1.2 Potential Indicators - Type of Attacks

Overview of Malware

Malware, short for "malicious software," is a broad category of software programs or code specifically designed to infiltrate, damage, disrupt, or gain unauthorized access to computer systems, networks, or devices. Malware can take many forms and serve various malicious purposes, posing a significant cybersecurity threat.

Virus = malware that can reproduce itself | it needs you to execute a program | reproduces through file systems or the network | may or may not cause problems
- program virus = it's part of the application
- boot sector virus = when you start your computer, the virus is launched because it is located in the bootloader
- script viruses = browser-based or OS-based viruses
- macro virus = usually runs inside of another application
- fileless virus = never saves itself in the file system | it tries to avoid anti-virus detection | operates in memory, but is never installed in a file or application

Crypto-malware = your data is unavailable until you pay | uses cryptography to encrypt information so it cannot be read unless you have the decryption key

Ransomware = they will attack you and want money | attackers inject malware - usually ransomware locks/encrypts your file system and only releases it after receiving the money

Worms = malware that self-replicates | moves system to system | spreads quickly - doesn't need you to do anything - uses the network as a transmission medium - IDS/IPS can mitigate worm infestations but don't help once the worm gets inside

Trojan Horse = software that pretends to be something else | it looks like you are installing an application but it's actually malware

Keylogger = a form of malware or hardware that keeps track of and records your keystrokes as you type | captures sensitive information like passwords

Adware/Spyware = if you see a pop-up or advertisement it's adware | spyware is malware that spies on you - advertising, identity theft, affiliate fraud

Bots = once your machine is infected, it becomes a bot | they are controlled remotely by an attacker | usually used for Command and Control (C&C) purposes

Botnets = a group of computers (bots) working together for evil intentions | usually used for DDoS attacks - can relay spam - proxy network traffic - distributed computing tasks - botnets can be purchased online from the dark web - on-demand scans and network monitoring can stop the botnets - block at the firewall

Logic Bomb = waits for a predefined event and then triggers | time bomb (occurs at a certain time or date) - difficult to recover from once it goes off - each logic bomb is unique so there are no predefined signatures - electronic monitoring: host-based intrusion detection, Tripwire, etc.

Backdoor = a process that allows an attacker to reconnect to a system they exploited | the same backdoor can be used by different malware

Remote Access Trojan (RAT) = third-party access to the computer | has nearly complete control of the system - key logging, screen recording, copy files, embed more malware - a RAT is like connecting to a computer with RDP but with malicious intent

Rootkits = modify core system files, part of the kernel | can be invisible to the OS, won't show up in task manager | very difficult to remove - rootkits can be prevented by UEFI Secure Boot (UEFI/BIOS = two types of firmware interfaces used in computers for initializing the hardware during the booting process - bridge between the computer's firmware and its operating system)


Password Attacks

Hashing a password = produces a fixed-length string of text | hashing algorithms create a one-way value derived from the plain text - it is impossible to revert back to the original message - different inputs won't produce the same output

Spraying attack = trying a small/limited set of credentials against a wide range of targets - it is a more focused approach compared to a brute force attack

Brute force attack = attacker systematically tries all possible combinations of credentials until the correct one is found - time-consuming and resource-intensive method

Dictionary attack = attacker uses a predefined list of commonly used passwords or phrases to try and gain access to an account - more efficient than brute force as it only tries known passwords
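
An added example, not part of the original notes: the attacks above leave different shapes in failed-login logs, and per-account lockout counters miss spraying because each account sees only a guess or two. The log entries, thresholds and the classify_sources name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of failed-login events: (source_ip, username).
# Addresses come from documentation ranges; nothing here is real data.
FAILED_LOGINS = (
    [("203.0.113.7", f"user{i:02d}") for i in range(12)]   # 1 try on each of 12 accounts
    + [("198.51.100.9", "admin")] * 40                      # 40 tries on one account
    + [("192.0.2.15", "alice"), ("192.0.2.15", "alice")]    # ordinary mistyped password
)

def classify_sources(events, min_accounts=10, max_per_account=3, min_attempts=20):
    """Label each source IP by the shape of its failed logins.

    spraying    = many distinct accounts, only a few guesses per account
    brute_force = many guesses concentrated on a single account
                  (a dictionary attack looks the same in the log)
    Thresholds are illustrative assumptions; tune them to your environment.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for ip, user in events:
        per_source[ip][user] += 1

    verdicts = {}
    for ip, users in per_source.items():
        accounts = len(users)            # how wide the source went
        heaviest = max(users.values())   # how deep it went on any one account
        if accounts >= min_accounts and heaviest <= max_per_account:
            verdicts[ip] = "spraying"
        elif heaviest >= min_attempts:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(FAILED_LOGINS).items()):
        print(ip, verdict)
```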

Salting = random data is added to the password when hashing - add the salt before hashing the password

Rainbow tables = pre-built set of hashes | contains pre-calculated hash chains - needs different tables for different hashing methods - if the system uses password hashes, rainbow attack won't be useful against it - needs CPU power to prepare the table before the attack
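
An added example (not from the original notes) of how salting interacts with precomputed tables: the same password hashed with a fresh random salt never matches a table built from unsalted hashes. PBKDF2-HMAC-SHA256, the word list and the function names are choices made for this example.

```python
import hashlib
import hmac
import os

COMMON = ["123456", "password", "qwerty", "letmein"]  # constructed word list

# Precomputed lookup: unsalted SHA-256 digest -> plaintext. It stands in for
# a rainbow table, which stores the same mapping in a more compact form.
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}

def unsalted_hash(password):
    """Plain SHA-256 with no salt: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=200_000):
    """Return (salt, digest); a random 16-byte salt is mixed in before hashing."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password, salt, expected, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

def table_lookup(hex_digest):
    """What the precomputed table yields for a stolen hash (None = no match)."""
    return PRECOMPUTED.get(hex_digest)

if __name__ == "__main__":
    print(table_lookup(unsalted_hash("letmein")))   # table hit on the unsalted hash
    salt, digest = salted_hash("letmein")
    print(table_lookup(digest.hex()))               # table miss on the salted hash
    print(verify("letmein", salt, digest))          # login still works
```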


Physical Attacks

Malicious USB drive/cable looks like a normal USB but it has additional electronics inside - the operating system identifies this as a keyboard or mouse (human interface device - HID) - attackers can load malware in documents after the USB is connected to the computer

Skimming refers to stealing credit card information during a normal transaction - copying data from the magnetic stripe - ATM skimming involves a camera or additional device to watch your PIN number

Card cloning creates a duplicate of a card which often includes the CVC number


Adversarial Artificial Intelligence

Machine learning trains on data to detect anomalies. It is used in face recognition, which requires lots of face data to train the AI model. AI can stop spam and recommend products online.

Attackers can poison the training data by feeding in wrong or malicious data so that the AI behaves incorrectly.

Evasion Techniques

AI can understand what spam mail looks like, and an attacker can craft the mail accordingly so that the AI won't detect it anymore.

AI that uses real-world information can expose confidential information, which can be leaked in sophisticated ways.

Constantly check the training data and verify its accuracy. Train the AI with possible poisoning data and try to understand what an attacker would do.


Supply Chain Attacks

The supply chain contains moving parts such as raw materials, suppliers, manufacturers, distributors, customers, consumers. Attackers can infect any step during the process. Usually, just one interference with the process can affect other processes along the way. - make sure you can trust your server/router/switch/firewall/software - use a small supplier base and tighten the control for vendors - use strict controls over policies and procedures to ensure proper security is in place


Cloud-Based vs. On-Premises Attacks

On-premises infrastructure allows full control and customization of the security posture. The on-site IT team can manage the security better and ensure everything is secure/safe. Local IT teams can maintain availability and uptime of the services. - changes can take time - troubleshooting can take time | installing new equipment and hardware can be a burden

Cloud-based infrastructure has no physical access to the resources, meaning that local IT teams are not maintaining the services. Data is usually secure in a cloud environment, but a third party might have access to the data. - cloud providers offer minimal downtime and 24/7 support - scalable security operations with one-click deployments


Cryptographic Attacks

Birthday attack = brute force attack that exploits the exponentially growing probability of collision. - is used to create hash collisions - the attacker generates multiple versions of the plaintext to match the hashes

Collisions = hash digests are supposed to be unique, meaning that different inputs should never create the same hash. If two different inputs create the same output, a collision happens. - using the MD5 hashing algorithm can result in a collision
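
An added example (not from the original notes) of the birthday bound behind the two entries above: with an n-bit digest a collision is expected after roughly 2^(n/2) attempts, which is why digest length matters. It is shown on SHA-256 truncated to 24 bits; the truncation, message format and function names are assumptions of the example.

```python
import hashlib
import math

def collision_probability(samples, bits):
    """Birthday bound: chance that `samples` random `bits`-bit digests collide."""
    space = 2 ** bits
    return 1.0 - math.exp(-samples * (samples - 1) / (2 * space))

def truncated_digest(data, bits):
    """First `bits` bits of SHA-256: a deliberately weakened toy hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits):
    """Hash message variants until two different inputs share a digest.

    Returns (first_message, second_message, digests_computed). With more
    inputs than possible digests a collision is guaranteed, so the loop
    always returns; in practice it stops near 2**(bits/2) attempts.
    """
    seen = {}
    for counter in range(2 ** bits + 1):
        msg = b"invoice-%d" % counter      # constructed message variants
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter + 1
        seen[tag] = msg

if __name__ == "__main__":
    first, second, tries = find_collision(24)
    print(first, second, tries)
    # Only about 2**12 digests are needed for a ~39% chance on a 24-bit hash.
    print(round(collision_probability(2 ** 12, 24), 3))
    # A 128-bit digest such as MD5 gives the same odds at 2**64 digests.
    print(round(collision_probability(2 ** 64, 128), 3))
```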

Downgrade attack = instead of using perfectly good encryption, use something not so great | force the systems to downgrade their security - this type of attack typically occurs during the negotiation process of a security protocol, where two parties (client and server) agree on the protocol version and cipher suites to use.
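
An added example (not from the original notes): a toy model of the version negotiation described above, showing that a minimum-version floor turns a tampered offer into a failed handshake instead of a weak connection. The version lists and function names are constructed; hardened_client_context sets the same floor with Python's standard ssl module.

```python
import ssl

# Protocol versions ordered weakest to strongest (labels only, no real handshake).
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed inputs: what the client really offered, and what the server
# sees after the stronger versions were removed from the offer in transit.
CLIENT_OFFER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
TAMPERED_OFFER = ["TLSv1.0"]
SERVER_SUPPORTED = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def negotiate(offer, supported, floor=None):
    """Return the strongest shared version, or None if nothing is acceptable.

    floor is the weakest version the server will still accept; None models
    a server that keeps every legacy version enabled.
    """
    shared = [v for v in ORDER if v in offer and v in supported]
    if floor is not None:
        shared = [v for v in shared if ORDER.index(v) >= ORDER.index(floor)]
    return shared[-1] if shared else None

def hardened_client_context():
    """The same floor on a real client: refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def floor_name(ctx):
    """Name of the lowest protocol version an SSLContext will negotiate."""
    return ctx.minimum_version.name

if __name__ == "__main__":
    print(negotiate(CLIENT_OFFER, SERVER_SUPPORTED))                     # honest offer
    print(negotiate(TAMPERED_OFFER, SERVER_SUPPORTED))                   # no floor: downgraded
    print(negotiate(TAMPERED_OFFER, SERVER_SUPPORTED, floor="TLSv1.2"))  # floor: rejected
    print(floor_name(hardened_client_context()))
```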
