Attack Surfaces and Vulnerabilities
In the first blog of this series, we became familiar with some well-used cybersecurity terminology. This blog will look at some well-known attack and threat types and how they can be perpetrated. As a couple of readers pointed out, the definition of threat should focus on malicious (or inadvertent) actions on a computer system. So, although the network may allow threats to gain entry into an organization, it’s a specific target or vulnerable system that allows a threat to take hold.
This blog will look at three common categories of attack: Network, Web Application, and Endpoint.
Denial of Service: The goal of a denial of service (DoS) attack is to make a machine or network resource unavailable to legitimate users by flooding the resource with an excessive volume of packets, rendering it inaccessible or even crashing the system. Some examples include TCP SYN floods and buffer overflows.
Distributed Denial of Service: Incoming traffic flooding the victim originates from many different sources, making it harder to isolate a specific source to block. Distributed denial of service (DDoS) attacks have grown in impact due to increased capacity and bandwidth that allow for larger amounts of bogus traffic to be directed at a target system. Application-specific attacks also exist that focus on network infrastructure and infrastructure management tools, or applications that may be flooded with maliciously crafted requests.
Man-in-the-middle: MITM occurs when a malicious actor hijacks an exchange between two parties, allowing the attacker to intercept, send, and receive data meant for someone else. In another form of MITM, an attacker may use a sniffer program to eavesdrop on a legitimate exchange. Some examples include email hijacking and Wi-Fi eavesdropping.
Web Application Attacks
SQL injection: Based on the of insertion or "injection" into an SQL query to manipulate a standard SQL query to exploit non-validated input vulnerabilities in a database, allowing attackers to spoof identity, tamper with, disclose, or destroy existing data. An inline attack can be accomplished by placing meta characters into data inputs (for example, $username = 1' or '1' = '1), which may then be executed as predefined SQL commands in the control plane, as in SELECT * FROM Users WHERE username='1' OR '1' = '1', which can return an actual value due to the condition OR ‘1’ = ‘1’.
Other examples of injections involve the use of end of line or inline comments, stacked queries, IF statements, and strings without quotes, as well as many others.
Cross-site scripting (XSS): Injects malicious code into a vulnerable web application. Unlike SQL injection that targets an application, XSS exploits a vulnerability within a website or web application, facilitating the delivery of a malicious script to a victim’s browser. There are two categories of XSS: Stored or Persistent.
Reflected XSS reflects a malicious script off of a web application and onto a user’s browser through an embedded link that is activated when clicked on.
Buffer overflows: This condition exists when a program writes more data to an allocated buffer than it can store, leading to corrupted data, program crashes, or enabling the execution of malicious code by overwriting a function’s return pointer, thereby transferring control to the malicious code. Attackers research and identify buffer overflows products and components, and then attempt to exploit them.
Command and control (C2): A C&C server is a computer controlled by an attacker that is used to send commands to systems compromised by malware and receive stolen data from a target network, and which also allows attackers to move laterally inside a network. C&C servers also serve as the control point for compromised machines in a botnet.
Rootkit: A rootkit is a “hidden” program designed to provide continued privileged access to a computer. A rootkit may consist of a collection of tools that enable administrator-level access to a computer or network, or they can be associated with malware such as concealed Trojans, worms, and viruses.
Port scanning: Hackers conduct port-scanning techniques to identify potential vulnerabilities associated with specific computer ports. While not an attack in itself, this activity is often known as reconnaissance, which is often the precursor to other activities.
This is a summary of the some of the more well-known attack types. It is a starting point only, and the reader is encouraged to research the ever-evolving threat landscape to understand the challenges faced by cybersecurity professionals in their quest to mitigate and protect against compromise. In the next blog, we will review some of the typical tools and methods available for these challenges.