Understanding Cyber Intruders and Attacks

Intruders

• In networked systems, a major concern is hostile or unwanted access, where
intruders exploit vulnerabilities to gain unauthorized access to sensitive
data or systems.
• Intruders can reach a system locally (from inside the organization's
premises or network) or remotely via the network.
Real-world intrusion incidents in the field of
information security
• 1. Equifax Data Breach (2017)
• Overview: Equifax, one of the largest credit reporting agencies, suffered a
massive breach after attackers exploited an unpatched vulnerability in the
Apache Struts web application framework behind its consumer dispute portal;
a fix had been available for about two months. Personal data of roughly
147 million people was exposed.
• Outcome: Equifax faced significant public backlash, lawsuits and
regulatory scrutiny, and agreed to a settlement of up to $700 million with
the FTC, the CFPB and US states.
Target Corporation (2013)
• Target Corporation experienced a data breach during the holiday
shopping season, affecting millions of customers.
• Impact:
• Approximately 40 million credit and debit card numbers and 70
million customer records were stolen, including:
– Names
– Addresses
– Phone numbers
– Email addresses
• Cause:
• Attackers gained access through stolen credentials from a third-party
vendor (an HVAC contractor) and installed malware on Target's
point-of-sale systems.
Yahoo Data Breaches (2013-2014)
• Overview:
– Yahoo disclosed multiple data breaches occurring in 2013 and 2014,
revealed to the public in 2016.
• Impact:
– Over 3 billion user accounts were affected, compromising data such
as:
• Names
• Email addresses
• Phone numbers
• Birth dates
• Hashed passwords
• Yahoo faced:
– Criticism for its delayed response and lack of transparency.
– A $350 million reduction in the price Verizon paid to acquire it.
WannaCry Ransomware Attack (2017)
• Overview:
– WannaCry was a global ransomware attack impacting hundreds of
thousands of computers across 150 countries.
• Impact:
– Major organizations, including the UK's National Health Service
(NHS), were severely disrupted. The attack encrypted data and
demanded ransom payments in Bitcoin.
• Cause:
– Exploited a vulnerability in the SMBv1 implementation of Microsoft
Windows using the EternalBlue exploit, which had been leaked by the
Shadow Brokers group; Microsoft had patched the flaw (MS17-010) two
months before the outbreak. Because the exploit ran over SMB, WannaCry
spread from machine to machine as a worm, without any user action.
• Outcome: Highlighted the exposure of unpatched and end-of-life systems,
leading to increased investment in patching and other cybersecurity
measures across organizations globally.
There are three main classes of intruders:

• 1. Masquerader:
• Definition: A person who gains unauthorized access by
pretending to be a legitimate user.
• Example: Someone who steals login credentials and logs in as
another user, typically without any authorized privileges on
the system.
• Typical origin: Usually an outsider who has no legitimate account but
bypasses or subverts the authentication mechanism (stolen passwords,
hijacked sessions).
• Scenario: A hacker intercepts a user's session token and uses
it to access their account on a banking website, pretending to
be the legitimate user and making unauthorized transactions.
2. Misfeasor:

• Access: An insider (a legitimate user) who accesses data, programs, or
resources for which they are not authorized, or who is authorized but
misuses those privileges.
• Intent: They abuse their given privileges to perform actions they
shouldn't, often for malicious purposes.
• Scenario: An employee with access to customer data downloads sensitive
information and sells it to a competitor or uses it for personal gain,
violating company policy.
Clandestine User
• A Clandestine User is an intruder (either an outsider or an insider) who
seizes supervisory control of the system and uses it to evade auditing and
access controls, or to suppress audit collection altogether.
• Definition: They access a system and make sure their activities remain
hidden so that no one knows they are there.
• Example: Imagine a hacker breaking into a sensitive system, then
changing or deleting records (like security logs) to cover their tracks
and avoid getting caught.
• Competence Level: These intruders are usually highly skilled and can
avoid detection by security systems like Intrusion Detection Systems
(IDS).
• Scenario: An attacker infiltrates a government agency's network to
steal sensitive information, such as defense strategies, while
carefully covering their tracks to avoid detection by security systems.
Varying Levels of Competence:
• Low-Skill Attackers (Script Kiddies): Use pre-made tools
to exploit known vulnerabilities without understanding
how they work.
• Intermediate Attackers: Have a good grasp of system
vulnerabilities and can modify or craft attacks to exploit
these.
• Advanced Persistent Threats (APTs): These attackers
possess advanced technical skills and are usually part of
well-funded organizations (e.g., nation-states, corporate
spies) focused on long-term, stealthy intrusions.
Intrusion Techniques
• 1. Target Acquisition and Information Gathering
• Objective: The attacker identifies potential targets
and gathers as much information as possible about
the system and its users.
• Methods: This may involve scanning networks,
social engineering, and using tools to collect data
such as:
– Usernames and roles
– Network architecture
– Software versions and vulnerabilities
2. Initial Access
• Objective: The attacker seeks to gain entry into
the target system.
• Methods: Techniques may include:
– Phishing: Sending fraudulent emails to trick users into
revealing credentials.
– Exploiting Vulnerabilities: Using known vulnerabilities
in software or operating systems to gain access.
– Malware: Deploying malicious software to
compromise a system and create a backdoor for
further access.
3. Privilege Escalation

• Objective: Once inside the system, the attacker aims to gain higher
privileges (such as administrative access) to perform more impactful
actions.
• Methods: This can be achieved through:
– Exploiting Misconfigurations: Finding security
misconfigurations that allow for elevated privileges.
– Credential Harvesting: Acquiring passwords or tokens
through keylogging, dumping memory, or exploiting weak
password policies.
– Using Tools: Employing specialized tools that automate the
process of privilege escalation.
4. Covering Tracks
• Objective: The attacker aims to hide their presence
and actions to avoid detection by security systems
and administrators.
• Methods: Techniques can include:
– Log Manipulation: Altering or deleting logs to remove
evidence of unauthorized access.
– Rootkits: Installing software that allows continued access
and hides the attacker's presence from security software.
– Using Encryption: Encrypting command-and-control traffic and staged
data so that network monitoring cannot inspect its contents.
Key Goal: Acquiring Passwords
• Explanation:
A common aim in this attack methodology is to acquire
passwords, which allows the attacker to exercise the access
rights of the account owner.
• Outcome: With acquired credentials, the attacker can:
• Access Sensitive Information: Gain access to confidential files,
databases, or applications.
• Move Laterally: Navigate through the network to compromise
other systems and accounts, increasing the scope of the attack.
• Execute Malicious Actions: Perform actions such as data
exfiltration, system damage, or deploying further malware that
can compromise the entire organization.
What is Password Guessing?

Password guessing is one of the most common types of cyber attacks. In this
method, attackers attempt to figure out someone's password to gain
unauthorized access to their accounts, such as email or social media.
How It Works

• Known Login:
– Attacker starts with a username or login (like an email address) obtained from
various sources (phishing, leaks, public profiles).
• Default Passwords:
– Many systems have default passwords (e.g., "admin", "password"). Attackers
try these first.
• Short Passwords:
– Simple and short passwords (like "1234" or "abcd") are often targeted as they
are easier to guess.
• Dictionary Attacks:
– Attackers use lists of common words or phrases to guess passwords.
• Intelligent Guessing:
– Variations on the user’s name, birthdays, phone numbers, and shared
interests may be attempted.
What is Password Capture?

• Password capture is a type of cyber attack where an attacker obtains a
user's password directly (by observing, recording or intercepting it)
rather than guessing it.
• This allows the attacker to impersonate the user and gain unauthorized
access to their accounts.
Methods of Password Capture

• Shoulder Surfing:
– Description: An attacker physically observes a user as they enter their
password, typically in public places like cafes, airports, or offices.
– How It Works: The attacker stands close enough to watch the user
type their password on a keyboard or touchscreen, capturing the
information without any technical tools.
• Trojan Horse Programs:
– Description: These are malicious software programs disguised as
legitimate applications.
– How It Works: Once installed on a user's device (often without their
knowledge), the Trojan horse can log keystrokes, capturing passwords
as they are entered. This data is then sent back to the attacker, who
can use it to access accounts.
Methods of Password Capture
• Monitoring Insecure Network Logins:
– Description: Many older protocols (like Telnet, FTP) do not encrypt
data transmitted over the network.
– How It Works: Attackers can intercept unencrypted data, including
usernames and passwords, when users log in to their accounts.
This can occur on public Wi-Fi networks or insecure connections.
• Extracting Recorded Information:
– Description: After compromising a device or account, attackers may
extract credentials that are stored on it.
– How It Works: Browser-saved passwords, cached session tokens, password
manager databases and configuration files often hold additional
credentials, letting the attacker pivot to further accounts and
systems.
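What "monitoring insecure network logins" yields in practice, as an added example that is not from the original deck. The capture is a constructed client-to-server FTP control stream, already split into TCP segment payloads, with the PASS command deliberately broken across two segments; that is why the code reassembles the stream before looking for commands. The second constructed session shows the counter-measure: once the client issues AUTH TLS, everything after the handshake is ciphertext (the bytes shown stand in for a TLS record and are not a real handshake) and nothing can be recovered.

```python
import re

# Constructed captures of the client -> server side of two FTP control
# connections, one entry per TCP segment payload, as a sniffer on the
# path would see them. PLAIN_SESSION is ordinary FTP with the PASS command
# split across two segments. TLS_SESSION upgrades to TLS before
# authenticating, so USER/PASS travel encrypted (the binary bytes are a
# stand-in for ciphertext, not a real TLS handshake).
PLAIN_SESSION = [
    b"USER alice\r\n",
    b"PA",
    b"SS hunter2\r\nSYST\r\n",
    b"CWD /reports\r\n",
    b"RETR q3-financials.xlsx\r\n",
]
TLS_SESSION = [
    b"AUTH TLS\r\n",
    b"\x16\x03\x03\x00\x8a\x01\x00\x00\x86\x03\x03",  # ClientHello begins
    b"\x17\x03\x03\x00\x2a\x9f\x1c\x54\xd2\x08",      # encrypted application data
]

CMD = re.compile(rb"^(USER|PASS|AUTH)\s*(.*)$", re.IGNORECASE)

def extract_ftp_credentials(segments):
    """Reassemble the stream and return the (user, password) pairs in it.

    FTP sends USER and PASS as plain-text lines, so a passive observer
    recovers them by simple matching once the TCP payloads are joined back
    together. Returns an empty list if the client switched to TLS before
    authenticating, because nothing after the handshake is readable."""
    stream = b"".join(segments)
    creds, user = [], None
    for line in stream.split(b"\r\n"):
        m = CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2).decode("ascii", "replace")
        if cmd == b"AUTH" and arg.upper().startswith("TLS"):
            break
        if cmd == b"USER":
            user = arg
        elif cmd == b"PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds
```

Reassembling before matching matters beyond this toy: a sniffer that inspects segments individually misses the split "PA" / "SS hunter2" pair, and the same is true of detection tooling looking for the sensitive RETR that follows.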
The Reality of Security Failures
• Inevitability of Failures:
– No security system is perfect. Even the best-
designed systems can have vulnerabilities or
mistakes that allow intruders to break in. This
could happen due to software bugs,
misconfigurations, or human errors. Because of
this, it’s crucial to assume that breaches will
happen at some point.
Intrusion detection
• Detecting Intrusions:
• Purpose: Intrusion detection systems (IDS) are designed to monitor
networks and systems for suspicious activities or violations of security
policies.
• Function: When a potential intrusion is detected, the system can alert
security personnel, allowing them to respond quickly to block the
threat.
• Quick Response:
• Blocking Attacks: If an intrusion is detected quickly, it allows the
organization to take immediate action to block the attack, minimizing
damage and data loss.
• Example: If an attacker is trying to exploit a vulnerability, a quick
detection can stop them before they can gain access to sensitive data.
Intrusion detection
• Deterrence:
• Act as a Deterrent: Knowing that an intrusion detection system is in
place can deter potential attackers from trying to breach the system.
They may think twice before attempting an attack if they know they
might be caught.
• Collecting Information:
• Improving Security: Intrusion detection systems collect data about
attacks, such as how they happened, what methods were used, and
what was targeted. This information is valuable for improving
security measures in the future.
• Example: If a particular type of attack is detected frequently, the
organization can strengthen its defenses against that specific threat.
Behavior of Intruders vs. Legitimate Users

• Assuming Different Behavior:
– Intruder vs. Legitimate User: Intruders typically behave differently
from legitimate users. For instance, they may attempt to access
unauthorized areas of a system, use different login patterns, or perform
actions that are not typical for a regular user.
– Indicators of Intrusion: Certain behaviors, like trying
to access multiple accounts in a short time or making
repeated failed login attempts, can indicate malicious
intent.
Imperfect Distinction:
– Challenges in Detection: While there are
differences between intruder behavior and
legitimate user behavior, it’s not always easy to tell
them apart. Some legitimate users might have
unusual behavior due to legitimate reasons (like
working late or using a new device).
– False Positives: This can lead to false positives,
where the system mistakenly identifies a legitimate
user as an intruder. This can frustrate users and
create additional workload for security teams.
audit record
• An audit record in information security is a
documented log that captures information
about various activities or events occurring
within a system or network.
• These records are critical for ensuring
accountability, compliance, and security
monitoring. Here's a detailed explanation:
Key Components of Audit Records

• Event Details:
– What Happened: Describes the specific action or
event, such as user logins, file access, system
changes, or security alerts.
– Timestamp: The date and time when the event
occurred, allowing for chronological tracking.
• User Identification:
– Who Did It: Records the identity of the user or
entity performing the action, often including
usernames or user IDs.
Key Components of Audit Records

• Source Information:
• Where It Came From: Captures the IP address, device ID, or
location from which the action originated, providing context
about the source of access or activity.
• Outcome:
• Result of the Action: Indicates whether the action was
successful, failed, or resulted in an error, helping to assess
potential issues or breaches.
• System Components Involved:
• Affected Systems or Resources: Identifies which systems,
applications, or resources were involved in the event, aiding in
pinpointing areas of concern.
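A minimal audit record carrying exactly the components listed above, as an added example rather than any particular product's log format. Each record is a JSON-serialisable object chained to its predecessor by a SHA-256 hash, so the log manipulation described under "Covering Tracks" (editing or deleting entries) is detectable when the chain is verified. The record contents are constructed. The one limitation the code also demonstrates is that cutting records off the end of the chain is not detected unless the latest hash is also held somewhere the attacker cannot reach (forwarded in real time to a separate log server, or periodically anchored elsewhere).

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first record

def _digest(body: dict) -> str:
    """Hash of the canonical JSON form, so field order cannot change it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def append_record(log, ts, event, user, source, outcome, resource):
    """Append one audit record: what happened, when, who, from where, with
    what result, on which resource, chained to the previous entry."""
    body = {
        "ts": ts, "event": event, "user": user, "source": source,
        "outcome": outcome, "resource": resource,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append({**body, "hash": _digest(body)})
    return log

def verify_chain(log):
    """Return (True, None) if every record's hash matches its contents and
    links to the record before it, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return False, i
        prev = rec["hash"]
    return True, None

def sample_log():
    """Constructed records for a short period, ending with a brute-force
    success on 'admin' from an external address and a sensitive read."""
    log = []
    append_record(log, "2024-05-03T08:02:11Z", "login", "jsmith", "10.0.4.17", "success", "vpn")
    append_record(log, "2024-05-03T08:15:40Z", "file_read", "jsmith", "10.0.4.17", "success", "/finance/q3.xlsx")
    append_record(log, "2024-05-03T23:41:02Z", "login", "admin", "203.0.113.9", "failure", "ssh")
    append_record(log, "2024-05-03T23:41:09Z", "login", "admin", "203.0.113.9", "success", "ssh")
    append_record(log, "2024-05-03T23:42:30Z", "file_read", "admin", "203.0.113.9", "success", "/etc/shadow")
    return log

def delete_record(log, index):
    """What an intruder covering tracks does: drop the incriminating entry."""
    return log[:index] + log[index + 1:]

def edit_record(log, index, **changes):
    """Or rewrite it, e.g. replace the external source IP with an internal one."""
    edited = [dict(r) for r in log]
    edited[index].update(changes)
    return edited
```

Deleting or editing any record in the middle breaks the link held by the record that follows it, so verification points at the exact position of the tampering. Deleting the last record leaves a perfectly valid shorter chain, which is why the most recent hash (or the whole stream) has to leave the host as it is written.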
• 4. Sony Pictures Hack (2014)
• Incident: The Sony Pictures cyber attack led to the leaking of confidential information,
including employee data, internal emails, and unreleased films, and to the destruction of
data on company systems by wiper malware.
• Audit Record Detection: Suspicious activity in audit logs, such as unusual data transfers
and system access from unfamiliar IP addresses, was identified only after the attack.
• Outcome: Sony suffered reputational and financial damage, leading to improved security
measures post-breach.
• 5. Capital One Breach (2019)
• Incident: A former Amazon Web Services (AWS) employee exploited a misconfigured web
application firewall in Capital One's AWS environment to obtain temporary cloud
credentials, then used them to read storage holding data of roughly 100 million US and
6 million Canadian customers.
• Audit Record Detection: Capital One learned of the breach from an outside tip to its
responsible-disclosure mailbox, months after the intrusion; the cloud audit logs recording
the stolen credentials' activity were then used to reconstruct what had been accessed.
• Outcome: Capital One was fined $80 million by the OCC for failing to protect data properly.
• 6. Edward Snowden's NSA Leaks (2013)
• Incident: Edward Snowden, a former NSA contractor, leaked classified documents revealing
global surveillance programs.
• Audit Record Detection: Snowden identified himself publicly days after the first stories
ran; post-incident review of access and download records was then used to establish the
scope of what had been taken.
• Outcome: The leak sparked global debates on privacy, security, and government
surveillance, leading to reforms in intelligence practices.
Approaches to Intrusion Detection
• statistical anomaly detection
– threshold
– profile based
• rule-based detection
– anomaly
– penetration identification
statistical anomaly detection
• this method works by watching how a network or system normally
behaves over time to understand what "normal" looks like. If
something unusual happens that doesn't fit with this normal
behavior, it gets marked as suspicious or possibly harmful, like an
alert that something might be wrong.

• How It Works:
• Data Collection: The system collects data about typical user behavior
or network traffic patterns over time.
• Baseline Creation: Using statistical methods, the system determines
what constitutes "normal" activity. For example, it might analyze the
average number of login attempts, the typical times users access the
system, or common data access patterns.
• Anomaly Detection: When new data is collected, the system checks
for deviations from the established baseline. If an activity is
statistically unusual (like an unusually high number of login attempts
from one user), it is flagged for further investigation.
Threshold-Based Detection:
• Overview: This approach sets predefined limits (thresholds)
for various metrics. If the monitored activity exceeds these
thresholds, it triggers an alert.
• How It Works:
– Threshold Establishment: Security analysts determine acceptable
limits for certain activities, such as the maximum number of failed
login attempts within a specific time frame or the allowable data
transfer rates.
– Monitoring: The system continuously monitors these metrics in real
time.
– Alert Generation: When the monitored activities exceed the
established thresholds, the system generates an alert for security
personnel to investigate.
Profile-Based Detection:

• Overview: This method builds detailed profiles for individual users or
systems based on their normal behavior. Any deviation from this
established profile is treated as a potential intrusion.
• How It Works:
– User Profiling: The system analyzes each user’s typical behavior,
including login times, accessed resources, and usage patterns.
– Behavior Monitoring: It continuously compares current user activity
against their established profile.
– Alert Generation: If a user exhibits behavior that significantly differs
from their profile (e.g., logging in at an unusual time or accessing files
they typically don’t), the system flags this for investigation.
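Both statistical approaches above applied to the same constructed audit records, as an added example (not code from the original deck): a sliding-window threshold on failed logins per source address, and per-user profiles (mean and standard deviation of login hour and of transfer size) with a z-score test against them. HISTORY is a constructed ten-day baseline of legitimate activity; NEW is a constructed day that includes an off-hours login from an unfamiliar address, an outsized transfer and a brute-force run against "admin". Hour-of-day is treated as a plain number here; a production profile should treat it as circular (23:00 and 01:00 are two hours apart), and the baseline must come from a period known to be clean, or the attacker's own behaviour becomes part of "normal".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Audit records as tuples: (timestamp, user, event, outcome, source, bytes).
def at(day, hour, minute=0):
    return datetime(2024, 5, day, hour, minute)

# Constructed baseline: ten days of legitimate logins and transfers.
HISTORY = []
for day in range(1, 11):
    HISTORY += [
        (at(day, 8 + day % 3), "jsmith", "login", "success", "10.0.4.17", 0),
        (at(day, 10), "jsmith", "transfer", "success", "10.0.4.17", 2_000_000 + 100_000 * (day % 4)),
        (at(day, 9 + day % 2), "rkumar", "login", "success", "10.0.4.22", 0),
        (at(day, 11), "rkumar", "transfer", "success", "10.0.4.22", 500_000 + 50_000 * (day % 3)),
    ]

# Constructed period under observation.
NEW = [
    (at(12, 9, 5), "jsmith", "login", "success", "10.0.4.17", 0),             # normal
    (at(12, 10, 0), "rkumar", "login", "success", "10.0.4.22", 0),            # normal
    (at(12, 10, 30), "jsmith", "transfer", "success", "10.0.4.17", 2_250_000), # normal
    (at(12, 3, 0), "jsmith", "login", "success", "198.51.100.7", 0),          # 3 AM, odd address
    (at(12, 3, 20), "jsmith", "transfer", "success", "198.51.100.7", 40_000_000),  # 20x usual
] + [
    (at(12, 2, m), "admin", "login", "failure", "203.0.113.9", 0) for m in range(6)
] + [
    (at(12, 2, 6), "admin", "login", "success", "203.0.113.9", 0),            # brute force worked
]

def threshold_failed_logins(records, limit=5, window=timedelta(minutes=5)):
    """Threshold detection: alert when one source accumulates `limit` failed
    logins inside a sliding `window`. Alerts once per burst."""
    alerts, recent = [], defaultdict(deque)
    for ts, user, event, outcome, src, _ in sorted(records, key=lambda r: r[0]):
        if event != "login" or outcome != "failure":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            alerts.append((src, ts, len(q)))
            q.clear()
    return alerts

def build_profiles(history):
    """Profile-based detection, step 1: per user, mean and standard
    deviation of login hour and of bytes moved per transfer."""
    hours, sizes = defaultdict(list), defaultdict(list)
    for ts, user, event, outcome, _, nbytes in history:
        if event == "login" and outcome == "success":
            hours[user].append(ts.hour)
        elif event == "transfer":
            sizes[user].append(nbytes)
    return {
        u: {"hour_mean": mean(hours[u]), "hour_sd": pstdev(hours[u]),
            "bytes_mean": mean(sizes[u]) if sizes[u] else 0.0,
            "bytes_sd": pstdev(sizes[u]) if sizes[u] else 0.0}
        for u in hours
    }

def zscore(x, m, sd):
    return 0.0 if sd == 0 else (x - m) / sd

def profile_anomalies(profiles, records, z_limit=3.0):
    """Profile-based detection, step 2: flag activity more than `z_limit`
    standard deviations from the user's own baseline, and any successful
    login by a user who has no baseline at all."""
    alerts = []
    for ts, user, event, outcome, _, nbytes in records:
        if not (event == "transfer" or (event == "login" and outcome == "success")):
            continue
        p = profiles.get(user)
        if p is None:
            alerts.append((user, ts, "no profile for user"))
        elif event == "login":
            z = zscore(ts.hour, p["hour_mean"], p["hour_sd"])
            if abs(z) > z_limit:
                alerts.append((user, ts, f"login hour z={z:+.1f}"))
        else:
            z = zscore(nbytes, p["bytes_mean"], p["bytes_sd"])
            if z > z_limit:
                alerts.append((user, ts, f"transfer size z={z:+.1f}"))
    return alerts
```

On this data the threshold rule fires once for 203.0.113.9, and the profile check flags jsmith's 3 AM login (about eight standard deviations from a 9 AM mean), the 40 MB transfer, and the successful "admin" login for which no baseline exists; the 2.25 MB transfer at 10:30 stays under the limit. The threshold rule says nothing about the success that followed the failures, which is why the two approaches are used together.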
Rule-Based Intrusion Detection

• Rule-Based Intrusion Detection systems (IDS) work by monitoring a
system's events and activities, comparing them against a predefined set
of rules to determine whether certain behaviors are suspicious or
malicious.
• These rules are based on known patterns of attacks
or improper use of the system, and the system
applies them in real time to identify possible
security breaches.

Example of Rule-Based Intrusion Detection:

• Suppose the system observes that a user normally logs in during work
hours (9 AM to 5 PM).
• A rule might be generated stating that login attempts outside these
hours are abnormal (this is a rule derived from observed behavior, the
rule-based anomaly variant described below, rather than a signature of a
known attack).
• If the system detects the user logging in at 3 AM, it flags this as
suspicious since it deviates from the established normal pattern.
How Rule-Based Intrusion Detection Works:
• Observing System Events:
– The system constantly monitors various activities and events on the
network or computer system, such as user logins, file access, network
traffic, and system resource usage.
• Applying Rules:
– A set of predefined rules or signatures are used to analyze these
activities. These rules are based on known attack patterns (such as
brute force login attempts, unauthorized access to sensitive files, etc.).
– The IDS compares the observed behavior with the rules to decide if the
activity is suspicious or normal.
• Decision Making:
– If an event violates one of the rules (e.g., too many failed login
attempts in a short period), it is flagged as suspicious, and an alert is
generated.
– If the activity conforms to the rules, it is treated as normal.
Rule-Based Anomaly Detection

• Rule-Based Anomaly Detection is a variation of rule-based detection that
focuses on identifying unusual behaviors or anomalies in system usage
patterns rather than specific known attack patterns.
• This method analyzes the historical usage
data of the system and generates rules that
define what “normal” behavior looks like.
Example
• 1. Learning "Normal" Behavior:
• The system builds rules like:
• Rule 1: Normal login times are between 8:00 AM and 6:00 PM.
• Rule 2: No logins should occur on weekends or late at night.
• 2. Detecting Anomalies:
• Now, the system monitors activity. Here’s what could trigger an alert:
• Anomaly 1: An employee logs in at 2:00 AM. This deviates from the
usual login time and is flagged as suspicious. The system generates
an alert because the rule (normal login time) has been violated.
• Anomaly 2: An employee logs in on a Sunday afternoon. Since
weekends are typically non-working days, the system flags this as
unusual and suspicious.
How Rule-Based Anomaly Detection Works:

• Analyzing Historical Data:
– The system first looks at past audit records (logs of activities like file access,
network usage, or user login patterns) to understand normal behavior.
– Based on this historical data, the system automatically generates rules that
define what is considered normal usage.
• Monitoring Current Behavior:
– After establishing a baseline of normal behavior, the system monitors the
current system activities in real time.
• Matching Behavior to Rules:
– The current behavior is continuously compared against the generated
rules.
– If the current activity conforms to the rules (i.e., matches historical
patterns of normal usage), it is treated as normal.
– If it deviates significantly from these rules, it is flagged as suspicious, as it
may indicate an anomaly or potential attack.
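The rule-generation step described above in code, as an added example that is not from the original deck. Unlike a statistical profile, the output here is a set of explicit, readable rules per user (an allowed login-hour window, the weekdays on which logins were seen, the /24 networks they came from), mined automatically from constructed historical login records; check_login then returns the list of rules a new login breaks, so an analyst sees which rule fired rather than a single score. The `slack_hours` widening and the /24 grouping are the example's own assumptions about how much tolerance a rule should carry.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

def day_at(day, hour):
    return datetime(2024, 5, day, hour)

# Constructed baseline: successful logins (timestamp, user, source IP) over
# the first two weeks of May 2024, working days only.
HISTORY = [
    (day_at(d, 8 + d % 3), "jsmith", "10.0.4.17")
    for d in range(1, 15) if day_at(d, 0).weekday() < 5
] + [
    (day_at(d, 9), "rkumar", f"10.0.4.{20 + d % 2}")
    for d in range(1, 15) if day_at(d, 0).weekday() < 5
]

def generate_rules(history, slack_hours=1):
    """Derive per-user rules from what the logs show: an allowed login-hour
    window (widened by `slack_hours` on each side), the weekdays seen, and
    the /24 networks logins came from."""
    seen = defaultdict(lambda: {"hours": set(), "days": set(), "nets": set()})
    for ts, user, src in history:
        s = seen[user]
        s["hours"].add(ts.hour)
        s["days"].add(ts.weekday())
        s["nets"].add(ipaddress.ip_network(f"{src}/24", strict=False))
    return {
        user: {
            "hour_min": max(0, min(s["hours"]) - slack_hours),
            "hour_max": min(23, max(s["hours"]) + slack_hours),
            "weekdays": frozenset(s["days"]),
            "networks": frozenset(s["nets"]),
        }
        for user, s in seen.items()
    }

def check_login(rules, ts, user, src):
    """Return the rules a login violates; an empty list means 'normal'."""
    r = rules.get(user)
    if r is None:
        return ["no baseline for user"]
    violations = []
    if not r["hour_min"] <= ts.hour <= r["hour_max"]:
        violations.append(f"hour {ts.hour} outside {r['hour_min']}-{r['hour_max']}")
    if ts.weekday() not in r["weekdays"]:
        violations.append(f"login on {ts.strftime('%A')}")
    if not any(ipaddress.ip_address(src) in net for net in r["networks"]):
        violations.append(f"source {src} outside known networks")
    return violations
```

The rules are only as good as the history: two weeks of weekday logins produce a rule that flags every weekend login as anomalous, which is correct for this user and a false positive for someone who is on call. Re-mining the rules periodically, and reviewing them before they go live, is part of running this kind of system.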
Rule-based penetration identification
• Rule-based penetration identification is a method
used to detect security breaches or attempts to
exploit vulnerabilities in a system by relying on a set
of predefined rules.
• These rules are created based on known attack
patterns, system weaknesses, or suspicious
behaviors that experts have identified.
• It primarily uses expert systems technology to
detect potential penetrations (unauthorized access)
into the system.
Key Concepts Explained in Detail:

• 1. Expert Systems Technology: In rule-based penetration identification,
the system uses expert knowledge to detect suspicious activity.
• Security experts create rules that define what malicious activities look
like (e.g., common hacking attempts, known vulnerabilities).
• The expert system then applies these rules in real time to identify
penetration attempts.
2. Rules Identifying Known Penetration, Weakness Patterns, or
Suspicious Behavior:

• Known Penetrations: These are security breaches or exploits that have
been previously discovered, like SQL injection attacks, buffer
overflows, or privilege escalation.
• Weakness Patterns: These are vulnerabilities in the system (e.g.,
unpatched software, open ports) that could be exploited by attackers.
For instance, if an operating system has a flaw that allows
unauthorized users to access sensitive files, a rule would be set up to
watch for attempts to exploit this flaw.
• Suspicious Behavior: This includes unusual system activity, such as:
• Multiple failed login attempts from the same user.
• Unusual file access patterns.
• Abnormal network traffic, like a large number of data transfers outside
regular business hours.
3. Rules Generated by Experts:

• Role of Security Experts: Experts who have deep knowledge of system
security and potential attack methods interview security
administrators and system users, and review attack data, to create
rules that identify vulnerabilities and threats.
• Codification of Knowledge:
– Experts translate their knowledge into a series of rules that
the expert system uses to detect potential threats.
– These rules are the foundation of the penetration detection
system, and their quality is critical to how well the system
performs.
4. Quality of Rules Depends on Experts:

• Why It Matters: The effectiveness of rule-based penetration
identification is directly linked to how well the rules are written. If
the rules are too broad or poorly defined, the system may:
– Generate false positives: Flagging legitimate behavior
as suspicious (e.g., mistaking a legitimate user’s login
attempt as an attack).
– Miss real threats: Failing to detect new or advanced
attacks because the rules don’t cover them.
5. Comparison of Audit Records or System
States Against Rules:
• The rule-based system compares audit records against
the predefined rules.
• The system collects data from system logs or audit
trails.
• It applies the rules to this data to see if any of the
logged activities match known penetration patterns or
weaknesses.
• System States: The rule-based system can also monitor
the current state of the system (such as memory usage,
active processes, and network connections) to detect
anomalies that suggest an attack.
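A small rule engine of the kind this section describes, as an added example that is not from the original deck: expert-written rules for each of the three categories above (known penetration patterns, a weakness pattern, suspicious behavior that needs state across records) run over constructed audit records, plus a system-state rule applied to a constructed snapshot of listening sockets. The record shape, the signatures and the allow-lists are the example's own assumptions; a real deployment would first normalise syslog, web-server and authentication logs into one such shape.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed audit records, normalised to one dict shape.
AUDIT = [
    {"ts": "2024-05-12T02:00:10", "src": "203.0.113.9", "event": "login", "user": "alice", "outcome": "failure"},
    {"ts": "2024-05-12T02:00:14", "src": "203.0.113.9", "event": "login", "user": "bob", "outcome": "failure"},
    {"ts": "2024-05-12T02:00:19", "src": "203.0.113.9", "event": "login", "user": "carol", "outcome": "failure"},
    {"ts": "2024-05-12T02:03:00", "src": "198.51.100.7", "event": "http", "user": "-", "uri": "/items?id=1%27%20OR%201%3D1--"},
    {"ts": "2024-05-12T02:03:05", "src": "198.51.100.7", "event": "http", "user": "-", "uri": "/static/%2e%2e/%2e%2e/etc/passwd"},
    {"ts": "2024-05-12T02:04:40", "src": "10.0.4.17", "event": "file_read", "user": "jsmith", "outcome": "success", "path": "/etc/shadow"},
    {"ts": "2024-05-12T09:12:00", "src": "10.0.4.22", "event": "http", "user": "rkumar", "uri": "/items?id=42"},
    {"ts": "2024-05-12T09:12:30", "src": "10.0.4.22", "event": "login", "user": "rkumar", "outcome": "success"},
]

# Expert-written signatures: known penetration and weakness patterns.
SQLI = re.compile(r"""('|")\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|;\s*drop\s+table""", re.I)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
PRIVILEGED_FILES = {"/etc/shadow", "/etc/sudoers"}
ADMINS = {"root"}

def rule_sql_injection(rec, ctx):
    """Known penetration: SQL injection tokens in a (URL-decoded) request."""
    return rec["event"] == "http" and bool(SQLI.search(unquote(rec["uri"])))

def rule_path_traversal(rec, ctx):
    """Known penetration: '..' segments, including percent-encoded ones."""
    return rec["event"] == "http" and bool(TRAVERSAL.search(unquote(rec["uri"])))

def rule_privileged_file(rec, ctx):
    """Weakness pattern: a non-admin account reading a protected file."""
    return (rec["event"] == "file_read" and rec.get("path") in PRIVILEGED_FILES
            and rec["user"] not in ADMINS)

def rule_password_spray(rec, ctx, distinct=3, window=timedelta(minutes=10)):
    """Suspicious behavior that needs state across records: one source
    failing logins to `distinct` different accounts within `window`."""
    if rec["event"] != "login" or rec["outcome"] != "failure":
        return False
    ts = datetime.fromisoformat(rec["ts"])
    hist = ctx.setdefault("failures", defaultdict(list))[rec["src"]]
    hist.append((ts, rec["user"]))
    hist[:] = [(t, u) for t, u in hist if ts - t <= window]
    return len({u for _, u in hist}) >= distinct

RULES = [
    ("sql_injection", rule_sql_injection),
    ("path_traversal", rule_path_traversal),
    ("privileged_file_read", rule_privileged_file),
    ("password_spray", rule_password_spray),
]

def run_rules(records):
    """Compare every audit record against every rule; return (rule, ts, src)
    for each match. `ctx` carries the state the stateful rules need."""
    ctx, hits = {}, []
    for rec in records:
        for name, rule in RULES:
            if rule(rec, ctx):
                hits.append((name, rec["ts"], rec["src"]))
    return hits

def check_system_state(listening, allowed_ports=frozenset({22, 443})):
    """System-state rule: a process listening on a port outside the approved
    set (a bind shell, for instance). `listening` is a constructed snapshot
    of (pid, process name, port) as a tool such as `ss -ltnp` reports."""
    return [entry for entry in listening if entry[2] not in allowed_ports]
```

The percent-decoding before matching is the detail that most often goes wrong in home-grown signatures: "%2e%2e%2f" is as much a traversal as "../", and the quote in the injection example arrives as "%27". The benign requests and the successful rkumar login produce no hits, and the spray rule fires only once, on the third distinct account, rather than on every failure.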
