Module 3

Network Intrusion Tactics

Network interception attacks

Network interception attacks work by intercepting network traffic and stealing valuable
information or interfering with the transmission in some way.

Malicious actors can use hardware or software tools to capture and inspect data in transit.
This is referred to as packet sniffing. malicious actors can also intercept network traffic and
alter it. For example, an attacker can intercept a bank transfer and change the account
receiving the funds to one that the attacker controls.

Backdoor attacks

backdoors are weaknesses intentionally left by programmers or system and network

administrators that bypass normal access control mechanisms. Backdoors are intended to help
programmers conduct troubleshooting or administrative tasks. However, backdoors can also
be installed by attackers after they’ve compromised an organization to ensure they have
persistent access.

A DoS attack is an attack that targets a network or server and floods it with network
traffic.

A distributed denial of service attack, or DDoS, is a kind of DoS attack that uses multiple
devices or servers in different locations to flood the target network with unwanted
traffic. Use of numerous devices makes it more likely that the total amount of traffic sent will
overwhelm the target server.
three common network level DoS attacks.
The first is called a SYN flood attack.
A SYN flood attack is a type of DoS attack that simulates the TCP connection and floods the
server with SYN packets. Taking a closer look at the handshake process that is used to
establish a TCP connection between a device and a server.
The first step in the handshake is for the device to send a SYN, or synchronize, request to the
server. Then, the server responds with a SYN/ACK packet to acknowledge the receipt of the
device's request and leaves a port open for the final step of the handshake. Once the server
receives the final ACK packet from the device, a TCP connection is established.
Malicious actors can take advantage of the protocol by flooding a server with SYN packet
requests for the first part of the handshake. But if the number of SYN requests is larger than the
number of available ports on the server, then the server will be overwhelmed and become unable
to function.

two other common DoS attacks

that use another protocol called ICMP.
An ICMP flood attack
is a type of DoS attack performed by an attacker
repeatedly sending ICMP packets to a network server.
This forces the server to send an ICMP packet.
This eventually uses up all the bandwidth for incoming
and outgoing traffic and causes the server to crash.
A ping of death attack is
a type of DoS attack that is caused when a hacker
pings a system by sending it
an oversized ICMP packet
that is bigger than 64 kilobytes,
the maximum size for a correctly formed ICMP packet.
Pinging a vulnerable network server with
an oversized ICMP packet
will overload the system and cause it to crash.

Read tcpdump logs

A network protocol analyzer, sometimes called a packet sniffer or a packet analyzer, is a
tool designed to capture and analyze data traffic within a network. They are commonly used
as investigative tools to monitor networks and identify suspicious activity. There are a wide
variety of network protocol analyzers available, but some of the most common analyzers
include:

 SolarWinds NetFlow Traffic Analyzer

 ManageEngine OpManager

 Azure Network Watcher

 Wireshark

 Tcpdump

tcpdump
tcpdump is a command-line network protocol analyzer. It is popular, lightweight–meaning it
uses little memory and has a low CPU usage–and uses the open-source libpcap library.
tcpdump is text based, meaning all commands in tcpdump are executed in the terminal. It can
also be installed on other Unix-based operating systems, such as macOS®. It is preinstalled
on many Linux distributions. tcpdump also displays the source IP address, destination IP
addresses, and the port numbers being used in the communications.

Interpreting output

tcpdump prints the output of the command as the sniffed packets in the command line, and
optionally to a log file, after a command is executed. The output of a packet capture contains
many pieces of important information about the network traffic.
Some information you receive from a packet capture includes:

 Timestamp: The output begins with the timestamp, formatted as hours, minutes,
seconds, and fractions of a second.

 Source IP: The packet’s origin is provided by its source IP address.

 Source port: This port number is where the packet originated.

 Destination IP: The destination IP address is where the packet is being transmitted to.

 Destination port: This port number is where the packet is being transmitted to.

 TCP Flag codes include:

 Flags [S] - Connection Start

 Flags [F] - Connection Finish

 Flags [P] - Data Push

 Flags [R] - Connection Reset

 Flags [.] - Acknowledgment

Common uses

tcpdump and other network protocol analyzers are commonly used to capture and view
network communications and to collect statistics about the network, such as troubleshooting
network performance issues. They can also be used to:

 Establish a baseline for network traffic patterns and network utilization metrics.

 Detect and identify malicious traffic

 Create customized alerts to send the right notifications when network issues or
security threats arise.

 Locate unauthorized instant messaging (IM), traffic, or wireless access points

A botnet is a collection of computers infected by malware that are under the control of a
single threat actor, known as the “bot-herder." Each computer in the botnet can be
remotely controlled to send a data packet to a target system. In a botnet attack, cyber
criminals instruct all the bots on the botnet to send data packets to the target system at
the same time, resulting in a DDoS attack.
Malicious packet sniffing
Packet sniffing is the practice of using software tools to observe data as it moves across a
network

Packet sniffing can be passive or active.

Passive packet sniffing is a type of attack where data packets are read in transit.

Active packet sniffing is a type of attack where data packets are manipulated in transit.
This may include injecting internet protocols to redirect the packets to an unintended port or
changing the information the packet contains.

 One way to protect against malicious packet sniffing is to use a VPN to encrypt and
protect data as it travels across the network.
 Another way to add a layer of protection against packet sniffing is to make sure that
websites you have use HTTPS at the beginning of the domain address.
 One final way to help protect yourself against malicious packet sniffing is to
avoid using unprotected WiFi. You usually find unprotected WiFi in public places like
coffee shops, restaurants, or airports.

IP Spoofing
IP spoofing is a network attack performed when an attacker changes the source IP of a data
packet to impersonate an authorized system and gain access to a network.

Some common IP spoofing attacks are on-path attacks, replay attacks, and smurf attacks

An on-path attack is an attack where the malicious actor places themselves in the middle of an
authorized connection and intercepts or alters the data in transit. On-path attackers gain access
to the network and put themselves between two devices, like a web browser and a web server.
Then they sniff the packet information to learn the IP and MAC addresses to devices that are
communicating with each other. After they have this information, they can pretend to be either of
these devices.

Another type of attack is a replay attack. A replay attack is a network attack performed when
a malicious actor intercepts a data packet in transit and delays it or repeats it at another time.

A smurf attack is a combination of a DDoS attack and an IP spoofing attack. The attacker sniffs
an authorized user's IP address and floods it with packets. This overwhelms the target computer
and can bring down a server or the entire network.

Firewalls can be configured to protect against IP spoofing

MODULE 4
Security hardening
Security hardening is the process of strengthening a system to reduce its vulnerability and
attack surface. All the potential vulnerabilities that a threat actor could exploit are referred to as a
system's attack surface.

Some common types of hardening procedures include software updates, also called patches,and
device application configuration changes. Other examples of security hardening include
removing or disabling unused applications and services, disabling unused ports, and reducing
access permissions across devices and network

Another important strategy for security hardening is to conduct regular penetration testing. A
penetration test, also called a pen test, is a simulated attack that helps identify
vulnerabilities in a system, network, website, application, and process.

OS hardening practices
 A patch update is a software and operating system, or OS, update that
addresses security vulnerabilities within a program or product.

 The newly updated OS should be added to the baseline configuration, also called the
baseline image. A baseline configuration is a documented set of specifications within a
system that is used as a basis for future builds, releases, and updates.

 Another hardening task performed regularly is hardware and software disposal. This
ensures that all old hardware is properly wiped and disposed of.

 The final OS hardening technique that we'll discuss is implementing a strong password
policy. Some systems also require multi-factor authentication, or MFA

Brute force attacks

A brute force attack is a trial-and-error process of discovering private information. There

are different types of brute force attacks that malicious actors use to guess passwords,
including:

 Simple brute force attacks. When attackers try to guess a user's login credentials, it’s
considered a simple brute force attack. They might do this by entering any
combination of usernames and passwords that they can think of until they find the one
that works.

 Dictionary attacks use a similar technique. In dictionary attacks, attackers use a list of
commonly used passwords and stolen credentials from previous breaches to access a
system. These are called “dictionary” attacks because attackers originally used a list
of words from the dictionary to guess the passwords, before complex password rules
became a common security practice.

Assessing vulnerabilities
Before a brute force attack or other cybersecurity incident occurs, companies can run a series
of tests on their network or web applications to assess vulnerabilities

Virtual machines (VMs)

Virtual machines (VMs) are software versions of physical computers. VMs provide an
additional layer of security for an organization because they can be used to run code in an
isolated environment, preventing malicious code from affecting the rest of the computer
or system. VMs can also be deleted and replaced by a pristine image after testing
malware. There’s still a small risk that a malicious program can escape virtualization and
access the host machine.

Sandbox environments
A sandbox is a type of testing environment that allows you to execute software or programs
separate from your network. They are commonly used for testing patches, identifying and
addressing bugs, or detecting cybersecurity vulnerabilities. Sandboxes can also be used to
evaluate suspicious software, evaluate files containing malicious code, and simulate
attack scenarios. Note that some malware authors know how to write code to detect if the
malware is executed in a VM or sandbox environment. Attackers can program their
malware to behave as harmless software when run inside these types of testing
environments.

Prevention measures
Some common measures organizations use to prevent brute force attacks and similar attacks
from occurring include:

 Salting and hashing: Hashing converts information into a unique value that can then
be used to determine its integrity. It is a one-way function, meaning it is impossible to
decrypt and obtain the original text. Salting adds random characters to hashed
passwords. This increases the length and complexity of hash values, making them
more secure.

 Multi-factor authentication (MFA) and two-factor authentication (2FA)

 CAPTCHA and reCAPTCHA: CAPTCHA stands for Completely Automated

Public Turing test to tell Computers and Humans Apart. It asks users to complete a
simple test that proves they are human. This helps prevent software from trying to
brute force a password. reCAPTCHA is a free CAPTCHA service from Google that
helps protect websites from bots and malicious software.

 Password policies
Network hardening

Network hardening practices

Tasks performed regularly:

 Firewall rules maintenance

 Network log analysis

 Patch updates

 Server backups

Tasks performed once:

 Port filtering on firewalls

 Network access privileges/ segmentation

 Encryption

Port filtering is a firewall function that blocks or allows certain port numbers to limit unwanted
communication. A basic principle is that the only ports that are needed are the ones that are
allowed. Any port that isn't being used by the normal network operations should be disallowed.

Security analysts also use

network segmentation to create
isolated subnets for
different departments in an organization.
For example, they might make one for
the marketing department and
one for the finance department.

Network security applications

you are going to learn about the role of four devices used to secure a network—firewalls,
intrusion detection systems, intrusion prevention systems, and security incident and
event management tools(SIEM).

Firewall

Firewalls allow or block traffic based on a set of rules. As data packets enter a network, the
packet header is inspected and allowed or denied based on its port number.

Intrusion Detection System

An intrusion detection system (IDS) is an application that monitors system activity and
alerts on possible intrusions. An IDS alerts administrators based on the signature of malicious
traffic.

The IDS is placed behind the firewall and before entering the LAN, which allows the IDS to
analyze data streams after network traffic that is disallowed by the firewall has been
filtered out. This is done to reduce noise in IDS alerts, also referred to as false positives.

Intrusion Prevention System

An intrusion prevention system (IPS) is an application that monitors system activity for
intrusive activity and takes action to stop the activity. It offers even more protection than an
IDS because it actively stops anomalies when they are detected, unlike the IDS that simply
reports the anomaly to a network administrator.

The IPS (like an IDS) sits behind the firewall in the network architecture. This offers a high
level of security because risky data streams are disrupted before they even reach sensitive
parts of the network.

However, one potential limitation is that it is inline: If it breaks, the connection between
the private network and the internet breaks.

Another limitation of IPS is the possibility of false positives, which can result in legitimate
traffic getting dropped.

Full packet capture devices

Full packet capture devices can be incredibly useful for network administrators and security
professionals. These devices allow you to record and analyze all of the data that is transmitted
over your network. They also aid in investigating alerts created by an IDS.

SIEMtools

Cloud Hardening

Network security in the cloud

cloud network is a collection of
servers or computers that stores resources and
data in a remote data center that can be accessed via the internet.

Just like regular web servers, cloud servers also require proper maintenance
done through various security hardening procedures.

One distinction between cloud network hardening and

traditional network hardening is the use of a server baseline image for
all server instances stored in the cloud.
This allows you to compare data in the cloud servers to the baseline image to
make sure there haven't been any unverified changes.

Secure the cloud

Identity access management

Identity access management (IAM) is a collection of processes and technologies that helps
organizations manage digital identities in their environment.

Configuration
The number of available cloud services adds complexity to the network. Each service must be
carefully configured to meet security and compliance requirements.

Attack surface
Cloud service providers (CSPs) offer numerous applications and services for organizations at
a low cost. Every service or application on a network carries its own set of risks and
vulnerabilities and increases an organization’s overall attack surface. An increased attack
surface must be compensated for with increased security measures.

Zero-day attacks
Zero-day attacks are an important security consideration for organizations using cloud or
traditional on-premise network solutions. A zero day attack is an exploit that was previously
unknown. CSPs are more likely to know about a zero day attack occurring before a traditional
IT organization does.

Cryptography and cloud security

Cloud security hardening

Some common cloud security hardening techniques include incorporating IAM,

hypervisors, baselining, cryptography, and cryptographic erasure.

Identity access management (IAM)

Identity access management (IAM) is a collection of processes and technologies that helps
organizations manage digital identities in their environment. This service also authorizes how
users can leverage different cloud resources.

A hypervisor abstracts the host’s hardware from the operating software environment.
There are two types of hypervisors. Type one hypervisors run on the hardware of the host
computer. An example of a type one hypervisor is VMware®'s EXSi. Type two hypervisors
operate on the software of the host computer. An example of a type two hypervisor is
VirtualBox. Cloud service providers (CSPs) commonly use type one hypervisors. CSPs are
responsible for managing the hypervisor and other virtualization components.
Baselining
A baseline is a fixed reference point. This reference point can be used to compare changes
made to a cloud environment.

Cryptography in the cloud

Cryptography can be applied to secure data that is processed and stored in a cloud
environment. Cryptography uses encryption and secure key management systems to provide
data integrity and confidentiality.

Cryptographic erasure

Cryptographic erasure is a method of erasing the encryption key for the encrypted data. When
destroying data in the cloud, more traditional methods of data destruction are not as effective.
Crypto-shredding is a newer technique where the cryptographic keys used for decrypting the
data are destroyed

 Trusted platform module (TPM). TPM is a computer chip that can securely store
passwords, certificates, and encryption keys.
 Cloud hardware security module (CloudHSM). CloudHSM is a computing device that
provides secure storage for cryptographic keys and processes cryptographic
operations, such as encryption and decryption.
Organizations and customers do not have access to the cloud service provider (CSP)
directly, but they can request audits and security reports by contacting the CSP.
Customers typically do not have access to the specific encryption keys that CSPs use to
encrypt the customers’ data. However, almost all CSPs allow customers to provide their
own encryption keys, depending on the service the customer is accessing. In turn, the
customer is responsible for their encryption keys and ensuring the keys remain
confidential.