Week 2

Malware

In this video, you will learn to describe and define the term malware, and describe the various types of malware, including ransomware.

>> Malware. So the questions that we're going to try to answer are: what is malware, what does malware do, and how do we protect from it? The first thing that we're going to do is to define it. Malicious code, or malware, is any undesired or unauthorized piece of software running on a host, either to disrupt operations or to use the host resources for its benefit. Recent malware attacks attempt to remain hidden on the host, using resources for potential uses such as launching service attacks, hosting illicit data, or accessing personal or business information.

Types of malware: there are many forms of malware out there, with certain features. The first one is a virus, which is a piece of malicious code that spreads from one computer to another by attaching itself to other files using self-replication. Note that they do require human interaction to self-replicate. Due to its self-replicating nature, they are quite difficult to remove from a system. They also use tactics to hide on the system, like polymorphic code, which encrypts and duplicates itself, which makes it a little bit harder for the antivirus to find. This is known as a polymorphic virus. Another category of malware virus shields itself by obscuring its true location in the system, and its code makes it harder to reverse engineer to create signatures for it.

Now, we have worms. A worm is self-replicating malware that does not require human interaction. Their main goal is to just spread and cripple resources or turn computers into zombies. Trojan horses, also known as Trojans, are hidden malware that causes damage to a system or gives an attacker access to the host. They are usually introduced into the environment, to a computer, by posing as a benign package, such as a game, wallpaper, or any kind of download. Spyware: the main goal of spyware is to track and report the usage of the host, or to collect data that the attacker desires to obtain. It can include web browsing history, personal information, marketing information, any kind of files the attacker wants to chase. Then we have adware. Adware is code that automatically displays or downloads unsolicited advertisements, usually seen as a browser pop-up. RATs: it stands for remote access tool or remote access trojan. RATs allow the attacker to gain unauthorized access and control the computer. Lastly, we have a rootkit. It's a piece of software that is intended to take full or partial control of a system at the lowest level.

Now we have ransomware. We all hear about ransomware, but what really is ransomware? It's malware that infects the host with code that restricts access to the computer or the data on it. The attacker demands a ransom to be paid to get the data back. If it's not paid within that amount of time, the data will be destroyed. On the right, we can see the banner where the ransomware takes control of the host, asking for payment within a time. The most recent one was in May 2017, with the ransomware. If you wish to learn more about how to respond to ransomware attacks, please check the link. It includes topics such as how you can protect your critical information and resources, how to identify the specific variants of ransomware, and how to contain and remove the ransomware from infected systems.

Threats

In this video, you will learn to describe other cybersecurity threats besides malware, and describe botnets, keyloggers, logic bombs and their components.

Now, we will speak regarding all the threats out there. So, botnets. Botnets are a set of compromised hosts that enable attackers to exploit those computer resources to mount attacks. This kind of attack is used by black hat hackers in order to run operations such as spam, denial-of-service attacks, phishing, spyware, mining personal information, or cryptocurrency. The computers that are part of these botnets are also known as zombies or drones, which are commanded from a bot master or a bot herder.

Other malware attacks: we have keyloggers. A keylogger is any hardware or software that records every keystroke made by a user. We have logic bombs. It's code that lies dormant on a target until it's triggered by a specific event, such as a date or time. When the condition is met, it detonates to perform whatever it was programmed to do, usually erasing data or corrupting systems. Then we have APTs, or advanced persistent threats. Its main goal is to get access and monitor the network to steal information while staying undetected for a long period of time. Usually it targets organizations such as military, government, finance, or companies that have high-value information. Some known groups that are out there are Fancy Bear of Russia, Lazarus Group of North Korea, or Periscope group of China.

Threat Protection

In this video, you will learn to describe how to protect systems against malware and cyber attacks.

We spoke about malware and the things that they do. Now let's talk a little bit about how we protect against them. How can we protect? We have technical controls. Technical controls are the hardware or software that aid in protecting information, which may include antivirus, which scans files for executable code and matches signatures of known viruses. We also have intrusion prevention systems, intrusion detection systems, and unified threat management systems. Those are systems that can look for and detect intrusions in progress when we get a compromise in the environment. Each implementation is unique and depends on the organization's security needs. Then we have updates. With all the software deployed, we need to stay up to date to prevent creating new holes in our security. This is done by applying the security patches.

Then we have operational controls, also known as administrative controls. They are put in place by management and depend on the staff complying in order to be effective. One of these controls is policies. So a policy is a written document issued by an organization to ensure that all its users comply with the rules and guidelines related to security. An example could be a password policy, in which the enterprise requires a minimum of 15 characters with the list one is efficiency more. Then we have training. Training is to make sure that users of the organization are aware of its policies or the threats out there. An example could be social engineering training. It shows the user how to deal with social engineering attacks. Lastly, we have revision and tracking. Revision and tracking means ensuring that the items that we just mentioned stay up to date.

Internet Security Threats

In this video, you will learn to describe how network mapping, or casing the joint, is used by bad hackers, what commands are used and what information is commonly gathered, and describe the countermeasures that can be used against mapping threats.

Now, let's take a dive into specific security threats against Internet-based enterprises. One of the first ones we'll take a look at today, here on Slide 12, is the idea of network mapping. So this is basically casing the joint, where our adversaries will scan the network; they'll find out what devices are on there, what services, what protocols are on the network, using our ping commands. There are also other tools like Nmap that determine what hosts are on the network and what their addresses are. Certainly, port scanning comes into play, and we talked about Nmap a little bit earlier, which is a network exploration tool. So one of the questions is, given this problem set of our adversaries scanning our network and looking for hosts, essentially getting the topography of that, what can we do? We take a look at recording network traffic entering the network, looking for suspicious activity: IP addresses, ports being scanned sequentially. By the way, these are network anomalies that good SIEMs like QRadar will be able to pick up and create an alert. We can also use a good host scanner, for example the one found in QRadar, to keep a good inventory of the hosts on the network. What would that do for us? Well, by good asset management, which by the way is needed for patch management, at a minimum we can create a whitelist, or a list of authorized devices by MAC address, that are allowed on the network. So that if there's additional activity and other hosts that get put into play, we will know this because it'll be a whitelist violation.
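The "ports being scanned sequentially" anomaly described above, as a small added detection example (not code from the course or from QRadar): it parses constructed flow-log lines in a hypothetical `src dst dport` format and flags source/destination pairs that touched many distinct ports or a long run of consecutive ports.

```python
"""Detect sequential port scans in flow-log lines (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample log in a hypothetical "src dst dport" format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.20 22
10.0.0.5 10.0.0.20 23
10.0.0.5 10.0.0.20 24
10.0.0.5 10.0.0.20 25
10.0.0.5 10.0.0.20 26
10.0.0.5 10.0.0.20 27
10.0.0.7 10.0.0.20 443
10.0.0.7 10.0.0.20 443
10.0.0.9 10.0.0.21 80
10.0.0.9 10.0.0.21 8080
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)$")


def parse_flows(text):
    """Return (src, dst, dport) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers (0 for no ports)."""
    s = sorted(set(ports))
    if not s:
        return 0
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_port_scans(flows, min_ports=5, min_run=5):
    """Flag (src, dst) pairs that hit many distinct ports or a sequential run."""
    ports_by_pair = defaultdict(list)
    for src, dst, dport in flows:
        ports_by_pair[(src, dst)].append(dport)
    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        distinct = len(set(ports))
        run = longest_sequential_run(ports)
        if distinct >= min_ports or run >= min_run:
            alerts.append({"src": src, "dst": dst,
                           "distinct_ports": distinct, "sequential_run": run})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_flows(SAMPLE_LOG)):
        print("possible port scan:", alert)
```

Real SIEM rules would add a time window and per-source thresholds; the thresholds here are illustrative.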

Packet Sniffing

In this video, you will learn to: describe packet sniffing and how it can be used to gather information about your network, and describe the countermeasures you can deploy to safeguard against packet sniffers.

Packet sniffing, which is another predominant Internet security threat. So this is a broadcast style, where it uses broadcast methods, for example such as UDP. The network interface card, called the NIC, by definition reads all packets that pass by when it's in promiscuous mode. It can read all unencrypted data. So a password that is sent in the clear, for example like telnet, a NIC card that's in promiscuous mode will pick that up. We'll take a look at this diagram here on Slide 14. We see client B communicating to client A: the payload, or rather the field headers in the IP packet, talks about the source as being B, the destination being A, and the payload. While client C, running in promiscuous mode, won't be able to detect all of that information.

So how do we conduct countermeasures against this? One countermeasure for packet sniffing is that all of the hosts, all computer clients plus the computer network services like servers and routers and switches, run software that checks periodically if that host's interfaces are in promiscuous mode. So as you can see, that NIC card promiscuous mode is the dangerous element to that. So basically we also have the setup of only one host per segment of the broadcast media, which is either switched Ethernet or a hub. So the diagram once again, on the bottom of Page 15, shows the threat and the opportunity for client C to pick up message traffic between B and A when it's in promiscuous mode as well.
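The periodic "is this host's interface in promiscuous mode?" check mentioned above, as an added example that is not part of the course material. It reads the per-interface `flags` file that Linux exposes under `/sys/class/net` and tests the `IFF_PROMISC` bit (0x100, from `<linux/if.h>`); the sample flag values are constructed so the code also runs offline.

```python
"""Audit Linux interfaces for promiscuous mode via sysfs flags (added example)."""
import os

IFF_PROMISC = 0x100  # bit defined in <linux/if.h>


def parse_flags(text):
    """Parse the hex string stored in /sys/class/net/<iface>/flags."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    """True when the IFF_PROMISC bit is set in the interface flags."""
    return bool(flags & IFF_PROMISC)


def audit_interfaces(flags_by_iface):
    """Return the sorted names of interfaces whose flags show promiscuous mode."""
    return sorted(name for name, raw in flags_by_iface.items()
                  if is_promiscuous(parse_flags(raw)))


def read_sysfs_flags(root="/sys/class/net"):
    """Collect the raw flags file of every interface (Linux only; empty elsewhere)."""
    out = {}
    if not os.path.isdir(root):
        return out
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                out[name] = fh.read()
        except OSError:
            continue  # interface vanished or is not readable; skip it
    return out


# Constructed sample values (not captured from a real host).
SAMPLE_FLAGS = {
    "lo": "0x9\n",       # UP | LOOPBACK
    "eth0": "0x1003\n",  # UP | BROADCAST | MULTICAST
    "eth1": "0x1103\n",  # UP | BROADCAST | PROMISC | MULTICAST
}

if __name__ == "__main__":
    live = read_sysfs_flags()
    suspects = audit_interfaces(live or SAMPLE_FLAGS)
    print("promiscuous interfaces:", suspects or "none")
```

Run it from a scheduled job and alert on any non-empty result; a monitoring sensor that legitimately sniffs should be on an explicit allow list so it does not trigger the alert.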

IP Spoofing

In this video, you will learn to describe how IP spoofing can be used by attackers, and describe how ingress filtering can be used as a countermeasure to safeguard against IP spoofing and its level of effectiveness.

So the following security threat talks about IP spoofing. We talked about this briefly during the authentication phase in an earlier module, where one can generate fake, bogus IP packets directly from an application, putting any value into the IP source. Remember Trudy masquerading as Alice; that was the technique used there. The receiver, which would of course be Bob, can't tell that the source is spoofed. So we have a diagram here on page 16 that graphically expresses client C attempting to masquerade as client B in the source field of that packet. So how do we protect against this? Ingress filtering, that talks about internal routers not forwarding packets with invalid source addresses. These are datagrams with source addresses that are not in the router's network. You can't mandate that for all networks. So this is going to be at best a partial solution.
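The ingress-filtering rule just described ("do not forward a datagram whose source address is not in the router's network"), as an added example rather than course code. The router, its downstream prefix and the packets are all constructed; the decision logic is the point, and it also shows why the control is partial: a spoofed source that happens to fall inside the local prefix is still forwarded.

```python
"""Ingress (source-address) filtering for an internal router (added example)."""
import ipaddress


def should_forward(src_ip, iface_prefixes):
    """Forward only if the source lies in a prefix behind the receiving interface.

    Loopback, multicast, unspecified and unparsable sources are always dropped.
    """
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed address: never forward
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return False
    return any(src in ipaddress.ip_network(p) for p in iface_prefixes)


def filter_packets(packets, iface_prefixes):
    """Split packets into (forwarded, dropped) according to should_forward."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if should_forward(pkt["src"], iface_prefixes) else dropped
        target.append(pkt)
    return forwarded, dropped


# Constructed sample: the router's downstream network is 192.0.2.0/24 (documentation range).
INTERNAL_PREFIXES = ["192.0.2.0/24"]
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5"},   # legitimate local source
    {"src": "203.0.113.9", "dst": "198.51.100.5"},  # source not in the router's network
    {"src": "127.0.0.1", "dst": "198.51.100.5"},    # loopback source, never valid here
    {"src": "not-an-ip", "dst": "198.51.100.5"},    # malformed, dropped
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS, INTERNAL_PREFIXES)
    print("forwarded:", [p["src"] for p in fwd])
    print("dropped:  ", [p["src"] for p in drop])
```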

Security Threats – Denial of Service

In this video, you will learn to describe how denial of service and distributed denial of service attacks are carried out, and describe how packet filtering and traceback can be used to help counter denial of service attacks and the shortcomings of these measures.

One of the major attack scenarios in the cybersecurity world is that of the denial of service, or DoS. So this has to do with a flood of maliciously generated packets. So basically, overwhelm, swamp the receiver. They spend so much time handling the incoming packets that they have no time for other computationally intensive activity. There are single denial of service attacks. There's also distributed, which is DDoS, which talks about multiple sources swamping a receiver. Then distributed attacks are resistant to single IP blocking, right? We see that activity demonstrated in the diagram here on the bottom of page 18. So how do we launch a countermeasure for that? Filter out flooded packets before reaching the host by having a filter. But the problem there is that you're going to be filtering out solid and legitimate packets along with the bad. We're going to talk about the ability to trace back to the source of the floods, but this only applies against innocent and compromised machines. So the idea about dynamic filtering, being able to adjust as the traffic patterns are realized, plus the ability to intelligently filter out packets, will help reduce the effect of denial of service.

Host Insertion

In this video, you will learn to describe how host insertions are used to compromise a network, and describe what measures can be taken to protect against unauthorized insertion of a new host on your network.

>> Host insertions, right, so the ability, once an insider threat, to place a computer client on the network or a server on the network with that intent. So this actually goes on to the network, hoping that it's not going to be detected and contained, and moves on to its nefarious goals. These are done both as clients and as servers, so how can one protect against host insertions? Slide 21 talks about the idea of maintaining accurate inventories of computer hosts by MAC addresses. This is the fundamental technology behind asset management. Solid asset management is part of a larger governance program. It also applies directly to patch maintenance and vulnerability management. So the idea about a scanner: QRadar has a scanner internally that can generate very accurate inventories of computer assets on the network. So not just hosts, but all of this, the servers, the network criteria, all of those can be listed by MAC address. So with a constant or continual scanning capability, you will determine, the scanner will ascertain, computer clients or hosts that are not on the whitelist. So missing hosts are okay. This is where systems are turned off, either for maintenance, or it's a notebook computer that's off of the network. New hosts that are not on that MAC address whitelist, that's bad news, and that's when the red lights and the sirens go off.

Some of the remaining security threats to keep in mind are that of the rogue software processes. This is a software program, a software agent, that has been inserted maliciously on the internal network. This can be inserted both by the internal and the external threat. Once again, a whitelist approach, about being able to maintain a list of viable and legitimate software applications in the enterprise, a key part of a solid governance program, will help identify unwanted and uninvited software processes in the enterprise. Once those are identified, right, vulnerability management software can help eradicate those software processes. These generally are inserted onto a host, right, a computer platform, either a client or a server, intentionally. The other variation of this is that a legitimate software process is modified for evil purposes. So what would they do for this? Obviously, track network traffic, monitoring to be able to ghost or understand the network traffic patterns. So we talked earlier also in the first module about traffic flow analysis. Well, these are actually the tools that observe traffic flow and in turn ascertain and try to obtain intelligence, or at least information, about the enterprise, given the way the traffic patterns are shaped. And additionally, this is also used for the exfiltration of sensitive data. We think about customer information, credit cards, but crypto keys also are a target for exfiltration.
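The MAC-address whitelist comparison that both the network mapping video and the host insertion video describe ("missing hosts are okay, new hosts are bad news"), as an added example that is not code from the course or from QRadar's scanner. The whitelist and scan result are constructed; MAC addresses are normalised so that hyphen and colon forms compare equal. Keep in mind that a MAC address is self-reported by the host, so this is an inventory control to be combined with other telemetry, not proof of identity.

```python
"""Compare a scanner's inventory against a MAC-address whitelist (added example)."""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form; reject malformed input."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def compare_inventory(whitelist, scanned):
    """Classify scanned MACs against the whitelist.

    new:     seen on the network but not authorised -> alert
    missing: authorised but not seen (powered off, laptop away) -> acceptable
    known:   authorised and seen
    """
    allowed = {normalize_mac(m) for m in whitelist}
    seen = {normalize_mac(m) for m in scanned}
    return {
        "new": sorted(seen - allowed),
        "missing": sorted(allowed - seen),
        "known": sorted(seen & allowed),
    }


# Constructed sample data (not from a real network).
WHITELIST = ["00:11:22:33:44:55", "00-11-22-33-44-66", "AA:BB:CC:DD:EE:01"]
SCAN_RESULT = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"]

if __name__ == "__main__":
    result = compare_inventory(WHITELIST, SCAN_RESULT)
    for mac in result["new"]:
        print("ALERT: unauthorised host on the network:", mac)
    for mac in result["missing"]:
        print("info: authorised host not seen this scan:", mac)
```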

Cyber Kill Chain

In this video, you will learn to describe what a Cyber Kill Chain is and how each link in the chain contributes to the success of an attack.

Well, the Kill Chain that I said before is a set of activities that need to be done to compromise the victim. Usually, the Kill Chain is referred to malware, but each single attack could guide a specific Kill Chain. So if you're [inaudible] require some specific activity that needs to be done. As regards the malware itself, those are the most common activities that should be done. So Reconnaissance, that means that you can understand what type of vulnerability can be exploited. Weaponization means identifying what is the exploit. Take WannaCry for example; the WannaCry exploit was EternalBlue. For delivery, I need to make sure that the malicious binary that I've created, and after creation to ask for ransom, where it could be exploited due to the vulnerability. But at the end of the story, there is something that leads to a rush to the target, and that is the delivery part. Exploitation is the ability to start the exploit of the specific vulnerability. So once the malicious binary has arrived, it will exploit that specific vulnerability. Then of course, I need to install some other components that are not necessarily malware that will fix a trainload to start on my activity. So I need to create some data that you would ask ransom of later; I need to load on the target also a tool that does the encrypting of the data. This is not a malware.

By the way, this is something that is very important for malware in general. You will be surprised, but developing malware is not illegal. It is very difficult to define what is illegal, but we have a program that does something. The fact that the program does something does not necessarily mean it can be associated to a malware. Sometimes we create something that can be used by a good guy, but can also be used by a bad one. Yeah, encrypting data generally is not something bad, but if you encrypt data and ask for a ransom for the close of that, that is also not a particular challenge that we have in the defense. This is also something that is very much interesting, in the sense that very often my real objective is not to compromise the victim, but to use the victim's computer to start a transparency. So this is exalted. So he can capture your computer region, your computer to four and at that to the Martina computer. Okay. In this case, a real incident, if you want, one is that I am using your computer to perform an attack on a third party. The second, that I use your computer to store some data from the Martin. Or I find out the actions and objectives. So once you have a command and control, you can perform such as encrypting data or installing the applications called ransom.

Another thing that I think is very much interesting in this defense is the fact that we think of the malware as something that has been created by one person to compromise another person. In sheer volume of these activities, usually each performed, should be performed by a different organization. Very often we talk about it such as cybercrime as itself. So you know several organizations that specialize in delivery, for example, from spam work to advertisement and all of the people that have already arrived at the commerce sense of space. So my understanding would work out whatever vulnerabilities. It's nice to know that actually, more often, companies that want to understand if their systems are vulnerable or not launch some specific contests that are called bug bounty, like that [inaudible]. So basically [inaudible] is a sort of challenge that the company does to understand the vulnerability in their services. Actually the six top is done by the attacker as well, and so also attackers very often launch contests to find some vulnerability the attacker can use in this bold fight.

Social Engineering

In this video, you will learn to describe social engineering and how it is used as an effective method of cyber exploitation.

So now, let's talk about social engineering. Social engineering is actually pretty easy to understand. Question yourself: how could you trick somebody to do something that they don't want to do? Thinking the good way, I mean, how could you trick somebody to give you her or his password? I mean, if you go and ask your friends to give you their password for a social network, probably they wouldn't do that, because they understand that the password is something important for them to have privately, or separated from the public information that they could give to somebody. So the question, or the process to perform a social engineering attack, is: how could you trick somebody to give you something that is private? This is something that we use normally in offensive security operations, because when we try to exploit things from the technical perspective, on some occasions we deal with advanced firewalls, with advanced systems that will block all the attacks that we're delivering to the client or the victim network. So one of the easy ways to perform or get information, or try to exploit things inside the network of the client or the victim, is to try to gain information from the users, gain information from somebody inside the network that already has, for example, a password, a username to log in to a VPN system. So if you already have the URL, the external URL to log in to the SSL VPN system, but you need the password, you need the username for you to be able to log in to that remote system, the easy way to get that probably is the social engineering attack.

Now, how could you perform a social engineering attack? That's actually pretty easy also. Again, this is something that you need to have permission to do. There are a lot of tools over there that you could use. A tool that is actually pretty easy is called setoolkit. Setoolkit is something that came in Linux, that you also could install on your system without any Linux installation or without any specific Linux distribution. But either way, it's something that will have a set of tools; like the title says, it is a toolkit, where you can create, for example, fake websites, create or clone websites from public Internet domains or private Internet domains. For example, you can go and clone an external website from your client, from your victim, and wait a couple of weeks; you could try to impersonate somebody, and that somebody could send an email using a phishing attack to a username inside the network, inside your victim network or your client network, and see if the user clicks on the link that you send and enters all the credentials, writes all the credentials on that fake user-and-password login HTML, for example. So that's not all. I mean, the social engineering toolkit has a lot of tools. Actually, you could also spoof voice calls. So that's something interesting for you to test. Again, you need to have permission in order to try to exploit something from a client. I mean, you cannot by any means clone a private website and try to phish a set of usernames, and try to get them to click a link and give you the credentials. For any kind of system, you need to have the permission for doing that. But the important part here to understand is there are a lot of good tools, there are a lot of things that you can start doing to understand how could you trick somebody to do something that they shouldn't do.
