WEBVTT

00:00:01.010 --> 00:00:03.060
Let's take a look at malware.

00:00:03.400 --> 00:00:08.039
Well, malware used to stand for malfeasance software,

00:00:08.360 --> 00:00:12.070
but since we all have a problem trying to spell malfeasance,

00:00:12.240 --> 00:00:15.440
we often call it today, malicious software.

00:00:15.910 --> 00:00:19.840
Malware is software that was written to do harm.

00:00:20.090 --> 00:00:21.860
It was written to damage.

00:00:21.860 --> 00:00:25.610
It wasn't a bug or some type of a problem in the software,

00:00:25.780 --> 00:00:31.120
but rather, it was software written in order to try to harm somebody's system.

00:00:31.680 --> 00:00:34.060
As we say, malware, for example,

00:00:34.060 --> 00:00:39.810
is often written by different hackers to try to get around some security

00:00:39.810 --> 00:00:44.160
controls, maybe take over a system, or steal some data.

00:00:45.160 --> 00:00:49.430
The idea is that malware has evolved a lot over the years.

00:00:49.530 --> 00:00:54.680
We used a lot of terms like virus, and worm, and so on, and

00:00:54.790 --> 00:00:57.900
those in the early days were quite different.

00:00:57.910 --> 00:01:03.440
But now a lot of malware today is also kind of a combination of

00:01:03.450 --> 00:01:08.450
many different types of malware. And malware authors went from

00:01:08.450 --> 00:01:11.080
being what we often called script kiddies,

00:01:11.180 --> 00:01:15.630
where people were just casually doing this for fun, to a very

00:01:15.630 --> 00:01:18.720
professional type of skill as we see it today.

00:01:19.860 --> 00:01:24.180
We try to prevent malware through anti‑malware systems.

00:01:24.380 --> 00:01:24.730
Now,

00:01:24.730 --> 00:01:30.230
the best way to prevent malware is through awareness training, telling

00:01:30.230 --> 00:01:33.710
people what to watch for, don't click on that link,

00:01:33.720 --> 00:01:36.520
don't open that attachment, for example.

00:01:37.310 --> 00:01:41.300
And we, of course, back that up with a number of really good

00:01:41.350 --> 00:01:44.790
anti‑malware tools. We have, for example,

00:01:44.790 --> 00:01:49.530
anti‑virus systems, anti‑spam systems that very often are

00:01:49.530 --> 00:01:53.020
looking for known signatures of types of attacks.

00:01:53.870 --> 00:02:00.000
It's important that we monitor in two places. We monitor network traffic, so

00:02:00.000 --> 00:02:05.190
we see malware going through a network, but we also monitor on endpoint

00:02:05.190 --> 00:02:09.639
devices to see if that device itself has been affected.

00:02:11.140 --> 00:02:14.480
One of the things we will often do if we see something

00:02:14.480 --> 00:02:18.610
suspicious is we'll put it into a sandbox.

00:02:19.000 --> 00:02:23.660
The idea of a sandbox is that it's an isolated environment.

00:02:24.080 --> 00:02:25.700
So, let's say, for example,

00:02:25.700 --> 00:02:30.010
a security professional sees something that could be malware.

00:02:30.020 --> 00:02:30.280
Well,

00:02:30.280 --> 00:02:34.270
they don't want to run it on their machine to see what it does, instead

00:02:34.270 --> 00:02:38.450
they'll put it into a virtual machine where it's very closely limited

00:02:38.460 --> 00:02:43.930
and very often then not network connected. That as an isolated sandbox

00:02:43.940 --> 00:02:49.540
where now they can let that malware, or suspected malware, execute and

00:02:49.540 --> 00:02:50.780
see what it does.

00:02:51.280 --> 00:02:57.420
It's important that we isolate both the actual sandbox itself,

00:02:57.430 --> 00:03:01.620
but also the system, so even if something does go wrong,

00:03:01.620 --> 00:03:04.300
it can't spread to other systems.

00:03:04.930 --> 00:03:09.300
We do this a lot when we're doing forensics. We need to look at something,

00:03:09.300 --> 00:03:13.910
and obviously you don't want it, whatever that bad stuff is, to now appear

00:03:13.910 --> 00:03:17.280
on your machine or the investigator's machine.

00:03:17.680 --> 00:03:21.020
So we'll put it into a separate area for that reason.

00:03:22.240 --> 00:03:24.850
When we're looking at malware analysis,

00:03:25.350 --> 00:03:29.820
we want to see what does this malware try to do? What are its

00:03:29.830 --> 00:03:35.320
intents, what are its techniques, so that we can see how it executes

00:03:35.330 --> 00:03:40.440
and how it operates in that sandbox and learn how to prevent that

00:03:40.440 --> 00:03:43.330
malware from infecting other systems.

00:03:44.440 --> 00:03:49.330
These sandboxes are usually a virtual environment, an environment

00:03:49.330 --> 00:03:53.120
we've set up on a system where it is virtual,

00:03:53.120 --> 00:03:57.690
but it's not running directly on the physical hardware of the system.

00:03:57.890 --> 00:03:58.710
Instead,

00:03:58.710 --> 00:04:02.100
a virtual environment is an environment which is a

00:04:02.100 --> 00:04:05.700
logical configuration of a system.

00:04:05.840 --> 00:04:12.370
And in that way, as a virtual environment, we can now try to

00:04:12.660 --> 00:04:16.600
execute it, and if it does something wrong,

00:04:16.620 --> 00:04:19.290
the nice thing about a virtual environment, it's just

00:04:19.290 --> 00:04:23.500
logical, we just power it down, and we can restart the

00:04:23.500 --> 00:04:26.660
system with no lasting damage to it.

00:04:28.610 --> 00:04:32.880
One of the ways we learn what attackers do is through

00:04:32.880 --> 00:04:35.850
the use of honeypots and honeynets.

00:04:36.160 --> 00:04:40.720
We set out something that is attractive to an intruder.

00:04:40.840 --> 00:04:44.210
You could call it a target of opportunity if you like.

00:04:44.810 --> 00:04:50.570
Something, for example, in our demilitarized zone that has an attractive name,

00:04:50.570 --> 00:04:53.480
executive bonus scheme, or something like this.

00:04:54.270 --> 00:04:54.850
Now,

00:04:54.860 --> 00:04:59.840
nobody should be looking at that because it doesn't belong to anybody

00:04:59.840 --> 00:05:03.560
that really is there in our demilitarized zone.

00:05:04.190 --> 00:05:06.510
But we want to see who does look at it.

00:05:06.840 --> 00:05:11.310
They're a little curious because it's something that is attractive to them.

00:05:11.690 --> 00:05:17.950
And the idea is we learn who goes there. We learn the types of tools they

00:05:17.950 --> 00:05:23.780
use to break into that system. So we learn their attack behaviors, and that

00:05:23.780 --> 00:05:27.610
allows us to build better defenses as well.

00:05:28.210 --> 00:05:34.020
We can analyze the type of traffic on that network or attacking that

00:05:34.020 --> 00:05:39.270
host, the honeypot itself. A honeypot being a host, honeynet being the

00:05:39.270 --> 00:05:42.610
network that is leading up to that host.

00:05:43.270 --> 00:05:48.260
We also have to watch out for something we call side channel attacks. So

00:05:48.260 --> 00:05:54.210
they're not attacking the actual host directly. You take,

00:05:54.210 --> 00:05:55.900
for example, with cryptography,

00:05:56.440 --> 00:06:01.320
they don't necessarily attack the cipher text or the algorithm, instead

00:06:01.320 --> 00:06:07.470
they attack the actual memory units and CPU units that are being used

00:06:07.470 --> 00:06:10.980
to try to process that encrypted traffic.

00:06:11.380 --> 00:06:16.450
That gives us information about how these attacks are configured.

00:06:18.850 --> 00:06:24.710
We have many different types of attacks we face. When we take a look at malware,

00:06:24.710 --> 00:06:29.380
for example, at a high level, it often goes after applications.

00:06:29.810 --> 00:06:35.850
We see spam going after email. We see people trying to intercept traffic,

00:06:35.850 --> 00:06:41.170
say on a wireless or even between two communicating processes, and

00:06:41.170 --> 00:06:43.520
we'll call that the man‑in‑the‑middle attack.

00:06:44.330 --> 00:06:48.540
We've seen, of course, many attacks that take advantage of a flaw

00:06:48.540 --> 00:06:53.940
within the software, and that flaw or that unprotected software

00:06:53.950 --> 00:06:56.860
has created a target of opportunity.

00:06:56.940 --> 00:07:00.040
We've seen this a lot with different types of commercial

00:07:00.040 --> 00:07:03.940
software where the moment a vulnerability is found,

00:07:04.090 --> 00:07:09.260
the attackers, just in mass, actually then develop a number

00:07:09.260 --> 00:07:13.530
of different ways to try to break into that software through

00:07:13.530 --> 00:07:15.380
that detected vulnerability.

00:07:16.460 --> 00:07:18.570
The other thing is session management.

00:07:18.800 --> 00:07:23.410
We've had a number of attacks, such as Cross‑Site Request Forging, that was

00:07:23.410 --> 00:07:28.260
a very good example of a session management type of attack because a person

00:07:28.260 --> 00:07:32.680
didn't log out property and their session could be taken over by somebody

00:07:32.680 --> 00:07:37.390
else in something we'll often call session hijacking. This is why it's

00:07:37.390 --> 00:07:42.060
important we have things like timeouts, so if a person has not used their

00:07:42.060 --> 00:07:43.310
system for a few minutes,

00:07:43.320 --> 00:07:47.790
it'll just lock it out. And it could be that it's not been used because the

00:07:47.790 --> 00:07:52.240
person forgot to log out, or maybe they just lost their internet

00:07:52.240 --> 00:07:55.950
connection, and all of a sudden, they couldn't even log out because they

00:07:55.950 --> 00:07:58.770
weren't connected to that application anymore.

00:07:58.930 --> 00:08:02.410
So we have a timeout that kicks in after a few minutes of

00:08:02.420 --> 00:08:05.310
inactivity and just terminates that session.

00:08:06.830 --> 00:08:09.490
We also have attacks at the transport layer.

00:08:09.860 --> 00:08:13.500
We have flooding of traffic, such as a SYN flood attack.

00:08:14.020 --> 00:08:17.380
The best example of a SYN flood attack is when you're standing

00:08:17.380 --> 00:08:20.930
talking to a good friend, and all of a sudden, your 3‑year old

00:08:20.930 --> 00:08:22.880
granddaughter comes up and says Grandpa,

00:08:22.890 --> 00:08:26.720
Grandpa, Grandpa, Grandpa, Grandpa, that's a SYN flood.

00:08:27.190 --> 00:08:30.500
She's trying to get your attention, she's trying to synchronize,

00:08:30.650 --> 00:08:36.220
but quite simply, you're not able to hold a conversation with

00:08:36.230 --> 00:08:39.970
anybody else while you're under a SYN flood attack.

00:08:40.299 --> 00:08:42.450
And this is what we've seen with a number of the

00:08:42.450 --> 00:08:44.670
distributed Denial of Service attacks.

00:08:44.860 --> 00:08:51.900
You have a flood of synchronization requests come in that certainly make it

00:08:51.900 --> 00:08:56.260
impossible to carry on any type of legitimate business.

00:08:57.180 --> 00:09:01.850
We've also seen this with UDP. We've seen where UDP, there's been a

00:09:01.850 --> 00:09:06.350
whole flood of traffic coming in using the UDP protocol.

00:09:07.050 --> 00:09:11.800
There's been attacks using things like TCP sequence numbers to hijack or

00:09:11.800 --> 00:09:15.300
take over somebody else's established say banking session.

00:09:16.090 --> 00:09:18.600
And, of course, this is where the man‑in‑the‑middle

00:09:18.600 --> 00:09:21.180
attack becomes again, a problem.

00:09:21.300 --> 00:09:25.070
Can somebody get in between the two people that are trying to

00:09:25.070 --> 00:09:28.900
talk and may be able to take over that session,

00:09:29.420 --> 00:09:34.450
take over your banking session, or could they alter the traffic, rerouting money

00:09:34.450 --> 00:09:39.200
to a different location, for example? At the network layer,

00:09:39.200 --> 00:09:45.620
we also have attacks. We have things like IP spoofing, ICMP, Internet

00:09:45.620 --> 00:09:50.510
Control Message Protocol, and we talked earlier about how this lent

00:09:50.510 --> 00:09:53.720
itself to that attack known as the ping of death.

00:09:54.350 --> 00:09:59.970
You can have floods of ICMP traffic. And some of you have noticed this.

00:10:00.170 --> 00:10:02.920
You may have a person that if you send them an email,

00:10:02.930 --> 00:10:05.760
you know you're going to get seven or eight emails back.

00:10:05.840 --> 00:10:08.340
That's the type of, should we say, your flooding

00:10:08.340 --> 00:10:13.810
attack. And in the area of using ICMP,

00:10:14.150 --> 00:10:21.000
it's the sort of case if I send a ping off to a large broadcast address where

00:10:21.000 --> 00:10:25.250
there's many machines and they all reply back, there's going to be a whole

00:10:25.250 --> 00:10:31.560
flood of these replies coming back that I could target or divert those off to

00:10:31.570 --> 00:10:38.160
an unsuspecting victim. That was sometimes known as the smurf attack. At the

00:10:38.160 --> 00:10:41.330
data link and physical layers, we also have attacks there.

00:10:41.730 --> 00:10:45.980
If we're using wireless, does somebody jam the wireless signal, is

00:10:45.980 --> 00:10:51.570
somebody sniffing the wireless traffic going by, or did someone damage the

00:10:51.570 --> 00:10:55.660
cable or even intercept the cable to tap into it?

00:10:56.270 --> 00:11:01.020
We've seen cases where people stole the copper cable so they could sell it.

00:11:01.480 --> 00:11:04.180
So these are all types of attacks that can very

00:11:04.180 --> 00:11:07.360
definitely affect network communications.