Network protocols are less harmless than we think

Sheila Zabeu -

August 11, 2022

They may seem harmless, just responsible for establishing connection and communication rules. However, on the contrary, they can be the source of a lot of headaches and losses. Looking on a more optimistic side, they can also be a kind of thermometer of the cybersecurity maturity of organizations.

We are talking about network protocols. They are the mechanism that ensures different equipment and services are able to communicate when networked, but they are also responsible for a critical part of network security. This is where the neuralgic point of cybersecurity comes in. When incorrectly configured or not updated frequently enough, they can unintentionally expose data, users and the entire network and open the way for cybercriminals.

Many widely used protocols were developed decades ago, long before the emergence of more modern means of intrusions and cybercrime, such as today’s ransomware cases. As a result, they suffer from vulnerabilities that, when left unpatched, can compromise the security of network services.

However, the use of these protocols is not inherently a problem, as highlighted in a recent report by ExtraHop. If networked devices using these protocols are configured correctly, i.e. have their ports (identifiers uniquely assigned to a point on the connection where data is routed over the network to be submitted to a specific service) properly protected, there is little risk to the organization. However, for various reasons, many of these ports are left open indiscriminately for communication from any point on the Internet, including from malicious attackers.

These attackers often use scanning tools, sending test messages to ports that are commonly left open. They then analyse the responses to determine how the network is configured and what opportunities there are to attack. Hence, we talked earlier that these protocols measure the maturity of network protection. “Ports and protocols are essentially openings and corridors that attackers use to exploit poorly protected networks,” says the report.

ExtraHop researchers investigated the prevalence of sensitive protocols with the goal of reducing attack risks. Four types of protocols were evaluated: File Server Protocols, Directory Protocols, Database Protocols, and Remote Control Protocols.

And the results were not as bad as imagined – the total number of devices with vulnerable protocols was generally low. The point is, exposed devices are usually servers or equipment responsible for essential, or critical, resources. Furthermore, having a vulnerable device as an entry point is enough for cybercriminals to compromise the entire network.

Report ExtraHop
Source: ExtraHop

In the File Server class, for example, ExtraHop found, in its audit of corporate networks, that the SMB (Server Message Block) protocol left 64 of the 10,000 devices analysed exposed to the Internet. In Windows environments, SMB is a common attack vector. There are three versions known as SMBv1, SMBv2 and SMBv3. The first is notoriously insecure and is the protocol that the WannaCry and NotPetya malware variants use to break into networks, according to the report. A recent ExtraHop survey revealed that 68% of organizations still use SMBv1.

In the class of Directory Protocols, which allow you to search for information about users and resources on the network, one of the most popular services is Active Directory (AD), developed by Microsoft and proprietary. To access AD, two protocols are used, LDAP (Lightweight Directory Access Protocol) and Kerberos. Windows systems use LDAP to search for usernames in AD. By default, these queries are done via plain text, giving attackers the chance to discover usernames and then perform brute force attacks to generate name and password matches.

ExtraHop recommends, if possible, configuring devices to use LDAPS, which queries and receives responses using encryption. ExtraHop found that the LDAP protocol left 13 of the 10,000 devices analysed exposed to the Internet, while Kerberos left four.

In the Database Protocols class, ExtraHop found that TDS (Tabular Data Stream) left 3 out of 10,000 devices analysed exposed to the Internet. Developed by Microsoft, this protocol transmits data in plain text, making it vulnerable to interception. To avoid authentication credentials being discovered, TDS traffic should be incorporated into the HTTPS protocol. Another best practice is to always require clients and database servers to use an encrypted version of TDS.

Finally, in the Remote Control Protocols class, ExtraHop found that SSH (Secure Shell) left 32 of the 10,000 devices analysed exposed to the Internet. According to ExtraHop, this is a well-designed protocol with good encryption to access devices remotely securely. It is available on all Linux distributions and also on other operating systems. As it is widely used, it is also widely attacked. To protect it, it is recommended to keep it always up to date.

Recommendations on how to analyse network configurations, devices, and traffic patterns to better understand risks and take steps towards cybersecurity readiness, can be found here.