Cyber Security

Fundamentals
1506140

Dr Suha Afaneh
[email protected]
Topic 3:
Threats, Vulnerabilities,
and Common Attacks
Introduction
• Understanding Threat Actors

• Determining Malware Types

• Recognizing Common Attacks

• Blocking Malware
ATTRIBUTES OF THREAT ACTORS
Internal/External
• An external threat actor or agent is one that has no account or authorized
access to the target system.
• A malicious external threat must infiltrate (‫ )يتسلل‬the security system using
malware and/or social engineering.
• It is the threat actor that is defined as external, rather than the attack
method.
• Conversely, an internal (or insider) threat actor is one that has been granted
permissions on the system.
• This typically means an employee, but insider threat can also arise from
contractors and business partners.
Threat Actors
1. Hacker
2. Script kiddie
3. Hacktivist
4. Advanced persistent threat (APT)
Threat Actors
1. Hacker
• Malicious individuals who use their technical expertise to launch attacks.
✓Hacker describes an individual who has the skills to gain access to computer systems
through unauthorized or unapproved means.
✓Originally, hacker was a neutral term for a user who excelled at computer
programming and computer system administration.
✓Hacking into a system was a sign of technical skill and creativity.
✓The terms black hat (unauthorized) and white hat (authorized) are used to distinguish
these motivations.
✓A Gray hat hacker (semi-authorized) might try to find vulnerabilities in a product or
network without seeking the approval of the owner; but they might not try to exploit
any vulnerabilities they find.
✓A white hat hacker always seeks authorization to perform penetration testing of
private and proprietary systems.
Threat Actors
2. Script kiddie
• Teenagers or hobbyists mostly limited to pranks and vandalism, have little or
no skill or experience , often using existing tools or instructions found on the
Internet to launch attacks
• A script kiddie is someone who uses hacker tools without necessarily
understanding how they work or having the ability to craft new attacks.
• Script kiddie attacks might have no specific target or any reasonable goal
other than gaining attention or proving technical abilities.
Threat Actors
3. Hacktivist
• Hacktivist works as part of some sort of team or group.
A hacktivist group uses cyber weapons to promote a political agenda.
• Hacktivists might attempt to obtain and release confidential information to
the public domain, perform denial of service (DoS) attacks, or deface
websites.
Grey hat hackers who rally and protest against different political and social
ideas. Hacktivists publicly protest against organizations or governments by
posting articles, videos, leaking sensitive information, and performing
distributed denial of service (DDoS) attacks.
DoS and DDoS
• Denial of service or DoS is an Internet security-related event in which
the hackers attack a particular server running some Internet services
to prevent it from working normal or to stop the services. In this case,
the servers are overwhelmed with the flooding of superfluous
messages.
• The distributed denial of service or DDoS is a very common technique
to overwhelm any online or cloud-based service with the huge influx
of the traffic from multiple locations directed to the targeted sever.
Threat Actors
4. Nation state/advanced persistent threat (APT)

• First, they used a variety of tools and techniques, not simply tools
downloaded from the Internet.
• Second, the attacks are persistent, occurring over a significant period of time.
In some cases, the attacks continued for months and years as attackers
patiently stalked their targets, awaiting the right opportunity to strike.
• Criminals usually choose an APT for business or political motives.
• APT should have a target.
ATTACK VECTORS
• An Attack Vector is the path that a threat actor uses to gain access to a
secure system. In the majority of cases, gaining access means being able to
run malicious code on the target.

✓Direct access—this is a type of physical or local attack, The threat actor

could exploit an unlocked workstation, use a boot disk to try to install
malicious tools, or steal a device, for example.
✓Removable media—the attacker conceals malware on a USB thumb drive or
memory card and tries to trick employees into connecting the media to a PC,
laptop, or smartphone, For some exploits, simply connecting the media may
be sufficient to run the malware, In many cases, the attacker may need the
employee to open a file in a vulnerable application or run a setup program.
ATTACK VECTORS
✓Email —the attacker sends a malicious file attachment via email,
or via any other communications system that allows attachments,
The attacker needs to use social engineering techniques to
persuade or trick the user into opening the attachment.
✓Remote and wireless—the attacker either obtains credentials
for a remote access or wireless connection to the network or
cracks the security protocols used for authentication,
Alternatively, the attacker spoofs a trusted resource, such as an
access point, and uses it to perform credential harvesting and
then uses the stolen account details to access the network.
ATTACK VECTORS
✓Web and social media—malware may be concealed in files
attached to posts or presented as downloads, An attacker may
also be able to compromise a site so that it automatically infects
vulnerable browser software (a drive-by download).
✓ Cloud —many companies now run part or all of their network
services via Internet-accessible clouds, The attacker only needs to
find one account, service, or host with weak credentials to gain
access, The attacker is likely to target the accounts used to
develop services in the cloud or manage cloud systems, They may
also try to attack the cloud service provider (CSP) as a way of
accessing the victim system
Determining Malware Types
Malware is usually simply defined as software that does something
bad, from the perspective of the system owner.

1. Viruses 2. Worms
3. Trojan 4. PUPs
5. Spyware 6. Keylogger
7. Adware 8. Backdoor
9. RAT 10. Rootkit
10. Ransomware
1. Viruses
• A computer virus is a type of malware designed to
replicate and spread from computer to computer,
usually by "infecting" executable applications or
program code
• A virus is executed only when the user performs
an action such as downloading and running an
infected executable process, attaching an infected
USB stick, or opening an infected Word document
with macros enabled.
1. Replication mechanism
2. Activation mechanism
3. Payload mechanism
2. Worms
• A computer worm is memory-resident malware that can run without user
intervention and replicate over network resources.
• a worm can execute by exploiting a vulnerability in a process when the
user browses a website, runs a vulnerable server application, or is
connected to an infected file share.
• The primary effect of the first types of computer worm is to rapidly
consume network bandwidth as the worm replicates.
• worms can carry a payload that may perform some other malicious action.
1. Replication mechanism
2. Payload mechanism
3. Trojan Horse
• Malware concealed within an installer package for software that
appears to be legitimate.
• This type of malware does not seek any type of consent for
installation and is actively designed to operate secretly.
• Appears to be useful but is malicious
4. Potentially unwanted programs (PUPs)
✓Software installed alongside a package selected by the
user or perhaps bundled with a new computer system.
✓Unlike a Trojan, the presence of a PUP is not automatically
regarded as malicious.
✓It may have been installed without active consent or
consent from a purposefully confusing license agreement.
✓This type of software is sometimes described as grayware
rather than malware.
5. Spyware

• ✓This is malware that can perform adware-like


tracking, but also monitor local application activity,
take screenshots, and activate recording devices,
such as a microphone or webcam.
– Can access a user’s private data and
result in loss of confidentiality
6. Keylogger

✓Is a malware that actively attempts to steal confidential

information by recording keystrokes (record every thing you
type on the keyboard).
✓The attacker will usually hope to discover passwords or
credit card data.
7. Adware
• This is a class of PUP/grayware that performs browser
reconfigurations, such as allowing changing default search providers,
opening sponsor's pages at startup, adding bookmarks, and so on,
Adware may be installed as a program or as a browser
extension/plug-in.
 8. Backdoors
• backdoor is any type of access method to a host that circumvents the usual
authentication method and gives the remote user administrative control.
• Provides an alternate method of access
• Many types of malware create backdoors
• Backdoors can be created in other ways than infection by malware.
• Programmers may create backdoors in software applications for testing and
development that are subsequently not removed when the application is
deployed.
• Backdoors are also created by misconfiguration of software or hardware that
allows access to unauthorized users.
9. Remote access Trojan (RAT)
• RAT is a backdoor malware that mimics the functionality of legitimate
remote control programs, but is designed specifically to operate
covertly.
• Once the RAT is installed, it allows the threat actor to access the host,
upload files, and install software.
 Bots and Botnets
• A bot is an automated script or tool that performs some malicious activity.
• A group of bots that are all under the control of the same malware
instance can be manipulated as a botnet.
• A botnet can be used for many types of malicious purpose, including
triggering distributed denial of service (DDoS) attacks, launching spam
campaigns, or performing crypto-mining.
• Zombies or clones
– A group of computers within botnet
– Each computer joins after becoming infected with
malware
10. Rootkits
• In Windows, malware can only be manually installed with local administrator
privileges.
• This means the user must be confident enough in the installer package to enter the
credentials or accept the User Account Control (UAC) prompt.
• Windows tries to protect the system from abuse of administrator privileges.
• Critical processes run with a higher level of privilege (SYSTEM).
• Consequently, Trojans installed in the same way as regular software cannot conceal
their presence entirely and will show up as a running process or service.
• Often the process image name is configured to be similar to a genuine executable or
library to avoid detection.
• For Example: a Trojan may use the filename "run32d11" to masquerade as "run32dll".
• To ensure persistence (running when the computer is restarted), the Trojan may have
to use a registry entry or create itself as a service, which can usually be detected fairly
easily.
11. Ransomware
• Ransomware is a type of malware that tries to extort money from the
victim.
• One class of ransomware will display threatening messages, such as
requiring Windows to be reactivated or suggesting that the computer has
been locked by the police because it was used to view pornography or for
terrorism.
• This may apparently block access to the file system by installing a different
shell program, but this sort of attack is usually relatively simple to fix.
• The crypto-malware class of ransomware attempts to encrypt data files on
any fixed, removable, and network drives.
• If the attack is successful, the user will be unable to access the files without
obtaining the private encryption key, which is held by the attacker. If
successful, this sort of attack is extremely difficult to mitigate, unless the
user has up to date backups of the encrypted files.
Social Engineering
• Social Engineering is one of the most common
and successful malicious techniques, Because it
exploits basic human trust, by Flattery or conning.
• refers to means of either :
1. Eliciting (‫ )استخالص‬information from someone or
2. getting them to perform some action for the threat
actor.
• It can also be referred to as "hacking the human".
Social Engineering
1. Impersonating
2. Shoulder Surfing
3. Lunchtime attacks
4. Tailgating
5. Dumpster diving
6. Piggy backing
7. Identity fraud
8. Phishing
Social Engineering
1. Impersonating (‫)انتحال شخصية‬
• simply means pretending to be someone else.
• It is one of the basic social engineering techniques.
• Impersonation is possible where the target cannot verify the attacker's
identity easily, such as over the phone or via an email message.

2. Shoulder Surfing
a threat actor can learn a password or PIN (or other secure information) by
watching the user type it.
– Can be in person looking at a computer or smartphone
– Can be with a remote camera
Social Engineering
3. Lunchtime attacks
• If a user leaves a workstation unattended while logged on, an attacker
can physically gain access to the system.
• Most operating systems are set to activate a password-protected
screen saver after a defined period of no keyboard or mouse activity,
Users should also be trained to lock or log off the workstation
whenever they leave it unattended.
Social Engineering

4. Tailgating
• Tailgating is a means of entering a secure area without authorization by
following close behind the person that has been allowed to open the door
or checkpoint.
– Closely following authorized personnel without providing credentials
– Mitigated with mantraps

5. Dumpster diving
• Dumpster diving refers to combing through an organization's (or
individual's) garbage to try to find useful documents (or even files stored
on discarded removable media)
– Searching through trash looking for information
– Mitigated by shredding or burning papers
Social Engineering
6. Piggy backing
• The attacker enters a secure area with an employee's permission(his friend).
• piggy backing may be a means of an insider threat actor to allow access to
someone without recording it in the building's entry log.

7. Identity fraud is a specific type of impersonation where the attacker uses

specific details of someone's identity.
• A typical consumer identity fraud is using someone else's name and address
to make a loan application or using stolen credit card details to start a mobile
phone contract.
• Note: ✓Identity Fraud(‫)تزوير‬: making up an identity.
✓Identity Theft(‫)سرقة‬: stealing someone else's identity.
Social Engineering
8. Phishing (‫)االصطياد اإللكتروني‬
• is a combination of social engineering and spoofing .
• traditionally using email as the vector.
• A phishing message might try to convince the user to perform some action, such
as installing disguised malware or allowing a remote access connection by the
attacker.
• Other types of phishing campaign use a spoof website set up to imitate a bank or
e-commerce site or some other web resource that should be trusted by the
target.
• The attacker then emails users of the genuine website informing them that their
account must be updated or with some sort of hoax alert or alarm, supplying a
disguised link that actually leads to the spoofed site.
• When the user authenticates with the spoofed site, their logon credentials are
captured.
8. Phishing
A. Spear (‫ )موجه‬Phishing:
• a phishing scam where the attacker has some information that makes
an individual target more likely to be fooled by the attack.
• Each phishing message is tailored to address a specific target user. The
attacker might know the name of a document that the target is editing,
for instance, and send a malicious copy, or the phishing email might
show that the attacker knows the recipient's full name, job title,
telephone number, or other details that help convince the target that
the communication is genuine.
• Targeted form of phishing
• Attempts to target specific groups of users, or even a single user
8. Phishing
B. Whaling
– Form of spear phishing that attempts to target high-level
executives
– It attacks directed specifically against upper levels of
management in the organization (CEOs and other "big
fish").
– Upper management may also be more vulnerable to
ordinary phishing attacks because of their unwillingness to
learn basic security procedures.
8. Phishing
C. Vishing (voice phishing)
• a phishing attack conducted through a voice channel (telephone or VoIP(VoIP apps
include Skype, WhatsApp, Viber, Google Hangouts, Facebook Messenger, etc), for
instance).
• For example, targets could be called by someone purporting to represent their bank
asking them to verify a recent credit card transaction and requesting their security
details.
• It can be much more difficult for someone to refuse a request made in a phone call
compared to one made in an email.

D. Smishing (SMS phishing)

• uses text instead of email
 8. Phishing
E. Spam
• Spam is used as the vector for many attacks.
• Threat actors harvest email addresses from marketing lists or databases of
historic privacy breaches, or might try to target every email address at a
certain company.
– Unwanted or unsolicited email
• Spam over internet messaging (SPIM)
– Unwanted messages sent over instant messaging (IM) channels
F. Hoaxes
• An email alert or web pop-up will claim to have identified some sort of
security problem, such as virus infection, and offer a tool to fix the problem.
• The tool of course will be some sort of Trojan application.
One Click Lets Them In
Blocking Malware
• Spam filter on mail gateways

• Anti-malware software on mail gateways

• Anti-malware software on all systems

• Block at boundaries
• Firewalls
• Unified Threat Management (UTM) systems
• devices frequently include firewall, IDS/IPS, antimalware, URL and email filtering and
security, data loss prevention, VPN, and security monitoring and analytics capabilities.
Antivirus software
• Signature-based detection
• Detects known malware based on signature definitions

• Heuristic-based detection
• Detects unknown malware based on behavior

• File integrity monitors

• create a signature or fingerprint for a file, and then monitor the file and file-system for
changes to monitored files. They integrate numerous features to allow normal behaviors
like patching or user interaction, but they focus on unexpected and unintended changes

• Cuckoo sandbox
• is an open-source automated malware analysis system. It is designed to analyze suspicious
files in a safe and isolated environment. Cuckoo Sandbox does this by running the file in a
virtual machine and monitoring its behavior. It then generates a detailed report of the
file's activity, which can be used to identify whether the file is malicious or not.
Live Cyber Threat Map
• https://threatmap.checkpoint.com/

• https://livethreatmap.radware.com/
Topic 3 Summary
• Understanding Threat Actors

• Determining Malware Types

• Recognizing Common Attacks

• Blocking Malware