
Cybersecurity Overview

Network Security
- Obtain a global perspective of network and information security measures
- Understand malware threats and trends
- Examine in detail different types of malware and their propagation
- Examine the motivation behind cyber attacks
- Survey the techniques to counter security threats
Vulnerability: A weakness that allows a threat to inflict loss on an asset.
Software vulnerabilities are weaknesses in software that allow attackers access, or to escalate privileges.

Exploit: A software payload that takes advantage of a vulnerability.
Network Layers
Human: Social engineering; Phishing
Application: PDF obfuscation; injection attacks; Email spoofing
Presentation: PDF encryption
Session: SSL Man-in-the-Middle attacks
Transport: SYN-Fragment attack; SYN flooding; DDoS
Network: Route injection; IP address spoofing
Data Link: WEP and WPA attacks; ARP poisoning; Man-in-the-Middle
Physical: Jamming attacks
MALWARE SIGNATURES

- New signatures increasing at an exponential rate
- Malware is becoming more and more polymorphic
- Difficult for current signature and behavior based detection systems to keep pace

TARGETS & TECHNIQUES

- Consumer and business banking accounts
- Web-based malware used to attack targets
- Use of multistage Trojan droppers
- Packaged malware products
- Phishing kits
- Botnet deployment kits
TECHNIQUES

- Disposable malware: lifespan of malware dropping, average lifespan just 2 hours
- PDF files used in 49% of all attacks
- Domain-joined computers exposed to greater threat from worms
- Trojans much more common on non-domain-joined computers
- Transitive trust from social networking sites
BOTNETS

- A network of hosts capable of acting upon a set of instructions
- Often millions of hosts
- Zombie is the software used to control an Internet host
- Bot C&C used to manage zombies; often contains an authentication key or password
- IRC C&C utilizes chat to make bot communications more stealthy
- HTTP also used for C&C
- C&C server IP addresses hidden through fast-flux DNS
  - Uses short TTL and multiple IP addresses
  - IP addresses are redirects to the real C&C server
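The fast-flux traits listed above (short TTL, many IP addresses for one name) can be turned into a resolver-log heuristic. This is an added example, not part of the original slides; the DNS records are constructed documentation-range data and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed DNS answer records (name, TTL in seconds, A-record IP) as a resolver
# log would record them across repeated lookups. Invented for this example; the
# documentation-range addresses do not belong to any real infrastructure.
RECORDS = [
    ("updates.example-corp.test", 3600, "203.0.113.10"),
    ("updates.example-corp.test", 3600, "203.0.113.10"),
    ("updates.example-corp.test", 3600, "203.0.113.11"),
    ("login.suspicious.test", 120, "198.51.100.7"),
    ("login.suspicious.test", 120, "192.0.2.44"),
    ("login.suspicious.test", 90, "198.51.100.200"),
    ("login.suspicious.test", 60, "203.0.113.77"),
    ("login.suspicious.test", 120, "192.0.2.91"),
    ("login.suspicious.test", 60, "198.51.100.9"),
    ("cdn.bigsite.test", 60, "203.0.113.20"),
    ("cdn.bigsite.test", 60, "203.0.113.21"),
    ("cdn.bigsite.test", 60, "203.0.113.22"),
]


def flux_stats(records, ttl_max=300, min_ips=5, min_prefixes=3):
    """Per-domain fast-flux heuristic (thresholds are assumed defaults).

    A name is flagged only when all three hold: short average TTL, many
    distinct IPs, and those IPs spread over several /24 networks. The last
    condition keeps ordinary CDNs (short TTL, a few IPs in one block) unflagged.
    """
    seen = defaultdict(lambda: {"ttls": [], "ips": set(), "prefixes": set()})
    for name, ttl, ip in records:
        entry = seen[name]
        entry["ttls"].append(ttl)
        entry["ips"].add(ip)
        # /24 as a cheap proxy for "a different network"
        entry["prefixes"].add(ip_network(f"{ip}/24", strict=False))
    report = {}
    for name, entry in seen.items():
        avg_ttl = sum(entry["ttls"]) / len(entry["ttls"])
        report[name] = {
            "avg_ttl": avg_ttl,
            "distinct_ips": len(entry["ips"]),
            "distinct_prefixes": len(entry["prefixes"]),
            "fast_flux": (avg_ttl <= ttl_max
                          and len(entry["ips"]) >= min_ips
                          and len(entry["prefixes"]) >= min_prefixes),
        }
    return report
```

Only login.suspicious.test trips all three conditions; the CDN-like name has a short TTL but stays in one /24, and the corporate name has a long TTL.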
USER MODE

- Hooks user or application space so that when an application makes a call, the Windows rootkit hijacks the system
- Hidden in: drivers & system32; user temp folder
- Rootkit is not visible in Windows Explorer
- Inefficient method

KERNEL MODE

- Hooks or modifies kernel memory space to avoid detection
- User applications do not have read privilege to the kernel, and cannot see malware in the kernel
MASTER BOOT RECORD MODE

- Infects the MBR in the first sector of the disk
- Modifies other sectors
- Runs the malware at boot
- Disables detection software to protect itself
DATABASES

- NIST
- Mitre
- Open Sourced
- Rapid7
PURPOSE

- To evade detection and analysis
- Polymorphism and metamorphism change form
  - Polymorphism uses encryption
  - Metamorphism changes the virus body by rearranging code or inserting unneeded functions
- Mutation common in non-executables
- Packing/compression more common with executables
  - Used by software vendors to protect intellectual property
  - Used by malware developers to hide malware
- Entry Point Obfuscation changes a location in the host code
  - Relies on hooking/inserting to call malware
POLYMORPHISM

- The decryptor exposes the malware to detection
- Decryptors are now mutated as well

OBFUSCATION

- Four step process
  - Obfuscation step
  - Modeling step
  - Mutation step
- Techniques such as permutation of subroutines, insertion of jump instructions, substitution of instructions, etc.

Analysis
- Standard decryption
- Heuristics: examines behavior
- Emulation: runs malware in a virtualized sandbox
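The two claims above, that a constant decryptor stub is what a byte signature catches and that mutating the stub defeats it until the analyst decrypts first, can be shown on a toy file format. This is an added example, not from the original slides; the stub bytes, body text and one-byte XOR scheme are all constructed for the demonstration.

```python
# Constructed toy: a fixed "decryptor stub" followed by a one-byte key and the
# body XOR-encoded with that key. Stub bytes and body text are invented for
# this demonstration and are not derived from any real sample.
STUB = bytes.fromhex("deadbeef0102030405")       # constructed decryptor stub
BODY = b"PAYLOAD_MARKER: constructed body text"  # constructed plaintext body
BODY_SIGNATURE = b"PAYLOAD_MARKER"               # keyed on only after decryption


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample(key: int, stub: bytes = STUB) -> bytes:
    """stub || key || XOR(body, key): the shape of a simple polymorphic file."""
    return stub + bytes([key]) + xor(BODY, key)


# Three variants: two share the stub verbatim (only the key, and hence the body
# bytes, differ); the third has junk bytes inserted into the stub, i.e. the
# "mutated decryptor" case.
SAMPLES = {
    "gen1_key41": build_sample(0x41),
    "gen1_key7f": build_sample(0x7F),
    "gen2_mutated": build_sample(0x41, stub=b"\x90" + STUB[:4] + b"\x90" + STUB[4:]),
}


def stub_signature_scan(sample: bytes) -> bool:
    """Static byte signature on the decryptor: works while the stub is constant."""
    return STUB in sample


def decrypt_then_scan(sample: bytes) -> bool:
    """'Standard decryption' analysis: recover the body first, then look for the
    body signature. The key space here is one byte, so all 256 keys are tried
    over the whole file; a mutated stub no longer matters."""
    return any(BODY_SIGNATURE in xor(sample, k) for k in range(256))
```

The stub signature matches both first-generation variants and misses the mutated one; decrypting before scanning catches all three.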
MOTIVATION

- Primarily financial
  - Credit cards
  - Bank accounts
  - Email addresses & accounts
  - Identities
- Malicious code developers are selling code and tools
- Like many businesses, developers are not necessarily the users

TACTICS

- Multistage
  - Initial attack gets a foothold; may use a Trojan
  - Subsequent payloads tailored to the compromised host
The asset is protected by multiple controls meeting various design criteria.

Asset
- Robustness: Intrusion Detection
- Isolation: Firewall
- Redundancy: Multiple Links
- Segregation: Separate Control & Corporate Networks

Layered security ensures assets are protected by multiple controls. Attackers must compromise multiple controls to attack an asset.

Robust layered security would include deterrent, preventive, detective and corrective technical, administrative and physical controls.

Control categories: Deterrent, Preventive, Detective (each with Technical, Administrative and Physical controls)
Example controls: Access Control; Kerberos; Locked Facilities; Log Analysis; Segregation; Isolation; Redundancy; Robustness; Redundancy: Links, Power Supplies; Recoverability
