Attackers can do many things to an unprotected IT infrastructure and its assets, but they must first assess whom they want to attack and why. How do attackers select a target and how do attackers carry out an attack? These are questions that only the attacker can answer, but essentially, an attacker must first conduct a risk and vulnerability assessment on the designated target IT infrastructure and IT assets. Depending on the results of the assessment and the degree of the IT infrastructure's security, the attacker may change targets if the target was found to be well protected and secure.
If the motivation is personal and intended to cause embarrassment or financial damage, the target is likely to be highly visible, such as Citibank, eBay, or PayPal. If financial gain is the motivating factor, the highest paying job or opportunity will be given consideration. Choosing the system to attack with the biggest potential payoff is a definite consideration to an attacker; however, the risk versus benefit of the attack must be considered as part of the attacker's internal risk analysis. This is especially true if the security controls and security countermeasures are more stringent on an IT system with thousands of customers' credit card information versus a system with minimal security controls but very few customers' credit card information. In this case, the reward versus the risk may not be high enough to warrant an attack on a specified target that is more secure than others.
In the case of the Sasser worm, one of the most globally devastating malicious codes released, it is uncertain if the author of the malicious code went through any kind of risk analysis prior to releasing the worm. The creator of the Sasser worm was an 18-year-old German student.
The purpose of the worm is uncertain, but it appears the creation of the Sasser worm was ego driven as well as financially motivated because the creator's mother had a PC support and repair business. Unfortunately, the Sasser worm went much further than expected, disabling critical systems for airlines and hospitals. Seeing that the virus was out of control, the creator of the Sasser worm tried to create a version that would instruct users that they needed to patch their machines against the original Sasser. The plan backfired when the newer versions of Sasser also managed to disrupt machines.
This one worm resulted in millions of dollars of losses and damages due to lost productivity, system rebuilds, and loss of revenue experienced by many large organizations. The Sasser worm creator is now facing a mandatory jail sentence for the crime of computer sabotage.
Four Kinds of Attacks
There are four kinds of attacks generally made on an IT infrastructure and its assets. The first three attack types are referred to as structured attacks because they require advance planning; the attacker studies its target and assesses the risk of getting caught prior to launching the attack. An unstructured attack is when an attacker utilizes tools, scanners, and penetration testing tools without any advance planning and specific goal or objective in mind. These four attack types are described next:
An example of a coordinated attack is a Distributed Denial of Service (DDoS) attack, which affects the availability of IT systems, resources, and targeted IT assets such as a website or e-commerce website. By transmitting large quantities of bogus network traffic targeted to a specific destination IP address, a DDoS attack relies on the inherent lack of security controls and authentication that the TCP/IP family of protocols uses for communication between TCP/IP devices. This bogus traffic can be in the form of incorrectly formatted packets or part of a Smurf attack or SYN Flood attack. In a distributed attack, the attacker usually compromises Internet attached workstations to act as agents during the attack. The user is unaware that his or her workstation was compromised via a virus or Trojan program and is now participating in a distributed DDoS attack. When an attacker uses an array of Internet attached workstations to conduct an attack, this is called a botnet. Figure 6.2 depicts a DDoS attack using an array of computers, or botnet.
Figure 6.2. Distributed Denial of Service attack.
Coordinated attacks, such as a DDoS attack, utilize specific TCP/IP protocol interactions to exploit the inherent lack of security controls and authentication that the IP network layer protocol has.
The following presents some security countermeasures that organizations may want to consider as part of their risk mitigation strategy for coordinated attacks:
An example of a direct attack is the Ping of Death (PoD) attack, which sends oversized, fragmented ICMP echo request packets in an attempt to crash the targeted IP device. An ICMP echo request packet is generally 64 bytes long, but sending malformed ICMP echo request packets the size of 65,536 bytes causes fragmented IP packet transmissions that often crash the receiving IP device. Other forms of direct attacks occur when the attacker targets a specific and known vulnerability and exploits that vulnerability to gain access. Figure 6.3 depicts a PoD attack in which invalid ICMP echo request packets are transmitted to a targeted IP device in an attempt to crash the IP device.
Figure 6.3. Ping of Death (PoD) attack with invalid ICMP packet sizes.
Another example of a direct attack is an attack on an individual, or phishing, a term used to describe an attacker's attempt at obtaining personal and confidential information. This is a form of social engineering, in which the attacker attempts to trick the individual into believing that an email message or telephone call from a bogus call center is authentic. Phishing attacks are attempts by con artists to obtain personal and confidential information about the individual so that more damaging attacks can then be performed. Attackers often masquerade as banks and other financial institutions in an attempt to obtain personal and confidential information about the targeted user.
Other examples of direct attacks include authentication attacks, database attacks, and application attacks. These are described next:
Examples of indirect attacks are plenty, given that they are usually initiated in the form of malicious code and malicious software, or malware, that is developed by software-proficient attackers. Indirect attacks are highly visible because they are directly related to the creation and proliferation of viruses, worms, and Trojans, which are a result of prebuilt, preprogrammed, and self-propagating exploits in IT infrastructures and their assets. Creation of indirect attacks requires not only technical knowledge, but a devious mind and intelligence to program and develop a self-propagating indirect attack. Indirect attacks are very costly to clean up and require constant remediation and antivirus, antispyware, anti-adware, and anti-pop-up applications. Figure 6.4 depicts an indirect attack where the attack is done on a single targeted IP device. From here, the malware self-propagates and attaches itself to emails and other communications between IP connected workstations and servers, thus spreading the contamination rapidly and throughout the entire IT infrastructure and its assets.
Figure 6.4. Indirect attacks propagate malicious code or malware.
Examples of unstructured attacks include the entire family of novice attacks that novice attackers like to commit. Most novice attackers initiate unstructured attacks; they are not planned in advance and the attacker is not experienced in conducting an attack. Unstructured attacks are common to websites where the attacker probes, scans, and utilizes tools to conduct an attack such as a password-cracking tool. Password-cracking tools are typically used on e-commerce websites or websites that require user authentication via a login id and password. Unstructured attacks are also usually very targeted and narrow in scope, meaning the attacker does one thing at a time, such as website defacement, attempted password cracking, identifying the server or workstation operating system level, or attaching a virus or worm to an email. These attacks are usually sloppy and can easily be identified and prevented with proper monitoring, security controls such as access control lockout when more than three invalid login attempts are tried, and security countermeasures such as an intrusion detection monitoring system, properly configured firewalls, and filtering of specific destination IP addresses.
Things That Attackers Attack
Attackers, in general, have the technical prowess to plan, launch, and conduct an attack when they know they can get away with it. Attackers typically attack only when they know there are specific weaknesses or vulnerabilities in the IT infrastructure and its assets. When an attacker launches an attack, they do so by attacking security defects, security limits, and known vulnerabilities in software. In general, anything that an attacker can attack and compromise is considered a vulnerability. Vulnerabilities, when identified and compromised, are communicated and shared with other attackers, who then attack the targeted system or IT application. This is known as a security breach or security incident, for which the organization's SIRT team is typically called on to provide a security incident response. Forensic data collection and analysis should be done only by qualified computer and data forensic specialists who can retrieve untainted evidence that may be used in a court of law if charges are filed against the attacker. The following list shows the three main things attackers attack:
With knowledge of what attackers do and what they look for prior to conducting an attack, the risk and vulnerability assessor can plan risk and vulnerability assessment in accordance with known vulnerabilities in the IT infrastructure and its assets. Software bugs and software flaws result in security defects or security limits, which lead to discovered vulnerabilities in the product or software itself. These vulnerabilities are exploited by attackers and this is what each organization must combat. Remember, all IT components and devices have some kind of software in them and thus have the potential for a vulnerability to be exploited. When an attacker exploits a known vulnerability, this usually triggers a security breach or security incident. Figure 6.5 shows the relationship between software bugs and flaws, security defects and limits, and vulnerabilities, exploits, and security incidents.
Figure 6.5. Chain of events from software bug to security incident.
Goals and Motivations of the Attacker
Why do attackers attack? What are their goals and objectives for performing an attack? What motivates an attacker to attack? These questions are uniquely answered depending on the situation and the type of attacker. Remember, many attackers and their attacks may not have any particular interest in the target they hit. In other words, the attacker may have not been after anything in particular but simply looking for something to do. An attacker is motivated to conduct an attack for any of the following reasons:
With Internet access and World Wide Web usage growing, Internet marketers began to deploy aggressive and intrusive tactics to probe and scan individual workstations and their browser settings while examining the URLs and cookies that the user workstation has archived. Spam, pop-up ads, adware, home page hijacking, and release of spyware applications that monitor and track a workstation's use of the World Wide Web must now be combated, given their nuisance as well as intrusiveness. Although these aren't categorized as attacks, they are definitely a nuisance because they require CPU resources for blocking spam and pop-up ads, and they occupy RAM and require CPU processing power. In addition, an individual's or organization's privacy is violated by having the equivalent of eavesdropping software running in the background of the workstation's primary applications.
Attackers Conduct Their Own Risk Analysis
The goals and objectives of an attacker are varied, as described in this section. How an attacker plans an attack can be attributed to a risk analysis that the attacker may engage in prior to conducting an attack. Attackers are intelligent and they are good at not getting caught. This can be attributed to the fact that they conduct their own internal risk analysis, which typically includes an assessment of the following:
After an attacker has decided to conduct an attack, planning and executing the attack must be analyzed, designed, and planned out properly. This planning and execution of an attack requires a thorough knowledge of attack methods, attack tools, and how to use them on an IT infrastructure and its assets. The next section describes how attackers attack, what attackers do, and how they do it.
How Do Attackers Attack?
Attacks on an IT infrastructure and its assets are conducted in a logical, methodical, and sequential manner, where trial-and-error and exploitation techniques are conducted on targeted and known vulnerabilities of IT assets. This section presents the three major stages of a malicious attack on an IT infrastructure and its assets and what tools attackers commonly use when conducting their attack steps. An understanding of how these vulnerability assessment tools work and how best to mitigate the risk caused by them is presented. This same understanding will assist risk and vulnerability assessors when they conduct assessments on their IT infrastructure and its assets. This information will also assist in designing and implementing an appropriate security countermeasure to an identified weakness or vulnerability.
The following list describes the three stages of an attack on an IT infrastructure and its assets:
Tools That Attackers Use During the Stages of an Attack
The three stages of an attack typically require the use of vulnerability assessment tools, the use of some of the TCP/IP family of protocols and applications such as DNS, ICMP, and SNMP, and the use of intrusive port scanners and OS fingerprinting scanners. This section presents tools that are commonly used by attackers during the different stages of an attack on an IT infrastructure and its assets. These tools provide the attacker with the necessary information and intelligence data about an IT infrastructure and its assets, such as destination IP addresses, port numbers, applications, operating system version numbers, and application software version numbers. This intelligence data provides the necessary information for an attacker to assess whether to proceed with the next stage of an attack.
Reconnaissance Probing and Scanning Stage
Assuming that an attacker is not intimately aware, as an insider might be, of the IT infrastructure he or she is attacking, the first stage in any attack is for the attacker to conduct a reconnaissance mission to gain an understanding of the IT systems, resources, and applications and identify any potential weaknesses or vulnerabilities for exploitation. This is called the Reconnaissance Probing and Scanning stage of an attack, where attackers might employ port scanners to discover IP devices on an active network (for example, IP discovery), the services or applications that they are running, and even OS fingerprinting, which identifies the version of software running on the server or workstation. Port scanner applications such as NMAP can elude intrusion detection systems and even identify version information for remote services; however, the attacker must be careful not to expose the use of NMAP by carefully initiating targeted scans to evade detection. Sophisticated attackers stagger and limit the amount of IP scan packets that are generated (for example, low or slow mode) in an effort to go undetected by intrusion detection monitors. Other popular and frequently used vulnerability assessment and port scanner tools include freeware tools such as Nessus. Nessus even comes with its own vulnerability exploit database, which the risk and vulnerability assessor can use to combat and mitigate the threats caused by use of vulnerability assessment and port scanning tools.
In Figure 6.6, the attacker conducts initial reconnaissance probing steps as part of this initial stage of an attack. This initial reconnaissance probing is typically done externally to the IT infrastructure and its assets and must be conducted in stealth because prior authorization and approval to scan the IT infrastructure was not granted. This type of reconnaissance probing step is intrusive in that TCP/IP packets and network traffic are generated and attempt to connect and pass through the Internet ingress and the organization's egress point in the network infrastructure.
Figure 6.6. Stage 1 of an attack: reconnaissance probing and scanning.
During the reconnaissance probing and scanning stage that is engaged from an attack workstation, the attacker can use the TCP/IP family of protocols to conduct preliminary reconnaissance probing using Domain Name System (DNS) lookups and WHOIS to learn valuable information about an organization, its IP addressing information, and DNS names and their IP addresses. DNS is a hierarchy of servers that provide Internet-wide IP-address mapping to hostnames connected to the Internet on the World Wide Web. Publicly available information on registered addresses is obtainable through a number of searchable websites. Reverse DNS lookup or nslookup are additional commands that will also interrogate DNS information and provide cross-referencing to IP addresses. These services are often provided free on the Internet and can be located by searching on the command name itself. This information becomes the starting point for an attacker, collecting needed IP addressing information and the assigned IP address blocks that were provided to the organization.
TCP/IP Internet Control Message Protocol (ICMP)
Another tool that attackers use is found in the TCP/IP protocol family, the Internet Control Message Protocol (ICMP echo request and ICMP echo reply) or PING command, of which several closely related tools are readily available on most computer operating systems. It can be a key profiling tool to verify that target systems are reachable. The PING command can be used with a number of extension flags to test direct reachability between hosts or as part of the actual attack plan, as in the case of a launched Ping of Death (PoD) attack. After a target network has been located, many attackers perform a Ping Sweep of all or a range of IP addresses within the major network or subnet to identify other potential hosts that may be accessible. This information alone sometimes exposes the likely network size and topology and helps to identify mission-critical IT assets such as routers, switches, and servers that are always on. IP host devices that go on and off are often identified as workstations on an IT infrastructure, given that users typically log off after work hours.
Many IT infrastructures have stringent firewall and perimeter security countermeasures at the ingress/egress perimeter of the network infrastructure that deny ICMP echo request and ICMP echo reply packets and prevent penetration of the perimeter defense. Many attackers know this, so they attempt to penetrate the perimeter defense to initiate PING or PoD attacks on IP devices from within the IT infrastructure using an agent or host device that has been compromised. Many IT infrastructures, including the perimeter of the network infrastructure, deny the transmission and permeation of ICMP echo request and ICMP echo reply packets within a network infrastructure; they only permit network management stations and devices to conduct ICMP echo request and ICMP echo reply packets internally, based on the source IP address of the network management workstations.
PING sweeps are done to identify active IP host devices. Penetrating a perimeter defense and using an agent to conduct a PING sweep is typically done by attackers because many IT infrastructures deny ICMP echo request and ICMP echo reply packets. Figure 6.7 depicts a PING sweep to identify active IP hosts. Denying ICMP echo request packets from outside of the network infrastructure is common.
Figure 6.7. PING sweeps are done to identify active IP hosts.
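The low-and-slow scanning and the PING sweep from a compromised internal host described above share one observable: a single source touching many distinct targets. The following detection sketch is an added example, not taken from the book; the log format, the addresses, the thresholds, and the management-station allowlist are all constructed assumptions. It shows why a short counting window misses a staggered scan while a long window catches it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the only station permitted to send ICMP echo requests internally.
MGMT_STATIONS = {"10.0.0.10"}


def build_sample_log():
    """Constructed flow records: 'ISO-time src dst proto target'."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    lines = []
    # Slow scanner: one TCP probe every 10 minutes, a new port each time.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389]):
        ts = t0 + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 192.0.2.10 tcp {port}")
    # PING sweep from an internal workstation: 20 hosts in 20 seconds.
    for i in range(20):
        ts = t0 + timedelta(hours=1, seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.5.23 10.0.1.{i + 1} icmp echo-request")
    # Management station polling the same 20 hosts (permitted by policy).
    for i in range(20):
        ts = t0 + timedelta(hours=2, seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.10 10.0.1.{i + 1} icmp echo-request")
    # Ordinary client: repeated connections to one web server port.
    for i in range(30):
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.50 192.0.2.10 tcp 443")
    return sorted(lines)  # ISO timestamps sort chronologically


def parse(line):
    """Split one record into (timestamp, source, target tuple)."""
    ts, src, dst, proto, target = line.split()
    return datetime.fromisoformat(ts), src, (dst, proto, target)


def max_fanout(lines, window):
    """Peak number of distinct targets each source touched within any window."""
    recent = defaultdict(deque)  # src -> (timestamp, target) pairs still in window
    peak = defaultdict(int)
    for line in lines:
        ts, src, target = parse(line)
        q = recent[src]
        q.append((ts, target))
        while ts - q[0][0] > window:  # expire records older than the window
            q.popleft()
        peak[src] = max(peak[src], len({t for _, t in q}))
    return dict(peak)


def flag_scanners(lines, window, min_targets, allow=MGMT_STATIONS):
    """Sources whose fan-out reaches min_targets and that are not allowlisted."""
    fanout = max_fanout(lines, window)
    return sorted(s for s, n in fanout.items() if n >= min_targets and s not in allow)


if __name__ == "__main__":
    log = build_sample_log()
    print("60-second window:", flag_scanners(log, timedelta(seconds=60), 5))
    print("24-hour window:  ", flag_scanners(log, timedelta(hours=24), 5))
```

Counting distinct targets rather than packets keeps a busy but legitimate client (many connections to one port) below the threshold in both windows.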
TCP/IP Simple Network Management Protocol (SNMP)
Another TCP/IP application that is commonly used in TCP/IP-based network infrastructures is the Simple Network Management Protocol (SNMP), which is an application layer protocol that facilitates the exchange of management information between an SNMP manager and SNMP manageable devices. SNMP utilizes the TCP/IP protocol suite and enables network managers to manage network performance, network availability, and configuration management for moves, additions, and changes to the SNMP devices configuration. SNMP enables network administrators to manage network performance, to find and solve network problems, and to plan for network growth. All SNMP manageable devices use the word "Public" as the default password for SNMP Read-Only (RO) community strings. The word "Private" is the default password for SNMP Read-Write (RW) community strings.
These default SNMP RO and RW community string passwords need to be changed by the SNMP Network Administrator in all SNMP manageable devices that are deployed in an IT infrastructure. This must conform to the IT organization's policies regarding password creation and password changes. This is a vulnerability that is commonly found in SNMP managed IT infrastructures where network administrators and managers forget to define security controls when deploying and implementing an enterprisewide SNMP network management system.
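One way to check for the default community strings described above is to audit exported device configurations. This is an added example, not from the book: the two configuration fragments, the device names, and the 12-character minimum (a stand-in for the organization's password policy) are constructed assumptions. The parser handles Cisco IOS-style "snmp-server community" lines and Net-SNMP "rocommunity"/"rwcommunity" lines.

```python
import re

DEFAULTS = {"public", "private"}   # default RO / RW community strings
MIN_LENGTH = 12                    # assumption: stand-in for the password policy

IOS_LINE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.I)
NETSNMP_LINE = re.compile(r"^\s*(ro|rw)community6?\s+(\S+)", re.I)

# Constructed IOS-style fragment.
ROUTER_CFG = """\
hostname edge-router
! SNMP section
snmp-server community public RO
snmp-server community Private RW 10
snmp-server community n0c-R3ad0nly-7f3a91 RO 10
"""

# Constructed Net-SNMP snmpd.conf fragment.
HOST_CFG = """\
# SNMP agent settings
rocommunity monitor 10.0.0.10
rwcommunity private
"""


def communities(config_text):
    """Yield (community, access) pairs found in either configuration style."""
    for line in config_text.splitlines():
        m = IOS_LINE.match(line)
        if m:
            # IOS treats a community with no RO/RW keyword as read-only.
            keywords = m.group(2).upper().split()
            yield m.group(1), "RW" if "RW" in keywords else "RO"
            continue
        m = NETSNMP_LINE.match(line)
        if m:
            yield m.group(2), m.group(1).upper()


def audit(device, config_text):
    """Return (device, access, community, reason) for each weak community."""
    findings = []
    for community, access in communities(config_text):
        if community.lower() in DEFAULTS:
            reason = "default community string"
        elif len(community) < MIN_LENGTH:
            reason = "shorter than assumed policy minimum"
        else:
            continue
        findings.append((device, access, community, reason))
    return findings


if __name__ == "__main__":
    for name, cfg in (("edge-router", ROUTER_CFG), ("nms-host", HOST_CFG)):
        for finding in audit(name, cfg):
            print(*finding, sep=" | ")
```

The comparison is case-insensitive so that "Private" is caught as well as "private"; a finding with RW access is the more urgent one because it permits configuration changes.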
Reconnaissance Scanning and Probing Tools
Attackers utilize many automated and user-friendly tools during this stage of the attack. Attackers commonly scan IT infrastructures and IT assets to determine what services and applications are running on servers, workstations, and other IT devices connected to the network infrastructure. Scanning is typically done using automated port scanner tools or OS fingerprinting tools that send reconnaissance packets into and through an IT infrastructure, seeking information about the IT assets that are currently installed.
When a remote machine connects to a server, a banner message often displays with the initial response from the server. For example, a Microsoft Exchange 5.5 Server might respond with 220 ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready.
Many IT system administrators create banner messages when a user first accesses an IT system or server. When a user attempts to connect to the IT system or server, there is often a banner message associated with the initial response from the server. Banners can reveal information about the version of the service or application that is running, the features it supports, and even software patches that have been installed. This information can be used to help make an informed decision about whether to attack.
IT system administrators should minimize the amount of data and information contained in the banner message so that an attacker cannot use this data to cross-reference with known software vulnerabilities that can be exploited.
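A banner review can be automated by checking each service greeting for version numbers. The sketch below is an added example, not from the book; apart from the Exchange banner quoted above, the sample banners and service names are constructed. It first removes the fields the protocol itself requires (the SMTP reply code, the SSH protocol version, the HTTP header name) so that only text the administrator chose to disclose is examined.

```python
import re

# Dotted version numbers such as 5.5.2650.21 or 8.9p1.
VERSION = re.compile(r"\d+(?:\.\d+)+[\w.-]*")

# Fields that are part of the protocol, not a disclosure by the administrator.
PROTOCOL_PREFIXES = [
    re.compile(r"^SSH-\d+\.\d+-(?P<rest>.*)$"),         # SSH identification string
    re.compile(r"^\d{3}[ -](?P<rest>.*)$"),             # SMTP/FTP reply code
    re.compile(r"^Server:\s*(?P<rest>.*)$", re.I),      # HTTP response header
]

PAGE_BANNER = ("220 ESMTP Server (Microsoft Exchange Internet Mail "
               "Service 5.5.2650.21) ready")

# Constructed samples, except the first, which is the banner quoted in the text.
SAMPLES = {
    "smtp-legacy": PAGE_BANNER,
    "smtp-minimized": "220 mail.example.com ESMTP",
    "ssh-default": "SSH-2.0-OpenSSH_8.9p1",
    "ssh-minimized": "SSH-2.0-sshd",
    "http-default": "Server: Apache/2.4.41 (Ubuntu)",
}


def voluntary_text(banner):
    """Return the banner with protocol-mandated leading fields removed."""
    banner = banner.strip()
    for pattern in PROTOCOL_PREFIXES:
        m = pattern.match(banner)
        if m:
            return m.group("rest")
    return banner


def audit_banner(banner):
    """Report version strings a banner discloses beyond what the protocol needs."""
    versions = VERSION.findall(voluntary_text(banner))
    return {"versions": versions, "discloses": bool(versions)}


def disclosing(banners):
    """Names of the services whose banners reveal a software version."""
    return [name for name, b in banners.items() if audit_banner(b)["discloses"]]


if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        result = audit_banner(banner)
        status = "DISCLOSES " + ", ".join(result["versions"]) if result["discloses"] else "ok"
        print(f"{name:15} {status}")
```

Without the prefix handling, the mandatory "2.0" in every SSH identification string would be reported as a finding and hide the banners that actually need attention.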
After a target network has been identified, the attacker then commences with a port scanning step to identify the IP host devices, what applications and services are running, and what port numbers are being used by the IP host device. Several popular port scanning applications that an attacker could use are available as freeware applications. One of the most popular is Nmap (available for Unix and Windows). MingSweeper is another network reconnaissance tool for Microsoft Windows NT/2000 workstations and is designed to facilitate large address space and high-speed node discovery and identification. These tools permit an attacker to discover and identify hosts by performing PING sweeps, probing for open TCP and UDP service ports, and identifying operating systems and applications running on IP host devices. This is a wealth of information for an attacker to plan out an attack by finding weaknesses or vulnerabilities in the IT infrastructure and its assets.
Access and Privilege Escalation Stage
The second stage of an attack consists of the access and privilege escalation step, in which an attacker attempts to gain access to an IT system, resource, or device within the IT infrastructure based on a known or identifiable vulnerability in the IT device's software. An attacker who knows what IT assets are available within an IT infrastructure and has located potential entry points can proceed with this second stage of the attack. After an attacker gains access to an IT system, resource, or application, the attacker uses a system or application exploitation of a known vulnerability to gain control of the device. The process of increasing or enhancing the attacker's level of authority, administration, and user privileges in an IT system, resource, or application is called privilege escalation. An attacker with elevated privileges, such as system administrator, has access to the entire server or workstation, including being able to read and extract data from the server itself. Privilege escalation can occur because of any number of security defects in software, such as a buffer overflow or a website with data fields that react unfavorably to tainted or malformed input data.
After the attacker has obtained unauthorized access, the extent of the damage that unauthorized access can cause depends on the target and the motives for the attack. After gaining access, what can an attacker do? Examples of critical security breaches are listed next:
Access Is Compromised and Privilege Escalation Commences
The second stage of an attack, Access and Privilege Escalation, is solely dependent on the attacker being able to gain access to an IT device. Access to an IT device usually means compromising user ids and passwords. User ids and passwords can be compromised using various techniques and tools. Some of these are described next:
After this access is obtained, the objective of the attack is to increase the level of authority or access right privileges on the IT device. This can be done by exploiting a buffer overflow or some other vulnerability. In Figure 6.8, the attacker accesses the website on www.victim.com by attacking a known vulnerability on the web server itself. After access is obtained, the attacker attempts to increase the level of authority on the web server, thus allowing system administrator or increased levels of authority on the IT device itself. In essence, now the attacker has opened the door to the IT device, and the wealth of information and data on the IT device can be compromised, stolen, or damaged, depending on the motives, goals, and objectives of the attacker.
Figure 6.8. Access and privilege escalation on an IT device.
Eavesdropping, Data Collection, Damage, or Theft Stage
After access and privilege escalation has been achieved, the attacker can carry out the final stage of the attack plan by causing one of the following acts:
Gaining unauthorized access to an organization's IT infrastructure and its assets may be a criminal charge in itself, depending on the location of the organization. In addition, after unauthorized access is achieved by an attacker, the preceding list describes common attacks done during the third stage of an attack. This is where the severity of the security breach becomes apparent. Because of the criminal nature of the preceding attacks, attackers seldom conduct direct attacks from their own IT devices, mainly because through proper subpoenas and forensic investigation techniques, the source IP address of the attacker can eventually be found. Remember that attackers are smart enough not to attack from their own IT devices but are capable of using Trojan-like applications and malicious software to gain control of other IT devices that are high speed and connected to the Internet.
An example of the third stage in an attack is a malformed data attack. If an application cannot properly handle inputted data because it was corrupt or it accepted malformed data, applications and systems can behave strangely and possibly be compromised. Malformed data attacks typically inject bad data or malformed data into data fields of the application. Improper error handling or buffer overflow errors are common defects that open an application or system as a result of this type of malformed data attack.