CA Module 14
CA Module 14
CA Module 14
and Attacks
CyberOps Associate v1.0
Module Objectives
Module Title: Common Threats and Attacks
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
14.1 Malware
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Common Threats and Attacks
Types of Malware
• Malware is a code or software designed to damage, disrupt, steal, or inflict some other ‘bad’
or illegitimate action on data, hosts, or networks.
• The three most common types of malware are Virus, Worm, and Trojan horse.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
Common Threats and Attacks
Viruses
• A virus is a type of malware that spreads by inserting a copy of itself into another program.
• After the program is run, viruses spread from one computer to another, thus infecting the
computers.
• A simple virus may install itself at the first line of code in an executable file.
• Viruses can be harmless, for those that display a picture on the screen, or they can be
destructive. They can also modify or delete files on the hard drive.
• Most viruses spread by USB memory drives, CDs, DVDs, network shares, and email.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
Common Threats and Attacks
Trojan Horses
• Trojan horse malware is a software that appears to be legitimate, but it contains malicious
code which exploits the privileges of the user that runs it.
• Trojans are found attached to online games.
• Users are commonly tricked into loading and executing the Trojan horse on their systems
• It can cause immediate damage, provide remote access to the system, or access through a
back door.
• Custom-written Trojan horses with a specific target are difficult to detect.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
Common Threats and Attacks
Trojan Horses Classification
• Trojan horses are usually classified according to the damage that they cause, or the manner
in which they breach a system.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Common Threats and Attacks
Trojan Horses Classification (Contd.)
The types of Trojan horses are as follows:
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
Common Threats and Attacks
Worms
• Computer worms are similar to viruses because they
replicate themselves by independently exploiting
vulnerabilities in networks.
• Worms can slow down networks as they spread
from system to system.
• Worms can run without a host program.
Initial Code Red Worm Infection
• However, once the host is infected, the worm
spreads rapidly over the network.
• In 2001, the Code Red worm had initially infected
658 servers. Within 19 hours, the worm had infected
over 300,000 servers.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
Common Threats and Attacks
Worm Components (Contd.)
The three worm components are as follows:
• Enabling vulnerability - A worm installs itself using an exploit mechanism, such as an
email attachment, an executable file, or a Trojan horse, on a vulnerable system.
• Propagation mechanism - After gaining access to a device, the worm replicates itself
and locates new targets.
• Payload - Any malicious code that results in some action is a payload. Most often this is
used to create a backdoor that allows a threat actor to access the infected host or to
create a DoS attack.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
Common Threats and Attacks
Worm Components (Contd.)
• Worms are self-contained programs that
attack a system to exploit a known
vulnerability.
• Upon successful exploitation, the worm
copies itself from the attacking host to the
newly exploited system and the cycle begins
again.
• This propagation mechanism is commonly
deployed in a way that is difficult to detect.
• Note: Worms never stop spreading on the
internet. After they are released, worms
continue to propagate until all possible
sources of infection are properly patched.
Code Red Worm Propagation
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
Common Threats and Attacks
Ransomware
• Ransomware is a malware that denies access to the infected computer system or its data.
• Ransomware frequently uses an encryption algorithm to encrypt system files and data.
• Email and malicious advertising, also known as malvertising, are vectors for ransomware
campaigns.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
Common Threats and Attacks
Other Malware
The examples of modern malware are as follows:
Type of Malware Description
Includes scam software which uses social engineering to shock or induce anxiety by
creating the perception of a threat. It is generally directed at an unsuspecting user
Scareware
and attempts to persuade the user to infect a computer by taking action to address
the bogus threat.
Attempts to convince people to divulge sensitive information. Examples include receiving
Phishing
an email from their bank asking users to divulge their account and PIN numbers.
Installed on a compromised system. After it is installed, it continues to hide its intrusion
Rootkits
and provide privileged access to the threat actor.
Used to gather information about a user and send the information to another entity
Spyware without the user’s consent. Spyware can be a system monitor, Trojan horse, Adware,
tracking cookies, and key loggers.
Displays annoying pop-ups to generate revenue for its author. The malware may analyze
Adware user interests by tracking the websites visited. It can then send pop-up advertising
pertinent to those sites.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Common Threats and Attacks
Other Malware
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
Common Threats and Attacks
Common Malware Behaviors
• Computers infected with malware often exhibit one or more of the following symptoms:
• Appearance of strange files, programs, or desktop icons
• Antivirus and firewall programs are turning off or reconfiguring settings
• Computer screen is freezing or system is crashing
• Emails are spontaneously being sent without your knowledge to your contact list
• Files have been modified or deleted
• Increased CPU and/or memory usage
• Problems connecting to networks
• Slow computer or web browser speeds
• Unknown processes or services running
• Unknown TCP or UDP ports open
• Connections are made to hosts on the Internet without user action
• Strange computer behavior
• Note: Malware behavior is not limited to the above list.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
Common Threats and Attacks
Lab – Anatomy of Malware
In this lab, you will research and analyze some recent malware.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
14.2 Common Network
Attacks - Reconnaissance,
Access, and Social
Engineering
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Types of Network Attacks
• Malware is a means to get a payload delivered .
• When a payload is delivered and installed, it can be used to cause a variety of network-
related attacks from the inside as well as from the outside.
• Network attacks are classified into three categories:
• Reconnaissance Attacks
• Access Attacks
• DoS Attacks
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Reconnaissance Attacks
• Reconnaissance is information gathering.
• Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and
mapping of systems, services, or vulnerabilities.
• Recon attacks precede access attacks or DoS attacks.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Reconnaissance Attacks (Contd.)
The techniques used by malicious threat actors to conduct reconnaissance attacks are as follows:
Technique Description
Perform an information The threat actor is looking for initial information about a target. Various tools can be
query of a target used, including the Google search, organizations website, whois, and more.
Initiate a ping sweep of The information query usually reveals the target’s network address. The threat actor
the target network can now initiate a ping sweep to determine which IP addresses are active.
Initiate a port scan of This is used to determine which ports or services are available. Examples of port
active IP addresses scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
This is to query the identified ports to determine the type and version of the
Run vulnerability
application and operating system that is running on the host. Examples of tools
scanners
include Nipper, Secuna PSI, Core Impact, Nessus v6, SAINT, and Open VAS.
The threat actor now attempts to discover vulnerable services that can be exploited. A
Run exploitation tools variety of vulnerability exploitation tools exist including Metasploit, Core Impact,
Sqlmap, Social Engineer Toolkit, and Netsparker.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Reconnaissance Attacks (Contd.)
Internet Information Queries: Click Play in Performing Ping Sweep: Click Play in the figure
the figure to view an animation of a threat to view an animation of a threat actor doing a
actor using the who is command to find ping sweep of the target’s network address to
information about a target. discover live and active IP addresses.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Reconnaissance Attacks (Contd.)
Performing Port Scan: Click Play in the figure to view an animation of a threat actor performing
a port scan on the discovered active IP addresses using Nmap.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Video - Reconnaissance Attacks
Watch the video to learn about the different techniques in a reconnaissance attack.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Access Attacks
• Access attacks exploit known vulnerabilities in authentication services, FTP services, and
web services to gain entry into web accounts, confidential databases, and other sensitive
information.
Password Attacks
The threat actor attempts to discover critical system passwords using
a variety of password cracking tools.
Spoofing Attacks
The threat actor device attempts to pose as another device by falsifying data.
Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
Trust exploitations
Port redirections
Man-in-the-middle attacks
Buffer overflow attacks © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Access Attacks (Contd.)
Trust Exploitation Example: Click Play in the Port Redirection Example: The example
figure to view an example of trust exploitation. shows a threat actor using SSH (port 22) to
connect to a compromised Host A trusted by
Host B. Hence, the threat actor can use
Telnet (port 23) to access it.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Access Attacks (Contd.)
Man-in-the-Middle Attack Example: The Buffer Overflow Attack: The figure shows that
figure displays an example of a man-in-the- the threat actor is sending many packets to the
middle attack. victim in an attempt to overflow the victim’s
buffer.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Video - Access and Social Engineering Attacks
Watch the video to see the demonstration of the types of access and social engineering attacks.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Social Engineering Attacks
• Social Engineering is an access attack that attempts to manipulate individuals into performing
actions or divulging into confidential information.
• Some social engineering techniques are performed in-person or via the telephone or internet.
• Social engineering techniques are explained in the below table.
Social Engineering
Description
Attack
A threat actor pretends to need personal or financial data to confirm the identity of
Pretexting
the recipient.
A threat actor sends fraudulent email which is disguised as being from a legitimate,
Phishing trusted source to trick the recipient into installing malware on their device, or to share
personal or financial information.
A threat actor creates a targeted phishing attack tailored for a specific individual or
Spear phishing
organization.
Also known as junk mail, this is unsolicited email which often contains harmful links,
Spam
malware, or deceptive content.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Social Engineering Attacks (Contd.)
Social Engineering
Description
Attack
Something for Sometimes called “Quid pro quo”, this is when a threat actor requests personal
Something information from a party in exchange for something such as a gift.
A threat actor leaves a malware infected flash drive in a public location. A victim
Baiting finds the drive and unsuspectingly inserts it into their laptop, unintentionally
installing malware.
In this type of attack, a threat actor pretends to be someone else to gain the trust of
Impersonation
a victim.
This is where a threat actor quickly follows an authorized person into a secure
Tailgating
location to gain access to a secure area.
This is where a threat actor inconspicuously looks over someone’s shoulder to steal
Shoulder surfing
their passwords or other information.
This is where a threat actor rummages through trash bins to discover confidential
Dumpster diving
documents.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Social Engineering Attacks (Contd.)
• The Social Engineer Toolkit (SET) was
designed to help white hat hackers and other
network security professionals to create social
engineering attacks to test their own networks.
• Enterprises must educate their users about
the risks of social engineering, and develop
strategies to validate identities over the phone,
via email, or in person.
• The weakest link in cybersecurity can be the personnel within an organization, and social
engineering is a major security threat.
• One of the most effective security measures that an organization can take is to train its
personnel and create a ‘security-aware culture’.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Lab – Social Engineering
In this lab, you will research examples of social engineering and identify ways to recognize and
prevent it.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
14.3 Network Attacks - Denial
of Service, Buffer Overflows,
and Evasion
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Video – Denial of Service Attacks
Watch the video to learn about Denial of Service attacks.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
DoS and DDoS Attacks (Contd.)
DoS Attack: Click Play in the figure to view DDoS Attack: Click Play in the figure to
the animation of a DoS attack. view the animations of a DDoS attack.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
DoS and DDoS Attacks
• A Denial of Service (DoS) attack creates some sort of interruption in network services to
users, devices, or applications. The two types of DoS attacks are as follows:
• Overwhelming Quantity of Traffic - The threat actor sends an enormous quantity of data at
a rate that the network, host, or application cannot handle.
• Maliciously Formatted Packets - The threat actor sends a maliciously formatted packet to a
host or application and the receiver is unable to handle it.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Components of DDoS Attacks
The following terms are used to describe the components of a DDoS:
Component Description
A group of compromised hosts. These hosts
zombies
run malicious code.
Bots are malware that is designed to infect a
bots
host and communicate with a handler system.
A group of zombies that have been infected
botnet using self-propagating malware and are
controlled by handlers.
A master command-and-control
handlers (CnC or C2) server controlling groups of
zombies.
Enables unauthorized file transfer services
botmaster
on end devices.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Video Demonstration – Mirai Botnet
Mirai is malware that targeted IoT devices that are configured with default login information.
Closed-circuit television (CCTV) cameras made up the majority of Mirai’s targets. Using a
brute force dictionary attack, Mirai ran through a list of default usernames and passwords
that were widely known on the internet.
root/default
root/1111
root/54321
admin/admin1234
admin1/password
guest/12345
tech/tech
support/support
• The botnet was used as part of a Distributed Denial of Service (DDoS) attack.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Video Demonstration – Mirai Botnet (Contd.)
Play the video to view a demonstration of how a botnet-based DDoS attack makes services
unavailable.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Buffer Overflow Attack
• The threat actor uses the buffer overflow DoS attack to find
a system memory-related flaw on a server and exploit it.
• For instance, a remote denial of service attack vulnerability
was discovered in Microsoft Windows 10, where the threat
actor created malicious code to access out-of-scope
memory.
• Another example is ping of death, where a threat actor
sends a ping of death, which is an echo request in an IP
packet that is larger than the maximum packet size.
• The receiving host cannot handle a packet size and it
would crash.
• Note: It is estimated that one third of malicious attacks are
the result of buffer overflows.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Evasion Methods
The evasion methods used by threat actors include:
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Evasion Methods (Contd.)
Evasion Method Description
This evasion technique occurs when network defenses do not properly handle features
Protocol-level
of a PDU like a checksum or TTL value. This can trick a firewall into ignoring packets
misinterpretation
that it should check.
In this evasion technique, the threat actor attempts to trick an IPS by obfuscating the
data in the payload. This is done by encoding it in a different format. For example, the
Traffic substitution
threat actor could use encoded traffic in Unicode instead of ASCII. The IPS does not
recognize the true meaning of the data, but the target end system can read the data.
Similar to traffic substitution, but the threat actor inserts extra bytes of data in a
Traffic insertion malicious sequence of data. The IPS rules miss the malicious data, accepting the full
sequence of data.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
Common Threats and Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Evasion Methods (Contd.)
Evasion Method Description
This technique assumes the threat actor has compromised an inside host and wants to
expand their access further into the compromised network. An example is a threat actor
Pivoting
who has gained access to the administrator password on a compromised host and is
attempting to login to another host using the same credentials.
A rootkit is a complex attacker tool used by experienced threat actors. It integrates with
the lowest levels of the operating system. When a program attempts to list files,
Rootkits processes, or network connections, the rootkit presents a sanitized version of the output,
eliminating any incriminating output. The goal of the rootkit is to completely hide the
activities of the attacker on the local system.
Network traffic can be redirected through intermediate systems in order to hide the
ultimate destination for stolen data. In this way, known command-and-control not be
blocked by an enterprise because the proxy destination appears benign. Additionally, if
Proxies
data is being stolen, the destination for the stolen data can be distributed among many
proxies, thus not drawing attention to the fact that a single unknown destination is
serving as the destination for large amounts of network traffic.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
Common Threats and Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Evasion Methods (Contd.)
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
14.4 Common Threats and
Attacks Summary
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
Common Threats and Attacks Summary
What Did I Learn in this Module?
• Malware is short for malicious software or malicious code.
• Most viruses are spread through USB memory drives, CDs, DVDs, network shares, and
email.
• Trojans are found in online games.
• Three common types of malware are virus, worm, and Trojan horse.
• Threat actors can also attack the network from outside.
• The three major categories are reconnaissance, access, and DoS attacks.
• Recon attacks precede access or DoS attacks.
• Access attacks exploit known vulnerabilities in authentication services, FTP services, and
web services.
• DoS attacks create some sort of interruption of network services to users, devices, or
applications.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
Common Threats and Attacks Summary
What Did I Learn in this Module? (Contd.)
• DDoS attacks are similar in intent to DoS attacks, except that the DDoS attack increases in
magnitude because it originates from multiple, coordinated sources.
• Mirai is a malware that targets IoT devices configured with default login information.
• The goal of a threat actor when using a buffer overflow DoS attack is to find a system
memory-related flaw on a server and exploit it.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 49