You continue this thought process until you run out of systems that an attacker could access or until you have circumvented the security controls that you care about. At this point, you can look to see how far you, as the attacker, got in the network and what security controls you could implement that would have stopped the attack at each step in the process. Assuming those controls are in place, you can re-run the analysis to see whether you can find any other ways to attack your network. When you have run out of ideas, you are done.

Step 6 ends the adversarial review with the identification of the additional security controls necessary to protect your network. Especially for reviews in which you have included simulated vulnerabilities, the review helps you identify the controls necessary to implement defense in depth. This is the real power of the adversarial review: the identification of the layers of defense needed to help protect you against the unknown.
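The following added example (not from the book) models the review procedure above on a constructed network: it lists the extraneous access a firewall policy grants (step 3, second bullet), then iterates steps 3 through 5 from a chosen starting segment using real or simulated vulnerabilities, and finally re-runs the review against a tightened policy (step 6). All host names, segments, rules and ports are invented; the model also assumes that hosts on the same segment can reach each other without crossing the firewall.

```python
from collections import deque

# Constructed example, not from the book: hosts mapped to their network segment.
HOSTS = {"www": "dmz", "mail": "dmz", "dns": "dmz", "db": "internal", "files": "internal"}

# Firewall rules: (source segment, destination host or whole segment, TCP port).
# The first rule is the over-broad one from the text: port 80 to the entire DMZ.
LOOSE_RULES = [("internet", "dmz", 80), ("internet", "mail", 25),
               ("dmz", "db", 1433), ("internal", "dmz", 80)]
# Step 6 candidate control: the same policy with port 80 narrowed to the web server.
TIGHT_RULES = [("internet", "www", 80)] + LOOSE_RULES[1:]

# Flows that normal operation actually needs (step 3, first bullet).
REQUIRED = {("internet", "www", 80), ("internet", "mail", 25),
            ("dmz", "db", 1433), ("internal", "www", 80)}

def permitted(rules, src_seg, host, port):
    """True if traffic from src_seg to host:port passes the firewall.
    Assumption: hosts on the same segment talk without crossing the firewall."""
    if HOSTS[host] == src_seg:
        return True
    return any(s == src_seg and d in (host, HOSTS[host]) and p == port
               for s, d, p in rules)

def extraneous_access(rules):
    """Step 3, second bullet: allowed (source, host, port) triples that no required flow justifies."""
    allowed = {(s, h, p) for s, d, p in rules for h in HOSTS if d in (h, HOSTS[h])}
    return sorted(allowed - REQUIRED)

def adversarial_review(rules, start_seg, vulnerable):
    """Steps 3-5: starting in start_seg, take every reachable host whose (real or
    simulated) vulnerable port the policy permits, then continue from that host's
    segment until no new access is gained. Returns compromised hosts in order."""
    owned, seen_segments, queue = [], {start_seg}, deque([start_seg])
    while queue:
        seg = queue.popleft()
        for host, port in vulnerable.items():
            if host not in owned and permitted(rules, seg, host, port):
                owned.append(host)
                if HOSTS[host] not in seen_segments:
                    seen_segments.add(HOSTS[host])
                    queue.append(HOSTS[host])
    return owned

if __name__ == "__main__":
    # dns runs a vulnerable service on 80; db's 1433 is a simulated vulnerability.
    VULNS = {"dns": 80, "db": 1433}
    print("extraneous access:", extraneous_access(LOOSE_RULES))
    print("loose policy, from internet:", adversarial_review(LOOSE_RULES, "internet", VULNS))
    print("tight policy, from internet:", adversarial_review(TIGHT_RULES, "internet", VULNS))
```

Running the review from "internal" instead of "internet" (step 2's insider case) shows that the tightened rule alone does not help against an insider, since the internal-to-DMZ rule is still open to the whole segment.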



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230
