Introduction
In the data center there is a growing need for an architecture built around east-west (server-to-server) traffic instead of the traditional three-layer architecture optimized for north-south traffic. This is where the spine-leaf design comes into play, a concept that fits the modern data center fabric. Microservices and container orchestration typically break the traditional approach because they require an overlay network, using VXLANs to segment workloads across the underlay network.
Physical Topology
Traditional campus networking architecture consists of Core, Distribution, and Access layers. Within the spine-leaf architecture there are only two layers, the spine and the leaf. There are three rules when designing with this approach: leaf switches never connect to other leaves, spines never connect to other spines, and each leaf must connect to every spine in the topology.
Leaf switches act as the access layer in this topology, with the spine switches forming the backbone. One disadvantage of spine-leaf is that scale is limited by the number of ports a single spine switch has. This is a limiting factor; however, in a data center context the benefits for east-west traffic patterns make up for it.
Why the Spine-Leaf Architecture?
Traditional campus architecture is held back by spanning tree, which forces 50% of the redundant links to sit idle per VLAN. With a spine-leaf design there is no longer a need for STP, and layer three can be brought into the mix for better convergence times. Rapid Per-VLAN Spanning Tree improves on the original STP, but the idle backup ports are still a drag on network performance.
Routing to the leaf switches unlocks equal-cost multi-pathing, or ECMP. This is the same technology used for edge routing. Having a topology in which any two leaves are no more than two hops apart reduces latency and is beneficial for data center operations. There are other architectures, such as the collapsed core, where core and distribution are merged into one layer sitting above the access layer.
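As an added example (not code from the original post), here is a small Python check that applies the three design rules above to a fabric described as an adjacency map and counts the equal-cost two-hop paths between two leaves; switch roles are assumed from the name prefix, and both fabrics are constructed sample data.

```python
"""Spine-leaf design check: an added example, not code from the original post.

Switch roles are taken from the name prefix ("spine"/"leaf"), a convention
assumed for this example; the fabrics below are constructed sample data.
"""

def role(switch):
    """Assumed convention: a switch is a spine if its name starts with 'spine'."""
    return "spine" if switch.startswith("spine") else "leaf"

def link_name(a, b):
    """Name a link the same way regardless of which end we saw it from."""
    return " <-> ".join(sorted((a, b)))

def check_spine_leaf(links):
    """Return the rule violations for a fabric given as switch -> set of neighbours.

    Rules: no leaf-to-leaf links, no spine-to-spine links, and every leaf
    connects to every spine. An empty list means the fabric is compliant.
    """
    spines = {s for s in links if role(s) == "spine"}
    violations = set()
    for switch, peers in links.items():
        for peer in peers:
            if switch not in links.get(peer, ()):
                violations.add(f"one-way adjacency: {link_name(switch, peer)}")
            if role(switch) == role(peer):
                violations.add(f"{role(switch)}-to-{role(peer)} link: {link_name(switch, peer)}")
        if role(switch) == "leaf" and not spines <= peers:
            violations.add(f"{switch} misses spines {sorted(spines - peers)}")
    return sorted(violations)

def ecmp_paths(links, src_leaf, dst_leaf):
    """Count two-hop leaf->spine->leaf paths: the equal-cost next hops for a flow."""
    return sum(1 for hop in links[src_leaf]
               if role(hop) == "spine" and dst_leaf in links[hop])

# Constructed sample: three leaves, two spines, full leaf-to-spine mesh.
GOOD_FABRIC = {
    "spine1": {"leaf1", "leaf2", "leaf3"},
    "spine2": {"leaf1", "leaf2", "leaf3"},
    "leaf1": {"spine1", "spine2"},
    "leaf2": {"spine1", "spine2"},
    "leaf3": {"spine1", "spine2"},
}
# Constructed sample that breaks the rules: a leaf-to-leaf link and a missing uplink.
BAD_FABRIC = {
    "spine1": {"leaf1", "leaf2"},
    "spine2": {"leaf1"},
    "leaf1": {"spine1", "spine2", "leaf2"},
    "leaf2": {"spine1", "leaf1"},
}
```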
Overlay Network
The overlay network runs across the underlay network, which is the physical devices and cabling. The underlay consists of routers and switches that the overlay uses to carry virtual machine traffic from one server or data center to another. The overlay network uses VXLANs, which are essentially VLANs extended over layer three. Virtual Extensible Local Area Networks provide overlay segmentation so that virtual machines can be moved across the underlay network.
Layer three boundaries restrict layer two broadcasts; VXLAN gets around this by encapsulating layer two frames in UDP. The encapsulated frames cross the layer three boundary and the overlay network becomes usable. The control plane is then provided by MP-BGP EVPN, which acts as the overlay's database of endpoint reachability and removes the overhead of flood-and-learn discovery.
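To make the encapsulation concrete, the following added example (not code from the original post) builds and parses a VXLAN packet in Python: the 8-byte VXLAN header carries the 24-bit VNI and sits in front of the inner Ethernet frame, all inside UDP port 4789; the inner frame and the VNI value are constructed sample data.

```python
"""VXLAN encapsulation walk-through: an added example, not code from the original post.

Builds the UDP payload a VTEP would send (8-byte VXLAN header from RFC 7348
followed by the inner Ethernet frame) and parses it back. Packet bytes are
constructed sample data.
"""
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field carries a valid value

def encapsulate(vni, inner_frame):
    """Prepend the VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8) + inner_frame

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decapsulate(udp_payload):
    """Parse the VXLAN header and inner Ethernet header, or raise on malformed input.

    A defender reading a capture on UDP/4789 uses the VNI to tie an inner
    frame back to the tenant or segment it belongs to on the overlay.
    """
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear: RFC 7348 requires it, treat as malformed")
    inner = udp_payload[8:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:14])
    return {
        "vni": word1 >> 8,               # low 8 bits of word1 are reserved
        "inner_dst_mac": mac_str(dst_mac),
        "inner_src_mac": mac_str(src_mac),
        "inner_ethertype": ethertype,
        "inner_payload": inner[14:],
    }

# Constructed inner frame: a broadcast ARP request (EtherType 0x0806) from a tenant VM.
INNER_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002")
               + struct.pack("!H", 0x0806) + bytes.fromhex("0001080006040001"))
SAMPLE_PACKET = encapsulate(10100, INNER_FRAME)   # VNI 10100 is a constructed value
```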
Conclusion
Spine-leaf architecture is needed to serve east-west traffic in a data center with lower latency, where the traditional campus architecture has bottlenecks. To get up to speed with this architecture you need to verify the underlay routing protocol, audit the oversubscription ratios on the ports a spine switch needs, and plan for an overlay mechanism such as VXLAN.
This completes the discussion of the spine-leaf architecture. Having laid out the basics, I encourage you to learn more through online courses, books, or lab time. When you get a chance, set up a spine-leaf topology in Packet Tracer and note how traffic is distributed for east-west flows. Compare this with a lab of the traditional campus architecture and note where the traffic distribution is more north-south oriented.
Threat Actors
Which threat actors are attacking is one of the fundamental questions incident response tries to answer while an attack is occurring. To answer it, there are certain categories of threat actor we should know: script kiddies, hacktivists, cybercriminals, nation state actors, and insider threats. The threats they pose include website defacement, ransomware, DDoS attacks, and many others.
Script Kiddies
Script kiddies go for bragging rights more than anything and use scripts that someone else has written. They are typically unsophisticated, and their attacks have little monetary payoff. An example would be a teenager who launches a DDoS attack using free tools or pre-existing scripts. Script kiddies are usually paid little or nothing and do it for respect or bragging rights in the hacker subculture.
Hacktivists
These threat actors are politically motivated and may act for social or ideological reasons. Hacktivists are somewhat skilled and are most likely to expose corruption, protest, or make a political statement. A hacktivist might deface a website or leak corporate data to the public.
Cybercriminals
These threat actors are in it for the money, with direct financial gain in mind. Their attacks are outright criminal, and they may tie themselves to organized crime. Typical activity includes ransomware or phishing campaigns to harvest credit card information. There are also lone individuals who turn to hacking for financial gain.
Nation State Actors
Nation state actors are usually the best funded. They attack other groups or organizations, mainly for espionage or geopolitical reasons. These are highly structured, government-backed groups. Some nation states, North Korea for example, raise a good portion of their government funds by sponsoring hacking groups.
Insider Threats
Insider threats are attacks that come from within a group or organization. They are more often rooted in sabotage or revenge. The insiders could be current or disgruntled employees or contractors who have inside knowledge of the company network and may use that knowledge for personal gain.
Conclusion
Threat actors are out there, and which way they are attacking will remain a question for incident response. Threat actors evolve just as the technology they use evolves. These threats can be mitigated, and knowing them should help you on your IT journey. You can study threat actors through the MITRE ATT&CK framework. Study well and be a lifelong learner.
Social Engineering Attacks
There are many types of attacks, and social engineering attacks are the most common. They include phishing, pretexting, baiting, quid pro quo, tailgating, and dumpster diving. The commonly used phishing techniques are mass phishing, spear phishing, whaling, vishing, and smishing. Using these techniques an attacker can carry out business email compromise, a secondary type of social engineering attack.
Some of the best defenses against social engineering attacks form a layered approach built on verification, technology, and policy. In the verification domain: trust but verify, be skeptical of any urgency, and watch for red flags. In the technology domain, use multifactor authentication (MFA), email filtering, and endpoint protection. The policy domain covers the principle of least privilege, awareness training, and clear reporting channels.
Phishing
In mass phishing the attacker tries to get sensitive information from as many victims as possible. Spear phishing targets specific individuals, such as a middle manager, while whaling targets the CEO or other C-suite officers. Vishing attacks are phishing attempts by voice message or phone call, and smishing is phishing by text message.
Social Engineering
Pretexting is a social engineering technique in which the attacker invents a pretext to gain the victim's trust, and the victim is tricked into revealing sensitive information. Baiting offers the victim something for free in exchange for their information. Quid pro quo, or something for something, is an attack where the attacker offers a service or benefit in return for information.
Physical Attacks
Tailgating or piggybacking is where an unauthorized person enters a restricted area by following behind someone who has access. Another physical social engineering attack is dumpster diving, where an attacker gathers information from material discarded in a dumpster. Tailgating and piggybacking can be deterred by mantraps, card access, and security guards.
Conclusion
The types of attacks that occur with social engineering are mainly phishing and some other kind of social engineering attack. This information needs to be learned so that, as a defender, you can understand attacks as they happen and respond to them quickly. Working with social engineering attacks has been something to learn from the CCST Cybersecurity exam, which I currently hold.
There are more social engineering attacks used within the various types of phishing, but they are easier to understand with examples like vishing, which is over voice, and smishing, which is over text messages. Doing the CCST Cybersecurity exam has prepared me in my cybersecurity knowledge by testing me on these social engineering attacks.
Attack Attribution Models
There are three attack attribution models: the Cyber Kill Chain, the MITRE ATT&CK Matrix, and the Diamond Model. The Cyber Kill Chain is Lockheed Martin's seven-step model of a cyber-attack. The MITRE ATT&CK Matrix is a knowledge base designed to categorize adversary tactics, techniques, and procedures (TTPs). TTPs are a way to categorize the type of attack, the attack patterns, and how malicious actors use them to commit crimes.
Alongside the Cyber Kill Chain and the MITRE ATT&CK Matrix, the Diamond Model analyzes events according to the relationships between adversary, capability, infrastructure, and victim. These are the three main attack attribution models, and the CCST Cybersecurity exam covers them along with other cybersecurity concepts. In the Diamond Model, the individual events that make up an attack are analyzed by the relationships between them and attributed to particular adversaries.
Cyber Kill Chain
The Cyber Kill Chain has seven steps: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Reconnaissance is where the attacker gathers information about a target network and looks for vulnerabilities. In the Weaponization step the attacker builds an exploit, which is then sent to the target in the Delivery step.
In the Exploitation step the exploit is triggered, leading into the Installation step, in which a backdoor is planted. The Command-and-Control step comes next and gives the attacker a channel to exfiltrate data and remotely control the device. The last step is Actions on Objectives, where the attacker's goals are carried out.
MITRE ATT&CK Matrix and Diamond Model
The MITRE ATT&CK Matrix is tested on the CCST Cybersecurity exam by application. This essentially means identifying organizational defenses and weaknesses, in addition to attack attribution and understanding how a red team or a blue team interprets attacks. The Diamond Model covers the adversary, the how, the what, and the target of the attack.
Conclusion
These attack attribution models are covered by the CCST Cybersecurity exam in the Incident Handling domain. The three models are covered here in some detail, but the exam covers only their basics. Further study is needed if you want to pursue additional certifications or job skills. I do hold the CCST Cybersecurity certification and will be taking the CCNA Cybersecurity exam later this year.