
Cybersecurity Bootcamp | Module 2

Cyber Attack Chain


Class Pointers

● Please switch on your webcams! Communication is 70% body language.
● This is not a webinar. This is an interactive, hands-on training workshop, where everyone participates!
● Keep your mic constantly muted (to prevent background noise)
● Unmute your mic to speak up and ask questions
● Always clarify your doubts. Don’t be shy!
● Feel free to ask any questions. This is a safe zone for everyone, no matter your starting level.

© 2022 Vertical Institute


Class Pointers
● Use the ‘Raise Hand’ or ‘Thumbs Up’ function!

[Screenshots: Step 1, Step 2]


Agenda
Tutorial
● Cyber-Attack chain
○ Reconnaissance
○ Weaponization
○ Delivery
○ Exploitation
○ Installation
○ Command and Control
○ Actions on Objective
● Demonstration of hacking examples mapped to the Cyber-Attack Chain phases
● Security technologies
○ Anti-virus
○ Security monitoring
○ Intrusion detection and prevention systems
○ Biometrics
○ Security controls


Agenda
Activity
● Map security controls against cyber-attack chain
● Threat modeling



Financial Services cyber-security snapshot

Source: https://www.verizon.com/business/verizonpartnersolutions/business/resources/reports/2020-data-breach-investigations-report-financial-services.pdf

Activities: Statistics
Frequency: 1,509 incidents, 448 with confirmed data disclosure
Top Patterns: Web Applications, Miscellaneous Errors and Everything Else represent 81% of breaches
Threat Actors: External (64%), Internal (35%), Partner (2%), Multiple (1%) (breaches)
Actor Motives: Financial (91%), Espionage (3%), Grudge (3%) (breaches)
Data Compromised: Personal (77%), Other (35%), Credentials (35%), Bank (32%) (breaches)
Top Controls: Implement a Security Awareness and Training Program (CSC 17), Boundary Defense (CSC 12), Secure Configurations (CSC 5, CSC 11)


Key cybersecurity terminologies

• Asset: What needs to be protected?
• Threat: Who are the bad guys?
• Vulnerability: Weakness or gap in our security controls
• Risk: Potential for loss, damage or destruction of an asset, due to a threat’s having successfully exploited a vulnerability


Key cybersecurity terminologies

• Asset: Your cell phone
• Threat: Pickpockets
• Vulnerability: No PIN code password
• Risk: Can be stolen in a dangerous city where pickpocketing is rampant


What are the key assets to a bank/financial institution?

Data
Personally identifiable information
Credit ratings
Loans
Contracts
Agreements
Computer systems that provide services


What are the key threats to a bank/financial institution?

Hackers
State-sponsored hackers
Script kiddies
Hacktivists
Cyber terrorists
Inside threats
Phishing scammers


What are the key vulnerabilities to a bank/financial institution?

Complex application logic that may have weaknesses
Users who are not educated on latest phishing attack methods
Misconfiguration in applications


Cyber-Attack chain
Cyber Attack Chain

● Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective.
● The eight steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.


How do burglars go after a specific house?

1. Look out for area where houses may be less secured
2. Identify doors/windows that can be broken into
3. Plan burglary and escape route
4. Get ready the tools to break into the house
5. Break into the house
6. Search through the house for valuables (go to the master bedroom: highest chance of having valuables like cash and jewellery)
7. Grab valuables
8. Run through exit route


How do robbers go after a bank?

1. Look out for branches where the bank branch may be less secured
2. Identify target employees
3. Plan robbery and escape route
4. Get ready tools to rob the bank
5. Run to the bank
6. Break into the bank’s vault or counter’s drawers
7. Grab cash and valuables
8. Run through planned exit route


Hacker’s toolbox

● Kali Linux
○ Open-source penetration testing toolbox
○ Loaded with hundreds of hacking software
○ Used by both white hat and black hat hackers



Kali Linux

● It is free and anyone can download and use it
● Can even run on your cell phone


The Cyber Attack Chain: ideal for analyzing attacks from an adversarial point of view and for identifying gaps in detection, prevention, and security controls.

Recon: Attackers probe for a weakness. This might include harvesting login credentials or information useful in an attack.
Weaponize: Build a deliverable payload using an exploit and a back-door.
Deliver: Sending the weaponised bundle to the victim, for example, a malicious link in an e-mail.
Exploit: Executing code on the victim's system.
Install: Installing malware on the target asset.
C&C: Creating a channel where the attacker can control a system remotely.
Actions on Target: Attacker remotely carries out its intended goal.
Ex-filtration: Pull data out of the target system(s).


The Cyber-Attack Chain and Kali Linux are closely mapped to each other


Reconnaissance

Information gathering
• Passive information gathering for publicly available information
• Active information gathering to probe systems and users for information


Locatefamily.com



Finding information of employees on Social Media



Exercise

● Go to www.linkedin.com
● Can you find your co-workers?
● Can you find who are the top management?
● Can you find colleagues that you have not met before?



Email guessing

● bobmister@bank.com
● misterbob@bank.com
● bm@bank.com



Exercise

● Go to www.facebook.com
● Can you find your co-workers and friends?
● Can you find who are the top management?
● Can you find colleagues that you have not met before?
● Do you know more about their personal lives now?



monitor.firefox.com



www.avast.com/hackcheck



Google hacking database

https://www.exploit-db.com/google-hacking-database



Active vs Passive scanning

● The techniques demonstrated so far are all passive scanning
● Active scanning
○ Knocking on the door of the house to check if anyone is at home
○ Trying to open the door in a bank’s office to see if the security system is working
○ Scanning a computer for openings


Scanning tools

● Network mapper (nmap)
● To scan against a set of computer(s) to look for openings and potentially, vulnerabilities that can be exploited


NMAP Demonstration

Difference between vulnerability assessment and penetration testing

Vulnerability assessment: To uncover potential gaps in the systems
Penetration testing: May include gaining unauthorised access into the systems


Defend Against Reconnaissance

Privatise: Privatise your publicly available information (Facebook, LinkedIn, Google, etc.)
Update: Regularly update your passwords across all accounts
Separate: Separate private and public profiles
Secure systems from exposure: Configuration details should be secured against public access


Weaponization

Creating malicious files to be sent to the victim

Files that can bypass security mechanisms like anti-virus or firewall


Macro Excel Exploit

Macro Excel Exploit Execution

Macro Excel Full Remote Control


MSFVENOM

● A malicious software builder
● Can generate malicious files like pdf, asp, exe, vba and more


Defend Against Weaponization

● Regularly update all your computers and mobile devices
● Do not click on links from unverified senders
● Run the latest anti-virus software


Defend Against Weaponization

● Regularly update all your computers, mobile devices and Internet-connected devices
● Updates address not just new features and functions, but also security holes



Defend Against Weaponization

● Do not click on links from unverified senders
● Some malicious files bypass anti-virus defenses, so you may not get an alert if the file contains malicious code


Defend Against Weaponization

● Run the latest anti-virus software
● The anti-virus is generally updated with the latest signatures to stop new threats
● Similar to vaccination against viruses


Zero-Day Exploits

● Now you will be thinking, if a new threat emerges, does it mean that there are no defenses?


Zero-Day Exploits

● There is a time gap between the exposed vulnerability and the ability
of the software vendor to update with newer and more secure code



Defenses for Zero-Day Exploits

● Compensating security controls
● Virtual patches
● Defense in depth
● For example:
○ If the software is vulnerable at a particular page, access to that page can be blocked by using a firewall until the security patch is available


Demonstration of hacking examples mapped to the Cyber-Attack Chain phases

Delivery

● CREATE FAKE WEBSITE
● CREATE FAKE WIRELESS ACCESS POINT
● MASS EMAIL
● USB


Delivery

http://www.techerator.com/2009/10/preventing-viruses-part-1-email-viruses/


Browser exploitation framework

Live hacking demo on how hackers take over an entire browser session


Exploitation

● Exploit a software weakness inside a computer or phone
● Attacks both operating system and software


Exploitation

● Hackers can search for exploit availability to target against vulnerable services
● Exploit-db.com
● SearchSploit in Kali Linux
● Target against specific application and/or operating system



Common Vulnerabilities and Exposures (CVE)

● Reference for publicly known information-security vulnerabilities and exposures
● Maintained by The MITRE Corporation


Defend Against Exploitation

● Verify links before clicking on them
● Install anti-virus on your computers and mobile devices
● Backup and restore if a hacker gains access into your computer


Installation

Install virus or backdoors into the system

Auto-start virus in the background when computer is booted


Command And Control

Control hacked computers remotely



Actions on Objectives

● Data exfiltration—copying and removing files from computers or servers
● Data corruption—altering or erasing data from computers or servers
● Attacks to destroy—launching harmful applications or queries
● Redirecting browser queries




Security Controls
Security controls you can use to stop the attack chain

● Detect—determine attempts to scan or penetrate the organization
● Deny—stop attacks as they happen
● Disrupt—intercept data communications carried out by the attacker and interrupt them
● Degrade—create measures that will limit the effectiveness of an attack
● Deceive—mislead an attacker by providing false information or setting up decoy assets


Security Controls mapped to the Cyber Attack Chain

Columns: Phase, then Detect / Deny / Disrupt / Degrade / Deceive / Contain

Reconnaissance
● Detect: Web Analytics, Threat Intelligence, Network Intrusion Detection System
● Deny: Information Sharing Policy, Firewall Access Control Lists

Weaponization
● Detect: Threat Intelligence, Network Intrusion Detection System
● Deny: Network Intrusion Prevention System

Delivery
● Detect: Endpoint Malware Protection
● Deny: Change Management, Application Whitelisting, Proxy Filter, Host-Based Intrusion Prevention System
● Disrupt: Inline Anti-Virus
● Degrade: Queuing
● Contain: Router Access Control Lists, App-aware Firewall, Trust Zones, Inter-zone Network Intrusion Detection System

Exploitation
● Detect: Endpoint Malware Protection, Host-Based Intrusion Detection System
● Deny: Secure Password, Patch Management
● Disrupt: Data Execution Prevention
● Contain: App-aware Firewall, Trust Zones, Inter-zone Network Intrusion Detection System

Installation
● Detect: Security Information and Event Management (SIEM), Host-Based Intrusion Detection System
● Deny: Privilege Separation, Strong Passwords, Two-Factor Authentication
● Disrupt: Router Access Control Lists
● Contain: App-aware Firewall, Trust Zones, Inter-zone Network Intrusion Detection System

Command & Control
● Detect: Network Intrusion Detection System, Host-Based Intrusion Detection System
● Deny: Firewall Access Control Lists, Network Segmentation
● Disrupt: Host-Based Intrusion Prevention System
● Degrade: Tarpit
● Deceive: Domain Name System Redirect
● Contain: Trust Zones, Domain Name System Sinkholes

Actions on Objectives
● Detect: Endpoint Malware Protection
● Deny: Data-at-Rest Encryption
● Disrupt: Endpoint Malware Protection
● Degrade: Quality of Service
● Deceive: Honeypot
● Contain: Incident Response

Exfiltration
● Detect: Data Loss Prevention, Security Information and Event Management (SIEM)
● Deny: Egress Filtering
● Disrupt: Data Loss Prevention
● Contain: Firewall Access Control Lists

Security Technologies
Network Architecture – On-premises

https://www.researchgate.net/figure/Hierarchical-Datacenter-Architecture_fig9_322324205

As-a-service model

● Software as a service
● Platform as a service
● Infrastructure as a service



As-a-service examples

Platform Type: Common Examples
SaaS: Google Workspace, Dropbox, Salesforce, Cisco WebEx, Concur, GoToMeeting
PaaS: AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine, Apache Stratos, OpenShift
IaaS: DigitalOcean, Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE)


Pizza as a service



Amazon Web Services Architecture example



How are websites/mobile apps built and deployed?

1. Written in code
2. Uploaded to a computer
3. Users access the computer
4. Computer runs code
5. Computer responds with results


Software development lifecycle

1. Planning
2. Analysis
3. Design
4. Implementation
5. Testing & Integration
6. Maintenance


Anti-virus

Signature based

Behaviour based



Anti-virus: Signature based

● Hacker file contains <open notepad>
● Anti-virus has list of signatures to detect <open notepad> in the file

Pros
• Able to detect quickly

Cons
• Hackers can update file type and the malicious software is no longer detected
• For example, changing to <open open notepad>


Anti-virus: Behavior based

● Execute the file in a sandbox environment
● Detect based on indicators of attack and compromise

For example, a malicious file is executed in the sandbox. If the file tries to delete or encrypt other files, it is an indication of attack.
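The two approaches above, side by side on a constructed sample, as an added illustration that is not course material: the signature engine matches a known byte pattern, so the evasion on the previous slide (rewriting the payload text) defeats it, while the behaviour engine looks at what the file did to other files in the sandbox. The signature database, the sample files, the sandbox event-log format and the bulk threshold are all made up for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed signature database: byte patterns known to appear in malicious files.
SIGNATURES = {
    "notepad-launcher": re.compile(rb"<open notepad>"),
}

# Behaviour-based detection only flags actions against *other* files, and only
# in bulk, so a program that rewrites its own config is not treated as ransomware.
MASS_THRESHOLD = 3  # assumed threshold for this example


def signature_scan(content: bytes) -> List[str]:
    """Return the names of all signatures found in the file content."""
    return [name for name, pat in SIGNATURES.items() if pat.search(content)]


def behaviour_scan(events: List[Tuple[str, str]], own_path: str) -> List[str]:
    """Return indicators of attack seen while the file ran in the sandbox.

    `events` is a constructed sandbox log of (action, target) pairs such as
    ("encrypt", "C:/Users/bob/Documents/q1.xlsx").
    """
    touched: Dict[str, Set[str]] = {}
    for action, target in events:
        if target == own_path:
            continue  # touching its own file is normal behaviour
        touched.setdefault(action, set()).add(target)
    findings = []
    if len(touched.get("encrypt", ())) >= MASS_THRESHOLD:
        findings.append("mass encryption of other files")
    if len(touched.get("delete", ())) >= MASS_THRESHOLD:
        findings.append("mass deletion of other files")
    if "autostart" in touched:
        findings.append("registers itself to run at boot")
    return findings


def verdict(content: bytes, events: List[Tuple[str, str]], own_path: str) -> str:
    """Combine both engines: a signature hit is cheap, behaviour catches the rest."""
    if signature_scan(content):
        return "malicious (signature)"
    if behaviour_scan(events, own_path):
        return "malicious (behaviour)"
    return "clean"


# Constructed samples.  The second file is the slide's evasion: the attacker
# changed the payload text, so the signature no longer matches, but what the
# file does in the sandbox is unchanged.
ORIGINAL = b"macro: <open notepad>; payload follows"
MODIFIED = b"macro: <open open notepad>; payload follows"
OWN = "C:/Users/bob/Downloads/invoice.xlsm"
MALICIOUS_EVENTS = [
    ("read", OWN),
    ("encrypt", "C:/Users/bob/Documents/q1.xlsx"),
    ("encrypt", "C:/Users/bob/Documents/q2.xlsx"),
    ("encrypt", "C:/Users/bob/Documents/notes.docx"),
    ("autostart", "autostart-entry:updater"),
]
BENIGN_EVENTS = [("read", OWN), ("write", OWN), ("delete", "C:/Temp/cache.tmp")]

if __name__ == "__main__":
    print(verdict(ORIGINAL, MALICIOUS_EVENTS, OWN))  # caught by signature
    print(verdict(MODIFIED, MALICIOUS_EVENTS, OWN))  # signature misses, sandbox catches
    print(verdict(MODIFIED, BENIGN_EVENTS, OWN))     # clean
```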


Intrusion prevention/detection systems

https://purplesec.us/intrusion-detection-vs-intrusion-prevention-systems/


Intrusion prevention/detection system example

[Diagram] Inject malicious code into application → Rule 1, Rule 2, Rule 3

Intrusion prevention/detection system example

[Diagram] Regular access → Rule 1, Rule 2, Rule 3 → Access user profile information
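An added example, not from the course, of the rule-based inspection in these two diagrams: a small IDS/IPS in Python runs constructed request lines through rules in order, lets regular access through and stops the injected input; in IDS mode it only alerts, in IPS mode it blocks. The last rule is the virtual patch from the zero-day slide, blocking one page at the boundary until the vendor fix is applied. The rule names, regexes, the `/legacy/report.php` path and the log format are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Rule:
    name: str
    scope: str          # "path" or "query": which part of the request is inspected
    pattern: re.Pattern


# Constructed rule set.  Rules 1-3 are generic attack signatures; the last one
# is a "virtual patch": it blocks a page assumed to have an unpatched flaw
# (placeholder path) until the security patch is available.
RULES = [
    Rule("rule-1-sql-tautology", "query",
         re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)),
    Rule("rule-2-script-tag", "query", re.compile(r"<\s*script", re.IGNORECASE)),
    Rule("rule-3-path-traversal", "path", re.compile(r"(^|/)\.\.(/|$)")),
    Rule("virtual-patch-legacy-report", "path", re.compile(r"^/legacy/report\.php$")),
]


def inspect(request_line: str, mode: str = "ips") -> Tuple[str, Optional[str]]:
    """Run one request line through the rules in order.

    request_line looks like "GET /profile?id=42" (a constructed log format).
    An IDS only raises an alert; an IPS sits inline and blocks the request.
    Returns (decision, matched_rule_name).
    """
    _method, target = request_line.split(" ", 1)
    parts = urlsplit(target)
    # Decode percent-encoding first so "%27%20or%20" is seen as "' or ".
    fields = {"path": unquote(parts.path), "query": unquote(parts.query)}
    for rule in RULES:
        if rule.pattern.search(fields[rule.scope]):
            return ("block" if mode == "ips" else "alert", rule.name)
    return ("allow", None)


def run(log_lines: List[str], mode: str = "ips") -> List[Tuple[str, str, Optional[str]]]:
    """Inspect every line of a constructed access log; returns [(line, decision, rule)]."""
    return [(line, *inspect(line, mode)) for line in log_lines]


# Constructed sample traffic: the slide's two cases plus the virtual-patch page.
SAMPLE_LOG = [
    "GET /profile?id=42",
    "GET /profile?id=42%27%20or%20%271%27=%271",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "GET /static/../../etc/passwd",
    "GET /legacy/report.php?year=2021",
]

if __name__ == "__main__":
    for line, decision, rule in run(SAMPLE_LOG):
        print(f"{decision:5}  {rule or '-':30}  {line}")
```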


Security monitoring systems

https://gbhackers.com/security-information-and-event-management-siem-a-detailed-explanation/


Identity & Access Management

Who can access what


Identity & Access Management Example

Entering a bank
• If you are a customer, you are only allowed access to the branch and to the counters
• If you are a bank staff, you are only allowed access into the office segment of the branch

Entering a building
• You are only allowed access if you have an access card
• In order to obtain the access card, your identity has been provided and the building gives you the rights to access its floors
• Sometimes, you are only allowed access to a single floor or to specific rooms in that floor.

Authentication vs Authorisation

Authentication is proving you are who you say you are
• Username and password
• Multi-factor authentication
• Biometric

Authorisation is whether you have access
• I have logged in, what can I do?
• Can I transfer money out of the account?
• Can I have administrative power to view others’ account statement?


Bank’s Identity & Access Management System


Different levels of access

● Login to view account details
● Transactions require challenge
○ Multi-factor authentication challenges to confirm on transaction and to additionally verify on the requestor’s identity


Code scanning (Static application security testing)

● Scans application source code to test for a range of vulnerabilities
● Detect problems early in the development lifecycle


Vulnerability scanners

● Attached to the integrated development environment
● Scans code before it is published to production environment

https://www.plutora.com/blog/what-staging-environment-how-get-it-right

Backups

● Saving data into a separate repository for safeguard and future recovery
● Highly common practice in most large enterprises, financial institutions and banks
● Need to comply with regulatory requirements



Backups recovery process must be tested regularly

● Backup process is part of day to day business
● However, attempts to recover from existing backups may be lackluster
● Need to run backup recovery regularly to check operations’ ability to recover from a cyber-attack
● Can be part of incident response management


Threat Modelling against financial services organization

What is a security architecture?

Security architecture is a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible.


Threat Modelling

“Know the enemy and know yourself in a hundred battles you will never be in peril.
When you are ignorant of the enemy but know yourself, your chances of winning or losing
are equal. If ignorant both of your enemy and of yourself, you are certain in every battle to be
in peril.” – Sun Tzu



What is Threat Modelling?

● Threat modeling is a structured process with these objectives:
○ Identify security requirements
○ Pinpoint security threats and potential vulnerabilities
○ Quantify threat and vulnerability criticality
○ Prioritise remediation methods


What are the threats?

● Profiles of potential attackers, including their goals and methods
● A catalog of threats
○ Which threat has a higher probability of occurring?
● Security responses and/or controls against these attackers


Threat Modelling Process

● Identify Assets
● Create an Architecture Overview
● Decompose the Application
● Identify the Threats
● Document the Threats
● Rate the Threats



Threat Modelling Process

Identify Assets
• Website for users
• HR site for internal employees
• Web server that can spin up quickly
• Information in database

Create an Architecture Overview
• How are accesses made?
• Where are the trust boundaries?

Decompose the Application
• What are the critical access paths?
• What are the critical components?

Identify the Threats
• Who could be targeting our websites?

Document the Threats
• Common threats
• Advanced threats

Rate the Threats
• What is the impact to the organization?


Threat Models - STRIDE Model

● Spoofing

○ Pretending to be something/someone else

● Tampering

○ Unauthorized modifications

● Repudiation

○ Unable to prove responsibility of actions

● Information disclosure

○ Giving data to others who should not know

● Denial of service

○ Rendering service unavailable

● Elevation of privilege

○ Moving from normal user to administrative rights


Day to day threat modelling

If I am joining today’s class virtually, could my Internet be going down?
• What are the threats to my Internet connectivity in order to attend this class?
• Kids turning off the router

If today’s class is held in-person at a specific location, what could go wrong?
• What are the threats for the journey from my home to the classroom?
• Car may knock you down


Types of threats

● Adversarial threats
○ Hackers, 3rd party vendors, insiders and suppliers
● Natural disasters
○ Hurricanes, flood, earthquake, fire and lightning
● System failure
○ Hardware issues, power outages
● Human error
○ Accidental deletion, incorrect logic, misconfiguration of security settings


Threat modelling example

● Customer can login to the bank’s portal
● Bank’s portal is accessible through the Internet
● Hacker can launch brute force authentication
○ Limit 5 retries before IP address is blocked
● Hacker can guess username and password in order to login to the website
○ Limit 5 retries before IP address is blocked
● Customer falls victim to social engineering attack and gives up username and password to scammer
○ Track IP address of customer and country origin
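The countermeasures in this threat model as working code, added here and not part of the course material: a source IP is blocked after 5 failed attempts, and a correct password arriving from a country the customer has never logged in from gets a step-up challenge instead of a plain login (the stolen-credentials case). The block duration, the prefix-based GeoIP table and the `LoginGuard` class are assumptions for this example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Set

# Limit from the slide: 5 retries before the IP address is blocked.
MAX_FAILURES = 5
# The slide gives no block duration; 15 minutes is an assumption for this example.
BLOCK_SECONDS = 15 * 60

# Stand-in for a GeoIP database, keyed on address prefix (constructed, documentation ranges).
GEOIP_PREFIXES = {"203.0.113.": "SG", "198.51.100.": "US"}


def country_of(ip: str) -> str:
    for prefix, country in GEOIP_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "unknown"


class LoginGuard:
    """Tracks failed logins per source IP and the countries each customer logs in from."""

    def __init__(self, max_failures: int = MAX_FAILURES, block_seconds: int = BLOCK_SECONDS):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> failure times
        self.blocked_until: Dict[str, float] = {}                     # ip -> expiry time
        self.seen_countries: Dict[str, Set[str]] = defaultdict(set)    # user -> countries

    def _is_blocked(self, ip: str, now: float) -> bool:
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del self.blocked_until[ip]       # block has expired; start counting afresh
        self.failures[ip].clear()
        return False

    def attempt(self, user: str, ip: str, password_ok: bool, now: float) -> str:
        """Returns "blocked", "failed", "challenge" (step-up MFA needed) or "ok"."""
        if self._is_blocked(ip, now):
            return "blocked"              # even a correct password is refused while blocked
        if not password_ok:
            recent = self.failures[ip]
            recent.append(now)
            while recent and now - recent[0] > self.block_seconds:
                recent.popleft()          # only count failures inside the window
            if len(recent) >= self.max_failures:
                self.blocked_until[ip] = now + self.block_seconds
            return "failed"
        self.failures[ip].clear()
        country = country_of(ip)
        known = self.seen_countries[user]
        new_country = bool(known) and country not in known
        known.add(country)
        # A valid password from a country this customer never used before matches the
        # "gave up the password to a scammer" case: require an MFA challenge before login.
        return "challenge" if new_country else "ok"
```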


Threat modelling Exercise

You are a security analyst working in a bank and have been tasked to work on threat modelling against the bank’s new website before its launch date in 3 months’ time.
● Identify threats to the bank’s new website
● Identify threat paths
● Map to STRIDE
● Provide countermeasure options
● Less than 100 words


What is the 1st phase of the cyber attack chain?

A. Recon
B. Weaponize
C. Deliver



Which is NOT a type of cybercriminal?

A. State/Nation Sponsored Hackers
B. Cyber Terrorists
C. Cyber Influencer




Which is NOT a cyber crime?

A. Computer as a target
B. Computer as a tool to launch attacks
C. Online harassment
D. Computer harvestor



Which is the last phase of the cyber attack chain?

A. Weaponization
B. Delivery
C. Ex-filtration



On average, how long does it take hackers
to gain access into your computers?

A. Minutes
B. Hours
C. Weeks
D. Months



Exercise. Let’s rob a bank!

https://terminal.cyberskillslesson.com/



What did you learn?
What have we learned today?
Tutorial
● Cyber-Attack chain
○ Reconnaissance
○ Weaponization
○ Delivery
○ Exploitation
○ Installation
○ Command and Control
○ Actions on Objective
● Demonstration of hacking examples mapped to the Cyber-Attack Chain phases
● Security technologies
○ Anti-virus
○ Security monitoring
○ Intrusion detection and prevention systems
○ Biometrics
○ Security controls


What have we learned today?
Activity
● Map security controls against cyber-attack chain
● Threat modeling



Thank you!
