Module 2 Network Threats

Who is Attacking Our Network?


2.1.1 Threat, Vulnerability, and Risk

We are under attack and attackers want access to our assets. Assets are anything of value to an
organization, such as data and other intellectual property, servers, computers, smart phones, tablets,
and more.

To better understand any discussion of network security, it is important to know the following terms:

Threat - A potential danger to an asset such as data or the network itself.

Vulnerability - A weakness in a system or its design that could be exploited by a threat.

Attack surface - An attack surface is the total sum of the vulnerabilities in a given system that are
accessible to an attacker. The attack surface describes the different points where an attacker could
get into a system, and where they could get data out of the system. For example, your operating
system and web browser could both need security patches. They are each vulnerable to attacks and
are exposed on the network or the internet. Together, they create an attack surface that the threat
actor can exploit.

Exploit - The mechanism that is used to leverage a vulnerability to compromise an asset. Exploits may
be remote or local. A remote exploit is one that works over the network without any prior access to
the target system. The attacker does not need an account on the end system to exploit the
vulnerability. In a local exploit, the threat actor has some type of user or administrative access to
the end system. A local exploit does not necessarily mean that the attacker has physical access to
the end system.

Risk - The likelihood that a particular threat will exploit a particular vulnerability of an asset and
result in an undesirable consequence.

Risk management is the process that balances the operational costs of providing protective measures
with the gains achieved by protecting the asset. There are four common ways to manage risk, as
shown in the table:

Risk acceptance - This is when the cost of risk management options outweighs the cost of the risk
itself. The risk is accepted, and no action is taken.

Risk avoidance - This means avoiding any exposure to the risk by eliminating the activity or device
that presents the risk. By eliminating an activity to avoid risk, any benefits that are possible from
the activity are also lost.

Risk reduction - This reduces exposure to risk or reduces the impact of risk by taking action to
decrease the risk. It is the most commonly used risk mitigation strategy. This strategy requires
careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the
operation or activity that is at risk.

Risk transfer - Some or all of the risk is transferred to a willing third party such as an insurance
company.

Other commonly used network security terms include:

 Countermeasure - The actions that are taken to protect assets by mitigating a threat or
reducing risk.

 Impact - The potential damage to the organization that is caused by the threat.

Note: A local exploit requires inside network access such as a user with an account on the network. A
remote exploit does not require an account on the network to exploit that network’s vulnerability.

2.1.2 Hacker vs. Threat Actor

As we know, “hacker” is a common term used to describe a threat actor. However, the term “hacker”
has a variety of meanings, as follows:

 A clever programmer capable of developing new programs and coding changes to existing
programs to make them more efficient.

 A network professional that uses sophisticated programming skills to ensure that networks
are not vulnerable to attack.
 A person who tries to gain unauthorized access to devices on the internet.

 An individual who runs programs to prevent or slow network access to a large number of
users, or to corrupt or wipe out data on servers.

The figure shows three types of hacker: a white hat hacker labeled 1, a grey hat hacker labeled 2,
and a black hat hacker labeled 3.

As shown in the figure, the terms white hat hacker, black hat hacker, and grey hat hacker are often
used to describe hackers.

1. White hat hackers are ethical hackers who use their programming skills for good, ethical, and
legal purposes. They may perform network penetration tests in an attempt to compromise
networks and systems by using their knowledge of computer security systems to discover
network vulnerabilities. Security vulnerabilities are reported to developers and security
personnel who attempt to fix the vulnerability before it can be exploited. Some organizations
award prizes or bounties to white hat hackers when they provide information that helps to
identify vulnerabilities.

2. Grey hat hackers are individuals who commit crimes and do arguably unethical things, but
not for personal gain or to cause damage. An example would be someone who compromises
a network without permission and then discloses the vulnerability publicly. Grey hat hackers
may disclose a vulnerability to the affected organization after having compromised their
network. This allows the organization to fix the problem.

3. Black hat hackers are unethical criminals who violate computer and network security for
personal gain, or for malicious reasons, such as attacking networks. Black hat hackers exploit
vulnerabilities to compromise computer and network systems.

Good or bad, hacking is an important aspect of network security. In this course, the term threat actor
is used when referring to those individuals or groups that could be classified as grey or black hat
hackers.

2.1.3 Evolution of Threat Actors

Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio
frequencies to manipulate phone systems. At that time, telephone switches used various tones, or
tone dialing, to indicate different functions. Early threat actors realized that by mimicking a tone
using a whistle, they could exploit the phone switches to make free long-distance calls.

In the mid-1980s, computer dial-up modems were used to connect computers to networks. Threat
actors wrote “war dialing” programs which dialed each telephone number in a given area in search
of computers, bulletin board systems, and fax machines. When a phone number was found,
password-cracking programs were used to gain access. Since then, general threat actor profiles and
motives have changed quite a bit.

There are many different types of threat actors.

Script kiddies - Script kiddies emerged in the 1990s and refers to teenagers or inexperienced threat
actors running existing scripts, tools, and exploits to cause harm, but typically not for profit.

Vulnerability brokers - Vulnerability brokers typically refers to grey hat hackers who attempt to
discover exploits and report them to vendors, sometimes for prizes or rewards.

Hacktivists - Hacktivists is a term that refers to grey hat hackers who rally and protest against
different political and social ideas. Hacktivists publicly protest against organizations or
governments by posting articles, videos, leaking sensitive information, and performing distributed
denial of service (DDoS) attacks.

Cybercriminals - Cybercriminal is a term for black hat hackers who are either self-employed or working
for large cybercrime organizations. Each year, cybercriminals are responsible for stealing billions of
dollars from consumers and businesses.

State-sponsored - State-sponsored hackers are threat actors who steal government secrets, gather
intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations. Most
countries in the world participate to some degree in state-sponsored hacking. Depending on a
person’s perspective, these are either white hat or black hat hackers.

2.1.4 Cybercriminals

Cybercriminals are threat actors who are motivated to make money using any means necessary.
While sometimes cybercriminals work independently, they are more often financed and sponsored
by criminal organizations. It is estimated that globally, cybercriminals steal billions of dollars from
consumers and businesses every year.

Cybercriminals operate in an underground economy where they buy, sell, and trade exploits and
tools. They also buy and sell the personal information and intellectual property that they steal from
victims. Cybercriminals target small businesses and consumers, as well as large enterprises and
industries.

2.1.5 Cybersecurity Tasks

Threat actors do not discriminate. They target the vulnerable end devices of home users and small-
to-medium sized businesses, as well as large public and private organizations.

To make the internet and networks safer and more secure, we must all develop good cybersecurity
awareness. Cybersecurity is a shared responsibility which all users must practice. For example, we
must report cybercrime to the appropriate authorities, be aware of potential threats in email and the
web, and guard important information from theft.

Organizations must take action and protect their assets, users, and customers. They must develop
and practice cybersecurity tasks such as those listed in the figure.

The figure shows a cybersecurity checklist consisting of: trustworthy IT vendor (checked), security
software up to date, regular penetration tests, backup to cloud and hard disk, periodically change
Wi-Fi password, security policy up to date, enforce use of strong passwords, and two-factor
authentication.

2.1.6 Cyber Threat Indicators

Many network attacks can be prevented by sharing information about indicators of compromise (IOC).
Each attack has unique identifiable attributes. Indicators of compromise are the evidence that an
attack has occurred. IOCs can be features that identify malware files, IP addresses of servers that are
used in attacks, filenames, and characteristic changes made to end system software, among others.
IOCs help cybersecurity personnel identify what has happened in an attack and develop defenses
against the attack. A summary of the IOC for a piece of malware is shown in the figure.

For instance, a user receives an email claiming they have won a big prize. Clicking on the link in the
email results in an attack. The IOC could include the fact the user did not enter that contest, the IP
address of the sender, the email subject line, the URL to click, or an attachment to download, among
others.

Indicators of attack (IOA) focus more on the motivation behind an attack and the potential means by
which threat actors have, or will, compromise vulnerabilities to gain access to assets. IOAs are
concerned with the strategies that are used by attackers. For this reason, rather than informing
response to a single threat, IOAs can help generate a proactive security approach. This is because
strategies can be reused in multiple contexts and multiple attacks. Defending against a strategy can
therefore prevent future attacks that utilize the same, or similar strategy.
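The IOC/IOA distinction above is easiest to see in code. The following is an added example, not part of the module text: it checks mail-gateway log records against an IOC set of the kinds the text names (sender IP, subject line, URL, attachment), then applies an IOA-style rule that describes the attacker's strategy (a prize lure delivered with an untrusted link or a risky attachment) rather than specific values. Every indicator value, host name and address is constructed for illustration (TEST-NET ranges and the reserved .example TLD), and the key=value log format is an assumption rather than any product's real format. The last log line is a second campaign that reuses the strategy but shares none of the IOCs; only the IOA rule catches it.

```python
"""IOC matching and an IOA-style behavioural rule over mail-gateway log records.

Added example for the 2.1.6 discussion; it is not code from the module. The
indicator values, domains and addresses below are constructed for illustration
(TEST-NET ranges and the reserved .example TLD), and the key=value log format
is an assumption, not a specific product's format.
"""
import re

# Constructed IOC set of the kinds the text names: sender IP, subject line, URL,
# attachment. In practice these come from a feed such as CISA's AIS.
IOCS = {
    "sender_ip": {"203.0.113.45"},
    "subject": {"You have won a big prize!"},
    "url": {"http://prize-claim.example/win"},
    "attachment": {"prize_details.zip"},
}

# Hosts the organisation treats as its own or as known partners (constructed).
TRUSTED_HOSTS = {"hr.corp.example", "partner.example"}

# Constructed log lines: a benign invoice, the prize lure from the text, an
# internal HR mail, and a second lure that shares the strategy but none of the IOCs.
LOG_LINES = [
    'ts=2024-03-01T09:12:01Z from=alice@partner.example ip=198.51.100.7 '
    'subject="Q1 invoice" url=- attachment=invoice.pdf',
    'ts=2024-03-01T09:15:44Z from=promo@prize-claim.example ip=203.0.113.45 '
    'subject="You have won a big prize!" url=http://prize-claim.example/win attachment=-',
    'ts=2024-03-01T09:20:10Z from=hr@corp.example ip=198.51.100.9 '
    'subject="Benefits update" url=https://hr.corp.example/benefits attachment=-',
    'ts=2024-03-01T09:31:03Z from=news@lottery.example ip=203.0.113.99 '
    'subject="Claim your reward now" url=http://reward.example/claim attachment=reward.zip',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LURE_RE = re.compile(r"\b(won|prize|reward|claim)\b", re.IGNORECASE)


def parse_line(line):
    """Turn 'key=value key="quoted value"' into a dict; '-' marks an absent field."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def match_iocs(rec):
    """Exact matches against the IOC set: cheap and precise, but only catches what has been seen."""
    hits = []
    for log_field, ioc_field in (("ip", "sender_ip"), ("subject", "subject"),
                                 ("url", "url"), ("attachment", "attachment")):
        if rec.get(log_field) in IOCS[ioc_field]:
            hits.append(f"{ioc_field}={rec[log_field]}")
    return hits


def ioa_flags(rec):
    """IOA-style rule: a prize/reward lure delivered with an untrusted link or a
    risky attachment. It describes the attacker's strategy, so it also fires on
    a campaign whose addresses and subject lines are all new."""
    reasons = []
    if LURE_RE.search(rec.get("subject", "")):
        reasons.append("lure wording in subject")
    url = rec.get("url", "-")
    if url != "-":
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if host not in TRUSTED_HOSTS:
            reasons.append(f"link to untrusted host {host}")
    attachment = rec.get("attachment", "-")
    if attachment.lower().endswith((".zip", ".exe", ".js")):
        reasons.append(f"risky attachment {attachment}")
    # Require the lure plus a delivery mechanism; either signal alone is too noisy.
    if reasons and reasons[0] == "lure wording in subject" and len(reasons) >= 2:
        return reasons
    return []


def analyze(lines):
    """Return, per record, the IOC hits and the IOA reasons."""
    out = []
    for line in lines:
        rec = parse_line(line)
        out.append({"from": rec.get("from"), "ioc": match_iocs(rec), "ioa": ioa_flags(rec)})
    return out


if __name__ == "__main__":
    for result in analyze(LOG_LINES):
        print(result)
```

Running the block shows the second record hit on three IOCs and the fourth on none, while the IOA rule flags both; that is the proactive value the text attributes to IOAs, and also why IOA rules need a second signal (the untrusted link or attachment) to keep false positives down.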

2.1.7 Threat Sharing and Building Cybersecurity Awareness

Governments are now actively promoting cybersecurity. For instance, the US Cybersecurity and
Infrastructure Security Agency (CISA) is leading efforts to automate the sharing of cybersecurity
information with public and private organizations at no cost. CISA uses a system called Automated
Indicator Sharing (AIS). AIS enables the sharing of attack indicators between the US government and
the private sector as soon as threats are verified. CISA offers many resources that help to limit the
size of the United States attack surface.

CISA and the National Cyber Security Alliance (NCSA) promote cybersecurity to all users. For
example, they run an annual campaign every October called “National Cybersecurity Awareness
Month” (NCASM). This campaign was developed to promote and raise awareness about
cybersecurity.

The theme for the NCASM for 2019 was “Own IT. Secure IT. Protect IT.” This campaign encouraged
all citizens to be safer and more personally accountable for using security best practices online. The
campaign provides material on a wide variety of security topics including:

 Social media safety

 Updating privacy settings

 Awareness of device app security

 Keeping software up-to-date

 Safe online shopping

 Wi-Fi safety

 Protecting customer data


The European Union Agency for Cybersecurity (ENISA) delivers advice and solutions for the
cybersecurity challenges of the EU member states. ENISA fills a role in Europe that is similar to the
role of CISA in the US.

Threat Actor Tools

2.2.1 Introduction of Attack Tools

To exploit a vulnerability, a threat actor must have a technique or tool. Over the years, attack tools
have become more sophisticated, and highly automated. These new tools require less technical
knowledge to implement.

The figure plots the sophistication of attack tools against the technical knowledge required to use
them. In 1985, attacks were not very sophisticated and required a lot of technical knowledge. As time
passed, the sophistication of attacks grew and the required technical knowledge diminished.

Sophistication of Attack Tools vs. Technical Knowledge

2.2.2 Evolution of Security Tools

Ethical hacking involves using many different types of tools to test the network and end devices. To
validate the security of a network and its systems, many network penetration testing tools have been
developed. However, many of these tools can also be used by threat actors for exploitation.

Threat actors have also created various hacking tools. These tools are explicitly written for nefarious
reasons. Cybersecurity personnel must also know how to use these tools when performing network
penetration tests.

Explore the categories of common network penetration testing tools. Notice how some tools are
used by white hats and black hats. Keep in mind that the list is not exhaustive as new tools are
continually being developed.

Note: Many of these tools are UNIX or Linux based; therefore, a security professional should have a
strong UNIX and Linux background.

Password crackers - Passwords are the security mechanism most vulnerable to attack. Password cracking
tools are often referred to as password recovery tools and can be used to crack or recover a
password. This is accomplished either by removing the original password, after bypassing the data
encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in
order to crack the password and access the system. Examples of password cracking tools include John
the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.

Wireless hacking tools - Wireless networks are more susceptible to network security threats. Wireless
hacking tools are used to intentionally hack into a wireless network to detect security
vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC,
Firesheep, and NetStumbler.

Network scanning and hacking tools - Network scanning tools are used to probe network devices,
servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan,
Angry IP Scanner, and NetScanTools.

Packet crafting tools - Packet crafting tools are used to probe and test a firewall’s robustness using
specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat,
Nping, and Nemesis.

Packet sniffers - Packet sniffer tools are used to capture and analyze packets within traditional
Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler,
Ratproxy, and SSLstrip.

Rootkit detectors - A rootkit detector is a directory and file integrity checker used by white hats to
detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.

Fuzzers to search vulnerabilities - Fuzzers are tools used by threat actors when attempting to discover
a computer system’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.

Forensic tools - White hat hackers use forensic tools to sniff out any trace of evidence existing in a
particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.

Debuggers - Debugger tools are used by black hats to reverse engineer binary files when writing
exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB,
WinDbg, IDA Pro, and Immunity Debugger.

Hacking operating systems - Hacking operating systems are specially designed operating systems
preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking
operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.

Encryption tools - These tools safeguard the contents of an organization’s data when it is stored or
transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized
access to the data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL,
OpenVPN, and Stunnel.

Vulnerability exploitation tools - These tools identify whether a remote host is vulnerable to a
security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap,
Social-Engineer Toolkit, and Netsparker.

Vulnerability scanners - These tools scan a network or system to identify open ports. They can also be
used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples
of these tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
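The rootkit detector category above is described as a "directory and file integrity checker". The following added example (not code from the module or from AIDE) shows what such a checker does at its core: it records a baseline of SHA-256 hash, size and permission bits for every regular file under a directory, and later reports what was added, removed or modified. The directory tree and file contents in demo() are constructed, the JSON baseline format is a choice made here, and the tampering in demo() simulates what a user-mode rootkit leaves behind (a replaced system binary, a dropped file, a deleted file) so that the three report categories each have an entry.

```python
"""Minimal file integrity checker of the kind rootkit detectors such as AIDE
provide: record a baseline of file hashes and later report what was added,
removed or modified.

Added example; not code from the module or from AIDE. The directory layout and
file contents in demo() are constructed, and the baseline file format (JSON) is
a choice made here.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def take_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to hash, size and mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target is checked where it lives
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # permission bits incl. setuid/setgid
            }
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline. Keep the real copy off the monitored host, or on
    read-only media, so that a rootkit cannot simply rewrite it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """The three sets an integrity checker reports."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it the way a
    user-mode rootkit would (replace a system binary, drop a file, delete a file)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name, content in (("ls", b"original ls binary"), ("ps", b"original ps binary")):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(content)
        with open(os.path.join(root, "config.txt"), "w") as f:
            f.write("debug=false\n")

        db = os.path.join(store, "baseline.json")  # stored outside the monitored tree
        save_baseline(take_baseline(root), db)

        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"replaced ps binary")               # modified
        with open(os.path.join(bin_dir, "hidden_loader"), "wb") as f:
            f.write(b"dropped file")                     # added
        os.remove(os.path.join(root, "config.txt"))      # removed

        return compare(load_baseline(db), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check is only as trustworthy as the environment it runs in: a kernel-level rootkit can intercept the file reads the checker performs, so a baseline taken at install time and a scan run from trusted boot media are what give the comparison weight.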

2.2.3 Categories of Attacks

Threat actors can use the previously mentioned tools or a combination of tools to create various
attacks. The table displays common types of attacks. However, the list of attacks is not exhaustive as
new ways to attack networks are continually being discovered.

It is important to understand that threat actors use a variety of security tools to carry out these
attacks.

Eavesdropping attack - An eavesdropping attack is when a threat actor captures and listens to network
traffic. This attack is also referred to as sniffing or snooping.

Data modification attack - Data modification attacks occur when a threat actor has captured enterprise
traffic and has altered the data in the packets without the knowledge of the sender or receiver.

IP address spoofing attack - An IP address spoofing attack is when a threat actor constructs an IP
packet that appears to originate from a valid address inside the corporate intranet.

Password-based attacks - Password-based attacks occur when a threat actor obtains the credentials for
a valid user account. Threat actors then use that account to obtain lists of other users and network
information. They could also change server and network configurations, and modify, reroute, or
delete data.

Denial-of-service (DoS) attack - A DoS attack prevents normal use of a computer or network by valid
users. After gaining access to a network, a DoS attack can crash applications or network services. A
DoS attack can also flood a computer or the entire network with traffic until a shutdown occurs
because of the overload. A DoS attack can also block traffic, which results in a loss of access to
network resources by authorized users.

Man-in-the-middle attack (MiTM) - A MiTM attack occurs when threat actors have positioned themselves
between a source and destination. They can now actively monitor, capture, and control the
communication transparently.

Compromised key attack - A compromised-key attack occurs when a threat actor obtains a secret key.
This is referred to as a compromised key. A compromised key can be used to gain access to a
secured communication without the sender or receiver being aware of the attack.

Sniffer attack - A sniffer is an application or device that can read, monitor, and capture network
data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full
view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and
read unless they are encrypted and the threat actor does not have access to the key.
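The password-based attack category above begins with a threat actor obtaining valid credentials, and the password crackers listed earlier do that by "repeatedly making guesses". From the defender's side that repetition is the signal. The following added example (not code from the module) parses SSH-style authentication log lines, keeps a sliding window of failed logins per source address, flags any source that reaches a threshold within the window, and separately reports a login that succeeds from a source already flagged, which is the moment a guessed credential is put to use. The log lines are constructed; they use ISO timestamps rather than the real syslog "Mar  1 09:00:01" form to keep parsing short, and the threshold and window values are assumptions to be tuned per site.

```python
"""Detect password-guessing bursts and a login that succeeds right after one,
from SSH-style authentication log lines.

Added example for the password-based attack category; not code from the
module. The log lines are constructed and use ISO timestamps (real syslog uses
'Mar  1 09:00:01'); the threshold and window are assumptions to tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed: one source cycles through usernames until a guess lands, while a
# normal user mistypes once and then logs in.
AUTH_LOG = [
    "2024-03-01T09:00:01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T09:00:03 sshd[2202]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T09:00:05 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T09:00:08 sshd[2204]: Failed password for invalid user guest from 203.0.113.7 port 51003 ssh2",
    "2024-03-01T09:00:12 sshd[2205]: Failed password for bob from 203.0.113.7 port 51004 ssh2",
    "2024-03-01T09:00:15 sshd[2206]: Failed password for bob from 203.0.113.7 port 51005 ssh2",
    "2024-03-01T09:00:16 sshd[2206]: Connection closed by 203.0.113.7 port 51005 [preauth]",
    "2024-03-01T09:00:20 sshd[2207]: Accepted password for bob from 203.0.113.7 port 51006 ssh2",
    "2024-03-01T09:05:00 sshd[2301]: Failed password for alice from 198.51.100.20 port 40001 ssh2",
    "2024-03-01T09:05:10 sshd[2302]: Accepted password for alice from 198.51.100.20 port 40002 ssh2",
]


def detect(lines, threshold=5, window=60):
    """Sliding-window count of failures per source IP.

    Returns the IPs that reached `threshold` failures within `window` seconds
    and every (ip, user) accepted after its source had already been flagged:
    the pattern of a guessed credential being used.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    success_after_burst = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # other sshd messages are irrelevant here
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        ip = m["ip"]
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()           # expire failures that fell out of the window
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            success_after_burst.append((ip, m["user"]))
    return {"bursts": sorted(flagged), "success_after_burst": success_after_burst}


if __name__ == "__main__":
    print(detect(AUTH_LOG))
```

On the constructed log the single mistyped password from 198.51.100.20 never reaches the threshold, while 203.0.113.7 is flagged on its fifth failure and the later "Accepted password for bob" from the same address is reported as a success after a burst, which is the event worth paging on rather than the guessing itself.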

Malware

2.3.1 Types of Malware

End devices are especially prone to malware attacks. Therefore, the focus of this topic is on threats to
end devices. Malware is short for malicious software or malicious code. It is code or software that is
specifically designed to damage, disrupt, steal, or generally inflict some other “bad” or illegitimate
action on data, hosts, or networks. It is important to know about malware because threat actors and
online criminals frequently try to trick users into installing malware to help exploit security gaps. In
addition, malware morphs so rapidly that malware-related security incidents are extremely common
because antimalware software cannot be updated quickly enough to stop the new threats.

The animation shows examples of the three most common types of malware: virus, worm, and Trojan
horse. An attacker at the PC on the left sends each one in turn across two connected routers to the
PC on the right, with the following descriptions:

The primary vulnerabilities for end-user workstations are virus, worm, and Trojan Horse attacks.

A virus is malicious software which executes a specific unwanted, and often harmful, function on a
computer.

A worm executes arbitrary code and installs copies of itself in the memory of the infected computer.
The main purpose of a worm is to automatically replicate itself and spread across the network from
system to system.

A Trojan horse is a non-self-replicating type of malware. It often contains malicious code that is
designed to look like something else, such as a legitimate application or file. When an infected
application or file is downloaded and opened, the Trojan horse can attack the end device from
within.

2.3.2 Viruses

A virus is a type of malware that spreads by inserting a copy of itself into another program. After the
program is run, viruses then spread from one computer to another, infecting the computers. Most
viruses require human help to spread. For example, when someone connects an infected USB drive
to their PC, the virus will enter the PC. The virus may then infect a new USB drive, and spread to new
PCs. Viruses can lay dormant for an extended period and then activate at a specific time and date.

A simple virus may install itself at the first line of code in an executable file. When activated, the virus
might check the disk for other executables so that it can infect all the files it has not yet infected.
Viruses can be harmless, such as those that display a picture on the screen, or they can be
destructive, such as those that modify or delete files on the hard drive. Viruses can also be
programmed to mutate to avoid detection.

Most viruses are now spread by USB memory drives, CDs, DVDs, network shares, and email. Email
viruses are a common type of virus.

2.3.3 Trojan Horses

The term Trojan horse originated from Greek mythology. Greek warriors offered the people of Troy
(the Trojans) a giant hollow horse as a gift. The Trojans brought the giant horse into their walled city,
unaware that it contained many Greek warriors. At night, after most Trojans were asleep, the
warriors burst out of the horse, opened the city gates, and allowed a sizeable force to enter and take
over the city.

Trojan horse malware is software that appears to be legitimate, but it contains malicious code which
exploits the privileges of the user that runs it, as shown in the figure.

The figure shows a Trojan horse exploiting the privileges of the user using a computer.

Often, Trojans are found attached to online games. Users are commonly tricked into loading and
executing the Trojan horse on their systems. While playing the game, the user will not notice a
problem. In the background, the Trojan horse has been installed on the user’s system. The malicious
code from the Trojan horse continues operating even after the game has been closed.

The Trojan horse concept is flexible. It can cause immediate damage, provide remote access to the
system, or access through a back door. It can also perform actions as instructed remotely, such as
"send me the password file once per week." This tendency of malware to send data back to the
cybercriminal highlights the need to monitor outbound traffic for attack indicators.

Custom-written Trojan horses, such as those with a specific target, are difficult to detect.

2.3.4 Trojan Horse Classification

Trojan horses are usually classified according to the damage that they cause, or the manner in which
they breach a system, as shown in the table.

Remote-access - Enables unauthorized remote access.

Data-sending - Provides the threat actor with sensitive data, such as passwords.

Destructive - Corrupts or deletes files.

Proxy - Uses the victim's computer as the source device to launch attacks and perform other illegal
activities.

FTP - Enables unauthorized file transfer services on end devices.

Security software disabler - Stops antivirus programs or firewalls from functioning.

Denial of Service (DoS) - Slows or halts network activity.

Keylogger - Actively attempts to steal confidential information, such as credit card numbers, by
recording keystrokes entered into a web form.

2.3.5 Worms

Computer worms are similar to viruses because they replicate and can cause the same type of
damage. Specifically, worms replicate themselves by independently exploiting vulnerabilities in
networks. Worms can slow down networks as they spread from system to system.

Whereas a virus requires a host program to run, worms can run by themselves. Other than the initial
infection, they no longer require user participation. After a host is infected, the worm is able to
spread very quickly over the network.

Worms are responsible for some of the most devastating attacks on the internet. In 2001, the Code
Red worm had initially infected 658 servers. Within 19 hours, the worm had infected over 300,000
servers.

Initial Code Red Worm Infection


Code Red Infection 19 hours later

The initial infection of the SQL Slammer worm is known as the worm that ate the internet. SQL
Slammer was a denial of service (DoS) attack that exploited a buffer overflow bug in Microsoft’s SQL
Server. At its peak, the number of infected servers doubled in size every 8.5 seconds. This is why it
was able to infect 250,000+ hosts within 30 minutes. When it was released on the weekend of
January 25, 2003, it disrupted the internet, financial institutions, ATM cash machines, and more.
Ironically, a patch for this vulnerability had been released 6 months earlier. The infected servers did
not have the updated patch applied. This was a wake-up call for many organizations to implement a
security policy requiring that updates and patches be applied in a timely fashion.

Initial SQL Slammer Infection


SQL Slammer Infection 30 minutes later

Worms share similar characteristics. They all exploit an enabling vulnerability, have a way to
propagate themselves, and they all contain a payload.

2.3.6 Worm Components

Despite the mitigation techniques that have emerged over the years, worms have continued to
evolve and pose a persistent threat. Worms have become more sophisticated over time, but they still
tend to be based on exploiting weaknesses in software applications.

Common Worm Pattern

 Enabling vulnerability

 Propagation mechanism

 Payload

Most worm attacks consist of these three components:

 Enabling vulnerability - A worm installs itself using an exploit mechanism, such as an email
attachment, an executable file, or a Trojan horse, on a vulnerable system.

 Propagation mechanism - After gaining access to a device, the worm replicates itself and
locates new targets.

 Payload - Any malicious code that results in some action is a payload. Most often this is used
to create a backdoor that allows a threat actor access to the infected host or to create a DoS
attack.

Worms are self-contained programs that attack a system to exploit a known vulnerability. Upon
successful exploitation, the worm copies itself from the attacking host to the newly exploited system
and the cycle begins again. Their propagation mechanisms are commonly deployed in a way that is
difficult to detect.

Code Red Worm Propagation

The propagation technique used by the Code Red worm is shown in the figure.
The figure diagrams the steps in the propagation of the Code Red worm. Those steps are as follows:
Step 1 - Propagate for 19 days. Step 2 - Launch DoS attack for the next 7 days. Step 3 - Stop and go
dormant for a few days. Step 4 - Repeat the cycle.

Note: Worms never really stop spreading on the internet. After they are released, worms continue to
propagate until all possible sources of infection are properly patched.

2.3.7 Ransomware

Threat actors have used viruses, worms, and Trojan horses to carry their payloads and for other
malicious reasons. However, malware continues to evolve.

Currently, the most dominating malware is ransomware. Ransomware is malware that denies access
to the infected computer system or its data. The cybercriminals then demand payment to release the
computer system.

Ransomware has evolved to become the most profitable malware type in history. In the first half of
2016, ransomware campaigns targeting both individual and enterprise users became more
widespread and potent.

There are dozens of ransomware variants. Ransomware frequently uses an encryption algorithm to
encrypt system files and data. The majority of known ransomware encryption algorithms cannot be
easily decrypted, leaving victims with little option but to pay the asking price. Payments are typically
paid in Bitcoin because users of bitcoin can remain anonymous. Bitcoin is an open-source, digital
currency that nobody owns or controls.

Email and malicious advertising, also known as malvertising, are vectors for ransomware campaigns.
Social engineering is also used, as when cybercriminals who identify themselves as security
technicians call homes and persuade users to connect to a website that downloads the ransomware
to the user’s computer.

2.3.8 Other Malware

These are some examples of the varieties of modern malware:

Type of Malware Description

Spyware - Used to gather information about a user and send the information to another entity
without the user’s consent. Spyware can be a system monitor, Trojan horse, adware, tracking
cookies, or key logger.

Adware - Displays annoying pop-ups to generate revenue for its author. The malware may analyze
user interests by tracking the websites visited. It can then send pop-up advertising pertinent to
those sites.

Scareware - Includes scam software which uses social engineering to shock or induce anxiety by
creating the perception of a threat. It is generally directed at an unsuspecting user and attempts
to persuade the user to infect a computer by taking action to address the bogus threat.

Phishing - Attempts to convince people to divulge sensitive information. Examples include receiving
an email from their bank asking users to divulge their account and PIN numbers.

Rootkits - Installed on a compromised system. After it is installed, it continues to hide its
intrusion and provide privileged access to the threat actor.

This list will continue to grow as the internet evolves. New malware will always be developed. A
major goal of cybersecurity operations is to learn about new malware and how to promptly mitigate
it.

2.3.9 Common Malware Behaviors

Cybercriminals continually modify malware code to change how it spreads and infects computers.
However, most produce similar symptoms that can be detected through network and device log
monitoring.

Computers infected with malware often exhibit one or more of the following symptoms:

 Appearance of strange files, programs, or desktop icons

 Antivirus and firewall programs are turning off or reconfiguring settings

 Computer screen is freezing or system is crashing

 Emails are spontaneously being sent without your knowledge to your contact list

 Files have been modified or deleted

 Increased CPU and/or memory usage

 Problems connecting to networks

 Slow computer or web browser speeds

 Unknown processes or services running

 Unknown TCP or UDP ports open

 Connections are made to hosts on the Internet without user action

 Strange computer behavior

Note: Malware behavior is not limited to the above list.
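Several of the symptoms above (unknown open ports, unknown processes, connections made without user action) can be checked against a host baseline. The following is an added example, not part of the module: it parses constructed socket-table records in the shape of `ss`/`netstat` output and reports deviations from an assumed baseline; the baseline, process names and addresses are all made up for illustration.

```python
import re
from dataclasses import dataclass

# Constructed baseline of what this host is expected to expose and run.
# In practice this comes from the build standard or a snapshot taken
# while the host was known to be clean.
KNOWN_LISTENERS = {("tcp", 22): "sshd", ("tcp", 443): "nginx"}
KNOWN_PROCESSES = {"sshd", "nginx", "systemd", "cron"}
INTERNAL_PREFIXES = ("10.", "192.168.")

# Constructed records (not real output) in the shape of `ss -tunap`:
# proto, state, local address:port, remote address:port, process name.
# "svchost_update" is a made-up name standing in for an unknown binary.
SAMPLE_CONNECTIONS = """\
tcp LISTEN 0.0.0.0:22 0.0.0.0:* sshd
tcp LISTEN 0.0.0.0:443 0.0.0.0:* nginx
tcp LISTEN 0.0.0.0:4444 0.0.0.0:* svchost_update
tcp ESTAB 10.0.0.5:51234 203.0.113.9:6667 svchost_update
tcp ESTAB 10.0.0.5:51235 10.0.0.20:443 nginx
udp UNCONN 0.0.0.0:53000 0.0.0.0:* svchost_update
"""


@dataclass(frozen=True)
class Finding:
    symptom: str
    detail: str


LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)$")


def parse_connections(text):
    """Parse the constructed socket-table format into tuples; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, state, laddr, lport, raddr, rport, proc = m.groups()
            rows.append((proto, state, laddr, int(lport), raddr, rport, proc))
    return rows


def check_host(text):
    """Compare a socket table against the baseline and return deduplicated findings."""
    findings = set()
    for proto, state, _laddr, lport, raddr, rport, proc in parse_connections(text):
        # Symptom: unknown TCP or UDP ports open (or a known port served by a new binary)
        if state in ("LISTEN", "UNCONN"):
            expected = KNOWN_LISTENERS.get((proto, lport))
            if expected is None:
                findings.add(Finding("unknown port open", f"{proto}/{lport} by {proc}"))
            elif expected != proc:
                findings.add(Finding("service replaced", f"{proto}/{lport} now served by {proc}"))
        # Symptom: unknown processes or services running
        if proc not in KNOWN_PROCESSES:
            findings.add(Finding("unknown process", proc))
        # Symptom: connections to hosts on the Internet without user action
        if state == "ESTAB" and not raddr.startswith(INTERNAL_PREFIXES):
            findings.add(Finding("unexpected external connection", f"{raddr}:{rport} by {proc}"))
    return sorted(findings, key=lambda f: (f.symptom, f.detail))


if __name__ == "__main__":
    for f in check_host(SAMPLE_CONNECTIONS):
        print(f"{f.symptom}: {f.detail}")
```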


Common Network Attacks - Reconnaissance, Access, and Social Engineering
2.4.1 Types of Network Attacks

Malware is a means to get a payload delivered. When it is delivered and installed, the payload can be
used to cause a variety of network-related attacks from the inside. Threat actors can also attack the
network from outside.

Why do threat actors attack networks? There are many motives including money, greed, revenge, or
political, religious, or sociological beliefs. Network security professionals must understand the types
of attacks used to counter these threats to ensure the security of the LAN.

To mitigate attacks, it is useful to first categorize the various types of attacks. By categorizing network
attacks, it is possible to address types of attacks rather than individual attacks.

Although there is no standardized way of categorizing network attacks, the method used in this
course classifies attacks in three major categories.

 Reconnaissance Attacks

 Access Attacks

 DoS Attacks

2.4.2 Reconnaissance Attacks

Reconnaissance is information gathering. It is analogous to a thief surveying a neighborhood by going
door-to-door pretending to sell something. What the thief is actually doing is looking for vulnerable
homes to break into, such as unoccupied residences, residences with easy-to-open doors or
windows, and those residences without security systems or security cameras.

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of
systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks.

Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are
described in the table.

Technique Description

Perform an information query of a target - The threat actor is looking for initial information
about a target. Various tools can be used, including Google search, the organization’s website,
whois, and more.

Initiate a ping sweep of the target network - The information query usually reveals the target’s
network address. The threat actor can now initiate a ping sweep to determine which IP addresses
are active.

Initiate a port scan of active IP addresses - This is used to determine which ports or services
are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and
NetScanTools.

Run vulnerability scanners - This is to query the identified ports to determine the type and
version of the application and operating system that is running on the host. Examples of tools
include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.

Run exploitation tools - The threat actor now attempts to discover vulnerable services that can be
exploited. A variety of vulnerability exploitation tools exist, including Metasploit, Core Impact,
Sqlmap, Social Engineer Toolkit, and Netsparker.

Click each button to view the progress of a reconnaissance attack from information query to ping
sweep, to port scan.

Internet Information Queries

Performing Ping Sweeps

Performing Port Scans

 Click Play in the figure to view an animation of a threat actor using the whois command to
find information about a target.

The animation shows a threat actor connected to a network with PCs and servers. The threat actor
types the address http://www.whois.net into a web browser. The site searches all whois records.
The threat actor types in cisco.com to search for its record. The record is returned, showing
cisco.com and the physical address for Cisco in San Jose.

 Click Play in the figure to view an animation of a threat actor doing a ping sweep of the
target’s network address to discover live and active IP addresses.

The animation shows a threat actor connected to a network with PCs and servers. The threat actor's
computer sends a small red target to each of the computers and servers on the network. Each of the
small red targets is returned to the threat actor's computer.

 Click Play in the figure to view an animation of a threat actor performing a port scan on the
discovered active IP addresses using Nmap.

The animation shows a threat actor connected to a network with PCs and servers. The threat actor's
computer sends multiple small red targets to a server on the network. These small red targets are
then returned from the server to the threat actor's computer. The animation then shows a bubble
over the threat actor with information about the state of multiple ports on the server.
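The ping sweep and port scan stages described above leave a recognizable pattern in firewall logs: one source touching many distinct hosts, or many distinct ports, in a short time. The following is an added example, not part of the module, that parses constructed syslog-style firewall lines and raises an alert when a source crosses either threshold inside a sliding window; the log format, thresholds and addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from any real device). One external
# source pings six hosts, then probes seven ports on the one host that answered.
SAMPLE_LOG = """\
2024-03-01T10:00:00 DENY ICMP 198.51.100.7 -> 10.0.0.1 type=8
2024-03-01T10:00:01 DENY ICMP 198.51.100.7 -> 10.0.0.2 type=8
2024-03-01T10:00:01 DENY ICMP 198.51.100.7 -> 10.0.0.3 type=8
2024-03-01T10:00:02 DENY ICMP 198.51.100.7 -> 10.0.0.4 type=8
2024-03-01T10:00:02 DENY ICMP 198.51.100.7 -> 10.0.0.5 type=8
2024-03-01T10:00:03 DENY ICMP 198.51.100.7 -> 10.0.0.6 type=8
2024-03-01T10:00:03 ALLOW ICMP 10.0.0.9 -> 10.0.0.1 type=8
2024-03-01T10:05:00 DENY TCP 198.51.100.7:40001 -> 10.0.0.5:21
2024-03-01T10:05:00 DENY TCP 198.51.100.7:40002 -> 10.0.0.5:22
2024-03-01T10:05:00 DENY TCP 198.51.100.7:40003 -> 10.0.0.5:23
2024-03-01T10:05:01 DENY TCP 198.51.100.7:40004 -> 10.0.0.5:25
2024-03-01T10:05:01 DENY TCP 198.51.100.7:40005 -> 10.0.0.5:80
2024-03-01T10:05:01 ALLOW TCP 198.51.100.7:40006 -> 10.0.0.5:443
2024-03-01T10:05:02 DENY TCP 198.51.100.7:40007 -> 10.0.0.5:3389
2024-03-01T11:00:00 ALLOW TCP 203.0.113.4:5555 -> 10.0.0.5:443
"""

# ICMP type 8 is an echo request, the probe a ping sweep relies on.
ICMP_RE = re.compile(r"^(\S+) \S+ ICMP (\S+) -> (\S+) type=8$")
TCP_RE = re.compile(r"^(\S+) \S+ TCP (\S+):\d+ -> (\S+):(\d+)$")

WINDOW = timedelta(seconds=60)   # assumed sliding window
SWEEP_THRESHOLD = 5              # distinct hosts pinged by one source inside WINDOW
SCAN_THRESHOLD = 5               # distinct (host, port) pairs probed by one source inside WINDOW


def parse_events(log):
    """Yield (kind, time, src, key): key is the pinged host for a sweep,
    or the (host, port) pair for a scan. Lines that match neither are ignored."""
    for line in log.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield "sweep", datetime.fromisoformat(m[1]), m[2], m[3]
            continue
        m = TCP_RE.match(line)
        if m:
            yield "scan", datetime.fromisoformat(m[1]), m[2], (m[3], int(m[4]))


def detect_recon(log):
    """Return alerts as (kind, src, distinct_targets) for every source that
    touches at least the threshold number of distinct targets within WINDOW."""
    buckets = defaultdict(list)
    for kind, ts, src, key in parse_events(log):
        buckets[(kind, src)].append((ts, key))

    alerts = []
    for (kind, src), hits in buckets.items():
        hits.sort()
        threshold = SWEEP_THRESHOLD if kind == "sweep" else SCAN_THRESHOLD
        best, start = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until it fits within WINDOW
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            distinct = {key for _, key in hits[start:end + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            alerts.append((kind, src, best))
    return alerts


if __name__ == "__main__":
    for kind, src, count in detect_recon(SAMPLE_LOG):
        print(f"{kind} from {src}: {count} distinct targets within {WINDOW}")
```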

2.4.3 Video - Reconnaissance Attacks

Play Video

2.4.4 Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web
services. The purpose of this type of attack is to gain entry to web accounts, confidential databases,
and other sensitive information.

Threat actors use access attacks on network devices and computers to retrieve data, gain access, or
to escalate access privileges to administrator status.

Password Attacks

In a password attack, the threat actor attempts to discover critical system passwords using various
methods. Password attacks are very common and can be launched using a variety of password
cracking tools.

Spoofing Attacks

In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data.
Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing. These spoofing
attacks will be discussed in more detail later in this module.

Other Access attacks include:

 Trust exploitations

 Port redirections

 Man-in-the-middle attacks

 Buffer overflow attacks

Click each button to view an illustration and explanation of these access attacks.

Trust Exploitation Example

In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system,
possibly compromising the target. Click Play in the figure to view an example of trust exploitation.

The animation shows a threat actor at a computer that is not connected. There is a network with a
computer labeled System A, another computer labeled System B, and a cloud labeled Internet. Each
of these connects separately to a firewall. As the animation plays, the words "System A trusts
System B" appear over System A, and the words "System B trusts everyone" appear over System B.
Next to the threat actor are the words "Goal: an attacker wants to gain access to System A".
System A blinks. Under System A are the words "user=psmith; Pat Smith". A bubble appears over the
threat actor that says "I can't get access to System A but System B is open." The words
"user=psmith; Pat Smith" appear next to the threat actor. An arrow goes from the threat actor to
the Internet, to the firewall, to System B. The words "Compromised by attacker, user=psmith; Pat
Smith" appear under System B, and System B is shown as compromised. The words "I have control of
System B and now have access to System A" appear in the threat actor's bubble. An arrow goes
directly from the threat actor to System A, where System A is shown as compromised.

Port Redirection Example

In a port redirection attack, a threat actor uses a compromised system as a base for attacks against
other targets. The example in the figure shows a threat actor using SSH (port 22) to connect to a
compromised Host A. Host A is trusted by Host B and, therefore, the threat actor can use Telnet (port
23) to access it.

The figure shows a threat actor and multiple clouds, servers, and hosts in many different networks.
The words "Source: attacker, Destination: A, Port: 22" show next to the threat actor. An arrow goes
from the threat actor through a cloud, two routers, and another cloud with many routers to a
firewall. From the firewall, the arrow goes to a PC labeled Compromised Host A. The words "Source:
A, Destination: B, Port: 23" are next to Compromised Host A. An arrow goes from here back to the
firewall and into an internal network to a switch, and on to a server labeled Host B with the words
"Source: attacker, Destination: B, Port: 23" next to it.

Man-in-the-Middle Attack Example

In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in
order to read or modify the data that passes between the two parties. The figure displays an
example of a man-in-the-middle attack.

The figure shows a laptop labeled Victim with an arrow labeled 1 going through multiple network
devices and a cloud to a threat actor holding a laptop. An arrow labeled 2 goes from the threat actor
to a web server. An arrow labeled 3 goes from the web server to the threat actor. An arrow labeled 4
goes from the threat actor, back through the cloud and network devices, to the laptop labeled Victim.

Buffer Overflow Attack

In a buffer overflow attack, the threat actor exploits the buffer memory and overwhelms it with
unexpected values. This usually renders the system inoperable, creating a DoS attack. The figure
shows that the threat actor is sending many packets to the victim in an attempt to overflow the
victim’s buffer.

The figure shows a threat actor with a laptop. An arrow goes from the threat actor through the
internet, two routers, and a switch, and arrives at a server labeled Victim. There are four stacked
envelopes next to the switch.

2.4.5 Video - Access and Social Engineering Attacks

2.4.6 Social Engineering Attacks

Social engineering is an access attack that attempts to manipulate individuals into performing actions
or divulging confidential information. Some social engineering techniques are performed in-person
while others may use the telephone or internet.

Social engineers often rely on people’s willingness to be helpful. They also prey on people’s
weaknesses. For example, a threat actor could call an authorized employee with an urgent problem
that requires immediate network access. The threat actor could appeal to the employee’s vanity,
invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

Social Engineering Attack Description

Pretexting - A threat actor pretends to need personal or financial data to confirm the identity of
the recipient.

Phishing - A threat actor sends fraudulent email which is disguised as being from a legitimate,
trusted source to trick the recipient into installing malware on their device, or to share
personal or financial information.

Spear phishing - A threat actor creates a targeted phishing attack tailored for a specific
individual or organization.

Spam - Also known as junk mail, this is unsolicited email which often contains harmful links,
malware, or deceptive content.

Something for Something - Sometimes called “Quid pro quo”, this is when a threat actor requests
personal information from a party in exchange for something such as a gift.

Baiting - A threat actor leaves a malware infected flash drive in a public location. A victim finds
the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.

Impersonation - In this type of attack, a threat actor pretends to be someone else to gain the
trust of a victim.

Tailgating - This is where a threat actor quickly follows an authorized person into a secure
location to gain access to a secure area.

Shoulder surfing - This is where a threat actor inconspicuously looks over someone’s shoulder to
steal their passwords or other information.

Dumpster diving - This is where a threat actor rummages through trash bins to discover confidential
documents.

The Social Engineer Toolkit (SET) was designed to help white hat hackers and other network security
professionals create social engineering attacks to test their own networks. It is a set of menu-based
tools that help launch social engineering attacks. The SET is for educational purposes only. It is freely
available on the internet.

Enterprises must educate their users about the risks of social engineering, and develop strategies to
validate identities over the phone, via email, or in person.

The figure shows recommended practices that should be followed by all users.

2.4.7 Strengthening the Weakest Link

Cybersecurity is only as strong as its weakest link. Since computers and other internet-connected
devices have become an essential part of our lives, they no longer seem new or different. People
have become very casual in their use of these devices and rarely think about network security. The
weakest link in cybersecurity can be the personnel within an organization, and social engineering is a
major security threat. Because of this, one of the most effective security measures that an
organization can take is to train its personnel and create a “security-aware culture.”

Network Attacks - Denial of Service, Buffer Overflows, and Evasion
2.5.2 DoS and DDoS Attacks

A Denial of Service (DoS) attack creates some sort of interruption of network services to users,
devices, or applications. There are two major types of DoS attacks:

 Overwhelming Quantity of Traffic - The threat actor sends an enormous quantity of data at a
rate that the network, host, or application cannot handle. This causes transmission and
response times to slow down. It can also crash a device or service.

 Maliciously Formatted Packets - The threat actor sends a maliciously formatted packet to a
host or application and the receiver is unable to handle it. This causes the receiving device to
run very slowly or crash.

DoS attacks are a major risk because they interrupt communication and cause significant loss of time
and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.

A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple,
coordinated sources. For example, a threat actor builds a network of infected hosts, known as
zombies. The threat actor uses a command and control (CnC) system to send control messages to the
zombies. The zombies constantly scan and infect more hosts with bot malware. The bot malware is
designed to infect a host, making it a zombie that can communicate with the CnC system. The
collection of zombies is called a botnet. When ready, the threat actor instructs the CnC system to
make the botnet of zombies carry out a DDoS attack.

The animation shows a threat actor sending a command to two bots to send traffic to a web server
to overwhelm it.

2.5.3 Components of DDoS Attacks


If threat actors can compromise many hosts, they can perform a Distributed DoS Attack (DDoS). DDoS
attacks are similar in intent to DoS attacks, except that a DDoS attack increases in magnitude because
it originates from multiple, coordinated sources, as shown in the figure. A DDoS attack can use
hundreds or thousands of sources, as in IoT-based DDoS attacks.

The following terms are used to describe components of a DDoS attack:

Component Description

zombies - This refers to a group of compromised hosts (i.e., agents). These hosts run malicious code
referred to as robots (i.e., bots). The zombie malware continually attempts to self-propagate like
a worm.

bots - Bots are malware that is designed to infect a host and communicate with a handler system.
Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.

botnet - This refers to a group of zombies that have been infected using self-propagating malware
(i.e., bots) and are controlled by handlers.

handlers - This refers to a primary command-and-control (CnC or C2) server controlling groups of
zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2
server to remotely control the zombies.

botmaster - This is the threat actor who is in control of the botnet and handlers.

Note: There is an underground economy where botnets can be bought (and sold) for a nominal fee.
This can provide threat actors with botnets of infected hosts ready to launch a DDoS attack against
the target of choice.

2.5.4 Video - Mirai Botnet

Mirai is malware that targeted Internet of Things (IoT) devices that are configured with default login
information. Closed-circuit television (CCTV) cameras made up the majority of Mirai’s targets. Using a
brute force dictionary attack, Mirai ran through a list of default usernames and passwords that were
widely known on the internet.

 root/default

 root/1111

 root/54321

 admin/admin1234

 admin1/password

 guest/12345

 tech/tech

 support/support

After gaining successful access, Mirai targeted the Linux-based BusyBox utilities that run on these
devices. These utilities were used to turn the devices into bots that could be remotely controlled as
part of a botnet. The botnet was then used as part of a distributed denial of service (DDoS) attack. In
September 2016, a Mirai botnet of over 152,000 CCTVs and digital video recorders (DVRs) was
responsible for the largest DDoS attack known until that time. With peak traffic of over 1 Tb/s, it took
down the hosting services of a France-based web hosting company.

In October 2016 the services of Dyn, a Domain Name System (DNS) provider, were attacked, causing
internet outages for millions of users in the United States and Europe.

Play the video to view a demonstration of how a botnet-based DDoS attack makes services
unavailable.

Note: In December 2017, three American threat actors pleaded guilty to conspiring to “conduct DDoS
attacks against websites and web hosting companies located in the United States and abroad.” The
three felons face up to 10 years in prison and $250,000 in fines.

2.5.5 Buffer Overflow Attack


The goal of a threat actor when using a buffer overflow DoS attack is to find a system memory-
related flaw on a server and exploit it. Exploiting the buffer memory by overwhelming it with
unexpected values usually renders the system inoperable, creating a DoS attack.

For example, a threat actor enters input that is larger than expected by the application running on a
server. The application accepts the large amount of input and stores it in memory. The result is that it
may consume the associated memory buffer and potentially overwrite adjacent memory, eventually
corrupting the system and causing it to crash.

An early example of using malformed packets was the Ping of Death. In this legacy attack, the threat
actor sent a ping of death, which was an echo request in an IP packet larger than the maximum
packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and
it would crash.

Buffer overflow attacks are continually evolving. For instance, a remote denial of service attack
vulnerability was recently discovered in Microsoft Windows 10. Specifically, a threat actor created
malicious code to access out-of-scope memory. When this code is accessed by the Windows
AHCACHE.SYS process, it attempts to trigger a system crash, denying service to the user. Search the
Internet on “TALOS-2016-0191 blog” to go to the Cisco Talos threat intelligence website and read a
description of such an attack.

Note: It is estimated that one third of malicious attacks are the result of buffer overflows.

2.5.6 Evasion Methods

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack
methods are most effective when they are undetected. For this reason, many attacks use stealthy
evasion techniques to disguise an attack payload. Their goal is to prevent detection by evading
network and host defenses.

Some of the evasion methods used by threat actors include:

Evasion Method Description

Encryption and tunneling - This evasion technique uses tunneling to hide, or encryption to
scramble, malware files. This makes it difficult for many security detection techniques to detect
and identify the malware. Tunneling can mean hiding stolen data inside of legitimate packets.

Resource exhaustion - This evasion technique makes the target host too busy to properly use
security detection techniques.

Traffic fragmentation - This evasion technique splits a malicious payload into smaller packets to
bypass network security detection. After the fragmented packets bypass the security detection
system, the malware is reassembled and may begin sending sensitive data out of the network.

Protocol-level misinterpretation - This evasion technique occurs when network defenses do not
properly handle features of a PDU like a checksum or TTL value. This can trick a firewall into
ignoring packets that it should check.

Traffic substitution - In this evasion technique, the threat actor attempts to trick an IPS by
obfuscating the data in the payload. This is done by encoding it in a different format. For
example, the threat actor could use encoded traffic in Unicode instead of ASCII. The IPS does not
recognize the true meaning of the data, but the target end system can read the data.

Traffic insertion - Similar to traffic substitution, but the threat actor inserts extra bytes of
data in a malicious sequence of data. The IPS rules miss the malicious data, accepting the full
sequence of data.

Pivoting - This technique assumes the threat actor has compromised an inside host and wants to
expand their access further into the compromised network. An example is a threat actor who has
gained access to the administrator password on a compromised host and is attempting to log in to
another host using the same credentials.

Rootkits - A rootkit is a complex attacker tool used by experienced threat actors. It integrates
with the lowest levels of the operating system. When a program attempts to list files, processes,
or network connections, the rootkit presents a sanitized version of the output, eliminating any
incriminating output. The goal of the rootkit is to completely hide the activities of the attacker
on the local system.

Proxies - Network traffic can be redirected through intermediate systems in order to hide the
ultimate destination for stolen data. In this way, known command-and-control traffic may not be
blocked by an enterprise because the proxy destination appears benign. Additionally, if data is
being stolen, the destination for the stolen data can be distributed among many proxies, thus not
drawing attention to the fact that a single unknown destination is serving as the destination for
large amounts of network traffic.

New attack methods are constantly being developed. Network security personnel must be aware of
the latest attack methods to detect them.
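The traffic fragmentation and traffic substitution entries above share one defensive consequence: an IPS has to reassemble a stream and decode the payload before it compares the bytes with a signature, or the encoded or split form sails past a literal match. The following is an added example, not from the module or any IPS product, in which a naive byte match misses a signature that is split across fragments and percent-encoded, while the same match succeeds after reassembly and normalization; the signatures, fragments and decoding rules are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed detection content: byte strings a simple content rule would look for.
SIGNATURES = [b"/etc/passwd", b"cmd.exe"]

# Constructed fragments as (offset, bytes) pieces of one request, delivered out
# of order. The "/etc/passwd" string is split across two pieces and its 'p' is
# percent-encoded as %70, so no single piece contains the literal signature.
SAMPLE_FRAGMENTS = [
    (26, b"wd HTTP/1.0\r\n"),
    (0, b"GET /cgi/%2e%2e/"),
    (16, b"etc/%70ass"),
]


def reassemble(fragments):
    """Rebuild a payload from (offset, bytes) pieces, as an IPS must before matching.
    Pieces are written in offset order, so a later overlapping piece overwrites
    an earlier one at the same offset (one common reassembly policy; real
    sensors must follow the policy of the end host they protect)."""
    total = max((off + len(data) for off, data in fragments), default=0)
    buf = bytearray(total)
    for off, data in sorted(fragments, key=lambda f: f[0]):
        buf[off:off + len(data)] = data
    return bytes(buf)


def normalize(payload):
    """Undo the encodings used for traffic substitution before matching.
    Handles %XX percent-encoding, applied repeatedly so double encoding
    (%252f -> %2f -> /) is unwrapped, and the non-standard %uXXXX form.
    The number of passes is bounded so hostile input cannot loop forever."""
    text = payload.decode("latin-1")
    for _ in range(3):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m[1], 16)), text)
        decoded = unquote(decoded, encoding="latin-1", errors="replace")
        if decoded == text:
            break
        text = decoded
    return text.encode("latin-1", errors="replace")


def naive_match(payload):
    """Literal byte match, the behaviour the evasion techniques rely on."""
    return [sig for sig in SIGNATURES if sig in payload]


def normalized_match(fragments):
    """Reassemble, then decode, then match: the order a defensive sensor needs."""
    return naive_match(normalize(reassemble(fragments)))


if __name__ == "__main__":
    print("per-fragment:", [naive_match(d) for _, d in SAMPLE_FRAGMENTS])
    print("reassembled only:", naive_match(reassemble(SAMPLE_FRAGMENTS)))
    print("reassembled + normalized:", normalized_match(SAMPLE_FRAGMENTS))
```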

Network Threats Summary


2.6.1 What Did I Learn in this Module?

Who is Attacking Our Network?


Understanding network security requires you to understand the following terms: threat,
vulnerability, attack surface, exploit, and risk. Risk management is the process that balances the
operational costs of providing protective measures with the gains achieved by protecting the asset.
Four common ways to manage risk are risk acceptance, risk avoidance, risk reduction, and risk
transfer. Hacker is a term used to describe a threat actor. White hat hackers are ethical hackers using
their skills for good, ethical, and legal purposes. Grey hat hackers are individuals who commit crimes
and do unethical things, but not for personal gain or to cause damage. Black hat hackers are
criminals who violate computer and network security for personal gain, or for malicious reasons,
such as attacking networks. Threat actors include script kiddies, vulnerability brokers, hacktivists,
cybercriminals, and state-sponsored hackers. Many network attacks can be prevented by sharing
information about IOCs. Many governments are promoting cybersecurity. CISA and NCSA are
examples of such organizations.

Introduction of Attack Tools


Threat actors use a technique or tool. Attack tools have become more sophisticated and highly
automated. Many of the tools are Linux or UNIX based, and a knowledge of these is useful to a
cybersecurity professional. Tools include password crackers, wireless hacking tools, network security
scanning and hacking tools, packet crafting tools, packet sniffers, rootkit detectors, fuzzers to
search for vulnerabilities, forensic tools, debuggers, hacking operating systems, encryption tools,
vulnerability exploitation tools, and vulnerability scanners. Categories of attacks include
eavesdropping attacks, data modification attacks, IP address spoofing attacks, password-based
attacks, denial-of-service attacks, man-in-the-middle attacks, compromised key attacks, and
sniffer attacks.

Malware

Malware is short for malicious software or malicious code. Threat actors frequently try to trick users
into installing malware to help exploit end device vulnerabilities. Often antimalware software cannot
be updated quickly enough to stop new threats. Three common types are virus, worm, and Trojan
horse. A virus is a type of malware that spreads by inserting a copy of itself into another program.
Most viruses are spread through USB memory drives, CDs, DVDs, network shares, and email. Trojan
horse malware is software that appears to be legitimate, but it contains malicious code that exploits
the privileges of the user that runs it. Often, Trojans are found on online games. Trojan horses are
usually classified according to the damage they cause. Types of Trojan horses include remote-access,
data-sending, destructive, proxy, FTP, security software disabler, DoS, and keylogger. Worms are
similar to viruses because they replicate and can cause the same type of damage. Viruses require a
host program to run. Worms can run themselves. Most worm attacks consist of three components:
enabling vulnerability, propagation mechanism, and payload. Currently, ransomware is the most
dominant malware. It denies access to the infected system or its data. The cybercriminals then
demand payment to release the computer system. Other malware examples include spyware,
adware, scareware, phishing, and rootkits.

Common Network Attacks – Reconnaissance, Access, and Social Engineering


Threat actors can also attack the network from outside. To mitigate attacks, it is useful to categorize
the various types of attacks. The three major categories are reconnaissance, access, and DoS attacks.
Reconnaissance is information gathering. Threat actors do unauthorized discovery and mapping of
systems, services, or vulnerabilities. Recon attacks precede access or DoS attacks. Some of the
techniques used include the following: performing an information query of a target, initiating a ping
sweep of the target network, initiating a port scan of active IP addresses, running vulnerability
scanners, and running exploitation tools. Access attacks exploit known vulnerabilities in
authentication services, FTP services, and web services. These attacks include password attacks,
spoofing attacks, trust exploitation attacks, port redirections, man-in-the-middle attacks, and buffer
overflow attacks. Social engineering is an access attack that attempts to manipulate individuals into
performing unsafe actions or divulging confidential information. These attacks include pretexting,
phishing, spear phishing, spam, something for something, baiting, impersonation, tailgating,
shoulder surfing, and dumpster diving.

Network Attacks – Denial of Service, Buffer Overflows, and Evasion


DoS attacks create some sort of interruption of network services to users, devices, or applications.
There are two major types: overwhelming quantity of traffic, and maliciously formatted packets.
DDoS attacks are similar in intent to DoS attacks, except that the DDoS attack increases in magnitude
because it originates from multiple, coordinated sources. The following terms are used to describe
DDoS attacks: zombies, bots, botnet, handlers, and botmaster. Mirai is malware that targets IoT
devices configured with default login information. Mirai uses a brute force dictionary attack. After
successful access, Mirai targets the Linux-based BusyBox utilities that are designed for these devices.
The goal of a threat actor when using a buffer overflow DoS attack is to find a system memory-
related flaw on a server and exploit it. Exploiting the buffer memory by overwhelming it with
unexpected values usually renders the system inoperable, creating a DoS attack. Many attacks use
stealthy evasion techniques to disguise an attack payload. Evasion methods include encrypting and
tunneling, resource exhaustion, traffic fragmentation, protocol-level misinterpretation, traffic
substitution, traffic insertion, pivoting, rootkits, and proxies.
