Your network through the eyes of a hacker

Text by Geraldo Bravo, CyberArk sales executive.

Is your network fully protected? You should probably already be careful of microsegmentations, strict firewall policies, and have some kind of EDR solution that provides visibility and monitoring for suspicious activities, such as malware and cyber attacks. As well as allowing access only on secure connections that depend on encrypted protocols.

If you are one of those who take your company’s security seriously, you should probably perform a regular routine of updating your protection systems, or even have a qualified SOC team that monitors all of these systems 24 hours a day, 7 days a week and sends a report every week showing all the activities carried out in the system, but often these results may have been examined and characterized as false positives. But what if these processes don’t guarantee that your data is completely secure?

A hacker attack can use three techniques to invade your system without being noticed. For this, it is important that you learn how to expand this knowledge in a way that allows you to keep your network always protected from possible attacks. To do this, you need to understand how a hacker’s mind thinks to understand its strategies.

Hacker’s perspective

One of the characteristics of a skilled attacker is patience. Maintaining secrecy is an important ingredient in an APT (Advanced Persistent Threat) attack, as it allows the attacker to use continuous and sophisticated techniques and intrusion to gain access to a system and stay within it for an extended and potentially destructive period.

An attacker who has managed to pass the first line of defense and gained initial access, will endeavor to escape existing defense systems. Meanwhile, they will not make a move until they are sure they have not been discovered. And more than that, when they make a move, they will make sure that you are not aware of anything that is happening.

It all depends on the amount of data the attacker has, an easy scenario is when he has enough information to make decisions about his movements and future plans. The most problematic scenario is when there is not enough intelligence data. In this situation, the best way for an attacker to stay off the radar is to use the “mandatory” resources of an organizational network, such as shared folders, ping messages and DNS queries.

But why would an attacker use this? Since these protocols are used very often, do not require an intelligence system before its operation. Even if one of your defense systems detects something unusual, it is likely that your SOC team will have a hard time investigating exactly what happened. Looking for an unusual pattern in the network traffic of these protocols is like looking for a needle in a haystack.

There are three examples of common protocols used by an attacker to gain an advantage in accessing systems. The first one is SMB, which can be used over the TCP / IP protocol, allows access to files or other resources on a remote server; the second is DNS, which allows the translation of domain names into IP addresses; and finally, ICMP, which authorizes the creation of IP-related messages, error messages and test packages.

What to do against these types of attacks

There are two main methods that are worth pointing out and that can help address these challenges. The first one is the Deep Packet Inspection (DPI), which is a technology used to capture network packets as they pass through routers and other network devices, in addition to performing packet filtering to examine data and detect malicious packet usage.

Another method is Behavior Based Safety (Behavior Based Safety) which is a methodology to increase the preventive performance of safety in organizations, allowing a proactive automated approach, in which it is possible to detect behavioral anomalies in the network.

However, the most important issue is that you need to take the perspective that an attacker can use to access your system. Look for properties on the network that are “obvious”, trivial types of traffic and those that are difficult to filter out unusual patterns.