Threats in Cyberspace
Who are the threats?
Some compare Cyberspace to the U.S. wild west era, when outlaws ruled the landscape and innocent people were often victims of various crimes. What differentiates Cyberspace from that period in history is the anonymity of the attackers. It's important to classify the threat actors in cyberspace and understand their motives.
Threat Actor: Nation-state
Motivation: Leverages cyberspace to perform military-style operations. Looks to gather intelligence on other nations and develop capabilities to deceive the enemy and to deny, degrade, disrupt, or destroy digital resources.
Example: The Stuxnet worm was developed by a nation-state actor and used against the Iranian nuclear program.
Threat Actor: Cybercrime organizations
Motivation: Leverages cyberspace for financial gain.
Example: CryptoLocker malware encrypts user data, then demands payment for decryption.
Threat Actor: Hacktivists
Motivation: Leverages cyberspace to promote a political agenda.
Example: In 2011 LulzSec performed a Distributed Denial of Service attack on the U.S. CIA website.
Threat Actor: Individual
Motivation: Leverages cyberspace to hack various targets for notoriety or personal gain.
Example: During the late 1980s Kevin Mitnick broke into Digital Equipment Corporation to steal the source code of its latest operating system.
Now that we know the threats and their respective motives, we need to understand their methodologies: what are the indicators that a cyber breach has occurred, and what countermeasures can we put into place to prevent these types of attacks? In this lesson we will discuss five common cyber threats:
Phishing
Malware
Weak or default passwords
Un-patched or outdated software
Removable media
Phishing
Phishing is a process where a malicious actor sends a convincing email to a set of targets. The goal is to get the target to disclose personal information, or to open a malicious email attachment or click a malicious link. Spear-phishing is a targeted attack directed against a specific person or group.
The following image is an example of a phishing campaign. The actor is posing as a member of USAA Financial Services; however, when we look at the actual FROM email address we learn it's coming from noreply.usaa-electronic-alert@bk.ru. Legitimate emails should be coming from usaa.com, not bk.ru. By the way, .ru is the top-level domain for the Russian Federation.
Indicators
Here are indicators related to phishing campaigns:
Typically email-based
FROM email addresses are not from legitimate domains
Bad grammar, spelling mistakes, bad translations
May contain malicious links or attachments
Appears to be from a position of authority (e.g. IRS, FBI, your boss)
Asks the user to update their information
Directs to a website that looks legitimate
Countermeasures
Here are ways to protect yourself from phishing attacks:
Do not open suspicious emails
Do not open suspicious attachments
Do not click on suspicious links
Do not disclose private information
Read all emails in plaintext form instead of HTML
Validate all FROM email addresses
Check the domain names
Validate all links
Check the domain names
Look for digital signatures (if possible)
Report any incident (e.g. accidentally clicking on email)
Update anti-virus
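As an added example (not part of the original lesson), the "validate the FROM address" and "validate all links" checks from the countermeasures above, applied in Python to a constructed message modelled on the USAA phish; the sender domain bk.ru and the expected domain usaa.com come from the lesson, while the link hosts and the rest of the message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the USAA-themed phish described in the lesson;
# it is not a real captured message.
SAMPLE_EMAIL = """\
From: USAA Security Alert <noreply.usaa-electronic-alert@bk.ru>
To: member@example.com
Subject: Urgent: update you're account informations
Content-Type: text/html

<html><body>
<p>Dear valued member, you account has be locked. Please verify now:</p>
<a href="http://usaa.com.secure-login.example.net/verify">Update Information</a>
<a href="https://www.usaa.com/help">Help Center</a>
</body></html>
"""

def sender_domain(msg):
    """Domain of the actual FROM address (display name ignored), lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def link_hosts(msg):
    """Hostnames of every href in the HTML body."""
    body = msg.get_payload(decode=True).decode(errors="replace")
    return [urlparse(h).hostname for h in re.findall(r'href="([^"]+)"', body)]

def same_site(host, expected):
    """True only for expected or a real subdomain; usaa.com.evil.net does not qualify."""
    return host == expected or host.endswith("." + expected)

def phishing_indicators(raw, expected_domain):
    """Apply the FROM-domain and link-domain checks; return the findings."""
    msg = message_from_string(raw)
    findings = []
    frm = sender_domain(msg)
    if not same_site(frm, expected_domain):
        findings.append(f"FROM domain {frm!r} is not {expected_domain!r}")
    for host in link_hosts(msg):
        if not same_site(host, expected_domain):
            findings.append(f"link host {host!r} is not {expected_domain!r}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, "usaa.com"):
        print("INDICATOR:", finding)
```

Note that the legitimate-looking "usaa.com" at the start of the first link is only a subdomain label; the real host is under example.net, which is why the check compares the whole hostname rather than searching for the brand name.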
Malware (Malicious Software)
Malicious software, or "malware," is used by adversaries to damage a system, perform unwanted behavior, or establish a foothold for future malicious activity. The following are common types of malware:
Viruses: Malware that self-replicates, usually via removable storage media.
Worms: Malware that does not require user interaction and may use stolen credentials to "worm" its way across a network to infect other systems.
Trojan: Malware designed to appear as legitimate software; it usually requires user interaction to run (e.g. double-clicking to launch it).
Keyloggers: Malware designed to record user keystrokes and/or mouse-clicks.
Spyware: Malware designed to record user activity, including browser history, cookies, and keystrokes. This software can also activate built-in cameras and microphones unbeknownst to the user.
Rootkits: Malware designed to subvert the operating system and hide malicious activity.
Backdoors: Malware designed to provide access into a target system that is known only to the attacker.
Indicators
Malware may come from the following sources:
E-mail attachments
Infected websites
Infected removable media (e.g. USB drive)
Malware can cause the following effects:
Destroyed or modified data
System or network disruptions/latency
Loss of personal data
Malicious actor access to the system/network
Countermeasures
Here are ways to protect yourself from malware:
Scan all e-mail attachments with anti-virus
Do not run software from untrusted sites
Do not run pirated software
Keep operating system and installed software up-to-date
Weak or Default Passwords
User credentials allow us to access computing systems; authentication is typically done with a username and a password. While the username may be known, the password is designed to be a secret; however, default or weak passwords can allow unauthorized access to a system.
We can classify passwords based on complexity and memorability. These classifications are:
Strong: A highly complex password. Typically uses uppercase and lowercase letters, numbers, and special characters. Example: hT9$5hrQP!
Weak: A password with little to no complexity. Example: password
Good: A password that is easily memorable. Example: 1%PassworD
Bad: A password that is not easily remembered. Example: hT9$5hrQP!
Note in the example above that the same password can be classified as "strong" due to its complexity, yet also as "bad" because it could be difficult to remember.
Some devices, like home switches and routers, have default (weak) passwords that are typically posted on the manufacturer's website. For example, on most Linksys routers the defaults are:
Because these passwords are known to the world, it is a security professional's job to know this and to change the passwords immediately, prior to connecting the device to the Internet.
Indicators
Weak or default passwords have the following indicators:
Passwords are found in a dictionary
Passwords contain information about the person (e.g. dog's name)
Passwords do not use a combination of uppercase and lowercase letters, numbers, and special characters
Adversaries can use default passwords, password crackers, and brute-force techniques to guess passwords and gain unauthorized access to systems.
Countermeasures
The following are common countermeasures:
Use complex passwords (combination of uppercase and lowercase letters, numbers, and special characters)
Do not use personal information
Do not use dictionary words or phrases
Do not write down your password
Create policies forcing users to use strong passwords
Enforce account lockouts to prevent brute-force attacks
Do not use your browser to save passwords
Do not use the same password for all your accounts
Use a password manager
Do not share passwords
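An added example, not from the original lesson, that turns the three weak-password indicators above (dictionary word, personal information, missing character classes) into a Python checker; the tiny DICTIONARY and the owner's personal details are constructed stand-ins, and the four character classes are the ones in the lesson's "strong" definition.

```python
import string

# Constructed stand-in for a cracking dictionary (a real one holds millions of words).
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "summer", "football"}

def character_classes(pw):
    """Which of the four classes in the lesson's 'strong' definition are present."""
    return {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }

def weak_password_indicators(pw, personal_info=()):
    """Apply the three indicators from the lesson; returns the ones that fired."""
    findings = []
    # Strip leading/trailing digits and symbols so 1%PassworD still reveals 'password'.
    core = pw.lower().strip(string.punctuation + string.digits)
    if core in DICTIONARY:
        findings.append(f"found in dictionary ({core!r})")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in pw.lower():
            findings.append(f"contains personal information ({item!r})")
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    return findings

def classify(pw, personal_info=()):
    """'strong' only when no indicator fires; otherwise 'weak'."""
    return "weak" if weak_password_indicators(pw, personal_info) else "strong"

if __name__ == "__main__":
    owner = ("Charlie", "Rex", "1985")  # constructed personal details of the account owner
    for candidate in ("hT9$5hrQP!", "password", "1%PassworD", "Rex1985!"):
        print(f"{candidate:12} {classify(candidate, owner):6} {weak_password_indicators(candidate, owner)}")
```

The lesson's memorable example 1%PassworD trips the dictionary indicator even though it has all four character classes, which is the memorability-versus-complexity tension the table describes; likewise Rex1985! looks strong until the checker is told the owner's dog is named Rex.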
Unpatched or Outdated Software
A vulnerability is a flaw in software that could compromise the security of the system running the software. Malicious actors may exploit these vulnerabilities to gain unauthorized access to a system or perform a denial of service to prevent legitimate access. Updates or patches are fixes to known vulnerabilities. It is important for a security professional to ensure that software, including the operating system, is properly patched and updated.
Indicators
The following are indicators relating to unpatched or outdated software:
Program crashes
Operating system crashes (Blue Screen of Death)
Unauthorized access
Unauthorized modifications to the system
Countermeasures
The following are common countermeasures:
Set operating systems to update automatically from trusted sources
Frequently update installed programs
Audit installed programs
Remove unneeded or unwanted programs
Removable Media
Removable media is any storage device that can be connected to and removed from a computing system. This includes:
CD-ROMs
DVDs
USB Flash Drives
USB External Hard Drives
Mobile phones
Audio devices (e.g. iPod)
In some cases, adversaries will install malware on these devices, distribute them, wait for a device to be connected to a target system, and receive a connection back to the attacker's system.
Indicators
The following are indicators of malicious removable media:
Removable media left in locations where it will be picked up (e.g. a parking lot)
Removable media sent to persons under the claim of a "free trial" or winning a prize
Countermeasures
The following are common countermeasures:
Create policies to prevent or limit the use of removable media
Use only approved media
Do not use media found or given to you by an untrusted party
Scan all removable media with anti-virus prior to use, preferably on a network isolated system
How do organizations respond to cyber threats?
No matter how strong an organization's security posture is, its security professionals and IT staff should be prepared to respond to all threats from cyberspace. A group designed to handle cybersecurity breaches and investigations is commonly referred to as a Computer Emergency Response Team, or "CERT". Some larger organizations may employ a team that regularly audits network security and responds to potential incidents. Smaller organizations may dual-hat their IT department to respond to security threats when they are detected. However, one thing should be clear:
Information Technology (IT) is NOT cyber security
Information Technology manages the implementation, installation, maintenance, and decommissioning of IT resources. IT staff tend to focus only on the Availability aspect of the CIA Triad. Cyber security professionals are concerned with the physical and logical security of information systems and their data, incorporating all aspects of the CIA Triad.
As discussed earlier in this chapter, security professionals must embrace the prevent, detect, and respond lifecycle. This cyclical process is designed to strengthen an organization's security posture, find and detect malicious activity, and respond to active attacks.
Prevention
You may have heard the term "defense in depth." It employs a concept called layering: multiple security controls are placed on top of each other so that defeating any one of them does not let the adversary compromise the entire network. We typically deploy:
Industry standards for server and workstation hardening
Technology to prevent attacks
Firewalls
Intrusion Prevention Systems
Anti-virus
Backup data in case of corruption or destruction
For example, we will harden our workstations and servers using industry standards like the Defense Information Systems Agency's Security Technical Implementation Guide. We will install network firewalls to deny all but explicitly authorized activity across the network. We can use third-party services to aid in preventing Distributed Denial of Service (DDoS) attacks on critical systems. Finally, we would back up our data to a third-party cloud service.
Detection
Do you have anti-virus on your computer now? This is an example of a threat detection system. Most organizations add additional layers of detection by employing:
Commercial (centrally-managed) anti-virus
Intrusion Detection / Prevention Systems (IDS/IPS)
Honey pots
Most detection systems rely on threat intelligence to enumerate current threats and build signatures to detect the malicious activity.
For example, suppose you are the response team lead for the ACME Corporation CERT. You've recently received a report that Charlie's computer is starting to "act weird." In your investigation you pull the logs from the email server and notice that the user received an email with the attachment important.doc.exe. The user confirms that they downloaded and ran the program, but "nothing happened." You pull the email from the server, compute an MD5 hash of the attachment, and receive the following:
You enter this hash into VirusTotal and get back the following result:
You learn that this file is "ransom" malware, take this intelligence (the MD5 hash), and enter it into your IDS and anti-virus platforms. This will aid in detecting further attacks and help determine whether this is an isolated incident or a broader phishing campaign.
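An added example in Python, not the lesson's own material, of the detection step just described: hash the attachment, look the hash up in an IoC list, and flag the important.doc.exe double extension. The attachment bytes, the MD5 derived from them, and the verdict string are constructed, not the lesson's real values.

```python
import hashlib
import os

# Constructed sample: these bytes are not real malware, and the MD5 derived from them is
# not the hash from the lesson; a real IoC list would be fed from VirusTotal or threat intel.
ATTACHMENT_NAME = "important.doc.exe"
ATTACHMENT_BYTES = b"MZ\x90\x00" + b"constructed sample, not a real executable"

def md5_hex(data):
    """MD5 of the attachment bytes, as the CERT lead computes in the lesson."""
    return hashlib.md5(data).hexdigest()

# IoC database keyed by MD5, populated from the constructed sample above.
IOC_DB = {md5_hex(ATTACHMENT_BYTES): "ransom malware (sandbox verdict)"}

DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".vbs", ".js"}

def has_double_extension(name):
    """important.doc.exe: a document-looking name whose real extension is executable."""
    stem, last = os.path.splitext(name.lower())
    inner = os.path.splitext(stem)[1]
    return last in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS

def inspect_attachment(name, data, ioc_db=IOC_DB):
    """Return the detection findings for one mail attachment (empty list = nothing fired)."""
    findings = []
    digest = md5_hex(data)
    if digest in ioc_db:
        findings.append(f"MD5 {digest} matches IoC: {ioc_db[digest]}")
    if has_double_extension(name):
        findings.append(f"double extension hides an executable: {name}")
    if data[:2] == b"MZ":
        findings.append("payload starts with the Windows executable 'MZ' magic")
    return findings

if __name__ == "__main__":
    for finding in inspect_attachment(ATTACHMENT_NAME, ATTACHMENT_BYTES):
        print("ALERT:", finding)
    # A single appended byte defeats the hash IoC but not the two structural checks.
    print(inspect_attachment(ATTACHMENT_NAME, ATTACHMENT_BYTES + b"!"))
```

The second call shows the limit of a hash IoC on its own: any change to the file gives a new MD5, so the name-based and header-based checks are what still fire on a recompiled variant.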
Response
The U.S. National Institute of Standards and Technology (NIST) published Special Publication 800-61R2, the Cyber Security Incident Handling Guide, which is designed as a framework for how to respond to incidents. We strongly encourage you to skim this document.
Organizations typically handle incidents in a four-step process:
Preparation
Detection and Discovery
Containment, Eradication, Recovery
Post-Incident Activities
Preparation
Organizations need to have a response plan. They should have a list of qualified individuals to investigate potential breaches and respond quickly.
Detection and Discovery
Organizations need to have technologies that will find and notify professionals of possible attacks or breaches.
Containment, Eradication, Recovery
Incident response professionals need to contain threats so they do not spread to critical services, remove those threats from the network, and recover data that may have been destroyed. Professionals must also keep in mind that the company may have critical services that need to remain accessible to customers or employees. Remember that most companies use information technology to make money. Keep the company running, or you may be out of a job.
Post-Incident Activity
Once the attack has been stopped or the breach has been contained, what did you learn? Did you responsibly report any data breaches to your employees, customers, and shareholders? Did you report the incident to law enforcement? Incident response professionals should:
Conduct a "hot wash" to discuss lessons learned and how to improve processes
Deploy new countermeasures
Build an incident report
In case of a data breach, notify
Leadership
Shareholders (if applicable)
Employees
Law Enforcement