Chapter 2 - 03 - Understand Network-level Attacks - 08_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Information Security Attacks Exam 212-82

Distributed Reflection Denial-of-Service (DRDoS) Attack

A distributed reflection DoS (DRDoS) attack, also known as a "spoofed" attack, involves the use of multiple intermediary and secondary machines that contribute to a DDoS attack against a target machine or application. A DRDoS attack exploits the TCP three-way handshake vulnerability. This attack involves an attacker machine, intermediary victims (zombies), secondary victims (reflectors), and a target machine. The attacker launches this attack by sending requests to the intermediary hosts, which then redirect the requests to the secondary machines, which in turn reflect the attack traffic to the target.

The process of a DRDoS attack is as follows. First, the attacker commands the intermediary victims (zombies) to send a stream of packets (TCP SYN) with the primary target's IP address as the source IP address to other non-compromised machines (secondary victims or reflectors) in order to prompt them to establish a connection with the primary target. Consequently, the reflectors send a huge volume of traffic (SYN/ACK) to the primary target to establish a new connection with it because they believe the host requested it. The primary target discards the SYN/ACK packets received from the reflectors because it did not send the SYN packets. Meanwhile, the reflectors wait for the ACK response from the primary target. Assuming that the packet was lost, the reflector machines resend SYN/ACK packets to the primary target to establish the connection until a time-out occurs. In this manner, the target machine is flooded with a heavy volume of traffic from the reflector machines. The combined bandwidth of these reflector machines overwhelms the target machine.

A DRDoS attack is an intelligent attack because it is very difficult or even impossible to trace the attacker. Instead of the actual attacker, the secondary victims (reflectors) seem to attack the primary target directly. This attack is more effective than a typical DDoS attack because multiple intermediary and secondary victims generate huge attack bandwidth.

Figure 2.26: Distributed reflection DoS (DRDoS) attack (Attacker -> Intermediary Victims -> Secondary Victims -> Primary Target)

Module 02 Page 213 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
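As an added illustration (this is not part of the EC-Council text), the following Python example shows how a defender on the primary target's side can recognise the reflector traffic the section describes: SYN/ACK segments arriving for connections the host never initiated, from several sources, each retransmitting until its own handshake times out. The flow-log format, the addresses, and the thresholds are constructed assumptions, not a real sensor's output.

```python
"""Detect DRDoS-style SYN/ACK backscatter in a simple TCP flow log.

Added example, not from the EC-Council text. The log format ("time
src:port dst:port flags"), the hosts and the thresholds are constructed
for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 10.0.0.5 is a legitimate client completing a
# normal three-way handshake. 10.0.0.9 never sends a SYN but receives
# SYN/ACKs from three reflectors, each of which retransmits (the
# reflectors believe 10.0.0.9 asked for the connection).
SAMPLE_LOG = """\
1.000 10.0.0.5:40001 203.0.113.10:80 S
1.010 203.0.113.10:80 10.0.0.5:40001 SA
1.020 10.0.0.5:40001 203.0.113.10:80 A
2.000 198.51.100.1:80 10.0.0.9:5100 SA
2.000 198.51.100.2:443 10.0.0.9:5101 SA
2.000 198.51.100.3:22 10.0.0.9:5102 SA
3.000 198.51.100.1:80 10.0.0.9:5100 SA
3.000 198.51.100.2:443 10.0.0.9:5101 SA
3.000 198.51.100.3:22 10.0.0.9:5102 SA
5.000 198.51.100.1:80 10.0.0.9:5100 SA
5.000 198.51.100.2:443 10.0.0.9:5101 SA
5.000 198.51.100.3:22 10.0.0.9:5102 SA
"""


@dataclass
class BackscatterReport:
    victim: str                 # host receiving unsolicited SYN/ACKs
    unsolicited_synack: int     # total unsolicited SYN/ACK segments seen
    reflectors: dict = field(default_factory=dict)  # reflector ip -> count


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags


def detect_backscatter(log_text, min_reflectors=2, min_packets=5):
    """Return a report for every host receiving SYN/ACKs it never asked for.

    A SYN/ACK is solicited only if the monitored side previously sent a SYN
    for the same 4-tuple. Many unsolicited SYN/ACKs from several distinct
    sources, each repeating, is the signature of reflectors that were
    handed a spoofed SYN carrying this host's address.
    """
    sent_syn = set()  # (client, client_port, server, server_port)
    unsolicited = defaultdict(lambda: defaultdict(int))  # victim -> reflector -> n
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, sip, sport, dip, dport, flags = parse_line(line)
        if flags == "S":
            sent_syn.add((sip, sport, dip, dport))
        elif flags == "SA" and (dip, dport, sip, sport) not in sent_syn:
            unsolicited[dip][sip] += 1

    reports = []
    for victim, reflectors in unsolicited.items():
        total = sum(reflectors.values())
        if len(reflectors) >= min_reflectors and total >= min_packets:
            reports.append(BackscatterReport(victim, total, dict(reflectors)))
    return reports


if __name__ == "__main__":
    for r in detect_backscatter(SAMPLE_LOG):
        print(f"{r.victim}: {r.unsolicited_synack} unsolicited SYN/ACKs "
              f"from {len(r.reflectors)} reflectors: {r.reflectors}")
```

The report names the reflectors, not the attacker, which is exactly the tracing problem the text raises: the reflectors are themselves victims, so the useful mitigation is upstream of them (filtering packets with spoofed source addresses at the network edge so the forged SYNs never reach a reflector) together with rate-limiting unsolicited SYN/ACKs at the target.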
Malware Attacks

Malware is a piece of malicious software that is designed to perform activities intended by the attacker without user consent. It may be in the form of executable code, active content, scripts, or other kinds of software. An attacker can use malware for various objectives, such as to compromise system security, intercept computer operations, gather sensitive information, modify, delete, or add content to a website, and control a user's computer. It is used against government agencies or corporate companies to extract highly confidential information. Examples of malware include viruses, Trojans, adware, spyware, rootkits, and backdoors.

Advanced Persistent Threats (APTs)

An advanced persistent threat is defined as a type of network attack whereby an attacker gains unauthorized access to a target network and remains in the network without being detected for a long time. The word "advanced" signifies the use of techniques to exploit the underlying vulnerabilities in the system. The word "persistent" signifies the external command-and-control (C&C) system that continuously extracts data and monitors the victim's network. The word "threat" signifies human involvement in coordination.

APT attacks are highly sophisticated attacks whereby an attacker uses well-crafted malicious code along with a combination of multiple zero-day exploits to gain access to the target network. These attacks involve well-planned and coordinated techniques whereby attackers erase evidence of their malicious activities after their objectives have been fulfilled. APT attacks are usually performed on organizations possessing valuable information, such as financial, healthcare, defense and aerospace, manufacturing, and business organizations. The main objective of these attacks is to obtain sensitive information rather than sabotaging the organization and its network.

Information obtained by an attacker through APT attacks includes:

* Classified documents
* Transaction information
* User credentials
* Credit card information
* Employees' or customers' personal information
* Organization's business strategy information
* Network information
* Control system access information

Physical Attacks

Attackers perform physical attacks by interacting with physical assets such as systems or networks to damage them or to spread malware across the entire infrastructure of the target. Attackers create a route to the target system or network by bypassing the physical security of a building or company and implant malicious code or software. It is difficult to detect or defend against such attacks because most of them originate from insiders and trusted assets. The following are the possible types of physical attacks.

* Malicious Universal Serial Bus (USB) Cable
  This type of attack is performed by embedding in a USB cable a small chip with a Wi-Fi controller, which, once the cable is plugged into a computer, can execute commands from the attacker's system. The victim cannot tell the cable apart from a normal one, and the attacker can control the system remotely.

* Malicious Flash Drive
  Malicious flash drives contain harmful code with autorun capability that can damage the system, steal data, or spread malware to other systems in the network. These drives carry viruses, worms, Trojans, or adware, which are installed on the system immediately after the drive is plugged in.

* Card Cloning
  Card cloning is the process of creating a copy or duplicate of a credit card or access card by copying information from the original card. This process of copying information from cards is called skimming, which is performed using an electronic device and software. The extracted information is written to another card.

* Skimming
  Skimming is the process of extracting payment and personal information from credit cards using special devices called skimmers. Identity thieves attach a small skimmer to an ATM or a card swipe machine to capture payment information.
