Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav DRDO, Ministry of Defense, INDIA Cyber Attack Thread: A Control-flow Based Approach to Deconstruct.

Slide 1: Cyber Attack Thread: A Control-flow Based Approach to Deconstruct and Mitigate Cyber Threats
Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav, DRDO, Ministry of Defense, INDIA
2015 International Conference on Computing and Network Communications (CoCoNet'15)

Slide 2: Motivation
- Evolution of cyber threats

Slide 3: Cyber Kill Chain
- Reconnaissance
- Delivery
- Exploitation
- Installation
- Command & Control
- Act on Objective

Slide 4: Cyber Attack Thread
- Attack vector verification and reconnaissance
- Enticing the end-user
- Security penetration
- Execution on target system
- Internal reconnaissance
- Information exfiltration
- Cover tracks

Slide 5: Attack Vector Verification and Reconnaissance
- Reconnaissance
  - Passive reconnaissance
  - Active reconnaissance
- Attack vector verification
  - Integration and testing of components
  - Based on target-specific scenario and configuration

Slide 6: Enticing the End-user
- Targeting the user: e-mail, drive-by downloads, malicious USB, etc.
  - Defence: spam filters, web application firewall, etc.
- Targeting third-party interactions with the user: watering hole attack

Slide 7: Security Penetration to Reach the Target System
- Inbound network security
  - Intrusion detection and prevention system: signature based, anomaly based, stateful protocol analysis (examples: Snort, Suricata, Bro)
  - Network-based firewall
- Inbound system security
  - Anti-virus
  - Host-based IDS
  - Host-based firewall
  - Application security
  - User awareness

Slide 8: Execution on Target System
- Ability of the attacker to execute crafted malicious content on the target's system
- Exploit
  - Carrier for the payload
  - Takes advantage of flaws and vulnerabilities in various software components: office applications, PDF readers, web browsers, OS, firmware, etc.
- Defenses against exploits
  - Stack based: stack cookies (stack-guard), Structured Exception Handler Overwrite Protection
  - Heap based: safe unlinking, allocation order randomization, virtual table guard
  - System-wide protection: Address Space Layout Randomization, Data Execution Prevention, Control Flow Integrity

Slide 9: Execution on Target System (contd.)
- Payload
  - Core component of the cyber attack; responsible for achieving its end objective
  - Kinds: remote access toolkit, rootkit, bootkit, dropper, downloader
  - Characteristics: stealthy, evasive, polymorphic, metamorphic
  - Objectives: data exfiltration (files, keylogs, user credentials), persistence, propagation
- Defences for the payload (types of malware detection)
  - Heuristic-based analysis and detection
  - Behavioral analysis and detection
  - Cloud-based detection
  - Sandboxing

Slide 10: Internal Reconnaissance
- Information accessed by attackers
  - Primary: tactical information
  - Secondary: strategic information
- Defenses
  - Security Information and Event Management (SIEM)
  - Data labelling
  - Minimize storage of credentials
  - Two-factor authentication
  - Restricted access to system logs

Slide 11: Information Exfiltration
- Channels available to the attacker
  - TCP, FTP, HTTP POST/GET
  - Others such as e-mail, SSH, instant messaging, social media, etc.
  - Dropbox
  - Covert channels
- Defense mechanisms
  - Blacklists
  - Statistical profiles
  - Packet header mangling
  - Deploying a DMZ
  - Limiting protocol support
  - Packet regeneration
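The two defence mechanisms at the top of that list, blacklists and statistical profiles, are easy to see in action on flow data. The following script is an added example written for this transcript, not code from the paper or its authors: it builds a per-host outbound-volume baseline from constructed flow records, flags a host whose outbound bytes exceed mean + k standard deviations of its own baseline, and separately reports flows to a constructed blacklist of destinations. All addresses, byte counts, the threshold factor k and the flow tuple layout are assumptions made for the illustration.

```python
"""Added example (not from the paper): statistical-profile and blacklist
checks over outbound flow records, as listed among the Information
Exfiltration defences.  Every record, address and threshold below is
constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: outbound bytes per hour seen from each host during
# a period of normal operation (six sample hours each).
BASELINE_BYTES = {
    "10.0.0.5": [120_000, 95_000, 130_000, 110_000, 100_000, 125_000],
    "10.0.0.7": [40_000, 35_000, 50_000, 45_000, 38_000, 42_000],
}

# Constructed blacklist of destination addresses (e.g. known drop sites).
BLACKLISTED_DST = {"198.51.100.23"}

# Constructed flow records for the hour under review:
# (source host, destination, destination port, bytes sent outbound)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 115_000),
    ("10.0.0.7", "203.0.113.10", 443, 41_000),
    ("10.0.0.7", "198.51.100.23", 21, 3_000),      # FTP to a blacklisted host
    ("10.0.0.5", "203.0.113.77", 443, 2_500_000),  # unusually large burst
]


def per_host_totals(flows):
    """Sum outbound bytes per source host for the period under review."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def volume_anomalies(flows, baseline, k=3.0):
    """Statistical profile: report hosts whose outbound volume exceeds
    mean + k * population stddev of their own baseline.  Hosts with no
    baseline are reported too, since an unprofiled sender cannot be scored."""
    alerts = []
    for host, total in per_host_totals(flows).items():
        if host not in baseline:
            alerts.append((host, total, "no baseline profile"))
            continue
        mu, sigma = mean(baseline[host]), pstdev(baseline[host])
        threshold = mu + k * sigma
        if total > threshold:
            alerts.append((host, total, f"exceeds threshold {threshold:.0f}"))
    return alerts


def blacklist_hits(flows, blacklist):
    """Blacklist check: every flow whose destination is on the list."""
    return [(src, dst, port, nbytes)
            for src, dst, port, nbytes in flows if dst in blacklist]


if __name__ == "__main__":
    for alert in volume_anomalies(FLOWS, BASELINE_BYTES):
        print("VOLUME", alert)
    for hit in blacklist_hits(FLOWS, BLACKLISTED_DST):
        print("BLACKLIST", hit)
```

With the constructed data, 10.0.0.5 sends about 2.6 MB against a baseline of roughly 113 kB per hour and is flagged, while 10.0.0.7 stays within its profile on volume but is caught by the blacklist check on its FTP flow. The point the slide makes, and the example shows, is that the two mechanisms catch different things: a profile detects a change in a host's own behaviour regardless of destination, while a blacklist catches known-bad destinations even when the volume is tiny.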

Slide 12: Covering Tracks
- Attacker's actions
  - Data elimination
  - Data manipulation
  - Direct attacks on tools and techniques
- Defender's countermeasures
  - Remote logging facilities
  - Log correlation
  - Distributed forensics and incident response
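Remote logging and log correlation work together: once a copy of each event has already left the host, deleting or editing the local log no longer hides it, and comparing the two copies turns the tampering itself into a signal. The script below is an added example written for this transcript, not code from the paper or its authors. It parses two constructed log extracts, the copy held on a remote log server and the copy still on the host, keyed by timestamp and program name, and reports events that are missing locally (data elimination) or whose content differs (data manipulation). The line format, hostnames, timestamps and messages are all assumptions made for the illustration.

```python
"""Added example (not from the paper): correlating a host's local log with
the copy shipped to a remote log server, to surface the data elimination
and data manipulation actions listed on the Covering Tracks slide.
Both log extracts are constructed; the '<timestamp> <host> <program>: <detail>'
line format is an assumption."""

# Constructed copy held on the remote log server (received before any tampering).
REMOTE_LOG = """\
2015-03-01T10:00:01Z host1 sshd: Accepted password for admin from 10.0.0.9
2015-03-01T10:00:05Z host1 sudo: admin : COMMAND=/bin/bash
2015-03-01T10:02:10Z host1 sshd: Accepted password for admin from 10.0.0.9
2015-03-01T10:05:00Z host1 cron: session opened for user root
"""

# Constructed copy read from the host afterwards: one line removed, one edited.
LOCAL_LOG = """\
2015-03-01T10:00:01Z host1 sshd: Accepted password for admin from 10.0.0.9
2015-03-01T10:02:10Z host1 sshd: Accepted password for admin from 10.0.0.2
2015-03-01T10:05:00Z host1 cron: session opened for user root
"""


def parse(log_text):
    """Map (timestamp, program) -> detail for each non-empty log line.
    Keying on timestamp plus program keeps distinct programs logging in the
    same second apart; two lines from one program in one second would
    collide, an accepted simplification for this illustration."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _host, msg = line.split(" ", 2)
        program, _sep, detail = msg.partition(":")
        events[(ts, program)] = detail.strip()
    return events


def correlate(remote_text, local_text):
    """Compare the remote copy against the local copy.

    deleted: events the remote server received but the host no longer has
    altered: events present on both sides whose detail text differs
    """
    remote, local = parse(remote_text), parse(local_text)
    deleted = sorted(key for key in remote if key not in local)
    altered = sorted(key for key in remote
                     if key in local and remote[key] != local[key])
    return {"deleted": deleted, "altered": altered}


if __name__ == "__main__":
    result = correlate(REMOTE_LOG, LOCAL_LOG)
    for key in result["deleted"]:
        print("DELETED locally:", key)
    for key in result["altered"]:
        print("ALTERED locally:", key)
```

The remote copy is treated as the reference because it was written before the attacker reached the host; the comparison only has value if log shipping is near-real-time and the remote collector is not reachable with the credentials the attacker obtained, which is the reason the slide lists remote logging as its own countermeasure rather than just correlation.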

Slide 13: Conclusion
- The attacker's actions at each stage were observed
- Existing defense mechanisms were listed corresponding to each stage
- This will help administrators and security professionals harden and secure their infrastructure against such complex attacks

Slide 14: Thank You
Doubts or questions?
Contact: koustavsadhukhan@hqr.drdo.in, arvindrao@hqr.drdo.in, tarunyadav@sag.drdo.in
