Attackers


A wise and prudent course of action is to become familiar with the people who pose a threat to you and your business and not underestimate them.

Those who are responsible for network attacks are known by several different names. The most common are hackers, crackers, phreaks, or attackers. This book uses the terms hacker and attacker interchangeably. Attackers are those who attempt to run software with malicious intent on or against a network device that doesn't belong to them.

The sophistication of attackers ranges from people who are elite programmers to people who download and run well-documented scripts. Script downloaders are often referred to as script kiddies. Don't make the mistake of thinking that a script kiddie, who is not as experienced or knowledgeable as an elite hacker, can't break into your system. Scripted tools on the Internet are advanced and can break into almost any system with the same ease as an elite hacker. The predominant notion is that most security attacks are carried out by script kiddies.

Never underestimate attackers. Most of them are highly intelligent people and know their way around a computer or a network as well as or better than many network or computer professionals. Attackers can be creative in ways they choose to compromise computers. For this reason, you should strongly consider using the previously mentioned layered security architecture (defense in depth) to counter their exploit attempts. The good news is that most attackers look to exploit networks that are marginally secured. If you implement defense in depth and subvert initial attacks, most hackers who are randomly looking for networks to attack will give up and start looking for the next victim. Although firewall deployment is the main focus of this book, you also learn how to deploy defense in depth all the way to your hosts and servers, providing a solid security platform that will deter or stop attackers.

Motivation for Attacks

Some people might be surprised that hackers aren't all evil and don't attack sites just to cause harm. Many attackers believe that because of their efforts to subvert security, they are making the industry stronger; after all, they reason, vendors are forced to provide more sophisticated and effective security. Many times, an attacker targets operating system vendors, application vendors, or network equipment makers so that they will clean up their security flaws, resulting in tighter security for everyone.

Of course, many attackers exploit systems for fun, fame, bragging rights, profit, revenge, or just to be destructive.

Whatever the motive of the attacker, the approach to defend a network is the same. Build layers of defense to ensure that if an attacker gets past the first layer, the next layer catches the attack. Chapter 2 covers this network defense strategy in detail.

Anatomy of a Computer Attack

To know what security is required to stop an attack, you must understand how hackers launch an attack. This understanding also helps you to recognize whether networks or hosts within your network have come under attack.

The first thing to know is that there are three "basic" types of attacks, as follows:

  • Worm Propagates itself across a network and begins its malicious activity.

  • Virus Requires that a user take an action such as opening an e-mail attachment before it starts its malicious behavior. Sometimes, if a virus spreads itself outside of the infected host, it will start to propagate itself similar to a worm. Viruses that exhibit this behavior are sometimes referred to as virms (virus-borne worms), a name derived by merging the words virus and worm.

  • Directed attack This is when a hacker decides that he wants to attack a specific device or network. This is not a random attack. A certain device is the focus of an attack, and the hacker manually tries to exploit its vulnerabilities. This type of attack is generally done for a specific reason (for example, financial gain, revenge, or bragging rights).

Any attack against a network host or server comprises five basic parts, as illustrated in Figure 1-1.

Figure 1-1. Worm/Virus Attack Model


The list that follows provides detailed information about the five different stages of the worm/virus/directed attack model illustrated in Figure 1-1. This is a general list. All attacks fall within this attack paradigm. For example, an e-mail virus might or might not do a probe, but its entry into the host still takes place in the penetrate or persist phase:

  1. Probe Hackers must learn certain basic things about your network or host before they know what attacks to run. This is called the probe phase. Normally, hackers want to know what type of traffic is allowed into a network, what servers are accessible from the outside, the operating system of the exposed servers, and the applications running on the exposed servers.

  2. Penetrate After attackers have discovered the information from the probe phase, they can check one of many databases on the Internet to find out how to exploit the exposed servers. The weaknesses in these systems are also called security vulnerabilities. In the penetrate phase, hackers run scripts or programs against the servers to put themselves into a position where they can gain access to the system. In many of the popular worms of the past few years, attackers looked to cause buffer overflows (which allow a hacker to overwrite memory with their own code) and then executed a shell script from the buffer, gaining shell access with administrative rights to the exploited machine. In many cases, hackers literally have a DOS prompt from an exploited machine displayed on the device they are using to launch the attack.

  3. Persist After attackers have control of a machine, they must download their malicious software and perhaps install it to the system directory or put it into the startup of the exploited machine so that, even if the machine reboots, the hacker still has control of it. During this phase, attackers can also add usernames and passwords so that they can easily get back into the machine whenever they want. Attackers at this point have control over the device, and because the device is on the network, they could choose to exploit other devices or use a network sniffer to steal usernames and passwords from other devices.

  4. Propagate In this phase, the malicious code run in the persist stage looks for other machines with the same vulnerability to attack and infect using the same process and same malicious code. The worm called Slammer did this extremely effectively, infecting 1.4 million hosts in a short period of time. Almost all the publicized attacks in the past few years (including worms such as Slammer, Code Red, Nimda, Sasser, and Blaster) have had an efficient propagation phase.

  5. Paralyze This is potentially the most damaging stage of an attack. The objective or side effect of many worms is to use up all the network bandwidth and render entire networks unusable. However, other worms are more destructive and remove key files (causing systems to crash), create back doors, or steal customer information, such as credit card numbers, customer lists, or financial information. Imagine for a second the damage that could have been done by a worm such as Slammer. If the author had chosen to search a disk drive and steal credit card numbers on all the compromised hosts, instead of just flooding the network, there could potentially have been tens of thousands of credit cards that could have been used for fraudulent activity. In turn, that could have cost businesses and consumers untold millions of dollars.

This attack model was used in the first network attack (the Morris worm, 1988) and is still used today. This model is a classic worm attack. E-mail viruses and directed attacks use basically the same methods, except the probe phase isn't generally necessary before a virus attack.
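A defender can turn the probe and propagate stages of this model into detection rules. The following added example (not from the book) runs two such rules over a constructed firewall log: an outside source touching many distinct ports on one inside host (probe), and an inside host fanning out to many peers on one service port, the Slammer pattern (propagate). The log layout, the 192.0.2.0/24 protected subnet, and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log in an assumed "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>" layout.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed protected subnet
SAMPLE_LOG = """\
10:00:01 deny tcp 203.0.113.9:40001 -> 192.0.2.10:21
10:00:01 deny tcp 203.0.113.9:40002 -> 192.0.2.10:22
10:00:02 deny tcp 203.0.113.9:40003 -> 192.0.2.10:23
10:00:02 deny tcp 203.0.113.9:40004 -> 192.0.2.10:25
10:00:03 deny tcp 203.0.113.9:40005 -> 192.0.2.10:110
10:00:03 permit tcp 203.0.113.9:40006 -> 192.0.2.10:80
10:00:04 permit tcp 198.51.100.7:51000 -> 192.0.2.10:80
10:05:00 permit udp 192.0.2.10:1434 -> 192.0.2.11:1434
10:05:00 permit udp 192.0.2.10:1434 -> 192.0.2.12:1434
10:05:00 permit udp 192.0.2.10:1434 -> 192.0.2.13:1434
10:05:01 permit udp 192.0.2.10:1434 -> 192.0.2.14:1434
10:05:01 permit udp 192.0.2.10:1434 -> 192.0.2.15:1434
10:06:00 permit tcp 192.0.2.20:50123 -> 198.51.100.7:443
"""

def parse_line(line):
    """Split one record into its fields; returns None for lines that do not fit the layout."""
    try:
        _time, action, proto, src, _arrow, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
    except ValueError:
        return None
    return {"action": action, "proto": proto, "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport)}

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def detect_probes(events, min_ports=5):
    """Probe phase: an outside source touching many distinct ports on one inside host (denies count too)."""
    ports = defaultdict(set)
    for e in events:
        if ipaddress.ip_address(e["sip"]) not in INTERNAL_NET:
            ports[(e["sip"], e["dip"])].add(e["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

def detect_propagation(events, min_targets=5):
    """Propagate phase: an inside host reaching many peers on the same service port (Slammer: UDP/1434)."""
    targets = defaultdict(set)
    for e in events:
        if ipaddress.ip_address(e["sip"]) in INTERNAL_NET:
            targets[(e["sip"], e["proto"], e["dport"])].add(e["dip"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}
```

Denied connections are deliberately counted in the probe rule: a firewall that blocks a port still records that the attacker asked about it, which is exactly the reconnaissance signal the probe phase leaves behind.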

For more in-depth information on host mitigation, see Chapter 10, "Deploying Host Intrusion Prevention."

Choosing Victims

In many cases, except for revenge or fame, hackers randomly choose their victims, looking for easily exploitable systems. If they find a network that is easy to get into, they take advantage of that and start trying to exploit that network. If hackers try to penetrate a system and can't get the basic information, in many cases, they give up after a few tries. However, don't count on this to protect your network. It is important to put pervasive end-to-end security in place to defend against an attack in case hackers don't give up and do find a vulnerability.

Hackers run network vulnerability scans for days on end using many different IP addresses. When the software reports a vulnerability that they can exploit, their target is identified. The scripted scanning software provides them the following information:

  • A report of which services or ports are being passed through the firewalls on the networks they have scanned

  • A report on the operating systems behind the open ports

  • A report on the applications listening on the open ports

  • (Most alarmingly) A report on which security vulnerabilities are known for that combination of operating system and application

  • The data they need to discover how to exploit the vulnerability and break into the system

The bottom line is that any company that is connected to the Internet can be a victim of a random hacker attack.



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar