Phishing → Practice of sending email to trick users to submit personal information or click a link
Can be done to install malware, validate email address, get money
Smishing → SMS Phishing
Vishing → Phone Phishing → Phishing over Voice over IP (VoIP)
Spam → Unwanted / Solicited Email
SPIM → Unwanted messages over Instant Messaging Channels
Spear Phishing → Phishing target on specific group of people or even a single user
Mitigation → Use digital signatures
Dumpster diving → Practice of searching through trash & recycling to gain info from discarded items
Mitigation → Shredding or Burning Paper instead of throwing it away
Shoulder surfing → Looking over shoulder of someone to gain information
Mitigation → Use screen filters
Pharming → Manipulates DNS server or client to redirect users to different websites
Changes DNS entries on a local PC or on a trusted local DNS server
Tailgating → Practice of one person following closely behind another person without showing credentials
Mitigation → Access Control Vestibules (Mantraps) → Allows only single person to pass at a time
Eliciting information → Act of getting information without asking for it directly
Active Listening → Target is encouraged to keep talking
Reflective Questioning → Repeat statements as a question & encourages to talk more
False Statement → Give false info hoping that the target corrects it
Bracketing → Try to get specific info by stating a specific number or range of numbers
Whaling → Phishing targeted on high level executives
Prepending → Add something to the beginning of something else. Ex. [SAFE] [EXTERNAL]
Pretexting → Adding a fictitious scenario to a conversation to make more believable request
Identity Theft → When someone steals personal info about you
Identity Fraud → Criminals use stolen identity information to commit identity fraud
Invoice Scams → Trick people or organizations into paying for goods or services they didn’t request & usually didn’t receive
Credential Harvesting → Collect usernames & passwords from users
Phishing Email → Link to a website → Login with credentials → Redirect to original website & showing password is incorrect
MFA helps to limit the impact of credential harvesting attacks
Reconnaissance → Gathering information about target
Hoax → Security threat that simply doesn’t exists
Impersonation → Act of pretending to be another person
Watering Hole Attack → Attempts to discover which websites people are likely to visit & infect those websites with malware that can infect the visitors
Typosquatting → URL Hijacking → Occurs when someone buys a domain name that is close to the legitimate domain name
Smurf Attack → A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing power.
Occurs when the attacker floods the target network with infinite ICMP request packets
A smurf attack is a DDoS attack in which an attacker attempts to flood a targeted server with Internet control message protocol (ICMP) packets.
Influence campaigns → Uses variety of sources to influence public perception
Hybrid Warfare → Military strategy that blends conventional warfare with unconventional methods to influence people
Social Media → To spread misinformation
Principles of Social Engineering
Authority
Impersonation → Impersonate others to get people to do something
Whaling → Executives respect authorities such as legal entities
Vishing → Use phone to impersonate authority
Intimidation → Scaring or Bullying an individual into taking a desired action
Consensus → When attacker convinces victims that they can be trusted
People tend to want to do what others are doing to persuade themselves to take action → “Social Proof”
Ex. Everyone in the department has clicked on the link, Then I should also
Fake Testimonials → People are more willing to like something that other people like
Scarcity → People are encouraged to act when they think there is limited quantity of items
Urgency → Use urgency as a technique to encourage people to act
Familiarity → Attackers attempts to use likability to get victim to complete the request
Companies hire well-liked celebrities
Trust → Attackers attempts to build a trust relationship with victim
Ransomware → Malware that takes control of user’s system & encrypts user’s data using Cryptomalware & demand ransom from companies
Trojans → Looks like something beneficial but actually it’s malicious
Rogueware masquerades as a free antivirus program.
Backdoor → Methods or Tools that provide access that bypasses normal authentication & authorization procedures, allowing attackers access to systems, devices, apps, etc.
Detection → Checking for unexpected open ports & services
Remote access Trojan (RAT) → Malware that allows attackers to control systems from remote locations
Also called as stalkerware → Used in intimate relationships to spy on their partners
Worms → Self replicating malware that travels throughout the network without assistance of host application or user interaction
Potentially Unwanted Programs(PUP) → Programs that users may not want it, but user is consented to download it. Some PUP are legitimate, Some are malicious like RAT
Fileless Virus → Malicious software that runs in the memory
Scripts that are injected into malicious programs
Memory Code Injection, Script based techniques, Windows Registry Manipulation
Spread via methods like spam email & malicious websites & they exploit flaws in browser plugins & web browsers themselves
Command and control → Resources used to control infected computers
Cryptomalware → Malware used to encrypt user’s data
Logic bombs → Script or Code that will execute in response to an event
Rootkit → A group of programs that hides the fact that system has been infected by malicious code
Rootkit hides its running processes to avoid detection to antivirus scans
Rootkit have system level access to systems
Integrity checking & data validation can be useful for rootkit detection
Botnet → Remotely controlled systems or devices that have malware infection
Uses command & control to operate in client-server mode
Beaconing → A call home message is an indicator of compromise known as beaconing.
It indicates that a workstation or server is infected and is trying to communicate with the attacker’s command and control server.
A botnet that uses Internet Relay Chat (IRC) as its command-and-control channel & IRC’s default port is TCP 6667
Investigative authorities use DNS sinkholes to disrupt botnets and malware.
Botnet Models
Command & Control → Client-Server Model
Peer-To-Peer → Connects bots to each other, making it harder to take down a single central server or known IP of bots
Many botnets use Flux DNS → Flux DNS uses many IP addresses that are used to answer queries for one or more fully qualified DNS names
Taking down the domain names is the best way to defeat Flux-DNS
Virus Types
Memory Resident Viruses → Remain in memory while system is running
Non-Memory Resident → Execute, spread & then shut down
Boot Sector Virus → Reside inside boot sector of drive or storage media
Macro Virus → Use macros or code inside tools to spread
Email Virus → Spread via emails via attachments or as part of email itself using flaws within email clients
Spyware → Malware that is designed to obtain information about an individual, organization or a system
Keylogger → Program that captures keystrokes from keyboards, although some keyloggers also capture other input like mouse movement, touchscreen inputs & credit card swipes from attached devices
Rogue Anti-Virus → Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer, and to pay money for a fake malware removal tool (that actually introduces malware to the computer)
Adversarial AI attempts to fool AI models by supplying it with deceptive input
Tainted Data for ML → Use tainted data to cause AI & ML to give inconsistent results
Indicator → Sudden unexpected activity
While training ML model for baselining of network, it is important to ensure that no malicious activity is occurring while baseline data capture to ensure data is not tainted
Security of ML Algos → Prevent unauthorized disclosure of algorithms; Attackers can use this info to attack
Best Practices to secure AIML
Understand the quality & security of source data
Work with the AI & ML developers to ensure that they are working in secure environments & that data sources, systems & tools are maintained in secure manner
Ensure that changes to AI & ML algorithms are reviewed, tested & documented
Encourage reviews to prevent intentional or unintentional bias in algorithms
Pointer/Object Dereference → When object is null, it can cause problems if the program later tries to access the object
Java → NullPointerException error
C / C++ → Memory Leak in runtime
Mitigation → Verify the value is not null before using it
Race Conditions → Two or more applications tries to access a program at a same time, it can cause a conflict that is known as race condition
Attackers exploit time of check to time of use (TOCTOU) → This is called State Attack
Error Handling → Applications should show generic error messages but log detailed error messages in logging system.
Replay Attack → Replay attacks capture data in a session to impersonate one of the parties in the session.
Mitigation → Timestamps and sequence numbers
Buffer Overflow → Writes more data to a buffer than it can hold
ASLR → Address Space Layout Randomization
A security technique used to prevent memory corruption vulnerabilities such as buffer overflow
It randomizes the memory address used by the system & application processes, making it difficult for attackers to predict the location of functions, libraries & system calls
Buffer overflows are most easily detected by conducting a static code analysis
Integer Overflow → Occurs when an application receives a numeric value that is too big for application to handle
Memory Leak → Causes application to consume more & more memory the longer it runs
Indicator → system running slower & slower until it reboots
Mitigation → A static code analyzer can check to see if all memory allocation commands (malloc, alloc , etc.) have a matching deallocation command.
SSL Striping → Changes HTTPS connection to HTTP connection
Driver Manipulation →
Shimming → Provides a solution that makes it appear that older drivers are compatible
Driver shim is additional code to be run instead of original driver → When app attempts to call the older driver, system intercepts the call & redirects it to run the shim code instead
Refactoring → Process of rewriting the code’s internal processing without changing its external behavior
Pass the Hash → Attacker discovers the hash of user’s password & uses it to log in to the system as the user
Evil Twin → Rogue Access Point with same SSID used to capture & exfiltrate data
Rogue Access Point → An access point placed in the network without official authorization
Bluetooth Attacks:
Bluejacking → Practice of sending unsolicited messages to nearby bluetooth devices
Bluesnarfing → Unauthorized access to, or theft of info from a bluetooth device
Bluebugging → Gains access to the phone & install a backdoor
Disassociation → Removes a wireless client from wireless network
RFID Attacks:
Sniffing / Eavesdropping → Attacker can collect RFID data by listening
Replay → Replay captured data
DOS → If attacker knows the RFID frequency, attacker can launch a jamming or interference attack, flooding the frequency with noise
Initialization vector (IV) → IV is the number used by encryption systems & a wireless IV attack attempts to discover the pre-shared key after discovering the IV
Some wireless protocol use IV by combining it with pre-shared key to encrypt data in transit
When an encryption system reuses the IV, IV attack can discover the IV easily
DNS data is frequently logged to help identify compromised systems or systems that have visited known phishing sites.
DNS logs can be used along with IP reputation and known bad hostname lists to identify issues like these.
Domain Hijacking → Attacker changes a domain name registration without permission from owner
DNS Poisoning → Attempts to modify or corrupt DNS data
Mitigation → Use DNSSEC to protect DNS records & DNS poisoning attacks
Domain Reputation → It helps ISP to determine the likelihood that an email being sent by a legitimate organization or is it a malicious email.
Split Horizon DNS → Deploys distinct DNS servers for two or more environments, ensuring that those environments receive DNS information appropriate to the DNS view that their clients should receive.
a term used when two zones for the same domain are created
one zone is used by the internal network
the other by the external network (usually the internet)
DNS Blackholing → A method used to prevent access to malicious domains by redirecting malicious queries for those domains to a non-routable IP address, effectively blackholing the traffic
Suppose an organization wants to block access to a known malicious domain malicious.example.com. They can configure their DNS server to return 127.0.0.1 for any query to malicious.example.com.
SYN Flood Attacks → Attacker never completes the TCP Handshake
It is a resource exhaustion attack
Half-Open connection consumes server’s resources & it can crash the server
Once the limit is reached, server won’t accept new connections, blocking the legitimate users
Mitigation → Linux use iptables to set threshold for SYN packets → Although it protects the system from crashing, it also denies the service to legitimate users
Advanced Persistent Threat(APT) → A group of organized threat actors that engage in targeted attacks against organizations.
Typically sponsored by nation-states or governments
APT members are State Actors
Shadow IT → Any unauthorized systems or applications installed on a network without authorization or approval.
Insider Threat → Behavioral assessments are very useful when you are attempting to identify insider threats.
An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Closed/Proprietary intelligence → Trade secrets as an intellectual property
Proprietary intelligence → This refers to the information that is owned, controlled & often generates by organization for its own use.
Owned & controlled by the organization
Closed intelligence → Refers to the information that is not freely accessible to public
Owned by external entities → Accessed through subscriptions / permissions
OSINT → Types:
Vulnerability databases → National Vulnerability Database (NVD), Common Vulnerability Exposures (CVEs) maintained by MITRE corp.
Automated indicator sharing (AIS):
Trusted Automated eXchange of Indicator Information → TAXII → Open standard that defines a set of services & message exchanges used to share information.
It provides a standard way for organizations to exchange cyber threat information but it does not specify what information organizations should exchange.
TAXII is designed to support STIX data exchange
Structured Threat Information eXpression (STIX) → Open Standard that identifies what cyber threat information organizations should share.
It provides a common language for addressing wide range of cyber threat information.
STIX data is shared via TAXII
STIX is based on XML language
Threat Maps → Visual Representation of active threats
Vendor management → Vendor management systems include limiting system integration & understanding when vendor support stops
Vendor Diversity → Provides cybersecurity resilience → Using more than one vendor for the same supply reduces the organizations’s risk if the vendor no longer provide the product or service
Outsourced code development → Some organizations hire developers or outsource code development
Legacy platforms → Primary risk is that the vendor doesn’t support them
It is a process of actively looking for threats within a network before an automated tool detects & reports on the threat
Threat Feeds → Provides subscribers with up-to-date information about current threats
Advisories and bulletins → Regularly release information on threats & vulnerabilities
Adversary Tactics, Techniques & Procedures → Refers to attackers’ methods when exploiting a target
Intelligence fusion → Combines all the data to create a picture of likely threats & risks for an organization
Maneuver → A threat hunting concept that involves thinking like a malicious actor to help recognize indicators of compromise that might otherwise be hidden
Credentialed Scan → Allows the scan to check security issues at much deeper level
Credentialed scans only require read-only access to target servers.
Configuration review → A Configuration Compliance Scanner performs a configuration review of systems to verify that they are configured properly → Configuration Validation
It is done with Credentialed Scan
Vulnerability Scanner is passive, non-intrusive & has little impact on the system during test
Penetration tests are active & intrusive, can potentially compromise a system.
Penetration testing is more invasive that a vulnerability scan
Controls that can affect vulnerability scan results:
Firewall Settings
Network Segmentation
IDS & IPS
Network Vulnerability Scanners:
Nessus → Well-known widely used network vulnerability scanner
Qualys → Commercial network vulnerability scanner that offers management console to run scans
Static Testing → Analyzes code without executing it
Dynamic Testing → Executes code as part of a test, providing it with a input
Interactive Testing → Combines static & dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces
It provides a centralized solution for collecting, analyzing & managing data from multiple sources.
It combines services of security event management (SEM) & security information management (SIM) solutions
SEM → Provides real-time monitoring, analysis & notification of security events, such as suspected security events
SIM → Provides long term storage of data, along with methods of analyzing the data looking for trends or creating reports needed to verify compliance with laws & regulations
SIEM systems use scripts to automate the monitoring & reporting
Capabilities:
Log Collectors → SIEM collects log data from different devices throughout the network & stores these loges in searchable database
Data Inputs → Firewalls, routers, network intrusion detection
Log Aggregation → SIEM system collects data from multiple systems, SIEM systems can aggregate the data & store it so that it is easy to analyze & search
Correlation Engine → Used to collect & analyze event log data from various systems within the network.
It aggregates the data looking for common attributes
It uses advanced analytics tools to detect patterns of potential security events & raise alerts.
Reports → SIEM systems include built-in reports
Packet Capture → SIEM includes protocol analyzer capabilities to capture network traffic
User Behavior Analysis → UBA focuses what users are doing, monitor critical files looking for who accessed them & what they did & how frequently they access it.
Typically looks for abnormal patterns of activity that may indicate malicious intent
Sentiment Analysis → Use UBA technologies to observe user behaviors to detect unwanted behaviors
Relies on AI to analyze large datasets
Security Monitoring → Provides predefined alerts which can provides continuous monitoring of systems & provide notification of suspicious events
If it detect a new port on server, it will send email to admin
Automated Triggers → Trigger can cause an action in response to a predefined number of repeated events
A SIEM includes the ability to modify predefined triggers & create new ones
Time Synchronization → All servers sending data to the SIEM should be synchronized with the same time.
Event Deduplication → Process of removing duplicate entities
Logs / WORM → SIEM includes methods to prevent anyone from modifying log entries
Elements of SIEM Dashboard:
Sensors → Collects logs from devices & send it to SIEM system
Alerts → Sends out an alert when trigger fires
Sensitivity → Setting sensitivity levels to limit false positives while avoiding false negatives
Correlation → SIEM correlates & analyzes the data
Trends → By analyzing the data, SIEM can identify trends
Integrates with various security tools and automate responses to threats
Used to respond to low-level security events automatically
SOAR tools respond automatically which frees up administrators to focus on their administrative & cybersecurity tasks.
SOAR tool can open attachments within a sandbox & observe the activity
SOAR can perform steps to automatically verify the threat is real or not, implement the appropriate steps to mitigate it.
SOAR platform use playbook & runbooks
Playbook → Provides checklist of things to check for suspected incidents
It is a set of rules that determine what actions will be performed when an event occurs
Runbook → Implements the playbook checklist using available tools within an organization
Functions:
Security Orchestration → SOAR platforms integrate with various security tools, systems, and applications, such as SIEM, firewalls, endpoint protection, and threat intelligence feeds.
Automation → Automates repetitive security tasks to improve efficiency and reduce manual workload.
Incident Response → Facilitates and manages the response to security incidents, including the coordination of actions across different teams and tools.
Case Management → Provides a centralized system for tracking and managing security incidents, including documentation and workflow management.
Threat Intelligence Management → Aggregates and analyzes threat intelligence data to provide context for incidents and improve detection capabilities.
Reporting & Analysis → Generates reports and dashboards to provide insights into security operations and incident trends.
SOAR Vs SIEM
SOAR → Automation of incident response, workflow management, playbooks
Orchestrating and automating security operations and incident response
Uses data from SIEMs and other security tools to automate responses
War Driving → Attackers use war driving to discover wireless networks they can exploit
Admins use war driving as a part of wireless audit: A wireless audit is a detective control & examines the signal footprint, antenna placement & encryption of wireless traffic.
Ex. Detect rogue access points & evil twins by war driving
Done by walking or driving around
War Flying → People fly around in private planes / Drone
Same function as War Driving
Footprinting → Wireless footprinting creates a detailed diagram of APs, hotspots & dead spots within an organization.