# Chapter 1: Cybersecurity Fundamentals

This chapter covers the following topics:

- Introduction to Cybersecurity: Cybersecurity programs recognize that organizations must be vigilant, resilient, and ready to protect and defend every ingress and egress connection as well as organizational data wherever it is stored, transmitted, or processed. Cybersecurity programs and policies expand and build upon traditional information security programs, but also include the following:
  - Cyber risk management and oversight
  - Threat intelligence and information sharing
  - Third-party organization, software, and hardware dependency management
  - Incident response and resiliency
  - Threat hunting and adversarial emulation
- Defining What Are Threats, Vulnerabilities, and Exploits: Describe the difference between cybersecurity threats, vulnerabilities, and exploits.
- Exploring Common Threats: Describe and understand the most common cybersecurity threats.
- Common Software and Hardware Vulnerabilities: Describe and understand the most common software and hardware vulnerabilities.
- Confidentiality, Integrity, and Availability: The CIA triad is a concept that was created to define security policies to protect assets. The idea is that confidentiality, integrity, and availability should be guaranteed in any system that is considered secure.
- Cloud Security Threats: Learn about different cloud security threats and how cloud computing has changed traditional IT, introducing several security challenges and benefits at the same time.
- IoT Security Threats: The proliferation of connected devices is introducing major cybersecurity risks in today's environment.
- An Introduction to Digital Forensics and Incident Response: You will learn the concepts of digital forensics and incident response (DFIR) and cybersecurity operations.
This chapter starts by introducing you to different cybersecurity concepts that are foundational for anyone starting a career in cybersecurity or network security. You will learn the difference between cybersecurity threats, vulnerabilities, and exploits. You will also explore the most common cybersecurity threats, as well as common software and hardware vulnerabilities. You will learn the details of the CIA triad: confidentiality, integrity, and availability. In this chapter, you will also learn about different cloud security and IoT security threats. The chapter concludes with an introduction to DFIR and security operations.

## Foundation Topics

### Introduction to Cybersecurity

In today's highly interconnected world, our individual and collective actions can have a profound impact, for good or for ill. It is in this context that cybersecurity plays a crucial role, safeguarding not only our personal data but also our economy, critical infrastructure, and national security against the risks posed by inadvertent or intentional misuse, compromise, or destruction of information and information systems.

The scope of cybersecurity risk extends beyond data breaches to encompass every part of an organization's operations that relies on digitization and connectivity, which makes an effective cybersecurity program more important than ever. It is no longer sufficient to delegate this responsibility solely to the IT team; every individual within an organization, from entry-level employees to the board of directors, must take an active role in mitigating these risks. Developing and maintaining robust cybersecurity measures is a vital part of organizational strategy in today's digital landscape.

### Cybersecurity vs. Information Security (InfoSec)

Many people confuse traditional information security with cybersecurity. In the past, information security programs and policies were designed to protect the confidentiality, integrity, and availability of data within the confines of an organization. That is no longer sufficient. Organizations are rarely self-contained, and the price of interconnectivity is exposure to attack. Every organization, regardless of size or geographic location, is a potential target. Cybersecurity is the process of protecting information by preventing, detecting, and responding to attacks.

### The NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve quality of life. The Computer Security Division (CSD) is one of the divisions within NIST's Information Technology Laboratory (ITL).

NIST's Cybersecurity Framework (CSF) is a collection of industry standards and best practices to help organizations manage cybersecurity risks. The framework was created in collaboration among the U.S. government, corporations, and individuals, and it can be accessed at [https://www.nist.gov/cyberframework](https://www.nist.gov/cyberframework). The NIST Cybersecurity Framework is built on a common taxonomy, and one of its main goals is to address and manage cybersecurity risk in a cost-effective way to protect critical infrastructure. Although the original (2014) framework was written for critical-infrastructure operators, its requirements can serve as a security blueprint for any organization; CSF 2.0, published in February 2024, makes that explicit by addressing organizations of all sizes and sectors, and it adds a Govern function to the original Identify, Protect, Detect, Respond, and Recover functions.

### Additional NIST Guidance and Documents

Currently, there are more than 500 NIST information security-related documents.
This number includes FIPS, the SP 800 series, the SP 1800 series, Information Technology Laboratory (ITL) bulletins, and NIST interagency reports (NIST IR):

- **Federal Information Processing Standards (FIPS)**: The official publication series for standards and guidelines.
- **Special Publication (SP) 800 series**: This series reports on ITL research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations. SP 800 series documents can be downloaded from [https://csrc.nist.gov/publications/sp800](https://csrc.nist.gov/publications/sp800).
- **Special Publication (SP) 1800 series**: This series focuses on cybersecurity practices and guidelines (the practice guides produced by NIST's National Cybersecurity Center of Excellence). SP 1800 series documents can be downloaded from [https://csrc.nist.gov/publications/sp1800](https://csrc.nist.gov/publications/sp1800).
- **NIST Internal or Interagency Reports (NISTIR)**: These reports focus on research findings, including background information for FIPS and SPs.
- **ITL Bulletins**: Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis.

From access controls to wireless security, the NIST publications are a treasure trove of valuable and practical guidance.

### The International Organization for Standardization (ISO)

ISO is a network of the national standards institutes of more than 160 countries. ISO has developed well over 20,000 international standards on a variety of subjects, ranging from country codes to passenger safety. The ISO/IEC 27000 series (also known as the ISMS Family of Standards, or ISO27k for short) comprises information security standards published jointly by ISO and the International Electrotechnical Commission (IEC).
The first six documents in the ISO/IEC 27000 series provide recommendations for "establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System":

- **ISO 27001**: The specification for an Information Security Management System (ISMS); it is the standard an organization is certified against.
- **ISO 27002**: The code of practice for information security management (retitled "Information security controls" in the 2022 edition).
- **ISO 27003**: Detailed ISMS implementation guidance.
- **ISO 27004**: How an organization can monitor and measure security using metrics.
- **ISO 27005**: The high-level information security risk management approach recommended by ISO.
- **ISO 27006**: The requirements for the bodies that audit and certify organizations against ISO 27001.

In all, there are more than 20 documents in the series, and several more are still under development. The framework is applicable to public and private organizations of all sizes. According to the ISO website, "the ISO standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings."

## Defining What Are Threats, Vulnerabilities, and Exploits

In the following sections you will learn about the characteristics of threats, vulnerabilities, and exploits.

### What Is a Threat?

A threat is any potential danger to an asset. If a vulnerability exists but has not yet been exploited (or, more importantly, is not yet publicly known), the threat is latent and not yet realized. If someone is actively launching an attack against your system and successfully accesses or compromises an asset, the threat is realized.
The entity that takes advantage of the vulnerability is known as the threat actor (or threat agent), and the path used by this actor to perform the attack is known as the threat vector (or attack vector); a phishing email and an exposed management interface are both examples of vectors.

### What Is a Vulnerability?

A vulnerability is a weakness in system design, implementation, software, or code, or the lack of a protective mechanism. A specific vulnerability might manifest as anything from a design flaw to a poorly defined operational procedure. The correct implementation of safeguards and security countermeasures can mitigate a vulnerability and reduce the risk of exploitation.

### What Is an Exploit?

An exploit is a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability and leads to unauthorized access, privilege escalation, loss of integrity, or denial of service on a computer system. Exploits are dangerous because all non-trivial software has vulnerabilities; attackers know that those vulnerabilities exist and seek to take advantage of them. Although most organizations attempt to find and fix vulnerabilities, some lack sufficient funds to secure their networks.

Sometimes a vulnerability is exploited before the vendor or the public knows it exists. Such a vulnerability is known as a *zero-day*, and an attack that uses it is a *zero-day exploit*: "zero days" have passed since disclosure, so no patch exists yet. Even when a vulnerability is known, a window exists between the time it is disclosed and the time a patch is available to prevent the exploit. The more critical the server, the more slowly it is usually patched: management might be afraid of interrupting the server, or afraid that the patch might affect stability or performance. Finally, the time required to test, deploy, and install a patch on production servers and workstations exposes an organization's IT infrastructure to an additional period of risk.

There are several places where people trade exploits for malicious intent.
The most prevalent is the "dark web." The dark web (or darknet) is an overlay of networks and systems that use the Internet but require specific software and configurations (for example, the Tor browser) to access. The dark web is just a small part of the "deep web." The deep web is the collection of information and systems on the Internet that is not indexed by web search engines, such as content behind logins or paywalls. People often incorrectly conflate the terms deep web and dark web.

Not all exploits are shared for malicious intent. For example, many security researchers share proof-of-concept (PoC) exploits on public sites such as The Exploit Database (Exploit-DB) and GitHub. The Exploit Database is a site maintained by Offensive Security (now OffSec) where security researchers and other individuals post exploits for known vulnerabilities. The Exploit Database can be accessed at [https://www.exploit-db.com](https://www.exploit-db.com).

## Risk, Assets, Threats, and Vulnerabilities

As with any new technology topic, to better understand the security field, you must learn the terminology that is used. To be a security professional, you need to understand the relationship between risk, threats, assets, and vulnerabilities.

- **Risk**: The probability or likelihood of the occurrence or realization of a threat, weighed against the impact if it occurs. There are three basic elements of risk: assets, threats, and vulnerabilities. To deal with risk, the U.S. federal government has adopted a Risk Management Framework (RMF). The RMF process is based on the key concepts of mission- and risk-based, cost-effective, enterprise information system security. NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," transformed the traditional Certification and Accreditation (C&A) process into the six-step RMF (Categorize, Select, Implement, Assess, Authorize, Monitor); SP 800-37 Revision 2, retitled "Risk Management Framework for Information Systems and Organizations," adds a Prepare step, for seven in all. Let's look at the various components associated with risk, which include assets, threats, and vulnerabilities.
- **Assets**: Any item of economic value owned by an individual or corporation.
Assets can be real, such as routers, servers, hard drives, and laptops, or virtual, such as formulas, databases, spreadsheets, trade secrets, and processing time. Regardless of the type of asset, if it is lost, damaged, or compromised, there can be an economic cost to the organization.

**NOTE**: No organization can ever be 100 percent secure. There will always be some risk left over. This is known as residual risk: the amount of risk that remains after safeguards and controls have been put in place to protect the asset.

- **Threats**: Events that can affect the confidentiality, integrity, or availability of the organization's assets. These threats can result in destruction, disclosure, modification, or corruption of data, or denial of service:
  - Natural disasters, weather, and catastrophic damage: Hurricanes, storms, weather outages, fire, flood, earthquakes, and other natural events are an ongoing threat.
  - Threat actor attacks: An insider or outsider who is unauthorized and purposely attacks an organization's infrastructure, components, systems, or data.
  - Cyberattacks against critical infrastructure: Attacks that target critical national infrastructure such as water plants, electric plants, gas plants, oil and gasoline refineries, nuclear power plants, waste management plants, and so on. *Stuxnet* is an example of a tool designed for just such a purpose. You can obtain detailed information about *Stuxnet* and other examples of tooling used by real-life threat actors at [https://attack.mitre.org/software/S0603/](https://attack.mitre.org/software/S0603/).
  - Viruses and malware: An entire category of software tools that are malicious and are designed to damage or destroy a system or data.
  - Disclosure of confidential information: Any disclosure of confidential information can be a critical threat to an organization if it causes loss of revenue, creates potential liabilities, or gives a competitive advantage to an adversary. For instance, if your organization experiences a breach and detailed customer information is exposed (for example, personally identifiable information [PII]), the breach could create liabilities and cost you the trust of your customers. Another example is a threat actor stealing source code or design documents and selling them to your competitors.
  - Denial of service (DoS) or distributed DoS (DDoS) attacks: An attack against availability that is designed to bring the network, or access to a particular TCP/IP host or server, to its knees by flooding it with useless traffic. Today, most DoS attacks are launched via botnets, whereas in the past tools such as the Ping of Death or Teardrop may have been used. As with malware, attackers constantly develop new tools, so botnets such as *Storm* and *Mariposa* have been replaced by other, more current threats.

**NOTE**: If the organization is vulnerable to any of these threats, there is an increased risk of a successful attack.

### Defining Threat Actors

Threat actors are the individuals (or groups of individuals) who perform an attack or are responsible for a security incident that impacts, or has the potential to impact, an organization or individual. There are several types of threat actors:

- **Script kiddies**: People who use existing "scripts" or tools to hack into computers and networks. They lack the expertise to write their own.
- **Organized crime groups**: Their main purpose is to steal information, scam people, and make money.
- **State sponsors and governments**: These agents are interested in stealing data, including intellectual property and research-and-development data, from major manufacturers, government agencies, and defense contractors.
- **Hacktivists**: People who carry out cybersecurity attacks aimed at promoting a social or political cause.
- **Terrorist groups**: These groups are motivated by political or religious beliefs.

Originally, the term hacker was used for computer enthusiasts. A hacker was a person who enjoyed understanding the internal workings of a system, computer, or computer network and who would continue to hack until they understood everything about the system. Over time, the popular press began to describe hackers as individuals who broke into computers with malicious intent. The industry responded by coining the word cracker, short for criminal hacker, to describe individuals who seek to compromise the security of a system without permission from an authorized party. With all this confusion over how to distinguish the good guys from the bad guys, the term ethical hacker was coined. An ethical hacker is an individual who performs security tests and other vulnerability-assessment activities, with authorization, to help organizations secure their infrastructures. Ethical hackers are sometimes referred to as white hat hackers.

### Understanding What Threat Intelligence Is

Threat intelligence is knowledge about an existing or emerging threat to assets, including networks and systems: the observables, indicators of compromise (IoCs), intent, and capabilities of internal and external threat actors and their attacks, together with context, mechanisms, implications, and actionable advice. Threat intelligence includes specifics on the tactics, techniques, and procedures (TTPs) of these adversaries.
Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats. Put into plain language, threat intelligence is evidence-based knowledge of the capabilities of internal and external threat actors. This type of data can be beneficial for the security operations center (SOC) of any organization. Threat intelligence extends cybersecurity awareness beyond the internal network by consuming intelligence from other sources Internet-wide related to possible threats to you or your organization. For instance, you can learn about threats that have impacted other organizations and proactively prepare rather than react once the threat is seen against your network.

Providing an enrichment data feed is one service that threat intelligence platforms typically provide. Figure 1-3 shows a five-step threat intelligence process for evaluating threat intelligence sources and information:

- Planning and Direction
- Collection
- Processing
- Analysis and Production
- Dissemination

Many different threat intelligence platforms and services are available in the market today. Cyber threat intelligence focuses on providing actionable information on adversaries, including IoCs. Threat intelligence feeds help you prioritize signals from internal systems against otherwise unknown threats, and they bring more focus to cybersecurity investigation: instead of blindly looking for "new" and "abnormal" events, you can search for specific IoCs, such as IP addresses, domain names, URLs, file hashes, or exploit patterns.

A number of standards have been developed for disseminating threat intelligence information. The following are a few examples:

- **Structured Threat Information eXpression (STIX)**: An expression language and serialization format designed for sharing cyber-attack information.
STIX objects can carry data such as the IP addresses or domain names of command-and-control servers (often referred to as C2 or CnC), malware hashes, and so on. STIX was originally developed by MITRE and is now maintained by OASIS. You can obtain more information at [http://stixproject.github.io](http://stixproject.github.io).
- **Trusted Automated eXchange of Indicator Information (TAXII)**: An open transport mechanism (an HTTPS-based API) that standardizes the automated exchange of cyber-threat information, typically STIX content. TAXII was originally developed by MITRE and is now maintained by OASIS. You can obtain more information at [http://taxiiproject.github.io](http://taxiiproject.github.io).
- **Open Indicators of Compromise (OpenIOC)**: An open framework for sharing threat intelligence in a machine-digestible format. Learn more at [http://www.openioc.org](http://www.openioc.org).
- **Open Command and Control (OpenC2)**: A language for the command and control of cyber-defense technologies. The OpenC2 Forum was a community of cybersecurity stakeholders facilitated by the U.S. National Security Agency; OpenC2 is now an OASIS technical committee (TC) and specification. You can obtain more information at [https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2).

**NOTE**: The *Common Security Advisory Framework* (CSAF) is a standardized (OASIS) framework that provides a way for organizations to share security vulnerability information in machine-readable JSON. Although it is not a threat-intelligence standard, it improves communication and collaboration among organizations by providing a common language and format for sharing security advisories. CSAF is designed to be flexible and adaptable to different types of organizations and security threats.
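The following is an added example (not code from this chapter, and not from the STIX or TAXII projects) of the IoC sweep the preceding paragraphs describe: it reads a STIX 2.1 bundle, pulls the indicator values out of the simple `[object:path = 'value']` comparison patterns, and sweeps proxy, EDR, and DNS log lines for them. The bundle, the log lines, the addresses (RFC 5737 documentation ranges), the domain name, and the file hash (the SHA-256 of an empty file, used purely as a placeholder) are all constructed for the example. The parser deliberately handles only single-comparison patterns; compound patterns (`AND`, `OR`, `FOLLOWEDBY`) are reported as skipped, because they need a real STIX pattern engine.

```python
"""Extract IoCs from a STIX 2.1 bundle and sweep log lines for them (constructed example)."""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed STIX 2.1 bundle. IDs are placeholder UUIDs; addresses come from RFC 5737
# documentation ranges; the hash is the SHA-256 of an empty file (a placeholder).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--7f1e2b60-2f4d-4c5c-9a1e-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--7f1e2b60-2f4d-4c5c-9a1e-0000000000a1",
         "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
         "name": "C2 server (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']", "valid_from": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--7f1e2b60-2f4d-4c5c-9a1e-0000000000a2",
         "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
         "name": "C2 domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'Update.Example.NET']", "valid_from": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--7f1e2b60-2f4d-4c5c-9a1e-0000000000a3",
         "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
         "name": "Dropper hash (placeholder)", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",   # compound pattern: skipped on purpose
         "id": "indicator--7f1e2b60-2f4d-4c5c-9a1e-0000000000a4",
         "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
         "name": "Compound (unsupported here)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.99' AND network-traffic:dst_port = 4444]",
         "valid_from": "2024-03-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",     # not an indicator: ignored
         "id": "malware--7f1e2b60-2f4d-4c5c-9a1e-0000000000b1",
         "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
         "name": "Example dropper", "is_family": False},
    ],
})

# STIX object paths this example knows how to turn into a plain IoC type.
OBJECT_PATHS = {
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.MD5": "md5",
}
IOC_ORDER = ("ipv4", "domain", "url", "sha256", "md5")

# Only the single-comparison form  [object:path = 'value']  is parsed.
SIMPLE_PATTERN = re.compile(
    r"^\[\s*(?P<path>[A-Za-z0-9\-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'(?P<value>[^']+)'\s*\]$"
)
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def extract_iocs(bundle_json: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return ({ioc_type: {values}}, [patterns that could not be parsed])."""
    iocs: Dict[str, Set[str]] = {t: set() for t in IOC_ORDER}
    skipped: List[str] = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        pattern = obj.get("pattern", "")
        m = SIMPLE_PATTERN.match(pattern)
        ioc_type = OBJECT_PATHS.get(m.group("path")) if m else None
        if ioc_type is None:
            skipped.append(pattern)  # compound or unsupported: hand to a real pattern engine
            continue
        # Domains and hashes are case-insensitive; normalise so the sweep can compare exactly.
        iocs[ioc_type].add(m.group("value").lower())
    return iocs, skipped


def sweep_logs(iocs: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, ioc_type, value) for every IoC seen in the lines."""
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(lines, start=1):
        # Whole-token comparison so 'update.example.net' does not match 'xupdate.example.net'.
        tokens = {t.lower().rstrip(".") for t in TOKEN.findall(line)}
        lowered = line.lower()
        for ioc_type in IOC_ORDER:
            for value in sorted(iocs[ioc_type]):
                # URLs contain ':' and '/', which the tokenizer splits on, so substring-match them.
                matched = value in lowered if ioc_type == "url" else value in tokens
                if matched:
                    hits.append((line_no, ioc_type, value))
    return hits


# Constructed log lines: proxy, EDR, and DNS events from the same workstation.
LOG_LINES = [
    "2024-03-01T10:00:01Z proxy src=10.0.0.21 dst=198.51.100.7 host=www.example.com status=200",
    "2024-03-01T10:00:05Z proxy src=10.0.0.21 dst=203.0.113.45 host=update.example.net status=200",
    "2024-03-01T10:00:09Z edr host=ws21 file=/tmp/svc.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-03-01T10:00:12Z dns src=10.0.0.21 query=mail.example.org answer=198.51.100.9",
]

if __name__ == "__main__":
    found, unparsed = extract_iocs(STIX_BUNDLE)
    for line_no, ioc_type, value in sweep_logs(found, LOG_LINES):
        print(f"line {line_no}: {ioc_type} {value}")
    for p in unparsed:
        print(f"needs a full pattern engine or manual review: {p}")
```

Run as written, the sweep reports the C2 address and domain on line 2 and the hash on line 3, and lists the compound pattern as skipped. In production the bundle would arrive over a TAXII collection rather than a string literal, and the token matching would run inside the SIEM; the normalisation and the "skip what you cannot parse, but say so" behaviour are the parts worth keeping.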
CSAF also supports the *Vulnerability Exploitability eXchange* (VEX) profile, which government agencies, private companies, and other organizations use to share real-time information about whether a product is actually affected by a given vulnerability. You can obtain more information about CSAF and VEX at [https://csaf.io](https://csaf.io).

## Viruses and Worms

One thing that makes viruses unique is that a virus typically needs a host program or file to infect, and viruses require some type of human interaction to spread. A worm can travel from system to system without human interaction. When a worm executes, it can replicate again and infect even more systems. For example, a worm can email itself to everyone in your address book and then repeat this process again and again from each computer it infects. That massive amount of traffic can lead to a denial of service very quickly.

Spyware is closely related to viruses and worms and is considered another type of malicious software. In many ways, spyware is similar to a Trojan because most users don't know that the program has been installed, and the program hides itself in an obscure location. Spyware steals information from the user and also eats up bandwidth. If that's not enough, spyware can also redirect your web traffic and flood you with annoying pop-ups. Many users view spyware as just another type of virus.

This section covers a brief history of computer viruses, common types of viruses, and some of the most well-known virus attacks. Some tools used to create viruses and the best methods of prevention are also discussed.

### Types and Transmission Methods

Although viruses have a history that dates back to the 1980s, their means of infection has changed over the years. Viruses depend on people to spread them. Viruses require human activity, such as booting a computer, executing an autorun on digital media (for example, CD, DVD, USB sticks, external hard drives, and so on), or opening an email attachment.
Malware propagates through the computer world in several basic ways:

- **Master boot record infection**: This is the original method of attack. It works by infecting the master boot record of the hard drive, so the malware runs before the operating system loads.
- **BIOS infection**: This can make the system completely inoperable, or the device could hang before passing the Power On Self-Test (POST).
- **File infection**: This includes malware that relies on the user to execute the file. Extensions such as .com and .exe are usually used. Some form of social engineering is normally used to get the user to execute the program. Techniques include renaming the program or trying to mask the .exe extension to make the file appear to be a graphic (.jpg, .bmp, .png, .svg, and the like).
- **Macro infection**: Macro viruses exploit scripting services installed on your computer. Manipulating and using macros in Microsoft Excel, Microsoft Word, and Microsoft PowerPoint documents has been very popular in the past.
- **Cluster**: This type of virus modifies directory table entries so that they point a user or system process to the malware rather than the actual program.
- **Multipartite**: This style of virus can use more than one propagation method and targets both the boot sector and program files. One example is the NATAS (Satan spelled backward) virus.

**NOTE**: Know the primary types of malware attack mechanisms: master boot record, file infector, macro infector, and the others listed previously.

After your computer is infected, the malware can do any number of things. Some spread quickly. This type of virus is known as a *fast infector*: it infects every file that it is capable of infecting. Others limit the rate of infection. This type of activity is known as *sparse infection*: the virus takes its time infecting other files or spreading its damage. This technique is used to help the virus avoid detection.
Some viruses forgo a life of living exclusively in files and load themselves into RAM (memory-resident viruses), which is the only way that boot sector viruses can spread. As antivirus and security companies have developed better ways to detect malware, malware authors have fought back by trying to develop malware that is harder to detect. For example, in 2012, *Flame* was believed to be the most sophisticated malware to date. *Flame* has the ability to spread to other systems over a local network. It can record audio, screenshots, and keyboard activity, and it can turn infected computers into *Bluetooth beacons* that attempt to download contact information from nearby Bluetooth-enabled devices.

Another technique that malware developers have adopted is *polymorphism*. A polymorphic virus changes its signature every time it replicates and infects a new file, typically by re-encrypting its body with a new key and varying the small decryptor that unpacks it at run time. This technique makes it much harder for an antivirus program to detect the virus with a fixed byte signature.

One of the biggest changes is that malware creators don't massively spread viruses and other malware the way they used to. Much of the malware today is written for a specific target. By limiting the spread of the malware and targeting only a few victims, malware developers make it much harder for antivirus companies to find out about the malware and create a signature to detect it.

When is a virus not a virus? When the virus is just a hoax. A virus hoax is nothing more than a chain letter, meme, or email that encourages you to forward it to your friends to warn them of impending doom or some other notable event. To convince readers to forward the hoax, the email will contain some official-sounding information that could be mistaken as valid.

### Malware Payloads

Malware must place its payload somewhere. It can always overwrite a portion of the infected file, but doing so would destroy the file. Most malware writers want to avoid detection for as long as possible and might not have written the program to immediately destroy files.
One way the malware writer can accomplish this is to place the malware code either at the beginning or the end of the infected file. Malware known as a *prepender* infects programs by placing its viral code at the beginning of the infected file, whereas an *appender* places its code at the end of the infected file. Both techniques leave the original file intact, with the malicious code added to the beginning or the end of the file.

No matter the infection technique, all viruses share some basic common components, as detailed in the following list. At a minimum, every virus has a search routine and an infection routine:

- **Search routine**: The search routine is responsible for locating new files, disk space, or RAM to infect. The search routine could include "profiling." Profiling could be used to identify the environment and morph the malware to be more effective and potentially bypass detection.
- **Infection routine**: The search routine is useless if the virus doesn't have a way to take advantage of its findings. Therefore, the second component of a virus is an infection routine. This portion of the virus is responsible for copying the virus and attaching it to a suitable host. Malware could also use a re-infect/restart routine to further compromise the affected system.
- **Payload**: Most viruses don't stop there and also contain a payload. The purpose of the payload routine might be to erase the hard drive, display a message on the monitor, or send the virus to 50 people in your address book. Payloads are not required, and without one, many people might never know that the virus even existed.
- **Antidetection routine**: Many viruses also have an antidetection routine. Its goal is to help make the virus stealthier and avoid detection.
- **Trigger routine**: The goal of the trigger routine is to launch the payload at a given date and time, or when some other condition is met.
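As an added illustration of the polymorphism and antidetection points above (this is example code written for this page, not code from the chapter, and the "virus body" is a harmless byte string standing in for a real one): each generation of the sample is an unchanging decoder stub, a one-byte key, and the body XOR-encoded with that key. A signature cut from one generation's on-disk bytes misses the next generation; a signature on the invariant stub still fires; and a scanner that emulates the stub sees the plaintext body in every generation. The stub marker, the keys, and the signature slices are all assumptions made for the example.

```python
"""Why a fixed byte signature fails against a polymorphic sample (constructed example).

The body is a harmless byte string standing in for a virus body; nothing here is
executable or infectious.
"""
from typing import List, Tuple

# Harmless stand-in for the virus body (search routine, infection routine, payload, trigger).
BODY = b"STAND-IN BODY: search routine | infection routine | payload | trigger routine"

# Stand-in for the decoder stub. In a real polymorphic virus this is the small piece of code
# that decodes the body at run time; here it is a fixed marker, followed by the key byte
# that the stub would read.
STUB_MARKER = b"\x90DECODE\xeb"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(body: bytes, key: int) -> bytes:
    """One 'generation' of the sample: invariant stub, key byte, body XOR-encoded with that key."""
    if not 0 < key < 256:
        raise ValueError("key must be a single non-zero byte")
    return STUB_MARKER + bytes([key]) + xor_bytes(body, key)


def decode_variant(sample: bytes) -> bytes:
    """What an emulating scanner does: run the stub's logic to recover the plaintext body."""
    if not sample.startswith(STUB_MARKER):
        raise ValueError("no recognised decoder stub")
    key = sample[len(STUB_MARKER)]
    return xor_bytes(sample[len(STUB_MARKER) + 1:], key)


def scan(sample: bytes, signatures: List[Tuple[str, bytes]]) -> List[str]:
    """Static scan: names of all byte signatures present in the sample as stored on disk."""
    return [name for name, sig in signatures if sig in sample]


def scan_with_emulation(sample: bytes, signatures: List[Tuple[str, bytes]]) -> List[str]:
    """Static scan plus a scan of the decoded body, as an emulating engine would see it."""
    found = scan(sample, signatures)
    try:
        decoded = decode_variant(sample)
    except ValueError:
        return found
    return found + [n for n in scan(decoded, signatures) if n not in found]


# Two generations of the same sample, re-encoded with different keys. The keys are fixed here
# for reproducibility; a real engine draws a fresh random key on every infection.
GEN1 = make_variant(BODY, 0x5A)
GEN2 = make_variant(BODY, 0xA7)

SIGNATURES = [
    # Naive: 16 bytes cut from generation 1's on-disk (encoded) body. Matches generation 1 only.
    ("body-as-seen-in-gen1", GEN1[len(STUB_MARKER) + 1:][:16]),
    # Better: the decoder stub, which this simple engine cannot vary.
    ("decoder-stub", STUB_MARKER),
    # Visible only after decoding: the plaintext body.
    ("plaintext-body", BODY[:16]),
]

if __name__ == "__main__":
    for name, sample in (("gen1", GEN1), ("gen2", GEN2)):
        print(name, "static:", scan(sample, SIGNATURES),
              "with emulation:", scan_with_emulation(sample, SIGNATURES))
```

The decoder-stub signature is the classic answer to simple polymorphism, and it is exactly what a more capable engine removes next: a real polymorphic engine also mutates the stub, and a metamorphic one rewrites the whole body on each generation, so the static signature finds nothing. That is why modern antivirus leans on emulation, memory scanning after unpacking, and behaviour (what the file does when it runs) rather than on-disk byte patterns alone.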
## Trojans

Trojans are programs that pretend to do one thing but, when loaded, actually perform another, more malicious act. Trojans take their name from the Trojan Horse of Greek legend (the episode is recounted in Homer's *Odyssey* and Virgil's *Aeneid*; the *Iliad* ends before the fall of Troy). To defeat their enemy, the Greeks built a giant wooden horse with a trapdoor in its belly. The Greeks tricked the Trojans into bringing the large wooden horse into the fortified city of Troy. Then, unknown to the Trojans and under cover of darkness, the Greeks crawled out of the wooden horse, opened the city's gate, and let the waiting soldiers into the city.

A software Trojan horse is based on this same concept. A user might think that a file looks harmless and is safe to run, but after the file is executed, it delivers a malicious payload. Trojans work because they typically present themselves as something you want, such as an email with a PDF, a Word document, or an Excel spreadsheet. Trojans work hard to hide their true purposes. The spoofed email might look like it's from HR, and the attached file might purport to be a list of pending layoffs. The payload is executed if the attacker can get the victim to open the file or click the attachment. That payload might give an attacker remote access to your system, start a keystroke logger to record your every keystroke, plant a backdoor on your system, cause a denial of service (DoS), or even disable your antivirus protection or software firewall.

Unlike a virus or worm, Trojans cannot spread themselves. They rely on the uninformed user.

A few Trojan categories are command-shell Trojans, graphical user interface (GUI) Trojans, HTTP/HTTPS Trojans, document Trojans, defacement Trojans, botnet Trojans, Virtual Network Computing (VNC) Trojans, remote-access Trojans, data-hiding Trojans, banking Trojans, DoS Trojans, FTP Trojans, software-disabling Trojans, and covert-channel Trojans. In reality, it's hard to place some Trojans into a single type because many have more than one function.
To better understand what Trojans can do, refer to the following list, which outlines a few of these types:

- **Remote access**: Remote-access Trojans (RATs) allow the attacker full control over the system. *Poison Ivy* is an example of this type of Trojan. Remote-access Trojans are usually set up as client/server programs so that the attacker can connect to the infected system and control it remotely.
- **Data hiding**: The idea behind this type of Trojan is to hide a user’s data. This type of malware is also sometimes known as *ransomware*. This type of Trojan restricts access to the computer system that it infects, and it demands a ransom paid to the creator of the malware for the restriction to be removed.
- **E-banking**: These Trojans (Zeus is one such example) intercept and use a victim’s banking information for financial gain. Usually, they function as a transaction authorization number (TAN) grabber, use *HTML injection*, or act as a form grabber. The sole purpose of these types of programs is financial gain.
- **Denial of service (DoS)**: These Trojans are designed to cause a DoS. They can be designed to knock out a specific service or to bring an entire system offline.
- **Proxy**: These Trojans are designed to work as proxy programs that help a hacker hide and allow him to perform activities from the victim’s computer, not his own. After all, the farther away the hacker is from the crime, the harder it becomes to trace him.
- **FTP**: These Trojans are specifically designed to work on port 21. They allow the hacker or others to upload, download, or move files at will on the victim’s machine.
- **Security-software disablers**: These Trojans are designed to attack and kill antivirus or software firewalls. The goal of disabling these programs is to make it easier for the hacker to control the system.

### Trojan Ports and Communication Methods

Trojans can communicate in several ways. Some use overt communications.
These programs make no attempt to hide the transmission of data as it is moved on to or off of the victim’s computer. Most use covert communication channels. This means that the hacker goes to lengths to hide the transmission of data to and from the victim. Many Trojans that open covert channels also function as backdoors. A *backdoor* is any type of program that will allow a hacker to connect to a computer without going through the normal authentication process. If a hacker can get a backdoor program loaded on an internal device, the hacker can then come and go at will. Some of the programs spawn a connection on the victim’s computer connecting out to the hacker. The danger of this type of attack is the traffic moving from the inside out, which means from inside the organization to the outside Internet. This is usually the least restrictive because companies are usually more concerned about what comes in the network than they are about what leaves the network.

## Trojan Goals

Not all Trojans were designed for the same purpose. Some are destructive and can destroy computer systems, whereas others seek only to steal specific pieces of information. Although not all of them make their presence known, Trojans are still dangerous because they represent a loss of confidentiality, integrity, and availability. Common targets of Trojans include the following:

- **Credit card data**: Credit card data and banking information have become huge targets. After the hacker has this information, he can go on an online shopping spree or use the card to purchase services, such as domain name registration.
- **Electronic or digital wallets**: Individuals can use an electronic device or online service that allows them to make electronic transactions. This includes buying goods online or using a smartphone to purchase something at a store. A digital wallet can also be a cryptocurrency wallet (such as Bitcoin, Ethereum, Litecoin, Ripple, and so on).
- **Passwords**: Passwords are always a big target. Many of us are guilty of password reuse. Even if we are not, there is always the danger that a hacker can extract email passwords or other online account passwords.
- **Insider information**: We have all had those moments in which we have said, “If only I had known this beforehand.” That’s what insider information is about. It can give the hacker critical information before it is made public or released.
- **Data storage**: The goal of the Trojan might be nothing more than to use your system for storage space. That data could be movies, music, illegal software (warez), or even pornography.
- **Advanced persistent threat (APT)**: It could be that the hacker has targeted you as part of a nation-state attack or your company has been targeted because of its sensitive data. These attackers might spend significant time and expense to gain access to critical and sensitive resources. You can obtain information about numerous APT threat actors, as well as the tactics and techniques used, at the MITRE ATT&CK framework at [https://attack.mitre.org/groups](https://attack.mitre.org/groups).

**TIP**: The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that provides a comprehensive framework for understanding the actions and behaviors of real-life attackers during the different stages of an attack. It is widely used in the cybersecurity community and is maintained by MITRE Corporation. MITRE ATT&CK covers a wide range of threat actor tactics, techniques, and procedures (TTPs) across different platforms, such as Windows, macOS, Linux, network infrastructure, mobile devices, IoT, and cloud environments. The framework is organized into matrices that group these TTPs based on the targeted platform.
Each TTP is described in detail, providing insights into how adversaries operate, which helps cybersecurity experts, ethical hackers, and incident responders to better understand and respond to cyber threats effectively. The MITRE ATT&CK framework is continually updated to reflect the evolving threat landscape, making it a valuable resource for the cybersecurity community to enhance threat intelligence, detection, and response capabilities. You can access ATT&CK at [https://attack.mitre.org](https://attack.mitre.org).

### Trojan Infection Mechanisms

After a hacker has written a Trojan, he will still need to spread it. The Internet has made this much easier than it used to be. There are a variety of ways to spread malware, including the following:

- **Peer-to-peer networks (P2P)**: Although users might think that they are getting the latest copy of a computer game or the Microsoft Office package, in reality, they might be getting much more. P2P networks and file-sharing sites such as The Pirate Bay are generally unmonitored and allow anyone to spread any programs they want, legitimate or not.
- **Instant messaging (IM)**: IM was not built with security controls. So, you never know the real contents of a file or program that someone has sent you. IM users are at great risk of becoming targets for Trojans and other types of malware. Many popular IM platforms, such as WhatsApp, Facebook Messenger, and Discord, have been used by scammers and attackers. These threat actors have been able to send malicious files and payloads to exploit vulnerabilities and compromise user data.
- **Internet Relay Chat (IRC)**: IRC is full of individuals ready to attack the newbies who are enticed into downloading a free program or application.
- **Email attachments**: Attachments are another common way to spread a Trojan. To get you to open them, these hackers might disguise the message to appear to be from a legitimate organization.
  The message might also offer you a valuable prize, a desired piece of software, or similar enticement to pique your interest. If you feel that you must investigate these attachments, save them first and then run an antivirus on them. Email attachments are the number-one means of malware propagation. You might investigate them as part of your information security job to protect network users.
- **Physical access**: If a hacker has physical access to a victim’s system, he can just copy the Trojan horse to the hard drive (via a thumb drive). The hacker can even take the attack to the next level by creating a Trojan that is unique to the system or network. It might be a fake login screen that looks like the real one