cyber security terms


Post on 08-Jan-2017


PRESENTATION ON BOTNET

PRESENTATION ON CYBER SECURITY TERMS
Suryaprakash Nehra 1130606

OUTLINE
- Introduction to Cyber Security
- Botnet
- Watering Hole attack
- Spear Phishing attack
- Distributed Denial of Service (DDoS)
- Conclusion

BOTNET
A botnet is a network of compromised computers under the control of a remote attacker. The controller of a botnet is able to direct the activities of these compromised computers.
Botnet terminology:
- Bot Herder (Bot Master)
- Bot
- Bot Client
- IRC Server
- Command and Control Channel (C&C)

INTRODUCTION TO BOTNET (TERMINOLOGY)

[Diagram: botnet terminology. Labels: Bot Master, IRC Server, IRC Channel, Code Server, C&C Traffic, Updates, Attack, Victim]

BOTNET IN NETWORK SECURITY
- Internet users are getting infected by bots
- Many times corporate and end users are trapped in botnet attacks
- Today 16-25% of the computers connected to the internet are members of a botnet
- In this network the bots are located in various locations, so it becomes difficult to track illegal activities
- This behaviour makes a botnet an attractive tool for intruders and increases the threat against network security

HOW IS A BOTNET USED?
- Distributed Denial of Service (DDoS) attacks
- Sending spam
- Phishing
- Adware
- Spyware
- Click fraud

BOTNET DETECTION
Two approaches for botnet detection, based on:
- Setting up honeynets
- Passive traffic monitoring
  - Signature based
  - Anomaly based
  - DNS based

BOTNET DETECTION: SETTING UP HONEYNETS

Windows honeypot, Honeywall. Responsibilities:
- DNS/IP address of the IRC server and port number
- (Optional) password to connect to the IRC server
- Nickname of the bot
- Channel to join and (optional) channel password

BOTNET DETECTION: SETTING UP HONEYNETS

[Diagram: honeynet detection flow. Labels: Bot, 1. Malicious Traffic, Sensor, 2. Inform bot's IP, 3. Authorize, Bot Master]
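The honeynet slides above say the honeypot's job is to learn the IRC server, port, password, nickname and channel a captured bot uses. This added example (not from the presentation) pulls exactly those items out of a constructed honeywall log of one bot session; the IRC commands PASS, NICK and JOIN are standard RFC 1459, everything else (addresses, names, passwords) is made up.

```python
"""Extract the C&C parameters a captured bot reveals when it joins its IRC server."""

# Constructed honeywall log of one bot session: (direction, dst_ip, dst_port, line).
# All values are made up for this example; the IRC commands themselves are RFC 1459.
CAPTURED_SESSION = [
    ("out", "203.0.113.10", 6667, "PASS s3cr3tbot"),
    ("out", "203.0.113.10", 6667, "NICK [DE|XP]-48213"),
    ("out", "203.0.113.10", 6667, "USER bot 0 * :bot"),
    ("in",  "203.0.113.10", 6667, ":irc.example.test 001 [DE|XP]-48213 :Welcome"),
    ("out", "203.0.113.10", 6667, "JOIN #hostage chanpw"),
    ("in",  "203.0.113.10", 6667, ":botmaster!x@y PRIVMSG #hostage :.login"),
]


def extract_cnc_parameters(session):
    """Return the items the honeynet slide lists, taken from the bot's outbound IRC lines.

    server/port come from the first outbound packet; PASS gives the server password,
    NICK the bot's nickname, JOIN the channel and its optional key.
    """
    params = {"server": None, "port": None, "password": None,
              "nickname": None, "channel": None, "channel_password": None}
    for direction, dst_ip, dst_port, line in session:
        if direction != "out":
            continue                      # only the bot's own messages are of interest
        if params["server"] is None:
            params["server"], params["port"] = dst_ip, dst_port
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "PASS":
            params["password"] = rest.strip()
        elif cmd == "NICK":
            params["nickname"] = rest.strip()
        elif cmd == "JOIN":
            parts = rest.split()
            if parts:                     # a bare JOIN carries no channel
                params["channel"] = parts[0]
                params["channel_password"] = parts[1] if len(parts) > 1 else None
    return params


def channel_commands(session):
    """Return the text the bot master sent to the channel (inbound PRIVMSG lines)."""
    seen = []
    for direction, _, _, line in session:
        if direction == "in" and " PRIVMSG " in line:
            seen.append(line.split(" :", 1)[1])
    return seen
```

With these parameters the defender knows which server and channel to block or to observe further.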

BOTNET DETECTION: TRAFFIC MONITORING
- Signature based: detection of known botnets
- Anomaly based: detect botnets using the following anomalies:
  - High network latency
  - High volume of traffic
  - Traffic on unusual ports
  - Unusual system behaviour
- DNS based: analysis of DNS traffic generated by botnets
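The traffic-monitoring slide names three passive checks (signature, anomaly, DNS). This added example (not from the presentation) runs all three over constructed flow and DNS records; the known-C&C list, the set of "common" ports and both thresholds are assumptions a real deployment would tune, and the latency anomaly is left out because these records carry no timing.

```python
"""The three passive-monitoring checks from the slide, run over constructed records."""
from collections import Counter, defaultdict

# Assumptions for this example: the endpoint list, port set and thresholds are made up.
KNOWN_CNC = {("203.0.113.10", 6667)}            # signature: known C&C server and port
COMMON_PORTS = {22, 25, 53, 80, 443, 993, 995}  # everything else counts as unusual
VOLUME_THRESHOLD = 50_000_000                   # bytes per source per window
NXDOMAIN_THRESHOLD = 20                         # failed lookups per source per window

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6667, 1_200),       # joins the known C&C
    ("10.0.0.7", "198.51.100.9", 31337, 800),        # talks on an unusual port
    ("10.0.0.8", "192.0.2.44", 80, 60_000_000),      # sends far more than its peers
    ("10.0.0.9", "192.0.2.1", 443, 50_000),          # ordinary web traffic
]
# Constructed DNS records: (src_ip, query_name, rcode); 10.0.0.6 keeps asking for names that do not exist
DNS = [("10.0.0.6", f"qx{i}.example", "NXDOMAIN") for i in range(25)]
DNS.append(("10.0.0.9", "www.example", "NOERROR"))


def detect(flows, dns_events):
    """Return {source_ip: [alert, ...]} for every source that trips one of the three checks."""
    alerts = defaultdict(list)
    volume = Counter()
    for src, dst, port, nbytes in flows:
        if (dst, port) in KNOWN_CNC:                     # signature based
            alerts[src].append(f"signature: known C&C {dst}:{port}")
        if port not in COMMON_PORTS:                     # anomaly: unusual port
            alerts[src].append(f"anomaly: traffic on unusual port {port}")
        volume[src] += nbytes
    for src, total in volume.items():                    # anomaly: high volume
        if total > VOLUME_THRESHOLD:
            alerts[src].append(f"anomaly: high volume {total} bytes")
    failed = Counter(src for src, _, rcode in dns_events if rcode == "NXDOMAIN")
    for src, n in failed.items():                        # DNS based
        if n > NXDOMAIN_THRESHOLD:
            alerts[src].append(f"dns: {n} failed lookups")
    return dict(alerts)
```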

BOTNET DETECTION
Determining the source of a botnet-based attack is challenging:
- Traditional approach: every zombie host is an attacker
- Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack
- New trend: P2P networks

PREVENTING BOTNET INFECTIONS
- Use a firewall
- Use antivirus (AV) software
- Deploy an Intrusion Prevention System (IPS)
- Define a security policy and share policies with your users systematically

WATERING HOLE ATTACK
Watering Hole is a computer attack strategy identified in 2012 by RSA Security, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.

How does it work?
- Determine the target group
- Identify vulnerabilities on those websites
- Inject the threat into the website
- Sit in the tall grass and wait for targets to come to you
Why is it effective?

PREVENT WATERING HOLE ATTACKS
- Timely software updates
- Vulnerability shielding
- Network traffic detection
- Correlating well-known APT (Advanced Persistent Threat) activities

SPEAR PHISHING ATTACK
Spear phishing is an email that appears to be from an individual or business that you know. But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.
Business impact:

Theft of sensitive information

Secondary use of compromised machines

Incident response and recovery costs

HOW TO DEFEND AGAINST SPEAR PHISHING ATTACKS
- Security awareness training
- Boundary defence
- Continuous vulnerability assessment and remediation

DDoS ATTACK
A Distributed Denial of Service (DDoS) attack is a type of DoS attack in which multiple compromised systems, often infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS).
DoS vs DDoS:
- DoS: when a single host attacks
- DDoS: when multiple hosts attack simultaneously

How does a DDoS attack work?
- Build a network of computers
- Discover vulnerable sites or hosts on the network
- Exploit to gain access to these hosts
- Install new programs (known as attack tools) on the compromised hosts
- Hosts that are running these attack tools are known as zombies
- Many zombies together form what we call an army

Building an army is automated and not a difficult process nowadays.

How to find Vulnerable Machines?

- Random scanning
- Hit-list scanning
- Topological scanning
- Local subnet scanning
- Permutation scanning

How to propagate Malicious Code?

Central source propagation: this mechanism commonly uses HTTP, FTP, and remote procedure call (RPC) protocols

Back-chaining propagation: copying the attack toolkit can be supported by simple port listeners or by full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP)

Autonomous propagation

DDoS ATTACK TAXONOMY
There are mainly two kinds of DDoS attacks:
- Typical DDoS attacks, and
- Distributed Reflector DoS (DRDoS) attacks
Typical DDoS attacks:

DRDoS attacks:
- Slave zombies send a stream of packets with the victim's IP address as the source IP address to other uninfected machines (known as reflectors)
- The reflectors then connect to the victim and send a greater volume of traffic, because they believe that the victim was the host that asked for it
- The attack is mounted by non-compromised machines without their being aware of the action
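The DoS vs DDoS distinction and the DRDoS description above can be turned into a classifier for traffic aimed at one host. This added example (not from the presentation) labels constructed packet records as normal, DoS, DDoS or DRDoS; the reflection test follows the slide literally (hosts answering the victim that the victim never asked), and the packet threshold and the "mostly reflected" rule are assumptions.

```python
"""Label traffic aimed at one victim as DoS, DDoS or DRDoS from packet records."""

PACKET_THRESHOLD = 20   # assumption: fewer packets toward a host in the window is normal load

# Each record is (src_ip, dst_ip, kind) with kind "request" or "response" (e.g. a DNS query/answer).


def classify_attack(packets, victim):
    """Return (label, distinct_sources, unsolicited_responders) for traffic toward victim.

    DRDoS is recognised the way the slide describes it: reflectors answer the victim
    although the victim never sent them a request (the zombies spoofed its address).
    """
    toward = [p for p in packets if p[1] == victim]
    if len(toward) < PACKET_THRESHOLD:
        return ("normal", len({p[0] for p in toward}), 0)
    asked = {dst for src, dst, kind in packets if src == victim and kind == "request"}
    responders = {src for src, _, kind in toward if kind == "response"}
    unsolicited = responders - asked
    sources = {src for src, _, _ in toward}
    if unsolicited and len(unsolicited) * 2 >= len(sources):   # mostly reflected traffic
        return ("DRDoS", len(sources), len(unsolicited))
    if len(sources) == 1:                                       # a single attacking host
        return ("DoS", 1, len(unsolicited))
    return ("DDoS", len(sources), len(unsolicited))


VICTIM = "192.0.2.10"
# Constructed scenarios
DOS = [("198.51.100.1", VICTIM, "request")] * 100                       # one attacking host
DDOS = [(f"10.0.{i}.2", VICTIM, "request") for i in range(50)]          # fifty zombies
DRDOS = [(f"203.0.113.{i}", VICTIM, "response") for i in range(1, 41)]  # forty reflectors answer unasked
LEGIT = [(VICTIM, "203.0.113.1", "request"), ("203.0.113.1", VICTIM, "response")]
```

The unsolicited-responder count is what distinguishes a reflector from a host the victim really contacted, which is why the victim's own outbound requests must be in the input.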

Comparison

A Corporate Structure Analogy

DEFENCE MECHANISMS
SIGNATURE DETECTION

ANOMALY DETECTION

HYBRID SYSTEM

THANK YOU
