Classifying all of the threats across the Internet ...

6 replies to this topic

#1 palerider2
Posted 12 March 2017 - 07:09 PM

For the purposes of fully understanding the terrain...
 
Is it possible to classify, by method, most internet malware attacks?
(by this I refer to attacks where a specific end-user or other participant is not targeted)
 
... and then ...
 
Is it possible to classify, by method, most internet hacking attacks?
(by this I refer to attacks which involve some form of targeting of an end-user or other participant)
 
 
(I would classify DDoS as a special case - the packets only being harmful in large numbers.)
 
 
Maybe it's the sort of analysis that's already been done, in quarters such as Mozilla, Sans Institute, Kaspersky, Apple etc....
 
It was something that I had an interest in, originally, more than a year ago. At the time, it would've been useful to see all internet security issues classified in some way, even if only at a high level. As I say, I wasn't able to find it, but I think I now have something and so I offer that back.
 
But first it would be interesting to see if BC members know whether there's a website that already covers this. For this reason, I'll wait a few days before posting my own analysis (an initial draft).
 
I found something promising here but I have something slightly different in mind:
 
If you were, for example, an IT manager you'd probably want more than the above, good though it is. If you were the IT manager of a sensitive network, you'd want a complete list. In fact, you'd probably take a specialist training course. I don't plan to attend one of those - I might not even qualify. Either way, I'd like to find a kind of middle ground.
 
(When I do post further, I'll explain the purposes to which such a classification system could be put. IMHO.)

Edited by palerider2, 12 March 2017 - 07:11 PM.


#2 TsVk!
Posted 12 March 2017 - 08:16 PM

I'd think as a person who secures a network you'd be more concerned with the vectors than the mechanisms of attack. If you secure the first the second is irrelevant.

 

There is much information out there on that.



#3 JohnnyJammer
Posted 12 March 2017 - 10:18 PM

Well, IT managers don't do the hands-on work, so they hear flashy words and think it all happens in the background, but it doesn't.

A few things I have done and recommend you insist happen at your workplace and/or network at home.

 

1. Change the file type association for .js, .jse, .wsf, .hta, .vbs, .swh, .vbs, .ace, .jar. Force them to open with Notepad, as this will eliminate say 80% of attack vectors.

2. Change Microsoft Word, Excel, Outlook etc. on both Unix-based (less likely, but still a common way to get r00t access) and Windows-based computers to not execute macros on startup.

3. Stop executables running from global variables such as %TMP%, %TEMP%, %APPDATA%, %LOCALAPPDATA%, and also indent them up to 4 times, i.e. (%TMP%\.\ & %TMP%\.\.\).

4. As in step 3, you can use wildcards such as %localAppData%\Temp\*.zip\*.exe and also %localAppData%\Temp\*\*.exe etc. etc. etc.

5. Make sure the system is up to date, and this includes all software and/or add-ons on browsers.

6. Get rid of Java (browser plugin) and Adobe Flash; just pure junk, and they should just go and die where they belong.

 

You do the above, and basically if someone clicks on a Word document and then clicks Enable on the macro, it would 9 times out of 10 download a .js file which is obfuscated, and that in turn downloads a .exe file into the variables mentioned above.

Of course, with application policies in place it ain't going to do jack, so basically that makes it useless.

 

These are some, just some, of the steps I have taken to secure the client nodes where I work, and we haven't had an infection yet. Plenty of people have tried and even slipped through the mail filters, but this will stop 99%; the last 1% comes down to the end users.


Edited by JohnnyJammer, 12 March 2017 - 10:20 PM.


#4 TsVk!
Posted 12 March 2017 - 10:31 PM

I added a rule that no executable can run unless it is in Program Files/Program Files(x86)/Windows directories and then put admin rights on moving files into those directories. Kinda like your rule 3 and 4... just a little more ruthless. I've had to add exceptions, but generally it's been extremely effective.

 

I've had people who cannot install their malware, no matter how much they try, start a tech support ticket. :lmao:
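As an added example that is not part of the thread: a PowerShell script that applies JohnnyJammer's steps 1 to 4 and TsVk!'s default-deny rule through the registry-backed Software Restriction Policy (SRP) keys and the Office trust-center policy keys. It assumes an elevated session on Windows, Office 16.0 (2016/365) policy paths, and that the legacy SRP engine is still honoured on the edition in use (AppLocker is the supported successor).

```powershell
# Added example, not the thread's own code. Run elevated; SRP takes effect after
# 'gpupdate /force' or a reboot. Office version 16.0 is an assumption.
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = 0; $Unrestricted = 262144   # SRP security levels (0x0 and 0x40000)

function Add-SaferPathRule([int]$Level, [string]$Path, [string]$Note) {
    # A path rule is a GUID-named key under the level it grants; ItemData is
    # REG_EXPAND_SZ so %TMP% and friends expand per user at evaluation time.
    $key = New-Item -Path "$Safer\$Level\Paths\{$([guid]::NewGuid())}" -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData    -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags  -PropertyType DWord        -Value 0     | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description -PropertyType String       -Value $Note | Out-Null
}

# 1. Script extensions open in Notepad: 'txtfile' is the built-in ProgID that
#    launches notepad.exe. Per-user overrides under HKCU\Software\Classes still need checking.
foreach ($ext in '.js', '.jse', '.wsf', '.hta', '.vbs') {
    Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -Name '(default)' -Value 'txtfile'
}

# 2. Office macros: VBAWarnings 4 = 'Disable all macros without notification'.
#    The Policies hive wins over whatever the user sets in the Trust Center UI.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = New-Item -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -Force
    Set-ItemProperty -Path $sec.PSPath -Name VBAWarnings -Type DWord -Value 4
}

# 3/4. SRP: default Disallowed (TsVk!'s approach) with allow rules for the install
#      locations, so the temp/appdata deny rules below are belt-and-braces.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value $Disallowed
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1   # 1 = skip DLL checks
Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 0   # 0 = applies to admins too
Set-ItemProperty -Path $Safer -Name ExecutableTypes    -Type MultiString -Value @(
    'EXE','SCR','COM','BAT','CMD','PIF','MSI','MSP','JS','JSE','WSF','WSH','VBS','VBE','HTA','JAR','LNK')
foreach ($dir in '%ProgramFiles%', '%ProgramFiles(x86)%', '%SystemRoot%') {
    Add-SaferPathRule $Unrestricted $dir "Allow install location $dir"
}
# Each '\*' matches exactly one folder level, so four rules per root cover payloads
# dropped up to four folders deep, as in rules 3 and 4 of the thread.
foreach ($root in '%TMP%', '%TEMP%', '%APPDATA%', '%LOCALAPPDATA%') {
    $sub = ''
    1..4 | ForEach-Object {
        Add-SaferPathRule $Disallowed "$root$sub\*.exe" "Block executables under $root$sub"
        $sub += '\*'
    }
}
```

To stage this rather than break users on day one, set DefaultLevel to 262144 first and watch Application log events 865 and 866 (source SoftwareRestrictionPolicies) for what would have been blocked, then flip to 0.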



#5 palerider2
Posted 12 March 2017 - 10:46 PM

TsVk!> "as a person who secures a network"
 
I wouldn't assume that, incidentally. However, I believe it will become clear what the purpose(s) of the analysis are.
 
The question I ask is genuine enough though and I do seek the valued opinions of BC members. (I see 2 more - pending)
 
If you like, when you see the word 'method' in my opening post read 'vector'. After I've published the draft that I have, then you might disagree on terminology but that's still feedback.
 
Just for information: I plan for this thread to be accessible to all manner of folk, from novices to experts. However, I believe that novices can be put off by terms such as vector. So sometimes (usually, in fact) I prefer the plain-language equivalent, as long as it doesn't confuse anyone. Anyway, thanks for joining in. Hopefully some links will follow. :)
 
An example of a vector in my list: exploiting one of the StageFright vulnerabilities
At a high-enough level it's quite similar to sending someone an email with a malicious attachment. But they are definitely distinct from each other. 
 
I argue that all internet threats can be laid out in tree-form. In other words: classified.
 
If it all amounts to a hill o' beans then I'm sure you'll be letting me know :)


#6 JohnnyJammer
Posted 13 March 2017 - 04:12 AM

TsVk!, on 12 March 2017 - 10:31 PM, said:

I added a rule that no executable can run unless it is in Program Files/Program Files(x86)/Windows directories and then put admin rights on moving files into those directories. Kinda like your rule 3 and 4... just a little more ruthless. I've had to add exceptions, but generally it's been extremely effective.

 

I've had people who cannot install their malware, no matter how much they try, start a tech support ticket. :lmao:

No standard user should be able to write to C:\ and also the C:\Program~1 folder anyway, mate, unless they have local admin access, which I'm sure you know is a big no-no.

 

 

palerider2, on 12 March 2017 - 10:46 PM, said:

TsVk!> "as a person who secures a network"
 
I wouldn't assume that, incidentally. However, I believe it will become clear what the purpose(s) of the analysis are.
 
The question I ask is genuine enough though and I do seek the valued opinions of BC members. (I see 2 more - pending)
 
If you like, when you see the word 'method' in my opening post read 'vector'. After I've published the draft that I have, then you might disagree on terminology but that's still feedback.
 
Just for information: I plan for this thread to be accessible to all manner of folk, from novices to experts. However, I believe that novices can be put off by terms such as vector. So sometimes (usually, in fact) I prefer the plain-language equivalent, as long as it doesn't confuse anyone. Anyway, thanks for joining in. Hopefully some links will follow. :)
 
An example of a vector in my list: exploiting one of the StageFright vulnerabilities
At a high-enough level it's quite similar to sending someone an email with a malicious attachment. But they are definitely distinct from each other. 
 
I argue that all internet threats can be laid out in tree-form. In other words: classified.
 
If it all amounts to a hill o' beans then I'm sure you'll be letting me know :)

 

You don't make sense, mate. I outlined a fairly detailed way of prevention, but for me to detail an attack method using no method of end-user input would not be allowed here.

Accessing or breaching a network can be harder than people say it is. It's nothing like the movies, and you need to ensure you have left no footprint AT ALL! This is even more critical than exploiting a network/server/service.

 

You see so-called L337 Hax0rs on the news, but these are just kids who DDoS and SQL inject; them getting caught is a reassurance that they don't truly know how to be UN-traceable.



#7 palerider2
Posted 27 March 2017 - 07:05 PM

The analysis that I have begun to perform can be defined exactly.
 
a ) it considers a variety of scenarios which involve two parties: an end-user and another actor (who may have malicious intent)
b ) the potentially malicious party may be passive or active
c ) the end-user's browsing device could be any device that has ever existed, or even one that will exist
 
Taking ( c ) the end-user may have a browsing device that is a desktop, laptop, tablet or smartphone. Or it could be some other device.
 
Importantly, at the start of the exercise, the browsing device is deemed to be not compromised. 
 
That doesn't mean that it is free of vulnerabilities and it doesn't say anything about any preventative measures that may have been taken by the end-user. 
 
The analysis focusses on what the (potentially malicious) actor has to do to pose a threat to the end-user in some way. I believe that the threats can be summarised (and classified) as a tree, the root of which is shown in this post.
 
An explanation of the tree diagram: I have assigned the number 0 to the level containing 'All threats', so the branches coming from that are referred to as level 1. So far in this analysis, I've attempted to identify all of the level 1 threats. I haven't completed level 2 but I've indicated how that could develop. I probably need to add some words of explanation about those level 2 entries (but please see the next post).
 
      0                 1                                         2
 
            +---a DDoS attack the end-user
            |
All threats +---b Loss (theft) of private information 
            |
            +---c Compromise of the browsing device --+----ca via interface card
                                                      |
                                                      +----cb by hw plugged in
 
What's shown above is the high-level analysis. I'd like to hear feedback from BC members where I've missed any class of threat that should appear at level 1. (I suspect that some of these placements may need to be done judiciously.)
 
Looking at branch 1c, a browsing device could be compromised in several ways, but I currently believe that the analysis doesn't need to differentiate between them. Just to provide examples of that, here are some possible motivations for compromising the browsing device (but it's probably not a complete list) :
to turn it into a monitoring device
to remove any or all of the information from it
to perform a ransom attack on the end-user
to make the device permanently unusable
to recruit the device into a botnet
 
 
The next post will clarify what is meant by the entries shown at level 2 and it will also say something about the possible benefits of an analysis such as this. Thanks for the previous comments.
 
edit 'b )' with no space is an emoticon B)

Edited by palerider2, 27 March 2017 - 07:10 PM.