Malicious Activities
I am following Udemy Jason Dion’s course for Security +
Malicious Activities
Understanding cyber threats is the first step towards prevention and mitigation
Distributed Denial of Service Attacks (DDOS)
An attack that attempts to make a computer or computer server’s resource unavailable
DOS Types:
- Flood Attack: Type of DDOS which attempts to send more packets to a single server or host
- Ping Flood: A server is sent with too many pings (ICMP Echo). Preventions: Timeout (Block) all echo requests
- SYN Flood: An attacker with initiate multiple TCP sessions but never complete the three-way handshake. Preventions: Flood Guard, Timeout half open requests, Intrusion Prevention
- Permanent Denial of Service (PDOS): An attack which exploits a security flaw by reflashing a firmware, permanently breaking the networking device
- Fork Bomb: A large number of processes are created to use up a computer’s available processing power. This is not a WORM because this can not infect programs
Surviving DDOS Attacks Techniques:
- Blackhole/Sinkhole:
- Intrusion Prevention System
- Elastic Cloud Infrastructure (Most Effective): Some Providers - Cloudflare, Akamai
Domain Name Server (DNS) Attacks
Type of attacks:
- DNS Cache Poisoning or DNS Spoofing: Involves corrupting the DNS cache data of a DNS resolver with false information. Preventions: Use DNSSEC to add digital signature to the organization’s DNS data, Secure network configurations and firewalls to protect DNS server
- DNS Amplification: The attacker overloads a target system with DNS response traffic by exploiting the DNS resolution process. Preventions: Add rate limit to DNS response traffic
- DNS Tunneling: Uses DNS protocol over port 53 to encase non-DNS traffic, trying to evade firewall rules for C2 or data exfiltration. Preventions: Regular log monitoring
- Domain Hijacking : Altering the original domain name’s registration without the original registrant’s consent. Preventions: Use domain registry lock
- DNS Zone Transfer: The attacker mimics an authorized system to request and obtain the entire DNS zone data for a domain.
Directory Traversal Attacks/Path Traversal
This is a type of injection attack that allows access to commands, files and directories, either connected to web document root directory or not.
- File Inclusion: Is a vulnerability which allows an attacker to either download files from an arbitrary location or upload executable or script to open a backdoor
- Remote: Execute a script to inject a remote file
- Local: Execute or add a file that already exist
Execution and Escalation Attack
Types of Escalation Attacks:
- Arbitrary Code Execution: A vulnerability that allows the attacker to execute a code or run a module to exploit an vulnerability.
- Remote Code Execution: Allows attacker to transmit code from remote host.
- Privilege Escalation: When user accesses or modifies specific resources that they where not entitled to normally access.
- Vertical Privilege Escalation: From normal level user to high level user.
- Horizontal Privilege Escalation: From one user to another user of generally the same level.
- Rootkit: A malware that modifies system files, often at the kernel level, to conceal it’s presence.
- Kernel mode: At Ring 0 (Most privileged), this has complete control of the system
- User mode: Might have administrator level privileges, they have to be inside the registry (like Task Scheduler)
Replay Attacks
This is a type of network-based attack that involves maliciously repeating or delaying valid data transmissions. Here the attacker intercepts the data, analysis it then decides weather to retransmit it later. prevention: Use authentication tokens for unique authentication identification or MFA
Session/Cookie/Session Key Hijacking or Sidejacking
Session Management: A fundamental security component that enables web applications to identify users. Cookies: Allows web applications to retain information about the user. 1. Session Cookies: Gets deleted when browser is closed 2. Persistent Cookies: Stays around for a while, gets deleted by the user manually (clear cookie) or after a given expiration date\
Session Hijacking: A type of spoofing attack where the host is disconnected and replaced by the attacker Session Prediction: An attacker attempts to predict the session token to hijack that session. Cookie Poisoning: Modifying the contents of a cookie to be sent to client’s browser and exploit the vulnerabilities in an application.
On-path Attack
An attacker puts the workstation logically between two hosts during the communication. 1. ARP Poisoning 2. DNS Poisoning 3. Introducing a rouge Wireless Access Point (WAP) 4. Introducing a rouge hover/switch
Replay: Occurs when an attacker captures a valid data which is then repeated immediately or delayed and then repeated. Relay: Occurs when an attacker insert themself in between two hosts and become part of the conversation. Prevention: Using encrypted communications like TLS 1.3 SSL Striping: Tricking the encrypted application with an HTTP instead of HTTPs connection.
Indicator of Compromise (IOC)
Data pieces that detect potential malicious activity on a network or system. This a digital evidence that a security breach has occurred.
Indications
- Account lockouts
- Blocked content
- Resource consumption
- Out-of-cycle logging
- Missing logs
- Concurrent session usages
- Impossible travel
- Resource inaccessibility
- Article or documents on security breach
To get in touch with me or for general discussion please visit ZeroDayMindset Discussion