CompTIA Security+ Exam Notes

Let Us Help You Pass

Sunday, October 13, 2024

WAF (Web Application Firewall)


A web application firewall (WAF) is a security tool that monitors and filters HTTP traffic to and from web applications to protect them from attacks. WAFs are a critical defense for online businesses that handle sensitive data, such as retailers, banks, healthcare providers, and social media sites.

Here's how a WAF works:

  • Analyzes HTTP requests: A WAF examines the headers, query strings, and body of HTTP requests.
  • Identifies threats: A WAF searches for malicious requests, suspicious patterns, and known threats.
  • Blocks requests: When a threat is detected, a WAF blocks the request and alerts security teams.
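The three steps above can be followed in a small request inspector. The Python below is an added illustration written for these notes, not code from the original post or from any WAF product: it decodes each part of a request (path, query string, body, headers), matches it against a handful of constructed signature patterns for SQL injection, cross-site scripting and path traversal, and returns a block verdict naming the rule and the location that fired. The rule patterns and the sample requests are constructed for the example; a real rule set (the OWASP Core Rule Set, for instance) is far larger and tuned to limit false positives.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote_plus

# Signature rules constructed for this example (not a production rule set).
RULES = {
    "sqli": re.compile(
        r"\bunion\b\s+\bselect\b"          # UNION SELECT
        r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"  # ' OR '1'='1
        r"|;\s*drop\s+table\b"             # stacked DROP TABLE
        r"|\bsleep\s*\(",                  # time-based probe
        re.I),
    "xss": re.compile(
        r"<\s*script\b"                    # <script>
        r"|javascript\s*:"                 # javascript: URLs
        r"|\bon\w+\s*=\s*[\"']",           # inline event handlers
        re.I),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}


@dataclass
class HttpRequest:
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Verdict:
    blocked: bool
    rule: Optional[str] = None
    location: Optional[str] = None


def _decode(value: str) -> str:
    # Decode twice so one extra layer of percent-encoding cannot hide a pattern.
    return unquote_plus(unquote_plus(value))


def inspect(req: HttpRequest) -> Verdict:
    """Examine path, query string, body and headers; return the first rule hit."""
    fields = [("path", req.path), ("query", req.query), ("body", req.body)]
    fields += [(f"header:{name}", value) for name, value in req.headers.items()]
    for location, raw in fields:
        text = _decode(raw)
        for rule_name, pattern in RULES.items():
            if pattern.search(text):
                return Verdict(True, rule_name, location)
    return Verdict(False)


def filter_requests(requests):
    """Apply the inspector to a batch; return the allowed requests and alert lines."""
    allowed, alerts = [], []
    for req in requests:
        verdict = inspect(req)
        if verdict.blocked:
            alerts.append(f"BLOCK {req.method} {req.path}: rule={verdict.rule} in {verdict.location}")
        else:
            allowed.append(req)
    return allowed, alerts


if __name__ == "__main__":
    sample = [  # constructed requests
        HttpRequest("GET", "/search", "q=laptops"),
        HttpRequest("GET", "/search", "q=1%27%20OR%20%271%27%3D%271"),
        HttpRequest("POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        HttpRequest("GET", "/files/..%2F..%2Fetc%2Fpasswd"),
        HttpRequest("GET", "/", headers={"User-Agent": "Mozilla/5.0 %253Cscript%253E"}),
    ]
    ok, alerts = filter_requests(sample)
    print(f"allowed {len(ok)} of {len(sample)}")
    for line in alerts:
        print(line)
```

The double decoding is the part worth noticing: a WAF that matches only the raw, encoded bytes is easy to bypass, so the inspector normalises first and matches second, and the alert reports which field tripped the rule so the security team can tune it.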

WAFs can protect against a variety of threats, including:

  • Malware
  • Malicious bots
  • Zero-day exploits
  • Cross-site scripting (XSS)
  • SQL injection
  • Cross-site request forgery (CSRF)
  • Distributed denial of service (DDoS) attacks
  • Buffer overflow

WAFs can be deployed in various ways, including network-based, host-based, or cloud-based. They are usually part of a suite of tools that work together to create a comprehensive defense against various attack vectors.

Wednesday, October 9, 2024

Distributed Reflected Denial of Service


DRDoS, or Distributed Reflection Denial of Service, is a type of cyberattack that aims to make a network resource unavailable to its intended users. It is a more advanced form of DDoS attack, also known as a reflected DDoS attack.

In a DRDoS attack, a hacker spoofs the target's IP address as the source of requests sent to third-party servers. Each third-party server then sends its response to the target's IP address, and with many servers responding at once the traffic reaching the target increases significantly. This can overwhelm the target's resources, and because the target only sees the addresses of the third-party servers, the attack is difficult to trace back to the original attacker.

DNS servers, NTP servers (using the monlist command), and Memcached servers are some examples of services that can be used in a DRDoS attack.
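From the defender's side, the signature of the attack described above is a flood of large UDP responses arriving from the service ports of many different DNS, NTP or Memcached servers, none of which the victim ever queried. The Python below is an added example for these notes, not code from the original post or from any product: it reads constructed flow records (ts, protocol, source, destination, bytes), remembers which requests the local side actually sent, and flags a destination when many distinct servers send it a large volume of unsolicited responses. The thresholds, the IP addresses and the flow records are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (the three named in the post).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached"}


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flows(text):
    """Parse constructed CSV flow records: ts,proto,src_ip,src_port,dst_ip,dst_port,bytes."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, proto, sip, sport, dip, dport, nbytes = line.split(",")
        flows.append(Flow(float(ts), proto, sip, int(sport), dip, int(dport), int(nbytes)))
    return flows


def detect_reflection(flows, min_reflectors=10, min_bytes=1_000_000, min_unsolicited=0.9):
    """Return {(victim_ip, service): stats} for hosts that look like DRDoS targets.

    A victim sees large UDP responses from reflector service ports, sent by many
    distinct servers, that do not match any request the victim itself sent.
    """
    # Requests the local side did send: (local_ip, server_ip, service_port)
    outbound = {(f.src_ip, f.dst_ip, f.dst_port)
                for f in flows if f.proto == "UDP" and f.dst_port in REFLECTOR_PORTS}
    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "flows": 0, "unsolicited": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        s = stats[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
        s["reflectors"].add(f.src_ip)
        s["bytes"] += f.nbytes
        s["flows"] += 1
        if (f.dst_ip, f.src_ip, f.src_port) not in outbound:
            s["unsolicited"] += 1
    findings = {}
    for key, s in stats.items():
        ratio = s["unsolicited"] / s["flows"]
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes and ratio >= min_unsolicited:
            findings[key] = {"reflectors": len(s["reflectors"]),
                             "bytes": s["bytes"], "unsolicited_ratio": ratio}
    return findings


def constructed_sample():
    """Constructed flow log: one legitimate DNS exchange plus an NTP reflection flood."""
    lines = ["# ts,proto,src_ip,src_port,dst_ip,dst_port,bytes (constructed)"]
    lines.append("1000.0,UDP,203.0.113.10,50231,198.51.100.53,53,72")   # our DNS query
    lines.append("1000.1,UDP,198.51.100.53,53,203.0.113.10,50231,312")  # its answer
    for i in range(1, 13):  # twelve NTP servers answer queries we never sent
        for j in range(3):
            lines.append(f"{1001 + j:.1f},UDP,192.0.2.{i},123,203.0.113.10,{40000 + i},120000")
    return "\n".join(lines)


if __name__ == "__main__":
    for (victim, service), info in detect_reflection(parse_flows(constructed_sample())).items():
        print(f"{victim}: {service} reflection from {info['reflectors']} servers, "
              f"{info['bytes']} bytes, {info['unsolicited_ratio']:.0%} unsolicited")
```

The legitimate DNS answer is not flagged because the victim's own query to that resolver is in the outbound set; the NTP responses are flagged because nothing was ever sent to those servers. That "we never asked" check is what separates reflection traffic from an ordinary burst of replies, and it works precisely because the spoofed requests leave from the attacker's network, not the victim's.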

Some potential consequences of a DRDoS attack include:

  • Damage to relationships with partners, customers, and other stakeholders
  • Reputational damage
  • Revenue loss
  • Operational downtime

Sunday, August 12, 2018

MALWARE TYPES - Part 2

Logic Bombs: A piece of code that sits dormant on a target PC or server until it is triggered by an event. That event can be a specific date or time, or a certain condition being met; whichever event fires the payload is whatever the programmer coded the malware to watch for.

  • It could be a script that runs every payday: if the author's name is not in the payroll report (meaning they have been laid off or fired), the malware is triggered to run at a predetermined time afterward.
  • Another trigger could be the company hiring its 250th employee (a number picked at random for the example).
  • A specific date is another possibility, with the payload launched on that date.

Worms: Worms are a type of malware that self-replicates. A worm moves through the network on its own, consuming bandwidth as it spreads. Worms take advantage of weaknesses in certain networking protocols.

Worms are known to take advantage of the weakness found in SMBv1, spreading through the network over port 445, Microsoft's file-sharing port.

USB flash drives tend to be one of the easiest ways to introduce a worm into a network. Users find a USB drive on a table or floor, pick it up, and plug it in to see what is on the device and to identify its owner. There are vendors that hand out free USB drives that are infected at conferences like DEF CON.
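A worm spreading over SMB leaves a distinctive trace in connection logs: one host opening connections to a large number of different hosts on port 445 in a short time, most of them failing because the targets are not file servers. The Python below is an added detection example for these notes, not code from the original post or from Zeek or any other tool: it parses constructed Zeek-like connection records, keeps a sliding window per source host, and flags any source that reaches a threshold number of distinct hosts on port 445 within the window, along with how many of those attempts failed. Hosts, thresholds and log lines are all constructed for the example.

```python
from collections import defaultdict, deque

SMB_PORT = 445
FAILED_STATES = {"S0", "REJ"}  # no reply / refused, in Zeek conn_state terms


def parse_conn_log(text):
    """Parse constructed tab-separated records: ts orig_h orig_p resp_h resp_p proto conn_state."""
    rows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
        rows.append((float(ts), orig_h, int(orig_p), resp_h, int(resp_p), proto, state))
    return rows


def detect_smb_fanout(rows, window=60.0, min_targets=20):
    """Flag sources that contact >= min_targets distinct hosts on 445 within `window` seconds.

    Returns {source_ip: {"first_seen", "targets", "failed"}}, where targets is the
    largest number of distinct hosts seen inside one window and failed counts the
    S0/REJ attempts in that window (a scanning worm mostly hits hosts with no SMB).
    """
    recent = defaultdict(deque)  # source -> (ts, dst, state) entries inside the window
    alerts = {}
    for ts, src, _sport, dst, dport, proto, state in sorted(rows, key=lambda r: r[0]):
        if proto != "tcp" or dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst, state))
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {d for _, d, _ in q}
        if len(targets) >= min_targets:
            a = alerts.setdefault(src, {"first_seen": q[0][0], "targets": 0, "failed": 0})
            a["targets"] = max(a["targets"], len(targets))
            a["failed"] = sum(1 for _, _, st in q if st in FAILED_STATES)
    return alerts


def constructed_conn_log():
    """Constructed log: a workstation using the file server normally, and one host fanning out."""
    lines = ["#ts\torig_h\torig_p\tresp_h\tresp_p\tproto\tconn_state (constructed)"]
    # 10.0.0.7 opens a few SMB sessions to the real file server 10.0.0.2 over 15 minutes.
    lines.append("50.0\t10.0.0.7\t49152\t10.0.0.2\t445\ttcp\tSF")
    lines.append("300.0\t10.0.0.7\t49153\t10.0.0.2\t445\ttcp\tSF")
    lines.append("900.0\t10.0.0.7\t49154\t10.0.0.2\t445\ttcp\tSF")
    # 10.0.0.5 tries 45 neighbours on 445 in 22 seconds; only three of them answer.
    for i in range(20, 65):
        state = "SF" if i % 15 == 0 else "S0"
        lines.append(f"{100 + (i - 20) * 0.5:.1f}\t10.0.0.5\t{50000 + i}\t10.0.0.{i}\t445\ttcp\t{state}")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, a in detect_smb_fanout(parse_conn_log(constructed_conn_log())).items():
        print(f"ALERT {src}: {a['targets']} distinct hosts on 445 since t={a['first_seen']}, "
              f"{a['failed']} attempts failed")
```

The workstation never trips the rule because it only ever talks to one host; the fanning-out host does, and the high failure count is the second clue, since legitimate SMB clients connect to servers they know exist. The same sliding-window logic applies to any worm that scans its neighbours, with the port changed to match the protocol being abused.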

Botnets: A botnet is a collection of Internet-connected devices (PCs, webcams, etc.). These devices are normally on 24 hours per day and have decent bandwidth. The owners of these devices are unaware that their device is participating in the botnet. The devices are known as zombies and perform whatever the handler has programmed them to do:

  • DDoS: a Distributed Denial of Service attack on a single target
  • Send spam from these devices
  • Download other malware, such as keyloggers

Botnets typically use anywhere from 5,000 to 20,000 devices.

One of the largest DDoS attacks happened in November of 2016 and was directed against DNS servers. This time the botnet was composed mostly of DVRs and digital cameras.