WEBVTT

1
00:00:00.000 --> 00:00:01.320
In this lesson,

2
00:00:01.320 --> 00:00:04.500
we will learn about Attack Patterns.

3
00:00:04.500 --> 00:00:07.320
Attack patterns are tactics and techniques

4
00:00:07.320 --> 00:00:11.100
that threat actors use to exploit vulnerabilities

5
00:00:11.100 --> 00:00:12.690
in a system.

6
00:00:12.690 --> 00:00:16.410
In threat modeling, attack patterns may be modeled

7
00:00:16.410 --> 00:00:20.970
to include injection, authentication and authorization,

8
00:00:20.970 --> 00:00:23.280
and on-path attacks.

9
00:00:23.280 --> 00:00:27.450
Injection attacks involve inserting malicious code

10
00:00:27.450 --> 00:00:32.450
or commands into a system through vulnerable input points.

11
00:00:32.460 --> 00:00:35.610
Authentication and authorization attacks

12
00:00:35.610 --> 00:00:39.480
target the mechanisms that control user access.

13
00:00:39.480 --> 00:00:41.520
And on-path attacks,

14
00:00:41.520 --> 00:00:44.880
formerly known as man-in-the-middle attacks,

15
00:00:44.880 --> 00:00:47.280
occur when an attacker intercepts

16
00:00:47.280 --> 00:00:51.930
and potentially alters communications between two parties.

17
00:00:51.930 --> 00:00:54.330
Let's learn more about injection,

18
00:00:54.330 --> 00:00:59.010
authentication and authorization, and on-path attacks.

19
00:00:59.010 --> 00:01:01.770
First, we have injection attacks.

20
00:01:01.770 --> 00:01:04.500
Injection attacks occur when an attacker

21
00:01:04.500 --> 00:01:09.270
inserts malicious code or commands into a system

22
00:01:09.270 --> 00:01:11.670
via vulnerable input points,

23
00:01:11.670 --> 00:01:14.910
manipulating the application's behavior.

24
00:01:14.910 --> 00:01:18.360
One of the most common forms of injection attacks

25
00:01:18.360 --> 00:01:22.770
is structured query language or SQL injection,

26
00:01:22.770 --> 00:01:26.220
where an attacker sends harmful SQL statements

27
00:01:26.220 --> 00:01:29.340
through web application input fields.

28
00:01:29.340 --> 00:01:33.030
This type of attack can give unauthorized access

29
00:01:33.030 --> 00:01:36.630
to a database, allowing an attacker to view,

30
00:01:36.630 --> 00:01:41.340
modify, create, or delete sensitive information.

31
00:01:41.340 --> 00:01:45.150
Other injection types include command injection,

32
00:01:45.150 --> 00:01:48.390
where operating system commands are injected

33
00:01:48.390 --> 00:01:52.530
to gain control over the system's execution,

34
00:01:52.530 --> 00:01:55.830
code injection, which introduces other code

35
00:01:55.830 --> 00:01:59.040
directly into the application's code base

36
00:01:59.040 --> 00:02:03.840
to manipulate its functionality, and cross-site scripting,

37
00:02:03.840 --> 00:02:07.170
which targets user side script injections

38
00:02:07.170 --> 00:02:10.680
to manipulate content displayed to users

39
00:02:10.680 --> 00:02:13.380
or to steal session data.

40
00:02:13.380 --> 00:02:17.250
In SQL, sometimes called SQL injection,

41
00:02:17.250 --> 00:02:21.420
the attacker leverages poorly sanitized input fields

42
00:02:21.420 --> 00:02:26.100
to insert commands directly into SQL queries.

43
00:02:26.100 --> 00:02:29.490
For instance, in a vulnerable login form,

44
00:02:29.490 --> 00:02:32.250
an attacker might enter the string,

45
00:02:32.250 --> 00:02:37.160
'OR1=1;--

46
00:02:38.310 --> 00:02:42.150
They might enter that in the username or password fields,

47
00:02:42.150 --> 00:02:44.670
tricking the system into granting access

48
00:02:44.670 --> 00:02:46.980
without valid credentials.

49
00:02:46.980 --> 00:02:48.720
This exploit works

50
00:02:48.720 --> 00:02:53.400
because the application fails to properly sanitize input.

51
00:02:53.400 --> 00:02:55.830
So, the database interprets

52
00:02:55.830 --> 00:02:58.680
the injected structured query language

53
00:02:58.680 --> 00:03:01.290
as part of the query logic.

54
00:03:01.290 --> 00:03:04.110
Similar injection techniques can be used

55
00:03:04.110 --> 00:03:08.130
in command injection to manipulate system commands

56
00:03:08.130 --> 00:03:12.000
or in cross-site scripting to inject malicious scripts

57
00:03:12.000 --> 00:03:15.000
that run in other users' browsers.

58
00:03:15.000 --> 00:03:17.340
Mitigating injection attacks

59
00:03:17.340 --> 00:03:20.010
involves a validating and sanitizing

60
00:03:20.010 --> 00:03:22.800
all user input rigorously.

61
00:03:22.800 --> 00:03:24.780
Parameterized queries,

62
00:03:24.780 --> 00:03:27.510
also known as prepared statements,

63
00:03:27.510 --> 00:03:31.800
are especially effective against SQL injection

64
00:03:31.800 --> 00:03:35.460
as they separate code from data inputs.

65
00:03:35.460 --> 00:03:39.240
Meaning that the attacker cannot change the structure

66
00:03:39.240 --> 00:03:41.190
of the SQL statement

67
00:03:41.190 --> 00:03:44.670
through the web application input fields.

68
00:03:44.670 --> 00:03:48.630
Additionally, using web application firewalls

69
00:03:48.630 --> 00:03:52.320
can help detect and block suspicious requests,

70
00:03:52.320 --> 00:03:54.240
adding a layer of security

71
00:03:54.240 --> 00:03:58.440
to prevent injection vulnerabilities from being exploited.

72
00:03:58.440 --> 00:04:02.880
Second, we have authentication and authorization attacks.

73
00:04:02.880 --> 00:04:05.700
Authentication and authorization attacks

74
00:04:05.700 --> 00:04:10.440
focus on exploiting weaknesses in user access controls,

75
00:04:10.440 --> 00:04:14.130
allowing attackers to bypass login systems

76
00:04:14.130 --> 00:04:16.920
or gain unauthorized permissions.

77
00:04:16.920 --> 00:04:18.990
A common form of attack

78
00:04:18.990 --> 00:04:22.980
involves exploiting weak password reset mechanisms,

79
00:04:22.980 --> 00:04:26.250
where an attacker manipulates the reset process

80
00:04:26.250 --> 00:04:29.310
to gain access to user accounts.

81
00:04:29.310 --> 00:04:31.050
Other tactics include

82
00:04:31.050 --> 00:04:34.500
exploiting insecure access control lists

83
00:04:34.500 --> 00:04:37.620
or leveraging broken authentication flows,

84
00:04:37.620 --> 00:04:42.620
such as session hijacking to impersonate legitimate users.

85
00:04:42.810 --> 00:04:46.860
For example, a password reset attack on a system

86
00:04:46.860 --> 00:04:50.790
may take advantage of a password reset process

87
00:04:50.790 --> 00:04:53.730
with inadequate verification steps.

88
00:04:53.730 --> 00:04:56.550
Let's say the password reset process

89
00:04:56.550 --> 00:04:59.850
relies on easily accessible information,

90
00:04:59.850 --> 00:05:02.370
like a user's email address

91
00:05:02.370 --> 00:05:05.100
or basic knowledge based questions

92
00:05:05.100 --> 00:05:08.880
like birthday, location, or any other data

93
00:05:08.880 --> 00:05:11.640
that can be seen on social media accounts

94
00:05:11.640 --> 00:05:14.700
or found through open source intelligence.

95
00:05:14.700 --> 00:05:17.490
In this case, the attacker could bypass

96
00:05:17.490 --> 00:05:21.990
the intended security measures to gain access to the account

97
00:05:21.990 --> 00:05:25.440
by simply looking up the information online.

98
00:05:25.440 --> 00:05:27.810
Once in control of the account,

99
00:05:27.810 --> 00:05:30.090
the attacker could change the password,

100
00:05:30.090 --> 00:05:32.310
lock out the legitimate user,

101
00:05:32.310 --> 00:05:34.920
and access sensitive information

102
00:05:34.920 --> 00:05:37.800
or misuse account features.

103
00:05:37.800 --> 00:05:40.860
Or in the context of authorization,

104
00:05:40.860 --> 00:05:42.990
an attacker might then exploit

105
00:05:42.990 --> 00:05:45.700
flawed role-based access controls

106
00:05:45.700 --> 00:05:48.270
to elevate their privileges,

107
00:05:48.270 --> 00:05:52.050
gaining unauthorized access to restricted data

108
00:05:52.050 --> 00:05:55.560
or functionalities in an enterprise network.

109
00:05:55.560 --> 00:06:00.360
So to defend authentication and authorization attacks,

110
00:06:00.360 --> 00:06:04.950
administrators should employ multi-factor authentication

111
00:06:04.950 --> 00:06:06.780
not only for logins,

112
00:06:06.780 --> 00:06:10.170
but also for the password reset process,

113
00:06:10.170 --> 00:06:14.280
or adding additional complexity to the reset process

114
00:06:14.280 --> 00:06:17.250
by requiring unique verification codes

115
00:06:17.250 --> 00:06:19.530
sent to registered devices

116
00:06:19.530 --> 00:06:22.140
helps ensure only the legitimate user

117
00:06:22.140 --> 00:06:24.540
can reset their password.

118
00:06:24.540 --> 00:06:27.960
Finally, enforcing secure session management,

119
00:06:27.960 --> 00:06:30.480
strong session ID generation,

120
00:06:30.480 --> 00:06:33.960
and effectively configuring role-based permissions

121
00:06:33.960 --> 00:06:38.820
can also mitigate unauthorized actions within the system.

122
00:06:38.820 --> 00:06:42.900
Third and last, we have on-path attacks.

123
00:06:42.900 --> 00:06:44.280
On-path attacks,

124
00:06:44.280 --> 00:06:47.370
formerly known as man-in-the-middle attacks,

125
00:06:47.370 --> 00:06:50.670
occur when an attacker intercepts communications

126
00:06:50.670 --> 00:06:55.170
between two parties, such as a client and a server.

127
00:06:55.170 --> 00:06:59.100
By positioning themselves in the middle of these exchanges,

128
00:06:59.100 --> 00:07:02.820
attackers can eavesdrop on or alter data being sent

129
00:07:02.820 --> 00:07:06.060
and received, leading to data theft

130
00:07:06.060 --> 00:07:08.850
or malicious content injection.

131
00:07:08.850 --> 00:07:13.230
Common on-path attack types include packet sniffing,

132
00:07:13.230 --> 00:07:15.780
where attackers capture network traffic

133
00:07:15.780 --> 00:07:17.550
and session hijacking,

134
00:07:17.550 --> 00:07:20.820
where attackers take control of an active session

135
00:07:20.820 --> 00:07:23.790
between a user and an application.

136
00:07:23.790 --> 00:07:27.330
A typical on-path attack involves an attacker

137
00:07:27.330 --> 00:07:30.600
intercepting an altering network packets

138
00:07:30.600 --> 00:07:33.360
in an unprotected wifi network.

139
00:07:33.360 --> 00:07:37.440
For example, if a victim accesses their bank account

140
00:07:37.440 --> 00:07:40.560
over public wifi without encryption

141
00:07:40.560 --> 00:07:44.070
or with weak encryption, and the attacker positioned

142
00:07:44.070 --> 00:07:48.120
within the network or monitoring network communication,

143
00:07:48.120 --> 00:07:52.470
can intercept session tokens or login credentials.

144
00:07:52.470 --> 00:07:54.930
By capturing credentials, an attacker

145
00:07:54.930 --> 00:07:59.160
can then hijack the victim's session, view sensitive data,

146
00:07:59.160 --> 00:08:02.670
and even initiate unauthorized actions

147
00:08:02.670 --> 00:08:07.020
such as transferring funds or changing account details,

148
00:08:07.020 --> 00:08:10.500
all while appearing as the legitimate user.

149
00:08:10.500 --> 00:08:15.330
In some cases, attackers may also modify network packets

150
00:08:15.330 --> 00:08:17.640
to inject malicious content,

151
00:08:17.640 --> 00:08:20.880
further compromising the target device.

152
00:08:20.880 --> 00:08:23.790
So to prevent on-path attacks,

153
00:08:23.790 --> 00:08:27.960
encryption protocols such as transport layer security

154
00:08:27.960 --> 00:08:31.140
should be used to secure communications,

155
00:08:31.140 --> 00:08:33.300
ensuring data is encrypted

156
00:08:33.300 --> 00:08:36.210
and less of vulnerable to interception.

157
00:08:36.210 --> 00:08:39.060
Additionally, implementing certificates

158
00:08:39.060 --> 00:08:41.820
into the authentication process

159
00:08:41.820 --> 00:08:46.380
helps verify the authenticity of the parties involved.

160
00:08:46.380 --> 00:08:49.230
Finally, regular network monitoring

161
00:08:49.230 --> 00:08:51.750
and anomaly detection systems

162
00:08:51.750 --> 00:08:56.280
can also be used to identify unusual patterns

163
00:08:56.280 --> 00:08:59.160
that may indicate on-path attacks,

164
00:08:59.160 --> 00:09:02.790
enabling quicker response and mitigation.

165
00:09:02.790 --> 00:09:07.050
So remember, attack patterns are techniques

166
00:09:07.050 --> 00:09:11.880
that threat actors use to exploit system vulnerabilities.

167
00:09:11.880 --> 00:09:15.960
Commonly modeled in threat analysis to identify risks,

168
00:09:15.960 --> 00:09:19.860
like injection, authentication and authorization,

169
00:09:19.860 --> 00:09:22.050
and on-path attacks.

170
00:09:22.050 --> 00:09:25.950
Injection attacks involve inserting malicious code

171
00:09:25.950 --> 00:09:30.870
into vulnerable input fields to manipulate system behavior,

172
00:09:30.870 --> 00:09:35.250
often giving unauthorized access to sensitive data.

173
00:09:35.250 --> 00:09:39.060
Next, authentication and authorization attacks

174
00:09:39.060 --> 00:09:43.020
exploit weaknesses in user access controls,

175
00:09:43.020 --> 00:09:46.740
allowing attackers to bypass login systems

176
00:09:46.740 --> 00:09:48.810
or elevate privileges.

177
00:09:48.810 --> 00:09:52.050
In particular, password reset mechanisms

178
00:09:52.050 --> 00:09:54.510
and broken authentication flows

179
00:09:54.510 --> 00:09:59.310
are often targeted to gain unauthorized account access.

180
00:09:59.310 --> 00:10:01.800
Finally, on-path attacks,

181
00:10:01.800 --> 00:10:04.860
previously known as man-in-the-middle attacks,

182
00:10:04.860 --> 00:10:07.170
occur when an attacker intercepts

183
00:10:07.170 --> 00:10:12.170
and possibly alters communication between two parties,

184
00:10:12.240 --> 00:10:16.800
enabling data theft or malicious content injection.

185
00:10:16.800 --> 00:10:19.020
Preventative measures for these patterns

186
00:10:19.020 --> 00:10:24.020
include input validation, multi-factor authentication,

187
00:10:24.270 --> 00:10:28.740
encryption protocols, and anomaly detection systems

188
00:10:28.740 --> 00:10:30.243
such as Splunk.