WEBVTT

1
00:00:00.000 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:04.500
we will learn about Malicious Code Attacks.

3
00:00:04.500 --> 00:00:06.090
Malicious code attacks

4
00:00:06.090 --> 00:00:10.710
are the insertion of harmful software or code into a system

5
00:00:10.710 --> 00:00:15.450
to disrupt, steal, or manipulate data and operations.

6
00:00:15.450 --> 00:00:18.360
Malicious code attack concepts include

7
00:00:18.360 --> 00:00:20.280
implants and poisoning.

8
00:00:20.280 --> 00:00:23.310
Implants are malicious code or hardware

9
00:00:23.310 --> 00:00:26.790
inserted into a system, often stealthily.

10
00:00:26.790 --> 00:00:30.750
Implants may be used to create a persistent backdoor

11
00:00:30.750 --> 00:00:34.800
that attackers can use for ongoing access and control

12
00:00:34.800 --> 00:00:36.210
to a machine.

13
00:00:36.210 --> 00:00:37.830
Next, poisoning occurs

14
00:00:37.830 --> 00:00:40.890
when attackers tamper with the data or environment

15
00:00:40.890 --> 00:00:44.580
used by a system to manipulate its behavior.

16
00:00:44.580 --> 00:00:47.760
Let's learn more about implants and poisoning.

17
00:00:47.760 --> 00:00:49.890
First, we have implants.

18
00:00:49.890 --> 00:00:53.100
Implants are a type of malicious code attack

19
00:00:53.100 --> 00:00:56.220
where an attacker inserts a persistent back door

20
00:00:56.220 --> 00:01:00.420
or unauthorized code into a system, allowing continuous,

21
00:01:00.420 --> 00:01:02.520
often stealthy access.

22
00:01:02.520 --> 00:01:05.790
Implants can take the form of software, firmware,

23
00:01:05.790 --> 00:01:08.730
or even hardware that hides within a system

24
00:01:08.730 --> 00:01:12.990
to provide attackers with a remote connection and control.

25
00:01:12.990 --> 00:01:17.400
Implants are particularly dangerous because once implanted,

26
00:01:17.400 --> 00:01:20.910
they may remain undetected for extended periods,

27
00:01:20.910 --> 00:01:24.960
giving attackers repeated access to sensitive information

28
00:01:24.960 --> 00:01:27.600
or the ability to manipulate the system

29
00:01:27.600 --> 00:01:29.820
over a long period of time.

30
00:01:29.820 --> 00:01:33.870
The use of implants is common in advanced persistent threat

31
00:01:33.870 --> 00:01:36.360
tactics, techniques, and procedures.

32
00:01:36.360 --> 00:01:39.420
A software implant could be a malicious script

33
00:01:39.420 --> 00:01:42.030
hidden within a legitimate application.

34
00:01:42.030 --> 00:01:44.340
For example, imagine a scenario

35
00:01:44.340 --> 00:01:47.070
where an attacker gains access to a server

36
00:01:47.070 --> 00:01:50.490
and injects code that creates a hidden back door,

37
00:01:50.490 --> 00:01:54.840
allowing remote access every time the application runs.

38
00:01:54.840 --> 00:01:58.410
A simple Python implant might look like this.

39
00:01:58.410 --> 00:02:02.130
This is a code snippet, not the entirety of the code

40
00:02:02.130 --> 00:02:03.600
that would be processed.

41
00:02:03.600 --> 00:02:05.460
In the example on the screen,

42
00:02:05.460 --> 00:02:08.490
the implant_backdoor function

43
00:02:08.490 --> 00:02:10.980
collects environmental variables,

44
00:02:10.980 --> 00:02:12.780
which could include credentials

45
00:02:12.780 --> 00:02:15.210
and sends them via a POST request

46
00:02:15.210 --> 00:02:17.850
to the myattackersite.com

47
00:02:17.850 --> 00:02:22.200
every time the process_data function is called,

48
00:02:22.200 --> 00:02:25.050
making the implant difficult to detect

49
00:02:25.050 --> 00:02:28.110
because it's embedded in the application's flow.

50
00:02:28.110 --> 00:02:31.410
So to mitigate implant vulnerabilities,

51
00:02:31.410 --> 00:02:35.100
organizations should employ rigorous code reviews,

52
00:02:35.100 --> 00:02:37.320
especially when dealing with code

53
00:02:37.320 --> 00:02:40.650
from external or unverified sources.

54
00:02:40.650 --> 00:02:44.873
Additionally, endpoint monitoring tools such as OSSEC,

55
00:02:45.780 --> 00:02:49.170
CrowdStrike and Carbon Black should be employed

56
00:02:49.170 --> 00:02:52.170
to detect unusual system behavior.

57
00:02:52.170 --> 00:02:55.980
Finally, regular integrity checks on critical files

58
00:02:55.980 --> 00:02:58.680
and configurations should be conducted

59
00:02:58.680 --> 00:03:03.300
to uncover unauthorized and malicious code modifications.

60
00:03:03.300 --> 00:03:05.190
Second, we have poisoning.

61
00:03:05.190 --> 00:03:07.230
Poisoning is a malicious attack

62
00:03:07.230 --> 00:03:08.850
where an attacker manipulates

63
00:03:08.850 --> 00:03:13.140
the data or environment of a system to alter its behavior

64
00:03:13.140 --> 00:03:15.930
or produce incorrect outcomes.

65
00:03:15.930 --> 00:03:19.680
Poisoning often targets data-driven systems such as

66
00:03:19.680 --> 00:03:22.230
machine learning models or databases

67
00:03:22.230 --> 00:03:25.650
and feeds them manipulated or misleading data.

68
00:03:25.650 --> 00:03:29.670
This type of attack can degrade the system's accuracy

69
00:03:29.670 --> 00:03:32.400
or cause it to behave unpredictably,

70
00:03:32.400 --> 00:03:35.430
which is particularly harmful in applications

71
00:03:35.430 --> 00:03:39.570
where accuracy and reliability are particularly important,

72
00:03:39.570 --> 00:03:43.230
like in security software or financial models.

73
00:03:43.230 --> 00:03:46.710
An example of poisoning occurs in machine learning

74
00:03:46.710 --> 00:03:50.910
where an attacker intentionally introduces malicious data

75
00:03:50.910 --> 00:03:53.100
into a model's training set.

76
00:03:53.100 --> 00:03:55.710
For instance, consider an email filter,

77
00:03:55.710 --> 00:04:00.360
trained to detect spam based on a data set of email samples.

78
00:04:00.360 --> 00:04:02.130
If the attacker gains access

79
00:04:02.130 --> 00:04:05.010
and injects benign-looking spam emails

80
00:04:05.010 --> 00:04:06.420
into the training data,

81
00:04:06.420 --> 00:04:09.030
the model could learn to become less effective

82
00:04:09.030 --> 00:04:10.920
at identifying spam.

83
00:04:10.920 --> 00:04:13.980
In code, a simplified poisoning script snippet

84
00:04:13.980 --> 00:04:15.690
might look like this.

85
00:04:15.690 --> 00:04:18.457
In the example on the screen, the email,

86
00:04:18.457 --> 00:04:20.490
"Discount offer just for you!"

87
00:04:20.490 --> 00:04:22.320
is mislabeled as ham,

88
00:04:22.320 --> 00:04:26.130
which is a term used for legitimate nonspam emails.

89
00:04:26.130 --> 00:04:28.380
This mislabeling is intentional

90
00:04:28.380 --> 00:04:30.660
and designed to confuse the model

91
00:04:30.660 --> 00:04:34.410
by training it to misclassify similar spam messages

92
00:04:34.410 --> 00:04:35.490
as legitimate.

93
00:04:35.490 --> 00:04:39.030
Over time, if enough misleading labels like this

94
00:04:39.030 --> 00:04:42.450
are introduced, the model's accuracy will degrade,

95
00:04:42.450 --> 00:04:45.660
making it more likely to allow spam messages

96
00:04:45.660 --> 00:04:47.970
into users' inboxes.

97
00:04:47.970 --> 00:04:51.990
Poisoning attacks like this can be particularly damaging

98
00:04:51.990 --> 00:04:53.970
in real-world applications

99
00:04:53.970 --> 00:04:57.690
as they can alter the model's behavior in subtle ways

100
00:04:57.690 --> 00:05:01.650
that accumulate and result in significant vulnerabilities.

101
00:05:01.650 --> 00:05:05.820
Such attacks may lead to poor performance in spam detection,

102
00:05:05.820 --> 00:05:09.840
allowing harmful or fraudulent messages to bypass filters

103
00:05:09.840 --> 00:05:11.760
and reach end users.

104
00:05:11.760 --> 00:05:13.980
So to protect against poisoning,

105
00:05:13.980 --> 00:05:17.280
it's essential to control access to training data,

106
00:05:17.280 --> 00:05:20.580
ensuring only trusted sources can modify it.

107
00:05:20.580 --> 00:05:23.400
Next, employing data validation checks

108
00:05:23.400 --> 00:05:27.270
can also help detect abnormal patterns in the data.

109
00:05:27.270 --> 00:05:30.060
Finally, monitoring the model's performance

110
00:05:30.060 --> 00:05:32.550
for sudden shifts or accuracy drops

111
00:05:32.550 --> 00:05:34.890
can indicate possible poisoning.

112
00:05:34.890 --> 00:05:38.400
And retraining the models with clean, validated data

113
00:05:38.400 --> 00:05:40.920
helps maintain system integrity.

114
00:05:40.920 --> 00:05:44.160
So remember, malicious code attacks

115
00:05:44.160 --> 00:05:46.830
happen when harmful software or code

116
00:05:46.830 --> 00:05:50.790
is inserted into a system to disrupt, steal,

117
00:05:50.790 --> 00:05:53.310
or manipulate data processes.

118
00:05:53.310 --> 00:05:57.870
Two main types of these attacks are implants and poisoning.

119
00:05:57.870 --> 00:06:00.210
Implants are stealthy back doors,

120
00:06:00.210 --> 00:06:04.170
often embedded into software, firmware or hardware,

121
00:06:04.170 --> 00:06:07.770
giving attackers continuous access and control

122
00:06:07.770 --> 00:06:08.940
over a system.

123
00:06:08.940 --> 00:06:10.560
Poisoning, on the other hand,

124
00:06:10.560 --> 00:06:13.860
involves tampering with the data or environment

125
00:06:13.860 --> 00:06:17.490
a system relies on, often causing it to make errors

126
00:06:17.490 --> 00:06:19.440
or behave unpredictably.

127
00:06:19.440 --> 00:06:23.190
Both implants and poisoning attacks can be damaging,

128
00:06:23.190 --> 00:06:26.430
so strong security measures, including monitoring

129
00:06:26.430 --> 00:06:30.933
and data validation, can help prevent these types of attacks.

