This article is written by Harita Mehta, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from LawSikho.
A Network Intrusion refers to any unauthorised intrusion into the computer network. During the past two decades, dependence on technology has massively increased which has created a new scope of crime relating to computers.
A Network is generally intruded due to one of three reasons:
- Hacktivism- Hacktivism is the amalgamation of the words Hacking and Activism. It is done by intruders who want to hack in order to prove a political agenda or a social cause.
- Steal Money or Data- This type of intrusion is done to steal money or data from the other party. Usually, the purpose of this is to exploit the other party of financial gain.
- Spy- Spying is state sponsored network intrusion in order to spy on their enemies and sometimes allies.
The attacks of Network intrusion can be anyone from individuals to large organisations to governments. The Cybersecurity teams of these organisations need to understand the way Network Intrusion is done in order to successfully avoid it. A Network Intrusion Detection System needs to be put in place in order to deal with the issues regarding Network Intrusions.
There are two types of systems which can help in preventing the attack on networks- Intrusion Detection Systems and Intrusion Prevention Systems.
Intrusion Detection Systems (IDS) refers to a passive system which detects malicious acts on the network and Intrusion Prevention System not only detects the said malicious activity but also prevents it.
Due to the internet being a vast place, it is very difficult to pinpoint a particular way in which Network Intrusion takes place. However, the following are some common techniques through which Network Intrusion has taken place:
- Multi-Routing- This refers to when the intruders use multiple sources to intrude which helps them avoid detection. This is also known as asymmetric routing;
- Buffer Overflow Attacks- The Buffer overflow attack refers to when certain sections of the computer’s memory code is rewritten so that they can be used as a part of the intrusion later on;
- Traffic Flooding- This type of attacks are when the intruders flood the victim’s systems with traffic that they cannot handle in order to cause chaos and confusion. When the systems have too large traffic in order to screen, then they can easily get away undetected;
- Trojan Horse Malware- Trojan Horse Malware gives provides a network backdoor to the attackers so that they get an unfettered access to the network;
- Worms- This type of virus is most common and effective. Worms usually spread through email or instant messaging and can spread throughout the network.
Rob Joyce, a senior cybersecurity advisor to the Director of National Security Agency in an event had broken down the steps by the Nation state hackers into six phases. However, even though these phases were given in terms of Nation State Hackers, these can also be used for other types of Network Intrusion. The following are the steps in which the network intrusion takes place:
The first step to a network intrusion is to understand the target. This type of understanding of the Network is not only important in a nation state hacking but also when hackers need to exploit money or data from a particular individual or organisation.
The cybersecurity teams can easily stop attacks at this phase if they understand what security network has been put in place and what are the vulnerabilities of those security networks that can be exploited.
- Initial Exploitation
As soon as the reconnaissance is done, the attackers find an opportunity for first exploitation. Often, it is believed that most hackers attack on zero-days but they can be persistent and patient with their exploit too. Sometimes it is known that the intruders were present years before they had attacked.
- Establish Persistence
An Initial Exploitation is of no use if the attackers want to steal data on a persistent basis. After the initial exploitation, in order to stay in the Network, the intruders use different ways to stay in the network such as escalating their privileges and getting into scripts.
- Install Tools
Once the intruders have developed an understanding of the system and the way in which they can establish persistence then the malware begins. At first, they install tools into the computer which further run various scripts in order to cause more damages to a system.
- Move Laterally
Once these tools are in place, then the intruders can move through the network. The intruders try to move laterally in order to achieve what they had set out for. An example of this would be the North Korean Bank Intrusion in the Bangladesh bank which would be mentioned in detail later.
- Collect Exfil and Exploit
By the time of this stage, the intruders have already established themselves on the network. The intruders now have to exploit the network and move undetected.
The Bangladesh Bank Heist which allegedly involves the North Korean state took place in February 2016. SWIFT Global Payment Network is considered as the best network in order to transfer money by the banks throughout the world.
The intruders managed to enter the Bangladesh Central Bank’s network through a phishing email sent to one of the employee’s personal email on January 16 which he opened on his office computer. This phishing email began installing a malware on the computer which helped the intruders gain access to the bank’s network. The intruders managed to enter the bank’s system in order to observe the process of payments and the credentials for bank transfer.
On the night of February 4 they entered the Bangladesh Bank on Thursday night knowing that the Bank’s employee had gone out for the weekend. The intruders through SWIFT had made 35 transactions amounting to $ 1 billion to the Federal Reserve Bank of New York. 30 of the 35 transactions were blocked due to a spelling mistake. However, the other 5 transactions amounting to $ 101 million were made to two different banks in Sri Lanka and Philippines. The amount of $ 20 million to Sri Lanka was eventually stopped but $ 81 million in the Philippines was lost.
The intruders had also hacked into an automated printer which printed real time transactions of the bank in order to stop the employees from detecting and preventing the transactions from taking place.
This is an example of network intrusion and how a small phishing email attack can cause a massive loss to an organisation.
A cybersecurity team for any organisations wants to ensure that they catch and prevent the intrusion at the earliest stages of the intrusion. In order to detect and prevent the intrusion, the following are the ways:
- Network based intrusion prevention systems (NIPS)
NIPS is a system which is used to monitor a network for malicious activity in order to protect a network from a threat of a malware or a cyber attack. NIPS is an inline detection and prevention device which monitors the activity on a network and if it finds anything suspicious then it acts according to the specific set of rules which have been provided to it. A NIPS, unlike a microprocessor is fast and application based since it runs thousands of commands at once.
- Wireless based intrusion prevention systems (WIPS)
WIPS works for Wireless Networks and helps in monitoring the radio spectrum in a radio’s wireless space to detect any unauthorised entry. This system is very effective as it can detect and shut down unauthorised entries on its own. Modern WIPS do not only help in the detection and prevention of cyberattack but also help in compliance with regulations like GDPR.
- Network Behaviour Analysis (NBA)
This system ensures the safety of a network through watching the traffic and detecting any unauthorised entry on the systems. NBA watches the network and creates data packets in order to make a detailed offline analysis. The reason for the use of the NBA is to reduce the burden of network administrators.
- Host based intrusion prevention systems (HIPS)
HIPS usually protects the host computer with regards to any malicious attack. HIPS operates from the network layer till the application layer. A HIPS uses a database of system objects monitored to identify intrusions by analyzing system calls, application logs, and file-system modifications (binaries, password files, capability databases, and access control lists).
Intruders ensure that their tracks have been covered so that it is difficult to track who was responsible for the intrusion. There are three common ways the intruders use to cover their tracks:
- Deleting the logs- Logs can be easily deleted by the intruders which will make it difficult for the individuals to know what was accessed by the intruders;
- Encryption- The use of encryption to transfer the data which makes it difficult to track their movements outside of a network;
- Rootkits- Rootkits is a software which allows the unauthorised entry to gain control without being detected.
Network intrusion is a matter of serious concern in cyberspace. In order to ensure that the intrusion is prevented, we need to understand what are the popular techniques used by the intruders and what are the steps of intrusion. Network Intrusion is often secretive and cannot be caught until the zero day. However, there are certain ways to prevent it.
The cybersecurity team for any organisation has to detect and prevent the attack from happening before the intruders exploit the network. In order to do that, anti-virus software alone is not enough. Cyber Security teams need to update their security policies regularly to ensure that such intrusion is detected and prevented in the earlier stages.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: