This document discusses various aspects of cyber warfare and security. It introduces cyber deterrence and its challenges. It then describes components of a reference model for cyber security including surveillance, penetration testing, honey nets, forensics, attribution, monitoring, reconnaissance, scanning, vulnerability analysis and exploitation. For each component, it provides details on the concept and relevant tools. The document aims to provide an overview of the cyber warfare landscape and approaches.
2. Cyber Deterrence
Cyber Deterrence is “to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means such as confiscation, termination, incarceration, death or destruction”.
Challenges
* The inherent difficulty of assigning attribution.
* The unpredictability of the effects of cyber attacks.
* The potential for damage due to counter-retaliation.
3. Reference Model
Diagram of the reference model. Analysis components: Surveillance, Penetration Testing, Integration, Advanced, Honey nets, Forensics, Attribution, Monitoring, Reconnaissance, Scanning, Vulnerability Analysis, Exploitation. Supporting layers: Data Fusion, Meta Model, Adapters, Knowledge Services. Attacker activities represented in the model: Parallel Scanning, Botnet Installation, DDoS, Botnet Operation.
4. Attacker Organization
Diagram of the attacker organization: Attack Servers at the top drive several Control Servers, each of which commands a group of Bot Infected PCs. On the victim side (Victim Mode) stand a Foreign Govt. and the Defender.
5. Surveillance
Computer and network surveillance is the monitoring of computer activity and data stored on a hard drive, or data being transferred over computer networks such as the Internet.
The monitoring is often carried out covertly and may be completed by governments, corporations, criminal organizations, or individuals.
It may or may not be legal and may or may not require authorization from a court or other independent government agencies.
6. Honey Nets
Two or more honeypots on a network form a honey net. Typically, a honey net is used for monitoring a larger and/or more diverse network in which one honeypot would not be sufficient.
A honeypot is a computer security mechanism set up to detect, deflect, or counteract attempts at unauthorised use of information systems.
Honey nets and honeypots are usually implemented as parts of larger network intrusion detection systems.
A honey farm is a centralized collection of honeypots and analysis tools.
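The detection principle behind a honeypot is that the decoy offers no real service, so every connection to it is unauthorised by definition. The following is an added example, not code from the slides or from any of the honeypot tools listed on the next slide: a minimal low-interaction TCP honeypot that answers with a fake banner, records the peer address and the first bytes it sends, and turns each record into an alert. The banner text, the `HoneypotEvent` record and the `simulate_probe` client are constructed for this example.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class HoneypotEvent:
    """One recorded interaction with the decoy (constructed record type)."""
    peer_ip: str
    peer_port: int
    listen_port: int
    first_bytes: bytes


class LowInteractionHoneypot:
    """Low-interaction honeypot: fake banner, capture first bytes, close.
    It never executes anything the peer sends, which is what keeps it low risk."""

    def __init__(self, banner=b"220 decoy.example.invalid ESMTP ready\r\n"):
        self.banner = banner          # hypothetical decoy banner, not a real host
        self.events = []
        self._lock = threading.Lock()
        self._srv = None
        self.port = None

    def start(self, host="127.0.0.1", port=0):
        """Bind (port 0 = let the OS pick) and serve in a background thread."""
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            try:
                conn, (ip, peer_port) = self._srv.accept()
            except OSError:          # listening socket closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn, ip, peer_port),
                             daemon=True).start()

    def _handle(self, conn, ip, peer_port):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)
                data = conn.recv(256)  # keep only the first bytes for the record
            except OSError:
                data = b""
            with self._lock:
                self.events.append(HoneypotEvent(ip, peer_port, self.port, data))

    def wait_for_events(self, n, timeout=5.0):
        """Block until at least n events are recorded (handlers run in threads)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.02)
        return False

    def alerts(self):
        """Every recorded event is an alert: nothing legitimate talks to a decoy."""
        with self._lock:
            return [f"ALERT honeypot:{e.listen_port} touched by {e.peer_ip}:{e.peer_port} "
                    f"first_bytes={e.first_bytes[:32]!r}" for e in self.events]

    def stop(self):
        if self._srv:
            self._srv.close()


def simulate_probe(port, payload=b"EHLO scanner\r\n"):
    """Constructed client standing in for a scanner that touches the decoy."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    p = hp.start()
    simulate_probe(p)
    hp.wait_for_events(1)
    print("\n".join(hp.alerts()))
    hp.stop()
```

In a honey net, several such listeners on unused addresses feed one collector; the alert list here is the place where a real deployment would forward the event to the intrusion detection system mentioned above.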
7. Tools for Honey nets
High-Interaction Honeypots
* Honeywall CDROM * Sebek * HoneyBow
* High Interaction Honeypot Analysis Toolkit (HIHAT)
Low-Interaction Honeypots
* Capture-HPC * HoneyC
Honeypot Infrastructure
* Google Hack Honeypot * HoneyMole * HoneyStick
Data Analysis
* Honeysnap * Capture BAT
8. Forensics
Forensics is the methodology of collecting, preserving, and analysing scientific evidence during the course of an investigation.
It is mainly of two types:
* Physical Forensics * Digital Forensics
Physical forensics includes fingerprints, DNA, or any item in the physical world.
Digital forensics includes the network, data storage, small devices, computers, or any other digital devices in the electronic world.
Digital forensics commonly consists of 3 stages: acquisition or imaging of exhibits, analysis, and reporting.
9. General rules of Digital forensics
* Never mishandle and never work with the original evidence.
* Never trust the operating system and the original evidence device.
* Document everything in every step of the forensics phase.
* Preserve the evidence for next stage usage.
Tools of Digital Forensics
* Digital Forensics Framework (DFF) * SANS SIFT * Wireshark
* The Sleuth Kit (+Autopsy) * EnCase * FTK Imager
* Volatility * MagicTree * COFEE
* CAINE * Xplico * DEFT * HELIX3
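The four rules above map directly onto the acquisition stage: work only on a copy, prove the copy matches the original, record who did what and when, and re-check the evidence before every later stage. The following is an added example, not from the slides or from any of the tools listed: a small acquisition routine that hashes the original, makes a working image, verifies the two hashes match, marks the image read-only, and appends a chain-of-custody record; `verify` then re-hashes every image before the analysis stage. The evidence file, the case directory layout and the `chain_of_custody.jsonl` format are constructed for this example.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so that images larger than memory can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(original: Path, case_dir: Path, examiner: str) -> dict:
    """Acquisition step: hash original, copy to a working image, hash the copy,
    refuse to continue if they differ, then log the custody record."""
    case_dir.mkdir(parents=True, exist_ok=True)
    source_hash = sha256_file(original)
    image = case_dir / (original.name + ".img")
    shutil.copyfile(original, image)
    image_hash = sha256_file(image)
    if image_hash != source_hash:
        raise RuntimeError("acquisition failed: image hash differs from source hash")
    image.chmod(0o444)  # the working copy is analysed, never edited in place
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": "acquire",
        "examiner": examiner,
        "source": str(original),
        "image": str(image),
        "sha256": source_hash,
    }
    with open(case_dir / "chain_of_custody.jsonl", "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(case_dir: Path) -> list:
    """Before each later stage, re-hash every acquired image against the log.
    Returns [(image_path, still_intact), ...]."""
    results = []
    with open(case_dir / "chain_of_custody.jsonl") as log:
        for line in log:
            rec = json.loads(line)
            if rec["action"] != "acquire":
                continue
            intact = sha256_file(Path(rec["image"])) == rec["sha256"]
            results.append((rec["image"], intact))
    return results


def demo() -> tuple:
    """Constructed evidence: a small file standing in for a seized disk.
    Returns the verify() result before and after the image is tampered with."""
    work = Path(tempfile.mkdtemp())
    evidence = work / "usb_stick.bin"
    evidence.write_bytes(b"constructed sample evidence " * 64)
    case = work / "case-0001"
    rec = acquire(evidence, case, examiner="analyst-01")
    before = verify(case)
    # Someone edits the working image, which violates the rules above;
    # the next verify() must catch it.
    image = Path(rec["image"])
    image.chmod(0o644)
    with open(image, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    after = verify(case)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A real acquisition would image the device through a write blocker and record the device serial and the hash of the original in the same log; the shape of the record and the re-verification before analysis are what this example is meant to show.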
10. Attribution
Attribution is fundamental. In computer network intrusions, attribution is commonly seen as one of the most intractable technical problems, as either solvable or not solvable, and as dependent mainly on the available forensic evidence.
Cyber attribution is the attempt to track and lay blame on the perpetrator of a cyber attack or hacking exploit.
The attribution problem is the idea that identifying the source of a cyber attack or cyber crime is often complicated and difficult because there is no physical act to observe and attackers can use digital tools to extensively cover their tracks.
11. Monitoring
Monitoring is the supervising of activities in progress to ensure they are on course and on schedule in meeting the objectives and performance targets.
Computer monitoring is used on a device, network, web server, or any other digital device to control, analyse, and supervise the activities of programs. It is useful for computer administrators, auditors, investigators, and security engineers.
Some popular monitoring tools are:
* Nagios * Zabbix * PRTG * SAM * WebWatcher
* OP5 * Zenoss Core * OpenNMS * Munin
12. Penetration Testing
It is a type of security testing that is used to test the insecurity of an application.
It is conducted to find the security risks which might be present in the system.
It normally evaluates a system’s ability to protect its networks, applications, endpoints and users from external or internal threats.
It also attempts to verify the security controls and ensure that only authorised access is allowed.
It has just seven steps:
13.
* Planning and preparation
* Reconnaissance
* Discovery
* Analysing information and risks
* Active intrusion attempts
* Final analysis
* Report preparation
Penetration testing replicates the actions of external and/or internal cyber attackers who intend to break the information security and hack the valuable data or disrupt the normal functioning of the organization.
14. Reconnaissance
It is the preparation phase in which the attacker gathers information about the target. The commonly seen steps are listed below:
* Gather initial information
* Determine the network range
* Identify active machines
* Discover open ports and access points
* Fingerprint the operating system
* Uncover services on ports
* Map the network
15. Foot printing
It is a part of the reconnaissance process which is used for gathering possible information about a target computer system or network.
During this phase, a hacker can collect the following information:
* Domain name
* IP addresses
* Namespaces
* Employee information
* Phone numbers
* E-mails
* Job information
16. Scanning
Scanning is useful for an attacker to gather information about the target and its vulnerabilities.
Scanning is the act of sending network traffic to a host. The goal is to get responses back that tell details about the network.
Goals of scanning:
* live host details * service details * port details
* protocols * OS and application versions etc.
Scanning can be performed over any network connection.
Targets are network devices and hosts etc.
Goals are to gather ports, protocols, servers, banners etc.
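Because scanning works by sending traffic and reading the responses, it leaves a pattern in the defender's logs: one source touching many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) inside a short window. The following is an added example, not code from the slides: a detector that parses firewall log lines and raises one alert per source and pattern using a sliding time window. The log line format, the thresholds and the sample addresses in `sample_log` are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format (not from the original slides), e.g.
# 2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Per source, slide a time window over its events and flag
    >= threshold distinct ports on one host (vertical) or
    >= threshold distinct hosts on one port (horizontal). One alert per pattern."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        seen = set()
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in events[start:end + 1]:
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= threshold and ("vertical", dst) not in seen:
                    seen.add(("vertical", dst))
                    alerts.append({"kind": "vertical", "src": src, "target": dst,
                                   "count": len(ports), "ts": ev["ts"]})
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= threshold and ("horizontal", port) not in seen:
                    seen.add(("horizontal", port))
                    alerts.append({"kind": "horizontal", "src": src, "target": port,
                                   "count": len(hosts), "ts": ev["ts"]})
    return alerts


def sample_log():
    """Constructed sample: one vertical scan, one horizontal sweep, benign traffic."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(12):   # twelve ports on one host within 24 seconds
        lines.append(f"{(base + timedelta(seconds=2 * i)).strftime(fmt)} DENY "
                     f"src=203.0.113.7 dst=192.0.2.10 dport={20 + i} proto=tcp")
    for i in range(12):   # port 445 on twelve hosts within 36 seconds
        lines.append(f"{(base + timedelta(seconds=3 * i)).strftime(fmt)} DENY "
                     f"src=198.51.100.5 dst=192.0.2.{1 + i} dport=445 proto=tcp")
    for i in range(3):    # ordinary repeated HTTPS use, must not alert
        lines.append(f"{(base + timedelta(seconds=10 * i)).strftime(fmt)} ALLOW "
                     f"src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for a in detect_scans(sample_log()):
        print(a)
```

The threshold and window decide the trade-off between catching slow scans and generating noise; a scanner that spreads its probes over hours will stay under this window, which is why slow-scan detection in practice keeps per-source state for much longer.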
20. Vulnerability Analysis
Also known as vulnerability assessment, it is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communication infrastructure.
Vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.
It has several steps, such as defining and classifying network or system resources, assigning relative levels of importance to the resources, developing a strategy to deal with the most serious potential problems first, and defining and implementing ways to minimize the consequences if an attack occurs.
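The steps above (classify resources, weigh their importance, deal with the worst problems first, forecast what a countermeasure buys) can be expressed as a small scoring model. The following is an added example, not from the slides: assets carry an importance level, findings carry a severity and an exposure flag, the risk score ranks the remediation order, and `forecast` estimates the total risk before and after a proposed countermeasure. The scoring formula, the importance scale and the `VULN-000x` identifiers are constructed placeholders for this example, not real CVE numbers or a standard.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    importance: int        # 1 (low) .. 5 (critical), assigned in the classification step


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str           # constructed placeholder, not a real CVE number
    severity: float        # 0.0 .. 10.0, CVSS-style base score
    internet_exposed: bool


def risk(f: Finding) -> float:
    """Constructed score: importance x severity, halved when not reachable from the Internet."""
    exposure = 1.0 if f.internet_exposed else 0.5
    return round(f.asset.importance * f.severity * exposure, 1)


def prioritize(findings):
    """Deal with the most serious potential problems first."""
    return sorted(findings, key=lambda f: (-risk(f), f.asset.name, f.vuln_id))


def total_risk(findings) -> float:
    return round(sum(risk(f) for f in findings), 1)


def forecast(findings, countermeasure):
    """Estimate a proposed countermeasure's effect before deploying it.
    countermeasure(f) returns the post-mitigation Finding, or None if it is removed."""
    remaining = [m for m in (countermeasure(f) for f in findings) if m is not None]
    return total_risk(findings), total_risk(remaining)


def patch(vuln_id):
    """Countermeasure: patching removes the finding outright."""
    return lambda f: None if f.vuln_id == vuln_id else f


def isolate(asset_name):
    """Countermeasure: network segmentation removes Internet exposure but not the flaw."""
    return lambda f: replace(f, internet_exposed=False) if f.asset.name == asset_name else f


# Constructed inventory for the example
DB = Asset("customer-db", 5)
WEB = Asset("public-web", 4)
PRINTER = Asset("lobby-printer", 1)
SAMPLE = [
    Finding(WEB, "VULN-0001", 9.8, True),
    Finding(DB, "VULN-0002", 7.4, False),
    Finding(PRINTER, "VULN-0003", 9.0, True),
    Finding(DB, "VULN-0004", 4.0, False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk(f):5.1f}  {f.asset.name:14s} {f.vuln_id}")
    print("patch VULN-0001:", forecast(SAMPLE, patch("VULN-0001")))
    print("isolate public-web:", forecast(SAMPLE, isolate("public-web")))
```

The point the ranking makes is the one the slide makes: the printer's high-severity finding lands last because the asset matters little, while the internal database finding outranks it. Evaluating actual effectiveness after deployment is the same computation re-run on the findings a fresh scan reports.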
21. Usefulness of data to attacker
Diagram with axes “usefulness of data to attacker” and “interaction with target / chance of detection”. The plotted stages are: OSINT and passive reconnaissance; infrastructure, host detection and port scanning; OS, service, application and protocol identification; vulnerability scanning.
22. Vulnerability Assessment Tools
* OpenVAS
* Nexpose Community
* Metasploit Framework
* Retina CS Community
* Burp Suite
* Nikto
* OWASP Zed Attack Proxy (ZAP)
* Clair
* Moloch
23. Exploitation
In computing, an exploit is an attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders.
A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system.
A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator.
Many exploits are designed to provide super-user-level access to a computer system.
24. Some types of Exploits
* Arbitrary code execution
* Buffer overflow
* Code injection
* Heap spraying
* Cross-site scripting
* HTTP header injection
* HTTP request smuggling
* DNS rebinding
* Clickjacking
* Cross-site request forgery (CSRF)
* IP spoofing
* Eavesdropping
* DoS