Lesson-1-Cybersecurity-Essentials.pptx

Full Transcript

Cybersecurit
y Essentials
Outline

◎What is cybersecurity?
◎Scope of Cybersecurity
◎State of Today’s Intrusion
◎The Changing Face of
Cybercriminals
 What is
Cybersecurit
y?
Introduction

◎Cybersecurity is the practice of
protecting systems, networks, and
programs from digital attacks.
These cyberattacks are usually
aimed at accessing, changing, or
destroying sensitive information;
extorting money from users
through ransomware; or
interrupting normal business
processes.
Introduction

◎Advanced persistent threats (APTs)
have changed the world of
enterprise security and how
networks and organizations are
attacked
Introduction

◎Connectivity allows us to
communicate instantly across the
globe.
Review of some concepts
Introduction

◎Physical Security
Introduction
Scope of Cyber Security

TO PROTECT:

◎Confidentiality/Secrecy
◎Integrity
◎Availability

Against THREATS!
They overload websites with fake requests to
make it slow or unreachable for others, that’s
attacking the services availability.
Quick Quiz 1

◎What does cyber security protects?
The Answer

◎Confidentiality
◎Integrity
◎Availability

Of data against threats.
Quick Quiz 2

◎It means that only authorized
people should have the ability to
use or modify systems and data
The Answer

◎Integrity
State of Today’s
Intrusion
Thought-process of Cybercriminals

◎Cybercriminals are highly motivated
professionals — often well-funded
by criminal organizations or nation-
states — who are far more patient
and persistent in their efforts to
break through an organization’s
defenses.
Thought-process of Cybercriminals

◎Today’s threats are more
sophisticated and equal opportunity
than ever before.
◎All types of enterprises and
information
are being targeted.
◎More and more attacks are
increasingly coming to fruition,
producing a steady stream of high-
profile, sophisticated breaches and
Some attacks
Comodo (business partners).
In March 2011, an intruder compromised a reseller’s
network (not Comodo’s own network) and stole nine
digital security certificates that could then be
fraudulently issued to impersonate various websites
operated by Google, Microsoft, Skype, and Yahoo!,
among others.
Some attacks
Adobe
As reported in early October of 2013 by
security blogger Brian Krebs, Adobe
originally reported that hackers had stolen
nearly 3 million encrypted customer credit
card records, plus login data for an
undetermined number of user accounts.
Some attacks
Canva
In May 2019 Australian graphic design tool website Canva
suffered an attack that exposed email addresses, usernames,
names, cities of residence, and salted and hashed with bcrypt
passwords (for users not using social logins — around 61
million) of 137 million users. Canva says the hackers managed
to view, but not steal, files with partial credit card and
payment data.
Some attacks
Uber
The 2016 breach was hidden by the ride-sharing firm
which paid hackers $100,000 (£75,000) to delete the
data. The company's former chief executive Travis
Kalanick knew about the breach over a year ago,
according to Bloomberg, which first broke the news. The
hackers found 57 million names, email addresses and
mobile phone numbers, Uber said.
Some attacks
Epsilon
Epsilon (customer information). In March 2011, a
portion of Epsilon’s (an online marketing company)
clients’ customer database was breached “by an
unauthorized entry into Epsilon’s e-mail system,”
exposing customer names and e-mail addresses. This
information may enable an attacker to create a very
credible spear phishing e-mail campaign.
Warning: False Sense of Security

◎ Many organizations and individuals have
been lulled into a false sense of security
by the mistaken belief that the only data
an attacker wants to steal
◎ and thus the only data that needs to be
protected — is financial data, such as
credit card numbers or banking
information.
◎ But breaches are not limited to financial
data — if it’s valuable to you or your
organization, it’s very likely to be
valuable to someone else as well!
Warning: False Sense of Security

As the Epsilon and Comodo examples
illustrate, you don’t have to have the
“crown jewels” in your own network to
be a victim. How secure are your
partner and reseller networks?
THE CHANGING FACE OF
CYBERCRIMINALS
 Cybercriminals

Cybercriminals have evolved from the
prototypical “whiz kid” — sequestered in
a basement, motivated by notoriety, and
fueled by too much carbonated caffeine
— into bona fide cybercriminals, often
motivated by significant financial gain
and sponsored by nation-states, criminal
organizations, or radical political groups.
Cybercriminals

Today’s attacker fits the following
profile:
✓ Has far more resources available to
facilitate an attack
✓ Has greater technical depth and focus
✓ Is well funded
✓ Is better organized
Cybercriminals

◎ Additionally, criminal organizations
and nation-states have far greater
financial resources than independent
individuals.
◎ Many criminal hacking operations
have been discovered, complete with
all the standard appearance of a
legitimate business with offices,
receptionists, and cubicles full of
dutiful cybercriminals.
◎ These are criminal enterprises in the
truest sense and their reach extends
far beyond that of an individual.
THE LIFECYCLE OF AN
ADVANCED ATTACK
Trend in attacks

Attack strategies have evolved.
Traditional: direct attack against a high-
value server or asset

Trend: strategies now employs a patient,
multi-step process that blends exploits,
malware, and evasion into an ongoing
coordinated network attack.
Example: luring an individual into clicking on an
infected link
 Key Components and Tools in the
Advanced Attach Strategy
Infection Persistence Communication Command &
Control
Phishing (Social) Rootkits/Bootkits Encryption (SSL, Common Apps
SSH, Custom) (Social Media,
P2P)
Hide Backdoor Proxies, RDP, Update
Transmission (Poison Ivy) Application Configure Files
(SSL, IM, P2P) Tunnels
Remote Exploit Anti-AV Post Evasions EXE Updates
(Shell Access) (InfectMBR) (tunnel over
open ports)
Malware Delivery Fast Flux Backdoors and
(Drive-by- (Dynamic DNS) Proxies
Download)

37
Infection

◎ Infection often has a social aspect.
◎ Understanding how malware and
exploits have become closely
interrelated in the advanced attack
life- cycle is important.
◎ Most exploits today are used to crack
a target system to infect it with
malware:
an exploit is run, causing a buffer
overflow, which allows the attacker to
gain shell access.
Infection

◎ With shell access, the attacker can
deliver pretty much any payload. The
first step is to exploit the target, then
deliver the malware in the background
through the application or connection
that is already open
◎ Drive-by-download – the most
common delivery mechanism for
advanced malware today.
◎ Infection relies heavily on hiding from
and evading traditional security
solutions
Infection

◎ Another common way to avoid
security is to infect the user over a
connection that security can’t see
into, such as an encrypted channel.
◎ Attack transmissions are often
obscured in SSL-encrypted (Secure
Sockets Layer) traffic or other
proprietary encryption used in P2P
(peer-to- peer) networking
applications and IM (instant
messaging)
 “
The trend today: threats do
not necessarily come as
an executable attachment
in an e-mail. A link is all that
is required..
Persistence

◎ Once a target machine is infected, the
attacker needs to ensure persistence (the
resilience or survivability of his foot- hold in
the network).
◎ Rootkits and bootkits are commonly
installed on compromised machines for this
purpose.
◎ A rootkit is malware that provides
privileged (root-level) access to a
computer.
◎ A bootkit is a kernel-mode variant of a
rootkit, commonly used to attack
computers that are protected by full-disk
encryption.
Persistence

◎ Backdoors enable an attacker to
bypass normal authentication
procedures to gain access to a
compromised system.
◎ Backdoors are often installed as
failover in case other mal- ware is
detected and removed from the
system.
◎ Poison Ivy is one example of a
backdoor that was used in the RSA
attack.
Persistence

◎Anti-AV malware may be installed to
disable any legitimately installed
antivirus software on the
compromised machine, thereby
preventing automatic detection and
removal of malware that is
subsequently installed by the
attacker.
◎Many anti-AV programs work by
infecting the Master Boot Record
(MBR) of a target machine.
Communication

◎ Communication is fundamental to a
successful APT. Attackers must be able to
communicate with other infected
systems or controllers to enable
command and control, and to extract
stolen data from a target system or
network.
◎ Attack communications must be stealthy
and cannot raise any suspicion on the
network. Such traffic is usually
obfuscated or hidden through
techniques.
Communication

◎ Encryption with SSL, SSH (Secure Shell), or
some other custom application. Proprietary
encryption is also commonly used. For
example, BitTorrent is known for its use of
proprietary encryption and is a favorite
attack tool — both for infection and ongoing
command and control.
◎ Circumvention via proxies, remote desktop
access tools (such as LogMeIn!, RDP, and
GoToMyPC), or by tunnel- ing applications
within other (allowed) applications or
protocols.
Communication

◎ Port evasion using network
anonymizers or port hopping to tunnel
over open ports. For example, botnets
are notorious for sending command-
and-control instructions over IRC
(Internet Relay Chat) on nonstandard
ports.
◎ Fast Flux (or Dynamic DNS) to proxy
through multiple infected hosts, reroute
traffic, and make it extremely difficult
for forensic teams to figure out where
the traffic is really going.
Command and Control

◎Command and control rides on
top of the communication platform
that is established but is really
about making sure that the attack is
controllable, manageable, and
updateable.
THE CENTRAL ROLE OF
MALWARE
Role of Malware

◎Attack techniques have also
evolved and malware now plays a
central role in the cybercriminal’s
arsenal and in the lifecycle of an
attack.
◎Similarly, the cyberattacks rely on
sleight of hand — how to infect,
persist, and communicate without
being detected.
Role of Malware

◎Unfortunately, our traditional view
of malware and old security habits
make us think of malware as the
pea — an executable payload,
perhaps attached to an e-mail. To
understand, control, and
successfully counter advanced
threats, we need to focus on not
just the pea (malware), but on all
the moving parts.
Thank you!