Successful Attacks: Gaining Access
Without gaining access to the target network an attack can barely be considered an attack; it definitely would not be considered successful. Because of this, the third phase of network attacks is the most critical. It is in this phase that the attack will actively participate in penetrating the target network and reach a given goal. While gaining access to the target network an attacker will likely use a variety of tools and exploits. Some of these tools will be recognized from the Phase Two overview: Metasploit, and the Zed Attack Proxy come to mind here, but there will also be a number of new tools that the attacker will use. Many of these tools are more abstract than a simple program. Many networks are breached when an attacker sends a file to a user, complete with an email making the file look official, that carries a payload containing a trojan, zombie program, or any sort of backdoor generator. There are a number of applications on the internet today that stuff files of all kinds with payloads to avoid detection by the best anti-virus softwares. If performed carefully, the attacker will entice the user to open the file on their machine while connected to the network. This is a common methodology when the attacker did not find any useful information in phase two that would allow them to penetrate the network.
Other attackers will use the exploits and open ports they found in the last phase. By using various tools (specific to the exploits found), a knowledge of a number of network protocols, and knowledge about various operating systems(These things are gained mostly by experience. Always assume an attacker is an expert on their choice attack vector.) The methods used here are far too many to detail. Although there are commonalities between most attacks.
- Attackers are very likely to be using remote shell access versus a remote GUI. This lightens the network traffic and makes it harder to detect the attack. Further, using a shell you can often accomplish tasks far more easily and rapidly.
- Attackers will often work from an endpoint that is not their target. For instance, it is most likely that an attacker is going to be controlling an end user's machine on the target network than operating directly on the server; even if the attacker is remotely controlling the server from the owned machine.
- Attackers are almost certainly going to be after performing some type of file manipulation. They will likely be copying files, moving files, deleting files,or modifying files to manipulate or gain information. A notable exception to this are Denial of Service (DoS) style attacks, where the goal is to disrupt access to a service.
As a good exercise think about how you would get around the administrative rights on one of your servers and what information would be useful to a competing company or entity. Challenge yourself to do whatever you considered an attacker would do; when you succeed you will have some idea of how the attackers will think and operate. Detecting these attacks usually requires active monitoring, and that can be expensive. The expense will certainly be worth it when (not if) an attack occurs. The kind of monitoring that an entity attempting to avoid an attack will do involves file auditing, network monitoring, access logging, and regular manual auditing. File audits are usually applications or scripts that run through and listen for changes to occur in key files. When a file that is not regularly changed, or should only be changed with proper reasoning or permission these auditing tools alert administrators that a change has been made. If the change was expected,then the alert can be ignored. However, unexpected changes almost always will require thorough investigation.
Network monitoring is just what it sounds like, and largely as explained in phase two. Monitoring is usually accomplished by a variety of scripts and applications working in conjunction and reporting back to a centralized location. This location gives network administrators a single place to watch and look for changes. When a service goes down, or irregular network traffic is detected, the network administrators will be able to react fairly quickly. Often, instead of relying on the administrators to be constantly watching the monitors, network monitoring tools will alert administrators to any abnormal events.
Access logging is an important step to detecting illicit network access. This is where administrators will set up servers, network appliances, and sometimes even end-user machines to keep logs of any successful, or failed, attempts to utilize the device. In the event of an attack, often, leading up to the attack the logs will show a higher than normal number of failed login attempts. (If you want to know why this is referenced as "higher than normal" turn on access logging on any machine, even a personal machine, and look at the number of failed attempts. There are a number of automated tools out there and script kiddies who will be looking for easy access to a machine. By "higher than normal" it is meant that there will be a number of focused failed login attempts, in the thousands, often with a variety of usernames.) These logs can be crucial to preventing an attack before it occurs.
What good would logs be if no one ever read them? Regular manual audits of the logs will also provide a key indicator if an attack is happening, has happened,or is imminent. These logs can be read by a person in ways a machine can not begin to do. A person can notice that logs have very large gaps, or very small gaps, that are out of place. They can notice that common events either did not take place or took place at an irregular time. Essentially, they have intuition. A person can read the logs and think "I have a bad feeling about this."Something a machine simply can not do.
Preventing access gain is often accomplished the same way detecting it is. By performing the above steps, and paying due diligence, an entity trying to avoid an attack will be able to read the writing on the wall and notice that an attack is imminent. Once this happens, it is not terribly difficult to determine the attack vector and harden that avenue. There will, however, be attackers that know this and will leave breadcrumbs heading one direction when their vector is something very different. The best thing to do if it appears an attack is coming is to take a good hard look at the at risk network and do everything that can be done to harden it.
Finally, by ensuring that the prior two steps, Reconnaissance and Network Scanning, are adequately defended against an entity will likely have a good baseline defense against anyone attempting to gain network access. It would behoove anyone intent on securing a network from re-reading the two prior sections. This will both ensure that the knowledge from these sections is well covered and that the reader will be able to view that information in new context. Specifically, the context of understanding the next step in the path.