
Unit 5

The document provides an overview of cyberspace and cybersecurity, highlighting the importance of protecting systems and data from various threats such as hackers, malware, and phishing. It discusses evolving cybersecurity threats, key development areas like AI and IoT, and the impact of economic shifts and outsourcing on cybersecurity practices. Additionally, it outlines common cyberattacks and best practices for mitigation, emphasizing the need for continuous adaptation in the face of technological advancements.

Uploaded by

bijeshsharma2016

Unit 5

Introduction to Cyberspace and Cybersecurity, Cybersecurity Perspectives, Key Development Areas and their impacts on the ever-evolving nature of Cybersecurity: Technological Changes, Economic Model Shifts, and Outsourcing, Risks Cybersecurity Mitigates, Common Cyberattacks, Poisoned Web Service Attacks, Network Infrastructure Poisoning, Technical Attack Techniques, Cyberattackers and Their Colored Hats.
• Introduction to Cyberspace and Cybersecurity
• Cyberspace is a digital realm where information and communication occur
through interconnected computer networks. Think of it as a vast,
interconnected universe where data flows freely.
• Cybersecurity is the practice of protecting computer systems, networks and
data from unauthorized access, use, disruption, modification or destruction.
• Threats to cybersecurity
• Hackers: A hacker is someone skilled in computer systems, networks, or
software who uses their expertise to identify vulnerabilities.
• Malware: Short for "malicious software," malware is a broad category of
harmful software designed to damage, disrupt, or gain unauthorized access to
systems
• Phishing: Phishing is a social engineering attack where attackers impersonate
legitimate entities (like banks or employers) to trick victims into revealing
sensitive information (e.g., passwords, credit card numbers).
• Data Breach: A data breach occurs when unauthorized individuals access or
expose sensitive, protected, or confidential information.
• Importance of Cybersecurity
• Privacy: Helps safeguard our personal information, preventing it from falling into
the wrong hands.
• Financial Security: Protects our online financial transactions and accounts.
• Business Continuity: Maintains operations and prevents disruption
caused by cyberattacks.
• National Security: Governments rely on cybersecurity to protect critical
infrastructure and national security interests.
• Cybersecurity Best Practices
• Strong passwords
• Regular updates
• Firewall protection
• Encryption
• Employee Training
• Incident response planning
• Cybersecurity Perspective
• 1. Importance of Cybersecurity
• Protecting Privacy: Safeguards sensitive personal and organizational data
from unauthorized access.
• Financial Security: Prevents economic losses due to fraud, ransomware, and
other cybercrimes.
• Business Continuity: Ensures the uninterrupted operation of systems and
processes.
• National Security: Defends critical infrastructure and government data from
cyberattacks.
• Trust and Reputation: Maintains consumer confidence in digital systems and
services.
• Evolving Cybersecurity Threats
• Advanced Persistent Threats (APTs): State-sponsored or highly skilled
attackers targeting governments and corporations.
• Ransomware Evolution: Increasingly sophisticated, targeting critical sectors
like healthcare and utilities.
• Social Engineering Attacks: Phishing, vishing, and smishing attacks exploiting
human vulnerabilities.
• Zero-Day Exploits: Attacks on vulnerabilities unknown to software vendors.
• IoT Vulnerabilities: Insecure Internet of Things (IoT) devices expanding the
attack surface.
• AI-Powered Threats: Cybercriminals leveraging AI to automate and enhance
their attacks.
• Challenges in Achieving Cybersecurity
• Rapidly Changing Technology: New technologies, such as IoT and AI, create
complex and evolving vulnerabilities.
• Lack of Awareness: End-users often remain the weakest link due to insufficient
knowledge about threats.
• Shortage of Skilled Professionals: A global talent gap in cybersecurity expertise
hampers effective defense.
• Regulatory Complexity: Navigating diverse and evolving cybersecurity
regulations across regions.
• Insider Threats: Difficulties in identifying and preventing malicious or negligent
actions by employees.
• Coordination Across Sectors: Limited collaboration between private
companies, governments, and international bodies.
• Key Development Areas and Their Impact on the Ever-Evolving Nature of
Cybersecurity
• As technology advances, new innovations reshape the cybersecurity landscape.

• 1. Artificial Intelligence (AI) and Machine Learning (ML)
• Impact:
• Enhanced Threat Detection: AI/ML algorithms analyze massive datasets to detect
anomalies and identify threats in real-time.
• Automation of Security Tasks: Speeds up vulnerability assessments, threat hunting,
and incident response.
• Adaptive Defense Systems: AI enables predictive threat modeling and adaptive
defense mechanisms that evolve with attack patterns.
• Challenges:
• Adversarial AI: Cybercriminals also use AI for sophisticated attacks, such as deepfakes and AI-
generated phishing.
• False Positives/Negatives: Reliance on AI may result in inaccuracies if models are poorly trained
or biased.
• 2. Cloud Computing
• Impact:
• Data Centralization: Cloud platforms aggregate vast amounts of sensitive data,
making them high-value targets.
• Scalable Security Solutions: Offers advanced security features like encryption,
multi-factor authentication, and shared responsibility models.
• Challenges:
• Shared Responsibility Confusion: Misunderstandings about who secures what in the
cloud can lead to vulnerabilities.
• Data Breaches and Misconfigurations: Misconfigured cloud resources are a leading
cause of data leaks.
• 3. Internet of Things (IoT)
• Impact:
• Increased Attack Surface: Millions of interconnected devices, often with weak
security protocols, provide new entry points for attackers.
• Critical Infrastructure Risks: IoT devices in healthcare, manufacturing, and
utilities create vulnerabilities that can disrupt essential services.
• Challenges:
• Lack of Standardization: Varied security protocols across devices hinder
comprehensive protection.
• Device Lifecycle Management: Legacy IoT devices often lack regular updates, leaving
them vulnerable.
• 4. Blockchain Technology
• Impact:
• Decentralized Security: Blockchain's distributed ledger technology offers
tamper-proof data storage and transaction verification.
• Secure Authentication: Applications in identity management and secure
transactions reduce fraud risks.
• Challenges:
• Smart Contract Vulnerabilities: Bugs or misconfigurations in smart contracts can lead
to exploitation.
• Scalability Issues: High computational requirements can limit adoption and efficiency.
• 5. Quantum Computing
• Impact:
• Breakthrough in Encryption: Quantum computers could break traditional
encryption algorithms, rendering many existing security measures obsolete.
• Quantum-Safe Cryptography: Development of quantum-resistant algorithms
will become essential to ensure data security.
• Challenges:
• Transition Risks: Organizations face challenges in migrating to quantum-safe encryption
before quantum computers become mainstream.
• Uncertain Timeline: Difficulty predicting when quantum threats will materialize
complicates preparedness
• Economic Model Shift
• Refers to changes in how businesses operate and allocate resources, which affect
their approach to cybersecurity. These shifts influence budgeting for security and
risk management:
• Subscription-Based Models in Cybersecurity
• Predictable Costs: Organizations benefit from fixed, recurring expenses for tools
and updates.
• Access to Latest Technology: Always up-to-date with cutting-edge security
features.
• Example: SIEM Solutions
• Tools like Splunk and Elastic SIEM enable:
• Advanced threat detection.
• Real-time incident analysis.
• Cost-Benefit Analysis in Cybersecurity
• Strategic Decision-Making: Balances the cost of security measures against the
potential financial and reputational impact of breaches.
• Resource Optimization: Ensures investments are focused on protecting critical
assets.
• Key Example:
• Sony PlayStation Network Breach (2011)
• Cost: $171 million in damages.
• Highlighted the importance of investing in robust security to avoid catastrophic financial losses.
• Cyber Insurance in Cybersecurity
• Financial Protection: Mitigates financial risks from cyber incidents, such as
ransomware or data breaches.
• Outsourcing
• Outsourcing involves delegating certain functions or services to external providers.
• Key outsourcing trends seen recently are:
• 1. Managed Security Services
• Overview: Delegates cybersecurity operations to external providers, offering
continuous monitoring and threat detection.
• Advantages:
• Access to expertise without in-house resources.
• Cost-effective, 24/7 monitoring.
• Scalable to organizational needs.
• Challenges:
• Dependence on third parties.
• Ensuring alignment with business objectives.
• 2. Third-Party Risk Management
• Overview: Focuses on assessing and mitigating risks from external vendors and suppliers.
• Key Practices:
• Regular risk assessments.
• Establishing security compliance requirements in contracts.
• Continuous monitoring of vendor performance.
• Examples: Data breaches caused by vendor mismanagement, such as the Target breach in 2013
via an HVAC contractor.
• 3. Security as a Service (SECaaS)
• Overview: Provides cybersecurity solutions (e.g., firewalls, identity management) on a
subscription basis.
• Benefits:
• Reduced upfront costs.
• Easy access to the latest technologies.
• Flexibility to scale with business needs.
• Challenges:
• Requires careful vendor evaluation to ensure quality and reliability.
• Dependency on external services for critical security operations.
• Cybersecurity: Mitigating Key Risks
• 1. Data Breaches and Unauthorized Access
• Threat: Unauthorized exposure or theft of sensitive information.
• Mitigation:
• Multi-factor authentication (MFA).
• Encryption of sensitive data.
• Regular access audits and compliance checks.
• Data Loss Prevention (DLP): A security solution that identifies and helps prevent unsafe or
inappropriate sharing, transfer, or use of sensitive data.
• 2. Malware and Ransomware Attacks
• Threat: Malicious software designed to disrupt, damage, or extort.
• Mitigation:
• Endpoint protection tools and antivirus software.
• Regular system backups to restore data.
• Employee awareness training on avoiding suspicious links.
• 3. Phishing
• Threat: Deceptive tactics to trick users into revealing credentials or financial
information.
• Mitigation:
• Email filtering and anti-phishing solutions.
• Ongoing employee training and simulated phishing tests.
• Secure email gateways.
• 4. Distributed Denial of Service (DDoS)
• Threat: Overwhelms systems or networks, disrupting services.
• Mitigation:
• Use of Content Delivery Networks (CDNs) and load balancers.
• Implementing DDoS mitigation solutions.
• Traffic monitoring to identify unusual patterns.
• 5. Insider Threats
• Threat: Security risks originating from employees or trusted partners, either
maliciously or negligently.
• Mitigation:
• Strict access controls and privilege management.
• Regular monitoring of user activities.
• Clear policies and insider threat awareness programs.
• 6. Advanced Persistent Threats (APTs)
• Threat: Prolonged, targeted attacks typically by skilled adversaries (e.g., state-
sponsored actors).
• Mitigation:
• Threat intelligence and advanced detection systems.
• Regular patch management to close vulnerabilities.
• Segmentation of critical systems and proactive incident response plans.
• IPS, EDR, Network segmentation
• 7. Regulation and Compliance Risk
• Threat: Non-compliance with data protection laws (e.g., NRB, GDPR, CCPA,
HIPAA) leading to fines and reputational damage.
• Mitigation:
• Compliance frameworks and regular audits.
• Data mapping and classification for legal alignment.
• Training staff on regulatory requirements.
• Common Cyberattacks
• Phishing
• Description: Fraudulent attempts to trick users into revealing sensitive information, like
passwords or credit card details.
• Example: Fake emails mimicking trusted institutions.
• Prevention:
• Employee training.
• Anti-phishing tools.
• Secure email gateways.
• Malware
• Description: Malicious software designed to harm or exploit systems, including viruses,
worms, and spyware.
• Example: Keyloggers stealing user credentials.
• Prevention:
• Regular updates and antivirus software.
• Application whitelisting.
• User education.
• Distributed Denial of Service (DDoS)
• Description: Overwhelming servers or networks to disrupt operations.
• Example: Botnets flooding websites with traffic.
• Prevention:
• DDoS mitigation tools.
• Load balancers.
• Traffic filtering.
• Man-in-the-Middle (MitM) Attacks
• Description: Intercepting communication between two parties to steal or alter data.
• Example: Eavesdropping on unsecured Wi-Fi.
• Prevention:
• Use encryption (e.g., HTTPS, VPN).
• Avoid public Wi-Fi without protection.
• Implement secure session management.
• SQL Injection
• Description: Injecting malicious SQL code into applications to manipulate databases.
• Example: Extracting user credentials from a vulnerable login form.
• Prevention:
• Input validation and parameterized queries.
• Regular code reviews.
• Web application firewalls (WAFs)
• Zero-Day Exploits
• Description: Exploiting unknown software vulnerabilities before developers can
patch them.
• Example: Attacks targeting unpatched operating systems.
• Prevention:
• Threat intelligence and monitoring.
• Regular patching and updates.
• Endpoint protection tools.
• Brute Force Attacks
• Description: Repeatedly trying different password combinations to gain
unauthorized access.
• Example: Automated tools cracking weak passwords.
• Prevention:
• Strong password policies.
• Account lockout after failed attempts.
• Multi-factor authentication (MFA).
• Ransomware
• Description: Encrypting data and demanding payment to restore access.
• Example: WannaCry attack targeting businesses globally.
• Prevention:
• Regular backups.
• Endpoint security solutions.
• Employee awareness training.
• Poisoned Web Service Attacks
• A poisoned web service attack is a type of cyberattack in which a malicious actor
manipulates or compromises a web service to deliver harmful or misleading content to
users or systems that interact with it.
• Types
• Compromising the web service: This attack targets the underlying web service by
exploiting vulnerabilities or weaknesses in its implementation.
• Techniques:
• Exploitation of Weak Authentication: Using stolen credentials or brute-forcing access
to compromise the service.
• Code Injection: Injecting malicious code via input fields, such as SQL injection or
Command Injection.
• Server Misconfiguration: Exploiting misconfigured servers (e.g., open ports, improper
permissions).
• Exploitation of Unpatched Vulnerabilities: Targeting known vulnerabilities in outdated
software
• Manipulating API Responses: Attackers exploit vulnerabilities in APIs to
intercept or alter their responses to clients.
• Techniques:
• Parameter Tampering: Changing API query parameters to manipulate
responses.
• API Replay Attack: Reusing valid requests to achieve unintended results.
• Server-Side Request Forgery (SSRF): Tricking the server into making
unauthorized requests on the attacker's behalf.
• Insecure Direct Object References (IDOR): Gaining unauthorized access to
sensitive resources by guessing object IDs.
• Impact:
• Displaying fake data to users.
• Misleading clients to perform unintended actions.
• Exposing sensitive user or system data.
• Client: The user or system making a request
• API Gateway: The entry point for all requests; it receives requests from the client and routes them to
the appropriate service.
• API: A set of defined endpoints that the client can interact with. These endpoints perform specific
functions or provide access to data.
• Business Logic Layer: This layer processes the incoming request, applies business rules, and interacts
with data so
• Database: The storage layer that holds data used by the API and business logic layer.
• Response: After processing the request, a response is returned to the client via the API.

+---------+      +-------------+      +-----+      +----------------+
| Client  | ---> | API Gateway | ---> | API | ---> | Business Logic |
+---------+      +-------------+      +-----+      +----------------+
                                                           |
                                                           v
                                                    +-------------+
                                                    |  Database   |
                                                    +-------------+
• DNS Poisoning and Redirection: This attack manipulates DNS records or
caches to redirect users to malicious websites.
• Techniques:
• Cache Poisoning: Altering the DNS cache on a recursive resolver to return
malicious IPs for legitimate domains.
• Man-in-the-Middle DNS Spoofing: Intercepting DNS queries and returning
malicious responses.
• Compromising Authoritative DNS Servers: Injecting malicious records at the
source.
• Impact:
• Redirecting users to phishing sites.
• Hijacking communication for data theft.
• Facilitating malware distribution.
• Man-in-the-Middle (MITM): An attacker intercepts communication between
two parties to eavesdrop, alter, or steal information.
• Techniques:
• HTTPS Downgrade Attack: Forcing clients to connect over HTTP instead of
HTTPS.
• Session Hijacking: Capturing session cookies to impersonate users.
• SSL/TLS Spoofing: Presenting fake certificates to intercept secure connections.
• Wi-Fi Eavesdropping: Using rogue Wi-Fi networks to capture traffic.
• Impact:
• Theft of sensitive information (e.g., login credentials, personal data).
• Unauthorized transaction approvals.
• Altering communications (e.g., injecting malicious scripts).
• The impact of a poisoned web service attack
• Data Theft and Breaches
• Sensitive Information Exposure: Attackers can extract personal, financial, or
proprietary data from the compromised service.
• Compliance Violations: Breaching sensitive data may violate regulations like
GDPR, HIPAA, or PCI DSS, leading to fines.
• Service Disruption
• Denial of Service (DoS): Manipulated logic or poisoned components can
render the service unusable, disrupting operations.
• Performance Degradation: The poisoned service may process malicious
requests, consuming excessive resources and slowing responses for legitimate
users.
• User Exploitation
• Delivery of Malicious Content: Poisoned responses can redirect users to
phishing sites or deliver malware.
• Account Compromise: Altered API responses or web forms can trick users
into revealing credentials.
• Fraudulent Transactions: Attackers may manipulate service logic to process
unauthorized transactions
• Reputation Damage
• Loss of Customer Trust: A poisoned service that misbehaves or harms users
can erode confidence in the brand.
• Negative Publicity: News of a successful attack can result in bad press and
decreased customer engagement
• Financial Loss
• Direct Loss: Fraudulent transactions, stolen funds, or ransom demands.
• Indirect Loss: Costs of incident response, forensic investigations, and legal settlements.
• Operational Downtime: Loss of revenue during the service outage.
• Propagation of the Attack
• Compromising Users: Poisoned data may exploit client-side vulnerabilities in users’
browsers or devices.
• Amplifying Cyber Threats: Attackers may use poisoned services as a delivery mechanism
for broader attacks, such as botnets or ransomware
• Example Scenarios:
• A poisoned DNS cache redirects users to a fake banking portal, leading to stolen
credentials.
• An API poisoning attack manipulates a payment gateway to bypass fraud detection,
enabling unauthorized transactions.
• Web cache poisoning delivers malicious scripts to thousands of users via a trusted
website.
• Secure APIs
• Rate Limiting and Throttling: Prevent abuse of APIs by limiting the number of
requests.
• Secure Endpoints: Use HTTPS and enforce strict transport security (HSTS).
• Protect Against Web Cache Poisoning
• Cache Key Design: Use unique keys for each cache entry to prevent
overwriting.
• Validate Cached Content: Ensure cached responses are sanitized and non-
malicious.
• Cache Invalidation: Regularly purge outdated or suspect cache entries
• DNS Security
• Implement DNSSEC: Ensure DNS records are signed and validated to prevent
spoofing.
• Monitor DNS Logs: Detect unusual query patterns indicative of poisoning
attempts.
• Use Trusted Resolvers: Prefer DNS providers known for secure operations.
• Encryption
• Use HTTPS/TLS: Encrypt all communication to prevent interception or
tampering.
• TLS Version and Cipher Suites: Use TLS 1.3 or later and disable weak cipher
suites.
• Certificate Pinning: Prevent MITM attacks by validating server certificates.
• Web Application Firewalls (WAFs)
• Deploy WAFs: Block malicious traffic and identify unusual patterns.
• Custom Rules: Define specific rules to detect poisoned input or API abuse.
• Configuration Management
• Harden Servers: Disable unused features, enforce strong security settings, and
minimize the attack surface.
• Configuration Validation: Periodically review and test service configurations for
vulnerabilities.
• Incident Response Plan
• Prepare for Breaches: Develop and test incident response procedures.
• Backups: Regularly back up critical data and configurations to facilitate recovery.
• Forensic Tools: Equip your team with tools to analyze and mitigate poisoning
attacks.
• Network Infrastructure Poisoning
• Network infrastructure poisoning is an attack that compromises critical components of a network to manipulate
traffic, compromise data, or disrupt communication. It typically involves exploiting
weaknesses in protocols, configurations, or trust relationships within the
infrastructure.
• Common Types of Network Infrastructure Poisoning
• DNS Poisoning
• Description: Alters DNS cache or records to redirect users to malicious domains.
• Techniques:
• Cache poisoning by injecting false responses to DNS queries.
• Compromising DNS servers to insert malicious records.
• Impact:
• Phishing attacks.
• Malware distribution.
• Service disruptions.
• ARP Poisoning
• Description: Sends fake ARP messages on a LAN to associate the attacker’s
MAC address with the IP of another device, enabling Man-in-the-Middle
(MITM) attacks.
• Techniques:
• Spoof ARP replies to intercept or redirect traffic.
• Manipulate the gateway ARP entry to hijack traffic.
• Impact:
• Data interception.
• Network disruption.
• Credential theft.
• BGP Hijacking
• Description: Manipulates Border Gateway Protocol (BGP) to redirect or
intercept internet traffic.
• Techniques:
• Advertise unauthorized routes to capture traffic.
• Exploit weak authentication between BGP peers.
• Impact:
• Traffic interception.
• Disruption of internet services.
• Propagation of malicious content.
• DHCP Spoofing
• Description: An attacker sets up a rogue DHCP server to provide malicious IP
configurations.
• Techniques:
• Assign attacker-controlled gateway or DNS server addresses.
• Assign invalid IP addresses to disrupt connectivity.
• Impact:
• Redirected traffic.
• Denial of service.
• Man-in-the-Middle attacks.
• Impact of Network Infrastructure Poisoning Attacks
• 1. Data Interception and Theft
• Description: Attackers can manipulate network traffic to intercept sensitive data,
such as login credentials, financial information, or confidential communications.
• Impact:
• Compromised customer data and intellectual property
• Increased risk of identity theft and fraud
• Loss of trust from clients and stakeholders
• 2. Network Disruption and Downtime
• Description: Poisoning attacks can redirect or block network traffic, causing outages
or performance degradation.
• Impact:
• Service interruptions and business downtime
• Reduced productivity for employees
• Missed business opportunities and potential revenue loss
• 3. Espionage and Surveillance
• Description: Attackers can redirect network traffic to malicious servers, enabling
them to spy on users' activities and gather confidential information.
• Impact:
• Exposure of sensitive internal communications
• Risk of corporate espionage
• Potential legal and regulatory consequences
• 4. Financial Damage
• Description: Poisoning attacks can lead to direct and indirect financial losses,
including ransom payments, recovery costs, and fines for regulatory non-
compliance.
• Impact:
• Costly incident response and remediation efforts
• Regulatory fines and legal fees
• Long-term brand damage and loss of customer trust
• Mitigating network poisoning
• 1. Use Encrypted Protocols
• Description: Encrypting communication protocols (e.g., HTTPS, SSH, TLS)
ensures that even if network traffic is intercepted, the data remains
unreadable.
• Benefit: Prevents attackers from accessing sensitive information through
interception.
• 2. Implement DNS Security Extensions (DNSSEC)
• Description: DNSSEC adds a layer of authentication to DNS queries, preventing
attackers from altering DNS responses and redirecting users to malicious
websites.
• Benefit: Protects against DNS poisoning and ensures users are directed to
legitimate domains.
• 3. Deploy ARP Spoofing Detection Tools
• Description: Tools like ARPwatch, XArp, or PacketFence monitor and detect
suspicious ARP activity, preventing attackers from impersonating devices
within the network.
• Benefit: Detects and mitigates ARP poisoning attacks in real-time.
• 4. Use Strong Authentication for BGP
• Description: Secure Border Gateway Protocol (BGP) sessions by using strong
authentication mechanisms such as TCP MD5 signatures or IPsec to prevent route hijacking.
• Benefit: Prevents BGP hijacking attacks that could disrupt or reroute network
traffic.
• 5. Monitor Network Traffic for Anomalies
• Description: Implement continuous network traffic monitoring to detect
unusual patterns that could indicate an ongoing poisoning attack.
• Benefit: Enables early detection of attacks, allowing for swift response and
mitigation.
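A simplified version of the binding check that ARP spoofing detection relies on, applied to constructed ARP observations. This is an added example, not code from the original slides or from ARPwatch, XArp or PacketFence; the class name, the addresses and the alert wording are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class ArpMonitor:
    """Learns IP-to-MAC bindings from ARP replies and reports conflicting claims."""
    gateway_ip: str
    bindings: Dict[str, str] = field(default_factory=dict)          # ip -> first MAC seen
    claimed_by: Dict[str, Set[str]] = field(default_factory=dict)   # mac -> IPs it announced

    def observe(self, ip: str, mac: str) -> List[str]:
        alerts: List[str] = []
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            # First sighting of this IP: learn the binding.
            self.bindings[ip] = mac
        elif known != mac:
            # The IP is now announced by a different MAC. The learned binding is
            # kept, so a spoofed reply cannot silently become the new baseline.
            severity = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            alerts.append(f"{severity}: {ip} changed from {known} to {mac}")
        ips = self.claimed_by.setdefault(mac, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                # One MAC answering for several IPs is typical of a host
                # impersonating the gateway (it can also be a multi-homed device).
                alerts.append(f"WARNING: {mac} claims several IPs: {', '.join(sorted(ips))}")
        return alerts


def scan(observations: Iterable[Tuple[str, str]], gateway_ip: str) -> List[str]:
    """Feed (ip, mac) pairs through a fresh monitor and collect every alert."""
    monitor = ArpMonitor(gateway_ip)
    alerts: List[str] = []
    for ip, mac in observations:
        alerts.extend(monitor.observe(ip, mac))
    return alerts


# Constructed sample data: (sender IP, sender MAC) taken from ARP replies on one LAN.
OBSERVATIONS = [
    ("192.168.1.1", "00:11:22:33:44:55"),    # gateway
    ("192.168.1.10", "aa:bb:cc:00:00:10"),   # workstation
    ("192.168.1.66", "de:ad:be:ef:00:66"),   # another host
    ("192.168.1.10", "AA:BB:CC:00:00:10"),   # same binding, different letter case
    ("192.168.1.1", "de:ad:be:ef:00:66"),    # gateway IP announced by host .66's MAC
]

if __name__ == "__main__":
    for line in scan(OBSERVATIONS, gateway_ip="192.168.1.1"):
        print(line)
```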
• Technical attack techniques
• SQL injection: SQL Injection (SQLi) is a code injection attack that allows
attackers to manipulate an application's SQL queries to interact with the
underlying database in unintended ways. This attack can result in unauthorized
data access, data modification, or even the complete compromise of the
database. Attackers exploit vulnerabilities in input fields (such as login forms,
search bars, or URL parameters) to insert malicious SQL code, tricking the
database into executing unintended commands.
• Mechanism of SQL Injection
• The SQL injection attack follows these steps:
• Web applications that use a database often rely on user input to construct SQL queries.
• If the input is not properly validated or sanitized, an attacker can insert SQL commands.
• The malicious SQL commands are then executed by the database, allowing attackers to
bypass authentication, retrieve data or delete data.
• SQL (admin, s3cret123)
• SELECT * FROM users WHERE username = 'admin' AND password = 'password123'
• Say the username is admin (a popular username) and the password is password123.
• Now: add admin'
• Always evaluates to true, i.e. 1=1
• SELECT * FROM users WHERE username = 'admin' OR '1' = '1' AND password = 'password123'
• https://demo.testfire.net/index.jsp
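The two queries above, run against an in-memory SQLite database next to a parameterized version. This is an added example, not code from the original slides; the `users` table layout, the function names, and treating (admin, s3cret123) as the stored account are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database holding one account (assumed to be admin / s3cret123)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext is used only to mirror the query on this page;
    # a real system stores a salted password hash instead.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret123"))
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Vulnerable: user input is pasted straight into the SQL text."""
    return (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the concatenated query; any returned row counts as a successful login."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Constructed input that reproduces the second query shown above.
CRAFTED_USER = "admin' OR '1' = '1"
WRONG_PASSWORD = "password123"

if __name__ == "__main__":
    db = make_db()
    # AND binds tighter than OR, so the WHERE clause reads
    #   username = 'admin' OR ('1' = '1' AND password = 'password123')
    # and the admin row matches even though the password is wrong.
    print(build_vulnerable_query(CRAFTED_USER, WRONG_PASSWORD))
    print("vulnerable, wrong password   :", login_vulnerable(db, "admin", WRONG_PASSWORD))
    print("vulnerable, crafted username :", login_vulnerable(db, CRAFTED_USER, WRONG_PASSWORD))
    print("safe, crafted username       :", login_safe(db, CRAFTED_USER, WRONG_PASSWORD))
    print("safe, correct credentials    :", login_safe(db, "admin", "s3cret123"))
```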
• Cross-Site Scripting (XSS)
• A technique in which attackers inject malicious scripts into websites viewed by
others. The malicious scripts are executed in the user's browser, where they can be
used to steal cookies, session tokens or accounts.
• Mechanism:
• The attacker injects a script into a trusted website that doesn't properly
validate user input. When other users visit the site, the injected script is
executed in their browsers.
• This script can perform actions on behalf of the victim, such as stealing session
cookies or redirecting them to a malicious website.
• In 2016, a popular airline's website was found vulnerable to XSS. This allowed
attackers to inject JavaScript into the website, which redirected users to a
phishing site where their credit card details were stolen.

• Defense
• Input Validation (Sanitize User Input): Remove potentially dangerous characters
like <, >, &, ', and " from user input.
• Content Security Policy: Restrict the execution of unauthorized scripts.
• Regularly scan for and patch any web application vulnerabilities.
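An added example (not from the original slides) of the defenses above: the same user comment rendered without and with output encoding, plus a Content-Security-Policy header value. It encodes the five characters on output instead of deleting them, so ordinary text containing them survives; the function names, the sample comments and the policy string are assumptions.

```python
import html
import secrets
from html.parser import HTMLParser
from typing import List, Tuple


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user input is placed into the page as markup."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened: <, >, &, ' and " are encoded, so the browser displays them as text."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def csp_header(nonce: str) -> Tuple[str, str]:
    """Header that allows only same-origin scripts and inline scripts carrying this nonce."""
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )
    return ("Content-Security-Policy", policy)


class ActiveContentFinder(HTMLParser):
    """Collects <script> elements and on* event-handler attributes in rendered HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")


def active_content(rendered: str) -> List[str]:
    """Return what a browser would treat as executable in the rendered fragment."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


# Constructed sample comments: two carry script, one is ordinary text.
SAMPLES = [
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(1)">',
    'Tom & Jerry say "hi"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("unsafe:", active_content(render_comment_unsafe(sample)))
        print("safe  :", active_content(render_comment_safe(sample)),
              render_comment_safe(sample))
    # A fresh nonce is generated per response and repeated on trusted inline scripts.
    print(": ".join(csp_header(secrets.token_urlsafe(16))))
```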
• DDoS (Distributed Denial of Service) Attack
• A DDoS attack is a cyberattack where a large number of compromised devices
(botnets) flood a targeted system, server, or network with overwhelming
traffic, making it unavailable to legitimate users.
• Mechanism:
• A DoS attack uses a single source to flood a target with traffic. In a DDoS attack,
multiple compromised systems are used to flood the target with traffic
simultaneously.
• The large volume of traffic exhausts system resources such as bandwidth,
memory and CPU, rendering the service inaccessible to legitimate users.
• Example: Nepal Airport, customs office.
• Defense:
• Web Application Firewall (WAF)
• Traffic filtering
• Load balancer
• DDoS protection service
• MITM attack: A Man-in-the-Middle (MITM) attack occurs when an attacker
secretly intercepts and alters communication between two parties without
their knowledge. The attacker can eavesdrop, steal sensitive data, or inject
malicious content into the communication.
• Mechanism
• Interception: The attacker places themselves between two parties (e.g., a client and
a server) to intercept the communication.
• Decryption (if using HTTPS): The attacker may use SSL stripping to downgrade the
connection from HTTPS to HTTP, making the traffic readable.
• Example: ARP spoofing, DNS spoofing, DHCP spoofing
• Defenses
• Use End-to-End Encryption: Always use strong encryption protocols such as TLS 1.3
to secure communication.
• Multi-Factor Authentication (MFA): Even if session data is stolen, MFA adds an extra
layer of security by requiring additional authentication steps.
• Educate Users: Train users to recognize phishing sites and be wary of SSL certificate
warnings.
• Use Secure DNS (DNSSEC): DNSSEC ensures that DNS responses are verified,
preventing DNS spoofing.
• Phishing
• Phishing is a cyber attack that uses fraudulent emails, messages, or websites
to trick users into revealing sensitive information or downloading malicious
software.
• Phishing Mechanism
• The attacker creates a fake website or email that mimics a legitimate one
• The attacker sends a bulk email to thousands of users, hoping that a
percentage will fall for the scam.
• Spear Phishing :Spear Phishing is a targeted phishing attack aimed at a
specific individual or organization, often using personalized information to
make the attack more convincing.
| Defense Mechanism | Description |
|---|---|
| User Awareness Training | Train employees to spot spear phishing attempts. |
| Multi-Factor Authentication (MFA) | Reduces the risk of unauthorized access. |
| Endpoint Detection & Response (EDR) | Detect and block malicious payloads on devices. |
| Email Verification Tools (DMARC, SPF, DKIM) | Ensure emails are from legitimate sources. |
| Zero Trust Security Model | Verify every request before granting access. |
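To show how the email verification results (SPF, DKIM, DMARC) reach a mail filter, the following added example, which is not part of the original slides, reads the `Authentication-Results` header that a receiving server stamps on each message and turns it into a triage verdict. The two messages, the server name `mx.example.org`, and the verdict labels are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed messages; mx.example.org stands in for our own receiving server.
LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: Bank Support <support@bank.example>
Subject: Your statement

body
"""
SPOOFED = """\
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=fail header.from=bank.example
From: Bank Support <support@bank.example>
Subject: Urgent: verify your account

body
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

def auth_results(raw, trusted_authserv="mx.example.org"):
    """Collect spf/dkim/dmarc results from headers stamped by our own server only."""
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a sender can forge this header; ignore ones we did not add
        for method, result in RESULT_RE.findall(rest):
            results.setdefault(method.lower(), result.lower())
    return results

def verdict(raw):
    """Triage label; a missing result is treated the same as a failure."""
    r = auth_results(raw)
    if r.get("dmarc") == "pass":
        return "authenticated"   # proves the sending domain, not that the content is benign
    if r.get("spf") == "pass" or r.get("dkim") == "pass":
        return "review"          # partially authenticated but not aligned with From:
    return "spoof-suspect"

if __name__ == "__main__":
    print(verdict(LEGIT), verdict(SPOOFED))
```

A message from a lookalike domain can still be "authenticated" for that domain, which is why the table pairs these tools with user training.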
• Ransomware
• Ransomware is malicious software that encrypts a victim's data, rendering it
inaccessible. The attacker then demands a ransom in exchange for the
decryption key. Failure to pay may result in permanent data loss or public
exposure of sensitive information.
• Mechanism
• Phishing emails with malicious attachments or links
• Exploit kits that target vulnerabilities
• Remote Desktop Protocol (RDP) attacks
• Malicious ads (malvertising)
• Defenses
• Backup Strategy
• Implement Multi-Factor Authentication (MFA)
• Endpoint Detection and Response (EDR)
• Email Security
• Network Segmentation
• Least Privilege Principle
• Disable RDP (Remote Desktop Protocol)
• Password Cracking
• Involves various methods to guess or decrypt passwords. Attackers use
techniques like brute force, dictionary attacks, or exploiting weak hashing
algorithms to gain access to user accounts.
• Mechanics
• Brute force: involves systematically trying every possible combination of
characters until the correct password is found.
• Dictionary attack: uses a list of common passwords or phrases to guess the password.
• Defense
• Complex passwords, account lockout, password managers
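The account lockout defense listed above can be made concrete with a sliding-window counter. This is an added example, not part of the original slides. It locks an account after a number of failed logins inside a time window and refuses even a correct password until the lock expires. The thresholds, class name and event list are constructed for illustration.

```python
from collections import defaultdict, deque

class LockoutTracker:
    """Lock an account after max_failures failed logins within `window` seconds."""

    def __init__(self, max_failures=5, window=300, lock_seconds=900):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time at which the lock expires

    def record(self, user, success, now):
        """Process one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.locked_until.get(user, 0) > now:
            return "locked"                 # a correct password is refused while locked
        if success:
            self.failures.pop(user, None)   # a good login resets the failure count
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            recent.clear()
            return "locked"
        return "failed"

# Constructed attempts: (seconds since start, account, password was correct).
EVENTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),
    (30, "bob", False), (40, "alice", False), (50, "alice", False),
    (60, "alice", True),    # the guess finally matches, but the account is locked
    (1000, "alice", True),  # the 900-second lock set at t=50 has expired
]

def replay(events, tracker=None):
    """Run events through a tracker and return the outcome of each attempt."""
    if tracker is None:
        tracker = LockoutTracker()
    return [tracker.record(user, ok, t) for t, user, ok in events]

if __name__ == "__main__":
    print(replay(EVENTS))
```

Per-account lockout slows brute force and dictionary guessing against one account. It does not count guesses spread thinly across many accounts.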
• Privilege Escalation
• Occurs when an attacker exploits a vulnerability to gain higher-level access,
such as administrator or root privileges, allowing them to perform unauthorized
actions such as installing software or changing system configuration.
• Mechanism
• Attackers exploit software bugs or vulnerabilities to gain elevated privileges.
• Improper file, directory, or registry permissions allow attackers to modify or execute
files with elevated privileges.
• Attackers steal privileged account credentials using phishing, keylogging, or token
theft.
• Defense
• Keep Systems and Software Updated
• Implement the Principle of Least Privilege
• Secure Credentials and Authentication
• Awareness
• EDR
• Harden file and directory permissions
• Types of Cyberattackers and Their Hats
• White Hat Hackers (Ethical Hackers): White Hat hackers are ethical security
professionals who use their skills to find and fix vulnerabilities in systems to
prevent cyberattacks
• Characteristics:
• Work with permission from system owners.
• Help secure systems and networks.
• Perform penetration testing and vulnerability assessments.
• Follow ethical guidelines.
• Often certified (e.g., CEH, OSCP).
• Black Hat Hackers (Criminal Hackers): Black Hat hackers are malicious
attackers who infiltrate systems for personal gain, financial profit, or
destruction. Their activities are illegal and harmful.
• Characteristics:
• Work without permission from system owners.
• Steal sensitive data (e.g., credit card information, personal data).
• Deploy malware, ransomware, or spyware.
• Sell data on the dark web.
• Focus on financial gain or disruption.
• Grey Hat Hackers (Hybrid Hackers): Grey Hat hackers operate between ethical
and unethical boundaries. They may exploit vulnerabilities without
permission, but they don’t have malicious intent and often inform the
organization afterward.
• Characteristics:
• No clear permission to hack.
• Report vulnerabilities after exploiting them.
• May ask for rewards for their findings.
• Blue Hat Hackers (External Security Specialists): Blue Hat hackers are external
security experts hired by organizations to test the security of their systems.
• Usually hired by companies for specific tasks.
• Conduct penetration testing before system deployment.
• Focus on preventing zero-day attacks.
• Red Hat Hackers (Vigilante Hackers)
• Red Hat hackers are vigilantes who actively hunt down Black Hat hackers and
malware operators. They use aggressive tactics to take down criminal
systems.
• Characteristics:
• Attack Black Hats and their infrastructure.
• Use offensive hacking techniques (e.g., DDoS attacks).
• Destroy or take down malicious servers.
• Green Hat Hackers (Script Kiddies and Beginners): Green Hat hackers are
newcomers to hacking. They lack advanced knowledge but use ready-made
tools and scripts to launch attacks. They are often learning and may
eventually evolve into more skilled hackers.
• Characteristics:
• Inexperienced and learning.
• Use publicly available tools (e.g., Metasploit, LOIC).
• Often unaware of the consequences of their actions.
• Hacktivists (Activist Hackers): Hacktivists are ideologically motivated hackers
who carry out cyberattacks to promote a political, social, or religious agenda
• Driven by ideology (e.g., political, environmental, social justice).
• Use DDoS attacks, data leaks, and website defacements.
• Target governments, corporations, or individuals.
