Protect infrastructure by balancing business needs against security risks.
Always assume that an intrusion is underway
- physical incidents like fires, floods,
all need a stable method for incident handling.
Set process to get systems and services back online quickly and securely
Computer and Network Hacker Exploits
Data leaking from your network could provide the clue for an attacker to blow the systems wide open.
First two phases of many computer attacks:
Networks reveal an enormous amount of information to potential attackers.
Attackers conduct detailed scans of systems, scouring the openings to get through defenses.
Targets of opportunity:
- weak systems and firewalls,
- unsecured modems
- wireless local networks
Hackers trading exploits
- blind scans, and bounce scans to obscure their source and intentions.
Also targeting firewalls, attempting to understand and manipulate rule sets to penetrate networks.
Intrusion Detection System evasion.
Understand critical phases of an attack in detail.
- What does the network reveal?
- Leaking too much information?
- Using Whois lookups, ARIN, RIPE and APNIC
- Domain Name System harvesting
- Data gathering from fob postings, web sites, and government databases
- Identifying publicly compromised accounts
- FOCA for metadata analysis
- Locating and attacking insecure wireless LANs
- War dialing with War-VOX for renegade modems and unlocked phones
- Port Scanning: Traditional, stealth, and blind scanning
- Active and passive Operating System fingerprinting
- Determining firewall filtering rules
- Vulnerability scanning using Nessus and other tools
- CGI scanning with Nikto
Intrusion Detection System (IDS) Evasion
- Foiling IDS at the network level: Fragmentation and other tricks
- Foiling IDS at the application level: Exploiting the rich syntax of computer languages
- Using Fragroute and Web Attack IDS evasion tactics
- Bypassing IDS/IPS with TCP obfuscation techniques
- Session hijacking: From Telnet to SSL and SSH
- Monkey-in-the-middle attacks
- Passive sniffing
Gathering and Parsing Packets
- Active sniffing: ARP cache poisoning and DNS injection
- DNS cache poisoning: Redirecting traffic on the Internet
- Using and abusing Netcat, including backdoors and nasty relays
- IP address spoofing variations
Operating System and Application-level Attacks
- Buffer overflows in-depth
- The Metasploit exploitation framework
- Format string attacks
Netcat: The Attacker’s Best Friend
- Transferring files, creating backdoors, and shoveling shell
- Netcat relays to obscure the source of an attack
- Replay attacks
Tools to use for prevention:
- InSSIDer for Wireless LAN discovery
- Nmap Port Scanner and Operating System fingerprinting tool
- Nessus Vulnerability Scanner
- Windows Command Line Kung-Fu for extracting Windows data through SMB sessions
- Sniffers, including Tcpdump
- Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
- Netcat for transferring files, creating backdoors and setting up relays
- ARP and MAC analysis for ARP cache poisoning attack detection
Have to examine how attackers gain access.
The next section covers the attacks in depth
Get hands-on experience and learn how to run sniffers and the Netcat tool.
Have to collect the attack tools and practice how they used in a test environment.
One of the attackers’ favorite techniques for compromising systems: worms.
Have to study the other often exploited area by attackers: web applications.
Look at the a taxonomy of nasty denial-of-service attacks.
Attackers can stop services or exhaust resources. We need to research what to do to prevent this from happening.
- Analysis of worm trends
- Password cracking with John the Ripper
- Rainbow Tables
- Password spraying
Web Application Attacks
- Account harvesting
- SQL Injection: Manipulating back-end databases
- Session Cloning: Grabbing other users’ web sessions
- Cross-Site Scripting
- Distributed Denial of Service: Pulsing zombies and reflected attacks
- Local Denial of Service
Lab exercises in controlled environment
- Password cracking
- Cross-site scripting and SQL injection web application attacks
- Detecting DoS attacks
Maintaining access and covering tracks.
Computer attackers install:
- apply Rootkits,
- manipulate the underlying kernel to hide their presence
These categories of tools require specialized defenses to protect the underlying system.
List and study most commonly used malicious code specimens
Future trends in malware, including BIOS-level and combo malware possibilities
Attackers also cover their tracks by hiding files, sniffers, network usage, and active processes.
Additionally, super stealthy sniffing backdoors are increasingly being used to thwart investigations.
Attackers often alter system logs and attempt to make the compromised system appear normal.
Tools and techniques to detect and respond to activities on your computers and network.
- Backdoors: Using Poison Ivy, VNC, Ghost RAT, and other modern beasts
- Trojan horse backdoors: A nasty combo
- Rootkits: Substituting binary executables with nasty variations
- Kernel-level Rootkits: Attacking the heart of the Operating System (Rooty, Avatar, and Alureon)
Covering the Tracks
- File and directory camouflage and hiding
- Log file editing on Windows and Unix
- Accounting entry editing: UTMP, WTMP, shell histories, etc.
- Covert channels over HTTP, ICMP, TCP, and other protocols
- Sniffing backdoors and how they can mess up investigations unless one aware of them
- Steganography: Hiding data in images, music, binaries, or any other file type
- Memory analysis of an attack
- Specific scenarios showing how attackers use a variety of tools together
- Analyzing scenarios based on real-world attacks
- Learning from the mistakes of other organizations
- Where to go for the latest attack info and trends
Tools to master:
- RootKits and detection
- Detecting Backdoors with Netstat, lsof
- Hidden file detection with LADS
- Covert Channels using Covert_TCP
- HTTP Reverse Shells using Base64
- Nmap port scanner
- Nessus vulnerability scanner
- Network mapping
- Netcat: File transfer, backdoors, and relays
- More Metasploit
- Exploitation using built-in OS commands
- Privilege escalation
- Advanced pivoting techniques
Preparing for the worst case scenario
Securing an infrastructure is a complex task of balancing business needs against security risks.
Incident Handling six steps:
- Lessons learned
These actions have been proven effective in hundreds of organizations.
- Building an incident response kit
- Identifying your core incident response team
- Instrumentation of the site and system
- Signs of an incident
- First steps
- Chain of custody
- Detecting and reacting to Insider Threats
- Documentation strategies: video and audio
- Containment and quarantine
- Pull the network cable, switch and site
- Identifying and isolating the trust model
- Evaluating backup for faults
- Total rebuild of the Operating System
- Moving to a new architecture
- Who makes the determination to return to production?
- Monitoring of system
- Expect an increase in attacks
Special Actions for Responding to Different Types of Incidents
- Inappropriate use
- Pre-built forms
- Legal acceptability
- Lessons learned
- Changes in process for the future