CYBER SECURITY

Unit 1:
Cyber Security Fundamentals: Network Security Concepts: Information Assurance
Fundamentals, Basics of Cryptography: Symmetric and Asymmetric, DNS, Firewalls,
Virtualization, Radio-Frequency Identification Microsoft Windows Security Principles:
Windows Tokens, Window Messaging, Windows Program Execution, Windows Firewall

Unit 2:
Attacker techniques and motivations: Anti forensics, Tunneling Techniques, Fraud
Techniques, and Threat Infrastructure

Unit 3:
Exploitation: Techniques to gain a Foothold, Misdirection, Reconnaissance, and Disruption
Methods

Unit 4:
Malicious Code: Self-Replicating Malicious Code, Evading Detection and Elevating
Privileges, Stealing Information and Exploitation.

Unit 5:
Defense and Analysis Techniques: Memory Forensics, Honeypots, Malicious Code Naming,
Automated Malicious Code Analysis Systems, Intrusion Detection Systems

1
 Unit 1
Cyber Security Fundamentals
Network security is the practice of protecting a computer network from unauthorized
access, misuse, or attacks. It involves using tools, technologies, policies and procedures to
ensure the confidentiality, integrity, and availability of systems and data within the network
to ensure that data travelling over the network is safe and secure, keeping sensitive
information away from hackers and other threats.

Network Security Concepts

Network Security involves strategies, policies, and technologies used to protect the
integrity, confidentiality, and availability of computer networks and data.

1. CIA Triad

The foundation of all security models:

 Confidentiality: Ensuring only authorized users can access information.

 Integrity: Ensuring information is not altered by unauthorized users.
 Availability: Ensuring systems and data are accessible when needed.

2. Authentication

 Confirms the identity of a user, device, or system.

 Methods: Passwords, biometrics, OTPs, digital certificates.

3. Authorization

 Determines what an authenticated user or system is allowed to do.

 Example: Role-Based Access Control (RBAC).

4. Encryption

 Converts readable data into a scrambled format (ciphertext).

 Types:
o Symmetric Encryption (same key to encrypt and decrypt)
o Asymmetric Encryption (public and private key pair)

5. Firewalls

 Acts as a barrier between trusted and untrusted networks.

 Filters traffic based on rules (IP address, port, protocol).

2
6. Intrusion Detection & Prevention Systems (IDS/IPS)

 IDS: Monitors and alerts on suspicious traffic.

 IPS: Detects and blocks malicious traffic in real-time.

7. Access Control

 Limits access to networks, systems, and data based on policies.

 Examples:
o MAC (Mandatory Access Control)
o DAC (Discretionary Access Control)

8. Virtual Private Network (VPN)

 Creates a secure, encrypted connection over the internet.

 Used for safe remote access.

9. Email and Web Security

 Filters phishing emails and malicious websites.

 Prevents malware from entering through browsers and email clients.

10. Patch Management

 Regularly updating software/hardware to fix security vulnerabilities.

11. Denial of Service (DoS/DDoS) Protection

 Safeguards against attacks that flood and overwhelm a network, making it

unavailable.

12. Security Monitoring & SIEM

 Tracks and analyzes security-related events and logs.

 SIEM: Security Information and Event Management tools for threat detection.

13. Network Segmentation

 Divides the network into smaller zones.

 Limits access and contains breaches.

14. Endpoint Security

 Secures end-user devices (laptops, mobiles).

 Includes antivirus, device control, and data protection tools.

3
Information Assurance Fundamentals
Information Assurance refers to the practice of ensuring the confidentiality, integrity,
availability, and non-repudiation of essential information and associated information systems.

The process of protecting against and controlling the risk associated with the usage, storage,
and transmission of data and information systems is known as information assurance (IA).
The following functionalities for data and associated information systems are often ensured
by information assurance processes

Integrity

Integrity refers to the confidence that all information systems are safe and secure. IA strives
to ensure integrity by installing anti-virus software on all computer systems and ensuring that
all employees with access understand how to use their systems properly to prevent malware
and viruses from accessing information systems.
IT Governance offers a number of e-learning courses to raise employee understanding of
subjects like phishing and ransomware, which helps to lessen the risk of systems being
hacked and data being exposed.

Availability

The term 'availability' refers to the capacity of individuals who require information to obtain
it. Only individuals who are aware of the hazards connected with information systems should
have access to it.

Authentication

Authentication entails verifying that persons with access to data are who they claim to be.
Two-factor authentication, strong passwords, biometrics, and other devices are examples of
ways to improve authentication. Not only may authentication be used to identify individuals,
but it can also be used to identify other devices.

Confidentiality

Information security is concerned with information secrecy, which means that only those
with permission may read sensitive data. This phase is closely matched by the General Data
Protection Regulation's (GDPR) six data processing principles, which state that personal data
must be handled securely 'using suitable technological and organizational means' ('integrity
and confidentiality').

Non-repudiation

The last pillar states that anybody with access to your organization's information system
cannot deny doing a task within it since there should be procedures in place to confirm that
they did so.

4
Cryptography
Cryptography is a technique of securing information and communications using codes to
ensure confidentiality, integrity and authentication. Thus, preventing unauthorized access to
information. The prefix "crypt" means "hidden" and the suffix "graphy" means "writing". In
Cryptography, the techniques that are used to protect information are obtained from
mathematical concepts and a set of rule-based calculations known as algorithms to convert
messages in ways that make it hard to decode them. These algorithms are used for
cryptographic key generation, digital signing, and verification to protect data privacy, web
browsing on the internet and to protect confidential transactions such as credit card and
debit card transactions.

Features of Cryptography
Confidentiality: Information can only be accessed by the person for whom it is
intended and no other person except him can access it.
Integrity: Information cannot be modified in storage or transition between sender and
intended receiver without any addition to information being detected.
Non-repudiation: The creator/sender of information cannot deny his intention to send
information at a later stage.
Authentication: The identities of the sender and receiver are confirmed. As well
destination/origin of the information is confirmed.
Interoperability: Cryptography allows for secure communication between different
systems and platforms.
Adaptability: Cryptography continuously evolves to stay ahead of security threats and
technological advancements.

Symmetric and Asymmetric

1. Symmetric Cryptography
When the plain text is encrypted and decrypted using the same key, it is known as
symmetric encryption. It is also known as "shared-key" or "private-key" encryption. It
ensures confidentiality by ensuring only authorized parties with the key can access the
original data.
The key is a piece of a shared secret between the two parties involved hence it is 'shared-
key' and is kept secret, hence the name 'private-key' is justified.

 Key Concept: Uses one key for both encryption and decryption.
 Key Sharing: The sender and receiver must both have access to the same secret key.
 Speed: Faster and more efficient for encrypting large amounts of data.
 Examples:
5
 o AES (Advanced Encryption Standard)
o DES (Data Encryption Standard)

How it works:

1. Sender encrypts the message using a shared key.

2. Receiver decrypts it using the same key.

Example:
plaintext
CopyEdit
Key: ABC123
Plaintext: Hello
Encrypted: Zx9@#
Decrypted using same key: Hello

2. Asymmetric Cryptography

Public-key cryptography or asymmetric-key cryptography is another type where the same

key is not used for the encryption and decryption processes, instead, it involves the use of
two keys – the public key and the private key

 Concept: Uses a pair of keys – one public and one private.

 Usage:
o Public key is shared with everyone.
o Private key is kept secret by the owner.
 Speed: Slower than symmetric encryption.
 Examples:
o ECC (Elliptic Curve Cryptography)
o DSA (Digital Signature Algorithm)

How it works:

1. Sender encrypts the message using the recipient’s public key.

2. Receiver decrypts it using their private key.

Example:
plaintext
CopyEdit
Public Key: (shared)
Private Key: (kept secret)
Plaintext: Hello
Encrypted with Public Key: @7Jd!
Decrypted with Private Key: Hello

6
Differences
Feature Symmetric Asymmetric

Keys Used Single key (shared) Key pair (public and private)

Speed Fast Slower

Key Distribution Challenging Easier (public key is sharable)

Security Less secure if key is leaked More secure for communication

Example Use Case File encryption, VPNs Secure email, digital signatures

DNS (Domain Name System)

The Domain Name System (DNS) translates human-readable domain names (e.g.,
www.google.com) into machine-readable IP addresses (e.g., 142.250.190.14), enabling
internet communication
 It enables computers to locate and communicate with each other on the internet.
 Functions as a hierarchical, distributed database.
 Queries pass through multiple levels:
o Root server
o Top-Level Domain (TLD) server
o Authoritative server (stores the specific IP address).
 Ensures seamless website access using easy-to-remember names instead of numerical IP
addresses.

7
When we type a website like https://www.kru.ac.in in our browser, our computer tries to
find the IP address.
First, it checks the local cache (our browser, operating system, or router) to see if it
already knows the IP address.
If the local cache doesn’t have the IP, the query is sent to a DNS resolver to find it.
DNS resolver may check host files (used for specific manual mappings), but usually, it
moves on.
Resolver sends the query to a Root DNS server, which doesn't know the exact IP address
but points to the TLD server (e.g., .org server for this example).

TLD server then directs the resolver to the authoritative nameserver for
geeksforgeeks.org.

8
 Authoritative name server knows the exact IP address for kru.ac.in and sends it back to
the resolver.
Resolver passes the IP address to our computer. Our computer uses the IP address to
connect to the real server where the website is hosted. The website loads in our browser.

Firewalls

A firewall is a security device or software that monitors and controls incoming and
outgoing network traffic based on predefined security rules. It acts as a barrier between a
trusted internal network and untrusted external networks, like the internet.

Purpose of a Firewall

 Prevent unauthorized access

 Block malicious traffic
 Allow safe communication
 Protect sensitive data

How a Firewall Works

1. A request comes from the internet to your device.

2. The firewall checks:
o Is the IP address trusted?
o Is the port number allowed?
o Is the protocol safe?
3. Based on rules, the firewall:
o Allows the traffic
o Blocks the traffic
o Logs the event for review

9
Virtualization

Virtualization allows multiple virtual machines (VMs) to run on a single physical machine.
Each VM behaves like an independent system with its own operating system and
applications.

How Virtualization Helps Cyber security

1 Isolation

 Each VM is isolated from others. If one VM is compromised, others remain

unaffected.
 Useful for sandboxing—testing malware or untrusted software in a safe, isolated
environment.

2 Containment

 Attackers breaking into a VM cannot easily escape to the host machine or other VMs.
 Limits the spread of malware or ransom ware within an organization.

3 Snapshots & Rollback

 VMs can be snap shotted (saved at a point in time).

 If an attack or corruption happens, the VM can be quickly rolled back to a clean
state.

4 Testing & Analysis

 Security teams use VMs to analyze malware, test patches, and simulate attacks.
 Helps in forensics—examining a cloned VM without touching production systems.

5 Disaster Recovery

 Virtualized environments can be backed up and restored more easily.

 Reduces downtime after security incidents.

6 Software-defined Security

 Virtualized networks can be managed with software-defined networking (SDN).

 Enables micro-segmentation: breaking the network into smaller, more secure zones.

7 Cloud Security

 Cloud computing heavily uses virtualization.

 Enables scalable, flexible security architectures (virtual firewalls, intrusion detection
systems, etc.).

10
Radio-Frequency Identification
Radio Frequency Identification (RFID) is a form of wireless communication that
incorporates the use of electromagnetic or electrostatic coupling in the radio frequency
portion of the electromagnetic spectrum to uniquely identify an object or person. It uses
radio frequency to search, identify, track, and communicate with items and people.

It is a method that is used to track or identify an object by radio transmission over the web.
Data is digitally encoded in an RFID tag which might be read by the reader. This device
works as a tag or label during which data is read from tags that are stored in the database
through the reader as compared to traditional barcodes and QR codes. It is often read
outside the road of sight either passive or active RFID.

Microsoft Windows Security Principles:

Windows Tokens

Windows operating systems, tokens are critical components in the security model. They
are used by the system to represent the identity and privileges of a user or process when
accessing system resources.

An access token is a data structure created by Windows after successful user

authentication. It contains:

 The user’s SID (Security Identifier)

 SIDs of groups the user belongs to
 Privileges (e.g., shutdown the system, backup files)
 The owner of the token
 The default DACL (Discretionary Access Control List)
 A token type (Primary or Impersonation)

11
The token is attached to every process and thread the user runs, and it's used to check access
permissions when those processes attempt to interact with system objects.

Types of Windows Tokens

Type Purpose

Assigned to a user’s initial process at logon; represents the user's

Primary Token
identity.

Impersonation Allows a thread to impersonate another user's security context (e.g.,

Token for file access).

How Access Tokens Work

1. User logs into Windows.

2. The LSASS (Local Security Authority Subsystem Service) authenticates the user.
3. LSASS creates an access token for that user.
4. The Winlogon process creates the user’s desktop session using the token.
5. Any process started by the user inherits this token.

Window Messaging
Windows Messaging (Windows Message System)

Windows Messaging is a communication mechanism used by the Windows operating

system to allow interaction between windows, applications, and the OS itself. It is a
fundamental part of the Windows GUI event-driven architecture.

Windows messaging allows:

 Applications to send and receive messages (events or commands).

 The OS to notify windows about events like keystrokes, mouse movement, resizing,
etc.
 Inter process communication in some cases (e.g., SendMessage across processes).

Components

Component Description

Every Windows application runs a loop that waits for and

Message Loop
processes messages.

Message Queue Stores incoming messages for the application until they are

12
Component Description

processed.

WindowProcedure
A function that receives and handles messages for a window.
(WndProc)

Constants like WM_PAINT, WM_KEYDOWN,

Message Types
WM_LBUTTONDOWN.

Common Message Functions

Function Purpose

PostMessage( ) Posts a message to a window’s queue (asynchronous).

SendMessage( ) Sends a message and waits for processing (synchronous).

GetMessage( ) Retrieves a message from the queue.

DispatchMessage( ) Sends the message to the appropriate WndProc.

TranslateMessage( ) Converts virtual-key messages to character messages.

Program Execution
Program Execution in Windows (or General OS Context)

Program execution is the process by which a computer runs a program—transforming static

code into a running process. This involves loading the program into memory, allocating
resources, and executing instructions.

Stages of Program Execution

1. Program Load

 The executable file (e.g., .exe on Windows, ELF on Linux) is read from disk.
 The operating system loader parses the file format.

2. Memory Allocation

 Code, data, and stack segments are loaded into RAM.

 Heap space is set up for dynamic memory.

13
3. Process Creation

 A Process Control Block (PCB) is created:

o Process ID
o Registers
o Memory mappings
o Open handles
 On Windows, this is handled via the CreateProcess( ) API.

4. Thread Initialization

 At least one thread is started (the main thread).

 The instruction pointer (IP) points to the entry point (usually main() or WinMain()).

5. Execution

 The CPU begins executing instructions.

 The process can:
o Make system calls (e.g., file I/O)
o Create threads
o Load DLLs or libraries

6. Termination

 The process finishes or is killed.

 OS cleans up:
o Memory
o Handles
o Child processes

Windows Firewall

Windows Firewall is a built-in network security tool in Microsoft Windows that monitors
and filters incoming and outgoing traffic based on security rules. It acts as a barrier between
your computer and potential threats from the internet or network.

Feature Description

Inbound Rules Control traffic coming into your computer.

Outbound Rules Control traffic going out of your computer.

Port Filtering Block or allow traffic based on port numbers (e.g., 80, 443).

14
Feature Description

Application
Allow/block specific programs from accessing the network.
Filtering

Use different rules depending on the network type: Domain, Private,

Profiles
or Public.

Logs dropped packets and successful connections for audit and

Logging
troubleshooting.

Firewall Profiles

Profile Use Case

Domain Connected to an organization's domain.

Private Trusted home/work networks.

Public Untrusted networks (e.g., coffee shops, airports). Most restrictive.

How to Access Windows Firewall Settings

Steps:

1. Open Control Panel

2. Go to System and Security
3. Click Windows Defender Firewall
4. Configure settings or go to Advanced Settings for rule customization

Security Benefits

Benefit Description

Application Control Prevent untrusted apps from accessing the network.

Network Isolation Protects your device based on the network it's connected to.

DDoS& Worm
Block known exploit ports/protocols.
Protection

Enforce network rules in corporate environments using Group

Policy Enforcement
Policy.

15
16
 Unit 2
Attacker techniques and motivations
Attackers, whether they are individuals or groups, use a variety of techniques and are driven
by different motivations. Understanding both is essential for building effective cyber security
defences.

1. Attacker Motivations

a. Financial Gain

 Cybercriminals target individuals, businesses, or financial institutions to steal money

directly or indirectly.
o Examples: Ransom ware, banking Trojans, credit card fraud, phishing scams.

b. Espionage

 Nation-states or corporate spies steal sensitive data for political, military, or

business advantage.
o Examples: Intellectual property theft, government secrets, insider information.

c. Ideological (Hacktivism)

 Hacktivists promote political or social agendas through disruption or data leaks.

o Examples: Website defacements, DDoS attacks against institutions, data
dumps.

d. Revenge or Personal Grievance

 Disgruntled employees or individuals may attack former employers or associates.

o Examples: Sabotage, data deletion, leaking internal documents.

e. Reputation and Challenge

 Script kiddies or gray-hat hackers may be motivated by fame, curiosity, or

demonstrating skill.
o Examples: Website defacements, unauthorized network access, bug
exploitation.

f. Terrorism

 Cyberterrorists aim to create fear or disrupt critical infrastructure.

o Examples: Power grid attacks, water supply compromise.

17
2. Common Attacker Techniques

a. Social Engineering

 Phishing: Email or SMS scams trick users into revealing credentials.

 Pretexting: Creating a fabricated scenario to get information.
 Baiting: Offering something enticing to trick users into installing malware.

b. Malware

 Ransomware: Encrypts files and demands payment.

 Trojan Horse: Malware disguised as legitimate software.
 Spyware/Keyloggers: Steal data and monitor activity.

c. Credential Theft

 Brute-force attacks: Guessing passwords systematically.

 Credential stuffing: Using leaked credentials on multiple sites.
 Keylogging: Capturing keystrokes to obtain login info.

d. Network Attacks

 Man-in-the-Middle (MitM): Intercepting communications between two parties.

 DNS Spoofing: Redirecting users to malicious websites.
 Packet sniffing: Monitoring unencrypted network traffic.

e. Exploitation of Vulnerabilities

 Zero-day exploits: Attacks against unknown or unpatched flaws.

 SQL injection: Injecting code into queries to access databases.
 Cross-site scripting (XSS): Running malicious scripts in web browsers.

f. Denial of Service (DoS) / Distributed DoS (DDoS)

 Overwhelming a system with traffic to render it unusable.

g. Insider Threats

 Employees or contractors abusing their access to cause harm.

18
Anti forensics

Anti-forensics refers to techniques attackers use to hinder, manipulate, or avoid detection,

investigation, and analysis of their activities by digital forensics professionals. These methods
aim to:

1. Destroy or hide evidence

2. Obfuscate true actions
3. Mislead investigators
4. Delay or prevent attribution

Common Anti-Forensics Techniques

1. Data Destruction

 Secure deletion: Overwriting files with random data to prevent recovery.

 File wiping tools: (e.g., shred, SDelete) erase data beyond standard recovery.
 Disk formatting: Erasing an entire disk to remove traces of activity.
 Memory wiping: Clearing RAM or cache to prevent volatile data recovery.

2. Data Hiding

 Encryption: Encrypting files or partitions to block access without keys.

 Steganography: Hiding data inside images, videos, or audio files.
 Alternate data streams (ADS): Hiding data in file metadata or unused disk areas
(common in NTFS).
 Obfuscation: Using encoded scripts, packing malware, or polymorphic code to
disguise intent.

3. Time stomping

 Altering file timestamps (creation, access, modification) to confuse timelines.

 Tools: touch (Unix), Time stomp (Windows).

4. Trail Obfuscation

 Log tampering: Deleting, modifying, or injecting fake logs to erase tracks.

 Proxy chains and VPNs: Hiding IP addresses through multiple routing points.
 MAC spoofing: Changing MAC addresses to avoid device identification.

5. Misleading Forensics

 False artifacts: Creating misleading or fake evidence to confuse analysts.

19
  Attribution manipulation: Planting clues that falsely implicate another actor (false
flags).

6. Disabling Security Tools

 Anti-antivirus techniques: Code that disables or evades antivirus detection.

 Rootkits: Hide malicious processes, files, or registry keys from the OS and forensic
tools.
 Process injection: Injecting code into legitimate processes to evade scrutiny.

Tunneling Techniques
Tunneling techniques are methods used by attackers (and sometimes legitimate users) to
encapsulate or hide data within other protocols to bypass security controls, evade detection,
or exfiltrate data. These techniques are often used to:

 Bypass firewalls, IDS/IPS, or proxies.

 Maintain covert communication with compromised systems.
 Obscure command-and-control (C2) traffic.

Common Tunneling Techniques

1. Protocol Tunneling

Encapsulating one protocol within another to bypass restrictions.

SSH Tunneling (Port Forwarding)

 Encapsulates traffic within an encrypted SSH session.

 Used for:
o Bypassing firewalls
o Accessing internal services remotely

b. VPN Tunneling

 Encrypts all network traffic between client and server.

 Protocols: OpenVPN, L2TP/IPsec, WireGuard.

c. DNS Tunneling

 Encodes data in DNS queries/responses.

 Often used for:
o Data exfiltration
o Command-and-control (C2) communications
 Tools: Iodine, DNSCat2, DNScapy
20
d. ICMP Tunneling

 Hides data in ICMP Echo (ping) packets.

 Tools: Ptunnel, ICMP Tunnel

2. HTTP/HTTPS Tunneling

 Embeds malicious or covert traffic inside HTTP/HTTPS requests.

 Allows attackers to blend with normal web traffic.
 Tools: HTTPTunnel, WebShells, C2 frameworks like Cobalt Strike, Metasploit.

3. Obfuscated Tunneling

 Uses encrypted, encoded, or fragmented payloads to evade detection.

a. Tor (The Onion Router)

 Routes traffic through multiple encrypted relays.

 Common for:
o Anonymous C2 servers
o Hidden services (.onion)

b. Domain Fronting(no longer widely supported)

 Tricks content delivery networks (CDNs) to disguise traffic destinations.

 Used by tools like Meek (used in Tor bridges).

4. Application-Layer Tunneling

 Abuses legitimate applications for covert communications.

Examples:

 Slack, Discord, Telegram bots: Exfiltrating data or C2 via API calls.

 Google Sheets or Dropbox: Covert data staging in cloud services.

5. Custom or Covert Channels

 Developing unique protocols to hide traffic in unexpected places.

Examples:

o Encoding data in video/audio streams

o Covert channels using CPU load, LED blinking, etc. (advanced)

21
Fraud Techniques

Cyber fraud involves deception to steal money, data, or access. It includes both technical and
social methods:

1. Phishing & Social Engineering

 Phishing: Deceptive emails that trick users into giving credentials or clicking
malicious links.
 Spear Phishing: Targeted attacks, often personalized.
 Vishing (Voice phishing) and Smishing (SMS phishing): Fraud via phone or text.
 Business Email Compromise (BEC): Impersonating executives to trick staff into
sending money or data.

2. Credential Stuffing

 Using leaked username/password pairs on different websites.

 Automated with tools like Sentry MBA, Snipr, or OpenBullet.

3. Fake Websites / Clones

 Duplicates of real websites used to collect login data or payment info.

 Used in phishing campaigns and payment fraud.

4. Payment Fraud

 Carding: Using stolen credit card info to make purchases.

 BIN attacks: Guessing card numbers based on known Bank Identification Numbers.
 Chargeback fraud: Claiming a valid purchase was unauthorized.

5. Account Takeover (ATO)

 Gaining control of legitimate user accounts (bank, social media, email).

 Used for financial theft or to launch additional scams.

6. Fake Apps / Malware

 Apps disguised as legitimate that steal data, perform fraud, or install spyware.
 Often distributed via unofficial app stores or phishing links.

7. Synthetic Identity Fraud

 Creating new identities using real and fake data (e.g., SSNs + fake names).
 Used to open bank accounts, obtain credit, or apply for government aid.

22
Threat Infrastructure

Threat actors rely on a robust underground infrastructure to conduct fraud at scale:

1. Command-and-Control (C2) Servers

 Control infected machines (botnets), deliver payloads, or extract data.

 Often hidden behind fast-flux DNS or bulletproof hosting.

2. Bulletproof Hosting

 Hosting providers that ignore abuse reports and allow illegal content (e.g., phishing
kits, malware, C2).
 Usually located in jurisdictions with weak cybercrime laws.

3. Proxy & VPN Services

 Used to mask IPs during fraud operations.

 Include residential proxies, botnets, VPN chains, and Tor.

4. Phishing Kits & Malware-as-a-Service

 Ready-made phishing templates or malware sold on underground forums.

 Even low-skilled attackers can launch attacks using these kits.

5. Dark Web Markets

 Markets like (formerly) Hydra, Genesis, or private forums sell:

o Stolen credentials
o Credit card data
o Malware, exploits, and services
o Fake documents (IDs, passports)

6. Automated Tools

 Used for credential stuffing, spamming, reconnaissance, and attacks.

7. Money Mule Networks

 People (witting or unwitting) used to launder stolen money.

 Often recruited via job scams or on social media.

23
 Unit 3
Exploitation
Exploitation is a core phase in the cyber attack lifecycle where an attacker takes advantage
of a vulnerability to gain unauthorized access, execute code, or escalate privileges on a
system.

Definition: Exploitation is the act of leveraging a software, hardware, or human vulnerability

to breach a system's security.

 The goal is often to:

o Execute malicious code
o Gain system access
o Bypass authentication
o Escalate privileges
o Move laterally across networks

Types of Exploits

1. Remote Code Execution (RCE)

 Allows attackers to run code on a target system remotely.

 Often the most critical type of vulnerability.
 Example: Log4Shell (CVE-2021-44228)

2. Privilege Escalation

 Vertical: Gain higher-level permissions (e.g., from user to admin).

 Horizontal: Access resources of another user at the same level.
 Tools: Mimikatz, WinPEAS, LinPEAS

3. Local Exploits

 Require access to the system first.

 Exploits misconfigurations or vulnerable software locally.

4. Zero-Day Exploits

 Target vulnerabilities that are unknown to the vendor and the public.
 Highly valuable and often used by nation-state actors or advanced threat groups.

24
5. Client-Side Exploits

 Triggered when a user interacts with a malicious file or website.

 Common in phishing campaigns (e.g., malicious PDFs, macros in Office docs).

Techniques to gain a Foothold

Gaining a foothold is a critical early step in a cyber attack, where an attacker establishes
initial and persistent access to a target environment. This foothold allows them to expand
their access, gather information, and eventually execute broader objectives like lateral
movement, data exfiltration, or sabotage.

1. Initial Access Techniques

These are methods attackers use to enter a network or system for the first time.

a. Phishing

 Sends malicious emails with links or attachments.

 Payloads may include:
o Credential harvesters
o Malware-laced Office macros
o Remote access Trojans (RATs)

b. Drive-by Downloads

 A user visits a compromised website that automatically delivers malware.

 Often uses browser or plugin vulnerabilities.

c. Malicious Attachments / Documents

 Office files, PDFs, or ZIPs that include:

o Embedded scripts
o Exploit code
o Droppers

d. Watering Hole Attacks

 Compromise a site known to be visited by targets.

 Inject malicious JavaScript or downloaders.

e. Public-Facing Applications

 Exploiting web apps with RCE, file upload flaws, or misconfigurations.

 Example: Shellshock, Log4Shell
25
f. Compromised Credentials

 Used in brute force, credential stuffing, or abuse of reused passwords.

 Especially dangerous if MFA is not enforced.

g. Supply Chain Attacks

 Compromising trusted software or service providers.

 Example: SolarWinds Orion breach

2. Establishing Persistence (Maintaining Foothold)

Once inside, attackers establish persistence to survive reboots and maintain long-term
access.

a. Malware Installation

 Dropper installs a backdoor (e.g., RAT or rootkit).

 Connects to C2 server for further instructions.

b. Scheduled Tasks / Cron Jobs

 Attackers create automated tasks to re-run malware or re establish access.

c. Registry Run Keys (Windows)

 Modify:
o HKCU\Software\Microsoft\Windows\CurrentVersion\Run
o To launch malware on startup.

d. Startup Folder Shortcuts

 Drop scripts or executables into Windows Startup folder.

e. Abusing Legitimate Tools (Living off the Land)

 Tools like PowerShell, WMI, or certutil used to run malicious commands without
triggering AV.

f. Web Shells

 Upload PHP, ASPX, or JSP shells on vulnerable web servers.

 Provide backdoor access via browser.

26
g. User Account Creation

 Create hidden or backdoor user accounts for later access.

Misdirection

Misdirection in cyber security refers to techniques attackers use to confuse, distract, or

deceive defenders, obscuring the real nature of an attack or their presence in the system. It's
a strategic part of both offensive operations and advanced persistent threats (APTs), often
used to delay detection, misattribute actions, or redirect attention away from key
activities.

What Is Misdirection in Cyber security?

Definition: Misdirection is the deliberate use of false indicators or deceptive tactics by

attackers to manipulate how defenders perceive and respond to an attack.

Objectives of Misdirection

 Conceal true intent or origin

 Divert investigators from real attack paths
 Delay incident response
 Frame another actor or nation-state
 Overwhelm with noise or false positives

Common Misdirection Techniques

1. False Flags

 Inserting clues to suggest another attacker or country is responsible.

o Language settings in malware (e.g., Cyrillic, Mandarin).
o Use of tools known to be used by certain APT groups.
o Timestamps or working hours mimicking foreign time zones.

2. Log Poisoning / Tampering

 Injecting misleading or fake entries into logs.

 Deleting real logs or inserting false IPs, users, or actions to cover tracks.

3. Decoy Files and Systems

 Creating or manipulating files to waste analyst time.

 Fake databases, honey documents, or bait data to distract from real targets.

27
4. Living Off the Land (LotL)

 Using legitimate system tools (e.g., PowerShell, WMI, certutil) instead of malware to
avoid triggering security alerts.

5. Multiple Attack Vectors

 Launching simultaneous attacks (e.g., phishing + DDoS) to divert resources while

the real breach happens quietly.

6. Redundant Payloads or Malware

 Dropping several malware variants so defenders focus on the “noisy” one while the
stealthy backdoor remains hidden.

7. Data Flooding / Alert Noise

 Triggering lots of alerts to overwhelm security teams.

 Causes "alert fatigue" and makes real threats easier to miss.

Reconnaissanse and Disruption Methods

Reconnaissance and Disruption Methods—two critical but contrasting aspects of the cyber
attack lifecycle:

Reconnaissance

Reconnaissance is the first phase of a cyber attack, where attackers gather information
about a target to plan their intrusion. It can be passive (without direct interaction) or active
(involving engagement with target systems).

1. Types of Reconnaissance
a. Passive Reconnaissance

 Collects info without alerting the target.

 Sources:
o WHOIS data
o DNS records
o Social media, company websites
o Job postings (e.g., tools/technologies in use)
o Publicly exposed documents (PDFs with metadata)
o OSINT tools: Recon-ng, Maltego, theHarvester

28
b. Active Reconnaissance

 Directly engages with systems, increasing detection risk.

 Techniques:
o Network scanning (e.g., Nmap)
o Port scanning
o Banner grabbing
o Service enumeration
o Vulnerability scanning (e.g., Nessus, OpenVAS)

2. Tools Used
Tool Function

Nmap Port scanning and host discovery

Shodan Find Internet-facing devices

theHarvester Email, domain, and subdomain collection

SpiderFoot Automated OSINT framework

Google Dorks Advanced search operators to find sensitive data

Disruption Methods

Disruption involves tactics meant to degrade, deny, or destroy the availability or integrity
of systems, services, or data. It’s often a goal in hacktivism, cyberwarfare, or ransomware
operations.

1. Denial-of-Service (DoS) and Distributed DoS (DDoS)

 Floods systems or networks to make services unavailable.

 Can be volumetric (bandwidth exhaustion), protocol-based, or application-level.
 Tools: LOIC, HOIC, Mirai botnet variants.

2. Data Wiping and Ransomware

 Ransomware encrypts files and demands payment.

 Wipers destroy data permanently.
o Example: NotPetya masqueraded as ransomware but was destructive.

3. Supply Chain Attacks

 Compromise software or service providers to inject malicious code.

 Disrupt downstream systems or entire industries.

29
 o Example: SolarWinds breach

4. System/Service Sabotage

 Modifying or deleting critical configs.

 Overwriting boot sectors (e.g., MBRLocker).
 Bricking devices (e.g., targeting firmware).

5. Psychological and Strategic Disruption

 Fake data injection to manipulate decision-making.

 Disinformation via hacked social accounts or websites.
 Causing chaos or loss of trust (e.g., fake emergency broadcasts).

30
 Unit 4
Malicious Code
Malicious Code – Overview and Types

Malicious code refers to software or scripts intentionally designed to cause harm, disrupt
operations, steal data, or gain unauthorized access. It includes various forms of malware
and attack scripts that can infect, control, or damage systems and networks.

Characteristics

 Unwanted behaviour (e.g., data theft, spying, destruction)

 Intentional and deceptive deployment
 Self-replication or remote control (in many cases)
 May be embedded in software, email attachments, websites, or documents

Common Types of Malicious Code

Type Description Example

Virus Attaches to legitimate files; spreads by user action Michelangelo, CIH

WannaCry, SQL
Worm Self-replicates and spreads without user action
Slammer

Trojan Horse Appears legitimate but hides malicious code Emotet, Zeus

LockBit, REvil,
Ransomware Encrypts data and demands ransom
WannaCry

Spyware Secretly monitors and reports user activity FinFisher, Pegasus

Adware Displays unwanted ads, often bundled with free software Fireball

Rootkit Hides malware presence from OS and security tools Necurs

Keylogger Records keystrokes to steal credentials Olympic Vision

Backdoor Provides remote access bypassing authentication Poison Ivy

Fileless
Resides in memory; uses native tools like PowerShell Astaroth, Cobalt Strike
Malware

Executes a malicious function when specific conditions

Logic Bomb Time-triggered attacks
are met

31
Methods of Delivery

 Phishing emails (e.g., Office macros, malicious attachments)

 Malicious links and downloads (watering hole attacks, drive-by downloads)
 Compromised software updates (supply chain attacks)
 USB drops (physical infiltration)
 Malicious advertisements (malvertising)

Defensive Strategies

Layer Mitigation

Endpoint EDR solutions (CrowdStrike, Defender ATP), behavior-based AV

Network IDS/IPS, DNS filtering, segmentation

Email Spam filters, attachment sandboxing, URL rewriting

Application Least privilege, application whitelisting, patching

User Awareness Security training, phishing simulations

Malicious Code Lifecycle

1. Delivery – Email, USB, web

2. Execution – Triggers via script, user click, vulnerability
3. Persistence – Stays resident (e.g., registry changes, scheduled tasks)
4. Privilege Escalation – Gains higher permissions
5. Payload Execution – Data theft, encryption, spying, etc.
6. Communication – Connects to Command and Control (C2) server
7. Cover Tracks – Deletes logs, hides files, disables AV

Detection Tools

Tool Purpose

VirusTotal Analyze files/URLs

Wireshark Network traffic analysis

Sysinternals Suite Inspect running processes, autoruns

YARA Signature-based detection of malware

Cuckoo Sandbox Behavioral malware analysis

32
 Tool Purpose

Hybrid Analysis Cloud-based sandbox analysis

Self-Replicating Malicious Code

Self-replicating malicious code is a type of malware that can automatically copy itself and
spread to other files, systems, or networks without user intervention. This capability
enables rapid propagation and widespread infection.

Characteristics

 Automatic propagation: No manual execution needed beyond initial infection.

 Spreads across files, devices, or networks.
 Can cause widespread disruption or form botnets.
 Often exploits vulnerabilities or network protocols.

Types of Self-Replicating Code

Type Description Example

Spreads over networks by exploiting vulnerabilities or open WannaCry, Blaster, SQL

Worm
ports. Does not need to attach to other programs. Slammer

Attaches to executable files or documents and replicates Michelangelo, CIH

Virus
when the infected file is run by the user. (Chernobyl) virus

Macro Infects documents (e.g., MS Word/Excel) and replicates

Melissa virus
Virus when the document is opened.

Boot Sector Infects the boot sector of storage devices, spreading when the
Brain virus
Virus system boots.

Self-Replication Works

1. Infection: Initial execution or delivery on a host system.

2. Replication: Copies itself into other files, memory, or networked machines.
3. Propagation: Moves to other systems via network shares, removable media, or email.
4. Activation: Executes payloads or awaits triggers on infected systems.

Propagation Vectors

 Network exploits (e.g., SMB vulnerabilities)

 Removable media (USB drives)
 Email attachments with macros
 File sharing and P2P networks

33
Defenses

 Keep software and OS patched.

 Use strong email filtering and block macros by default.
 Employ network segmentation and firewalls.
 Use EDR/AV solutions that detect unusual replication behavior.
 Educate users on risks of removable media and phishing.

Real-World Examples
Worm/Virus Name Year Impact/Description

WannaCry (Worm) 2017 Exploited SMB vulnerability, encrypted data ransomware

Melissa (Macro Virus) 1999 Spread via infected Word docs in emails

ILOVEYOU (Virus) 2000 Spread by email with a malicious VBScript attachment

SQL Slammer (Worm) 2003 Network worm that caused massive internet outages

Evading Detection and Elevating Privileges

Got it! Here’s a concise but detailed overview of Evading Detection and Elevating
Privileges — two crucial tactics attackers use post-intrusion to maintain stealth and gain
greater control over systems.

Evading Detection

Attackers use various methods to avoid being spotted by security tools, analysts, or
automated defenses.

Common Techniques:
Technique Description

Alter malware code to make analysis difficult (e.g., encryption, packing,

Code Obfuscation
polymorphism).

Runs in memory using legitimate tools (PowerShell, WMI) to avoid

Fileless Malware
disk-based detection.

Hide malicious processes, files, or network connections at the OS or

Rootkits
kernel level.

Attempts to stop antivirus, endpoint detection and response (EDR), or

Disabling Security Tools
logging services.

Anti-VM / Sandbox Malware detects virtualized environments or sandboxes and alters

34
 Technique Description

Techniques behavior to avoid analysis.

Uses legitimate system tools to execute malicious actions, avoiding

Living off the Land (LotL)
suspicious binaries.

Log Manipulation Deletes or alters event logs to cover tracks.

Masks C2 traffic inside legitimate domains or services to avoid network

Domain Fronting
detection.

Techniques to Elevate Privileges

After gaining initial access, attackers seek higher privileges (e.g., admin, root) to:

 Bypass security controls

 Access sensitive data
 Maintain persistence
 Move laterally within networks

Common Privilege Escalation Methods:

Technique Description

Use OS or application bugs (e.g., kernel exploits) to gain

Exploiting Vulnerabilities
elevated rights.

Extract hashed or plaintext credentials from memory or disk

Credential Dumping
(e.g., Mimikatz).

Pass-the-Hash / Pass-the- Use stolen hashes or Kerberos tickets to authenticate without

Ticket cracking passwords.

Abusing Misconfigurations Exploit weak permissions on files, services, or scheduled tasks.

DLL Hijacking Inject malicious DLLs into higher-privilege processes.

Token Impersonation Impersonate tokens of higher-privilege users or services.

Bypassing UAC Use techniques to elevate privileges without triggering User

(Windows) Account Control prompts.

Sudo Exploits Exploit sudo misconfigurations or bugs to run commands as

(Linux/Unix) root.

Example Attack Flow

35
 1. Initial access via phishing.
2. Run PowerShell script (LotL) to deploy malware without files on disk.
3. Use Mimikatz to dump credentials from memory.
4. Perform Pass-the-Hash to move laterally.
5. Exploit an unpatched Windows kernel vulnerability to gain SYSTEM privileges.
6. Disable antivirus services and clear event logs.
7. Install rootkit to maintain stealth.

Defensive Measures

Defense Description

Identify suspicious actions rather than just known

Behavior-based detection
signatures.

Least privilege principle Limit user and service rights to reduce attack surface.

Patch management Regularly update OS and applications.

Credential hygiene Use MFA, rotate passwords, limit cached credentials.

Endpoint Detection and Response

Monitor processes, memory, and logs for anomalies.
(EDR)

Audit and monitor logs Centralized, immutable logging with alerting.

Network segmentation Contain lateral movement opportunities.

Stealing Information and Exploitation

Stealing Information and Exploitation—two pivotal attacker objectives and methods in

cyber intrusions:

Exploitation

Exploitation is the act of taking advantage of vulnerabilities, misconfigurations, or human

errors to gain unauthorized access or execute malicious actions.

Common Exploitation Techniques

Technique Description Examples

Software Buffer overflows, SQL injection, RCE EternalBlue, Heartbleed,

Vulnerabilities (Remote Code Execution) Log4Shell

Social Engineering Phishing, pretexting, baiting Spear phishing emails, fake

36
 Technique Description Examples

calls

Open databases, unsecured

Misconfigurations Weak permissions, default credentials
cloud storage

Unknown vulnerabilities exploited before Stuxnet, recent supply chain

Zero-Day Exploits
patches exist attacks

Automated login attempts using leaked Automated bots attacking

Credential Stuffing
credentials login pages

Cross-Site Scripting Stored or reflected XSS

Inject malicious scripts into web pages
(XSS) attacks

Stealing Information

Attackers often aim to exhilarate sensitive data like personal info, intellectual property, or
credentials.

Methods of Information Theft

Method Description Tools/Examples

Capture keystrokes to steal Hardware key loggers, software like

Keylogging
passwords Olympic Vision

Network Sniffing Intercept network traffic Wireshark, Ettercap

Data Exfiltration via Sending stolen data to attacker’s

HTTP(S), DNS tunneling, FTP
C2 server

Database Dumping Extracting entire databases SQL Injection, database admin exploits

Man-in-the-Middle Intercept and alter

ARP spoofing, SSL stripping
(MitM) communications

Capturing screen contents or

Screen Scraping Remote access Trojans (RATs)
screenshots

Accessing poorly secured cloud

Cloud Storage Theft Misconfigured AWS S3 buckets
resources

DefenseAgainst Exploitation and Data Theft

Defense Strategy Details

37
 Defense Strategy Details

Patch Management Regularly update and patch software

Input Validation Sanitize all user inputs to prevent injection

Multi-Factor Authentication (MFA) Adds extra layer beyond passwords

Network Encryption Use TLS/SSL to protect data in transit

Data Loss Prevention (DLP) Monitor and block unauthorized data transfers

Endpoint Security Use antivirus, EDR to detect malware

User Training Teach phishing recognition and safe practices

Real-World Example: Equifax Breach (2017)

 Exploit: Unpatched Apache Struts vulnerability (CVE-2017-5638)

 Information Stolen: Personal data of ~147 million people (SSNs, birthdates,
addresses)
 Cause: Failure to patch known vulnerability
 Result: Massive regulatory fines and damage to reputation

38
 Unit 5
Defense and Analysis Techniques

Defense Techniques

1. Perimeter Defense

 Firewalls: Control inbound/outbound traffic based on security rules.

 Intrusion Detection/Prevention Systems (IDS/IPS): Monitor and block suspicious
activity.
 Web Application Firewalls (WAF): Protect web apps from injection, XSS, and
other attacks.

2. Endpoint Protection

 Antivirus/Antimalware: Detect and block known malicious software.

 Endpoint Detection and Response (EDR):Behavioral monitoring and advanced
threat hunting.
 Application Whitelisting: Allow only approved applications to run.

3. Network Security

 Segmentation: Limit access between network segments to reduce lateral movement.

 VPNs and Encryption: Secure data in transit.
 Network Access Control (NAC): Enforce security policy on devices connecting to
network.

4. Identity and Access Management (IAM)

 Multi-Factor Authentication (MFA): Adds layers of identity verification.

 Least Privilege: Grant users minimum necessary permissions.
 Privileged Access Management (PAM): Control and audit privileged accounts.

5. Patch Management

 Regular updates and patches to fix known vulnerabilities.

6. User Awareness Training

 Phishing simulations and security best practices training.

Analysis Techniques

39
1. Log Analysis

 Review system, network, application logs for unusual activity.

 Use SIEM (Security Information and Event Management) platforms like Splunk,
ELK.

2. Malware Analysis

 Static Analysis: Examine code without execution (disassembly, signature matching).

 Dynamic Analysis: Run malware in sandbox environments to observe behavior.
 Tools: Cuckoo Sandbox, IDA Pro, Ghidra.

3. Network Traffic Analysis

 Monitor packets for anomalies using tools like Wireshark, Zeek (Bro).
 Detect unusual communication to C2 servers or data exfiltration.

4. Forensics

 Disk and memory imaging to preserve evidence.

 Analyzeartifacts to trace attacker behavior.
 Tools: Autopsy, FTK, Volatility (memory forensics).

5. Threat Intelligence

 Use external data on known threats, Indicators of Compromise (IOCs).

 Feeds from services like MISP, AlienVault OTX.

6. Behavioral Analysis

 Use machine learning to identify deviations from normal patterns.

 Detect zero-day or fileless malware.

Memory Forensics

Memory forensics is the process of analyzing a computer’s volatile memory (RAM) to

extract useful information about running processes, malware, network connections, and
system activity — especially when disk-based evidence is incomplete or tampered with.

 Many advanced malware samples and attacks (fileless malware, rootkits) operate
primarily in memory.
 Volatile memory contains live data like running processes, decrypted code,
credentials, and network sockets.
 Helps detect malware that hides from disk scans.
 Critical for investigating sophisticated intrusions and lateral movement.
40
Concepts
Aspect Description

Volatile Data Data lost on shutdown or reboot

Process Memory Includes code, injected DLLs, decrypted malware

Network Artifacts Open connections, sockets, DNS cache

Credential Artifacts Password hashes, tokens in memory

Registry in Memory Live system configuration and malware persistence

Common Tools
Tool Purpose

Volatility Leading open-source memory analysis framework

Rekall Another popular memory forensic tool

LiME Linux Memory Extractor for live memory acquisition

FTK Imager Capturing memory snapshots

DumpIt Windows memory acquisition tool

Typical Memory Forensics Workflow

1. Acquire Memory Image

Use tools like DumpIt or LiME to capture a snapshot of the system’s RAM safely.
2. Validate Image Integrity
Check hash values (MD5/SHA256) to ensure image wasn’t tampered with.
3. Analyze Processes and DLLs
o List active processes and their memory space.
o Detect injected or hidden processes.
4. Search for Indicators of Compromise (IOCs)
o Suspicious strings, network connections, mutexes.
o Malware signatures or code fragments.
5. Extract Credentials
6. Tools can dump passwords, hashes, tokens from memory.
7. Investigate Network Activity
Identify connections to C2 servers or lateral movement.
8. Report Findings
Summarize evidence for incident response or legal purposes.

41
Challenges

 Large data volume — requires experience and automated tools.

 Memory image acquisition without contamination.
 Frequent OS updates mean tools need to support multiple OS versions.

Honeypots

A honeypot is a decoy system or resource designed to attract attackers so defenders can

detect, study, and analyze malicious activity without risking real assets.

Purpose of Honeypots

 Detect attacks early by attracting attackers.

 Gather intelligence on attacker techniques and tools.
 Distract attackers away from real targets.
 Test defenses in a controlled environment.
 Improve security posture by understanding attacker behavior.

Types of Honeypots
Type Description Use Case

Simulates services with limited functionality; Detect automated scans, simple

Low-Interaction
safer and easier to deploy malware

Real systems with full OS allowing attackers Deep analysis of attacker

High-Interaction
to fully interact behavior, APT research

Research Collect extensive data on new threats and

Security research labs, threat intel
Honeypots attack methods

Production Deployed inside enterprise networks to detect Early warning for attacks in
Honeypots and alert on intrusions corporate environment

How Honeypots Work

1. Setup decoy systems/services mimicking real assets (web servers, databases, IoT
devices).
2. Monitor all activity on these systems closely.
3. Record attacker actions like reconnaissance, exploitation attempts, malware
uploads.
4. Analyze collected data to update defenses and share threat intelligence.
5. Optionally, respond or contain the attack within the honeypot.

42
Common Honeypot Tools
Tool Description

Honeyd Creates multiple virtual hosts/services

Kippo/ Cowrie SSH honeypot that logs attacker sessions

Dionaea Captures malware exploiting network services

Glastopf Web application honeypot for detecting web attacks

Modern Honeypot Platforms T-Pot, MHN (Multi-Honeypot Network)

Benefits

 Provides early attack detection.

 Helps understand attacker tactics and tools.
 Can slow or misdirect attackers.
 Enhances incident response capabilities.
 Lowers false positives compared to other detection tools.

Risks and Considerations

 Honeypots themselves can be attacked or compromised.

 May attract legal liability if used improperly.
 Requires proper isolation to avoid attackers pivoting to real systems.
 Generates lots of data—needs resources for monitoring and analysis.

Malicious Code Naming

Malware important

 Communication: Helps cyber security professionals share threat intelligence.

 Tracking: Enables tracking of malware families and variants.
 Analysis: Helps in understanding malware behaviour patterns.
 Public Awareness: Informs organizations and users about threats.

Common Naming Conventions

Naming Basis Description Example

Based on what malware does or how it WannaCry (ransomware),

Functionality/Behavior
acts Keylogger

Payload or Impact Based on the damage or payload type CryptoLocker (encrypts files)

43
 Naming Basis Description Example

Based on malware lineage or creator

Family or Origin Zeus (banking trojan), Stuxnet
group

Conficker (from “conference”),

Discovery Context Named after where or how discovered
Slammer

Unique strings or filenames in

File or Code Traits Nimda (admin spelled backward)
malware

Sometimes authors embed names or

Author-chosen Name NotPetya, BlackEnergy
signatures

Date or Variant
Indicating version or outbreak time Mirai.B, Emotet v3
Numbers

Challenges in Malware Naming

 Different vendors often give different names to the same malware.

 Polymorphic malware changes code but maintains behaviour.
 Overlapping families can cause confusion.
 Naming disputes can complicate threat intelligence sharing.

Automated Malicious Code Analysis Systems

Automated systems analyze suspicious files or code without manual intervention, helping
security teams quickly identify, classify, and respond to malware.

Types of Automated Analysis

Type Description Examples/Tools

Examines code or binaries without executing YARA rules, VirusTotal,

Static Analysis
them PEStudio

Executes code in sandboxed environment to Cuckoo Sandbox, Joe

Dynamic Analysis
observe behaviour Sandbox

Combines static and dynamic techniques for

Hybrid Analysis Hybrid Analysis platform
deeper insight

Focuses on system and network behavior Sysmon + Splunk

Behavioral Analysis
changes during execution correlation

Heuristic/AI-based Uses machine learning to detect unknown or Cylance, CrowdStrike,

Analysis polymorphic malware SentinelOne

44
Automated Analysis Works

1. Input Sample Submission

Malware samples or suspicious files are uploaded or collected automatically.
2. Static Analysis Phase
o Extract metadata (hashes, file headers).
o Scan for known signatures or suspicious strings.
o Detect obfuscation or packing.
3. Dynamic Analysis Phase
o Run sample in isolated sandbox.
o Monitor API calls, file changes, network traffic, registry modifications.
o Capture screenshots or memory dumps.
4. Behavioral Profiling
o Identify indicators like persistence mechanisms, C2 communication.
o Detect anomalies compared to normal baselines.
5. Reporting and Alerts
o Generate detailed reports with indicators of compromise (IOCs).
o Automatically share data with threat intelligence platforms.

Popular Automated Analysis Tools & Platforms

Tool/Platform Focus Area

VirusTotal Aggregates multiple antivirus scan results and metadata

Cuckoo Sandbox Open-source dynamic malware analysis sandbox

Hybrid Analysis Free online sandbox combining static/dynamic analysis

Joe Sandbox Commercial deep malware analysis solution

MalwareBazaar Repository of malware samples for research and automated analysis

ANY.RUN Interactive online sandbox with real-time monitoring

Benefits

 Speeds up malware triage and investigation.

 Scales analysis for large volumes of samples.
 Detects new or polymorphic malware through behavior.
 Provides rich data for incident response and threat hunting.

Limitations

 Evasion Techniques: Malware can detect sandboxes and alter behaviour.

 False Positives/Negatives: Automated tools may miss subtle or novel attacks.
 Resource Intensive: Sandboxing can require significant compute power.

45
  Context Missing: Automation can miss contextual intelligence analysts provide.

Typical Use in Security Workflow

 Incoming suspicious files automatically sent to automated system.

 Alerts generated if malware is detected.
 Analysts review reports for deeper manual analysis.
 IOCs integrated into security tools like IDS/IPS, EDR, firewalls.
 Continuous feedback improves automated detection models.

Intrusion Detection Systems

An Intrusion Detection System monitors network traffic or system activities for malicious
actions or policy violations and alerts security teams.

Types of IDS
Type Description Examples

Network-based IDS Snort, Suricata, Zeek

Monitors network traffic for suspicious patterns
(NIDS) (Bro)

Monitors activities on individual hosts (file OSSEC, Wazuh,

Host-based IDS (HIDS)
changes, logs) Tripwire

Some commercial
Hybrid IDS Combines both network and host monitoring
solutions

How IDS Works

1. Traffic or Event Collection

Captures packets (NIDS) or system events/logs (HIDS).
2. Analysis Engine
Compares data against known signatures or looks for anomalies.
3. Detection Methods:
o Signature-based Detection: Matches known attack patterns or malware
signatures.
o Anomaly-based Detection: Flags behaviour deviating from normal baseline.
o Stateful Protocol Analysis: Understands protocol behaviour to spot misuse.
4. Alerting
Generates alerts or logs for security teams to investigate.

Features

 Real-time monitoring and alerting.

 Packet and protocol inspection.

46
  Integration with SIEM for correlation.
 Ability to perform deep packet inspection.
 Logging for forensic analysis.

Popular IDS Tools

Tool Description

Snort Widely used open-source NIDS with signature and protocol analysis

Suricata High-performance open-source IDS/IPS with multi-threading

Zeek (Bro) Network monitoring framework focused on protocol analysis and logging

OSSEC Open-source HIDS for log analysis and file integrity monitoring

Wazuh Fork of OSSEC with enhanced capabilities and cloud support

IDS vs. IPS

IDS (Detection) IPS (Prevention)

Detects and alerts on attacks Detects and blocks attacks in real-time

Passive monitoring Inline, actively blocks traffic

Requires manual intervention Can automatically respond

47