The document discusses various tactics, techniques and common knowledge for detecting cyber attacks. It outlines general security problems like authenticity, authorization, confidentiality, integrity and availability. It then discusses specific techniques used in cyber attacks like escalation of privilege, credential dumping, modifying file system permissions and disabling security tools. It provides details on how each technique works and potential ways to detect them, such as monitoring specific Windows registry keys or processes. The overall document serves as a guide on common cyber attack vectors and approaches for detection.

1. DETECTING CYBER ATTACKS
LAN NGUYEN
VERAMINE

2. XIN CHÂN THÀNH CẢM ƠN CÁC NHÀ TÀI
TRỢ
VERAMINE 2

3. OUTLINES
• General Security Problems
• Need to handle to secure IT computer networks
• Computer Systems, Hardware, Software, Data
• Detections
• Tactics, Techniques and Common Knowledge
3

4. GENERAL SECURITY PROBLEMS
1. Authenticity
• Multifactor. Should include Hardware-Support factor. E.g. Taiwan ID cards with weak
random.
• Mutual Authentication: e.g. may help prevent fishing
• FIDO: Strong Authentication Standard. U2F: Universal Second Factor (Yubico)
• Zero Trust
2. Authorization / Access Control
• Very widely applied to Principals and Resources
• Separate Networks. Classified Networks.
• Role-based Principals
• OS: Ring 0 – Ring 3
4

5. GENERAL SECURITY PROBLEMS
3. Confidentiality
• Reduce protecting TBs to thousands bits
• Following Encryption Standards. Crypto Agility
• Key Management is Vital. Hardware Security Module (HSM)
4. Integrity and Non-repudiation
• Signatures and Authenticated Encryption
• Code Signing: Signing process need to be carefully protected. E.g. Ccleaner AV. Flame.
• You can say Blockchain belongs to cybersecurity
• Side effect: Not deniable and accountability. E.g. Signing off releasing software
5. Availability
• DDOS
• Build efficient software: CPU, RAM, Network
• Data Replication and Backup 5

6. GENERAL SECURITY PROBLEMS
6. Monitoring and Auditing
• High Quality Data Collection: Wide Variety but Not too much
• About Processes, Users, Network, Protocols, Registries, Files, Services,
Permissions
• “CCTV” Cameras to Record and Replay
7. Detection
• Data Analysis to find intrusion alerts. Good data collection means good
detection
• Rule-based and Machine Learning
6

7. GENERAL SECURITY PROBLEMS
8. Investigation
• From alerts, find intrusion scope, timeline, approaches and signatures
• Track the intrusion spans: malicious user logons, C&C connections…
• Search, correlate and analyze on Memory, Files and other data
9. Response
• From Investigation results, find a good plan to quickly cleanup the IT
network
• Isolate, suspend and stop malicious endpoints, users, processes,
binaries, network traffic
10.Remediation and Prevention
• Measures, policies and rules to prevent similar attacks
7

8. SECURITY DESIGN PRINCIPLES
Principle Explanation
Open design Assume the attackers have the sources and
the specs.
Fail-safe defaults Fail closed; no single point of failure.
Least privilege No more privileges than what is needed.
Economy of mechanism Keep it simple.
Separation of privileges Don’t permit an operation based on a single
condition.
Total mediation Check everything, every time.
Least common mechanism Beware of shared resources.
Psychological acceptability Will they use it?
8

9. DETECTIONS
• All about https://attack.mitre.org/wiki/Technique_Matrix
• The Attack Dictionary
9

10. ESCALATION OF PRIVILEGE (EOP)
• Attacker exploit bugs to raise privilege level, such as from user
to system
• MITRE says “Detecting software exploitation may be difficult”
• But detection is possible with 100% accuracy, no FP or FN,
based on security permission data
10

11. CREDENTIAL DUMPING
• Harvesting passwords
• Tools: mimikatz, gsecdump
• With System level, open lsass.exe process to decrypt and read
passwords
• Detection is highly accurate
11

12. LSA PACKAGES
• Windows Security Support Provider (SSP) DLLs are loaded into the
Local Security Authority (LSA) process, then have access to passwords
• Modify some Registries to add new SSPs
• Detection by monitoring these Registries
• HKLMSYSTEMCurrentControlSetControlLsaAuthentication Packages
• HKLMSYSTEMCurrentControlSetControlLsaNotification Packages
• HKLMSYSTEMCurrentControlSetControlLsaSecurity Packages
• HKLMSYSTEMCurrentControlSetControlLsaOSConfigSecurity Packages
12

13. CHANGE DEFAULT FILE ASSOCIATION
• File association selections are stored and edited in the Windows
Registry
• Modify the file association to call an arbitrary program for a file
extension
• Detection when the default File Association registry key is
modified
[HKEY_CURRENT_USER]SoftwareMicrosoftWindowsCurrentV
ersionExplorerFileExts
13

14. FILE SYSTEM PERMISSIONS WEAKNESS
• Processes execute binaries with improperly set permissions then the
binary may be overwritten with another binary using lower level
permissions
• The replaced binary will also execute under higher level permissions,
which could include SYSTEM. This technique can also be used for
persistence.
• Service binary replacement and Installers loading from weakly-ACL'd
directories.
• Detection when a process running at high privilege loads a binary
that is ACL'd to allow low privilege user tampering.
14

15. ACCESSIBILITY FEATURES
• Windows contains accessibility features launched with a key
combination before user logon. An adversary can use it to get a
command prompt or backdoor without logon.
• In recent Windows, the replaced binary needs to be signed for x64,
must reside in %systemdir%... The debugger method is a
workaround.
• Detection by Monitoring Registries within
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionImage File Execution Options 15

16. DISABLING SECURITY TOOLS
• Killing security software or event logging processes, deleting
Registry keys…
• Build tamper-resistant security software
• Detection by Deception/Traps of Security Software
16

17. FILE DELETION
• Adversaries may remove malware, tools to clean footprint
• Should preserves a copy of every binary that was loaded by any
process on any system
• They can go to Binary Analysis Pipeline (BAP) to assess a
suspicion score to it.
• And download to any customer.
17

18. APPINIT DLLS
• For persistence, DLLs specified in the AppInit_DLLs value in
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
NTCurrentVersionWindows are loaded by user32.dll into
every process that loads user32.dll.
• Detection where an application has modified the AppInit DLL
registry settings.
18

19. BYPASS USER ACCOUNT CONTROL (UAC)
• Elevate privileges to perform a task under administrator-level
permissions by prompting the user for confirmation.
• Bypass e.g. rundll32.exe load a specifically crafted DLL which loads
an auto-elevated COM object and performs a file operation in a
protected directory. Or malicious software may also be injected into a
trusted process to gain elevated privileges without prompting a user.
• Detection by tracking the state of each process token and reports any
token changes, e.g. unexpected Integrity Level (IL) change from
Medium to High
19

20. COMPONENT OBJECT MODEL HIJACKING
• Adversaries can use this system to insert malicious code that
can be executed in place of legitimate software through
hijacking the COM references and relationships as a means for
persistence.
• Hijacking a COM object requires a change in the Windows
Registry to replace a reference to a legitimate system
component.
• Detection by monitoring Registries of COM, such as Icon
Overlay Handler.
20

21. LOCAL PORT MONITOR
• A port monitor can be set through the AddMonitor API call to set a
DLL to be loaded at startup. This DLL will be loaded by the print
spooler service, spoolsv.exe. Or, an arbitrary DLL can be loaded for a
pathname to
HKLMSYSTEMCurrentControlSetControlPrintMonitors.
• The spoolsv.exe process also runs under SYSTEM level permissions.
• Detection monitoring registry keys under
HKLMSYSTEMCurrentControlSetControlPrintMonitors
• Better, Detection highlights any unknown, new, or suspicious Print
Spooler service DLL image loads
21