Advanced Persistent Threat (APT)
Cybercrime directed at business and political targets, using a wide variety of intrusion technologies and malware, applied persistently and effectively to specific targets over an extended period, often attributed to state-sponsored organizations.
Adware
Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
Attack kit
Set of tools for generating new malware automatically using a variety of supplied propagation and payload mechanisms.
Auto-rooter
Malicious hacker tools used to break into new machines remotely.
Backdoor (trapdoor)
Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system.
A secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures.
Downloaders
Code that installs other items on a machine that is under attack. It is normally included in the malware code first inserted onto a compromised system, to then import a larger malware package.
Drive-by-download
Spreads when user visits malicious website
The malware does not propagate
Flooders (DoS client)
Used to generate a large volume of data to attack networked computer systems, by carrying out some form of denial-of-service (DoS) attack.
Keyloggers
Captures keystrokes on a compromised system.
Logic bomb
Code embedded in some legitimate program that is set to "explode" when certain conditions are met:
- Presence/absence of certain files
- Particular day of the week or date
- Particular user running the application
Macro virus
A type of virus that uses macro or scripting code, typically embedded in a document, and triggered when the document is viewed or edited, to run and replicate itself into other such documents.
Mobile code
Software (e.g., script, macro, etc.) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Rootkit
Set of hacker tools used after attacker has broken into a computer system and gained root-level access.
Spammer programs
Used to send large volumes of unwanted e-mail.
Spyware
Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data, and/or network traffic; or by scanning files on the system for sensitive information.
Trojan horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes it.
*Malware that does not replicate*
Virus
Malware that, when executed, tries to replicate itself into other executable machine or script code; when it succeeds, the code is said to be infected. When the infected code is executed, the virus also executes.
*Parasitic code that needs a host program*
*Malware that replicates*
Worm
A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities in the target system.
- exploit software vulnerabilities in client or server programs
- can use network connections to spread from system to system
- can spread through shared media (USB drives, CD, DVD data disks)
Worm Technology
Multiplatform: Windows and UNIX
Multi-exploit: Penetrates systems in various ways, including Web servers, browsers, email, file sharing, etc.
Ultrafast spreading: First find IP addresses of vulnerable machines, then attack
Polymorphic: Adopt virus' polymorphic technique (change worm's appearance) to evade detection
Metamorphic: Change its own behavior patterns to evade detection
Transport vehicles: Worms are ideal for spreading distributed attack tools (e.g. DDoS bots)
Zero-day exploit: Most dreaded by security pros. It exploits a previously unknown vulnerability that only becomes known when the worm is launched
Zombie, bot
Program installed on an infected machine that is activated to launch attacks on other machines.
Blended attack
Uses multiple methods of infection or propagation, to maximize the speed of contagion and the severity of the attack.
Infection mechanism
The means by which a virus spreads or propagates, enabling it to replicate. The mechanism is also referred to as the infection vector.
Trigger
The event or condition that determines when the payload is activated or delivered, sometimes known as a logic bomb.
Payload
Based on actions or payloads it performs once a target is reached
Propagates
Based on how it spreads or propagates to reach desired targets
Dormant phase
The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
Propagation phase
The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
- Scanning or fingerprinting: searches for access mechanisms to other systems to infect
- uses the access mechanisms found to transfer a copy of itself to the remote system
- causes the copy to be run
Triggering phase
The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
Execution phase
The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Boot sector infector
Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
File infector
Infects files that the operating system or shell consider to be executable.
Multipartite virus
Infects files in multiple ways
Encrypted virus
A form of virus that uses encryption to obscure its content. A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe.
Stealth virus
Designed to hide itself from detection by anti-virus software. It may use code mutation, compression, or rootkit techniques to achieve this.
Polymorphic virus
Mutates with every infection.
Creates copies during replication that are functionally equivalent but have distinctly different bit patterns, in order to defeat programs that scan for viruses.
Mutates with every infection, making detection by virus "signature" impossible
Changes its "appearance"
Metamorphic virus
Mutates with every infection.
Rewrites itself completely at each iteration, using multiple transformation techniques, increasing the difficulty of detection.
Change its behavior and appearance.
Electronic mail or instant messenger facility
A worm e-mails a copy of itself to other systems, or sends itself as an attachment via an instant message service, so that its code is run when the e-mail or attachment is received or viewed.
File sharing
A worm either creates a copy of itself or infects other suitable files as a virus on removable media such as a USB drive; it then executes when the drive is connected to another system, using the autorun mechanism by exploiting some software vulnerability, or when a user opens the infected file on the target system.
Remote execution capability
A worm executes a copy of itself on another system, either by using an explicit remote execution facility or by exploiting a program flaw in a network service to subvert its operations.
Remote file access or transfer capability
A worm uses a remote file access or transfer service to another system to copy itself from one system to the other, where users on that system may then execute it.
Remote login capability
A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other, where it then executes.
Scanning (fingerprinting)
The first function in the propagation phase for a network worm is to search for other systems to infect.
Worms must identify potential systems running vulnerable services.
Network address scanning strategies:
Random strategy
Hit list strategy
Topological strategy
Local subnet strategy
Random strategy
Each compromised host probes random addresses in the IP address space, using a different seed.
Hit-List strategy
- Attacker first compiles a long list of potentially vulnerable machines
- Once the list is compiled the attacker begins infecting machines on the list
- Each infected machine is provided with a portion of the list to scan
- This results in a very short scanning period which may make it difficult to detect that infection is taking place
Topological strategy
Use info contained on an infected victim machine to find more hosts to scan
Local subnet strategy
If a host is infected behind a firewall, the host looks for targets on that subnet behind the firewall.
Worm Propagation Model
dI(t)/dt = bI(t)S(t)
where
I(t) = number of individuals infected as of time t
S(t) = number of susceptible individuals (susceptible to infection but not yet infected) at time t
b = infection rate
N = size of the population, N = I(t) + S(t)
Initial phase (slow start phase) -> Middle phase (fast spread phase) -> Finish phase (slow finish phase)
Ransomware
As an alternative to just destroying data, some malware encrypts the user's data, and demands payment in order to access the key needed to recover this information.
Botnet
The collection of bots often is capable of acting in a coordinated manner
Spamming
With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk e-mail (spam).
Sniffing traffic
Bots can also use a packet sniffer to watch for interesting cleartext data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords.
Installing advertisement add-ons and browser helper objects (BHOs):
Botnets can also be used to gain financial advantages. This works by setting up a fake Web site with some advertisements
Attacking IRC chat networks
Botnets are also used for attacks against Internet Relay Chat (IRC) networks. A popular attack among attackers is the clone attack.
Manipulating online polls/games
Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.
Phishing
Exploits social engineering to leverage user's trust by masquerading as communications from a trusted source
Spear-phishing
This again is an e-mail claiming to be from a trusted source. However, the recipients are carefully researched by the attacker.
denial-of-service (DoS)
an attempt to compromise availability by hindering or blocking completely the provision of some service.
an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
Flooding attacks
in the 50 GBps range are powerful enough to exceed the bandwidth capacity of almost any intended target, including perhaps the core Internet Exchanges or critical DNS name servers, but even smaller attacks can be surprisingly effective
SYN spoofing
This attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
It is an attack on system resources.
Poison packet
Another form of system resource attack uses packets whose structure triggers a bug in the system's network handling software, causing it to crash. This means the system can no longer communicate over the network until this software is reloaded, generally by rebooting the target system.
Source address spoofing
A common characteristic of packets used in many types of DoS attacks is the use of forged source addresses.
If using spoofed source addresses, then trace is difficult
Backscatter traffic
The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses
Three-way handshake
SYN, SYN/ACK, ACK
Figure 7.2
TCP SYN spoofing attack
Figure 7.3
Step 1: Client sends SYN (client seq=x) to server
Step 2: Server sends SYN-ACK (server seq=y, client seq "ack"=x+1) to client.
Step 3: Client sends ACK (server seq "ack"=y+1) to server
The client's sequence number is incremented to mark the connection as established at the client. The server receives the ACK (server seq "ack"=y+1) from the client.
Connection is now established; data transfer begins
But sometimes things can go wrong
Both client and server keep track of which packet they have sent
If no response is received in a reasonable time, a machine will resend packet (that's why TCP is "reliable")
SYN spoofing exploits this behavior
ICMP flooding
- ping flood using ICMP echo request packets
UDP Flood
uses UDP packets directed to some port number on the target system
TCP SYN Flood
normal TCP connection requests, with either real or spoofed source addresses
Reflection attack (newer attack method)
The attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system. When the intermediary responds, the response is sent to the target. Effectively this reflects the attack off the intermediary, which is termed the reflector.
in other words: Send to intermediary a packet with a spoofed source address = target address
Intermediary servers can generate high volumes of traffic
Intermediary servers should be:
High-capacity networked servers
Routers connected to high-capacity links
Disadvantage of reflection attack: One response (backscatter) packet for each attack packet
Distributed DoS (DDoS) attacks (newer attack method)
Using multiple systems to attack the target
- zombies with backdoor programs installed
- forming a botnet
Amplification attacks (newer attack method)
A variant of reflector attacks; they also involve sending a packet with a spoofed source address for the target system to intermediaries.
They differ in generating multiple response packets for each original packet sent. All hosts on that network can potentially respond to the request, generating a flood of responses to the target.
Attack prevention and preemption (before the attack)
Enforcing policies for resource consumption
Providing backup resources available on demand
Attack detection and filtering (during the attack)
Detection looks for suspicious patterns of behavior
Response filters out likely attack packets
Attack source traceback and identification (during and after the attack)
Identify attack source to prevent future attacks
Does not yield results fast enough, if at all, to mitigate ongoing attack
Attack reaction (after the attack)
This is an attempt to eliminate or curtail the effects of an attack.
Security Intrusion
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
Intrusion Detection
A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Sensors
Collects data
Analyzers
Receive input from sensors to determine if an intrusion has occurred.
output = indication that an intrusion has occurred.
User interface
Enables a user to view output from the system or control the behavior of the system
Host-based IDS (HIDS)
Monitors single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity.
Network-based IDS (NIDS):
Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
Distributed or hybrid IDS
Combines information from a number of sensors, often both host and network-based, in a central analyzer that is able to better identify and respond to intrusion activity.
false positives and false negatives
false positives: false alarms where authorized users are identified as intruders.
false negative: intruders not identified as intruders.
Figure 8.1 Profiles of Behavior of Intruders and Authorized Users
Figure 8.1 suggests, in abstract terms, the nature of the task confronting the designer of an IDS. Although the typical behavior of an intruder differs from the typical behavior of an authorized user, there is an overlap in these behaviors.
Anomaly detection
Involves the collection of data relating to the behavior of legitimate users over a period of time.
Then current observed behavior is analyzed to determine with a high level of confidence whether this behavior is that of a legitimate user or alternatively that of an intruder.
Signature or Heuristic detection
Uses a set of known malicious data patterns (signatures) or attack rules (heuristics) that are compared with current behavior to decide if it is that of an intruder. It is also known as misuse detection.
Anomaly Detection Classifications
Statistical Analysis: of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
Knowledge based Approaches: use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.
Machine-learning Approaches: automatically determine a suitable classification model from the training data using data mining techniques.
Machine-learning approaches
Bayesian networks: Encode probabilistic relationships among observed metrics.
Markov models: Develop a model with sets of states, some possibly hidden, interconnected by transition probabilities.
Neural networks: Simulate human brain operation with neurons and synapses between them, that classify observed data.
Fuzzy logic: Uses fuzzy set theory where reasoning is approximate, and can accommodate uncertainty.
Genetic algorithms: Uses techniques inspired by evolutionary biology, including inheritance, mutation, selection and recombination, to develop classification rules.
Clustering and outlier detection: Group the observed data into clusters based on some similarity or distance measure, and then identify subsequent data as either belonging to a cluster or as an outlier.
Signature approaches
Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network.
Rule-based heuristic identification
Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses.
Host-based IDSs (HIDSs) Data Sources and Sensors
System call traces: A record of the sequence of system calls by processes on a system.
Audit (log file) records: Most modern operating systems include accounting software that collects information on user activity.
File integrity checksums: A common approach to detecting intruder activity on a system is to periodically scan critical files for changes from the desired baseline, by comparing current cryptographic checksums for these files with a record of known good values.
Registry access: An approach used on Windows systems is to monitor access to the registry, given the amount of information in it and the access to it used by programs on these systems. However, this source is very Windows specific and has recorded limited success.
Inline sensor
Inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
Passive sensor
Monitors a copy of network traffic; the actual traffic does not pass through the device.
Intrusion Detection Message Exchange Requirements (RFC 4766)
Intrusion Detection Message Exchange Format (IDMEF)
The Intrusion Detection Message Exchange Format (RFC 4765)
Extensible Markup Language (XML)
The Intrusion Detection Exchange Protocol (RFC 4767)
Intrusion Detection Exchange Protocol (IDXP)
Figure 8.7 Model for Intrusion Detection Message Exchange
Data source - raw data
Sensor - collects data from data source
Analyzer - analyze data by sensor
Administrator - human
Manager - operator manages ID component
Operator - human
Honeypots
Decoy systems that are designed to lure a potential attacker away from critical systems.
Figure 8.8 Example of Honeypot Deployment
Honeypots can be deployed in a variety of locations
location 1 - external firewall
location 2 - service network (web, mail, dns)
location 3 - internal network
IP Address and Protocol Values
Controls access based on the source or destination addresses and port numbers, direction of flow being inbound or outbound, and other network and transport layer characteristics.