Ransomware
Attack that encrypts files so the victim cannot access them
Lockerware
Ransomware that locks the device or system, but does not necessarily encrypt the files
Scareware
Fake or exaggerated warnings that scare victims into paying money
Crime script
A step-by-step breakdown of how a crime is prepared, committed, and completed
Ransomware process
Preparation → initial access → infection → encryption/data theft → extortion → payment/negotiation
Initial access ransomware
The first way attackers enter a victim’s system, such as phishing, stolen credentials, vulnerabilities, or bought access
initial access broker
A criminal who hacks into systems and sells that access to other attackers
Ransomware pressure tactics
Leaking data
Increasing ransom
Deleting the decryptor
Contacting clients/employees
Launching further attacks
Trust signals ransomware negotiation
Proof that attackers have the data or can decrypt files, such as sample file decryption or a preview of stolen data
Ransom note
A message from the attackers explaining the ransom demand, deadline, payment method, and threats
Reasons paying ransom
Fear of losing files
Need business continuity
Trust access will be restored
Paying is cheaper
Pressure tactics for victims
Saying they cannot afford it
Discussing data value
Mentioning backups
Emotional pleas
Compliments
Impacts ransomware
Financial loss
Operational disruption
Data loss
Emotional stress
Reputational damage
Societal harm
Cybercrime
Any crime that is facilitated or committed using a computer, network, or hardware device
Cybersecurity
The preservation of confidentiality, integrity, and availability of information in cyberspace
Attack vectors
Categorised approaches, mechanisms, or methods used to manipulate an asset and realise a threat
Type of attack vectors
Insider threats
Malware
Social engineering
System design failures
Cyber-dependent crimes
Crimes that can only be committed using computers, networks, or digital systems
(Hacking, malware, ransomware, DDoS attacks)
Cyber-enabled crimes
Traditional offences that existed before the rise of digital technologies but are now facilitated, amplified, or made more efficient through the use of cyber technologies.
(Online romance scams, illicit trade in counterfeit goods via e-commerce platforms)
Malware
Any software, code, or computer program intentionally designed to cause harm to a computer system or its users
Social engineering
Manipulating people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organisational security
CIA triad
Confidentiality
Integrity
Availability
Confidentiality (CIA triad)
Objective: preserving authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Typical threats: spyware and data exfiltration, man-in-the-middle attacks, compromised credentials, weak authentication
Integrity (CIA triad)
Objective: guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity
Typical threats: data tampering, viruses, worms, ransomware, wiperware, supply chain attacks, website defacement
Availability (CIA triad)
Objective: ensuring timely and reliable access to and use of information
Typical threats: distributed denial of service (DDoS) attacks, DNS poisoning, ransomware, wiperware, resource exhaustion (e.g. cryptojacking)
Governance and policy
Strong cybersecurity approach against insider threats.
Tools: personnel screening, physical access control, security operations centres (SOCs), procedures and regulations, security auditing, least-privilege policies
Technical and operational defence
Strong cybersecurity approach against malware.
Tools: security software (e.g. antivirus), endpoint detection and response (EDR), firewalls, intrusion detection systems (IDS), backups, network and file encryption
Human behaviour and cognition
Strong cybersecurity approach against social engineering.
Tools: security awareness training, phishing tests, FIDO passkeys, nudging, cyber safety culture
Architecture and engineering
Strong cybersecurity approach against system design failures.
Tools: multi-factor authentication, penetration testing, principle of least privilege, mandatory updates, zero-trust framework
Principles zero trust
Never trust, always verify; implement least privilege; assume breach
Kerckhoffs’ principle
A cryptographic system should remain secure even if everything about the system is public, except the key
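Added example (not part of the original card set) contrasting a scheme whose secrecy rests on a hidden algorithm with one whose secrecy rests only on a key. The hidden pad, the messages and the attacker functions are constructed for the demonstration; the keyed scheme is a counter-mode keystream built from HMAC-SHA256 and is for illustration only (no authentication tag), not a production cipher.

```python
import hashlib
import hmac
import os

# --- Scheme A: secrecy rests on a hidden algorithm; there is no key ----------
# Constructed "proprietary" transform: every byte is XORed with a fixed pad that
# the vendor keeps "secret" by burying it in the binary.
_HIDDEN_PAD = bytes.fromhex("5ac3e91f7b02d4a8c6e03f19aa57b1d2")  # 16 bytes, constructed


def obscure_encrypt(plaintext: bytes) -> bytes:
    """XOR with the hard-coded pad; decryption is the same operation."""
    return bytes(b ^ _HIDDEN_PAD[i % len(_HIDDEN_PAD)] for i, b in enumerate(plaintext))


def break_obscure_scheme(known_pt: bytes, known_ct: bytes, target_ct: bytes) -> bytes:
    """Attacker with ONE (plaintext, ciphertext) pair of >= 16 bytes recovers the
    pad and can read every other message ever produced by the scheme."""
    pad = bytes(p ^ c for p, c in zip(known_pt[:16], known_ct[:16]))
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(target_ct))


# --- Scheme B: public algorithm, secret key (Kerckhoffs-compliant) -----------
# Keystream = HMAC-SHA256(key, nonce || counter) blocks. Everything below may be
# published; only `key` must stay secret.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh per message; nonce reuse would leak keystream
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def keyed_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


def attack_keyed_scheme(known_pt: bytes, known_ct: bytes, target_ct: bytes) -> bytes:
    """Same attacker, same known pair, plus full knowledge of the algorithm.
    The pair leaks only that message's keystream; the target was encrypted under
    a different nonce, so reusing the leaked keystream yields garbage."""
    leaked_ks = _xor(known_pt, known_ct[NONCE_LEN:])
    return _xor(target_ct[NONCE_LEN:], leaked_ks)


def demo() -> dict:
    """Run both attacks; returns which scheme fell to the known-plaintext attacker."""
    key = os.urandom(32)
    known_pt = b"account=alice&balance=1000"   # constructed, 26 bytes
    target_pt = b"account=bob&balance=999999"  # constructed, 26 bytes

    a_known, a_target = obscure_encrypt(known_pt), obscure_encrypt(target_pt)
    b_known, b_target = keyed_encrypt(key, known_pt), keyed_encrypt(key, target_pt)
    return {
        "obscure_broken": break_obscure_scheme(known_pt, a_known, a_target) == target_pt,
        "keyed_broken": attack_keyed_scheme(known_pt, b_known, b_target) == target_pt,
        "keyed_roundtrip": keyed_decrypt(key, b_target) == target_pt,
    }
```

The practical consequence: a leaked algorithm cannot be rotated, a leaked key can. In real systems use a standard authenticated cipher (AES-GCM, ChaCha20-Poly1305); the point here is only where the secret lives.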
Advanced Persistent Threat
A sophisticated cyberattack conducted by state-sponsored or highly skilled actors that gains unauthorised access to a network and remains undetected for a long period
Characteristics of APT
Advanced
Persistent
Threat
Not opportunistic
Advanced (APT)
They use complex attack chains, custom malware, zero-days, and extensive planning
Persistent (APT)
Attackers maintain access for months or years and often regain access after detection
Threat (APT)
They are often conducted by nation-states pursuing strategic political, military, or economic objectives
Not opportunistic (APT)
Victims are deliberately selected and targeted rather than hit at random
Dwell time
The period attackers remain inside a network before being detected
Cyber warfare
The use of cyber operations to infiltrate, disrupt, spy on, or damage digital systems
APT attack lifecycle (in order)
Reconnaissance (information gathering)
Initial access
Establish persistence
Privilege escalation
Lateral movement
Pre-positioning
Collection and exfiltration
OT
Operational Technology. Systems that control physical processes
ICS
Industrial Control Systems. Used to operate infrastructure and industrial processes
NIS2
An EU directive establishing cybersecurity requirements for critical sectors
Article 5 cyber clause
A significant cyber attack can trigger NATO's collective defence measures under Article 5 of the North Atlantic Treaty
EU cyber solidarity act
An initiative to strengthen cross-border cyber incident response
Platforms CaaS
Darkweb marketplaces
End-to-end encrypted messaging platforms
Products sold through cybercrime
Stolen payment data
Fake documents
Drugs
Malware
Criminal services
Network Theory
Cybercrime operates through decentralised online communities and service marketplaces
Asymmetric nature cybercrime
Large victim pool
Low cost
High profits
Low detection risk
Rapid adaptation by criminals
Hydra structure (cybercrime networks)
No clear hierarchy
Loose networks
Easily replaceable members
Distributed across jurisdictions
Script kiddies
Low-skilled attackers who use existing tools without deep technical knowledge
Technologies that enable crime
AI
Encryption
Privacy-enhancing payment systems
Automation
Challenges combating cybercrime
Loss of data
Loss of location
Differences in legal frameworks
Obstacles to international cooperation
Challenges in public-private partnerships
Pillars response model
Prevent
Detect
Deter
Disrupt
Victim remediation
Helping victims recover through tools such as free ransomware decryptors and malware removal tools
Stages ransomware investigation
Victim reporting
Police reporting
Connecting the dots
Joint police action
Organised crime
Criminal activity involving structured and relatively stable groups that operate continuously for profit and power
Key elements organised crime
Organisation
Criminal activities
Power/governance
CaaS
Crime-as-a-Service
Cybercrime as an ecosystem
Because many specialised actors perform different criminal tasks and work together
Roles in malware ecosystem
About 15 technical and non-technical roles
Researcher focus
Law enforcement should focus more on criminal markets because they involve temporary networks and specialised services rather than fixed organisations
Evolving Chinese cybercrime
From patriotic hacking to a sophisticated profit-driven industry
How Chinese cybercrime organisations blend in
Office hours
Performance metrics
Discipline
Overtime work
Conti
Organised criminal group specialised in RaaS (ransomware-as-a-service). Highly hierarchical structure with corporate characteristics, specialised roles and profit-driven operations
Digital authoritarianism
The use of digital technologies by governments to surveil, repress, and manipulate domestic and foreign populations
Surveillance state
A state in which the government systematically monitors, collects, stores, and supervises information about its citizens, often for security purposes
Waves of internet control
Denial of Internet access
Legal and regulatory control
Surveillance based control
Categories digital control
Obstacles to access
Limits on content
Violations of rights
Examples obstacles to access
Website blocking
Hacking attacks
Internet shutdowns
Examples limits on content
Content filtering
Content bans
Keyword throttling
Disinformation
Examples violations of rights
Surveillance
Malware
Shadow banning
Key elements digital authoritarianism
Protagonists
Technologies
Practices
First-order effects
Second-order effects
Protagonists
State actors
State-aligned actors
Patriotic hackers
Non-state actors
Practices digital authoritarianism
Surveillance
Coercion
Manipulation
Media regulation
Online harassment
Disinformation and misinformation
First-order effects
Increasing the costs and risk of digital social movement activity
Second-order effects
Consolidation and maintenance of political power
Main surveillance systems China
Skynet
Sharp Eyes
Great Firewall
China’s system for controlling and filtering internet content
Social credit system
A data-driven governance system that uses information about individuals and organisations to influence behaviour
China’s strategic objective
To shape narratives and restrict dissenting views
Russian model
Less centralised, more adaptive, and focuses more on information control than comprehensive data integration
SORM
Russia’s surveillance infrastructure. System for Operative Investigative Activities
Yarovaya Laws
Russian laws that expanded surveillance and data-retention powers
RuNet
Russia’s sovereign Internet concept that increases state control over Internet traffic
Russia’s strategic objective
To influence political discourse and shape global information environment
AI changing surveillance
Automated analysis
Behaviour prediction
Behaviour management
Large-scale monitoring
Data colonialism
The extraction and exploitation of personal data as a valuable resource
Surveillance capitalism
The collection and monetisation of personal data for economic gain
Deepfake
AI-generated or AI-manipulated audio, video, or images that realistically imitate a person
Penetration testing
A simulated cyberattack against a system to identify vulnerabilities before real attackers find them
Goals pentest
Find vulnerabilities
Exploit vulnerabilities
Determine impact
Provide recommendations
Black box pentest
Tester has no prior knowledge of the target system
Grey box pentest
Tester has limited information about the target system
White box pentest
Tester has full access to information about the target system
Phases pentest
Information gathering
Scanning
Vulnerability assessment
Exploitation
Privilege escalation
Reporting
OSINT
Open Source Intelligence: gathering information from publicly available sources
Examples OSINT
Social Media
WHOIS
DNS records
Public documents
GitHub repositories
Nmap (network scanner; reveals)
Open ports
Running services
Operating system information
Network hosts
SQL injection
An attack where malicious SQL commands are inserted into application input fields to manipulate a database
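Added example (not from the original card set) showing the vulnerable pattern and its fix side by side. The login function, the user rows and the payloads are constructed for the demo; passwords are stored in plaintext only to keep the query readable, which a real system would never do.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the statement by string formatting, so user input becomes SQL."""
    query = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterised query: values travel separately from the statement text,
    so a quote or comment marker in the input is just data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    conn = make_db()
    # Payload 1: close the string and comment out the password check:
    #   WHERE username = 'alice' --' AND password = 'wrong'
    comment_bypass = "alice' --"
    # Payload 2: tautology in both fields; WHERE becomes always-true and the first row is returned
    tautology = "' OR '1'='1"
    results = {
        "vuln_comment_bypass": login_vulnerable(conn, comment_bypass, "wrong"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "safe_comment_bypass": login_safe(conn, comment_bypass, "wrong"),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_apostrophe": login_safe(conn, "o'brien", "x"),
    }
    # A perfectly honest username with an apostrophe also breaks the naive query
    try:
        login_vulnerable(conn, "o'brien", "x")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError as exc:
        results["vuln_apostrophe"] = f"syntax error: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value!r}")
```

Two caveats a practitioner should keep in mind. Python's `sqlite3.execute` refuses stacked statements (`'; DROP TABLE users; --`), but many other drivers and databases run them, so the absence of that one trick here says nothing about the vulnerability. Parameter binding only covers values: table or column names and `ORDER BY` targets cannot be bound and must be checked against an allowlist instead.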