Terms: “Security”: is a system’s ability to provide services while maintaining the five IA pillars “Attack”: an action that violates one of the IA pillars Examples Phases of a Cyber Attack2 GoalPillar Violated Steal a fileConfidentiality Deface a webpageIntegrity Bring down DNS serverAvailability Send an from someone else’s accountNon-redpudiation Steal login credentialsAuthentication
Ex 1: George from Accounting keeps the secret recipe for his award-winning chili on his office computer, and your goal is to steal the recipe. What's stopping you? Password authentication! You need his username and password to login to his computer and access the recipe. Phases of a Cyber Attack3
Ex 2: You want to view a webpage with secret planning information housed on your competitor's internal webserver. What's stopping you? A firewall! Your competitor's network sits behind a firewall that doesn't allow port 80 bound traffic in. Phases of a Cyber Attack4
Ex 3: There's a guy on your WiFi network whom you want to discredit. You want to snoop in on his browser traffic to see what banking pages he's looking at. What's stopping you? Encryption! He's accessing sites via HTTPS and all the traffic is AES encrypted! Bottom Line: If you want to attack a system, you need to violate a pillar. In order to (successfully) violate a pillar, you need to defeat the tools employed to protect the pillars. Phases of a Cyber Attack5
Multiple layers of defense Each layer presents a new set of challenges to an attacker Phases of a Cyber Attack6 Firewall Open Ports Host Firewall File Permissions
Phases of a Cyber Attack7
8 2. We use this to make an SSH connection from the webserver to the target host, which is allowed since both parties are inside the firewall. 3. Now we have some some degree of access to our target host. Subsequent steps in the attack would have to take advantage of that to pursue the ultimate goal of stealing a copy of the file secret.txt. Notional Attack: 1.We send port 80 traffic into the network (which the firewall allows) to the webserver with some carefully crafted content that exploits a bug in the webserver, ultimately allowing us to execute commands on it.
Reconnaissance Discover the information necessary to gain access to the target Infiltration Gain the accesses necessary to achieve your goal Conclusion Carry out steps necessary to achieve your goal Takes steps necessary to cover your tracks Phases of a Cyber Attack9
Goal: identify possible targets and vulnerabilities Any information gathered may prove crucial to discovering a critical vulnerability Two methods Passive Gathering information without alerting the subject of the surveillance Active Gathering information using techniques that may alert the target Phases of a Cyber Attack10
Passive reconnaissance Minimize interactions with the target network that may raise flags Build a target profile Open source research Determine Domain names Network address blocks Organization Employees and system administrators Affiliates Public information pertaining to Network infrastructure Security policies Systems / technologies used Service providers Any other information that may prove useful Phases of a Cyber Attack11
Target's website Public DNS servers Internet registry (WHOIS) Phonebook Personal blogs Social media News articles Discarded trash Many, many others Phases of a Cyber Attack12
Active reconnaissance Build a picture of the target network IP addresses of Internet-connected systems Network protocols used Operating systems in use Architecture x86, x64, SPARC, … Services running HTTP, FTP, SMTP, DNS, etc. Remote access systems RAS, VPN, dial-up modems, etc. Security posture Access control mechanisms, intrusion detection / prevention systems (IDS/IPS), security responses Phases of a Cyber Attack13
Ping sweep Ping all IP addresses in a given range Record addresses that respond Port scanning Attempt to connect to all ports or specific list of ports on a host Determine if port is open, closed, or filtered nmap is a powerful tool used for both ping sweeps and port scans Use tools such as traceroute to discover network topology Phases of a Cyber Attack14
Banner grabbing Connect to remote service and observe output Can be VERY informative netcat and telnet can be used to interact with a service for banner grabbing Operating system fingerprinting Determine which OS is running Can be based on Open ports / services running Certain ports are OS-specific Server software/version can indicate a particular OS How target responds to certain data packets How target sets certain fields in data packets Service specific techniques Pick a protocol… There’s a tool/technique to enumerate Phases of a Cyber Attack15
Network reconnaissance is a legal “grey area” Footprinting makes use of information that is publicly available Many scanning and enumeration tools use public accesses No authentication Guest / publicly known accounts Is collecting information or connecting to a host with public accesses a crime? What is the threshold? Phases of a Cyber Attack16
Goal: gain control of a host on the target's network Typically gaining remote access to a shell or terminal with administrator privileges Knowledge of a vulnerability is not enough Must have the ability to exploit the vulnerability Does not necessarily require advance knowledge or skill Many tools openly available Including automated tools Phases of a Cyber Attack17
Goal: achieve the intended objective and eliminate traces of the attack Set up data exfiltration paths Hide tools and programs uploaded to the target Eliminate logs Logon, logoff Startup, shutdown Network connections Program execution Privilege uses Errors Terminate connections May create a backdoor for future access Phases of a Cyber Attack18
Phases of a Cyber Attack19