2.1.2 Networks Are Targets
Networks are routinely under attack. It is common to read in the news about
yet another network that has been compromised. A quick internet search for
network attacks will return many articles about network attacks, including
news about organizations which have been compromised, the latest threats
to network security, tools to mitigate attacks, and more.
To help you comprehend the gravity of the situation, Kaspersky maintains the
interactive Cyberthreat Real-Time Map display of current network attacks.
The attack data is submitted from Kaspersky network security products that
are deployed worldwide. The figure displays a sample screenshot of this web
tool, which shows these attacks in real time. Many similar tools are available
on the internet and can be found by searching for cyberthreat maps.
2.1.3 Reasons for Network Security
Network security relates directly to an organization's business continuity.
Network security breaches can disrupt e-commerce, cause the loss of
business data, threaten people’s privacy, and compromise the integrity of
information. These breaches can result in lost revenue for corporations, theft
of intellectual property, lawsuits, and can even threaten public safety.
Maintaining a secure network ensures the safety of network users and
protects commercial interests. Keeping a network secure requires vigilance
on the part of an organization’s network security professionals. They must
constantly be aware of new and evolving threats and attacks to networks,
and vulnerabilities of devices and applications.
Many tools are available to help network administrators adapt, develop, and
implement threat mitigation techniques. For instance, the Cisco Talos
Intelligence Group website, shown in the figure, provides comprehensive
security and threat intelligence to defend customers and protect their assets.
Another group, called the Cisco Product Security Incident Response Team
(PSIRT), is responsible for investigating and mitigating potential
vulnerabilities in Cisco products. The figure displays a sample Cisco Security
Advisories page which lists these vulnerabilities in real time and provides
network administrators with information to help mitigate them.
2.1.4 Vectors of Network Attacks
An attack vector is a path by which a threat actor can gain access to a
server, host, or network. Attack vectors originate from inside or outside the
corporate network, as shown in the figure. For example, threat actors may
target a network through the internet, to disrupt network operations and
create a denial of service (DoS) attack.
Note: A DoS attack occurs when a network device or application is
incapacitated and no longer capable of supporting requests from legitimate
users.
An internal user, such as an employee, can accidentally or intentionally:
- Steal and copy confidential data to removable media, email, messaging
  software, and other media.
- Compromise internal servers or network infrastructure devices.
- Disconnect a critical network connection and cause a network outage.
- Connect an infected USB drive into a corporate computer system.
Internal threats have the potential to cause greater damage than external
threats because internal users have direct access to the building and its
infrastructure devices. Employees may also have knowledge of the corporate
network, its resources, and its confidential data.
Network security professionals must implement tools and apply techniques
for mitigating both external and internal threats.
2.1.5 Data Loss
Data is likely to be an organization’s most valuable asset. Organizational
data can include research and development data, sales data, financial data,
human resource and legal data, employee data, contractor data, and
customer data.
Data loss, or data exfiltration, is when data is intentionally or unintentionally
lost, stolen, or leaked to the outside world. The data loss can result in:
- Brand damage and loss of reputation
- Loss of competitive advantage
- Loss of customers
- Loss of revenue
- Litigation/legal action that results in fines and civil penalties
- Significant cost and effort to notify affected parties and recover from
  the breach
Network security professionals must protect the organization’s data. Various
Data Loss Prevention (DLP) controls must be implemented that combine
strategic, operational, and tactical measures.
Common data loss vectors are displayed below.
Email/Social Networking
The most common vector for data loss includes instant messaging software
and social media sites. For instance, intercepted email or IM messages could
be captured and reveal confidential information.
Unencrypted Devices
A stolen corporate laptop typically contains confidential organizational data.
If the data is not stored using an encryption algorithm, then the thief can
retrieve valuable confidential data.
Cloud Storage Devices
Saving data to the cloud has many potential benefits. However, sensitive
data can be lost if access to the cloud is compromised due to weak security
settings.
Removable Media
One risk is that an employee could perform an unauthorized transfer of data
to a USB drive. Another risk is that a USB drive containing valuable corporate
data could be lost.
Hard Copy
Corporate data should be disposed of thoroughly. For example, confidential
data should be shredded when no longer required. Otherwise, a thief could
retrieve discarded reports and gain valuable information.
Improper Access Control
Passwords are the first line of defense. Stolen passwords or weak passwords
which have been compromised can provide an attacker easy access to
corporate data.
Packet Tracer - Investigate a Threat Landscape
Objectives
Part 1: Investigate a Network Configuration Vulnerability
Part 2: Investigate a Phishing Malware Vulnerability
Part 3: Investigate a Wireless Network and DNS Vulnerability
Background / Scenario
The threat landscape consists of all the vulnerabilities that can be exploited
by threat actors. Every cybersecurity incident involves the exploitation of
vulnerabilities by different types of threat actors. Some threat actors want
money, others want to be famous, and yet others want to destroy
information and infrastructure.
In this activity, you will investigate three vulnerabilities that can be exploited
by threat actors.
Note: In this activity, both the Data Center and ISP/Telco sites are locked.
Instructions
Part 1: Investigate a Network Configuration Vulnerability
Sometimes network security vulnerabilities can happen by accident. For
example, forgetting to update server or host software may expose known
vulnerabilities that could easily be mitigated with a simple update. Similarly,
vulnerabilities may be introduced when a network device is not configured
properly, or a device is defective. In this part, you will explore a vulnerability
that results from a device that is not properly configured with security best
practices.
Step 1: Use a guest network to gain access to other devices on the network.
a. In Greenville, locate Smartphone 3 just outside of the Home location.
Mary is the owner of this smartphone. She is a friend of Bob, who lives in
the house. Mary is studying to eventually get a job in cybersecurity defense
and is familiar with network penetration testing. She noticed that a guest
wireless
network is open and accessible by anyone. She connected to the guest
network and used Nmap to run a scan, which can identify and discover
details about all the active devices. One of the devices appears to be a
webcam. Its IP address is [Link].
b. Click Smartphone 3, and then click Command Prompt. Enter the command
ping [Link]. After one or two "Request timed out" messages, the remaining
pings should be successful.
Mary informs Bob that the network is very vulnerable to attack. Someone
could take control of the webcam, for example, and watch video from inside
the house. Bob invites Mary to come in, investigate the issue, and propose a
solution.
Step 2: Explore the Home network to identify the vulnerability.
a. Click Home. Knowing that home routers typically control home wireless
networks, Mary heads straight for the home office and sits behind the desk.
She will use the Home Office PC to connect to the router. But first she
needs to determine the IP address.
b. Click Home Office PC > Desktop tab > Command Prompt, and then enter the
command ipconfig.
c. Next, Mary uses the Web Browser to connect to the Home Wireless Router.
Close the Command Prompt and click Web Browser. Enter the default gateway
IP address.
d. Bob does not have the documentation for the router, nor does he know the
login credentials. Mary looks up the router model on the internet and
discovers that the default credentials use admin for both the username and
password. Log in to the Home Wireless Router.
e. Click Wireless. Review the Basic Wireless Settings for each of the three
radios that are part of the wireless router.
f. Click the Wireless Security submenu.
g. Mary was able to access the network from outside without logging in;
therefore, she investigates further. Click the Guest Network submenu and
investigate the settings.
A wireless Guest network should only provide access to the internet for
guests. It should not permit guests to access the devices on the local
network inside the house. In this case, guests can access the local network.
This indicates that the home router is misconfigured.
Part 2: Investigate a Phishing Malware Vulnerability
Phishing is a type of social engineering attack where a threat actor poses
as a legitimate, trusted source in order to trick you into installing
malware on your device or sharing personal or financial information.
Phishing attacks typically come through emails or phone calls. Unlike other
network vulnerabilities, the primary vulnerability in phishing attacks is the
users of the network. For this reason, an important defense against phishing
is training users on how to recognize and avoid phishing attempts.
In this part, you will simulate and investigate a phishing attack.
Note: This activity is for demonstration purposes only. Writing and sending
phishing email messages is unethical and is considered a criminal attack in
most jurisdictions.
Step 1: Pose as a threat actor and create a phishing email.
a. Navigate to the Cafe network
b. Click the Cafe Hacker Laptop > Desktop tab > Email.
c. Click Compose.
Use your imagination to write a phishing email. Your objective is to persuade
the user to copy and paste a URL from your email message into their
browser. Include the link [Link] in the email. You can look for
example phishing emails online to see how threat actors write this type of
email.
Note: Links in phishing emails are typically active or "hot" links. All the
victim has to do is click it. However, Packet Tracer does not support the use
of active links inside the email client.
d. Send your email to three people inside the Branch Office network.
Their email addresses are as follows:
user1@[Link]
user2@[Link]
user3@[Link]
Step 2: Open the emails received from the threat actor.
a. Navigate to the Branch Office.
b. Click one of the devices, either PC-BR1, Laptop BR-1, or Laptop BR-2.
c. Click Desktop tab > Email, and then click Receive. You should
receive the email that you just sent.
Note: Packet Tracer may take up to a minute to converge. You may need to
click Receive several times if the email is not successfully retrieved.
d. Optional: Go to the other victim devices, open their Email client, and
click Receive to verify that they also received your phishing email.
Step 3: Pose as a victim and follow the phishing instructions.
a. Read the email and copy the website address.
b. Close the Mail Browser window, and then click Web Browser.
c. Paste the URL into the URL field, and then Go.
Note: Packet Tracer may take up to a minute to converge. You can click Fast
Forward Time (Alt+D) to speed up the process.
In a real-world situation, this email is typically spread by a virus that
automatically sends malicious emails to all the addresses in your contact
list. Employees should be trained how to identify phishing emails and the
actions that should be taken to prevent damage from them. In addition,
organizations can configure firewalls, intrusion prevention systems, and
other security devices and software to block phishing emails before they
enter the network. Some businesses subscribe to services that compile and
maintain lists of malicious websites. The security devices in the
organization can then use these lists to automatically update filters for
blocking malicious traffic.
Part 3: Investigate a Wireless Network and DNS Vulnerability
Your average network user tends to trust open Wi-Fi networks out in public
places. Using Wi-Fi instead of cellular data services can provide faster data
rates and be more cost effective. However, threat actors can configure a
laptop with a Wi-Fi interface that can act as both a Wi-Fi access point and a
Wi-Fi client. This means that threat actors can create their own wireless
networks and broadcast a convincing SSID to potential victims in public
places. Threat actors use these rogue access points to create
man-in-the-middle attacks. In this attack, threat actors can capture and
read all the wireless traffic from devices that associate with the rogue
access point, potentially learning usernames, passwords, and other
confidential information.
In this part, you will investigate how a rogue access point can be used to
entice users to connect to a fake wireless network. When combined with
network services such as DHCP and DNS, users can become victims of
malicious website attacks through DNS hijacking.
Step 1: Connect to the threat actor’s wireless network.
a. Navigate to the Cafe. Notice the threat actor sitting in the corner.
b. Click the Hacker Backpack and investigate the contents. In his
backpack, he has a wireless router and a network sniffer. His goal is to
intercept user traffic and direct it to a malicious server.
c. Return to the Cafe and click the Cafe Customer laptop
> Desktop tab > PC Wireless application.
d. Click the Connect tab. You may need to click Refresh to see the list of
available wireless networks.
e. Click any of the Cafe_WI-FI_FAST network names and then
click Connect.
Step 2: Visit your favorite social media site.
a. Close the PC Wireless application and click Web Browser.
b. In the URL field, enter [Link], and then click Go. This website is
supposed to be a legitimate social network in this simulation.
Step 3: Investigate the source of the attack.
a. Close the Web Browser and click IP Configuration.
b. In the Cafe, click VPN Laptop > Desktop tab > IP Configuration.
c. Click Cafe Customer from your task bar to bring it back into view and
then arrange the two IP Configuration windows side by side.
Compare the values between the two devices.
d. Investigate the Cafe Hacker Laptop. On the Cafe Hacker Laptop, click the
Services tab > DNS.
e. Locate the Name for the [Link] website. Note that the IP address is the
same IP address as is associated with [Link] from the phishing attack
earlier.
f. Under Services, click DHCP. Notice that the DNS server address
distributed to the hosts over DHCP is the same one assigned to Cafe
Customer.
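The check a defender would run for the situation in Step 3, as an added example that is not part of the course activity: parse the IP Configuration display of the two hosts, flag a host whose DHCP lease points at a resolver the organization does not operate, and compare that resolver's answer for the social-media site with a trusted resolver's answer. The addresses, the trusted-resolver set, the answer table and the `lookup` stand-in for a real DNS query are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed IP Configuration output for the two hosts compared in Step 3,
# in the style of the Packet Tracer / ipconfig display.
CAFE_CUSTOMER = """\
IP Address........: 192.168.50.23
Subnet Mask.......: 255.255.255.0
Default Gateway...: 192.168.50.1
DNS Server........: 192.168.50.1
"""
VPN_LAPTOP = """\
IP Address........: 10.20.0.45
Subnet Mask.......: 255.255.255.0
Default Gateway...: 10.20.0.1
DNS Server........: 10.20.0.2
"""

# Constructed reference data: the resolvers the organization operates, the
# answer each resolver gives for the social-media site, and the IP already
# tied to the phishing site in Part 2 (the "same IP address" observation).
TRUSTED_DNS = {"10.20.0.2", "10.20.0.3"}
SITE = "social.example"
ANSWERS = {                                   # resolver -> {name: A record}
    "10.20.0.2":    {SITE: "203.0.113.50"},   # legitimate answer
    "192.168.50.1": {SITE: "198.51.100.66"},  # rogue resolver's answer
}
KNOWN_BAD_IPS = {"198.51.100.66"}             # phishing site IP from Part 2

FIELD_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\.*\s*:\s*(?P<value>\S+)", re.M)


def parse_ipconfig(text: str) -> Dict[str, str]:
    """Turn the dotted 'Name....: value' display into a dict."""
    return {m["name"].strip(): m["value"] for m in FIELD_RE.finditer(text)}


def lookup(resolver: str, name: str) -> str:
    """Stand-in for a DNS query: read the constructed answer table."""
    return ANSWERS.get(resolver, {}).get(name, "")


def audit_host(label: str, text: str) -> List[str]:
    """Findings for one host: untrusted resolver, and a hijacked answer."""
    cfg = parse_ipconfig(text)
    findings = []
    resolver = cfg.get("DNS Server", "")
    if resolver not in TRUSTED_DNS:
        findings.append(f"{label}: DHCP handed out resolver {resolver}, "
                        f"which is not an approved resolver")
    # Compare what this host's resolver says against a trusted resolver.
    trusted_answer = lookup(sorted(TRUSTED_DNS)[0], SITE)
    seen = lookup(resolver, SITE)
    if seen and seen != trusted_answer:
        msg = (f"{label}: {SITE} resolves to {seen} via {resolver}, "
               f"trusted answer is {trusted_answer}")
        if seen in KNOWN_BAD_IPS:
            msg += " (matches a known malicious IP)"
        findings.append(msg)
    return findings


def audit_all() -> Dict[str, List[str]]:
    """Audit both hosts from Step 3 and return findings per host."""
    return {"Cafe Customer": audit_host("Cafe Customer", CAFE_CUSTOMER),
            "VPN Laptop": audit_host("VPN Laptop", VPN_LAPTOP)}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "->", findings or ["no findings"])
```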
Summary
In this activity, we have looked at three different ways in which
vulnerabilities can lead to exploits. As an informed network user or
cybersecurity professional, it is your responsibility to think about the
different ways in which such vulnerabilities can be detected and mitigated
before a cyber attack occurs.
2.2 Who is Attacking Our Network?
2.2.1 Threat, Vulnerability, and Risk
We are under attack and attackers want access to our assets. Assets are
anything of value to an organization, such as data and other intellectual
property, servers, computers, smart phones, tablets, and more.
Threat - A potential danger to an asset such as data or the network itself.
Vulnerability - A weakness in a system or its design that could be exploited
by a threat.
Attack surface - An attack surface is the total sum of the vulnerabilities
in a given system that are accessible to an attacker. The attack surface
describes different points where an attacker could get into a system, and
where they could get data out of the system. For example, your operating
system and web browser could both need security patches. They are each
vulnerable to attacks and are exposed on the network or the internet.
Together, they create an attack surface that the threat actor can exploit.
Exploit - The mechanism that is used to leverage a vulnerability to
compromise an asset. Exploits may be remote or local. A remote exploit is
one that works over the network without any prior access to the target
system. The attacker does not need an account in the end system to exploit
the vulnerability. In a local exploit, the threat actor has some type of
user or administrative access to the end system. A local exploit does not
necessarily mean that the attacker has physical access to the end system.
Risk - The likelihood that a particular threat will exploit a particular
vulnerability of an asset and result in an undesirable consequence.
Risk management is the process that balances the operational costs
of providing protective measures with the gains achieved by
protecting the asset.
There are four common ways to manage risk, as shown below:
Risk acceptance - This is when the cost of risk management options
outweighs the cost of the risk itself. The risk is accepted, and no action is
taken.
Risk avoidance - This means avoiding any exposure to the risk by
eliminating the activity or device that presents the risk. By eliminating an
activity to avoid risk, any benefits that are possible from the activity are
also lost.
Risk reduction - This reduces exposure to risk, or the impact of the risk,
by taking action to decrease the risk. It is the most commonly used risk
mitigation strategy. This strategy requires careful evaluation of the costs
of loss, the mitigation strategy, and the benefits gained from the operation
or activity that is at risk.
Risk transfer - Some or all of the risk is transferred to a willing third
party such as an insurance company.
Other commonly used network security terms include:
Countermeasure - The actions that are taken to protect assets by
mitigating a threat or reducing risk.
Impact - The potential damage to the organization that is caused by
the threat.
Note: A local exploit requires inside network access such as a user with an
account on the network. A remote exploit does not require an account on the
network to exploit that network’s vulnerability.
As we know, “hacker” is a common term used to describe a threat actor.
However, the term “hacker” has a variety of meanings, as follows:
A clever programmer capable of developing new programs and coding
changes to existing programs to make them more efficient.
A network professional that uses sophisticated programming skills to
ensure that networks are not vulnerable to attack.
A person who tries to gain unauthorized access to devices on the
internet.
An individual who runs programs to prevent or slow network access for a
large number of users, or to corrupt or wipe out data on servers.
1. White hat hackers are ethical hackers who use their programming skills
for good, ethical, and legal purposes. They may perform network
penetration tests in an attempt to compromise networks and systems
by using their knowledge of computer security systems to discover
network vulnerabilities. Security vulnerabilities are reported to
developers and security personnel who attempt to fix the vulnerability
before it can be exploited. Some organizations award prizes or
bounties to white hat hackers when they provide information that helps
to identify vulnerabilities.
2. Grey hat hackers are individuals who commit crimes and do arguably
unethical things, but not for personal gain or to cause damage. An
example would be someone who compromises a network without
permission and then discloses the vulnerability publicly. Grey hat
hackers may disclose a vulnerability to the affected organization after
having compromised their network. This allows the organization to fix
the problem.
3. Black hat hackers are unethical criminals who violate computer and
network security for personal gain, or for malicious reasons, such as
attacking networks. Black hat hackers exploit vulnerabilities to
compromise computer and network systems.
2.2.3 Evolution of Threat Actors
1. Script kiddies - The term script kiddies emerged in the 1990s and refers
to teenagers or inexperienced threat actors running existing scripts, tools,
and exploits to cause harm, but typically not for profit.
2. Vulnerability brokers - This typically refers to grey hat hackers who
attempt to discover exploits and report them to vendors, sometimes for
prizes or rewards.
3. Hacktivists - This is a term that refers to grey hat hackers who rally
and protest against different political and social ideas. Hacktivists
publicly protest against organizations or governments by posting articles
and videos, leaking sensitive information, and performing distributed denial
of service (DDoS) attacks.
4. Cybercriminals - This is a term for black hat hackers who are either
self-employed or working for large cybercrime organizations. Each year,
cybercriminals are responsible for stealing billions of dollars from
consumers and businesses.
2.2.4 Cybercriminals
Cybercriminals are threat actors who are motivated to make money
using any means necessary. While sometimes cybercriminals work
independently, they are more often financed and sponsored by
criminal organizations. It is estimated that globally, cybercriminals
steal billions of dollars from consumers and businesses every year.
Cybercriminals operate in an underground economy where they buy,
sell, and trade exploits and tools. They also buy and sell the personal
information and intellectual property that they steal from victims.
Cybercriminals target small businesses and consumers, as well as large
enterprises and industries.
2.2.5 Cybersecurity Tasks
Threat actors do not discriminate. They target the vulnerable
end devices of home users and small-to-medium sized
businesses, as well as large public and private organizations.
To make the internet and networks safer and more secure, we
must all develop good cybersecurity awareness. Cybersecurity
is a shared responsibility which all users must practice. For
example, we must report cybercrime to the appropriate
authorities, be aware of potential threats in email and the
web, and guard important information from theft.
Organizations must take action and protect their assets, users,
and customers. They must develop and practice cybersecurity
tasks such as the following:
1. Cybersecurity checklist
2. Trustworthy IT vendor
3. Security software up-to-date
4. Regular penetration tests
5. Backup to cloud and hard disk
6. Periodically change Wi-Fi password
7. Security policy up-to-date
8. Enforce use of strong passwords
9. Two factor authentication
2.2.6 Cyber Threat Indicators
Many network attacks can be prevented by sharing information about
indicators of compromise (IOC). Each attack has unique identifiable
attributes. Indicators of compromise are the evidence that an attack
has occurred. IOCs can be features that identify malware files, IP
addresses of servers that are used in attacks, filenames, and
characteristic changes made to end system software, among others.
IOCs help cybersecurity personnel identify what has happened in an
attack and develop defenses against the attack. A summary of the IOC
for a piece of malware is shown in the figure.
Malware File - "[Link]"
sha256 6a6c28f5666b12beecd56a3d1d517e409b5d6866c03f9be44ddd9efffa90f1e0
sha1 eb019ad1c73ee69195c3fc84ebf44e95c147bef8
md5 3a104b73bb96dfed288097e9dc0a11a8
DNS requests
domain [Link]
domain [Link]
domain _sips._tcp.[Link]
domain [Link]
Connections
ip [Link]
ip [Link]
For instance, a user receives an email claiming they have won a big
prize. Clicking on the link in the email results in an attack. The IOC
could include the fact the user did not enter that contest, the IP
address of the sender, the email subject line, the URL to click, or an
attachment to download, among others.
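How a shared IOC summary like the one in the figure is actually consumed, as an added example that is not part of the course material: the file hashes, DNS request domains and connection IPs are loaded into sets and matched against local telemetry (file hashes, a DNS query log, a firewall connection log). Every IOC value and log line below is constructed for the example; the three hashes are the standard "abc" test vectors, so the sample file `b"abc"` matches them, and domain matching is on label boundaries so that a look-alike name does not match.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# IOC summary in the shape of the figure above. All values are constructed for
# this example: the three hashes are those of the constructed SAMPLE_FILE bytes
# (the standard "abc" test vectors), domains use .example, and IPs come from
# the RFC 5737 documentation ranges.
IOC = {
    "hashes": {
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",  # sha256
        "a9993e364706816aba3e25717850c26c9cd0d89d",                          # sha1
        "900150983cd24fb0d6963f7d28e17f72",                                  # md5
    },
    "domains": {"update-check.example", "_sips._tcp.voip.example"},
    "ips": {"198.51.100.23", "203.0.113.77"},
}
SAMPLE_FILE = b"abc"  # constructed stand-in for the malware file in the figure

# Constructed telemetry: a DNS query log and a firewall connection log.
DNS_LOG = """\
2024-05-01T10:02:11Z client=10.0.0.15 query=www.update-check.example. type=A
2024-05-01T10:02:13Z client=10.0.0.15 query=_sips._tcp.voip.example type=SRV
2024-05-01T10:02:20Z client=10.0.0.16 query=intranet.corp.example type=A
2024-05-01T10:02:25Z client=10.0.0.17 query=notupdate-check.example type=A
""".splitlines()
CONN_LOG = """\
2024-05-01T10:02:12Z src=10.0.0.15 dst=198.51.100.23:443 proto=tcp
2024-05-01T10:02:30Z src=10.0.0.16 dst=192.0.2.10:80 proto=tcp
2024-05-01T10:02:31Z src=10.0.0.15 dst=203.0.113.77:5060 proto=udp
""".splitlines()


@dataclass(frozen=True)
class Hit:
    kind: str       # "hash", "domain" or "ip"
    indicator: str  # the IOC value that matched
    evidence: str   # the log line or file label that produced the match


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot so 'A.Example.' equals 'a.example'."""
    return name.strip().lower().rstrip(".")


def domain_matches(qname: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the IOC domain that equals qname or is a parent of it.

    Sub-domain matching is deliberate (attackers rotate host labels under one
    registered domain), but it is done on a label boundary, so
    'notupdate-check.example' does not match 'update-check.example'.
    """
    q = normalize_domain(qname)
    for ioc in ioc_domains:
        d = normalize_domain(ioc)
        if q == d or q.endswith("." + d):
            return d
    return None


DNS_RE = re.compile(r"query=(?P<q>\S+)")
CONN_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")


def scan_dns_log(lines, ioc=IOC) -> List[Hit]:
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        d = domain_matches(m["q"], ioc["domains"]) if m else None
        if d:
            hits.append(Hit("domain", d, line))
    return hits


def scan_conn_log(lines, ioc=IOC) -> List[Hit]:
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and m["ip"] in ioc["ips"]:
            hits.append(Hit("ip", m["ip"], line))
    return hits


def scan_file(data: bytes, label: str, ioc=IOC) -> List[Hit]:
    """Hash the bytes with all three algorithms; any single match is enough."""
    hits = []
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in ioc["hashes"]:
            hits.append(Hit("hash", digest, f"{label} ({algo})"))
    return hits


def scan_all() -> List[Hit]:
    """Run every matcher over the constructed telemetry and return all hits."""
    return (scan_file(SAMPLE_FILE, "sample.exe")
            + scan_dns_log(DNS_LOG)
            + scan_conn_log(CONN_LOG))


if __name__ == "__main__":
    for h in scan_all():
        print(f"[{h.kind}] {h.indicator}  <-  {h.evidence}")
```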
Indicators of attack (IOA) focus more on the motivation behind an
attack and the potential means by which threat actors have, or will,
compromise vulnerabilities to gain access to assets. IOAs are
concerned with the strategies that are used by attackers. For this
reason, rather than informing response to a single threat, IOAs can
help generate a proactive security approach. This is because strategies
can be reused in multiple contexts and multiple attacks. Defending
against a strategy can therefore prevent future attacks that utilize the
same, or similar strategy.
2.2.7 Threat Sharing and Building Cybersecurity Awareness
Governments are now actively promoting cybersecurity. For instance,
the US Cybersecurity and Infrastructure Security Agency (CISA) is
leading efforts to automate the sharing of cybersecurity information
with public and private organizations at no cost. CISA uses a system
called Automated
Indicator Sharing (AIS). AIS enables the sharing of attack indicators
between the US government and the private sector as soon as threats
are verified. CISA offers many resources that help to limit the size of
the United States attack surface.
CISA and the National Cyber Security Alliance (NCSA) promote
cybersecurity to all users. For example, they run an annual campaign
every October called "National Cybersecurity Awareness Month"
(NCASM). This campaign was developed to promote and raise
awareness about cybersecurity.
The theme for the NCASM for 2019 was “Own IT. Secure IT. Protect
IT.” This campaign encouraged all citizens to be safer and more
personally accountable for using security best practices online. The
campaign provides material on a wide variety of security topics
including:
- Social media safety
- Updating privacy settings
- Awareness of device app security
- Keeping software up-to-date
- Safe online shopping
- Wi-Fi safety
- Protecting customer data
The European Union Agency for Cybersecurity (ENISA) delivers advice
and solutions for the cybersecurity challenges of the EU member
states. ENISA fills a role in Europe that is similar to the role of CISA in
the US.
Current State of Affairs
Network security relates directly to an organization's business
continuity. Network security breaches can disrupt e-commerce, cause
the loss of business data, threaten people’s privacy, and compromise
the integrity of information. These breaches can result in lost revenue
for corporations, theft of intellectual property, lawsuits, and can even
threaten public safety.
Many tools are available to help network administrators adapt,
develop, and implement threat mitigation techniques, including the
Cisco Talos Intelligence Group. An attack vector is a path by which a
threat actor can gain access to a server, host, or network. Attack
vectors originate from inside or outside the corporate network.
Data is likely to be an organization’s most valuable asset. Various DLP
controls must be implemented, that combine strategic, operational,
and tactical measures. Common data loss vectors include email and
social networking, unencrypted data devices, cloud storage devices,
removable media, hard copy, and improper access control.
Who is Attacking Our Network?
Understanding network security requires you to understand the
following terms: threat, vulnerability, attack surface, exploit, and risk.
Risk management is the process that balances the operational costs of
providing protective measures with the gains achieved by protecting
the asset.
Four common ways to manage risk are risk acceptance, risk avoidance,
risk reduction, and risk transfer.
Hacker is a term used to describe a threat actor. White hat hackers are
ethical hackers using their skills for good, ethical, and legal purposes.
Grey hat hackers are individuals who commit crimes and do unethical
things, but not for personal gain or to cause damage. Black hat hackers
are criminals who violate computer and network security for personal
gain, or for malicious reasons, such as attacking networks. Threat
actors include script kiddies, vulnerability brokers, hacktivists,
cybercriminals, and state-sponsored hackers. Many network attacks
can be prevented by sharing information about IOCs. Many
governments are promoting cybersecurity. CISA and NCSA are
examples of such organizations.