Home / Blogs

Network Security: How Attackers Gain Access from Inside

Most people—mistakenly—believe that they are perfectly safe behind a firewall, network address translation (NAT) device or proxy. The fact is quite the opposite: if you can get out of your network, someone else can get in. Attackers often seek to compromise the weakest link in a network and then use that access to attack the network from the inside, commonly known as a “pivot-and-attack.”

Two Common Ways Attackers Use “Pivot-and-Attack”

Phishing is a common avenue for attackers to gain an inside pivot point. Attackers often use two phishing techniques to enter a network in order to pivot and attack:

  • An attacker may send an email to an individual distribution list with the goal of luring users to follow a URL or execute a program/attachment that loads a specific type of malware via their web browser. Once the malware is loaded, it can be used as a gateway into your internal network. Not all computers that are infected by malware are the target of an attack; some are just stepping stones to gain access to the internal network where pivot-and-attack will begin.

OR

  • An attacker may use vulnerable plug-ins that may be targeted by using a phishing technique where the attacker could be waiting to scan your browser for vulnerable plug-ins. Once a vulnerable plug-in has been located, the attacker can enter your system and migrate from the browser to another process.

A favorite next step for attackers is to migrate to an anti-virus process, because most anti-virus programs do not self scan, thereby making it even easier to avoid detection. Migrating to another process enables the hacker to maintain the connection to the user’s computer, even after the browser is closed. The hacker will then either attempt to elevate privileges and load a root kit or simply use that system to pivot and attack.

Where are the Vulnerabilities?

The most common cause behind the presence of vulnerable applications: failing to stay on top of security updates, either because of lack of time; an administrative policy failing to allow for frequent updates; or updates breaking custom programs/applications.

Why Should You Worry About Traffic Coming From Inside Your Network?

It is common for companies to think that no one inside the company would initiate an attack on the internal network. With a large amount of companies configuring their firewall rules to protect their internal assets only from external sources, attackers “on the inside” have an excellent vector from which to pivot and attack.

Keeping up to date on patches and security updates is a good start toward protecting your network. Installing an intrusion detection system (IDS) or intrusion prevention system (IPS) is a good way to catch some of the internal intrusions, but any security control needs to be re-assessed periodically to make sure it is catching everything. It is important, for example, to know that your IDS/IPS rules are capturing known exploit command executions and even common machine-level shell code that is being executed from within the exploit.

Network security is a balancing act between security and accessibility. There is no hard and fast way to achieve and/or maintain perfect security on any network. The goal of any security controls and countermeasures should be to defend your network while maintaining ease of use and accessibility. The most important idea to take away from this article is that you must maintain security from the inside just as you do from the outside.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Josh Wilson, Engineer, Professional Services at NeuStar

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC