Catch a Thief by Being One : Un-Scan It - Part III

In previous article, we understood the first phase of how an attack is launched. In this phase, attackers prepare for launching the attack by gathering as much information about the target as he can. This information may contain the OS details, DB version details, web server details and so on.

Now that attacker has all this data, he may try and identify if there are any vulnerabilities present in the environment, OS configuration details and Network architecture. This second phase of perpetrating an attack is known as Scanning.

Scanning

The objective of this phase is to find all live servers, open ports, OS and system architecture, services running on the OS and network architecture.

Before detailed scan is run, attacker run a simple Ping scan or ICMP Scan to identify all the live hosts which are responding to the ICMP echo message. Once the live hosts are identified, Full scan is run to collect the detailed information about the target.

Based on the requirement of scanning, it can be categorized primarily as:

  1. Port Scanning
  2. Vulnerability Scanning
  3. Network Scanning

Port Scanning is a method of running a scan to identify all open ports and associated services running over those ports. There are multiple tools available to run this type of scan. Once the open ports and associated services are identified, two things can be determined easily. Firstly, based on the services, function of the server can be determined such as if Apache web service is running, it can easily be said that target is a web server. Secondly, if there are unwanted and unknown ports are open, attacker can use these ports to launch the attack if the ports are vulnerable.

Vulnerability Scanning is a method of identifying the open vulnerabilities and weaknesses present in the target environment in order to determine how the attack can be prepared and vulnerabilities can be exploited successfully.

Network Scanning is a method of running a scan to understand the network architecture. Once the victim’s Network Design is prepared, attacker can easily find the gateways and loopholes in the design and once these loopholes are exploited, it can give an attacker a free pass to roam around the entire network.

Countermeasures

First of all, one should block all unwanted open ports in the firewall. Unused open ports may be used to get inside the network.

We should implement the Firewall in conjunction with IDS and IDSs should be configured in a way so that it can detect and block any network probe, ICMP traffic and SNMP traps.

Firewall Administrators should configure the firewall in a complete lockdown mode i.e. all ports and all protocols should be blocked by default. As and when the requirement comes for opening any port, it should be allowed through firewall after performing the Impact Analysis.

Firewall which is used in the network should be updated to the latest fixes and service packs.

Any sensitive data should not be put in the public domain. Firewalls must be put in a way to create multiple zones of the network such as Internal, DB, DMZ and public and these zones should be protected on the basis of the kind of server and the data it holds.

Pen testing of own network to identify if the network can be scanned by outsiders is a good way to ensure the patching of open doors for an attacker.

After Pentesting, Security Engineer can identify if unused ports are open, firewall rules are contradicting to each other and in turn impacting the performance, unveiled OS banners, and misconfigured service configurations.

Once the results of Pentesting is out, engineers can calibrate the firewall rules, block unused ports, configure the service configurations properly and customize the OS banners to counter the scanning attempts on the network.

I will leave you with a thought of an American businessman and motivational speaker Mr. Robert Kiyosaki when he said, “Knowing you need to make a change is not enough, You have got to find the guts to do it”.

Authored by Punit Dwivedi

Rate this article: 
Average: 2.3 (12 votes)
Article category: 
Keywords: 

There are 3 Comments

Excellent analyses and recommendations across this series.  However, not every organization has the skills to "be a thief" to identify their exploitable vulnerabilities.  For those organizations, they need to consider SANS CSC No. 20...specifically, Red Team testing.  Many try to do their own internal Red Team testing, with mixed results.  Preferably, the testing should be performed by a qualified and independent consultancy.  Independence is required because: 1) You don't always see you own "dirt"; and 2) You can't politically always rattle your own cage.  The cost of independent and objective testing can easily pay for itself, either through high-value findings, or by giving you the comfort in the effectiveness of your security controls.

Thanks a lot Brian for the review.
For the point you raised as, not every organization has the skills to "be a thief", I do agree with you on this one, but that's where we(TCS ESRM) come in....isn't it?
Also, this series of article is mainly focused on cascading this idea of securing the organization by thinking like a hacker and finding the holes......

Absolutely, it is where we come in. I was trying to be circumspect about it to avoid any strong appearance of "selling" in this forum.