Threats, Attacks, Vulnerabilities: Difference between revisions
NickPGSmith (talk | contribs) |
NickPGSmith (talk | contribs) m (1 revision imported) |
(No difference)
| |
Revision as of 21:02, 17 February 2023
Malware
Comparing viruses, worms and trojans
- Virus: need user interaction
- Worm: no user interaction
- RTM Worm (1988), 10% affected
- Trojan horse: disguised actions
- RAT (Remote Access Trojan)
Malware payloads
- Adware: Change search engine, popups, etc
- Spyware: Gathers info, eg keyloggers
- Ransomware: Encrypt disk, eg wannacry
- Crypto malware: mines cryptocurrency
Understanding backdoors and logic bombs
- Backdor: workaround access eg hardcoded accounts, defaults, unknown access channels
- Logic bomb: eg date/time, file contents, API call
Looking at advanced malware
- Root kits: escalate privileges
- File-less viruses: in memory only, eg Office Macros, JavaScript code, Registry
- Botnets: communicate though IRC, Twitter, peer-peer (Command and Control)
Understanding botnets
Malicious script execution
Understanding Attackers
- Script kiddies
- Hacktivist - motivation
- Organised crime
- Nation states - APTs
- White Hats: work with targets' permission
- Back Hats: no permission
- Grey Hats: illegal, but with good intent
- Insider threat: principle of least privilege
- 2 person check for critical operations
- mandatory vacations for critical staff (fraud uncovering)
- Shadow IT
- Attack Vectors: Email, social media, USB, chip in cable, network jack, skimmmers, cloud servers, physical access (including supply chain), Wifi
Cybersecurity Adversaries
Preventing insider threats
Attack vectors
Zero days and the advanced persistent threat
Threat Intelligence
Threat Intelligence
Open Source intelligence: security websites, vulnerability DBs, media, codebases, etc Closed Source intelligence: proprietary info
- Timelines
- Accuracy
- Reliability
Threat indicators: IP, file patterns, etc
- Cyberobservable expression CybOX - Schema
- Structured Threat Information Expression (STIX) - Language format
- Trusted Automated Exchange of Indicator of Information (TAXI) - Info exchange
Cybox > STIX > TAXI
- Open IOC - Mandient Framework
- Functions supported by intellegence
- Incident Response
- Vulnerability Management
- Risk Management
- Security Engineering
- Detection and Monitoring
Intelligence sharing
Information sharing & analysis centres
- Safe way for competitors to collaborate
- Each industry has at least one ISAC
Threat research
- Reputational threat research
- previous actors, IP, email, domains, etc
- Behavioural research
- identify behaviour that resemble activity of past threats
- Vendor websites, cybersecurity jouranals, academic journals, RFC docs, local industry groups, social media, etc
Identifying threats
Modelling: structured approach should be used:
- Asset focused
- Threat focused
- Service focused eg API review
Automating threat intelligence
eg
- Blacklisting IPs from feeds
- Incident Response could be partially automated eg IDS attack > workflow for customer geolocaton, logs, etc
Security Orchestration, Automation and Response (SOAR)
- Machine learning allows automated creation of file diagnostics
Threat hunting
Cannot prevent all threats: "assumption of compromise"
- Now searching for those compromises
- Need to think like an adversary
Establish a hypothesis and look for indicators of compromise -> containment/eradication/recovery
TTPs - Tactics, Techniques, Procedures
Social Engineering Attacks
Social engineering
Psychological attacks to gain info
- Authority - defer to authority
- Intimidation - scare people
- Consensus/social proof - herd mentality
- Scarcity - act quickly or miss an opportunity
- Urgency - time is running out
- Familiarity/liking - flattery/fake relationships
Education is the solution
Impersonation attacks
- Spam
- phishing, trick users to share information
- Prepending info on email
- Spear phishing - target a small number
- Whaling - target executives eg subpoenas
- Pharming - setup false websites
- Vishing - voice phishing
- Smishing / SPIM - SMS/IM often uses spoofing, faking an identity
Identifying fraud and pretexting
Pretexting - impersonate a customer while contacting an organisation
- eg convince phone company to switch phone number to his -> reset bank details with this number
Watering hole attacks
Websites that spread malware - users must trust websites, at least to some extent Users are conditioned to bypass security Attacker uses a compromised popular website -> infected system calls home
Physical social engineering
- Shoulder surfing
- Dumpster diving
- Tailgating
Common Attacks
Password attacks
- Brute force
- Dictionary attacks
- Hybrid attacks
- Rainbow table attacks
Password spraying and credential stuffing
Uses common password list and attempt to use them against one account
Adversarial artificial intelligence
Machine Learning:
- Descriptive analytics (eg what % female)
- Predictive analytics (eg model to predict future customer behaviour)
Aversarial AI: Injected tainted training data - Tesla speed sign example)
Understanding Vulnerability Types
Vulnerability impact
Confidentiality:
- Disclosure attacks: data breach
Integrity:
- Unauthorised changes
Availability:
- Authorised individuals can't access resources: DoS attacks
Risks:
- Financial
- Reputational
- Strategic
- Operational
- Compliance (eg HIPAA)
Supply chain vulnerabilities
End of Life Cycle:
- End of sale
- End of Support (all or some support stopped)
- End of Life (now updates at all)
Vendors can just fail to provide proper support, especially in embedded systems
Configuration vulnerabilities
eg default accounts
Cryptographic vulnerabilities
- Key management
- Certificate management
Patch management (OS, Apps, Finance)
Account management (eg execute permissions)
- Use principle of least privilege
Architectural vulnerabilities
Incorporate security early on, no a bolt-on extra
System sprawl: new devices get turned on but old devices are not decomissioned
Vulnerability Scanning
What is vulnerability management?
Detects, remediates and reports vulnerabilities
Why manage?
- Maintain security
- Comply with corp policy
- Comply with regulations
- PCI/DSS: anyone who handles credit card data: quarterly scans internasal and external, repeat scans after large changes, use approved vendor, remediate and rescan until you achieve a clean report
- FISMA for US government employers: follow NIST guidelines, regular scans, analyse the results, remediate legitimate vulnerabilities, share with other agencies
Tests:
- Network scans
- Application scans
- Web application scans (eg SQL/CSS)
Identifying scan targets
Asset Inventory provides a starting point Nessus and Qualis may discover assets
- Impact > what is the highest level of data classification handled?
- Likelihood > What is the network exposure? (is it behind a firewall? What services are running?)
- How critical is the system?
Scan configuration
Nessus
- configure pings, port scanning, scan sensitivity: default "normal" sensitivity
- "Enable safe checks"
- Rate limits can be configured
- Choose default plugins
Scan perspective
Network location:
- Consider scanning inside network/Internet/DMZ
- All are valid and answer different questions
Firewall and IDS/IPS and segmentation impacts scan results
Agent-based scans: install a security agent on each target
Credentialed scanning: mix scan perspectives
SCAP (Security Content Automation Protocol)
Confusing terminology, so provide a consistent language that describes items:
- CVSS (Common Vulnerability Scoring System)
- CCE (Common Configuration Enumeration)
- CPE (Common Platform Enumeration)
- CVE (Common Vulnerability and Exposures)
- EXXDF *Extensible Configuration Checklist Format)
- OVAL (Open Vulnerability Assesment Language)
- describes testing procedures in a programmatic way
CVSS (Common Vulnerability Scoring System)
CVSS: 10 point scale:
- Attack vector
- Physical
- Local
- Adjacent Network
- Network
- Attack complexity
- High
- Low
- Privileges required
- High (admin)
- Low
- None
- User interaction (exploitability)
- Required (user needs to do something)
- None
- Confidentiality
- None
- Low
- High (all is vulnerable)
- Integrity
- None
- Low
- High (all info could be modified)
- Availability
- None
- Low (performance degraded)
- High (system shutdown)
- Scope
- Changed (vulnerabilities can affect other comments)
- Unchanged
Analysing scan reports
Prioritisation factors
- Severity of vulnerabilities
- System criticality
- Information sensitivity
- Remediation difficulty
- System exposure
Correlating scan results
Consult industry standard eg PCI/DDS:
- will fail if any systems has CVSS score of ⩾ 4.0
Technical info CMDB, log repositories, others Trend analysis look for changes over time, Eg if new web apps keep showing CVSS: Dev training or better libraries
Penetration Testing and Exercises
Penetration testing
Security professionals in roles of attackers
- test security controls by bypassing or defeating them
- define scope of systems ("Rules of engagement")
- White Box Test - with full knowledge like an internal attacker
- Black Box Test - with no knowledge like outsider
- Grey Box Test - with some knowlegde
NIST recommend:
- Discovery Phase
- Attack Phase
- Gain Access > Elevate Privs > Browsing > Install tools
- Goto Discovery
Pivot: after exploiting a system, pivot to another more secure system
Clean up the traces of attack
- expensive/time consuming so use occasionally
Bug bounty
- Align attacker's and organisation's interests
- Can be self managed or fully managed by external vendor
Cybersecurity exercises
- Teams attacking (red) vs Securing systems (blue)
- White team: observe and judge
Red and blue team results -> Purple Team
- Capture the Flag exercises, usually in a sandbox