Chapter 2 Type of Attack Indicators

The document discusses various types of cyber attacks, including malware, ransomware, Trojans, and password attacks, highlighting their characteristics and methods of operation. It emphasizes the importance of understanding attack indicators to enhance security measures and prevent breaches. Additionally, it covers physical attacks such as malicious USB devices and card cloning, illustrating the diverse threats to information security.
Security+

Exam SY0-601

Chapter 2 Type of Attack Indicators

Chapter 2 (Domain 1.2)
Learning Objectives

• Compare and contrast different types of attack
• Learn to analyze potential indicators to determine the type of attack

Types of Attack Indicators
• Attacks can be made against virtually any layer of software, from network protocols to applications.
• Attacks can be against the user, applications, network, or cryptographic elements employed in a system.
• Each type of attack threatens at least one of the three security requirements: confidentiality, integrity, and availability (CIA).
• From a high-level standpoint, attacks on computer systems and networks can be grouped into two broad categories:
– Attacks on specific software
– Attacks on a specific protocol or service

MALWARE
• Refers to software designed for some nefarious purpose.
• Can cause damage to a system:
– Delete files
– Create backdoors
• Several different types of malicious software can be used:
– Viruses
– Trojan horses
– Logic bombs
– Spyware
– Worms

RANSOMWARE
• A form of malware that performs some action and extracts a ransom from the user.
• Typically encrypts files on a system and then leaves them unusable, either permanently, acting as a DoS, or temporarily until a ransom is paid.
• Typically a worm and completely automated.
• The only repair is to rebuild the system.
• Examples: CryptoLocker, NotPetya, and WannaCry

Trojans
• A piece of software that appears to do one thing (and may, in fact, actually do that thing) but hides some other functionality.
• Unlike a virus, a Trojan is a standalone program that must be copied and installed by the user; it must be “brought inside” the system by an authorized user.
• This generally means that the program must be disguised as something that the user would want to run.
• Once it has been copied and is inside the system, the Trojan will perform its hidden purpose, with the user often still unaware of its true nature.

Worms
• Worms are pieces of code that attempt to penetrate networks and computer systems.
• Once a penetration occurs, the worm will create a new copy of itself on the penetrated system.
• Reproduction of a worm thus does not rely on attaching itself to another piece of code or to a file, which is the defining characteristic of a virus.
• Recently, worms have become a tool of choice for ransomware attacks, as they can spread from system to system without operator intervention. The NotPetya worm of 2017 caused an estimated $10 billion in damage.

Potentially Unwanted Programs (PUP)
• Potentially unwanted program (PUP) is a designation used by security companies and antivirus vendors to identify programs that may have adverse effects on a computer’s security or privacy.
• These involve adware or spyware components and are used for revenue generation purposes.
• Potentially unwanted programs are a form of malware. Typical effects include:
– Slowing down your computer
– Displaying a ton of annoying ads
– Adding toolbars that steal space on the browser
– Collecting private information
• A common source of PUPs is third-party download sites for downloading apps.

Fileless Viruses
• Most antivirus/anti-malware solutions find malware by monitoring the file system for writes and then filtering the writes for known signatures.
• When a piece of malware operates only in memory, never touching the file system, it is much harder to detect.
• This type of attack is called a fileless virus, or memory-based attack.

Command and Control
• Command-and-control servers are used by hackers to control malware that has been launched against targets.
• Malware infections are seldom a single file on a single machine when an attack occurs in an enterprise.
• Multiple malware elements, on multiple systems, under various IDs, all working to provide a means for hackers to re-enter a system, are commonly found in enterprises.
• These malware elements also work to exfiltrate stolen data.

Bots
• A bot is a functioning piece of software that performs some task under the control of another program.
• A series of bots is controlled across the network in a group, and the entire assembly is called a botnet (combining the terms bot and network).
• Some botnets are legal.
• Illegal botnets work in the same fashion, but are controlled by a bot herder.
• Botnets continue to advance malware threats.

Crypto-malware
• Malware that encrypts all data on a user’s computer and may demand a ransom.
• Uses asymmetric encryption: one key to encrypt and a different key to decrypt.
• Can also be used to mine cryptocurrency, aka cryptojacking.
– Runs in the background and is not detectable by the user.
– Indication of infection: slower computer performance.

Cryptojacking
• Malicious cryptomining.
• Cybercriminals hack into personal and business computers to install software that steals cryptocurrency account credentials or uses the computer’s resources to mine for cryptocurrencies without the user’s knowledge.

Logic Bombs
• Logic bombs are a type of malicious software that is deliberately installed, generally by an authorized user.
• A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload.
• Two types of logic bombs:
– Time-based
– Event-based
• Logic bombs are difficult to detect because they are often installed by authorized users and, in particular, have been installed by administrators who are also often responsible for security.

Spyware
• Spyware is software that “spies” on users, recording and reporting on their activities.
• Typically installed without the user’s knowledge, spyware can perform a wide range of activities.
• It can record keystrokes (commonly called keylogging) when the user logs on to specific websites.
• It can monitor how a user applies a specific piece of software, such as monitoring attempts to cheat at games.
• Many states have passed legislation banning the unapproved installation of software, but spyware can circumvent this through complex and confusing end-user license agreements.

Keyloggers
• A piece of software that logs all of the keystrokes that a user enters.
• What makes a keylogger a malicious piece of software is when its operation is (1) unknown to the user, and (2) not under the user’s control.
• Malicious keyloggers have several specific characteristics: they are frequently hidden from the user’s view, even when looking at Task Manager, and they are used against the end user’s interests.
• Hackers use keyloggers to obtain passwords and other sensitive pieces of information, enabling them to use these secrets to act as the user without the user’s consent.
• Keylogger functionality has even been found in legitimate programs, where keystrokes are recorded for “legitimate” purposes and then stored in a fashion that enables unauthorized users to steal the data.

Remote-Access Trojans (RATs)
• A remote-access Trojan (RAT) is a toolkit designed to provide the capability of covert surveillance and/or the capability to gain unauthorized access to a target system.
• RATs often mimic the behavior of keyloggers and packet sniffers, using the automated collection of keystrokes, usernames, passwords, screenshots, browser history, e-mails, chat logs, and more, but they also do so with a design of intelligence.
• RATs can also employ malware to infect a system with code that can be used to facilitate the exploitation of a target.

Remote-Access Trojans (RATs)
• This backdoor into the target machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, access connected systems, and more.
• A RAT should be considered another form of malware, but rather than just being a program, it has an operator behind it, guiding it to do even more persistent damage.
• RATs can be delivered via phishing e-mails, watering holes, or any of a myriad of other malware infection vectors.
• RATs typically involve the creation of hidden file structures on a system and are vulnerable to detection by modern anti-malware programs.

Rootkit
• Rootkits are a form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality.
• The history of rootkits goes back to the beginning of the UNIX operating system, where rootkits were sets of modified administrative tools.
• Originally designed to allow a program to take greater control over an operating system’s functions when it fails or becomes unresponsive, the technique has evolved and is used in a variety of ways.

Rootkit
• A rootkit can do many things; in fact, it can do virtually anything that the operating system does.
• Rootkits modify the operating system kernel and supporting functions, changing the nature of the system’s operation.
• Rootkits are designed to avoid, either by subversion or evasion, the security functions of the operating system in order to avoid detection.
• The use of rootkit functionality to hide other processes and files enables an attacker to use a portion of a computer without the user or other applications knowing what is happening.
• This hides exploit code from antivirus and anti-spyware programs, acting as a cloak of invisibility.

Rootkit
• Rootkits can load before the operating system loads, acting as a virtualization layer, as in SubVirt and Blue Pill.
• Rootkits can exist in firmware; these have been demonstrated in both video cards and expansion cards.
• Rootkits can exist as loadable library modules, effectively changing portions of the operating system outside the kernel.
• Five types of rootkits exist: firmware, virtual, kernel, library, and application level.
• Once a rootkit is detected, it needs to be removed and cleaned up.
• The easiest way is to reimage the system.

Backdoors
• Backdoors were originally (and sometimes still are) nothing more than methods used by software developers to ensure that they can gain access to an application, even if something were to happen in the future to prevent normal access methods.
– Aka “maintenance hooks”
• The term backdoor is also, and more commonly, used to refer to programs that attackers install after gaining unauthorized access to a system to ensure that they can continue to have unrestricted access to the system, even if their initial access method is discovered and blocked.
• Backdoors can also be installed inadvertently by authorized individuals if they run software that contains a Trojan horse.

PASSWORD ATTACKS
• Spraying
• Dictionary
• Brute Force
– Offline
– Online
• Rainbow Tables
• Plaintext/Unencrypted

Spraying
• Password spraying is an attack that uses a limited number of commonly used passwords and applies them to a large number of accounts.
• Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password.
• Spraying is the reverse of this, using a limited number of passwords and trying them against all the accounts.

Dictionary
• Another method of determining passwords is to use a password-cracking program that uses a list of dictionary words to try to guess the password, hence the name dictionary attack.
• A number of commercial and public-domain password-cracking programs employ a variety of methods to crack passwords, including using variations on the user ID.
• These programs often permit the attacker to create various rules that tell the program how to combine words to form new possible passwords.
• A dictionary attack involves the use of a lookup table to try and find an answer.

Brute Force
• An attempt of all possible password combinations.
• The length of the password and the size of the set of possible characters in the password will greatly affect the time a brute force attack will take.
• A brute force attack on a password can take place at two levels: it can attack a system, where the attacker is attempting to guess the password at a login prompt, or it can attack the list of password hashes contained in a password file.
• Offline
• Online

Brute Force
• Offline
– Offline, brute force attacks can be employed to perform hash comparisons against a stolen password file. This has the challenge of stealing the password file, but if accomplished, it is possible to use high-performance GPU-based parallel machines to try passwords at very high rates and against multiple accounts at the same time.
• Online
– When the brute force attack occurs in real time against a system, it is frequently being done to attack a single account with multiple examples of passwords. Success or failure is determined by the system under attack, and the attacker either gets in or doesn’t. Online brute force attacks tend to be very noisy and easy to see by network security monitoring, and they are also limited by system response time and bandwidth.

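Detection logic for the two online patterns the Spraying and Brute Force slides contrast, written as an added example that is not part of the original deck: one source trying a few passwords against many accounts (spraying) versus one source hammering a single account (online brute force). The log format and the thresholds are assumptions, and the log lines are constructed.

```python
"""Classify failed-login bursts as password spraying or online brute force.

Added example, not from the slides. Log lines are constructed and their
format (time, result, user=, src=) is an assumption, not a real product's.
"""
from collections import defaultdict

# Constructed sample log: one spraying source, one brute-force source, and
# one user who simply mistyped once before logging in.
SAMPLE_LOG = """\
09:00:01 FAIL user=alice src=198.51.100.7
09:00:02 FAIL user=bob src=198.51.100.7
09:00:03 FAIL user=carol src=198.51.100.7
09:00:04 FAIL user=dave src=198.51.100.7
09:00:05 FAIL user=erin src=198.51.100.7
09:00:06 FAIL user=frank src=198.51.100.7
09:00:07 OK   user=grace src=198.51.100.7
09:10:00 FAIL user=admin src=203.0.113.9
09:10:01 FAIL user=admin src=203.0.113.9
09:10:02 FAIL user=admin src=203.0.113.9
09:10:03 FAIL user=admin src=203.0.113.9
09:10:04 FAIL user=admin src=203.0.113.9
09:10:05 FAIL user=admin src=203.0.113.9
09:10:06 FAIL user=admin src=203.0.113.9
09:10:07 FAIL user=admin src=203.0.113.9
09:12:00 FAIL user=alice src=192.0.2.44
09:12:30 OK   user=alice src=192.0.2.44
"""

def parse_failures(log_text):
    """Return {source_ip: {user: failed_attempts}} from the log text."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "FAIL":
            continue  # skip successes and malformed lines
        user = fields[2].split("=", 1)[1]
        src = fields[3].split("=", 1)[1]
        per_src[src][user] += 1
    return per_src

def classify_sources(log_text, spray_users=5, spray_max_per_user=2, brute_min=6):
    """Label each source IP (thresholds are assumptions; tune to your baseline).

    spray: few passwords against many accounts, so many distinct users with
           only a handful of failures each (the slides' definition).
    brute: one account hit with many guesses, noisy and easy to see online.
    """
    verdicts = {}
    for src, users in parse_failures(log_text).items():
        if len(users) >= spray_users and max(users.values()) <= spray_max_per_user:
            verdicts[src] = "spray"
        elif max(users.values()) >= brute_min:
            verdicts[src] = "brute"
        else:
            verdicts[src] = "benign"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

Because a spray spreads its failures thinly across accounts, a per-account lockout counter never fires; the signal only appears when failures are grouped by source, which is what the classifier does.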
Rainbow Tables
• Rainbow tables are precomputed tables of hash values associated with passwords. Using rainbow tables can change the search for a password from a computational problem to a lookup problem.
• This can tremendously reduce the level of work needed to crack a given password.
• The best defense against rainbow tables is salted hashes, as the addition of a salt value increases the complexity of the problem by making the precomputing process not replicable between systems.
• A salt is merely a random set of characters designed to increase the length of the item being hashed, effectively making rainbow tables too big to compute.

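The lookup-versus-computation point above, as an added example that is not from the slides: a table precomputed once from a word list recovers an unsalted hash by pure lookup, while the same password stored with a random per-account salt never appears in that table. The word list is constructed, and PBKDF2 (an assumption on my part, not something the slide names) is used for the salted form so the stored value is also slow to guess.

```python
"""Per-account salts defeat a precomputed (rainbow-style) lookup table.

Added example, not from the slides. The attacker word list and the stored
hashes are constructed here; PBKDF2 is used for the salted form so the
stored value is also slow to brute force, which plain SHA-256 is not.
"""
import hashlib
import hmac
import os

# Constructed attacker word list; the table built from it is computed once
# and reused against every system that stores unsalted hashes.
WORDLIST = ["password", "letmein", "summer2020", "qwerty"]
ITERATIONS = 100_000

def build_lookup_table(words):
    """Precompute hash -> plaintext for unsalted SHA-256 (the lookup problem)."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def hash_unsalted(password):
    """How a weak system stores passwords: deterministic, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def new_salt():
    """Random per-account salt; a fresh one is generated for every account."""
    return os.urandom(16)

def hash_salted(password, salt):
    """Store the salt next to the digest as 'salt$digest' so it can be verified."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored):
    """Recompute with the stored salt; only the right password matches."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def lookup(table, stored):
    """The rainbow-table step: a pure dictionary lookup, no computation."""
    return table.get(stored)

def demo(password="letmein"):
    """Return (recovered from unsalted store, recovered from salted store)."""
    table = build_lookup_table(WORDLIST)
    unsalted_hit = lookup(table, hash_unsalted(password))
    salted_hit = lookup(table, hash_salted(password, new_salt()))
    return unsalted_hit, salted_hit

if __name__ == "__main__":
    print(demo())  # ('letmein', None)
```

Two accounts with the same password get different stored values, so a table would have to be rebuilt per salt, which is the "not replicable between systems" property the slide describes.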
Plaintext/Unencrypted
• Any time a system can send you a copy of your password, there is a security issue.
• Example: Microsoft allows administrators to push out passwords for local accounts via Group Policy Preferences. To protect the passwords, they are encrypted using the Advanced Encryption Standard (AES). For reasons of compatibility with other systems, Microsoft published the AES key; see the problem.

Physical Attacks
• Malicious USB Cable
• Malicious Flash Drive
• Card Cloning
• Skimming

Malicious USB Cable
• Most users view a USB cable as just a wire, but in fact a USB cable can have embedded electronics in it.
• “Poisoned” cables have been found with electronics that can deliver malware to machines.
• This has been found in both normal USB cables and in Lightning cables for Apple devices.
• Demo cables have even been made with embedded Wi-Fi devices, enabling attacks against a Wi-Fi network from the cable itself.
– Example: the O.MG cable

Malicious Flash Drives
• They have been used to dupe users into picking them up, plugging them into their machine, and accessing an attractive folder such as “HR data” or “Sensitive pictures.”
• USB dropping is a well-known means of attack, where the attacker leaves tainted USB devices for people to pick up and use.
– Aka baiting
• Once they plug them into the network, the attack is automated.
• For user convenience, operating systems adopted an AutoRun or AutoPlay feature on USB devices, enabling content to run when the device was plugged in.
• After Windows XP, this was disabled.

Card Cloning
• It is possible to copy the information on the magnetic strip, enabling the person to later make a clone of your card.
• Smart cards made this more difficult, as the chip itself cannot be cloned.
• Another type of card that can be cloned is the contactless ID card. These cards are used by transit systems, access systems, and even passports. The NFC (near field communication) chip can be read, the information copied, and a clone implemented.

Skimming
• Skimming devices are physical devices built to intercept a credit card.
• These devices are placed on credit card readers to skim the data from the card while passing it on to the legitimate reader.
• Skimmers can collect all the information from a magnetic strip on the card as well as the PIN being entered, enabling a clone to be manufactured.

ADVERSARIAL ARTIFICIAL INTELLIGENCE (AI)
• Artificial intelligence (AI) is the use of complex models to simulate functions of the brain; in essence, a means to impart analytical abilities to the things we use, from robot vacuum cleaners to smartphone apps to digital assistants.
• AI brings power to computer solutions because AI models can analyze more combinations of inputs than a human and do so faster and with more accuracy.
• AI-enabled systems are used in anti-malware products to find new threats based on analysis of programmatic behaviors.
• Can AI also be used to evade defenses? The answer is yes, and this is known as adversarial AI. Just as defenders can write AI-enabled tools, attackers can use AI to enable their attacks, such as phishing, to avoid machine detection.

Tainted Training Data for Machine Learning (ML)
• Machine learning (ML) is one of the techniques used in AI.
• ML works by using a training data set to calibrate the detection model to enable detection on sample data.
• One of the weaknesses of ML is this training set dependency. The ability of the model to detect is a function of the efficacy of the training data set. A good training data set can build a solid detection model.
• A deficient training set can build a model with holes in it, holes that allow conditions to go undetected. Tainting the training data is one of the attack vectors that attackers can use against ML systems.
• Over time, as conditions change, an ML algorithm needs retraining or updating to keep it effective against differing inputs. Each of these updates represents an opportunity to taint the input data set.

Security of Machine Learning Algorithms
• Understanding the details of a machine learning algorithm once it is trained is crucial to the security of the algorithm.
• Should an attacker be able to reproduce the exact same set of parameters, they would be able to create attack data sets that could slip past the ML algorithm.
• Maintaining security around the parameters of an ML algorithm is essential to maintaining its effectiveness.

SUPPLY-CHAIN ATTACKS
• Supply chains are the network of suppliers that provide the materials for something to be built.
– Parts for computers
– Libraries for programmers
• The parts that are used, be they physical like a hard drive or logical like a library module, can be tainted, either by accident or on purpose.
• Manufacturers have shipped PCs with preinstalled malware, courtesy of a hard drive manufacturer which itself became infected by one of its vendors.

CLOUD-BASED VS. ON-PREMISES ATTACKS
• Attacks against data can happen whether the system is in house (on-premises) or in the cloud (cloud based).
• Using cloud computing to improve security only works if you choose a cloud vendor with a security solution as part of the package.
• Moving computing or storage to the cloud, in itself, does not change the security equation.
• Cloud computing is merely using someone else’s resources, and you get what you pay for, as in all contracts.

CRYPTOGRAPHIC ATTACKS
• Attacks against the cryptographic system are referred to as cryptographic attacks.
• Types of attacks:
– Birthday
– Collision
– Downgrade

Birthday
• The birthday attack is a special type of brute force attack that gets its name from the birthday paradox, which states that in a group of at least 23 people, the chance that two individuals share the same birthday is greater than 50 percent.
• This same phenomenon applies to passwords, with k (the number of passwords) being quite a bit larger than 50, but still a manageable number for computers and today’s storage capacities.

Collision
• A collision attack is where two different inputs yield the same output of a hash function.
• Through the manipulation of data, subtle changes are made that are not visible to the user yet create different versions of a digital file.
• With the creation of many different versions and the use of the birthday attack to find a collision between any two of the many versions, an attacker has a chance to create a file with changed visible content but identical hashes.

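The arithmetic behind the Birthday and Collision slides, as an added example that is not part of the original deck: the exact 23-person probability, the square-root rule that makes the collision resistance of a b-bit hash worth only about b/2 bits of work, and a toy search on a SHA-256 digest truncated to a few bits (the truncation is my assumption, made only so the search finishes instantly; it says nothing about SHA-256 itself).

```python
"""Birthday-paradox arithmetic behind birthday and collision attacks.

Added example, not from the slides. It computes the exact probability for
the 23-people case, the number of trials needed for a given collision
probability over a space of N values, and checks the math on a deliberately
truncated (toy) digest so the search finishes instantly.
"""
import hashlib
import math

def collision_probability(n, space):
    """Exact P(at least one shared value) for n draws from `space` values."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct

def trials_for_probability(p, space):
    """Draws needed for collision probability p: n ~ sqrt(2 N ln(1/(1-p)))."""
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))

def effective_security_bits(hash_bits):
    """Collision resistance of a b-bit hash is only about b/2 bits of work."""
    return hash_bits / 2

def first_collision_trials(truncate_bits):
    """Hash the inputs 0, 1, 2, ... with SHA-256 truncated to `truncate_bits`
    and return how many inputs were hashed before two shared a digest.
    This is the 'many versions' idea from the Collision slide on a toy scale;
    the truncation only exists to keep the example instantaneous."""
    seen = {}
    mask = (1 << truncate_bits) - 1
    i = 0
    while True:
        full = hashlib.sha256(str(i).encode()).digest()
        digest = int.from_bytes(full, "big") & mask
        if digest in seen:
            return i + 1
        seen[digest] = i
        i += 1

if __name__ == "__main__":
    print(round(collision_probability(23, 365), 4))       # 0.5073
    print(round(trials_for_probability(0.5, 2 ** 64)))   # about 5.06e9
    print(first_collision_trials(20))
```

For a 20-bit toy space the search typically ends after roughly a thousand inputs rather than a million, which is the whole reason hash output sizes are chosen so that 2^(b/2) remains infeasible.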
Downgrade
• As part of a Transport Layer Security/Secure Sockets Layer (TLS/SSL) setup, a specification of the cipher suite can be employed.
• This is done to enable the highest form of encryption that both server and browser can support.
• In a downgrade attack, the attacker takes advantage of a commonly employed principle to support backward compatibility, to downgrade the security to a lower or nonexistent state.
• POODLE attack: forcing TLS 1.0 to “downgrade” to SSL 3.0 and then using the SSL Strip tool to remove SSL from the connection, thereby reverting to an insecure state.
