Welcome to this video on Common Methods of Attack. You’ll learn about some of the ways malicious attackers can cause problems in your networks, machines and software. We will focus on cyber crime, cyber exploits, malware, denial of service attacks and threat prevention. A cyber-dependent crime can only be committed with the use of a computer, and will generally target another computer in order to proceed. On screen you can see a number of cyber-dependent crimes, and we will examine some of these in more detail shortly. A cyber-enabled crime is one that could take place without the use of a computer, but which can be facilitated or committed at a larger scale with the aid of technology.
On screen you can see a number of traditional crimes that have moved into the cyber realm. Attackers can use computers to commit crimes in many ways. One way which is often used in cyber-dependent crimes is the exposure and use of cyber exploits. An exploit is a weakness within the operation of a computer system or software. Malicious software, or malware, is a common cyber exploit. Malware is a kind of software that has been created with the express intent of causing something to happen on a computer system without the owner’s informed consent. Malware doesn’t always make computers crash, and often users won’t even be aware of its presence.
Malware has a broad range of capabilities, from joke programs through to highly sophisticated malware that could cause serious harm. A polymorphic virus is a harmful, destructive or intrusive type of malware that can change or "morph," making it difficult to detect with anti-malware programs. Malicious code can change in a number of ways, for instance by changing file names, or by using compression and encryption with variable keys. Although the appearance, or signature, of the code in a polymorphic virus varies with each "mutation," the essential function usually remains the same.
For example, a spyware program intended to act as a keylogger will continue to perform that function even though its signature changes. If the spyware program is discovered by an anti-malware program and its signature is added to the vendor’s list of malware definitions, the anti-malware program will fail to detect the rogue code after the signature changes, just as if a new spyware program had emerged. In this way, malware creators gain an advantage over security vendors that use traditional signature-based detection to find and block malicious code. More recent examples of polymorphic viruses and malware have demonstrated increased sophistication.
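To make the point about signatures concrete, here is an added Python model (not code from the video or from any real malware) of why a hash-based definition list fails against polymorphism. The "payload" is a harmless text string standing in for the invariant function, the "mutation" is an XOR with a variable one-byte key behind a fixed decoder marker, and the three detectors are constructed for this example: a file-hash blocklist, a signature on the invariant decoder stub, and a check on what the sample actually does once unpacked.

```python
import hashlib

# Constructed stand-in for the malware's invariant function (the page's keylogger
# example). It is plain text, not executable code.
PAYLOAD = b"FUNCTION: capture keystrokes and forward them to the operator"

# The decoder every mutation must carry unchanged so it can unpack itself at run
# time. In a real packer this is a short routine; here it is a fixed byte marker,
# which is invariant in the same way.
DECODER_STUB = b"\x90\x90DECODE\x90\x90"


def mutate(payload: bytes, key: int) -> bytes:
    """One 'mutation': decoder stub, the 1-byte key, then the body XOR-ed with that key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be in 1..255")
    body = bytes(b ^ key for b in payload)
    return DECODER_STUB + bytes([key]) + body


def unpack(sample: bytes) -> bytes:
    """What the sample does when it runs: undo the XOR using the embedded key."""
    pos = len(DECODER_STUB)
    key = sample[pos]
    return bytes(b ^ key for b in sample[pos + 1:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect_by_hash(sample: bytes, blocklist: set) -> bool:
    """Traditional definition list: exact file hash of a previously seen sample."""
    return sha256(sample) in blocklist


def detect_by_stub(sample: bytes) -> bool:
    """Signature on the part that cannot change: the decoder stub."""
    return DECODER_STUB in sample


def detect_by_behaviour(sample: bytes) -> bool:
    """Inspect the unpacked content (what a sandbox or memory scan sees)."""
    return b"capture keystrokes" in unpack(sample)


def compare_detectors(n_variants: int = 20) -> dict:
    """Generate n mutations; the vendor only ever captured the first one."""
    variants = [mutate(PAYLOAD, key) for key in range(1, n_variants + 1)]
    blocklist = {sha256(variants[0])}
    return {
        "distinct_hashes": len({sha256(v) for v in variants}),
        "caught_by_hash": sum(detect_by_hash(v, blocklist) for v in variants),
        "caught_by_stub": sum(detect_by_stub(v) for v in variants),
        "caught_by_behaviour": sum(detect_by_behaviour(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare_detectors())
```

Every variant has a different hash, so the blocklist catches only the one sample the vendor already has, while a signature on the invariant stub or a check on unpacked behaviour catches all of them. That is why modern engines lean on emulation, memory scanning and behavioural rules rather than file hashes alone.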
The Storm Worm, which featured a backdoor Trojan, was first discovered in 2007. The worm spread via malicious email messages and once the Trojan executed it would turn systems or devices into bots. The Storm Worm featured a polymorphic packer, which is similar to a polymorphic engine. A packer can contain several different variants of malware in a single item such as an email attachment. The worm's polymorphic packer would change every 10 to 30 minutes, depending on the version, in order to avoid detection. The primary characteristic of a worm is its ability to self-replicate.
There will usually be some sort of human interaction required at the worm’s first point of entry into any given network, such as a user visiting a compromised website, or opening a malicious e-mail attachment. These actions can cause the worm to execute on that one machine. From that initial landing point, the worm spreads out across the network, making use of built-in functionalities that exist within the operating system and with no further human interaction required.
Worms have many aims, but they will often involve the delivery of a malicious payload. In the past few years, one of the most notorious examples of a worm being used was the WannaCry malware, which used Windows filesharing functionality to propagate. It targeted exploits available in older versions of Windows, so organizations that had not updated their Windows estate were the hardest hit. In the United Kingdom, the NHS’ use of Windows XP saw them suffer widespread consequences from a WannaCry attack. The authors of the WannaCry malware are widely believed to be the North Korean state sponsored hacking team known as Lazarus.
A Trojan is a non-self-replicating type of malware which gains privileged access to the operating system while appearing to offer a desirable function. Instead it will drop a malicious payload, often including a backdoor allowing unauthorized access to the target's computer. An example would be a program advertising itself as a free word-processing program – anyone installing it on their computer will certainly be able to create word documents, but they will also get some malicious software installed on their computer at the same time.
Trojans are often just the first stage in the compromise of a computer system. Once they have successfully been run on the target system, they either unleash further capabilities they already have configured, or download and install extra malware. Adware is software designed to generate revenue from the display of advertisements. Some examples of adware are:
Mysearchdial – This is a web browser hijack tool that alters the user’s homepage and search provider, removes plugins and injects webpages with unwanted adverts.
Shopathome – This is a web browser toolbar that displays coupons for goods on sites you visit. It also installs a rootkit that makes it very difficult to remove once installed.
Spyware is software that gathers information about the systems it is installed on. The information gathered may relate to the system itself, or to the people using that system. The information is then sent back to the author of the spyware.
An example of spyware with additional adware capabilities is:
Coolwebsearch – This program can change an infected computer's web browser homepage to coolwebsearch.com. Although originally thought to only work on Internet Explorer, recent variants have been found to affect Firefox and Chrome. Its functionalities include collecting private information about users; creating pop-up ads that redirect to other websites, including adult sites; and slowing the speed of infected computers. Coolwebsearch also alters the Windows hosts file to add DNS entries for affiliate websites.
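The hosts-file tampering mentioned for Coolwebsearch is easy to audit. The following Python checker is an added example (not from the video and not a real product's code): it parses a hosts file, treats loopback and 0.0.0.0 mappings as benign sinkholes (the ad-blocker pattern), and flags any name redirected to an external address, or any watchlisted name (search engines, security-vendor update servers) that appears at all. The sample hosts content, the watchlist and the addresses in it are constructed for this example.

```python
import ipaddress

# Constructed hosts-file content. The first lines are the usual defaults; the
# last three imitate a browser hijacker adding redirects and blackholes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example            # ad-block style sinkhole: benign
93.184.216.34   www.google.com www.bing.com    # constructed: search engines redirected
93.184.216.34   update.antivirus.example       # constructed: AV update server redirected
127.0.0.1       liveupdate.antivirus.example   # constructed: AV update server blackholed
"""

# Names that have no business in the hosts file of an ordinary workstation.
WATCHLIST = {
    "www.google.com", "www.bing.com",
    "update.antivirus.example", "liveupdate.antivirus.example",
}


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for each mapping line; comments are ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        yield line_no, ip, parts[1:]


def classify(ip):
    """Where does this mapping send traffic?"""
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"  # 127.0.0.1, ::1, 0.0.0.0: blocks the name, does not redirect it
    if ip.is_private or ip.is_link_local:
        return "internal"  # normal for corporate name overrides
    return "external"      # a public host now answers for this name


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, ip, reason) for every suspicious mapping."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        kind = classify(ip)
        for name in names:
            if name == "localhost":
                continue
            if kind == "external":
                findings.append((line_no, name, str(ip), "name redirected to external host"))
            elif name in watchlist:
                findings.append((line_no, name, str(ip), "watchlisted name sinkholed"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`. A redirect of a popular domain to a public address is the affiliate-traffic pattern the video describes, while a blackholed update server is the quieter trick of stopping the anti-malware product from refreshing its definitions.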
Ransomware is designed to deny access to computer resources, making the user pay a ransom to restore their access. The resources denied could range from a whole computer system to specific applications. Sophisticated ransomware now has the capability to interfere with in-built backups, and with the forensic recovery of deleted data, making it very difficult to recover from a ransomware attack. The WannaCry malware was an example of ransomware. Another example was Cryptolocker. This ransomware Trojan targeted Microsoft Windows. Cryptolocker propagated via infected email attachments, and via an existing botnet. When activated on a system, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key being sent to the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) was made by a stated deadline, and threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt the data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.
A rootkit is a particularly sophisticated malware variant. Rootkits have many capabilities, and work at all levels of a computer system. The most harmful and stealthy are kernel level rootkits. These burrow deep into the inner workings of an operating system, manipulating the kernel so that it becomes almost impossible to determine whether the operating system is telling the truth about any operations it carries out. This stealth capability means that it is very difficult to find kernel level rootkit infections, and it may be that the only way they reveal themselves is through their communications back to the malware author.
Other types of rootkits include:
Firmware – This type of rootkit attacks the BIOS, or firmware, of a computer. This area of storage is not checked for integrity, and not well protected. Rootkits established here are incredibly difficult to find.
Hypervisor – This type of rootkit interferes with the operation of virtual machines. It corrupts the hypervisor, taking charge of its controlling functions. Again, this is very difficult to find.
A keylogger is a type of malware concerned with capturing keystrokes made by the user of a computer.
If you think about what kind of things you type into your computers, it becomes immediately obvious that attackers can use keyloggers to obtain very sensitive information, such as passwords and bank account details. Keyloggers can be malicious software, but can also be built into specialist hardware. This hardware can be installed inside a keyboard itself, or placed in between the keyboard and the system it is connected to. So, why is malware able to use cyber exploits at all? The simple answer is that modern computing has an incredibly complex and varied landscape.
Applications are designed to offer ever greater levels of functionality, and this comes with the need to use more and more code. In turn this creates more opportunities for errors, and therefore potential exploits. There are many exploit repositories available, which give details of how exploits work and the software they affect. On screen you can see the number of exploits available for various major software technologies in January 2019.
Having looked at malware, let’s now turn our attention to other types of cyber-dependent crimes. The first of these is the Denial of Service attack which looks to deny users access to a computer system or application. This is usually done by flooding a target system with bogus requests for services, causing the system to become overwhelmed and unable to fulfil its core functions. In a Distributed Denial of Service (DDoS) attack there are many different sources of bogus requests.
Due to the large numbers of attackers involved, the sheer volume of bogus requests can be massive, bringing a whole new set of challenges when looking to mitigate these types of attacks. Although attack methods have become more sophisticated, there are still many tools available that can be used by attackers with little or no knowledge of how the tools work, nor the damage they can cause. Good examples of these are the High Orbit and Low Orbit Ion Cannons, HOIC and LOIC. These tools are freely available, and require minimal configuration or knowledge.
A DDoS requires the establishment of a network of compromised computers, or bots. A bot is an application that can perform and repeat a particular task faster than a human. The name given to the network of bots is a botnet. Botnets are controlled by botmasters, bot herders, zombie masters or other variants on this naming convention. The names all refer to the person or persons responsible for the running of the botnet. Botnets are typically installed on compromised machines via various forms of remote code installation, usually involving malware.
The botmaster will often hide their identity via proxies and other means, to disguise their IP address from detection by investigators and law enforcement. In some cases a botnet is shared, and multiple botmasters operate it together. It is also commonplace to see hacking of botnet credentials, or otherwise taking control of another botmaster's botnets. Botnets consist of three main elements: the bots; the command and control servers, also known as C&C or C2; and the botmaster who controls the botnet. C&C servers are used to remotely send commands to, and receive responses from, the botnet.
The term Command and Control originated from the military concept of a commanding officer directing control to their forces to accomplish a goal. C&C servers can make use of many different communication channels. Bots are configured to authenticate to the C&C infrastructure via password and/or keys. Anytime attackers wish to launch a DDoS attack, they can send special commands to their botnet's C&C servers with instructions to perform an attack on a particular target, and any infected machines communicating with the contacted C&C server will comply, launching a coordinated attack. Having seen how botnets are created, let’s now look at some of the types of DDoS attack that can be instigated via a botnet.
The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating that a requested service is not available or that a host or router could not be reached. The common way of referring to an ICMP echo request is a ‘ping’. Ping flood, also known as ICMP flood, is a common Denial of Service attack in which an attacker takes down a victim's computer by overwhelming it with pings. The attack involves flooding the victim's network with request packets, knowing that the network will respond with an equal number of reply packets. This strains both the incoming and outgoing channels of the network, consuming significant bandwidth and resulting in a denial of service. Executing a ping flood is dependent on attackers knowing the IP address of their target.
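Because a ping flood is simply a volume anomaly, the defender's first tool is a per-source rate check. The Python below is an added example, not from the video: it reads constructed packet-summary lines (timestamp, protocol, ICMP type, source, destination; the format and all addresses are invented for this example), keeps only echo requests, and reports any source whose peak count inside a sliding one-second window reaches a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 100              # echo requests per second from one source before we call it a flood
WINDOW = timedelta(seconds=1)


def build_sample_log():
    """Constructed packet-summary lines: one source bursts 300 pings in 0.6 s, another pings normally."""
    base = datetime(2024, 1, 15, 9, 30, 0)
    lines = []
    for i in range(300):                      # flood: a new echo request every 2 ms
        t = base + timedelta(milliseconds=2 * i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} ICMP echo-request 203.0.113.7 -> 192.0.2.10")
    for i in range(5):                        # benign: one ping per second
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} ICMP echo-request 198.51.100.4 -> 192.0.2.10")
    lines.append(f"{base.isoformat(timespec='milliseconds')} ICMP echo-reply 192.0.2.10 -> 198.51.100.4")
    return sorted(lines)


def parse(line):
    """Split one summary line into (timestamp, protocol, type, src, dst)."""
    ts, proto, kind, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), proto, kind, src, dst


def peak_rate_per_source(lines):
    """Maximum number of echo requests any single source sent inside one WINDOW."""
    per_src = defaultdict(list)
    for line in lines:
        ts, proto, kind, src, _dst = parse(line)
        if proto == "ICMP" and kind == "echo-request":
            per_src[src].append(ts)
    peaks = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] >= WINDOW:   # slide so the window spans less than 1 s
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def flag_floods(lines, threshold=THRESHOLD):
    """Sources whose peak one-second echo-request count reaches the threshold."""
    return {src: peak for src, peak in peak_rate_per_source(lines).items() if peak >= threshold}


if __name__ == "__main__":
    print(flag_floods(build_sample_log()))
```

The threshold is a local policy decision: a monitoring system that pings every host once a minute never comes near it, while hundreds of requests per second from one address is the pattern worth rate-limiting at the edge. A distributed flood, where each source stays under the threshold, needs the same counting done per destination instead.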
Attacks can therefore be broken down into three categories, based on the target and how its IP address is resolved. A targeted local disclosed ping flood targets a single computer on a local network. An attacker needs to have physical access to the computer in order to discover its IP address. A successful attack results in the target computer being taken down.
A router disclosed ping flood targets routers in order to disrupt communications between computers on a network. It is reliant on the attacker knowing the internal IP address of a local router. A successful attack results in all computers connected to the router being taken down.
The next type of DDoS attack we will look at is a SYN flood. A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. Normally when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which runs like this:
The client requests a connection by sending a SYN message to the server.
The server acknowledges this request by sending SYN-ACK back to the client.
The client responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.
A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address - which will not respond with an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK. However, in an attack, the half-open connections created by the malicious client grab hold of resources on the server and may eventually exceed the available resource pool. At that point, the server cannot connect to any clients, whether legitimate or otherwise.
This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way. Denial of Service attacks can be very effective, and are difficult to fully mitigate without expensive equipment designed specifically for the task. There are a number of ways that cost-effective mitigations can be put in place, involving initial consideration of DoS attacks when designing a network; careful configuration of network protection devices; and having an effective business continuity plan in place to ensure that customers can still have their requests serviced in some form, even whilst the network is under attack.
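The half-open connection problem described above, and one of the cost-effective mitigations the video alludes to, can both be shown in a small model. The Python below is an added example written for this page (not code from the video or from any operating system): a stateful listener that stores every SYN in a fixed-size queue, and a SYN-cookie listener that stores nothing on SYN because the sequence number it sends back is an HMAC the client must echo in its ACK. The simulation, addresses, secret and clock are all constructed; real SYN cookies also pack the client's MSS into the cookie and use a slowly incrementing counter rather than wall-clock seconds.

```python
import hashlib
import hmac

DST = ("192.0.2.10", 443)                     # the protected server (constructed address)
SECRET = b"constructed-secret-rotate-periodically"
MASK32 = 0xFFFFFFFF


class StatefulServer:
    """Classic handshake: every SYN is remembered until its ACK arrives (or never does)."""

    def __init__(self, backlog: int = 128):
        self.backlog = backlog
        self.half_open = {}          # (src_ip, src_port) -> ISN we sent in the SYN-ACK
        self.established = set()
        self._next_isn = 1000        # stand-in for a random ISN

    def on_syn(self, src, dst):
        if len(self.half_open) >= self.backlog:
            return None              # queue exhausted: the SYN is silently dropped
        self._next_isn = (self._next_isn + 64000) & MASK32
        self.half_open[src] = self._next_isn
        return self._next_isn        # carried back to the client in the SYN-ACK

    def on_ack(self, src, dst, ack):
        isn = self.half_open.get(src)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieServer:
    """SYN cookies: no state on SYN; the ISN is a MAC over the 4-tuple and a time slot."""

    def __init__(self, secret: bytes, clock):
        self.secret = secret
        self.clock = clock           # returns seconds; slots of 64 s bound cookie lifetime
        self.established = set()

    def _cookie(self, src, dst, slot):
        msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}@{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, dst):
        return self._cookie(src, dst, self.clock() // 64)   # nothing is stored

    def on_ack(self, src, dst, ack):
        now = self.clock() // 64
        for slot in (now, now - 1):  # tolerate a slot boundary between SYN-ACK and ACK
            if (ack - 1) & MASK32 == self._cookie(src, dst, slot):
                self.established.add(src)
                return True
        return False                 # a forged ACK without a valid cookie costs us nothing


def simulate(server, n_spoofed: int = 256) -> bool:
    """Flood with spoofed SYNs that are never ACKed, then see whether one real client connects."""
    for i in range(n_spoofed):
        spoofed = (f"203.0.113.{i % 254 + 1}", 40000 + i)
        server.on_syn(spoofed, DST)  # the SYN-ACK goes to a host that never replies
    client = ("198.51.100.5", 51515)
    syn_ack_isn = server.on_syn(client, DST)
    if syn_ack_isn is None:
        return False                 # dropped: service denied to a legitimate client
    return server.on_ack(client, DST, (syn_ack_isn + 1) & MASK32)


def demo() -> dict:
    fixed_clock = lambda: 1_700_000_000
    return {
        "stateful_client_connected": simulate(StatefulServer(backlog=128)),
        "syn_cookie_client_connected": simulate(SynCookieServer(SECRET, fixed_clock)),
    }


if __name__ == "__main__":
    print(demo())
```

With 256 spoofed SYNs and a backlog of 128, the stateful listener is full before the real client arrives and its SYN is dropped; the cookie listener accepts the same client because it never spent any memory on the spoofed ones. On Linux this mechanism is the `net.ipv4.tcp_syncookies` sysctl, which kicks in once the accept queue overflows; it is one of the "careful configuration" items the video refers to, alongside shorter SYN-RECEIVED timeouts and upstream rate limiting.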
The most sophisticated cyber attackers are known as Advanced Persistent Threats, or APTs. These could be nation states, or highly sophisticated cyber-criminals. As the name implies these attackers use highly advanced tools and techniques to achieve their aims, including the ability to maintain a persistent presence on the target network. A persistent presence means that they are able to navigate the network as and when they choose, rather than having to re-infect machines with malware. APTs work through a list of key staging points, as shown on screen.
A lot of time is spent on Intelligence Gathering, as this is where they will be gaining all of the knowledge they need to successfully attack the target. This knowledge could include software used within the target organization; naming conventions for machines and users; password policies; and corporate organisational structures. The ultimate end goal is to steal data, preferably without the target ever becoming aware of the compromise.
So, how can organisations defend against APTs? Standard, one-size-fits-all approaches cannot deal with the custom nature of targeted attacks and their dedicated perpetrators. The malware, communications and attacker activities used in targeted attacks can be invisible to standard endpoint, gateway, and network security measures. There is a need for a new type of network monitoring that uses specialised detection and analysis techniques designed specifically to discover the signs of these attacks. In-depth detection and analysis capabilities need to exist across all phases of the attack lifecycle.
Defenders should investigate where techniques such as data mining, visualisation and AI, and machine learning algorithms can be involved. Defenders should practice “simulated attacks” and prepare their cyber incident response teams. It is always useful, if not vital, to keep up to date with threats and capabilities. The NCSC plays a critical role in protecting the country from cyber-attacks - a big part of this is keeping organisations up to date with the cyber threat. QA Cyber publishes a weekly cyber report, compiled of the latest round up of cyber news, called Cyber Pulse, and this is free to subscribe to. That brings us to the end of this video.
Richard Beck is Director of Cyber Security at QA. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 15 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for an organization that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in the Defence, Financial Services, and HMG sectors. Richard sits on a number of security advisory panels and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). Richard is also a STEM Ambassador working to engage and enthuse young people in the area of cybersecurity, providing a unique perspective on the world of cybersecurity to teachers and encouraging young people to consider a career in cybersecurity.