A network intrusion refers to any unauthorized activity on a digital network. Network intrusions often involve stealing valuable network resources and almost always jeopardize the security of networks and/or their data. In order to proactively detect and respond to network intrusions, organizations and their cybersecurity teams need to have a thorough understanding of how network intrusions work and implement network intrusion, detection, and response systems that are designed with attack techniques and cover-up methods in mind.
Network Intrusion Attack Techniques
Given the amount of normal activity constantly taking place on digital networks, it can be very difficult to pinpoint anomalies that could indicate a network intrusion has occurred. Below are some of the most common network intrusion attack techniques that organizations should continually look for:
- Living Off the Land: Attackers increasingly use existing tools and processes and stolen credentials when compromising networks. These tools like operating system utilities, business productivity software and scripting languages are clearly not malware and have very legitimate usage as well. In fact, in most cases, the vast majority of the usage is business justified, allowing an attacker to blend in.
- Multi-Routing: If a network allows for asymmetric routing, attackers will often leverage multiple routes to access the targeted device or network. This allows them to avoid being detected by having a large portion of suspicious packets bypass certain network segments and any relevant network intrusion systems.
- Buffer Overwriting: By overwriting certain sections of computer memory on a network device, attackers can replace normal data in those memory locations with a slew of commands that can later be used as part of a network intrusion. This attack technique is a lot harder to accomplish if boundary-checking logic is installed and executable code or malicious strings are identified before they can be written to the buffer.
- Covert CGI Scripts: Unfortunately, the Common Gateway Interface (CGI), which allows servers to pass user requests to relevant applications and receive data back to then forward to users, serves as an easy opening for attackers to access network system files. For instance, if networks don’t require input verification or scan for backtracking, attackers can use a covert CGI script to add the directory label “..” or the pipe “|” character to any file path name, allowing them to access files that shouldn’t be accessible via the Web. Fortunately, CGI is much less popular today and there are far fewer devices that provide this interface.
- Protocol-Specific Attacks: Protocols such as ARP, IP, TCP, UDP, ICMP, and various application protocols can inadvertently leave openings for network intrusions. Case in point: Attackers will often impersonate protocols or spoof protocol messages to perform man-in-the-middle attacks and thus access data they wouldn’t have access to otherwise, or to crash targeted devices on a network.
- Traffic Flooding: By creating traffic loads that are too large for systems to adequately screen, attackers can induce chaos and congestion in network environments, which allows them to execute attacks without ever being detected.
- Trojan Horse Malware: As the name suggests, Trojan Horse viruses create network backdoors that give attackers easy access to systems and any available data. Unlike other viruses and worms, Trojans don’t reproduce by infecting other files, and they don’t self-replicate. Trojans can be introduced from online archives and file repositories, and often originate from peer-to-peer file exchanges.
- Worms: One of the easiest and most damaging network intrusion techniques is the common, standalone computer virus, or worm. Often spread through email attachments or instant messaging, worms take up large amounts of network resources, preventing the authorized activity from occurring. Some worms are designed to steal specific kinds of confidential information, such as financial information or any personal data relating to social security numbers, and they then relay that data to attackers waiting outside an organization’s network.
Network Intrusion Cover-Up Methods
Once attackers have employed common network intrusion attack techniques, they’ll often incorporate additional measures to cover their tracks and avoid detection. As mentioned above, using non-malware and living off the land tools have the dual advantage of being powerful while blending into business justified usage, thus making them hard to detect. In addition, below are three practices that are frequently used to circumvent cybersecurity teams and network intrusion detection systems:
- Deleting logs: By deleting access logs, attackers can make it nearly impossible to determine where and what they’ve accessed (that is, without enlisting the help of an extensive cyber forensics team). Regularly scheduled log reviews and centralized logging can help combat this problem by preventing attackers from tampering with any type and/or location of logs.
- Using encryption on departing data: Encrypting the data that’s being stolen from an organization’s network environment (or simply cloaking any outbound traffic so it looks normal) is one of the most straightforward tactics attackers can leverage to hide their movements from network-based detections.
- Installing rootkits: Rootkits, or software that enables unauthorized users to gain control of a network without ever being detected, are particularly effective in covering attackers’ tracks, as they allow attackers to leisurely inspect systems and exploit them over long periods of time.
Network Intrusion Detection and Response Challenges
Network intrusion detection and response systems have come a long way over the years. As digital networks become more and more complex, however, such products can sometimes fall flat. For example, even though non-malware is an increasingly common attack vector, traditional network intrusion, detection, and response solutions struggle to uncover these attacks and still focus primarily on malware. Similarly, despite cloud-based applications becoming an increasingly popular entry point for attackers, traditional network intrusion detection and response systems aren’t designed to support such threats. Also, configuring a network intrusion detection and response system that will be able to recognize unexpected behavior requires understanding behaviors that are expected. To acquire this information and avoid false positives, organizations must allocate significant time and resources to continually monitor their network for behavior changes that occur over entire days and at different times of the month.
Furthermore, because traditional network intrusion detection and response systems look for patterns using different algorithms, they require maintenance and regular tuning after the initial configuration and implementation in order to reduce false positives and false negatives. Even if organizations are able to successfully integrate multiple protection systems and keep up with tuning requirements, data center management overhead and power consumption can quickly become burdensome dilemmas.
To successfully defend against the ubiquity of network intrusions in an ever-evolving threat landscape, organizations must consolidate their network security infrastructure and leverage technologies and techniques like analytics and machine learning to ensure proactive security control at scale. Automatically and continuously detecting network intrusions that would otherwise blend in with normal activity is critical, as is enabling conclusive and rapid response before the attacker has achieved his / her objective.
- 3 Takeaways from the Marriott and Starwood Breach
- Today’s SOC Is Broken: Here’s How To Fix It White Paper
- The Advent of Advanced Network Traffic Analysis & Why it Matters White Paper
If you liked what you just read, subscribe to hear about our threat research and security analysis.
Dig Deeper with These Resources
Awake Security 2 Minute Explainer Video
What if security could think? What if it could sense danger, calculate risk, and react quickly based…
The Internet’s New Arms Dealers: Malicious Domain Registrars
This report dives into the results of a multi-month investigation that uncovered a massive global surveillance campaign…