Study Guide for NSE 1: The Threat Landscape 2016

February 1, 2016

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions

Contents
Figures ..... iii
Tables ..... iv
Threat Landscape ..... 1
  Evolution of Adversaries ..... 1
  Hacker Tools ..... 5
    Old…but not Dead ..... 6
  Threat Timeline ..... 7
  Anatomy of a Hacking Attack ..... 9
    Advanced Threats ..... 10
    The Advanced Threat Lifecycle ..... 11
    The Advanced Attack Kill Chain ..... 13
Introduction to Modern Network Security ..... 15
  Infrastructure Evolution ..... 17
  Size Matters ..... 19
    Advanced Threats ..... 20
  Advanced Threat Protection (ATP) ..... 20
    Breaking the Advanced Threat Kill Chain ..... 21
  Advanced Threats and Network Security: Continuing Evolution ..... 25
Key Acronyms ..... 26
Glossary ..... 28

Figures
Figure 1. Ranking adversaries to network security. ..... 3
Figure 2. Chronology of major network attacks October 2013 to June 2014. ..... 7
Figure 3. Anatomy of an attack: The Hacker's point of view. ..... 9
Figure 4. The Advanced Threat lifecycle. ..... 11
Figure 5. Kill chain of an advanced attack. ..... 13
Figure 6. The Network Security “Battle of the minds.” ..... 15
Figure 7. From closed networks to Global Information Grid. ..... 18
Figure 8. The scope of modern global network users. ..... 19
Figure 9. UTM versus traditional ad hoc model. ..... 19
Figure 10. Miniaturization of computers and network access appliances. ..... 20
Figure 11. Advanced Threat Protection (ATP). ..... 21
Figure 12. Breaking the advanced threat kill chain - Part 1. ..... 22
Figure 13. Breaking the advanced threat kill chain - Part 2. ..... 23
Tables
Table 1. Major network attacks October 2013 to June 2014. ..... 8
Table 2. Recent attacks on major sites. ..... 9
Threat Landscape
One may view the threat landscape much the same as law enforcement views threats, using three primary characteristics—motive, means, and opportunity. In terms of technology threats, these terms are translated into motivation (motive), knowledge (means), and access (opportunity). Motivation may be as simple as a student trying to get into protected information or as malicious as a competitor trying to delay or disable a company’s ability to reach the market. Knowledge of networks—and hacking—is widespread, with books and guides available globally through the Internet and often at little or no cost. As for access, this is the area where the effectiveness of your network security will pay off—identifying potential threats, analyzing them, and either determining their validity or cataloging and rejecting them as a threat.

Contemporary and future threat landscapes are dynamic and often include unforeseen technological advances. Devices and applications are under development and appear on the market more rapidly—and with those new technologies come new threats. Not only companies and organizations, but also individual users of less expensive technology such as smartphones, tablets, and laptop computers, who are novices where information security is concerned, must deal with optimizing their devices and applications while blocking potential threats.

With the explosion of social media as the primary source of connectivity for so many people internationally, addressing the hidden threats from social media sites is a continuing challenge…and more cross-platform sharing and integration will continue to make device and network security an evolving challenge at all levels.

Evolution of Adversaries
Computer hacking was once the realm of curious teenagers. It's now the arena of government spies,
professional thieves and soldiers of fortune…but don’t count out the curious teenagers just yet; more
and more young people are enamored with the prospect—and thrill—of hacking and seeing how far
they can get.

The whole concept of "hacking" sprouted from the Massachusetts Institute of Technology nearly 50
years ago. Computer science students there borrowed the term from a group of model train enthusiasts
who “hacked electric trains and switches” in 1969 to improve performance. These new hackers were
already figuring out how to alter computer software and hardware to speed it up, even as the scientists
at AT&T Bell Labs were developing UNIX, one of the world's first major operating systems.

The Golden Age of Hacking was the 1980’s, as people bought personal computers for their homes and
hooked them up to the telephone network. The Web wasn't yet alive, but computers could still talk to
one another through venues like hosted chat rooms and FTP. In fact, the 1980’s was still the age of MS-
DOS and command line interface (CLI) programming and online interaction. These curious kids tapped
into whatever computer system they could find just to explore. Some broke into computer networks at
companies. And digital “hangouts” started, such as Chat City and other hosted group online
communication sites.

As hacking progressed into the 1990’s, the purposes for hacking ranged across a number of motives. Some hacked for money. Others did it for revenge. However, hacking was still more of an annoyance than anything devastating, though it was quickly becoming apparent that the potential was there for damage, including industrial espionage, hardware damage, file damage, and so forth. The stock market, hospitals, credit card transactions, and corporate or personal file storage—everything was running on computers now.

As the 21st Century turned the clocks, loosely affiliated amateurs were replaced by well-paid, trained
professionals. By the mid-2000’s, hacking had become a widespread tactic for organized crime,
governments, and hacktivists.

Crime. Hackers around the world wrote malicious software (malware) to hijack tens of
thousands of computers, using their processing power to generate spam. They wrote
banking Trojans to steal website login credentials. Hacking payment systems turned out
to be insanely lucrative, too. Albert Gonzalez’s theft of $94M credit cards from TJX in
2007 proved to be a precursor to later retailer data breaches, like Target, Home Depot
and others.

Government. When the United States wanted to sabotage the Iranian nuclear program
in 2009, it hacked a development facility and unleashed the most dangerous computer
virus to date--Stuxnet caused the Iranian lab computers to spin centrifuges out of
control. Russia used cyberattacks to shut down media during the 2008 war in Georgia.
And now, it is suspected that both China and Russia have hacked into US Government
systems, stealing PII on millions of government personnel and their families.

Hacktivists. The populist group Anonymous hacks into police departments to expose officer brutality and floods banks with garbage Internet traffic, and a group calling itself “Vigilante” takes down Islamic jihadist websites.

Figure 1 depicts how various adversaries pose a threat to network security.


What exists now is a tricky world. When the White House got hacked, was it the Russian government,
nationalists acting on their own, or freelance agents paid by the government? Meanwhile, with the
explosion of technology-focused classes at all levels of education and training, it is easier than ever to
become a hacker. Because of the tools that are available—and ongoing development of new threat
methods--attribution is very difficult when an attack occurs.

Figure 1. Ranking adversaries to network security.

As one examines Figure 1, it is important to understand that there is no distinct barrier separating these
methods. In fact, it is easily conceivable that one type of adversary could—purposely or inadvertently—
enable another to access a network or system.

The early days of personal computer availability to consumers and the advent of the Internet and World Wide Web are behind us. These events were followed by parallel development of more powerful hardware appliances and more complex applications for those machines. Unfortunately, with those developments also came a thriving developmental path for malware and other methods by which to breach system and network security to obtain data from, or deny use of, targeted platforms.

From a starting point of small, direct attacks on computers, hackers have evolved along with computers,
networks, and security. Modern hackers are skilled cybercriminals, motivated by such issues as financial
gain, criminal organization sponsorship, radical political groups, or even sovereign states. Modern—and
future—hackers have far more resources than their counterparts of a quarter century ago, greater
technical knowledge and concentration, and greater funding and organization. There are a number of
different types of hackers that have developed since the 1980’s.

Adversaries attempt to gain access to many different types of data for many different reasons, ranging
from personal information to covert access to machines or networks to attacks that harvest—or prevent
the receipt of—information. In some cases, the motive is simple—extortion. Among the reasons for
hacking into systems are:

IP. Gaining the IP address of a target, so that traffic into/out of the address can be
monitored, stopped, or otherwise affected.

Financial Information. This runs a broad scope from hacking banks for the fourth
decimal place amount of interest money on all the institution’s accounts, to
ransomware that makes the target pay a fee to get the “antidote” code for the malware,
to small purchases with credit card information stolen from consumers.

PII – Identity Theft. This includes everything from credit information to identification
documentation to Social Security numbers, birthdates, and other data that may be used
to create an identity without the target being aware until it is too late and the damage
has been done.

Shutting Down Competition. Tactics like DDoS attacks have been used to block business competitors from broadcasting product/service information. Other attacks may infect manufacturing systems, payrolls, and other functions, resulting in a company having to shut down operations until the problem(s) is/are resolved. This may also include industrial sabotage, whereby data is gained that gives a company an advantage over competitors or alters their product so it is unmarketable.

Wikileaks. The media coverage of Julian Assange and the Wikileaks organization has
spurred on activists to follow in his footsteps and work to expose things with which they
disagree, either publicly shaming the company into changing procedures/products or
using the information as collateral for a ransom.

Profit. This is the prime motivator behind criminal enterprises, and it is no different
when they apply their trade to network attacks.

Sabotage. At a major company, organization, or government level, sabotage is the means to an end—usually the shutdown of a program (as with the 2009 use of Stuxnet to shut down Iran’s nuclear program for a time), catastrophic loss of systems and/or data, or stealing of industrial information.

As you review the illustration of escalating threat levels (Figure 1), you will notice that a key factor
defining threat level is the level of resources (training, equipment, funding) available to the adversary.
As hacking elevated from individuals to large, well-organized, and well-resourced entities, additional
benefits became available to hackers that provide enhanced capability over individual efforts.

Because organizational hacking provides the benefit of collaboration and increased funding, it provides a
breeding ground for hackers and development of new cyber-threats. Some of the benefits of
organizational hacking include:
• Education, training, tech support
• Storefront for hacking tools and zero-day exploits/vulnerability information
• Sophisticated organization
• Backed by governments
• Supported by currencies like bitcoin
• Obscured through anonymous networks like TOR

Hacker Tools
Hackers rely on two primary categories of tools to facilitate their activities:

• Social engineering – Techniques
• Malware – Tools

Social engineering is the use of content that convinces or encourages people to do something to accomplish the hacker’s mission—usually something damaging. The tactics vary as methods and tools vary among different hackers with different objectives. Social engineering relies on non-technical methods of intrusion that often trick people into breaking normal security procedures. Because it leverages the human factor, social engineering is one of the greatest threats to organizations, given the difficulty of controlling individual actions among members or employees.

Numerous techniques are available to the hacker. In fact, this is by necessity, as social engineering
targets human factors, which vary across a wide range of technical, social, and responsibility levels.
Therefore, social engineering encompasses numerous techniques that provide options to influence
many different human perspectives, and may include the following methods:

Spoofing is a technique where one person or program masquerades successfully as another. This is usually accomplished by falsifying data to make the hacker appear as the other entity.

Phishing is not unlike going fishing. The hacker attempts to acquire sensitive user information (such as usernames, passwords, or account data, or even to directly steal money) for malicious reasons by masquerading as a trustworthy entity in electronic communications. This is particularly widespread in e-mail, but may also be used through false web pages.

Spearphishing is an e-mail spoofing fraud that targets specific organizations in order to gain unauthorized access to confidential, proprietary, or personal data. This is generally a technique not used by individuals; rather, spearphishing is often used by perpetrators out for financial gain, trade secrets, or military information.

Watering-hole Attacks target specific groups—organizations, companies, industry, region—to indirectly infect the group’s network machines. The attacker analyzes which Internet sites people from the group are likely to visit, infects the site(s) with malware, and then waits for an individual from the group to access it. Once the individual is infected, that person spreads it within the organization, widening access for the hacker.

Phone calls and impersonation are still viable in the technology age. PhoneBots—also
known as auto-dialers—present a predetermined message when the recipient answers
the phone. These messages typically request the recipient to call a number for a specific
purpose. The number may be attempting a scam as simple as having the recipient call a
number that is a pay-per-minute program—without the recipient being aware—which
later shows up as a charge on their phone bill.

Malvertising is the use of online ads to spread malware. These ads do not require
specific action by the user—such as clicking on the ad; rather, they take advantage of
macros and advertisement windows that vary ads based on use preferences to spread
malware. Malvertising can run across legitimate sites without directly compromising the
site(s).

Social Media links are literally a playground for hackers and thieves, because many
people using social media platforms believe that web-based or SaaS platforms are
impervious to hackers. Often the hacker will use an intriguing picture, video, or
hyperlink to entice victims to interact, resulting in effects such as stealing browser
windows, embedding malware to steal data, or even tricking the user into a purchase.

Malware is a category of malicious code that includes viruses, worms, and Trojans—it is a primary tool for hackers when using social engineering techniques to gain access to systems or networks. The effects of malware are not unlike how a human body becomes infected and how the immune system reacts:

• Known viruses. These are cataloged in anti-virus programs and defenses have been developed to counter the threat—sometimes referred to as inoculating the machine or network against the virus.
• Unknown viruses. These are viruses that are not yet cataloged or do not yet have a countermeasure developed to inoculate machines or networks. These unknowns may include exploits developed and for sale to hackers, adaptive viruses, wrappers, and polymorphic code.
• Combination. Because an attack is restricted neither to a single piece of malware nor to a single attacking device or vector, hackers may use multiple viruses that include both known and unknown varieties.

Old…but not Dead

A misconception about threats is that old threats no longer work because standard defenses against them have been built into newer software releases. Unfortunately, even with the increase in automated network updates and functions, not all threats are mitigated—in many cases, it requires action (and often investment of resources and money) by the user to enable threat defense. Common problems that allow old threats to remain effective include:

Unpatched systems. The cost of continually running patches—when adding manpower, network down time, and software costs—often leads to programs not receiving patches to correct identified deficiencies and vulnerabilities. This is especially true with individual consumers, whose vulnerable machines may pass malware on to company/organization networks. There are still users with Microsoft Office 2003 on their machines, for example, which no longer has support.

Old OS versions. In most cases—for both company, organization, and consumer use—
this comes down to a single factor…cost. For example, Windows 10 was released on July
29, 2015, yet users are still using Windows XP or Windows NT, having not upgraded to
Windows 7 or 8.1. Even when support was halted for these old versions—making them
more likely to be vulnerable in the future—both consumers and organizations continued
risking their use.

AV/AM signatures not up to date. Viruses/Malware are developed at breakneck rapidity on a continual basis. It literally does not take a computer scientist to develop malicious code—children 9 years old have demonstrated superior capability (can you imagine them at 25?). It is essential to have a program that provides regular updates to definitions and countermeasures, across individual, company, and organizational scopes.

SMB, small agencies, partnerships lack security spending but still have network access.
Unfortunately, many times the cost of saving a few pennies early on results in the loss of
dollars later, especially if a major breach occurs.

Threat Timeline
From the last quarter of 2013 through the first quarter of 2014, major network attacks affected large
companies and billions of consumers. These attacks not only affected business systems, but also had the
ability to infect personal systems and mobile devices, such as the Heartbleed and Find My iPhone
attacks. Figure 2 chronicles those threats and the targets affected by them.

Figure 2. Chronology of major network attacks October 2013 to June 2014.

In the period between October 2013 and June 2014, numerous major network attacks affected large
companies and billions of consumers. Over a year later, the impact of those attacks still resonates in
both company losses and loss of consumer trust. The timeline illustrated in Figure 2 presents some of
the more noteworthy attacks during that nine-month period, as described in Table 1.

Table 1. Major network attacks October 2013 to June 2014.

| EVENT | DESCRIPTION |
|---|---|
| Adobe Hack | An estimated 2.9 million customer IDs, passwords, and possibly names & credit information. |
| Quarian Backdoor | Spearphishing attacks exploited a vulnerability in MS Office to retrieve .doc data. |
| MS Office Zero-Day Attack | 11 occurred in 2013 and 5 in the first half of 2014. |
| Android/Hackdrive | Mobile malware used in a sabotage campaign against a political movement in the Middle East that took over all audio functions of smartphones when downloaded. |
| OSX/Crisis | Attacked Mac systems, using an expensive root kit to collect personal data, incl. keystrokes. |
| Google Play Hack (Japanese & Koreans) | JavaScript app stole phone number directories from mobile devices. |
| Android/Balloon Popper | Android Balloon Pop 2 Game hack stole WhatsApp conversations from users. |
| Android/GaLeaker | Collected Google (Gmail) IDs, but not associated passwords. |
| Turkish Hack | Russian hackers stole 54 million Turkish citizens’ ID numbers, addresses, fathers’ names. |
| Reveton Variants | Ransomware using random extensions to hide DLLs in batch files like rundll32.exe. Locked machines and would not release unless user paid “ransom” fee to unlock. |
| Adobe Flash in Exploit Kit | Replacing earlier versions of the Blackhole exploit after arrest of the writer, this malware used popup technology to disrupt Adobe software use. |
| Target Corp Hack | Hackers stole credit and debit card information for over 40 million customers. |
| GnuTLS (Linux) Fail & Apple SSL/TLS Bug | “goto fail” programming errors left encrypted data open to hackers. |
| Heartbleed | Affected OpenSSL sites—mostly social media—threatening to expose user data. |
| Find My iPhone | Ransomware that locked iPhones using the “Find My iPhone” app and demanded payment to unlock the phone. The next month Android phone users were also hit. |
| eBay | In May 2014, eBay hackers gained access to names, email and home addresses, phone numbers, dates of birth, and encrypted passwords for around 145 million users. |
| Basecamp DDoS Ransom Hack | Ransomware Distributed Denial of Service (DDoS) attack against the Basecamp project management web app. |

More recent attacks affected numerous well-known and high-utilization sites (Table 2).

Table 2. Recent attacks on major sites.

| SITE | DESCRIPTION |
|---|---|
| Twitter | Detected unauthorized access to 250,000 accounts. |
| Zendesk | Lost thousands of email addresses to a hacker who accessed support information of 3 major clients. |
| New York Times | Was attacked by 45 pieces of custom malware; 53 employees’ systems compromised. |
| Schnuck’s Markets | Blames ongoing cyber-attack for a breach, which impacted 2.4 million payment cards. |
| Evernote | Resets passwords for 50 million users after detecting suspicious activity on its network. |
| LivingSocial | Notifies 50 million users that attackers had infiltrated and gained access to systems. |
| Washington State Court System | Indicates up to 160,000 social security numbers exposed by hack. |

Other victims included: Michael’s, Home Depot, AOL, Avast, Holiday Inn, Neiman Marcus, P. F. Chang’s,
and J.P. Morgan Chase.

Anatomy of a Hacking Attack

In some ways, the effective hacking attack is similar to painting a house—it takes more preparation than execution time. In order for an attack to be successful—especially an advanced persistent threat (APT)—a number of steps are essential, as indicated in Figure 3.

Figure 3. Anatomy of an attack: The Hacker's point of view.

Choosing a Target: The attacker first determines whom they wish to infiltrate and what
they wish to steal. Is the attacker after confidential financial data? Source code?
Technical drawings? All of these help determine a specific target.

Target Research: Once a target has been selected, the attacker will do extensive
background research on his target. By combing through search engines, employee social
network activity, public email and phone directories and other sources of easily
obtained data, the attacker can build a profile as well as a detailed list of other potential
human targets inside an organization.

Penetration: After a target has been acquired, the attacker typically creates a
customized phishing email in the hope that their target will open an attachment that
contains an exploit that allows the attacker to plant remote access malware on the
target’s computer.

Elevation of Privileges: Once the attacker has gained a foothold inside a target’s
network, an attempt is made to exploit vulnerabilities on other internal computers to
gain further access on the network. Once access has been gained, the attacker can then
move deeper into the target’s network.

Internal Network Movement: If the attacker was successful in gaining further access
inside the network, they can then expand their control to other machines on the
network and compromise other computers and servers, allowing them to access data
throughout the network.

Data Theft: Once network access has been achieved, data can be easily stolen.
Passwords, files, databases, email accounts and other potentially valuable data can all
be sent back to the attacker.

Maintenance and Administration: Even after the requisite data has been stolen, an
attacker may decide to remain present on the target’s network. This requires vigilance
on the attacker’s part in order to evade detection and maintain surveillance on the
target’s data assets to ensure further data can be stolen.
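The stages above are what a defender looks for in host telemetry. The following is an added example (not from the study guide) that maps constructed log events to those stages and flags a host once several stages are seen; the event field names, thresholds and sample records are assumptions made for the illustration:

```python
"""Stage-based correlation of host events against the attack anatomy above.
Added example with constructed telemetry; field names and thresholds are assumed."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Stages from the "Anatomy of a Hacking Attack" list that leave host-side traces.
STAGES = [
    "Penetration",
    "Elevation of Privileges",
    "Internal Network Movement",
    "Data Theft",
    "Maintenance and Administration",
]

# Event record: (timestamp, host, event_type, detail). Layout is assumed.
Event = Tuple[str, str, str, str]

# Constructed sample telemetry. WS-17 shows the whole chain; WS-02 shows a
# user who also opened an attachment but did nothing else suspicious.
SAMPLE_EVENTS: List[Event] = [
    ("2016-02-01T08:02:11", "WS-02", "attachment_opened", "invoice.pdf"),
    ("2016-02-01T08:05:40", "WS-02", "outbound_bytes", "120000"),
    ("2016-02-01T09:14:03", "WS-17", "attachment_opened", "quarterly.doc"),
    ("2016-02-01T09:14:05", "WS-17", "child_process", "WINWORD.EXE -> powershell.exe"),
    ("2016-02-01T09:20:19", "WS-17", "privilege_change", "user -> SYSTEM"),
    ("2016-02-01T09:31:44", "WS-17", "remote_logon", "to FS-01"),
    ("2016-02-01T09:32:02", "WS-17", "remote_logon", "to FS-02"),
    ("2016-02-01T09:33:15", "WS-17", "remote_logon", "to DB-01"),
    ("2016-02-01T10:02:58", "WS-17", "outbound_bytes", "734000000"),
    ("2016-02-01T10:10:00", "WS-17", "scheduled_task_created", "updater"),
]

OUTBOUND_THRESHOLD = 100_000_000   # bytes in one transfer; assumed site value
REMOTE_LOGON_THRESHOLD = 3         # distinct internal hosts reached; assumed


def classify(event: Event) -> Optional[str]:
    """Map a single event to a stage, or None when it is not a signal on its own."""
    _, _, kind, detail = event
    if kind == "child_process" and "powershell" in detail.lower():
        # An Office document spawning a shell is the foothold the text describes.
        return "Penetration"
    if kind == "privilege_change" and detail.endswith("SYSTEM"):
        return "Elevation of Privileges"
    if kind == "outbound_bytes" and int(detail) >= OUTBOUND_THRESHOLD:
        return "Data Theft"
    if kind == "scheduled_task_created":
        return "Maintenance and Administration"
    # Opening an attachment or one remote logon is ordinary activity by itself.
    return None


def correlate(events: List[Event]) -> Dict[str, List[str]]:
    """Return, per host, the stages observed, ordered as in STAGES."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    remote_targets: Dict[str, Set[str]] = defaultdict(set)
    for ev in sorted(events):            # ISO timestamps sort chronologically
        _, host, kind, detail = ev
        stage = classify(ev)
        if stage:
            seen[host].add(stage)
        if kind == "remote_logon":
            # Movement is only a signal once several distinct hosts are reached.
            remote_targets[host].add(detail)
            if len(remote_targets[host]) >= REMOTE_LOGON_THRESHOLD:
                seen[host].add("Internal Network Movement")
    return {h: [s for s in STAGES if s in stages] for h, stages in seen.items()}


def hosts_to_investigate(events: List[Event], min_stages: int = 3) -> List[str]:
    """Hosts on which at least min_stages of the attack anatomy were observed."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
    print("investigate:", hosts_to_investigate(SAMPLE_EVENTS))
```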

Advanced Threats

Advanced threats include modern and emerging threats, many of which engage more complex methods than the simpler and focused attacks of the past. Advanced Persistent Threat (APT) technology has evolved at a Moore’s Law clip since magician Nevil Maskelyne hacked a public demonstration of apparently secure wireless telegraphy technology in 1903, sending insulting Morse code messages through an auditorium’s projector. Since the dawn of the computer age, people have used advanced software to target specific companies or individuals in an attack designed to either damage or steal data. What makes today’s APTs unique and frightening are the sophistication of the malware, the vectors they’re choosing for attack and the perseverance with which they’re going after their targets.

What exactly does an Advanced Persistent Threat (APT) mean? As indicated in its name, three components comprise APTs:

• Advanced. Using organized methods, advanced malware, buying new tools constantly developed.
• Persistent. Patient. Using more social engineering combined with malware and codes. Can be very hard to detect, with expectation of higher payout.
• Threats. Designed to attack deliberate choices of target. Credit Card info is cheap on the open market. Now it’s about business disruption, massive identity theft, IP theft, spying.

The Advanced Threat Lifecycle

As the sophistication of computer network attacks developed, strategies evolved from direct attacks to
employment of strategic, patient, more complex approaches to computer network intrusion and
exploitation. Along with this threat evolution came background and remote threats to computers and
networks from seemingly innocuous sources, such as malware embedded in legitimate Internet links or
files. With these threats, the lifecycle runs from reconnaissance of potential targets and manufacturing
of the method or malware to an endpoint of receiving the desired data or effect and exploiting the
results.

Cybercriminals are creating customized attacks to evade traditional defenses, and once inside, to avoid detection and enable egress of valuable data. Once inside the network there are few systems in place to detect, or better still protect against, APTs. It can be seen from the threat life cycle illustration that once the perimeter border is penetrated, the majority of the activity takes place inside the boundary of the network. Activities include disabling any agent-based security, updates from the botnet command and control system, additional infection/recruitment and extraction of the targeted assets.

Figure 4. The Advanced Threat lifecycle.

An attacker has a substantial arsenal of tools at the ready in order to launch and maintain their attack.

Malware. Some hackers use specially crafted malware to exploit a victim’s computer,
while others use “off the shelf” malware tools that are easily obtainable online and on
many underground hacking forums.

Social Engineering. A key component in any attack is the ability to make a human target
believe an attack is coming from a trusted source. Using previously obtained research,
an attacker may craft very specific spear-phishing emails with seemingly innocuous
attachments that the target will likely open. Links to Web pages with malicious code
embedded (known as a watering hole attack), spreadsheets and other documents such
as text files and PDF files that take advantage of exploits in order to execute malicious
software are also oftentimes used.

Zero-Day and Other Exploits. As mentioned earlier, a zero-day exploit is a vulnerability
in a software product that allows an attacker to execute unintended code or gain
control of a target computer. These exploits are usually included in spear-phishing and
watering hole attacks. In some cases, exploits are used that have recently been fixed by
vendors but have not yet been patched by the target organization. Both have been
shown to be very successful in attacks.

Insiders and Recruits. Sometimes an attacker will recruit an insider to assist in launching
an attack. In the case of Stuxnet, it is believed an insider sympathetic to the attacker’s
goals was recruited to launch the initial attack by plugging in a specially created USB key
that contained the attack malware. This is often the only way an attacker can reach a
target computer that is not connected to the Internet (what’s known as an air-gapped
network).

Forged and Fake Certificates. An attacker may attempt to forge or fake an SSL
certificate in order to get a victim to visit a page that pretends to be from a safe site. In
2011, the certificate authority Comodo was compromised and fake certificates were
issued for popular sites such as Google, Skype and Yahoo.

From the most basic threats of past years through the development and emergence of APTs, the threats
to computer networks continue to evolve, presenting continued challenges to those charged with the
responsibility of network protection, from the network security administrator down to the individual
desktop user. The following section presents a discussion of fundamental concepts in modern network
security.

The Advanced Attack Kill Chain
So how does an advanced attack work? Here’s a snapshot of a typical kill chain for an advanced attack
and the typical security technologies that are in play in order to block that attack and break the kill
chain.

Figure 5. Kill chain of an advanced attack.

The number one, most popular method for initiating an advanced attack is to send a malicious email to
the target. This email may carry a malicious file attachment or a URL that connects to a malicious web
site. You hope your anti-spam will stop this email from ever reaching the end user target. However, there
are ways to get around anti-spam and other email gateway security techniques. For example, bots may
leverage legitimate (but compromised) IPs from which to send the email, or attackers may use targeted
spear-phishing techniques and social engineering to get through filters and entice an end user to click on a
URL. They may encrypt a malicious attachment to hide it from AV scanning.

If an email with a malicious URL gets through and an end user clicks on that URL link, you hope your web
filtering protection will stop the user from ever connecting to that malicious web site and in many cases
this will work. However, some attackers use a fast flux approach, only using a site for a few days or a few
hours – harvesting what they can before moving on to another URL.

If the end user connects with the malicious web site, that site will launch exploits at the user and you
hope your Intrusion prevention will block the attack. However, exploits can slip through by taking
advantage of zero-day vulnerabilities, new variants, and encryption.

If an exploit gets through, you hope you will catch any malware it tries to deliver with your antivirus.
And many times this will work but sometimes it doesn’t. Malware can use file compression, encryption,
and new malware variants to get through an AV filter.

If that malware gets into the organization, it will try to proliferate and it will look for valuable data to
collect. Eventually it will try to exfiltrate stolen data or simply go out to try to pull more threats into the
organization and here’s where your application control and IP reputation controls may be able to
identify and stop a connection to a command & control center. But if it doesn’t (maybe because the
traffic was encrypted) your organization is breached.


Introduction to Modern Network Security


The evolution of network security has necessarily followed the evolution of threats to the network. From the
early days of simple, direct attacks to modern threats that include complex, indirect, and coordinated
attacks, security development continues to counter new and emerging threats.

Network security is truly a Battle of Minds – the battle between how sophisticated hackers and
malicious code is developed and used versus the ability of IT security professionals to innovate and
implement security measures to mitigate current and emerging threats.

Figure 6. The Network Security “Battle of the minds.”

Included in the Hackers’ toolkit of threats are:

 Bot/Botnet
 Malware
 Vulnerability Exploiting
 Spam/Phishing Message
 Malicious URL
 Malicious Applications
 Malicious Code
 General Known Threats
 Unknown Threats

On the other side of the battle are the tools for network security managers:

 Anti-botnet
 Intrusion Prevention (IPS)
 Antivirus/Antimalware (AV/AM)
 Vulnerability Management
 Anti-spam
 Web Filtering
 IP Reputation
 Application Control
 Web Application Security
 Database Protection
 Advanced Threat Protection (ATP)

Modern network security is comprised of many facets, some of which are in your control, others
which may not be. In an increasingly mobile world, traditional network security measures
focused on desktop platforms and “dumbphones” are no longer relevant to the world of tablets,
phablets, and smartphones. Because of the constantly changing landscape of network
environments, organizations of all sizes and complexities face challenges in keeping pace with
change, developing counters to emerging threats, and controlling network and security policies.
Once the realm of the highly trained and richly resourced, development of malicious code has
become widespread to the degree that school children have been known to compete with each
other in hacking contests. To meet modern and emerging threats, companies and organizations
must adopt dynamic network security programs that keep pace with changing trends and
activities.

People, or the man-machine interface, are the weakest link in any security process. People are
easily lulled into a false sense of security about the effectiveness of passwords and access codes,
identity verification, and policies regarding the use of information technology (IT) systems and
networks. It takes just one careless moment to potentially breach the integrity of protected
information and systems; if network security user policies and protocols are too complicated,
compliance is less likely. Because of this human factor it is important to focus on user-friendly,
threat-unfriendly solutions, ensuring that the network security scheme is clear and simple
for network administrators and users to operate, with the complexity necessary to identify,
deter, or contain threats embedded in state-of-the-art hardware and software solutions
that are nearly transparent to internal network users.

But a note of caution: just as no two organizations are alike, neither will their networks,
hardware, software, or needs be alike. Each organization needs a customized strategic network
security program tailored to balance its needs against its operating environment, perceived
threats, and operating budget. Of course, the best network security program would be an end-
to-end, 24/7 monitored program with regular analytics informing plan effectiveness and
potential enhancements; this would be the holy grail of network security. Systems like Unified
Threat Management (UTM) provide the ability to balance needs, capabilities, and resources to
secure networks while maintaining the ability of the organization to operate. In essence, this
guide will help you learn how to take steps to best mitigate the threats to your network
and optimize network security while balancing those factors.

Infrastructure Evolution
In a world growing ever more complex with network portability being built into an increasing
number of devices of varying capabilities, network security continues to evolve in complexity—
and importance. In the 1980’s a transition from early closed networks to a broader Internet
occurred, with the advent of Ethernet, Bitnet, TCP/IP, SMTP, DNS, and in 1985—the first .com
domain name registration. It was not until six years later, in 1991, that the Worldwide Web
(WWW) came into existence; by 1995, what we know now as the modern Internet became
established as a fixture in how business—and the world—would communicate in the future
(Figure 7).

Figure 7. From closed networks to Global Information Grid

 Star Trek introduced the idea of floppy disks and “flip” cellular phones.
 The Forbin Project introduced the idea of supercomputers running complex algorithms
that controlled government functions and could potentially supplant human decision-
makers. Later ideas included War Games and Terminator.
 1976 the “Osborne 1” was the first portable computer…although not by today’s
standards.
 The first .com domain was registered in 1985, and the Worldwide Web began in 1991.
The Internet as we know it today did not come online until 1995—a mere 20 years ago!
 A Japanese company introduced the first “smartphone” in 1999…although it was a
relatively simple device compared to today’s smartphones.
 Many of us remember the hype around the Y2K bug (would computers go back to 1900
at midnight?). Early programs were written with just the last two digits of the year with
the “19xx” assumed…
 Believe it or not, the first tablet came out in 2002—but not as light and useful as today’s
models.
 The discussion between the labelling and merits of Next Generation Firewall (NGFW)
and Unified Threat Management (UTM) expanded and carried on through 2009, with
Gartner, IDC, and Fortinet in the fray.
 2007 saw the introduction of the first iPhone (wow, seems longer ago than that!)
 Finally, 2013-2014 turned out to be years of breaches by advanced threats targeting
specific entities (which we will discuss more in a few minutes).

No longer was high-tech the sole domain of major companies, organizations, and government
agencies, but the global information network became the domain of everyone from multi-billion
dollar international conglomerates to grade school children (Figure 8). As technologies
developed, the industry response was typically the addition of new stand-alone, single- or dual-
purpose hardware or integrated hardware-software packages designed to address newly
identified threats. This resulted in a constant state of expensive upgrades that added network
complexity, integration of new devices and scrubbing and repurposing or disposing of legacy
hardware, new policy development and new management consoles. This served to increase
workload, retraining, and complexity for network administrators and end users, exacerbating
the balancing problem between security and productivity.


Figure 8. The scope of modern global network users.

Because new products were not always able to integrate fully into existing systems, the
piecemeal approach to network development and security led to potential blind spots that
threats may exploit undetected. In order to solve this growing challenge, a move toward more
strategic solutions to network security was needed: not new stand-alone systems addressing
individual threat vectors, but strategic systems and processes designed to protect networks
comprised of systems-of-systems. From this problem developed the Unified Threat
Management (UTM) concept, which goes beyond a system-of-systems approach to integrate
individual system characteristics into strategic systems (Figure 9).

Figure 9. UTM versus traditional ad hoc model.

Size Matters
As technology evolved, appliance size necessary to house its components decreased. From early
computers that used vacuum tubes and took up entire rooms, to decreasing media size with
increased media capacity, to unplugging from cables and wires to conduct operations with
mobile devices, the size of computers has decreased while capabilities grew. Today,
smartphones and tablets can accomplish many functions previously requiring larger appliances
with ever-evolving functionality. In fact, with modern remote technology, a smartphone user
may remotely access a desktop platform with greater capability to work on large files or access
data instead of carrying the files on portable media.

Along with physical size, the number of separate system and network components has also decreased.
Legacy systems were built much like 1980’s-1990’s stereos: single- or dual-function components
connected together to create an overall system. This resulted in the need for additional space for
additional capabilities, caused signal loss through cables connecting distant components, and required
multiple control heads to adjust to achieve the optimum system performance. Modern,
integrated systems provide efficiencies by taking up less space because of fewer hardware
appliances, less signal loss because multi-function appliances integrate system components, and
a single control head to optimize network-wide performance.

Figure 10. Miniaturization of computers and network access appliances.

Advanced Threats
Experienced hackers or groups of hackers possessing significant resources pose an increased
threat to systems and networks, including developing and implementing techniques not
previously used to compromise, gain control of, or shut down service. Advanced Threat
Protection—also referred to as Advanced Persistent Threat Protection—provides integrated
measures to detect and block advanced threats. These measures include botnet and phishing
antivirus profiling, as well as zero-day threat protection and using sandboxing to analyze,
identify, and block suspicious code and add the suspicious code profile to the ATP signature
database.

Advanced Threat Protection (ATP)


In order to protect against modern and emerging future threats, adaptive defense tools like ATP
are being incorporated into network security infrastructures at an increasing pace. This level of
protection provides increased security across all network sizes from SMB to large enterprises.
Critical capabilities brought to bear by ATP include access control, threat prevention, threat
detection, incident response, and continuous monitoring:

• Access Control. Layer 2/3 firewall, vulnerability management, two-factor
authentication.

• Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email
filtering, antimalware.

• Threat Detection. “Sandboxing,” botnet detection, client reputation, network behavior
analysis.

• Incident Response. Consolidated logs & reports, professional services, user/device
quarantine, threat prevention updates.

• Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.

Figure 11. Advanced Threat Protection (ATP).

Breaking the Advanced Threat Kill Chain


The platform-focused modules of this program provide a more in-depth examination of these
attack mitigation methods; the following are some methods by which network security
administrators can detect, stop, and mitigate attack consequences.


Figure 12. Breaking the advanced threat kill chain - Part 1.

Security Partnerships. Attackers don’t rest on their laurels and neither should an
organization. Having a strong partnership with a security organization can provide up-
to-date information and threat intelligence as well as a clearly defined escalation path
when an incident is detected.

End User Education. Attackers target end users because they find the greatest chance of
success focusing their initial attacks there. Educating end users on proper use of social
media to prevent confidential information from becoming publicly available is one
component. Internal awareness training and regular testing by IT staff can help mitigate
an attack.

Network Segregation. If there is no reason for an employee to have network access to
particular resources that may contain sensitive data, then basic network segregation can
help prevent lateral movement inside the network. By placing resources on segments
that cannot be reached from end users, an organization can potentially prevent an
attacker from moving beyond the initial foothold.

Web Filtering/IP Reputation. By using a solution that provides current IP reputation
data and Web filtering rules, an organization may be able to stop some attacks. By using
an IP reputation service, an organization may be able to stop an attacker that has
launched attacks on other organizations using the same network resources.

Whitelisting. Whitelisting can be used in multiple ways. For example, network
whitelisting can be used to only allow certain internal traffic to reach other network
resources. This can prevent an attacker from moving laterally inside a network. Network
whitelists can also prevent a user from accessing any sites online that are not explicitly
approved. Application whitelisting can be used to allow only a set list of applications
from running on a computer, preventing all other software from running. This can
prevent an attacker from running new programs on the target’s computer.

Blacklisting. While a whitelist is a list of things that are explicitly allowed to execute or
access resources, a blacklist explicitly blocks items on the list from accessing resources,
sites or applications deemed unsafe.

Application Control. Employees are using Web services like Facebook, Twitter and
Skype on a frequent basis today. Application Control allows you to identify and control
applications on your network, regardless of port, protocol or IP address. Tools such
as behavioral analysis, end-user association and application classification can
identify and block potentially malicious applications and malware.

Sandboxing. With targeted attacks often designed (and indeed tested) to bypass
traditional security technologies, additional inspection of code activity has emerged.
Whether cloud-based or on-premise, sandboxes analyze code execution and subsequent
activity within contained virtual environments to expose full, previously unknown,
threat lifecycles.

Data Leak Prevention (DLP). By properly identifying sensitive data and implementing a
DLP solution, an organization can prevent sensitive information from leaving a network.
Data being used at the endpoint, data moving inside a network and data being stored
can all be protected from theft or improper use by implementing a DLP solution.

Figure 13. Breaking the advanced threat kill chain - Part 2.

Intrusion Prevention (IPS) / Intrusion Detection (IDS): By using a product that
provides IPS and IDS, an organization can add another layer of traffic monitoring
to watch for suspicious activity. A good IPS/IDS system will also alert IT staff of
potential threats in progress.

Proactive Patching: A computer is only as secure as the software on it. It is
essential for companies to deploy patches to their systems as quickly as
possible. Attackers and cyber criminals waste no time integrating proof-of-
concept code into their malware and exploit kits – in some cases exploits have
been added to an exploit kit within hours or days of a patch being available. By
delaying deployment of critical patches, an organization risks becoming
vulnerable to attack. For business intelligence or in-house applications that
require almost constant uptime, it’s critical to keep test machines available to
deploy patches to and test mission critical applications without impacting the
main network.

Restricting Administrative Rights: Some companies provide employees with
local administrative rights in order to install drivers or software on an as-
needed basis. This can be a double-edged sword. While it can reduce support
calls and empower employees, it can also lead to easier access for attackers to
install malware and remote access tools (also known as RATs) on a victim’s
computer. By limiting access to administrative rights whenever possible, an
organization may be able to mitigate many attacks.

Network Access Control (NAC): NAC is a solution that can prevent computers on
a network from accessing resources unless certain rules or policies are met. For
example, if a computer hasn’t been patched recently, NAC can place that
computer on a segregated subnet that blocks access to resources until the
machine has been properly patched.

Two-Factor Authentication: There are many forms of two-factor authentication
available for end users. By implementing two-factor authentication for remote
users or users that require access to sensitive information, an organization can
make it difficult for an attacker to take advantage of lost or stolen credentials,
as the attacker would need to provide a second form of identification in order to
gain network access. Commonly used two-factor authentication methods
include the standard username and password plus a hardware- or software-
based authentication token, which provides a one-time, time-sensitive
password that must be entered when the username and password are presented
to the authentication server.
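A time-based one-time password check of the kind described above, as an added example that is not the study guide's or Fortinet's code: it implements the RFC 6238 TOTP algorithm that most software and hardware tokens use, with the RFC's published test secret as constructed input, and shows the server-side verification with a small clock-drift window and replay rejection; the class and function names are this example's own.

```python
"""Time-based one-time password (TOTP) verification, RFC 6238 / RFC 4226.

Added example, not code from the NSE study guide or from Fortinet. It
shows what a token computes and how an authentication server checks the
submitted code: the code is derived from a shared secret and the current
30-second time step, so a stolen code is useless once the window closes,
and an accepted code is recorded so it cannot be replayed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6       # length of the displayed code
WINDOW = 1       # accept +/- one step of clock drift between token and server

# Constructed input: the reference secret from RFC 4226 / RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // TIME_STEP))


class TotpVerifier:
    """Server-side check of the second factor for one user.

    Remembers the newest accepted time step so a code that has already
    been used (or any older one) is never accepted again.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_accepted_step = -1

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        current = int(now // TIME_STEP)
        # Try the current step and a small window around it for clock drift.
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step <= self.last_accepted_step:
                continue                                  # replay or stale step
            expected = hotp(self.secret, step)
            # Constant-time comparison: do not leak how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


def login(password_ok: bool, verifier: TotpVerifier, code: str,
          at_time: Optional[float] = None) -> bool:
    """Both factors must pass: the password check and the one-time code."""
    return password_ok and verifier.verify(code, at_time)


if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)                     # what the token shows at t=59s
    print("token shows  ", code)                    # 287082 (RFC 6238 vector, 6 digits)
    print("first use    ", login(True, v, code, 59))            # True
    print("replayed code", login(True, v, code, 59))            # False
    print("no password  ", login(False, v, totp(RFC_SECRET, 95), 95))  # False
```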

USB Drive Restrictions: Many computers will accept a USB thumb drive
implicitly and execute any auto-run applications located on the drive. A drive
that has malicious code planted on it can be all an attacker needs to gain an
initial foothold in a network. Limiting USB drive access to employees on an as-
needed and justified basis is a good idea; banning them outright is even safer. If
USB drive access is necessary, enabling a proper Group Policy to prevent a drive
from auto-running is essential.

Limiting Access to Cloud-based File Sharing: Services such as Dropbox have
enjoyed wide scale adoption both at home and in the workplace. As with USB
drive access, it is important to limit access to these programs unless absolutely
necessary. Cloud-based file sharing and syncing applications can make it trivial
for an attacker to compromise a home computer and move malware into a
corporate network when a user syncs the files they took home the night before.

Advanced Threats and Network Security: Continuing Evolution


The early days of personal computer availability to consumers and the advent of the Internet
and Worldwide Web are behind us. These events were followed by parallel development of
more powerful hardware appliances and more complex applications for those machines.
Unfortunately, with those developments also came a thriving developmental path for malware
and other methods by which to breach system and network security to obtain data from or deny
use of targeted platforms. This Modern Network Security Program presents current and future
appliances, applications, and concepts to provide the options to keep pace with emerging
capabilities and threats—and maintain the safety and security of your system and network.


Key Acronyms
AAA  Authentication, Authorization, and Accounting
AD  Active Directory
ADC  Application Delivery Controller
ADN  Application Delivery Network
ADOM  Administrative Domain
AM  Antimalware
API  Application Programming Interface
APT  Advanced Persistent Threat
ASIC  Application-Specific Integrated Circuit
ASP  Analog Signal Processing
ATP  Advanced Threat Protection
AV  Antivirus
AV/AM  Antivirus/Antimalware
BYOD  Bring Your Own Device
CPU  Central Processing Unit
DDoS  Distributed Denial of Service
DLP  Data Leak Prevention
DNS  Domain Name System
DoS  Denial of Service
DPI  Deep Packet Inspection
DSL  Digital Subscriber Line
FTP  File Transfer Protocol
FW  Firewall
Gb  Gigabyte
GbE  Gigabit Ethernet
Gbps  Gigabits per second
GSLB  Global Server Load Balancing
GUI  Graphical User Interface
HTML  Hypertext Markup Language
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IaaS  Infrastructure as a Service
ICMP  Internet Control Message Protocol
ICSA  International Computer Security Association
ID  Identification
IDC  International Data Corporation
IDS  Intrusion Detection System
IM  Instant Messaging
IMAP  Internet Message Access Protocol
IMAPS  Internet Message Access Protocol Secure
IoT  Internet of Things
IP  Internet Protocol
IPS  Intrusion Prevention System
IPSec  Internet Protocol Security
IPTV  Internet Protocol Television
IT  Information Technology
J2EE  Java Platform Enterprise Edition
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
LLB  Link Load Balancing
LOIC  Low Orbit Ion Cannon
MSP  Managed Service Provider
MSSP  Managed Security Service Provider
NGFW  Next Generation Firewall
NSS  NSS Labs
OSI  Open Systems Infrastructure
OTS  Off the Shelf
PaaS  Platform as a Service
PC  Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP  PHP Hypertext Protocol
POE  Power over Ethernet
POP3  Post Office Protocol (v3)
POP3S  Post Office Protocol (v3) Secure
QoS  Quality of Service
Radius  Protocol server for UNIX systems
RDP  Remote Desktop Protocol
SaaS  Software as a Service
SDN  Software-Defined Network
SEG  Secure Email Gateway
SFP  Small Form-Factor Pluggable
SFTP  Secure File Transfer Protocol
SIEM  Security Information and Event Management
SLA  Service Level Agreement
SM  Security Management
SMB  Small & Medium Business
SMS  Simple Messaging System
SMTP  Simple Mail Transfer Protocol
SMTPS  Simple Mail Transfer Protocol Secure
SNMP  Simple Network Management Protocol
SPoF  Single Point of Failure
SQL  Structured Query Language
SSL  Secure Socket Layer
SWG  Secure Web Gateway
SYN  Synchronization packet in TCP
Syslog  Standard acronym for Computer Message Logging
TCP  Transmission Control Protocol
TCP/IP  Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS  Transport Layer Security
TLS/SSL  Transport Layer Security/Secure Socket Layer Authentication
UDP  User Datagram Protocol
URL  Uniform Resource Locator
USB  Universal Serial Bus
UTM  Unified Threat Management
VDOM  Virtual Domain
VM  Virtual Machine
VoIP  Voice over Internet Protocol
VPN  Virtual Private Network
WAF  Web Application Firewall
WANOpt  Wide Area Network Optimization
WLAN  Wireless Local Area Network
WAN  Wide Area Network
XSS  Cross-site Scripting

Glossary
Application Control. Protects managed desktops and servers by allowing or denying network application
usage based on policies established by the network administrator. Enterprise applications, databases,
web mail, social networking applications, IM/P2P, and file transfer protocols can all be identified
accurately by sophisticated detection signatures.

APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access to
a network and stays there undetected for a long period of time. The intention of an APT attack is to steal
data rather than to cause damage to the network or organization. APT attacks target organizations in
sectors with high-value information, such as national defense, manufacturing and the financial industry.

ATP. Advanced Threat Protection relies on multiple types of security technologies, products, and
research -- each performing a different role, but still working seamlessly together -- to combat these
attacks from network core through the end user device. The 3-part framework is conceptually simple—
prevent, detect, mitigate; however, it covers a broad set of both advanced and traditional tools for
network, application and endpoint security, threat detection, and mitigation.

AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of
malware attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and
reporting on malicious code. By intercepting and inspecting application-based traffic and content,
antivirus protection ensures that malicious threats hidden within legitimate application content are
identified and removed from data streams before they can cause damage. Using AV/AM protection at
client servers/devices adds an additional layer of security.

Bot. An Internet bot, also known as web robot, WWW robot or simply bot, is a software application that
runs automated tasks over the Internet. Typically, bots perform tasks that are both simple and
structurally repetitive, at a much higher rate than would be possible for a human alone. The largest use
of bots is in web spidering, in which an automated script fetches, analyses and files information from
web servers at many times the speed of a human.

Botnet. A botnet (also known as a zombie army) is a number of Internet computers that, although their
owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to
other computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer
"robot" or "bot" that serves the wishes of some master spam or virus originator. Most computers
compromised in this way are home-based. According to a report from Russian-based Kaspersky Labs,
botnets -- not spam, viruses, or worms -- currently pose the biggest threat to the Internet. A report from
Symantec came to a similar conclusion.

Drive-by. A drive-by download refers to the unintentional download of a virus or malicious software
(malware) onto your computer or mobile device. A drive-by download will usually take advantage of (or
“exploit”) a browser, app, or operating system that is out of date and has a security flaw. This initial
code that is downloaded is often very small (so you probably wouldn’t notice it), since its job is often
simply to contact another computer where it can pull down the rest of the code on to your smartphone,
tablet, or computer. Often, a web page will contain several different types of malicious code, in hopes
that one of them will match a weakness on your computer.

Exploit. A piece of software, a chunk of data, or a sequence of commands that takes advantage of
a vulnerability in order to cause unintended or unanticipated behavior on computer software,
hardware, or appliances incorporating the Internet of Things (IoT). Such behavior frequently includes
gaining control of a computer system, escalating privileges, or causing a denial of service.

IP/PII. This is what cybercriminals are after. From the intellectual property (IP) owned by a corporation
or organization to an individual's PII, this is the commodity most often sought by hackers, who typically
use it for financial gain or blackmail.

Note that the abbreviation IP is overloaded: in the sentence above it means intellectual property, but
elsewhere in this guide it stands for Internet Protocol, as in the IP address commonly used to identify
the origin of an Internet transmission, i.e. your device.

PII stands for Personally Identifiable Information, sometimes referred to as "Personal Information,"
and is often equated in the U.S. with "Privacy Act Information."

NIST Special Publication 800-122 defines PII as "any information about an individual maintained by an
agency, including (1) any information that can be used to distinguish or trace an individual's identity,
such as name, social security number, date and place of birth, mother's maiden name, or biometric
records; and (2) any other information that is linked or linkable to an individual, such as medical,
educational, financial, and employment information." PII has become much more important as IT and the
Internet have made it easier to collect through breaches of Internet and network security and Web
browser vulnerabilities.

Recent court decisions have leaned toward an IP address not being considered PII, judging that an IP
address only identifies a particular platform or device, not an actual individual.
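
The NIST definition is what a data-loss or log-redaction control has to operationalize. The following is an added example (not part of the study guide, and not Fortinet code) that scans constructed sample text for a few category-1 identifiers, validates candidate Social Security numbers against the structural rules the SSA publishes to cut false positives, and reports IP addresses in a separate class so that they can be kept for troubleshooting while the PII is masked, in line with the court decisions noted above. The sample text, the pattern set and the Finding class are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample text (not from the study guide): a support-ticket export that
# mixes several kinds of PII with an IP address.
SAMPLE_TEXT = """\
Ticket 4471: Customer Jane Q. Public (DOB 1984-03-12) called from 198.51.100.23
about an account issue. SSN on file: 219-09-9999. Callback email: jane.public@example.com
Agent note: test SSN 000-12-3456 rejected; 666-01-0001 rejected.
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DOB_RE = re.compile(r"\b(?:DOB|born)\s+(\d{4}-\d{2}-\d{2})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: the area is never 000, 666 or 900-999,
    the group is never 00 and the serial is never 0000. Filtering on these
    removes order numbers and similar nine-digit strings from the hit list."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass(frozen=True)
class Finding:
    kind: str    # "pii" (NIST 800-122 category 1 identifiers) or "device-identifier"
    label: str
    value: str


def find_pii(text: str) -> list:
    """Scan free text and return every PII hit plus IP addresses, which are
    reported separately because they identify a device rather than a person."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(Finding("pii", "ssn", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("pii", "email", m.group(0)))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("pii", "date-of-birth", m.group(1)))
    for m in IPV4_RE.finditer(text):
        findings.append(Finding("device-identifier", "ipv4", m.group(0)))
    return findings


def redact(text: str, findings: list) -> str:
    """Mask only the values classed as PII, leaving device identifiers intact
    so the record stays useful for network troubleshooting."""
    out = text
    for f in findings:
        if f.kind == "pii":
            out = out.replace(f.value, f"[{f.label.upper()} REDACTED]")
    return out


if __name__ == "__main__":
    hits = find_pii(SAMPLE_TEXT)
    for h in hits:
        print(f"{h.kind:18} {h.label:14} {h.value}")
    print(redact(SAMPLE_TEXT, hits))
```

On the sample text the scanner reports one SSN (the two structurally invalid ones are skipped), one email address and one date of birth as PII, and the IP address as a device identifier; the redacted copy masks the first three and keeps the address.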

IPS. Intrusion Prevention System protects networks from threats by blocking attacks that might
otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide
range of features that can be used to monitor and block malicious network activity including: predefined
and custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode, similar to IDS),
packet logging, and IPS sensors. IPS can be installed at the edge of your network or within the network
core to protect critical business applications from both external and internal attacks.
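
To make the signature and protocol-decoder features concrete, here is an added example (not from the study guide or any Fortinet product) of a miniature IPS run over constructed HTTP request lines: a set of predefined signatures plus one custom rule, a decoder that extracts and percent-decodes the request target, and a switch between inline and one-arm (IDS-like) mode. The request samples, signature names and function names are all assumptions. The point to take away is that the same signature set misses an encoded payload when matched against raw bytes and catches it once the protocol decoder has normalised the request.

```python
import re
from urllib.parse import unquote

# Constructed HTTP requests (not from the study guide).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /search?q=1'%20OR%20'1'%3D'1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /cgi-bin/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

# "Predefined" signatures shipped with the sensor, plus one operator-written custom rule.
SIGNATURES = [
    ("SQLi tautology in query string", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I)),
    ("Directory traversal", re.compile(r"(?:\.\./){2,}")),
    ("Sensitive file: /etc/passwd", re.compile(r"/etc/passwd")),
]
CUSTOM_SIGNATURES = [
    ("Custom: any access under /cgi-bin/", re.compile(r"^/cgi-bin/")),
]


def decode_http_request_line(raw):
    """Protocol decoder: isolate the request-target from the request line and
    normalise it (percent-decode up to twice to catch double encoding such as
    %252e, then collapse repeated slashes). Returns None if this is not HTTP."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    target = parts[1]
    for _ in range(2):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"/{2,}", "/", target)


def inspect(raw, decode=True):
    """Names of the signatures that fire on one request. With decode=False the
    patterns run on the raw request line, which is how percent-encoding slips
    past a matcher that has no protocol decoder."""
    subject = decode_http_request_line(raw) if decode else raw.split("\r\n", 1)[0]
    if subject is None:
        return []
    return [name for name, rx in SIGNATURES + CUSTOM_SIGNATURES if rx.search(subject)]


def run_ips(requests, mode="inline"):
    """'inline' drops requests with a signature hit; 'one-arm' (IDS-like, fed
    from a SPAN port) can only log, so every request passes."""
    verdicts = []
    for raw in requests:
        hits = inspect(raw)
        verdicts.append(("drop" if hits and mode == "inline" else "pass", hits))
    return verdicts


if __name__ == "__main__":
    for raw, (action, hits) in zip(SAMPLE_REQUESTS, run_ips(SAMPLE_REQUESTS)):
        print(f"{action:4}  {raw.splitlines()[0]:50}  {hits}")
```

Run inline, the sensor passes the first request and drops the other three; run in one-arm mode it logs the same hits but passes everything, which is why one-arm deployments are for visibility rather than blocking.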

Log Management. The collective processes and policies used to administer and facilitate the generation,
transmission, analysis, storage and ultimate disposal of the large volumes of log data created within an
information system.

Malvertising. This is the use of online advertising to spread malware. Online advertisements provide a
solid platform for spreading malware because significant effort is put into them in order to attract users
and sell or advertise the product. Malvertising can be easily spread across a large number of legitimate
websites without directly compromising those websites. According to Reed Exhibitions, "The interesting
thing about infections delivered through malvertising is that it does not require any user action (like
clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the
server it is hosted from... infections delivered through malvertising silently travel through Web page
advertisements.”

Malware. Malware is a category of malicious code that includes viruses, worms, and Trojan horses.
Destructive malware uses popular communication tools to spread, including worms sent through
email and instant messages, Trojan horses dropped from web sites, and virus-infected files downloaded
over peer-to-peer connections. Malware also seeks to exploit existing vulnerabilities on systems,
making its entry quiet and easy.

Virus. A computer virus is a program or piece of code that is loaded onto your computer without
your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer
viruses are man-made. A simple virus that makes a copy of itself over and over again is relatively
easy to produce, and even such a simple virus is dangerous because it can quickly consume all
available memory and bring the system to a halt. An even more dangerous type of virus is one capable
of transmitting itself across networks and bypassing security systems.

Worm. Computer worms are similar to viruses in that they replicate functional copies of themselves
and can cause the same type of damage. In contrast to viruses, which require the spreading of an
infected host file, worms are standalone software and do not require a host program or human help
to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind
of social engineering to trick users into executing them. A worm enters a computer through a
vulnerability in the system and takes advantage of file-transport or information-transport features
on the system, allowing it to travel unaided.

Trojan. A Trojan [horse] is a program in which malicious or harmful code is contained inside
apparently harmless programming or data in such a way that it can get control and do its chosen
form of damage, such as ruining the file allocation table (FAT) on your hard drive. In one case, a
Trojan was a program that was supposed to find and destroy computer viruses. A Trojan may be
widely redistributed as part of a computer virus.

Network Behavior Anomaly Detection (NBAD). The continuous monitoring of a network for unusual
events or trends. An NBAD program tracks critical network characteristics in real time and generates an
alarm if a strange event or trend is detected that could indicate the presence of a threat. NBAD is an
integral part of network behavior analysis.
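
An added example (not from the study guide) of one characteristic an NBAD tool tracks: the regularity of connections from one host to one destination. The constructed flow records include a host that calls out every 300 seconds with near-constant payload sizes, the pattern of malware beaconing to a command server, and a host whose browsing is irregular; the detector flags a pair when both the interval and the size coefficients of variation fall under a threshold. Thresholds, the record format and the sample flows are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not from the study guide): (timestamp_s, src_ip, dst_ip, bytes_out).
# 10.0.0.7 calls 203.0.113.9 every ~300 s with near-identical sizes (beacon-like);
# 10.0.0.8's traffic to 198.51.100.5 looks like ordinary browsing.
FLOWS = [(1000 + 300 * i + (i % 3) - 1, "10.0.0.7", "203.0.113.9", 512 + 4 * (i % 2))
         for i in range(12)]
FLOWS += [(t, "10.0.0.8", "198.51.100.5", b) for t, b in
          [(1010, 4096), (1025, 120000), (1400, 800), (1405, 15000), (2600, 2300),
           (2610, 9000), (2611, 33000), (3900, 700), (3950, 45000), (3951, 600),
           (5000, 1200), (5001, 70000)]]


def coefficient_of_variation(values):
    """Spread relative to the mean; near 0 means the values are almost constant."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_flows=8, max_interval_cv=0.1, max_size_cv=0.1):
    """Group flows by (src, dst) and flag pairs whose inter-arrival times and
    payload sizes are both unusually regular. The thresholds are assumptions;
    a production NBAD tool would derive them from a learned baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    flagged = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:          # too few samples to call anything periodic
            continue
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [nbytes for _, nbytes in recs]
        icv, scv = coefficient_of_variation(intervals), coefficient_of_variation(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            flagged[pair] = {"flows": len(recs), "period_s": round(mean(intervals)),
                             "interval_cv": round(icv, 3), "size_cv": round(scv, 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(FLOWS).items():
        print(f"ALERT possible beacon {src} -> {dst}: {stats}")
```

Only the 10.0.0.7 to 203.0.113.9 pair is flagged, with a recovered period of about 300 seconds. Raising min_flows above the number of observed flows suppresses the alarm, which is the trade-off every such detector makes between early warning and false positives on short-lived traffic.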

Network Forensics. Capturing, recording, and analyzing network events for the purpose of discovering
the source of security attacks or other problem incidents. "Catch-it-as-you-can" systems capture
all packets passing through a certain traffic point, store the data, and then perform analysis in batch
mode. "Stop, look and listen" systems perform a basic analysis in memory and save only certain data for
subsequent analysis.

NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:

• Intrusion Prevention (IPS)
• Deep Packet Inspection (DPI)
• Network App ID & Control
• Access Enforcement
• Distributed Enterprise Capability
• "Extra Firewall" Intelligence
• Third Party Management Compatibility
• VPN
• Application Awareness

Phishing. Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email
in an attempt to gather personal and financial information from recipients. Typically, the messages
appear to come from well-known and trustworthy Web sites. Web sites that are frequently spoofed by
phishers include PayPal, eBay, MSN, Yahoo, BestBuy, banks, and government agencies. A phishing
expedition, like the fishing expedition it is named for, is a speculative venture: the phisher puts out
the lure hoping to fool at least a few of the prey that encounter the bait.
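
The spoofing described above leaves traces in message headers that a mail gateway can score. The following added example (not from the study guide) applies several cheap heuristics to two constructed messages: a display name naming a brand whose sender domain is not that brand's, a look-alike sender domain after digit-for-letter substitution or punycode, a Reply-To pointing at a third domain, an SPF/DKIM failure recorded in Authentication-Results, and urgency language in the subject. The brand list, sample headers, quarantine threshold and function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, headers only (not from the study guide).
LEGIT = """\
From: PayPal <service@paypal.com>
Reply-To: service@paypal.com
Subject: Your monthly statement
Authentication-Results: mx.example.net; spf=pass; dkim=pass header.d=paypal.com

"""

SUSPECT = """\
From: PayPal Security <security@paypa1-alerts.com>
Reply-To: recover@mail-verify.example.org
Subject: Urgent: verify your account within 24 hours
Authentication-Results: mx.example.net; spf=fail; dkim=none

"""

# Brands commonly spoofed (two from the entry above) and their genuine domains.
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}
URGENCY_WORDS = ("urgent", "verify", "suspended", "within 24 hours", "immediately")
# Digits attackers swap in for look-alike letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_brand_domain(domain: str, brand: str) -> bool:
    real = BRANDS[brand]
    return domain == real or domain.endswith("." + real)


def lookalike_brand(domain: str):
    """Return the brand a domain imitates after homoglyph normalisation,
    'punycode' for an IDN label, or None for a domain that is what it says."""
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            return "punycode"
        norm = label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
        for brand in BRANDS:
            if brand in norm and not is_brand_domain(domain, brand):
                return brand
    return None


def score_message(raw: str):
    """Return (score, reasons). Each heuristic adds one point; a score of 3 or
    more is a reasonable point at which to quarantine for analyst review."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    for brand in BRANDS:                        # brand in display name, sender elsewhere
        if brand in display.lower() and not is_brand_domain(from_dom, brand):
            reasons.append(f"display name '{display}' but sender domain '{from_dom}'")
    hit = lookalike_brand(from_dom)
    if hit:
        reasons.append(f"sender domain '{from_dom}' imitates {hit}")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:     # replies siphoned off to a third domain
        reasons.append(f"Reply-To domain '{reply_dom}' differs from sender")
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(?:spf|dkim)=(?:fail|softfail|permerror)\b", auth, re.I):
        reasons.append("SPF/DKIM failure in Authentication-Results")
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        reasons.append("urgency language in subject")
    return len(reasons), reasons


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        score, why = score_message(raw)
        print(name, score, *why, sep="\n  ")
```

The genuine statement scores 0; the lure trips all five heuristics. None of these checks is conclusive on its own (a marketing mailer legitimately uses a different Reply-To, for instance), which is why they are scored rather than treated as hard blocks.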

Risk Management. The process of identifying, assessing and controlling threats to an organization's
capital and earnings. Such threats include financial uncertainty, legal liabilities, strategic management
errors, accidents, natural disasters and information technology (IT) security threats.

Sandboxing. A sandbox is designed to detect and analyze advanced attacks built to bypass
traditional security defenses. Sandboxing refers to isolating an unknown or potentially malicious file
in a contained environment and letting it execute fully, observing what it does, before the traffic is
allowed onto the network. Because the file runs to completion, the sandbox can identify previously
unknown threats and uncover the full attack lifecycle; if malicious activity is discovered, Advanced
Threat Protection (ATP) can block it.

Security Information and Event Management (SIEM). An approach to security management that seeks
to provide a holistic view of an organization’s information technology (IT) security. Most SIEM systems
deploy multiple collection agents to gather security-related events from end-user devices, servers,
network equipment and specialized security equipment like firewalls, AV/AM or IPS. The collectors
forward events to a centralized management console, which performs inspections and flags anomalies.
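
What the central console does with the collected events is correlation. An added example (not from the study guide) runs two stateful rules over constructed, already-normalised events from an authentication log, a firewall and an IPS: a burst of login failures followed by a success from the same source, and an IPS signature match on an internal host that the firewall had recently seen opening an outbound session. The event format, rule names and thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed events (not from the study guide) as collectors would hand them
# to the console: (timestamp_s, source, event_type, src_ip, detail).
EVENTS = [
    (100, "auth", "login_failure", "203.0.113.50", "user=admin"),
    (103, "auth", "login_failure", "203.0.113.50", "user=admin"),
    (106, "auth", "login_failure", "203.0.113.50", "user=admin"),
    (109, "auth", "login_failure", "203.0.113.50", "user=admin"),
    (111, "auth", "login_failure", "203.0.113.50", "user=admin"),
    (140, "auth", "login_success", "203.0.113.50", "user=admin"),
    (150, "firewall", "outbound_allow", "10.0.0.5", "dst=198.51.100.9:443"),
    (200, "auth", "login_failure", "192.0.2.10", "user=bob"),
    (900, "auth", "login_success", "192.0.2.10", "user=bob"),
    (1000, "ips", "signature_match", "10.0.0.5", "sig=Directory traversal"),
]


def correlate_brute_force(events, threshold=5, window_s=300):
    """Stateful rule: at least `threshold` login failures from one source within
    `window_s` seconds, followed by a success from that source, raises an alert.
    A success with no preceding burst, or a burst that has aged out, does not."""
    failures = defaultdict(deque)            # src_ip -> timestamps of recent failures
    alerts = []
    for ts, source, etype, src, detail in sorted(events):
        if source != "auth":
            continue
        window = failures[src]
        while window and ts - window[0] > window_s:   # expire failures outside the window
            window.popleft()
        if etype == "login_failure":
            window.append(ts)
        elif etype == "login_success" and len(window) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src": src,
                           "failures": len(window), "at": ts, "detail": detail})
            window.clear()
    return alerts


def correlate_ips_after_session(events, window_s=3600):
    """Cross-source rule: an IPS signature match attributed to an internal host
    that the firewall saw opening an outbound session within `window_s` seconds."""
    last_outbound = {}
    alerts = []
    for ts, source, etype, src, detail in sorted(events):
        if source == "firewall" and etype == "outbound_allow":
            last_outbound[src] = ts
        elif source == "ips" and etype == "signature_match":
            seen = last_outbound.get(src)
            if seen is not None and ts - seen <= window_s:
                alerts.append({"rule": "ips-hit-after-outbound", "src": src,
                               "at": ts, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in correlate_brute_force(EVENTS) + correlate_ips_after_session(EVENTS):
        print(alert)
```

The first rule fires once, for 203.0.113.50, and stays silent for 192.0.2.10 whose single failure has aged out of the window by the time of the success; the second links the firewall and IPS views of 10.0.0.5 that neither source could raise alone.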

Security Intelligence (SI). The information relevant to protecting an organization from external and
internal threats, together with the processes, policies and tools designed to gather and analyze that
information. Intelligence, in this context, is actionable information that provides an organization with
decision support and possibly a strategic advantage. SI is a comprehensive approach that integrates
multiple processes and practices designed to protect the organization.

UTM. Unified Threat Management provides administrators the ability to monitor and manage multiple,
complex security-related applications and infrastructure components through a single management
console. The advantage to UTM is that it goes beyond the NGFW focus of high performance protection
of data centers by incorporating a broader range of security capabilities as either cloud services or
network appliances, integrating:

• Intrusion Prevention (IPS)
• Content Filtering
• Quality of Service (QoS)
• Anti-Malware
• VPN Capabilities
• SSL/SSH Inspection
• Anti-Spam
• Load Balancing
• Application Awareness
• Identity-based Access Control

Vulnerability. In cybersecurity, a vulnerability is a flaw in a system that can leave it open to attack.
The term may also refer to any type of weakness in a computer system itself, in a set of procedures,
or in anything that leaves information security exposed to a threat. Reducing the number of
vulnerabilities leaves malicious users fewer options for gaining access to protected information.

Watering Hole. The watering hole attack method targets specific groups (organization, company,
industry, region, etc.). In this attack, the attacker guesses or observes which websites the group often
uses and infects one or more of them with malware. Eventually, some member of the targeted group
gets infected, resulting in the malware being spread to others in the targeted group.

Web Filtering. Web Filtering technology gives you the option to explicitly allow web sites, or to pass web
traffic uninspected both to and from known-good web sites in order to accelerate traffic flows. The most
advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control
perimeter web traffic at a granular level. Using web content filtering technology, these appliances can
classify and filter web traffic using multiple pre-defined and custom categories.
