Chapter 1: Attacks, Threats, and Vulnerabilities

Objective 1.1

Phishing → Practice of sending email to trick users into submitting personal information or clicking a link
  Can be done to install malware, validate an email address, or get money
Smishing → SMS Phishing
Vishing → Phone Phishing → Phishing over Voice over IP (VoIP)
Spam → Unwanted / Unsolicited Email
SPIM → Unwanted messages over Instant Messaging channels
Spear Phishing → Phishing targeted at a specific group of people or even a single user
  Mitigation → Use digital signatures
Dumpster diving → Practice of searching through trash & recycling to gain info from discarded items
  Mitigation → Shredding or burning paper instead of throwing it away
Shoulder surfing → Looking over someone’s shoulder to gain information
  Mitigation → Use screen filters
Pharming → Manipulates DNS server or client to redirect users to different websites
  Changes DNS entries on a local PC or on a trusted local DNS server
Tailgating → Practice of one person following closely behind another person without showing credentials
  Mitigation → Access Control Vestibules (Mantraps) → Allow only a single person to pass at a time
Eliciting information → Act of getting information without asking for it directly
  Active Listening → Target is encouraged to keep talking
  Reflective Questioning → Repeat statements as a question to encourage the target to talk more
  False Statement → Give false info hoping that the target corrects it
  Bracketing → Try to get specific info by stating a specific number or range of numbers
Whaling → Phishing targeted at high-level executives
Prepending → Add something to the beginning of something else. Ex. [SAFE] [EXTERNAL]
Pretexting → Adding a fictitious scenario to a conversation to make a request more believable
Identity Theft → When someone steals personal info about you
Identity Fraud → Criminals use stolen identity information to commit identity fraud
Invoice Scams → Trick people or organizations into paying for goods or services they didn’t request & usually didn’t receive
Credential Harvesting → Collect usernames & passwords from users
  Phishing Email → Link to a website → Login with credentials → Redirect to original website & showing password is incorrect
  MFA helps to limit the impact of credential harvesting attacks
Reconnaissance → Gathering information about a target
Hoax → Security threat that simply doesn’t exist
Impersonation → Act of pretending to be another person
Watering Hole Attack → Attempts to discover which websites people are likely to visit & infect those websites with malware that can infect the visitors
Typosquatting → URL Hijacking → Occurs when someone buys a domain name that is close to the legitimate domain name
Smurf Attack → Occurs when an attacker sends a ping to a subnet broadcast address and devices reply to the spoofed IP (victim server), using up bandwidth and processing power
  Occurs when the attacker floods the target network with infinite ICMP request packets
  A smurf attack is a DDoS attack in which an attacker attempts to flood a targeted server with Internet Control Message Protocol (ICMP) packets
Influence campaigns → Use a variety of sources to influence public perception
  Hybrid Warfare → Military strategy that blends conventional warfare with unconventional methods to influence people
  Social Media → To spread misinformation

Principles of Social Engineering

Authority
  Impersonation → Impersonate others to get people to do something
  Whaling → Executives respect authorities such as legal entities
  Vishing → Use phone to impersonate authority
Intimidation → Scaring or bullying an individual into taking a desired action
Consensus → When attacker convinces victims that they can be trusted
  People tend to want to do what others are doing to persuade themselves to take action → “Social Proof”
  Ex. Everyone in the department has clicked on the link, then I should also
  Fake Testimonials → People are more willing to like something that other people like
Scarcity → People are encouraged to act when they think there is a limited quantity of items
Urgency → Use urgency as a technique to encourage people to act
Familiarity → Attackers attempt to use likability to get the victim to complete the request
  Companies hire well-liked celebrities
Trust → Attackers attempt to build a trust relationship with the victim

Objective 1.2

Malware

Ransomware → Malware that takes control of a user’s system, encrypts the user’s data using cryptomalware & demands ransom from companies
Trojans → Looks like something beneficial but is actually malicious
  Rogueware masquerades as a free antivirus program.
Backdoor → Methods or tools that provide access that bypasses normal authentication & authorization procedures, allowing attackers access to systems, devices, apps, etc.
  Detection → Checking for unexpected open ports & services
Remote access Trojan (RAT) → Malware that allows attackers to control systems from remote locations
  Also called stalkerware → Used in intimate relationships to spy on partners
Worms → Self-replicating malware that travels throughout the network without assistance of a host application or user interaction
Potentially Unwanted Programs (PUP) → Programs that users may not want, but that the user consented to download
  Some PUPs are legitimate, some are malicious like RATs
  Ex. Spyware, Adware, Browser Toolbar Tracking Programs
Fileless Virus → Malicious software that runs in memory
  Scripts that are injected into malicious programs
  Memory Code Injection, Script based techniques, Windows Registry Manipulation
  Spread via methods like spam email & malicious websites; they exploit flaws in browser plugins & web browsers themselves
Command and control → Resources used to control infected computers
Cryptomalware → Malware used to encrypt user’s data
Logic bombs → Script or code that will execute in response to an event
Rootkit → A group of programs that hides the fact that a system has been infected by malicious code
  Rootkit hides its running processes to avoid detection by antivirus scans
  Rootkits have system-level access to systems
  Integrity checking & data validation can be useful for rootkit detection
Botnet → Remotely controlled systems or devices that have a malware infection
  Uses command & control to operate in client-server mode
  Beaconing → A call home message is an indicator of compromise known as beaconing. It indicates that a workstation or server is infected and is trying to communicate with the attacker’s command and control server.
  A botnet may use Internet Relay Chat (IRC) as its command-and-control channel; IRC’s default port is TCP 6667
  Investigative authorities use DNS sinkholes to disrupt botnets and malware.

Botnet Models

Command & Control → Client-Server Model
Peer-To-Peer → Connects bots to each other, making it harder to take down a single central server or known IP of bots
Many botnets use Flux DNS → Flux DNS uses many IP addresses that are used to answer queries for one or more fully qualified DNS names
  Taking down the domain names is the best way to defeat Flux DNS

Virus Types

Memory Resident Viruses → Remain in memory while system is running
Non-Memory Resident → Execute, spread & then shut down
Boot Sector Virus → Resides inside boot sector of drive or storage media
Macro Virus → Uses macros or code inside tools to spread
Email Virus → Spreads via email attachments or as part of the email itself using flaws within email clients

Spyware → Malware that is designed to obtain information about an individual, organization or a system
Keylogger → Program that captures keystrokes from keyboards, although some keyloggers also capture other input like mouse movement, touchscreen inputs & credit card swipes from attached devices
Rogue Anti-Virus → A form of malicious software and internet fraud that misleads users into believing there is a virus on their computer, and to pay money for a fake malware removal tool (that actually introduces malware to the computer)

Password Attacks

Spraying → Single password tried on every account on the list
Dictionary → List of words
Brute force → Try all possible combinations of passwords
Rainbow Table → Attempt to discover password from hash
Plaintext → If the attacker has both plaintext & ciphertext, the attacker can use them to perform a plaintext attack

Physical Attacks

Malicious USB Cable → Has an embedded WiFi controller capable of receiving commands
Malicious Flash Drive → Includes malware configured to infect a computer when the drive is plugged in
Card Cloning → Making a copy of a credit card
Skimming → Capturing credit card data at Point of Sale (POS)

Adversarial AI

Adversarial AI attempts to fool AI models by supplying them with deceptive input
Tainted Data for ML → Use tainted data to cause AI & ML to give inconsistent results
  Indicator → Sudden unexpected activity
  While training an ML model for baselining of a network, it is important to ensure that no malicious activity is occurring during baseline data capture, so that the data is not tainted
Security of ML Algos → Prevent unauthorized disclosure of algorithms; attackers can use this info to attack
Best Practices to secure AI/ML
  Understand the quality & security of source data
  Work with the AI & ML developers to ensure that they are working in secure environments & that data sources, systems & tools are maintained in a secure manner
  Ensure that changes to AI & ML algorithms are reviewed, tested & documented
  Encourage reviews to prevent intentional or unintentional bias in algorithms
  Engage domain experts whenever possible

Supply Chain Attacks

A supply chain becomes an attack vector if an attacker can disrupt the supply chain

Cloud-based vs. on-premises attacks

On-Premises → Organization retains the complete control over all cloud based resources
Off-Premises → Organization doesn’t know where the data is stored → Legal Implications

Cryptographic Attacks

Brute force → Involves trying every possible key
Frequency Analysis → Refers to looking at the blocks of an encrypted message to determine if any common pattern exists
Known Plaintext → This attack relies on the attacker having pairs of known plaintext along with corresponding ciphertext
Chosen Plaintext → Attacker attempts to derive the key used & thus decrypt other messages encrypted with that key
Birthday → Attacker attempts to create a password that produces the same hash as the user’s actual password → Also known as Hash Collision
Collision → Hashing algorithm creates the same hash from different inputs
Downgrade → Forces a system to downgrade its security → TLS → Down → SSL

Objective 1.3

Injections

Dynamic-Link Library (DLL) Injection → Attack that injects a DLL into a system’s memory & causes it to run
LDAP Injection → Possible when a web application is used to query an LDAP based database
Parameter Pollution → Attacker sends more than one value for the same input variable to bypass input validation
  Ex. http://www.mycompany.com/status.php?account=12345&account=12345'OR1=1;--
Pointer/Object Dereference → When an object is null, it can cause problems if the program later tries to access the object
  Java → NullPointerException error
  C / C++ → Memory Leak in runtime
  Mitigation → Verify the value is not null before using it
Race Conditions → When two or more applications try to access a program at the same time, it can cause a conflict that is known as a race condition
  Attackers exploit time of check to time of use (TOCTOU) → This is called State Attack
Error Handling → Applications should show generic error messages but log detailed error messages in the logging system.
Replay Attack → Replay attacks capture data in a session to impersonate one of the parties in the session.
  Mitigation → Timestamps and sequence numbers
Buffer Overflow → Writes more data to a buffer than it can hold
  ASLR → Address Space Layout Randomization
    A security technique used to prevent memory corruption vulnerabilities such as buffer overflow
    It randomizes the memory addresses used by the system & application processes, making it difficult for attackers to predict the location of functions, libraries & system calls
  Buffer overflows are most easily detected by conducting a static code analysis
Integer Overflow → Occurs when an application receives a numeric value that is too big for the application to handle
Memory Leak → Causes application to consume more & more memory the longer it runs
  Indicator → System running slower & slower until it reboots
  Mitigation → A static code analyzer can check to see if all memory allocation commands (malloc, alloc, etc.) have a matching deallocation command.
SSL Stripping → Changes HTTPS connection to HTTP connection
Driver Manipulation
  Shimming → Provides a solution that makes it appear that older drivers are compatible
    Driver shim is additional code to be run instead of the original driver → When an app attempts to call the older driver, the system intercepts the call & redirects it to run the shim code instead
  Refactoring → Process of rewriting the code’s internal processing without changing its external behavior
Pass the Hash → Attacker discovers the hash of a user’s password & uses it to log in to the system as the user
  Indicator → Event ID 4624 in Windows Security Log

Objective 1.4

Wireless

Evil Twin → Rogue Access Point with same SSID used to capture & exfiltrate data
Rogue Access Point → An access point placed in the network without official authorization
Bluetooth Attacks:
  Bluejacking → Practice of sending unsolicited messages to nearby Bluetooth devices
  Bluesnarfing → Unauthorized access to, or theft of info from, a Bluetooth device
  Bluebugging → Gains access to the phone & installs a backdoor
Disassociation → Removes a wireless client from a wireless network
RFID Attacks:
  Sniffing / Eavesdropping → Attacker can collect RFID data by listening
  Replay → Replay captured data
  DOS → If the attacker knows the RFID frequency, the attacker can launch a jamming or interference attack, flooding the frequency with noise
Initialization vector (IV) → IV is the number used by encryption systems & a wireless IV attack attempts to discover the pre-shared key after discovering the IV
  Some wireless protocols use an IV by combining it with the pre-shared key to encrypt data in transit
  When an encryption system reuses the IV, an IV attack can discover the IV easily

On-Path Attack

Also known as Man-In-The-Middle Attack
A form of active eavesdropping
SSH gives a warning if previously established keys are changed

Layer 2 Attacks

ARP Poisoning → An attack that misleads computers or switches about the actual MAC address of a system
  ARP poisoning is sometimes used in On-Path attacks
MAC Flooding → An attack against the switch that attempts to overload it with different MAC addresses associated with each physical port
  Switch runs out of memory & enters a fail-open state
  Mitigation → Use flood guard to limit amount of memory for each port
  Flood guard sends a Simple Network Management Protocol (SNMP) trap or error message in response to the alert. It can also disable the port.
MAC Cloning → Changing a system’s MAC address

Domain Name System (DNS)

DNS data is frequently logged to help identify compromised systems or systems that have visited known phishing sites. DNS logs can be used along with IP reputation and known bad hostname lists to identify issues like these.
Domain Hijacking → Attacker changes a domain name registration without permission from the owner
DNS Poisoning → Attempts to modify or corrupt DNS data
  Mitigation → Use DNSSEC to protect DNS records against DNS poisoning attacks
Domain Reputation → Helps an ISP determine the likelihood that an email is being sent by a legitimate organization or is a malicious email.
Split Horizon DNS → Deploys distinct DNS servers for two or more environments, ensuring that those environments receive DNS information appropriate to the DNS view that their clients should receive.
  A term used when two zones for the same domain are created
  One zone is used by the internal network, the other by the external network (usually the internet)
DNS Blackholing → A method used to prevent access to malicious domains by redirecting malicious queries for those domains to a non-routable IP address, effectively blackholing the traffic
  Suppose an organization wants to block access to a known malicious domain malicious.example.com. They can configure their DNS server to return 127.0.0.1 for any query to malicious.example.com.
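
Added example, not part of the original notes: Python that runs the DNS-log check described above over a constructed query log, matching query names against a known-bad hostname list and separating queries the resolver blackholed (answer 127.0.0.1, as in the note) from ones that still resolved. The log format, the second bad domain and all addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Blackhole answer taken from the note's example (127.0.0.1).
SINKHOLE_ANSWERS = {ipaddress.ip_address("127.0.0.1")}

# Known-bad hostname list. malicious.example.com is the note's example;
# phish.example.net is a constructed entry.
BAD_DOMAINS = {"malicious.example.com", "phish.example.net"}

# Constructed sample log (assumed format):
# timestamp client_ip query_name record_type answer
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.15 www.example.org A 93.184.216.34
2024-05-01T09:00:07Z 10.0.0.22 malicious.example.com A 127.0.0.1
2024-05-01T09:01:12Z 10.0.0.22 cdn.malicious.example.com A 127.0.0.1
2024-05-01T09:02:30Z 10.0.0.31 login.phish.example.net. A 203.0.113.50
2024-05-01T09:03:00Z 10.0.0.15 notmalicious.example.com A 198.51.100.7
this line is malformed
2024-05-01T09:04:44Z 10.0.0.40 MALICIOUS.EXAMPLE.COM A 127.0.0.1
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def matched_bad_domain(name, bad_domains=BAD_DOMAINS):
    """Return the listed domain that `name` equals or is a subdomain of.

    Matching walks label boundaries, so notmalicious.example.com does not
    match malicious.example.com.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def parse_line(line):
    """Parse one log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, rtype, answer = parts
    try:
        ipaddress.ip_address(client)
        answer_ip = ipaddress.ip_address(answer)
    except ValueError:
        return None
    return ts, client, qname, rtype, answer_ip


def find_suspect_clients(log_text):
    """Map client IP -> list of (timestamp, name, listed_domain, status).

    status is "blackholed" when the resolver returned the sinkhole address,
    and "resolved" when a listed name still got a real answer, which means
    the client may have reached the host and the blackhole has a gap.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _rtype, answer_ip = rec
        listed = matched_bad_domain(qname)
        if listed is None:
            continue
        status = "blackholed" if answer_ip in SINKHOLE_ANSWERS else "resolved"
        hits[client].append((ts, normalize(qname), listed, status))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        for ts, name, listed, status in events:
            print(f"{client} {ts} {name} (list entry: {listed}) {status}")
```

Clients with "resolved" hits deserve attention first: the lookup for a listed name was not blackholed, so the connection may have gone through.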

DDOS

SYN Flood Attacks → Attacker never completes the TCP handshake
  It is a resource exhaustion attack
  Half-open connections consume the server’s resources & can crash the server
  Once the limit is reached, the server won’t accept new connections, blocking legitimate users
  Mitigation → On Linux, use iptables to set a threshold for SYN packets → Although it protects the system from crashing, it also denies the service to legitimate users

Malicious Script or Code Execution

Powershell → Use verb-noun pair for command → Invoke-Command
Bash → Calls /bin/bash or /bin/sh
Python → Runs .py* files; a potential indicator of malicious scripts
Macros → Short instruction that will run a longer set of instructions. Attackers can edit macros & replace them with malicious steps
Visual Basic for Applications (VBA) → Runs as the internal programming language for Microsoft applications such as Microsoft Word

Objective 1.5

Actors & Threats

Advanced Persistent Threat (APT) → A group of organized threat actors that engage in targeted attacks against organizations.
  Typically sponsored by nation-states or governments
  APT members are State Actors
Shadow IT → Any unauthorized systems or applications installed on a network without authorization or approval.
Insider Threat → Behavioral assessments are very useful when you are attempting to identify insider threats.
  An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Threat intelligence sources

Closed/Proprietary intelligence → Trade secrets as an intellectual property
  Proprietary intelligence → This refers to information that is owned, controlled & often generated by the organization for its own use.
    Owned & controlled by the organization
  Closed intelligence → Refers to information that is not freely accessible to the public
    Owned by external entities → Accessed through subscriptions / permissions
OSINT → Types:
  Vulnerability databases → National Vulnerability Database (NVD), Common Vulnerabilities and Exposures (CVEs) maintained by MITRE Corp.
  Automated indicator sharing (AIS):
    Trusted Automated eXchange of Indicator Information → TAXII → Open standard that defines a set of services & message exchanges used to share information.
      It provides a standard way for organizations to exchange cyber threat information but it does not specify what information organizations should exchange.
      TAXII is designed to support STIX data exchange
    Structured Threat Information eXpression (STIX) → Open standard that identifies what cyber threat information organizations should share.
      It provides a common language for addressing a wide range of cyber threat information.
      STIX data is shared via TAXII
      STIX is based on XML language
  Threat Maps → Visual representation of active threats

Objective 1.6

Third-party risks

Vendor management → Vendor management systems include limiting system integration & understanding when vendor support stops
Vendor Diversity → Provides cybersecurity resilience → Using more than one vendor for the same supply reduces the organization’s risk if the vendor no longer provides the product or service
Outsourced code development → Some organizations hire developers or outsource code development
Legacy platforms → Primary risk is that the vendor doesn’t support them

Objective 1.7

Threat Hunting

It is a process of actively looking for threats within a network before an automated tool detects & reports on the threat
Threat Feeds → Provide subscribers with up-to-date information about current threats
Advisories and bulletins → Regularly release information on threats & vulnerabilities
Adversary Tactics, Techniques & Procedures → Refers to attackers’ methods when exploiting a target
Intelligence fusion → Combines all the data to create a picture of likely threats & risks for an organization
Maneuver → A threat hunting concept that involves thinking like a malicious actor to help recognize indicators of compromise that might otherwise be hidden

Vulnerability Scans

Vulnerability Management → Identify, prioritize & remediate vulnerabilities
Credentialed Scan → Allows the scan to check security issues at a much deeper level
  Credentialed scans only require read-only access to target servers.
Configuration review → A Configuration Compliance Scanner performs a configuration review of systems to verify that they are configured properly → Configuration Validation
  It is done with a Credentialed Scan
Vulnerability Scanner is passive, non-intrusive & has little impact on the system during test
Penetration tests are active & intrusive, and can potentially compromise a system.
Penetration testing is more invasive than a vulnerability scan
Controls that can affect vulnerability scan results:
  Firewall Settings
  Network Segmentation
  IDS & IPS
Network Vulnerability Scanners:
  Nessus → Well-known, widely used network vulnerability scanner
  Qualys → Commercial network vulnerability scanner that offers a management console to run scans
  Nexpose → Commercial network vulnerability scanner
  OpenVAS → Free alternative to commercial vulnerability scanners
Application Scanning
  Static Testing → Analyzes code without executing it
  Dynamic Testing → Executes code as part of a test, providing it with an input
  Interactive Testing → Combines static & dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces
Web Application Scanning
  Nikto → Web application scanning tool → Vulnerability Scanning
  Arachni → Web application scanning tool → Used to assess security of web applications
CVSS → Common Vulnerability Scoring System → Industry standard for assessing the severity of security vulnerabilities
  0 → None
  0.1 - 3.9 → Low
  4.0 - 6.9 → Medium
  7.0 - 8.9 → High
  9.0 - 10.0 → Critical

Security Information & Event Management (SIEM)

It provides a centralized solution for collecting, analyzing & managing data from multiple sources.
It combines the services of security event management (SEM) & security information management (SIM) solutions
  SEM → Provides real-time monitoring, analysis & notification of security events, such as suspected security events
  SIM → Provides long term storage of data, along with methods of analyzing the data looking for trends or creating reports needed to verify compliance with laws & regulations
SIEM systems use scripts to automate the monitoring & reporting
Capabilities:
  Log Collectors → SIEM collects log data from different devices throughout the network & stores these logs in a searchable database
  Data Inputs → Firewalls, routers, network intrusion detection
  Log Aggregation → SIEM system collects data from multiple systems; SIEM systems can aggregate the data & store it so that it is easy to analyze & search
  Correlation Engine → Used to collect & analyze event log data from various systems within the network.
    It aggregates the data looking for common attributes
    It uses advanced analytics tools to detect patterns of potential security events & raise alerts.
  Reports → SIEM systems include built-in reports
  Packet Capture → SIEM includes protocol analyzer capabilities to capture network traffic
  User Behavior Analysis → UBA focuses on what users are doing, monitoring critical files looking for who accessed them, what they did & how frequently they access them.
    Typically looks for abnormal patterns of activity that may indicate malicious intent
  Sentiment Analysis → Use UBA technologies to observe user behaviors to detect unwanted behaviors
    Relies on AI to analyze large datasets
  Security Monitoring → Provides predefined alerts which can provide continuous monitoring of systems & notification of suspicious events
    If it detects a new port on a server, it will send an email to the admin
  Automated Triggers → A trigger can cause an action in response to a predefined number of repeated events
    A SIEM includes the ability to modify predefined triggers & create new ones
  Time Synchronization → All servers sending data to the SIEM should be synchronized with the same time.
  Event Deduplication → Process of removing duplicate entities
  Logs / WORM → SIEM includes methods to prevent anyone from modifying log entries
Elements of SIEM Dashboard:
  Sensors → Collect logs from devices & send them to the SIEM system
  Alerts → Sends out an alert when a trigger fires
  Sensitivity → Setting sensitivity levels to limit false positives while avoiding false negatives
  Correlation → SIEM correlates & analyzes the data
  Trends → By analyzing the data, SIEM can identify trends

Security Orchestration, Automation & Response (SOAR)

Integrates with various security tools and automates responses to threats
Used to respond to low-level security events automatically
SOAR tools respond automatically, which frees up administrators to focus on their administrative & cybersecurity tasks.
SOAR tool can open attachments within a sandbox & observe the activity
SOAR can perform steps to automatically verify whether the threat is real or not, and implement the appropriate steps to mitigate it.
SOAR platforms use playbooks & runbooks
  Playbook → Provides checklist of things to check for suspected incidents
    It is a set of rules that determine what actions will be performed when an event occurs
  Runbook → Implements the playbook checklist using available tools within an organization
Functions:
  Security Orchestration → SOAR platforms integrate with various security tools, systems, and applications, such as SIEM, firewalls, endpoint protection, and threat intelligence feeds.
  Automation → Automates repetitive security tasks to improve efficiency and reduce manual workload.
  Incident Response → Facilitates and manages the response to security incidents, including the coordination of actions across different teams and tools.
  Case Management → Provides a centralized system for tracking and managing security incidents, including documentation and workflow management.
  Threat Intelligence Management → Aggregates and analyzes threat intelligence data to provide context for incidents and improve detection capabilities.
  Reporting & Analysis → Generates reports and dashboards to provide insights into security operations and incident trends.

SOAR Vs SIEM

SOAR → Automation of incident response, workflow management, playbooks
  Orchestrating and automating security operations and incident response
  Uses data from SIEMs and other security tools to automate responses
SIEM → Log collection, event correlation, threat detection
  Aggregating and analyzing security event data for threat detection
  Collects and correlates log data from multiple sources
SOAR collects data and alerts security teams using a centralized platform similar to SIEM, but SIEM only sends alerts to security analysts
SOAR adds automation and response capabilities to the alerts it sends. SIEM focuses on alerting and logging without automated response.
SOAR uses automated playbooks and workflows to respond to incidents.
  SIEM: Detects suspicious activity and sends an alert for manual investigation.
  SOAR: Automatically isolates an infected machine and removes a phishing email based on predefined playbooks.

Objective 1.8

Penetration Testing

Unknown Environment → Black box testing
Known Environment → White box testing
Partially Known Environment → Gray box testing
Lateral movement → Refers to the way attackers maneuver throughout the network
Persistence → Attacker’s ability to maintain presence in the network
Cleanup → Removing all traces of the penetration tester’s activities
  It’s common for testers to create a log of what they’re doing as they’re doing it. This makes it easier to reverse all their actions
Pivoting → Process of using various tools to gain additional information
  It is the process of using an exploited system to target other systems.

Passive and Active Reconnaissance

War Driving → Attackers use war driving to discover wireless networks they can exploit
  Admins use war driving as a part of a wireless audit: A wireless audit is a detective control & examines the signal footprint, antenna placement & encryption of wireless traffic.
  Ex. Detect rogue access points & evil twins by war driving
  Done by walking or driving around
War Flying → People fly around in private planes / drones
  Same function as War Driving
Footprinting → Wireless footprinting creates a detailed diagram of APs, hotspots & dead spots within an organization.

Exercise Types

Red Team → Attacks
Blue Team → Defends
Purple Team → Can either do blue team or red team activities
White Team → Establishes rules of engagement for a test & oversees the testing