In this lesson, I'll discuss network based attacks. By the end of the lesson, you'll be able to explain how the network can be the source of an attack, discuss at a high level how these attacks work, and understand the options you have for preventing network based attacks.

Let's talk about the common types of attacks on networks first. There are really two kinds of attacks: active attacks and passive attacks. Active attacks are much more common, because the attacker is trying to get information in real time. Things on a network change: a password gets changed, or somebody changes some information, and we are no longer able to capture it. So real-time attacks on the network are the brunt of what we see, and they are what we'll talk about under active attacks. Active attacks are where an attacker has the ability to see or manipulate real-time traffic. Conversely, we have passive attacks. Passive attacks are when an attacker reads the data obtained from an active attack and uses that information for other purposes. Active attacks show up as sniffing, eavesdropping, spoofing and denial of service attacks, whereas with passive attacks what we see is more the use of compromised data, password manipulation for example. Let's dive into each one of these.

Our first active attack is sniffing. Sniffing is the most common type of active attack. It is reading, monitoring or capturing the full packets from a network device. That could be a computer, a switch, a router or something else; it could even be a webcam. Who knows? It just has to be on the network. Well-known tools used in this type of attack are Wireshark and tcpdump. How common is this type of attack? Most network attacks come from somebody being able to get into the traffic stream, and that is very difficult. We're going to talk about wireless attacks.
We see this much more on the wireless side than on the wired side. On the wired side it's a little more complicated, because we have to get to the networking device. We can't just plug into a wall and see packets traversing back and forth; that's not how switching works these days. From a complexity level, it's very simple, provided you have the ability to actually get into the data stream. So with sniffing, getting into the data stream is very difficult, but once you're there, actively attacking it is simple. For the risk, it's a really serious threat. Sniffing is non-intrusive. We can sniff traffic all day long and nobody would ever know, because even though it's an active attack, it's passively listening.

Eavesdropping is another active attack on networks. It's similar to sniffing and may be used in the same manner. However, we may not see the full packets; this could be a case where we are sniffing little bits and pieces of a conversation. This is eavesdropping on one-to-one communication. The well-known tools used in this type of attack are again tcpdump, Wireshark and, in some cases, ettercap. How common is this type of attack? Well, most network attacks are in the form of sniffing, and eavesdropping is a form of that. However, it's not used as much as sniffing overall, because sniffing provides you the actual full packet. For complexity, again, the data stream can be difficult to get into. For the risk, it's a serious threat because we're sniffing; we're getting information passively even though it's an active attack. However, eavesdropping is a little touchier here, because if you perform eavesdropping wrong as an attacker, you can actually be detected, because you mess up the other side's connection. We'll talk about this in the next slide, which covers spoofing.

Spoofing is pretending to be someone or something that you are not.
This is seen in the case of ARP spoofing, where ARP is the Address Resolution Protocol. With ARP, every time a computer gets on the network, it says, hey, here's my physical address at layer two, and that's the MAC address of that computer. It then talks to the layer three side, to the router, and says, okay, who has this address? Here is my address; who has the router's address? What an attacker can do in ARP spoofing is get in the middle of that two-way conversation and say, no, the router or the gateway is not the source of information, I am the source of information. So they can not only eavesdrop on and snoop traffic, they can also manipulate it. This is not complex at all, because of the software out there. There are many different tools to do it, but the most common is ettercap. It usually only works on non-enterprise systems, or on enterprise systems that aren't set up well enough to handle this type of security. Enterprise systems have detection mechanisms; for this kind of spoofing the mechanism is called dynamic ARP inspection, and there is also a form of dynamic ARP inspection on the wireless side. However, you don't have that in consumer based products. Additionally, some of the lower end business or small business type systems don't have the detection and mitigation tools built into them. So spoofing is a serious threat because it is more of an active attack. We're not only passively listening, as from a snooping or sniffing point of view; we can actually get into the middle of a conversation and mimic everything that person is doing. We can manipulate data, we can steal information, and we can actually make information not go to the source at all.
However, if you mess up ARP spoofing, then you actually destroy the other connection, so somebody on the other end will know that something's up.

The last type of active attack that I'll talk about is denial of service. Denial of service is another concern, so we're actually going to talk about it in another lesson, but what it is, it affects the ability to use resources. The well-known tools that have been used are really, specifically, botnets. But when we see a mass organization using denial of service tactics, we also see High Orbit Ion Cannon and Low Orbit Ion Cannon. Those are two pieces of software, HOIC and LOIC, and you can look those two up. How common is this type of attack? Well, it's really not common, because of resource constraints: an attacker has to have a high level of resources available to them to actually produce a denial of service attack. The risk to the organization is that you can lose business because of resource availability if your systems are not secured.

Passive attacks are a lot less common. Passive attacks usually stem from previously performed active attacks. So we sniff the transactions or look at a packet capture and say, okay, here's all the information that I have; oh look, here's a password that I'm getting out of the network connection. That is a passive attack, because the attacker is using the information obtained from an active attack to then do something else passively. The attacker uses the data or information obtained via sniffing or eavesdropping for things like password attacks, replay attacks, or other information that could be used against you. We see this much more commonly in wireless networks as well, because on an unsecured connection wireless networks are much easier to sniff than the wired side.

Let's talk about protection for a minute. If you are an enterprise, you need to keep up with the latest security patches.
These are not only your operating system patches but also your network security patches. Your network is always going to be there, it's how we get data back and forth, but if we're not paying attention, we may introduce something that allows somebody to sniff or get in the middle of traffic. We need to use enterprise grade hardware. If you are a small business, you need to ask questions about how secure the vendor's overall hardware is, especially on a wired connection. Does it have dynamic ARP inspection available to you? What about segmenting your network? Segmenting your network is one of the simplest ways to protect yourself, because then an attacker is only sniffing a small segment of information. Protecting your network physically is also something you need to do. If somebody has physical access to a piece of equipment, they may be able to break in via a console cable or something like that, guess the username and password for that piece of networking equipment, and use it against somebody. If you are a small business or an individual that cannot afford to purchase enterprise grade hardware, understand who is on your network. Understand who is using your network. Don't allow outsiders to connect to your private networks. This is especially the case in wireless networks.
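As an added example that is not part of the lesson: a small Python script that performs, over a constructed tcpdump-style ARP log, the kind of check that dynamic ARP inspection does on a switch, flagging an IP whose claimed MAC differs from the known binding and a single MAC that answers for more than one IP. The log lines, IP addresses and MAC addresses are constructed samples, and the optional `known_bindings` table stands in for the trusted binding table a real switch would use.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on `tcpdump -n arp` output (not a real capture).
# The gateway 192.168.1.1 is first answered by its legitimate MAC; later a second
# host (...:99) starts answering for both the gateway and a client: the ARP
# spoofing pattern described in the lesson.
SAMPLE_ARP_LOG = """\
10:00:01.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:01.000250 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:02.000001 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
10:00:05.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:99, length 28
10:00:05.000002 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:99, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_replies(log_text):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests are ignored."""
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(log_text, known_bindings=None):
    """Return alert strings. known_bindings (ip -> mac) plays the role of the
    trusted table that dynamic ARP inspection validates replies against; without
    it the first reply seen for an IP is trusted, which is a much weaker check.
    Caveat: a legitimately replaced NIC also changes an IP's MAC, so an alert is
    a lead for investigation, not proof of an attack."""
    bindings = dict(known_bindings or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_replies(log_text):
        new_ip_for_mac = ip not in ips_per_mac[mac]
        ips_per_mac[mac].add(ip)
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac  # first sighting of this IP: learn the binding
        elif expected != mac:
            alerts.append(f"{ts} {ip} claimed by {mac}, expected {expected}")
        # one MAC answering for several IPs is the man-in-the-middle shape
        if new_ip_for_mac and len(ips_per_mac[mac]) > 1:
            alerts.append(f"{ts} {mac} answers for {sorted(ips_per_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print("ALERT:", alert)
```

Feeding it real output from `tcpdump -n arp` works the same way, since the regular expression matches that reply format.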