CYT - Identifying Security Threats (Lesson)
Identifying Security Threats
Introduction
Have you or someone you know been affected by malicious software?
In this lesson you will learn about the types of malware, its impact on our lives, and how to avoid or at least mitigate its negative impacts.
Identifying Security Threats Presentation
Malware
Do you know what was the very first piece of malware?
Brain is generally credited as the first virus to infect the IBM PC. (Earlier self-replicating programs such as Creeper and Elk Cloner ran on other platforms, but Brain was the first for the PC.) It was released in 1986 and spread by replacing the boot sector of a floppy disk with a copy of itself, so a PC booted from an infected disk ran the virus before the operating system and went on to infect any other floppies it used. The creators of the Brain virus were two brothers from Pakistan, Basit Farooq Alvi and Amjad Farooq Alvi.
Brain was not created with malicious intent, though. The Alvi brothers wrote it to discourage piracy of their medical software, and they even included their names, address and phone numbers in the code of the virus. When a disk was infected, Brain changed its volume label to "(c)Brain."
As the virus spread and began to appear in unexpected places globally, it marked the beginning of what would become a significant issue in the computing world – the proliferation of computer viruses and malware. This initial experience highlighted the potential for code to spread between machines and led to greater awareness and the eventual development of the antivirus software industry.
Do a quick Internet search! What are some recent malware threats?
Let’s talk about the types of malicious software aka malware!
Types of Malicious Software
Virus
A virus is a piece of code that inserts itself into a host program or file and depends on that host being run in order to execute and spread.
The virus is added to an executable file so that when that program runs, the virus code runs too: it copies itself into other files and then performs its payload, which may be destructive or simply annoying.
Worm
A worm is a self-replicating program that spreads from system to system on its own, usually over the network by exploiting a vulnerability or weak credentials, without attaching itself to a file. A worm resides in active memory and keeps replicating itself.
When a worm replicates enough to consume massive system or network resources, the affected devices slow down or even crash.
What is the difference between a virus and a worm? A virus needs another program or host to replicate but a worm can do it on its own, yikes!
Ransomware
Ransomware is a type of malware designed to block access to a computer system or encrypt its data until a ransom is paid. The attacker typically demands payment in cryptocurrency, such as Bitcoin, because it is harder to trace than a bank transfer.
In 2017, the WannaCry ransomware hit over 200,000 computers in 150 countries in just one day! It spread as a worm, using an exploit for a Windows SMB vulnerability that Microsoft had patched about two months earlier, so machines that had applied the update were not affected.
Download Infographic Script
Trojan
A Trojan file appears to be a legitimate program but it contains malicious code. It will usually entice the user to play a game, song, etc. but it has a hidden program.
The main difference between a Trojan and a virus or worm is that a Trojan does not replicate itself.
Free downloads from untrusted sites, such as cracked games and "free" utilities, are a common Trojan delivery vehicle. You happily download the software and install it on your device, and it quietly installs extra malware in the background, uh-oh!
The most dangerous type of Trojan is the RAT (Remote Access Trojan), which is essentially a backdoor packaged inside a Trojan. Once installed, it lets the attacker remotely access your system and control it!
Backdoor Programs
Backdoor programs create a mechanism for gaining access to a computer, for example by leaving a listening port open or creating a hidden user account with privileges. There are legitimate reasons a user might want to reach their computer remotely when they are away from home or the office, and legitimate remote-access tools exist for that. An attacker's backdoor provides the same kind of access, but without the owner's knowledge or consent.
Here is what happens:
- Trojans or other malware are used to deliver a Backdoor program onto your computer or device.
- The Backdoor program connects back to the attacker's command-and-control server, abbreviated C2 or C&C. The person running the operation is called the botmaster.
- The C2 server sends your PC commands or additional code to perform an action, such as sending out spam, stealing information, or participating in a Distributed Denial of Service attack (more on this later).
- Your computer is now part of a botnet of other computers that can be multiplied into a very powerful mass attack!
Compromised computers, unknown to their innocent owners, are used by attackers to send out large volumes of spam, launch distributed denial-of-service attacks, or steal confidential information. This typically happens to home users whose systems are not protected with up-to-date anti-virus software, firewalls, and security patches.
Logic Bomb
A logic bomb is a small program that is timed to perform an operation on a system. It can also be triggered by an external event. A programmer might install a logic bomb on a system, timing it to go off long after they have left the company. A logic bomb is often the tool of a disgruntled insider like an employee who has been terminated or someone who is in the pay of a competitor. Logic Bombs are also called “Time Bombs” when the trigger for a logic bomb is time or date based.
Rootkit
A rootkit is a set of programs installed by an attacker to gain and keep complete control of a computer. It changes how the operating system functions and hides its own files, processes and network connections so that neither the user nor anti-malware software detects it. Usually, a malicious actor will use a backdoor to install a rootkit. With the two of these together, they have unlimited access to and control over your PC!
How to STOP it? Bad news: you generally cannot clean it with confidence. It is too difficult to be sure every part of the rootkit is removed, and the tools you would use to check can themselves be lied to by the rootkit. The accepted remedy is to wipe the hard drive, reinstall the operating system from known-good media, and restore your files from backups made before the infection. Rootkits that live in firmware or the boot process can even survive a disk wipe, which is one reason modern systems use features such as Secure Boot.
Review of Malware
It may seem like all of this malware is essentially the same thing but they each have their unique task to perform:
- Trojan -- deliver backdoor to the victim’s system;
- Backdoor -- allow access to the victim’s system;
- Rootkit -- take over control of the victim’s system.
Worms, viruses, and logic bombs are not usually part of this chain. They tend to be single-task oriented.
In real life, there are very few classic viruses that need a host file anymore; what is out there is MOSTLY worms and Trojans.
Zero Day Attack
A zero-day attack takes advantage of a code flaw that the software's developer does not yet know about, or has not yet fixed. The key to a zero-day is that for some period the flaw is not publicly known, so there are no patches or detection signatures against it. The vulnerability window is the time between the start of attacks and the release of a fix (and, for each victim, until that fix is actually installed).
- Software is developed and shipped containing a security vulnerability that its developers are not aware of.
- A bad actor finds the vulnerability before the developer does, or at least before the developer has had the opportunity to release an update or patch.
- The attacker builds an exploit and uses it, often delivered by malware, while the vulnerability is still open and unpatched.
- Eventually the attacks are noticed, for example through reports of identity or data theft, or the developer discovers the flaw independently, and a patch is released.
Zero-days are part of the larger picture of system attacks. However, they are NOT themselves malware. A zero-day is a flaw that exists in the code of an application or operating system (OS). Of course, most programs have some sort of flaw, but the ones we care about are the places where the programmer made the code work but didn’t think through how it could be misused. That is a vulnerability, and once it is discovered, it can be exploited.
Zero-day exploits can be sold for a LOT of money depending on what software is vulnerable and how reliable the exploit is: prices range from a few thousand dollars to well over a million for a reliable remote exploit chain against a widely used mobile operating system!
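The lesson describes a vulnerability as code that "works" but was never examined for misuse. The following is an added example in Python, not part of the lesson, showing one such flaw beside its hardened form: a helper that maps a user-supplied file name onto a web server's document root. The document root, the function names and the test inputs are all assumptions made for this illustration.

```python
import posixpath

# Hypothetical document root for a small file-serving handler (an assumption for this example).
DOC_ROOT = "/srv/app/public"


def resolve_flawed(requested: str) -> str:
    """The 'it works' version: join the user-supplied name onto the document root.

    Every ordinary request ("index.html", "css/site.css") resolves correctly, so the
    code passes its functional tests. Nobody asked what happens when the name contains
    ".." or starts with "/": posixpath.join discards DOC_ROOT for an absolute path, and
    normpath happily walks upward past the root. That is the flaw an attacker hunts for.
    """
    return posixpath.normpath(posixpath.join(DOC_ROOT, requested))


def resolve_hardened(requested: str) -> str:
    """The fixed version: treat the name as untrusted and prove the result stays inside DOC_ROOT."""
    if not requested or requested.startswith("/") or "\x00" in requested:
        raise ValueError("empty names, absolute paths and NUL bytes are not allowed")
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, requested))
    # Check the *normalized* result, not the raw input: "css/../index.html" is fine,
    # "../../../etc/passwd" is not. Comparing with a trailing "/" stops "/srv/app/public2"
    # from passing as a prefix match.
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        raise ValueError(f"{requested!r} escapes the document root")
    return candidate


def is_rejected(requested: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        resolve_hardened(requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ["index.html", "css/../index.html", "../../../etc/passwd", "/etc/shadow"]:
        outcome = "rejected" if is_rejected(name) else resolve_hardened(name)
        print(f"{name!r:28} flawed -> {resolve_flawed(name):24} hardened -> {outcome}")
```

The flawed function returns "/etc/passwd" for "../../../etc/passwd" without complaint; the hardened one raises. Two caveats for real handlers: decode any URL encoding ("%2e%2e%2f") before this check, and on a real filesystem resolve symbolic links (for example with os.path.realpath) before testing containment, since a symlink inside the document root can point outside it.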
Advanced Persistent Threat
Advanced Persistent Threat (APT) is an attack that uses sophisticated methods to establish a presence on a system or network for an extended period of time. It maintains multiple ways in and out, often used to exfiltrate data.
Signs of an APT Attack:
- off-hours activity showing up in logs
- large unknown files or strange data flows
- multiple RATs found by security scans
- spear-phishing emails
- pass the hash tools
The APT is a corporate cybersecurity department’s nightmare as it is a sophisticated attack with multiple components. It is typically used for a targeted attack, not an attack of opportunity. In other words, the attacker wants something from a specific company or organization. It may be intelligence from a government agency or the plans for a new drug from a pharmaceutical company.
An APT is installed so that there can be a continuous infiltration of this entity over a long period of time in order to “exfiltrate” the desired data. Exfiltrate means using stealthy methods to perform unauthorized transfer of data.
It can be very difficult to identify an APT on a system or network. Most large organizations assume the question is not “whether” they will be targeted but “when,” because any organization holding valuable data or intellectual property is a likely target. The best bet is to notice the attempts to get in, or the unusual activity that follows a successful one, as early as possible.
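The backdoor steps above (the implant calling home to its C2 server on a schedule) and the signs of an APT (off-hours activity, strange data flows) both come down to spotting patterns in logs. Here is an added example in Python, not part of the lesson, that runs two such checks over a handful of constructed outbound-connection log lines: a beaconing check that flags a source talking to the same destination at a suspiciously regular interval, and an off-hours check that flags activity outside an assumed business day. The log format, host names, addresses and business hours are all assumptions for this illustration; real data would come from a proxy or firewall.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): one outbound connection per line, timestamps in UTC.
# WS-17 checks in with 203.0.113.9 every five minutes in the middle of the night;
# WS-04 does ordinary daytime browsing.
SAMPLE_LOG = """\
2024-03-04T02:00:03Z src=WS-17 dst=203.0.113.9:443 bytes=512
2024-03-04T02:05:04Z src=WS-17 dst=203.0.113.9:443 bytes=498
2024-03-04T02:10:02Z src=WS-17 dst=203.0.113.9:443 bytes=503
2024-03-04T02:15:05Z src=WS-17 dst=203.0.113.9:443 bytes=510
2024-03-04T02:20:03Z src=WS-17 dst=203.0.113.9:443 bytes=507
2024-03-04T09:12:41Z src=WS-04 dst=198.51.100.20:443 bytes=18233
2024-03-04T09:14:02Z src=WS-04 dst=198.51.100.20:443 bytes=2210
2024-03-04T11:47:19Z src=WS-04 dst=198.51.100.20:443 bytes=93112
2024-03-04T13:02:55Z src=WS-04 dst=198.51.100.21:443 bytes=4110
2024-03-04T16:31:08Z src=WS-17 dst=198.51.100.20:443 bytes=7733
"""

BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 UTC; tune to the real environment


def parse(log_text):
    """Turn 'timestamp key=value ...' lines into dicts with a real datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": fields["src"],
            "dst": fields["dst"],
            "bytes": int(fields["bytes"]),
        })
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection gaps are nearly constant.

    A backdoor polling its C2 server is often clockwork (every N seconds, tiny payloads);
    human traffic is bursty. jitter = stddev(gaps) / mean(gaps); small means regular.
    Returns {(src, dst): average_gap_seconds}.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


def find_off_hours(events, hours=BUSINESS_HOURS):
    """Return (src, timestamp) for every connection outside the business day."""
    return sorted({(e["src"], e["ts"].isoformat()) for e in events if e["ts"].hour not in hours})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for (src, dst), gap in find_beacons(evts).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
    for src, when in find_off_hours(evts):
        print(f"off-hours activity: {src} at {when}")
```

On the sample data only WS-17's five-minute check-ins to 203.0.113.9 are flagged as a beacon; WS-04's daytime traffic is too irregular and too sparse. The same five events are also the only off-hours activity. In practice you would feed this days of logs, raise min_hits, and whitelist known periodic traffic such as update checks before treating a hit as an incident.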
Do a quick Internet search! What are some recent vulnerabilities that have been exploited?
What did you learn?
The point of this lesson was to learn about various types of cybersecurity threats.
At the beginning of this lesson, you learned that the Brain virus was created so that the authors could prevent people from making illegal copies of their medical-monitoring software. It is important to consider that there are many different types of possible threat actors with a wide range of motivations for their actions.
Who and Why - Cyberthreat Activity
You should now be able to discuss various types of malicious software and how it can affect your computer.
Types of Malware Flashcard Activity
Key Terms Review
[CC BY-NC-SA 4.0] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON.