Cyber Threats, Attack Vectors and Vulnerabilities

Cyber threats, attack vectors and vulnerabilities: as a system administrator, pretty much everything you do is geared towards dealing with these challenges. As a hacker, your job is to make the most of them in order to compromise your targets.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

– Sun Tzu, Art of War

At the risk of sounding cliché, those in charge of protecting organizations need to get their hands dirty understanding the cyber threats, attack vectors and vulnerabilities facing them, including malware and social engineering tactics.

Cybersecurity Threat Actors

The cybersecurity world is populated by a range of threat actors. While each has different attributes, they all make use of open-source intelligence gathering before launching an attack. The different actors include:

  • Advanced Persistent Threats (APT): Sophisticated, targeted attacks against a network, backed by significant resources and funding, resulting in prolonged periods of unauthorized access and the exfiltration of large amounts of data.
  • Competitors: Typically motivated to gain a competitive advantage by acquiring proprietary information about another company.
  • Hacktivists: Launch attacks as part of an activist movement or to further a cause rather than for their own benefit.
  • Insiders: Anyone who has legitimate access to an organization’s internal resources. Insiders are the reason you need internal security measures and should design your systems around the concept of least privilege. Malicious insiders have a diverse set of motivations.
  • Organized crime: The primary motivation of organized criminals is money. Almost all their efforts can be traced back to greed, with the goal of getting more money regardless of how they get it.
  • Script kiddies: Attackers who use existing scripts or code to launch attacks and have very little expertise or sophistication.

Generic Cyber Attacks

  • Adware: Originally built to deliver targeted advertising to subsidize the cost of free software, but has evolved into spyware. Some traditional adware still exists.
  • Bots/Botnets: Bots are simply software robots used for malicious purposes; grouped together they are called a botnet. Botnets attempt to infect as many computers as possible and control them through one or more servers running command-and-control software. Most computers join a botnet through malware infection. A bot herder can then direct the botnet to, for example, repeatedly query DNS servers in a protracted distributed denial-of-service (DDoS) attack.
  • Backdoors: Provide another way of accessing a system, and are often installed by malware to bypass normal authentication methods.
  • Denial of Service: Two generic types of attack are denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks.
    • A DoS attack is from one attacker against one target.
    • A DDoS attack is from two or more computers against a single target. DDoS attacks often include sustained, abnormally high network traffic on the network interface card of the attacked computer.

These attacks attempt to overload an application or service on a computer and lead to resource exhaustion as the attacked computer can no longer keep up with the requests. The attacked computer typically slows down significantly, preventing legitimate users from viewing web pages, and eventually might crash.
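As an added example (not part of the original post), the following Python script applies the DoS/DDoS distinction above to constructed log lines: it counts requests per target in fixed time windows and, when a window exceeds a threshold, reports whether the flood comes from a single source or from many. The log format, addresses and thresholds are assumptions.

```python
# Added example: classify a request flood as single-source DoS or
# multi-source DDoS from constructed "epoch_seconds src_ip dst_ip" log lines.
from collections import Counter


def build_sample_log():
    """Constructed traffic: normal browsing, then a DoS burst, then a DDoS burst
    against the same target 10.0.0.5 (sources use documentation address ranges)."""
    lines = []
    for t in range(1000, 1020):                      # 3 clients, 1 request/s each
        for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(f"{t} {host} 10.0.0.5")
    lines += ["1030 203.0.113.7 10.0.0.5"] * 80      # one host, 80 requests in 1 s
    for i in range(1, 21):                           # 20 hosts, 5 requests each
        lines += [f"1040 198.51.100.{i} 10.0.0.5"] * 5
    return "\n".join(lines)


def parse_log(text):
    """Parse the simplified log into (timestamp, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        records.append((int(ts), src, dst))
    return records


def classify_flood(records, window=10, threshold=50, min_sources=5):
    """Bucket requests per (window, target). A bucket above `threshold` is a
    flood; it is a DDoS when at least `min_sources` sources contribute and no
    single source dominates, otherwise a DoS."""
    buckets = {}                                     # (window_start, dst) -> Counter(src)
    for ts, src, dst in records:
        key = (ts - ts % window, dst)
        buckets.setdefault(key, Counter())[src] += 1
    alerts = []
    for (start, dst), sources in sorted(buckets.items()):
        total = sum(sources.values())
        if total < threshold:
            continue                                 # normal load, nothing to report
        top_share = sources.most_common(1)[0][1] / total
        kind = "ddos" if len(sources) >= min_sources and top_share < 0.5 else "dos"
        alerts.append({"window_start": start, "target": dst, "kind": kind,
                       "requests": total, "sources": len(sources)})
    return alerts


if __name__ == "__main__":
    for alert in classify_flood(parse_log(build_sample_log())):
        print(alert)
```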

  • Keylogger: Hardware or software that captures a user’s keystrokes and stores them in a file, which is either sent to an attacker automatically or retrieved manually by the attacker.
  • Rootkit: Programs that hide the fact that the system has been compromised by malicious code. A user might suspect something is wrong, but antivirus scans and other checks indicate everything is fine because the rootkit hides its running processes to avoid detection. Rootkits do this by modifying system files and the Registry, since they have system-level (root-level, kernel-level) access, the same level of access as the operating system. Using hooked processes, rootkits intercept system-level function calls, events or messages to the operating system and use them to control the system’s behavior. A rootkit prevents the antivirus software from making these calls, so antivirus software will sometimes report that everything is OK even when the system is infected with a rootkit.
    • Antivirus software can often detect the hooked processes by examining the contents of the system’s random access memory (RAM).
    • Another method of detecting rootkits is booting in safe mode or scanning the system before it boots, but this isn’t always successful. Rootkits are very difficult to detect because they can hide so much of their activity.
  • Spyware: Installed on users’ systems without their awareness or consent to monitor their activity and send this information to a third party. In some situations these changes slow a system down, resulting in poorer performance.
    • Some spyware includes keyloggers.
    • Often installed by a trojan.
  • Trojans: Come in the form of pirated software, a useful utility, a game, or something else that users download. Trojans are often used in drive-by downloads, where web servers include malicious code that attempts to download and install itself on users’ computers when they visit. The typical sequence of events is:
    1. Attackers compromise a web site.
    2. A trojan is embedded in the web site’s code.
    3. Attackers lure visitors to the site.
    4. When users visit, the web site attempts to download the trojan to the users’ systems.
    • Ransomware: Attackers encrypt the user’s data, lock the user out and demand a ransom to regain access.
      • Attackers often deliver ransomware via drive-by downloads or embedded in other software delivered via email.
    • Rogueware: Another popular trojan vector, masquerading as a free antivirus program. It appears as free antivirus software, runs a system scan and reports finding multiple issues to encourage the user to resolve them immediately by buying some malicious
    • Remote Access Trojan (RAT): Allows attackers to take control of systems from remote locations. After installation, attackers can access infected computers at any time and install additional malware if desired. Some RATs automatically collect and log keystrokes, usernames and passwords, incoming and outgoing email, chat sessions and browser history, as well as take screenshots. The RAT can then automatically send the data to the attackers at predetermined times. Additionally, attackers can explore the network using the credentials of the user or the user’s computer, often to discover and exploit additional vulnerabilities within the network. It’s common for attackers to use this one infected system to quickly infect the entire network with additional malware, including installing RATs on other systems.
  • Virus: Malicious code that attaches itself to a host application and executes, without the user’s knowledge, when the host application runs. It replicates by finding other host applications to infect, so most viruses won’t cause damage immediately. When it reaches some level of infection, the virus activates and delivers its payload, which typically:
    • Deletes files
    • Causes random reboots
    • Joins the computer to a botnet, or
    • Enables backdoors
  • Worms: Self-replicating malware that travels throughout a network without the assistance of a host application or user. A worm resides in memory and uses different transport protocols to traverse a network. As worms replicate themselves hundreds of times and spread to all the systems in the network, they also cause significant problems by consuming network bandwidth, slowing traffic to a crawl.

Social Engineering Attacks

Adapted from the world of old-school espionage and spycraft, social engineering is the use of deceptive interpersonal interactions to gain unauthorized information, typically by encouraging someone to perform an action they are authorized to perform. By default it is a low-tech strategy to encourage individuals to reveal information, such as user credentials, and typically involves a combination of flattery, impersonation and authority.

  • Dumpster Diving: Searching through trash or recycling containers to gain information from discarded documents. Shredding or burning papers instead of throwing them away mitigates this threat.
  • Email Attacks: Many people don’t understand how dangerous a simple email can be for the entire organization, so they click a link within a malicious email, which gives attackers access to an entire network.
    • Spam: Unsolicited email, which can include malicious links, code or attachments. Criminals use a variety of methods to collect email addresses: they buy lists from other criminals and harvest them from web sites, and some malware scans the address books of infected computers to collect addresses.
    • Phishing: Sending email to users with the purpose of tricking them into revealing personal information or clicking on a link. A phishing attack often sends the user to a malicious web site that appears to be a legitimate site.
      • Install Malware: Phishing emails often look like they come from official sources, attempting to get the user to click a link. When they do so, they are told they need to update a piece of expired software in order to access the information indicated by the email. If the user clicks Yes, malware is downloaded and installed.
      • Validate Email Addresses: Attackers can use beacons, a link included in the email to an image stored on an Internet server, to validate email addresses; the link includes a unique code that identifies the receiver’s email address. When the email application displays the image, it retrieves it from the Internet server, which logs the email address from which it received the request, indicating that the address is valid. This is one of the reasons most email programs won’t display images by default.
      • Steal Money: The old-fashioned 419 scam involves getting an email from someone claiming that a relative or someone else has millions of dollars but can’t get at the money without your help, for which you’ll receive a substantial portion of the money.
      • Spear Phishing: A targeted form of phishing. One solution that deters the success of spear phishing attacks is digital signatures: the CEO and anyone else in the company can sign their emails with a digital signature.
      • Whaling: A form of spear phishing that targets high-level executives.
    • Friendly Emails: Emails from people impersonating your friends are a common security issue related to social media. To identify the actual sender, you often need to look at the full header of the email. Links in these emails often lead to a server that attempts a drive-by download or joins the computer to a botnet, at which point a bot herder is using your friend’s computer to send out phishing emails.
  • Hoax Messages: Messages that warn users to take action against a security threat that doesn’t exist, encouraging them to delete required system files or download compromised files. If users are convinced to delete important files, they may make their systems unusable, wasting help-desk time on needless damage users caused to their own systems in response to the hoax.
  • Impersonation: Social engineers often attempt to impersonate others to convince an authorized user to provide information or defeat a security control.
    • Identity verification methods are useful to prevent the success of impersonation attacks.
  • Shoulder Surfing: Looking over someone’s shoulder to gain information by casual observation. Screen filters help prevent shoulder surfing by obscuring the view for anyone not directly in front of the monitor.
  • Tailgating: The practice of one person following closely behind another without showing credentials, bypassing the access control. This can be prevented with a mantrap, such as a turnstile.
  • Watering Hole Attacks: An attempt to discover which web sites a group of people visit and then infect those web sites with malware that can infect the visitors. The attacker’s goal is to infect a web site that users already trust, making them more likely to download infected files.
  • Vishing: Using phone systems to trick users into giving up personal and financial information. Vishing often uses social engineering tactics over Voice over IP (VoIP) technology, where the caller ID can be spoofed to make it appear as though the call came from a real company. Usually these calls focus on obtaining credit card information.
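The email beacon described under "Validate Email Addresses" above is exactly what a mail client looks for before it decides whether to fetch remote images. As an added example (not from the original post), this Python script scans a constructed HTML message for remote images that carry beacon indicators: a 1x1 pixel size or an opaque per-recipient token in the URL. The sample message, hostnames and token values are made up for the demonstration.

```python
# Added example: flag remote images in an HTML email that look like tracking
# beacons (a 1x1 pixel and/or an opaque per-recipient token in the URL), the
# kind of check a mail client performs before deciding to fetch images.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# An opaque token: 20+ alphanumeric/base64 characters that include a digit.
TOKEN = re.compile(r"^(?=.*\d)[A-Za-z0-9+/=_-]{20,}$")

# Constructed sample message. The hex id and the base64 value (which encodes a
# hypothetical recipient address) are made-up examples, not real URLs.
SAMPLE_EMAIL = """<html><body>
<p>Your statement is ready.</p>
<img src="https://cdn.example.net/img/logo.png" width="200" height="60">
<img src="https://track.example.net/open/9f3c2a7e1b4d5c6a8e0f1a2b3c4d5e6f" width="1" height="1">
<img src="https://mail.example.org/o.gif?u=dXNlcjQyQGV4YW1wbGUuY29t">
<img src="cid:inline-logo@mail">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in document order."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def looks_like_token(url):
    """True if any path segment or query value is an opaque per-recipient token."""
    parts = [seg for seg in url.path.split("/") if seg]
    parts += [v for values in parse_qs(url.query).values() for v in values]
    return any(TOKEN.match(p) for p in parts)


def find_beacons(html_body):
    """Return the remote images that show beacon indicators, with the reasons."""
    collector = _ImgCollector()
    collector.feed(html_body)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue                      # cid:/data: images never contact a server
        reasons = []
        if img.get("width") in ("0", "1") or img.get("height") in ("0", "1"):
            reasons.append("1x1 pixel")
        if looks_like_token(url):
            reasons.append("per-recipient token")
        if reasons:
            findings.append({"url": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EMAIL):
        print(hit["url"], "->", ", ".join(hit["reasons"]))
```

A client that blocks all remote images by default needs none of this heuristic; the check is useful where remote images are allowed and the user should be warned which ones would confirm their address.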

Why Social Engineering Works

Social engineering works because it combines convincing acting with the application of the principles of human psychology.   These principles include:

Authority: People have grown up respecting authority and are more likely to comply when a person of authority tells them to do so. This is used in many types of attacks, such as vishing and whaling, where social engineers impersonate authority figures.

Consensus: People often like something that other people like, so social engineers create web sites with fake testimonials that promote a software product to leverage consensus (social proof); targets are more likely to install a piece of software if they think everyone indicates it’s safe.

Familiarity: If you like someone, you are more likely to do what the person asks; this is most effective with shoulder surfing and tailgating attacks.

Intimidation: Combines bullying and impersonation tactics; most effective with phishing/vishing attacks.

Scarcity: Effective with phishing and trojans. People often make quick decisions without thinking and take action when they think there is a limited quantity of an item. Phishing emails take advantage of this, encouraging users to click a link for exclusive access to some software product, which leads to a malicious web site.

Trust: In addition to familiarity, some social engineers attempt to build a trusting relationship between them and the victim. This often takes a little time, but the reward for the criminal can be worth it. Vishing attacks often use this method. 

Urgency: Some attacks use urgency to encourage people to take action; it is most effective with ransomware, phishing, vishing, whaling and hoaxes.

 

How To Defend Against Malware

Malware is a significant threat for any organization and requires multiple security controls including:

  • Mail gateway based spam and malware defences: Use spam filters on mail gateways to detect and filter spam, preventing it from reaching users and minimizing any chance of them clicking a malicious link. Email can include malware as attachments, so running anti-malware software on the mail server can detect and strip potentially malicious attachments from email and notify the user of what was removed.
  • All workstations/servers: Should have anti-malware software installed. User systems should also have anti-spam filters.
  • Boundaries/firewalls: Include detection tools that monitor network traffic through the firewall, such as a unified threat management (UTM) tool, to inspect traffic.

A large portion of malicious files come into your system via spam. The challenge with spam filtering is to filter out only spam and never filter out legitimate email, so blocking spam often requires several technology layers:

  • Many UTM systems have spam filters to detect and block spam.
  • UTM output goes to an email server.
  • Email servers also detect/block spam.
  • Spam filters allow administrators to identify email addresses as safe, or to be blocked. You can add these as individual addresses or entire domains. 
  • The email server sends all email to the users, except for what it detects as spam.

Most spam filters are cautious so they allow a bit of spam through rather than potentially marking valid email as spam. Although the science behind spam filtering continues to improve, criminals have also continued to adapt.

Antivirus and Anti-Malware Software

If you are confused about the difference between anti-malware and antivirus software, you aren’t alone: the dividing line is quite blurry. As threat actors modify their technologies, antivirus products now detect, block and remove a cornucopia of malware including viruses, worms, rootkits, etc. Antivirus software provides real-time protection and can perform both scheduled and manual scans.

If the antivirus software detects malware, either with heuristic or signature-based methodologies, it will typically quarantine it and then notify the user. 

Heuristic Detection Methodologies: Detect viruses that were previously unknown and do not have signatures, including zero-day exploits. They do this by running questionable code in a sandboxed, virtualized space, which protects the live environment, and observing the code’s behavior to detect viral activity.

Signature-Based Detection: Viruses have patterns that can be defined in signature files; when signature-based antivirus software identifies a matching pattern, it reports an infection and takes action, deleting or quarantining the offending file. While in quarantine the virus is not harmful to the system and is available for analysis. As malware constantly evolves, it’s important to update signature definition files regularly, which is usually an automated process of checking for signature file updates and downloading them.

Maintaining File Integrity: Antivirus scanners often use file integrity checkers to detect modified system files by:

  • Calculating hashes of system files as a baseline
  • Periodically recalculating these file hashes
  • Comparing the original and recalculated hashes
  • If the hashes ever differ, the system files have been modified and a notification is sent to the user
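The baseline / recalculate / compare cycle above, as an added Python example (not code from the original post), run against constructed files in a temporary directory. The file names and contents are made up; it also reports files that vanished or appeared since the baseline, which a plain hash comparison would miss.

```python
# Added example: the baseline / recalculate / compare cycle of a file
# integrity checker, run against constructed files in a temporary directory.
import hashlib
import tempfile
from pathlib import Path


def file_hash(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Step 1: hash every file under root once; keep the result as the baseline.
    In practice the baseline is stored where the monitored host cannot rewrite it."""
    root = Path(root)
    return {str(p.relative_to(root)): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Steps 2 and 3: recalculate the hashes and compare them with the baseline.
    Reports modified files plus files that vanished or appeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate a replaced binary,
    a deleted file and a dropped file, and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")      # tampered
        (root / "passwd").unlink()                                     # removed
        (root / "bin" / ".hidden").write_bytes(b"dropped file")        # new
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A rootkit with kernel-level access can lie to the file reads the checker performs, so the comparison is most trustworthy when run from clean boot media against an offline copy of the baseline.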

Data execution prevention (DEP):  Prevents code from executing in non-executable memory regions in order to protect a system from malware.  It is enforced by both hardware and software.

Educating Users: User ignorance is a significant risk to any organization and one of its largest vulnerabilities. No matter how much money gets invested in security technology, a user clicking a link in the wrong email circumvents it all. Training users in the importance of security is therefore of paramount importance, as users aren’t aware of attacker methods. Making users cognizant of security helps them recognize and respond appropriately to new threats and security trends. This includes educating them about:

  • New Viruses: New viruses are constantly being released and can be exceptionally damaging, because administrators need to take quick action to mitigate the threat with minimal knowledge.
  • Phishing Attacks: The best way to prevent successful attacks is to educate people about the mechanics of phishing.
  • Zero-Day Attacks: Teaching users about zero day exploits keeps users from having a false sense of confidence in the software defence mechanisms running on the system and keeps them aware of their role in security.

Summary: Cyber Threats, Attack Vectors and Vulnerabilities

  • A denial-of-service (DoS) attack is an attack from a single source that attempts to disrupt the services provided by another system.
  • A distributed denial-of-service (DDoS) attack includes multiple computers attacking a single target. DDoS attacks typically include sustained, abnormally high network traffic.
  • Malware includes a wide variety of malicious code, including viruses, worms, Trojans, ransomware, and more. A virus is malicious code that attaches itself to an application and runs when the application is started. A worm is self-replicating and doesn’t need user interaction to run.
  • Many of the reasons that social engineers are effective are because they use psychology-based techniques to overcome users’ objections. Scarcity and urgency are two techniques that encourage immediate action.
  • Antivirus software detects and removes malware, such as viruses, Trojans, and worms. Signature-based antivirus software detects known malware based on signature definitions while heuristically-based software detect unknown malware based on behavior.
  • Educating users about new viruses, phishing attacks, and zero-day exploits helps prevent incidents. Zero-day exploits take advantage of vulnerabilities that aren’t known by trusted sources, such as operating system vendors and antivirus vendors. Some basic guidelines are:
    • Don’t click on links within emails from unknown sources (no matter how curious you might be).
    • Don’t open attachments from unknown sources. Malware can be embedded into many different files, such as Portable Document Format (PDF) files, Word documents, Zipped (compressed) files, and more.
    • Be wary of free downloads from the Internet. (Trojans entice you with something free, but they include malware.)
    • Limit information you post on social media sites. (Criminals use this to answer password reset questions.)
    • Back up your data regularly (unless you’re willing to see it disappear forever).
    • Keep your computer up to date with current patches (but beware of zero-day exploits).
    • Keep antivirus software up to date (but don’t depend on it to catch everything).
