How can activities in Cyberspace be categorized?
Activities within Cyberspace can be divided into positive, neutral, and negative activities.
Negative activities can be classified into the categories weakness, vulnerability, threat, and attack.
If these categories are applied to IT-Systems, they often become properties of these systems.
What is a weakness?
A weakness of a Cyberspace participant is something endangering it or making it vulnerable.
Example weaknesses are:
• theft
• natural disaster
• badly written software
Therefore, a weakness describes any activity or property weakening a system, independent of security or safety considerations.
Give examples of weaknesses and categorize them.
Force Majeure:
• Lightning Strike
• Earthquake
• Strike
• Fire
Intent:
• Hacking
• Espionage
• Sabotage
• Burglary
Carelessness:
• Mistake / Error
• Misoperation
Technical Failure:
• Power Outage
• Hardware Failure
• Malfunction
Organizational Deficiencies:
• Untrained Staff
• Unauthorized Access
• Pirated Copy
What is a vulnerability? Relate it to weakness.
A vulnerability is a weakness suitable to circumvent Cybersecurity.
What is a threat?
An activity in Cyberspace becomes a Cybersecurity Threat if the possibility of the exploitation of at least one vulnerability exists.
Threats are classified as active and passive.
Active threats are expected to change something at a Cyberspace participant, like changing information transmitted through the Internet.
Passive threats are purely information gathering like recording network traffic or reading files.
What is an attack?
An attack in Cyberspace is the execution of a threat against a specific Cyberspace participant. Attacks include, for example, phishing, unauthorized access to a system, or rendering a system unusable.
How can Cybersecurity threats be classified?
Cybersecurity threats are classified into the following classes:
• Software
• Hardware
• Pattern
• Social Engineering
• Structure
What are examples of software based Cybersecurity threats?
Malware (malicious software) is an umbrella term for software with malicious intent like:
• Virus
• Trojan
• Worm
• Rootkits
• Spyware
What is a computer virus?
A Virus is a piece of software which spreads by infecting existing programs or firmware with code from itself. A virus has hidden functionality triggered by some event. This functionality includes:
• logging keystrokes/passwords
• encrypting/deleting all files
• transmitting the webcam feed somewhere
• uploading files to the internet
• just annoying the user
Examples:
• Melissa (1999, 300-600 million $ damage)
• I LOVE YOU (10 billion $ damage)
What is a trojan?
A Trojan is a piece of software disguising itself as a useful program. A Trojan has hidden functionality triggered on execution. This functionality includes:
• logging keystrokes/passwords
• copying itself to different locations
Example:
• Emotet (2020/2021)
What is ransomware?
Ransomware is a specific class of malware with the goal of extorting money from people.
This can be done by keeping data as a hostage (encrypting, leaking) or just pretending to. For the normal user both are hard to distinguish.
What is a backdoor?
A Backdoor is a hidden, undocumented entry point into a system. Software and hardware can contain backdoors. They are injected by the vendor of the software, hardware, or the system, or by anyone getting access to the source code of the system.
Typical implementations of backdoors are:
• hidden administrator accounts
• hidden instruction in the CPU
• weakened crypto
What is a rootkit?
A Rootkit is software installed by an attacker on a compromised system to ensure persistent local or remote access. Rootkits hide their existence by different means, including operating system drivers and hidden directories.
CHAT:
A rootkit is a type of malware designed to gain and maintain privileged access to a computer system without being detected. The term comes from “root” (the highest level of access in Unix/Linux systems) and “kit” (a collection of software tools).
What are hardware based Cybersecurity threats?
• BadUSB
• KeyGrabber
• NetTAP
What is a BadUSB?
A BadUSB device is a hardware dongle with a USB interface board. A microcontroller on the dongle can emulate different USB devices like storage or human interface devices. Often these devices can be emulated concurrently.
A BadUSB disguises itself as a normal USB device but can execute hidden functions:
• typing keys
• accessing main memory
• copying files
• destroying the USB controller/main board
What is a KeyGrabber/Logger?
Hardware connected between the USB port and the keyboard. It can sniff any keystrokes and
• save them to flash
• transmit them via WiFi
• transmit them via Bluetooth
How can a “Pattern” class threat be described?
Some vulnerabilities or even properties of systems may be exploited to threaten or attack a system.
What is a DOS attack?
A Denial of Service (DOS) threat/attack pattern renders a service unusable for Cyberspace participants.
Reasons for the unavailability could be:
• network congestion (overload)
• software is not running
• server shutdown
A Distributed DOS (DDOS) is a special DOS attack in which many distributed IT Systems access a service to overload the network or the server.
What does MITM stand for and what does it describe in the context of Cybersecurity threats?
In a Machine-In-The-Middle (MITM) threat pattern a machine tries to get in between multiple Cyberspace participants to read, alter, or drop data of the communication. Typical methods to get in between are:
• controlling a router
• splitting a wire
• deceiving a client to connect to the MITM machine
What is described by spoofing?
Spoofing is the process of deceiving Cyberspace participants by pretending to be another participant. This can happen on multiple layers of the ISO/OSI Model:
• Data-Link Layer (Ethernet)
• Network Layer (IP)
• Transport Layer (TCP/UDP)
• Application Layer
but also by impersonating a participant in a conversation.
Typical reasons for spoofing are:
• gathering login credentials
• starting a Machine-In-The-Middle (MITM) attack
• Denial of Service
What does APT stand for and what does it describe in the context of Cybersecurity threats?
An Advanced Persistent Threat (APT) identifies a complex attack pattern against digital infrastructures.
It uses advanced techniques consisting of small and complex attacks, sometimes performed over a long time period, to access the victim's computer network.
After gaining access the attacker hides within the network to gather more information and prepare the next steps.
APTs are in general performed by hacker groups, large companies, or nation-state actors.
What is the Cyber Kill Chain? What steps does it encompass?
The Cyber Kill Chain is a military concept to structure a Cyberattack, especially an APT. This concept has been adopted by most professional cybercriminal groups attacking systems.
Reconnaissance
The attacker selects a target and researches all public information about it to identify weaknesses of the target.
Weaponization
The attacker implements exploits for the found vulnerabilities, plans social engineering attacks on exposed employees of the target, and creates a delivery payload.
Delivery
The developed delivery payload is transmitted to the target by possible means like email, USB drive, or a website.
Exploitation
The delivery payload executes and exploits vulnerabilities to gain more access to the target's network.
Installation
Through the exploited vulnerabilities the payload installs a backdoor or rootkit into the system to gain persistent access to the target's network.
Command & Control
In this phase the attacker is able to access the target's network and can research inside information.
Actions on Objectives
In the last phase of the attack the main objective is executed, e.g. exfiltrating information, destroying information, or even starting an attack on another target.
Describe an example APT attack utilizing the Cyber-Kill-Chain.
Reconnaissance:
• select target
• research public information about target
• identify weaknesses
Weaponization:
• create exploits/malware
• plan social engineering
• create spear phishing emails
• build delivery payload
Delivery:
• transmission of delivery payload, e.g. email, USB stick, websites
Exploitation:
• delivered payload runs exploit/malware
Installation:
• install backdoor on system/systems
• get persistent access
Command & Control:
• control the deployed malware
• get direct access to target's network
Actions on Objectives:
• achieve the objectives of the attack: exfiltrate data, destroy data, intrusion of another target
What does the threat class of social engineering encompass and how can it be characterized?
Social Engineering is a threat class in Cyberspace which does not use any software or hardware in the first place. It is all about tricking people into executing some activities.
Examples include phone calls, phishing, and drop devices.
What is Phishing?
Phishing is a part of the broader attack pattern of social engineering.
With phishing someone tries to trick recipients of messages (email, SMS, WhatsApp) into clicking on a link, executing a program, or opening a file.
In general, the goal of phishing is to
• spread a malware
• trick people into providing
– passwords
– credit card numbers
– other personal information
Spear-Phishing is a specialized form of phishing which targets one victim or one group of victims.
Structures?
In Cyberspace, structures may also pose a threat to Cyberspace participants. A Botnet is just one example of such structures.
Botnet?
A botnet consists of many network-connected devices infected by malware and controlled by a command and control server to achieve:
• DDOS attacks
• mining cryptocurrency (Bitcoin)
• distributing malware
Often devices like computer systems that are not updated, vulnerable internet routers, or Internet of Things (IoT) devices are integrated into a botnet.