Computer Attack and Defense
Cybersecurity: an Introduction
Ivan Zelinka
MBCS CIPT, www.bcs.org/
http://www.springer.com/series/10624
Department of Computer Science
Faculty of Electrical Engineering and Computer Science, VŠB-TUO
17. listopadu 15, 708 33 Ostrava-Poruba
Czech Republic
www.ivanzelinka.eu
Topics
• Cybersecurity introduction
• Real-time monitoring of intrusion
• Basics of cybersecurity.
Objectives
The objectives of the lesson are:
• Introduce basics of cybersecurity.
• Cybersecurity and its place.
• Examples.
• Future challenges.
• Consequences.
Lecture Structure
• Understanding the Cybersecurity Landscape
• The Role of Malware in Cyberattacks
• Why Traditional Security Solutions Fail to Control Advanced Malware
• What Next‐Generation Security Brings to the Fight
• Creating Advanced Threat Protection Policies
• Ten Things to Look for in a Cybersecurity Solution
What is Cyber Security?
‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access’
http://whatis.techtarget.com/definition/cybersecurity
‘A major part of Cyber Security is to fix broken software’
What is Cyber Crime?
‘Cyber crime encompasses any criminal act dealing with computers and networks (called hacking). Additionally, cyber crime also includes traditional crimes conducted through the Internet.’
http://www.webopedia.com/TERM/C/cyber_crime.html
‘A major attack vector of Cyber Crime is to exploit broken software’
History
Understanding the Cybersecurity Landscape
Spy and War Landscape
[Figure: warfare domains Space, Air, Cyberspace, Ground and Ocean, with the cyberspace branch split into Hacking, Malware and Other]
Understanding the Cybersecurity Landscape
Viruses
Viruses infect computers through email attachments and file sharing. They delete files, attack other computers, and make your computer run slowly. One infected computer can cause problems for all other computers on a network.

Hackers
Hackers are people who “trespass” into your computer from a remote location. They may use your computer to send spam or viruses, host a Web site, or do other activities that cause computer malfunctions.
Identity Thieves
People who obtain unauthorized access to your personal information, such as Social Security and financial account numbers. They then use this information to commit crimes such as fraud or theft.

Spyware
Spyware is software that “piggybacks” on programs you download, gathers information about your online habits, and transmits personal information without your knowledge. It may also cause a wide range of other computer malfunctions.
Understanding the Cybersecurity Landscape
[Figure: cyber-safety overview with six parts: What is Cyber-safety?, Cyber-safety Threats, Consequences of Inaction, Cyber-safety Actions, Cyber-safety at Home & Work, Campus Cyber-safety Services]
Understanding the Cybersecurity Landscape
CONSEQUENCES OF INACTION
Loss of access to the campus computing network
Loss of confidentiality, integrity and/or availability of valuable university information, research and/or personal electronic data
Lawsuits, loss of public trust and/or grant opportunities, prosecution, internal disciplinary action or termination of employment
Understanding the Cybersecurity Landscape
• The State of Today’s Intrusions
• Target (customer information)
• Sony Pictures (intellectual property)
• U.S. Office of Personnel Management (employee information)
• Anthem Blue Cross (customer information)
• Lenovo (hacktivism)
• NASA hacked
• Spear phishing https://youtu.be/BnmneAjVrM4
• a targeted phishing campaign that appears more credible to its victims because the attacker has gathered specific information about the target, and thus has a higher probability of success.
• Spear phishing, and phishing attacks in general, are not always conducted via email. A link is all that’s required, such as a link on Facebook or on a message board or a shortened URL on Twitter.
Understanding the Cybersecurity Landscape
NASA Hacked
• WATCH: Proof NASA edits out UFOs? What Gary McKinnon found on 2-year hack spree
• A HACKER believes he saw proof NASA DOES edit out pictures of alien Unidentified Flying Objects (UFOs) from its images before public release.
• By JON AUSTIN, PUBLISHED: 04:18, Tue, Dec 8, 2015 | UPDATED: 10:39, Tue, Dec 8, 2015
• http://www.express.co.uk/news/science/624901/WATCH-Proof-NASA-edits-out-UFOs-What-Gary-McKinnon-found-on-2-year-hack-spree
• See at https://youtu.be/n1CggoA_O1M
Monitoring
Possible Links
• https://www.akamai.com/us/en/resources/visualizing-akamai/enterprise-threat-monitor.jsp?theme=light
• http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16643&view=map
• http://map.norsecorp.com/
• http://map.honeynet.org/
• https://cybermap.kaspersky.com/
• http://threatmap.fortiguard.com/
• https://www.stateoftheinternet.com/trends-visualizations-security-real-time-global-ddos-attack-sources-types-and-targets.html
• http://dds.ec/pewpew/index.html
• http://www.trendmicro.com/us/security-intelligence/current-threat-activity/global-botnet-map/index.html
Understanding the Cybersecurity Landscape
HACKING MAP
• HACKING MAP: Watch live as ‘China launches countless hack attacks on UK and USA’
• It LOOKS like laser warfare with China and the USA blasting each other with Russia and Europe caught in the middle.
• By JON AUSTIN, PUBLISHED: 12:13, Wed, Jul 29, 2015 | UPDATED: 16:16, Thu, Jul 30, 2015
Understanding the Cybersecurity Landscape
Cyber Attack Maps Index
1. Norse
2. Digital Attack Map
3. FireEye
4. SUCURI
5. Wordfence
6. Kaspersky
7. Threat Cloud
8. Trend Micro
9. AKAMAI
Understanding the Cybersecurity Landscape
Cyber Attack Maps - Norse
• Norse map (http://map.norsecorp.com/#/) shows the attack origins, attack types, attack targets, attacker IPs, attacker geolocation, and ports. You can filter the map by the following geolocations and protocols.
• Norse maintains the world’s largest threat intelligence network, with over 8 million sensors on more than 6000 applications.
• By geolocation
• Global (default), South East Asia, West Asia, Latin America, Europe, US & China
• By protocols
• Telnet, Netis, RFB (Remote framebuffer), Microsoft-DS, HTTP, MS WBT
• SIP, SSH, XSAN File system
See also https://www.youtube.com/watch?v=bWXIJSiagBY
Understanding the Cybersecurity Landscape
Cyber Attack Maps - Digital Attack Map
• Digital Attack Map (http://www.digitalattackmap.com) lets you watch the daily DDoS attacks worldwide. You can filter the map with multiple options.
• By attack size
• Large
• Unusual
• Combined
• By attack type
• TCP Connection (filling connections)
• Volumetric (eating bandwidth)
• Fragmentation (pieces of packets)
• Application
• Source & destination port number
• Duration
• DDoS is dangerous to your online business: it can take down your online presence and hurt you both in reputation and financially. More than 2000 DDoS attacks are observed daily by Arbor Networks. If you are a business owner or web administrator, you may consider protecting your online assets from DDoS by using services like Incapsula, CloudFlare or SUCURI.
Understanding the Cybersecurity Landscape
Cyber Attack Maps - FireEye
• FireEye Cyber Threat Map (https://www.fireeye.com/cyber-map/threat-map.html) gives you a concise summary of the total attacks today, with the following data.
• Top 5 reported industries
• Top attackers by country
• It’s not as detailed as the above two, but still useful if you are just looking for data by industry and country.
Understanding the Cybersecurity Landscape
Cyber Attack Maps - SUCURI
• SUCURI shows you data about WordPress brute force attacks. This data is not real-time but updated daily.
• Visualization is divided into four sections.
• Overall failed logins every day.
• Origin of attacks by country.
• Origin of attacks by ASN (Autonomous System Number).
• Attacks per hour.
• On average, more than 1 million attacks using brute-force techniques are targeted at WordPress.
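As an added example (not from the slides, and not SUCURI's or Wordfence's code), the aggregation behind such a dashboard, run offline over constructed wp-login log lines in an assumed one-line-per-attempt format: failed logins per day, per hour and per source IP, plus a sliding-window check that flags a source as brute-forcing. The per-country and per-ASN views would need a GeoIP lookup, which is left out here.

```python
"""Aggregate failed WordPress login attempts the way the SUCURI dashboard
breaks them down (per day, per hour, per origin) and flag brute-force sources.

Constructed example, not SUCURI's or Wordfence's code. The log format is an
assumption: one line per login attempt with an ISO-8601 UTC timestamp, the
client IP, the user name tried and the result (FAIL or OK).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (documentation-range IPs, invented timestamps).
SAMPLE_LOG = """\
2024-03-10T14:02:11Z 203.0.113.7 wp-login.php user=admin result=FAIL
2024-03-10T14:02:13Z 203.0.113.7 wp-login.php user=admin result=FAIL
2024-03-10T14:02:15Z 203.0.113.7 wp-login.php user=administrator result=FAIL
2024-03-10T14:02:18Z 203.0.113.7 wp-login.php user=wpadmin result=FAIL
2024-03-10T14:02:20Z 203.0.113.7 wp-login.php user=root result=FAIL
2024-03-10T14:02:23Z 203.0.113.7 wp-login.php user=test result=FAIL
2024-03-10T14:05:40Z 198.51.100.20 wp-login.php user=editor result=FAIL
2024-03-10T14:06:02Z 198.51.100.20 wp-login.php user=editor result=OK
2024-03-10T15:30:00Z 203.0.113.9 wp-login.php user=admin result=FAIL
2024-03-11T09:10:00Z 203.0.113.9 wp-login.php user=admin result=FAIL
2024-03-11T09:11:00Z 203.0.113.9 wp-login.php user=admin result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<ip>[0-9a-fA-F.:]+) wp-login\.php user=(?P<user>\S+) result=(?P<result>FAIL|OK)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, result), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("ip"), m.group("user"), m.group("result")


def failed_attempts(log_text):
    """Parse the log and keep only failed attempts, in time order."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return sorted((e for e in events if e[3] == "FAIL"), key=lambda e: e[0])


def summarize(log_text):
    """Counts of failed logins per day, per hour of day and per source IP
    (three of the four SUCURI sections; the country/ASN view needs GeoIP)."""
    fails = failed_attempts(log_text)
    return {
        "per_day": Counter(ts.date().isoformat() for ts, _ip, _u, _r in fails),
        "per_hour": Counter(ts.hour for ts, _ip, _u, _r in fails),
        "per_source": Counter(ip for _ts, ip, _u, _r in fails),
    }


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (window_start, n_fails, users_tried)} for every source IP
    that produced at least `threshold` failed logins inside any `window`.

    A sliding window per source is used instead of a plain daily count so a
    slow trickle of failures over days is not flagged, while a burst of many
    user names within seconds (the WordPress brute-force pattern) is.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _r in failed_attempts(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            users = sorted({u for _t, u in attempts[s:e + 1]})
            flagged[ip] = (attempts[s][0], count, users)
    return flagged


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for ip, (first, n, users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins from {first.isoformat()}Z, users tried: {users}")
```

On the sample log only 203.0.113.7 is flagged: 203.0.113.9 also fails repeatedly, but its three failures are spread over two days and never fall inside one 10-minute window.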
Understanding the Cybersecurity Landscape
Cyber Attack Maps - Wordfence
• Wordfence (https://www.wordfence.com/) is one of the most popular WordPress security plugins, with more than 1 million active installs. Wordfence shows you the real-time attacks on WordPress websites that are blocked by their plugin.
Understanding the Cybersecurity Landscape
Cyber Attack Maps - Kaspersky
• Kaspersky (https://cybermap.kaspersky.com/#)
• Cyberthreat real-time map by Kaspersky shows you the real-time attacks detected by their various source systems:
• On-Access Scanner
• On Demand Scanner 0101010101001010101010101010101101101010110110010101100
• Web Anti-virus 100101100100101010101010101001010101010101010101101101
• Mail Anti-virus 0101101100101011001001011001001010101010101010010101010
1010101010110110101011011001010110010010110010010101010
• Intrusion Detection System
• Vulnerability Scan 1010101001010101010101010101101101010110110010101100100
• Kaspersky Anti-spam 1011011010101101100101011001001011001001010101010101010
0101010101010101010110110101011011001010110010010110110
• Botnet Activity detection
1010110110010101100100101100100101010101010101001010101
0101010101011011010101101100101011001001011011010101101
• You can have data in table format under stats page.
100101011001001011001001010101010101010010101010101010
10101101101010110110010101100100101101101
Cyber Attack Maps - Threat Cloud

• Threat Cloud (https://threatmap.checkpoint.com/ThreatPortal/livemap.html)
• ThreatCloud by Check Point shows attack data for today and yesterday, with an option to view the top target and source countries.
Cyber Attack Maps - Trend Micro

• Trend Micro (https://www.trendmicro.com/en_us/security-intelligence/breaking-news.html)
• The botnet threat activity map by Trend Micro shows monitored malicious network activity that is used to identify command-and-control servers.
Cyber Attack Maps - AKAMAI

• AKAMAI's real-time web monitor shows an overview of network and attack traffic, which you can filter by region.
Cyber Attack Maps - NetScout

• NetScout (https://horizon.netscout.com/) is a real-time web monitor that shows DDoS attacks.
Examples
Digital Attack Map

• http://www.digitalattackmap.com/
Digital Attack Map

Exploring the Data, http://www.digitalattackmap.com/

• The Digital Attack Map displays global DDoS activity on any given day. Attacks are displayed as dotted lines, scaled to size, and placed according to the source and destination countries of the attack traffic when known. Some features include:
  • Use the histogram at the bottom of the map to explore historical data.
  • Select a country to view DDoS activity to or from that country.
  • Use the color option to view attacks by class, duration, or source/destination port.
  • Use the news section to find online reports of attack activity from a specified time.
  • View the gallery to explore some examples of days with notable DDoS attacks.
Exploring the Data, https://threatmap.checkpoint.com/ThreatPortal/livemap.html
Exploring the Data, https://www.fireeye.com/cyber-map/threat-map.html
Exploring the Data, http://map.norsecorp.com/#/
Digital Attack Map

• Exploring the Data
  • Kaspersky, https://cybermap.kaspersky.com/stats/ , https://cybermap.kaspersky.com/#
  • Fortinet Threat Map, http://threatmap.fortiguard.com/
  • DIGITAL ATTACK MAP, https://www.arbornetworks.com/attack-map
  • Who’s Attacking Whom? Realtime Attack Trackers, https://krebsonsecurity.com/2015/01/whos-attacking-whom-realtime-attack-trackers/
The State of Today’s Intrusions

• Script kiddies and today’s state of the art…
• Examples
  • Target (customer information): In December 2013…
  • Sony Pictures (intellectual property): In November 2014…
  • U.S. Office of Personnel Management (employee information): In June 2015…
  • Anthem Blue Cross (customer information): In February 2015…
  • Lenovo (hacktivism): In February 2015…
  • Spear phishing …

War Games (1983) – a typical example of script kiddies
Targeted intrusions

• General idea
  • Advanced malware is a key component of targeted, sophisticated, and ongoing attacks, and it can be customized to compromise specific high-value systems in a target network. In these cases, an infected endpoint inside the network can be used to steal login credentials and initiate lateral movement in order to gain access to protected systems and to establish backdoors in case any part of the intrusion is discovered.
• Carbanak: The Great Bank Robbery (first infections in August 2013, up to 100 financial institutions, aggregated losses estimated at up to $1 billion)

Ethical hacking – Slídilové / Sneakers (1992)
DoS, DDoS, and botnets

• General idea
  • Bots (individual infected endpoints) are often used in distributed denial-of-service (DDoS) attacks to overwhelm a target server or network with traffic from a large number of bots.
  • Botnets themselves are a dubious source of income for cybercriminals. Botnets are created by cybercriminals to harvest computing resources (bots).
  • Control of botnets (through CnC servers) can then be sold or rented out to other cybercriminals for various nefarious purposes.
  • DDoS botnets represent a dual risk for organizations. The organization itself can potentially be the target of a DDoS attack, resulting in downtime and lost productivity; and its own infected endpoints can be conscripted as bots into attacks on others.
  • The 2015 DDoS attack against GitHub targeted two projects hosted there that help circumvent censorship in China (GreatFire and cn-nytimes).
Advanced persistent threats

• General idea
  • Advanced persistent threats (APTs) are a class of threats that often combine advanced malware and botnet components to execute a far more deliberate and potentially devastating attack. As the name implies, an APT has three defining characteristics:
  • Advanced: In addition to advanced malware and botnets, the attackers typically have the skills to develop additional exploitation tools and techniques, and may have access to sophisticated electronic surveillance equipment, satellite imagery, and even human intelligence assets.
  • Persistent: An APT may persist over a period of many years. The attackers pursue specific objectives and use a low-and-slow approach to avoid detection. The attackers are well organized and typically have access to substantial financial backing to fund their activities, such as a nation-state or organized crime.
  • Threat: An APT is a deliberate and focused, rather than opportunistic, threat that can cause real damage.
Advanced persistent threats

Stuxnet: When sanctions alone aren’t enough

• Stuxnet is a computer worm that was used in an APT against Iran’s nuclear program. It was discovered in 2010, but may have been operating, in different variations, as early as 2005. The worm initially infected endpoints running Microsoft Windows, then targeted programmable logic controllers (PLCs) programmed with Siemens Step7 software. In addition to collecting information about Iran’s nuclear program, the attack enabled its controllers to cause Iran’s nuclear centrifuges to spin faster and tear themselves apart. Stuxnet is believed to have destroyed about 20 percent of Iran’s nuclear centrifuges.
The Changing Face of Cybercriminals

Cybercriminals have evolved from the prototypical “whiz kid” — sequestered in a basement, motivated by notoriety, and fueled by oversized cans of energy drinks — into bona fide cybercriminals, often motivated by significant financial gain and sponsored by nation-states, criminal organizations, or radical political groups. Today’s attacker fits the following profile:
• Has far more resources available to facilitate an attack
• Has greater technical depth and focus
• Is well funded
• Is better organized
The Role of Malware in Cyberattacks

• Identifying unique traits of advanced malware
• Analyzing modern cyberattack strategy
• Recognizing opportunities to limit and counter threats
• Malware importance
• Malware vs. antimalware
Recognizing Key Characteristics of Advanced Malware

• Distributed, fault-tolerant architecture (resistance against deletion, malfunction, etc. – PCs, infection paths, …)
• Multifunctionality (driven by CnC servers, variable functionality)
• Polymorphism (principles, importance, obstacles)
• Obfuscation (XOR, AES, packer compression, garbage code, …)
The Role of Malware in Cyberattacks
Encrypted Data

• An encrypted block of data in the W95/Fix2001 worm.
• Decryption routine that uses a simple XOR decryption. The decryption loop decrypts 87h bytes with the constant value 19h, walking backwards through the block, as shown in the listing (not reproduced here).

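The decryptor described above is the kind of routine an analyst rebuilds in a script to recover the protected block without running the sample. The following is an added example, not code from the slides or from the W95/Fix2001 worm: it mirrors the slide's loop parameters (87h bytes, constant 19h, walking backwards) on a constructed plaintext, and adds the usual next step when the key is not known, trying all 256 single-byte keys and keeping the candidate that looks most like text. The scoring table and the sample text are assumptions chosen for the demonstration.

```python
# Added example (not from the original slides): reproducing a simple XOR
# decryptor during static analysis and recovering an unknown single-byte key.
BLOCK_LEN = 0x87   # the slide's loop length, 87h bytes
KEY = 0x19         # the slide's XOR constant, 19h


def xor_decrypt_backwards(buf: bytes, length: int = BLOCK_LEN, key: int = KEY) -> bytes:
    """Mirror the decryptor loop: start at the last byte of the block and
    walk backwards, XORing each byte with the constant key. XOR is its own
    inverse, so the same routine also produces the encrypted form."""
    if len(buf) < length:
        raise ValueError("block is shorter than the loop length")
    out = bytearray(buf[:length])
    i = length - 1
    while i >= 0:
        out[i] ^= key
        i -= 1
    return bytes(out)


# Bytes an analyst expects to see often in decrypted strings; the space is
# weighted double because 0x20 is the most common byte in English text.
# Constructed heuristic, not a standard table.
COMMON = {ord(c): 1 for c in "etaoinshr"}
COMMON[0x20] = 2


def text_score(data: bytes) -> int:
    return sum(COMMON.get(b, 0) for b in data)


def recover_single_byte_key(cipher: bytes, length: int = BLOCK_LEN):
    """When the key is unknown, try all 256 candidates and keep the one whose
    output looks most like text. Returns (key, score). Real samples need more
    context (known strings, opcode frequency, entropy) than this toy score."""
    best_key, best_score = None, -1
    for k in range(256):
        score = text_score(xor_decrypt_backwards(cipher, length, k))
        if score > best_score:
            best_key, best_score = k, score
    return best_key, best_score


# Constructed sample: a plaintext block encrypted with the slide's parameters.
PLAINTEXT = (b"constructed sample plaintext for the decryptor example. " * 3)[:BLOCK_LEN]
CIPHERTEXT = xor_decrypt_backwards(PLAINTEXT)   # encrypting == decrypting for XOR

if __name__ == "__main__":
    print(xor_decrypt_backwards(CIPHERTEXT).decode())
    print("recovered key: %#x" % recover_single_byte_key(CIPHERTEXT)[0])
```

The direction of the loop makes no difference to the result for a per-byte XOR; it is mirrored here only so the script reads like the disassembly it reproduces. The brute-force step is what makes the technique useful in practice: a single-byte XOR hides the data from string scanners, but the key space is 256 candidates.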
The Role of Malware in Cyberattacks
Obfuscated Code

• Another way for the attacker to hinder disassembly is to use some sort of self-modifying code. When such code is examined in a disassembler, it might not be easily read.
• Consider a simple file-writing function under DOS (listing not reproduced here):
• Slightly obfuscated code (listing not reproduced here)

The Role of Malware in Cyberattacks
Polymorphic Viruses

• Polymorphic virus = virus with a high number of mutant decryptors, of the order of 10^6
• 1260 virus, the first polymorphic virus
• 1990: key shifting, insertion of redundant instructions, changes to the decryptor skeleton (prologue, decoding, increment)

The Role of Malware in Cyberattacks
Understanding Modern Cyberattack Strategy

• Modern cyberattack strategy has evolved. In addition to direct, open attacks against a high-value server or asset, today's attack strategy also employs a patient, multistep, covert process that blends exploits, malware, and evasions in a coordinated attack. The cyberattack life cycle is the sequence of events an attacker goes through to successfully infiltrate an organization's network and steal data from it.

The Role of Malware in Cyberattacks
Understanding Modern Cyberattack Strategy

1. Reconnaissance (exploration of the target space, scanners, social engineering, …)
2. Weaponization and delivery (choice of malware payload, e-mail attachments, …)
3. Exploitation (once exploitation has succeeded, an advanced malware payload can be installed)
   • Social engineering
   • Software exploits
4. Installation, ensuring persistence (resilience or survivability)
   • Rootkits
   • Bootkits (protected by full-disk encryption)
   • Backdoors
   • Anti-AV software

The Role of Malware in Cyberattacks
Understanding Modern Cyberattack Strategy

5. Command and control (CnC)
   • Encryption with SSL, SSH
   • For example, BitTorrent is known for its use of proprietary encryption and is a favorite tool, both for infection and CnC.
   • Circumvention via proxies and remote desktop access tools (such as LogMeIn!, RDP, and GoToMyPC)
   • Port evasion
   • Fast flux (or dynamic DNS)
6. Actions on the objective

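Fast flux, listed above as a CnC evasion, is also one of the better detection opportunities, because the rotation has to show up in DNS. The following is an added example, not from the slides: a small heuristic run over constructed passive-DNS records (CSV with ts, qname, rrtype, rdata, ttl; the IPs are from documentation and shared-address ranges) that flags a name which resolves to many distinct addresses spread over several /16 networks with short TTLs. The thresholds and the /16 proxy for "different hosting" are assumptions; a production rule would use ASN lookups and a longer observation window.

```python
# Added example (not from the original slides): a fast-flux style heuristic
# over passive-DNS records. Thresholds and the /16 grouping are assumptions.
import csv
import io
import statistics
from collections import defaultdict

# Constructed records, not real data. IPs come from documentation (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24) and shared-address (100.64.0.0/10) ranges.
SAMPLE_DNS_LOG = """\
ts,qname,rrtype,rdata,ttl
1700000000,cnc.example-flux.test,A,198.51.100.14,120
1700000060,cnc.example-flux.test,A,203.0.113.77,60
1700000120,cnc.example-flux.test,A,192.0.2.201,300
1700000180,cnc.example-flux.test,A,100.64.7.9,120
1700000240,cnc.example-flux.test,A,100.100.33.2,60
1700000300,cnc.example-flux.test,A,198.51.100.250,120
1700000000,static.example-cdn.test,A,203.0.113.10,300
1700000060,static.example-cdn.test,A,203.0.113.11,300
1700000120,static.example-cdn.test,A,203.0.113.12,300
1700000180,static.example-cdn.test,A,203.0.113.13,300
1700000240,static.example-cdn.test,A,203.0.113.14,300
1700000300,static.example-cdn.test,A,203.0.113.15,300
1700000000,www.example-corp.test,A,192.0.2.10,86400
1700000300,www.example-corp.test,A,192.0.2.10,86400
1700000000,cnc.example-flux.test,MX,mail.example-flux.test,3600
"""

MIN_DISTINCT_IPS = 5        # many addresses for one name ...
MIN_DISTINCT_PREFIXES = 3   # ... spread across several /16 networks ...
MAX_MEDIAN_TTL = 300        # ... rotated quickly (short TTL)


def slash16(ip: str) -> str:
    """Crude stand-in for 'different hosting provider': the /16 of an IPv4."""
    return ".".join(ip.split(".")[:2])


def summarise(log_text: str) -> dict:
    """Per queried name: distinct A-record IPs, distinct /16s, median TTL."""
    per_name = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["rrtype"] != "A":
            continue   # only A records carry the rotating addresses
        entry = per_name[row["qname"]]
        entry["ips"].add(row["rdata"])
        entry["prefixes"].add(slash16(row["rdata"]))
        entry["ttls"].append(int(row["ttl"]))
    return {
        name: {
            "distinct_ips": len(e["ips"]),
            "distinct_prefixes": len(e["prefixes"]),
            "median_ttl": statistics.median(e["ttls"]),
        }
        for name, e in per_name.items()
    }


def suspected_fast_flux(log_text: str) -> list:
    """Names meeting all three conditions, sorted for stable output."""
    flagged = []
    for name, s in summarise(log_text).items():
        if (s["distinct_ips"] >= MIN_DISTINCT_IPS
                and s["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES
                and s["median_ttl"] <= MAX_MEDIAN_TTL):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, s in summarise(SAMPLE_DNS_LOG).items():
        print(name, s)
    print("suspected fast flux:", suspected_fast_flux(SAMPLE_DNS_LOG))
```

The CDN-like name in the sample has just as many addresses and an equally short TTL but sits in one network, which is why the prefix-diversity condition is there: address count and TTL alone would flag every large content network.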
The Role of Malware in Cyberattacks
Understanding Modern Cyberattack Strategy, simply

(Three figure slides, captioned "Exploration of enemy system", "Weapons and attack", and "Defense"; figures not reproduced here.)

The Role of Malware in Cyberattacks
Key Security Lessons and Opportunities

For all their sophistication, advanced attacks exhibit some vulnerabilities of their own. Some key observations and opportunities to consider include the following:
• Communication is the lifeblood of an attack
• Numerous opportunities exist to detect and correlate
• The framework, rather than the functionality, is the threat
• Threats exist across multiple disciplines, and so too must security
   • Applications: can hide and enable threats.
   • URLs and websites: can host and enable threats.
   • Exploits: create command-line (or shell) access to the target, often with escalated privileges (such as administrator or root).
   • Malware: controls and uses the compromised target.
   • Files: used to update malware and steal data.
• Security must expand beyond the perimeter to include network, endpoint, and cloud environments

Why Traditional Security Solutions Fail to Control Advanced Malware

Today's threat landscape renders traditional port-based firewalls, intrusion prevention systems (IPSs), and other security solutions largely ineffective at protecting an organization's networks, endpoints, and cloud environments.

• Tracking the path of malware and exploits
• Discovering the hidden nature of advanced malware
• Hashing out signature-based detection
• Taking aim at targeted malware
• Breaking with traditional security solutions
• Understanding the need for a fully integrated security solution

Why Traditional Security Solutions Fail to Control Advanced Malware
Rapidly Expanding Attack Vectors

A rapidly expanding range of applications is used to deliver malware to users in unexpected ways. Sample applications include:
• File transfer apps
• Instant messaging
• Webmail, as well as organizational email
• Social media platforms
• Microsoft Office
• Workflow and collaboration applications
• Software-as-a-Service (SaaS) applications

Why Traditional Security Solutions Fail to Control Advanced Malware
A Lack of Comprehensive End-to-End Visibility

A cyberattack is a well-orchestrated set of tools with a set flow comprising different capabilities. Isolated security solutions that cannot communicate with other security solutions will only have visibility into one part or component of an attack, and will therefore be ineffective in preventing it.

• Nonstandard ports and port hopping
• SSL encryption
• Tunneling
• Proxies
• Anonymizers and circumventors
• Encoding and obfuscation

Why Traditional Security Solutions Fail to Control Advanced Malware
Hash-Based Signature Avoidance

• The lack of communication and information sharing among customers and vendors also allows malware to spread, as the malware is "new" for every organization.
• The traditional approach to detecting and blocking malware is based on the simple notion of collecting samples of malware and then writing a signature for that sample only.
• Advanced malware has taken this weakness and expanded upon it by evolving techniques to avoid being captured in the wild and to avoid the signatures that have already been created.
• Payload-based signatures can detect multiple variants of malware, stopping even those variants that haven't been seen in the wild yet.

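The contrast between a per-sample hash and a payload-based signature, and why the mutating decryptors of the earlier Polymorphic Viruses slide defeat the former, is easiest to see on bytes. The following is an added example, not from the slides and not real malware: three constructed byte strings stand in for three variants of one family that share a decryptor skeleton but differ in the key byte and in inserted junk; a hash signature hits only the exact sample it was written from, while a wildcarded byte pattern (in the spirit of a YARA hex string, which is an assumption about tooling) also hits the unseen variant. The third variant, whose skeleton is reordered, shows the limit of the pattern as well.

```python
# Added example (not from the original slides): hash-based versus
# payload-based (wildcarded byte pattern) signatures on constructed variants.
import hashlib

# Constructed byte strings standing in for three samples of one malware family.
# They are NOT machine code: a1 87 / b2 <key> / c3 d4 e5 f6 / c9 is an invented
# skeleton; 90 marks inserted junk bytes.
VARIANT_A = bytes.fromhex("a1 87 b2 19 c3 d4 e5 f6 c9")
VARIANT_B = bytes.fromhex("90 90 a1 87 b2 5c c3 d4 e5 f6 c9 90")   # new key, junk added
VARIANT_C = bytes.fromhex("c3 d4 a1 87 e5 f6 b2 7e c9")            # skeleton reordered

# Hash signature: written from the one captured sample (variant A).
KNOWN_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

# Payload signature: the invariant skeleton with the key position wildcarded.
PAYLOAD_SIGNATURE = "a1 87 b2 ?? c3 d4 e5 f6"


def parse_pattern(sig: str) -> list:
    """'a1 ?? c3' -> [0xa1, None, 0xc3]; None matches any single byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def matches_pattern(data: bytes, sig: str) -> bool:
    """Naive scan for the pattern at every offset; fine for short samples."""
    tokens = parse_pattern(sig)
    n = len(tokens)
    for offset in range(len(data) - n + 1):
        if all(tok is None or data[offset + i] == tok for i, tok in enumerate(tokens)):
            return True
    return False


def hash_signature_hit(data: bytes, known: set = KNOWN_HASHES) -> bool:
    return hashlib.sha256(data).hexdigest() in known


def classify(data: bytes) -> dict:
    """Which of the two signature types would catch this sample."""
    return {"hash": hash_signature_hit(data),
            "payload": matches_pattern(data, PAYLOAD_SIGNATURE)}


if __name__ == "__main__":
    for name, sample in (("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C)):
        print(name, sample.hex(" "), classify(sample))
```

Changing a single byte of the key is enough to produce a new SHA-256, so every polymorphic mutation is "new" to a hash list; the pattern survives because it describes what the family must keep in order to work. Variant C shows the trade-off: a signature written around one skeleton layout does not cover a mutation engine that permutes instruction order, which is why payload signatures are combined with behavioural detection rather than used alone.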
Why Traditional Security Solutions Fail to Control Advanced Malware
Targeted Malware

• Before malware became a networked threat, the main goal was often to replicate and spread the malware as widely as possible.
• In fact, this is how the security industry ranked malware for many years: how many endpoints could the malware infect in a certain period of time.
• This widespread replication made new malware samples readily available and relatively easy to collect.
• Advanced malware has changed that model, however. Advanced malware is more intelligent and highly networked, which enables an attacker to remotely control the target user(s).
• These types of malware are often specifically designed for a particular user or network. Stuxnet is an example of targeted malware.

Why Traditional Security Solutions Fail to Control Advanced Malware
Targeted Malware

Targeted malware is designed to run only in a specific network, with specific assets on that network. This approach accomplishes two very important things:
• It makes it extremely unlikely that a sample of the malware will be captured in the wild, because there are only a few samples to be caught instead of millions, making it unlikely that protective signatures will be generated and distributed.
• It is designed to avoid infecting networks that are not the intended target, and thereby avoids drawing unwanted attention to itself. This targeted approach is rapidly becoming a hallmark of some of the world's most sophisticated network attacks targeting intellectual property.

Why Traditional Security Solutions Fail to Control Advanced Malware
Traditional Network Controls Are Ineffective

• Traditional network security solutions simply were never designed to meet the challenges of advanced malware.
• Traditional firewalls and IPS solutions classify traffic, a firewall allows or blocks traffic, and an IPS determines which signatures to apply, all based on port.
• As a result, a threat that is evasive and dynamic, such as advanced malware, can simply bounce to an unexpected port, gain access to the network, and avoid detection.
• Further:
   • Firewalls
   • Intrusion prevention
   • Proxies
   • Endpoint protection
   • Virtual and cloud protection

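The port-based classification problem described above can be shown on a handful of flows. The following is an added example, not from the slides: a port-only classifier of the kind a traditional firewall rule embodies, beside a content-based classifier that looks at the first client bytes (a TLS handshake record carrying a ClientHello, an SSH banner, or an HTTP request line). The flows are constructed; the point is the list of flows on which the two classifiers disagree, which is exactly the set a port-based control gets wrong.

```python
# Added example (not from the original slides): port-based versus
# content-based application identification on constructed flows.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_by_port(dst_port: int) -> str:
    """What a port-based rule assumes the traffic is."""
    return {80: "http", 443: "tls", 22: "ssh"}.get(dst_port, "unknown")


def classify_by_content(payload: bytes) -> str:
    """What the first client bytes actually say the traffic is."""
    # TLS: record type 0x16 (handshake), record version major 3,
    # handshake message type 0x01 (ClientHello) right after the 5-byte header.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SSH: the protocol version exchange starts with the literal 'SSH-'.
    if payload.startswith(b"SSH-"):
        return "ssh"
    # HTTP: a method token and an HTTP/1.x version on the request line.
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    return "unknown"


# Constructed flows: (destination port, first client payload bytes).
# The ClientHello is a truncated, hand-built header, not a real capture.
CLIENT_HELLO = bytes.fromhex("16 03 01 00 05 01 00 00 01 03 03")
SAMPLE_FLOWS = [
    (443, CLIENT_HELLO),                                                    # as expected
    (8080, CLIENT_HELLO),                                                   # TLS on an unexpected port
    (443, b"GET /update HTTP/1.1\r\nHost: cnc.example-flux.test\r\n\r\n"),  # cleartext on the TLS port
    (53, b"SSH-2.0-constructed_banner\r\n"),                                # SSH on the DNS port
]


def classify_flows(flows) -> list:
    """(port, port-based label, content-based label) for each flow."""
    return [(port, classify_by_port(port), classify_by_content(payload)) for port, payload in flows]


def port_based_blind_spots(flows) -> list:
    """Flows where a port-only decision would be wrong."""
    return [f for f in classify_flows(flows) if f[1] != f[2]]


if __name__ == "__main__":
    for port, by_port, by_content in classify_flows(SAMPLE_FLOWS):
        print(f"port {port:>5}: port-based={by_port:<8} content-based={by_content}")
    print("blind spots:", len(port_based_blind_spots(SAMPLE_FLOWS)))
```

Only the first flow looks the same to both classifiers. An IPS that picks its signature set by port would apply no TLS or SSH logic to the second and fourth flows and would skip HTTP inspection on the third, which is the evasion the slide describes; identifying the application from content, regardless of port, is the property the next-generation solutions discussed later are built around.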
Why Traditional Security Solutions Fail to Control Advanced Malware
Crossing Legacy Security Silos

Over the years, organizations have tried to compensate for the inherent deficiencies in port-based firewalls by implementing a range of supplementary security devices, such as host-based solutions and standalone appliances.
• Network versus host-based approaches
• Integrating multidisciplinary solutions
   • Not everything that should be inspected actually is, because these solutions either can't see all the traffic or rely on the same port- and protocol-based classification scheme as port-based firewalls.
   • Information is not easily correlated, and the all-important context between events is lost because security solutions are separated into their specialized silos.
   • Policy management, access control rules, and inspection requirements are spread across multiple devices and consoles, making it difficult to develop and enforce a consistent security policy.
   • Performance suffers from relatively high aggregate latency because the same traffic is scanned and analyzed on multiple devices.

What Next‐Generation Security Brings to the Fight
• Addressing blind spots with innovative security solutions
• Keeping the organization safe from malware infections
• Finding the indicators of compromise already in the network
• Next‐generation security and the most important weapons in the fight against advanced malware:
  • Full analysis of all available threat data and protections
  • A methodology to limit exposure to malware, as well as to detect and remediate network, endpoint, and mobile devices that may already be infected
  • Orchestration and correlation between different security solutions, such as the next‐generation firewall and other innovative security solutions for endpoints and cloud environments, to ensure an effective and comprehensive security strategy
What Next‐Generation Security Brings to the Fight
The Next‐Generation Firewall
• The next‐generation firewall provides a fully integrated approach to threat prevention in a unified context.
• True coordination of multiple security disciplines:
  • application identity,
  • malware and exploit detection,
  • intrusion prevention,
  • URL filtering,
  • file type controls,
  • content inspection.
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• One of the most important steps that an organization can take to control advanced malware is to reduce attack vectors and eliminate the ability for malware to hide in the network.
• Today the majority of vectors used by malware are virtually unchecked, and malware traffic is typically small enough to easily blend into the background of “normal” network traffic.
• By regaining full visibility and control of exactly what traffic is allowed into the network and why, security teams can accomplish both of these goals.
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Reduce the attack surface
  • To reduce the attack surface on the network, in virtual environments and on endpoints, organizations must
    • Enforce positive control of all network traffic to prevent unnecessary or high‐risk traffic, even when encryption or port evasion techniques are used to hide the traffic.
    • Establish policies for approved applications and uses based on work needs and culture, by determining
      • What applications and protocols are in use on the network, on endpoints and in the cloud
      • What applications are required for work and who needs to use them
      • What dual‐use or personal applications the organization wants to allow
      • What data can be shared across IT and non‐IT applications
      • What devices can connect to your network and how you ensure that they comply with your security policies
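The port-bouncing evasion described on the first slide and the "positive control even under port evasion" requirement above come down to one question: is the application identified from the port number or from the traffic itself? The following added Python example (not code from the lecture) classifies the same constructed flows both ways; the port table, the byte-pattern heuristics and the sample payloads are illustrative constructions, far simpler than a real firewall's decoders.

```python
"""Port-based vs. application-aware classification of the same flows (added example)."""
from dataclasses import dataclass

# What a classic port-based firewall assumes about a port (constructed table).
PORT_TO_APP = {22: "ssh", 80: "http", 443: "tls", 6667: "irc"}
# Positive-control policy: only these applications are permitted at all.
ALLOWED_APPS = {"http", "tls"}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the connection


def classify_by_port(flow: Flow) -> str:
    """The traditional approach: the port number *is* the application."""
    return PORT_TO_APP.get(flow.dst_port, "unknown")


def classify_by_content(flow: Flow) -> str:
    """Application identification from the first payload bytes, ignoring the port."""
    p = flow.payload
    if p.startswith(b"SSH-"):                          # SSH version banner
        return "ssh"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:  # TLS handshake record header
        return "tls"
    if p.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")):
        return "http"
    if p.startswith((b"NICK ", b"USER ", b"PASS ")):   # IRC client registration
        return "irc"
    return "unknown"


def port_based_decision(flow: Flow) -> str:
    """Allow or block purely on the port, as a legacy firewall would."""
    return "allow" if classify_by_port(flow) in ALLOWED_APPS else "block"


def app_based_decision(flow: Flow) -> str:
    """Positive control: allow known-good apps, block the rest, and send unknown
    traffic to inspection instead of waving it through on a 'trusted' port."""
    app = classify_by_content(flow)
    if app == "unknown":
        return "inspect"
    return "allow" if app in ALLOWED_APPS else "block"


def is_port_evasion(flow: Flow) -> bool:
    """True when the identified application contradicts what the port implies."""
    app = classify_by_content(flow)
    expected = PORT_TO_APP.get(flow.dst_port)
    return app != "unknown" and expected is not None and expected != app


# Constructed sample flows (RFC 5737 documentation addresses, fabricated payloads).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # genuine TLS
    Flow("10.0.0.5", "198.51.100.11", 443, b"SSH-2.0-OpenSSH_9.2\r\n"),                      # SSH on 443
    Flow("10.0.0.9", "198.51.100.12", 80, b"NICK worker17\r\nUSER worker17 0 * :w\r\n"),     # IRC on 80
    Flow("10.0.0.9", "198.51.100.13", 8443, b"\x16\x03\x03\x00\x9a\x01\x00\x00\x96\x03\x03"),  # TLS, odd port
    Flow("10.0.0.12", "198.51.100.14", 443, b"\x8a\x17\x02\xde\x91\x44\x0b\xf3"),            # unknown blob
]


def evaluate(flows):
    """Side-by-side verdicts: (port, port-based verdict, app-based verdict, port evasion?)."""
    return [(f.dst_port, port_based_decision(f), app_based_decision(f), is_port_evasion(f))
            for f in flows]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS):
        print(row)
```

The second and third flows are exactly the "bounce to an unexpected port" case: the port-based verdict is allow, while application identification blocks them and flags the port mismatch.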
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Control advanced malware enabling applications
Figure: Preferred social networking/personal use applications and techniques for advanced malware.
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Actively test unknown files
  • In‐line enforcements include
    • Dynamic protections for newly identified unknown malware, zero‐day exploits, and their variants
    • Protections for related malware that may use the same command and control servers or infrastructure
    • Protections for threats that leverage the same command and control strategy
    • Protections for threats that use related domains and URLs
    • Reports of behavioral indicators of compromise (IoCs) with which to identify infected endpoints on the network
    • Automated mechanisms to aid in remediation efforts
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Actively test unknown files
  • Control enabling applications by
    • Blocking the use of known “bad” applications, or applications that have no legitimate purpose on your organization’s network (such as P2P file‐sharing and others)
    • Limiting application usage to users and groups that have a legitimate and approved work need
    • Disabling specific features in risky applications, such as file transfers, desktop sharing, and tunneling
    • Preventing drive‐by downloads from compromised web pages that automatically download malicious files without the user’s knowledge
    • Decrypting SSL traffic selectively, based on application and URL categories (for example, decrypting social networking and webmail, but not financial traffic)
    • Inspecting and enforcing any risky application traffic that is permitted, using a Zero Trust network design and segmentation that leverage next‐generation firewalls, advanced endpoint protection, and SaaS application security to provide truly integrated intrusion and threat prevention, malware protection, and URL filtering
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Actively test unknown files
  • Prevent use of circumventors, applications designed to bypass traditional network security.
  • These applications include:
    • Remote desktop technologies
    • Proxies
    • Purpose‐built circumventing applications
  • Remote desktop technologies are popular among end‐users and IT support teams. Such technologies introduce two important risks:
    • When a user connects to a remote PC, they are free to surf to any destination and use any application without that traffic being inspected by the firewall.
    • Remote desktop technologies potentially allow an unauthorized user to gain full access to an endpoint inside the trusted network.
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Actively test unknown files
  • Prevent the use of circumventors by
    • Limiting remote desktop use, for example, to IT support personnel only
    • Securely enabling SSH but preventing SSH tunneling
    • Blocking unapproved proxies and encrypted tunnels, such as UltraSurf and Hamachi
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Actively test unknown files
  • Investigate any unknown traffic and traffic patterns
    • Unknown traffic regularly sent by the same client endpoint should be investigated to determine whether it’s being generated by a legitimate application that is not recognized or by a potential malware infection. Security teams can also investigate where the traffic is going:
      • Does it go out to known malicious websites or to social networking sites?
      • Does it transmit on a regular schedule?
      • Does someone attempt to download or upload files to an unknown URL?
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Actively test unknown files
  • You can quickly and systematically manage unknown traffic and traffic patterns by
    • Applying a policy on the firewall to block all unknown traffic, or allow and inspect it
    • Monitoring traffic to unknown URLs and blocking downloads or uploads on those sites
    • Blocking traffic to malicious URLs
    • Determining what internal applications exist on the network, and either applying an application override (renaming the traffic) or creating a custom signature
    • Analyzing unknown or suspicious files in a sandbox to uncover malicious behaviors
    • Using packet captures (PCAP) to record the unknown traffic and submit it to your security vendor
    • Utilizing behavioral malware reports and other forensics or reporting tools to determine whether the traffic is a threat
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Actively test unknown files
  • Investigate “unknown” traffic for potential unauthorized user behavior or malware activity:
    • Track source, destination, and volumes of unknown traffic.
    • Correlate against URL, IPS, malware, and file‐transfer records.
    • Define custom application IDs for any internal or custom applications, as needed.
    • Deliver PCAPs to your security vendor for further analysis and identification.
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Finding Infected Hosts with Next‐Generation Firewalls
  • Even with the best of controls, endpoints may inevitably be infected with malware, perhaps through a new type of malware, an unknown vector, or a USB drive.
  • Sandbox analysis takes time. During this gap from unknown to known, malware has proven time and again that it is possible to infect even the most heavily secured systems.
  • Thus, it’s prudent to assume endpoints will be infected and develop the skills necessary to find infected endpoints in the network.
  • This can be a challenging task, given that the malware may have already avoided traditional malware signatures and may already have root level access on an infected endpoint.
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Finding Infected Hosts with Next‐Generation Firewalls
  • Instead, you need to analyze unusual or unknown behaviors that are observed on the network.
  • Communication is the Achilles’ heel of advanced malware.
  • It must communicate in order to function and must be difficult to find and trace. These basic requirements create patterns that can be used to identify malware traffic or behaviors that stand out from the normal network traffic, even if the malware is completely new and unknown.
  • Find command‐and‐control traffic
  • Automate tracking and correlation
What Next‐Generation Security Brings to the Fight
Preventing Infection with Next‐Generation Firewalls
• Finding Infected Hosts with Next‐Generation Firewalls
  • Automate tracking and correlation
    • Unknown TCP/UDP: APT traffic is often encrypted and unknown. Tracking unknown TCP and UDP activity is a great starting point for finding infected endpoints.
    • Dynamic DNS (DDNS): Malware will often use DDNS to bounce traffic between multiple infected hosts with an ever‐changing list of IP addresses, making it very difficult to track the true source and destination of malware.
    • Known malware sites: The URL filtering engine of a next‐generation firewall constantly tracks sites that have hosted malware, whether intentionally or unintentionally.
    • Recently registered domains: Malware often uses new domains as it moves around to avoid detection and to recover. Repeated visits to a newly registered domain are not conclusive but may be evidence of an infection.
    • IP addresses instead of domain names: Advanced malware often uses IP addresses, as opposed to normal user (human) browsing that typically prefers friendly URL addresses.
    • IRC traffic: IRC traffic is one of the most well‐known communication methods for malware, and provides additional evidence of a malware infection.
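The indicators above, together with the "regular schedule" question from the unknown-traffic slide, are weak on their own and only useful when correlated per host. The following added Python example (not from the lecture) does that correlation over a constructed traffic log: every log line, the DDNS provider list, the domain registration dates, the malware-site list and the indicator weights are fabricated placeholders standing in for the feeds a real firewall would consult.

```python
"""Rank hosts by command-and-control indicators found in a traffic log (added example)."""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed firewall traffic log: time, source host, destination, port, identified app, bytes.
SAMPLE_LOG = """\
time,src,dst,dport,app,bytes
2024-05-01T09:00:00,10.0.1.7,update.example-vendor.test,443,tls,4100
2024-05-01T09:00:05,10.0.1.7,news.example.test,443,tls,80211
2024-05-01T09:00:00,10.0.1.42,203.0.113.9,8443,unknown-tcp,612
2024-05-01T09:05:00,10.0.1.42,203.0.113.9,8443,unknown-tcp,598
2024-05-01T09:10:01,10.0.1.42,203.0.113.9,8443,unknown-tcp,605
2024-05-01T09:15:00,10.0.1.42,203.0.113.9,8443,unknown-tcp,611
2024-05-01T09:20:00,10.0.1.42,203.0.113.9,8443,unknown-tcp,603
2024-05-01T09:07:13,10.0.1.42,host77.dyn-example.test,6667,irc,231
2024-05-01T09:30:44,10.0.1.88,assets.newly-registered.test,80,http,1200
2024-05-01T09:31:02,10.0.1.88,downloads.bad-example.test,80,http,5300
"""

# Hypothetical reference data (constructed placeholders, not real providers or sites).
DDNS_PROVIDERS = {"dyn-example.test"}
KNOWN_MALWARE_SITES = {"downloads.bad-example.test"}
DOMAIN_REGISTERED = {"newly-registered.test": date(2024, 4, 28)}
TODAY = date(2024, 5, 1)
NEW_DOMAIN_DAYS = 30

# Illustrative weights: each indicator alone is weak; together they rank hosts for triage.
INDICATOR_WEIGHTS = {
    "unknown-app": 2, "ip-literal": 1, "ddns": 2, "new-domain": 2,
    "known-malware-site": 4, "irc": 3, "beacon": 3,
}


def parse_log(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.fromisoformat(r["time"])
        r["dport"] = int(r["dport"])
        rows.append(r)
    return rows


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Last two labels; a real tool would consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def beaconing_pairs(records, min_hits=4, max_jitter=0.1):
    """(src, dst) pairs contacted on a near-fixed schedule: low variance between gaps."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["time"])
    beacons = set()
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.add(pair)
    return beacons


def score_hosts(records):
    """Map each source host to the indicators it triggered and a weighted score."""
    beacons = beaconing_pairs(records)
    hits = defaultdict(set)
    for r in records:
        src, dst = r["src"], r["dst"]
        if r["app"].startswith("unknown"):
            hits[src].add("unknown-app")
        if is_ip_literal(dst):
            hits[src].add("ip-literal")
        else:
            base = registrable_domain(dst)
            if base in DDNS_PROVIDERS:
                hits[src].add("ddns")
            registered = DOMAIN_REGISTERED.get(base)
            if registered and (TODAY - registered).days <= NEW_DOMAIN_DAYS:
                hits[src].add("new-domain")
        if dst in KNOWN_MALWARE_SITES:
            hits[src].add("known-malware-site")
        if r["app"] == "irc":
            hits[src].add("irc")
        if (src, dst) in beacons:
            hits[src].add("beacon")
    return {src: {"indicators": sorted(s), "score": sum(INDICATOR_WEIGHTS[i] for i in s)}
            for src, s in hits.items()}


def ranked(records):
    """Hosts ordered for investigation, highest score first."""
    scored = score_hosts(records)
    return sorted(scored.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for host, info in ranked(parse_log(SAMPLE_LOG)):
        print(host, info["score"], ", ".join(info["indicators"]))
```

In the sample, the host that beacons every five minutes to a bare IP over an unknown protocol and also opens IRC to a dynamic-DNS name outranks the one that merely visited a days-old domain and a listed malware site, while the host doing ordinary TLS to named servers produces no finding at all.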
Creating Advanced Threat Protection Policies
• Safe Enablement through Smart Policies
  • The purpose of security policies is to reduce the risk of being infected by advanced threats in the first place, while also meeting your organizational requirements.
• Application controls
  • Enablement is about knowing and understanding users and their behaviors, and applications and their associated risks.
  • Example: enabling Facebook usage while protecting the organization.
• User controls
  • Given the ever‐growing numbers and types of applications, how will an employee know which applications are allowed and which are prohibited?
  • How is the list of unapproved applications updated, and who ensures that employees know the list has changed?
  • What constitutes a policy violation?
  • What are the ramifications of policy violations: a reprimand or termination of employment?
Creating Advanced Threat Protection Policies
• Network controls
  • Given that advanced threats most often use the network for infection and ongoing command and control, the network is an obvious and critical policy‐enforcement point.
• Endpoint controls
  • The end‐user’s machine is the most common target for advanced malware and is a critical point for policy enforcement.
  • Endpoint policies must incorporate ways of ensuring that antivirus and various host‐based security solutions are properly installed and up to date.
  • As with employee policies, desktop controls are a key piece to the safe enablement of applications in the organization.
  • Desktop controls present IT departments with significant challenges. Careful consideration should be applied to the granularity of the desktop controls and the impact on employee productivity.
Creating Advanced Threat Protection Policies
• Endpoint controls
  • The drastic step of desktop lockdown to keep users from installing their own applications is a task that is easier said than done and, if used alone, will be ineffective. Here’s why:
    • Remotely connected laptops, Internet downloads, USB drives, and email are all means of installing applications that may or may not be allowed on the network.
    • Completely removing administrative rights is difficult to implement and, in some cases, severely limits end‐user capabilities to an unacceptable level.
    • USB drives are now capable of running applications, so a web‐based application, for example, can be accessed after network admission is granted.
Creating Advanced Threat Protection Policies

• Endpoint controls
  • Advanced endpoint protection must do the following:
    • Prevent all exploits, including those utilizing unknown zero‐day vulnerabilities
    • Prevent all malware, without requiring any prior knowledge of specific malware signatures
    • Provide detailed forensics against prevented attacks, in order to strengthen all areas of the organization by pinpointing the targets and techniques used
    • Be highly scalable and lightweight to seamlessly integrate into existing operations with minimal to no disruption
    • Integrate closely with network and cloud security for quick data exchange and cross‐organization protection
• Addressing Mobile and Remote Users
  • Bring your own app (BYOA) policies.
Ten Things to Look for in a Cybersecurity Solution

1. Enforce Allowed Interactions Between Your Data and Users
2. Identify Threats Everywhere and Always
3. Protect Data at Multiple Stages in the Attack Lifecycle
4. Outsmart Threats Designed to Outmaneuver Security Tools
5. Translate New Intel into Protections in Security Policies
6. Get Intel and Protection against the Latest Attacks
7. Enable Quick and Accurate Mitigation
8. Coordinate Actions across Individual Security Technologies
9. Keep Your Organization Running
10. Be Easy to Use
Top Seven Cyber-safety Actions

1. Install OS/Software Updates
2. Run Anti-virus Software
3. Prevent Identity Theft
4. Turn on Personal Firewalls
5. Avoid Spyware/Adware
6. Protect Passwords
7. Keep a robust password policy in your organization
8. Back up Important Files
9. Organize security courses for the users
10. Do not trust anyone
TOP SEVEN CYBER-SAFETY ACTIONS
Install OS/Software Updates

• Updates, sometimes called patches, fix problems with your operating system (OS) (e.g., Windows XP, Windows Vista, Mac OS X) and software programs (e.g., Microsoft Office applications).
• Most new operating systems are set to download updates by default. After updates are downloaded, you will be asked to install them. Click yes!
• To download patches for your system and software, visit:
  • Windows Update: http://windowsupdate.microsoft.com to get or ensure you have all the latest operating system updates only. Newer Windows systems are set to download these updates by default.
  • Microsoft Update: http://www.update.microsoft.com/microsoftupdate/ to get or ensure you have all the latest OS and Microsoft Office software updates. You must sign up for this service.
  • Apple: http://www.apple.com/support
  • Unix: Consult documentation or online help for system update information and instructions.
• Be sure to restart your computer after updates are installed so that the patches can be applied immediately.
Run Anti-Virus Software

• To avoid computer problems caused by viruses, install and run an anti-virus program like Sophos, ESET, Avast, ...
• Periodically, check to see if your anti-virus is up to date by opening your anti-virus program and checking the "Last updated" date.
• Anti-virus software removes viruses, quarantines and repairs infected files, and can help prevent future viruses.
• UC Davis students, faculty and staff can get Sophos for their work and home computer for FREE on the Internet Tools CD (available from IT Express in Shields Library).
• Sophos can also be downloaded for free from the UC Davis Software License Coordination Web site (https://my.ucdavis.edu/software/).
Prevent Identity Theft

• Don't give out financial account numbers, Social Security numbers, driver’s license numbers or other personal identity information unless you know exactly who's receiving it. Protect other people’s information as you would your own.
• Never send personal or confidential information via email or instant messages, as these can be easily intercepted.
• Beware of phishing scams, a form of fraud that uses email messages that appear to be from a reputable business (often a financial institution) in an attempt to gain personal or account information. These often do not include a personal salutation. Never enter personal information into an online form you accessed via a link in an email you were not expecting. Legitimate businesses will not ask for personal information online.
• Order a copy of your credit report from each of the three major credit bureaus: Equifax, Experian, and Trans Union. Reports can be ordered online at each of the bureaus’ Web sites. Make sure reports are accurate and include only those activities you have authorized.
Turn on Personal Firewalls

• Check your computer's security settings for a built-in personal firewall. If you have one, turn it on. Microsoft Vista and Mac OS X have built-in firewalls. For more information, see:
  • Mac Firewall (docs.info.apple.com/article.html?path=Mac/10.4/en/mh1042.html)
  • Microsoft Firewall (www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx)
  • Unix users should consult system documentation or online help for personal firewall instructions and/or recommendations.
• Once your firewall is turned on, test your firewall for open ports that could allow in viruses and hackers. Firewall scanners like the one on http://www.auditmypc.com/firewall-test.asp simplify this process.
• Firewalls act as protective barriers between computers and the Internet.
• Hackers search the Internet by sending out pings (calls) to random computers and wait for responses. Firewalls prevent your computer from responding to these calls.
Avoid Spyware/Adware

• Spyware and adware take up memory and can slow down your computer or cause other problems.
• Use Spybot and Ad-Aware to remove spyware/adware from your computer. UC Davis students, faculty and staff can get Spybot and Ad-Aware for free on the Internet Tools CD (available from IT Express in Shields Library).
• Watch for allusions to spyware and adware in user agreements before installing free software programs.
• Be wary of invitations to download software from unknown Internet sources.
Protect Passwords

• Do not share your passwords, and always make new passwords difficult to guess by avoiding dictionary words and mixing letters, numbers and punctuation.
• Do not use one of these common passwords or any variation of them: qwerty1, abc123, letmein, password1, iloveyou1, (yourname1), baseball1.
• Change your passwords periodically.
• When choosing a password:
  • Mix upper and lower case letters
  • Use a minimum of 8 characters
  • Use mnemonics to help you remember a difficult password
• Store passwords in a safe place. Consider using KeePass Password Safe (http://keepass.info/), Keychain (Mac) or an encrypted USB drive to store passwords. Avoid keeping passwords on a Post-it under your keyboard, on your monitor or in a drawer near your computer!
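The rules on this slide can be enforced automatically. The following is an added example, not code from the original slides: it checks a candidate password for the minimum length, mixed case, digits and punctuation, rejects dictionary words, and rejects variations (trailing digits, common symbol-for-letter substitutions) of the listed common passwords and of the user's own name. The dictionary word list is a constructed stand-in, and `check_password`, `normalize` and the substitution map are this example's own names and assumptions.

```python
"""Password policy checker for the "Protect Passwords" rules (added example)."""
import string

# The common passwords named on the slide. Their base forms (trailing digits
# removed) are rejected together with simple variations of them.
COMMON_PASSWORDS = ["qwerty1", "abc123", "letmein", "password1", "iloveyou1", "baseball1"]

# Constructed stand-in for a dictionary; a real deployment would load a word list.
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey", "football", "sunshine"}

MIN_LENGTH = 8

# Assumed set of common "leetspeak" substitutions to undo before comparing.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Reduce a candidate to a base form so simple variations are caught:
    lower-case, drop leading/trailing digits and punctuation, then undo
    symbol-for-letter substitutions ('P@ssw0rd2019!' -> 'password')."""
    base = password.lower().strip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)


def _common_bases(username):
    """Base forms that a new password must not reduce to."""
    bases = {normalize(p) for p in COMMON_PASSWORDS}
    if username:  # the slide's "(yourname1)" rule
        bases.add(normalize(username))
    return bases


def check_password(password, username=""):
    """Return the list of slide rules the password violates (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("does not mix upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no punctuation")
    base = normalize(password)
    if base in _common_bases(username):
        problems.append("is a variation of a common password or your own name")
    if base in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd2019!", ""), ("Tr0ub4dor&3", ""), ("Alice2024!", "alice")]:
        print(candidate, "->", check_password(candidate, user) or "OK")
```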
Back Up Important Files

• Reduce your risk of losing important files to a virus, computer crash, theft or disaster by creating back-up copies.
• Keep your critical files in one place on your computer’s hard drive so you can easily create a back-up copy.
• Save copies of your important documents and files to a CD, online back-up service, flash or USB drive, or a server.
• Store your back-up media in a secure place away from your computer, in case of fire or theft.
• Test your back-up media periodically to make sure the files are accessible and readable.
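The last point is only useful if "accessible and readable" is actually tested. The following is an added example, not code from the original slides: it records a SHA-256 manifest of the one folder that holds your critical files at the time the backup is made, and later checks the backup copy against it, reporting files that are missing, unreadable or changed. The folder names and the `demo` scenario (simulated media corruption and a deleted file) are constructed for the example.

```python
"""Backup manifest and verification for the "Back Up Important Files" slide (added example)."""
import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a backup copy with the manifest taken when it was made.
    Returns which files are intact, missing, unreadable, or changed."""
    result = {"ok": [], "missing": [], "unreadable": [], "changed": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(backup_root, *rel.split("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
            continue
        try:
            actual = sha256_of_file(path)
        except OSError:  # unreadable media, permission problem, I/O error
            result["unreadable"].append(rel)
            continue
        result["ok" if actual == expected else "changed"].append(rel)
    return result


def demo():
    """Constructed scenario: back up three files, then simulate bit rot in one
    and loss of another on the backup media before verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "documents")   # the "one place" for critical files
        backup = os.path.join(tmp, "usb_backup")  # stands in for the backup medium
        os.makedirs(os.path.join(source, "notes"))
        samples = [("thesis.txt", "draft 1"), ("notes/todo.txt", "call IT"), ("budget.csv", "a,b")]
        for rel, text in samples:
            with open(os.path.join(source, rel), "w") as fh:
                fh.write(text)
        manifest = build_manifest(source)  # record this when the backup is made
        shutil.copytree(source, backup)
        # Simulated media corruption and an accidentally deleted file.
        with open(os.path.join(backup, "budget.csv"), "w") as fh:
            fh.write("a,X")
        os.remove(os.path.join(backup, "notes", "todo.txt"))
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```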
CYBER-SAFETY AT HOME

• Physically secure your computer by using security cables and locking doors and windows in the dorms and off-campus housing.
• Avoid leaving your laptop unsupervised and in plain view in the library or coffee house, or in your car, dorm room or home.
• Set up a user account and password to prevent unauthorized access to your computer files.
• Do not install unnecessary programs on your computer.
• Microsoft users can download the free Secunia Personal Software Inspector (https://psi.secunia.com/), which lets you scan your computer for any missing operating system or software patches and provides instructions for getting all the latest updates.
CYBER-SAFETY AT WORK

• Be sure to work with your technical support coordinator before implementing new cyber-safety measures.
• Talk with your technical support coordinator about what cyber-safety measures are in place in your department.
• Report to your supervisor any cyber-safety policy violations, security flaws/weaknesses you discover or any suspicious activity by unauthorized individuals in your work area.
• Physically secure your computer by using security cables and locking building/office doors and windows.
• Do not install unnecessary programs on your work computer.
• You can find more about cyber-safety on the UC Davis Computer Security Web site (http://security.ucdavis.edu/).
Glossary

• advanced persistent threat (APT): An Internet‐borne attack usually perpetrated by a group of individuals with significant resources, such as organized crime or a rogue nation‐state.
• adware: Pop‐up advertising programs that are commonly installed with freeware or shareware.
• APT: See advanced persistent threat.
• backdoor: Malware that enables an attacker to bypass normal authentication to gain access to a compromised system.
• BitTorrent: A P2P file‐sharing communications protocol that distributes large amounts of data widely without the original distributor incurring the costs of hardware, hosting, and bandwidth resources.
• bootkit: A kernel‐mode variant of a rootkit, commonly used to attack computers that are protected by full‐disk encryption.
• bot: A target machine that is infected by malware and is part of a botnet (also known as a zombie).
• botnet: A broad network of bots working together.
• Box: A SaaS‐based online storage application that employs SSL encryption. It’s frequently used by corporate organizations so that users can upload, download, and share files publicly and privately.
• DDNS: See dynamic DNS.
• DDoS: See distributed denial‐of‐service.
• distributed denial‐of‐service (DDoS): A large‐scale attack that typically uses bots in a botnet to crash a targeted network or server.
• drive‐by download: Software, often malware, downloaded onto a computer from the Internet without the user’s knowledge or permission.
• dynamic DNS (DDNS): A technique used to update domain name system (DNS) records for networked devices in real time.
• Internet relay chat (IRC): An application layer protocol that facilitates near real‐time communication in a client–server networking model.
• IPsec: An open‐standard protocol used for secure VPN communications over public IP‐based networks.
• IRC: See Internet relay chat.
• logic bomb: A set of instructions secretly incorporated into a program so that if a particular condition is satisfied, the instructions will be carried out, usually with harmful effects.
• malware: Malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Broadly includes viruses, worms, Trojan horses, logic bombs, rootkits, bootkits, backdoors, spyware, and adware.
• master boot record (MBR): Information contained in the first sector of a storage device that identifies how and where an operating system is located so that it can be loaded into memory.
• MBR: See master boot record.
• next‐generation firewall (NGFW): A firewall beyond traditional port‐based controls that enforces policy based on application, user, and content regardless of port or protocol.
• NGFW: See next‐generation firewall.
• Nmap: A security scanner used to discover network hosts and services.
• packet capture (PCAP): An API for capturing network packets.
• PCAP: See packet capture.
• RDP: See Remote Desktop Protocol.
• Remote Desktop Protocol (RDP): A proprietary Microsoft protocol that provides remote access to a computer.
• rootkit: Malware that provides privileged (root‐level) access to a computer.
• Secure Shell (SSH): A set of standards and an associated network protocol that establishes an encrypted, authenticated channel between a local computer and a remote computer, typically over TCP port 22.
• Secure Sockets Layer (SSL): A protocol, layered between the application and transport layers, that provides session-based encryption and authentication for secure communication between clients and servers. All SSL versions are deprecated; its successor, Transport Layer Security (TLS), is what "SSL" usually refers to in practice.
• Skype: An online service that offers instant messaging, voice, and video calls using voice over IP (VoIP) communication methods.
• Simple Mail Transfer Protocol (SMTP): An Internet standard for email transmission between mail servers that uses TCP port 25 (client submission commonly uses port 587).
• SMTP: See Simple Mail Transfer Protocol.
• spear phishing: A targeted phishing attempt that seems more credible to its victims and thus has a higher probability of success. For example, a spear-phishing email may spoof an organization or individual that the recipient actually knows.
• SSH: See Secure Shell.
• SSL: See Secure Sockets Layer.
• SYN: The TCP synchronization flag; it is set in the first segment of the three-way handshake that opens a connection (SYN, SYN-ACK, ACK).
• TCP: See Transmission Control Protocol.
• Transmission Control Protocol (TCP): A connection-oriented protocol responsible for establishing a connection between two hosts and guaranteeing the delivery of data in the correct order.
• Trojan horse: A program designed to breach the security of a computer system while ostensibly performing some innocuous function.
• UDP: See User Datagram Protocol.
• User Datagram Protocol (UDP): A connectionless protocol often used for time-sensitive, low-latency communications that do not require guaranteed delivery.
• web widget: A small application that an end user can install and run within a web page.
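The PCAP, TCP, SYN and Nmap entries above describe the pieces a network defender works with every day. The following added example (not code from the original slides) ties them together: it writes a small libpcap file in memory, parses the Ethernet, IPv4 and TCP headers with the Python standard library only, and flags sources whose SYN-only segments hit many distinct destination ports, which is the footprint an Nmap default SYN scan leaves in a capture. The sample capture, the IP addresses and the ten-port threshold are constructed for illustration and are not standard values.

```python
"""Parse a libpcap capture with the standard library only and flag
TCP SYN scanners (the pattern Nmap's default -sS scan leaves behind).

Added example for this glossary, not code from the original slides.
The capture is constructed in memory, so no file or network access is
needed; the detection threshold is an assumption, not a standard value.
"""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # libpcap global-header magic (microsecond timestamps)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10    # TCP flag bits (RFC 793)


def build_tcp_packet(src_ip, dst_ip, src_port, dst_port, flags):
    """Assemble Ethernet + IPv4 + TCP headers for a payload-less segment.
    Checksums are left zero: the parser below never validates them."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # data offset 5 (20-byte header) lives in the high nibble of TCP byte 12
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a libpcap file: global header, then one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap_bytes):
    """Yield (src_ip, dst_ip, dst_port, flags) for each IPv4/TCP frame in the capture.
    Non-TCP and truncated frames are skipped rather than raising."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same header written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:]
        _, dst_port = struct.unpack("!HH", tcp[:4])
        yield src, dst, dst_port, tcp[13]  # byte 13 of the TCP header holds the flags


def find_syn_scanners(pcap_bytes, min_ports=10):
    """Return {src_ip: n_distinct_targets} for sources whose SYN-only segments
    (SYN set, ACK clear) touched at least `min_ports` distinct (host, port) pairs.
    `min_ports` is an assumed threshold; tune it to your own network."""
    targets = defaultdict(set)
    for src, dst, dport, flags in iter_tcp(pcap_bytes):
        if flags & TCP_SYN and not flags & TCP_ACK:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


# Constructed sample capture: one host probes 16 ports, another opens a single HTTPS session.
SAMPLE_FRAMES = [build_tcp_packet("10.0.0.5", "10.0.0.20", 40000 + i, p, TCP_SYN)
                 for i, p in enumerate(range(20, 36))]
SAMPLE_FRAMES += [build_tcp_packet("10.0.0.7", "10.0.0.20", 51000, 443, TCP_SYN),
                  build_tcp_packet("10.0.0.20", "10.0.0.7", 443, 51000, TCP_SYN | TCP_ACK),
                  build_tcp_packet("10.0.0.7", "10.0.0.20", 51000, 443, TCP_ACK)]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for src, n in find_syn_scanners(SAMPLE_PCAP).items():
        print(f"possible SYN scan from {src}: {n} distinct destination targets")
```

Only SYN-without-ACK segments are counted, so the server's SYN-ACK replies and the legitimate client's final ACK never inflate a host's score; a real deployment would also window the count in time and whitelist known scanners such as a vulnerability-management host.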
Conclusion
• Cyberspace, cyber crime and cyber security: what they are.
• The consequences of inaction have been explained.
• Cyber attack maps.
• The role of malware in cyberattacks.
• Modern cyberattack strategy and its phases.
• Advanced attacks and the vulnerabilities they exhibit.
• Why traditional security solutions fail to control advanced malware.
• Vectors of attack.
• Advanced threat protection policies.
• Top seven cyber-safety actions.
Questions
1. Cyberspace: what is it? To what "spaces" does it belong?
2. What is cyber crime?
3. What is cyber security?
4. What are the consequences of inaction?
5. Explain the five pillars of cybersecurity.
6. What is the difference between cybersecurity and cyber safety?
7. Explain the key characteristics of advanced malware.
8. What is targeted malware?
9. What is spear phishing?
10. Cyber attack maps: explain them and introduce five of them.
11. What does CnC mean?
12. What does DDoS mean?
13. What does botnet mean? Explain.
14. Explain advanced persistent threats.
15. Explain the role of malware in cyberattacks.
16. Modern cyberattack strategy: explain its phases.
17. Advanced attacks exhibit some vulnerabilities; explain.
18. Why do traditional security solutions fail to control advanced malware?
19. Explain the vector of attack and its structure.
20. What does "actively test unknown files" mean?
21. What are advanced threat protection policies? Explain.
22. Explain the ten things to look for in a cybersecurity solution.
23. Explain the top seven cyber-safety actions.
Want to Know More?
• Szor, P. (2005). The Art of Computer Virus Research and Defense. Pearson Education.
• Hák, I. Moderní počítačové viry (Modern Computer Viruses), www.viry.cz
• Filiol, E. (2006). Computer Viruses: From Theory to Applications. Springer Science & Business Media.
• Saxe, J. and Sanders, H. (2018). Malware Data Science: Attack Detection and Attribution. No Starch Press.
Thank you for your attention
ivan.zelinka@ieee.org
www.ivanzelinka.eu
Copyright
This didactic material is meant for the personal use of the student only, and is copyrighted. Its reproduction with modification is strictly forbidden in accordance with the law on authors' rights.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
Copyright © NAVY.CS.VSB.CZ