The Hacker Approach to Attacking Networks


Attackers choose the path of least resistance when attacking a network. They start with efforts to discover the architecture of the network and then attempt to exploit any weaknesses they find. Most attackers possess a limited set of attack methods (exploits), which they can use only when particular technologies and configurations (preconditions) exist on their target's network. The discovery process enables them to find out whether the network possesses any of the required prerequisites, so the first line of defense for a network is to prevent as much discovery activity as possible. You can reduce an attacker's ability to learn whether your network is vulnerable by limiting the unnecessary information your network releases using techniques such as filtering ICMP messages, changing application headers, and employing split DNS configurations.
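To make the point about application headers concrete, here is an added example (not from the book) that audits captured service responses for product and version strings an outsider could match against exploit preconditions. The host names, banners and version numbers are constructed samples, and `audit` and `report` are hypothetical helper names.

```python
import re

# Constructed sample responses, as a defender might capture them from their
# own perimeter services. Hosts and version strings are illustrative only.
SAMPLES = {
    "web-dmz": "HTTP/1.1 200 OK\r\n"
               "Server: Apache/2.0.52 (Unix) PHP/4.3.10\r\n"
               "X-Powered-By: PHP/4.3.10\r\n"
               "Content-Type: text/html\r\n\r\n",
    "web-hardened": "HTTP/1.1 200 OK\r\n"
                    "Server: webserver\r\n"
                    "Content-Type: text/html\r\n\r\n",
    "mail-gw": "220 mail.example.com ESMTP Sendmail 8.13.1/8.13.1; "
               "Mon, 3 Jan 2005 10:00:00 -0500\r\n",
    "mail-hardened": "220 mail.example.com ESMTP\r\n",
}

# HTTP headers that commonly carry product/version strings.
DISCLOSING_HEADERS = {"server", "x-powered-by", "via"}
# A product token followed by a dotted version, e.g. "Apache/2.0.52".
VERSION = re.compile(r"[A-Za-z][\w+-]*[/ _-]v?\d+(?:\.\d+)+[\w.-]*")

def audit(banner):
    """Return (field, leaked_token) pairs found in one captured response."""
    lines = banner.split("\r\n")
    findings = []
    if lines[0].startswith("HTTP/"):
        # Skip the status line (HTTP/1.1 is protocol, not product, version).
        for line in lines[1:]:
            if not line:
                break  # blank line ends the header block
            name, _, value = line.partition(":")
            if name.strip().lower() in DISCLOSING_HEADERS:
                findings += [(name.strip(), t) for t in VERSION.findall(value)]
    else:
        # Non-HTTP service: treat the first line as the greeting banner.
        findings += [("greeting", t) for t in VERSION.findall(lines[0])]
    return findings

def report(samples):
    """Map each host to its findings; an empty list means nothing leaked."""
    return {host: audit(banner) for host, banner in samples.items()}

if __name__ == "__main__":
    for host, found in report(SAMPLES).items():
        print(host, "->", found or "no version disclosure")
```

Running the same check before and after a header change confirms that the hardened configuration actually took effect on the wire.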

The attacker who gets by your anti-discovery defenses begins to map out the vulnerabilities on your network and match them up against the available exploit techniques. If the attacker finds a match, he can launch the exploit in an attempt to subvert some part of your network. An attacker who does manage to gain some access can use it to leverage more access into the network. The attacker repeats this discovery/exploit process until he runs out of techniques or achieves his attack goals. One of your goals when designing the security for your network should be to frustrate attackers long enough that they go away in search of an easier target. Failing that, slowing them down gives you a chance to detect them.

The designs that we review in this chapter are already good at frustrating attackers. It is our job to see if we can add further frustration to their lives by thinking about how they might subvert our networks and using this knowledge to design additional security controls.



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230
