Lec-2: Cyber Security
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY (د باختر پوهنتون)
Types of Cyberattacks
• Cyberattacks compromise
• Confidentiality by stealing money
• Integrity by modifying data
• Availability by denying access to data, services and systems
• Some attacks may combine two or more of these types in a single
attack, but these three are the building blocks for most malicious
cyber activities.
Types of Cyber Attack
• Phishing / Spearphishing
• Drive-By / Watering Hole / Malvertising
• Code Injection / Webshell
• Keylogging / Session Hijacking
• Pass-the-Hash and Pass-the-Ticket
• Credential Harvesting
• Gate-crashing
• Malware / Botnet
• DDoS
• Identity Theft
• Industrial Espionage
• Pickpocket
• Bank Heist
• Ransomware
Phishing / Spearphishing
• Phishing and spearphishing are some of the most effective ways of
getting into an enterprise’s network.
• Attackers send e-mail to the victims (targeted e-mail to a specific
person if it’s spearphishing), and that e-mail is the vehicle used to take
control of the victim’s computer.
Phishing / Spearphishing
• Impact:
• Gain control of a personal computer inside the enterprise’s network
• With spearphishing, this control includes a computer belonging to a specific person, such as an
executive or systems administrator.
• Methods and Consequences:
• There are three techniques commonly used for phishing and spearphishing attacks:
• An e-mail message containing a malicious attachment
• An e-mail containing a link to a web page
• An e-mail containing a link to a web page that asks the victim to type his or her logon credentials
• Potential Defense
• Training to help users recognize when they are being phished
• Educating executives and systems administrators on the threats
• Protecting email and web gateways
• Hardening endpoint computers
Drive-By / Watering Hole / Malvertising
• A drive-by or watering hole attack involves compromising a victim’s
web site and then configuring that website to deliver malware to
people who visit the site.
• When unsuspecting users visit the site, their computers are infected
with malware and the attackers are able to move their attack
forward.
• A malvertising attack has the same effect, but rather than directly
compromising the site, attackers deliver malware through advertising
feeds displayed on the web page alongside the victim’s content.
Drive-by / Watering Hole / Malvertising
• Impact:
• The victim enterprise becomes an intermediary in an attack that targets the people who visit its website
• The victim enterprise suffers collateral damage
• The victim enterprise’s reputation will be damaged when the story comes out
• Methods and Consequences:
• There are two techniques commonly used for such kinds of attacks.
• Web sites with vulnerabilities are exploited to get control of the site directly from the internet
• Compromise the victim enterprise to get access to the computers and accounts with administrative control over the site
• Potential Defense
• Web site operators need to have strong configuration control over public-facing web sites
• Advertising networks should strongly filter their content and prevent unexpected and unacceptable behavior
• Surfing the web carefully using non-administrative credentials
• Fully patched endpoint computers
• Hardening endpoint computers
Code Injection / Webshell
• Servers are potentially just as vulnerable as endpoint computers, and they can be
compromised using some of the same techniques.
• Two attacks unique to servers are
• Code injection
• Webshells.
• Code injection compromises a vulnerable web site by modifying requests to the site so
they contain scripting code or SQL code, which the server then executes without
checking it.
• If the server executes this code with administrative privileges, the attackers can use
the attack to take control of the server.
• Once the attackers have control of the server, they can place a webshell into the server’s
web site.
• A webshell is a back door that allows the attackers to return to the server’s web site and
execute commands directly on the server.
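An added example (not from the lecture) of the code injection described above: the same login query built by string concatenation, so that request data becomes SQL the server runs unchecked, beside the parameterised form that closes the hole. The users table, its rows and the tampered request value are constructed for the demo.

```python
# Added example (not the lecture's code): SQL code injection, vulnerable vs. hardened.
# The users table, its rows and the request values below are constructed.
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", 1), ("alice", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation, so whatever the request
    contains becomes part of the SQL text and is executed without checking."""
    sql = (
        "SELECT username, is_admin FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()  # None means the login failed


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the driver passes the values separately
    from the SQL text, so a quote or comment marker in the input is just data."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def contains_sql_metacharacters(value: str) -> bool:
    """Cheap gateway-style check a defender can log and alert on: flags inputs
    carrying the quote and comment tokens injection relies on. This is a
    detection aid only; the fix is parameterisation, not filtering."""
    return any(tok in value for tok in ("'", "--", ";", "/*"))


def demo() -> dict:
    """Run a legitimate login and a constructed tampered request through both versions."""
    conn = build_demo_db()
    # Constructed tampered request: the username closes the string literal and
    # comments out the password check in the concatenated query.
    tampered_user = "admin' --"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hunter2"),
        "legit_hardened": login_hardened(conn, "alice", "hunter2"),
        "tampered_vulnerable": login_vulnerable(conn, tampered_user, "x"),
        "tampered_hardened": login_hardened(conn, tampered_user, "x"),
        "flagged": contains_sql_metacharacters(tampered_user),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable path returns the admin row for the tampered request while the parameterised path returns nothing, which is the whole difference between the two.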
Code Injection / Webshells
• Impact:
• Gain administrative control over an internet-facing server
• Provides a backdoor into the enterprise that is always open and operational for the attacker
• Data and information can be compromised
• Methods and Consequences:
• Commonly used techniques for code injection and webshells are as follows:
• Attacker toolkits are used that contain exploits designed to test internet-facing web sites for
vulnerabilities
• Sites are periodically re-scanned to catch vulnerabilities (introduced by a bad patch or coding mistakes)
• Once a vulnerability is found, it is exploited to compromise the server
and then install a backdoor
• Potential Defense
• Strict configuration control of internet-facing servers is the best defense
• Periodically scan the web sites for the vulnerabilities
Keylogging / Session Hijacking
• Keylogging can be used to capture usernames and passwords of
accounts with single-factor authentication.
• Session hijacking can be used to exploit accounts protected by
multi-factor authentication.
• Once attackers gain control of a victim’s endpoint computer, they can
use a variety of methods to gain use of the victim’s online accounts.
Keylogging / Session Hijacking
• Impact:
• Gain control over the victim’s online account
• This control includes
• The victim’s address book
• E-mail
• Financial accounts and money
• Methods and Consequences:
• Commonly used techniques for keylogging and session hijacking are as follows:
• Find a method to install a keylogger on the victim’s system
• If successful, the attacker will see every key pressed by the victim
• The attacker then waits until credentials are entered
• Once these logons have occurred, the attackers can impersonate the user and make use of the accounts
• Potential Defense
• Secure the endpoint so that it is never infected in the first place
• Use unprivileged accounts
• Protect the end system with anti-virus, anti-malware, intrusion prevention, etc.
• Use multi-factor authentication systems
Pass-the-Hash and Pass-the-Ticket
• Pass-the-hash and pass-the-ticket are attack techniques that enable
attackers to exploit credentials on an enterprise network.
• These credentials are stored in computer memory and on hard drives.
• These attacks effectively bypass the authentication mechanism of
certain enterprise applications.
Pass-the-Hash and Pass-the-ticket
• Impact:
• Attackers move laterally within the enterprise IT environment from computer to
computer
• Methods and Consequences:
• Commonly used techniques for pass-the-hash and pass-the-ticket are as follows:
• Gain administrative control of the victim’s computer
• Scan memory and hard drives for hashes and tickets belonging to users
• Once hashes and tickets are found, use them to connect to other computers on the
enterprise network and move laterally.
• Potential Defense
• Reduce vulnerabilities
• Try to avoid storing hashes and tickets on hard drives
• Try to keep hashes and tickets on the network instead, where they are more difficult for an attacker to reach
Credential Harvesting
• Credential harvesting is a technique whereby attackers compromise
systems that a large number of users visit.
• They then harvest user credentials from those systems.
• In this way, attackers can get the user credentials for a large portion
of the enterprise, all in a single step.
Credential Harvesting
• Impact:
• A large number of user credentials are compromised in a single step.
• This can also afford the attackers access to administrator credentials
• Methods and Consequences:
• Two common approaches for conducting credential harvesting attacks:
• First, target public-facing systems with large numbers of users (such as e-mail, web portals and virtual
desktop systems)
• Exploit a vulnerability to gain control, and then start capturing user credentials
• Second, get inside the enterprise and target vulnerabilities in the authentication systems
• Once an authentication system is compromised, the attacker can get access to credential hashes, tickets, usernames and
passwords
• Potential Defense
• Understand which enterprise IT systems collect large numbers of user logons.
• Protect those systems
• A successful compromise should be detected and responded to in a timely fashion
• Use multi-factor tokens for authentication
Gate-Crashing
• Gate-crashing attacks involve attackers positioning themselves so they
can exploit a vulnerability or a defender mistake to get past a
particular security defense.
• Due to the realities of security technology maintenance and human
errors, almost every preventive defense gets disabled sometime,
either intentionally or by accident. The gate-crashers make sure they
are there to take advantage when it occurs.
Gate-crashing
• Impact:
• Slip past defenses when the opportunity arises
• The attacker waits, repeatedly, for just the right vulnerability or mistake to occur
• Methods and Consequences:
• Two common approaches for conducting gate-crashing attacks:
• Manually: the attacker must have active command-and-control connections to systems inside the victim’s
network
• Automatically: intelligent malware watches the victim network for openings and then exploits
those openings when they occur
• Potential Defense
• Defense layering
• Active monitoring
• Security administrators must be educated on gate-crashing
Malware / Botnet
• Malware is a generic term for malicious software, and it can include
viruses, worms, Trojans, and others.
• There is an extensive malware industry with commodity and custom
toolkits that can be integrated together to perform remote control, session
hijacking, credential harvesting, persistence, and other functions.
• It’s also important to consider remote control functions built into most
modern operating systems as well since, with the right administrator
credentials, those functions can be used for malicious purposes as well.
• Once computers are infected with malware, they may be tied into a botnet
so they can be accounted for and access to them can be sold to the highest
bidder. Botnets can contain hundreds, thousands, or even millions of
compromised machines that can then be used for any attacker purpose.
Malware / Botnet
• Impact:
• Monitor all activity on the victim computer
• Record any credentials and accounts used by the victim
• Allow the attacker to use the computer, either on its own or in conjunction with other machines in a botnet
• Methods and Consequences:
• Malware is installed by exploiting a vulnerability, or willingly by the user of the computer, from a malicious web
site, e-mail attachment or web link.
• Malware may be custom-built or morphed so that it is not recognized by signature-based anti-virus
• Once compromised and joined to a botnet, the computer and its data become available to the botnet
operator
• Potential Defense
• Hardening the OS
• Anti-virus
• Anti-Malware
• User privilege limitation and application
Distributed Denial of Service (DDoS)
• DDoS involves flooding the victim’s computers with so much web
traffic, generated from a distributed network, that the victim is
unable to continue delivering services over the Internet.
DDoS
• Impact:
• Targeted web site is often rendered unusable
• Web sites become unavailable to their own users, customers or partners
• Methods and Consequences:
• Compromise computers, or hire some of the thousands of already-compromised computers
available on the internet.
• Point the hired compromised network at the target
• Potential Defense
• There are two approaches to defend against DDoS:
• The first approach is to utilize content distribution networks that are hard to target and have
the distributed capacity to resist all but the largest DDoS attacks.
• The second approach is to respond quickly to block DDoS traffic at the network layer, thus
mitigating its impact and allowing services to stay operational.
Identity Theft
• Identity theft is one of the most common professional cyberattacks,
since stolen identities (particularly social security numbers, credit
card numbers, and medical records) can be easily sold on the black
market for cash.
• Such attacks tend to focus on
• Centralized IT systems
• Databases
• Hacking into point-of-sale (PoS) systems
• Other critical systems, to obtain identity information.
Identity Theft
• Impact:
• Severe for victim enterprises
• Data disclosure
• Compensation to victims
• Possibly penalties
• Methods and Consequences:
• Gain access to victim networks and obtain privileged access to victim data.
• Potential Defense
• Protect data using different security mechanisms
• Think through the life cycle of the data from capture to disposal
• Monitor the traffic
• Take regular backups
• Look at your data from the adversary’s perspective
Industrial Espionage
• Industrial espionage is a common attack performed by professional
and nation-state attackers to gain advantages in international
business.
• In the international marketplace, such advantages can be big
business indeed, with billions of dollars and entire market segments
at stake.
Industrial Espionage
• Impact:
• Difficult to measure, since it is often difficult to differentiate
• Competitors reading each other’s playbooks
• Economic impact on players who gain the advantage of knowing their competitors’ every
move.
• Stolen data (meeting schedules, enterprise processes, etc.) can be just as useful in defeating
competitors in the international marketplace
• Methods and Consequences:
• Target victim networks to achieve an initial entry
• Then exploit the entry to move laterally and gain privilege within the victim networks.
• Once administrative control is taken, steal business information
• Potential Defense
• Detective and preventive measures are needed
Pickpocket
• A “pickpocket” attack involves hacking victim systems to steal
relatively small amounts of money across a large number of
transactions.
• Some common examples of this attack include redirecting direct
deposit accounts, payroll, or accounts payable accounts to send
money to the attackers’ accounts instead.
Pickpocket
• Impact:
• The attackers quickly get away with a large amount of money when the many
transactions involved are added up.
• When this money is transferred via wire transfer or direct deposit, it can be difficult
or even impossible to trace and recover.
• Methods and Consequences:
• Intercept and redirect financial transactions (payroll, accounts payable
systems, etc.)
• By the time the victim enterprise catches the redirection, the money is often gone.
• Potential Defense
• A rapid alerting and auditing system is needed to catch unauthorized changes before
money is moved
• Acquire help from financial institutions by imposing time delays between when
account information is changed and when the change becomes effective.
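An added example (not from the lecture) that implements the two pickpocket defenses just listed: every payee-account change is audited and run through alert rules, and no change affects a payroll run until it has been confirmed out of band and a hold period has elapsed. The 48-hour hold, the employee records, the requester and the change requests are all constructed assumptions.

```python
# Added example (not the lecture's code): payee-change hold and rapid alerting.
# HOLD_PERIOD, the employee records and the requests below are constructed.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(hours=48)  # assumed policy: a change is live only after 48 h


@dataclass
class AccountChange:
    employee_id: str
    old_account: str
    new_account: str
    requested_by: str
    requested_at: datetime
    confirmed: bool = False  # set only after out-of-band confirmation with the employee


class PayrollRegistry:
    """Live destination accounts plus a queue of pending, not-yet-effective changes."""

    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)  # employee_id -> account money is sent to
        self.pending: list[AccountChange] = []
        self.audit_log: list[str] = []

    def request_change(self, employee_id, new_account, requested_by, now):
        """Record the request in the audit log; it does NOT touch the live account."""
        change = AccountChange(employee_id, self.accounts[employee_id],
                               new_account, requested_by, now)
        self.pending.append(change)
        self.audit_log.append(f"{now.isoformat()} CHANGE_REQUESTED {employee_id} "
                              f"{change.old_account}->{new_account} by {requested_by}")
        return change

    def confirm(self, change, now):
        """Mark a change as confirmed with the employee through a separate channel."""
        change.confirmed = True
        self.audit_log.append(f"{now.isoformat()} CONFIRMED {change.employee_id}")

    def apply_due_changes(self, now):
        """Promote a pending change only when it is confirmed AND the hold has passed."""
        applied = []
        for change in list(self.pending):
            if change.confirmed and now - change.requested_at >= HOLD_PERIOD:
                self.accounts[change.employee_id] = change.new_account
                self.pending.remove(change)
                self.audit_log.append(f"{now.isoformat()} APPLIED {change.employee_id}")
                applied.append(change.employee_id)
        return applied

    def payroll_destinations(self, now):
        """Accounts a payroll run at `now` would pay to; pending changes are ignored."""
        self.apply_due_changes(now)
        return dict(self.accounts)


def alerts(registry: PayrollRegistry) -> list:
    """Rapid-alert rules over the pending queue:
    1. several employees redirected to the same new account (mass redirection);
    2. one requester changing accounts for several employees at once."""
    out = []
    by_account = Counter(c.new_account for c in registry.pending)
    for acct, n in by_account.items():
        if n >= 2:
            out.append(f"MASS_REDIRECT {n} employees -> {acct}")
    by_requester = Counter(c.requested_by for c in registry.pending)
    for who, n in by_requester.items():
        if n >= 3:
            out.append(f"BULK_CHANGES {n} changes by {who}")
    return out


def demo() -> dict:
    """Constructed scenario: one HR account redirects three employees to one account."""
    t0 = datetime(2024, 1, 8, 9, 0)
    reg = PayrollRegistry({"E1": "ACC-111", "E2": "ACC-222", "E3": "ACC-333"})
    for eid in ("E1", "E2", "E3"):
        reg.request_change(eid, "ACC-999", "hr_user", t0)
    raised = alerts(reg)
    # Payroll the same afternoon: nothing is live yet, money goes to the old accounts.
    same_day = reg.payroll_destinations(t0 + timedelta(hours=6))
    # Only E1 confirms the change; after the hold, only that one takes effect.
    reg.confirm(reg.pending[0], t0 + timedelta(hours=1))
    later = reg.payroll_destinations(t0 + HOLD_PERIOD)
    return {"alerts": raised, "same_day": same_day, "later": later,
            "still_pending": len(reg.pending)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```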
Bank Heist
• While a pickpocket attack involves changing financial destinations and
intercepting the victim’s money, a bank heist involves simply getting
direct access to the victim’s bank accounts and stealing it.
Bank Heist
• Impact:
• Victim losing money from their accounts partially or completely.
• Poor safeguards afforded to consumers’ accounts by financial institutions
• Methods and Consequences:
• Compromise victim systems that have privileges to access business financial accounts
• Once successful, transfer large sums of money out via hard-to-trace methods such as
wire transfer
• Potential Defense
• Closely guard the computers and credentials
• Securely manage corporate financial accounts, rather than allowing financial personnel to
manage these accounts from personal computers that are also used to surf the web.
Ransomware
• Ransomware compromises victim computers
• Encrypts the data
• Charges a ransom to get the keys to decrypt the data.
• It can be expensive for individuals.
• It can be devastating at an enterprise level.
Ransomware
• Impact:
• Large amounts of corporate data are accessible to large numbers of employees.
• An employee who has write access and is compromised ends up encrypting it for
everyone
• Methods and Consequences:
• A common type of malware out on the internet, constantly used to get into
victim computers and enterprises.
• Potential Defense
• Hardening endpoints
• Training users not to get infected
• Having good segmentation and access controls
• Good backup for recovery
CONCLUSION
• Be flexible and adaptable to changing threats!
• Don’t ignore Information Security principles!
• Mature your Threat and Vulnerability Management process!
• Conduct frequent incident response exercises!
• Invest in people & training!
• Delay the adversary!
Thank You
For Your Patience

More Related Content

PPTX
Cryptography and Network Security # Lecture 2
PPTX
Cyber Security # Lec 3
PPTX
Network security # Lecture 2
PPTX
Cryptography and Network security # Lecture 3
PPTX
06. security concept
PPTX
Information security ist lecture
PPTX
Network Security Goals
PDF
Information cyber security
Cryptography and Network Security # Lecture 2
Cyber Security # Lec 3
Network security # Lecture 2
Cryptography and Network security # Lecture 3
06. security concept
Information security ist lecture
Network Security Goals
Information cyber security

What's hot (20)

PPTX
5 Security Tips to Protect Your Login Credentials and More
PPTX
Security Basics
PPTX
Information Security (Malicious Software)
PPTX
Basic Security Concepts of Computer
PPTX
Computer security concepts
PPTX
Cyber Security # Lec 5
PPTX
Data security
PPT
Introduction to information security
ODP
Network Security Topic 1 intro
PPTX
Data Security
PPTX
Software Security
PPTX
Cyber Security # Lec 4
PPTX
Introduction to Network Security
PPTX
System security
PPT
Latihan6 comp-forensic-bab5
PPT
Introduction To Computer Security
PPTX
Security
PPTX
information security(authentication application, Authentication and Access Co...
PDF
Chapter 4 vulnerability threat and attack
5 Security Tips to Protect Your Login Credentials and More
Security Basics
Information Security (Malicious Software)
Basic Security Concepts of Computer
Computer security concepts
Cyber Security # Lec 5
Data security
Introduction to information security
Network Security Topic 1 intro
Data Security
Software Security
Cyber Security # Lec 4
Introduction to Network Security
System security
Latihan6 comp-forensic-bab5
Introduction To Computer Security
Security
information security(authentication application, Authentication and Access Co...
Chapter 4 vulnerability threat and attack
Ad

Viewers also liked (20)

PDF
Windows Server 2016 Webinar
PPTX
Tcp udp
PDF
Cisco Connect Toronto 2017 - Anatomy-of-attack
PPTX
Cyber crime & security
PDF
Social Networks And Phishing
PDF
Role of DNS in Botnet Command and Control
PDF
Scripting and automation with the Men & Mice Suite
ODP
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
PDF
Umbrella Webcast: Redefining Security for the Nomadic Worker
PDF
Symantec (ISTR) Internet Security Threat Report Volume 22
PPTX
Phishing Scams: 8 Helpful Tips to Keep You Safe
PDF
DNS High-Availability Tools - Open-Source Load Balancing Solutions
ODP
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
PDF
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
PDF
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
PDF
How to send DNS over anything encrypted
PDF
Dns Hardening Linux Os
ODP
OISF: Regular Expressions (Regex) Overview
PPTX
Microsoft Cyber Security IT-Camp
PDF
Cisco umbrella overview
Windows Server 2016 Webinar
Tcp udp
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cyber crime & security
Social Networks And Phishing
Role of DNS in Botnet Command and Control
Scripting and automation with the Men & Mice Suite
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
Umbrella Webcast: Redefining Security for the Nomadic Worker
Symantec (ISTR) Internet Security Threat Report Volume 22
Phishing Scams: 8 Helpful Tips to Keep You Safe
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
How to send DNS over anything encrypted
Dns Hardening Linux Os
OISF: Regular Expressions (Regex) Overview
Microsoft Cyber Security IT-Camp
Cisco umbrella overview
Ad

Similar to Cyber Security # Lec 2 (20)

PDF
Network security
PPTX
Cyber Attacks and Defences - JNTUH,Cyber Attacks and Defences
PPTX
CyberSecurity and Importance of cybersecurity
PPTX
Social Engineering Attacks Social Engineering attacks
PPTX
An An Exploration Into the Cyber Security
PPTX
Ethical hacking ppt
PPTX
Protection from hacking attacks
PPTX
Computer security system Unit1.pptx
PPTX
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
PPTX
Lec 2- Hardening and whitelisting of devices
PDF
Cybersecurity Threats & Trends: Key Insights for Businesses
PPTX
Tools and methods used in cybercrime
PPTX
Cyber security
PDF
V01 i010413
PDF
An overview study on cyber crimes in internet
PPTX
Ethical Hacking
PPTX
Parag presentation on ethical hacking
PPT
Ethical Hacking
PPTX
Cyper security & Ethical hacking
PPTX
Types of attacks in cyber security
Network security
Cyber Attacks and Defences - JNTUH,Cyber Attacks and Defences
CyberSecurity and Importance of cybersecurity
Social Engineering Attacks Social Engineering attacks
An An Exploration Into the Cyber Security
Ethical hacking ppt
Protection from hacking attacks
Computer security system Unit1.pptx
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Lec 2- Hardening and whitelisting of devices
Cybersecurity Threats & Trends: Key Insights for Businesses
Tools and methods used in cybercrime
Cyber security
V01 i010413
An overview study on cyber crimes in internet
Ethical Hacking
Parag presentation on ethical hacking
Ethical Hacking
Cyper security & Ethical hacking
Types of attacks in cyber security

More from Kabul Education University (20)

PPTX
Cryptography and Network security # Lecture 8
PPTX
ITIL # Lecture 9
PPTX
Cryptography and Network security # Lecture 7
PPTX
ITIL # Lecture 8
PPTX
Cryptography and Network security # Lecture 6
PPTX
ITIL # Lecture 7
PPTX
Cryptography and Network security # Lecture 5
PPTX
ITIL # Lecture 6
PPTX
ITIL # Lecture 5
PPTX
ITIL # Lecture 4
PPTX
Cryptography and Network security # Lecture 4
PPTX
ITIL # Lecture 3
PPTX
ITIL # Lecture 2
PPTX
ITIL # Lecture 1
PPTX
Network security # Lecture 1
PPTX
Cyber security # Lec 1
PPTX
Searching and seizing Computer according to Afghanistan law
PPTX
Lect 6 computer forensics
PPTX
Csc342 lec 7 network security des
PPTX
Lect 5 computer forensics
Cryptography and Network security # Lecture 8
ITIL # Lecture 9
Cryptography and Network security # Lecture 7
ITIL # Lecture 8
Cryptography and Network security # Lecture 6
ITIL # Lecture 7
Cryptography and Network security # Lecture 5
ITIL # Lecture 6
ITIL # Lecture 5
ITIL # Lecture 4
Cryptography and Network security # Lecture 4
ITIL # Lecture 3
ITIL # Lecture 2
ITIL # Lecture 1
Network security # Lecture 1
Cyber security # Lec 1
Searching and seizing Computer according to Afghanistan law
Lect 6 computer forensics
Csc342 lec 7 network security des
Lect 5 computer forensics

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
Encapsulation theory and applications.pdf
PPTX
Big Data Technologies - Introduction.pptx
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
cuic standard and advanced reporting.pdf
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PPT
Teaching material agriculture food technology
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
NewMind AI Weekly Chronicles - August'25 Week I
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
The AUB Centre for AI in Media Proposal.docx
Encapsulation theory and applications.pdf
Big Data Technologies - Introduction.pptx
Mobile App Security Testing_ A Comprehensive Guide.pdf
Reach Out and Touch Someone: Haptics and Empathic Computing
Building Integrated photovoltaic BIPV_UPV.pdf
Spectral efficient network and resource selection model in 5G networks
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
The Rise and Fall of 3GPP – Time for a Sabbatical?
Review of recent advances in non-invasive hemoglobin estimation
cuic standard and advanced reporting.pdf
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Understanding_Digital_Forensics_Presentation.pptx
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
Teaching material agriculture food technology
MYSQL Presentation for SQL database connectivity
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
NewMind AI Weekly Chronicles - August'25 Week I

Cyber Security # Lec 2

  • 1. Lec-2: Cyber Security Mr. Islahuddin Jalal MS (Cyber Security) – UKM Malaysia Research Title – 3C-CSIRT Model for Afghanistan BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬
  • 2. Types of Cyberattacks • Cyberattacks compromise • Confidentiality by stealing money • Integrity by modifying data • Availability by denying access to data, services and systems • Some attacks may combine two or more of these types in a single attack but these three are the building block for most malicious cyberactivities.
  • 3. Types of Cyber Attack • Phishing/spearphing • Drive-By / Watering Hole / Malvertising • Code Injection / Webshell • Keyloggig / Session hijacking • Pass-the-Hash and Pass-the- ticket • Credential harvesting • Gate-crashing • Malware /Botnet • DDoS • Identity Theft • Industrial Espionage • Pickpocket • Bank Heist • Ransomeware
  • 4. Phishing / Spearphishing • Phishing and spearphishing are some of the most effective ways of getting into an enterprise’s network. • Attackers send e-mail to the victims (targeted e-mail to a specific person if it’s spearphishing), and the e-mail takes control of the victim’s computer.
  • 5. Phishing / Spearphishing • Impact: • Gain control of a personal computer inside the enterprise’s network • Spearphishing, this control includes a computer belonging to a specific person, such as an executive or systems administrator. • Methods and Consequences: • There are three techniques commonly used for phishing and spearphishing attacks. • Email message containing malicious attachment • Email to contain a link to a web page • Email to contain a link to a web page that asks for the victim to type his / her logon credentials • Potential Defense • Training to help users recognize when they are being phished • Educating executives and systems administrators on the threats • Protecting email and web gateways • Hardening endpoint computers
  • 6. Drive-By / Watering Hole / Malvertising • A drive-by or watering hole attack involves compromising a victim’s web site and then configuring that website to deliver malware to people who visit the site. • When unsuspecting users visit the site, their computers are infected with malware and the attackers are able to move their attack forward. • A malvertising attack has the same effect, but rather than directly compromising the site, attackers deliver malware through advertising feeds displayed on the web page alongside the victim’s content.
  • 7. Drive-by / Watering Hole / Malvertising • Impact: • Victim enterprise is an intermediary in an attack while targeting the people who visit the website • Victim will get collateral damage • Victim Enterprise’s reputation will be damaged when the story comes out • Methods and Consequences: There are two techniques commonly used for such kinds of attacks. • Web sites with vulnerabilities are exploited to get control of the site directly from the internet • Compromise the victim enterprise to get access to the computers and accounts with administrative control over the site • Potential Defense • Web site operators need to have strong configuration control over public-facing web sites • Advertising networks should strongly filter their content and prevent unexpected and unacceptable behavior • Surfing the web carefully using non-administrative credentials • Fully patched endpoint computers • Hardening endpoint computers
  • 8. Code Injection / Webshell • Servers are potentially just as vulnerable as endpoint computers, and they can be compromised using some of the same techniques. • Two attacks unique to servers are • Code injection • Webshells. • Code injection compromises a vulnerable web site by modifying requests to the site so they contain either scripting code or SQL code that is executed by the server without checking it. • If the server executes this code using administrative privileges, then the attackers can use the attack to take control of the server. • Once the attackers get control of the server, they can place a webshell into the server’s web site. • Webshell is a back door that allows attackers to come back to the server’s web site and execute commands directly on the server.
  • 9. Code Injection / Webshells • Impact: • Gain the administrative control over an internet facing server • Provide backdoor into the enterprise that is always open and operational for the attacker • Data and information can be compromised • Methods and Consequences: • Commonly used techniques for code injection and Webshells is as follow: • Attacker toolkits is used which contain exploits designed to test internet facing web sites for vulnerabilities • Periodically re-scan the sites to catch vulnerabilities (due to bad patch or coding mistakes) • Once the vulnerability is found then starting exploitation of that vulnerability and compromise the server and then install backdoor • Potential Defense • Strict configuration control of internet-facing servers is the best defense • Periodically scan the web sites for the vulnerabilities
  • 10. Keylogging / Session Hijacking • Keylogging: can be used to capture usernames and passwords of accounts with single-factor authentication, • Session hijacking: can be used to exploit accounts protected by multi- factor authentication. • Once attackers gain control of a victim’s endpoint computer, they can use a variety of methods to gain use of the victim’s online accounts.
  • 11. Keylogging / Session Hijacking • Impact: • Gain control over the victim’s online account • This control include • Victim’s address book • E-mail • Financial account and money • Methods and Consequences: • Commonly used techniques for keylogging and session hijacking is as follow: • Finding methods to install keylogger in victim’s system • If successful, then the attacker will know each and every button pressed by the victim • Attacker will wait, until the credentials found • Once these logons occurred, attackers can impersonate the user and make use of the accounts • Potential Defense • Secure endpoint to never be infected in the first place • Use unprivileged accounts • Protect end system by Anti-virus, anti-malware, intrusion prevention etc • Use multi-factor authentication systems
  • 12. Pass-the-Hash and Pass-the-Ticket • Pass-the-hash and pass-the-ticket are attack techniques that enable attackers to exploit credentials on an enterprise network. • These credentials are stored in computer memory and on hard drives. • These attacks effectively bypass the authentication mechanism of certain enterprise applications.
• 13. Pass-the-Hash and Pass-the-Ticket
  • Impact:
    • Attackers move laterally within enterprise IT environments from computer to computer
  • Methods and Consequences:
    • Commonly used techniques for pass-the-hash and pass-the-ticket are as follows:
      • Gain administrative control of the victim's computer
      • Scan memory and hard drives for hashes and tickets belonging to users
      • Once hashes and tickets are found, use them to connect to other computers on the enterprise network and move laterally
  • Potential Defense
    • Reduce vulnerabilities
    • Avoid storing hashes and tickets on hard drives
    • Try to store hashes and tickets over a network instead, which is more difficult
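Because these techniques reuse a legitimate hash or ticket, the logon itself succeeds and looks ordinary; what stands out is the lateral movement pattern, one source address and account reaching many hosts with NTLM network logons in a short time. The detection rule below is an added example, not from the slides: it runs over constructed records shaped like Windows Security event 4624 (logon type 3 is a network logon, the authentication package tells NTLM from Kerberos) and flags a (source, account) pair that touched at least three distinct hosts within five minutes. The field layout, thresholds and sample events are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Fields mirror Windows Security
# event 4624 (successful logon): time | target host | event id | logon type |
# authentication package | account | source address.
SAMPLE_EVENTS = """\
2024-01-10T09:00:01|FS01|4624|3|NTLM|alice|10.0.0.5
2024-01-10T09:00:03|FS02|4624|3|NTLM|alice|10.0.0.5
2024-01-10T09:00:05|FS03|4624|3|NTLM|alice|10.0.0.5
2024-01-10T09:01:10|DC01|4624|3|NTLM|alice|10.0.0.5
2024-01-10T09:02:00|FS01|4624|3|Kerberos|bob|10.0.0.7
2024-01-10T09:02:30|FS02|4624|3|Kerberos|bob|10.0.0.7
2024-01-10T09:03:00|FS03|4624|3|Kerberos|bob|10.0.0.7
2024-01-10T09:03:30|FS04|4624|3|Kerberos|bob|10.0.0.7
2024-01-10T09:04:00|FS01|4624|3|NTLM|carol|10.0.0.9
2024-01-10T09:20:00|FS01|4624|3|NTLM|carol|10.0.0.9
2024-01-10T09:30:00|WS07|4624|2|NTLM|dave|127.0.0.1
"""


def parse_events(text: str) -> list:
    """Turn the pipe-delimited records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, logon_type, auth_pkg, account, src_ip = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "auth_pkg": auth_pkg,
            "account": account,
            "src_ip": src_ip,
        })
    return events


def find_ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=3) -> dict:
    """Return {(src_ip, account): [hosts]} for sources whose NTLM network logons
    reached at least min_hosts distinct hosts inside any window-length period."""
    candidates = [
        e for e in events
        if e["event_id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"
    ]
    by_source = defaultdict(list)
    for e in candidates:
        by_source[(e["src_ip"], e["account"])].append(e)

    alerts = {}
    for key, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # All hosts this source reached in the window starting at `first`.
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for (src, account), hosts in find_ntlm_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account} from {src} reached {len(hosts)} hosts via NTLM: {hosts}")
```

Only alice's burst trips the rule; bob's Kerberos logons and carol's repeated logons to one host do not. NTLM network logons also occur legitimately (backup jobs, scanners, service accounts), so this is a triage signal to be tuned against a baseline, and a pass-the-ticket attack using Kerberos would need a different rule.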
• 14. Credential Harvesting
  • Credential harvesting is a technique whereby attackers compromise systems that a large number of users visit.
  • They then harvest user credentials from those systems.
  • In this way, attackers can get the user credentials for a large portion of the enterprise, all in a single step.
• 15. Credential Harvesting
  • Impact:
    • Large numbers of user credentials are compromised in a single step
    • Affords attackers access to administrator credentials
  • Methods and Consequences:
    • Two common approaches for conducting credential harvesting attacks:
      • First, target public-facing systems with large numbers of users (such as e-mail, web portals, virtual desktop systems)
        • Exploit a vulnerability to gain control, and then start capturing user credentials
      • Second, get inside the enterprise and target vulnerabilities in authentication systems
        • Once the authentication system is compromised, attackers can get access to credential hashes, tickets, and usernames and passwords
  • Potential Defense
    • Understand which enterprise IT systems collect large numbers of user logons
    • Protect those systems
    • A successful compromise should be detected and responded to in a timely fashion
    • Use multi-factor tokens for authentication
• 16. Gate-Crashing
  • Gate-crashing attacks involve attackers positioning themselves so they can exploit a vulnerability or a defender mistake to get past a particular security defense.
  • Due to the realities of security technology maintenance and human errors, almost every preventive defense gets disabled sometime, either intentionally or by accident. The gate-crashers make sure they are there to take advantage when it occurs.
• 17. Gate-Crashing
  • Impact:
    • Slip past defenses when the opportunity arises
    • The attacker waits, possibly many times, for just the right vulnerability or mistake to occur
  • Methods and Consequences:
    • Two common approaches for conducting gate-crashing attacks:
      • Manually: the attacker must have active command-and-control connections to systems inside the victim's network
      • Automatically: intelligent malware watches the victim network for openings and then exploits those openings when they occur
  • Potential Defense
    • Defense layering
    • Active monitoring
    • Security administrators must be educated on gate-crashing
• 18. Malware / Botnet
  • Malware is a generic term for malicious software, and it can include viruses, worms, Trojans, and others.
  • There is an extensive malware industry with commodity and custom toolkits that can be integrated together to perform remote control, session hijacking, credential harvesting, persistence, and other functions.
  • It is also important to consider the remote control functions built into most modern operating systems, since, with the right administrator credentials, those functions can be used for malicious purposes as well.
  • Once computers are infected with malware, they may be tied into a botnet so they can be accounted for and access to them can be sold to the highest bidder. Botnets can contain hundreds, thousands, or even millions of compromised machines that can then be used for any attacker purpose.
• 19. Malware / Botnet
  • Impact:
    • Monitor all activity on the victim computer
    • Record any credentials and accounts used by the victim
    • Allow the attacker to use the computer, either on its own or in conjunction with other machines in a botnet
  • Methods and Consequences:
    • The malware is installed by exploiting a vulnerability, or by the user of the computer willingly running it from a malicious web site, e-mail attachment or web link
    • Malware may be custom-built or morphed so it is not recognized by signature-based anti-virus
    • Once compromised and joined to a botnet, the computer and its data become available to the botnet operator
  • Potential Defense
    • OS hardening
    • Anti-virus
    • Anti-malware
    • User privilege limitation and application
• 20. Distributed Denial of Service (DDoS)
  • DDoS involves flooding the victim's computers with so much web traffic, generated from a distributed network, that the victim is unable to continue delivering services over the Internet.
• 21. DDoS
  • Impact:
    • The targeted web site is often rendered unusable
    • Web sites become unavailable to their own users, customers or partners
  • Methods and Consequences:
    • Attackers compromise computers themselves, and thousands of already-compromised computers are also available for hire on the internet
    • The hired compromised network is pointed at the target
  • Potential Defense
    • There are two approaches to defending against DDoS:
      • The first approach is to utilize content distribution networks that are hard to target and have the distributed capacity to resist all but the largest DDoS attacks.
      • The second approach is to respond quickly to block DDoS traffic at the network layer, thus mitigating its impact and allowing services to stay operational.
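The second defense, shedding flood traffic at the network layer so legitimate clients keep being served, is commonly built on a per-source token bucket: each source earns tokens at a steady rate up to a burst ceiling, every request spends one, and requests arriving with an empty bucket are dropped. This is an added example rather than anything from the slides; the rate, burst size, source addresses and the traffic stream are all constructed for illustration.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None  # timestamp of the previous request from this source

    def allow(self, now: float) -> bool:
        # Refill for the time elapsed since the last request, capped at the burst size.
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_requests(requests, rate=5.0, burst=10) -> dict:
    """Apply a per-source bucket to (timestamp, source) pairs in time order.
    Returns {source: {"allowed": n, "dropped": m}}."""
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in sorted(requests):
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        outcome = "allowed" if bucket.allow(ts) else "dropped"
        stats[src][outcome] += 1
    return dict(stats)


def constructed_stream() -> list:
    """Constructed traffic: one source sends 200 requests within one second while
    a normal client sends one request per second for 20 seconds."""
    flood = [(i / 200.0, "198.51.100.7") for i in range(200)]
    normal = [(float(i), "203.0.113.4") for i in range(20)]
    return flood + normal


if __name__ == "__main__":
    for src, counts in filter_requests(constructed_stream()).items():
        print(f"{src}: {counts}")
```

With a 10-request burst and a 5-per-second refill, the flooding source gets its first 10 requests through and then roughly one more every 40 requests, while the normal client is never throttled. A real distributed attack spreads load across many sources, so per-source limits are combined with the capacity and upstream filtering that the first approach provides.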
• 22. Identity Theft
  • Identity theft is one of the most common professional cyberattacks, since stolen identities, particularly:
    • social security numbers,
    • credit card numbers, and
    • medical records
    can be easily sold on the black market for cash.
  • Such attacks tend to focus on:
    • Centralized IT systems
    • Databases
    • Hacking into point-of-sale (PoS) systems
    • Other critical systems, to obtain identity information
• 23. Identity Theft
  • Impact:
    • Severe for victim enterprises
    • Data disclosure
    • Compensation to victims
    • Possibly penalties
  • Methods and Consequences:
    • Gain access to victim networks and obtain privileged access to victim data
  • Potential Defense
    • Protect data using different security mechanisms
    • Think through the life cycle of the data from capture to disposal
    • Monitor the traffic
    • Take regular backups
    • Look at your data from the adversary's perspective
• 24. Industrial Espionage
  • Industrial espionage is a common attack performed by professional and nation-state attackers to gain advantages in international business.
  • In the international marketplace, such advantages can be big business, indeed, with billions of dollars and entire market segments at stake.
• 25. Industrial Espionage
  • Impact:
    • Difficult to measure, since it is often difficult to differentiate:
      • Competitors reading each other's playbooks
      • The economic impact of players who gain the advantage of knowing their competitors' every move
    • Stolen data (meeting schedules, enterprise processes, etc.) can be just as useful in defeating competitors in the international marketplace
  • Methods and Consequences:
    • Target victim networks to achieve an initial entry
    • Then exploit the entry to move laterally and gain privilege within the victim networks
    • Once administrative control is taken, steal business information
  • Potential Defense
    • Both detective and preventive measures are needed
• 26. Pickpocket
  • A "pickpocket" attack involves hacking victim systems to steal relatively small amounts of money across a large number of transactions.
  • Some common examples of this attack include redirecting direct deposit accounts, payroll, or accounts payable accounts to send money to the attackers' accounts instead.
• 27. Pickpocket
  • Impact:
    • The attackers quickly get away with a large amount of money when the many transactions involved are added up.
    • When this money is transferred via wire transfer or direct deposit, it can be difficult or even impossible to trace and recover.
  • Methods and Consequences:
    • Intercept and redirect financial transactions (payroll, accounts payable systems, etc.)
    • By the time the victim enterprise catches the redirection, the money is often gone.
  • Potential Defense
    • A rapid alerting and auditing system is needed to catch unauthorized changes before money is moved
    • Get help from financial institutions by imposing time delays between when account information is changed and when the change becomes effective
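Both defenses on this slide, the audit trail with alerting and the delay between an account change and its taking effect, can be modelled in a small payroll destination registry. The code below is an added example, not the slides' own material: the three-day hold period, the employee names, account labels and the scenario of two employees' deposits being redirected to one new account are all constructed assumptions. It shows why a hold helps (the pay run that falls inside the hold still pays the old accounts) and what a reviewer's alert list looks like before the change goes live.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class AccountChange:
    employee: str
    new_account: str
    requested_on: date
    requested_by: str   # who submitted the change (constructed actor label)
    effective_on: date  # requested_on plus the hold period


class PayrollRegistry:
    """Direct-deposit destinations with a hold period and an audit trail.
    hold_days is a constructed policy value, not taken from the slides."""

    def __init__(self, hold_days: int = 3):
        self.hold_days = hold_days
        self.accounts = {}   # employee -> account currently on file
        self.changes = []    # every requested change, in request order

    def enroll(self, employee: str, account: str) -> None:
        self.accounts[employee] = account

    def request_change(self, employee, new_account, requested_on, requested_by) -> AccountChange:
        change = AccountChange(
            employee, new_account, requested_on, requested_by,
            requested_on + timedelta(days=self.hold_days),
        )
        self.changes.append(change)  # nothing is ever overwritten silently
        return change

    def account_for(self, employee: str, pay_date: date) -> str:
        """Destination used on pay_date: only changes whose hold has expired apply."""
        account = self.accounts[employee]
        for c in self.changes:
            if c.employee == employee and c.effective_on <= pay_date:
                account = c.new_account
        return account

    def alerts(self, as_of: date) -> list:
        """Items a payroll reviewer should check before the next pay run."""
        findings = [
            f"PENDING {c.employee} -> {c.new_account} (effective {c.effective_on}, via {c.requested_by})"
            for c in self.changes if c.effective_on > as_of
        ]
        # Several employees pointing at one account is a classic diversion pattern,
        # so project every requested change (pending or not) and look for sharing.
        projected = dict(self.accounts)
        for c in self.changes:
            projected[c.employee] = c.new_account
        owners = {}
        for employee, account in projected.items():
            owners.setdefault(account, set()).add(employee)
        for account, employees in owners.items():
            if len(employees) > 1:
                findings.append(f"SHARED {account} used by {sorted(employees)}")
        return findings


def demo() -> dict:
    """Constructed scenario: two deposits redirected to one account just before payday."""
    reg = PayrollRegistry(hold_days=3)
    reg.enroll("alice", "ACCT-1001")
    reg.enroll("bob", "ACCT-1002")
    reg.enroll("carol", "ACCT-1003")
    reg.request_change("alice", "ACCT-9999", date(2024, 3, 1), "self-service portal")
    reg.request_change("bob", "ACCT-9999", date(2024, 3, 1), "self-service portal")
    staff = ("alice", "bob", "carol")
    return {
        "pay_run_mar_2": {e: reg.account_for(e, date(2024, 3, 2)) for e in staff},
        "pay_run_mar_5": {e: reg.account_for(e, date(2024, 3, 5)) for e in staff},
        "alerts": reg.alerts(date(2024, 3, 2)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The March 2 run still pays the original accounts because the hold has not expired, and the alert list names both pending changes plus the shared destination, which is the cue to phone the employees before the March 5 run. In practice the same checks belong in the bank-side controls the slide mentions, where the delay is enforced outside the compromised enterprise system.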
• 28. Bank Heist
  • While a pickpocket attack involves changing financial destinations and intercepting the victim's money, a bank heist involves simply getting direct access to the victim's bank accounts and stealing it.
• 29. Bank Heist
  • Impact:
    • Victims lose money from their accounts, partially or completely.
    • Poor safeguards are afforded to consumers' accounts by financial institutions
  • Methods and Consequences:
    • Compromise victim systems that have privileges to access business financial accounts
    • Once successful, transfer large sums of money out via hard-to-trace methods such as wire transfer
  • Potential Defense
    • Closely guard the computers and credentials used to manage corporate financial accounts
    • Do not allow financial personnel to manage these accounts from the personal computers they use to surf the web
• 30. Ransomware
  • Ransomware compromises victim computers
  • Encrypts the data
  • Charges a ransom to get the keys to decrypt the data
  • It can be expensive for individuals.
  • It can be devastating at an enterprise level.
• 31. Ransomware
  • Impact:
    • Large amounts of corporate data are accessible to large numbers of employees.
    • An employee who has write access and is compromised ends up encrypting it for everyone
  • Methods and Consequences:
    • A common type of malware out on the internet, constantly used to get into victim computers and enterprises.
  • Potential Defense
    • Hardening endpoints
    • Training users to not get infected
    • Having good segmentation and access controls
    • Good backups for recovery
• 32. CONCLUSION
  • Be flexible and adaptable to changing threats!
  • Don't ignore Information Security principles!
  • Mature your Threat and Vulnerability Management process!
  • Conduct frequent incident response exercises!
  • Invest in people & training!
  • Delay the adversary!
  • 33. Thank You For Your Patience