CompTIA Security+, module 8 (study notes)

in #study, 2 years ago

[Image: S+.PNG]

[Image: S+ mod 8.PNG]

Interception attacks:

• Man-in-the-middle (MITM): a threat actor inserts themselves between two communicating parties and reads or manipulates the communication.
• Session replay: the attacker makes a copy of an original message (typically by intercepting the session ID) and reuses it later to impersonate the user.
• Man-in-the-browser (MITB): intercepts the communication between the parties and steals or manipulates data, usually to steal a web user's login or account information.

Layer 2 attacks:

• Address Resolution Protocol poisoning (ARP poisoning) alters the IP-to-MAC mappings stored in the ARP cache so that an IP address resolves to a different device.
• Media access control (MAC) attacks come in two main forms. MAC cloning: the attacker spoofs the MAC address of a known device and sends traffic as that device. MAC flooding: the attacker overflows the switch with Ethernet frames that all originate from the same endpoint but carry different spoofed source MAC addresses, so each appears to come from a different endpoint.
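
As an added example (not from the original notes or the textbook they summarize), the Python below detects both Layer 2 attacks above from constructed records: it flags an IP whose ARP sender MAC changes (ARP poisoning) and a switch port that sources an abnormal number of distinct MACs inside a short window (MAC flooding). The record layouts, port numbers and the 50-MAC threshold are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample data (not captured traffic): ARP replies as
# (timestamp, sender_ip, sender_mac), e.g. as exported from Wireshark/tcpdump.
ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate binding
    (1.5, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (2.5, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
]

def detect_arp_poisoning(replies):
    """Alert whenever an IP's sender MAC differs from the first binding seen.
    Returns a list of (timestamp, ip, baseline_mac, new_mac)."""
    baseline, alerts = {}, []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in baseline:
            baseline[ip] = mac          # first binding becomes the baseline
        elif baseline[ip] != mac:
            alerts.append((ts, ip, baseline[ip], mac))
    return alerts

# Constructed Ethernet frames as (timestamp, switch_port, src_mac). Port 3 is
# a normal host; port 7 emits 60 different spoofed source MACs within 0.6 s.
FRAMES = [(0.1 * i, 3, "aa:bb:cc:00:00:03") for i in range(5)]
FRAMES += [(0.01 * i, 7, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
           for i in range(60)]

def detect_mac_flooding(frames, window=1.0, threshold=50):
    """Alert when one port sources more than `threshold` distinct MACs inside
    a `window`-second bucket. Returns a list of (port, bucket, distinct_macs)."""
    per_bucket = defaultdict(set)
    for ts, port, mac in frames:
        per_bucket[(port, int(ts // window))].add(mac.lower())
    return [(port, bucket, len(macs))
            for (port, bucket), macs in sorted(per_bucket.items())
            if len(macs) > threshold]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print("ARP: at %.1fs %s moved from %s to %s" % alert)
    for port, bucket, n in detect_mac_flooding(FRAMES):
        print("MAC flood: port %d sourced %d distinct MACs in window %d" % (port, n, bucket))
```

The baseline-vs-new comparison is the same idea tools like arpwatch use; on a real network the baseline should come from a trusted inventory rather than the first packet seen.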

DNS attacks:

• These attacks substitute a DNS address (answer) so that a computer is redirected to a different host.
• DNS poisoning modifies the local cache/lookup table so that a name points to a different domain.
• DNS hijacking infects the DNS server itself and changes its IP address records to point to malicious sites.

Distributed Denial of Service Attack:

• A DDoS attack sends millions of fake requests from many different devices; the flood overwhelms the receiving device.

Malicious coding and scripting attacks:

• Attackers use PowerShell, Visual Basic for Applications, Python, and Linux/UNIX Bash.
• PowerShell is a task automation and configuration management framework.
• Visual Basic for Applications (VBA) is a programming language that uses events to automate processes; it is used to create macros.
• Python is a programming language that can perform the tasks written in its code; it can be used to create scripts.
• Bash is the command interpreter (shell) for Linux/UNIX operating systems; it can also be used to create scripts.

Network reconnaissance and discovery tools:

• There are many different tools to use depending on your OS; see tables 8-3 and 8-4 for all tools.

Linux file manipulation tools:

• Linux stores its configuration in text files, so configuration changes are made by manipulating those text files; see table 8-5 for all tools.

Scripting tools:

• These tools are used to facilitate tasks; some examples are PowerShell, Python, SSH, and OpenSSL.

Packet capture and replay tools:

• Packet analysis is used for security; many tools can perform this analysis, one of which is Wireshark.
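
Added example, not part of the original notes: a minimal parser for the libpcap file format that Wireshark and tcpdump write, run over a constructed two-frame capture (the helper that builds the sample file is also constructed here). It reads the 24-byte global header and the 16-byte record header before each frame, then extracts the Ethernet source/destination MACs and EtherType, the starting point for any packet analysis.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4    # pcap magic number; microsecond timestamps
LINKTYPE_ETHERNET = 1

def ethernet_frame(dst, src, ethertype, payload=b""):
    """Assemble a raw Ethernet II frame from MAC strings and an EtherType."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)

def build_pcap(frames):
    """Write a minimal little-endian libpcap file from (seconds, frame) tuples:
    a 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Walk a little-endian pcap and return (time, src_mac, dst_mac, ethertype)
    per frame, skipping records too short to hold a 14-byte Ethernet header."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    records, offset = [], 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 14:
            continue
        dst = ":".join("%02x" % b for b in frame[0:6])
        src = ":".join("%02x" % b for b in frame[6:12])
        ethertype, = struct.unpack_from("!H", frame, 12)
        records.append((sec + usec / 1e6, src, dst, ethertype))
    return records

# Constructed capture (not real traffic): an ARP broadcast, then an IPv4 frame.
SAMPLE_PCAP = build_pcap([
    (1.5, ethernet_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:01", 0x0806, b"\x00" * 28)),
    (2.0, ethernet_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", 0x0800, b"\x45" + b"\x00" * 19)),
])

if __name__ == "__main__":
    for ts, src, dst, etype in parse_pcap(SAMPLE_PCAP):
        print("%.6f %s -> %s ethertype 0x%04x" % (ts, src, dst, etype))
```

Real captures written on big-endian hosts or in the newer pcapng format start with different magic bytes, which is why the parser refuses anything but the one layout it understands.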

External perimeter defenses:

• Barriers, of different types, restrict access to the structure.
• Personnel are active security elements.
• Robot sentries are robotic security that act like a security guard with CCTV.
• Sensors detect different events and generate an alarm; see table 8-7.

Internal physical controls:

• Locks, electronic or physical, keep things safe.
• Secure areas are areas with controlled access, usually implemented as a mantrap or a demilitarized zone.
• Protected cable distribution usually consists of conduits that protect cables from being damaged or accessed.
• Fire suppression reduces the impact of fire-related damage to systems.

Computer hardware security:

• Physical security measures specific to protecting endpoint devices; for example, a cable lock.

Summary:

Credit: see image for resource credit

• Some attacks are designed to intercept network communications. A man-in-the-middle (MITM) attack intercepts legitimate communication and forges a fictitious response to the sender or eavesdrops on the conversation. A session replay attack intercepts and uses a session ID to impersonate a user. A man-in-the-browser (MITB) attack occurs between a browser and the underlying computer. An MITB attack seeks to intercept and then manipulate the communication between the web browser and the security mechanisms of the computer.
• Layer 2 of the OSI model is particularly weak and is a frequent target of threat actors. ARP poisoning changes the ARP cache so the corresponding IP address is pointing to a different computer. In a MAC cloning attack, threat actors will discover a valid MAC address of a device connected to a switch and then spoof that MAC address on their device and send a packet onto the network. The switch will change its MAC address table to reflect this new association of that MAC address with the port to which the attackers’ device is connected. In a MAC flooding attack, threat actors will overflow the switch with Ethernet packets that have been spoofed so that every packet contains a different source MAC address, each appearing to come from a different endpoint. This can quickly consume all the memory for the MAC address table, and the switch will enter a fail-open mode and function like a network hub, broadcasting frames to all ports. Threat actors could then install software or a hardware device that captures and decodes packets on one client connected to the switch to view all traffic.
• DNS poisoning modifies a local lookup table on a device to point to a different domain, which is usually a malicious DNS server controlled by a threat actor that will redirect traffic to a website designed to steal user information or infect the device with malware. DNS hijacking is intended to infect an external DNS server with IP addresses that point to malicious sites. A distributed denial of service (DDoS) attack involves a device being overwhelmed by a torrent of fake requests so that it cannot respond to legitimate requests for service.
• Several successful network attacks come from malicious software code and scripts. PowerShell is a task automation and configuration management framework from Microsoft. The power and reach of PowerShell make it a prime target for threat actors who use it to inject malware. Visual Basic for Applications (VBA) is an “event-driven” Microsoft programming language that is used to automate processes that normally would take multiple steps or levels of steps. VBA is most often used to create macros. A macro is a series of instructions that can be grouped together as a single command. Macros are still used to distribute malware. Python is a popular programming language that can run on several different OS platforms. There are several “best practices” to follow when using Python so that the code does not contain vulnerabilities. Bash is the command language interpreter (called the “shell”) for the Linux/UNIX OS. Bash scripting is using Bash to create a script (a script is essentially the same as a program, but it is interpreted and executed without the need for it to be first compiled into machine language). Exploits have taken advantage of vulnerabilities in Bash.
• There are several different assessment tools for determining the strength of a network. Text files are a fundamental element when using the Linux OS. Because virtually all configuration files in Linux are text files, changing the configuration of a security application involves modifying the text configuration file. Thus, being able to manipulate text is an important skill in managing Linux security, as well as other applications and even the OS itself. There are a variety of different tools that can be used to create scripts that facilitate tasks. One tool that supports scripting is OpenSSL, a cryptography library that offers open source applications of the TLS protocol.
• Collecting and analyzing data packets that cross a network can provide a wealth of valuable information. Packet analysis can also be used extensively for security. Wireshark is a popular GUI packet capture and analysis tool. Tcpdump is a command-line packet analyzer. Tcpreplay is a tool for editing packets and then “replaying” the packets back onto the network to observe their behavior.
• An often-overlooked consideration when defending a network is physical security: preventing a threat actor from physically accessing the network is as important as preventing the attacker from accessing it remotely. External perimeter defenses are designed to restrict access to the areas in which equipment is located. Fencing is usually a tall, permanent structure to keep out unauthorized personnel. It is usually accompanied by signage that explains the area is restricted and proper lighting so the area can be viewed after dark. A barricade is generally designed to block the passage of traffic. A bollard is a short but sturdy vertical post that is used as a vehicular traffic barricade to prevent a car from ramming into a secured area.
• While barriers act as passive devices to restrict access, personnel are considered active security elements. Human security guards who patrol and monitor restricted areas are most often used as an active security defense. Using two security guards is called two-person integrity/control. Some guards are responsible for monitoring activity captured by video surveillance cameras that transmit a signal to a specific and limited set of receivers called closed circuit television (CCTV). High-end video surveillance cameras only record when they detect movement (motion recognition), while others can identify a suspicious object and sound an alert. Increasingly, drones/unmanned aerial vehicles (UAV) with cameras are also being used for monitoring activity. Robot sentries that patrol and use CCTV with object detection are increasingly being used in public areas. A receptionist who staffs a public reception area can also provide a level of active security. To supplement the work of security guards, sensors can be placed in strategic locations to alert guards by generating an audible alarm of an unexpected or unusual action.
• In the event that unauthorized personnel defeat external perimeter defenses, they should then face internal physical access security. A variety of types of locks can be used to restrict access. Physical locks that require a key or other device to open doors or cabinets are the most common types of physical locks. However, physical locks that use keys can be compromised if the keys are lost, stolen, or duplicated. A more secure option is to use an electronic lock. These locks use buttons that must be pushed in the proper sequence to open the door.
• A demilitarized zone (DMZ) is an area that separates threat actors from defenders (also called a physical air gap). A mantrap is designed as an air gap to separate a nonsecure area from a secured area. A mantrap device monitors and controls two interlocking doors to a vestibule. A protected cable distribution is a system of cable conduits used to protect classified information that is being transmitted between two secure areas. Damage inflicted as a result of a fire is a constant threat to persons as well as property. Fire suppression includes the attempts to reduce the impact of a fire. In a data center that contains electronic equipment, using a handheld fire extinguisher is not recommended because the chemical contents can contaminate the equipment. Instead, stationary fire suppression systems are integrated into the building’s infrastructure and release fire suppressant in the room.
• A cable lock can be inserted into the security slot of a portable device and rotated so that the cable lock is secured to the device. When storing a laptop, it can be placed in a safe or a vault, which is a ruggedized steel box with a lock. Some offices have safes in employee cubicles for the users to lock up important papers when away from their desks, even for a short period of time. A Faraday cage is a metallic enclosure that prevents the entry or escape of an electromagnetic field.