Cybersecurity Overview

Kevin Barton, MS, CISSP, Associate Professor

[email protected]

CISA 4325 Network Security



Obtain a global perspective of network and information security measures

Understand malware threats and trends

Examine in detail different types of malware and their propagation

Examine the motivation behind cyber attacks

Survey the techniques to counter security threats

1

Vulnerability – A weakness that allows a threat to inflict loss on an asset

Software vulnerabilities are weaknesses in software

Software vulnerabilities allow attackers to gain access or to escalate privileges.

Exploit – A software payload that takes advantage of a vulnerability

2

Network Layers

Human: Social engineering; Phishing

Application: PDF obfuscation; injection attacks; Email spoofing

Presentation: PDF encryption

Session: SSL Man-in-the-Middle attacks

Transport: SYN-Fragment attack; SYN flooding; DDoS

Network: Route injection; IP address spoofing

Data Link: WEP and WPA attacks; ARP poisoning; Man-in-the-Middle

Physical: Jamming attacks

3

MALWARE SIGNATURES

New signatures increasing at an exponential rate

Malware is becoming more and more polymorphic

Difficult for current signature and behavior based detection systems to keep pace

4


TARGETS & TECHNIQUES

Consumer and business banking accounts

Web-based malware used to attack targets

Use of multistage Trojan “droppers”

Packaged malware products: Phishing kits; Botnet deployment kits

5

TECHNIQUES

Disposable malware: the lifespan of malware is dropping, with an average lifespan of just 2 hours

PDF files used in 49% of all attacks

“Transitive Trust” from social networking sites

Domain joined computers exposed to greater threat from worms

Trojans much more common in non-domain joined computers

6

BOTNETS

A network of hosts capable of acting upon a set of instructions; often millions of hosts

Zombie is the software used to control an Internet host

Bot C&C used to manage zombies; often contains an authentication key or password

IRC C&C utilizes chat to make bot communications more stealthy

HTTP also used for C&C

C&C server IP addresses hidden through fast-flux DNS: uses short TTLs and multiple IP addresses

The IP addresses are redirects to the real C&C server
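The fast-flux traits the slide lists (short TTLs, many rotating addresses) can be scored from repeated lookups of one name. This is an added example, not from the slides: the thresholds and the /16 grouping are assumptions, the lookups are constructed, and because CDNs also pair short TTLs with many addresses a hit is a triage signal rather than a verdict.

```python
"""Fast-flux DNS indicators over repeated A-record lookups (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List

@dataclass(frozen=True)
class DnsObservation:
    """One lookup of the same name: seconds since the first lookup, answer TTL, A records."""
    t: int
    ttl: int
    answers: List[str]

def fast_flux_indicators(obs: Iterable[DnsObservation], ttl_max: int = 300,
                         min_ips: int = 5, min_nets: int = 3) -> dict:
    """Summarise TTL, address count, network spread (/16 prefixes) and answer churn; thresholds are assumptions."""
    obs = list(obs)
    ips, nets = set(), set()
    churn = 0                      # lookups whose answer set differs from the previous one
    prev = None
    for o in obs:
        cur = frozenset(o.answers)
        if prev is not None and cur != prev:
            churn += 1
        prev = cur
        for a in o.answers:
            ips.add(a)
            # /16 grouping is a rough proxy for addresses spread over unrelated networks
            nets.add(str(ip_network(f"{a}/16", strict=False)))
    min_ttl = min((o.ttl for o in obs), default=0)
    flagged = bool(obs) and min_ttl <= ttl_max and len(ips) >= min_ips and len(nets) >= min_nets
    return {"min_ttl": min_ttl, "distinct_ips": len(ips), "distinct_nets": len(nets),
            "churn": churn, "fast_flux": flagged}

# Constructed sample lookups using RFC 5737 documentation ranges, not real observations.
FLUX_SAMPLE = [
    DnsObservation(0, 60, ["203.0.113.10", "198.51.100.5"]),
    DnsObservation(60, 60, ["192.0.2.33", "203.0.113.77"]),
    DnsObservation(120, 45, ["198.51.100.200", "192.0.2.130"]),
]
STABLE_SAMPLE = [
    DnsObservation(0, 3600, ["192.0.2.8", "192.0.2.9"]),
    DnsObservation(3600, 3600, ["192.0.2.9", "192.0.2.8"]),
]

if __name__ == "__main__":
    for name, sample in (("flux", FLUX_SAMPLE), ("stable", STABLE_SAMPLE)):
        print(name, fast_flux_indicators(sample))
```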

7

USER MODE

Hooks user or application space so that when an application makes a call, the Windows rootkit hijacks the system

Rootkit is not visible in Windows Explorer

Inefficient method

KERNEL MODE

Hooks or modifies kernel memory space to avoid detection

User applications do not have read privilege to the kernel, and cannot see malware in the kernel

Hidden in: Drivers & system32; User temp folder

8

MASTER BOOT RECORD MODE

Infects the MBR in the first sector of the disk

Modifies other sectors

Runs the malware at boot

Disables detection software to protect itself
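Because an MBR bootkit rewrites the bootstrap code in the first sector while leaving the partition table usable, a defender can record a hash of that code while the disk is known clean and compare later. This is an added example, not from the slides: the sector bytes are constructed rather than read from a disk (on a real system the first 512 bytes of the raw disk device are read with administrative privileges), and the baseline is computed from the constructed clean sector.

```python
"""Parse a 512-byte MBR and compare its boot code to a known-good baseline (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code, the part an MBR bootkit rewrites
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"         # bytes 510..511: boot signature
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, non-empty partition entries and signature validity."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts, "signature_ok": sector[510:] == BOOT_SIG}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Findings worth alerting on; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings

def make_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples; used to construct test data."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\0")
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + BOOT_SIG

# Constructed stand-in boot code (not a real boot loader) and one NTFS-type (0x07) partition at LBA 2048.
GOOD_MBR = make_mbr(bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 20, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(GOOD_MBR)["boot_code_sha256"]   # record this while the disk is known clean
TAMPERED_MBR = bytes([0xE9, 0x00, 0x01]) + GOOD_MBR[3:]  # constructed: first bytes rewritten, partition table intact

if __name__ == "__main__":
    print("clean   :", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The partition table parses identically before and after the constructed tampering, which is why a partition-level view alone does not reveal an MBR infection.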

9

DATABASES

NIST; MITRE; open-sourced; Rapid7

10

PURPOSE

To evade detection and analysis

Polymorphism and metamorphism change form

Polymorphism uses encryption

Metamorphism changes the virus body by rearranging code or inserting unneeded functions

Mutation common in non-executables

Packing/compression more common with executables

Used by software vendors to protect intellectual property

Used by malware developers to hide malware

Entry Point Obfuscation changes a location in the host code; relies on hooking/inserting to call malware

11

POLYMORPHISM

The decryptor exposes the malware to detection; decryptors are now mutated as well

Analysis: Standard decryption

Heuristics: examines behavior

Emulation: runs malware in a virtualized sandbox

OBFUSCATION

Four-step process: Obfuscation step

Modeling step

Mutation step

Techniques such as permutation of subroutines, insertion of jump instructions, substitution of instructions, etc.

12

MOTIVATION

Primarily financial: Credit cards

Bank accounts

Email addresses & accounts

Identities

Malicious code developers are selling code and tools; like many businesses, developers are not necessarily the users

TACTICS

Multistage: Initial attack gets a foothold, may use a Trojan

Subsequent payloads tailored to the compromised host

13

Asset

Robustness: Intrusion Detection

Isolation: Firewall

Redundancy: Multiple Links

Segregation: Separate Control & Corporate Networks

The asset is protected by multiple controls meeting various design criteria.


Layered security ensures assets are protected by multiple controls. Attackers must compromise multiple controls to attack an asset.

Robust layered security would include deterrent, preventive, detective and corrective technical, administrative and physical controls.

Control matrix: Deterrent, Preventive, Detective (each with Technical, Admin and Physical columns)

Example controls: Access Control; Kerberos; Locked Facilities; Log Analysis; Segregation; Isolation; Redundancy; Robustness; Redundancy (Links, Power Supplies); Recoverability