Presentation transcript: Phases of a Cyber Attack

Slide 2

Terms:
- "Security": a system's ability to provide services while maintaining the five IA pillars
- "Attack": an action that violates one of the IA pillars

Examples:

  Goal                                        Pillar violated
  Steal a file                                Confidentiality
  Deface a webpage                            Integrity
  Bring down DNS server                       Availability
  Send an email from someone else's account   Non-repudiation
  Steal login credentials                     Authentication

Slide 3

Ex 1: George from Accounting keeps the secret recipe for his award-winning chili on his office computer, and your goal is to steal the recipe. What's stopping you?
- Password authentication! You need his username and password to log in to his computer and access the recipe.

Slide 4

Ex 2: You want to view a webpage with secret planning information housed on your competitor's internal webserver. What's stopping you?
- A firewall! Your competitor's network sits behind a firewall that doesn't allow inbound traffic to port 80.

Slide 5

Ex 3: There's a guy on your WiFi network whom you want to discredit. You want to snoop on his browser traffic to see what banking pages he's looking at. What's stopping you?
- Encryption! He's accessing sites via HTTPS and all the traffic is AES encrypted!

Bottom line: If you want to attack a system, you need to violate a pillar. In order to (successfully) violate a pillar, you need to defeat the tools employed to protect the pillars.

Slide 6

- Multiple layers of defense
- Each layer presents a new set of challenges to an attacker

Layers shown in the diagram: Firewall, Open Ports, Host Firewall, File Permissions


Slide 8

Notional attack:
1. We send port 80 traffic into the network (which the firewall allows) to the webserver, with carefully crafted content that exploits a bug in the webserver, ultimately allowing us to execute commands on it.
2. We use this to make an SSH connection from the webserver to the target host, which is allowed since both parties are inside the firewall.
3. Now we have some degree of access to our target host. Subsequent steps in the attack would have to take advantage of that to pursue the ultimate goal of stealing a copy of the file secret.txt.

Slide 9

- Reconnaissance
  - Discover the information necessary to gain access to the target
- Infiltration
  - Gain the accesses necessary to achieve your goal
- Conclusion
  - Carry out the steps necessary to achieve your goal
  - Take the steps necessary to cover your tracks

Slide 10

- Goal: identify possible targets and vulnerabilities
- Any information gathered may prove crucial to discovering a critical vulnerability
- Two methods
  - Passive: gathering information without alerting the subject of the surveillance
  - Active: gathering information using techniques that may alert the target

Slide 11

Passive reconnaissance
- Minimize interactions with the target network that may raise flags
- Build a target profile
- Open source research
- Determine
  - Domain names
  - Network address blocks
  - Organization
  - Employees and system administrators
  - Affiliates
- Public information pertaining to
  - Network infrastructure
  - Security policies
  - Systems / technologies used
  - Service providers
  - Any other information that may prove useful

Slide 12

Sources of passive reconnaissance information:
- Target's website
- Public DNS servers
- Internet registry (WHOIS)
- Phonebook
- Personal blogs
- Social media
- News articles
- Discarded trash
- Many, many others

Slide 13

Active reconnaissance
- Build a picture of the target network
  - IP addresses of Internet-connected systems
  - Network protocols used
  - Operating systems in use
  - Architecture: x86, x64, SPARC, ...
  - Services running: HTTP, FTP, SMTP, DNS, etc.
  - Remote access systems: RAS, VPN, dial-up modems, etc.
  - Security posture: access control mechanisms, intrusion detection / prevention systems (IDS/IPS), security responses

Slide 14

- Ping sweep
  - Ping all IP addresses in a given range
  - Record addresses that respond
- Port scanning
  - Attempt to connect to all ports or a specific list of ports on a host
  - Determine if a port is open, closed, or filtered
- nmap is a powerful tool used for both ping sweeps and port scans
- Use tools such as traceroute to discover network topology
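Detection logic for two of the activities the deck describes, the port scan of slide 14 and the webserver-to-internal-host SSH hop in slide 8's notional attack, as an added Python example that is not part of the presentation. The firewall log format, the addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall connection log (not from the presentation).
# Fields: <epoch seconds> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOG = """\
1000 203.0.113.7 192.0.2.10 22 DENY
1001 203.0.113.7 192.0.2.10 23 DENY
1002 203.0.113.7 192.0.2.10 25 DENY
1003 203.0.113.7 192.0.2.10 80 ALLOW
1004 203.0.113.7 192.0.2.10 110 DENY
1005 203.0.113.7 192.0.2.10 143 DENY
1006 203.0.113.7 192.0.2.10 443 DENY
1007 203.0.113.7 192.0.2.10 445 DENY
1008 203.0.113.7 192.0.2.10 3306 DENY
1009 203.0.113.7 192.0.2.10 3389 DENY
1020 198.51.100.5 192.0.2.10 80 ALLOW
1100 192.0.2.10 192.0.2.20 22 ALLOW
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

def parse_log(text):
    """Parse lines into (ts, src, dst, port, action) tuples, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, action = m.groups()
            events.append((int(ts), src, dst, int(port), action))
    return sorted(events)

def detect_port_scans(events, threshold=10, window=60):
    """Return (src, dst) pairs where src touched >= threshold distinct ports on dst within
    `window` seconds. DENY and ALLOW both count: a scan is about breadth, not success."""
    touches = defaultdict(list)  # (src, dst) -> [(ts, port), ...] in time order
    for ts, src, dst, port, _ in events:
        touches[(src, dst)].append((ts, port))
    scanners = set()
    for key, seq in touches.items():
        for i, (start, _) in enumerate(seq):  # slide the window forward from each probe
            if len({p for t, p in seq[i:] if t - start <= window}) >= threshold:
                scanners.add(key)
                break
    return scanners

def detect_lateral_ssh(events, dmz_hosts):
    """Return allowed SSH connections initiated *by* an internet-facing host
    (the slide 8 pattern: a compromised webserver hopping to an internal target)."""
    return [(src, dst) for _, src, dst, port, action in events
            if port == 22 and action == "ALLOW" and src in dmz_hosts]
```

Feeding the constructed log through both detectors flags the single external scanner and the webserver's SSH hop, while the ordinary browsing from 198.51.100.5 passes unflagged.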

Slide 15

- Banner grabbing
  - Connect to a remote service and observe the output
  - Can be VERY informative
  - netcat and telnet can be used to interact with a service for banner grabbing
- Operating system fingerprinting
  - Determine which OS is running
  - Can be based on
    - Open ports / services running
      - Certain ports are OS-specific
      - Server software/version can indicate a particular OS
    - How the target responds to certain data packets
    - How the target sets certain fields in data packets
- Service-specific techniques
  - Pick a protocol... there's a tool/technique to enumerate it

Slide 16

- Network reconnaissance is a legal "grey area"
- Footprinting makes use of information that is publicly available
- Many scanning and enumeration tools use public accesses
  - No authentication
  - Guest / publicly known accounts
- Is collecting information or connecting to a host with public accesses a crime?
- What is the threshold?

Slide 17

- Goal: gain control of a host on the target's network
  - Typically gaining remote access to a shell or terminal with administrator privileges
- Knowledge of a vulnerability is not enough
  - Must have the ability to exploit the vulnerability
- Does not necessarily require advance knowledge or skill
  - Many tools openly available
  - Including automated tools

Slide 18

- Goal: achieve the intended objective and eliminate traces of the attack
- Set up data exfiltration paths
- Hide tools and programs uploaded to the target
- Eliminate logs
  - Logon, logoff
  - Startup, shutdown
  - Network connections
  - Program execution
  - Privilege uses
  - Errors
- Terminate connections
- May create a backdoor for future access
