Threats, Attacks, Vulnerabilities Flashcards
Social Engineering with a touch of spoofing
- Often delivered by email, text, etc
- Very remarkable when well done
Usually there’s something that is not quite right
- Spelling, fonts, graphics
How are they so successful?
- Digital sleight of hand - it fools the best of us
Sending a false email pretending to be legitimate to steal valuable information from the user
Phishing
A type of URL hijacking
Typosquatting
Lying to get information
Attacker is a character in a situation they create
Hi, we’re calling from Visa regarding an automated payment to your utility service
Pretexting
Redirects a legit website to a bogus site
- Poisoned DNS server or client vulnerabilities
Harvest large groups of people
Difficult for anti-malware software to stop
Pharming
Voice phishing over the phone or voicemail
- Caller ID spoofing is common
- Fake security checks or bank updates
Attack through a phone or voice communications
Vishing
Done by text messages
- Spoofing is a problem here as well
- Forwards links or asks for personal information
Variations on a theme
- Fake check scam, phone verification code scam
- Boss/CEO scam, advance fee scam
Smishing
Gather information on the victim
Reconnaissance
Targeted phishing with inside information
- Makes the attack more believable
Attack that targets specific users
Spear Phishing
Spear Phishing the CEO
Attack on a powerful or wealthy individual
Whaling
Before the attack, the trap is set
- There’s an actor and a story
Attackers pretend to be someone they aren’t
- Halloween for fraudsters
Use some of those details from reconnaissance
Attack the victim as someone higher in rank
Throws tons of technical details around
Impersonation
Extracting information from the victim
- Victim doesn’t even realize this is happening
- Hacking the human
Often seen with vishing
- Can be easier to get this info over the phone
Well documented psychological techniques
Eliciting information
Your identity can be used by others
- Keep your personal information safe
Credit Card Fraud
- Open an account in your name, or use your credit card information
Bank Fraud
- Attacker gains access to your account or opens a new account
Loan Fraud
- Your information is used for a loan or lease
Government benefits fraud
- Attacker obtains benefits on your behalf
Identity Fraud
Mobile garbage bin
Important information thrown out with trash
Gather details that can be used for a different attack
- Impersonate names, use phone numbers
Timing is important
- Just after end of month, end of quarter
- Based on pickup schedule
If it is in the trash, it's open season
- Nobody owns it
Dumpsters on private property or “No Trespassing” signs may be restricted
- You can’t break the law to get rubbish
Dumpster Diving
You have access to important information
- Many people want to see
- Curiosity, industrial espionage, competitive advantage
This is surprisingly easy
- Airports/Flights
- Hallway-Facing Monitors
- Coffee Shops
Surf from afar
- Binoculars/Telescopes
- Easy in the big city
- Webcam monitoring
To prevent
- Control your input
- Use privacy filters
- Keep your monitor out of sight
- Don’t sit in front of me on your flight
Shoulder Surfing
Threat that does not actually exist
- But seems like it could be real
Still often consume lots of resources
- Forwarded email messages, printed memorandums, wasted time
Often an email
- Or Facebook wall post, tweet, etc
Some will take your money
- But not through electronic means
Can waste as much time as a regular virus
Spam filters can help
If it sounds too good to be true…
Hoaxes
Have the mountain come to you
- This requires a bit of research
Determine which website the victim group uses
- Educated guess - Local coffee or sandwich shop
- Industry related sites
Infect one of these third party sites
- Site vulnerability
- Email attachments
Infect all visitors
- But you’re just looking for specific victims
Defense-in-depth
- Layered defense
- It’s never one thing
Firewalls and IPS
- Stop the network traffic before things get bad
Anti-virus/Anti-malware signature updates
Watering Hole Attacks
Unsolicited messages
- Email, forums
- Spam over Instant Messaging (SPIM)
Various content
- Commercial advertising
- Phishing attempts
Significant technology issues
- Security concerns
- Resource utilization
- Storage costs
- Managing the spam
Unsolicited email
- Stop it on the gateway before reaching user
- On-site or cloud based
Allowed list
- Only receive email from trusted senders
SMTP standards checking
- Block anything that doesn’t follow RFC standards
SPAM
Sway public opinion on political or social issues
Nation-state actors
- Divide, distract, and persuade
Advertising is an option
- Buy a voice for your opinion
Embedded through social media
- Creating, sharing, liking
- Amplification
Influence Campaigns
Military strategy
- A broad description of the techniques
- Wage war non-traditionally
Not a new concept
- The internet adds new methods
Cyberwarfare
- Attack an entity with technology
Influence with a military spin
- Influencing foreign elections
- Fake News
Hybrid Warfare
Use an authorized person to gain unauthorized access to a building
- Not an accident
No tech hacking
- Blend in with clothing
- 3rd-party with a legitimate reason
- Temporarily take up smoking
Once inside, little to stop attacker
- Most security stops at the border
Policy for visitors
- You should be able to identify anyone
One scan, one person
- A matter of policy or mechanically required
Mantrap/Airlock
- You don’t have a choice
Don’t be afraid to ask
- Who are you and why are you here?
Tailgating
Starts with a bit of spear phishing
- Attacker knows who pays the bills
Attacker sends a fake invoice
- Domain renewal, toner cartridges
- From: address is spoofed version of CEO
Accounting pays the invoice
- It was from the CEO after all
Might include a link to pay
- Now the attacker has payment details
Invoice Scams
Also called password harvesting
- Attacker collects login credentials
There are a lot of stored credentials on your computer
- Chrome, Firefox, Outlook, etc
User received an email with malicious Word doc
- Opening document runs macro
- Macro downloads credential harvesting malware
User has no idea
- Everything happens in background
Credential Harvesting
The social engineer is in charge
- I’m calling from the help desk/office of the CEO/police
Authority - Social Engineering principle
There will be bad things if you don’t help
- If you don’t help me, the payroll checks won’t be processed
Intimidation - Social Engineering principle
Convince based on what’s normally expected
- Your coworker Jill did this for me last week
Consensus - Social Engineering principle
The situation will not be this way for long
- Must make the change before time expires
Scarcity - Social Engineering principle
Works alongside scarcity
Act quickly, don’t think
Urgency - Social Engineering principle
Someone you know, we have common friends
Familiarity - Social Engineering principle
Someone who is safe
- I’m from IT and here to help
Trust - Social Engineering principle
Operating system and browser based virus
Script virus
Stealth virus
- Does a good job of avoiding anti-virus detection
Operates in memory
- But never installed in a file or application
Steps:
1. User clicks on malicious website link
2. Website exploits a vulnerability
3. Launches PowerShell and downloads payload in RAM
4. Runs PowerShell scripts and executables in memory
5. Adds an auto-start to registry
Fileless virus
Malware that self-replicates
- Doesn’t need you to do anything
- Uses the network as a transmission medium
- Self-propagates and spreads quickly
- Can take over many systems very quickly
Firewalls and IDS/IPS can mitigate many infestations
- Doesn’t help much once it gets inside
Steps:
1. Infected computer searches for vulnerable system
2. Vulnerable computer is exploited
3. Backdoor is installed and downloads this
A self-contained infection that can spread itself through networks, emails, and messages
Worms
Attackers want your money
- They’ll take your computer in the meantime
May be a fake ransom
- Locks your computer “by the police”
Ransom may be avoided
- A security professional may be able to remove these kinds of malware
Protection tips:
Always have a backup
- An offline backup, ideally
Keep your OS up to date
- Patch those vulnerabilities
Keep your application up to date
- Security patches
Keep your anti-virus/anti-malware signatures up to date
- New attacks every hour
Denies access to a computer system or data until a ransom is paid
Can be spread through a phishing email or unknowingly infected website
Ransomware
A newer generation of ransomware
- Your data is unavailable until you provide cash
Malware encrypts your data files
- Pictures, documents, music, movies, etc
- Your OS remains available
- They want you running, but not working
You must pay the bad guys to obtain the decryption key
- Untraceable payment system
- An unfortunate use of public-key cryptography
Malicious program that encrypts programs and files on the computer in order to extort money from the user
Crypto-malware
Software that pretends to be something else
- So it can conquer your computer
- Doesn’t really care much about replicating
Circumvents your existing security
- Anti-virus may catch it when it runs
- The better ones are built to avoid and disable AV
Once it’s inside it has free rein
- And it may open the gates for other programs
Form of malware that pretends to be a harmless application
Trojans
Identified by anti-virus/anti-malware
- Potentially undesirable software
- Often installed along with other software
Overly aggressive browser toolbar
A backup utility that displays ads
Browser search engine hijacker
Potentially Unwanted Program (PUP)
Often placed on your computer through malware
- Some malware can take advantage of those created by other malware
Some software includes this
- Old Linux kernel included this
- Bad software can have this as part of app
Allows for full access to a system remotely
Backdoors
Remote Administration Tool
- The ultimate backdoor
- Administrative control of the device
Malware installs the server/service/host
- Attacker connects with the client software
Control a device
- Key logging
- Screen recording/screenshots
- Copy files
- Embed more malware
A remotely operated Trojan
Remote Access Trojans (RATs)
Originally a Unix technique
Modifies core system files
- Part of the kernel
Can be invincible in the OS
- Won’t see it in Task Manager
Also invisible to traditional anti-virus utilities
- If you can’t see it, you can’t stop it
Finding and removing:
Look for the unusual
- Anti-malware scans
Use a remover specific to this
- Usually built after this is discovered
Secure boot with UEFI
- Security in the BIOS
Backdoor program that allows full remote access to a system
Rootkits
Malware that spies on you
- Advertising, identity theft, affiliate fraud
Can trick you into installing
- Peer to peer, fake security software
Browser monitoring
- Capture surfing habits
Keyloggers - Capture every stroke
- Send it back to the mother ship
Protection:
Maintain your anti-virus/anti-malware
- Always have the latest signatures
Always know what you’re installing
- And watch your options during the installation
Where’s your backup?
- You might need it someday
Software that installs itself to spy on the infected machine and sends the stolen information over the internet back to the host machine
Spyware
Once the computer is infected, it becomes this
- You may not even know
How does it get on your computer?
- Trojan Horse
- You run a program that you thought was legit
- OS or application vulnerability
A day in the life
- Sit around and check in with the Command and Control (C&C) server and wait for instructions
AI that, when inside an infected machine, performs specific actions as part of a larger entity
Stopping these:
Prevent the initial infection
- OS and application patches
Anti-virus/anti-malware and updated signatures
Identify an existing infection
- On-demand scans, network monitoring
Prevent command and control (C&C)
- Block at the firewall
- Identify at the workstation with a host-based firewall or host-based IPS
Bot
Waits for a predefined event
- Often left by someone with a grudge
Time bomb
- Time or date
User event
Difficult to identify
- Difficult to recover if it goes off
Preventing these:
Difficult to recognize
- Each is unique
- No predefined signatures
Process and procedures
- Formal change control
Electronic monitoring
- Alert on changes
- Host-based intrusion detection, Tripwire, etc
Constant auditing
- An administrator can circumvent existing systems
A malicious program that lies dormant until a specific date or event occurs
Logic bombs
Try to login with an incorrect password
- Eventually you’re locked out
Attack an account with the top three (or more) passwords
- If they don’t work, move to the next account
- No lockouts, no alarms, no alerts
Spraying
Try every possible password combination until the hash is matched
Might take some time
- A strong hashing algorithm slows things down
Online:
Keep trying the login process
Very slow
Most accounts will lockout after a number of failed attempts
Offline:
Obtain the list of users and hashes
Calculate the password hash, compare it to a stored hash
Large computational resource requirement
Password-cracking program that tries every possible combination of characters A to Z
Brute Force
Use a dictionary to find common words
- Passwords are created by humans
Many common wordlists available on the ‘net
- Some are customized by language or line of work
The password crackers can substitute letters
This takes time
- Distributed cracking and GPU cracking is common
Discover passwords for common words
- This won’t discover random character passwords
Password attack that creates encrypted versions of common dictionary words and then compares them against those in a stolen password file
Guessing using a list of possible passwords
Dictionary attacks
Optimized, pre-built set of hashes
- Saves time and storage space
- Doesn’t need to contain every hash
- Contains pre-calculated hash chains
Remarkable speed increase
- Especially with longer password lengths
Need different tables for different hashing methods
- Windows is different from MySQL
Large pregenerated data sets of encrypted passwords used in password attacks
Rainbow tables
Stealing credit card information, usually during a normal transaction
- Copy data from the magnetic stripe
- Card number, expiration date, card holder’s name
Includes a small camera to watch for your pin
Attackers use the card information for other financial transactions
- Fraud is the responsibility of the seller
Always check before using card readers
Skimming
Get card details from a skimmer
- The clone needs an original
Create a duplicate of the card
- Looks and feels like the original
- Often includes the printed CVC
Can only be used with magnetic stripe cards
- The chip can’t be cloned
Cloned gift cards are common
- A magnetic stripe technology
Card cloning
Our computers are getting smarter
- They identify patterns in data and improve their predictions
This requires a lot of training data
- Face recognition requires analyzing a lot of faces
In use every day
- Stop spam
- Recommend products from an online retailer
- Prevents car accidents
Machine Learning
The chain contains many moving parts
- Raw materials, suppliers, manufacturers, distributors, customers, consumers
Attackers can infect any step along the way
- Infect different parts of the chain without suspicion
- People trust their suppliers
One exploit can infect the entire chain
Security:
Can you trust your new server/router/switch/firewall/software?
Use a small supplier base
- Tighter control of vendors
Strict control over policy and procedures
- Ensure proper security is in place
Security should be part of the overall design
- There’s a limit to trust
Supply chain attacks
Centralized and costs less
- No dedicated hardware, no data center to secure
Data is in a secure environment
- No physical access to the data center
- Third-party may have access to the data
- Automated signature and security updates
- User must follow security best practices
Limited downtime
- Extensive fault-tolerance and 24/7/365 monitoring
Scalable security options
- One-click security deployments
- This may not be as customizable as necessary
Cloud Based
Put the security burden with the client
- Data center security and infrastructure costs
Customize your security posture
- Full control when everything is in-house
On-site IT team can manage security better
- The local team can ensure everything is secure
- A local team can be expensive and difficult to staff
Local team maintains uptime and availability
- System checks can occur at any time
- No phone calls for support
Security changes can take time
- New equipment, configurations, and additional costs
On-Premise
You’ve encrypted data and sent it to another person
The attacker does not have the combination or key
- So they break the safe
Finding ways to undo the security
- There are many potential shortcomings
- Problem is often the implementation
Cryptographic attacks
In a digital world, this is a hash collision
- A hash collision is the same hash value for two different plaintexts
- Find a collision through brute force
The attacker will generate multiple versions of plaintext to match the hashes
- Protect yourself with a large hash output size
Used to find collisions in hashes and allows the attacker to be able to create the same hash as the user. Exploits that if the same mathematical function is performed on two values and the result is the same, then the original values are the same
Birthday attack
Hash digests are supposed to be unique
- Different input data should never create the same hash
When two different inputs produce the same hash value
Collisions
Instead of using perfectly good encryption, use something that’s not so great
- Force the systems to downgrade their security
Forces a system to lessen its security, this allows for the attacker to exploit the lesser security control. It is often associated with cryptographic attacks due to weak implementations of cipher suites. Example is TLS > SSL, a man-in-the-middle POODLE attack exploiting TLS v1.0 - CBC mode
Downgrade attack
Gain higher-level access to a system
- Exploit a vulnerability - Might be a bug or design flaw
Higher-level access means more capabilities
- This commonly is the highest-level access
- This is obviously a concern
These are high-priority vulnerability patches
- You want to get these holes closed very quickly
- Any user can be an administrator
Horizontal escalation
- User A can access User B’s resources
Mitigating escalation:
Patch quickly
- Fix the vulnerability
Updated anti-virus/anti-malware software
- Block known vulnerabilities
Data Execution Prevention
- Only data in executable areas can run
Address space layout randomization
- Prevent a buffer overrun at a known memory address
An attack that exploits a vulnerability that allows them to gain access to resources that they normally would be restricted from accessing
Privilege Escalation
Information from one site could be shared with another
One of the most common web application development errors
- Takes advantage of the trust a user has for a site
- Complex and varied
Malware that uses JavaScript
Protection:
Be careful when clicking untrusted links
- Never blindly click in your email inbox
Consider disabling JavaScript
- Or control with an extension
- This offers limited protection
Keep your browser and applications updated
- Avoid the nasty browser vulnerabilities
Validate input
- Don’t allow users to add their own scripts to an input field
Found in web applications, allows for an attacker to inject client-side scripts in web pages
Cross-site scripting (XSS)
Web site allows scripts to run in user input
- Search box is a common source
Attacker emails a link that takes advantage of this vulnerability
- Runs a script that sends credentials/session IDs/cookies to the attacker
Script embedded in URL executes in the victim’s browser
- As if it came from the server
Attacker uses credentials/session IDs/cookies to steal victim’s information without their knowledge
- Very sneaky
Non-persistent (reflected) XSS attacks
Attacker posts a message to a social media network
- Includes the malicious payload
It’s now “persistent” - Everyone gets the payload
No specific target - All viewers to the page
For social networking, this can spread quickly
- Everyone who views the message can have it posted to their page
- Where someone else can view it and propagates it further
Persistent (stored) XSS attack
Adding your own information into a data stream
Enabled because of bad programming
- The application should properly handle input and output
So many different data types
HTML, SQL, XML, LDAP, etc
Code Injection
Modifying SQL requests
- Your application shouldn’t really allow this
Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application
Is prevented through input validation and using least privilege when accessing a database
If you see ' OR 1=1; on the exam, it’s this
SQL Injection
Set of rules for data transfer and storage
Modifying XML requests
XML Injection
Created by the telephone companies
Now used by almost everyone
Modify LDAP requests to manipulate application results
LDAP Injection
A Windows library containing code and data
Many applications can use this library
Inject this and have an application run a program
- Runs as part of the target process
Allows for the running of outside code
DLL Injection
Overwriting a buffer of memory
- Spills over into other memory areas
Developers need to perform bounds checking
- Attackers spend a lot of time looking for openings
Not a simple exploit
- Takes times to avoid crashing things
- Takes time to make it do what you want
A really useful one of these is repeatable
- Which means that a system can be compromised
Too much data for the computer’s memory to buffer
A program attempts to write more data than can be held in a fixed block of memory
Buffer overflow
Useful information is transmitted over the network
- A crafty hacker will take advantage of this
Need access to the raw network data
- Network tap, ARP poisoning, malware on the victim computer
The gathered information may help the attacker
- Replay the data to appear as someone else
This is not an on-path attack
- The actual replay doesn’t require the original workstation
Avoid this type of attack with a salt
- Use a session ID with the password hash to create a unique authentication hash each time
This is a passive attack where the attacker captures wireless data, records it, and then sends it on to the original recipient without them being aware of the attacker’s presence
Replay Attacks
Client authenticates to the server with a username and hashed password
During authentication, the attacker captures the username and password hash
Attacker sends his own authentication request using the captured credentials
An authentication attack that captures and uses the hash of a password. The attacker then attempts to log on as the user with the stolen hash. This type of attack is commonly associated with the Microsoft NTLM protocol
Pass the Hash
Steps:
1. Victim authenticates to the server
2. Server provides a session id to the client
3. Attacker intercepts the session ID and uses it to access the server with the victim’s credentials
An attack in which an attacker attempts to impersonate the user by using their legitimate session token
Session hijacking
One click attack, session riding - XSRF, CSRF (sea surf)
Takes advantage of the trust that a web application has for the user
- The web site trusts the browser
- Requests are made without your consent or knowledge
- Attacker posts a Facebook status on your account
Significant web application development oversight
- The application should have anti-forgery techniques added
- Usually a cryptographic token to prevent a forgery
Steps:
1. Attacker creates a funds transfer request
2. Request is sent as a hyperlink to a user who may already be logged into the bank web site
3. Visitor clicks the link and unknowingly sends the transfer request to the bank web site
4. Bank validates the transfer and sends the visitor’s funds to the attacker
Unauthorized commands are sent from a user that is trusted by the website.
Allows the attacker to steal cookies and harvest passwords
Cross-site request forgery
Attacker finds a vulnerable web application
- Sends requests to a web server
- Web server performs the request on behalf of the attacker
Caused by bad programming
- Never trust the user input
- Server should validate the input and the responses
- These are rare, but can have critical vulnerabilities
Steps:
1. Attacker sends a request that controls a web application
2. Web server sends request to another service, such as cloud file storage
3. Cloud storage sends response to Web Server
4. Web Server forwards response to attacker
Server-side request forgery (SSRF)
Traditional anti-virus is very good at identifying known attacks
- Checks the signature
- Block anything that matches
There are still ways to infect and hide
- It’s a constant war
- Zero-day attacks, new attack types, etc.
Your drivers are powerful
- The interaction between the hardware and your operating system
- They are often trusted
- Great opportunity for security issues
Hardware interactions contain sensitive information
- Video, keyboard, mouse
Driver manipulation
Filling in the space between two objects
- A middleman
Windows includes this
- Backward compatibility with previous Windows versions
- Application Compatibility Shim Cache
Malware authors write their own
- Get around security
The process of injecting alternate or compensation code into a system in order to alter its operations without changing the original or existing code
Shimming
Metamorphic malware
- A different program each time it’s downloaded
Make it appear different each time
- Add NOP instructions
- Loops, pointless code strings
Can intelligently redesign itself
- Reorder functions
- Modify the application flow
- Reorder code and insert unused data types
Difficult to match with signature-based detection
- Use a layered approach
Rewrites the internal processing of code without changing its behavior
Refactoring
Combines an on-path attack with a downgrade attack
- Difficult to implement, but big returns for the attacker
Attacker must sit in the middle of the conversation
- Must modify data between victim and web server
- Proxy server, ARP spoofing, rogue Wi-Fi hotspot, etc.
Victim does not see any significant problem
- Except the browser page isn’t encrypted
This is a client and server problem
- Works on SSL and TLS
SSL Stripping
A programming conundrum
- Sometimes, things happen at the same time
- This can be bad if you’ve not planned for it
Time-of-check to time-of-use attack (TOCTOU)
- Check the system
- When do you use the results of your last check?
- Something might happen between the check and the use
The behavior of a software, electronic, or other system’s output is dependent on the timing, sequence of events, or factors out of the user’s control
Race Conditions
Unused memory is not properly released
Begins to slowly grow in size
Eventually uses all available memory
System crashes
Leaves the system unresponsive
Memory leak
Programming technique that references a portion of memory
Application crash, debug information displayed, DoS
Failed dereference can cause memory corruption and the application to crash
NULL Pointer dereference
Read files from a web server that are outside of the website’s file directory
Users shouldn’t be able to browse the Windows folder
Web server software vulnerability
- Won’t stop users from browsing past the web server root
Web application code vulnerability
- Take advantage of badly written code
Directory traversal
Errors happen
- And you should probably know about it
Messages should be just informational enough
- Avoid too much detail
- Network information, memory dump, stack traces, database dumps
This is an easy one to find and fix
- A development best-practice
The error messages display sensitive or private information that give the user too much data
Improper error handling
Many applications accept user input
- We put data in, we get data back
All input should be considered malicious
- Check everything. Trust nobody.
Allowing invalid input can be devastating
- SQL injections, buffer overflow, denial of service, etc.
It takes a lot of work to find input that can be used maliciously
- But they will find it
The system does not properly validate data, which allows an attacker to create input that is not expected
Leaves parts of the system vulnerable to unintended data
Improper input handling
Attackers look for vulnerabilities in this new communication path
- Exposing sensitive data, DoS, intercepted communication, privileged access
API attacks
A specialized DoS attack
- May only require one device and low bandwidth
A denial of service occurs when the resources needed to execute an action are expended, making it impossible for the action to be performed
Resource exhaustion
Unauthorized wireless access point
- May be added by an employee or an attacker
- Not necessarily malicious
- A significant potential backdoor
Very easy to plug in a wireless AP
- Or enable wireless sharing in your OS
Schedule a periodic survey
- Walk around your building/campus
- Use third-party tools/WiFi Pineapple
Consider using 802.1X (Network Access Control)
- You must authenticate, regardless of the connection type
An unauthorized WAP or Wireless Router that allows for attackers to bypass many of the network security configurations and opens the network and its users to attacks
Rogue Access Points
Looks legitimate, but actually malicious
- The wireless version of phishing
Configure an access point to look like an existing network
- Same (or similar) SSID and security settings/captive portal
Overpower the existing access points
- May not require the same physical location
WiFi hotspots (and users) are easy to fool
- And they’re wide open
You encrypt your communication, right?
- Use HTTPS and a VPN
Has same SSID as a proper access point (AP). Once a user connects to it, all wireless traffic goes through it instead of the real AP
Wireless Evil Twin
Sending of unsolicited messages to another device via Bluetooth
- No mobile carrier required!
Typical functional distance is about 10 meters
- More or less depending on antenna and interference
Third party software may also be used
Sending unauthorized messages to a Bluetooth device
Bluejacking
Access a Bluetooth-enabled device and transfer data
- Contact list, calendar, email, pictures, video, etc.
First major security weakness in Bluetooth
Serious security issue
- If you know the file, you can download it without authentication
Gathering unauthorized access to, or stealing information from a Bluetooth device
Bluesnarfing
Denial of Service
- Prevent wireless communication
Transmit interfering wireless signals
- Decrease the signal-to-noise ratio at the receiving device
- The receiving device can’t hear the good signal
Sometimes it’s not intentional
- Interference, not jamming
- Microwave oven, fluorescent lights
Jamming is intentional
- Someone wants your network to not work
RF jamming
Many different types
- Constant, random bits/Constant, legitimate frames
Data sent at random times
- Random data and legitimate frames
Reactive jamming
- Only when someone else tries to communicate
Needs to be somewhere close
- Difficult to be effective from a distance
Time to go fox hunting
- You’ll need the equipment to hunt down the jam
- Directional antenna, attenuator
Disabling a wireless frequency with noise to block the wireless traffic
Wireless jamming
It’s everywhere
- Access badges
- Inventory/Assembly line tracking
- Pet/Animal identification
- Anything that needs to be tracked
Radar technology
- Radio energy transmitted to the tag
- RF powers the tag, ID is transmitted back
- Bidirectional communication
- Some tag formats can be active/powered
Communicates with a tag placed in or attached to an object using radio signals
RFID
Data capture
- View communication
- Replay attack
Spoof the reader - Write your own data to the tag
Denial of Service - Signal jamming
Decrypt communication
- Many default keys are on Google
Can be jammed with noise interference, the blocking of radio signals, or removing/disabling the tags themselves
RFID Attacks
Two-way wireless communication
- Builds on RFID, which is mostly one-way
Payment systems
- Many options available
Bootstrap for other wireless
- NFC helps with Bluetooth pairing
Access token, identity “card”
- Short range with encryption support
Remote capture
- It’s a wireless network
Frequency jamming
- Denial of service
Relay/Replay attack
- On-path attack
Wireless technology that allows for smartphones and other devices to establish communication over a short distance
NFC Attack
A type of nonce
- Used for randomizing an encryption scheme
- The more random the better
Used in encryption ciphers, WEP, and some SSL implementations
A random number used to increase security by reducing predictability and repeatability
IV (Initialization Vector)
How can an attacker watch without you knowing?
- Formally known as man-in-the-middle
Redirects your traffic
- Then passes it to the destination
- You never know your traffic was redirected
On-path network attack
On-path attack on the local IP subnet
The act of falsifying the IP-to-MAC address resolution system employed by TCP/IP
Attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the local area network
- Allows an attacker to essentially take over any sessions within the LAN
Prevented by VLAN segmentation and DHCP snooping
ARP poisoning
What if the middleman was on the same computer as the victim?
- Malware/Trojan does all of the proxy work
- Formally known as man-in-the-browser
Huge advantages for the attackers
- Relatively easy to proxy encrypted traffic
- Everything looks normal to the victim
Malware in your browser waits for you to login to your bank
- And cleans you out
On-path browser attack
The MAC table is only so big
- Attacker starts sending traffic with different source MAC addresses
- Forces out the legitimate MAC addresses
The table fills up
- Switch begins flooding traffic to all interfaces
This effectively turns the switch into a hub
- All traffic is transmitted to all interfaces
- No interruption in traffic flows
Attacker can easily capture all network traffic!
Flooding can be restricted in the switch’s port security settings
MAC flooding
An attacker changes their MAC address to match the MAC address of an existing device
- A clone/spoof
Circumvent filters
- Wireless or wired MAC filters
- Identify a valid MAC address and copy it
Create a DoS
- Disrupt communication to the legitimate MAC
Easily manipulated through software
- Usually a device driver option
The attacker falsifies the MAC address of a device
MAC cloning/spoofing
Modify the DNS server
- Requires some crafty hacking
Modify the client host file
- The host file takes precedence over DNS queries
Send a fake response to a valid DNS request
- Requires a redirection of the original request or the resulting response
Type of attack that exploits vulnerabilities in the domain name system to divert internet traffic away from legitimate servers and towards fake ones
DNS poisoning
Get access to the domain registration, and you have control where the traffic flows
- You don’t need to touch the actual servers
- Determines the DNS names and DNS IP addresses
Many ways to get into the account
- Brute force
- Social engineer the password
- Gain access to the email address that manages the account
The act of changing the registration of a domain name without the permission of the victim
Domain hijacking
Make money from your mistakes
- There’s a lot of advertising on the ‘net’
Sell the badly spelled domain to the actual owner
- Sell a mistake
Redirect to a competitor
- Not as common, legal issues
Phishing site
- Looks like the real site, please login
Infect with drive-by download
Redirects the user to a false website based on misspelling the URL, and is also called typosquatting
URL hijacking
The internet is tracking your security posture
- They know when things go sideways
Email reputation
- Suspicious activity
- Malware originating from the IP address
A bad reputation can cause email delivery to fail
- Email rejection or simply dropped
Check with the email or service provider to check the reputation
- Follow their instructions to remediate
Infected systems are noticed by the search engines
- Your domain can be flagged or removed
Users will avoid the site
- Sales will drop
- Users will avoid your brand
Malware might be removed quickly
- Recovery takes much longer
Domain reputation
Launch an army of computers to bring down a service
- Use all the bandwidth or resources - traffic spike
This is why the attackers have botnets
- Thousands or millions of computers at your command
- At its peak, Zeus botnet infected over 3.6 million PCs
- Coordinated attack
Asymmetric threat
- The attacker may have fewer resources than the victim
Multiple different sources attack one victim
Network DDOS
Make the application break or work harder
- Increase downtime and costs
Overuse a measured cloud source
- More CPU/memory/network is more money
Increase the cloud server response time
- Victim deploys a new application instance - repeat
Application DoS
The hardware and software for industrial equipment
- Electric grids, traffic control, manufacturing plants, etc
This is more than a web server failing
- Power grid drops offline
- All traffic lights are green
- Manufacturing plant shuts down
Requires a different approach
- A much more critical security posture
Operational Technology (OT) DoS
Command line for system administrators
- .ps1 file extension
- Included with Windows 8/8.1 and 10
Extend command-line functions
- Uses cmdlets (command-lets)
- Standalone executables
Attack Windows systems
- System administration
- Active Directory administration
- File share access
Windows Powershell
General-purpose scripting language
- .py file extension
Popular in many technologies
- Broad appeal and support
Commonly used for cloud orchestration
- Create and tear down application instances
Attack the infrastructure
- Routers, servers, switches
Python
Scripting the Unix/Linux shell
- Automate and extend the command line
- Bash, Bourne, Korn, C
Starts with a shebang or hash-bang #!
- Often has a .sh file extension
Attack the Linux/Unix environment
- Web, database, virtualization servers
Control the OS from the command line
- Malware has a lot of options
Shell script
Automate functions within an application
- Or OS
Designed to make the application easier to use
- Can often create security vulnerabilities
Attackers create automated exploits
- They just need the user to open the file
- Prompts to run the macro
Macros
Automates processes within Windows applications
- Common in Microsoft Office
A powerful programming language
- Interacts with the operating system
VBA (Visual Basic for Applications)
More than just password on sticky notes
- Some are out for no good
Sophistication may not be advanced, but has institutional knowledge
- Attacks can be directed at vulnerable systems
- They know what to hit
Someone who is inside the company who has intricate knowledge of the company and how its network works. They can pinpoint a specific vulnerability and may even have access to multiple parts of the network
Insiders
Governments
- National security, job security
- Always an external entity
Highest sophistication
- Military control, utilities, financial control
Constant attacks
- Commonly an APT
These are massive security risks that can cost companies and countries millions of dollars. Nation states have very sophisticated hacking teams that target the security of other nations. They often attack military organizations or large security sites, and they also frequently attack power plants.
Nation states
A hacker with a purpose
- Social change or a political agenda
- Often an external entity
Can be remarkably sophisticated
- Very specific hacks
- DoS, web site defacing, release of private documents, etc
Funding is limited
- Some organizations have fundraising options
An individual who misuses computer systems for a socially or politically motivated agenda. They have roots in the hacker culture and ethics. A hacker on a mission.
Hacktivist
Runs pre-made scripts without any knowledge of what’s really happening
- Not necessarily a youngster
Can be internal or external
- But usually external
Not very sophisticated
No formal funding
- Looking for low hanging fruit
Motivated by the hunt
- Working the ego, trying to make a name
A person who uses pre-existing code and scripts to hack into machines, because they lack the expertise to write their own
Script kiddies
Professional criminals
- Motivated by money
- Almost always an external entity
Very sophisticated
- Best hacking money can buy
Crime that’s organized
- One person hacks, one person manages the exploits, another person sells the data, another handles customer support
Lots of capital to fund hacking efforts
These are professionals motivated ultimately by profit. They have enough money to buy the best gear and tech. Multiple people perform specific roles: gathering data, managing exploits, and one who actually writes the code
Organized crime/Criminal syndicate
Experts with technology
- Often driven by money, power, and ego
Authorized
- An ethical hacker with good intentions
- And permission to hack
Unauthorized
- Malicious, violates security for personal gain
Semi-authorized
- Finds a vulnerability, doesn’t use it
Hackers
Going rogue
- Working around the internal IT organization
IT can put up roadblocks
- Use the cloud
- Might also be able to innovate
Not always a good thing
- Wasted time and money
- Security risks
- Compliance issues
- Dysfunctional organization
Shadow IT
Many different motivations
- DoS, espionage, harm reputation
High level of sophistication
- Based on some significant funding
- The competitive upside is huge (and very unethical)
Many different intents
- Shut down your competitor during an event
- Steal customer lists
- Corrupt manufacturing databases
- Take financial information
Rival companies that can bring down the network or steal information through espionage
Competitors
Method used by the attacker
- Gain access to or infect the target
A lot of work goes into finding vulnerabilities in these vectors
- Some are more valuable than others
IT security professionals spend their careers watching these vectors
- Closing up existing vectors
- Finding new ones
Attack vectors
There’s a reason we lock the data center
- Physical access to a system is a significant attack vector
Modify the operating system
- Reset the administrator password in a few minutes
Attach a keylogger
- Collect usernames and passwords
Transfer files
- Take it with you
Denial of service
- This power cable is in the way
Direct access attack vectors
Default login credentials
- Modify the access point configuration
Rogue access point
- A less-secure entry point to the network
Evil twin
- Attacker collects authentication details
- On-path attacks
Wireless attack vectors
One of the biggest (and most successful) attack vectors
- Everyone has email
Phishing attacks
- People want to click links
Deliver the malware to the user
- Attach it to the message
Social engineering attacks
- Invoice scams
Email attack vectors
Tamper with the underlying infrastructure
- Or manufacturing process
Gain access to network using a vendor
Malware can modify the manufacturing process
Counterfeit networking equipment
- Install backdoors, substandard performance and availability
Supply chain attack vectors
Attackers thank you for putting your personal information online
- Where you are and when
- Vacation pictures are especially telling
User profiling
- Where were you born?
- What is the name of your school mascot?
Fake friends are fake
- The inner circle can provide additional information
Social media attack vectors
Get around the firewall
- The USB interface
Malicious software on USB flash drives
- Infect air gapped networks
- Industrial systems, high security services
USB devices can act as keyboards
- Hacker on a chip
Data exfiltration
- Terabytes of data walk out the door
- Zero bandwidth used
Removable media attack vectors
Publicly-facing applications and services
- Mistakes are made all the time
Security misconfigurations
- Data permissions and public data stores
Brute force attacks
- Or phish the users of the cloud service
Orchestration attacks
- Makes the cloud build new application instances
Denial of service
- Disable the cloud services for everyone
Cloud attack vectors
Research the threats - and the threat actors
Data is everywhere
- Hacker group profiles, tools used by the attackers, and much more
Make decisions based on this intelligence
- Invest in the best prevention
Used by researchers, security operations teams, and others
Threat intelligence
Open source
- Publicly available resources
- A good place to start
Internet
- Discussion groups, social media
Government data
- Mostly public hearings, reports, websites, etc
Commercial data
- Maps, financial reports, databases
Open-source intelligence (OSINT)
Someone else has already compiled the threat information
- You can buy it
Threat intelligence services
- Threat analytics, correlation across different data sources
Constant threat monitoring
- Identify new threats
- Create automated prevention workflows
Closed/proprietary intelligence
Researchers find vulnerabilities
- Everyone needs to know about them
Common Vulnerabilities and Exposures (CVE)
- A community managed list of vulnerabilities
- Sponsored by DHS and CISA
US National Vulnerability Database (NVD)
- Summary of CVEs
- Also sponsored by DHS and CISA
NVD provides additional detail over the CVE list
- Patch availability and severity scoring
Vulnerability databases
Public threat intelligence
- Often classified information
Private threat intelligence
- Private companies have extensive resources
Need to share critical security details
- Real-time, high-quality cyber threat information sharing
Cyber Threat Alliance (CTA)
- Members upload specifically formatted threat intelligence
- CTA scores each submission and validates across other submissions
- Other members can extract the validated data
Public/private information-sharing centers
Intelligence industry needs a standard way to share important threat data
- Share information freely
Structured Threat Information eXpression (STIX)
- Describes cyber threat information
- Includes motivations, abilities, capabilities, and response information
Trusted Automated eXchange of Indicator Information (TAXII)
- Securely shares STIX data
Automated indicator sharing (AIS)
Dark web
- Overlay networks that use the Internet
- Requires specific software and configurations to access
Hacking groups and services
- Activities
- Tools and techniques
- Credit card sales
- Accounts and passwords
Monitor forums for activity
- Company names, executive names
Dark web intelligence
An event that indicates an intrusion
- Confidence is high
- He’s calling from inside the house
Indicators
- Unusual amount of network activity
- Change to file hash values
- Irregular international traffic
- Changes to DNS data
- Uncommon login patterns
- Spikes of read requests to certain files
Indicators of Compromise (IOC)
Analyze large amounts of data very quickly
- Find suspicious patterns
- Big data used for cybersecurity
Identify patterns
- DNS queries, traffic patterns, location data
Creates a forecast for potential attacks
- An early warning system
Often combined with machine learning
- Less emphasis on signatures
Predictive analysis
Identify attacks and trends
- View worldwide perspective
Created from real attack data
- Identify and react
Threat maps
See what the hackers are building
- Public code repositories, GitHub
See what people are accidentally releasing
- Private code can often be published publicly
Attackers are always looking for this code
- Potential exploits exist
- Content for phishing attacks
File/code repositories
Vendors and manufacturers
- They wrote the software
They know when problems are announced
- Most vendors are involved in the disclosure process
They know their product better than anyone
- They react when surprises happen
- Scrambling after a zero-day announcement
- Mitigating and support options
Vendor websites
Watch and learn
- An early warning of things to come
Researchers
- New DDoS methods, intelligence gathering, hacking the latest technologies
Stories from the trenches
- Fighting and recovering from attacks
- New methods to protect your data
Building relationships - forge alliances
Conferences
Research from academic professionals
- Cutting edge security analysis
Evaluations of existing security technologies
- Keeping up with the latest attack methods
Detailed post mortem
- Tear apart the latest malware and see what makes it tick
Extremely detailed information
- Break apart topics into their small pieces
Academic journals
Published by the Internet Society (ISOC)
- Often written by the Internet Engineering Task Force (IETF)
Not all are standards documents
- Experimental, Best Current Practice, Standard Track, and Historic
Request for Comments (RFC)
Gathering of local peers
- Shared industry and technology, geographical presence
Associations
- Information Systems Security Association, Network Professional Association
- Meet others in the area, discuss local challenges
Industry user groups
- Cisco, Microsoft, VMware, etc
Local industry groups
Hacking group conversations - Monitor the chatter
Honeypot monitoring on Twitter
- Identify new exploits attempts
Keyword monitoring - CVE-2020-*, bugbounty, 0-day
Analysis of vulnerabilities - Professionals discussing the details
Command and control - Use social media as the transport
Social media
Monitor threat announcements - Stay informed
Many sources of information
Threat feeds
Tactics, techniques, and procedures
- What are adversaries doing and how are they doing it?
Search through data and networks
- Proactively look for threats
- Signatures and firewall rules can’t catch everything
Different types of these
- Information on targeted victims (Finance for energy companies)
- Infrastructure used by attackers (DNS and IP addresses)
- Outbreak of a particular malware variant on a service type
TTP
Many applications have vulnerabilities
- We’ve just not found them yet
Someone is working hard to find the next big vulnerability
- The good guys share these with developers
Attackers keep these yet-to-be-discovered holes to themselves
- They want to use these vulnerabilities for personal gain
Vulnerability has not been detected or published
Zero-day attacks
Very easy to leave a door open
- Hackers will always find it
Increasingly common with cloud storage
- Statistical chance of finding this
Open permissions Vulnerability
The Linux root account
- The administrator or superuser account
Can be a misconfiguration
- Intentionally configuring an easy-to-hack password
Disable direct login to the root account
- Use the su or sudo option
Protect accounts with root or administrator access
- There should not be a lot of these
Unsecured root accounts Vulnerability
Encryption protocols (AES, 3DES, etc)
- Length of the encryption key (40 bits, 128 bits, 256 bits)
- Wireless encryption (WEP, WPA)
Some cipher suites are easier to break than others
- Stay updated with the latest best practices
TLS is one of the most common issues
- Over 300 cipher suites
Which are good and which are bad?
- Weak or null encryption (less than 128 bit key sizes), outdated hashes (MD5)
Weak encryption Vulnerability
Some protocols aren’t encrypted
- All traffic sent in the clear - Telnet, FTP, SMTP, IMAP
Verify with packet capture
- View everything sent over the network
Use the encrypted versions - SSH, SFTP, IMAPS, etc
Insecure protocols Vulnerability
Every application and network device has a default login
- Not all of these are ever changed
Default settings Vulnerability
Services will open ports
- It’s important to manage access
Often managed with a firewall
- Manage traffic flows
- Allow or deny based on port number or application
Firewall rulesets can be complex
- It’s easy to make a mistake
Always test and audit
- Double and triple check
Open ports and services Vulnerability
Often centrally managed
- The upgrade server determines when you patch
- Test all of your apps, then deploy
- Efficiently manage bandwidth
Firmware - The BIOS of the device
Operating system - Monthly and on-demand patches
Applications
- Provided by the manufacturer as-needed
Improper patch management Vulnerability
Some devices remain installed for a long time
- Perhaps too long
Legacy devices
- Older operating systems, applications, middleware
May be running end-of-life software
- Risk needs to be compared to the return
May require additional security protections
- Additional firewall rules
- IPS signature rules for older operating systems
Legacy platforms Vulnerability
Professional installation and maintenance
- Can include elevated OS level
Can be on-site
- With physical or virtual access to data and systems
- Keylogger installations and USB flash drive data transfers
Can run software on the internal network
- Less security on the inside
- Port scanners, traffic captures
- Inject malware and spyware, sometimes inadvertently
System integration risk
Security requires diligence
- The potential for a vulnerability is always there
Vendors are the only ones who can fix their products
- Assuming they know about the problem
- And care about fixing it
Lack of vendor support
You can’t always control security at a third-party location
- Always maintain local security controls
Hardware and software from a vendor can contain malware
- Verify the security of new systems
Counterfeit hardware is out there
Supply chain risk
Accessing the code base
- Internal access over the VPN
- Cloud-based access
Verify security to other systems
- The development systems should be isolated
Test the code security
- Check for backdoors
- Validate data protection and encryption
Outsourced code development
Consider the type of data
- Contact information
- Healthcare details, financial information
Storage at a third-party may need encryption
- Limits exposure, adds complexity
Transferring data
- The entire data flow needs to be encrypted
Data storage
Vulnerability: Unsecured databases
- No password or default password
Thousands of databases are missing
Overwrites data with iterations
- No messages or motivational content
Data loss
Getting hacked isn’t a great look
- Organizations are often required to disclose
- Stock prices drop, at least for the short term
Reputational impact
Outages and downtime - Systems are unavailable
The pervasive ransomware attack
- Brings down the largest networks
Availability loss
The constant game of cat and mouse
- Find the attacker before they find you
Strategies are constantly changing
- Firewalls get stronger, so phishing gets better
Intelligence data is reactive
- You can’t see the attack until it happens
Speed up the reaction time
- Use technology to fight
Threat hunting
An overwhelming amount of security data
- Too much data to properly detect, analyze, and react
Many data types
- Dramatically different in type and scope
Separate teams
- Security operations, security intelligence, threat response
Fuse the security data together with big data analytics
- Analyze massive and diverse datasets
- Pick out the interesting data points and correlations
Intelligence fusion
Collect the data
- Logs and sensors, network information, internet events, intrusion detection
Add external sources
- Threat feeds, government alerts, advisories and bulletins, social media
Correlate with big data analytics
- Focus on predictive analysis and user behavior analytics
- Mathematical analysis of unstructured data
Fusing the data
In the physical world, move troops and tanks
- Stop the enemy on a bridge or shore
In the virtual world, move firewalls and operating systems
- Set a firewall rule, block an IP address, delete malicious software
Automated maneuvers
- Moving at the speed of light
- The company reacts instantly
Combined with fused intelligence
- Ongoing combat from many fronts
Cybersecurity maneuvers
Usually minimally invasive
- Unlike a penetration test
Port scan
- Poke around and see what’s open
Identify systems
- And security devices
Test from the outside and inside
- Don’t dismiss insider threats
Gather as much information as possible
Vulnerability scanning
Gather information, don’t try to exploit a vulnerability
Non-intrusive scans
You’ll try out the vulnerability to see if it works
Intrusive scans
The scanner can’t login to the remote device
Non-credentialed scans
You’re a normal user, emulates an insider attack
Credentialed scan
Scans desktop or mobile apps
Application scan
Scans software on a web server
Web application scan
Scans misconfigured firewalls, open ports, vulnerable devices
Network scans
Quantitative scoring of a vulnerability - 0 to 10
The scoring standards change over time
Common Vulnerability Scoring System (CVSS)
Vulnerability is identified that doesn’t really exist
Different from low severity, where it’s real but not the highest priority
False positive
Vulnerability exists but you didn’t detect it
Update to the latest signatures
- If you don’t know about it, you can’t see it
Work with the vulnerability detection manufacturer
- They may need to update their signatures for your environment
False negative
Validate the security of device configurations
- It’s easy to misconfigure one thing
- A single unlocked window puts the entire home at risk
Workstations
- Account configurations, local device settings
Servers - Access controls, permission settings
Security devices - Firewall rules, authentication options
Configuration review
Logging of security events and information
Log collection of security alerts
- Real-time information
Log aggregation and long-term storage
- Usually includes advanced reporting features
Data correlation - link diverse data types
Forensic analysis - Gather details after an event
Data inputs
- Server authentication attempts
- VPN connections
- Firewall session logs
- Denied outbound traffic flows
- Network utilization
Packet captures
- Network packets
- Often associated with a critical alert
- Some organizations capture everything
SIEM
Standard for message logging
- Diverse systems, consolidated log
Usually a central log collector
- Integrated into the SIEM
You’re going to need a lot of disk space
- Data storage from many devices over an extended timeframe
Syslog
Constant information flow
- Important metrics in the incoming logs
Track important statistics
- Exceptions can be identified
Send alerts when problems are found
- Email, text, call, etc
Create triggers to automate responses
- Open a ticket, reboot a server
Security monitoring
Detect insider threats
Identify targeted attacks
Catches what the SIEM and DLP systems might miss
User and entity behavior analytics (UEBA)
Public discourse correlates to real-world behavior
- If they hate you, they hack you
- Social media can be a barometer
Sentiment analysis
Security orchestration, automation, and response
- Automate routine, tedious, and time-insensitive activities
Orchestration
- Connect many different tools together
Automation
- Handle security tasks automatically
Response
- Make changes immediately
Security orchestration, automation, and response (SOAR)
Pentest
- Simulate an attack
Similar to vulnerability scanning
- Except we actually try to exploit the vulnerabilities
Often a compliance mandate
- Regular penetration testing by a 3rd-party
Penetration testing
An important document
- Defines purpose and scope
- Makes everyone aware of the test parameters
Type of testing and schedule
- On-site physical breach, internal test, external test
- Normal working hours, after 6 PM only, etc
The rules
- IP address ranges
- Emergency contacts
- How to handle sensitive information
- In-scope and out-of-scope devices or applications
Rules of engagement
Move from system to system
The inside of the network is relatively unprotected
Lateral movement
Once you’re there, you need to make sure there’s a way back in
Set up a backdoor, build user accounts, change or verify default passwords
Persistence
Gain access to systems that would normally not be accessible
Use a vulnerable system as a proxy or relay
Occurs when an attacker moves onto another workstation or user account
Pivot
Leave the network in its original state
Remove any binaries or temporary files
Remove any backdoors
Delete user accounts created during the test
Cleanup
A reward for discovering vulnerabilities
Earn money for hacking a system
Document the vulnerability to earn cash
Bug bounty
Learn as much as you can from open sources
- There’s a lot of information out there
- Remarkably difficult to protect or identify
Social media
Corporate web site
Online forums, Reddit
Social engineering
Dumpster diving
Business organizations
Passive footprinting
Combine WiFi monitoring and a GPS
- Search from your car or plane
- Search from a drone
Huge amount of intel in a short period of time
- And often some surprising results
All of this is free
- Kismet, inSSIDer
- Wireless Geographic Logging Engine - http://wigle.net
Wardriving/warflying
Gathering information from many open sources
- Find information on anyone or anything
- The name is not related to open-source software
Data is everywhere
Automated gathering - Many software tools available
Open Source Intelligence (OSINT)
Trying the doors
- Maybe one is unlocked
- Don’t open it yet
- Relatively easy to be seen
Visible on network traffic and logs
Ping scans, port scans, DNS queries, OS scans, OS fingerprinting, service scans, version scans
Active footprinting
Cybersecurity involves many skills
- Operational security, penetration testing, exploit research, web application hardening, etc
Become an expert in your niche
- Everyone has a role to play
The teams
- Red team, blue team, purple team, white team
Security teams
Offensive security team - The hired attackers
Ethical hacking - Find security holes
Exploit vulnerabilities - Gain access
Social engineering - Constant vigilance
Web application scanning - Test and test again
Red team
Defensive security - Protecting the data
Operational security - Daily security tasks
Incident response - Damage control
Threat hunting - Find and fix the holes
Digital forensics - Find data everywhere
Blue team
Red and blue teams
- Working together
Competition isn’t necessarily useful
- Internal battles can stifle organizational security
- Cooperate instead of compete
Deploy applications and data securely
- Everyone is on-board
Create a feedback loop
- Red informs blue, blue informs red
Purple team
Not on a side
- Manages the interactions between red teams and blue teams
The referees in a security exercise
- Enforces the rules
- Resolves any issues
- Determines the score
Manages the post-event assessments
- Lessons learned
- Results
White team
A technical method used in social engineering to trick users into entering their username and password by adding an invisible string before the web link they click
This string (data:text) converts the link into a Data URL (also called a Data URI) that embeds small files inline in documents
Prepending
The use by one person of another person’s personal information, without authorization, to commit a crime or to deceive or defraud that other person or a third person
Identity theft involves stealing another person’s identity and using it as your own
Identity fraud and identity theft are commonly used interchangeably these days
Identity fraud
The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
Command and control
Attack that targets an individual client connected to a network, forces it offline by deauthenticating it, and then captures the handshake when it reconnects
Used as part of an attack on WPA/WPA2
Disassociation