The Certified Ethical Hacker (CEH) certification exam is neither easy nor designed to be easy. If it was not hard, everyone would do it – its difficulty is what makes it great. Ethical hackers are the essential workers of the IT, cybersecurity, and software development world, and the CEH certification is one of their baseline requirements. This guide covers the basics of ethical hacking. It's useful to CEH exam candidates and people who are concerned about the vulnerabilities in their environments.

This comprehensive overview will help you to do the following:

• Cover the basics of the CEH certification.
• Gain a strong and practical understanding of ethical hacking.
• Know the requirements and the skills you need to become a CEH.
• Evaluate yourself against ethical hacking standards.
• Decide whether the CEH certification is right for you.

This chapter will meet these goals through the following topics:

• The benefits of the CEH certification
• Information security
• The Cyber Kill Chain
• The behavioral identification of attackers
• Information security controls
• Information security laws and standards

The US Department of Defense (DoD) issued the directive 8570.1 in 2005 instructing everybody that handles US government IT to have baseline IT certifications, including ethical hacking. This is one of the most important reasons cybersecurity professionals pursue the CEH certification.

Besides being an industry standard, the CEH certification is internationally recognized, making it valid and valuable in IT industries across the world.

It is also a valuable certification on any IT résumé. It means a candidate understands how hackers think, and with everything that's been going on recently as far as hacking and technology are concerned, IT experts with this certification are, and will remain, in high demand.

Is the CEH certification right for you?

You will get the most out of this certification if you are a cybersecurity officer within your company or if you are a penetration tester, internal or external auditor, security professional-standard administrator or consultant site administrator, or a techie home user who wants to know how secure your environment is.

The requirements and the skills you need to become a CEH

There are standards to maintain as a CEH. This includes skills, values, and ethics from the International Council of E-Commerce Consultants (EC-Council) Code of Ethics, which you can find at https://www.eccouncil.org/code-of-ethics. The most critical of these requirements include the following:

• Privacy
• Disclosure
• Area of expertise
• Unauthorized usage
• Authorization
• Disclosure
• Project management
• Knowledge sharing
• Confidence
• Legal limits
• Underground communities

Let's look at them in detail.

Privacy

Ethical hackers come across information they are not allowed to use, steal, share, modify, change, or destroy. From security numbers to customer databases and intellectual property, their access is unlimited. It is their responsibility to guard that information at all times.

Disclosure

It is not uncommon for ethical hackers to uncover things that are uncomfortable to see, watch, or talk about. If they stumble upon such information or content, their duty is to report it. They owe it to the authorities or the concerned people to disclose everything they discover, however unsettling, gross, grave, or discomforting.

Area of expertise

An ethical hacker should not misrepresent themselves, feigning to know more than they do. Ethical hacking demands honesty about what an ethical hacker can and cannot do and openness about their level of knowledge, skill sets, and limitations. If you lack the necessary experience or training to handle something that's outside your realm, it is ethical to ask the company or employer to get an expert to handle it.

Unauthorized usage

An ethical hacker is to avoid using illegal or unethically obtained software and hardware. Also, if they uncover evidence of unauthorized usage in a company, they should not accept bribes to keep their lips sealed or join in for personal gain.

Authorization

An ethical hacker needs to limit themselves to using resources, data, and/or information in authorized ways. Also, when working, an ethical hacker lets the company know how they intend to use data or information. They should also ensure that they get consent where necessary and avoid cutting corners.

Disclosure

When an ethical hacker discovers an issue in hardware or software, they verify with or notify the hardware manufacturer that their product is faulty before going public with information about the vulnerability. If the manufacturer does nothing about it, they blow the whistle to save users and share the solution if possible. Some folks would refer to this as a zero-day vulnerability, meaning that the vulnerability has been discovered before the vendor has any idea that it exists.

Project management

Ethical hackers need great management skills to be efficient and to manage their projects effectively. They need to set clear goals, have a reasonable project timeline, and communicate.

Knowledge sharing

Ethical hackers commit to learning, keeping abreast with new developments, sharing new discoveries, engaging fellow EC-Council members, and creating public awareness. They do this by teaching or giving free lectures, spreading information on social media platforms, and enlightening the people they know on securing hardware and software and how to use this knowledge.

Confidence

Confidence, as an ethical hacker, means you should always present yourself in a professional, honest, and competent manner. This means even when you're competing with someone else for a particular project. In layman's terms, no backstabbing, folks. Now, as we go through the chapters in this book, we're going to be introducing some tools that can be extremely dangerous to networks. As an ethical hacker, you need to make sure that you have experience with any software, tricks, or tools you utilize against a network. An engagement is not the time or place to learn a new tool or technique. You need to be extremely careful. Do not fix issues you discover that are not within the scope of your project. Even if you think you know what's best for your company or their company, you always get guidance and permission for any action. There is no compromise. What we mean by this is that you are in no way going to purposely compromise or cause a company or organization's system to become compromised through the process of your professional dealings with them.

Legal limits

Whatever project an ethical hacker accepts needs to be approved, authorized, and legal. The code of ethics informs all their decisions. They always know what they are doing and what's expected of them; they are aware of their limitations, know what they can and cannot do, and know what's considered fair play and what's malicious.

Underground communities

Ethical hackers commit to not engaging in black-hat activities or associating with communities of black-hat hackers. They don't aid or help black-hat hackers advance their mission; they only engage them to find out what's new, what they know, what they do, and how they think.

Ethical hacking is a proactive cybersecurity approach that involves the use of hacking methods, concepts, and tools to uncover weaknesses in a system before a potential attacker exploits them.

An ethical hacker thinks like an attacker or a criminal profiler. They know how to steal passwords and usernames, and how to find and exploit vulnerabilities and get away with it. Ethical hackers use the same tactics that the bad guys use. The only difference is that they have permission to do it. Also, ethical hackers bring more to the table. Here are some of the most important skills, ideal behaviors, and principles ethical hackers use:

• Expertise in architectures, programs, and networks – You need to know the ins and outs of how Transmission Control Protocol/Internet Protocol (TCP/IP) works. You need to understand networking structures and functions. You don't necessarily need to be an expert in all programs, but you do need to know how programs are installed, the modifications they make, and the possible security threats they pose.
• Proficiency in vulnerability research – Ethical hackers need to keep up with the bad guys. So, find out as much as you can about new vulnerabilities. Additionally, ensure that you are good at the hacking techniques that attackers use because you might need to try them out on a particular target.
• A good understanding of the hacking techniques attackers use – Ethical hackers are not vendor-specific; they understand the techniques attackers use across the board – the hacks that can be used against routers, Intrusion Detection Systems (IDSes), and so on.
• Follow the code of conduct – Ethical hackers adhere to a strict code of conduct as required by the EC-Council.
• Disclose to the appropriate people – Ethical hackers owe it to their employers and clients to disclose what they ought to. They have a duty to disclose to authorities what they uncover if it is illegal. Ethical hackers also come across vulnerabilities in their clients' systems or infrastructures when evaluating them. The code bars them from exposing such information. They know what is off limits.
• They are good at the tactics and strategies attackers use – They know the tactics and the strategies. They don't just make stuff up or take shortcuts.
• They understand no means no – If a client or employer gives specific guidelines of what's allowed and what's not, an ethical hacker will draw a line between the two and respect that decision. They will not try to cross it, and if there is a change of scope, they ensure it is done in writing.
• They never target a system or network they don't own or are not allowed into – It's not a skill per se, but if during the test a good ethical hacker is told to stop, they do so. Failure to do so has turned the lives of some ethical hackers upside down.
• They note and report results – They report all results, even if it might hurt someone whose good books they want to be in, such as the manager who recommended them for that penetration testing job.
• They report their findings to legal authorities – They know they have a duty to report illegal activities or plans to the authorities and, as such, they ensure that the contract allows that. However, some jurisdictions place a legal responsibility on ethical hackers, even if the contract forbids such disclosures. Failure to report to legal authorities makes the ethical hacker an accessory to the crime. There are other ways out of such situations, including laws such as the Whistleblower Protection Act, which safeguards ethical hackers in specific types of disclosures.
• Confidentiality – When an ethical hacker encounters information that is deemed confidential, they know who to share their findings with, unless it goes against the laws of the land.

Honing important skills, embracing the principles of ethical hacking, and knowing the ways of attackers are key. I wrote this chapter to give you the information you need to pass your CEH exam and know what you need to navigate the cybersecurity world. We've also covered different types of attacks and how attackers exploit vulnerabilities. Our next step is information security controls – our weapon against attackers.

For a proper foundation in information security, this section covers the following topics:

• Information security – a general overview
• The Confidentiality, Integrity, and Availability (CIA) triad
• Types of cyberattacks
• The hacking phases
• The types of hackers

You'll be able to broadly define information security, as well as understanding the CIA triad, knowing various types of cyberattacks and the stages of hacking, understanding the types of attackers and their motivations, and knowing the steps of the Cyber Kill Chain (CKC) methodology.

An overview of information security

Information security is the process of securing data and information systems that process, store, and transmit data against illegal access. Organizations must protect their information, as it is a key asset.

Behind most breaches, attackers have motivations and objectives. A motive arises from the belief that a target has something important. The goal of the attack could be to interrupt the target organization's day-to-day activities, or to steal important information for fun, or even payback. As a result, the attacker's goals are determined by their emotional state. Once the hacker/attacker has defined their objective, they might use a variety of tools, strategies, and methodologies to take advantage of flaws in a system.

Information security is part of information risk management. It refers to the processes and measures designed to protect and maintain the confidentiality, integrity, and availability of information. This goal of information security is commonly known as the CIA triad; these three components guard against cyberattacks that lead to unauthorized or unlawful access, use, sharing, modification, scanning, stealing, and/or destruction of information.

The CIA triad

The CIA triad is a security model that informs the policies and efforts an organization puts in place to secure its data from unauthorized access. Let's look at its components in detail.

Confidentiality

Confidentiality is guarding against theft or unauthorized or unintentional access of data. The first step toward achieving this is authenticity, which is the verification process that requires the user to prove their identity or their claim to the rightful ownership of an account before access is allowed. Big companies whose databases attackers have compromised are increasingly hitting the headlines. Attackers target them for highly prized customer information. Attackers also go after governments for military, political, criminal, and other similar reasons.

An example of the damage a breach of confidentiality can cause happened in Utah. A hospital backed up their records and sent them through a courier service. The driver changed his mind along the way and headed home for the weekend, instead of dropping the tapes off at the Granite Mountain Records Vault (a vault system that is dug out of a granite mountain in Utah). Someone with itchy fingers saw the well-wrapped package and broke into the car. In an instant, the aluminum metal case bearing patients' vital medical records and confidential information was gone.

The hospital ended up spending thousands of dollars seeking identity protection services for patients whose personal and vital information landed in the wrong hands. Besides this kind of loss of data, there's the risk of data modification without authorization and accountability, which is known as non-repudiation. If John Doe modifies a document under a secure system, there needs to be a way to tell whether or when that happened.

Integrity

After you have proved your authenticity, you expect to find your data safe, not altered. You want to be sure you can trust the source and the keeper of this data. For example, when trying to access your bank account, you want to be certain you are accessing your account on your bank's app or site and that the data you will find on there is valid and protected.

Availability

People have a right to access their data whenever they want, but sometimes attackers stand in the way of this by launching a Denial-of-Service (DoS) attack. DoS refuses users access to accounts or resources. How does this benefit attackers? This is a common malicious attack against businesses. It stops users from transacting or accessing a service or resource. This denial of availability costs companies millions of dollars and, sometimes, users.

Types of cyberattacks

Cyberattacks happen when attackers – people with different goals and motivations – spot and take advantage of vulnerabilities in a system. They do this to gain access to a network or to get valuable or confidential data without authorization.

Attackers violate systems or processes to disrupt operations, steal crucial or confidential information, or seek retribution. They can cause chaos within an organization, instill fear, create financial losses, and ruin the reputation of an organization or business by publicizing their political stands, propaganda, religious beliefs, and so on, using the target's mediums of communication.

Cyberattacks fall under different categories. These include the following:

• Passive attacks
• Active attacks
• Close-in attacks
• Insider attacks
• Distribution attacks
• Phishing attacks

Let's look at these in detail.

Passive attacks

A passive attack is also known as a sniffing attack or an eavesdropping attack. Attackers monitor traffic and then intercept data before it reaches recipients.

Active attacks

Unlike passive attacks, active attacks are disruptive. Active attackers are usually out to exploit a vulnerability and cause harm. Most systems detect them. An active attacker will try to disrupt the communication or services between systems, throw things into disarray or cause hiccups within the network's security, and attempt to gain access. Some tricks include a DoS attack, a man-in-the-middle attack, session hijacking, and SQL injection.

Close-in attacks

In close-in attacks, the attacker is usually physically close to the target or the network. Their motive is to gather, change, or disrupt flowing information. Examples of close-in attacks are eavesdropping, shoulder surfing, and dumpster diving. Social engineering also falls under this category. An attacker deceives the target into sharing personal or confidential information and then uses it fraudulently.

Insider attacks

As the name suggests, insider attacks come from the inside. Attackers use their privilege and access to violate policies from within to compromise information systems. They do this by stealing physical devices, planting malware, backdoors, or keyloggers.

Distribution attacks

In these attacks, the attacker will either tamper with or modify hardware or software before installation. The attack begins soon after installation. To accomplish this, an attacker tampers with the hardware or software at its source or during transmission. A perfect example of a distribution attack is SolarWinds' attack in 2020. After accessing and adding malicious code to SolarWinds' software systems, attackers produced and sent Trojanized updates to the software program users. Victims of this attack included 425 Fortune 100 and 500 companies, including titans such as Cisco, Intel, and Microsoft, leading telecommunication companies, top US government agencies – including the Department of State, the Department of Homeland Security, and the Department of Energy – and reputable learning institutions.

Phishing attack

A phishing attack is also a popular form of cyberattacking. Cyberattackers use a trick, where they create a fake website that looks exactly like the original one. Once the cyberattackers are done with the development of the fake website, they send an email to the customers with the link to the fake website. When the customers try to log in using the username and password, the cyberattackers record it, and they use the same information on the real website to access the customer's account.

The technology triangle

The technology triangle, like the Bermuda Triangle, is mysterious, just not as big. It is a pain in the neck for everyone involved with technology – hardware developers, the coffee-loving IT person, and that software developer who sits in the corner looking at their screen all day.

Figure 1.1 – The technology triangle

One concept that makes their heads hurt is usability (the GUI environment) versus functionality (the features) versus security (the restrictions), as seen in Figure 1.1.

Usually, the dilemma is striking a good balance between these. It's hard because sometimes moving from usability means losing security and functionality, while inclining toward security makes you lose functionality and usability.

Finding this balance is tricky, and that's why some operating systems lean more toward one area. An example is the Windows 2000 server when the internet was brand new and everybody wanted a piece of it. Trying to be nice, Microsoft set up servers for their users and whenever a user deployed the operating system, it would automatically install the Internet Information Services (IIS), which is a web server environment. This web server environment had every feature turned on and had more holes than Swiss cheese. While it was helpful to users who were not tech-savvy, Microsoft compromised on security.

Microsoft then introduced Windows Vista with the annoying UAC popup that's always asking whether you are sure you want to do something. Do you want to allow this app to make changes to your device? Do you want to allow this app from an unknown publisher to make changes to your device?

Typing in a username and password irks most users, so, while Microsoft moved a bit toward security, they lost usability and functionality.

Microsoft is a perfect example of this dilemma. Their user-friendly interface has in many situations actually created vulnerabilities for their platform. Reports show a 181% increase in the number of reported vulnerabilities between 2016 and 2020.

Most people are always wondering why they have to jump through IT hoops to use software or hardware. They want a plug-and-play IT world where all they need to do is head to the local technical store, grab what they need, plug it in, push a few buttons, and voilà! It's ready. Some companies understand this need and strive to make their products as easy to use as possible. While it is easy to achieve usability, most easy-to-use hardware and software is vulnerable to attacks.

Types of hackers

Hacking is gaining unauthorized access to information or data in a computer or system, or configuring a different mechanism that makes a device or the target of the hack operate differently to how it was intended.

There are different types of hackers and they are differentiated by the activities they carry out and their motives.

Black-hat hackers

A black-hat hacker carries out the type of attacks where they don't have permission or authorization to be on the target network or to be doing what they're doing. They're lawbreakers.

White-hat hackers

Unlike black-hat hackers, white-hat hackers are authorized to be on a system and to be doing what they are doing. They are the good guys. They don't use or misuse the information they have access to as professional security – they only share exploits about the bad guys with the white-hat community for the good of everyone.

Important Note

The hat color terms come from Hollywood. Back in the early days of film, the bad guy was identifiable from the black hat that he wore, while the hero would wear a white hat. This actually continues today in film, as I'm sure we've all seen a villain dressed in black while the hero is dressed in white (you know, a long time ago in a galaxy far, far away…).

Gray-hat hackers

Gray-hat hackers are reformed black-hat hackers. However, it's still hard to trust them because they can always relapse in a moment of weakness. They can be white-hat today, but if they get a deal that's too good to turn down, their ethical hacking principles may go out the window and they will name their price.

Suicide hackers

As the name suggests, a suicide hacker is carefree. They don't bother to cover their tracks after an attack. Their mission is the only thing that matters.

Script kiddies

Script kiddies are as clueless as they come. They are ambitious but lack real training and experience. They rely on YouTube videos and other free online resources and tools to hack and perform unauthorized activities. Most script kiddies work inside our network infrastructures.

Spy hackers, cyberterrorists, and state-sponsored hackers

These are high-profile, malicious hackers. They do the dirty work for governments, government agencies, organized groups, and big corporations fighting for the lion's share in the market. They are mostly driven by religious beliefs, political affiliation or agenda, business opportunity, and so on. Like suicide hackers, they stop at nothing. They focus on executing their mission; everything else, including repercussions, is secondary.

The difference between a spy hacker and a state-sponsored hacker is that a spy hacker gets their paycheck from a rival business to steal intellectual property, while the state-sponsored hacker gets paid by a government or government agency. State-sponsored hacking makes it possible for states to get hold of secrets from other countries, military organizations, and multinational companies or organizations.

Hacktivist

A hacktivist is an attacker who gains unauthorized access to a network or files to further economic ideologies or political or social agenda.

Hacktivists' motivations vary, from vandalism to protest, humiliating and/or calling out an individual, a group, a company, or a government. Their attacks often include defacing or disabling their target's website.

Other major targets of hacktivism are big corporations, such as Apple and Microsoft, and the big pharmaceutical industry. Tons of vegan animal rights activists and eco-activists also use hackers to push their beliefs or to go after certain companies.

Hacking phases

What comes to your mind when someone talks about the most secure system? Most people think of Linux and other operating systems. But attackers can attack or hack these technologies because they all have loopholes and vulnerabilities.

A friend (I cannot confirm whether I was involved with this or not) who was involved with a penetration test at a bank showed up at the branch with a new blade server and announced that he was running late, and needed to install a new server to make things work faster.

He feigned it was very heavy to make them hurry up. To his surprise, they did and let him in the server room unaccompanied. He rummaged through a shelf of tape backups and put some in his bag. He also grabbed a couple of hard drives that had important data and then deployed the server through a backdoor.

As a security professional, you need to anticipate any form of attack and avert it. If there is no digital hack, look out for a physical one or a social engineering hack. Your job is to discourage, deter, misdirect, and slow attackers in every way possible.

Hackers have time on their hands and are always looking for any opportunity or vulnerability to gain access to your system or information.

Having a good grasp on how hackers think helps security professionals look in the right places. This is especially important because attackers don't carry out their mission in one go. It's a process with phases. With each step or phase, the attacker inches closer to the target's environment. Let's look at each of these phases a little closer.

Reconnaissance/footprinting

This is the first phase of hacking. It involves looking at a target and trying to figure out who they are and what they have to offer. It is the most time-consuming phase for attackers, but it comes with a big payoff. The attacker gathers as much information about your company as possible and then prepares the attack based on it.

There are two ways to do this:

• Passive reconnaissance
• Active reconnaissance

Passive reconnaissance

There is no direct interaction with the target in a passive reconnaissance, so the target does not know that an attacker is looking at them. Passive reconnaissance also involves researching a target on common and public platforms.

In a passive hack, the attacker goes through the company's web page like a typical visitor, except that he or she is there to gather information. For example, a hacker can head to a company's website to look at job openings. It's neither wrong nor illegal.

Social engineering is another passive reconnaissance technique. Usually, it exploits human psychology to gain access to systems, locations, data, and information. Attackers use social engineering to manipulate people to share personal or critical information about themselves that is useful in advancing the attack.

Marketers are masters of social engineering. They will set a table at your local grocery store or mall and offer you free samples – small tasty pieces of beef or a mouthwatering bite-sized burrito. You will not know what hit you – even if you don't buy whatever they are promoting, you will listen to what they have to say about their products, and that could be the whole point of their being at the store.

Attackers use the same technique to harvest information.

Active reconnaissance

In an active reconnaissance, the attacker has direct interaction with the target. The attacker will engage with the target's system, scan the network from an internal or external perspective, and also conduct a port scan, seeking open ports.

An example of an active reconnaissance technique is when an attacker pings the target's server. That's touching the target's server, right? It's a bold move. Attackers use active reconnaissance when they discover or have every reason to believe it is unlikely that their activities will be noticed.

Dumpster diving

Old credit cards, water bills, receipts, lost IDs, companies' internal memos, forms, financial statements, lists, and so on carry valuable information that can be used by attackers. Like detectives, attackers search through trashcans, dustbins, and the like, looking for items that will help them complete target profiles.

A classic example of dumpster diving happened in the '90s, when the Department of Justice was investigating Microsoft for their practices. The Oracle Corporation hired a detective agency that went dumpster diving on the Microsoft campus and came up with information that pointed to Microsoft having some under-the-table deals.

The New York Times reported, "The Oracle Corporation acknowledged today that it had hired a prominent Washington detective firm to investigate groups sympathetic to its archrival, the Microsoft Corporation, an effort that yielded documents embarrassing to Microsoft in the midst of its antitrust battle with the government."

Scanning

Scanning is the phase where an attacker tries to gather as much information as they can. They do this using active techniques such as ping sweeps and passive techniques such as passive scanning. An attacker sniffs the traffic and identifies the target's machines and operating systems, looking for a way in, or what we call an attack vector or attack surface.

Gaining access

An attacker can also map out systems, other hardware devices, attempt to detect where a target's firewalls are, where the routers are, find out whether they can discover the IP address scheme, and so on. It tells them which targets to stay clear of and the targets they need not waste time on. Security professionals counter these attacks by gaining as much knowledge as possible about the latest attack tools and the system vulnerabilities that attackers have figured out a new way to exploit.

The next thing you'll want to do is shield your system from tools such as a port scanner that looks for ports that may be opened up by services. To protect your system, ensure that services are not running on machines that they shouldn't be running on. Properly audit the systems.

Another useful tool is a vulnerability scanner, which attackers also use – except, of course, they use the pirated versions. This tool will tell you, "Man, your default machines don't have the latest service pack installed for Windows 7 or Windows 8.1!". The thing with scanning is, if you're not scanning for vulnerabilities, somebody else who shouldn't be doing it will do it in an attempt to get into your network.

Maintaining access

After making their way in, attackers want to maintain access. An attacker can decide to pull the system out and use it as a launch pad for what they want to do with it. They can use the system to carry out attacks, and finish scanning out or footprinting the target's environment to install Wireshark to sniff the network and send results back to their location. They can also decide to install a Trojan that steals usernames and passwords, or scans for documents with certain number sequences.

Experienced attackers wind up hardening the target's machine. If they pwn (take control of) your machine completely, they want to make sure they maintain total control of it. They inject their own backdoors or Trojans, effectively clearing the vulnerabilities they exploited. It might stop other attackers but not them, because they will use a different mechanism next time.

The Term pwned

No, we did not misspell this word. It is slang spelling of the word "owned." It came from the game Warcraft, where a programmer misspelled "owned" within the game text. If you beat another player, the message was supposed to say, "Dale has been owned," but instead we were given, "Dale has been pwned." It means that you've been dominated by another player or, in the world of hacking, I have total control of your system.

To stop this, install a honeypot or a honeynet (fake systems and fake networks). It will attract attackers, but they will only end up wasting their time and energy on the fake target. You will have distracted or slowed them down.

Clearing tracks

This is the fifth and the last stage of an attack. After getting into the system, getting or doing what they wanted, the next smart move is covering their tracks – leaving the place as neat and clean as they found it, or better.

Most attackers get rid of their own entries in the log files to ensure you don't suspect they were there, because they know if the first entry in a log file was deleted, the target or security professional will want to know who deleted the file.

After that, they install a rootkit to hide their tools. Alternatively, they use steganography and hide their secret data inside the target's MP3s, or even images, to avoid detection in the white space (the unused bits in a TCP header).

This is known as a cyber blind, as an analogy to a duck blind, which is used by hunters to hide where ducks frequent, waiting to lay an ambush.

The purpose/goal of cyberattacks

So, where do these cyberattackers come from? Generally, people call them hackers or cybercriminals, but we are going to call them attackers. There is a huge difference between a hacker and an attacker. Let me explain: if we talk about a hacker, it is simply someone who exploits a target to work outside its intended purpose. A great example of this is back when I purchased my first Xbox; I modified it so that I could put a bigger hard drive inside and store all my games on it. I never needed to grab a DVD! Or how about rooting your Android device? Typically, these actions are not illegal but rather modifying systems/targets to do something different.

On the other hand, an attacker is someone who has a different motive/goal/objective to gain unauthorized access to a target. Normally, they use the same techniques, but they are looking for different outcomes (mostly illegal ones). Attackers can be internal or external to an organization and a threat to known or unknown vulnerabilities in an IT infrastructure.

We can summarize their goals by highlighting most of the objectives that attackers have:

• To disrupt an organization or the operations of a business
• To grab/steal information that is either important or private
• To take an act of revenge after losing out to an organization
• To create a financial issue
• To hurt the reputation of an organization

The Cyber Kill Chain – understanding attackers and their methods

The Cyber Kill Chain (CKC) are steps that trace stages of an attack, right from reconnaissance through to exfiltration of data. There are several models for describing the general process of an attack on system security. This model was first developed by Lockheed Martin.

Phases of the CKC

Here are the phases of the CKC.

Reconnaissance

In the reconnaissance phase, attackers gather general knowledge about the system or network. It can be a passive or active attack.

Weaponization

The attacker is going to couple the payload code – which is going to enable access remotely – with exploit code that will exploit the software and/or the security flaw.

Delivery

Here, the attacker identifies a vector to transmit the weaponized code to the target environment. They can use a website, an email attachment, or a USB drive.

Exploitation

This step is the weaponization of the code. The malware gets triggered when the target clicks on the link in the malicious email or runs the code off of a USB drive they found lying in the parking lot.

Installation

This mechanism, also known as the backdoor, enables the weaponized code (malware) to run a remote access tool for the intruder and to achieve persistence on the target system.

Command and Control (CNC)

This is when the weaponized code gives the attacker access to the target's network or system. The weaponized code establishes an outbound channel to a remote server that can be used to control the remote access tool and possibly download more tools to expand the attack.

Actions and objectives

In this phase, the intruder uses the access they've achieved to collect information from the target system and begins to transfer it through the remote system. The intention could be data exfiltration, encryption for ransom, data destruction, and so on.

Tactics, techniques, and procedures

The term Tactics, Techniques, and Procedures (TTPs) relates to the activity and method patterns associated with specific threat actors or groups of threat actors. TTPs are useful for assessing threats and characterizing threat actors, and security professionals can also utilize them to bolster an organization's security architecture. The term tactics refers to a set of rules that specify how an attacker performs. The term techniques refers to an attacker's technical approaches to achieving intermediate results during an attack.

TTPs should be understood by organizations in order to secure their networks from threat actors and prospective attacks. TTPs allow enterprises to block assaults at the outset, protecting the network from catastrophic harm. They help you understand the mindset of an attacker and predict what an attacker might try to do next.

Adversary behavior identification

The process of identifying the common tactics or strategies used by an adversary to conduct attacks on an organization's network is known as adversary behavioral identification. It provides security professionals with information on upcoming threats and exploits. It aids in the planning of network security architecture and the adaptation of a variety of security procedures as a defense against various cyberattacks. Common behaviors to watch out for include the following.

Internal reconnaissance

At this stage, the attacker collects internal information about a target network to be able to move through the network. The attacker will do reconnaissance internally –enumeration of systems and hosts, and looking out for different types of commands that are being issued on the target's network, including activities such as attempting to resolve hostnames or IP addresses. Activating remote systems is beneficial for averting this.

PowerShell

PowerShell is a great automation tool for users, but attackers exploit it as an automation tool to transfer data from the target network (data exfiltration) and to launch further attacks. Monitoring PowerShell transcript logs and Windows event logs can help identify the presence of an attacker.

The command-line interface processes

Attackers use command-line tools to gain access to target systems – to read files or their contents, modify files, create accounts, and so on. They're very easy to do from a command-line interface. Security professionals detect this behavior by looking for logs with process IDs that bear unfamiliar numbers and letters. Malicious files getting downloaded is also a pointer to this type of attack.

Suspicious proxy events

The adversary tries to create and configure multiple domains pointing to the same host to allow fast switches between domains. In this kind of attack, speed is of the essence for attackers. They have to switch quickly to elude security professionals. To catch them, check the data feeds that are generated by those domains to find unspecified domains.

HTTP user agent

In HTTP-based communication, the server identifies the connecting HTTP client using a user agent field. Attackers modify the content of the HTTP user field to communicate with any system that may be compromised or have a vulnerability to carry out attacks against it.

CNC servers

Attackers use CNC servers to communicate remotely to the systems that they've compromised. They do this through an encrypted session. To stop them in their tracks, a security professional needs to be on the lookout for unwanted open ports, encrypted traffic – especially outbound connection attempts – and so on.

DNS tunneling

Intruders use DNS tunneling to hide malicious traffic. An intruder can communicate with a CNC, bypassing security controls to grab data off of the target systems, and so on. Unfortunately, because it's in a DNS tunnel, it just looks like normal DNS traffic going through the network.

Web shell

Here, attackers use web shells to change the web server by creating a shell within the website itself, allowing them remote access to the functionality of the target server. A security professional can identify web shells running in a network by analyzing server logs, error logs, and suspicious streams that might pop up on this, such as user agent strings.

Data staging

Once intruders gain access to a target network, they stage or create different data-staging techniques to collect and combine as much information or data as they can. They can collect financial information, data about customers, employees, business models, tactics, and so on.

Most IT professionals deploy or create network infrastructure layouts to track their networks. Once intruders gather this information, they exfiltrate data or destroy it. To prevent this, security professionals look at event logs, and for data-staging areas by monitoring network traffic for malicious files.

Historically, security tools have depended on the identification of malware signatures, but there's little chance of this type of detection beating an experienced attacker. They know better than to use outdated tactics. It's very unlikely they will use tools that can be found in a database of known file-based malware, which explains why threat research has moved beyond the identification of static malware signatures.

Indicators of compromise

An Indicator of Compromise (IoC) is a residual sign that an asset or network has successfully been attacked or is being attacked. Often, an IoC can be identifiable because intruders are using some type of tool that leaves behind an ID, such as a malware signature.

Most IoCs require subjective judgment calls based on the security professional's experience and knowledge of the target system, because these IoCs are mostly identified through suspicious activities – not obvious incidences. It's also important to note that there are multiple targets and vectors of an attack, and potential IoCs will be different too. Correlating multiple IoCs to produce a complete and accurate narrative of events is key.

Common IoCs

Let's look at some common IoCs:

• Unauthorized software or unauthorized files
• Suspicious emails
• Suspicious registry or filesystem changes
• Unknown ports and protocol usage
• Excessive bandwidth usage – especially on the outbound side
• Rogue hardware devices
• Service disruption and defacement, maybe of a web page
• Suspicious or unauthorized account usage

Multiple IoCs can be linked to identify a pattern of an attacker's behavior. This behavioral analysis can then be used to model threats and perform proactive threat hunting.

One way of identifying a threat is associating indicators you discover in your logs with reputation data. A reputation threat research source will identify IP address ranges to a DNS domain that's associated with malicious activities, such as sending spam or a particular Dynamic Denial-of-Service (DDoS) attack.

"I don't even call it violence when it's self-defense. I call it intelligence," Malcolm X said.

These words capture the essence of information security controls – designed to help us protect networks.

Enter ethical hacking

So, what is the necessity of ethical hacking? Why do we need to do this? Well, we hear – almost daily – about how fast technology is moving. Because it's moving and growing so fast, it adds complexity. And because of rapid growth, and complexity, it creates issues for us.

So, with ethical hacking, we are going to try to accomplish the following:

1. First of all, you need to review systems and infrastructure, such as hardware, copy machines, switches, and Wi-Fi access points.
2. The next step is to test the current security, and you can do that via a pentest. After testing the current security, you will know how bad your system is, and by looking into that, you will be able to create solutions to cover the loopholes when it comes to the security of your system/computer.

   Pen Test

   A pen test is also known as a penetration test. It is a simulated cyberattack on your computer system to monitor for exploitable vulnerabilities.

3. The next thing you need to do is retest the solutions to ensure that the created solutions are helpful.
4. Now, when we're looking at this, we typically also need to be aware of both scope and limitation. The scope of ethical hacking is part of the risk assessment, auditing, as well as fraud. There are also best practices and a really good look at governance.

   Ethical Hacking

   Ethical hacking is commonly used as a penetration test to identify vulnerabilities and risk, identify the loopholes in a security system, and take corrective measures against those attacks.

The importance of ethical hacking

Ethical hacking is practiced to guard sensitive data from attackers. It works to protect your resources from attackers who want to exploit the vulnerability. Using ethical hacking, a company or organization can discover security vulnerabilities and risks.

Attackers keep themselves updated, figure out new mechanisms, and take advantage of new technologies to steal your data by gaining unauthorized access to your system/data.

In this scenario, you need somebody who can help to counteract these types of attacks, that is, an ethical hacker.

Ethical Hackers

They are security specialists who conduct these assessments. The proactive work that they do supports improving the security posture of an organization.

Understanding defense-in-depth strategies

Earlier on, we mentioned that information security controls work as self-defense or a safeguard for the cybersecurity of your computer. One of the baselines for securing your networks is using a defense-in-depth strategy (Figure 1.2). This means deploying different protections at different levels.

Layered protection

To understand the layer protection strategy, we'll take a look at banks and how bank robbers look at them. So, how does a skilled bank robber look at the bank they are planning to rob? They plan the robbery following these steps:

1. First, they'll case the joint. In this step, they look at things such as the parking lot area to ensure successful entry and exit, marking where the doors are, how to access which section of the bank, and where the safe is.
2. The robber then looks at the bank's security measures, such as CCTV cameras, the security alarm, security guards, and so on.
3. Lastly, they go inside and interact with the bank staff. This presents them with the opportunity to familiarize themselves with the bank's processes and procedures.

Banks invest in the best security equipment and personnel, but we still read about robberies. Banks improve their security by putting in place various security measures. In our world, we call that layered protection. We come up with different security layers for separate components.

Figure 1.2 – A defense-in-depth strategy is designed to put "roadblocks" at each level to slow attackers

Layered protection is used in the protection of data that travels between various servers and components in the enterprise. Most organizations will deploy a corporate firewall in order to keep attackers out. The companies think that the firewall is good enough, but they let their application server talk to their database server without any security measures between them. While this approach is a good start, encrypting the data streaming between the two servers would be better in case an attacker penetrates the firewall. We can protect the resource by isolating the application server behind another firewall, effectively adding another layer to our defenses.

A single layer of protection can never adequately safeguard any company. Even if one door is closed, hackers will immediately locate another wide open, and they will exploit any weaknesses. On the other hand, you may fix the gaps in your security by using a variety of defenses simultaneously, such as firewalls, malware scanners, IDSes, data encryption, and integrity auditing solutions.

Important Note

We can't stop attackers. Our job is to slow them down or at least discourage them.

There's a difference between a law and a standard or guideline. A standard is a document created through consensus and approved by a body that governs a particular industry. It is a foundation upon which common rules, guidelines, and activities for that particular environment stand.

Let's start with the basics.

Payment Card Industry Data Security Standard

Almost everybody that is involved with the credit card-processing process, including processors, merchants, issuers, and others, have to adhere to these standards in order to accept credit cards. These standards include the following:

• Payment Card Industry Data Security Standard (PCI DSS) audits – to ensure they have built and are maintaining a secure network. They confirm you have your firewall configurations in place.
• Protecting the cardholder data – to ensure that you're not using defaults for system passwords, and so on. It also includes protecting the cardholder data itself – meaning you need to encrypt it while it's in motion or in storage.
• A Vulnerability Management Program (VMP) – this shows that you are able to maintain a VMP – that you use and regularly update your antivirus or anti-malware software solutions, as well as the programs involved in every system that is used in the credit card process.
• Strong access controls – to ensure that we restrict access to cardholder information so that the business doesn't get everything; they only get what they need at any given time and it's on a need-to-know basis. This ensures that only the data that's needed is transmitted or received by that business.
• Going through and assigning unique IDs to each person with computer access.
• Restricting physical access to any of the cardholder information that the company is storing.
• We also have to prove that we regularly monitor and test our networks, and of course, we're going to update those in time.
• Information security policy – you have to prove you have a policy in place and that you're going to maintain it and update it for anybody that's involved in the process of handling any type of credit card information.

ISO, IEC 2701 2013

This standard specifies the requirements for implementing, maintaining, establishing, and continually improving information security management systems within an organization. So, we're going to make sure that we establish security requirements and goals for the organization as far as security is concerned, and then we're going to make sure that we do so in a cost-effective manner. We are going to make sure that it also helps us with any type of compliance – whether it's regulations or laws – and we're going to make sure that we define a new information security management process as we evolve.

It also helps us to check the status of information security activities within the organization. It's also used by organizations to help us provide information security information to customers if need be.

Health Insurance Portability and Accountability Act

If you are based in the US, you have probably had interaction with the Health Insurance Portability and Accountability Act (HIPAA). When you go to the doctor, or any type of medical professional, they always have a signed HIPAA form.

HIPAA provides federal protections for any individual's health information that's maintained or stored by any type of health company, medical professional, or hospital.

They have also laid out several rules for administrative, physical, and technical safeguards. This includes things such as electronic transactions and code set standards. Any transaction, including health claims, payment, remittance, claim status, authorizations, and payments, has to be secured – whether it's in motion, in storage, or at rest.

Privacy rules

This establishes another standard to protect people's medical records and other personal health information, including who the health care provider is, what the health plan is, and so on – all this information has to be secure. It also gives us (the patients) the right to control our health information, including the right to look at, and actually get, a copy of our health records.

Security rule

This rule requires appropriate physical, technical, and administrative safeguards to make sure that we have CIA of electronically protected health information.

National identifier

This is basically ensuring that each employer has a national number that identifies them on all of the different transactions that may take place.

Enforcement rule

This contains provisions related to any type of compliance and investigation, as well as the possibility of imposing penalties for violations of any HIPAA rules.

The Sarbanes-Oxley (SOX) Act

This was created in 2002 to help protect the public and investors by adding additional accuracy and reliability when it comes to corporate disclosures. Now, unfortunately, this act actually doesn't go through and tell the organization how they must store their records. Instead, it describes the records that the organization must store and how long they must store them for.

The key requirements for SOX are organized into several titles, including the following:

• Public Company Accounting Oversight Board: This creates a central oversight board tasked with going through and making sure that audits are performed, as well as helping to handle quality control.
• The auditor independence: This helps to specify that new auditors are required to be rotated. It also restricts auditing companies from providing consulting services to their clients.
• Corporate responsibility: This looks at the interaction between auditors that may be external, as well as corporate auditors, or committees, and their responsibilities. It also goes through and helps to specify the behaviors of corporate officers, and issues penalties for noncompliance.
• Reporting requirements: This covers all applicable laws, rules and regulations, orders, directives, and other requirements of a supervisory body that mandates retention of financial transactions or similar information.
• The analyst's conflict of interest: This one provides a code of conduct for security analysts and makes sure they disclose any knowledgeable conflicts of interest that they may have.
• Commission resources and authority: This goes through and helps to define the Security Exchange Commission's (SEC's) authority to censor or bar security professionals from working if they've violated any of these other titles.
• The studies and reports: This goes through and specifies the different types of studies that the SEC can conduct and how they report their findings.
• The corporate and criminal fraud accountability: This was created in 2002 and it has seven sections, describing the different criminal penalties for going through and altering financial records or manipulating them – fudging the numbers or interfering with investigations.
• The white-collar crime penalty enhancement: This sounds pretty serious, doesn't it? This actually goes through and increases the criminal penalties associated with white-collar crimes, whereby it recommends stronger sentencing guidelines.
• The corporate tax returns: This basically tells us that the CEO should sign the company tax return… which is almost a given, right?
• Corporate fraud accountability: This goes through and identifies any type of tampering or fraud as criminal offenses and then connects those offenses to specific penalties.

The Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) incorporates two different treaties that were signed back in 1996 by the World Intellectual Property Organization. It helps to define the legal prohibition against circumventing any technical protection measures that are out there for copyright holders. You are not supposed to be able to rip a DVD because a given film company has rights to it. That's where the DMCA comes into play. It guards against copyright infringement.

Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) was passed in 2002 and creates several different standards and guidelines that are required by congressional legislation. FISMA is a framework that's effective for information security controls that are out there. It includes things such as standards for categorizing information and information systems by the impact that that system or information would have on the business if it were breached. There's also a standard for minimizing security requirements for information and information systems, as well as some suggestions for us, because selecting security controls and assessing those security controls also gives us some suggestions for security authorization systems.

General Data Protection Regulation

General Data Protection Regulation (GDPR) is at a global level and went into effect in 2018. It's very stringent when it comes to privacy and security laws globally and carries some very hefty fines for anybody who violates it. While it is an EU-specific law, it has implications for services based all over the world that service geographies in the EU.

GDPR includes various protections and accountability principles:

• Lawfulness transparency and fairness: This means that the processing of data has to be lawful, transparent, and fair to the data subject.
• The purpose limitation: This basically tells you, "You better have a reason for handling this type of data!".
• Storage limitation: Normally, this identifies that you can only store personal information for a specific period of time and for a specific purpose.
• Data minimization: This ensures that we're only collecting and processing the information that's necessary for the particular purpose of getting that information.
• Accuracy: This states that you have to keep personal data accurate and up to date.
• Accountability: In this case here, the data controller is responsible for making sure that they adhere to GDPR compliance with all these different principles.
• Integrity and confidentiality: This means that when it comes to this data, we're typically going to make sure that it's encrypted with good encryption, not something that's outdated just because our app only works with this particular type of encryption. So yeah, you've got to keep up to date.

The Data Protection Act 2018

The Data Protection Act (DPA) 2018 is a framework for data protection that came out of the UK, and it's designed to protect individuals when it comes to personal data – making sure that personal data is processed lawfully. It also talks about the rights that an organization may or may not have to different personal information. It also sets out different protection rules for law enforcement and how to handle data protection when it comes to other areas, such as national security or even defense.

Important Note

With this said, every country has its own laws and standards. Find out which laws and acts apply to you based on your location.

This chapter laid a solid foundation for certified ethical hackers. It covered the fundamentals of ethical hacking, including why we do what we do, the strategies we use, and the information security laws and standards that security professionals need to have at their fingertips.

To cover all the basics, it introduced you to cyberattacks, attackers, ethical hackers, hacking techniques, and strategies, and what happens in both the good guys' and the bad guys' camps.

After listing the benefits of having a CEH certification, the chapter covered the fundamentals of CEH.

It gave you a pretty good grasp on information security, the tenets of the CIA triad, types of cyberattacks, the hacking phases cybersecurity professionals watch out for, the technology triangle, types of hackers and how to identify them by the way they behave and the attacks they carry out, the hacking phases and what happens at each stage, why cyberattacks happen, and what motivates attackers.

It also covered the behavioral identification of attackers, the methods attackers use to execute attacks, and the strategies and techniques cybersecurity professionals use to discourage, deter, misdirect, or slow them.

It also got you to study the world's best hacker framework, the CKC, as you went through the steps that trace the stages of an attack, right from reconnaissance through to exfiltration of data.

Now that we've got a good understanding of information security, let's next dive deeper into how attackers begin to target organizations by performing reconnaissance and footprinting. The next chapter will show you how easy it is to discover intelligence, such as systems being used, names of employees, infrastructure layouts, and even data on social media that could help attackers breach a network.

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

1. What is the goal of ethical hacking?
   1. To detect security flaws before they are exploited by attackers
   2. To search for updates and patches
   3. To get a competitive advantage over your rivals
   4. To put your security skills to the test
2. What does covering your tracks mean?
   1. Determining the extent of the investigation
   2. Concealing activity
   3. Cleaning up following a pentest
   4. Using a rootkit to hide tools
3. What is the name of a set of software tools that allows an attacker to access a target remotely and remain hidden for long durations without detection?
   1. GDRP
   2. A rootkit
   3. A social engineering kit
   4. SIEM
4. Which of the following attacks is considered hard to detect?
   1. Distribution
   2. Insider
   3. Close-in
   4. Active
   5. Passive