CyberSecurity Overview Mini Book
Report of CyberSecurity
Written by: Ahmad AL-Kadi
8 September 2023

The History of Cybersecurity

About forty years ago, words like worms, viruses, trojan horse, spyware and malware weren’t even part of the conventional information technology (IT) vocabulary. Cybersecurity only came into existence because of the development of viruses. But how did we get here?

The history of cybersecurity began as a research project. In the 1970s, Robert Thomas, a researcher for BBN Technologies in Cambridge, Massachusetts, created the first computer “worm”. It was called The Creeper. The Creeper infected computers by hopping from system to system with the message “I’M THE CREEPER: CATCH ME IF YOU CAN.” Ray Tomlinson, the inventor of email, created a replicating program called The Reaper, the first antivirus software, which would chase Creeper and delete it.

Late in 1988, a man named Robert Morris had an idea: he wanted to test the size of the internet. To do this, he wrote a program that went through networks, invaded Unix terminals, and copied itself. The Morris worm was so aggressive that it slowed down computers to the point of being unusable. He subsequently became the first person to be convicted under the Computer Fraud and Abuse Act. From that point forward, viruses became deadlier, more invasive, and harder to control. With it came the advent of cybersecurity.

What is Cyber Security?

Cyber Security is the process and techniques involved in protecting sensitive data, computer systems, networks, and software applications from cyber attacks.
“Cyber attacks” is a general term that covers a large number of topics, but some of the most common are:
• Tampering with systems and the data stored within
• Exploitation of resources
• Unauthorized access to the targeted system and accessing sensitive information
• Disrupting the normal functioning of the business and its processes
• Using ransomware attacks to encrypt data and extort money from victims

The attacks are becoming more innovative and sophisticated, and can disrupt security and hack systems. So it is very challenging for every business and security analyst to overcome this challenge and fight back against these attacks. To understand the need for Cyber Security measures and their practices, let’s have a quick look at the types of threats and attacks.

Ransomware

Ransomware is a file encryption software program that uses a unique, robust encryption algorithm to encrypt the files on the target system. The authors of the ransomware threat generate a unique decryption key for each of its victims and save it on a remote server. Thus, users cannot access their files with any application. The ransomware authors take advantage of this and demand a considerable ransom amount from the victims to provide the decryption code or decrypt the data. But such attacks have no guarantee of recovery of data even after paying the ransom.

Botnet

A botnet is defined as a network or group of devices connected to the same network to execute a task. But this is now being used by bad actors and hackers that attempt to access the network and inject malicious code or malware to disrupt its working. Some of the botnet attacks include:
• Distributed Denial of Service (DDoS) attacks
• Spreading spam emails
• Stealing of confidential data
Botnet attacks are generally carried out against large-scale businesses and organizations due to their huge data access.
Through this attack, the hackers can control many devices and compromise them for their evil motives.

Social Engineering Attacks

Social Engineering is now a common tactic used by cybercriminals to gather users’ sensitive information. It may trick you by displaying attractive advertisements, prizes, huge offers, and asking you to enter your personal and bank account details. All the information you enter there is cloned and used for financial fraud, identity fraud, and so on. It is worth mentioning the ZEUS virus, which has been active since 2007 and is used as a social engineering attack method to steal the victims’ banking details. Along with financial losses, social engineering attacks can download other destructive threats to the affected system.

Phishing

Phishing is a fraudulent action of sending spam emails while pretending to be from a legitimate source. Such mails have a strong subject line with attachments like an invoice, job offers, big offers from reputable shipping services, or any important mail from higher officials of the company. Phishing scam attacks are the most common cyber attacks that aim to steal sensitive data like login credentials, credit card numbers, bank account information, etc. To avoid this, you should learn more about phishing email campaigns and their preventive measures. One can also use email filtering technologies to avoid this attack. Along with these, 2019 will see potential in biometric attacks, AI attacks, and IoT attacks. Many companies and organizations are witnessing large-scale cyberattacks, and there is no stop to them. Despite constant security analysis and updates, the rise of cyber-threats is consistent. Thus, it is worth educating yourself on the basics of Cybersecurity and its implementations.
The key concept of Cyber Security

Cyber Security is a very broad term but is based on three fundamental concepts known as “The CIA Triad”. It consists of Confidentiality, Integrity, and Availability. This model is designed to guide the organization with the policies of Cyber Security in the realm of Information security.

Confidentiality

It defines the rules that limit access to information. Confidentiality takes on the measures to restrict sensitive information from being accessed by cyber attackers and hackers. In an organization, people are allowed or denied access to information according to its category by authorizing the right persons in a department. They are also given proper training about the sharing of information and securing their accounts with strong passwords. They can change the way data is handled within an organization to ensure data protection. There are various ways to ensure confidentiality, like two-factor authentication, data encryption, data classification, biometric verification, and security tokens.

Integrity

This assures that the data is consistent, accurate, and trustworthy over its time period. It means that data in transit should not be changed, altered, deleted, or illegally accessed. Proper measures should be taken in an organization to ensure its safety. File permissions and user access control are the measures controlling data breaches. Also, tools and technologies should be implemented to detect any change or breach in the data. Various organizations use a checksum, and even a cryptographic checksum, to verify the integrity of data. To cope with data loss or accidental deletion, or even cyberattacks, regular backups should be there. Cloud backups are now the most trusted solution for this.
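An added example, not code from the original report, of the checksum-based integrity check described above: it records a SHA-256 baseline for a directory tree, re-checks it later, and contrasts a cryptographic checksum with a naive additive one. The file names and contents are constructed for the demonstration.

```python
"""Checksum-based file-integrity baseline and verification (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def naive_checksum(data: bytes) -> int:
    """Additive checksum (sum of bytes mod 2**16). It is order-insensitive:
    the same bytes in a different order give the same value."""
    return sum(data) % 65536


def sha256_hex(data: bytes) -> str:
    """Cryptographic checksum: any change to the data changes the digest."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_hex(path.read_bytes())
    return baseline


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then tamper with one,
    delete one and plant one, and see what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "transfer.txt").write_bytes(b"amount=100;to=alice")
        (root / "notes.txt").write_bytes(b"hello")
        (root / "readme.txt").write_bytes(b"keep me")
        baseline = build_baseline(root)

        # Tamper: same bytes, different order. The additive checksum cannot
        # tell the two versions apart; SHA-256 can.
        (root / "config" / "transfer.txt").write_bytes(b"amount=001;to=alice")
        (root / "notes.txt").unlink()
        (root / "extra.txt").write_bytes(b"planted")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored somewhere the attacker cannot rewrite (offline, or signed), otherwise a tamperer simply updates the recorded digests along with the files.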
Availability

Availability means that all necessary components like hardware, software, networks, devices, and security equipment should be maintained and upgraded. This will ensure the smooth functioning and access of data without any disruption. It also means providing constant communication between the components by providing enough bandwidth. It also involves opting for extra security equipment in case of any disaster or bottlenecks. Utilities like firewalls, disaster recovery plans, proxy servers, and a proper backup solution should ensure the ability to cope with DoS attacks.

For a successful approach, it should go through multiple layers of security to ensure protection for every constituent of CyberSecurity, particularly involving computers, hardware systems, networks, software programs, and the shared data.

Elements of Cybersecurity

During the past few years, there have been significant advancements in the world of cybersecurity, cyber crime, and cyber error. As a result, these systems have become more complicated than they ever have been. With this in mind, a comprehensive cybersecurity system must ensure that information and equipment are protected from end to end. Therefore, some of the most important elements of cybersecurity include:
• Endpoint Security: Many organizations store their data remotely today; however, this can also be a vulnerable location. Remember that if employees and staff can access information remotely, then it could also be accessed by criminals. Endpoint security focuses on protecting remote access to sensitive files. Some of the most common endpoint security measures include VPNs, firewalls, and other tools.
• Data Security: Data security is a broad term that encompasses all forms of data protection. For example, this could be something as simple as a username and password that restricts access only to those who have the right credentials.
This could also include encryption methods that protect data as it is transferred from place to place. Data security is one of the foundational pillars of cybersecurity as a whole.
• Identity Management: This critical part of cybersecurity ensures that everyone has access to the right information. Specifically, nobody should ever have access to something that they do not need to do their job. Reducing the number of people who have access to specific files minimizes the risk of company data being compromised if one set of credentials is stolen.
• Database and Infrastructure Security: This area of cybersecurity focuses on the physical barriers that are in place. These barriers are used to prevent criminals from accessing hardware or stealing it. This could include something as simple as a lock or something as advanced as a comprehensive security system.
• Cloud Security: The cloud has become an integral part of internet use. Employees can upload information to the cloud, allowing others to access it without generating a long email chain. At the same time, the cloud also makes organizations more vulnerable. Cloud security focuses on protecting information that is stored in the cloud from harm.
• Mobile Security: Every day, more sensitive information is uploaded to phones. Therefore, all phones need to be protected appropriately. In addition to having a strong password, mobile security also focuses on making sure no information is stored on a phone unless it has to be, and teaches others how to safely connect to a mobile network.
• Disaster Recovery and Business Continuity Planning: In addition to hackers, natural disasters are also a significant threat. This could take the form of a fire, a hurricane, or a tornado. If a natural disaster strikes a physical location, it is crucial to ensure the business can continue operating.
This is where a business continuity plan comes into play. With the right disaster recovery services, the damage can be cleaned up quickly, and files can be restored.
• End-User Education: When it comes to cybersecurity, it is always more effective when everyone is pitching in. This is where end-user education is essential. In this manner, employees will be educated on the current best practices, ensuring they can keep themselves and their peers safe from harm.
• Data Loss Prevention: If companies lose their data, this could set them back years. Therefore, the data needs to be protected. This is where the 3-2-1 rule is important when it comes to data backup. Ideally, there should be three separate sets of data stored on two different media types, with one location being off-site. By protecting data from being lost, businesses can solidify their operations.
• Intrusion Detection System: Lastly, it is essential to cover an intrusion detection system. The system is put in place to alert key professionals if unauthorized access to the company’s system is detected. For example, this might include a text message sent to the IT department or an email sent to a manager. The goal is to lock down the system after this intrusion has taken place and trace the signal to see where it came from.

These represent just a couple of the key elements that go into a comprehensive cybersecurity plan. It is important to ensure that every cybersecurity strategy includes these elements so that employees and their data can be protected from harm.

Cybersecurity Attacks

When developing a cybersecurity framework, it is vital to know the cybersecurity attacks that could take place. Some of the most common attacks that everyone should know include:
• Drive-By Attack: In a drive-by attack, a hacker looks for insecure websites that could be vulnerable.
Then, when this website is identified, the hacker will upload malicious scripts onto the pages. As a result, once a person visits the site, this malware reaches their computer and provides the hacker with access.
• SQL Injection Attack: Using an SQL query that is taken from the database, commands are inserted into the data plane itself. Then, the hacker will be rewarded with admin privileges, which he or she can use to steal information, steal login credentials, and shut down the database itself.
• Secure Sockets Layer Attack: In a secure sockets layer attack, a hacker seeks to exploit a gap between the user’s commands and where the website receives the commands. As a result, the hacker can intercept data as it moves from place to place.
• Eavesdropping Attack: This is another attack that hackers can use to intercept data that is in transit. By eavesdropping on individuals who send data back and forth, hackers can read this information as it flows through cyberspace.
• Password Attack: This is a term used to describe any attack used to steal someone’s password. For example, this could include a phishing attack or a brute force attack that is often used to access a company’s network.
• Birthday Attack: In a birthday attack, hackers will replace a legitimate message with a fake one, using something called a hash function. As a result, this type of attack is used to abuse communication privileges reserved for two parties.
• Man in the Middle Attack: Typically, data is encrypted once it leaves the computer. It also gets encrypted when it arrives at its destination. Along the way, the data might not be encrypted. Therefore, someone in the middle could steal it, which is what takes place in this attack.
• Denial or Distributed Denial of Service Attack: One of the most devastating cybersecurity attacks out there, the goal of this attack is to completely overwhelm a network or a system with so many commands that it cannot possibly handle all of them. Therefore, it does not respond to any of these commands and the network ends up completely shutting down.

These are just a few of the most common types of cyber attacks that might take place. Therefore, everyone needs to be prepared for these attacks and understand how to deal with them appropriately.

Cybersecurity Best Practices

Finally, it is essential to cover the best cybersecurity practices. To execute a comprehensive cybersecurity strategy, some of the key best practices include:
• All data has to be protected at all times. This includes guarding against viruses and malware as well as protecting against natural disasters.
• All employees need to be taught the basics of cybersecurity themselves. This includes avoiding pop-ups, not opening unknown emails, and not clicking on mysterious links.
• Practice data backup and hygiene by following the 3-2-1 rule.
• Encourage all employees to practice proper password hygiene by changing their passwords regularly.
• All Wi-Fi connections have to be secured all the time.
• Everyone has to be trained on the rules of accessing remote files from various locations, ensuring that their connection is encrypted.
• When possible, try to employ two-factor authentication to reduce the chances of gaining access to the network with one set of credentials.
• Follow ICA, or integrity, confidentiality and availability, which is critical to risk management.
Following these best practices can go a long way toward protecting the company from harm.
By employing continuous monitoring as a part of cybersecurity management, it is possible to detect advanced persistent threats using general data protection regulation and protect businesses from harm.

Security Architecture (SecA)

The better your implemented SecA is, the safer and more secure your company is. Every company has some form of security architecture (a coherent set of concepts and their principles) implemented. The question is how much, or how maturely, your current-state security architecture is aligned with your strategy and policies. To find that out and get insight into an overview of your security architecture, one can collect data on and document the concepts, principles, elements, rules, and standards used. With that data one can create or generate architecture visualizations at a conceptual, logical and physical level. On this page we introduce an example of a conceptual and logical level security architecture visualization (or diagram).

The definition of Security

Security is often defined as a process to increase the reliability of a system in terms of confidentiality, integrity and authenticity. The security of a system is the coherent set of measures taken to improve control over access to and usage of a system. Security is not so much a process but a state of a system. Securing a system is a process, like defending is a process.

Security Architecture Elements

A concept consists of logical and functional elements at the physical level of technical components. In architecture we need both views of a concept. Elements in their turn can be viewed as concepts themselves. Let’s take a look at the DMZ concept.
A DMZ or demilitarized zone is a physical or logical sub-network that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet (according to Wikipedia). Common elements in a DMZ are services like web servers, FTP servers, mail servers and VoIP servers. There are two main types of DMZs: the single firewall DMZ and the dual firewall DMZ. So next to services and servers, firewalls are also common elements of a DMZ. Using the above knowledge and information it is possible to analyze whether or not the concept of DMZ is implemented, what type of DMZ there is, and what could and should be done to improve the quality (effectiveness) of the DMZ.

Security Architecture Principles

Every security concept has one or more ways of working, or working mechanisms. A working mechanism of a concept we call the concept principle. Guidelines are recognized to help implement the principle. The list below shows one principle per concept.
• Zero Trust Security - By never trusting anyone and always verifying someone’s identity, the network becomes safer.
• Privacy by Design - By designing an IT system where sensitive and personal data is automatically protected from unauthorized access, the IT system is by definition made more safe and secure.
• Least Privilege - By designing an IT system where only the necessary features are provided role-based, the IT system is by definition made more safe and secure.
• Layered Security - By providing security controls at various places or levels in the IT infrastructure, breaching one place or level does not mean an entity has access to everything right away, thus making the entire system more safe and secure.
• Fault Tolerant - By creating a system that includes redundancy, fault isolation, fault detection and annunciation, and on-line repair, the system will be fault tolerant and highly available.
• Default Deny - By denying a user access by default and only granting access after verification, a network and application are made more safe and secure.

What is SIEM?

SIEM (Security Information and Event Management) is a security and auditing system comprised of different monitoring and analysis components. The recent rise in cyber attacks, together with the strict security regulations required of organizations, is making SIEM a standard security approach which is being adopted by an increasing number of organizations. A modern SIEM has three core capabilities: data collection, analytics, and response. In this way SIEM provides the security monitoring and visibility needed in today’s hybrid and multi-cloud environments. A SIEM’s job is to ingest data across your entire network (data collection), identify malicious behavior (analytics), and provide alerts to security and IT teams to give them the visibility and information to respond before the issue becomes serious (response). Put simply, SIEM is a security system comprised of multiple monitoring and analysis components meant to help organizations detect threats and mitigate them. As implied above, SIEM combines a number of other security disciplines and tools under one comprehensive umbrella:
• Log management (LMS) – tools used for traditional log collection and storage.
• Security Information Management (SIM) – tools or systems focusing on collecting and managing security-related data from multiple data sources. These data sources could be, for example, firewalls, DNS servers, routers, antivirus apps.
• Security Event Management (SEM) – systems that are based on proactive monitoring and analysis, including data visualization, event correlation and alerting.

What is Security Orchestration, Automation and Response (SOAR)?

As cyber threats become increasingly sophisticated and trained security professionals become harder to find, organisations want to explore ways to not only improve but also simplify security. SOAR security offers adequate security on the right scale and for the right price. But how actually does SOAR differ from other cyber security systems? SOAR can simply be explained as the technology that is used to protect networks and devices from cyber threats, attacks, and unauthorized access. It combines comprehensive data gathering, analytics, and case management to allow organizations to closely integrate their workflow process with SOAR from one integrated platform. The main components of a SOAR system are:
• Orchestration: Security orchestration accelerates and improves incident response by integrating and analyzing data from various technologies and security tools. Orchestration also involves coordinating different cybersecurity technologies to help organizations deal with complex cybersecurity incidents. A SOAR tool can, for example, collate network security IT operational data by using data from network monitoring tools as a baseline for firewall rules.
• Automation: One of the key functions of any SOAR tool is automation, which eliminates the very time-consuming need to manually detect and respond to security incidents. SOAR systems can, for example, automatically triage certain types of events and allow security teams to define standardized, automated procedures such as decision-making workflows; health checks; enforcement and containment; and auditing.
• Response: SOAR platforms collect data from other security tools, such as security information and event management (SIEM) systems and threat intelligence feeds. They prioritize security events and send key information about the security incident to security staff.

SOAR vs. SIEM

Both SOAR and SIEM deal with data around security threats and enable much better security incident responses. However, SIEM aggregates and correlates data from multiple security systems to generate alerts, while SOAR acts as the remediation and response engine for those alerts. SOAR and SIEM cybersecurity solutions can collect data from the same sources, though the SOAR range is broader, as it can collect data from external applications. The difference between SOAR and SIEM is based on what actions each kind of tool can take when it discovers a potential threat or vulnerability. SOAR uses AI bots and playbooks customized to take a specific action once a threat has been identified. The customized activities are part of an automated workflow that records and tracks the steps to resolve an identified threat. This creates more efficiency in the incident response process. On the other hand, SIEM uses pattern matching to generate alerts that the IT security staff can investigate. SIEM also uses AI technology to reduce the number of false positives that can distract security teams from addressing credible cybersecurity threats. Furthermore, a SIEM tool’s role stops at identifying a threat, whereas a SOAR platform takes the next step of helping administrators take action.

How do SIEM and SOAR work together?

SOAR has been seen as a perfect complement to a SIEM. For example, Gartner uses the combination of SIEM and SOAR as an example of a common approach to detection and response.
Even though other tools have come along that provide alternatives to the SIEM-centric SOC, a SIEM is still an ideal alert source, with its ability to aggregate and flag anomalous activity. Those alerts can then be escalated to an integrated SOAR platform, either manually or automatically based on SIEM rules. The SOAR platform can be used to analyse the alert, determine if it is a genuine incident, and orchestrate the necessary response across other integrated systems. High-quality integrations between SOAR and SIEM are also bidirectional, allowing the SOAR platform to query the SIEM for more information, and update it when the incident is resolved.

Conclusion

As explained above, both SIEM and SOAR provide security teams with solutions to their problems, but each of them supports different goals. On one hand, the SIEM approach requires security analysts to involve themselves in the identification, incident authentication, and incident response processes. Having a SOAR platform makes SIEM solutions more efficient. In general, they produce more reliable and meaningful alerts that security teams can effectively respond to. The integration of SIEM tools with a SOAR solution leads to the creation of a more robust, efficient and responsive security solution.

What is a Firewall?

Firewall defined

A firewall is a network device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules. Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet) in order to block malicious traffic like viruses and hackers.

How does a firewall work?
Firewalls carefully analyze incoming traffic based on pre-established rules and filter traffic coming from unsecured or suspicious sources to prevent attacks. Firewalls guard traffic at a computer’s entry points, called ports, which is where information is exchanged with external devices. For example, “Source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22.”

Think of IP addresses as houses, and port numbers as rooms within the house. Only trusted people (source addresses) are allowed to enter the house (destination address) at all; then it’s further filtered so that people within the house are only allowed to access certain rooms (destination ports), depending on whether they’re the owner, a child, or a guest. The owner is allowed into any room (any port), while children and guests are allowed into a certain set of rooms (specific ports).

Types of firewalls

Firewalls can be either software or hardware, though it’s best to have both. A software firewall is a program installed on each computer that regulates traffic through port numbers and applications, while a physical firewall is a piece of equipment installed between your network and gateway.

Packet-filtering firewalls, the most common type of firewall, examine packets and prohibit them from passing through if they don’t match an established security rule set. This type of firewall checks the packet’s source and destination IP addresses. If a packet matches those of an “allowed” rule on the firewall, then it is trusted to enter the network.

Packet-filtering firewalls are divided into two categories: stateful and stateless. Stateless firewalls examine packets independently of one another and lack context, making them easy targets for hackers. In contrast, stateful firewalls remember information about previously passed packets and are considered much more secure.
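The example rule quoted above (172.18.1.1 may reach 172.18.2.1 over port 22) and the stateless/stateful distinction, worked through in code. This is an added example written for this page, not code from the original report: the Packet and Rule classes, the two firewall classes and the four sample packets are all constructed here. It goes slightly beyond the text by showing why a stateless filter needs a permissive reply rule that a stateful connection table makes unnecessary, and it uses the default-deny principle from the architecture section for any packet no rule matches.

```python
"""Stateless vs stateful packet filtering over a default-deny rule base (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filter rule; a port of None matches any port."""
    src: str              # CIDR, e.g. "172.18.1.1/32"
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class StatelessFirewall:
    """Each packet is judged on its own header: first matching rule wins,
    and a packet matching no rule is denied (default deny)."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def filter(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFirewall(StatelessFirewall):
    """Same rule base for new flows, plus a connection table: a packet that is
    the exact reverse of a flow already allowed is accepted as its reply."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.connections: Set[Tuple[str, str, int, int]] = set()

    def filter(self, p: Packet) -> str:
        if (p.dst, p.src, p.dport, p.sport) in self.connections:
            return "allow"
        action = super().filter(p)
        if action == "allow":
            self.connections.add((p.src, p.dst, p.sport, p.dport))
        return action


# The rule quoted in the text: 172.18.1.1 may reach 172.18.2.1 over port 22.
SSH_OUT = Rule("172.18.1.1/32", "172.18.2.1/32", None, 22, "allow")
# What a stateless filter needs in addition so that SSH replies get back in.
# It trusts anything from 172.18.2.1 with source port 22, solicited or not.
SSH_REPLY = Rule("172.18.2.1/32", "172.18.1.1/32", 22, None, "allow")


def compare() -> Dict[str, List[str]]:
    """Run four constructed packets through both filter types."""
    packets = [
        Packet("172.18.1.1", "172.18.2.1", 51000, 22),   # SSH request, allowed by the rule
        Packet("172.18.2.1", "172.18.1.1", 22, 51000),   # its genuine reply
        Packet("172.18.2.1", "172.18.1.1", 22, 445),     # unsolicited: nothing asked for it
        Packet("172.18.3.3", "172.18.2.1", 51000, 22),   # another host, no rule: default deny
    ]
    stateless = StatelessFirewall([SSH_OUT, SSH_REPLY])
    stateful = StatefulFirewall([SSH_OUT])
    return {
        "stateless": [stateless.filter(p) for p in packets],
        "stateful": [stateful.filter(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the point of the comparison: the stateless filter lets it in because its header happens to fit the reply rule, while the stateful filter denies it because no tracked connection ever asked for it. A production stateful firewall also ages entries out of the connection table and tracks TCP handshake state, which this example leaves out.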
While packet-filtering firewalls can be effective, they ultimately provide very basic protection and can be very limited. For example, they can’t determine if the contents of the request that’s being sent will adversely affect the application it’s reaching. If a malicious request that was allowed from a trusted source address would result in, say, the deletion of a database, the firewall would have no way of knowing that. Next-generation firewalls and proxy firewalls are better equipped to detect such threats.

Next-generation firewalls (NGFW) combine traditional firewall technology with additional functionality, such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Most notably, they include deep packet inspection (DPI). While basic firewalls only look at packet headers, deep packet inspection examines the data within the packet itself, enabling users to more effectively identify, categorize, or stop packets with malicious data.

Proxy firewalls filter network traffic at the application level. Unlike basic firewalls, the proxy acts as an intermediary between two end systems. The client must send a request to the firewall, where it is then evaluated against a set of security rules and then permitted or blocked. Most notably, proxy firewalls monitor traffic for layer 7 protocols such as HTTP and FTP, and use both stateful and deep packet inspection to detect malicious traffic.

Network address translation (NAT) firewalls allow multiple devices with independent network addresses to connect to the internet using a single IP address, keeping individual IP addresses hidden. As a result, attackers scanning a network for IP addresses can’t capture specific details, providing greater security against attacks. NAT firewalls are similar to proxy firewalls in that they act as an intermediary between a group of computers and outside traffic.
Stateful multilayer inspection (SMLI) firewalls filter packets at the network, transport, and application layers, comparing them against known trusted packets. Like NGFW firewalls, SMLI firewalls also examine the entire packet and only allow packets to pass if they pass each layer individually. These firewalls examine packets to determine the state of the communication (thus the name) to ensure all initiated communication is only taking place with trusted sources.

What Is a Domain Name Server (DNS) Attack?

DNS is a fundamental form of communication. It takes user-inputted domains and matches them with an IP address. DNS attacks use this mechanism in order to perform malicious activities. For example, DNS tunneling techniques enable threat actors to compromise network connectivity and gain remote access to a targeted server. Other forms of DNS attacks can enable threat actors to take down servers, steal data, lead users to fraudulent sites, and perform Distributed Denial of Service (DDoS) attacks.

What Are the 5 Major DNS Attack Types?

Here are some of the techniques used for DNS attacks.

1. DNS Tunneling

DNS tunneling involves encoding the data of other programs or protocols within DNS queries and responses. It usually features data payloads that can take over a DNS server and allow attackers to manage the remote server and applications. DNS tunneling often relies on the external network connectivity of a compromised system, which provides a way into an internal DNS server with network access. It also requires controlling a server and a domain, which functions as an authoritative server that carries out data payload executable programs as well as server-side tunneling.

2. DNS Amplification

DNS amplification attacks perform Distributed Denial of Service (DDoS) on a targeted server.
This involves exploiting open DNS servers that are publicly available, in order to overwhelm a target with DNS response traffic. Typically, an attack starts with the threat actor sending a DNS lookup request to the open DNS server, spoofing the source address to become the target address. Once the DNS server returns the DNS record response, it is passed to the new target, which is controlled by the attacker.

3. DNS Flood Attack

DNS flood attacks involve using the DNS protocol to carry out a user datagram protocol (UDP) flood. Threat actors deploy valid (but spoofed) DNS request packets at an extremely high packet rate and then create a massive group of source IP addresses. Since the requests look valid, the DNS servers of the target start responding to all requests. Next, the DNS server can become overwhelmed by the massive amount of requests. A DNS attack requires a great amount of network resources, which tire out the targeted DNS infrastructure until it is taken offline. As a result, the target's internet access also goes down.

4. DNS Spoofing

DNS spoofing, or DNS cache poisoning, involves using altered DNS records to redirect online traffic to a fraudulent site that impersonates the intended destination. Once users reach the fraudulent destination, they are prompted to log in to their account. Once they enter the information, they essentially give the threat actor the opportunity to steal access credentials as well as any sensitive information typed into the fraudulent login form. Additionally, these malicious websites are often used to install viruses or worms on end users' computers, providing the threat actor with long-term access to the machine and any data it stores.

5. NXDOMAIN Attack

A DNS NXDOMAIN flood DDoS attack attempts to overwhelm the DNS server using a large volume of requests for invalid or non-existent records.
These attacks are often handled by a DNS proxy server that uses up most (or all) of its resources to query the DNS authoritative server. This causes both the DNS authoritative server and the DNS proxy server to use up all their time handling bad requests. As a result, the response time for legitimate requests slows down until it eventually stops altogether.

What is Network Detection and Response (NDR)?

Network Detection and Response (NDR) is a cybersecurity solution that continuously monitors an organization's network to detect cyber threats & anomalous behavior using non-signature-based tools or techniques and responds to these threats via native capabilities or by integrating with other cybersecurity tools/solutions.

How does Network Detection and Response work?

NDR is a cybersecurity solution that continuously monitors an organization's network by collecting all network traffic for unprecedented visibility and using behavioral analytics, machine learning & artificial intelligence to detect cyber threats & anomalous behavior and respond to these threats via native capabilities or by integrating with other cybersecurity tools/solutions. Highly performant NDR solutions use advanced machine learning and artificial intelligence tools to model adversary tactics, techniques and procedures that are mapped in the MITRE ATT&CK framework to detect attacker behaviors with high precision. They surface security-relevant context, extract high-fidelity data, and correlate events across time, users, and applications to drastically reduce time and effort spent in investigations. They also stream security detections and threat correlations to security information and event management (SIEM) solutions for comprehensive security assessments.
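As an added example that is not part of the report, the following Python applies the kind of behavior-based check described for NDR to resolver query logs, flagging the tunneling, amplification and NXDOMAIN flood patterns from the DNS section above. Every log line, address and domain is constructed, the thresholds are illustrative, and note that from an open resolver's point of view the amplification victim appears as the query source, because the source address was spoofed to the target's address.

```python
"""Added example (not the report's code): spotting the DNS attack patterns
described above in resolver query logs, the kind of behavioral check an NDR
tool runs. Constructed log line format: "<src_ip> <qname> <qtype> <rcode>"."""
import hashlib
import math
from collections import defaultdict

def shannon_entropy(text):
    """Bits per character; hex-encoded tunnel data scores well above plain labels."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Naive two-label registered domain (no public suffix list): a.b.example.com -> example.com."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze(lines, min_queries=20):
    """Return sorted (finding, subject) pairs for the three attack patterns."""
    per_src = defaultdict(lambda: {"n": 0, "nx": 0, "any": 0})
    per_dom = defaultdict(lambda: {"n": 0, "long": 0, "subs": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        src, qname, qtype, rcode = parts
        s = per_src[src]
        s["n"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["any"] += qtype == "ANY"
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1]      # everything left of the registered domain
        d = per_dom[dom]
        d["n"] += 1
        d["subs"].add(sub)
        if sub and (len(sub) > 40 or shannon_entropy(sub) > 3.5):
            d["long"] += 1
    findings = []
    for src, s in per_src.items():
        if s["n"] < min_queries:
            continue
        if s["nx"] / s["n"] > 0.8:        # NXDOMAIN flood: almost every query fails
            findings.append(("nxdomain_flood", src))
        if s["any"] / s["n"] > 0.8:       # amplification: ANY queries "from" the victim
            findings.append(("amplification_reflection", src))
    for dom, d in per_dom.items():
        # tunneling: many distinct, long or high-entropy labels under one domain
        if d["n"] >= min_queries and d["long"] / d["n"] > 0.8 and len(d["subs"]) / d["n"] > 0.9:
            findings.append(("tunneling", dom))
    return sorted(findings)

def sample_log():
    """Constructed traffic: benign lookups plus one instance of each attack pattern."""
    lines = ["10.0.0.12 www.example.com A NOERROR"] * 5
    lines += ["10.0.0.12 wwww.example.com A NXDOMAIN"]            # a harmless typo
    lines += ["198.51.100.7 zz%d.example.org A NXDOMAIN" % i for i in range(50)]
    lines += ["203.0.113.9 example.com ANY NOERROR"] * 50        # 203.0.113.9 is the spoofed victim
    lines += ["192.0.2.44 %s.tun.example.net TXT NOERROR"
              % hashlib.sha256(str(i).encode()).hexdigest()[:48] for i in range(50)]
    return lines
```

analyze(sample_log()) reports the NXDOMAIN flood source, the amplification victim address and the tunneling domain, while the five benign lookups and the single typo stay below the query threshold.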
NDR solutions move beyond merely detecting threats, responding to threats in real time by native controls or by supporting a wide range of integrations with other cybersecurity tools or solutions like security orchestration, automation, and response (SOAR).

Why does my organization need Network Detection and Response?

NDR plays a pivotal role in securing your digital infrastructure. Threat history is generally available in three places: network, endpoint and logs.

• Endpoint Detection and Response (EDR) provides a detailed ground-level view of the processes running on a host and interactions between them.
• Network Detection and Response (NDR) provides an aerial view of the interactions between all devices on the network.
• Security teams then configure a Security Information and Event Management (SIEM) system to collect event log information from other systems and correlate between data sources.

Security teams that deploy these tools are empowered to answer a broad range of questions when responding to an incident or hunting for threats. For example, they can answer: What did this asset or account do before the alert? What did it do after the alert? Can we find out when things started to turn bad?

NDR is most critical because it provides perspective where the others cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR, or malicious activity may simply not be reflected in logs. But their activity will be visible to network tools as soon as they interact with any other system through the network. Or advanced and sophisticated attackers use hidden encrypted HTTPS tunnels, that blend in with regular traffic, to launch a command and control (C2) session and use the same session to exfiltrate sensitive business and customer data and evade perimeter security controls, but NDR solutions are extremely adept at detecting these behaviors.
What are the benefits of Network Detection and Response?

Continuous visibility across the network

Network Detection and Response cybersecurity solutions provide continuous visibility across all users, devices and technologies connected to the network, from data center to the cloud, from campus users to work-from-home users, from IaaS to SaaS, and from printers to IoT devices.

Behavioral analytics and AI for advanced threat detection

Leading NDR solutions use behavioral analytics and ML/AI to directly model attacker behaviors and detect advanced and persistent attacks with surgical precision. They avoid the deluge of low-fidelity and uninteresting alerts since they don't detect anomalies, but rather, detect active attacks. They provide detection coverage for several phases of an attack lifecycle, including persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, data collection, C2 and exfiltration.

Improvement of security operations center (SOC) operational efficiency

Leading AI-driven NDR solutions are automatic and dramatically improve security detections and security operations center (SOC) operational efficiency, despite organizations and teams being plagued by a chronic shortage of cybersecurity expertise & personnel, by offering full attack reconstructions in natural language that provide analysts all the information they need to act on alerts quickly and completely.

Ability to automatically respond and shut down attacks in real time

In addition to detecting sophisticated attacks that operate discreetly and employ evasive techniques, NDR solutions offer the ability to automatically respond to serious attacks via native controls and shut down an attack in real time. Additionally, they integrate with several cybersecurity products like EDR or cybersecurity solutions like SOAR.
What is a Security Operations Center (SOC)?

A security operations center (SOC) – sometimes called an information security operations center, or ISOC – is an in-house or outsourced team of IT security professionals that monitors an organization's entire IT infrastructure, 24/7, to detect cybersecurity events in real time and address them as quickly and effectively as possible. An SOC also selects, operates, and maintains the organization's cybersecurity technologies, and continually analyzes threat data to find ways to improve the organization's security posture.

The chief benefit of operating or outsourcing an SOC is that it unifies and coordinates an organization's security tools, practices, and response to security incidents. This usually results in improved preventative measures and security policies, faster threat detection, and faster, more effective and more cost-effective response to security threats. An SOC can also improve customer confidence, and simplify and strengthen an organization's compliance with industry, national and global privacy regulations.

What a Security Operations Center (SOC) does

SOC activities and responsibilities fall into three general categories.

Preparation, planning and prevention

Asset inventory. An SOC needs to maintain an exhaustive inventory of everything that needs to be protected, inside or outside the data center (e.g. applications, databases, servers, cloud services, endpoints, etc.) and all the tools used to protect them (firewalls, antivirus/anti-malware/anti-ransomware tools, monitoring software, etc.). Many SOCs will use an asset discovery solution for this task.

Routine maintenance and preparation. To maximize the effectiveness of security tools and measures in place, the SOC performs preventative maintenance such as applying software patches and upgrades, and continually updating firewalls, whitelists and blacklists, and security policies and procedures. The SOC may also create system back-ups – or assist in creating back-up policy or procedures – to ensure business continuity in the event of a data breach, ransomware attack or other cybersecurity incident.

Incident response planning. The SOC is responsible for developing the organization's incident response plan, which defines activities, roles, and responsibilities in the event of a threat or incident – and the metrics by which the success of any incident response will be measured.

Regular testing. The SOC team performs vulnerability assessments – comprehensive assessments that identify each resource's vulnerability to potential threats, and the associated costs. It also conducts penetration tests that simulate specific attacks on one or more systems. The team remediates or fine-tunes applications, security policies, best practices and incident response plans based on the results of these tests.

Staying current. The SOC stays up to date on the latest security solutions and technologies, and on the latest threat intelligence – news and information about cyberattacks and the hackers who perpetrate them, gathered from social media, industry sources, and the dark web.

Monitoring, detection and response

Continuous, around-the-clock security monitoring. The SOC monitors the entire extended IT infrastructure – applications, servers, system software, computing devices, cloud workloads, the network – 24/7/365 for signs of known exploits and for any suspicious activity.
For many SOCs, the core monitoring, detection and response technology has been security information and event management, or SIEM. SIEM monitors and aggregates alerts and telemetry from software and hardware on the network in real time, and then analyzes the data to identify potential threats. More recently, some SOCs have also adopted extended detection and response (XDR) technology, which provides more detailed telemetry and monitoring, and the ability to automate incident detection and response.

Log management. Log management – the collection and analysis of log data generated by every network event – is a subset of monitoring that's important enough to get its own paragraph. While most IT departments collect log data, it's the analysis that establishes normal or baseline activity, and reveals anomalies that indicate suspicious activity. In fact, many hackers count on the fact that companies don't always analyze log data, which can allow their viruses and malware to run undetected for weeks or even months on the victim's systems. Most SIEM solutions include log management capability.

Threat detection. The SOC team sorts the signals from the noise – the indications of actual cyberthreats and hacker exploits from the false positives – and then triages the threats by severity. Modern SIEM solutions include artificial intelligence (AI) that automates these processes and 'learns' from the data to get better at spotting suspicious activity over time.

Incident response. In response to a threat or actual incident, the SOC moves to limit the damage.
Actions can include:

• Root cause investigation, to determine the technical vulnerabilities that gave hackers access to the system, as well as other factors (such as bad password hygiene or poor enforcement of policies) that contributed to the incident
• Shutting down compromised endpoints or disconnecting them from the network
• Isolating compromised areas of the network or rerouting network traffic
• Pausing or stopping compromised applications or processes
• Deleting damaged or infected files
• Running antivirus or anti-malware software
• Decommissioning passwords for internal and external users.

Many XDR solutions enable SOCs to automate and accelerate these and other incident responses.

Recovery, refinement and compliance

Recovery and remediation. Once an incident is contained, the SOC eradicates the threat, then works to restore the impacted assets to their state before the incident (e.g. wiping, restoring and reconnecting disks, end-user devices and other endpoints; restoring network traffic; restarting applications and processes). In the event of a data breach or ransomware attack, recovery may also involve cutting over to backup systems, and resetting passwords and authentication credentials.

Post-mortem and refinement. To prevent a recurrence, the SOC uses any new intelligence gained from the incident to better address vulnerabilities, update processes and policies, choose new cybersecurity tools or revise the incident response plan. At a higher level, the SOC team may also try to determine if the incident reveals a new or changing cybersecurity trend for which the team needs to prepare.

Compliance management. It's the SOC's job to ensure all applications, systems, and security tools and processes comply with data privacy regulations such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), PCI DSS (Payment Card Industry Data Security Standard), and HIPAA (Health Insurance Portability and Accountability Act). Following an incident, the SOC makes sure that users, regulators, law enforcement and other parties are notified in accordance with regulations, and that the required incident data is retained for evidence and auditing.

Key Security Operations Center (SOC) team members

In general, the chief roles on an SOC team include:

• The SOC manager, who runs the team, oversees all security operations, and reports to the organization's CISO (chief information security officer).
• Security engineers, who build out and manage the organization's security architecture. Much of this work involves evaluating, testing, recommending, implementing and maintaining security tools and technologies. Security engineers also work with development or DevOps/DevSecOps teams to make sure the organization's security architecture is included in application development cycles.
• Security analysts – also called security investigators or incident responders – who are essentially the first responders to cybersecurity threats or incidents. Analysts detect, investigate, and triage (prioritize) threats; then they identify the impacted hosts, endpoints and users, and take the appropriate actions to mitigate and contain the impact of the threat or incident. (In some organizations, investigators and incident responders are separate roles classified as Tier 1 and Tier 2 analysts, respectively.)
• Threat hunters (also called expert security analysts) specialize in detecting and containing advanced threats – new threats or threat variants that manage to slip past automated defenses.
The SOC team may include other specialists, depending on the size of the organization or the industry in which it does business. Larger companies may include a Director of Incident Response, responsible for communicating and coordinating incident response. And some SOCs include forensic investigators, who specialize in retrieving data – clues – from devices damaged or compromised in a cybersecurity incident.