
Cybersecurity - Module 2


Module 2: Attacks, Concepts and Techniques
2.1 Analyzing a Cyber Attack
2.1.1 Types of Malware
Cybercriminals use many different types of malicious software, or malware, to carry out their
activities. Malware is any code that can be used to steal data, bypass access controls, or cause
harm to or compromise a system. Knowing what the different types are and how they spread
is key to containing and removing them.
1. Spyware
Designed to track and spy on you, spyware monitors your online activity and can log every key
you press on your keyboard, as well as capture almost any of your data, including sensitive
personal information such as your online banking details. Spyware does this by modifying the
security settings on your devices.
It often bundles itself with legitimate software or Trojan horses.
2. Adware
Adware is often installed with some versions of software and is designed to automatically
deliver advertisements to a user, most often on a web browser. You know it when you see it!
It’s hard to ignore when you’re faced with constant pop-up ads on your screen.
It is common for adware to come with spyware.
3. Backdoor
This type of malware is used to gain unauthorized access by bypassing the normal
authentication procedures to access a system. As a result, hackers can gain remote access to
resources within an application and issue remote system commands.
A backdoor works in the background and is difficult to detect.
4. Ransomware
This malware is designed to hold a computer system or the data it contains captive until a
payment is made. Ransomware usually works by encrypting your data so that you can’t access
it.
Some versions of ransomware can take advantage of specific system vulnerabilities to lock it
down. Ransomware is often spread through phishing emails that encourage you to download a
malicious attachment or through a software vulnerability.
5. Scareware
This is a type of malware that uses ‘scare’ tactics to trick you into taking a specific action.
Scareware mainly consists of operating system style windows that pop up to warn you that
your system is at risk and needs to run a specific program for it to return to normal operation.
If you agree to execute the specific program, your system will become infected with malware.
6. Rootkit
This malware is designed to modify the operating system to create a backdoor, which attackers
can then use to access your computer remotely. Most rootkits take advantage of software
vulnerabilities to gain access to resources that normally shouldn’t be accessible (privilege
escalation) and modify system files.
Rootkits can also modify system forensics and monitoring tools, making them very hard to
detect. In most cases, a computer infected by a rootkit has to be wiped and any required
software reinstalled.
7. Virus
A virus is a type of computer program that, when executed, replicates and attaches itself to
other executable files, such as a document, by inserting its own code. Most viruses require
end-user interaction to initiate activation and can be written to act on a specific date or time.
Viruses can be relatively harmless, such as those that display a funny image. Or they can be
destructive, such as those that modify or delete data.
Viruses can also be programmed to mutate in order to avoid detection. Most viruses are
spread by USB drives, optical disks, network shares or email.
8. Trojan horse
This malware carries out malicious operations by masking its true intent. It might appear
legitimate but is, in fact, very dangerous. Trojans exploit your user privileges and are most
often found in image files, audio files or games.
Unlike viruses, Trojans do not self-replicate but act as a decoy to sneak malicious software past
unsuspecting users.
9. Worms
This is a type of malware that replicates itself in order to spread from one computer to
another. Unlike a virus, which requires a host program to run, worms can run by themselves.
Other than the initial infection of the host, they do not require user participation and can
spread very quickly over the network.
Worms share similar patterns: They exploit system vulnerabilities, they have a way to
propagate themselves, and they all contain malicious code (payload) to cause damage to
computer systems or networks.
Worms are responsible for some of the most devastating attacks on the Internet. In 2001, the
Code Red worm had infected over 300,000 servers in just 19 hours.
2.1.2 Symptoms of Malware
So now you know about the different kinds of malware. But what do you think their
symptoms might be?
Regardless of the type of malware a system has been infected with, there are some
common symptoms to look out for. These include:
• An increase in central processing unit (CPU) usage, which slows down your device.
• Your computer freezing or crashing often.
• A decrease in your web browsing speed.
• Unexplainable problems with your network connections.
• Modified or deleted files.
• The presence of unknown files, programs or desktop icons.
• Unknown processes running.
• Programs turning off or reconfiguring themselves.
• Emails being sent without your knowledge or consent.
2.2 Methods of infiltration
2.2.1 Social Engineering
Social engineering is the manipulation of people into performing actions or divulging confidential
information. Social engineers often rely on people’s willingness to be helpful, but they also prey on their
weaknesses. For example, an attacker will call an authorized employee with an urgent problem that
requires immediate network access and appeal to the employee’s vanity or greed or invoke authority by
using name-dropping techniques in order to gain this access.
Some common types of social engineering attacks include:
1. Pretexting
This is when an attacker calls an individual and lies to them in an attempt to gain access to privileged
data.
For example, pretending to need a person’s personal or financial data in order to confirm their identity.
2. Tailgating
This is when an attacker quickly follows an authorized person into a secure, physical location.
3. Something for something (quid pro quo)
This is when an attacker requests personal information from a person in exchange for something, like a
free gift.
2.2.2 Denial-of-Service
Denial-of-Service (DoS) attacks are a type of network attack that is relatively simple to
carry out, even by an unskilled attacker. A DoS attack results in some sort of
interruption of network service to users, devices or applications.
The two main types of DoS attacks are:
1. Overwhelming quantity of traffic
This is when a network, host or application is sent an enormous amount of data at a
rate which it cannot handle. This causes a slowdown in transmission or response, or
the device or service to crash.
2. Maliciously formatted packets
A packet is a collection of data that flows between a source and a receiver computer or
application over a network, such as the Internet. When a maliciously formatted packet
is sent, the receiver will be unable to handle it.
For example, if an attacker forwards packets containing errors or improperly formatted
packets that cannot be identified by an application, this will cause the receiving device
to run very slowly or crash.
2.2.3 Distributed DoS
A Distributed DoS (DDoS) attack is similar to a DoS attack but originates from multiple,
coordinated sources. For example:
An attacker builds a network (botnet) of infected hosts called zombies, which are
controlled by handler systems.
The zombie computers will constantly scan and infect more hosts, creating more and
more zombies.
When ready, the hacker will instruct the handler systems to make the botnet of
zombies carry out a DDoS attack.
2.2.4 Botnet
A bot computer is typically infected by visiting an unsafe website or opening an infected email
attachment or infected media file. A botnet is a group of bots connected through the internet,
that can be controlled by a malicious individual or group. It can have tens of thousands, or
even hundreds of thousands, of bots that are typically controlled through a command and
control server.
These bots can be activated to distribute malware, launch DDoS attacks, distribute spam
email, or execute brute-force password attacks. Cybercriminals will often rent out botnets to
third parties for nefarious purposes.
Many organizations, like Cisco, force network activities through botnet traffic filters to identify
any botnet locations.
1. Infected bots try to communicate with a command and control host on the internet.
2. The Cisco Firewall botnet filter is a feature that detects traffic coming from devices
infected with the malicious botnet code.
3. The cloud-based Cisco security intelligence operations (SIO) service pushes down updated
filters to the firewall that match traffic from new known botnets.
4. Alerts go out to Cisco’s internal security team to notify them about the infected devices
that are generating malicious traffic so that they can prevent, mitigate and remedy these.
2.2.5 On-path Attacks
On-path attackers intercept or modify communications between two devices, such as a web
browser and a web server, either to collect information from or to impersonate one of the
devices.
This type of attack is also referred to as a man-in-the-middle or man-in-the-mobile attack.
1. MAN-IN-THE-MIDDLE (MITM)
A MitM attack happens when a cybercriminal takes control of a device without the user’s
knowledge. With this level of access, an attacker can intercept and capture user information
before it is sent to its intended destination. These types of attacks are often used to steal
financial information.
There are many types of malware that possess MitM attack capabilities.
2. MAN-IN-THE-MOBILE (MITMO)
A variation of man-in-the-middle, MitMo is a type of attack used to take control over a user’s
mobile device. When infected, the mobile device is instructed to exfiltrate user-sensitive
information and send it to the attackers. ZeuS is one example of a malware package with
MitMo capabilities. It allows attackers to quietly capture two-step verification SMS messages
that are sent to users.
2.2.6 SEO Poisoning
You’ve probably heard of search engine optimization or SEO which, in simple terms, is
about improving an organization’s website so that it gains greater visibility in search
engine results.
Search engines such as Google work by presenting a list of web pages to users based
on their search query. These web pages are ranked according to the relevancy of their
content.
While many legitimate companies specialize in optimizing websites to better position
them, attackers take advantage of popular search terms and use SEO to push malicious
sites higher up the rank of search results. This technique is called SEO poisoning.
The most common goal of SEO poisoning is to increase traffic to malicious sites that
may host malware or attempt social engineering.
2.2.7 Wi-Fi password cracking
You’re enjoying your lunch in the canteen when a colleague approaches you. They
seem distressed.
They explain that they can’t seem to connect to the public Wi-Fi on their phone and
ask if you have the private Wi-Fi password to hand so that they can check that their
phone is working.
How would you respond?
2.2.8 Password Attacks
Entering a username and password is one of the most popular forms of authenticating to a
website. Therefore, uncovering your password is an easy way for cybercriminals to gain access
to your most valuable information. Some common password security attacks include:
1. Password spraying
This technique attempts to gain access to a system by ‘spraying’ a few commonly used
passwords across a large number of accounts. For example, a cybercriminal uses
‘Password123’ with many usernames before trying again with a second commonly-used
password, such as ‘qwerty’.
This technique allows the perpetrator to remain undetected as they avoid frequent account
lockouts.
2. Dictionary attacks
A hacker systematically tries every word in a dictionary or a list of commonly used words as a
password in an attempt to break into a password-protected account.
3. Brute-force attacks
The simplest and most commonly used way of gaining access to a password-protected site,
brute-force attacks see an attacker using all possible combinations of letters, numbers and
symbols in the password space until they get it right.
4. Rainbow attacks
Passwords in a computer system are not stored as plain text, but as hashed values
(numerical values that uniquely identify data). A rainbow table is a large dictionary of
precomputed hashes and the passwords from which they were calculated.
Unlike a brute-force attack that has to calculate each hash, a rainbow attack compares
the hash of a password with those stored in the rainbow table. When an attacker finds
a match, they identify the password used to create the hash.
5. Traffic interception
Plain text or unencrypted passwords can be easily read by other humans and
machines by intercepting communications.
If you store a password in clear, readable text, anyone who has access to your account
or device, whether authorized or unauthorized, can read it.
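To show why a rainbow attack works against unsalted hashes and fails against salted ones, here is an added Python example (written for these notes, not part of the course material): it precomputes a lookup table from a constructed word list, recovers an unsalted SHA-256 hash with a single lookup, and then shows that a per-user salt with PBKDF2 forces an attacker back to computing every candidate hash for every user. The word list, record format and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a list of common passwords (a real dictionary
# would hold millions of entries; six are enough to show the mechanism).
WORDLIST = ["password", "Password123", "qwerty", "letmein", "123456", "welcome1"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once, for an unsalted hash function.

    This is the principle behind a rainbow table (real ones compress the
    table with hash chains; a plain dictionary shows the same effect)."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup(table, stored_hash):
    """Recover a password with one dictionary lookup and no hashing at all."""
    return table.get(stored_hash)


def store_unsalted(password):
    """Weak storage: the same password always yields the same hash."""
    return sha256_hex(password.encode())


def store_salted(password, salt=None, iterations=100_000):
    """Stronger storage: a random per-user salt plus a slow key-derivation
    function (PBKDF2-HMAC-SHA256 from the standard library). Production
    systems should use a far higher iteration count than this demo default."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def kdf_calls_to_guess(record, words):
    """Against a salted record the precomputed table is useless: each candidate
    must be re-derived with this user's salt. Returns (password_or_None, calls)."""
    calls = 0
    for w in words:
        calls += 1
        if verify_salted(w, record):
            return w, calls
    return None, calls


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, table lookup:", lookup(table, store_unsalted("qwerty")))
    rec = store_salted("qwerty")
    print("salted, table lookup:", lookup(table, rec.split("$")[2]))
    print("salted, per-user derivation:", kdf_calls_to_guess(rec, WORDLIST))
```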
2.2.9 Advanced Persistent Threats
Attackers also achieve infiltration through APTs: multi-phase, long-term, stealthy and
advanced operations against a specific target. For these reasons, an individual attacker
often lacks the skill set, resources or persistence to perform APTs.
Due to the complexity and the skill level required to carry out such an attack, an APT is
usually well-funded and typically targets organizations or nations for business or
political reasons.
Its main purpose is to deploy customized malware on one or more of the target’s
systems and remain there undetected.
In order to prevent cybercriminals from launching a cyber attack, organizations need to
be constantly checking for security vulnerabilities in their systems and networks.
2.3 Security vulnerabilities and exploits
Security vulnerabilities are any kind of software or hardware defect. A program written
to take advantage of a known vulnerability is referred to as an EXPLOIT. A cybercriminal
can use an exploit against a vulnerability to carry out an attack, the goal of which is to
gain access to a system, the data it hosts or a specific resource.
2.3.1 Hardware Vulnerabilities
Hardware vulnerabilities are most often the result of hardware design flaws. For example, the
type of memory called RAM basically consists of lots of capacitors (a component which can
hold an electrical charge) installed very close to one another. However, it was soon discovered
that, due to their close proximity, changes applied to one of these capacitors could influence
neighbor capacitors. Based on this design flaw, an exploit called Rowhammer was created. By
repeatedly accessing (hammering) a row of memory, the Rowhammer exploit triggers
electrical interferences that eventually corrupt the data stored inside the RAM.
Meltdown and Spectre
Google security researchers discovered Meltdown and Spectre, two hardware vulnerabilities
that affect almost all central processing units (CPUs) released since 1995 within desktops,
laptops, servers, smartphones, smart devices and cloud services.
Attackers exploiting these vulnerabilities can read all memory from a given system
(Meltdown), as well as data handled by other applications (Spectre). The Meltdown and
Spectre vulnerability exploitations are referred to as side-channel attacks (information is
gained from the implementation of a computer system). They have the ability to compromise
large amounts of memory data because the attacks can be run multiple times on a system with
very little possibility of a crash or other error.
Hardware vulnerabilities are specific to device models and are not generally exploited
through random compromising attempts. While hardware exploits are more common
in highly targeted attacks, traditional malware protection and good physical security
are sufficient protection for the everyday user.
2.3.2 Software Vulnerabilities
Software vulnerabilities are usually introduced by errors in the operating system or
application code. An example of a software vulnerability is the SYNful Knock
vulnerability discovered in Cisco Internetwork Operating System (IOS) in 2015.
The SYNful Knock vulnerability allowed attackers to gain control of enterprise-grade
routers, such as the legacy Cisco ISR routers, from which they could monitor all
network communication and infect other network devices.
This vulnerability was introduced into the system when an altered IOS version was
installed on the routers. To avoid this, you should always verify the integrity of the
downloaded IOS image and limit the physical access of such equipment to authorized
personnel only.
2.3.3 Categorizing Software Vulnerabilities
Most software vulnerabilities fall into several main categories.
• Buffer overflow
Buffers are memory areas allocated to an application. A vulnerability occurs when data is
written beyond the limits of a buffer. By changing data beyond the boundaries of a buffer, the
application can access memory allocated to other processes. This can lead to a system crash or
data compromise, or provide escalation of privileges.
• Non-validated input
Programs often require data input, but this incoming data could have malicious content,
designed to force the program to behave in an unintended way.
For example, consider a program that receives an image for processing. A malicious user could
craft an image file with invalid image dimensions. The maliciously crafted dimensions could
force the program to allocate buffers of incorrect and unexpected sizes.
• Race conditions
This vulnerability describes a situation where the output of an event depends on ordered or
timed outputs. A race condition becomes a source of vulnerability when the required ordered
or timed events do not occur in the correct order or at the proper time.
• Weaknesses in security practices
Systems and sensitive data can be protected through techniques such as authentication,
authorization and encryption.
Developers should stick to using security techniques and libraries that have already been
created, tested and verified and should not attempt to create their own security algorithms.
These will only likely introduce new vulnerabilities.
• Access control problems
Access control is the process of controlling who does what and ranges from managing physical
access to equipment to dictating who has access to a resource, such as a file, and what they
can do with it, such as read or change the file. Many security vulnerabilities are created by the
improper use of access controls.
Nearly all access controls and security practices can be overcome if an attacker has physical
access to target equipment. For example, no matter the permission settings on a file, a hacker
can bypass the operating system and read the data directly off the disk. Therefore, to protect
the machine and the data it contains, physical access must be restricted, and encryption
techniques must be used to protect data from being stolen or corrupted.
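As an added illustration of the buffer overflow and non-validated input categories above (example code written for these notes, not part of the Cisco course), the following Python script parses a small constructed image header and contrasts a parser that trusts the dimensions in the file with one that validates them before sizing a buffer. The header layout, the function names and the pixel limit are assumptions made for the example; the unchecked version emulates the 32-bit arithmetic of a native program so the wraparound is visible.

```python
import struct

# Constructed header layout used only for this example (not a real image
# format): magic b"IMG1", width and height as unsigned 32-bit little-endian
# integers, then bytes-per-pixel as one byte, followed by the pixel data.
HEADER = struct.Struct("<4sIIB")
MAX_PIXELS = 64 * 1024 * 1024      # policy limit: refuse absurdly large images
UINT32_MAX = 0xFFFFFFFF


def make_image(width, height, bpp, pixels):
    """Build a sample file in the constructed format."""
    return HEADER.pack(b"IMG1", width, height, bpp) + pixels


def parse_unchecked(blob):
    """The 'before' version: trusts the dimensions found in the file.

    Emulates a C program computing n = w * h * bpp in 32-bit arithmetic,
    allocating n bytes, then looping over every pixel to fill the buffer.
    Returns (allocated_bytes, bytes_the_pixel_loop_would_write)."""
    _magic, w, h, bpp = HEADER.unpack_from(blob)
    allocated = (w * h * bpp) & UINT32_MAX   # the product wraps around
    written = w * h * bpp                     # what the per-pixel loop writes
    return allocated, written


def overflow_bytes(blob):
    """How far past its buffer the unchecked version would write (0 = safe)."""
    allocated, written = parse_unchecked(blob)
    return max(0, written - allocated)


def parse_validated(blob):
    """Hardened version: every field is checked before it sizes a buffer.
    Returns (width, height, bpp, buffer_size) or raises ValueError."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, w, h, bpp = HEADER.unpack_from(blob)
    if magic != b"IMG1":
        raise ValueError("bad magic")
    if w == 0 or h == 0 or bpp not in (1, 3, 4):
        raise ValueError("invalid dimensions or colour depth")
    # Python integers do not wrap, so this comparison is exact; in C you
    # would check w <= MAX_PIXELS // h before multiplying.
    if w * h > MAX_PIXELS:
        raise ValueError("image too large")
    needed = w * h * bpp
    payload = len(blob) - HEADER.size
    if payload != needed:
        raise ValueError(f"pixel data is {payload} bytes, header implies {needed}")
    return w, h, bpp, needed


def is_rejected(blob):
    """True when the validated parser refuses the file."""
    try:
        parse_validated(blob)
        return False
    except ValueError:
        return True


# Constructed samples: a benign 2x2 RGB image, and a crafted header whose
# dimensions multiply to 2**34, which truncates to 0 in 32-bit arithmetic.
BENIGN = make_image(2, 2, 3, b"\x00" * 12)
CRAFTED = make_image(65536, 65536, 4, b"\x41" * 100)

if __name__ == "__main__":
    print("benign, validated:", parse_validated(BENIGN))
    print("crafted, unchecked (allocated, written):", parse_unchecked(CRAFTED))
    print("crafted, bytes written past the buffer:", overflow_bytes(CRAFTED))
    print("crafted rejected by validated parser:", is_rejected(CRAFTED))
```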
2.3.4 Software Updates
The goal of software updates is to stay current and avoid exploitation of vulnerabilities.
Microsoft, Apple and other operating system producers release patches and updates
almost every day, and applications such as web browsers, mobile apps and web servers
are often updated by the companies or organizations responsible for them.
Despite the fact that organizations put a lot of effort into finding and patching software
vulnerabilities, new vulnerabilities are discovered regularly. That’s why some
organizations use third-party security researchers who specialize in finding
vulnerabilities in software, or actually invest in their own penetration testing teams
dedicated to searching for, finding and patching software vulnerabilities before they can
get exploited.
Google’s Project Zero is a great example of this practice. After discovering a number of
vulnerabilities in various software used by end users, Google formed a permanent
team dedicated to finding software vulnerabilities.
2.4 The Cybersecurity Landscape
You’ve probably heard of cryptocurrency, but do you know exactly what it is and how it
works?
2.4.1 Cryptocurrency
Cryptocurrency is digital money that can be used to buy goods and services, using strong
encryption techniques to secure these online transactions. Banks, governments and even
companies like Microsoft and AT&T are very aware of its importance and are jumping on the
currency bandwagon!
• Cryptocurrency owners keep their money in encrypted, virtual ‘wallets’. When a transaction
takes place between the owners of two digital wallets, the details are recorded in a
decentralized, electronic ledger or blockchain system. This means it is carried out with a
degree of anonymity and is self-managed, with no interference from third parties such as
central banks or government entities.
• Approximately every ten minutes, special computers collect data about the latest
cryptocurrency transactions, turning them into mathematical puzzles to maintain
confidentiality. These transactions are then verified through a technical and highly complex
process known as ‘mining’. This step typically involves an army of ‘miners’ working on
high-end PCs to solve mathematical puzzles and authenticate transactions.
• Once verified, the ledger is updated and electronically copied and disseminated worldwide
to anyone belonging to the blockchain network, effectively completing a transaction.
2.4.2 Cryptojacking
Cryptojacking is an emerging threat that hides on a user’s computer, mobile phone,
tablet, laptop or servers, using that machine’s resources to ‘mine’ cryptocurrencies
without the user’s consent or knowledge.
Many victims of cryptojacking didn’t even know they’d been hacked until it was too late!
It’s clear that the cyber landscape is changing. And while the rise of cryptocurrency
has produced lots of opportunity, it also exposes more vulnerabilities, making it easier
than ever before for hackers to steal huge sums of money online.
END