Malware

This is a guide on malware.


Threat Actor Types

In cybersecurity, a threat actor is the entity that's responsible for intentional malicious activity.
 
So it’s important, as a cybersecurity analyst, that we have a sense of why threat actors do what they do. Understanding the motivations gives us more insight, so we can better protect against these types of threats, or at least minimize their impact.
 
Before we define various categories of threat actors, let's think for a moment about what the motivations would be. Why do individuals or groups, or organizations, or nation-states, execute cybersecurity attacks? One reason is bragging rights. This is definitely true at the individual level. Some attackers will get a feeling of power by being able to brag about some of their cybersecurity attack exploits.
 
Of course, there’s always financial gain. Why do groups get involved with deploying ransomware? Because the payoffs can be enormous for a minimal amount of work.

Then there is political meddling. There have been plenty of allegations over the years between various nation-states about meddling in the political process to try to influence the outcome in a way that benefits some party.

Another motivation would be ideological agendas. Different countries around the world have different ideas on how the world should be run and where the balance of power should lie. As a result, some of these ideologies, which also include differing religions and belief systems, can motivate attacks on other nation-states that don’t share those same values.

That leads into military motivations. Cybersecurity espionage, and ultimately attacks, can be conducted by nation-states as a form of military action, otherwise called cyberwarfare. Here we aren’t necessarily using physical soldiers, artillery and so on to wage war, but rather cybersecurity attacks, to control supply lines and social infrastructure such as power grids, fresh water supplies, and so on.

And then, of course, there’s always extortion: trying to blackmail victims into some kind of a payout, which falls under the category of financial gain. It’s all very terrible stuff, but the fact is it exists.
 
So moving on to threat actors, let's not forget about the insider threat. This is the motivation behind the zero-trust model: of course we have limited trust and treat external influences on our networks as hostile, but that is the perspective you should also take on the inside. What if we have a compromised user or device inside the network? We need to be prepared to defend against those types of threats.

Now sometimes that will be intentional, by insiders such as disgruntled employees. But often it’s unintentional, perhaps due to a lack of security training and awareness, where users might unintentionally open a file attachment that looks like an invoice from a vendor when really it’s an infected file.
 
A hacktivist is another threat actor type. Hacktivists try to promote their ideology, whatever that entails, whether it's based on religion, on the global balance of power, or on some kind of protest against an issue such as climate change; it could be anything. So these activities are not normally hidden.

The whole idea is to promote an ideology, sometimes through cyberattacks. That would include things like distributed denial-of-service (DDoS) attacks, where a number of infected machines, otherwise called bots or zombies, are instructed to flood a target victim network with useless traffic, thus preventing legitimate traffic from getting through.

Another favorite technique of hacktivist groups is website defacement to get their point across, or taking over the social media accounts of public figures. What should also come to mind are the reports we've heard over the years about the international hacking group named Anonymous, which seems to focus on internet vigilantism.
 
Another threat actor type, of course, is organized crime. The payoffs can be enormous because of the large potential victim reach, which is the entire Internet, global as opposed to the local or regional pool of victims of traditional organized crime. The risk is also low when you think about it: over the Internet you can be quite anonymous, including through VPN tunnels, so crimes can be perpetrated from anywhere in the world with an Internet connection, and it can be difficult to trace some of these types of connections.

Then there are untraceable payments, such as through cryptocurrency. It’s not necessarily untraceable if someone is not careful: from a malicious actor's standpoint, setting up a digital payment account is the kind of thing that can be traced. If law enforcement can link a person or an organization to a digital account, then things can be traced that way. But another aspect of staying untraceable is making connections to the Internet over some kind of a VPN or an encrypted overlay network like the Tor network, through the dark web.

And then we have nation-state threat actors. There seem to be more and more media reports about this, certainly in past years, whether or not it can be proven. We’re talking here about partially or fully funded government threat actors.

If you take the perspective for a moment of a malicious government that wants to attack another nation-state, or steal military secrets, whatever the case might be, ideally they would fund other groups, under the radar, to do their dirty work for them, so they could wipe their hands of it and have plausible deniability. So often, nation-states will target other governments to disrupt the political process, for financial gain, or to try to reduce the power of other governments.

It also involves cyber espionage, which really means spying, such as installing advanced persistent threat (APT) malware on government computers that stays quiet for many years at a time and remains undetected. So often this involves hiring skilled hacking groups.

Sometimes, by reverse engineering and analyzing how malware was created, some of the comments within it can lead to clues about who created it. But of course, nation-state attackers can intentionally create code that appears to be from another nation. So it can be very difficult to trace these things back sometimes.
 

Malicious Activity and Baselines

An effective cybersecurity plan within an organization has the ability for early detection of indicators of compromise, and part of that is detecting malicious activity by determining outliers from normal baselines of activity and from security configurations. So this is all about threat hunting, which means we want to detect potential security issues before they become real issues.

In order to do this properly, we need to establish what is normal in terms of performance, such as the amount of memory utilization and CPU utilization on a given host, and network utilization for given network segments. We then need to have network and security baselines, an example of which would be knowing which devices should be on the network from previous scans, compared to what's been detected on a current scan.

A security baseline would apply, for example, to a Windows client operating system, perhaps running on laptops used by employees, where we have a standard security configuration. We need to be able to not only apply that, but also detect non-compliance. All of these things are going to facilitate threat identification.
 
Pictured on the screen, we’ve got a screenshot of the Microsoft Azure cloud and its security recommendations. Using the Azure Monitor tool, we can determine if there are any security misconfigurations within our environment, including ones that don't comply with specific standards like PCI DSS or regulations like GDPR.

In the left-hand navigator, Advisor recommendations has been selected. Over on the right we have a Rating bar with High impact, Medium impact, and Low impact potential threats. [Video description begins] High impact, Medium impact, and Low impact threats are represented by red, orange, and blue colors respectively. [Video description ends] For example, the second High impact item states that Microsoft Defender for Containers should be enabled. So if you're using containerized applications in the cloud, which in this case it detects that we are, it's making a recommendation based on that. The third High impact security recommendation is focused on making sure we have MFA enabled for privileged admin accounts. So this is great: it is constantly looking at our configurations in the background to come up with these recommendations.

Our next screenshot is of the Nessus vulnerability scanning tool. There are many vulnerability scanning tools out there; Nessus is just one of them. What we have here is a list of hosts shown by IP address. The host at the top, whose address is 192.168.2.1, is showing a small number of potential vulnerabilities. In the colored bar, the red, orange, and yellow only take up a tiny portion of the overall bar, which here is showing mostly informational messages. [Video description begins] The vulnerabilities classified as Critical, High, Medium, Low, and Info are represented by the colors dark red, red, orange, yellow, and light blue respectively. [Video description ends]
 
Using vulnerability scanning tools like Nessus also means that you can save these results and run future scans and compare the two to see what's different. That can be one way to detect things on the network that should not be there. And of course, the vulnerability scan results themselves, if we were to click on any of these hosts would take us into the details so we know which issues need to be addressed. Perhaps we would update a security baseline that we would then deploy, from a centralized tool, to all of our devices.
 
Security baselines can also be used, along with performance baselines, to detect potential malicious activity, such as an abnormally high number of running processes on a given host compared to what is normally running, or exceptionally high resource consumption, whether it’s CPU utilization or network traffic in an outbound direction from a host. Anything beyond what we’d normally expect is always going to raise eyebrows. Of course, a lot of these tools are automated and will notify admins when these types of things are detected.

We then have to think about settings for operating systems and applications. Part of our baseline might lock things down, such as preventing users from turning off real-time endpoint malware protection, preventing users from delaying the application of patches, and of course making sure we only have the needed services running on machines, only the open ports that are absolutely required, and the same with installed components. So reduce the attack surface: get rid of stuff that isn't absolutely needed.
 
Other ways that malicious activity might be determined would be by looking at things like impossible travel time. This concept applies to a user with a sign-in at a given geographical location, where that same account is then used from maybe a country on the other side of the planet, minutes later. How could the user have traveled to that location in that small amount of time? Of course, we also have to consider, in this day and age, that a VPN could make it look like the traffic is coming from anywhere. But this is one of the things that's used to detect potential malicious activity for user sign-ins, both on-premises and in the cloud.

The same type of thing is always examined when it comes to abnormal use of privileges, such as an employee in the finance department accessing all documents on a given server, or all rows in a database that they do have access to, although they normally only access smaller amounts of data at a given time. So all of these things are important for the detection of malicious activity.
 
Cybersecurity analysts need to make sure there is a centralized and automated recurring schedule for security compliance scanning. These compliance scans can be applied to various aspects of IT systems. For example, we might have a compliance scan for a network segment where we know sensitive data is hosted, and that happens much more frequently than a compliance scan for another network with less sensitive data.
 
We've talked about how it's important to have an automated way to periodically compare past and current scans to see if there's anything new, whether things have been removed from the network, or perhaps things have been added, that shouldn’t be. Security compliance scanning can also have auto-remediation enabled. So if we detect some kind of configuration drift from a secure configuration standard, say, on a laptop, then it will remediate that and lock it back down, while of course notifying administrators.
 
Let's take a few minutes to talk about some standard potential indicators of compromise, such as abnormal operating system processes: not just the number of them, but the presence of processes that normally aren't there. Unusual network traffic patterns, whether it’s for traffic coming in or for traffic leaving the network. Unusual patterns related to storage capacity utilization, or new unauthorized or rogue devices on the network; again, comparing past and current scans will easily identify those types of things. Picking up device configuration changes that weren’t authorized through a change management system, such as changes to the Windows Registry or changes to client web browser homepages.

So all of these things could be potential indicators of compromise that must be assessed to determine if they actually do represent a threat.
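Two of the baseline checks described above, written out as an added example (not code from this course): a comparison of a previous and a current network scan, and an impossible-travel check over sign-in events. The scan inventories, the sign-in events and the 900 km/h speed threshold are constructed assumptions.

```python
"""Baseline checks: network scan comparison and impossible travel.

Added example, not code from this course. Scan inventories, sign-in events
and the speed threshold below are all constructed assumptions.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


def diff_scans(previous, current):
    """Compare two scan inventories of the form {ip: set_of_open_ports}.

    Returns hosts that appeared since the last scan, hosts that disappeared,
    and ports that are newly open on hosts present in both scans.
    """
    prev_hosts, cur_hosts = set(previous), set(current)
    new_ports = {}
    for ip in prev_hosts & cur_hosts:
        opened = current[ip] - previous[ip]
        if opened:
            new_ports[ip] = sorted(opened)
    return {
        "new_hosts": sorted(cur_hosts - prev_hosts),
        "missing_hosts": sorted(prev_hosts - cur_hosts),
        "new_ports": new_ports,
    }


# Constructed scan results; the 192.168.2.x range mirrors the demo network used later.
PREVIOUS_SCAN = {
    "192.168.2.1": {22, 443},
    "192.168.2.34": {21, 22, 80, 3306},
}
CURRENT_SCAN = {
    "192.168.2.1": {22, 443},
    "192.168.2.34": {21, 22, 80, 3306, 8080},  # a new listening service appeared
    "192.168.2.37": {80},                      # a host not seen in the previous scan
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive sign-ins of one account that imply travel faster than max_speed_kmh.

    events: iterable of (account, iso8601_timestamp_with_utc_offset, latitude, longitude).
    The 900 km/h default (roughly airliner speed) is an assumed threshold.
    Returns a list of findings, one dict per suspicious pair of sign-ins.
    """
    by_account = {}
    for account, ts, lat, lon in events:
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        by_account.setdefault(account, []).append((when, lat, lon))

    findings = []
    for account, seq in by_account.items():
        seq.sort()  # chronological order; tuples compare on the timestamp first
        for (t1, la1, lo1), (t2, la2, lo2) in zip(seq, seq[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            # Edge case: two sign-ins at the same instant from different places.
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0
            if speed > max_speed_kmh:
                findings.append({
                    "account": account,
                    "from": t1.isoformat(),
                    "to": t2.isoformat(),
                    "km": round(km),
                    "kmh": round(speed) if hours > 0 else None,  # None = same instant
                })
    return findings


# Constructed sign-ins: alice appears in Toronto and then in Sydney 20 minutes later,
# while bob goes from Toronto to New York in two hours, which is plausible.
SIGN_INS = [
    ("alice", "2024-03-01T09:00:00+00:00", 43.65, -79.38),
    ("alice", "2024-03-01T09:20:00+00:00", -33.87, 151.21),
    ("bob", "2024-03-01T09:00:00+00:00", 43.65, -79.38),
    ("bob", "2024-03-01T11:00:00+00:00", 40.71, -74.01),
]

if __name__ == "__main__":
    print(diff_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    for finding in impossible_travel(SIGN_INS):
        print("impossible travel:", finding)
```

As the text notes, a VPN can make a legitimate sign-in appear to come from anywhere, so a hit is a lead to investigate rather than proof of compromise.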
 

Social Engineering

Social engineering is rampant these days. Perhaps you've received an email message that is obviously some type of a scam, trying to trick you into providing sensitive information. Or you get a call on the phone, supposedly from a credit card company, asking you to verify a purchase with credit card details; the list goes on and on.
 
So social engineering, what is this? It’s trickery; it’s deception by a malicious actor, so they can somehow benefit from the information they are given as a result of their trickery and deception. The goal is to make sure that victims are fooled into believing what they're being told and ultimately divulging sensitive information like usernames, passwords or credit card information, which in an IT environment could ultimately allow the malicious actors access to secured resources.

So what are some social engineering techniques? This is something that is paramount, in that it should be a part of user security training, which needs to happen frequently, because this is probably the biggest thing you can do in an organization to protect sensitive data processed and stored by digital systems.

So one social engineering technique is impersonating a government official, such as someone from the tax department stating that a warrant has been issued for your arrest unless you pay an outstanding income tax amount. So it's really based on fear, and people that may not know any better, or perhaps the elderly, might believe that this is actually true. Now you'll know something's up if, say, this is a phone call and they’re asking for some kind of unique social security number. Well, if they're the tax department, wouldn't they have it already, since they called you?
 
Another technique is impersonating someone else in power, like law enforcement, such as a pop-up in a web browsing session that states you must pay a fine.

Of course, then there are phishing campaigns, such as through email messages, which attempt to trick people into clicking a link or downloading a file and opening it. Phishing campaigns can also be conducted via social media, such as “Oh look, here’s a video with you in it!” People being the curious creatures they are will probably click that link to see what the video is all about.

Or it could be an SMS text message trying to trick you into sending a money order or some kind of an e-transfer payment, perhaps if you're trying to buy something in an online marketplace. Of course, it could also be just a regular phone call, as in our previous two examples of impersonation.

Social engineering might also be done for the purpose of extortion or blackmail. There are so many email campaigns related to this, stating that your web camera has been turned on, you have been recorded over a long period of time, and unless you want that video released to the public, you will pay a fee. So it's based on fear tactics once again.
 
So social engineering does not have to be sophisticated in the sense of using technology; it can be done without malware. An attacker might impersonate, let's say, a communications provider technician over the phone, with their ultimate goal being to get into a wiring closet or a server room on-premises somewhere.

After that call the attacker would then show up dressed convincingly. They look the part, they sound the part, and since there was already a call, they are expected. The victim, such as a front desk receptionist, might then allow the attacker into a server room or a wiring closet because they appear legitimate. So now the attacker would have physical access to all of that equipment, which means that they would have bypassed a lot of security configurations just by gaining physical access to a device. So if they have physical access to a storage array, for example, you want to make sure that you have encryption enabled, in case those physical storage devices are stolen.
 
Let's take a look at how a social engineering attack might work through phishing. So the victim, let’s say, receives a legitimate-looking email. Legitimate means it might be related to where the user has an account either personally or through the company, such as a supplier. So there would be a company logo that looks legitimate. The email message might contain a link.
 
The victim would then be fooled into clicking the link, thinking it's legitimate. Perhaps the link states it's where you would click to open up an invoice, and it looks like it's from a valid supplier that we do business with. However, people need to understand that if you didn't ask for something, or if it’s outside the normal way of doing things, always treat it as hostile. So the link that was clicked would perhaps download and install malware, or it might trick the user into providing credentials to a fake website, because it links to a site that looks real but is just used to harvest credentials. It all sounds terrible and deceptive, and it all really is, but that's just the way it is out there. We need to be aware of this, and so does everybody in the organization.
 
A ransomware example could be very similar, where a victim might receive a legitimate-looking email message. It might contain a malicious file attachment, but of course, the user doesn't know it's malicious. The user is tricked into opening the file attachment, at which point that might be a trigger, for ransomware to either get installed on the device or to execute on the device, depending on what's in the attachment.
 
The ransomware would talk to a command and control (C2) server somewhere, and perhaps generate a key pair that's used to encrypt data files. Normally the public key encrypts and the private key decrypts, or it could be just a single symmetric key. Either way, victims are coerced into providing a ransom payment in exchange for receiving the decryption key, whether it’s symmetric or asymmetric.
 
Pictured on the screen, we have an example of a real phishing email message. It says something like: are you ready to pick up your first $5,000 out of the 7.5 million? It's some kind of inheritance, and all you have to do is provide your name, address, mobile number, age, country and occupation. Normally this will then try to trick you into providing some kind of an initial payment to gain access to the full amount of the funds. Obviously, it’s a scam. This is preying on people who perhaps want to get a break, easy money, and those things just don’t exist.

So one very effective way to conduct security training and awareness for users is to include numerous messages like this, or to have some kind of a game: gamify it, make it fun and interesting, where you have dozens of email messages and participants must guess which are phishing and which are legitimate.

You might even gamify this further over time by letting employees know they will periodically receive email messages, without knowing when or which ones, that are designed to trick them but not do anything malicious, instead just recording the fact that something could have happened.
 
This happens within organizations today, and it's a great way to make sure people have a healthy dose of suspicion about them, when it comes to technology.
 

Executing a Social Engineering Attack

Of course, social engineering these days has a wide reach over the Internet. Through social media sites, through SMS text messaging on phones, even email messages that try to trick users to click a link and sign into a website or open a file attachment, the list goes on and on.
 
So what we're going to be doing here is using Kali Linux. Kali Linux is a penetration testing Linux distribution that includes a tool called the Social Engineering Toolkit. You can download Kali for free and run it as a virtual machine, or you can install it on a real machine; it doesn’t make a difference. It is an important part of the toolbox used by many penetration testers.

At the same time, we also have Metasploitable 2 from the rapid7.com website; this is an intentionally vulnerable virtual machine that you can download and run. [Video description begins] The host selects a tab from the browser and navigates to the rapid7.com website. [Video description ends] So we’re going to be using both Kali Linux and Metasploitable 2 in this demo.

One of the many things you can do with Metasploitable 2 is sign into the DVWA website, which literally stands for Damn Vulnerable Web Application. [Video description begins] The host selects a tab from the browser and the screen is now displaying the DVWA website. [Video description ends] Notice the URL here includes a login page, login.php, where we have both a Username and a Password field. [Video description begins] The URL reads 192.168.2.34/dvwa/login.php [Video description ends]
 
What I’m going to do is copy that URL. Basically, I’m going to execute an attack by running a small web server where I clone, or copy, this page, this site. This is something I would normally include in an email phishing campaign to try to trick users into clicking on it. You know the type of email messages you get: click here to sign into your account before your subscription expires, or whatever the case might be.

So normally we would do this by tricking a user into following a link. But let's see how to set up the fake mini web server stack that clones this real site. So I've downloaded and run Kali Linux, and I've signed in with the user kali and a password of kali. [Video description begins] The Kali Linux application is open in the background. [Video description ends] Now, different versions of this tool will have different sign-in credentials, but that's what we've got here for the 2021 version.
 
I’m going to run sudo setoolkit, the Social Engineering Toolkit, and press Enter. Here we have a menu-driven system that asks what we would like to do. Well, we want to execute a social engineering attack, so I’ll press 1. [Video description begins] The Select from the menu: section displays the following options serially, Option 1, Social - Engineering Attacks. Option 2, Penetration Testing (Fast-Track). Option 3, Third Party Modules. Option 4, Update the Social-Engineer Toolkit. Option 5, Update SET configuration. Option 6, Help, Credits, and About. And Option 99, Exit the Social-Engineer Toolkit. [Video description ends]
 
We then want to go into number 2, which is labeled Website Attack Vectors. [Video description begins] The Select from the menu: section now displays the following options serially, Option 1, Spear-Phishing Attack Vectors. Option 2, Website Attack Vectors. Option 3, Infectious Media Generator. Option 4, Create a Payload and Listener. Option 5, Mass Mailer Attack. Option 6, Arduino-Based Attack Vector. Option 7, Wireless Access Point Attack Vector. Option 8, QRCode Generator Attack Vector. Option 9, Powershell Attack Vectors. Option 10, Third Party Modules. Option 99, Return back to the main menu. [Video description ends] So I’ll press 2 and enter.
 
The next thing we want to do is run number 3, Credential Harvester Attack Method, I want to try to harvest user credentials. [Video description begins] The options are listed on the screen serially and they read, Java Applet Attack Method. Metasploit Browser Exploit Method. Credential Harvester Attack Method. Tabnabbing Attack Method. Web Jacking Attack Method. Multi-Attack Web Method. HTA Attack Method. Option 99 reads Return to Main Menu. [Video description ends]
 
One of the most common ways that's done is by setting up a fake website that looks like the real thing. Users try to sign in with their credentials, which you have then captured, and either the site simply doesn't log them in or it redirects the user to the real site, where when they try to sign in again, they succeed. The user might just think, oops, perhaps I typed in my password incorrectly, if they’re typing in passwords and not using password manager tools.

So I’m going to press number 3, and then I’ll press number 2 for Site Cloner. [Video description begins] Three options are listed serially on the screen, namely, Web Templates, Site Cloner, and Custom Import. Option 99 reads Return to the Webattack Menu. [Video description ends] It wants the IP address where we want the resultant harvested credentials to appear. [Video description begins] The center pane displays a note which reads *IMPORTANT* READ THIS BEFORE ENTERING IN THE IP ADDRESS *IMPORTANT* [Video description ends]

The default here in square brackets is the IP address of this Kali Linux host where I'm typing all of this in. [Video description begins] The IP address reads [192.168.2.37] : [Video description ends] That’s what I want, so I’ll press Enter. It then asks for the URL to clone. So I'll specify the URL for the login PHP page that we were looking at previously, and I'll press Enter. [Video description begins] The host pastes the URL link 192.168.2.34/dvwa/login.php into the Enter URL to clone: field. [Video description ends]

So basically it has set up a listener for connections to what appears to be a real website. Now what we need to do is somehow trick users into connecting to the website, in this example at 192.168.2.37. So maybe in an email phishing campaign we would provide a link, perhaps obfuscated or shortened using a URL shortener tool, or some other way to make it not so obvious that it’s just a bare IP.

Or, if you can manage to compromise a user's system, you might modify their local hosts file so the DNS name resolves to this IP. Of course, this is an internal private IP address. If you’re doing this as a pen tester, you probably want that to be a public IP that people would be tricked into following the link to.
 
So we're going to open up a web browser for this Kali Linux station, where we’ve got the cloned website, 192.168.2.37 [Video description begins] The host pastes the IP address into the browser and a DVWA website opens. Two fields namely, Username and Password are visible in the center pane. A Login button can be seen below the two fields. [Video description ends] It looks like the real DVWA sign-in page.
 
Of course, it's been copied and cloned. So if I were to put in a name, let’s say fakeuser, and a password, let’s say fakepassword, and click Login, it just kind of blips. That happens sometimes: oops, maybe I typed in the username incorrectly, or whatever the case might be. And if you really want to get in-depth, there are ways to configure and modify this so it redirects users to the real site after it's gathered the credentials.

But let’s go back and take a look at our Kali Linux host. Just like that, it says there was a USERNAME field on the form, and the username that was entered was fakeuser. For the password, fakepassword was entered. [Video description begins] The Kali Linux application displays multiple prompts reading, POSSIBLE USERNAME FIELD FOUND: username = fakeuser. POSSIBLE PASSWORD FIELD FOUND: password = fakepassword. POSSIBLE USERNAME FIELD FOUND: Login= Login. A note reading WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT can be seen at the bottom of the window. [Video description ends]

Whether this works correctly depends on the website and how it authenticates users. For this particular type of attack to work, there needs to be a username and a password field. So at this point, an attacker would have a username and a password for the site that they cloned, which would give them access to that site in some way.
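From the defender's side, one way to spot the traffic such a cloned login page produces, as an added example that is not part of the course or of the Social Engineering Toolkit: it scans web-proxy log lines for sign-in form submissions that go to the wrong host. The log format, the log lines and the EXPECTED_LOGIN_HOSTS map are constructed assumptions; only 192.168.2.34 (the real DVWA login page) and 192.168.2.37 (the clone) come from the demo.

```python
"""Find sign-in form submissions that go to a cloned login page, from web-proxy logs.

Added example, not part of the course or of the Social Engineering Toolkit.
The log format, the log lines and EXPECTED_LOGIN_HOSTS are constructed
assumptions; 192.168.2.34 (real DVWA login) and 192.168.2.37 (the clone)
are the addresses from the demo above.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the organisation keeps a map of each login path it owns to the
# host(s) allowed to receive credentials for it.
EXPECTED_LOGIN_HOSTS = {
    "/dvwa/login.php": {"192.168.2.34"},
}

# Constructed proxy log format: <timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return the reasons a log line looks like a credential harvest, or [] if it looks clean."""
    m = LOG_LINE.match(line.strip())
    if not m or m["method"] != "POST":
        return []  # unparseable lines and non-submissions are skipped, not flagged
    parts = urlsplit(m["url"])
    host, path = parts.hostname or "", parts.path
    reasons = []
    expected = EXPECTED_LOGIN_HOSTS.get(path)
    if expected is not None:
        # A known login form posted anywhere but its real host: the site-cloner pattern.
        if host not in expected:
            reasons.append(f"login form for {path} posted to unexpected host {host}")
    elif is_ip_literal(host) and "login" in path.lower():
        # An unknown login-looking form served from a bare IP, as in the demo link.
        reasons.append(f"login form posted to bare IP address {host}")
    return reasons


def find_suspicious(log_text):
    """Run classify over every line; returns [(line_number, line, reasons), ...]."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify(line)
        if reasons:
            hits.append((number, line, reasons))
    return hits


# Constructed log lines: a real sign-in, the same form posted to the clone,
# unrelated traffic, and a login form on an unknown bare-IP host.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 192.168.2.50 GET http://192.168.2.34/dvwa/login.php 200
2024-03-01T09:00:05Z 192.168.2.50 POST http://192.168.2.34/dvwa/login.php 302
2024-03-01T09:12:40Z 192.168.2.51 GET http://192.168.2.37/dvwa/login.php 200
2024-03-01T09:12:47Z 192.168.2.51 POST http://192.168.2.37/dvwa/login.php 200
2024-03-01T09:13:00Z 192.168.2.51 POST https://intranet.example.com/api/search 200
2024-03-01T09:15:22Z 192.168.2.52 POST http://203.0.113.10/account/login 200
"""

if __name__ == "__main__":
    for number, line, reasons in find_suspicious(SAMPLE_LOG):
        print(f"line {number}: {line}")
        for reason in reasons:
            print("   -", reason)
```

It assumes the proxy records full URLs for POSTs (for HTTPS that requires TLS inspection); without that, only the destination host is available to check.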
 
So it’s important that, at all levels within an organization, users understand how important it is not to just randomly click on links that look legitimate, without thinking a few times about it.
 

Common Malware Types

There’s enough malware out there on the Internet to make your head spin. Malware is malicious software, and it’s a force to be reckoned with. We have to take a lot of steps to prevent malware from infiltrating our networks in the first place. And if it does occur, we need to be able to detect it and respond to it as quickly as possible: contain the incident while preparing to mitigate the impact of the malware.

Some of the questions you might want to ask yourself include: who are the attackers? In other words, why are they targeting our network, our hosts, and our sensitive data? What do they want? And maybe that's the answer: they want access to sensitive data, like credit card information that they can sell to others on the dark web.

These days, ransomware attacks on very large corporations are very targeted attacks indeed, and one of the reasons is that the attacker teams will determine how much these corporations make annually, what their cybersecurity insurance policies are, and the like.
 
Another question to consider is how will they attack? How will that malware get into our network? Will it be through phishing email messages? Will it be through infected USB thumb drives? Will it be by tricking people working from home to download infected files? Maybe for the latest Hollywood blockbuster movie that's not yet been released? Of course, people shouldn't be downloading that anyway, but it's a great way to infect people's computers.
 
And of course, we then have to ask how can we mitigate the threat? Number one on top of the list, always, user security awareness. People need to understand how incredibly easy it is to click on a link on a web page, download a file you shouldn’t be downloading. Click on a link in social media, opening a mail message that looks legitimate, and clicking a link. That’s all it takes to infect an entire network.
 
Depending on the type of threat detection and scanning tools you're using, they might not detect certain types of malware, especially when it comes to zero-day exploits. Zero-days are those that are not yet known to the vendor, so of course there can't be a fix yet. So how do you defend against that? User security awareness. And like I said, a healthy dose of suspicion; be very careful.
 
So the general malware infection process begins with reconnaissance. The attackers might do some reconnaissance to determine whether there are machines that might be more vulnerable than others, or, as I mentioned, which corporations make the most money and have the most cybersecurity insurance and thus are most likely to pay a ransom in the case of ransomware. So in one form or another, reconnaissance is completed.
 
In some cases, it might just be a mass email message as part of a phishing campaign, some kind of a scam. In that kind of example there's not necessarily reconnaissance per se, but in step two, one way or another, a user is tricked into providing sensitive information over the phone, into trying to sign into a fake website, or into clicking an infected file attachment. In step three the malware infects the device. Depending on the type of malware, it might not even be detected by malware scanners, and the nature of the malware determines what happens next.
 
The user might be blackmailed, or data might be exfiltrated through that compromised system. Data might be encrypted, as in the case of ransomware, or even deleted. The infected computer is called a bot, and a collection of those is called a botnet. The malware might remain dormant and undetected for an extended period of time, and then at some point in the future, possibly far in the future, the botnet might be instructed to run a DDoS attack against a victim. The bots will be told to wake up, so to speak, and to send useless traffic to a victim network.
 
So there are many different types of malware, one of which is a trojan. A trojan you could think of as a wolf in sheep's clothing: it looks benign and innocent, but really it's not. It might look like useful software, for example, and when people are tricked into installing it, it is itself malware. Or the trojan might just be a delivery mechanism used to deliver other types of malware, like ransomware. So oftentimes you'll get a collection of techniques used together in more sophisticated malware; each sample doesn't have to fit a single category.
 
A traditional virus exists by attaching itself to files on a computer. It can infect office productivity files, as in a Microsoft Word macro virus, for example, that is triggered when the document is opened. Or a virus might be introduced via app installers, where people are tricked into downloading what appears to be great free software. Or a virus might be introduced by fooling people into downloading something they want, like music or movies that they're trying to get illegally, which might in fact actually be the song or the movie, but also include malware. So that would involve illegal use of intellectual property, or at least the violation of copyright laws.
 
Worms are another type of malware. These are different from a traditional virus in that they don't have to be attached to a file. They have the sophistication to scan for vulnerable hosts, so once one internal machine is compromised, the worm can self-propagate over the network if it detects other vulnerable systems.
 
And of course, we have the infamous ransomware that we keep hearing about over and over in the media; it's a serious problem. Ransomware comes in a couple of different forms. It can prevent the system from starting up unless a ransom is paid. In addition to that, or instead of that, it might encrypt data files and in the same way present a message on the screen saying that a ransom must be paid, usually through cryptocurrency, which is hard to trace, to receive a decryption key.
 
There's no guarantee that a decryption key will be provided, and it could be argued that paying the ransom encourages future activity of this type. It certainly does not serve as a deterrent for the attackers; they're making money by doing next to nothing.
 
We also have to think about network segmentation and the possibility of a malware outbreak; this is all about incident containment. So in our diagram on the left, we have a production network in the bottom left. Ideally, that would be separate from other networks, because it might run very sensitive business processes and hold sensitive data.
 
So let's say that we have a number of IoT devices. Perhaps those IoT devices are used to control industrial equipment or environmental controls in an office space. Whatever the case, IoT devices are generally considered not to be secure. Now, that's a broad generalization, but consumer-grade IoT devices have notoriously proven not to be secure: sometimes default settings, such as in a built-in web admin stack, can't be changed, and updates are never made available.
 
So therefore, one way to continue using those in a reasonably safe manner, as a compensating control, would be to place them on their own IoT devices network, their own separate VLAN perhaps, and to limit access from those devices to the production network, either partially or entirely, through the firewall.
 
Now, in our diagram, that internal firewall would regulate the traffic between the IoT devices network and the production network. It would also be connected, perhaps, to a screened subnet if we have public services that we want to make available, like a public website that we are hosting. And a second layer of firewall would regulate the traffic between the Internet and the screened subnet.
 
What can we do to mitigate the impact of malware? Even though I am repeating myself, it's an important message: periodic user training and awareness. Of course, also up-to-date malware scanning solutions, ideally ones that can be centrally managed and monitored. You don't want to have to go to each and every device to configure malware scanning tools. You want that centralized, and you also want alerts to be centralized.
 
That way you are alerted if malware is detected on a host, and you might even have auto-remediation scripts that disconnect the host from the network when malware is detected. That would be part of your incident containment, as part of your incident response plan.
 
The other thing is that malware scanning solutions can't be based solely on signatures of known past malware. In addition to that, they should also include user behavior analytics, which look at what might be considered suspicious behavior, such as a single user process on a machine, running in user space, requesting more and more and more memory.
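As an added illustration of that last point (this is example code written for this page, not part of the course), here is a small Python rule that flags a process whose resident memory keeps growing across consecutive telemetry samples, which is the kind of check a behavior-analytics engine runs alongside signature matching. The process names, PIDs and memory readings are constructed, and the thresholds (three consecutive increases, at least 1.5x growth over that window) are assumptions to tune for a real environment.

```python
"""Toy behavior-analytics rule: flag a user-space process whose resident memory
keeps climbing sample after sample (added example; not from the course).

The telemetry below is constructed; a real deployment would feed it from an
EDR agent or periodic process polling."""
from collections import defaultdict

# Constructed samples: (sample_index, pid, process_name, rss_kb)
SAMPLES = [
    (0, 1001, "word.exe", 52000), (0, 2002, "updater.exe",   8000), (0, 3003, "browser.exe", 310000),
    (1, 1001, "word.exe", 52100), (1, 2002, "updater.exe",  16000), (1, 3003, "browser.exe", 305000),
    (2, 1001, "word.exe", 51900), (2, 2002, "updater.exe",  32000), (2, 3003, "browser.exe", 320000),
    (3, 1001, "word.exe", 52000), (3, 2002, "updater.exe",  64000), (3, 3003, "browser.exe", 315000),
    (4, 1001, "word.exe", 52050), (4, 2002, "updater.exe", 128000), (4, 3003, "browser.exe", 312000),
]


def memory_series(samples):
    """Group RSS readings per (pid, name), ordered by sample index."""
    series = defaultdict(list)
    for _idx, pid, name, rss in sorted(samples):
        series[(pid, name)].append(rss)
    return series


def is_runaway(rss_values, min_steps=3, min_growth=1.5):
    """True when the last `min_steps` transitions all increase and the reading
    at the end of that window is at least `min_growth` times the reading at
    its start. Short series (fewer than min_steps + 1 readings) are never
    flagged, so a freshly started process is not alerted on before there is
    enough history to judge it."""
    if len(rss_values) < min_steps + 1:
        return False
    window = rss_values[-(min_steps + 1):]
    monotonic = all(later > earlier for earlier, later in zip(window, window[1:]))
    return monotonic and window[-1] >= min_growth * window[0]


def find_runaway_processes(samples, **thresholds):
    """Return one finding per process that trips is_runaway()."""
    findings = []
    for (pid, name), rss in memory_series(samples).items():
        if is_runaway(rss, **thresholds):
            findings.append({"pid": pid, "name": name,
                             "start_kb": rss[0], "end_kb": rss[-1]})
    return findings


if __name__ == "__main__":
    for f in find_runaway_processes(SAMPLES):
        print(f"ALERT pid={f['pid']} {f['name']}: {f['start_kb']} kB -> {f['end_kb']} kB")
```

In the constructed data only updater.exe doubles its memory every sample; word.exe and browser.exe fluctuate normally and are left alone, which is the point of requiring monotonic growth rather than a single large reading.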
 
So having a strong knowledge of malware in terms of its various types, why attackers deploy malware, and what we might do to mitigate it goes a long way in enhancing an organization's security posture.
 

Malware Techniques and Email Analysis

There are a number of reasons for malware and email analysis, including learning how malware works or how infected or social engineering email messages are crafted. Understanding how these techniques manifest themselves also allows us to help mitigate their impact. So we can analyze malware and email messages either manually or through automation.
 
This also means correlating multiple logged events that can be related to an attack; that's the beauty of threat hunting tools and machine learning. They can learn over time how to correlate different types of events together, which, when viewed as a timeline, can help explain how attacks occurred.
 
Most modern threat hunting tools that analyze malware, email, and other types of digital data are automated using machine learning (ML) algorithms, and there are even free online services for malware and email analysis, such as VirusTotal or Cuckoo Sandbox. For example, if you upload a file that you suspect is infected, or if you copy and paste a suspected fraudulent link from an email message, these services can give you some insight as to whether it's malicious or not.
 
Besides the standard malware detection through signatures of known past behavior, malware analysis can also look at abnormal process or user behavior. This is behavior analytics, and it can include numerous factors, including impossible travel time: for example, how could a user sign-in that happened an hour ago in the United States now occur from Poland?
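The impossible-travel idea can be written down as a rule: for each pair of consecutive sign-ins by the same user, compute the great-circle distance between the two locations and the speed needed to cover it in the elapsed time, and alert when that speed is beyond anything a person could manage. The following Python is an added example, not part of the course; the sign-in records, coordinates and the 1000 km/h ceiling are constructed assumptions.

```python
"""Impossible-travel check over sign-in events (added example; not from the course).

Two consecutive sign-ins by one user are compared by the speed needed to move
physically between them; above an airliner-like ceiling the pair is flagged."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: a little above airliner cruise speed


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    where: str          # human-readable label only


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(a, b):
    """Speed needed to travel from sign-in a to sign-in b. Events at (almost)
    the same spot never trip the check; same-timestamp events from distinct
    places count as infinitely fast instead of raising ZeroDivisionError."""
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    if dist < 1.0:
        return 0.0
    if hours == 0:
        return float("inf")
    return dist / hours


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_label, to_label, speed_kmh) for each consecutive pair
    of one user's sign-ins that would require more than max_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: (s.user, s.when)):
        by_user.setdefault(s.user, []).append(s)
    alerts = []
    for user, events in by_user.items():
        for earlier, later in zip(events, events[1:]):
            speed = required_speed_kmh(earlier, later)
            if speed > max_kmh:
                alerts.append((user, earlier.where, later.where, round(speed)))
    return alerts


def _utc(y, mo, d, h, mi=0):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sign-in log: alice "moves" from New York to Warsaw in one hour,
# bob drives from New York to Boston over five hours.
SIGNINS = [
    SignIn("alice", _utc(2024, 3, 1, 10), 40.7128, -74.0060, "New York"),
    SignIn("alice", _utc(2024, 3, 1, 11), 52.2297, 21.0122, "Warsaw"),
    SignIn("bob",   _utc(2024, 3, 1, 9),  40.7128, -74.0060, "New York"),
    SignIn("bob",   _utc(2024, 3, 1, 14), 42.3601, -71.0589, "Boston"),
]

if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SIGNINS):
        print(f"ALERT {user}: {src} -> {dst} would need about {kmh} km/h")
```

Geolocation of a source IP is coarse, so a real rule would also allow for VPN exit nodes and mobile carriers before raising a ticket; the speed calculation itself stays the same.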
 
Malware analysis can also look for what is considered to be abnormal usage patterns, such as scouring the file system for data files, or processes that are more active at abnormal times of day, such as off-peak business hours. Software developers and security engineers can even get to the point of reverse engineering (RE) or running malware once it's sandboxed, using specialized debugging and disassembler tools.
 
Reverse engineering also includes a number of analytic activities, including static analysis. Static analysis means you are analyzing the malware while it's not running, so decompiling it and viewing its code. Dynamic analysis means you have sandboxed the malware, detonated it, and are examining its behavior. Naturally, the best way to get the most out of malware in terms of learning about it is a combination of static and dynamic analysis.
 
Reverse engineering teams will look at things like crypters. Crypters are used to obfuscate or hide the malware payload to evade detection by malware scanners, or at least that's what they attempt to do. The packer component of malware is used to compress the encrypted malware payload. Again, this is just another technique that malware authors use in an attempt to defeat signature-based malware scanners. As you might guess, not everyone has the skill set to perform reverse engineering of malware.
 
That's malware; then we have the analysis of email messages. There are some terms here that are absolutely paramount in doing this properly, one of which is DomainKeys Identified Mail (DKIM). The purpose of DKIM is to make sure that messages haven't been tampered with while they're being transferred and ultimately delivered to the recipient. The DKIM signature is usually part of the header of the email message, and how you view the header will vary depending on the mail tool you're using for reading email.
 
The next thing we should be aware of is Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is a way to detect bogus email messages. And then we have SPF, the Sender Policy Framework. This is a way to verify that the sending servers are the legitimate servers that are allowed to send email for the sender's DNS domain. If we have a message being sent from skillsoft.com, SPF checks that the legitimate skillsoft.com SMTP servers are the originators of that mail. This is a great way to mitigate spam. Here we've got a screenshot of Microsoft Outlook.com specifically, viewing a message header. Now of course, we're always concerned about what is inside an email, but we'll get to that in a moment.
 
Here we're looking at the header, the addressing and pathing information for how that message was delivered. Notice the highlighted section in the mail header, which says that the DKIM signature was verified. So this appears to be a valid, authentic mail message that was not tampered with in transit. Viewing the message header will vary depending on the mail reader you're using, as we've stated.
 
Now, another part of email analysis is very basic and unsophisticated, such as looking for glaring spelling and grammar errors within an email. A lot of spam and phishing email campaigns originate in countries with different cultures and languages from where the recipient is reading that message, so look for spelling and grammar errors. Be careful about links in email messages: even if the link looks legitimate when you hover over it, it might be obfuscated. It might be modified so that it looks legitimate, but really it's not. So don't click links in email.
 
In the same way, be very selective about clicking on file attachments in email messages. And certainly, if this is not a specific email message you have requested, never click the file attachments or links within it. Another thing to do is to look visually at the sender's email address. Does it look legitimate? If we have an email that supposedly came from the tax department, like the Canada Revenue Agency, let's say, why does the sender's email address look like a long Gmail address? That doesn't add up.
 
So there are some simple, basic things we can do to analyze emails to determine that they are fraudulent.
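Putting the header checks and the basic checks together, here is an added Python example (written for this page, not from the course or any product) that parses a constructed message, reads the receiving server's Authentication-Results header for the SPF, DKIM and DMARC verdicts, compares the From display name and domain with the Return-Path domain, and lists links whose visible text names a different host than the href actually points to. The message, addresses and IP address in it are placeholders, and the short webmail-domain list is an assumption.

```python
"""Header and link checks for a suspicious email (added example; not from the
course). Reads Authentication-Results for the SPF/DKIM/DMARC verdicts, checks
the sender's display name and domains, and looks for links whose visible text
does not match the href.

The message below is constructed for the example; its addresses and hosts are
placeholders, not real indicators."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed short list; a real tool would use a much fuller one.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=fail header.d=gmail.com; dmarc=fail header.from=gmail.com
From: "Canada Revenue Agency" <cra.refund.notice.no.reply.2024@gmail.com>
To: victim@example.com
Subject: Your tax refund is waitng
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://198.51.100.7/login">https://www.canada.ca/refund</a> to claim it.</p>
<p>Questions? Visit <a href="https://www.canada.ca/">canada.ca</a>.</p>
</body></html>
"""


def auth_results(msg):
    """Map method -> result from Authentication-Results, e.g. {'dkim': 'fail'}."""
    verdicts = {}
    header = str(msg.get("Authentication-Results", ""))
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            verdicts[method.lower()] = result.lower()
    return verdicts


def sender_findings(msg):
    """A display name on a webmail address, or a Return-Path domain that
    differs from the From domain, are both worth a second look."""
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    rp_domain = rp_addr.rpartition("@")[2].lower()
    if display and from_domain in WEBMAIL_DOMAINS:
        findings.append(f"display name '{display}' on webmail address {addr}")
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} != From domain {from_domain}")
    return findings


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(shown, real):
    return shown == real or shown.endswith("." + real) or real.endswith("." + shown)


def mismatched_links(html):
    """Links whose visible text names a host other than the one the href goes to."""
    collector = _LinkCollector()
    collector.feed(html)
    bad = []
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if "." in shown_host and real_host and not _same_site(shown_host, real_host):
            bad.append((text, href))
    return bad


def analyze_message(raw_bytes):
    """Run all three checks and return a report; 'suspicious' is True when any
    authentication method did not pass or any other check fired."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    report = {"auth": auth_results(msg),
              "sender": sender_findings(msg),
              "links": mismatched_links(html)}
    report["suspicious"] = (any(v != "pass" for v in report["auth"].values())
                            or bool(report["sender"]) or bool(report["links"]))
    return report


if __name__ == "__main__":
    for key, value in analyze_message(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Note that Authentication-Results is only trustworthy when it was written by your own receiving server; a sender can insert a forged copy, so production filters strip any copy that arrives from outside before adding their own.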
 

Common Scripting Languages

Scripting languages are the standard double-edged sword: they can be used by the good folks to do good things, but they can also be used by the bad folks to do malicious things. But there are some things that are constant regardless of who's using a scripting language, and what are they?
 
A script is not compiled. It's not a compiled binary program that ends up as a binary on Linux or an executable on Windows that you can run. Instead, scripts are interpreted by a script interpreter. So, for example, if you want to run a Python script on your machine, you need to have a Python interpreter installed, if it's not already there.
 
You could say that scripting is a smaller and softer version of actually writing and compiling code. However, you can still accomplish pretty much anything with scripting. You can use it for task automation, whether for good or for bad, so it could be used for malware delivery and/or malware execution. But on the good side of things, a scripting language might be used for detection of suspicious activity, or for auto-remediation, perhaps of non-compliant devices whose security configurations have strayed from the accepted security baseline.
 
So common scripting languages would include Linux shell scripts. Shell scripts are so called because they use a specific shell interpreter, such as the Bourne Again shell (Bash) or the sh shell. There's also the C shell, the Korn shell, and many others. Normally, a Linux shell script will have a .sh file extension; that's not required, but it is standard. And of course, in order to execute a shell script, the invoker needs to have at least read and execute permissions. The commands in the script determine whether other privileges are needed as well.
 
A Microsoft PowerShell script runs on multiple platforms. When PowerShell first came out, around the 2006-2007 era, it only ran on Windows machines. But nowadays it has evolved massively to the point where you can run PowerShell on just about anything, so it's multi-platform, and a PowerShell script will normally have a .ps or a .ps1 file extension.
 
PowerShell is a little different from running a Linux shell script because PowerShell is actually object-oriented. Anyone who has written code or scripted might have experience with this, and would probably agree that object-oriented output is very powerful and easier to manipulate than languages that only produce text and require skill in parsing and manipulating that text, as is the case with Linux shell scripts.
 
Another common scripting language would be Python. So in order to run a Python script, you need to have a Python interpreter installed. Python scripts normally have the .py file extension. These are just three of the most common scripting languages that I have run into. You might have a different opinion on what the most common scripting languages are, whether it's JavaScript or Ruby, and so on.
 
So a Bash shell script would look something like this. The first line is the shebang line, as they call it, because it identifies the shell interpreter that is to be used to run the rest of the commands in the script.
 
Here we're just clearing the screen. We're initializing two variables, totalsize and currentsize, both with a value of 0. You can have multiple Linux commands on the same line if they're separated with a ; . Then there's a for loop with a placeholder variable called i that loops through all the .htm files matching /webfiles/*.htm.
 
And then there's a do-done loop where essentially what we're doing is tallying up the total size of the .htm files in the webfiles directory. Then we're echoing that back and piping it to the tee command, which allows output to go to more than one place: to the screen, just as echo on its own would, and to a .txt file. [Video description begins] The Bash shell script displayed on the screen reads:

    #!/bin/bash
    clear; let totalsize=0; let currentsize=0
    for i in /webfiles/*.htm
    do
        # field 5 of the ls -l listing is the file size in bytes
        let currentsize=`ls -l $i | tr -s " " | cut -f5 -d " "`
        let totalsize=$totalsize+$currentsize
    done
    echo "The total space used is "$totalsize "bytes." | tee \
        /html_file_results.txt

[Video description ends] Now our shell script example could have been anything. This is just to give us a general sense of what the syntax looks like in a shell script. It could do anything.
 
In the same way, why don't we take a minute to look at a sample PowerShell script, if only for the sake of being familiar with what PowerShell looks like. Comments are prefixed with a # or pound symbol. Here we've got a variable called $result that we're setting to a value of $false. Then we have an if statement where we're checking the DNS client settings to see if DNSSEC validation is required, does it -eq $true. If so, then we're returning a message that says "Name resolution policy table is configured." and setting $result = $true.
 
Otherwise, in the else part, it's going to say "Name resolution policy table is not configured." and set $result = $false. Finally the script returns the $result variable. [Video description begins] The PowerShell script reads:

    # The Default Domain Policy GPO contains the Name Resolution Policy Table settings
    $result = $false
    # Get-DnsClientNrptPolicy (DnsClient module) lists the NRPT rules in effect
    if ((Get-DnsClientNrptPolicy).DnsSecValidationRequired -eq $true) {
        "Name resolution policy table is configured."
        $result = $true
    } else {
        "Name resolution policy table is not configured."
        $result = $false
    }
    $result

[Video description ends] The point is not what this script is doing; it's simply to get familiar with PowerShell.
 
PowerShell also includes an integrated scripting environment, otherwise called the PowerShell ISE. This is installed with a normal Windows installation. [Video description begins] A screenshot of the Windows PowerShell ISE window is being displayed in the background. [Video description ends] It's a graphical environment that color-codes your code and can give you help, things you wouldn't get if you're using just a basic text editor to write PowerShell scripts.
 
Our last example here is a Python script, again just to get a sense of what it looks like. Here we're importing a library that has SMTP capabilities. We're establishing a server variable by calling smtplib, specifically its SMTP class, giving it a server name and a port number. Then we have a comment, which, much like in PowerShell, begins with a number sign or # symbol. Then we log in to the server by specifying the credentials. And then we send an email message by setting the content and sending a message to a recipient. [Video description begins] The Python script displayed on the screen reads:

    import smtplib

    server = smtplib.SMTP('smtp.fakeserver.com', 587)
    server.starttls()          # port 587 expects TLS before authentication
    # Next, log in to the server
    username = "[email protected]"
    server.login(username, "#$%SHSKk5")
    # Send the mail: sendmail() takes the sender, the recipient and the message
    msgcontent = "Hello world!"
    server.sendmail(username, "Ibrenner@quick24x7.com", msgcontent)
    server.quit()

[Video description ends]
 
Now these are not scripts that are malicious. These are not scripts that will remediate, some kind of sophisticated security incident. They’re just basic scripts.
 

Creating and Running a PowerShell Script

As a cybersecurity analyst, we don't have to be experts in the details of scripting, but we should have a general sense of how common scripting languages are used and how to invoke or run those scripts. The reason for this is that scripting is commonly used to automate administration of various environments, whether on-premises or in the cloud, and so it could be a potential attack vector; we have to be aware of this. And sometimes malware will propagate itself using scripting languages. So those are compelling reasons why, as cybersecurity analysts, we should at least have a sense of this if we don't already.
 
Here on my Windows computer, I'm already in a PowerShell prompt environment, but from the Start menu, if I were to type in the word power, I could choose to launch Windows PowerShell, which I’ve done here. You might choose to right-click and Run as administrator, depending on the nature of the PowerShell commands or cmdlets you’ll be running.
 
You can also spawn the Windows PowerShell ISE, the Integrated Scripting Environment. When you do that, you get a working environment where you can control how the screen is displayed using the buttons in the Toolbar. [Video description begins] The Windows PowerShell ISE opens in the background. A ribbon containing tabs labeled as File, Edit, View, Tools, Debug, Add-ons, and Help can be seen at the top of the window. A toolbar can be seen below the ribbon, and it displays icons representing options such as Run Script, Save, Show Script Pane Right, Show Script Pane Maximized, Show Script Pane Top, and so on. [Video description ends] But one way is to have your script contents at the top with all your commands, and then an output window below as you test each line of the script or the whole script in its entirety. [Video description begins] The host selects the Show Script Pane Top option from the toolbar. [Video description ends]
 
For example, if I were to put in get-service up at the top, I could click the Run button or press F5, if I’m a keyboard type of person to execute that. The output will show down below. So the integrated scripting environment is just a bit of an easier way to work on PowerShell scripting than using, say, a basic text editor like Notepad.
 
Here I've got a script I've created called Host_Details, and the normal file extension for a PowerShell script is .ps1. So we're going to go ahead and take a look at the contents of this script. Bear in mind this is a scripting language; what can it do? [Video description begins] There are 16 lines of code in the script. Lines 2, 4, 6, 8 and 16 are blank. It reads:

     1  cls
     2
     3  $datevar=Get-Date
     4
     5  $osvar=Get-CimInstance -ClassName Win32_OperatingSystem
     6
     7  $svcvar=Get-Service | ?{$_.status -eq "Running"}
     8
     9  Write-Host "Date and time:"$datevar
    10  Write-Host
    11  Write-Host "Host OS Details:"
    12  $osvar
    13  Write-Host
    14  Write-Host "Running Services:"
    15  $svcvar | Format-Table
    16

[Video description ends]
 
It would be better to ask what it can't do. The sky is really the limit. Not only does Microsoft allow PowerShell to run on multiple platforms like Linux, Unix, macOS, and of course Windows, but there are third-party vendors like Amazon Web Services and VMware, to name just a few, that build PowerShell libraries or modules with plenty of cmdlets you can use to manage those environments. So there's a lot you can do; this is just one simple example.
 
In line 1 of our script, we are clearing the screen, cls. In line 3, we are initializing a variable. In PowerShell, when you initialize a variable, you begin with a $ sign and then you give a variable name. But also when you refer to the variable later, such as to display its contents, you also need to use the $ sign. [Video description begins] The host is referring to lines 3 and 9 of the code. [Video description ends] So on line 3, all we’re doing is taking the result of the Get-Date command and storing it in the $datevar variable.
 
Remember, you've got a command prompt environment down here. So if you wanted, you could just type get-date and press Enter to see the output. [Video description begins] The output is displayed in the Output window. [Video description ends] You could also put your cursor on a line that you want to execute. Let's say we don't want to execute the whole script, just line 3. I can click the Run Selection button at the top in the Toolbar, or press F8 on the keyboard, same thing. It will only execute line 3.
 
Now there's no output, because the output of Get-Date has been stored in the $datevar variable. So I could simply type in $datevar [Video description begins] The host is typing the command in the Output window. [Video description ends] and notice as I'm typing, the helper dropdown list is adjusting itself, which is a great thing about the ISE: it knows there's a variable called $datevar. When I press Enter, it returns the contents of the $datevar variable. So this is pretty handy.
 
The next thing we're doing is using the Get-CimInstance cmdlet with the -ClassName parameter to retrieve some interesting information about the operating system. [Video description begins] The host is referring to line 5 of the code. [Video description ends] For example, if I copied just that cmdlet and not the variable initialization, we could run that by itself. [Video description begins] The output is displayed in the Output window. [Video description ends] It returns things like the SystemDirectory where the OS is installed, the BuildNumber, the RegisteredUser, and the SerialNumber. And we're storing that in a variable called $osvar.
 
In line 7, we're running Get-Service, but this time we're piping it with the | symbol to a filtering expression where we only want to see those services where $_.status -eq "Running". Now, say Get-Service returns 100 services because that's how many you have installed on your computer. Well, we need to evaluate each of those 100 services to check its status.
 
So you can think of piping as a kind of internal looping. Now, if we're going to loop through something, we need a temporary placeholder variable for each service. The built-in placeholder variable when you're working with piping or looping in PowerShell is $_. The ? is just shorthand for a cmdlet called Where-Object, which is for filtering. And then we have the opening and closing braces with our expression inside. So that's only going to return "Running" services.
 
The next thing I'm doing in the script is simply using a series of Write-Host statements to write back some literal text as well as the contents of some variables. [Video description begins] The host is referring to lines 9 to 14 of the code. [Video description ends] I'm adding blank lines with a bare Write-Host statement and, in some cases, displaying the variable beneath its literal text to maintain some of its formatting. At the bottom, I'm piping my $svcvar variable, with the | symbol, to Format-Table so that it's formatted as a table.
 
Okay, let's run the whole script with the Run Script button and scroll back up through the output. So what do we have here? Well, it gave us the date and time, and we have the host OS details down below; the BuildNumber and so on are shown. And then of course we have a list of all of the running services on the host.