
Types of Attacks

The document provides an overview of various cybersecurity threats including DNS poisoning, DoS and DDoS attacks, phishing, social engineering, and others. It explains the mechanisms of these attacks, their impact, and potential solutions or preventive measures. Additionally, it covers specific attack types like SQL injection, XSS, brute force attacks, and the TCP three-way handshake process.

Uploaded by

Ghanshyam Kadam

1. DNS Poisoning:

DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the
domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake
ones.

How DNS Works: Whenever your computer contacts a domain name like “google.com,” it must first
contact its DNS server. The DNS server responds with one or more IP addresses where your computer
can reach google.com. Your computer then connects directly to that numerical IP address. DNS converts
human-readable addresses like “google.com” to computer-readable IP addresses like “173.194.67.102”.

DNS Caching: The Internet doesn’t just have a single DNS server, as that would be extremely inefficient.
Your Internet service provider runs its own DNS servers, which cache information from other DNS
servers. Your home router functions as a DNS server, which caches information from your ISP’s DNS
servers. Your computer has a local DNS cache, so it can quickly refer to DNS lookups it’s already
performed rather than performing a DNS lookup over and over again.

DNS Cache Poisoning: A DNS cache becomes poisoned when it contains an incorrect entry. For example, if an attacker gains control of a DNS server and changes some of the information on it, such as declaring that google.com actually points to an IP address the attacker owns, that DNS server will tell its users to look for google.com at the wrong address. The attacker's address could host some sort of malicious phishing website.

DNS poisoning like this can also spread. For example, if various Internet service providers are getting their DNS information from the compromised server, the poisoned DNS entry will spread to the Internet service providers and be cached there. It will then spread to home routers and the DNS caches on computers as they look up the DNS entry, receive the incorrect response, and store it.

The Solution for DNS poisoning:

The real reason DNS cache poisoning is such a problem is that there is no reliable way of determining whether the DNS responses you receive are actually legitimate or whether they have been manipulated.

The long-term solution to DNS cache poisoning is DNSSEC. DNSSEC will allow organizations to sign their
DNS records using public-key cryptography, ensuring that your computer will know whether a DNS
record should be trusted or whether it’s been poisoned and redirects to an incorrect location.
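As an added example (not part of the original document), the following Python simulation models the lookup chain described above (authoritative server, ISP resolver, home router, local cache) and shows a poisoned entry propagating downstream, then shows a DNSSEC-style validating client refusing the forged record. The zone key, the addresses and the keyed-hash signature are constructed stand-ins; real DNSSEC signatures are public-key, so a validator holds no secret.

```python
import hashlib
import hmac

# Constructed zone key. It stands in for the zone's DNSSEC signing key; real
# DNSSEC uses public-key signatures, so a validator holds no secret at all.
# A keyed hash is used here only to keep the simulation dependency-free.
ZONE_KEY = b"example-zone-signing-key"


def sign_record(name, ip, key=ZONE_KEY):
    """Stand-in for an RRSIG over one A record."""
    return hmac.new(key, f"{name}={ip}".encode(), hashlib.sha256).hexdigest()


def verify_record(name, ip, sig, key=ZONE_KEY):
    return hmac.compare_digest(sign_record(name, ip, key), sig)


class Resolver:
    """One tier of the lookup chain: authoritative server, ISP resolver, home
    router, or the computer's local cache. Each tier caches whatever answer
    its upstream gives, which is exactly how the text says poison spreads."""

    def __init__(self, label, upstream=None, records=None, validate=False):
        self.label = label
        self.upstream = upstream
        self.cache = dict(records or {})   # name -> (ip, signature)
        self.validate = validate           # True = DNSSEC-style validating resolver

    def lookup(self, name):
        if name not in self.cache:
            if self.upstream is None:
                raise KeyError(name)
            ip, sig = self.upstream.lookup_record(name)
            if self.validate and not verify_record(name, ip, sig):
                # A validating resolver neither uses nor caches a forged answer.
                raise ValueError(f"{self.label}: bad signature for {name}")
            self.cache[name] = (ip, sig)
        return self.cache[name][0]

    def lookup_record(self, name):
        self.lookup(name)
        return self.cache[name]

    def poison(self, name, ip):
        """An attacker controlling this server edits an entry. Lacking the zone
        key, the attacker cannot produce a valid signature for the new value."""
        self.cache[name] = (ip, "forged")


def build_chain(validate_client=False):
    good_ip = "173.194.67.102"   # the address quoted in the text
    authoritative = Resolver("authoritative", records={
        "google.com": (good_ip, sign_record("google.com", good_ip))})
    isp = Resolver("isp", upstream=authoritative)
    router = Resolver("router", upstream=isp)
    computer = Resolver("computer", upstream=router, validate=validate_client)
    return isp, router, computer


def run_poisoning(validate_client=False):
    """Poison the ISP's resolver, then let a fresh computer look the name up.
    Returns what each downstream tier ends up caching ('blocked' = rejected)."""
    isp, router, computer = build_chain(validate_client)
    isp.poison("google.com", "198.51.100.7")   # constructed attacker-owned address
    try:
        computer.lookup("google.com")
    except ValueError:
        pass
    return {tier.label: tier.cache.get("google.com", ("blocked",))[0]
            for tier in (isp, router, computer)}
```

Note that in the validating run the non-validating home router still caches the poison; only the tier that validates is protected.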

2. DoS and DDoS Attack:

DoS (Denial of Service) and DDoS (Distributed Denial of Service) are two commonly used terms for attacks that make the target server or application unresponsive. In both cases, the attack deprives legitimate users (customers and employees) of the service or resource they require. This section discusses both terms and explains their differences.

A DoS attack involves one computer and one Internet connection flooding a targeted system or resource to make it unresponsive, whereas a DDoS attack uses multiple computers and Internet connections to flood the targeted resource. A DoS attack is comparatively easy to stop, since only one source is sending illegitimate traffic; DDoS attacks are difficult to control and stop, because the wide distribution of attacking systems makes it very hard to determine where the attack actually originates. Additionally, DoS attacks are limited to a smaller scale, while a DDoS attack can be carried out at a truly disruptive scale.

Difference between DoS and DDoS Attack
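The following detection logic is an added example, not code from the document: it walks constructed access-log lines in ten-second windows and distinguishes a single-source flood (DoS, where blocking one address helps) from a distributed one (DDoS, where it does not). The thresholds and addresses are assumptions chosen for the sample.

```python
from collections import Counter, defaultdict

WINDOW_SECONDS = 10
FLOOD_THRESHOLD = 200       # requests per window beyond which this (constructed) service degrades
SINGLE_SOURCE_SHARE = 0.8   # one source carrying most of a flood -> DoS rather than DDoS


def parse_line(line):
    """Constructed log format: '<epoch seconds> <source ip> <request line>'."""
    ts, src, _request = line.split(" ", 2)
    return int(ts), src


def classify_windows(lines):
    """Return {window index: (verdict, detail)} where verdict is 'normal', 'dos'
    (detail = the single offending source, which can simply be blocked) or
    'ddos' (detail = number of distinct sources; per-IP blocking will not help)."""
    per_window = defaultdict(Counter)
    for line in lines:
        ts, src = parse_line(line)
        per_window[ts // WINDOW_SECONDS][src] += 1
    verdicts = {}
    for window, counts in sorted(per_window.items()):
        total = sum(counts.values())
        if total < FLOOD_THRESHOLD:
            verdicts[window] = ("normal", None)
            continue
        top_src, top_count = counts.most_common(1)[0]
        if top_count / total >= SINGLE_SOURCE_SHARE:
            verdicts[window] = ("dos", top_src)
        else:
            verdicts[window] = ("ddos", len(counts))
    return verdicts


def constructed_log(sources, per_source, start_ts):
    """Constructed traffic: every source sends per_source requests inside the
    window that begins at start_ts (start_ts must be a multiple of WINDOW_SECONDS)."""
    return [f"{start_ts + i % WINDOW_SECONDS} {src} GET /index.html"
            for src in sources for i in range(per_source)]


LEGIT_USERS = [f"203.0.113.{n}" for n in range(1, 21)]       # 20 ordinary clients
BOTNET = [f"192.0.2.{n}" for n in range(1, 101)]              # 100 distributed attackers

SAMPLE_LOG = (
    constructed_log(LEGIT_USERS, 3, 0)                        # window 0: 60 requests
    + constructed_log(LEGIT_USERS, 3, 10)                     # window 1: background traffic ...
    + constructed_log(["198.51.100.9"], 500, 10)              # ... plus one host flooding
    + constructed_log(LEGIT_USERS, 3, 20)                     # window 2: background traffic ...
    + constructed_log(BOTNET, 4, 20)                          # ... plus 100 hosts, 4 requests each
)
```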

3. Phishing Attack and Types:

“Phishing” refers to an attempt to steal sensitive information, typically in the form of usernames,
passwords, credit card numbers, bank account information or other important data in order to utilize or
sell the stolen information. By masquerading as a reputable source with an enticing request, an attacker
lures in the victim in order to trick them, similarly to how a fisherman uses bait to catch a fish.

In the diagram, the attacker is trying to phish the victim machine by sending a fake email.

Types of phishing attacks:


What is spear phishing?

This type of phishing is directed at specific individuals or companies, hence the term spear phishing. By
gathering details or buying information about a particular target, an attacker is able to mount a
personalized scam. This is currently the most effective type of phishing, and accounts for over 90% of
the attacks.

What is whaling?

For attacks that are directed specifically at senior executives or other privileged users within businesses,
the term whaling is commonly used. These types of attacks are typically targeted with content likely to
require the attention of the victim such as legal subpoenas or other executive issues.

What is Deceptive phishing?

Deceptive phishing is the most common type of phishing. In this case, an attacker attempts to obtain
confidential information from the victims. Attackers use the information to steal money or to launch
other attacks.

4. Social Engineering:

Social engineering is all about manipulating and conning the end user into mistaking something fake for something real. The cyber criminal's goal is to get his victim to download malware or reveal sensitive
information like username/password combinations or financial account numbers. We fall for social
engineering tactics because humans are, for the most part, trusting. We want to believe that people are
good and that the information we are receiving is sincere. Because of all the information that is readily
available about individuals or organizations, however, cyber criminals are able to tailor scams to reach a
particular audience, tricking them into believing what they are seeing is real.

Social Engineering Tactics: Most of us are familiar with one of the most popular versions of social
engineering: phishing. Generic phishing emails are much easier to spot because, in most cases, they are
riddled with errors or the end user has no connection with the “company” or “product” represented in
the email. Spearphishing takes phishing emails up a notch. These email scams are purposely tailored to
specific individuals. Sometimes they spoof a familiar email address to make it look like the message is
coming from a friend or co-worker. Sometimes the spearphishing attack appears to be a business
transaction, complete with an attachment that looks legitimate.

Social Media Risks:

Social networking sites are fertile ground for social engineering attacks.

First, the information we share in social media is mined to create targeted attacks. Users readily share
details like hometowns, schools attended, birth dates, mother’s maiden names, and job history, which
hackers then turn into spear phishing emails.

Second, consider the videos and articles that cycle through the social site’s wall. Many of these are
legitimate, based on the user’s habits. But hackers also have access to those algorithms and will
engineer similar but malicious sites to pop up on feeds.

Finally, social media sites themselves make it very easy for cyber criminals to take advantage of end users. “As much as they aim to mitigate security threats and terrorist propaganda on their platforms, they aren’t close to 100 percent effective. For example, Facebook reported that for 2015, up to 2 percent of its monthly average users—31 million accounts—are false; Twitter estimates 5 percent; and LinkedIn openly admitted, ‘We don’t have a reliable system for identifying and counting duplicate or fraudulent accounts.’”

5. Threat, Vulnerability and Risk:


6. IP Spoofing:

IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in
order to either hide the identity of the sender, to impersonate another computer system, or both. It is a
technique often used by bad actors to invoke DDoS attacks against a target device or the surrounding
infrastructure.

Sending and receiving IP packets is a primary way in which networked computers and other devices
communicate and constitutes the basis of the modern internet. All IP packets contain a header which
precedes the body of the packet and contains important routing information, including the source
address. In a normal packet, the source IP address is the address of the sender of the packet. If the
packet has been spoofed, the source address will be forged.
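As an added example that is not part of the original document, this Python code parses the fixed IPv4 header to extract the source address and applies an ingress (BCP 38 style) filter: a packet arriving on an interface whose source does not belong to the prefixes routed behind that interface is treated as spoofed. The packets and prefixes are constructed.

```python
import ipaddress
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"   # fixed 20-byte header, no options


def build_ipv4_packet(src, dst, payload=b"", ttl=64, proto=17):
    """Constructed packet for the example: header checksum is left at zero
    because nothing here is ever put on the wire."""
    ver_ihl = (4 << 4) | 5                     # version 4, header length 5 words
    header = struct.pack(IPV4_HEADER, ver_ihl, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4_header(packet):
    """Return (source, destination, protocol) read from the header. The source
    field is whatever the sender wrote there; nothing in the packet proves it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack(IPV4_HEADER, packet[:20])
    if fields[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (str(ipaddress.IPv4Address(fields[8])),
            str(ipaddress.IPv4Address(fields[9])), fields[6])


def ingress_filter(packet, interface_prefixes):
    """BCP 38 style source-address validation at a network edge: a packet arriving
    on an interface must carry a source that belongs to a prefix known to sit
    behind that interface. Returns ('accept' | 'drop', reason)."""
    src, dst, _proto = parse_ipv4_header(packet)
    src_addr = ipaddress.IPv4Address(src)
    if src_addr.is_loopback or src_addr.is_multicast or src_addr.is_unspecified:
        return "drop", f"{src} can never be a valid source on the wire"
    if not any(src_addr in ipaddress.IPv4Network(p) for p in interface_prefixes):
        return "drop", f"source {src} is not routed behind this interface (spoofed)"
    return "accept", f"{src} -> {dst}"


# Constructed: the customer behind this interface owns 203.0.113.0/24.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
GENUINE = build_ipv4_packet("203.0.113.10", "198.51.100.1")
SPOOFED = build_ipv4_packet("192.0.2.200", "198.51.100.1")   # forged source address
```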

7. 0-Day Attack:

A zero-day (0day) exploit is a cyber-attack targeting a software vulnerability which is unknown to the
software vendor or to antivirus vendors. The attacker spots the software vulnerability before any parties
interested in mitigating it, quickly creates an exploit, and uses it for an attack. Such attacks are highly
likely to succeed because defenses are not in place. This makes zero-day attacks a severe security threat.

Typical attack vectors include Web browsers, which are common targets due to their ubiquity, and email
attachments that exploit vulnerabilities in the application opening the attachment, or in specific file
types such as Word, Excel, PDF or Flash.

8. MITM – Man In The Middle Attack:


A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a
conversation between a user and an application—either to eavesdrop or to impersonate one of the
parties, making it appear as if a normal exchange of information is underway.

The goal of an attack is to steal personal information, such as login credentials, account details and
credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-
commerce sites and other websites where logging in is required.

Ex: MITM attack is the equivalent of a mailman opening your bank statement, writing down your
account details and then resealing the envelope and delivering it to your door.

9. SQL Injection:

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious
SQL statements are inserted into an entry field for execution. SQL injections are typically performed on
faulty and poorly designed web applications that don’t account for the security vulnerabilities possibly
present in the web application’s database management system.

A SQL injection attack is no more than a single line of code. It’s a simple but powerful technique that can
compromise essentially all a web application’s data, including highly sensitive information like user logins
and passwords, employee information, social security numbers, etc.

An attacker decides to attack a SQL server. The server has a prompt for a username and password:

Enter Username: username
Enter Password: password

The server has a database with a table of usernames and passwords. When a user enters their
information, the server compares them against the table of usernames and passwords. If the server
finds a match for both, the user is granted access.

The hidden program translates the user’s input into a query. A SQL query asks the database for a specific
set of information.

A hidden SQL query might look like this:

SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'username'
AND UserList.Password = 'password'
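An added example, not from the document, in Python with SQLite: the page's login query built by string concatenation beside the same query with bound parameters, showing that the parameterized form treats the attacker's input as data rather than SQL. The table contents and the injection input are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory copy of the UserList table from the text. The page's
    table stores plaintext passwords; a real system stores a slow password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO UserList VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    """The hidden query assembled by string concatenation: whatever the user
    types becomes part of the SQL text, so quote characters change the query."""
    query = ("SELECT UserList.Username FROM UserList "
             f"WHERE UserList.Username = '{username}' "
             f"AND UserList.Password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver passes the input to the
    database as values, never as SQL, so no input can alter the WHERE clause."""
    query = ("SELECT UserList.Username FROM UserList "
             "WHERE UserList.Username = ? AND UserList.Password = ?")
    return conn.execute(query, (username, password)).fetchone() is not None


# Constructed injection input: a quote closes the string literal and '--' turns
# the rest of the line, including the password check, into a comment.
BYPASS_USERNAME = "alice' --"
```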

10. Cross-site scripting (XSS) attack:


Cross-site scripting attacks, often abbreviated as XSS, are a type of attack in which malicious scripts are
injected into websites and web applications and run on an end user’s platform. XSS attacks are a
common and widespread type of attack, using unsanitized or unvalidated user inputs, aimed at the
generated output.

The XSS attack does not have to choose a specific target; the attacker simply exploits the vulnerability of
the application or site, taking advantage of anyone unlucky enough to trigger an attack. Using XSS
attacks, a web application or web site becomes the vector of delivering malicious scripts to the browsers
of several victims.

How does it work?

1. XSS attacks occur when a security vulnerability in a web page is exploited, often through a malicious link or an insecure user input field that allows an attacker to inject a malicious script into a website or application.

2. After the script has been inserted into a web page, the unsuspecting user or target typically triggers the execution of the malicious code when accessing the site or application. This can happen in several different ways, the most common of which is when the target clicks on a malicious link, or every time a page is loaded from the server.

3. For the attack to succeed, attackers need a way to transmit the malicious code to the target system via the visited web application or website. Social engineering is a common method for luring people into visiting a vulnerable or compromised web page, which then transmits the malicious code to the victim's browser.

4. XSS attacks are standard attack vectors against websites that do not sanitize user input. Sanitizing user input means that potentially dangerous characters are removed from the information before it is processed. An attacker can take advantage of user input fields, especially when they are not sanitized, by simply appending the malicious script to otherwise benign input.

5. When such malicious JavaScript is injected into a page, the attack starts as soon as the victim's browser loads the page. Since the browser cannot distinguish the malicious script from the "healthy" page content, the attack succeeds. The attacker can then gain access to the resources of the target site, hiding behind the user's request.

Different types of XSS attack


1. Stored (persistent) XSS – the malicious script resides on the server

Stored or persistent XSS attacks occur when the malicious scripts are permanently stored on the targeted server(s);
this can occur in a database, on a message board, in comment fields, or on other user input pages. Victims receive
a malicious script when the information is requested from the server.

2. Reflected XSS – the malicious script travels in the user's request to the server

A reflected attack occurs when the malicious script is not stored on the server but is included in the input sent to the server. Error messages and search results are two commonly used vectors.

These attacks are often delivered to the target via email or through another site, typically by tricking the target into clicking a link containing the malicious script or into submitting a malicious form. The malicious code is then reflected back to the user's browser. Because the response comes from the trusted site, the browser treats the script as trustworthy and executes it.

3. DOM-based attacks

There is a third type of attack, known as a DOM-based attack, which is less common but can occur. The Document Object Model, or DOM, is the application programming interface (API) used for valid HTML and XML documents. A DOM-based attack occurs when the DOM environment is modified in the target's web browser. This modification causes the client-side code to run in unexpected ways.

DOM-based attacks are different in that they do not exploit flaws in the server-side code; instead they rely on the client-side scripts.

Impact:

Severe XSS attacks can result in the user's session cookie being disclosed, which allows an attacker to take over the user's account and hijack their session. There can also be disclosure of end-user files, installation of malware, unexpected site redirects, and modification of how content is presented. XSS attacks can lead to compromise of usernames and passwords, leakage of sensitive data, and theft of confidential information or trade secrets.

XSS attacks can also allow attackers to modify content to their benefit, creating falsified information that can impact or harm the targeted individuals; this is known as content spoofing.

How to block XSS attacks: Standard Web Application Firewalls (WAF) and even next-generation WAFs work in the same way to detect and block attackers: they look at flat network data.
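As an added example (not the document's own code), the following Python renders a stored comment both the vulnerable way and with context-aware output encoding, the application-side complement to the WAF approach above; it includes the href scheme check that neutralises a malicious link. The comment and link are constructed inputs.

```python
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(url):
    """Neutralise a user-supplied link before it goes into an href attribute.
    Browsers ignore embedded whitespace and control characters when parsing a
    scheme, so strip them before checking; unknown schemes collapse to '#'."""
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)


def render_unsafe(author, comment, link):
    """The vulnerable pattern: stored user input interpolated straight into HTML."""
    return f'<p><a href="{link}">{author}</a>: {comment}</p>'


def render_escaped(author, comment, link):
    """Output encoding per context: element text is HTML-escaped, the attribute
    value is both scheme-checked and quote-escaped."""
    return (f'<p><a href="{safe_href(link)}">{html.escape(author)}</a>: '
            f'{html.escape(comment)}</p>')


# Constructed stored-XSS input: a comment that carries a script tag and a link
# whose scheme would run code instead of navigating.
STORED_COMMENT = ("bob", 'nice post <script>alert("xss")</script>', "JavaScript:void(0)")
```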

11. Brute Force Attack:


One of the least advanced but most successful techniques used by hackers to break into a network, a
brute force attack is achieved by employing a trial-and-error method of entering different username and
password combinations with an automated tool or bot until access is granted. Once they've infiltrated
the network, hackers steal data, install malware, or even shut the system down.

Types of brute force attacks

Credential stuffing: Attackers use known credentials such as email addresses and passwords that have been previously leaked in breaches from other organizations to log in to the network. Since users tend to reuse the same credentials in different services or applications, this mode is often successful.

Reverse brute force attack: In this type of attack, the hacker tries a commonly used password and attempts to log in with different usernames.

Dictionary attack: In this attack, the hacker will enter phrases or well-known words in the dictionary as passwords. These are usually words like "password," "admin," or "welcome."

How to protect yourself from brute force attacks:


• Enforce robust password policies so passwords are difficult to guess. Passwords that combine numbers, letters, and special characters are the most difficult to guess. You can also prevent users from including their username in the password.

• Implement two-factor authentication (2FA) as an additional layer of security.

• Limit login attempts within a specific time frame or to a certain number. If the attempts exceed the specified limit, the account should be locked out for a fixed amount of time, or the IP address sending the repeated requests should be blocked.

• Don't use the same passwords for different services. If a particular service is compromised, attackers can reuse the same credentials to access other services.

• Introduce a CAPTCHA, which requires users to identify a pattern of letters and numbers or images during the login process.
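The following Python class is an added example (not from the document) implementing the attempt-limiting and lockout rule above, tracked per account and per source address so that both ordinary and reverse brute force are slowed; the password hash, thresholds, clock and credentials are assumptions for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5     # failed attempts tolerated per key ...
WINDOW = 60.0        # ... within this many seconds
LOCKOUT = 300.0      # seconds a key stays locked once the limit is reached


def pw_hash(password):
    """Constructed stand-in: plain SHA-256 keeps the example dependency-free;
    production systems use a deliberately slow hash (bcrypt, scrypt, argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


class LoginGuard:
    """Login front end that enforces the 'limit attempts, then lock out' rule."""

    def __init__(self, credentials, clock):
        self.credentials = credentials        # username -> pw_hash(password)
        self.clock = clock                    # callable returning seconds
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time the lockout expires

    def _is_locked(self, key, now):
        if self.locked_until.get(key, 0.0) > now:
            return True
        recent = self.failures[key]
        while recent and now - recent[0] > WINDOW:   # forget failures outside the window
            recent.popleft()
        return False

    def _note_failure(self, key, now):
        recent = self.failures[key]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT
            recent.clear()

    def attempt(self, username, password, source_ip):
        """Returns 'ok', 'denied' or 'locked'. Counters are kept per account (one
        user, many passwords) and per source address (one host, many usernames,
        i.e. the reverse brute force and credential stuffing patterns)."""
        now = self.clock()
        keys = (f"user:{username}", f"ip:{source_ip}")
        if any(self._is_locked(k, now) for k in keys):
            return "locked"
        stored = self.credentials.get(username, "")
        if stored and hmac.compare_digest(stored, pw_hash(password)):
            for k in keys:
                self.failures[k].clear()
            return "ok"
        for k in keys:
            self._note_failure(k, now)
        return "denied"


class FakeClock:
    """Constructed clock so the scenario is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_guessing():
    """One host tries five dictionary passwords for alice, then the right one; the
    lock holds until LOCKOUT has elapsed. Returns the list of outcomes."""
    clock = FakeClock()
    guard = LoginGuard({"alice": pw_hash("correct horse")}, clock)
    outcomes = []
    for guess in ("password", "admin", "welcome", "123456", "letmein"):
        outcomes.append(guard.attempt("alice", guess, "198.51.100.9"))
        clock.advance(1)
    outcomes.append(guard.attempt("alice", "correct horse", "198.51.100.9"))
    clock.advance(LOCKOUT + 1)
    outcomes.append(guard.attempt("alice", "correct horse", "198.51.100.9"))
    return outcomes
```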

13. 3-Way Handshake:

The TCP three-way handshake in the Transmission Control Protocol (also called the TCP handshake, three-message handshake, or SYN-SYN-ACK) is the method TCP uses to set up a TCP/IP connection over an Internet Protocol based network. TCP's three-way handshaking technique is often referred to as "SYN-SYN-ACK" (or, more accurately, SYN, SYN-ACK, ACK) because three messages are transmitted by TCP to negotiate and start a TCP session between two computers. The TCP handshaking mechanism is designed so that two computers attempting to communicate can negotiate the parameters of the TCP socket connection before transmitting data such as SSH traffic and HTTP web browser requests.

This 3-way handshake process is also designed so that both ends can initiate and negotiate separate TCP
socket connections at the same time. Being able to negotiate multiple TCP socket connections in both
directions at the same time allows a single physical network interface, such as ethernet, to be
multiplexed to transfer multiple streams of TCP data simultaneously.
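As an added example not present in the original document, this Python model walks both endpoints through SYN, SYN-ACK and ACK with the state and sequence-number bookkeeping from RFC 793, and rejects a final ACK whose numbers do not match what was negotiated. Ports and initial sequence numbers are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """The handshake-relevant fields of a TCP header."""
    src_port: int
    dst_port: int
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False


class TcpEndpoint:
    """Connection-setup part of a TCP endpoint, following RFC 793 state names:
    CLOSED / LISTEN -> SYN-SENT or SYN-RECEIVED -> ESTABLISHED."""

    def __init__(self, port, isn):
        self.port = port
        self.isn = isn              # initial sequence number this side chose
        self.state = "CLOSED"
        self.snd_nxt = isn          # next sequence number we will send
        self.rcv_nxt = None         # next sequence number we expect from the peer

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer_port):
        """Message 1: SYN. The SYN itself consumes one sequence number."""
        self.state = "SYN-SENT"
        self.snd_nxt = self.isn + 1
        return Segment(self.port, peer_port, seq=self.isn, ack=0, syn=True)

    def receive(self, seg):
        if self.state == "LISTEN" and seg.syn and not seg.ack_flag:
            # Message 2: SYN-ACK acknowledges the client's SYN and carries our ISN.
            self.rcv_nxt = seg.seq + 1
            self.snd_nxt = self.isn + 1
            self.state = "SYN-RECEIVED"
            return Segment(self.port, seg.src_port, seq=self.isn, ack=self.rcv_nxt,
                           syn=True, ack_flag=True)
        if self.state == "SYN-SENT" and seg.syn and seg.ack_flag:
            # Message 3: ACK. Only accept a SYN-ACK that acknowledges our own SYN.
            if seg.ack != self.snd_nxt:
                raise ValueError("SYN-ACK acknowledges a sequence number we never sent")
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(self.port, seg.src_port, seq=self.snd_nxt, ack=self.rcv_nxt,
                           ack_flag=True)
        if self.state == "SYN-RECEIVED" and seg.ack_flag and not seg.syn:
            # The final ACK must match both numbers negotiated so far.
            if seg.ack != self.snd_nxt or seg.seq != self.rcv_nxt:
                raise ValueError("final ACK does not match the handshake")
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"unexpected segment in state {self.state}")


def handshake(client_isn=1000, server_isn=5000):
    """Run the three messages between a client and a listening server (constructed
    ports and ISNs); returns (messages as (seq, ack, SYN, ACK), client state, server state)."""
    client = TcpEndpoint(port=40000, isn=client_isn)
    server = TcpEndpoint(port=80, isn=server_isn)
    server.listen()
    syn = client.connect(server.port)       # 1. SYN
    syn_ack = server.receive(syn)           # 2. SYN-ACK
    ack = client.receive(syn_ack)           # 3. ACK
    server.receive(ack)
    msgs = [(s.seq, s.ack, s.syn, s.ack_flag) for s in (syn, syn_ack, ack)]
    return msgs, client.state, server.state
```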

14. Cyber Kill Chain:

Step 1: RECONNAISSANCE

Harvesting email addresses, conference information, etc.


The first step of any APT attack is to select a target. Depending on the motive(s) of the APT actor, the
victim could be any company or person with information the attacker(s) sees as valuable. Attackers
“fingerprint” the target to create a blueprint of IT systems, organizational structure, relationships, or
affiliations and search for vulnerabilities—both technical and human— to exploit and breach the
network. As large organizations tend to invest in multiple layers of security, this step could take weeks,
even months. However, the more knowledge the APT actor acquires on its target, the higher the success
rate of breaching the network.

Step 2: WEAPONIZATION

Coupling exploit with backdoor into deliverable payload

Next, attackers will re-engineer some core malware to suit their purposes using sophisticated
techniques. Depending on the needs and abilities of the attacker, the malware may exploit previously
unknown vulnerabilities, aka “zero-day” exploits, or some combination of vulnerabilities, to quietly
defeat a network’s defenses. By reengineering the malware, attackers reduce the likelihood of detection
by traditional security solutions. This process often involves embedding specially crafted malware into
an otherwise benign or legitimate document, such as a press release or contract document, or hosting
the malware on a compromised domain.

Step 3: DELIVERY

The three most prevalent delivery vectors for weaponized payloads used by APT actors, as observed, are email attachments, websites, and removable media such as USB sticks. The objective is the transmission and delivery of the weaponized bundle into the victim's targeted environment, but these efforts leave some digital fingerprints. This stage represents the first and most important opportunity for defenders to block an operation; however, doing so comes at the cost of certain key capabilities and other highly prized data. At this stage, effectiveness is measured by the fraction of intrusion attempts that are blocked at the delivery point.

Step 4: EXPLOITATION

At this stage the objective is to exploit a vulnerability to execute code on the victim's system and establish a command channel for remote manipulation of the victim. Here traditional hardening measures add resiliency, but custom defense capabilities are necessary to stop zero-day exploits. After the weapon is delivered to the victim host, exploitation triggers the intruder's code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code. In recent years this has become an area of expertise in the hacking community, often demonstrated at events such as Black Hat, DEF CON and the like.

Step 5: INSTALLATION

At this stage the installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. Installing malware on the asset usually requires end-user participation, by unknowingly enabling the malicious code. Taking action at this point can be considered critical. One method is to deploy a HIPS (Host-Based Intrusion Prevention System) to alert or block on common installation paths, e.g. NSA Job, RECYCLER. It is critical to understand whether the malware requires administrator privileges or only user privileges to achieve its objective. Defenders must understand endpoint process auditing to discover abnormal file creations. They need to be able to determine the compile time of the malware to judge whether it is old or new. Answers to the following questions should be considered mandatory: How does it persist and survive a reboot? Does it use an autorun key? Does the backdoor need to be running to provide access? Can you identify any certificates and extract any signed executables?

Step 6: COMMAND AND CONTROL

This stage is the defender's "last best chance" to block the operation, by blocking the Command and Control channel. If adversaries can't issue commands, defenders can prevent impact. Typically, compromised hosts must beacon outbound to an Internet controller server to establish a Command & Control (aka C2) channel. APT malware in particular requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders effectively have "hands on the keyboard" access inside the target environment. Remember that malware is seldom fully automated; normally this command channel is operated manually. The general practice of intruders is: email in, web out. The trick for them is to establish control over many workstations so that they can "exfiltrate" data without setting off any anomaly detection or other monitoring based on content, quantity, frequency, etc. Hence it is essential to have the proper tools in place, within your arsenal of capabilities, that can identify, track, observe, stop and destroy these campaigns.
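As an added example (not part of the original), the following Python flags outbound connections whose timing is too regular to be human, the beaconing pattern described above, by checking the jitter of the intervals between connections from one host to one destination. The log format, thresholds and addresses are constructed.

```python
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8   # fewer check-ins than this is too little to judge
MAX_JITTER = 0.15     # std-dev / mean of the gaps; machines are regular, people are not


def parse_conn(line):
    """Constructed outbound-connection log: '<epoch seconds> <src ip> <dst ip>'."""
    ts, src, dst = line.split()
    return float(ts), src, dst


def find_beacons(lines):
    """Return {(src, dst): mean interval in seconds} for host/destination pairs
    whose connection timing is regular enough to look like a C2 check-in."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_conn(line)
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
            beacons[pair] = round(mean, 1)
    return beacons


def constructed_log():
    """A compromised host checking in every 60 s with slight jitter, beside a
    person browsing in irregular bursts."""
    lines = [f"{i * 60 + (0, 1, 2, 0)[i % 4]} 10.0.0.7 198.51.100.23" for i in range(12)]
    lines += [f"{t} 10.0.0.8 192.0.2.10" for t in (5, 7, 8, 40, 41, 120, 300, 301, 302, 600)]
    return lines
```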

Step 7: Actions on Objectives

The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools that enable them to collect forensic evidence; network packet captures, for example, support damage assessment. Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, the objective of data exfiltration involves collecting, encrypting and extracting information from the victim's environment; violations of data integrity or availability are potential objectives as well. Alternatively, and most commonly, the intruder may only want access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, prepared reaction plans must be put into action. At a minimum, the plan should include a comprehensive communication plan, escalation of detailed evidence to the highest-ranking official or governing board, the deployment of endpoint security tools to block data loss, and preparation for briefing a CIRT team. Having these resources well established in advance is a "MUST" in today's quickly evolving landscape of cybersecurity threats.
