1.4 - Given a scenario, analyze potential indicators associated with network attacks Flashcards

Given a scenario, analyze potential indicators associated with network attacks.

1
Q

Evil twin

A

-rogue AP broadcasting a name (SSID) identical or similar to the legit network
-looks legit but is malicious; usually placed closer to victims or transmitting at higher power so clients prefer it over the real APs
-wireless version of phishing
-users tricked into connecting (many clients auto-join a remembered SSID)
-perp can intercept/manipulate the user's net. traffic
-can compromise data, steal creds, eavesdrop, monitor the victim's online activity, and carry out other mal. activity against connected clients

Indicators
-duplicate/similar SSID seen from an unknown BSSID (AP MAC) or on an unexpected channel
-unexpected auth/login attempts or certificate warnings
-unusual/inconsistent net. performance

Prevention
-use WPA3 encryption
-secure Wi-Fi config
-regularly monitor Wi-Fi (compare seen BSSIDs against the approved inventory)
-employee education
-implement EAP-TLS for auth (mutual certificate auth means a fake AP can't pass itself off as the real RADIUS server)
-WIPS (wireless intrusion prevention sys.)
-net. segmentation
-regular sec. audits

2
Q

Rogue access point

A

-unauthorized wireless AP on the org's network
-installed intentionally (perp) or unintentionally (employee wanting better Wi-Fi)
-easy to plug in, or to enable with the hotspot/sharing feature built into most OSs
-relatively easy to detect with software (scan for SSIDs/BSSIDs that aren't in the approved inventory)

Can provide:
->potential backdoor into the wired net.
->unauthorized net. access that bypasses perimeter controls
->exposure of sensitive data + resources
->ability to modify, insert, delete packets

Indicators
-unknown devices on the net.
-unusual SSIDs
-unexpected net. activity

Prevention/Detection
-wireless intrusion detection systems (WIDS)
-regular network scans
-scheduled periodic surveys/sec. audits
-walk around your building
-use 3rd-party tools/wireless sniffing apps
-consider 802.1X (net. access control)
->devices have to authenticate regardless of connection type, so a rogue AP plugged into a wall port gets no access
-net. monitoring tools
-access control policies
-disable unused switch ports
-wireless site surveys
-think before connecting to a free hotspot in public
-use VPNs or HTTPS

3
Q

Bluesnarfing

A

-unauthorized access to data on a victim's Bluetooth device (historically via flaws in the OBEX object-exchange profile on discoverable, unpatched devices; may not require the victim to accept a pairing)
-more dangerous than bluejacking because it can expose/alter the user's info rather than just push messages at them

Info stolen:
-contacts
-texts
-emails
-files

Indicators
-unexpected data access
-unusual/unknown Bluetooth connections or pairings
-battery drain
-device lag/slow performance

Prevention
-set Bluetooth to non-discoverable mode (or turn it off when not in use)
-update device firmware + review sec. settings
-be cautious in public spaces (the attack needs radio range)
-monitor Bluetooth connections; remove unknown paired devices
-sec. awareness training

4
Q

Bluejacking

A

-unsolicited msgs/data pushed to a device via Bluetooth (abuses the same object-push/contact-card feature a normal share uses)
-text msgs, contact cards (vCards), etc.
-functional distance ~10 meters (typical Class 2 range)
-relatively harmless on its own, but often a lead-in to social engineering or a sign the device is discoverable to a bluesnarfing attempt

Prevention
-bluetooth off when not in use
-don’t accept pairing reqs. from unknown devices
-don’t open files from strangers
-set device to nondiscoverable mode

5
Q

Disassociation

A

-a.k.a. deauthentication attack (deauth and disassociation are two different 802.11 management frames; both can be spoofed)
-target sys. forced off the AP it's using > sys. attempts to reconnect > perp gets a chance to set up a stronger evil twin, or to capture the 4-way handshake as the client re-authenticates (for offline PSK cracking)
-easiest way for perps to do this is to send spoofed deauthentication frames using the AP's BSSID as the source
-in WPA2 (and WEP/WPA) management frames are not authenticated unless 802.11w protected management frames (PMF) is enabled, so any station in range can forge them

Indicators
-clients suddenly disconnect (often many at once)
-repeated auth./reassociation requests in AP or WIDS logs
-spikes in deauth frame counts in wireless captures

Prevention
-802.11w (PMF) = required for 802.11ac certification
-use WPA3, which requires PMF and prevents this type of deauth attack from working
-strong encryption
-sus. activity monitoring
-WIDS/WIPS

6
Q

Jamming

A

-intentional interference: blocks all traffic in the range/frequency it's conducted against
-transmits a powerful signal to drown out legit traffic (DoS at layer 1)
-requires physical proximity to the target
-reactive jamming = transmits only when someone tries to communicate (harder to detect)
-diff. types (constant noise, random bits, well-formed legit-looking frames)
-generally prohibited by the FCC (US) and equivalent regulators elsewhere
-basically deliberate wireless interference (accidental interference from other devices looks similar and must be ruled out)

Indicators
-sudden net. outages
-increased packet loss/retransmissions
-slower net. performance
-high noise floor/low SNR in AP or spectrum-analyzer readings

Detection/Prevention
-proper equip. to hunt down the source (directional antenna, attenuator, spectrum analyzer)
-moving away/changing channel can make a difference
-locate + remove the jamming source OR boost the signal being jammed

7
Q

Radio frequency identification (RFID)

A

-short-range wireless tech. that uses a tag + reader to exchange info
-EX: toll booths, access badges, pet IDs, inventory tags
-reader's RF field powers the tag, tag transmits its ID back (bidirectional comm.)
-2 types: active = has its own power source, so its signal reaches over a large distance. passive = unpowered; activated by the signal sent from the reader (range of inches to a few meters)

Attacks
-capture data (sniffing the tag/reader exchange)
-view comm.
-replay attack (record a legit tag's response, play it back to the reader)
-DoS (jamming or flooding the reader)
-spoof reader -> write your own data to a writable tag (data manipulation)
-decrypt comm. -> many tag families ship with vendor default keys that are publicly documented
-PRIVACY = big concern (tags can be read without the holder noticing)
-tags can be cloned, modified, spoofed
-readers can be impersonated

8
Q

Near-field communication (NFC)

A

-set of standards for contactless comm. between devices (built on RFID)
-very short range (~4 cm; a few inches at most)
-threats require being in close proximity to the NFC device
-intercepting NFC traffic, replay attacks, spoofing

Security concerns
-remote capture (eavesdropping with a better antenna than the spec assumes)
-frequency jamming
-relay/replay attacks (e.g., relaying a payment card's responses to a distant reader)
-malicious code (a tag that launches a URL/app on tap)
-loss of NFC device control (stolen phone/card used for tap-to-pay)

Prevention
-NFC devices must ensure they don't respond to queries except when desired (screen unlocked, user confirms)
-encrypt sensitive data
-user awareness + malware prevention = key ctrls for malicious code

9
Q

Initialization vector (IV)

A

IV = random/non-repeating value supplied alongside the encryption key so that encrypting the same plaintext twice with the same key yields different ciphertext
-vulns. in the use/mgmt of IVs (too short, predictable, reused) lead to sec. issues even when the cipher itself is fine
-a type of nonce
-used for randomizing the encryption scheme
-used in block cipher modes (CBC, CTR), WEP, and some SSL/TLS implementations
-WEP used a 24-bit IV prepended to the shared key as the RC4 key > with enough captured traffic, IVs repeated (only ~16.7 million values) and certain "weak" IVs leaked key bytes > the RC4 key stream, and eventually the key, could be derived > all traffic on the net. could be decrypted

Attacks = exploit weaknesses in how IVs are used
-passive statistical analysis of captured traffic
-possible when the IV is too short, predictable, or not unique
-types: IV reuse, prediction, manipulation
-WEP IV attacks are historical since WPA2/WPA3 use per-packet keys with a 48-bit packet number, but IV misuse still breaks modern modes (CBC with predictable IVs, reused nonces in CTR/GCM)
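Added worked example (not part of the original flashcards) showing why IV reuse breaks a stream cipher, using the WEP construction described above: the per-packet RC4 key is the 24-bit IV prepended to the shared key, so two frames sent under the same IV share a keystream and C1 xor C2 = P1 xor P2. The key, IV values and the two frame payloads are constructed for the demo (the 8-byte LLC/SNAP header is the real predictable prefix of 802.11 data frames, which is what made known plaintext easy). RC4 is implemented here only to show the failure; it is broken and not for real use.

```python
"""IV reuse in a WEP-style RC4 construction: same IV + same key = same keystream."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) followed by `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: per-packet key = 24-bit IV + shared key; the IV is
    sent in the clear alongside the ciphertext. Decryption is the same call."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(rc4_keystream(iv + key, len(plaintext)), plaintext)


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two ciphertexts under the same IV+key: P2 = C1 xor C2 xor P1."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


def keystream_reused(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when the two frames were XORed with the same keystream."""
    n = min(len(c1), len(c2), len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def demo() -> dict:
    key = b"hypothetical-wep-key"   # hypothetical shared key, not a real credential
    iv = b"\x00\x00\x01"             # hypothetical IV, reused for two frames
    # Constructed sample frames behind a predictable LLC/SNAP header.
    header = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
    p1 = header + b"GET /index.html"   # frame whose content the attacker knows/guesses
    p2 = header + b"pin=1234 ok"       # frame the attacker wants to read
    c1 = wep_style_encrypt(iv, key, p1)
    c2 = wep_style_encrypt(iv, key, p2)                       # same IV: keystream reused
    c2_fresh = wep_style_encrypt(b"\x00\x00\x02", key, p2)    # fresh IV: no reuse
    return {
        "p2": p2,
        "recovered": recover_with_known_plaintext(c1, c2, p1),
        "leak_same_iv": keystream_reused(c1, c2, p1, p2),
        "leak_fresh_iv": keystream_reused(c1, c2_fresh, p1, p2),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered second frame:", result["recovered"])
    print("same-IV leak:", result["leak_same_iv"], " fresh-IV leak:", result["leak_fresh_iv"])
```

The point generalizes past WEP: any stream cipher or counter mode (CTR, GCM) with a repeated nonce under the same key has exactly this property, which is why modern protocols derive a fresh per-packet key or use a monotonically increasing packet number.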

10
Q

On-path attack (previously
known as man-in-the-middle attack/ man-in-the-browser attack)

A

-perp sits between two parties: redirects your traffic through their sys. > passes it on to the destination
-you never know your traffic was redirected
-perp can eavesdrop, alter comms/data, and pass it along
-can be used to conduct SSL stripping (downgrading HTTPS to HTTP on the victim's side of the connection)
-on an internal net. the perp needs a foothold on that net. (physical access or a compromised device), typically gained via ARP poisoning or a rogue/evil-twin AP
-DNS can be compromised + used to redirect the initial service request

Protection
-restrict access to wiring closets + switches (secure physical environ.)
-restrict DNS changes to admins (clients and ordinary users get read-only access)
-use encryption/secure protocols with certificate validation (HTTPS, HSTS, TLS)

MITB = man-in-the-browser attack, a newer type of on-path attack
-relies on a trojan inserted into the user's browser > trojan can access + modify info sent and received by the browser
-malware/trojan does all the proxy work
-trojan infects browser components (extensions/plug-ins)
-dangerous because it occurs at the app level on the user's sys., after TLS is decrypted, so it evades web app ctrls + transport encryption
-advantage to perps: no need to proxy encrypted traffic on the wire; everything looks normal to the victim

Chapple 389-391
Gibson 238-240
Weiss 31, 57-59

11
Q

Layer 2 attacks

A

-data link layer
-responsible for transferring frames between sys. on the same local net.
-switches make frame-forwarding decisions based on MAC addresses
-the OSI model lets each layer work without considering the others, so trust flows upward: if the physical layer is compromised, layer 2 suffers; if layer 2 is compromised (ARP/MAC attacks), the net. layer and everything above it are also compromised

12
Q

Address Resolution Protocol (ARP) poisoning (Layer 2 attacks)

A

-limited to attacks launched locally (ARP doesn't cross routers)
-perp needs physical access OR ctrl of a device on the local net.
-perp sends forged ARP replies so a device maps any IP (typically the default gateway or the victim) to the perp's MAC address
-can lead to: on-path attacks (perp poisons both victim and gateway, then forwards traffic), DoS (map the gateway to a non-existent MAC); related to MAC flooding

Detection
-tools like Wireshark (its "duplicate IP address detected" expert warning, or one MAC answering for several IPs)
-purpose-built net. sec. devices that perform protocol analysis + net. monitoring

Mitigation
-monitoring tools/IDS (intrusion detection sys.) > alert you when sus. activity occurs
-small net.
-> use static/script-based mappings for IPs + ARP tables
-large net.
-> use switch equipment that has port sec. and Dynamic ARP Inspection (validates ARP replies against DHCP snooping bindings)
-> permit only 1 MAC address for each physical port on the switch

13
Q

MAC cloning (Layer 2 attacks)

A

-perp changes their MAC address to match an existing device
-circumvents MAC filters and port-security rules keyed to that MAC
-creates DoS = disrupts comm. to the legit MAC (the switch learns the MAC on the perp's port)
-manipulated easily through software
-done by tools such as macchanger and iproute2 (ip link set dev eth0 address ...)
-difficult to detect

-NAC (net. access ctrl)/other machine authentication + validation tech. (802.1X, device certs) can help identify it, since a cloned MAC can't supply the real device's credentials

MAC randomization
-increasingly used by phones/laptops to preserve user privacy
-adds complexity for net. admins who use MACs to ascertain who was using a sys. when an event/incident happened
-net. admins may need more info (DHCP logs, 802.1X identity) to match users/sys./hardware addresses
-supposed to avoid collisions (when 2 devices select + use the same MAC address), but it is possible -> a collision is indistinguishable from a MAC cloning attack at first glance

14
Q

Domain hijacking

A

-unauthorized transfer/ctrl of a domain name
-get access to the domain registration -> you ctrl where its traffic flows
-can occur when domain ownership expires and someone else registers it
-direct attacks result from sec. issues with the domain registrar, social engineering, or the domain owner's admin portal
-get into the acct by brute force, social-engineering the pswd, or gaining access to the email address that manages the acct (password resets)
-perp can post mal. content from the domain, redirect the domain to another domain, sell the domain
-can intercept traffic, send/receive email as the domain, take actions appearing to be the legit domain holder

Detection/Prevention
-sec. tools/features provided by domain registrars to protect + monitor domains (registrar/transfer lock, MFA on the registrar acct, change notifications, auto-renew)
-monitor WHOIS/nameserver records for unexpected changes

15
Q

MAC flooding (Layer 2 attacks)

A

-targets switches by sending frames from so many source MAC addresses that the CAM/MAC table fills up
-tables have limited space > flooding triggers the default behavior of sending traffic out ALL ports when the destination is unknown (to keep traffic flowing) > perp then captures traffic meant for others
-effectively turns the switch into a hub

Prevention
-port security (limit learned MACs per port; shut down/restrict the port on violation)
-tools like NAC/other net. authentication + authorization tools
-VLANs (net. segmentation; flooding only affects the VLAN it's on)
-MAC address filtering
-net. monitoring (watch for sudden spikes in MAC table entries)

15
Q

DNS poisoning

A

-aka DNS cache poisoning > once a mal. DNS entry is in a sys. or resolver cache it keeps being used until the cache is purged or the record's TTL expires = poisoning can have longer-term impact EVEN IF it's discovered + blocked by an IPS/sec. device
->future requests by the computer will be redirected to fake IPs
->could be used to build a botnet
->can enable code injection exploits (victim fetches "updates" from the wrong host)
-can be difficult to detect
-perp provides a DNS response while pretending to be the authoritative DNS server (racing the real answer with forged ones)
-perp redirects traffic by changing the IP record for a domain > lets the perp send legit traffic anywhere they want
-perp conducting mal. activity can make it look like it was your DNS server

Two DNS server roles:
authoritative = holds the actual zone records and answers for the names in that zone
recursive = looks up names on behalf of clients, following referrals from the root down, and caches the answers

Mitigation
-DNSSEC can help by validating the origin of DNS info and ensuring DNS responses haven't been modified (signed records)
-check DNS setup if hosting your own server
-ensure your DNS server isn't an open recursive resolver: those answer lookup requests from anyone without checking where they originate, so attackers can trigger the lookups they want to poison (and abuse the server as a DDoS amplifier)
-use diff. servers for authoritative/recursive lookups
-require that caches discard records a server isn't responsible for ("bailiwick" check: only accept data for names under the zone the server answers for, e.g., .com servers for .com names, root servers for the TLDs)
-randomize transaction IDs + source ports so forged responses are unlikely to match an outstanding query
-user education
-MS Windows UAC (user acct ctrl) notifies the user when a program attempts to change sys. DNS settings
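Added worked example (not from the original flashcards): the checks a caching resolver applies before trusting a response, shown over constructed dict-based messages rather than DNS wire format. The resolver class, the zone names (bank.example, attacker.example) and the IP addresses are all made up for the demo. The poisoner's trick is to make the resolver look up a name in a zone the attacker controls, then answer it with an extra "additional" record for a victim name; the bailiwick check is what stops that record from entering the cache even when the attacker has guessed the transaction ID and source port correctly, and ID/port randomization is what makes guessing expensive in the first place.

```python
"""Transaction-ID, source-port and bailiwick checks in a toy caching resolver."""
import random


class Resolver:
    def __init__(self) -> None:
        self.cache = {}        # name -> rdata
        self.outstanding = {}  # (txid, port) -> (qname, zone we asked about)

    def send_query(self, qname: str, zone_asked: str) -> tuple[int, int]:
        """Record an outgoing query with a random 16-bit ID and random source port."""
        txid = random.randrange(65536)
        port = random.randrange(1024, 65536)
        self.outstanding[(txid, port)] = (qname, zone_asked)
        return txid, port

    @staticmethod
    def in_bailiwick(name: str, zone: str) -> bool:
        """A server for `zone` may only tell us about names at or below `zone`."""
        name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
        return name == zone or name.endswith("." + zone)

    def accept(self, response: dict) -> str:
        key = (response["id"], response["port"])
        if key not in self.outstanding:
            return "dropped: txid/port mismatch"
        qname, zone = self.outstanding.pop(key)
        if response["qname"].lower() != qname.lower():
            return "dropped: question mismatch"
        accepted = 0
        for name, rdata in response["answers"] + response["additional"]:
            if not self.in_bailiwick(name, zone):
                continue  # data for some other zone: never cache it
            self.cache[name.lower()] = rdata
            accepted += 1
        return f"accepted {accepted} record(s)"


def demo() -> dict:
    r = Resolver()
    # 1. Legit lookup: the real bank.example server answers for its own name.
    txid, port = r.send_query("www.bank.example", "bank.example")
    r.accept({"id": txid, "port": port, "qname": "www.bank.example",
              "answers": [("www.bank.example", "198.51.100.10")], "additional": []})
    # 2. Attacker induces a lookup in their own zone and (worst case) knows
    #    txid and port. The forged extra record targets the bank's name.
    txid, port = r.send_query("rnd1.attacker.example", "attacker.example")
    forged_lucky = {"id": txid, "port": port, "qname": "rnd1.attacker.example",
                    "answers": [("rnd1.attacker.example", "203.0.113.5")],
                    "additional": [("www.bank.example", "203.0.113.66")]}
    lucky = r.accept(forged_lucky)
    # 3. A blind guess with the wrong transaction ID is dropped outright.
    txid, port = r.send_query("rnd2.attacker.example", "attacker.example")
    forged_blind = dict(forged_lucky, id=(txid + 1) % 65536, port=port,
                        qname="rnd2.attacker.example")
    blind = r.accept(forged_blind)
    return {"lucky": lucky, "blind": blind, "cache": dict(r.cache)}


if __name__ == "__main__":
    out = demo()
    print(out["lucky"], "|", out["blind"])
    print(out["cache"])
```

Real resolvers add DNSSEC validation on top of this, which catches forged data even from a server that is in bailiwick; the checks here are the minimum that made the 2008 Kaminsky-style attack impractical.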

16
Q

Uniform Resource
Locator (URL) redirection

A

-redirection has legit uses (moved pages, login flows) BUT can be abused
-related local trick: insert an alternate IP into the sys. hosts file > the hosts file is checked before DNS when a sys. looks up a site, so the attacker's IP is used first; this makes it a powerful tool for perps
-typosquatting: register misspelled versions of a domain, then
->make $ from your mistakes > advertising
->sell the wrongly spelled domain to the ACTUAL owner (sell a mistake)
->redirect to a competitor (uncommon because of legal issues)
->host a phishing page that looks like the real site
-open redirect: a site that forwards users to whatever URL is in a parameter (e.g. ?next=) lets a perp build links that start on a trusted domain and land on a malicious one
-used for phishing, fraud, malware distribution

Prevention
-prevent offsite redirects by validating redirect URLs on the server side
-allowlist (whitelist) permitted redirect destinations
-verify legitimacy before clicking links
-hover over links to view the actual URL they point to + check it matches the expected destination
-modified hosts files can be checked manually
-monitored by sys. sec./antimalware tools
-most orgs' hosts files are never modified from the default > changes are easy to spot
-educate users
-avoid clicking shortened URLs (or expand them first)
-regularly review website settings

17
Q

Domain reputation

A

-assessment of a domain's trustworthiness (trusted email sender vs. sends a lot of spam)
-valuable tool in identifying + mitigating online threats
-helps orgs understand how their own domain is perceived
-orgs may assign scores for email senders using their own email sec. + antispam tools
-knowing which domains are deemed mal. helps with incident response + blocklisting ctrls
-infected sys. = noticed by search engines/browser safe-browsing lists > your domain can be flagged/removed
-users avoid the site > sales drop > users avoid your brand
-malware can be removed quickly BUT reputation recovery takes much longer

email reputation
-sus. activity or malware originating from the IP/domain drags the score down
-bad rep. may cause email delivery failures (rejected or dropped)

18
Q

Distributed denial-of-service (DDoS)

A

-launch an army of compromised computers to bring a service down (traffic spike uses up all bandwidth or server resources)
-many compromised devices (often forming a botnet) coordinate flooding a sys., net., or service
-DoS and DDoS often involve "reflection" and "amplification"

reflection = perp bounces traffic off legit 3rd-party services > spoofs the source address to be the victim's, so the replies go to the victim (also hides the perp's identity)

amplification = turns a small attack into a big one: a small request produces a much larger response. Makes the attack more potent + harder to mitigate. Uses protocols with little to no auth. checks, mostly UDP (NTP, DNS, ICMP)

Mitigation
-monitor net. traffic for unusual patterns
-rate limiting/blocking mal. traffic amplifiers
-secure your own servers + nets. so they can't be used as amplifiers (no open resolvers, disable NTP monlist) and filter spoofed source addresses leaving your net. (BCP 38)

19
Q

Network (DDoS) + 2 types

A

-use large-scale botnets
-two types: volume-based + protocol-based

volume-based
-focus on the sheer amount of traffic causing the DoS condition (measured in bps/pps)
-some rely on amplification techniques
-examples: UDP and ICMP floods

protocol-based
-focus on weaknesses in the underlying networking protocols/state tables
-SYN floods send the 1st step of the 3-way handshake (SYN, often from spoofed sources) + never respond to the SYN/ACK sent back > half-open connections consume TCP stack resources until they're exhausted and legit clients can't connect

Prevention
-ISP may provide a DDoS scrubbing/prevention service (by default or subscription)
-ensure your net. border sec. devices have DDoS prevention capabilities (SYN cookies, rate limits, connection-state limits)
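Added worked example (not from the original flashcards) of the half-open-connection logic behind SYN flood detection. It runs over constructed client-side packet records (source IP, source port, destination IP, destination port, TCP flag), not a real capture; the addresses are made up. A legit client's connection goes SYN then ACK and becomes established; a flooder's connections stay half-open. Two views are reported: per source (catches a single loud attacker) and per target port (catches a spoofed flood where every source appears only once).

```python
"""SYN flood indicators: half-open connections per source and per target."""
from collections import defaultdict

# Constructed sample: src,sport,dst,dport,flag (client-side packets only).
# 10.0.0.5 is a normal client; 198.51.100.7 floods; 192.0.2.x are spoofed sources.
SAMPLE = """\
10.0.0.5,40001,10.0.0.80,443,SYN
10.0.0.5,40001,10.0.0.80,443,ACK
10.0.0.5,40002,10.0.0.80,443,SYN
10.0.0.5,40002,10.0.0.80,443,ACK
198.51.100.7,1000,10.0.0.80,443,SYN
198.51.100.7,1001,10.0.0.80,443,SYN
198.51.100.7,1002,10.0.0.80,443,SYN
198.51.100.7,1003,10.0.0.80,443,SYN
192.0.2.11,5000,10.0.0.80,443,SYN
192.0.2.12,5000,10.0.0.80,443,SYN
192.0.2.13,5000,10.0.0.80,443,SYN
"""


def analyze(records: str, syn_threshold: int = 3, max_completion_ratio: float = 0.5) -> dict:
    """Track each 4-tuple through the handshake, then summarize half-open state."""
    state = {}  # (src, sport, dst, dport) -> "half_open" | "established"
    for line in records.strip().splitlines():
        src, sport, dst, dport, flag = line.split(",")
        key = (src, sport, dst, dport)
        if flag == "SYN":
            state.setdefault(key, "half_open")          # a repeated SYN is still one connection
        elif flag == "ACK" and state.get(key) == "half_open":
            state[key] = "established"                  # third step of the handshake
    per_src = defaultdict(lambda: [0, 0])               # src -> [half_open, established]
    per_target = defaultdict(int)                       # (dst, dport) -> half-open count
    for (src, _sport, dst, dport), st in state.items():
        per_src[src][0 if st == "half_open" else 1] += 1
        if st == "half_open":
            per_target[(dst, dport)] += 1
    suspects = {}
    for src, (half_open, established) in per_src.items():
        total = half_open + established
        if total >= syn_threshold and established / total < max_completion_ratio:
            suspects[src] = {"half_open": half_open, "established": established}
    return {"suspect_sources": suspects, "half_open_per_target": dict(per_target)}


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("suspect sources:", report["suspect_sources"])
    print("half-open per target:", report["half_open_per_target"])
```

In the sample the spoofed 192.0.2.x sources never cross the per-source threshold on their own, but the per-target count (7 half-open connections to 10.0.0.80:443) still shows the flood; a production detector would compare that count against a baseline and the backlog size of the server.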

20
Q

Application (DDoS)

A

-make the app break or work harder = increases downtime/costs (e.g., expensive search queries, repeated login attempts, slow HTTP requests that hold connections open)
-goal is to disrupt the app's availability/functionality, often with far less bandwidth than a volumetric attack because the requests look legit
-business interruptions, financial losses, reputational damage

Prevention
-traffic filtering
-rate limiting (per client/per endpoint)
-web app firewalls
-monitoring to detect abnormal behavior (request rates, error rates, slow connections)
-software patching
-user auth/access ctrls on expensive operations

21
Q

Operational technology (OT) (DDoS)

A

-hardware + software for industrial equip. (electric grids, traffic ctrl, water, manufacturing lines)
-attack attempts to disrupt/disable critical infra + ICS (energy, transportation, manufacturing sectors)
-OT gear typically has less reporting/mgmt and fewer sec. capabilities built in
-> detecting + responding has to be handled using external devices/tools
-risks to physical safety, production, economic stability
-EX: power grid drops offline, all traffic lights are green
-motives: financial gain, hacktivism, terrorism, state-sponsored cyber espionage/sabotage

Detection
-noticing that a device is unresponsive or appears to have fallen off the net.
-using external devices + tools (passive net. monitoring, since active scans can knock over fragile controllers)

Prevention
-secure ICSs
-net. segmentation (separate IT and OT zones)
-IDS
-monitoring for unusual activity
-robust incident response plans
-secure OT environ.
-design + architecture planning
-use isolated VLANs
-prevent unknown devices from being added to isolated VLANs
-limit ingress + egress of net. traffic

22
Q

Malicious code or script execution

A

-activating/running scripts + code designed to harm, exploit, or compromise computer sys., nets, apps
-happens locally or remotely via a net. connection
-leverages built-in tools ("living off the land") so nothing new has to be installed
->Windows: PowerShell + VBA (Office macros)
->Linux: Bash + Python

23
Q

PowerShell (Malicious code or script execution)

A

-built-in Windows scripting language (available by default)
-extends cmd-line functions
-task automation + config. mgmt
-allows remote + local execution, net. access, etc.
-often not monitored
-used to attack Win. sys., sys. administration, Active Directory domain administration, file share access

Indicators
-unexpected/unauthorized use (PowerShell spawned by Office apps or browsers, or run by a user who never scripts)
-code obfuscation to avoid detection (-EncodedCommand base64 blobs, string concatenation, nested FromBase64String)
-execution from uncommon directories/net. locations (Temp, AppData, Users\Public)
-attempts to bypass execution policies/sec. ctrls (-ExecutionPolicy Bypass, -NoProfile, -WindowStyle Hidden, download cradles like IEX + DownloadString)

Prevention
-turn on PowerShell Script Block Logging + Module Logging, and Win. command-line auditing (process creation events with the command line)
-Constrained Language Mode
->limits sensitive cmds (COM/.NET access) for non-admin scripts
-use Windows Defender Application Control (WDAC) or AppLocker
->to validate signed scripts + limit which modules/plug-ins can be run

24
Q

Python (Malicious code or script execution)

A

-wide use in app development and in exploit tooling
-general-purpose language
-used for cloud orchestration
->create/tear down app instances
-used to attack infra
->routers, servers, switches
-can be used to create persistent remote access using bind/reverse shells

Indicators
-unexpected/unauthorized script execution (python launched by a web server process, from a user's temp dir, etc.)
-obfuscated/encoded Python code (base64 blobs passed to exec/eval) to evade detection
-importing/using libraries + modules associated with mal. activity (raw sockets, pty/subprocess for shells, packet-crafting libraries) where they don't belong
-unexpected file, directory, or sys. settings modifications

Prevention
-code review
-net. monitoring (outbound connections from hosts that shouldn't initiate them)
-file integrity monitoring
-behavioral analysis to identify abnormal Python script behavior indicative of mal. activity

25
Q

Bash (Malicious code or script execution)

A

-Unix/Linux shell scripting
-used to attack Unix/Linux environ.
->web, database, virtualization servers
-controls the OS from the cmd line > malware has lots of options
-Metasploit = popular exploit framework
->includes payloads + post-exploitation modules written in/for each of these languages (PowerShell, Python, Bash), along with tooling to plant persistence such as rootkits

Identification
-chkrootkit + rkhunter help search for/identify rootkits

Prevention
-Bash has a built-in restricted mode ("restricted shell", rbash) > limits what users can do (no cd, no changing PATH, no output redirection); it is not a sandbox and is easily escaped if the user can run other programs

26
Q

Macros (Malicious code or script execution)

A

-popular on Windows (Office documents)
-automate functions in an app or OS
-make apps easier to use BUT can create sec. vulns.
-perps can create automated exploits
->user opens the file > is prompted to enable/run the macro > the macro drops or downloads malware

Prevention
-MS Office blocks macros in files from the internet by default (Mark of the Web) and disables the rest until a user enables them; don't let users enable unsigned macros
-educate users
-provide scanning of Office docs received by the org

27
Q

Visual Basic for Applications (VBA) (Malicious code or script execution)

A

-popular on Windows
-automates processes within Win. apps
-interacts with OS
-run arbitrary code embedded in doc.
-easy to infect comp.

28
Q

ARP

A

-address resolution protocol
-every net. card has a 48-bit MAC address (burned in, but changeable in software)
-the hardware address has to be associated with an IP for net. comms. to occur on the local segment
-operates at layer 2 (data link layer), bridging to layer 3 addressing
-maps IP addresses to MAC addresses
-consists of broadcast requests ("who has 10.0.0.1?") + unicast replies ("10.0.0.1 is at aa:bb:...") with no validation or authentication
-simplicity leads to lack of sec.
-devices accept ARP replies even when they didn't send a request > "unsolicited entry" (gratuitous ARP), which is exactly what ARP poisoning exploits