1
00:00:07,080 --> 00:00:09,810
- [Instructor] A backdoor can be installed by an attacker

2
00:00:09,810 --> 00:00:11,870
to either allow future access

3
00:00:11,870 --> 00:00:15,450
or to collect information to use in further attacks.

4
00:00:15,450 --> 00:00:18,570
So when the threat actor gains access to a system,

5
00:00:18,570 --> 00:00:20,520
they usually want future access

6
00:00:20,520 --> 00:00:22,250
so they can control the system

7
00:00:22,250 --> 00:00:24,030
and they can carry out other attacks.

8
00:00:24,030 --> 00:00:28,340
And they want that access to be really easy.

9
00:00:28,340 --> 00:00:31,940
Now, many backdoors are installed by users clicking something

10
00:00:31,940 --> 00:00:34,410
without realizing that the link that they clicked

11
00:00:34,410 --> 00:00:37,313
or the file that they opened is actually a threat.

12
00:00:38,200 --> 00:00:41,950
A backdoor can be implemented as a result of malware

13
00:00:41,950 --> 00:00:44,480
or as a result of a virus or a worm.

14
00:00:44,480 --> 00:00:47,970
And they're very popular nowadays

15
00:00:47,970 --> 00:00:50,160
to be able to actually gain access

16
00:00:50,160 --> 00:00:52,403
to a system and maintain persistence.

17
00:00:53,330 --> 00:00:56,280
Now, let's cover what man-in-the-middle attacks are.

18
00:00:56,280 --> 00:00:59,750
A man-in-the-middle attack results when the attacker

19
00:00:59,750 --> 00:01:03,530
places themselves in line between two devices

20
00:01:03,530 --> 00:01:05,150
that are actually communicating.

21
00:01:05,150 --> 00:01:07,160
So the reason that they do this

22
00:01:07,160 --> 00:01:10,000
is they intend to perform reconnaissance

23
00:01:10,000 --> 00:01:12,060
or to manipulate the data

24
00:01:13,543 --> 00:01:15,000
that is actually being transferred

25
00:01:15,000 --> 00:01:17,830
as it moves between those entities.

26
00:01:17,830 --> 00:01:21,280
Now this can happen at layer two or at layer three.

27
00:01:21,280 --> 00:01:24,900
The main purpose of this attack is actually to eavesdrop

28
00:01:24,900 --> 00:01:27,750
so that the attacker can actually see the traffic

29
00:01:27,750 --> 00:01:31,490
and of course steal the traffic and manipulate it.

30
00:01:31,490 --> 00:01:34,100
Now, if this happens at layer two,

31
00:01:34,100 --> 00:01:37,000
the attacker spoofs the layer two MAC address

32
00:01:37,000 --> 00:01:40,550
to make the devices on the LAN or the local area network

33
00:01:40,550 --> 00:01:44,720
believe that the layer two address of the attacker

34
00:01:44,720 --> 00:01:48,610
is the layer two address of its default gateway.

35
00:01:48,610 --> 00:01:53,390
And this is often called ARP poisoning.

36
00:01:53,390 --> 00:01:56,720
So this is an example of an ARP poisoning attack.

37
00:01:56,720 --> 00:01:58,250
Now frames that are supposed to go through

38
00:01:58,250 --> 00:01:59,540
the default gateway,

39
00:01:59,540 --> 00:02:02,470
in that case, they're forwarded by the switch

40
00:02:02,470 --> 00:02:04,720
to the layer two address of the attacker

41
00:02:04,720 --> 00:02:06,330
on that same network.

42
00:02:06,330 --> 00:02:07,300
And then as a courtesy,

43
00:02:07,300 --> 00:02:09,640
the attacker can actually forward the frames

44
00:02:09,640 --> 00:02:12,300
to the correct destination so that the client

45
00:02:12,300 --> 00:02:15,490
will have the connectivity that they need.

46
00:02:15,490 --> 00:02:17,790
And the attacker now sees all the data

47
00:02:17,790 --> 00:02:19,180
between the two devices.

48
00:02:19,180 --> 00:02:20,990
Now to mitigate this risk,

49
00:02:20,990 --> 00:02:23,920
you can use techniques like ARP inspection.

50
00:02:23,920 --> 00:02:26,860
So ARP stands for Address Resolution Protocol.

51
00:02:26,860 --> 00:02:30,220
So it's the ARP inspection functionality

52
00:02:30,220 --> 00:02:33,440
on Cisco switches to actually prevent spoofing

53
00:02:33,440 --> 00:02:35,360
of the layer two addresses.

54
00:02:35,360 --> 00:02:38,070
Now the attacker could also implement the attack

55
00:02:38,070 --> 00:02:40,350
by placing a switch into the network

56
00:02:40,350 --> 00:02:43,690
and manipulating the Spanning Tree Protocol or STP

57
00:02:43,690 --> 00:02:45,960
to become the root switch.

58
00:02:45,960 --> 00:02:48,680
And then therefore gaining the ability

59
00:02:48,680 --> 00:02:51,250
to actually see any traffic that needs to be sent

60
00:02:51,250 --> 00:02:53,563
through the root switch.

61
00:02:54,827 --> 00:02:56,860
A man-in-the-middle attack can also occur at layer three

62
00:02:56,860 --> 00:02:58,330
like I mentioned before,

63
00:02:58,330 --> 00:03:01,350
and this can be done by a rogue router

64
00:03:01,350 --> 00:03:02,870
being placed in the network

65
00:03:02,870 --> 00:03:06,280
and then tricking the other routers into believing

66
00:03:06,280 --> 00:03:10,450
that the new router has a better path in the network.

67
00:03:10,450 --> 00:03:12,910
So this could cause network traffic

68
00:03:12,910 --> 00:03:16,760
to flow through the router, through this rogue router,

69
00:03:16,760 --> 00:03:19,990
and again, allow the attacker to steal network data.

70
00:03:19,990 --> 00:03:21,880
So you can mitigate this attack

71
00:03:21,880 --> 00:03:24,870
in many different ways,

72
00:03:24,870 --> 00:03:26,130
many different features,

73
00:03:26,130 --> 00:03:28,000
and some of them include

74
00:03:28,000 --> 00:03:29,710
the Routing Authentication Protocols.

75
00:03:29,710 --> 00:03:33,380
So that's a best practice that you should always implement.

76
00:03:33,380 --> 00:03:35,890
You should implement the authentication

77
00:03:35,890 --> 00:03:38,500
in routing protocols within the organization.

78
00:03:38,500 --> 00:03:42,360
Also you can filter information from being advertised

79
00:03:42,360 --> 00:03:45,230
or learned on a specific interface.

80
00:03:45,230 --> 00:03:47,700
So all those best practices

81
00:03:47,700 --> 00:03:50,830
will actually mitigate those types of layer three

82
00:03:50,830 --> 00:03:52,670
rogue router attacks.

83
00:03:52,670 --> 00:03:55,640
A man-in-the-middle attack can also occur

84
00:03:55,640 --> 00:03:58,060
by compromising the victim's machine.

85
00:03:58,060 --> 00:04:01,420
So the attacker can install malware

86
00:04:01,420 --> 00:04:05,140
that can intercept the packets sent by the victim

87
00:04:05,140 --> 00:04:07,500
and send them directly to the attacker.

88
00:04:07,500 --> 00:04:11,200
So this type of malware can capture packets

89
00:04:11,200 --> 00:04:12,900
before they're encrypted.

90
00:04:12,900 --> 00:04:14,210
And if the victim,

91
00:04:14,210 --> 00:04:18,220
of course, is using TLS or SSL or HTTPS

92
00:04:18,220 --> 00:04:19,320
or any other mechanisms,

93
00:04:19,320 --> 00:04:22,970
actually those packets are stolen

94
00:04:22,970 --> 00:04:24,930
or being sent to the attacker

95
00:04:24,930 --> 00:04:27,480
even before they're actually encrypted.

96
00:04:27,480 --> 00:04:30,890
So think about this: you're accessing a bank

97
00:04:30,890 --> 00:04:32,400
through your browser

98
00:04:32,400 --> 00:04:35,050
and then, of course, the attacker can install malware

99
00:04:35,050 --> 00:04:37,880
so that before the browser actually encrypts the data

100
00:04:37,880 --> 00:04:40,070
to the bank, or vice versa,

101
00:04:40,070 --> 00:04:42,550
after the decryption is actually done,

102
00:04:42,550 --> 00:04:45,050
that data can be sent to the attacker.

103
00:04:45,050 --> 00:04:47,590
Now to safeguard data in motion,

104
00:04:47,590 --> 00:04:48,890
one of the best things you can do

105
00:04:48,890 --> 00:04:50,230
is of course to use encryption

106
00:04:50,230 --> 00:04:53,470
for the confidentiality of the data in transit.

107
00:04:53,470 --> 00:04:56,610
If you use plain text protocols for management

108
00:04:56,610 --> 00:05:00,040
like Telnet or HTTP, definitely you're asking for it.

109
00:05:00,040 --> 00:05:01,473
The attacker who has implemented

110
00:05:01,473 --> 00:05:04,870
the man-in-the-middle attack can definitely see the contents

111
00:05:04,870 --> 00:05:06,720
of those data packets,

112
00:05:06,720 --> 00:05:10,920
the clear text data packets across the network.

113
00:05:10,920 --> 00:05:14,660
So that's why management protocols

114
00:05:14,660 --> 00:05:16,530
must have encryption built in.

115
00:05:16,530 --> 00:05:18,490
So you should actually use things

116
00:05:18,490 --> 00:05:22,450
like Secure Shell or SSH and HTTPS.

117
00:05:22,450 --> 00:05:25,570
And definitely, consider that as a best practice.

118
00:05:25,570 --> 00:05:29,110
And also for in-transit traffic,

119
00:05:29,110 --> 00:05:31,970
the use of a VPN is definitely a given.

120
00:05:31,970 --> 00:05:35,100
So you want to actually use a VPN

121
00:05:35,100 --> 00:05:38,450
to protect and encrypt data, sensitive data,

122
00:05:38,450 --> 00:05:42,380
that is actually transferred over an untrusted network

123
00:05:42,380 --> 00:05:43,563
like the internet.