Lesson 1: Cybersecurity Essentials
Don Mariano Marcos Memorial State University
Summary
This presentation outlines the essentials of cybersecurity, including its scope, the evolving nature of cybercriminals, and the lifecycle of an advanced attack. It discusses various attack strategies and methods used by cybercriminals, such as social engineering, malware, and encryption.
Cybersecurity Essentials

Outline
◎ What is cybersecurity?
◎ Scope of Cybersecurity
◎ State of Today’s Intrusion
◎ The Changing Face of Cybercriminals

What is Cybersecurity?

Introduction
◎ Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users through ransomware; or interrupting normal business processes.
◎ Advanced persistent threats (APTs) have changed the world of enterprise security and how networks and organizations are attacked.
◎ Connectivity allows us to communicate instantly across the globe.

Review of some concepts
◎ Physical Security

Scope of Cyber Security
TO PROTECT:
◎ Confidentiality/Secrecy
◎ Integrity
◎ Availability
Against THREATS!
Example: attackers overload a website with fake requests to make it slow or unreachable for others; that is an attack on the service’s availability.

Quick Quiz 1
◎ What does cyber security protect?
The Answer
◎ Confidentiality
◎ Integrity
◎ Availability
of data against threats.

Quick Quiz 2
◎ It means that only authorized people should have the ability to use or modify systems and data.
The Answer
◎ Integrity

State of Today’s Intrusion

Thought-process of Cybercriminals
◎ Cybercriminals are highly motivated professionals — often well-funded by criminal organizations or nation-states — who are far more patient and persistent in their efforts to break through an organization’s defenses.
◎ Today’s threats are more sophisticated and equal opportunity than ever before.
◎ All types of enterprises and information are being targeted.
◎ More and more attacks are increasingly coming to fruition, producing a steady stream of high-profile, sophisticated breaches and

Some attacks: Comodo (business partners)
In March 2011, an intruder compromised a reseller’s network (not Comodo’s own network) and stole nine digital security certificates that could then be fraudulently issued to impersonate various websites operated by Google, Microsoft, Skype, and Yahoo!, among others.

Some attacks: Adobe
As reported in early October 2013 by security blogger Brian Krebs, Adobe originally reported that hackers had stolen nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts.

Some attacks: Canva
In May 2019 the Australian graphic design tool website Canva suffered an attack that exposed the email addresses, usernames, names, and cities of residence of 137 million users, along with passwords salted and hashed with bcrypt (for the roughly 61 million users not using social logins). Canva says the hackers managed to view, but not steal, files with partial credit card and payment data.

Some attacks: Uber
The 2016 breach was hidden by the ride-sharing firm, which paid hackers $100,000 (£75,000) to delete the data. The company's former chief executive Travis Kalanick knew about the breach over a year ago, according to Bloomberg, which first broke the news. The hackers found 57 million names, email addresses and mobile phone numbers, Uber said.

Some attacks: Epsilon (customer information)
In March 2011, a portion of Epsilon’s (an online marketing company) clients’ customer database was breached “by an unauthorized entry into Epsilon’s e-mail system,” exposing customer names and e-mail addresses. This information may enable an attacker to create a very credible spear phishing e-mail campaign.

Warning: False Sense of Security
◎ Many organizations and individuals have been lulled into a false sense of security by the mistaken belief that the only data an attacker wants to steal, and thus the only data that needs to be protected, is financial data, such as credit card numbers or banking information.
◎ But breaches are not limited to financial data — if it’s valuable to you or your organization, it’s very likely to be valuable to someone else as well!
◎ As the Epsilon and Comodo examples illustrate, you don’t have to have the “crown jewels” in your own network to be a victim. How secure are your partner and reseller networks?

THE CHANGING FACE OF CYBERCRIMINALS

Cybercriminals
◎ Cybercriminals have evolved from the prototypical “whiz kid” — sequestered in a basement, motivated by notoriety, and fueled by too much carbonated caffeine — into bona fide cybercriminals, often motivated by significant financial gain and sponsored by nation-states, criminal organizations, or radical political groups.
◎ Today’s attacker fits the following profile:
✓ Has far more resources available to facilitate an attack
✓ Has greater technical depth and focus
✓ Is well funded
✓ Is better organized
◎ Additionally, criminal organizations and nation-states have far greater financial resources than independent individuals.
◎ Many criminal hacking operations have been discovered, complete with all the appearances of a legitimate business: offices, receptionists, and cubicles full of dutiful cybercriminals.
◎ These are criminal enterprises in the truest sense, and their reach extends far beyond that of an individual.

THE LIFECYCLE OF AN ADVANCED ATTACK

Trend in attacks
◎ Attack strategies have evolved.
◎ Traditional: a direct attack against a high-value server or asset.
◎ Trend: strategies now employ a patient, multi-step process that blends exploits, malware, and evasion into an ongoing coordinated network attack. Example: luring an individual into clicking on an infected link.

Key Components and Tools in the Advanced Attack Strategy
Infection: Phishing (Social); Hide Transmission (SSL, IM, P2P); Remote Exploit (Shell Access); Malware Delivery (Drive-by-Download)
Persistence: Rootkits/Bootkits; Backdoor (Poison Ivy); Anti-AV (Infect MBR)
Communication: Encryption (SSL, SSH, Custom); Proxies, RDP, Application Tunnels; Port Evasions (tunnel over open ports); Fast Flux (Dynamic DNS)
Command & Control: Common Apps (Social Media, P2P); Update Configure Files; EXE Updates; Backdoors and Proxies

Infection
◎ Infection often has a social aspect.
◎ Understanding how malware and exploits have become closely interrelated in the advanced attack lifecycle is important.
◎ Most exploits today are used to crack a target system to infect it with malware: an exploit is run, causing a buffer overflow, which allows the attacker to gain shell access.
◎ With shell access, the attacker can deliver pretty much any payload. The first step is to exploit the target, then deliver the malware in the background through the application or connection that is already open.
◎ Drive-by-download – the most common delivery mechanism for advanced malware today.
◎ Infection relies heavily on hiding from and evading traditional security solutions.
◎ Another common way to avoid security is to infect the user over a connection that security can’t see into, such as an encrypted channel.
◎ Attack transmissions are often obscured in SSL-encrypted (Secure Sockets Layer) traffic or other proprietary encryption used in P2P (peer-to-peer) networking applications and IM (instant messaging).
The trend today: threats do not necessarily come as an executable attachment in an e-mail. A link is all that is required.

Persistence
◎ Once a target machine is infected, the attacker needs to ensure persistence (the resilience or survivability of his foothold in the network).
◎ Rootkits and bootkits are commonly installed on compromised machines for this purpose.
◎ A rootkit is malware that provides privileged (root-level) access to a computer.
◎ A bootkit is a kernel-mode variant of a rootkit, commonly used to attack computers that are protected by full-disk encryption.
◎ Backdoors enable an attacker to bypass normal authentication procedures to gain access to a compromised system.
◎ Backdoors are often installed as a failover in case other malware is detected and removed from the system.
◎ Poison Ivy is one example of a backdoor that was used in the RSA attack.
◎ Anti-AV malware may be installed to disable any legitimately installed antivirus software on the compromised machine, thereby preventing automatic detection and removal of malware that is subsequently installed by the attacker.
◎ Many anti-AV programs work by infecting the Master Boot Record (MBR) of a target machine.

Communication
◎ Communication is fundamental to a successful APT. Attackers must be able to communicate with other infected systems or controllers to enable command and control, and to extract stolen data from a target system or network.
◎ Attack communications must be stealthy and cannot raise any suspicion on the network. Such traffic is usually obfuscated or hidden through techniques such as the following:
◎ Encryption with SSL, SSH (Secure Shell), or some other custom application. Proprietary encryption is also commonly used. For example, BitTorrent is known for its use of proprietary encryption and is a favorite attack tool — both for infection and ongoing command and control.
◎ Circumvention via proxies, remote desktop access tools (such as LogMeIn!, RDP, and GoToMyPC), or by tunneling applications within other (allowed) applications or protocols.
◎ Port evasion using network anonymizers or port hopping to tunnel over open ports. For example, botnets are notorious for sending command-and-control instructions over IRC (Internet Relay Chat) on nonstandard ports.
◎ Fast Flux (or Dynamic DNS) to proxy through multiple infected hosts, reroute traffic, and make it extremely difficult for forensic teams to figure out where the traffic is really going.

Command and Control
◎ Command and control rides on top of the communication platform that is established, but is really about making sure that the attack is controllable, manageable, and updateable.

THE CENTRAL ROLE OF MALWARE

Role of Malware
◎ Attack techniques have also evolved, and malware now plays a central role in the cybercriminal’s arsenal and in the lifecycle of an attack.
◎ Similarly, cyberattacks rely on sleight of hand — how to infect, persist, and communicate without being detected.
◎ Unfortunately, our traditional view of malware and old security habits make us think of malware as the pea — an executable payload, perhaps attached to an e-mail. To understand, control, and successfully counter advanced threats, we need to focus not just on the pea (malware), but on all the moving parts.
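The Communication slides above name two tricks a defender can look for in ordinary network logs: command-and-control over IRC on nonstandard ports, and fast-flux DNS that rotates a name across many short-lived addresses. The script below is an added example written for this lesson, not code from the original slides. The log formats, sample lines, addresses (RFC 5737 documentation ranges), and the detection thresholds (four distinct addresses, TTL of 300 seconds or less) are all constructed assumptions for the demonstration, not values from any real product or incident.

```python
"""Detection heuristics for two C2 communication tricks named in the lesson:
IRC command-and-control on nonstandard ports, and fast-flux DNS.
Added example for this lesson; log formats and sample records are constructed."""
import re
from collections import defaultdict

# Constructed DNS answer log, one key=value record per line (not a real product format).
DNS_LOG = """\
ts=1 qname=cdn.example.test answer=192.0.2.10 ttl=3600
ts=2 qname=cdn.example.test answer=192.0.2.11 ttl=3600
ts=3 qname=login-portal.example.test answer=198.51.100.5 ttl=60
ts=4 qname=login-portal.example.test answer=203.0.113.77 ttl=60
ts=5 qname=login-portal.example.test answer=198.51.100.9 ttl=30
ts=6 qname=login-portal.example.test answer=203.0.113.12 ttl=60
ts=7 qname=login-portal.example.test answer=192.0.2.200 ttl=45
ts=8 qname=cdn.example.test answer=192.0.2.10 ttl=3600
"""

# Constructed flow log: one TCP session per line with the first payload line captured.
FLOW_LOG = """\
ts=1 src=10.0.0.5 dst=203.0.113.40 dport=443 payload=<non-text>
ts=2 src=10.0.0.7 dst=198.51.100.23 dport=8080 payload=NICK bot-7f3a
ts=3 src=10.0.0.7 dst=198.51.100.23 dport=8080 payload=JOIN #ops
ts=4 src=10.0.0.9 dst=192.0.2.77 dport=6667 payload=NICK alice
ts=5 src=10.0.0.5 dst=203.0.113.40 dport=80 payload=GET / HTTP/1.1
"""

# IANA-registered IRC ports (plain and TLS). Anything else is "nonstandard" here.
IRC_STANDARD_PORTS = {6667, 6697}
# IRC client registration/channel commands that begin a session.
IRC_COMMAND = re.compile(r"^(NICK|USER|PASS|JOIN|PRIVMSG)\b", re.IGNORECASE)


def parse_record(line):
    """Parse 'k=v k=v ... payload=<rest of line>' into a dict.

    The payload is split off first because it may itself contain spaces."""
    head, sep, payload = line.partition(" payload=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    if sep:
        fields["payload"] = payload
    return fields


def find_irc_off_port(flow_log):
    """Return sorted (src, dst, dport) tuples whose first payload looks like an
    IRC command but whose destination port is not a standard IRC port.

    Matching on the protocol rather than the port is what catches port hopping."""
    hits = set()
    for line in flow_log.splitlines():
        rec = parse_record(line)
        if not IRC_COMMAND.match(rec.get("payload", "")):
            continue
        dport = int(rec["dport"])
        if dport not in IRC_STANDARD_PORTS:
            hits.add((rec["src"], rec["dst"], dport))
    return sorted(hits)


def find_fast_flux(dns_log, min_distinct_ips=4, max_ttl=300):
    """Return {domain: {"distinct_ips": n, "max_ttl": t}} for names that resolved
    to at least min_distinct_ips different addresses, all with TTL <= max_ttl.

    A CDN also spreads a name over several addresses, so the thresholds are
    assumptions to tune per environment, and hits deserve analyst review."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for line in dns_log.splitlines():
        rec = parse_record(line)
        ips[rec["qname"]].add(rec["answer"])
        ttls[rec["qname"]].append(int(rec["ttl"]))
    return {
        domain: {"distinct_ips": len(ips[domain]), "max_ttl": max(ttls[domain])}
        for domain in sorted(ips)
        if len(ips[domain]) >= min_distinct_ips and max(ttls[domain]) <= max_ttl
    }


if __name__ == "__main__":
    for src, dst, dport in find_irc_off_port(FLOW_LOG):
        print(f"IRC-like session on nonstandard port: {src} -> {dst}:{dport}")
    for domain, stats in find_fast_flux(DNS_LOG).items():
        print(f"fast-flux candidate: {domain} "
              f"({stats['distinct_ips']} addresses, max TTL {stats['max_ttl']}s)")
```

Both checks are deliberately simple: the IRC rule keys on the protocol handshake rather than the port, so moving the listener off 6667 does not hide it, and the fast-flux rule counts address churn per name rather than trusting any single answer. In practice a CDN can trip the second rule, so the thresholds are a starting point for tuning, not a verdict.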