Incident Response

access points are set up by malicious attackers and insider threats. These points can be used to attack the network, so it is important to know these rogue access points just as well as the authorized access points. Rogue access points are not set up by the administrator, but they can be identified by cross-referencing the service set identifier (SSID) of each observed access point against a preconfigured list of approved access points, because rogue devices frequently broadcast SSIDs that are not approved by the company. "In some cases, access points are set up directly between two client devices. These ad hoc access points are considered to be rogue by default, as they provide a vulnerable means for compromise because they are not directly managed by the organization's security team." [UMU17]

The Cyber Kill Chain provides a framework for the life cycle of a cyber attack. This framework was created by Lockheed Martin to help those who use it better understand, detect and respond to a cyber attack. The Cyber Kill Chain focuses heavily on intrusion techniques and has 7 steps. The first six steps of the model are focused on the intrusion itself, and the last step is focused on the attackers' purpose, which can last for months while they slowly meet their objectives. The steps according to [Pro] are listed below.

Reconnaissance
The first step of the Cyber Kill Chain is to select a target. The attackers then "fingerprint" the target, collecting characteristics specific to it. They use that information to create a blueprint of the IT systems and search for vulnerabilities, both technical and human, to exploit and breach the network.

Weaponization
In the next step, the attackers re-engineer core malware to suit their purposes. That malware may exploit previously unknown vulnerabilities, also known as zero-day exploits, or other combinations of vulnerabilities. Re-engineering the malware reduces the likelihood of detection by traditional security solutions; this also involves placing it in a benign or legitimate-looking document such as a press release or contract document.

Delivery
"The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the US ProTech Computer Incident Response Team (USPT-CIRT) for the years 2005-215, are email attachments, websites, and removable media such as a USB stick." [Pro] This stage is the first and most important opportunity for defenders to block an attempted attack, but blocking the attack at this point also forgoes certain key capabilities and other important data that defenders would otherwise gain. This stage is also where defenders can measure the fraction of intrusion attempts that are blocked.

Exploitation
At this stage, the malware is triggered. After the malware is delivered, exploitation runs the intruders' code. Most commonly an application or operating system vulnerability is targeted, but the exploit may instead target the users themselves or leverage an operating system feature that automatically executes code.
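The rogue access point check described earlier (cross-referencing each observed SSID against a preconfigured approved list, with ad hoc networks rogue by default), as an added example that is not part of the paper. The approved list, the scan format and the scan output are all constructed for the example; it also goes one step beyond the text by reporting an approved SSID seen from an unknown BSSID, since an SSID alone is easy to copy.

```python
# Added example, not from the paper: flag rogue access points by checking each
# observed network against a preconfigured approved list (SSID plus the BSSIDs
# allowed to broadcast it) and treating ad hoc networks as rogue by default.
from dataclasses import dataclass
# Constructed approved list: SSID -> BSSIDs (radio MACs) allowed to use it.
APPROVED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}

@dataclass
class Observation:
    bssid: str
    ssid: str
    mode: str  # "infra" or "adhoc"

def parse_scan(text):
    """Parse constructed scan lines of the form 'BSSID<TAB>SSID<TAB>MODE'."""
    obs = []
    for line in text.strip().splitlines():
        bssid, ssid, mode = line.split("\t")
        obs.append(Observation(bssid.lower(), ssid, mode.lower()))
    return obs

def classify(o, approved=APPROVED):
    """Return (verdict, reason); verdict is approved, rogue or suspicious."""
    if o.mode == "adhoc":  # ad hoc links are rogue by default
        return "rogue", "ad hoc network not managed by the security team"
    if o.ssid not in approved:
        return "rogue", "SSID not on the approved list"
    if o.bssid not in approved[o.ssid]:  # SSID alone is easily copied
        return "suspicious", "approved SSID broadcast from an unknown BSSID"
    return "approved", "SSID and BSSID match the approved list"

def find_rogues(scan_text, approved=APPROVED):
    """Return [(bssid, ssid, verdict, reason)] for every non-approved network."""
    rows = [(o.bssid, o.ssid, *classify(o, approved)) for o in parse_scan(scan_text)]
    return [r for r in rows if r[2] != "approved"]

# Constructed scan output, one network per line.
SAMPLE_SCAN = """\
00:11:22:33:44:01\tCorpWiFi\tinfra
00:11:22:33:44:03\tCorpGuest\tinfra
de:ad:be:ef:00:01\tFreeWiFi\tinfra
de:ad:be:ef:00:02\tCorpWiFi\tinfra
de:ad:be:ef:00:03\tlaptop-share\tadhoc
"""
if __name__ == "__main__":
    for row in find_rogues(SAMPLE_SCAN):
        print(" | ".join(row))
```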