Page 1: Cyber Security Terms

PRESENTATION ON

CYBER SECURITY TERMS

Suryaprakash Nehra 1130606

Page 2: Cyber Security Terms

OUTLINE

• Introduction to Cyber Security
• Botnet
• Watering Hole attack
• Spear Phishing attack
• Distributed Denial of Service (DDoS)
• Conclusion

Page 3: Cyber Security Terms

BOTNET

A Botnet is a network of compromised computers under the control of a remote attacker. The controller of a botnet is able to direct the activities of these compromised computers.

Botnet Terminology:

• Bot Herder (Bot Master)
• Bot
• Bot Client
• IRC Server
• Command and Control Channel (C&C)

Page 4: Cyber Security Terms

INTRODUCTION TO BOTNET (TERMINOLOGY)

[Diagram: Bot Master → IRC Server / IRC Channel (C&C Traffic) → bots; Code Server supplies Updates; the bots carry out the Attack against the Victim]

Page 5: Cyber Security Terms

BOTNET IN NETWORK SECURITY

• Internet users are getting infected by bots
• Many times corporate and end users are trapped in botnet attacks
• Today 16-25% of the computers connected to the internet are members of a botnet
• In this network bots are located in various locations, so it becomes difficult to track illegal activities
• This behaviour makes a botnet an attractive tool for intruders and increases the threat against network security

Page 6: Cyber Security Terms

HOW IS A BOTNET USED?

• Distributed Denial of Service (DDoS) attacks
• Sending Spam
• Phishing
• Adware
• Spyware
• Click Fraud

Page 7: Cyber Security Terms

BOTNET DETECTION

Two approaches for botnet detection:

• Setting up honeynets
• Passive traffic monitoring: signature based, anomaly based, DNS based

Page 8: Cyber Security Terms

BOTNET DETECTION: SETTING UP HONEYNETS

Windows Honeypot

Honeywall Responsibilities:

• DNS/IP-address of IRC server and port number
• (optional) password to connect to IRC server
• Nickname of bot
• Channel to join and (optional) channel password

Page 9: Cyber Security Terms

BOTNET DETECTION: SETTING UP HONEYNETS

[Diagram: Bot sends 1. Malicious Traffic to the Sensor; 2. Inform bot's IP; 3. Authorize; Bot Master]

Page 10: Cyber Security Terms

BOTNET DETECTION: TRAFFIC MONITORING

• Signature based: detection of known botnets
• Anomaly based: detect botnets using the following anomalies:
– High network latency
– High volume of traffic
– Traffic on unusual ports
– Unusual system behaviour
• DNS based: analysis of DNS traffic generated by botnets
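The three passive-monitoring approaches on this slide, as an added example that is not part of the original presentation: a small Python detector that runs signature-based, anomaly-based and DNS-based checks over constructed flow records and DNS events. The C&C indicator (198.51.100.7), the IRC JOIN pattern, the thresholds and all sample traffic are constructed for illustration, not real indicators.

```python
"""Passive botnet traffic monitoring: signature-, anomaly- and DNS-based checks.

Added example, not part of the original slides. The flow records, DNS
events, C&C indicators and thresholds below are all constructed for
illustration; replace them with your own collector output and indicators.
"""
import re
from collections import defaultdict

# Constructed flow records, as a NetFlow/Zeek-style sensor might summarise
# them (payload = first bytes of the stream, attached by an IDS).
FLOWS = [
    # 10.0.0.5 opens an IRC session to a known C&C and joins a channel
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 6667,
     "bytes": 900, "payload": "JOIN #cc-channel"},
    # 10.0.0.8 pushes a very large volume to an unusual port
    {"src": "10.0.0.8", "dst": "203.0.113.9", "dport": 31337,
     "bytes": 80_000_000, "payload": ""},
    # 10.0.0.9 does ordinary HTTPS
    {"src": "10.0.0.9", "dst": "203.0.113.20", "dport": 443,
     "bytes": 45_000, "payload": ""},
]

# Constructed DNS events: 10.0.0.11 resolves many generated names that do
# not exist (DGA-style rendezvous), 10.0.0.9 makes a few normal lookups.
DNS_EVENTS = (
    [{"src": "10.0.0.11", "qname": f"x{i}q7z.example", "rcode": "NXDOMAIN"}
     for i in range(40)]
    + [{"src": "10.0.0.11", "qname": "cdn-update.example", "rcode": "NOERROR"},
       {"src": "10.0.0.9", "qname": "example.com", "rcode": "NOERROR"},
       {"src": "10.0.0.9", "qname": "www.example.org", "rcode": "NOERROR"}]
)

# Signature-based: indicators of known botnets (constructed placeholders)
KNOWN_CC_SERVERS = {"198.51.100.7"}
IRC_PORTS = {6667, 6668, 6669, 7000}
IRC_JOIN = re.compile(r"^JOIN\s+#\S+")

# Anomaly-based: thresholds to tune against the monitored network's baseline
BYTES_PER_HOST_LIMIT = 50_000_000
COMMON_PORTS = {22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}

# DNS-based: a burst of failed lookups from one host
NXDOMAIN_MIN = 20
NXDOMAIN_RATIO = 0.8


def signature_detect(flows):
    """Flag hosts whose traffic matches known C&C servers or IRC JOIN commands."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst"] in KNOWN_CC_SERVERS:
            hits[f["src"]].add("known-cc-server")
        if f["dport"] in IRC_PORTS and IRC_JOIN.match(f["payload"]):
            hits[f["src"]].add("irc-join")
    return hits


def anomaly_detect(flows):
    """Flag hosts with unusually high volume or traffic on unusual ports."""
    hits = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        volume[f["src"]] += f["bytes"]
        if f["dport"] not in COMMON_PORTS | IRC_PORTS:
            hits[f["src"]].add("unusual-port")
    for host, total in volume.items():
        if total > BYTES_PER_HOST_LIMIT:
            hits[host].add("high-volume")
    return hits


def dns_detect(events):
    """Flag hosts whose lookups are mostly NXDOMAIN (DGA/fast-flux style)."""
    hits = defaultdict(set)
    counts = defaultdict(lambda: [0, 0])  # host -> [queries, nxdomain]
    for e in events:
        counts[e["src"]][0] += 1
        if e["rcode"] == "NXDOMAIN":
            counts[e["src"]][1] += 1
    for host, (queries, nx) in counts.items():
        if nx >= NXDOMAIN_MIN and nx / queries >= NXDOMAIN_RATIO:
            hits[host].add("nxdomain-burst")
    return hits


def detect_bots(flows, dns_events):
    """Merge the three detectors into {host: sorted reasons}."""
    findings = defaultdict(set)
    for result in (signature_detect(flows), anomaly_detect(flows),
                   dns_detect(dns_events)):
        for host, reasons in result.items():
            findings[host] |= reasons
    return {host: sorted(r) for host, r in sorted(findings.items())}


if __name__ == "__main__":
    for host, reasons in detect_bots(FLOWS, DNS_EVENTS).items():
        print(f"{host}: {', '.join(reasons)}")
```

The signature check only finds botnets whose indicators are already known; the volume and port thresholds must be tuned to the network's own baseline or they will page on backup jobs and game traffic; the NXDOMAIN check catches bots that walk through generated domain names looking for a live C&C, which neither of the other two sees.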

Page 11: Cyber Security Terms

BOTNET DETECTION

Determining the source of a botnet-based attack is challenging:

• Traditional approach: every zombie host is an attacker
• Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack
• New trend: P2P networks

Page 12: Cyber Security Terms

PREVENTING BOTNET INFECTIONS

• Use a Firewall
• Use Antivirus (AV) software
• Deploy an Intrusion Prevention System (IPS)
• Define a Security Policy and share policies with your users systematically

Page 13: Cyber Security Terms

WATERING HOLE ATTACK

• Watering Hole is a computer attack strategy identified in 2012 by RSA Security, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.

• How does it work?
– Determine Target Group
– Identify Vulnerabilities on those Websites
– Inject Threat into Website
– Sit in the Tall Grass and Wait for Targets to Come to You

• Why is it effective?

Page 14: Cyber Security Terms

PREVENT WATERING HOLE ATTACK

• Timely software updates
• Vulnerability shielding
• Network traffic detection
• Correlating well-known APT (Advanced Persistent Threat) activities

Page 15: Cyber Security Terms

SPEAR PHISHING ATTACK

• Spear phishing is an email that appears to be from an individual or business that you know. But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.

Business impact

• Theft of sensitive information

• Secondary use of compromised machines

• Incident response and recovery costs

Page 16: Cyber Security Terms

HOW TO DEFEND AGAINST SPEAR PHISHING ATTACKS

• Security awareness training

• Boundary defence
• Continuous vulnerability assessment and remediation

Page 17: Cyber Security Terms

DDoS Attack

• Distributed Denial-of-Service attack
– DDoS is a type of DoS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS) attack.

• DoS vs DDoS
– DoS: when a single host attacks
– DDoS: when multiple hosts attack simultaneously

Page 18: Cyber Security Terms

How does a DDoS attack work?

• build a network of computers
• discover vulnerable sites or hosts on the network
• exploit to gain access to these hosts
• install new programs (known as attack tools) on the compromised hosts
• hosts that are running these attack tools are known as zombies
• many zombies together form what we call an army
• building an army is automated and not a difficult process nowadays

Page 19: Cyber Security Terms

How to find Vulnerable Machines?

• Random scanning
• Hit-list scanning
• Topological scanning
• Local subnet scanning
• Permutation scanning

Page 20: Cyber Security Terms

How to propagate Malicious Code?

• Central source propagation: this mechanism commonly uses HTTP, FTP, and remote-procedure call (RPC) protocols

Page 21: Cyber Security Terms

• Back-chaining propagation: copying the attack toolkit can be supported by simple port listeners or by full intruder-installed Web servers, both of which use the Trivial File Transfer Protocol (TFTP)

• Autonomous propagation

Page 22: Cyber Security Terms

DDoS Attack Taxonomy

– There are mainly two kinds of DDoS attacks:
• Typical DDoS attacks, and
• Distributed Reflector DoS (DRDoS) attacks

– Typical DDoS Attacks:

Page 23: Cyber Security Terms

– DRDoS Attacks:
• slave zombies send a stream of packets with the victim's IP address as the source IP address to other uninfected machines (known as reflectors)
• the reflectors then connect to the victim and send a greater volume of traffic, because they believe that the victim was the host that asked for it
• the attack is mounted by non-compromised machines without their being aware of the action
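Two defender-side checks that follow from the DRDoS description above, as an added example that is not part of the original presentation. The first is source-address validation at a network border (the BCP 38 idea): an outbound packet whose source is not one of the network's own prefixes is dropped, so a slave zombie inside cannot put the victim's address on packets sent to reflectors. The second runs at the victim: a reply from a reflector service port that matches no request the victim itself sent is unsolicited, and unsolicited replies from many distinct sources is the reflection pattern. The prefixes 10.0.0.0/8 and 192.0.2.0/24, the victim 203.0.113.50, the reflector addresses and all packets are constructed.

```python
"""Defender-side checks against distributed reflector (DRDoS) traffic.

Added example, not part of the original slides. Prefixes, ports and
packets are constructed.
"""
import ipaddress
from collections import defaultdict

# Prefixes the border router is responsible for (constructed)
LOCAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24")]
# UDP services commonly abused as reflectors
REFLECTOR_PORTS = {53, 123, 161, 1900}  # DNS, NTP, SNMP, SSDP

# Constructed outbound packets seen at the border: one genuine DNS query
# from a local host and two packets carrying a foreign (spoofed) source
OUTBOUND = [
    {"src": "10.1.2.3", "dst": "198.51.100.1", "sport": 40000, "dport": 53},
    {"src": "203.0.113.50", "dst": "198.51.100.1", "sport": 40001, "dport": 53},
    {"src": "203.0.113.50", "dst": "198.51.100.2", "sport": 40002, "dport": 123},
]

# Constructed packets seen at the victim 203.0.113.50, in time order: one
# query it sent and the matching reply, then replies it never asked for
VICTIM = "203.0.113.50"
AT_VICTIM = [
    {"src": VICTIM, "dst": "198.51.100.1", "sport": 50000, "dport": 53},
    {"src": "198.51.100.1", "dst": VICTIM, "sport": 53, "dport": 50000},
    {"src": "198.51.100.2", "dst": VICTIM, "sport": 53, "dport": 50000},
    {"src": "198.51.100.3", "dst": VICTIM, "sport": 123, "dport": 50000},
    {"src": "198.51.100.4", "dst": VICTIM, "sport": 53, "dport": 50000},
    {"src": "198.51.100.4", "dst": VICTIM, "sport": 53, "dport": 50000},
]


def egress_spoof_filter(packets, local_prefixes=LOCAL_PREFIXES):
    """Split outbound packets into (allowed, dropped) by source validation."""
    allowed, dropped = [], []
    for p in packets:
        src = ipaddress.ip_address(p["src"])
        if any(src in net for net in local_prefixes):
            allowed.append(p)
        else:
            dropped.append(p)  # source is not ours: spoofed, never forward it
    return allowed, dropped


def unsolicited_responses(packets, victim):
    """Return {reflector_ip: count} of service-port replies with no matching request."""
    outstanding = set()  # (peer, service_port, our_port) of requests we sent
    unsolicited = defaultdict(int)
    for p in packets:
        if p["src"] == victim and p["dport"] in REFLECTOR_PORTS:
            outstanding.add((p["dst"], p["dport"], p["sport"]))
        elif p["dst"] == victim and p["sport"] in REFLECTOR_PORTS:
            key = (p["src"], p["sport"], p["dport"])
            if key in outstanding:
                outstanding.discard(key)  # genuine reply to our own request
            else:
                unsolicited[p["src"]] += 1
    return dict(unsolicited)


def reflection_suspected(packets, victim, min_reflectors=3):
    """True when unsolicited replies arrive from at least min_reflectors sources."""
    return len(unsolicited_responses(packets, victim)) >= min_reflectors


if __name__ == "__main__":
    allowed, dropped = egress_spoof_filter(OUTBOUND)
    print(f"border: forwarded {len(allowed)}, dropped {len(dropped)} spoofed")
    print("victim:", unsolicited_responses(AT_VICTIM, VICTIM),
          "reflection suspected:", reflection_suspected(AT_VICTIM, VICTIM))
```

The border check is the one that actually stops DRDoS, because it removes the ability to spoof the victim's address, but it must be deployed by the networks hosting the zombies, not by the victim; the victim-side check only tells you that reflection is happening so that upstream filtering can be requested. The request-matching assumes the victim uses a distinct ephemeral port per request; in production this state lives in the stateful firewall or flow tracker rather than in a script.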

Page 24: Cyber Security Terms

Comparison

Page 25: Cyber Security Terms

A Corporate Structure Analogy

Page 26: Cyber Security Terms

DEFENCE MECHANISMS

• SIGNATURE DETECTION
• ANOMALY DETECTION
• HYBRID SYSTEM
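The three defence mechanisms listed above applied to DDoS traffic, as an added example that is not part of the original presentation: a Python detector over constructed per-second samples of traffic toward one service. The signature check looks for a SYN-flood pattern (almost all packets are SYNs and they come from many sources); the anomaly check compares the packet rate with a learned baseline; the hybrid combines them and also shows why the baseline may only be updated from seconds judged normal. The baseline, the samples and the thresholds are constructed.

```python
"""Signature, anomaly and hybrid DDoS detection over per-second traffic samples.

Added example, not part of the original slides. Each sample is
(packets/s toward the service, SYN packets/s, distinct source addresses/s);
all values and thresholds are constructed.
"""
import statistics

# Constructed quiet-hour samples used as the anomaly baseline
BASELINE = [(1000, 120, 40), (1100, 130, 42), (950, 110, 38),
            (1050, 125, 41), (1000, 115, 39)]

QUIET = (1080, 130, 43)           # ordinary second
SYN_FLOOD = (1150, 1100, 900)     # low volume, almost all SYNs, many sources
VOLUME_FLOOD = (30000, 3500, 60)  # huge volume, normal SYN share
BOTH = (30000, 28000, 5000)       # volumetric SYN flood


def signature_detect(sample, syn_ratio=0.8, min_sources=200):
    """SYN-flood signature: mostly SYNs, from many distinct sources."""
    pkts, syn, srcs = sample
    return pkts > 0 and syn / pkts >= syn_ratio and srcs >= min_sources


def anomaly_detect(sample, baseline=BASELINE, k=3.0):
    """Rate anomaly: packets/s beyond mean + k standard deviations of baseline."""
    rates = [b[0] for b in baseline]
    mean, sd = statistics.mean(rates), statistics.pstdev(rates)
    return sample[0] > mean + k * sd


def hybrid_detect(sample, baseline=BASELINE):
    """Combine: a signature match is an attack on its own (the SYN flood
    above stays under the rate threshold); a rate anomaly alone is only a
    suspect, since a flash crowd looks the same."""
    sig, ano = signature_detect(sample), anomaly_detect(sample, baseline)
    if sig and ano:
        return "attack: signature+anomaly"
    if sig:
        return "attack: signature"
    if ano:
        return "suspect: anomaly"
    return "normal"


def update_baseline(baseline, sample, window=60):
    """Learn only from seconds judged normal, so a slow-rising attack cannot
    drag the baseline up with it; keep a sliding window of recent samples."""
    if hybrid_detect(sample, baseline) != "normal":
        return baseline
    return (baseline + [sample])[-window:]


if __name__ == "__main__":
    for name, sample in [("quiet", QUIET), ("syn flood", SYN_FLOOD),
                         ("volume flood", VOLUME_FLOOD), ("both", BOTH)]:
        print(f"{name:13s} -> {hybrid_detect(sample)}")
```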

Page 27: Cyber Security Terms
