Open access peer-reviewed chapter

Intelligent Cybersecurity Threat Management in Modern Information Technologies Systems

Written By

Mohammed Saeed Jawad and Mohammed Hlayel

Submitted: 19 January 2022 Reviewed: 19 May 2022 Published: 10 July 2022

DOI: 10.5772/intechopen.105478

From the Edited Volume

Lightweight Cryptographic Techniques and Cybersecurity Approaches

Edited by Srinivasan Ramakrishnan



Cybersecurity threat management has become a necessary part of the management of any organization that runs information systems, whether that organization is large, medium or small. As good practice, such organizations need to keep pace with current trends in security threats so that they can prevent those threats or at least minimize the risks associated with them. Understanding attacker behaviour is crucial to the success of this effort, and it is always worthwhile to probe one's own systems in an ethical-hacking exercise to identify exploitable vulnerabilities and likely points of attack. Modern information systems such as cloud computing deserve special attention because of the particular characteristics of cloud security, namely data confidentiality, encryption and availability, in the context of agile DevOps software project management. This chapter presents the best practices to adopt and shows how an organization can adapt by setting realistic, reasonable security policies to manage different types of security threat intelligently.


  • cybersecurity
  • intelligent threat management
  • security vulnerabilities
  • network traffic
  • service ports
  • hackers
  • malicious attacks
  • security defense

1. Introduction

Intelligent analysis and management of cybersecurity threats is crucial in today's information systems. Put simply, attacks and threats are becoming more complex, sometimes hard to detect and highly diverse in their characteristics and types. Cybersecurity analysts must continually upgrade their skills and knowledge to keep up with the latest developments in attack techniques. They need a thorough understanding of the different kinds of system vulnerability that attackers use to compromise victim systems, so it is important to maintain up-to-date databases of threat techniques, their characteristics and their intended objectives. Attackers are usually patient: they use a range of tools to understand and navigate a distributed system they are studying for a planned attack, building on the vulnerabilities they discover. It is therefore good practice for defenders to understand the hacking process and the tools that can be used to analyze a system and find its weaknesses. To raise the security level and maturity of an organization, it is important to monitor the system's exposed services in real time and to detect automatically any unusual traffic pattern that may indicate an attack. In brief, the situation is a continuous race between attackers and cybersecurity analysts: one side launches attacks, the other works to shut them down, or at least to stop them spreading and minimize their risk, and then to recover the system from the damage.

This chapter reviews recent attacks in terms of definitions, characteristics and the tools that make them feasible, and shows how different types of distributed computing system can be analyzed to discover possible vulnerabilities. It also discusses the effects of successful attacks and how to reduce their risk so that the attackers ultimately fail to achieve their objectives. The aim is to give a clear understanding of modern security threats and then to translate that understanding into organizational recommendations and policies: a strong defensive strategy and a risk management process that can respond directly to attacks and protect the organization's valuable data and infrastructure assets.

Cybersecurity aims to protect information and the systems that hold it, which are among the most valuable assets of any organization. The three most important properties of information security are confidentiality, integrity and availability. Confidentiality means that only authorized individuals can access information and resources [1]; a considerable share of malicious attacks involve disclosure, that is, making sensitive information available to outsiders or the public. Integrity means keeping an organization's information free from unauthorized change, whether made deliberately by an attacker or accidentally through a service disruption that corrupts stored data. Availability means that authorized individuals can reach the information they need when they need it [2]; some attacks, such as denial-of-service attacks, aim specifically at undermining availability.

The chapter is organized in six sections. Section 2 examines the different types of malware threat. Section 3 explains the threat intelligence cycle and the tools used to manage threat indicators and share intelligence. Section 4 covers threat modeling as risk management and as the basis for effective threat hunting. Section 5 investigates the different aspects of environmental reconnaissance. Finally, Section 6 discusses cloud-based security services: identity and access management (IAM), data loss prevention, web security, e-mail security and security event management. The chapter can therefore be read as a roadmap for investigating modern security threats and for detecting, preventing and managing the associated risks intelligently.


2. Malware threats

In information and cybersecurity it is important to understand the characteristics of the different malicious threats: how they propagate between systems and what malicious actions they perform. The discussion here concerns viruses, worms and Trojan horses. Computer viruses are so named because they behave like biological viruses [3]. They spread from one system to another through some user action, such as opening an e-mail attachment, clicking a link on a malicious website or inserting an infected USB drive. In other words, a virus cannot spread unless someone gives it a hand, so the best protection against viruses is educating users about them.

The second well-known class of malware is the worm, which spreads between systems without any user interaction. Worms attack through system vulnerabilities, and once a system is infected the worm uses it to spread to other systems on the connected networks. Because worms spread through vulnerabilities, the best protection against them is keeping systems and applications patched to the most recent level. Worms have recently become aggressive enough to cross the virtual barrier and cause serious physical damage.

Trojan horses pretend to be legitimate, useful software in order to entice users to download and install them; once run, they behave in unexpected ways. These programs carry a harmful payload that performs unwanted actions behind the scenes [4]. The best protection against Trojan horses is an application control policy under which only software approved by administrators may run. Note that remote access Trojans, known as RATs, are a special type of Trojan horse that lets an attacker control the infected system remotely.

2.1 Adware, spyware and ransomware

Every piece of malware can be characterized by its propagation mechanism, which determines how it spreads to other systems, and by its payload, which determines what it does on the infected system [5]. This section examines three types of payload: adware, spyware and ransomware. Adware starts from online advertising, which is a common and entirely legitimate way of earning revenue from online content. Unfortunately it is also an opportunity for malware: adware is special-purpose malware that displays advertisements to earn money for the malware author instead of the content owner. Its tricks include redirecting search queries to a search engine controlled by the malware author, displaying pop-ups while the user browses and, in some cases, replacing the content owner's legitimate advertisements with ones that benefit the malware author. This is very harmful to the content owner because it destroys the trust of their customers.

The second well-known payload is spyware. Spyware gathers information without the user's permission or knowledge and sends it to the malware author for use in some malicious action, such as stealing account information or identity theft [6]. Various techniques are used: keystroke loggers record what the user types, and some spyware watches the websites the user visits to capture usernames and passwords for sensitive sites such as online banking. Monitoring browsing habits is now a common spyware activity, used to target advertising at specific users. Most dangerously, some spyware can scan hard drives and cloud storage for sensitive information such as social security numbers that can later be used for identity theft.

The third well-known type is ransomware, which blocks the legitimate user's access to a computer or its data until a ransom is paid. The most common technique is to encrypt files with a secret key that the victim is then invited to buy back. A well-known example is CryptoLocker, which appeared in 2013 and whose approach is still copied by ransomware today. It most commonly arrived as an e-mail attachment; once the user opened the attachment, CryptoLocker began encrypting files on the local disks, protecting the file keys with strong public-key (RSA) encryption. The targeted files included office documents, images and CAD models, which are typically the most valuable files to the end user. The malware author keeps the encryption keys on a dedicated control server and gives the victim a deadline to pay the ransom. One survey found that over 40% of the individuals and organizations infected by CryptoLocker paid. It is worth mentioning a related type of malware called scareware, which resembles ransomware but is a bluff [6, 7]. Scareware pops up messages, often as website advertisements, designed to frighten users by warning them that their systems are compromised and then offering a solution. In reality there is no security problem, and the offered solution is fake.

2.2 Malware mechanisms: backdoors and logic bombs

The malware discussed so far consists of independent programs written for a malicious purpose. Some malware does not fit this category: it is not a stand-alone program but a chunk of code inserted into another application with bad intent [8, 9, 10]. The most common examples are backdoors and logic bombs [8]. A backdoor appears when a programmer gives themselves or others a means of future access to a system. The usual excuse is convenience: a way to skip logging in with proper credentials during development, or a mechanism for regaining access when users lock themselves out. End users generally do not want a vendor to retain such access to their systems, especially as a backdoor can easily fall into the wrong hands. Backdoors take several forms: a hardcoded account, where a fixed username and password always grant access; a default password that users forget, or never bother, to change; and hidden access channels that bypass the normal authentication process entirely. A logic bomb is another kind of malware that works by modifying existing code. A condition (a specific date or time, specific content in a file, a specific result from an API call) is coded to trigger the execution of a harmful payload [9, 10]. A typical scenario is a programmer who plants a payload that stays dormant as long as he or she appears in the system every day; once the programmer disappears, for example after being fired, the payload activates.
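The hardcoded-credential backdoor described above, as an added illustration that is not code from the chapter: a login routine with a vendor "master password" beside a hardened version that has no out-of-band credential, burns the same password derivation for unknown users and compares digests in constant time. The user store, the salt, the passwords and the master password are all constructed for the example.

```python
import hashlib
import hmac

def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (iteration count chosen for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, derived hash). Not real credentials.
_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USERS = {"alice": (_SALT, _derive("correct horse battery", _SALT))}

# Backdoored version. The vendor left a "support" password in the code so that
# locked-out customers could be helped. Anyone who reads the binary, the
# repository or a leaked build now has permanent access to every installation,
# for every username, whether or not that account exists.
MASTER_PASSWORD = "s3rv1ce-2022"   # hypothetical hardcoded credential

def login_backdoored(username: str, password: str) -> bool:
    if password == MASTER_PASSWORD:          # the backdoor: bypasses the user store entirely
        return True
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return _derive(password, salt) == stored  # also a non-constant-time comparison

# Hardened version. No out-of-band credential at all; recovery goes through an
# audited reset flow, not through code. Unknown users still pay for a PBKDF2
# derivation, so response time does not reveal which usernames exist, and the
# final comparison is constant-time.
_DUMMY = (_SALT, _derive("placeholder", _SALT))

def login_hardened(username: str, password: str) -> bool:
    salt, stored = USERS.get(username, _DUMMY)
    candidate = _derive(password, salt)       # always computed, even for unknown users
    return username in USERS and hmac.compare_digest(candidate, stored)
```

Searching a code base for literal string comparisons against a password parameter, as in the backdoored version, is the cheapest check for this class of backdoor; it will not find the subtler forms (undocumented network channels) that the text also mentions.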

2.3 Advanced malware techniques

This class of malware is designed to escape detection by ordinary anti-malware defenses. Three good examples are rootkits, polymorphic viruses and armored viruses. A rootkit takes its name from the root account, the superuser account that has unrestricted access to the system's resources and whose privileges are normally reserved for the system administrator [11]. After gaining access to an ordinary user account, an attacker escalates to that unrestricted access and installs a rootkit to keep it. A rootkit is best understood as software that hides other software: it conceals the attacker's files, processes and network connections from the system's own tools. Rootkits can deliver a variety of payloads, including backdoors, botnet agents, adware and spyware. They operate either in user mode or in kernel mode, and each has a trade-off. A user-mode rootkit runs with ordinary privileges and is relatively easy to write but also comparatively easy to detect, since the kernel and security tools still see the true state of the system; a kernel-mode rootkit runs with the kernel's privileges and is much harder to write, but once installed it can subvert the kernel itself and is correspondingly hard to detect.

Polymorphic viruses are advanced viruses built to defeat signature detection. Signature detection is an important technique for isolating viruses: it discovers patterns in known malicious code, stores them in a database and matches files against that database. A polymorphic virus escapes signature detection by changing its appearance, not its behavior, from one infection to the next, so that the virus file looks different on every system it attacks and no stored signature matches. One clear method is to encrypt the virus body with a different key on each infected system, so that the file bytes are entirely different each time; only a small loader stub, which holds the decryption key and restores the original code at run time, stays the same.
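The encryption trick just described, as an added toy model that is not code from the chapter and is deliberately harmless (the "body" is a line of text, not executable code). It shows why a signature taken over the file bytes fails against two instances of the same virus, while a signature taken after the loader has run, which is what emulation-based scanners do, still matches. The names and the one-byte XOR "cipher" are simplifications chosen for brevity; a real polymorphic engine uses a stronger cipher and mutates the loader stub as well.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for a virus body. In real malware this is the malicious code;
# here it is inert text, so the example can be run safely.
PAYLOAD = b"print('this is the invariant body of the toy virus')"

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def make_variant(key: Optional[int] = None) -> bytes:
    """One polymorphic instance: a fixed 3-byte loader marker, the one-byte key,
    then the body encrypted under that key. A fresh key gives a new byte string
    for exactly the same behaviour."""
    if key is None:
        key = os.urandom(1)[0] | 1      # odd and never 0, so the body is never left in clear
    return b"LDR" + bytes([key]) + xor(PAYLOAD, key)

def run_variant(blob: bytes) -> bytes:
    """What the loader stub does at run time: read its key and restore the body."""
    if blob[:3] != b"LDR":
        raise ValueError("not a variant produced by make_variant")
    return xor(blob[4:], blob[3])

def file_signature(blob: bytes) -> str:
    """A naive signature as a static scanner might store it: hash of the file bytes."""
    return hashlib.sha256(blob).hexdigest()

def emulated_signature(blob: bytes) -> str:
    """Signature of what the code looks like after the loader has run; this is the
    part that stays constant across variants."""
    return hashlib.sha256(run_variant(blob)).hexdigest()

if __name__ == "__main__":
    a, b = make_variant(0x5A), make_variant(0xA5)
    print("file signatures differ:", file_signature(a) != file_signature(b))
    print("emulated signatures match:", emulated_signature(a) == emulated_signature(b))
```

The fixed `LDR` marker is the weak point of this toy, and of real polymorphic engines: whatever the loader cannot vary is what signature writers target, which is why later engines (metamorphic viruses) rewrite the loader too.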

The third advanced type, the armored virus, is designed to resist the reverse-engineering techniques normally used to analyze a virus in depth at the machine-code or assembly level, the DNA of the attacking virus. Its techniques include writing the code in obfuscated assembly that hides its true intent, blocking or detecting the system debugger and defeating the sandboxes used to isolate and observe suspicious code.

2.4 Botnets

A botnet arises when an attacker takes control of a network of computers, for example by a worm propagating outward from a single infected machine. The attacker's intention is to steal the computing power, storage or network connectivity of these systems by enrolling them in the botnet, which can be thought of as a collection of zombie computers connected for malicious purposes [12]. Once the attacker has compromised a system by any of the techniques discussed earlier, he or she joins it to the botnet, where it waits for further instructions. Attackers usually sell or rent their botnets to others for spam delivery, distributed denial-of-service attacks, brute-force password cracking or cryptocurrency mining; in every case the infected systems' storage, computing power and connectivity have effectively been stolen. Attackers rarely communicate directly with infected systems, since a direct connection would be discovered by the security analysts and cut off. Instead they use indirect command-and-control mechanisms that hide their true location, and usually combine several of these techniques at once so as to keep control of the botnet for as long as possible.


3. Threat intelligence

Threat intelligence is the adoption of best practices for identifying the latest security threats and the risks they pose to an organization's functions and operations [13]. It is a very important part of any organization's cybersecurity program. Applied effectively, it can significantly strengthen security by keeping the organization up to date on the latest threats and on how to deal with the associated risks quickly and accurately. A threat intelligence analyst, a role much in demand today, should keep a few points in mind. The first is effective information gathering from trusted open sources: security websites, news media, social media, government-sponsored security centers and security research centers. With such information, penetration tests can be run to measure the readiness and effectiveness of the defensive lines [14].

Threat intelligence centers can do much to raise readiness and maturity against current threat trends through security briefings that summarize the latest critical issues. One example is educating audiences about IP reputation services, which provide real-time information about IP addresses involved in suspected attacks; that information can be fed directly into firewalls, intrusion prevention systems and other security tools. Threat intelligence sources are evaluated on three main criteria: timeliness, that is, how quickly the source reacts to a new threat; accuracy in identifying the threat; and reliability in supporting the necessary defensive action.

3.1 Development cycle of threat intelligence

Cybersecurity analysts conducting threat intelligence should follow a sound methodology in developing their techniques and solutions [15]. The intelligence cycle is commonly defined by five phases. In the first phase, requirements, the intelligence professionals learn from top management what kind of information they should gather; these requirements usually reflect the main concerns of the organization's end clients or customers. The second phase is collection of the raw facts. Analysis, the third phase, turns the collected facts into actionable intelligence; for example, intrusion detection logs can be gathered and analyzed in response to a rise in attacks on SSH. In the fourth phase, dissemination, useful findings are shared with the end clients in the form of technical reports to support informed decisions. Finally, feedback is gathered from the end clients to determine their level of satisfaction and how collection efforts should be improved in future [16].
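An illustration of the analysis phase, added here rather than taken from the chapter: the "rise in attacks on SSH" example above, carried through on a handful of constructed sshd log lines. The host name, the addresses (from the documentation ranges) and the timestamps are made up, and the threshold and window are assumptions; the point is that the output distinguishes a noisy brute-force source from the one finding that needs an immediate response, a password login that succeeded after a burst of failures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd excerpt in syslog format; host, addresses and times are invented.
AUTH_LOG = """\
May 19 10:02:11 web01 sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
May 19 10:02:13 web01 sshd[4125]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
May 19 10:02:14 web01 sshd[4127]: Failed password for root from 203.0.113.45 port 51034 ssh2
May 19 10:02:16 web01 sshd[4129]: Failed password for root from 203.0.113.45 port 51040 ssh2
May 19 10:02:18 web01 sshd[4131]: Failed password for root from 203.0.113.45 port 51044 ssh2
May 19 10:02:21 web01 sshd[4133]: Accepted password for root from 203.0.113.45 port 51050 ssh2
May 19 10:05:02 web01 sshd[4201]: Failed password for alice from 198.51.100.7 port 40122 ssh2
May 19 10:05:09 web01 sshd[4203]: Accepted publickey for alice from 198.51.100.7 port 40124 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log: str) -> list:
    """Turn raw lines into event dicts; lines that are not authentication results are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # year-less, fine for deltas
            events.append(e)
    return events

def analyse(log: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Classify each source address.
    'brute-force':  at least `threshold` failures inside any `window_s`-second window.
    'compromised':  the same, followed by an Accepted *password* login from that source."""
    by_ip = defaultdict(list)
    for e in parse(log):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, events in by_ip.items():
        fails = [e["ts"] for e in events if e["result"] == "Failed"]
        burst = 0
        for i, start in enumerate(fails):  # largest number of failures in any window
            burst = max(burst, sum(1 for t in fails[i:] if (t - start).total_seconds() <= window_s))
        if burst < threshold:
            continue
        success_after_burst = any(
            e["result"] == "Accepted" and e["method"] == "password"
            and sum(1 for t in fails if t <= e["ts"]) >= threshold
            for e in events
        )
        findings[ip] = "compromised" if success_after_burst else "brute-force"
    return findings

if __name__ == "__main__":
    for ip, verdict in analyse(AUTH_LOG).items():
        print(f"{ip}: {verdict}")
```

The single failure from 198.51.100.7 followed by a key-based login is what a legitimate user mistyping a password looks like, and it stays below the threshold; the disseminated report should carry only the first address, with the successful root login as the headline.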

3.2 Threat indicator tools

Threat indicators are the properties that describe a threat and are used to identify it: IP addresses, signatures of malicious files, distinctive communication patterns and any other identifier useful in cybersecurity. For threat intelligence to be shared, all collaborators must speak a common language; once that is in place, a threat detected with these tools can be reported to others easily, efficiently and even automatically [17]. The first important tool for information sharing is Cyber Observable Expression (CybOX), a scheme for categorizing security observations that helps describe the properties of an intrusion attempt or of malicious software. The second is Structured Threat Information Expression (STIX), a standardized language for communicating security information between organizations and their systems; it builds on the observable properties from CybOX and presents them in an easy-to-use structured form. (In STIX version 2, CybOX is no longer a separate standard; its observables were folded into STIX as Cyber-observable Objects.) Trusted Automated Exchange of Indicator Information (TAXII) is a set of services for sharing security information effectively between organizations and their systems. In short, TAXII is the transport framework for exchanging messages written in the STIX language [18].
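An added example, not code from the chapter or from the OASIS reference implementation, of what "one common language" looks like in practice: it builds two STIX 2.1 Indicator objects by hand with only the standard library, wraps them in a Bundle as a TAXII collection would serve it, and matches the indicators against locally observed values. The IP address, the hash and the names are constructed; only the simplest STIX pattern form is handled, and the object layout follows the required properties of the STIX 2.1 specification.

```python
import json
import re
import uuid
from datetime import datetime, timezone

def _timestamp() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def make_indicator(pattern: str, name: str) -> dict:
    """A minimal STIX 2.1 Indicator: the required properties plus a human-readable name."""
    ts = _timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }

def make_bundle(objects: list) -> str:
    """Serialize objects as a STIX Bundle, the envelope a TAXII collection hands back."""
    return json.dumps({"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
                       "objects": objects}, indent=2)

# Only the simplest pattern form is supported here:  [<object-type>:<property> = '<value>']
_SIMPLE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+) = '(?P<val>[^']*)'\]$")

def compile_pattern(pattern: str) -> tuple:
    m = _SIMPLE.match(pattern)
    if not m:
        raise ValueError("unsupported pattern: " + pattern)
    return m.group("obj"), m.group("prop"), m.group("val")

def _lookup(observation: dict, prop: str):
    # resolve a dotted property such as hashes.'SHA-256' against a nested dict
    cur = observation
    for part in prop.replace("'", "").split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def match_observations(bundle_json: str, observations: list) -> list:
    """Apply every indicator in the bundle to local observations, which are dicts shaped
    like STIX observables: {"type": "ipv4-addr", "value": ...} or
    {"type": "file", "hashes": {"SHA-256": ...}}. Returns (indicator name, observation)."""
    hits = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        otype, prop, value = compile_pattern(obj["pattern"])
        for ob in observations:
            if ob.get("type") == otype and _lookup(ob, prop) == value:
                hits.append((obj["name"], ob))
    return hits

# Constructed feed and local observations. The address is from a documentation range;
# the hash is SHA-256 of empty input, standing in for a real malware hash.
C2_IP = "203.0.113.45"
DROPPER_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
FEED = make_bundle([
    make_indicator("[ipv4-addr:value = '%s']" % C2_IP, "Botnet C2 address (constructed)"),
    make_indicator("[file:hashes.'SHA-256' = '%s']" % DROPPER_SHA256, "Dropper hash (constructed)"),
])
OBSERVED = [
    {"type": "ipv4-addr", "value": "198.51.100.7"},
    {"type": "ipv4-addr", "value": C2_IP},
    {"type": "file", "name": "update.exe", "hashes": {"SHA-256": DROPPER_SHA256}},
]

if __name__ == "__main__":
    for name, ob in match_observations(FEED, OBSERVED):
        print(name, "->", ob)
```

Real feeds carry compound patterns (`AND`, `OR`, `FOLLOWEDBY`, time windows) that this matcher rejects rather than silently ignores; a production consumer should use a full STIX pattern engine, but the object shapes and the bundle envelope are exactly what a TAXII client receives.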

3.3 Threat intelligence information sharing

The tools just discussed, TAXII, STIX and CybOX, enable threat intelligence to be shared between organizations and systems. They add security value to several business functions within an organization: the incident response team, the vulnerability management team, the risk management team, the security engineering team and the detection and monitoring team. The key achievement is automated sharing of information between the tools and these teams. Collaborative threat sharing between organizations is highly recommended and increasingly required; to facilitate it, Information Sharing and Analysis Centers (ISACs) bring together cybersecurity teams from different organizations in a specific industry so that they can share security information confidentially [19].

3.4 Use cases where threat intelligence is a highly effective solution

Some use cases that show the value of threat intelligence in detecting and treating security problems are: detecting unauthorized network connections; monitoring events that change user credentials; monitoring antivirus logs and identifying insecure open ports and services; managing replicas to ensure data protection; and generating compliance reports in suitable formats from collected system and security logs. Compliance with regulations such as GDPR can be improved considerably by applying threat intelligence to the data protection use cases: verifying and auditing security controls, enabling periodic reporting to data owners through structured access to log information, monitoring critical changes to user credentials and managing data breaches by handling security alerts and analyzing the full impact of each incident.


4. Threat modeling

To be performed effectively, threat modeling needs some preparatory steps: conducting threat research, then identifying and understanding the different types of possible threat [20, 21]. Once an organization can model possible threats effectively, threat hunting can be performed to reduce and manage its cybersecurity threats significantly.

4.1 Conducting threat research

This step is important for understanding the environment in which the organization operates and the motivations and capabilities of its potential attackers, which in turn leads to a better understanding of how to defend against them. The aim of threat research is to know how attackers think and behave. Two techniques are used to identify potential threats. The first is reputational threat research, which identifies potential attackers by the IP addresses, e-mail addresses and domains previously involved in attacks; blocking future connections from these sources is good practice. The second is behavioral threat research, which identifies potential malicious actors by the similarity of their behavior to attacks observed in the past [22].

4.2 Threat identification and understanding the different types of attack

To help the organization track different types of threat efficiently, security professionals should use threat modeling techniques that classify potential threats and categorize them by degree of risk. A structured approach to threat identification can be taken in three ways. The first is asset-focused: analysts work from the organization's asset inventory and identify the potential threats to each asset. The second is threat-focused: analysts enumerate all the threats that might affect the organization's information systems, for example the different techniques by which an attacker might gain access to the network, whether the attacker is an outsider, a trusted partner or an employee. The third is service-focused: analysts identify the impact of various threats on each service, which matters when an organization's services are delivered by different providers. For example, when an organization exposes an API to the public, it is good practice to consider every interface the API offers and the threats associated with each. Properly identifying the threats the organization may face is the first step in the threat modeling process [23].

Once the threats have been identified, security analysts move on to understanding the possible attacks. The most commonly used model for categorizing attacks is Microsoft's STRIDE model, in which each letter stands for a category. S is spoofing, where the attacker uses falsified identity information to gain access; the best control is strong authentication. T is tampering, an attack that makes unauthorized changes to the system and undermines data integrity. R is repudiation, where the attacker denies responsibility for an action or even shifts the blame to a third party; digital signatures are a very useful control here. I is information disclosure, the theft and public exposure of confidential information. D is denial of service (DoS), which tries to prevent legitimate users from reaching the information or systems they need. E is elevation of privilege, also known as privilege escalation, in which an attacker turns an ordinary user account into a superuser or root account in order to exceed the privileges legitimately granted [24]. A system diagram showing data flows and the relations between system modules is very helpful for understanding the impact of each attack on the organization. Such diagrams support reduction analysis, which breaks the system into smaller components so that each can be assessed on its own; this simplifies complex systems enough to allow a thorough security review.

Two terms should be clear to the security analyst: the total attack surface, which comprises all the systems and services that could serve as entry points for an attacker, and the attack vector, the means an attacker uses to gain initial access to a system or network [25].

4.3 Threat modeling as threat risk management

Threat modeling takes several factors into account. The first is the capability of the attackers: understanding the level of sophistication and the tools available to potential attackers gives a better picture of how they might approach the organization. The second is the total attack surface and the potential attack vectors, the two key characteristics that determine what kinds of attack must be faced. The third is impact, used to prioritize the different threats. The fourth is likelihood; combining the impact a threat would have if it occurred with the likelihood of it materializing gives the threat's risk. As a matter of best practice, threat modeling should periodically prompt a fresh analysis of the security infrastructure. A significant benefit of effective threat modeling is that it reveals recurring weaknesses, such as repeated data theft or leakage, which may indicate the need for a control such as a data loss prevention (DLP) system [26].

4.4 Effective threat hunting after proper threat modeling

Threat hunting is an organized, systematic approach to discovering indicators of compromise on networks using a range of analytical techniques [27]. It combines proven security techniques with new analytic tools and technologies to monitor for and track signs of suspicious activity. Google Trends gives a good illustration of how rapidly threat hunting has grown as organizations have adopted it. Threat hunting requires a shift of mindset from defense to offense: the hunter thinks like an attacker targeting the organization. Effective hunting begins with hypotheses, which may be based on profiles of threat actors and their known activities or on likely vulnerabilities in the organization's information. Once the hypotheses are formulated, attention turns to the indicators of compromise that would be present if a hypothesis were true. These indicators are any unusual signs in the system: unknown binaries or binaries with malicious content, unexpected modifications, unexpected processes, unusual patterns of resource consumption, the presence of unexpected accounts, deviations from normal network traffic patterns, unexplained log entries and unapproved configuration changes. These indicators are the core of the threat hunting process [28].
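The hypothesis-driven hunt described above, as an added example that is not part of the chapter: four hypotheses, each tied to the artefact class in which its indicators would appear, are tested by comparing a constructed "current" snapshot of one host against an approved baseline. The snapshots, the hypotheses and the shortened hash values are all invented for the example; in practice the snapshots would come from the host's account database, socket table, scheduler and a file-integrity tool.

```python
# Each hypothesis names the artefact class in which its indicators of compromise would show up.
HYPOTHESES = {
    "accounts":  "H1: persistence through an unexpected local account",
    "listening": "H2: unexpected listening service (backdoor or bot agent)",
    "cron":      "H3: persistence through an unapproved scheduled task",
    "binaries":  "H4: system binary replaced (user-mode rootkit)",
}

# Constructed approved baseline of one host (hash values shortened for the example).
BASELINE = {
    "accounts":  {"root", "alice", "www-data"},
    "listening": {("tcp", 22, "sshd"), ("tcp", 443, "nginx")},
    "cron":      {"0 3 * * * /usr/local/bin/backup.sh"},
    "binaries":  {"/bin/ls": "sha256:1111", "/usr/sbin/sshd": "sha256:2222"},
}

# Constructed current snapshot: one planted indicator per hypothesis.
SNAPSHOT = {
    "accounts":  {"root", "alice", "www-data", "support"},
    "listening": {("tcp", 22, "sshd"), ("tcp", 443, "nginx"), ("tcp", 4444, "nc")},
    "cron":      {"0 3 * * * /usr/local/bin/backup.sh", "@reboot /tmp/.x/run"},
    "binaries":  {"/bin/ls": "sha256:9999", "/usr/sbin/sshd": "sha256:2222"},
}

def hunt(baseline: dict, current: dict) -> list:
    """Test every hypothesis and return (hypothesis, evidence) pairs. Anything in the
    current snapshot that the approved baseline cannot explain counts as evidence."""
    findings = []
    for key, label in HYPOTHESES.items():
        base, cur = baseline[key], current[key]
        if isinstance(base, dict):
            # hash-keyed inventory: a new path or a changed hash is the indicator
            for path in sorted(cur):
                if path not in base:
                    findings.append((label, f"{path}: new file"))
                elif cur[path] != base[path]:
                    findings.append((label, f"{path}: hash {base[path]} -> {cur[path]}"))
        else:
            # set-valued inventory: anything present now but absent from the baseline
            for item in sorted(cur - base):
                findings.append((label, str(item)))
    return findings

def confirmed_hypotheses(findings: list) -> set:
    """The hypotheses for which at least one indicator was found."""
    return {label for label, _ in findings}

if __name__ == "__main__":
    for label, evidence in hunt(BASELINE, SNAPSHOT):
        print(f"{label}\n    evidence: {evidence}")
```

A hypothesis with no evidence is not a wasted hunt: it is the result that lets the team retire that hypothesis and move to the next. The comparison only works as well as the baseline, so the baseline itself must be captured from a known-good build and stored where a compromised host cannot rewrite it.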

4.5 Overall advantages and limitations of threat modeling

Threat modeling benefits the security team, and the safety of the organization's technology assets, in six main ways:

  • Reducing attack surface: the attack surface here can be considered as the total number of vulnerabilities that an organization might be exposed to across the entire enterprise environment. This can be achieved as the ability to identify, track and maintain list of vulnerabilities to help security team take the important steps to mitigate them. Also, reducing the attack complexity is another very important benefit of adopting threat modeling in reducing attack surface. This can be accomplished by helping the team to breakdown a system and look at it from different perspectives to better understand it from end to end and this can help a lot in preventing risks to be propagated into end line. In this context, it is worthy to mention also that threat modeling in reducing the area of exposure and minimizing the attack surface of a system.

  • Prioritizing threads, mitigation efforts and budgeting: threats modeling help organization quantifying risks and vulnerabilities and focus their attention and resources to minimize surface attacks in purposeful and effectives ways.

  • Identify and eliminate single point of failure: organizations adopting a layered view of defensive tools to protect their assets can gain the advantage of reducing the chance that allow cyber attackers to take the maximum benefit of a single point of failure in a system.

  • Understand the complete cyber kill chain: the kill chain breaks down the security individual steps and tactics, then evaluate and test for risks and communicate for each of them. This is in the line of the efforts to allow organizations to stop security threats at each stage.

  • Improve organization’s security maturity: by quantifying existing security practices, monitor security adopted programs and better structuring of security evaluation standards and policies.

  • Improve organizational security posture at the individual application level: the aspects of achieving this can be highlighted as increase operational feasibility as developers can focus their attention on developing fixes and innovative service while security experts ensure solid controls are in place. Also, quality assurance can be more guaranteed at the early stage of the system which is the design phase as the key security mitigations can be considered as secure coding guidelines. Threat modeling also improves collaboration by mixing perspectives and experiences of different security professional teams.

Although threat modeling helps in many ways to stop and mitigate security breaches and attacks, there are still considerable challenges to its wide practical deployment and adoption. These challenges fall into five main areas:

  1. Challenge 1: Saturation of threat modeling processes

    The sheer number of available threat modeling methodologies can create confusion, especially for teams that lack deep security expertise. This may lead to poor choices of defense policies or cybersecurity investments.

  2. Challenge 2: Scaled-up modern application deployment

    The migration of IT applications from physical servers and network infrastructure to cloud computing infrastructure has added new complexities related to responsibilities, expanded technologies, scope changes and associated risks, which development teams cannot usually handle easily.

  3. Challenge 3: More system entry points that are still not well recognized

    The most obvious examples are modern cloud service providers such as AWS, where many entry points are not yet well recognized, including the publicly exposed management plane, APIs and services. These are significantly more complex than the familiar entry points, especially when they must be captured in Data Flow Diagrams (DFDs) and Process Flow Diagrams (PFDs).

  4. Challenge 4: Vulnerabilities arising from modern authentication security tokens

    In AWS, for example, temporary authentication tokens are transferable and can be used outside the application environment they were issued to. This certainly creates a new security threat to be considered.

  5. Challenge 5: Difficulty in breaking down threats and understanding the actual risk

    In some cases it is difficult to determine the high-level threats and then break them into sub-threats that are easier to deal with. It can also be challenging to identify the failure conditions in the system that lead to threats, and a deeper understanding of these conditions is always preferable when trying to understand and mitigate risks. Security teams need the right framework and techniques for robust application security in order to predict possible future attack scenarios effectively.
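To make the attack-surface and entry-point benefits concrete, and to show how Challenge 3’s entry points can be made explicit in a DFD, the following added example (not from the chapter) applies STRIDE-per-element to a small data flow diagram. The application, its trust zones and the zone ordering are all constructed assumptions; the element-to-STRIDE mapping is the usual one (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D).

```python
# Added example: STRIDE-per-element over a constructed, hypothetical DFD.
# Each element carries the trust zone it sits in; flows that enter a more
# trusted zone are the entry points that make up the attack surface and are
# ranked first when prioritising threats.

STRIDE_BY_ELEMENT = {            # which STRIDE categories apply to which element kind
    "external": "SR",
    "process":  "STRIDE",
    "store":    "TRID",
    "flow":     "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}
TRUST = {"internet": 0, "dmz": 1, "internal": 2}   # higher = more trusted (assumed)

# element name -> (kind, trust zone); constructed example web application
ELEMENTS = {
    "browser": ("external", "internet"),
    "api":     ("process",  "dmz"),
    "worker":  ("process",  "internal"),
    "db":      ("store",    "internal"),
}
FLOWS = [("browser", "api"), ("api", "db"), ("api", "worker"), ("worker", "db")]


def crosses_boundary(src, dst, elements=ELEMENTS):
    """True when data moves from a less trusted zone into a more trusted one."""
    return TRUST[elements[src][1]] < TRUST[elements[dst][1]]


def entry_points(elements=ELEMENTS, flows=FLOWS):
    """Flows entering a more trusted zone: the attack surface to shrink first."""
    return [(s, d) for s, d in flows if crosses_boundary(s, d, elements)]


def enumerate_threats(elements=ELEMENTS, flows=FLOWS):
    """STRIDE-per-element: one candidate threat per (element, applicable category)."""
    threats = []
    for name, (kind, _zone) in elements.items():
        for s in STRIDE_BY_ELEMENT[kind]:
            threats.append({"target": name, "threat": STRIDE_NAMES[s],
                            "entry_point": False})
    for src, dst in flows:
        for s in STRIDE_BY_ELEMENT["flow"]:
            threats.append({"target": f"{src}->{dst}", "threat": STRIDE_NAMES[s],
                            "entry_point": crosses_boundary(src, dst, elements)})
    return threats


def prioritised(threats):
    """Threats on boundary-crossing flows first, then the rest, in a stable order."""
    return sorted(threats, key=lambda t: (not t["entry_point"], t["target"], t["threat"]))


if __name__ == "__main__":
    print("entry points:", entry_points())
    for t in prioritised(enumerate_threats())[:6]:
        print(t)
```

Removing or consolidating a flow that appears in entry_points() shrinks the attack surface in the sense used above; adding a new cloud management-plane element to ELEMENTS with zone "internet" is how a previously unrecognised entry point (Challenge 3) becomes visible to the model.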


5. Environmental reconnaissance

Reconnaissance, in the context of cybersecurity, is the practice of discovering and collecting information about a system in order to facilitate an attack on it. Many tools can be used for reconnaissance; the following sections explain them under related categories [29].

5.1 Social engineering techniques as reconnaissance tools

Social engineering attacks use psychological tricks to manipulate people into taking actions, such as revealing sensitive information, that can seriously harm the organization’s security [30]. A classic example is an attacker who pretends to be a help desk technician and tries to talk a user into revealing a password over the telephone. Social engineering is essentially a confidence trick run online, and six main factors make such attacks feasible: authority and trust, intimidation, consensus and social proof, scarcity, urgency, and familiarity and liking. With authority and trust, users follow the orders of an unauthorized person because of perceived authority and an assumption of trust. Intimidation pushes people to do things they should not by threatening that something bad will happen to them or to their organization. With consensus and social proof, individuals who are unsure how to react to a situation look to others and copy their behavior; this is sometimes called the herd mentality. Scarcity works by making people believe they will miss out if they do not act quickly; for example, an attacker may persuade staff to install an unauthorized Wi-Fi router in the office by claiming to be upgrading the existing Wi-Fi and that only one unit of the new model is left [31]. Urgency creates pressure to act immediately because time is running out. Finally, with familiarity or liking, the social engineer uses flattery, false compliments or even fake relationships to appeal to the target’s good side and so influence their actions.

In conclusion, a cybersecurity analyst should be aware that attackers can use any of these social engineering techniques against the organization in an attempt to gather critical information and influence people’s actions.

5.2 DNS harvesting as reconnaissance tools

Domain names and their associated IP addresses are an excellent starting point for gathering information about the true owners of systems, and several utilities help to learn more about remote systems. The first step is usually to learn about the host behind a domain name; DNS translates domain names to IP addresses [32], and these lookups can be performed manually. On Linux and macOS the dig command is the primary tool; on Windows the nslookup command works in much the same way. In other cases the starting point is an IP address, for example the source of suspicious log entries or a host that appears in netstat output. Whichever is in hand, the whois utility reveals the ownership of a particular domain name or IP address. Whois lookups are also offered by many web sites. Such a site reports the registrant organization of a domain, the registrar through which it was registered and when it was created and renewed, and may even give the contact information of the owner (e-mail address, street address and telephone number) should there be a need to communicate with them about the domain. The same sites can look up an IP address and report which organization it is registered to, along with the contact information for that organization [33].

Another very useful reconnaissance tool in this context is reverse whois lookup, which finds all domain names associated with an e-mail address and so shows how different domain names are related to one another. A wide variety of reverse whois tools is available on the Internet. They are valuable to an attacker targeting a particular domain because they reveal who owns it and what other domains the same owner controls [34].
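The pivot that reverse whois performs can be reproduced offline over a set of whois records. The following added example (not from the chapter, and not using any real registration data) parses constructed whois-style records and indexes them by registrant e-mail and by name server so that, starting from one domain, the other domains that share those attributes can be found. The record format and field names are simplified assumptions modelled on typical whois output.

```python
import re
from collections import defaultdict

# Constructed whois-style records using reserved example names (not real data).
WHOIS_RECORDS = """\
Domain Name: example.com
Registrant Organization: Example Corp
Registrant Email: hostmaster@example.com
Name Server: ns1.example.net
Creation Date: 2010-01-05

Domain Name: example.org
Registrant Organization: Example Corp
Registrant Email: hostmaster@example.com
Name Server: ns1.example.net
Creation Date: 2012-03-20

Domain Name: example.net
Registrant Organization: Other Org
Registrant Email: admin@other.example
Name Server: ns1.nameserver.example
Creation Date: 2015-07-01
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.+)$")


def parse_whois(text):
    """Split blank-line-separated records into dicts keyed by lower-case field name."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1).strip().lower()] = m.group(2).strip()
    if cur:
        records.append(cur)
    return records


def reverse_index(records, key):
    """Map each value of `key` (e.g. registrant e-mail) to the set of domains using it."""
    idx = defaultdict(set)
    for r in records:
        if key in r:
            idx[r[key].lower()].add(r["domain name"].lower())
    return idx


def related_domains(records, domain, pivot_keys=("registrant email", "name server")):
    """Reverse-whois style pivot: domains sharing any pivot attribute with `domain`."""
    target = next(r for r in records if r["domain name"].lower() == domain.lower())
    related = set()
    for key in pivot_keys:
        if key in target:
            related |= reverse_index(records, key)[target[key].lower()]
    related.discard(domain.lower())
    return sorted(related)


if __name__ == "__main__":
    recs = parse_whois(WHOIS_RECORDS)
    print(related_domains(recs, "example.com"))
```

Running the same pivot against one’s own domains, as recommended below, shows exactly which sibling domains and shared infrastructure an attacker could link together from public registration data.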

In conclusion, every cybersecurity analyst should run these tools and techniques against their own organization’s IP addresses and domain names to learn what a potential attacker could discover about the organization.

5.3 Network scanning and mapping

The most important information an attacker looks for when targeting an organization’s network is the network topology and how hosts are connected to it, the open communication ports on each server, and the fingerprint of the running operating system. The most important tools here are Nmap and Zenmap [35]. They identify the connected hosts and the topology of the network, discover open service ports and identify the server operating system and its version. For example, a scan report may show a server listening on TCP port 3389, which is the port used by Microsoft Remote Desktop Services. The difference between the two is that Zenmap is the graphical front end to Nmap: it draws the discovered network topology and lets the analyst focus on a particular host and examine its open service ports and OS fingerprint [36].
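In practice the scan results are consumed from Nmap’s machine-readable output rather than read off the screen. The following added example (not code from the chapter or from the Nmap project) parses a constructed excerpt in the element layout Nmap writes with -oX, extracts up hosts, open ports, service banners and the OS match, and flags exposed management services such as the Remote Desktop port mentioned above. The host address, services and OS match are sample data, and the list of “management” ports is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the layout written by `nmap -sV -O -oX scan.xml`
# (sample data, not a real scan; 192.0.2.0/24 is a documentation range).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="93"/></os>
  </host>
</nmaprun>
"""

# Ports that should normally not be reachable from an untrusted network (assumed list).
RISKY_MGMT_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


def parse_nmap(xml_text):
    """Return a list of up hosts with their open ports, service banners and OS match."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        addr = h.find("address").get("addr")
        os_el = h.find("os/osmatch")
        ports = []
        for p in h.iter("port"):
            if p.find("state").get("state") != "open":
                continue                      # filtered/closed ports are not attack surface
            svc = p.find("service")
            banner = ""
            if svc is not None:
                banner = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            ports.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                          "service": svc.get("name") if svc is not None else "",
                          "product": banner})
        hosts.append({"addr": addr,
                      "os": os_el.get("name") if os_el is not None else None,
                      "ports": ports})
    return hosts


def exposed_management(hosts):
    """(address, port, label) for every open port that is a remote-management service."""
    return [(h["addr"], p["port"], RISKY_MGMT_PORTS[p["port"]])
            for h in hosts for p in h["ports"] if p["port"] in RISKY_MGMT_PORTS]


if __name__ == "__main__":
    scanned = parse_nmap(NMAP_XML)
    for host in scanned:
        print(host["addr"], host["os"], [(p["port"], p["service"]) for p in host["ports"]])
    print("exposed management services:", exposed_management(scanned))
```

Note that port 445 is reported as filtered and is therefore excluded: a firewall between the scanner and the target changes what the scan can see, which is the point made in Section 5.7.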

5.4 Passive and active enumeration tools

Passive enumeration tools such as Wireshark gather information about a network without directly interacting with it or announcing their presence. Active enumeration tools, on the other hand, interact directly with the target systems and so capture more complete information, at the risk of being noticed by the system administrator. Nmap, for example, performs port scanning by sending probes to the remote server, so it is an active enumeration tool. Another example is hping, which can probe specific TCP ports such as port 80 (HTTP), port 443 (HTTPS) or port 22 (Secure Shell) [36]. With hping the analyst can determine how a system’s security is configured and look for potential vulnerabilities; it is particularly useful because it lets the content of each sent packet be customized field by field for advanced penetration testing. Another interesting enumeration tool, an opportunistic Python script, is Responder. It waits for broadcast name-resolution requests (LLMNR and NBT-NS) and answers them, which is why it is called opportunistic: by capturing traffic intended for other systems it tricks users’ machines into authenticating to a fake server, and it can then capture the users’ credentials for use in later attacks [37, 38].

5.5 Protocols analyzer tools

Protocol analyzers are important tools for both network engineers and cybersecurity professionals. They capture the actual packets travelling on a network and allow them to be inspected in great detail. Wireshark is the best-known tool in this category: a free and open-source packet analyzer used for network troubleshooting based on real network traffic. Troubleshooting uses include investigating dropped packets and latency issues, as well as spotting unusual traffic caused by malicious activity [39, 40].
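The two sides of Sections 5.4 and 5.5, crafting a packet field by field as hping does and dissecting it as a protocol analyzer does, are shown together in the following added example (not from the chapter or from either tool). It builds an IPv4/TCP SYN segment with correct Internet checksums, then decodes it and verifies both checksums. The addresses are from a documentation range, the IP identification value is arbitrary, and the packet is only built in memory; sending it would require a raw socket and root privileges, which the example deliberately does not do.

```python
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:                           # fold carries back into 16 bits
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_syn(src_ip, dst_ip, sport, dport, seq=0, ttl=64, window=1024):
    """Craft an IPv4 + TCP SYN segment, hping-style, with valid checksums."""
    tcp_len = 20
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum=0, urg
    tcp_no_ck = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, window, 0, 0)
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_ck = checksum(pseudo + tcp_no_ck)    # TCP checksum covers the pseudo-header
    tcp = tcp_no_ck[:16] + struct.pack("!H", tcp_ck) + tcp_no_ck[18:]
    # ver/ihl, tos, total length, id (arbitrary), flags DF, ttl, proto TCP, csum=0, src, dst
    ip_no_ck = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                           ttl, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip_ck = checksum(ip_no_ck)
    ip = ip_no_ck[:10] + struct.pack("!H", ip_ck) + ip_no_ck[12:]
    return ip + tcp


def dissect(pkt: bytes) -> dict:
    """Decode IPv4 + TCP headers and verify both checksums, as an analyzer would."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    ip_ok = checksum(pkt[:ihl]) == 0         # a valid header checksums to zero
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = off_flags & 0x1FF
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_ok = checksum(pseudo + tcp) == 0
    return {"src": src, "dst": dst, "ttl": ttl, "sport": sport, "dport": dport,
            "seq": seq, "ack_num": ack, "flags": flags,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
            "ip_checksum_ok": ip_ok, "tcp_checksum_ok": tcp_ok}


if __name__ == "__main__":
    pkt = build_syn("192.0.2.1", "192.0.2.10", 40000, 443, seq=1)
    print(pkt.hex())
    print(dissect(pkt))
```

The checksum routine is the one both IPv4 and TCP rely on, so the dissector can use the same test an analyzer applies: a header whose checksum field is intact sums to zero. Flipping any bit in the crafted segment makes tcp_checksum_ok false, which is how a capture tool spots corrupted or deliberately malformed packets.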

5.6 Tools for wireless reconnaissance

These tools analyze wireless network environments and are used mainly to test the security of a wireless network. The most common toolkit is Aircrack-ng, a collection of tools used at different stages of wireless reconnaissance. Its core components for testing wireless network security are as follows. Airmon-ng puts a wireless interface into monitor mode so that it can eavesdrop on wireless traffic. Airodump-ng captures packets from a wireless network, including the WPA handshake exchanged when a client connects. Aircrack-ng, the most important tool in the suite, recovers wireless keys: it cracks WEP keys and runs dictionary attacks against WPA and WPA2 pre-shared keys using captured handshakes. Aireplay-ng injects traffic into a wireless network; injected deauthentication frames can force legitimate wireless clients to disconnect, and the reconnection that follows produces a fresh handshake to capture [41].

Two other widely used wireless tools are Reaver and Hashcat. Reaver recovers Wi-Fi passwords by exploiting the weaknesses of Wi-Fi Protected Setup (WPS) to retrieve WPA and WPA2 passphrases [42]. As a security practice, WPS should be disabled on the access point so that the network is not vulnerable to this attack. Hashcat conducts brute-force and dictionary attacks against hashed passwords, including captured WPA and WPA2 handshakes [42, 43].
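What Aircrack-ng and Hashcat actually do with a captured WPA2 handshake is a dictionary attack on the passphrase. The following added example (not code from the chapter or from either tool) implements the key derivation defined in IEEE 802.11i: the pairwise master key from the passphrase and SSID, the pairwise transient key from the handshake nonces and MAC addresses, and the MIC over the EAPOL-Key frame, and then tries a word list until a candidate reproduces the captured MIC. The handshake (addresses, nonces and EAPOL frame) is constructed, with its MIC computed under the true passphrase so the loop has something to find; the PMK test vector (“password”/“IEEE”) is the published 802.11i one.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (64 bytes); the first 16 bytes are the KCK that authenticates the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1 over the frame."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, aa, spa, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Dictionary attack: return the candidate whose derived KCK reproduces the MIC."""
    for cand in wordlist:
        kck = wpa2_ptk(wpa2_pmk(cand, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return cand
    return None


# Constructed handshake (hypothetical AP/client addresses, nonces and EAPOL frame).
SSID = "IEEE"
AA = bytes.fromhex("020000000001")       # access point MAC
SPA = bytes.fromhex("020000000002")      # client MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_ZEROED = bytes(99)                 # EAPOL-Key frame with the MIC field zeroed
# The MIC the AP would have produced with the (unknown to the attacker) passphrase.
CAPTURED_MIC = eapol_mic(wpa2_ptk(wpa2_pmk("password", SSID), AA, SPA, ANONCE, SNONCE)[:16],
                         EAPOL_ZEROED)
WORDLIST = ["letmein", "qwerty", "password", "hunter2"]

if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
    print("recovered passphrase:", crack(SSID, AA, SPA, ANONCE, SNONCE,
                                         EAPOL_ZEROED, CAPTURED_MIC, WORDLIST))
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is why these attacks are GPU-bound and why passphrase length and entropy, not the strength of AES, decide whether a WPA2-PSK network survives a captured handshake.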

5.7 The different perspectives of network security reconnaissance

It is extremely important to understand the different perspectives from which a network can be viewed when conducting network reconnaissance. The various levels of network security controls significantly limit both the access a scan obtains and the accuracy of its results. Network devices such as firewalls, intrusion detection systems, switches and routers all restrict access to network resources and at the same time limit how accurately the network can be scanned [44]. Consequently, the open ports that are visible differ depending on whether the scan is run from inside or outside the network, because the restrictive firewall rules apply differently in each case. In short, internal and external scans provide different views of the network: an external scan shows the analyst what an attacker on the Internet could potentially reach, while an internal scan shows the view available to an internal attacker, and both are important. Beyond the internal and external perspectives, other aspects also affect the results of network reconnaissance: whether the scanned systems are physical or virtual servers, whether they run on-premises or in the cloud, and whether they are wired or wireless [45].


6. Cloud-based security services

Over the past decade cloud computing has been the most transformative development in information technology, and most organizations around the world are adapting and retooling their entire IT strategies around it. In its simplest definition, the cloud is the delivery of computing resources and services to remote clients over a network. Accessing a Gmail account is a use of cloud computing: Google provides an e-mail service over the Internet, and the end user need not know or care about the massive technical infrastructure that makes Gmail work. Building a server in Amazon Web Services is likewise cloud computing: Amazon makes it appear to be the customer’s own server, but it is in fact a virtual server running in a massive Amazon data center on hardware shared with many other customers at the same time. The technology that makes this possible is invisible to end users. Even writing scripts that automatically follow up with clients is a cloud use case when the script that sends the follow-up e-mail runs on Salesforce’s cloud-based platform [46].

Any discussion of cloud resources and services should cover the main cloud security risks, and the risks associated with application programming interfaces (APIs) deserve particular attention. APIs give developers programmatic access to services; the Amazon Web Services API, for example, can create and provision server instances. If API calls can be made by unauthorized individuals this is a serious security risk, so developers must require strong authentication to prevent misuse and must avoid insecure APIs. Key management is just as important here: an API key deserves the same level of protection as an encryption key, because losing control of an API key is a very serious risk.

The most common cloud-based security services of interest are described in the following sections.

6.1 Cloud identity and access management (IAM)

The threats and security challenges addressed under this category include identity theft, unauthorized access, privilege escalation, insider threats and fraud. Possible actions include assigning duties on the basis of identity entitlements and compliance-centric reporting [47, 48, 49].
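Unauthorized access and privilege escalation in the cloud frequently come down to an identity holding a broader entitlement than its duty requires, and the API-key risk discussed above is amplified when the key’s policy is effectively administrative. The following added example (not from the chapter, and using constructed policies with placeholder account and bucket names) lints IAM policy documents in AWS policy JSON syntax for the over-broad statements that make a leaked key catastrophic, and shows a scoped policy beside the weak one. The list of sensitive service prefixes is an assumption.

```python
import json

# Constructed, hypothetical policies (placeholder account id and bucket name).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:eu-west-1:123456789012:instance/*"},
    ],
})

# A single unconditioned iam:PassRole on any role is a classic escalation path.
PASSROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
})

# Service prefixes whose actions commonly enable privilege escalation or key theft (assumed).
SENSITIVE_PREFIXES = ("iam:", "sts:", "organizations:", "kms:")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(policy_json):
    """Return (statement index, finding, detail) for over-broad Allow statements."""
    findings = []
    statements = _as_list(json.loads(policy_json)["Statement"])
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action and wild_resource:
            findings.append((i, "admin_equivalent", "Action and Resource are both wildcards"))
        elif wild_action:
            findings.append((i, "wildcard_action", ",".join(actions)))
        elif wild_resource:
            findings.append((i, "wildcard_resource", ",".join(actions)))
        for a in actions:
            if a.startswith(SENSITIVE_PREFIXES) and "Condition" not in st:
                findings.append((i, "sensitive_action_without_condition", a))
    return findings


def is_least_privilege(policy_json):
    return lint_policy(policy_json) == []


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY), ("passrole", PASSROLE_POLICY)):
        print(name, lint_policy(pol))
```

Running such a check in the pipeline that creates access keys turns the “assign duties by entitlement” recommendation into an enforced gate: a key can only be issued for a policy that passes.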

6.2 Cloud data loss prevention

The threats and security challenges addressed under this category include misuse of data by the data center operator or by others through unauthorized access, compromise of data integrity and issues arising from data sovereignty [50]. Possible enhancements include file and directory integrity checking via hashing, intelligent responses to matches in unstructured data and integration with intrusion detection solutions [51].

6.3 Cloud web security

The threats and security challenges addressed under this category include malware, spyware, key loggers, phishing, viruses, spam and bandwidth consumption. Possible enhancements include policy enforcement that categorizes web sites by security level, categorization of web sites by IP address or URL, domain rating and rating web sites on the basis of users’ requests [52, 53].

6.4 Cloud E-mail security

The threats and security challenges addressed under this category include phishing, intrusion, malware, spam and address spoofing. Possible enhancements include an e-mail backup policy, data loss prevention for SMTP and webmail, secure archiving, mail encryption, signing and time stamping [54, 55].

6.5 Cloud intrusion management

The threats and security challenges addressed under this category include intrusion and malware. Possible enhancements include centralized reporting with administrator notification, prevention of local evasion by storing or transmitting integrity information remotely, AI-based anomaly detection and robust intrusion management for the APIs [56, 57].

6.6 Cloud information security and event management

The threats and security challenges addressed under this category include insecure API interfaces, malicious insiders, account hijacking and fraud. Possible enhancements include standardization of log formats, log monitoring, heuristic controls and specialized systems, and integration with physical security (cameras and phones) [58, 59].


7. Conclusions

A knowledge-based system holding the different and latest types of cybersecurity threats is highly recommended as an integral part of operations in today’s IT organizations. Such a system can be extended into a decision-support system that detects, prevents and minimizes security risks in real time. Reaching this level of security maturity is never easy: it requires engagement with, and staying up to date on, the latest practices in threat identification, intelligent network traffic analysis, ethical hacking to probe the system for possible attacks, and risk management policies for recovering the system when an attack succeeds. The capability to adapt quickly is the key to preventing and treating most outsider and insider attacks. With these efforts in place, intelligent cybersecurity threat modeling can be adopted easily and widely for a solid security defense of modern IT systems, including cloud computing and agile software project management in a DevOps context.


  1. Craigen D, Diakun-Thibault N, Purse R. Defining cybersecurity. Technology Innovation Management Review. 2014;4(10):13-21
  2. Roldán-Molina G, Almache-Cueva M, Silva-Rabadão C, Yevseyeva I, Basto-Fernandes V. A comparison of cybersecurity risk analysis tools. Procedia Computer Science. 2017;121:568-575
  3. Rehman R, Hazarika GC, Chetia G. Malware threats and mitigation strategies: A survey. Journal of Theoretical and Applied Information Technology. 2011;29(2):69-73
  4. Chen Z, Roussopoulos M, Liang Z, Zhang Y, Chen Z, Delis A. Malware characteristics and threats on the internet ecosystem. Journal of Systems and Software. 2012;85(7):1650-1672
  5. Aycock J. Getting There. In: Spyware and Adware. Advances in Information Security. Boston, MA: Springer; 2011;50
  6. Yadav N, Kaur G, Kaur S, Vashisth A, Rohith C. A complete study on malware types and detecting ransomware using API calls. In: 2021 9th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO). 2021. pp. 1-5
  7. Bansal U. A review on ransomware attack. In: 2021 2nd International Conference on Secure Cyber Computing and Communications (ICSCCC). 2021. pp. 221-226
  8. Shalaginov A, Dyrkolbotn GO, Alazab M. Review of the malware categorization in the era of changing cybethreats landscape: Common approaches, challenges and future needs. In: Malware Analysis Using Artificial Intelligence and Deep Learning. Cham: Springer; 2021. pp. 71-96
  9. van Oorschot PC. Malicious Software. In: Computer Security and the Internet. Cham: Springer; 2021. pp. 183-211
  10. Yongwang T, Xin L, Qizheng D. Malicious Code Detection Technology based on Bi-GRU and Self-attention. In: Proceedings of the 2019 2nd International Conference on Algorithms, Computing and Artificial Intelligence. 2019. pp. 585-590
  11. Sharma S, Rama Krishna C, Sahay SK. Detection of advanced malware by machine learning techniques. In: Ray K, Sharma T, Rawat S, Saini R, Bandyopadhyay A, editors. Soft Computing: Theories and Applications. Advances in Intelligent Systems and Computing. vol 742. Singapore: Springer; 2019
  12. Subedi KP. A Framework for Analyzing Advanced Malware and Software. PhD Dissertation. The University of Memphis. 2018
  13. Conti M, Dargahi T, Dehghantanha A. Cyber threat intelligence: Challenges and opportunities. In: Cyber Threat Intelligence. Cham: Springer; 2018. pp. 1-6
  14. Tounsi W, Rais H. A survey on technical threat intelligence in the age of sophisticated cyber attacks. Computers & Security. 2018;72:212-233
  15. Abu MS, Selamat SR, Ariffin A, Yusof R. Cyber threat intelligence–issue and challenges. Indonesian Journal of Electrical Engineering and Computer Science. 2018;10(1):371-379
  16. Du L, Fan Y, Zhang L, Wang L, Sun T. A summary of the development of cyber security threat intelligence sharing. International Journal of Digital Crime and Forensics (IJDCF). 2020;12(4):54-67
  17. Brown S, Gommers J, Serrano O. From cyber security information sharing to threat management. In: Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security. 2015. pp. 43-49
  18. Casey E, Back G, Barnum S. Leveraging CybOX™ to standardize representation and exchange of digital forensic information. Digital Investigation. 2015;12:S102-S110
  19. Abomhara M, Køien GM. Cyber security and the internet of things: Vulnerabilities, threats, intruders and attacks. Journal of Cyber Security and Mobility. 2015;4:65-88
  20. Hussain S, Kamal A, Ahmad S, Rasool G, Iqbal S. Threat modelling methodologies: A survey. Science International (Lahore). 2014;26(4):1607-1609
  21. Bojanc R, Jerman-Blažič B. A quantitative model for information-security risk management. Engineering Management Journal. 2013;25(2):25-37
  22. Stedmon A, Paul D. Conducting ethical research in sensitive security domains: Understanding threats and the importance of building trust. In: Iphofen R, O’Mathúna D, editors. Ethical Issues in Covert, Security and Surveillance Research (Advances in Research Ethics and Integrity, Vol. 8). Bingley: Emerald Publishing Limited; 2021. pp. 159-176
  23. Agrafiotis I, Nurse JR, Goldsmith M, Creese S, Upton D. A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity. 2018;4(1):tyy006
  24. Hamed T, Ernst JB, Kremer SC. A survey and taxonomy of classifiers of intrusion detection systems. In: Computer and Network Security Essentials. Cham: Springer; 2018. pp. 21-39
  25. Simmons C, Ellis C, Shiva S, Dasgupta D, Wu Q. AVOIDIT: A cyber attack taxonomy. In: 9th Annual Symposium on Information Assurance. 2014. pp. 2-12
  26. Alneyadi S, Sithirasenan E, Muthukkumarasamy V. A survey on data leakage prevention systems. Journal of Network and Computer Applications. 2016;62:137-152
  27. Steingartner W, Galinec D, Kozina A. Threat defense: Cyber deception approach and education for resilience in hybrid threats model. Symmetry. 2021;13(4):597
  28. Buchanan B. The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations. Oxford University Press. 2017. Retrieved 19 Jun. 2022, from https://oxford.universitypressscholarship.com/view/10.1093/acprof:oso/9780190665012.001.0001/acprof-9780190665012
  29. Arabia-Obedoza MR, Rodriguez G, Johnston A, Salahdine F, Kaabouch N. Social engineering attacks: a reconnaissance synthesis analysis. In: 2020 11th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON). IEEE; 2020. pp. 0843-0848
  30. Ozkaya E. Learn Social Engineering: Learn the art of human hacking with an internationally renowned expert. Packt Publishing Ltd. 2018
  31. Fiermonte M. The Threat of Social Engineering to Networked Systems. Utica College; 2019
  32. Hu Q, Asghar MR, Brownlee N. Measuring IPv6 DNS reconnaissance attacks and preventing them using DNS Guard. In: 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 2018. pp. 350-361
  33. Skwarek M, Korczynski M, Mazurczyk W, Duda A. Characterizing vulnerability of DNS AXFR transfers with global-scale scanning. In: 2019 IEEE Security and Privacy Workshops (SPW). IEEE; 2019. pp. 193-198
  34. Hudák P. Analysis of DNS in Cybersecurity. Brno: Masaryk University, Faculty of Informatics; 2017
  35. Calderon P. Nmap: Network Exploration and Security Auditing Cookbook. 2nd ed. Packt Publishing. 2017. Retrieved from: (Original work published 2017)
  36. Lastovicka M, Jirsik T, Celeda P, Spacek S, Filakovsky D. Passive OS fingerprinting methods in the jungle of wireless networks. In: NOMS 2018-2018 IEEE/IFIP Network Operations and Management Symposium. 2018. pp. 1-9
  37. Bhatnagar D, Som S, Khatri SK. Advance persistant threat and cyber spying-the big picture, its tools, attack vectors and countermeasures. In: 2019 Amity International Conference on Artificial Intelligence (AICAI). IEEE; 2019. pp. 828-839
  38. Ramadhan RA, Aresta RM, Hariyadi D. Sudomy: Information gathering tools for subdomain enumeration and analysis. In: IOP Conference Series: Materials Science and Engineering. 2020
  39. Bagyalakshmi G, Rajkumar G, Arunkumar N, Easwaran M, Narasimhan K, Elamaran V, et al. Network vulnerability analysis on brain signal/image databases using Nmap and Wireshark tools. IEEE Access. 2018;6:57144-57151
  40. Sija BD, Goo Y-H, Shim K-S, Hasanova H, Kim MS. A survey of automatic protocol reverse engineering approaches, methods, and tools on the inputs and outputs view. Security and Communication Networks. 2018;2018:8370341
  41. Astudillo K. Wireless Hacking 101. Babelcube Inc. 2021. Retrieved from: (Original work published 2021)
  42. Ram JR, Sak B. Mastering Kali Linux Wireless Pentesting. Packt Publishing Ltd. 2016. 310 p
  43. Lundgren M, Persson J. Constructing and Evaluating a Raspberry Pi Penetration Testing/Digital Forensics Reconnaissance Tool. Dissertation. 2020. Retrieved from
  44. Mazurczyk W, Caviglione L. Cyber reconnaissance techniques. Communications of the ACM. 2021;64(3):86-95
  45. White R, Caiazza G, Jiang C, Ou X, Yang Z, Cortesi A, et al. Network reconnaissance and vulnerability excavation of secure DDS systems. In: 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). 2019. pp. 57-66
  46. Manna M. A cloud-based encryption for document storage using salesforce.com. Journal of Engineering and Applied Science. 2018;13:2382-2387
  47. Pramod N, Muppalla AK, Srinivasa KG. Limitations and challenges in cloud-based applications development. In: Software Engineering Frameworks for the Cloud Computing Paradigm. London: Springer; 2013. pp. 55-75
  48. Indu I, Anand PR, Bhaskar V. Identity and access management in cloud environment: Mechanisms and challenges. Engineering Science and Technology: An International Journal. 2018;21(4):574-588
  49. Schulze R. Identity and access management for cloud services used by the payment card industry. In: International Conference on Cloud Computing. Cham: Springer; 2018. pp. 206-218
  50. Manzoor CS, Shabina G. Challenges of data protection and security in cloud computing. Proceedings of the International Conference on Innovative Computing & Communication (ICICC) 2021. July 3, 2021. Available at SSRN: abstract=3879599 or http://dx.doi.org/10.2139/ssrn.3879599
  51. Bhardwaj A, Goundar S. A framework to define the relationship between cyber security and cloud performance. Computer Fraud & Security. 2019;2019(2):12-19
  52. Prasath R, Santhosh GT, Ratchnayaraj IAJ, Jemiline E. The security in web application of cloud and IoT service. Materials Today: Proceedings. 2020
  53. Paul P, Aithal PS. Cloud security: An overview and current trend. International Journal of Applied Engineering and Management Letters (IJAEML). 2019;3(2):53-58
  54. Hashmi A, Ranjan A, Anand A. Security and compliance management in cloud computing. International Journal of Advanced Studies in Computers, Science and Engineering. 2018;7(1):47-54
  55. Cidon A, Gavish L, Bleier I, Korshun N, Schweighauser M, Tsitkin A. High precision detection of business email compromise. In: 28th USENIX Security Symposium (USENIX Security 19). 2019. pp. 1291-1307
  56. Helmiawan MA, Fadil I, Sofiyan Y, Firmansyah E. Security model using intrusion detection system on cloud computing security management. In: 2021 9th International Conference on Cyber and IT Service Management (CITSM). 2021. pp. 1-5
  57. Devi S, Sharma AK. Understanding of intrusion detection system for cloud computing with networking system. International Journal of Computer Science and Mobile Computing (IJCSMC). 2020
  58. Adam I, Ping J. Framework for security event management in 5G. In: Proceedings of the 13th International Conference on Availability, Reliability and Security. 2018. pp. 1-7
  59. Al-Rashdi ZA, Dick M, Al-Rashdi RA, Al-Husaini Y. Information Security Accountability in the Cloud Computing Context—A Comprehensive Review. In: Montasari R, Jahankhani H, Al-Khateeb H, editors. Challenges in the IoT and Smart Environments. Advanced Sciences and Technologies for Security Applications. Cham: Springer; 2021. https://
