Threats, Attacks, Vulnerabilities Flashcards

1
Q

Social Engineering with a touch of spoofing
- Often delivered by email, text, etc
- Very remarkable when well done

Usually there’s something that is not quite right
- Spelling, fonts, graphics

How are they so successful?
- Digital sleight of hand - it fools the best of us

Sending a false email pretending to be legitimate to steal valuable information from the user

A

Phishing

2
Q

A type of URL hijacking

A

Typosquatting

3
Q

Lying to get information
Attacker is a character in a situation they create

Hi, we’re calling from Visa regarding an automated payment to your utility service

A

Pretexting

4
Q

Redirects a legit website to a bogus site
- Poisoned DNS server or client vulnerabilities

Harvest large groups of people

Difficult for anti-malware software to stop

A

Pharming

5
Q

Voice phishing over the phone or voicemail
- Caller ID spoofing is common
- Fake security checks or bank updates

Attack through a phone or voice communications

A

Vishing

6
Q

Done by text messages
- Spoofing is a problem here as well
- Forwards links or asks for personal information

Variations on a theme
- Fake check scam, phone verification code scam
- Boss/CEO scam, advance fee scam

A

Smishing

7
Q

Gather information on the victim

A

Reconnaissance

8
Q

Targeted phishing with inside information
- Makes the attack more believable

Attack that targets specific users

A

Spear Phishing

9
Q

Spear Phishing the CEO

Attack on a powerful or wealthy individual

A

Whaling

10
Q

Before the attack, the trap is set
- There’s an actor and a story

Attackers pretend to be someone they aren’t
- Halloween for fraudsters

Use some of those details from reconnaissance

Attack the victim as someone higher in rank

Throws tons of technical details around

A

Impersonation

11
Q

Extracting information from the victim
- Victim doesn’t even realize this is happening
- Hacking the human

Often seen with vishing
- Can be easier to get this info over the phone

Well documented psychological techniques

A

Eliciting information

12
Q

Your identity can be used by others
- Keep your personal information safe

Credit Card Fraud
- Open an account in your name, or use your credit card information

Bank Fraud
- Attacker gains access to your account or opens a new account

Loan Fraud
- Your information is used for a loan or lease

Government benefits fraud
- Attacker obtains benefits on your behalf

A

Identity Fraud

13
Q

Mobile garbage bin

Important information thrown out with trash

Gather details that can be used for a different attack
- Impersonate names, use phone numbers

Timing is important
- Just after end of month, end of quarter
- Based on pickup schedule

If it is in the trash, it's open season
- Nobody owns it

Dumpsters on private property or “No Trespassing” signs may be restricted
- You can’t break the law to get rubbish

A

Dumpster Diving

14
Q

You have access to important information
- Many people want to see
- Curiosity, industrial espionage, competitive advantage

This is surprisingly easy
- Airports/Flights
- Hallway-Facing Monitors
- Coffee Shops

Surf from afar
- Binoculars/Telescopes
- Easy in the big city
- Webcam monitoring

To prevent
- Control your input
- Use privacy filters
- Keep your monitor out of sight
- Don’t sit in front of me on your flight

A

Shoulder Surfing

15
Q

Threat that does not actually exist
- But seems like it could be real

Still often consume lots of resources
- Forwarded email messages, printed memorandums, wasted time

Often an email
- Or Facebook wall post, tweet, etc

Some will take your money
- But not through electronic means

Can waste as much time as a regular virus

Spam filters can help

If it sounds too good to be true…

A

Hoaxes

16
Q

Have the mountain come to you
- This requires a bit of research

Determine which website the victim group uses
- Educated guess - Local coffee or sandwich shop
- Industry related sites

Infect one of these third party sites
- Site vulnerability
- Email attachments

Infect all visitors
- But you’re just looking for specific victims

Defense-in-depth
- Layered defense
- It’s never one thing

Firewalls and IPS
- Stop the network traffic before things get bad

Anti-virus/Anti-malware signature updates

A

Watering Hole Attacks

17
Q

Unsolicited messages
- Email, forums
- Spam over Instant Messaging (SPIM)

Various content
- Commercial advertising
- Phishing attempts

Significant technology issues
- Security concerns
- Resource utilization
- Storage costs
- Managing the spam

Unsolicited email
- Stop it on the gateway before reaching user
- On-site or cloud based

Allowed list
- Only receive email from trusted senders

SMTP standards checking
- Block anything that doesn’t follow RFC standards

A

SPAM

18
Q

Sway public opinion on political or social issues

Nation-state actors
- Divide, distract, and persuade

Advertising is an option
- Buy a voice for your opinion

Embedded through social media
- Creating, sharing, liking
- Amplification

A

Influence Campaigns

19
Q

Military strategy
- A broad description of the techniques
- Wage war non-traditionally

Not a new concept
- The internet adds new methods

Cyberwarfare
- Attack an entity with technology

Influence with a military spin
- Influencing foreign elections
- Fake News

A

Hybrid Warfare

20
Q

Use an authorized person to gain unauthorized access to a building
- Not an accident

No tech hacking
- Blend in with clothing
- 3rd-party with a legitimate reason
- Temporarily take up smoking

Once inside, little to stop attacker
- Most security stops at the border

Policy for visitors
- You should be able to identify anyone

One scan, one person
- A matter of policy or mechanically required

Mantrap/Airlock
- You don’t have a choice

Don’t be afraid to ask
- Who are you and why are you here?

A

Tailgating

21
Q

Starts with a bit of spear phishing
- Attacker knows who pays the bills

Attacker sends a fake invoice
- Domain renewal, toner cartridges
- From: address is spoofed version of CEO

Accounting pays the invoice
- It was from the CEO after all

Might include a link to pay
- Now the attacker has payment details

A

Invoice Scams

22
Q

Also called password harvesting
- Attacker collects login credentials

There are a lot of stored credentials on your computer
- Chrome, Firefox, Outlook, etc

User received an email with malicious Word doc
- Opening document runs macro
- Macro downloads credential harvesting malware

User has no idea
- Everything happens in background

A

Credential Harvesting

23
Q

The social engineer is in charge
- I’m calling from the help desk/office of the CEO/police

A

Authority - Social Engineering principle

24
Q

There will be bad things if you don’t help
- If you don’t help me, the payroll checks won’t be processed

A

Intimidation - Social Engineering principle

25
Q

Convince based on what's normally expected
- Your coworker Jill did this for me last week

A

Consensus - Social Engineering principle

26
Q

The situation will not be this way for long
- Must make the change before time expires

A

Scarcity - Social Engineering principle

27
Q

Works alongside scarcity
- Act quickly, don't think

A

Urgency - Social Engineering principle

28
Q

Someone you know, we have common friends

A

Familiarity - Social Engineering principle

29
Q

Someone who is safe
- I'm from IT and here to help

A

Trust - Social Engineering principle

30
Q

Operating system and browser based virus

A

Script virus

31
Q

Stealth virus
- Does a good job of avoiding anti-virus detection

Operates in memory
- But never installed in a file or application

Steps:
1. User clicks on malicious website link
2. Website exploits a vulnerability
3. Launches PowerShell and downloads payload in RAM
4. Runs PowerShell scripts and executables in memory
5. Adds an auto-start to registry

A

Fileless virus

32
Q

Malware that self-replicates
- Doesn't need you to do anything
- Uses the network as a transmission medium
- Self-propagates and spreads quickly
- Can take over many systems very quickly

Firewalls and IDS/IPS can mitigate many infestations
- Doesn't help much once it gets inside

Steps:
1. Infected computer searches for vulnerable system
2. Vulnerable computer is exploited
3. Backdoor is installed and downloads this

A self-contained infection that can spread itself through networks, emails, and messages

A

Worms

33
Q

Attackers want your money
- They'll take your computer in the meantime

May be a fake ransom
- Locks your computer "by the police"

Ransom may be avoided
- A security professional may be able to remove these kinds of malware

Protection tips:
Always have a backup
- An offline backup, ideally
Keep your OS up to date
- Patch those vulnerabilities
Keep your application up to date
- Security patches
Keep your anti-virus/anti-malware signatures up to date
- New attacks every hour

Denies access to a computer system or data until a ransom is paid

Can be spread through a phishing email or unknowingly infected website

A

Ransomware

34
Q

A newer generation of ransomware
- Your data is unavailable until you provide cash

Malware encrypts your data files
- Pictures, documents, music, movies, etc
- Your OS remains available
- They want you running, but not working

You must pay the bad guys to obtain the decryption key
- Untraceable payment system
- An unfortunate use of public-key cryptography

Malicious program that encrypts programs and files on the computer in order to extort money from the user

A

Crypto-malware

35
Q

Software that pretends to be something else
- So it can conquer your computer
- Doesn't really care much about replicating

Circumvents your existing security
- Anti-virus may catch it when it runs
- The better ones are built to avoid and disable AV

Once it's inside it has free rein
- And it may open the gates for other programs

Form of malware that pretends to be a harmless application

A

Trojans

36
Q

Identified by anti-virus/anti-malware
- Potentially undesirable software
- Often installed along with other software

- Overly aggressive browser toolbar
- A backup utility that displays ads
- Browser search engine hijacker

A

Potentially Unwanted Program (PUP)

37
Q

Often placed on your computer through malware
- Some malware software can take advantage of these, created by other malware

Some software includes this
- Old Linux kernel included this
- Bad software can have this as part of app

Allows for full access to a system remotely

A

Backdoors

38
Q

Remote Administration Tool
- The ultimate backdoor
- Administrative control of the device

Malware installs the server/service/host
- Attacker connects with the client software

Control a device
- Key logging
- Screen recording/screenshots
- Copy files
- Embed more malware

A remotely operated Trojan

A

Remote Access Trojans (RATs)

39
Q

Originally a Unix technique

Modifies core system files
- Part of the kernel

Can be invisible in the OS
- Won't see it in Task Manager

Also invisible to traditional anti-virus utilities
- If you can't see it, you can't stop it

Finding and removing:
Look for the unusual
- Anti-malware scans
Use a remover specific to this
- Usually built after this is discovered
Secure boot with UEFI
- Security in the BIOS

Backdoor program that allows full remote access to a system

A

Rootkits

40
Q

Malware that spies on you
- Advertising, identity theft, affiliate fraud

Can trick you into installing
- Peer to peer, fake security software

Browser monitoring
- Capture surfing habits

Keyloggers
- Capture every stroke
- Send it back to the mother ship

Protection:
Maintain your anti-virus/anti-malware
- Always have the latest signatures
Always know what you're installing
- And watch your options during the installation
Where's your backup?
- You might need it someday

Software that installs itself to spy on the infected machine, sends the stolen information over the internet back to the host machine

A

Spyware

41
Q

Once the computer is infected, it becomes this
- You may not even know

How does it get on your computer?
- Trojan Horse
- You run a program that you thought was legit
- OS or application vulnerability

A day in the life
- Sit around and check in with the Command and Control (C&C) server and wait for instructions

AI that when inside an infected machine performs specific actions as part of a larger entity

Stopping these:
Prevent the initial infection
- OS and application patches
- Anti-virus/anti-malware and updated signatures
Identify an existing infection
- On-demand scans, network monitoring
Prevent command and control (C&C)
- Block at the firewall
- Identify at the workstation with a host-based firewall or host-based IPS

A

Bot

42
Q

Waits for a predefined event
- Often left by someone with a grudge

Time bomb
- Time or date

User event

Difficult to identify
- Difficult to recover if it goes off

Preventing these:
Difficult to recognize
- Each is unique
- No predefined signatures
Process and procedures
- Formal change control
Electronic monitoring
- Alert on changes
- Host-based intrusion detection, Tripwire, etc
Constant auditing
- An administrator can circumvent existing systems

A malicious program that lies dormant until a specific date or event occurs

A

Logic bombs

43
Q

Try to login with an incorrect password
- Eventually you're locked out

Attack an account with the top three (or more) passwords
- If they don't work, move to the next account
- No lockouts, no alarms, no alerts

A

Spraying

44
Q

Try every possible password combination until the hash is matched

Might take some time
- A strong hashing algorithm slows things down

Online:
- Keep trying the login process
- Very slow
- Most accounts will lockout after a number of failed attempts

Offline:
- Obtain the list of users and hashes
- Calculate the password hash, compare it to a stored hash
- Large computational resource requirement

Password-cracking program that tries every possible combination of characters A to Z

A

Brute Force

45
Q

Use a dictionary to find common words
- Passwords are created by humans

Many common wordlists available on the 'net
- Some are customized by language or line of work

The password crackers can substitute letters

This takes time
- Distributed cracking and GPU cracking is common

Discover passwords for common words
- This won't discover random character passwords

Password attack that creates encrypted versions of common dictionary words and then compares them against those in a stolen password file

Guessing using a list of possible passwords

A

Dictionary attacks

46
Q

Optimized, pre-built set of hashes
- Saves time and storage space
- Doesn't need to contain every hash
- Contains pre-calculated hash chains

Remarkable speed increase
- Especially with longer password lengths

Need different tables for different hashing methods
- Windows is different from MySQL

Large pregenerated data sets of encrypted passwords used in password attacks

A

Rainbow tables

47
Q

Stealing credit card information, usually during a normal transaction
- Copy data from the magnetic stripe
- Card number, expiration date, card holder's name

Includes a small camera to watch for your PIN

Attackers use the card information for other financial transactions
- Fraud is the responsibility of the seller

Always check before using card readers

A

Skimming

48
Q

Get card details from a skimmer
- The clone needs an original

Create a duplicate of the card
- Looks and feels like the original
- Often includes the printed CVC

Can only be used with magnetic stripe cards
- The chip can't be cloned

Cloned gift cards are common
- A magnetic stripe technology

A

Card cloning

49
Q

Our computers are getting smarter
- They identify patterns in data and improve their predictions

This requires a lot of training data
- Face recognition requires analyzing a lot of faces

In use every day
- Stop spam
- Recommend products from an online retailer
- Prevents car accidents

A

Machine Learning

50
Q

The chain contains many moving parts
- Raw materials, suppliers, manufacturers, distributors, customers, consumers

Attackers can infect any step along the way
- Infect different parts of the chain without suspicion
- People trust their suppliers

One exploit can infect the entire chain

Security:
Can you trust your new server/router/switch/firewall/software?
Use a small supplier base
- Tighter control of vendors
Strict control over policy and procedures
- Ensure proper security is in place
Security should be part of the overall design
- There's a limit to trust

A

Supply chain attacks

51
Q

Centralized and costs less
- No dedicated hardware, no data center to secure

Data is in a secure environment
- No physical access to the data center
- Third-party may have access to the data
- Automated signature and security updates
- User must follow security best practices

Limited downtime
- Extensive fault-tolerance and 24/7/365 monitoring

Scalability security options
- One-click security deployments
- This may not be as customizable as necessary

A

Cloud Based

52
Q

Put the security burden with the client
- Data center security and infrastructure costs

Customize your security posture
- Full control when everything is in-house

On-site IT team can manage security better
- The local team can ensure everything is secure
- A local team can be expensive and difficult to staff

Local team maintains uptime and availability
- System checks can occur at any time
- No phone calls for support

Security changes can take time
- New equipment, configurations, and additional costs

A

On-Premise

53
Q

You've encrypted data and sent it to another person

The attacker does not have the combination or key
- So they break the safe

Finding ways to undo the security
- There are many potential shortcomings
- Problem is often the implementation

A

Cryptographic attacks

54
Q

In a digital world, this is a hash collision
- A hash collision is the same hash value for two different plaintexts
- Find a collision through brute force

The attacker will generate multiple versions of plaintext to match the hashes
- Protect yourself with a large hash output size

Used to find collisions in hashes and allows the attacker to be able to create the same hash as the user.

Exploits that if the same mathematical function is performed on two values and the result is the same, then the original values are the same

A

Birthday attack

55
Q

Hash digests are supposed to be unique
- Different input data should never create the same hash

When two different inputs produce the same hash value

A

Collisions

56
Q

Instead of using perfectly good encryption, use something that's not so great
- Force the systems to downgrade their security

Forces a system to lessen its security; this allows the attacker to exploit the lesser security control. It is often associated with cryptographic attacks due to weak implementations of cipher suites.

Example is TLS > SSL, a man-in-the-middle POODLE attack exploiting TLS v1.0 - CBC mode

A

Downgrade attack

57
Q

Gain higher-level access to a system
- Exploit a vulnerability
- Might be a bug or design flaw

Higher-level access means more capabilities
- This commonly is the highest-level access
- This is obviously a concern

These are high-priority vulnerability patches
- You want to get these holes closed very quickly
- Any user can be an administrator

Horizontal escalation
- User A can access User B resources

Mitigating escalation:
Patch quickly
- Fix the vulnerability
Updated anti-virus/anti-malware software
- Block known vulnerabilities
Data Execution Prevention
- Only data in executable areas can run
Address space layout randomization
- Prevent a buffer overrun at a known memory address

An attack that exploits a vulnerability that allows them to gain access to resources that they normally would be restricted from accessing

A

Privilege Escalation

58
Q

Information from one site could be shared with another

One of the most common web application development errors
- Takes advantage of the trust a user has for a site
- Complex and varied

Malware that uses JavaScript

Protection:
Be careful when clicking untrusted links
- Never blindly click in your email inbox
Consider disabling JavaScript
- Or control with an extension
- This offers limited protection
Keep your browser and applications updated
- Avoid the nasty browser vulnerabilities
Validate input
- Don't allow users to add their own scripts to an input field

Found in web applications, allows for an attacker to inject client-side scripts in web pages

A

Cross-site scripting (XSS)

59
Q

Web site allows scripts to run in user input
- Search box is a common source

Attacker emails a link that takes advantage of this vulnerability
- Runs a script that sends credentials/session IDs/cookies to the attacker

Script embedded in URL executes in the victim's browser
- As if it came from the server

Attacker uses credentials/session IDs/cookies to steal victim's information without their knowledge
- Very sneaky

A

Non-persistent (reflected) XSS attacks

60
Q

Attacker posts a message to a social media network
- Includes the malicious payload

It's now "persistent"
- Everyone gets the payload

No specific target
- All viewers to the page

For social networking, this can spread quickly
- Everyone who views the message can have it posted to their page
- Where someone else can view it and propagates it further

A

Persistent (stored) XSS attack

61
Q

Adding your own information into a data stream

Enabled because of bad programming
- The application should properly handle input and output

So many different data types
- HTML, SQL, XML, LDAP, etc

A

Code Injection

62
Q

Modifying SQL requests
- Your application shouldn't really allow this

Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application

Is prevented through input validation and using least privilege when accessing a database

If you see ' OR 1=1; on the exam, it’s this

A

SQL Injection

63
Q

Set of rules for data transfer and storage

Modifying XML requests

A

XML Injection

64
Q

Created by the telephone companies

Now used by almost everyone

Modify LDAP requests to manipulate application results

A

LDAP Injection

65
Q

A Windows library containing code and data
- Many applications can use this library

Inject this and have an application run a program
- Runs as part of the target process

Allows for the running of outside code

A

DLL Injection

66
Q

Overwriting a buffer of memory
- Spills over into other memory areas

Developers need to perform bounds checking
- Attackers spend a lot of time looking for openings

Not a simple exploit
- Takes time to avoid crashing things
- Takes time to make it do what you want

A really useful one of these is repeatable
- Which means that a system can be compromised

Too much data for the computer's memory to buffer

A program attempts to write more data than can be held in a fixed block of memory

A

Buffer overflow

67
Q

Useful information is transmitted over the network
- A crafty hacker will take advantage of this

Need access to the raw network data
- Network tap, ARP poisoning, malware on the victim computer

The gathered information may help the attacker
- Replay the data to appear as someone else

This is not an on-path attack
- The actual replay doesn't require the original workstation

Avoid this type of attack with a salt
- Use a session ID with the password hash to create a unique authentication hash each time

This is a passive attack where the attacker captures wireless data, records it, and then sends it on to the original recipient without them being aware of the attacker's presence

A

Replay Attacks

68
Q

Client authenticates to the server with a username and hashed password

During authentication, the attacker captures the username and password hash

Attacker sends his own authentication request using the captured credentials

An authentication attack that captures and uses the hash of a password. The attacker then attempts to log on as the user with the stolen hash. This type of attack is commonly associated with the Microsoft NTLM protocol

A

Pass the Hash

69
Q

Steps:
1. Victim authenticates to the server
2. Server provides a session ID to the client
3. Attacker intercepts the session ID and uses it to access the server with the victim's credentials

An attack in which an attacker attempts to impersonate the user by using their legitimate session token

A

Session hijacking

70
Q

One click attack, session riding
- XSRF, CSRF (sea surf)

Takes advantage of the trust that a web application has for the user
- The web site trusts the browser
- Requests are made without your consent or knowledge
- Attacker posts a Facebook status on your account

Significant web application development oversight
- The application should have anti-forgery techniques added
- Usually a cryptographic token to prevent a forgery

Steps:
1. Attacker creates a funds transfer request
2. Request is sent as a hyperlink to a user who may already be logged into the bank web site
3. Visitor clicks the link and unknowingly sends the transfer request to the bank web site
4. Bank validates the transfer and sends the visitor's funds to the attacker

Unauthorized commands are sent from a user that is trusted by the website. Allows the attacker to steal cookies and harvest passwords

A

Cross-site request forgery

71
Q

Attacker finds a vulnerable web application
- Sends requests to a web server
- Web server performs the request on behalf of the attacker

Caused by bad programming
- Never trust the user input
- Server should validate the input and the responses
- These are rare, but can have critical vulnerabilities

Steps:
1. Attacker sends a request that controls a web application
2. Web server sends request to another service, such as cloud file storage
3. Cloud storage sends response to Web Server
4. Web Server forwards response to attacker

A

Server-side request forgery (SSRF)

72
Q

Traditional anti-virus is very good at identifying known attacks
- Checks the signature
- Block anything that matches

There are still ways to infect and hide
- It's a constant war
- Zero-day attacks, new attack types, etc.

Your drivers are powerful
- The interaction between the hardware and your operating system
- They are often trusted
- Great opportunity for security issues

Hardware interactions contain sensitive information
- Video, keyboard, mouse

A

Driver manipulation

73
Q

Filling in the space between two objects
- A middleman

Windows includes this
- Backward compatibility with previous Windows versions
- Application Compatibility Shim Cache

Malware authors write their own
- Get around security

The process of injecting alternate or compensation code into a system in order to alter its operations without changing the original or existing code

A

Shimming

74
Q

Metamorphic malware
- A different program each time it's downloaded

Make it appear different each time
- Add NOP instructions
- Loops, pointless code strings

Can intelligently redesign itself
- Reorder functions
- Modify the application flow
- Reorder code and insert unused data types

Difficult to match with signature-based detection
- Use a layered approach

Rewrites the internal processing of code without changing its behavior

A

Refactoring

75
Q

Combines an on-path attack with a downgrade attack
- Difficult to implement, but big returns for the attacker

Attacker must sit in the middle of the conversation
- Must modify data between victim and web server
- Proxy server, ARP spoofing, rogue Wi-Fi hotspot, etc.

Victim does not see any significant problem
- Except the browser page isn't encrypted

This is a client and server problem
- Works on SSL and TLS

A

SSL Stripping

76
Q

A programming conundrum
- Sometimes, things happen at the same time
- This can be bad if you've not planned for it

Time-of-check to time-of-use attack (TOCTOU)
- Check the system
- When do you use the results of your last check?
- Something might happen between the check and the use

The behavior of a software, electronic, or other system's output is dependent on the timing, sequence of events, or factors outside of the user's control

A

Race Conditions

77
Q

Unused memory is not properly released
- Begins to slowly grow in size
- Eventually uses all available memory
- System crashes

Leaves the system unresponsive

A

Memory leak

78
Q

Programming technique that references a portion of memory
- Application crash, debug information displayed, DoS

Failed dereference can cause memory corruption and the application to crash

A

NULL Pointer dereference

79
Q

Read files from a web server that are outside of the website's file directory
- Users shouldn't be able to browse the Windows folder

Web server software vulnerability
- Won't stop users from browsing past the web server root

Web application code vulnerability
- Take advantage of badly written code

A

Directory traversal

80
Q

Errors happen
- And you should probably know about it

Messages should be just informational enough
- Avoid too much detail
- Network information, memory dump, stack traces, database dumps

This is an easy one to find and fix
- A development best-practice

The error messages display sensitive or private information that give the user too much data

A

Improper error handling

81
Q

Many applications accept user input
- We put data in, we get data back

All input should be considered malicious
- Check everything. Trust nobody.

Allowing invalid input can be devastating
- SQL injections, buffer overflow, denial of service, etc.

It takes a lot of work to find input that can be used maliciously
- But they will find it

The system does not properly validate data, allowing an attacker to create an input that is not expected

Leaves parts of the system vulnerable to unintended data

A

Improper input handling

82
Q

Attackers look for vulnerabilities in this new communication path
- Exposing sensitive data, DoS, intercepted communication, privileged access

A

API attacks

83
Q

A specialized DoS attack
- May only require one device and low bandwidth

A denial of service occurs: the resources needed to execute an action are expended, making it impossible for the action to be performed

A

Resource exhaustion

84
Q

Unauthorized wireless access point
- May be added by an employee or an attacker
- Not necessarily malicious
- A significant potential backdoor

Very easy to plug in a wireless AP
- Or enable wireless sharing in your OS

Schedule a periodic survey
- Walk around your building/campus
- Use third-party tools/WiFi Pineapple

Consider using 802.1X (Network Access Control)
- You must authenticate, regardless of the connection type

An unauthorized WAP or Wireless Router that allows attackers to bypass many of the network security configurations and opens the network and its users to attacks

A

Rogue Access Points

85
Q

Looks legitimate, but actually malicious
- The wireless version of phishing

Configure an access point to look like an existing network
- Same (or similar) SSID and security settings/captive portal

Overpower the existing access points
- May not require the same physical location

WiFi hotspots (and users) are easy to fool
- And they're wide open

You encrypt your communication, right?
- Use HTTPS and a VPN

Has the same SSID as a proper access point (AP). Once a user connects to it, all wireless traffic goes through it instead of the real AP

A

Wireless Evil Twin

86
Sending unsolicited messages to another device via Bluetooth
- No mobile carrier required!

Typical functional distance is about 10 meters
- More or less depending on antenna and interference

Third-party software may also be used

Sending unauthorized messages to a Bluetooth device
Bluejacking
87
Access a Bluetooth-enabled device and transfer data - Contact list, calendar, email, pictures, video, etc. First major security weakness in Bluetooth Serious security issue - If you know the file, you can download it without authentication Gathering unauthorized access to, or stealing information from a Bluetooth device
Bluesnarfing
88
Denial of Service
- Prevent wireless communication

Transmit interfering wireless signals
- Decrease the signal-to-noise ratio at the receiving device
- The receiving device can't hear the good signal

Sometimes it's not intentional
- Interference, not jamming
- Microwave oven, fluorescent lights

Jamming is intentional
- Someone wants your network to not work
RF jamming
89
Many different types
- Constant: random bits or legitimate frames sent continuously
- Random: random bits or legitimate frames sent at random times
- Reactive: jam only when someone else tries to communicate

Needs to be somewhere close
- Difficult to be effective from a distance

Time to go fox hunting
- You'll need the equipment to hunt down the jammer
- Directional antenna, attenuator

Disabling a wireless frequency with noise to block the wireless traffic
Wireless jamming
90
It's everywhere - Access badges - Inventory/Assembly line tracking - Pet/Animal identification - Anything that needs to be tracked Radar technology - Radio energy transmitted to the tag - RF powers the tag, ID is transmitted back - Bidirectional communication - Some tag formats can be active/powered Communicates with a tag placed in or attached to an object using radio signals
RFID
91
Data capture - View communication - Replay attack Spoof the reader - Write your own data to the tag Denial of Service - Signal jamming Decrypt communication - Many default keys are on Google Can be jammed with noise interference, the blocking of radio signals, or removing/disabling the tags themselves
RFID Attacks
92
Two-way wireless communication - Builds on RFID, which is mostly one-way Payment systems - Many options available Bootstrap for other wireless - NFC helps with Bluetooth pairing Access token, identity "card" - Short range with encryption support Remote capture - It's a wireless network Frequency jamming - Denial of service Relay/Replay attack - On-path attack Wireless technology that allows for smartphones and other devices to establish communication over a short distance
NFC Attack
93
A type of nonce
- Used for randomizing an encryption scheme
- The more random the better

Used in encryption ciphers, WEP, and some SSL implementations

A random number used to increase security by reducing predictability and repeatability; reusing an IV under the same key lets an attacker relate the resulting ciphertexts to each other
IV (Initialization Vector)
94
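Why the IV must not repeat, as an added example that is not part of the original flashcards: a constructed toy stream cipher (keystream blocks derived with HMAC-SHA256 from key, IV and a counter) stands in for a real mode such as AES-CTR. Two messages encrypted under the same key and IV share one keystream, so XORing the ciphertexts cancels it and a known first message reveals the second. The key and messages are made up for the demonstration.

```python
# Added example (not from the original flashcards): why an IV must never be
# reused with the same key. The cipher here is a constructed toy stream
# cipher (keystream blocks from HMAC-SHA256 over key, IV and a counter), a
# stand-in for a real mode such as AES-CTR; the weakness shown is the same.
import hashlib
import hmac
import os


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Block i of the keystream is HMAC-SHA256(key, iv || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = iv + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def recover_second_plaintext(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """With the same key and IV, both ciphertexts share one keystream, so
    c1 XOR c2 == p1 XOR p2. Knowing p1 then yields p2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


# Constructed messages of equal length and a fixed demo key.
KEY = hashlib.sha256(b"demo key, not a secret").digest()
P1 = b"transfer 100 to account 1111"
P2 = b"transfer 999 to account 2222"


def demo() -> tuple:
    """Returns (p2 recovered when the IV is reused, attempt when IVs differ)."""
    reused_iv = bytes(16)                 # the mistake: a constant IV
    c1 = encrypt(KEY, reused_iv, P1)
    c2 = encrypt(KEY, reused_iv, P2)
    leaked = recover_second_plaintext(c1, P1, c2)

    c1_fresh = encrypt(KEY, os.urandom(16), P1)   # fresh random IV per message
    c2_fresh = encrypt(KEY, os.urandom(16), P2)
    attempt = recover_second_plaintext(c1_fresh, P1, c2_fresh)
    return leaked, attempt


if __name__ == "__main__":
    leaked, attempt = demo()
    print("reused IV ->", leaked)   # prints P2 exactly
    print("fresh IVs ->", attempt)  # unrelated bytes
```

The attacker never touches the key: the leak is purely a property of reusing the keystream, which is exactly what WEP's 24-bit IV space made inevitable on a busy network.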
How can an attacker watch without you knowing? - Formally known as man-in-the-middle Redirects your traffic - Then passes it to the destination - You never know your traffic was redirected
On-path network attack
95
On-path attack on the local IP subnet

The act of falsifying the IP-to-MAC address resolution system employed by TCP/IP

Attack that exploits the IP address to MAC address resolution in a network to steal, modify, or redirect frames within the local area network
- Allows an attacker to essentially take over any session within the LAN

Mitigated by VLAN segmentation and by DHCP snooping with Dynamic ARP Inspection (the switch drops ARP replies that contradict its snooping binding table)
ARP poisoning
96
What if the middleman was on the same computer as the victim? - Malware/Trojan does all of the proxy work - Formally known as man-in-the-browser Huge advantages for the attackers - Relatively easy to proxy encrypted traffic - Everything looks normal to the victim Malware in your browser waits for you to login to your bank - And cleans you out
On-path browser attack
97
The MAC table is only so big
- Attacker starts sending traffic with different source MAC addresses
- Forces out the legitimate MAC addresses

The table fills up
- Switch begins flooding traffic to all interfaces

This effectively turns the switch into a hub
- All traffic is transmitted to all interfaces
- No interruption in traffic flows

Attacker can easily capture all network traffic!

Flooding can be restricted in the switch's port security settings (limit the number of MAC addresses learned per port)
MAC flooding
98
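What the two previous cards (ARP poisoning and MAC flooding) look like from the switch side, as an added example that is not part of the original flashcards. The observation records are constructed; in practice they would come from a capture, DHCP snooping/DAI logs or port-security counters. Port names, MACs and addresses are made up.

```python
# Added example (not from the original flashcards): spotting ARP poisoning
# and MAC flooding from the switch's point of view. The observations below
# are constructed for the example; in practice they would come from a
# packet capture, DHCP-snooping/DAI logs or a port-security counter.
from collections import defaultdict

# Each record: (switch port, source MAC, ARP sender IP or None for non-ARP)
OBSERVED = [
    ("Gi1/0/1", "00:11:22:33:44:01", "10.0.0.1"),    # the real gateway
    ("Gi1/0/5", "00:11:22:33:44:05", "10.0.0.5"),
    ("Gi1/0/6", "00:11:22:33:44:06", "10.0.0.6"),
    ("Gi1/0/7", "de:ad:be:ef:00:07", "10.0.0.1"),    # someone else claims 10.0.0.1
    ("Gi1/0/7", "de:ad:be:ef:00:07", None),
]
# Port Gi1/0/9 sources 300 different MACs: a single host should not do that.
OBSERVED += [("Gi1/0/9", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", None)
             for i in range(300)]


def arp_conflicts(records) -> dict:
    """Map each ARP sender IP to the MACs that claimed it; more than one MAC
    for the same IP (especially the gateway) is the ARP poisoning indicator."""
    claims = defaultdict(set)
    for _port, mac, ip in records:
        if ip is not None:
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def flooding_ports(records, max_macs: int = 50) -> dict:
    """Count distinct source MACs per port; hundreds on one access port is
    what MAC flooding looks like, and is the number port security limits."""
    seen = defaultdict(set)
    for port, mac, _ip in records:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > max_macs}


if __name__ == "__main__":
    print("IPs claimed by several MACs:", arp_conflicts(OBSERVED))
    print("ports over the MAC limit:", flooding_ports(OBSERVED))
```

A gateway IP answered by two MACs is the highest-value alert in the first check; the threshold in the second is the same number you would configure as the port-security maximum.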
An attacker changes their MAC address to match the MAC address of an existing device - A clone/spoof Circumvent filters - Wireless or wired MAC filters - Identify a valid MAC address and copy it Create a DoS - Disrupt communication to the legitimate MAC Easily manipulated through software - Usually a device driver option The attacker falsifies the MAC address of a device
MAC cloning/spoofing
99
Modify the DNS server
- Requires some crafty hacking

Modify the client hosts file
- The hosts file takes precedence over DNS queries

Send a fake response to a valid DNS request
- Requires a redirection of the original request or the resulting response

Type of attack that exploits vulnerabilities in the domain name system to divert internet traffic away from legitimate servers and towards fake ones
DNS poisoning
100
Get access to the domain registration, and you have control where the traffic flows - You don't need to touch the actual servers - Determines the DNS names and DNS IP addresses Many ways to get into the account - Brute force - Social engineer the password - Gain access to the email address that manages the account The act of changing the registration of a domain name without the permission of the victim
Domain hijacking
101
Make money from your mistakes
- There's a lot of advertising on the 'net

Sell the badly spelled domain to the actual owner
- Sell a mistake

Redirect to a competitor
- Not as common, legal issues

Phishing site
- Looks like the real site, please login

Infect with drive-by download

Redirects the user to a false website based on a misspelling of the URL; also called typosquatting
URL hijacking
102
The internet is tracking your security posture - They know when things go sideways Email reputation - Suspicious activity - Malware originating from the IP address A bad reputation can cause email delivery to fail - Email rejection or simply dropped Check with the email or service provider to check the reputation - Follow their instructions to remediate Infected systems are noticed by the search engines - Your domain can be flagged or removed Users will avoid the site - Sales will drop - Users will avoid your brand Malware might be removed quickly - Recovery takes much longer
Domain reputation
103
Launch an army of computers to bring down a service
- Use all the bandwidth or resources
- Traffic spike

This is why the attackers have botnets
- Thousands or millions of computers at your command
- At its peak, the Zeus botnet infected over 3.6 million PCs
- Coordinated attack

Asymmetric threat
- The attacker may have fewer resources than the victim

Multiple different sources attack one victim
Network DDoS
104
Make the application break or work harder
- Increase downtime and costs

Overuse a measured (metered) cloud resource
- More CPU/memory/network is more money

Increase the cloud server response time
- Victim deploys a new application instance
- Repeat
Application DoS
105
The hardware and software for industrial equipment - Electric grids, traffic control, manufacturing plants, etc This is more than a web server failing - Power grid drops offline - All traffic lights are green - Manufacturing plant shuts down Requires a different approach - A much more critical security posture
Operational Technology (OT) DoS
106
Command line for system administrators
- .ps1 file extension
- Included with Windows 8/8.1 and 10

Extend command-line functions
- Uses cmdlets (command-lets)
- Standalone executables

Attack Windows systems
- System administration
- Active Directory administration
- File share access
Windows Powershell
107
General-purpose scripting language - .py file extension Popular in many technologies - Broad appeal and support Commonly used for cloud orchestration - Create and tear down application instances Attack the infrastructure - Routers, servers, switches
Python
108
Scripting the Unix/Linux shell - Automate and extend the command line - Bash, Bourne, Korn, C Starts with a shebang or hash-bang #! - Often has a .sh file extension Attack the Linux/Unix environment - Web, database, virtualization servers Control the OS from the command line - Malware has a lot of options
Shell script
109
Automate functions within an application - Or OS Designed to make the application easier to use - Can often create security vulnerabilities Attackers create automated exploits - They just need the user to open the file - Prompts to run the macro
Macros
110
Automates processes within Windows applications - Common in Microsoft Office A powerful programming language - Interacts with the operating system
VBA (Visual Basic for Applications)
110
More than just passwords on sticky notes
- Some are out for no good

Sophistication may not be advanced, but they have institutional knowledge
- Attacks can be directed at vulnerable systems
- They know what to hit

Someone inside the company who has intimate knowledge of the company and how its network works. They can pinpoint a specific vulnerability and may already have access to multiple parts of the network
Insiders
111
Governments
- National security, job security
- Always an external entity

Highest sophistication
- Military control, utilities, financial control

Constant attacks
- Commonly an APT

These are massive security risks that can cost companies and countries millions of dollars. Nation states have very sophisticated hacking teams that target the security of other nations. They often attack military organizations or large security sites, and they frequently attack power plants.
Nation states
112
A hacker with a purpose
- Social change or a political agenda
- Often an external entity

Can be remarkably sophisticated
- Very specific hacks
- DoS, web site defacing, release of private documents, etc

Funding is limited
- Some organizations have fundraising options

An individual who misuses computer systems for a socially or politically motivated agenda. They have roots in the hacker culture and ethics. A hacker on a mission.
Hacktivist
113
Runs pre-made scripts without any knowledge of what's really happening - Not necessarily a youngster Can be internal or external - But usually external Not very sophisticated No formal funding - Looking for low hanging fruit Motivated by the hunt - Working the ego, trying to make a name A person who uses pre-existing code and scripts to hack into machines, because they lack the expertise to write their own
Script kiddies
114
Professional criminals - Motivated by money - Almost always an external entity Very sophisticated - Best hacking money can buy Crime that's organized - One person hacks, one person manages the exploits, another person sells the data, another handles customer support Lots of capital to fund hacking efforts These are professionals motivated ultimately by profit. They have enough money to buy the best gear and tech. Multiple people perform specific roles: gathering data, managing exploits, and one who actually writes the code
Organized crime/Criminal syndicate
115
Experts with technology - Often driven by money, power, and ego Authorized - An ethical hacker with good intentions - And permission to hack Unauthorized - Malicious, violates security for personal gain Semi-authorized - Finds a vulnerability, doesn't use it
Hackers
116
Going rogue - Working around the internal IT organization IT can put up roadblocks - Use the cloud - Might also be able to innovate Not always a good thing - Wasted time and money - Security risks - Compliance issues - Dysfunctional organization
Shadow IT
117
Many different motivations - DoS, espionage, harm reputation High level of sophistication - Based on some significant funding - The competitive upside is huge (and very unethical) Many different intents - Shut down your competitor during an event - Steal customer lists - Corrupt manufacturing databases - Take financial information Rival companies, can bring down the network or steal information through espionage
Competitors
118
Method used by the attacker
- Gain access to or infect the target

A lot of work goes into finding vulnerabilities in these vectors
- Some are more valuable than others

IT security professionals spend their careers watching these vectors
- Closing up existing vectors
- Finding new ones
Attack vectors
119
There's a reason we lock the data center
- Physical access to a system is a significant attack vector

Modify the operating system
- Reset the administrator password in a few minutes

Attach a keylogger
- Collect usernames and passwords

Transfer files
- Take it with you

Denial of service
- This power cable is in the way
Direct access attack vectors
120
Default login credentials
- Modify the access point configuration

Rogue access point
- A less-secure entry point to the network

Evil twin
- Attacker collects authentication details
- On-path attacks
Wireless attack vectors
121
One of the biggest (and most successful) attack vectors
- Everyone has email

Phishing attacks
- People want to click links

Deliver the malware to the user
- Attach it to the message

Social engineering attacks
- Invoice scams
Email attack vectors
122
Tamper with the underlying infrastructure - Or manufacturing process Gain access to network using a vendor Malware can modify the manufacturing process Counterfeit networking equipment - Install backdoors, substandard performance and availability
Supply chain attack vectors
123
Attackers thank you for putting your personal information online - Where you are and when - Vacation pictures are especially telling User profiling - Where were you born? - What is the name of your school mascot? Fake friends are fake - The inner circle can provide additional information
Social media attack vectors
124
Get around the firewall - The USB interface Malicious software on USB flash drives - Infect air gapped networks - Industrial systems, high security services USB devices can act as keyboards - Hacker on a chip Data exfiltration - Terabytes of data walk out the door - Zero bandwidth used
Removable media attack vectors
125
Publicly-facing applications and services - Mistakes are made all the time Security misconfigurations - Data permissions and public data stores Brute force attacks - Or phish the users of the cloud service Orchestration attacks - Makes the cloud build new application instances Denial of service - Disable the cloud services for everyone
Cloud attack vectors
126
Research the threats - and the threat actors Data is everywhere - Hacker group profiles, tools used by the attackers, and much more Make decisions based on this intelligence - Invest in the best prevention Used by researchers, security operations teams, and others
Threat intelligence
127
Open source
- Publicly available resources
- A good place to start

Internet
- Discussion groups, social media

Government data
- Mostly public hearings, reports, websites, etc

Commercial data
- Maps, financial reports, databases
Open-source intelligence (OSINT)
128
Someone else has already compiled the threat information - You can buy it Threat intelligence services - Threat analytics, correlation across different data sources Constant threat monitoring - Identify new threats - Create automated prevention workflows
Closed/proprietary intelligence
129
Researchers find vulnerabilities - Everyone needs to know about them Common Vulnerabilities and Exposures (CVE) - A community managed list of vulnerabilities - Sponsored by DHS and CISA US National Vulnerability Database (NVD) - Summary of CVEs - Also sponsored by DHS and CISA NVD provides additional detail over the CVE list - Patch availability and severity scoring
Vulnerability databases
130
Public threat intelligence - Often classified information Private threat intelligence - Private companies have extensive resources Need to share critical security details - Real-time, high-quality cyber threat information sharing Cyber Threat Alliance (CTA) - Members upload specifically formatted threat intelligence - CTA scores each submission and validates across other submissions - Other members can extract the validated data
Public/private information-sharing centers
131
Intelligence industry needs a standard way to share important threat data - Share information freely Structured Threat Information eXpression (STIX) - Describes cyber threat information - Includes motivations, abilities, capabilities, and response information Trusted Automated eXchange of Indicator Information (TAXII) - Securely shares STIX data
Automated indicator sharing (AIS)
132
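What consuming a STIX feed looks like in practice, as an added example that is not part of the original flashcards: a minimal STIX 2.1 bundle in the shape a TAXII server returns, a loader that pulls the indicator values out of simple equality patterns, and a matcher that checks log lines against them. The bundle, its object IDs, the indicator values (RFC 5737 documentation addresses) and the log lines are all constructed; only the single-comparison pattern form "[type:value = '...']" is handled, real STIX patterns can be far richer.

```python
# Added example (not from the original flashcards): consuming a STIX 2.1
# indicator bundle, the object format TAXII servers serve, and checking log
# lines against it. The bundle, its object IDs and the log lines are all
# constructed for this example (RFC 5737 documentation addresses); only
# the simple single-comparison pattern form "[type:value = '...']" is handled.
import json
import re

FEED = json.dumps({
    "type": "bundle",
    "id": "bundle--3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--9d1a1b7e-5e6a-4a2a-9d3e-0c1d2e3f4a5b",
         "created": "2024-01-10T00:00:00.000Z",
         "modified": "2024-01-10T00:00:00.000Z",
         "name": "Known C2 server", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']",
         "valid_from": "2024-01-10T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--7c2b0f10-2a1e-4bd1-8f1a-6b5c4d3e2f1a",
         "created": "2024-01-10T00:00:00.000Z",
         "modified": "2024-01-10T00:00:00.000Z",
         "name": "Phishing landing page", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-verify.example']",
         "valid_from": "2024-01-10T00:00:00Z"},
    ],
})

SIMPLE_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")


def load_indicators(bundle_json: str) -> list:
    """Return (object type, value, indicator id) for each supported pattern."""
    found = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = SIMPLE_PATTERN.fullmatch(obj["pattern"])
        if m:
            found.append((m.group(1), m.group(2), obj["id"]))
    return found


# Constructed firewall and DNS log lines.
LOG_LINES = [
    "fw: ALLOW tcp 10.0.0.5:51022 -> 198.51.100.23:443",
    "fw: ALLOW tcp 10.0.0.6:51023 -> 198.51.100.230:443",
    "dns: query A login-verify.example from 10.0.0.9",
    "dns: query A notlogin-verify.example from 10.0.0.9",
]


def match_logs(indicators: list, lines: list) -> list:
    """Return (line number, indicator id) for each line containing an
    indicator value as a whole token, not as part of a longer IP or name."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for _kind, value, ind_id in indicators:
            token = r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])"
            if re.search(token, line):
                hits.append((number, ind_id))
    return hits


if __name__ == "__main__":
    for hit in match_logs(load_indicators(FEED), LOG_LINES):
        print("IOC hit on line %d: %s" % hit)
```

The token boundaries matter: a naive substring check would also flag 198.51.100.230 and notlogin-verify.example, which is the kind of false positive a feed-driven detection produces when the matcher is sloppier than the data.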
Dark web - Overlay networks that use the Internet - Requires specific software and configurations to access Hacking groups and services - Activities - Tools and techniques - Credit card sales - Accounts and passwords Monitor forums for activity - Company names, executive names
Dark web intelligence
133
An event that indicates an intrusion - Confidence is high - He's calling from inside the house Indicators - Unusual amount of network activity - Change to file hash values - Irregular international traffic - Changes to DNS data - Uncommon login patterns - Spikes of read requests to certain files
Indicators of Compromise (IOC)
134
Analyze large amounts of data very quickly - Find suspicious patterns - Big data used for cybersecurity Identify patterns - DNS queries, traffic patterns, location data Creates a forecast for potential attacks - An early warning system Often combined with machine learning - Less emphasis on signatures
Predictive analysis
135
Identify attacks and trends - View worldwide perspective Created from real attack data - Identify and react
Threat maps
136
See what the hackers are building - Public code repositories, GitHub See what people are accidentally releasing - Private code can often be published publicly Attackers are always looking for this code - Potential exploits exist - Content for phishing attacks
File/code repositories
137
Vendors and manufacturers - They wrote the software They know when problems are announced - Most vendors are involved in the disclosure process They know their product better than anyone - They react when surprises happen - Scrambling after a zero-day announcement - Mitigating and support options
Vendor websites
138
Watch and learn - An early warning of things to come Researchers - New DDoS methods, intelligence gathering, hacking the latest technologies Stories from the trenches - Fighting and recovering from attacks - New methods to protect your data Building relationships - forge alliances
Conferences
139
Research from academic professionals - Cutting edge security analysis Evaluations of existing security technologies - Keeping up with the latest attack methods Detailed post mortem - Tear apart the latest malware and see what makes it tick Extremely detailed information - Break apart topics into their small pieces
Academic journals
140
Published by the Internet Society (ISOC) - Often written by the Internet Engineering Task Force (IETF) Not all are standards documents - Experimental, Best Current Practice, Standard Track, and Historic
Request for Comments (RFC)
141
Gathering of local peers - Shared industry and technology, geographical presence Associations - Information Systems Security Association, Network Professional Association - Meet others in the area, discuss local challenges Industry user groups - Cisco, Microsoft, VMware, etc
Local industry groups
142
Hacking group conversations
- Monitor the chatter

Honeypot monitoring on Twitter
- Identify new exploit attempts

Keyword monitoring
- CVE-2020-*, bugbounty, 0-day

Analysis of vulnerabilities
- Professionals discussing the details

Command and control
- Use social media as the transport
Social media
143
Monitor threat announcements - Stay informed Many sources of information
Threat feeds
144
Tactics, techniques, and procedures
- What are adversaries doing and how are they doing it?

Search through data and networks
- Proactively look for threats
- Signatures and firewall rules can't catch everything

Different types of TTPs
- Information on targeted victims (finance departments of energy companies)
- Infrastructure used by attackers (DNS names and IP addresses)
- Outbreak of a particular malware variant on a service type
TTP
145
Many applications have vulnerabilities - We've just not found them yet Someone is working hard to find the next big vulnerability - The good guys share these with developers Attackers keep these yet-to-be-discovered holes to themselves - They want to use these vulnerabilities for personal gain Vulnerability has not been detected or published
Zero-day attacks
146
Very easy to leave a door open - Hackers will always find it Increasingly common with cloud storage - Statistical chance of finding this
Open permissions Vulnerability
147
The Linux root account
- The administrator or superuser account

Can be a misconfiguration
- Intentionally configuring an easy-to-hack password

Disable direct login to the root account
- Use the su or sudo option

Protect accounts with root or administrator access
- There should not be a lot of these
Unsecured root accounts Vulnerability
148
Encryption protocols (AES, 3DES, etc) - Length of the encryption key (40 bits, 128 bits, 256 bits) - Wireless encryption (WEP, WPA) Some cipher suites are easier to break than others - Stay updated with the latest best practices TLS is one of the most common issues - Over 300 cipher suites Which are good and which are bad? - Weak or null encryption (less than 128 bit key sizes), outdated hashes (MD5)
Weak encryption Vulnerability
149
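Sorting a cipher suite list into good and bad by the card's own criteria (null or export-grade encryption, keys under 128 bits, RC4, DES/3DES, MD5), as an added example that is not part of the original flashcards. Suite names are in OpenSSL style; the sample list is constructed to resemble what a scanner reports from an old server, and the last function runs the same check against the suites Python's default TLS context offers on the local machine.

```python
# Added example (not from the original flashcards): sorting a list of TLS
# cipher suites into acceptable and weak by the criteria the card gives
# (null or export-grade encryption, key sizes below 128 bits, RC4, single
# DES and 3DES, MD5). Names are OpenSSL-style; the sample list is constructed.
import re
import ssl

# Rule: (regex on the OpenSSL cipher name, reason reported)
WEAK_RULES = [
    (r"NULL",           "null encryption or authentication"),
    (r"^EXP",           "export-grade (40/56-bit) key"),
    (r"RC4",            "RC4 stream cipher"),
    (r"(^|-)DES-CBC3-", "3DES (112-bit effective strength)"),
    (r"(^|-)DES-CBC-",  "single DES (56-bit key)"),
    (r"MD5",            "MD5 MAC"),
]


def weaknesses(cipher_name: str, bits: int = None) -> list:
    """Return every rule a suite trips; an empty list means it looks fine."""
    reasons = [why for pattern, why in WEAK_RULES if re.search(pattern, cipher_name)]
    if bits is not None and bits < 128:
        reasons.append(f"{bits}-bit key")
    return reasons


def audit(suites: list) -> dict:
    """Split (name, bits) pairs into 'ok' names and 'weak' name -> reasons."""
    report = {"ok": [], "weak": {}}
    for name, bits in suites:
        problems = weaknesses(name, bits)
        if problems:
            report["weak"][name] = problems
        else:
            report["ok"].append(name)
    return report


# Constructed sample of what a scanner might enumerate from an old server.
SAMPLE = [
    ("ECDHE-RSA-AES128-GCM-SHA256", 128),
    ("ECDHE-RSA-CHACHA20-POLY1305", 256),
    ("AES256-SHA", 256),
    ("DES-CBC3-SHA", 168),   # OpenSSL reports the nominal 168-bit key
    ("EXP-RC4-MD5", 40),
    ("NULL-SHA256", 0),
]


def audit_default_context() -> dict:
    """Same check against the cipher list Python's default TLS context
    actually offers on this machine (ssl.SSLContext.get_ciphers())."""
    ctx = ssl.create_default_context()
    return audit([(c["name"], c["bits"]) for c in ctx.get_ciphers()])


if __name__ == "__main__":
    print(audit(SAMPLE))
    print("weak suites in local default context:", audit_default_context()["weak"])
```

The 3DES rule is matched by name rather than by the reported key size, because OpenSSL reports the nominal 168 bits while the meet-in-the-middle strength is 112, which is why the card lists 3DES alongside the short-key suites.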
Some protocols aren't encrypted - All traffic sent in the clear - Telnet, FTP, SMTP, IMAP Verify with packet capture - View everything sent over the network Use the encrypted versions - SSH, SFTP, IMAPS, etc
Insecure protocols Vulnerability
150
Every application and network device has a default login - Not all of these are ever changed
Default settings Vulnerability
151
Services will open ports - It's important to manage access Often managed with a firewall - Manage traffic flows - Allow or deny based on port number or application Firewall rulesets can be complex - It's easy to make a mistake Always test and audit - Double and triple check
Open ports and services Vulnerability
152
Often centrally managed
- The upgrade server determines when you patch
- Test all of your apps, then deploy
- Efficiently manage bandwidth

Firmware
- The BIOS of the device

Operating system
- Monthly and on-demand patches

Applications
- Provided by the manufacturer as needed
Improper patch management Vulnerability
153
Some devices remain installed for a long time
- Perhaps too long

Legacy devices
- Older operating systems, applications, middleware

May be running end-of-life software
- Risk needs to be compared to the return

May require additional security protections
- Additional firewall rules
- IPS signature rules for older operating systems
Legacy platforms Vulnerability
154
Professional installation and maintenance
- Can include elevated OS-level access

Can be on-site
- With physical or virtual access to data and systems
- Keylogger installations and USB flash drive data transfers

Can run software on the internal network
- Less security on the inside
- Port scanners, traffic captures
- Inject malware and spyware, sometimes inadvertently
System integration risk
155
Security requires diligence
- The potential for a vulnerability is always there

Vendors are the only ones who can fix their products
- Assuming they know about the problem
- And care about fixing it
Lack of vendor support
156
You can't always control security at a third-party location
- Always maintain local security controls

Hardware and software from a vendor can contain malware
- Verify the security of new systems

Counterfeit hardware is out there
Supply chain risk
157
Accessing the code base - Internal access over the VPN - Cloud-based access Verify security to other systems - The development systems should be isolated Test the code security - Check for backdoors - Validate data protection and encryption
Outsourced code development
158
Consider the type of data - Contact information - Healthcare details, financial information Storage at a third-party may need encryption - Limits exposure, adds complexity Transferring data - The entire data flow needs to be encrypted
Data storage
159
Vulnerability: Unsecured databases
- No password or default password
- Thousands of internet-exposed databases have been found wiped by automated attacks
- Data overwritten with random strings; no ransom note, message, or stated motivation
Data loss
160
Getting hacked isn't a great look - Organizations are often required to disclose - Stock prices drop, at least for the short term
Reputational impact
161
Outages and downtime - Systems are unavailable The pervasive ransomware attack - Brings down the largest networks
Availability loss
162
The constant game of cat and mouse - Find the attacker before they find you Strategies are constantly changing - Firewalls get stronger, so phishing gets better Intelligence data is reactive - You can't see the attack until it happens Speed up the reaction time - Use technology to fight
Threat hunting
163
An overwhelming amount of security data - Too much data to properly detect, analyze, and react Many data types - Dramatically different in type and scope Separate teams - Security operations, security intelligence, threat response Fuse the security data together with big data analytics - Analyze massive and diverse datasets - Pick out the interesting data points and correlations
Intelligence fusion
164
Collect the data - Logs and sensors, network information, internet events, intrusion detection Add external sources - Threat feeds, government alerts, advisories and bulletins, social media Correlate with big data analytics - Focus on predictive analysis and user behavior analytics - Mathematical analysis of unstructured data
Fusing the data
165
In the physical world, move troops and tanks - Stop the enemy on a bridge or shore In the virtual world, move firewalls and operating systems - Set a firewall rule, block an IP address, delete malicious software Automated maneuvers - Moving at the speed of light - The company reacts instantly Combined with fused intelligence - Ongoing combat from many fronts
Cybersecurity maneuvers
166
Usually minimally invasive - Unlike a penetration test Port scan - Poke around and see what's open Identify systems - And security devices Test from the outside and inside - Don't dismiss insider threats Gather as much information as possible
Vulnerability scanning
167
Gather information, don't try to exploit a vulnerability
Non-intrusive scans
168
You'll try out the vulnerability to see if it works
Intrusive scans
169
The scanner can't login to the remote device
Non-credentialed scans
170
You're a normal user, emulates an insider attack
Credentialed scan
171
Scans desktop or mobile apps
Application scan
172
Scans software on a web server
Web application scan
173
Scans misconfigured firewalls, open ports, vulnerable devices
Network scans
174
Quantitative scoring of a vulnerability - 0 to 10 The scoring standards change over time
Common Vulnerability Scoring System (CVSS)
175
Vulnerability is identified that doesn't really exist. Different from low severity, where the vulnerability is real but not the highest priority
False positive
176
Vulnerability exists but you didn't detect it Update to the latest signatures - If you don't know about it, you can't see it Work with the vulnerability detection manufacturer - They may need to update their signatures for your environment
False negative
177
Validate the security of device configurations - It's easy to misconfigure one thing - A single unlocked window puts the entire home at risk Workstations - Account configurations, local device settings Servers - Access controls, permission settings Security devices - Firewall rules, authentication options
Configuration review
178
Logging of security events and information

Log collection of security alerts
- Real-time information

Log aggregation and long-term storage
- Usually includes advanced reporting features

Data correlation
- Link diverse data types

Forensic analysis
- Gather details after an event

Data inputs
- Server authentication attempts
- VPN connections
- Firewall session logs
- Denied outbound traffic flows
- Network utilization

Packet captures
- Network packets
- Often associated with a critical alert
- Some organizations capture everything
SIEM
179
Standard for message logging - Diverse systems, consolidated log Usually a central log collector - Integrated into the SIEM You're going to need a lot of disk space - Data storage from many devices over an extended timeframe
Syslog
180
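What the SIEM and Syslog cards above describe, done end to end as an added example that is not part of the original flashcards: parse RFC 3164-style syslog lines (PRI, timestamp, host, application, message), then correlate SSH authentication failures per source address over a sliding window, the "server authentication attempts" input the SIEM card lists. The log lines, hostnames and addresses are constructed for the example.

```python
# Added example (not from the original flashcards): what a SIEM does with
# syslog input. It parses RFC 3164-style lines (PRI, timestamp, host, app,
# message), then correlates SSH authentication failures per source address
# over a sliding time window. The log lines are constructed for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_syslog(line: str, year: int = 2024):
    """Split a line into fields; PRI = facility * 8 + severity. Returns None
    for lines that are not syslog (the year is assumed: RFC 3164 omits it)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri // 8, "severity": pri % 8,
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "app": m["app"], "msg": m["msg"],
    }


def correlate(lines: list, threshold: int = 5, window: int = 60) -> list:
    """Alert when one source IP fails `threshold` logins inside `window`
    seconds, and again (higher confidence) if that IP later succeeds."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["app"] != "sshd":
            continue
        fail = FAILED_RE.search(ev["msg"])
        ok = ACCEPTED_RE.search(ev["msg"])
        if fail:
            ip = fail["ip"]
            q = recent[ip]
            q.append(ev["time"])
            while q and (ev["time"] - q[0]) > timedelta(seconds=window):
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "host": ev["host"],
                               "failures": len(q), "at": ev["time"]})
        elif ok and ok["ip"] in flagged:
            alerts.append({"type": "brute_force_success", "ip": ok["ip"],
                           "user": ok["user"], "host": ev["host"], "at": ev["time"]})
    return alerts


# Constructed log: six failures from one address in 40 seconds, then a
# successful login from it; a second address that fails twice and gives up.
SAMPLE_LOG = [
    "<38>Jan 12 10:01:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "<38>Jan 12 10:01:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "<38>Jan 12 10:01:15 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    "<38>Jan 12 10:01:20 web01 sshd[2216]: Failed password for invalid user oracle from 198.51.100.9 port 40010 ssh2",
    "<38>Jan 12 10:01:22 web01 sshd[2218]: Failed password for root from 203.0.113.7 port 51140 ssh2",
    "<38>Jan 12 10:01:30 web01 sshd[2220]: Failed password for root from 203.0.113.7 port 51141 ssh2",
    "<38>Jan 12 10:01:36 web01 sshd[2222]: Failed password for invalid user test from 198.51.100.9 port 40012 ssh2",
    "<38>Jan 12 10:01:43 web01 sshd[2224]: Failed password for root from 203.0.113.7 port 51150 ssh2",
    "<38>Jan 12 10:02:05 web01 sshd[2230]: Accepted password for deploy from 203.0.113.7 port 51160 ssh2",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The second alert is the one worth paging on: a success from an address that had just been hammering the server is the "uncommon login pattern" indicator rather than background noise, and the failure-only alert is what a SIEM rule would otherwise drown you in.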
Constant information flow - Important metrics in the incoming logs Track important statistics - Exceptions can be identified Send alerts when problems are found - Email, text, call, etc Create triggers to automate responses - Open a ticket, reboot a server
Security monitoring
181
Detect insider threats Identify targeted attacks Catches what the SIEM and DLP systems might miss
User and entity behavior analytics (UEBA)
182
Public discourse correlates to real-world behavior - If they hate you, they hack you - Social media can be a barometer
Sentiment analysis
183
Security orchestration, automation, and response
- Automate routine, tedious, and time-intensive activities

Orchestration
- Connecting many different tools together

Automation
- Handle security tasks automatically

Response
- Make changes immediately
Security orchestration, automation, and response (SOAR)
184
Pentest - Simulate an attack Similar to vulnerability scanning - Except we actually try to exploit the vulnerabilities Often a compliance mandate - Regular penetration testing by a 3rd-party
Penetration testing
185
An important document - Defines purpose and scope - Makes everyone aware of the test parameters Type of testing and schedule - On-site physical breach, internal test, external test - Normal working hours, after 6 PM only, etc The rules - IP address ranges - Emergency contacts - How to handle sensitive information - In-scope and out-of-scope devices or applications
Rules of engagement
186
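The rules of engagement as data the tooling can enforce, as an added example that is not part of the original flashcards: the agreed address ranges, an explicit exclusion and the "after 6 PM only" window are encoded once, and every target is checked against them before a scanner is pointed at it. The ranges (RFC 5737 documentation addresses), exclusion, hours and contact are constructed for a hypothetical engagement.

```python
# Added example (not from the original flashcards): encoding the rules of
# engagement as data and checking every target against them before a tool
# is pointed at it. The ranges, exclusion and hours are constructed for a
# hypothetical engagement (RFC 5737 documentation addresses).
import ipaddress
from datetime import datetime, time

ROE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.0/25"],
    "excluded": ["203.0.113.10/32"],      # e.g. the production database host
    "window_start": time(18, 0),          # "after 6 PM only": 18:00 to 06:00
    "window_end": time(6, 0),
    "emergency_contact": "soc-oncall@example.com",
}

# Constructed clock values for the demo: one inside the window, one outside.
EXAMPLE_NIGHT = datetime(2024, 3, 4, 21, 30)
EXAMPLE_DAY = datetime(2024, 3, 4, 14, 0)


def in_window(now: datetime, start: time, end: time) -> bool:
    """True inside [start, end); handles a window that wraps past midnight."""
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_target(target: str, now: datetime, roe: dict = ROE) -> tuple:
    """Return (allowed, reason). Exclusions win over in-scope ranges."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False, "not an IP address; resolve names and check each address"
    if any(ip in ipaddress.ip_network(n) for n in roe["excluded"]):
        return False, "explicitly excluded by the rules of engagement"
    if not any(ip in ipaddress.ip_network(n) for n in roe["in_scope"]):
        return False, "outside the agreed address ranges"
    if not in_window(now, roe["window_start"], roe["window_end"]):
        return False, "outside the agreed testing window"
    return True, "in scope"


def filter_targets(targets: list, now: datetime, roe: dict = ROE) -> list:
    """Keep only the targets that pass; the rejects are logged, not scanned."""
    return [t for t in targets if check_target(t, now, roe)[0]]


if __name__ == "__main__":
    for t in ["203.0.113.5", "203.0.113.10", "198.51.100.200", "192.0.2.1", "app.example"]:
        print(t, check_target(t, EXAMPLE_NIGHT))
```

Names are deliberately refused rather than resolved inside the check: a hostname can resolve to an out-of-scope address (a CDN, a shared host) and the rules of engagement are written in terms of addresses, so resolution happens first and each resulting address is checked on its own.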
Move from system to system The inside of the network is relatively unprotected
Lateral movement
187
Once you're there, you need to make sure there's a way back in Set up a backdoor, build user accounts, change or verify default passwords
Persistence
188
Gain access to systems that would normally not be accessible Use a vulnerable system as a proxy or relay Occurs when an attacker moves onto another workstation or user account
Pivot
189
Leave the network in its original state Remove any binaries or temporary files Remove any backdoors Delete user accounts created during the test
Cleanup
190
A reward for discovering vulnerabilities Earn money for hacking a system Document the vulnerability to earn cash
Bug bounty
191
Learn as much as you can from open sources - There's a lot of information out there - Remarkably difficult to protect or identify Social media Corporate web site Online forums, Reddit Social engineering Dumpster diving Business organizations
Passive footprinting
192
Combine WiFi monitoring and a GPS
- Search from your car or plane
- Search from a drone

Huge amount of intel in a short period of time
- And often some surprising results

All of this is free
- Kismet, inSSIDer
- Wireless Geographic Logging Engine - http://wigle.net
Wardriving/warflying
193
Gathering information from many open sources - Find information on anyone or anything - The name is not related to open-source software Data is everywhere Automated gathering - Many software tools available
Open Source Intelligence (OSINT)
194
Trying the doors - Maybe one is unlocked - Don't open it yet - Relatively easy to be seen Visible on network traffic and logs Ping scans, port scans, DNS queries, OS scans, OS fingerprinting, Service scans, versions scans
Active footprinting
195
Cybersecurity involves many skills
- Operational security, penetration testing, exploit research, web application hardening, etc

Become an expert in your niche
- Everyone has a role to play

The teams
- Red team, blue team, purple team, white team
Security teams
196
Offensive security team
- The hired attackers

Ethical hacking
- Find security holes

Exploit vulnerabilities
- Gain access

Social engineering
- Constant vigilance

Web application scanning
- Test and test again
Red team
197
Defensive security
- Protecting the data

Operational security
- Daily security tasks

Incident response
- Damage control

Threat hunting
- Find and fix the holes

Digital forensics
- Find data everywhere
Blue team
198
Red and blue teams
- Working together

Competition isn't necessarily useful
- Internal battles can stifle organizational security
- Cooperate instead of compete

Deploy applications and data securely
- Everyone is on board

Create a feedback loop
- Red informs blue, blue informs red
Purple team
199
Not on a side
- Manages the interactions between red teams and blue teams

The referees in a security exercise
- Enforces the rules
- Resolves any issues
- Determines the score

Manages the post-event assessments
- Lessons learned
- Results
White team
200
A technical method used in social engineering to trick users into entering their username and password by adding an invisible string before the web link they click. This string (data:text) converts the link into a Data URL (also called a data URI), which embeds small files inline in a document.
Prepending
201
The use by one person of another person's personal information, without authorization, to commit a crime or to deceive or defraud that other person or a third person. Identity theft involves stealing another person's identity and using it as your own. Identity fraud and identity theft are commonly used interchangeably these days.
Identity fraud
202
The weaponized code establishes an outbound channel to a remote server, which can then be used to control the remote access tool and possibly download additional tools to progress the attack.
Command and control
203
Attack that targets an individual client connected to a network, forces it offline by deauthenticating it, and then captures the handshake when it reconnects. Used as part of an attack on WPA/WPA2.
Disassociation