Attackers carrying out targeted attacks are not omniscient. In the early stages they need to gather information about the target, and they draw on a range of open sources of intelligence, such as Google, Whois, Twitter, and Facebook, collecting data like email addresses, IP ranges, and contact lists. These details are then used as lures in phishing emails which, if they succeed, give the attackers a foothold in the targeted organization's network.
Once inside, the attackers begin the lateral movement stage. In this stage they perform port scans, service scans, network topology mapping, password sniffing, keylogging, and probing of the security policies in force. The goal is to locate more confidential information and to find a stealthy, durable means of access.
Lateral movement gives the attackers information they can turn to their advantage. They now know the existing security weak points, the flaws in firewall rule sets, and where security equipment has been deployed in the wrong place. They also hold an up-to-date picture of the network topology, the password sets, and the security policies.
They can use this knowledge even after their presence has been discovered. Often, efforts to thwart existing attacks and prevent new ones consist of removing the malware and monitoring network activity. But because the attackers still know the topology, they can try new ways in that are easy for them and unlikely to be noticed.
Earlier, we posted an entry detailing how IT administrators can protect enterprises from targeted attacks and breaches by looking at their network vulnerabilities. In this blog post, we want to tackle how network topology can aid in defending the enterprise network from the risks posed by targeted attacks.
Changing the Network Topology
It’s not enough to change passwords and remove the malware. To protect an organization from targeted attacks, changing the network topology should also be considered.
Network topology refers to how devices are connected within a network, both physically and logically. It covers every device on the network, whether computers, routers, or servers. Because it also describes how these devices are connected and reach one another, in this post the term is used broadly to include the passwords, security policies, and similar controls that govern that access.
If the targeted organization changes the network topology, the knowledge the attackers gained loses its value. If the threat actors try to re-enter the network using their old method, the attempt stands out against the new(er) security policies put in place and is far more likely to be flagged. Changes such as moving the "location" of the target data or re-segmenting the network force the attackers to spend a longer period finding the targeted data again. That time is invaluable: it gives administrators more opportunity to detect the malicious activity before any real damage is done.
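The two detection opportunities described in this post, the scanning that lateral movement requires and the re-entry attempts that rely on an outdated map of the network, can be turned into simple checks over flow or firewall logs. The script below is an added example, not code from the original post: it assumes the sensitive file servers were moved out of the 10.10.8.0/24 segment, treats any connection to that now-retired range as a tripwire (a reconfigured host has no reason to try it), and separately flags sources that touch many ports on one host or many hosts. The addresses, thresholds, and log lines are constructed for illustration.

```python
"""Flag two indicators a post-breach topology change makes visible:
connections to retired address space and internal scanning.
Added example; addresses and log lines are constructed, not real traffic."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


# Subnet that held the sensitive servers before the re-segmentation (assumed).
# Nothing legitimate should talk to it any more, so any hit is a tripwire.
RETIRED_NETS = [ipaddress.ip_network("10.10.8.0/24")]

# Constructed flow records: timestamp src dst dport action.
BASELINE = """\
2024-03-01T09:00:01 10.20.5.40 10.30.1.5 445 ALLOW
2024-03-01T09:00:02 10.20.5.41 10.30.1.5 445 ALLOW
2024-03-01T09:00:05 10.20.5.17 10.10.8.22 445 DENY
2024-03-01T09:00:06 10.20.5.17 10.10.8.22 3389 DENY
2024-03-01T09:00:08 10.20.5.42 10.30.1.9 443 ALLOW
"""
# The same host then sweeps 20 ports on a server in the new segment.
SCAN = "".join(
    f"2024-03-01T09:02:{i:02d} 10.20.5.17 10.30.1.5 {port} DENY\n"
    for i, port in enumerate(range(20, 40))
)
SAMPLE_LOG = BASELINE + SCAN


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        flows.append(Flow(ts, src, dst, int(dport), action))
    return flows


def stale_topology_hits(flows, retired_nets=RETIRED_NETS):
    """Flows to a retired subnet: the sender is working from an old map."""
    hits = []
    for f in flows:
        dst = ipaddress.ip_address(f.dst)
        if any(dst in net for net in retired_nets):
            hits.append(f)
    return hits


def scan_suspects(flows, min_ports=10, min_hosts=10):
    """Sources touching many ports on one host (vertical scan) or many
    hosts (horizontal sweep). Returns src -> summary counts."""
    pairs = defaultdict(set)   # src -> {(dst, dport)}
    hosts = defaultdict(set)   # src -> {dst}
    for f in flows:
        pairs[f.src].add((f.dst, f.dport))
        hosts[f.src].add(f.dst)
    suspects = {}
    for src, seen in pairs.items():
        per_host = defaultdict(int)
        for dst, _ in seen:
            per_host[dst] += 1
        most = max(per_host.values())
        if most >= min_ports or len(hosts[src]) >= min_hosts:
            suspects[src] = {"max_ports_on_one_host": most,
                             "distinct_hosts": len(hosts[src])}
    return suspects


def main():
    flows = parse_flows(SAMPLE_LOG)
    for f in stale_topology_hits(flows):
        print(f"tripwire: {f.src} -> {f.dst}:{f.dport} ({f.action}) at {f.ts}")
    for src, stats in scan_suspects(flows).items():
        print(f"scan: {src} {stats}")


if __name__ == "__main__":
    main()
```

The tripwire check is the cheaper of the two and produces almost no false positives once the migration is complete, which is why retired address space is worth keeping under watch rather than simply reusing it. The scan thresholds are starting points; tune them against the normal fan-out of management hosts and vulnerability scanners in your own environment.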