Module 6 - Tools and Targets Flashcards
Cyber Attack Outcome
tools and targets vary
- Function as an effective “first strike”
- Deny access to communication and information
Tools / Methods (Name 6)
- Spam and Phishing Attacks
- DDoS
- Botnets
- Fast Flux
- Domain Generation Algorithm
- Disclosing Information (method?)
Spam and Phishing Attacks
- Avg. click-through rate on these e-mails is approx. 10% (2010-2011)
- Individuals not real targets. (Unless spear phishing or whaling campaign.)
- For targeted campaigns, e-mails aren’t broadcast to everyone. They go to particular domain accounts, e.g., usernames@osd.mil, or to customers of a particular organization, e.g., a broad, sweeping e-mail labeled as Bank of America.
- Modern attacks route the resulting information through the victim, so that only a single IP address appears.
DDoS
- commoditized through tools such as LOIC.
Botnets
Hlux / Kelihos botnet - most in US (reliable)
Modified Botnets
- move away from single C2 server (centralized) to hybrid P2P (servant bots and client bots)
Botnets (Name 6)
- Zeus (3,600,000)
- BredoLab (30,000,000)
- Conficker (10,500,000)
- Mariposa (12,000,000)
- Coreflood (2,300,000)
- Cutwail (1,500,000)
Zeus
3,600,000 infections in US
- October 2010: FBI arrested more than 100 people for bank fraud and money laundering
- stole $70
- May 2011 source code made public
BredoLab
- 30,000,000 infections
- November 2011 Dutch seized 143 C2 servers
Conficker
10,500,000 infections
- July 2010 - suspected creator of “Butterfly bot” arrested.
Coreflood
- April 2011 - FBI had a court order issued for server shutdowns
Botnets for Hire
- Target: US Banking
- Weapon: Botnet zombie, HTTP and UDP requests
- Source: Infected UK website, Izz ad-Din al-Qassam Cyber Fighters (Iran?)
- Motive: film trailer mocking prophet Muhammad on YouTube (failure to remove)
Fast Flux (define)
Numerous IP addresses associated with a single, fully qualified domain name
IP addresses are swapped in and out with extremely high frequency, through changing DNS records
single & double
Single-flux vs double-flux
Single: Multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name.
Round-robin with short TTL
Double: Multiple nodes within the network registering and de-registering their addresses as part of the DNS Name Server record list for the DNS zone
Domain Generation Algorithm
- Used to periodically generate a large number of domain names to be used as rendezvous points with botnet controllers.
- Makes it difficult to track and effectively shut down botnets, as infected computers will attempt to contact some of these domain names every day to receive updates or commands.
Use of public key cryptography makes it impossible to mimic commands from the malware controllers
Examples:
Conficker, Murofet, BankPatch, Baboons
Domain Generation Algorithm (4 examples)
Conficker,
Murofet,
BankPatch,
Baboons
Disclosing Information
Purpose of Sharing:
- Cause embarrassment
- Inform fellow activists without direct communication
- Hope that someone – anyone – else will follow up
Doxing
Act of publishing private information about individuals or organizations on the Internet
Traditional Targets (Name 4 with goal)
- Government websites: show the security as being weak, publish its own message, obtain news coverage
- Defense systems: military advantage
- Financial systems
- Corporations with trade secrets
Banks as Targets - Changing Trends
- Attacks on banks are not limited to DDoS
- Percentage of attacks on U.S. banks which resulted in funds transfers:
  - 2009: 70%
  - 2011: 12%
  - Q1 & Q2 2012: 9%
- Tools: Trojans & phishing attacks
- Corporate customers targeted:
  - 2.1/1000 in Q1 & Q2 2012
  - 3.4/1000 in 2011
Non-Traditional Targets (2)
- SCADA
- power
SCADA
Supervisory Control and Data Acquisition systems
Used to control and monitor system processes
Industrial
Infrastructure
Facilities
Power industries (3)
Electrical
Atomic
Petrochemical (oil and gas)
Large Scale Assault Option
New missile emits microwaves to overload computers and electrical systems
Cost: $38 million