# Module 4: Attacking What We Do
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::
### 4.1 IP Services
---
#### 4.1.1 ARP Vulnerabilities
The **Address Resolution Protocol (ARP)** is essential for mapping IP addresses to MAC addresses within a local network. However, it has inherent vulnerabilities:
- **ARP Process**:
  - A host sends an **ARP Request** to find the MAC address associated with an IP address.
  - The target host responds with an **ARP Reply**, providing its MAC address.
- **Gratuitous ARP**:
  - A device sends unsolicited ARP Replies to inform the network of its MAC address.
  - Exploited by threat actors to claim ownership of any IP/MAC combination, enabling **ARP Cache Poisoning** attacks.
- **ARP Cache Poisoning**:
  - Threat actors insert their MAC address into a victim's ARP table, misdirecting traffic to their host.
  - Creates a **Man-in-the-Middle (MiTM)** condition to intercept or alter communications.
---
#### 4.1.2 ARP Cache Poisoning Process
1. **ARP Request**:
   - A device (e.g., PC-A) requests the MAC address of its default gateway (e.g., Router R1).
   - Threat actors monitor the network for such requests.
2. **Legitimate ARP Reply**:
   - The router sends a reply with its MAC address, which is stored in the ARP table of PC-A.
3. **Spoofed ARP Replies**:
   - Threat actors send spoofed ARP Replies associating their MAC address with the router’s IP address.
   - The victim updates its ARP table with the attacker’s MAC, redirecting traffic.
4. **Passive vs. Active Attacks**:
   - **Passive**: Stealing confidential data.
   - **Active**: Modifying data in transit or injecting malicious data.

**Mitigation**:
- Use static ARP entries for critical systems.
- Implement ARP monitoring tools like `arpwatch`.
- Employ network segmentation to limit attack spread.
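The `arpwatch`-style monitoring named above boils down to remembering which MAC first answered for each IP and alerting when a later reply rebinds it. The script below is an added example, not course material; the `ArpReply` record layout and the sample replies are constructed for illustration.

```python
"""Flag ARP replies that rebind an IP address to a new MAC (arpwatch-style).

Added example for the ARP cache poisoning section. The ArpReply layout and
the SAMPLE traffic are constructed, not captured from a real network.
"""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpReply:
    ip: str          # sender protocol address (the IP being claimed)
    mac: str         # sender hardware address (the MAC claiming it)
    target_mac: str  # BROADCAST marks an unsolicited (gratuitous) reply


@dataclass
class ArpWatcher:
    """Tracks the first MAC seen for each IP and reports later changes."""
    table: dict = field(default_factory=dict)

    def observe(self, r: ArpReply) -> Optional[str]:
        """Return an alert string if the reply is suspicious, else None."""
        known = self.table.get(r.ip)
        if known is None:
            self.table[r.ip] = r.mac
            # Simplification: treat any broadcast reply as gratuitous.
            if r.target_mac == BROADCAST:
                return f"gratuitous ARP: {r.ip} announced by {r.mac}"
            return None
        if known != r.mac:
            # The gateway's IP is now answered by a different MAC: the
            # signature of a spoofed reply poisoning the victim's cache.
            alert = f"MAC changed for {r.ip}: {known} -> {r.mac}"
            self.table[r.ip] = r.mac   # mirror what the victim's cache does
            return alert
        return None


def scan(replies) -> list:
    """Run every reply through one watcher and collect the alerts."""
    w = ArpWatcher()
    return [a for r in replies if (a := w.observe(r)) is not None]


# Constructed traffic: R1's legitimate reply to PC-A, an unrelated host,
# then two spoofed replies that claim R1's IP with another MAC.
SAMPLE = [
    ArpReply("192.168.1.1", "00:11:22:33:44:55", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:01"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print("ALERT", line)
```

Only the first rebinding is reported; the repeated spoofed reply matches the (now poisoned) entry, which is why a real deployment also keeps the original binding for comparison.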
---
#### 4.1.3 DNS Attacks
The **Domain Name System (DNS)** translates domain names into IP addresses but is susceptible to numerous attack vectors:
- **DNS Open Resolver Attacks**:
  - **Cache Poisoning**: Threat actors insert fake resource records (RR) to redirect users to malicious sites.
  - **Amplification and Reflection**: DoS/DDoS attacks exploit open resolvers to overwhelm targets.
  - **Resource Utilization Attacks**: DoS attacks deplete resolver resources, disrupting operations.
- **DNS Stealth Techniques**:
  - **Fast Flux**: Rapidly changing IPs hide malicious servers.
  - **Double IP Flux**: Changes both IP-to-hostname mappings and authoritative name servers.
  - **Domain Generation Algorithms**: Malware generates random domains to connect with command and control (C&C) servers.
- **Domain Shadowing**:
  - Attackers create malicious subdomains using stolen domain credentials.
---
#### 4.1.4 DNS Tunneling
**DNS tunneling** is a technique where threat actors embed malicious data within DNS queries and responses to evade detection.
- **How It Works**:
  1. Data is split into encoded chunks and placed into DNS queries.
  2. Recursive DNS servers forward these queries to the attacker’s authoritative server.
  3. The attacker’s server responds with encoded commands.
  4. Malware on the victim’s device recombines and executes the commands.
- **Mitigation**:
  - Inspect DNS traffic for anomalies (e.g., unusually long queries).
  - Use DNS security solutions like Cisco Umbrella to block suspicious domains.
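The "unusually long queries" check above is one of three cheap indicators a DNS filter can score: total name length, oversized labels, and high character entropy in the subdomain part (encoded chunks look random, real hostnames do not). The scorer below is an added example, not course material or any vendor's logic; the thresholds, the `<client> <qtype> <qname>` log format and the log lines are constructed.

```python
"""Score DNS query names for tunneling indicators: length, label size, entropy.

Added example for the DNS tunneling section, not course material. Thresholds,
the log format and the log lines are constructed for illustration.
"""
import math
from collections import Counter

MAX_QNAME_LEN = 60   # legitimate names rarely exceed this
MAX_LABEL_LEN = 30   # encoded chunks tend to fill single long labels
MIN_ENTROPY = 3.5    # bits/char; base32/base64 text sits well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tunneling_indicators(qname: str) -> list:
    """Return the reasons a query name looks like it carries embedded data."""
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    # Score only the subdomain part: the registered zone looks normal and
    # would dilute the entropy of the encoded chunks in front of it.
    payload = "".join(labels[:-2]) if len(labels) > 2 else ""
    reasons = []
    if len(qname) > MAX_QNAME_LEN:
        reasons.append(f"qname length {len(qname)} > {MAX_QNAME_LEN}")
    if labels and max(len(lab) for lab in labels) > MAX_LABEL_LEN:
        reasons.append(f"label longer than {MAX_LABEL_LEN}")
    if payload and shannon_entropy(payload) > MIN_ENTROPY:
        reasons.append(f"subdomain entropy {shannon_entropy(payload):.2f}")
    return reasons


def suspicious_queries(log_lines) -> dict:
    """Parse constructed '<client> <qtype> <qname>' lines; return {qname: reasons}."""
    hits = {}
    for line in log_lines:
        _client, _qtype, qname = line.split()
        reasons = tunneling_indicators(qname)
        if reasons:
            hits[qname] = reasons
    return hits


# Constructed resolver log: two ordinary lookups and one query whose
# subdomain is a random-looking base32-style chunk (made up for this example).
CHUNK = "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.gezdgnbvgy3tqojqgezdgnbvgy3tqojq"
SAMPLE_LOG = [
    "10.0.0.12 A www.example.com.",
    "10.0.0.12 AAAA mail.example.org.",
    f"10.0.0.31 TXT {CHUNK}.tunnel.example.net.",
]

if __name__ == "__main__":
    for name, why in suspicious_queries(SAMPLE_LOG).items():
        print(name, "->", "; ".join(why))
```

In production the same indicators are aggregated per client and per zone (query volume, TXT/NULL record ratio), since a single long name is also produced by legitimate CDNs and anti-spam lookups.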
---
#### 4.1.5 DHCP Operation and Attacks
**Normal DHCP Operation**:
1. **Discover**: Client broadcasts a DHCPDISCOVER message to locate a server.
2. **Offer**: Server responds with a DHCPOFFER containing IP configuration details.
3. **Request**: Client broadcasts a DHCPREQUEST to accept the offer.
4. **Acknowledge**: Server sends a DHCPACK confirming the lease.

**DHCP Spoofing Attacks**:
- A rogue DHCP server provides malicious IP configurations:
  - **Invalid Gateway**: Redirects traffic for MiTM attacks.
  - **Malicious DNS**: Points clients to phishing or malware sites.
  - **Invalid IP Address**: Causes DoS by assigning unusable addresses.

**Attack Steps**:
1. Client broadcasts a **DHCP Discover**.
2. Both legitimate and rogue servers respond with offers.
3. Client accepts the first offer, often from the rogue server.
4. Rogue server acknowledges the request, disrupting network operations.

**Mitigation**:
- Use DHCP snooping to filter rogue DHCP responses.
- Enable port security to limit unauthorized devices on the network.
>[!Warning]Recap
>Hosts broadcast an ARP Request to other hosts on the network segment to determine the MAC address of a host with a particular IP address. Any client can send an unsolicited ARP Reply called a “gratuitous ARP.” This feature of ARP also means that any host can claim to be the owner of any IP/MAC they choose. A threat actor can poison the ARP cache of devices on the local network, creating an MiTM attack to redirect traffic.
>
>The Domain Name Service (DNS) protocol defines an automated service that matches resource names with the required numeric IP host address. It includes the message format for queries, responses, and data. It uses resource records (RR) to identify the type of DNS response. DNS is crucial to the operation of a network and should be secured accordingly. Many organizations use the services of publicly open DNS servers to provide responses to queries. DNS open resolvers are vulnerable to multiple malicious activities, including DNS cache poisoning, in which falsified records are provided to the open resolver. DNS amplification and reflection attacks are another type of attack in which the benign nature of the DNS protocol is exploited to cause DoS/DDoS attacks. In DNS resource utilization attacks, a DoS attack is launched against the DNS server itself. Threat actors often hide using DNS stealth techniques such as Fast Flux, in which malicious servers will rapidly change their IP address. Threat actors use Double IP Flux, in which threat actors will rapidly change both their domain name to IP mapping and their authoritative name server. Threat actors may also use domain shadowing to hide the source of their attacks by gathering domain account credentials in order to silently create multiple sub-domains to be used during attacks. DNS in the enterprise is sometimes overlooked as a protocol which can be used by botnets. Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often circumvents security solutions. To be able to stop DNS tunneling, a filter that inspects DNS traffic must be used. Dynamic DNS servers are popular with threat actors and traffic that uses dynamic DNS should be a special concern of the cybersecurity analyst.
>
>DHCP uses a simple exchange of broadcast and unicast messages to provide hosts with addressing information. A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. The rogue server might provide incorrect default gateway information, DNS server information, or IP addressing information.
### 4.2 Enterprise Services
---
#### 4.2.1 HTTP and HTTPS
- **Web-Based Attacks**: Attackers exploit vulnerabilities in web browsers and plugins through a series of steps:
  1. Victims visit a compromised website.
  2. Redirection occurs through compromised servers to malicious sites.
  3. Exploit kits scan for vulnerabilities in OS or plugins like Java or Flash.
  4. Malicious payloads are downloaded and executed on the victim’s system.
- **HTTP Status Codes**:
  - **1xx**: Informational responses (e.g., connection established).
  - **2xx**: Success (e.g., request completed).
  - **3xx**: Redirection (e.g., resource moved).
  - **4xx**: Client errors (e.g., bad request).
  - **5xx**: Server errors (e.g., internal server error).

**Countermeasures**:
- Regularly update browsers and operating systems.
- Use web proxies like Cisco Umbrella to block malicious sites.
- Follow OWASP guidelines for secure web application development.
- Educate users to avoid risky behavior.
---
#### 4.2.2 Common HTTP Exploits
1. **Malicious iFrames**:
   - Threat actors embed hidden inline frames (iFrames) in web pages to load malicious content. An iFrame is an HTML element that allows the browser to load another web page from another source.
   - **Prevention**:
     - Avoid using iFrames.
     - Block malicious sites using web proxies.
     - Educate users about identifying suspicious pages.
2. **HTTP 302 Cushioning**:
   - Attackers abuse HTTP redirection (302 Found) to direct browsers through a series of malicious sites.
   - **Prevention**:
     - Use web proxies to monitor redirects.
     - Train users to recognize abnormal redirect behavior.
3. **Domain Shadowing**:
   - Threat actors create subdomains of compromised parent domains to host malware.
   - **Prevention**:
     - Use strong passwords and two-factor authentication for domain accounts.
     - Validate domain registrations and monitor for unauthorized subdomains.
---
#### 4.2.3 Email Threats
1. **Attachment-Based Attacks**:
   - Malware embedded in seemingly legitimate attachments.
   - **Mitigation**:
     - Train users to avoid suspicious attachments.
2. **Email Spoofing**:
   - Threat actors forge sender addresses to steal sensitive information.
   - **Mitigation**:
     - Verify sender authenticity and train users to spot inconsistencies.
3. **Spam Email**:
   - Unsolicited emails containing advertisements or malware.
   - **Mitigation**:
     - Use spam filters and block known malicious domains.
4. **Open Mail Relay**:
   - Misconfigured SMTP servers used for mass spam.
   - **Mitigation**:
     - Ensure email servers are not configured as open relays.
5. **Homoglyph Attacks**:
   - Use of look-alike characters (e.g., "O" vs. "0") in phishing URLs.
   - **Mitigation**:
     - Train users to carefully inspect links.
---
#### 4.2.4 Web-Exposed Databases
1. **Code Injection**:
   - Attackers execute commands on a server via insecure input fields.
   - **Mitigation**:
     - Enforce strict input validation.
2. **SQL Injection**:
   - Attackers manipulate SQL queries to access sensitive data.
   - **Mitigation**:
     - Validate user inputs and use parameterized queries.
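The difference between a query built by string concatenation and a parameterized one is easiest to see side by side. The snippet below is an added example, not course code; it uses an in-memory SQLite table with constructed rows, and the function names are our own.

```python
"""A string-built SQL query beside its parameterized replacement.

Added example for the SQL injection section. The users table and its rows are
constructed in an in-memory SQLite database; function names are our own.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with two rows for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenates user input into the statement, so input becomes SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Binds the value separately; the engine never parses it as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_username(name: str) -> bool:
    """Allow-list validation: defence in depth, not a substitute for binding."""
    return 1 <= len(name) <= 32 and name.isalnum()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # the textbook tautology: closes the quote early
    print(lookup_vulnerable(db, crafted))     # every row is returned
    print(lookup_parameterized(db, crafted))  # []  (no user has that literal name)
    print(is_valid_username(crafted))         # False: rejected before any query
```

The parameterized version returns nothing for the crafted input because the whole string is compared as a value; the validation function shows why the course lists input validation alongside, not instead of, parameterized queries.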
---
#### 4.2.5 Client-Side Scripting
- **Cross-Site Scripting (XSS)**:
  - Attackers inject malicious scripts into web pages that are then executed in the client’s browser.
  - Types:
    - **Stored (Persistent)**: Code stored on the server and served to all users.
    - **Reflected (Non-Persistent)**: Code embedded in links, requiring user interaction.
  - **Mitigation**:
    - Educate developers on XSS prevention.
    - Use an IPS and web proxies to detect malicious scripts.
>[!Warning]Recap
>World Wide Web browsers are used by almost everyone. Blocking web browsing completely is not an option because businesses need access to the web. Cybersecurity analysts must have a good understanding of how a standard web-based attack works. The common stages of a typical web attack include the victim unknowingly visiting a web page that has been compromised by malware. The compromised web page redirects the user to a site that hosts malicious code. The browser is made to visit this site and malicious code infects their computer. This is known as a drive-by download. Regardless of the type of attack being used, the main goal of the threat actor is to ensure the victim’s web browser ends up on the threat actor’s web page, which then serves the malicious exploit to the victim. Some malicious sites take advantage of vulnerable plugins or browser vulnerabilities to compromise the client’s system. Larger networks rely on IDSs to scan downloaded files for malware. If detected, the IDS issues alerts and records the event to log files for later analysis. Server connection logs can often reveal information about the type of scan or attack. The different groups of connection status codes include Informational 1xx, Successful 2xx, Redirection 3xx, Client Error 4xx, and Server Error 5xx. To defend against web-based attacks, countermeasures that should be used include always updating the OS and browsers with current patches and updates, using a web proxy to block malicious sites, using the best security practices from the Open Web Application Security Project (OWASP) when developing web applications, and educating end users by showing them how to avoid web-based attacks.
>
>There are a number of attacks that use email to carry malware payloads or to phish for personal information. SMTP servers can also have vulnerabilities and should be kept up to date with patches. Email security appliances can detect and block many types of known email threats including phishing, spam, and malware.
>
>Web applications commonly connect to databases. Because these databases can contain sensitive information, they are a frequent target of attacks. Code injection and SQL injection attacks exploit insufficiently validated input fields to send commands to databases or other applications in order to gain access to private information. Cross-Site Scripting (XSS) attacks occur when browsers execute malicious scripts on the client and provide threat actors with access to sensitive information on the local host.
>
>The OWASP Top 10 Web Application Security Risks is designed to help organizations create secure web applications. It is a useful list of potential vulnerabilities that are commonly exploited by threat actors.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/17-2-8-check-your-understanding-network-services-attacks-answers.html).
:::
### 4.3 Mitigating Common Network Attacks
---
#### 4.3.1 Defending the Network
To effectively defend a network, follow these best practices:
- Develop and enforce a written security policy.
- Educate employees about risks like social engineering and create validation strategies.
- Control physical access to systems.
- Use strong passwords and change them regularly.
- Encrypt and password-protect sensitive data.
- Employ security tools such as firewalls, IPS, VPNs, antivirus software, and content filtering.
- Regularly back up data and test recovery.
- Disable unnecessary services and ports.
- Install software patches promptly to prevent privilege escalation or buffer overflow attacks.
- Conduct regular security audits to identify vulnerabilities.
---
#### 4.3.2 Mitigating Malware
Malware (e.g., viruses, worms, Trojan horses) can significantly impact networks and devices.
- **Antivirus Software**: Install host-based antivirus software to detect and eliminate malware. Regularly update virus definitions and automate updates to ensure up-to-date protection.
- **Perimeter Defense**: Use network security devices to identify and block malware files before they enter the network.
- **Limitations**: While helpful, no method is 100% effective. Security incidents are inevitable and require ongoing vigilance.
---
#### 4.3.3 Mitigating Worms
Worms are more network-oriented than viruses. Mitigation involves these four phases:

1. **Containment**: Compartmentalize and segment the network using ACLs on routers and firewalls to limit worm spread.
2. **Inoculation**: Patch all uninfected systems with vendor updates to deprive the worm of targets.
3. **Quarantine**: Identify and isolate infected systems within the network.
4. **Treatment**: Disinfect systems by terminating worm processes, removing files, and patching vulnerabilities. In severe cases, reinstall systems to ensure complete removal.
---
#### 4.3.4 Mitigating Reconnaissance Attacks
Reconnaissance attacks often precede more severe intrusions. Countermeasures include:
- **Authentication and Encryption**: Secure access and render packet sniffers ineffective.
- **Anti-Sniffer Tools**: Detect devices running packet-sniffing software by analyzing host response times.
- **Firewalls and IPS**: Limit reconnaissance by restricting visible information and detecting suspicious activity.
- **ICMP Management**: Disable ICMP echo and echo-reply to stop ping sweeps, though diagnostic capabilities may be impacted.
- **Port Scanning Mitigation**: While not preventable, slow scans by limiting exposed information and blocking unused ports.
---
#### 4.3.5 Mitigating Access Attacks
Access attacks target system authentication mechanisms and exploit trust relationships.
- **Strong Password Policies**:
  - Use passwords with at least eight characters, including uppercase, lowercase, numbers, and symbols.
  - Lock accounts after a set number of failed login attempts.
- **Minimum Trust Principle**:
  - Avoid unnecessary trust between systems (e.g., trusted servers should not trust untrusted devices unconditionally).
- **Cryptography**:
  - Encrypt remote access traffic and routing protocols to prevent interception.
- **Multifactor Authentication (MFA)**:
  - Combine passwords with single-use tokens or verification codes to enhance security.
- **Education**:
  - Train employees to recognize social engineering tactics and validate identities through multiple channels.
- **Monitoring and Logging**:
  - Maintain and review logs for unusual patterns, such as failed login attempts, bandwidth spikes, or process anomalies.
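Two of the items above, locking an account after a set number of failures and reviewing logs for failed logins, are the same check seen from the host and from the analyst's side: count failures per account inside a time window and act when the count crosses a threshold. The script below is an added example, not course material; the sshd-like log format, the threshold and the window are assumptions, and the log lines are constructed.

```python
"""Count failed logins per account in a sliding window and flag lockouts.

Added example for the access-attack mitigation section. The log format is
sshd-like but constructed; threshold and window are assumed policy values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # failures before the account is locked
WINDOW = timedelta(minutes=10)   # failures older than this are forgotten

# Constructed format: "<ISO timestamp> sshd: Failed password for [invalid user] <user> from <ip>"
FAILED_RE = re.compile(
    r"^(\S+) sshd: Failed password for (?:invalid user )?(\S+) from (\S+)"
)


def lockout_events(log_lines) -> list:
    """Return [(timestamp, user, source_ip)] at the moment each user crosses the threshold."""
    recent = defaultdict(deque)   # user -> failure timestamps still inside the window
    locked = set()
    events = []
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successes and unrelated lines are not counted
        ts = datetime.fromisoformat(m.group(1))
        user, src = m.group(2), m.group(3)
        q = recent[user]
        while q and ts - q[0] > WINDOW:
            q.popleft()           # slide the window forward
        q.append(ts)
        if len(q) >= LOCKOUT_THRESHOLD and user not in locked:
            locked.add(user)
            events.append((m.group(1), user, src))
    return events


# Constructed log: a burst of failures against "admin" from one host, with
# an unrelated success, a guessed username and a lone failure mixed in.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T09:00:03 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T09:00:04 sshd: Accepted password for alice from 192.0.2.10",
    "2024-05-01T09:00:05 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T09:00:07 sshd: Failed password for invalid user test from 203.0.113.7",
    "2024-05-01T09:00:08 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T09:00:09 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T09:20:00 sshd: Failed password for bob from 198.51.100.4",
]

if __name__ == "__main__":
    for when, user, src in lockout_events(SAMPLE_LOG):
        print(f"{when}: lock {user} after {LOCKOUT_THRESHOLD} failures from {src}")
```

Keying the counter by account (as a lockout policy does) rather than by source address is what catches a slow distributed guess; keying by source as well is what catches a single host spraying many accounts.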
---
#### 4.3.6 Mitigating DoS Attacks
DoS attacks disrupt network services by overwhelming resources with excessive traffic.
- **Detection**:
  - Monitor network utilization to identify unusual patterns indicative of DoS activity.
  - Use behavior analysis tools to detect anomalies.
- **Prevention**:
  - Deploy antispoofing technologies like port security, DHCP snooping, IP Source Guard, and ARP inspection.
  - Apply ACLs to limit potential attack vectors.
- **Response**:
  - Analyze network utilization graphs to locate the attack's source.
  - Implement rate-limiting and traffic filtering to manage incoming data during an attack.
>[!Warning]Recap
>The following best practices are used for securing a network: develop a written security policy, educate employees, control physical access to systems, use strong passwords, encrypt and password-protect sensitive data, implement security hardware and software, perform backups and test the backup files, shut down unnecessary services and ports, keep patches up-to-date, and perform security audits and tests.
>
>The primary means of mitigating virus and Trojan horse attacks is antivirus software. A network security professional must be aware of the major viruses and keep track of security updates regarding emerging viruses.
>
>Worms are more network-based than viruses. The response to a worm attack can be broken down into four phases: containment, inoculation, quarantine, and treatment.
>
>Reconnaissance attacks can be mitigated in several ways: implement authentication to ensure proper access, use encryption to render packet sniffer attacks useless, use anti-sniffer tools to detect packet sniffer attacks, implement a switched infrastructure, and use a firewall and IPS. Encryption is also effective for mitigating packet sniffer attacks. Several techniques are available for mitigating access attacks: strong password security, principle of minimum trust, cryptography, and applying operating system and application patches.
>
>To minimize the number of DoS attacks, a network utilization software package should be running at all times. DoS attacks could be a component of a larger offensive. DoS attacks can lead to problems in the network segments of the computers being attacked. Historically, many DoS attacks were sourced from spoofed addresses.