The explosive growth in networks, connectivity and communications has paved the way for an unprecedented shift of business, personal and government services into web-enabled electronic forums. This growth in e-business and e-commerce is a two-edged sword. One edge cuts toward the defenders: it greatly expands the threat surface that fraudsters, criminals, unscrupulous business competitors, nation states and non-state actors can use to take harmful action against others anywhere in the world. The other edge cuts toward the attackers: the same technology can keep those e-functions safe, secure and resilient, and keep their use of telecommunications and network services secure. But it only defends effectively when it is kept sharp. For several decades the world has operated on something close to a network monoculture. One set of protocols and standards powers the vast majority of the internet, the world wide web, e-commerce and e-business: the ISO Open Systems Interconnection (OSI) seven-layer model and the IETF Transmission Control Protocol over Internet Protocol (TCP/IP) model. They are used by almost every laptop, smartphone, smart house, smart car and other endpoint to communicate with servers and applications in businesses and governments. These models, or protocol stacks, therefore become our map of the threat surface.
1. Physical Layer
At the physical layer, bits are encoded and decoded by transmitting and receiving devices and media. Media and devices may carry signals as light, radio or electrical voltage. The transmission technique determines whether bits are sent as baseband or broadband. The physical layer receives data from, and passes data up to, the data link layer. Managing access to the shared physical medium is another Layer 1 function.
At the Physical Layer, threat actors need to enter (intrude into) the physical space or immediate vicinity of the physical media itself. For wired (bound) media, this can be done by a visitor, vendor, janitor or subcontractor placing sniffer taps onto cables, plugging in USB devices, or using a smartphone as a reconnaissance platform. Intrusions can also happen at some distance from your physical premises if high-gain antennas are used to increase Wi-Fi reception (and transmission) ranges. Drones may also be used by an intruder to enter your RF or lightwave communications space.
2. Data Link Layer
At this layer, packets received from the higher layers of the stack are encapsulated with address information into frames, and the frames are passed to the physical layer for transmission. On receipt of a frame from the physical layer, the data link layer reads the address information in the header, strips the header, and passes the data up the stack as a packet. Every device at this layer needs a unique address, the media access control (MAC) address, which lets a sending device identify itself unambiguously and name the specific destination for the frame it is preparing. Most data link traffic is one-to-one, one MAC address sending to one specified receiver, but Ethernet also supports broadcast and multicast frames addressed to all, or a group of, stations on the segment, and several of the threats below abuse exactly that.
Key threats at this layer involve the following:
• MAC address spoofing or cloning (to impersonate a host or redirect its traffic)
• MAC flooding (sending large numbers of Ethernet frames with bogus source MAC addresses to overflow the switch's address table, after which it floods unicast frames out every port and they can be sniffed)
• VLAN hopping (switch spoofing and 802.1Q double-tagging attacks)
• Broadcast storms (similar to MAC flooding, but aiming to overload the whole network segment)
• Reconnaissance probes using MAC sniffing (capturing copies of frames as they pass)
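The MAC-flooding entry above is one of the few Layer 2 attacks with a clean statistical signature, so here is an added example (not code from the original page) that parses raw Ethernet II frames and counts distinct source MACs per switch port inside a sliding window. The capture, the port numbers and the threshold are constructed for the demonstration; a real deployment would read frames from a mirror port and tune the threshold to the segment.

```python
"""Added example (not from the page): parse raw Ethernet II frames and flag a
MAC-flooding burst on a switch port by counting distinct source MACs per window.
All frames, ports and timestamps below are constructed for the demonstration."""
import random
import struct
from collections import Counter, deque

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType (network byte order)
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, ethertype: int = ETHERTYPE_IPV4, payload: bytes = b"") -> bytes:
    """Assemble an Ethernet II frame (FCS omitted, as a NIC would strip it)."""
    return ETH_HDR.pack(dst, src, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a raw frame into its 14-byte header fields and payload."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than a 14-byte Ethernet II header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[ETH_HDR.size:]}


def detect_mac_flood(frames, window_s=1.0, threshold=50):
    """frames: iterable of (timestamp_s, switch_port, raw_frame) in time order.

    A switch learns one CAM entry per new source MAC, so a burst of many
    distinct sources on one port is the signature of a flooding tool.
    Returns ({port: peak distinct sources in any window}, {flagged ports}).
    """
    recent = {}    # port -> deque of (ts, src) inside the sliding window
    counts = {}    # port -> Counter of src MACs inside the window
    peak = Counter()
    for ts, port, raw in frames:
        src = parse_frame(raw)["src"]
        dq = recent.setdefault(port, deque())
        ctr = counts.setdefault(port, Counter())
        dq.append((ts, src))
        ctr[src] += 1
        while dq and ts - dq[0][0] > window_s:      # slide the window forward
            _old_ts, old_src = dq.popleft()
            ctr[old_src] -= 1
            if ctr[old_src] == 0:
                del ctr[old_src]
        peak[port] = max(peak[port], len(ctr))
    flagged = {p for p, n in peak.items() if n > threshold}
    return dict(peak), flagged


def constructed_capture(seed=1):
    """Constructed capture: normal chatter on port 1, a flooding tool on port 7."""
    rng = random.Random(seed)
    gateway = bytes.fromhex("0011223344ff")
    hosts = [bytes.fromhex(f"0011223344{i:02x}") for i in range(3)]
    frames = []
    for i in range(30):                           # three real hosts over ~10 s
        frames.append((i * 0.33, 1, build_frame(gateway, hosts[i % 3])))
    for i in range(200):                          # 200 random sources in 0.5 s
        src = bytes([0x02] + [rng.getrandbits(8) for _ in range(5)])  # locally administered bit set
        frames.append((5.0 + i * 0.0025, 7, build_frame(gateway, src)))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    peak, flagged = detect_mac_flood(constructed_capture())
    print("peak distinct source MACs per port:", peak)
    print("ports flagged for MAC flooding:", flagged)   # {7}
```

The same per-port counter is what switch "port security" does in hardware when it caps the number of learned MACs per port; the software version is useful where the switches cannot do it or where you want an alert rather than a shutdown.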
3. Network Layer
The network layer is responsible for moving packets between hosts and other devices on the network. Payload data from the higher layers of the protocol stack arrives at the network layer as segments; when a segment is too long to fit into one packet for the path, the layer breaks it into several packets (fragmentation).
Threats at Layer 3 can exploit protocol or network vulnerabilities by means of:
• Routing protocol attacks (for example, injecting bogus routes into RIP)
• ICMP attacks
• Ping flooding
• Smurf attacks (sending ICMP echo requests to a network's broadcast address with the victim's address forged as the source, so that every host on that segment replies to the victim)
• IP address spoofing
• Packet sniffing
Countermeasures at Layer 3 (several of which, such as VLAN configuration, act at Layer 2 but protect Layer 3 traffic) can include the following:
• Securing ICMP (rate-limit it, and drop echo requests addressed to broadcast addresses)
• Proper router configuration (including disabling forwarding of directed broadcasts)
• Better packet filtering and inspection (NGFW, perhaps)
• Use router access control lists (ACLs) more effectively, including ingress filtering of packets with spoofed source addresses
• Proper VLAN configuration
• Layer 2 intrusion detection/prevention
• Move toward zero trust architecture
• Microsegmentation of the LAN
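Three of the countermeasures above (securing ICMP, directed-broadcast handling, and anti-spoofing ACLs) are concrete enough to show as rules. The following is an added example, not the page's own code or any vendor's ACL syntax: a toy stateless filter in Python that applies BCP 38-style anti-spoofing, refuses echo requests to directed-broadcast addresses (the Smurf amplifier), and rate-limits echo requests per source with a token bucket. The interface names, prefixes and packets are all hypothetical, drawn from the documentation address ranges.

```python
"""Added example (not from the page): a toy stateless Layer 3 filter that applies
three of the countermeasures above to constructed packets: ingress/egress
anti-spoofing in the style of BCP 38, refusal of ICMP echo requests aimed at
directed-broadcast addresses (the Smurf amplifier), and a per-source token
bucket on echo requests (ping floods). Interfaces, prefixes and addresses are
hypothetical; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical interface plan for the router running this filter.
INSIDE_NETS = {
    "lan0": ipaddress.ip_network("192.0.2.0/24"),
    "dmz0": ipaddress.ip_network("198.51.100.0/25"),
}
WAN_IFACE = "wan0"
ICMP_ECHO_REQUEST = 8
ECHO_RATE_PER_SEC = 10.0     # sustained echo requests allowed per source
ECHO_BURST = 20.0            # token bucket depth


@dataclass
class Packet:
    ts: float
    in_iface: str
    src: str
    dst: str
    proto: str                     # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None


@dataclass
class Layer3Filter:
    buckets: dict = field(default_factory=dict)   # src -> (tokens, last_ts)

    def verdict(self, pkt: Packet) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # 1. Anti-spoofing (BCP 38): inside addresses never arrive from the WAN,
        #    and each inside interface only sources its own prefix.
        if pkt.in_iface == WAN_IFACE:
            if src.is_loopback or any(src in net for net in INSIDE_NETS.values()):
                return "DROP spoofed-inside-source"
        elif pkt.in_iface in INSIDE_NETS:
            if src not in INSIDE_NETS[pkt.in_iface]:
                return "DROP egress-spoof"
        else:
            return "DROP unknown-interface"
        # 2. Smurf: never let an echo request reach a directed broadcast address.
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
            if dst == ipaddress.ip_address("255.255.255.255") or \
                    any(dst == net.broadcast_address for net in INSIDE_NETS.values()):
                return "DROP directed-broadcast-echo"
            # 3. Ping flood: token bucket per source address.
            if not self._take_token(pkt.src, pkt.ts):
                return "DROP echo-rate-limited"
        return "ACCEPT"

    def _take_token(self, key: str, now: float) -> bool:
        tokens, last = self.buckets.get(key, (ECHO_BURST, now))
        tokens = min(ECHO_BURST, tokens + (now - last) * ECHO_RATE_PER_SEC)
        if tokens < 1.0:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1.0, now)
        return True


def run_constructed_traffic():
    """Feed a handful of constructed packets through the filter; returns verdicts."""
    f = Layer3Filter()
    cases = [
        ("legit ping", Packet(0.0, "wan0", "203.0.113.5", "192.0.2.10", "icmp", 8)),
        ("smurf to broadcast", Packet(0.1, "wan0", "203.0.113.5", "192.0.2.255", "icmp", 8)),
        ("inside address from WAN", Packet(0.2, "wan0", "192.0.2.10", "192.0.2.20", "tcp")),
        ("egress spoof from LAN", Packet(0.3, "lan0", "203.0.113.99", "203.0.113.200", "udp")),
        ("dmz host to internet", Packet(0.4, "dmz0", "198.51.100.7", "203.0.113.200", "tcp")),
    ]
    results = {label: f.verdict(p) for label, p in cases}
    # 30 echo requests from one source inside 30 ms: only the bucket depth (20) gets through.
    flood = [f.verdict(Packet(1.0 + i * 0.001, "wan0", "203.0.113.77", "192.0.2.10", "icmp", 8))
             for i in range(30)]
    results["ping flood accepted"] = flood.count("ACCEPT")
    return results


if __name__ == "__main__":
    for label, verdict in run_constructed_traffic().items():
        print(f"{label:28s} {verdict}")
```

On a real router the same three rules are an ingress ACL with `deny` entries for the inside prefixes on the WAN interface, `no ip directed-broadcast` (or its equivalent) on every interface, and an ICMP policer; the point of the model is that each rule is cheap, stateless apart from the policer, and catches a whole attack class rather than a signature.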
4. Transport Layer
The transport layer delivers end-to-end services: it carries the application's data as a stream of segments and controls those streams to relieve congestion, through mechanisms that include flow control and Quality of Service (QoS).
Attacks on the Transport Layer of the Open Systems Interconnection (OSI) model (Layer 4) seek to manipulate, disclose, or prevent delivery of the payload. This can happen, for instance, by reading the payload (as in a sniffer attack) or changing it (as in a man-in-the-middle attack). While denial of service can be executed at other layers as well, the Transport Layer is a common target for flooding attacks; the ICMP-based floods usually grouped with them (ICMP itself rides at Layer 3) are handled by the same defences.
Threats at this layer can include:
• Routing protocol attacks (such as against RIP)
• ICMP attacks, such as ping floods
• Network Time Protocol (NTP) desynchronization attempts
• Fraggle (a UDP flood to broadcast addresses, the UDP counterpart of Smurf)
• TCP sequence prediction (guessing a host's next initial sequence number in order to inject segments into, or hijack, a connection)
• IP address spoofing, packet sniffing, and port scanning
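TCP sequence prediction is worth seeing in motion, because it only works when the victim's stack hands out initial sequence numbers (ISNs) with a guessable pattern. The following is an added example, not code from the page: it simulates a victim with the old "add 64000 per connection" generator next to one using the RFC 6528 scheme (a clock plus a keyed hash of the connection 4-tuple), and models the classic attack in which the attacker learns the pattern from two connections of its own and then spoofs a SYN from a trusted host, guessing the ISN in a SYN/ACK it will never see. All addresses, ports and the clock are simulated; nothing is sent on a network.

```python
"""Added example (not from the page): why TCP sequence prediction works against
a stack that picks initial sequence numbers (ISNs) predictably, and why the
RFC 6528 scheme defeats it. The victim, attacker and trusted-host addresses
and the clock are simulated; the attack is modelled, not sent on a network."""
import hashlib
import itertools
import os
import random

MASK = 0xFFFFFFFF


class WeakISN:
    """ISN advances by a fixed 64000 per connection (the old 4.4BSD behaviour)."""
    def __init__(self):
        self.counter = 0

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        self.counter = (self.counter + 64000) & MASK
        return self.counter


class Rfc6528ISN:
    """ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret), with M a
    4-microsecond clock and F a keyed hash over the connection 4-tuple.
    The clock is injected so that the simulation is deterministic."""
    def __init__(self, clock_us):
        self.secret = os.urandom(16)          # per-boot secret, never leaves the host
        self.clock_us = clock_us

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        m = (self.clock_us() // 4) & MASK
        tuple_bytes = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
        f = hashlib.blake2b(tuple_bytes, key=self.secret, digest_size=4).digest()
        return (m + int.from_bytes(f, "big")) & MASK


VICTIM, TRUSTED, ATTACKER = "198.51.100.10", "192.0.2.5", "203.0.113.66"   # documentation ranges


def prediction_success(gen, trials=200, seed=7):
    """Model the classic attack: the attacker opens two connections of its own to
    learn how the victim's ISN moves, then spoofs a SYN from the trusted host and
    must guess the ISN the victim puts in its SYN/ACK (which the attacker never
    sees). Returns the fraction of exact guesses over `trials` attempts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        p1, p2, p3 = (rng.randrange(1024, 65536) for _ in range(3))
        isn1 = gen.isn(VICTIM, 22, ATTACKER, p1)     # victim's ISN toward the attacker
        isn2 = gen.isn(VICTIM, 22, ATTACKER, p2)
        delta = (isn2 - isn1) & MASK
        guess = (isn2 + delta) & MASK               # "it will move by the same amount again"
        actual = gen.isn(VICTIM, 22, TRUSTED, p3)    # ISN the victim really uses for the spoofed SYN
        hits += guess == actual
    return hits / trials


def simulated_clock(step_us=1500):
    """Microsecond clock that advances a fixed amount per read (one read per SYN)."""
    counter = itertools.count(0, step_us)
    return lambda: next(counter)


if __name__ == "__main__":
    print("weak generator, prediction success:", prediction_success(WeakISN()))
    print("RFC 6528 generator, prediction success:",
          prediction_success(Rfc6528ISN(simulated_clock())))
```

The model is deliberately strict (an exact guess); a real attacker only needs to land inside the receive window, which is why RFC 6528 mixes a secret keyed over the 4-tuple into the value rather than merely randomising the clock: the attacker's own connections tell it nothing about the hash output for the trusted host's tuple.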
Countermeasures should include:
• TCP intercept and filtering
• DoS prevention services
• Using allowed and blocked lists for IP addresses, URLs, and URIs
• More complete, properly configured use of TLS
• Secure versions of all protocols for file transfer and shell access (e.g., SFTP instead of FTP, SSH instead of Telnet)
• Fingerprint scrubbing
5. Session Layer
The Session layer provides a logical, persistent connection between peer hosts. It is responsible for creating, maintaining and tearing down the session. Depending on the type of information being exchanged, the session layer's activities may not be needed at all. Coordination between local and remote applications is handled here. Where authentication at this layer is weak, it gives attackers an opening for brute-force attacks on credentials.
Attacks against Session Layer activities are on the increase as attackers look for additional paths across their targets' threat surfaces. These include, but are not limited to:
• Session hijack, man-in-the-middle (MITM)
• ARP poisoning, DNS poisoning, and tampering with local hosts files (to steer a session to an attacker-controlled peer)
• SSH downgrade attempts (forcing a weaker protocol version or cipher)
• Man-in-the-Browser (MITB): Trojans in browser helpers, add-ons or other software
Attacks at Layer 5 continue to serve an overall attack strategy that uses eavesdropping and reconnaissance to identify resources worth further hostile action. Denial of service, along with attacks that replay a session or a transaction, can let an attacker corrupt data en route or otherwise exploit the information they discover.
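ARP poisoning is the usual first step of the session hijack and man-in-the-middle attacks listed above, and it is also one of the easiest to spot from the wire. The following is an added example rather than the page's own code: an arpwatch-style monitor that reads a stream of ARP packets and raises the three alerts a poisoning attempt produces (a reply nobody asked for, an IP whose MAC suddenly changes, and a burst of gratuitous ARPs). The addresses, MACs and timestamps are constructed for the demonstration.

```python
"""Added example (not from the page): an arpwatch-style monitor that inspects a
stream of ARP packets and raises the three alerts an ARP-poisoning attempt
produces: a reply nobody asked for, an IP whose MAC suddenly changes, and a
burst of gratuitous ARPs. The addresses, MACs and timestamps are constructed."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    ts: float
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpWatch:
    def __init__(self, request_ttl=2.0, grat_burst=5, grat_window=10.0):
        self.request_ttl = request_ttl
        self.grat_burst = grat_burst
        self.grat_window = grat_window
        self.table = {}                       # ip -> mac learned from traffic
        self.pending = defaultdict(deque)     # (asker_ip, asked_ip) -> request timestamps
        self.grats = defaultdict(deque)       # sender_mac -> gratuitous ARP timestamps
        self.alerts = []                      # (ts, kind, ip, detail)

    def observe(self, a: Arp):
        gratuitous = a.sender_ip == a.target_ip        # "this is my address" announcements
        if a.op == ARP_REQUEST and not gratuitous:
            self.pending[(a.sender_ip, a.target_ip)].append(a.ts)
        elif a.op == ARP_REPLY and not gratuitous:
            q = self.pending[(a.target_ip, a.sender_ip)]   # did target recently ask for sender_ip?
            while q and a.ts - q[0] > self.request_ttl:
                q.popleft()
            if q:
                q.popleft()                                # matched a recent request
            else:
                self.alerts.append((a.ts, "unsolicited-reply", a.sender_ip, a.sender_mac))
        if gratuitous:
            g = self.grats[a.sender_mac]
            g.append(a.ts)
            while g and a.ts - g[0] > self.grat_window:
                g.popleft()
            if len(g) == self.grat_burst:                  # alert once when the burst threshold is hit
                self.alerts.append((a.ts, "gratuitous-burst", a.sender_ip, a.sender_mac))
        self._learn(a.ts, a.sender_ip, a.sender_mac)

    def _learn(self, ts, ip, mac):
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac
        elif old != mac:
            self.alerts.append((ts, "mac-changed", ip, f"{old} -> {mac}"))
            self.table[ip] = mac      # keep following the traffic so every flip-flop is reported


GW_IP, GW_MAC = "192.0.2.1", "00:11:22:33:44:01"
H10_MAC, H20_MAC = "00:11:22:33:44:10", "00:11:22:33:44:20"
EVIL_MAC = "de:ad:be:ef:00:01"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def constructed_arp_stream():
    """Constructed traffic: a normal lookup, then an attacker claiming to be the gateway."""
    pk = [
        Arp(0.00, ARP_REQUEST, H10_MAC, "192.0.2.10", ZERO, GW_IP),     # who-has gateway?
        Arp(0.01, ARP_REPLY, GW_MAC, GW_IP, H10_MAC, "192.0.2.10"),      # real gateway answers
        Arp(5.00, ARP_REPLY, EVIL_MAC, GW_IP, H10_MAC, "192.0.2.10"),    # attacker: "I am the gateway"
        Arp(5.05, ARP_REPLY, EVIL_MAC, GW_IP, H20_MAC, "192.0.2.20"),    # same lie to another host
    ]
    pk += [Arp(6.0 + i * 0.1, ARP_REPLY, EVIL_MAC, GW_IP, BCAST, GW_IP)  # gratuitous burst
           for i in range(5)]
    return pk


def alert_summary(packets):
    w = ArpWatch()
    for p in packets:
        w.observe(p)
    return Counter(kind for _, kind, _, _ in w.alerts), w.alerts


if __name__ == "__main__":
    kinds, alerts = alert_summary(constructed_arp_stream())
    for alert in alerts:
        print(alert)
    print(dict(kinds))
```

A monitor like this does not stop the poisoning; it tells you within one packet that a session on the segment is now being relayed through a host that should not be in the path, which is exactly the signal the "active monitoring and alarm" countermeasure below calls for. Dynamic ARP inspection on the switch is the preventive counterpart.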
Countermeasures at the Session Layer include:
• Replace weak password-based authentication protocols
• Migrate to strong identity management and access control
• Use PKI
• Verify DNS is correctly configured
• Active monitoring of, and alerting on, Session Layer activity
• More robust IDS, IPS (and SIEM alarms)
6. Presentation Layer
The presentation layer of the OSI seven-layer model was created to consolidate the design of protocols and services that let dissimilar hosts share data. It predates, for example, the creation and widespread adoption of Unicode, and it standardises how data is represented (character sets, encodings, serialisation, compression and encryption) through various conversion schemes.
Threats and countermeasures at the Presentation Layer
Attacks at this layer are primarily focused on causing a data breach or compromising the integrity or value of an organisation's information. Attacks can also seek to gain access to other systems and resources, or to facilitate ongoing attacks. Network Basic Input/Output System (NetBIOS), Server Message Block (SMB) and SSL/TLS have been favourite targets of attackers.
Many data breaches use the target system's own capabilities to encrypt data before exfiltrating it, which may mean using a Layer 6 service. Deep packet inspection and effective end-user behavioural modelling can reveal that a connection which normally sends little encrypted data has started to send a great deal.
Other notable threats include exploitation of vulnerabilities in cross-layer protocols, SQL injection, attempts to downgrade session encryption to a weaker, more easily broken protocol version or cipher, and path traversal. Cross-site scripting attacks can also take place at this layer.
Countermeasures might include:
• Replace/upgrade apps using weak authentication or protection
• Deep inspection of application traffic for:
o Signs of attack
o Policy violations
• Migrate to more secure applications protection:
o Web Application Firewall (WAF)
o Applications Delivery Platform (ADP)
• Migrate to zero trust architecture
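"Deep inspection of application traffic" for an encryption downgrade means looking at what the client actually offers in its TLS ClientHello. The following is an added example, not code from the page: it builds two ClientHello messages (one from a legacy client retrying at TLS 1.0 with RC4 and 3DES on offer, one from a TLS 1.3-capable client), parses the record and handshake headers, cipher suite list and supported_versions extension, and reports the downgrade-relevant findings, including the TLS_FALLBACK_SCSV signal from RFC 7507 that tells a server a client is retrying at a lower version than the server supports. The two messages are constructed, with a fixed filler in the random field.

```python
"""Added example (not from the page): parse a TLS ClientHello and judge whether
what the client offers leaves room for an encryption downgrade: a highest
version below TLS 1.2, obsolete cipher suites, or a TLS_FALLBACK_SCSV retry at
a lower version than the server supports (RFC 7507). The two ClientHellos are
constructed here; the random field is a fixed filler, not real randomness."""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600
EXT_SUPPORTED_VERSIONS = 0x002B
WEAK_SUITES = {                     # IANA cipher suite codes
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(legacy_version, suites, supported_versions=(), fallback=False):
    """Assemble one TLS record holding a ClientHello with the given offers."""
    suites = list(suites) + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                  # one compression method: null
    exts = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)]) + b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake   # record: handshake, legacy 0x0301


def parse_client_hello(record):
    """Pull version, cipher suites and supported_versions out of a ClientHello record."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("expected exactly one TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a well-formed ClientHello")
    p = 4
    legacy_version = struct.unpack_from("!H", hs, p)[0]
    p += 2 + 32                                   # skip version and random
    p += 1 + hs[p]                                # session id (length-prefixed)
    cs_len = struct.unpack_from("!H", hs, p)[0]
    p += 2
    suites = [struct.unpack_from("!H", hs, p + i)[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                # compression methods (length-prefixed)
    versions = []
    if p < len(hs):
        ext_len = struct.unpack_from("!H", hs, p)[0]
        p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack_from("!HH", hs, p)
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:   # TLS 1.3 clients list real versions here
                versions = [struct.unpack_from("!H", data, 1 + i)[0] for i in range(0, data[0], 2)]
    return {"legacy_version": legacy_version, "suites": suites, "supported_versions": versions}


def assess(hello, server_max=TLS13):
    """Return the downgrade-relevant findings for a parsed ClientHello."""
    findings = []
    offered_max = max(hello["supported_versions"] or [hello["legacy_version"]])
    if offered_max < TLS12:
        findings.append(f"highest offered version 0x{offered_max:04x} is below TLS 1.2")
    findings += ["weak suite offered: " + WEAK_SUITES[s] for s in hello["suites"] if s in WEAK_SUITES]
    if TLS_FALLBACK_SCSV in hello["suites"] and offered_max < server_max:
        findings.append("TLS_FALLBACK_SCSV with a version below ours: downgrade attempt, "
                        "answer with inappropriate_fallback (RFC 7507)")
    return findings


def legacy_hello():
    """Constructed: a client retrying at TLS 1.0 with RC4 and 3DES on offer."""
    return build_client_hello(TLS10, [0x0005, 0x000A, 0x002F], fallback=True)


def modern_hello():
    """Constructed: a TLS 1.3-capable client offering only AEAD, forward-secret suites."""
    return build_client_hello(TLS12, [0x1301, 0x1302, 0xC02B, 0xC02F], supported_versions=(TLS13, TLS12))


if __name__ == "__main__":
    for name, rec in (("legacy", legacy_hello()), ("modern", modern_hello())):
        print(name, assess(parse_client_hello(rec)) or ["no findings"])
```

The parser deliberately stops at the fields a downgrade check needs; a full implementation would also walk the signature_algorithms and supported_groups extensions. The useful operational point is the last check: a server that honours TLS_FALLBACK_SCSV turns a man-in-the-middle's forced retry into a hard failure instead of a quietly weaker session.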
7. Application Layer
Protocols in the stack such as HTTP and HTTPS are, in the eyes of the designers, applications that reside or are defined at this layer. Remember that these layers are design ideas, statements about an overall architecture, rather than hard boundaries.
It cannot be stressed enough: the Application Layer is the target-rich environment for attackers of every level of sophistication. It is where they come to find exploitable information, data they can exfiltrate and use to attack other targets, monetise for criminal ends, or use to fingerprint the targets' own systems. The Application Layer enables the transport of mobile code and executable content, which brings great power and flexibility but also great risk.
The Application Layer demonstrates that the systems we build and use are complex; the ways in which we use them are even more complex. The more complex a system becomes, the greater the likelihood that its inherent vulnerabilities in design, construction, and use can be discovered and exploited by a hostile party.
Threats at this level include:
• SQL injection
• Encryption downgrade attempts
• Rogue DHCP service, DNS poisoning, Lightweight Directory Access Protocol (LDAP) injection, or other attacks on address and name resolution services
• Simple Network Management Protocol (SNMP) abuse
• HTTP floods, DDoS, parameter tampering, or malformed input attacks on applications and web pages
• Cross-site scripting attacks, session hijacks, malware (including drive-by malware attacks)
Any and all of these threat vectors can further an attacker’s goals via alteration or exfiltration of data, or by gaining access to other systems and resources.
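SQL injection heads the list above, and the fix is mechanical enough to show side by side. The following is an added example, not code from the page: the same user lookup written the injectable way and the parameterised way, run against an in-memory SQLite table, plus the allow-list pattern for the one place bind parameters cannot be used (an identifier such as an ORDER BY column). The table contents and the payloads are constructed.

```python
"""Added example (not from the page): the same lookup written the injectable way
and the parameterised way, run against an in-memory SQLite table, plus the
allow-list pattern for the one place parameters cannot be used (identifiers
such as an ORDER BY column). Table contents are constructed."""
import sqlite3

SORTABLE_COLUMNS = {"name", "role"}      # the only identifiers we will ever splice into SQL


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT, role TEXT);
        INSERT INTO users(name, pw_hash, role) VALUES
            ('alice', 'hash-of-alice', 'admin'),
            ('bob',   'hash-of-bob',   'user');
    """)
    return db


def find_user_vulnerable(db, name):
    """Vulnerable: the caller's string becomes SQL text, so a quote ends the literal
    and whatever follows is executed as part of the query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def find_user_safe(db, name):
    """Fixed: the value is bound as a parameter and can never change the query's shape."""
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def sort_column_allowed(column):
    return column in SORTABLE_COLUMNS


def list_users_sorted(db, column):
    """Identifiers cannot be bound with '?', so they are checked against an allow-list
    before being spliced in; anything else is rejected rather than escaped."""
    if not sort_column_allowed(column):
        raise ValueError(f"unsupported sort column: {column!r}")
    return db.execute(f"SELECT name, role FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"                                   # turns the WHERE into "always true"
    union = "x' UNION ALL SELECT name, pw_hash FROM users --"   # reads a column the query never exposed
    print("vulnerable, tautology:", find_user_vulnerable(db, tautology))   # both rows
    print("vulnerable, union:    ", find_user_vulnerable(db, union))       # password hashes leak
    print("safe, tautology:      ", find_user_safe(db, tautology))         # []
    print("safe, real name:      ", find_user_safe(db, "alice"))
    print("sorted by role:       ", list_users_sorted(db, "role"))
```

Two cautions that the example only hints at: SQLite's `execute()` refuses stacked statements, so a `'; DROP TABLE users; --` payload fails here but works against many other drivers, and escaping quotes by hand is not a substitute for binding, because it has to be right for every encoding and every dialect. Binding values and allow-listing identifiers covers both.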
Countermeasures should include at a minimum:
• Monitor and block access to suspicious or hazardous sites
• Block known or suspected bots
• Implement stronger access control (multifactor)
• Perform deep inspection of application traffic
• Migrate to more secure applications protection:
o Web Application Firewall (WAF)
o Applications Delivery Platform (ADP)
• Migrate to zero trust architecture
• Strengthen end users’ security skills and attitudes