Module 2: Threats and Exploit

2.1 Cybercrime Landscape • Current Cybercrime landscape

• Future landscape

2.3 Threat Actors • Organised Cyber Criminals

• Hacktivists
• Nation States
• Insider Threats

2.3 Types of Malware • Worms

• Trojan Horses
• Fake Anti-Virus
• Viruses
• Spyware
• Ransomware
o WannaCry
• Modern Malware
• Botnets

2.4 Tactics, Techniques and The Tactics, Techniques and Procedures utilised by Threat
Procedures Actors and stages of an attack

2.5 Types of Attacks • Brute Force Attack and calculator

• Denial of Service and Distributed Denial of Service
• Man-In-The-Middle Attacks

2.6 Social Engineering What is Social Engineering – a focus on Phishing

2.7 Zero-Day Vulnerabilities Description of, timelines of, case study and how to protect
against.
Module outline and expected learning outcomes
In this module we will explore the current cybercrime landscape; the people working within this
landscape, known as threat actors, or TAs and their motivations; the cyber threats that TAs utilise
such as malware and phishing scams; and a few key considerations resolving around threats
within the cybercrime landscape.

2.1 Cybercrime Landscape

Roughly half of the world’s population use the internet every day, a figure that
has doubled in the last ten years.

This equates to 226 million google searches, every minute of every day, with
each search using enough energy to power a standard 60W lightbulb for
around 17 seconds.

As you can imagine, this is a lot of activity and it’s estimated that Google’s
data centres use around 1.5% of the whole planet’s energy supply.

But what about activity in the darker underbelly of the internet - cybercrime?

Cyber criminals make an attack every 39 seconds with nearly all featuring
hacking, malware, phishing or social engineering.

Even with these alarming figures, only 5% of companies’ folders are properly
protected.

World-wide spending on cybersecurity is forecasted to reach $133.7 billion

USD by 2020, but one problem the industry is currently facing is that there is
serious lack of cybersecurity professionals.
Regardless of this funding, over $1.5 trillion USD in revenue is generated per
year through computer-based criminal activities and is expected to grow
steadily in the future.

We’ll start with a very shortened history of cybercrime, focusing on some

notorious developments.

The Morris Worm of 1988 was one of the first documented computer worms
to gain media notoriety.

It was written by Robert Morris, a student at Cornell University, but launched

from the computer systems at MIT in a bit to try and hide the creator’s origins.

Morris claims that the code was not designed to cause damage, but as an
experiment to highlight security flaws.
An unfortunate and supposedly unintended consequence of the code
transformed the Morris Worm from a harmless intellectual exercise into a
virulent denial-of-service attack. This element of the code was in the
spreading mechanism, enabling the code to infect systems multiple times.
Each additional infection would slow the affected machine down to the point
where many became unusable.

The code infected two thousand computers in fifteen hours in a year when
there were only 60,000 computers connected to the internet and was so
damaging the internet had to be partitioned for several days to prevent the
spread, as networks were cleaned of the worm.

Moving a decade on to 1998, we see this image which shows the infamous
hacker group, L0pht Heavy Industries, as they testify to the US Senate. They
claimed that they were able to completely shutdown nationwide internet
access in just 30 minutes, and it is very likely that they could do what they
claimed. Even over 20 years ago, this would have had a significant affect on
the economy and would be completely devastating.

One thing of note is that this was not some basement-dwelling hacker group.
Many were highly educated electrical and software engineers who went on to
found successful cybersecurity companies and run government defence
programs.

Later in 2008, we see Alberto Gonzalez (aka “CumbaJohnny”) pictured in the

penthouse suite from which he lived. He was caught in possession of over
170 million credit card, debit card and ATM details.

He was actually also arrested five years earlier in 2003 when spotted by a
plainclothes NYPD officer withdrawing hundreds of dollars from an ATM, then
switching cards and withdrawing more, switching again and again and
continually withdrawing.

This initial arrest led to his employment by the United States Secret Service
to bring down the international hacker group he was affiliated with, called
Shadowcrew. After this he was allowed to return to normal life, however, his
gift for deception meant that throughout the time he was cooperating with the
Secret Service, he was also orchestrating a crew of hackers to gain access to
the 170 million payment card accounts which he had stolen from large
shopping chains in the US. He utilised a combination of SQL injection
backdoors in order to collect network traffic from within corporate computer
systems.
From September 2013 to May 2014, a famous trojan ran riot infecting
computers running Microsoft Windows with a ransomware called
CryptoLocker.

It spread through email attachments and via a preexisting network of

compromised computers which had been infected by another trojan.

When activated, the CryptoLocker malware would encrypt files on the

effected computer, with the key to unencrypt held by the associated cyber
criminals. Users of the infected machine would be presented with a message
requesting payment in the form of bitcoin within a set deadline in exchange
for the encryption key. The ransomware was estimated to have generated
around $3mil dollars in revenue.

2019 was a year of big data breaches, with cyber attacks targeting Internet of
Things Devices surging 300%. Just three attacks alone against First
American, Facebook and Capital One resulted in over 1.5 billion
compromised records.

Compromised records, along with other illicit products, like drugs, weapons
and even child pornography, is sold by cyber criminals on darknet
marketplaces, such as Genesis Market and Samara Market.

The future of cyber crime is incredibly hard to predict. It is a very high-stake,

fast-paced industry and cybersecurity professionals need to be meticulously
proactive in their research in order to stay on top of potential threats.

Recently we have seen the cybersecurity industry utilise artificial intelligence

and machine learning as tools to combat cyber attacks. The problem is, while
machine learning defences are quite well established, it is expected than
cyber criminals will also start to employ this technology to be used on the
malicious offensive. Attacks may avoid detection and defences whilst
increasing transmission and aggression over their lifetime through by learning
from their failures.

It is predicted that there will be a large increase in wetware attacks in the

future as hackers target human psychology as a key route to data. Wetware
is a term use to describe non-code-based approaches to obtaining
information, such as an untrustworthy employee being bribed to provide
confidential data, or sensitive paper documentation found in public places that
weren’t appropriately destroyed.

Another area of cyber crime that is expected to continue, develop and

progress indefinitely is state-sponsored cyber espionage and cyber warfare.
We’ll cover these in more detail shortly, but essentially, they are governments
attacking each other to gather information or cause disruption.

One thing that’s clear is that there is a tremendous amount of money involved
and that the motivation behind attacks is evolving more and more toward pure
^CLICK^ financial gain rather than internet fame like we saw in the days of
L0pht Heavy Industries. This isn’t expected to change any time soon as more
internet-dependent consumables are developed each year with potential to
be targeted, such as driverless cars, airplane communication modules and
even medical devices like pacemakers.

But who exactly will be leading the way for cybercriminals? In the next video
we’ll look at the main culprits, and their motivations.

2.3 Threat Actors

Types of Threat Actors

Most cybercrime is committed by four main groups of criminals, known as

Threat Actors. These are Organised Cyber Criminals, Hacktivists, Nation
States, and Insider Threats.
The different types of threat actors come equipped with their own favourite
supply of attack vectors known as Tactics, Techniques, and Procedures, or
TTPs for short. They are also driven by different agendas which can be
generalised as financial vs non-financial.

Let’s start with organized cyber criminals.

When picturing a cyber criminal, most would imagine a pale, skinny nerd
operating from his mum’s basement, but reality could not be further from the
truth.

As mentioned at the start of this module, cybercrime is estimated to generate

over $1.5 trillion USD per year. That’s over three times what the illicit drug
market generates! So the reality for a cyber criminal is more super-yacht than
basement-dweller.

You may have already guessed, the motivation of an organised cyber criminal
is financial gain. Cyber criminals achieve this by running large-scale
organisations with highly-skilled and well-communicating team members.

In recent years, the TTP of choice for organised cyber criminals by far has
been mass phishing campaigns designed to compromise as many machines
as possible. Each compromise only provides potential for a small monetary
gain, but when large numbers of machines are compromised, the revenue
generated can be astounding.

A common tactic to achieve this is using social engineering via emails to

deliver malware payloads.

Hacktivists

The second type of threat actor aren’t interested in financial gain as they are
activism-motivated, and are know as Hacktivists.

The most well known hacktivists are the group Anonymous, who are a not
just a collection of hackers, but also activists and general internet users. They
target high profile ideological groups such as the KKK, ISIS and international
arms dealers.

Hacktivist’s have two main TTPs of choice. The first is defacing websites of
governments, embassies, corporations or any organisation they don’t agree
with. The aim of this kind of attack is to embarrass the victim which may seem
like a relatively light-hearted attack, but the potential damage caused to the
reputation of certain organisations such as a the police force can be severely
costly.

The second TTP in a hactivist’s arsenal is DDoS attacks, or Distributed

Denial of Service attacks. They involve directing a large amount of traffic to
overwhelm a website through simple requests, such as loading the webpage,
sometimes causing it to crash.

Nation States

The third group of threat actors are nation states, AKA state-sponsored
hackers. Nations have been obsessively spying on and attacking each other
since they’ve existed, and the invention of the internet has just permitted
them to up their efforts.

‘Cyber espionage’ refers to information gathering, known as intelligence,

which is occurring on a massive, long-term scale. A prolific example of this
would be the work being performed by the USA’s National Security Agency,
or NSA. Edward Snowden is a whistleblower from the NSA who revealed that
they are monitoring most of the world’s emails, phone calls, IMs and so on.

Nation states also engage in what is dubbed ‘cyberwarfare’ which involves

one nation state penetrating another nation’s computers or networks for the
purposes of causing disruption.
A recent example of this is China’s alleged state-sponsored attacks against
foreign biomedical and pharmaceutical COVID-19 related research efforts in
a bid to slow foreign countries’ recovery from the pandemic.

Nation States often hire prolific national hackers and provide them a route to
legitimate income away from cyber crime. State-sponsored hackers are highly
resourced and their TTP of choice is advance persistent threat (APT) which is
a term used to describe utilising multiple different attack vectors to gain long-
term access to information.

Insider Threats

And more recently, we have found an increase in activity from the fourth
category, insider threats, which are threats from within an organisation itself.

The intent of this type of threat actor can range dramatically from the
malicious to the best-intentions.

A disgruntled employee may be tempted to steal sensitive data from their

employer prior to resigning - be it to publicise the information in a smear
campaign, to provide it to competitors for financial gain, or to use as a
reference for personal development or self-employment going forward.

On the other end of the spectrum of insider threats is an employee with

helpful intent who may share too much company information which falls into
the hands of competitors.

As you probably guessed, the TTP of choice is nearly always information data
theft.

Now that you’ve learnt about the four main types of Threat actors, it’s time to
dive a little deeper into the different types of Threats, Techniques and
Procedures that these four TAs favour.

2.3 Types of Malware

The next section of this course will cover the different types of malware.
But before we start, what exactly is malware?
A lot of people think that malware is the same as computer viruses, but the
truth is that a computer virus is just one of many types of malware.
The word malware is derived from the term ‘Malicious Software’. Malicious
Software, or malware, is intrusive code designed to infect a computer, server,
client or network with the aim of causing harm or stealing information.
There are many different types of malware out there to be wary of, but
generally we categorise them depending on some key behavioural difference.

In this video we will be looking at a few types of malware including worms,

trojans and ransomware

Worms
First we’ll cover worms, which are independent, self-contained malware
programs that are able to spread functional copies of themselves through
remote code execution. A worm does not require user interaction to infect a
system meaning they could infect your computer without you doing anything
at all.
Worms often spread exponentially as the number of infected computers
increases.

Often the malicious intent of a worm is to create a network of infected

computers, called a botnet. An attacker is able to command this network of
infected machines to direct large-scale attacks in the future. We’ll cover
botnets more in a short while.
The harm inflicted by worms usually leads to a consumption of bandwidth
causing a slowing of the infected machine, a halting of active anti-malware
software, immobilising safe mode and also hindering windows auto update
which may include important security updates relating to the worm itself!
Pause the video in a moment and refer to Exercise 1, Question 1 in your
exercise worksheet. If a worm can infect two new computers every two hours,
then how many infected computers are there after 12 hours?

Trojan Horse
The next malware we’ll look at take their name from Ancient Greek mythology
where the Greeks hid within a giant wooden horse, disguised as a gift, in
order to penetrate the walls of Troy.
Trojan horses are any malware that misleads its true intent and cannot self-
replicate.
They often utilise social engineering tactics to compromise machines, such as
fake advertisements or phishing. One of the most common trojans is a user
receiving an email and opening an attachment believing it to be legitimate.
When they open it, however, the attacker uses the opportunity to delivers a
payload that may allow them to obtain the user’s personal information, such
as banking log in details and passwords

A big problem in the past and good example of a trojan is Fake Anti-Virus
software, or FakeAV. It is a type of rogue security software posing as
legitimate software which misleads the user into believing that their machine
is infected with malware. The FakeAV malware requires a payment in order to
be purchased, which the victim will happily pay in order to remove the fake
malware from their system, but will then install real malware on their
computer as part of the FakeAV installation.

Viruses

The third malware we will look at today are viruses. Virus’ require user
interaction
Viruses are malware which hide their own code within executable programs
such as .exe and com files. The virus will modify the executable so that when
the program is executed, the virus spreads or replicates.
A virus will spread further when the program which it is hiding within is shared
and subsequently executed by others.

Spyware

The term spyware has been around since roughly 2000, although spyware
really took off in 2003. It is any program that monitors and gathers information
without the user’s knowledge.
Generally, the software is installed on purpose by somebody with the
intention of monitoring another user of the computer that it is being installed
on. This is the key different between spyware and a trojan or backdoor - it is
without the user’s knowledge, not without the user’s permission. The
ambiguity is that there are multiple users.
A lot of spyware is directed toward ‘concerned’ family members or a
‘suspecting spouse’. Regardless of motivation, installing spyware without an
affiliate’s knowledge is a grossly unethical breach of privacy.
Common damage we see caused by spyware includes the collection of
personal and confidential information, the installation of unsolicited software,
redirection of web browsers and also the adjustment of computer settings.
Pause the video in a moment and refer to Exercise 1, Question 2 in your
exercise worksheet. What do you think Sally has done, and what does she
need to now do?

Ransomware

Ransonware is a very common current malware type. An attacker aims

compromise your machine to reversibly encrypt the data within in. They will
then hold your data encrypted to a ransom payment. If you pay them the
defined ransom within their set timeframe, you can prevent a number of
malicious actions, such as taking you or your client’s sensitive data public, or
even permanently encrypting it deeming it completely unusable. The attacker
will hold the key to the encryption at their control centre until proof of payment
is received.
A particularly effective ransomware that plagued the world in 2017 was
WannaCry, which was unprecedented in scale with around 200,000
computers being infected across 150 countries
It propagated through EternalBlue, an exploit developed by the NSA within
older versions of Microsoft Windows, and demanded ransom payments in
bitcoin for the decryption key.
One institution especially effected by this ransomware was the National
Health Service, or NHS, in UK. Over 70,000 devices, including MRI scanners,
blood storage refrigerators and surgery equipment were affected.
Later in 2017, the USA, UK and Australia asserted that the attack was state-
sponsored by North Korea.

Modern Malware

We’ve just covered a number of main malware types. As a side note; we

generally define viruses, trojans and worms by how they are delivered and
propagated, but spyware, adware and ransomware by what they do.
Can you guess what type or types are most common nowadays? Well, the
answer is quite unfortunate for the victims of modern malware.
Modern malware has evolved to become very sophisticate and nearly always
draws together elements of many different malware types to produce a highly
devastating attack. Blended malware is malware that utilizes multiple types of
malware technology. For example, a virus these days may utilise social
engineering to spread, but also include a Trojan element where the attached
file has the appearance of a safe file, but once opened may run a code to
hold the data on that computer ransom. That’s a virus that is also a trojan that
is also a ransomware!

Botnets

We’ve mentioned the term ‘botnet’ a few times over the course of this
module, which is a collection of compromised computers, often referred to as
zombies.
They are the product of malware makings rounds on the internet and infecting
large numbers of computers, sometimes into the millions!
The hacker who compromised these computers, referred to as the bot master
or bot herder, can access and control the botnet using command and control
(C&C) software to deliver DDoS attacks, send spam, orchestrate mass
phishing campaigns and more!

Continued learning:
If you’re interested in learning about more types of malware, you can do
some internet research on on any of the following types which haven’t been
covered in this syllabus:
Backdoors
 • Downloaders
• Adware
• Droppers
• Rootkits
• Dialers

2.4 Tactics, Techniques and Procedures

Attackers will use a wide variety of methods to exploit vulnerabilities in a

system. There are a number of steps the attacker will need to carry out in
order to successfully execute and steal data. For these we will look at the
Mitre Attack Framework for the most commonly used tactics including:

• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defensive Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Command and Control
• Exfiltration

Initial Access
The adversary is trying to get into your network.
Initial Access consists of techniques that use various entry vectors to gain
their initial foothold within a network. Techniques used to gain a foothold
include targeted spearphishing and exploiting weaknesses on public-facing
web servers. Footholds gained through initial access may allow for continued
access, like valid accounts and use of external remote services, or may be
limited-use due to changing passwords.

Execution

The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code
running on a local or remote system. Techniques that run malicious code are
often paired with techniques from all other tactics to achieve broader goals,
like exploring a network or stealing data. For example, an adversary might
use a remote access tool to run a PowerShell script that does Remote
System Discovery.
PowerShell is a powerful interactive command-line interface and scripting
environment included in the Windows operating system. Adversaries can use
PowerShell to perform a number of actions, including discovery of information
and execution of code. Examples include the Start-Process cmdlet which can
be used to run an executable and the Invoke-Command cmdlet which runs a
command locally or on a remote computer.

Persistence

The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to
systems across restarts, changed credentials, and other interruptions that
could cut off their access. Techniques used for persistence include any
access, action, or configuration changes that let them maintain their foothold
on systems, such as replacing or hijacking legitimate code or adding startup
code.
Example: account manipulation - Account manipulation may aid adversaries
in maintaining access to credentials and certain permission levels within an
environment. Manipulation could consist of modifying permissions, modifying
credentials, adding or changing permission groups, modifying account
settings, or modifying how authentication is performed.

Privilege Escalation

The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain
higher-level permissions on a system or network. Adversaries can often enter
and explore a network with unprivileged access but require elevated
permissions to follow through on their objectives. Common approaches are to
take advantage of system weaknesses, misconfigurations, and vulnerabilities.
Example: Access Token manipulation, Windows uses access tokens to
determine the ownership of a running process. A user can manipulate access
tokens to make a running process appear as though it belongs to someone
other than the user that started the process.

Defense Evasion

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid
detection throughout their compromise. Techniques used for defense evasion
include uninstalling/disabling security software and leverage and abuse
trusted processes to hide and masquerade their malware.
Example:
Adversaries may disable security tools to avoid possible detection of their
tools and activities. This can take the form of killing security software or event
logging processes, deleting Registry keys so that tools do not start at run
time, or other methods to interfere with security scanning or event reporting.

Credential Access

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account
names and passwords. Using legitimate credentials can give adversaries
access to systems, make them harder to detect, and provide the opportunity
to create more accounts to help achieve their goals. Techniques used to get
credentials include keylogging which allows the threat actor is gain access to
user credentials

Discovery

The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge
about the system and internal network. These techniques help adversaries
observe the environment and orient themselves before deciding how to act.
They also allow adversaries to explore what they can control and what’s
around their entry point in order to discover how it could benefit their current
objective.
Example: Network sniffing - Network sniffing refers to using the network
interface on a system to monitor or capture information sent over a wired or
wireless connection

Lateral Movement

The adversary is trying to move through your environment.

Lateral Movement consists of techniques that adversaries use to enter and
control remote systems on a network. Following through on their primary
objective often requires exploring the network to find their target and
subsequently gaining access to it. Reaching their objective often involves
pivoting through multiple systems and accounts to gain.
Example: remote desktop protocol can be exploited to allow the threat hacker
access to the remote system. Adversaries might install their own remote
access tools to accomplish Lateral Movement or use legitimate credentials
with native network and operating system tools, which may be stealthier.

Collection

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques adversaries may use to gather information
and the sources information is collected from that are relevant to following
through on the adversary's objectives. Frequently, the next goal after
collecting data is to steal (exfiltrate) the data. Common target sources include
various drive types, browsers, audio, video, and email. Common collection
methods include capturing screenshots and keyboard input.
Example: An adversary can leverage a computer's peripheral devices (e.g.,
microphones and webcams) or applications (e.g., voice and video call
services) to capture audio recordings for the purpose of listening into
sensitive conversations to gather information.

Command and Control

The adversary is trying to communicate with compromised systems to control

them.
Command and Control consists of techniques that adversaries may use to
communicate with systems under their control within a victim network.
Adversaries commonly attempt to mimic normal, expected traffic to avoid
detection. There are many ways an adversary can establish command and
control with various levels of stealth depending on the victim’s network
structure and defenses.
Example: data obfuscation. Command and control (C2) communications are
hidden (but not necessarily encrypted) in an attempt to make the content
more difficult to discover or decipher and to make the communication less
conspicuous and hide commands from being seen.

Exfiltration

The adversary is trying to steal data.

Exfiltration consists of techniques that adversaries may use to steal data from
your network. Once they’ve collected data, adversaries often package it to
avoid detection while removing it. This can include compression and
encryption. Techniques for getting data out of a target network typically
include transferring it over their command and control channel or an alternate
channel and may also include putting size limits on the transmission.
Example: Data can be compressed and encrypted so it is less conspicuous
upon inspection by the victim

Impact

The adversary is trying to manipulate, interrupt, or destroy your systems and

data.
Impact consists of techniques that adversaries use to disrupt availability or
compromise integrity by manipulating business and operational processes.
Techniques used for impact can include destroying or tampering with data. In
some cases, business processes can look fine, but may have been altered to
benefit the adversaries’ goals. These techniques might be used by
adversaries to follow through on their end goal or to provide cover for a
confidentiality breach.
Example: account access removal - Adversaries may interrupt availability of
system and network resources by inhibiting access to accounts utilized by
legitimate users. Accounts may be deleted, locked, or manipulated (ex:
changed credentials) to remove access to accounts.

In the following videos we will look at examples of attacks that use a

combination of the tools, techniques and practices to achieve their goals

2.5 Types of Attacks

In this video we will reviewing the types of attacks that threat actors carry out,
what they look like and steps to mitigate them. We will look at brute force
attacks, denial of service attacks, man in the middle attacks and SQL
injections.

Brute Force Attacks

What is a brute force attack? This is a trial and error hacking technique
where the hacker continually attempts to guess the credentials which includes
passwords, pin codes and encryption data. The hacker uses an automated
software to generate the guesses. Examples of these programmes include
John the Ripper and Cain and Abel.

These are run by high powered computers that can run tasks at high speed.
These attacks are not very sophisticated and they do take take advantages of
system vulnerabilities. Dictionary attacks use a list of common passwords and
frequently used combinations of words, letters and numbers to guess
passwords or patterns on the qwerty keyboard such as 1qaz. Hackers may
find lists of passwords on the dark web and use these in their dictionary
attacks.

So let us have a look at this in practice, and demonstrate how longer

passwords with a range of characters are much harder to crack with a brute
force attack.

The longer the password the less likely any brute force attack will ever be
able to crack the password it due to the probabilities involved.
So besides ensuring we have good password hygiene, how else can we
protect from brute force attack?
- Two-factor authentication is considered by many to be the first line of
defense against brute force attacks. Implementing such a solution
greatly reduces the risk of a potential data breach. The great thing
about two factor authentification is that password alone is not enough.
Even if an attacker cracks the password, they would have to have
access to your smartphone or email client.
- We all got used to seeing CAPTCHA on the internet. Nobody likes
trying to make sense of something that looks like it’s been scribbled by
a two-year-old, but tools such as CAPTCHA render automated bots
ineffective. That single requirement to enter a word, or the number of
traffic lights, is highly effective against bots, even though hackers have
started using optical character recognition tools to get past this safety
mechanism.
- Enforcing a timeout for users who exceed the maximum number of
failed login attempts. By locking an account only for a set amount of
time after a designated number of unsuccessful login attempts it means
that automated brute force attack tools will not be as useful.

DoS and DDoS

Now we are going to have a look at DOS and DDOS attacks

DOS stands for Denial of Service attacks and DDOS stands for distributed
denial of service attacks. The goal of these attacks is to knock the victim
offline and make the targeted website unavailable to legitimate users.

Now let us look at how these attacks work. When you have a session
between a computer and a server, the computer will send requests to check it
is online and to interact with the content from the server. A denial of service
attack works by sending multiple requests, overloading the servers
capabilities, resulting in it becoming unavailable and unable to respond to
legitimate requests. The attacks leverage knowledge of protocols to maximise
the effect of their attacks to overwhelm the bandwidth of the target. These
attacks are measured by how many bits of traffic they send the target per
second, depending on the attack they may be measured in Mbps, Gbps and
Tbps. However not all attacks are bandwidth focused.

So what is the difference between a DoS and a DDoS attack?

Both attacks work by flooding a network or server with requests until the
website comes inaccessible
A DoS attack uses a single machine to launch the attack whereas a DDoS
attack uses multiple machines
A DDoS attack may use malware to affect multiple computers
DDoS attacks often use multiple computers flood the target with requests
distributed using botnets

What are the impact of a DDoS attacks?

A DDoS attack works using bots to send out multiple requests to a server
causing it to be overwhelmed. The connectively becomes so slow, it will time
out the session and terminate the connection.
By making one site unavailable, users may use another site to seek out the
content they were after.
In 2016 users could not access high profile sites such Twitter, Paypal, CNN
and many other websites due to a DDoS attack targeting the third party
providing technical services to these sites

DDoS attack have become a growing form of cyber crime, with cybercriminals
monetising on this trend with DDoS for hire attacks They advertise their
services on the dark web with promises to take competitors offline. In 2019 a
21-year old pleaded guilty to operating the Satori botnet, offering DDoS-for-
hire services using hacked IoT devices. This botmaster had infected more
than 800,000 devices including home routers, security cameras, welcomes
and online gaming platforms. The Satori-controlled botnets would flood
victims systems with internet traffic, taking them offline.
These attacks are highly effective and can cause huge amounts of damage to
the victims. With one attack an organisation or individual may be offline for a
substantial amount of time causing loss in revenue, loss of communication
and damage to reputation.

Lets is now have a look at some of the motivation for DoS and DDoS attacks:
• Financial - a company may seek to cause a competitors website to go
offline in order to increase legitimate traffic to their own website. An
online retail business going offline during an end of tax year sale would
cause huge financial losses. In 2017 research carried out by Kaspersky
Lab revealed that more than 40% of businesses hit by DDoS attacks
believed their competitors were behind it
• Political - an organisation may want to take down a website of an
opponent or opposing political group so they are unable to share their
political messages. In 2014, citizens in Hong Kong were invited to vote
on a referendum of constitutional voting reforms which would allow all
citizens to vote in elections. DDoS attacks targeted pro-democracy
websites such as Popvote, with peak traffic levels hitting 500 Gbps
• Hacktivists - these are cyber activists who take sites offline in the name
of their own ideologies. These attacks are often a form of ‘justice’
delivered to an organisation that the hackivisits feel wronged by.
Anonymous is a hacktivist group that have been active for many years
and have launched DDoS attacks against financial institutions based on
the belief that capitalism is evil
So how can you prevent and combat these form of attacks?
Detection: abnormal traffic flows can be detected and responded to early on
before major damage is done.
Idenitfy: DoS attacks are easier to combat as the victim can identify and block
the IP address of the particular attacker. However, DDOS attacks are harder
to combat because of the sheer volume of traffic, and it is difficult to identify
between legitimate traffic and attacks.
Routing - Organisations can avoid a single point of failure by spreading their
servers or they may increase their bandwidth to make it more difficult for the
attackers to overwhelm the server.
Response plan: In order to be proactive organisations should have DDoS
response plan in the event of an attack or they may outsource support from
companies specialise in DDos attacks.

Man-In-The-Middle Attacks

A man-in-the-middle attack is a type of cyberattack where a malicious actor

inserts themselves into a conversation between two parties. Generally, MITM
attacks fall into two categories. Purely eavesdropping is called a “passive
MITM.” The more advanced configuration is the “active MITM,” where
someone can capture everything that transmits between two devices, and
even modify the data in transit.

A passive man in the middle attack is basically eavesdropping online. Let us

look how this attack works. Two computers are sending and receiving data
between each other, and then a malicious actor virtually intercepts between
the two computers to receive data meant for someone else, without either
party being aware of what is happening. The most common (and simplest)
way of doing this is a passive attack in which an attacker makes free,
malicious WiFi hotspots available to the public. These free wi-fi spots are
often named according to their location and they aren’t password protected.
Once a victim connects to such a hotspot, the attacker gains full visibility to
any online data exchange.

Active MITM attacks often take place with email hijacking where the attacker
gains access to email accounts, can send emails from the victims account.
Here is an example of a MITM attack. The hacker impersonates both sides of
the conversation allowing him to gain access to funds.
This is commonly carried out with ARP spoofing. ARP spoofing is the process
of linking an attacker’s MAC address with the IP address of a legitimate user
on a local area network using fake ARP messages. As a result, data sent by
the user to the host IP address is instead transmitted to the attacker.
In 2015, a cyber-criminal group in Belgium stole a total of €6 million by
hacking through company emails using a man in the middle attack. The
hackers were able to gain access of corporate email accounts and request
money from clients using the hacked accounts.

So how do we protect against a man in the middle attack

- Avoid connections to public and free wi-fi connections
- Ensure strong router login credentials – not only must they be changed
from their default settings, they must have a login credential that is not
easily identifiable and a strong password. This prevents an attacker
logging in and spying on any communication.
- Use a VPN connection to add another layer of security. A VPN uses key
based encryption to create a subnet for secure communication
- Enforce HTTPS connection. HTTP is the primary protocol used to send data
between a web browser and a website. However HTTP communications are
not protected and open to interception, making them targets for MITM
attacks. Hypertext transfer protocol secure (HTTPS) is the secure version
of HTTP,. HTTPS is encrypted in order to increase security of data transfer.
This is particularly important when users transmit sensitive data, such as by
logging into a bank account, email service, or health insurance provider.

2.6 Social Engineering

So what is phishing?
Phishing works on the process of impersonating a trustworthy party to gain
access to sensitive data or install malware on a victims machine. It relies on
manipulation, where the user assumes the content from the author is
legitimate and has legitimate authority. The attacker is using using social
engineering tactics to fool you into thinking it is safe. Humans are, by nature,
trusting and often fall prey to manipulation online, which is a major risk to
cybersecurity.

This is what a common phishing scam might look like

- The user receives an email from a known contact or company, such as
a bank
- The email includes an attachment or a link to a fake website, known as
a trojan
- Once the user has clicked the link they will be directed to a fake website
that will look authentic, with the use of logos and reference to legitimate
company details
- The fake website will then ask the user to fill out a form with personal
information, password or credentials
- The personal information is now compromised and in the hands of the
threat actor who can use it for their own malicious means
Paypal is often used as a front for phishing scams. An example email sent
has the subject line ‘You’ve added a new address to your account’. The
recipient is then advised that if they didn’t add this address they must let
PayPal know straight away so no-one gets into their account without their
knowledge.

Unsuspecting users are then sent to a fake PayPal branded website that
looks legitimate asking them to enter their credentials.
After they have logged in they are then asked to update their billing address
and payment information. The cyber criminal now has access to log in
credentials, address, mobile number and credit card information.

So why is phishing so effective?

According to Verizon’s 2019 Data Breach Investigations report, 32% of all
cyber attacks involved phishing which shows how effective they are. Here are
some of the social engineering factors that contribute to their success:
- Authority: users see legitimate company names and logos and believe
that the company has the authority to ask for the information. Users
trust big companies and corporations and phishing scams prey on this
trust
- Familiarity: users recognise the well known company branding that is
used and believe it to be legitimate
- Urgency: phishing emails often use intimidation tactics and ‘better act now’
headlines. They often scare users into believing their data has been
compromised, their password has been leaked or might advertise a once in a
lifetime deal with big savings or a competition to enter for a quick win. They
often use dramatic language - warning in subject, threat that your account will
be suspended.
There are 3 main types of phishing and vary according to their target
General phishing is generic and targets a large audience
Spear phishing is targeted phishing of an individual. Attackers often research
the target on their social media account, finding out where their work and
personal information so they can make their communication seem more
authentic. According to the SANS institute 95% of all attacks on enterprise
networks are the result of successful spear phishing.
Whaling targets high profile executives in a company like the CEO. A whaling
attack example would be a hacker posing as the companies chief financial
officer and asking the CEO to confirm and approve a transaction and forward
onto the companies financial department. The hacker can then change the
account details, allowing the money being transferred to their account
Another type of targeted attack is a watering hole attack where an attacker
infects websites that they know the targets frequent.

So how do we detect a phishing email?

There are often certain details you can spot in a phishing email, however
some are very sophisticated and they replicate the real company very well.
1. Just because it says it’s coming from a person or company you trust, it
doesn’t mean it is legitimate. Always check the email address and
spelling of the company email to ensure it is genuine and you can
confirm the true sender. If you are unsure about the domain name
check the companies domain on google before interacting with any
links in the email
2. Check the links BEFORE you click on them, you can hover over the link
and check if it is the legitimate website
3. Look at the salutation used in the email. Phishing emails tend to use
general salutations such as ‘dear valued customer’ whereas legitimate
organisations will often use your full name
4. Beware of urgent language and headlines. Phishing email will often
create a sense of urgency to encourage users to click on links and
download attachments
5. Beware of attachments as these can contain malware. Attackers will try
and trick you with attachment names that entice you. If you are not
expecting an attachment, then do not open it.

Now let us have a look at this email, interact with it and see it we can spot
any signs that would tell us it was a phishing email.
• Firstly, by hovering over the sender details, we can see that the email
domain is @gmail.com rather than the company name and the
company name has been misspelt
• When we look at the salutation we can see it is vague and does not
directly greet the recipient
• As you read the email you can see that the language is used to create a
sense of urgency and scare the recipient
• There are several spelling errors and poor grammar throughout.
• Before clicking on the link, you can hover over it and see that it does
not take you to the legitimate Dropbox website

So how do we combat phishing?

• A lot of it comes down to user education and teaching people what to
look out.
• Businesses and individuals should invest in antivirus software that will
filter their incoming emails to reduce the risk of users clicking of
malicious links
• A quote from Ronald Reagan that summarises the approach to protect
against phishing scams is ‘trust but verify’. Be cautious and investigate
links and urgent requests
• In order to build awareness, individuals and businesses should report
phishing scams so businesses should be aware of common phishing
email addresses.
2.7 Zero-Day Vulnerabilities

tIn this video we will be looking at zero day vulnerabilities.

So what is a zero day vulnerability?
A zero day vulnerability is a security flaw in the software, hardware or
firmware that has been discovered, but not yet patched. These vulnerabilities
open the software to risk of exploitation by cybercriminals. We can compare it
to a thief sneaking in through a backdoor that was accidently left unlocked.
. The term ‘zero-day’ refers to a newly discovered vulnerability, where there is
so official patch or update to fix it. The developers therefore have ‘zero days’
to fix the problem. However, in practice, the attacks don’t happen this quickly;
there is a window of exposure where once the vulnerability becomes known,
the vendor has to act promptly to fix the vulnerability before hackers manage
to exploit the weakness, which is referred to as a zero-day attack. It is often a
race between the vendors working to release a patch and threat actors trying
to exploit the flaw.

Let us review a zero day vulnerability.

• It begins with the development of a software by a vendor. However, the
develop is not aware that the software contains a vulnerability
• The next stage is discovery. This is where the threat actor discovers a
zero-day vulnerability. Often these are advertised and sold on dark web
forums.
• Now the threat actors plan an attack by creating exploits and targeting
systems who are vulnerable
• Once the vendor detects the vulnerability they can work on creating a
patch before an attack can take place.
• Finally, the vendor created and distributes an update to patch the
vulnerability.

Why are they so effective?

These exploits are often reserved for high profile and high value targets such
as banks and governments, as these attacks tend to have a high success
rate.
Due to the window of exposure available zero day exploits allow threat actors
time to inflict damage unnoticed for a long time. Cyber criminals often reserve
these exploits for high value targets. Threat actors value zero day exploits
highly because they can often remain undetected for a long time, if they are
unknown flaws.
Funding and resources – zero-day exploits are often sold on the dark web for
large amounts of money. Threat actors who make these transactions often
have access to funds and resources to carry out highly sophisticated and
effective attacks
Zero day exploits are often difficult to detect because no attack signature
exists. Therefore it cannot be picked up by intrusion detection systems (ISes)
and intrusion prevention systems (IPSes). Successful detection often comes
from monitoring user behaviour analytics and looking for unusual activity that
does not follow the usual trend.
In a 2018 survey by the Ponemon Institute, 76% of organisations who were
compromised were due to zero day attacks. Cyber criminals are not the only
ones who take advantage of zero day vulnerabilities, government intelligence
agencies have also used these for their own political means.

Now let us have a look at a highly sophisticated zero day attack that targeted
Irans nuclear systems infrastructure.
In 2010, a highly sophisticated zero-day attack used Stuxnet, which was a
worm that exploited previously unknown Windows zero-day
vulnerabilities. Stuxnet was undetectable and the Iranian monitoring systems
never picked up the malware until it was too late.
This is how it happened
1) Attackers infiltrated Windows computer systems trying to find
vulnerabilities
2) Stuxnet was deployed using a worm via a USB and exploited zero day
vulnerabilities in the Microsoft Windows OS
3) The vulnerabilities passed from Windows software to the nuclear control
systems, allowing the malware to gain highly privileged access
4) The malware manipulated the centrifuge system, resulting in them
burning themselves out and shutting down

So how do we protect against zero days attacks?

1) Use only essentials applications – the more software you use the more
vulnerabilities you have. You can reduce the risk by using a minimum
numbers of application
2) Keep up to date with patches and updates. Patches will fix the
vulnerabilities making them less susceptible to attack
3) Behavior based detection – zero day exploits are dangerous because
antivirus software doesn’t have signatures in place to identify them.
Instead, by using more advanced antivirus software it can detect
malware using behavior analysis, by logging suspicious patterns of
behavior to detect and identify malware
4) Ensuring users practice cybersecurity hygiene. A culture of
cybersecurity, which includes increasing user awareness on attacks,
helps just as much as the security solutions that are deployed by the
organization.