Posts

Showing posts from December, 2020

Cyber Kill Chain

What is the Cyber Kill Chain? The CKC is the classical model developed by Lockheed Martin. The purpose of this model is to better understand the stages an attacker must go through to conduct an attack; it also helps security teams stop an attack at each stage, identify to what extent the organization is compromised, and understand the strategies used by cybercriminals and how to defend against them. Phases of the Kill Chain: The seven phases of the CKC model are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Action on Objective. Reconnaissance: In this phase the attacker tries to find out as much information as possible about the target, such as contact information and the target's IT infrastructure. There are two types of reconnaissance: Passive: looking for publicly available information on the internet, e.g. using Google, social media, whois, nslookup, Shodan and dumpster diving. Active: gather i

RUDY Attack and its prevention

RUDY Attack: It is a type of slow-rate attack, also known as a slow and low attack. It opens relatively few connections to the target server or website over a period of time and keeps each connection open as long as possible. How it works: It identifies an embedded form in the target site. After identification it sends an HTTP POST request with an abnormally long 'Content-Length' header field and then starts feeding the form with data, one byte-sized packet at a time. The data is not only sent in small chunks but at a very slow rate. So the very long Content-Length field prevents the server from closing the connection, and ultimately the attacker exhausts the server's connection table. Prevention Mechanisms: Monitor server resources such as memory, CPU usage, connection tables, application threads, long-open application connections and stuck application processes. Behavior analysis compares traffic and user behavior; for example, if filling in the form takes far too long, such as hours or m

Network Security Monitoring

NSM: History: Todd Heberlein started NSM informally in 1988. It was the first NSM system that used network traffic as its source for generating alerts. The Air Force Computer Emergency Response Team (AFCERT) was the first organization to informally follow NSM principles. In 1993, AFCERT, in collaboration with Heberlein, deployed the first version of NSM as ASIM (Automated Security Incident Measurement). NSM: It is the best method for going from zero defense to some defense. By using it an organization would prevent itself from being exposed (prevent a data breach). It is operated by a group of people known as the CIRT (Computer Incident Response Team). Benefits: It collects a rich amount of network-derived data from different devices. The CIRT analyses this data to find compromised assets. The CIRT uses the NSM data to assess the cause of the incident. Does NSM Prevent Incidents? No, it does not prevent incidents, because breaches are inevitable. Intruders use different techniques to cause the incident, but by using NSM you can frustr