Threats in Cyberspace
Some compare cyberspace to the U.S. Wild West era, when outlaws ruled the landscape and innocent people were often victims of crime. What differentiates cyberspace from that period in history is the anonymity of the attackers. It is important to classify the threat actors in cyberspace and understand their motives.
| Threat Actor | Motivation | Examples |
|---|---|---|
| Nation-state | Leverages cyberspace to perform military-style operations. Looks to gather intelligence on other nations and develop capabilities to deceive the enemy and deny, degrade, disrupt, or destroy digital resources. | The Stuxnet worm was developed by a nation-state actor and used against the Iranian nuclear program. |
| Cybercrime Organizations | Leverages cyberspace for financial gain. | CryptoLocker malware was used to encrypt user data and then demand payment for decryption. |
| Hacktivists | Leverages cyberspace to promote a political agenda. | In 2011 LulzSec performed a Distributed Denial of Service attack on the U.S. CIA website. |
| Individual | Leverages cyberspace to hack various targets for notoriety or personal gain. | During the late 1980s Kevin Mitnick broke into the Digital Equipment Corporation to steal the source code of their latest operating system. |
Now that we know the threats and their respective motives, we need to understand their methodologies. What are the indicators that a cyber breach has occurred, and what countermeasures can we put into place to prevent these types of attacks? In this lesson we will discuss five common cyber threats:
- Phishing
- Malware
- Weak or default passwords
- Un-patched or outdated software
- Removable media
Phishing
Phishing is a process where a malicious actor sends a convincing email to a set of targets. The goal is to get the target to disclose personal information or to click on a malicious email attachment or malicious link. Spear-phishing is a targeted attack directed against a specific person or group.
The following image is an example of a phishing campaign. The actor is posing as a member of USAA Financial Services; however, when we look at the actual FROM email address we learn it is coming from [email protected]. Legitimate emails should be coming from usaa.com, not bk.ru. By the way, .ru is the top-level domain for the Russian Federation.
[Image: example phishing email]
Here are indicators related to phishing campaigns:
- Typically email-based
- FROM email addresses are not from legitimate domains
- Bad grammar, spelling mistakes, bad translations
- May contain malicious links or attachments
- Appears to be from a position of authority (e.g. IRS, FBI, your boss)
- Asks the user to update their information
- Directs to a website that looks legitimate
Here are ways to protect yourself from phishing attacks:
- Do not open suspicious emails
- Do not open suspicious attachments
- Do not click on suspicious links
- Do not disclose private information
- Read all emails in plaintext form instead of HTML
- Validate all FROM email addresses
  - Check the domain names
- Validate all links
  - Check the domain names
- Look for digital signatures (if possible)
- Report any incident (e.g. accidentally clicking on email)
- Update anti-virus
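Two of the checks above (validate the FROM address, validate the domains behind links) can be automated. The following is an added Python example, not part of the lesson: it takes the real address out of a From: header, ignores the display name an attacker sets freely, and compares the sender's domain and every link's hostname against an expected domain. The expected-domain set, the sample headers and the sample HTML bodies are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the brand legitimately sends from (assumed list, not from the lesson).
EXPECTED_DOMAINS = {"usaa.com"}

LINK_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def sender_domain(from_header):
    """Domain of the real address in a From: header. The display name is ignored
    because a sender can set it to anything, e.g. "USAA Financial Services"."""
    _display_name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_domains(html_body):
    """Hostnames behind every href in the body: where a click would actually go."""
    hosts = set()
    for url in LINK_RE.findall(html_body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def phishing_indicators(from_header, html_body, expected=EXPECTED_DOMAINS):
    """Return the indicators that fired; an empty list means none did."""
    findings = []
    dom = sender_domain(from_header)
    if dom not in expected:
        findings.append(f"FROM domain {dom!r} is not in the expected set")
    for host in link_domains(html_body):
        same_site = host == dom or (dom and host.endswith("." + dom))
        if not same_site and host not in expected:
            findings.append(f"link goes to {host!r}, not to the sender's domain")
    return findings


# Constructed samples (not the lesson's screenshot): the phish claims to be USAA
# but is sent from a bk.ru address and links elsewhere; the second is legitimate.
PHISH_FROM = '"USAA Financial Services" <member-services@bk.ru>'
PHISH_BODY = '<p>Update your information:</p><a href="http://example.net/usaa/login">here</a>'
LEGIT_FROM = "USAA <alerts@usaa.com>"
LEGIT_BODY = '<a href="https://www.usaa.com/inet/login">Sign in</a>'
```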
Malware
Malicious software, or "malware," is used by adversaries to damage a system, perform unwanted behavior, or establish a foothold for future malicious activity. The following are common types of malware:
| Type | Definition |
|---|---|
| Viruses | Malware that self-replicates, usually via removable storage media |
| Worms | Malware that does not require user interaction and may use stolen credentials to "worm" its way across a network to infect other systems |
| Trojan | Malware designed to appear as legitimate software; usually requires user interaction to run (e.g. double-click to run) |
| Keyloggers | Malware designed to record user keystrokes and/or mouse clicks |
| Spyware | Malware designed to record user activity, including browser history, cookies, and keystrokes. This software can also activate built-in cameras and microphones unbeknownst to the user |
| Rootkits | Malware designed to subvert the operating system and hide malicious activity |
| Backdoors | Malware designed to provide access into a target system that is known only to the attacker |
Malware may come from the following sources:
- E-mail attachments
- Infected websites
- Infected removable media (e.g. USB drive)
Malware can cause the following effects:
- Destroyed or modified data
- System or network disruptions/latency
- Loss of personal data
- Allow malicious actor access to system/network
Here are ways to protect yourself from malware:
- Scan all e-mail attachments with anti-virus
- Do not run software from untrusted sites
- Do not run pirated software
- Keep operating system and installed software up-to-date
Weak or default passwords
User credentials allow us to access computing systems; authentication is typically done with a username and a password. While the username may be known, the password has always been designed to be a secret; however, default or weak passwords can allow unauthorized access to a system.
We can classify our passwords based on complexity and memorability. These classifications are:
| Classification | Description | Example |
|---|---|---|
| Strong | A highly complex password. Typically uses uppercase and lowercase letters, numbers, and special characters. | hT9$5hrQP! |
| Weak | A password with little to no complexity | password |
| Good | A password that is easily memorable | 1%PassworD |
| Bad | A password that is not easily remembered | hT9$5hrQP! |
Note in the example above that the same password can be classified as "strong," due to its complexity, yet also as "bad," because it could be difficult to remember.
Some devices like home switches and routers have default (weak) passwords that are typically posted on the manufacturer's website. For example, on most Linksys routers the defaults are:
Username: admin
Password: admin
Because these passwords are known to the world, it is a security professional's job to know this and immediately change the passwords prior to connecting the device to the Internet.
Weak or default passwords have the following indicators:
- Passwords are found in a dictionary
- Passwords contain information about the person (e.g. dog's name)
- Passwords do not use a combination of uppercase and lowercase letters, numbers, and special characters
Adversaries can use default passwords, password crackers, and brute force techniques to guess passwords and gain unauthorized access to systems.
The following are common countermeasures:
- Use complex passwords (combination of uppercase and lowercase letters, numbers, and special characters)
- Do not use personal information
- Do not use dictionary words or phrases
- Do not write down your password
- Create policies forcing users to use strong passwords
- Enforce account lockouts to prevent brute-force attacks
- Do not use your browser to save passwords
- Do not use the same password for all your accounts
- Use a password manager
- Do not share passwords
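The three weak-password indicators listed earlier (dictionary words, personal information, missing character classes) can be turned into a policy check. This is an added Python example, not the lesson's code; the word list and the per-user facts are tiny constructed stand-ins for a real dictionary and for details an adversary could look up, and the leet substitution table is an assumption about what crackers undo before a lookup.

```python
import re

# Constructed stand-ins (assumptions, not from the lesson) for a real word list and
# for facts about a specific user that an adversary could look up (pet's name, birth year).
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "qwerty"}
PERSONAL_INFO = {"rex", "1985", "charlie"}

# Common substitutions ("P@ssw0rd") that password crackers undo before a dictionary lookup.
LEET = str.maketrans("@$013", "asoie")

CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def normalize(password):
    """Lower-case and undo leet substitutions so "P@ssw0rd" compares as "password"."""
    return password.lower().translate(LEET)


def weak_password_indicators(password, dictionary=DICTIONARY, personal=PERSONAL_INFO):
    """Return the lesson's weak-password indicators that apply; an empty list means none fired."""
    findings = []
    low, norm = password.lower(), normalize(password)
    # Check both the raw lower-cased form and the de-leeted form, since a digit-based
    # fact such as a birth year would be mangled by the substitution table.
    if any(word in low or word in norm for word in dictionary):
        findings.append("contains a dictionary word")
    if any(fact in low or fact in norm for fact in personal):
        findings.append("contains personal information")
    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    return findings
```

Note that "P@ssw0rd" satisfies all four character classes yet is still flagged, which is why the countermeasures list both complexity and avoiding dictionary words.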
Un-patched or outdated software
A vulnerability is a flaw in software that could compromise the security of the system running that software. Malicious actors may exploit these vulnerabilities to gain unauthorized access to a system or perform a denial of service to prevent legitimate access. Updates or patches are fixes to known vulnerabilities. It is important for a security professional to ensure that software, including the operating system, is properly patched and updated.
The following are indicators relating to un-patched or outdated software:
- Program crashes
- Operating system crashes (Blue Screen of Death)
- Unauthorized access
- Unauthorized modifications to the system
The following are common countermeasures:
- Set operating systems to update automatically from trusted sources
- Frequently update installed programs
- Audit installed programs
- Remove unneeded or unwanted programs
Removable media
Removable media is any storage device that can be installed in and removed from a computing system. This includes:
- CD-ROMs
- DVDs
- USB Flash Drives
- USB External Hard Drives
- Mobile phones
- Audio devices (e.g. iPod)
In some cases, adversaries will install malware on these devices, distribute them, wait for a device to be plugged into a target system, and receive a connection back to the attacker's system.
The following are indicators of malicious removable media:
- Removable media left in locations where it will be picked up (e.g. a parking lot)
- Removable media sent to persons under the claim of a "free trial" or winning a prize
The following are common countermeasures:
- Create policies to prevent or limit the use of removable media
- Use only approved media
- Do not use media found or given to you by an untrusted party
- Scan all removable media with anti-virus prior to use, preferably on a network isolated system

No matter how strong an organization's security posture is, its security professionals and IT staff should be prepared to respond to all threats from cyberspace. A team designated to handle cybersecurity breaches and investigations is commonly referred to as a Computer Emergency Response Team, or "CERT." Some larger organizations may employ a team that regularly audits network security and responds to potential incidents. Smaller organizations may dual-hat their IT department to respond to security threats when detected. However, one thing should be clear:
Information Technology (IT) is NOT cyber security
Information Technology manages the implementation, installation, maintenance, and decommissioning of IT resources. It tends to focus only on the Availability aspect of the CIA Triad. Cyber security professionals are concerned with the physical and logical security of information systems and their data, incorporating all aspects of the CIA Triad.
As discussed earlier in this chapter, security professionals must embrace the prevent, detect, and respond lifecycle. This cyclical process is designed to strengthen an organization's security posture, find and detect malicious activity, and respond to active attacks.
You may have heard the term "defense in depth." It applies a concept called layering: multiple security controls are placed on top of each other so that defeating a single control does not let the adversary compromise the entire network. We typically deploy:
- Industry standards for server and workstation hardening
- Technology to prevent attacks
  - Firewalls
  - Intrusion Prevention Systems
  - Anti-virus
- Backup data in case of corruption or destruction
For example, we will harden our workstations and servers using industry standards like the Defense Information Systems Agency's Security Technical Implementation Guides (STIGs). We will install network firewalls to deny all but explicitly authorized activity across the network. We can use third-party services to aid in preventing Distributed Denial of Service (DDoS) attacks on critical systems. Finally, we would back up our data to a third-party cloud service.
Do you have anti-virus on your computer now? This is an example of a threat detection system. Most organizations add additional layers of detection by employing:
- Commercial (centrally-managed) anti-virus
- Intrusion Detection / Prevention Systems (IDS/IPS)
- Honeypots
Most detection systems rely on threat intelligence to enumerate current threats and build signatures to detect the malicious activity.
For example, you are the response team lead for the ACME Corporation CERT. You have recently received a report that Charlie's computer is starting to "act weird." In your investigation you pull the logs from the email server and notice that the user received an email with the attachment important.doc.exe. The user confirms that they downloaded and ran the program, but "nothing happened." You pull the email from the server, compute an MD5 hash of the attachment, and receive the following:

```
jds@affinityhq$: openssl md5 important.doc.exe
MD5(CP_image.zip)= 19a9338a4417ce2beb28d5f2c6f94abe
```
You learn that this file is ransomware, take that intelligence (the MD5 hash), and enter it into your IDS and anti-virus platforms. This will aid in detecting further attacks and help determine whether this is an isolated incident or a wider phishing campaign.
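The two pieces of intelligence the scenario produces, the MD5 hash and the deceptive important.doc.exe file name, can be fed straight into a detection rule. The following is an added Python example, not part of the lesson: it computes an attachment's MD5, checks it against an indicator set seeded with the hash above, flags document-looking names that actually end in an executable extension, and runs both checks over constructed mail-server log lines. The log format, the recipients, and the second malicious file name are assumptions.

```python
import hashlib
import re

# Indicator-of-compromise set, seeded with the hash from the CERT scenario above.
KNOWN_BAD_MD5 = {"19a9338a4417ce2beb28d5f2c6f94abe"}

# Extensions Windows runs on double-click, and document extensions used to disguise them.
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg"}

# Assumed log format: "<timestamp> from=<addr> to=<addr> attachment=<name> md5=<hex>".
LOG_RE = re.compile(r"to=(?P<to>\S+) .*attachment=(?P<name>\S+) md5=(?P<md5>[0-9a-f]{32})")


def md5_hex(data):
    """Hex MD5 of attachment bytes, the same value `openssl md5` prints."""
    return hashlib.md5(data).hexdigest()


def is_deceptive_name(filename):
    """True for names like important.doc.exe: a document extension hiding an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXT and parts[2] in EXECUTABLE_EXT


def triage(log_lines, ioc=KNOWN_BAD_MD5):
    """Return (recipient, attachment, reasons) for each delivery that trips a check."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = []
        if m["md5"] in ioc:
            reasons.append("md5 matches known-bad IOC")
        if is_deceptive_name(m["name"]):
            reasons.append("double extension hides executable")
        if reasons:
            hits.append((m["to"], m["name"], reasons))
    return hits


# Constructed sample log; the benign and second malicious hashes are derived from made-up content.
SAMPLE_LOG = [
    "2019-03-04T09:12:01 from=billing@example.net to=charlie@acme.example "
    "attachment=important.doc.exe md5=19a9338a4417ce2beb28d5f2c6f94abe",
    "2019-03-04T09:12:07 from=hr@acme.example to=dana@acme.example "
    "attachment=handbook.pdf md5=" + md5_hex(b"constructed benign content"),
    "2019-03-04T09:15:44 from=billing@example.net to=erin@acme.example "
    "attachment=invoice.pdf.scr md5=" + md5_hex(b"another constructed file"),
]
```

The third line shows why the name check matters: a new variant with an unknown hash still gets caught by the double-extension indicator.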
The U.S. National Institute of Standards and Technology (NIST) published Special Publication 800-61R2 - Cyber Security Incident Handling Guide, which is designed as a framework for how to respond to incidents. We strongly encourage you to skim this document.
Organizations typically handle incidents in a four-step process:
- Preparation
- Detection and Discovery
- Containment, Eradication, Recovery
- Post-Incident Activities
Preparation: Organizations need to have a response plan. They should have a list of qualified individuals to investigate potential breaches and respond quickly.
Detection and Discovery: Organizations need to have technologies that will find and notify professionals of possible attacks or breaches.
Containment, Eradication, Recovery: Incident response professionals need to contain threats to stop them spreading to critical services, remove those threats from the network, and recover data that may have been destroyed. Professionals must also keep in mind that the company may have critical services that need to remain accessible to customers or employees. Remember that most companies use information technology to make money. Keep the company running, or you may be out of a job.
Post-Incident Activities: Once the attack has been stopped or the breach has been contained, what did you learn? Did you responsibly report any data breaches to your employees, customers, and shareholders? Did you report the incident to law enforcement? Incident response professionals should:
- Conduct a "hot wash" to discuss lessons learned and how to improve processes
- Deploy new countermeasures
- Build an incident report
- In case of a data breach, notify:
  - Leadership
  - Shareholders (if applicable)
  - Employees
  - Law Enforcement