Viruses, Trojans, and Other Malware
As a security engineer, you need to be aware of the various threats in today’s digital world that attackers can use to disrupt legitimate business activity. No longer is an enterprise’s IT equipment bound to a single location, or even to a few remote sites. Organizations are continuing to use cloud environments to run some or even all of their operations. So in this course, we will explore threats that can affect enterprise environments. Let’s first talk about malware. The name malware comes from combining the words malicious and software, and it is a broad term that encompasses many threats: viruses, trojans and backdoors, worms, rootkits, spyware, exploits, adware, and potentially unwanted programs, just to name a few. One of the oldest types of malware is the virus. While some people mistakenly use malware and virus interchangeably, the strictest definition of a virus is a computer program that copies itself. The virus spreads from one file to another, eventually infecting enough of the computer to cause serious damage, although just one infected file can be enough to cause damage. Viruses can also spread from computer to computer when infected files are transferred via a shared drive, a USB drive, or any other medium for transferring files. A virus is executable code that attaches itself to another program, such as an executable file or a macro inside a Microsoft Office document. The virus lies dormant until the infected file is run, which is when the virus executes its code. The main purpose of a virus is to wreak havoc. It does this by corrupting files, even system files, so that the underlying operating system no longer works properly.
Spyware is another type of malware. As the name implies, spyware is designed to run on a victim’s computer and steal sensitive information. Spyware can take the form of a keylogger, which records every keystroke. If a victim were to go to a banking website and log in, the attacker would be able to read the keystrokes to find out which banking website the user was browsing to, as well as the username and password. Spyware can also collect other information, such as credit card numbers, browsing habits, and pretty much anything else a victim does on the computer.
Another piece of malware that is designed to cause serious harm is a Trojan. Often, Trojans don’t appear to be malicious software, but just like any other malware, they contain code designed to do a specific task. Unlike viruses, Trojans are not able to self-replicate. They have to be installed by the user. A common type of Trojan is a backdoor Trojan, which is designed to give the attacker access to the infected computer, allowing them to do whatever they want. They’re able to add, delete, or even send and receive various files, or maybe the purpose of the Trojan is just to annoy the user by displaying ad pop-ups or changing the desktop background. The attacker can also control many different machines and use them all to attack other victims. The attacker can have all of the infected computers attempt to bring down a system in a Distributed Denial of Service attack. We will get into Denial of Service and Distributed Denial of Service attacks in the next clip. There is a specific type of Trojan that is designed to infect a user’s computer and render it unusable. The only way for the victim to regain access to their computer, as well as their files, is to pay the attacker a sum of money. This type of Trojan is called ransomware, as the attacker has the victim pay a ransom.
Another type of malware is the rootkit. Rootkits are designed to do many of the same malicious things that the other malware we have talked about does. The biggest difference is that rootkits are designed specifically to go undetected by traditional anti-malware software. They can do this by installing themselves into the computer’s kernel, which is the same privilege level as the host operating system. This allows attackers to control the entire computer and even overwrite or delete operating system files.
Worms are a different type of malware. They are very similar to viruses in that they replicate themselves; however, they are not attached to another program, and they do not need the user or a host program to help them spread. Worms exploit a vulnerability in the target system in order to spread from system to system. This is why it is so important to ensure that operating systems and software are kept up to date.
Adware is another type of malware; it generates revenue by displaying ads on an infected machine. The developer of the malware earns revenue either for displaying the ad or through a pay-per-click model. As computer and network systems continue to evolve, it is almost certain that malware will continue to evolve with them. This is why it is as important as ever that, as a security engineer, you keep up with the different types of threats that are out there and with how to mitigate them.
DoS Attacks and Man-in-the-middle Attacks
There are more threats that exist that are not specifically malware. In this section, I will talk to you about Denial of Service and Distributed Denial of Service attacks and man-in-the-middle attacks. A Denial of Service, or DoS, attack is when a system is so degraded that legitimate users are unable to use the system’s services. The system could be a web server, an email server, or any other service that relies on a computer or a system of computers. In order to effectively orchestrate a DoS attack, a malicious attacker has to send so much traffic that the service’s server does not have the resources to respond to every piece of traffic. This could be done by sending a large number of ICMP messages, sending messages that try to initiate the TCP three-way handshake without ever completing it, sending UDP messages, or really any other type of message the service is designed to respond to under normal conditions. Once the system or service is overwhelmed, it is unable to process incoming legitimate requests, so users are denied access to the service. A Distributed Denial of Service attack, or DDoS attack, is when it is not just one machine that is attacking the service; rather, it is a coordinated effort between multiple machines. As we talked about in the previous clip, machines that are infected with malware can be controlled by the attacker to send various types of messages to the intended victim of the DDoS attack. A man-in-the-middle attack is when someone is intercepting the traffic between two otherwise benign systems. For example, if a malicious attacker was able to intercept traffic between a client and a server, they would be able to see the entire contents of the traffic. A man-in-the-middle attack first intercepts the client’s initial request to the server, then makes a copy of that message and sends its copy to the original server. From there, the server replies to the man-in-the-middle with its return message.
Again, the man-in-the-middle makes a copy of this traffic and then replies to the client with the copy. The man-in-the-middle is able to repeat this process over and over throughout the entire conversation between the client and the server. Both the client and the server believe they are talking to each other, unaware there is a device in the middle that is able to see the entire contents of the conversation. Furthermore, with the correct tools, a man-in-the-middle attacker would even be able to inject whatever they wanted into the communication between the client and the server. So not only could they read the contents of the conversation, they could manipulate the conversation in any way they please.
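The DoS and DDoS patterns described above can be picked out of connection telemetry with simple counting. The script below is an added example and is not part of the course; the log format, the thresholds and the sample records are constructed for the demonstration. It flags a source that opens many TCP handshakes but almost never completes them (the half-open flood described above), and separately flags a destination contacted by an unusually large number of distinct sources, which is the signal a per-source threshold alone would miss in a distributed attack.

```python
"""Detect denial-of-service patterns in a stream of connection events.

Added example, not part of the course. The log format is a constructed,
simplified one: "<time> <src_ip> -> <dst_ip>:<port> <stage>", where stage is
SYN (client opened a handshake) or ACK (client completed it).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, not a real capture; addresses are RFC 5737 documentation
# ranges. 203.0.113.5 opens handshakes it never completes (half-open flood),
# while the two 198.51.100.x hosts behave normally.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 -> 192.0.2.10:443 SYN
10:00:01 198.51.100.7 -> 192.0.2.10:443 ACK
10:00:02 203.0.113.5 -> 192.0.2.10:443 SYN
10:00:02 203.0.113.5 -> 192.0.2.10:443 SYN
10:00:02 203.0.113.5 -> 192.0.2.10:443 SYN
10:00:02 203.0.113.5 -> 192.0.2.10:443 SYN
10:00:03 203.0.113.5 -> 192.0.2.10:443 SYN
10:00:03 198.51.100.9 -> 192.0.2.10:443 SYN
10:00:03 198.51.100.9 -> 192.0.2.10:443 ACK
10:00:04 203.0.113.5 -> 192.0.2.10:443 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (SYN|ACK)$")


@dataclass
class SourceStats:
    syn: int = 0
    ack: int = 0

    @property
    def half_open(self) -> int:
        return self.syn - self.ack

    @property
    def completion_ratio(self) -> float:
        return self.ack / self.syn if self.syn else 1.0


def parse(log_text: str):
    """Return per-source handshake counts and the set of sources per destination."""
    by_source = defaultdict(SourceStats)
    sources_per_dest = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines instead of crashing the detector
            continue
        _ts, src, dst, port, stage = m.groups()
        if stage == "SYN":
            by_source[src].syn += 1
        else:
            by_source[src].ack += 1
        sources_per_dest[f"{dst}:{port}"].add(src)
    return by_source, sources_per_dest


def half_open_offenders(log_text: str, min_syns: int = 5, max_completion: float = 0.2):
    """Sources that open many handshakes but rarely finish them (DoS signal)."""
    by_source, _ = parse(log_text)
    return sorted(
        (src, s.half_open)
        for src, s in by_source.items()
        if s.syn >= min_syns and s.completion_ratio <= max_completion
    )


def crowded_targets(log_text: str, min_sources: int = 3):
    """Destinations contacted by many distinct sources in the window (DDoS signal):
    a per-source threshold misses a botnet where every bot stays under the limit."""
    _, sources_per_dest = parse(log_text)
    return sorted(
        (dest, len(srcs))
        for dest, srcs in sources_per_dest.items()
        if len(srcs) >= min_sources
    )


if __name__ == "__main__":
    print("half-open offenders:", half_open_offenders(SAMPLE_LOG))
    print("crowded targets:", crowded_targets(SAMPLE_LOG))
```

The thresholds (five handshakes, 20% completion, three distinct sources) are deliberately tiny so the constructed sample triggers both checks; in production they are tuned per service against a baseline, and the per-destination count is the one to watch for the distributed case.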
Social Engineering and Phishing Attacks
Another type of attack has been on the rise over the past few years: the social engineering attack. One example of social engineering is when there is perceived trust between the attacker and another party. The party could be the victim themselves, or a third party such as an internet service provider or email provider. For the latter, if the attacker is able to gain the trust of the provider and convince them that they are the victim, it is possible that the service provider will give out confidential information that should only be disclosed to the victim, such as an account name and password. Once the attacker has this information, they can use it to obtain even more information, or even change the service in order to prevent the victim from using it. If the attacker conducts the social engineering attack directly against the victim, they convince the victim that they are a trusted authority. There are various ways attackers can find out enough information to gain the victim’s trust. A common method in today’s world is to use the victim’s social media and other online profiles. Regardless of the method used to collect information, once trust has been gained, the attacker can use it to convince the victim that all correspondence is legitimate. This means they can send emails with the malicious links we talked about in the previous clip and module. If the user believes the email is legitimate, they are much more likely to click on the link. The email doesn’t even need to contain a malicious file. Let’s say the attacker was able to find out that the victim was buying a house and needed to send a large wire transfer for the down payment. I live in the United States, and normally, the money is transferred to a title company.
If the attacker were to use social engineering to convince the victim that they are the title company, they could provide an incorrect bank account number so the victim sends the money to the attacker and not to the legitimate title company. One of the common ways to carry out a social engineering attack is phishing. Phishing is the act of using electronic communications to gain the trust of an unsuspecting user. There are a few different variants of phishing. Bulk phishing is when no specific individual or organization is targeted; rather, the attacker starts a phishing campaign and targets as many people as possible in order to gain as many victims as possible. Spear phishing is when the attacker targets a specific individual or organization. The attacker conducts research and gathers as much information as possible about the intended target in order to have a higher chance of success. The example I gave earlier about the attacker impersonating a title company is an example of a spear phishing attack. The attacker knew that the victim was going to buy a house and probably found out which title company the victim was planning to use. Again, by having this information, the attacker had a higher chance of success, since they would know information that the victim believes only the legitimate person or company would know.
Whaling is a subset of spear phishing that targets senior executives and other high-profile individuals. The content the attacker uses to gain the victim’s trust is tailored to upper management.
Endpoints Stopping Phishing
We have been discussing social engineering attacks, which include phishing, so now let’s talk about different ways to mitigate phishing. One of the best ways to mitigate phishing attempts is to train the userbase: prepare users to recognize the common tactics phishing attackers use, so that if they see any of these tactics, they are less likely to click on malicious links or attachments in an email. Here are some helpful tips that you can use to teach your userbase. First, have them verify that the domain name looks correct before clicking on any link, regardless of who it comes from. Another tip is to have users ask themselves whether the email makes complete sense. An example scenario would be an attacker targeting a corporate user in finance with an email that includes a link to an invoice. If the user asks whether it makes sense that they are receiving this invoice, that will help raise red flags. Maybe they are expecting an invoice, but the from address does not look familiar. This leads me to the next tip. If the phishing attempt does seem plausible, train the user to call to confirm. Even if the attacker was able to spoof the from address to match the correct domain, or even a correct email address, the user should still call to confirm that an invoice was actually sent. If the user does spot a phishing attempt, do not have them reply; rather, train the user to flag the email as spam to help prevent more phishing attempts from making it through the company’s filters. Lastly, teach users that if they do happen to click on a malicious link, they should contact their IT department or security team right away. This will help minimize the damage as quickly as possible. There are services out there that allow you to run campaigns against your own userbase in order to simulate a phishing attempt. No malicious links are included; rather, the link redirects the user to a landing page giving them even more useful tips on what to look for.
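The first training tip above, checking that the domain name in a link looks correct, can also be automated at the mail gateway or in a mail client plug-in. The script below is an added example and is not part of the course or of any vendor product; the trusted domain, the sample email body and the heuristics are constructed for the demonstration. It extracts every link from an HTML email and flags the three things a trained user is taught to notice: the visible text shows one domain while the link goes to another, the host contains the organization’s domain name but is actually registered elsewhere, and the host uses a punycode (xn--) label that can render as a look-alike of a familiar name.

```python
"""Flag suspicious links in an email body, mirroring what user training tells
people to check by eye: does the visible text point where the link really
goes, and does the domain merely look like ours?

Added example, not part of the course. TRUSTED_DOMAINS and the sample email
are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # constructed: the organization's own domain

# Constructed sample phishing email body (HTML fragment, not a real message).
SAMPLE_EMAIL = """
<p>Your invoice is ready for payment.</p>
<a href="https://example.com.invoice-portal.net/pay">https://example.com/invoices/1042</a>
<a href="http://xn--exmple-cua.com/login">Sign in to review</a>
<a href="https://example.com/help">Help centre</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL or bare domain ('' if none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Approximation: the last two labels. Production code should consult
    the public suffix list so that e.g. co.uk is handled correctly."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_like_domain(text: str) -> bool:
    return "." in text and " " not in text


def check_links(html: str, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for links a trained user should distrust."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        # 1. Internationalized label: may render as a homoglyph of a trusted name.
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host")
        # 2. Visible text shows one domain, the link actually goes to another.
        if looks_like_domain(text) and registrable_domain(host_of(text)) != registrable_domain(host):
            reasons.append("display text points elsewhere")
        # 3. Trusted name embedded in a host whose registrable domain differs.
        for d in trusted:
            if d in host and registrable_domain(host) != d:
                reasons.append(f"lookalike of {d}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```

On the constructed sample, the first link is flagged twice (the text says example.com but the link resolves to invoice-portal.net, and it embeds the trusted name), the second is flagged for its punycode label, and the genuine help link passes. The same checks complement, rather than replace, the training: an automated flag is a prompt for the user to make the confirmation call the tips describe.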
However, even though training users is very effective, sometimes it is not enough. As we discussed in the previous clip, phishing attacks are becoming more and more sophisticated. If an attacker is able to come up with a new method that the userbase has not been trained on, the user is more likely to fall for the phishing attempt. This is where technology comes in.
For example, Cisco’s advanced phishing protection analyzes emails that make it through the initial secure email gateway, using methods such as advanced machine learning techniques, relationship modeling, real-time behavior analytics, and telemetry to quickly identify whether an email is a phishing attempt. If the email is determined to be a phishing attempt or malicious, the advanced phishing protection can be configured to discard the email or redirect it for further analysis. That analysis can be done either in-house or with a security partner such as Cisco. Cisco security experts will help your organization fully understand the impact of various phishing and social engineering attempts. By implementing technology to help with phishing, any new phishing technique that has been identified elsewhere can be used to protect the organization. This means that, along with training users on how to spot malicious attempts, your organization can be confident that anything users have not been trained on has a reduced likelihood of being a successful phishing attempt.
Attacks Against Cloud Services
While all of the attacks mentioned in this module can affect devices hosted in a cloud environment, in this clip, I want to talk to you about specific threats against cloud environments. There are a few not-for-profit organizations out there that provide guidelines for security engineers to ensure that their systems are secure. The Cloud Security Alliance, or CSA, is one of them, and as the name implies, they are focused on securing the cloud. The Open Web Application Security Project, or OWASP, is focused on creating secure web applications, and they maintain a top 10 list of vulnerabilities. The first threat I want to talk to you about that affects clouds is a cloud data breach. A data breach occurs when an attacker is able to view information that should be kept confidential by breaking into the system where the data is stored. As more and more organizations decide to store their information in a cloud environment, that information is more susceptible if any of the security measures are not correctly configured. Once an attacker has identified a system with weaker security, it is a lot easier for them to gain access to that system. The CSA states that the lack of security could stem from human error, application vulnerabilities, or just poor security practices in general. Once the attackers have access to the system, they then have access to all of the files on that system. In order to take advantage of the many benefits that cloud computing provides, application programming interfaces, or APIs, are used. APIs allow connections and authorized data sharing to occur automatically. However, just like with the previous threats we’ve discussed so far, APIs that are not secured are vulnerable to attack: for example, an API request with an embedded malicious payload, or stolen API keys used to impersonate a legitimate application making an API request.
If the API itself isn’t built on the principle of least privilege, that is another security concern, one that would allow a threat actor to do even more damage than if the API had the correct restrictions. API gateways can be used so that all API connections terminate at one location. The OWASP Foundation recommends using API security gateways. API security gateways provide the same functionality as an API gateway, but as the name implies, they have security technologies built right in. When the original API gateways were designed, security was not a primary concern, only functionality, which leaves them susceptible to an attacker gaining access. Another concern for cloud systems is plain old account management. Just as with organizations that host their systems on-premises, if admin accounts are not properly managed and passwords are not changed when an administrator leaves the organization, this poses another security risk. If the organization does not properly manage and authenticate operators, it leaves itself susceptible to attack. A good way to mitigate against stolen credentials is to use multifactor authentication. Multifactor authentication is covered in depth in the Cisco Core Security Endpoint Protection and Detection course. And just as with on-premises systems, Denial of Service and Distributed Denial of Service attacks are also a risk for systems hosted in the cloud. Alright, so that is all I wanted to teach you about the various threats that affect both on-premises environments and environments hosted in the cloud.
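The API and account-management concerns above (stolen API keys, APIs that ignore least privilege, and credentials that outlive the administrator who held them) come together at the gateway where every API call terminates. The script below is an added example and is not the course’s material, nor any vendor’s gateway; the route table, scope names and clock are constructed for the demonstration. Each issued key carries only the scopes its owner needs, the gateway stores just a hash of the key, every route is denied unless it maps to a granted scope, and keys expire or can be revoked in bulk when an owner leaves.

```python
"""A minimal API security gateway check: keys are scoped to least privilege,
stored only as a hash, and can expire or be revoked when their owner leaves.

Added example, not part of the course or of any vendor's gateway. Route names,
scope names and the injectable clock are constructed for the demonstration.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

# Constructed route table: the scope each operation requires. Anything not
# listed is denied, so a new endpoint cannot be exposed by accident.
ROUTE_SCOPES: Dict[str, str] = {
    "GET /orders": "orders:read",
    "POST /orders": "orders:write",
    "DELETE /users": "users:admin",
}


@dataclass
class KeyRecord:
    owner: str
    scopes: FrozenSet[str]
    expires_at: int
    revoked: bool = False


def _fingerprint(token: str) -> str:
    # Only the hash is stored: a leaked key table cannot be replayed as keys.
    return hashlib.sha256(token.encode()).hexdigest()


class Gateway:
    def __init__(self, now: Callable[[], int]):
        self.now = now  # injected clock (epoch seconds) so expiry is testable
        self._keys: Dict[str, KeyRecord] = {}

    def issue(self, owner: str, scopes: Iterable[str], ttl_seconds: int) -> str:
        """Mint a key with exactly the requested scopes and a hard expiry."""
        token = secrets.token_urlsafe(32)
        self._keys[_fingerprint(token)] = KeyRecord(
            owner, frozenset(scopes), self.now() + ttl_seconds
        )
        return token  # shown once to the caller, never stored in the clear

    def revoke_owner(self, owner: str) -> int:
        """Disable every key an owner holds, e.g. when an administrator leaves."""
        hits = [r for r in self._keys.values() if r.owner == owner and not r.revoked]
        for record in hits:
            record.revoked = True
        return len(hits)

    def authorize(self, token: str, route: str) -> Tuple[bool, str]:
        """Decide one request. Every failure path returns a distinct reason
        for the audit log; the caller only ever sees allow or deny."""
        record = self._keys.get(_fingerprint(token))
        if record is None:
            return False, "unknown key"
        if record.revoked:
            return False, "key revoked"
        if self.now() >= record.expires_at:
            return False, "key expired"
        required = ROUTE_SCOPES.get(route)
        if required is None:
            return False, "unknown route"  # deny by default
        if required not in record.scopes:
            return False, f"scope {required} not granted"
        return True, "ok"


if __name__ == "__main__":
    clock = {"t": 1_000}
    gw = Gateway(now=lambda: clock["t"])
    key = gw.issue("billing-app", {"orders:read"}, ttl_seconds=3600)
    print(gw.authorize(key, "GET /orders"))    # allowed: scope granted
    print(gw.authorize(key, "DELETE /users"))  # denied: least privilege
    clock["t"] += 7200
    print(gw.authorize(key, "GET /orders"))    # denied: key expired
```

The deny-by-default route table and the per-key scope set are what least privilege looks like at an API boundary: a key stolen from the billing application cannot delete users no matter what the request says. Revocation by owner is the API-key counterpart of disabling a departing administrator’s account.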