2. Network Attack Mitigations
The Defense-in-Depth Approach
To mitigate network attacks, you must first secure devices including routers,
switches, servers, and hosts. Most organizations employ a defense-in-depth
approach (also known as a layered approach) to security. This requires a
combination of networking devices and services working in tandem.
Several security devices and services are implemented to protect an
organization’s users and assets against TCP/IP threats:
• VPN
• ASA Firewall
• IPS
• ESA/WSA
• AAA Server
Keep Backups
Backing up device configurations and data is one of the most effective ways of
protecting against data loss. Backups should be performed on a regular basis as
identified in the security policy. Data backups are usually stored offsite to protect
the backup media if anything happens to the main facility.
Upgrade, Update, and Patch
As new malware is released, enterprises need to keep current with the latest
versions of antivirus software.
The most effective way to mitigate a worm attack is to download security
updates from the operating system vendor and patch all vulnerable systems.
One solution to the management of critical security patches is to make sure all
end systems automatically download updates.
Authentication, Authorization, and Accounting
Authentication, authorization, and accounting (AAA, or “triple A”) network
security services provide the primary framework to set up access control on
network devices.
AAA is a way to control who is permitted to access a network (authenticate),
what actions they may perform while accessing the network (authorize), and to
keep a record of what was done while they were there (accounting).
The concept of AAA is similar to the use of a credit card. The credit card identifies
who can use it, how much that user can spend, and keeps account of what items
the user spent money on.
Firewalls
Network firewalls reside between two or more networks, control the traffic
between them, and help prevent unauthorized access.
A firewall could allow outside users controlled access to specific services. For
example, servers accessible to outside users are usually located on a special
network referred to as the demilitarized zone (DMZ). The DMZ enables a network
administrator to apply specific policies for hosts connected to that network.
Endpoint Security
An endpoint, or host, is an individual computer system or device that acts as a
network client. Common endpoints are laptops, desktops, servers, smartphones,
and tablets.
Securing endpoint devices is one of the most challenging jobs of a network
administrator because it involves human nature. A company must have
well-documented policies in place and employees must be aware of these rules.
Employees need to be trained on proper use of the network. Policies often
include the use of antivirus software and host intrusion prevention. More
comprehensive endpoint security solutions rely on network access control.
Securing BYOD
Smartphones, tablets, etc., are becoming substitutes for the office PC that is
behind a firewall. This trend is known as Bring Your Own Device (BYOD). To
accommodate this, Cisco developed the Borderless Network. In a Borderless
Network, access to resources can be initiated by users from many locations, on
many types of end devices, using various connectivity methods. Cisco devices
support Mobile Device Management (MDM) features:
Data Encryption - MDM features can ensure that only devices that support data
encryption and have it enabled can access the network and content.
PIN Enforcement - Enforcing a PIN lock is the first and most effective step in
preventing unauthorized access to a device.
Data Wipe - Lost or stolen devices can be remotely fully or partially wiped, either
by the user or by an administrator via the MDM.
Data Loss Prevention (DLP) - DLP prevents authorized users from doing careless
or malicious things with critical data.
Jailbreak/Root Detection - Jailbreaking (on Apple iOS devices) and rooting (on
Android devices) are a means to bypass the management of a device. MDM
features can detect such bypasses and immediately restrict a device’s access to
the network or assets.
Threat Actor Tools
To exploit a vulnerability, a threat actor must have a technique or tool. Over the
years, attack tools have become more sophisticated, and highly automated.
These new tools require less technical knowledge to implement.
Ethical hacking uses many different types of tools to test the network and end
devices. To validate the security of a network and its systems, many network
penetration testing tools have been developed. However, many of these tools
can also be used by threat actors for exploitation.
CIA TRIAD
The three goals of network security include:
• Confidentiality – only intended recipients can read the data
• Integrity – assurance that the data has not been altered during
transmission
• Availability – assurance of timely and reliable access to data for authorized
users
The Principle of Confidentiality
Confidentiality prevents the disclosure of information to unauthorized people,
resources and processes. Another term for confidentiality is privacy.
Organizations need to train employees about best practices in safeguarding
sensitive information to protect themselves and the organization from attacks.
Methods used to ensure confidentiality include: data encryption, authentication,
and access control.
Protecting Data Privacy
Organizations collect a large amount of data and much of this data is not sensitive
because it is publicly available, like names and telephone numbers.
Other data collected, though, is sensitive. Sensitive information is data protected
from unauthorized access to safeguard an individual or an organization.
Controlling Access
Access control defines a number of protection schemes that prevent
unauthorized access to a computer, network, database, or other data resources.
The concepts of AAA involve three security services: Authentication,
Authorization and Accounting.
Confidentiality and privacy seem interchangeable, but from a legal standpoint,
they mean different things.
Most privacy data is confidential, but not all confidential data is private. Access to
confidential information occurs after confirming proper authorization. Financial
institutions, hospitals, medical professionals, law firms, and businesses handle
confidential information.
Confidential information has a non-public status. Maintaining confidentiality is
more of an ethical duty.
Privacy is the appropriate use of data. When organizations collect information
provided by customers or employees, they should only use that data for its
intended purpose.
Principle of Data Integrity
Integrity is the accuracy, consistency, and trustworthiness of data during its
entire life cycle.
Another term for integrity is quality.
Methods used to ensure data integrity include hashing, data validation checks,
data consistency checks, and access controls.
Need for Data Integrity
The need for data integrity varies based on how an organization uses data. For
example, Facebook does not verify the data that a user posts in a profile.
A bank or financial organization assigns a higher importance to data integrity than
Facebook does. Transactions and customer accounts must be accurate.
Protecting data integrity is a constant challenge for most organizations. Loss of
data integrity can render entire data resources unreliable or unusable.
Integrity Checks
An integrity check is a way to measure the consistency of a collection of data (a
file, a picture, or a record). The integrity check performs a process called a hash
function to take a snapshot of data at an instant in time; recomputing the hash
later and comparing it with the snapshot reveals whether the data has changed.
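The following added example (not part of the original notes) shows the snapshot-and-compare idea in practice: a manifest of SHA-256 hashes is taken at one instant and later checked against the current contents, reporting files that were modified, removed, or added. The file names and contents are constructed sample data standing in for a directory on disk.

```python
import hashlib

# Constructed sample "files" (path -> bytes) standing in for a directory on disk.
SAMPLE_FILES = {
    "config/router.cfg": b"hostname R1\nservice password-encryption\n",
    "records/customer.csv": b"id,name\n1,Alice\n2,Bob\n",
}


def sha256_hex(data: bytes) -> str:
    """The hash function that takes the 'snapshot' of one blob of data."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Snapshot every file's hash at an instant in time (path -> hex digest)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify(files: dict, manifest: dict) -> dict:
    """Compare the current contents against the snapshot.

    Returns {path: status} where status is one of
    'ok', 'modified' (hash differs), 'missing' (in manifest, gone now)
    or 'new' (present now, not in the manifest).
    """
    report = {}
    for path, expected in manifest.items():
        if path not in files:
            report[path] = "missing"
        elif sha256_hex(files[path]) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    for path in files:
        if path not in manifest:
            report[path] = "new"
    return report


if __name__ == "__main__":
    snapshot = build_manifest(SAMPLE_FILES)
    changed = dict(SAMPLE_FILES)
    changed["records/customer.csv"] = b"id,name\n1,Alice\n2,Mallory\n"
    print(verify(changed, snapshot))
```

Because anyone who can rewrite the file can also recompute a plain hash, the manifest should be stored where the monitored host cannot alter it (offline or on a separate system), in line with the backup guidance above.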
Principle of Data Availability
Data availability is the principle used to describe the need to maintain availability
of information systems and services at all times. Cyberattacks and system failures
can prevent access to information systems and services.
Methods used to ensure availability include system redundancy, system backups,
increased system resiliency, equipment maintenance, up-to-date operating
systems and software, and plans in place to recover quickly from unforeseen
disasters.
High availability systems typically include three design principles:
• Eliminate single points of failure
• Provide for reliable crossover
• Detect failures as they occur
Organizations can ensure availability by implementing the following:
• Equipment maintenance
• OS and system updates
• Test backups
• Plan for disasters
• Implement new technologies
• Monitor unusual activity
• Test to verify availability
The Security Onion and The Security Artichoke
The Security Onion
A common analogy used to describe a defense-in-depth approach is called “the
security onion.” A threat actor would have to peel away at a network’s defenses
layer by layer in a manner similar to peeling an onion. Only after penetrating
each layer would the threat actor reach the target data or system.
Note: The security onion described on this page is a way of visualizing
defense-in-depth. This is not to be confused with the Security Onion suite of
network security tools.
The Security Artichoke
The changing landscape of networking, such as the evolution of borderless
networks, has changed this analogy to the “security artichoke”, which
benefits threat actors because they no longer have to peel away each layer.
They only need to remove certain “artichoke leaves.” The threat actor peels
away the security armor along the perimeter to get to the “heart” of the
enterprise.
Mitigating Common Network Attacks
Defending the Network
Constant vigilance and ongoing education are required to defend your network
against attack. The following are best practices for securing a network:
• Develop a written security policy for the company.
• Educate employees about the risks of social engineering, and develop strategies
to validate identities over the phone, via email, or in person.
• Control physical access to systems.
• Use strong passwords and change them often.
• Encrypt and password-protect sensitive data.
• Implement security hardware and software such as firewalls, IPSs, virtual private
network (VPN) devices, antivirus software, and content filtering.
• Perform backups and test the backed-up files on a regular basis.
• Shut down unnecessary services and ports.
• Keep patches up-to-date by installing them weekly or daily, if possible, to
prevent buffer overflow and privilege escalation attacks.
• Perform security audits to test the network.
Mitigating Malware
Malware, including viruses, worms, and Trojan horses, can cause serious
problems on networks and end devices. Network administrators have several
means of mitigating these attacks.
Antivirus software helps prevent hosts from getting infected and spreading
malicious code. Several companies create antivirus software, such as
Symantec, McAfee, and Trend Micro. Antivirus products have update automation
options so that new virus definitions and new software updates can be
downloaded automatically or on demand. This practice is the most critical
requirement for keeping a network free of viruses and should be formalized in a
network security policy.
These products are installed on computers and servers to detect and eliminate
viruses. However, they do not prevent viruses from entering the network.
Another way to mitigate malware threats is to prevent malware files from
entering the network at all. Security devices at the network perimeter can
identify known malware files based on their indicators of compromise. The files
can be removed from the incoming data stream before they can cause an
incident.
Mitigating Worms
Worms are more network-based than viruses. Worm mitigation requires diligence
and coordination on the part of network security professionals. The response to a
worm attack can be broken down into four phases: containment, inoculation,
quarantine, and treatment.
Mitigating Access Attacks
Several techniques are available for mitigating access attacks, including strong
password security, principle of minimum trust, cryptography, and applying
operating system and application patches. A surprising number of access attacks
are carried out through simple password guessing or brute-force dictionary
attacks against passwords. To defend against this, create and enforce a strong
authentication policy which includes:
• Use strong passwords - Strong passwords are at least eight characters and
contain uppercase letters, lowercase letters, numbers, and special characters.
• Disable accounts after a specified number of unsuccessful logins has
occurred - This practice helps to prevent continuous password attempts.
• Use encryption for remote access to a network and routing protocol traffic to
reduce the possibility of man-in-the-middle attacks.
• Educate employees about the risks of social engineering, and develop strategies
to validate identities over the phone, via email, or in person.
• Use multifactor authentication (MFA), which has become increasingly common.
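As an added example (not from the original notes), the two password-related rules above can be enforced in code: a policy check for the stated strength requirements (at least eight characters with uppercase, lowercase, digits and special characters) and a login guard that counts unsuccessful attempts per account and disables the account at a threshold. The threshold of five failures, the user name, the salt and the stored password are constructed assumptions; the notes leave the number to the security policy.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass

MIN_LENGTH = 8           # from the notes: strong passwords are at least eight characters
MAX_FAILED_LOGINS = 5    # assumed threshold; the notes leave the number to the policy


def password_policy_failures(pw: str) -> list:
    """Return the policy rules a candidate password fails; an empty list means it is strong."""
    checks = {
        "length": len(pw) >= MIN_LENGTH,
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    return [rule for rule, passed in checks.items() if not passed]


# Constructed credential store: salted PBKDF2 digests, never plaintext passwords.
SALT = b"constructed-demo-salt"


def _digest(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


USERS = {"alice": _digest("Str0ng!Pass")}   # constructed user and password


@dataclass
class Account:
    failed: int = 0
    locked: bool = False


class LoginGuard:
    """Counts unsuccessful logins per account and disables the account at the threshold."""

    def __init__(self, users=USERS, max_failed=MAX_FAILED_LOGINS):
        self._users, self._max, self._accounts = users, max_failed, {}

    def state(self, name: str) -> Account:
        return self._accounts.setdefault(name, Account())

    def attempt(self, name: str, pw: str) -> str:
        acct = self.state(name)
        if acct.locked:
            return "locked"   # even a correct password is refused until an administrator unlocks
        stored = self._users.get(name)
        if stored is not None and hmac.compare_digest(stored, _digest(pw)):
            acct.failed = 0   # a successful login resets the counter
            return "ok"
        acct.failed += 1
        if acct.failed >= self._max:
            acct.locked = True
            return "locked"
        return "denied"
```

Lockout events are worth logging to the AAA or SIEM system: a burst of "locked" results across many accounts is the signature of the password-guessing activity these rules are meant to stop.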
Lab:
- TryHackMe traffic analysis: [Link]
- Active recon: [Link]