
Threatscape

Vulnerability: A weakness that compromises the security or functionality of a system.
Exploit: The mechanism used to leverage a vulnerability. Example: an exploit tool.
Threat: A circumstance or event with the potential to cause harm to an asset.
Risk: The likelihood that a particular threat, using a specific attack, will exploit a particular
vulnerability of an asset.

DoS
-A DoS attack attempts to consume all resources of a computer or network in order to
make it unavailable for valid use.
-DoS attacks are considered a major risk because they can easily disrupt the operation of a business
and they are relatively simple to conduct.
-Classic DoS attack: TCP SYN flood attack
*The attacker sends multiple TCP SYN packets with random source addresses to a victim host.
*The victim host sends back a SYN-ACK message to each random source address and adds
an entry to its connection table.
*Because the SYN-ACK is directed to a non-existent or wrong address, the 3-way
handshake is never completed and the entry remains in the connection table until a timer
expires.
*By sending many TCP SYN messages at a rapid rate, an attacker can fill up the
connection table, denying all other TCP services to legitimate users.
*There is no easy way to trace the originator of the attack because the source IP address is
forged.
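To see the connection-table behaviour described above, here is an added example (not part of these notes) that models a victim's table with an assumed 30 s SYN timer and an assumed capacity of 8 entries, feeds it constructed packet records, and flags the point where half-open entries dominate completed handshakes:

```python
# Added example (not from the notes): model of a victim's TCP connection table, used
# to see how spoofed SYNs accumulate as half-open entries and to flag the condition.
from dataclasses import dataclass, field

SYN_TIMEOUT_MS = 30_000   # assumed: how long a half-open entry lingers before the timer expires
TABLE_CAPACITY = 8        # assumed: deliberately tiny so the constructed sample fills it

@dataclass
class ConnTable:
    half_open: dict = field(default_factory=dict)  # src_ip -> arrival time of its SYN (ms)
    completed: int = 0                             # handshakes that reached the final ACK
    refused: int = 0                               # SYNs dropped because the table was full

    def expire(self, now_ms):
        stale = [src for src, t in self.half_open.items() if now_ms - t > SYN_TIMEOUT_MS]
        for src in stale:
            del self.half_open[src]

    def handle(self, now_ms, src, flags):
        self.expire(now_ms)
        if flags == "SYN":
            if len(self.half_open) >= TABLE_CAPACITY:
                self.refused += 1                       # legitimate clients are refused too
            else:
                self.half_open.setdefault(src, now_ms)  # SYN-ACK sent, waiting for the ACK
        elif flags == "ACK" and src in self.half_open:
            del self.half_open[src]                     # third step of the handshake arrived
            self.completed += 1

def half_open_ratio(table):
    total = len(table.half_open) + table.completed
    return len(table.half_open) / total if total else 0.0

def run(packets, min_half_open=4, ratio_threshold=0.8):
    """Feed (time_ms, src_ip, flags) records through the table; return it and the
    time at which the half-open ratio first crossed the threshold (None if never)."""
    table, first_alert = ConnTable(), None
    for now_ms, src, flags in packets:
        table.handle(now_ms, src, flags)
        if first_alert is None and len(table.half_open) >= min_half_open \
                and half_open_ratio(table) >= ratio_threshold:
            first_alert = now_ms
    return table, first_alert

# Constructed sample: two legitimate handshakes, a burst of SYNs from forged sources
# that never answer the SYN-ACK, then a legitimate SYN that finds the table full.
SAMPLE = [(0, "192.0.2.10", "SYN"), (50, "192.0.2.10", "ACK"),
          (100, "192.0.2.11", "SYN"), (150, "192.0.2.11", "ACK")]
SAMPLE += [(200 + 10 * i, f"198.51.100.{i + 1}", "SYN") for i in range(10)]
SAMPLE.append((400, "192.0.2.12", "SYN"))

if __name__ == "__main__":
    table, alert = run(SAMPLE)
    print(f"half-open={len(table.half_open)} completed={table.completed} "
          f"refused={table.refused} alert_at_ms={alert}")
```

The refused counter is the user-visible effect of the attack: once the table is full, the legitimate SYN at 400 ms is dropped exactly like the forged ones.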

Ping of Death
*Can cause a service, a system or a group of systems to crash.
*The attacker creates a fragment, specifying a fragment offset that indicates a full packet size of
more than 65,535 bytes.
*The receiver attempts to set up buffers to accommodate the packet reassembly, and
the out-of-bounds request causes the system to crash or reboot.
*Exploits vulnerabilities at the IP layer.
*Vulnerabilities at the application layer are also exploited in the same way, by sending malformed SNMP,
syslog, DNS or other messages.

*Modern computer systems have been patched to mitigate the Ping of Death attack (in
IPv4). Therefore, it is not an issue in today's networks.

DDoS (Distributed DoS)

-When an attack derives from a single host on the network, it constitutes a DoS attack.
-When multiple malicious hosts coordinate to flood a victim, it is a DDoS attack: the attack takes place
simultaneously from thousands of sources.
-DDoS attacks emanate from networks known as botnets.

Botnet
*A botnet consists of a group of zombie computers that run bots and a master
control mechanism that controls the zombies.
*The originator of a botnet has master control through a command-and-control
server that controls the zombie computers remotely, often using IRC (Internet Relay Chat).
*A botnet operator infects computers by sending malicious bots.
-A malicious bot is self-propagating malware designed to infect a host and send back
information to the command-and-control server.
-Like a worm, a bot can self-propagate, but it includes other abilities as well.
-The bot on the infected host logs into the command-and-control server and waits
for commands.
-Communication often takes place over IRC, encrypted channels, bot-specific peer-to-peer
networks, and even Twitter.

Spoofing
-Any time an attacker injects traffic that appears to be sourced from a system other than
the attacker's own system.
-It is not specifically an attack, but it can be incorporated into many attacks.
-There are many types of spoofing:
*IP address spoofing
-The most common type of spoofing.
-Attackers use an IP address that is different from their real IP address.
*MAC address spoofing
*Application or service spoofing
-Example: DHCP spoofing (can be done either as a client or as a server)
-Another simple example: an email from an attacker that seems to be sourced from
a trusted email account.
*Land attack (combining a SYN attack with IP spoofing)
-The attacker sends spoofed SYN packets containing the IP address of the victim as both
the source and the destination IP address.
-The receiving system responds by sending the SYN-ACK message to itself, creating
an empty connection that lasts until the idle timeout value is reached.

Reflection attack
-A type of DoS attack in which the attacker sends a flood of request packets with a spoofed source IP
address to various IP hosts. The hosts that receive these packets act as reflectors by sending
response packets to the victim (the spoofed address).

Amplification attack
-An amplification attack is any attack in which the attacker is able to use an amplification factor
to multiply its power.
-A relatively small number of resources is needed to cause a significant number of target resources
to fail.
-In an amplification attack, small forged query packets are turned into much larger response
payloads directed to the target.
For example: DNS amplification attack

*The attacker spoofs the IP source address and finds an Internet domain
registered with many DNS records.
*The attacker sends a recursive DNS query via UDP with a spoofed source address.
*The DNS server sends a response packet that may be many times larger than the DNS
query packet (the DNS server amplifies the traffic sent to the victim).
*These amplifications can increase the size of the requests from around 40 bytes to
above the maximum Ethernet packet size of 4000 bytes, which requires them to
be broken down for transmission and then reassembled, using more resources.
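To put numbers on the "small query, large response" point, here is an added example (not part of these notes) that builds a minimal DNS ANY query and a constructed response in wire format, computes the amplification factor, and counts the IPv4 fragments the response needs on a standard 1500-byte Ethernet MTU; the zone name, record count and record size are assumptions:

```python
# Added example (not from the notes): build a minimal DNS query and a constructed
# response in wire format to measure the amplification factor a reflector would give.
import struct

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def build_query(name, qtype=255, txn_id=0x1234):
    """12-byte header (RD flag set: recursion desired) + one question; 255 = ANY."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, txt_records):
    """Answer the query with one TXT record per string, using a compression pointer
    (0xC00C) back to the question name so each record costs 12 bytes plus its data."""
    txn_id = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(txt_records), 0, 0)
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt.encode()           # TXT: one <=255-byte string
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + answers

def amplification_factor(query, response):
    """Bytes the reflector sends to the victim per byte the attacker had to send."""
    return len(response) / len(query)

def fragments_needed(udp_payload_len, mtu=1500):
    """IPv4 fragments for one UDP datagram: 20-byte IP header per fragment, fragment
    data in multiples of 8 bytes, so each fragment carries at most mtu-20 bytes (1480)."""
    per_fragment = (mtu - 20) // 8 * 8
    return -(-(8 + udp_payload_len) // per_fragment)       # ceiling division

# Constructed sample: an ANY query for a zone that holds twenty 200-byte TXT records.
QUERY = build_query("example.com")
RESPONSE = build_response(QUERY, ["x" * 200] * 20)

if __name__ == "__main__":
    print(f"query={len(QUERY)}B response={len(RESPONSE)}B "
          f"factor={amplification_factor(QUERY, RESPONSE):.1f}x "
          f"fragments={fragments_needed(len(RESPONSE))}")
```

A resolver that answers such queries for any source is the reflector the notes describe; limiting recursion to known clients and rate-limiting responses removes the multiplier.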

Classic example of reflection and amplification: Smurf attack

*The attacker sends multiple ICMP echo-requests to the broadcast address of a large
network.
*These packets contain the victim's address as the source address.
*Every host in the large network responds with an ICMP echo-reply to the victim.
*Smurf attacks can be easily mitigated with the no ip directed-broadcast command (the default
setting).
*It no longer represents much of a threat; mitigation techniques became standard a long time
ago.
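Both the Land attack and the Smurf trigger are recognisable from addresses alone, so here is an added example (not part of these notes) that classifies constructed packet records as a border router would see them: source equal to destination (Land), an internal prefix arriving on the outside interface (spoofed source), and an echo-request aimed at the subnet broadcast (what no ip directed-broadcast discards); the internal subnet and the record layout are assumptions:

```python
# Added example (not from the notes): a classifier over constructed packet records,
# as a border router would see them, that flags Land packets and Smurf triggers.
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed: the protected subnet
ICMP_ECHO_REQUEST = 8

def classify(pkt, internal=INTERNAL_NET):
    """pkt = (src_ip, dst_ip, proto, icmp_type, inbound_interface); returns finding names."""
    src, dst, proto, icmp_type, iface = pkt
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    if src_ip == dst_ip:
        findings.append("land")                     # victim's address as both source and destination
    if iface == "outside" and src_ip in internal:
        findings.append("spoofed-internal-source")  # our own prefix cannot legitimately arrive from outside
    if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST and dst_ip == internal.broadcast_address:
        findings.append("directed-broadcast-echo")  # the packet a Smurf reflector network would answer
    return findings

def scan(packets):
    """Count each finding across a batch of records."""
    counts = Counter()
    for pkt in packets:
        counts.update(classify(pkt))
    return dict(counts)

# Constructed sample records, not captured traffic.
SAMPLE = [
    ("192.0.2.7", "192.0.2.7", "tcp", None, "outside"),        # Land packet arriving from outside
    ("198.51.100.20", "192.0.2.255", "icmp", 8, "outside"),    # echo-request to the subnet broadcast
    ("198.51.100.20", "192.0.2.30", "icmp", 8, "outside"),     # ordinary ping to one host
    ("192.0.2.8", "203.0.113.4", "tcp", None, "inside"),       # normal outbound traffic
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt[:2], classify(pkt) or "ok")
    print(scan(SAMPLE))
```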

Social engineering
*Manipulating people inside a network into providing the information that is needed to access the
network.
*There are many examples of social engineering (calling users on the phone claiming to be IT,
tailgating, visual hacking, phishing, etc.)

*Phishing
-Malicious websites and emails resemble those of the original organization.
-The goal is to get the victim to enter personal information such as account numbers,
usernames or passwords.

Evolution of phishing
*Spear phishing
-Emails are sent to smaller, more targeted groups, even a single individual.
-More target-specific emails are used to deceive the target.
*Whaling
-It also uses targeted emails, but it raises the profile of the target (often top
executives of an organization).
*Pharming
-Persuades victims by compromising name services (DNS-resolved names).
-When users attempt to enter a website, the name service provides the address of a
malicious website instead of the real one.
-This can be done by injecting entries into the local hosts file or by compromising DHCP
servers that specify DNS servers to clients.
*Watering hole
-The attacker determines the websites that the target group visits regularly and
compromises them by planting malware that can identify members of the target
group.
-Eventually, some member of the target group gets infected.
*Vishing
-It uses the same concept as phishing, but it uses voice and the phone system as its
medium instead of email.
*Smishing
-It uses the same concept as phishing, but it uses SMS texting as its medium instead
of email.
