Attack Pattern Enumeration - Network Communications


Common Attack Patterns in Network Communications

Imagine it's a beautiful Monday morning, and you just logged in your first client meeting on Microsoft Teams or Zoom or, for that matter, any collaboration tool of your organization. Fifteen minutes into the meeting, suddenly, you see a random individual waving at all the participants. Isn't that weird? Well, how about some foul language from her, or let's make it worst, how about some pornography pictures popping up during the meeting? How would you explain this phenomenon to all your stakeholders? In the world of cyber security, this notorious act of occurrence is called "Zoom Bombing." Although the attack first targeted the Zoom application, it was evident that the intrusion attack on a communications channel can be problematic to every other communications application in the market.

It was only a few months in 2020 when "Zoom Bombing" took pace across multiple organizations and when COVID-19 kicked in deep down various nations, forcing them to lock down completely. Hijacking famous communication applications like Zoom was mysteriously targeted when their video conferencing feature that hosted many audiences shared over a public channel, i.e., internet URLs that could be accessible to anyone easily did not cater to basic security mechanisms on its platform. The meeting IDs and URLs of a public meeting were easily guessed by internet predators from the dark web who made an easy entry, hijacking such conference meetings to create end-user confusion and chaos. The "One-click join" meeting feature made them pay with enough embarrassment and brand image damage.

With all that said, this was only one type of cyber-attack on a communications channel that our society saw recently. However, there are multiple other attack patterns already in practice prevalent in many industrial markets. Let's look at some of the common ones to learn more about them.

Interception The interception type of an attack pattern is the most recurrent one that almost every security team across the globe must have come across at least once every month. Interception is an attack when an intruder tries to gain unauthorized access to confidential information. Interception can be further classified into Sniffing Network Traffic, Sniffing Application Codes, Intercepting Cellular Traffic, or Modifying HTTP Cookies. Let's look at these classifications one by one.

  • Sniffing Network Traffic: In this type of attack, the attackers first monitor the network multicast traffic exposed to the internet. Then, when an adversary notices vulnerabilities at the network protocol level, they initiate the packet sniffers to hijack standard TCP protocols in an attempt to capture sensitive or confidential information.
  • Application Code Sniffing: This type of attack is usually targeted when adversaries explore the target's patching cycle. The attackers closely monitor the target application's patching cycle, carefully sniff network communications and capture application codes that are not accessible to the general public for obvious reasons. An attacker can then use these sniffed codes to gain unauthorized access to a server by building a trust relationship to get hold of sensitive information, especially when such application codes are also a part of dynamic code upgrades where client-server communications take place.
  • Cellular Traffic Interception: In this type of attack, adversaries are well equipped with telecommunication towers that can sniff cellular traffic of voice and data from any mobile device. Additionally, the intruders use sophisticated tools to manipulate the retransmission devices via numerous methods.
  • Modifying HTTP Cookies The adversaries explore the target's critical client systems and try to obtain HTTP cookies that could be further used to access confidential and sensitive client information. Such attacks can be easily triggered via packet sniffers such as Wireshark. However, the most common motivation to obtain HTTP Cookies is to get the cookie and then modify it to an extent where it is capable enough to bypass the security controls of the targeted client systems.

Traffic Injection

In this type of attack, the adversary closely monitors the targeted network systems. As soon as they see an opportunity, a malicious code is injected at the network protocol level, forcing it to perform in the desired way. For instance, the attackers may change a BGP setting on one of the internet-facing routers that enable rouge connections to flood the router resulting in a high CPU usage error. However, the attackers tend to refrain from flooding the network systems, which may result in the systems going down just because they intend to make use of the injected network system resources and perform the desired changes to the environment and not just bring it down without taking any advantage out of the infected resources.

Unexpectedly, in a recent survey conducted by a security analyst from one of the Big 4 financial institutions in the world, it was reported that with the surge in web applications, traffic injection is one of the top 10 OWASP lists of vulnerabilities to be considered for next five years when it comes to web security. Well, even though he's just a security analyst, I concur with him.

Communication Channel Manipulation

How often have you or your security teams come across SSL exploitation attacks? I'm sure your response would be "umpteenth" times! I cannot deny that at least 34% of security attacks on communications channels are targeted on an incorrect SSL configuration or an attack on the SSL certificate itself. More surprising is that this number is only between May 2021 and July 2021. One can imagine how many sleepless nights it can cost our security engineers throughout the year. I pity them! In this type of attack, the adversary focuses on manipulating the entry points of every communication channel by trying to obtain critical vulnerabilities from public-facing interfaces and security certificates and manipulating them to bypass security. For instance, such breach methods are very active in the financial and banking sectors, where digital transactions are crucial in their revenue models.

Detection and Mitigation

It is evident that organizations work relentlessly to stop such attacks, and there is no one size fits all type of detection and mitigation strategy. Every organization must plan, detect and execute all actions considering the nature of business and user behavior: their current security policies and their current state of security architecture. Things can be changed right away but with incredible time and planning. To start with, enterprises must adopt a security maintenance strategy that can benefit them to implement security measures for Top 10 OWASP vulnerabilities and maintain and modify the security measures as and when the nature of the attack changes that can be detected well in advance. Organizations must plan a sane encryption strategy from the application development stage until its go-live stage and continue maintaining them post-production. There can be multiple complications in choosing suitable encryption methods. For example, you wouldn't want to encrypt your applications when you cannot decrypt them when needed.


Communication channels are critical assets to every organization for their businesses to grow. It can be fatal and frustrating enough to run a business without the proper functioning of all your communication tools, right? In addition, it can be daunting to plan and execute the right strategy for your organization when you may not even have the right set of resources in place who can lead the show.

Network Controls can save your day Any Time
Cybersecurity is best when seeded into Business Functions. fnCyber™ assures you Direct and Uncomplicated Cybersecurity Consulting.

Contact Us

Get in Touch

Level 1, Salarpuria Knowledge City, InOrbit Mall Road, HITEC City, Hyderabad, Telangana 500081 India

Follow us on Social Media