
Experiment No. 1
PART A
(PART A: TO BE REFERRED BY STUDENTS)

A.1 Aim:
Basics of computer security.

Note: Copy-pasting from the Internet or any other source is not allowed.

Task 1:
1. Find real-world examples where security was compromised.
2. Analyze the case with respect to the following points:
a. Motivation of attack
b. Impact of attack
c. Kind of vulnerability exploited
d. How was the attack performed?
e. Report which security goals were compromised

Task 2:
Identify the type of goal compromised in the following situation. Justify your answer.
You are working in your office and open a file that you had been working on the previous
day. You notice the values you had entered into the file are different, and looking at the
versions of the file you note that the time stamp indicates the last time the file was accessed
was 2 am. Knowing that the company hours are 8 am to 5 pm, you suspect that one of the
goals of security has been compromised.

Task 3:
1. _______ is considered the weakest link to security for an organization.
2. A countermeasure to eavesdropping on the communication link is the use of __________
3. The motivation of an ethical hacker is
a) Financial gain
b) Thrill of hacking
c) Desire to identify vulnerabilities so they can be corrected before they are publicly exposed
d) Religious/political/ideological cause

Task 4:
List at least three kinds of harm a company could experience from unauthorized viewing
of confidential company materials.

A.2 Prerequisite:
Basic understanding of the goals of security, attacks and design principles.

A.3 Outcome:

After successful completion of this experiment students will be able to:

1. Strengthen their understanding of basic security concepts.

A.4 Theory:
A vulnerability is a weakness in the system, for example in procedures, design, or
implementation, that might be exploited to cause loss or harm.

A threat to a computing system is a set of circumstances that has the potential to cause loss or
harm.

Security Goals:
Confidentiality: the ability of a system to ensure that an asset is viewed only by authorized
parties.

Integrity: the ability of a system to ensure that an asset is modified only by authorized parties.

Availability: the ability of a system to ensure that an asset can be used by any authorized party.

Experiment No. 1
PART B
(PART B: TO BE COMPLETED BY STUDENTS)

(Students must submit the soft copy as per the following segments within two hours of the
practical. The soft copy must be uploaded to Blackboard or, if no Blackboard access is
available, emailed to the concerned lab in-charge faculty at the end of the practical.)

Roll No: N240 Name: Sonam Kumar
Branch: MBA Tech CS Batch: B2
Date of Experiment: 13/7/21 Date of Submission: 13/7/21
Grade: Prof. Name:

B.1 Tasks completed by the student

TASK 1

FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors
behind this campaign gained access to numerous public and private organizations around the
world. They gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring
and management software. This campaign may have begun as early as Spring 2020 and is
currently ongoing. Post-compromise activity following this supply chain compromise has included
lateral movement and data theft. The campaign is the work of a highly skilled actor, and the
operation was conducted with significant operational security.
A. Motivation of attack
Gain access to more than 20000 public and private organizations.
B. Impact of attack
Data leaked from various organizations.
C. Kind of vulnerability exploited.
SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally signed component of
the Orion software framework that contains a backdoor that communicates via HTTP to
third-party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in
as SUNBURST.
After an initial dormant period of up to two weeks, it retrieves and executes commands,
called “Jobs”, that include the ability to transfer files, execute files, profile the system,
reboot the machine, and disable system services. The malware masquerades its network
traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results
within legitimate plugin configuration files allowing it to blend in with legitimate
SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic
and anti-virus tools running as processes, services, and drivers.
D. How was the attack performed?
Before reaching out to its C2 server, SUNBURST performs numerous checks to ensure no
analysis tools are present. It checks process names, file write timestamps, and Active
Directory (AD) domains before proceeding. We believe that these checks helped
SUNBURST evade detection by anti-virus software and forensic investigators for seven
months after its introduction to the SolarWinds Orion supply chain.
First, the backdoor verifies that the lowercase name of the current process is
solarwinds.businesslayerhost. UNC2452 avoided including this string directly in the
source code by computing a hash of the string and comparing the result to the 64-bit
number 17291806236368054941. The hash value is calculated as a standard FNV-1A 64-bit
hash with an additional XOR by the 64-bit number 6605813339339102567. The
additional XOR operation forces malware analysts to develop custom tools to brute force
the hash preimage.
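The hashing scheme described in this paragraph, as an added example (not code from the original report or from FireEye's write-up): a standard FNV-1a 64-bit hash, the SUNBURST variant with its XOR key, and the kind of dictionary lookup an analyst uses to learn which process name a hashed value refers to. The two large constants are the ones quoted above; the candidate word list and the helper names are constructed for this example.

```python
# Added example: FNV-1a 64-bit, the SUNBURST XOR variant, and an analyst-side
# lookup that maps a hashed value back to a candidate process name.
FNV64_OFFSET = 14695981039346656037  # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 1099511628211          # standard FNV-1a 64-bit prime
MASK64 = (1 << 64) - 1

# Constants quoted in the text above.
SUNBURST_XOR_KEY = 6605813339339102567
EXPECTED_PROCESS_HASH = 17291806236368054941


def fnv1a64(data: bytes) -> int:
    """Standard FNV-1a 64-bit hash: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """SUNBURST's variant: FNV-1a over the UTF-8 string, then a fixed XOR."""
    return fnv1a64(name.encode("utf-8")) ^ SUNBURST_XOR_KEY


def unmask(target: int) -> int:
    """XOR is its own inverse, so stripping the key leaves a plain FNV-1a value."""
    return target ^ SUNBURST_XOR_KEY


def recover_preimage(target: int, candidates):
    """Analyst lookup: which candidate name (lowercased, as the backdoor does)
    hashes to the target? Returns the lowercased name, or None if no match."""
    plain = unmask(target)
    for cand in candidates:
        lowered = cand.lower()
        if fnv1a64(lowered.encode("utf-8")) == plain:
            return lowered
    return None


if __name__ == "__main__":
    # Constructed candidate list; the write-up above states that the hashed
    # value corresponds to solarwinds.businesslayerhost.
    wordlist = ["svchost", "explorer", "SolarWinds.BusinessLayerHost"]
    print(recover_preimage(EXPECTED_PROCESS_HASH, wordlist))
```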
Next, the backdoor only executes if the filesystem last write time of the .NET assembly
SolarWinds.Orion.Core.BusinessLayer.dll is at least 12 to 14 days prior to the current
time. The exact threshold is selected randomly from this interval. In other words,
SUNBURST lays low for almost two weeks before raising its head. If the timestamp check
fails, the backdoor will execute again at a random later time when it is invoked by a
legitimate recurring background task. Once the threshold is met, the sample creates the
named pipe 583da945-62af-10e8-4902-a8f205c72b2e to ensure only one instance of the
backdoor is running. If the named pipe already exists, the malware exits.
SUNBURST stores its configuration in the legitimate
SolarWinds.Orion.Core.BusinessLayer.dll.config file. It repurposes two existing settings
in the appSettings section: ReportWatcherRetry and ReportWatcherPostpone. During
initialization, the backdoor determines if the ReportWatcherRetry setting is the value 3.
This value indicates the malware has been deactivated and will no longer perform any
network activity. As we describe later, UNC2452 can command the backdoor to disable
itself. This feature may be utilized when the operator determines the victim is not of
interest or that they’ve completed their mission. When investigating a system
compromised by SUNBURST, review this setting to determine if the backdoor has been
disabled. Note, the presence of this value does not offer proof the actor did not further
compromise the environment before disabling SUNBURST.
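An added forensic triage example (not code from the original report or from FireEye) that parses the appSettings section of a SolarWinds.Orion.Core.BusinessLayer.dll.config file and reports the two repurposed keys described above, flagging the deactivation value 3. The embedded sample config is constructed; it assumes the standard .NET appSettings layout of <add key="..." value="..."/> entries, and the function names are this example's own.

```python
# Added example: triage the appSettings section of the Orion .config file the
# text describes, reporting the two repurposed keys and whether the value 3
# (backdoor told to deactivate) is present.
import xml.etree.ElementTree as ET

# Constructed sample; on an Orion host the real file is
# SolarWinds.Orion.Core.BusinessLayer.dll.config.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ReportWatcherRetry" value="3" />
    <add key="ReportWatcherPostpone" value="4" />
  </appSettings>
</configuration>
"""


def app_settings(config_xml: str) -> dict:
    """Collect <add key="..." value="..."/> entries under appSettings."""
    root = ET.fromstring(config_xml)
    return {
        el.get("key"): el.get("value")
        for el in root.iterfind("./appSettings/add")
        if el.get("key") is not None
    }


def triage(config_xml: str) -> dict:
    """Report the two repurposed settings and the deactivation indicator.
    A True indicator only says the backdoor was told to stop; it does not
    rule out earlier activity, so the host still needs a full investigation."""
    settings = app_settings(config_xml)
    retry = settings.get("ReportWatcherRetry")
    return {
        "ReportWatcherRetry": retry,
        "ReportWatcherPostpone": settings.get("ReportWatcherPostpone"),
        "sunburst_deactivated": retry == "3",
    }


def triage_file(path: str) -> dict:
    """Same check against a config file on disk."""
    with open(path, encoding="utf-8") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG))
```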
E. Report which security goals were compromised.
Integrity of files

TASK 2:

Two goals have been compromised:
1. Integrity: As there was file modification by the attacker.
2. Access Control: As the document was being accessed without the owner’s
permission. Therefore, not knowing the level of access of that document.

TASK 3:

1. Internal employee i.e. human is considered the weakest link to security for an
organization.
2. A countermeasure to eavesdropping on the communication link is the use of
encryption.
3. The motivation of an ethical hacker is
a) financial gain
b) thrill of hacking
c) desire to identify vulnerabilities so they can be corrected before they are
publicly exposed
d) religious/political/ideological cause

TASK 4:
• The organization might need to recalculate their business strategies.
• The organization might lose their public relations standing, as their data integrity will also be
compromised.
• The organization might need to correct their database, as many manipulations of it may have
occurred.

B.2 Observations and learning:

B.3 Conclusion:

B.4 Questions of Curiosity

Q1. What is the role of authentication, access control and non-repudiation in system security?
• Authentication helps in proving the identity of the user with the help of passwords in different
forms.
• Access Control helps to define the level of access to any particular file, i.e. read only, read
write or owner access only and so on.
• Non-Repudiation helps if there is any denial by the receiver; the sender then has proof of the
message sent.

Q2. What are Preventive, Detective and Responsive controls used in system security?

Preventive controls attempt to prevent an incident from occurring. Detective controls attempt to
detect incidents after they have occurred. Corrective controls attempt to reverse the impact of an
incident. Deterrent controls attempt to discourage individuals from causing an incident.
