Vous êtes sur la page 1sur 30

Threat Landscape Evolution of Adversaries

NSE 1: The Threat Landscape

Study Guide
NSE 1: The Threat Landscape Study Guide
Last Updated: 8 April 2016

Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents

THREAT LANDSCAPE ....................................................................................4

Evolution of Adversaries .........................................................................................................4

Hacker Tools ...........................................................................................................................7

Oldbut not Dead........................................................................................................................................9

Threat Timeline .......................................................................................................................9

Anatomy of a Hacking Attack..................................................................................................13

The Advanced Threat Lifecycle ....................................................................................................................14
Advanced-Attacks Kill Chain........................................................................................................................15

INTRODUCTION TO MODERN NETWORK SECURITY .........................................17

Infrastructure Evolution ...........................................................................................................2

Advanced Threats ........................................................................................................................................4

Advanced Threat Protection (ATP).........................................................................................4

Breaking the Advanced Threat Kill Chain .....................................................................................................5

Advanced Threats and Network Security: Continuing Evolution............................................8

KEY ACRONYMS ...........................................................................................9

Threat Landscape Evolution of Adversaries

Threat Landscape
The threat landscape, much the same as the law enforcement, views threats using three primary
characteristics: motive, means, and opportunity. In technology threats, these terms are translated into
motivation (motive), knowledge (means), and access (opportunity). Motivation may be as simple as a
student trying to access protected information or as malicious as a competitor trying to delay or disable a
companys ability to reach the market. Knowledge about networksand hackingis widespread, with
books and guides available globally through the Internet and often at little or no cost. Access, this is the
area where the veracity of your network security will pay offidentifying potential threats, analyzing them,
and either determining validity or cataloging and
rejecting them.

Contemporary and future threat landscapes are

dynamic and often include unforeseen technological
advances. Devices and applications are constantly
being developed, and appear on the market at a rapid
rate. With those new technologies come new threats.
As well as companies and organizations, individual
users must also deal with optimizing their devices and
applications while blocking potential threats. This can be a challenge because these individual users often
use less expensive technology, such as smartphones, tablets, and laptop computers, are novices where
information security is concerned.
Social media has become the primary source of
connectivity for many people internationally, and
addressing the hidden threats coming from
social media sites is a continuing challenge.
More cross-platform sharing and integration will
continue to make device and network security
an evolving challenge at all levels.

Evolution of Adversaries
Computer hacking was once the realm of curious teenagers. Now it's the arena of government spies,
professional thieves and soldiers of fortune. But, dont count out those curious teenagers just yet; more
and more young people are enamored with the prospect, and thrill, of hacking and seeing how far they
can get.
The whole concept of hacking sprouted from the Massachusetts Institute of Technology nearly 50
years ago. Computer science students there borrowed the term from a group of model train
enthusiasts who hacked electric trains and switches in 1969 to improve performance. These new
hackers were already figuring out how to alter computer software and hardware to speed it up. This
was happening as the scientists at AT&T Bell Labs were developing UNIX, one of the world's first
major operating systems.
The Golden Age of Hacking was the 1980s when people bought personal computers for their homes
and hooked them up to the telephone network. The Web wasn't yet alive, but computers could still talk
to one another through hosted chat rooms and FTP. In fact, the 1980s was the age of MS-DOS and

NSE 1: The Threat Landscape Study Guide 4

Threat Landscape Evolution of Adversaries

command line interface (CLI) programming and online interaction. These curious kids tapped into
whatever computer system they could find, just to explore. Some broke into computer networks at
companies. Digital hangouts started, such as Chat City and other hosted group online communication
As hacking progressed in the 1990s, the purposes for hacking ranged across a number of motives. Some
hacked for money. Others did it for revenge. However, hacking was still more of an annoyance
than anything devastating. However, it was quickly becoming apparent that the potential was there for
damage, including industrial espionage, hardware damage, file damage, and so on. The stock market,
hospitals, credit card transactions, and corporate or personal file storage were all running on computers.
As the 21st Century turned the clocks, loosely affiliated amateurs were replaced by well-paid, trained
professionals. By the mid-2000s, hacking had become a widespread tactic for organized crime,
governments, and hacktivists.
Crime. Hackers around the world wrote malicious software (malware) to hijack tens of
thousands of computers, using their processing power to generate spam. They wrote
banking Trojans to steal website login credentials. Hacking payment systems turned out
to be insanely lucrative too. Albert Gonzalezs theft of $94M in credit cards from TJX in
2007 proved to be a precursor to later retailer data breaches, like Target, Home Depot
and others.
Government. When the United States wanted to sabotage the Iranian nuclear program
in 2009, it hacked a development facility and unleashed the most dangerous computer
virus to date. Stuxnet caused the Iranian lab computers to spin centrifuges out of control.
Russia used cyberattacks to shut down media during the 2008 war in Georgia. And now,
it is suspected that both China and Russia have hacked into US Government systems,
stealing Personally Identifiable Information (PII) on millions of government employees
and their families.
Hacktivists. The populist group, Anonymous, hacks into police departments to expose
officer brutality, floods banks with garbage Internet traffic, and a group calling themselves
Vigilante takes down Islamic jihadist websites.
What exists now is a tricky world. When the White House got hacked, was it the Russian government,
nationalists acting on their own, or freelance agents paid by the government? Meanwhile, with the
explosion of technology-focused classes at all levels of education and training, it is easier than ever to
become a hacker. Because of the tools that are availableand ongoing development of new threat
methods--attribution is very difficult when an attack occurs.
Figure 1 depicts how various adversaries pose a threat to network security

NSE 1: The Threat Landscape Study Guide 5

Threat Landscape Evolution of Adversaries

Figure 1. Ranking adversaries to network security.

As one examines Figure 1, it is important to understand that there is no distinct barrier separating these
methods. In fact, it is easily conceivable that one type of adversary couldpurposely or inadvertently
enable another to access a network or system.
The early days of personal computer availability to consumers, and the advent of the Internet and
Worldwide Web are behind us. These events were followed by the parallel development of more powerful
hardware appliances and more complex applications for those machines. Unfortunately, with those
developments also came a thriving developmental path for malware and other methods by which to
breach system and network security to obtain data from or deny use of targeted platforms.
From a starting point of small, direct attacks on computers, hackers have evolved along with computers,
networks, and security. Modern hackers are skilled cybercriminals, motivated by such issues as financial
gain, criminal organization sponsorship, radical political groups, or even sovereign states. Modernand
futurehackers have far more resources than their counterparts of a quarter century ago, greater
technical knowledge and concentration, and greater funding and organization. A number of different types
of hackers that have developed since the 1980s.
Adversaries attempt to gain access to many different types of data for many different reasons. These
reasons range from personal information, to covert access to machines or networks, to attacks that
harvestor prevent the receipt ofinformation. In some cases, the motive is simpleextortion. Among
the reasons for hacking into systems are:
IP. Gaining the IP address of a target so that traffic into and out of the address can be
monitored, stopped, or otherwise affected.
Financial Information. This runs a broad scope from hacking banks for the fourth
decimal place amount of interest money on all the institutions accounts, to ransomware
that makes the target pay a fee to get the antidote code for the malware, to small
purchases with credit card information stolen from consumers.
PII Identity Theft. This includes everything from credit information to identification
documentation such as Social Security numbers, birthdates, and other data that may be
used to create an identity without the target being aware until it is too late, and the
damage has been done.
Shutting Down Competition. Tactics like Distributed Denial of Service (DDoS) attacks
have been used to block business competitors from broadcasting product and service

NSE 1: The Threat Landscape Study Guide 6

Threat Landscape Hacker Tools

information. Other attacks may infect manufacturing systems, payrolls, and other
functions that result in a company having to shut down operations until the problem is
resolved. These attacks may also include industrial sabotage, where data is gained that
gives a company an advantage over competitors, or alters a competitor's product so it is
Wikileaks. The media coverage of Julian Assange and the Wikileaks organization has
spurred on activists to follow in his footsteps. These activists work to expose things with
which they disagree; either publicly shaming the company into changing procedures or
products, or using the information as collateral for a ransom.
Profit. This is the prime motivator behind criminal enterprises, and it is no different when
applied to network attacks.
Sabotage. At a major company, organization, or government level, sabotage is the
means to an endusually the shutdown of a program (as with the 2009 use of Stuxnet to
shut down Irans nuclear program for a time), catastrophic loss of systems and/or data, or
stealing of industrial information.
As you review the illustration of escalating threat levels (Figure 1), you will notice that a key factor is the
level of resources (training, equipment, funding) available to the adversary. As hacking escalated from
individuals to large, well-organized, and well-resourced entities, additional benefits became available to
hackers that provided enhanced capabilities over individual efforts.
Because organizational hacking provides the benefit of collaboration and increased funding, it provides a
breeding ground for hackers and development of new cyber-threats. Some of the benefits of
organizational hacking include:
Education, training, and tech support
Storefront for hacking tools and zero-day exploits/vulnerability information
Sophisticated organization
Government backing
Support by currencies like bitcoin
Obscurity gained through anonymous networks like TOR

Hacker Tools
Hackers rely on two primary categories of tools to facilitate their activities:
Social engineering Techniques
Malware Tools
Social engineering is the use of content that convinces or encourages people to do something to
accomplish the hackers missionusually something damaging. The tactics vary as methods and tools
vary among different hackers with different objectives. Social engineering relies on non-technical
methods of intrusion that often trick people into breaking normal security procedures. Because it
leverages the human factor, social engineering is one of the greatest threats to organizations because
of the difficulty in controlling individual actions among members or employees.
Numerous techniques are available to the hacker. In fact, this is by necessity, as social engineering
targets human factors, which vary across a wide range of technical, social, and responsibility levels.
Therefore, social engineering encompasses numerous techniques that provide options to influence

NSE 1: The Threat Landscape Study Guide 7

Threat Landscape Hacker Tools

many different human perspectives, and may include the following methods:
Spoofing is a technique where one person or program masquerades successfully as
another. This is usually accomplished by falsifying data to make the hacker appear as the
other entity.
Phishing is not unlike going fishing. The hacker attempts to acquire sensitive user
information (such as usernames, passwords, account data, or even directly steal money)
for malicious reasons by masquerading as a trustworthy entity in electronic
communications. This is particularly widespread among e-mail, but may also be used
through false web pages.
Spearphishing is an e-mail spoofing fraud that targets specific organizations in order to
gain unauthorized access to confidential, proprietary, or personal data. This is generally a
technique not used by individuals; rather, spearphishing is often used by perpetrators out
for financial gain, trade secrets, or military information.
Watering-hole Attacks target specific groupsorganizations, companies, industry,
regionto indirectly infect the groups network machines. The attacker analyzes which
Internet sites people from the group are likely to visit, infects the site(s) with malware, and
then waits for an individual from the group to access it. Once the individual is infected,
that person spreads it within the organization, widening access for the hacker.
Phone calls and impersonation are still viable in the technology age. PhoneBotsalso
known as auto-dialerspresent a predetermined message when the recipient answers
the phone. These messages typically request the recipient to call a number for a specific
purpose. The number may be attempting a scam as simple as having the recipient call a
number that is a pay-per-minute programwithout the recipient being awarewhich later
shows up as a charge on their phone bill.
Malvertising is the use of online ads to spread malware. These ads do not require
specific action by the usersuch as clicking on the ad; rather, they take advantage of
macros and advertisement windows that vary ads based on use preferences to spread
malware. Malvertising can run across legitimate sites without directly compromising the
Social Media links are literally a playground for hackers and thieves, because many
people using social media platforms believe that web-based or SaaS platforms are
impervious to hackers. Often the hacker will use an intriguing picture, video, or hyperlink
to entice victims to interact. This can result in effects such as stealing browser windows,
embedding malware to steal data, or even tricking the user into a purchase.
Malware is a category of malicious code that includes viruses, worms, and Trojans. Malware is a primary
tool for hackers when using social engineering techniques to gain access to systems or networks. The
effects of malware are not unlike how a human body becomes infected and how the immune system
Known viruses. These are cataloged in anti-virus programs and defenses have been developed
to counter the threat. This is sometimes referred to as inoculating the machine or network
against the virus.
Unknown viruses. These are viruses that are not yet cataloged or do not yet have a
countermeasure developed to inoculate machines or networks. These unknown viruses may
include exploits developed and for sale to hackers, adaptive viruses, wrappers, and
polymorphic code.
Combination. Because an attack does in restricted neither to a single piece of malware nor a
single attacking device or vector, the use of multiple viruses that include both known and
unknown varieties may be used by hackers.

NSE 1: The Threat Landscape Study Guide 8

Threat Landscape Threat Timeline

Old, But Not Dead

A misconception about threats is that old threats no longer work because standard defenses have been
built into newer software releases. Unfortunately, even with the increase in automated network updates
and functions, not all threats are mitigated. In many cases, threat mitigation requires action (and often
investment of resources and money) by the user to enable threat defense. Common problems that allow
old threats to remain effective include:
Unpatched systems. The cost of continually running patcheswhen adding manpower,
network down time, and software costsoften leads to programs not receiving patches to
correct identified deficiencies and vulnerabilities. This is especially true with individual
consumers, whose vulnerable machines may pass malware on to company or
organization networks. There are still users with Microsoft Office 2003 on their machines,
for example, which no longer has support.
Old OS versions. In most cases, for both organization and consumer use, this comes
down to a single factor: cost. For example, Windows 10 was released on July 29, 2015,
yet users are still using Windows XP or Windows NT, having not upgraded to Windows 7
or 8.1. Even when support was halted for these old versions, making them more likely to
be vulnerable in the future, both consumers and organizations continued to use them,
despite the risk.
AV/AM signatures not up to date. Viruses and malware are developed at quickly and
on a continual basis. It does not take a computer scientist to develop malicious code
children 9 years old have demonstrated superior capability (can you imagine them at
25?). It is essential to have a program that provides regular updates to definitions and
countermeasures, across individual, company, and organizational scopes.
SMB, small agencies, partnerships. Many do not spend enough on security, but still
have network access. Unfortunately, many times the cost of saving a few pennies early,
may result in the loss of dollars later, especially if a major breach occurs.

Threat Timeline
From the last quarter of 2013 through the first quarter of 2014, major network attacks have affected large
companies and billions of consumers. These attacks not only affected business systems, but also had the
ability to infect personal systems and mobile devices, such as the Heartbleed and Find My iPhone
attacks. Figure 2 chronicles those threats and the targets affected by them.

NSE 1: The Threat Landscape Study Guide 9

Threat Landscape Threat Timeline

Figure 2. Chronology of major networks attacks October 2013 to June 2014.

In the period between October 2013 and June 2014, numerous major network attacks affected large
companies and billions of consumers. Over a year later, the impact of those attacks still resonates in both
company losses and loss of consumer trust. The timeline illustrated in Figure 2 presents some of the
more noteworthy attacks during that nine-month period, as described in Table 1.
Table 1. Major network attacks October 2013 to June 2014.


An estimated 2.9 million customer IDs, passwords, and possibly names & credit
Adobe Hack

Spearphishing attacks exploited vulnerability in MS Office to retrieve .doc data.

MS Office Zero-
11 occurred in 2013 and 5 in the first half of 2014.
Day Attack

NSE 1: The Threat Landscape Study Guide 10

Threat Landscape Threat Timeline


Android/ Mobile malware used in sabotage campaign against political movement in Middle
Hackdrive East that took over all audio functions of smartphones when downloaded.

Attacked Mac systems, using expensive root kit to collect personal data, including

Google Play
JavaScript app stole phone number directories from mobile devices.
(Japanese &

Android Balloon Pop 2 Game hack stole WhatsApp conversations from users.

Collected Google (Gmail) IDs, but not associated passwords.

Russian hackers stole 54 million Turkish citizens ID numbers, addresses, and

Turkish Hack
fathers names.

Reveton Ransomware using random extensions to hide DLLs in batch files like rundll32.exe.
Variants Locked machines and would not release it, unless user paid ransom fee to unlock.

Adobe Flash in Replacing earlier versions of the Blackhole exploit after arrest of the writer, this
Exploit Kit malware used popup technology to disrupt Adobe software use.

Target Corp
Hackers stole credit and debit card information for over 40 million customers

GnuTu (Linux)
Fail & Apple goto fail programming errors left encrypted data open to hackers.

Heartbleed Affected OpenSSL sitesmostly social mediathreatening to expose user data.

Ransomware that locked iPhones using the Find My iPhone app and demanded
Find My iPhone
payment to unlock the phone. The next month Android phone users were also hit.

NSE 1: The Threat Landscape Study Guide 11

Threat Landscape Threat Timeline


In May 2014, eBay hackers gained access to names, email and home addresses,
eBay phone numbers, dates of birth, and encrypted passwords for around 145 million

Ransomware Distributed Denial of Service (DDoS) attack against the Basecamp
DDoS Ransom
project management web app.

Below (Table 2) see more recent attacks that affected numerous well-known and high-utilization sites.
Table 2. Recent attacks on major sites.


Detected unauthorized access to 250,000


Lost thousands of email addresses when hacker

accessed to support information of 3 major clients.

Was attacked by 45 pieces of custom malware, 53

New York Times
employees systems compromised.

Schnucks Blames ongoing cyber-attack for a breach, which

Markets impacted 2.4 million payment cards.

Resets passwords for 50 million users after detecting

suspicious activity on its network.

Notifies 50 million users that attackers had infiltrated and

gained access to systems.

Indicates up to 160,000 social security numbers
State Court
exposed by hack.

Other victims included: Michaels, Home Depot, AOL, Avast, Holiday Inn, Neiman Marcus, P. F.
Changs, and J.P. Morgan Chase.

NSE 1: The Threat Landscape Study Guide 12

Threat Landscape Anatomy of a Hacking Attack

Anatomy of a Hacking Attack

In some ways, the effective hacking attack is similar to painting a houseit takes more preparation than
execution time. In order for an attack to be successfulespecially and advanced persistent attack
(APT)a number of steps are essential, as indicated in Figure 3.

Figure 3. Anatomy of an attack: The Hacker's point of view.

An example of the shown process is:
Choosing a Target: The attacker first determines whom they wish to infiltrate and what they wish to
steal. Is the attacker after confidential financial data? Source code? Technical drawings? All of these help
determine a specific target.
Target Research: Once a target has been selected, the attacker will do extensive background research
on his target. By combing through search engines, employee social network activity, public email and
phone directories and other sources of easily obtained data, the attacker can build a profile as well as a
detailed list of other potential human targets inside an organization.
Penetration: After a target has been acquired, the attacker typically creates a customized phishing email,
in the hope that their target will open an attachment that contains an exploit that allows the attacker to
plant remote access malware on the targets computer.
Elevation of Privileges: Once the attacker has gained a foothold inside a targets network, an attempt is
made to exploit vulnerabilities on other internal computers to gain further access on the network. Once
access has been gained, the attacker can then move deeper into the targets network.
Internal Network Movement: If the attacker was successful in gaining further access inside the network,
they can then expand their control to other machines on the network and compromise other computers
and servers, allowing them to access data throughout the network.
Data Theft: Once network access has been achieved, data can be easily stolen. Passwords, files,
databases, email accounts and other potentially valuable data can all be sent back to the attacker.
Maintenance and Administration: Even after the requisite data has been stolen, an attacker may
decide to remain present on the targets network. This requires vigilance on the attackers part in order
to evade detection and maintain surveillance on the targets data assets to ensure further data can be
Advanced Threats

NSE 1: The Threat Landscape Study Guide 13

Threat Landscape Anatomy of a Hacking Attack

Advanced threatsmodern and emerging threatsengage more complex methods that the simpler and
focused attacks of the past. Advanced Persistent Threat (APT) technology is evolving rapidly. Since the
dawn of the computer age, people have used advanced software to target specific companies or
individuals in an attack designed to either damage or steal data. What makes todays APTs unique and
frightening are the sophistication of the malware, the vectors theyre choosing for attack, and the
perseverance with which theyre going after their targets.
APTs are:
Advanced: APTs use organized methods to create and distribute advanced malware. New tools
are constantly being developed.
Persistent. APTs patiently use social engineering combined with malware and codes. They can
be very hard to detect and come with the expectation of higher payout.
Threats. APTs are designed to attack specific, deliberately chosen targets. Credit card
information is cheap to buy on the open market. Now its about business disruption, massive
identity theft, IP theft, and spying.

The Advanced Threat Lifecycle

The sophistication of computer network attacks includes strategies, evolved from direct attacks to
employment of more complex approaches of computer network intrusion and exploitation. Along with this
threat evolution, came background and remote threats to computers and networks from seemingly
innocuous sources, such as malware embedded in legitimate Internet links or files. With these threats, the
lifecycle runs from reconnaissance of potential targets and manufacturing of the method or malware, to
an endpoint of receiving the desired data or effect and exploiting the results.
Cybercriminals create customized attacks to evade traditional defenses, avoid detection, and enable
egress of valuable data. Once inside the network, there are few systems in place to detect or, better still,
protect against APTs. It can be seen from the threat lifecycle illustration (figure 4); once the perimeter
border is penetrated, the activity takes place inside the boundary of the network, including disabling any
agent-based security, updates from the botnet command and control system, additional
infection/recruitment, and extraction of the targeted assets.

Figure 4. The Advanced Threat lifecycle.

An attacker has a substantial arsenal of tools at the ready in order to launch and maintain their attack.

NSE 1: The Threat Landscape Study Guide 14

Threat Landscape Anatomy of a Hacking Attack

Malware. Some hackers use specially crafted malware to exploit a victims computer,
while others use off the shelf malware tools that are easily obtainable online and on
many underground hacking forums.
Social Engineering. A key component in any attack is the ability to make a human target
believe an attack is coming from a trusted source. Using previously obtained research, an
attacker may craft very specific spear-phishing emails with seemingly innocuous
attachments that the target will likely open, such as links to Web pages with malicious
code embedded (known as a watering hole attack), spreadsheets, text files, and PDF
files, that take advantage of exploits in order to execute malicious software.
Zero-Day and Other Exploits. A zero-day exploit is a vulnerability in a software product
that allows an attacker to execute unintended code or gain control of a target computer.
These exploits are usually included in spearphishing and watering hole attacks. In some
cases, exploits that have recently been fixed by vendors but have not yet been patched
by the target organization are used. Both have been shown to be very successful in
Insiders and Recruits. Sometimes an attacker will recruit an insider to assist in
launching an attack. In the case of Stuxnet, it is believed an insider sympathetic to the
attackers goals was recruited to launch the initial attack by plugging in a specially
created USB key that contained the attack malware. This is often the only way an
attacker can reach a target computer that is not connected to the Internet (or whats
known as an air-gapped network).
Forged and Fake Certificates. An attacker may attempt to forge or fake an SSL
certificate to get victims to visit websites that pretends to be safe. In 2011, the certificate
authority Comodo was compromised, and fake certificates were issued for popular sites
such as Google, Skype and Yahoo.
From the most basic threats of past years through the development and emergence of APTs, the threats
for computers networks continue to evolve. This presents continued challenges to those charged with the
responsibility of network protectionfrom the network security administrator down to the individual
desktop user.

Advanced-Attacks Kill Chain

So how does an advanced attack work? Figure 5 presents a snapshot of a typical kill chain for an
advanced attack, and the common security technologies used to block the attack breaking the kill chain.

NSE 1: The Threat Landscape Study Guide 15

Threat Landscape Anatomy of a Hacking Attack

Figure 5. Kill chain of an advanced attack.

To send a malicious email is the most popular method for initiating an advanced attack. The email may
have a file attachment or a URL that connects to a malicious web site. Being lucky, your anti-spam may
stop this email. However, there are many ways to get around antispam and other email gateway security
techniques. For example, bots may leverage legitimate (but compromised) IPs from which to send the
email, or they may use targeted spearphishing techniques and social engineering to get through filters
and to entice an end users to click the URL. They may encrypt a malicious attachment to hide it from AV
If an email with a malicious URL gets through, and the end user clicks on it, your web filtering protection
may stop you from connecting to that malicious web site. However, some attackers use a fast flux
approach, only using a site for a few days or a few hours harvesting what they can, before moving on to
another URL.
If the end user connects with the malicious web site, that site will launch exploits, and you hope your
Intrusion prevention engine will block the attack. However, exploits can slip through by taking advantage
of zero-day vulnerabilities, new variants, and encryption.
If an exploit gets through, the expected behavior is that your antivirus (AV) catches any malware. Many
times this works, but sometimes it doesnt. Malware can use file compression, encryption, and new
malware variants to get through an AV filter.
If malware gets into the organization, it will try to proliferate and it will look for valuable data to collect.
Eventually, it will try to exfiltrate stolen data, or simply go out to try to pull more threats into the
organization. This is where your application control and IP reputation controls may be able to identify, and
stop a connection to a command and control center. But if it doesnt, maybe because the traffic was
encrypted, your organization is breached.

NSE 1: The Threat Landscape Study Guide 16

Introduction to Modern Network Security Anatomy of a Hacking Attack

Introduction to Modern Network

The evolution of network security followed the evolution of network threats. Security development
continues to counter new and future threats. The steps in network security evolution have necessarily
followed the evolution of emerging threats.
Network security is truly a battle of minds the battle between how sophisticated hackers and malicious
code is developed and used versus the ability of IT security professionals to innovate and implement
security measures to mitigate current and emerging threats.

Figure 6. The Network Security Battle of the minds.

As figure 6 shows, hackers toolkit of threats include:

Malicious URL General Known Threats
Malicious Applications Unknown Threats
Vulnerability Exploiting
Malicious Code
Spam/Phishing Message
On the other side, network security managers apply the below tools:
Vulnerability Management Application Control
Intrusion Prevention (IPS)
Anti-spam Web Application
Antivirus/Antimalware Security
Web Filtering
Database Protection
IP Reputation

NSE 1: The Threat Landscape Study Guide 17

Introduction to Modern Network Security Infrastructure Evolution

Advanced Threat Protection (ATP)

Modern network security is composed of many facets, some of which are in your control, while
others are not. In an increasingly mobile world, traditional network security, based on desktop
platforms and dumbphones, is no longer relevant to the world of tablets, phablets, and
smartphones. Because of the constantly changing landscape of network environments,
organizations of all sizes, challenges in keeping pace with change, developing counters to
emerging threats, and controlling network and security policies.
To meet modern and emerging threats, companies and organizations must adopt dynamic
network security programs that keep pace with changing trends and activities.
Peopleor the man-machine interfaceis the weakest link in any security process. People are
easily lulled into a false sense of security about the effectiveness of passwords and access
codes, identity verification, and policies regarding the use of information technology (IT) systems
and networks. It takes just one careless moment to potentially breach the integrity of protected
information and systems. If network security user policies and protocols are too complicated,
compliance is less likely. The human factor makes it necessary for security solutions to be user-
friendly and threat unfriendly; clear and simple for network administrators and users to operate,
with the necessary complexity to identify, deter, or contain threats. They can be embedded in
state-of-the-art hardware and software solutions, nearly transparent to internal network users.
Not all organizations or their networks are alike. Each organization needs a customized, strategic
network security program tailored to balance its needs against its operating environment,
perceived threats, and operating budget. Of course, the best network security program would be
an end-to-end, 24/7 monitored program with regular analytics informing plan effectiveness and
potential enhancements. This would be the holy grail of network security.
Systems like Unified Threat Management (UTM) provide the ability to balance needs, capabilities,
and resources to secure networks while maintaining the ability of the organization to operate. In
essence, this book will help you learn about how to take steps to mitigate best the threats to your
network, and optimize network security while balancing those factors.

Infrastructure Evolution
In a complex growing world that experiences network portability, compatible to an increasing
number of devices with different capabilities, network security continues to evolve in complexity
and importance. In the 1980s early closed networks transitioned to a broader Internet, with the
advent of Ethernet, Bitnet, TCP/IP, SMTP, DNS, and, in 1985, the first .com domain name
registration. Then, in 1991, the Worldwide Web (WWW) came into existence. By 1995, the
modern Internet became established as a fixture in how businessand the worldwould
communicate in the future (Figure 7).

Figure 7. From closed networks to Global Information Grid

Star Trek inspired the idea of floppy disks and flip cellular phones.

NSE 1: The Threat Landscape Study Guide 2

Introduction to Modern Network Security Infrastructure Evolution

The Forbin Project introduced the idea of supercomputers running complex algorithms
that controlled government functions and could potentially supplant human decision-
In 1976 the Osborne 1 was the first portable computer.
The first .com domain was registered in 1985; however the Worldwide Web began in
1991, and the Internet as we know it today did not come online until 1995a mere 20
years ago!
A Japanese company introduced the first smartphone in 1999. It was a relatively
simple device compared to todays smartphones.
Many of us remember the hype around the Y2K bug (Would computers go back to 1900
at midnight?) Early programs were written with just the last two digits of the year with the
Believe it or not, the first tablet came out in 2002but not as light and useful as todays
The discussion between the labelling and merits of Next Generation Firewall (NGFW)
and Unified Threat Management (UTM) expanded and carried on through 2004, with
Gartner, IDC, and Fortinet in the fray.
2007 saw the introduction of the first iPhone.
Finally, 2013-2014 turned out to be a year of breaches by advanced threats targeting
specific entities.

High-tech was not only for major companies, organizations, and government agencies; it was for
Figure 8. The scope of modern global network users.

For the sake of security, it was necessary to add new stand-alone, single- or dual-purpose
hardware or integrated hardware-software packages designed to address newly identified threats.
This resulted in a constant state of expensive upgrades that added network complexity,
integration of new devices, and scrubbing and repurposing or disposing of legacy hardware, new
policy development and new management consoles. This served to increase workload,
retraining, and complexity for network administrators and end users, exacerbating the
balancing problem between security and productivity.
But the products were not always able to integrate fully into existing systems and the
piecemeal approach to network development and security led to potential blind spots that
threats could exploit undetected. In order to solve this growing challenge, a move toward more
strategic solutions to network security was needed. Rather than new stand-alone systems
addressing individual threat vectors, strategic systems and processes designed to protect
networks comprised of systems-of-systems, were needed.
This was how Unified Threat Management (UTM) was developed. UTM goes beyond a

NSE 1: The Threat Landscape Study Guide 3

Introduction to Modern Network Security Advanced Threat Protection (ATP)

system-of-systems approach to integrate individual system characteristics into strategic systems

(Figure 9).

Figure 9. UTM versus traditional ad hoc model.

Advanced Threats
Experienced hackers or groups of hackers can introduce threats to systems and networks,
including developing and implementing previously unused techniques to compromise, gain
control, and/or shut down system/service.
Advanced Threat Protection (APT)also referred to as Advanced Persistent Threat Protection
provides integrated measures to detect and block advanced threats. These measures include
botnet and phishing antivirus profiling, as well as zero-day threat protection and using sandboxing
to analyze, identify, and block suspicious code, and add the suspicious code profile to the ATP
signature database.

Advanced Threat Protection (ATP)

In order to protect against modern and emerging future threats, adaptive defense tools like
ATP are being incorporated into network security infrastructures at an increasing rate. This
level of protection provides increased security across all network sizes from SMB to large
enterprises. Critical capabilities brought to bear by ATP include the following:
Access Control. Layer 2/3 firewall, vulnerability management, two-factor

NSE 1: The Threat Landscape Study Guide 4

Introduction to Modern Network Security Advanced Threat Protection (ATP)

Threat Prevention. Intrusion Prevention (IPS), application control, Web filtering, email
filtering, antimalware.
Threat Detection. Sandboxing, botnet detection, client reputation, network behavior
Incident Response. Consolidated logs and reports, professional services, user/device
quarantine, threat prevention updates.
Continuous Monitoring. Real-time activity views, security reporting, threat intelligence.

Figure 10. Advanced Threat Protection (ATP).

Breaking the Advanced Threat Kill Chain

Now we will look at some methods by which network security administrators can detect, stop, and
mitigate attack consequences.

NSE 1: The Threat Landscape Study Guide 5

Introduction to Modern Network Security Advanced Threat Protection (ATP)

Figure 11. Breaking the advanced threat kill chain - Part 1.

Security Partnerships. Having a strong partnership with a security organization can
provide up-to-date information and threat intelligence as well as clearly-defined
escalation path when an incident is detected.
End User Education. Educating end users on proper use of social media to prevent
confidential information from becoming publicly available is one component. Internal
awareness training and regular testing by IT staff can help mitigate an attack.
Network Segregation. Basic network segregation can help prevent lateral movement
inside the network. By placing resources on segments that cannot be reached from end
users, an organization can potentially prevent an attacker from moving beyond the initial
Web Filtering/IP Reputation. By using a solution that provides current IP reputation,
data, and Web filtering rules, an organization may be able to stop some attacks. By using
an IP reputation service, an organization may be able to stop an attacker that has
launched attacks on other organizations using the same network resources.
Whitelisting. Whitelisting can be used in multiple ways. For example, network
whitelisting can be used to only allow certain internal traffic to reach other network
resources. This can prevent an attacker from moving laterally inside a network. Network
whitelists can also prevent a user from accessing any sites online that are not explicitly
approved. Application whitelisting can be used to allow only a set list of applications from
running on a computer, preventing all other software from running. This can prevent an
attacker from running new programs on the targets computer.
Blacklisting. While a whitelist is a list of things that are explicitly allowed to execute or
access resources, a blacklist explicitly blocks items on the list from accessing
resources, sites or applications deemed unsafe.
Application Control. Application Control allows you to identify and control
applications on your network, regardless of port, protocol or IP address. Using tools
such as behavioral analysis, end-user association and application classification can
identify and block potentially malicious applications and malware.
Sandboxing. With targeted attacks often designed (and indeed tested) to bypass
traditional security technologies, additional inspection of code activity has emerged.
Whether cloud-based or on-premise, sandboxes analyze code execution and
subsequent activity within contained virtual environments to expose full, previously

NSE 1: The Threat Landscape Study Guide 6

Introduction to Modern Network Security Advanced Threat Protection (ATP)

unknown, threat lifecycles.

Data Leak Prevention (DLP). By properly identifying sensitive data and implementing a
DLP solution, an organization can prevent sensitive information from leaving a network.
Data being used at the endpoint, data moving inside a network and data being stored can
all be protected from theft or improper use by implementing a DLP solution.

Figure 12. Breaking the advanced threat kill chain - Part 2.

Intrusion Prevention (IPS) / Intrusion Detection (IDS): By using a product that

provides IPS and IDS, an organization can add another layer of traffic monitoring
to watch for suspicious activity. A good IPS/IDS system will also alert IT staff of
potential threats in progress.
Proactive Patching: A computer is only as secure as the software on it. It is
essential for companies to deploy patches to their systems as quickly as
possible. Attackers and cyber criminals waste no time integrating proof-of
concept code into their malware and exploit kits in some cases exploits have
been added to an exploit kit within hours or days of a patch being available. By
delaying deployment of critical patches, an organization risks becoming
vulnerable to attack. For business intelligence or in-house applications that
require almost constant uptime, its critical to keep test machines available to
deploy patches to and test mission critical applications without impacting the
main network.
Restricting Administrative Rights: Some companies provide employees with
local administrative rights in order to install drivers or software on an as- needed
basis. This can be a double-edged sword. While it can reduce support calls and
empower employees, it can also lead to easier access for attackers to install
malware and remote access tools (also known as RATs) on a victims computer.
By limiting access to administrative rights whenever possible, an organization
may be able to mitigate many attacks.
Network Access Control (NAC): NAC is a solution that can prevent computers
on a network from accessing resources unless certain rules or policies are met.
For example, if a computer hasnt been patched recently, NAC can place that
computer on a segregated subnet that blocks access to resources until the

NSE 1: The Threat Landscape Study Guide 7

Introduction to Modern Network Security Advanced Threats and Network Security: Continuing

machine has been properly patched.

Two-Factor Authentication: There are many forms of two-factor authentication
available for end users. By implementing two-factor authentication for remote
users or users that require access to sensitive information, an organization can
make it difficult for an attacker to take advantage of lost or stolen credentials, as
the attacker would need to provide a second form of identification in order to gain
network access. Commonly used two-factor authentication methods include the
standard username and password plus a hardware or software-based
authentication token, which provides a one-time, time-sensitive password that
must be entered when the username and password is presented to the
authentication server.
USB Drive Restrictions: Many computers will accept a USB thumb drive
implicitly and execute any auto-run applications located on the drive. A drive that
has malicious code planted on it can be all an attacker needs to gain an initial
foothold in a network. Limiting USB drive access to employees on an as- needed
and justified basis is a good idea; banning them outright is even safer. If USB
drive access is necessary, enabling a proper Group Policy to prevent a drive
from auto-running is essential.
Limiting Access to Cloud-based File Sharing: It is important to limit access to
these programs unless absolutely necessary. Cloud-based file sharing and
syncing applications can make it trivial for an attacker to compromise a home
computer and move malware into a corporate network when a user syncs the
files they took home the night before.

Advanced Threats and Network Security: Continuing

The early days of personal computer availability to consumers and the advent of the Internet and
Worldwide Web are behind us. These events were followed by parallel development of more
powerful hardware appliances and more complex applications for those machines. Unfortunately,
with those developments also came a thriving developmental path for malware and other
methods by which to breach system and network security to obtain data from or deny use of
targeted platforms. This Modern Network Security Program presents current and future
appliances, applications, and concepts to provide the options to keep pace with emerging
capabilities and threatsand maintain the safety and security of your system and network.

NSE 1: The Threat Landscape Study Guide 8

Key Acronyms

Key Acronyms

AAA Authentication, Authorization, and IaaS Infrastructure as a Service

Accounting ICMP Internet Control Message Protocol
AD Active Directory ICSA International Computer Security
ADC Application Delivery Controller Association
ADN Application Delivery Network ID Identification
ADOM Administrative Domain IDC International Data Corporation
AM Antimalware IDS Intrusion Detection System
API Application Programming Interface IM Instant Messaging
APT Advanced Persistent Threat IMAP Internet Message Access Protocol
ASIC Application-Specific Integrated Circuit IMAPS Internet Message Access Protocol
ASP Analog Signal Processing Secure
ATP Advanced Threat Protection IoT Internet of Things
AV Antivirus IP Internet Protocol
AV/AM Antivirus/Antimalware IPS Intrusion Prevention System
BYOD Bring Your Own Device IPSec Internet Protocol Security
CPU Central Processing Unit IPTV Internet Protocol Television
DDoS Distributed Denial of Service IT Information Technology
DLP Data Leak Prevention J2EE Java Platform Enterprise Edition
DNS Domain Name System LAN Local Area Network
DoS Denial of Service LDAP Lightweight Directory Access Protocol
DPI Deep Packet Inspection LLB Link Load Balancing
DSL Digital Subscriber Line LOIC Low Orbit Ion Cannon
FTP File Transfer Protocol MSP Managed Service Provider
FW Firewall MSSP Managed Security Service Provider
Gb Gigabyte NGFW Next Generation Firewall
GbE Gigabit Ethernet NSS NSS Labs
Gbps Gigabits per second OSI Open Systems Infrastructure
GSLB Global Server Load Balancing OTS Off the Shelf
GUI Graphical User Interface PaaS Platform as a Service
HTML Hypertext Markup Language PC Personal Computer
HTTP Hypertext Transfer Protocol PCI DSS Payment Card Industry
Data Security
HTTPS Hypertext Transfer Protocol Secure

NSE 1: The Threat Landscape Study Guide 9

Key Acronyms

Standard SSL Secure Socket Layer

PHP PHP Hypertext Protocol SWG Secure Web Gateway
POE Power over Ethernet SYN Synchronization packet in TCP
POP3 Post Office Protocol (v3) Syslog Standard acronym for Computer
POP3S Post Office Protocol (v3) Secure Message Logging
QoS Quality of Service TCP Transmission Control Protocol
Radius Protocol server for UNIX systems TCP/IP Transmission Control Protocol/Internet
RDP Remote Desktop Protocol Protocol (Basic Internet Protocol)
SaaS Software as a Service TLS Transport Layer Security
SDN Software-Defined Network TLS/SSL Transport Layer Security/Secure
SEG Secure Email Gateway
Layer Authentication
SFP Small Form-Factor Pluggable
UDP User Datagram Protocol
SFTP Secure File Transfer Protocol
URL Uniform Resource Locator
SIEM Security Information and Event
USB Universal Serial Bus
UTM Unified Threat Management
SLA Service Level Agreement
VDOM Virtual Domain
SM Security Management
VM Virtual Machine
SMB Small & Medium Business
VoIP Voice over Internet Protocol
SMS Simple Messaging System
VPN Virtual Private Network
SMTP Simple Mail Transfer Protocol
WAF Web Application Firewall
SMTPS Simple Mail Transfer Protocol Secure
WANOpt Wide Area Network Optimization
SNMP Simple Network Management Protocol
WLAN Wireless Local Area Network
SPoF Single Point of Failure
WAN Wide Area Network
SQL Structured Query Language
XSS Cross-site Scripting

NSE 1: The Threat Landscape Study Guide 10


Application Control. Protects managed desktops and servers by allowing or denying network application
usage based on policies established by the network administrator. Enterprise applications, databases,
web mail, social networking applications, IM/P2P, and file transfer protocols can all be identified
accurately by sophisticated detection signatures.
APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access
to a network and stays there undetected for a long period of time. The intention of an APT attack is to
steal data rather than to cause damage to the network or organization. APT attacks target organizations
in sectors with high-value information, such as national defense, manufacturing and the financial industry.
ATP. Advanced Threat Protection relies on multiple types of security technologies, products, and
research -- each performing a different role, but still working seamlessly together -- to combat these
attacks from network core through the end user device. The 3-part framework is conceptually simple
prevent, detect, mitigate; however, it covers a broad set of both advanced and traditional tools for
network, application and endpoint security, threat detection, and mitigation.
AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of malware
attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and reporting on
malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection
ensures that malicious threats hidden within legitimate application content are identified and removed
from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds
an additional layer of security.
Bot. An Internet bot, also known as web robot, WWW robot or simply bot, is a software application that
runs automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally
repetitive, at a much higher rate than would be possible for a human alone. The largest use of bots is
in web spidering, in which an automated script fetches, analyses and files information from web servers at
many times the speed of a human.
Botnet. A botnet (also known as a zombie army) is a number of Internet computers that, although their
owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other
computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer "robot" or
"bot" that serves the wishes of some master spam or virus originator. Most computers compromised in
this way are home-based. According to a report from Russian-based Kaspersky Labs, botnets -- not
spam, viruses, or worms -- currently pose the biggest threat to the Internet. A report from Symantec came
to a similar conclusion.
Drive-by. A drive-by download refers to the unintentional download of a virus or malicious software
(malware) onto your computer or mobile device. A drive-by download will usually take advantage of (or
exploit) a browser, app, or operating system that is out of date and has a security flaw. This initial code
that is downloaded is often very small (so you probably wouldnt notice it), since its job is often simply to
contact another computer where it can pull down the rest of the code on to your smartphone, tablet, or
computer. Often, a web page will contain several different types of malicious code, in hopes that one
of them will match a weakness on your computer.
Exploit. A piece of software, a segment of data, or command sequences that takes advantage of
a vulnerability in order to cause unintended or unanticipated behavior to occur on computer software,
hardware, or appliances incorporating the Internet of Things (IoT). Such behavior frequently includes
things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service
IP/PII. This is what cybercriminals are after. From the IP owned by a corporation or organization to
individual PII, this is the commodity most often sought by hackers, who often use it for financial gain or

NSE 1: The Threat Landscape Study Guide 11


IP stands for Internet Protocol, or the address commonly used to identify the origin of an Internet
transmissioni.e. your device.
PII stand for Personally Identifiable Information, sometimes referred to as Personal Information, and
is often equated in the U.S. with Privacy Act Information.
NIST Special Publication 800-122 defines PII as "any information about an individual maintained by an
agency, including (1) any information that can be used to distinguish or trace an individuals identity, such
as name, social security number, date and place of birth, mothers maiden name, or biometric records;
and (2) any other information that is linked or linkable to an individual, such as medical, educational,
financial, and employment information. It has become much more important as IT and the Internet have
made it easier to collect PII through breaches of Internet and network security and Web browser
Recent courts decisions have leaned toward IP not being considered as PII, judging that an IP only
identifies a particular platform or device, not an actual individual.
IPS. Intrusion Prevention System protects networks from threats by blocking attacks that might otherwise
take advantage of network vulnerabilities and unpatched systems. IPS may include a wide range of
features that can be used to monitor and block malicious network activity including: predefined and
custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode, similar to IDS), packet
logging, and IPS sensors. IPS can be installed at the edge of your network or within the network core to
protect critical business applications from both external and internal attacks.
Log Management. The collective processes and policies used to administer and facilitate the generation,
transmission, analysis, storage and ultimate disposal of the large volumes of log data created within an
information system.
Malvertising. This is the use of online advertising to spread malware. Online advertisements provide a
solid platform for spreading malware because significant effort is put into them in order to attract users
and sell or advertise the product. Malvertising can be easily spread across a large number of legitimate
websites without directly compromising those websites. According to Reed Exhibitions, "The interesting
thing about infections delivered through malvertising is that it does not require any user action (like
clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the server
it is hosted from... infections delivered through malvertising silently travel through Web page
Malware. Malware is a category of malicious code that includes viruses, worms, and Trojan horses.
Destructive malware will utilize popular communication tools to spread, including worms sent through
email and instant messages, Trojan horses dropped from web sites, and virus-infected files downloaded
from peer-to-peer connections. Malware will also seek to exploit existing vulnerabilities on systems
making their entry quiet and easy.
Virus. A computer virus is a program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses
are man-made. A simple virus that can make a copy of itself over and over again is relatively easy to
produce. Even such a simple virus is dangerous because it will quickly use all available memory and
bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself
across networks and bypassing security systems.
Worm. Computer worms are similar to viruses in that they replicate functional copies of
themselves and can cause the same type of damage. In contrast to viruses, which require the
spreading of an infected host file, worms are standalone software and do not require a host
program or human help to propagate. To spread, worms either exploit a vulnerability on the target
system or use some kind of social engineering to trick users into executing them. A worm enters a
computer through a vulnerability in the system and takes advantage of file-transport or
information-transport features on the system, allowing it to travel unaided.
Trojan. A Trojan [horse] is a program in which malicious or harmful code is contained inside
apparently harmless programming or data in such a way that it can get control and do its chosen
form of damage, such as ruining the file allocation table (FAT) on your hard drive. In one case, a

NSE 1: The Threat Landscape Study Guide 12


Trojan was a program that was supposed to find and destroy computer viruses. A Trojan may be
widely redistributed as part of a computer virus.
Network Behavior Anomaly Detection (NBAD). The continuous monitoring of a network for unusual
events or trends. An NBAD program tracks critical network characteristics in real time and generates an
alarm if a strange event or trend is detected that could indicate the presence of a threat. NBAD is an
integral part of network behavior analysis.
Network Forensics. Capturing, recording, and analyzing network events for the purpose of discovering
the source of security attacks or other problem incidents. Catch-it-as-you-can" systems capture
all packets passing through a certain traffic point, store the data, and then perform analysis in batch
mode. "Stop, look and listen" systems perform a basic analysis in memory and save only certain data for
subsequent analyses.
NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:

Intrusion Prevention (IPS) Deep Packet Inspection Network App ID & Control

Access Enforcement Distributed Enterprise Extra Firewall Intelligence


Third Party Management VPN Application Awareness


Phishing. Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email
in an attempt to gather personal and financial information from recipients. Typically, the messages appear
to come from well-known and trustworthy Web sites. Web sites that are frequently spoofed by phishers
include PayPal, eBay, MSN, Yahoo, BestBuy, banks, and government agencies. A phishing expedition,
like the fishing expedition it's named for, is a speculative venture: the phisher puts the lure hoping to fool
at least a few of the prey that encounter the bait.

Risk Management. The process of identifying, assessing and controlling threats to an organization's
capital and earnings. Such threats include financial uncertainty, legal liabilities, strategic management
errors, accidents, natural disasters and information technology (IT) security threats.
Sandboxing. A Sandbox is designed to detect and analyze advanced attacks designed to bypass
traditional security defenses. Sandboxing refers to the process of isolating unknown or potentially
malicious codes to fully execute all functions before allowing the traffic to download into the network. By
analyzing files in a contained environment to identify previously unknown threats and uncovering the full
attack lifecycle, if malicious activity is discovered, Advanced Threat Protection (ATP) can block it.
Security Information and Event Management (SIEM). An approach to security management that seeks
to provide a holistic view of an organizations information technology (IT) security. Most SIEM systems
deploy multiple collection agents to gather security-related events from end-user devices, servers,
network equipment and specialized security equipment like firewalls, AV/AM or IPS. The collectors
forward events to a centralized management console, which performs inspections and flags
Security Intelligence (SI) is the information relevant to protecting an organization from external and
inside threats as well as the processes, policies and tools designed to gather and analyze that
Intelligence, in this context, is actionable information that provides an organization with
decision support and possibly a strategic advantage. SI is a comprehensive approach that
integrates multiple processes and practices designed to protect the organization.

NSE 1: The Threat Landscape Study Guide 13


UTM. Unified Threat Management provides administrators the ability to monitor and manage multiple,
complex security-related applications and infrastructure components through a single management
console. The advantage to UTM is that it goes beyond the NGFW focus of high performance protection of
data centers by incorporating a broader range of security capabilities as either cloud services or network
appliances, integrating:

Intrusion Prevention (IPS) Content Filtering Quality of Service (QoS)

Anti-Malware VPN Capabilities SSL/SSH Inspection

Anti-Spam Load Balancing Application Awareness

Identity-based Access

Vulnerability. In cybersecurity, vulnerability refers to a flaw in a system that can leave it open to attack. A
vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or
in anything that leaves information security exposed to a threat. Cutting down vulnerabilities provides
fewer options for malicious users to gain access to secure information.
Watering Hole. The watering hole attack method targets specific groups (organization, company,
industry, region, etc.). In this attack, the attacker guesses or observes which websites the group often
uses and infects one or more of them with malware. Eventually, some member of the targeted group gets
infected, resulting in the malware being spread to others in the targeted group.
Web Filtering. Web Filtering technology gives you the option to explicitly allow web sites, or to pass web
traffic uninspected both to and from known-good web sites in order to accelerate traffic flows. The most
advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control
perimeter web traffic at a granular level. Using web content filtering technology, these appliances can
classify and filter web traffic using multiple pre-defined and custom categories.

NSE 1: The Threat Landscape Study Guide 14