Cyber Security # Lec 2

Lec-2: Cyber Security
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY (د باخترپوهنتون)

Types of Cyberattacks

• Cyberattacks compromise:
  • Confidentiality, by stealing data
  • Integrity, by modifying data
  • Availability, by denying access to data, services and systems

• Some attacks combine two or more of these effects in a single attack, but these three are the building blocks for most malicious cyber activity.

Types of Cyber Attack

• Phishing / Spearphishing

• Drive-By / Watering Hole / Malvertising

• Code Injection / Webshell

• Keylogging / Session Hijacking

• Pass-the-Hash and Pass-the-Ticket

• Credential Harvesting

• Gate-Crashing

• Malware / Botnet

• DDoS

• Identity Theft

• Industrial Espionage

• Pickpocket

• Bank Heist

• Ransomware

Phishing / Spearphishing

• Phishing and spearphishing are among the most effective ways of getting into an enterprise's network.

• Attackers send e-mail to the victims (a targeted e-mail to a specific person if it is spearphishing); when the victim opens the attachment or follows the link, the attacker gains control of the victim's computer or captures the victim's credentials.

Phishing / Spearphishing

• Impact:
  • Gain control of a personal computer inside the enterprise's network
  • With spearphishing, this control includes the computer belonging to a specific person, such as an executive or systems administrator

• Methods and Consequences: three techniques are commonly used for phishing and spearphishing attacks:
  • E-mail containing a malicious attachment
  • E-mail containing a link to a malicious web page
  • E-mail containing a link to a web page that asks the victim to type his or her logon credentials

• Potential Defense:
  • Training to help users recognize when they are being phished
  • Educating executives and systems administrators on the threats
  • Protecting e-mail and web gateways
  • Hardening endpoint computers
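The three techniques above leave tells that an e-mail gateway or a trained user can check mechanically. The script below is an added example, not material from the lecture: it runs a handful of such checks over one constructed e-mail, comparing the domain of each link's visible text with the domain of the real href, flagging executable and double-extension attachments, and looking for credential-request and urgency wording. The message contents, domain names, word lists and extension list are all assumptions made for the demonstration and would be tuned for a real gateway.

```python
import re
from urllib.parse import urlparse

# Constructed sample message for the demonstration; the sender, the domains and
# the attachment name are invented and do not refer to any real campaign.
SAMPLE_EMAIL = {
    "from": "it-helpdesk@corp-example.com",
    "subject": "Urgent: your password expires today",
    "html": (
        "<p>Your password expires in 2 hours. Go to "
        '<a href="http://corp-example.com.login-verify.example.net/reset">'
        "https://corp-example.com/reset</a> to keep access.</p>"
    ),
    "attachments": ["invoice_2291.pdf.exe"],
}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Assumed keyword lists; a production filter would use a far richer model.
CREDENTIAL_WORDS = ("password", "verify your account", "log in", "login", "sign in")
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "within 24 hours")
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat")


def registered_domain(host: str) -> str:
    """Last two labels of a host name (simplification: ignores suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_text_mismatches(html: str):
    """Anchors whose visible URL names a different domain than the real href target."""
    found = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = TAG_RE.sub("", inner).strip()
        if "://" not in shown and not shown.lower().startswith("www."):
            continue  # plain words such as "click here": nothing to compare against
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registered_domain(shown_host) != registered_domain(real_host):
            found.append((shown_host, real_host))
    return found


def phishing_indicators(msg: dict):
    """Return (tag, detail) pairs for every heuristic the message trips; [] if none."""
    hits = []
    for shown_host, real_host in link_text_mismatches(msg["html"]):
        hits.append(("link-text-mismatch", f"{shown_host} -> {real_host}"))
    for name in msg["attachments"]:
        lower = name.lower()
        if lower.endswith(DANGEROUS_EXT):
            hits.append(("executable-attachment", name))
            if lower.count(".") >= 2:
                hits.append(("double-extension", name))
    # Strip tags first so the href itself is not scanned, only what the reader sees.
    text = (msg["subject"] + " " + TAG_RE.sub(" ", msg["html"])).lower()
    if any(w in text for w in CREDENTIAL_WORDS):
        hits.append(("credential-request", "message asks about passwords or logon"))
    if any(w in text for w in URGENCY_WORDS):
        hits.append(("urgency", "message pressures the reader to act now"))
    return hits


if __name__ == "__main__":
    for tag, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{tag:24s} {detail}")
```

The link check is the one users most often miss: the visible text says corp-example.com, but the browser will go to example.net. None of these heuristics is proof on its own; a gateway would score them together and quarantine messages above a threshold.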

Drive-By / Watering Hole / Malvertising

• A drive-by or watering hole attack involves compromising a victim's web site and then configuring that web site to deliver malware to the people who visit it.

• When unsuspecting users visit the site, their computers are infected with malware and the attackers are able to move their attack forward.

• A malvertising attack has the same effect, but rather than directly compromising the site, the attackers deliver malware through the advertising feeds displayed on the web page alongside the victim's content.

Drive-by / Watering Hole / Malvertising

• Impact:
  • The victim enterprise becomes an intermediary in an attack that targets the people who visit its web site
  • The victim enterprise suffers collateral damage
  • The victim enterprise's reputation is damaged when the story comes out

• Methods and Consequences: two techniques are commonly used for such attacks:
  • Web sites with vulnerabilities are exploited to gain control of the site directly from the Internet
  • The victim enterprise itself is compromised to gain access to the computers and accounts that have administrative control over the site

• Potential Defense:
  • Web site operators need strong configuration control over public-facing web sites
  • Advertising networks should strongly filter their content and prevent unexpected and unacceptable behavior
  • Surf the web carefully, using non-administrative credentials
  • Fully patched endpoint computers
  • Hardened endpoint computers

Code Injection / Webshell

• Servers are potentially just as vulnerable as endpoint computers, and they can be compromised using some of the same techniques.

• Two attacks unique to servers are code injection and webshells.

• Code injection compromises a vulnerable web site by modifying requests to the site so they contain scripting code or SQL code that the server executes without checking it.

• If the server executes this code with administrative privileges, the attackers can use the attack to take control of the server.

• Once the attackers get control of the server, they can place a webshell into the server's web site.

• A webshell is a back door that allows attackers to come back to the server's web site and execute commands directly on the server.

Code Injection / Webshells

• Impact:
  • Gain administrative control over an Internet-facing server
  • Provide a backdoor into the enterprise that is always open and operational for the attacker
  • Data and information on the server can be compromised

• Methods and Consequences: commonly used techniques for code injection and webshells are as follows:
  • Attacker toolkits containing exploits are used to test Internet-facing web sites for vulnerabilities
  • The sites are re-scanned periodically to catch new vulnerabilities (introduced by a bad patch or a coding mistake)
  • Once a vulnerability is found, it is exploited to compromise the server and install a backdoor

• Potential Defense:
  • Strict configuration control of Internet-facing servers is the best defense
  • Periodically scan the web sites for vulnerabilities, and validate request input so it can never be executed as code
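Configuration control and periodic scanning can include scanning the web root itself for the traces a webshell leaves. The script below is an added example, not part of the lecture: it runs a few indicator rules over constructed PHP snippets that imitate common webshell patterns (an execution sink fed from request input, an obfuscated payload, error-suppressed eval, and a PHP file sitting in an upload directory). The file names, the upload-directory list and the rule set are assumptions; a real scan would walk the file system and compare against the configuration baseline.

```python
import re

# Constructed file contents: they imitate patterns webshells commonly show but are
# not copied from any real sample. The paths assume a typical PHP site layout.
SAMPLE_FILES = {
    "uploads/avatar.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
    "includes/helper.php": "<?php $cmd = $_REQUEST['x']; echo shell_exec($cmd); ?>",
    "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? '', ENT_QUOTES); ?>",
}

SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
EXEC_SINK_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I
)
OBFUSCATION_RE = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
ERROR_SUPPRESSED_EVAL_RE = re.compile(r"@\s*eval\s*\(", re.I)
UPLOAD_DIRS = ("uploads/", "images/", "tmp/")  # assumed: directories that should never hold PHP


def scan_file(path: str, content: str):
    """Return the indicator names this file triggers; an empty list means nothing found."""
    hits = []
    has_source = bool(SOURCE_RE.search(content))
    has_sink = bool(EXEC_SINK_RE.search(content))
    if has_source and has_sink:
        hits.append("request-input-reaches-exec")
    if has_sink and OBFUSCATION_RE.search(content):
        hits.append("obfuscated-payload")
    if ERROR_SUPPRESSED_EVAL_RE.search(content):
        hits.append("error-suppressed-eval")
    if path.startswith(UPLOAD_DIRS) and path.lower().endswith((".php", ".phtml", ".phar")):
        hits.append("php-in-upload-dir")
    return hits


def scan_site(files: dict):
    """Map path -> indicators for every file that triggers at least one rule."""
    report = {}
    for path, content in files.items():
        hits = scan_file(path, content)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_FILES).items():
        print(path, "->", ", ".join(hits))
```

index.php reads request input too, but passes it to an output-encoding function rather than an execution sink, so it is not reported; the rules look for the combination, not for `$_GET` alone. Pair a scan like this with a file-integrity baseline, because a webshell dropped by an attacker who already controls the server is first of all an unexpected change to the web root.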

Keylogging / Session Hijacking

• Keylogging can be used to capture the usernames and passwords of accounts with single-factor authentication.

• Session hijacking can be used to take over accounts protected by multi-factor authentication: the attacker steals the already-authenticated session (for example its cookie or token) rather than the credentials, so the second factor is never challenged again.

• Once attackers gain control of a victim’s endpoint computer, they can use a variety of methods to gain use of the victim’s online accounts.

Keylogging / Session Hijacking

• Impact:
  • Gain control over the victim's online accounts; this control includes:
    • The victim's address book
    • E-mail
    • Financial accounts and money

• Methods and Consequences: commonly used techniques for keylogging and session hijacking are as follows:
  • Find a way to install a keylogger on the victim's system
  • If successful, the attacker sees every key the victim presses
  • The attacker waits until credentials appear in the captured keystrokes
  • Once those logons have occurred, the attacker can impersonate the user and make use of the accounts

• Potential Defense:
  • Secure the endpoint so it is never infected in the first place
  • Use unprivileged accounts
  • Protect the end system with anti-virus, anti-malware, intrusion prevention, etc.
  • Use multi-factor authentication

Pass-the-Hash and Pass-the-Ticket

• Pass-the-hash and pass-the-ticket are attack techniques that let attackers reuse stolen credential material (password hashes and Kerberos tickets) on an enterprise network without knowing the underlying passwords.

• This material is cached in computer memory and on hard drives wherever users have logged on.

• Because the authentication protocols accept the hash or ticket itself as proof of identity, these attacks effectively bypass the password-based authentication of the affected enterprise applications.

Pass-the-Hash and Pass-the-ticket

• Impact:
  • Attackers move laterally within the enterprise IT environment from computer to computer

• Methods and Consequences: commonly used techniques for pass-the-hash and pass-the-ticket are as follows:
  • Gain administrative control of the victim's computer
  • Scan memory and hard drives for hashes and tickets belonging to users who have logged on there
  • Once hashes and tickets are found, use them to connect to other computers on the enterprise network and move laterally

• Potential Defense:
  • Reduce the vulnerabilities that let attackers gain administrative control of endpoints
  • Avoid storing hashes and tickets on hard drives
  • Limit where hashes and tickets are cached and how long they persist, so that stealing them from memory or across the network is harder
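Why a stolen hash is as good as the password: the exchange below is an added toy model, not from the lecture and not the real NTLM or Kerberos protocol, of a challenge-response logon in which the server stores an unsalted hash of each password and both sides compute the response from that hash. The workstation caches the hash after a successful interactive logon, standing in for what an attacker with local administrative rights dumps from memory; the `pass_the_hash` function then authenticates from anywhere using only the cached hash. The hash function, the HMAC response and the class names are all assumptions for the illustration (real NTLM uses MD4 over the UTF-16LE password and a different response construction).

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stand-in for the stored credential hash (unsalted on purpose, as NTLM's is)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compute_response(secret_hash: bytes, challenge: bytes) -> bytes:
    """Both sides derive the response from the hash only; the password never appears."""
    return hmac.new(secret_hash, challenge, hashlib.sha256).digest()


class AuthServer:
    """Holds the hash for each account and checks challenge responses against it."""

    def __init__(self):
        self.stored_hashes = {}

    def register(self, user: str, password: str) -> None:
        self.stored_hashes[user] = password_hash(password)

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = compute_response(self.stored_hashes[user], challenge)
        return hmac.compare_digest(expected, response)


class Workstation:
    """Models the credential cache that keeps the hash in memory after an interactive logon."""

    def __init__(self):
        self.cached_hashes = {}

    def interactive_logon(self, server: AuthServer, user: str, password: str) -> bool:
        secret = password_hash(password)
        chal = server.new_challenge()
        ok = server.verify(user, chal, compute_response(secret, chal))
        if ok:
            self.cached_hashes[user] = secret  # this is what a memory dump reveals
        return ok


def pass_the_hash(server: AuthServer, user: str, stolen_hash: bytes) -> bool:
    """Attacker logs on with only the hash, never learning or needing the password."""
    chal = server.new_challenge()
    return server.verify(user, chal, compute_response(stolen_hash, chal))


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("admin", "S3cret!Pass")
    ws = Workstation()
    print("legit logon:", ws.interactive_logon(srv, "admin", "S3cret!Pass"))
    stolen = ws.cached_hashes["admin"]  # dumped by an attacker with local admin rights
    print("pass-the-hash:", pass_the_hash(srv, "admin", stolen))
    print("wrong hash:", pass_the_hash(srv, "admin", password_hash("guess")))
```

The model makes the defense list above concrete: a strong password changes nothing once the hash is in the cache, so the controls that matter are the ones that keep attackers from reaching administrative control of the endpoint, keep privileged hashes from being cached on ordinary workstations in the first place, and shorten how long cached material stays valid.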

Credential Harvesting

• Credential harvesting is a technique whereby attackers compromise systems that a large number of users visit.

• They then harvest user credentials from those systems.

• In this way, attackers can get the user credentials for a large portion of the enterprise, all in a single step.

Credential Harvesting

• Impact:
  • A large number of user credentials is compromised in a single step
  • The harvested set often includes administrator credentials

• Methods and Consequences: two common approaches for conducting a credential harvesting attack:
  • First, target public-facing systems with large numbers of users (such as e-mail, web portals and virtual desktop systems): exploit a vulnerability to gain control, then capture user credentials as people log on
  • Second, get inside the enterprise and target vulnerabilities in the authentication systems; once an authentication system is compromised, the attacker can obtain credential hashes, tickets, usernames and passwords

• Potential Defense:
  • Identify the enterprise IT systems that collect large numbers of user logons
  • Protect those systems
  • Detect and respond to a successful compromise in a timely fashion
  • Use multi-factor tokens for authentication

Gate-Crashing

• Gate-crashing attacks involve attackers positioning themselves so they can exploit a vulnerability or a defender mistake to get past a particular security defense.

• Due to the realities of security technology maintenance and human errors, almost every preventive defense gets disabled sometime, either intentionally or by accident. The gate-crashers make sure they are there to take advantage when it occurs.

Gate-crashing

• Impact:
  • Attackers slip past defenses when the opportunity arises
  • The attacker may wait a long time for just the right vulnerability or mistake to occur

• Methods and Consequences: two common approaches for conducting a gate-crashing attack:
  • Manually: the attacker must have active command-and-control connections to systems inside the victim's network
  • Automatically: intelligent malware watches the victim network for openings and exploits them when they occur

• Potential Defense:
  • Layered defenses, so that one disabled control does not open the whole network
  • Active monitoring
  • Security administrators must be educated about gate-crashing

Malware / Botnet

• Malware is a generic term for malicious software, and it can include viruses, worms, Trojans, and others.

• There is an extensive malware industry with commodity and custom toolkits that can be integrated together to perform remote control, session hijacking, credential harvesting, maintain persistence, and other functions.

• It’s also important to consider remote control functions built into most modern operating systems as well since, with the right administrator credentials, those functions can be used for malicious purposes as well.

• Once computers are infected with malware, they may be tied into a botnet so they can be accounted for and access to them can be sold to the highest bidder. Botnets can contain hundreds, thousands, or even millions of compromised machines that can then be used for any attacker purpose.

Malware / Botnet

• Impact:
  • Monitor all activity on the victim computer
  • Record any credentials and accounts used by the victim
  • Allow the attacker to use the computer, either on its own or in conjunction with other machines in a botnet

• Methods and Consequences:
  • The malware is installed by exploiting a vulnerability, or by the user of the computer running it willingly from a malicious web site, e-mail attachment or web link
  • Malware may be custom-built or morphed so it is not recognized by signature-based anti-virus
  • Once compromised and joined to a botnet, the computer and its data become available to the botnet operator

• Potential Defense:
  • Hardening the OS
  • Anti-virus
  • Anti-malware
  • Limiting user privileges and applications

Distributed Denial of Service (DDoS)

• DDoS involves flooding the victim's computers or network links with so much traffic, generated from a distributed network of machines, that the victim is unable to continue delivering services over the Internet.

DDoS

• Impact:
  • The targeted web site is often rendered unusable
  • The web site becomes unavailable to the enterprise's own users, customers and partners

• Methods and Consequences:
  • Attackers compromise computers themselves, or hire the thousands of already-compromised computers available on the Internet
  • The hired compromised network is pointed at the target

• Potential Defense: there are two approaches to defending against DDoS:
  • The first approach is to utilize content distribution networks that are hard to target and have the distributed capacity to resist all but the largest DDoS attacks.
  • The second approach is to respond quickly to block DDoS traffic at the network layer, thus mitigating its impact and allowing services to stay operational.

Identity Theft

• Identity theft is one of the most common professional cyberattacks, since stolen identities, particularly:
  • social security numbers,
  • credit card numbers, and
  • medical records
  can be easily sold on the black market for cash.

• Such attacks tend to focus on:
  • Centralized IT systems
  • Databases
  • Hacking into point-of-sale (PoS) systems
  • Other critical systems that hold identity information

Identity Theft

• Impact: severe for victim enterprises
  • Data disclosure
  • Compensation to victims
  • Possibly penalties

• Methods and Consequences:
  • Gain access to victim networks and obtain privileged access to victim data

• Potential Defense:
  • Protect data using different security mechanisms
  • Think through the life cycle of the data from capture to disposal
  • Monitor the traffic
  • Take regular backups
  • Look at your data from the adversary's perspective

Industrial Espionage

• Industrial espionage is a common attack performed by professional and nation-state attackers to gain advantages in international business.

• In the international marketplace, such advantages can be big business,indeed, with billions of dollars and entire market segments at stake.

Industrial Espionage

• Impact:
  • Difficult to measure, since its effects are often hard to differentiate from ordinary business outcomes
  • Competitors reading each other's playbooks
  • Economic impact for the players who gain the advantage of knowing their competitors' every move
  • Stolen data (meeting schedules, enterprise processes, etc.) can be just as useful in defeating competitors in the international marketplace

• Methods and Consequences:
  • Target victim networks to achieve an initial entry
  • Exploit that entry to move laterally and gain privilege within the victim networks
  • Once administrative control is taken, steal business information

• Potential Defense:
  • Both detective and preventive measures are needed

Pickpocket

• A “pickpocket” attack involves hacking victim systems to steal relatively small amounts of money across a large number of transactions.

• Some common examples of this attack include redirecting direct deposit accounts, payroll, or accounts payable accounts to send money to the attackers’ accounts instead.

Pickpocket

• Impact:
  • The attackers quickly get away with a large amount of money when the many transactions involved are added up
  • When this money is transferred via wire transfer or direct deposit, it can be difficult or even impossible to trace and recover

• Methods and Consequences:
  • Intercept and redirect financial transactions (payroll, accounts payable systems, etc.)
  • By the time the victim enterprise catches the redirection, the money is often gone

• Potential Defense:
  • A rapid alerting and auditing system is needed to catch unauthorized changes before money is moved
  • Get help from the financial institution by imposing a time delay between when account information is changed and when the change becomes effective
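The alerting and hold-period defenses above can be enforced inside the payroll run itself, before any money moves. The script below is an added example, not from the lecture: it reviews each payment in a constructed payroll batch against the audit log of bank-account changes and holds a payment when the destination account was changed within the hold window, when the change came from outside the corporate address range, or when the same new account has been set for more than one employee (the classic redirection pattern). The employee IDs, account numbers, addresses, the three-day window and the internal address prefix are all assumptions for the demonstration.

```python
from datetime import datetime, timedelta

HOLD_DAYS = 3                  # assumed policy: a new bank account must age this long before it is paid
INTERNAL_PREFIXES = ("10.",)   # assumed corporate address range; changes from elsewhere are suspicious

# Constructed records: employee IDs, account numbers and addresses are invented.
ACCOUNT_CHANGES = [
    {"employee": "E1001", "new_account": "ACCT-7781", "changed_at": "2024-05-02T09:14", "source_ip": "10.20.3.41"},
    {"employee": "E1007", "new_account": "ACCT-5520", "changed_at": "2024-05-06T23:52", "source_ip": "203.0.113.9"},
    {"employee": "E1012", "new_account": "ACCT-5520", "changed_at": "2024-05-06T23:55", "source_ip": "203.0.113.9"},
]
PAYROLL_RUN = [
    {"employee": "E1001", "account": "ACCT-7781", "amount": 2100.00},
    {"employee": "E1007", "account": "ACCT-5520", "amount": 1850.00},
    {"employee": "E1012", "account": "ACCT-5520", "amount": 2400.00},
    {"employee": "E1020", "account": "ACCT-1000", "amount": 1990.00},
]
RUN_AT = "2024-05-07T06:00"


def review_payroll(payments, changes, run_at):
    """Return {employee: [reasons]} for the payments that must be held for manual review."""
    run_time = datetime.fromisoformat(run_at)

    # Most recent account change per employee (timestamps share one format, so
    # string comparison orders them correctly).
    latest_change = {}
    for c in changes:
        prev = latest_change.get(c["employee"])
        if prev is None or c["changed_at"] > prev["changed_at"]:
            latest_change[c["employee"]] = c

    # Which employees are being paid into each account in this run.
    owners = {}
    for p in payments:
        owners.setdefault(p["account"], set()).add(p["employee"])

    held = {}
    for p in payments:
        reasons = []
        change = latest_change.get(p["employee"])
        if change and change["new_account"] == p["account"]:
            age = run_time - datetime.fromisoformat(change["changed_at"])
            if age < timedelta(days=HOLD_DAYS):
                reasons.append("changed-within-hold-window")
            if not change["source_ip"].startswith(INTERNAL_PREFIXES):
                reasons.append("change-from-external-ip")
        if len(owners[p["account"]]) > 1:
            reasons.append("account-shared-by-multiple-employees")
        if reasons:
            held[p["employee"]] = reasons
    return held


def release(payments, held):
    """The payments that may go out now: everything not held."""
    return [p for p in payments if p["employee"] not in held]


if __name__ == "__main__":
    held = review_payroll(PAYROLL_RUN, ACCOUNT_CHANGES, RUN_AT)
    for emp, why in held.items():
        print("HOLD", emp, why)
    print("release:", [p["employee"] for p in release(PAYROLL_RUN, held)])
```

E1001 changed an account five days earlier from an internal address and is paid normally; E1007 and E1012 both pointed at the same new account, hours before the run, from an external address, and are held. The check runs on the enterprise side, which is why it works even when the bank offers no delay of its own; the bank-imposed delay in the slide is the same idea applied at the institution.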

Bank Heist

• While a pickpocket attack involves changing financial destinations and intercepting the victim's money, a bank heist involves simply getting direct access to the victim's bank accounts and stealing from them.

Bank Heist

• Impact:
  • The victim loses money from their accounts, partially or completely
  • Business accounts often lack the safeguards that financial institutions afford to consumer accounts, so the losses may not be recoverable

• Methods and Consequences:
  • Compromise victim systems that have the privileges to access business financial accounts
  • Once successful, transfer large sums of money out via hard-to-trace methods such as wire transfer

• Potential Defense:
  • Closely guard the computers and credentials used for banking
  • Manage corporate financial accounts securely, from dedicated computers, rather than allowing financial personnel to manage them from the same computers they use to surf the web

Ransomware

• Ransomware compromises victim computers, encrypts the data, and charges a ransom for the keys to decrypt it.

• It can be expensive for individuals.

• It can be devastating at the enterprise level.

Ransomware

• Impact:
  • Large amounts of corporate data are accessible to large numbers of employees
  • When one employee with write access is compromised, the ransomware ends up encrypting that data for everyone

• Methods and Consequences:
  • A common type of malware that is out on the Internet, constantly used to get into victim computers and enterprises

• Potential Defense:
  • Hardening endpoints
  • Training users so they do not get infected
  • Good segmentation and access controls, so one infected account cannot reach everything
  • Good backups for recovery

CONCLUSION

• Be flexible and adaptable to changing threats!

• Don’t ignore Information Security principles!

• Mature your Threat and Vulnerability Management process!

• Conduct frequent incident response exercises!

• Invest in people & training!

• Delay the adversary!

Thank You For Your Patience