Threats in Cyberspace

Who are the threats?

Some compare cyberspace to the U.S. Wild West era, when outlaws ruled the landscape and innocent people were often victims of crime. What differentiates cyberspace from that period in history is the anonymity of the attackers. It is important to classify the threat actors in cyberspace and understand their motives.

Nation-state
  Motivation: Leverages cyberspace to perform military-style operations. Looks to gather intelligence on other nations and to develop capabilities to deceive the enemy and to deny, degrade, disrupt, or destroy digital resources.
  Example: The Stuxnet worm was developed by a nation-state actor and used against the Iranian nuclear program.

Cybercrime Organizations
  Motivation: Leverages cyberspace for financial gain.
  Example: CryptoLocker malware encrypts user data, then demands payment for decryption.

Hacktivists
  Motivation: Leverages cyberspace to promote a political agenda.
  Example: In 2011 LulzSec performed a Distributed Denial of Service attack on the U.S. CIA website.

Individual
  Motivation: Leverages cyberspace to hack various targets for notoriety or personal gain.
  Example: During the late 1980s Kevin Mitnick broke into Digital Equipment Corporation's systems to steal the source code of its latest operating system.

Now that we know the threats and their respective motives, we need to understand their methodologies. What are the indicators that a cyber breach has occurred, and what countermeasures can we put in place to prevent these types of attacks? In this lesson we will discuss five common cyber threats:

  • Phishing

  • Malware

  • Weak or default passwords

  • Unpatched or outdated software

  • Removable media

Phishing

Phishing is a process in which a malicious actor sends a convincing email to a set of targets. The goal is to get the target to disclose personal information or to open a malicious attachment or link. Spear-phishing is a targeted attack directed against a specific person or group.

The following image is an example of a phishing campaign. The actor is posing as a member of USAA Financial Services; however, when we look at the actual FROM email address we learn it is coming from noreply.usaa-electronic-alert@bk.ru. Legitimate emails should come from usaa.com, not bk.ru. By the way, .ru is the top-level domain for the Russian Federation.

Indicators

Here are indicators related to phishing campaigns:

  • Typically email-based

  • FROM email addresses are not from legitimate domains

  • Bad grammar, spelling mistakes, bad translations

  • May contain malicious links or attachments

  • Appears to be from a position of authority (e.g. IRS, FBI, your boss)

  • Asks the user to update their information

  • Directs to a website that looks legitimate

Countermeasures

Here are ways to protect yourself from phishing attacks:

  • Do not open suspicious emails

  • Do not open suspicious attachments

  • Do not click on suspicious links

  • Do not disclose private information

  • Read all emails in plaintext form instead of HTML

  • Validate all FROM email addresses

    • Check the domain names

  • Validate all links

    • Check the domain names

  • Look for digital signatures (if possible)

  • Report any incident (e.g. accidentally clicking on email)

  • Update anti-virus
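The two "check the domain names" countermeasures above can be automated. The following is an added example written for this lesson, not code from the original material: it parses a message, compares the sending domain with the domain a claimed brand should use, and checks every link the same way. The brand-to-domain table and the two sample messages (modelled on the lesson's USAA/bk.ru case) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand names mapped to the domain that legitimately sends their mail. The USAA entry
# is the lesson's example; the table itself is a constructed assumption.
EXPECTED_DOMAIN = {"usaa": "usaa.com"}

def domain_matches(host, expected):
    """True for expected itself or a subdomain (alerts.usaa.com); false for usaa.com.evil.ru."""
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

def check_phishing_indicators(raw_message):
    """Return the lesson's FROM-address and link indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []
    # Indicator: the message claims a brand, but the FROM domain is not that brand's.
    for brand, expected in EXPECTED_DOMAIN.items():
        claims_brand = brand in (display_name + address).lower()
        if claims_brand and not domain_matches(sender_domain, expected):
            findings.append("FROM domain %r is not %r" % (sender_domain, expected))
    # Indicator: a link whose host name mentions the brand but points elsewhere.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        for brand, expected in EXPECTED_DOMAIN.items():
            if brand in host and not domain_matches(host, expected):
                findings.append("link host %r impersonates %r" % (host, expected))
    return findings

# Constructed messages modelled on the lesson's USAA example (not real mail).
PHISH = """From: USAA Financial Services <noreply.usaa-electronic-alert@bk.ru>
Subject: Update your account information

Please confirm your details at https://usaa.com.account-verify.ru/login
"""
LEGIT = """From: USAA <alerts@alerts.usaa.com>
Subject: Your statement is ready

View it at https://www.usaa.com/statements
"""
```

Note that a look-alike such as usaa.com.account-verify.ru passes a naive "contains usaa.com" test; comparing the registered domain suffix, as domain_matches does, is what catches it.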

Malware (Malicious Software)

Malicious software or "malware" is used by adversaries to: damage a system, perform unwanted behavior, or establish a foothold for future malicious activity. The following are common types of malware:

Viruses: Malware that self-replicates, usually via removable storage media.

Worms: Malware that does not require user interaction and may use stolen credentials to "worm" its way across a network to infect other systems.

Trojan: Malware designed to appear as legitimate software; it usually requires user interaction to run (e.g. the user double-clicks it).

Keyloggers: Malware designed to record user keystrokes and/or mouse clicks.

Spyware: Malware designed to record user activity, including browser history, cookies, and keystrokes. This software can also activate built-in cameras and microphones unbeknownst to the user.

Rootkits: Malware designed to subvert the operating system and hide malicious activity.

Backdoors: Malware that provides a way into a target system that is known only to the attacker.

Indicators

Malware may come from the following sources:

  • E-mail attachments

  • Infected websites

  • Infected removable media (e.g. USB drive)

Malware can cause the following effects:

  • Destroyed or modified data

  • System or network disruptions/latency

  • Loss of personal data

  • Allow malicious actor access to system/network

Countermeasures

Here are ways to protect yourself from malware:

  • Scan all e-mail attachments with anti-virus

  • Do not run software from untrusted sites

  • Do not run pirated software

  • Keep operating system and installed software up-to-date

Weak or Default Passwords

User credentials allow us to access computing systems; authentication is typically done with a username and a password. While the username may be known, the password is designed to be a secret; however, default or weak passwords can allow unauthorized access to a system.

We can classify our passwords based on complexity and memorability. These classifications are:

Strong: A highly complex password, typically using uppercase and lowercase letters, numbers, and special characters. Example: hT9$5hrQP!

Weak: A password with little to no complexity. Example: password

Good: A password that is easily memorable. Example: 1%PassworD

Bad: A password that is not easily remembered. Example: hT9$5hrQP!

Note that in the examples above the same password can be classified as "strong," because of its complexity, yet also as "bad," because it could be difficult to remember.

Some devices like home switches and routers have default (weak) passwords that are typically posted on the manufacturer's website. For example, on most Linksys routers the defaults are:

Username: admin
Password: admin

Because these passwords are known to the world, it is a security professional's job to know this and to change them immediately, before connecting the device to the Internet.

Indicators

Weak or default passwords have the following indicators:

  • Passwords are found in a dictionary

  • Passwords contain information about the person (e.g. dog's name)

  • Passwords do not use a combination of uppercase and lowercase letters, numbers, and special characters

Adversaries can use default passwords, password crackers, and brute force techniques to guess passwords and gain unauthorized access to systems.

Countermeasures

The following are common countermeasures:

  • Use complex passwords (combination of uppercase and lowercase letters, numbers, and special characters)

  • Do not use personal information

  • Do not use dictionary words or phrases

  • Do not write down your password

  • Create policies forcing users to use strong passwords

  • Enforce account lockouts to prevent brute force attacks

  • Do not use your browser to save passwords

  • Do not use the same password for all your accounts

  • Use a password manager

  • Do not share passwords
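The indicators and countermeasures above amount to a password policy, and a policy is only useful if it can be checked. The following is an added example, not part of the original lesson: it tests a candidate password against the three indicators the lesson lists (dictionary word, personal information, missing character classes) and classifies it as the lesson's "strong" or "weak". The small word list and the personal-information values are constructed stand-ins for a real cracking dictionary and a real user profile.

```python
import string

# Constructed word list standing in for a real cracking dictionary (assumption: a deployment
# would load a leaked-password list instead of these few words).
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

def password_findings(password, personal_info=()):
    """Return the lesson's weak-password indicators that apply to `password`.

    personal_info: strings the user is known by (pet's name, birth year, username);
    any of them appearing inside the password counts as an indicator.
    """
    findings = []
    lowered = password.lower()
    # Indicator 1: the password is, or contains, a dictionary word.
    if any(word in lowered for word in DICTIONARY):
        findings.append("contains a dictionary word")
    # Indicator 2: the password contains information about the person.
    if any(item.lower() in lowered for item in personal_info if len(item) >= 3):
        findings.append("contains personal information")
    # Indicator 3: the four character classes are not all used.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    return findings

def classify(password, personal_info=()):
    """'weak' if any indicator applies, otherwise 'strong' (the lesson's complexity classes)."""
    return "weak" if password_findings(password, personal_info) else "strong"
```

The check only measures complexity, the axis the lesson calls strong/weak; memorability (good/bad) is a judgement the user must still make, and a password manager removes the need to make it.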

Unpatched or Outdated Software

A vulnerability is a flaw in software that could compromise the security of the system running that software. Malicious actors may exploit these vulnerabilities to gain unauthorized access to a system or to perform a denial of service that prevents legitimate access. Updates or patches are fixes to known vulnerabilities. It is important for a security professional to ensure that software, including the operating system, is properly patched and updated.

Indicators

The following are indicators relating to unpatched or outdated software:

  • Program crashes

  • Operating system crashes (Blue Screen of Death)

  • Unauthorized access

  • Unauthorized modifications to the system

Countermeasures

The following are common countermeasures:

  • Set operating systems to update automatically from trusted sources

  • Frequently update installed programs

  • Audit installed programs

  • Remove unneeded or unwanted programs

Removable Media

Removable media is any storage device that can be attached to and removed from a computing system. This includes:

  • CD-ROMs

  • DVDs

  • USB Flash Drives

  • USB External Hard Drives

  • Mobile phones

  • Audio devices (e.g. iPod)

In some cases, adversaries will install malware on these devices, distribute them, wait for a device to be plugged into a target system, and receive a connection back to the attacker's system.

Indicators

The following are indicators of malicious removable media:

  • Removable media left where someone will pick it up (e.g. a parking lot)

  • Removable media sent to persons under the claim of a "free trial" or winning a prize

Countermeasures

The following are common countermeasures:

  • Create policies to prevent or limit the use of removable media

  • Use only approved media

  • Do not use media found or given to you by an untrusted party

  • Scan all removable media with anti-virus prior to use, preferably on a network isolated system

How do organizations respond to cyber threats?

No matter how strong an organization's security posture is, its security professionals and IT staff should be prepared to respond to all threats from cyberspace. An organization designed to handle cybersecurity breaches and investigations is commonly referred to as a Computer Emergency Response Team or "CERT". Some larger organizations may employ a team that regularly audits network security and responds to potential incidents. Smaller organizations may dual-hat their IT department to permit response to security threats when they are detected. However, one thing should be clear:

Information Technology (IT) is NOT cyber security

Information Technology manages the implementation, installation, maintenance, and decommissioning of IT resources. IT tends to focus only on the Availability aspect of the CIA Triad. Cyber security professionals are concerned with the physical and logical security of information systems and their data, incorporating all aspects of the CIA Triad.

As discussed earlier in this chapter, security professionals must embrace the prevent, detect, and respond lifecycle. This cyclical process is designed to strengthen an organization's security posture, detect malicious activity, and respond to active attacks.

Prevention

You may have heard the term "defense in depth." This approach, also called layering, places multiple security controls on top of each other so that defeating one control does not let the adversary compromise the entire network. We typically deploy:

  • Industry standards for server and workstation hardening

  • Technology to prevent attacks

    • Firewalls

    • Intrusion Prevention Systems

    • Anti-virus

  • Backup data in case of corruption or destruction

For example, we will harden our workstations and servers using industry standards like the Defense Information Systems Agency's Security Technical Implementation Guides. We will install network firewalls to deny all but explicitly authorized activity across the network. We can use third-party services to aid in preventing Distributed Denial of Service (DDoS) attacks on critical systems. Finally, we would back up our data to a third-party cloud service.

Detection

Do you have anti-virus on your computer now? This is an example of a threat detection system. Most organizations add additional layers of detection by employing:

  • Commercial (centrally-managed) anti-virus

  • Intrusion Detection / Prevention Systems (IDS/IPS)

  • Honeypots

Most detection systems rely on threat intelligence to enumerate current threats and build signatures to detect the malicious activity.

For example, suppose you are the response team lead for the ACME Corporation CERT. You have recently received a report that Charlie's computer is starting to "act weird." In your investigation you pull the logs from the email server and notice that the user received an email with the attachment important.doc.exe. The user confirms that they downloaded and ran the program, but "nothing happened." You pull the email from the server, compute the MD5 hash of the attachment, and receive the following:

jds@affinityhq$: openssl md5 important.doc.exe
MD5(important.doc.exe)= 19a9338a4417ce2beb28d5f2c6f94abe

You enter this hash into VirusTotal and learn from the result that this file is "ransom" malware. You take this intelligence (the MD5 hash) and enter it into your IDS and anti-virus platforms. This will aid in detecting further attacks and help determine whether this is an isolated incident or a phishing campaign.
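The last step, turning the hash into a detection and sweeping for other recipients, is shown in the following added example; it is not code from the original lesson. It hashes each attachment seen in a mail log, matches it against a known-bad set seeded with the hash above, also flags the double-extension lure name (important.doc.exe) as its own indicator, and groups hits by recipient so that one hit reads as an isolated incident and several as a campaign. The log records and the attachment bytes are constructed stand-ins, not real malware.

```python
import hashlib

# The MD5 the lesson obtained for important.doc.exe. In practice this set is fed from the
# team's threat-intelligence sources rather than typed in.
KNOWN_BAD_MD5 = {"19a9338a4417ce2beb28d5f2c6f94abe"}

# Extensions Windows treats as executable. A name such as important.doc.exe pairs a document
# extension with one of these so the file looks like a document in a file listing.
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1"}
DOCUMENT_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg"}

def md5_hex(data):
    # MD5 is no longer collision resistant, but it is still the lookup key most
    # intelligence feeds (and VirusTotal) publish, so it serves as an exact-match IoC.
    return hashlib.md5(data).hexdigest()

def looks_like_double_extension(filename):
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DOCUMENT_EXT

def triage_attachment(filename, data, known_bad=KNOWN_BAD_MD5):
    """Return the reasons an attachment should be treated as malicious (empty if none)."""
    reasons = []
    digest = md5_hex(data)
    if digest in known_bad:
        reasons.append("MD5 %s matches threat intelligence" % digest)
    if looks_like_double_extension(filename):
        reasons.append("document name hides an executable extension")
    return reasons

def sweep_mail_log(records, known_bad=KNOWN_BAD_MD5):
    """Map each recipient to the flagged attachments they received.

    records: iterable of (recipient, filename, attachment_bytes). The same hash reaching
    several recipients indicates a campaign rather than an isolated incident.
    """
    hits = {}
    for recipient, filename, data in records:
        reasons = triage_attachment(filename, data, known_bad)
        if reasons:
            hits.setdefault(recipient, []).append((filename, reasons))
    return hits

# Constructed sample records; the bytes are harmless stand-ins for the lesson's attachment.
LURE = b"MZ constructed stand-in for important.doc.exe"
SAMPLE_RECORDS = [
    ("charlie@acme.example", "important.doc.exe", LURE),
    ("dana@acme.example", "important.doc.exe", LURE),
    ("eve@acme.example", "q3-report.pdf", b"%PDF-1.4 constructed harmless report"),
]

def campaign_recipients(records=SAMPLE_RECORDS):
    """Recipients who got a flagged attachment, with the sample lure's own hash added as an IoC."""
    return sorted(sweep_mail_log(records, KNOWN_BAD_MD5 | {md5_hex(LURE)}))
```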

Response

The U.S. National Institute of Standards and Technology (NIST) published Special Publication 800-61 Revision 2, the Computer Security Incident Handling Guide, which is designed as a framework for responding to incidents. We strongly encourage you to skim this document.

Organizations typically handle incidents in a four-step process:

  • Preparation

  • Detection and Discovery

  • Containment, Eradication, Recovery

  • Post-Incident Activities

Preparation

Organizations need to have a response plan. They should have a list of qualified individuals to investigate potential breaches and respond quickly.

Detection and Discovery

Organizations need to have technologies that will find and notify professionals of possible attacks or breaches.

Containment, Eradication, Recovery

Incident response professionals need to keep threats from spreading to critical services, remove those threats from the network, and recover data that may have been destroyed. Professionals must also keep in mind that the company may have critical services that need to remain accessible to customers or employees. Remember that most companies use information technology to make money. Keep the company running, or you may be out of a job.

Post-Incident Activity

Once the attack has been stopped or the breach has been contained, what did you learn? Did you responsibly report any data breaches to your employees, customers, and shareholders? Did you report the incident to law enforcement? Incident response professionals should:

  • Conduct a "hot wash" to discuss lessons learned and how to improve processes

  • Deploy new countermeasures

  • Build an incident report

  • In case of a data breach, notify

    • Leadership

    • Shareholders (if applicable)

    • Employees

    • Law Enforcement
