Cyber attack chain
Intelligence gathering
Research / probing / network scanning / vulnerability discovery / social engineering
Tool preparation (weaponization)
Prepare the attack tooling: Trojans, backdoors, worms and other malware, exploit payloads, etc.
Payload delivery
Direct: penetration of exposed services
Indirect: phishing
Social engineering
Exploit
Exploit a vulnerability
Lure the user into clicking
Local code execution
Drop the payload (installation)
Establish a foothold
Lateral movement (internal spread)
Repeat the steps above, often automatically
Establish command-and-control channel
Communicate with the control server and receive instructions
Actions on objectives
Destruction
Data theft
DDoS
Spam
Cryptomining
Lateral movement (automated)
Simplified cyber attack chain
Target reconnaissance
Accurately identify the target and collect detailed information about it (network ranges, email addresses, employees, social relationships, externally exposed services, vulnerability information, etc.) in preparation for the later stages.
Perimeter breach
Break through the perimeter defenses and obtain a foothold (springboard) by whatever means works: application attacks, email phishing, watering hole attacks, USB drops ("USB ferrying"), etc. This is where the real attack stage begins.
Lateral movement
Step by step, using the compromised server as a springboard, combine vulnerabilities and attack techniques to gain privileges on other intranet servers, penetrate restricted zones, and gradually reach the service area where the real target sits.
Target action
Strike the target precisely according to the purpose of the attack: deploying ransomware or cryptomining Trojans, stealing data, malicious destruction, etc.
Target information collection
Common information collection content
Company basic information collection
Email address collection
Employee information collection
Subdomain information
Externally exposed services and applications
Potentially exploitable vulnerabilities
Leaked internal company information
Network probing
Host discovery (address scan)
The attacker probes target addresses with ICMP echo requests, or initiates TCP/UDP connections to an address, and uses whether a response packet comes back to determine which target systems are actually alive and reachable on the target network.
Port scan
The attacker scans ports to learn which ports the target currently has open, and from that decides on the attack method. In a port scan the attacker typically uses a port-scanning tool to initiate a series of TCP/UDP connections and infers from the response (SYN/ACK, RST, ICMP unreachable, or silence) whether the host offers a service on each port.
SuperScan
Nmap
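Added example (not part of the original notes, and not code from Nmap or SuperScan): a minimal TCP connect scanner in Python that demonstrates both probes described above, host discovery and port scanning. To stay self-contained it starts its own listener on loopback and scans that plus a port it knows to be closed; the host 127.0.0.1 and the port numbers are picked at run time.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_probe(host, port, timeout=0.5):
    """Probe one TCP port and return 'open', 'closed' or 'filtered'.

    A completed three-way handshake means the port is open; an immediate RST
    (ConnectionRefusedError) means it is closed; no answer before the timeout
    is reported as filtered, which is what a silently dropping firewall looks
    like. Unlike a SYN scan this completes the handshake, so the target
    service will see (and may log) the connection.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # includes socket.timeout
            return "filtered"


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Connect-scan every port in `ports` in parallel; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: tcp_connect_probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def is_alive(host, ports, timeout=0.5):
    """TCP-based host discovery: any answer at all (SYN/ACK or RST) proves the
    host is up, even when it ignores ICMP echo requests."""
    return any(state != "filtered" for state in scan_ports(host, ports, timeout).values())


def demo():
    """Start a throwaway listener on loopback and scan it plus a closed port.

    Returns (open_port, closed_port, scan_results, host_alive) so the outcome
    can be checked programmatically.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Bind-and-release a second socket to find a port that is free, and
    # therefore closed, at scan time.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
        alive = is_alive("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, results, alive


if __name__ == "__main__":
    print(demo())
```

The three-state result matters in practice: a "closed" port tells you the host is up and not firewalled on that port, while "filtered" tells you nothing about the service but something about the filtering in front of it. Half-open (SYN) scans avoid completing the handshake but need raw sockets and root; that is what Nmap's default scan does.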
Application scan
By sending requests that mimic the application's own traffic and analyzing the web application's responses, security issues and gaps in the architecture are found.
Burp Suite
Vulnerability scan
Use vulnerability scanners to find vulnerabilities in systems, applications and hosts.
Sparta
Network architecture (topology mapping)
Traceroute (tracert) probing
IP packets with the record-route option
IP packets with the source-route option
IP packets with the timestamp option
Phishing
Phishing attacks use forgery, deception, social engineering and similar means to win the victim's trust and then launch further attacks. Phishing is mostly used as a way to breach the perimeter, and it appears frequently in APT attacks.
Phishing attack classification
- Spear phishing
- Watering hole attack
- USB drop (USB ferrying)
- Homograph (IDN look-alike domain) phishing
- Drive-by download
- Typosquatting (fake URLs with misspelled domain names)
- Mass (generic) phishing
- Online dating (romance) scam
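Added example (not part of the original notes): a small Python detector for the two domain-based phishing variants in the list above, homograph domains and typosquatting. It folds a candidate domain onto a Latin "skeleton" using a hand-written subset of the Unicode confusables table, decodes punycode (xn--) labels first so the characters a victim actually sees are inspected, and compares against a constructed list of protected brands (paypal.com, google.com, example-bank.com are assumptions for the example).

```python
import unicodedata

# Brands the organization wants to protect (constructed list for this example).
PROTECTED = {"paypal.com", "google.com", "example-bank.com"}

# Small confusables table: Latin look-alikes for common Cyrillic and Greek
# letters and for digits. A production detector would load the full Unicode
# confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
    "\u0458": "j", "\u0455": "s", "\u0501": "d", "\u04cf": "l",   # Cyrillic ј ѕ ԁ ӏ
    "\u03bf": "o", "\u03bd": "v", "\u03b1": "a", "\u03c1": "p",   # Greek ο ν α ρ
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",             # digits
}
DIGRAPHS = {"rn": "m", "vv": "w"}   # two-letter sequences that read as one letter


def to_unicode(domain):
    """Lower-case a domain and decode any punycode (xn--) labels so that the
    characters the user actually sees can be inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Map a domain onto its Latin look-alike skeleton (NFKC + confusables)."""
    s = unicodedata.normalize("NFKC", to_unicode(domain))
    for digraph, letter in DIGRAPHS.items():
        s = s.replace(digraph, letter)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a, b):
    """Levenshtein distance, standard dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, brand); verdict is one of legitimate, homograph,
    typosquat, brand-embedded or unrelated."""
    seen = to_unicode(domain)
    if seen in PROTECTED:
        return "legitimate", seen
    sk = skeleton(domain)
    cand_base, _, cand_tld = sk.rpartition(".")
    for brand in sorted(PROTECTED):
        brand_sk = skeleton(brand)
        base, _, tld = brand_sk.rpartition(".")
        if sk == brand_sk:
            return "homograph", brand        # identical once look-alikes are folded
        if cand_tld == tld and edit_distance(cand_base, base) <= 1:
            return "typosquat", brand        # one keystroke away, e.g. paypl.com
        if base in cand_base:
            return "brand-embedded", brand   # e.g. paypal-secure-login.com
    return "unrelated", None
```

Decoding punycode before comparing is the step most often missed: mail gateways and proxies see `xn--...` labels, and a filter that only checks the ASCII form never notices that the label renders as a brand name in the browser.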
Password cracking
Services that can be attacked
rdp, smb, ftp, ssh, http, ldap, pop3, redis, snmp, telnet, vnc
Common cracking dictionaries
- Top 100 passwords / usernames
- Pinyin of common Chinese names
- Combinations of personal information features (name, birthday, phone number, company, ...)
- Large wordlist brute force
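Added example (not part of the original notes): a Python generator for the "pinyin name" and "personal information combination" dictionaries listed above. It takes a constructed target profile (the name zhangsan, birth date, phone suffix and company are invented for the example) and emits the name variants, appended personal tokens and common complexity-rule suffixes that such targeted wordlists are built from, deduplicated and length-filtered.

```python
import itertools

# Constructed target profile. In a real engagement this comes from the
# information-collection phase (employee lists, leaked data, social media).
PROFILE = {
    "name_pinyin": ["zhang", "san"],   # surname, given name (pinyin)
    "birth_year": "1990",
    "birth_mmdd": "0815",
    "phone_suffix": "6789",
    "company": "acme",
}

# Paddings people append to satisfy complexity rules.
SUFFIXES = ["", "!", "@", "#", "123", "1234", "123456", "@123"]


def name_variants(parts):
    """Name tokens derived from pinyin: zhangsan, sanzhang, zs, zhangs, zhang, san,
    each also capitalized and upper-cased."""
    surname, given = parts[0], "".join(parts[1:])
    initials = "".join(p[0] for p in parts)
    bases = {surname + given, given + surname, initials, surname + given[:1], surname, given}
    variants = set()
    for b in bases:
        if b:
            variants.update({b, b.capitalize(), b.upper()})
    return variants


def personal_tokens(profile):
    """Non-name fragments that commonly get glued onto a name."""
    year = profile["birth_year"]
    return ["", year, year[2:], profile["birth_mmdd"], year + profile["birth_mmdd"],
            profile["phone_suffix"], profile["company"]]


def generate(profile, min_len=6, max_len=20):
    """Yield unique candidates built as name+token+suffix and its common
    reorderings, keeping only lengths a real password policy would accept."""
    seen = set()
    names = sorted(name_variants(profile["name_pinyin"]))
    tokens = personal_tokens(profile)
    for name, tok, suf in itertools.product(names, tokens, SUFFIXES):
        for cand in (name + tok + suf, tok + name + suf, name + suf + tok):
            if min_len <= len(cand) <= max_len and cand not in seen:
                seen.add(cand)
                yield cand


def build_dictionary(profile=PROFILE):
    return list(generate(profile))


if __name__ == "__main__":
    words = build_dictionary()
    print(len(words), "candidates; e.g.", words[:5])
```

The output is a few thousand candidates per person rather than millions, which is the point: against services with lockout or rate limiting (RDP, SSH, VNC) a short targeted list beats a large generic wordlist, and the same generator doubles as a checker for a defender who wants to know whether staff passwords are derivable from public profile data.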
Network spoofing and sniffing
Common spoofing and sniffing attack methods
- ARP spoofing
- IP spoofing
- TCP session hijacking
- DNS spoofing
- SMB man-in-the-middle attack
- Man-in-the-middle attack with a forged SSL/TLS certificate
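Added example (not part of the original notes): the defender's side of the first item in the list, ARP spoofing. The Python below runs three simple detectors over a constructed sequence of ARP replies (addresses and MACs are invented): an IP advertised with a MAC that differs from its trusted or first-seen binding, one MAC answering for several IPs (the attacker posing as both gateway and victim), and a burst of replies for one IP, which poisoning tools produce because ARP caches expire and must be re-poisoned.

```python
from collections import defaultdict

# Constructed ARP reply records as a sniffer or IDS would log them:
# (timestamp_s, sender_ip, sender_mac). 10.0.0.1 is the gateway.
ARP_REPLIES = [
    (0.0, "10.0.0.1",  "00:11:22:33:44:01"),   # legitimate gateway
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),   # victim workstation
    (1.0, "10.0.0.1",  "00:11:22:33:44:01"),
    (1.1, "10.0.0.1",  "de:ad:be:ef:00:99"),   # attacker claims the gateway IP...
    (1.2, "10.0.0.20", "de:ad:be:ef:00:99"),   # ...and the victim IP (two-way MITM)
    (1.3, "10.0.0.1",  "de:ad:be:ef:00:99"),   # poison is re-sent to keep caches stale
    (1.4, "10.0.0.1",  "de:ad:be:ef:00:99"),
    (2.0, "10.0.0.30", "00:11:22:33:44:30"),
]


def detect_arp_spoofing(replies, trusted=None, flood_window=1.0, flood_threshold=3):
    """Run three simple detectors over ARP replies and return alert dicts.

    ip_mac_conflict      an IP is advertised with a MAC different from its
                         trusted (or first-seen) binding: the poisoning itself
    mac_claims_many_ips  one MAC answers for several IPs, typical of an
                         attacker posing as both gateway and victim
    reply_flood          >= flood_threshold replies for one IP inside
                         flood_window seconds
    """
    alerts = []
    binding = dict(trusted or {})       # ip -> mac; trusted entries never change
    mac_to_ips = defaultdict(set)
    recent = defaultdict(list)          # ip -> timestamps inside the window

    for ts, ip, mac in replies:
        known = binding.get(ip)
        if known is None:
            binding[ip] = mac           # first sighting becomes the baseline
        elif known != mac:
            alerts.append({"type": "ip_mac_conflict", "ts": ts, "ip": ip,
                           "expected": known, "seen": mac})

        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({"type": "mac_claims_many_ips", "ts": ts, "mac": mac,
                               "ips": sorted(mac_to_ips[mac])})

        recent[ip] = [t for t in recent[ip] if ts - t <= flood_window] + [ts]
        if len(recent[ip]) >= flood_threshold:
            alerts.append({"type": "reply_flood", "ts": ts, "ip": ip,
                           "count": len(recent[ip])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print(alert)
```

Passing a static `trusted` table for the gateway and other critical hosts is what makes the first detector reliable; with first-seen baselining alone, an attacker who poisons before the monitor starts becomes the baseline. The same logic is what switch features such as Dynamic ARP Inspection apply in hardware against the DHCP snooping table.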
Overflow attacks
Commonly exploited vulnerabilities (Microsoft bulletin / CVE identifiers):
MS06-040
MS08-067
MS10-087
MS11-021
MS12-020
MS17-010
CVE-2017-8750
CVE-2017-11882
Malware attacks
Malware classification
Trojan horse
Worm
Script virus
File-infecting virus
Destructive programs and macro viruses
Denial of service (DDoS) attacks
Common attacks:
- SYN flood
- ACK flood
- UDP flood
- CC attack (HTTP request flood)
- Reflection/amplification DDoS
  - NTP reflection attack
  - DNS reflection attack
  - SSDP reflection attack
  - memcached reflection attack
- Slow (low-and-slow) DDoS
- THC-SSL-DOS
APT (Advanced Persistent Threat) attack
APT has three defining elements: advanced, persistent (long-term), and threat.
"Advanced" shows in two respects:
Technical level
- Zero-day vulnerabilities
- Encrypted command channels
Resource level
- Comprehensive information collection
- A clear objective and a division of labor
- A combination of multiple attack methods
APT attack process
APT attack method
Security defense methods
Protocol identification (SA)
SA (Service Awareness) is a technology that determines which application an IP packet belongs to by analyzing the packet itself, and collects all protocol-identification rules into a signature database, the SA-SDB. The SA-SDB is used together with the SA engine (SAEngine) to identify traffic on the network. Based on the identification result the device analyzes the traffic and can produce traffic reports or apply control policies to it, such as allow, rate-limit and block. It is the foundation for services such as security, content inspection, content-based billing and service control.
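Added example (not part of the original notes, and not taken from any vendor's SA-SDB): a toy payload-based application identifier in Python that shows what the paragraph above describes. Six hand-written signatures (HTTP request line, TLS ClientHello record header, SSH banner, SMB magic behind the NetBIOS header, RDP's TPKT/X.224 connection request, Redis RESP) classify the first bytes of a flow; a constructed policy table maps the result to allow / rate_limit / block / log, and the destination port is compared to the identified application to flag port evasion. The sample payloads are constructed.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ", b"PATCH ")


def is_http(p):
    # Request line "<METHOD> <target> HTTP/1.x" terminated by CRLF.
    return p.startswith(HTTP_METHODS) and b" HTTP/1." in p.split(b"\r\n", 1)[0]


def is_tls_client_hello(p):
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01


def is_ssh(p):
    return p.startswith(b"SSH-")           # identification string, RFC 4253


def is_smb(p):
    # 4-byte NetBIOS session header, then SMB2 (0xFE 'SMB') or SMB1 (0xFF 'SMB') magic.
    return len(p) >= 8 and p[4:8] in (b"\xfeSMB", b"\xffSMB")


def is_rdp(p):
    # TPKT (version 3) carrying an X.224 Connection Request (code 0xE0).
    return len(p) >= 6 and p[0] == 0x03 and p[1] == 0x00 and p[5] == 0xE0


def is_redis(p):
    # RESP array: "*<count>\r\n$<len>\r\n<cmd>\r\n"
    return p.startswith(b"*") and b"\r\n$" in p


SIGNATURES = [("http", is_http), ("tls", is_tls_client_hello), ("ssh", is_ssh),
              ("smb", is_smb), ("rdp", is_rdp), ("redis", is_redis)]

PORT_TABLE = {80: "http", 443: "tls", 22: "ssh", 445: "smb", 3389: "rdp", 6379: "redis"}

# Constructed control policy keyed by identified application (not a vendor default).
POLICY = {"http": "allow", "tls": "allow", "ssh": "rate_limit",
          "smb": "block", "rdp": "block", "redis": "block", "unknown": "log"}


def identify(payload):
    """Payload-based identification: first matching signature wins."""
    for app, matcher in SIGNATURES:
        if matcher(payload):
            return app
    return "unknown"


def decide(payload, dst_port):
    """Classify a flow by payload, pick the control action, and flag flows whose
    payload contradicts the destination port (tunnelling / port evasion)."""
    app = identify(payload)
    by_port = PORT_TABLE.get(dst_port, "unknown")
    return {"app": app, "action": POLICY[app], "port_guess": by_port,
            "evasion_suspected": app != "unknown" and by_port != app}


# Constructed first-packet payloads (not vendor signature-database content).
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "tls": b"\x16\x03\x01" + struct.pack(">H", 0x00A5) + b"\x01" + b"\x00" * 20,
    "ssh": b"SSH-2.0-OpenSSH_8.9\r\n",
    "smb": b"\x00\x00\x00\x40\xfeSMB" + b"\x00" * 60,
    "rdp": b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00" + b"\x00" * 8,
    "redis": b"*1\r\n$4\r\nINFO\r\n",
}
```

The `evasion_suspected` flag is the practical payoff of service awareness over a port-based ACL: SSH or a C&C protocol wrapped to look like HTTPS on port 443 is classified by what it sends, not by where it is sent, and a real engine adds state (both directions, several packets) and many hundreds of signatures to the handful shown here.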
Intrusion prevention (IPS)
URL categorization
Antivirus (AV): gateway malware detection
Detection of malware (including unknown threats): sandbox detection
Malicious traffic detection: C&C detection, covert channel detection, etc.
Threat intelligence: enhances NGFW threat detection capabilities
Step 1 (Deliver & Exploit): the attacker breaks in, enters the network, and takes control of hosts (zombies/bots); methods: vulnerability exploitation, malware (delivered via phishing, spam, etc.)
Step 2: The attacker issues instructions from the C&C server
Step 3 (Command & Control): The compromised host communicates with the C&C server (over HTTP, IRC, raw TCP, etc.) to fetch its next instructions (DDoS, click fraud, keylogging, sending spam, stealing sensitive information, cryptomining, lateral spread, etc.)
Step 4: Attack the target
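Added example (not part of the original notes): one way the "C&C detection" item above catches Step 3 of the lifecycle just described. A compromised host that polls its C&C server for instructions produces connections at a near-constant interval with near-constant size, while a user's browsing does not. The Python below parses a constructed connection log (addresses, times and sizes are invented), computes the coefficient of variation of inter-connection gaps and of payload sizes per (source, destination) pair, and flags pairs where both are low.

```python
import statistics
from collections import defaultdict

# Constructed connection log in a proxy/firewall style: "ts src dst:port bytes".
# 10.0.0.12 polls 203.0.113.7 roughly every 60 s with a small fixed request;
# 10.0.0.13 is a user browsing 198.51.100.9 irregularly.
LOG = """\
1700000000 10.0.0.12 203.0.113.7:443 512
1700000061 10.0.0.12 203.0.113.7:443 520
1700000119 10.0.0.12 203.0.113.7:443 511
1700000180 10.0.0.12 203.0.113.7:443 515
1700000242 10.0.0.12 203.0.113.7:443 509
1700000299 10.0.0.12 203.0.113.7:443 518
1700000005 10.0.0.13 198.51.100.9:443 14020
1700000007 10.0.0.13 198.51.100.9:443 88231
1700000140 10.0.0.13 198.51.100.9:443 3011
1700000141 10.0.0.13 198.51.100.9:443 60410
1700000390 10.0.0.13 198.51.100.9:443 1002
1700000391 10.0.0.13 198.51.100.9:443 77712
"""


def parse(log):
    """Group (timestamp, bytes) events by (src, dst) pair."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, size = line.split()
        events[(src, dst)].append((int(ts), int(size)))
    return events


def beacon_score(timestamps):
    """Return (mean_gap, gap_cv) for one pair's connection times. A cv near 0
    means the connections are evenly spaced; jittered beacons still score low."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(log, min_connections=5, max_gap_cv=0.2, max_size_cv=0.2):
    """Flag (src, dst) pairs with regular timing and near-constant payload size."""
    hits = []
    for (src, dst), evs in parse(log).items():
        if len(evs) < min_connections:      # too few samples to judge regularity
            continue
        mean_gap, gap_cv = beacon_score([t for t, _ in evs])
        sizes = [s for _, s in evs]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "n": len(evs),
                         "period_s": round(mean_gap, 1),
                         "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(LOG):
        print(hit)
```

Legitimate software also beacons (update checks, telemetry, NTP), so this is a triage signal to join with destination reputation, threat intelligence and sandbox verdicts rather than a verdict on its own; malware authors counter it with randomized sleep intervals, which is why the size dimension and a generous `max_gap_cv` are used together.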