
Cybersecurity Overview

Kevin Barton, MS, CISSP


Associate Professor
kbarton@tamusa.tamus.edu
CISA 4325
Network Security
Obtain a global perspective of network and information security measures
Understand malware threats and trends
Examine in detail different types of malware and their propagation
Examine the motivation behind cyber attacks
Survey the techniques used to counter security threats
Vulnerability: a weakness that allows a threat to inflict loss on an asset
Software vulnerabilities are weaknesses in software
Software vulnerabilities allow attackers to gain access or to escalate privileges
Exploit: a software payload that takes advantage of a vulnerability
Network Layers
Human: Social engineering; phishing
Application: PDF obfuscation; injection attacks; email spoofing
Presentation: PDF encryption
Session: SSL man-in-the-middle attacks
Transport: SYN-fragment attack; SYN flooding; DDoS
Network: Route injection; IP address spoofing
Data Link: WEP and WPA attacks; ARP poisoning; man-in-the-middle
Physical: Jamming attacks
MALWARE SIGNATURES
New signatures are increasing at an exponential rate
Malware is becoming more and more polymorphic
Difficult for current signature-based and behavior-based detection systems to keep pace
TARGETS & TECHNIQUES
Consumer and business banking accounts
Web-based malware used to attack targets
Use of multistage Trojan droppers
Packaged malware products
Phishing kits
Botnet deployment kits
TECHNIQUES
Disposable malware: the lifespan of malware is dropping; the average lifespan is just 2 hours
PDF files used in 49% of all attacks
Transitive trust from social networking sites
Domain-joined computers are exposed to a greater threat from worms
Trojans are much more common on non-domain-joined computers
BOTNETS
A network of hosts capable of acting upon a set of instructions
Often millions of hosts
Zombie is the software used to control an Internet host
Bot C&C (command and control) is used to manage zombies
Often contains an authentication key or password
IRC C&C utilizes chat to make bot communications more stealthy
HTTP is also used for C&C
C&C server IP addresses are hidden through fast-flux DNS
Uses short TTLs and multiple IP addresses
The IP addresses are redirects to the real C&C server
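The fast-flux indicators just listed (short TTLs, many answer IPs, addresses scattered across unrelated networks) are what a passive-DNS detector scores. The following is an added example written for this page, not code from the slides; the observation records, the thresholds and the /24 bucketing are constructed assumptions, and the addresses are RFC 5737 documentation ranges.

```python
"""Fast-flux DNS heuristic over passive-DNS style observations (constructed sample)."""
from collections import defaultdict

# Constructed sample (seconds since start, queried name, answer IP, TTL); not real traffic.
OBSERVATIONS = [
    (0,    "cdn.example.net",  "198.51.100.7",  3600),
    (900,  "cdn.example.net",  "198.51.100.7",  3600),
    (1800, "cdn.example.net",  "198.51.100.8",  3600),
    (0,    "flux.example.org", "203.0.113.5",    120),
    (120,  "flux.example.org", "198.51.100.77",  120),
    (240,  "flux.example.org", "192.0.2.33",     120),
    (360,  "flux.example.org", "203.0.113.200",  120),
    (480,  "flux.example.org", "192.0.2.140",    120),
    (600,  "flux.example.org", "198.51.100.9",   120),
]

def summarize(observations):
    """Per name: distinct answer IPs, distinct /24 prefixes and the lowest TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for _ts, name, ip, ttl in observations:
        s = stats[name]
        s["ips"].add(ip)
        s["prefixes"].add(ip.rsplit(".", 1)[0])  # crude /24 bucket, enough for a heuristic
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def flux_score(s, max_ttl=300, min_ips=5, min_prefixes=2):
    """Count fast-flux indicators (0..3). Any single one is weak (CDNs rotate answers too);
    a short TTL plus many IPs scattered across unrelated networks is the classic pattern."""
    reasons = []
    if s["min_ttl"] is not None and s["min_ttl"] <= max_ttl:
        reasons.append("short ttl")
    if len(s["ips"]) >= min_ips:
        reasons.append("many ips")
    if len(s["prefixes"]) >= min_prefixes:
        reasons.append("scattered networks")
    return len(reasons), reasons

def classify(observations, threshold=2):
    """Map each observed name to (score, reasons, flagged)."""
    result = {}
    for name, s in summarize(observations).items():
        score, reasons = flux_score(s)
        result[name] = (score, reasons, score >= threshold)
    return result

if __name__ == "__main__":
    for name, (score, reasons, flagged) in classify(OBSERVATIONS).items():
        print(f"{name:18} score={score} flagged={flagged} {reasons}")
```

With these thresholds the constructed flux.example.org scores 3 and is flagged, while the CDN-like name scores 0; on real data the thresholds need tuning against known legitimate rotating services.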
USER MODE
Hooks user or application space so that when an application makes a call, the Windows rootkit hijacks the system
Rootkit is not visible in Windows Explorer
Inefficient method
KERNEL MODE
Hooks or modifies kernel memory space to avoid detection
User applications do not have read privilege to the kernel, and cannot see malware in the kernel
Hidden in: drivers & system32; user temp folder
MASTER BOOT RECORD MODE
Infects the MBR in the first sector of the disk
Modifies other sectors
Runs the malware at boot
Disables detection software to protect itself
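Because an MBR infector has to overwrite the boot code in that first sector, an integrity check can parse the 512-byte sector and compare the boot-code hash against a baseline taken from a clean system. The example below is added for this page and is not code from the slides; the MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) is the standard one, while the sample image and its partition values are constructed.

```python
"""Parse a 512-byte MBR image and compare its boot code against a known-good hash."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code an MBR infector overwrites
PTABLE_OFF = 446         # four 16-byte partition entries follow
SIG_OFF = 510            # 0x55 0xAA boot signature ends the sector
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR image (not from a real disk): boot code, one NTFS-type partition, signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 409600)
    return boot + entry + b"\x00" * 48 + b"\x55\xAA"

def parse_mbr(image: bytes) -> dict:
    """Return the boot-code hash, the used partition entries and whether the signature is intact."""
    if len(image) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, image[off:off + 16])
        if ptype != 0:  # partition type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": image[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA"}

def check_against_baseline(image: bytes, baseline_sha256: str) -> list:
    """Findings an integrity check would raise; an empty list means the MBR matches the baseline."""
    info = parse_mbr(image)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

if __name__ == "__main__":
    good = build_mbr(b"baseline-boot-code-placeholder")  # constructed stand-in for real boot code
    baseline = parse_mbr(good)["boot_code_sha256"]
    print("clean image:", check_against_baseline(good, baseline))
    print("modified image:", check_against_baseline(build_mbr(b"overwritten"), baseline))
```

On a live system the baseline hash must be recorded from a trusted source, since a kernel-mode rootkit that filters raw disk reads can hand the checker a clean-looking sector.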
DATABASES
NIST
Mitre
Open sourced
Rapid7
PURPOSE
To evade detection and analysis
Polymorphism and metamorphism change form
Polymorphism uses encryption
Metamorphism changes the virus body by rearranging code or inserting unneeded functions
Mutation common in non-executables
Packing/compression more common with executables
Used by software vendors to protect intellectual property
Used by malware developers to hide malware
Entry point obfuscation changes a location in the host code
Relies on hooking/inserting to call malware
POLYMORPHISM
The decryptor exposes the malware to detection
Decryptors are now mutated as well
Analysis:
Standard decryption
Heuristics: examines behavior
Emulation: runs malware in a virtualized sandbox
OBFUSCATION
Four-step process:
Obfuscation step
Modeling step
Mutation step
Techniques such as permutation of subroutines, insertion of jump instructions, substitution of instructions, etc.
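Encrypted (polymorphic) and packed bodies defeat byte signatures, which is why analysis falls back on heuristics; one of the simplest is byte entropy, since encrypted or compressed regions look close to random. The example below is added for this page and is not code from the slides: it scans a constructed file image (code-like text around a pseudo-random region standing in for a packed section) with a sliding window, and the window size and 6.5 bits/byte threshold are assumptions.

```python
"""Entropy heuristic for packed or encrypted regions in a binary (constructed sample)."""
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant byte, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_windows(data: bytes, window=512, step=512, threshold=6.5):
    """Slide a window over the data; return (offset, entropy) for windows at or above threshold."""
    hits = []
    for off in range(0, len(data) - window + 1, step):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits

def build_sample() -> bytes:
    """Constructed file image (not a real binary): 1 KiB of code-like text, 1 KiB of
    pseudo-random bytes standing in for a packed/encrypted section, then 1 KiB of text."""
    rng = random.Random(1234)  # fixed seed keeps the sample reproducible
    plain = (b"MOV EAX, [EBP+8]\nCALL open_file\nRET\n" * 40)[:1024]
    packed = bytes(rng.getrandbits(8) for _ in range(1024))
    return plain + packed + plain

def scan(data: bytes) -> dict:
    """Whole-file entropy next to the per-window hits: the average hides what the windows show."""
    return {"whole_file": round(shannon_entropy(data), 2),
            "hits": high_entropy_windows(data)}

if __name__ == "__main__":
    report = scan(build_sample())
    print("whole-file entropy:", report["whole_file"])
    for off, e in report["hits"]:
        print(f"high-entropy window at offset {off}: {e} bits/byte")
```

Packers used legitimately by software vendors trip the same heuristic, so a high-entropy hit is a reason to unpack or emulate the sample, not a verdict on its own.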
MOTIVATION
Primarily financial:
Credit cards
Bank accounts
Email addresses & accounts
Identities
Malicious code developers are selling code and tools
Like many businesses, the developers are not necessarily the users
TACTICS
Multistage:
Initial attack gets a foothold; may use a Trojan
Subsequent payloads are tailored to the compromised host
Asset (diagram: the asset sits inside the following controls)
Robustness: Intrusion Detection
Isolation: Firewall
Redundancy: Multiple Links
Segregation: Separate Control & Corporate Networks
The asset is protected by multiple controls meeting various design criteria.
Layered security ensures assets are protected by multiple controls.
Attackers must compromise multiple controls to attack an asset.
Robust layered security would include deterrent, preventive, detective and corrective controls, each implemented as technical, administrative and physical controls.
Control matrix (table from the slide; the cell-to-column layout did not survive extraction): columns Deterrent, Preventive and Detective, each subdivided into Technical, Admin and Physical. Cells shown on the slide: Access Control; Kerberos; Locked Facilities; Log Analysis; Segregation; Isolation; Redundancy; Robustness; Redundancy (Links, Power Supplies); Recoverability.
