Security Tutorials

Tutorial 1 CIA Triad

By:
Mohamed Ayman

CIA Triad

◎ CIA is a security model, one of many models, that represents the security principles that need to be provided in any system in order to be “secure enough”.
◎ CIA stands for:
○ Confidentiality
○ Integrity
○ Availability

CIA Triad: Confidentiality

◎ Confidentiality means the protection of information in the system so that an unauthorized person cannot access it.
◎ That can be achieved in more than one way, like:
○ Data Encryption
○ Restrict Access to Data
○ Comply with industry Regulations
◎ Example:
○ Here in the GUC, if student A wants to access his/her transcript, it will be doable. However, it won’t be the same case if the trial was for the transcript of student B.
CIA Triad: Integrity

◎ Integrity means guarding against improper information modification or destruction.
◎ That can be achieved in more than one way, like:
○ Access Control
○ Hashing
○ Validation
◎ Example:
○ Here in the GUC, if student A wants to edit his/her grade in the transcript, it won’t be doable because only the Dr. and the TAs can do this function. This is how you maintain integrity of the data so that the grades are trustworthy.

CIA Triad: Availability

◎ Availability means trying to make the services of the system up and running almost 24/7.
◎ That can be achieved by having our servers up and running as much as possible.
◎ Example:
○ Banking Services.
○ Our GUC System xD

AAA Model

◎ AAA is another security model, one of many models, that represents the security principles that need to be provided in any system in order to be “secure enough”.
◎ AAA stands for:
○ Authentication
○ Authorization
○ Accountability
AAA Model: Authentication

◎ Authentication means the action of verifying the person who will use the system (who).
◎ This can be achieved by:
○ Bio-metrics (fingerprint)
○ Login credentials
○ USB Key, ID Card
◎ Example:
○ Your student email and password to enter the student portal or the email.

AAA Model: Authorization

◎ Authorization means the action of giving permission to the user for a certain margin of functions.
◎ This can be achieved by:
○ Identifying User Type
◎ Example:
○ Exam Office can’t change the grades of the students

AAA Model: Authentication vs Authorization

AAA Model: Accountability

◎ Accountability means the traceability of actions performed by a user, process or device.
◎ This can be achieved by:
○ Having logs to trace the actions of the users
◎ Example:
○ Blockchain Systems
AAA Model: Non-repudiation

◎ By applying the AAA Model, non-repudiation can be achieved.
◎ Non-repudiation means the user can’t deny any action that they made.
◎ This is done because:
○ The user is authenticated to use the system
○ The user made changes that he/she is authorized to make
○ The actions of the user are saved in the logs to hold him/her accountable for their actions
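The GUC transcript examples from the CIA and AAA slides can be put into one small service that shows all three A's working together and how that yields non-repudiation. This is an added example, not code from the tutorial: the user names, roles, passwords and grades are constructed, and the role names ("student", "ta", "dr", "exam_office") are assumptions. Passwords are checked against a salted hash (authentication), each user type is allowed a fixed margin of functions (authorization), every decision is written to an audit log whether it was allowed or denied (accountability), and a digest over each grade record lets the service notice a change made behind its back (integrity).

```python
"""Toy GUC transcript service tying the CIA and AAA slides together.

Added example, not code from the tutorial: the user names, roles, passwords
and grades are constructed, and the role names are assumptions.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str        # "student", "ta", "dr" or "exam_office"
    salt: bytes
    pw_hash: bytes   # salted PBKDF2 hash; the clear-text password is never stored


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(name: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, _hash_password(password, salt))


USERS = {u.name: u for u in (
    make_user("studentA", "student", "correct horse"),
    make_user("studentB", "student", "battery staple"),
    make_user("drX", "dr", "lecturer pw"),
    make_user("examoffice", "exam_office", "office pw"),
)}

# Integrity: a digest over each grade record, recomputed only by this service.
TRANSCRIPTS = {"studentA": {"CSEN 101": 85}, "studentB": {"CSEN 101": 70}}


def record_digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


DIGESTS = {s: record_digest(r) for s, r in TRANSCRIPTS.items()}

# Accountability: every decision, allowed or denied, goes to an append-only log.
AUDIT_LOG = []


def _log(actor: str, action: str, target: str, allowed: bool) -> None:
    AUDIT_LOG.append({"actor": actor, "action": action, "target": target, "allowed": allowed})


# Authentication: verify who is calling (constant-time hash comparison).
def authenticate(name: str, password: str):
    user = USERS.get(name)
    if user and hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
        return user
    return None


# Authorization: students see only their own transcript; only Dr./TAs edit grades.
def _may_view(user: User, student: str) -> bool:
    return user.role in ("dr", "ta") or (user.role == "student" and user.name == student)


def _may_edit(user: User) -> bool:
    return user.role in ("dr", "ta")   # the Exam Office is deliberately not included


def attempt(name, password, action, student, course=None, grade=None) -> str:
    """Push one request through all three A's and return an outcome label."""
    user = authenticate(name, password)
    if user is None:
        _log(name, action, student, False)
        return "auth_failed"
    allowed = _may_view(user, student) if action == "view" else _may_edit(user)
    _log(user.name, action, student, allowed)
    if not allowed:
        return "denied"
    if action == "view":
        # A record changed outside this service no longer matches its digest.
        if record_digest(TRANSCRIPTS[student]) != DIGESTS[student]:
            return "integrity_failure"
        return "ok"
    TRANSCRIPTS[student][course] = grade
    DIGESTS[student] = record_digest(TRANSCRIPTS[student])
    return "ok"


def tamper(student: str, course: str, grade: int) -> None:
    """Simulate a change that bypasses the service, e.g. a direct database write."""
    TRANSCRIPTS[student][course] = grade


if __name__ == "__main__":
    print(attempt("studentA", "correct horse", "view", "studentB"))           # denied
    print(attempt("drX", "lecturer pw", "edit", "studentA", "CSEN 101", 90))  # ok
    tamper("studentB", "CSEN 101", 100)
    print(attempt("studentB", "battery staple", "view", "studentB"))         # integrity_failure
    print(json.dumps(AUDIT_LOG, indent=1))
```

Because denied requests are logged as well as allowed ones, the log alone shows that studentA tried to open studentB's transcript, which is the accountability part of non-repudiation; the digest check shows why hashing appears on the Integrity slide as a separate control from access control.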
Attack Surface and Vectors

Attack Surface and Vectors

◎ Attack surface is the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data.
◎ The smaller the attack surface, the easier to protect.
◎ An attack vector is any means by which an attacker can infiltrate your environment, whereas attack surface refers to the collective vulnerability that these vectors create.
◎ Examples for attack vectors:
○ Phishing
○ DDoS
○ Ransomware

Password Cracking
Password Cracking

◎ Password Cracking is the process of using some tools and programs to retrieve passwords stored in computer systems or in a network.
◎ This can be done using different techniques like:
○ Brute Force
○ Dictionary attack
○ Rainbow table

Password Cracking – A wicked Problem

◎ Password Cracking is considered a wicked problem because of its characteristics, which are:
○ Complexity
○ Ethical considerations

Password Cracking: Example

◎ A student wants to crack his rival’s password on his college website. He knows that his password might be in a text file (a dictionary) having millions of passwords. However, the college’s system locks out the user after 3 failed attempts for around 30 minutes. After calculating the computational power of his computer, he finds out that it would take him 2 years to finish the attack.
◎ Think of a way that could make that time around 10 days?
◎ Solution: Since the student already has valid credentials, every third attempt he could use his own credentials to avoid triggering the lockout mechanism, and then continue with the attack.
◎ Problem: Since the credentials of the student are present in the logs, each third time, the college will punish the student for his actions.
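The "Problem" bullet is the defender's side of this example: the student's own logins sit in the same log as the failed attempts. The code below is an added example, not part of the tutorial, and it assumes one plausible reading of the slide, namely that the college's lockout counter is kept per source and reset by any successful login, which is what lets a login on the student's own account reset it. It shows that weak counter beside a counter kept per target account, and a detection routine that flags a source whose failures on one account are interleaved with successes on another. The log lines and their `ts user=… result=… src=…` layout are constructed for the example.

```python
"""Lockout policy and detection logic for the slide's password-guessing scenario.

Added example, not part of the tutorial. The log lines and their layout are
constructed; the per-source counter is an assumed reading of the slide.
"""
from collections import defaultdict

# Constructed authentication log: one source fails twice against studentB,
# logs in as studentA, and repeats, so a per-source counter never reaches 3.
SAMPLE_LOG = """\
2024-03-01T10:00:01 user=studentB result=FAIL src=10.0.0.5
2024-03-01T10:00:02 user=studentB result=FAIL src=10.0.0.5
2024-03-01T10:00:03 user=studentA result=OK src=10.0.0.5
2024-03-01T10:00:04 user=studentB result=FAIL src=10.0.0.5
2024-03-01T10:00:05 user=studentB result=FAIL src=10.0.0.5
2024-03-01T10:00:06 user=studentA result=OK src=10.0.0.5
2024-03-01T10:00:07 user=studentB result=FAIL src=10.0.0.5
2024-03-01T10:00:08 user=studentB result=FAIL src=10.0.0.5
2024-03-01T10:00:09 user=studentA result=OK src=10.0.0.5
2024-03-01T10:05:00 user=studentC result=OK src=10.0.0.9
"""


def parse(log_text: str) -> list:
    """Turn the constructed log into dicts with ts, user, ok and src."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": ts, "user": kv["user"],
                       "ok": kv["result"] == "OK", "src": kv["src"]})
    return events


def weak_lockout(events: list, limit: int = 3) -> set:
    """Per-source counter that ANY successful login resets; never locks in the sample."""
    failures = defaultdict(int)
    locked = set()
    for e in events:
        if e["ok"]:
            failures[e["src"]] = 0
        else:
            failures[e["src"]] += 1
            if failures[e["src"]] >= limit:
                locked.add(e["user"])
    return locked


def account_lockout(events: list, limit: int = 3) -> set:
    """Counter kept per TARGET account: a success on some other account does not reset it."""
    failures = defaultdict(int)
    locked = set()
    for e in events:
        if e["ok"]:
            failures[e["user"]] = 0
        else:
            failures[e["user"]] += 1
            if failures[e["user"]] >= limit:
                locked.add(e["user"])
    return locked


def find_evasion(events: list, min_failures: int = 4) -> dict:
    """Flag sources whose failures on one account alternate with successes on another.

    Returns {src: {"target": guessed account, "cover": accounts whose successful
    login directly followed a failure on a different account, "failures": n}}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = defaultdict(int)
        cover = set()
        for i, e in enumerate(evs):
            if not e["ok"]:
                fails[e["user"]] += 1
            elif i > 0 and not evs[i - 1]["ok"] and evs[i - 1]["user"] != e["user"]:
                cover.add(e["user"])
        if fails and cover:
            target, n = max(fails.items(), key=lambda kv: kv[1])
            if n >= min_failures:
                findings[src] = {"target": target, "cover": sorted(cover), "failures": n}
    return findings


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("weak policy locks:", weak_lockout(ev))        # set()
    print("per-account locks:", account_lockout(ev))     # {'studentB'}
    print("evasion findings:", find_evasion(ev))
```

The per-account counter closes the gap the slide exploits, and `find_evasion` is the log review the "Problem" bullet alludes to: the cover account named in the finding is the one whose owner the college would question.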
Case Study

◎ The case study discusses an attack that happened on online banking services called “Emmental”.
◎ The attack is designed to bypass a certain two-factor authentication scheme used by banks by bypassing session tokens, which are frequently sent to users’ mobile devices via Short Message Service (SMS).

Case Study: Getting to the target Machine

1. The attack starts when users receive an email in their local language. Attackers usually pose as senders from a popular company. This mail contains a .rtf file.

Case Study: Getting to the target Machine

2. When opened, the attached .RTF file contains another file.

Case Study: Getting to the target Machine

3. They will see a warning that they are opening a .CPL file or a Control Panel item, which could be dangerous.
Case Study: Getting to the target Machine

Running the .CPL file downloads and executes another file called “netupdater.exe,” which is supposedly a Windows® update tool. In reality, however, installing the fake update tool results in malware infection.

Case Study: Malware Usage?

◎ Malware infection, meanwhile, has three system effects, namely:
1. The malware changes the system’s Domain Name System (DNS) server settings to point to one that is under the attackers’ control. From this point forward, the attackers gain control over how the infected system resolves Internet domains.
2. The malware installs a new root Secure Sockets Layer (SSL) certificate in the infected system. This allows the attackers to display content from secure phishing sites without triggering a warning from the browser.

Secure Sockets Layer (SSL) is a protocol that provides secure communication over the Internet. It uses both symmetric and asymmetric cryptography. The SSL protocol provides server authentication and client authentication.

Case Study: Malware Usage?

3. The malware deletes itself without leaving any trace, which makes it difficult for users to detect infection after installation. This means that if the infection attempt was not immediately detected, any anti-malware check that follows will not detect anything since the file will no longer be there.

Case Study: Starting the Attack

◎ Note that the communication occurs via secure HTTP but since the system has a fake certificate installed, the users do not see any browser warning.
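Each of the three system effects leaves something a defender can check for, even the self-deletion in effect 3. The code below is an added example, not part of the case study or any vendor tool: it compares a constructed host snapshot against a constructed fleet baseline. The snapshot layout, the TEST-NET resolver addresses, the certificate fingerprints (marked PLACEHOLDER) and the process-creation records are all assumptions made for the example; only the file name netupdater.exe comes from the slides.

```python
"""Host checks for the three malware effects listed on the slide.

Added example, not part of the tutorial. The snapshot layout, the baseline
values and the event records are constructed assumptions, not the output of
any real endpoint tool.
"""
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    dns_servers: list       # resolvers currently configured on the host
    root_certs: dict        # certificate fingerprint -> subject name
    exec_events: list       # process-creation records kept by the defender


# Constructed fleet baseline: approved resolvers (TEST-NET placeholder
# addresses) and the fingerprints of the roots the organisation trusts.
BASELINE = {
    "dns_servers": {"192.0.2.53", "192.0.2.54"},
    "root_certs": {"fp-corp-root-PLACEHOLDER": "Example Corporate Root CA"},
}

CLEAN = HostSnapshot(
    dns_servers=["192.0.2.53"],
    root_certs={"fp-corp-root-PLACEHOLDER": "Example Corporate Root CA"},
    exec_events=[{"path": r"C:\Windows\System32\notepad.exe", "present_on_disk": True}],
)

# Constructed picture of a host after the slide's three effects.
INFECTED = HostSnapshot(
    dns_servers=["198.51.100.7"],                       # resolver not on the approved list
    root_certs={
        "fp-corp-root-PLACEHOLDER": "Example Corporate Root CA",
        "fp-unknown-PLACEHOLDER": "Fake Bank Root CA",  # injected root
    },
    exec_events=[
        {"path": r"C:\Users\u\AppData\Local\Temp\netupdater.exe", "present_on_disk": False},
    ],
)


def audit(snapshot: HostSnapshot, baseline: dict = BASELINE) -> list:
    """Return (finding_kind, detail) pairs; an empty list means nothing unusual."""
    findings = []

    # Effect 1: DNS settings changed to a resolver the organisation did not approve.
    rogue_dns = [s for s in snapshot.dns_servers if s not in baseline["dns_servers"]]
    if rogue_dns:
        findings.append(("dns_changed", rogue_dns))

    # Effect 2: a root certificate that is not in the trusted baseline. With such a
    # root installed the browser shows no warning for the attackers' HTTPS site.
    unknown_roots = [subj for fp, subj in snapshot.root_certs.items()
                     if fp not in baseline["root_certs"]]
    if unknown_roots:
        findings.append(("unknown_root_ca", unknown_roots))

    # Effect 3: the malware deletes itself, so a later file scan finds nothing.
    # Process-creation records survive the deletion, so flag anything that ran
    # and is no longer on disk.
    vanished = [e["path"] for e in snapshot.exec_events if not e["present_on_disk"]]
    if vanished:
        findings.append(("vanished_binary", vanished))

    return findings


if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, audit(snap))
```

The third check is the one the slide's self-deletion argument is really about: a scan that looks only for the file on disk comes back clean, so the evidence has to be execution telemetry recorded at the time the file ran, not a later inspection of the file system.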
Case Study: Starting the Attack

1. First, the users land on a phishing page that asks them to log in, revealing their usernames, bank account numbers, and some other numbers that they supposedly received from their banks.

Note that the users are already giving away their first authentication factor to access their accounts at this point.

Case Study: Starting the Attack

2. The users are then asked to provide a one-time password generated by their bank’s mobile app. The regular procedure is to wait for an SMS from the bank but instead of that, the phishing page instructs the users to install a special mobile app in order to receive a number, presumably via SMS, that they should then type into a website form. The site looks secure but it is fake, so the mobile app provided is not trustworthy.

Case Study: Starting the Attack

3. The SMS that the bank should supposedly send never arrives. The users are forced to click the “I didn’t receive the SMS” link. When clicked, they get a prompt to install the mobile app. They are led to a shortened URL that leads to http://security-apps.biz/[bank name].apk—a page that hosts the rogue Android app.
Case Study: Starting the Attack

4. The app has a preset list of possible passwords and just randomly chooses one. The Web page, meanwhile, simply checks if one of those possible passwords was entered. If a correct number is entered though, the site claims that the new security feature has been successfully enabled.

Case Study: Starting the Attack

5. Installing the Android app allows the attackers to gain full control of users’ online banking sessions because, in reality, it intercepts session tokens sent via SMS to users’ phones, which are then forwarded to the cybercriminals.

Case Study: Starting the Attack

5. The spoofed website allows the attackers to obtain the users’ login credentials while the mobile app intercepts real session tokens sent by the banks.

Case Study: QA:

1. Confidentiality: How did attackers compromise confidentiality in Operation Emmental?

Solution:
Attackers compromised confidentiality in Operation Emmental by tricking online banking users into revealing sensitive data, such as usernames, bank account numbers, personal identification numbers (PINs), and session tokens, through phishing emails and rogue mobile apps.
Case Study: QA:

2. Integrity: How did the attack in Operation Emmental compromise data integrity?

Solution:
The attack in Operation Emmental compromised data integrity by manipulating session tokens and directing users to malicious servers. This allowed attackers to alter transaction details, potentially leading to financial losses and unauthorized access to accounts, compromising the integrity of the data.

Case Study: QA:

3. Availability: How did attackers target availability in Operation Emmental?

Solution:
Attackers targeted availability in Operation Emmental by manipulating DNS settings, redirecting users to phishing sites, and creating rogue mobile apps. These actions disrupted users’ access to legitimate banking services and redirected them to malicious servers, compromising the availability of online banking services.

Case Study: QA:

3. Network Components: Describe the various network components and communication channels exploited by the attackers in Operation Emmental to carry out their attacks.

Solution:
◎ The attackers in Operation Emmental exploited several network components and communication channels, including email systems, DNS servers, and mobile networks.
◎ They used phishing emails to initiate attacks, manipulated DNS settings to control how infected systems resolved Internet domains, and created rogue mobile apps to deceive users and intercept their session tokens and personal information.

Case Study: QA:

5. DNS Manipulation: Explain how attackers manipulated DNS settings in Operation Emmental. What role did DNS play in facilitating the attack?

Solution:
Attackers manipulated DNS settings in Operation Emmental by changing the system’s DNS server settings to point to one under their control. This allowed them to direct users to malicious servers when accessing specific banking sites. DNS played a crucial role in facilitating the attack by redirecting user traffic to phishing servers instead of legitimate banking servers, enabling the attackers to intercept sensitive information.
Case Study: QA:

6. Threat Identification: Identify the different types of threats that were part of Operation Emmental. How did these threats manifest during the attack?

Solution:
Operation Emmental involved various threats, including phishing, malware distribution, session token theft, DNS manipulation, and the use of rogue mobile apps. These threats manifested as deceptive emails, the distribution of malware through malicious attachments, the theft of session tokens, the manipulation of DNS settings, and the installation of rogue mobile apps on users’ devices, all aimed at compromising the security and confidentiality of online banking users.

Case Study: QA:

7. Exploiting Vulnerabilities: Discuss the vulnerabilities in the online banking system that the attackers exploited to carry out their attack. How could these vulnerabilities have been mitigated?

Solution:
Attackers in Operation Emmental exploited vulnerabilities in the online banking system, including user susceptibility to phishing emails, the reliance on SMS-based session tokens, and the absence of official Android apps from the targeted banks. These vulnerabilities could have been mitigated by enhancing user education and awareness, implementing more secure authentication methods, and developing official mobile apps with strong security measures.

Case Study: QA:

7. User Awareness: How could user awareness and education have played a role in preventing the attack in Operation Emmental? What could online banking customers have done differently to protect themselves?

Solution:
User awareness and education could have played a crucial role in preventing the attack in Operation Emmental. Online banking customers could have protected themselves by being more cautious when opening emails, verifying the authenticity of mobile apps before installation, and recognizing the risks associated with installing unofficial banking applications. Educating users about these risks and best practices enhances their security awareness.

Tutorial 2

By:
Mohamed Ayman
Threat Actors

◎ “Threat actor” refers to an individual or group that performs actions potentially harmful to an organization's or individual's digital systems, networks, or data.

Threat Actors: Cybercriminals

• These actors are motivated primarily by financial gain.
• They engage in activities such as deploying ransomware, stealing credit card information, executing financial fraud, and selling stolen data on the dark web.
• Cybercriminals often operate individually or as part of organized crime groups.

Threat Actors: Hacktivists

• Hacktivism is the act of hacking, or breaking into computers and networks, for politically or socially motivated purposes.
• Hacktivists aim to draw attention to their causes by defacing websites, leaking sensitive information, or disrupting services.
• Their goals are not financial but rather ideological.

Threat Actors: Nation State-Sponsored Actors

• These are individuals or groups that operate on behalf of, or in direct support of, a government's objectives.
• State-sponsored actors often engage in espionage, sabotage, or influence operations targeting foreign governments, critical infrastructure, and corporations to gain strategic, economic, or military advantage.

Threat Actors: Insiders

• Insider threats come from individuals within the organization, such as employees, contractors, or business partners, who have legitimate access to the organization's networks and systems.
• Insiders can intentionally or unintentionally compromise security through malicious actions, negligence, or by being exploited by external threat actors.

Threat Actors: Advanced Persistent Threats (APTs)

• APTs are groups with the capability and intent to launch sophisticated, long-term cyber espionage or cyber warfare campaigns against specific targets.
• APTs usually have significant resources, often state sponsored, and are known for their persistence, sophistication, and focus on stealth and evasion techniques.

Threat Actors: Terrorists

• Cyber terrorism involves the use of cyber attacks by terrorist groups to cause panic, fear, or physical harm.
• These attacks may target critical infrastructure, government systems, or the general public, aiming to disrupt services, cause economic damage, or incite fear to further their ideological, political, or social objectives.

Threat Actors: Script Kiddies

• This term refers to inexperienced individuals who use pre-written hacking tools and scripts to attack systems without fully understanding the underlying technology or the implications of their actions.
• While often less sophisticated, their activities can still cause significant disruption.

Threat Actors: Competitors

• In corporate espionage, competitors may engage in cyber attacks to steal sensitive business information, disrupt operations, or tarnish the reputation of their rivals. This is often done to gain a competitive edge in the market.
the market.

• This term refers to inexperienced individuals


who use pre-written hacking tools and • In corporate espionage, competitors may
• This term refers to inexperienced individuals who use pre-written
hacking tools and scripts to attack systems without fully
These are individuals or groups that operate on behalf of, or in These are individuals or groups that operate on behalf of, or in
scripts to attack systems without fully •
direct support of, a government's objectives.
engage in cyber attacks to steal sensitive •
direct support of, a government's objectives.
understanding the underlying technology or the implications of their
actions.
• State-sponsored actors often engage in espionage, sabotage, • State-sponsored actors often engage in espionage, sabotage, • While often less sophisticated, their activities can still cause
or influence operations targeting foreign governments, critical or influence operations targeting foreign governments, critical significant disruption.
infrastructure, and corporations to gain strategic, economic, or infrastructure, and corporations to gain strategic, economic, or
military advantage. business information, disrupt operations, or military advantage.
understanding the underlying technology or
the implications of their actions. tarnish the reputation of their rivals.
• While often less sophisticated, their activities • This is often done to gain a competitive
• Insider threats come from individuals within the organization, • Insider threats come from individuals within the organization,
such as • Cyber terrorism involves the use of cyber attacks by terrorist such as • Cyber terrorism involves the use of cyber attacks by terrorist
• employees, contractors, or business partners, who have groups to cause panic, fear, or physical harm. • employees, contractors, or business partners, who have groups to cause panic, fear, or physical harm.
legitimate access to the • These attacks may target critical infrastructure, government legitimate access to the • These attacks may target critical infrastructure, government
organization's networks and systems. Insiders can
can still cause significant disruption. •

intentionally or unintentionally
compromise security through malicious actions, negligence, or
systems, or the general public, aiming to disrupt services,
cause economic damage, or incite fear to further their
edge in the market. •

organization's networks and systems. Insiders can
intentionally or unintentionally
compromise security through malicious actions, negligence, or
systems, or the general public, aiming to disrupt services,
cause economic damage, or incite fear to further their
by being exploited by external threat actors. ideological, political, or social objectives. by being exploited by external threat actors. ideological, political, or social objectives.

• APTs are groups with the capability and intent to launch sophisticated, long-term cyber • APTs are groups with the capability and intent to launch sophisticated, long-term cyber
espionage or cyber warfare campaigns against specific targets. espionage or cyber warfare campaigns against specific targets.
• APTs usually have significant resources, often state sponsored, and are known for their • APTs usually have significant resources, often state sponsored, and are known for their
persistence, sophistication, and focus on stealth and evasion techniques. persistence, sophistication, and focus on stealth and evasion techniques.

11 12

Networking Recap

Some Networking Recap: TCP/IP
◎ The TCP/IP model is a framework for understanding network communication.
◎ It is more widely used in practice than the OSI model, especially in the context of the internet and modern networking technologies.
◎ TCP/IP only has 4 layers: Application, Transport, Internet, and Network Access (also called the Link layer).
Some Networking Recap: TCP Three-way Handshake
◎ The TCP three-way handshake (aka TCP 3-way handshake) is the process used to establish a connection between a client and a server.
◎ It is a three-step process that requires both the client and server to exchange synchronization and acknowledgment packets before the real data communication starts:
  1. Client → Server: SYN ("Hey, let's talk!")
  2. Server → Client: SYN-ACK ("Sure, I'm listening!")
  3. Client → Server: ACK ("Great, let's start talking!")
◎ Each SYN carries the sender's initial sequence number and each ACK acknowledges the other side's sequence number plus one; only after step 3 do both sides consider the connection established.
Some Networking Recap: TCP vs UDP
◎ (The side-by-side comparison on these slides was a figure. In short: TCP is connection-oriented, with the handshake above, sequencing and retransmission; UDP is connectionless, with no handshake at all, which is why the state of a UDP port is much harder for a scanner to determine.)

Stages Of Attack
Stages Of Attack
◎ There are 5 phases of penetration testing:
  1. Reconnaissance/Information Gathering
  2. Vulnerability Scanning
  3. Gaining Access (aka: Vulnerability Exploitation)
  4. Maintaining Access (aka: Post-Exploitation)
  5. Covering Tracks

Stages Of Attack: Info Gathering
◎ Reconnaissance is the phase in which the attacker tries to find out information about the vulnerable points of the target network.
◎ It has 2 types:
  1. Active information gathering:
    ◉ Interacting with the target directly to gather information about it.
    ◉ Whether we send packets to and enumerate the target website to gather info from it, or talk with an employee inside the organization and perform some social engineering to extract info about the target from them.
    ◉ Identifying active machines, finding open ports and access points, OS and services fingerprinting.
    ◉ Tools used: Nmap

Stages Of Attack: Info Gathering
  2. Passive information gathering:
    ◉ When we have some middle source between us and the target website; it could be anything: a search engine, a website, or even a person. What matters is that we are interacting with someone in the middle and not with the target website directly.
    ◉ Analyze these data to possibly find more data associated with it, for example host IPs or email addresses.
    ◉ Active information gathering gets us much more info than passive gathering because we are interacting directly with the target, but for the same reason it is the part the target can log and detect.
    ◉ Tools that can be used for passive info gathering are:
      ● theHarvester
      ● Sherlock
      ● Whois
      ● Whatweb
      ● Red-Hawk
    ◉ Note that Whatweb and Red-Hawk fetch pages from the target's web server, so they are "passive" only in the sense that they send ordinary HTTP requests; the target can still see them in its web logs.
Stages Of Attack: Info Gathering
◎ What kind of data are we looking for?
  ○ IP address, or addresses if the target has more than one
  ○ If we are talking about a company that has branches and employees:
    ◉ Their emails
    ◉ Phone numbers
    ◉ How many networks they have
    ◉ What operating systems they have
  ○ If it is a website:
    ◉ How it was built
    ◉ Which programming languages it uses
  ○ Technologies that the target has

Nmap
Nmap
◎ Much deeper information gathering, focused more on technology.
◎ When we scan, we don't look for physical ports or plug in a USB; we look for the virtual open ports that every machine has, which it uses to host its software and communicate with other machines over the internet.
◎ For example, since we are using the internet, we have port 80 open. Why? Because port 80 is used to host a web server. It is used for HTTP and is also known as the HTTP port. So every time you visit a website you are essentially making a connection to the machine hosting that website on port 80, or on port 443 since port 443 is used for HTTPS.
◎ Common ports:
  HTTP    80
  HTTPS   443
  FTP     21
  SSH     22
  Telnet  23
  SMTP    25
  DNS     53 (UDP and TCP)

Nmap: Scanned Ports
◎ A scanned port has 3 main types:
  1. Open port: an application on the target is actively accepting TCP connections or UDP datagrams on it. For TCP, a SYN probe gets a SYN-ACK back.
Nmap: Scanned Ports
  2. Closed port: the host is reachable and responds, but no application is listening on that port. For TCP, a SYN probe gets a RST back; for UDP, an ICMP port unreachable message comes back.
  3. Filtered port: Nmap cannot tell whether the port is open because a firewall, filter, or other network obstacle is dropping the probes (no reply at all) or answering with an ICMP error such as "administratively prohibited".

Nmap: Commands: Ping Scan
◎ nmap -sP <IP address>   (on current Nmap versions -sP is a deprecated alias of -sn)
  ○ This scan is used to find which hosts (aka IP addresses) are alive without getting into the open ports.
  ○ It sends an ICMP (Internet Control Message Protocol) echo request (aka "ping") to the target hosts and analyzes the responses.
  ○ When run as root, Nmap also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so hosts that drop ICMP echo can still be found; without root it falls back to TCP connect attempts on ports 80 and 443.

Nmap: Commands: TCP-SYN Scan
◎ nmap -sS <IP address>
  ○ Performs a TCP SYN scan; it is the most popular type of scan and the default when Nmap runs as root (it needs raw-socket privileges to craft the packets).
  ○ It can scan thousands of ports per second on a fast network that is not hampered by restrictive firewalls.
  ○ It is less likely to show up in application logs because the connection is never completed, but IDS/IPS and firewalls do detect half-open scans, so it should not be considered invisible.
  ○ The reason it is called a SYN scan (or half-open scan) is that it never opens a full TCP connection:
    ◉ It only performs the first step of the TCP handshake, which is sending a SYN.
    ◉ If the target sends a SYN-ACK back for a certain port, that port is listening (open). Nmap does not complete the handshake; instead it sends a RST (reset) packet to tear down the half-open connection.
    ◉ If the target sends a RST, the port is closed; if nothing comes back (or an ICMP unreachable error arrives), the port is reported as filtered.
Nmap: Commands: TCP Connect Scan
◎ nmap -sT <IP address>
  ○ Performs a TCP connect scan: Nmap asks the operating system to open a normal connection (a full three-way handshake) to each port, so it does not require sudo privileges.
  ○ But this scan leaves much more of a trace that you performed an Nmap scan on the target machine: every open port sees a completed connection, which the listening service itself can log.
  ○ That is why, once you can run Nmap as root, a SYN scan is usually the better option.

Nmap: Commands: UDP Scan
◎ nmap -sU <IP address>
  ○ Performs a UDP scan. It requires sudo privileges.
  ○ It is much slower than TCP scanning and harder to interpret: UDP has no handshake, so a port that does not answer is reported as open|filtered, and only an ICMP port unreachable reply proves that a port is closed. Many hosts rate-limit those ICMP errors, which is what makes the scan slow.
  ○ Some people, when they design their security controls, ignore the UDP ports. This leaves a lot of UDP services (DNS, SNMP, NTP, ...) exposed, and hence we should always do our UDP scan regardless of how much time it takes.
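The following is an added example, not code from the tutorial. It models the three-way handshake from the networking recap and the difference between the SYN scan and the connect scan above with a toy TCP endpoint: a SYN scan answers the SYN-ACK with RST, so the server never reaches ESTABLISHED and the application's connection log stays empty, while a connect scan completes the handshake and every open port records a connection. The ports, sequence numbers and the firewalled port are constructed; nothing is sent on the wire.

```python
"""Added example (not from the tutorial): a toy TCP endpoint showing why a SYN
scan (-sS) leaves no established connection for the application to log while a
connect scan (-sT) does. All ports and sequence numbers are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    """The TCP header fields the handshake actually depends on."""
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


@dataclass
class ToyServer:
    listening: set                                    # ports with a service bound
    isn: int = 2000                                   # server initial sequence number
    firewalled: set = field(default_factory=set)      # probes silently dropped
    half_open: dict = field(default_factory=dict)     # (sport, dport) -> server seq
    established: list = field(default_factory=list)   # what the application logs

    def handle(self, seg):
        key = (seg.sport, seg.dport)
        if seg.dport in self.firewalled:
            return None                               # dropped: no reply at all
        if seg.dport not in self.listening:
            # Closed port: the stack answers with RST/ACK acknowledging the SYN.
            return Segment(seg.dport, seg.sport, 0, seg.seq + 1,
                           frozenset({"RST", "ACK"}))
        if seg.flags == {"SYN"}:
            self.half_open[key] = self.isn            # SYN_RECEIVED
            return Segment(seg.dport, seg.sport, self.isn, seg.seq + 1,
                           frozenset({"SYN", "ACK"}))
        if "RST" in seg.flags:
            self.half_open.pop(key, None)             # torn down before completion
            return None
        if seg.flags == {"ACK"} and key in self.half_open \
                and seg.ack == self.half_open[key] + 1:
            del self.half_open[key]
            self.established.append(key)              # ESTABLISHED: visible to the app
        return None


def probe(server, port, complete, sport=40000, isn=1000):
    """One port probe. complete=True finishes the handshake (connect scan);
    complete=False resets it after the SYN-ACK (SYN scan).
    Returns Nmap's port-state label."""
    reply = server.handle(Segment(sport, port, isn, 0, frozenset({"SYN"})))
    if reply is None:
        return "filtered"        # nothing came back
    if "RST" in reply.flags:
        return "closed"          # RST: reachable host, no listener
    assert reply.flags == {"SYN", "ACK"} and reply.ack == isn + 1
    if complete:
        server.handle(Segment(sport, port, isn + 1, reply.seq + 1, frozenset({"ACK"})))
    else:
        server.handle(Segment(sport, port, isn + 1, 0, frozenset({"RST"})))
    return "open"


def syn_scan(server, ports):
    return {p: probe(server, p, complete=False) for p in ports}


def connect_scan(server, ports):
    return {p: probe(server, p, complete=True) for p in ports}


if __name__ == "__main__":
    srv = ToyServer(listening={22, 80}, firewalled={25})
    print("-sS:", syn_scan(srv, [22, 25, 80, 8080]), "app log:", srv.established)
    print("-sT:", connect_scan(srv, [22, 25, 80, 8080]), "app log:", srv.established)
```

Both scans classify the ports identically; the difference is only in `srv.established`, which is empty after the SYN scan and lists both open ports after the connect scan. That is the whole reason the tutorial prefers -sS once you have root: the half-open probe is still visible to a packet-level IDS, but not to the service's own logging.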

Nmap: Commands: Version Scan
◎ nmap -sV <IP address>
  ○ Performs version discovery (the version of the service behind each open port).
  ○ Nmap sends probes to the open ports, analyzes the responses received from the target and compares them against its database of service fingerprints.
  ○ We use the versions that we got to search for vulnerabilities that may exist in those versions.

Nmap: Commands: OS Scan
◎ nmap -O <IP address>
  ○ Scans our target machine to find out its operating system (requires root, since it sends crafted packets).
  ○ OS detection works best when the target has at least one open port and one closed port for Nmap to probe.
  ○ It tells us which version of the OS and also how many hops the target is away from us.
  ○ If our target is a VirtualBox VM on the local network, it will be detected as such from its MAC address, because VirtualBox assigns MACs whose first 3 octets (the vendor prefix) are 08:00:27.
Nmap: Commands: Script Scan
◎ nmap -sC -sV <IP address>
  ○ Also known as NSE (Nmap Scripting Engine) scanning: -sC runs the "default" category of scripts, and the engine lets you execute other scripts (--script <name>) to automate various tasks during a network scan.
  ○ NSE scripts can be used to perform tasks such as service version detection, vulnerability detection, and more.
  ○ Of course, there are a lot of other scripts that we can manually add to our scan to make it more comprehensive.

Nmap: Commands: Extras
◎ nmap -A <IP address>
  ○ Enables aggressive scanning, which performs multiple scans without specifying each one: OS detection, version detection, script scanning, and traceroute.
◎ nmap -sV --version-intensity 9 <IP address>
  ○ Here we specify the intensity of the version scanning.
  ○ It goes from 0 up to 9; the default level is 7.
◎ --version-light
  ○ Less intensive service probing (an alias for --version-intensity 2). It will try to identify the service using its best guesses, which is faster but less accurate.
◎ -v
  ○ Increases the verbosity of the scan (more progress information and details in the output).
◎ -p
  ○ Defines the set of ports that we want to scan (e.g. -p 22,80,443, or -p- for all 65535 ports).
◎ -g
  ○ Defines what source port you want Nmap to use (to try to evade IDS and firewall rules that trust traffic coming from ports such as 53 or 20).
◎ -oN / -oX / -oG / -oA
  ○ Save the Nmap output into a file: normal, XML, grepable, or all three formats at once (Nmap requires the format letter after -o).
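The following is an added example, not from the tutorial. It strings the options above into the workflow most testers actually use: a fast SYN scan of every TCP port saved in grepable format (-sS -p- -oG), followed by -sV -sC on only the ports the first stage found open. The .gnmap text is constructed and the host 10.0.0.5 is hypothetical, so the script runs without nmap installed; it prints the stage-2 command for review instead of executing it.

```shell
#!/bin/sh
# Added example (not from the tutorial): two-stage Nmap workflow.
# Stage 1 (fast, all ports):  sudo nmap -sS -p- -oG stage1.gnmap <host>
# Stage 2 (slow, deep):       -sV -sC on just the ports stage 1 reported open.
# SAMPLE_GNMAP is a constructed stage-1 result for the hypothetical host 10.0.0.5.

SAMPLE_GNMAP=$(printf 'Host: 10.0.0.5 ()\tStatus: Up\nHost: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65531)\n')

# Comma-separated list of the TCP ports reported "open" for one host in .gnmap text.
open_ports_from_gnmap() {   # $1 = gnmap text, $2 = host IP
  printf '%s\n' "$1" \
    | grep "^Host: $2 " \
    | grep 'Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { sub(/^ */, "", $1); print $1 }' \
    | paste -sd, -
}

# Build (do not run) the stage-2 command so it can be reviewed before launching it.
stage2_command() {   # $1 = gnmap text, $2 = host IP
  ports=$(open_ports_from_gnmap "$1" "$2")
  if [ -z "$ports" ]; then
    echo "no open TCP ports recorded for $2" >&2
    return 1
  fi
  printf 'sudo nmap -sV -sC -p %s -oA stage2_%s %s\n' "$ports" "$2" "$2"
}

stage2_command "$SAMPLE_GNMAP" 10.0.0.5
```

With a real stage-1 file you would call `stage2_command "$(cat stage1.gnmap)" <host>`; the -oA in the generated command writes normal, XML and grepable output so the version and script results can be re-parsed the same way.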

Practice MCQs
For each scenario, pick the CIA category and the threat actor:
  Category: a) Confidentiality  b) Integrity  c) Availability  d) Accountability
  Threat Actor: a) Cybercriminals  b) Hacktivists  c) APT  d) Nation-States  e) Script Kiddies  f) Insider

1) A group defaces a corporate website with politically motivated messages, protesting the company's environmental policies.
2) A sophisticated attack gains unauthorized access to a government defence contractor's network and exfiltrates highly classified military blueprints.
3) A sophisticated security breach lasting 8 months targets a research institution, aiming to steal advanced scientific research findings.
4) An unauthorized user gains access to an employee's email account, sending false emails under their name.
5) An attacker used pre-made tools to launch a series of DDoS attacks against several online gaming platforms for a few hours.
6) After a massive layoff, confidential information has been leaked to a rival company.
7) A ransomware attack encrypts a company's files, preventing access until a ransom is paid.
8) A massive Distributed Denial of Service (DDoS) attack floods a popular e-commerce website, rendering it inaccessible to users during a major holiday shopping season.
9) A security breach targets several financial institutions' databases in one country and changes account balances, causing customers to believe they have more money than they do.
10) A hacker injects malicious code into a website, causing visitors' browsers to redirect to a phishing page when the visitors leave the infected website.

Tutorial 3: Nmap UDP Scanning
By:
Mohamed Ayman

Nmap UDP Scanning
◎ The open port: Nmap sends a UDP probe (empty, or a protocol-specific payload for well-known ports such as 53 or 161). If the service answers with UDP data, the port is open. If nothing comes back, Nmap cannot distinguish an open service that ignored the probe from a dropped packet, so it reports open|filtered.
◎ The closed port: the target's IP stack answers with an ICMP port unreachable message (type 3, code 3). ICMP (Internet Control Message Protocol) is the same protocol used for ping messages.
◎ The filtered port: a different ICMP unreachable error comes back (type 3, codes 1, 2, 9, 10 or 13), typically from a firewall that refused the probe.
Practical Nmap Scan
◎ Use Nmap to scan common UDP ports such as DNS (53), DHCP (67 or 68), NTP (123) and SNMP (161) on a given IP address, for example your router IP or a public IP (e.g. 8.8.8.8). Run the scan and capture the scan traffic using Wireshark.
◎ Only scan hosts you own or are authorized to test; your own router is the safe choice for this exercise.
◎ TCP scan: (the slide showed the output of a TCP scan of the same host for comparison.)
◎ UDP scan: the command matching the exercise is sudo nmap -sU -p 53,67,68,123,161 <IP address>; expect it to take noticeably longer than the TCP scan because of ICMP rate limiting.

Practical Nmap Scan: Wireshark
◎ Wireshark is a tool used to capture the traffic (packets) that is being sent to and received from the machine.
◎ It is installed by default in our Kali Linux machines, so we can open it from the start menu in the task bar.
◎ Wireshark is used to capture unencrypted traffic in order to gather as much information as possible about the target.
◎ You can step through the captured packets of the scan using the arrow keys on the keyboard or the scroll wheel on the mouse.
◎ Wireshark for the Nmap UDP scan: (screenshot on the original slide; the display filter udp || icmp shows the probes together with the ICMP port unreachable replies that mark closed ports.)

Vulnerability Scanning

Stages Of Attack: Vulnerability Scanning
◎ There are 5 phases of penetration testing:
  1. Reconnaissance/Information Gathering
  2. Vulnerability Scanning
  3. Gaining Access (aka: Vulnerability Exploitation)
  4. Maintaining Access (aka: Post-Exploitation)
  5. Covering Tracks
◎ After finishing the first step of our penetration test, we have gathered all the information we could.
◎ Now we start to analyze this information to find the weak spots in our target machine.
◎ This can be done using several tools like OpenVAS or Nessus.

Stages Of Attack: Vulnerability Scanning
◎ What kind of vulnerabilities can we get from the scanning?
  1. Outdated software versions
    ○ Scanners detect outdated versions of software that may have known vulnerabilities. Ensuring that software is up to date is crucial for security.
  2. Configuration issues
    ○ Misconfigurations in operating systems, network devices, and applications can be identified. These issues may include default passwords, unnecessary services running, or insecure settings that could be exploited.
  3. Default credentials
    ○ Vulnerability scanners often check for the use of default or weak credentials. Systems or devices using default usernames and passwords are at a higher risk of unauthorized access.
  4. Open ports and services
    ○ Scanners identify open ports and services on networked devices. Understanding the services running on a system helps in assessing potential attack vectors.
  5. Web application vulnerabilities
    ○ Web application scanning tools identify vulnerabilities in web applications, such as SQL injection, security misconfigurations, and other issues that could lead to compromise.
  6. Denial-of-Service (DoS) vulnerabilities
    ○ Vulnerability scanners may identify vulnerabilities that could be exploited to launch Denial-of-Service attacks, impacting the availability of systems or services.
  7. Malware indicators
    ○ Some scanners look for signs of malware infections, unusual processes, or indicators of compromise on systems.

Nessus
◎ Nessus is a proprietary vulnerability scanner developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment (Nessus Essentials, limited to 16 IP addresses).
◎ Nessus is an active scanner: it sends probes to the targets (and, with credentials, logs in to them) rather than only watching traffic. Tenable's passive counterpart is a separate product, Nessus Network Monitor.
◎ Nessus scans for:
  1. Vulnerabilities that allow a remote attacker to control or access sensitive data on a system (e.g. weak and default passwords)
  2. Misconfigurations
  3. Denial-of-service weaknesses in the TCP/IP stack, found by sending malformed packets (these DoS plugins are disabled by the default "safe checks" setting because they can crash the target)
  4. Security compliance (e.g. PCI DSS = Payment Card Industry Data Security Standard)
◎ You can use the Nessus Attack Scripting Language (NASL) to write your own plugins (checks); Nessus's own vulnerability tests are written in it.
Nessus with Kali Linux
1. Visit the Nessus download page in Firefox on the Kali Linux machine. Here is the link: https://www.tenable.com/products/nessus/nessus-essentials
2. Register for Nessus Essentials with your email address.
3. Get your activation code (it is sent to the email you registered with).
4. Choose the first option, Tenable Nessus.
5. Choose the Debian 64-bit package, which is suitable for Kali Linux.
6. Save the .deb file to your disk.
7. Change the permissions on the .deb file.
8. Use the following command to install the .deb file (after opening a terminal inside the folder containing it):
   sudo dpkg -i Nessus-10.4.2-ubuntu1404_amd64.deb
9. Start the Nessus server:
   systemctl start nessusd.service
   Then open Firefox and go to the link printed on the screen at the end of the installation (the Nessus web interface).
10. Click Continue (without ticking the "register offline" box).
11. Choose to register for Nessus Essentials.
12. Provide the required information (if you already have the activation code, click Skip).
13. Enter the activation code that you received through the provided email.
14. Create an account, register, and activate.
15. Wait for the plugin download to finish (it will take some time).

Nessus: running a scan
◎ Nessus dashboard: after logging in you land on the dashboard.
◎ Create a scan: click "New Scan".
◎ Select the type of scan: choose "Basic Network Scan".
◎ Edit your scan info (name and target) and save it.
◎ Select and launch your scan.
◎ Wait until the scan completes.
◎ When Nessus completes the scan, you can view the scanning result or export it.
◎ Nessus reports each problem it found and suggests a solution.

Tutorial 4
By:
Mohamed Ayman

Threats Analysis
◎ "Threats" refers to any potential danger or circumstance that can exploit a vulnerability in an information system or organization.
◎ Threats are not inherently harmful; they represent the possibility of harm. They can be natural events, human actions, or technical vulnerabilities.

Threats Analysis: Types of Threats
◎ Malware: malicious software designed to harm, exploit, or compromise computer systems, networks, or devices without user consent.
  • Viruses
  • Worms
  • Trojans
  • Ransomware
  • Spyware
  • Adware
◎ Social engineering and phishing: deceptive and fraudulent attempts to trick individuals into revealing sensitive information, such as login credentials, credit card numbers, or personal data.
  • Pretexting
  • Baiting
  • Tailgating
  • Phishing
  • Spear phishing
  • Whaling
◎ Denial of Service: a type of cyberattack that aims to disrupt the normal functioning of a computer system, network, service, or website, making it temporarily or permanently unavailable to legitimate users.
  • DoS attacks
  • DDoS attacks
◎ Man-in-the-Middle attack (MitM): the attacker positions themselves between two parties who are communicating with each other, allowing the attacker to intercept and potentially manipulate the communication.
  • Wi-Fi eavesdropping
  • Email hijacking
  • IP spoofing
  • HTTPS spoofing
  • DNS spoofing
◎ Injection attacks: exploit a variety of vulnerabilities to directly insert malicious input into the code of a web application.
  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Command Injection
◎ Supply chain attack: a cyberattack that targets an organization or individual through vulnerabilities in their supply chain or third-party vendors. Instead of directly attacking the primary target, attackers exploit the trust relationship between the target and their suppliers or service providers to gain unauthorized access or compromise the target's systems or data.
Vulnerabilities
◎ "Vulnerabilities" are weaknesses or flaws in the design, implementation, or configuration of a system, application, or network that can be exploited by threats.
◎ They can be identified from lists and reports on common vulnerabilities (such as the CVE database) and by testing the system using vulnerability assessment tools.

Threats vs Vulnerabilities
◎ (The comparison on these slides was a figure. The distinction: a threat is the potential cause of harm, a vulnerability is the weakness the threat would exploit, and a risk exists only when both are present.)

ICMP and ARP Exploitation

ARP
◎ ARP (Address Resolution Protocol) is connectionless (it doesn't require steps before connecting).
◎ ARP is a stateless protocol (it doesn't save the state of the connection).
◎ It operates at the data link layer.
◎ It is used to respond to queries about the MAC address of a specific IP address: a host broadcasts "who has 192.168.1.1?" and the owner replies "192.168.1.1 is at <MAC>".

ARP: Request / ARP: Exploit
◎ Because ARP is stateless and unauthenticated, a host accepts an ARP reply even if it never sent a request, and it overwrites its cache with whatever the latest reply says.
◎ An attacker on the same segment can therefore send forged replies claiming that the gateway's IP address is at the attacker's MAC (and, towards the gateway, that the victim's IP is at the attacker's MAC).
◎ What type of attack do you think this enables? MITM: both directions of the victim's traffic now pass through the attacker, who can read or modify it before forwarding it.

ICMP
◎ ICMP (Internet Control Message Protocol) is connectionless (it doesn't require steps before connecting).
◎ ICMP is a stateless protocol (it doesn't save the state of the connection).
◎ It operates at the network layer.
◎ It is primarily used for sending error messages and control information related to IP packet processing (e.g. echo request/reply for ping, destination unreachable, time exceeded).

ICMP: Exploit
◎ The ICMP attack on these slides is a flood: overwhelming the target with many packets (echo requests) sent to the same host, exhausting its bandwidth or CPU (a DoS attack). Since ICMP is stateless, the target has no handshake it could use to reject the traffic before processing it.
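The following is an added example, not from the tutorial. It is the detection side of the ARP cache-poisoning attack described above: a small analyser run over a constructed list of ARP replies, the (sender IP, sender MAC) pairs a sniffer such as Wireshark or scapy would give you from op=2 "is-at" frames. Every IP and MAC is made up, and the optional trusted table stands in for the gateway MAC you would read from the router or from DHCP records.

```python
"""Added example (not from the tutorial): ARP cache-poisoning detection over a
constructed capture of ARP replies. All addresses below are made up."""
from collections import defaultdict

# Constructed capture: (sender IP, sender MAC) from ARP replies seen on the segment.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # the real gateway
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # a victim workstation
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # attacker claims the gateway IP ...
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # ... and the victim IP: traffic in both directions now goes via the attacker
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # poison is re-sent to keep the caches overwritten
]

# Optional known-good bindings (hypothetical): gateway MAC from the router label or DHCP records.
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert strings. Three signals, cheapest first:
    a reply contradicting a trusted binding, an IP whose MAC changes
    mid-capture, and one MAC claiming more than one IP."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = {}                      # last MAC seen for each IP
    mac_to_ips = defaultdict(set)       # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"trusted binding violated: {ip} is {trusted[ip]}, reply says {mac}")
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        ips = mac_to_ips[mac]
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:            # one NIC answering for several hosts
                alerts.append(f"{mac} now claims {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, TRUSTED):
        print("ALERT:", alert)
```

The MAC-change signal alone produces false positives on networks where DHCP reassigns addresses, so in practice the trusted table should cover the static infrastructure (gateway, servers) and the "one MAC, many IPs" signal is the one that most reliably marks a poisoning host; tools such as arpwatch apply the same logic continuously.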
Threat Modeling:
steps. Each step is documented as it is carried out. The resulting
◎ The threat modeling process can be decomposed into three high level

document is the threat model for the application.


1. Decompose the Application
◉ Creating use cases to understand how the application is used.
Threat Modeling ◉ Identifying entry points, assets and trust levels.
2. Determine and Rank Threats
3. Determine Countermeasures and Mitigation

30

Threat Modeling: Step One Threat Modeling: 1.a) Designing Threat Model
Information identifying the threat model typically includes the following:
understanding of the application and how it interacts with external 1) Application Name
◎ The goal of decomposing the application step is to gain an

entities.
2) Application Version
3) Description
clearly defined structure.
◎ That can be achieved by gathering information and documentation in a

4) Document Owner
1. Designing the Threat Model. 5) Participants
◎ Decomposing an application includes:

2. Determining the external dependencies. 6) Reviewer


3. Understanding the entry and exit points of the application.
4. Determining my assets.
5. Determining the trust levels.

31 32
Threat Modeling: 1.b) External Dependencies
◎ External dependencies are items external to the code of the application that may pose a threat to the application.
◎ These items are typically still within the control of the organization, but possibly not within the control of the development team.
◎ The first area to consider when investigating external dependencies is the production environment and its requirements.
◎ External dependencies should be documented as follows:
○ ID: A unique ID assigned to the external dependency.
○ Description: A textual description of the external dependency.

Threat Modeling: 1.c) Entry Points
◎ Entry points define the interfaces through which potential attackers can interact with the application or supply it with data.
◎ Entry points show where data enters the system (e.g. input fields, methods) and could be layered.
◎ Entry points should be documented as follows:
1. A unique ID assigned to the entry point. This will be used to cross-reference the entry point with any threats or vulnerabilities that are identified.
2. A descriptive name identifying the entry point and its purpose.
3. A textual description detailing the interaction or processing that occurs at the entry point.
4. Trust Levels, i.e. the level of access required at the entry point. These will be cross-referenced with the trust levels defined later in the document.

Threat Modeling: 1.d) Determining Assets
◎ Assets are essentially targets for attackers, i.e. they are the reason threats will exist. Assets can be both physical assets and abstract assets.
◎ Assets are documented in the threat model as follows:
○ A unique ID is assigned to identify each asset. This will be used to cross-reference the asset with any threats or vulnerabilities that are identified.
○ A descriptive name that clearly identifies the asset.
○ A textual description of what the asset is and why it needs to be protected.
○ Trust Levels, i.e. the level of access required to interact with the asset. These will be cross-referenced with the trust levels defined later in the document.

Threat Modeling: 1.e) Trust Levels
◎ Trust levels represent the access rights that the application will grant to external entities. The trust levels are cross-referenced with the entry points and assets.
◎ This allows us to define the access rights or privileges required at each entry point, and those required to interact with each asset.
◎ Trust levels are documented in the threat model as follows:
○ A unique ID is assigned to each trust level. This is used to cross-reference the trust level with the entry points and assets.
○ A descriptive name that allows you to identify the external entities that have been granted this trust level.
○ A textual description of the trust level detailing the external entity who has been granted the trust level.
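The cross-referencing the slides above describe (entry points and assets pointing at trust-level IDs) is easy to get wrong in a hand-maintained document. The following is an added example, not part of the tutorial, that models the three record types as Python dataclasses and validates the cross-references: every trust-level ID cited by an entry point or asset must exist, and every defined trust level must be used somewhere. All IDs, names and descriptions are constructed sample data for a small library website.

```python
"""Threat-model skeleton with cross-reference checks (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TrustLevel:
    id: str
    name: str          # the external entity granted this level
    description: str


@dataclass
class EntryPoint:
    id: str
    name: str
    description: str
    trust_levels: List[str] = field(default_factory=list)   # TrustLevel ids


@dataclass
class Asset:
    id: str
    name: str
    description: str   # what it is and why it needs protecting
    trust_levels: List[str] = field(default_factory=list)   # TrustLevel ids


@dataclass
class ThreatModel:
    application_name: str
    application_version: str
    document_owner: str
    trust_levels: Dict[str, TrustLevel] = field(default_factory=dict)
    entry_points: Dict[str, EntryPoint] = field(default_factory=dict)
    assets: Dict[str, Asset] = field(default_factory=dict)

    def validate(self) -> List[str]:
        """Return human-readable problems; an empty list means the model is consistent."""
        problems: List[str] = []
        used = set()
        for ep in self.entry_points.values():
            if not ep.trust_levels:
                problems.append(f"entry point {ep.id} has no trust level")
            for tl in ep.trust_levels:
                used.add(tl)
                if tl not in self.trust_levels:
                    problems.append(f"entry point {ep.id} references unknown trust level {tl}")
        for asset in self.assets.values():
            if not asset.trust_levels:
                problems.append(f"asset {asset.id} has no trust level")
            for tl in asset.trust_levels:
                used.add(tl)
                if tl not in self.trust_levels:
                    problems.append(f"asset {asset.id} references unknown trust level {tl}")
        for tl in self.trust_levels:
            if tl not in used:
                problems.append(f"trust level {tl} is defined but never referenced")
        return problems

    def who_can_reach(self, asset_id: str) -> List[str]:
        """Names of the trust levels allowed to interact with an asset (the asset/trust-level cross-reference)."""
        return sorted(self.trust_levels[tl].name for tl in self.assets[asset_id].trust_levels)


def build_sample_model() -> ThreatModel:
    """Constructed sample: a small library website with three kinds of external entity."""
    model = ThreatModel("Library Website (sample)", "1.0", "Sample owner")
    for tl in (
        TrustLevel("TL1", "Anonymous web user", "Anyone who can reach the site but has not logged in"),
        TrustLevel("TL2", "Student", "A user with valid student credentials"),
        TrustLevel("TL3", "Librarian", "A user with valid librarian credentials"),
    ):
        model.trust_levels[tl.id] = tl
    for ep in (
        EntryPoint("EP1", "Login page", "Accepts a username and password over HTTPS", ["TL1"]),
        EntryPoint("EP2", "Search page", "Accepts search terms and queries the catalogue", ["TL2", "TL3"]),
        EntryPoint("EP3", "Add user page", "Creates new user accounts", ["TL3"]),
    ):
        model.entry_points[ep.id] = ep
    for asset in (
        Asset("A1", "User credentials", "Usernames and password hashes; disclosure enables spoofing", ["TL3"]),
        Asset("A2", "Book catalogue", "Catalogue records; tampering corrupts what patrons see", ["TL2", "TL3"]),
    ):
        model.assets[asset.id] = asset
    return model


if __name__ == "__main__":
    m = build_sample_model()
    print("problems:", m.validate())
    print("A2 reachable by:", m.who_can_reach("A2"))
```

Running `validate()` on the sample returns an empty list; pointing an entry point at a trust level that was never defined produces a message naming both IDs, which is exactly the kind of inconsistency that later makes a threat list impossible to map back to access rights.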
Case Study

Case Study: 1.a) Threat Model Info
Threat Model Information
◎ Application Version: 1.0
◎ Description: The college library website is the first implementation of a website to provide librarians and library patrons (students and college staff) with online services. As this is the first implementation of the website, the functionality will be limited. There will be three users of the application: (1) Students (2) Staff (3) Librarians
◎ Staff and students will be able to log in and search for books, and staff members can request books. Librarians will be able to log in, add books, add users, and search for books.
◎ Document Owner: David Lowry
◎ Participants: David Rook
◎ Reviewer: Eoin Keary

Case Study: 1.b) External Dependencies

Case Study: 1.c) Entry Points

Case Study: 1.d) Assets

Case Study: 1.e) Trust Levels
Thank You

Tutorial 5
By:
Mohamed Ayman

Tutorial Content:

STRIDE
STRIDE
◎ STRIDE is a threat modeling framework used to identify and categorize potential threats to a system or application. It provides a structured approach for analyzing security vulnerabilities by categorizing threats into six main categories:
1. Spoofing: Involves an attacker masquerading as another user or system entity to gain unauthorized access or privileges.
2. Tampering: Involves unauthorized modification or alteration of data, configurations, or software components.
3. Repudiation: Relates to the inability to verify the identity of a user or system entity, leading to disputes over the authenticity of actions or transactions.
4. Information Disclosure: Involves unauthorized access to sensitive information, such as confidential data, intellectual property, or personally identifiable information (PII).
5. Denial of Service (DoS): Involves attacks aimed at disrupting or degrading the availability or performance of a system or service.
6. Elevation of Privilege: Involves unauthorized escalation of privileges or access rights, allowing an attacker to perform actions or access resources beyond their intended level of authorization.

ARP Exploitation

ARP Model
ARP Exploiting Using STRIDE Model:
1. Spoofing:
○ Threat: ARP Spoofing Attack
○ Description: An attacker sends falsified ARP messages to impersonate another device on the network, redirecting traffic intended for the impersonated device to the attacker's machine.
○ Mitigation: Implement ARP spoofing detection mechanisms, such as ARP inspection or dynamic ARP inspection, to detect and block unauthorized ARP messages.
2. Tampering:
○ Threat: ARP Cache Poisoning
○ Description: An attacker sends malicious ARP replies containing incorrect MAC-to-IP mappings, leading to incorrect entries in the ARP cache of other devices on the network.
○ Mitigation: Use techniques such as ARP cache timeouts or static ARP entries to mitigate the impact of ARP cache poisoning attacks. Additionally, deploy network-based intrusion detection systems (IDS) to detect and alert on suspicious ARP activity.
3. Repudiation:
○ Threat: ARP Message Replay Attack
○ Description: An attacker captures legitimate ARP messages and replays them on the network, causing devices to update their ARP caches with outdated information.
○ Mitigation: Implement sequence numbers or timestamps in ARP messages to prevent replay attacks. Additionally, deploy network monitoring tools to detect and identify anomalous ARP message patterns.
4. Information Disclosure:
○ Threat: ARP Cache Snooping
○ Description: An attacker monitors ARP traffic to gather information about the devices on the network, such as their IP and MAC addresses.
○ Mitigation: Encrypt ARP traffic using protocols such as IPsec to prevent eavesdropping. Additionally, deploy network segmentation techniques to limit the scope of ARP traffic visibility to authorized devices.
5. Denial of Service (DoS):
○ Threat: ARP Flood Attack
○ Description: An attacker floods the network with a large number of ARP requests or replies, causing congestion and potentially disrupting network communication.
○ Mitigation: Implement rate limiting for ARP messages to prevent excessive ARP traffic from overwhelming network devices. Additionally, deploy intrusion prevention systems (IPS) to detect and block ARP flood attacks.
6. Elevation of Privilege:
○ Threat: ARP Spoofing for Man-in-the-Middle (MitM) Attacks
○ Description: An attacker performs ARP spoofing to intercept and manipulate network traffic between two legitimate devices, allowing them to eavesdrop on or modify communication.
○ Mitigation: Implement secure communication protocols, such as HTTPS or SSH, to protect sensitive data from interception. Additionally, deploy network segmentation and access control mechanisms to limit the impact of compromised devices.
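Several of the mitigations above (ARP inspection, static entries, rate limiting, an IDS alerting on suspicious ARP activity) come down to the same two checks over observed ARP replies. The following is an added example, not part of the tutorial, of a small host-side monitor that learns IP-to-MAC bindings from ARP replies, alerts when a known IP suddenly answers from a different MAC (the Spoofing and Tampering rows), refuses to overwrite bindings the operator has pinned (the static-entry mitigation), and alerts when one MAC emits too many replies within a single second (the DoS row). The reply records, addresses and thresholds are constructed sample data.

```python
"""ARP anomaly monitor over observed ARP replies (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time in seconds
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # MAC the sender says that IP belongs to


class ArpMonitor:
    def __init__(self, trusted: Optional[Dict[str, str]] = None, max_replies_per_second: int = 20):
        self.trusted: Dict[str, str] = dict(trusted or {})     # pinned ip -> mac (static entries)
        self.bindings: Dict[str, str] = dict(self.trusted)     # learned ip -> mac
        self.max_rate = max_replies_per_second
        self.alerts: List[str] = []
        self._per_second: Dict[Tuple[str, int], int] = defaultdict(int)

    def observe(self, r: ArpReply) -> None:
        # Check 1: binding consistency. A known IP must keep answering from the same MAC.
        known = self.bindings.get(r.sender_ip)
        if known is None:
            self.bindings[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            if r.sender_ip in self.trusted:
                # Pinned address (gateway, DNS, ...): never overwrite, treat as high severity.
                self.alerts.append(
                    f"[HIGH] {r.sender_ip} is pinned to {known} but {r.sender_mac} claims it at t={r.ts:.1f}")
            else:
                # Could be a legitimate DHCP change, so accept it but leave an audit trail.
                self.alerts.append(
                    f"[MEDIUM] {r.sender_ip} moved from {known} to {r.sender_mac} at t={r.ts:.1f}")
                self.bindings[r.sender_ip] = r.sender_mac
        # Check 2: replies per sender MAC per wall-clock second (flood detection).
        key = (r.sender_mac, int(r.ts))
        self._per_second[key] += 1
        if self._per_second[key] == self.max_rate + 1:        # alert once per (mac, second)
            self.alerts.append(
                f"[HIGH] {r.sender_mac} sent more than {self.max_rate} ARP replies in second {int(r.ts)}")


def run_monitor(replies: List[ArpReply], trusted: Optional[Dict[str, str]] = None,
                max_rate: int = 20) -> List[str]:
    """Feed a capture through the monitor and return the alerts it raised, in order."""
    mon = ArpMonitor(trusted, max_rate)
    for r in replies:
        mon.observe(r)
    return mon.alerts


# Constructed sample: the gateway is pinned; a second MAC later claims it, then floods replies.
TRUSTED = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def sample_replies() -> List[ArpReply]:
    replies = [
        ArpReply(0.0, "192.168.1.10", "bb:bb:bb:bb:bb:10"),   # ordinary host answers
        ArpReply(1.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # the real gateway answers
        ArpReply(2.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),    # a different MAC claims the gateway IP
    ]
    # 25 replies from the same MAC for another IP, all within second 5
    replies += [ArpReply(5.0 + i / 100, "192.168.1.50", "cc:cc:cc:cc:cc:99") for i in range(25)]
    return replies


if __name__ == "__main__":
    for alert in run_monitor(sample_replies(), TRUSTED):
        print(alert)
```

On the sample capture the monitor raises exactly two alerts: one for the pinned gateway address being claimed by a foreign MAC, and one when the same MAC exceeds 20 replies in one second. Without the pinned entry the gateway change is still reported, but at medium severity and the new binding is accepted, which is the trade-off between static entries and plain cache timeouts described in the Tampering row.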

Practical ARP Exploit

STEP-01: Probing the Network
◎ What did the attacker learn so far?
1. There are only 4 live hosts on the network (the attacker machine is one of them).
2. The attacker knows the IP addresses of the other hosts and the MAC address associated with each IP address.
STEP-02: ARP Spoofing
1. The attacker decided to attack the Windows machine.
2. Since there are only 2 hosts in the network in addition to the attacker, the attacker will use ARP spoofing to trick the Windows machine into believing that the attacker machine is the network router.
3. The attacker will link his IP to the MAC address of the network router. Only the victim machine will see this link.
4. The attacker will send an ARP message (announcement) only to the victim machine that links the attacker MAC address to the router IP address.

STEP-02: ARP Spoofing
◎ The attacker will enable IP Forwarding on his machine.
◎ IP forwarding, also known as Internet routing, is the process used to determine which path a packet or datagram can be sent along.
◎ The attacker will use the following command to enable his machine to forward IP packets.

STEP-02: ARP Spoofing
◎ After enabling IP Forwarding, the attacker will use a malicious tool to send crafted malicious ARP messages to the target claiming that the attacker MAC address is the MAC address of the network router.
◎ The attacker uses the ARPSPOOF tool (available on Kali Linux).
◎ The tool will continue sending the crafted ARP reply over and over.

STEP-03: Man-in-the-Middle
◎ Now all the network traffic sent from the victim to the internet goes to the attacker machine.
◎ The attacker could use a network sniffer to capture and record all the network traffic.
◎ The victim machine could still access the internet.
◎ Nothing changes from the victim's point of view.
STEP-03: Denial of Service
◎ What will happen if the attacker disables IP forwarding on his machine and continues sending the malicious ARP messages?

Case Study for Threat Modeling

Ranking of Threats
◎ Subjective Model: DREAD
○ Damage: How big would the damage be if the attack succeeded?
○ Reproducibility: How easy is it to reproduce an attack?
○ Exploitability: How much time, effort, and expertise is needed to exploit the threat?
○ Affected Users: If a threat were exploited, what percentage of users would be affected?
○ Discoverability: How easy is it for an attacker to discover this threat?

Ranking of Threats
◎ Subjective Model: DREAD
◎ Example:
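The five DREAD questions only become a ranking once each answer is turned into a number and the numbers are combined. The following is an added example, not from the tutorial: each threat is rated 1 to 10 on the five questions, the risk score is the mean of the five ratings, and scores are placed into High/Medium/Low bands. The slides give no formula, so the mean and the band thresholds (7 and 4) are conventions assumed here, and the ratings for the ARP threats from the STRIDE slides are constructed and illustrative only.

```python
"""DREAD scoring and ranking (added example; mean-of-five and band thresholds are assumed conventions)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Dread:
    damage: int            # how big the damage would be if the attack succeeded
    reproducibility: int   # how easy it is to reproduce the attack
    exploitability: int    # how little time/effort/expertise is needed (10 = trivial)
    affected_users: int    # what share of users would be affected
    discoverability: int   # how easy it is for an attacker to discover the threat

    def __post_init__(self) -> None:
        # Ratings outside 1..10 are almost always a data-entry error, so refuse them early.
        for name, value in vars(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be between 1 and 10, got {value}")

    def score(self) -> float:
        """Mean of the five ratings, rounded to one decimal (assumed convention)."""
        total = (self.damage + self.reproducibility + self.exploitability
                 + self.affected_users + self.discoverability)
        return round(total / 5, 1)


def band(score: float) -> str:
    """Assumed bands: 7 and above is High, 4 up to 7 is Medium, otherwise Low."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank(threats: Dict[str, Dread]) -> List[Tuple[str, float, str]]:
    """Sort threats by score, highest first; ties broken by name so reports are stable."""
    rows = [(name, d.score(), band(d.score())) for name, d in threats.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def sample_threats() -> Dict[str, Dread]:
    # Constructed ratings for the ARP threats discussed earlier on this page.
    return {
        "ARP spoofing for MitM": Dread(8, 9, 7, 6, 8),
        "ARP flood (DoS)": Dread(5, 9, 8, 8, 7),
        "ARP cache snooping": Dread(3, 9, 9, 4, 6),
        "ARP message replay": Dread(4, 6, 5, 3, 4),
    }


if __name__ == "__main__":
    for name, score, level in rank(sample_threats()):
        print(f"{score:4.1f}  {level:6}  {name}")
```

Because every rating is a judgement call, the useful output is the relative order rather than the absolute numbers; when two reviewers disagree, comparing their per-question ratings for the same threat is what surfaces the disagreement.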
CSEN1001 Tutorial #1: Network Scanners

1. Introduction
The purpose of this tutorial is to introduce the use of network scanning tools in
achieving two main types of activities:

1. Automated network information gathering


2. Network vulnerability identification

While a significant amount of information can be gathered manually or in a semi-automated way using, for instance, search engines, network probing tools represent an important asset in mapping a network by identifying open/filtered ports, running services/protocols, host IP addresses, network topology, etc. In this lab we will introduce Nmap as an example of a network probing tool.

After gathering basic information about the target, an attacker still needs to identify
areas of vulnerability to be able to launch a successful attack. Vulnerability identification
can be carried out manually using, for instance, vulnerability databases. The manual
process can also be complemented by using vulnerability scanners, which match
running services and applications with known vulnerabilities (from vulnerabilities
databases) in an automated way. A popular example of vulnerability scanner that will be
introduced in this lab is Nessus.

3. Network Probing using Nmap


Nmap is a simple and popular scanner that implements many probing techniques. Using a handful of probing techniques, Nmap can accurately identify several hundred different types and patch levels of operating systems. Nmap runs on all the major platforms including Windows, various Unix-like operating systems, Linux, and Mac OS X. Nmap is constantly being enhanced; it is open source and freely distributed. Nmap can be downloaded at www.nmap.org. A target machine has been set up by the Nmap team for training purposes; you are allowed to scan this machine with Nmap or other port scanners. The hostname of the machine is scanme.nmap.org.
Practice #1: Identify Target IP Address
While some scanners allow you to specify the hostname of the target, this may not always be the case. Hence, it is sometimes convenient to identify the IP address of the target prior to starting the scan.

Knowing the target hostname, you can identify the corresponding IP address using the
ping command.

1. Open a command window


a. Go under Start and type cmd in the box

b. A Command prompt window will be displayed

2. Type the ping command with the target hostname: ping targethostname
a. For instance, in the following example the target hostname is the Google
website www.google.com
b. Details about the server will be displayed
The ping results indicate that the server is alive and that its IP address is 74.125.129.99.

3. Start Kali, and use the Ping tool to identify the IP address for the host
scanme.nmap.org

Practice #2: Using Nmap


The Nmap scanner is available in Kali; you can start it from the zenmap tool which is a
graphical user interface for Nmap; note that by default Nmap is a command line-based
tool.
Step 1: Start the Nmap scanner

a. Click on the Zen-Nmap GUI link


b. The Nmap GUI will be displayed as shown below.
Step 2: Enter the target IP address or hostname

In this example, you can use scanme.nmap.org as the target host

a. Enter the target hostname, e.g., scanme.nmap.org


b. Select under Profile the type of scan, e.g., Intense scan
c. Click the Scan button
d. The scanning process will be launched as shown below.
By browsing through the NMAP Output tab, you can notice that during the scanning
process, the scanner tries various probing techniques, e.g., parallel DNS resolutions,
SYN stealth scan etc. Each technique will allow the scanner to gather specific types of
information.
Step 3: Analyze scan output

At the end of the scan, the scanner will provide at the bottom of the window a summary of the scan activity. The following message indicates the end of the scan:

    Nmap done: 1 IP address (1 host up) scanned in 21.88 seconds
    Raw packets sent: 1085 (49.432KB) | Rcvd: 1049 (43.520KB)

The remaining tabs display the scan results from different perspectives. By clicking on the Ports/Hosts tab, you can view the list of hosts scanned in a given network, and the status of the ports on these hosts: open and filtered.

Open ports are ports running specific services; for instance, port 22 is open and running an SSH service. Filtered ports are ports that are protected by a firewall; for instance, port 445 is filtered. All other remaining ports are closed ports (i.e. no service is running on them).
You can notice that for some of the services, the scanner provides the version as well, which can be very useful in identifying relevant exploits (and, from the defender's side, which services are due for patching). For instance, the SSH application running on port 22 is OpenSSH 5.3.
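The same open/filtered/closed states and version strings that Zenmap shows in the Ports/Hosts tab also appear in Nmap's plain text ("normal") output, which is what you would keep for an audit trail. The following is an added example, not part of the tutorial: a small parser for the port table and the closing "Nmap done" line, used from the defender's side to produce an inventory of exposed services and the versions reported for them. The scan text is constructed sample output in Nmap's normal-output layout; the IP address is a documentation address (not the real address of scanme.nmap.org) and the Apache version is invented.

```python
"""Parse Nmap normal output into a service inventory (added example, constructed sample output)."""
import re
from typing import Dict, List, Optional, Tuple

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
DONE_LINE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\) scanned in ([\d.]+) seconds")

# Constructed sample in Nmap's normal-output layout (192.0.2.10 is a documentation address).
SAMPLE_OUTPUT = """\
Nmap scan report for scanme.nmap.org (192.0.2.10)
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
80/tcp   open     http         Apache httpd 2.4.7
445/tcp  filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 21.88 seconds
"""


def parse_nmap(text: str) -> Dict:
    """Extract target, per-port records and the closing summary from normal output."""
    result: Dict = {"host": None, "ip": None, "ports": [], "summary": None}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            result["host"], result["ip"] = m.group(1), m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m:
            version: Optional[str] = m.group(5).strip() if m.group(5) else None
            result["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": version,
            })
            continue
        m = DONE_LINE.match(line)
        if m:
            result["summary"] = {"addresses": int(m.group(1)),
                                 "hosts_up": int(m.group(2)),
                                 "seconds": float(m.group(3))}
    return result


def count_states(parsed: Dict) -> Dict[str, int]:
    """How many ports were reported in each state (closed ports are not listed individually)."""
    counts: Dict[str, int] = {}
    for p in parsed["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


def versioned_services(parsed: Dict) -> List[Tuple[int, str, str]]:
    """Open ports for which Nmap reported a version string: the list to hand to patch management."""
    return [(p["port"], p["service"], p["version"])
            for p in parsed["ports"] if p["state"] == "open" and p["version"]]


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_OUTPUT)
    print(scan["host"], scan["ip"], count_states(scan))
    for port, service, version in versioned_services(scan):
        print(f"{port:>5}  {service:<12}  {version}")
```

Only ports Nmap lists individually are counted, so the closed ports summarised by the "Not shown" line never appear in `count_states`; if you need them, read that line separately rather than inferring them from the port table.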

By clicking on the Topology tab, you can view a graphical depiction of the route traced
by the scanner from the source host (running the scanner) to the target host, with
details related to intermediary hops.

This can also be very useful in allowing the attacker to devise a strategy to attack the
target anonymously, for instance, by using some of the intermediary hosts as stepping
stones.

By clicking on the Host Details tab, more information can be obtained about the target
host as shown below:
While in the above example, a specific host is targeted in the scan, it is important to
keep in mind that the scanner can also be used to target a subnet or an entire network
by specifying a range of IP address in the target area, e.g., a.b.c.d - x.y.z.u. Similarly, a
list of IP addresses can be specified as the target of the scan.
In this case, the scanning will take longer, and the Ports/Hosts tab will display the active
hosts found in the range with their details.

Zenmap on the Offensive release of Kali


Zenmap provides a GUI for the nmap command line. While nmap is still available in
Kali, zenmap has ceased to be shipped by default on Kali since version 2019.4. So
you’d have to install it; this is worth it as zenmap provides some nice features beyond
the command line, e.g. visualizing the network topology, etc.

Below are the steps to install zenmap on Kali.

First, download zenmap -> "Optional Zenmap GUI (all platforms): zenmap-7.80-
1.noarch.rpm" from https://nmap.org/download.html

Save the file into your downloads folder:


Go to the Downloads folder, list the downloaded file (zenmap….) and run apt-get update
as follows:

Next, install Alien and necessary packages using the following command:
Next, convert the downloaded zenmap package from RPM to debian format and then
install the package using the following commands:

Finally, run zenmap and display the GUI by typing zenmap:


Summary
This tutorial introduced Nmap as a tool to gather critical network information and identify possible vulnerabilities. The collected knowledge will serve as a basis to attempt to gain access to the system by exploiting specific vulnerabilities.
