**Challenge 5: Difficulties in Breaking Down Threats and Understanding the Actual Risk**

In some cases it is difficult to identify the high-level threats and then break them down into sub-threats that are easier to deal with. It is also challenging at times to identify the failure conditions in a system that may lead to those threats. A deeper understanding of these conditions is always preferable, since it directs the effort spent on understanding and mitigating the risks. Security teams should have the right framework and techniques for robust application security in order to predict possible future attack scenarios effectively.

## **5. Environmental reconnaissance**

In the context of cybersecurity, reconnaissance can be defined as the practice of discovering and collecting information about a system in order to facilitate an attacker's later activities. Many tools can be used for reconnaissance; the following subsections group them by category [29].

#### **5.1 Social engineering techniques as reconnaissance tools**

Attackers use these techniques as psychological tricks to manipulate people into taking certain actions, such as exposing sensitive information that can seriously harm an organization's security [30]. A good example is an attacker who poses as a help-desk technician on a telephone call and tries to trick a user into revealing his or her password. Social engineering can essentially be understood as running a con online, and there are six main levers that make social engineering attacks feasible: authority and trust, intimidation, consensus and social proof, scarcity, urgency, and familiarity and liking. In the first, authority and trust, users are tricked because they are willing to follow orders from an unauthorized person on the basis of perceived authority and assumed trust. The second lever, intimidation, pushes people to do things they are not supposed to do by scaring them, for example by telling them that something bad will happen to them or to their organization. In the third tactic, consensus and social proof, individuals who do not know exactly how to react to a situation simply look at others and follow their behavior; this is sometimes called the herd mentality. Scarcity is exploited by making people believe they will miss out if they do not act quickly. For example, attackers can persuade staff to install an unauthorized Wi-Fi router in the office by claiming that they are upgrading the existing Wi-Fi technology and that only one router of the new model is left [31]. With urgency, the attackers create a high-pressure situation in which people are pushed to act quickly because time is running out. In the final tactic, familiarity and liking, the social engineer uses flattery, false compliments or even fake relationships to appeal to the target's good side and then influence his or her actions.

In conclusion, a cybersecurity analyst should be aware that attackers can use different social engineering attacks against the organization in an attempt to gather critical information and influence people's actions.

#### **5.2 DNS harvesting as reconnaissance tools**

In general, domain names and their associated IP addresses are an excellent starting point for gathering useful information about the true owners of systems, and several utilities can be used to learn more about remote hosts. The first step is usually to learn about the host behind a given domain name; here it is worth remembering that DNS translates domain names into IP addresses [32]. Such lookups can be performed manually to find the IP addresses associated with a domain name. On Linux and macOS systems the dig command is the primary tool; nslookup, which is also the usual choice on Windows, works in essentially the same way. The reverse direction matters as well, for example when an IP address is the source of suspicious log entries or appears in the output of a netstat command. Given an IP address or domain name to investigate, the whois utility reveals the ownership of that domain name or address block. Whois lookups are also offered by many websites, such as domaintools.com. Such a site can report the registrant organization of a domain, the registrar it was registered through, and when it was created and renewed. It may even give contact information for the owner of the domain, such as an e-mail address, street address and telephone number, in case they need to be contacted regarding that domain. The same website utility can be used to look up an IP address, returning the organization to which the address is registered and the contact information needed to reach that organization [33]. Note that since 2018 many registrars redact personal registrant details in public whois output, so for individually registered domains this contact information is often available only through the registrar's abuse contact.

Another useful reconnaissance tool in this context is reverse whois lookup, which finds all domain names related to a given e-mail address or other registrant detail. This is very helpful for understanding how different domain names relate to each other. A wide variety of reverse whois tools are available on the Internet; viewdns.info is a good example. Such lookups are valuable to attackers targeting a particular domain because they reveal who owns it and what other domains the same owner may hold [34].

#### *Intelligent Cybersecurity Threat Management in Modern Information Technologies Systems DOI: http://dx.doi.org/10.5772/intechopen.105478*

In conclusion, cybersecurity analysts are always recommended to run all of these tools and techniques against their own IP addresses and domain names, in order to learn what potential attackers could discover about the organization.

#### **5.3 Network scanning and mapping**

The network topology, how hosts are connected to it, the open communication ports on a given server and the fingerprint of its running operating system are the most important pieces of information an attacker looks for when attacking an organization's network. The most important tools here are Nmap and Zenmap [35]. They identify the connected hosts and the topology of the network, discover open service ports, and identify the server's operating system and version. For example, these tools may report a server listening on TCP port 3389, which is the port used by the Microsoft Remote Desktop service. As for the difference between the two, Zenmap is the graphical front end to Nmap: it can draw the network topology and lets the analyst focus on a particular host and examine it in terms of its open service ports and OS fingerprint [36].

#### **5.4 Passive and active enumeration tools**

Passive enumeration tools such as Wireshark gather information about a network without directly interacting with it or announcing their presence. Active enumeration tools, on the other hand, interact directly with the target systems and can therefore capture more complete information, at the risk of being discovered by the system administrator. Nmap, for example, conducts port scanning by sending probes to the remote server, so it is an active enumeration tool. Another interesting example is hping, which can probe specific TCP ports such as port 80 (HTTP), port 443 (HTTPS) or port 22 (Secure Shell) [36]. Hping helps determine how a system is configured from a security standpoint and where its potential vulnerabilities lie, and it is especially useful for advanced penetration testing because it allows the content of the sent packets to be customized. A further enumeration tool, described as opportunistic, is Responder, a Python script. It waits for broadcast name-resolution requests (LLMNR and NBT-NS) and answers them, capturing traffic intended for other systems; the aim is to trick users, or their machines, into authenticating to a fake server so that Responder can capture the credentials or password hashes for use in later attacks [37, 38].
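The following added example (written for this edition; it is not code from the chapter, from dig, or from the Responder project) shows what is on the wire in the lookups of section 5.2 and the broadcast answers of section 5.4. It builds a DNS-format query, which is the same message layout LLMNR uses on UDP port 5355, parses an answer, and applies the canary check defenders use against Responder-style poisoners: a query for a name that does not exist on the LAN should receive no reply, so any reply identifies a poisoner. All bytes are constructed in memory and nothing is sent; the canary hostname and the attacker address 192.0.2.66 are assumptions.

```python
"""Build/parse DNS-format messages (DNS on 53, LLMNR on 5355) and detect a
Responder-style poisoned answer. Added example; packets constructed inline."""
import random
import struct

LLMNR_MCAST = ("224.0.0.252", 5355)   # RFC 4795 multicast group and port
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'host.example' -> b'\\x04host\\x07example\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if jumped else off)


def build_query(name, txid=None):
    """One-question A query; identical layout for dig (DNS) and for LLMNR."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_answer(query, ip):
    """What a responder (legitimate or poisoner) sends back: QR=1, one A record
    whose name is a pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                  # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
    rr += bytes(int(o) for o in ip.split("."))
    return header + question + rr


def parse_answer(msg):
    """Return (txid, qname, [A record IPs]) from a DNS/LLMNR response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                   # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, ips


def canary_check(query, replies):
    """A poisoner answers any name it sees. Send a query for a name that does
    not exist; every reply with our transaction ID is a suspect. replies is a
    list of (sender_ip, raw_bytes) as received from the socket."""
    sent_id = struct.unpack("!H", query[:2])[0]
    suspects = []
    for sender, raw in replies:
        txid, _, ips = parse_answer(raw)
        if txid == sent_id:
            suspects.append((sender, ips))
    return suspects


if __name__ == "__main__":
    q = build_query("fileshare-typo.local", txid=0x1234)   # assumed canary name
    poisoned = build_answer(q, "192.0.2.66")               # constructed attacker reply
    print("would multicast to", LLMNR_MCAST, "-> parsed:", parse_answer(poisoned))
    print("suspects:", canary_check(q, [("192.0.2.66", poisoned)]))
```

In a real deployment the query is sent to 224.0.0.252:5355 from a UDP socket and the replies collected for a second or so; a legitimate network returns nothing for the canary name, so the suspect list is a direct alert on Responder or any similar tool.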

#### **5.5 Protocols analyzer tools**

Protocol analyzer tools are important for network analysis professionals and cybersecurity professionals alike. They capture the actual packets travelling on a network and allow them to be examined in great detail. Wireshark is the best-known tool in this category: a free and open-source packet analyzer used for network troubleshooting on the basis of real network traffic. Troubleshooting with this tool can cover dropped packets, latency issues and the discovery of unusual traffic caused by malicious activity [39, 40].
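To make concrete what a protocol analyzer does before it can show anything, the following added example (not code from the chapter or from Wireshark) reads a libpcap capture, splits each frame into its Ethernet, IPv4 and TCP headers, and then flags connection attempts to unexpected ports, the "unusual traffic" the text mentions. The capture is constructed in memory (two TCP SYNs between RFC 5737 documentation addresses, with checksums left at zero) so that it runs with no file or network access; a real capture would be read with open("trace.pcap", "rb").read() instead.

```python
"""Minimal libpcap reader with Ethernet/IPv4/TCP dissection. Added example;
the capture bytes are constructed below, not a real trace."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_tcp_syn(src_ip, dst_ip, sport, dport):
    """Ethernet + IPv4 + TCP SYN frame; checksums are zero here (a real
    capture carries them and Wireshark flags them when wrong)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, TCP_SYN, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                       PROTO_TCP, 0, _ip4(src_ip), _ip4(dst_ip))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ipv4 + tcp


def build_pcap(frames):
    """Little-endian libpcap file: 24-byte global header, then per record a
    16-byte header (ts_sec, ts_usec, captured len, original len) and the frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (timestamp, src, sport, dst, dport, tcp_flags) per IPv4/TCP frame."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:            # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is a different format)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                      # ARP, IPv6, ... not dissected here
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options possible)
        if ip[9] != PROTO_TCP:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        flags = ip[ihl + 13]
        yield (ts_sec + ts_usec / 1e6, src, sport, dst, dport, flags)


def unusual_destinations(records, expected_ports):
    """New connections (SYN without ACK) to ports outside the expected set."""
    return [(src, dst, dport) for _, src, _, dst, dport, flags in records
            if (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN and dport not in expected_ports]


# Constructed capture: one normal HTTPS connection and one SYN to port 4444.
CONSTRUCTED_CAPTURE = build_pcap([
    build_tcp_syn("192.0.2.10", "192.0.2.20", 51000, 443),
    build_tcp_syn("192.0.2.10", "203.0.113.5", 51001, 4444),
])

if __name__ == "__main__":
    recs = list(parse_pcap(CONSTRUCTED_CAPTURE))
    for ts, src, sport, dst, dport, flags in recs:
        print(f"{ts:.6f} {src}:{sport} -> {dst}:{dport} flags=0x{flags:02x}")
    print("unusual:", unusual_destinations(recs, {80, 443}))
```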

#### **5.6 Tools for wireless reconnaissance**

These tools analyze wireless network environments and are used mainly to test the security of a wireless network. The most common toolkit here is Aircrack-ng, a collection of tools that serve different stages of the wireless reconnaissance effort. The core components used to test wireless network security are the following. Airmon-ng puts a wireless interface into monitor mode, in which it captures all wireless frames in range rather than only those addressed to it, and so enables eavesdropping on wireless traffic. Airodump-ng captures packets travelling over a wireless network. Aircrack-ng, the most important tool in the suite, attempts to recover the encryption keys used by the wireless network from captured traffic. Aireplay-ng injects traffic into a wireless network; its deauthentication frames can force legitimate wireless clients to disconnect, for instance so that their reconnection handshake can be captured [41].

Two other widely used wireless tools are Reaver and Hashcat. Reaver retrieves Wi-Fi passwords by exploiting weaknesses in Wi-Fi Protected Setup (WPS): it brute-forces the WPS PIN online against the access point and, once the PIN is recovered, obtains the WPA or WPA2 passphrase (Ram, 2016). As a good security practice, WPS should be disabled on the Wi-Fi network so that it is not vulnerable to a Reaver attack. Hashcat is used to conduct brute-force and dictionary attacks against hashed passwords, including captured WPA and WPA2 handshake material [42, 43].
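The following added example (not code from the chapter, Hashcat or Reaver) shows why the two attacks above work. WPA/WPA2-PSK derives its Pairwise Master Key from the passphrase and SSID with PBKDF2-HMAC-SHA1, so a captured handshake can be attacked offline by recomputing that derivation for every wordlist candidate; Hashcat verifies candidates against handshake or PMKID material, and to stay self-contained the example verifies against the PMK itself, which is the same per-candidate cost. The WPS PIN has a checksum digit and is verified by the access point in two halves, which is what reduces Reaver's online search to 11,000 attempts. The SSID and wordlist are constructed; the PMK value checked is the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
"""WPA-PSK key derivation, an offline dictionary attack against it, and the
WPS PIN checksum/search space. Added example; wordlist and SSID constructed."""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11 for WPA/WPA2-PSK


def wpa_pmk(passphrase, ssid):
    """Pairwise Master Key = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, dklen=32)


def dictionary_attack(target_pmk, ssid, wordlist):
    """Recompute the PMK for each candidate and compare; returns the matching
    passphrase or None. The 4096 rounds per candidate are the whole cost of the
    attack, which is why long random passphrases survive it and short ones do not."""
    for candidate in wordlist:
        if hmac.compare_digest(wpa_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


def wps_pin_checksum(first7):
    """Checksum digit of a 7-digit WPS PIN body: digits weighted 3,1,3,1,...
    from the right, checksum = (10 - sum mod 10) mod 10."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin8):
    """True if the last digit of the 8-digit PIN is the checksum of the first seven."""
    return wps_pin_checksum(pin8 // 10) == pin8 % 10


def wps_search_space():
    """The AP reveals whether the first 4 digits are right before the second
    half is checked, and the checksum fixes the last digit, so at most
    10^4 + 10^3 online attempts are needed instead of 10^8."""
    return 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    pmk = wpa_pmk("password", "IEEE")                    # IEEE 802.11i Annex H vector
    print("PMK:", pmk.hex())
    words = ["letmein", "qwerty123", "correct horse", "password"]   # constructed wordlist
    print("recovered passphrase:", dictionary_attack(pmk, "IEEE", words))
    print("checksum(1234567) =", wps_pin_checksum(1234567),
          "| 12345670 valid:", is_valid_wps_pin(12345670),
          "| WPS attempts worst case:", wps_search_space())
```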

#### **5.7 The different perspectives of network security reconnaissance**

It is extremely important to understand the perspectives from which a network can be viewed when conducting network reconnaissance. The different layers of network security controls can significantly limit access as well as the accuracy of network scans. Network devices such as firewalls, intrusion detection systems, switches and routers restrict access to network resources and, at the same time, reduce the accuracy of network scanning [44]. Accordingly, the set of open ports can look different depending on whether the network is scanned internally or externally, because firewall rules apply differently in each case. In brief, scanning from inside and from outside the network provides different views: the external scan shows the cybersecurity analyst the potential attack surface from the Internet, while the internal scan shows the view available to an insider, and both are important. Beyond the internal and external aspects, network security reconnaissance must also consider whether the scanned systems are physical or virtual servers, whether they run on premises or in the cloud, and whether they are wired or wireless. All of these affect the scanning results, which in turn affect the reconnaissance conclusions [45].
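The following added example (not code from the chapter or the Nmap project) ties sections 5.3 and 5.7 together: it parses the XML that Nmap writes with -oX, listing open ports, service names and the OS match, and then compares an external scan with an internal scan of the same host to show which ports the firewall hides from the Internet and how the OS guess degrades from outside. Both XML documents are constructed by hand in the shape Nmap produces; the host (an RFC 5737 documentation address), services and OS matches are invented for illustration.

```python
"""Parse Nmap -oX output and compare an Internet-side scan with a LAN-side
scan of the same host. Added example; both XML documents are constructed."""
import xml.etree.ElementTree as ET

SCAN_FROM_INTERNET = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX ext.xml 192.0.2.10">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
   <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
  </ports>
  <os><osmatch name="Linux 5.X" accuracy="60"/></os>
 </host>
</nmaprun>"""

SCAN_FROM_LAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX int.xml 192.0.2.10">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2019" accuracy="95"/></os>
 </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {addr: {"os": str, "os_accuracy": int, "ports": {port: (state, service)}}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        osmatch = host.find("os/osmatch")           # first (best) OS guess, if any
        ports = {}
        for port in host.findall("ports/port"):
            svc = port.find("service")
            ports[int(port.get("portid"))] = (
                port.find("state").get("state"),
                svc.get("name") if svc is not None else "unknown")
        hosts[addr_el.get("addr")] = {
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else 0,
            "ports": ports}
    return hosts


def open_ports(host):
    return sorted(p for p, (state, _) in host["ports"].items() if state == "open")


def compare_views(external, internal):
    """For each host in both scans: what the Internet sees, what only the LAN
    sees, and whether the OS fingerprint disagrees between the two vantage points."""
    report = {}
    for addr in external.keys() & internal.keys():
        ext, lan = external[addr], internal[addr]
        report[addr] = {
            "internet_facing": open_ports(ext),
            "lan_only": sorted(set(open_ports(lan)) - set(open_ports(ext))),
            "os_guess_disagrees": ext["os"] != lan["os"],
        }
    return report


if __name__ == "__main__":
    ext, lan = parse_nmap_xml(SCAN_FROM_INTERNET), parse_nmap_xml(SCAN_FROM_LAN)
    for addr, h in lan.items():
        print(addr, "LAN view:", [(p, h["ports"][p][1]) for p in open_ports(h)],
              "OS:", h["os"], f"({h['os_accuracy']}%)")
    print(compare_views(ext, lan))
```

The same parser serves the single-scan case of section 5.3; the LAN view above reports 3389/tcp as ms-wbt-server, the Remote Desktop service mentioned there.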

## **6. Cloud-based security services**

Over the past decade, cloud computing has arguably been the most transformative development in information technology. Most organizations around the world are adapting and retooling their entire IT strategies to integrate with the cloud. In its simplest definition, the cloud is the delivery of computing resources or services to remote clients over a network. For example, accessing a Gmail account is a use of cloud computing: Google provides an e-mail service over the Internet, and the end user does not need to know or care about the massive technical infrastructure that makes Gmail work. Likewise, when someone builds a server in Amazon Web Services, he or she is using cloud computing. Amazon makes it appear to be that person's own server, but in fact it is a virtual server running in a massive Amazon data center on hardware shared with many other customers at the same time. The beauty of this is that the technology that makes it happen is invisible to the end user. Even writing scripts on Salesforce.com to follow up automatically with clients is a cloud computing use case, because the code that sends the follow-up e-mail is executed on top of Salesforce's cloud-based platform [46].

Any discussion of cloud resources and services should cover the main cloud security risks, and the risks associated with Application Programming Interfaces (APIs) deserve particular attention. APIs give developers programmatic access to services; the Amazon Web Services API, for example, allows server instances to be created and provisioned. If these API operations can be performed by unauthorized individuals, that is a serious security issue. Developers should require strong authentication to prevent misuse of APIs and avoid insecure ones. Key management is important here: API keys deserve the same level of protection as encryption keys, because losing control of an API key is a very serious risk.
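The most common way control of an API key is lost is that it gets pasted into source, a configuration file or a log. The following added example (not code from the chapter) is the kind of pre-commit check that catches this: it matches the documented AWS access key ID format (AKIA or ASIA followed by 16 upper-case alphanumerics) and the 40-character secret next to its usual configuration name, and applies a generic quoted-literal rule filtered by Shannon entropy. The sample text is constructed and uses the example credentials AWS publishes in its own documentation; the generic rule and the 3.5 bits-per-character threshold are heuristics chosen here, not a standard.

```python
"""Scan text for hard-coded cloud API keys. Added example; sample constructed,
AWS values are AWS's published example credentials (not live keys)."""
import math
import re

PATTERNS = {
    # AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # The 40-character secret when it sits next to its usual config name.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})\b"),
    # Heuristic: any quoted literal assigned to a secret-looking name.
    "quoted_secret_literal": re.compile(
        r"(?i)\b(?:secret|api[_-]?key|token|password)\w*\s*[:=]\s*['\"]([A-Za-z0-9/+=_\-]{16,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5   # bits/char; random keys score near log2(alphabet size)


def shannon_entropy(s):
    """Bits per character of the string's character-frequency distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_for_keys(text):
    """Return [(line_no, rule, value)] for lines that look like hard-coded keys.
    Lines that read the value from the environment or a secrets store are the
    intended pattern and are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "environ" in line or "${" in line or "get_secret(" in line:
            continue
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "quoted_secret_literal" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue   # low-entropy literal: likely a placeholder or a passphrase
                findings.append((line_no, rule, value))
    return findings


# Constructed sample: leaked literals mixed with the safe run-time patterns.
SAMPLE_TEXT = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_key = "Zq3vX8pL2mN7bR4tK9wS1yD6fH0jC5gA"
password = "correct-horse-battery"
api_token = os.environ["API_TOKEN"]
db_password = get_secret("prod/db")
"""

if __name__ == "__main__":
    for line_no, rule, value in scan_for_keys(SAMPLE_TEXT):
        print(f"line {line_no}: {rule}: {value[:4]}...{value[-4:]}")
```

Note the limit the sample exposes: the entropy filter lets the human-readable passphrase on line 5 through, so the generic rule is a backstop for random-looking tokens, not a guarantee. The durable fix is the one the text gives, keys supplied at run time from the environment or a secrets store, which the scanner deliberately treats as clean.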

The most common cloud-based security services of interest are explained in the following sections.

#### **6.1 Cloud identity and access management (IAM)**

The threats and security challenges addressed under this category include identity theft, unauthorized access, privilege escalation, insider threats and fraud. Possible countermeasures include assigning duties on the basis of identity entitlements and compliance-centric reporting [47–49].

#### **6.2 Cloud data loss prevention**

The threats and security challenges addressed under this category include misuse of data by the data center operator or others through unauthorized access, compromise of data integrity, and issues caused by data sovereignty [50]. Possible enhancements include file and directory integrity checking via hashing, smart responses to matches in unstructured data, and integration with intrusion detection solutions [51].

#### **6.3 Cloud web security**

The threats and security challenges addressed under this category include malware, spyware, key loggers, phishing, viruses, spam and bandwidth consumption. Possible enhancements include policy enforcement that categorizes websites by security level, categorizing websites by IP address or URL, domain rating, and rating websites on the basis of users' requests [52, 53].

#### **6.4 Cloud E-mail security**

The threats and security challenges addressed under this category include phishing, intrusion, malware, spam and address spoofing. Possible enhancements include an e-mail backup policy, data loss prevention for SMTP and webmail, secure archiving, mail encryption, signing and time stamping [54, 55].
