Attack Pattern Enumeration - Network Communications

Publish Date: 04-02-2024
Tags: network security attacks, network attack patterns
Author: Open-CISO

Common Attack Patterns in Network Communications

Imagine it's Monday morning. You've just logged into your first client meeting. It's on Microsoft Teams, Zoom, or any other collaboration tool your organization uses. Fifteen minutes into the meeting, suddenly, you see a random individual waving at all the participants. 

Isn't that weird? What if she used foul language, or, even worse, what if pornographic images appeared during the meeting? How would you explain this to all your stakeholders? In the world of cybersecurity, this notorious occurrence is called "Zoom Bombing." The attack initially targeted the Zoom application. However, it became clear that IT security and network security had been breached. Network intrusion attacks on communications channels can be damaging to all other communications applications.

"Zoom Bombing" took place across multiple organizations within a few months in 2020, just as COVID-19 spread through various nations and forced them into complete lockdowns. Popular communication applications like Zoom became targets for hijacking. Zoom's video conferencing feature hosted large audiences, and meetings were shared over public channels such as internet URLs. These URLs were easily accessible to anyone. Unfortunately, Zoom did not cater to basic security mechanisms on its platform.

Internet predators from the dark web were able to easily guess the meeting IDs and URLs of public meetings. They made an easy entry and hijacked the conference meetings, causing end-user confusion and chaos. The "One-click join" meeting feature cost organizations considerable embarrassment and brand-image damage. With all that said, this was only one type of cyber-attack on a communications channel that our society saw recently. There are multiple other attack patterns already in practice and prevalent in many industrial markets. Let's look at some of the common ones to learn more about them.

Interception

Interception is the most common type of attack pattern. Almost every cybersecurity team around the world has likely encountered it at least once a month. Interception is an attack in which an intruder tries to gain unauthorized access to confidential information. Interception can be further classified into Sniffing Network Traffic, Sniffing Application Codes, Intercepting Traffic, or Modifying Cookies.

  • Sniffing Network Traffic: In this type of attack, the attackers first monitor the network multicast traffic exposed to the internet. Adversaries notice vulnerabilities at the network security protocol level. To capture sensitive or confidential information, they deploy packet sniffers. These sniffers hijack standard TCP protocols, compromising the organization's IT security.
  • Application Code Sniffing: This type of attack usually begins with adversaries studying the target's patching cycle. The attackers watch the target application's patching cycle closely. They sniff network communications and capture application code that is not available to the public. The motive is obvious: an attacker can use sniffed code to gain unauthorized access to a server, or build a trust relationship to get hold of sensitive information. This is especially true when application code is delivered as part of dynamic code upgrades and client-server communications.
  • Cellular Traffic Interception: Adversaries are equipped with telecommunication towers that can intercept voice and data traffic from mobile devices. Additionally, the intruders use sophisticated tools to manipulate the retransmission devices via numerous methods.
  • Modifying HTTP Cookies: Adversaries probe target systems to obtain HTTP cookies. These cookies can be used to access confidential and sensitive client information. Such attacks can be easily carried out with packet sniffers such as Wireshark. Obtaining HTTP cookies is often motivated by the goal of bypassing the security controls of client systems; to do this, the cookie must be modified.
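The last bullet describes an attacker sniffing a cookie and modifying it to bypass controls. The defensive counterpart is to make modification detectable and sniffing unproductive: sign the cookie value with an HMAC keyed by a server-side secret, and set the Secure, HttpOnly and SameSite attributes so the browser will not send it in the clear or expose it to script. The following is an added example written for this article, not code from the original post or from any product it names; the key, cookie name and session value are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder key for the example. A real service loads this from a
# secrets store and rotates it; anyone holding the key can forge cookies.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def sign_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Return '<value>.<signature>' where the signature is HMAC-SHA256 over value."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
    return f"{value}.{sig}"


def verify_value(signed: str, key: bytes = SERVER_KEY):
    """Return the original value if the signature matches, otherwise None.

    A sniffed cookie whose body was edited (for example role=user -> role=admin)
    no longer matches its signature, so the server rejects it instead of trusting it.
    """
    value, sep, sig = signed.rpartition(".")
    if not sep:
        return None  # no signature part at all
    expected = sign_value(value, key).rpartition(".")[2]
    # Constant-time comparison: a byte-by-byte '==' would leak how much of the
    # signature was right through response timing.
    if hmac.compare_digest(expected, sig):
        return value
    return None


def build_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header whose attributes limit interception and reuse.

    Secure   - never sent over plaintext HTTP, so a passive sniffer on an HTTP
               hop does not see it.
    HttpOnly - not readable from JavaScript, so injected script cannot lift it.
    SameSite - not attached to cross-site requests, blunting CSRF-style reuse.
    """
    return f"{name}={value}; Secure; HttpOnly; SameSite=Strict; Path=/"


def demo() -> dict:
    """Sign a session value, then show that a tampered copy is rejected."""
    session = "uid=42;role=user"                       # constructed sample
    cookie = sign_value(session)
    tampered = cookie.replace("role=user", "role=admin")
    return {
        "header": build_set_cookie("session", cookie),
        "valid": verify_value(cookie),                 # -> "uid=42;role=user"
        "tampered": verify_value(tampered),            # -> None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Signing detects modification but not replay: a cookie copied verbatim from a plaintext connection still verifies, which is why the Secure attribute and TLS on every hop matter as much as the signature. Encrypting the value (for example with an AEAD) is the next step if the cookie contents themselves are sensitive.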

Traffic Injection

In this type of attack, the adversary closely monitors the targeted network systems. As soon as they see an opportunity, malicious code is injected at the network protocol level, forcing it to behave in the way the attacker wants. Attackers may alter a BGP setting on an internet-facing router. This allows rogue connections to flood the router, leading to a high CPU usage error. The attackers usually do not flood the network systems outright, because they want to take advantage of the infected resources and make changes to the environment; they do not want to simply bring the system down without any benefit.
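The chain described above (a configuration change on an edge router, followed by BGP session churn, followed by high CPU) is what a detection rule should correlate rather than alerting on any single symptom. The following is an added example, not code from the original article: a small correlator run over constructed, syslog-like router log lines. The line layout, host names and facility names are invented for the example; a real deployment would adapt the regular expressions to the device's actual message formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a generic syslog-like layout (not from any real device).
SAMPLE_LOGS = """\
2024-02-04T10:00:01 edge-rtr1 CONFIG: user admin modified bgp neighbor 192.0.2.10
2024-02-04T10:00:09 edge-rtr1 BGP: neighbor 192.0.2.10 state changed Established -> Idle
2024-02-04T10:00:12 edge-rtr1 BGP: neighbor 198.51.100.7 state changed Idle -> Established
2024-02-04T10:00:40 edge-rtr1 SYS: cpu utilization 91% (threshold 80%)
2024-02-04T10:01:05 edge-rtr1 SYS: cpu utilization 95% (threshold 80%)
2024-02-04T11:30:00 edge-rtr2 SYS: cpu utilization 35% (threshold 80%)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>[A-Z]+): (?P<msg>.*)$")
CPU_RE = re.compile(r"cpu utilization (?P<pct>\d+)%")
BGP_RE = re.compile(r"neighbor (?P<peer>\S+) state changed (?P<old>\S+) -> (?P<new>\S+)")


def parse_line(line: str):
    """Split one log line into timestamp, host, facility and message; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, window=timedelta(minutes=5), cpu_threshold=80):
    """Raise one alert per high-CPU event, graded by what preceded it on the same host.

    severity 'high'   - a config change AND a BGP session change within `window`
    severity 'medium' - one of the two
    severity 'low'    - high CPU alone (could be a benign load spike)
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        config_ts = [e["ts"] for e in evs if e["facility"] == "CONFIG"]
        bgp_ts = [e["ts"] for e in evs if e["facility"] == "BGP" and BGP_RE.search(e["msg"])]
        for e in evs:
            cpu = CPU_RE.search(e["msg"])
            if not cpu or int(cpu.group("pct")) <= cpu_threshold:
                continue
            # Only look back: a precursor must be at or before the CPU event, within the window.
            recent_cfg = any(timedelta(0) <= e["ts"] - t <= window for t in config_ts)
            recent_bgp = any(timedelta(0) <= e["ts"] - t <= window for t in bgp_ts)
            score = int(recent_cfg) + int(recent_bgp)
            severity = {2: "high", 1: "medium", 0: "low"}[score]
            alerts.append({
                "host": host,
                "ts": e["ts"].isoformat(),
                "cpu_pct": int(cpu.group("pct")),
                "recent_config_change": recent_cfg,
                "recent_bgp_change": recent_bgp,
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS.splitlines()):
        print(a)
```

On the sample, edge-rtr1 produces two high-severity alerts (config change and BGP flap within five minutes of each CPU spike) and edge-rtr2 produces none because its CPU stays under the threshold. The look-back window and threshold are tunable; the point of the correlation is that a config change on an internet-facing router that is immediately followed by session churn and load deserves a human look even when no single line crosses an alarm level.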

Unexpectedly, a recent survey conducted by a security analyst from one of the Big 4 financial institutions in the world reported that, with the surge in web applications, traffic injection is among the OWASP Top 10 vulnerabilities to be considered for web security over the next five years.

Communication Channel Manipulation

How often have you or your security teams come across SSL exploitation attacks? I cannot deny that 34% of security attacks target communications channels. These attacks are due either to an incorrect SSL configuration or to an attack on the SSL certificate. More surprisingly, this figure covers only May 2021 to July 2021. One can imagine how many sleepless nights it costs our security engineers throughout the year.

This type of attack focuses on manipulating the entry points of communication channels. The adversary does this by looking for critical vulnerabilities in public-facing interfaces and security certificates, then using those vulnerabilities to bypass security. Digital transactions are critical to the revenue models of the financial and banking sector. As such, there are many breach methods actively used in these sectors.
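The paragraph above blames many channel-manipulation incidents on incorrect SSL/TLS configuration. The most common client-side form of that is a TLS context with certificate validation switched off, which makes a forged certificate on a manipulated channel indistinguishable from the real one. Below is an added example, not code from the original article, that puts the weak configuration beside the hardened one and audits both with Python's standard ssl module; it builds contexts only and opens no network connection, and the finding texts are the example's own wording.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration: a client that accepts any certificate from anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate no longer tied to the server name
    ctx.verify_mode = ssl.CERT_NONE   # chain not validated: a forged cert is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration: trust store, chain + hostname checks, TLS >= 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse downgrade to TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION        # compression leaks plaintext (CRIME-style)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes this audit."""
    findings = []
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate is not bound to the server name")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain is not validated")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression is not disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

A practical use is to run `audit_context` over every context an application constructs at startup and fail the build or deployment on any finding, which catches the "verify=False while debugging" change before it reaches production. The same four checks map directly to a TLS-termination review on the server side: chain validity, name binding, protocol floor and compression.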

Detection and Mitigation

It is evident that organizations work relentlessly to stop such attacks, and there is no one-size-fits-all detection and mitigation strategy. Every organization must plan cybersecurity services that detect these attacks and execute all protective actions against them. This should take into account the nature of its business, user behavior, current IT security policies, and the current state of its security architecture, along with the required cybersecurity services. Things can be changed quickly; however, doing so requires a lot of time and planning, especially if a cybersecurity consulting services company is involved.

Enterprises must begin by adopting a security maintenance strategy. This will enable them to implement security measures for the Top 10 OWASP vulnerabilities. Additionally, they must maintain and modify the security measures as the nature of the attack changes. This will help detect potential attacks well in advance. Organizations must plan an encryption strategy throughout the entire development process. This includes the application development stage and the go-live stage. Even after the product is live, organizations must continue to maintain the encryption strategy. There can be multiple complications in choosing suitable encryption methods. For example, you wouldn't want to encrypt your applications when you cannot decrypt them when needed.

Conclusion

Communication channels are critical assets to every organization for their businesses to grow. It can be fatal and frustrating enough to run a business without the proper functioning of all your communication tools, right? Planning and executing the right strategy for an organization can be daunting. This is especially true if the right set of resources is not in place to lead the project.

Network controls can save your day any time.