Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd
Upload
74 views

Module 2

The document discusses the cyber attack chain model and how it relates to analyzing attacks from a hacker's perspective. It provides an overview of key stages in the attack chain including reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on target, and exfiltration.

Uploaded by

hbgty4h5h6
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
74 views

Module 2

The document discusses the cyber attack chain model and how it relates to analyzing attacks from a hacker's perspective. It provides an overview of key stages in the attack chain including reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on target, and exfiltration.

Uploaded by

hbgty4h5h6
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 113

Cybersecurity Bootcamp | Module 2

Cyber Attack Chain


Class Pointers

● Please switch on your webcams! Communication is 70% body


language.
● This is not a webinar. This is an interactive, hands-on training
workshop, where everyone participates!
● Keep your mic constantly muted (to prevent background noise)
● Unmute your mic to speak up and ask questions
● Always clarify your doubts. Don’t be shy!
● Feel free to ask any questions. This is a safe zone for everyone, no
matter your starting level.

© 2022 Vertical Institute


Vertical Institute
Class Pointers
● Use the ‘Raise Hand’ or ‘Thumbs Up’ function!

Step 1:

Step 2:

© 2022 Vertical Institute


Vertical Institute
Agenda
Tutorial
● Cyber-Attack chain ● Security technologies
○ Reconnaissance ○ Anti-virus
○ Weaponization ○ Security monitoring
○ Delivery ○ Intrusion detection and prevention systems
○ Exploitation ○ Biometrics
○ Installation ○ Security controls
○ Command and Control
● Demonstration of hacking examples mapped to
○ Actions on Objective
the Cyber-Attack Chain phases

© 2022 Vertical Institute


Vertical Institute
Agenda
Activity
● Map security controls against cyber-attack chain
● Threat modeling

© 2022 Vertical Institute


Vertical Institute
Financial Services
cyber-security snapshot
Financial Services snapshot
https://www.verizon.com/business/ve
Activities Statistics rizonpartnersolutions/business/resou
rces/reports/2020-data-breach-invest
igations-report-financial-services.pdf
Frequency 1,509 incidents, 448 with confirmed data disclosure

Top Patterns Web Applications, Miscellaneous Errors and Everything Else represent 81% of
breaches
Threat Actors External (64%), Internal (35%), Partner (2%), Multiple (1%) (breaches)

Actor Motives Financial (91%), Espionage (3%), Grudge (3%) (breaches)

Data Compromised Personal (77%), Other (35%), Credentials (35%), Bank (32%) (breaches)

Top Controls Implement a Security Awareness and Training Program (CSC17), Boundary
Defense (CSC 12), Secure Configurations (CSC 5, CSC 11)

© 2022 Vertical Institute


Key cybersecurity terminologies

Asset Threat Vulnerability Risk


• What needs to be • Who are the bad • Weakness or gap • Potential for loss,
protected? guys? in our security damage or
controls destruction of an
asset, due to a
threat’s having
successfully
exploited a
vulnerability

© 2022 Vertical Institute


Key cybersecurity terminologies

Asset Threat Vulnerability Risk


• Your cell phone • Pickpockets • No PIN code • Can be stolen in
password a dangerous city
where pickpocket
is rampant

© 2022 Vertical Institute


What are the key assets to a bank/financial institution?

Personally identifiable
Data Credit ratings
information

Loans Contracts Agreements

Computer systems that provide services

© 2022 Vertical Institute


What are the key threats to a bank/financial institution?

Hackers

Phishing
State-sponsore Script kiddies Hacktivists Cyber terrorists Inside threats
scammers
d hackers

© 2022 Vertical Institute


What are the key vulnerabilities to a bank/financial institution?

Complex application logic


that may have weaknesses

Users who are not educated on


latest phishing attack methods

Misconfiguration in applications

© 2022 Vertical Institute


Cyber-Attack chain
Cyber Attack Chain

● Developed by Lockheed Martin, the Cyber Kill Chain® framework


is part of the Intelligence Driven Defense® model for identification
and prevention of cyber intrusions activity. The model identifies what
the adversaries must complete in order to achieve their objective.
● The eight steps of the Cyber Kill Chain® enhance visibility into an
attack and enrich an analyst’s understanding of an adversary’s
tactics, techniques and procedures.

© 2022 Vertical Institute


How do burglars go after a specific house?

Look out for area


where houses may Plan burglary and Break into the
be less secured escape route house Grab valuables

Identify doors/windows Get ready the tools to Search through the house Run through
that can be broken into break into the house for valuables exit route

Go to master bedroom
(highest chance of having
valuables like cash and
jewelries)

© 2022 Vertical Institute


How do robbers go after a bank?

Look out for


Run to the
branches Identify target Plan robbery Get ready Run through
Break into bank’s vault Grab cash and
where bank branch’s and escape tools to rob planned exit
the bank or counter’s valuables
may be less employees route the bank route
drawers
secured

© 2022 Vertical Institute


Hacker’s toolbox

● Kali Linux
○ Open-source penetration testing toolbox
○ Loaded with hundreds of hacking software
○ Used by both white hat and black hat hackers

© 2022 Vertical Institute


Kali Linux

● It is free and anyone can download to use it


● Can even run in your cell phone

© 2022 Vertical Institute


The Cyber Attack Chain: ideal for analyzing attacks from an adversarial points of view and for identifying
gaps in detection, prevention, and security controls.

Recon Weaponize Deliver Exploit

Attackers probe for a Build a deliverable Sending the weaponised Executing code on
weakness. This might include payload using an exploit and bundle to the victim the victim's
harvesting login credentials of a back-door. - for example, malicious system.
information useful in an attack. link in an e-mail.

Install C&C Actions on Target Ex-filtration

Installing malware Creating a channel Attacker remotely carries Pull data out of the
on the target where the attacker can out its intended goal. target system(s)
asset. control a system
remotely.

© 2022 Vertical Institute


Cyber-Attack Chain and Kali
Linux is mapped closely

© 2022 Vertical Institute


Reconnaissance

• Passive information gathering for publicly


Information available information
gathering • Active information gathering to probe systems
and users for information

© 2022 Vertical Institute


Locatefamily.com

© 2022 Vertical Institute


Finding information of employees on Social Media

© 2022 Vertical Institute


Exercise

● Go to www.linkedin.com
● Can you find your co-workers?
● Can you find who are the top management?
● Can you find colleagues that you have not met before?

© 2022 Vertical Institute


Email guessing

● bobmister@bank.com
● misterbob@bank.com
● bm@bank.com

© 2022 Vertical Institute


Exercise

● Go to www.facebook.com
● Can you find your co-workers and friends?
● Can you find who are the top management?
● Can you find colleagues that you have not met before?
● Do you know more about their personal lives now?

© 2022 Vertical Institute


monitor.firefox.com

© 2022 Vertical Institute


www.avast.com/hackcheck

© 2022 Vertical Institute


Google hacking database

https://www.exploit-db.com/google-hacking-database

© 2022 Vertical Institute


Active vs Passive scanning

● Demonstrated so far are all passive scanning


● Active scanning
○ Knocking on the door of the house to check if anyone is at home
○ Trying to open the door in a bank’s office to see if the security system is working
○ Scanning a computer for openings

© 2022 Vertical Institute


Scanning tools

● Network mapper (nmap)


● To scan against a set of computer(s) to look for openings and potentially, vulnerabilities
that can be exploited

© 2022 Vertical Institute


NMAP Demonstration
Difference between vulnerability assessment
and penetration testing

Vulnerability assessment Penetration testing

To uncover potential gaps May include gaining unauthorised


in the systems access into the systems

© 2022 Vertical Institute


Defend Against Reconnaissance

(Facebook, LinkedIn,
Privatise Privatise your publicly available information Google, etc.)

Update Regularly update your passwords across all accounts

Separate Separate private and public profiles

Secure systems Configuration details should be secured against


from exposure public access

© 2022 Vertical Institute


Weaponization

Creating malicious files to be sent to the victim

Files that can bypass security mechanisms like


anti-virus or firewall

© 2022 Vertical Institute


Macro Excel
Exploit

© 2022 Vertical Institute


Macro Excel Exploit Execution

© 2022 Vertical Institute


Macro Excel
Full Remote
Control

© 2022 Vertical Institute


MSFVENOM

● A malicious software builder


● Can generate malicious files like pdf, asp, exe, vba and more

© 2022 Vertical Institute


Defend Against Weaponization

Regularly update
Do not click on
all your computers
links from
and mobile
unverified senders
devices

Run the latest


anti-virus software

© 2022 Vertical Institute


Defend Against Weaponization

● Regularly update all your computers, mobile devices and Internet-connected devices
● Updates address not just new features and functions, but also security holes

© 2022 Vertical Institute


Defend Against Weaponization

● Do not click on links from unverified senders


● Some malicious files bypass anti-virus defenses, as such, you may not get alert if the
file contains malicious code

© 2022 Vertical Institute


Defend Against Weaponization

● Run the latest anti-virus software


● The anti-virus is generally updated with the latest signatures to stop new threats
● Similar to vaccination against viruses

© 2022 Vertical Institute


Zero-Day Exploits

● Now you will be thinking, if a new threat emerges, does it


mean that there are no defenses?

© 2022 Vertical Institute


Zero-Day Exploits

● There is a time gap between the exposed vulnerability and the ability
of the software vendor to update with newer and more secure code

© 2022 Vertical Institute


Defenses for Zero-Day Exploits

● Compensating security controls


● Virtual patches
● Defense in depth
● For example:
○ If the software is vulnerable at a particular page, it can be blocked by using
firewall to stop access to that page until the security patch is available

© 2022 Vertical Institute


Demonstration of hacking
examples mapped to the
Cyber-Attack Chain phases
Delivery

CREATE FAKE CREATE FAKE MASS EMAIL USB


WEBSITE WIRELESS
ACCESS POINT

© 2022 Vertical Institute


Delivery

http://www.techerator.com/2009/10/preventing-viruses-part-1-email-viruses
/

© 2022 Vertical Institute


Browser exploitation framework

Live hacking demo on how hackers take over an


entire browser session

© 2022 Vertical Institute


Exploitation

Exploit a software
weakness inside a
computer or phone

Attacks both
operating system and
software

© 2022 Vertical Institute


Exploitation

● Hackers can search for exploit availability to target against vulnerable services
● Exploit-db.com
● SearchSploit in Kali Linux
● Target against specific application and/or operating system

© 2022 Vertical Institute


Common Vulnerability Exposure (CVE)

● Reference for publicly known information-security vulnerabilities and exposure


● Maintained by The Mitre Corporation

© 2022 Vertical Institute


Defend Against Exploitation

● Verify links before clicking on the links


● Install anti-virus on your computers and mobile devices
● Backup and restore if hacker gains access into your computer

© 2022 Vertical Institute


Installation

Install virus or backdoors


into the system

Auto-start virus in the


background when computer
is booted

© 2022 Vertical Institute


Command And Control

Control hacked computers remotely

© 2022 Vertical Institute


Actions on Objectives

● Data exfiltration—copying and removing files from computers or servers


● Data corruption—altering or erasing data from computers or servers
● Attacks to destroy—launching harmful applications or queries
● Redirecting browser queries

© 2022 Vertical Institute


© 2022 Vertical Institute
The Cyber Attack Chain: ideal for analysing attacks from an adversarial
points of view and for identifying gaps in detection, prevention, and security
controls.

Actions on Ex-filtratio
Recon Weaponise Deliver Exploit Install C&C
Target n

•Attackers probe •Build a •Sending the •Executing code •Installing •Creating a •Attacker •Pull data out of
for a weakness. deliverable weaponised on the victim's malware on the channel where remotely carries the target
This might payload using bundle to the system. target asset. the attacker can out its intended system(s)
include an exploit and victim- for control a system goal.
harvesting login a back-door. example, a remotely.
credentials of malicious link in
information an e-mail.
useful in an
attack.

© 2022 Vertical Institute


Security Controls
Security controls you can use to stop the attack chain

● Detect—determine attempts to scan or penetrate the organization


● Deny—stop attacks as they happen
● Disrupt—intercept data communications carried out by the attacker and interrupt them
● Degrade—create measures that will limit the effectiveness of an attack
● Deceive—mislead an attacker by providing false information or setting up decoy assets

© 2022 Vertical Institute


Security Controls mapped to the Cyber Attack Chain
Phase Detect Deny Disrupt Degrade Deceive Contain
Web Analytics
Information Sharing Policy
Reconnaissance Threat Intelligence
Firewall Access Control Lists
Network Intrusion Detection System

Threat Intelligence Network Intrusion Prevention


Weaponization
Network Intrusion Detection System System

Change Management Router Access Control Lists


Application Whitelisting App-aware Firewall
Delivery Endpoint Malware Protection Proxy Filter Inline Anti-Virus Queuing Trust Zones
Host-Based Intrusion Prevention Inter-zone Network Intrusion Detection
System System

App-aware Firewall
Endpoint Malware Protection Secure Password Data Execution Trust Zones
Exploitation
Host-Based Intrusion Detection System Patch Management Prevention Inter-zone Network Intrusion Detection
System

App-aware Firewall
Security Information and Event Privilege Separation
Router Access Control Trust Zones
Installation Management (SIEM) Strong Passwords
Lists Inter-zone Network Intrusion Detection
Host-Based Intrusion Detection System Two-Factor Authentication
System

Command & Network Intrusion Detection System Firewall Access Control Lists Host-Based Intrusion Domain Name Trust Zones
Tarpit
Control Host-Based Intrusion Detection System Network Segmentation Prevention System System Redirect Domain Name System Sinkholes

Actions on Endpoint Malware Quality of


Endpoint Malware Protection Data-at-Rest Encryption Honeypot Incident Response
Objectives Protection Service

Data Loss Prevention


Exfiltration Security Information and Event Egress Filtering Data Loss Prevention Firewall Access Control Lists
© 2022 Vertical Institute Management (SIEM)
Security Technologies
Network Architecture – On-premises

https://www.researchgate.net/figure/Hierarchical-Datacenter-Architecture_fig9_322324205
© 2022 Vertical Institute
As-a-service model

● Software as a service
● Platform as a service
● Infrastructure as a service

© 2022 Vertical Institute


As-a-service examples

Platform Type Common Examples


SaaS Google Workspace, Dropbox, Salesforce, Cisco WebEx, Concur, GoToMeeting
AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine,
PaaS
Apache Stratos, OpenShift
DigitalOcean, Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod,
IaaS
Microsoft Azure, Google Compute Engine (GCE)

© 2022 Vertical Institute


Pizza as a service

© 2022 Vertical Institute


Amazon Web Services Architecture example

© 2022 Vertical Institute


How are websites/mobile apps built and deployed?

1. Written in code
2. Uploaded to a computer
3. Users access the computer
4. Computer runs code
5. Computer responses with results

© 2022 Vertical Institute


Software development lifecycle

Planning

Maintenance Analysis

Testing &
Design
Integration

Implementation

© 2022 Vertical Institute


Anti-virus

Signature based

Behaviour based

© 2022 Vertical Institute


Anti-virus: Signature based

● Hacker file contains <open notepad>


● Anti-virus has list of signatures to detect <open notepad> in the file

Pros Cons

• Able to detect quickly • Hackers can update file type and the
malicious software is no longer detected
• For example, changing to <open open
notepad>

© 2022 Vertical Institute


Anti-virus: Behavior based

● Execute the file in a sandbox environment


● Detect based on indicators of attack and compromise

For example, a malicious file is executed in the sandbox. If the file tries to delete or
encrypt other files, it is an indication of attack.

© 2022 Vertical Institute


Intrusion prevention/
detection systems

https://purplesec.us/intrusion-detection-vs-intrusion-prevention-systems/

© 2022 Vertical Institute


Intrusion prevention/detection system example

Inject malicious
code into
application Rule 1
Rule 2
Rule 3

© 2022 Vertical Institute


Intrusion prevention/detection system example

Regular access

Rule 1 Access user profile


Rule 2 information
Rule 3

© 2022 Vertical Institute


Security monitoring
systems

https://gbhackers.com/security-information-and-event-management-siem-a-detail
ed-explanation/

© 2022 Vertical Institute


Identity &
Access
Who can
Management
access what

© 2022 Vertical Institute


Entering a bank Entering a building
Identity & If you are a customer, You are only allowed
you are only allowed access if you have an
Access access to the branch and access card
Management to the counters In order to obtain the
If you are a bank staff, access card, your identity
Example you are only allowed has been provided and
access into the office the building gives you the
segment of the branch rights to access its floors
Sometimes, you are only
allowed access to a
single floor or to specific
rooms in that floor.
© 2022 Vertical Institute
Authentication vs Authorisation

Authentication is proving you are Authorisation is whether you


who you say you are have access

• Username and password • I have logged in, what can I do?


• Multi-factor authentication • Can I transfer money out of the
• Biometric account?
• Can I have administrative power to
view others’ account statement?

© 2022 Vertical Institute


Bank’s Identity & Access
Management System

© 2022 Vertical Institute


Different levels of access

● Login to view account details


● Transactions require challenge
○ Multi-factor authentication challenges to confirm on transaction and to additionally
verify on the requestor’s identity

© 2022 Vertical Institute


Code scanning (Static application security testing)

● Scans application source code to test for a range of vulnerabilities


● Detect problems early in the development lifecycle

© 2022 Vertical Institute


Vulnerability scanners

● Attached to the integrated development environment


● Scans code before it is published to production environment

https://www.plutora.com/blog/what-staging-environment-how-get-it-right
© 2022 Vertical Institute
Backups

● Saving data into a separate repository for safeguard and future recovery
● Highly common practice in most large enterprises, financial institutions and banks
● Need to comply with regulatory requirements

© 2022 Vertical Institute


Backups recovery process must be tested regularly

● Backup process is part of day to day business


● However, attempt to recover from existing backups may be lackluster
● Need to run backup regularly to look at operations ability to recover from cyber-attack
● Can be part of incident response management

© 2022 Vertical Institute


Threat Modelling against financial services organization

]
What is a security architecture?

Security architecture is a unified security design that addresses the necessities and
potential risks involved in a certain scenario or environment. It also specifies when and
where to apply security controls. The design process is generally reproducible.

© 2022 Vertical Institute


Threat Modelling

“Know the enemy and know yourself in a hundred battles you will never be in peril.
When you are ignorant of the enemy but know yourself, your chances of winning or losing
are equal. If ignorant both of your enemy and of yourself, you are certain in every battle to be
in peril.” – Sun Tzu

© 2022 Vertical Institute


What is Threat Modelling?

● Threat modeling is a structured process with these objectives:

Identify security pinpoint security threats quantify threat and prioritise remediation
requirements, and potential vulnerabilities, vulnerability criticality, and methods.

© 2022 Vertical Institute


What are the threats?

● Profiles of potential attackers, including their goals and methods


● A catalog of threats
○ Which threat has a higher probability of occurring?
● Security responses and/or controls against these attackers

© 2022 Vertical Institute


Threat Modelling Process

● Identify Assets
● Create an Architecture Overview
● Decompose the Application
● Identify the Threats
● Document the Threats
● Rate the Threats

© 2022 Vertical Institute


Threat Modelling Process

Create an Document the


Decompose the
Identify Assets Architecture Identify the Threats Rate the Threats
Application Threats
Overview
•Website for users •How are accesses •What are the •Who could be •Common threats •What is the impact
•HR site for internal made? critical access targeting our •Advanced threats to the
employees •Where are the trust paths? websites? organization?
boundaries? •What are the
critical
components?
•Web server that
can spin up
quickly
•Information in
database

© 2022 Vertical Institute


Threat Models - STRIDE Model

● Spoofing

○ Pretending to be something/someone else

● Tampering

○ Unauthorized modifications

● Repudiation

○ Unable to prove responsibility of actions

● Information disclosure

○ Giving data to others who should not know

● Denial of service

○ Rendering service unavailable

● Elevation of privilege

○ Moving from normal user to administrative rights


© 2022 Vertical Institute
Day to day threat modelling

If I am joining today’s class


If today’s class is held in-person at
virtually, could my Internet be going
down? a specific location, what could go
wrong?
• What are the threats to my Internet
connectivity in order to attend this class?
• What are the threats for the journey from
• Kids turning off the router my home to the classroom?
• Car may knock you down

© 2022 Vertical Institute


● Adversarial threats
○ Hackers, 3rd party vendors,
insiders and suppliers

Types of ● Natural disasters


○ Hurricanes, flood, earthquake,

threats ●
fire and lightning
System failure
○ Hardware issues, power
outages
● Human error
○ Accidental deletion, incorrect
logic, misconfiguration of
security settings

© 2022 Vertical Institute


Threat modelling example

● Customer can login to the bank’s portal


● Bank’s portal is accessible through the Internet
● Hacker can launch brute force authentication
○ Limit 5 retries before IP address is blocked
● Hacker can guess username and password in order to login to the website
○ Limit 5 retries before IP address is blocked
● Customer falls victim to social engineering attack and gave up username and password
to scammer
○ Track IP address of customer and country origin

© 2022 Vertical Institute


Threat modelling Exercise

You are a security analyst working in a bank and has been tasked to work on
threat modelling against the bank’s new website before its launch date in 3 months
time.
● Identify threats to the bank’s new website
● Identify threat paths
● Map to STRIDE
● Provide countermeasures option
● Less than 100 words

© 2022 Vertical Institute


What is the 1st phase of the cyber attack chain?

A. Recon
B. Weaponize
C. Deliver

© 2022 Vertical Institute


What is the 1st phase of the cyber attack chain?

A. Recon
B. Weaponize
C. Deliver

© 2022 Vertical Institute


Which is NOT a type of cybercriminal?

A. State/Nation Sponsored Hackers


B. Cyber Terrorists
C. Cyber Influencer

© 2022 Vertical Institute


Which is NOT a type of cybercriminal?

A. State/Nation Sponsored Hackers


B. Cyber Terrorists
C. Cyber Influencer

© 2022 Vertical Institute


Which is NOT a cyber crime?

A. Computer as a target
B. Computer as a tool to launch attacks
C. Online harassment
D. Computer harvestor

© 2022 Vertical Institute


Which is NOT a cyber crime?

A. Computer as a target
B. Computer as a tool to launch attacks
C. Online harassment
D. Computer harvestor

© 2022 Vertical Institute


Which is the last phase of the cyber attack chain?

A. Weaponization
B. Delivery
C. Ex-filtration

© 2022 Vertical Institute


Which is the last phase of the cyber attack chain?

A. Weaponization
B. Delivery
C. Ex-filtration

© 2022 Vertical Institute


On average, how long does it take hackers
to gain access into your computers?

A. Minutes
B. Hours
C. Weeks
D. Months

© 2022 Vertical Institute


On average, how long does it take hackers
to gain access into your computers?

A. Minutes
B. Hours
C. Weeks
D. Months

© 2022 Vertical Institute


Exercise. Let’s rob a bank!

https://terminal.cyberskillslesson.com/

© 2022 Vertical Institute


What did you learn?
What have we learned today?
Tutorial
● Cyber-Attack chain ● Security technologies
○ Reconnaissance ○ Anti-virus
○ Weaponization ○ Security monitoring
○ Delivery ○ Intrusion detection and prevention systems
○ Exploitation ○ Biometrics
○ Installation ○ Security controls
○ Command and Control
● Demonstration of hacking examples mapped to
○ Actions on Objective
the Cyber-Attack Chain phases

© 2022 Vertical Institute


Vertical Institute
What have we learned today?
Activity
● Map security controls against cyber-attack chain
● Threat modeling

© 2022 Vertical Institute


Vertical Institute
Thank you!

You might also like