Threats, Attacks, Vulnerabilities

Malware

Comparing viruses, worms and trojans

• Virus: need user interaction
• Worm: no user interaction
  • RTM Worm (1988), 10% affected
• Trojan horse: disguised actions
  • RAT (Remote Access Trojan)

Malware payloads

• Adware: Change search engine, popups, etc
• Spyware: Gathers info, eg keyloggers
• Ransomware: Encrypt disk, eg wannacry
• Crypto malware: mines cryptocurrency

Understanding backdoors and logic bombs

• Backdor: workaround access eg hardcoded accounts, defaults, unknown access channels
• Logic bomb: eg date/time, file contents, API call

Looking at advanced malware

• Root kits: escalate privileges
• File-less viruses: in memory only, eg Office Macros, JavaScript code, Registry
• Botnets: communicate though IRC, Twitter, peer-peer (Command and Control)

Understanding botnets

Malicious script execution

Understanding Attackers

• Script kiddies
• Hacktivist - motivation
• Organised crime
• Nation states - APTs

• White Hats: work with targets' permission
• Back Hats: no permission
• Grey Hats: illegal, but with good intent

• Insider threat: principle of least privilege
  • 2 person check for critical operations
  • mandatory vacations for critical staff (fraud uncovering)
• Shadow IT
• Attack Vectors: Email, social media, USB, chip in cable, network jack, skimmmers, cloud servers, physical access (including supply chain), Wifi

Cybersecurity Adversaries

Preventing insider threats

Attack vectors

Zero days and the advanced persistent threat

Threat Intelligence

Threat Intelligence

Open Source intelligence: security websites, vulnerability DBs, media, codebases, etc Closed Source intelligence: proprietary info

• Timelines
• Accuracy
• Reliability

Threat indicators: IP, file patterns, etc

• Cyberobservable expression CybOX - Schema
• Structured Threat Information Expression (STIX) - Language format
• Trusted Automated Exchange of Indicator of Information (TAXI) - Info exchange

Cybox > STIX > TAXI

• Open IOC - Mandient Framework
• Functions supported by intellegence
  • Incident Response
  • Vulnerability Management
  • Risk Management
  • Security Engineering
  • Detection and Monitoring

Intelligence sharing

Information sharing & analysis centres

• Safe way for competitors to collaborate
• Each industry has at least one ISAC

Threat research

• Reputational threat research
  • previous actors, IP, email, domains, etc
• Behavioural research
  • identify behaviour that resemble activity of past threats
• Vendor websites, cybersecurity jouranals, academic journals, RFC docs, local industry groups, social media, etc

Identifying threats

Modelling: structured approach should be used:

• Asset focused
• Threat focused
• Service focused eg API review

Automating threat intelligence

eg

• Blacklisting IPs from feeds
• Incident Response could be partially automated eg IDS attack > workflow for customer geolocaton, logs, etc

Security Orchestration, Automation and Response (SOAR)

• Machine learning allows automated creation of file diagnostics

Threat hunting

Cannot prevent all threats: "assumption of compromise"

• Now searching for those compromises
• Need to think like an adversary

Establish a hypothesis and look for indicators of compromise -> containment/eradication/recovery

TTPs - Tactics, Techniques, Procedures

Social Engineering Attacks

Social engineering

Psychological attacks to gain info

• Authority - defer to authority
• Intimidation - scare people
• Consensus/social proof - herd mentality
• Scarcity - act quickly or miss an opportunity
• Urgency - time is running out
• Familiarity/liking - flattery/fake relationships

Education is the solution

Impersonation attacks

• Spam
  • phishing, trick users to share information
• Prepending info on email
• Spear phishing - target a small number
  • Whaling - target executives eg subpoenas
• Pharming - setup false websites
• Vishing - voice phishing
• Smishing / SPIM - SMS/IM often uses spoofing, faking an identity

Identifying fraud and pretexting

Pretexting - impersonate a customer while contacting an organisation

• eg convince phone company to switch phone number to his -> reset bank details with this number

Watering hole attacks

Websites that spread malware - users must trust websites, at least to some extent Users are conditioned to bypass security Attacker uses a compromised popular website -> infected system calls home

Physical social engineering

• Shoulder surfing
• Dumpster diving
• Tailgating

Common Attacks

Password attacks

• Brute force
• Dictionary attacks
• Hybrid attacks
• Rainbow table attacks

Password spraying and credential stuffing

Uses common password list and attempt to use them against one account

Adversarial artificial intelligence

Machine Learning:

• Descriptive analytics (eg what % female)
• Predictive analytics (eg model to predict future customer behaviour)

Aversarial AI: Injected tainted training data - Tesla speed sign example)

Understanding Vulnerability Types

Vulnerability impact

Confidentiality:

• Disclosure attacks: data breach

Integrity:

• Unauthorised changes

Availability:

• Authorised individuals can't access resources: DoS attacks

Risks:

• Financial
• Reputational
• Strategic
• Operational
• Compliance (eg HIPAA)

Supply chain vulnerabilities

End of Life Cycle:

• End of sale
• End of Support (all or some support stopped)
• End of Life (now updates at all)

Vendors can just fail to provide proper support, especially in embedded systems

Configuration vulnerabilities

eg default accounts

Cryptographic vulnerabilities

• Key management
• Certificate management

Patch management (OS, Apps, Finance)

Account management (eg execute permissions)

• Use principle of least privilege

Architectural vulnerabilities

Incorporate security early on, no a bolt-on extra

System sprawl: new devices get turned on but old devices are not decomissioned

Vulnerability Scanning

What is vulnerability management?

Detects, remediates and reports vulnerabilities

Why manage?

• Maintain security
• Comply with corp policy
• Comply with regulations
  • PCI/DSS: anyone who handles credit card data: quarterly scans internasal and external, repeat scans after large changes, use approved vendor, remediate and rescan until you achieve a clean report
  • FISMA for US government employers: follow NIST guidelines, regular scans, analyse the results, remediate legitimate vulnerabilities, share with other agencies

Tests:

• Network scans
• Application scans
• Web application scans (eg SQL/CSS)

Identifying scan targets

Asset Inventory provides a starting point Nessus and Qualis may discover assets

• Impact > what is the highest level of data classification handled?
• Likelihood > What is the network exposure? (is it behind a firewall? What services are running?)
• How critical is the system?

Scan configuration

Nessus

• configure pings, port scanning, scan sensitivity: default "normal" sensitivity
• "Enable safe checks"
• Rate limits can be configured
• Choose default plugins

Scan perspective

Network location:

• Consider scanning inside network/Internet/DMZ
• All are valid and answer different questions

Firewall and IDS/IPS and segmentation impacts scan results

Agent-based scans: install a security agent on each target

Credentialed scanning: mix scan perspectives

SCAP (Security Content Automation Protocol)

Confusing terminology, so provide a consistent language that describes items:

• CVSS (Common Vulnerability Scoring System)
• CCE (Common Configuration Enumeration)
• CPE (Common Platform Enumeration)
• CVE (Common Vulnerability and Exposures)
• EXXDF *Extensible Configuration Checklist Format)
• OVAL (Open Vulnerability Assesment Language)
  • describes testing procedures in a programmatic way

CVSS (Common Vulnerability Scoring System)

CVSS: 10 point scale:

• Attack vector
  • Physical
  • Local
  • Adjacent Network
  • Network
• Attack complexity
  • High
  • Low
• Privileges required
  • High (admin)
  • Low
  • None
• User interaction (exploitability)
  • Required (user needs to do something)
  • None

• Confidentiality
  • None
  • Low
  • High (all is vulnerable)
• Integrity
  • None
  • Low
  • High (all info could be modified)
• Availability
  • None
  • Low (performance degraded)
  • High (system shutdown)

• Scope
  • Changed (vulnerabilities can affect other comments)
  • Unchanged

Analysing scan reports

Prioritisation factors

• Severity of vulnerabilities
• System criticality
• Information sensitivity
• Remediation difficulty
• System exposure

Correlating scan results

Consult industry standard eg PCI/DDS:

• will fail if any systems has CVSS score of ⩾ 4.0

Technical info CMDB, log repositories, others Trend analysis look for changes over time, Eg if new web apps keep showing CVSS: Dev training or better libraries

Penetration Testing and Exercises

Penetration testing

Security professionals in roles of attackers

• test security controls by bypassing or defeating them
• define scope of systems ("Rules of engagement")

• White Box Test - with full knowledge like an internal attacker
• Black Box Test - with no knowledge like outsider
• Grey Box Test - with some knowlegde

NIST recommend:

• Discovery Phase
• Attack Phase
  • Gain Access > Elevate Privs > Browsing > Install tools
• Goto Discovery

Pivot: after exploiting a system, pivot to another more secure system

Clean up the traces of attack

• expensive/time consuming so use occasionally

Bug bounty

• Align attacker's and organisation's interests
• Can be self managed or fully managed by external vendor

Cybersecurity exercises

• Teams attacking (red) vs Securing systems (blue)
• White team: observe and judge

Red and blue team results -> Purple Team

• Capture the Flag exercises, usually in a sandbox