Detection of Firewalling to Professionalize Attacks

Detection of Firewalling to Professionalize Attacks

Marc Ruef
by Marc Ruef
time to read: 5 minutes

During our security checks it’s not unusual that auditors, clients and partners discuss vulnerabilities and risks. This discussion, assuming that it is civil and all people involved respect each other, is of great importance. Because during those discussions, the quality of the project itself as well as the overall understanding of the subject of information security will talked about.

Some of our clients are less versed in recognizing the real-life risks of an attack scenario. Sometimes, the technical understanding of the attack mechanism is lacking. Other times, it’s the understanding of the psychology of an attacker.

As an example: When we find reason to believe that a firewall component is used during one our of our network analyses, then we might classify this as a medium finding. Medium means that the vulnerability presents a means for an attacker to gain advantages in preparing an conducting an attack.

There are typical indicators in network traffic that hint at the use of a packet filter:

Nmap detects a filtered port

Where is this risk that comes from using this seemingly marginal information? As an attacker, it’s important to know that the target environment is using security component, which mechanisms are deployed and predicting how those mechanisms react. In case a packet filter can be identified, it’s reasonable to assume that certain communication is limited and certain activities are protocolled or that they cause an alert. Therefore, a highly professional attacker is keen on adapting various means, mainly the following:

The example of the packet filter in this article is just that, an example. Similar effects are observable in other seemingly unimportant analyses.

It’s part of an operator’s responsibility to mask the use of security mechanisms to shield them from detection or to at least make finding them difficult. This robs highly professional attackers of the possibility to adjust to their target environment easily. The chances that the mechanisms go undetected and therefore block intruders get higher. This should be the immediate goal for vulnerabilities that, at first glance, seem to be nothing but a minor risk. Every improvement in an environment is of advantage to its operators.

About the Author

Marc Ruef

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The last one called The Art of Penetration Testing is discussing security testing in detail. He is a lecturer at several universities, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)

Links

You want to test the security of your firewall?

Our experts will get in contact with you!

×
Ransomware Detection, Defense, and Analysis

Ransomware Detection, Defense, and Analysis

Marc Ruef

Data Markets

Data Markets

Marc Ruef

Password Leak Analysis

Password Leak Analysis

Marc Ruef

MITRE ATT&CK

MITRE ATT&CK

Marc Ruef

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here