2.2 Common Threat Vectors Flashcards

1
Q

Threat vectors

A

A method used by the attacker
– Gain access to or infect the target
– Also called “attack vectors”
* A lot of work goes into finding vulnerabilities in these vectors
– Some are more vulnerable than others
* IT security professionals spend their careers watching these vectors
– Protect existing vectors
– Find new vectors

2
Q

Message-based vectors

A

Phishing attacks
– People want to click links
– Links in an email, links sent via text or IM
* Deliver the malware to the user
– Attach it to the email
– Scan all attachments, never launch untrusted links
* Social engineering attacks
– Invoice scams, cryptocurrency scams

3
Q

Image-based vectors

A

Easy to identify a text-based threat
– It’s more difficult to identify the threat in an image
* Some image formats can be a threat
– The SVG (Scalable Vector Graphic) format
– Image is described in XML (Extensible Markup Language)
* Significant security concerns
– HTML injection
– JavaScript attack code
* Browsers must provide input validation
– Avoids running malicious code

4
Q

File-based vectors

A

More than just executables
– Malicious code can hide in many places
* Adobe PDF
– A file format containing other objects
* ZIP/RAR files (or any compression type)
– Contains many different files
* Microsoft Office
– Documents with macros
– Add-in files

5
Q

Voice call vectors

A

Vishing
– Phishing over the phone
* Spam over IP
– Large-scale phone calls
* War dialing
– It still happens
* Call tampering
– Disrupting voice calls

6
Q

Removable device vectors

A

Get around the firewall
– The USB interface
* Malicious software on USB flash drives
– Infect air gapped networks
– Industrial systems, high-security services
* USB devices can act as keyboards
– Hacker on a chip
* Data exfiltration
– Terabytes of data walk out the door
– Zero bandwidth used

7
Q

Vulnerable software vectors

A

Client-based
– Infected executable
– Known (or unknown) vulnerabilities
– May require constant updates
* Agentless
– No installed executable
– Compromised software on the server would affect all users
– Client runs a new instance each time

8
Q

Unsupported systems vectors

A

Patching is an important prevention tool
– Ongoing security fixes
* Unsupported systems aren’t patched
– There may not even be an option
* Outdated operating systems
– Eventually, even the manufacturer won’t help
* A single system could be an entry
– Keep your inventory and records current

9
Q

Unsecure network vectors

A

The network connects everything
– Ease of access for the attackers
– View all (non-encrypted) data
* Wireless
– Outdated security protocols (WEP, WPA, WPA2)
– Open or rogue wireless networks
* Wired
– Unsecure interfaces - No 802.1X
* Bluetooth
– Reconnaissance, implementation vulnerabilities

10
Q

Open service ports

A

Most network-based services connect over a TCP or UDP port
– An “open” port
* Every open port is an opportunity for the attacker
– Application vulnerability or misconfiguration
* Every application has its own open port
– More services expand the attack surface
* Firewall rules
– Must allow traffic to an open port

11
Q

Default credentials

A

Most devices have default usernames and passwords
– Change yours!
* The right credentials provide full control
– Administrator access
* Very easy to find the defaults for your access point or router
– https://www.routerpasswords.com

12
Q

Supply chain vectors

A

Tamper with the underlying infrastructure
– Or manufacturing process
* Managed service providers (MSPs)
– Access many different customer networks from one location
* Gain access to a network using a vendor
– 2013 Target credit card breach
* Suppliers
– Counterfeit networking equipment
– Install backdoors, substandard performance and availability
– 2020 - Fake Cisco Catalyst switches

13
Q

Phishing

A

Social engineering with a touch of spoofing
– Often delivered by email, text, etc.
– Very remarkable when well done
* Don’t be fooled
– Check the URL
* Usually there’s something not quite right
– Spelling, fonts, graphics

14
Q

Business email compromise

A

We trust email sources
– The attackers take advantage of this trust
* Spoofed email addresses
– Not really a legitimate email address
– professor@professormessor.com
* Financial fraud
– Sends emails with updated bank information
– Modify wire transfer details
* The recipient clicks the links
– The attachments have malware

15
Q

Tricks and misdirection

A

How are they so successful?
– Digital sleight of hand - It fools the best of us
* Typosquatting
– A type of URL hijacking - https://professormessor.com
* Pretexting - Lying to get information
– Attacker is a character in a situation they create
– Hi, we’re calling from Visa regarding an automated payment to your utility service…

16
Q

Phishing with different bait

A

Vishing (Voice phishing) is done over the phone or voicemail
– Caller ID spoofing is common
– Fake security checks or bank updates
* Smishing (SMS phishing) is done by text message
– Spoofing is a problem here as well
– Forwards links or asks for personal information
* Variations on a theme
– The fake check scam, phone verification code scam, boss/CEO scam, advance-fee scam
– Some great summaries on https://reddit.com/r/Scams

17
Q

The pretext

A

Before the attack, the trap is set - There’s an actor and a story
* “Hello sir, my name is Wendy and I’m from Microsoft Windows. This is an urgent check up call for your computer as we have found several problems with it.”
* Voice mail: “This is an enforcement action executed by the US Treasury intending your serious attention.”
* “Congratulations on your excellent payment history! You now qualify for 0% interest rates on all of your credit card accounts.”

18
Q

Impersonation

A

Attackers pretend to be someone they aren’t
– Halloween for the fraudsters
* Use some of those details from reconnaissance
– You can trust me, I’m with your help desk
* Attack the victim as someone higher in rank
– Office of the Vice President for Scamming
* Throw tons of technical details around
– Catastrophic feedback due to the depolarization of the differential magnetometer
* Be a buddy - How about those Cubs?

19
Q

Eliciting information

A

Extracting information from the victim
– The victim doesn’t even realize this is happening
– Hacking the human
* Often seen with vishing (Voice Phishing)
– Can be easier to get this information over the phone
* These are well-documented psychological techniques
– They can’t just ask, “So, what’s your password?”

20
Q

Identity fraud

A

Your identity can be used by others
– Keep your personal information safe!
* Credit card fraud
– Open an account in your name, or use your credit card information
* Bank fraud
– Attacker gains access to your account or opens a new account
* Loan fraud
– Your information is used for a loan or lease
* Government benefits fraud
– Attacker obtains benefits on your behalf

21
Q

Protect against impersonation

A

Never volunteer information
– My password is 12345
* Don’t disclose personal details
– The bad guys are tricky
* Always verify before revealing info
– Call back, verify through 3rd parties
* Verification should be encouraged
– Especially if your organization owns valuable information

22
Q

Watering hole attack

A

What if your network was really secure?
– You didn’t even plug in that USB key from the parking lot
* The attackers can’t get in
– Not responding to phishing emails
– Not opening any email attachments
* Have the mountain come to you
– Go where the mountain hangs out
– The watering hole
– This requires a bit of research

23
Q

Executing the watering hole attack

A

Determine which website the victim group uses
– Educated guess - Local coffee or sandwich shop
– Industry-related sites
* Infect one of these third-party sites
– Site vulnerability
– Email attachments
* Infect all visitors
– But you’re just looking for specific victims
– Now you’re in!

24
Q

Because that’s where the money is

A

January 2017: Polish Financial Supervision Authority, National Banking and Stock Commission of Mexico, state-owned bank in Uruguay
– The watering hole was sufficiently poisoned
* Visiting the site would download malicious JavaScript files
– But only to IP addresses matching banks and other financial institutions
* Did the attack work?
– We still don’t know

25
Q

Watching the watering hole

A

Defense-in-depth
– Layered defense
– It’s never one thing
* Firewalls and IPS
– Stop the network traffic before things get bad
* Anti-virus / Anti-malware signature updates
– The Polish Financial Supervision Authority attack code was recognized and stopped by generic signatures in Symantec’s anti-virus software

26
Q

Misinformation/disinformation

A

Disseminate factually incorrect information
– Create confusion and division
* Influence campaigns
– Sway public opinion on political and social issues
* Nation-state actors
– Divide, distract, and persuade
* Advertising is an option
– Buy a voice for your opinion
* Enabled through social media
– Creating, sharing, liking, amplifying

27
Q

Brand impersonation

A

Pretend to be a well-known brand
– Coca-cola, McDonald’s, Apple, etc.
* Create tens of thousands of impersonated sites
– Get into the Google index, click an ad, get a WhatsApp message
* Visitors are presented with a pop-up
– You won! Special offer! Download the video!
* Malware infection is almost guaranteed
– Display ads, site tracking, data exfiltration