Post on 28-Jan-2022


Page 1: Module 2: Threats and Exploit

Module 2: Threats and Exploit

2.1 Cybercrime Landscape
• Current cybercrime landscape
• Future landscape

2.3 Threat Actors
• Organised Cyber Criminals
• Hacktivists
• Nation States
• Insider Threats

2.3 Types of Malware
• Worms
• Trojan Horses
• Fake Anti-Virus
• Viruses
• Spyware
• Ransomware
  o WannaCry
• Modern Malware
• Botnets

2.4 Tactics, Techniques and Procedures
The Tactics, Techniques and Procedures utilised by Threat Actors and stages of an attack

2.5 Types of Attacks
• Brute Force Attack and calculator
• Denial of Service and Distributed Denial of Service
• Man-In-The-Middle Attacks

2.6 Social Engineering
What is Social Engineering – a focus on Phishing

2.7 Zero-Day Vulnerabilities
Description of, timelines of, case study and how to protect against.


Module outline and expected learning outcomes

In this module we will explore the current cybercrime landscape; the people working within this landscape, known as threat actors, or TAs, and their motivations; the cyber threats that TAs utilise, such as malware and phishing scams; and a few key considerations revolving around threats within the cybercrime landscape.

2.1 Cybercrime Landscape

Roughly half of the world’s population use the internet every day, a figure that has doubled in the last ten years. This equates to 226 million Google searches every minute of every day, with each search using enough energy to power a standard 60W lightbulb for around 17 seconds. As you can imagine, this is a lot of activity, and it’s estimated that Google’s data centres use around 1.5% of the whole planet’s energy supply. But what about activity in the darker underbelly of the internet - cybercrime? Cyber criminals make an attack every 39 seconds, with nearly all featuring hacking, malware, phishing or social engineering. Even with these alarming figures, only 5% of companies’ folders are properly protected. Worldwide spending on cybersecurity is forecast to reach $133.7 billion USD by 2020, but one problem the industry is currently facing is a serious lack of cybersecurity professionals. Regardless of this funding, over $1.5 trillion USD in revenue is generated per year through computer-based criminal activities, and this is expected to grow steadily in the future.

We’ll start with a very shortened history of cybercrime, focusing on some notorious developments. The Morris Worm of 1988 was one of the first documented computer worms to gain media notoriety. It was written by Robert Morris, a student at Cornell University, but launched from the computer systems at MIT in a bid to hide the creator’s origins. Morris claims that the code was not designed to cause damage, but was an experiment to highlight security flaws.


An unfortunate and supposedly unintended consequence of the code transformed the Morris Worm from a harmless intellectual exercise into a virulent denial-of-service attack. This element of the code was in the spreading mechanism, enabling the code to infect systems multiple times. Each additional infection would slow the affected machine down, to the point where many became unusable. The code infected two thousand computers in fifteen hours, in a year when there were only 60,000 computers connected to the internet, and was so damaging that the internet had to be partitioned for several days to prevent the spread while networks were cleaned of the worm.

Moving a decade on to 1998, we see this image which shows the infamous hacker group L0pht Heavy Industries as they testify to the US Senate. They claimed that they were able to completely shut down nationwide internet access in just 30 minutes, and it is very likely that they could do what they claimed. Even over 20 years ago, this would have had a significant effect on the economy and would have been completely devastating. One thing of note is that this was not some basement-dwelling hacker group. Many were highly educated electrical and software engineers who went on to found successful cybersecurity companies and run government defence programs.

Later, in 2008, we see Albert Gonzalez (aka “CumbaJohnny”) pictured in the penthouse suite in which he lived. He was caught in possession of over 170 million credit card, debit card and ATM details. He had actually also been arrested five years earlier, in 2003, when spotted by a plainclothes NYPD officer withdrawing hundreds of dollars from an ATM, then switching cards and withdrawing more, switching again and again and continually withdrawing. This initial arrest led to his employment by the United States Secret Service to bring down the international hacker group he was affiliated with, called Shadowcrew. After this he was allowed to return to normal life; however, his gift for deception meant that throughout the time he was cooperating with the Secret Service, he was also orchestrating a crew of hackers to gain access to the 170 million payment card accounts which he stole from large shopping chains in the US. He utilised a combination of SQL injection and backdoors in order to collect network traffic from within corporate computer systems.


From September 2013 to May 2014, a famous trojan ran riot, infecting computers running Microsoft Windows with a ransomware called CryptoLocker. It spread through email attachments and via a pre-existing network of compromised computers which had been infected by another trojan. When activated, the CryptoLocker malware would encrypt files on the affected computer, with the key to decrypt them held by the associated cyber criminals. Users of the infected machine would be presented with a message requesting payment in the form of bitcoin within a set deadline in exchange for the encryption key. The ransomware was estimated to have generated around $3 million in revenue.

2019 was a year of big data breaches, with cyber attacks targeting Internet of Things devices surging 300%. Just three attacks alone, against First American, Facebook and Capital One, resulted in over 1.5 billion compromised records. Compromised records, along with other illicit products like drugs, weapons and even child pornography, are sold by cyber criminals on darknet marketplaces such as Genesis Market and Samara Market.

The future of cyber crime is incredibly hard to predict. It is a very high-stakes, fast-paced industry, and cybersecurity professionals need to be meticulously proactive in their research in order to stay on top of potential threats. Recently we have seen the cybersecurity industry utilise artificial intelligence and machine learning as tools to combat cyber attacks. The problem is, while machine learning defences are quite well established, it is expected that cyber criminals will also start to employ this technology on the malicious offensive. Attacks may avoid detection and defences whilst increasing transmission and aggression over their lifetime by learning from their failures. It is predicted that there will be a large increase in wetware attacks in the future as hackers target human psychology as a key route to data. Wetware is a term used to describe non-code-based approaches to obtaining information, such as an untrustworthy employee being bribed to provide confidential data, or sensitive paper documentation found in public places that wasn’t appropriately destroyed. Another area of cyber crime that is expected to continue, develop and progress indefinitely is state-sponsored cyber espionage and cyber warfare.


We’ll cover these in more detail shortly, but essentially they are governments attacking each other to gather information or cause disruption. One thing that’s clear is that there is a tremendous amount of money involved and that the motivation behind attacks is evolving more and more toward pure financial gain rather than internet fame, like we saw in the days of L0pht Heavy Industries. This isn’t expected to change any time soon as more internet-dependent consumables are developed each year with the potential to be targeted, such as driverless cars, airplane communication modules and even medical devices like pacemakers. But who exactly will be leading the way for cybercriminals? In the next video we’ll look at the main culprits and their motivations.

2.3 Threat Actors

Types of Threat Actors

Most cybercrime is committed by four main groups of criminals, known as Threat Actors. These are Organised Cyber Criminals, Hacktivists, Nation States, and Insider Threats. The different types of threat actors come equipped with their own favourite supply of attack vectors, known as Tactics, Techniques, and Procedures, or TTPs for short. They are also driven by different agendas, which can be generalised as financial vs non-financial.

Organised Cyber Criminals

Let’s start with organised cyber criminals. When picturing a cyber criminal, most would imagine a pale, skinny nerd operating from his mum’s basement, but reality could not be further from the truth. As mentioned at the start of this module, cybercrime is estimated to generate over $1.5 trillion USD per year. That’s over three times what the illicit drug market generates! So the reality for a cyber criminal is more super-yacht than basement-dweller. As you may have already guessed, the motivation of an organised cyber criminal is financial gain. Cyber criminals achieve this by running large-scale organisations with highly skilled and well-communicating team members.
In recent years, the TTP of choice for organised cyber criminals by far has been mass phishing campaigns designed to compromise as many machines as possible. Each compromise only provides the potential for a small monetary gain, but when large numbers of machines are compromised, the revenue generated can be astounding. A common tactic to achieve this is using social engineering via emails to deliver malware payloads.

Hacktivists

The second type of threat actor isn’t interested in financial gain, as they are activism-motivated, and are known as Hacktivists. The most well known hacktivists are the group Anonymous, who are not just a collection of hackers, but also activists and general internet users. They target high profile ideological groups such as the KKK, ISIS and international arms dealers. Hacktivists have two main TTPs of choice. The first is defacing websites of governments, embassies, corporations or any organisation they don’t agree with. The aim of this kind of attack is to embarrass the victim, which may seem like a relatively light-hearted attack, but the potential damage caused to the reputation of certain organisations, such as the police force, can be severely costly. The second TTP in a hacktivist’s arsenal is DDoS attacks, or Distributed Denial of Service attacks. They involve directing a large amount of traffic to overwhelm a website through simple requests, such as loading the webpage, sometimes causing it to crash.

Nation States

The third group of threat actors are nation states, AKA state-sponsored hackers. Nations have been obsessively spying on and attacking each other for as long as they’ve existed, and the invention of the internet has just permitted them to step up their efforts. ‘Cyber espionage’ refers to information gathering, known as intelligence, which is occurring on a massive, long-term scale. A prolific example of this would be the work being performed by the USA’s National Security Agency, or NSA. Edward Snowden is a whistleblower from the NSA who revealed that they are monitoring most of the world’s emails, phone calls, IMs and so on.
Nation states also engage in what is dubbed ‘cyberwarfare’ which involves one nation state penetrating another nation’s computers or networks for the purposes of causing disruption.


A recent example of this is China’s alleged state-sponsored attacks against foreign biomedical and pharmaceutical COVID-19 related research efforts, in a bid to slow foreign countries’ recovery from the pandemic. Nation States often hire prolific national hackers and provide them a route to legitimate income away from cyber crime. State-sponsored hackers are highly resourced, and their TTP of choice is the advanced persistent threat (APT), a term used to describe utilising multiple different attack vectors to gain long-term access to information.

Insider Threats

More recently, we have found an increase in activity from the fourth category, insider threats, which are threats from within an organisation itself. The intent of this type of threat actor can range dramatically from the malicious to the best-intentioned. A disgruntled employee may be tempted to steal sensitive data from their employer prior to resigning - be it to publicise the information in a smear campaign, to provide it to competitors for financial gain, or to use as a reference for personal development or self-employment going forward. On the other end of the spectrum of insider threats is an employee with helpful intent who may share too much company information, which then falls into the hands of competitors. As you probably guessed, the TTP of choice is nearly always data theft.

Now that you’ve learnt about the four main types of Threat Actors, it’s time to dive a little deeper into the different Tactics, Techniques and Procedures that these four TAs favour.

2.3 Types of Malware

The next section of this course will cover the different types of malware. But before we start, what exactly is malware? A lot of people think that malware is the same as computer viruses, but the truth is that a computer virus is just one of many types of malware. The word malware is derived from the term ‘Malicious Software’.
Malicious Software, or malware, is intrusive code designed to infect a computer, server, client or network with the aim of causing harm or stealing information.


There are many different types of malware out there to be wary of, but generally we categorise them depending on some key behavioural differences. In this video we will be looking at a few types of malware, including worms, trojans and ransomware.

Worms

First we’ll cover worms, which are independent, self-contained malware programs that are able to spread functional copies of themselves through remote code execution. A worm does not require user interaction to infect a system, meaning they could infect your computer without you doing anything at all. Worms often spread exponentially as the number of infected computers increases. Often the malicious intent of a worm is to create a network of infected computers, called a botnet. An attacker is able to command this network of infected machines to direct large-scale attacks in the future. We’ll cover botnets more in a short while. The harm inflicted by worms usually leads to a consumption of bandwidth causing a slowing of the infected machine, a halting of active anti-malware software, immobilising safe mode and also hindering Windows automatic updates, which may include important security updates relating to the worm itself!

Pause the video in a moment and refer to Exercise 1, Question 1 in your exercise worksheet. If a worm can infect two new computers every two hours, then how many infected computers are there after 12 hours?

Trojan Horses

The next malware we’ll look at takes its name from Ancient Greek mythology, where the Greeks hid within a giant wooden horse, disguised as a gift, in order to penetrate the walls of Troy. Trojan horses are any malware that misleads the user as to its true intent and cannot self-replicate. They often utilise social engineering tactics to compromise machines, such as fake advertisements or phishing. One of the most common trojan infections starts with a user receiving an email and opening an attachment believing it to be legitimate.
When they open it, however, the attacker uses the opportunity to deliver a payload that may allow them to obtain the user’s personal information, such as banking login details and passwords.

Fake Anti-Virus

A big problem in the past, and a good example of a trojan, is Fake Anti-Virus software, or FakeAV. It is a type of rogue security software posing as legitimate software which misleads the user into believing that their machine is infected with malware. The FakeAV malware requires a payment in order to be purchased, which the victim will happily pay in order to remove the fake malware from their system, but it will then install real malware on their computer as part of the FakeAV installation.

Viruses

The third malware we will look at today are viruses. Viruses require user interaction. They are malware which hide their own code within executable programs such as .exe and .com files. The virus will modify the executable so that when the program is executed, the virus spreads or replicates. A virus will spread further when the program which it is hiding within is shared and subsequently executed by others.

Spyware

The term spyware has been around since roughly 2000, although spyware really took off in 2003. It is any program that monitors and gathers information without the user’s knowledge. Generally, the software is installed on purpose by somebody with the intention of monitoring another user of the computer that it is being installed on. This is the key difference between spyware and a trojan or backdoor - it is without the user’s knowledge, not without the user’s permission. The ambiguity is that there are multiple users. A lot of spyware is directed toward ‘concerned’ family members or a ‘suspecting spouse’. Regardless of motivation, installing spyware without a person’s knowledge is a grossly unethical breach of privacy. Common damage we see caused by spyware includes the collection of personal and confidential information, the installation of unsolicited software, redirection of web browsers and also the adjustment of computer settings.

Pause the video in a moment and refer to Exercise 1, Question 2 in your exercise worksheet. What do you think Sally has done, and what does she now need to do?

Ransomware

Ransomware is a very common current malware type. An attacker aims to compromise your machine to reversibly encrypt the data within it. They will then hold your encrypted data to ransom.
If you pay them the defined ransom within their set timeframe, you can prevent a number of malicious actions, such as taking your or your clients’ sensitive data public, or even permanently encrypting it, rendering it completely unusable. The attacker will hold the key to the encryption at their control centre until proof of payment is received.


WannaCry

A particularly effective ransomware that plagued the world in 2017 was WannaCry, which was unprecedented in scale, with around 200,000 computers being infected across 150 countries. It propagated through EternalBlue, an exploit developed by the NSA against older versions of Microsoft Windows, and demanded ransom payments in bitcoin for the decryption key. One institution especially affected by this ransomware was the National Health Service, or NHS, in the UK. Over 70,000 devices, including MRI scanners, blood storage refrigerators and surgery equipment, were affected. Later in 2017, the USA, UK and Australia asserted that the attack was state-sponsored by North Korea.

Modern Malware

We’ve just covered a number of main malware types. As a side note, we generally define viruses, trojans and worms by how they are delivered and propagated, but spyware, adware and ransomware by what they do. Can you guess what type or types are most common nowadays? Well, the answer is quite unfortunate for the victims of modern malware. Modern malware has evolved to become very sophisticated and nearly always draws together elements of many different malware types to produce a highly devastating attack. Blended malware is malware that utilises multiple types of malware technology. For example, a virus these days may utilise social engineering to spread, but also include a Trojan element where the attached file has the appearance of a safe file, but once opened may run code to hold the data on that computer to ransom. That’s a virus that is also a trojan that is also ransomware!

Botnets

We’ve mentioned the term ‘botnet’ a few times over the course of this module. A botnet is a collection of compromised computers, often referred to as zombies. They are the product of malware making the rounds on the internet and infecting large numbers of computers, sometimes into the millions! The hacker who compromised these computers, referred to as the bot master or bot herder, can access and control the botnet using command and control (C&C) software to deliver DDoS attacks, send spam, orchestrate mass phishing campaigns and more!

Continued learning: If you’re interested in learning about more types of malware, you can do some internet research on any of the following types which haven’t been covered in this syllabus:

• Backdoors


• Downloaders

• Adware

• Droppers

• Rootkits

• Dialers

2.4 Tactics, Techniques and Procedures

Attackers will use a wide variety of methods to exploit vulnerabilities in a system. There are a number of steps the attacker will need to carry out in order to successfully execute an attack and steal data. For these we will look at the MITRE ATT&CK framework for the most commonly used tactics, including:

• Initial Access

• Execution

• Persistence

• Privilege Escalation

• Defensive Evasion

• Credential Access

• Discovery

• Lateral Movement

• Collection

• Command and Control

• Exfiltration

Initial Access

The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Execution

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer.

Persistence

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. Example: account manipulation - account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed.

Privilege Escalation

The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Example: access token manipulation - Windows uses access tokens to determine the ownership of a running process.
A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process.

Defense Evasion

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software and leveraging and abusing trusted processes to hide and masquerade their malware. Example: adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.

Credential Access

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. Techniques used to get credentials include keylogging, which allows the threat actor to gain access to user credentials.

Discovery

The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Example: network sniffing - network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.

Lateral Movement

The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Example: the remote desktop protocol can be exploited to allow the threat actor access to a remote system. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Collection

The adversary is trying to gather data of interest to their goal.


Collection consists of techniques adversaries may use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input. Example: an adversary can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in to sensitive conversations to gather information.

Command and Control

The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses. Example: data obfuscation - command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher, to make the communication less conspicuous and to hide commands from being seen.

Exfiltration

The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel, and may also include putting size limits on the transmission. Example: data can be compressed and encrypted so it is less conspicuous upon inspection by the victim.

Impact

The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.


Techniques used for impact include destroying or tampering with data. In some cases business processes can look fine but have been altered to benefit the adversary's goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Example: account access removal. Adversaries may interrupt the availability of system and network resources by inhibiting access to accounts used by legitimate users. Accounts may be deleted, locked, or manipulated (for example by changing credentials) to remove access.

In the following videos we will look at examples of attacks that use a combination of these tactics, techniques and procedures to achieve their goals.

2.5 Types of Attacks

In this video we will review the types of attacks that threat actors carry out, what they look like and the steps to mitigate them. We will look at brute force attacks, denial of service attacks, man-in-the-middle attacks and SQL injection.

Brute Force Attacks

What is a brute force attack? It is a trial-and-error technique where the attacker repeatedly guesses credentials: passwords, PIN codes or encryption keys. The attacker uses automated software to generate the guesses; examples of such programs include John the Ripper and Cain and Abel, run on high-powered computers that can test candidates at very high speed. These attacks are not sophisticated and do not rely on exploiting a software vulnerability; they exploit weak or reused credentials. Guesses may be made online, against a login form (where account lockouts and rate limits apply), or offline, against a stolen database of password hashes, where the only limit is how fast the attacker's hardware can compute the hash.

Dictionary attacks use a list of common passwords and frequently used combinations of words, letters and numbers, including keyboard patterns such as 1qaz, to guess passwords. Attackers may obtain lists of passwords from previous breaches on the dark web and use these in their dictionary attacks.

So let us have a look at this in practice, and demonstrate how longer passwords with a wider range of characters are much harder to crack with a brute force attack. The keyspace grows exponentially with length: every extra character multiplies the number of candidates by the size of the alphabet, so beyond a certain length no brute force attack will finish in a useful time.
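The brute force calculator referred to in the module outline, written here as an added example (it is not the course's own tool). It computes the keyspace, entropy and worst-case search time for a password policy, and then runs a small dictionary attack with the common "mangling" rules cracking tools apply to each word. The wordlist and the guess rate of 10 billion guesses per second are constructed assumptions; the target hash is unsalted SHA-256 purely to keep the demonstration short.

```python
import hashlib
import math

# Alphabet sizes for common password policies.
ALPHABETS = {
    "digits only": 10,
    "lowercase": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive (pure brute force) search must cover."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 is used here only to keep the demo short; real systems
    # should store passwords with a slow, salted hash such as bcrypt or Argon2.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed wordlist in the style of a leaked-password list (not a real leak).
WORDLIST = ["password", "123456", "qwerty", "1qaz2wsx", "letmein", "Summer2019", "dragon"]


def mangle(word: str):
    """Yield the common variations a dictionary attack tries for each word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word + "123"


def dictionary_attack(target_hash: str, wordlist):
    """Return (recovered_password, guesses_made); the password is None if not found."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    rate = 1e10  # assumed: 10 billion guesses/s, a GPU rig against a fast unsalted hash
    for name, size in ALPHABETS.items():
        for length in (6, 8, 12):
            print(f"{name:22} len {length:2}: {entropy_bits(length, size):5.1f} bits, "
                  f"{seconds_to_exhaust(length, size, rate) / 86400:.3g} days")
    print(dictionary_attack(sha256_hex("Summer2019!"), WORDLIST))   # found in 29 guesses
    print(dictionary_attack(sha256_hex("Tr0ub4dor&3"), WORDLIST))   # not in the list
```

Running the table shows the point of the section: eight mixed-case characters with digits give about 47.6 bits and fall to a 10 billion guess/s rig in hours, while twelve characters from the same alphabet take tens of thousands of years. The dictionary attack shows why length alone is not enough: a "long" password built from a common word plus a suffix is found in 29 guesses.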


So besides ensuring we have good password hygiene, how else can we protect from brute force attack?

- Two-factor authentication is considered by many to be the first line of defence against brute force attacks. Implementing it greatly reduces the risk of a data breach, because the password alone is not enough: even if an attacker cracks the password, they would also need access to your phone, authenticator app or email account.

- We are all used to seeing CAPTCHAs on the internet. Nobody enjoys deciphering something that looks like it was scribbled by a two-year-old, but a CAPTCHA makes simple automated bots ineffective. That single requirement to type a word or count the traffic lights blocks most automated tools, even though attackers have started using optical character recognition and paid solving services to get past it.

- Enforce a timeout for users who exceed the maximum number of failed login attempts. Locking an account for a set period after a designated number of unsuccessful attempts caps the guess rate, so automated brute force tools become far less useful. Keep the lockout short (minutes rather than days) so that an attacker cannot abuse it to lock legitimate users out of their own accounts.
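The lockout rule above, implemented as an added example (this is not code from the course). The guard wraps whatever password check the application already has; after a configurable number of consecutive failures it refuses all attempts for the account, including the correct password, until the timeout expires. The single user and password in the demo are constructed, and the clock is injected so the timeout can be shown without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Wraps a password check with a per-account lockout after repeated failures."""

    def __init__(self, verify_password, max_failures=5, lockout_seconds=900, clock=time.time):
        self.verify_password = verify_password    # callable(username, password) -> bool
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                        # injectable for testing
        self.state = {}                           # username -> AccountState

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        st = self.state.setdefault(username, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if self.verify_password(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "denied"


class FakeClock:
    """Controllable clock so the lockout window can be demonstrated without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Three wrong guesses lock 'alice' for 60 s; the right password only works after the window."""
    clock = FakeClock()
    # Constructed credential store: a single user with a fixed password.
    guard = LoginGuard(lambda user, pw: user == "alice" and pw == "correct horse battery staple",
                       max_failures=3, lockout_seconds=60, clock=clock)
    results = [guard.attempt("alice", "password"),
               guard.attempt("alice", "letmein"),
               guard.attempt("alice", "qwerty"),                         # third failure -> locked
               guard.attempt("alice", "correct horse battery staple")]   # still locked
    clock.now = 61.0
    results.append(guard.attempt("alice", "correct horse battery staple"))  # window expired -> ok
    return results


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'locked', 'locked', 'ok']
```

Two practical caveats: respond to unknown usernames exactly as to wrong passwords, otherwise the guard becomes an account enumeration oracle; and pair the per-account lockout with a per-source-IP rate limit, because an attacker spraying one common password across many accounts never trips a per-account counter.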

DoS and DDoS

Now we are going to have a look at DoS and DDoS attacks. DoS stands for denial of service and DDoS for distributed denial of service. The goal of these attacks is to knock the victim offline and make the targeted website unavailable to legitimate users.

Now let us look at how these attacks work. In a normal session, a client sends requests to a server and the server answers them with content. A denial of service attack works by sending far more requests than the server can handle, overloading its capacity so that it becomes unavailable and unable to respond to legitimate requests. Attackers leverage knowledge of protocols to maximise the effect, for example by choosing requests that are cheap to send but expensive to answer. Bandwidth-oriented attacks are measured by how much traffic they send at the target per second, in Mbps, Gbps or Tbps. However, not all attacks are bandwidth focused: some aim to exhaust a specific resource such as the server's connection table, CPU or application threads with a comparatively small amount of traffic.

So what is the difference between a DoS and a DDoS attack? Both work by flooding a network or server with requests until the site becomes inaccessible. A DoS attack uses a single machine to launch the attack, whereas a DDoS attack uses many machines. A DDoS attack typically uses malware to infect many computers and devices, which are then directed together as a botnet.


DDoS attacks use many compromised computers, organised as a botnet, to flood the target with requests.

What is the impact of a DDoS attack? The bots send so many requests that the server is overwhelmed; connections become so slow that sessions time out and are terminated. Once one site is unavailable, users may go to another site to find the content they were after. In 2016 users could not access high-profile sites such as Twitter, PayPal and CNN because of a DDoS attack on Dyn, the DNS provider these sites relied on.

DDoS attacks have become a growing form of cyber crime, and criminals are monetising the trend with DDoS-for-hire services, advertised on the dark web with promises to take competitors offline. In 2019 a 21-year-old pleaded guilty to operating the Satori botnet, offering DDoS-for-hire services built on hacked IoT devices. This botmaster had infected more than 800,000 devices including home routers, security cameras, webcams and online gaming platforms. The Satori-controlled bots would flood victims' systems with traffic, taking them offline.

These attacks are highly effective and can cause huge amounts of damage. A single attack can leave an organisation or individual offline for a substantial amount of time, causing loss of revenue, loss of communication and damage to reputation.

Let us now have a look at some of the motivations for DoS and DDoS attacks:

• Financial - a company may seek to take a competitor's website offline in order to drive traffic to its own. An online retailer going offline during an end-of-tax-year sale would suffer huge financial losses. In 2017 research by Kaspersky Lab revealed that more than 40% of businesses hit by DDoS attacks believed their competitors were behind it.

• Political - an organisation may want to take down the website of an opponent or opposing political group so they are unable to share their message. In 2014, citizens in Hong Kong were invited to vote in an unofficial referendum on constitutional voting reform that would allow all citizens to vote in elections. DDoS attacks targeted pro-democracy websites such as Popvote, with peak traffic reaching 500 Gbps.

• Hacktivists - cyber activists who take sites offline in the name of their own ideologies. These attacks are often framed as 'justice' delivered to an organisation the hacktivists feel wronged by. Anonymous is a hacktivist group that has been active for many years and has launched DDoS attacks against financial institutions in protest at what it sees as the evils of capitalism.
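Before looking at defences, here is the detection step in code, as an added example that is not part of the course material. It reads web server log lines (a constructed sample, not real traffic), buckets requests into ten-second windows, flags any window whose request rate is above an assumed baseline, and then applies the distinction made in this section: if one address accounts for most of the flood it is a single-source DoS and that address can simply be blocked, whereas a flood spread across hundreds of sources is a DDoS that needs upstream filtering. The baseline of 20 requests per second and the 50% single-source threshold are assumptions to tune per site.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BASELINE_RPS = 20          # assumed normal request rate for this hypothetical site
WINDOW_SECONDS = 10
SINGLE_SOURCE_SHARE = 0.5  # one address sending >= 50% of a flood is treated as a single-source DoS


def analyse(log_lines, baseline_rps=BASELINE_RPS, window_seconds=WINDOW_SECONDS):
    """Bucket requests into fixed windows, flag windows above the baseline rate and
    classify each flood as single-source (block the IP) or distributed (many IPs)."""
    per_window = defaultdict(Counter)
    for line in log_lines:
        ts, ip, _method, _path = line.split()
        bucket = int(datetime.fromisoformat(ts).timestamp() // window_seconds)
        per_window[bucket][ip] += 1

    findings = []
    for bucket in sorted(per_window):
        sources = per_window[bucket]
        total = sum(sources.values())
        rps = total / window_seconds
        if rps <= baseline_rps:
            continue
        top_ip, top_count = sources.most_common(1)[0]
        if top_count / total >= SINGLE_SOURCE_SHARE:
            findings.append({"window": bucket, "rps": rps, "kind": "dos",
                             "sources": len(sources), "block": [top_ip]})
        else:
            # Too many sources to block individually: hand off to upstream filtering / scrubbing.
            findings.append({"window": bucket, "rps": rps, "kind": "ddos",
                             "sources": len(sources), "block": []})
    return findings


def constructed_logs():
    """Constructed sample log (not real traffic): 10 s of normal traffic, then a 10 s
    flood from one host, then a 10 s flood spread over 200 bot addresses."""
    t0 = datetime(2021, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset, ip):
        lines.append(f"{(t0 + timedelta(seconds=offset)).isoformat()} {ip} GET /index.html")

    for i in range(20):                       # 5 clients, 4 requests each: 2 requests/s
        add(i % 10, f"203.0.113.{i % 5 + 1}")
    for i in range(800):                      # single attacker: 80 requests/s
        add(10 + i % 10, "198.51.100.7")
    for i in range(800):                      # 200 bots, 4 requests each: 80 requests/s
        add(20 + i % 10, f"192.0.2.{i % 200 + 1}")
    return lines


if __name__ == "__main__":
    for finding in analyse(constructed_logs()):
        print(finding)
```

Both floods have the same rate, so a pure bandwidth threshold cannot tell them apart; it is the source distribution that decides the response. In production the baseline should come from the site's own history rather than a constant, and a real detector would also watch for the non-bandwidth attacks mentioned above, for example a rising count of half-open connections.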


So how can you prevent and combat these forms of attack?

Detection: abnormal traffic flows can be detected and responded to early, before major damage is done.

Identify: DoS attacks are easier to combat because the victim can identify and block the IP address of the single attacker. DDoS attacks are harder to combat because of the sheer volume of traffic and the number of sources, and it is difficult to distinguish legitimate traffic from attack traffic.

Routing: organisations can avoid a single point of failure by spreading their servers across locations, or increase their bandwidth to make it more difficult for attackers to overwhelm the server.

Response plan: to be proactive, organisations should have a DDoS response plan in place before an attack, or arrange support from companies that specialise in DDoS mitigation.

Man-In-The-Middle Attacks

A man-in-the-middle (MITM) attack is a type of cyberattack where a malicious actor inserts themselves into a conversation between two parties. Generally, MITM attacks fall into two categories. Pure eavesdropping is a passive MITM. The more advanced configuration is an active MITM, where the attacker captures everything that passes between two devices and can also modify the data in transit.

A passive man-in-the-middle attack is basically eavesdropping online. Let us look at how this works. Two computers are sending and receiving data between each other, and a malicious actor positions themselves between them to receive data meant for someone else, without either party being aware of what is happening. The most common (and simplest) way of doing this is a passive attack in which the attacker makes free, malicious Wi-Fi hotspots available to the public. These hotspots are often named after their location and are not password protected. Once a victim connects to such a hotspot, the attacker can see every unencrypted exchange the victim makes; traffic protected by HTTPS or a VPN still reveals which hosts the victim is talking to, but not its contents.
Active MITM attacks often take place through email hijacking, where the attacker gains access to an email account and can send emails from the victim's account. Here is an example of a MITM attack: the attacker impersonates both sides of the conversation, allowing them to divert funds.

On a local network, an active MITM is commonly carried out with ARP spoofing. ARP spoofing is the process of linking the attacker's MAC address with the IP address of a legitimate host on the LAN (typically the gateway) using forged ARP messages. As a result, data the victim sends to that IP address is instead delivered to the attacker, who can read or alter it before forwarding it on.

In 2015, a cyber-criminal group in Belgium stole a total of €6 million by hacking into company emails using a man-in-the-middle attack. The hackers gained access to corporate email accounts and used them to request money from clients.

So how do we protect against a man-in-the-middle attack?
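One technical control against the ARP spoofing described above is to watch ARP replies on the LAN for the two symptoms of poisoning: an IP address whose MAC suddenly differs from its known binding, and a single MAC address answering for several IP addresses (the attacker must claim both the gateway and the victim to sit in the middle). The following is an added example, not code from the course; the capture of ARP replies and the LAN addresses are constructed.

```python
from collections import defaultdict


def detect_arp_spoofing(arp_replies, trusted=None):
    """Watch ARP replies (sender IP, sender MAC) and report the two symptoms of poisoning:
    an IP whose MAC differs from its known binding, and one MAC answering for several IPs."""
    bindings = dict(trusted or {})      # ip -> mac; the first reply seen wins unless pre-seeded
    ips_by_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)

    alerts = []
    for ip, mac in arp_replies:
        mac = mac.lower()
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append(("mac-changed", ip, known, mac))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append(("multi-ip", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


# Constructed capture of ARP replies on a hypothetical LAN (not a real trace).
CAPTURE = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway
    ("192.168.1.10", "aa:bb:cc:00:00:10"),   # victim workstation
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # attacker claims to be the gateway
    ("192.168.1.10", "de:ad:be:ef:00:99"),   # attacker also claims to be the victim
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway replies again: no alert
]


def demo():
    # Seeding the gateway binding from a known-good source means a spoof of it
    # is caught even if the attacker's reply is the first one we ever see.
    return detect_arp_spoofing(CAPTURE, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On a real host the replies would come from a packet capture or from periodically reading the ARP cache (`ip neigh` on Linux, `arp -a` on Windows). A legitimate hardware replacement or DHCP reassignment also changes a binding, so treat "mac-changed" as something to investigate rather than proof of attack; a static ARP entry for the gateway removes the ambiguity for the address that matters most.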

- Avoid connecting to public and free Wi-Fi networks.

- Ensure strong router login credentials: not only must they be changed from their default settings, the username should not be easily guessable and the password must be strong. This prevents an attacker logging in to the router and spying on the communications passing through it.

- Use a VPN connection to add another layer of security. A VPN sets up an encrypted tunnel between your device and the VPN server, so anyone on the local network, including a rogue hotspot, sees only encrypted traffic.

- Enforce HTTPS connections. HTTP is the primary protocol used to send data between a web browser and a website. However, plain HTTP communications are not protected and are open to interception and modification, making them targets for MITM attacks. Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP: it runs HTTP over TLS, which encrypts the data in transit and lets the browser verify the identity of the server it is talking to. This is particularly important when users transmit sensitive data, such as when logging in to a bank account, email service or health insurance provider.

2.6 Social Engineering

So what is phishing? Phishing works by impersonating a trustworthy party to gain access to sensitive data or to install malware on a victim's machine. It relies on manipulation: the user assumes the content is legitimate and that its author has legitimate authority. The attacker uses social engineering tactics to fool you into thinking it is safe. Humans are, by nature, trusting and often fall prey to manipulation online, which is a major risk to cybersecurity. This is what a common phishing scam might look like:

- The user receives an email that appears to come from a known contact or company, such as a bank

- The email includes an attachment, which may carry malware such as a trojan, or a link to a fake website

- Once the user has clicked the link they are directed to a fake website that looks authentic, using logos and references to legitimate company details

- The fake website then asks the user to fill out a form with personal information, passwords or credentials

- The personal information is now compromised and in the hands of the threat actor, who can use it for their own malicious ends


PayPal is often used as a front for phishing scams. One example email has the subject line 'You've added a new address to your account'. The recipient is then advised that if they didn't add this address they must let PayPal know straight away so that no one gets into their account without their knowledge. Unsuspecting users are sent to a fake PayPal-branded website that looks legitimate and asks them to enter their credentials. After they have 'logged in' they are asked to update their billing address and payment information. The cyber criminal now has their login credentials, address, mobile number and credit card details.

So why is phishing so effective? According to Verizon's 2019 Data Breach Investigations Report, 32% of all breaches involved phishing, which shows how effective it is. Here are some of the social engineering factors that contribute to its success:

- Authority: users see legitimate company names and logos and believe the company has the authority to ask for the information. Users trust big companies and corporations, and phishing scams prey on this trust

- Familiarity: users recognise well-known company branding and believe the message to be legitimate

- Urgency: phishing emails often use intimidation tactics and 'better act now' headlines. They scare users into believing their data has been compromised or their password has been leaked, or advertise a once-in-a-lifetime deal with big savings or a competition with a quick win. They use dramatic language: a warning in the subject line, a threat that the account will be suspended.

There are three main types of phishing, which vary according to their target. General phishing is generic and targets a large audience. Spear phishing targets an individual; attackers often research the target on social media, finding out where they work and other personal details so the communication seems more authentic. According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. Whaling targets high-profile executives such as the CEO. An example would be an attacker posing as the company's chief financial officer and asking the CEO to confirm and approve a transaction and forward it to the finance department; the attacker can then change the account details so the money is transferred to their own account. Another type of targeted attack is a watering hole attack, where an attacker compromises websites that they know the targets frequent.

So how do we detect a phishing email?


There are often certain details you can spot in a phishing email; however, some are very sophisticated and replicate the real company's emails very well.

1. Just because it says it is from a person or company you trust, that does not mean it is legitimate. Always check the sender's email address and the spelling of the company's domain to confirm the true sender. If you are unsure about the domain, look up the company's real domain independently rather than trusting anything in the email, and do so before interacting with any of its links.

2. Check links BEFORE you click on them: hover over the link and check whether the destination is the legitimate website.

3. Look at the salutation. Phishing emails tend to use generic salutations such as 'dear valued customer', whereas legitimate organisations will usually address you by name.

4. Beware of urgent language and headlines. Phishing emails often create a sense of urgency to push users into clicking links and downloading attachments.

5. Beware of attachments, as these can contain malware. Attackers will try to trick you with enticing attachment names. If you are not expecting an attachment, do not open it.
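The five checks above, applied automatically to a raw email message as an added example (this is not code from the course). It parses the message with Python's standard email library, compares the sender's real domain with the brand it claims to be, performs the "hover" check by comparing each link's visible text with where its href actually goes, looks for a generic salutation and urgent phrases, and lists any attachments. The sample message is constructed in the style of the Dropbox lure discussed later in this section, and the trusted domain, phrase lists and naive domain handling are assumptions to adapt.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the brand this message claims to come from. A real filter would key this
# off the display name or the organisation's own allow-list.
TRUSTED_DOMAINS = {"dropbox.com"}
URGENCY_PHRASES = ("immediately", "suspended", "within 24 hours", "act now", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear valued customer", "dear user", "dear account holder")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over a link would reveal."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    # Naive: takes the last two labels, so "www.dropbox.com" -> "dropbox.com".
    # Multi-part suffixes such as .co.uk would need a public-suffix list.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_email(raw: str):
    """Apply the five checks from the text to a raw RFC 5322 message; return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: does the address really belong to the company named in the display name?
    for addr in (msg["From"].addresses if msg["From"] else ()):
        if registered_domain(addr.domain) not in TRUSTED_DOMAINS:
            findings.append(f"sender domain {addr.domain} is not a trusted domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    # 2. Links: compare where the link really goes with what it shows (the hover check).
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) not in TRUSTED_DOMAINS:
            findings.append(f"link shown as '{visible}' actually points to {host}")

    text = re.sub(r"<[^>]+>", " ", html).lower()
    # 3. Salutation.
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append("generic salutation")
    # 4. Urgent language.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgent language: " + ", ".join(hits))
    # 5. Attachments.
    for part in msg.iter_attachments():
        findings.append(f"unexpected attachment: {part.get_filename()}")
    return findings


# Constructed sample in the style of the Dropbox lure discussed in the text (not a real message).
SAMPLE = """\
From: "Dropbox Support" <dropbox.support.team@gmail.com>
To: someone@example.org
Subject: WARNING: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>Your Dropbox account will be suspended within 24 hours. Please verify immediately:</p>
<p><a href="http://dropbox-secure-login.example.net/verify">https://www.dropbox.com/login</a></p>
</body></html>
"""


if __name__ == "__main__":
    for finding in check_email(SAMPLE):
        print("-", finding)
```

The link check is the one worth copying: the visible text is a perfectly good Dropbox URL, and only the href reveals the real destination, which is exactly what hovering shows a human. Note that a display name is free text and the From address itself can be forged; SPF, DKIM and DMARC results in the received headers are the stronger signal a mail gateway would add to these checks.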

Now let us have a look at this email, interact with it and see if we can spot any signs that it is a phishing email.

• Firstly, by hovering over the sender details, we can see that the email domain is @gmail.com rather than the company's own domain, and the company name has been misspelt

• When we look at the salutation we can see it is vague and does not directly greet the recipient

• As you read the email you can see that the language is used to create a sense of urgency and scare the recipient

• There are several spelling errors and poor grammar throughout.

• Before clicking on the link, you can hover over it and see that it does not take you to the legitimate Dropbox website.

So how do we combat phishing?

• A lot of it comes down to user education and teaching people what to look out for.

• Businesses and individuals should invest in email filtering and antivirus software that screens incoming mail and blocks known malicious links and attachments, reducing the chance of users clicking on them

• A quote from Ronald Reagan summarises the approach to phishing scams: 'trust but verify'. Be cautious and investigate links and urgent requests

• To build awareness, individuals and businesses should report phishing scams, so that organisations become aware of the sender addresses and lures in circulation.


2.7 Zero-Day Vulnerabilities

In this video we will be looking at zero-day vulnerabilities. So what is a zero-day vulnerability? It is a security flaw in software, hardware or firmware that has been discovered but not yet patched. Such vulnerabilities expose the software to exploitation by cybercriminals; we can compare it to a thief sneaking in through a back door that was accidentally left unlocked. The term 'zero-day' refers to a newly discovered vulnerability for which there is no official patch or update: the developers have had 'zero days' to fix the problem. In practice there is a window of exposure: once the vulnerability becomes known, the vendor has to act promptly to fix it before attackers manage to exploit the weakness. An attack that exploits the flaw before a patch is available is a zero-day attack, and it is often a race between the vendor working to release a patch and threat actors trying to exploit the flaw. Let us review the life cycle of a zero-day vulnerability.

• It begins with a vendor developing software. The developer is not aware that the software contains a vulnerability.

• The next stage is discovery, where a threat actor finds the zero-day vulnerability. These are often advertised and sold on dark web forums.

• The threat actors then plan an attack by creating exploits and targeting systems that are vulnerable.

• Once the vendor becomes aware of the vulnerability they can work on a patch, ideally before an attack takes place.

• Finally, the vendor creates and distributes an update to patch the vulnerability.

Why are they so effective? Zero-day exploits are often reserved for high-profile, high-value targets such as banks and governments, because the attacks tend to have a high success rate. Because of the window of exposure, zero-day exploits give threat actors time to inflict damage unnoticed, often for a long period, since no one is looking for a flaw that is not yet known. Funding and resources: zero-day exploits are often sold on the dark web for large sums of money, and the threat actors who make these purchases generally have the funds and resources to carry out highly sophisticated and effective attacks.


Zero-day exploits are often difficult to detect because no attack signature exists, so they cannot be picked up by signature-based intrusion detection systems (IDSes) and intrusion prevention systems (IPSes). Successful detection often comes from user behaviour analytics and looking for unusual activity that does not follow the normal pattern. In a 2018 survey by the Ponemon Institute, 76% of successful attacks on the organisations surveyed were attributed to zero-day exploits. Cyber criminals are not the only ones who take advantage of zero-day vulnerabilities; government intelligence agencies have also used them for their own political ends.

Now let us have a look at a highly sophisticated zero-day attack that targeted Iran's nuclear infrastructure. In 2010, Stuxnet, a worm that exploited several previously unknown Windows zero-day vulnerabilities, was discovered. Stuxnet went undetected for a long time and the Iranian monitoring systems did not pick up the malware until it was too late. This is how it happened:

1) The attackers targeted the Windows computers used at the facility, having found vulnerabilities in them that could be exploited

2) Stuxnet, a worm, was introduced via USB drives (the facility's network was isolated from the internet) and exploited zero-day vulnerabilities in the Microsoft Windows OS to spread

3) From the Windows hosts the worm reached the Siemens industrial control software used to program the plant's controllers (PLCs), giving the malware highly privileged access to the process

4) The malware manipulated the speed of the centrifuges while reporting normal readings to the operators, causing the centrifuges to wear themselves out and fail

So how do we protect against zero days attacks?

1) Use only essential applications. The more software you run, the more vulnerabilities you are exposed to; you can reduce the risk by keeping the number of installed applications to a minimum.

2) Keep up to date with patches and updates. A patch closes the window of exposure for a vulnerability once it is known, so applying updates promptly makes systems less susceptible to attack.

3) Behaviour-based detection. Zero-day exploits are dangerous because antivirus software does not yet have signatures for them. More advanced endpoint protection instead detects malware through behaviour analysis, logging suspicious patterns of activity (for example a document reader spawning a command shell) to identify malware it has never seen before.

4) Ensure users practise cybersecurity hygiene. A culture of cybersecurity, including raising user awareness of attacks, helps just as much as the security solutions the organisation deploys.