Welcome, and in this video course we are looking at the CyberOps Associate version 1 course. This course is going to cover the skills and knowledge needed for successfully handling the tasks, duties and responsibilities of an associate-level security analyst working at a security operations center. The goal of this video series is to help prepare learners for the Cisco 200-201 certification, that's focusing on Understanding Cisco Cybersecurity Operations Fundamentals, known as CBROPS.

Module 14: Common Threats and Attacks. So in this video we're looking at malware and common attacks, things like reconnaissance, access, social engineering, denial of service, buffer overflows and evasion. So again, we're covering a light explanation of these, not super in-depth, but at least for a basic level of understanding.

So, first group: malware. First of all, there are different types of malware. Normally we refer to malware as code or software that is designed to do some damage; that means it can disrupt, steal, inflict or do other things that might do damage, things that consume time, things like that. There are some common versions of malware. Even though we like to think of the term virus as just a virus, a virus is a type of malware; worms and trojans are all different forms of malware. So the interesting part is, when we get used to actually being able to describe the different malicious code as what it is, it makes it easier. So again, the most common ones (this is not a complete list, this is just the common ones): viruses, worms, trojans. We also have things that might be like adware or ransomware or other versions of malware.

All right, so let's look at viruses a little bit more in depth. So a virus is a type of malware, and it spreads itself by making a copy of itself in another program. So after the program is run, the virus then spreads its code further and further, thus infecting as many computers as possible. A simple virus may install itself in one line of code, maybe the 50th line of code;
it just kind of depends on the sophistication of the virus. Viruses sometimes can be harmless, sometimes they can be very harmful; it really just depends on the motives behind the virus. Most viruses are spread by removable media and email. These are the most common ways of distributing viruses, email being number one and removable media being number two.

Trojan horses. This is also malware. It's software that appears to be legitimate but may contain malicious code. So just like a trojan horse, as in the Trojan War, it pretty much comes in pretending to be something legit, and in reality inside is some malicious content. Users are commonly tricked into loading an executable that the trojan horse is part of, thus being able to load it on their system. The code is fairly flexible; some of them, just like viruses, range from easy to more complex. It can cause lots of damage; it can also actually supply remote access to a system, or it can actually create a back door into the system. More custom trojan horses with specific targeting are actually extremely difficult to detect, making these a lot harder to get rid of than just a traditional virus. So again, when we're looking at a trojan horse we may not even think about it, but trojan horses can be extremely persistent and extremely painful. Normally, trojan horses are classified according to the damage that they cause or kind of how they gain access to the system. For example, we have a remote-access trojan horse, we have a proxy, an FTP, a keylogger or a DDoS-type trojan horse, we have a destructive trojan horse. So depending on what happens, that decides kind of the category of the trojan horse. Now this is not a complete list; these are just some of the different types of trojan horses.

And lastly we can talk about worms. So worms are similar to viruses because they do replicate themselves, but they actually try to exploit the network. The worm basically crawls through shares, and they try to inject themselves in random locations, sharing themselves through the network. They want to go system to system, hiding their tracks. Worms can run without any host program, and that's the main difference between a virus and a worm: a worm can just run by itself. However, once the host is infected, the worm will spread throughout the system and it will try to spread through anything connected to that system. For example, in 2001 the Code Red worm had initially infected about 650 servers; 20 hours later, 300,000 plus servers. So worms are actually increasingly dangerous and can spread. Something like the SQL Slammer worm is known as "the worm that ate the internet", essentially. Slammer was a DDoS-type attack that exploited a buffer overflow bug in Microsoft SQL Server. The number of infected servers kept doubling every few seconds. The infected servers did not have the update or the patch until six months after this issue, hence you've got to stay on top of patching, you have to stay on top of protection and actually following the security policies, not just saying you're going to do them but actually doing them.

So there are a few things that make up a worm. If you're doing the reading inside NetAcad you should get the video, and in the video it should be pointing out an enabling vulnerability, a propagation mechanism and a payload. These are the three things that make up the worm and kind of how effective they are. So again, the enabling vulnerability: basically the worm installs itself using an exploit mechanism, which could be like an email or a trojan horse or something else. Once that's done, after you gain access to the device, it starts replicating itself; that's the propagation. And then lastly is the actual malicious code that comes from the worm. So the worm components actually have this type of life cycle here. With the Code Red worm we looked at basically 19 days to propagate; after that they did a DDoS attack, after that they stopped and went dormant for a few days, and they kept repeating the cycle, and they kept
going through it. The thing with worms is they never stop spreading on the internet. After it's released, it will propagate throughout anything it has access to unless it's found and eradicated. Once the worm actually has made its way onto a system, it's going to try its darndest to spread all over that system.

Since we talked about viruses and worms, we also have to talk about ransomware or other forms of malware. Ransomware is a type of malware; it typically denies access to a system resource, and that system resource is held hostage until you pay. Normally it's data, but it doesn't always have to be data. It will use encryption algorithms to encrypt data and other files and other objects. Normally it's done through emails or malicious advertising, this is known as malvertising, and these are vectors for ransomware campaigns to actually be deployed. Sometimes they're also issued through social engineering, and that's when a cybercriminal can pretend to be a security technician doing random phone calls and will get a suspect or potential victim to download the malware on their machine inadvertently. We have other forms of malware like scareware and adware and spyware. We also have special types of viruses called rootkits that kind of actually embed themselves into core system components. We also have phishing; phishing is an attempt to convince someone to divulge information while you pretend to be someone that you're not. So these are other forms of malware that are equally scary and also growing. So one thing you're going to keep in mind: malware is made to just make an end user's life a little more difficult. Typically the attacker does want to gain access to someone's system or to someone's information or account or something, but it's normally a hindrance if nothing else.

So when we look at common malware behavior, for example, that's going to be things like: the appearance of the desktop might be strange or changing; AV and firewalls may be turned on and off; systems either running extremely slow, freezing or crashing regularly; email spontaneously being sent without your knowledge, that's a telltale sign that there is some malware there; files being modified or deleted; resources like memory and processing used up; network connectivity issues; web browser and file browser speeds; unknown random ports opening and processes listening on ports that typically don't happen; processes or services running; or just in general, just weird behavior. We do have a lab looking at and researching forms of malware, so do make sure to get that done.

All right, the next area is network attacks, looking at reconnaissance, access and social engineering. So again, the main types of network attacks are three main categories: reconnaissance, access or DoS-type attacks. A reconnaissance attack basically is about information gathering, or reconnaissance. The attacker uses the recon (or reconnaissance, or information gathering) type of attack to basically see what they can find, maybe using unauthorized discovery, maybe they're mapping systems, services and vulnerabilities, and this can be done either passively or actively: passively meaning not actually interacting with the system, whereas actively actually is hitting the systems to see what's going on. Normally recon attacks precede access or DoS-based attacks; if you know what the system is or what they're running, you're more likely to be able to focus your attack on that specific target system. So recon attacks are typically done first. So what are some of the techniques used by the reconnaissance attacks? Normally, again, the goal is to gather information. They could initiate a ping sweep or an Nmap scan or a vulnerability scanner; they may run other exploration-type tools like sqlmap or some type of social engineering toolkit or Netsparker. It really just depends on how they want to gather information. Normally you'll see the initial port scan, and that'll be like Nmap or SuperScan or NetScan. Nmap is probably going to be the most
common portion of it. So if we're looking at how we do this, we could do it from the internet, and that means maybe scanning into a local network from the internet if that's allowed. You may do some type of open source intelligence to gather information; you may do whois-type lookups and IP addresses. You could also do a ping sweep, and that's going to be internal; you're going to be assuming that you're on the local LAN to gather information. If you are on the local LAN you may do a port scan, and that's where you're going to see what ports, their states, their services and what versions they're running, and again that's typically meaning that you're going to be local. If you're doing it through the internet you're going to hit their router, or assuming they do have a router you're going to hit their edge, and you will be limited to whatever information you're able to gather that way. Oftentimes organizations are not going to have all of their internal machines sitting on the internet, actually listening and responding to all the different ports that are there. In our reading we do have a video on the reconnaissance-based attacks, kind of running through what we just talked about.

When we're talking network-based attacks, these are going to be things like password attacks or spoofing attacks. Password attacks are ways to gain access to critical passwords. Spoofing attacks are different ways that the attacker may pose to be someone that they're not, maybe falsifying data, maybe spoofing their information, all of them to either do things like a trust exploitation, a port redirect, possibly man in the middle or buffer overflow-based attacks, all of them again trying to pretend to be something that they're not to get information. Again, trust exploitation is one way where we are pretending to be someone else when we're not, and we pretend because we have the same type of information that our victim may have. A port redirect, that's where we start trying to redirect ports going into our networks to try to bypass their security process. Man in the middle, that is where you actually have someone physically in between the devices, maybe listening or capturing and being able to relay information. A buffer overflow attack basically sends tons of data and attempts to overload the target's buffer, thus being able to slip in a little easier.

Social engineering. Again, we have a video in our lecture if you want to go through that short video. Social engineering attacks typically have phishing or spear phishing. Phishing is, again, a threat actor sending fraudulent emails to victims or possible victims, pretending to be legitimate; that way you could get them to open the email, click on the link or provide certain types of information. Before we can do phishing we have pretexting, and that's where a threat actor pretends to be someone else to confirm information. We have spear phishing, and that's where the threat actor creates a targeted phishing attack tailored to a specific individual or organization, normally going after, you know, a bigger individual. We also still have just the traditional spam-type social engineering attacks, and that's just a mass amount of junk mail. Other forms of social engineering could be things like quid pro quo, something for something; baiting, that's where a threat actor will leave malware-infected drives or removable media in places hoping someone grabs them; impersonation or tailgating, tailgating is where you're following someone in behind extremely quickly; shoulder surfing is where you're looking over someone's shoulder to look at sensitive information; or just plain old simple dumpster diving, looking through garbage to see what you can find. So earlier I'd said something about some type of social engineering toolkit, or SET. This is the Social-Engineer Toolkit; it was designed to help white hat hackers and other professionals create these types of social engineering attacks on their own networks for training,
basically aiding security professionals ethically so that they could educate their users on how to look at and how to protect against very specific types of threats. So there is strengthening the weakest link, and that's typically the organization and the personnel: the organization because they may have policies and procedures but they may not actually enforce all of the policies and procedures, so that's why they are a pretty weak link; the social engineering typically targets the person because they are classified as the weakest link. So one of the most effective security measures that you can actually have is trained personnel, to be more of a security-aware, security-conscious type culture. Our next lab is on social engineering and identifying ways to recognize and prevent it.

Our next major section is about network attacks: denial of service, buffer overflow, as well as evasion. So again, we do have a simple video in our reading about denial of service attacks, but essentially a denial of service attack is a way to overload a potential victim so they cannot respond. If you have one person targeting one victim, that's a DoS attack; if you have multiple people targeting one victim, then that's a distributed denial of service, or a DDoS-based attack. So the purpose of a DoS attack, a big part of that, is to essentially overwhelm the end device with tons of traffic. Sometimes you can do maliciously formatted packets, sometimes you can just send tons of packets; it really just depends. So when we keep saying a DoS attack, denial of service, it's to use as much data as possible, just cram it down them and see what happens. Well, one machine may not be able to produce that much traffic, so we have a distributed denial of service or a DDoS attack, and what we can do is we can have things like zombies or bots, or our botnets, or some type of controller like a handler or a bot master actually controlling our zombies and bots (that kind of makes up the botnet) to target a victim. That way you have one device controlling many. In our lecture we do have a video looking at a simple botnet; we have, again, a demonstration of the DDoS attack using that botnet.

And then after that we have to talk about buffer overflows. Basically the thing here is buffers have a finite amount of resources, and if you overload them they may do something that's abnormal. So threat actors will use the buffer overflow DoS attack to find system memory-related flaws; that way you can exploit those flaws. For instance, some type of remote denial of service attack was discovered in Windows 10 where the threat actor could create malicious code to access out-of-scope memory; you would still be able to gain access to a system's machine using that method. You also have the older options like ping of death, where the threat actor will send a ping of death, which is an echo request in an IP packet that will then be received but is actually larger than the maximum packet size, and some machines don't know how to process it, so it just kind of crashes.

After that we have the evasion methods. The evasion methods basically break up into a few different categories. Encryption and tunneling: this evasion technique will use tunneling to hide or scramble the payloads. We have resource exhaustion, and this evasion technique basically will target the host so that it's too busy to properly use security detection mechanisms, and overload them that way. We have traffic fragmentation, and in this type of evasion technique it will split malicious payloads into multiple small payloads so that they're less likely to be found. We also have protocol-level misinterpretation, so this evasion technique will occur when the network defense does not properly handle something like a PDU, a checksum or a TTL value; if you're able to trick the firewall into ignoring these types of packets, then we can have protocol-level misinterpretation. We also have traffic substitution and traffic insertion type attacks. More importantly we have things like pivoting: this type of technique assumes the threat actor has already compromised an inside host, and they actually start funneling traffic through that host; that way it doesn't look like it's coming from the outside network but from a local machine that everything is being pivoted from. Rootkits are not really a DDoS type of thing; they are an evasion technique. This is where you bury a virus or malicious code in a system setting or a system configuration file, that way they're less likely to be found. An experienced threat actor normally goes this route. Lastly we have things like proxies, that way our traffic isn't going out directly, but our traffic is going to a proxy and then the proxy goes out; that way we can kind of try to evade our traffic from being found out if it's malicious-based traffic.

All right, that's the end of this chapter. So we looked at things like trojans and malware types, or common types of malware; we looked at DDoS and DoS-based attacks; we looked at access-type attacks; we looked at distributed denial of service-based attacks and botnets, as well as goals of threat actors. If you have any questions or anything, please feel free to reach out. Again, with this material, being able to ask questions and discuss some of the topics in the lecture helps build long-term retention, so do not be afraid to communicate with this topic. Again, I'm here if you need anything. Thank you.
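The lecture describes reconnaissance (ping sweeps, Nmap-style port scans) as the step that precedes access and DoS attacks. As an added example that is not part of the lecture or the NetAcad course, here is the defender's side: detection logic that flags a ping sweep or a port scan in firewall log lines. The log format, the IP addresses and the thresholds are all constructed for this demo.

```python
"""Spot reconnaissance (ping sweep, port scan) in constructed firewall logs.

Added example, not part of the lecture. The log format is made up for the
demo: "<ISO time> <PROTO> <src> -> <dst>[:<port>]".
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.50 sweeps six hosts with ICMP, then scans six
# ports on 10.0.1.1; 10.0.0.7 is ordinary traffic and must not alert.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:0{i} ICMP 10.0.0.50 -> 10.0.1.{i}" for i in range(1, 7)]
    + [f"2024-05-01T10:00:1{i} TCP 10.0.0.50 -> 10.0.1.1:{p}"
       for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + ["2024-05-01T10:00:20 TCP 10.0.0.7 -> 10.0.1.1:443",
       "2024-05-01T10:00:21 TCP 10.0.0.7 -> 10.0.1.1:443",
       "2024-05-01T10:00:22 ICMP 10.0.0.7 -> 10.0.1.1"]
)

LINE_RE = re.compile(r"^(\S+) (ICMP|TCP) (\S+) -> ([\d.]+)(?::(\d+))?$")


def parse_log(text):
    """Return (timestamp, proto, src, dst, port-or-None) for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            port = int(m.group(5)) if m.group(5) else None
            events.append((ts, m.group(2), m.group(3), m.group(4), port))
    return events


def detect_recon(text, window_s=60, threshold=5):
    """Return alerts: ('ping_sweep', src, n_hosts) when one source pings more
    than `threshold` distinct hosts inside a window, and
    ('port_scan', src, dst, n_ports) when it touches more than `threshold`
    distinct TCP ports on one host. Windows are fixed buckets of window_s
    seconds (simple bucketing, not a sliding window)."""
    icmp_hosts = defaultdict(set)   # (src, bucket) -> {dst}
    tcp_ports = defaultdict(set)    # (src, dst, bucket) -> {port}
    for ts, proto, src, dst, port in parse_log(text):
        bucket = int(ts.timestamp()) // window_s
        if proto == "ICMP":
            icmp_hosts[(src, bucket)].add(dst)
        elif proto == "TCP" and port is not None:
            tcp_ports[(src, dst, bucket)].add(port)
    alerts = []
    for (src, _), hosts in icmp_hosts.items():
        if len(hosts) > threshold:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (src, dst, _), ports in tcp_ports.items():
        if len(ports) > threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG):
        print(alert)
```

A slow scan spread across several windows will slip under a fixed-bucket count like this one; a sliding window or per-source daily totals closes that gap.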
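Two of the lecture's points, traffic fragmentation as an evasion technique and the ping of death (an echo request larger than the maximum packet size), come down to the same defensive rule: reassemble before you inspect. The example below is added here and is not from the lecture or the course; it models fragments as (offset, data) tuples, ignores real IP header details such as the 8-byte fragment offset unit and the MF flag, and uses a constructed signature rather than a real IDS rule.

```python
"""Reassemble fragmented payloads before inspecting them (added example).

A signature split across fragments evades a per-packet check; a reassembled
datagram larger than the IPv4 maximum is the classic ping-of-death shape.
Fragments are (offset, data) tuples; data is treated as the whole datagram.
"""
MAX_IPV4_DATAGRAM = 65535          # limit set by IPv4's 16-bit total-length field
SIGNATURE = b"cmd.exe /c"          # constructed demo signature, not a real rule


def per_fragment_match(fragments, sig=SIGNATURE):
    """Naive inspection: look for the signature inside each fragment alone."""
    return any(sig in data for _, data in fragments)


def reassemble(fragments, limit=MAX_IPV4_DATAGRAM):
    """Rebuild the datagram from fragments delivered in any order.
    Returns ('ok', payload), ('malformed', b'') on a gap or overlap, or
    ('oversized', b'') when the result would exceed `limit`."""
    buf = bytearray()
    for off, data in sorted(fragments):
        if off != len(buf):            # gap or overlap: reject instead of guessing
            return "malformed", b""
        buf += data
        if len(buf) > limit:           # ping-of-death shape: too big to be valid
            return "oversized", b""
    return "ok", bytes(buf)


def inspect(fragments, sig=SIGNATURE):
    """Verdict for one fragmented datagram: oversized, malformed, match or clean."""
    status, payload = reassemble(fragments)
    if status != "ok":
        return status
    return "match" if sig in payload else "clean"


# Constructed traffic: signature split over three fragments, delivered out of order.
EVASIVE = [(8, b"c"), (0, b"GET /?x="), (9, b"md.exe /c dir")]
# Constructed ping of death: 65536 bytes spread over two fragments.
OVERSIZED = [(0, b"\x00" * 60000), (60000, b"\x00" * 5536)]
BENIGN = [(0, b"GET /index.html")]

if __name__ == "__main__":
    print("per-fragment check sees the evasive payload:", per_fragment_match(EVASIVE))
    for name, frags in (("evasive", EVASIVE), ("oversized", OVERSIZED), ("benign", BENIGN)):
        print(name, "->", inspect(frags))
```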