2. Introduction
• Understanding threat actors
• Determining malware types
• Recognizing common attacks
• Blocking malware and other attacks
• Educating users
3. Threat Actors
• Open-source intelligence
– Info freely available (such as from web sites and social media)
• Script kiddie
– Little expertise, sophistication, or funding
• Hacktivist
– Part of an activist movement
• Insider
– Employee (can become a malicious insider)
• Organized crime
– Typically motivated by money
• Competitor
4. Threat Actors
• Nation state/advanced persistent threat (APT)
– Identify a target and persistently attack until they gain access
– Often remain in the network for months or years
– China: APT1
– Russia: APT 28 (Fancy Bear)
– Russia: APT 29 (Cozy Bear)
6. Determining Malware Types
• Worms
– Self-replicating
• Logic bombs
– Execute in response to an event
• Backdoors
– Provide an alternate method of access
– Many types of malware create backdoors
7. Understanding Malware
• Trojan horse
– Appears to be useful but is malicious
– Pirated software, rogueware, or games
– Also infects systems via USB drives
• Drive-by downloads
– Attackers compromise a web site to gain control of it
– Attackers install a Trojan embedded in the web site’s code
– Attackers attempt to trick users into visiting the site
– When users visit, the web site attempts to download the Trojan onto the users’ systems
• Remote access Trojan (RAT)
9. Determining Malware Types
• Keylogger
– Captures keystrokes
• Spyware
– Can access a user’s private data and result in loss of confidentiality
• Adware
– Pop-ups that market products to users
– Blocked with pop-up blockers
10. Bots and Botnets
• Bots – software robots
• Botnets
– Controlled by criminals (bot herders)
– Bot herders manage command and control centers
– Malware joins computers to the robotic network
• Zombies or clones
– Computers within a botnet
– Join after becoming infected with malware
11. Determining Malware Types
• Rootkits
– System-level or kernel access
– Can modify system files and system access
– Hide their running processes to avoid detection, using hooking techniques
– A file integrity checker can detect modified files
– Inspection of RAM can discover hooked processes
12. Social Engineering
• Flattery and conning
• Assuming a position of authority
• Encouraging someone to:
– Perform a risky action
– Reveal sensitive information
• Impersonating
• Tailgating
13. Social Engineering
• Impersonating
– Such as an authorized technician
• Shoulder surfing
– Can be in person, looking at a computer
– Can be with a remote camera
• Tricking users with hoaxes
14. Social Engineering
• Tailgating
– Closely following authorized personnel without providing credentials
– Mitigated with mantraps
• Dumpster diving
– Searching through trash looking for information
– Mitigated by shredding or burning papers
15. Social Engineering
• Watering hole attack
– Attacker identifies websites trusted by a group of users
– Attacker infects these websites
– Users go to infected (but trusted) websites
– Users are prompted to download files
16. Recognizing Other Attacks
• Spam – unwanted email
• Phishing – malicious spam
– Attempt to trick users into revealing sensitive or personal information
– Links within email can also lead unsuspecting users to install malware
– Often spoof email addresses with your friends’ names
– Phishing to validate e-mail addresses
– Phishing to get money
17. Recognizing Other Attacks
• Spear phishing
– Targets specific groups of users
– Could target employees within a company or customers of a company
• Whaling
– Targets high-level executives
– Digital signatures provide assurances to recipients about who sent an email
– Digital signatures can reduce the success of spear phishing and whaling
• Vishing – uses phone or VoIP
19. Privilege Escalation
• Occurs when a user or process accesses elevated rights and permissions
• Attackers attempt to gain more privileges
• Malware attempts to gain more privileges
• Administrators have two accounts
– One account for regular use
– One for administrative use
– Goal is to mitigate privilege escalation attempts
20. Blocking Malware
• Spam filter on mail gateways
• Anti-malware software on mail gateways
• Anti-malware software on all systems
• Block at boundaries
– Firewalls
– UTM systems
21. Blocking Malware
• Antivirus software
– Signature-based detection: detects known malware based on signature definitions
– Heuristic-based detection: detects unknown malware based on behavior
• Checking file integrity with hashes
• Data execution prevention (DEP)
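The hash-based integrity check behind slide 11's rootkit detection and slide 21's "checking file integrity with hashes", as an added example that is not part of the original slides: it baselines SHA-256 digests of a file tree, stores them as JSON, and reports modified, added and removed files against a constructed sample tree. The paths, file contents and baseline location are assumptions made for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_baseline(baseline, path):
    """Store the baseline as JSON; keep it on read-only or offline media in practice."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def compare_baseline(baseline, current):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo():
    """Constructed scenario: baseline a fake system tree, then simulate a rootkit install."""
    with tempfile.TemporaryDirectory() as tmp:
        fs, baseline_path = Path(tmp) / "fs", Path(tmp) / "baseline.json"
        (fs / "bin").mkdir(parents=True)
        (fs / "etc").mkdir()
        (fs / "bin" / "ls").write_bytes(b"original ls binary")          # constructed
        (fs / "bin" / "ps").write_bytes(b"original ps binary")          # constructed
        (fs / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")    # constructed
        save_baseline(build_baseline(fs), baseline_path)
        # Simulated compromise: trojaned ls, dropped loader, deleted config file
        (fs / "bin" / "ls").write_bytes(b"trojaned ls that hides processes")
        (fs / "bin" / "kmod_loader").write_bytes(b"rootkit loader")
        (fs / "etc" / "hosts").unlink()
        return compare_baseline(load_baseline(baseline_path), build_baseline(fs))
```

Calling demo() returns bin/ls as modified, bin/kmod_loader as added and etc/hosts as removed. In a real deployment the baseline is built on a known-good system and the scan runs from trusted media, because a rootkit with kernel access can hook the file reads the checker depends on, which is why slide 11 also points to inspecting RAM.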
22. Blocking Malware
• Advanced malware tools
– AMP
• Spam filters can block spam
– Network-based spam filters block spam entering the network
– End-user spam filters restrict spam on the user’s system
24. Best Practices
• Don’t click on links within emails from unknown sources
• Don’t open attachments from unknown sources
• Be wary of free downloads from the Internet
• Limit the information you post on social media sites
• Back up your data regularly
• Keep your computer up to date with current patches
• Keep antivirus software up to date