Lesson 1: Comparing & Contrasting Attacks Flashcards
information security
refers to protection of available information or information resources from unauthorized access, attack, theft, or data damage
primary goals or functions of information security
- Prevention: personal information, company information, and information about intellectual property must be protected
- Detection: detection occurs when a user is discovered trying to access unauthorized data or after information has been lost
- Recovery: when there is a disaster or an intrusion by unauthorized users, system data can become compromised or damaged
assets
- Tangible assets: these are physical items, such as buildings, furniture, computer equipment, software licenses, machinery, inventory (stock), and so on
- Intangible assets: information resources, including IP, accounting information, plans and designs, and so on, can also include company’s reputation or brand
- Employees: human capital
data assets
- Product development, production, fulfilment, and maintenance
- Customer contact information
- Financial operations and controls (collection and payments of debts, payroll, tax, financial reporting)
- Legal obligations to maintain accurate records for a given period
- Contractual obligations to third parties (Service Level Agreements)
CIA Triad
- Confidentiality: certain information should only be known to certain people
- Integrity: data is stored and transferred as intended and that any modification is authorized
- Availability: information is accessible to those authorized to view or modify it
non-repudiation
subject cannot deny doing something, such as creating, modifying, or sending a resource
steps in establishing a security policy
- Obtain genuine support for and commitment to such policy throughout organization
- Analyze risks to security within organization. Risks are components, processes, situations, or events that could cause loss, damage, destruction, or theft of data or materials
- Implement controls that detect and prevent losses and procedures that enable organization to recover from losses (or other disasters) with minimum interruption to business continuity
- Review, test, and update procedures continually
information security roles and responsibilities
- Overall internal responsibility for security might be allocated to a dedicated department, run by a Director of Security or Chief Information Security Officer (CISO) | responsibility for security might have been allocated to an existing business unit, such as Information and Communications Technology (ICT) or accounting
- Managers may have responsibility for a domain, such as building control, ICT, or accounting
- Technical and specialist staff have responsibility for implementing, maintaining, and monitoring policy (notable job roles are Information Systems Security Officer [ISSO] and Cybersecurity Analyst [CySA])
- Non-technical staff have responsibility for complying with policy and with any relevant legislation
- External responsibility for security (due care or liability) lies mainly with directors or owners, though again, it is important to note that all employees share some measure of responsibility
information security competencies
- Participate in risk assessments and testing of security systems and make recommendations
- Specify, source, install, and configure secure devices and software
- Set up and maintain document access control and user privilege profiles
- Monitor audit logs, review user privileges, and document access controls
- Manage security-related incident response and reporting
- Create and test business continuity and disaster recovery plans and procedures
- Participate in security training and education programs
vulnerability
- weakness that could be triggered accidentally or exploited intentionally to cause a security breach
- ex:
- Improperly configured or installed hardware or software
- Delays in applying and testing software and firmware patches
- Untested software and firmware patches
- Misuse of software or communication protocols
- Poorly designed network architecture
- Inadequate physical security
- Insecure password usage
- Design flaws in software or operating systems, such as unchecked user input
threat
potential for a threat agent or threat actor (something or someone that may trigger a vulnerability accidentally or exploit it intentionally) to “exercise” a vulnerability (that is, to breach security). Path or tool used by threat actor can be referred to as threat vector
risk
likelihood and impact (or consequence) of a threat actor exercising a vulnerability
control
system or procedure put in place to mitigate risk
attributes of threat actors
- Viruses
- Rootkits
- Trojans
- Botnets
- DDoS
- Specific software vulnerabilities
Script Kiddies, Hackers, and Hacktivists
- Hacker and attacker are related terms for individuals who have skills to gain access to computer systems through unauthorized or unapproved means
- Black Hat or cracker: malicious
- White Hat: non-malicious
- Script kiddie: someone that uses hacker tools without necessarily understanding how they work or having ability to craft new attacks
- Newbie (n00b): bare minimum of experience and expertise
- Hacktivist: groups using cyber weapons to promote political agenda | might attempt to obtain and release confidential information to public domain, perform Denial of Service (DoS) attacks, or deface websites
- Anonymous
- WikiLeaks
- LulzSec
Organized Crime and Competitors
- Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail
- Most competitor-driven espionage is thought to be pursued by nation-state backed groups, but it is not inconceivable that a rogue business might use cyber espionage against its competitors
Nation State Actors/Advanced Persistent Threats
- Nation states have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals
- Advanced Persistent Threat (APT): to understand behavior underpinning modern types of cyber adversaries | ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques
- Nation state actors have been implicated in many attacks, particularly on energy and health network systems
- Goals include espionage, strategic advantage, commercial gain (like North Korea)
- Nation state actors will work at arm’s length from state sponsoring and protecting them, maintaining “plausible deniability,” likely to pose as independent groups or even as hacktivists
Malicious Insider Threats
- Perpetrator of an attack is a member of, ex-member of, or somehow affiliated with organization’s own staff, partners, or contractors
- Computer Emergency Response Team (CERT) definition of malicious insider
- Current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of organization’s information or information systems
- CERT identifies main motivators for insider threats
- Sabotage
- Financial gain
- Business advantage
- Implementing operation and management controls (especially secure logging and auditing) is essential
Kill Chain
- several models for describing general process of an attack on systems security (following influential paper Intelligence-Driven Computer Network Defense)
- Planning/scoping: attacker determines what methods s/he will use to complete phases of attack
- Reconnaissance/discovery: attacker discovers what s/he can about how target is organized and what security systems it has in place
- Weaponization: phase in which attacker utilizes an exploit to gain access | comprised of several steps
- Exploit: run code on target system to exploit a vulnerability and gain elevated privileges. Point of access (a compromised computer or user account, for instance) referred to as pivot point
- Callback: establish covert channel to an external Command and Control (C2 or C&C) network operated by attacker
- Tool download: install additional tools to pivot to maintain covert access to system and progress attack
- Post-exploitation/lateral discovery/spread: if attacker obtains pivot point, next phase is typically to spread laterally to discover more privileged assets of interest
- Action on objectives: attacker typically uses access s/he has achieved to covertly copy information from target systems (data exfiltration). However, an attacker may have other motives or goals to achieve
- Retreat: once attacker has achieved his or her initial aims without being detected, s/he may either maintain an APT or seek to withdraw from network, removing any trace of his or her presence to frustrate any subsequent attempt to identify source of attack
Indicator
pattern of observables that are “of interest,” or worthy of cybersecurity analysis
Incident
pattern of indicators forming a discrete cybersecurity event. Incident is defined both by indicators involved and assets affected. Incident will be assigned a ticket and priority, and parties involved in response and incident handling will be identified
Tactics, techniques, and procedures (TTP)
known adversary behaviors, starting with overall goal and asset target (tactic), and elaborated over specific techniques and procedures. This information is used to identify potential indicators and incidents
Campaign and Threat Actors
adversaries launching cyber-attacks. Actions of Threat Actors that utilize multiple TTPs against same target or same TTP against multiple targets may be characterized as a campaign
Exploit Target
system vulnerabilities or weaknesses deriving from software faults or configuration errors
Course of Action (CoA)
mitigating actions or use of security controls to reduce risk from Exploit Targets or to resolve an incident
Passive reconnaissance
attacker can “cyber-stalk” his or her victims to discover information
Open Source Intelligence (OSINT)
publicly available information and tools for aggregating and searching
Deep web
any part of World Wide Web that is not indexed by search engine
Dark net
network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about existence of network or analyzing any activity taking place over network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity
Dark web
sites, content, and services accessible only over a dark net
Bitcoin currency
exploited as a means of extracting funds from victims without revealing threat actor’s identity
Threat Intelligence Resources
- Alien Vault https://www.alienvault.com/solutions/threat-intelligence
- SecureWorks https://www.secureworks.com/capabilities/counter-threat-unit
- FireEye https://www.fireeye.com/solutions/cyber-threat-intelligence-subscriptions.html
- Symantec http://symantec.com/security-intelligence
- Microsoft https://www.microsoft.com/en-us/wdsi
- DarkReading https://www.darkreading.com
- SANS https://www.sans.org/newsletters
Social Engineering
“Hacking the human” refers to means of getting users to reveal confidential information
Impersonation
- Pretending to be someone else is one of the basic social engineering techniques
- Familiarity/Liking
- natural charisma
- Consensus/Social Proof
- Refers to the fact that without an explicit instruction to behave in a certain way, many people will act just as they think others would act | for example, an attacker may be able to fool a user into believing that a malicious website is actually legitimate by posting numerous fake reviews and testimonials praising site
- Authority and Intimidation
- Many people find it difficult to refuse a request by someone they perceive as superior in rank or expertise
- Scarcity and Urgency
- Often deployed by salespeople, creating a false sense of scarcity or urgency can disturb people’s ordinary decision-making process | “limited time” or “invitation-only”
Dumpster diving
refers to combing through an organization’s (or individual’s) garbage to try to find useful documents (or even files stored on discarded removable media)
Shoulder surfing
refers to stealing a password or PIN (or other secure information) by watching user type it | use of high-powered binoculars or CCTV to directly observe target remotely
Lunchtime attack
if a user leaves a workstation unattended while logged on, an attacker can physically gain access to system
Tailgating
entering a secure area without authorization by following close behind a person that has been allowed to open door or checkpoint | piggybacking
Phishing
combination of social engineering and spoofing (disguising one computer resource as another)
Spear phishing
- phishing scam where attacker has some information that makes an individual target more likely to be fooled by attack
- Spear phishing attack directed specifically against upper levels of management in organization (CEOs and other “big beasts”) is sometimes called whaling
Vishing
phishing attack conducted through voice channel (telephone or VoIP, for instance)
SMishing
fraudulent SMS texts
Pharming
redirects users from a legitimate website to a malicious one
Watering hole attack
relies on circumstance that group of targets may use an unsecure third-party website
Hoaxes
security alerts or chain emails
Malicious code
undesired or unauthorized software, or malware, that is placed into a target to disrupt operations or to redirect system resources for attacker’s benefit
Boot sector viruses
attack disk boot sector information, partition table, and sometimes file system
Program viruses
sequences of code that insert themselves into another executable program. When application is executed, virus code becomes active. Executable objects can also be embedded or attached within other file types, such as document formats like Microsoft Word (DOC), Portable Document Format (PDF), and Rich Text Format (RTF)
Script viruses
scripts are powerful languages used to automate OS functions and add interactivity to web pages. Scripts are executed by an interpreter rather than self-executing. Most script viruses target vulnerabilities in interpreter. Note that some document types, such as PDF, support scripting and have become a common vector
Macro viruses
uses programming features available in Microsoft Office documents. Recent versions of Office enforce restrictions against enabling potentially dangerous content by default, but some users may have disabled these protections
Multipartite viruses
use both boot sector and executable file infection methods of propagation
what these types of viruses have in common is that they must infect a host file, which can be delivered via:
- Disk
- Network
- Email attachment
- IM attachment
Payload
- perform any action available to host process
- ex:
- a boot sector virus might be able to overwrite existing boot sector, an application might be able to delete, corrupt, or install files, and a script might be able to change system settings or delete or install files
Computer Worms
Memory-resident viruses that replicate over network resources | worm is self-contained; that is, it does not need to attach itself to another executable file | worms typically target some sort of vulnerability in an application, such as a database server or web browser. Primary effect of worm infestation is to rapidly consume network bandwidth as worm replicates. May be able to crash an operating system or server application (performing a Denial of Service attack). Like viruses, worms can also carry a payload that may perform some other malicious action, such as installing a backdoor
Trojan horse malware
- malware code concealed within an application package that the user thinks is benign, such as a game or screensaver | purpose not to replicate, but either to cause damage to a system or to give an attacker a platform for monitoring and/or controlling a system
- Rogueware or scareware
- fake anti-virus, where a web pop-up claims to have detected viruses on computer and prompts user to initiate full scan, which installs attacker’s Trojan
Remote Access (or Administration) Trojan (RAT)
- function as backdoor applications | mimic functionality of legitimate remote control programs, but are designed specifically for stealth installation and operation
- Allows attacker to access PC, upload files, and install software on it
- Could allow attacker to use computer in botnet, to launch Distributed Denial of Service (DDoS) attacks, or mass-mail spam
- Attacker must establish some means of secretly communicating with compromised machine (covert channel)
- Command and Control (C2 or C&C)
Spyware
- program that monitors user activity and sends information to someone else
- May also be able to take screenshots or activate recording devices, such as microphone or webcam
Keyloggers
actively attempt to steal confidential information; for example, as a user enters a credit card number into a webform, it records keystrokes, thereby capturing credit card number
- ex:
- KeyGhost hardware to perform keylogging
- KeyGrabber hardware to perform keylogging
Adware
type of software or browser plug-in that displays commercial offers and deals
Rootkits
- Many Trojans cannot conceal their presence entirely and will show up as a running process or service
- Represents a class of backdoor malware that is harder to detect and remove
- Rootkits work by changing core system files and programming interfaces
- Contain tools for cleaning system logs, further concealing presence of rootkit
- Most powerful rootkits operate in kernel mode, infecting a machine through a corrupted device driver or kernel patch
- Rootkits can reside in firmware (either computer firmware or firmware of any sort of adapter card, hard drive, removable drive, or peripheral device)
Ransomware
- type of Trojan malware that tries to extort money from victim
- uses payment methods, such as wire transfer, bitcoin, or premium rate phone lines to allow attacker to extort money without revealing his or her identity or being traced by local law enforcement
Crypto-malware
class of ransomware that attempts to encrypt data files on any fixed, removable, and network drives | if attack is successful, user will be unable to access files without obtaining private encryption key, which is held by attacker
Logic bomb
type of malware that is not triggered automatically | they wait for a preconfigured time or date (time bomb) | logic bombs also need not be malware code | a user might leave a scripted trap that runs in event his or her account is deleted or disabled. Anti-virus software is unlikely to detect this kind of malicious script or program; this is referred to as a mine