When it comes to targeted attacks, attackers are not omniscient. They need to gather information in the early stages to get to know the target, and they may gather that information from various sources of intelligence, like Google, Whois, Twitter, and Facebook. They may gather data such as email addresses, IP ranges, and contact lists. These are then used as lures for phishing emails, which inevitably result in gaining access to the targeted organization’s network.
Once inside, the attackers will begin the lateral movement stage. In this stage, attackers will perform port scans, service scans, network topology mapping, password sniffing, keylogging, and security policy penetration tests. The goal is to find more confidential information and find a stealthy method of access.
Lateral movement gives the attackers information they can then use to their advantage. They are now aware of existing security weak points, firewall rule setting flaws, and misplaced security equipment. They also now have the latest network topology, password sets, and security policies.
They can use this new-found knowledge even after their attempts have been discovered. Oftentimes, efforts to thwart existing attacks and prevent new ones involve removing the malware and monitoring network activity. But since the attackers are aware of the topology, they can try new ways to gain access easily without being noticed.
In this article, we want to tackle how network topology can aid in defending the enterprise network from risks posed by targeted attacks.
Changing the network topology
It’s not enough to change passwords and remove the malware. To protect an organization from targeted attacks, changing the network topology should also be considered.
Network topology refers to how devices are connected within a network, both physically and logically. The term refers to all devices connected to a network, be it the computers, the routers, or the servers. Since it also refers to how these devices are connected, network topology also includes passwords, security policies, and the like.
If the targeted organization changes the network topology, the attackers’ gained knowledge will become useless to their attacks. If the threat actors attempt to enter the network using the old method, it will be flagged by the new(er) security policies put in place. Changes like moving the “location” of the target data or moving segments will require a longer period of time for attackers to find the targeted data. This length of time can prove invaluable as it can give admins more time to detect the malicious activity before any real damage can be done.
Let us take for example a network topology like that of Figure 1. The network relies on a firewall to block attacks from the outside. Past the firewall, there are three computers, labeled PC-1, PC-2, and PC-3. There is also a backend document server.
Figure 1. Sample network topology.
An attacker may use a phishing email to compromise PC-1, the first step in a targeted attack (labeled here as “Step 1”). Once PC-1 has been successfully compromised, the attacker will do a service scan. The scan will allow the attacker to discover other connected devices, including PC-2, PC-3, and the server. The attacker can then compromise PC-2 and PC-3 by guessing the passwords via brute force (labeled as “Step 2”).
Figure 2. Attackers can (1) infiltrate a computer via a phishing email and then (2) attempt access to other devices in the network.
Should the IT admins discover the attack, they may focus their attention only on PC-1 as it was the first compromised device and acted as the point of entry. Efforts will be made to remove the malware found in PC-1. Little do they know that the attacker can later come back, this time using PC-2 or PC-3 to steal data from the document server.
Attackers can still “re-compromise” PC-1, using a new password set or by brute-force attacks. IT admins can remove the malware again, but they won’t know how the attacker manages to enter and compromise the machines over and over.
To address targeted attacks, IT admins can change the network topology. Changes to the network topology can be done by adding another firewall and a proxy server and by changing the access security policy of the document server. The new security policy will allow access to the document server through the new proxy server only. Any direct form of access will be denied by the new firewall and the IT admins will be alerted.
Figure 3. Altered network topology.
Since the attacker will not be aware of the new security policy and network topology change, he will attempt to access the document server using any of the computers, like PC-2. The IT admins will be alerted (due to the new policy) and will be able to remove any sign of compromise in PC-2.
Should the attacker attempt to infiltrate the network again, this time using PC-3, he will then need to spend much time rescanning the network. This is so that he can understand the function of the proxy server and also to attempt accessing the document server via trial-and-error. This amount of time may be enough for IT admins to detect the malicious activity in the network and address it accordingly.
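The altered topology of Figure 3 can be written down as an access policy and checked against connection logs. The following is an added example, not code from the original article or from Trend Micro; the host names, addresses, ports and the sample log lines are constructed for illustration.

```python
# Added example, not from the original article: a small model of the
# altered topology in Figure 3. Only the proxy may reach the document
# server; direct attempts are denied and raise an alert for the admins.
# Host names, addresses, ports and the sample log are constructed.
import ipaddress

HOSTS = {"PC-1": "10.0.1.11", "PC-2": "10.0.1.12", "PC-3": "10.0.1.13",
         "proxy": "10.0.2.5", "docserver": "10.0.3.20"}
CLIENT_NET = ipaddress.ip_network("10.0.1.0/24")
DOC_PORTS = {445, 8080}  # constructed: file share and web front end

def policy(src, dst, dport):
    """Return (verdict, alert) for one connection attempt (src, dst, dport).
    1. proxy -> document server on a service port: allow (sanctioned path).
    2. client -> proxy on 8080: allow.
    3. anything else reaching the document server: deny + alert, because
       after the change no host is supposed to talk to it directly.
    4. client -> client: deny + alert (the brute-force hop of Step 2).
    Everything else is denied quietly.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == HOSTS["proxy"] and dst == HOSTS["docserver"] and dport in DOC_PORTS:
        return "allow", False
    if s in CLIENT_NET and dst == HOSTS["proxy"] and dport == 8080:
        return "allow", False
    if dst == HOSTS["docserver"]:
        return "deny", True
    if s in CLIENT_NET and d in CLIENT_NET:
        return "deny", True
    return "deny", False

def evaluate(log_lines):
    """Parse constructed 'src dst dport' lines; return the alert strings."""
    alerts = []
    for line in log_lines:
        src, dst, dport = line.split()
        verdict, alert = policy(src, dst, int(dport))
        if alert:
            alerts.append(f"ALERT {src} -> {dst}:{dport} {verdict}: direct access attempt")
    return alerts

# Constructed traffic: PC-1 uses the proxy (fine), PC-2 tries the server
# directly (the attacker's old route), PC-3 probes PC-2.
SAMPLE_LOG = [
    f"{HOSTS['PC-1']} {HOSTS['proxy']} 8080",
    f"{HOSTS['proxy']} {HOSTS['docserver']} 8080",
    f"{HOSTS['PC-2']} {HOSTS['docserver']} 445",
    f"{HOSTS['PC-3']} {HOSTS['PC-2']} 445",
]

if __name__ == "__main__":
    for msg in evaluate(SAMPLE_LOG):
        print(msg)
```

Running it prints two alerts: the direct PC-2 attempt on the document server and the PC-3 probe of PC-2, while the proxied path from PC-1 passes silently.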
The challenges of network topology alteration
Altering an organization’s network topology is not without challenges. A common belief among IT admins is that changing the network topology is an impossible task. Admittedly, the task can be difficult. Changing the network topology would entail pinpointing specific connections between devices and changing aspects such as server IPs, server domain names, and client domain names. Furthermore, changing aspects of the network topology may even affect the connectivity of the whole network.
However, newer techniques like software-defined networking (SDN) and network functions virtualization (NFV) can reduce the difficulty of changing the network topology. Admins can first apply the topology change on a network simulator or emulator to verify that the alterations work as intended before using an SDN policy rule to alter the live topology.
Of course, changing the network topology shouldn’t be the sole security tactic that IT admins should employ. Admins can fortify the security of their networks by pairing a changed network topology with a security solution that can detect, analyze, and respond to targeted attacks in real time.
Author: Ziv Chang, Director, Cyber Safety Solution at Trend Micro.