CST 8249 – Network Security

About this course …
• Most of this course material is sourced from the Cisco Networking Academy CyberOps Associate course (Cisco Certified CyberOps Associate, netacad.com).

Cybersecurity Legal Issues
Cybersecurity professionals must have the same or similar skills as threat actors, but must work within legal boundaries.
– Just because you can hack someone does not mean you should.
– It is ethically wrong.
– Also, threat actors always leave traces behind …
There are legal consequences to hacking:
– Most countries have cybersecurity laws in place.
– If you break cybersecurity laws, you could be prosecuted, fined, and possibly sentenced.
– Countries are increasingly cooperating in this area.
The bottom line is …

Cybersecurity Ethical Issues
Cybersecurity professionals must demonstrate ethical behavior.
– Ethics is the little voice in your head that tells you what is right and what is wrong, guiding you to make the right decisions.
– Ethical principles are often the foundation of many of the laws currently in place.
Ethics is a standard that is higher than the law.
– It is a set of moral principles that govern civil behavior.
– Often referred to as “codes of ethics”.
Individuals that violate the code of ethics can face consequences.
– E.g., loss of certification, loss of employment, and even prosecution by criminal or civil courts.
There are many areas in cybersecurity that are not covered by laws.
– Therefore, many IT organizations have created their own codes of ethics, for example:
• Computer Ethics Institute (CEI)
• Internet Activities Board (IAB)
• Generally Accepted System Security Principles (GASSP)
• International Information Systems Security Certification Consortium, Inc. (ISC)2 Code of Ethics

Ethics Quiz

The Ten Commandments of Computer Ethics (Computer Ethics Institute)
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software which is not paid for.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program being written or the system being designed.
10. Thou shalt always use a computer in ways that ensure consideration and respect for fellow humans.

Ethical Hacking Statement
The Cisco Networking Academy Program is focused on creating the global problem solvers needed to build, scale, secure, and defend the networks that are used in our businesses and daily lives. Training to become a cybersecurity specialist requires in-depth understanding of and exposure to how cyber attacks occur, as well as how they are detected and prevented. These skills will naturally also include learning the techniques that threat actors use to circumvent data, privacy, and computer and network security.

In this course, you will use tools and techniques in a “sandboxed” VM environment that allows you to create, implement, monitor, and detect various types of cyber attacks. The hands-on training is performed in this environment so that students can gain the necessary skills and knowledge needed to thwart these and future cyber attacks.

Security holes and vulnerabilities that are created in this course should only be used in an ethical manner and only in this “sandboxed” virtual environment. Experimentation with these tools, techniques, and resources outside of the provided sandboxed virtual environment is not permitted. Unauthorized access to data, computer, and network systems is a crime in many jurisdictions and often is accompanied by severe consequences, regardless of the perpetrator’s motivations. It is your responsibility to be aware of and compliant with computer use laws.
CST8249 – NetSec 1

NetSec-1
CyberOps Mod1: The Danger
• War Stories
• Threat Actors
• Threat Impact
CyberOps Mod13: Attackers and Their Tools
• Who is Attacking Our Network?
• Threat Actor Tools
CyberOps Mod14: Common Threats and Attacks
• Malware
• Common Network Attacks – Reconnaissance, Access, and Social Engineering
• Network Attacks – Denial of Service, Buffer Overflows, and Evasion

War Stories – Hijacked People
You’re at McDonald’s and want to check your bank account to see if you got paid.
A threat actor set up an open “rogue” (i.e., evil twin) wireless hotspot posing as a legitimate wireless network.
You unsuspectingly connected to the threat actor’s wireless hotspot.
The threat actor has created a man-in-the-middle attack, hijacks your session, and gains access to your bank account.

War Stories – Hijacked People
Stop, Think, and Connect:
– STOP: Make sure security measures are in place.
– THINK: Consider the consequences of your actions and online behavior.
– CONNECT: Enjoy the internet.
Protect yourself online:
– Lock down your logins
– Keep a clean machine
– Secure personal information
– When in doubt, throw it out
– Share with care
– Manage your online presence

War Stories – Ransomed Companies
You are in a hotel lobby checking your email and have just received an email from your CEO with an attached document.
You read the email and open the document, which contains insignificant information.
The problem is that this was a phishing email containing ransomware that you have now unknowingly installed on your computer.
Ransomware propagates to other systems, gathers data, and eventually encrypts corporate data, locking access to all of it.
– The threat actors hold the company’s data for ransom until they are paid (typically in bitcoins).
War Stories – Ransomed Companies
– Timing …
– Thrive in disasters …
– Motivation $$$
– Nation State Sponsored

War Stories – Targeted Nations
Nation-state threats are related to attacks on infrastructure, the military and businesses.
– It is usually difficult to identify the threat actors because they always shift the blame to independent cyber gangs, foreign entities or hacktivists.
The purpose behind the attacks can vary and might include:
– Military espionage.
– Influencing public opinion through disinformation disseminated via social media.
– Manipulating government decision-making processes.
– Gaining control of foreign governments’ systems.

War Stories – Targeted Nations
In the mid 2000s, Iran was enriching uranium with the goal of producing nuclear weapons.
– To do so, they used uranium enrichment centrifuges.
The Stuxnet worm was developed to damage the centrifuges in Iran’s nuclear facilities.
– Specifically, it targeted the Siemens “Step 7” software that controls the centrifuges’ programmable logic controllers (PLCs).
– The software to communicate with the PLCs was Windows-based.
The Iranian network controlling the centrifuges was “air gapped” (i.e., closed).
– The vector of infection was an infected USB drive that was connected to a Windows computer in Iran’s nuclear facility.
– The malware altered code in the centrifuges’ PLCs and eventually damaged them.

War Stories – Targeted Nations
Canadian Security Intelligence Service (CSIS)
Communications Security Establishment (CSE)

War Stories – Hacking Home Devices …
War Stories – Hacking Vehicles …
War Stories – Hacking To Kill …

Networks Are Targets
Networks are routinely under attack.
– E.g., Kaspersky maintains the interactive Cyberthreat Real-Time Map display of current network attacks.
– Data is submitted from Kaspersky network security products that are deployed worldwide.
https://cybermap.kaspersky.com/

FireEye Cyber Threat Map
https://www.fireeye.com/cyber-map/threat-map.html

Cisco Talos Cyber Attack Map
https://talosintelligence.com/ebc_spam

How many computers connected to the internet are still running Telnet?
In 2012, that’s what a researcher wanted to find out.
– He also decided to test the security posture of these Telnet servers by attempting to log in using default credentials (i.e., admin/admin, admin/no password, root/root, and root/no password).
Within hours he had scanned a few thousand systems and found many unsecured.
– But scanning was time consuming and he wanted to scan the whole internet (4 billion IPs).
He decided to enlist the help (illegally) of the insecure systems he discovered.
– His program (malware?) would scan for unprotected Telnet systems.
– It would then upload the same program, and execute it.
– The insecure systems would now start scanning for systems, and repeat the process.
He created the “Carna botnet”!
– It took 6 weeks to complete. The “Carna botnet” discovered 1.2 million unsecured devices.
– Many vulnerable devices shouldn’t be on the internet (e.g., TVs, industrial control systems, cameras, water sprinklers, ...).
– Out of those 1.2 million vulnerable devices, the botnet was installed on 420,000 hosts.

The Internet Census of 2012
The researcher used this data to create the Internet Census of 2012.
– He performed GeoIP lookups on all IPs to determine their global location.
The researcher took all of this data and placed it on a map.

The Bottom Line …
“Be afraid …. Be very afraid!”
“Secure your Networks!”

Security Basics
Organizations (and individuals) must ask themselves:
1. What are our crown jewels? (Assets)
2. Who would want to steal/disrupt/destroy the Crown Jewels? (Threats)
3. What do we have in place to stop that from happening? (Mitigation)
4. Where are the gaps or weaknesses? (Vulnerability)
5. What if we don’t address the gap or weakness? (Risk)

Basic Security Terminology
Asset
• Anything of value to an organization that must be protected.
Vulnerability
• A weakness in a system or its design that could be exploited by a threat.
• The vulnerability can be exploited to negatively impact a network, or to access confidential data within an organization.
• Sources of network vulnerabilities include weak and unsecure network protocols, configuration errors, or weak security policies.
Exploit
• The mechanism used to leverage a vulnerability and compromise an asset.
Threat
• This is the potential for a vulnerability to turn into a network attack.
• Threats include malware, exploits, and more.
Mitigation (Countermeasure)
• This is the action of reducing the severity of the vulnerability.
• Network security involves multiple mitigation techniques.
Attack surface
• The total sum of the vulnerabilities in a given system that are accessible to a threat actor; it describes the different points where a threat actor could get into a system, and where they could get data out of the system.
• For example, an unpatched operating system and web browser provide an attack surface that the threat actor can exploit.
Risk
• The potential that a threat can exploit vulnerabilities of assets.
• Risk is measured using the probability of an occurrence and its consequence.

Risk Management
Risk management is the process that balances the:
There are four risk management strategies:
Risk Acceptance
• The cost of risk management options outweighs the cost of the risk itself.
• The risk is accepted, and no action is taken.
Risk Avoidance
• Avoids exposure to the risk by eliminating the activity or device that presents the risk.
Risk Reduction
• The most popular risk mitigation strategy.
• It reduces exposure to risk (or risk impact) by taking action(s) to decrease it.
• The strategy carefully evaluates the costs of loss, the mitigation strategy, and the benefits gained.
Risk Transfer
• Some or all of the risk is transferred to a willing third party (e.g., an insurance company).

Data Loss (Data Exfiltration)
What is an organization’s most valuable asset? Data!
Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world.
It can result in:
– Brand damage and loss of reputation
– Loss of competitive advantage
– Loss of customers
– Loss of revenue
– Litigation/legal action resulting in fines and civil penalties
– Significant cost and effort to notify affected parties and recover from the breach

How is Data Exfiltrated?
Email / Webmail
• The most common vector includes instant messaging and social media sites.
• E.g., intercepted email or IM messages could reveal confidential information.
Unencrypted Devices
• A stolen corporate laptop contains confidential organizational data.
• If the data is not encrypted, then the thief can retrieve valuable confidential data.
Cloud Storage Devices
• If the cloud access is compromised due to weak security settings, then sensitive data can be lost.
Removable Media
• A lost USB drive can contain valuable corporate data.
• An employee could also perform an unauthorized transfer of data to a USB drive.
Hard Copy
• Corporate data should be disposed of using a paper shredder.
• Otherwise, confidential data could be retrieved by threat actors.
Improper Access Control
• Passwords are the first line of defense.
• Stolen passwords or weak passwords which have been compromised can provide a threat actor easy access to corporate data.

Network Attack Vectors
Attack vectors can originate from:
• The outside
• The inside
Inside / internal threats are of greater concern because employees have intimate knowledge of the corporate network, resources, and data.
– E.g., an employee can accidentally or intentionally:
• Connect an infected USB drive to a corporate computer system.
• Disconnect a critical network connection and cause a network outage.
• Compromise internal servers or network devices.
• Steal / copy confidential data, email, messaging software, and other media.
Two other related terms:
• Local exploit: Requires internal network access (e.g., internal user account credentials).
• Remote exploit: Does not require an internal account to exploit the vulnerability.

Who is Attacking Our Network? A “Hacker”
The term “Hacker” has changed over the years:
– In the 1960s, it referred to a programmer that could develop new programs and make efficient code changes.
– A network professional that uses sophisticated skills to secure networks.
– A person who tries to gain unauthorized access to devices on the internet.
– A malicious individual who attempts to prevent (or slow) network access to users, or corrupt or wipe out data on servers.
There are three types of hackers:
White hat hacker
• Term describing ethical hackers who use their programming skills to discover and report network vulnerabilities.
Black hat hacker
• Term describing unethical criminals who violate computer and network security for personal gain, or for malicious reasons such as attacking networks.
• They exploit vulnerabilities to compromise computer and network systems.
Grey hat hacker
• Term describing individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage.

Evolution of Threat Actors
Note: The term “threat actor” will be used as a generic term for all of the following categories.
Script Kiddies
• Term describing amateurs (e.g., teenagers, newbies).
• They use existing scripts, tools, and exploits to cause harm.
• Typically not for profit.
Vulnerability Brokers
• Term describing grey hat hackers (i.e., researchers) who attempt to discover vulnerabilities and report them to vendors, sometimes for prizes or rewards.
Hacktivists
• Term describing grey hat hackers that protest against organizations or governments by posting articles and videos, leaking sensitive information, and disrupting web services using DDoS attacks.
• They do this to bring attention to a cause or belief.
Cyber Criminals
• Term describing black hat hackers who are either self-employed or working for large cybercrime organizations.
• They are responsible for stealing billions of dollars from consumers and businesses.
State-Sponsored Hackers
• Term describing threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations.
• Most countries participate in state-sponsored hacking.
• Depending on a person’s perspective, they are either white or black hat hackers.
Advanced Persistent Threat (APT)
• This is a group of highly skilled and motivated threat actors that have a specific goal of what they want to accomplish.
• They often have significant, well-funded resources (e.g., state-sponsored).

More on Vulnerability Brokers …
Vulnerability brokers can sell zero-day vulnerabilities to the vendor (i.e., Microsoft, Cisco, Apple, …) or to a bug bounty vendor.
– Zero-day vulnerabilities are bugs that the vendor or software developer does not know exist or has not yet fixed. A zero-day vulnerability can be exploited on the latest and greatest software updates.
Bug bounty vendors buy zero-day vulnerabilities and act as brokers between you and the vendor.
ZDI is the world’s largest vendor bug-bounty program.
– They buy bugs found in Microsoft, Cisco, Google, … products.
– If you can demonstrate an exploit on fully-updated software, the ZDI team will buy that exploit from you.
– They then contact the vendor and give them 120 days to fix the vulnerability before they share it with the public.
Note:
– ZDI is owned and operated by Trend Micro, which uses the purchased vulnerabilities to enrich its TippingPoint Intrusion Detection System.

Why Do Threat Actors Write Malicious Code?
Early worms and viruses were written as experiments or pranks.
– Generally intended to be harmless or annoying rather than to cause serious damage.
– Programmers wrote them for the sole purpose of seeing how far they could spread.
– In many cases, the perpetrator did not realize how much harm their creations could do.
Malware writing has now changed, mostly for profitable ($$$) reasons.
– Mainly due to the Internet and broadband access.
Since 2003 most viruses and worms have been designed to take control of users' computers for black-market exploitation.
– Infected "zombie computers" are used to send email spam, to host contraband data, or to engage in DDoS attacks as a form of extortion.
In 2008, Symantec published: “The release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications.”

Why? Financial gain!
– It is estimated that businesses will lose over $5 trillion annually by 2024 due to cyberattacks.
Gain trade secrets
– Theft of intellectual property can give another company or country a significant advantage in international trade.
– Nation states are also using cyberspace for industrial espionage.
Influence global politics
– Nation states are hacking other countries and interfering with internal politics.
Threat actors are also after your personal data, bank information, and anything else leverageable to generate cash flow:
– Personally Identifiable Information (PII)
– Protected Health Information (PHI)
– Personal Security Information (PSI)

Personally Identifiable Information (PII)
PII is any information that can be used to positively identify an individual.
Stolen PII can be used to create fake financial accounts, such as credit cards and short-term loans.

Personal Security Information (PSI)
PSI is similar to PII but includes usernames, passwords, and other security-related information that individuals use to access information or services on the network.
According to a 2019 report by Verizon, the second most common way that threat actors breached a network was by using stolen PSI.

Protected Health Information (PHI)
PHI is a subset of PII and relates to medical records.
The medical community creates and maintains electronic medical records (EMRs) containing:
– Health card information
– Medical records
– Device identifiers and serial numbers
– Health insurance beneficiary numbers
– Biometric identifiers
Each country has its own PHI regulations:
Canada – PIPEDA: The Personal Information Protection and Electronic Documents Act is a federal law protecting all personal data including healthcare and patient privacy.
United States – HIPAA: The Health Insurance Portability and Accountability Act protects US citizens’ healthcare PHI.
European Union – GDPR: The General Data Protection Regulation protects a broad range of personal information including health records.

Who is the best hacker in the world?
The Masters of Pwn award is given to the winner of the Pwn2Own hacker competition.
Master of Pwn is a prestigious title with thousands of dollars in prize money at stake.
– It is given to the “best” hacker in the world.
– Note: Many other hackers stay in the “shadows”.
Pwn2Own started in 2007 at the CanSecWest security conference in Vancouver, Canada.
– An organizer had a MacBook which had a reputation as being essentially hack-proof.
– He connected the MacBook to the conference network and challenged the conference attendees to hack it by announcing: “If you pwn it, you can own it.”
– The winner got to keep the MacBook plus $10,000 US.
– Note: Dino Dai Zovi used a bug in QuickTime to take over the system.

Threat Actor Tools
• RATs (remote access tools)
• Packet Crafting Tools
• Hacking Operating Systems
• Forensic Tools
• Fuzzers to Search Vulnerabilities
• Social engineering
• Network Scanning and Hacking Tools
• Encryption Tools
• Data stealers
• Password crackers
• Packet Sniffers
• Phishing, phone phishing, spear phishing, whaling
• Debuggers
• Advanced Persistent Threats
• Wireless Hacking Tools
• RAM scrapers
• Vulnerability Exploitation Tools
• Vulnerability Scanners

Sophistication of Tools vs. Technical Knowledge
To exploit a vulnerability, threat actors must have a technique or tool that can be used.
– In the early days, threat actors were programmers and created their own tools.
Over the years, attack tools have become more sophisticated and highly automated, requiring less technical knowledge to use them.

Evolution of Security Tools
Various network penetration tools have been created to test network / end devices.
– Threat actors have also created various hacking tools explicitly written for nefarious reasons.
Hacking Operating Systems
• These are specially designed operating systems preloaded with tools and technologies optimized for hacking.
• Examples include Kali Linux, Backtrack 5r3, SELinux, Knoppix, BackBox Linux.
Password Crackers
• Password recovery tools are used to crack or recover the password.
• Password crackers repeatedly make guesses in order to crack the password.
• E.g., John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, Medusa.
Wireless Hacking Tools
• Used to intentionally hack into a wireless network to detect security vulnerabilities.
• Examples include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
Network Scanning and Hacking Tools
• Used to probe network devices, servers, and hosts for open TCP or UDP ports.
• Examples include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Packet Crafting Tools
• Used to probe and test a firewall’s robustness using specially crafted forged packets.
• Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
Packet Sniffers
• Used to capture and analyze packets within traditional Ethernet LANs or WLANs.
• E.g., Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler and Ratproxy.
Rootkit Detectors
• Used by white hats to detect installed rootkits.
• Examples include AIDE, Netfilter, and PF: OpenBSD Packet Filter.

Evolution of Security Tools
Note: Many of these tools are Linux based; therefore, a security professional should have a strong Linux background.
Fuzzers to Search Vulnerabilities
• Used to discover a computer system’s security vulnerabilities.
• Examples include Skipfish, Wapiti, and W3af.
Forensic Tools
• Used to sniff out any trace of evidence existing in a particular computer system.
• Examples include Sleuth Kit, Helix, Maltego, and Encase.
Encryption Tools
• These tools safeguard the contents of an organization’s data when it is stored or transmitted.
• They use algorithm schemes to encode the data to prevent unauthorized access to the data.
• Examples include VeraCrypt, CipherShed, OpenSSH, OpenSSL, and OpenVPN.
Debuggers
• Used by black hats to reverse engineer binary files when writing exploits.
• They are also used by white hats when analyzing malware.
• Examples include GDB, WinDbg, IDA Pro, and Immunity Debugger.
Vulnerability Scanners
• Used to scan a network or system to identify open ports, discover known vulnerabilities, and scan VMs, BYOD devices, and client databases.
• Examples include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.
Vulnerability Exploitation Tools / Kits
• These tools identify whether a remote host is vulnerable to a security attack.
• Examples include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

Top Hacking Tools

The Story of Angler
The Angler Exploit Kit is a Russian-made vulnerability exploit kit for sale on the dark web.
– Victims are somehow redirected to a malicious website running the Angler Exploit Kit.
Angler scans the victim host for many types of vulnerabilities.
– The exploit kit scans to detect outdated software versions (i.e., Adobe PDF Reader, Flash, Java, Silverlight, …) with known vulnerabilities on the victim host.
– If a vulnerability is discovered, it runs commands (i.e., the payload) on the victim host and stops.
Angler’s purpose is to get on the host and execute a payload.
– A payload could be for keylogging, identity theft, a botnet, ransomware (e.g., Reveton), or even deleting the drive.
– Target hosts can be infected in seconds.
For example, Angler can be weaponized with Reveton.
– Reveton is a powerful ransomware that encrypts a victim’s hard drive with a password.
– Reveton is known as the Police Virus (or FBI virus) because an infected host will also display a police logo and a message stating that the law has been broken.
– A ransom must be paid to avoid criminal charges and get the password to decrypt it.

Threat Actors – Categories of Attacks
Password-Based attacks
• The threat actor uncovers a valid user account and assumes the user’s rights.
IP Address Spoofing attack
• A threat actor builds an IP packet using a valid corporate address.
Eavesdropping attack
• “Sniffing” or “snooping” is when a threat actor captures and “listens” to network traffic.
Sniffer attack
• A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets.
Data Modification attack
• A threat actor alters captured data packets and forwards them.
Denial-of-Service (DoS) attack
• A DoS attack prevents normal use of a computer or network by valid users.
Compromised-Key attack
• The hacker obtains a secret key (a.k.a. compromised key) to gain access to a secured communication without the sender or receiver being aware.
Man-in-the-Middle attack
• Hackers have positioned themselves between a source and destination and can now covertly monitor, capture, and control the communication.

Malware (Malicious software)
Malware is short for malicious software or malicious code.
– It is code or software that is specifically designed to damage, disrupt, steal, or generally inflict some other “bad” or illegitimate action on data, hosts, or networks.
– Threat actors try to trick users into installing malware to help exploit security gaps.
– Malware also morphs (changes) very rapidly, making it hard for antimalware software to be updated quickly enough to stop the new threats.
There are three common types of malware:
Virus
• Malicious software that is attached to another program to execute a particular unwanted function on a user's workstation.
Trojan Horse
• A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool.
Worm
• A worm executes arbitrary code and installs copies of itself in the infected computer’s memory, which infects other hosts.

Viruses
A computer virus is a malicious computer program (executable file) that can copy itself and infect a computer without the permission or knowledge of the user.
A virus can be dormant and then activate at a specific time or date.
A virus can only spread from one computer to another by:
– Sending it over a network as a file or as an email payload
– Carrying it on a removable medium.
Viruses need USER INTERVENTION to spread …

Trojan Horses
A Trojan horse is a program that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system.
Trojan horses may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are harmful when executed.
Trojan horses are not self-replicating, which distinguishes them from viruses and worms.
Custom-written Trojan horses, such as those with a specific target, are difficult to detect.

Trojan Horse Classification
Remote-Access Trojan (RAT) – Enables threat actors to control your host.
Data Sending – Provides the threat actor with sensitive data such as passwords.
FTP (opens port 21) – Enables unauthorized file transfer services on end devices.
Keylogger – Actively attempts to steal confidential information, such as credit card numbers, by recording keystrokes entered into a web form.
Destructive – Corrupts or deletes files.
Security Software Disabler – Stops antivirus programs or firewalls from functioning.
DoS – Slows or halts network activity.

Worms
Worms replicate themselves by independently exploiting vulnerabilities in networks.
– Their goal is usually to slow down networks and hosts.
Worms DO NOT NEED USER INTERVENTION!
– Worms do not require user participation and can spread extremely fast over the network.
First Worm – The Morris Worm
Robert Morris was a student at Cornell University in New York.
– He created the first internet worm.
– It consisted of 99 lines of code.
– It was launched from a 3.5” floppy disk on Nov. 2, 1988, at MIT in Boston (300 miles away).
– When the Morris Worm was released, 10% of internet servers were brought to a halt.
It is considered the first worm and was certainly the first to gain significant mainstream media attention.
It was the first conviction in the US under the 1986 Computer Fraud and Abuse Act.
He did 3 years of probation, 400 hours of community service, and paid a $10,500 fine.
B.T.W., Robert Morris is now a tenured professor at MIT.

Code Red and SQL Slammer Worms
Note: Server patches were available for months before these attacks occurred!
In January 2001, the Code Red Worm created a DoS attack that drastically slowed internet traffic. Over 300,000 servers were infected within 19 hours of its release.
In January 2003, the SQL Slammer Worm (a.k.a. the worm that ate the Internet) exploited a buffer overflow bug in Microsoft SQL Servers. Over 250,000 servers were infected within 30 minutes of its release.

Code Red Worm Components
Worms share similar characteristics:
– They all exploit an enabling vulnerability.
– They have a way to propagate themselves.
– They all contain a payload.
The enabling vulnerability
– A worm installs itself using an exploit vector on a vulnerable system.
Propagation mechanism
– After gaining access to devices, a worm replicates and selects new targets.
Payload
– Once the device is infected with a worm, the threat actor has access to the host, often as a privileged user.
– Attackers could use a local exploit to escalate their privilege level to administrator.
Note:
• Worms never really stop on the Internet.
• After they are released, they continue to propagate until all possible sources of infection are properly patched.
Ransomware
Ransomware has quickly become the most lucrative malware tool for threat actors.
  – Many victims believe paying the ransom is the most cost-effective way to retrieve their data.
Cybersecurity Research estimates that in 2019 new organizations fell victim to ransomware every 14 seconds.
  – This is projected to be every 11 seconds by 2021.
For example, in May 2019, the City of Baltimore was hit by a ransomware attack blocking access to critical infrastructure systems for a week.
  – Recovery from the attack was complex.
  – It cost the city an estimated $18 million.
  – The ransom demanded was $76,000.

How Ransomware Works …
Ransom payments are usually requested using cryptocurrency (e.g., Bitcoin).

Other Malware
Note:
  • This list will continue to grow as the Internet evolves because new malware will always be developed.
  • A major goal of white hat hackers is to learn about new malware and how to promptly mitigate it.
Type of Malware – Description
Phishing
  • This malware attempts to convince people to divulge sensitive information.
  • Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.
  • Variations of this attack include spear phishing and whaling.
Spyware
  • This malware is used to gather information about a user and send the information to another entity without the user’s consent.
  • Spyware can be classified as system monitors, Trojan horses, adware, tracking cookies, and key loggers.
Adware
  • This malware typically displays annoying pop-ups to generate revenue for its author.
  • The malware may analyze user interests by tracking the websites visited.
  • It can then send pop-up advertising pertinent to those sites.
Scareware
  • This malware includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat.
  • It is generally directed at an unsuspecting user.
Rootkits
  • This malware is installed on a compromised system.
  • After it is installed, it continues to hide its intrusion and maintain privileged access for the threat actor.

Common Malware Behaviors
Cybercriminals continually modify malware code to change how it spreads and infects computers.
Computers infected with malware often exhibit some of the following symptoms:
  – Strange computer behavior
  – Computer screen is freezing or system is crashing
  – Slow computer or web browser speeds
  – Problems connecting to networks
  – Appearance of strange files, programs, or desktop icons
  – Emails are spontaneously being sent without your knowledge to your contact list
  – Files have been modified or deleted
  – Antivirus and firewall programs are turning off or reconfiguring settings
  – Increased CPU and/or memory usage
  – Unknown processes or services running
  – Unknown TCP or UDP ports open
  – Connections are made to hosts on the Internet without user action
Note: Malware behavior is not limited to the above list.

Common Network Attacks
Before learning how to defend against attacks, you need to know how a potential attacker operates.
“To know your Enemy, you must become your Enemy.”
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
  – Sun Tzu, The Art of War

Common Types of Network Attacks
By categorizing network attacks, it is possible to address types of attacks rather than individual attacks.
  – There is no standardized way of categorizing network attacks.
  – The method used in this course classifies attacks in three major categories.
Network Attack – Description
Reconnaissance (“Recon”) Attack
  • Used to gather information and learn about vulnerabilities that exist in the system.
  • It is the unauthorized discovery and mapping of systems, services, or vulnerabilities.
  • It is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an easy-to-open door or window.
Access Attacks
  • Exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, databases, and other sensitive information.
  • An access attack can be performed in a variety of ways, including using social engineering techniques.
DoS Attacks
  • Disruption of network resources.
  • DoS attacks slow or crash applications and processes.
  • The threat actor either generates an overwhelming quantity of packets or sends maliciously formatted packets.

Reconnaissance Attack Steps
Recon Attack Step – Description
Perform an information query of a target
  • The threat actor is looking for initial information about a target.
  • Various tools exist, including Google search, the organization’s website, whois, and more.
Initiate a ping sweep of the target network
  • The information query usually reveals the target’s network address.
  • The threat actor can now initiate a ping sweep to determine which IP addresses are active.
  • Examples of tools include Angry IP Scanner and SolarWinds management tools.
Initiate a port scan of active IP addresses
  • This is to determine which ports or services are available.
  • Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners
  • This is to query the identified ports to determine the type and version of the application and operating system that is running on the target host.
  • Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.
Run exploitation tools
  • The threat actor now attempts to discover vulnerable services that can be exploited.
  • A variety of vulnerability exploitation tools exist, including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
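The first two active steps in the sequence above, the ping sweep and the port scan, are also what a defender watches for: the "preconfigured alarms" this course recommends later for reconnaissance (for example, ICMP requests per second exceeding a threshold) are exactly this kind of count over a time window. The Python below is an added example, not code from the Cisco CyberOps course. It runs two such detections over a constructed set of flow records: a source that sends ICMP echo requests to many distinct hosts inside one window is reported as a ping sweep, and a source that touches many distinct TCP/UDP ports on a single host is reported as a port scan. The record format, the addresses and the thresholds are assumptions chosen for the demonstration; on a real network the thresholds come from the site's own baseline.

```python
"""Ping-sweep and port-scan detection over flow records.

Added example for this course section, not code from the Cisco CyberOps
course. The Flow record layout, thresholds and sample addresses are
assumptions for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: float                        # timestamp in seconds (constructed)
    src: str                         # source IP address
    dst: str                         # destination IP address
    proto: str                       # "icmp", "tcp" or "udp"
    dport: Optional[int] = None      # destination port (None for ICMP)
    icmp_type: Optional[int] = None  # 8 = ICMP echo request


WINDOW_SECONDS = 60     # assumption: alarm window length
PING_SWEEP_HOSTS = 10   # assumption: distinct hosts pinged per window before alerting
PORT_SCAN_PORTS = 15    # assumption: distinct ports on one host per window before alerting


def _bucket(ts, window):
    """Fixed time bucket so that counting stays O(n) over the records."""
    return int(ts // window)


def detect_ping_sweeps(flows, window=WINDOW_SECONDS, min_hosts=PING_SWEEP_HOSTS):
    """Return {src: hosts} for every source whose ICMP echo requests reached
    at least `min_hosts` distinct destinations within one window; the value
    is the largest such host count seen for that source."""
    seen = defaultdict(set)  # (src, bucket) -> set of destinations
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 8:
            seen[(f.src, _bucket(f.ts, window))].add(f.dst)
    alerts = {}
    for (src, _), hosts in seen.items():
        if len(hosts) >= min_hosts:
            alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts


def detect_port_scans(flows, window=WINDOW_SECONDS, min_ports=PORT_SCAN_PORTS):
    """Return {(src, dst): ports} for every source that touched at least
    `min_ports` distinct TCP/UDP ports on one destination within one window."""
    seen = defaultdict(set)  # (src, dst, bucket) -> set of destination ports
    for f in flows:
        if f.proto in ("tcp", "udp") and f.dport is not None:
            seen[(f.src, f.dst, _bucket(f.ts, window))].add(f.dport)
    alerts = {}
    for (src, dst, _), ports in seen.items():
        if len(ports) >= min_ports:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(ports))
    return alerts


def build_sample_flows():
    """Constructed traffic: one scanner and one ordinary workstation."""
    scanner, victim, workstation = "203.0.113.5", "10.0.0.7", "10.0.0.50"
    flows = []
    # Recon step 2: the scanner pings 10.0.0.1 .. 10.0.0.20 within ten seconds.
    for i in range(1, 21):
        flows.append(Flow(ts=100.0 + i * 0.5, src=scanner, dst=f"10.0.0.{i}",
                          proto="icmp", icmp_type=8))
    # Recon step 3: the scanner probes TCP ports 20 .. 45 on one responding host.
    for i, port in enumerate(range(20, 46)):
        flows.append(Flow(ts=120.0 + i * 0.1, src=scanner, dst=victim,
                          proto="tcp", dport=port))
    # Benign traffic: DNS lookups, HTTPS browsing and a single ping.
    for i in range(30):
        flows.append(Flow(ts=100.0 + i, src=workstation, dst="10.0.0.2",
                          proto="udp", dport=53))
        flows.append(Flow(ts=100.5 + i, src=workstation, dst="10.0.0.3",
                          proto="tcp", dport=443))
    flows.append(Flow(ts=130.0, src=workstation, dst="10.0.0.3",
                      proto="icmp", icmp_type=8))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("ping sweeps:", detect_ping_sweeps(sample))   # {'203.0.113.5': 20}
    print("port scans:", detect_port_scans(sample))     # {('203.0.113.5', '10.0.0.7'): 26}
```

The workstation's DNS and HTTPS traffic touches only one port per destination and pings a single host, so it produces no alert; only the scanner crosses either threshold. The fixed-bucket approach can miss a scan that straddles a bucket boundary, which is why production sensors usually keep a sliding window and why the thresholds should sit well below the bucket's worst case.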
Access Attacks
Access Attack – Description
Password attack
  • Threat actors attempt to discover critical system passwords using various methods, such as social engineering, dictionary attacks, brute-force attacks, or network sniffing.
  • Brute-force password attacks involve repeated attempts using tools such as THC Hydra, L0phtCrack, John the Ripper, Hashcat, Brutus, Wfuzz, Medusa, RainbowCrack, and Ophcrack.
IP, MAC, DHCP Spoofing
  • A spoofing attack is when a device attempts to pose as another by falsifying data.
  • There are multiple types of spoofing attacks (i.e., IP, MAC, DHCP).
  • For example, MAC address spoofing occurs when one computer accepts data packets based on the MAC address of another computer.
Trust Exploitation
  • A threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target.
Port redirection
  • A threat actor uses a compromised system to redirect attacks against other targets.
Man-in-the-middle attack
  • The threat actor is positioned between two legitimate entities in order to read or modify the data that passes between the two parties.
Buffer overflow
  • A threat actor exploits the memory buffer and overwhelms it with unexpected values.
  • This usually renders the system inoperable, creating a DoS attack.
  • It is estimated that one third of malicious attacks are the result of buffer overflows.

Access Attack: Social Engineering
Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information.
  – Social engineers are typically good con artists!
Social engineers rely on people’s willingness to be helpful and prey on people’s weaknesses.
  – For example, a threat actor calls an IT technician with an urgent problem that requires immediate network access and could invoke authority using name-dropping techniques, appeal to the employee’s vanity, or appeal to the employee’s greed.
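The dictionary and brute-force password attacks in the table above leave a clear footprint in authentication logs, and two of the controls this course lists later under "Mitigating Access Attacks" act on exactly that footprint: disable an account after a specified number of unsuccessful logins, and monitor logs for failed login attempts. The Python below is an added example, not code from the Cisco CyberOps course, and it serves both the attack description here and those mitigation bullets. It parses constructed sshd-style log lines, applies an account-lockout rule (N failures within a window), reports any successful login on an account that should already have been locked (the strongest sign a password was guessed), and flags source addresses with many failures in a window. The log format, the thresholds and the addresses are assumptions for the demonstration.

```python
"""Failed-login monitoring and account-lockout evaluation.

Added example for this course section, not code from the Cisco CyberOps
course. The sshd-style line format, thresholds and sample addresses are
assumptions for the demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log line shape:
#   2024-03-01T10:00:00 sshd[4242]: Failed password for admin from 198.51.100.9 port 51000 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")

LOCKOUT_THRESHOLD = 5                   # assumption: failures before an account is disabled
LOCKOUT_WINDOW = timedelta(minutes=10)  # assumption: window in which failures are counted
SOURCE_THRESHOLD = 10                   # assumption: failures from one address before alerting


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    success: bool
    user: str
    src: str


def parse_auth_log(text):
    """Turn matching log lines into AuthEvents sorted by time; other lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]),
                                    m["result"] == "Accepted", m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def account_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {user: time} for the moment each account reached `threshold`
    failures within `window`, i.e. when a lockout policy would disable it.
    A successful login before that point resets the account's counter."""
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    locked = {}
    for e in events:
        if e.user in locked:
            continue  # already disabled; later events are handled by logins_after_lockout
        if e.success:
            recent[e.user].clear()
            continue
        recent[e.user] = [t for t in recent[e.user] if e.ts - t <= window] + [e.ts]
        if len(recent[e.user]) >= threshold:
            locked[e.user] = e.ts
    return locked


def logins_after_lockout(events, locked):
    """Successful logins on accounts after they should have been disabled:
    either the lockout is not enforced or the password was guessed."""
    return [e for e in events if e.success and e.user in locked and e.ts > locked[e.user]]


def brute_force_sources(events, threshold=SOURCE_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {src: failures} for sources with at least `threshold` failed
    logins inside any `window`, counted across all target accounts (sliding window)."""
    per_src = defaultdict(list)
    for e in events:
        if not e.success:
            per_src[e.src].append(e.ts)  # events are already time-sorted
    alerts = {}
    for src, times in per_src.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts


def build_sample_log():
    """Constructed log: one guessing source, and one user who mistypes twice."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)

    def line(offset, result, user, src, invalid=False):
        ts = (t0 + timedelta(seconds=offset)).isoformat(timespec="seconds")
        who = f"invalid user {user}" if invalid else user
        return f"{ts} sshd[4242]: {result} password for {who} from {src} port 51000 ssh2"

    lines = [line(5 * i, "Failed", "admin", "198.51.100.9") for i in range(8)]
    lines += [line(40 + 5 * i, "Failed", "root", "198.51.100.9", invalid=True) for i in range(3)]
    lines.append(line(60, "Accepted", "admin", "198.51.100.9"))
    lines += [line(300, "Failed", "alice", "10.0.0.50"),
              line(320, "Failed", "alice", "10.0.0.50"),
              line(340, "Accepted", "alice", "10.0.0.50")]
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_auth_log(build_sample_log())
    locked = account_lockouts(evs)
    print("locked:", locked)                                   # admin at 10:00:20
    print("after lockout:", logins_after_lockout(evs, locked))  # admin accepted at 10:01:00
    print("noisy sources:", brute_force_sources(evs))          # {'198.51.100.9': 11}
```

Alice's two typos stay under the lockout threshold and her source never approaches the per-address limit, so neither rule fires for her; the guessing source trips both, and the accepted login on `admin` after the lockout point is the event that should page someone.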
Types of Social Engineering Attacks
Social Engineering Attack – Description
Pretexting
  • A threat actor calls someone and lies to them to gain access to privileged data.
  • An example involves a threat actor who pretends to need personal or financial data in order to confirm the identity of the recipient.
Phishing
  • A threat actor sends fraudulent emails disguised as being from a legitimate, trusted source.
  • The message intends to trick the recipient into clicking on a link or downloading a document, which in turn can install malware on the device, or into sharing personal or financial information.
Spear Phishing
  • A threat actor sends a targeted email tailored for a specific individual or organization.
Spam
  • A threat actor uses email to trick a user into clicking an infected link or downloading an infected file.
Something for Something (Quid pro quo)
  • A threat actor requests personal information from a party in exchange for something like a free gift.
Baiting
  • A threat actor leaves a malware-infected physical device, such as a USB flash drive, in a public location such as a corporate washroom.
  • An unsuspecting victim finds the drive and inserts it into their computer, unintentionally installing malware.

Types of Social Engineering Attacks (continued)
Tailgating
  • A threat actor quickly follows an authorized person into a secure location to gain access to a secure area.
Impersonation
  • A threat actor pretends to be someone else to gain the trust of a victim.
Shoulder Surfing
  • A threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.
Dumpster Diving
  • A threat actor rummages through trash bins to discover confidential documents.

Phishing …
Phishing remains the #1 threat action used in successful breaches linked to social engineering and malware attacks.
  – 96% of phishing attacks arrive by email.
  – 88% of organizations around the world experienced spear phishing attempts in 2019.
Phishers use four main steps when creating convincing phishing emails.
  – Understanding these steps helps you to spot and stop them.
  1. They pick their targets.
  2. They choose emotional triggers: work related, curiosity, hope, necessity.
  3. They build the email (bait the hook).
  4. They send the email (cast the line).

Network Attacks

DoS Attacks
A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications.
There are two major sources of DoS attacks:
Source of DoS Attack – Description
Maliciously Formatted Packets
  • This is when a maliciously formatted packet is forwarded to a host or application and the receiver is unable to handle an unexpected condition.
  • For example, a threat actor forwards packets containing errors that cannot be identified by the application, or forwards improperly formatted packets.
  • This causes the receiving device to crash or run very slowly.
  • A buffer overflow DoS attack exploits a system memory-related flaw by overwhelming the memory buffer with unexpected values, rendering the system inoperable and creating a DoS attack.
  • Examples include the ping of death, the TCP SYN flood attack, …
  • Note: It is estimated that one third of malicious attacks are the result of buffer overflows.
Overwhelming Quantity of Traffic
  • This is when a network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.

Examples of DoS Attacks
DoS Attack – Description
Ping of Death
  • This is an example of a maliciously formatted packet used to create a buffer overflow attack.
  • In this legacy attack, the threat actor sent a ping of death, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.
  • The receiving host would not be able to handle a packet of that size and it would crash.
Smurf Attack
  • This is an example of an overwhelming quantity of traffic.
  • In this legacy attack, a threat actor sent many ICMP Echo Request packets with a spoofed source IP address to the broadcast address of a subnet to amplify the attack.
  • This was a type of reflection attack because the echo replies would all be reflected to the targeted host to overwhelm it.
  • Smurf attacks are now easily mitigated with the no ip directed-broadcast command, which is the default interface setting as of Cisco IOS version 12.0.
  • However, the reflection and amplification technique continues to be used in newer forms of attacks.
TCP SYN Flood Attack
  • This is an example of a buffer overflow attack.
  • In this type of attack, a threat actor sends many TCP SYN session request packets with a spoofed source IP address to an intended target.
  • The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet.
  • However, the responses never arrive, and the target host is overwhelmed with TCP half-open connections.

Smurf Attack (Amplification Attack)
[Diagram: ping x.x.x.255 –t sent with spoofed source 1.1.1.1; host 1.1.1.1; router R1, interface G0/0.]
Note: Low Orbit Ion Cannon (LOIC) is a DoS tool that can send millions of packets to a target IP.

SYN Flood Attack
A SYN Flood attack takes advantage of the TCP three-way handshake.

Distributed DoS Attack (DDoS)
A DDoS attack is a coordinated DoS attack from multiple sources.
  – DDoS attacks consist of a botmaster, handlers, a botnet, bots, and zombies.
  1. The Client (i.e., botmaster) host scans for vulnerable systems to exploit.
  2. The vulnerable systems are infected with code and become Handlers.
     • Handlers now scan for other vulnerable hosts (i.e., Agents) to compromise and infect.
  3. Vulnerable hosts are infected with remote control attack software (i.e., bots) and become Agents (i.e., zombies).
     • Agents can also log keystrokes, gather passwords, capture packets, and more.
  4. A DDoS attack is initiated by sending commands to the Handlers, which cause the Agents (the zombies running bots) to participate in a coordinated mass attack.
     • The zombie malware continually attempts to self-propagate like a worm.

Distributed DoS Attack (DDoS)
There is an underground economy on the Darkweb where botnets (i.e., an army of infected hosts standing ready) can be rented for a nominal fee.
  – This enables any threat actor to launch DDoS attacks.
  – This service is called a “stressor”.
A “stressor” is simply DoS as a service.
  – It is a fully functioning botnet capable of sending gigabits of data to a target IP address.
  – In comparison, Low Orbit Ion Cannon can send megabits of traffic.
Stressors are marketed as a “stress testing tool to see if an organization’s site can handle a DDoS attack”.
Threat actors pay to use this service.
  – They simply go to the site, enter an IP address, hit go, and whoever that IP belongs to is now facing tons and tons of incoming traffic, which will probably knock them offline.

Threat Actor Evasion Methods
For threat actors, “to hide is to thrive”: their malware and attack methods are most effective when they are undetected.
  – For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.
  – Their goal is to prevent detection by evading network and host defenses.
Evasion Method – Description
Encryption and tunneling
  • Uses tunneling to hide, or encryption to scramble, malware files, making it difficult for security detection techniques to detect and identify the malware.
Resource exhaustion
  • Makes the target host too busy to properly use security detection techniques.
Traffic fragmentation
  • Splits the malicious payload into smaller packets to bypass network security detection.
  • After the fragmented packets bypass the security detection system, the malware is reassembled.
Protocol-level misinterpretation
  • Occurs when network defenses do not properly handle PDU features like a checksum or TTL value, tricking a firewall into ignoring packets that it should check.
Traffic substitution
  • The threat actor attempts to trick an IPS by obfuscating (i.e., disguising) the data in the payload.
  • For example, the threat actor could encode the traffic in Unicode instead of ASCII.
  • The IPS does not recognize the data, but the target end system can read the data.
Traffic insertion
  • Similar to traffic substitution, but the threat actor inserts extra bytes of data into a malicious sequence of data, and the IPS rules miss the malicious data, accepting the data.
Pivoting
  • The threat actor has compromised an inside host and wants to expand their access further into the compromised network.
Rootkits
  • A complex threat actor tool that integrates with the lowest levels of the operating system.
  • When a program attempts to list files, processes, or network connections, the rootkit presents a sanitized version of the output, eliminating any incriminating output.
  • The goal of the rootkit is to completely hide the activities of the threat actor on the local system.
Proxies
  • Network traffic is redirected through intermediate systems in order to hide the ultimate destination for stolen data.

Mitigating Threats
Best Practices for Securing a Network
  – Develop a written security policy for the company.
  – Control and secure physical access to systems.
  – Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
  – Enforce strong passwords and change them often.
  – Use a defense-in-depth approach and implement firewalls, IPSs, virtual private network (VPN) devices, antivirus software, and content filtering.
  – Shut down unnecessary services and ports.
  – Patch and patch often.
    Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
  – Encrypt and password-protect sensitive data.
  – Perform backups and test the backed-up files on a regular basis.
  – Perform security audits to test the network.

Mitigating Malware
The primary means of mitigating malware is antivirus / anti-malware software.
  – E.g., products from Symantec, McAfee, and Trend Micro.
Antivirus / anti-malware products must be updated automatically or on demand.
  – This is critical for keeping a network free of malware and should be formalized in a network security policy.
Antivirus products are host-based.
  – These products are installed on computers and servers to detect and eliminate viruses.
  – However, they do not prevent viruses from entering the network, so a network security professional must be aware of the major viruses and keep track of security updates regarding emerging viruses.
Backup, backup, backup …
  – This is the best mitigation solution for many malware attacks.
  – Ensure you have up-to-date backups and verify their operation.

Mitigating Worms
Four-phase process to mitigate an active worm attack:
Containment Phase
  – Segment the network using ACLs to prevent infected hosts from targeting and infecting other systems.
Inoculation Phase
  – Patch uninfected systems.
  – Runs parallel to or subsequent to the containment phase.
  – This phase further deprives the worm of any available targets.
Quarantine Phase
  – Track down infected devices and disconnect, block, or remove them.
  – This isolates these systems appropriately for the Treatment Phase.
Treatment Phase
  – Disinfect actively infected systems.
  – Terminate the worm process, remove modified files or system settings that the worm introduced, and patch the vulnerability the worm used to exploit the system.
  – In severe cases, a complete format and rebuild may be required.
Mitigating Reconnaissance Attacks
Reconnaissance attacks are typically the precursor to other attacks.
Network security professionals may be alerted to a reconnaissance attack by receiving notifications from preconfigured alarms.
  – E.g., triggered when certain parameters are exceeded (e.g., ICMP requests per second).
Reconnaissance attacks can be mitigated in several ways, including the following:
  – Implement authentication to ensure proper access.
  – Use encryption to render packet sniffer attacks useless.
  – Use anti-sniffer tools to detect packet sniffer attacks.
  – Use a firewall and IPS to limit the information that can be discovered with a port scanner.
  – Use anti-sniffer software and hardware tools to detect changes in the response time of hosts.
  – Enable encryption whenever possible, as any captured data will not be readable.
  – Stop ping sweeps by filtering ICMP echo-replies on edge routers.

Mitigating Phishing … Awareness and Education!
The following steps will help reduce phishing risks:
  – Analyze your security culture.
  – Target your training efforts.
  – Provide clear guidance on how to respond.
  – Educate through safe exposure.
  – Enable cultural change.
Remember, the goal of phishing training is to make people more aware of potential threats, and more likely to report them.

Mitigating Ransomware

Mitigating Social Engineering Attacks
Enterprises must educate their users about the risks of social engineering.
Protecting against social engineering attacks:
  – Always destroy confidential information according to the organization’s policy.
  – Always report suspicious individuals.
  – Never give your PSI (username / password) credentials to anyone.
  – Never leave your PSI where it can easily be found.
  – Always lock or sign out of your computer when unattended.
  – Never open emails from untrusted sources.
  – Never release work-related information on social media sites.
  – Never re-use work-related passwords.

Mitigating Access Attacks
Use strong passwords.
  – Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.
Disable accounts after a specified number of unsuccessful logins has occurred.
  – This practice helps to prevent continuous password attempts.
Implement a network design using the principle of minimum trust.
  – This means that systems should not use one another unnecessarily.
Use encryption for remote access to a network.
  – Routing protocol traffic should also be encrypted.
Educate users about the risks of social engineering.
Implement multifactor authentication.
Monitor logs for failed login attempts.

Mitigating DoS Attacks
Install a network utilization software package.
  – It should be always running and required by the network security policy.
  – A network utilization graph showing unusual activity could also indicate a DoS attack.
Implement antispoofing technologies on routers and switches, including:
  – Port security
  – Dynamic Host Configuration Protocol (DHCP) snooping
  – Dynamic Address Resolution Protocol (ARP) Inspection
  – IP Source Guard (IPSG)
  – Access control lists (ACLs)

Awareness and Education
Users are the weakest link; therefore educating your users is paramount!

NetSec-1
CyberOps Mod1: The Danger
  • War Stories
  • Threat Actors
  • Threat Impact
CyberOps Mod13: Attackers and Their Tools
  • Who is Attacking Our Network?
  • Threat Actor Tools
CyberOps Mod14: Common Threats and Attacks
  • Malware
  • Common Network Attacks – Reconnaissance, Access, and Social Engineering
  • Network Attacks – Denial of Service, Buffer Overflows, and Evasion
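Two of the DoS mitigations above can be expressed as concrete checks rather than a wall graph someone has to watch. The "network utilization graph showing unusual activity" becomes a comparison of the current packet rate against a baseline taken from quiet periods, and the TCP SYN flood described earlier shows up on the target as a pile of half-open (SYN_RECV) connections on one listening port, held by many distinct peers that never complete the handshake because their source addresses were spoofed. The Python below is an added example, not code from the Cisco CyberOps course; the connection-state snapshot, the packet-rate series and the thresholds are constructed assumptions for the demonstration.

```python
"""SYN-flood and utilization-spike indicators.

Added example for this course section, not code from the Cisco CyberOps
course. It works on two inputs a defender already has: a connection-state
table (what netstat or ss would show) and a series of packets-per-second
samples. Sample data and thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

HALF_OPEN_MIN = 100    # assumption: half-open connections on one port before alerting
HALF_OPEN_RATIO = 0.5  # assumption: share of half-open among the port's connections
BASELINE_SAMPLES = 5   # assumption: leading samples that define normal utilization
SPIKE_FACTOR = 3.0     # assumption: multiple of the baseline that counts as unusual


@dataclass(frozen=True)
class Conn:
    local_port: int   # listening port on the protected host
    remote: str       # peer address as the host sees it
    state: str        # TCP state, e.g. "SYN_RECV" (half-open) or "ESTABLISHED"


def syn_flood_indicators(conns, min_half_open=HALF_OPEN_MIN, min_ratio=HALF_OPEN_RATIO):
    """Per local port, count half-open versus established connections and the
    number of distinct peers holding half-open slots. A port is reported when
    both the half-open count and its share of the port's connections exceed
    the thresholds. Many distinct peers with few established sessions is the
    signature of the spoofed-source SYN flood described in the text."""
    half_open, established, peers = Counter(), Counter(), defaultdict(set)
    for c in conns:
        if c.state == "SYN_RECV":
            half_open[c.local_port] += 1
            peers[c.local_port].add(c.remote)
        elif c.state == "ESTABLISHED":
            established[c.local_port] += 1
    alerts = {}
    for port, n in half_open.items():
        share = n / (n + established[port])
        if n >= min_half_open and share >= min_ratio:
            alerts[port] = {"half_open": n,
                            "established": established[port],
                            "distinct_peers": len(peers[port])}
    return alerts


def utilization_spikes(pps_samples, baseline_n=BASELINE_SAMPLES, factor=SPIKE_FACTOR):
    """Return the indexes of packets-per-second samples that exceed `factor`
    times the mean of the first `baseline_n` samples (the flat part of the
    utilization graph). Only samples after the baseline period are judged."""
    baseline = sum(pps_samples[:baseline_n]) / baseline_n
    return [i for i, v in enumerate(pps_samples)
            if i >= baseline_n and v > factor * baseline]


def build_sample_connections():
    """Constructed snapshot: 150 half-open HTTPS connections from 150 different
    peers, 12 real HTTPS sessions, and 3 SSH sessions."""
    conns = [Conn(443, f"198.51.{i // 256}.{i % 256}", "SYN_RECV") for i in range(150)]
    conns += [Conn(443, f"10.0.0.{50 + i}", "ESTABLISHED") for i in range(12)]
    conns += [Conn(22, f"10.0.0.{10 + i}", "ESTABLISHED") for i in range(3)]
    return conns


# Constructed packets-per-second readings, one per minute: five quiet minutes,
# one more normal minute, then a three-minute burst, then quiet again.
SAMPLE_PPS = [1200, 1300, 1100, 1250, 1150, 1180, 9800, 12500, 11900, 1210]


if __name__ == "__main__":
    print(syn_flood_indicators(build_sample_connections()))
    # {443: {'half_open': 150, 'established': 12, 'distinct_peers': 150}}
    print(utilization_spikes(SAMPLE_PPS))   # [6, 7, 8]
```

Port 22 has only established sessions and is never reported, while port 443 is reported because 150 of its 162 connections are half-open and each comes from a different peer. The ratio matters as much as the raw count: a busy web server can legitimately hold a hundred half-open connections during a traffic spike, but not with almost no established sessions beside them.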