Introduction
Attackers have a method that they work by. They follow phases to ensure success when attempting to breach a network. There
are many other aspects of these phases that don't fit conveniently into any rigid categories. The five phases of an attack are:
- Reconnaissance
- Scanning
- Gaining Access
- Maintaining Access
- Clearing Tracks
To thwart the attempts of an attacker, the principles of preventing access must be understood.
Firewall Classes
Understanding Firewalls
Firewalls can be either software based or hardware devices that are used in the enforcement of security policies. Both
can filter traffic based on a set of rules as traffic passes through them.
Routers are not firewalls and should never be considered as such. Network based firewalls will route traffic but this
is only if the policy allows. Single hosts can be protected from both incoming and outgoing traffic by use of a host
based firewall. Regardless of whether the firewall is software or hardware, all can create a troubleshooting nightmare
should they not be configured carefully or correctly. This is the keystone to a business objective driven policy when
it comes to firewall configuration.
Improvised configurations do not work well with firewalls. The configurations must be carefully thought through and any
impact caused by the configuration must be considered. This should be done before the implementation of any firewall
policies.
Physical or social engineering attacks cannot be protected against by any firewall. The most common weaknesses in any
firewall are either leaving them in their default configurations or by careless implementation. Attackers are looking
hard for these weaknesses and the best defensive measure is to prevent them from finding them by changing the default
settings or by careful firewall configurations. Of equal importance is to understand both the benefits and the limitations
of firewalls and prevent being lulled into the false sense of security by thinking their mere presence is equal to network
security and protection.
Firewall Classes
Different types of firewalls exist each having their own niche in the market. Some products are multi-functional providing
features such as routing and Demilitarized Zones (DMZ). These are the four common firewall classes:
- Packet Filters
- Circuit Level Gateways
- Application Level Firewalls
- Stateful Multilayer Inspection Firewalls
Packet Filters - Packet filters search for protocol information in the delivery and transport layers.
The idea behind this is to filter out the obvious items first. Since every packet is a discrete single logical unit,
packet filters only look at one delivery at a time. This method is computationally cheap and very efficient.
Circuit Level Gateways - Circuit Level Gateways are a unique set of firewalls that protect the
integrity of each end of the session, all without invading the confidentiality of the data that is being exchanged. It
is a socket level proxy as it creates entirely new connections that are based on the synchronizing of IP addresses and
ports.
This method works by including a new translation of the sequence numbers that are tracked by TCP to help the receiving
host reassemble all of the segments of data. It also prevents session hijacking and also helps obscure the true endpoints
of any observed conversation.
Application Level Firewalls - Application Level Firewalls work on the Layer 7 level by looking at the
content of each network packet. This includes all client server requests and information content that is delivered on
the network.
Application Level Firewalls are computationally expensive as many factors reaching far beyond a simple string pattern
must be matched and incorporated. Factors also include context and policies such as user profiles and time of day
constraints. Once a policy violation is detected, there is a consideration as to whether to log the evidence in a
forensically sound manner, to redirect the user to another source or to log the alert allowing manual intervention in
the determination as to what action should be taken.
Stateful Multilayer Inspection Firewalls - This class of firewall is a combination of all of the other
three types of firewalls. They act by filtering packets at the network layer, discarding the easiest data first, and then
sending the remaining packets to the deep packet inspection engine. Deep packet inspection is a form of network
packet filtering that examines the data of a packet searching for protocol non-compliance, viruses, spam, intrusions or
defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination.
Intrusion Detection Systems (IDS) Classes
IDS Classes
Acting as a passive technique, intrusion detection is a critical part of network monitoring. It will only
inform when an event has occurred but does not prevent or correct the situation by default. On the other hand,
intrusion prevention systems perform on an active level and actively seek out anything considered abnormal. They need
careful configuration and testing, because false positives can sometimes be used to turn these systems against their owners.
If trying to decide between the two, keep in mind that there is no "right choice." The decision has to be made by the
consideration of its purpose and the best fit. While passive IDSs are prone to false positives and rely on administrative
overhead in the form of analysis, they can look for a broad range of suspicious activity, whereas active IDSs can create DoS
situations if false positives are present and therefore must be tuned finely, thus seeking out a much narrower scope of
events.
Placement of these detection agents also plays a role in the type of system that is chosen. The DMZ should always have an
agent present and one should also be in place to the inside of the firewall that will screen all internal networks.
There are several approaches to intrusion detection. Here are seven of the most common:
- Signature Recognition
- Anomaly Detection
- Statistical Detection
- Network-Based Intrusion Detection
- Host-Based Intrusion Detection
- Log File Monitoring
- File Integrity Checking
Signature Recognition - Signatures are primarily recognizable characteristics of a packet such as a particular
series of bytes or characters. The position, or offset, of particular bytes can be of significance, as well as specified
field values or protocol flag combinations.
Signature detection occurs in real time. After a suspect packet is detected, alerts can be placed in a log file almost
immediately. If in place, an Incident Response Plan is activated and notifications can be sent. This sequence is most
often the greatest weakness of an IDS implementation, because by the time the attack is noticed,
the objective may have already been met and the attacker might be gone or at least have changed the nature of their presence.
Should the IDS be running in "in-line" mode, it could interact with firewall software to implement new policy rules to
block the attack. This is the function of an Intrusion Prevention System (IPS).
There is a drawback to signature detection, and this is the complexity and size of the rule set that must be
used. It has to be constantly updated, and it will not detect zero-day exploits, which are exploits for which
no signature rules are yet available.
Anomaly Detection - Unusual events are what this type of IDS looks for. This means that it is critical
to have a knowledge of what traffic is considered "normal." A baseline metric is needed and normal, expected traffic is
given to the IDS. The IDS then will provide an alert if events other than what the baseline predicts take place.
This type of monitoring has an advantage as to where certain types of attacks that would normally evade signature
analysis would be detected. Some of these attacks would be ARP poisoning or heavily fragmented packets that would
cause unusual traffic. The disadvantage is that this IDS is only as good as its baseline.
Statistical Detection - This IDS notices attacks that occur over time. Should an attacker try and scan
very slowly, alerts are still triggered. Analysis, however, takes time and the attack may not be discovered until it
has been completed, but at least the target will know the event has happened.
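An added example (not from the original page) of the statistical approach: it counts distinct destination ports per source inside a sliding window, so a scan paced at one probe every 20 minutes is caught by a six-hour window and missed by a one-minute one. The log format, windows and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LONG_WINDOW = timedelta(hours=6)     # assumed statistical window
SHORT_WINDOW = timedelta(minutes=1)  # typical burst-rate window, for contrast

def build_sample_log():
    """Constructed firewall-deny lines: 'ISO-timestamp src dst dport'."""
    start = datetime(2024, 1, 1)
    lines = []
    # 203.0.113.9 touches one new port every 20 minutes (slow scan).
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443,
                              3306, 3389, 5900, 8080]):
        ts = start + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.9 10.0.0.5 {port}")
    # 198.51.100.7 retries a single port often (noisy, but not a scan).
    for i in range(30):
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 10.0.0.5 443")
    return sorted(lines)

def parse(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def detect_scans(lines, window, min_ports=10):
    """Return {src: ports} for sources that touched at least min_ports
    distinct ports on one destination within a sliding time window."""
    events = defaultdict(list)            # (src, dst) -> [(ts, port), ...]
    for line in lines:
        ts, src, dst, port = parse(line)
        events[(src, dst)].append((ts, port))

    alerts = {}
    for (src, _dst), evs in events.items():
        evs.sort()
        left = 0
        counts = defaultdict(int)         # port -> hits inside the window
        for ts, port in evs:
            counts[port] += 1
            # Drop events that have aged out of the window.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_ports:
                alerts[src] = sorted(counts)
                break
    return alerts

if __name__ == "__main__":
    log = build_sample_log()
    print("6 h window :", detect_scans(log, LONG_WINDOW))
    print("1 min window:", detect_scans(log, SHORT_WINDOW))
```

The long window costs memory and delay, which is the trade-off the paragraph above describes: the alert fires only at the tenth probe, three hours into the scan.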
Network-Based Intrusion Detection - Considered "passive", this IDS just listens on the wire. Any form
of analysis can be used.
Host-Based Intrusion Detection - This IDS is considered active since it can be invasive in order to
monitor the behavior or actions of a host. As an example, if multiple emails are sent without a subject or content, the
HIDS will block all email activity, notify the user and have the user confirm whether the actions were intended or not.
Log File Monitoring - Since log files have thousands of formats and each one is unique to the service
that is being monitored, they present a challenge to analyze. Commercial tools are available that know of many popular
formats and thus make reporting much easier, and they can provide real-time reporting as well.
File Integrity Checking - The class of IDS that keeps a database of hashes computed from critical files
or directories on the system is the System Integrity Verifier (SIV). It recalculates these hashes either periodically or
whenever the file is accessed. It then presents an alert when changes have been detected.
SIVs discover files that have been replaced, altered or corrupted. Unfortunately, files that change often are much
more difficult to monitor. Fortunately, OS system files and program libraries are not subject to frequent changes, though
a new hash database must be computed after accepting patches or other security updates.
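A minimal System Integrity Verifier, added here as an example and not taken from the original page or from any particular product: it builds a SHA-256 database for a directory tree, re-hashes it, and classifies differences as modified, permission-changed, missing or new. The file names and contents are constructed and live in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """SHA-256 of the content plus metadata an SIV can also watch."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}

def build_baseline(root):
    """Walk root and return {relative path: fingerprint}."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = fingerprint(full)
    return db

def verify(root, baseline):
    """Re-hash the tree and classify every difference from the baseline."""
    current = build_baseline(root)
    report = {"modified": [], "permissions": [], "missing": [], "new": []}
    for rel, old in baseline.items():
        now = current.get(rel)
        if now is None:
            report["missing"].append(rel)
        elif now["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        elif now["mode"] != old["mode"]:
            report["permissions"].append(rel)
    report["new"] = [rel for rel in current if rel not in baseline]
    return {kind: sorted(paths) for kind, paths in report.items()}

def write(root, rel, data, mode=0o644):
    """Helper for the constructed scenario below."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed scenario: change a baselined tree, then re-baseline."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", b"#!/bin/sh\nexec /usr/bin/real-login\n", 0o755)
        write(root, "etc/app.conf", b"debug=false\n")
        write(root, "lib/libdemo.so", b"\x7fELF constructed placeholder")
        baseline = build_baseline(root)

        # Same-size content change: a size check alone would miss this.
        write(root, "bin/login", b"#!/bin/sh\nexec /usr/bin/fake-login\n", 0o755)
        os.chmod(os.path.join(root, "etc/app.conf"), 0o666)
        os.remove(os.path.join(root, "lib/libdemo.so"))
        write(root, "bin/.cache", b"unexpected file")
        changed = verify(root, baseline)

        # Recomputing the database (only after changes are reviewed and
        # accepted, e.g. a patch) makes the current state the new normal.
        baseline = build_baseline(root)
        return changed, verify(root, baseline)

if __name__ == "__main__":
    changed, clean = demo()
    print(changed)
    print(clean)
```

In practice the baseline database itself has to be stored where a compromised host cannot rewrite it, otherwise the comparison proves nothing.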
Interpreting Alerts
It is up to human intervention and analysis to determine if a response action is necessary or appropriate, and if so,
to determine what the response should be, should an alert or an alarm be triggered. An immediate overreaction
to the alert not only wastes time responding to non-issues but can also create
new problems.
The following are categories that are used for IDS alerts.
- True Positive: An event triggering an alert for a real and present threat.
- False Positive: An event triggering an alert showing a real threat when in fact it was not.
- True Negative: An event not triggering an alert and in reality not a threat at all.
- False Negative: An event not triggering an alert when in fact it was a real threat.
Events to Look for During An Analysis
Redundancy and different methods of detection are included in most of the best monitoring programs. Each threat possesses
its own risk factors to the organization. With this variance, each asset should be monitored differently.
Putting this into an example, consider a public web server and a database server. The web server will most likely be
accessed by many people. Certain types of access are expected; however, certain access types, such as directory traversals,
indicate that one of the visitors is searching for documents or trying to detect other flaws. Then again, this could just be
a search engine spider. Regardless, if we know from testing that there is nothing to find, most activity such as this is
expected and should be ignored.
Now, looking at the database server, it should only be accessed by authorized processes and only when those processes are
running correctly. They are only to attempt and perform certain actions. If anything outside of that is taking place, it
may be an indication that an attacker has gained access and has a better position on the network: the query source has
been compromised and the database must also be analyzed for any successful breaches.
You must be familiar with the threats and remember to not overreact. Just because a computer reboots on its own does not
necessarily mean it has been breached; it could be that the RAM needs to be reseated. On the other hand, you must remember that
attackers may also try to cause a diversion and waste an administrator's time with false positives. These false positives
will only be detected by redundant IDSs that are using different methods of detection. True positives must be responded
to by an Incident Response Program (IRP) or an external team like a Computer Security Incident Response Team (CSIRT).
Here is a list of the most common items that a security team should be monitoring. Consider which form of detection would
be the best and how an attacker might trigger a false positive or evade detection.
- Modifications to system software and configuration files
- Gaps in accounting systems
- Unfamiliar user names
- Arbitrary data in log files
- Unusually slow performance
- System crashes or reboots
- Repeated probes on the available services on the machine
- Missing logs
- Repeated login attempts from the remote hosts
- Short or incomplete logs
- Unfamiliar processes
- Logs containing strange timestamps
- Missing files
- Logs with incorrect permission or ownership
- Abnormal system performance
- Rogue files on the system that do not correspond to your master list of signed files
- Unusual displays or text messages
- The presence of new, unfamiliar files or programs
- Change in file permissions
- Unexplained changes in file size
- Connections from unusual locations
Honeypots
The Nature of Honeypots
Honeypots are designed to attract attackers with the idea that monitoring systems will allow the attacker to be observed.
Honeypots come in different scales: a honeypot is a host, a honeynet is a network and a
honeytoken is a piece of monitored data.
Before the deployment of a honeypot, a company or organization needs to verify that they are not violating the privacy
rights of the attacker (go figure...). Covert honeypots deployed by third party projects rest in a different category.
The art to setting up a decoy victim is to make it appear legitimate. It must not stand out or seem in any way unusual
or the attacker will notice and avoid it. Honeypots are not necessarily entirely exposed to risk, whereas the term
bastion host is used to describe a host that is: it is completely exposed and completely hardened because it
is getting no help. Honeypots must not create additional risks, or they could, and would, be used against the network.
Honeypot Types
There are four different honeypot varieties that exist, all a matter of choice and a balance of risk, accuracy and
administrative distraction from the production hosts. These levels are:
- Physical Honeypots
- Virtual Honeypots
- Low Interaction
- High Interaction
Physical Honeypots - These types are considered physical tests, fully functional and heavily monitored.
They can be as simple as an unlocked bicycle leaning against a wall. Though it is there and unsecured, this does not
mean the owner has given any permissions for anyone to take it.
Virtual Honeypots - This type is a sacrificial host set up on a network, having real services running
on a real OS but only containing fictional information, if any at all. Though this honeypot comes with great risk, it
is the most convincing form of honeypot.
This type of honeypot will appear as a rogue infrastructure and cause internal time wasting should it not be formalized
with configuration, release and change management processes in place.
The IDS may have been told to pass all traffic coming from the honeypot and this can be a big mistake should the honeypot
be compromised while remaining undetected. In this state, it could be used as a weapon against the network.
Low Interaction - This form appears to an attacker as an access point. It only logs probing activity,
however, and since this host is of no production value, all access attempts are considered suspicious.
High Interaction - This form can be of great risk. Being able to be fully compromised, it must be
separated from any network segment that has production value. The monitoring capabilities of this type of honeypot
facilitate the gathering of information that would not be noticed by NIDS. By diligently monitoring the honeypot,
detection of the larger plan of the attacker is possible and if the attacker manages to evade the network-based
intrusion detection, hopefully the diversion will be discovered and attacked.
Testing and Evasion Techniques
Scanning for Firewalls, IDS and Honeypots
Knowing where the filters are is critical to the attacker. This is also a primary difference between the white hat
penetration test and the true attack as the filters are moved for simple assessments.
Playing a major role in the scanning phase of the attack, the attacker wants to know where their barriers are located.
By knowing this, the attack can either be graceful and never discovered or one that will cause alarms to be triggered,
thus prompting a rapid escape and retreat.
There are five basic ways to fingerprint firewalls. These are:
- Traceroute
- Banner Grabbing
- Look for any accessible open port
- Port Scanning
- Firewalking
Traceroute - It is important to know the path to a target host when interpreting the results of all other
scans. By using traceroute, the attacker can make sure that they don't inadvertently attack a host that doesn't belong
to the target organization. It also aids in distinguishing hosts and gateways which will determine the different scanning
techniques used.
Should two or more hops with the same IP address show, this suggests that a load balancer or cluster is in place. Though
this may not influence the attack, this information is still good to know.
Banner Grabbing - Using a tool like telnet, an attacker can try to connect to any access point that
has been discovered and attempt to gather information. The proper instructions must be sent relative to the expected
service to achieve full interaction, but even those that return only errors often divulge important information.
Look for any accessible open port - The two major issues with a routing firewall are the firewall itself
and the hosts.
An attacker can gain clues about the nature of the possible routing firewall by determining which ports are showing as being
open. IP protocol ID 47 shows support for Generic Routing Encapsulation (GRE) and is often accompanied by TCP ports 1723 or
1701 that could reveal a potential VPN gateway.
The most common way to find a series of routers is by using the traceroute command. It is equally important to be
able to use a variety of scanning techniques including the ICMP type 8 and other ACK scans. If it is shown that two hosts
with the same IP source address exist, this can be an indication of a Network Address Translation (NAT) server or a load
balancer.
Port Scanning - Port scanning can be conducted against both the routing firewalls and the hosts that are
possibly running software firewalls themselves. The attacker is interested in what they can access.
Firewalking - The firewalk scan requires three hosts: the scanner, the gateway and the destination.
Traffic is sent to the destination by the scanner and informs the firewall tool what the gateway is. Firewalk sets the
Time to Live (TTL) value of each packet it sends to one hop past the gateway of the destination. If this traffic is passed
by the gateway, the destination will respond with an ICMP type 11, which is the Time Exceeded, and the attacker knows
the port is open. If not, the packet is dropped by the gateway.
Simple Evasion Techniques
Signature-based analyzers and other real time IDS systems can be fooled if they are not set up correctly or are not
installed on hardware that is designed to handle the load on their segment. In these circumstances, simple command line
tools can play havoc.
- Fragmented Traffic
- Encryption
- Decoy Traffic
- Denial of Service
Fragmented Traffic - Available for Linux, fragrouter is a command line tool that allows the
attacker to ensure that all packets sent to a particular host will be fragmented to the size the attacker specifies. The
IDS must then reassemble the fragments before full analysis can take place and therefore keeps the IDS busy. During this
period other packets might be able to pass through during the time of high network load.
It is important not to confuse fragrouter with the tool fragroute. Fragroute is capable of being an
inline packet modification tool, otherwise known as a packet shaper.
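Why a sensor has to reassemble before it matches, shown as an added example that is not part of the original page: the same byte-pattern and offset signatures are run once per fragment and once over the reassembled datagram. The signature names, the sample request and the simplified fragment records (byte offsets, no IP header parsing) are assumptions made for the illustration.

```python
from collections import defaultdict

# Hypothetical signatures: a byte pattern, optionally pinned to an offset
# measured from the start of the full datagram payload.
SIGNATURES = [
    {"name": "demo-traversal", "pattern": b"../../etc/passwd", "offset": None},
    {"name": "demo-dotdot-at-20", "pattern": b"../", "offset": 20},
]

# Constructed request used as sample traffic.
SAMPLE = b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\n\r\n"

def fragment(src, ip_id, payload, size=8):
    """Build constructed fragment records (offsets in bytes)."""
    return [{"src": src, "id": ip_id, "offset": off,
             "mf": off + size < len(payload),      # "more fragments" flag
             "data": payload[off:off + size]}
            for off in range(0, len(payload), size)]

def match(payload):
    """Names of the signatures that match one buffer."""
    hits = []
    for sig in SIGNATURES:
        if sig["offset"] is None:
            found = sig["pattern"] in payload
        else:
            found = payload.startswith(sig["pattern"], sig["offset"])
        if found:
            hits.append(sig["name"])
    return hits

def inspect_per_fragment(fragments):
    """Weak sensor: every fragment is matched in isolation."""
    return sorted({hit for f in fragments for hit in match(f["data"])})

def reassemble(fragments):
    """Group by (src, id), order by offset, return (datagrams, anomalies)."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f["src"], f["id"])].append(f)
    datagrams, anomalies = [], []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        buf, state = bytearray(), "incomplete"
        for f in frags:
            if f["offset"] < len(buf):   # overlap or duplicate: suspicious
                state = "overlap"
                break
            if f["offset"] > len(buf):   # gap: a fragment is still missing
                break
            buf += f["data"]
            if not f["mf"]:
                state = "complete"
                break
        if state == "complete":
            datagrams.append(bytes(buf))
        else:
            anomalies.append((key, state))
    return datagrams, anomalies

def inspect_reassembled(fragments):
    """Sensor that matches only complete, reassembled payloads."""
    datagrams, anomalies = reassemble(fragments)
    hits = sorted({hit for d in datagrams for hit in match(d)})
    return hits, anomalies

if __name__ == "__main__":
    frags = fragment("192.0.2.10", 7, SAMPLE)
    print("per fragment:", inspect_per_fragment(frags))
    print("reassembled :", inspect_reassembled(list(reversed(frags))))
```

Reassembly is what costs the sensor memory and CPU, so a production IDS also needs a timeout and a cap on buffered fragments; the anomalies list is where incomplete or overlapping sets would be reported rather than silently passed.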
Encryption - Whether encryption is mandated or forbidden is dictated by security policies. This is
the only way any traffic can be flagged as suspicious even when a determination cannot be made as to what the attack
is exactly.
Encryption countermeasures can sometimes be used to create covert channels for attackers. If the host end points that
have established tunnels are compromised, the attacker might not need to even care about encryption, in fact it is
sometimes even a benefit to them. Unless given the ability to decode the packets, IDS tools cannot analyze encrypted
traffic. This action will expose the keys to more risk or further complicate key issuance and management.
Decoy Traffic - There are tools such as nmap that include options for generating packets
that have random IP addresses and port numbers that are used to mix with the attack packets. This could cause the IDS
to log many false positives so the analyst has to figure out what is real and what is not.
Denial of Service - The IDS might be subject to Denial of Service based on the underlying operating system or on a
flaw in the IDS code itself. If attention is paid, this problem will be fixed quickly. Usually this issue can be fixed
by a member of the Security Operations Center (SOC), however it might be just enough time for the attacker that is
conducting the access step to plant the maintaining access code.
Packet Crafting
Packet crafting is a technique that allows network administrators to probe firewall rule-sets and find entry
points into a targeted system or network. This is done by manually generating packets to test network devices and
behavior instead of using existing network traffic. Testing may target a firewall, IDS, TCP/IP stack, router or any
other component of the network.
There are many ways to craft packets, such as scripts written by programmers in languages like Perl or Python to automate
crafting traffic and have complete control over the system. Comprised of a series of bits, a packet can be captured, manipulated,
parsed, adjusted, created and sent in any way attackers might need as long as they know what is required for a given
attack.
One of the easiest command line tools is Hping that comes with Backtrack Linux. It can be used to test firewalls and
IDS.
Signature Changing
A quicker approach than Packet Crafting is to change the signature. Signatures that are based on a sequence of bytes
in the data layer can be circumvented if the bytes under analysis are changed.
Adding bytes into the data is known as an Injection Attack. Should the signature be too strict, the attacker
might be able to change some values that have nothing to do with the signature but would cause the analysis rule to
decide on a false negative. Some of these tools are:
- SideStep: Is a tool that generates Metasploit payloads encrypted using the CryptoPP library and uses
several other techniques to evade the Anti Virus.
- ADMutate: Will attempt to encode the shell code with a simple mechanism so the shell code will be
unique to any NIDS sensor.
- Fragrouter: This is just a one-way fragmenting router. IP packets get sent from the attacker to
the fragrouter which transforms them into a fragmented data stream to forward to the victim.
- NIDSBench: This tool implements several well known attacks against passive network monitoring and
allows for the instrumentation of trace-driven network attack simulations.
Tunnels and Reverse Shells
Tunnels - Tunnels, or tunneling, which is also known as port forwarding, is the transmission of
data intended for a private, corporate network through a public network. It is achieved in such a way that the routing
nodes in the public network are completely unaware that the transmission is part of a private network.
Reverse Shells - A reverse shell is the connection of one computer to another where the initiating
computer forwards their shell to the destination. It is common that a reverse shell happens during an attack or as part
of a penetration test. This kind of attack allows an attacker an interactive shell on a machine that they should not
have had access to inside of the hardened area.
Packets can be enveloped within one another. Protocols that specify arbitrary data in the payload area can also be used
in tunnels.
An ICMP type 8 message, which is a ping request, does not specify what should be echoed as the RFC just refers to "data".
Loki is a tool that is able to take a message, split it up into pieces and send each piece as a part of the echo
request in a type 8 message.
There is one thing that should be noted and that is that something on the receiving end has to understand the encapsulation.
This is the same principle that applies to Virtual Private Networks (VPNs), and it can also be applied to covert attack
channels.
Stateful Packet Inspection (SPI) firewalls are the reason reverse shells happen. SPI firewalls prevent incoming connection
attempts but will allow traffic generated from requests. Essentially, this is a way of telling the attacker that the
target wants to be attacked. This is where social engineering comes into play.