Category: Security
-
DNS Attack Vectors
Before looking at DNS Attack Vectors, let’s do a quick recap of what a DNS is, and what are it’s functions. What is a DNS? DNS, or Domain Name System, is a server that provides Name to IP Address resolution. When people visit websites, it’s much easier for them to remember words, such as Facebook […]
-
Domain Fronting and SNI
Domain fronting is a malicious act of appearing to request to visit a legitimate site (the front), while in actual fact, the request is going to another website. Domain fronting relies on the SSL technology to work, where the service provider is unable to see the actual malicious hostname the request is going to, but […]
-
The Cyber Kill Chain
The Cyber Kill Chain (CKC) is a sequential set of steps that takes place when an attack happens. There are many variations of the CKC by different companies such as , but the “trusted” and most convincing variant is by Lockheed Martin. This CKC is pretty straightforward, and by disrupting any part of the kill […]
-
Side Channel Data Exfiltration
A typical data exfiltration attack can be quite easy to spot. By monitoring the usage of common protocols such as HTTP, HTTPS, FTP or even DNS, we can deduce if a data exfiltration is taking place. Most modern DLP (Data Leak Prevention) solutions today that incorporate network analysis can perform such detection across multiple protocols. […]
-
Looking out for C2 Traffic
Types of C2 Communication When a host gets infected with a malware, sometimes it will attempt to call back to it’s Command and Control (C2) to get, or send information. There are 4 types of C2 communication traffic Beacon After a host has been compromised, the malware will send a message heartbeat to the C2 […]
-
What is UPnP? (And how it can be malicious)
UPnP, which stands for Universal Plug n Play, is a set of networking protocols used to facilitate adding of new devices to the network. It comes enabled default on most new routers. For example, when you connect a new printer to the network, it automatically becomes discoverable by all other devices without you having to […]
-
MITRE on Threat Detection
I just sat through a webinar by the folks at Red Canary, and they covered some questions regarding threat detection using the MITRE ATT&CK framework. The webinar sat down with the researchers who created MITRE, and it was quite insightful. Here are some of the notes I took that may be useful for present and […]
-
CSRF Tokens
If we look at source codes of HTML forms, we typically can spot this field being rendered on the webpage Sometimes it doesn’t have the name called CSRF Token, and it just appears as a random gibberish value being loaded. This post breaks down the purpose of the token, and what happens behind the scenes […]
-
OS Inference through Ping TTL
Terminologies Ping: An command to discover the availability of a target machine. It sends an ICMP Echo Request, and waits for an Echo Reply TTL: Time-To-Live, which tells the network routers how long the packet should live. For each router that passes the packet on, the TTL reduces by 1. Once TTL reaches 0, the […]
-
How to harden a Linux Kernel
Hardening means to make the something more secure and resilient to attacks. When people talk about hardening, they usually talk about server hardening, which includes things like IP / MAC address white listing Closing unused ports Uninstalling unused systems Disabling root login (no one can login as root, only a normal user who can sudo) […]
Code of The Day 