1.
Firstly, I have to know what DoS is.
DoS simply means Denial of Service. A DoS attack is an attack
intended to take an organisation or service offline, or otherwise
render resources unusable, and it may originate from a single host
or from many different hosts. According to me, DoS is a malicious
attempt from multiple systems to make computer or network resources
unavailable to their intended users, usually by interrupting or
suspending services connected to the internet.
Organisations should start planning for DoS attacks in advance,
because it is much harder to respond once an attack is already
under way. It is critical for any organisation to be well prepared
for these attacks so that its operations are protected.
The concept of DoS (Denial of Service) attacks has changed
radically in recent years. High-profile attacks against
institutions, governments and private bodies have highlighted the
importance of availability. This has profound implications for the
threat landscape, risk profile and network architecture, and it
makes multi-layered defense and cooperation essential.
Therefore strategies to mitigate DoS, starting with prevention
but eventually extending to a designed multi-layered defense,
need to be adopted.
An effective, immediate response is difficult and may depend on
third parties, such as DoS mitigation specialists. These external
partners operate large-scale infrastructures and use a variety of
technologies for identification, containment and remediation, so
DoS attacks can be identified and mitigated before they reach the
organisation's premises.
The following techniques help to mitigate DoS attacks:
- PREPARATION: Every organisation must ensure that the capacity
of the entire infrastructure is not bounded by a single or small
number of resources. Update the recovery and continuity plan from
time to time as new DoS developments appear. Define a clear
response escalation path. Also establish alternative service and
internet gateways.
- IDENTIFICATION: Make a list of potential DoS attack initiators
and investigate their possible motives. Identify the abused systems
and services. Understand whether you are the target of the attack
or a collateral victim. Get a list of attacking IPs by tracing them
in the log files. And lastly, define the attack's profile using
network monitoring and traffic analysis tools.
- CONTAINMENT: Modify the network by switching to alternative
sites or networks. Distribute attack traffic across a network of
data centres. And finally, terminate the unwanted connections or
processes on servers and routers.
- REMEDIATION: Organisations must deny connections using
geographical information and place limits on the amount of traffic,
the maximum burst size and the traffic priority of individual
packet types.
- RECOVERY: Ensure that the impacted services can be operational
again. Also ensure that infrastructure performance is back to your
baseline. Ensure that there is no collateral damage. Finally,
restart the suspended services, applications and modules.
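As an added illustration of the identification and remediation steps (this is example code, not part of the original answer), the following Python replays constructed access-log lines through one token bucket per source IP: any source that exceeds the sustained rate or the maximum burst size shows up with dropped requests, which is the list of candidate attacking IPs, and the same two parameters model the traffic limits described under remediation. The log lines, the rate and the burst size are assumed values chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic): one noisy source and two normal ones.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
198.51.100.4 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /contact HTTP/1.1" 200 880
"""

def parse_log(text):
    """Yield (ip, unix_time) for each well-formed common-log-format line; others are skipped."""
    for m in re.finditer(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+', text, re.M):
        yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()

class TokenBucket:
    """Per-source limit: `rate` requests/s sustained, at most `burst` requests back to back."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def allow(self, now):
        if self.last is not None:  # refill for the time elapsed since the previous request
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def apply_limits(text, rate=1.0, burst=3):
    """Replay a log through one bucket per source IP.
    Returns (allowed, dropped) request counts per IP: any IP with drops is a candidate
    attacker (identification), and rate/burst are the limits applied in remediation."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    allowed, dropped = defaultdict(int), defaultdict(int)
    for ip, t in parse_log(text):
        if buckets[ip].allow(t):
            allowed[ip] += 1
        else:
            dropped[ip] += 1
    return dict(allowed), dict(dropped)
```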
2. The techniques used by malware developers to disguise their
code and prevent it from being analysed are very important for any
organisation to understand in order to protect its data.
There are four malware evasion techniques commonly used by malware
developers:
- PACKERS: A packer is a program that compresses an executable to
make it smaller. It wraps the compressed executable in the code
necessary to decompress itself at run time. The act of compression
changes the way the executable file looks. Signature-based
detection relies on malware researchers or automated systems
finding a pattern in a known malware file, such as a hash or a
number of binary patterns, to create a unique identifier, so the
antivirus may not detect the packed file.
- CRYPTERS: A crypter is similar to a packer but adds additional
obfuscation or encryption to the mix. Like a packer, its goal is to
alter a file so that it avoids detection. In a nutshell, the
crypter encrypts the original executable using an encryption
algorithm, often something as simple as an XOR cipher with a unique
key. The crypter then creates a stub, which is the initial program
that has everything it needs to decrypt and run the real embedded
payload.
- POLYMORPHIC MALWARE: At the highest level, polymorphic malware
is malware that repeatedly uses packing and crypting methods to
change the way it looks. However, rather than using static keys as
most crypters do, polymorphic malware uses more complex encryption
algorithms with random keys, variables and decoders. The malware
can mutate itself every time it copies itself to a new location, or
criminals can set up servers that automatically morph their malware
variant every time it is sent to a new victim. Server-side
polymorphic malware is very popular and likely accounts for a large
majority of daily malware variants.
- DOWNLOADERS, DROPPERS AND STAGED LOADING: Many kinds of malware
use staging programs called droppers or downloaders to learn about
a system before installing the real malware. Some of these droppers
scope out a system first to avoid triggering security alerts when
they download and install the real payload. They may seek out and
kill security processes or check whether they are running on a
virtual system. They may also download their secondary payloads
over encrypted back channels to avoid network detection, or inject
malware directly into known Windows processes to avoid detection.
On the downside for the attacker, antivirus vendors can design
signatures to recognise these droppers and downloaders, and modern
antivirus programmes are good at defending themselves from dropper
tricks.
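To show how a defender can spot the effect that packers and crypters have on a file, here is an added Python example (not from the original answer): a byte-entropy heuristic that flags the high-entropy regions a compressed or encrypted embedded payload produces, next to the low-entropy stub that carries it. The sample bytes are constructed, and the window size, threshold and fraction are assumed values.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_regions(data: bytes, window=1024, threshold=7.0):
    """Offsets (and entropy) of fixed-size windows above the threshold. A compressed or
    encrypted payload embedded in an otherwise ordinary file appears as a run of them."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits

def looks_packed(data: bytes, window=1024, threshold=7.0, min_fraction=0.5) -> bool:
    """Triage heuristic: flag a buffer when at least min_fraction of its windows are
    high entropy. It is a signal for closer analysis, not proof of malice."""
    windows = max(1, len(data) // window)
    return len(high_entropy_regions(data, window, threshold)) / windows >= min_fraction

def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for a compressed/encrypted payload (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed sample, not a real binary: a text-like low-entropy "stub" followed by a
# high-entropy "payload" of the kind a packer or crypter embeds.
STUB = (b"This program cannot be run in DOS mode.\r\n" * 100)[:4096]
PAYLOAD = pseudo_random_bytes(8192)
SAMPLE = STUB + PAYLOAD
```

Entropy is only a triage signal: XOR with a single key byte merely permutes byte values and leaves the entropy unchanged, so a crypter using such a key is invisible to this check and has to be caught by other signals such as the stub's imports or its behaviour at run time.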