Week 6 Notes on Malware
Uploaded by PatientSanAntonio
Summary
These notes on malware provide an overview of different types of malware, including viruses, worms, and Trojans. They also discuss malware detection and prevention strategies, as well as the STRIDE framework for security analysis. The document covers key concepts related to cybersecurity.
Full Transcript
Malware Overview

Malware comes in three main forms:

1. **Viruses**: Malicious code that attaches to files and spreads by self-replication. They can be polymorphic (mutating to avoid detection) and have different triggers (like logic bombs or time bombs). Viruses can spread through various methods, such as infecting executable files, boot sectors, or email attachments.
2. **Worms**: Unlike viruses, worms do not require user interaction to spread. They exploit network vulnerabilities to replicate across systems, often causing network slowdowns or providing remote access to attackers. Notable examples include the **Blaster** and **Witty worms**.
3. **Trojans**: Programs that appear harmless but hide malicious activities like **keylogging** (recording keystrokes) or opening a **backdoor** for attackers to gain remote control.

**Malware Detection and Prevention:**

- **User Awareness**: Educating users to avoid risky behaviours (e.g., downloading suspicious files) can prevent infections.
- **Technical Solutions**: Write-protection, firewalls, and intrusion detection systems help prevent malware attacks.
- **Antivirus Software**: This software can identify and remove malware, but it requires regular updates to recognize new threats.

**Antivirus Approaches:**

1. **Virus Dictionaries**: Scans for known virus signatures but struggles with **unknown** or **polymorphic viruses**.
2. **Behaviour Blockers**: Monitors for suspicious system commands, like file deletions, and alerts users before actions are carried out.
3. **Integrity Checkers**: Detect changes in files caused by malware, although only after some damage has occurred.
4. **Activity Monitoring**: Tracks program behaviour for unusual activities (e.g., attempts to alter other programs), though it can result in **false positives**.
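The difference between a virus dictionary and an integrity checker can be seen by running both over the same files. The following is an added example, not part of the original notes; it assumes whole-file SHA-256 hashes stand in for signatures (real dictionaries also match byte patterns), and the file names and contents are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def dictionary_scan(paths, signatures):
    """Virus dictionary: flag only files whose hash is already in the dictionary."""
    return [os.path.basename(p) for p in paths if sha256_file(p) in signatures]

def integrity_check(baseline):
    """Integrity checker: report files that differ from the recorded baseline."""
    findings = []
    for path, recorded in sorted(baseline.items()):
        if not os.path.exists(path):
            findings.append((os.path.basename(path), "missing"))
        elif sha256_file(path) != recorded:
            findings.append((os.path.basename(path), "modified"))
    return findings

def write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "app.bin")
        sample = os.path.join(tmp, "sample.bin")
        write(app, b"constructed benign program, version 1")
        write(sample, b"constructed stand-in for a file already in the dictionary")
        signatures = {sha256_file(sample)}      # assumption: hash-only signatures
        baseline = {app: sha256_file(app)}      # taken while app.bin is known good
        known = dictionary_scan([app, sample], signatures)
        write(sample, b"\x00", mode="ab")       # any changed byte gives a new hash
        variant = dictionary_scan([app, sample], signatures)
        write(app, b"unexpected appended bytes", mode="ab")
        return known, variant, integrity_check(baseline)

if __name__ == "__main__":
    print(demo())
```

The dictionary stops matching as soon as the file content differs from the recorded signature, while the integrity checker reports `app.bin` only after it has already been altered.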
In both behaviour and activity monitoring, suspected files can be **quarantined** (isolated to prevent further damage), sometimes in a **sandbox** environment, where any changes made by malware are erased when the sandbox is closed.

**Threat modelling**

- A systematic and structured process for identifying potential threats and security risks in a specific context, such as an application or system.
- It provides a more comprehensive and methodical way to evaluate security risks than an ad hoc approach, helping to prevent overlooked vulnerabilities.
- **Systematic Approach**: Threat modelling follows clear, repeatable steps to map out the **threat landscape** (possible attacks) against a system. It aids defenders in identifying and mitigating potential risks.
- **Threat Actors vs. Defenders**: Attackers (threat actors) have an advantage because they only need to exploit one vulnerability, while defenders must protect against all possible threats. Therefore, it is crucial to consider the range of threats, the potential impact of those threats, and how to mitigate them.
- **General Approach (4 Key Questions)**:
  - **What are we building?**: Explore and describe the system, often through diagrams like component diagrams or data flow diagrams.
  - **What can go wrong?**: Brainstorm potential threats or attacks, using frameworks like **STRIDE**, **cyber kill chains**, or **attack trees** to structure discussions.
  - **What will we do about it?**: Identify and implement mitigation techniques to address vulnerabilities and prioritize actions.
  - **Reflection**: Continuously review, reflect, and revise procedures to improve security over time.

**STRIDE Framework:**

1. **Spoofing (S)**:
   - **Security Property**: Authentication
   - **Definition**: Masquerading as another user or entity.
   - **Example**: Phishing emails or websites.
   - **Mitigation**: Ensure strong authentication measures, like multi-factor authentication (MFA).
2. **Tampering (T)**:
   - **Security Property**: Integrity
   - **Definition**: Unauthorized modification of data.
   - **Example**: Changing salary information in an HR database.
   - **Mitigation**: Protect data integrity through encryption and checksums.
3. **Repudiation (R)**:
   - **Security Property**: Non-repudiation
   - **Definition**: Denying responsibility for an action.
   - **Example**: Denying having sent an email or accessed inappropriate websites.
   - **Mitigation**: Use digital signatures and proper logging to ensure actions can be tracked and verified.
4. **Information Disclosure (I)**:
   - **Security Property**: Confidentiality
   - **Definition**: Unauthorized access to information.
   - **Example**: Password leaks.
   - **Mitigation**: Implement strong encryption, access controls, and proper data handling policies.
5. **Denial of Service (D)**:
   - **Security Property**: Availability
   - **Definition**: Preventing legitimate users from accessing services.
   - **Example**: Flooding a website with service requests (e.g., DDoS attacks).
   - **Mitigation**: Use firewalls, intrusion detection/prevention systems (IDS/IPS), and load balancing.
6. **Elevation of Privilege (E)**:
   - **Security Property**: Authorization
   - **Definition**: Gaining unauthorized access to higher-level permissions.
   - **Example**: A user with read-only access gaining the ability to modify a document.
   - **Mitigation**: Ensure proper authorization mechanisms, role-based access controls (RBAC), and privilege separation.

**Application of STRIDE:**

- STRIDE encourages developers to systematically evaluate each component of their system against potential threats. For example, for a web application, the developer might ask how an attacker could spoof users, tamper with data, or cause a denial-of-service attack. By recording and analysing these threats, developers can proactively implement mitigation strategies like password policies or staff training to reduce risks.
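One way to record the per-component evaluation described above is a worksheet that lists each applicable threat and shows which ones still have no mitigation. This is an added example, not part of the original notes; the component names and recorded mitigations are constructed, and the rule for which categories apply to which element type follows the common STRIDE-per-element convention, which the notes do not cover.

```python
# Security property threatened by each STRIDE category (taken from the notes).
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# Assumption: STRIDE-per-element applicability by data flow diagram element type.
APPLIES = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(STRIDE),
    "data_store": ["Tampering", "Repudiation", "Information Disclosure",
                   "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}

# Constructed model of a small web application and the mitigations recorded so far.
MODEL = [
    {"name": "Browser user", "type": "external_entity",
     "mitigations": {"Spoofing": "MFA"}},
    {"name": "Web app", "type": "process",
     "mitigations": {"Spoofing": "MFA", "Elevation of Privilege": "RBAC",
                     "Denial of Service": "load balancing"}},
    {"name": "HR database", "type": "data_store",
     "mitigations": {"Tampering": "checksums",
                     "Information Disclosure": "encryption, access controls"}},
    {"name": "Browser -> Web app", "type": "data_flow",
     "mitigations": {"Tampering": "encryption",
                     "Information Disclosure": "encryption"}},
]

def worksheet(model):
    """One row per (component, applicable threat), with any recorded mitigation."""
    rows = []
    for element in model:
        for threat in APPLIES[element["type"]]:
            rows.append({"component": element["name"], "threat": threat,
                         "property": STRIDE[threat],
                         "mitigation": element["mitigations"].get(threat)})
    return rows

def gaps(rows):
    """Threats that apply to a component but have no mitigation recorded yet."""
    return [(r["component"], r["threat"]) for r in rows if r["mitigation"] is None]

if __name__ == "__main__":
    for component, threat in gaps(worksheet(MODEL)):
        print(f"{component}: {threat} ({STRIDE[threat]}) has no mitigation")
```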
**Cyber Kill Chain**

- It describes the sequence of actions that attackers typically follow to infiltrate a network, gain a foothold, and ultimately achieve their goals, such as data exfiltration.

**Stages of the Cyber Kill Chain:**

1. **Reconnaissance**:
   - **Definition**: The attacker gathers information about the target, such as identifying weaknesses or points of entry.
   - **Example**: Scanning for open ports or collecting employee emails for phishing.
   - **Types**: Active reconnaissance (detectable by the target) and passive reconnaissance (undetectable).
2. **Weaponization**:
   - **Definition**: Creating the malicious tool or payload (malware) based on the vulnerabilities found during reconnaissance.
   - **Example**: Building a custom malware or using tools like Metasploit to craft an exploit.
3. **Delivery**:
   - **Definition**: The attacker delivers the malware or exploit to the target.
   - **Example**: Sending a phishing email with a malicious attachment, exploiting open ports, or using social engineering.
4. **Exploitation**:
   - **Definition**: The malware is executed, taking advantage of a vulnerability to gain initial access to the system.
   - **Example**: A user clicking on a malicious link or an SQL injection attack.
5. **Installation**:
   - **Definition**: Additional malware or tools are installed to further establish the attacker's presence in the system.
   - **Example**: Installing a remote access Trojan (RAT) to maintain access and control.
6. **Command and Control (C2)**:
   - **Definition**: The attacker establishes communication with the compromised system, often through a backdoor, to remotely control the system.
   - **Example**: A C2 server communicating with infected machines to steal data or send further commands.
7. **Actions on Objectives**:
   - **Definition**: The attacker achieves their final goal, which could involve exfiltrating data, disrupting services, or conducting further attacks.
   - **Example**: Stealing intellectual property, defacing a website, or selling stolen data on the dark web.

- There are five defensive steps which can be deployed using different mitigation controls to minimise the success of an attack. These are:
  - **Detect**: Involves detecting attackers as they access systems or explore the network.
  - **Deny**: Stopping attackers gaining access to critical information or services.
  - **Disrupt**: Altering or stopping outbound data.
  - **Degrade**: Counterattack on the attacker.
  - **Deceive**: Interfere with data which attackers have access to in order to learn more about the attacker.
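For the Detect step, alerts can be mapped onto kill chain stages to show how far activity on each host has progressed and which earlier stages produced no alert. This is an added example, not part of the original notes; the log lines, host names and keyword rules are constructed, and the addresses come from documentation ranges.

```python
import re

STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Hypothetical keyword rules; real deployments map their own alert types to stages.
RULES = [
    (re.compile(r"port scan", re.I), "Reconnaissance"),
    (re.compile(r"phishing|malicious attachment", re.I), "Delivery"),
    (re.compile(r"sql injection", re.I), "Exploitation"),
    (re.compile(r"new service installed", re.I), "Installation"),
    (re.compile(r"beacon", re.I), "Command and Control"),
    (re.compile(r"exfiltrat|defacement", re.I), "Actions on Objectives"),
]

# Constructed log lines in the form: timestamp host message
LOGS = """\
2024-03-01T09:00:02 web01 port scan from 203.0.113.7
2024-03-01T09:14:40 hr-pc7 phishing email with malicious attachment opened
2024-03-01T09:20:11 hr-pc7 new service installed: updater.exe
2024-03-01T09:21:30 hr-pc7 periodic beacon to 198.51.100.23:443
2024-03-01T10:05:00 hr-pc7 printer driver updated
2024-03-01T11:02:00 web01 sql injection pattern in request
"""

def classify(message):
    """Return the kill chain stage of the first matching rule, or None."""
    for pattern, stage in RULES:
        if pattern.search(message):
            return stage
    return None

def summarise(log_text):
    """Per host: stages seen, furthest stage reached, earlier stages with no alert."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue                      # skip blank or malformed lines
        _, host, message = parts
        stage = classify(message)
        if stage:
            seen.setdefault(host, set()).add(stage)
    report = {}
    for host, stages in seen.items():
        ordered = [s for s in STAGES if s in stages]
        earlier = STAGES[:STAGES.index(ordered[-1])]
        report[host] = {"seen": ordered, "furthest": ordered[-1],
                        "unseen_earlier": [s for s in earlier if s not in stages]}
    return report
```

Weaponization takes place on the attacker's side, so it will normally appear under `unseen_earlier`; the other unseen stages are the ones worth reviewing for missing detection coverage.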