
Thursday, February 2, 2023

Security product notes

What is the best description of a worm?
malware that can independently replicate and spread without human intervention

What are the two words that make up the term "malware"?
"malicious" and "software"

What are the two words that make up the term "rootkit" and where do they come from?
“Root” refers to privileged access on a Unix operating system and “kit” refers to the various software components that make up the program.

Why are rootkits considered so dangerous?
They can gain and maintain privileged access undetected.

Types of malware

Malware categories include the following:

  • Worms. A worm is a standalone program that can self-replicate and spread over a network. Unlike a virus, a worm spreads by exploiting a vulnerability in the infected system or through email as an attachment masquerading as a legitimate file. A graduate student created the first worm (the Morris worm) in 1988 as an intellectual exercise. Unfortunately, it replicated itself quickly and soon spread across the internet.
  • Ransomware. As the name implies, ransomware demands that users pay a ransom—usually in bitcoin or other cryptocurrency—to regain access to their computer. The most recent category of malware is ransomware, which garnered headlines in 2016 and 2017 when ransomware infections encrypted the computer systems of major organizations and thousands of individual users around the globe.
  • Scareware. Many desktop users have encountered scareware, which attempts to frighten the victim into buying unnecessary software or providing their financial data. Scareware pops up on a user's desktop with flashing images or loud alarms, announcing that the computer has been infected. It usually urges the victim to quickly enter their credit card data and download a fake antivirus program.
  • Adware and spyware. Adware pushes unwanted advertisements at users and spyware secretly collects information about the user. Spyware may record the websites the user visits, information about the user's computer system and vulnerabilities for a future attack, or the user’s keystrokes. Spyware that records keystrokes is called a keylogger. Keyloggers steal credit card numbers, passwords, account numbers, and other sensitive data simply by logging what the user types.
  • Fileless malware. Unlike traditional malware, fileless malware does not download code onto a computer, so there is no malware signature for a virus scanner to detect. Instead, fileless malware operates in the computer's memory and may evade detection by hiding in a trusted utility, productivity tool, or security application. An example is Operation RogueRobin, which was uncovered in July 2018. RogueRobin is spread through Microsoft Excel Web Query files that are attached to an email. It causes the computer to run PowerShell command scripts, providing an attacker access to the system. As PowerShell is a trusted part of the Microsoft platform, this attack typically does not trigger a security alert. Some fileless malware is also clickless, so a victim does not need to click on the file to activate it.

What is a PE file?

The Portable Executable (PE) file format is the executable file format used on Windows (both x86 and x64).

As per Wikipedia, the portable executable (PE) format is a file format for executables, object code, DLLs, FON font files, and core dumps.

The PE file format is a data structure that contains the information necessary for the Windows OS loader to manage the wrapped executable code. Before the PE format, there was a format called COFF, used in Windows NT systems.
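To make the "data structure read by the loader" concrete, the following added example (not part of the original notes) parses the first PE headers: the `MZ` DOS header, the `e_lfanew` pointer, the `PE\0\0` signature and the COFF file header, then reports x86 vs x64. The function names and the header-only sample built by `build_sample` are assumptions made for the demo.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}      # IMAGE_FILE_MACHINE_I386 / _AMD64
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}    # optional-header magic values
IMAGE_FILE_DLL = 0x2000                        # COFF Characteristics flag


class NotPE(ValueError):
    """Raised when the buffer does not carry valid PE headers."""


def parse_pe_headers(data: bytes) -> dict:
    """Read the header fields the loader checks first; raise NotPE otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ (DOS) header")
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data):
        raise NotPE("e_lfanew points outside the file")
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    # The 20-byte COFF file header follows the signature.
    machine, sections, _ts, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    magic = None
    if opt_size >= 2 and pe_off + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": sections,
        "format": OPT_MAGIC.get(magic, "unknown"),
        "is_dll": bool(flags & IMAGE_FILE_DLL),
    }


def build_sample(machine: int, magic: int, flags: int) -> bytes:
    """Constructed header-only sample for the demo (not a runnable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt_size = 0xF0 if magic == 0x20B else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, flags)
    opt = struct.pack("<H", magic).ljust(opt_size, b"\0")
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    print(parse_pe_headers(build_sample(0x8664, 0x20B, 0x2022)))
    print(parse_pe_headers(build_sample(0x014C, 0x10B, 0x0102)))
```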

Explain Antimalware and antivirus solutions
The four main types of malware detection are:
  • Signature-based scanning. This is a basic approach that all antimalware programs use, including free ones. Signature-based scanners rely on a database of known virus signatures. The success of the scanner depends on the freshness of the signatures in the database.
  • Heuristic analysis. This detects viruses by their similarity to related viruses. It examines samples of core code in the malware rather than the entire signature. Heuristic scanning can detect a virus even if it is hidden under additional junk code.
  • Real-time behavioral monitoring solutions. These seek unexpected actions, such as an application sending gigabytes of data over the network. It blocks the activity and hunts the malware behind it. This approach is helpful in detecting fileless malware.
  • Sandbox analysis. This moves suspect files to a sandbox or secured environment in order to activate and analyze the file without exposing the rest of the network to potential risk.
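The difference between the first two approaches can be shown in a few lines. This added example (not from the original notes) treats a whole-file SHA-256 as the "signature" and an in-order match on core code fragments as the "heuristic"; all byte strings are constructed, harmless stand-ins, and the function names and the 0.6 threshold are assumptions.

```python
import hashlib

# Constructed, harmless stand-ins for file contents (not real malware).
KNOWN_SAMPLE = b"HDR\x90\x90CORE-ROUTINE-A\x00decode();connect();END"
JUNK = b"\x90" * 16
VARIANT = (b"HDR" + JUNK + b"CORE-ROUTINE-A" + JUNK + b"decode();"
           + JUNK + b"connect();END")          # same core code, padded with junk
BENIGN = b"HDRprint('hello');connect();END"

# Signature database: exact hashes of samples already seen.
HASH_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
# Core code fragments shared by the (constructed) family.
CORE_FRAGMENTS = [b"CORE-ROUTINE-A", b"decode();", b"connect();"]


def signature_scan(data: bytes) -> bool:
    """Exact match against the database; any changed byte defeats it."""
    return hashlib.sha256(data).hexdigest() in HASH_DB


def heuristic_score(data: bytes) -> float:
    """Fraction of core fragments found in order, ignoring bytes in between."""
    pos, hits = 0, 0
    for frag in CORE_FRAGMENTS:
        idx = data.find(frag, pos)
        if idx >= 0:
            hits += 1
            pos = idx + len(frag)
    return hits / len(CORE_FRAGMENTS)


def heuristic_scan(data: bytes, threshold: float = 0.6) -> bool:
    """Flag files that resemble the family closely enough."""
    return heuristic_score(data) >= threshold


if __name__ == "__main__":
    for name, blob in [("known", KNOWN_SAMPLE), ("variant", VARIANT),
                       ("benign", BENIGN)]:
        print(name, signature_scan(blob), round(heuristic_score(blob), 2))
```

The junk-padded variant slips past the hash lookup but still scores 1.0 on the heuristic, while the benign file shares only one fragment and stays below the threshold.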


What are the Steps of the Cyber Security Kill Chain?


Step 1: Reconnaissance
During the Reconnaissance phase, a malicious actor identifies a target and explores vulnerabilities and weaknesses that can be exploited within the network. As part of this process, the attacker may harvest login credentials or gather other information, such as email addresses, user IDs, physical locations, software applications and operating system details, all of which may be useful in phishing or spoofing attacks.

Reconnaissance is the first step in the cyber security kill chain and utilizes many different techniques, tools, and commonly used web browsing features including:
  • Search engines
  • Web archives
  • Public cloud services
  • Domain name registries
  • WHOIS command
  • Packet sniffers (Wireshark, tcpdump, WinDump, etc.)
  • Network mapping (nmap)
  • DIG command
  • Ping
  • Port scanners (Zenmap, TCP Port Scanner, etc.)
There is a wide range of tools and techniques used by hackers to gather information about their targets, each of which exposes different bits of data that can be used to find doors into your applications, networks, and databases which are increasingly becoming cloud based. It’s important that you secure your sensitive data behind cloud-based SASE defenses, encryption and secure web pages in order to prevent attackers from stumbling on compromising information while browsing through your publicly-accessible assets, including apps and cloud services.

Step 2: Weaponize
Once an attacker has gathered enough information about their target, they’ll choose one or several attack vectors to begin their intrusion into your space. An attack vector is a means for a hacker to gain unauthorized access to your systems and information. Attack vectors range from basic to highly technical, but the thing to keep in mind is that, for hackers, targets are often chosen by assessing cost vs. ROI.

Everything from processing power to time-to-value is a factor that attackers take into account. Typical hackers will flow like water to the path of least resistance, which is why it is so important to consider all possible entry points along the attack surface (the total set of points at which you are susceptible to an attack) and harden your security accordingly.

The most common attack vectors include:
  • Weak or stolen credentials
  • Remote access services (RDP, SSH, VPNs)
  • Careless employees
  • Insider attackers
  • Poor or no encryption
  • System misconfiguration
  • Trust relationships between devices/systems
  • Phishing (social engineering)
  • Denial of service attacks
  • Man-in-the-middle attacks (MITM)
  • Trojans
  • SQL injection attacks
  • And many others
Remember: a hacker only needs one attack vector to be successful. Therefore, your security is only as strong as its weakest point and it’s up to you to discover where those potential attack vectors are. Ransomware attacks continue to exploit remote access services to gain entry, make lateral movements, detect sensitive data for exfiltration, all before encrypting and making ransom requests.

So typically once an attacker is in, their next move is to find different ways to move laterally throughout your network or cloud resources and escalate their access privileges so their attack will gather the most valuable information, and they’ll stay undetected for as long as possible. Preventing this kind of behavior requires adopting “Zero Trust” principles, which, when applied to security and networking architecture, consistently demands reaffirmation of identity as users move from area to area within networks or applications.

Step 3: Delivery
Now that a hacker has gained access to your systems, they’ll have the freedom they need to deliver the payload of whatever they have in store for you (malware, ransomware, spyware, etc.). They’ll set up programs for all kinds of attacks, whether immediate, time-delayed or triggered by a certain action (logic bomb attack). Sometimes these attacks are a one-time move and other times hackers will establish a remote connection to your network that is constantly monitored and managed.

Malware detection with next-gen secure web gateways (SWGs) that decrypt TLS and inspect web and cloud traffic is a key component in preventing the delivery of these types of payloads. Attacks are increasingly cloud delivered, with 68% of malware using cloud delivery versus web delivery. Running inline threat scanning services for web and cloud traffic, along with accounting for the status of all endpoint devices, is crucial in ensuring your company is not infected with any malicious software.

Step 4: Exploit
Once the attacker’s intended payload is delivered, the exploitation of a system begins, depending on the type of attack. As mentioned before, some attacks are delayed and others are dependent on a specific action taken by the target, known as a logic bomb. These programs sometimes include obfuscation features that hide their activity and origin in order to prevent detection.

Once the executable program is triggered, the hacker will be able to begin the attack as planned, which leads us to the next few steps, encompassing different types of exploitations.


Step 5: Installation
Immediately following the Exploitation phase, the malware or other attack vector will be installed on the victim’s system. This is a turning point in the attack lifecycle, as the threat actor has entered the system and can now assume control.

If a hacker sees the opportunity for future attacks, their next move is to install a backdoor for consistent access to the target’s systems. This way they can move in and out of the target’s network without running the risk of detection by reentering through other attack vectors. These kinds of backdoors can be established through rootkits and weak credentials, and so long as their behavior doesn’t throw up any red flags to a security team (such as unusual login times or large data movements), these intrusions can be hard to detect. SASE architecture is uniting security defenses to collect rich metadata on users, devices, apps, data, activity and other attributes to aid investigations and enhance anomaly detection.


Step 6: Command and Control
In Command & Control, the attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.

Now that the programs and backdoors are installed, an attacker will take control of systems and execute whatever attack they have in store for you. Any actions taken here are solely for the purpose of maintaining control of their situation with the target, which can take all kinds of forms, such as planting ransomware, spyware, or other means for exfiltrating data in the future.

Unfortunately, once you learn of an intrusion and exfiltration, it is probably too late: the hackers have control of your system. That’s why it’s important to have safeguards that monitor and evaluate data movements for any suspicious activity. A machine is far more likely than any network administrator to detect and prevent malicious behavior quickly.

Step 7: Actions on Objective/Persist
In this stage, the attacker takes steps to carry out their intended goals, which may include data theft, destruction, encryption or exfiltration.

Over time, many information security experts have expanded the kill chain to include an eighth step: Monetization. In this phase, the cybercriminal focuses on deriving income from the attack, be it through some form of ransom to be paid by the victim or selling sensitive information, such as personal data or trade secrets, on the dark web.

Generally speaking, the earlier the organization can stop the threat within the cyber attack lifecycle, the less risk the organization will assume. Attacks that reach the Command and Control phase typically require far more advanced remediation efforts, including in-depth sweeps of the network and endpoints to determine the scale and depth of the attack. As such, organizations should take steps to identify and neutralize threats as early in the lifecycle as possible in order to minimize both the risk of an attack and the cost of resolving an event.