Malware
describe and define the term Malware. Describe the various types of Malware,
we're going to try to answer are, what is Malware, that was a Malware and
to use the host resources for its benefit. Recent malware attacks attempt to remain
hidden on the host using resources for potential uses such as launching
Malware out there with certain features. The same with a virus, which is a piece
of malicious code that spreads from one computer to another by attaching itself
to other files using self-replication. Note that they'd require human
interaction to self-replicate. Due to its self-replicating nature, they are quite difficult
to hide on the system, like polymorphic code which encrypts and duplicates itself, which makes it a little
bit harder for the antivirus to find. This is known as a polymorphic virus. Another category of Malware
virus which
threatens to shield itself by obscuring the true location in the system. And its code makes it harder to reverse
engineer to create signatures for it. Now, we have worms. Worms, it's a self-replicating Malware
that does not require human interaction. Their main goal is to just spread and
cripple resources or turn computers into zombies. Trojan Horses, also known as Trojans,
give an attacker access to the host. They are usually introduced into
track and report the usage of the host or to collect data that
files the attacker wants to chase. Then we have adware. Adware, code that
usually seen on a browser pop-up. RATs, it stands for remote access tool or
gain unauthorized access and control the computer. Lastly, we have a rootkit. It's a piece of software that
at the lowest level. Now we have Ransomware. We all hear about Ransomware,
the host with a code that restricts the access to the computer or
to be paid to get the data back. If it's not paid, then in that amount
of time the data will be destroyed. On the right, we can see the banner where
the Ransomware takes control of the host, asking for payment with a time. The most recent May 2017,
how to respond against Ransomware attacks, please check the link. It includes topics such as how can you
protect your critical information and resources? How to identify the specific variants
Threats
threats besides malware, describe botnets, key-loggers, logic bombs and their components. Now, we will speak
regarding all the threats out there. So botnets. Botnets are a set of
to mount attacks. This kind of attack is used by black hat hackers in order to run operations such as
spam, denial-of-service attacks,
these botnets are also known as zombies or drones that we command from a bot master
advanced persistent threats. Its main goal is to get access and monitor the network to steal information
while it's staying undetected for
organizations such as military, government, finance, or companies that have high value information.
Some known groups that are out there are Fancy Bear of Russia, Lazarus Group of North Korea, or
Periscope group of China.
Threat Protection
security needs. Then we have updates. With all the software deployed, we need to stay up to date to prevent creating new holes
to ensure that all its users comply with the rules and guidelines
one is efficiency more. Then we have training. Training is to make sure that
a social engineering training. How it shows the user. It shows the user how to deal with the social
In this video, you will learn to: describe how network mapping or casing the joint is
used by bad hackers. What commands are used and what information is
mapping threats. Now, let's take a dive into specific security threats against Internet-based
will scan the network, they'll find out what devices are on there, what services, what protocols are on the network using
like Nmap that determine what hosts are on the network and what
a network exploration tools. So one of the questions is, given this problem set
the topography of that. What can we do? We take a look at coding network traffic
entering the network. Looking for suspicious activity, IP addresses, ports being
network anomalies that good SIEMs like QRadar will be able to pick up
the hosts on the network? What would that do for us? Well, by good asset management, by the way,
which is needed for patch management, at a minimum, we can create
allowed on the network. So that we can if there's additional activity and other hosts that
Packet Sniffing
broadcast style where it uses broadcast UD methods. For example, such as UDP, the network interface
sent in the clear. For example, like we tell them a NIC card that's been promiscuous mode
this diagram here on Slide 14. We say client B communicating on point A the payloads
like servers and routers and switches run software that checks periodically, if that host interfaces
that NIC card promiscuous mode is the dangerous element to that. So basically we also have
the setup only one host per segment of the broadcast media which is either switched
again on the bottom of Page 15 shows the threat and the opportunity for
promiscuous as well.
IP Spoofing
the source is spoofed. So we have a diagram here on page 16 that graphically expresses client C
attempting to masquerade as client B in the source
field of that packet. So how do we protect
talks about internal routers not forwarding packets with invalid source addresses. These are datagrams,
source addresses that are
learn to describe how denial of service and distributed denial of service attacks
are carried out. Describe how packet filtering and traceback can
of these measures. One of the major attack scenarios in the cybersecurity world is that of the denial
of service or DoS. So this has to do with a flood of maliciously generated packets. So basically, overwhelm,
handling the incoming packets, and they have no time for other computationally
multiple sources. Swamping a receiver. Then distributed attacks are resistant to single
demonstrated in the diagram here on the bottom of page 18. So how to launch a countermeasure
the host having a filter. But the problem there is that you're going
intelligently filter out packets will help reduce the effect of denial of service.
Host Insertion
In this video,
a server on the network with that intent. So this actually goes on to the network,
move on to its nefarious goals. These are done both as clients and
QRadar has a scanner internally that can generate very accurate inventories
of computer assets on the network. So not just hosts, but all of this,
the servers, the network criteria, all of those can be listed by MAC address. So with a constant or
that MAC address whitelist, that's bad news, and that's when
the red lights and the sirens go off. Some of the remaining security threats
to keep in mind are that of the rogue software processes. This is a software program,
the internal and the external threat. Once again, a whitelist approach
in the enterprise. Once those are identified, right, a vulnerability management software can
help eradicate those software processes. These generally are inserted onto a host,
is that a legitimate software process is modified for evil purposes. So what would they do for this?
Obviously, track network traffic
monitoring to be able to ghost or understand the network traffic patterns. So we talked earlier also in the first
module about traffic flow analysis. Well, these are actually the tools
that observe traffic flow and in turn, ascertain and try to obtain
the traffic patterns are shaped. And additionally, this is also used for
exfiltration.
Cyber Kill Chain
a Cyber Kill Chain is and how each link in the chain contributes to
the success of an attack. Well, the Kill Chain that I said before is a set of activities that needs to be done to
guide a specific Kill Chain. So if you're [inaudible] require some specific activity
identifying what is the exploit. Take WannaCry for example, the WannaCry exploit
the vulnerability. But at the end of the story, there is something that leads
plan of this is arrived and it will exploit that specific vulnerability. Then of course, I need to install some other component that
would ask ransom of later, I need to hold on the target also a tool that makes
By the way, this is something that is very important for malware in general. You will be surprised, but developing malware
associated to a malware. Sometimes we create something that can be used by a good guy, but can also
use adoption. Yeah, encrypting data, generally is not something bad, but if you encrypt data
and ask for a ransom for the close of that, that is also not
to compromise the victim. But to use the victim of the computer to start
your computer region, your computer to four and at that to the Martina computer. Okay. In this case,
a real incident, if you want to, one is that I am using your computer to perform
an attack on third party. The second, that I use your computer to store
and the control, you can to form such, encrypting data or installing the applications called ransom.
Another thing that I
this defense is the fact that we think that the model as something that has been created by one person to
to advertisement and all of the people that have already arrived at the commerce
actually more often, companies that you know want to understand if their systems
are vulnerable or not, launch some specific contests
that are called bug bounty, like that [inaudible]. So basically [inaudible] is a sort
often launch contests that were to find some vulnerability the attacker can use
Social Engineering
that they don't want to do? Thinking the good way, I mean, how could you trick somebody to give you
her or his password? I mean, if you go
for them to have privately or separated from the public information that
they could give to somebody. So the question or the process to perform a social
engineering attack is, how could you trick somebody to give you something
the victim network. So one of the easy ways to perform or get formation
into a VPN system. So if you already have the URL, the external URL to login into SSL VPN system but you
need the password, you need the username for you to be able to login
into that remote system, the easy way to get that probably is the social
a social engineering attack? That's actually pretty easy also. Again, this is something
there that you could use. A tool that is actually pretty easy is called setoolkit. Setoolkit is something that came in Linux that you
example fake websites. Create or clone websites from public Internet domains or
a private Internet domains. For example, you can go and clone external website from your client, from
your victim, and wait a couple of weeks, you could try to
username inside the network, inside your victim network or your client network and see if the user gets or click
fake HTML for example. So that's not all. I mean, social engineering
by any means any kind of clone a private website and try to phish a set of usernames, and try to get them
to click a link and
give you the credentials. For any kind of systems, you need to have
the permission for doing that. But the important part here to understand is there is
that you can start doing to understand how could you trick somebody to do something