Part 4 of Cybera’s Introduction to Cybersecurity series
Once you have developed a full inventory of your operational environment (as outlined in our previous post), the next step is to try and uncover the intentional and unintentional dangers they face.
From a security standpoint, threats and attacks are two separate but critical issues. For network security in particular, it is important to grasp the difference between the two.
- Threat: in the realm of information security, a threat is the presence of a persistent hazard to your information’s integrity. This might take the shape of a physical human threat, a computer virus or malware, or something else.
- Attack: a deliberate and malicious action or activity that aims to exploit vulnerabilities, compromise the integrity or availability of your data or systems, or gain unauthorized access to sensitive information.
In this post, we will focus on the most common threats that organizations in Canada are facing.
Types of threats to be aware of
The origin of the threat may be accidental or environmental, human negligence, or human failure.
At a high level, security threats include anything that interrupts, interceps, fabricates, or modifies vital assets and services, and can include both malicious threats (spyware, malware, etc) and non-malicious threats (i.e. natural disasters).
Threats typically fall under these categories:
Malicious software hosted on websites or other servers that can be accessed/downloaded by unaware users.
- Command and Control (C&C) Callbacks
Devices that have been compromised will communicate with the attackers’ infrastructure to download instructions and malware .
- Newly Seen Domains
Domains that have become active very recently. These are often used to create lookalike websites, through which users can be attacked.
Fraudulent email or telephone communications, or websites, that aim to trick users into handing over personal or financial information.
An attacker co-opts a user’s computing resources to mine crypto currencies.
- Dynamic DNS
Enables outside users to gain access to resources (such as servers or webcams) on a local network by utilizing its “dynamic” IP address.
- Potentially Harmful Domains
Domains that exhibit suspicious behavior and may be part of an attack.
- DNS Tunneling VPN
A VPN service that allows users to disguise their traffic by tunneling it through an organization’s DNS protocol. These can be used to bypass corporate policies regarding access and data transfer.
Specific examples of common threats include:
Also known as advertising-supported software, this software package automatically renders advertisements in order to generate revenue for the author. The advertisements may be in the user interface of the software or presented in the web browser. Adware may cause tabs to open automatically that display advertising, make changes to the home page settings in your web browser, offer ad-supported links from search engines, or initiate redirects to advertising websites.
- Advanced Persistent Threat (APT)
A set of stealthy and continuous computer hacking processes, often orchestrated by cyber criminals targeting a specific entity. An APT usually targets organizations and/or nations for business or political motives.
A type of Trojan (see below) that enables threat actors to gain remote access and control over a system. The backdoor is often the final stage in gaining full control over a system.
A number of internet-connected systems infected with malware whose actions are coordinated by C&C servers. The infected systems are referred to as bots. The most typical uses of botnets are DDoS attacks on selected targets, and the propagation of spam.
- Browser Hijacker
Any malicious code that modifies a web browser’s settings without a user’s permission. This is done to inject unwanted advertising into the user’s browser, or redirect them to fraudulent or malicious sites. It may replace the existing home page, error page, or search page. It can also redirect web requests to unwanted destinations.
- Bulletproof Hosting
A service provided by some domain hosting or web hosting firms that gives customers considerable leniency in the kinds of material they may upload and distribute. This type of hosting is often used for spamming, phishing, and other illegal cyber activities.
- Drive-by Download
Any download that happens without a person’s consent or knowledge.
A program or malware component that has been designed to install some sort of malware (ransomware, backdoor, etc.) onto a target system. The dropper may download the malware from a C&C server, or from other remote locations.
- Exploit Kit
A software kit designed to run on web servers with the purpose of identifying software vulnerabilities in the client machines communicating with it, as well as discovering and exploiting vulnerabilities.
- Fast Flux Botnet
A DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts that are acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed C&C, web-based load balancing, and proxy redirection to make malware networks more resistant to discovery and counter-measures.
- Information Stealer
A Trojan that can harvest keystrokes, screenshots, network activity, and other information from systems it is installed on. It may also covertly monitor and collect screen/video shots of user’s behaviour and harvest personally identifiable information, including names and passwords, chat programs, websites visited, and financial activity. Collected information may be stored locally and later retrieved, or may be transmitted to a C&C server.
A type of malware or malicious code used in the loading of a second-stage malware payload onto a victim’s system. The loader is able to hide a malware payload inside the actual loader code, instead of contacting a remote location to download a second-stage payload.
Involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Malvertising is often used in exploit kit redirection campaigns.
- Mobile Trojan
A Trojan designed to target and infect mobile phones running Android, iOS, Windows or other mobile operating systems.
- Point-of-sale Malware
Used by cybercriminals within point-of-sale terminals to obtain credit card and debit card information. It does this by reading the device memory from the retail checkout point-of-sale system.
Computer malware that is covertly installed on a victim’s computer in order to encrypt files. A ransom is then demanded to decrypt the files or to prevent the attacker from publishing the victim’s data.
- Remote Access Trojan (RAT)
Malware that allows covert surveillance or unauthorized access to a compromised system. A RAT makes use of specially configured communication protocols. The actions it performs can vary, but typically follow the Trojan techniques of monitoring user behaviour, exfiltrating data, lateral movement, and more.
A collection of computer software, typically malicious, that enables access to a computer — or areas of its software — that would not otherwise be allowed (for example, to an unauthorized user). It often masks its existence.
A form of malicious software or website that uses social engineering to give the perception of a threat in order to manipulate users into buying or installing unwanted software. Instead of remediation, the malicious software or remote entity delivers malware to the computer.
A DNS sinkhole, also known as a sinkhole server, is a DNS server that gives out false information to prevent the use of the domain names it represents. Traffic is redirected away from its intended target. These sinkholes are often used to disrupt botnet command and control servers.
An unwanted, unsolicited message that can be received through email or SMS texts. Spam is sent to many users in bulk, often using a botnet. Spam can contain advertising, scams, or solicitations. In the case of malicious spam, or “malspam”, it contains malicious attachments or links that lead to malware.
Gathers information about a person or organization without their knowledge, often by asserting control over a computer.
Malware that is used to compromise a system by misleading users of its true intent. Trojans typically create a backdoor to exfiltrate personal information, and can also deliver additional malicious payloads.
Malware that replicates itself in order to spread to other computers. Worms typically spread through the computer network or removable storage devices that are shared between systems, relying on security failures on the target computer.
Many organizations run cyber threat self-assessments to determine where they should focus their monitoring, protection, and remediation efforts.
In our next article we continue discussing threats and attacks, specifically looking at how an attack is different from a threat.
Previous posts in Cybera’s Introduction to Cybersecurity series
Engage with us in cybersecurity discussions
Are there particular cybersecurity topics you’d like to chat with us about, or have us organize a community discussion about? Let us know via firstname.lastname@example.org.