What Do Attackers Do?

Attackers can do many things to an unprotected IT infrastructure and its assets, but first must assess who they want to attack in the first place and why. How do attackers select a target and how do attackers carry out an attack? These are questions that only the attacker can answer, but essentially, an attacker must first conduct a risk and vulnerability assessment on the designated target IT infrastructure and IT assets. Depending on the results of the assessment and the degree of the IT infrastructure's security, the attacker may change targets if the target was found to be well protected and secure.

If the motivation is personal and intended to cause embarrassment or financial damage, the target is likely to be highly visible, such as Citibank, eBay, or PayPal. If financial gain is the motivating factor, the highest paying job or opportunity will be given consideration. Choosing the system to attack with the biggest potential payoff is a definite consideration to an attacker; however, the risk versus benefit of the attack must be considered as part of the attacker's internal risk analysis. This is especially true if the security controls and security countermeasures are more stringent on an IT system with thousands of customers' credit card information versus a system with minimal security controls but very few customers' credit card information. In this case, the reward versus the risk may not be high enough to warrant an attack on a specified target that is more secure than others.

Sasser Worm In the case of the Sasser worm, one of the most globally devastating malicious codes released, it is uncertain if the author of the malicious code went through any kind of risk analysis prior to releasing the worm. The creator of the Sasser Worm was an 18-year-old German student. The purpose of the worm is uncertain, but it appears the creation of the Sasser worm was ego driven as well as financially motivated because the creator's mother had a PC support and repair business. Unfortunately, the Sasser worm went much further than expected, disabling critical systems for airlines and hospitals. Seeing that the virus was out of control, the creator of the Sasser worm tried to create a version that would instruct users that they needed to patch their machines against the original Sasser. The plan backfired when the newer versions of Sasser also managed to disrupt machines. This one worm resulted in millions of dollars of losses and damages due to lost productivity, system rebuilds, and loss of revenue experienced by many large organizations. The Sasser worm creator is now facing a mandatory jail sentence for the crime of computer sabotage.

 

Four Kinds of Attacks

There are four kinds of attacks generally made on an IT infrastructure and its assets. The first three attack types are referred to as structured attacks because they require advance planning; the attacker studies its target and assesses the risk of getting caught prior to launching the attack. An unstructured attack is when an attacker utilizes tools, scanners, and penetration testing tools without any advance planning and specific goal or objective in mind. These four attack types are described next:

• Coordinated attack A coordinated attack involves many people and many systems in a large, well-planned attack. This is typical of the planning done by cyber-terrorists or cyber-criminals. Coordinated attacks are planned well in advance and are usually carried out by numerous remote-controlled agents that have been secretly installed (through other hacking means) on remote high-bandwidth systems. When enough agents have been deployed, the attacker issues a command to the agents to attack en masse. These attacks usually generate enough network traffic to render the target device unavailable, given that its CPU resources are absorbed responding to invalid and bogus transmissions.
• Direct attack A direct attack targets a specific known vulnerability in an IT infrastructure, which is exploited by the attacker. These attacks rely on a known problem existing in a product that has not been protected or patched during deployment and is thus vulnerable to being exploited. The Ping of Death attack was targeted to early versions of the Microsoft Windows 95 and Windows NT operating systems; workstations and servers would crash upon receipt of oversize fragmented ICMP echo request packets. Directed attacks are also done on individuals. Modern phishing scams target naïve users by coaxing them to provide confidential information under the pretense of a respected company.
• Indirect attack Indirect attacks are more frequent headline grabbers because of the high visibility that malicious code and malicious software attacks can bring to the world's IT infrastructure and assets. These attacks are a result of prebuilt self-propagating exploits of vulnerabilities in software, operating systems, and applications that are commonly used in IT infrastructures. Common indirect attacks occur in the form of viruses, worms, or Trojans that disguise themselves as trusted applications and email attachments, but that in reality are fronts for sophisticated viruses and worms. These malicious code and malicious software attacks are responsible for millions of dollars annually of lost productivity, downtime, destruction, and damage of IT assets.
• Unstructured attack An unstructured attack is exactly thatan attack usually done by a novice attacker who uses reconnaissance probes and scanners to penetrate an IT infrastructure and collect data on-the-fly in an unstructured manner. Unstructured attacks are common acts of nuisance usually conducted by Script Kiddies or Click Kiddies who initiate vulnerability assessment probing and scanning software on live production IT infrastructures and their assets. Unstructured attacks are not planned and are usually the result of novices using attack tools and password crackers to gain unauthorized access to pay-for websites or engaging in accidental DoS attacks on a targeted device.

Coordinated Attacks

An example of a coordinated attack is a Distributed Denial of Service (DDoS) attack, which affects the availability of IT systems, resources, and targeted IT assets such as a website or e-commerce website. By transmitting large quantities of bogus network traffic targeted to a specific destination IP address, a DDoS attack relies on the inherent lack of security controls and authentication that the TCP/IP family of protocols uses for communication between TCP/IP devices. This bogus traffic can be in the form of incorrectly formatted packets or part of a Smurf attack or SYN Flood attack. In a distributed attack, the attacker usually compromises Internet attached workstations to act as agents during the attack. The user is unaware that his or her workstation was compromised via a virus or Trojan program and is now participating in a distributed DDoS attack. When an attacker uses an array of Internet attached workstations to conduct an attack, this is called a botnet. Figure 6.2 depicts a DDoS attack using an array of computers, or botnet.

Figure 6.2. Distributed Denial of Service attack.

Coordinated attacks, such as a DDoS attack, utilize specific TCP/IP protocol interactions to exploit the inherent lack of security controls and authentication that the IP network layer protocol has.

Tip

The following presents some security countermeasures that organizations may want to consider as part of their risk mitigation strategy for coordinated attacks:

• Implement network ingress filtering It is a good idea to have your upstream network service provider provide network ingress filtering to stop any downstream networks from injecting spoofed IP packets. Although this does not stop the attack, it makes it easier to identify the source of the attack and terminate it.
• Rate limit network traffic IP routers or Intrusion Prevention Systems (IPS) that can shape traffic or specify the amount of allocated bandwidth so particular kinds of network traffic can be enabled (for example, Committed Access Rate in Cisco IOS software). This will minimize unnecessary ICMP and IP packets, for example, penetrating a server network segment.
• Implement Intrusion Detection System (IDS) monitoring Filters and policies can be set up as IDS alarms to look for specific TCP/IP network traffic patterns and dialogue. IDSs are excellent tools for identifying attackers who utilize compromised workstations from within the IT infrastructure as well as for identifying DDoS network traffic flows. After a DDoS attack is identified, appropriate action can be taken to respond to it. Engaging the organization's Security Incident Response Team (SIRT) is typically done in the event of a DDoS attack.

 

Direct Attacks

An example of a direct attack is the Ping of Death (PoD) attack, which sends oversized, fragmented ICMP echo request packets in an attempt to crash the targeted IP device. An ICMP echo request packet is generally 64 bytes long, but sending malformed ICMP echo request packets the size of 65,536 bytes causes fragmented IP packet transmissions that often crash the receiving IP device. Other forms of direct attacks occur when the attacker targets a specific and known vulnerability and exploits that vulnerability to gain access. Figure 6.3 depicts a PoD attack in which invalid ICMP echo request packets are transmitted to a targeted IP device in an attempt to crash the IP device.

Figure 6.3. Ping of Death (PoD) attack with invalid ICMP packet sizes.

Another example of a direct attack is an attack on an individual, or phishing, a term used to describe an attacker's attempt at obtaining personal and confidential information. This is a form of social engineering, in which the attacker attempts to force the individual into believing that an email message or telephone call from a bogus call center is authentic. Phishing attacks are con artists attempting to obtain personal and confidential information about the individual so that more damaging attacks can then be performed. Attackers often masquerade as banks and other financial institutions in an attempt to obtain personal and confidential information about the targeted user.

Other examples of direct attacks include authentication attacks, database attacks, and application attacks. These are described next:

• Authentication Attacks Direct attacks on systems and authentication techniques where user ids and passwords are compromised. Authentication attacks are easy to deploy but difficult to crack, given stringent access control methods being deployed. Authentication attacks rely on brute-force password attacks, automated password-cracking tools, and even social engineering and phishing tactics to obtain access control information from a user.
• Database Attacks Direct attacks on websites and systems that have a back-end database application that is an attractive target for an attacker because of the wealth of personal, confidential, and financial information that the attack may uncover. In many cases, database attacks can be blamed for recent identify and credit card thefts, causing major banks to terminate all credit card numbers that were compromised and initiate cancellation and reinstatement letters for its customers while issuing them new credit cards.
• Application Attacks Direct attacks on specific applications that have security defects or security limits inherent in them. These attacks are commonly caused by programming errors such as buffer overflows and poor error checking/handling of tainted input in website forms. Buffer overflows will allow malicious code or lines of code to be injected into the application. After this happens, attackers have full control and the capability to do whatever they want with the application and its data.

Indirect Attacks

Examples of indirect attacks are plenty, given that they are usually initiated in the form of malicious code and malicious software, or malware, that is developed by software-proficient attackers. Indirect attacks are highly visible because they are directly related to the creation and proliferation of viruses, worms, and Trojans, which are a result of prebuilt, preprogrammed, and self-propagating exploits in IT infrastructures and their assets. Creation of indirect attacks requires not only technical knowledge, but a devious mind and intelligence to program and develop a self-propagating indirect attack. Indirect attacks are very costly to clean up and require constant remediation and antivirus, antispyware, anti-adware, and anti-pop-up applications. Figure 6.4 depicts an indirect attack where the attack is done on a single targeted IP device. From here, the malware self-propagates and attaches itself to emails and other communications between IP connected workstations and servers, thus spreading the contamination rapidly and throughout the entire IT infrastructure and its assets.

Figure 6.4. Indirect attacks propagate malicious code or malware.

 

Unstructured Attacks

Examples of unstructured attacks include the entire family of novice attacks that novice attackers like to commit. Most novice attackers initiate unstructured attacksthey are not planned in advance and the attacker is not experienced in conducting an attack. Unstructured attacks are common to websites where the attacker probes, scans, and utilizes tools to conduct an attack such as a password-cracking tool. Password-cracking tools are typically used on e-commerce websites or websites that require user authentication via a login id and password. Unstructured attacks are also usually very targeted and narrow in scope, meaning the attacker does one thing at a time, such as website defacement, attempted password cracking, identifying the server or workstation operating system level, or attaching a virus or work to an email. These attacks are usually sloppy and can easily be identified and prevented with proper monitoring, security controls such as access control lockout when more than three invalid login attempts are tried, and security countermeasures such as an intrusion detection monitoring system, properly configured firewalls, and filtering of specific destination IP addresses.

Things That Attackers Attack

Attackers, in general, have the technical prowess to plan, launch, and conduct an attack when they know they can get away with it. Attackers typically attack only when they know there are specific weaknesses or vulnerabilities in the IT infrastructure and its assets. When an attacker launches an attack, they do so by attacking security defects, security limits, and known vulnerabilities in software. In general, anything that an attacker can attack and compromise is considered a vulnerability. Vulnerabilities, when identified and compromised, are communicated and shared with other attackers, who then attack the targeted system or IT application. This is known as a security breach or security incident, for which the organization's SIRT team is typically called on to provide a security incident response. Forensic data collection and analysis should be done only by qualified computer and data forensic specialists who can retrieve untainted evidence that may be used in a court of law if charges are filed against the attacker. The following list shows the three main things attackers attack:

• Security Defects An unintended and undocumented deficiency in a product or piece of software that ultimately results in a security vulnerability being identified. A security defect exists when a product or software has a vulnerability that, if properly identified, can be exploited. Security defects are commonplace in software used for firmware, operating systems, software applications, and configuration files, thus presenting a multitude of software defects or vulnerabilities. When a defect is discovered, it must be fixed to minimize the vulnerability window of organization. Vendors and manufacturers typically release security bulletins to notify their customers and registered software licensors that there is a known security defect or software vulnerability. Security bulletins usually are accompanied with software patches and instructions for mitigating the risk caused by the security defect.
• Security Limits A known, documented, and well-publicized "deficiency" that might pose a security threat given its vulnerability. No products are 100% secure. By documenting known limits, developers provide customers with the information they need to deploy products in an informed and secure manner. An example of a security limit is the TCP/IP family of protocols such as FTP, SMTP, and POP3 transmissions. These protocols transmit in clear text, allowing confidentiality to be easily compromised with eavesdropping or packet-sniffer devices. This is an example of a security limit inherent in the TCP/IP communication protocols.
• Software Vulnerabilities The result of software bugs and software flaws in the design or coding of the software application itself. These software bugs or software architecture flaws result in software vulnerabilities that, if discovered, can be exploited by an attacker. Bugs in software and lines of code can cause buffer overflow errors and leave applications open or vulnerable to injection of malicious codeor worse, access to confidential data can be compromised.

With knowledge of what attackers do and what they look for prior to conducting an attack, the risk and vulnerability assessor can plan risk and vulnerability assessment in accordance with known vulnerabilities in the IT infrastructure and its assets. Software bugs and software flaws result in security defects or security limits, which lead to discovered vulnerabilities in the product or software itself. These vulnerabilities are exploited by attackers and this is what each organization must combat. Remember, all IT components and devices have some kind of software in them and thus have the potential for a vulnerability to be exploited. When an attacker exploits a known vulnerability, this usually triggers a security breach or security incident. Figure 6.5 shows the relationship between software bugs and flaws, security defects and limits, and vulnerabilities, exploits, and security incidents.

Figure 6.5. Chain of events from software bug to security incident.

 

Goals and Motivations of the Attacker

Why do attackers attack? What are their goals and objectives for performing an attack? What motivates an attacker to attack? These questions are uniquely answered depending on the situation and the type of attacker. Remember, many attackers and their attacks may not have any particular interest in the target they hit. In other words, the attacker may have not been after anything in particular but simply looking for something to do. An attacker is motivated to conduct an attack for any of the following reasons:

• Intellectually motivated Not all attacks have malicious intent. Intellectually motivated attacks are done to see if the attacker can "beat the system" and gain access to IT systems and resources in an unauthorized manner. Although these attacks may not be intended to be harmful, accidental damage, loss of CPU and processing resources, and other nuisances may occur. In addition, depending on jurisdiction, unauthorized access to IT systems, resources, and data may warrant a criminal charge to the attacker, especially if monetary damage was done.
• Personally motivated This kind of attack motivation is typical of the disgruntled employee when he or she feels jilted that they didn't get a promotion or raise or if they were fired or terminated from employment without cause. Attackers of this type typically like to cause damage or embarrassment to the employer.
• Politically motivated This type of attack occurs when an individual or organization wants to bring their ideals and viewpoints to a larger, mass-media-connected audience. These attacks are meant to showcase an organization's viewpoints using the Internet and the World Wide Web as a sounding board. Website defacements, attacks on critical IT infrastructures and assets, and other cyber-terrorist or cyber-criminal acts are usually politically motivated.
• Financially motivated This type of attack is usually done for financial gain or financial damage. A blackmailer or extortionist paid to do an attack is one example of a financially motivated attack. If an attacker purposely and willingly attacked an organization and destroyed files and/or data used for e-commerce transactions, that organization would lose money and revenue if its system is unavailable during business and peak hours.
• Ego motivated This type of attack and attacker is the one that has no particular motive other than to be a nuisance. Ego can be its own motivation for an attack, especially if that attack is recognized in the various Cracker/Hacker communities and groups that share ideas and stories about their prey. Ego-motivated attacks, although perhaps without malicious intent, carry the same threats as other attacks, such as absorbing CPU resources, accidental damage to data, or embarrassment to an organization.

Note

With Internet access and World Wide Web usage growing, Internet marketers began to deploy aggressive and intrusive tactics to probe and scan individual workstations and their browser settings while examining the URLs and cookies that the user workstation has archived. Spam, pop-up ads, adware, home page hijacking, and release of spyware applications that monitor and track a workstation's use of the World Wide Web must now be combated, given their nuisance as well as intrusiveness. Although these aren't categorized as attacks, they are definitely a nuisance because they require CPU resources for blocking spam and pop-up ads, and they occupy RAM and require CPU processing power. In addition, an individual's or organization's privacy is violated by having the equivalent of eavesdropping software running in the background of the workstation's primary applications.

 

Attackers Conduct Their Own Risk Analysis

The goals and objectives of an attacker are varied, as described in this section. How an attacker plans an attack can be attributed to a risk analysis that the attacker may engage in prior to conducting an attack. Attackers are intelligent and they are good at not getting caught. This can be attributed to the fact that they conduct their own internal risk analysis, which typically includes an assessment of the following:

• Amount of visibility or exposure Attackers driven by ego or intellectual reason and motivation are concerned about how visible or how much media exposure the attack will obtain. Some attackers want high visibility and exposure for an attack that they conduct. Other attackers prefer to have their attacks remain in confidence, such as attacks on corporations that do not want to publicly announce they have been attacked or have encountered a security incident.
• Content or payoff potential Attackers who are financially motivated are concerned with how much content or intellectual property can be accessed or how much money they can obtain or steal by compromising an IT system, resource, or application. Financial reward is a great motivator for conducting an attack, especially if that reward is funded by a cyber-terrorist or cyber-criminal organization.
• Ease of access Attackers, after conducting a risk analysis, will attack only if they know what the vulnerabilities are and how to exploit them. An attacker will not attack or will terminate an attack if the target is well protected, secured, has security countermeasures throughout the IT infrastructure, layered protection, or a defense-in-depth strategy for protecting its mission critical IT assets.

After an attacker has decided to conduct an attack, planning and executing the attack must be analyzed, designed, and planned out properly. This planning and execution of an attack requires a thorough knowledge of attack methods, attack tools, and how to use them on an IT infrastructure and its assets. The next section describes how attackers attack, what attackers do, and how they do it.

How Do Attackers Attack?

Attacks on an IT infrastructure and its assets are conducted in a logical, methodical, and sequential manner, where trial-and-error and exploitation techniques are conducted on targeted and known vulnerabilities of IT assets. This section presents the three major stages of a malicious attack on an IT infrastructure and its assets and what tools attackers commonly use when conducting their attack steps. An understanding of how these vulnerability assessment tools work and how best to mitigate the risk caused by them are presented. This same understanding will assist the risk and vulnerability assessment when assessors conduct assessments on their IT infrastructure and its assets. This information will also assist in designing and implementing an appropriate security countermeasure to an identified weakness or vulnerability.

The following list describes the three stages of an attack on an IT infrastructure and its assets:

• Stage 1: Reconnaissance Probing and Scanning Prior to conducting an attack, an attacker must look for and identify a point of entry or vulnerability within the IT infrastructure that can be exploited. This preliminary stage of an attack typically requires the use of vulnerability assessment tools, DNS, SNMP, and IP discovery tools, port scanners, OS fingerprinting scanners, and the dissemination of spyware Trojan applications to collect additional reconnaissance information about workstations and servers.
• Stage 2: Access and Privilege Escalation The second stage of an attack is access, when the attacker uses a system or application exploit to gain privileged access to the IT system or application. The process of increasing a level of authority within a system and gaining system administrator or a higher level of access to a system is known as privilege escalation. An attacker with elevated privileges has access to everything that the access rights or privileges allow. Privilege escalation can occur because of any number of security defects, such as a buffer overflow or a website form reacting in an insecure manner when tainted input or malformed data is injected.
• Stage 3: Eavesdropping, Data Collection, Damage, or Theft The third stage of an attack is the actual clandestine event after access has been obtained. Then the attacker can carry out the final stage of the attack plan by causing damage, eavesdropping for confidential information, collecting information such as usernames and passwords for subsequent attacks, or stealing confidential information or data.

Tools That Attackers Use During the Stages of an Attack

The three stages of an attack typically require the use of vulnerability assessment tools, the use of some of the TCP/IP family of protocols and applications such as DNS, ICMP, and SNMP, and the use of intrusive port scanners and OS fingerprinting scanners. This section presents tools that are commonly used by attackers during the different stages of an attack on an IT infrastructure and its assets. These tools provide the attacker with the necessary information and intelligence data about an IT infrastructure and its assets, such as destination IP addresses, port numbers, applications, operating system version numbers, and application software version numbers. This intelligence data provides the necessary information for an attacker to assess whether to proceed with the next stage of an attack.

Reconnaissance Probing and Scanning Stage

Assuming that an attacker is not intimately aware, as an insider might be, of the IT infrastructure he or she is attacking, the first stage in any attack is for the attacker to conduct a reconnaissance mission to gain an understanding of the IT systems, resources, and applications and identify any potential weaknesses or vulnerabilities for exploitation. This is called the Reconnaissance Probing and Scanning stage of an attack, where attackers might employ port scanners to discover IP devices on an active network (for example, IP discovery), the services or applications that they are running, and even OS fingerprinting, which identifies the version of software running on the server or workstation. Port scanner applications such as NMAP can elude intrusion detection systems and even identify version information for remote services; however, the attacker must be careful not to expose the use of NMAP by carefully initiating targeted scans to evade detection. Sophisticated attackers stagger and limit the amount of IP scan packets that are generated (for example, low or slow mode) in an effort to go undetected by intrusion detection monitors. Other popular and frequently used vulnerability assessment and port scanner tools include freeware tools such as Nessus. Nessus even comes with its own vulnerability exploit database, which the risk and vulnerability assessor can use to combat and mitigate the threats caused by use of vulnerability assessment and port scanning tools.

In Figure 6.6, the attacker conducts initial reconnaissance probing steps as part of this initial stage of an attack. This initial reconnaissance probing is typically done externally to the IT infrastructure and its assets and must be conducted in stealth because prior authorization and approval to scan the IT infrastructure was not granted. This type of reconnaissance probing step is intrusive in that TCP/IP packets and network traffic are generated and attempt to connect and pass through the Internet ingress and the organization's egress point in the network infrastructure.

Figure 6.6. Stage 1 of an attack: reconnaissance probing and scanning.

During the reconnaissance probing and scanning stage that is engaged from an attack workstation, the attacker can use the TCP/IP family of protocols to conduct preliminary reconnaissance probing using Domain Name System (DNS) lookups and WHOIS to learn valuable information about an organization, its IP addressing information, and DNS names and their IP addresses. DNS is a hierarchy of servers that provide Internet-wide IP-address mapping to hostnames connected to the Internet on the World Wide Web. Publicly available information on registered addresses is obtainable through a number of searchable websites. Reverse DNS lookup or nslookup are additional commands that will also interrogate DNS information and provide cross-referencing to IP addresses. These services are often provided free on the Internet and can be located by searching on the command name itself. This information becomes the starting point for an attacker, collecting needed IP addressing information and the assigned IP address blocks that were provided to the organization.

TCP/IP Internet Control Message Protocol (ICMP)

Another tool that attackers use is found in the TCP/IP protocol family, the Internet Control Management Protocol (ICMP echo request and ICMP echo reply) or PING command, of which several closely related tools are readily available on most computer operating systems. It can be a key profiling tool to verify that target systems are reachable. The PING command can be used with a number of extension flags to test direct reachability between hosts or as part of the actual attack plan, as in the case of a launched Ping of Death (PoD) attack. After a target network has been located, many attackers perform a Ping Sweep of all or a range of IP addresses within the major network or subnet to identify other potential hosts that may be accessible. This information alone sometimes exposes the likely network size and topology and helps to identify mission-critical IT assets such as routers, switches, and servers that are always on. IP host devices that go on and off are often identified as workstations on an IT infrastructure, given that users typically log off after work hours.

Note

Many IT infrastructures have at the ingress/egress perimeter of the network infrastructure stringent firewall and perimeter security countermeasures that deny ICPM echo request and ICMP echo reply packets and prevent penetration of the perimeter defense. Many attackers know this, so they attempt to penetrate the perimeter defense to initiate PING or PoD attacks on IP devices from within the IT infrastructure using an agent or host device that has been compromised. Many IT infrastructures, including the perimeter of the network infrastructure, deny the transmission and permeation of ICMP echo request and ICMP echo reply packets within a network infrastructure; they only permit network management stations and devices to conduct ICMP echo request and ICMP echo reply packets internally, based on the source IP address of the network management workstations.

PING sweeps are done to identify active IP host devices. Penetrating a perimeter defense and using an agent to conduct a PING sweep is typically done by attackers because many IT infrastructures deny ICMP echo request and ICMP echo reply packets. Figure 6.7 depicts a PING sweep to identify active IP hosts. Denying ICMP echo request packets from outside of the network infrastructure is common.

Figure 6.7. PING sweeps are done to identify active IP hosts.

 

TCP/IP Simple Network Management Protocol (SNMP)

Another TCP/IP application that is commonly used in TCP/IP-based network infrastructures is the Simple Network Management Protocol (SNMP), which is an application layer protocol that facilitates the exchange of management information between an SNMP manager and SNMP manageable devices. SNMP utilizes the TCP/IP protocol suite and enables network managers to manage network performance, network availability, and configuration management for moves, additions, and changes to the SNMP devices configuration. SNMP enables network administrators to manage network performance, to find and solve network problems, and to plan for network growth. All SNMP manageable devices use the word "Public" as the default password for SNMP Read-Only (RO) community strings. The word "Private" is the default password for SNMP Read-Write (RW) community strings.

Tip

These default SNMP RO and RW community string passwords need to be changed by the SNMP Network Administrator in all SNMP manageable devices that are deployed in an IT infrastructure. This must conform to the IT organization's policies regarding password creation and password changes. This is a vulnerability that is commonly found in SNMP managed IT infrastructures where network administrators and managers forget to define security controls when deploying and implementing an enterprisewide SNMP network management system.

 

Reconnaissance Scanning and Probing Tools

Attackers utilize many automated and user-friendly tools during this stage of the attack. Attackers commonly scan IT infrastructures and IT assets to determine what services and applications are running on servers, workstations, and other IT devices connected to the network infrastructure. Scanning is typically done using automated port scanner tools or OS fingerprinting tools that send reconnaissance packets into and through an IT infrastructure, seeking information about the IT assets that are currently installed.

Note

When a remote machine connects to a server, a banner message often displays with the initial response from the server. For example, a Microsoft Exchange 5.5 Server might respond with 220 ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready.

Tip

Many IT system administrators create banner messages when a user first accesses an IT system or server. When a user attempts to connect to the IT system or server, there is often a banner message associated with the initial response from the server. Banners can reveal information about the version of the service or application that is running, the features it supports, and even software patches that have been installed. This information can be used to help make an informed decision about whether to attack.

IT system administrators should minimize the amount of data and information contained in the banner message so that an attacker cannot use this data to cross-reference with known software vulnerabilities that can be exploited.

After a target network has been identified, the attacker then commences with a port scanning step to identify the IP host devices, what applications and services are running, and what port numbers are being used by the IP host device. Several popular port scanning applications that an attacker could use are available as freeware applications. One of the most popular is Nmap (available for Unix and Windows). MingSweeper is another network reconnaissance tool for Microsoft Windows NT/2000 workstations and is designed to facilitate large address space and high-speed node discovery and identification. These tools permit an attacker to discover and identify hosts by performing PING sweeps, probing for open TCP and UDP service ports, and identifying operating systems and applications running on IP host devices. This is a wealth of information for an attacker to plan out an attack by finding weaknesses or vulnerabilities in the IT infrastructure and its assets.

Access and Privilege Escalation Stage

The second stage of an attack consists of the access and privilege escalation step, in which an attacker attempts to gain access to an IT system, resource, or device within the IT infrastructure based on a known or identifiable vulnerability in the IT device's software. An attacker who knows what IT assets are available within an IT infrastructure and has located potential entry points can proceed with this second stage of the attack. After an attacker gains access to an IT system, resource, or application, the attacker uses a system or application exploitation of a known vulnerability to gain control of the device. The process of increasing or enhancing the attacker's level of authority, administration, and user privileges in an IT system, resource, or application is called privilege escalation. An attacker with elevated privileges, such as system administrator, has access to the entire server or workstation, including being able to read and extract data from the server itself. Privilege escalation can occur because of any number of security defects in software, such as a buffer overflow or a website with data fields that react unfavorably to tainted or malformed input data.

After the attacker has obtained unauthorized access, the extent of the damage that unauthorized access can cause depends on the target and the motives for the attack. After gaining access, what can an attacker do? Examples of critical security breaches are listed next:

• A publicly traded company's financial systems and SEC filings This could be a critical security breach or security incident, given that publicly traded companies are under Sarbanes-Oxley compliancy laws, mandates, and regulations and may be subject to penalties and fines if this confidential information is leaked to the public domain.
• A website with a back-end database of customer credit card information and personal information This would be a critical security breach or security incident if the attacker was successful in exploiting a vulnerability on the website and was able to inject lines of malicious code to extract the customer database information, including credit cards and address information of individuals.
• A hospital's wireless network infrastructure where doctors and nurses access patient record information This would be a critical security breach or security incident if the attacker was successful in exploiting a vulnerability on the wireless network and was able to eavesdrop or steal patient privacy information. This would be in violation of the recent HIPAA laws, mandates, and regulations and could potentially subject the hospital to legal ramifications if the individual was damaged or hurt in any way from the hospital's negligence in protecting that patient's information.
• A bank's online banking system This would be a critical security breach or security incident if the attacker was successful in exploiting a vulnerability on the website or back-end database system that is linked to the website. This would be in violation of recent GLBA laws, mandates, and regulations and could potentially subject the bank or financial institution to legal ramifications if the banking customers' privacy data was compromised, financial loss is incurred, or the individual's personal and confidential credit history is altered in the form of identify theft.

Access in Compromised and Privilege Escalation Commences

The second stage of an attack, Access and Privilege Escalation, is solely dependent on the attacker being able to gain access to an IT device. Access to an IT device usually means compromising user ids and passwords. User ids and passwords can be compromised using various techniques and tools. Some of these are described next:

• Password guessing Password-guessing tools are one of the simplest tools an attacker can deploy. These tools will attack the public authentication interface to a system, such as a web page login prompt, a file server login prompt, an email login, and so on. Password guessing tools rely on the fact that users make bad choices for their passwords. These utilities attempt to use brute force attacks to identify easy-to-exploit accounts. Password-guessing tools are also sophisticated enough to handle simple word reversals and letter and number substitutions as well as conduct dictionary attacks using predefined lists.
• Password sniffing Password-sniffing tools allow an attacker with access to a network to watch that network's traffic for passwords visible within common protocols. Modern password-sniffing utilities incorporate encryption and decryption software. Ettercap, for example, offers support for sniffing SSH1 encrypted traffic. Remember that password sniffing tools cannot remotely sniff network traffic; they must be directly connected to the network segment being monitored.
• Password cracking Password cracking assumes the attacker has gained access to the Unix password/shadow files and/or Windows SAM system files. After these files are retrieved, they can be subject to password dictionary attacks. The password-cracking tool will take this password dictionary and hash each entry and then compare it to the hashed values found within the stolen password file. The strength of the hashing algorithm used by the victim has very little impact on the probability that the attacker will find a correct password. The attacker's success rate diminishes the longer the password is and the more stringent the password change policy is for the organization.

After this access is obtained, the objective of the attack is to increase the level of authority or access right privileges on the IT device. This can be done by exploiting a buffer overflow or some other vulnerability. In Figure 6.8, the attacker accesses the website on www.victim.com by attacking a known vulnerability on the web server itself. After access is obtained, the attacker attempts to increase the level of authority on the web server, thus allowing system administrator or increased levels of authority on the IT device itself. In essence, now the attacker has opened the door to the IT device, and the wealth of information and data on the IT device can be compromised, stolen, or damaged, depending on the motives, goals, and objectives of the attacker.

Figure 6.8. Access and privilege escalation on an IT device.

 

Eavesdropping, Data Collection, Damage, or Theft Stage

After access and privilege escalation has been achieved, the attacker can carry out the final stage of the attack plan by causing one of the following acts:

• Destruction and damage After an attacker has gained access and is successful in escalating privileges on the compromised IT system, destruction of application files, data files, or other damage to the IT system, resource, application, and data can be conducted by the attacker.
• Eavesdropping and data collection Attackers who have gained access to an IT system, resource, or application can eavesdrop or collect user id and password information, can access nonpublic domain information or data that can be used for financial gain or other purposes, and can enable Trojanlike malicious code and malware so that any individual or user who connects and communicates to the IT system, resource, or application will automatically be infected by the malicious code or malware.
• Theft After an attacker has gained access and is successful in escalating privileges on the compromised IT system, the attacker can steal any information or data on the IT system and can delete all reference to this information or data on the production server prior to leaving. This steal-and-delete attack is common in industrial espionage and other acts of a criminal nature.

Gaining unauthorized access to an organization's IT infrastructure and its assets may be a criminal charge in itself, depending on the location of the organization. In addition, after unauthorized access is achieved by an attacker, the preceding list describes common attacks done during the third stage of an attack. This is where the severity of the security breach becomes apparent. Because of the criminal nature of the preceding attacks, attackers seldom conduct direct attacks from their own IT devices, mainly because through proper subpoenas and forensic investigation techniques, the source IP address of the attacker can eventually be found. Remember that attackers are smart enough not to attack from their own IT devices but are capable of using Trojan-like applications and malicious software to gain control of other IT devices that are high speed and connected to the Internet.

An example of the third stage in an attack is a malformed data attack. If an application cannot properly handle inputted data because it was corrupt or it accepted malformed data, applications and systems can behave strangely and possibly be compromised. Malformed data attacks typically inject bad data or malformed data into data fields of the application. Improper error handling or buffer overflow errors are common defects that open an application or system as a result of this type of malformed data attack.