Objectives
Research and analyze cyber security incidents
Background / Scenario
In 2016, it was estimated that businesses lost $400 million annually to cyber criminals. Governments,
businesses, and individual users are increasingly the targets of cyberattacks, and cybersecurity incidents are
becoming more common.
In this lab, you will create three hypothetical cyber attackers, each with an organization, an attack, and a
method for an organization to prevent or mitigate the attack.
Note: You can use the web browser in the virtual machine installed in a previous lab to research security issues.
Browsing from the virtual machine reduces the risk of malware being installed on your own computer.
Required Resources
PC or mobile device with Internet access
Scenario 1:
a. Who is the attacker?
ANSWER:
The attacker is a computer networking student at a university, working with friends who are failing their classes; bullying may also be a factor.
Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 4 www.netacad.com
Lab – Visualizing the Black Hats
The student group developed a keystroke logger to capture the keystrokes of all university staff in order to obtain
network logins and passwords. Being computer networking students, although without a huge amount of time on
their hands, they opt for a hypervisor-based keylogger. The keylogger resides in a malicious hypervisor running
underneath the operating system, which is left untouched and effectively becomes a guest VM, so nothing inside
the OS changes. The example I found of this is Blue Pill, a rootkit based on x86 virtualization.
e. What was the target and vulnerability used against the business?
ANSWER:
As the creator of Blue Pill claimed, any detection program could be fooled by the hypervisor, making such a
system almost 100% undetectable. Since AMD virtualization is seamless by design, a virtualized guest is not
supposed to be able to tell whether or not it is running as a guest. By that argument, the only way a program
like Blue Pill could be detected is if the virtualization implementation were not functioning correctly.
AMD and other security researchers consider this claim implausible: the hypervisor can be detected by a timing
attack that relies on an external source of time, because instructions the hypervisor must intercept (such as
CPUID) take measurably longer when they trap, and an external clock cannot be adjusted by the rootkit the way
the guest's own time stamp counter can.
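A timing check of the kind those researchers had in mind, added here as an example (it is not part of the lab and is not Blue Pill's code): it times the CPUID instruction, which Intel VT-x always traps to the hypervisor and which AMD-V hypervisors intercept in practice, against both the time stamp counter and a second clock. The 1000-cycle threshold and the use of CLOCK_MONOTONIC in place of a genuinely external (network) clock are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not from the lab or from Blue Pill: does CPUID cost what it
 * should? A trapped CPUID costs thousands of TSC cycles instead of a few
 * hundred. TRAP_THRESHOLD_CYCLES is an assumption, not a published constant. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define SAMPLES 200
#define TRAP_THRESHOLD_CYCLES 1000ULL   /* assumption: tune per CPU model */

#if defined(__x86_64__)
/* Read the time stamp counter; lfence stops earlier instructions from being
 * reordered past rdtsc so the interval measures only what sits between reads. */
static inline uint64_t read_tsc(void) {
    unsigned lo, hi;
    __asm__ __volatile__("lfence\n\trdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
}
/* CPUID leaf 0: the instruction a hypervisor has to intercept. */
static inline void cpuid_leaf0(void) {
    unsigned a = 0, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    (void)a; (void)b; (void)c; (void)d;
}
#endif

/* Second clock, independent of the TSC. A rootkit can offset the guest TSC,
 * which is why the researchers spoke of an external time source (a network
 * clock); CLOCK_MONOTONIC stands in for it here (assumption) and is itself
 * virtualisable, so treat it as the weaker of the two references. */
static uint64_t mono_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (sorts v in place); the median shrugs off the occasional
 * interrupt or context switch that would drag a mean upwards. */
uint64_t median_u64(uint64_t *v, size_t n) {
    if (n == 0) return 0;
    qsort(v, n, sizeof *v, cmp_u64);
    return n % 2 ? v[n / 2] : (v[n / 2 - 1] + v[n / 2]) / 2;
}

/* Decision rule: 1 = CPUID looks trapped (hypervisor suspected), 0 = looks native. */
int cpuid_looks_trapped(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles >= threshold;
}

/* Fills cycles[i] with the TSC cost of one CPUID and *wall_ns with the second
 * clock's reading for the whole run. Returns -1 when the build is not x86-64. */
int measure_cpuid(uint64_t *cycles, size_t n, uint64_t *wall_ns) {
#if defined(__x86_64__)
    uint64_t t0 = mono_ns();
    for (size_t i = 0; i < n; i++) {
        uint64_t a = read_tsc();
        cpuid_leaf0();
        cycles[i] = read_tsc() - a;
    }
    *wall_ns = mono_ns() - t0;
    return 0;
#else
    (void)cycles; (void)n;
    *wall_ns = 0;
    return -1;
#endif
}

int main(void) {
    uint64_t cycles[SAMPLES], wall;
    if (measure_cpuid(cycles, SAMPLES, &wall) != 0) {
        puts("not an x86-64 build: cannot time CPUID");
        return 0;
    }
    uint64_t med = median_u64(cycles, SAMPLES);
    printf("median CPUID cost: %llu TSC cycles, %.0f ns per call by the second clock\n",
           (unsigned long long)med, (double)wall / SAMPLES);
    puts(cpuid_looks_trapped(med, TRAP_THRESHOLD_CYCLES)
             ? "verdict: CPUID is being trapped, hypervisor suspected"
             : "verdict: CPUID cost looks native");
    return 0;
}
```

Build with `cc -O2 detect.c -o detect` and run it on bare metal and inside a VM: the median is typically a few hundred cycles natively and several thousand under a hypervisor. If a rootkit also rewrites the TSC offset, the cycle count can be made to look native, and only the comparison against a clock the rootkit does not control still gives it away, which is why the external time source matters.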
Scenario 2:
a. Who is the attacker?
ANSWER:
The attacker in this scenario is an insider at a major corporation such as PayPal who is seeking financial
gain.
ANSWER: The motive of the hacker is financial gain, achieved by tricking people into entering their bank
details on a fake website reached through a link sent by email.
e. What was the target and vulnerability used against the business?
ANSWER: The attacker collects information about potential targets from social media, including their
personal and professional relationships and other personal details, and uses it to craft a personalized
message that looks and sounds authentic enough to convince the target to respond to the sender's request
(spear phishing). The message may ask the target to reply directly, or it may carry a malicious attachment
that installs malware on the target's device, or a link that directs the target to a malicious website set up
to trick them into giving up sensitive information such as passwords, account details or credit card numbers.
An attack like this also makes the company the attacker works for look unreliable. People are less likely to
use a service if they believe it is a scam for their money, and although a single employee is doing the
scamming, it reflects on the company.
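The link tricks such a message relies on, spelled out as a small checker (an added example, not part of the lab): it pulls every `<a href>` out of a constructed HTML e-mail body and flags a registered domain that matches the brand only after undoing common character substitutions (1 for l, 0 for o, rn for m, vv for w), the brand name buried inside an unrelated host, and visible link text that names a different host than the href points to. The brand domain, the substitution table and the e-mail body are assumptions constructed for the example.

```c
/* Added example, not part of the lab: flags the link tricks a spear-phishing
 * e-mail uses to steer a target to a fake site. SAMPLE_HTML is constructed;
 * the brand domain and the look-alike substitution table are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTSZ 128

/* Lowercased host of an http(s) URL or bare host name into out; -1 for
 * other schemes (mailto:, tel:), relative links or an oversized host. */
int url_host(const char *url, char *out, size_t outsz) {
    const char *p = strstr(url, "://");
    if (p) p += 3; else if (strchr(url, ':')) return -1; else p = url;
    size_t n = strcspn(p, "/:?\"");
    if (n == 0 || n + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 0;
}

/* Last two labels of a host ("paypal.com" for "www.paypal.com").
 * Assumption: no public-suffix list, so "bank.co.uk" would come out as "co.uk". */
const char *registered_domain(const char *host) {
    const char *last = strrchr(host, '.');
    if (!last || last == host) return host;
    const char *p = last - 1;
    while (p > host && *p != '.') p--;
    return *p == '.' ? p + 1 : host;
}

/* Undo the substitutions look-alike domains lean on: 1->l, 0->o, rn->m, vv->w. */
void deglyph(const char *in, char *out, size_t outsz) {
    size_t j = 0;
    for (size_t i = 0; in[i] && j + 1 < outsz; i++) {
        char c = in[i];
        if (c == '1') c = 'l';
        else if (c == '0') c = 'o';
        else if (c == 'r' && in[i + 1] == 'n') { c = 'm'; i++; }
        else if (c == 'v' && in[i + 1] == 'v') { c = 'w'; i++; }
        out[j++] = c;
    }
    out[j] = '\0';
}

/* Does the visible link text read like a host or URL rather than prose? */
static int looks_like_host(const char *s) {
    size_t n = strlen(s);
    return n > 3 && !strchr(s, ' ') && strchr(s, '.') && s[n - 1] != '.';
}

/* 0 = consistent with the brand; 1 = look-alike registered domain;
 * 2 = brand name buried in a foreign host; 3 = visible text names another host. */
int classify_link(const char *href, const char *text, const char *brand) {
    char host[HOSTSZ], norm[HOSTSZ], thost[HOSTSZ], label[HOSTSZ];
    if (url_host(href, host, sizeof host) != 0) return 0;
    const char *reg = registered_domain(host);
    if (strcmp(reg, brand) == 0) return 0;
    deglyph(reg, norm, sizeof norm);
    if (strcmp(norm, brand) == 0) return 1;
    size_t n = strcspn(brand, ".");              /* "paypal" from "paypal.com" */
    memcpy(label, brand, n); label[n] = '\0';
    if (strstr(host, label)) return 2;
    if ((strstr(text, "://") || looks_like_host(text)) &&
        url_host(text, thost, sizeof thost) == 0 && strcmp(thost, host) != 0) return 3;
    return 0;
}

/* Walks every <a href="...">text</a> in html and returns how many were flagged. */
int scan_links(const char *html, const char *brand) {
    int flagged = 0;
    const char *p = html, *q, *t, *e;
    char href[256], text[256];
    while ((p = strstr(p, "<a href=\"")) != NULL) {
        p += 9;
        if (!(q = strchr(p, '"')) || (size_t)(q - p) >= sizeof href) break;
        memcpy(href, p, (size_t)(q - p)); href[q - p] = '\0';
        if (!(t = strchr(q, '>'))) break;
        t++;
        if (!(e = strchr(t, '<')) || (size_t)(e - t) >= sizeof text) break;
        memcpy(text, t, (size_t)(e - t)); text[e - t] = '\0';
        int rule = classify_link(href, text, brand);
        if (rule) { flagged++; printf("SUSPICIOUS (rule %d): href=%s text=\"%s\"\n", rule, href, text); }
        p = e;
    }
    return flagged;
}

/* Constructed spear-phishing body: one genuine link, three tricks, one mailto. */
static const char SAMPLE_HTML[] =
    "<p>Hi Alex, great meeting you at the conference. Please confirm "
    "<a href=\"https://www.paypal.com/myaccount\">your PayPal account</a> today.</p>"
    "<p>Use the <a href=\"https://paypa1.com/login\">secure login</a>, the "
    "<a href=\"https://paypal.com.secure-login.example/verify\">verification page</a> or "
    "<a href=\"http://203.0.113.9/p\">https://www.paypal.com/settings</a>.</p>"
    "<p><a href=\"mailto:support@paypal.com\">Contact support</a></p>";

int main(void) {
    printf("%d suspicious link(s)\n", scan_links(SAMPLE_HTML, "paypal.com"));
    return 0;
}
```

Run against the sample it reports three suspicious links: the digit-for-letter domain, the brand used as a subdomain of a foreign domain, and the text/href mismatch; the genuine link and the mailto pass. A production filter would add a public-suffix list and Unicode confusables, which this example leaves out.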
Scenario 3:
a. Who is the attacker?
ANSWER:
The attacker is a hacker attempting to bring down a government website or service.
e. What was the target and vulnerability used against the business?
ANSWER: Ping of Death (PoD) attacks exploit a legacy weakness in IP fragment reassembly: a ping whose
fragments reassemble to more than the 65,535-byte IPv4 maximum overflowed the reassembly buffer on older
systems and crashed or froze them. The weakness has long been patched in most targets, but an unpatched
system remains vulnerable, and modern stacks still drop any fragment that would reassemble past the limit.
A different attack is often confused with PoD: the ping flood, in which the targeted system is hit with ICMP
echo requests sent as fast as possible (for example with ping's flood option) without waiting for replies,
exhausting its bandwidth or processing capacity rather than exploiting a bug.
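The two checks a network defender would run against this traffic, as an added example that is not part of the lab: a stateless Ping of Death check on each fragment (a fragment whose end, plus the 20-byte IPv4 header, lands past 65,535 bytes cannot be reassembled legitimately) and a per-source rate check for ping floods. The capture is constructed inline and the 100-echo-requests-per-second threshold is an assumption.

```c
/* Added example, not part of the lab: the two checks a defender runs against
 * the traffic described above. Ping of Death: any fragment whose end (plus the
 * 20-byte IPv4 header) lands past 65,535 bytes cannot be reassembled legally.
 * Ping flood: too many echo requests from one source inside a window. The
 * traffic is constructed and FLOOD_THRESHOLD is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MAX_LEN 65535u
#define IPV4_HDR_LEN 20u
#define FLOOD_WINDOW_MS 1000u
#define FLOOD_THRESHOLD 100u   /* echo requests per source per window: assumption */
#define MAX_SRC 64

typedef struct {
    uint32_t src;          /* source IPv4 address, host byte order */
    uint16_t ip_id;        /* identification: shared by the fragments of one datagram */
    uint32_t frag_off;     /* fragment offset in bytes (header field * 8) */
    int more_frags;        /* MF flag */
    uint16_t payload_len;  /* bytes after the IPv4 header in this fragment */
    int echo_request;      /* ICMP type 8 seen (first fragment or whole packet) */
    uint64_t ts_ms;        /* capture time */
} pkt_t;

/* Ping of Death test: stateless, because the last fragment alone reveals the
 * oversize datagram. A 65,510-byte ping is 65,518 bytes of IP payload, so its
 * last fragment ends at 65,518 + 20 = 65,538, past the 65,535 maximum. */
int fragment_overflows(const pkt_t *p) {
    return IPV4_HDR_LEN + p->frag_off + p->payload_len > IPV4_MAX_LEN;
}

typedef struct { uint32_t src; uint64_t win_start; unsigned count; int alerted; } src_state;
typedef struct { src_state s[MAX_SRC]; size_t n; } flood_table;

/* Counts echo requests per source in a fixed window; returns 1 once per source
 * per window when the count passes FLOOD_THRESHOLD. A full table is ignored
 * (assumption; real code would evict idle sources). */
int flood_check(flood_table *t, uint32_t src, uint64_t ts_ms) {
    src_state *e = NULL;
    for (size_t i = 0; i < t->n; i++)
        if (t->s[i].src == src) { e = &t->s[i]; break; }
    if (!e) {
        if (t->n == MAX_SRC) return 0;
        e = &t->s[t->n++];
        e->src = src; e->win_start = ts_ms; e->count = 0; e->alerted = 0;
    }
    if (ts_ms - e->win_start >= FLOOD_WINDOW_MS) {
        e->win_start = ts_ms; e->count = 0; e->alerted = 0;
    }
    e->count++;
    if (e->count > FLOOD_THRESHOLD && !e->alerted) { e->alerted = 1; return 1; }
    return 0;
}

/* Runs both checks over a capture and counts the alerts of each kind. */
void process_traffic(const pkt_t *pkts, size_t n, int *pod_alerts, int *flood_alerts) {
    flood_table table; memset(&table, 0, sizeof table);
    *pod_alerts = *flood_alerts = 0;
    for (size_t i = 0; i < n; i++) {
        const pkt_t *p = &pkts[i];
        if (fragment_overflows(p)) {
            (*pod_alerts)++;
            printf("PoD: src=%08x id=%u fragment ends at byte %u\n", p->src,
                   (unsigned)p->ip_id, IPV4_HDR_LEN + p->frag_off + p->payload_len);
        }
        if (p->echo_request && flood_check(&table, p->src, p->ts_ms)) {
            (*flood_alerts)++;
            printf("ping flood: src=%08x exceeded %u echo requests in %u ms\n",
                   p->src, FLOOD_THRESHOLD, FLOOD_WINDOW_MS);
        }
    }
}

/* Constructed capture: a 65,510-byte Ping of Death from 198.51.100.7 in 1480-byte
 * fragments (44 full + one of 398 bytes), a 150-packet burst from 203.0.113.5
 * within 450 ms, and three ordinary pings from 192.0.2.1 a second apart. */
size_t build_sample(pkt_t *out, size_t cap) {
    size_t n = 0;
    for (uint32_t i = 0; i < 45 && n < cap; i++) {
        pkt_t f = { 0xC6336407u, 4242, i * 1480u, i < 44, i < 44 ? 1480 : 398, i == 0, 100 };
        out[n++] = f;
    }
    for (uint32_t i = 0; i < 150 && n < cap; i++) {
        pkt_t f = { 0xCB007105u, (uint16_t)(5000 + i), 0, 0, 64, 1, 1000 + i * 3u };
        out[n++] = f;
    }
    for (uint32_t i = 0; i < 3 && n < cap; i++) {
        pkt_t f = { 0xC0000201u, (uint16_t)(7000 + i), 0, 0, 64, 1, 2000 + i * 1000u };
        out[n++] = f;
    }
    return n;
}

int main(void) {
    pkt_t pkts[256];
    size_t n = build_sample(pkts, 256);
    int pod, flood;
    process_traffic(pkts, n, &pod, &flood);
    printf("%zu packets: %d Ping of Death alert(s), %d ping flood alert(s)\n", n, pod, flood);
    return 0;
}
```

On the constructed capture only the final fragment of the oversized ping trips the PoD check (the 44 full fragments all end below the limit) and only the burst source trips the flood check, once, when its 101st request arrives inside the window; the three spaced-out pings reset their window each time and never alert.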