The A to Z of Cyber Security

From BEC scams to DDoS attacks, and quantum cryptography to zero-days, here’s our brief guide to the world of cyber security.

Dick O'Brien
Threat Intel

A is for Authentication

Authentication is one of the fundamentals of cyber security and a core requirement for any kind of transaction or for access to private data. The standard form of authentication is what’s known as “single factor”, i.e. a username and password. However, the rise of online fraud has severely tested its limits. Usernames are easily guessed (usually a person’s name or email address) and, all too often, so are passwords (since many people pick weak, easy-to-guess passwords such as “abc123”, “123456” and… ummmm… “password”). Even a strong password has its limitations, since it can be stolen, either through a data breach or phishing (see below). As a result, we’ve seen a move towards more robust forms of authentication, including two-factor authentication (2FA), where the user has to input an additional, private piece of information (such as a PIN code), and biometric authentication, where a fingerprint or facial recognition (such as in the new iPhone X) is employed.

B is for Business Email Compromise

As a form of fraud, Business Email Compromise (BEC) scams are among the most lucrative for cyber criminals. According to the FBI, roughly US$5 billion was lost to BEC scams between October 2013 and December 2016. Also known as “whaling” or “CEO fraud”, BEC scams don’t require too much technical sophistication and instead rely on social engineering. How do they work? Scammers will usually send an email purporting to come from the CEO, asking the recipient to initiate an urgent wire transfer. The emails are usually sent to a senior member of the finance department, often the CFO. If the recipient falls for the email, they could be duped into sending huge sums to accounts controlled by the scammers. Losses of hundreds of thousands of dollars have frequently been seen and, in some cases, millions have been stolen.

C is for Cryptocurrencies

The arrival of cryptocurrencies such as Bitcoin has had a major impact on cybersecurity. Cryptocurrencies have quickly become the default currency on the cyber underground, since they’re easily traded and offer a greater degree of anonymity than traditional financial systems. Their arrival played a central role in the growth of ransomware, providing a payment mechanism that was easily automated and hard to trace. A surge in the value of many cryptocurrencies over the past year has prompted a growing number of cyber criminals to get involved by distributing crypto-mining malware and effectively outsourcing their mining to unsuspecting victims.

D is for Denial of Service (DoS)

One of the biggest causes of online disruption is denial of service attacks, where websites or the networks of entire organizations are knocked offline, usually by flooding them with traffic. The most common form of attack these days is the Distributed Denial of Service (DDoS) attack, where attackers use botnets of thousands of infected devices to generate the sheer volume of traffic needed to knock even the most well-resourced organizations offline. DDoS attacks are carried out for a variety of reasons. In some cases, it’s simple malice, but in others the attackers are seeking to extract money from the targeted organization in exchange for calling off the attacks. Other motives may revolve around “hacktivism”, where an organization is attacked for political reasons.

E is for Exploit Kit

Exploit kits are one of the methods cyber criminals use to infect people with malware. What are they? Essentially they allow attackers to use a website to infect unsuspecting visitors. They work by exploiting vulnerabilities in software in order to install malware. Usually, exploit kit operators will compromise third-party web servers and inject malicious code into the web pages hosted on them. This code directs browsers to the servers hosting the exploit kit itself. The exploit kit will analyze the visiting computer in order to identify the most appropriate exploit for the victim’s computer. This exploit will then be used to attempt to deliver malware to their computer.

F is for Fileless Threats

The success of any cyber attack largely depends on the likelihood of discovery, and it goes without saying that attackers put considerable time and effort into minimizing that risk. The more evidence you leave on a computer, the greater that risk, and one of the main kinds of evidence we see is files installed on a computer. One tactic we’ve seen growing in popularity in recent years is fileless threats: malware that never writes itself to the hard disk but instead remains resident in memory, which could evade the attention of security software that only scans the hard disk. They aren’t undetectable though. Our way of combating this threat is memory exploit mitigation (MEM) techniques in our products, which can proactively block remote code execution (RCE) exploits, along with our heuristic-based memory scanning, which can detect memory-only threats.

G is for Grayware

The divide between legitimate software and malware is often blurred. Grayware occupies the murky middle ground. Grayware refers to applications that may not have any recognizable malware concealed within them but can nevertheless be in some way harmful or annoying to the user. It could track their web browsing habits, serve up unwanted ads or dial up premium rate numbers. In many cases, grayware authors maintain a veneer of legitimacy by outlining the application’s capabilities in the small print of the software license agreement.

H is for Hacking

We’ve all heard of websites or companies being hacked. But what does “hacking” actually mean? In its original incarnation, hacking simply meant finding new ways of doing things with computers and software. That could be good (improving the performance of something) or bad (finding a way onto a computer you shouldn’t have access to). Nowadays hacking tends to be employed as a catch-all phrase for all sorts of malicious activity from data breaches, to web page defacement, to bank fraud. Often it doesn’t even involve any programming skill on the part of the attacker. It’s even used as an excuse for embarrassing behavior. Post something you regret saying on social media? “Sorry folks, my account was hacked”.

I is for IoT

There was once a time when it was just computers that were connected to the internet. Then it was cellphones. Now, it’s pretty much… everything. Household appliances, security systems, home heating and lighting, and even cars are all becoming Internet-enabled. That makes the Internet of Things (IoT) one of the new frontiers for cyber security. We’ve long heard predictions about ransomware on home appliances and hijacking of cars, but threats against IoT have now gone from theory to reality. At the moment, attacks are less elaborate than some of the predicted scenarios. By and large, attackers have taken advantage of poor security on IoT devices to add them to botnets (the most notable of which has been Mirai), which have been mainly used to perform DDoS attacks.

J is for JavaScript

What’s this doing on the list, you ask? JavaScript is a widely used scripting language and is, in itself, in no way malicious. However, in recent times, JavaScript has been by far the most popular file format for malicious email attachments. If you’re lured into opening it, the script will run and download malware to your computer. In some cases, these JavaScript downloaders are easy to spot, since they’ll bear the .JS extension, but attackers will often attempt to obfuscate the file type by adding additional extensions (e.g. invoice.docx.js) or by hiding them in a zipped archive.
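A mail filter can check for both tricks described above, the decoy extension and the zipped archive. The sketch below is an added example, not Symantec code; the extension lists, size limit and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed policy lists for this example; tune them for your mail gateway.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "jpg", "png", "txt"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # do not unpack huge archive members
MAX_DEPTH = 2                       # archives inside archives, then stop


def classify_name(name):
    """Return a finding for one file name, or None if nothing stands out."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension script"
    return "script"


def scan_attachment(filename, data, depth=0):
    """Return [(path, finding)] for an attachment, looking inside ZIP archives."""
    findings = []
    verdict = classify_name(filename)
    if verdict:
        findings.append((filename, verdict))
    # Recognise archives by content rather than by the name the sender chose.
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                small = member.file_size <= MAX_MEMBER_BYTES
                inner = archive.read(member) if small else b""
                for path, found in scan_attachment(member.filename, inner, depth + 1):
                    findings.append((filename + "!" + path, found))
    return findings


def make_sample_zip():
    """Constructed sample: a ZIP holding a decoy-named script and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docs/Invoice.DOCX.js", "// constructed placeholder")
        archive.writestr("docs/readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for path, found in scan_attachment("scan.zip", make_sample_zip()):
        print(path, "->", found)
```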

K is for Keylogger

Malware comes in lots of varieties. One of the oldest is the keylogger, which does what it says on the tin, recording every keystroke on an infected computer. It remains one of the most effective ways of stealing information, including user names, passwords, and private communications such as emails and instant messages. Keyloggers are often included as features in financial or spying Trojans and can be doubly effective information stealing tools when combined with screen grabbers, which take snapshots of what’s on the user’s screen.

Living off the land? Not quite what we mean.

L is for Living off the Land

Living off the Land describes a cyber attack strategy that eschews traditional tools such as malware and zero-day vulnerabilities in favor of alternatives, such as using operating system features, legitimate tools, and cloud services, to compromise networks. Why would attackers do this? Living off the Land can make attacks more difficult to detect, since it’s harder to spot malicious use of legitimate tools compared to the presence of malware. It’s something we’ve seen more of in recent years as attackers are forced to work harder to stay under the radar.

M is for Man-in-the-Middle

A man-in-the-middle attack (MITM for short) is a tactic used to intercept and/or alter supposedly private or secure communications. Generally speaking, the attacker will need to either exploit a vulnerability or use some kind of malware to perform a successful MITM attack. For example, the reason why the FREAK vulnerability, which was discovered in 2015, was so serious was that it facilitated MITM attacks against secure connections. Financial Trojans frequently use a variant of MITM called man-in-the-browser (MITB) to intercept secure banking sessions and alter pages in order to dupe victims into disclosing their banking credentials.

N is for Necurs

The single biggest distribution channel for malware, scams, and other kinds of online threats is spam email. The major cyber crime groups generally outsource their distribution to specialist outfits who control vast botnets of thousands of infected computers that power their spamming operations. A small handful of spam botnets dominate malware distribution and, for the past few years, the Necurs botnet has been the daddy of them all. Nothing illustrates this more than the fact that when Necurs briefly went offline for a few months last year, the email malware rate plummeted. In December 2016, the last month of Necurs operations before the pause, one in 98 emails blocked by Symantec contained malware. In January 2017, that rate dropped to one in 772.

O is for One-Time Password

As the number of accounts we have that require authentication grows, the challenge of keeping them secure becomes greater. In some cases, a simple username and password combination is deemed insufficient and extra layers of security are applied, such as two-factor authentication (2FA). One approach to 2FA is the one-time password (OTP), which is only valid for a single login. This reduces the risk around a stolen password being reused. How do they work? OTPs are usually generated on a small device contained in a keyring fob or by a smartphone app.

P is for Point-of-Sale malware

Remember there was a huge number of payment card breaches at major retailers a couple of years ago? Most of them were caused by point-of-sale (POS) malware. POS terminals can be infected with malware like any other connected device. When a card is swiped, its details are briefly stored in the terminal’s memory while being transmitted to the payment processor. This provides a brief window for malware on the terminal to copy the card data, which it then transmits back to the attackers. The technique is known as “memory scraping”. The rash of breaches forced retailers and payment providers into upping their security. The introduction of EMV, chip-and-PIN type cards to replace traditional magnetic stripe cards has helped to reduce the threat posed by memory scraping POS malware.

Q is for Quantum Cryptography

Cryptography is core to cyber security. As computing power continually increases, the strength of encryption needs to increase in parallel. If it doesn’t, then sooner or later, someone is going to build a computer fast enough to perform a brute force attack (i.e. attempting all possible encryption key combinations). 256-bit encryption, which is the strongest standard in common use, is still an unimaginably long time away from being cracked in this fashion. However, the advent of quantum computing does pose a threat to traditional cryptography since it is theoretically possible for it to break public key cryptography at some point. If that comes to pass, the answer could lie in quantum cryptography, where quantum computing is used to create new and more secure forms of cryptography, a quantum solution to a quantum problem, so to speak.

R is for Ransomware

Ransomware has arguably been the number one cyber security concern over the last few years. A number of factors coalesced to make it a potent threat. First of all, cyber criminals mastered the art of employing strong encryption on infected computers. Secondly, the advent of cryptocurrencies such as Bitcoin meant criminals had an accessible and relatively anonymous payment mechanism. Thirdly, mass-mailing spam botnets such as the aforementioned Necurs meant they could spread their malware far and wide, maximizing the number of potential victims.

S is for Spear Phishing

Phishing emails are designed to look like they come from somebody else and are usually designed to trick the recipient into disclosing information. For example, it could be an email pretending to come from a bank asking customers to change their password and providing a link to a bogus website designed to harvest credentials. Spear phishing emails are a variation on that theme, the difference being that they are targeted at specific individuals. Like regular phishing emails, they could be designed to trick the recipient into disclosing credentials. Or they could be used to lure people into installing malware by asking them to open a malicious attachment or follow a malicious link. The tactic is often used in BEC scams (see above) and targeted attacks (see below).

T is for Targeted Attack

Most of the activity we see involving malware is indiscriminate. Cyber criminals usually don’t really care who their victim is as long as there is a possibility of profiting from them. Targeted attacks are very different. They’re usually the work of organized, state-sponsored groups and their main motivation is espionage. By and large, that means intelligence gathering, but targeted attacks can include disruption, subversion and sabotage. Although quite small in number when compared to ordinary cyber crime, targeted attacks nevertheless pose a significant threat. Usually the attackers are more skillful and better resourced than run-of-the-mill cyber criminals and are often targeting highly sensitive information.

U is for Update

Sick and tired of getting constant reminders to update your software to the latest version (which inevitably arrive when you’re busiest)? Avoid clicking “no” or “later” where possible. Software updates play an important role in keeping you secure. Vendors will regularly roll out patches for newly discovered vulnerabilities (see below) in the latest version. If you don’t apply the update, attackers could exploit unpatched vulnerabilities and infect your computer.

V is for Vulnerability

No piece of software is perfect and, even after years of testing, new bugs are often found. Vulnerabilities are a type of bug that permits someone to use the software in a way that wasn’t intended. There are numerous types of vulnerabilities. Some can allow an attacker to crash the software. Others may permit denial of service conditions or allow someone to gain privileges they shouldn’t have. The most serious kinds of vulnerabilities are what’s known as remote code execution vulnerabilities, which allow attackers to run arbitrary code on the vulnerable computer and can be triggered remotely, such as from another computer on the network or over the internet.

W is for WannaCry

WannaCry was undoubtedly the cyber security news story of 2017. These days it’s quite rare for a single piece of malware to cause overnight panic. WannaCry was similar to most families of ransomware we’ve seen in recent years except for one critical difference — it incorporated a Windows exploit known as “EternalBlue” that enabled it to self-propagate, infecting other computers on a network and spreading across the internet. The vulnerability exploited by EternalBlue had been patched by Microsoft two months earlier, but there were enough unpatched computers online for WannaCry to cause chaos. Hundreds of thousands of computers were hit.

X is for XSS

Cross-Site Scripting (XSS) is one of the most commonly used methods to attack visitors to a website. XSS works by exploiting vulnerabilities in web applications that permit attackers to insert their own code onto other people’s websites. This could permit attackers to steal other users’ credentials or cookies, allowing them to access their accounts and/or impersonate them.

No, not that Yara!

Y is for YARA

As the number of new malware threats multiplies every year, protecting against them presents a constant challenge, requiring innovative new tools and techniques. One tool that is growing in popularity is YARA. An open source initiative, YARA is a tool firms can use to identify and flag malware. While many traditional signature-based detection technologies rely on matching file hashes, YARA additionally works by creating rules that flag files based on matching code strings.
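To show why string rules catch what hash signatures miss, here is an added example (not from the original article and not YARA itself): a simplified stand-in for a rule with a "2 of them" condition, run against constructed samples. The family name, marker strings and sample bytes are all made up for illustration.

```python
import hashlib

# Constructed samples: two builds of one made-up family plus an unrelated file.
MARKERS = [b"ExampleLoader/1.0", b"EXAMPLE_FAMILY_MUTEX", b"checkin.example.invalid"]
SAMPLE_A = b"MZ" + b"\x00" * 16 + b"|".join(MARKERS) + b"\x00build=1001"
SAMPLE_B = b"MZ" + b"\x00" * 16 + b"|".join(MARKERS) + b"\x00build=1002"
BENIGN = b"Release notes: ExampleLoader/1.0 is no longer supported."

# Hash signature: the SHA-256 of the one build that was analysed.
HASH_BLOCKLIST = {hashlib.sha256(SAMPLE_A).hexdigest()}


def hash_match(data):
    """Exact-file detection: any changed byte produces a different hash."""
    return hashlib.sha256(data).hexdigest() in HASH_BLOCKLIST


class StringRule:
    """Simplified stand-in for a YARA rule whose condition is 'N of them'.

    Roughly what this YARA source expresses:
        rule Example_Family {
            strings:
                $ua    = "ExampleLoader/1.0"
                $mutex = "EXAMPLE_FAMILY_MUTEX"
                $host  = "checkin.example.invalid"
            condition:
                2 of them
        }
    """

    def __init__(self, name, strings, min_hits):
        self.name, self.strings, self.min_hits = name, strings, min_hits

    def hits(self, data):
        return [s for s in self.strings if s in data]

    def matches(self, data):
        # Requiring several strings keeps a single stray mention from matching.
        return len(self.hits(data)) >= self.min_hits


RULE = StringRule("Example_Family", MARKERS, min_hits=2)


def scan(data):
    """Return which of the two detection methods flags this file."""
    return {"hash": hash_match(data), "rule": RULE.matches(data)}


if __name__ == "__main__":
    for label, blob in [("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", BENIGN)]:
        print(label, scan(blob))
```

The second build differs from the first by one byte, so the hash signature misses it while the string rule still matches; the benign file contains only one marker and is not flagged.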

Z is for Zero Days

Vulnerability exploits are a key tool for attackers attempting to compromise a computer or web server. Zero-day vulnerabilities are the holy grail for attackers; they are previously unknown vulnerabilities that have yet to be patched by the software vendor. There’s a thriving market for new zero days and attackers are willing to pay big money for critical vulnerabilities in commonly used software. Many software vendors are attempting to fight back by paying “bug bounties” to researchers who find vulnerabilities in their products.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

Dick O'Brien
Threat Intel

Comms guy at Symantec Security Response. Racing cyclist. Keen on tech, politics, books, fitness and nutrition.