Module 2: Actor types and their motives Flashcards

1
Q

4 types of actors and their motives

1. Hackers: they may or may not be paid. For example, a private organization could pay a group of hackers to break into a company's database to obtain intellectual property; this has actually happened in the past, in the so-called Operation Aurora, which I recommend reading about.
2. Internal users (intentional or unintentional): let's say you are working at your company and you forward a set of confidential documents to your personal email just to start working on them. That is not necessarily intentional, but it is still an attack: you should not use confidential documents outside your company's secure network. It can be difficult to figure out whether an internal user has a motive to perform those malicious actions.

01/04/24

A

3. Hacktivists: normally nobody pays hacktivists to perform attacks. For example, DDoS campaigns are often run against nations in order to put pressure on a particular decision. We are going to explore a couple of Singapore hacks that a group of hacktivists performed on government websites because the Singapore government was implementing new compliance regulations.

4. Governments: their intentions are mostly not financial; they normally want to spy.

Motivation factors
1. Just play: demonstrate that they have the capabilities to hack into a secure system
2. Gain money: in conjunction with governments or criminal organisations
3. Political actions and movements: make a statement or fight for a specific reason
4. Hire me: demonstrate what I can do for someone to hire me or use my services.

Download and read the 2019 Ponemon Institute Study on the Cyber Resilient Organization

2
Q

Major cyber attacks 2011-2017

A

Security attack definition

Passive attacks

  1. Eavesdropping: listening to messages, without modifying them
  2. Traffic analysis: tracking the number of pizzas delivered to the White House after 7pm

Passive attacks are difficult to detect, and they can go on for years before being detected.

Active attacks: these involve explicit interception and modification

  1. Masquerade: pretend to be one of the interlocutors; this is a very dangerous type
  2. Replay: read the message, act on it, and send it to one of the parties, let's say an hour later, with a correct timestamp so that the party gets the message and acts on it; it passes from an integrity perspective but fails on confidentiality
  3. Modification: modify a message
  4. Denial of service: a message never gets through

The goal is to detect active attacks early; we have tools to deal with them.

3
Q

Security Services
Security services are the technical implementation of security policies (eg access control), intended to counter security attacks using security mechanisms. They often replicate functions associated with physical documents, eg signatures, or protection against tampering or destruction.

These classifications come from a great textbook called Network Security Essentials: Applications and Standards, written by William Stallings and considered one of the classic books in the security repertoire.

A

Security Mechanisms

Stallings tells us that security mechanisms are defined as a combination of hardware, software, and processes that enhance security. These implement a specific security policy (eg ID authentication). Security mechanisms use security services to enforce security policies.

Two types of users: privileged users and general users (that's you and me); a privileged user is somebody who can change a security policy.

Two types of security mechanisms: specific and pervasive (these are about detecting anomalies).

4
Q

What is an Attack?

It is an action by a human with an intent to violate security, so it doesn’t matter whether the attack succeeds.

The term "security" is used in the sense of minimizing the vulnerabilities of assets and resources. An asset is anything of value. A vulnerability is any weakness that could be exploited to violate a system or the information it contains.

A threat is a potential violation of security.

A

Stallings - 2 forms of passive attacks and 4 forms of active attacks:

Passive attacks:

1. Disclosure (an envelope was opened and the content of the letter was revealed), so it's an attack on confidentiality
2. Traffic flow analysis: the content is not revealed, but the opponent obtains useful information about the message; this is also an attack on confidentiality

Active attacks:
1. Masquerade: an opponent impersonates an authorised person or system, it’s an attack on authentication
2. Replay: a copy of a legitimate message is captured by an opponent and re-transmitted at a later time, it’s an attack on integrity
3. Modification: the contents of a legitimate message is altered, it’s an attack on integrity
4. Denial of Service (DoS): an opponent prevents authorized users from accessing the system, it’s an attack on availability of the system

5
Q

Security Architecture - Attack Models

a. Normal flow of information: from the source to destination.

b. Interruption: the information never arrives at the destination. It's an active attack: both parties will know at some point that the message was not delivered, so it's not a passive attack. This is a denial of service.

c. Interception: the information arrives but an opponent receives a copy of the message, it’s a passive attack, the potential here is disclosure, example is a Wikileaks dump.

d. Modification: an opponent intercepts the original message and forwards a modified version that appears to come from the original source; this is an active attack. This is a masquerade, it could also be a replay, and it's definitely a modification.

A

e. Fabrication: Alice never sends Bob a message; she's sitting there minding her own business, she may even be asleep, and Trudy sends Bob a message: "Let's go to lunch". So Trudy is appearing to represent Alice. Another example: your bank calling you up to say, "Hey, go change your password." Then they put in place some mechanism to intercept that password. So it appears to come from a legitimate source. This is obviously a masquerade, an active attack. It's a dangerous type.

f. Diversion: the message never arrives at the destination, but an opponent obtains a copy. Alice sends Bob a message, Trudy intercepts it. It’s a denial of service (message delivery), active attack. Trudy can release the contents to another party, a dangerous style of attack.

6
Q

Malware and Ransomware

Malware is malicious code or an unauthorized piece of software running on a host, either to disrupt operations or to use the host's resources for the attacker's own benefit.

There are many forms of malware out there, with certain features:
1. Virus: a piece of malicious code that spreads from one computer to another by attaching itself to other files using self-replication; note that viruses require human interaction to self-replicate. Due to their self-replicating nature they are quite difficult to remove from the system. They also use other tactics to hide in the system, like polymorphic code, which encrypts and duplicates itself, making it a little harder for the antivirus to find it; this is known as a polymorphic virus. Another category is the armored virus, which tries to shield itself by obscuring its true location in the system.
2. Worms: a worm is self-replicating malware that does not require human interaction; its main goal is to spread and turn computers into zombies.
3. Trojan horses: malware that causes damage to a system or gives an attacker access to the host; they are usually introduced into the environment by posing as a benign package, such as a game, a wallpaper or any kind of download.

02/04/24

A

4. Spyware: the main goal of spyware is to track and report the usage of the host, or to collect data that the attacker decides to obtain; this can include web browsing history, personal information, banking information, or any kind of files the attacker wants to go after.
5. Adware: code that automatically displays or downloads unsolicited advertisements, usually seen as a browser pop-up.
6. RATs: stands for remote access tools or remote access trojans; they allow an attacker to gain unauthorized access to and control of a computer.
7. Rootkit: a piece of software that is intended to take full or partial control of a system at the lowest level.

Ransomware is software that infects a host with code that restricts access to the computer or the data on it; the attacker demands that a ransom be paid to get the data back, and if it is not paid within a certain time, the data will be destroyed. The most recent widespread case was the WannaCry attacks in May 2017.

https://securityintelligence.com/ransomware-response-guide/

7
Q

Other Threats examples:
1. Botnets: botnets enable attackers to exploit computer resources to mount attacks. This tactic has been used by black hat hackers to run operations such as sending spam, denial-of-service attacks, phishing, spyware, or mining personal information or cryptocurrency. The computers that are part of a botnet are also known as zombies or drones; they await commands from a botmaster or bot herder.
2. Keyloggers: any hardware or software that records every keystroke made by a user.
3. Logic bombs: they are triggered by a specific event, such as a date and time; when the condition is met, the bomb detonates to perform whatever it was programmed to do, usually erasing data or corrupting systems.
4. APTs (Advanced Persistent Threats): their main goal is to gain access to and monitor the network to steal information while staying undetected for a long period of time. They usually target organizations such as the military, government, finance, or companies that hold high-value information. Some known groups are Fancy Bear of Russia, the Lazarus Group of North Korea and the Periscope group of China.

A

How do we protect against threats?
A: Technical control: any hardware or software to protect the system, eg antivirus
1. AV: antivirus
2. IPS/IDS/UTM: intrusion prevention/detection systems and unified threat management systems; these are systems that can look for the signatures of attacks in progress when there is a compromise in the environment. Each implementation is unique and depends on the organization's security needs.
3. Updates: all deployed software needs to stay up to date so as not to open new holes in our security; this is done by applying security patches.

B: Administrative control: these are put in place by management and depend on staff compliance in order to be effective; one of those controls is policies.
1. Policies: it is a written document issued by an organization to ensure that all its users comply with the rules and guidelines related to security, an example could be a password policy
2. Training: to make sure the users of the organization are aware of its policies or threats
3. Revisions and tracking

8
Q

Internet Security Threats - Mapping

Network mapping, or "casing the joint", is used by bad actors: our adversaries can scan the network to find out its topology, ie what devices are on it and what services and protocols are running on the network, using network exploration tools such as:
1. Ping: a utility that sends a signal to another computer across a network and then receives the response from the pinged computer back at the original computer.
2. Port scanning: a technique hackers use to discover open doors or weak points in a network by sending packets to specific ports and analyzing the responses.
3. nmap: to determine what hosts are on the network and what their addresses are.

A

Network mapping counter-measures:
1. Record traffic entering network
2. Look for suspicious activity (IP addresses, ports being scanned sequentially)
3. Use a host scanner and keep a good inventory of hosts on the network (red lights and sirens should go off when an unexpected computer appears on the network).

9
Q

Security Threats - Packet Sniffing:
1. broadcast media
2. promiscuous NIC reads all packets passing by
3. can read all unencrypted data (eg passwords)
4. eg C sniffs B’s packets

A

Counter-measures:

  1. all hosts in organization run software that checks periodically if host interface is in promiscuous mode
  2. one host per segment of broadcast media (switched Ethernet at hub)
10
Q

Security Threats - IP Spoofing:

A

Counter-measures:
Ingress filtering

11
Q

Security Threats - Denial of service
1. DOS
2. DDOS: distributed DOS

A

Counter-measures:
1. filter out flooded packets
2. traceback to source of floods

12
Q

Security Attacks - Host insertions

Host insertion: a computer "host" with malicious intent is inserted in sleeper mode on the network.

A

Counter-measures:

13
Q

What is Social Engineering?

Social engineering is the use of humans for cyber purposes.

The question is: how could you trick somebody into giving you something that is private? This is something that we normally use in offensive security operations. On some occasions we deal with advanced firewalls and advanced systems that block all the attacks we deliver to the client or victim network, so one of the easiest ways to get information or to exploit things inside the victim's network is to try to obtain information from the users, for example a password or a username to log in to a VPN.

The SET (Social Engineering Toolkit) is something that comes with Kali Linux, but you could also install it on your system without any Linux installation. This tool allows you to create, for example, fake websites, or to clone websites from public or private internet domains. With a couple of tweaks, you could try to impersonate somebody, and that somebody could send an email using a phishing attack to a user inside the victim network.

A

Social Engineering - Phishing and Vishing

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

https://www.phishing.org/what-is-phishing

Gophish is an open-source phishing campaign tool that gives you a lot of tools to understand whether the cybersecurity training program inside your network is adding value.

Vishing, or voice phishing, is a form of cyber attack that attempts to trick victims into giving up sensitive information like credit card numbers, bank account details and passwords over the phone.

14
Q

Cyberwarfare
There are a lot of actors in cyber attacks. It is important to understand that normally we talk about cyber operations by countries: there is a Cyber Command in the US, the UK or China that develops not just offensive but also defensive operations. But we also have hackers hired by those nations to perform attacks, and this is the tricky part of cyberwarfare.

For example, Iran's intelligence service hacked the cell phone of former IDF chief and Israeli opposition leader Benny Gantz ahead of the Israeli elections; Israeli intelligence detected the Iranian intelligence agency. There is a good book, Countdown to Zero Day, that tells the story of Stuxnet, which was the first major cyber attack from one nation against another. Nations prepare their militaries for cyberwarfare.

Very telling chart from CSIS:
https://www.csis.org/

A

Cybercrime Resources - these 2 are very trusted reports
1. Cybercrime resources (IBM X-Force)
2. Personalised reports (X-Force Exchange)
3. Cost of data breach (IBM website)

https://www.ibm.com/reports/data-breach

15
Q

IBM Security Command Centers

IBM Security Command Centers are part of IBM X-Force Security Services.

Effective cybersecurity requires the correct people, processes, and technology. Companies often pool these three elements into a security operations center. A security operations center (SOC) is an IT security team that monitors a company’s IT infrastructure to detect, evaluate, neutralize, and prevent cybersecurity incidents. Traditionally, the term has referred to a physical space where the security team works; but today, some teams collaborate globally from separate locations, even home offices. As the distance between team members has expanded, so has the definition of SOC.

An IBM Security Command Center helps prepare a SOC and other involved stakeholders against current and future cyberthreats. These centers provide SOC facilities and virtual experiences in which participants can practice collaborating to resolve simulated breach scenarios. Teams use state-of-the-art security tools, such as pen testing, to combat cyberattacks that test not just teams’ technical expertise but their communication skills and crisis leadership. Experts provide feedback on the performance of teams and teach best practices through workshops and demonstrations.

A

X-Force Research

As threats multiply and increase in sophistication, it is more important than ever that organizations maintain awareness of current security trends.

IBM X-Force Threat Intelligence research reports can help you keep pace with an evolving threat landscape and learn how to protect your networks and data from the latest threats and attack vectors. Current reports are available for download, using the links below.

In 2018, many organizations across all industries faced unmanageable levels of cyberthreats brought on by the changing threat landscape, the risk of exposure, and an ever-growing attack surface. The optimum strategy to respond to this combination of factors is to make security an integral part of culture and overall structure. To help organizations better prepare for this landscape, IBM® Security has developed the X-Force® Threat Intelligence Index report to provide insight on cybersecurity issues, including what the most common types of attacks are and where they come from.

IBM Security analyzes data and insight derived from monitored security clients, incident response services and penetration testing engagements. X-Force also runs spam traps around the world and monitors tens of millions of spam and phishing attacks daily. It analyzes billions of web pages and images to detect fraudulent activity and brand abuse.

Download the X-Force Threat Intelligence Index if you have not already done so from the resource section of a previous lesson. Read the report and keep as a reference guide throughout your Cybersecurity training.

https://www.ibm.com/security/data-breach/threat-intelligence
