Ethical Hacking Unit-2

ETHICAL HACKING (Professional Elective – II)
UNIT - II
The Business Perspective:

Business Objectives
Security Policy
Previous Test Results
Business Challenges
Planning for a Controlled Attack:
Inherent Limitations
Imposed Limitations
timing is Everything
Attack Type
Source Point
Required Knowledge
Multi-Phased Attacks
Teaming and Attack Structure
Engagement Planner
The Right Security Consultant
The Tester
Logistics
Intermediates
Law Enforcement
The Business Perspective:

As digitization started taking root in the business world, more and more businesses became
susceptible to the risks of cybersecurity attacks.
Business Objectives
 To help train your workforce in recognizing a cyberattack; thereby enabling them to avoid
phishing emails and improving security from inside the organization.
 To equip your business with digital systems that are built to ward off hackers’ access and
safeguard information.
 To ensure your security systems are up to date by assessing and testing them using real-time
simulations of potential attacks
 To enhance customer & partnership trust in your business by securing sensitive information
during business transactions
 To help detect weak spots in your networks and systems which are vulnerable and re-
engineer them to be resistant to attacks.
Security Policy
As technology continues to become more relevant for businesses worldwide, the importance of
securing business-critical applications and their underlying tech stack continues to gain
prominence. With the changing threat landscape, it is often impractical to identify vulnerabilities in
real time by simply leveraging automated tools. To help with this, Ethical Hacking has been steadily
gaining popularity because of its effectiveness in simulating real-world attacks and identifying
gaps.
1. Reconnaissance
Before performing any penetration tests, hackers footprint the system and gather as much information
as possible. Reconnaissance is a preparatory phase where the hacker documents the organization’s
request, finds the system’s valuable configuration and login information and probes the networks. This
information is crucial to performing the attacks and includes:
 Naming conventions
 Services on the network
 Servers handling workloads in the network
 IP Addresses
 Names and Login credentials of users connected to the network
 The physical location of the target machine
2. Scanning
In this stage, the ethical hacker begins testing the networks and machines to identify potential attack
surfaces. This involves gathering information on all machines, users, and services within the network
using automated scanning tools. Penetration testing typically undertakes three types of scans:
Network Mapping
This involves discovering the network topology, including host information, servers, routers, and
firewalls within the host network. Once mapped, white hat hackers can visualize and strategize the
next steps of the ethical hacking process.
Port Scanning
Ethical hackers use automated tools to identify any open ports on the network. This makes it an
efficient mechanism to enumerate the services and live systems in a network and how to establish a
connection with these components.
Vulnerability Scanning
The use of automated tools to detect weaknesses that can be exploited to orchestrate attacks.While
there are several tools available, here are a few popular ethical hacking tools commonly used during
the scanning phase:
 SNMP Sweepers
 Ping sweeps
 Network mappers
 Vulnerability scanners
3. Gaining Access
Once ethical hackers expose vulnerabilities through the process’s first and second hacking phases,
they now attempt to exploit them for administrative access. The third phase involves attempting to
send a malicious payload to the application through the network, an adjacent subnetwork, or
physically using a connected computer. Hackers typically use many hacking tools and techniques to
simulate attempted unauthorized access, including:
 Buffer overflows
 Phishing
 Injection attacks
 XML External Entity processing
 Using components with known vulnerabilities
If the attacks are successful, the hacker has control of the whole or part of the system and may
simulate further attacks such as data breaches and Distributed Denial of Service (DDoS).
4. Maintaining Access
The fourth phase of the ethical hacking process involves processes to ensure the hacker can access
the application for future use. A white-hat hacker continuously exploits the system for further
vulnerabilities and escalates privileges to understand how much control attackers can gain once they
pass security clearance. Some attackers may also try to hide their identity by removing the evidence
of an attack and installing a backdoor for future access.
5. Clearing Tracks
To avoid any evidence that leads back to their malicious activity, hackers perform tasks that erase all
traces of their actions. These include:
 Uninstalling scripts/applications used to carry out attacks

 Modifying registry values
 Clearing logs
 Deleting folders created during the attack
For those hackers looking to maintain undetected access, they tend to hide their identity using
techniques such as:
 Tunneling
 Stenography
Having successfully performed all the 5 steps of ethical hacking, the ethical hacker then concludes
the steps of ethical hacking by documenting a report on the vulnerabilities and suggesting remediation
advice.
Business Challenges
The main issues and disadvantages with ethical hacking are:
1. Inconsistency of quality
Across the cyber industry, there are numerous ethical hackers and companies that offering ethical
hacking and Penetration Testing services. It can be challenging for businesses to cut through this
noise and to identify quality providers. The best place to start is to look at established businesses
where their main focus is providing offensive security services. Ensure that you speak directly to their
ethical hackers; review their accreditations; ask for client references, and review sanitised examples
of previous work.
2. Ethical hackers causing system interruption

Less experienced ethical hackers are more likely to cause issues and business interruption when
delivering their ethical hacking services. To mitigate this risk ensure that you always use experienced
ethical hackers who understand how to limit the risks of any potential system impact during their pen
test delivery. Furthermore, ask the pen test company to evidence and explain their policies,
procedures and commercial insurance should an incident occur.
3. Over-reliance on automated tools
Ethical hacking should be manually led, with the specialist relying on experience and knowledge and
only light assisted by automated software tools. If your ethical hacker relies heavily upon software
tools such as vulnerabilities scanning engines then you will be unlikely to gain significant value from
the ethical hacking engagement.
Planning for a Controlled Attack:
Command and control attacks, also referred to as C2 and C&C, are a type of attack in which a
malicious actor uses a malicious server to command and control already compromised machines over
a network. The malicious server (the command and control server) is also used to receive the desired
payload from the compromised network.In this post, we’ll be going over what a command and control
attack is in detail, how the attack works, and what can be done to defend against it.
How command and control attacks work
As mentioned above, command and control attacks control infected machines from a malicious
remote server. But how do the attackers infect those machines in the first place?
This is done through the typical “compromise channels”:
 Phishing emails or instant messages

 Malvertising
 Vulnerable web browser plugins
 Direct installation of malware (if the attacker is able to gain physical access to the machine)
Once the machine is successfully compromised, it will establish communication with the malicious
command and control server, indicating that it’s ready to receive instructions. The infected computer
will execute the commands coming from the attacker’s C2 server, which typically leads to the
installation of further malware. That gives the attacker complete control of the victim’s computer. As
more and more users within the organization fall for the phishing scheme or are otherwise
compromised, the malicious code typically spreads to more and more computers, creating a botnet –
a network of infected machines. Within a matter of time, the attacker gains complete control over that
network.
Devices that can be targeted with command and control attacks
Essentially any computing device can be targeted with a command and control attack. That means:
 Desktops/laptops
 Tablets
 Smartphones
 IoT devices
That last entry on the list is particularly worrisome because these devices tend to be rather insecure.
They have extremely limited user interfaces, making them difficult to control. They don’t tend to get
updated with security patches very often. And they tend to share a lot of data over the internet. You
may want to limit the number of IoT devices on your network.
What are the risks of command and control attacks?
 Data theft – Sensitive company data, like financial documents or proprietary information,
could be copied or transferred to the command and control server.
 Shutdown – An attacker could shut down any number of compromised machines. In a large-
scale command and control attack, they could even bring down the entire network.
 Reboot – Infected machines may suddenly and repeatedly shut down and reboot, disrupting
business operations.
 Malware/ransomware attacks – Once the attacker has compromised a machine on your
network, they’ve got access to your network. Depending on the permissions they managed to
obtain, they could do things like trigger the download of malware or encrypt sensitive data and
demand a ransom for the decryption key.
 Distributed denial of service Botnet – With enough compromised machines on the network,
the attacker will have access to a botnet: a network of infected computers ready to receive
malicious commands. A common use of botnets is to mount DDoS attacks. DDoS attacks
take down servers or networks by flooding them with traffic. Once the attackers have
established a botnet, they can instruct each machine to send a request to the targeted
server/network, which, with enough requests, can overwhelm the server/network to the point
of taking it offline.
Different command and control architectures
Different command and control server/client architectures are used in command and control attacks.
The architecture determines how the infected machine communicates with the command and control
server. Different architectures have been developed over time to avoid detection as much as possible.
There are three different command and control architectures.
1. Centralized architecture
The centralized architecture is probably the most common. It’s the classic client/server scheme, in
which all infected computers communicate with one central server that manages all of the responses.
However, this model is the easiest to detect and block because all the commands come from a single
source. Because of that, the command and control server’s IP address can quite readily be detected
and blocked. To try and mitigate this, some attackers use proxy servers, redirectors, and load
balancers in their C&C server configuration.
2. Peer-to-peer architecture
The peer-to-peer model works exactly like BitTorrent file transfers, in which there is no central server.
In this architecture, each infected computer acts as a node in the botnet, passing messages (i.e.,
commands) to any other node in the botnet. In this architecture model, the need for a central server is
eliminated. However, this architecture is often used in a hybrid setup. The peer-to-peer architecture is
used as a fallback in a hybrid configuration, should the central server be taken down or otherwise
compromised.
The peer-to-peer architecture model is much more difficult to detect than the centralized architecture
model. And even if detected, there’s a good chance you’ll only be able to take one node down at a
time – which will still cause you a substantial headache.
3. Random architecture
The random architecture model is the most difficult to detect. That’s also the reason why it came to
be: so that security staff can’t detect the chain of command of a botnet or trace and shut down the
C&C server. This architecture model works by sending commands to the infected host or botnet from
different random sources. Those sources could be links in social media comments, CDNs, email, IRC
chat rooms, etc. Attackers tend to choose trusted and frequently used sources to send the malicious
commands – heightening their chances of success.
Possible attack flow of a command and control attack
The following represents a typical attack flow in a command and control attack.
1. Malicious actors infect a system within an organization (often behind a firewall) with malware.
This is achieved through phishing emails, malvertising, vulnerable browser plugins, or direct
installation of malicious software through a USB stick or disc drive (physical access required),
etc.
2. Once the first machine is infected, the C&C channel is created, and the compromised system
pings the C&C server, letting it know that it’s waiting to receive commands. This
communication between the hosts and the C&C server is typically achieved over trusted
traffic channels, such as DNS.
3. Now that the C&C channel has been established, the infected system can receive further
instructions from the C&C server – so long as the malware isn’t detected. The C&C server will
likely use this channel to instruct the compromised host to do things like installing more
malicious software, encrypting data, and even recursively extracting data from the infected
host.
4. If the attackers are ambitious, they could use the C&C server to instruct the infected host to
scan for vulnerabilities on other hosts in an attempt to move laterally through the network.
That can lead to the creation of a network of compromised hosts (i.e., a botnet) and can
compromise an organization’s entire IT infrastructure.
Real-world examples of command and control attacks
Twitter
Twitter detected a sophisticated attack on its corporate network. It was a command and
control attack perpetrated by hacker group Wild Neutron or Morpho (it goes by both names),
who would use the same attack on Facebook, Apple, and Microsoft in the weeks ahead. The
attack on Twitter compromised approximately 250,000 user accounts, giving the attackers
access to their user names and email addresses, among other things.
Facebook
A few weeks after the Twitter hack, Facebook was hit with essentially the same command
and control attack as Twitter. However, perhaps because of foresight after having learned of
the Twitter hack, the attack failed to expose any customer data, and the malware did not
spread through the network. It was contained on a small number of laptops belonging to
Facebook engineers.
Apple
Apple wasn’t left behind in this 2013 hackathon. Like Facebook and Microsoft, Apple was hit
with the same attack in February. According to Apple, at the time, only a small number of
computers on its Cupertino campus were successfully attacked by the same group. The hack
exploited a Java vulnerability to compromise the machines (as with the other companies
affected). Apple issued a statement to Reuters saying that “[t]here is no evidence that any
data left Apple.” It may not have left, but it may have been viewed… Apple released an
update to Java to mitigate the exploit a few days later.
Microsoft
Again, a few weeks after the Twitter attack, Microsoft was similarly attacked by the same
group. The attackers managed to compromise Microsoft’s unfixed vulnerabilities database.
Needless to say, the attack could have been devastating. Microsoft issued a statement
saying, “We have no evidence of customer data being affected, and our investigation is
ongoing.” However, according to Reuters, Microsoft was very concerned that the
compromised information would lead to follow-up attacks. And that may well have happened.
Defending against command and control attacks
As is so often the case, the way to defend against command and control attacks depends on whether
you’re a user or an administrator. Different mitigation measures apply to each. We’ll provide both.For
system administrators
Provide security awareness training

You want your staff to be aware of the online threats they may be facing. Security training for your
staff will not only help you mitigate command and control attacks but many other types of attacks as
well. Security training promotes more secure habits within your organization and will lessen the risk
level of many of the online threats you face every day – specifically phishing attempts. On top of that,
your entire organization will be better prepared to deal with security events. You simply cannot lose
with this one.
Monitor your networks

You’re going to need visibility into the traffic flowing over your network. Specifically, you want to be on
the lookout for suspicious behavior occurring over your network. Some of the signs that may point to
an attack (command and control or otherwise) would be filename mismatches with their
corresponding hashes, properly named files being stored in odd locations, and user logins at unusual
times and unusual network locations being accessed.
Use an AI-based Intrusion Detection System (IDS)

It’s typically difficult for traditional IT defenses to identify suspicious behavior. That’s because they
tend to be binary in nature. They refer to the account’s permissions or an ACL and choose between
“yes” and “no” or “grant access” or “deny access.” But there is tech available today that can efficiently
scan for and detect unordinary events. AI-powered tech is being used across many industries today.
And IT security is not being left out. With an AI-based IDS, you can “teach” it via machine learning to
identify “normal” behavior patterns over your network. From that baseline, and with a bit of training, it
will be able to detect outlier behavior and may save you from a major headache.
Limit user permissions as much as possible

The principle of least privileges should be implemented in your organization. Assign each user with
the least amount of permissions required to do their work and nothing beyond that.
Set up Two-factor authentication (2FA) on all accounts that support it

2FA is a robust way to make it more difficult for malicious actors to abuse your credentials. Not only
that, but it may discourage many of them from trying.
Implement digital code-signing

Digital signing prevents unauthorized software from being executed unless it is signed by a trusted
entity. Don’t leave the door wide open by allowing any application from anywhere to be installed on
devices on your network. Put a whitelist in place through digital code-signing.
For users
These are primarily common-sense tips that can help you avoid various online threats. However, the
first four points are directly related to mitigating masquerade attacks.
 Don’t open attachments in emails unless you’re sure you know who the sender is and
you’ve confirmed with that person that they really did send you the email in question. You
should also make sure they’re aware the email contains an attachment and know what the
attachment is.
 Don’t click links (URLs) in emails unless you can confirm who sent you the link, what its
destination is, and that the sender is not being impersonated. Once you’ve done that, you
should scrutinize the link. Is it an HTTP or an HTTPS link? The vast majority of the legitimate
internet uses HTTPS today. Also, check the link for incorrect spelling (faceboook instead of
facebook or goggle instead of google)? If you can get to the destination without using the link,
do that instead.
 Use a firewall – All major operating systems have a built-in incoming firewall, and all
commercial routers on the market provide a built-in NAT firewall. You want to make sure
these are enabled. They could well be your first line of defense if you click a malicious link.
 Log out and reboot your computer – When you’re done working on your computer, log out
of your session and reboot the machine. That will clear things from memory that could be
used to compromise your computer.
 Use strong and complex passwords – The more complex your passwords are, the less
likely you are to fall victim to credential-based attacks. Depending on the attacker’s chosen
methodology, a successful command and control attack may well start off as a credential-
based attack.
 Use an antivirus program – Only purchase genuine and well-reviewed antivirus software
from legitimate vendors. Keep your antivirus updated and configure it to run frequent scans.
 Keep your operating system updated – You want the latest OS updates, as they contain
the latest security patches. Make sure you install them installed as soon as they’re available.
 Never click on pop-ups. Ever. Regardless of where they take you, pop-ups are just bad
news.
 Don’t give in to “warning fatigue” if your browser displays yet another warning about a
website you are trying to access. With web browsers becoming more and more secure, the
number of security prompts they display has gone up somewhat. You should still take your
browser’s warning seriously, and if your browser displays a security prompt about a URL
you’re trying to visit, listen to your browser and get your information elsewhere. That’s
especially true if you clicked a link you received by email or SMS – it could be sending you to
a malicious site. Don’t disregard your computer’s warning prompts.
Wrap-up
So that’s essentially the deal with command and control attacks. They can definitely be nasty insofar
as they could lead to complete network takeovers. But, as is the case with many other online attacks,
putting the security measures above into practice and promoting security awareness within your
organization is a good bet towards lowering the odds of falling prey to online attacks in general and
command and control attacks, specifically.
Inherent Limitations:
Understanding the limitations of internal control can help your business or organization better prevent
gaps in its information systems. Learn how with this helpful guide from the team at Reciprocity.
As the inherent risks confronting your organization or business grow, having the proper policies,
procedures, and technical safeguards in place to prevent problems and protect your assets is more
important than ever before. Together, these policies, procedures, and technical safeguards are
called internal controls.
Internal controls are designed to provide organizations with reasonable assurance regarding the
achievement of objectives in the following categories:
 reliability of financial reporting
 effectiveness and efficiency of business operations
 compliance with applicable laws and regulations
More generally, internal controls are typically established to avoid or minimize loss.
Internal controls do, however, have their limits. These limits can prevent the policies, procedures, or
technical safeguards you already have in place from effectively protecting your organization against
threats.
In this article we’ll take a closer look at the effectiveness of internal controls, including some of the
most common limitations to a company’s internal controls; so you can better position your business to
avoid putting itself at risk.
What Are Internal Controls?

There are three types of internal controls:
 detective
 preventative
 corrective
Detective controls seek to understand risks once those risks have occurred; corrective controls take
corrective action to remedy vulnerabilities. Preventative controls attempt to prevent those risks from
striking in the first place.
In information security, internal controls consist of security policies and procedures, plans, devices,
and software intended to strengthen your cybersecurity. Ultimately, internal controls aren’t just
important for the sake of your cybersecurity; they’re also important for avoiding financial losses,
reputational damage, and even regulatory fines and legal consequences.
A number of regulatory obligations and compliance frameworks require organizations to implement

and demonstrate security controls that enable your organization to manage its information security for
your information systems, networks, and devices. In many cases you may need to conduct an internal
audit, to assure that your control procedures are in place and that they’re working.
Audit procedures – that is, the processes and methods external or internal auditors use to obtain
sufficient and appropriate evidence to make a judgment about the effectiveness of an organization’s
internal controls – are usually associated with meeting regulatory compliance.
COSO
One common internal control framework is the Committee of Sponsoring Organizations
(COSO) framework, known as Internal Control-Integrated Framework. The COSO framework
provided the first common definition of internal control: “a process, effected by an entity’s board of
directors, management, and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives relating to operations, reporting and compliance.”
COSO’s framework guidelines were developed to help organizations assure that their financial
statements are accurate, their assets and stakeholders are protected from fraud, and their operations
are running effectively and efficiently. While the original purpose of the COSO framework in 1992 was
fraud deterrence, today (after a major overhaul in 2013) it is one of the most widely used frameworks
in the United States for internal controls.
At its core, COSO provides an approach that organizations can use to assess the effectiveness of
their own system of internal controls throughout the entire organization, from auditing to IT. The
framework also first introduced the five key elements of internal control, which we will discuss in more
detail in the following section.
5 Key Elements of Internal Control

As defined by COSO, the five elements of internal control each contain supporting principles and
points of focus to help organizations design, implement, conduct, monitor, and assess internal control
processes. The five elements of internal control are control environment, risk assessment, control
activities, information and communication, and monitoring activities.
Control Environment
The control environment is at the foundation for all the other internal control elements. It
encompasses your organization’s attitude about internal controls, under the assumption that your
board of directors and senior management are responsible for establishing the “tone at the top”
regarding the importance of internal controls and the expected standards of conduct. Ideally, other
employees will then follow suit.
An effective internal control environment should include the following seven factors:
 Integrity and ethical values.

 Commitment to competence.
 Human resource policies and practices.
 Assignment of authority and responsibility.
 Management’s philosophy and operating style.
 Board of directors or audit committee participation.
 Organizational structure.
Risk Assessment
The risk assessment process includes identifying, analyzing and prioritizing your organization’s risks.
It will ultimately inform the process for managing and mitigating risks.
An effective risk assessment should:
 Clearly specify objectives.

 Identify risks to the achievement of objectives.
 Consider the potential for fraud.
 Identify and assess significant changes.
 Include third-party and supply chain risks.
Control Activities
Control activities are the actions established by policies and procedures that help assure
management directives are carried out. Control activities should be performed at all levels of your
organization and at various stages within your business processes. They should address the risks
identified in your risk assessment, be clearly documented and clearly communicated to stakeholders
and staff, and evolve with the changing needs of your business.
Control activities should include:
 Performance reviews.
 Information processing.
 Physical controls.
 Segregation of duties.
Information and Communication
Information and communication are the systems and processes that support identifying, capturing,
and exchanging information that allows people to carry out their duties effectively.
Your information and communication systems should:
 Facilitate the acquisition, generation, and use of quality information throughout your organization.
 Define the processes for internally communicating information about internal controls.
 Define the processes for externally communicating information about internal controls.
Monitoring Activities
Monitoring activities are the processes that identify, monitor and report on the quality of your internal
controls.
Monitoring activities should include:
 Ongoing and/or separate evaluations.

 Evaluation and communication for any internal control deficiencies.
 Options for automation wherever possible.
timing is Everything
 A timing attack is a sophisticated way to circumvent security mechanisms and discover
vulnerabilities by studying how long it takes the system to respond to different inputs. In a
timing attack, the attacker gains information that is indirectly leaked by the application. This
information is then used for malicious purposes, such as guessing the password of a user.
Timing attacks are part of a wider family of attacks, called side-channel attacks.
 A side-channel attack is any attack based on information gained from the implementation of a
computer system, rather than weaknesses in the implemented algorithm (e.g. cryptanalysis and
software bugs). An attacker utilizes the data gained from monitoring patterns in physical
parameters such as EMF radiation, power consumption, response times, and acoustic emissions
during cryptographic operations performed by the system. The attacker can then break encryption
by leveraging this information to discover the associated key. Surprisingly detailed sensitive
information is being leaked out from a few high-profile, top-of-the-line web applications in
healthcare, taxation, investment and web search despite HTTPS protection.
How do timing attacks work?

 Timing characteristics of cryptographic operations vary depending on the encryption key. Different
systems require different amounts of time to process different inputs. The variables that influence
the timing characteristics include performance optimizations, branching and conditional
statements, processor instructions, RAM and cache hits.
 A timing attack looks at how long it takes a system to do something and uses statistical analysis to
find the right decryption key and gain access. The only information needed by the attacker is the
timing information that is revealed by the algorithms of the application. By supplying various inputs
to the application, timing the processing and statistically analyzing the information, the attacker
can guess the valid input.
How do timing attacks threaten encryption?

 The canonical example of a timing attack was designed by cryptographer Paul Kocher. He was
able to expose the private decryption keys used by RSA encryption without breaking RSA. In
his paper, Kocher mentions:
 “By carefully measuring the amount of time required to perform private key operations, attackers
may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other
cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often
requires only known ciphertext. Actual systems are potentially at risk, including cryptographic
tokens, network-based cryptosystems, and other applications where attackers can make
reasonably accurate timing measurements.”
 The general belief was that timing attacks were only applied in the context of hardware security
tokens such as smartcards. The assumption was that timing attacks could not be used to attack
general purpose servers, since decryption times are masked by many concurrent processes
running on the system. However, research by David Brumley and Dan Boneh of Stanford
University challenged this assumption. The two researchers demonstrated that they “can extract
private keys from an OpenSSL-based web server running on a machine in the local network. Our
results demonstrate that timing attacks against network servers are practical and therefore
security systems should defend against them.”
 The most notable vulnerability involving timing attacks are Meltdown and Spectre, which were
discovered in 2017 and affected most CPUs. In fact, Spectre is considered the most powerful
timing attack in history. Further information about these vulnerabilities can be found on the
website created by the researchers who discovered them.
How to protect against timing attacks

 The basic idea behind counter timing attacks is to ensure that information related to the execution
time doesn’t have a pattern that would enable the adversary to predict the key. As Kocher
mentions in his paper: “The most obvious way to prevent timing attacks is to make all operations
take exactly the same amount of time. Unfortunately, this is often difficult. Making software run in
fixed time, especially in a platform-independent manner, is hard.”
 Brumley and Doneh offer three possible solutions to the problem: “The most widely accepted
defense against timing attacks is to perform RSA blinding.” And they continue saying that “Two
other possible defenses are suggested often but are a second choice to blinding. The first is to try
and make all RSA decryptions not dependent upon the input ciphertext… Another alternative is to
require all RSA computations to be quantized, i.e., always take a multiple of some pre-defined
time quantum.”
 Timing attacks and other side-channel attacks are often overlooked while designing an algorithm.
Poor implementations of these cryptographic algorithms can make them vulnerable to an
adversary. They can leak vital information, disclose the encryption key and compromise the
encryption mechanism. The root causes of such vulnerabilities are the efforts to reduce execution
time and improve performance of cryptographic algorithms. The best way to mitigate these
vulnerabilities is to pay attention during the implementation of the algorithms to make them
resistant to these attacks, even if it comes at the cost of a reduction in overall performance. This is
especially important where security is top of the priority list.
Attack Type
• Malware
• Phishing
• SQL Injection Attack
• Cross-Site Scripting (XSS)
• Denial of Service (DoS)
• Session Hijacking and Man-in-the-Middle Attacks
• Credential Reuse
Malware
If you've ever seen an antivirus alert pop up on your screen, or if you've mistakenly clicked a
malicious email attachment, then you've had a close call with malware. Attackers love to use
malware to gain a foothold in users' computers—and, consequently, the offices they work in—
because it can be so effective.
“Malware” refers to various forms of harmful software, such as viruses and ransomware. Once
malware is in your computer, it can wreak all sorts of havoc, from taking control of your machine,
to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from
your computer or network to the attacker's home base.
Attackers will use a variety of methods to get malware into your computer, but at some stage it
often requires the user to take an action to install the malware. This can include clicking a link to
download a file, or opening an attachment that may look harmless (like a Word document or PDF
attachment), but actually has a malware installer hidden within.
Phishing
Of course, chances are you wouldn't just open a random attachment or click on a link in any email
that comes your way—there has to be a compelling reason for you to take action. Attackers know
this, too. When an attacker wants you to install malware or divulge sensitive information, they often
turn to phishing tactics, or pretending to be someone or something else to get you to take an action
you normally wouldn’t. Since they rely on human curiosity and impulses, phishing attacks can be
difficult to stop.
In a phishing attack, an attacker may send you an email that appears to be from someone you
trust, like your boss or a company you do business with. The email will seem legitimate, and it will
have some urgency to it (e.g. fraudulent activity has been detected on your account). In the email,
there will be an attachment to open or a link to click. Upon opening the malicious attachment, you’ll
thereby install malware in your computer. If you click the link, it may send you to a legitimate-
looking website that asks for you to log in to access an important file—except the website is actually
a trap used to capture your credentials when you try to log in.
In order to combat phishing attempts, understanding the importance of verifying email senders and
attachments/links is essential.
SQL Injection Attack

SQL (pronounced “sequel”) stands for structured query language; it’s a programming language
used to communicate with databases. Many of the servers that store critical data for websites and
services use SQL to manage the data in their databases. A SQL injection attack specifically targets
this kind of server, using malicious code to get the server to divulge information it normally
wouldn’t. This is especially problematic if the server stores private customer information from the
website, such as credit card numbers, usernames and passwords (credentials), or other personally
identifiable information, which are tempting and lucrative targets for an attacker.
An SQL injection attack works by exploiting any one of the known SQL vulnerabilities that allow
the SQL server to run malicious code. For example, if a SQL server is vulnerable to an injection
attack, it may be possible for an attacker to go to a website's search box and type in code that
would force the site's SQL server to dump all of its stored usernames and passwords for the site.
Cross-Site Scripting (XSS)

In an SQL injection attack, an attacker goes after a vulnerable website to target its stored data,
such as user credentials or sensitive financial data. But if the attacker would rather directly target
a website's users, they may opt for a cross-site scripting attack. Similar to an SQL injection attack,
this attack also involves injecting malicious code into a website, but in this case the website itself
is not being attacked. Instead, the malicious code the attacker has injected only runs in the user's
browser when they visit the attacked website, and it goes after the visitor directly, not the website.
One of the most common ways an attacker can deploy a cross-site scripting attack is by injecting
malicious code into a comment or a script that could automatically run. For example, they could
embed a link to a malicious JavaScript in a comment on a blog.
Cross-site scripting attacks can significantly damage a website’s reputation by placing the users'
information at risk without any indication that anything malicious even occurred. Any sensitive
information a user sends to the site—such as their credentials, credit card information, or other
private data—can be hijacked via cross-site scripting without the website owners realizing there
was even a problem in the first place.
Denial-of-Service (DoS)
Imagine you're sitting in traffic on a one-lane country road, with cars backed up as far as the eye
can see. Normally this road never sees more than a car or two, but a county fair and a major
sporting event have ended around the same time, and this road is the only way for visitors to leave
town. The road can't handle the massive amount of traffic, and as a result it gets so backed up
that pretty much no one can leave.
That's essentially what happens to a website during a denial-of-service (DoS) attack. If you flood
a website with more traffic than it was built to handle, you'll overload the website's server and it'll
be nigh-impossible for the website to serve up its content to visitors who are trying to access it.
This can happen for innocuous reasons of course, say if a massive news story breaks and a
newspaper's website gets overloaded with traffic from people trying to find out more. But often,
this kind of traffic overload is malicious, as an attacker floods a website with an overwhelming
amount of traffic to essentially shut it down for all users.
In some instances, these DoS attacks are performed by many computers at the same time. This
scenario of attack is known as a Distributed Denial-of-Service Attack (DDoS). This type of attack
can be even more difficult to overcome due to the attacker appearing from many different IP
addresses around the world simultaneously, making determining the source of the attack even
more difficult for network administrators.
Session Hijacking and Man-in-the-Middle Attacks

When you're on the internet, your computer has a lot of small back-and-forth transactions with
servers around the world letting them know who you are and requesting specific websites or
services. In return, if everything goes as it should, the web servers should respond to your request
by giving you the information you're accessing. This process, or session, happens whether you
are simply browsing or when you are logging into a website with your username and password.
The session between your computer and the remote web server is given a unique session ID,
which should stay private between the two parties; however, an attacker can hijack the session by
capturing the session ID and posing as the computer making a request, allowing them to log in as
an unsuspecting user and gain access to unauthorized information on the web server. There are
a number of methods an attacker can use to steal the session ID, such as a cross-site scripting
attack used to hijack session IDs.
An attacker can also opt to hijack the session to insert themselves between the requesting
computer and the remote server, pretending to be the other party in the session. This allows them
to intercept information in both directions and is commonly called a man-in-the-middle attack.
Credential Reuse
Users today have so many logins and passwords to remember that it’s tempting to reuse
credentials here or there to make life a little easier. Even though security best practices universally
recommend that you have unique passwords for all your applications and websites, many people
still reuse their passwords—a fact attackers rely on.
Once attackers have a collection of usernames and passwords from a breached website or service
(easily acquired on any number of black market websites on the internet), they know that if they
use these same credentials on other websites there’s a chance they’ll be able to log in. No matter
how tempting it may be to reuse credentials for your email, bank account, and your favorite sports
forum, it’s possible that one day the forum will get hacked, giving an attacker easy access to your
email and bank account. When it comes to credentials, variety is essential. Password managers
are available and can be helpful when it comes to managing the various credentials you use.
Required Knowledge
Attack Patterns
Building software with an adequate level of security assurance for its mission becomes more and
more challenging every day as the size, complexity, and tempo of software creation increases
and the number and the skill level of attackers continues to grow. These factors each
exacerbate the issue that, to build secure software, builders must ensure that they have
protected every relevant potential vulnerability; yet, to attack software, attackers often have to
find and exploit only a single exposed vulnerability. To identify and mitigate relevant
vulnerabilities in software, the development community needs more than just good software
engineering and analytical practices, a solid grasp of software security features, and a powerful
set of tools. All of these things are necessary but not sufficient. To be effective, the community
needs to think outside of the box and to have a firm grasp of the attacker’s perspective and the
approaches used to exploit software.
These articles discuss the concept of attack patterns as a mechanism to capture and communicate
the attacker’s perspective. Attack patterns are descriptions of common methods for exploiting
software. They derive from the concept of design patterns applied in a destructive rather than
constructive context and are generated from in-depth analysis of specific real-world exploit examples.
Through analysis of observed exploits, the following typical information is captured for each attack
pattern:
 Pattern name and classification

 Attack prerequisites
 Description
 Targeted vulnerabilities or weaknesses
 Method of attack
 Attacker goal
 Attacker skill level required
 Resources required
 Blocking solutions
 Context description
 References
This information can bring considerable value for software security considerations through all phases
of the software development lifecycle (SDLC) and other security-related activities, including:
 Requirements gathering
 Architecture and design
 Implementation and coding
 Software testing and quality assurance
 Systems operation
 Policy and standard generation
Multi-Phased Attacks
A multiphase attack combines phishing with spear phishing and insider attack techniques. Difficult to
detect and challenging to prevent, multiphase attacks are especially popular in Microsoft 365 due to
growing popularity of the platform and the wide range of applications and data that can be breached
with a compromised Microsoft 365 account.
What is a multiphase attack?

Phishing attacks were traditionally a single event: a hacker sends a PayPal phishing email to your
inbox, tricks you into divulging your account login credentials on a phishing page, and then empties
your PayPal account. Rinse and repeat. In a multiphase attack, this initial act of deception is just the
beginning.
A multi-phase attack involves first scraping your account credentials via a phishing email and then
using the credentials to send phishing or spear phishing emails from the account. For example, the
hacker might first send a Microsoft 365 phishing email to compromise your Microsoft 365 account.
Then, using your Microsoft 365 account, the hacker, impersonating you, will send a phishing or spear
phishing email to someone in your company. Often, spear phishing emails will target users who have
the power to execute wire transfers, make purchases, or change direct deposit information. A link in
a phishing emailmight lead to another phishing page designed to scrape additional Microsoft 365
account credentials, or it could initiate a malware or ransomware download.
In the above scenario, the email recipient has no reason to suspect that it is not you who sent the
email requesting a wire transfer. And an email security filter won’t recognize the attack because the
email is sent from a legitimate Microsoft 365 account.
There are many variants on the multiphase attack. Armed with a legitimate account, the attacker can
conduct phishing attacks laterally within the organization and also spear phish external business
partners and vendors. In one recent case, the SEC revealed that an unnamed American corporation
had been fleeced to the tune of $45,000,000 in 14 separate events linked to one multiphase attack.
The main driver of multiphase attacks:
With 258 million active business users and a single point of entry into the entire suite, Microsoft 365 is
a remarkably fertile environment for malicious behavior. From SharePoint, OneDrive, and Teams file
repositories to email accounts, Microsoft 365 hosts a rich collection of sensitive data for businesses
around the world, including contact names and email addresses, contracts, and financials.
A single successful phishing attack on a Microsoft 365 user gives a hacker access to all that data. It’s
the single biggest driver of compromised Microsoft accounts and the sole reason Microsoft has been
the most impersonated brand in phishing attacks in six of the last eight quarters.
How hackers get inside and evade detection from Microsoft:

Microsoft 365’s native email security, Exchange Online Protection (EOP), is good at
identifying known threats, including bad senders or IPs. If an attacker sent dozens of similar phishing
emails to different targets, whether from inside or outside Microsoft 365, EOP would flag them and
block future attacks. Therefore, to successfully compromise a Microsoft 365 account, the attacker
must make each of their attacks individual and unique.
One way to get past the fingerprint scanning used by EOP and other traditional solutions is by
inserting random or invisible text into the messages. Attackers also us homoglyphs, e.g., substituting
the Greek letter Beta for the lower case “b” and so forth. Other techniques include:
 Randomizing content to make each message unique

 Using images disguised as text to bypass text-analysis filters
 Bypassing URL domain filtering using shorteners such as bit.ly
 Using subdomains
 Abusing redirection mechanisms
 Distorting images
Mitigating the multiphase attack risk:

Multiphase attacks require multi-tiered defenses or the stacking up of security layers. In the same way
that you might employ more than one type of firewall to improve your odds of stopping a network-
based attack, it makes sense to use a layered approach to Microsoft 365 security to block multiphase
attacks.
Because EOP’s fingerprint-based detection is sufficient for known threats, it’s important to maintain
the benefits of that native protection while adding another layer of email security that predicts and
block unknown, dynamic threats. The challenge to layering email security into Microsoft 365,
however, is email architecture. Secure Email Gateways (SEG), for example, sit outside EOP. This
architectural design creates a number of limitations:
 Requires an MX record change

 Is visible to hackers via a simple MX lookup
 Can’t scan internal email
To continue to get the benefits from EOP, an add-on email security solution should be integrated with
Microsoft 365 via API—able to scan from the inside and complement EOP rather than limit its
effectiveness. The solution should also go beyond fingerprint scanning and use a more modern
approach to threat detection, with a combination of heuristic rules and artificial intelligence to predict
and block attacks.
As for your users, provide phishing training as mistakes arise, e.g. clicking on a phishing URL. Users
are more likely to learn from contextual training based on a real event as it happens than annual
training. Finally, trust and act on what your users are reporting. Offer a feedback loop that allows
users to report suspicious emails and ensure there is a closed loop with the email filter so that the
engine learns from this feedback and continually improves.
Teaming and Attack Structure
What is red teaming?

Red teaming is a multi-layered, full-scope cyberattack simulation designed to test the effectiveness of
an organization’s security controls. This includes networks, applications, physical safeguards, and
even employees. As stated above, the purpose of conducting red teaming is to allow companies to
understand how resistant they are to real-world hacking adversaries.
Your Blue Team will then be tasked with defending the attack as if it was a real one.
Red teaming is similar to ethical hacking, during which actors don’t attempt any actual harm but
instead hack into systems to uncover vulnerabilities with the goal of improving defenses. Red teaming
is based on the idea that a company can’t really know how secure its systems are until they are
attacked. Rather than running the risk of real-world damage that may come from a genuinely
malicious attack, simulating one first via red teaming will uncover an organizations’ vulnerabilities so
they can be addressed before it’s too late.
How does red teaming work?

The best way to understand the details of red teaming is by looking at the process of how a typical red
team exercise unfolds. Most red teaming simulations have several stages:
 Goal-mapping: Organizations will first set primary goals for their red team. For example, one
goal may be to extract a particular piece of sensitive data from a particular server.
 Target reconnaissance: Once the red team is clear on their objectives, they will begin
mapping out the systems to be targeted, including networks, web applications, employee
portals, and even physical spaces.
 Exploit vulnerabilities: This is where the action in red teaming exercises really begins. Once
the red team knows which attack vectors they’ll use, they will employ tactics such as phishing
or XSS exploits to access your systems.
 Probing and escalation: Your red team will then try to move within your systems to achieve
their primary goal, and determine if there are additional vulnerabilities to exploit. Red teams
will continually escalate until the target is reached.
 Reporting and analysis: After the red team’s simulated attack is complete, you’ll go through a
reporting and analysis process to determine the path forward. You’ll see how your blue
(defensive security) team performed and which key vulnerabilities need to be addressed.
Experienced red teams use a wide variety of techniques to perform each of these steps. The main
thing to consider when reviewing the attack is that small vulnerabilities in single systems can build into
catastrophic failures when chained together. Real-world hackers will always be greedy and look to
exploit more systems and data than they originally came for.
Red teaming tools and common tactics

When executed properly, red teaming will result in a mock full-spectrum attack on your networks,
systems, and data. Red teams will use as many tools and techniques available to malicious hackers
as they can. Some of the more common red teaming tools and tactics are:
 Application penetration testing: App-level pen testing is designed to identify application layer
flaws such as cross-site request forgery, injection flaws, and weak session management.
 Network penetration testing: This type of pen test is for identifying network and system-level
flaws. This includes misconfigurations, wireless network vulnerabilities, rogue services, and
more.
 Physical penetration testing: You also need to understand the strength and effectiveness of
physical security controls through real-life exploitation. Red teams may try to stroll past
physical controls directly into server rooms or employee work terminals.
 Intercepting communication: To map your network or gain more information about the
environment, red teams will circumvent common security techniques by hacking
communications such as internal emails, texts, or even phone calls. to.
 Social engineering: Red teams will try to exploit weaknesses in people within your
organization by relying on human nature. They’ll try to manipulate employees into giving up
access credentials via phishing, phone calls, text messaging, or falsifying an identity on-site.
Red teaming is a full-scope, multi-layered attack simulation designed to measure how well your
people, networks, application, and physical security controls can withstand an attack from a real-life
adversary. Therefore, a strong red team will employ an array of tools, tactics, and strategies to breach
your defenses.
Red teaming benefits

At the broadest level, the value of red teaming is that it provides a comprehensive picture of
cybersecurity within your organization. Red teams should be as creative and resourceful as real-life
malicious actors who will inevitably probe and test every square inch of the potential attack surface.
The assessment doesn’t conclude after initial vulnerabilities are discovered and exposed, however.
The exercise will extend towards re-testing, lateral movement, and remediation phases that will test
just about every aspect of your cybersecurity strategy. You’ll be able to completely assess your
capability to detect, remediate and prevent targeted attacks.
In fact, the real work typically begins after a red team intrusion, when you’ll perform forensic analysis
of the attack and formulate ways to mitigate vulnerabilities. Red teaming also offers several other
benefits when used in conjunction with other threat analysis techniques:
 Identification of the risk and susceptibility of attack against key business information assets
and technology systems.
 Simulation of techniques, tactics, and procedures (TTPs) used by genuine threat actors in a
risk-managed and controlled environment.
 Assessment of your organization’s ability to detect, respond, and prevent sophisticated and
targeted threats before they take place.
 Encouragement of close engagement with internal incident response teams to provide
meaningful mitigation and comprehensive post-assessment debrief workshops.
 Compliance assistance; strengthen your cyber defense posture to be up to par with relevant
frameworks such as CCPA, FISMA, or HIPAA.
 Training and cybersecurity education of your entire staff, from the executive level down to
rank-and-file workers.
 Performance-metric gathering with regards to cyber defenses without the downside of a real-
life attack. You’ll collect measurements that are relevant to real-world performance.
 Prioritization of cybersecurity initiatives and expenses based on the results of the exercise.
Become more cost-efficient and address the most pressing needs first.
These are just a few of the main benefits that red teaming provides. Next, we’ll cover how to decide if
your organization needs red teaming and who benefits.
Who needs red teaming?

Just about any company and organization – public or private – can benefit from some form of red
teaming. Even if your company doesn’t work in technology or isn’t necessarily IT-focused, it’s still
likely that red teaming will be useful as hackers might be after the personal sensitive information of
customers in data stores or internal employees.
For smaller firms, it’s understandably more costly and difficult to deploy the significant resources
needed for comprehensive red teaming exercises. In this case, it’s typically worthwhile to contract out
the red teaming process, using experienced cybersecurity and compliance partner.
Red teaming considerations
Though almost every company can benefit from red teaming, the best time to undertake this practice
–and how frequently to do it – will vary according to your sector and the maturity of your cybersecurity
defenses.
Here are some key considerations to make when planning your future red teaming exercises:
 Automation: You should already be engaged in activities such as asset investigation and
vulnerability analysis. Your organization should also be combining automated technology with
human intelligence by implementing regular, robust penetration testing. Process automation
will make it easier to conduct, and measure the results of, red teaming.
 Preparation: Once you’ve completed several business cycles of vulnerability and pen testing,
you can start red teaming. Only after you’ve completed these preparations can the total value
of red teaming be realized. Attempting to bring in red teaming before establishing a solid and
consistent cybersecurity baseline will produce very little value.
 Comparison: To be truly effective, the insights produced by the red team need to be given
context by comparing against previous penetration testing and vulnerability assessment
activity.
We’ve mentioned penetration testing as both a tactic and key consideration within the realm of red
teaming. Therefore, it’s important to understand the differences and similarities between red teaming
and pen-testing.
Red teaming vs. penetration testing

Though pen testing is important, it is only one part of what a red team does. Red team operations
have broader objectives than pen testers, whose goal is often just to get access to a network.
Red team exercises are designed to emulate a more real-world advanced persistent threat (APT)
scenario and result in reviewing defensive strategies and detailed risk analysis. Penetration testing is
only a small part of red teaming. Red teaming includes evasion and persistence, privilege escalation,
and exfiltration, whereas penetration testing exercises only the first part of the cyber kill chain.
Time box
This is the time frame in which each activity is conducted. For pen testing, the time box is extremely
narrow – typically less than one day. For red teaming, the time box can be extended over multiple
days, weeks, and even months.
Tooling
Pen testing and red teaming also employ different tools and technologies. Employees will typically
conduct a pen test using commercially available software. Red teams are encouraged to use any tool,
trick, or tactic in their arsenal and think creatively while attempting to breach systems.
Awareness
This is one of the most distinct differences between Pen Testing and red teaming. With Pen Testing,
most of your employees are aware of what’s taking place. But red teaming exercises require that your
organization is completely unaware to get a real picture of your cyber defenses.
Vulnerabilities
Which vulnerabilities are attacked will also differ. In pen testing, known vulnerabilities are specified
and targeted to see how well-defended they are. Red teams won't just exploit a single vulnerability,
however. They’ll also seek out new ones in your network and attempt to move laterally.
Targeting
When conducting penetration testing, your test target vulnerabilities will be narrow and pre-defined.
You’ll target a specific firewall or password system, for instance. Red team targets are more fluid,
ranging across multiple domains and networks.
Testing
Penetration testing involves testing each system independently, one at a time, and is a much more
siloed approach than red teaming. When implementing red teaming, all your systems are targeted
simultaneously throughout the time box, giving you a better idea of your plan of defense and response
to a real hack.
Now that you’re informed about what red teaming is (and what it isn’t)it’s time to get up-to-speed on
what’s involved in the process and preparation.
What’s involved in a red team exercise?

To get the most out of a red team exercise, you’ll need to make the right preparations. This includes
knowing who and what will be involved. The systems and processes used by each organization are
different, and a high-quality red team exercise needs to be specifically tailored toward finding
vulnerabilities in your systems. For that reason, it’s important to understand several factors.
Know what you’re looking for

First, it’s important to understand which systems and processes you want to test. It’s possible that you
know you want web application testing, but you don’t have a sense of what that means for you, and
which of your other systems are integrated with your web apps. You need to understand your systems
well and patch any obvious vulnerabilities before you start a red team exercise.
Know your network

The better able you are to quantify your testing environment, the more accurate and specific your red
teaming exercises will be. Knowing the technical specifications of your network will also make post-
analysis more effective and valuable.
Know your budget

Red teaming can be performed at various levels of intensity, and a full spectrum simulated attack on
your network can prove costly, as you'll need to include social engineering and physical intrusion for a
comprehensive exercise. For this reason, it’s important to understand how much you are willing to
spend on your red team exercise and to set your scope accordingly.
Know your risk level

Some organizations tolerate a high level of risk as part of their standard business procedures. Others,
and particularly those working in industries in which there are detailed and complex compliance
requirements, need to have far lower risk tolerance. When conducting a red team exercise, it’s
important to focus on risks that present consequences for your business.
Red teaming examples

A great way to understand the basics of red teaming is to review some examples of how exercises
take place and what’s involved. Below are four different red team scenarios that illustrate what you
can potentially expect.
Social engineering: After online research of individuals within your organization, the red team then
attempts a social engineering attack. Legitimate-seeming emails or social media messages are sent
to try and trick employees to give up their access credentials or download malware. If the red team
does manage to fool someone, they’ll continue to move about the system undetected indefinitely
while testing even more vulnerabilities along the way.
Filtering bypass: The red team will test your web-based vulnerability by attempting to overcome your
file filtering system using an SQL injection. During a filtering bypass exercise, red teams will likely
exploit any software or safeguards that haven’t been patched because external attacks are easier
when the operating systems or programs are outdated. When complete, these scenarios relay exactly
how many vulnerable, unpatched programs or operating systems are present in a network.
Physical breach: During the reconnaissance phase, red teams will closely examine and monitor your
physical security measures in relation to your IT systems. They’ll see who comes and goes and how
they enter. They’ll then attempt to physically enter your server room by using a cloned employee
badge or building PIN code acquired via social engineering efforts. And in the case of extremely weak
physical access controls, red teams may even be able to walk the premises undetected and
unimpeded.
Application exploit: Web applications are often the first thing attackers encounter when looking at a
network perimeter, thereby presenting them with the most immediate opportunity of compromise. The
red team will attempt to exploit web application vulnerabilities through tactics such as cross-site
scripting, SQL injections, and cross-site request forgery. Once the ethical hackers gain control over a
single web application, they’ll use it as a springboard for further attack exercise activities.
These are simply a few potential scenarios of how red teaming might look at your organization. You’ll
want to work directly with your cybersecurity or red team partner to create and customize exercises
and scenarios that best suit your organization.
Engagement Planner
It's difficult to be vulnerable, no matter what the situation, even when we're talking about something
that's ultimately beneficial like having an external company come in and test your cybersecurity
environment.
Nevertheless, penetration testing and red teaming are security necessities for any prudent, forward-
thinking organization. That's why we wanted to share a few ideas on how you can help us help you
prepare for your next RedTeam Security engagement.
What Do We Mean By Engagement?

Before you get confused by all this talk of vulnerability and engagements, we're not proposing a
romantic relationship here. If you're working with us, you're looking for help securing your organization
from the industry's leading professionals.
Our engagement might involve:
 Application penetration testing — aiming to identify application layer flaws such as Cross Site
Request Forgery, Injection Flaws, Weak Session Management and many more.
 Network penetration testing — aiming to identify the network and system-level flaws including
misconfigurations, wireless network V=vulnerabilities, rogue services, and more.
 Physical penetration testing — understanding the strength/effectiveness of physical security controls
through real-life exploitation.
 Social engineering — aiming to exploit weaknesses in people and human nature, testing human
susceptibility to deceitful persuasion and manipulation through email phishing, phone/text message,
and physical/onsite pretexting.
 All of the above — Red teaming is a full-scope, multi-layered attack simulation designed to measure
how well your people, networks, applications, and physical security controls can withstand an attack
from a real-life adversary.
Keep in mind, too, there's a difference between penetration testing and red teaming. Even though
they are often used interchangeably, we like to put it in vivid terms — pen testers are pirates ready to
rampage and pillage wherever and whenever they can. Red teamers are more like ninjas, stealthily
planning multi-faceted, controlled, focused attacks.
5 tips to prepare for your penetration test or red team operation
Know what you are looking for from the engagement.
Sure, we listed all those types of engagement above because we wanted to show off all that we can
do. It also helps you to understand all that's available to you.
However, we don't recommend all of our services for all organizations. Far from it, in fact; we
specialize in creating tailor-made plans specific to your organization's needs. We like to make this
known in advance because it's much easier for us to accurately plan and price your engagement if we
know what you're looking to include from the outset.
Know What You Are Asking For.

This is related to the previous tip, of course. It's possible that you know that you want web application
testing, but you don't have a very deep sense of what that actually means for you.
We'd recommend reviewing some of our resources like our blog post on Understanding Application
Complexity to help you get a handle on what we'll be talking about and what that means for you.
Know The Numbers Ahead Of Time.

The better able you are to quantify your testing environment, the more accurate and specific we can
be. For example, be ready for us to ask you "how many IP addresses do you have?" Please, don't
hand us a five-page spreadsheet and make us count them by hand. Know the answer beforehand
and it'll be a whole lot more painless for the both of us.
Know Your Budget Parameters.

In order for us to work within your budget parameters, we need to know what they look like. The more
we know, the better able we are to determine if your budget matches your testing environment.
For example, we can't test 100 live hosts when you only have the budget to test 50. With all the
numbers at our disposal, in advance, we can work with you beforehand to determine priorities based
on your objectives, the importance of the testing items, and your risk level.
Know Your Appetite For Risk.

Asking this question is our chance to channel our inner financial advisors. With a better idea of your
risk threshold, we can make smart choices about what level of testing to conduct for your
organization.
If you are relatively risk-tolerant, for example, maybe we don't need to go as in-depth. If you're risk-
averse (or in an industry with strict security regulations or compliance requirements), we will want
to be as thorough as possible leaving no stone unturned.
Finally, provide as much detail as you can when answering our scoping questionnaire and during your
consultation with a RedTeam Security expert. Your responses help us ensure an accurate and
complete proposal, which helps us help you with your RedTeam engagement.
The Right Security Consultant
Security consultants at Red Tiger Security presented research in 2010 that indicates the current state
of security in industrial networks. Penetration tests were performed on approximately 100 North
American electric power generation facilities, resulting in more than 38,000 security warning and
vulnerabilities.1 Red Tiger was then contracted by the US Department of Homeland Security (DHS) to
analyze the data in search of trends that could be used to help identify common attack vectors and,
ultimately, to help improve the security of these critical systems against cyber-attack.
The results were presented at the 2010 Black Hat USA conference and implied a security climate that
was lagging behind other industries. The average number of days between the time
a vulnerability was disclosed publicly and the time the vulnerability was discovered in a control
system was 331 days—almost an entire year. Worse still, there were cases of vulnerabilities that were
over 1100 days old, nearly 3 years past their respective “zero-day.”2
What does this mean?

It says that there are known vulnerabilities that can allow hackers and cyber criminals entry into
control networks. Many of these vulnerabilities are converted into reusable modules using open
source penetration testing utilities, such as Metasploit and Kali Linux, making exploitation of those
vulnerabilities fairly easy and available to a wide audience. This says nothing of the numerous other
testing utilities that are not available free-of-charge, and that typically contain exploitation capabilities
against zero-day vulnerabilities as well. A more detailed look at ICS exploitation tools and utilities will
be discussed in Chapter 7, “Hacking Industrial Systems.”
It should not be a surprise that there are well-known vulnerabilities within control systems. Control
systems are by design very difficult to patch. By intentionally limiting (or even better, eliminating)
access to outside networks and the Internet, simply obtaining patches can be difficult. Actually
applying patches once they are obtained can also be difficult and restricted to planned maintenance
windows because reliability is paramount. The result is that there are almost always going to be
unpatched vulnerabilities. Reducing the window from an average of 331 days to a weekly or even
monthly maintenance window would be a huge improvement. A balanced view of patching ICS will be
covered later in Chapter 10, “Implementing Security and Access Controls.”
Security Consulting as a Profession

The security executive of a given firm devotes years to focusing on one organization—or a given
number of specific organizations, if the employer is a corporate or holding company. Put another way,
the executive’s view is limited, and such limitations tend to narrow one’s perspective. Only so much
tinkering, so much organizational realignment, so much security manual updating can occur. And a
company’s security mission rarely if ever dramatically changes.
The security consultant’s work is virtually limitless, even if the area of specialization is narrow.
Suppose a consultant specializes in retail security exclusively. The diversity in retail operations is
staggering and includes the following criteria:
• Type of merchandise being sold

• Number of stores
• Size of stores
• Location of stores
• Number of company employees
• Size and organizational design of the security or loss prevention department
• Mission of security department (apprehension or prevention)
• Warehouse and distribution system
• Inventory shrinkage performance history
• Known history of litigation problems
My own consulting practice is not restricted to retail, but in just that one specialty I have consulted a
range of clients:
• A membership department store with seven stores, all located within 150 miles of
each other
• An international mass-merchandiser
• A university’s student store operation
• An exclusive Beverly Hills high-fashion retailer with only one store
• A drugstore chain in northern Mexico
• A fashion department store’s regional division
• A Midwest discount chain with stores in several states
• A national shoe store firm
• A military post exchange
• A hardware store chain
Each of those retail consulting assignments had a different mission. Here are a few examples:
• One client had no formal or structured security department, so my task was to design
one from the ground up, write a security manual, and outline job descriptions.
• One client wanted a structured training program for agents who specialized in the
detection and apprehension of shoplifters.
• One retailer wanted an audiovisual program for all employees to convey the message
that security is everyone’s responsibility.
• Another retailer limited the scope of my work to analyzing the company’s distribution
system for what management suspected was a faulty system that facilitated internal
theft.
• Several retailers wanted to reduce inventory shrinkage without implementing major
organizational changes.
Thus the diversity represented in the needs of each consultant’s client makes for new challenges on
an ongoing basis. Nothing becomes routine. There’s no chance for burnout to occur. The horizons are
limitless. The adventure of each day is the daily motivator. And the day’s adventure proves to be the
day’s reward, the professional reward.
The Tester
Penetration testing attempts to exploit weaknesses or vulnerabilities in systems, networks, human

resources, or physical assets in order to stress test the effectiveness of security controls.
The different types of penetration tests include network services, applications, client side, wireless,
social engineering, and physical. A penetration test may be performed externally or internally to
simulate different attack vectors. Depending on the goals of each test, a penetration tester may or
may not have prior knowledge of the environment and systems they’re attempting to breach. This is
categorized as black box, white box, and gray box penetration testing.
A penetration test involves a team of security professionals who actively attempt to break into your
company’s network by exploiting weaknesses and vulnerabilities in your systems.
Penetration tests may include any of the following methods:
 Using social engineering techniques to access systems and related databases.

 Sending of phishing emails to access critical accounts.
 Using unencrypted passwords shared in the network to access sensitive databases.
These attempts can be far more intrusive than a vulnerability scan and may cause a denial of service
or increased system utilization, which may reduce productivity, and corrupt the machines.
In some cases, you may schedule penetration tests and inform staff in advance of the exercise.
However, this wouldn’t be applicable if you want to test how your internal security team responds to a
“live” threat.
Penetration tests differ both in their approach and in the weaknesses they attempt to exploit. The level
of information provided to the pen tester will determine their approach as well as the scope of the
project.
For example, will the penetration tester have knowledge of how a network is mapped, or are they
required to uncover this information on their own?
The different approaches to penetration testing include:
 Black Box
 White Box
 Gray Box
Black Box Penetration Testing

During a black box penetration test (also known as external penetration testing) the pen tester is
given little to no information regarding the IT infrastructure of a business.
The main benefit of this method of testing is to simulate a real-world cyber attack, whereby the pen
tester assumes the role of an uninformed attacker.
A black box penetration test can take up to six weeks to complete making it one of the longest types
of penetration tests. Businesses can expect to pay between $10,000 – $25,000 due to the level of
effort involved in planning, performing, testing, and completing the report.
This, of course, all depends on the scope of the project.
One of the easiest ways for pen testers to break into a system during a black box test is by deploying
a series of exploits known to work, such as Kerberoasting.
This method of testing is also referred to as the “trial and error” approach, however, there is a high
degree of technical skill involved in this process.
White Box Penetration Testing

White box penetration testing (also called clear box testing, glass box testing, or internal penetration
testing) is when the pen tester has full knowledge and access to the source code and environment.
The goal of a white box penetration test is to conduct an in-depth security audit of a business’s
systems and to provide the pen tester with as much detail as possible.
As a result, the tests are more thorough because the pen tester has access to areas where a black
box test cannot, such as quality of code and application design.
White box tests do have their disadvantages. For instance, given the level of access the pen tester
has it can take longer to decide what areas to focus on. In addition, this method of testing often
requires sophisticated and expensive tools such as code analyzers and debuggers.
White box tests can take two to three weeks to complete and cost between $4,000 – $20,000.
In the end, it doesn’t matter whether you perform a black box or a white box penetration test so long
as the primary goal of the test is being met.
Gray Box Penetration Testing
During a gray box penetration test, the pen tester has partial knowledge or access to an internal
network or web application.
A pen tester may begin with user privileges on a host and be told to escalate their privileges to a
domain admin. Or, they could be asked to get access to software code and system architecture
diagrams.
One main advantage of a gray box penetration test is that the reporting provides a more focused and
efficient assessment of your network’s security.
For instance, instead of spending time with the “trial and error” approach, pen testers performing a
gray box penetration test are able to review the network diagrams to identify areas of greatest risk.
From there, the proper countermeasures can be recommended to fill the gaps.
Types Of Penetration Testing
The different types of penetration testing include:
 Network Services
 Web Application
 Client Side
 Wireless
 Social Engineering
 Physical Penetration Testing
Logistics
Can your company weather a logistics disaster such as a terrorist attack, airport closure, or worker
strike? These sudden disruptions can strand you—along with your customers’ freight. Here are tips on
planning for a crisis, and handling emergency shipping when a major disruption happens, from Joel
Childs, vice president of marketing, FedEx Custom Critical.
1. Designate a business continuity point person. Because any disruption to your business can be
extremely costly, it’s imperative to make someone within your organization responsible for your
continuity planning. Give your point person the authority to carry out the job and make him or her
responsible for all actions and outcomes, including emergency shipments.
2. Define all possible disruptions to your business. Business disruptions come in all shapes and
sizes—from natural disasters, fires, and chemical spills, to system failures and call center outages,
work stoppages and unforeseen airport closures. Think through the gamut of scenarios that could
present a shipping emergency for your company
3. Hope for the best but plan for the worst. Outline the steps you’d need to take to remedy each
disruption scenario. This includes making sure that everyone involved—technology, operations,
purchasing, transportation—knows their role, as well as who is responsible for what actions.
4. Know where to get help. Because it’s almost a sure bet that you’ll need to expedite shipments in
an emergency, talk to carriers about their capabilities before a crisis arises. While all expedited
carriers are in business to speed shipments, they offer different types of services and have different
service records. As with any purchase, you need to select carefully. Do your shopping in advance so
that you’ve already identified your mission-critical carriers and will know who to contact immediately
during a crisis.
5. Understand all your transportation options. There are numerous cost- and time-related issues
to consider in choosing how you want to expedite your emergency shipments, including exclusive use
of vehicle, two-way tracking ability, 24/ 7/365 availability, special handling requirements, and domestic
vs. international capabilities. Your final carrier choice will depend a great deal on the nature of the
emergency and your recovery needs.
6. Test your plan. It helps if you test your recovery plan with your carriers up front to uncover any
problems with the process. The cost of a test run will likely be minimal compared to the effect on your
bottom line if your expedited transportation plans fail in a real emergency.
7. When an emergency strikes, put your plan into action. Keep a cool head and follow the actions
you’ve already outlined. Make sure everyone involved in the recovery effort maintains constant
communication with each other to help ensure that your efforts run as smoothly as possible.
8. Even the best-laid plans can go wrong. Unfortunately, Murphy’s Law has a way of creeping into
emergencies. Be prepared for last-minute glitches that may cause you to alter your plan. For instance,
if you planned to use a ground expedited carrier to transport a new generator for your facility but a
flood has washed out the main road, you’ll need to go to Plan B. The best advice: be flexible with your
contingency planning. You might need to explore more than one option to resolve the crisis.
9. Stay current on factors that can change your plan. Contingency planning is an ongoing process
because many factors can change your requirements. For instance, since the Sept. 11 attacks,
security measures for cargo tendered to commercial aircraft have not increased, but the scrutiny has.
According to FAA regulations, only “known” shippers who have customer records with the broker and
either an established shipping contract or an established business history can tender packages or
freight to commercial airlines.
10. If you don’t have a contingency plan, punt! Even if you don’t have a formal business continuity
plan, you can still help resolve your transportation emergencies by getting help from a quality
expedited carrier that can handle multiple modes.
Law Enforcement
In every country in the world, law enforcement officials are at the frontline of efforts to combat organized
crime. The building of criminal investigative and other law enforcement capacity is a core component
of UNODC's work. Technical assistance includes institutional and operational capacity building of law
enforcement and judicial bodies to strengthen investigation and prosecution of organized crimes.
Training is offered to police investigators, prosecutors and judges, criminal intelligence analysts,
specialized drug and organized crime investigators and customs officials.
UNODC delivers a range of trainings to law enforcement officers on topics of relevance to fighting
organized crime in their local contexts. It also employs modern technical training such as computer-
based training as well as assistance in improving information exchange between law enforcement
agencies, custom and border control authorities in different countries.
UNODC also supports evidence-based law enforcement responses by analyzing report questionnaires
submitted by States parties to the Organized Crime Convention. On this basis, research conducted by
UNODC is vital in identifying regional and global organized crime trends, forecasting future trends and
strengthening the capacity of States to respond reactively and proactively.
Criminal intelligence and information sharing
Criminal intelligence has been described as the lifeblood of the fight against transnational organized
crime. It is the foundation for all proactive investigations and a cross-cutting issue since the same
expertise and methodology is used for all serious crimes, including, corruption, drug trafficking, and
terrorism. A fundamental component of building law enforcement capacity involves enhancing
understanding of how criminal intelligence works and how practically to develop, share and use it.
In order to operate internationally, individual Member States must have the capacity within their own
law enforcement structures to collect, collate, analyze and disseminate information on criminals and the
organizations within which they operate. UNODC is supporting criminal intelligence capabilities of law
enforcement agencies through the provision of policy advice, assessment and gap analysis, and training
of criminal analysts (including in using specialist analytical software), front-line law enforcement and
policy makers, including through the use of a set of recently published criminal intelligence training
manuals.
In this context, UNODC has published a series of criminal intelligence guides for managers, analysts
and frontline law enforcement respectively, to serve as reference tools for law enforcement officials
performing their respective roles, or to accompany and reinforce training courses in the discipline.
Capacity building initiatives are supported by training that emphasizes the importance of international
cooperation in the investigation of transnational organized crime.
Before a State can begin to respond to criminal threats, it must first understand them. Effective
responses must be based on evidence as to the nature of organized crime and the extent to which
organized crime groups affect States. The SOCTA Handbook (not link to get the guide) (Guidance on
the use and preparation of serious organized crime threat assessments) is a guide to preparing a
national serious organized crime threat assessment. Produced by UNODC in conjunction with Interpol,
the SOCTA handbook represents the result of collaboration with dedicated law enforcement
professionals, representatives of international and non-governmental organizations as well as
academic institutions. The SOCTA handbook assists policy makers and managers to make better
decisions about their responses to serious crime and provides practitioners with guidance on carrying
out their own national threat assessments in line with international best practice.
In addition, UNODC supports the criminal intelligence capabilities for a growing number of regional
coordination centers such as the Central Asian Regional Information and Coordination Centre for
combating illicit drug trafficking (CARICC) based in Tajikistan; the Joint Planning Cell (JPC) which is
part of the Triangular Initiative; the Transnational Crime Units under the West African Coast Initiative
(WACI) and the and the Gulf Council Intelligence Centre (GCIC), based in Doha.
Note:- Self Learning topics[Previous Test Results, Imposed Limitations,
Source Point, Intermediates ]

Ethical Hacking Unit-2

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

Ethical Hacking Unit-2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ethical Hacking Unit-2

Uploaded by

Copyright:

Available Formats

ETHICAL HACKING (Professional Elective – II)

The Business Perspective:

The Business Perspective:

 Uninstalling scripts/applications used to carry out attacks

2. Ethical hackers causing system interruption

Planning for a Controlled Attack:

How command and control attacks work

This is done through the typical “compromise channels”:

 Phishing emails or instant messages

Devices that can be targeted with command and control attacks

Different command and control architectures

Real-world examples of command and control attacks

Provide security awareness training

Monitor your networks

Use an AI-based Intrusion Detection System (IDS)

Limit user permissions as much as possible

Set up Two-factor authentication (2FA) on all accounts that support it

Implement digital code-signing

What Are Internal Controls?

A number of regulatory obligations and compliance frameworks require organizations to implement

5 Key Elements of Internal Control

 Integrity and ethical values.

 Clearly specify objectives.

 Ongoing and/or separate evaluations.

How do timing attacks work?

How do timing attacks threaten encryption?

How to protect against timing attacks

SQL Injection Attack

Cross-Site Scripting (XSS)

Session Hijacking and Man-in-the-Middle Attacks

 Pattern name and classification

What is a multiphase attack?

How hackers get inside and evade detection from Microsoft:

 Randomizing content to make each message unique

Mitigating the multiphase attack risk:

 Requires an MX record change

What is red teaming?

How does red teaming work?

Red teaming tools and common tactics

Red teaming benefits

Who needs red teaming?

Red teaming vs. penetration testing

What’s involved in a red team exercise?

Know what you’re looking for

Know your network

Know your budget

Know your risk level

Red teaming examples

What Do We Mean By Engagement?

Our engagement might involve:

Know What You Are Asking For.

Know The Numbers Ahead Of Time.

Know Your Budget Parameters.

Know Your Appetite For Risk.

What does this mean?

Security Consulting as a Profession

• Type of merchandise being sold