Malicious Network Activity Report 2

Malicious Network Activity Report 2

Malicious Network Activity Report

Introduction

The computer network of a financial institution can be considered one of the most important components of its infrastructure. It is well known that financial institutions handle money transactions for millions of people, so it is important the network must be protected and secured, especially since most banking transactions are completed online. A representative from the Financial Services Information Sharing and Analysis Center (FS-ISAC) contacted the chief net defense liaison of the financial sector regarding reports of network intrusions occurring at various banks in the U.S. Details of the intrusions reported millions of files compromised and distributed denial of service attacks (DDoS) that impacted the banks customer websites and caused a blockage of potential transactions worth millions of dollars. USAA financial institution was among the banks affected by the recent cyber-attack, so the Federal Bureau of Investigation (FBI) cyber security sector engagement division deployed a team there to use a suite of network monitoring and intrusion tools to investigate the incident. The chief requested a report of the information obtained and a joint network defense bulletin with recommendations of prevention methods and remediation techniques for the FS-ISAC to distribute to the other financial institutions affected.

Network Architecture Overview

USAA is a financial institution based out of San Antonio, TX that offers services such as banking, insurance and investments (USAA, 2021). USAA uses premier technology to make sure their clients receive the best service possible by constantly combating malicious internet and network criminals that try to gain access to their network. USAA also offers mobile access and online platforms for their clients, so it is a priority to make sure to maintain adequate network security of the institution. USAA uses various data transmission components such as user datagram protocol (UDP), transmission control protocol/internet protocol (TCP/IP), internet packets, IP address schemes, and well-known ports and applications as part of their network architecture. Other components of their network architecture are firewalls, intrusion protection systems (IPS) and intrusion detection systems (IDS).

UDP is a connectionless transport layer protocol requiring no handshaking and allows for low latency and faster speed transmission (University of Maryland Global Campus, 2021). USAA uses UDP for domain name system (DNS) and simple network management protocol (SNMP). TCP/IP is a suite of protocols allowing computer systems to send and receive data packets simultaneously through the internet by compiling packets to send them to the correct destination (University of Maryland Global Campus, 2021). Each protocol within the suite has a specific job to complete that allows an application to function properly. Internet packets are small pieces of broken data transmitted over the internet with a source and destination address (University of Maryland Global Campus, 2021). USAA’s network splits packets of data into small segments of data to enable the message to transfer to the address of the designated destination. IP address is the unique network address given to each device connected and has two versions that are IPv4 and IPv6 (University of Maryland Global Campus, 2021). IPv4 is the oldest version and uses 32 bits address sizes. Because the internet is constantly growing and companies are on the verge of depleting their IPv4 addresses, IPv6 was created and uses 128 bits for address sizes. USAA uses the IPv4 IP address scheme for its primary IP addresses and the IPv6 IP address scheme as a secondary if and when the use of IPv6 becomes available. The current public class C scheme of 192.0.0.0 to 223.255.255.0 is used for public access at different branches and the private class A scheme of 10.0.0.0 to 10.255.255.255 (Meridian Outpost, 2021). This scheme gives USAA the flexibility to meet company needs by maximizing space and efficiency critical to ensuring IP addresses are assigned based on company needs in each department, limiting network congestion. By using public and private IPv4 addresses, it lessens the risk of unauthorized access to the internal departments. Ports are 16-bit numbers used to identify different applications and programs from an IP address and are assigned by the internet assigned numbers authority (IANA). Ports 0-1023 are reserved as the well-known ports range and is commonly used by processes or programs used by administrators. Figure 1 shows the well-known ports used by USAA.

Figure 1. Port Table

The ports mentioned in the table above are the most common ports used by USAA; however, those ports are at risk of attack because they must remain open in order USAA to conduct their normal business operations. Open ports will allow attackers the ability to eavesdrop on communications undetected in preparation for an attack on the network; these attacks include IP spoofing, DDoS and sniffing.

Since the various data transmission components were described, it is important to understand the roles of the communication process between two parties. The sender or source is the entity that encodes the data message and transmits the information through a channel to the receiver (Rocha et al., 2018). The encoder performs the encoding process where the message is formed and uses oral and written verbiage to send the message (Rocha et al., 2018). The channel or medium is the method that carries the message from the sender to the receiver, so the sender must consider the medium of the message sent. For example, if a sender wants to use email as a medium to transfer a message, the sender must ensure the receiver has email to receive the message. The receiver is the destination the message is sent to from the sender and is responsible for decoding the information from the source by translation into a readable message. The decoding mechanism is used by the receiver to interpret and translate the coded information into a readable format. When the message has been sent and read, it is considered successful communication between the two entities (Rocha et al., 2018).

There are protection devices in place that help protect the data transmission components such as intrusion detection systems (IDS), intrusion protection systems (IPS) and firewalls. An IDS is a system that monitors network traffic for malicious activity and issues an alert to an administrator when activity is discovered for further investigation (GeeksforGeeks, 2020). An IPS is a system that monitors network traffic for malicious activity and detects and prevents incidents from occurring (Forcepoint, 2021). The difference between and IDS and IPS is that an IDS only detects possible malicious activity based off the rules set by the administrator and the IPS actually can prevent certain incidents based off the set of rules set by the administrator. Firewalls are similar to IDS and IPS in away that protects malicious traffic from entering or leaving the network. Firewalls can be in the form of hardware or software and are strategically placed in different areas of the network to prevent unauthorized traffic from penetrating the network (Rocha et al., 2018). The firewalls for USAA have been established on the external perimeter of the network as a first line of defense to protect against malicious activity and unauthorized users from penetrating their network. The figure 2 below depicts the link between the operating systems, hardware and software components, firewalls and IDS that make up the network defense implementation of USAA’s network. Hardware and software enable scalability and the switches, routers, firewalls, and IDS enables the security of connectivity and communication for the employees of USAA.

Figure 2 Network Diagram (Techblast, 2019)

Network Attacks

USAA as well all financial institutions are susceptible to cyberattacks by individuals seeking to gain access to the sensitive information contained within their databases and network systems. Common cyberattacks that USAA face are spoofing, cache poisoning, session hijacking and man in the middle attacks (MITM). These attacks attempt help hackers gain unauthorized access to USAA’s network. Spoofing occurs when an attacker disguises communication from an unknown source and passes it off as coming from a legitimate source (Forcepoint, 2020). If a spoofing attack is successful, access to personal information or a spread of malicious software can be granted; however, the use of secure sockets layer (SSL) protocol and virtual private networks (VPN) helps protect against a spoofing attack. An example of a spoofing attack is domain name service (DNS) spoofing. DNS spoofing is fueled by cache poisoning; and attacker takes the cache of the DNS servers and replaces one or more IP addresses with spoofed IP addresses (University of Maryland Global Campus, 2021). The attacker will then load the addresses with malicious content that affects the users accessing the IP addresses from the DNS cache. Session hijacking is the exploitation of a web session control mechanism managed by a session token (OWASP, 2021). The web server needs a way to recognize a user’s connection and is usually recognized in a session token; the token is normally composed of a string of variable width in the URL. If successful, the attack will compromise the token by obtaining a valid session token to gain access to the web server. The session token is commonly compromised by a MITM attack; the malicious user will interrupt the communication session between the legitimate users, gain access to all the user’s information and carry out malicious activities.

A way to monitor and help circumvent the cyberattacks mentioned above and other malicious events is to place a honeypot on the network. A honeypot is a system designed to gather information about unauthorized users or attackers; specifically, it is designed to be a decoy to attract attackers and deflect attacks away from the operational systems (University of Maryland Global Campus, 2021). Honeypots are very effective; however, security mechanisms such as firewalls, IDS and even honey walls should be in place and configured correctly for protection of the real network. A smart attacker can identify an organizations honeypot and create spoofed attacks to distract attention from a real exploit to the network or feed false information to the honeypot (Kaspersky, 2021). Specific ports should be utilized for the honeypot on the network away from other ports that give access to sensitive information. The honeypot can be confirmed working properly if traffic is diverted to the specific ports and information about the attackers is available to be analyzed.

False Positives and False Negatives

It has been established that using tools such as an IDS and IPS are effective tools detecting suspicious activity on the network; however, these tools are not perfect and face two major problems which are false positives and false negatives. A false positive is where an IDS incorrectly identifies an activity to be malicious and a false negative is where an IDS fails to identify a malicious activity (University of Maryland Global Campus, 2021). A false positive and false negative can be determined by analyzing the results of an alert issued by the IDS. For example, if an alert is sent to an administrator about a successful login attempt, an analysis can be completed by the administrator to determine if the failed login attempt was malicious by identifying what IP address was used to complete the login. If the IP address is a known address, then it is a false positive; if the IP address is unknown, then that could be a false negative. False positives and false negatives can be tested by scanning the network and analyzing the results. The results of the scans can help administrators minimize false negatives which are more dangerous to the health of the network than false positives. A way to reduce the number of false positives and false negatives is to conduct a statistical analysis of the IDS in use. The numbers provided can measure the accuracy of the IDS; if the numbers are high, that could indicate the IDS is inefficient because of the extra workload put on administrators (University of Maryland Global Campus, 2021). USAA can reduce this issue by adopting a network intrusion analysis and network traffic analysis schedule using tools such as Snort and Wireshark. Snort is a free open-source program used for detecting and preventing malicious attacks on networks. If consistent scans are completed, the administrators can be able to tweak the IDS signatures reducing the number of false positives and negatives yielded. Wireshark is also a free open-source packet analyzer that can be used for network troubleshooting and analysis. Combining Wireshark with Snort provides the ability to be alerted of a possible false positive or false negative and the ability to make a concise determination.

Network Traffic Analysis

A network analysis and forensics analysis were conducted on the USAA network to try to determine what may have allowed the breach to occur. USAA uses the Snort IDS for intrusion detection and an issue encountered was that there were no alerts to notify administrators of the malicious activity. An initial scan was completed and no alerts were reported, which allowed the false negatives to occur which is displayed in figure 4 below.

Figure 4. Initial Snort Result

A review of the current rule set determined that six rule sets were commented out which is a notification to Snort to ignore that particular rule and continue with the scan. After enabling the rule sets, Snort was able to properly alert the administrator of 28,000 alerts as displayed in figure 5 below.

Wireshark was used to then analyze the network traffic by capturing packets that used the SMB, DNS and HTTP protocols. After analyzing the packets, it was determined the SMB and DNS protocols displayed numerous queries with multiple errors, so it is recommended further investigation is needed into the errors to ensure the attempts to access were from legitimate sources. HTTP displayed numerous GET requests of images, so further investigation maybe needed to analyze the images for malicious content; the program Stenographer could be used to analyze the images. It is recommended USAA conduct a review and revise of their current rule sets in order to minimize the false positive and false negative alerts. This will help administrators focus on actual real threats to the network.

Other Tools and Techniques

After analyzing USAA’s network, it appears the security methods in place to protect the network are in good standing; however, there are other tools that will help strengthen the security posture of the network. The tool Metasploit is a great tool to use that can evaluate the security status of the network, monitor the network and detect threats. Nmap is another tool to use that can monitor host traffic times, determine what ports are open and vulnerable to give a better understanding of which ports can be open or closed. Since USAA does not use an IPS, it is recommended to add it to the network to compliment the IDS that is in place. The IDS will only detect the possible malicious activity and the IPS can add an extra layer of defense by preventing some malicious activity from the network. Lastly, upgrade the current firewall to a next generation firewall such as the FortiGate 4400F. The FortiGate 4400F is a hyper-scale firewall that, manages all security risks to include 5G networks with encryption, high port density and high-speed data center interconnects (Fortinet, 2021). The mentioned tools can help USAA reduce the risk of attackers penetrating the network.