What goals do attackers set for malware

02.12.2024

Ruslan Rakhmetov, Security Vision


We have previously covered the different types of malware (malicious software), but here we want to look not only at how it spreads and infects devices, but also at the purposes it serves. In this review we group malware by what it does. First, a word on classifications. Like any software, malware varies in architecture: it can be modular (several components that work together, such as a loader, a core and plug-ins) or monolithic (a single program that is not divided into parts). Other classification axes are described below.


By propagation method, malware can be divided into self-propagating programs (which spread without user participation, like network worms), those spread through social engineering (psychological manipulation that deceives the user into running them), exploit-based malware (code that abuses software vulnerabilities to gain a foothold automatically) and those requiring human action (for example, opening an infected email attachment or file). The last group includes interactive malware (for example, requiring a click on a link) and non-interactive malware that, once present, runs without any further user involvement (for example, rootkits).


By infection method, malware can be file-based (infecting executable files such as *.exe or *.dll), fileless (residing in memory rather than as a file on disk), network-based (for example, worms that spread over the Internet) and boot-level (bootkits that infect the boot sectors of hard disks or USB devices so as to run alongside or before the operating system).


Any of these groups can contain malware targeting applications (for example, browsers or office software), physical devices (IoT, routers and industrial systems, which require special protection), operating systems, the BIOS/UEFI firmware, and drivers.


Malware also differs in how it disguises itself. Specialists distinguish stealthy programs that hide in the system to avoid detection (for example, rootkits, which hook system calls to conceal their files and processes), polymorphic programs that change the encoding of their body for each new copy (usually by encrypting it under a fresh key) so that byte signatures no longer match although the behaviour is unchanged, and metamorphic programs that rewrite their own code, decoder included, on every new infection.
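To make the polymorphism point concrete, here is an added example written for this edit (it is not code from Security Vision or from the original article). A single-byte XOR encoding stands in for a polymorphic packer; the plaintext body and the signature are constructed for the illustration and are not taken from any real malware family. Two "generations" of the same body hash differently and slip past a plain byte signature, while a detector that tries all 256 keys before matching still finds both.

```python
"""Added example: why a byte signature fails against a polymorphic body.

A single-byte XOR 'packer' stands in for real polymorphic encoding. The body
and the signature below are constructed for this illustration and are not
taken from any real malware family.
"""
import hashlib
from typing import Optional

# Constructed plaintext body of a fictional sample (not real malware).
PLAINTEXT_BODY = b"open connect 203.0.113.5:4444; load inject.dll; run keylog"
# A byte signature an antivirus might carry for the plaintext body.
SIGNATURE = b"connect 203.0.113.5:4444"


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (self-inverse, so it also decodes)."""
    return bytes(b ^ key for b in data)


def make_generation(key: int) -> bytes:
    """One polymorphic 'generation': the same body re-encoded under a fresh key."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in plaintext")
    return xor_encode(PLAINTEXT_BODY, key)


def static_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain signature scan over the stored bytes."""
    return signature in sample


def xor_aware_match(sample: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Try all 256 single-byte keys; return the key whose decoding reveals the signature."""
    for key in range(256):
        if signature in xor_encode(sample, key):
            return key
    return None


def compare(key_a: int, key_b: int) -> dict:
    """Build two generations and report how each detection approach fares."""
    gen_a, gen_b = make_generation(key_a), make_generation(key_b)
    return {
        "hashes_differ": hashlib.sha256(gen_a).hexdigest() != hashlib.sha256(gen_b).hexdigest(),
        "static_hits": (static_match(gen_a), static_match(gen_b)),
        "xor_aware_keys": (xor_aware_match(gen_a), xor_aware_match(gen_b)),
    }


if __name__ == "__main__":
    print(compare(0x5A, 0xC3))
```

The brute-force decoder works only because the decoder family is known and the key space is tiny. A metamorphic sample rewrites the decoder itself, so this trick no longer applies and detection has to move to behaviour or emulation, which is exactly why the distinction in the text matters.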


These classifications can be combined freely: an encryptor, for example, can be network-based, stealthy and aimed at mobile systems. Below we therefore set them aside and group malware by purpose, identifying 12 types.


1. Adware is malware that constantly displays advertisements (pop-ups or redirects to third-party sites) and often carries hidden functionality (for example, tracking). It behaves like a pushy street vendor who follows you around shouting offers. To protect yourself from this relatively harmless pest, limit software installation to trusted sources and use anti-spam systems and ad blockers.

2. Spyware secretly collects user data: it captures passwords, records actions or monitors the websites you visit (a keylogger, for example, records keystrokes). The name speaks for itself: this malware behaves like a hidden spy peering at the user. You can protect yourself with anti-spyware tools and by not installing suspicious browser extensions.

Specialists single out mobile spyware, which is installed on smartphones to watch the user: it reads messages, tracks location or listens to calls. This type is often installed by hand, by the attacker or by the victim's partner (in which case it is also called stalkerware), and then forwards calls, messages and GPS data to the attacker. It acts like a private investigator tailing the target, or like a hidden camera and a radio bug in a hotel room.


3. Ransomware blocks access to data or to the whole system and demands payment to restore it; most modern families do this by encrypting the victim's files. The most notorious kidnappers of the IT world, demanding a ransom for your stolen wallet, are the WannaCry and Petya/NotPetya encryptors. You can save yourself with backups kept offline, antivirus and sandboxing of attachments, and by simply not opening suspicious email attachments.

4. Scareware intimidates the user with false information, such as "virus detected" or "your data is at risk" messages, and then demands payment to "fix the problem". It first shows a pop-up or alarming message (for example, "Your system is infected!"), then offers to download an "antivirus" or pay for a clean-up service. Even if the victim pays, the program either does nothing or installs further malware on the device.


Scareware acts like a quack who diagnoses an illness in order to sell the "cure", or like a scarecrow that frightens birds although it cannot harm them. It is a false fire alarm that sends people into a panicked evacuation for no reason, and it works the way a "Beware of the dog" sign does when there is no dog behind the fence.


5. Encryptors (crypto-ransomware) are the subset of ransomware that blocks access to user data specifically by encrypting it and then demands a ransom for the decryption key. They spread via infected attachments, malicious websites or exploits, then encrypt the user's files, making them unreadable. An encryptor acts like a door fitted with a new lock to which only the thief holds the key; the kidnapper then appears, demanding a ransom for the victim's release.
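An encryptor leaves a characteristic trace on the endpoint: one process writes many files whose contents are near-random (high entropy) under a new extension within seconds. The following added example, written for this edit and not code from Security Vision or the original article, runs that check over constructed file-write telemetry. The process names, paths and data are invented; the allow-list of compressed formats shows the main false-positive source a practitioner has to handle.

```python
"""Added example: spotting encryptor activity from file-write telemetry.

Events, process names and paths are constructed for this illustration.
"""
import hashlib
import math
from bisect import bisect_right
from collections import Counter, defaultdict
from typing import Dict, List

# Legitimate high-entropy formats that must not trip the detector on their own.
COMPRESSED_OR_ENCRYPTED_EXT = {"zip", "7z", "gz", "rar", "jpg", "png", "mp4", "pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain documents sit around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    """Last extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryptor(events: List[dict], window_s: float = 10.0,
                     min_files: int = 5, min_entropy: float = 7.0) -> Dict[int, int]:
    """Flag a pid that writes >= min_files high-entropy files with non-standard
    extensions inside any window_s-second window. Returns {pid: count}."""
    suspicious_times = defaultdict(list)
    for ev in events:
        if extension(ev["path"]) in COMPRESSED_OR_ENCRYPTED_EXT:
            continue  # archives and media are high-entropy by design
        if shannon_entropy(ev["data"]) >= min_entropy:
            suspicious_times[ev["pid"]].append(ev["ts"])
    flagged = {}
    for pid, times in suspicious_times.items():
        times.sort()
        for i, start in enumerate(times):
            count = bisect_right(times, start + window_s) - i
            if count >= min_files:
                flagged[pid] = count
                break
    return flagged


def pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


TEXT = b"Q3 revenue rose 4% on stronger services demand; costs were flat.\n" * 40

# Constructed telemetry: a word processor, an encryptor, and a backup tool.
SAMPLE_EVENTS = [
    {"ts": 0.0, "pid": 1200, "proc": "winword.exe",
     "path": r"C:\Users\ana\Documents\q3.docx", "data": TEXT},
]
SAMPLE_EVENTS += [
    {"ts": 5.0 + 0.4 * i, "pid": 4411, "proc": "updater.exe",
     "path": rf"C:\Users\ana\Documents\report{i}.docx.locked",
     "data": pseudo_random(2048, i)}
    for i in range(6)
]
SAMPLE_EVENTS += [
    {"ts": 20.0 + 0.5 * i, "pid": 2300, "proc": "7z.exe",
     "path": rf"C:\Backups\part{i}.7z", "data": pseudo_random(2048, 100 + i)}
    for i in range(6)
]

if __name__ == "__main__":
    print(detect_encryptor(SAMPLE_EVENTS))  # only the .locked writer is flagged
```

Entropy alone is a weak signal: backup tools, archivers and image editors all write near-random bytes legitimately, which is why the example combines it with a burst of writes from one process and an unfamiliar extension. In production this logic belongs in an EDR rule with a response (suspend the process, snapshot the share), not in a batch script run afterwards.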

6. Exploits are programs or code fragments that abuse a specific vulnerability in a system to run attacker code or gain access. Exploit kits bundle many exploits together and, for example, probe a visitor's browser and plug-ins for known unpatched flaws in order to attack through the browser. They act like thieves checking a house for unlocked doors. Timely OS and application updates and disabling unnecessary services shrink the attack surface they can work with.

7. Spam bots automatically send spam (adverts, phishing links, malicious attachments) by email or on social networks. The infected device becomes part of a botnet, and the program sends messages to thousands of addresses. The everyday equivalent is an unsolicited advertising call, or the person who knocks on doors selling useless products and stuffs the mailboxes of an apartment block with flyers.

8. Bots and botnets are devices infected with software that enrols them in a network which can be used for attacks or spam. Such devices follow the attacker's commands, for example taking part in DDoS attacks; this is how the Mirai botnet worked in 2016, when it recruited hundreds of thousands of IoT devices into record-sized DDoS attacks. Devices are infected via Trojans, exploits or phishing emails and connect to a command-and-control (C&C) server, after which their resources are used for attacks or other tasks.

Botnets act like a zombie horde in an apocalypse film, obeying the villain's commands. Protection starts with properly configuring routers and IoT devices, as we described earlier: change default passwords and close unnecessary services. A bot also has to check in with its C&C server regularly, and that traffic is where defenders can catch it.
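The regular check-in is the bot's weak point. Here is an added example, written for this edit and not code from Security Vision or the original article, that finds beaconing in connection logs by measuring how regular the gaps between connections to one destination are. The log format, hosts and timings are constructed; a real deployment would parse its own firewall or Zeek output into the same (source, destination, port, time) tuples.

```python
"""Added example: finding C&C beaconing in connection logs by interval regularity.

Log format, hosts and timings are constructed for this illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

Key = Tuple[str, str, int]


def parse(lines: List[str]) -> Dict[Key, List[datetime]]:
    """Group connection timestamps by (src, dst, dport); skip malformed lines."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["dport"]))
        flows[key].append(datetime.strptime(m["ts"], TS_FMT))
    return flows


def detect_beacons(lines: List[str], min_events: int = 8,
                   max_cv: float = 0.1) -> Dict[Key, dict]:
    """Flag flows whose inter-connection gaps are almost constant.
    cv = stdev / mean of the gaps; a bot on a fixed timer has cv near 0."""
    hits = {}
    for key, times in parse(lines).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = {"events": len(times), "mean_s": mean, "cv": round(cv, 4)}
    return hits


def _make_lines(src: str, dst: str, dport: int, gaps: List[float],
                start: datetime) -> List[str]:
    """Constructed log lines: one connection at start, then one after each gap."""
    t = start
    out = [f"{t.strftime(TS_FMT)} src={src} dst={dst} dport={dport}"]
    for g in gaps:
        t += timedelta(seconds=g)
        out.append(f"{t.strftime(TS_FMT)} src={src} dst={dst} dport={dport}")
    return out


START = datetime(2024, 12, 2, 10, 0, 0)
# An infected host checking in about every 60 s (slight jitter), and a normal browsing host.
SAMPLE_LOG = (
    _make_lines("10.0.0.12", "198.51.100.7", 443, [60, 61, 59, 60, 60, 61, 59, 60, 60], START)
    + _make_lines("10.0.0.31", "198.51.100.7", 443, [5, 120, 33, 900, 2, 47, 300, 18, 66], START)
)

if __name__ == "__main__":
    for key, info in detect_beacons(SAMPLE_LOG).items():
        print(key, info)
```

Many bots add random jitter to their sleep interval precisely to defeat this measure, and legitimate software (NTP, update checks, monitoring agents) beacons too. Raising max_cv catches more jittered bots at the cost of more such false positives, so the score is best combined with destination reputation and with how many hosts talk to the same destination.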


Experts treat IoT malware as a separate group: software targeting smart home devices (cameras, thermostats, smart TVs) or industrial equipment. Attackers scan the Internet for vulnerable smart devices and gain access via exploits or default and weak passwords, whether for espionage or to enrol the device in a botnet. Such malware controls devices without your knowledge, like a puppeteer in a puppet theatre or a neighbour who connects to your Wi-Fi without permission.


9. Cryptojackers use the device's resources (CPU, graphics card) to mine cryptocurrency without the owner's knowledge. They are delivered via Trojans, downloaders or malicious websites (including in-browser mining scripts) and start mining, slowing the device and raising its power consumption. All the proceeds go to the attacker. It is like an intruder eating your food and running up your electricity bill, or an illegal factory in your basement.

10. Logic bombs are hidden malicious instructions that activate when a certain condition is met, for example at a given time or when a specific program is launched. This kind of malware hides inside a legitimate program and waits for its trigger (such as a date) before deleting files, damaging the system or disabling hardware. It resembles a time bomb set for a certain hour, or a sleeper agent waiting for the order to act: harmless on the outside, harmful on the inside, a real fly in the ointment.

11. Advanced Persistent Threats (APTs) are sophisticated, long-running attacks against specific organisations, governments or companies. Strictly speaking, an APT is a campaign or the group behind it rather than a single program, but it comes with its own arsenal: attackers use exploits, Trojans and spyware to gain access, rely on phishing, vulnerabilities or social engineering for the initial break-in, and plant rootkits or backdoors to keep access while they quietly monitor users and systems and copy data. Like a slow poison, it acts covertly on the organism over a long time and stays inside until it is discovered.

12. Phishing software (phishing kits) masquerades as ordinary websites, applications or emails to trick victims into handing over sensitive data such as passwords, card numbers or logins. Attackers build fake interfaces, such as a malicious copy of a bank's login page hosted on a look-alike domain. The victim enters their details believing they are dealing with the real site, and the data goes to the attacker, who uses it to steal money or get into the system. Phishing kits work like a fake ATM that skims card details, or a fake charity whose donations end up in someone's pocket.
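The look-alike domain is where a phishing page can be caught before a user ever sees it. The following added example, written for this edit and not code from Security Vision or the original article, classifies URLs against a protected brand domain. "mybank.com" is a hypothetical brand and every URL is constructed; the three checks (homoglyph folding after punycode decoding, a small edit distance, and the brand name buried in an unrelated domain) cover the most common tricks described above.

```python
"""Added example: classifying URLs against a protected brand domain.

'mybank.com' is a hypothetical brand; the URLs are constructed.
"""
import unicodedata
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

BRANDS = {"mybank.com"}  # hypothetical brand; load your own list in practice

# Single-character confusables: digits/symbols and Cyrillic letters that look Latin.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}
# Multi-character confusables.
SEQUENCES = {"rn": "m", "vv": "w"}


def hostname_of(url: str) -> str:
    """Lower-case hostname with punycode (xn--) labels decoded to Unicode."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA; keep as is
    return host.lower()


def fold(label: str) -> str:
    """Collapse look-alike characters so that 'rnybank' folds to 'mybank'."""
    s = unicodedata.normalize("NFKC", label)
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    for seq, rep in SEQUENCES.items():
        s = s.replace(seq, rep)
    return s


def registrable(host: str) -> str:
    """Naive registrable domain = last two labels. A real deployment should use
    the Public Suffix List so that names under 'co.uk' and similar are handled."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances to the brand indicate typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, brands=BRANDS) -> Optional[Tuple[str, str]]:
    """Return (reason, brand) for a suspicious URL, or None if the URL is the
    brand itself or unrelated to any protected brand."""
    host = hostname_of(url)
    reg = registrable(host)
    if reg in brands:
        return None  # genuine, including subdomains such as login.mybank.com
    sld = reg.split(".")[0]
    for brand in brands:
        brand_sld = brand.split(".")[0]
        if fold(sld) == brand_sld:
            return ("homoglyph", brand)
        if levenshtein(fold(sld), brand_sld) <= 1:
            return ("typosquat", brand)
        if brand_sld in host:
            return ("brand-keyword", brand)
    return None


# Constructed test URLs; the Cyrillic 'a' variant is written as a browser would send it.
PUNYCODE_HOST = "myb\u0430nk.com".encode("idna").decode("ascii")
SAMPLE_URLS = [
    "https://login.mybank.com/auth",
    "https://rnybank.com/login",
    f"https://{PUNYCODE_HOST}/login",
    "https://mybanc.com/",
    "https://mybank.com.account-verify.xyz/",
    "https://secure-mybank.com/",
    "https://example.org/",
]


def scan(urls=SAMPLE_URLS) -> Dict[str, Optional[Tuple[str, str]]]:
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{str(verdict or 'ok'):<28} {url}")
```

The edit-distance threshold of 1 is deliberately conservative: at 2, short brand names start colliding with ordinary words, and the "brand-keyword" rule already catches the long "mybank.com.something.xyz" constructions that a distance check misses.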

For a beginner or student it is important to understand the basic principles of how malware operates and how it is detected and prevented. Our earlier reviews covered several aspects that help build that foundation.


We also offer a small checklist of technical protection measures:


   - use anti-virus and anti-spyware programmes

   - regularly update software and operating systems

   - carefully configure firewalls

   - encrypt sensitive data, both stored and in transit.


Behavioural measures complement this list: do not open suspicious emails and links, do not download files from unreliable sources, use strong unique passwords and two-factor authentication. Companies should also conduct regular security audits and restrict access rights to critical data to those who need them.
