This article has been written by Mayank Bhandari pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. This article has been edited by Zigishu Singh (Associate, Lawsikho) and Ruchika Mohapatra (Associate, Lawsikho).
Table of Contents
In today’s world where humanity is veering towards digitization, the protection of digital data has become of utmost priority. Almost all the industries, sectors, and lines of work have a digital presence either through social media or a website. While the digital world seems to be running smoothly, Network intrusion enters in the picture and disrupts digital peace by jeopardizing the security of the networks and stealing valuable information and data from the encroached network. Cyber security plays a pivotal role in thwarting intrusion attempts and protecting network resources and data. It is a constant tussle between the cyber-security personnel and the intruders or hackers, and viewing the situation in a different light, it is almost a test of skills for both sides and a layman would easily become the victim of such an intrusion without a cyber-security professional beside him. We need to be more attuned to the idea of such intrusions and should have a brief idea about the various intrusion stratagems and Network intrusions. Network intrusions are at an all-time high as the majority of businesses and industries are digitized in our contemporary world and a multiplicity of laws have also been enacted in various nations across the globe including India.
Why should one be concerned about data breach?
Any company that has an internet connection is vulnerable to network intruders. Blocking services you don’t need at your network’s entry point (through a network firewall) or on your machine is the best approach to stop them (by a personal firewall). An intruder, on the other hand, may try to break in by using services you use regularly, such as online surfing or email. In this instance, an intrusion prevention system (IPS) is required to prevent unauthorized access.
The cost of a data breach is increasing. According to a recent IBM report, the average cost of a data breach has increased by 12% in the last five years, reaching $3.92 million per event. Furthermore, data breaches resulting from hostile digital assaults were both the most prevalent and the most expensive examples of security events, according to this report. The cost of these breaches was $4.45 million per event, roughly one million dollars higher than the cost of a breach caused by a system flaw or human error. Here are 6 phases through which the attacker initiates and executes a network intrusion:
- In the first phase, the attacker studies the type of network they are looking to intrude, trying to understand the functionalities of the network and finding vulnerabilities to exploit. A lot of research is generally done in the process.
- In the second phase, the hackers seek an initial exploitation route to obtain access to their target’s network. Spear-phishing, water-holing attacks, leveraging a known CVE(Common Vulnerabilities and Exposures) vulnerability, or SQL(Structured Query Language) injection are common examples of this phase.
- In the third phase, attackers that succeed in gaining initial exploitation want to stay in the network for a long time. They usually accomplish this through increasing privileges, locating Run Keys, or gaining access to scripts.
- In the fourth phase, the hackers are certain that they can remain undetected on a network; they may begin their nefarious activity by installing tools. Attackers frequently start with simple tools and work their way up to heavier, more complicated scripts and programs that do the “real” job.
- In the fifth phase, the hacker starts moving laterally in and around the network to look for what they are really after.
- In the sixth phase, the attacker completely controls their target and all they need to do is look for what they are after and leave the network undetected.
Various ways through which attackers tend to intrude on the networks
- Stolen data: Attackers generally utilize the existing data, devices and processes and stolen credentials when compromising networks. These devices, like operating system utilities, business productivity software and scripting languages do not tend to pop up on the radar as malware and have very legitimate usage as well. In reality, in the majority of the situations; the use is justified by business, allowing an attacker to blend in.
- Absence of a single route: If a network allows for asymmetric routing, attackers will frequently use numerous routes to get access to the targeted device or network. By having a substantial fraction of suspicious packets transit particular network segments and any relevant network intrusion systems, they can avoid being noticed.
- Buffer overwriting: Attackers can substitute regular data in specified parts of computer memory on a network device with a barrage of commands that can subsequently be utilised as part of a network incursion by overwriting certain memory locations. If boundary-checking logic is introduced and executable code or malicious strings are recognised before they can be put to the buffer, this attack approach becomes much more difficult to execute.
- Protocol attacks: Protocols like ARP(Address Resolution Protocol), IP(Internet Protocol), TCP(Transmission Control Protocol), UDP(User Datagram Protocol), ICMP(Internet Control Message Protocol), and many application protocols might leave network breaches accidentally exposed, For example, attackers frequently mimic protocols or spoof protocol messages in order to undertake man-in-the-middle attacks and get access to data they wouldn’t otherwise have, or to crash targeted devices on a network.
- Flooding: Attackers can cause chaos and congestion in network settings by producing traffic loads that are too enormous for systems to fully filter, allowing them to carry out assaults without being discovered.
There are a plethora of known and unknown techniques through which attackers indulge in network intrusions. After the completion of such intrusions the attackers initiate the cover up process via:
- Deletion of Logs: Attackers can make it virtually hard to figure out where and what they have accessed by erasing access records (that is, without enlisting the help of an extensive cyber forensics team). Regular log reviews and centralised logging can assist mitigate this issue by preventing attackers from tampering with logs of any type or location.
- Use of encryption: One of the simplest strategies attackers may execute to mask their movements from network-based detections is to encrypt data taken from an organization’s network environment (or just cloak any outgoing traffic so it seems normal).
- Use of Root-kits: Root-kits, or software that allows unauthorized users to obtain control of a network without being noticed, are especially successful at hiding attackers’ footprints since they allow them to explore and exploit systems at their leisure.
Detection and prevention of network intrusion
The IPS is generally installed immediately behind the firewall and acts as a second layer of inspection, filtering out potentially harmful information. Unlike its predecessor, the Intrusion Detection System (IDS), which is a passive system that analyses traffic and alerts threats, the IPS is installed inline (directly between source and destination), actively evaluating and taking automatic actions on all traffic flows that enter the network. These activities are more specific:
- An alarm is sent to the administrator (as would be seen in an IDS) getting rid of the harmful packet traffic from the source address.
- Re-establishing the link to avoid decreasing network performance, the IPS must function efficiently as an inline security component.
It must also be quick, because exploits might occur in real time. In order to reduce threats and false positives, the IPS must detect and respond properly (legitimate packets misread as threats).
Unified Threat Management (UTM) from Seqrite is a one-stop shop for all business security needs, with intrusion detection and prevention included as standard. The built-in IDS and IPS components of UTM keep businesses safe by Real-time threat monitoring, evaluation, and detection Denial of Service (DoS) and avoidance of Distributed Denial of Service (DDS) attacks.
Keeping attackers from discovering open ports, Seqrite UTM’s IPS functions as a security barrier against unauthorised network intrusions and prevents a wide range of DoS and DDoS assaults from gaining access to your network. This level of security may benefit a company in a number of ways, including; providing a quick picture of network security within the network and protection of enterprise assets Triggers are set off when a suspected breach or activity in the network is detected. There a number of methods and systems to prevent network intrusions:
- NIPS (network-based intrusion prevention system): It analyses protocol behaviour to monitor the whole network for suspicious traffic.
- Wireless intrusion prevention system (WIPS): It analyses wireless networking protocols to monitor a wireless network for suspicious traffic.
- Network Behavior analysis (NBA) analyses network data to identify threats that cause anomalous traffic patterns, such as distributed denial of service assaults, certain types of malware, and policy breaches.
- HIPS stands for host-based intrusion prevention system. It’s a built-in software package that monitors a single host for suspicious behavior by examining events that take place on that host.
The Bangladesh Bank robbery, sometimes known as the Bangladesh Bank cyber heist, was a theft that occurred in February 2016. Security hackers used the SWIFT network to send 35 bogus orders to transfer over $1 billion from a Federal Reserve Bank of New York account belonging to Bangladesh Bank, the country’s national bank. Five of the thirty-five forged orders were successful in moving US$101 million, with US$20 million going to Sri Lanka and US$81 million going to the Philippines. Due to suspicions prompted by a misspelt command, the Federal Reserve Bank of New York denied the remaining thirty transactions, totaling US$850 million. Since then, all of the money sent to Sri Lanka has been retrieved. However, only around $18 million of the $81 million sent to the Philippines has been retrieved as of 2018. The majority of the money sent to the Philippines ended up in four personal accounts controlled by single people, rather than firms or corporations.
Network Intrusions are going to pose an even greater threat in the times to come and corporations, government and individuals need to become more vigilant about their digital data and networks. As the attackers perpetually invent and discover new methods to intrude and break in the system, the defenders should simultaneously tackle such attacks and intrusions and strive to build a robust security system consisting of both preventive and detection functionalities. Network protection will be of utmost importance in times to come if it isn’t already.
- IBM Study Shows Data Breach Costs are on the Rise (tripwire.com)
- 6 Stages of Network Intrusion and How to Defend Against Them (tripwire.com)
- Network Intrusion Definition & Examples | Awake Security.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:https://t.me/joinchat/L9vr7LmS9pJjYTQ9