The network infrastructure is at the core of business operations in most industries. It can be considered the nerve centre of the entire IT organisation because it centralises data, simplifies data exchange and facilitates communication between employees.
It is therefore an essential tool for the smooth running of organisations, and one that requires constant attention in terms of security in order to protect it against increasingly numerous and sophisticated external and internal attacks.
Network Infrastructure: the Ultimate Target of Cyberattacks
Cyberattacks on network infrastructure continue to increase in frequency, scale and impact. External and internal servers, network devices, workstations, etc. are targeted by novice and experienced attackers alike, because these entities still present too many weaknesses: a large attack surface, lack of employee awareness, security flaws, poor design, configuration or implementation, weak security measures, etc.
No industry is spared from security incidents, even if attackers have their own preferred targets. This is particularly the case in the healthcare, financial and retail industries, regardless of the size of the organisations operating in these fields.
To ensure the security of the network infrastructure against these attacks, specific security measures are necessary: reduction of the attack surface, network segmentation, encryption of communications, user awareness of social engineering attacks, principle of least privilege (PoLP), log monitoring, etc. Security audits or penetration tests are also a good way to detect existing flaws in your computer network in order to fix them.
In this article, we will focus on the common vulnerabilities (technical and organisational) most often exploited during internal and external attacks on the network infrastructure by illustrating them with concrete cases encountered during our penetration tests. We will also detail the best practices and measures to be implemented to reduce the risk or counter these attacks.
What are the Common Vulnerabilities in the Network Infrastructure and How to Protect Yourself?
Attack Surface Management and Risk Exposure
Almost all attacks start with a reconnaissance phase to identify the attack surface of the target organisation. In other words, attackers gather as much information as possible about the information system before launching attacks on potentially vulnerable entities. The attack surface is the sum of the elements exposed inside or outside your network that can be attacked to cause a security incident: servers (internal and external), applications, APIs, technologies and their versions, third-party components, technical or personal data, etc.
All of these have potential vulnerabilities that an unauthorised person could exploit, following a port scan or a careful search on Google or the Dark Web, to break into your information system.
Reducing your attack surface is a key principle in cybersecurity to protect yourself against internal and external attacks. To do this, two actions are required: on the one hand, it is essential to know your attack surface and therefore to draw up a complete map of it, which must also be continually updated because a system architecture is constantly evolving. On the other hand, it is necessary to implement measures to harden your systems and networks in order to reduce your attack surface.
Mapping your attack surface means maintaining an up-to-date inventory of all your assets, their versions, how they are implemented and how they interconnect across the information system. For Internet-facing assets this is relatively straightforward: search engines such as Shodan or Censys index exposed hosts and services, and a port scan of your own ranges confirms what actually answers. For elements that are not inventoried or unknown to IT, such as tools used by employees without approval or leaks of sensitive documents or passwords, it may be worth engaging a specialised third party to carry out a reconnaissance audit and draw up an exhaustive map of your attack surface, with the aim of reducing it.
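As an added example (not tooling from the original article), the following Python script turns an Nmap XML scan of your own address ranges into an exposed-service inventory and compares it with the list of exposures the organisation has actually approved. Everything unapproved is a candidate for removal; every approved entry the scan no longer sees means the inventory itself is out of date. The XML, the IP addresses (RFC 5737 documentation range) and the approved list are constructed for illustration.

```python
"""Build an exposed-service inventory from an Nmap XML scan and diff it against
the approved-exposure list.

Added example, not tooling from the original article. The scan output below is
constructed (RFC 5737 documentation addresses), as is the approved list.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/28">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/><service name="http" product="nginx" version="1.18.0"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389">
        <state state="open"/><service name="ms-wbt-server"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="203.0.113.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical approved exposures: (ip, port) -> owner / justification.
APPROVED = {
    ("203.0.113.10", 443): "public web front-end (web team)",
    ("203.0.113.10", 22): "bastion SSH, key + MFA only (ops)",
    ("203.0.113.12", 25): "mail relay (decommissioned?)",
}


def parse_nmap_xml(xml_text):
    """Return one dict per open port on each host that was up."""
    assets = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposed
            svc = port.find("service")
            assets.append({
                "ip": addr.get("addr"),
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return assets


def unapproved_exposures(assets, approved):
    """Open services nobody signed off on: shadow IT, forgotten test boxes, etc."""
    return [a for a in assets if (a["ip"], a["port"]) not in approved]


def stale_approvals(assets, approved):
    """Approved entries the scan no longer sees: the inventory is out of date."""
    seen = {(a["ip"], a["port"]) for a in assets}
    return sorted(key for key in approved if key not in seen)


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for a in inventory:
        print(f"{a['ip']}:{a['port']}/{a['proto']} {a['service']} "
              f"{a['product'] or ''} {a['version'] or ''}")
    for a in unapproved_exposures(inventory, APPROVED):
        print(f"UNAPPROVED  {a['ip']}:{a['port']} ({a['service']})")
    for ip, port in stale_approvals(inventory, APPROVED):
        print(f"STALE       {ip}:{port} approved but not observed open")
```

Run it against a real `nmap -sV -oX scan.xml <your ranges>` output and feed the product/version fields into your vulnerability watch; the diff is what turns a one-off scan into a continuously maintained map.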
To reduce your attack surface following its identification, actions for hardening your systems and networks can be the following (non-exhaustive list):
- Changing the default passwords of all your services and devices connected to the network
- Uninstalling or removing unused applications, services and environments
- Monitoring of new versions and newly disclosed vulnerabilities in the third-party components and services you use, with a patching process to match
- Implementation of the principle of least privilege in managing access rights to servers, applications, databases, etc.
- Segmentation of the network by partitioning critical systems and applications
- Implementation of a multi-factor authentication system on your critical applications and systems
Lack of Internal Network Segmentation and Pivoting Attacks
Most networks are set up as flat networks, with each server and workstation running on the same local area network (LAN), so that each application and system on the network is able to communicate and connect to everything else.
From a security point of view, this practice should be avoided, as most of these systems do not need to interact with each other. Moreover, if one machine on a flat network is compromised (by an attacker or by malware), the whole information system is at risk: the attacker uses the compromised host as a pivot, i.e. a foothold from which to reach and attack other elements and move laterally through the network.
Network segmentation is therefore an essential security measure: it does not prevent attacks, but it remains one of the main ways of limiting the impact of a successful one. The principle is simple. As the name suggests, it involves dividing the network into smaller segments, typically virtual local area networks (VLANs), and grouping applications, servers, workstations, etc. into these segments according to your security priorities and above all the criticality of the systems. Note that a VLAN on its own only separates broadcast domains; the isolation comes from the filtering between segments (firewall rules or ACLs at the routing layer) that allows only the flows each segment legitimately needs.
Wi-Fi can also provide an entry point. First of all, it is essential to separate the Wi-Fi used by personal or visitor devices from the one used by the organisation's devices (generally with a guest Wi-Fi), and then to filter and restrict the flows allowed from stations connected to each Wi-Fi network. Several Wi-Fi networks, each mapped to its own partitioned segment, can be set up within your organisation so that each user group only reaches the resources it needs and critical resources remain out of reach.
Here is a concrete example of segmentation tests carried out during a grey box penetration test of an internal network. As the tests were performed in grey box, the pentester in charge of the audit was given access to the guest Wi-Fi in order to test the segmentation from that position:
- During the tests, the network was well partitioned, except for a printer on the internal network that was reachable from the guest Wi-Fi: the pentester, like any visitor to the client company's premises, was able to print documents
- However, the printer's administration interface was also reachable from the guest Wi-Fi, and it accepted the default credentials
- Had a malicious attacker exploited this, the printer could have served as an attack vector to compromise the internal network: it sits in the internal segment and such devices often hold credentials for file shares, LDAP or e-mail
- The pentester’s recommendation was therefore to restrict access to the printer to company personnel only and to change the login credentials for the administration interface
Segmentation thus confines the consequences of an intrusion to a delimited part of the information system. In the event of a cyberattack, the lateral movement of the attacker or malware is stopped, or at least slowed down, at each filtered boundary, which limits propagation. In addition, with sub-networks acting as small networks in their own right, administrators control the flows between them and can more easily spot unusual ones, such as a workstation segment suddenly trying to reach the server segment on ports it never uses.
Nevertheless, it is important to perform tests to verify that the segmentation set up to isolate your critical systems and applications from each other is robust. An internal network pentest is the most effective way to do this. During the penetration tests, the pentesters focus on the segmentation controls, both from outside the network and from inside the network, to identify potential vulnerabilities (technical flaws, configuration or implementation flaws) that could allow access to critical systems, applications and data.
An internal penetration test ensures that critical systems and applications do not communicate with less secure networks. The objective of these tests is to confirm that the segmentation works as intended and that there are no loopholes that could be exploited by an attacker or malware.
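The segmentation test described above, reduced to its technical core, as an added example (not the tooling used during the article's audit): from a position on one segment, attempt a TCP connection to each critical service and report every case where what is reachable disagrees with the segmentation policy. The target list is hypothetical, and a local listener stands in for the "printer" so the script runs offline; in a real test the hosts and ports come from the network map and the script is run from each segment in turn.

```python
"""Segmentation check run from one network segment (e.g. the guest Wi-Fi):
does a TCP connection to each critical service succeed or not?

Added example, not the tooling used during the article's audit. The target
list is hypothetical; the local stub listener stands in for a reachable
service so that the script runs offline.
"""
import socket
import threading


def tcp_reachable(host, port, timeout=1.0):
    """True when a full TCP handshake completes: the boundary let us through.
    A refused connection and a timeout both count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_report(targets, timeout=1.0):
    """targets: (label, host, port, reachable_expected).
    Returns the findings where the observation and the policy disagree."""
    findings = []
    for label, host, port, expected in targets:
        observed = tcp_reachable(host, port, timeout)
        if observed == expected:
            continue
        findings.append({
            "target": label, "host": host, "port": port,
            "expected_reachable": expected, "observed_reachable": observed,
            # Reaching something the policy forbids is the finding that matters;
            # the reverse usually means the policy document is wrong.
            "severity": "high" if observed else "info",
        })
    return findings


def start_stub_service():
    """Accept-and-close TCP listener on 127.0.0.1; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return port


def unused_port():
    """A port with nothing listening, to simulate a correctly filtered service."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Hypothetical guest-Wi-Fi policy: nothing internal should answer, yet the
    'printer' (stub listener) does, while the file server is properly filtered."""
    printer_port = start_stub_service()
    targets = [
        ("printer admin interface", "127.0.0.1", printer_port, False),
        ("file server SMB", "127.0.0.1", unused_port(), False),
    ]
    return segmentation_report(targets, timeout=1.0)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity'].upper()}] {f['target']} {f['host']}:{f['port']} "
              f"reachable={f['observed_reachable']} expected={f['expected_reachable']}")
```

A TCP connect only proves that the filtering lets the flow through; once a service answers, the next step is exactly what the audit did with the printer, i.e. checking what the exposed service gives away (default credentials, stored secrets, management protocols).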
Lack of Communications Encryption, Sniffing and Man In The Middle Attacks
Some internal networks are configured so that information is transmitted in clear text, i.e., unencrypted. This information can be account IDs and associated passwords, sensitive data (personal, banking, etc.), architectural documents and other critical information, etc. Such a practice greatly increases the risk of your information system being compromised by external attackers (having obtained access to your network) and malicious employees. The risk is even greater for Wi-Fi networks, as communications can be intercepted throughout the perimeter covered by the access point.
If a machine on the network is compromised, an attacker can capture the traffic it receives using software that records network packets, such as Wireshark or tcpdump. This is known as "sniffing". On a switched network, a host only sees its own traffic and broadcasts, which is why attackers combine sniffing with the next technique.
To capture more than their own traffic, attackers place themselves in a "Man in the Middle" (MitM) position. Man in the Middle attacks, also known as eavesdropping attacks, consist of an attacker inserting themselves into the exchange between two machines or servers, typically on a LAN by ARP spoofing with tools such as Ettercap or Bettercap, so that the traffic between the two victims transits through the attacker's machine. Once in that position, the attacker runs Wireshark to read the traffic and exfiltrate sensitive information and data.
A concrete case encountered during a grey box penetration test on an internal network:
- Mapping the network with Nmap
- Discovery of a file server communicating in SMBv2 (a dialect that supports signing but not encryption)
- Man In the Middle between this server and all the machines on the network then use wireshark to intercept and analyse incoming smb communications
- Unencrypted access to files exchanged between user machines and the server (invoices, contracts, pay slips, strategic documents, etc.)
Given the extent of the risks of sniffing and Man in the Middle attacks, information circulating on the network must be encrypted. Encrypting data means making it unintelligible to anyone who does not hold the decryption key. The most common measure is to run existing protocols over an encrypting layer: TLS for HTTP and FTP (HTTPS, FTPS), SSH for file transfer (SFTP), SRTP for RTP, etc. In the case described above, the recommendation made following the tests was to move to SMB 3.x with SMB encryption enabled and enforced: SMB 3.0 introduced per-session encryption (AES-CCM, with AES-GCM added in 3.1.1), whereas SMBv2 only offers signing, which protects integrity but leaves file contents readable on the wire. On a Windows file server this corresponds to enabling EncryptData and RejectUnencryptedAccess in the SMB server configuration (Set-SmbServerConfiguration), after checking that every client still in use supports SMB 3; on Samba, the equivalent is the smb encrypt option set to required.
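To make the SMBv2 versus SMB 3 difference concrete, here is an added example (not code from the article) that classifies the messages in a TCP/445 stream the way a sniffer would: an SMB2 plain header (protocol identifier 0xFE 'S' 'M' 'B') exposes the command, flags and, for a WRITE request, the file data itself, whereas an SMB 3.x transform header (0xFD 'S' 'M' 'B') leaves nothing but a session identifier. Header layouts follow MS-SMB2; the two frames and the "file contents" are constructed, and the ciphertext is arbitrary bytes rather than a real encryption.

```python
"""Tell cleartext SMB from SMB 3.x encrypted traffic in a TCP/445 stream and
recover the data a sniffer would see in an unencrypted WRITE request.

Added example, not code from the article. Header layouts follow MS-SMB2; the
frames and the file contents below are constructed, and the 'encrypted'
payload is arbitrary bytes standing in for real ciphertext.
"""
import struct

SMB1_ID = b"\xffSMB"            # SMB1: cleartext
SMB2_ID = b"\xfeSMB"            # SMB2/3 plain header: payload readable on the wire
SMB2_TRANSFORM_ID = b"\xfdSMB"  # SMB 3.x transform header: payload encrypted
SMB2_COMPRESS_ID = b"\xfcSMB"   # SMB 3.1.1 compression transform header

SMB2_COMMANDS = {0: "NEGOTIATE", 1: "SESSION_SETUP", 3: "TREE_CONNECT", 5: "CREATE",
                 6: "CLOSE", 8: "READ", 9: "WRITE", 0x0E: "QUERY_DIRECTORY"}
FLAG_SERVER_TO_REDIR = 0x1      # set on responses
FLAG_SIGNED = 0x8               # signing: integrity only, no confidentiality
HEADER_LEN = 64

# Constructed sample of what a user's workstation writes to the file server.
CONSTRUCTED_FILE = b"Invoice 2021-03: transfer EUR 48,200 to account 0000-TEST (constructed)"


def smb2_header(command, flags=0, message_id=1, session_id=0x1234):
    """64-byte SMB2 header (MS-SMB2 2.2.1.2); signature left as zeros."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_ID, HEADER_LEN, 0, 0, command, 1,
                       flags, 0, message_id, 0, 1, session_id, b"\0" * 16)


def smb2_write_request(data):
    """WRITE request (MS-SMB2 2.2.21): 48-byte fixed part, then the data."""
    body = struct.pack("<HHIQ16sIIHHI", 49, HEADER_LEN + 48, len(data), 0,
                       b"\0" * 16, 0, 0, 0, 0, 0)
    return smb2_header(9) + body + data


def netbios_frame(msg):
    """Direct TCP framing on port 445: zero type byte plus 24-bit length."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def split_frames(stream):
    """Cut a reassembled TCP stream into individual SMB messages."""
    msgs, i = [], 0
    while i + 4 <= len(stream):
        length = int.from_bytes(stream[i + 1:i + 4], "big")
        msg = stream[i + 4:i + 4 + length]
        if len(msg) != length:
            raise ValueError("truncated SMB message")
        msgs.append(msg)
        i += 4 + length
    return msgs


def classify(msg):
    """What an eavesdropper learns from one message."""
    proto = msg[:4]
    if proto == SMB2_TRANSFORM_ID:
        return {"kind": "SMB3-encrypted", "command": None, "data": None}
    if proto == SMB2_COMPRESS_ID:
        return {"kind": "SMB3-compressed", "command": None, "data": None}
    if proto == SMB1_ID:
        return {"kind": "SMB1-cleartext", "command": msg[4] if len(msg) > 4 else None,
                "data": msg}
    if proto != SMB2_ID or len(msg) < HEADER_LEN:
        raise ValueError("not an SMB message")
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    result = {"kind": "SMB2-cleartext",
              "command": SMB2_COMMANDS.get(command, hex(command)),
              "signed": bool(flags & FLAG_SIGNED),
              "response": bool(flags & FLAG_SERVER_TO_REDIR),
              "data": None}
    if command == 9 and not result["response"]:
        # DataOffset and Length sit right after StructureSize in the WRITE body.
        data_offset, length = struct.unpack_from("<HI", msg, HEADER_LEN + 2)
        result["data"] = msg[data_offset:data_offset + length]
    return result


def constructed_capture():
    """One cleartext SMB2 WRITE followed by one SMB 3.x transform message."""
    write = smb2_write_request(CONSTRUCTED_FILE)
    transform = struct.pack("<4s16s16sIHHQ", SMB2_TRANSFORM_ID, b"\x11" * 16,
                            b"\x22" * 16, len(write), 0, 1, 0x1234)
    encrypted = transform + bytes(range(0x80, 0xC0))  # stand-in ciphertext
    return netbios_frame(write) + netbios_frame(encrypted)


def audit(stream):
    """Summary a pentester would report: how much was readable, and what."""
    results = [classify(m) for m in split_frames(stream)]
    return {"cleartext": sum(r["kind"].endswith("cleartext") for r in results),
            "encrypted": sum(r["kind"] == "SMB3-encrypted" for r in results),
            "recovered": [r["data"] for r in results if r["data"]]}


if __name__ == "__main__":
    for k, v in audit(constructed_capture()).items():
        print(f"{k}: {v}")
```

The same check applied to a real capture (for example by reading the TCP payloads of port 445 packets) tells you whether the migration to SMB 3 encryption actually took effect: after enabling and enforcing it, every message after session setup should start with the transform header.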
Access and Identity Management
Regarding attacks on the authentication feature, including brute force attacks or password spraying, and privilege escalation, we have already detailed the mechanisms in our previous article on common web applications vulnerabilities. You can therefore refer to it as it applies to all entities in your network infrastructure that are accessible through an authentication system. In addition, we will come back to Active Directory attacks in a dedicated article.
Lack of Logging and Monitoring
The lack of logging and monitoring is both a technical and organisational flaw that allows attackers to maintain their position in a network as long as possible.
As with network segmentation, it is important to specify that good logging and monitoring practices do not prevent attacks, but they remain the main way of detecting unusual events and intrusions early, and therefore of reducing their impact. What are the main principles and mechanisms?
Most of the elements involved in communication within a network keep a record of what they do. Systems and applications log the events that occur on them (logins, errors, started processes, accessed files, etc.), and routers, proxies, firewalls and access points log connections, denied packets, DHCP leases, authentications and so on, according to their configuration. These records are kept for a certain period of time in dedicated files or stores, commonly called "logs", on the device that generated them.
A careful attacker erases their tracks after compromising one or more machines in a network, to hide their presence from the administrators and maintain their position on the compromised machines for as long as possible. Good log management is therefore very useful for detecting intrusions quickly and reacting effectively.
To make logs easier to manage and exploit, they should be centralised on a dedicated, hardened collection server placed in a protected segment. Agents (or native forwarding mechanisms such as syslog or Windows Event Forwarding) are then deployed on each machine to ship events to the collector as they are written, and the collector's retention should be longer than that of any single host.
This matters because, if a machine is compromised, the attacker will very likely destroy or alter its local logs. Centralising and duplicating logs in near real time ensures that you always keep a copy the attacker cannot reach from the compromised host, and any discrepancy between the local log and the central copy is itself a strong indicator of compromise.
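Two checks that are only possible because a central copy exists, as an added example (not from the article): flag the events Windows writes when a log is wiped (event ID 1102 in the Security log, 104 in the System log), and list the records the collector received from a host that have since disappeared from that host's own log. The events are constructed, in the style of JSON lines produced by an event forwarder; hostnames, users and the "authorised log admin" are hypothetical.

```python
"""Detect an attacker clearing their tracks, using the centralised copy: spot
explicit log-clear events, and find records the collector received that have
vanished from the host's local log.

Added example, not from the article. The events are constructed (JSON lines in
the style of a Windows event forwarder); hosts and users are hypothetical.
"""
import json

# Events the Windows Event Log service writes when a log is wiped.
LOG_CLEAR_EVENTS = {("Security", 1102): "audit log cleared",
                    ("System", 104): "event log cleared"}

# Constructed: what the collector holds.
CENTRAL_COPY = """\
{"Computer":"WS-042","Channel":"Security","RecordNumber":5001,"EventID":4624,"Time":"2021-06-01T09:02:11Z","Subject":"jdoe","Message":"An account was successfully logged on"}
{"Computer":"WS-042","Channel":"Security","RecordNumber":5002,"EventID":4720,"Time":"2021-06-01T09:05:40Z","Subject":"jdoe","Message":"A user account was created: backup_tmp"}
{"Computer":"WS-042","Channel":"Security","RecordNumber":5003,"EventID":4732,"Time":"2021-06-01T09:05:41Z","Subject":"jdoe","Message":"A member was added to Administrators: backup_tmp"}
{"Computer":"WS-042","Channel":"Security","RecordNumber":5004,"EventID":1102,"Time":"2021-06-01T09:06:02Z","Subject":"jdoe","Message":"The audit log was cleared"}
{"Computer":"SRV-FILE-01","Channel":"Security","RecordNumber":9001,"EventID":4624,"Time":"2021-06-01T09:10:00Z","Subject":"svc_backup","Message":"An account was successfully logged on"}
"""

# Constructed: what is left on WS-042 after the attacker cleared the Security
# log. Only the clear event itself remains, written into the fresh log.
LOCAL_WS042 = """\
{"Computer":"WS-042","Channel":"Security","RecordNumber":5004,"EventID":1102,"Time":"2021-06-01T09:06:02Z","Subject":"jdoe","Message":"The audit log was cleared"}
"""


def parse_events(text):
    """JSON lines -> list of event dicts (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_log_clears(events, authorised_users=()):
    """Every log-clear event; those not performed by an authorised log
    administrator are raised as alerts."""
    alerts = []
    for e in events:
        label = LOG_CLEAR_EVENTS.get((e["Channel"], e["EventID"]))
        if label is None:
            continue
        alerts.append({"computer": e["Computer"], "time": e["Time"],
                       "by": e["Subject"], "what": label,
                       "alert": e["Subject"] not in authorised_users})
    return alerts


def find_erased_records(central, local, computer, channel):
    """Records the collector holds for (computer, channel) that are no longer
    in the host's local copy: deleted after they were forwarded."""
    local_ids = {e["RecordNumber"] for e in local
                 if e["Computer"] == computer and e["Channel"] == channel}
    return [e for e in central
            if e["Computer"] == computer and e["Channel"] == channel
            and e["RecordNumber"] not in local_ids]


def investigate(central_text, local_text, computer, channel="Security"):
    """Run both checks for one host; 'logadmin' is the hypothetical account
    allowed to clear logs during maintenance."""
    central, local = parse_events(central_text), parse_events(local_text)
    return {"clears": find_log_clears(central, authorised_users=("logadmin",)),
            "erased": find_erased_records(central, local, computer, channel)}


if __name__ == "__main__":
    result = investigate(CENTRAL_COPY, LOCAL_WS042, "WS-042")
    for c in result["clears"]:
        print(f"{'ALERT' if c['alert'] else 'info '} {c['computer']} {c['time']} "
              f"{c['what']} by {c['by']}")
    for e in result["erased"]:
        print(f"erased locally: record {e['RecordNumber']} event {e['EventID']} "
              f"{e['Message']}")
```

In this constructed case the central copy shows what the attacker wanted to hide: a new account added to the local Administrators group just before the log was cleared. Without forwarding, the only trace left on the workstation would be the 1102 event, and only if nobody disabled auditing beforehand.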
Human Flaws and Social Engineering Attacks
Beyond technical flaws, configuration or implementation problems, the vulnerability most often exploited by attackers to compromise an information system remains human. Your company’s employees are still the weakest link in your cybersecurity, attackers know this and the news of successful cyberattacks proves it!
An IBM report on the cost of data breaches puts the average cost of a data breach in 2018 at $3.9 million. And in its 2019 Internet Crime Report, the FBI estimated that BEC attacks (Business Email Compromise: attacks in which fraudsters pose as company executives or vendors to trick employees into transferring payments to bank accounts controlled by the attackers) cost companies around the world about €1.6 billion.
The principle of social engineering attacks is simple, and in most cases carrying them out does not require much technical knowledge. The attacker relies on human psychology and social skills to obtain information about a company or its IT systems, or to compromise them directly: applications, external infrastructure, internal network, in short all or part of the information system.
Email remains the main attack vector. Using phishing, spear phishing (phishing targeted at a restricted group of people), sometimes combined with vishing (phone attacks), attackers exploit our natural curiosity, our sense of duty, our professional conscientiousness, our taste for bargains, etc. to persuade us to click on a link or open an attachment. With cloned login pages or malware, they still manage to:
- Embezzle huge amounts of money
- Obtain user IDs and passwords
- Steal, destroy or alter critical data
- Paralyse your entire information system
In recent years, there have been many examples of successful social engineering attacks on small, medium and large companies. And the consequences are often devastating and irreversible. However, there are simple ways to limit the impact of social engineering attacks.
- Firstly, design and implement a security strategy adapted to your challenges and threats. Encryption of communications and sensitive data, segmentation of your network, rigorous access and identity management, reduction of the attack surface, etc. are all ways of countering attacks or reducing their impact.
- And above all, test the robustness of your systems with penetration tests of your external infrastructure and your internal network. Penetration tests remain the best way to test the security of your systems against external and internal attackers. The principle is simple: identify potential vulnerabilities and correct them quickly, before attackers exploit them. External infrastructure penetration tests look for vulnerabilities in the components of the information system exposed to the outside. Internal network pentesting consists of mapping the network and then carrying out security tests on the elements identified: servers, Wi-Fi, network equipment, workstations, etc. The report issued after the tests explains the mechanism of each vulnerability discovered so that your teams can reproduce and fix it.
- Then carry out social engineering tests, either internally or through a specialised third party. These evaluate how your employees behave when faced with seemingly harmless emails, calls or physical intrusions into your premises (e.g. dropping booby-trapped USB keys), actions with a dramatic impact when they come from malicious hackers rather than from the ethical hackers that we are. The results of these tests can be used to target your awareness efforts.
- Finally, you must continuously raise awareness and train all your employees, because cybersecurity must be everyone's business. You can organise awareness-raising team meetings or training courses delivered by your specialised teams on the subject of cybersecurity. There are also third-party training courses on social engineering attacks. These non-technical courses make it easier to understand the mechanisms of attacks through phishing, vishing, cloned login pages, ransomware, etc. and the best practices and reflexes to adopt in order to avoid taking the bait.
Contact us for any question related to a training project or penetration tests on your external infrastructure, your internal network or social engineering tests. We will discuss your needs and provide you with an intervention adapted to your security challenges and your constraints, whether budgetary or organisational.