Book Image

Mastering Defensive Security

By : Cesar Bravo
Book Image

Mastering Defensive Security

By: Cesar Bravo

Overview of this book

Every organization has its own data and digital assets that need to be protected against an ever-growing threat landscape that compromises the availability, integrity, and confidentiality of crucial data. Therefore, it is important to train professionals in the latest defensive security skills and tools to secure them. Mastering Defensive Security provides you with in-depth knowledge of the latest cybersecurity threats along with the best tools and techniques needed to keep your infrastructure secure. The book begins by establishing a strong foundation of cybersecurity concepts and advances to explore the latest security technologies such as Wireshark, Damn Vulnerable Web App (DVWA), Burp Suite, OpenVAS, and Nmap, hardware threats such as a weaponized Raspberry Pi, and hardening techniques for Unix, Windows, web applications, and cloud infrastructures. As you make progress through the chapters, you'll get to grips with several advanced techniques such as malware analysis, security automation, computer forensics, and vulnerability assessment, which will help you to leverage pentesting for security. By the end of this book, you'll have become familiar with creating your own defensive security tools using IoT devices and developed advanced defensive security skills.
Table of Contents (23 chapters)
1
Section 1: Mastering Defensive Security Concepts
7
Section 2: Applying Defensive Security
15
Section 3: Deep Dive into Defensive Security

Deep dive into the core of cybersecurity

A master possesses a higher knowledge and understanding of their domain. In this case, you should understand all the concepts, terminology, and attacks to confidently speak as a cybersecurity expert. It is not about repeating what you are told; it is about acquiring a level of understanding in which you can explain all these topics to the point that everyone will understand them (even if they are not familiar with IT concepts).

The cybersecurity triad

A CISO once told me: If you want to see whether the person talking about an attack really knows their business, just ask: What element of the CIA triad is being impacted by this attack? If no response is forthcoming, that person is a newbie. If the answer is not clear or lacking in arguments, that person is a junior, but if the response clearly outlines what elements of the triad will be affected by the attack and why, then you are talking with an expert.

This triad is especially important when working on defensive security because it will help you to prioritize the risks based on the impact and how that impact correlates with the business.

This is especially important for organizations as this helps them to identify priority areas to invest in (and to provide more resources) to reduce the impact or damage to the company in the event of a cyber attack. For example, an attack on the availability of the informational web page of an HR company may result in a minimal impact on the business, while an attack on the confidential information that they manage could be catastrophic.

Figure 1.1 – CIA triad

Figure 1.1 – CIA triad

Figure 1.1 shows the three components of the CIA triad: Confidentiality, Integrity, and Availability. Now, let's take an in-depth look at each of these three concepts.

Confidentiality

The attacks affecting confidentiality are based on access by an unauthorized person to the company's data. But how do you know who can access which kinds of data? The best way to respond to this question is by following the best practice that says that all companies must have their data classified and labeled based on its sensitivity. That way, you can effectively determine how to put in place the appropriate controls. The data can be classified as follows:

  • Restricted: This is the most important data the company possesses as it may include trade secrets that, if disclosed, could have a catastrophic impact on the company.
  • Confidential: This is data that companies must keep confidential (on a need-to-know basis). Many times, this type of data is associated with some external regulations, and sanctions and fines may apply if disclosed.
  • Private: This is less sensitive data. However, it is not intended for public consumption and should be maintained within the organization.
  • Public: This is data that is intended for public distribution (most of the time, it is available and indexed online).

Integrity

Besides keeping the data confidential, we also need to ensure that data is not altered by a malicious actor. In fact, we need to ensure that appropriate mechanisms are in place to ensure that the data will only be changed by authorized parties.

This is especially relevant if your company runs a transactional website (such as an e-commerce website) because an attacker may attack your database and create or modify discount codes and, by the time you discover the issue, your merchandise may already be sold and delivered for a fraction of the original price.

What makes these attacks more dangerous is that the attacker will not just apply this discount to their purchase but for everyone. Therefore, you may find 1,000 orders discounted by 99%, making it harder for you to identify who performed the attack.

The most famous hacks to banks were caused because the integrity of the data was compromised.

Therefore, due to the impact of these kinds of attacks, companies must proactively and constantly invest time and resources to prevent them.

Availability

These attacks aim to disrupt the availability of a given system, network, or web resource.

Except for online stores, these are the less dangerous type of attack; however, such attacks are also the most common type of attack. In fact, the majority of the attacks performed by Hacktivist groups aim to disrupt system availability.

Types of attacks

To implement a good defensive strategy, you must understand the current threat landscape and the most common types of attacks—you cannot be protected against the unknown. Some sources separate the attacks by type based on the area of impact; for example, network attacks and physical attacks. However, such a high-level categorization is too simple for a master like you, so instead, I am going to provide you with an extensive and up-to-date list of the most common types of attacks that you may encounter today, as seen in Figure 1.2:

Figure 1.2 – Cybersecurity threat landscape

Figure 1.2 – Cybersecurity threat landscape

Now, let's explore each of these categories so as to have a better understanding of the current threat landscape.

Malware

Everyone is familiar with this type of attack. In fact, almost everyone will be affected by this type of attack at least once in their life. However, while most of them can be prevented with good and up-to-date antivirus software, it is worthwhile keeping an eye on new threats to ensure that our protection mechanisms are capable of dealing with new threats.

To enhance the efficacy of these types of attacks, normally they are used in conjunction with other tactics to spread it, for example, by using social engineering.

Important note

There are several types of malware, including RAT, Trojans, Worms, Ransomware, Spyware, and more. Each of them is different and you must understand their unique characteristics to be able to appropriately defend against them.

As a fun fact, I recall when I discovered that the reason for me having to re-install the OS of my mom's computer every week was due to my brother believing in his good luck when surfing the internet:

Figure 1.3 – Samples of "You Won" malware

Figure 1.3 – Samples of "You Won" malware

Now, let's look at the biggest threat to the security of any corporation, infiltration through social engineering:

Social engineering

As technology enthusiasts, we often focus on securing our systems and networks. In fact, we may invest a lot of time, effort, and resources in building a robust cybersecurity environment, but that will not be complete until you include the weakest actor, the user.

I have seen many cases when a company suffers a catastrophic attack, not because their expensive systems were breached, not because they were attacked by a sophisticated zero-day vulnerability, but because an employee inadvertently provided their credentials to an attacker.

This topic is normally overlooked, and criminals know that, so you must understand and apply all the strategies, mechanisms, and systems to avoid these types of attacks in your organization. In Chapter 4, Patching Layer 8, we will go in deep about how to defend against attacks including phishing, spear phishing, whaling, pharming, and more.

Man-in-the-middle attacks

Imagine you are on a date in the mall, and you want to show a video, but Murphy's law intervenes and your internet speed is extremely slow. However, there is a Wi-Fi network called Free Wi-Fi – sounds like a miracle, right? Well, let me tell you that it is not your lucky day. Chances are that a cybercriminal knows that cellular reception is poor in that area and lays a trap to capture all your data without you even noticing it.

While this is a simplistic case of a man-in-the-middle-attack, it shows you how easy it is to achieve it.

Important note

In terms of techniques, the criminal may use one of the many available, such as session hijacking, IP spoofing, replay, or eavesdropping. These will be covered in depth in Chapter 8, Enhancing Your Network Defensive Skills.

Denial-of-service attack

The all-time favorite attack employed by hacktivists, the Distributed Denial-of-Service (DDoS) attack, is very interesting because it may affect you in two ways, as an attacker, and as a target. As mentioned earlier, the impact of these kinds of attacks depends on the nature of business; however, your infrastructure can be used by an attacker to launch a Botnet-based attack on another company and that will have serious implications for your company regardless of the type of business.

Botnets

A Botnet is a network of infected devices that are remotely controlled by an attacker (normally using a command and control server) to perform a plurality of tasks without the consent and knowledge of the owner of the device. The controlled or infected machines are normally called zombies and, as mentioned, they will perform background tasks such as DDoS attacks, sending spam, and mining cryptocurrency (Bitcoins).

One interesting variant of these attacks is the SYN flood attack. This attack is very interesting and clever, and it is based on the TCP three-way handshake. But wait, what is a TCP three-way handshake?

Let me do an analogy to explain it: Imagine that you (the client) need a cab (the server), so you decided to call the cab (SYN). When the cab arrives, it informs you that it is at the gate (SYN-ACK) and waits for your confirmation to pass (ACK). Now, imagine that you never confirm and keep calling more cabs. Eventually, your driveway will be full of cabs, preventing the arrival of any other car to your house.

Figure 1.4 – SYN flood attack

Figure 1.4 – SYN flood attack

I know this SYN Flood Attack may sound very technical, but that doesn't make it less common. Additionally, there are many other ways to execute a DDOS attack, and another cool example is the teardrop attack.

Teardrop attack

The teardrop attack leverages an old vulnerability in which the system tries to reassemble fragmented packets, but since they were corrupted, the system crashes (by taking the CPU to 100%). As mentioned, this is an old vulnerability and an up-to-date system should not be affected. However, there is a new version called FragmentSmack, which affects current OSes, including Windows 10 and Linux distributions (see CVE-2018-5391). The good thing is that there are already patches for both.

Important note

As a walkaround in Windows systems, you can disable packet reassembly as follows:

Netsh int ipv4 set global reassemblylimit=0

Netsh int ipv6 set global reassemblylimit=0

There are other types of DDoS attacks, including the Ping of Death and Smurf Attacks (using ICMP packets), but these are old attacks that you should be already familiar with, so I am not going to waste your time on them.

Zero-day exploits

These types of attacks are one of the most dangerous ones because they will hit us by surprise.

When dealing with these types of attacks, reacting fast is the key. In fact, you need to be on the lookout for new vulnerabilities all the time, so that you can understand them, evaluate whether they affect your infrastructure, and find a workaround or mitigation until an official solution or patch is released.

There are many sites and blogs with cybersecurity news; however, as you may know, fake news is prevalent, so you will need to make sure you use a responsible source that provides you with the best information. Personally, I would recommend that you use the following sites to stay up to date with the latest vulnerabilities and threats:

DNS attacks

I recall the times when you modify the host file on a Windows 2000 machine just to have some fun by redirecting pages around. However, things have changed and now there are many more sophisticated DNS-related attacks.

Figure 1.5 – Old school DNS attacks

Figure 1.5 – Old school DNS attacks

Now, let's take a look at everything you need to know about the most popular DNS attacks today.

DNS hijacking

In this attack, the computer is normally affected by malware that points the computer to the attacker's DNS server instead of a trusted DNS, allowing the attacker to control and redirect all the traffic.

Here are some defensive measures that can be taken:

  • Protect endpoints against malware attacks.
  • Always check the URL of the site.
  • When possible, type the URL instead of clicking on links (especially from emails)
  • Implement DNSSEC.
  • Check and/or monitor the Host file for modifications.
  • You can also use this web page to check whether your DNS is compromised: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS.

Man-in-the-middle

This attack uses the same principle as the one mentioned previously. It is about intercepting a DNS request and replaying it with a bogus website in response. To achieve this, the attacker intercepts the request between the victim and the real DNS to provide the user with a response to a malicious site.

Here are some defensive measures that can be taken:

  • Avoid connecting to open hotspots.
  • Avoid connecting to public networks.
  • Avoid connecting to free Wi-Fi.

DNS router attack

In this case, the attacker leverages a vulnerability on the router to perform the redirection to the malicious site.

Here are some defensive measures that can be taken:

  • Change the default admin and connection passwords on your network devices (routers, access points, and so on).
  • Keep the firmware of your network devices up to date.
  • Try purchasing network devices of known reputation (a bad quality firmware device may be vulnerable).

DNS cache poisoning

This is very similar to DNS hijacking, but in this case, the attacker just modifies the DNS cache to send future requests to malicious sites.

The following diagram depicts an exemplary embodiment of a cache poisoning attack:

Figure 1.6 – Cache poisoning attack flow

Figure 1.6 – Cache poisoning attack flow

But don't worry, here are some defensive measures that you can take against this threat:

  • Place your DNS resolvers inside your firewall.
  • Remove unnecessary DNS resolvers to reduce risks.
  • DNS servers must be hardened to ensure all unnecessary services are removed (thus reducing the points of failure and potential vulnerabilities).
  • Use a random source port, randomize the query ID, and use random case (uppercase/lowercase) in domain names.
  • Flush your DNS cache macOS (Catalina):
    sudo killall -HUP mDNSResponder
  • Flush your DNS cache Windows:
    ipconfig /Flushdns
  • Clear your browser cache.

Additionally, in case you have a system exposed to external users, it is recommended to implement a "reboot and restore" system, so in case someone changes the DNS locally, those values will be deleted (and restored to their original values) once the computer is rebooted or the user is logged out.

Domain hijacking and redirection

This attack is aimed at web resources (web pages, web apps, and so on). Here, the attacker will modify the DNS on your domain registrant to send all the traffic aimed at your page to another server. Here, the attackers use misspelled names or letters that look similar to the original to fool the user into believing that they are accessing the real site.

Here are the defensive measures that can be taken:

  • Register your domains with a trusted company.
  • Avoid registering domains with several vendors.
  • Use crazy long random passwords for your DNS admin account (based on a password manager).

Let's consider an example.

Do you think these two domains are the same: I2C2x.com and l2C2x.com?

They look the same, but they are not, and that is one of the tactics used on these types of attacks (and also in some phishing attacks) to trick the victim into thinking that they are on the original site when they are not.

In this example, the first domain has an uppercase i, while in the second example, it uses a lowercase L, similar to the eye, but clearly not the same domain.

DNS tunneling

This is a very clever attack in which the attacker uses DNS queries and responses to exfiltrate data without detection. This exfiltration mechanism allows the attacker to bypass most network controls. However, this attack is very complex as it requires the attacker to have control over the machine where the data resides (normally by using a command and control malware), the internal DNS server, an external DNS server, and a domain.

Normal DNS query:

C:\Users\Cesar> Nslookup mysite.com
Server:  dns.google
Address:  8.8.8.8
Non-authoritative answer:
Name:    mysite.com
Address:  168.82.172.128

DNS tunneled query:

C:\Users\Cesar> Nslookup company_exfiltrated_data123.com
Server:  dns.google
Address:  8.8.8.8
*** dns.google can't find company_exfiltrated_data123.com: Non-existent domain

Here are the defensive measures that can be taken:

  • Set up monitors to track anomalies on DNS traffic (many of these attacks exponentially increase the number of DNS queries to exfiltrate large amounts of data).
  • Analyze DNS queries to identify anomalies.

    DNS tunneling tools

    There are several tools for exfiltrating the data, including dns2tcp and heyoka, and some other tools designed to sniff the content of the DNS queries, including dnshunter and reassemble_dns.

Remember that this is a sample list that you can use as a baseline, but there are many other types of attacks that I won't mention here but will be covered later, for example, IoT attacks, web-based attacks, and more. However, keep in mind that a master should continue researching to stay up to date and always be on the lookout for new threats and vulnerabilities.