Szerkesztő:LinguisticMystic/ru/безопасность/2

🛡️ 02.0. Module 02: Network Threats Introduction

This module introduces the various threats that networks face, including threat actors, the tools they use, and the types of attacks they carry out. It emphasizes understanding the motives and techniques behind these threats to implement effective defenses.

👥 02.1. Who is Attacking Our Network?

⚠️ 1. Key Terms in Network Security

Threat: A potential danger to assets like data, devices, or networks.
Vulnerability: A weakness in a system that can be exploited.
Attack Surface: The total number of points where an attacker can enter a system.
Exploit: A method used to take advantage of a vulnerability.
Risk: The likelihood of a threat exploiting a vulnerability, causing harm.

Risk Management Strategies: 1. Risk Acceptance: No action taken if the cost of mitigation exceeds the risk. 2. Risk Avoidance: Eliminating the risky activity altogether. 3. Risk Reduction: Implementing controls to reduce exposure. 4. Risk Transfer: Shifting risk to a third party, like insurance.

🕵️ 2. Types of Threat Actors

Threat actors vary in skill, motivation, and approach. They can be categorized into:

White Hat Hackers: Ethical hackers who identify vulnerabilities for organizations to fix.
Gray Hat Hackers: Individuals who exploit vulnerabilities without malicious intent but without permission.
Black Hat Hackers: Malicious hackers who exploit systems for personal gain or to cause harm.

Evolution of Threat Actors: 1. Script Kiddies: Inexperienced attackers using pre-made tools. 2. Vulnerability Brokers: Gray hat hackers who find and sell exploits, sometimes for rewards. 3. Hacktivists: Protesters using hacking to promote political or social causes. 4. Cybercriminals: Black hat hackers focused on financial gain, often part of organized crime. 5. State-Sponsored Hackers: Government-backed hackers focused on espionage, sabotage, and intelligence gathering.

💰 3. Cybercriminals

Cybercriminals operate for profit, often selling stolen data and exploits on the dark web.
They target businesses, consumers, and government institutions.
Cybercrime generates billions of dollars annually, impacting organizations worldwide.

🔍 4. Cybersecurity Tasks

To protect networks from threat actors, organizations must: - Partner with trustworthy IT vendors. - Keep security software up to date. - Conduct regular penetration tests. - Perform regular backups (cloud and local). - Change Wi-Fi passwords periodically. - Enforce strong password policies and two-factor authentication.

🚩 5. Cyber Threat Indicators

Indicators of Compromise (IOCs) help identify attacks: - Malware file signatures (e.g., hash values). - Suspicious DNS requests and IP addresses. - Unusual file changes or network activity. Indicators of Attack (IOAs): Focus on identifying attacker behavior and strategies to proactively defend against future threats.

🤝 6. Threat Sharing and Awareness

CISA (Cybersecurity and Infrastructure Security Agency): Promotes automated threat sharing between government and private sectors through the Automated Indicator Sharing (AIS) system.
ENISA (European Union Agency for Cybersecurity): Provides cybersecurity solutions for EU member states.
National Cybersecurity Awareness Month (NCASM): Promotes best practices like social media safety, software updates, and safe online shopping.

🔧 02.2. Threat Actor Tools Overview

Threat actors use sophisticated, automated tools to exploit network vulnerabilities. These tools range from simple password crackers to advanced malware frameworks. While some are created for ethical hacking (white hat), they can also be misused by malicious actors (black hat).

🗝️ 1. Password Crackers

Purpose: To discover or recover passwords through brute force, dictionary attacks, or rainbow tables.
Examples:
- John the Ripper – Open-source password recovery tool.
- Ophcrack – Uses rainbow tables for Windows password cracking.
- THC Hydra – Fast password cracker supporting many protocols.
- Medusa – Parallel brute-force password tool.

📶 2. Wireless Hacking Tools

Purpose: To exploit weaknesses in wireless networks, such as cracking WPA/WPA2 encryption.
Examples:
- Aircrack-ng – Suite for WEP and WPA cracking.
- Kismet – Network detector, sniffer, and intrusion detection.
- Firesheep – Sniffs unencrypted sessions over Wi-Fi.
- NetStumbler – Finds open wireless networks.

🌐 3. Network Scanning and Hacking Tools

Purpose: To identify active devices, open ports, and running services on a network.
Examples:
- Nmap – Popular port scanner for network discovery.
- Angry IP Scanner – Fast IP and port scanner.
- NetScanTools – Scans networks and identifies vulnerabilities.

📨 4. Packet Crafting Tools

Purpose: To create custom packets for testing firewall robustness and discovering vulnerabilities.
Examples:
- Hping – Sends custom TCP/IP packets for testing.
- Scapy – Advanced packet manipulation tool.
- Socat – Data transfer and testing tool.
- Yersinia – Exploits weaknesses in Layer 2 protocols.

📡 5. Packet Sniffers

Purpose: To capture and analyze network traffic, often used for reconnaissance.
Examples:
- Wireshark – Popular network protocol analyzer.
- Tcpdump – Command-line packet capture tool.
- Ettercap – Performs man-in-the-middle attacks.
- SSLstrip – Strips HTTPS encryption.

🛠️ 6. Rootkit Detectors

Purpose: To detect rootkits that hide malicious processes and activities.
Examples:
- AIDE – Integrity checking system.
- Chkrootkit – Finds rootkits on UNIX systems.
- RKHunter – Scans for rootkits and other security issues.

🔍 7. Vulnerability Scanners

Purpose: To identify known vulnerabilities in systems and applications.
Examples:
- Nessus – Comprehensive vulnerability scanner.
- OpenVAS – Open-source vulnerability scanning tool.
- Nikto – Web server vulnerability scanner.
- Core Impact – Commercial penetration testing platform.

📊 8. Exploitation Tools

Purpose: To exploit identified vulnerabilities for gaining unauthorized access.
Examples:
- Metasploit – Most popular penetration testing framework.
- Sqlmap – Automates SQL injection discovery and exploitation.
- Social-Engineer Toolkit (SET) – Used for social engineering attacks.
- Netsparker – Web application security scanner.

🖥️ 9. Forensic Tools

Purpose: Used for post-attack analysis and evidence gathering.
Examples:
- Sleuth Kit – Disk analysis and recovery.
- Autopsy – GUI for Sleuth Kit.
- EnCase – Digital forensic investigation platform.
- Maltego – Visual link analysis for threat intelligence.

🔑 10. Encryption Tools

Purpose: To protect data during storage and transmission.
Examples:
- VeraCrypt – Encrypts entire storage devices.
- OpenSSL – Encrypts communication channels.
- OpenVPN – Secures VPN connections.
- Stunnel – Encrypts non-secure connections.

🖥️ 11. Hacking Operating Systems

Purpose: Pre-configured OSs with hacking and penetration testing tools.
Examples:
- Kali Linux – Most popular penetration testing OS.
- Parrot OS – Lightweight, privacy-focused alternative.
- SELinux – Security-enhanced Linux.
- BackBox – Ubuntu-based penetration testing distro.

🕵️ 12. Debuggers

Purpose: Used to reverse-engineer malware and analyze binaries.
Examples:
- GDB – GNU debugger for Linux.
- WinDbg – Debugger for Windows systems.
- IDA Pro – Interactive disassembler and debugger.
- Immunity Debugger – Used for exploit development.

🚨 02.4. Common Network Attacks

Network attacks can be classified into three main categories:

Reconnaissance Attacks – Information gathering.
Access Attacks – Unauthorized data access or system control.
Social Engineering Attacks – Manipulating people to gain access.

🔍 1. Reconnaissance Attacks

Reconnaissance, or recon, is the first stage of an attack, where threat actors gather information about a target network. This step helps them identify potential vulnerabilities to exploit. Key Techniques:

Information Queries:
- Gathering initial data through search engines, WHOIS, and company websites.
Ping Sweeps:
- Identifying active devices by sending ICMP echo requests.
Port Scanning:
- Checking which ports are open and which services are running.
- Tools: Nmap, Angry IP Scanner, SuperScan.
Vulnerability Scanning:
- Identifying weaknesses in applications and OS.
- Tools: Nessus, OpenVAS, Core Impact.
Exploitation Tools:
- Attempting to exploit discovered vulnerabilities.
- Tools: Metasploit, Sqlmap, Social Engineer Toolkit (SET).

Goal: Collect enough data to plan an access attack without detection.

🔑 2. Access Attacks

Access attacks exploit vulnerabilities to gain unauthorized access to systems, applications, or data. Types of Access Attacks:

Password Attacks:
- Using brute force, dictionary attacks, or social engineering to guess passwords.
- Tools: John the Ripper, Hydra, Medusa.
Spoofing Attacks:
- Impersonating another device or user by falsifying data.
- Examples: IP spoofing, MAC spoofing, DHCP spoofing.
Trust Exploitation:
- Abusing trust relationships between devices to gain higher access privileges.
Port Redirection:
- Using a compromised system to bypass security controls and access other systems.
Man-in-the-Middle (MiTM) Attacks:
- Intercepting and modifying communication between two parties without their knowledge.
Buffer Overflow Attacks:
- Sending excessive data to a system’s memory buffer, causing it to crash or allowing malicious code execution.

Goal: Gain unauthorized access to data, escalate privileges, or control the system.

🎭 3. Social Engineering Attacks

Social engineering targets people rather than technology, manipulating individuals to gain access to systems or sensitive information. Common Techniques:

Pretexting:
- Pretending to need information to confirm someone’s identity.
Phishing:
- Sending fraudulent emails that appear to be from a trusted source.
- Spear Phishing: Targeted phishing attack aimed at a specific individual or organization.
Spam:
- Unsolicited emails containing harmful links or attachments.
Baiting:
- Leaving infected devices (e.g., USB drives) in public places for victims to find and use.
Quid Pro Quo (Something-for-Something):
- Offering a benefit in exchange for sensitive information.
Impersonation:
- Pretending to be someone else to gain trust.
Tailgating:
- Following an authorized person into a restricted area.
Shoulder Surfing:
- Watching someone enter passwords or sensitive data.
Dumpster Diving:
- Searching through trash to find confidential documents.

Goal: Trick users into revealing information or providing access.

🛡️ 4. Mitigating Network Attacks

Prevent Reconnaissance:
- Disable ICMP responses (ping).
- Implement port security and access control lists (ACLs).
- Monitor network traffic for unusual activity.
Block Access Attacks:
- Enforce strong password policies.
- Enable multi-factor authentication (MFA).
- Use encryption for sensitive communications.
- Regularly patch software and firmware.
Defend Against Social Engineering:
- Educate users about phishing and impersonation tactics.
- Implement strict identity verification protocols.
- Regularly test employees with simulated attacks.

🚫 02.5. Network Attacks Overview

Network attacks aim to disrupt services, gain unauthorized access, or evade security controls. This section covers:

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
Buffer Overflow attacks
Evasion techniques

⚔️ 1. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

DoS attacks prevent legitimate users from accessing network resources by overwhelming systems with malicious traffic.

1.1. Types of DoS Attacks:

Overwhelming Traffic:
- The attacker floods the target with excessive traffic, consuming bandwidth and resources.
- Example: ICMP Flood or Ping of Death.
Maliciously Formatted Packets:
- Packets are crafted to exploit vulnerabilities in the target system.
- Example: Teardrop attack – sends fragmented packets that crash the system.

1.2. Distributed DoS (DDoS) Attacks

DDoS attacks are similar to DoS but originate from multiple systems, often part of a botnet. DDoS Components: - Attacker: Initiates the attack.
- Handlers: Command-and-control (C2) servers managing the botnet.
- Zombies (Bots): Infected devices used to launch the attack.
- Victim: The target of the attack. Example:
- Mirai Botnet: Targeted IoT devices with default credentials to launch massive DDoS attacks.

1.3. Common DDoS Attack Types:

Volumetric Attacks:
- Saturate bandwidth with high traffic.
- Example: UDP Flood.
Protocol Attacks:
- Exploit weaknesses in network protocols.
- Example: SYN Flood – exploits TCP handshake.
Application Layer Attacks:
- Target specific applications or services.
- Example: HTTP Flood.

1.4. Mitigation Techniques for DoS/DDoS:

Rate Limiting: Restricts traffic flow to prevent saturation.
Blackholing: Routes malicious traffic to a non-existent IP.
DDoS Mitigation Services: Cloud-based filtering of attack traffic.
Intrusion Prevention Systems (IPS): Detect and block abnormal traffic patterns.
Updating Firmware: Protects against known vulnerabilities.

🖥️ 2. Buffer Overflow Attacks

Buffer overflow attacks exploit memory management flaws in software, allowing threat actors to overwrite memory and execute malicious code. How It Works: 1. An attacker sends more data than the buffer can handle.
2. Excess data overflows into adjacent memory locations.
3. This can cause a crash or allow code execution with elevated privileges. Example:
- SQL Slammer Worm exploited a buffer overflow in Microsoft SQL Server. Mitigation Strategies: - Input Validation: Ensure proper data length and format.
- Address Space Layout Randomization (ASLR): Randomizes memory locations to prevent predictable overflow attacks.
- Data Execution Prevention (DEP): Prevents code execution in non-executable memory regions.
- Regular Patching: Fixes vulnerabilities in software.

🕵️ 3. Evasion Techniques

Evasion techniques help attackers bypass security defenses, such as firewalls, IDS/IPS, and antivirus systems. Common Techniques: 1. Fragmentation:
- Splits malicious payload into smaller packets.
- Firewalls may not reassemble packets for inspection.

Encryption:
- Encrypts payload to hide malicious content from detection systems.
- Example: SSL/TLS tunneling.
Obfuscation:
- Alters malicious code to avoid signature-based detection.
- Example: Polymorphic malware changes its code with each infection.
Traffic Flooding:
- Overwhelms IDS/IPS with excessive traffic to hide malicious activity.
Steganography:
- Hides malicious data within legitimate files, like images or audio.

🔐 4. Defense Against Network Attacks

To protect against DoS, buffer overflow, and evasion attacks, implement the following best practices:

Network Hardening:
- Disable unnecessary services and ports.
- Implement Access Control Lists (ACLs) to filter traffic.
Traffic Monitoring:
- Use IDS/IPS to detect unusual traffic patterns.
- Enable logging to identify attack attempts.
Patch Management:
- Regularly update software and firmware to fix known vulnerabilities.
Rate Limiting and QoS:
- Set limits on the number of requests per second.
DDoS Protection:
- Deploy cloud-based DDoS mitigation services.
Secure Coding Practices:
- Ensure developers follow secure coding guidelines to prevent buffer overflows.
Encryption and VPNs:
- Protect communication channels to prevent traffic interception.

🔒 02.6. Network Threats Summary

Network threats can originate from both external and internal sources. Understanding these threats is crucial for developing effective defense strategies.

👥 1. Threat Actors

Threat actors vary in skill, motivation, and tactics. They include:

Script Kiddies: Inexperienced attackers using pre-built tools.
Hacktivists: Politically or socially motivated attackers.
Vulnerability Brokers: Find and sell vulnerabilities, often for rewards.
Cybercriminals: Financially motivated, often part of organized crime.
State-Sponsored Hackers: Government-backed attackers targeting sensitive information.
Insider Threats: Employees or contractors who misuse their access.

🔧 2. Threat Actor Tools

Attackers use a variety of tools to exploit network vulnerabilities:

Password Crackers: John the Ripper, Hydra, Medusa.
Wireless Hacking Tools: Aircrack-ng, Kismet, NetStumbler.
Network Scanners: Nmap, Angry IP Scanner, Nessus.
Packet Sniffers: Wireshark, Tcpdump, Ettercap.
Exploitation Frameworks: Metasploit, Sqlmap.
Encryption Tools: VeraCrypt, OpenSSL.
Hacking OS: Kali Linux, Parrot OS.

🦠 3. Malware

Malware is malicious software designed to harm devices, steal data, or disrupt operations. Common types include:

Viruses: Spread by attaching to legitimate files.
Worms: Self-replicating and spread without user interaction.
Trojans: Disguise as legitimate software to execute malicious actions.
Ransomware: Encrypts files and demands payment for decryption.
Spyware: Monitors user activity and steals data.
Adware: Displays intrusive advertisements.
Rootkits: Hide malicious activities from detection.
Phishing: Tricks users into revealing sensitive information.

🚨 4. Common Network Attacks

Network attacks can be categorized into three main types:

Reconnaissance Attacks:
- Information gathering through scanning and probing.
- Example: Ping sweeps, port scanning, vulnerability scanning.
Access Attacks:
- Exploit vulnerabilities to gain unauthorized access.
- Example: Password attacks, spoofing, trust exploitation.
Denial-of-Service (DoS) and Distributed DoS (DDoS) Attacks:
- Overwhelm systems to disrupt services.
- Example: SYN flood, UDP flood, ICMP flood.

🎭 5. Social Engineering Attacks

Social engineering exploits human behavior to gain unauthorized access. Common tactics include:

Phishing: Deceptive emails to steal credentials.
Spear Phishing: Targeted phishing attacks on specific individuals.
Baiting: Leaving infected USB drives for users to find.
Pretexting: Fabricating scenarios to obtain information.
Impersonation: Pretending to be someone trustworthy.
Tailgating: Following an authorized person into a secure area.
Dumpster Diving: Searching trash for sensitive documents.

💣 6. Advanced Network Threats

Buffer Overflow: Overwrites memory to execute malicious code.
Evasion Techniques: Bypass security controls using encryption, fragmentation, or obfuscation.
Zero-Day Exploits: Attacks targeting unknown vulnerabilities.

🛡️ 7. Mitigation Strategies

To protect networks from threats, implement these best practices:

Network Security:
- Firewalls, IPS/IDS, and access control lists (ACLs).
- Disable unused ports and services.
Endpoint Protection:
- Install antivirus and antimalware software.
- Regularly update patches and firmware.
Authentication and Access Control:
- Enforce strong passwords and multi-factor authentication (MFA).
- Implement role-based access control (RBAC).
Data Protection:
- Encrypt sensitive data at rest and in transit.
- Regularly back up critical files.
User Awareness:
- Educate employees about phishing and social engineering tactics.
- Conduct regular security training and simulations.
Monitoring and Response:
- Use Security Information and Event Management (SIEM) systems.
- Implement logging and real-time alerting.

✅ 8. Key Takeaways

Network threats come from both external (hackers, malware) and internal (insiders) sources.
Malware, DoS, phishing, and buffer overflows are common attack methods.
Effective mitigation involves multi-layered security, regular updates, and user education.
Proactive monitoring and quick incident response reduce damage from attacks.