Chapter 2.0
Methods of Security Attack
Part 1
DFC20313 Cybersecurity Fundamentals
Prepared By: Fatimah Zahra
CLO & PLO
Upon completion of this course, students should be able to:
CLO1: Explain cybersecurity threats and hazards using appropriate tools and techniques for a secured environment in organizations.
PLO2: Apply design and architecture to Information Technology solutions using appropriate tools and techniques.
Topic Content
01 2.1 Explain security attacks.
2.1.1 Describe classification of security attacks
2.1.2 Identify types of security attacks
02 2.2 Determine common types of social engineering.
2.2.1 Describe impersonation-based social engineering
2.2.2 Identify computer-based social engineering
2.2.3 Identify mobile-based social engineering
03 2.3 Determine cyber kill methodology.
2.3.1 Define cyber kill methodology flow
What is the purpose of security attacks, and what outcome could the attackers be expecting?
Goals and motivation can vary among the attackers. Malicious users could be motivated by financial gain, information theft, curiosity, or pride; they purposely attack the network with the goals of accessing proprietary information, modifying information, and denying access to information. Non-malicious users, on the other hand, typically have no motivation to negatively affect the network; however, they might inadvertently compromise the security of the network by choosing weak passwords or installing unauthorized software. So their motivation might be to use something that will make their access easier, but the result might be an exposed network.
Classification of security attacks
Passive attacks
A passive attack is a network attack in which a system is monitored and sometimes scanned for open ports and vulnerabilities. The purpose of a passive attack is to gain information about the system being targeted; it does not involve any direct action on the target.
Active attacks
An active attack is a network exploit in which a hacker attempts to make changes to data on the target or data en route to the target. There are several different types of active attacks. However, in all cases, the threat actor takes some sort of action on the data in the system or the devices the data resides on.
Insider attacks
An insider threat is a security risk that originates from within the targeted organization. It typically involves a current or former employee or business associate who has access to sensitive information or privileged accounts within the network of an organization, and who misuses this access.
Distribution attacks
Distribution attacks involve compromising hardware or software during its manufacturing or distribution phase. Attackers introduce backdoors or malicious code that can be exploited later. Examples include:
Supply Chain Attacks: Inserting malicious components into products before they reach the end user.
Active and Passive attacks
An active attack is a network exploit in which a hacker attempts to make changes to data on the target or data en route to the target. There are several different types of active attacks. However, in all cases, the threat actor takes some sort of action on the data in the system or the devices the data resides on. Attackers may attempt to insert data into the system or change or control data that is already in the system.
A passive attack is a network attack in which a system is monitored and sometimes scanned for open ports and vulnerabilities. The purpose of a passive attack is to gain information about the system being targeted; it does not involve any direct action on the target. Passive attacks include active reconnaissance and passive reconnaissance.
In a computer security context, reconnaissance is the act of exploring a system or network in order to gather information before conducting a full attack.
Types of passive attacks
Passive attacks can take various forms, including the following:
•Traffic analysis. This involves analyzing network traffic as it moves to and from the target systems. These types of attacks use statistical methods to analyze and interpret the patterns of communication exchanged over the network. These attacks can be performed on encrypted network traffic, but they are more common on unencrypted traffic.
•Eavesdropping. Eavesdropping occurs when an attacker intercepts sensitive information by listening to phone calls or reading unencrypted messages exchanged in a communication medium. Although eavesdropping is similar to snooping, snooping is limited to gaining access to data during transmission.
•Footprinting. This is the process of gathering as much information as possible about the target company's network, hardware, software and employees. Footprinting gathers information on the target, such as IP address, domain name system information and employee ID. Footprinting is also the first step in gathering information for a penetration test.
•Spying. An intruder might masquerade as an authorized network user and spy without interaction. With that access, an intruder might monitor network traffic by setting the network adapter to promiscuous mode to capture all encrypted data traffic on a network.
•War driving. War driving detects vulnerable Wi-Fi networks by scanning them from nearby locations with a portable antenna. This type of passive attack is typically carried out from a moving vehicle. Hackers sometimes plot out areas with vulnerabilities on a map using a GPS. War driving can be done just to steal an internet connection or as a preliminary activity for a future attack.
•Dumpster diving. In this type of attack, intruders look for information stored on discarded devices or even passwords in trash bins. The intruders can then use this information to facilitate covert entry to a network or system.
Types of active attacks
Masquerade attack
In a masquerade attack, the intruder pretends to be a particular user of a system to gain access or to gain greater privileges than they are authorized for. Masquerade attacks are conducted in several different ways, including the following:
•using stolen login identifications (IDs) and passwords;
•finding security gaps in programs; and
•bypassing the authentication.
An attempt may come from an employee inside an organization or from an outside threat actor using a connection to the public network. Weak authentication can provide a point of entry for a masquerade attack and make it easy for an attacker to gain entry. If attackers successfully receive authorization and enter the network, depending on their privilege level, they may be able to modify or delete the organization's data. Or they may make changes to network configuration and routing information.
In a masquerade attack, the threat actor sends a message that appears to come from a legitimate source.
Types of active attacks
Session hijacking attack
A session hijacking attack is also called a session replay attack. In it, the attacker takes advantage of a vulnerability in a network or computer system and replays the session information of a previously authorized system or user. The attacker steals an authorized user's session ID to get that user's login information. The attacker can then use that information to impersonate the authorized user.
A session hijacking attack commonly occurs over web applications and software that use cookies for authentication. With the use of the session ID, the attacker can access any site and any data that is available to the system or the user being impersonated.
In a hijacking attack, the threat actor gets a copy of a message and resends it to the recipient, who is fooled into thinking it's coming from the original sender.
Types of active attacks
With a message modification attack, the threat actor intercepts a message, changes it and then sends it on to the intended recipient.
Types of active attacks
DoS attack
In a denial-of-service (DoS) attack, the attackers overwhelm the victim's system, network or website with network traffic, making it difficult for legitimate users to access those resources. Two ways a DoS attack can occur include:
Flooding. The attacker floods the target computer with internet traffic to the point that the traffic overwhelms the target system. The target system is unable to respond to any requests or process any data, making it unavailable to legitimate users.
Malformed data. Rather than overloading a system with requests, an attacker may strategically send data that a victim's system cannot handle. For example, a DoS attack could corrupt system memory, manipulate fields in the network protocol packets or exploit servers.
In a distributed DoS (DDoS) exploit, large numbers of compromised systems -- also referred to as a botnet or zombie army -- attack a single target with a DoS attack. A DDoS uses multiple devices and locations to launch requests and overwhelm a victim's system in the same way a DoS attack does.
Know the four signs of a denial-of-service attack.
How to prevent an active attack
Firewalls and intrusion prevention systems (IPSes)
Random session keys
Kerberos authentication protocol
One-time passwords (OTPs)
https://www.techtarget.com/whatis/definition/active-attack
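Two items in the prevention list above, random session keys and one-time passwords, as an added Python example that is not part of the slides: session keys drawn from the OS random source, and an RFC 4226 HOTP generator with a server-side verifier that refuses a reused code. The secret, counters and look-ahead window are constructed for the demo.

```python
import hmac
import hashlib
import struct
import secrets


def generate_session_key(nbytes=32):
    """Random session key from the OS CSPRNG; earlier keys give no hint of later ones."""
    return secrets.token_urlsafe(nbytes)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: a code is valid only once and only at or ahead of the expected counter."""

    def __init__(self, secret, look_ahead=3):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few codes the user generated but never sent

    def verify(self, code):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume this counter and any skipped ones
                return True
        return False                   # wrong code, or a code already used


if __name__ == "__main__":
    # Constructed demo secret (this is the RFC 4226 test-vector secret, not a real one).
    demo_secret = b"12345678901234567890"
    v = OtpVerifier(demo_secret)
    first = hotp(demo_secret, 0)
    print(first, v.verify(first), v.verify(first))   # second use of the same code fails
    print(generate_session_key())
```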
Insider attacks
Insider attacks are performed by trusted persons who have
physical access to the critical assets of the target. An insider attack
involves using privileged access to violate rules or intentionally
cause a threat to the organization's information or information
systems.
Examples of insider attacks:
o Eavesdropping and wiretapping
o Theft of physical devices
o Social engineering
o Data theft and spoliation
o Pod slurping
o Planting keyloggers, backdoors, or malware
https://quizlet.com/606575303/ethical-hacking-c701-flash-cards/
Distribution attacks
Distribution attacks occur when malicious users modify
hardware or software prior to its installation. This modification
can occur at the source or while the hardware or software is in
transit. A software back door created by the software vendor is
an example of a distribution attack.
Examples of distribution attacks include backdoors created by software
or hardware vendors at the time of manufacture.
Attackers leverage these backdoors to gain unauthorized access to the
target information, systems, or network.
o Modification of software or hardware during production
o Modification of software or hardware during distribution
types of security attacks
Reconnaissance attack is a type of security
attack that an attacker uses to gather all possible information about the
target before launching an actual attack. An attacker uses a
reconnaissance attack as a preparation tool for an actual attack.
Types of reconnaissance attacks
Social reconnaissance attacks: The hacker uses social engineering to gather information about the target. Users share a lot of personal and business information on social networking sites.
Public reconnaissance attacks: The hacker collects information about the target from public domains. Companies share location and business model information on their websites. A hacker can use this information to determine the location of the target. From this information, a hacker can also determine what kind of infrastructure the target uses.
https://www.computernetworkingnotes.com/ccna-study-guide/reconnaissance-attacks-tools-types-and-prevention.html
types of security attacks
Access attacks require some sort of intrusion capability. These can consist of anything as simple as gaining an account holder's credentials to plugging foreign hardware directly into the network infrastructure. They usually happen when reconnaissance attacks have already been performed by the hacker/attacker.
General Distinction of Access Attacks
A. Logical access attacks, like exploitation through brute-force attacks or testing passwords over the network with rainbow tables or dictionary attacks, tend to create a ton of traffic on the network and can be easily spotted by even a less experienced network monitor.
B. Physical access is really either access to the hardware or access to the people. Social engineering is very dangerous and hard to defend against simply because your users are usually the weakest link in cybersecurity. The easiest type of social engineering attack involves sending out phishing emails designed to hook someone that way, or getting a key logger onto an insider's computer to gain credentials that may escalate the attacker's privileges.
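Point A says logical access attacks such as dictionary or brute-force password guessing are noisy and easy for a monitor to spot. This added Python example (not from the slides) shows that monitoring: it reads constructed sshd-style auth-log lines and flags any source that exceeds a failure threshold inside a sliding time window. The log lines, threshold and window are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the sshd auth-log style; not real events.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[812]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:02 sshd[812]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:02 sshd[812]: Failed password for test from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:03 sshd[812]: Failed password for oracle from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:04 sshd[812]: Failed password for guest from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:09 sshd[812]: Accepted password for alice from 198.51.100.5 port 40000 ssh2
2024-03-01T10:05:00 sshd[812]: Failed password for bob from 198.51.100.5 port 40001 ssh2
2024-03-01T10:20:00 sshd[812]: Failed password for bob from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port"
)


def parse(log):
    """Yield (timestamp, outcome, username, source_ip) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_bruteforce(log, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures_in_window, usernames_tried)} for every source that
    reaches `threshold` failed logins inside any `window`-long sliding interval."""
    failures = defaultdict(list)
    for ts, outcome, user, ip in parse(log):
        if outcome == "Failed":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # slide the window forward
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[ip] = (end - start + 1, users)
                break
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failures, usernames tried: {', '.join(users)}")
```

The two slow, spaced-out failures from the second source stay below the threshold, which is the point of windowing: one mistyped password is not an attack.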
types of security attacks
There are several common types of access attacks:
•Port Redirection: This is when a threat actor uses a compromised system as a base for attacks against other targets.
•Man-in-the-middle attack: The threat actor is positioned in between two legitimate entities in order to read, modify, or redirect the data that passes between the two parties.
•IP, MAC, DHCP Spoofing: Spoofing attacks are attacks in which one device attempts to pose as another by falsifying address data. There are multiple types of spoofing attacks. For example, MAC address spoofing occurs when one computer accepts data packets based on the MAC address of another computer that is the actual destination for the data.
•Password attack: Threat actors attempt to discover critical system passwords using various methods such as phishing attacks, dictionary attacks, brute-force attacks, network sniffing, or social engineering techniques. Brute-force password attacks involve repeated attempts using tools such as Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
•Pass-The-Hash: The threat actor already has access to the user's machine and uses malware to gain access to the stored password hashes. The threat actor then uses the hashes to authenticate to other remote servers or devices without using brute force.
•Trust Exploitation: Threat actors use a trusted host to gain access to network resources. For example, an external host that accesses an internal network over VPN is trusted. If that host is attacked, the attacker may use the trusted host to gain access to the internal network.
What is the solution?
types of security attacks
Denial-of-service (DoS) attack is a type of cyber attack in which a malicious actor aims to render a computer or other device unavailable to its intended users by interrupting the device's normal functioning. DoS attacks typically function by overwhelming or flooding a targeted machine with requests until normal traffic is unable to be processed, resulting in denial of service to additional users. A DoS attack is characterized by using a single computer to launch the attack.
Most Common Forms of DoS Attacks
•Ping flood: overwhelms the target with excessive ICMP echo requests,
exhausting its capacity to handle legitimate traffic.
•SYN flood: floods the target system with SYN packets, exhausting its
resources and preventing legitimate connections.
•Smurf attack: spoofs the victim’s IP address and floods it with ICMP
echo requests, overwhelming bandwidth and resources.
•HTTP/HTTPS flood: floods web servers with high-volume
HTTP/HTTPS requests, causing degraded performance or unavailability.
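To show what the SYN flood from the list looks like from the defender's side, here is an added Python example (not from the slides) that tracks TCP handshake state over a constructed packet trace and raises an alert when a server accumulates too many half-open connections, which is what exhausts its connection resources. The addresses, trace and threshold are constructed for the demo.

```python
from collections import defaultdict

SERVER = "10.0.0.8"


def build_trace():
    """Constructed (src, dst, flags) records standing in for a packet capture.
    A normal handshake is S -> SA -> A; a flood sends SYNs and never completes them."""
    trace = []
    for client in ("198.51.100.5", "198.51.100.9"):        # two legitimate clients
        trace += [(client, SERVER, "S"), (SERVER, client, "SA"), (client, SERVER, "A")]
    flood = [f"203.0.113.{i}" for i in range(1, 41)]        # 40 distinct (spoofable) sources
    trace += [(src, SERVER, "S") for src in flood]
    trace += [(SERVER, src, "SA") for src in flood]         # server replies, gets no final ACK
    return trace


def handshake_states(trace):
    """Follow each (client, server) pair through the three-way handshake."""
    states = {}
    for src, dst, flags in trace:
        if flags == "S":
            states[(src, dst)] = "half-open"               # server must now hold state
        elif flags == "SA" and states.get((dst, src)) == "half-open":
            states[(dst, src)] = "awaiting-ack"
        elif flags == "A" and states.get((src, dst)) == "awaiting-ack":
            states[(src, dst)] = "established"
    return states


def syn_flood_report(trace, threshold=20):
    """Per server: completed vs. incomplete handshakes, and an alert flag when the
    number of incomplete ones reaches `threshold` (a SYN flood signature)."""
    per_server = defaultdict(lambda: {"established": 0, "incomplete": 0})
    for (client, server), state in handshake_states(trace).items():
        key = "established" if state == "established" else "incomplete"
        per_server[server][key] += 1
    return {s: dict(v, alert=v["incomplete"] >= threshold) for s, v in per_server.items()}


if __name__ == "__main__":
    for server, stats in syn_flood_report(build_trace()).items():
        print(server, stats)
```

Counting per source would miss this flood entirely, since every SYN comes from a different address; the half-open count on the victim is the signal.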
types of security attacks
Distributed Denial-of-service (DDoS) attack involves multiple sources, often compromised computers forming a botnet, simultaneously launching a coordinated attack on the target. These sources, controlled by the attacker, generate a massive volume of traffic directed towards the target, overwhelming its resources and causing service disruption. DDoS attacks amplify the impact by distributing the attack traffic across multiple sources, making them more difficult to mitigate. Examples of DDoS attacks include DNS Amplification, NTP Amplification, and Botnet-based attacks.
In summary, the main differences between DoS and DDoS attacks are:
1. Scale: DoS attacks originate from a single or small number of sources, while DDoS attacks involve multiple sources distributed across a botnet or network.
2. Resources: DoS attacks aim to exhaust the resources of a targeted system, network, or application, while DDoS attacks aim to overwhelm the collective resources of the target by harnessing the power of multiple sources.
3. Coordination: DoS attacks are typically executed by a single attacker, whereas DDoS attacks require coordination among multiple compromised sources to launch a distributed attack.
4. Impact: DDoS attacks tend to have a greater impact due to the increased volume of attack traffic and the distributed nature of the attack, making them more challenging to defend against.
Both DoS and DDoS attacks pose significant threats to the availability and stability of online services. Successful attacks can lead to financial losses, reputational damage, and potential security breaches.
Organizations and individuals need to implement robust security measures, such as traffic filtering, network monitoring, and DDoS mitigation services, to defend against these attacks and ensure uninterrupted service delivery.
types of security attacks
Malicious code refers to any software or
code that is intentionally designed to harm or
exploit a computer system, network, or data.
It is created with malicious intent and can
perform a variety of harmful actions. Here
are some common types of malicious code:
Types of Malicious Code
The Trojan Horse is a malicious program that masks itself as
a legitimate one. It appears to do its expected duties while
executing dangerous code in the background without the user's
knowledge. This helps the threat to go undetected.
Trojans are generally classified according to the type of malicious
actions they perform. Trojan Horses cannot reproduce or spread
themselves. However, their malicious elements may include viruses,
worms, or other damaging code.
Viruses are malicious software that copies itself and
spreads to other computers. Its malicious code attaches to
macro-enabled programs. Computer viruses come in different forms
and include Polymorphic, Compression, Macro, Boot sector,
Multipart, and Stealth viruses. A virus cannot, however, spread
automatically and requires a carrier. This means that it travels
through USB connections or downloaded files from the internet.
Once a virus infiltrates your device, it can then self-propagate and
spread through the system and connected networks.
Worms are malicious software that can spread itself
without attaching to a program. The self-replicating code is like
viruses but more infectious. It often uses security flaws in a
computer network to spread. Malware of this form is considered
more dangerous due to the malicious code it carries. It can cause
bandwidth degradation or denial of service through aggressive self-
propagation.
Class activity
How to Avoid Malicious Code Attack???
End of Chapter 1 Part 1