SKILL CCNE015: Communicate cyberspace operations methodologies
SKILL CCNE016: Define common frameworks for conducting cyberspace operations
SKILL CCNE017: Discuss methods to gain access
SKILL CCNE018: Describe network attacks
- Reconnaissance (Footprinting, Scanning, Enumeration, Net Mapping)
- Gaining Access
- Privilege Escalation
- Post Exploitation
- Target Survey & Remote Forensics Analysis
- Cover Tracks (cleanup)
- Data Collection
- Establish Persistence
Reference: SANS.org
- Cyber Criminals
- State Sponsored (Nation State)
- Hacktivist
- Insider Threats
Reference: JP3-12R
- Transnational Actor
- Individual Actors or Small Group
- Malware
- Hacking
- Social Tactics
- Misuse
- Physical
- Error
- Environmental
- Internal Exploitation vs. External Exploitation
- Commonly Compromised Assets
- Importance of Testing Tools
Exfiltration via outbound connections is very common and hard to counter at the perimeter, since perimeter defenses were built to focus on incoming threats
Common protocols are used to mask data exfiltration: HTTP/HTTPS, FTP and DNS, for example, blend easily into normal outbound network traffic, obscuring the attacker's actions
- In-band vs. out-of-band
- Access
- Persistence
- Means
- Custom exfiltration tool vs Native utilities
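As an added example (not part of the original notes), the detection side of the DNS case above: a small analyzer, written here for this page, that reads constructed DNS query log lines in a hypothetical "time client qname qtype" format and flags registered domains that receive several distinct long, high-entropy leftmost labels, which is what encoded data riding in DNS names tends to look like. The domain names and thresholds are constructed assumptions; a real deployment would use the Public Suffix List instead of the "last two labels" shortcut used here.

```python
import math
from collections import defaultdict

# Constructed sample log (hypothetical format: time client qname qtype);
# names use reserved documentation domains and are not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.0.0.5 www.example.com A
2024-03-01T09:00:02Z 10.0.0.5 mail.example.com A
2024-03-01T09:00:03Z 10.0.0.7 q7x2m9k4p1z8r5t3w6n0.t.tunnel.example TXT
2024-03-01T09:00:04Z 10.0.0.7 b3v8c1h6j9d2f5g7l0s4.t.tunnel.example TXT
2024-03-01T09:00:05Z 10.0.0.7 y2u5i8o1a4e7t0r3w6q9.t.tunnel.example TXT
2024-03-01T09:00:06Z 10.0.0.7 z9x8c7v6b5n4m3a2s1d0.t.tunnel.example TXT
2024-03-01T09:00:07Z 10.0.0.9 cdn.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into fields; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation of the registered domain (assumption;
    use the Public Suffix List in production to handle suffixes like co.uk)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def is_suspicious_label(label: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Long, high-entropy leftmost labels are typical of data encoded into DNS names."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_dns_exfil_candidates(log_text: str, min_suspicious: int = 3):
    """Return {domain: {"total", "suspicious", "clients"}} for each registered domain
    that received at least min_suspicious distinct suspicious leftmost labels."""
    stats = defaultdict(lambda: {"total": 0, "suspicious": set(), "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain = registered_domain(rec["qname"])
        leftmost = rec["qname"].split(".")[0]
        s = stats[domain]
        s["total"] += 1
        s["clients"].add(rec["client"])
        if is_suspicious_label(leftmost):
            s["suspicious"].add(leftmost)
    return {
        d: {"total": s["total"], "suspicious": len(s["suspicious"]), "clients": sorted(s["clients"])}
        for d, s in stats.items()
        if len(s["suspicious"]) >= min_suspicious
    }


if __name__ == "__main__":
    for domain, info in find_dns_exfil_candidates(SAMPLE_LOG).items():
        print(f"{domain}: {info['suspicious']} suspicious labels in "
              f"{info['total']} queries from {info['clients']}")
```

The per-domain count of distinct suspicious labels matters more than any single query: one odd-looking name is noise, but a steady stream of unique high-entropy labels to the same domain from one client is the pattern worth alerting on, and it is visible even when the queries themselves are allowed through the perimeter.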
- Assess Operational Architecture
- What types of functions are controlled by systems?
- How are dependencies represented among systems?
- Geographic (i.e. Control over infrastructure or area)
- Physical (i.e. Router/hardware)
- Logical (i.e. DNS/software)
- Cyber Persona (i.e. accounts/credentials/access to information)
Common means for stealing credentials:
Social Engineering, reusing stolen passwords/shared credentials, brute force, security question reuse
Credentials can provide an adversary with:
Remote Access: gain remote entry into networks using Virtual Private Networks (VPN) or remote access protocols such as RDP and VNC
Movement within a network: stolen credentials (especially domain admin credentials) can allow an attacker to move laterally within a network, or potentially deeper into higher-security areas
Cloud Access: Cloud services that can be accessed via domain credentials allow an attacker to easily access valuable data, especially as organizations move information into the cloud
Admin/Domain Admin Credentials
- Need to be audited
- Should not have the ability to alter audit files
- Require secondary approval
Access Controls
- Behavioral analysis
- Context Awareness
- Multi-factor authentication
Shellcode
- Machine code
- Exploit vulnerability; deliver payload
Resources:
http://www.tenouk.com/Bufferoverflowc/Bufferoverflow5.html
https://www.coresecurity.com/system/files/publications/2016/05/TheShellcodeGeneration.pdf
Code Injection: exploitation of a computer bug that is caused by processing invalid data.
Injection is used by an attacker to introduce code into a vulnerable computer program and change/manipulate the course of execution
Resources:
http://phpsecurity.readthedocs.io/en/latest/Injection-Attacks.html
https://blog.udemy.com/php-injection/
SQL Injection is a code injection technique that could destroy or compromise the integrity of a database
SQL Injection is one of the most common web hacking techniques
SQL Injection involves placing malicious code within SQL statements via a web page's unvalidated user input
- Cyber Criminals
- Internal vs External
- Packet Sniffing
- Man in the Middle
- Network Scanning
- DoS/DDoS
- Access Attack
Ashley Madison:
- Responsibility claimed by the "Impact Team"
- Approx. 9.7 Gb posted on Tor
- Site source code posted (MANY git repositories)
- Little hard evidence released; not clear whether this was an insider or external hacking
What are some of the collateral effects?
Yahoo Hacking:
- Yahoo's hacking has been measured as the largest data breach in history
- 2014 hack: 500 million accounts, 2014 hack: up to 1 billion accounts
- Not disclosed until 2016
- Two Russian FSB officials indicted
- US has no extradition treaty with Russia
What are some of the collateral effects?
OPM Hack:
- Breached December 2014
- 21 Million current/former Fed. Employees' PII leaked
- China is suspected of the breach
- SF-86's...foreign contacts?
What are some of the collateral effects?