Module 6 - Network Attacks - A Deeper Look and Protecting The Network

This document outlines the objectives and methodologies related to network attacks and protection, emphasizing the importance of network traffic monitoring and the vulnerabilities associated with TCP/IP, IP, and application layers. It discusses various network monitoring tools and techniques, including IDS, SIEM, and protocol analyzers, as well as common attack vectors such as DoS, DDoS, and ARP poisoning. Additionally, it highlights the need for a defense-in-depth strategy to safeguard assets, identify vulnerabilities, and mitigate threats in cybersecurity.

Uploaded by

Charles Uy

INFORMATION ASSURANCE & SECURITY 2
MODULE 6
NETWORK ATTACKS: A DEEPER LOOK / PROTECTING THE NETWORK
OBJECTIVES
Upon completion of this module, the student would be able to:
➢ Explain network traffic monitoring and its importance.
➢ Explain how network monitoring is conducted.
➢ Explain how TCP/IP vulnerabilities enable network attacks.
➢ Explain how IP, TCP and UDP vulnerabilities enable network attacks.
➢ Explain how network application vulnerabilities enable network attacks.
OBJECTIVES
Upon completion of this module, the student would be able to:
➢ Explain approaches to network security defense.
➢ Explain how the defense-in-depth strategy is used to protect networks.
➢ Explain security policies, regulations, and standards.
➢ Describe access control policies.
➢ Explain how AAA is used to control network access.
➢ Use various intelligence sources to locate current security threats.
➢ Use threat intelligence to identify threats and vulnerabilities.
NETWORK MONITORING AND
TOOLS
Introduction to Network Monitoring
Network Security Topology
▪ All networks are targets and need
to be secured using a defense-in-
depth approach.
▪ Security analysts must be
intimately familiar with normal
network behavior because
abnormal network behavior
typically indicates a problem.
Introduction to Network Monitoring
Network Monitoring Methods
▪ Tools used to help discover normal network behavior include IDS, packet analyzers, SNMP, NetFlow, and others.
▪ Traffic information capture methods:
• Network TAPs – Network test access points that forward all traffic, including physical layer errors, to an analysis device.
• Port mirroring – enables a switch to copy frames from one or more ports to a Switch Port Analyzer (SPAN) port connected to an analysis device.
Introduction to Network Monitoring
Network Taps
▪ A network tap is typically a
passive splitting device
implemented inline between a
device of interest and the
network. A tap forwards all
traffic including physical layer
errors to an analysis device.
▪ Taps are also typically fail-safe,
which means if it fails or loses
power, traffic between the
firewall and internal router is
not affected.
Introduction to Network Monitoring
Traffic Mirroring and SPAN
▪ Port mirroring enables the switch to copy
frames of one or more ports to a Switch
Port Analyzer (SPAN) port connected to an
analysis device.
▪ In the figure, the switch will forward ingress
traffic on F0/1 and egress traffic on F0/2 to
the destination SPAN port G0/1 connecting
to an IDS.
▪ The association between source ports and a
destination port is called a SPAN session. In
a single session, one or multiple ports can
be monitored.
Introduction to Network Monitoring Tools
Network Security Monitoring Tools
▪ Monitoring Tools:
• Protocol Analyzers – programs used to capture traffic. Ex. Wireshark and tcpdump.
• NetFlow – provides a complete audit trail of basic information about every IP flow forwarded on a device (who talked to whom, when, and how much; not the payload).
• SIEM – Security Information and Event Management systems provide real-time reporting and long-term analysis of security events.
• SNMP – Simple Network Management Protocol provides the ability to request and passively collect information across all network devices.
• Log files – It is also common for security analysts to access syslog log files to read and analyze system events and alerts.
Introduction to Network Monitoring Tools
Network Protocol Analyzers
▪ Analysts can use protocol analyzers such as Wireshark and tcpdump to see network exchanges down to the
packet level.

▪ Network protocol analyzers are also very useful for network troubleshooting, software and protocol
development, and education. In security forensics, a security analyst may reconstruct an incident from relevant
packet captures.
Introduction to Network Monitoring Tools
NetFlow
▪ NetFlow is a Cisco IOS technology that provides 24x7 statistics on packets flowing through a Cisco router or multilayer switch.
▪ NetFlow can be used for network and security
monitoring, network planning, and traffic
analysis; however, it does not capture the
content.
▪ NetFlow collectors like Cisco Stealthwatch can
also perform advanced functions including:
• Flow stitching: It groups individual entries into
flows.
• Flow deduplication: It filters duplicate incoming
entries from multiple NetFlow clients.
• NAT stitching: It simplifies flows with NAT entries.
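The three collector functions named above are easier to understand when you see them operating on records. The following Python is an added illustration, not code from the module or from Cisco Stealthwatch: it runs flow deduplication and flow stitching over a handful of constructed NetFlow-style records (two exporters on the same path, one DNS lookup, one unanswered SSH attempt) and then lists one-sided conversations, which is the kind of question a collector answers that the raw records do not. The "lower port is the server" rule used to pair directions is an assumption, not something NetFlow carries.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow-style record as exported by a router."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: int      # flow start, epoch seconds
    packets: int
    bytes: int


# Constructed records (not real exports): routers R1 and R2 both sit on the
# path of the first conversation, so each exports its own copy of it.
RECORDS = [
    FlowRecord("R1", "10.1.1.5", 51000, "203.0.113.10", 443, 6, 1000, 10, 1500),
    FlowRecord("R1", "203.0.113.10", 443, "10.1.1.5", 51000, 6, 1000, 12, 9000),
    FlowRecord("R2", "10.1.1.5", 51000, "203.0.113.10", 443, 6, 1000, 10, 1500),   # duplicate of R1's
    FlowRecord("R2", "203.0.113.10", 443, "10.1.1.5", 51000, 6, 1000, 12, 9000),   # duplicate of R1's
    FlowRecord("R1", "10.1.1.7", 40000, "198.51.100.20", 53, 17, 1005, 1, 70),
    FlowRecord("R1", "198.51.100.20", 53, "10.1.1.7", 40000, 17, 1005, 1, 300),
    FlowRecord("R1", "10.1.1.9", 60000, "203.0.113.44", 22, 6, 1010, 3, 180),     # never answered
]


def dedupe(records):
    """Flow deduplication: keep one copy of a record that several exporters
    reported (same 5-tuple, start time, packet and byte counts)."""
    seen, out = set(), []
    for r in records:
        key = (r.src, r.sport, r.dst, r.dport, r.proto, r.start, r.packets, r.bytes)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def canonical_key(r):
    """Map both directions of a conversation to one key. Assumption used here:
    the endpoint with the lower port is the server (ties broken by address)."""
    if (r.sport, r.src) > (r.dport, r.dst):
        client, server = (r.src, r.sport), (r.dst, r.dport)
    else:
        client, server = (r.dst, r.dport), (r.src, r.sport)
    return (client[0], client[1], server[0], server[1], r.proto)


def stitch(records):
    """Flow stitching: merge the two unidirectional records of a conversation
    into one bidirectional flow with per-direction counters."""
    flows = OrderedDict()
    for r in records:
        key = canonical_key(r)
        f = flows.setdefault(key, {
            "client": key[0], "client_port": key[1], "server": key[2], "server_port": key[3],
            "proto": key[4], "start": r.start,
            "c2s_packets": 0, "c2s_bytes": 0, "s2c_packets": 0, "s2c_bytes": 0,
        })
        f["start"] = min(f["start"], r.start)
        if (r.src, r.sport) == (key[0], key[1]):
            f["c2s_packets"] += r.packets
            f["c2s_bytes"] += r.bytes
        else:
            f["s2c_packets"] += r.packets
            f["s2c_bytes"] += r.bytes
    return list(flows.values())


def one_sided_flows(flows):
    """Conversations with traffic in one direction only: scans, dropped
    connections, or spoofed-source traffic that can never receive a reply."""
    return [f for f in flows if f["c2s_packets"] == 0 or f["s2c_packets"] == 0]


if __name__ == "__main__":
    flows = stitch(dedupe(RECORDS))
    for f in flows:
        print(f)
    print("one-sided:", one_sided_flows(flows))
```

Without deduplication the web conversation would be counted twice (two exporters, one path); without stitching the unanswered SSH attempt looks like any other record instead of standing out as a half conversation. NAT stitching is not shown: it needs the translation log from the NAT device to join the inside and outside records.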
Introduction to Network Monitoring Tools
SIEM
▪ Security Information and Event Management (SIEM) systems provide real-time
reporting and long-term analysis of security events.
▪ SIEM includes the following essential functions:
• Forensic analysis – The ability to search logs and event records from sources
throughout the organization. It provides more complete information for forensic
analysis.
• Correlation – Examines logs and events from different systems or applications,
speeding detection of and reaction to security threats.
• Aggregation - Aggregation reduces the volume of event data by consolidating
duplicate event records.
• Reporting - Reporting presents the correlated and aggregated event data in real-time
monitoring and long-term summaries.
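Aggregation and correlation are the two SIEM functions an analyst interacts with most, and they are concrete enough to show in code. The following Python is an added example, not part of the module and not how Splunk or ELK implement these functions internally: it parses a few constructed syslog lines, aggregates identical firewall drop records into one entry with a count, and applies one correlation rule (three or more SSH failures from one source followed by a success on the same host within a minute). The regular expressions, the assumed year for the timestamps, and the thresholds are all choices made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed syslog lines (not from a real host). BSD syslog carries no year,
# so one is assumed when parsing.
LOGS = """\
Mar 10 10:00:01 srv1 sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 10:00:03 srv1 sshd[1202]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 10:00:05 srv1 sshd[1203]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Mar 10 10:00:09 srv1 sshd[1204]: Accepted password for admin from 198.51.100.7 port 40004 ssh2
Mar 10 10:01:00 srv2 sshd[2201]: Failed password for bob from 10.0.0.5 port 50001 ssh2
Mar 10 10:01:02 srv2 sshd[2202]: Accepted password for bob from 10.0.0.5 port 50002 ssh2
Mar 10 10:02:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP DPT=23
Mar 10 10:02:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP DPT=23
Mar 10 10:02:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP DPT=23
""".splitlines()

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line, year=2024):
    """Normalize one syslog line into a dict; returns None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def aggregate(events):
    """Aggregation: collapse identical (host, program, message) records into one
    record carrying a count, which is what reduces event volume in a SIEM."""
    counts = Counter((e["host"], e["prog"], e["msg"]) for e in events)
    return [{"host": h, "prog": p, "msg": m, "count": c} for (h, p, m), c in counts.items()]


def correlate_bruteforce(events, failures=3, window_s=60):
    """Correlation: N or more SSH failures from one source, followed by a success
    on the same host within window_s seconds, raises one alert. Each line alone
    is unremarkable; only the sequence across events is suspicious."""
    history = defaultdict(list)          # (host, src) -> timestamps of failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        m = SSH_RE.match(e["msg"]) if e["prog"] == "sshd" else None
        if not m:
            continue
        key = (e["host"], m["src"])
        if m["result"] == "Failed":
            history[key].append(e["ts"])
            continue
        recent = [t for t in history[key] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= failures:
            alerts.append({"host": e["host"], "src": m["src"], "user": m["user"],
                           "failures": len(recent), "at": e["ts"]})
        history[key].clear()             # a success closes the attempt series
    return alerts


def run(lines=LOGS):
    events = [e for e in (parse(l) for l in lines) if e]
    return aggregate(events), correlate_bruteforce(events)


if __name__ == "__main__":
    agg, alerts = run()
    for row in agg:
        print(row["count"], row["host"], row["prog"], row["msg"][:50])
    print("alerts:", alerts)
```

The reporting and forensic-search functions sit on top of the same normalized events: reporting summarizes `aggregate()`'s output over time, and forensic search is a query over the stored events by host, source, or user.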
Introduction to Network Monitoring Tools
SIEM Systems
▪ Splunk is one of the more popular proprietary
SIEM systems used by Security Operation
Centers.
▪ As an open source option, this course uses the
ELK suite for SIEM functionality. ELK is an
acronym for three open source products from
Elastic:
▪ Elasticsearch - Document oriented full text
search engine
▪ Logstash - Pipeline processing system that
connects "inputs" to "outputs" with optional
"filters" in between
▪ Kibana - Browser based analytics and search
dashboard for Elasticsearch
IP Vulnerabilities and Threats
IPv4 and IPv6
▪ It is important for security analysts
to understand the different fields
in both the IPv4 and IPv6 headers
because threat actors can tamper
with packet information.
IP Vulnerabilities and Threats
The IPv4 Packet Header
▪ The IPv4 packet header (20 bytes without
options) contains the following fields:
• Version
• Internet Header length
• Differentiated Services or DiffServ
(DS)
• Total length
• Identification, Flag, and Fragment
offset
• Time-to-Live (TTL)
• Protocol
• Header checksum
• Source IPv4 Address
• Destination IPv4 Address
• Options and Padding
IP Vulnerabilities and Threats
The IPv6 Packet Header
▪ The IPv6 packet header has a fixed 40-byte
format with 8 fields:
• Version
• Traffic Class
• Flow Label
• Payload Length
• Next Header
• Hop Limit
• Source IPv6 Address
• Destination IPv6 Address
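The practical way to learn the header fields is to parse them from bytes. The Python below is an added example, not code from the module: it decodes the IPv4 and IPv6 headers field by field, recomputes the IPv4 header checksum so that a tampered field (here the TTL) is caught, and notes that IPv6 has no header checksum at all. The sample headers are constructed in the code, not captured from a network, and `build_ipv4_header` is a helper written for this example.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    folded and complemented. The checksum field must be zero in `header`."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data: bytes) -> dict:
    """Decode the IPv4 header (20 bytes plus options) and verify its checksum."""
    if len(data) < 20:
        raise ValueError("short IPv4 header")
    (vihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    hlen = ihl * 4
    if hlen < 20 or len(data) < hlen:
        raise ValueError("bad IHL")
    zeroed = data[:10] + b"\x00\x00" + data[12:hlen]   # checksum field set to zero
    return {
        "version": version,
        "ihl": ihl,
        "dscp": dscp_ecn >> 2,
        "ecn": dscp_ecn & 0x3,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,            # bit 1 = DF, bit 0 = MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": data[20:hlen],
    }


def parse_ipv6(data: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header. There is no header checksum;
    integrity is left to the transport layer (and to IPsec when used)."""
    if len(data) < 40:
        raise ValueError("short IPv6 header")
    vtf, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", data[:40])
    version = vtf >> 28
    if version != 6:
        raise ValueError("not IPv6")
    return {
        "version": version,
        "traffic_class": (vtf >> 20) & 0xFF,
        "flow_label": vtf & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


def build_ipv4_header(src, dst, ttl=64, proto=6, total_len=40, ident=0xABCD, df=True):
    """Helper for this example: a minimal IPv4 header with a correct checksum."""
    flags_frag = (0x2 << 13) if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed sample headers (not from a capture).
SAMPLE_V4 = build_ipv4_header("10.0.0.1", "10.0.0.2")
SAMPLE_V6 = struct.pack("!IHBB16s16s", (6 << 28) | 0x12345, 20, 58, 64,
                        ipaddress.IPv6Address("2001:db8::1").packed,
                        ipaddress.IPv6Address("2001:db8::2").packed)

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE_V4))
    tampered = SAMPLE_V4[:8] + b"\x01" + SAMPLE_V4[9:]        # TTL rewritten in transit
    print("tampered checksum_ok:", parse_ipv4(tampered)["checksum_ok"])
    print(parse_ipv6(SAMPLE_V6))
```

The checksum only detects accidental corruption: a threat actor who rewrites a field simply recomputes it, which is why header integrity against an active attacker needs IPsec AH or an upper-layer MAC, not the checksum.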
IP Vulnerabilities and Threats
IP Vulnerabilities
IP Vulnerabilities and Threats
ICMP Attacks
▪ ICMP was developed to carry diagnostic
messages and to report error conditions when
routes, hosts, and ports are unavailable. ICMP
messages are generated by devices when a
network error or outage occurs.
▪ Common ICMP messages of interest to threat
actors include:
• ICMP echo request and echo reply – This is used to
perform host verification and DoS attacks.
• ICMP unreachable – This is used to perform network
reconnaissance and scanning attacks.
• ICMP mask reply – This is used to map an internal IP
network.
• ICMP redirects – This is used to lure a target host
into sending all traffic through a compromised
device and create a MITM attack.
• ICMP router discovery – This is used to inject bogus
route entries into the routing table of a target host.
IP Vulnerabilities and Threats
DoS Attacks
▪ The goal of a Denial of Service (DoS)
attack is to prevent legitimate users
from gaining access to websites, email,
online accounts, and other services.
▪ There are two major sources of DoS
attacks:
• Maliciously Formatted Packets – Threat
actors craft a maliciously formatted packet
and forward it to a susceptible host,
causing the host to crash or become
extremely slow.
• Overwhelming Quantity of Traffic – Threat
actors overwhelm a target network, host,
or application, causing them to crash or
become extremely slow.
▪ A distributed DoS (DDoS) attack is a DoS attack
launched simultaneously from many coordinated
sources, which makes it much harder to filter by
source address.
IP Vulnerabilities and Threats
Amplification and Reflection Attacks
▪ Threat actors often use
amplification and reflection
techniques to create DoS attacks.
The example in the figure
illustrates how an amplification
and reflection technique called a
Smurf attack is used to
overwhelm a target host:
1. Amplification - The threat actor sends ICMP echo
request messages whose source IP address is
spoofed to the victim's address to a large number
of hosts (classically, to a network's directed
broadcast address so that one packet triggers
many replies).
2. Reflection - All of those hosts reply to the
spoofed source address, so the replies land on the
victim and overwhelm it.
IP Vulnerabilities and Threats
DDoS Attacks
▪ A DDoS attack is larger in magnitude
than a DoS attack because it
originates from multiple, coordinated
sources. DDoS attacks introduced
new terms such as botnet, handler
systems, and zombie computers.
A DDoS attack could proceed as follows:
1. The threat actor (botmaster) builds or purchases the use of a botnet of zombie hosts. The command-and-control (CnC) server communicates with zombies over a covert channel using IRC, P2P, DNS, HTTP, or HTTPS.
2. Zombie computers continue to scan and infect more targets to create more zombies.
3. When ready, the botmaster uses the handler systems to make the botnet of zombies carry out the DDoS attack on the chosen target.
IP Vulnerabilities and Threats
Address Spoofing Attacks
▪ IP address spoofing attacks occur when a threat actor
creates packets with false source IP address information to
either hide the identity of the sender or to pose as another
legitimate user. The attacker can then gain access to
otherwise inaccessible data or circumvent security
configurations.
TCP and UDP Vulnerabilities
TCP
▪ TCP segment information appears immediately after the IP header.
▪ TCP provides the following services:
• Reliable delivery
• Flow control
• Stateful communication
TCP and UDP Vulnerabilities
TCP Attacks
▪ Although the TCP protocol is
a connection-oriented and
reliable protocol, there are
still vulnerabilities that can
be exploited.
▪ TCP attacks target expected
protocol behaviors:
• TCP SYN flood attack
• TCP reset attack
• TCP session hijacking
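A SYN flood is the clearest example of an attack on expected protocol behavior: the server reserves state for every SYN, so a stream of SYNs from spoofed sources that never send the final ACK exhausts the connection table. The detection logic below is an added example written for this page, not code from the module or from any IDS: it walks a constructed list of packet summaries, counts SYNs per destination port in a sliding window, measures how many handshakes the clients actually completed, and alerts when the count is high and the completion ratio is low. The thresholds are assumptions to tune against a baseline.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10

# Constructed packet summaries (time, src, sport, dst, dport, tcp_flags); not a capture.
PACKETS = [
    # one normal handshake from 10.0.0.5
    (0.00, "10.0.0.5", 40000, "10.0.0.80", 80, SYN),
    (0.01, "10.0.0.80", 80, "10.0.0.5", 40000, SYN | ACK),
    (0.02, "10.0.0.5", 40000, "10.0.0.80", 80, ACK),
]
# 200 SYNs from spoofed sources; the server answers each with SYN-ACK but
# the final ACK never arrives, leaving 200 half-open connections.
for i in range(200):
    spoofed = f"198.51.100.{i % 250 + 1}"
    PACKETS.append((0.1 + i * 0.001, spoofed, 1024 + i, "10.0.0.80", 80, SYN))
    PACKETS.append((0.1 + i * 0.001 + 0.0005, "10.0.0.80", 80, spoofed, 1024 + i, SYN | ACK))


def detect_syn_flood(packets, window=1.0, min_syns=100, max_completion=0.2):
    """Per destination (ip, port): count SYNs in a time window and the handshakes
    completed by the client's third-packet ACK. Many SYNs from many sources with
    almost no completions is the SYN-flood signature."""
    pending = {}                                     # (client, cport, server, sport) -> SYN time
    stats = defaultdict(lambda: {"syns": 0, "completed": 0, "sources": set(), "first": None})
    for ts, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if flags & SYN and not flags & ACK:          # client SYN (SYN-ACKs are skipped)
            pending[(src, sport, dst, dport)] = ts
            s = stats[(dst, dport)]
            if s["first"] is None or ts - s["first"] > window:
                s.update({"syns": 0, "completed": 0, "sources": set(), "first": ts})
            s["syns"] += 1
            s["sources"].add(src)
        elif flags & ACK and not flags & SYN:        # possible third packet of a handshake
            key = (src, sport, dst, dport)
            if key in pending:
                del pending[key]
                stats[(dst, dport)]["completed"] += 1
    alerts = []
    for (dst, dport), s in stats.items():
        ratio = s["completed"] / s["syns"] if s["syns"] else 1.0
        if s["syns"] >= min_syns and ratio <= max_completion:
            alerts.append({"target": f"{dst}:{dport}", "syns": s["syns"],
                           "completed": s["completed"], "distinct_sources": len(s["sources"]),
                           "completion_ratio": round(ratio, 3)})
    return alerts


if __name__ == "__main__":
    print(detect_syn_flood(PACKETS))
```

Pairing each SYN with the client's ACK, rather than counting SYN-ACKs the server sent, is what distinguishes a flood from a busy but healthy service: a legitimate burst of connections completes its handshakes. The same bookkeeping (a table of half-open connections) is what SYN cookies remove from the server, which is the standard mitigation.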
TCP and UDP Vulnerabilities
UDP and UDP Attacks
▪ UDP is a simple protocol that provides the basic transport layer functions.
UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-
time applications such as media streaming or VoIP. UDP is a connectionless
transport layer protocol.
▪ UDP itself provides no encryption or authentication; unless the application
(for example, DTLS) or the network layer (IPsec) adds protection, anyone on the
path can read the traffic, change it, and send it on to its destination.
▪ Because UDP is connectionless there is no handshake to validate the sender, so
a spoofed source address is trivial. UDP attacks exploit this lack of protocol state:
• UDP checksum attack
• UDP flood attack
• UDP DoS attacks
IP Services
ARP Vulnerabilities
▪ Hosts broadcast an ARP
Request to other hosts
on the segment to
determine the MAC
address of a host with a
particular IP address.
▪ All hosts on the subnet
receive and process the
ARP Request.
▪ The host with the
matching IP address in
the ARP Request sends
an ARP Reply.
IP Services
ARP Cache Poisoning
▪ ARP cache poisoning attacks deliberately poison the cache of another computer with spoofed IP
address to MAC address mappings.
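ARP has no authentication, so a host accepts any reply it hears, including replies it never asked for. The detector below is an added example, not part of the module: it replays a constructed ARP trace in which an attacker answers for the gateway's IP address and then for the victim's, and flags the three observable symptoms of poisoning: a reply with no recent request, an IP-to-MAC mapping that changes, and one MAC address claiming more than one IP. It is the passive check a monitoring sensor on the segment could run; it does not prevent the attack (Dynamic ARP Inspection on the switch does that).

```python
from collections import defaultdict

REQUEST, REPLY = 1, 2

# Constructed ARP trace (not a capture): fields are
# (time, opcode, sender_ip, sender_mac, target_ip). 192.168.1.1 is the gateway,
# 192.168.1.10 a client, aa:aa:... the attacker.
ARP_TRACE = [
    (1.0, REQUEST, "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),
    (1.1, REPLY,   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),   # legitimate answer
    (5.0, REPLY,   "192.168.1.1",  "aa:aa:aa:aa:aa:aa", "192.168.1.10"),   # unsolicited, new MAC
    (5.1, REPLY,   "192.168.1.10", "aa:aa:aa:aa:aa:aa", "192.168.1.1"),    # other half of the MITM
]


def detect_arp_poisoning(trace, request_window=2.0):
    """Return a list of (alert_kind, time, subject, detail) tuples."""
    table = {}                              # ip -> mac, as a host's cache would hold it
    recent_requests = defaultdict(list)     # target ip -> times it was asked for
    alerts = []
    for ts, op, sender_ip, sender_mac, target_ip in trace:
        if op == REQUEST:
            recent_requests[target_ip].append(ts)
            continue
        # A reply should follow a request for that IP; a gratuitous/unsolicited
        # reply is how poisoning is usually delivered.
        solicited = any(ts - t <= request_window for t in recent_requests[sender_ip])
        if not solicited:
            alerts.append(("unsolicited_reply", ts, sender_ip, sender_mac))
        old = table.get(sender_ip)
        if old is not None and old != sender_mac:
            alerts.append(("mapping_changed", ts, sender_ip, f"{old} -> {sender_mac}"))
        table[sender_ip] = sender_mac
    # One MAC answering for several IPs is the two-sided man-in-the-middle signature.
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("mac_claims_multiple_ips", None, mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    for a in detect_arp_poisoning(ARP_TRACE):
        print(a)
```

A gateway whose MAC changes is the highest-value alert: after it, every host that accepted the reply sends all off-subnet traffic through the attacker.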
IP Services
DNS Attacks
▪ DNS servers resolve names to IP addresses and are a major target of attackers. Some DNS exploits are:
• DNS open resolvers (public name servers that answer queries from any source)
• DNS stealth attacks
• DNS domain shadowing attacks – hijacked domains are used to create subdomains which resolve to malicious web sites
• DNS tunneling attacks – hide malicious instructions inside DNS queries and responses
IP Services
DNS Tunneling
▪ Threat actors who use DNS tunneling place
non-DNS traffic within DNS traffic. This method
often circumvents security solutions because
DNS is almost always allowed outbound. The
tunneled data is encoded into the query names
(typically as long, high-entropy subdomains of a
domain the attacker controls) and into the
responses, using record types such as TXT, MX,
SRV, NULL, A, or CNAME.
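Because the tunnel has to push data through the query name, it leaves a statistical fingerprint: many unique, long, high-entropy subdomains under one domain, often with TXT or NULL queries. The Python below is an added example, not code from the module or from any product: it profiles a constructed DNS query log per registered domain and flags the domain that looks like a tunnel. The "registered domain is the last two labels" rule and every threshold are assumptions for this example; a real deployment would use a public-suffix list and thresholds taken from the organization's own baseline.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed query log (client_ip, qname, qtype), not real traffic: three
# ordinary lookups, then 40 tunnel-style queries carrying 40 hex chars each.
QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "cdn.example.com", "A"),
] + [
    ("10.0.0.9", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".c2.example.net", "TXT")
    for i in range(40)
]


def shannon_entropy(s):
    """Bits per character; hex-encoded data scores near 4, English words near 3."""
    if not s:
        return 0.0
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def profile(queries):
    """Per registered domain: query count, unique subdomains, first-label length
    and entropy, and how many queries used TXT/NULL (the tunnel-friendly types)."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "txt_null": 0, "label_len": [], "entropy": []})
    for _client, qname, qtype in queries:
        d = registered_domain(qname)
        sub = qname[: -len(d) - 1] if qname.endswith("." + d) else ""
        p = per_domain[d]
        p["queries"] += 1
        if sub:
            p["subdomains"].add(sub)
            first_label = sub.split(".")[0]          # the label that carries the payload
            p["label_len"].append(len(first_label))
            p["entropy"].append(shannon_entropy(first_label))
        if qtype in ("TXT", "NULL"):
            p["txt_null"] += 1
    return per_domain


def suspect_tunnels(queries, min_queries=20, min_unique_ratio=0.8,
                    min_avg_len=25, min_entropy=3.0):
    """Flag domains where nearly every query is a new, long, high-entropy subdomain.
    Thresholds are illustrative assumptions; tune them against a baseline."""
    flagged = []
    for d, p in profile(queries).items():
        if p["queries"] < min_queries:
            continue
        unique_ratio = len(p["subdomains"]) / p["queries"]
        avg_len = sum(p["label_len"]) / max(len(p["label_len"]), 1)
        avg_ent = sum(p["entropy"]) / max(len(p["entropy"]), 1)
        if unique_ratio >= min_unique_ratio and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged.append({"domain": d, "queries": p["queries"],
                            "unique_subdomains": len(p["subdomains"]),
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2),
                            "txt_null_ratio": round(p["txt_null"] / p["queries"], 2)})
    return flagged


if __name__ == "__main__":
    for f in suspect_tunnels(QUERIES):
        print(f)
```

Content-delivery networks and some anti-virus update services also generate long, unique subdomains, so the volume and entropy features should be combined with an allowlist and with the TXT/NULL ratio before alerting.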
IP Services
DHCP
▪ A DHCP attack could result in every host on the network communicating with malicious DNS servers and gateways. A DHCP spoofing attack creates a rogue DHCP server to serve falsified
information.
Enterprise Services
HTTP and HTTPS
▪ Browsing the Web is possibly the largest vector of attack. Security analysts
should have in depth knowledge of how web attacks work.
• Malicious iFrames – an iFrame allows a page from a different domain to be opened
inline within the current page. The iFrame can be used to launch malicious code.
• HTTP 302 cushioning – allows a web page to redirect and open in a different URL. Can
be used to redirect to malicious code.
• Domain shadowing – malicious web sites are created from subdomains created from a
hijacked domain.
Enterprise Services
Email
▪ Email messages are accessed from many different devices
that are often not protected by the company’s firewall.
• Attachment-based attacks – email with
malicious executable files attached.
• Email spoofing – phishing attack where the
message appears to come from a legitimate
source.
• Spam email – unsolicited email with
advertisements or malicious content.
• Open mail relay server – massive amount of
spam and worms can be sent by misconfigured
email servers.
• Homoglyphs – phishing scheme where text
characters
(hyperlinks) look similar to real text and links.
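A homoglyph domain is one that renders like a trusted name while being a different string, typically by substituting Cyrillic or accented letters, or digits, for Latin ones. The Python below is an added example, not part of the module: it folds a candidate domain to a "skeleton" using a small confusables table, compares that skeleton against an allowlist of legitimate domains, reports mixed-script labels, and shows the Punycode form that the domain actually resolves as. The confusables table is a deliberately small subset of the Unicode confusables data, an assumption for illustration rather than a complete mapping.

```python
import unicodedata

# A small, illustrative subset of visually confusable characters -> ASCII
# look-alike. Assumption: not exhaustive; real checks use the full Unicode
# confusables table.
CONFUSABLES = {
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0445": "x",   # CYRILLIC SMALL LETTER HA
    "\u0443": "y",   # CYRILLIC SMALL LETTER U
    "\u0456": "i",   # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0501": "d",   # CYRILLIC SMALL LETTER KOMI DE
    "\u04cf": "l",   # CYRILLIC SMALL LETTER PALOCHKA
    "\u0261": "g",   # LATIN SMALL LETTER SCRIPT G
    "\u0131": "i",   # LATIN SMALL LETTER DOTLESS I
    "\u00e0": "a", "\u00e9": "e",
    "0": "o", "1": "l",
}


def skeleton(domain):
    """Fold a domain to the ASCII string it is trying to look like."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scripts_used(label):
    """Set of Unicode scripts (by character-name prefix) among the letters of a label."""
    names = set()
    for ch in label:
        if ch.isalpha():
            names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def to_ascii(domain):
    """The Punycode (xn--) form a resolver actually sends; useful for log matching."""
    return domain.encode("idna").decode("ascii")


def is_lookalike(domain, legit_domains):
    """True when `domain` is not one of the legitimate names but folds to one of them."""
    legit = {d.lower() for d in legit_domains}
    if domain.lower() in legit:
        return False
    return skeleton(domain) in {skeleton(d) for d in legit}


def check(domain, legit_domains):
    return {
        "domain": domain,
        "punycode": to_ascii(domain),
        "lookalike_of": [d for d in legit_domains if skeleton(d) == skeleton(domain)]
        if is_lookalike(domain, legit_domains) else [],
        "mixed_script": len(scripts_used(domain.split(".")[0])) > 1,
    }


if __name__ == "__main__":
    for candidate in ("paypal.com", "p\u0430ypal.com", "paypa1.com"):
        print(check(candidate, ["paypal.com"]))
```

The Punycode form matters operationally: mail filters and proxy logs see `xn--...`, so the same skeleton check should be run on the decoded name, and any `xn--` domain that folds to a brand on the allowlist deserves a block.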
Enterprise Services
Web-Exposed Databases
▪ Web applications commonly connect to a relational database. Because
relational databases often contain sensitive data, databases are a frequent
target for attacks.
• Command injection attacks – insecure code and web application allows OS commands
to be injected into form fields or the address bar.
• XSS Cross-site scripting attacks – insecure server-side scripting where the input is not
validated allows script to be inserted into user-generated form fields, like web page
comments. The script then executes in the browser of every visitor who views the page,
where it can steal session cookies or redirect the visitor to a malicious website with
malware code.
• SQL injection attacks – insecure server-side scripting allows
SQL commands to be inserted into form fields where the input
is not validated.
• HTML injection attacks – manipulation of page markup allows
attacker-controlled content or executable code to be injected
through HTML elements such as div tags.
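SQL injection is best understood by seeing the vulnerable query next to the fixed one. The Python below is an added example, not code from the module: it builds an in-memory SQLite table, implements a login lookup once by string concatenation and once with bound parameters, and shows that the classic `' OR 1=1 --` payload returns every row from the first and nothing from the second. The schema, the users, and the use of a pre-computed "hash" column are constructed for the example; a real application verifies a password hash in code rather than comparing it in SQL.

```python
import sqlite3


def setup_db():
    """Constructed sample table for the example (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """VULNERABLE: the form field is spliced into the SQL text, so quotes and
    comment markers in the input change the query's structure."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    """FIXED: parameterized query. The driver sends the values separately from
    the SQL text, so they are compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


def demo():
    """Run the same attacker input through both implementations."""
    conn = setup_db()
    payload = "' OR 1=1 --"          # closes the string, adds a true condition, comments out the rest
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),   # every user
        "safe": login_safe(conn, payload, "wrong"),               # no match
        "legit": login_safe(conn, "alice", "hash-a"),             # normal login still works
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The resulting vulnerable statement is `... WHERE username = '' OR 1=1 --' AND password_hash = 'wrong'`; everything after `--` is a comment, so the password check disappears. Input validation is a useful second layer, but parameterization is what removes the bug, because it works regardless of what characters the input contains.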
UNDERSTANDING DEFENSE,
ACCESS CONTROL AND THREAT
INTELLIGENCE
Defense-in-Depth
Assets, Vulnerabilities, Threats
▪ Cybersecurity risk consists of the following:
• Assets - Anything of value to an organization
that must be protected including servers,
infrastructure devices, end devices, and the
greatest asset, data.
• Vulnerabilities - A weakness in a system or its
design that could be exploited by a threat.
• Threats - Any potential danger to an asset.
Defense-in-Depth
Identify Assets
▪ Many organizations only have a general idea of the assets that need to be protected.
▪ All the devices and information owned or managed by the organization are the assets.
▪ Assets constitute the attack surface that threat actors could target.
▪ Asset management consists of:
• Inventorying all assets.
• Developing and implementing policies and procedures to protect them.
▪ Identify where critical information assets are stored, and how access is gained to that information.
Defense-in-Depth
Identify Vulnerabilities
▪ Identifying vulnerabilities includes answering the
following questions:
• What are the vulnerabilities?
• Who might exploit the vulnerabilities?
• What are the consequences if the vulnerability is
exploited?
▪ For example, an e-banking system might have the
following threats:
• Internal system compromise
• Stolen customer data
• Phony transactions
• Insider attack on the system
• Data input errors
• Data center destruction
Defense-in-Depth
Identify Threats
▪ Using a defense-in-depth approach to identify threats might include a topology with the following
devices:
• Edge router – first line of defense; configured with a set of rules specifying which traffic it allows or
denies.
• Firewall – A second line of defense; performs additional filtering, user authentication, and tracks the
state of the connections.
• Internal router – a third line of defense; applies final filtering rules on the traffic before it is forwarded to
its destination.
Defense-in-Depth
Security Onion and Security Artichoke Approaches
▪ The security onion analogy illustrates a layered
approach to security.
▪ A threat actor would have to peel away at a
network’s defense mechanisms one layer at a time.
▪ However, with the evolution of borderless networks,
a security artichoke is a better analogy.
▪ Threat actors may only need to remove certain
“artichoke leaves” to access sensitive data.
▪ For example, a mobile device is a leaf that, when
compromised, may give the threat actor access to
sensitive information such as corporate email.
▪ The key difference between security onion and
security artichoke is that not every leaf needs to be
removed in order to get at the data.
Security Policies
Business Policy
▪ Policies provide the foundation for network security by defining what
is acceptable.
▪ Business policies are the guidelines developed by an organization
that govern its actions and the actions of its employees.
▪ An organization may have several guiding policies:
• Company policies - establish the rules of conduct and the
responsibilities of both employees and employers.
• Employee policies - identify employee salary, pay schedule,
employee benefits, work schedule, vacations, and more.
• Security policies - identify a set of security objectives for a
company, define the rules of behavior for users and
administrators, and specify system requirements.
Security Policies
Security Policy
▪ A comprehensive security policy has a number of
benefits:
• Demonstrates an organization’s commitment to security.
• Sets the rules for expected behavior.
• Ensures consistency in system operations, software and
hardware acquisition and use, and maintenance.
• Defines the legal consequences of violations.
• Gives security staff the backing of management.
▪ A security policy may include one or more of the
items shown in the figure.
▪ An Acceptable Use Policy (AUP) is one of the most
common policies and covers what users are allowed
and not allowed to do on the various system
components.
Security Policies
BYOD Policies
▪ Many organizations support Bring Your Own Device
(BYOD), which enables employees to use their own
mobile devices to access company resources.
▪ A BYOD policy should include:
• Specify the goals of the BYOD program.
• Identify which employees can bring their own
devices.
• Identify which devices will be supported.
• Identify the level of access employees are granted
when using personal devices.
• Describe the rights to access and activities
permitted to security personnel on the device.
• Identify which regulations must be adhered to
when using employee devices.
• Identify safeguards to put in place if a device is
compromised.
Security Policies
BYOD Policies (Cont.)
▪ The following BYOD security best practices help
mitigate BYOD risks:
• Password protected access for each device
and account.
• Manually controlled wireless connectivity so
the device only connects to trusted networks.
• Keep software updated to mitigate against the
latest threats.
• Back up data in case device is lost or stolen.
• Enable “Find my Device” locator services that
can remotely wipe a lost device.
• Provide antivirus software.
• Use Mobile Device Management (MDM)
software to enable IT teams to implement
security settings and software configurations
on all devices that connect to company
networks.
Security Policies
Regulatory and Standard Compliance
▪ Compliance regulations and standards define
what organizations are responsible for
providing, and the liability if they fail to comply.
▪ The compliance regulations that an
organization is obligated to follow depend on
the type of organization and the data that the
organization handles.
▪ Specific compliance regulations will be
discussed later in the course.
Access Control Concepts
Communications Security: CIA
▪ Information security deals with protecting information
and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction.
▪ The CIA triad consists of:
• Confidentiality - only authorized entities can access
information.
• Integrity - information should be protected from
unauthorized alteration.
• Availability - information must be available to the
authorized parties who require it, when they require it.
Access Control Concepts
Access Control Models
▪ Basic access control models include the following:
• Mandatory access control (MAC) – applies the strictest
access control, enabling user access based on security
clearance.
• Discretionary access control (DAC) – allows users to
control access to their data as owners of that data.
• Non-Discretionary access control – access is based on
roles and responsibilities; also known as role-based
access control (RBAC).
• Attribute-based access control (ABAC) – access is based
on attributes of the resource accessed, the user
accessing it, and environmental factors, such as time of
day.
▪ Cutting across all of these models is the principle of least
privilege, which states that users should be granted the
minimum amount of access required to perform their
work function.
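The four models differ in who decides and on what basis, which is easiest to see when all four are evaluated against the same request. The Python below is an added example, not part of the module: it implements a small MAC check (no read above clearance), a DAC check (owner and owner-set ACL), an RBAC check (role-to-permission table), and an ABAC check (department match plus a business-hours rule for writes), and then combines them so that a request must pass every applicable model, which is least privilege in practice. The subjects, resources, role table, and the specific ABAC policy are constructed for the example; the write rule in `mac_allows` is a simplification rather than a full Bell-LaPadula implementation.

```python
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Subject:
    name: str
    roles: set
    clearance: int          # MAC level: 0 public .. 3 top secret (assumed scale)
    department: str


@dataclass
class Resource:
    name: str
    owner: str
    classification: int
    department: str
    dac_acl: dict = field(default_factory=dict)   # user -> set of actions the owner granted


def mac_allows(subject, resource, action):
    """Mandatory: the system, not the owner, decides. Read only at or below
    clearance; this example allows writes only at the subject's own level."""
    if action == "read":
        return subject.clearance >= resource.classification
    return subject.clearance == resource.classification


def dac_allows(subject, resource, action):
    """Discretionary: the owner has everything and hands out rights via the ACL."""
    if subject.name == resource.owner:
        return True
    return action in resource.dac_acl.get(subject.name, set())


# Role-to-permission table (constructed for the example).
ROLE_PERMS = {"analyst": {"read"}, "admin": {"read", "write", "delete"}, "auditor": {"read"}}


def rbac_allows(subject, resource, action):
    """Role-based (non-discretionary): rights come from the role, not the person."""
    return any(action in ROLE_PERMS.get(r, set()) for r in subject.roles)


def abac_allows(subject, resource, action, now):
    """Attribute-based: subject, resource and environment attributes. Assumed policy:
    same department, and changes only during business hours (08:00-18:00)."""
    if subject.department != resource.department:
        return False
    if action in ("write", "delete") and not (time(8, 0) <= now <= time(18, 0)):
        return False
    return True


def decide(subject, resource, action, now):
    """Least privilege in practice: every applicable model must say yes."""
    checks = {
        "mac": mac_allows(subject, resource, action),
        "dac": dac_allows(subject, resource, action),
        "rbac": rbac_allows(subject, resource, action),
        "abac": abac_allows(subject, resource, action, now),
    }
    return all(checks.values()), checks


# Constructed sample subjects, resources and times of day.
ALICE = Subject("alice", {"analyst"}, clearance=2, department="soc")
REPORT = Resource("incident-42.md", owner="bob", classification=1, department="soc",
                  dac_acl={"alice": {"read"}})
SECRET = Resource("signing-keys.txt", owner="carol", classification=3, department="soc",
                  dac_acl={"alice": {"read"}})
BUSINESS_HOURS = time(10, 0)
AFTER_HOURS = time(22, 0)

if __name__ == "__main__":
    for res, action, now in ((REPORT, "read", BUSINESS_HOURS), (REPORT, "write", BUSINESS_HOURS),
                             (SECRET, "read", BUSINESS_HOURS), (REPORT, "read", AFTER_HOURS)):
        ok, checks = decide(ALICE, res, action, now)
        print(f"{ALICE.name} {action} {res.name} at {now}: {'ALLOW' if ok else 'DENY'} {checks}")
```

The third case is the one to notice: the owner of `signing-keys.txt` granted Alice read access (DAC says yes) and her role permits reading (RBAC says yes), but the mandatory check still denies it because her clearance is below the classification. That is the point of MAC: an owner cannot give away more than the system policy allows.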
AAA Usage and Operation
AAA Operation
▪ Authentication, Authorization, and
Accounting (AAA) is a scalable system
for access control.
• Authentication - users and
administrators must prove that they
are who they say they are.
• Authorization - determines which
resources the user can access and
which operations the user is allowed
to perform.
• Accounting - records what the user
does and when they do it.
AAA Usage and Operation
AAA Authentication
▪ Two common AAA authentication methods include:
• Local AAA Authentication - This method authenticates users against locally stored
usernames and passwords. Local AAA is ideal for small networks.
• Server-Based AAA Authentication – This method authenticates against a central
AAA server that contains the usernames and passwords for all users. Server-based
AAA authentication is appropriate for medium-to-large networks.
▪ The process for both types are shown on the next slide.
AAA Usage and Operation
AAA Authentication (Cont.)
[Figure: Local AAA Authentication and Server-Based AAA Authentication flows]
AAA Usage and Operation
AAA Accounting Logs
▪ Accounting adds to the security provided by authentication: it creates the record
needed to detect misuse by an account that authenticated legitimately.
▪ AAA servers keep a detailed log of exactly what the authenticated user does on
the device.
AAA Usage and Operation
AAA Accounting Logs (Cont.)
▪ The various types of accounting information that can
be collected include:
• Network Accounting - captures information such as packet
and byte counts.
• Connection Accounting - captures information about all
outbound connections.
• EXEC Accounting - captures information about user shells
including username, date, start and stop times, and the
access server IP address.
• System Accounting - captures information about all system-
level events.
• Command Accounting - captures information about
executed shell commands.
• Resource Accounting - captures "start" and "stop" record
support for calls that have passed user authentication.
Information Sources
Network Intelligence Communities
▪ Threat intelligence organizations such as CERT, SANS, and MITRE offer detailed
threat information that is vital to cybersecurity practices.
Information Sources
Cisco Cybersecurity Reports
▪ Cisco offers their Cybersecurity Report annually,
which provides an update on the state of
security preparedness, expert analysis of top
vulnerabilities, factors behind the explosion of
attacks using adware and spam, and more.
Information Sources
Security Blogs and Podcasts
▪ Security blogs and podcasts help cybersecurity professionals understand and
mitigate emerging threats.
Threat Intelligence Services
Cisco Talos
▪ Threat intelligence services allow the
exchange of threat information such as
vulnerabilities, indicators of compromise
(IOC), and mitigation and detection
techniques.
▪ Cisco Talos collects information about active,
existing, and emerging threats and then
provides its subscribers with protection
against those attacks and malware.
Threat Intelligence Services
FireEye
▪ FireEye is another security company that
offers services to help enterprises secure
their networks.
▪ FireEye offers emerging threat
information and threat intelligence
reports.
Threat Intelligence Services
Automated Indicator Sharing
▪ Automated Indicator Sharing (AIS) is a
program that allows the U.S. Federal
Government and the private sector to
share threat indicators.
▪ AIS creates an ecosystem where, as soon as
a threat is recognized, it is immediately
shared with the community.
Threat Intelligence Services
Common Vulnerabilities and Exposures Database
▪ Common Vulnerabilities and Exposures
(CVE) is a database of vulnerabilities
that uses a standardized naming
scheme to facilitate the sharing of
threat intelligence.
Threat Intelligence Services
Threat Intelligence Communication Standards
▪ Cyber Threat Intelligence (CTI) standards
such as STIX and TAXII facilitate the exchange
of threat information by specifying data
structures and communication protocols:
• Structured Threat Information Expression
(STIX) - specifications for exchanging cyber
threat information between organizations.
• Trusted Automated Exchange of Indicator
Information (TAXII) – specification for an
application layer protocol that allows the
communication of CTI over HTTPS. TAXII is
designed to support STIX.
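STIX is a JSON data model, so the exchange it standardizes is easiest to see as actual objects. The Python below is an added example, not from the module and not the official `stix2` library: it assembles a STIX 2.1 bundle containing an indicator (a domain-name pattern), a malware object, and the `indicates` relationship between them, using only the standard library, and runs a minimal structural validation of the kind a TAXII client would want before pushing the bundle to a collection. The domain, malware name, and timestamp are constructed placeholders; the required-property lists are a subset of the STIX 2.1 specification, not the full schema.

```python
import json
import uuid


def stix_id(obj_type):
    """STIX identifiers are '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def common(obj_type, created):
    """Properties every STIX Domain/Relationship Object carries."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": created, "modified": created}


def make_indicator(name, pattern, created, indicator_types=("malicious-activity",)):
    obj = common("indicator", created)
    obj.update({"name": name, "indicator_types": list(indicator_types),
                "pattern": pattern, "pattern_type": "stix", "valid_from": created})
    return obj


def make_malware(name, created, is_family=False, malware_types=("remote-access-trojan",)):
    obj = common("malware", created)
    obj.update({"name": name, "is_family": is_family, "malware_types": list(malware_types)})
    return obj


def make_relationship(source, target, created, relationship_type="indicates"):
    obj = common("relationship", created)
    obj.update({"relationship_type": relationship_type,
                "source_ref": source["id"], "target_ref": target["id"]})
    return obj


def make_bundle(*objects):
    return {"type": "bundle", "id": stix_id("bundle"), "objects": list(objects)}


COMMON = {"type", "spec_version", "id", "created", "modified"}
REQUIRED = {                         # subset of STIX 2.1 required properties
    "indicator": {"pattern", "pattern_type", "valid_from", "indicator_types"},
    "malware": {"name", "is_family"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
}


def validate_bundle(bundle):
    """Minimal structural check: common properties, per-type required properties,
    id prefix matching the type, bracketed STIX patterns, and relationship
    references that resolve inside the bundle. Returns a list of error strings."""
    errors = []
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for o in objects:
        oid, otype = o.get("id", "?"), o.get("type", "")
        missing = (COMMON | REQUIRED.get(otype, set())) - set(o)
        if missing:
            errors.append(f"{oid}: missing {sorted(missing)}")
        if not oid.startswith(otype + "--"):
            errors.append(f"{oid}: id prefix does not match type {otype!r}")
        if otype == "indicator" and o.get("pattern_type") == "stix":
            p = o.get("pattern", "")
            if not (p.startswith("[") and p.endswith("]")):
                errors.append(f"{oid}: STIX pattern must be enclosed in brackets")
        if otype == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    errors.append(f"{oid}: {ref} {o.get(ref)!r} not found in bundle")
    return errors


def build_sample_bundle():
    """Constructed sample: a C2 domain indicator linked to a placeholder malware."""
    ts = "2024-01-01T00:00:00.000Z"              # fixed so the output is reproducible
    indicator = make_indicator("C2 domain (constructed sample)",
                               "[domain-name:value = 'c2.example.net']", ts)
    malware = make_malware("sample-rat (constructed placeholder)", ts)
    rel = make_relationship(indicator, malware, ts)
    return make_bundle(indicator, malware, rel)


def to_json(bundle):
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(to_json(bundle))
    print("errors:", validate_bundle(bundle))
```

The bundle is what travels over TAXII: a client POSTs it to a collection's `objects` endpoint over HTTPS and later GETs new objects from the same collection, so the JSON shown here is exactly the payload both ends of that protocol exchange.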