Original Post from Rapid7
Author: Darragh Delaney
Continuously monitoring your network activity for signs of attack is a great way to catch hackers and breaches before they become problems. However, network traffic data can be overwhelming in its sheer volume, not to mention its complexity. Wading through the noise is a top priority for security professionals so they can detect threats early and react swiftly.
Network traffic analysis (NTA) gives you deeper visibility into any network, letting you monitor and troubleshoot both security and operational issues at any location on the network. Here are three common threats to keep an eye out for in your network data:
1. Suspicious traffic
Over the past few years, attackers have turned more and more to infiltrating networks through various protocols to wreak havoc on infrastructure. Keeping an eye on inbound and outbound traffic can help you recognize bad actors before they cause problems. Here are a few common entry points for hackers to your network:
Remote Desktop Protocol (RDP)
If your organization is a Windows shop, you probably know that Remote Desktop Protocol (RDP) is pre-installed on Windows PCs. It’s a useful tool for IT professionals to fix common issues with desktops and laptops within organizations. However, it’s also a vulnerable entry point for hackers, especially if your organization hasn’t been keeping up with security patching.
Hackers can use RDP to gain access to sysadmin passwords, and from there, they can install ransomware, setting your organization up for some major headaches. They can also sell the stolen credentials to third parties who can use them against you weeks or even months after they’ve been compromised. It is strongly advisable to continuously monitor your network traffic for use of this protocol across your network.
Microsoft SQL Server
Microsoft SQL Server (MSSQL) systems are often targeted on networks. Password dictionary attacks against the SA account are the most common. Some networks leave MSSQL ports open on firewalls to allow vendor access to databases, or the MSSQL servers are used as part of the website infrastructure and are left exposed to the Internet. Data from Rapid7 research teams shows that the main TCP port used by MSSQL (1433) is one of the most commonly scanned ports today.
Network traffic analysis allows you to track and alert on unusual MSSQL port activity. It is recommended to set up alerts to notify security and network administrators when external clients attempt to connect to MSSQL servers.
Telnet
Telnet users are becoming rarer these days, but if you’re a die-hard lover of the old client-server protocol, you may still use it for a virtual terminal connection. Telnet is extremely easy to hack into, simply because it’s not encrypted and sends information in plaintext. You can use Secure Sockets Layer (SSL) to secure communications sessions on Telnet, but most security-minded IT professionals have opted to move to SSH instead (see below).
Secure Shell Protocol
Secure Shell Protocol (SSH) has all but replaced Telnet, at least in organizations where security is a main concern. Unlike Telnet, SSH is encrypted and allows you to operate network services securely over an unsecured network. Because it’s so common in modern IT infrastructure, it’s also a common attack vector. Generally, hackers will use brute-force attacks to discover valid login credentials in an SSH environment.
Server Message Block
Server Message Block (SMB) gives your team shared access to files, printers, and serial ports in a network. It’s been around since the 1990s, including an iteration called Common Internet File System (CIFS), which was part of Windows NT 4.0 in 1996. Hackers can use a number of methods to infiltrate your network through the SMB protocol, including an SMB relay attack. Poorly configured SMB services and old, vulnerable versions (SMBv1) are also a pathway into your network that hackers would be happy to exploit.
2. Weak encryption protocols
While exploiting common network protocols is one way hackers can get into your system, weak encryption is a sure way to make yourself a target for hackers. Many professionals may believe that Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), take care of encryption for you, but if you’re still using TLS 1.0 (from 1999), your network isn’t as safe as you think it is. In fact, anything before TLS 1.1 is considered outdated, and even TLS 1.3 can leave you open to traffic eavesdropping.
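The alerting described for the protocols in section 1 (external clients reaching RDP, MSSQL, Telnet, SSH or SMB, and SSH brute-force bursts) and the weak-encryption check in section 2 can be run over flow and TLS logs. The script below is an added example, not code from the original post or from Rapid7; it assumes simplified Zeek-style tab-separated records (a hypothetical column layout), Zeek's version strings such as TLSv10, and hypothetical internal address ranges, with the sample log lines constructed inline.

```python
import ipaddress
from collections import Counter

# Ports the post singles out as common entry points (RDP, MSSQL, Telnet, SSH, SMB).
WATCHED_PORTS = {3389: "RDP", 1433: "MSSQL", 23: "Telnet", 22: "SSH", 445: "SMB"}
# Hypothetical internal ranges; replace with your own address plan.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Pre-1.2 protocol versions as Zeek's ssl.log names them (assumption about the log source).
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}
SSH_BURST = 5  # connections from one source to one SSH server before we call it brute force

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def analyze(conn_lines, ssl_lines):
    """Return (alert_type, detail) tuples for simplified conn.log and ssl.log records."""
    alerts = []
    ssh_pairs = Counter()
    for line in conn_lines:  # fields: ts, orig_h, resp_h, resp_p, proto
        ts, src, dst, port, proto = line.split("\t")
        port = int(port)
        if proto != "tcp" or port not in WATCHED_PORTS:
            continue
        svc = WATCHED_PORTS[port]
        if not is_internal(src) and is_internal(dst):  # inbound from outside
            alerts.append(("external_" + svc.lower(), f"{src} -> {dst}:{port}"))
        if svc == "SSH":
            ssh_pairs[(src, dst)] += 1
    for (src, dst), n in ssh_pairs.items():  # repeated SSH connections from one source
        if n >= SSH_BURST:
            alerts.append(("ssh_bruteforce", f"{src} -> {dst} ({n} connections)"))
    for line in ssl_lines:  # fields: ts, orig_h, resp_h, version
        ts, src, dst, version = line.split("\t")
        if version in WEAK_TLS:
            alerts.append(("weak_tls", f"{src} -> {dst} negotiated {version}"))
    return alerts

# Constructed sample records (documentation address ranges, not real hosts).
CONN_LOG = [
    "1700000001\t203.0.113.5\t10.0.0.8\t1433\ttcp",   # external client hitting MSSQL
    "1700000002\t10.0.0.21\t10.0.0.8\t1433\ttcp",     # internal client, not flagged
    "1700000003\t198.51.100.7\t10.0.0.9\t3389\ttcp",  # external RDP attempt
] + [f"17000000{10 + i}\t10.0.0.50\t10.0.0.3\t22\ttcp" for i in range(6)]  # SSH burst
SSL_LOG = [
    "1700000020\t10.0.0.21\t10.0.0.44\tTLSv10",  # outdated version
    "1700000021\t10.0.0.21\t10.0.0.45\tTLSv13",
]

if __name__ == "__main__":
    for kind, detail in analyze(CONN_LOG, SSL_LOG):
        print(f"{kind:16} {detail}")
```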
3. Network misuse by employees
We’d be remiss if we wrote a security tip that didn’t remind you that employees tend to be a weak point for security breaches, and your network is no exception. If employees are using prohibited apps like BitTorrent to download content, they’re not just participating in illegal activities, but they’re also widening your attack surface, affecting your network reliability, and opening you up to various attacks. Even OS X has fallen prey to ransomware due to BitTorrent vulnerabilities. Harmless-seeming productivity and file-sharing apps like Dropbox can also be used for data exfiltration. Keep your eyes peeled for signs that employees are using your network in ways that open your organization up to hacking (or possibly legal ramifications).
With so many ways for your network to open your organization up to hackers and attacks, continuously monitoring your traffic is a no-brainer. If you’re interested in learning how to easily implement deeper visibility across all your network and instantly detect and quickly troubleshoot anomalies or suspicious activity, get a demo of InsightIDR today.