Avoiding Popular Network Security Errors

In mid-September it became known that almost 2 TB of data had leaked, containing information on the operation of the system of operational-search measures (SORM) in the network of a Russian telecom operator. The leak was caused by a misconfigured rsync backup utility. Errors of this kind are a common cause of problems at large companies. In this article we analyze the seven most common network security errors and explain how they can be detected and eliminated.

A common reason attacks succeed in spreading inside a network is errors in the configuration of communication channels or of data processing and storage systems, together with violations of information security (IS) regulations. All this reduces the effectiveness of the protective tools in use and raises the attackers' chances of breaking in and developing the attack. During incident investigation and traffic analysis projects, our team at PT Expert Security Center regularly finds typical errors in the configuration of information systems and violations of corporate IS regulations. Let's see what these errors are.

7 common network security errors

As our practice shows, in 9 out of 10 organizations, regardless of their size or field of activity, the following errors are most often encountered:

  1. Transmission of credentials over the network in clear text.
  2. Unencrypted mail messages.
  3. Use of remote access utilities.
  4. Use of the LLMNR and NetBIOS broadcast protocols.
  5. Network configuration errors.
  6. Tor, VPN tunnels and other tools that hide network activity.
  7. Misuse of systems (cryptocurrency miners, torrents).

The causes of these errors are insufficient attention to information security, the absence or violation of IS and IT regulations in the organization, mistakes in setting up systems and, in large corporate networks, the sheer difficulty of verifying that configurations are correct.

Next, we discuss each error in turn: what consequences it can lead to, how it can be identified, and our recommendations for eliminating it.

Clear credential transmission over the network

Network protocols that transmit user credentials in plain text are still in use: HTTP, mail protocols without encryption, LDAP and Telnet. According to our research, storage of important information in open form on network resources was found in 44% of the organizations where we conducted a security analysis. Once the network is compromised, an attacker can passively intercept credentials, consolidate their presence in the infrastructure and escalate their privileges.

Example of credentials transmitted in the clear, identified with PT NAD

In the video, we showed how to use the PT Network Attack Discovery (PT NAD) traffic analysis system to check whether credentials are transmitted over the network in clear text. To do this, we filtered network sessions in PT NAD with a password filter. This allowed us to find credentials being transferred for a web application, in our case the Zabbix monitoring system. With a privileged account on the Zabbix server, an attacker most often gains the ability to remotely execute commands on every system connected to monitoring. The demonstration also shows how to analyze traffic for the use of open network protocols (LDAP, FTP, HTTP, POP3, SMTP, Telnet) and extract user accounts from it.
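The same check, extracting accounts from reassembled sessions of open protocols, can be scripted outside a traffic analysis product. The following is an added example, not code from the article or from PT NAD; it assumes that each session payload has already been reassembled into one string (the session ids, hosts and credentials below are constructed), and it reports the exposed username while masking the password so the report itself does not re-leak the secret.

```python
import base64
import re

# Constructed sample session payloads (assumption: one string per reassembled
# TCP session, not real captures). Hosts and credentials are invented.
SAMPLE_SESSIONS = {
    "http:10.0.1.15->10.0.2.7:80": (
        "GET /zabbix/index.php HTTP/1.1\r\n"
        "Host: zabbix.corp.example\r\n"
        "Authorization: Basic "
        + base64.b64encode(b"zabbix-admin:Winter2019!").decode()
        + "\r\n\r\n"
    ),
    "ftp:10.0.1.22->10.0.3.5:21": "USER backup\r\nPASS Backup#123\r\nPWD\r\n",
    "pop3:10.0.1.40->10.0.3.9:110": "USER j.smith\r\nPASS letmein\r\nSTAT\r\n",
    "smtp:10.0.1.40->10.0.3.9:25": (
        "EHLO ws-40\r\nAUTH PLAIN "
        + base64.b64encode(b"\x00mailer\x00relay-pass").decode()
        + "\r\nMAIL FROM:<a@corp.example>\r\n"
    ),
    # A TLS session: only handshake bytes, nothing readable.
    "https:10.0.1.15->10.0.2.7:443": "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}

# HTTP Basic: base64("user:password") in the Authorization header.
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
# FTP and POP3 share the USER / PASS command pair, possibly with commands in between.
USER_PASS_RE = re.compile(r"^USER\s+(\S+)\r?\n(?:.*\r?\n)*?PASS\s+(\S+)", re.M)
# SMTP AUTH PLAIN: base64("\0user\0password") (SASL PLAIN, RFC 4616).
AUTH_PLAIN_RE = re.compile(r"AUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)", re.I)


def _b64(token):
    """Decode a base64 token, returning None instead of raising on garbage."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:
        return None


def find_cleartext_credentials(payload):
    """Return a list of (method, username, password) found in one session payload."""
    found = []
    for m in BASIC_RE.finditer(payload):
        raw = _b64(m.group(1))
        if raw and b":" in raw:
            user, _, pw = raw.decode("utf-8", "replace").partition(":")
            found.append(("http-basic", user, pw))
    for m in USER_PASS_RE.finditer(payload):
        found.append(("user-pass", m.group(1), m.group(2)))
    for m in AUTH_PLAIN_RE.finditer(payload):
        raw = _b64(m.group(1))
        parts = raw.split(b"\x00") if raw else []
        if len(parts) == 3:
            found.append(("sasl-plain",
                          parts[1].decode("utf-8", "replace"),
                          parts[2].decode("utf-8", "replace")))
    return found


def mask(secret):
    """Keep only the length of a secret so the report does not re-leak it."""
    return "*" * len(secret)


def scan_sessions(sessions):
    """Map session id -> [(method, username, masked password)] for sessions
    that carried credentials in the clear."""
    report = {}
    for sid, payload in sessions.items():
        hits = find_cleartext_credentials(payload)
        if hits:
            report[sid] = [(method, user, mask(pw)) for method, user, pw in hits]
    return report


if __name__ == "__main__":
    for sid, hits in scan_sessions(SAMPLE_SESSIONS).items():
        for method, user, masked in hits:
            print(f"{sid}: {method} user={user} password={masked}")
```

Every hit is a session that should not exist once the fixes below are applied; the TLS session produces nothing because the credential never appears in readable form, which is exactly the difference the migration to HTTPS, LDAPS, IMAPS and SSH makes.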

More details on the video:

There are several ways to eliminate the transfer of credentials in the clear.

  1. Web servers: switch from HTTP to HTTPS. To switch to the secure HTTPS protocol, you need to configure an SSL certificate and a redirect from HTTP addresses to HTTPS. On the organization's internal resources it is acceptable to use self-signed certificates, having first set up an internal certification authority. For publicly available resources, it is best to use certificates issued by a trusted certificate authority.
  2. LDAP: configure clients to authenticate through Kerberos, or use the secure version of the protocol. For Kerberos authentication, configure clients to use the SASL GSSAPI or GSS-SPNEGO authentication mechanisms. For secure TLS authentication, enable LDAPS on the server according to its instructions, then configure clients to use TLS (LDAPS) when connecting to the LDAP server.
  3. Mail protocols: configure clients and servers to use TLS. Instead of standard POP3, IMAP and SMTP, we recommend configuring your organization's clients and servers to use their secure counterparts POP3S, IMAPS and SMTPS according to the instructions of your mail server. Note that if TLS is made mandatory, messages may not be delivered to servers that do not support encryption.
  4. Telnet: switch to SSH. You should completely abandon the Telnet protocol and replace it with the secure SSH protocol.
  5. FTP: upgrade to SFTP or FTPS. FTPS is the SSL version of FTP and requires an SSL certificate to operate. SFTP is a file transfer protocol that most often runs over SSH, so it requires less configuration on servers that already use SSH.

Unencrypted Mail Messages

The next common mistake is the use of open mail protocols on the path from the organization's server to an external mail server. As a result, messages that are transmitted in a secure form inside the network can later cross the Internet in the open, and an attacker with access to external network traffic (for example, through an Internet provider) can easily read any information in them.

To search for unprotected outgoing mail leaving for an external network, we used PT NAD filters on the SMTP protocol and on source and destination addresses. To exclude encrypted connections, we added a filter on the STARTTLS command. As a result, we found a message with an attachment transmitted in clear text.
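The filter described above (SMTP, external destination, no STARTTLS) can be expressed as a small check over captured SMTP dialogs. This is an added example, not code from the article or from PT NAD; it assumes the dialogs have been split into client and server lines, and the internal address ranges, hosts and transcripts are constructed. It distinguishes the case where the remote server offered STARTTLS and the client ignored it (a client configuration problem) from the case where the remote server never offered it.

```python
import ipaddress

# Assumed internal address space (not from the original article).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed SMTP transcripts, one per session: ("C", line) is sent by the
# client, ("S", line) by the server. Hosts and addresses are invented.
SESSIONS = [
    {"src": "10.0.5.2", "dst": "203.0.113.10", "lines": [
        ("S", "220 mx.partner.example ESMTP"),
        ("C", "EHLO mail.corp.example"),
        ("S", "250-mx.partner.example"),
        ("S", "250-STARTTLS"),                    # offered by the remote side...
        ("S", "250 SIZE 52428800"),
        ("C", "MAIL FROM:<cfo@corp.example>"),    # ...but the client goes on in the clear
        ("S", "250 OK"),
        ("C", "RCPT TO:<legal@partner.example>"),
        ("S", "250 OK"),
        ("C", "DATA"),
        ("S", "354 End data with <CR><LF>.<CR><LF>"),
        ("C", "Subject: Draft contract"),
        ("C", 'Content-Type: application/pdf; name="contract.pdf"'),
        ("C", 'Content-Disposition: attachment; filename="contract.pdf"'),
        ("C", "."),
        ("S", "250 OK: queued"),
    ]},
    {"src": "10.0.5.2", "dst": "198.51.100.25", "lines": [
        ("S", "220 mx.other.example ESMTP"),
        ("C", "EHLO mail.corp.example"),
        ("S", "250-mx.other.example"),
        ("S", "250 STARTTLS"),
        ("C", "STARTTLS"),
        ("S", "220 2.0.0 Ready to start TLS"),
        # from here on the session is encrypted and nothing more is readable
    ]},
    {"src": "10.0.5.2", "dst": "192.0.2.40", "lines": [
        ("S", "220 mx.legacy.example ESMTP"),
        ("C", "EHLO mail.corp.example"),
        ("S", "250 mx.legacy.example"),           # no STARTTLS offered at all
        ("C", "MAIL FROM:<hr@corp.example>"),
        ("S", "250 OK"),
    ]},
    {"src": "10.0.1.40", "dst": "10.0.3.9", "lines": [
        ("S", "220 mail.corp.example ESMTP"),
        ("C", "EHLO ws-40"),
        ("S", "250 mail.corp.example"),
        ("C", "MAIL FROM:<user@corp.example>"),   # internal hop, outside this check
    ]},
]


def classify_smtp_session(lines):
    """Return (state, has_attachment) for one transcript.

    state is "encrypted" when STARTTLS was negotiated before any mail data,
    "plaintext_tls_offered" when the server advertised STARTTLS but the client
    ignored it, and "plaintext_tls_not_offered" when the server never offered it.
    """
    offered = client_asked = has_attachment = False
    for who, line in lines:
        upper = line.upper()
        if who == "S" and upper.startswith(("250-STARTTLS", "250 STARTTLS")):
            offered = True
        elif who == "C" and upper == "STARTTLS":
            client_asked = True
        elif who == "S" and client_asked and upper.startswith("220"):
            return "encrypted", False   # TLS handshake follows; payload is invisible
        elif who == "C" and upper.startswith("CONTENT-DISPOSITION: ATTACHMENT"):
            has_attachment = True
    state = "plaintext_tls_offered" if offered else "plaintext_tls_not_offered"
    return state, has_attachment


def is_external(address):
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in INTERNAL_NETS)


def find_unencrypted_external_mail(sessions):
    """List (src, dst, state, has_attachment) for plaintext sessions leaving the network."""
    findings = []
    for s in sessions:
        if not is_external(s["dst"]):
            continue
        state, attach = classify_smtp_session(s["lines"])
        if state != "encrypted":
            findings.append((s["src"], s["dst"], state, attach))
    return findings


if __name__ == "__main__":
    for src, dst, state, attach in find_unencrypted_external_mail(SESSIONS):
        print(f"{src} -> {dst}: {state}{' (attachment in clear)' if attach else ''}")
```

The "plaintext_tls_offered" result is the one worth fixing first, since it is resolved purely on your own side by enabling opportunistic or mandatory TLS on the outgoing server; "plaintext_tls_not_offered" is the case the list below warns about, where forcing TLS will stop delivery to that peer.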

More details on the video:

Possible solutions to this error:

  1. Configure the server to force TLS when sending mail (but in this case messages may not be delivered to servers that do not support encryption).
  2. Configure the use of S/MIME, a standard for sending encrypted and digitally signed messages. This requires setting up the mail client and an S/MIME certificate.
  3. Apply PGP. Forced use of PGP will also exclude transmission of messages in the clear, but it requires additional configuration on clients and transferring the public key to recipients. This option is better suited to special cases.

Using Remote Access Utilities

Employees often use remote access tools (RATs) such as TeamViewer, Ammyy Admin, RMS and others. If internal IS policies allow this, then when an attacker uses the same tools it becomes difficult to distinguish their illegitimate use from legitimate use.

Connections via TeamViewer can be detected with a traffic analysis system. In our case, we found two such network sessions. If the organization prohibits the use of remote control utilities, an information security specialist should investigate to establish the source of the activity.

Another mechanism for detecting RAT use is predefined rules. In the video, with their help we discovered the use of the Remote Admin utility.

More details on the video:

Recommendations for resolving the violation:

  1. Monitor the use of remote management utilities. Develop IS regulations prohibiting the unauthorized use of remote management utilities, and monitor compliance with them. RATs can also be blocked at the level of some network security tools, such as an NGFW.
  2. Differentiate the rights of local users on workstations. If users are not granted excessive administrative rights, including the ability to install programs on work computers, they will not be able to deploy such utilities.
  3. Introduce a software whitelisting policy. This is the most reliable but most time-consuming solution. Draw up a list of approved ("white") software for the organization, ensure that all nodes run software only from this list, and keep the list up to date. For configuration you can use AppLocker, which is included with Windows.

Using LLMNR and NetBios Broadcast Protocols

Another problem with the network settings of organizations is the use of the LLMNR and NetBIOS protocols, which are susceptible to spoofing. These protocols allow the names of neighboring computers to be resolved through broadcast requests in the local L2 network segment, without using a DNS server. They are also used automatically when DNS is unavailable. An intruder who has penetrated the company's internal network can use them to conduct a man-in-the-middle (MITM) attack: the attacker responds to a broadcast request and thereby redirects the victim's requests to a server under the attacker's control, which allows authentication data to be intercepted.

We tried to identify the use of these protocols with the "Application Protocols" widget in PT NAD. We found that, in addition to the usual protocols, LLMNR and NBNS were in use. By adding them to the filter we also found all the clients that sent requests over these protocols.

Video:

To fix this error, you need to:

1. Disable LLMNR. To do this, first configure DNS on the clients. LLMNR can be disabled with the "Turn Off Multicast Name Resolution" group policy in the "Computer Configuration -> Administrative Templates -> Network -> DNS Client" section. To disable LLMNR, the policy value must be set to "Enabled".


2. Disable NetBIOS. To do this, use the dhcpmgmt.msc snap-in: Server Options -> Advanced tab -> Microsoft Windows 2000 Options -> Microsoft Disable Netbios Option. Set the value to 0x2.

3. You can also disable NetBIOS support by running a PowerShell script on the nodes via the Scripts group policy in the Computer Configuration -> Policies -> Windows Settings section. Add a startup PowerShell script with the following contents:

# Registry branch holding the per-adapter NetBIOS over TCP/IP settings
$regkey = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
# NetbiosOptions = 2 disables NetBIOS over TCP/IP on every adapter
Get-ChildItem $regkey | ForEach-Object { Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }

This script sets the NetbiosOptions parameter to 2 for all network adapters in the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces.

If the infrastructure has nodes running Windows XP or Windows 2000, disabling NetBIOS may affect their operation.

Network configuration errors

The most common errors associated with incorrect network configuration:

  1. Unnecessarily "trusting" relationships between subnets. This covers access control problems between subnets that make unauthorized network access between the organization's internal subnets possible. As a result, an attacker who compromises a small part of the network can easily take control of key nodes across the entire network.
  2. Access of infrastructure nodes to external DNS servers. When an internal domain name system is used, DNS queries should be processed only by the organization's own DNS servers. If DNS on the clients is configured incorrectly, a request to a public DNS server risks leaking internal domain names and bypasses the filtering of known malware command server addresses.
  3. Network and service ports open to the outside world without any need for it (for example, databases). This gives an attacker great opportunities for conducting an attack. For example, data on ambulance patients from the Moscow Region leaked to the network because it was stored in an insecure database.

To identify such errors, we used the PT NAD Network Connections tab, where all communications are presented as a graph. We tried to find connections from the DMZ subnet to the user subnet by setting up a filter by subnet. As a result, we found an unwanted network connection, as well as a triggered event: scanning with the nmap utility, which is an indicator of network reconnaissance.

We also tried to find connections from the external network to the DMZ subnet. Analyzing the application protocols, we saw active use of service protocols, as well as an event: an attempt to exploit the EternalBlue vulnerability, which caused the notorious WannaCry epidemic.

Next, we checked that DNS was operating correctly. To do this, we filtered the traffic by protocol and selected IP addresses outside the local network as the recipient. As a result, we found DNS queries to Google servers coming from a user segment.
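The checks from this section and from the LLMNR/NetBIOS section above all reduce to questions about who talks to whom on which port, so they can be run over exported flow records as one pass. The following is an added example, not code from the article or from PT NAD; the segment ranges, approved resolver and flow records are constructed assumptions, and it generalizes the text by also flagging Internet-to-DMZ connections on service ports (SMB, RPC, RDP and common database ports), which is where the EternalBlue attempt above would land.

```python
import ipaddress
from collections import defaultdict

# Assumed segmentation (not from the original article): a user segment, a DMZ,
# the whole internal range, and the only resolvers clients should talk to.
USER_NET = ipaddress.ip_network("10.0.1.0/24")
DMZ_NET = ipaddress.ip_network("10.0.100.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_DNS = {ipaddress.ip_address("10.0.0.53")}
LLMNR_GROUP = ipaddress.ip_address("224.0.0.252")        # LLMNR multicast group, UDP 5355
SERVICE_PORTS = {135, 139, 445, 1433, 3306, 3389, 5432}  # RPC, NetBIOS/SMB, MSSQL, MySQL, RDP, PostgreSQL

# Constructed flow records: (src, dst, proto, dst_port). Addresses are invented.
FLOWS = [
    ("10.0.1.15", "224.0.0.252", "udp", 5355),   # LLMNR name query
    ("10.0.1.15", "10.0.1.255", "udp", 137),     # NBNS broadcast name query
    ("10.0.1.22", "224.0.0.252", "udp", 5355),
    ("10.0.1.40", "8.8.8.8", "udp", 53),         # DNS sent to a public resolver
    ("10.0.1.40", "10.0.0.53", "udp", 53),       # DNS to the internal resolver: fine
    ("10.0.100.5", "10.0.1.15", "tcp", 445),     # DMZ host reaching into the user segment
    ("10.0.1.15", "10.0.100.5", "tcp", 443),     # user -> DMZ web service: expected
    ("203.0.113.7", "10.0.100.5", "tcp", 445),   # Internet -> DMZ on SMB
]


def analyze_flows(flows):
    """Group flows into the misconfiguration indicators discussed in the article.

    Returns a dict of indicator name -> sorted list of offending sources or pairs.
    """
    findings = defaultdict(set)
    for src, dst, proto, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Broadcast/multicast name resolution that should be disabled by policy
        if proto == "udp" and dport == 5355 and d == LLMNR_GROUP:
            findings["llmnr_clients"].add(src)
        elif proto == "udp" and dport == 137:
            findings["nbns_clients"].add(src)
        # DNS going anywhere but the organization's own resolvers
        elif proto == "udp" and dport == 53 and d not in APPROVED_DNS:
            findings["external_dns"].add((src, dst))
        # Segmentation violations: DMZ reaching users, Internet reaching DMZ services
        if s in DMZ_NET and d in USER_NET:
            findings["dmz_to_users"].add((src, dst, dport))
        if s not in INTERNAL_NET and d in DMZ_NET and dport in SERVICE_PORTS:
            findings["internet_to_dmz_service"].add((src, dst, dport))
    return {key: sorted(values) for key, values in findings.items()}


if __name__ == "__main__":
    for indicator, items in analyze_flows(FLOWS).items():
        print(f"{indicator}: {items}")
```

Each non-empty key maps to one of the fixes below: the LLMNR and NBNS lists are the hosts where the group policies have not taken effect, "external_dns" points at clients with the wrong resolver, and the two segmentation keys are the ACL and firewall rules that are missing between the DMZ, the user segment and the Internet.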

Video:

These errors can be fixed as follows:

  1. Configure access control lists (ACLs) on network equipment to correctly separate access rights between subnets. An ACL is a set of permit or deny rules for network traffic (in the context of network equipment). In most cases access lists are used for packet filtering at the border between the Internet and the private network, but filtering may also be required at the border between the DMZ and other subnets.
  2. Configure firewalls. Firewalls should be configured not only at the border with the external network, but also between the organization's internal subnets.
  3. Prohibit users from changing network settings. To do this, configure the setting in Windows Group Policy: "User Configuration -> Administrative Templates -> Network -> Network Connections".

Traffic hiding

Traffic hiding tools include VPNs, Tor, encrypting proxies and other encrypted tunnels. Their unauthorized and uncontrolled use can reduce the effectiveness of the organization's protective tools, lead to loss of control over the content carried in tunneled traffic, and give an attacker an encrypted tunnel into the organization's internal network if an employee's home computer is compromised.

To identify the use of these tools, the following filters are suitable: the tor-relays reputation list, which contains the current addresses of Tor network nodes, and a filter on the TLS protocol, since Tor masquerades as TLS. The TLS certificate used in the "suspicious" session is automatically generated, which is an indicator of a Tor network connection.

To detect VPNs and other tunnels, you can use a keyword filter on PPTP (Point-to-Point Tunneling Protocol), and to detect SOCKS5 traffic, the protocol filter we already know. This is how we found a VPN session with an external host and many connections over SOCKS5.

Video:

The measures that help with this problem were already covered above:

  1. Differentiation of the rights of local users.
  2. Whitelist policy for software.
  3. Configuring a firewall.
  4. Closing network ports.

Misuse of systems

Misuse of systems includes the use of cryptocurrency miners, BitTorrent clients and online games. Although this does not pose an immediate threat to security, it increases the load on computing systems and communication channels and carries the risk of malware being installed.

The miners reputation list, which includes the addresses of well-known mining pools and the blockchain nodes of various cryptocurrencies, helps to identify miners. With it we see a large number of DNS queries, which indicates that a crypto miner is running. Another indicator of a running crypto miner is triggered rules.

It's even easier with BitTorrent and online games: we use the BitTorrent filter to search for torrent traffic, and for online games we filter on the servers of popular online games. This helps to identify employees who spend their working time in ways the employer would not like.

Video:

Countermeasures are almost the same as in the paragraphs above:

  1. Differentiate the rights of local users.
  2. Whitelist policy for software.
  3. Update antivirus and its database.

To summarize

In most companies, we notice problems with correctly setting up extensive corporate networks and non-compliance with IS configurations, policies and regulations. This is due to the constant growth of networks and changes within them, as well as changes in the rules and policies themselves. Here are general guidelines that avoid many of the errors:

  1. Minimize the use of open protocols.
  2. Control the separation of network access between segments.
  3. Differentiate user rights.

At the same time, there are already tools on the market that can monitor network activity within an organization and timely detect both configuration errors and malicious activity. One such system is PT Network Attack Discovery.

Author: Alexey Lednev, Senior Specialist. PT Expert Security Center
