Ethical Hacking CISC 350 Introduction PDF

ETHICAL HACKING CISC 350 JANUARY 2025 ETHICAL HACKING take the concepts and techniques used by hackers and apply them for the benefit of organizations and individuals in an attempt to elevate their security posture. But what exactly does that mean? ETHICAL HACKING Ethical hacking represents a group of skills within cyber security that manifests in a few distinctive roles, including red teamers (penetration testers), blue teamers, and purple teamers. Ethical hackers are also part of a larger group known as white hat hackers, whose focus is education and defense What role does the ethical hacker play in organizational security? Unlike threat actors (black hats), who are motivated primarily by financial gain, ethical hackers align themselves on the defensive side of networks, attempting to secure networks by pointing out flaws and misconfigurations that malicious attackers would take advantage of. ETHICAL HACKERS They are skilled in the tactics, techniques, and procedures (TTPs) of adversaries. This means they understand how attackers operate, what tools they use, how they find information, and how they use that to take advantage of an organization. (The best offense is …) Ethical hackers also realize security is an evolving discipline where learning and growth never end. One place to get a better understanding of attackers and the operations they perform is to review the MITRE ATT&CK framework, which lays out a matrix of categories showing various attacks. For more information: https:// attack.mitre.org/ MITRE ATT&CK Let’s visit the site to see what it is about: https://attack.mitre.org/ MITRE ATT&CK stands for "MITRE Adversarial Tactics, Techniques, and Common Knowledge," which is a widely used framework developed by the MITRE Corporation that catalogs and describes the tactics, techniques, and procedures (TTPs) used by cyber attackers, allowing security professionals to better understand and defend against cyber threats by analyzing attacker behaviors across different stages of an attack lifecycle. How can we use this??? Without yet knowing anything about ethical hacking, does this seem useful?? How? ELEMENTS OF INFORMATION SECURITY Information security and, subsequently, ethical hacking methodologies revolve around three core principles: Confidentiality, Integrity, and Availability (CIA). These core principles provide the framework for information security and are used by ethical hackers and security professionals to test security and security solutions. CONFIDENTIALITY Data stored on networks in the form of databases, files, and so on carries a certain level of restriction. Access to information must be given only to authorized personnel. Ensuring this information is reserved for only those who need to know about it can be addressed through techniques such as encryption, network segmentation, and access restrictions, as well as practicing the principle of least privilege. These are the things ethical hackers check and test to make sure there are no gaps or exposure of information beyond what is authorized. INTEGRITY Data that is accessed and viewed, whether part of an email or viewed through a web portal, must be trustworthy. Ethical hackers and security personnel ensure that data has not been modified or altered in any way; this includes data at rest as well as data in transit. Examples of integrity checks include showing and storing hash values and the use of techniques, including digital signatures and certificates AVAILABILITY The last principle is that of availability. Information that is locked down to a level where no one can access it not only defeats the purpose of having data but affects the efficiency of those who are authorized to access it. However, just like the other principles, there is a fine line between availability by authorized personnel and confidentiality. An ethical hacker tests availability in a number of ways. Some examples include remote access for employees, establishing hours of operation for personnel, and what devices can have access WHY DO INTRUSIONS AND ATTACKS HAPPEN? Attacks do not operate in a vacuum, and as such, attacks and intrusions can be broken down into three core areas, sometimes referred to as the intrusion triangle or crime triangle. In other words, certain conditions must exist before an attack can occur. These core areas are: Motive, Means, and Opportunity MOTIVE An attacker must have a reason to want to attack a network. These motives include exploration, data manipulation, and causing damage, destroying, or stealing data. Motives may also be more personal, including financial, retaliation, or revenge. Examples include a disgruntled employee who wants to do damage based on some grievance with the company managers or coworkers. Another would be a cybercrime group targeting a company or industry to extort money through ransomware or some other means. Still, another would be a script kiddie who stumbled upon the network and thought it might be interesting to see what they could get access to MOTIVE (CONT.) For investigators, it is also important to differentiate between motives for criminal activity and the operational goals and objectives associated with the larger crime. As an example, compromising user accounts is not the goal of an attack; gaining access to the corporate network and stealing data is. The account compromise is simply an operational goal. It may also be important to understand the intensity of an attack and the motives behind it. People who are desperate are more determined to achieve their goals. The employee who is in a bad financial situation may see accessing and stealing company funds as the only means to alleviate the situation MEANS Once an attacker has a motive, they need the means to perform the attack. Means refers to the technology plus an individual’s or group’s skills, knowledge, and available resources. By understanding these requirements to commit a given crime, plus the potential motivations, investigators can narrow down attribution to individuals or groups and eliminate others. Additionally, investigators need to be aware of technological innovations as potential means of committing cybercrimes in relation to the crime committed. By way of example, a nation-state actor in China would not have the means to access and sabotage an electrical plant in the United States physically. However, once the electrical plant installed IoT sensors and connected them to the internet, the means would be made available OPPORTUNITY The third part, completing the triangle, is opportunity. Used in conjunction with motive and means, an opportunity is that moment or chance where the attack can be completed successfully. For an opportunity to be available, it means that various protective mechanisms were either ineffective or non-existent. This means that human, technological, or environmental factors were conducive to the crime being committed. For example, a power failure might cause locked doors to fail open for safety but allow criminals free access to all areas of the company (Or) unpatched servers exposed to the internet might be discovered during a scan, informing attackers what exploit(s) will be successful in accessing the core network MOTIVE -- MEANS -- OPPORTUNITY Of the three, which is the one we, as defenders, should be focusing on? Which would we have a level of control over? WHO ARE THE ATTACKERS? In general, hackers are split into a few categories: Black Hat - break into computer networks with malicious intent White Hat - This group is sometimes referred to as ethical hackers and is the opposite of black hat hackers Gray Hat - Gray hat hackers are a peculiar mix of both black hat and white hat characteristics. They operate on their own, looking for network faults and hacks in networks, systems, and applications. They do so with the intention of demonstrating to owners and administrators that have networks, systems, and applications under their care and control that a defect exists in their security posture BLACK HAT Script Kiddies = Novice Hacktivists = We have a cause! Cyber-Terrorists / State Sponsored = Government Cyber Criminals = $$$ Show me the money $$$ WHITE HAT Red team – pen testers, offensive in nature Blue team - defensive computing space and is commonly the internal employees in charge of various security systems, policies, and procedures Purple team - members are there to bridge gaps in understanding and communication by having skills in both disciplines (red & blue) ATTACK TARGETS AND TYPES There are many things that can be targeted for an attack; however, all areas of an attack can be distilled down to three core areas: Network Application Host NETWORK Network attacks are usually one of the first types of attacks to occur. The most common of these types of attacks are flooding attacks, which overwhelm the receiving hardware, forcing it to perform unintended operations or to simply give up and not work at all, such as in a denial of service (DOS) attack. APPLICATION Application attacks, as the name suggests, focus on applications or services. Most of these will be at the server level, however, they are not limited to servers and can exist on standalone devices or user workstations. Application attacks usually take advantage of misconfigurations or vulnerabilities. SQL injection and cross-site scripting are examples of this HOST Host attacks, sometimes called endpoint attacks, are attacks that target end user systems through their desktop machines and laptops. Because of the nature of these machines, they tend to have a much larger number of applications installed, and the behavior of the users operating them is less defined. Drive-by downloads: a victim becomes compromised simply by visiting a website Unpatched or legacy applications: Java is one of the biggest culprits here as old versions of Java can be found on most machines THE ANATOMY OF AN ATTACK Before any type of attack takes place, a series of steps or actions take place, often referred to as the cyber kill chain. This lays out a series of actions and events attackers commonly take to exploit a system or network. This model helps defenders with context and categorizing at what stage an attacker is at when detections are made The cyber kill chain was adopted from the military term kill chain, describing the structure of an attack CYBER KILL CHAIN RECONNAISSANCE This part of the attack is usually the most prolonged and can take weeks, months, or even years depending on the target and the attacker’s goals. Given the current state of information available on the internet, the attacker’s job is made easier. For defenders, it is almost impossible to identify and detect reconnaissance due to how it is conducted. Over time, attackers can collect enough information without any active connection to have a comprehensive profile of the target. WEAPONIZATION After sufficient time, when the collected information about the target nears completion, adversaries move into the weaponization phase. Weaponization may include preparing an exploit based on a vulnerability identified in the target’s environment Security defenders cannot detect weaponization until near the end of this stage, when they contact the target. However, this is an essential phase for defenders to be prepared for by keeping their security controls hardened against these tactics or exploitation and deploying malware. DELIVERY At the completion of the weaponization stage, the attacker is ready for the delivery phase. They will launch their attack using the delivery method of choice and wait for the exploitation to take place. Depending on how the weaponization is performed, this may be the first opportunity for security defenders to detect, analyze, and block the delivery EXPLOITATION Exploitation is the stage where the attacker attempts to gain access to the victim. For this to take place, the adversary needs to exploit a vulnerability; this could be a vulnerability on an internet-facing system, it could be through phishing, or it could even be through some sort of social engineering. The adversary already has spent time collecting information about the vulnerabilities, not only in systems but in people, during the reconnaissance phase INSTALLATION Once exploitation is successful, the attacker moves on to the installation phase. This is the time when the attacker entrenches the system and organization. They do this by establishing persistency by installing backdoors or opening a connection from the victim to a C2 server. Once entrenchment is complete, the attacker begins the process of lateral movement and further installations. Defenders use different security controls such as host-based intrusion detection systems (HIDS), endpoint detection and response (EDR), antivirus (AV) software, and even security information and event management (SIEM) platforms to detect block installation of backdoors. COMMAND & CONTROL In the C2 phase, the attacker creates two-way communication with their server to issue commands from – this is known as a C2 server. This C2 server can be owned and managed by the adversary or rented from another group. This C2 server is set to command the infected hosts, much like other legitimate applications that use an agent on the endpoint to foster communications For defenders, this is the last chance in this kill chain to detect and block an attack by blocking C2 communications. This can be accomplished through proper monitoring of outgoing connections or requiring Proxy HTTP and DNS authentication ACTIONS ON OBJECTIVES At this stage, the adversary has achieved the entrenchment of a victim network with persistent access and communications with the C2 server. Now the attacker can begin to move on to their objectives, but what the adversary will do next depends on their intent. For the defender, the attack is now underway. Proper monitoring techniques may detect the anomaly, but this is not easy once the attacker is inside the system. Most defense is applied to keeping the bad guys out, but what do you do once they are in? DEFENSIVE TECHNOLOGIES Firewalls Antivirus Intrusion Detection Systems (HIDS & NIDS) Endpoint Detection & Response (EDR) – replacement for HIDS, collect data for a central repository Security Information & Event Management (SIEM) – act as a go between for NIDS and EDR. Analyzes the collected data and creates reports Security Orchestration, Automation, and Response (SOAR) - like SIEM, but can also take action to stop an attack

Ethical Hacking CISC 350 Introduction PDF

Document Details

Tags

Related

Summary

Full Transcript