The importance of using backups to prepare for ransomware attacks

Image credit: David Rangel

Ransomware attacks are a growing threat to individuals and organizations alike. These attacks involve hackers encrypting a victim's data and demanding a ransom payment in exchange for the decryption key. In many cases, victims are left with no choice but to pay the ransom in order to regain access to their data. However, one effective way to protect against ransomware attacks is to use backups.

Backups are copies of data that can be used to restore a system in the event of data loss. By regularly backing up data, organizations and individuals can ensure that they have a copy of their data that is safe from ransomware attacks. This means that even if an attack occurs, the victim can simply restore their system from a backup and avoid having to pay the ransom.

In addition to providing protection against ransomware attacks, backups also offer other benefits. For example, they can be used to restore data in the event of other types of data loss, such as data corruption or hardware failure. This can save organizations and individuals a significant amount of time and money that would otherwise be spent trying to recover lost data.

Furthermore, backups can be stored in multiple locations, such as on a local device, on a remote server, or on a cloud-based service. This provides an additional layer of protection against data loss. For example, if a local backup is lost due to a hardware failure, the victim can still restore their data from a remote or cloud-based backup.

In conclusion, using backups is an important way to protect against ransomware attacks. By regularly backing up data, organizations and individuals can ensure that they have a copy of their data that is safe from ransomware attacks. This can save them from the potentially costly and time-consuming process of trying to recover lost data. In addition, storing backups in multiple locations provides an additional layer of protection against data loss.

(This article was written by ChatGPT, an Artificial Intelligence chat bot! Learn more about it here!)

How to prepare for a cybersecurity interview

Photo credit: Brooke Cagle

To prepare for a cybersecurity interview, there are a few key steps you can take. First, it is important to research the company and the specific role you are applying for. This will help you understand the company's mission, products, and services, and will give you a better idea of what the role entails.

It is also important to review the job description and requirements, and to be prepared to discuss your relevant experience and skills. Be sure to highlight any experience you have working with cybersecurity tools, technologies, and best practices, and be prepared to discuss any relevant certifications or qualifications you have.

In addition to reviewing the job description and requirements, it is also important to familiarize yourself with common cybersecurity interview questions. Some common questions you may be asked include:

  • What is your experience with cybersecurity tools and technologies?

  • How do you stay up-to-date with the latest developments in the field of cybersecurity?

  • Can you describe a time when you identified and resolved a complex technical issue?

  • How do you approach security risk assessments and threat analysis?

By researching the company, reviewing the job description and requirements, and familiarizing yourself with common interview questions, you can be well prepared for your cybersecurity interview.

(This article was written by ChatGPT, an Artificial Intelligence chat bot! Learn more about it here!)

What are some of the best entry-level jobs in cybersecurity?

Photo credit: ThisIsEngineering

There are many different entry-level jobs in the field of cybersecurity, and the best ones will depend on your specific interests, skills, and experience. Some of the most common entry-level jobs in the field include:

  1. Security analyst: Security analysts are responsible for monitoring and analyzing an organization's network for security threats, and implementing measures to prevent and mitigate those threats.

  2. Cybersecurity specialist: Cybersecurity specialists are responsible for implementing and maintaining the security of an organization's computer systems and networks.

  3. Information security officer: Information security officers are responsible for developing and implementing an organization's security policies and procedures, and ensuring that they are followed.

  4. Network security engineer: Network security engineers are responsible for designing and implementing secure network architectures, and for maintaining and troubleshooting network security systems.

  5. Security consultant: Security consultants are experts in cybersecurity who are hired by organizations to provide guidance and advice on security-related matters.

In general, entry-level jobs in cybersecurity often involve a combination of technical skills, such as knowledge of computer systems and networks, and softer skills, such as problem-solving and communication. To be successful in these jobs, you should have a strong foundation in computer technology and a willingness to learn and adapt to new technologies and challenges.

(This article was written by ChatGPT, an Artificial Intelligence chat bot! Learn more about it here!)

How to Pivot into a Cybersecurity Career

Image credit: Jefferson Santos

If you are interested in pivoting into a cybersecurity career, there are a few steps you can take to prepare. First, it is important to understand the basics of computer technology and networks. You should have a good understanding of how computers work, and be familiar with different operating systems and network architectures. You can gain this knowledge through online courses, books, or by taking classes at a local college or university.

It is also important to gain hands-on experience with cybersecurity tools and technologies. This can be done through internships, part-time jobs, or by participating in online cybersecurity challenges and competitions. These experiences will not only help you learn more about cybersecurity, but they will also help you develop the practical skills and expertise needed to succeed in this field.

In addition to gaining technical knowledge and hands-on experience, it is also important to develop your problem-solving skills. Cybersecurity professionals are often called upon to identify and resolve complex technical issues, so having strong problem-solving skills is essential.

Overall, the key to preparing for a career in cybersecurity is to gain a strong foundation in computer technology and networks, develop hands-on experience with cybersecurity tools and technologies, and hone your problem-solving skills. With dedication and hard work, you can successfully pivot into a career in cybersecurity.

(This article was written by ChatGPT, an Artificial Intelligence chat bot! Learn more about it here!)

What is the OWASP Top Ten?

The OWASP Top 10 is a list of critical security vulnerabilities for web applications. OWASP stands for the Open Web Application Security Project, which is a nonprofit foundation dedicated to improving the security of software. The OWASP Top Ten list is updated every several years to reflect the changing cybersecurity landscape and to direct focus onto the most important current security issues. The OWASP Top Ten for 2021 is as follows:

  • A01:2021-Broken Access Control allows an attacker to act outside their intended permissions, for example by gaining access to other users' accounts. The attacker in this context can function as a user or even an administrator of the system. This can be mitigated by ensuring that all accounts follow the principle of least privilege and that unused accounts are disabled immediately.

  • A02:2021-Cryptographic Failures occur when important stored or transmitted data is compromised. This vulnerability is also known as “Sensitive Data Exposure.” This can be improved by properly encrypting data at rest as well as data in transit.

  • A03:2021-Injection, or more specifically “Code Injection,” occurs when an attacker sends invalid data into a web application in order to make the app do something it was not designed to do. Writing secure code that validates untrusted input and holds up under input fuzzing can help secure against this type of vulnerability.

  • A04:2021-Insecure Design is a generic term for web application vulnerabilities that are related to design flaws. Improvements in this category require the use of threat modeling, secure design patterns and principles, and reference architectures.

  • A05:2021-Security Misconfiguration describes design or configuration weaknesses that are the result of errors or shortcomings. Proper development and quality assurance testing will help secure against misconfigurations.

  • A06:2021-Vulnerable and Outdated Components relates to devices with known vulnerabilities that need to be patched. If a device or piece of software cannot be patched, it should be removed or replaced with a more secure option.

  • A07:2021-Identification and Authentication Failures lead to compromised passwords, keys, and sessions, which can translate to stolen user identities. This can be secured through proper user authentication and session management, as well as user education regarding password hygiene.

  • A08:2021-Software and Data Integrity Failures can occur when software updates or critical data is used without verifying integrity. This can be improved through hashing techniques to verify data accuracy and integrity.

  • A09:2021-Security Logging and Monitoring Failures are common when logging is not performed frequently and consistently. This type of failure can result in data exfiltration and other attacks.

  • A10:2021-Server-Side Request Forgery happens when a web application fetches a remote resource without validation, which can give an attacker access to critical data regardless of firewalls or other defensive tools. Proper validation is required to protect against this threat.

For more information about each vulnerability and how to defend against these attacks, check out the OWASP Top Ten website.  Thanks for reading - check out my YouTube channel for more!

https://owasp.org/www-project-top-ten/

LAB: SpiderTrap

This is a description of my experience working on the labs offered by Black Hills Information Security called “Advanced C2 PCAP Analysis” and “RITA.” I completed these labs in May of 2022 as part of the “Active Defense - Cyber Deception” live class offered by John Strand and Antisyphon Training. If you want to do the labs yourself, check out their class here! The lab walkthroughs are also available on GitHub.

Image credit: Nathan Dumlao

This lab covers a tool called SpiderTrap that can be used to catch and slow down web crawling bots that attempt to enumerate your web server for malicious reasons. It does this by generating lots of random links for the spider to examine and waste its time on.

I began the lab by opening my virtual machine in VMware, which was provided by BHIS as part of the class downloads. I opened a terminal as administrator, clicked the dropdown menu and opened an Ubuntu shell. I changed directories into the location of the spidertrap installation (/opt/spidertrap) and ran ifconfig to determine my IP address. I then started the trap by running the following command:

python3 spidertrap.py

This displayed the randomly generated links, which just lead to more random links if they are clicked on. Below is a screenshot of the result. I then stopped the tool from running.

I then moved on to the next step of the lab, which was to start SpiderTrap again, but this time with a directory list enabled to make the links look like real directories, which further obscures the fact that this is acting as a trap.

A normal penetration test involves starting with an automated scan, where the pentester starts the scan and then lets it run while doing something else. If they run into SpiderTrap while the automated scan is running, this could either fill the pentester’s hard drive or completely exhaust the memory of the pentester’s computer. Either way, it is disruptive and can slow down a penetration tester or attacker, which gives time for network defenders to take further action to secure the systems.
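A minimal illustration of the mechanism described above, added here as an example and not SpiderTrap's own code: every request gets a page of links that lead only to more pages of links, optionally named from a directory list so they resemble real paths, and each response is deliberately delayed. The bind address, port, link count and delay are assumed values.

```python
import hashlib
import html
import random
import string
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def trap_page(path: str, n_links: int = 20, dirnames=None) -> str:
    """Build an HTML page of n_links links beneath the requested path.

    Link names come from a generator seeded with a hash of the path, so the
    same URL always renders the same page (it looks like a stable site to a
    crawler) while every link leads to yet another page of links, with no end.
    If dirnames is given, names are picked from that list so links resemble
    real directories; otherwise random alphanumeric names are used.
    """
    rng = random.Random(int.from_bytes(hashlib.sha256(path.encode()).digest(), "big"))
    base = path.split("?", 1)[0].rstrip("/")  # drop any query string before building child paths
    items = []
    for _ in range(n_links):
        if dirnames:
            name = rng.choice(dirnames)
        else:
            name = "".join(rng.choices(string.ascii_lowercase + string.digits, k=rng.randint(4, 12)))
        href = f"{base}/{name}/"
        items.append(f'<li><a href="{html.escape(href)}">{html.escape(name)}</a></li>')
    return "<html><body><ul>\n" + "\n".join(items) + "\n</ul></body></html>\n"


class TrapHandler(BaseHTTPRequestHandler):
    """Serve a trap page for every GET, holding each response for `delay` seconds."""
    delay = 2.0       # assumed stall per response; this is what costs the crawler time
    dirnames = None   # optionally a list of plausible directory names (see trap_page)

    def do_GET(self):
        body = trap_page(self.path, dirnames=self.dirnames).encode("utf-8")
        time.sleep(self.delay)
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed bind address and port; listens on localhost only for this demonstration.
    HTTPServer(("127.0.0.1", 8000), TrapHandler).serve_forever()
```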

You can learn more about SpiderTrap here. Thanks for reading!

LAB - Advanced C2 PCAP Analysis | Using RITA as an “Easy Button”

This is a description of my experience working on the labs offered by Black Hills Information Security called “Advanced C2 PCAP Analysis” and “RITA.” I completed these labs in May of 2022 as part of the “Active Defense - Cyber Deception” live class offered by John Strand and Antisyphon Training. If you want to do the labs yourself, check out their class here! The lab walkthroughs are also available on GitHub.

These labs show two ways of analyzing packet capture data, also known as PCAP analysis. The “manual” way is by using tcpdump to look at SYN packets, while the “easy” way is to use an open source tool called RITA.

The first step of the “manual way” was to open a Windows terminal as Administrator. I then opened an Ubuntu tab, as seen in the image below.

Next, I moved into the directory where the pcap file was stored and ran the following command (see below) to analyze the file with tcpdump. As stated in the lab instructions, “the -nA option tells tcpdump not to resolve names (n) and print the ASCII text of the packet (A).” The “-r” option allows us to read the file, and piping it through “less” allows us to view the data section by section.

sudo tcpdump -nA -r covertC2.pcap | less

Running this command opens a tcpdump session. The information displayed here is certainly not easy to parse if you are just getting started looking at pcap data. The interesting data here is the SYN packets that are all 30 seconds apart. To see the SYN packets, run the following command:

sudo tcpdump -r covertC2.pcap 'tcp[13] = 0x02'

This filters the data by showing “all packets with the SYN bit (0x02) set in the 13th byte offset in the TCP/IP header (tcp[13]).” This confirms that the packets are all 30 seconds apart. We can also grep any instances of “hidden” using the following command:

sudo tcpdump -nA -r covertC2.pcap | grep "hidden"

This returns some random-looking data ending in an “=” sign, the padding character typical of Base64-encoded data, which could be malicious or benign. Either way, it should prompt us to dig deeper into this data. In this case, the data turns out to be a malicious PowerShell command to “download and execute Powersploit, which then invokes a Metasploit Meterpreter on the system.”

Without a solid understanding of tcpdump and python, malicious code like this might go unnoticed on a network. An easier way to detect this type of code is by using an open source tool such as RITA.

The “beacons” tool in RITA sorts connections by the consistency of their “heartbeat.” A value of “1” is considered perfect, where a connection is happening at a consistent interval. The image above shows the destination IP of 138.197.117.74 with a nearly perfect “heartbeat score.” A consistent heartbeat is not inherently dangerous, but the egregious number of connections (4532) in this case is very suspicious. This is an indication of a beacon that is calling home to wait for commands from an attacker.
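The SYN-timing check done above by eye with tcpdump, and the kind of “heartbeat” consistency that RITA's beacons module scores, as an added Python example (not from the lab or the RITA project; the score here is a simplified heuristic, not RITA's algorithm). It parses tcpdump's default text output, keeps only SYN-only lines, and flags destinations contacted on a regular cadence; the sample lines are constructed and reuse the destination IP from the lab.

```python
import re
import statistics
from collections import defaultdict

# Default tcpdump text line: "HH:MM:SS.micro IP src.port > dst.port: Flags [S], ..."
# Only plain SYN lines match; a SYN-ACK shows as [S.] and is skipped, mirroring 'tcp[13] = 0x02'.
SYN_LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: Flags \[S\]")


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def syn_intervals(lines):
    """Map each destination IP to the gaps (seconds) between consecutive SYNs sent to it."""
    times = defaultdict(list)
    for line in lines:
        m = SYN_LINE.match(line)
        if m:
            times[m["dst"]].append(_seconds(m["ts"]))
    return {dst: [b - a for a, b in zip(t, t[1:])] for dst, t in times.items() if len(t) > 1}


def heartbeat_score(intervals, tolerance=0.1):
    """Fraction of gaps within +/- tolerance (relative) of the median gap; 1.0 is a perfectly regular cadence."""
    med = statistics.median(intervals)
    if med <= 0:
        return 0.0
    hits = sum(1 for gap in intervals if abs(gap - med) <= tolerance * med)
    return hits / len(intervals)


def find_beacons(lines, min_connections=4, min_score=0.9):
    """Destinations contacted at least min_connections times with a regular heartbeat."""
    found = {}
    for dst, gaps in syn_intervals(lines).items():
        score = heartbeat_score(gaps)
        if len(gaps) + 1 >= min_connections and score >= min_score:
            found[dst] = {"connections": len(gaps) + 1,
                          "interval": round(statistics.median(gaps), 1), "score": round(score, 2)}
    return found


# Constructed sample (not from covertC2.pcap): SYNs to 138.197.117.74 every 30 s, irregular traffic to 198.51.100.7.
SAMPLE = [
    "10:00:00.000000 IP 10.0.0.5.49152 > 138.197.117.74.443: Flags [S], seq 1, win 64240, length 0",
    "10:00:00.020000 IP 138.197.117.74.443 > 10.0.0.5.49152: Flags [S.], seq 9, ack 2, win 65535, length 0",
    "10:00:05.000000 IP 10.0.0.5.49153 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0",
    "10:00:07.000000 IP 10.0.0.5.49154 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0",
    "10:00:30.000100 IP 10.0.0.5.49155 > 138.197.117.74.443: Flags [S], seq 1, win 64240, length 0",
    "10:00:41.000000 IP 10.0.0.5.49156 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0",
    "10:01:00.000050 IP 10.0.0.5.49157 > 138.197.117.74.443: Flags [S], seq 1, win 64240, length 0",
    "10:01:30.000200 IP 10.0.0.5.49158 > 138.197.117.74.443: Flags [S], seq 1, win 64240, length 0",
    "10:02:00.000000 IP 10.0.0.5.49159 > 138.197.117.74.443: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    print(find_beacons(SAMPLE))
```

Feed it real output with `sudo tcpdump -n -r covertC2.pcap 'tcp[13] = 0x02'` piped to a file; the thresholds are assumptions to tune for your network.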

Another way to use RITA is to look at when specific requests are being made for certain domains. By clicking “DNS,” we can see that there were over 40,000 requests for a website called “nanobotninjas.” This is a strong indicator of a backdoor present on the network that is receiving (or waiting for) commands from an attacker.

Open source tools like RITA are great for visualizing data patterns over longer time spans. Understanding the data in this context allows defenders to see trends and take appropriate actions to protect their networks. You can learn more about RITA here. Thanks for reading!

What is the Log4j Vulnerability?

Log4j is a widely-used logging library for applications written in the Java programming language; it records what happens while a Java program runs. NPR spoke to Andrew Morris, founder and CEO of cyber intelligence firm GreyNoise, who described Log4j as “…a modular component that's used in many, many different kinds of software. And its job is... just basically recording things that happened and writing them to another computer somewhere else.” In December of 2021, Log4j was found to be vulnerable to remote code execution.

Put more simply, Log4j is a vulnerable logging library that allows attackers to take control of remote devices running Java software. This represents a severe security risk. Gadgets 360 quotes Amit Yoran, chief executive of the network security firm Tenable and founding director of the US Computer Emergency Readiness Team, as saying that "the Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade."

One of the most popular programs affected by this vulnerability is Minecraft. John Hammond, a noted cybersecurity researcher, recently posted a video showing how Log4j could be exploited in Minecraft, allowing a remote user to launch the calculator application on the victim's system (demonstrating that any other program or command could be run the same way). Tech Times posted an article detailing how Minecraft users can defend against this threat.

Unfortunately, Minecraft is not the only vulnerable software. Speaking to CNET, Nadir Izrael (CTO and co-founder of IoT security company Armis) said that “generally speaking, any consumer device that uses a web server could be running Apache. Apache is widely used in devices like smart TVs, DVR systems and security cameras. Think about how many of these devices are sitting in loading docks or warehouses, unconnected to the internet, and unable to receive security updates. The day they're unboxed and connected, they're immediately vulnerable to attack."

To mitigate this threat, users should continue to install all security patches and updates as soon as possible. As companies roll out patches to this vulnerability, it is important to stay on top of those updates!