An industrial control system (ICS) includes the devices and systems that are used to manage industrial production and operation. ICSs include systems that monitor different types of utilities, such as gas, electrical, water, and sewage (Chapple & Seidl, 2015, p. 243). ICSs are an attractive target for an APT because damaging or destroying an ICS can have a crippling effect on a wide region. To counteract the malicious goal of the enemy and protect its resources and weapons, the military often utilizes a Kill Chain, sometimes referred to as a kinetic Kill Chain. The concept of a Kill Chain is best described as a series of steps that involves finding a target, tracking it, and eventually attacking it with the intent to either damage or
He can do it by looking for publicly available information on the Internet.” (p. 1). The APT probably used Active Reconnaissance to gather information about the computers connected to the power plant network. It amassed useful information by using common Internet tools and services. By using port scans, the APT was able to discover the ports that were open on the servers, which subsequently revealed the services that were running on them. At that point, the APT could have attacked the vulnerable ports to gain access to the computer systems.
The APT also might have taken advantage of Passive Reconnaissance techniques to attack its target. By using tools such as NSLOOKUP, TRACERT and the WHOIS database, the APT could have gathered information about the domain names, computer names, IP addresses, DNS resource records, host names, SMTP servers, and Web servers. Once the APT had gathered all the data, it could have used more advanced tools like NMAP. Tools such as NMAP allow the use of TCP fingerprinting, which could have led to the discovery of the operating systems that were running on computers at the power plant. The APT could have also used TELNET, FTP and HTTP to gain information about the Web servers, browsers, plugins, etc. With information on operating systems, open vulnerable ports, and the running services at its disposal, the APT could have launched a DDoS, buffer overflow exploits, and other attacks against the target.
The first step in the Cyber Kill Chain is
Utilizing two simple command switches, -O and -v, provided a wealth of information about the host system. Most notably, it listed all of the open ports, the protocols, and the operating system of the target system. This quick gathering of information enabled the execution of more detailed commands against specific ports to expose specific vulnerabilities. This information can then be used to address any specific vulnerabilities that are
The attack performed on the network had the intention of making the online services provided to students unusable during a critical time of need for those systems. The attack was first performed by acquiring the Administrator password for the systems and then using each system to send a large quantity of service requests to the web servers. By dissecting what occurred, steps can be put in place to prevent such an attack in the future. This attack can be summarized in a few bullets:
After the initial intrusion, malicious software referred to as a RAT (remote access Trojan) is installed on the victim host. The RAT is responsible for connecting to the attacker and regularly performing the actions the attacker instructs. At this point the intruder has full command and control (C2) over the target host. Notably, the initial connection is established by the victim host, not by the attacker [6]. This happens mainly for two reasons: (i) an organization's firewall usually allows connections initiated by internal hosts, and (ii) it helps the attacker avoid easy detection, because intrusion detection systems [7] can readily detect extremely suspicious activity such as downloads initiated from outside hosts.
Initially, Linux (Ubuntu) is run in a virtual machine using VMware. The attack is performed against the IP address of the Linux OS.
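The point above (the RAT, not the attacker, opens the connection, so the firewall allows it) is exactly what makes periodic C2 check-ins stand out in outbound logs. The following detector is an added example, not code from the essay or its references; it assumes a simplified firewall log format ("<epoch> <src_ip> <dst_ip>:<dst_port> <action>") and uses constructed sample lines.

```python
"""Flag internal hosts that contact the same external endpoint at
regular intervals, the pattern a RAT produces when polling its C2.
Constructed example; the log format below is assumed, not a real product's."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 checks in to 203.0.113.7:443 every ~60 s
# (allowed, because the internal host initiated it); 10.0.0.9 is ordinary noise.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7:443 ALLOW
1700000012 10.0.0.9 198.51.100.20:80 ALLOW
1700000061 10.0.0.5 203.0.113.7:443 ALLOW
1700000075 10.0.0.9 198.51.100.21:443 ALLOW
1700000119 10.0.0.5 203.0.113.7:443 ALLOW
1700000180 10.0.0.5 203.0.113.7:443 ALLOW
1700000211 10.0.0.9 198.51.100.22:443 ALLOW
1700000240 10.0.0.5 203.0.113.7:443 ALLOW
1700000299 10.0.0.5 203.0.113.7:443 ALLOW
"""

def parse_log(text):
    """Yield (timestamp, src, dst) for allowed outbound connections; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "ALLOW":
            continue
        yield int(parts[0]), parts[1], parts[2]

def find_beacons(text, min_events=5, max_jitter=0.2):
    """Return {(src, dst): mean_gap_seconds} for flows with at least
    min_events connections whose gaps are regular (stdev/mean < max_jitter)."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for flow, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[flow] = avg
    return beacons

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible C2 beacon: {src} -> {dst} every ~{gap:.0f}s")
```

On real logs, raise min_events and widen max_jitter to taste, since some RATs add random sleep to their polling interval.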
To detect a cyberattack on the power grid, Western Interconnection should implement a system that will allow public and private authorities to receive Indications and Warning (I&W) when a cyberattack is in its early phase. Koester and Cohen (2012) discuss their Electric Power Grid Indications & Warning Tool in their paper. The purpose of this tool is “to provide near real-time I&W to alert private and public sector authorities when the likely causes of outage events are malicious activity.” (Koester & Cohen, 2012, p. 1). The tool minimizes false alarms due to severe weather and high temperatures. Implementing this solution will allow administrators at the Western Interconnection power grid to take precautionary measures as necessary. For example, substations can be manually shut down in case of a cyberattack, to prevent potential damage and the spread of malware.
In round two of the simulation, an attack on DTL Power left services down for hours last Wednesday. The cyber-attack left residential, business, and government customers in the dark for hours. During the forensic investigation, evidence revealed that the cause of the attack was a worm intrusion that caused a reduction in DTL system functions. This reduction in system functions resulted in an excessive amount of downtime. The confidentiality, integrity, and availability of DTL's system were compromised. Cyberterrorism tools such as port scanners were found in our system. These tools were not detected prior to the investigation.
Sophisticated hackers have expanded their threat matrix to include cyber-attacks on the computer systems used to operate the world’s pipelines. Supervisory Control and Data Acquisition (“SCADA”) systems are increasingly subject to targeted attacks. Cyber-attacks can be perpetrated over the Internet from anywhere in the world and are capable of disrupting safe pipeline operation causing spills, explosions, or fires. The 2008 explosion on the Baku-Tbilisi-Ceyhan oil pipeline in Turkey was reportedly caused by a cyber-attack.
The first area that the hackers attacked was inadequate wireless network security; this is how the hackers gained access into the TJX Companies, Inc. system. From the investigation it was found that a retail store was using the Wired Equivalent Privacy (WEP) protocol. WEP is a weak security protocol that can be easily cracked. The current industry standard requires the use of the WPA (Wi-Fi Protected Access) protocol or higher to protect your wireless network (Berg, G. 2008, August). Hackers used this first vulnerability to gain access into the TJX Companies, Inc. system and were able to move on from the
Attack caused by: Malware. The hackers used custom-made software to evade detection, relying on tools that hadn’t been used in previous attacks. Home Depot’s store registers had been infected with a new variant of “BlackPOS”, a malware strain
The illustration [1] below shows how the hackers got access through different networks that were connected.
The NIMS model of the Incident Command System (ICS) will be used as the framework for all responses to hazardous material releases. This will allow flexibility to rapidly activate and establish an organizational structure around the functions that need to be performed to efficiently mitigate an incident (Washoe County LEPC, 2006).
Ping sweeps and port scans are among the most popular techniques that hackers and attackers use to gain access to a network. Ping sweeps and port scans are a dangerous security threat if they are left undetected.
In 1997 the National Security Agency (NSA) tested the Pentagon’s cyber security in an exercise named “Eligible Receiver”. Within two days of the exercise, the NSA team had penetrated the classified command network and was in complete control of the network. Two years later, the United States Air Force experienced a computer breach in which huge amounts of data were being exfiltrated from research files located on airbases. “Gigantic amounts of data were being shipped out from a lot of computers in the Defense Network and from many data systems in the national nuclear laboratories of the Energy Department.” (Clarke, p. 111) The FBI case file named “Moonlight Maze” brought to light two important aspects of information security. Computer specialist
Abstract— The development of unmanned aerial vehicle (UAV) technology has increased at an incredible rate in recent years. The market currently includes many different varieties and classes of UAVs, but none currently offer long-range, beyond-line-of-sight flight over cellular networks. The only existing networks currently utilized for long-range flight are Wi-Fi networks. However, flying over Wi-Fi has range limitations that restrict the full use of the UAVs. Therefore, the goal of this project is to design a UAV control system using existing cellular networks as the primary mode for communication. In order to accomplish this objective, an Android OS based application that is capable of sending and receiving signals between two Android smartphones will be designed. One of the phones will be on the UAV itself and the other in the hand of the pilot. Through these devices, the user will be able to control the UAV while also receiving critical information from the drone— such as Global Positioning System (GPS) location, live video feed, system statuses, and flight diagnostics from the UAV. A hardware interfacing circuit will be designed to interpret the control signals from the phone and pass them to the UAV for flight control. Additionally, a crash avoidance algorithm incorporating the position of other flying UAVs will be integrated into the system. This will provide a platform to reduce the number of user-based crashes as well as reducing the risk of damaging a UAV.