Understanding Information Assurance and Cybersecurity

Information assurance encompasses risk management related to information and systems, focusing on confidentiality, integrity, availability, nonrepudiation, and authentication. The document discusses cybersecurity threats and trends for 2020, including sophisticated phishing, ransomware, and IoT attacks, as well as advanced persistent threats and the Lockheed Martin Cyber Kill Chain model. It also outlines methods for detecting, denying, disrupting, degrading, deceiving, and destroying cyber threats during various attack phases.


Information Assurance

Information assurance is the overarching approach for identifying, understanding, and managing risk
through an organization’s use of information and information systems.

It has the objectives of maintaining the following services or attributes:

• Confidentiality - Confidentiality refers to our ability to protect our data from those who are not
authorized to view it.

• Integrity - Integrity is the ability to prevent data from being changed in an unauthorized or
undesirable manner, and to detect and reverse unwanted changes, including those made by authorized users.

• Availability - Availability refers to the ability to access our data when we need it.

• Nonrepudiation - the ability to ensure that a party cannot later deny having performed an action, for
example having sent a message or approved a transaction.

• Authentication - refers to the process of verifying the identity of users, devices, or systems before
granting them access to sensitive information or resources.
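The difference between integrity, authentication and nonrepudiation is easiest to see with a message authentication code. The following is an added example, not part of the original notes; it assumes Alice and Bob share one secret key (a constructed scenario) and uses only the Python standard library. A bare hash stored next to the data gives no integrity, because whoever edits the data can recompute the hash; a keyed HMAC gives integrity and authentication, because nobody without the key can produce a valid tag; but it still gives no nonrepudiation, because the receiver holds the same key and can forge a tag for a message the sender never wrote. Nonrepudiation needs a key that only the sender holds, i.e. a digital signature.

```python
import hashlib
import hmac
import secrets

# Constructed scenario: one key shared by sender and receiver (an assumption for the example).
SHARED_KEY = secrets.token_bytes(32)


def unkeyed_hash_check(data: bytes, digest: bytes) -> bool:
    """Verifier that only recomputes SHA-256. Anyone who can alter the data can alter the digest."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)


def plain_hash_demo() -> bool:
    """Returns True when an attacker's tampering slips past the unkeyed check (it does)."""
    data = b"transfer 100 to account 42"
    digest = hashlib.sha256(data).digest()
    # Attacker on the path rewrites the data and simply recomputes the digest.
    data, digest = b"transfer 900 to account 42", hashlib.sha256(b"transfer 900 to account 42").digest()
    return unkeyed_hash_check(data, digest)


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Constant-time comparison; never compare MACs with ==."""
    return hmac.compare_digest(tag(key, message), received_tag)


def hmac_demo() -> dict:
    original = b"transfer 100 to account 42"
    t = tag(SHARED_KEY, original)
    tampered = b"transfer 900 to account 42"
    forged_msg = b"Alice owes Bob 1000"
    return {
        # Integrity + authentication: the genuine message verifies, the altered one does not.
        "authentic_accepted": verify(SHARED_KEY, original, t),
        "tampered_rejected": not verify(SHARED_KEY, tampered, t),
        # No nonrepudiation: Bob, holding the same key, mints a valid tag for a message
        # Alice never sent, so a valid tag proves "someone with the key", not "Alice".
        "receiver_can_forge": verify(SHARED_KEY, forged_msg, tag(SHARED_KEY, forged_msg)),
    }


if __name__ == "__main__":
    print("unkeyed hash accepted tampering:", plain_hash_demo())
    print(hmac_demo())
```

The practical rule that follows: store a keyed MAC (or signature) with data whose integrity matters, not a bare checksum, and use signatures where a third party must later be able to attribute an action to one party.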

Information Security - Information security is a subdomain of information assurance. It focuses on the
CIA triad (confidentiality, integrity, and availability).

Information Protection - It is best viewed as a subset of information security. It is often defined in terms
of protecting the confidentiality and integrity of information through a variety of means such as policy,
standards, physical controls, technical controls, monitoring, and information classification or
categorization.

Cybersecurity - It is used to describe the measures taken to protect electronic information systems
against unauthorized access or attack.

It pursues the same objectives as information security, scoped to the confidentiality, integrity, and
availability of electronic information systems.

Cybersecurity Threats and Trends for 2020

• Phishing Gets More Sophisticated —

• Ransomware Strategies Evolve — Ransomware attacks are believed to cost victims billions of dollars
every year. Attackers deploy malware that encrypts an individual’s or organization’s data and holds
the information for ransom until payment is made.

• Cyber-Physical Attacks — The same technology that has enabled us to modernize and computerize
critical infrastructure also brings risk. The ongoing threat of hacks targeting electrical grids,
transportation systems, water treatment facilities, etc., represents a major vulnerability going
forward. According to a recent report in The New York Times, even America’s multibillion-dollar
military systems are at risk of high-tech foul play.

• IoT Attacks — The Internet of Things is becoming more ubiquitous by the day (according to
[Link], the number of devices connected to the IoT is expected to reach 75 billion by 2025). It
includes laptops and tablets, of course, but also routers, webcams, household appliances, smart
watches, medical devices, manufacturing equipment, automobiles and even home security systems.

• Cryptojacking
• Smart Medical Devices and Electronic Medical Records (EMRs)
• Connected Cars and Semi-Autonomous Vehicles
• Social Engineering
• A Severe Shortage of Cybersecurity Professionals

ADVANCED PERSISTENT THREATS

An advanced persistent threat is an attack in which an unauthorized user gains access to a system or
network and remains there for an extended period of time without being detected. The goal of advanced
persistent threats is most often data theft.

Advanced persistent threats are highly customized and sophisticated, designed specifically to get around
the existing security measures in place within a company.

Lockheed Martin Cyber Kill Chain

To describe the phased, persistent nature of an APT intrusion, Lockheed Martin developed a model in 2011
called the Cyber Kill Chain, shown in the original figure (adapted to indicate the cost to remediate). Its
seven phases are described below.

Reconnaissance

Reconnaissance covers the steps taken by an adversary prior to the attack. It often involves techniques
that are both passive and active. Passive techniques are performed without sending a single packet to the
target of the attack. Instead, metadata is gathered indirectly through public documents, public sources,
search engines, and cached web archives. Active reconnaissance, on the other hand, involves interacting
with the target’s website and open interfaces, and may extend to port and service scanning, API scanning
(enumeration), and vulnerability scanning.

Weaponization

Weaponization is the crafting of a new exploit, or the selection of an existing one, to take advantage of
the vulnerabilities found during the reconnaissance phase. Normally, an APT does not need anything fancy,
or a zero-day exploit, at this stage: there are usually unpatched, publicly known vulnerabilities that can
be used. In rarer cases, the adversary pairs a purpose-built exploit with a custom payload, containing a
trojan or other backdoor, that provides command and control and whatever further functionality is
desired.

Delivery

During this phase of the attack, the attacker sends the exploit and payload to the target to take
advantage of a discovered vulnerability. This may involve exploiting a discovered web or e-mail
vulnerability, or perhaps an open API interface. Unfortunately, there are often easier ways into an
enterprise, such as a simple phishing attack, which is still effective after billions of dollars in training and
awareness. Other forms of social engineering attacks may be used here as well.

Exploitation

During this phase, the cyber weapon is detonated and executed in some fashion, either by that “helpful”
user or automatically by an application such as an e-mail client or web browser plugin. At this point, the
attacker’s code is executing on the target host. When directly attacking a port or service, the delivery and
exploitation phase are the same.

Installation

During this phase, the attacker normally performs two actions:

• Gain persistence.

• Download and execute a secondary payload.

When it comes to persistence, the worst thing that can happen to an attacker at this phase is the user
closing the application running the malicious code or, even worse, rebooting the computer, severing all
connections. Therefore, the first intention of the adversary is to quickly gain some form of persistence.

This secondary payload is normally required, as the primary payload must be small, evade anti-virus, and
often fit within the confines of a carrier document or file. However, this secondary payload may be much
larger in size, may execute entirely in memory, and further evade many antivirus technologies. The
secondary payload may contain a standard and readily available attack framework, such as a remote
access trojan (RAT). Some attackers have even started to use our own tools against us, such as
Metasploit.

Command and Control (C2)

After the execution of the secondary payload, the attacker will normally have some form of command
and control (C2), a military phrase, whereby the attacker may direct the activities of the remote access
tool (RAT) or attack framework. This may be a simple form of communication that perhaps sleeps for a
day (or longer) and then wakes up and phones home, checking for commands to execute. Further, this
C2 may leverage a more sophisticated scheme of tunneling through common traffic, custom encryption,
or communication protocols.
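The "sleep, wake up, phone home" behaviour described above is what a defender can look for: a compromised host contacting the same destination at regular intervals, long after any user activity would explain it. The following beacon detector is an added example, not part of the original notes; it runs over a few constructed proxy log lines (timestamp, client, destination, bytes) embedded in the block, groups requests per client/destination pair, and flags pairs whose inter-arrival times are nearly constant (low coefficient of variation). Real proxy logs have a different layout, the field order here is an assumption, and an implant that sleeps for a day needs a lookback window longer than the sample; attackers also add random jitter to the sleep, which raises the variation and is why the threshold is a tunable.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy log lines (not from any real environment): time, client, destination, bytes.
# 10.0.0.5 phones home roughly every 60 s with small jitter; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 10.0.0.5 203.0.113.10:443 512
2024-03-01T10:00:03Z 10.0.0.7 198.51.100.20:443 90210
2024-03-01T10:01:01Z 10.0.0.5 203.0.113.10:443 498
2024-03-01T10:01:20Z 10.0.0.7 198.51.100.20:443 1200
2024-03-01T10:01:59Z 10.0.0.5 203.0.113.10:443 505
2024-03-01T10:03:00Z 10.0.0.5 203.0.113.10:443 511
2024-03-01T10:03:30Z 10.0.0.7 198.51.100.20:443 38000
2024-03-01T10:04:02Z 10.0.0.5 203.0.113.10:443 500
2024-03-01T10:05:00Z 10.0.0.5 203.0.113.10:443 503
2024-03-01T10:09:45Z 10.0.0.7 198.51.100.20:443 700
"""


def parse_proxy_log(log_text: str) -> dict:
    """Group (timestamp, bytes) events by (client, destination) pair."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, nbytes = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events[(src, dst)].append((t, int(nbytes)))
    return events


def find_beacons(log_text: str, min_events: int = 6, max_cv: float = 0.15) -> dict:
    """Return {(client, destination): (mean_interval_s, cv)} for pairs whose
    inter-arrival times are regular enough to look like a scheduled callback.
    cv = population stdev / mean of the gaps; 0 means perfectly periodic."""
    hits = {}
    for pair, evs in parse_proxy_log(log_text).items():
        evs.sort()
        if len(evs) < min_events:          # too few samples to call anything periodic
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            hits[pair] = (round(m, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (interval, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {interval}s (cv={cv})")
```

Pair this with the byte counts: callbacks that carry almost the same small payload each time ("nothing to do yet") are a stronger signal than timing alone, and a sudden large transfer from a beaconing host is a candidate for the exfiltration described under Actions on Objectives.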

Actions on Objectives
Finally, after all that effort, which may take only seconds to complete, the adversary performs actions
on objectives, another military phrase meaning complete the mission, the task you came to do. Often
this involves moving laterally across the organization, discovering sensitive information, gaining
enterprise administrative privilege, establishing further forms of persistence and access, and
ultimately exfiltrating the sensitive data, extorting the victim through ransomware, mining
cryptocurrency, or pursuing some other profit motive.

Courses of Action (Methods) for the Cyber Kill Chain

During each phase of the Cyber Kill Chain, there are methods of dealing with an active attack and
breaking the Cyber Kill Chain of an adversary, as discussed next.

Detect

During each phase, you may detect the attacker, but it is often more feasible to detect the attack in its
early phases. The further the attacker digs into the network, the more they begin to look like a normal
user and the harder it is to detect them. There is one prominent exception here, the “deceive” method,
which we will discuss in a moment.

Deny

An effective method to deal with an attacker is to “deny” them access to sensitive resources. However,
that turns out to be harder than it sounds. Again, if an attacker is simply taking advantage of a
discovered vulnerability that bypasses the built-in access control mechanisms, it may not be possible to
deny access to that system, particularly if it is Internet-facing. However, for secondary systems, further
network segmentation and access controls should be deployed to deny the attacker. On the extreme end
of this defense is Zero Trust, which is becoming popular and, if properly deployed, would greatly improve
this method.

Disrupt

The act of disrupting the attacker involves increasing their cost, either through new forms of antivirus or
operating system updates that bring new forms of memory protection, such as Data Execution
Prevention (DEP), address space layout randomization (ASLR), and Stack Canaries. As the attacker
evolves, we as defenders should evolve too. This is particularly important on external-facing systems, but
we cannot stop there. All systems and internal segments of the network should be considered vulnerable
and employ methods to disrupt the attacker, thus slowing them down and buying precious time to
detect them.

Degrade
To degrade an attacker means to limit their ability to be successful. For example, you may throttle
outbound data over a certain threshold to limit exfiltration. Further, you may block all outbound traffic
except through approved and authenticated proxies, which may buy you time to detect those attempts
before the attacker figures out the proxies and starts using them.
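A small egress policy evaluator makes the two "degrade" controls concrete. This is an added example, not part of the original notes; the proxy address, the per-host threshold and the flow records are all constructed assumptions. Each flow is a (source host, next hop, bytes out, authenticated user) tuple as a proxy or firewall might summarize it: traffic that does not go through the approved proxy is denied outright, traffic through the proxy without an authenticated user is denied, and a host whose cumulative outbound volume in the window passes the threshold is throttled and reported rather than silently allowed to finish.

```python
from collections import defaultdict

# Assumptions for the example: the only sanctioned egress point, and a per-host budget per window.
APPROVED_PROXIES = {"10.0.0.250:3128"}
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024   # 50 MiB per host per window; tune per environment

# Constructed flow records: (src_host, next_hop, bytes_out, authenticated_user or None).
SAMPLE_FLOWS = [
    ("10.0.0.5",  "10.0.0.250:3128",   2_000_000, "alice"),
    ("10.0.0.5",  "10.0.0.250:3128",  70_000_000, "alice"),   # large upload via the proxy
    ("10.0.0.9",  "203.0.113.77:443",      3_000, None),      # direct to the Internet
    ("10.0.0.12", "10.0.0.250:3128",     500_000, "bob"),
    ("10.0.0.12", "10.0.0.250:3128",     100_000, None),      # proxy used without authenticating
]


def evaluate_egress(flows, approved=APPROVED_PROXIES, threshold=EXFIL_THRESHOLD_BYTES):
    """Return one (src, next_hop, action, reason) verdict per flow, in input order.
    Actions: DENY (policy), THROTTLE (volume over budget), ALLOW."""
    verdicts = []
    bytes_per_host = defaultdict(int)
    for src, hop, nbytes, user in flows:
        if hop not in approved:
            verdicts.append((src, hop, "DENY", "direct egress bypasses approved proxy"))
            continue
        if user is None:
            verdicts.append((src, hop, "DENY", "unauthenticated proxy request"))
            continue
        bytes_per_host[src] += nbytes
        if bytes_per_host[src] > threshold:
            verdicts.append((src, hop, "THROTTLE",
                             f"{bytes_per_host[src]} bytes out in window exceeds {threshold}"))
        else:
            verdicts.append((src, hop, "ALLOW", ""))
    return verdicts


def hosts_over_budget(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """Hosts whose sanctioned, authenticated outbound volume crossed the budget: the
    list an analyst should look at first for exfiltration."""
    return sorted({src for src, _, action, _ in evaluate_egress(flows, threshold=threshold)
                   if action == "THROTTLE"})


if __name__ == "__main__":
    for verdict in evaluate_egress(SAMPLE_FLOWS):
        print(verdict)
    print("over budget:", hosts_over_budget(SAMPLE_FLOWS))
```

Throttling rather than blocking at the threshold is deliberate: a hard block tells the attacker immediately that a limit exists, whereas a slowdown keeps the transfer crawling while the alert is worked.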

Deceive

To deceive the enemy is, again, as old as warfare itself. It is a basic element of cyber operations and is
most effective for an attacker who has made it past all other defenses but is lurking and poking around
the internal network. The hope is that the attacker steps on one of the digital mouse traps (i.e.,
honeypots) you deployed for the purpose of detecting that very act.
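The "digital mouse trap" can be very small: a listener on a port nothing legitimate should ever touch, which records every connection and answers with a plausible banner so a scanner logs it as an open service. The following is an added example, not part of the original notes; it is a minimal TCP honeypot on the loopback interface, with the banner text and the in-memory event list as assumptions (a real deployment would write to the SIEM and listen on an internal address). The `probe` function plays the attacker's touch so the block can be run stand-alone.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Every hit is an alert: (UTC time, peer ip, peer port, first bytes sent by the peer).
EVENTS = []


class TrapHandler(socketserver.BaseRequestHandler):
    """No legitimate client has a reason to connect, so simply record whoever does."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            first = self.request.recv(256)      # capture what the intruder tried first
        except socket.timeout:
            first = b""
        EVENTS.append((datetime.now(timezone.utc), self.client_address[0],
                       self.client_address[1], first))
        # Plausible-looking banner (assumed text) so a scanner records an open service.
        self.request.sendall(b"220 fileserver ready\r\n")


class Trap(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_trap(host: str = "127.0.0.1", port: int = 0) -> Trap:
    """Bind the trap (port 0 = any free port) and serve it on a background thread."""
    srv = Trap((host, port), TrapHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host: str, port: int, payload: bytes = b"USER admin\r\n") -> bytes:
    """Simulates an attacker poking the service; returns the banner the trap sent back."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)
        return s.recv(256)


if __name__ == "__main__":
    srv = start_trap()
    host, port = srv.server_address
    print("trap listening on", host, port)
    print("banner:", probe(host, port))
    for when, ip, peer_port, first in EVENTS:
        print(f"ALERT {when.isoformat()} {ip}:{peer_port} sent {first!r}")
    srv.shutdown()
    srv.server_close()
```

The value of the trap comes from what surrounds it: the address must not appear in any legitimate configuration, and the alert should be routed to people rather than to a dashboard, because by the time an internal host connects to it the attacker is already past the perimeter controls.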

Destroy

Unless you happen to work for a nation-state-level cyber force, you probably won’t be able to “hack
back.” However, you may destroy an attacker’s foothold in your own network when it’s discovered. A
word of caution here: you will need to perform careful planning and ensure that you pull the attacker out
by the roots; otherwise, you may start a dangerous game of hide-and-seek, angering the attacker, who
may be deeper in your network than you originally think.

Footprinting

Footprinting refers to the process of gathering information about a target, including its IP address range,
domain names, network infrastructure, and other publicly available details. The goal is to map out the
organization’s infrastructure and identify areas that could be vulnerable to attack.

Types of Footprinting:

1. Passive Footprinting: Involves collecting publicly available information without directly
interacting with the target system. This might include searching through public records, domain
registration details, and social media sites.

2. Active Footprinting: Involves directly interacting with the target network or system, such as
scanning its ports or testing for open vulnerabilities. This method is riskier as it can alert the
target to potential malicious activity.
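The reason active footprinting is "riskier" is that it leaves evidence in the target's own logs, which is also why the Detect course of action works best in the reconnaissance phase: a port or service scan is one source touching many ports on one host in a short time, a pattern no normal client produces. Passive footprinting never appears in these logs at all. The following scan detector is an added example, not part of the original notes; it runs over constructed firewall log lines embedded in the block (the line format is an assumption) and, per source/destination pair, slides a 60-second window over the events and reports the largest set of distinct destination ports seen inside any window when that set reaches the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall log layout: "<date> <time> ALLOW|DENY src=<ip> dst=<ip> dport=<port>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed log lines: 198.51.100.9 sweeps eight ports in three seconds; 203.0.113.4 is normal use.
SAMPLE_FW_LOG = """\
2024-03-01 10:00:00 DENY src=198.51.100.9 dst=10.0.0.5 dport=21
2024-03-01 10:00:00 DENY src=198.51.100.9 dst=10.0.0.5 dport=22
2024-03-01 10:00:01 ALLOW src=203.0.113.4 dst=10.0.0.5 dport=443
2024-03-01 10:00:01 DENY src=198.51.100.9 dst=10.0.0.5 dport=23
2024-03-01 10:00:01 DENY src=198.51.100.9 dst=10.0.0.5 dport=25
2024-03-01 10:00:02 DENY src=198.51.100.9 dst=10.0.0.5 dport=80
2024-03-01 10:00:02 ALLOW src=198.51.100.9 dst=10.0.0.5 dport=443
2024-03-01 10:00:03 DENY src=198.51.100.9 dst=10.0.0.5 dport=3389
2024-03-01 10:00:03 DENY src=198.51.100.9 dst=10.0.0.5 dport=8080
2024-03-01 10:00:40 ALLOW src=203.0.113.4 dst=10.0.0.5 dport=443
2024-03-01 10:00:41 ALLOW src=203.0.113.4 dst=10.0.0.5 dport=80
2024-03-01 10:45:00 DENY src=203.0.113.4 dst=10.0.0.5 dport=22
"""


def parse_fw_log(log_text: str):
    """Yield (timestamp, src, dst, dport); malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        yield datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"), d["src"], d["dst"], int(d["dport"])


def find_port_scans(log_text: str, window: timedelta = timedelta(seconds=60), min_ports: int = 6) -> dict:
    """Return {(src, dst): sorted distinct ports} for sources that touched at least
    min_ports distinct ports on one destination within any single window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse_fw_log(log_text):
        by_pair[(src, dst)].append((ts, port))

    hits = {}
    for pair, evs in by_pair.items():
        evs.sort()
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # drop events that fell out of the window
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            hits[pair] = sorted(best)
    return hits


if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(SAMPLE_FW_LOG).items():
        print(f"port scan: {src} -> {dst} ports {ports}")
```

Two caveats a practitioner would add: ALLOW lines count as much as DENY lines (the 443 hit above is part of the sweep), and a slow scan spread over hours defeats a fixed 60-second window, so the window and threshold are trade-offs between catching patient attackers and tolerating chatty but legitimate clients.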

Key Footprinting Techniques:

1. DNS Interrogation
2. Network Scanning
3. Website Footprinting
4. Social Engineering
5. Publicly Available Information

Information Gathering Tools:

Nmap: For network mapping and scanning, detecting open ports and services.

Netcat: A versatile networking tool used for port scanning, banner grabbing, and more.

Whois Lookup: Provides information about domain registration details.

Shodan: A search engine that helps identify IoT devices and systems exposed to the internet.

DNSstuff: A toolset for looking up DNS records, Whois information, and other networking details.

Maltego: A powerful tool for collecting open-source intelligence (OSINT) that links entities like
names, email addresses, domains, and social media accounts.

Google Dorking: Using advanced Google search operators to discover sensitive information indexed
by Google.
