Hello and welcome back. Now we're going to look at external attacks. Now, an external attack has a number of stages.

First, we footprint. That means we go and find out what is available to hack. Find out as much information as possible. So, for example, maybe you intercept an organization’s employees  at the coffee shop. You’re having a conversation, talking about football, and you pay attention to him, you recognize where he puts his pass, you realize that he's got a pass that could be copied, you also be able to copy it there and then with a card reader. You also realize who his workmates are and see if you can intercept them. You set up face Facebook accounts to interact with them as well and have a good conversation. You’re doing reconnaissance work. You could do some dumpster diving, rooting through the trashcan to find information about their network, piecing  together shreddings that weren't done very well. Social engineering. Getting into the organization. I'm going for job interviews. All of that type of stuff where we actually find out information that we can use for a hack. Finding out what systems they're running. 

We then do a bit of scanning where we actually scan their systems and find out what systems they're using. That allows us to then move towards enumeration. If we know what they're running, then we can find out the vulnerabilities. And then we chose our pathway based on all of this foot printed information.

If footprinting is done correctly, the rest of the stages of an external attack run ever so smoothly. Yet if it isn't done sufficiently, this becomes hard work.

Penetration, that's then taking advantage of the vulnerabilities that we found and actually using an exploit. 

Then we elevate our actual privileges. Moving from user to admin or power user, or the main administrator, or whatever that might be.

Then we have pilfering, so we pilfer stuff, we take things that don’t belong to us. And then we cover our tracks. We cover our tracks by doing things such as deleting logs, changing things so that it doesn't look like we've been there, destroying accounts that we've created, etc.

And then, finally, we stage our return. We do what's called an established persistence, once we've penetrated. And that's what we'll do in terms of establishing some sort of command or control so that we can get back into the network at any point in time that we'd like to, leaving ourselves a back door, if you will.

So let’s now take a look at targeted attacks and advanced persistent threats, otherwise known as APTs. These are the norm nowadays. So you'll see big companies and nations stay active with doing all of this. They have so much money they can really, really hunt. And they can also pay for what we call Zero Days.

So, there are a couple of vulnerabilities. There are normal vulnerabilities which you will find on the CVE list, which can easily be found with a quick Google search.

CVE stands for Common Vulnerabilities and Exposures. We also have Zero Days. Now, the difference between these two are that CVEs are known, while Zero Days are unknown.

The unknown vulnerabilities are not on the CVE list. So if someone discovers an unknown vulnerability, in an organization’s system or in their software, through a penetration test, for example, it's known as a Zero Day. Nobody's found it yet. So, Zero Days are the most dangerous type of vulnerability, because they're not known to the vendors. Nobody knows about them, there's nothing to protect against them, therefore at the time they are known as Zero Days. There's nothing in place to fix them.

However, with common vulnerabilities and exposures there are patches. So if you get hit with this, that's your fault then. If you get caught with a CVE that's your fault. Some people spend time finding new vulnerabilities and putting them on the CVE list. It's also a good way to make money. They call it bug bounty hunting. People get paid to find bugs and vulnerabilities. Companies pay so much money now to bug bounty hunters and penetration testers to find these things before people that have malicious intent do. Or before people that don't have very good ethics do. Because what those people can do is use Zero Days and chain them together and to take advantage of them and launch very sophisticated attacks. Because nobody knows that those vulnerabilities exist.

APT threat stages are similar. Intelligence gathering. Finding a point of entry after that intelligence gathering. Setting up command and control. Lateral movement and persistence, which means moving from one system to another across the network, finding the data that you want to get, and then exfiltrating it.

That might be done in a multitude of ways such as email, USB devices, DNS traffic, tunneling, encrypting traffic and sending it out. There are so many different ways to get data out of an organization. They might get somebody to hide it on their person. And these are all examples of exfiltration.