Unit 2 Threats, Attacks, and Vulnerabilities
Pretexting, Preloading, and Impersonation - Pretexting
Pretexting is conducting research and information gathering to create convincing identities, stories, and scenarios to be used on selected targets.
Phishing - Vishing
Vishing is like phishing, but instead of an email the attacker uses a phone call, typically placed over Voice over IP (VoIP) because it is cheap and makes caller ID easy to spoof, to talk the target into giving up sensitive information. The term is a combination of voice and phishing.
Black hat
A skilled hacker who uses skills and knowledge for illegal or malicious purposes.
Persistent threat
A threat that seeks to gain access to a network and remain there undetected.
Targeted attack
A type of threat in which threat actors actively pursue and compromise a target entity's infrastructure while maintaining anonymity.
Elicitation - Compliments
An attacker may give a target a compliment about something the target did. The attacker waits for the target to take the bait and elaborate on the subject. Even if the target downplays the skill or ability involved, talking about it might give the attacker valuable information.
Types of Attackers - Nation state
Attacks from nation states have several key components that make them especially powerful. Typically, nation state attacks:
-Are highly targeted. The attackers identify a target and commit whatever effort is needed to compromise it.
-Are extremely motivated.
-Use the most sophisticated attack techniques of all the attackers. This often includes developing completely new tools and malware in order to carry out an attack.
-Are well financed.
Historic Malware Events - Code Red
The 2001 Code Red worm exploited a buffer overflow in Microsoft's IIS web server. It spread from host to host by scanning random IP addresses for vulnerable servers, infecting over 250,000 systems in under 9 hours.
Attack Strategies - Breach the system
A breach is the penetration of system defenses. It is often achieved by using information gathered through reconnaissance.
Identity theft
A crime in which an attacker commits fraud by using someone else's name or existing accounts to obtain money or to purchase items.
Script kiddie
A less-skilled (usually younger) hacker that often relies on automated tools or scripts written by crackers to scan systems at random to find and exploit weaknesses.
White hat
A skilled hacker who uses skills and knowledge for defensive purposes only. The white hat hacker interacts only with systems for which express access permission is given.
Opportunistic attack
An attack in which the threat actor is almost always trying to make money as fast as possible and with minimal effort.
Types of Motivation Techniques - Common ground and shared interest
Common ground and shared interest work because sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.
Network Vulnerabilities - Default accounts and passwords
Default accounts and passwords are the factory settings pre-configured on a new network device or software installation. Because they are published in vendor documentation and in public default-credential lists, default account names and passwords should be changed, or the accounts disabled, before the hardware or software is put into service.
Open-source intelligence (OSINT)
Information that is readily available to the public and doesn't require any type of malicious activity to obtain.
Availability loss
Loss of access to computer resources due to the network being overwhelmed or crashing.
Preloading
Preloading is influencing a target's thoughts, opinions, and emotions before something happens.
SMiShing
SMiShing, or SMS phishing, is phishing carried out through an SMS text message. The message typically tries to trick the user into tapping a link that installs malware (such as a Trojan horse) on the phone, or that leads to a page harvesting credentials or other personal information.
Data loss
The loss of files and documents either accidentally or through malicious acts.
Data exfiltration
The unauthorized transfer of information or files from a computer.
Network Vulnerabilities - Weak passwords
Weak passwords are passwords that are blank, too short, dictionary words, or otherwise simple. In other words, they are passwords that can be quickly recovered using password cracking tools. Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system (for example, stored password hashes or captured authentication traffic). To avoid this vulnerability, enforce complex password requirements. Complex passwords are typically more than eight characters long and mix character types (letters, numbers, and symbols). Also require that passwords are not dictionary words, variations of words, or derivatives of the user name.
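Added example (not from the original page): a password policy check that implements the rules just listed, rejecting blank and short passwords, passwords with too few character classes, dictionary words (including the digit and symbol substitutions people use to dress them up), and derivatives of the user name. The word list, the nine-character minimum and the three-class rule are assumptions; in practice the dictionary would be a large breached-password list.

```python
import re

# Constructed mini dictionary of common words; a real check uses a large
# breached-password list. A tuple keeps the iteration order fixed.
COMMON_WORDS = ("password", "welcome", "summer", "letmein", "qwerty", "admin")

# Undo the substitutions people use to disguise a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(s: str) -> str:
    """Lower-case, reverse common digit/symbol substitutions, keep only letters."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET_MAP))


def derived_from(candidate: str, base: str) -> bool:
    """True if the normalized candidate contains the base word or its reverse."""
    c, b = normalize(candidate), normalize(base)
    if len(b) < 3:          # too short to be a meaningful match
        return False
    return b in c or b[::-1] in c


def check_password(password: str, username: str, min_len: int = 9) -> list:
    """Return the policy violations for a password; an empty list means it passes."""
    if not password:
        return ["blank"]
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for pat in classes if re.search(pat, password)) < 3:
        problems.append("fewer than three character classes")
    if derived_from(password, username):
        problems.append("derived from the user name")
    for word in COMMON_WORDS:
        if derived_from(password, word):
            problems.append(f"based on dictionary word '{word}'")
            break
    return problems


if __name__ == "__main__":
    for pw, user in (("", "alice"), ("P@ssw0rd1", "alice"),
                     ("Alice2024!!", "alice"), ("xk7#Qp!2vL9m", "alice")):
        print(repr(pw), "->", check_password(pw, user) or "OK")
```

The normalization step is what catches "P@ssw0rd1": it satisfies the length and character-class rules, but after folding the substitutions it is just "password" with a digit appended, which a cracking tool's rule set would try in its first seconds.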
Phishing - Whaling
Whaling is another form of phishing. It targets senior executives and high-profile victims.
Network Vulnerabilities - Cloud-based and third-party systems
When dealing with cloud-based or other third-party systems, you need to make special provisions. If an organization uses a cloud-based system, the organization does not own the underlying infrastructure and cannot by itself authorize a penetration test against it. The penetration tester must check the cloud provider's penetration-testing policy and obtain the provider's explicit permission where it is required before performing any tests. Other third-party systems can also cause issues for the penetration tester. If systems are interconnected, such as in a supply chain, the penetration tester needs to ensure they do not accidentally access the third party's systems. The penetration tester may also discover vulnerabilities that affect the third party. In this scenario, the penetration tester should report the findings to the client and let the client handle reporting to the third party. As you identify threats and evaluate vulnerabilities, consider risks that can occur at any point in the company's supply chain. The chain typically includes those supplying raw materials, manufacturing products, and selling and distributing the products to end customers.
Types of Motivation Techniques - Social proof
With a social proof technique, the attacker uses social pressure to convince the target that it's okay to share or do something. In this case, the attacker might say, "If everybody is doing it, then it's okay for you to do it, too."
Threat Agent Attributes - Internal vs. external
-Internal threat agents are authorized individuals who carry out an attack by exploiting their inherent privileges. This category includes employees (both current and former), janitors, security guards, and even customers.
-External threat agents are individuals or groups that attack a network from the outside and seek to gain unauthorized access to data.
Potentially unwanted program(PUP)
A PUP, or potentially unwanted program, is software that contains adware, installs toolbars, or has other unclear objectives. A PUP differs from malware in that the user consents to downloading it, usually without realizing it: if you download a program from the internet but do not read the download agreement, you may end up with additional unwanted programs bundled with it. Signs that you have PUPs on your computer include browser pop-ups recommending fake updates or other software, web pages you typically visit not displaying properly, and ads appearing where they shouldn't.
Network Vulnerabilities - Backdoor
A backdoor is an unprotected access method or pathway. Backdoors:
-Include hard-coded passwords and hidden service accounts.
-Are often added during development as a shortcut to circumvent security. If they are not removed, they present a security problem.
-Can be added by attackers who have gained unauthorized access to a device. Once added, the backdoor can be used at a future time to easily bypass security controls.
-Can be used to remotely control the device at a later date.
-Rely on secrecy to maintain security.
To protect against backdoors, do not allow programmers to bypass security during development. Carefully examine the code before release to remove any traces of backdoors that might have been included.
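Added example (not from the original page): a login check with the kind of development backdoor described above, a hidden service account with a hard-coded password, placed beside a hardened version in which every principal lives in the credential store, passwords are salted hashes, and the comparison is constant-time. It ends with a crude pre-release scan for credential-looking string literals, the sort of check the "examine the code before release" advice calls for. The account names, passwords and the sample source text are constructed.

```python
import hashlib
import hmac
import os
import re

# --- Vulnerable: a hidden service account with a hard-coded password. ---
# Everything else looks normal, but "svc_maint" never touches the user database.
USERS_PLAINTEXT = {"alice": "correct horse battery staple"}


def login_vulnerable(username: str, password: str) -> bool:
    if username == "svc_maint" and password == "Maint2019!":   # backdoor left from development
        return True
    return USERS_PLAINTEXT.get(username) == password


# --- Hardened: every principal lives in the credential store, passwords are
# salted hashes, the comparison is constant-time, and there is no special case.
def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


USERS_HASHED = {"alice": make_record("correct horse battery staple")}
# A throwaway record so unknown users cost the same time as known ones.
_DUMMY = make_record(os.urandom(16).hex())


def login_hardened(username: str, password: str) -> bool:
    record = USERS_HASHED.get(username, _DUMMY)
    candidate = hash_password(password, record["salt"])
    return username in USERS_HASHED and hmac.compare_digest(candidate, record["hash"])


# --- Pre-release review aid: flag string literals that look like credentials
# being assigned or compared in source. A heuristic, not a substitute for review.
SECRET_PATTERN = re.compile(
    r"""(?ix)
    (password|passwd|pwd|secret|token|api_key)   # a credential-ish name ...
    \s*(==|=|:)\s*                               # ... assigned or compared ...
    ["'][^"']{6,}["']                            # ... to a literal of 6+ characters
    """
)


def scan_for_hardcoded_secrets(source: str) -> list:
    """Return (line_number, stripped_line) pairs that match SECRET_PATTERN."""
    return [(number, line.strip())
            for number, line in enumerate(source.splitlines(), start=1)
            if SECRET_PATTERN.search(line)]


# Constructed source snippet for the scanner; it contains the backdoor above.
SAMPLE_SOURCE = '''
def login(user, password):
    if user == "svc_maint" and password == "Maint2019!":
        return True
    api_key = "sk-live-0123456789abcdef"
    return check_db(user, password)
'''

if __name__ == "__main__":
    print("backdoor works on vulnerable:", login_vulnerable("svc_maint", "Maint2019!"))
    print("backdoor works on hardened:  ", login_hardened("svc_maint", "Maint2019!"))
    for number, line in scan_for_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {number}: {line}")
```

The hardened version has no branch that an attacker can reach by knowing a secret string: the only way in is a record in the store, which is exactly what makes it reviewable. The scanner will produce false positives (test fixtures, example strings), so treat its hits as review prompts rather than findings.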
Types of Threat Actors - Competitor
A competitor threat actor carries out attacks on behalf of an organization and targets competing companies. For example, a payment processing company could hire someone to carry out a DDoS attack on a competing payment processing company to force users to choose the attacker's product. Motives for such attacks include financial gain, competitor defamation, and stealing industry secrets.
Hacktivist
A hacktivist is a hacker with a political motive.
Trojan horse
A Trojan horse is a malicious program that is disguised as legitimate or desirable software. A Trojan horse:
-Cannot replicate itself.
-Does not need to be attached to a host file.
-Often contains spying functions, such as a packet sniffer, or backdoor functions that allow the computer to be remotely controlled over the network.
-Often is hidden in useful software, such as screen savers or games. A wrapper is a legitimately used program that has a Trojan attached to it; the Trojan infiltrates the computer that runs the wrapper software.
-Relies on user decisions and actions to spread.
A Trojan usually comes in the form of a useful application hiding malicious code, which may run visibly or invisibly. Trojans don't self-replicate like worms, and they aren't attached to a file like a virus, but they can create back doors for an attacker, allowing remote control of the infected machine.
Cracker
A person actively engaged in developing and distributing worms, Trojans, and viruses; engaging in probing and reconnaissance activities; creating toolkits so that others can hack known vulnerabilities; and/or cracking protective measures.
Types of Threat Actors - White hat
A skilled hacker who uses knowledge and skills only for defensive purposes. A white hat hacker obtains explicit permission before interacting with a system or systems. These are the ethical hackers.
Cybercriminal
A subcategory of hacker threat agents: a person (or team) who uses technology to steal sensitive information for profit. Cybercriminals are willing to take more risks and use more extreme tactics for financial gain, and are often associated with large organized crime syndicates such as the mafia.
Attack Types - Targeted
A targeted attack is much more dangerous than an opportunistic one. It is extremely methodical and is often carried out by multiple entities with substantial resources. Targeted attacks frequently use previously unknown (zero-day) exploits, and the attackers go to great lengths to cover their tracks and hide their presence. They often use completely new programs designed specifically for the target. This attack type is typically used by organized crime groups and nation states.
Competitor
A threat agent who carries out attacks on behalf of an organization and targets competing companies.
Insider
A threat agent who has authorized access to an organization and either intentionally or unintentionally carries out an attack.
White hat hacker
A white hat hacker is a professional who helps companies find the vulnerabilities in their security. Also known as an ethical hacker.
Elicitation - Being a good listener
An attacker may approach a target and carefully listen to what the target has to say, validate any feelings the target expresses, and share similar experiences, which may be real or fabricated. The point is to be relatable and sympathetic. As the target feels more connected to the attacker, barriers go down and trust builds. This leads the target to share more information.
Attack Strategies - Exploit vulnerabilities
An exploitation takes advantage of known vulnerabilities in software and systems. Once a vulnerability has been exploited, an attacker can often: -Steal information -Deny services -Crash systems -Modify/alter information
Types of Threat Actors - Insider
An insider is any individual who has authorized access to an organization and either intentionally or unintentionally carries out an attack. The most common type of insider is a full-time employee; however, other inside actors include customers, janitors, security guards, and even former employees. Possible motives for an insider threat actor include:
-Disgruntlement with an employer
-Bribery by a competitor
-Personal financial gain
Because insiders are one of the most dangerous and overlooked threats to an organization, you need to take appropriate steps to protect against them:
-Require mandatory vacations.
-Create and follow onboarding and off-boarding procedures.
-Employ the principle of least privilege.
-Have appropriate physical security controls in place.
-Require security awareness training that is tailored to the role of the employee (role-based awareness training). Typical roles include:
--Data owner
--System administrator
--System owner
--User
--Privileged user
--Executive user
Sometimes an employee becomes an insider threat actor without knowing it. This is known as an unintentional insider threat actor. Proper security training can help protect against unintentional insider threat actors.
Types of Threat Actors - Organized Crime
An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last several months, are well-funded, and are extremely sophisticated. A common tactic is a targeted phishing campaign. Once access is gained, the group either steals data and threatens to release it, or uses ransomware to hold data hostage. Because of the level of sophistication and funding, attacks from organized crime groups are extremely hard to protect against; in many cases it is simply a matter of time until a data breach occurs or ransomware takes hold. For this reason, some companies that need immediate access to their data (such as hospitals and financial institutions) stockpile digital currency in case of an attack. Specific protections against organized crime threat actors include:
-Proper user security training
-Implementing email filtering systems
-Properly secured and stored data backups, kept offline or otherwise out of reach of an attacker who has compromised the network
In July 2017, an organized crime group hacked HBO's network and stole a purported 1.5 terabytes of data. The group then demanded that HBO pay a hefty ransom in bitcoin or it would release the data to the public.
Elicitation - Feigning ignorance
Attackers might make a wrong statement and then admit to not knowing much about the subject. The intent is to get the target to not only correct the attacker, but also explain in detail why the attacker is wrong. The explanation might help the attacker learn, or at least have a chance to ask questions without looking suspicious.
Types of Motivation Techniques - Authority and fear
Authority techniques rely on power to get a target to comply without questioning the attacker. The attacker pretends to be a superior with enough power that the target will comply right away without question. The attacker could also pretend to be there in the name of or upon the request of a superior. Authority is often combined with fear. If an authority figure threatens a target with being fired or demoted, the target is more likely to comply without a second thought.
Impacts of Vulnerabilities - Availability loss
Availability loss occurs when an attacker performs a malicious act to make the network so busy that the system goes down. This is also referred to as denial of service. When this happens, employees are unable to accomplish their tasks. Also, customers are unable to access the company's services. Loss of availability can be accomplished with malware.
Impacts of Vulnerabilities - Data breach
A data breach occurs when confidential or protected data is exposed. Examples of confidential information include Social Security numbers, bank account numbers, credit card numbers, health information, passwords, and email. A data breach allows criminals to access sensitive information and profit from it. It can be intentional or accidental.
Impacts of Vulnerabilities - Data exfiltration
Data exfiltration occurs when information or files are transferred from a computer without authorization. It can be done manually, if the attacker has physical access to the computer; or, it can be automated over a network by an attacker using malware. A common tactic attackers use for data exfiltration is DNS tunneling.
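Added example (not from the original page): a detector for the DNS tunneling pattern the text mentions. Data leaving over DNS has to be encoded into query names, so the tell-tale signs are long, random-looking subdomain labels and many distinct such labels for one domain from one client. The log line format, the thresholds, and the sample lines are constructed assumptions; the "last two labels" rule for the registered domain is a simplification that a real tool would replace with the public suffix list.

```python
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded or encrypted payload scores near the maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain part, registered domain) using a crude last-two-labels rule.
    Assumption: no public suffix list, so co.uk-style domains are mis-split."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_tunnel_like(qname: str, min_len: int = 30, min_entropy: float = 3.5) -> bool:
    """A single query looks like a data carrier if its subdomain part is long and random-looking."""
    sub, _ = split_name(qname)
    return len(sub) >= min_len and shannon_entropy(sub.replace(".", "")) >= min_entropy


def detect_tunneling(log_lines, min_unique: int = 5, **thresholds) -> list:
    """Report 'client -> domain' pairs with many distinct tunnel-like subdomains.
    Log line format (assumption): '<timestamp> <client-ip> <query-name>'."""
    suspicious = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        if is_tunnel_like(qname, **thresholds):
            sub, domain = split_name(qname)
            suspicious[(client, domain)].add(sub)
    return sorted(f"{client} -> {domain}"
                  for (client, domain), subs in suspicious.items() if len(subs) >= min_unique)


ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"   # the base32 alphabet
# Constructed sample log. The five rotated 32-character labels stand in for
# base32-encoded chunks of exfiltrated data; the other lines are ordinary lookups,
# including one long but low-entropy name that must not be flagged.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 10.0.0.5 www.example.com",
    "2024-05-01T10:00:01 10.0.0.5 mail.example.com",
    "2024-05-01T10:00:02 10.0.0.7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org",
] + [
    f"2024-05-01T10:00:{3 + i:02d} 10.0.0.5 {ALPHABET[i:] + ALPHABET[:i]}.c2-relay.net"
    for i in range(5)
]

if __name__ == "__main__":
    for hit in detect_tunneling(SAMPLE_LOG):
        print("possible DNS tunnel:", hit)
```

Requiring both a per-query score and a count of distinct subdomains is what keeps the false-positive rate workable: long CDN and anti-spam hostnames are common, but they repeat, whereas a tunnel never sends the same chunk twice.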
Impacts of Vulnerabilities - Data loss
Data loss is often caused by a virus or malware. Data loss is particularly problematic because it's hard to detect the extent of the loss and it's costly for businesses to repair damaged files.
Interview and Interrogation - Observation
During these interviews and interrogations, the hacker pays attention to every change the target displays. This allows the attacker to discern the target's thoughts and topics that should be investigated further. Every part of the human body can give a clue about what is going on inside the mind. Most people don't realize they give many physical cues, nor do they recognize these cues in others. A skilled observer pays close attention and puts these clues together to confirm another person's thoughts and feelings.
Network Vulnerabilities - Application flaws
Flaws in input validation and in user authentication and authorization present the greatest threat to security in transactional applications. When you assess this type of vulnerability, evaluate how the application is deployed and how the server and client communicate. It is imperative to enforce tight security through user authorization and input validation. You can use both open-source and commercial tools for this assessment.
Footprinting
Footprinting is the reconnaissance phase in which an attacker gathers as much information as possible about an organization, using open sources and social engineering.
Types of Attackers - Hacker
Generally speaking, a hacker is any threat actor who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information. Types of hackers include:
-Those motivated by bragging rights, attention, and the thrill.
-Hacktivists with a political motive.
-Script kiddies, who use applications or scripts written by much more talented individuals.
-White hat hackers, who try to help a company see the vulnerabilities that exist in its security.
-Cybercriminals, who are motivated by significant financial gain. They typically take more risks and use extreme tactics. Corporate spies are a sub-category of cybercriminal.
Network Vulnerabilities - Inherent vulnerabilities
Identify inherent vulnerabilities or systems that lack proper security controls. For example, if your organization needs to use an older version of Windows for a particular application, then you should identify that system as a vulnerability. IoT and SCADA devices are both systems that lack proper security controls and must be dealt with appropriately.
Impacts of Vulnerabilities - Identity theft
Identity theft refers to an attacker accessing information to commit fraud. Examples of fraud include creating false credentials, opening new accounts in someone else's name, or using someone's existing accounts. Many attackers use data breach to get the information they need to commit identity theft. There are several types of identity theft such as criminal, medical, tax, and child identity theft.
Pretexting, Preloading, and Impersonation - Impersonation
Impersonation is pretending to be trustworthy and having a legitimate reason for approaching the target to ask for sensitive information or access to protected systems.
Phishing - SMS phishing
In SMS phishing (smishing), the attacker sends a text message with a supposedly urgent topic to trick the victim into taking immediate action. The message usually contains a link that either installs malware on the victim's phone or extracts personal information.
Phishing - Spear phishing
In spear phishing, an attacker first gathers information about the victim, such as which bank the victim uses. The attacker then sends a phishing email to the victim that appears to be from that bank. Usually, the email contains a link that sends the user to a site that looks legitimate but is intended to capture the victim's personal information.
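The phishing entries above (SMS phishing, spear phishing, and whaling) all turn on a lure link that appears to point somewhere legitimate. The following added example, which is not part of the original page, shows checks a mail gateway or an analyst's triage script can apply to the links in a message: visible URL text that disagrees with the real target, punycode hostnames, look-alike brand names built with digit-for-letter substitutions, and plain http. The sample message, the brand list and the heuristics are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Anchor tags, and bare URLs inside the visible link text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.IGNORECASE)

# Brands the recipient's organization deals with (assumption; a tuple keeps order fixed).
KNOWN_BRANDS = ("examplebank.com", "example.com")


def registered_domain(host: str) -> str:
    """Crude last-two-labels approximation; a real tool uses the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def fold_homoglyphs(s: str) -> str:
    """Map the substitutions look-alike domains rely on back to the letters they mimic."""
    return s.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def looks_like_brand(host: str):
    """Return the brand a hostname imitates, or None if it is genuine or unrelated."""
    if registered_domain(host) in KNOWN_BRANDS:
        return None  # actually registered under the brand's own domain
    folded = fold_homoglyphs(host).replace("-", "")
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in folded:   # brand name used outside its own domain
            return brand
    return None


def analyze_links(html: str) -> list:
    """Return one finding per suspicious anchor: href, visible text, and the reasons."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        parsed = urlparse(href)
        href_host = parsed.hostname or ""
        text_plain = re.sub(r"<[^>]+>", "", text).strip()
        reasons = []
        shown = URL_IN_TEXT_RE.search(text_plain)
        if shown:   # the user reads one URL, the browser goes to another
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registered_domain(shown_host) != registered_domain(href_host):
                reasons.append(f"displayed {shown_host} but links to {href_host}")
        if "xn--" in href_host:   # internationalized label, may hide look-alike characters
            reasons.append("punycode hostname")
        brand = looks_like_brand(href_host)
        if brand:
            reasons.append(f"imitates {brand}")
        if parsed.scheme == "http":
            reasons.append("unencrypted http")
        if reasons:
            findings.append({"href": href, "text": text_plain, "reasons": reasons})
    return findings


# Constructed sample message body in the style of a spear-phishing lure.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be locked in 24 hours.</p>
<p>Verify now: <a href="http://examp1ebank.com.verify-login.net/auth">https://www.examplebank.com/login</a></p>
<p>Statements: <a href="https://www.examplebank.com/statements">View statements</a></p>
<p>Help: <a href="https://xn--exmplebank-2c1e.com/help">Help center</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The first lure in the sample is the classic spear-phishing construction: the brand name appears as a subdomain of a throwaway registered domain, with a digit standing in for a letter, while the anchor text shows the genuine URL. Only the real target matters, which is why every check here runs on the href and not on what the user sees.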
Interview and Interrogation - Interview vs interrogation
In the interview phase, the attacker lets the target do the talking while the attacker mostly listens. In this way, the attacker has the chance to learn more about the target and how to best extract information. Then the attacker leads the interview phase into an interrogation phase. It's most effective when done smoothly and naturally, and when the target feels a connection and trusts the attacker. In the interrogation phase, the attacker talks about the target's statements. The attacker is mostly leading the conversation with questions and statements that will flow in the direction the attacker needs to obtain information.
Types of Motivation Techniques - Likeability
Likeability works well because humans tend to do more to please a person they like as opposed to a person they don't like.
Ransomware
Ransomware is malware that denies access to a computer system or its data until the user pays a ransom. After gaining access to a system, the attacker plants malware that encrypts the user's data and then demands payment for the decryption key. If the victim doesn't pay, the attacker threatens to destroy the data. There is no guarantee that the attacker will actually send the decryption key once the victim has paid. There is also no guarantee that the victim will pay: a victim with an intact backup may choose not to. Ransomware that merely locks the screen has largely given way to crypto-malware, which encrypts the data itself and so cannot be undone without the key or a backup.
Adware
Malware that monitors a user's personal preferences and sends pop-up ads that match those preferences.
Other Social Engineering Attacks - Social networking
Many attackers are turning to social networking applications such as Facebook, Twitter, and Instagram to steal identities and information. Attackers also use social media to scam users. These scams are designed to entice the user to click a link that opens a malicious site the attacker controls. Usually, the site requests personal information and sensitive data, such as an email address or credit card number.
Manipulation Tactics - Offering something for very little to nothing
Offering something for very little to nothing refers to an attacker promising huge rewards if the target is willing to do a very small favor. The small favor can include sharing what the target thinks is a very trivial piece of information for something the attacker offers.
Other Social Engineering Attacks - Pharming
Pharming redirects a user's traffic for a legitimate URL to a malicious website the attacker controls, without the user having to click a lure; the attack is therefore also called phishing without a lure. The attacker is then privy to the user's sensitive data, like IDs, passwords, and banking details. Pharming is frequently delivered through malware such as Trojan horses and worms, and is commonly implemented using DNS cache poisoning or hosts file modification.
-In DNS cache poisoning, the attacker targets the chosen DNS server and changes the IP address recorded for a legitimate website to that of a fake website. When the user enters the legitimate URL, the DNS server directs the user to the fake website controlled by the attacker. No code needs to run on the user's computer.
-In hosts file modification, the attacker sends malicious code as an email attachment. When the user opens the attachment, the malicious code executes and modifies the local hosts file on the user's computer, which the resolver consults before querying DNS. When the user enters a legitimate URL in the browser, the compromised hosts file sends the user to the fraudulent website controlled by the attacker.
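Added example (not from the original page): an audit of a hosts file for the entries a hosts-file pharming attack leaves behind. It parses the file the way the resolver does (comments and blank lines ignored, one address followed by one or more names), then reports any name under a watched zone that has been pinned to an address, distinguishing redirection to an attacker's server from loopback entries that merely block the name, and also checks that localhost still points at loopback. The hosts file content and the watched zones are constructed; on a real system read /etc/hosts or C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Zones whose names a hosts file on this machine should never override (assumption).
WATCHED_ZONES = ("bank.example.com", "login.example.net")


def parse_hosts(text: str):
    """Yield (line_number, ip, hostname) for every mapping; comments and blanks are skipped."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue            # not an address: malformed line, not a mapping
        for host in fields[1:]:
            yield number, ip, host.lower()


def in_watched_zone(host: str) -> bool:
    return any(host == zone or host.endswith("." + zone) for zone in WATCHED_ZONES)


def audit_hosts(text: str) -> list:
    """Return (line, host, ip, reason) tuples for entries a pharming attack would add."""
    findings = []
    for number, ip, host in parse_hosts(text):
        if host in ("localhost", "ip6-localhost") and not ip.is_loopback:
            findings.append((number, host, str(ip), "localhost not loopback"))
        elif in_watched_zone(host):
            # Loopback/unspecified entries deny access; anything else redirects the user.
            reason = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((number, host, str(ip), reason))
    return findings


# Constructed hosts file: the normal entries plus the lines an attacker's
# attachment-dropped malware might append.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan      # internal, fine
# Appended by malware (constructed example)
203.0.113.45    bank.example.com www.bank.example.com
0.0.0.0         ads.example.com  # ad-blocker style entry, not pharming
127.0.0.1       login.example.net  # denial, not redirection
"""

if __name__ == "__main__":
    for number, host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {number}: {host} -> {ip} ({reason})")
```

The same parse-then-compare approach applies to the DNS-poisoning variant: query the name through the expected resolver and through an independent one, and alert when the answers disagree for a watched zone. That check is omitted here because it needs network access.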
Pretexting
Pretexting is a fictitious scenario to persuade someone to perform an action or give information.
Network Vulnerabilities - Privilege escalation
Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that aren't normally available to that user. Examples of privilege escalation include:
-A user who accesses a system with a standard user account but is able to use functions reserved for higher-level accounts, such as administrative features (vertical escalation).
-A user who is able to access content that should be accessible only to a different user (horizontal escalation).
-A user with administrative access who can access content that should be available only to a regular user.
Privilege escalation as defined here does not occur when a user steals or cracks administrator credentials and is therefore able to access administrative functions. Privilege escalation refers to reaching features with an account that normally should not have access to those features.
Attack Strategies - Perform reconnaissance
Reconnaissance is the process of gathering information about an organization, including: -System hardware information -Network configuration -Individual user information
Social engineering
Social engineering is an attack involving human interaction to obtain information or access.
Malware
Software designed to take over or damage a computer without the user's knowledge or approval.
Spyware
Spyware is software that is installed without the user's consent or knowledge and is designed to intercept data or take partial control of the user's interaction with the computer. Spyware:
-Is installed on a machine when the user visits a particular web page or runs a particular application.
-Collects various types of personal information, such as internet surfing habits and passwords, and sends the information back to its originating source.
-Uses tracking cookies to collect and report a user's activities.
-Can interfere with user control of the computer, for example by installing additional software, changing computer settings, and redirecting web browser activity.
Attack Strategies - Stage computers
Staging a computer involves preparing it to perform additional tasks in the attack, such as installing software designed to attack other systems. This is an optional step.
Historic Malware Events - Stoned
The 1987 Stoned virus was one of the first PC viruses. It was very common and widespread in the early 1990s. The virus infects the master boot record of hard drives and the boot sector of floppy disks.
Historic Malware Events - Michelangelo
The 1991 Michelangelo virus was designed to infect MS-DOS systems and remain dormant until March 6, the birthday of Renaissance artist Michelangelo. The virus infects the master boot record of a hard drive. Once a system becomes infected, any floppy disk inserted into the system becomes immediately infected, as well.
Historic Malware Events - CIH/Chernobyl Virus
The CIH virus, also known as Chernobyl, appeared in 1998 and triggered its destructive payload on April 26, 1999. It was the first widely known computer virus to damage computer hardware. It infected executable files and spread when an infected file was executed. On its trigger date it overwrote the beginning of the hard drive, destroying the partition table and file system, and then attempted to overwrite the system's flash BIOS, leaving affected machines unable to boot.
Interview and Interrogation - Environment
The environment the attacker chooses for conducting an interview and interrogation is essential to setting the mood.
-The location should not be overly noisy or overly crowded.
-The environment should be a relaxing and stress-free setting that puts the target at ease.
-The attacker shouldn't sit between the target and the door. The target should never feel trapped in any way.
-Lighting should be good enough for both parties to see each other clearly. This allows the attacker to better read the target's micro-expressions and movements. It also inspires trust in the target.
Data breach
The exposure of confidential or protected data, either accidentally or through malicious acts.
Network Vulnerabilities - Misconfigurations
The primary cause of misconfiguration is human error. Web servers, application platforms, databases, and networks are all at risk for unauthorized access. Areas to check include outdated software, unnecessary services, incorrectly authenticated external systems, security settings that have been disabled, and debug enabled on a running application.
Defense methodologies - Principle of least privilege
The principle of least privilege states that users or groups are given only the access they need to do their jobs and nothing more. When assigning privileges, be aware that it is often easier to give a user more access when it is needed than to take away privileges that have already been granted.
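Added example (not from the original page), serving both the privilege escalation entry above and this one: a small document service written first with the authorization flaws that enable escalation, horizontal (reading another user's document by guessing its id) and vertical (an admin-only setting gated by a client-supplied flag), and then with server-side checks that grant each role only the actions it needs and decide ownership from the stored record rather than from anything the caller claims. Users, roles, documents and the setting are constructed data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str          # "user" or "admin" (constructed roles)


# Constructed data store.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}
SETTINGS = {"maintenance_mode": False}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


# --- Vulnerable handlers: they trust what the client sends. ---
def get_document_vulnerable(doc_id: int) -> str:
    # Horizontal escalation: any logged-in user can read any id they can guess.
    return DOCUMENTS[doc_id]["body"]


def set_maintenance_vulnerable(is_admin_flag: bool, value: bool) -> bool:
    # Vertical escalation: the "am I an admin" decision comes from a client-supplied flag.
    if is_admin_flag:
        SETTINGS["maintenance_mode"] = value
    return SETTINGS["maintenance_mode"]


# --- Hardened handlers: the server decides from its own record of the actor. ---
# Each role is granted only the actions it needs (least privilege).
ROLE_PERMISSIONS = {
    "user": {"document:read_own"},
    "admin": {"document:read_own", "settings:write"},
}


def require(actor: User, action: str) -> None:
    if action not in ROLE_PERMISSIONS.get(actor.role, set()):
        raise Forbidden(f"{actor.name} ({actor.role}) may not {action}")


def get_document(actor: User, doc_id: int) -> str:
    require(actor, "document:read_own")
    doc = DOCUMENTS.get(doc_id)
    # Ownership check: the stored owner, not anything the caller claims, decides.
    # The same error for "missing" and "not yours" avoids confirming that an id exists.
    if doc is None or doc["owner"] != actor.name:
        raise Forbidden("no such document")
    return doc["body"]


def set_maintenance(actor: User, value: bool) -> bool:
    require(actor, "settings:write")
    SETTINGS["maintenance_mode"] = value
    return SETTINGS["maintenance_mode"]


def denied(fn, *args) -> bool:
    """True if calling fn(*args) is refused with Forbidden; used to show the checks work."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, alice reads bob's record:", get_document_vulnerable(102))
    print("hardened, alice reads bob's record denied:", denied(get_document, User("alice", "user"), 102))
    print("hardened, user flips admin setting denied:", denied(set_maintenance, User("alice", "user"), True))
```

Note that the admin role is not given document access either: an administrator reading a regular user's private content is the third escalation example in the text, and least privilege means the role map simply does not contain that action.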
Network Vulnerabilities - Root account
The root account has all system privileges and no barriers; it is also referred to as the superuser. To prevent accidental damage to the system, an administrator using root must perform tasks precisely and expertly, and the administrator should be the only one using the root account. Because there's no safety net when using root, make backups of any files or directories you're working with. Another danger of using root frequently is that most applications contain programming errors (because of the amount of code required and its complexity). An attacker can find and exploit such an error to gain control of the system when the program runs with root privileges instead of under an ordinary user account, which has very limited privileges. To avoid unnecessary risk, use the root account only when absolutely necessary; this applies to experienced administrators too. Have administrators log in with their own unprivileged accounts and use the su command (or sudo, which also records who ran what) to obtain root privileges only as needed, without requiring a new login.
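Added example (not from the original page): an audit of the account database for the root-account risks described above. It reports any login besides root that has UID 0 (a second superuser, whether left by an attacker or by a careless administrator), any account whose shadow entry has an empty password field (login succeeds with no password at all), and the set of users who can reach root through su or sudo by way of the admin group. The passwd, shadow and group contents are constructed; on a real host read /etc/passwd, /etc/shadow (as root) and /etc/group, and substitute "sudo" for "wheel" on Debian-style systems.

```python
def parse_colon_file(text: str):
    """Yield the field list for each non-empty, non-comment line of a passwd-style file."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def uid0_accounts(passwd_text: str) -> list:
    """All login names with UID 0; anything beyond 'root' is a hidden superuser."""
    return [f[0] for f in parse_colon_file(passwd_text) if len(f) >= 3 and f[2] == "0"]


def passwordless_accounts(shadow_text: str) -> list:
    """Names whose shadow hash field is empty: login succeeds with no password."""
    return [f[0] for f in parse_colon_file(shadow_text) if len(f) >= 2 and f[1] == ""]


def su_capable_users(passwd_text: str, group_text: str, admin_group: str = "wheel") -> list:
    """Primary and supplementary members of the admin group, i.e. who may su or sudo to root."""
    gid = None
    members = set()
    for f in parse_colon_file(group_text):
        if len(f) >= 4 and f[0] == admin_group:
            gid = f[2]
            members.update(m for m in f[3].split(",") if m)
    if gid is not None:   # users whose primary group is the admin group
        members.update(f[0] for f in parse_colon_file(passwd_text) if len(f) >= 4 and f[3] == gid)
    return sorted(members)


def audit_accounts(passwd_text: str, shadow_text: str, group_text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = [f"extra UID 0 account: {name}" for name in uid0_accounts(passwd_text) if name != "root"]
    findings += [f"no password set: {name}" for name in passwordless_accounts(shadow_text)]
    return findings


# Constructed sample files. "toor" is a second UID 0 login; "bob" has no password.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hashhashhash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
alice:$6$othersalt$anotherhash:19800:0:99999:7:::
bob::19800:0:99999:7:::
toor:$6$saltsalt$hashhashhash:19800:0:99999:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:alice
users:x:100:
"""

if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW, GROUP):
        print("FINDING:", finding)
    print("can become root via wheel:", ", ".join(su_capable_users(PASSWD, GROUP)))
```

The "toor" entry is the case the text warns about in reverse: a second UID 0 login is indistinguishable from root to the kernel, so the rule that only the administrator uses root is only meaningful if there is exactly one such account.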
Elicitation - Misinformation
Using the misinformation tactic, the attacker makes a statement with the wrong details. The attacker's intent is for the target to provide the accurate details that the attacker wants to confirm. The more precise the details given by the attacker, the better the chance that the target will take the bait.
Attack Types - Opportunistic
An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities. Known vulnerabilities can include old software, exposed ports, poorly secured networks, and default configurations. When a vulnerability is found, the hacker will exploit the vulnerability, steal whatever is easy to obtain, and get out. This type of attack is typically used by a single hacker.
Hacker
Any threat agent who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information; more narrowly, a person who commits crimes by gaining unauthorized access to computer systems.
Manipulation Tactics - Innate human trust
Attackers often exploit a target's natural tendency to trust others. The attacker wears the right clothes, has the right demeanor, and speaks words and terms the target is familiar with so that the target will comply with requests out of trust.
Manipulation Tactics - Ignorance
Ignorance means the target is not educated in social engineering tactics and prevention, so the target doesn't recognize social engineering when it is happening. The attacker knows this and exploits the ignorance.
Impersonation
Impersonation is pretending to be somebody else and approaching a target to extract information.
Defense methodologies - Randomness
Randomness in security is the constant change in personal habits and passwords to prevent predictable behavior.
Social Engineering Attacks - Eavesdropping
Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.
Elicitation
Elicitation is a technique to extract information from a target without arousing suspicion.
Attack Strategies - Escalate privileges
Escalating privileges is a primary objective of an attacker. Once an attacker has breached the system, obtaining higher privileges allows the attacker to access more information and gain greater control within the system.
Pretexting, Preloading, and Impersonation - Preloading
Preloading is used to set up a target by influencing the target's thoughts, opinions, and emotions.
Attack Strategies - Use social engineering
Social engineering is the process of manipulating others into providing sensitive information. Social engineering tactics include: -Intimidation -Sympathy
Types of Threat Actors - Black hat
This hacker is also very skilled, but uses knowledge and skills for illegal or malicious purposes. A black hat is also known as a cracker. They are highly unethical.
Zero-day vulnerability
Zero-day is a software vulnerability that is unknown to the vendor.
Prevent and Repair
-Latest version of browser -Latest patches -Antivirus -Anti-spyware -Anti-rootkit -Firewall -Pop-up blocker -Regular scans -Quarantine or delete First, use the latest version and patch level for your web browser. Then install the latest patches for your operating system. You should also install antivirus, anti-spyware, anti-rootkit, and personal firewall software. On all anti-malware software, be sure to keep your definitions up to date for the latest threats. Use a pop-up blocker to prevent adware. Use software to control cookies on your system. Schedule regular scans to constantly detect malware. If a scan does detect malware, quarantine or delete the malicious software. Malware may cause permanent damage to the system. Even though anti-malware software can scan, detect, and delete malware for you, the system may still need repairs. You might have to reinstall applications or even reinstall the entire operating system. Many companies image their operating systems, so if malware is detected, they'll simply send down a brand new image that overrides the entire operating system.
Threat Agent Attributes - Persistent vs. non-persistent
-The goal of persistent threats is to gain access to a network and retain access undetected. With this type of threat, attackers go to great lengths to hide their tracks and presence in the network. -The goal of non-persistent threats is to get into a system and steal information. The attack is usually a one-time event. The attacker typically doesn't care if the attack is noticed. An advanced persistent threat (APT) is a type of persistent threat carried out by a nation state. An APT has the goal of continually stealing information without being detected. The tactics used are much more advanced than a traditional persistent threat.
Zombie
A computer that is infected with malware and is controlled by a command and control center called a zombie master. A zombie is a malware-infected computer that allows remote software updates and control by a command and control center called a zombie master. A zombie: -Is also known as a bot, short for robot. -Commonly uses Internet Relay Chat (IRC) channels (also known as chat rooms) to communicate with the zombie master. -Is frequently used to aid spammers. -Is used to commit click fraud. The internet uses a form of advertising called pay-per-click, in which a developer of a website places clickable links for advertisers on the website. Each time the link is clicked, a charge is generated. Zombie computers can be used to commit click fraud by imitating a legitimate user clicking an ad. -Is used for performing denial-of-service attacks.
Fileless virus
A fileless virus uses legitimate programs to infect a computer. Because it doesn't rely on files, it leaves no footprint, making it undetectable by most antivirus, whitelisting, and other traditional endpoint security solutions. Fileless malware isn't a traditional virus, but it works in a similar way by operating in memory. It never touches the hard drive. Attackers use social engineering schemes to get users to click a link in a phishing email. When the webpage opens, the virus gets into the inner recesses of a trusted application such as PowerShell or Windows script host executables.
Botnet
A group of zombie computers that are commanded from a central control infrastructure. A botnet refers to a group of zombie computers that are commanded from a central control infrastructure. A botnet: -Operates under a command and control infrastructure where the zombie master (also known as the bot herder) can send remote commands to order the bots to perform actions. -Is detected through the use of firewall logs to determine if a computer may be acting as a zombie participating in external attacks. A bot is a computer infected with a Trojan that allows software updates remotely. Bots commonly use IRC channels to communicate with the bot master, the hacker. When several computers get infected with the same Trojan, they're called a botnet. Botnets are under a command and control infrastructure of the bot master. They use botnets for spamming, committing click fraud, and performing distributed denial-of-service attacks. You can examine a system's firewall logs to determine if it's acting as a bot. In the log, you'll see traffic from the bot traveling out through the firewall.
Types of Threat Actors - Hacktivist
A hacktivist is any individual whose attacks are politically motivated. Instead of seeking financial gain, hacktivists are looking to defame, shed light on, or cripple an organization or government. Oftentimes, hacktivists work alone. Occasionally, they create unified groups of like-minded hackers. For example, the website wikileaks.org is a repository of leaked government secrets, some of which have been obtained by hacktivists.
Hoax
A hoax is a type of malicious email with some type of urgent or alarming message to deceive the target. Email hoaxes are often easy to spot because of the bad spelling and terrible grammar. However, hoax emails use a variety of tactics to convince the target they're real.
Script kiddy
A less-skilled hacker who often relies on automated tools or scripts written by crackers to scan systems and exploit weaknesses.
Virus
A program that attempts to damage a computer system and replicate itself to other computer systems.
Scareware
A scam to fool a user into thinking there is some form of malware on the system. Scareware is a scam to fool users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have.
Types of Threat Actors - Script kiddie
A script kiddie is an individual who carries out an attack by using scripts or programs written by more advanced hackers. Script kiddies typically lack the skills and sophistication of legitimate hackers. Script kiddies are usually motivated by the chance to impress their friends or garner attention in the hacking community. Because script kiddies lack knowledge and sophistication, their attacks often seek to exploit well-known vulnerabilities in systems. As such, defending against script kiddies involves keeping systems up-to-date and using standard security practices.
Worm
A self-replicating malware program. A worm is a self-replicating program. A worm: -Does not require a host file to propagate. -Automatically replicates itself without an activation mechanism. A worm can travel across computer networks without any user assistance. -Infects one system and spreads to other systems on the network. A worm propagates without a file. It travels across computer networks without any user assistance, and it automatically replicates itself. Worms are one of the deadliest malware types because they can quickly spread to millions of computers. They usually take advantage of unpatched vulnerabilities in computer systems. To avoid a worm infection, keep your systems patched.
Rootkit
A set of programs that allows attackers to maintain hidden, administrator-level access to a computer. A rootkit is a set of programs that allows attackers to maintain permanent administrator-level, hidden access to a computer. A rootkit: -Is almost invisible software. -Resides below regular antivirus software detection. -Requires administrator privileges to install and maintains those privileges to allow subsequent access. -Is not always malicious. -Often replaces operating system files with alternate versions that allow hidden access. This malicious software hides in the system and alters the system's processes and registry entries. A rootkit is almost invisible. It resides below antivirus software detection. This makes it difficult to detect and very dangerous. Special anti-rootkit software can help detect rootkits.
Gray hat
A skilled hacker who falls in the middle of white hat and black hat hackers. The gray hat may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.
Nation state
A sovereign state threat agent that may wage an all-out war on a target and have significant resources for the attack.
Attack Strategies - Use technical approaches
A technical approach to obtaining information includes using software or utilities to find vulnerabilities in a system. Methods often used by hackers are: -Port scan -Ping sweep
Internal threat
A threat from authorized individuals (insiders) who exploit assigned privileges and inside information to carry out an attack.
External threat
A threat from individuals or groups not associated with the organization, who seek to gain unauthorized access to data.
Non-persistent threat
A threat that focuses on getting into a system and stealing information. It is usually a one-time event, so the attacker is not concerned with detection.
Manipulation Tactics - Threatening
An attacker may try to intimidate a target with threats to make the target comply with a request. This is especially the case when moral obligation and innate human trust tactics are not effective.
Manipulation Tactics - Moral obligation
An attacker uses moral obligation and a sense of responsibility to exploit the target's willingness to be helpful.
Types of Attackers - Insider
An insider could be a customer, a janitor, or even a security guard; but most of the time, it's an employee. Employees pose one of the biggest threats to any organization. There are many reasons why an employee might become a threat. The employee could: -Be motivated by a personal vendetta because they are disgruntled. -Want to make money. -Be bribed into stealing information. Sometimes, an employee can become a threat actor without even realizing it. This is known as an unintentional threat actor. The employee may create security breaches doing what seems to be harmless day-to-day work. An unintentional threat actor is the most common insider threat.
Threat Agent Attributes - Open-source intelligence (OSINT)
Before carrying out an attack, a threat actor typically gathers open-source intelligence (OSINT) about the target. OSINT is information that is readily available to the public and doesn't require any type of malicious activity to obtain. Sources of OSINT include the following: -Media (newspapers, magazines, advertisements) -Internet (websites, blogs, social media) -Public government data (public reports, hearings, press conferences, speeches) -Professional and academic publications (journals, academic papers, dissertations)
Attack Strategies - Create a backdoor
A backdoor is an alternative method of accessing an application or operating system for troubleshooting. Hackers often create backdoors to exploit a system without being detected.
Defense methodologies - Variety
Defensive layers should incorporate a variety of methods. Implementing multiple layers of the same defense does not provide adequate protection against attacks.
Social Engineering Process - Exploitation
In the exploitation phase, the attacker takes advantage of the relationship with the target and uses the target to extract information, obtain access, or accomplish the attacker's purposes in some way. Some examples include disclosing a password and username; introducing the attacker to other personnel, thus providing social credibility for the attacker; inserting a USB flash drive with a malicious payload into an organization's computer; opening an infected email attachment; and exposing trade secrets in a discussion. If the exploitation is successful, the only thing left to do is to wrap things up without raising suspicion. Most attackers tie up loose ends, such as erasing digital footprints and ensuring no items or information are left behind for the target to determine that an attack has taken place or identify the attacker. A well-planned and smooth exit strategy is the attacker's goal and final act in the exploitation phase.
Social Engineering Process - Research
In the research phase, the attacker gathers information about the target organization. Attackers use a process called footprinting, which takes advantage of all resources available to gain information. Footprinting includes going through the target organization's official websites and social media; performing dumpster diving; searching sources for employees' names, email addresses, and IDs; going through a tour of the organization; and other kinds of onsite observation. Research may provide information for pretexting. Pretexting is using a fictitious scenario to persuade someone to perform an unauthorized action such as providing server names and login information. Pretexting usually requires the attacker to perform research to create a believable scenario. The more the attacker knows about the organization and the target, the more believable a scenario the attacker can come up with.
Defense methodologies - Layering
Layering involves implementing multiple security strategies to protect the same asset. Defense in depth or security in depth is based on the premise that no single layer is completely effective in securing assets. The most secure system/network has many layers of security and eliminates single points of failure.
Logic bomb
Malware designed to execute only under predefined conditions. It is dormant until the predefined condition is met. A logic bomb is designed to execute only under predefined conditions. It lies dormant until the predefined condition is met. A logic bomb: -Uses a trigger activity such as a specific date and time, the launching of a specific program, or the processing of a specific type of activity. -Does not self-replicate. -Is also known as an asynchronous attack. This is a piece of malicious code designed to execute only under pre-defined conditions. It lies dormant until the pre-defined condition is met, such as a certain time or date. Logic bombs can range from benign, such as pranks, to dangerous, such as drive formatters. One example is a piece of code that lies dormant until it executes once per year, perhaps on someone's birthday. Another example is a user opening a certain program that activates it, deleting the contents of disk drives.
Crimeware
Malware designed to perpetrate identity theft. It allows a hacker access to online accounts at financial services, such as banks and online retailers. Crimeware is designed to perpetrate identity theft to allow access to online accounts at financial services, such as banks and online retailers. Crimeware can: -Use keystroke loggers to capture keystrokes, mouse operations, or screenshots and transmit those actions back to the attacker to obtain passwords. -Redirect users to fake sites. -Steal cached passwords. -Conduct transactions in the background after logon. Crimeware is designed to steal a user's identity by accessing their online accounts at financial services companies, such as PayPal, banks, and online retailers. Hackers use the information gathered by crimeware to remove funds from those accounts or make unauthorized transactions. It often contains key loggers and other software to obtain passwords.
Remote access Trojan (RAT)
Malware that includes a back door to allow a hacker administrative control over the target computer. A RAT is a malware program that includes a back door that allows administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program, such as a game or an email attachment. A RAT can: -Use keystroke loggers that capture keystrokes, mouse operations, or screenshots, and transmit those actions back to the attacker to obtain passwords. -Access confidential information, like credit card and social security numbers. -Format drives. -Activate a system's webcam and record video. -Delete, download, or alter files and file systems. -Distribute viruses and other malware. The Remote Access Trojan, or RAT, is a common type of malware. A RAT is designed to give the attacker remote desktop access, including a GUI. It gives the hacker complete control over the system and allows them to view all communications, webcam footage, files, and emails. Since a RAT requires the hacker to connect to the user through a port that isn't commonly used for internet access, a firewall in front of the user often prevents the hacker from connecting. If the hacker can get around the firewall and open that port, then they're able to connect.
Crypto-malware
Ransomware that encrypts files until a ransom is paid. Crypto-malware is ransomware that encrypts files until a ransom is paid. The difference between ransomware and crypto-malware is that crypto-malware can also operate quietly in the background and keep going indefinitely until it's noticed. This is called cryptomining. Mining cryptocurrency wears down a system substantially. It eats up bandwidth and processing power, which slows the system down and affects productivity. If it goes on long enough, it can even cause graphics cards to die, processors to burn out, and memory to act unpredictably.
SPIM
SPIM is similar to spam, but the malicious link is sent to the target over instant messaging instead of email.
Types of Motivation Techniques - Scarcity
Scarcity appeals to the target's greed. If something is in short supply and will not be available, the target is more likely to fall for it.
Defense methodologies - Simplicity
Security measures should provide protection, but not be so complex that it is difficult to understand and use them.
Social Engineering Attacks - Shoulder surfing
Shoulder surfing involves looking over someone's shoulder while that person works on a computer or reviews documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.
Historic Malware Events - Melissa
The 1999 Melissa worm was the first widely distributed macro virus that was propagated in the form of an email message containing an infected Word document as an attachment.
Historic Malware Events - ILOVEYOU
The 2000 ILOVEYOU worm was propagated in the form of an email message containing an infected VBScript (Microsoft Visual Basic Scripting) attachment. When executed, the VBScript would alter the registry keys to allow the malware to start up at every boot. It would also search for and replace *.jpg, *.jpeg, *.vbs, *.vbe, *.js, *.jse, *.css, *.wsh, *.sct, *.doc, and *.hta files with copies of itself while appending the file name with a .vbs extension.
Historic Malware Events - Nimda
The 2001 Nimda worm took advantage of weaknesses found in the Windows platform and propagated itself in several ways, including email, infected websites, and network shares. It also left multiple back doors to allow for additional attacks.
Historic Malware Events - Klez
The 2001-2002 Klez worm propagated through email. It infected executables by creating a hidden copy of the original host file and then overwriting the original file with itself. It attacked unpatched versions of Outlook and Outlook Express to allow attackers to control the system.
Social Engineering Process - Development
The development phase involves two parts: selecting individual targets within the organization being attacked and forming a relationship with the selected targets. Usually, attackers select people who not only will have access to the desired information or object, but who also show signs of being frustrated, overconfident, arrogant, or somehow easy to extract information from. Once a target is selected, the attacker will start forming a relationship with the target through conversations, emails, shared interests, and so on. The relationship helps build the target's trust in the attacker, allowing the target to be comfortable, relaxed, and more willing to help.
Types of Threat Actors - Gray hat
The gray hat hacker falls in the middle of the white hat and black hat hackers. The gray hat may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.
Types of Motivation Techniques - Urgency
To create a sense of urgency, an attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.
Social Engineering Attacks - USB and keyloggers
When on site, a social engineer also has the ability to steal data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.
Social Engineering Attacks - Spam and spim
When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.