Write this reflection for lab Weekly Learning and Reflection? In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact

  Write this reflection for lab

Weekly Learning and Reflection 

In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you're confused about. Questions asked here will be summarized and answered anonymously in the next class.

Lab-3: Cyber Threat Analysis

In Lab-3, you will do some cyber threat analysis by browsing several websites and services maintained by either security companies, volunteers, or hackers. Nothing will harm your computer as long as you don't push the limits by clicking on the links and ignoring the browser's security warnings.

To ensure 100% security, you can consider using the Firefox browser inside your Kali VM instead of the browser on your computer. If you proceed with your computer, it is recommended that you update your browser if it is out of date.

Section-1: Analysis of zone-h.org

Zone-h.org is used and most probably operated by hackers to share the websites that they defaced. They don't provide any details on how they hacked the website; instead, they share the URL of the defaced website and a mirror for the defaced webpage.

If you are planning to use your computer instead of Kali VM, it is strongly suggested to open a new incognito/InPrivate/Private browser window for the following steps:

1) Enter the website: www.zone-h.org

2) Click on the Archive menu in the top menu. You will see a result screen similar to the one below:

This page contains a lot of information on defaced websites, including the original URL and the hacked version of the website (at the mirror link in the rightmost column). The hacked versions of the websites give some clues about the motivations of the hackers; you can see political reasons, defacement for fun, or a stated aim of making cyberspace secure.

The legends M and R provide more insight into the defacement. M means mass defacement. If you click one of the M letters, you can see the defacements initiated from a specific IP address. Mass defacements are usually carried out with the help of scripts. Hackers prepare the scanning and exploitation scripts, scan thousands of websites for a particular vulnerability, and exploit the ones that have the specific vulnerability.

3) Click on one of the M letters you spotted, and see the websites defaced from the same IP address. You can see the IP address in the address bar.

Note: You can perform a whois query to see the detailed information about the IP address you found, including contact information and geographical location.

4) To see a redefacement, you can click one of the R letters you spotted.

Below is an example screenshot of a redefacement: the myschool.ng website has been defaced twice in two years.

5) You can click the ENABLE FILTERS link at the top and search for websites with the gov extension. You can see the result of this query below.

Section-2: Pastebin.com

A pastebin site hosts text-based data such as source code, code snippets, and anything else worth sharing. Pastebin.com is the oldest pastebin site. Pastebin.com had been hosting the pastes of the hacktivist group Anonymous. After pastebin.com started monitoring the site for illegally pasted data, Anonymous started a new service: https://anonpaste.org. This pastebin site is used for hacktivist purposes. Anybody can paste text here and send it "securely", so to speak. You cannot search the pasted content.

There are many small and restricted pastebin sites on the dark web. A specific hacker group may share things like exploit code and malicious payloads internally. They also use pastebin services to share the information they stole, such as passwords, credit card numbers, etc.

You can see the public pastes on the pastebin website. Google indexes public pastes. You can perform the following searches on Google and check whether there are matching pastes on pastebin.com. Please review the sites returned by the searches to get an idea of what kind of information is being shared among hackers on pastebin.

· Exploit code site:pastebin.com

· Shellcode site:pastebin.com

· Malware code site:pastebin.com

· Keylogger code site:pastebin.com

Section-3: Interactive Threat Maps

There are many websites and services that provide threat intelligence data. Some of them provide information for free; most of them offer paid subscriptions.

These are two services from Cisco and SANS Institute, respectively.

https://talosintelligence.com/reputation_center/: Shows the malicious hosts spreading malware and sending spam e-mail on the world map. You can check the reputation of IP addresses and domain names on this service as well.

https://isc.sans.edu/threatmap.html: Shows the density of the different threat feeds per country.

SANS Institute provides a FightBack service at this address: https://isc.sans.edu/fightback.html. They forward the strong cases to the ISPs after analyzing the logs and other evidence provided by the Internet user.

Last but not least, the following blog page provides the top 10 cyber-attack maps; it is worth reviewing as it gives the screenshots and a fair amount of information.

https://securitytrails.com/blog/cyber-attack-maps

Section-4: Fighting with Spam and Malware

Thousands of phishing websites try to trick people into believing that they are on the official website so that they can steal sensitive information like passwords, credit card numbers, and SSNs. If you come across such a website, you can submit it to Phishtank.org. The PhishTank database is used by reputation engines and virus scanners, such as virustotal.com, so by submitting you help to secure cyberspace. The website of PhishTank is https://phishtank.org.

URLhaus does a similar thing for the websites that spread viruses. The website of URLhaus is https://urlhaus.abuse.ch.

You can review both web services. For example, open the PhishTank website and see the recent submissions, similar to the ones below:

You can click on the ID numbers to see the phishing websites.

Section-5: Checking URLs

The services below are just two examples with which you can check websites:

https://www.virustotal.com: Checks whether a website spreads malware or is a phishing website. Currently, VirusTotal checks the submitted URLs using ~80 different antivirus services.

https://sitecheck.sucuri.net: Checks the website for malware and blacklisting.

You can choose some websites from PhishTank and URLhaus and scan them using VirusTotal and Sucuri’s SiteCheck.
