We assume here that the attacker is moderately skilled and motivated to break into your network. He has targeted you due to a specific motive -- perhaps you sacked him or didn't provide adequate customer support. Hopefully this will help you figure out where your network might be attacked, and what an attacker might do once he is on the inside.
Remember that attackers will usually choose the simplest way to get into the network. The path of least resistance principle always applies.
Reconnaissance and footprintingHere the attacker will try to gather as much information about your company and network as he can without making a noise. He will first use legitimate channels, such as Google and your company Web page to find out as much about you as he can. He will look for the following information:
- on the heads of IT departments, the CEO and other people who have a lot of power. He can use this information to forge e-mail or social engineer information out of subordinates.
- Information about your partners. This might be useful information for him if he knows you have some sort of network connection to a supplier or partner. He can then include the supplier's systems in his attack and find a way in to your network from there.
- General news. This can be useful information to an attacker as well. If your Web site says that it is going down for maintenance because you are changing your Web server, it might be a clue that the new setup will be in its teething stages and the administrator may not have fully secured it yet.
He will also query the whois databases to find out what block of IP addresses you own. This will give him a general idea of where to start network level scans. After this hewill start a series of network probes. The most basic of these will determine if you have a firewall and what it protects. He will try to identify any systems you have that are accessible from the Internet.
The most important targets will be the ones that provide public services. These will be:
The more naive of the lot (or the ones who know that security logs are never looked at) may run a commercial vulnerability scanner such as Nessus or Retina over the network. This will ease their work.
Exploitation phaseAfter determining which are valid targets and figuring out what OS and version of software you are using (example which version of Apache or IIS is the web server running), the attacker can look for an exploit targeting your particular version. For example, if he finds you are running an out of date version of Sendmail, he will look for an exploit targeting that version or below.
Attackers will first look in their collection of exploits because they have tested these. If they cannot find one, they will look to public repositories such as http://www.packetstormsecurity.nl. They will probably try to choose common exploits, as these are more likely to work and they can probably test them in their own labs. They will run these exploits on the target (say the Web server) and if they work, they will have some kind of access to the network.
From here the attacker has already won half the game -- he is behind your firewall and can probably see a lot more of the internal network than you ever intended for him to. Many networks tend to be very hard to penetrate from the outside, but are woefully unprotected internally. This hard exterior with a mushy interior is a recipe for trouble -- an attacker who penetrates the first line of defense will have the full run of your network.
After getting in, he will also probably install backdoors on this first compromised system to provide him with many access points, in case his original hole gets shut down. This is why when you identify a machine that has been broken into, it should be built up again from scratch. There is no way of knowing what kind of backdoors might be installed. It could be tricky to find a program that runs itself from 2:00 am to 4:00 am every night and tries to connect to the attacker's machine. Once the attacker has successfully guaranteed his access, the hard part of the intrusion is usually over.
Privilege escalation phaseNow the attacker will attempt to increase his security clearance on the network. he will usually target the administrator accounts or perhaps a CEO's account. If he is focused on a specific target (say your database server) he will look for the credentials of anyone with access to that resource. He will most likely set up a network sniffer to capture all the packets as they go through the network.
He will also start manually hunting around for documents that will give him some interesting information or leverage. Thus, any sensitive documents should be encrypted or stored on systems with no connection to the network.
Attackers will also look for Windows machines with file sharing enabled and see what they can get out of these. Chances are if they didn't come in with a particular objective in mind (for example stealing a database), they will take whatever information they deem to be useful in some way.
Clean up phaseNow the attacker has either found what he was looking for or is satisfied with the level of access he's gained. He's made sure that he has multiple paths into the network in case you close the first hole. He will now try to cover up any trace of an intrusion. He will manually edit log files to remove entries about his actions and will make sure to hide any programs he has installed in hard to find places.
Remember, we are dealing with an intruder who is moderately skilled and is not just interested in defacing your Web site. He knows that the only way to keep access will be if you never know something is amiss. In the event that there is a log he is unable to clean up, he may risk leaving it there, or flood the log with bogus attacks, making it difficult for you to single out the real attack.
Where can I find more information?One of the best place for answers to questions relating to this article is in the Firewall.cx forums. The Security/Firewalls Forum is the best place to do this -- you can ask anything from the most basic to the most advanced questions concerning network security there. A lot of common questions have already been answered in the forums, so you will quite likely find answers to questions like "Which firewall should I use?"
Network security is a very vast field and there is seemingly limitless information on the subject. You will never find information at so-called hacker sites full of programs. The best way to learn about network security is to deal with the first word first -- you should be able to talk networking in and out, from packet header to checksum, Layer 1 to Layer 7.
Once you've got that down, you should start on the security aspect. Start by reading articles on the Internet. Take in the basics first, and make sure you keep reading. Wherever possible, try to experiment with what you have read. If you don't have a home lab, you can build one virtually. See the posts in the Firewall.cx Cool Software forum about VMware.
Also, start reading the security mailing lists such as bugtraq and security-basics. Initially, you may find yourself unable to understand a lot of what happens there, but the newest vulnerabilities are always announced on these lists. If you follow a vulnerability from the time its discovered to when someone posts an exploit for it, you'll get a very good idea of how the security community works, and you'll also learn a lot in the process.
If you're serious about security, it is imperative that you learn a programming language, or at least are able to understand code if not write your own. The best choices are C and Assembly language. However, knowing PERL and Python are also valuable skills as you can write programs in these languages very quickly.
For now, here are a few links that you can follow for more information:
A very good site with all the latest news, a very good library and tools collection as well as sections dedicated to basics, intrusion detection, penetration testing etc. Also home of the Bugtraq mailing list.
Missed lesson one, two or three? You can find them here:
Click over to Firewall.cx for more articles like this one. You don't have to register or jump through any hoops. All you do is get the networking information you want. Copyright 2004 Firewall.cx.
This was first published in March 2004