CompTIA Security+ - Chapter 2 Attacks


Indicators of compromise (IOCs)

• Unusual outbound network traffic
• Anomalies in privileged user account activity
• Geographical irregularities in network traffic
• Account login red flags
• Increases in database read volumes
• HTML response sizes
• Large numbers of requests for the same file
• Mismatched port-application traffic, including encrypted traffic on plain ports
• Suspicious registry or system file changes
• Unusual DNS requests
• Unexpected patching of systems
• Mobile device profile changes
• Bundles of data in the wrong place
• Web traffic with nonhuman behavior
• Signs of DDoS activity, even if temporary

Four major categories of attack:

1) Social engineering attacks against the people/user component
2) Application/service attacks against specific types of components
3) Wireless attacks against the network connection
4) Cryptographic attacks

Attacks on computer systems and networks can be grouped into which two broad categories?

1: Attacks on specific software (such as an application or the operating system)
2: Attacks on a specific protocol or service

Shimming

A driver manipulation method. It uses additional code to modify the behavior of a driver.

Spoofing and Sequence Numbers

A sequence number is a 32-bit number established by the host that is incremented for each packet sent. Packets are not guaranteed to be received in order, and the sequence number can be used to help reorder packets as they are received and to refer to packets that may have been lost in transmission. If the attacker is inside of the network and can observe the traffic with which the target host responds, the attacker can easily see the sequence number the system creates and can respond with the correct sequence number. If the attacker is external to the network and the sequence number the target system generates is not observed, it is next to impossible for the attacker to provide the final ACK with the correct sequence number.

Near Field Communication (NFC)

A set of wireless technologies that enables smartphones and other devices to establish radio communication over short distances, typically 10 cm (3.9 in) or less. Now that NFC has become a mainstream method of mobile phone payments, it is becoming ubiquitous and is in many cases connected directly to financial information, so understanding and protecting this communication channel is paramount.

Amplification

A trick where an attacker uses a specific protocol aspect to achieve what a single machine cannot by itself.

Polymorphic Malware

A type of malicious software capable of changing its underlying code in order to avoid detection.

Phishing

A type of social engineering in which an attacker attempts to obtain sensitive information from users by masquerading as a trusted entity in an e-mail or instant message sent to a large group of often random users. Usually an attempt to get passwords, usernames, bank information or other private information.

media access control address (MAC address)

A unique identifier assigned to network interfaces or network interface controller (NIC) for communications at the data link layer of a network segment.

Social engineering attacks

An attack against a user that typically involves some form of social interaction. At its heart, it involves manipulating the social nature of interpersonal relationships.
Examples: piggybacking/tailgating, mirroring behavior, crying babies, flirting, hiding in plain sight (the janitor, plant waterer, pizza delivery person).
Defense: comprehensive training and awareness programs.

Clickjacking

An attack against the design element of a user interface. Clickjacking tricks a web browser user into clicking something different from what the user perceives, by means of malicious code in the web page.

Brute Force

An attack in which the password-cracking program attempts all possible password combinations. (best used when password is not in the dictionary) With the increase in computer speed, however, generating password combinations is much faster, making it more feasible to launch brute force attacks against certain computer systems and networks.

Pass the Hash

An attack in which the user sends the hash to the remote system to then be authenticated on an NTLM system. This is a highly technical attack, targeting the Windows authentication process, injecting a copy of the password hash directly into the system. The attacker does not need to know the password, but instead can use a captured hash and inject it directly, which will verify correctly, granting access.

Driver Manipulation

An attack on a system by changing drivers, thus changing the behavior of the system. Drivers may not be as protected as other parts of the core system, yet they join it when invoked.

Dictionary

Another method of determining passwords is to use a password-cracking program that uses a list of dictionary words to try to guess the password, hence the name dictionary attack. The words can be used by themselves, or two or more smaller words can be combined to form a single possible password. Rules can also be defined so that the password-cracking program will substitute special characters for other characters or combine words. The ability of the attacker to crack passwords is directly related to the method the user employs to create the password in the first place, as well as the dictionary and rules used.

Weak Implementations

Another problem associated with backward compatibility. The best example of this is SSL. SSL, in all of its versions, has now fallen to attackers. TLS, an equivalent methodology that does not suffer these weaknesses, is the obvious solution, yet many websites still employ SSL.

Whaling

Attack where the target is a high-value person, such as a CEO or CFO. Whaling attacks are not performed by attacking multiple targets and hoping for a reply, but rather are custom-built to increase the odds of success.

Cryptographic Attacks

Attacks designed to take advantage of two specific weaknesses. First, users widely view cryptography as magic, or otherwise incomprehensible "stuff," leading them to trust the results without valid reasons. Second, although understood by computer scientists, algorithmic weaknesses that can be exploited are frequently overlooked by developers.

Social Attack Tools

• Authority - convincing someone they are the "boss"
• Intimidation - subtle or direct expectation of superiority
• Consensus - group-wide decisions
• Scarcity - short supply increases value
• Familiarity - building trust and connection
• Trust - understanding how something will act under specific conditions
• Urgency - can drive and prompt shortcuts

Buffer Overflow

Buffer overflows are input validation attacks designed to take advantage of input routines that do not validate the length of inputs: the input buffer used to hold program input is overwritten with data that is larger than the buffer can hold. The root cause of this vulnerability is a mixture of two things: poor programming practice and programming language weaknesses. The generic classification of buffer overflows includes many variants, such as static buffer overruns, indexing errors, format string bugs, Unicode and ANSI buffer size mismatches, and heap overruns. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University estimates that nearly half of all exploits of computer programs have historically stemmed from some form of buffer overflow. The problem is surprisingly simple to resolve: all that is required is validation of all input lengths (input validation) prior to writing to memory. This can be done in a variety of manners, including the use of safe library functions for inputs.

Replay (Wireless Attack)

By repeating information, one can try to get repeated behavior from a system. Because wireless systems are not constrained by wires, attackers can copy traffic rather easily between endpoints and the wireless access point. Replay protections are essential in wireless systems to prevent exploitation of the open signal. The best method for defending against replay attacks is through the use of encryption and short time frames for legal transactions.

Help Desk/Tech Support

Calls to or from these units can be used to elicit information. Posing as an employee, an attacker can get a password reset, information about some system, or other useful information.

Hybrid Attack - Password

Dictionary attack with addition and substitution of special characters and numbers. Most cracking tools have this option built in, first attempting a dictionary attack, and then moving to brute force methods.

Denial-of-service (DoS)

Exploit a known vulnerability in a specific application or operating system, or they can attack features (or weaknesses) in specific protocols or services. In a DoS attack, the attacker attempts to deny authorized users access either to specific information or to the computer system or network itself.

Social Attack Defenses

Have processes in place that require employees to ask to see a person's ID before engaging with them if the employees do not personally know them. That includes challenging people such as delivery drivers and contract workers. Don't let people piggyback in through the door without checking their ID. The key to this defense is to make the training periodic and to tailor it to what is currently being experienced, rather than a generic recitation of best practices.

Hijacking and Related Attacks

Hijacking is a form of attack where the attacker hijacks a user's experience, typically after the exchange of credentials, or in the background in a manner where the user is not even aware of the attack process.

IP Address Spoofing

IP is designed to work so that the originators of any IP packet include their own IP address in the From portion of the packet. While this is the intent, nothing prevents a system from inserting a different address in the From portion of the packet.

Replay (wireless attacks)

If an attacker can record a series of packets and then replay them, what was valid before may well be valid again. There is a wide range of defenses against replay attacks, and as such this should not be an issue. But developers that do not follow best practices can create implementations that lack replay protections, enabling this attack path to persist.

Known Plaintext/Ciphertext

If an attacker has the original plaintext and ciphertext for a message, then they can determine the key used through brute force attempts targeting the keyspace. One defense is the use of large keyspaces, making the brute force spanning of the keyspace, or even a significant portion of it, no longer possible.

Spoofing and Trusted Relationships

If two systems are configured to accept the authentication accomplished by each other, an individual logged on to one system might not be forced to go through an authentication process again to access the other system. Because of this type of attack, administrators are encouraged to strictly limit any trusted relationships between hosts. Firewalls should also be configured to discard any packets from outside of the firewall that have From addresses indicating they originated from inside the network (a situation that should not occur normally and that indicates spoofing is being attempted).

Online Attacks

Impersonation can be employed in these attacks as well. In these cases, technology plays an intermediary role in the communication chain.

Smurf Attack

In the Smurf attack, the request is sent to all systems on the network, so all will respond with an echo reply to the target system. The attacker has sent one packet and has been able to generate as many as 254 responses aimed at the target. Should the attacker send several of these spoofed requests, or send them to several different networks, the target can quickly become overwhelmed with the volume of echo replies it receives.

Application/Service Attacks

In the beginning of the computer security era, most attacks were against the network and operating system layers because both had easily exploitable vulnerabilities and were relatively ubiquitous. Establishing the security of an application begins with secure coding techniques and then adding security controls to provide defense in depth.

Watering Hole Attack

Involves infecting a target website with malware. Watering hole attacks are complex to achieve and appear to be backed by nation states and other high-resource attackers; the typical attack vector is a zero-day attack, to further avoid detection.

Contractors/Outside Parties

Many organizations have outside contractors clean the building, water the plants, and do other routine chores. In many of these situations, without proper safeguards, an attacker can simply put on clothing that matches a contractor's uniform.

Privilege Escalation

Most attacks begin at a privilege level associated with an ordinary user. From this level, the attacker exploits vulnerabilities that enable them to achieve root- or admin-level access. The use of sniffers to grab credentials, or obtaining the SAM or /etc/passwd file, is one method of obtaining "better" credentials. Another method is through vulnerabilities or weaknesses in processes that are running with escalated privilege. Injecting malicious code into these processes can also achieve escalated privilege.

Spoofing

Nothing more than making data look like it has come from a different source. This is possible in TCP/IP because of the friendly assumptions behind the protocols. When a packet is sent from one system to another, it includes not only the destination IP address and port but the source IP address as well. You are supposed to fill in the source with your own address, but nothing stops you from filling in another system's address. This is one of the several forms of spoofing.

Cross-Site Scripting (XSS)

One of the most common web attack methodologies. The cause of the vulnerability is weak user input validation. If input is not validated properly, an attacker can include a script in their input and have it rendered as part of the web process.
• Non-persistent attack: The injected script is not persisted or stored, but rather is immediately executed and passed back via the web server.
• Persistent attack: The script is permanently stored on the web server or some back-end storage. This allows the script to be used against others who log in to the system.
• DOM-based attack: The script is executed in the browser via the Document Object Model (DOM) process as opposed to the web server.
Controls to defend against XSS attacks include the use of anti-XSS libraries to strip scripts from input sequences. Other mitigations include limiting the types of uploads, screening the size of uploads, and whitelisting inputs.

Online vs. Offline Attacks

Online brute force attacks tend to be very noisy and easy to see with network security monitoring, and are also limited by system response time and bandwidth. Offline, brute force can be employed to perform hash comparisons against a stolen password file; this has the added challenge of first stealing the password file.

Vishing

Phishing attacks committed using telephone calls or VoIP systems. Takes advantage of people's trust in telephone networks. Seeks credit card numbers and other sensitive information.

Radio Frequency Identification (RFID)

RFID tags have multiple security concerns. First and foremost, because they are connected via RF energy, physical security is a challenge. Security is an important issue for RFID tag systems because they form a means of identification and there is a need for authentication and confidentiality of the data transfers. Two main attacks are replay and eavesdropping. In a replay attack, the RFID information is recorded and then replayed later. In the case of eavesdropping, the data can be collected, monitoring the movement of tags for whatever purpose needed by an unauthorized party. There are several standards associated with securing the RFID data flow, including ISO/IEC 18000 and ISO/IEC 29167 for cryptography methods to support confidentiality, untraceability, tag and reader authentication, and over-the-air privacy, while ISO/IEC 20248 specifies a digital signature data structure for use in RFID systems.

Rainbow Tables

Rainbow tables are precomputed tables of hash values associated with passwords. Using rainbow tables can change the search for a password from a computational problem to a lookup problem. This can tremendously reduce the level of work needed to crack a given password. The best defense against rainbow tables is salted hashes, as the addition of a salt value increases the complexity of the problem by making the precomputing process not replicable between systems. A salt is merely a random set of characters designed to increase the length of the item being hashed, effectively making rainbow tables too big to compute.

Spear Phishing

Refers to a phishing attack that targets a specific group with something in common. By targeting a specific group, the ratio of successful attacks (that is, the number of responses received) to the total number of e-mails or messages sent usually increases.

DDoS (Distributed Denial of Service)

Service is denied by overwhelming the target with traffic from many different systems. A network of attack agents (sometimes called zombies) is created by the attacker, and upon receiving the attack command from the attacker, the attack agents commence sending a specific type of traffic against the target. One defense approach involves changing the time-out option for TCP connections so that attacks such as the SYN flooding attack are more difficult to perform, because unused connections are dropped more quickly. A final option you should consider that will address several forms of DoS and DDoS attacks is to block ICMP packets at your border, since many attacks rely on ICMP. Carefully consider this approach before implementing it, however, because it will also prevent the use of some possibly useful troubleshooting tools.

Tailgating (or piggybacking)

Simple tactic of following closely behind a person who has just used their own access card or personal identification number (PIN) to gain physical access to a room or building. A more sophisticated countermeasure is a mantrap, which utilizes two doors to gain access to the facility.

Session Hijacking

TCP/IP hijacking and session hijacking are terms used to refer to the process of taking control of an already existing session between a client and a server. The advantage to an attacker of hijacking over attempting to penetrate a computer system or network is that the attacker doesn't have to circumvent any authentication mechanisms, since the user has already authenticated and established the session.

MAC Spoofing

The act of changing a MAC address to bypass security checks based on the MAC address.

Domain Hijacking

The act of changing the registration of a domain name without the permission of its original registrant.

DNS Poisoning

The changing of where DNS is resolved can be a DNS poisoning attack. The challenge in detecting these attacks is knowing what the authoritative DNS entry should be, and detecting when it changes in an unauthorized fashion. Using a VPN can change a DNS source, and this may be desired, but unauthorized changes can be attacks. Looking at DNS as a complete system shows that there are hierarchical levels from the top (root server) down to the cache in an individual machine. DNS poisoning can occur at any of these levels, with the effect of the poisoning growing wider the higher up it occurs. DNS poisoning is a variant of a larger attack class referred to as DNS spoofing. In DNS spoofing, an attacker changes a DNS record through any of a multitude of means.

man-in-the-browser (MitB)

The first element is a malware attack that places a Trojan element that can act as a proxy on the target machine. This malware changes browser behavior through browser helper objects or extensions.

Poor Password Choices

The least technical of the various password-attack techniques consists of the attacker simply attempting to guess the password of an authorized user of the system or network. It is surprising how often this simple method works, and the reason it does is because people are notorious for picking poor passwords. Users need to select a password that they can remember, so they create simple passwords, such as their birthday, their mother's maiden name, the name of their spouse or one of their children, or even simply their user ID itself.

Password Attacks

The most common form of authentication is the user ID and password combination. While it is not inherently a poor mechanism for authentication, the combination can be attacked in several ways. All too often, these attacks yield favorable results for the attacker, not as a result of a weakness in the scheme but usually due to the user not following good password procedures.

Refactoring

The process of restructuring existing computer code without changing its external behavior. Refactoring is a means by which an attacker can add functionality to a driver, yet maintain its desired functionality. Although this goes against the original principle of refactoring, improving code efficiency, it speaks to the ingenuity of attackers.

URL Hijacking

There are a wide range of URL-based attacks, from malware manipulations, to typo squatting, to ad-based attacks that make the user think they are clicking the correct link. The net result is the same: the user thinks they are asking for content A, and they get B instead.

Initialization Vector (IV)

Used in wireless systems as the randomization element at the beginning of a connection. Attacks against the IV aim to determine it, thus finding the repeating key sequence. IV is the primary reason for the weaknesses in WEP. The IV is sent in the plaintext part of the message, and because the total keyspace is approximately 16 million keys, the same key will be reused. AirSnort is a modified sniffing program that takes advantage of this weakness to retrieve the WEP keys. The biggest weakness of WEP is that the IV problem exists regardless of key length, because the IV always remains at 24 bits.

Third-Party Authorization

Using previously obtained information about a project, deadlines, bosses, and so on, the attacker arrives with 1) something the victim is quasi-expecting or would see as normal, 2) uses the guise of a project in trouble or some other situation where the attacker will be viewed as helpful or as someone not to upset, and 3) they name-drop "Mr. Big," who happens to be out of the office and unreachable at the moment, avoiding the reference check.

Cross-site request forgery (XSRF)

Utilizes unintended behaviors that are proper in defined use but are performed under circumstances outside the authorized use. XSRF relies upon several conditions to be effective. It is performed against sites that have an authenticated user and exploits the site's trust in a previous authentication event. Then, by tricking a user's browser into sending an HTTP request to the target site, the trust is exploited. Mitigation techniques that can be employed range from limiting authentication times, to cookie expiration, to managing some specific elements of a web page such as header checking. The strongest method is the use of random XSRF tokens in form submissions.

Typo Squatting

When an attacker has registered the mistyped URL, then you would land on the attacker's page. This attack pattern is also referred to as URL hijacking, fake URL, or brandjacking if the objective is to deceive based on branding.

Man-in-the-Middle

When an attacker is able to place himself in the middle of two other hosts that are communicating. Ideally (from the attacker's perspective), this is done by ensuring that all communication going to or from the target host is routed through the attacker's host (which can be accomplished if the attacker can compromise the router for the target host). One of the common methods is via session hijacking, which can occur when information such as a cookie is stolen, allowing the attacker to impersonate the legitimate session. This attack can be the result of a cross-site scripting attack, which tricks a user into executing code resulting in cookie theft. The amount of information that can be obtained in a man-in-the-middle attack will be limited if the communication is encrypted.

ARP (Address Resolution Protocol) Poisoning

When the ARP table gets a reply, it automatically trusts the reply and updates the table. Some operating systems will even accept ARP reply data if they never heard the original request. There is no mechanism to verify the veracity of the data received. An attacker can send messages, corrupt the ARP table, and cause packets to be misrouted.

Impersonation

When the attacker assumes a role that is recognized by the person being attacked, and in assuming that role, the attacker uses the potential victim's biases against their better judgment to follow procedures. It can occur in person, over a phone, or online.

Replay

When the attacker captures a portion of a communication between two parties and retransmits it at a later time. Generally, replay attacks are associated with attempts to circumvent authentication mechanisms, such as the capturing and reuse of a certificate or ticket. The best way to prevent replay attacks is with encryption, cryptographic authentication, and time stamps.

Downgrade Attack

When the attacker takes advantage of a commonly employed principle to support backward compatibility, to downgrade the security to a lower or nonexistent state. As part of a Transport Layer Security/Secure Sockets Layer (TLS/SSL) setup, there is a specification of the cipher suite to be employed.

Injection

When user input is used without input validation, this results in an opportunity for an attacker to craft input to create specific events to occur when the input is parsed and used by an application. Command injection attacks can occur when input is used in a fashion that allows command-line manipulation. This can give an attacker command-line access at the privilege level of the application.

zero day attack

Zero day attacks are critical as there is no known defense to the vulnerability itself, leaving the only security solution to be secondary solutions, such as catching subsequent hacker activity.

Jamming

A form of denial of service that specifically targets the radio spectrum aspect of wireless. Just as other DoS attacks can manipulate things behind the scenes, so can jamming on a wireless AP.

WPS

A network security standard that was created to provide users with an easy method of configuring wireless networks. Designed for home networks and small business networks, this standard involves the use of an eight-digit PIN to configure wireless devices. WPS consists of a series of Extensible Authentication Protocol (EAP) messages and has been shown to be susceptible to a brute force attack. Currently, the only effective mitigation is to disable WPS.

Application/Service Attacks

The application layer was a much less homogeneous target because there were many different applications. Establishing the security of an application begins with secure coding techniques and then adding security controls to provide defense in depth.

SYN flooding attack

The attacker sends fake communication requests to the targeted system. Each of these requests will be answered by the target system, which then waits for the third part of the handshake. Since the requests are fake (a nonexistent IP address is used in the requests, so the target system is responding to a system that doesn't exist), the target will wait for responses that never come. The number of connections a system can support is finite, so when more requests come in than can be processed, the system will soon be reserving all its connections for fake requests.

Denial-of-service (DoS)

DoS attacks can exploit a known vulnerability in a specific application or operating system, or they can attack features (or weaknesses) in specific protocols or services. In a DoS attack, the attacker attempts to deny authorized users access either to specific information or to the computer system or network itself.

Disassociation

Attacks designed to disassociate a host from the wireless access point, and from the wireless network. An attacker only needs to have the MAC address of the intended victim, which enables them to send a spoofed message to the access point, specifically spoofing the MAC address of the victim machine. This results in the disconnection of the victim machine, making this attack a form of denial of service. Disassociation attacks are not typically used alone, but rather in concert with another attack objective.

Rogue AP (access point)

An attempt to get clients to connect to it as if it were authorized; the rogue AP then simply authenticates to the real AP, a simple way to gain access to the network and the client's credentials.

Hoax

A hoax can be very damaging if it causes users to take some sort of action that weakens security. A hoax often also advises the user to send it to their friends so that they know about the issue as well, and by doing so, they help spread the hoax.

TCP three-way handshake

Establishes a connection between two systems. Under normal circumstances, the first system sends a SYN packet to the system with which it wants to communicate. The second system responds with a SYN/ACK if it is able to accept the request. When the initial system receives the SYN/ACK from the second system, it responds with an ACK packet, and communication can then proceed.

Dumpster Diving

Going through a target's trash in hopes of finding valuable information that might be used in a penetration attempt. An organization should have policies about discarding materials. Sensitive information should be shredded, and the organization should consider securing the trash receptacle so that individuals can't forage through it.

Evil Twin

In essence an attack against the wireless protocol via substitute hardware. This attack uses an access point owned by an attacker that usually has been enhanced with higher-power and higher-gain antennas to look like a better connection to the users and computers attaching to it.

Shoulder Surfing

Involves the attacker directly observing the individual entering sensitive information on a form, keypad, or keyboard.

Bluesnarfing

Similar to bluejacking in that it uses the same contact transmission protocol. The difference is that instead of sending an unsolicited message to the victim's phone, the attacker copies off the victim's information, which can include e-mails, contact lists, calendar, and anything else that exists on that device. They differ in that bluejacking is the sending of unauthorized data via Bluetooth, whereas bluesnarfing is the unauthorized taking of data over a Bluetooth channel.

Malware (Malicious Software)

Software that has been designed for some nefarious purpose (such as deleting files or creating a backdoor). Several different types can be used, such as viruses, Trojan horses, logic bombs, spyware, and worms, and they differ in the ways they are installed and their purposes.

Bluejacking

Term used for the sending of unauthorized messages to another Bluetooth device. This involves sending a message as a phonebook contact, text message, image, or audio message. If Bluetooth is turned off, or if the device is set to nondiscoverable, bluejacking can be avoided.

Collision Attack

An attack where two different inputs yield the same output of a hash function. Through the manipulation of data, the attacker creates subtle changes that are not visible to the user yet produce many different versions of a digital file, then uses the birthday attack to find a collision between any two of the many versions.

Birthday Attack

Based on the birthday paradox, which states that in a group of at least 23 people, the chance that two individuals share the same birthday is greater than 50 percent. Mathematically, the number of samples needed before a collision becomes likely is approximately 1.25 × k^(1/2) (that is, 1.25√k), with k equaling the size of the set of possible values; in the birthday paradox, k equals 365 (the number of possible birthdays). This same phenomenon applies to passwords, with k (the number of possible passwords) being quite a bit larger.

Two major, independent systems for communicating IOC information exist:

• OpenIOC: Originally developed by Mandiant (acquired by FireEye) to facilitate the sharing of IOC data. Mandiant subsequently made OpenIOC open source.
• STIX/TAXII/CybOX: MITRE designed Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and Cyber Observable Expression (CybOX) to specifically facilitate automated information sharing between organizations.

