<?xml version="1.0"?>
<Module projectID="1190" moduleID="1278">
	<ModuleName>mod4</ModuleName>
	<AU>mod4</AU>
	<Title>Client-Side Attacks</Title>
	<Subtitle>Client-Side Attacks</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod4/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>idsal4_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on client-side attacks. When you have completed this lesson, you will be able to describe some types of client-side attacks and explain the relationship between client traffic flow and the network firewall. You will also be able to identify some basic kinds of client-side attack surfaces and attack vectors and describe how attacks evade detection. There are six topics in this lesson. After you have completed the Introduction, you will learn what client-side attacks are, how they differ from server-side attacks, and why client-side attacks are on the rise. You will then learn about the large number of client-side attack surfaces and the role of social engineering in attacks. You will also learn about client-side attack vectors and how attackers use email campaigns and malware hosting as a means to carry out client-side attacks. Finally, you will learn how attackers evade detection, for example, how they can hide their attacks in plain sight, and ways attackers evade signature-based antivirus software. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 16. Lesson title: Client Side Attacks. Topic title: Introduction. Screen title: Objectives and Topics. Four lesson learning objectives display in support of audio. Six topics display. The first topic is titled Introduction. The second topic is titled Client Side Attacks Overview. The third topic is titled Attack Surfaces. The fourth topic is titled Attack Vectors. The fifth topic is titled Evading Detection. The sixth and final topic is titled Conclusion. A text box displays that states:  References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service, or agency for guidance on the use of these products. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Client-Side Attacks Overview</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What are Client-Side Attacks?</Title>
					<Subtitle/>
					<Filename>idsal4_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Client-side attacks are the most common way to carry out spamming, data theft, botnet infection, and other types of cyber crimes. Attackers cleverly get around protective firewalls and filters that are designed to control traffic coming into the network from the Internet. Their success depends on the ability to socially engineer users, who are inside the firewall, into initiating connections out through the firewall, thereby offering an invitation to the attacker back in through the security perimeter. Attackers try to trick users into clicking links, opening attachments and spam email, downloading malicious files, and visiting malicious websites. These kinds of user actions can cause the client machine to initiate Internet connections with malicious servers, process malicious data, and install malicious code. Once the attacker is invited inside the firewall, the attacker can gain access to personal or sensitive information or spread the infection to other systems. Despite the fact that client-side attacks are an extremely significant risk for information system security, security technology and infrastructure remains focused on protecting Internet exposed servers against direct remote attacks rather than implementing methodologies to mitigate client-side exploitation. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 16. Lesson title: Client Side Attacks. Topic title: Client Side Attacks Overview. Screen title: What are Client Side Attacks? Images of an attacker at a laptop and a user at his computer display. An image of a firewall with flames is added to the image of the user at his computer and a cloud labeled The Internet is displayed by the attacker. A line is drawn from the user to the attacker and then back from the attacker to the user through the firewall representing the attacker trying to trick the user. Text stem: Attackers trick users into; bullets in support of audio. Text stem: Users actions lead to; bullets in support of audio. Graphic showing the users name, password, and account number is displayed on top of the user. The name, password, and account number image moves along the lines from the user to the attacker. A line is drawn from the users computer to a computer network of three computers demonstrating the spread of infection to other systems. Text box displays: Client side attacks are a growing threat, yet security focuses on server side attacks. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Server-Side Attacks vs. Client-Side Attacks</Title>
					<Subtitle/>
					<Filename>idsal4_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's compare server-side attacks and client-side attacks. Server-side attacks are frontal attacks in which the attacker targets vulnerable listening services such as web, email, or DNS. Server-side attacks are not isolated to server class systems. Attacks can affect any machine with listening services such as client machines, mobile devices, printers, and networking devices. Client-side attacks occur from the inside-out where the attacker takes advantage of vulnerabilities in desktop applications. Web browsers and associated browser plug-ins are riddled with security vulnerabilities and expose users to significant risk. However, client-side targets are not limited to browsers and their related helper applications. Client-side targets include office productivity software; web and email clients; media players; document, image, and video readers; and instant messaging clients. Attackers typically leverage social engineering techniques to trick users into initiating Internet connections with malicious servers to process malicious data and install malicious code. This code targets client applications on the system, which gives the attacker access to sensitive information on the exploited system and provides a pivot point on the internal network. Once inside the security perimeter, the attacker is free to initiate additional client-side exploits. Server-class machines running client software are also susceptible to client-side exploits. Administrators or users check email, download and view manuals directly on the server itself, or do other general web surfing while updating applications or the operating system, providing attackers with potential avenues of entry for exploits. Before moving on, take a few moments to review server-side and client-side attacks. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 16. Lesson title: Client Side Attacks. Screen title: Server Side Attacks vs. Client Side Attacks. On the left, an image displays labeled Server Side Attacks that shows a person sitting at a desk in front of a computer labeled Vulnerable System. There is a red line connecting the Vulnerable System to a computer server image labeled Attacking System. Animated dots show data moving from the attacking system to the vulnerable system. Text stem: Attacks can affect; bullets in support of audio. On the right, a second image displays labeled Client Side Attacks that shows a copy of the same Vulnerable System from the first image with an animated line from the vulnerable system to a server image and then another line from the attacking system to the vulnerable system with the label Trick users into downloading malicious content. Text stem: Attackers target vulnerabilities in; bullets in support of audio. Image of a user at a computer with a virus detected warning on the screen of the monitor displays. The vulnerable system image in the Client Side attacks diagram glows to show an exploited system and three additional computers are displayed with lines connecting them to the exploited system to represent additional exploits. A server class computer displays with code scrolling on the monitor. An email inbox and web browser display on another monitor. At the end of the audio, a table displays showing attack direction, attack targets, and attack methods for both server side and client side attacks; explanation follows. Server side attacks occur from the outside in while client side attacks happen from the inside out. Server side attack targets are listening services, including web, email, and D N S, and machines including servers, client machines, mobile devices, printers, and networking devices. 
Client side attack targets are vulnerabilities in client applications, including web browsers and browser plug ins, office productivity software, web clients, email clients, media players, document image and video readers, and instant messaging. Server side attack methods breach the security perimeter. Client side attack methods use social engineering to trick users into accessing malicious data or files. Rollover 1 of 3. Rollover title: D N S. Domain name system. Rollover 2 of 3. Rollover title: Social engineering. Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack an enterprise. Rollover 3 of 3. Rollover title: Browser plug ins. Below is a list of commonly targeted browser plug-in type applications. The list is far from exhaustive: Java, Flash, Active X, Adobe Reader, Media Players, QuickTime, Windows Silverlight, Shockwave, Browser helper object, or B H O. A B H O is a plug in that runs automatically every time you start your Internet browser. A B H O can do almost anything, but generally, it will have something to do with helping you browse the Internet. Toolbars are a common kind of B H O.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Inside-Out Firewall</Title>
					<Subtitle/>
					<Filename>idsal4_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">One reason client-side attacks are successful is the lack of sufficient firewall protection. Conventional security prevention and monitoring architectures are designed with the mindset that the bad guys are on the outside and the good guys are on the inside. The focus is to prevent malicious activity from penetrating the security perimeter and getting inside the network. Proper DMZ design, firewall deployment, server hardening, robust OS level patching, and running network and host-based firewalls continue to decrease the occurrence of successful external server-side attacks. But because the outside-in security model presumes that threats will come only from externally initiated inbound traffic, firewall configurations generally have relaxed filter rules for outbound connections from the internal network. The outside-in security model is not good at defending against malicious client-side activities that result from internal outbound traffic. Once a connection is established, malicious traffic can flow in both directions, regardless of whether the connection is initiated from outside or inside the firewall. Attackers exploit this two-way traffic flow by injecting malware in responses to outbound traffic that is initiated by internal users or previously compromised computers inside the firewall and taking advantage of vulnerabilities in client software. The firewall has effectively been turned inside out. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 16. Lesson title: Client Side Attacks. Screen title: Inside Out Firewall. Images of an attacker at a laptop and a user at his computer display. The users computer monitor shows a symbol representing a compromised system. Next to the users computer is a display of three desktop machines with the same symbol on the monitors. There is a line connecting the attacker and the three machines. A series of images display from left to right as follows. First is an attacker at a laptop with a thought bubble showing three target computers labeled Untrusted. Next, is the image of a router labeled Boundary Router. Third, is an image of a firewall labeled External Firewall. Fourth, is the image of an S M T P Server labeled D M Z. Following the server is the image of a firewall labeled Internal Firewall. Finally, there is an image of a computer user labeled Trusted. A line extends from the untrusted attacker, through the Boundary Router to the External Firewall where the line turns in a different direction and is labeled Intrusion Detected. Text, Firewall Blocked Attack is displayed. A circle is drawn around the D M Z server image. The circle enlarges to include both the External and Internal Firewall images. Text stem: Decrease success of server side attacks through; bullets in support of audio. A line joins the text to the image of the trusted user. A box displays around the circle containing the two firewalls and the D M Z. An animated line is drawn from the trusted user, going through the internal firewall, D M Z, external firewall, and boundary router to the untrusted attacker to represent the relaxed firewall filter rules for outbound connections. Text displays in support of audio. An additional line is drawn from the attacker to the trusted user, passing through the router, firewalls and server showing traffic in both directions. Data is animated passing along the two lines with symbols representing malware. 
Text displays in support of audio. Rollover 1 of 1. Rollover title: Outside In Security Model. Preventing server side attacks requires proper demilitarized zone, or D M Z design, firewall deployment, server hardening, O S patching, network firewalls, and host based firewalls.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Client-Side Attacks Evade Conventional Security Measures</Title>
					<Subtitle/>
					<Filename>idsal4_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Once the security perimeter is breached, there are fewer internal security controls. Consider this typical scenario. A user initiates a connection with a public web server by opening a browser, typing in a URL, clicking on a link, or opening a bookmark. The client machine makes an outbound connection through the firewall and boundary router and across the untrusted network to the web server. Because it is outbound on port 80, the firewall allows the outbound traffic with little or no filtering. A two-way connection is established, and an attacker is free to push down all types of malicious data to the client. More often than not, there are no firewalls within the internal network. The IDSes are not configured for directional flow to effectively detect malicious traffic. And, IDSes do not have visibility into the various internal networks beyond the gateway. Security is largely dependent on the patch level of the client applications, anti-virus, and host-based IDSes. The way security prevention and monitoring devices are typically deployed makes it difficult to protect against client-side attacks. The ability to evade classic firewall filters, IDS configurations, and other security mechanisms coupled with pivoting increases the opportunity for server-side attacks. Once an attacker is inside the security perimeter, the server-side attack surface increases significantly. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 16. Lesson title: Client Side Attacks. Screen title: Client Side Attacks Evade Conventional Security Measures. Images of Untrusted Attacker, Boundary Router, External Firewall, S M T P Server D M Z, Internal Firewall, and the Trusted User are reprised from previous screen with the lines showing two way traffic and the symbols showing malware. Text stem: Typical scenario; bullets in support of audio. A box displays around the two firewalls, the D M Z server, and the boundary router. Text, ability to evade security mechanisms coupled with pivoting opens the door for server side attacks, displays as a call out from the DMZ. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Attack Surfaces</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What is an Attack Surface?</Title>
					<Subtitle/>
					<Filename>idsal4_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">An attack surface is defined as an entry point into a system, network, or application that an adversary can leverage to potentially cause harm. The attack surface associated with client-side attacks is vast, and includes many different components normally leveraged for legitimate purposes. The client operating system is the first and most obvious source of vulnerabilities, but the attack surface includes all client-based applications. Office productivity applications such as Microsoft Office and OpenOffice, third-party applications like media players and the Adobe family of products, web access tools, and email clients are all points of exposure. Any application that parses or processes data or files is at risk for compromise. Currently, web traffic comprises the vast majority of data transferred, so all of the software that helps the browser display content is of particular concern. And with so many web browser extensions available, web related software is notoriously difficult to patch completely. Miss a patch and any of these client software targets has the potential to lead to a compromise of the client machine. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 16. Lesson title: Client Side Attacks. Topic title: Attack Surfaces. Screen title: What is an Attack Surface? Text displays in support of audio. The following sixteen icons display representing entry points into a system: Open Office, Real Player, bing, Google Toolbar, Microsoft Outlook 2010, Gmail by Google, Microsoft Office, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Quick Time, Adobe Acrobat, Adobe Flash, Adobe Shockwave, Microsoft Silverlight, and Java. Icons are highlighted and grouped as narrator addresses them. Bandages labeled patch are overlaid on most icons. Those without patches are highlighted to represent possible compromises. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Human Vulnerabilities</Title>
					<Subtitle/>
					<Filename>idsal4_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Client-side attacks typically require human interaction and often play on a person's inherent tendency toward trust. Attackers use social engineering tactics to exploit this tendency. Attackers also know that many users are unaware of the security issues related to client-side vulnerabilities. These factors, plus human error, create the human attack surface. Phishing and spear phishing are two common tactics used by attackers that leverage social engineering and lack of user awareness. In a phishing exploit, attackers attempt to acquire sensitive information from users. They typically send cleverly worded emails with attachments that contain malicious code, or emails with text and hyperlinks related to a popular news story or event, a promise of financial gain, or rogue security tools in an attempt to get users to click links to malicious web sites. A recent trend, similar to phishing, is SMiShing, where attackers send text messages that appear to be from a reputable source, such as a bank. Many users are not aware that mobile devices present a serious challenge to data security. Another recent technique involves attackers hijacking accounts on social networking sites to spread malware or spyware. Consider this example. An attacker hijacks your friend's Facebook account and then sends you a link to a video supposedly posted by your friend. Click the link and the attacker can do any number of things. It may be a harmless prank, or an attempt to download malicious code. While there are many ways attackers use social engineering to exploit users, a third trend to be familiar with is &quot;search engine optimization poisoning&quot; where attackers use a variety of techniques to achieve higher search rankings for a given website. What the attacker is attempting to do is to manipulate users into visiting a specific website. 
Client-side vulnerabilities make for the easiest entry point into a network or potential source of access to sensitive information. With users facing such an array of social engineering scams and attacks, a key variable in preventing client-side attacks is modifying user behavior through user awareness training, education about security issues, and clear, well-defined security policies. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 16. Lesson title: Client Side Attacks. Screen title: Human Vulnerabilities. Images of attacker at a laptop and user at a computer display. Text stem: Human attack surface exists because of; bullets in support of audio. A fishing rod displays from the attacker to the users computer monitor. An email with a hook through it, labeled Important Information for You! animates from the users computer. As a callout from the email, text displays: phishing often uses email to obtain sensitive information. Image of a cell phone displays with a definition of smishing. Next to the attacker the image of a web page labeled Social Network displays with overlaid text: Hijacked. A line extends from the attackers laptop to the users computer representing the video link sent. Happy faces appear on users monitor to represent harmless prank and malware symbol appears to show attempt to download malicious code. Images on users monitor are replaced by image of an internet search engine. Image of search engine is also enlarged on the opposite side of the screen. Text stem: Preventing client side attacks requires; bullets in support of audio. Sample search results display on search page. Social Networking image is reprised. Text displays in support of audio. Rollover 1 of 3. Rollover title: Smishing. Smishing utilizes Short Message Service or S M S text messaging. Attackers send text messages that appear to be from a reputable source, such as a bank. Rollover 2 of 3. Rollover title: Phishing. Phishing is a social engineering technique used by attackers to acquire sensitive information such as user names, passwords, and credit card details. It is usually carried out by email or instant messaging. Spear phishing is an attack targeted at a specific person or group of people, often high profile individuals. Rollover 3 of 3. Rollover title: Search Engine Optimization, or S E O. 
In an attempt to manipulate users into visiting a specific website, attackers use search engine optimization poisoning. Black hat S E O is the method of using unethical S E O techniques in order to obtain a higher search ranking. These techniques include things like keyword stuffing, cloaking, and link farming, which are used to game the search engine algorithms. Source: Doshi, Nishat. September 1, 2010. I Frames, Please Make Way for S E O Poisoning. Symantec. H T T P : // www dot Symantec dot com / connect / blogs / I frames dash please dash make dash way dash s e o dash poisoning.  </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Reducing Attack Surface</Title>
					<Subtitle/>
					<Filename>idsal4_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The only way to truly reduce the attack surface is to eliminate the potential targets of an attacker by disabling unneeded services, disabling features in applications, and removing non-business essential applications. It's akin to hardening a server for deployment on a DMZ. There would still be more than enough applications deemed business essential to provide for an ample attack surface. We mitigate this issue through patching. Client application patching is a challenge because there are so many third party software vendors and products deployed in a typical IT environment. It's extremely difficult to achieve 100 percent patch coverage. Administrators must patch the OS along with every application, plug-in, and extension to cover all potential vulnerabilities while an attacker needs only to find one chink in the armor. If a single patch is missed in the browser, for example, the browser becomes a point of exposure for the network. The user may surf to a website that could cause the client to download malicious code and, in turn, compromise the browser. From there, the attacker could compromise the client machine and assets on the network. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 16. Lesson title: Client Side Attacks. Screen title: Reducing Attack Surface. Sixteen icons display representing entry points into a system are reprised. One by one they are removed from the screen to represent disabling unneeded services, features in applications, and removing non business essential applications. The only three remaining icons are Microsoft Outlook 2010, Microsoft Office and Microsoft Internet Explorer. Shields display over remaining icons to represent patching. Original sixteen icons are reprised and patches stay with the three Microsoft icons. More patches are added. Text displays in support of audio. Icons glow in red where they are exposed between the patches to represent vulnerabilities. The Mozilla Firefox icon is highlighted as a point of exposure. Text box displays: Miss one patch and attacker could compromise the client machine and assets on the network. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Attack Vectors</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What is an Attack Vector?</Title>
					<Subtitle/>
					<Filename>idsal4_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In order for an adversary to be able to exploit a vulnerability, there must be some means for him to introduce code that takes advantage of that vulnerability. Attack vectors are methods or paths for delivering the malicious code. These vectors range from technical methods, such as code injection and cross-site scripting, to social engineering methods, such as phishing scams and email attachments. Attackers typically leverage social engineering to trick users into initiating Internet connections with malicious servers and processing maliciously crafted content with the vulnerable application. The two primary client-side attack vectors are emailing malicious content and hosting malicious content on a website. Many variations upon these simple themes exist. First, we will look at email. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 16. Lesson title: Client Side Attacks. Topic title: Attack Vectors. Screen title: What is an Attack Vector? Images of an attacker at a laptop and a user at a laptop display with a firewall between them. A line animates between the two. A second line animates from the attacker to the user representing an exploited vulnerability. Text stem: Examples of attack vectors; bullets in support of audio. Text stem: Two primary client side attack vectors; bullets in support of audio. Rollover 1 of 3. Rollover title: Code Injection. Code injection is the insertion of custom code, typically malicious, directly into a program, script, or application to be rendered or processed by that application as a method to exploit the victim machine. Rollover 2 of 3. Rollover title: Cross Site Scripting. Cross site scripting, or X S S, attacks insert or modify scripts, such as Java Script, H T M L, Flash, Active X, or V B Script, that are embedded on a web page and are executed on the client side, in the users browser. Rollover 3 of 3. Rollover title: Leverage Social Networking. The success of social networking is dependent upon trust relationships and people publishing information in public or semi public spaces on the Internet. Attackers leverage these trust relationships and the relatively open nature of social networking sites to target victims. The targeting can take many forms, but is often accomplished by exploiting an individual trusted by the victim or trying to establish a trust relationship with the victim directly.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Attack Vectors - Email</Title>
					<Subtitle/>
					<Filename>idsal4_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">One way to carry out a client-side attack is through an email campaign. The simplest and most straightforward approach is to send a malicious executable or script directly to the victim as an attachment. Upon executing the attachment, the victim machine is compromised by the exploit code run directly by the user. This approach is less likely to be successful in modern organizations as most mail filtering software disallows executable attachments. However, there is a variation on sending executable content that is often successful. Rather than sending a standalone executable or script, many client-side attacks will embed these executables or scripts within a seemingly innocuous attached document. The most common example is attaching an MS Office document that includes malicious Visual Basic for Applications, or VBA, code. The code executes when the document is opened. A variation of this type of exploit is using the document itself to carry out the client-side attack campaign. Instead of embedding executables as the malicious content, the document is designed to be malicious. This is called a file format attack. This type of attack involves maliciously crafted documents that, when rendered by the associated application such as Word or Adobe Reader, exploit vulnerabilities. Instead of running embedded malicious code, the goal is the exploitation of a vulnerability in the application itself. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 16. Lesson title: Client Side Attacks. Screen title: Attack Vectors, Email. Image of the globe displays with multiple email images spread across the globe. Text displays: Email campaign: basic means of conducting client side attack. Text displays in support of audio. Malware symbol is added to all but one email image. One email is labeled Email Blocked. Text displays in support of audio. Rollover 1 of 4. Rollover title: E X E. E X E is a filename extension denoting an executable file. It is most commonly identified with Microsoft based systems. Rollover 2 of 4. Rollover title: V B S. V B S is a common file extension for executable Visual Basic scripts written using the V B Script scripting language. Rollover 3 of 4. Rollover title: P D F. Portable Document Format; most commonly associated with Adobe Acrobat. Rollover 4 of 4. Rollover title: file format attack. File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Attack Vectors - Hosting</Title>
					<Subtitle/>
					<Filename>idsal4_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As with email-based client-side exploits, the success of a web-based attack vector, for example malware hosting, is often dependent upon an element of social engineering. Consider this example. An attacker hijacks a social networking personal page. A user receives a link to a video in an email, or via Facebook, or perhaps through instant messaging from a &quot;long lost&quot; friend. The user selects the link, which opens a page with an embedded video player. The user launches the video and a popup appears on the screen warning that the proper codec must be downloaded to watch the video. The user wants to watch the video and so downloads the codec. But after the new codec is installed, the video doesn't play. What happened? Why doesn't the video play? By selecting the option to download the codec, the user unwittingly installed malicious software on the system. This could be a keylogger or a backdoor program. Once the user downloads and runs the program, the malware controls the client machine. Even if the user suspected something was not quite right when the popup appeared and decided against downloading the codec, simply launching the friend's video could trigger a series of browser-based attacks.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 16. Lesson title: Client Side Attacks. Screen title: Attack Vectors, Hosting. Image of globe displays with five computer users sitting at desks spread across the globe. Text box displays: Malware hosting, attacker entices user to download and execute malicious code. Four computer users are removed from the globe and an attacker at a laptop displays. Image of webpage labeled Social Network displays with an email. Text of email reads, Message: I haven't seen you in forever! Check out my video to see what I've been up to. A link displays. A video screen labeled Video displays. Play button is highlighted in video. Pop up message displays: To view the video, you need the updated version of Media Player. Download button displays. Progress bar showing video download progress animates. Video screen is all black. Question mark in thought bubble appears next to the computer user. Malware symbol displays on user's computer and black video screen. Four previous computer users are reprised as attackers with malware symbols on their monitors and lines showing the connection of their computers. Text box displays describing a typical attack scenario. The attacker hijacks a person's webpage and inserts malicious script in a webpage. The user downloads a codec to view content and installs malicious code. Examples are keylogging and back door programs. Rollover 1 of 3. Rollover title: Codec. Codec is coder decoder software that compresses, or encodes, and decompresses, or decodes, data, most commonly digital media. Rollover 2 of 3. Rollover title: Keylogger. A keylogger is a hardware device or software designed to capture keystrokes input by the user on the keyboard. Rollover 3 of 3. Rollover title: Backdoor Program. A backdoor program is a means to access or maintain access to an application or system that bypasses security controls.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Attack Vectors - Hosting Continued</Title>
					<Subtitle/>
					<Filename>idsal4_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Another way malicious code is spread is through drive-by downloads. The user doesn't have to click a link or install a program. The person only has to visit the associated web page in order for the malicious code to be installed on the client machine. Drive-by downloads often install keyloggers to steal passwords and login information. A drive-by download can also be accomplished through script injection. An example is cross-site scripting, or XSS. The attacker inserts or modifies scripts, such as JavaScript, HTML, Flash, ActiveX, or VBScript, that are embedded on an otherwise trusted web page and are executed on the client side, in the user's browser. For example, the attacker infects a legitimate website with a malicious script. This could be any website, such as a bank's. The script is executed in the client browser when the user visits the infected web page. The malicious script then redirects the user to a fraudulent look-alike page. A cookie is sent to the attacker's site, which gives the attacker access to the user's account and allows the attacker to hijack the user's session. Some script injection attacks attempt to trick users into thinking they are entering information and making legitimate transactions. After the user enters login information, the attacker has access to the account. In addition to accessing user accounts on attacked websites, attackers can use script injection to add advertising to web pages, change user settings, create JavaScript popups to take control of the user's browser, and redirect the user to malicious sites.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 16. Lesson title: Client Side Attacks. Screen title: Attack Vectors, Hosting Continued. Images of globe and five users with malware symbols are reprised. Text stem: Drive by download, bullets in support of audio. One user at computer is enlarged and banking website appears on his monitor. Text stem: Typical scenario, bullets in support of audio example. Login and password information displays on user's monitor. Text stem: Script injection can, bullets in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Evading Detection</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Tactics</Title>
					<Subtitle/>
					<Filename>idsal4_13</Filename>
					<PageNbr>13</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To be successful, attackers need to ensure that their attacks are designed to succeed AND are not discovered. To decrease the chance of discovery, one tactic that proves extremely successful is to simply hide the attack in plain sight. Attackers do this by designing the initial attack and the subsequent command and control code so the attack can travel over normal communication channels. Attacks are crafted to blend in with normal web and email traffic and evade security protections, like antivirus software and intrusion detection systems. An additional method often employed by adversaries is the use of encrypted channels for communication. Merely launching attacks over HTTPS on port 443 will often be enough to evade the majority of network-based detection and prevention technologies. Encryption only helps evade network devices. Host-based countermeasures and diligent system administrators can still detect or prevent encrypted attacks. To evade this detection, attackers often use rootkit style functionality to hide the malware from even savvy system administrators. Malware capability is becoming more sophisticated. Attackers can create attacks that bypass or even disable the client's host-based firewall, antivirus engine, host intrusion prevention, and application whitelisting capabilities.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 16. Lesson title: Client Side Attacks. Topic title: Evading Detection. Screen title: Tactics. A server labeled Origination Host, malicious, displays on left side of the screen and a server labeled Destination Host displays on the right. An animated line connects the two servers showing data moving from the origin to the destination. Text stem: Tactic; bullet in support of audio. Circles with code inside replace the line joining the two servers. Most are outlined in green, harmless, but three are red, malicious. Malicious code circles enlarge and green circles are added to the red outlines. Green outline is removed from the malicious code and padlocks labeled Encrypted are overlaid. Padlocks are replaced with toolboxes labeled Rootkit on malicious code. Malicious code circles are returned to regular size and put back in line with the harmless code. A firewall displays just before the destination host server. Line of code animates from malicious host to destination host and causes firewall to explode. Text appears as follows. Attackers craft attacks to evade detection by: One, hiding in plain sight. Example, blend malicious code in with normal web and email traffic. Two, using encrypted channels for communication. Example, launch attack over H T T P S on port 4 4 3. Three, using rootkit style functionality to hide malware. And four, creating sophisticated malware that can bypass or disable the client's host based firewall, antivirus engine, host intrusion prevention and application whitelisting capabilities. Rollover 1 of 1. Rollover title: Whitelisting. Whitelisting is a technique that specifies the domains allowed from trusted to untrusted networks, or the applications and file types permitted to run on a system.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Evading Antivirus and Intrusion Detection Systems</Title>
					<Subtitle/>
					<Filename>idsal4_14</Filename>
					<PageNbr>14</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Attackers can also easily design malware to evade detection by signature-based antivirus software, and update the malware when antivirus vendors do begin successfully detecting it. Various methods can be employed to attempt to bypass signature-based antivirus and intrusion detection systems. Methods include using compilers and custom packers, which both hide strings and make reverse engineering of the malware more difficult, and leveraging polymorphic malware that changes rapidly enough to render even recently created signatures outdated. Attackers can send the attack over heavily fragmented or segmented traffic in an attempt either to overwhelm the IDS or to fill its buffers so that important code must be discarded. Or, the attacker may simply hope that the client has poor fragmentation and segmentation handlers that are prone to false negatives. Attackers can also use one compromised host to attack internal hosts within the same organization. This last technique is called pivoting. When an attacker uses pivoting, the attack often goes undetected, as most security architectures are designed with the external threat in mind. It's very difficult, if not impossible, to trace client-side attack sources using only technical methods. Attackers have sophisticated ways to cover their tracks, which include invading poorly secured computers and then using the infected systems to spawn more attacks anywhere in the world. Attackers can also spoof the source addresses of packets to hide the sender's actual identity. Most security and monitoring architectures are designed with an external attacker in mind, rather than an internally compromised host. Successful attacks can remain unnoticed for long periods of time. Once an attacker gains control of an internal host, detection becomes even more difficult. All these factors make client-side attacks an attractive way for cyber criminals to operate.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 16. Lesson title: Client Side Attacks. Screen title: Evading Antivirus and Intrusion Detection Systems. Malicious Origination Host and Destination Host server images and code images between the two are reprised from the previous screen. Text stem: Ways to create malware that evades signature based antivirus software; bullets in support of audio. Text stem: Ways attackers cover their tracks; bullets in support of audio. Text, most security and monitoring architectures are designed with an external attacker in mind, displays with a warning symbol. Rollover 1 of 1. Rollover title: I D S. Intrusion Detection System.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsal4_15</Filename>
					<PageNbr>15</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Client-side exploits require users to carry out an action, so attackers leverage social engineering techniques to trick users into initiating Internet connections.</Txt>
							<Response>
								<Txt>True, for statement: Client-side exploits require users to carry out an action, so attackers leverage social engineering techniques to trick users into initiating Internet connections.</Txt>
							</Response>
							<Response valid="true">
								<Txt>False, for statement: Client-side exploits require users to carry out an action, so attackers leverage social engineering techniques to trick users into initiating Internet connections.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. User behavior often leads to successful attacks, such as phishing attacks. However, some client applications automatically download Internet content. An example is a drive-by download. The user only has to visit the associated web page in order for the malicious code to be installed on the client machine.</DfltCorrect>
								<DfltIncorrect>Incorrect. User behavior often leads to successful attacks, such as phishing attacks. However, some client applications automatically download Internet content. An example is a drive-by download. The user only has to visit the associated web page in order for the malicious code to be installed on the client machine.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Pivoting is an effective way for attackers to evade detection and increases the opportunity for server-side attacks.</Txt>
							<Response valid="true">
								<Txt>True, for statement: Pivoting is an effective way for attackers to evade detection and increases the opportunity for server-side attacks.</Txt>
							</Response>
							<Response>
								<Txt>False, for statement: Pivoting is an effective way for attackers to evade detection and increases the opportunity for server-side attacks.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. After gaining an initial foothold via one compromised machine on a network, the attacker can use pivoting to attack other systems on that network. The attacker can initiate server-side attacks against other systems on the internal network.</DfltCorrect>
								<DfltIncorrect>Incorrect. After gaining an initial foothold via one compromised machine on a network, the attacker can use pivoting to attack other systems on that network. The attacker can initiate server-side attacks against other systems on the internal network.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Any software that helps the browser display Web page content is part of the attack surface.</Txt>
							<Response valid="true">
								<Txt>True, for statement: Any software that helps the browser display Web page content is part of the attack surface.</Txt>
							</Response>
							<Response>
								<Txt>False, for statement: Any software that helps the browser display Web page content is part of the attack surface.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Anything that will help your browser display content that Web developers put in their Web pages is a potential vulnerability, and can lead to complete compromise of the client machine.</DfltCorrect>
								<DfltIncorrect>Incorrect. Anything that will help your browser display content that Web developers put in their Web pages is a potential vulnerability, and can lead to complete compromise of the client machine.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Attackers use compilers and custom packers to hide strings to evade signature-based antivirus software.</Txt>
							<Response valid="true">
								<Txt>True, for statement: Attackers use compilers and custom packers to hide strings to evade signature-based antivirus software.</Txt>
							</Response>
							<Response>
								<Txt>False, for statement: Attackers use compilers and custom packers to hide strings to evade signature-based antivirus software.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Attackers attempt to bypass signature-based antivirus and intrusion detection systems through a variety of methods. They can use compilers and custom packers to both hide strings and also make reverse engineering of malware more difficult.</DfltCorrect>
								<DfltIncorrect>Incorrect. Attackers attempt to bypass signature-based antivirus and intrusion detection systems through a variety of methods. They can use compilers and custom packers to both hide strings and also make reverse engineering of malware more difficult.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Proper DMZ design, firewall deployment, server hardening, and robust OS level patching can effectively stop client-side attacks from occurring.</Txt>
							<Response>
								<Txt>True, for statement: Proper DMZ design, firewall deployment, server hardening, and robust OS level patching can effectively stop client-side attacks from occurring.</Txt>
							</Response>
							<Response valid="true">
								<Txt>False, for statement: Proper DMZ design, firewall deployment, server hardening, and robust OS level patching can effectively stop client-side attacks from occurring.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Conventional security measures presume that threats will come only from externally initiated inbound traffic. This outside-in model is not good at defending against malicious traffic that results from internal outbound connections. Attackers exploit the fact that firewall configurations generally have relaxed filter rules for outbound connections from the internal network.</DfltCorrect>
								<DfltIncorrect>Incorrect. Conventional security measures presume that threats will come only from externally initiated inbound traffic. This outside-in model is not good at defending against malicious traffic that results from internal outbound connections. Attackers exploit the fact that firewall configurations generally have relaxed filter rules for outbound connections from the internal network.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Attackers can hide attacks in plain sight by using encrypted channels for communication, using rootkit style functionality to hide malware, and designing the initial attack code to travel over normal communication channels.</Txt>
							<Response valid="true">
								<Txt>True, for statement: Attackers can hide attacks in plain sight by using encrypted channels for communication, using rootkit style functionality to hide malware, and designing the initial attack code to travel over normal communication channels.</Txt>
							</Response>
							<Response>
								<Txt>False, for statement: Attackers can hide attacks in plain sight by using encrypted channels for communication, using rootkit style functionality to hide malware, and designing the initial attack code to travel over normal communication channels.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. To decrease the chance of discovery, attackers can use any of these methods to evade detection. Another method is to create an attack that bypasses or even disables the client's host-based firewall, antivirus engine, host intrusion prevention, and application whitelisting capabilities.</DfltCorrect>
								<DfltIncorrect>Incorrect. To decrease the chance of discovery, attackers can use any of these methods to evade detection. Another method is to create an attack that bypasses or even disables the client's host-based firewall, antivirus engine, host intrusion prevention, and application whitelisting capabilities.</DfltIncorrect>
							</Feedback>
						</Question>
						
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your knowledge of the variables at play in client-side attacks. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 16. Lesson title: Client Side Attacks. Screen title: Knowledge Check. There are 6 statements with two possible answer columns: the True column and the False column. Use your keyboard to cycle through the list of options.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>idsal4_16</Filename>
					<PageNbr>16</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the Client-Side Attacks lesson. You should now be able to describe some types of client-side attacks and explain the relationship between client traffic flow and the network firewall. You should also be able to identify some basic kinds of client-side attack surfaces and attack vectors and describe how attacks evade detection. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 16 of 16. Lesson title: Client Side Attacks. Topic title: Conclusion. Screen title: Summary and Conclusion. Lesson objectives display in support of audio. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
