Ways To Get Past The Perimeter

[izatt82]

Hello This topic to discuss ways attackers are getting past the firewall now days. I know spam/phishing is still big, but just to get a nice list how are you guys doing it or what kind of attempts are you seeing?

You might ask where is this coming from well I am trying to make sure I am not missing something I didn't know about. I try to keep as up to date on attacks, but thought I would post a question here and get some community feedback.

I will start it off by saying currently I am seeing targeted spam mostly with hyperlinks generally pointing to either java or adobe exploits. A lot of these hyperlinks are located on very low traffic websites all over the web mostly inside the USA. I have contacted the companies and they never call me back most likely figure he doesn't know what he is talking about. Most of this spam is coming from Brazil, but not all of it. Most of the links have a file inside the root of the web directory with a name like file-index.htm or something close with index in the name.

What are you guys seeing whether it is during pentests or inside business you deal with?

Thanks

[izatt82]

On the spam issues, we are currently working to resolve that issue with a vendor. Basically I just wanted this to be kind of an open forum for people to discuss ways to get past the firewall. I figured I would know most of the ways, but maybe there would be some that i didn't and could learn about them. Either way thanks for your reply any ideas and opinions are great. I am just trying to school myself as I wear many hats so sometimes it is hard to keep up with the changing security world. :D

[blackass]

Do you mean spam filters?

I think that may have been confusing. Firewalls and spam are not related, but spam and spam filters are.

[izatt82]

Do you mean spam filters?

I think that may have been confusing. Firewalls and spam are not related, but spam and spam filters are.

Right two different things didn't mean to make that confusing. spam filters to help with spam and then the firewall/web filter for for other stuff.

[izatt82]

Agreed. I am pretty impressed that IPS vendors are catching up and our building modules to check traffic on a port to verify what it really is. For example trying to send a reverse shell over port 80 will get caught in these systems now. The real problem for us is we can't do deep packet inspection on SSL traffic because we have sites that do mutual authentication and of course it breaks those sites. So if an attacker sent traffic out 443 it is hard to track unless it make a little to much noise or is going to a weird IP. On the spam note we use hosted exchange and I am not impressed with the services. We are switching, but until then I get to fight them on why the SPAM solution isn't doing a good job 50-60% block rate is what they told us once they looked at our domain report. It should be 85-95% IMO I know spam filtering is hard and just like with any security someone will get around it just a matter of time, but that doesn't mean do not try.