Chapter 7

Protecting Against Advanced

Attacks

[Link] © 2021 YCDA, LLC

 Introduction

• Understanding Attack Frameworks

• Identifying Network Attacks

• Summarizing Secure Coding Concepts

• Identifying Malicious Code and Scripts

• Identifying Application Attacks

 Attack Frameworks
• Cyber Kill Chain
– includes seven elements tracking an attack from
reconnaissance to performing actions
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command and Control (C2)
• Actions on Objectives
 Attack Frameworks
• Diamond Model of Intrusion Analysis
– identifies four key components of every intrusion
event
• Adversary
• Capabilities
• Infrastructure
• Victim
• MITRE ATT&CK (Adversarial Tactics, Techniques,
and Common Knowledge)
– matrix of ten tactics and techniques attackers use to
achieve each
 Network Attacks
• Denial-of-service (DoS)
– Comes from one system

• Distributed denial-of-service (DDoS)

– Multiple attacking computers
– Typically include sustained,
abnormally high network traffic
 Network Attacks
• SYN flood attack
– Common attack against Internet servers
– Disrupts the TCP three-way handshake
– Withholds 3rd packet
 Network Attacks
• Spoofing
– Impersonating or masquerading
as someone or something else
• MAC spoofing
• IP spoofing
• On-Path Attacks
– sometimes referred to as a man-in-the-middle attack
– is a type of proxy Trojan horse that infects vulnerable
web browsers
 Network Attacks
• Secure Sockets Layer (SSL) stripping attack
– Hypertext Transfer Protocol Secure (HTTPS)
connection to a Hypertext Transfer Protocol
(HTTP) connection

• Layer 2 Attacks
– attempt to exploit vulnerabilities at the Data Link
layer (Layer 2) of the Open Systems
Interconnection (OSI) model
 Network Attacks
• Secure Sockets Layer (SSL) stripping attack
– Hypertext Transfer Protocol Secure (HTTPS)
connection to a Hypertext Transfer Protocol
(HTTP) connection

• Layer 2 Attacks
– attempt to exploit vulnerabilities at the Data Link
layer (Layer 2) of the Open Systems
Interconnection (OSI) model
OSI MODEL
 ARP Poisoning
• ARP request
• ARP reply

• ARP on-path
attacks
– Previously
known as
man-in-the-
middle attack
 Layer 2 Attacks
• MAC flooding
– attack against a switch that attempts to overload it
with different MAC addresses
– sends a Simple Network Management Protocol
(SNMP) trap or error message

• MAC Cloning
– changing a system’s MAC address to another MAC
address
 DNS Attacks

• DNS poisoning
– Attempt to corrupt DNS data
– Protect against with DNSSEC
• URL redirection
– used to redirect traffic to a different page within a site
• Domain hijacking
– Attacker changes the registration of the domain name
– Typically done by using social engineering techniques
to guess owner’s password
 DNS Attacks

• Domain reputation
– helps ISPs determine an email is being sent by a
legitimate organization
• DNS sinkhole
– DNS server that gives incorrect results for one or
more domain names
• DNS log files
– record DNS quer
 Network Attacks

• Replay attacks/ session replays

– capture data in a session to impersonate one of

the parties in the session
– can occur on both wired and wireless networks
 Secure Coding Concepts

• OWASP
– Open Web Application Security Project
– focused on improving the security of software
• Code reuse
– saves time and helps prevent the introduction of
new bugs
• Dead code
– code that is never executed or used
 Input Validation
• Verifies validity of data before using it
– Verifies proper characters
– Uses boundary and/or range checking
– Blocks HTML code
– Prevents the use of certain characters
• Client-side vs server-side
– Server-side is more secure (many sites use both)
• Input validation prevents
– Buffer overflow, SQL injection, command injection, and
cross-site scripting attacks
 Error and Exception Handling

• Catch errors and provides feedback

– Prevent improper input from crashing an
application providing information to attackers

– Errors to users should be general

– Logged information should be detailed

 Secure Coding Concepts

• Third-party libraries

• Software Development Kits (SDKs)

– Provide software tools easy to reuse

• Code obfuscation
– Camouflage code
 Secure Coding Concepts

• Avoid race conditions

– Occur when two modules attempt to access the
same resource
– First module to complete the process wins
– Database locks prevent race conditions
 Software Diversity

• Outsourced Code Development

• Data exposure
• HTTP headers
– HTTP Strict-Transport-Security
– Content-Security-Policy
– X-Frame-Options
• Secure cookie
• Code signing
Common Methods of Testing Code

• Static code analysis

– examines the code without executing it
• Manual code review
– static code analysis where someone goes through the
code line by line
• Dynamic code analysis
– checks the code as it is running
• Sandboxing
– used to test applications within an isolated area
 Secure Coding Concepts

• Software version control

• Secure development environment

– includes multiple stages
• Development
• Test
• Staging
• Production
• Quality assurance
 Database concepts

• Tables related to each other with keys

• Database schema
 Database concepts
Tables
• Rows (also called records or tuples)
• Columns (also called attributes)
• Cells hold individual values (such as “Lisa”)
are cells
 Database concepts
Normalization
• Organizing tables and columns to reduce
redundant data and improve performance

• First normal form (1NF)

• Second normal form (3NF)
• Third normal form (3NF)
 Database concepts

1NF
• Each row within a table is unique
and identified with a primary key
• Related data is contained in a
separate table
• None of the columns include
repeating groups
 Database concepts

2NF (must be in 1NF)

• Non-primary key attributes are completely
dependent on the composite primary key

Composite key Publisher column in this

table violates this rule
 Database concepts
3NF (must be in 2NF and 1NF)
• All columns that aren’t primary keys are only
dependent on the primary key
• None of the columns in the table
are dependent on
non-primary key attributes.
PublisherCity column violates this rule
It is dependent on the BookID column
It is dependent on the Publisher column
 SQL Queries

SELECT * FROM Customers WHERE name = 'Homer Simpson‘

• Using SQL Injection

SELECT * FROM Customers WHERE name = ' ' or '1'='1' --'

• Result
SELECT * FROM Customers WHERE name = ' '
SELECT * FROM Customers WHERE '1'='1'
 SQL Injection Attack

• Used on unprotected web pages

to access backend databases
• Often use the phrase ' or '1'='1 '
• Tricks database into providing information
• Best protection
– Input validation & stored procedures
• XML injection (similar to SQL injection)
 SQL Injection Attack

• Protecting against SQL injection attacks

– Input validation

– Stored procedures
• Group of SQL statements that execute as a whole

– Parameterized stored procedures

• Stored procedure that accepts input as a parameter
• Stored procedure can perform input validation
 Secure Coding Concepts

• Provisioning and deprovisioning

– typically refer to user accounts

• Integrity measurement
– refers to the quality of the code

• Web server logs

 Scripting for Automation

• Automated courses of action

• Continuous monitoring
• Continuous validation
• Continuous integration
• Continuous delivery
• Continuous deployment
 Malicious Code and Scripts

• PowerShell
– task-based command-line shell and scripting
language that uses cmdlets
– Invoke-Command
• Bash (short for Bourne-Again Shell)
– command language interpreter for Unix and Unix-
like operating systems
– /bin/bash or /bin/sh
 Malicious Code and Scripts

• Python
– interpreted programming language
• Macros
– short instruction that will run a longer set of
instructions
• Visual Basic for Applications (VBA)
– event-driven tool
 Malicious Code and Scripts

• OpenSSL
– software library used to implement SSL and TLS
protocols

• SSH
– OpenSSH is a suite of tools that simplify the use of
SSH
 Application Attacks

• Zero day attack

– Attempts to exploit zero-day vulnerabilities

– Also known as zero day- exploit

 Memory Vulnerabilities

Application bugs
• Memory leak
– App consumes more and more memory
– Can crash operating system
• Integer overflow
– App attempts to use or create numeric value too big for
the available storage
– 8-bit storage
– 95 x 59 = 5,605 (needs at least 13 bits to store)
 Memory Vulnerabilities

• Buffer overflow and buffer overflow attack

– Occur when an application receives data that it
can’t handle
– Exposes system memory
– Often includes NOP instructions (such as x90)
– Can then insert malicious code into memory
– Input validation helps prevent buffer overflow
attacks
 Memory Vulnerabilities

• Pointer/object dereference
– A reference to a variable or object

– Pointer is the memory address of the variable or object

– If value is null results in error app tries to reference it

• Some compilers catch it and throw an error
• If compiler doesn’t catch it, a failed dereference operation can
cause app to crash
 Injection Attacks

• Dynamic Link Library (DLL) Injection

– attack that injects a DLL into a system’s memory
and causes it to run
• Lightweight Directory Access Protocol
Injection (LDAP)
– specifies the formats and methods used to query
databases of objects
 Injection Attacks

• Extensible Markup Language (XML) Injection

– Markup language commonly used to transfer data

• Directory traversal

– Attempts to access a file by including the full directory

path
 Application Attacks
• Web servers host web sites
– Apache
– IIS

• Protected by
placing in
screened subnet
 Application Attacks

• Cross-site scripting (XSS)

– Attackers embed malicious HTML or JavaScript
code
– Can be in web site or links in email
– Prevented with server-side input validation
– OWASP recommends use of library
 Application Attacks

• Cross-site request forgery (XSRF)

– Causes users to perform actions on websites
without their knowledge
– Attackers can use to steal cookies and harvest
passwords
– XSRF tokens successfully block this attack
 Application Attacks

• Server-Side Request Forgeries (SSRF)

– exploit how a server processes external
information

• Client-Side Request Forgeries

– occur if an attacker can inject code into the client-
side webpage
– use cookies
 Application Attacks

• Driver manipulation

– Shimming

– Refactoring code
 AI & ML
• Artificial intelligence (AI)
– Intelligence that machines can demonstrate
– Learn what works and keep doing it
– Learn what doesn’t work and stop
– Try new things

• Machine Learning (ML)

– Part of AI
– Technologies that help computer systems improve
with experience
 AI & ML

• Cybersecurity technologies
– Google uses machine learning to block as many as
100 million spam emails daily
– IBM’s Watson uses machine learning to detect
cyber threats as they’re happening
– The Balbix platform uses AI-powered risk
predictions to protect networks
 AI & ML

• Adversarial AI
– Attempts to fool AI models by supplying it with deceptive
input

• Tainted data (also known as data bias) for ML

– Can cause AI and ML systems to give inconsistent results

• Machine Learning Algorithms

– ML systems use algorithms to learn the environment
 Chapter 7 Summary

• Understanding Attack Frameworks

• Identifying Network Attacks
• Summarizing Secure Coding Concepts
• Identifying Malicious Code and Scripts
• Identifying Application Attacks
• Check out the free online resources