007. SECURITY EVASION TECHNIQUES
In this article, we look at how attackers obtain Stealth as well as the tricks used to negatively impact detection and forensic technologies. An example of this concept is a robber kicking in a door verses picking a lock when breaking into a house. Both methods will accomplish the same goal of gaining access to the property. The difference is that kicking in a door will be louder and leave a mess behind that will quickly attract attention, whereas picking a lock is slower but leaves little evidence and is much quieter, which is why it is the more common choice for a robbery.
Another example would be the robber picking the lock and setting off the alarm system every few days before actually attempting to enter the property. The idea is that the people monitoring the system will assume the attempt following multiple false alarms is another false alarm, thus giving the attacker access without concern for the alarm attracting attention to his or her actions. This ignoring the alarm behavior can be seen in some neighborhoods with car alarms that continually go off on their own.
ENCRYPTION AND TUNNELING
A very simple definition of encryption is “to hide or encode something so the content is protected from unwanted parties.” The content could be network traffic, such as a virtual private network (VPN) between two systems encrypting traffic to prevent eavesdropping on a conversation.
Encryption could also mean rendering a file unreadable unless the user is able to decrypt the file. Although encryption might sound like something very positive, attackers can use it to hide data when leaving a victim’s network after successfully breaching it or to mask an attack from a security defense tool. For example, encrypting an attack would hide it from many signature-based detection technologies such as an Intrusion Prevention System (IPS).
Starting with protecting data in transit, the use of virtual private networks (VPNs) is a common method for providing security for network traffic. A VPN can exist between two or more locations; this is known as a site-to-site VPN. Its purpose is to connect two or more locations in a secure manner over an unsecure medium.
An example is an organization having two locations in different countries. A site-to-site VPN could be set up so that someone at location A could plug in his or her laptop and access resources at location B without any network changes. This means that communication between sites A and B travels over an encrypted tunnel. Any unwanted parties who attempt to capture and view the traffic would be unable to decipher it because they don’t have the ability to decrypt the traffic.
Secure Shell (SSH) encrypts traffic between a client and an SSH server. SSH was developed as a secure alternative to Telnet, because Telnet is vulnerable to man-in-the-middle attacks due to its lack of encryption. The most common use of SSH is protecting traffic between an administrator remotely accessing and administrating network device command-line terminals.
Attackers can use SSH to hide traffic, such as creating a reverse SSH tunnel from a breached system back to an external SSH server, hiding sensitive data as the traffic leaves the network.
Another encryption concept is hiding the actual data. There are many techniques for doing this, such as enterprise file encryption technologies that encrypt files and control access to opening them.
Many attackers abuse encryption concepts such as file and protocol encryption to hide malicious code. An example would be an attack happening from a web server over SSL encryption to hide the attack from network intrusion detection technologies. This works because a network intrusion detection tool uses signatures to identify a threat, which is useless if the traffic being evaluated is encrypted.
Resource exhaustion is a type of denial-of-service attack; however, it can also be used to evade detection by security defenses. A simple definition of resource exhaustion is “consuming the resources necessary to perform an action.” For example, a service can be a website, such as www.example.com.
The server hosting this website can only provide services to a certain number of systems using digital communication, meaning the server will fail if too many systems access a specific resource at the same time.
One denial-of-service attack tool that can exhaust the available resources of the server hosting such a website is called Slowloris, which can be found at http://chers.org/slowloris. This tool holds connections by sending partial HTTP requests to the website. The tool continues sending several hundred subsequent headers at regular intervals to keep sockets from closing, thus overwhelming the target’s resources. This causes the website to be caught up with existing requests, thus delaying responses to legitimate traffic.
When it comes to bypassing access-control security, resource exhaustion attacks can consume all processes to force a system to fail open, meaning to permit access to unauthorized systems and networks. This attack can be effective against access-control technologies that administrators typically configure to fail open if a service failure is detected.
Network technologies expect traffic to move in a certain way. This is known as the TCP/IP suite. Understanding how this works can help you identify when something is operating in an unusual manner.
Fragmenting traffic is a method of avoiding detection by breaking up a single Internet Protocol (IP) datagram into multiple, smaller-size packets. The goal is to abuse the fragmentation protocol within IP by creating a situation where the attacker’s intended traffic is ignored or let through as trusted traffic. The good news is that most modern intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are aware of this attack and can prevent it. Best practice is to verify that your version of IDS/IPS has traffic fragmentation detection capabilities.
A protocol is a set of rules or data structures that governs how computers or other network devices exchange information over a network. Protocols can be manipulated to confuse security devices from properly evaluating traffic since many devices and applications expect network communication to follow the industry-defined rules when a protocol is used.
The key is understanding how the protocol should work and attempting to see if the developer of the receiving system defined defenses such as limitations on what is accepted, a method to validate what is received, and so on. The second key piece is identifying what happens when a receiving system encounters something it doesn’t understand (meaning seeing the outcome of a failure).
A security device misinterpreting the end-to-end meaning of network protocols could cause traffic to be ignored, dropped, or delayed, all of which could be used to an attacker’s advantage.
Like with IP fragmentation attacks, the good news is that many security solutions are aware of this form of attack and have methods to validate and handle protocol manipulation. Best practice is to verify with your security solution providers whether their products are aware of protocol-level misinterpretation attacks.
Although cyber-attacks can vary in nature, one common step in the attack process, according to the “kill chain” concept first introduced by Lockheed Martin, is the idea of establishing a foothold in the target network and attempting to pivot to a more trusted area of the network.
Establishing a foothold means breaching the network through exploiting a vulnerability and creating access points into the compromised network. The challenge for the attacker is the level of access granted with the exploit. For example, breaching a guest system on a network would typically mean gaining access to a guest network that is granted very limited access to network resources.
An attacker would want to pivot from the guest network to another network with more access rights, such as the employee network. In regards to the kill chain, a pivot would be an action taken to start the sequence over once the attacker reached the “action” point.
As illustrated in the figure below, the attacker would first perform reconnaissance on other systems on the same network as the compromised system, weaponize an attack, and eventually move through the attack kill chain with the goal of gaining command and control abilities on other systems with greater network access rights.
006. TYPES OF ATTACKS AND VULNERABILITIES
The sophistication of cyber security attacks is increasing every day. In addition, there are numerous types of cyber security attacks and vulnerabilities. This article covers the most common.
TYPES OF ATTACKS
As you probably already know, most attackers do not want to be discovered, so they use a variety of techniques to remain in the shadows when attempting to compromise a network. The following sections list the most common types of attacks carried out by threat actors.
1. Reconnaissance Attacks
2. Social Engineering
3. Privilege Escalation Attacks
5. Code Execution
6. Man-in-the Middle Attacks
7. Denial-of-Service Attacks
8. Attack Methods for Data Exfiltration
9. ARP Cache Poisoning
10. Spoofing Attacks
11. Route Manipulation Attacks
12. Password Attacks
13. Wireless Attacks
TYPES OF VULNERABILITIES
Understanding the weaknesses and vulnerabilities in a system or network is a huge step toward correcting these vulnerabilities or putting in appropriate countermeasures to mitigate threats against them. Potential network vulnerabilities abound, with many resulting from one or more of the following:
1. Policy flaws
2. Design errors
3. Protocol weaknesses
5. Software vulnerabilities
6. Human factors
7. Malicious software
8. Hardware vulnerabilities
9. Physical access to network resources
Cisco and others have created databases that categorize threats in the public domain. The Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known security vulnerabilities and exposures.
A quick search using your favorite search engine will lead you to the website. Also, the National Vulnerability Database (NVD) is a repository of standards-based vulnerability information; you can do a quick search for it, too. (URLs change over time, so it is better to advise you to just do a quick search and click any links that interest you.)
The following are examples of the most common types of vulnerabilities:
1. API abuse
2. Authentication and authorization bypass vulnerabilities
3. Buffer overflow
4. Cross-site scripting (XSS) vulnerability
5. Cross-site request forgery (CSRF) vulnerability
6. Cryptographic vulnerability
7. Deserialization of untrusted data vulnerability
8. Double free
9. Insufficient entropy
10. SQL injection vulnerability
005. SECURITY MONITORING OPERATIONAL CHALLENGES
There are several security monitoring operational challenges, including encryption, network address translation (NAT), time synchronization, Tor, and peer-to peer communications. This article covers these operational challenges in brief.
SECURITY MONITORING AND ENCRYPTION
Encryption has great benefits for security and privacy, but the world of incident response and forensics can present several challenges. Even law enforcement agencies have been fascinated with the dual-use nature of encryption.
When protecting information and communications, encryption has numerous benefits for everyone from governments and militaries to corporations and individuals. On the other hand, those same mechanisms can be used by threat actors as a method of evasion and obfuscation.
Historically, even governments have tried to regulate the use and exportation of encryption technologies. A good example is the Wassenaar Arrangement, which is a multinational agreement with the goal of regulating the export of technologies like encryption. Other examples include events around law enforcement agencies such as the U.S. Federal Bureau of Investigation (FBI) trying to force vendors to leave certain investigative techniques in their software and devices. Another example is the alleged U. S. National Security Agency (NSA) backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) that allows cleartext extraction of any algorithm seeded by this pseudorandom number generator.
SECURITY MONITORING AND NETWORK ADDRESS TRANSLATION
Layer 3 devices, such as routers and firewalls, can perform network address translation (NAT). The router or firewall “translates” the “internal” host’s private (or real) IP addresses to a publicly routable (or mapped) address. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range.
This enables a network professional to use any IP address space as the internal network. A best practice is to use the address spaces that are reserved for private use (see RFC 1918, “Address Allocation for Private Internets”).
Static NAT allows connections to be initiated bidirectionally, meaning both to the host and from the host.
NAT can present a challenge when performing security monitoring and analyzing logs, NetFlow, and other data, because device IP addresses can be seen in the logs as the “translated” IP address versus the “real” IP address. In the case of port address translation (PAT), this could become even more problematic because many different hosts can be translated to a single address, making the correlation almost impossible to achieve.
Security products, such as the Cisco Lancope Stealthwatch system, provide features that can be used to correlate and “map” translated IP addresses with NetFlow. This feature in the Cisco Lancope Stealthwatch system is called NAT stitching. This accelerates incident response tasks and eases continuous security monitoring operations.
DNS TUNNELING AND OTHER EXFILTRATION METHODS
Threat actors have been using many different nontraditional techniques to steal data from corporate networks without being detected. For example, they have been sending stolen credit card data, intellectual property, and confidential documents over DNS using tunneling. As you probably know, DNS is a protocol that enables systems to resolve domain names (for example, cisco.com) into IP addresses (for example, 220.127.116.11).
DNS is not intended for a command channel or even tunneling. However, attackers have developed software that enables tunneling over DNS. These threat actors like to use protocols that traditionally are not designed for data transfer, because they are less inspected in terms of security monitoring. Undetected DNS tunneling (otherwise known as DNS exfiltration) represents a significant risk to any organization.
In many cases, malware can use Base64 encoding to put sensitive data (such as credit card numbers, PII, and so on) in the payload of DNS packets to cyber criminals. The following are some examples of encoding methods that could be used by attackers:
1. Base64 encoding
2. Binary (8-bit) encoding
3. NetBIOS encoding
4. Hex encoding
SECURITY MONITORING AND TOR
Many people use tools such as Tor for privacy. Tor is a free tool that enables its users to surf the Web anonymously. Tor works by “routing” IP traffic through a free, worldwide network consisting of thousands of Tor relays. Then it constantly changes the way it routes traffic in order to obscure a user’s location from anyone monitoring the network.
The use of Tor also makes security monitoring and incident response more difficult, because it’s hard to attribute and trace back the traffic to the user. Different types of malware are known to use Tor to cover their tracks. This “onion routing” is accomplished by encrypting the application layer of a communication protocol stack that’s “nested” just like the layers of an onion.
The Tor client encrypts the data multiple times and sends it through a “network or circuit” that includes randomly selected Tor relays. Each of the relays decrypts “a layer of the onion” to reveal only the next relay so that the remaining encrypted data can be routed on to it.
004. ENDPOINT SECURITY TECHNOLOGIES
ANTIMALWARE AND ANTIVIRUS SOFTWARE
Computer viruses and malware have been in existence for a long time. On the other hand, the level of sophistication has increased over the years. There are numerous antivirus and antimalware solutions on the market designed to detect, analyze, and protect against both known and emerging endpoint threats. Before diving into these technologies, let us look at some of the viruses and malicious software (malware) and some of the taxonomy around the different types of malicious software.
The following are the most common types of malicious software:
1. Computer virus
3. Mailer and mass-mailer worm
4. Logic bomb
5. Trojan horse
10. Key logger
There are numerous types of commercial and free antivirus software, including the following:
2. AVG Internet Security
3. Bitdefender Antivirus Free
4. ZoneAlarm PRO Antivirus + Firewall and ZoneAlarm Internet Security Suite
5. F-Secure Anti-Virus
6. Kaspersky Anti-Virus
7. McAfee AntiVirus
8. Panda Antivirus
9. Sophos Antivirus
10. Norton AntiVirus
12. Immunet AntiVirus
HOST-BASED FIREWALLS AND HOST-BASED INTRUSION PREVENTION
Host-based firewalls are often referred to as “personal firewalls.” Personal firewalls and host intrusion prevention systems (HIPSs) are software applications that you can install on end-user machines or servers to protect them from external security threats and intrusions.
The term personal firewall typically applies to basic software that can control Layer 3 and Layer 4 access to client machines. HIPS provides several features that offer more robust security than a traditional personal firewall, such as host intrusion prevention and protection against spyware, viruses, worms, Trojans, and other types of malware.
Today, more sophisticated software is available on the market that makes basic personal firewalls and HIPS obsolete. For example, Cisco Advanced Malware Protection (AMP) for Endpoints provides more granular visibility and controls to stop advanced threats missed by other security layers. Cisco AMP for Endpoints takes advantage of telemetry from big data, continuous analysis, and advanced analytics provided by Cisco threat intelligence in order to detect, analyze, and stop advanced malware across endpoints.
APPLICATION-LEVEL WHITELISTING AND BLACKLISTING
Three different concepts are defined in this section:
Whitelist: A list of separate things (such as hosts, applications, email addresses, and services) that are authorized to be installed or active on a system in accordance with a predetermined baseline.
Blacklist: A list of different entities that have been determined to be malicious.
Graylist: A list of different objects that have not yet been established as not harmful or malicious. Once additional information is obtained, graylist items can be moved onto a whitelist or a blacklist.
Application whitelisting can be used to stop threats on managed hosts where users are not able to install or run applications without authorization. For example, let’s imagine that you manage a kiosk in an airport where users are limited to running a web-based application. You may want to whitelist that application and prohibit running any additional applications in the system.
One of the most challenging parts of application whitelisting is the continuous management of what is and is not on the whitelist. It is extremely difficult to keep the list of what is and is not allowed on a system where there are hundreds of thousands of files with a legitimate need to be present and running on the system; however, several modern application whitelisting solutions are available that can help with this management nightmare.
Several of these modern application whitelisting systems are quite adept at tracking what is happening on a system when approved changes are made and managing the whitelist accordingly. These solutions do this by performing system application profiling.
003. SECURITY OPERATIONS MANAGEMENT
Identity and access management (IAM) has a very broad definition and in general includes all policies, processes, and technologies used to manage the identity, authentication, and authorization of an organization’s resources. Several disciplines and technologies are usually covered under the umbrella of IAM: access controls, password management, the IAM lifecycle, directory management, and single sign-on (SSO), among others.
PHASES OF THE IDENTITY AND ACCESS LIFECYCLE
One of the properties of a secure identity is the secure issuance of that identity. Additionally, access privileges should be associated with an identity, and the identity’s validity and permissions should be constantly reviewed. At times, an identity and permissions should be revoked, and a process should be established to do this in a secure way.
These processes are called identity proof and registration, account provisioning, access review, and access revocation. All of this goes under the umbrella of identity and account lifecycle management.
The following figure shows the four phases of the identity and access lifecycle, which are described in the list that follows:
Registration and identity validation: A user provides information and registers for a digital identity. The issuer will verify the information and securely issue a unique and non-descriptive identity.
Privileges provisioning: The resource owner authorizes the access rights to a specific account, and privileges are associated with it.
Access review: Access rights are constantly reviewed to avoid privilege creep.
Access revocation: Access to a given resource may be revoked due, for example, to account termination.
A password is a combination of characters and numbers that should be kept secret, and it is the most common implementation of the authentication-by-knowledge concept. Password authentication is usually considered one of the weakest authentication methods, yet it’s one of the most used due to its implementation simplicity.
The weakness of password authentication is mainly due to the human factor rather than technological issues. Here’s a list of some typical issues that lead to increased risk when using passwords as the sole authentication method:
1. Users tend to use the same password across all systems and accounts.
2. Users tend to write down passwords (for example, on a sticky note).
3. Users tend to use simple passwords (for example, their child’s name or 12345).
4. Users tend to use the default system password given at system installation.
Password management includes all processes, policies, and technologies that help an organization and its users to improve the security of their password-authentication systems. Password management includes policies and technologies around password creation, password storage, and password reset.
We will not go into much of what security operations management (SOM) entails but we are going to list in summary what is included in the SOM as shown below:
1. Directory Management
2. Single Sign-On (SSO)
3. Federated SSO
4. Security Events and Logs Management
5. Assets Management
6. Enterprise Mobility Management
7. Configuration and Change Management
8. Vulnerability Management
9. Patch Management