733 Key Terms Quiz


Moonlight Maze

Definition: Example: Significance:

Operational Preparation of the Environment (OPE)

Definition: Example: Significance:

Petya

Definition: Example: Significance:

Solar Winds

Definition: Example: Significance:

TRITON

Definition: Malware discovered in 2017 after it caused repeated shutdowns of a petrochemical plant in the Middle East. It targeted the plant's Safety Instrumented System (SIS), the controller that trips the process to a safe state when readings go out of bounds. The SIS is separate from the programmable logic controllers (PLCs) that run the process: PLCs tell the machines what to do and exchange data with sensors and equipment under control, while the SIS acts as an alarm system and automated kill switch that must be able to shut the industrial process down safely on its own. Example: The shutdowns that exposed the attack were not what the attackers wanted; their tampering with the SIS tripped it by accident. Significance: TRITON is the first publicly known malware built to compromise a safety system, the layer whose job is to prevent physical harm. A subverted SIS can fail to trip when it should, or trip when it should not, so safety controllers need the same monitoring and integrity checks as the rest of the control network.

NotPetya

Definition: 2017 wiper attack that Russia launched against Ukraine. Sandworm (a Russian GRU unit) hijacked the software-update mechanism of a Ukrainian accounting-software vendor (M.E.Doc) and the worm spread from there. It posed as ransomware but was a wiper: it destroyed data, and there was no working way to pay for recovery. Example: NotPetya is an example of a wiper attack dressed up as ransomware. Significance: The wiper spread automatically, rapidly and indiscriminately, using stolen credentials and the same SMB exploit (EternalBlue) as WannaCry. Victims knew something was happening but not what or why. It was launched against Ukraine, spread around the world, and hit Russian companies too. It caused over $10B in damage.

APT10

Definition: A Chinese cyber espionage group that FireEye has tracked since 2009. It has historically targeted construction and engineering, aerospace and telecom firms, and governments in the United States, Europe and Japan. Example: APT10 is an example of an Advanced Persistent Threat (APT), a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period of time. Significance: Most of its operations aim at acquiring valuable military and intelligence information as well as trade secrets.

APT1

Definition: A Chinese threat group attributed to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department, commonly known as Unit 61398. This cyber espionage group has been conducting campaigns against a broad range of victims since at least 2006. Example: APT1 is an example of an Advanced Persistent Threat (APT), a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period of time. Significance: It is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations and has demonstrated the capacity and intent to steal from dozens of organizations simultaneously.

Slingshot

Definition: A complex cyber-espionage platform, active from at least 2012 until February 2018, that rivals Project Sauron and Regin in complexity. It used a then-unknown vulnerability in MikroTik routers as its infection vector: the router's management software pulled a malicious library onto the administrator's machine. That library replaces a legitimate Windows library with a malicious one of exactly the same size and gives the implant access to an encrypted virtual file system on disk. Example: Almost 100 known victims, mainly in the Middle East and Africa. Significance: Routers are an attractive foothold because they are rarely monitored and sit on the path to every host behind them. A same-size replacement DLL defeats naive integrity checks that compare file sizes, which is why defenders should verify hashes or signatures instead.

Honeypots

Definition: A computer security mechanism that lures and traps attackers: a decoy system or service placed on a network to look like a real target, distracting attackers from genuine assets and recording what they do. Example: Honeypots are an example of the Intelligence phase of Computer Network Defense (CND). Significance: They let defenders gather information about attackers (the credentials they try, the tools they drop, how they move once inside) and understand their behavior patterns, which helps system administrators protect against future attacks. Because no legitimate user has any reason to touch a honeypot, any interaction with it is a high-confidence signal.

Active Directory Server

Definition: A database and a set of services (Microsoft's directory service for Windows networks) that connect users with the network resources they need to get their work done: it holds the accounts, groups and permissions and authenticates logins. Example: In The Cuckoo's Egg, Clifford Stoll pulls up the list of who is logged in and notices that an account belonging to someone no longer working there is active. (Active Directory did not yet exist; Stoll was reading the login and accounting records of a Unix system, but the idea of a central record of who is on the network is the same.) Significance: It shows the health of the environment and who is in the network. Because it holds every credential and permission, it is also the highest-value target for an attacker who wants to escalate privileges and move laterally.

Watering Hole Attack

Definition: An attack aimed at a group of specific individuals who frequent the same website. The attacker compromises that site so that when a target visits, the server delivers malicious code that exploits a vulnerability in the visitor's web browser or its plugins. Example: Significance: Less precise than spearphishing, because anyone who visits the site may be infected, so it suits operations where the attacker wants to reach a community (a sector's trade site, for instance) rather than a named person.

Air Gaps

Definition: A network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. Example: At the Natanz facility in Iran, the computers connected to the nuclear centrifuges were air gapped. Stuxnet crossed the air gap on a USB drive. Significance: Done properly, it removes every network path an attacker could use, but it does not protect against removable media, supply-chain compromise, or an insider with physical access. Controls on USB drives and on who can physically reach the systems are what actually make an air gap hold.

Protocol

Definition: A set of rules governing the exchange or transmission of data between devices. Example: TCP/IP (Transmission Control Protocol/Internet Protocol), the protocol suite the Internet runs on. Significance: Standards let computers from different vendors interoperate. They also define the attack surface: an attacker can only send what the protocol accepts, and flaws in how a protocol is specified or implemented become vulnerabilities everywhere it is used.

Command-and-Control (C2)

Definition: The stage of the intrusion model in which attackers set up a channel to keep communicating with compromised systems inside the target network. Usually the compromised host initiates the connection from inside the network to a command-and-control server on the public Internet, because most firewalls allow outbound connections while blocking inbound ones. Example: In Operation Ababil, the attackers remotely leased servers from companies within the United States and elsewhere and set them up for command-and-control purposes. Significance: Establishing C2 is a vital step for attackers to direct lateral movement inside a network. C2 servers also serve as the headquarters for the compromised machines in a botnet.

Advanced Persistent Threat (APT)

Definition: A stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period of time Example: APT1; a Chinese threat group that has been attributed to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department -- commonly known as Unit 61398. A cyber espionage group that has been conducting cyber espionage campaigns against a broad range of victims since at least 2006 Significance: They possess a sophisticated level of expertise and significant resources and are particularly dangerous for enterprises. They have sophisticated hacking techniques that allow them to gain access to systems and remain inside for prolonged periods of time

Distributed Control System

Definition: A system of sensors, controllers or associated computers that are distributed throughout the plant's local area network. Each of these elements serves a unique purpose such as data acquisition, process control, as well as data storage and graphical display. Example:The DCS at a power plant might automatically increase steam generation capacity of multiple turbines to keep up with changing demand for electricity during hot summer days and then decrease it as outdoor temperatures cool overnight and demand subsides. Significance: The DCS is the "central brain" of a plant that makes automated decisions based on production trends it sees in real-time.

Industrial Control Systems (ICS)

Definition: A system that controls industrial processes by regulating variables such as pressure, flow and temperature. There are 3 tiers within an ICS: Bottom: small, task-oriented discrete controllers (PLCs). Mid-level: distributed control systems, which coordinate across controllers and processes. Top: SCADA (supervisory control and data acquisition), which conducts operational control. SCADA allows for 2 tasks: visualization (the HMI) and recording what is happening (the historian). Example: In Stuxnet, the ICS was the technology (HMI, centrifuges, controller code, etc.) that separated isotopes of uranium. Significance: ICS is where information technology and operational technology merge; there is a data element and a physical element. Because there is a physical element, targeting an ICS can result in physical damage rather than just loss of data (e.g., a blackout or destroyed centrifuges).

Shamoon

Definition: A 2012 wiper attack against the Saudi Arabian energy sector, claimed by a group calling itself the Cutting Sword of Justice, which was not formally affiliated with the Iranian government. It struck Saudi Aramco (a variant also hit RasGas) and was modeled on the Wiper malware that had hit Iran's oil sector earlier that year. Had it been done more thoroughly, it could have had a much larger impact on global commerce and on cyber as a weapon. Example: Significance: It showed that wipers could be a useful tool of statecraft with some adjustments: the attack imposed real costs on Saudi Arabia through a proxy, in a way that did not blow back directly on Iran.

Persistence

Definition: The ability to stay in a network after penetrating it, typically through backdoors or stolen credentials that survive reboots and password changes. Example: Significance: In traditional operations, once you are in someone else's territory, momentum kicks in: you do not linger, and action on objective follows quickly. In cyber operations that momentum is much weaker. Gaining access to a network takes significant resources, so state and non-state actors tend to hold that access rather than use it immediately.

Escalation of Privileges (EoP)

Definition: Gaining privileges above those you should have (e.g., a guest user obtaining administrator privileges). Example: In the 2015 Ukrainian blackout, the attackers impersonated the users who had access to the SCADA systems. This let them learn Ukraine's electricity distribution network and tailor their attack to it. With that higher level of access, they did not need malware to manipulate the system; they could simply issue commands to cause the blackout. Significance: After an attacker makes an initial entry and conducts internal recon, they escalate privileges. Without internal network security controls, the attacker can make themselves an administrator, and escalation is usually what turns one compromised workstation into a compromise of the whole domain.

Data-in-use

Definition: Active data held in a non-persistent digital state, typically in RAM, CPU caches or CPU registers: data that is currently being updated, processed, erased, accessed or read by a system. Example: A user submits a transaction to a bank and the bank processes the customer's account number as part of the transaction authentication algorithm. Significance: Rarely encrypted while in use, since the CPU must operate on plaintext, so it is a potential target for an attacker already on the host: memory-scraping malware and credential-dumping tools work precisely on data in this state.

Human Machine Interface (HMI)

Definition: The interface that lets engineers and operators give commands to a system and that displays the system's state back to them. Example: In Stuxnet, the interfaces that allowed Iranian engineers to monitor the centrifuges in action. The attackers manipulated what the HMI showed so that the engineers would not see the effects of the attack. Significance: ICS attacks that want to remain stealthy will likely target the HMI, because operators trust what it shows them.

Development

Definition: Attackers build or acquire computer code that will enable them to gain access to their target and perform malicious activity. This may involve the use of zero-day exploits and several rounds of testing in a simulated target environment Example: In Shamoon, attackers obtained admin credentials for victim's network and built a custom wiper that leveraged credentials to spread widely Significance: Development and reconnaissance phases are typically the most time consuming phases; once initial entry occurs, things usually pick up. Development phase also allows you to customize the software to do what you want it to do: deciding the scope of the attack occurs in this phase based on how you develop the exploit.

Computer Network Attack (CNA)

Definition: Attacks intended to cause disruption to usage and access Example: Wiper, Stuxnet, DDoS, Ransomware Significance: CNA can symbolize an attempt to shape or signal to an adversary. Depending on the attack, CNA can cause irreparable damage to a country's critical infrastructure.

Exploit

Definition: An attack, or the code used in it, that takes advantage of a vulnerability; more precisely, code that makes a system do something its developer did not intend. Example: Spearphishing exploits human vulnerabilities: employees who are not careful or do not practice good opsec are an easy target. Significance: Systems will always have vulnerabilities (there is no perfect system), so there will always be an opportunity to exploit them and breach security.

Entry

Definition: Breaking into a system in order to later deliver some sort of payload to the target. Example: Spearphishing: a seemingly legitimate email contains a malicious link or file, and clicking on it executes the malicious code and lets the attacker into the system. Significance: Once initial entry is made, an attacker can cause significant damage. They can establish a backdoor to maintain persistent access, wipe or overwrite files and erase their tracks, use the machine in another attack (e.g., as part of a DDoS), and more. Initial entry into a system unlocks essentially limitless potential for malicious activity in that system.

Servers

Definition: Computers that provide access to various network services, such as printing, data, and communications. Example: mail servers, web servers Significance:

Distributed Denial of Service (DDoS)

Definition: Conducted by multiple systems flooding the bandwidth or resources of a targeted system. Example: Estonia; Operation Ababil Significance: A DDoS attack violates the A/Availability portion of the CIA triad. During a DDoS attack, users cannot access the systems that they need.

CIA Triad

Definition: Confidentiality, Integrity, Availability (ensuring that data is private, unaltered, and accessible to authorized users). This triad is the foundation of an organization's security infrastructure - the goal should be to maintain the three aspects of the triad.

Data-at-rest

Definition: Data that is housed physically on computer data storage in any digital form Example: Files stored on file servers, records in databases, documents on flash drives Significance: Should almost always be encrypted

Computer Network Operations (CNO)

Definition: Deliberate actions taken to leverage and optimize computer networks to improve human endeavor and enterprise or, in warfare, to gain information superiority and deny the enemy this enabling capability. CNO consists of CNA, CNE and CND. Example: Stuxnet, Wiper, etc. Significance: It has both civilian and military applications.

Kill Chain Model

Definition: Developed by Lockheed Martin. Phases of the Intrusion Kill Chain: Reconnaissance (research and identify the target), Weaponization (pair malware with an exploit to create a deliverable payload, e.g., a weaponized Adobe PDF), Delivery (transmit the weapon to the target), Exploitation (trigger the code), Installation (install a backdoor for persistent access), Command and Control (communicate with the weapon), Actions on Objectives (achieve the goal of the intrusion). Example: Significance: Helps defenders understand the adversary's attack campaign and shows that breaking any one link in the chain can stop the intrusion.

Operational Technology (OT)

Definition: Devices that control the physical world Example: Generators, transmission lines, transformers, etc. -- physical devices that control power/electricity Significance: Operational technology has a physical safety element, unlike IT. IT security = CIA. OT security = safety, then A, I, C.

Information Technology (IT)

Definition: Devices that manage data Example: Significance:

Computer Network Exploitation (CNE)

Definition: Enabling operations and intelligence collection capabilities that use computer networks to gather data from a target or adversary's information systems or networks. Example: Using a computer network to steal a file from someone else's computer, e.g., in The Cuckoo's Egg, when the hacker entered the university lab's network to steal credentials and pivot to military networks. Significance: Distinguished from CNA because it is about intelligence collection and gathering data rather than disruption.

Confidentiality

Definition: Ensuring that data is only visible to/available to authorized users. To achieve confidentiality, you need to maintain the privacy and the lack of access to the data. Example: The Chinese hack of OPM in 2015 targeted the confidentiality of millions of private data records. The Chinese accessed and exfiltrated records that contained SSN, addresses, etc. Significance: The violation of confidentiality can cause reputational damage to an organization, and it can result in compliance issues as well.

Availability

Definition: Ensuring that information and services are accessible to authorized users in a timely manner. When an attacker violates availability, they deny access to data or systems. Example: 2012 Iranian DDoS attack against US banks made the sites/systems unavailable to customers. Significance: Availability provides an assurance that your system and data can be accessed by authenticated users whenever they're needed.

MITRE ATT&CK

Definition: A framework by MITRE that focuses on the attacker, specifically on the attacker's goals (tactics) and the techniques used to achieve them. It is more specific and goes further in depth than the other models. Example: Under the Lateral Movement tactic, ATT&CK lists several techniques for moving between hosts, such as pass the hash or remote file copy. Significance: MITRE's model is unique because it catalogs the concrete techniques associated with each tactic, giving defenders specific behaviors to detect against.

Momentum

Definition: The incentive to carry out the next step once you have carried out the previous one. Example: Significance: Weaker in cyber operations than in traditional operations, since attackers who have gained access tend to hold it rather than act on it immediately (see Persistence).

Ukraine 2016

Definition: The December 2016 attack on Ukraine's grid, attributed to Sandworm, used Industroyer, malware built specifically for ICS, which is what distinguishes it from the 2015 case. A launcher module executes payloads that speak four different ICS protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) and also runs a data wiper (KillDisk). The attackers got into the SCADA system and sent commands directly to substation equipment, getting below the HMI level, which added complexity and stealth. The malware had a logic bomb (timer) and an internal C2 structure so its components could communicate within the isolated environment: malware that only talks among internal systems is harder to detect than malware that talks out to the attacker. Sandworm spent the year after 2015 improving and went after different power stations; this attack was narrower, aimed at a transmission station serving Kiev, and more sophisticated than 2015. Because the malware speaks the grid protocols itself and can be set off by a timer, it scales (no humans manually clicking through HMIs), though differences in each network's set-up mean more recon is required per target. The launcher need not deploy all four payloads; it can send only the one a target needs, and there may be more than four. The malware is modular and could be adapted to non-European grids such as those in North America. Ukraine may be a testing ground for operations against other states; the relatively limited scale lends credence to that theory, but be hesitant about the narrative, since Russia has clearly defined geopolitical goals in Ukraine itself. Example: Significance: First public discovery of modular malware targeting the electric power industry. Variants with additional ICS protocol capability may already exist or are likely coming.

Data-in-transit

Definition: Information that flows over a public or untrusted network such as the Internet, and also data that flows within a private network such as a corporate or enterprise network. Example: Sending a text message to another user, or web browsing over a wireless connection. Significance: Should almost always be encrypted. It presents unique opportunities for access when governments control chokepoints through which data must pass (e.g., the British town, or China forcibly routing data through China Telecom; pg 78 Buchanan, The Hacker and the State).

Confirmation

Definition: It is the last stage of the intrusion model. It is an after-action analysis and verification of mission success after CNE or CNA. Example: One of the components of the Shamoon code was to let the attackers know how the operation proceeded. Significance: It ensures that the operation went as planned

Sony Hack

Definition: A 2014 interactive attack by the "Guardians of Peace" (GOP) on Sony Pictures' networks, intended to influence Sony's release of "The Interview", a satirical movie about the leader of the DPRK. The attackers got in through spearphishing, moved laterally, then leaked data and wiped systems. It succeeded in altering Sony's behavior: Sony cancelled the wide theatrical release after the DPRK also threatened terrorist attacks on theaters showing the movie. It was a much more interactive attack than previously seen. GOP claimed responsibility; attribution was messy (some of the servers used were in Ukraine), and during the initial reporting it was hard to tell which sources were credible, but the evidence of North Korean involvement is convincing. It is interesting for how closely it fits the deterrence/compellence framework: the consequences and the desired outcome were clearly communicated. Example: Significance: A government targeted and successfully influenced the behavior of a multinational corporation. Although operationally a success, it was a strategic failure because it made the movie more popular.

Authorization

Definition: Once a user is authenticated, the system knows who they are. Authorization then determines what that user can do within the system or application and what data they can access: it is the process of granting the privileges needed to reach specific resources such as files, databases, locations or funds. In simple terms, authorization evaluates whether a user may access a resource and to what extent. Example: Access Control Lists (ACLs). An ACL specifies which users or groups may perform which operations on a particular resource; a user not listed is denied. Significance: Giving access only to the people who need it (least privilege) is one of the main ways to keep a system secure and to limit what an attacker can do with a stolen account.

Intelligence

Definition: Part of CND; collecting data, exploiting (processing) it into information, and producing intelligence from it. Example: Honeypots; decoy systems placed on a network to trap attackers and record how they behave, away from confidential files, so that defenders can understand attacker behavior patterns. Significance: Cyber threat intelligence gives organizations insight into the mechanisms and implications of threats, letting them build defensive strategies and frameworks and reduce their attack surface, with the end goals of mitigating harm and protecting the network.
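As an added example (not from the original page or from any course material it draws on), the script below turns constructed honeypot login records into the kind of intelligence these two cards describe: attempts per source address, the credentials attackers try most, the sessions the honeypot deliberately let in, and a blocklist of sources that brute-force within a short window. The log format, addresses and credentials are made up for illustration; real honeypots such as Cowrie have their own log formats.

```python
"""Turn honeypot login logs into threat intelligence.

Added example, not from the original page. LOG_LINES are constructed in
the style of an SSH honeypot's authentication log; the format, addresses
and credentials are hypothetical.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. result=succeeded means the honeypot deliberately
# accepted the password so that post-login behaviour could be observed.
LOG_LINES = """\
2024-03-01T10:00:01Z login attempt src=203.0.113.7 user=root password=123456 result=failed
2024-03-01T10:00:02Z login attempt src=203.0.113.7 user=root password=admin result=failed
2024-03-01T10:00:02Z login attempt src=203.0.113.7 user=root password=toor result=failed
2024-03-01T10:00:03Z login attempt src=203.0.113.7 user=admin password=admin result=failed
2024-03-01T10:00:04Z login attempt src=203.0.113.7 user=root password=password result=succeeded
2024-03-01T10:05:00Z login attempt src=198.51.100.23 user=pi password=raspberry result=failed
2024-03-01T11:30:00Z login attempt src=198.51.100.23 user=pi password=raspberry result=failed
2024-03-01T12:00:00Z login attempt src=192.0.2.55 user=root password=123456 result=failed
this line is garbage and must be skipped
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login attempt src=(?P<src>\S+) user=(?P<user>\S+) "
    r"password=(?P<password>\S+) result=(?P<result>\w+)$"
)


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def attempts_per_source(events):
    """How many login attempts each source address made."""
    return Counter(e["src"] for e in events)


def top_credentials(events, n=3):
    """Most-tried (user, password) pairs: tells you which defaults to rotate."""
    return Counter((e["user"], e["password"]) for e in events).most_common(n)


def accepted_logins(events):
    """Events where the honeypot let the attacker in (these sessions are the prize)."""
    return [e for e in events if e["result"] == "succeeded"]


def brute_force_sources(events, threshold=3, window_seconds=60):
    """Sources with at least `threshold` attempts inside any sliding window.

    Two-pointer sweep over each source's sorted timestamps: a slow attacker
    spacing attempts minutes apart is not flagged, a burst within a minute is.
    """
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("attempts per source:", dict(attempts_per_source(evs)))
    print("top credentials:", top_credentials(evs))
    print("accepted logins:", [(e["src"], e["user"]) for e in accepted_logins(evs)])
    print("blocklist:", sorted(brute_force_sources(evs)))
```

The blocklist is the "protect against future attacks" step: the flagged addresses can be fed to a firewall or fail2ban-style tool, while the credential counts tell you which default accounts to disable on production hosts. Thresholds are deliberately parameters; a honeypot sees only attackers, so a low threshold is fine there but would be far too aggressive on a real login service.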

Offense

Definition: Part of CND; legal countermeasures and self-defense actions against an adversary. Example: "Hacking back" where legal and allowed: a counter-strike against a cyberattacker that can include deleting or retrieving stolen data, harming the hacker's system, and identifying the hacker and reporting them to law enforcement. Significance: This is often the most visible part of cyber operations, but for private actors hacking back is illegal in most jurisdictions and risks hitting the wrong party, since the attacker's infrastructure is usually someone else's compromised machines.

Passive Defense

Definition: Part of CND; systems added to the architecture to provide reliable defense or insight against threats without requiring human interaction Example: Antivirus software that runs automatically on a system but can alert a human if something goes wrong Significance: Passive defense is the first line of defense when protecting a host device or an organization's network from vulnerabilities, reducing the probability of a breach, and giving insight into threat encounters

Architecture

Definition: Part of CND; the planning, establishing, and upkeep of systems with security in mind. Example: Network segmentation is the act of splitting a computer network into subnetworks to improve the security of a network's architecture. By segmenting the network, you allow users to only access specific network resources that they need to do their jobs. Significance: A robust network architecture facilitates system level functionality as well as robustness and evolvability in the face of changes in software, hardware, and application components and external environments.

Active Defense

Definition: Part of CND; the process of analysts monitoring for, responding to, and learning from adversaries inside the network. Example: Incident response: the process by which an organization handles a data breach or cyberattack, including how it manages the consequences of the attack or breach. Significance: Allows an organization to detect and derail attacks early and to gather the threat intelligence needed to understand the attack and prevent a recurrence. It is critical for detecting and stopping not only external threat actors but also insiders and attackers with varying motivations, such as ransomware operators.

Internet Protocol (IP)

Definition: A numeric logical address that identifies a host (or one of its network interfaces) on an IP network. It is not a physical address (that is the hardware/MAC address); it is associated with domain names (website names) through DNS. IPs can change over time, a single public IP can front an entire local network (a gateway doing NAT), and multiple domains can resolve to one IP address. Example: 123.123.123.123 (an IPv4 address: four numbers, each 0 to 255). IPv6 addresses are longer hexadecimal strings. Significance: An IP address is weak evidence of identity. Attackers cover their tracks by routing through proxies, VPNs or compromised hosts in other countries, or by spoofing the source address in one-way traffic such as DDoS floods, so that the malicious activity cannot be tied to their real location.

Integrity

Definition: Protecting data and systems from manipulation. Data should remain unaltered except by authorized changes. Example: North Korean bank heists targeted the integrity of financial institutions' data by manipulating transaction records and payment messages in the victims' systems (e.g., fraudulent SWIFT transfer orders). Significance: Integrity ensures the accuracy of data used in business processes and transactions. It is essential for data whether in transit, at rest or in use, and an integrity attack can be harder to notice than a confidentiality or availability attack because everything appears to keep working.

Supervisory Control and Data Acquisition (SCADA)

Definition: Supervisory control and data acquisition: a computer system for gathering and analyzing real-time data from field equipment and for issuing supervisory commands to it. Example: In the 2015 Ukraine blackout, attackers who had gained operators' access to the SCADA systems issued the commands that caused the outage. Significance: SCADA systems monitor and control plants and equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining, and transportation. Compromising one gives an attacker the operator's own controls over the physical process.

Sands Casino

Definition: A 2014 Iranian cyber attack against the Las Vegas Sands casino company, aimed at its CEO, a private U.S. citizen, in response to his public anti-Iranian statements. The attackers targeted a weaker link, the company's Bethlehem, Pennsylvania property, brute-forced passwords, moved laterally and pivoted into the Las Vegas systems, then wiped data and took systems down. A group calling itself the Anti WMD Team claimed responsibility; the attack is attributed to Iran. The story broke through journalism; Sands kept the extent of the attack quiet for a while. Example: Significance: The targeting of a private U.S. citizen by the Iranian government over his political speech.

Firewall

Definition: A security measure that blocks or permits network traffic according to a preconfigured set of rules, typically matching on addresses, ports and protocols. Example: A firewall is an example of the passive defense phase of CND. Significance: By blocking off areas of the network, firewalls protect systems and data. In a DDoS attack a firewall can block all foreign traffic if that is where the flood is coming from, helping to preserve the Availability portion of the CIA triad. This only works when the flood's sources are concentrated and not spoofed; a large volumetric attack saturates the link before it reaches the firewall, so mitigation then has to happen upstream at the ISP or a scrubbing service.
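As an added example (not from the original page), the script below evaluates a small packet-filter rule set over constructed packets with the semantics most firewalls use: rules are checked top to bottom, the first match decides, and anything that matches nothing is dropped by an implicit final deny. It also flags a rule that can never fire because an earlier rule covers it, a common misconfiguration. The rule set, addresses and packets are hypothetical; the addresses come from the RFC 5737 documentation ranges.

```python
"""Evaluate a stateless packet-filter rule set: first match wins, default deny.

Added example, not from the original page. The rule set and sample packets
are constructed; addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # "tcp"/"udp"; None matches any protocol
    src: Optional[str] = None       # source CIDR; None matches any source
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A field left as None in the rule is a wildcard; every set field must match."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def decide(rules, pkt):
    """Walk the rules top to bottom and return (action, index of the matching rule).
    A packet that matches nothing is dropped by the implicit final deny (index None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule is at least as broad
    in every field (wildcard or equal proto/port, and a source CIDR that covers the later one)."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            proto_ok = earlier.proto is None or earlier.proto == later.proto
            port_ok = earlier.dst_port is None or earlier.dst_port == later.dst_port
            src_ok = earlier.src is None or (
                later.src is not None
                and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            )
            if proto_ok and port_ok and src_ok:
                out.append(j)
                break
    return out


# Constructed rule set. Order matters: the block on the flooding range comes first
# so that it also stops that range from reaching the public HTTPS port.
RULESET = [
    Rule("deny", src="203.0.113.0/24"),                          # 0: known flood source
    Rule("allow", proto="tcp", dst_port=443),                    # 1: public HTTPS
    Rule("allow", proto="tcp", src="10.0.0.0/8", dst_port=22),   # 2: SSH only from inside
    Rule("allow", proto="tcp", src="10.1.0.0/16", dst_port=22),  # 3: never fires, shadowed by 2
]

SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 443),    # flood source hitting HTTPS -> deny (rule 0)
    Packet("tcp", "198.51.100.20", 443),  # ordinary client -> allow (rule 1)
    Packet("tcp", "198.51.100.20", 22),   # SSH from outside -> implicit deny
    Packet("tcp", "10.2.3.4", 22),        # SSH from inside -> allow (rule 2)
    Packet("udp", "10.2.3.4", 53),        # nothing matches -> implicit deny
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", decide(RULESET, p))
    print("shadowed rules:", shadowed_rules(RULESET))
```

Rule 0 is the card's DDoS use of a firewall: dropping a whole source range. If it were placed after the HTTPS allow, the flooding range would get through on port 443, which is why rule order is part of the policy and worth testing. The check also shows the limit of the approach: a source-address block only helps if the flood's sources are not spoofed or spread across the whole Internet.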

Network Segmentation

Definition: Segmentation = dividing a computer network into smaller parts in order to control traffic and access across the network. Example: Network segmentation is an example of the architecture phase of CND Significance: Segmentation ensures that non-authorized users do not access parts of the network or data that they are not authorized to access.

Stuxnet

Definition: Stuxnet was a cyber attack, allegedly conducted by the U.S. and Israel, against the centrifuges of the Iranian uranium enrichment program at Natanz. Stages of the attack: Target Recon: the Dutch AIVD reportedly recruited an Iranian engineer, and the countries involved conducted a technological assessment of the target systems. Development: research into industrial control mechanisms, assembling the zero-days, writing the code and testing it in a simulated target environment to see that it worked. Authorization: the code carried a time bomb setting when it should stop and rules for which types of systems to skip over, so as not to attack systems domestically; this shows the potential influence of lawyers, specifically US ones. Initial Entry: a mole allegedly carried the worm into the air-gapped network on a USB drive. Command & Control: logic in the code meant the payload executed only on a specific configuration of centrifuge controllers; infected machines reported back to two domains hosted in Malaysia and Denmark. Recon & Pivoting: Stuxnet moved within the network via USB drives and a Windows print-spooler vulnerability. Payload Activation: two versions, one opening and closing the valves on the centrifuges, the other changing the rotors' speed to make them break down. Confirmation: IAEA inspectors reported Iran replacing centrifuges in numbers consistent with the attack. Example: Significance: The depth of target reconnaissance and of development against an air-gapped system is significant, as is the fact that allegedly a person was recruited to infect the target network at Natanz.

Encryption

Definition: Taking plaintext (a password, a file, data, etc.) and scrambling it so that only holders of the correct key can unscramble it and read the plaintext. Example: Encryption is an example of the architecture phase of Computer Network Defense (CND). Significance: Encryption prevents unauthorized users from reading information they do not have permission to access, protecting the confidentiality of data at rest and in transit. On its own it does not guarantee integrity: ciphertext can be altered undetected unless an authenticated encryption mode or a MAC is used, and the protection is only as strong as the key management behind it.

Buchanan's Intrusion Model

Definition: Target Reconnaissance, Development, Authorization, (Initial) Entry, Command and Control Establishment, Internal Reconnaissance and Pivoting, Payload Delivery, Confirmation. Example: https://docs.google.com/spreadsheets/d/1-hBdVGnGYZ8zWLZVm_vtMi5-lF4chuE8J5z-LfRCYiM/edit?ts=602af48c#gid=0 Significance: It lays out the stages an operation must go through and gives security teams points at which to stop an attack. Intrusion models let researchers and those in charge of CND work out what kind of CNO they are observing: TTPs tell a story and can suggest CNE or CNA. The stages are not always distinct; for IoT devices conscripted into a DDoS botnet, initial entry and action on objective effectively coincide.

Packet

Definition: The smallest unit of information transmitted across digital networks: a small chunk of data sent toward a destination. A message is split into packets, which are reassembled at the final destination. A packet has a header and a payload. The header carries information such as the sender's IP address, the receiver's IP address and the packet's identification or sequence number; the payload is the data. Example: An email is divided into packets that are sent across the Internet to their destination and reassembled there so the recipient can read the email. Significance: Large files would be too big to send whole; breaking data into packets lets information flow through the Internet regardless of size. Packets can take any route, and as long as they reach the destination the route does not matter, which makes the network resilient. Packets can still be lost, duplicated or arrive out of order: TCP detects this and retransmits or reorders them, while UDP does not, so an application using UDP must tolerate the loss itself. That matters when the data must be exact, as with financial data.

Computer Network Defense (CND)

Definition: The actions taken to defend against unauthorized activity within computer networks Example: During the Estonian cyberattack in 2007, the Estonian government took active defense to move Estonian websites to "well defended" web servers to handle the excessive traffic from the DDoS attacks Significance: CND can come in many forms: strong architecture, passive defense, active defense, and intelligence (can be used to collect information on an adversary and better defend against them)

Destination IP

Definition: The address to which a frame or packet is sent over a network. Needs to be read by switches so that the receiver knows where it's coming from. Example: Significance:

DMZ Switch

Definition: The demilitarized zone is the gap between parts of the network Example: ??? Significance: ??? Protects from untrustworthy traffic. Going outside of the DMZ means you are going outside of a firewall or VPN.

Packet Header

Definition: The packet header is the smaller component that contains information about the packet, its origins, and its destination Example: sender's IP address, the receiver's IP address, and the packet number (what number out of how many packets - this is needed to reassemble all packets). Significance: The information contained in the header tells the system how and where a packet should go and how it should be reorganized once it arrives at its destination. Without the packet header, the packet would not have directions for delivery and reassembly. (ex: Spotify song - you select a song on Spotify - it sends the song you selected to your phone in packets. If there is an issue delivering any of the packets, the song won't play)

Attribution

Definition: The process of tracking, identifying and laying blame on the perpetrator of a cyberattack or other hacking exploit. Example: Stuxnet was attributed to the United States and Israel after the worm was discovered by a security company named VirusBlokAda in mid-June 2010 and examined by Kaspersky Lab and Symantec Significance: Effective attribution can be a highly valuable source of intelligence for cyber-breach victims. Any information gained through attribution can bring organizations and law enforcement one step closer to catching those responsible.

Payload Activation

Definition: This is the Payload phase of Buchanan's model/the Action on Objective phase of the Kill Chain model. During payload activation, the attacker executes the malicious code to accomplish the objective. Example: During a wiper attack, the payload activation is the point in the attack where the malicious code overwrites/wipes the data. Significance: This is where the most damage occurs during the attack.

Shaping

Definition: To change the state of play; changing the environment to be favorable for you Example: In the Stuxnet case, the U.S. and Israel intended to use cyber to shape the environment as it pertains to Iran's nuclear capabilities. By destroying thousands of Iran's nuclear centrifuges, the U.S. was able to delay Iran's development of a nuclear weapon by at least three years, thus alleviating the threat Iran would pose if it had nuclear weapons Significance: To understand contemporary statecraft, you need to understand the shaping operations and their strategic effects

Signaling

Definition: To hint credibly at the cards one holds in order to influence how the other side plays its hand Example: ?? Significance: Ben Buchanan believes that cyber capabilities are ill-suited for signaling a state's position and intentions.

Local Area Network (LAN)

Definition: a computer network that covers a small area Example: Significance:

Vulnerability

Definition: a flaw in a system or a software system. (it is important to note that this is different from an exploit - an exploit takes advantage of the vulnerability). Vulnerabilities can be known or unknown. Example: Significance:

N-Day Vulnerability

Definition: a known vulnerability that has not yet been patched Example: Significance: Because the vulnerability is known, a hacker does not have to put time and resources into discovering a flaw in the system, and since the vulnerability is unpatched, the hacker knows that there is an entry point into the system for malicious activity.

Zero-Day Vulnerability

Definition: a vulnerability that is not known, so no patch or fix exists to prevent the exploitation of said vulnerability Example: Significance:

Incident Response

Definition: addressing a security breach or cyberattack. Example: In the Estonia DDoS attack, defenders had to determine why they were unable to access their systems. After they determined what was going on in their systems, they had to determine where the unwanted traffic was coming from. Once they knew this, they were able to block foreign traffic and block off Estonian systems, so users could access their systems again. Significance: Does not include any kind of prevention measures -- already past the point of entry. Notes (abstract): conventional network defense tools (e.g. intrusion detection systems, anti-virus) focus on the vulnerability component of risk; traditional incident response assumes the intrusion was already successful. APT = well-resourced and trained adversaries that "conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, or national security information". The evolution of APTs necessitates an intelligence-based model. Notes (intro): two flawed assumptions of conventional incident response = 1. Response should happen after the point of compromise; 2. The compromise was the result of a fixable flaw.

Wiper

Definition: an attack that wipes/overwrites/removes data from the victim. Example: Wiper; Shamoon; Sony; Sands; NotPetya Significance: a wiper attack damages the code on a computer to make drives unusable. Most severe???

Trapdoor Algorithm

Definition: an encryption function that changes a password into a cipher - can go forward but not backwards Example: Data Encryption Standard Significance: Assists in password protection

Zero-Day Exploit

Definition: an exploit that takes advantage of a previously unknown vulnerability Example: Significance:

Safety Instrumented System (SIS)

Definition: identifies hazards in a system and brings it back to a safe state. Example: Significance: The SIS ensures the safety element of the SAIC (instead of CIA) security model for operational technology (and the safety element is the most important concern). If the SIS fails, there is likely a physical consequence. Attack options against an SIS: 1. Use the SIS to shut down the process; 2. Program the SIS to allow an unsafe state; 3. Reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard

Man-on-the-side Attack

Definition: intercepts benign requests from targets and injects malicious exploits as a means of gaining access Example: Significance:

Ransomware

Definition: malicious code (software?) that holds a user's terminal hostage until an amount of money is paid. Example: Petya - Petya acts by infecting the boot record of machines that use the Windows system. That is, it blocks the entire operating system. To unlock, you need to pay a ransom of around USD 300 per user. This type of ransomware affected different organizations around the world, such as banks and companies in the areas of transportation, oil, food and health. Examples include the National Bank of Ukraine, Mondelez (food company), Merck (pharmaceutical company) and Rosneft (oil company). Significance: It locks the user out, and Petya has caused an estimated $10 billion in losses.

Spearphishing

Definition: method of sending socially-engineered messages to users so that attackers can install a malicious program or download a file Example: In Ukraine 2016, Significance: Used in more than 2/3 of cyber espionage ops and 1/5 of intrusions into systems that manage physical devices

Pivoting

Definition: moving from one point in the network to another, can be done by stealing the passwords of other network users to gain access to other parts of the network Example: When the hacker in Cuckoo's Egg used the university's network to go to the MILNET. Significance: pivoting allows the intruder to move laterally in the system and utilize deficiencies in the system to avoid detection.

Source IP

Definition: the address of where a packet was sent from. Example: An IP address that represents the device where a packet originated. Significance: A source IP can assist in identifying the origins of a packet.

Remote Code Execution

Definition: the exploitation of a vulnerability that allows the attacker to run whatever malware they want on the system Example: Significance:

Target Acquisition

Definition: would-be intruders determine which computer, server, or network is of interest to their mission. Involves learning about the target, scanning the network for information, OSINT such as employee directories, essentially recon. Example: In the Stuxnet hack, the air gapped computers were identified for the USB drive to be inserted into. Significance: Target acquisition is important because the entire operation hinges on identifying which computer/server/network is important for desired effects and how to get into it. ???

Ukraine 2015

Definition: Blackout lasted about 6 hrs and affected a quarter of a million people. First known case of a blackout caused by a cyber attack. Mapping it to the ICS Kill Chain: started through spearphishing about 6-7 months before the attack; don't really know about weaponization and targeting; used the VPN network to move around and get BlackEnergy 3; pivoted to the ICS side by getting credentials for the engineers' VPN into the SCADA and logged on remotely; reconfigured the uninterruptible power supply, wiped and overwrote the serial ethernet connections, TDoS of the telephone system, turned off the power. Hijacked an engineer's machine and started clicking off the power at stations while he was watching - phantom mouse technique. Computers were running Windows XP - BlackEnergy 3 was the standard malware that was manipulating a Windows XP exploit. The human machine interface was being manipulated. Does not require specific ICS malware - as seen from the video, they were messing with a system that was used for lab testing and was not actually connected to power lines, which means the attackers didn't really know where they were in the system and perhaps didn't have spectacular network mapping. Did a lot of things to hinder the effectiveness of the response - telephone lines, wiping switches, etc. TDoS is not super common - there are better ways to monetize phone lines. Even with everything, the blackout only lasted 6 hours - the Sandworm group was behind it, and it was likely not everything that Russia had to throw at Ukraine. Example: Significance: First public cyber attack on civilian power infrastructure. Demonstration of capability to the ICS community.

Turla

Definition: Turla has been active for more than 8 years. Complexity of tools: watering hole attacks, the Uroboros rootkit, mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, satellite-based C2. The C2 can't be physically seized or easily determined - but satellite-based Internet is slow and can be unstable. Example: Significance:
