Network Service Guidance

Category Definition

Network Services consist of applications serving protocols such as SSH, SMTP, DNS, RDP, Telnet, FTP, etc. These services are found throughout networks and provide remote interactive access, file transfer, and critical administration functions for systems' operation. Network services are sometimes exposed to the internet to support business functions. In addition, network equipment and server configurations often ship with network services enabled by default, whether or not anyone uses them.

Why a defender should care about Network Services

Any publicly exposed system providing interactive remote access is a possible point of initial access (https://attack.mitre.org/tactics/TA0001/) for adversaries, most directly through external remote services (https://attack.mitre.org/techniques/T1133/). File transfer services offer easy collection (https://attack.mitre.org/tactics/TA0009) and exfiltration (https://attack.mitre.org/tactics/TA0010), and administrative services, such as SNMP write access or the ability to change DNS records, can give attackers what they need for adversary-in-the-middle (https://attack.mitre.org/techniques/T1557) techniques. Network services often ship with insecure default configurations, so hardening after deployment is critical. Any network service that exposes an interactive login is a likely target of password guessing (https://attack.mitre.org/techniques/T1110/001/), password spraying (https://attack.mitre.org/techniques/T1110/003/), and credential stuffing (https://attack.mitre.org/techniques/T1110/004/) attacks, and should be monitored for them.
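The three brute-force patterns named above leave different fingerprints in authentication logs, and telling them apart matters because the response differs: a single account under guessing can be locked or rate-limited, while a source spraying many accounts has to be blocked at the network edge. The following Python script is an added example written for this page, not code from the original guidance. It parses OpenSSH-style "Failed password" / "Accepted password" lines from a constructed sample log and labels each source address as password guessing (one account, many attempts) or password spraying (many accounts, one or two attempts each). Credential stuffing looks like spraying in the log alone, because the difference lies in where the passwords came from, so the script does not try to separate the two. The failure threshold, host name, addresses and user names are assumptions for illustration.

```python
"""Classify SSH brute-force activity per source address from sshd log lines.

Added example: the sample log below is constructed, not a real capture.
"""
import re
from collections import defaultdict

# OpenSSH syslog format:
# "<ts> <host> sshd[<pid>]: Failed password for [invalid user] <user> from <ip> port <port> ssh2"
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

FAIL_THRESHOLD = 5  # assumed: failures from one source before it counts as an attack


def _line(minute, sec, pid, result, user, src, port):
    """Build one constructed sshd log line (sample data only)."""
    return (f"Mar  3 10:{minute:02d}:{sec:02d} bastion sshd[{pid}]: "
            f"{result} password for {user} from {src} port {port} ssh2")


# Constructed sample log: 8 attempts against root from one source (guessing),
# 6 different users once each from a second source (spraying), and a user who
# mistyped once and then logged in (benign). Addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [_line(0, i, 1200 + i, "Failed", "root", "203.0.113.5", 51000 + i) for i in range(8)]
    + [_line(5, i, 1300 + i, "Failed", u, "198.51.100.7", 40000 + i)
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_line(10, 1, 1401, "Failed", "alice", "192.0.2.9", 33000),
       _line(10, 30, 1402, "Accepted", "alice", "192.0.2.9", 33001),
       "Mar  3 10:11:00 bastion sshd[1403]: Connection closed by 192.0.2.9 port 33001 [preauth]"]
)


def parse_auth_log(text):
    """Return (result, user, src) for every password-auth line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["result"], m["user"], m["src"]))
    return events


def classify_sources(events, threshold=FAIL_THRESHOLD):
    """Aggregate failures per source address and label the pattern.

    password guessing: many failures against a single account
    password spraying: failures spread thinly over many accounts
    """
    per_src = defaultdict(lambda: {"failures": 0, "users": defaultdict(int), "successes": []})
    for result, user, src in events:
        rec = per_src[src]
        if result == "Failed":
            rec["failures"] += 1
            rec["users"][user] += 1
        else:
            rec["successes"].append(user)

    report = {}
    for src, rec in per_src.items():
        n_users = len(rec["users"])
        if rec["failures"] < threshold:
            verdict = "benign"
        elif n_users == 1:
            verdict = "password guessing"
        elif max(rec["users"].values()) <= 2:
            verdict = "password spraying"
        else:
            verdict = "mixed brute force"
        report[src] = {
            "verdict": verdict,
            "failures": rec["failures"],
            "users": n_users,
            "successes": rec["successes"],  # a success after failures is the alert to escalate
        }
    return report


if __name__ == "__main__":
    for src, info in classify_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src:15} {info['verdict']:18} failures={info['failures']} "
              f"users={info['users']} successes={info['successes']}")
```

In production the aggregation would run over a sliding time window rather than the whole file, and the threshold would be tuned per service; the shape of the logic (count failures per source, then look at how they spread across accounts) stays the same.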

Why an attacker is interested in Network Services

Interactive access to systems is always of interest to an attacker. Services like RDP, Telnet, and SSH offer the ability to manage systems remotely and potentially gain further access to targeted networks. The presence of a remote access service also implies that other interesting services exist behind it. Successful compromise may lead to additional credential theft (https://attack.mitre.org/techniques/T1555/) and pivoting (https://attack.mitre.org/tactics/TA0008/) into other areas of the network.

File sharing services, like FTP, NFS, SMB, or SFTP, are tempting to attackers because they allow files to be uploaded to and downloaded from other computers. These services signal that interesting data may be present or accessible. FTP, for instance, predates modern security expectations: it sends credentials and file contents in cleartext, so anyone on the network path can read them, and encryption (FTPS) is an optional extension rather than the default. SFTP, by contrast, is a file transfer subsystem of SSH and is encrypted, but it still exposes an interactive login that is subject to the password attacks described above.

Simple Network Management Protocol (SNMP) is the de facto standard for monitoring network equipment and can also be used to change device configuration. Attackers are interested in SNMP because, like FTP, it is often unencrypted: SNMPv1 and SNMPv2c authenticate with a community string that travels in cleartext, so anyone listening on the wire can capture it, and the well-known defaults "public" and "private" are frequently left in place. SNMPv3 adds authentication and optional encryption but is not always deployed. With a read community an attacker can enumerate interfaces, routing and ARP tables, and software versions; if write access is enabled, the attacker can change the device configuration.
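Both the FTP and SNMP weaknesses described above come down to the same thing: the credential is readable by anyone who can see the traffic. The following Python code is an added example written for this page, not code from the original guidance. It recovers USER/PASS pairs from a constructed capture of an FTP control channel, and the community string from a constructed SNMPv1/v2c GetRequest using a minimal ASN.1 BER decoder (an SNMP message is a SEQUENCE of version, community string, and PDU). It also handles the v3 case, where the second field is message header data rather than a community string, so there is nothing to recover this way. The packet contents, credentials and OID are made up or chosen for illustration, and the tiny BER encoder is only there to build the sample packets.

```python
"""Recover cleartext credentials from captured FTP and SNMP traffic.

Added example with constructed packets; not from the original guidance.
"""


# ---- FTP control channel: USER/PASS are sent as plain ASCII commands ----

def ftp_credentials(client_stream):
    """Return (user, password) pairs seen in the client->server side of an FTP session."""
    creds, user = [], None
    for line in client_stream.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            user = arg.decode("ascii", "replace")
        elif verb == b"PASS" and user is not None:
            creds.append((user, arg.decode("ascii", "replace")))
            user = None
    return creds


# Constructed capture of the client side of a control connection (fake credentials).
FTP_SAMPLE = (b"USER alice\r\nPASS Wint3r2024!\r\nPWD\r\nCWD /exports\r\n"
              b"REIN\r\nUSER backup\r\nPASS b4ckup\r\nQUIT\r\n")


# ---- SNMP: an ASN.1 BER message whose second field is the community string ----

def _ber_len(n):
    """Encode a BER length (short form below 128, two-byte long form otherwise)."""
    return bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])


def _tlv(tag, payload):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(v):
    """Encode a non-negative INTEGER (enough for version, request-id, error fields)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


SYSDESCR_OID = bytes.fromhex("2b06010201010100")  # 1.3.6.1.2.1.1.1.0 (sysDescr.0)


def build_snmp_get(version, community, oid, request_id=0x1A2B3C4D):
    """Build a GetRequest as a manager would send it (version 0 = v1, 1 = v2c)."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + b"\x05\x00")  # OID + NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)  # GetRequest-PDU
               + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community) + pdu)


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmp_community(packet):
    """Return (version_name, community) for a captured SNMP datagram.

    For v3 the second field is msgGlobalData, not a community string, so the
    result is ("v3", None): USM credentials are not exposed this way.
    """
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, raw_version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(raw_version, "big")
    if version == 3:
        return "v3", None
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community field")
    names = {0: "v1", 1: "v2c"}
    return names.get(version, f"unknown({version})"), community.decode("ascii", "replace")


if __name__ == "__main__":
    print("FTP:", ftp_credentials(FTP_SAMPLE))
    pkt = build_snmp_get(1, b"public", SYSDESCR_OID)
    print("SNMP:", snmp_community(pkt), "from", len(pkt), "bytes")
```

The same two functions would work on payloads pulled from a pcap (TCP port 21 payload reassembled per client, and UDP port 161/162 datagrams); the point is that no key, no brute force and only a few dozen lines of parsing stand between a passive observer and a working credential.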

Naming and directory services, like DNS or LDAP, are the network's phonebooks. DNS translates domain names to IP addresses so applications and users can locate resources easily; LDAP directories hold accounts, groups, and hosts. DNS is valuable to attackers as a reconnaissance source (zone transfers and subdomain enumeration reveal the hosts behind a domain) and, where records or resolver settings can be changed, as a means to redirect network traffic. DNS servers are also exposed to a broad spectrum of attacks, including spoofing and cache poisoning, abuse as reflectors for amplification and Denial of Service (DoS) attacks, and, because queries are normally sent unencrypted, the interception of private information about who is looking up what.