Introduction to Cybersecurity
Cybersecurity Landscape
The modern cybersecurity landscape is a rapidly evolving, hostile environment with advanced threats and increasingly sophisticated threat actors. This lesson describes the current cybersecurity landscape, explains the challenges of SaaS applications, describes several security and data protection regulations and standards, identifies cybersecurity threats and attacker profiles, and explains the stages of the cyberattack lifecycle.
Modern Computing Trends
The nature of enterprise computing has changed dramatically over the past decade.
Introduction to Web 2.0 and Web 2.0 Applications
Core business applications are now commonly installed alongside Web 2.0 applications on a variety of endpoints. Networks that were originally designed to share files and printers are now used to collect massive volumes of data, exchange real-time information, transact online business, and enable global collaboration. Many Web 2.0 applications are available as software as a service (SaaS), web-based, or mobile apps that can be easily installed by end users or that can run without installing any local programs or services on the endpoint. The use of Web 2.0 applications in the enterprise is sometimes referred to as Enterprise 2.0. Many organizations are recognizing significant benefits from the use of Enterprise 2.0 applications and technologies, including better collaboration, increased knowledge sharing, and reduced expenses.
- File sync and sharing services
- Microblogging
Microblogging web services allow a subscriber to broadcast short messages to other subscribers. Examples include Tumblr and Twitter.
- Office productivity suites
Office productivity suites consist of cloud-based word processing, spreadsheet, and presentation software. Examples include Google Apps and Microsoft Office 365.
- Remote access software
Remote access software is used for remote sharing and control of an endpoint, typically for collaboration or troubleshooting. Examples include LogMeIn and TeamViewer.
- Remote Team Meeting Software
Remote team meeting software is used for audio conferencing, video conferencing, and screen sharing. Examples include Adobe Connect, Microsoft Teams, and Zoom.
- Social Curation
Social curation shares collaborative content about particular topics. Social bookmarking is a type of social curation. Examples include Cogenz, Instagram, Pinterest, and Reddit.
- Wikis
Wikis enable users to contribute, collaborate, and edit site content. Examples include Socialtext and Wikipedia.
Web 3.0
The vision of Web 3.0 is to return the power of the internet to individual users, in much the same way that the original Web 1.0 was envisioned. To some extent, Web 2.0 has become shaped and characterized, if not controlled, by governments and large corporations dictating the content that is made available to individuals and raising many concerns about individual security, privacy, and liberty.
Managed Security Services
The global shortage of cybersecurity professionals – estimated by the International Information System Security Certification Consortium, (ISC)², to be 2.72 million in 2021 – is leading many organizations to partner with third-party security services organizations. These managed security service providers (MSSPs) typically operate fully staffed 24/7 security operations centers (SOCs) and offer services such as log collection and aggregation in a security information and event management (SIEM) platform, event detection and alerting, vulnerability scanning and patch management, threat intelligence, and incident response and forensic investigation, among others.
Work-from-Home (WFH) and Work-from-Anywhere (WFA)
In the wake of the global pandemic, many organizations have implemented remote working models that include WFH and WFA. In many cases, these organizations have realized additional benefits from these models, including increased operational efficiencies, higher employee productivity and morale, and greater access to a diverse talent pool that extends far beyond the immediate geographical region of the organization.
New Application Threat Vectors
Exploiting vulnerabilities in core business applications has long been a predominant attack vector, but threat actors are constantly developing new tactics, techniques, and procedures (TTPs).
Protect Networks and Cloud Environments
To effectively protect their networks and cloud environments, enterprise security teams must manage the risks associated with a relatively limited, known set of core applications, as well as the risks associated with an ever-increasing number of known and unknown cloud-based applications. The cloud-based application consumption model has revolutionized the way organizations do business, and applications such as Microsoft Office 365 and Salesforce are being consumed and updated entirely in the cloud.

Application Classification
Many applications are designed to circumvent traditional port-based firewalls, so that they can be easily installed and accessed on any device, anywhere and anytime. A firewall that decides solely on the destination port cannot tell such an application apart from the protocol whose port it borrows.
Classifying applications as either “good” (allowed) or “bad” (blocked) in a clear and consistent manner has also become increasingly difficult. Many applications are clearly good (low risk, high reward) or clearly bad (high risk, low reward), but most are somewhere in between depending on how the application is being used.
Tactics, Techniques, and Procedures (TTPs)
The following are the different types of TTPs:
Port Hopping
Port hopping allows adversaries to randomly change ports and protocols during a session.
Using Non-Standard Ports
An example of using non-standard ports is running Yahoo! Messenger over TCP port 80 (HTTP) instead of the standard TCP port for Yahoo! Messenger (5050).
Tunneling
Another method is tunneling within commonly used services, such as running peer-to-peer (P2P) file sharing or an IM client such as Meebo over HTTP.
Hiding Within SSL Encryption
Hiding in SSL encryption masks the application traffic, for example, over TCP port 443 (HTTPS). More than half of all web traffic is now encrypted.
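The four evasion techniques above all exploit the same weakness: a port-based rule sees only the port, not the application. The following script is an added example (not part of the course text) that compares a port-only rule with an application-aware one over a handful of constructed flow records. The flow tuples, the standard-port table, the IP addresses, and the "only web browsing allowed" policy are all assumptions made for the illustration; in a real deployment the identified application would come from a firewall or IDS that inspects the traffic.

```python
# Added example (not part of the course text): compare a port-only firewall
# rule with an application-aware one over constructed flow records. The flow
# tuples, the port table and the policy are all assumptions made for this
# illustration; a real deployment would take the identified application from
# a firewall or IDS that inspects the traffic rather than trusting the port.

# Default ports the page names, plus two extra entries (assumption).
STANDARD_PORTS = {
    "http": {80, 8080},
    "https": {443},
    "yahoo-messenger": {5050},
    "ssh": {22},
}

# Applications that can carry another application inside them (tunnelling).
CARRIERS = {"http", "https"}

# Constructed policy: only plain web browsing is allowed outbound.
ALLOWED_APPS = {"http", "https"}
PORT_RULE_ALLOWS = {80, 443}

# Constructed flows: (src, dst, dst_port, identified_app, app_tunnelled_inside)
FLOWS = [
    ("10.1.1.5", "203.0.113.10", 80,   "http",            None),
    ("10.1.1.7", "203.0.113.20", 80,   "yahoo-messenger", None),          # IM on the HTTP port
    ("10.1.1.9", "203.0.113.30", 443,  "https",           "bittorrent"),  # P2P hidden inside TLS
    ("10.1.1.9", "203.0.113.31", 80,   "http",            "meebo"),       # IM client tunnelled over HTTP
    ("10.1.1.4", "203.0.113.40", 5050, "yahoo-messenger", None),          # IM on its standard port
    ("10.1.1.4", "203.0.113.41", 4444, "ssh",             None),          # SSH on a non-standard port
]


def findings(flow):
    """Explain why a flow would evade a port-based rule (empty list: nothing unusual)."""
    _src, _dst, port, app, inner = flow
    notes = []
    expected = STANDARD_PORTS.get(app)
    if expected is not None and port not in expected:
        notes.append(f"non-standard-port: {app} on tcp/{port}")
    if inner is not None and app in CARRIERS:
        notes.append(f"tunnelling: {inner} inside {app} on tcp/{port}")
    return notes


def port_based_verdict(flow):
    """What a traditional port-based firewall decides: it only sees the port."""
    return "allow" if flow[2] in PORT_RULE_ALLOWS else "deny"


def app_based_verdict(flow):
    """What an application-aware control decides: it acts on the real application,
    looking through a carrier protocol when something is tunnelled inside it."""
    effective_app = flow[4] or flow[3]
    return "allow" if effective_app in ALLOWED_APPS else "deny"


def evasions(flows):
    """Flows the port rule lets through but the application-aware rule would block."""
    return [f for f in flows
            if port_based_verdict(f) == "allow" and app_based_verdict(f) == "deny"]


if __name__ == "__main__":
    for flow in evasions(FLOWS):
        print(flow[:4], findings(flow))
```

Three of the six flows pass the port rule and fail the application rule: the IM client on port 80, the P2P client inside TLS, and the IM client tunnelled over HTTP. The TLS case carries a caveat the page itself points at: an inspecting device can only identify what is inside HTTPS if it decrypts the session, and with more than half of web traffic encrypted, a control that does not decrypt sees that flow as ordinary https.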
Turbulence in the Cloud
Cloud computing technologies help organizations evolve their data centers from a hardware-centric architecture to a dynamic and automated environment. Cloud environments pool computing resources for on-demand support of application workloads that can be accessed anywhere, anytime, and from any device.
Public and Private Cloud Environments
Many organizations have been forced into significant compromises regarding their public and private cloud environments. Organizations can trade function, visibility, and security for simplicity, efficiency, and agility. If an application hosted in the cloud isn’t available or responsive, network security controls are typically “streamlined” out of the cloud design.
SaaS Application Risks
The average employee uses at least eight applications. As employees add and use more SaaS apps that connect to the corporate network, the risk of sensitive data being stolen, exposed, or compromised increases. It is important to consider the security of the apps, what data they have access to, and how employees are using them.
Introduction to SaaS
Data is located everywhere in today’s enterprise networks, including in many locations that are not under the organization’s control. New data security challenges emerge for organizations that permit SaaS use in their networks. With SaaS applications, data is often stored where the application resides – in the cloud. Thus, the data is no longer under the organization’s control, and visibility is often lost. SaaS vendors do their best to protect the data in their applications, but it is ultimately not their responsibility. Just as in any other part of the network, the IT team is responsible for protecting and controlling the data, regardless of its location.
SaaS Security Challenges
Because of the nature of SaaS applications, their use is very difficult to control – or have visibility into – after the data leaves the network perimeter. This lack of control presents a significant security challenge: End users are now acting as their own “shadow” IT department, with control over the SaaS applications they use and how they use them. The two inherent risks are data exposure and threat insertion.
Malicious Outsiders
The most common source of breaches for networks overall is also a critical concern for SaaS security. The SaaS application becomes a new threat vector and distribution point for malware used by external adversaries. Some malware will even target the SaaS applications themselves, for example, by changing their shares to “public” so that the data can be retrieved by anyone.

Malicious Insiders
The least common but real SaaS application risk is the internal user who maliciously shares data for theft or revenge purposes. For example, an employee who is leaving the company might set a folder’s share permissions to “public” or share it with an external email address to later steal the data from a remote location.

Accidental Data Exposure
Well-intentioned end users are often untrained and unaware of the risks their actions pose in SaaS environments. Because SaaS applications are designed to facilitate easy sharing, it’s understandable that data often becomes unintentionally exposed. Accidental data exposure by end users is surprisingly common and includes accidental share, promiscuous share, and ghost share.

Accidental Share
An accidental share happens when a share meant for a particular person is accidentally sent to the wrong person or group. Accidental shares are common when a name autofills or is mistyped, which may cause an old email address, the wrong name or group, or even an external user to have access to the share.

Promiscuous Share
In a promiscuous share, a legitimate share is created for a user, but that user then shares with other people who shouldn’t have access. Promiscuous shares often result in the data being publicly shared. These types of shares can go well beyond the control of the original owner.

Ghost (or Stale) Share
In a ghost share, the share remains active for an employee or vendor that is no longer working with the company or should no longer have access. Without visibility and control of the shares, tracking and fixing of shares to ensure that they are still valid is very difficult.
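The three accidental-exposure patterns above, together with the malicious-insider "set it to public" case, can all be recognised from a share inventory once it is cross-referenced with the directory. The script below is an added example (not part of the course text) that audits a handful of constructed share records against a constructed user list and vendor register. The record layout, the field names, the domains and the classification labels are assumptions; a real audit would read shares from the SaaS provider's admin API and users from the identity provider. Note that the data alone cannot prove an external share was accidental; the script flags it for review.

```python
# Added example (not part of the course text): classify SaaS shares into the
# exposure categories the lesson describes. All records, domains and labels
# below are constructed assumptions for the illustration.
from datetime import date

INTERNAL_DOMAIN = "example.com"                                   # assumption
ACTIVE_USERS = {"alice@example.com", "bob@example.com"}           # constructed IdP export
CONTRACT_END = {"vendor@partner.example": date(2021, 12, 31)}     # constructed vendor register

# Constructed share inventory. "shared_by" is whoever created the share;
# "owner" is who owns the item. "grantee" is None for an open (public) link.
SHARES = [
    {"id": 1, "owner": "alice@example.com", "item": "q4-plan.docx",
     "grantee": "bob@example.com", "public": False, "shared_by": "alice@example.com"},
    {"id": 2, "owner": "alice@example.com", "item": "payroll.xlsx",            # mistyped address
     "grantee": "bobb@gmail.com", "public": False, "shared_by": "alice@example.com"},
    {"id": 3, "owner": "alice@example.com", "item": "roadmap.pptx",            # anyone with the link
     "grantee": None, "public": True, "shared_by": "alice@example.com"},
    {"id": 4, "owner": "alice@example.com", "item": "roadmap.pptx",            # re-shared by a recipient
     "grantee": "friend@outside.example", "public": False, "shared_by": "bob@example.com"},
    {"id": 5, "owner": "alice@example.com", "item": "contract.pdf",            # vendor contract ended
     "grantee": "vendor@partner.example", "public": False, "shared_by": "alice@example.com"},
    {"id": 6, "owner": "alice@example.com", "item": "old-notes.docx",          # user no longer active
     "grantee": "carol@example.com", "public": False, "shared_by": "alice@example.com"},
]


def is_internal(addr):
    return addr is not None and addr.endswith("@" + INTERNAL_DOMAIN)


def classify_share(share, today):
    """Return one exposure label for a share, or "ok" when nothing stands out."""
    grantee = share["grantee"]
    if share["public"]:
        return "public-link"                      # open to anyone; insider or malware pattern
    if share["shared_by"] != share["owner"] and not is_internal(grantee):
        return "promiscuous-reshare"              # recipient passed it on outside the company
    if is_internal(grantee):
        return "ok" if grantee in ACTIVE_USERS else "ghost-deactivated-user"
    end = CONTRACT_END.get(grantee)
    if end is not None:
        return "ghost-expired-contract" if end < today else "ok"
    return "accidental-external"                  # external address with no known relationship


def audit_shares(shares, today):
    """Map share id -> label for every share that is not clean."""
    result = {}
    for share in shares:
        label = classify_share(share, today)
        if label != "ok":
            result[share["id"]] = label
    return result


if __name__ == "__main__":
    for share_id, label in sorted(audit_shares(SHARES, date.today()).items()):
        print(share_id, label)
```

The ghost-share checks are the ones that need a data source outside the SaaS application: without the active-user list and the contract end dates, shares 5 and 6 look identical to share 1, which is exactly why the lesson says tracking stale shares is difficult without visibility and control.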

Compliance Challenges
Most companies and industries face constant data regulatory and compliance challenges. Compliance and security are not the same thing. Let's review some of the compliance challenges.
Change and Complexity
Many laws and regulations are obsolete or ambiguous and are not uniformly supported by international communities. Laws are constantly changing. Some regulations may also be inconsistent with other applicable laws and regulations, thus requiring legal interpretation to determine relevance, intent, or precedence. As a result, businesses and organizations in every industry struggle to achieve and maintain data compliance.

Compliance and Security
An organization can be fully compliant with all applicable cybersecurity laws and regulations, yet still not be secure. Conversely, an organization can be secure, yet not fully compliant. To further complicate this point, the compliance and security functions in many organizations are often defined and supervised by separate entities.

Standards and Regulations
Organizations worldwide handle huge amounts of customer data and personal information, making them a prime target for cyber criminals. New standards and regulations are being enacted to protect and secure this data.
Payment Card Industry’s Data Security Standard
The Payment Card Industry's Data Security Standard (PCI DSS) establishes its own cybersecurity standards and best practices for businesses and organizations that allow payment card purchases. An ever-increasing number of international, multinational, federal, regional, state, and local laws and regulations also mandate numerous cybersecurity and data protection requirements for businesses and organizations worldwide.

European Union General Data Protection Regulations
The European Union (EU) General Data Protection Regulations (GDPR) apply to any organization that does business with EU citizens. GDPR regulations often apply more stringent standards for end user and data protections than those that are applied domestically. Some domestic companies have adopted a policy of complying with GDPR regulations, just in case their operations may interact with European or international consumers.

Attacker Profiles
News outlets are usually quick to showcase high-profile attacks, but the sources of these attacks are not always easy to identify. Each of the different attacker types or profiles generally has a specific motivation for the attacks they generate.
Here are some traditional attacker profile types. Because these different attacker profiles have different motivations, information security professionals must design cybersecurity defenses that can identify the different attacker motivations and apply appropriate deterrents.
Cybercriminals
Cybercriminals are the most common attacker profile. The dramatic increase in the number of ransomware attacks over the last five years generally is attributed to cybercriminal groups, which are also invested in other crime-for-profit activities. They are also known for the proliferation of bots and botnet attacks, where endpoints are infected and then organized collectively by a command-and-control, or C&C, attack server.
Cyberattack Lifecycle
Modern cyberattack strategy has evolved from a direct attack against a high-value server or asset (“shock and awe”) to a patient, multistep process that blends exploits, malware, stealth, and evasion in a coordinated network attack (“low and slow”).
The cyberattack lifecycle illustrates the sequence of events that an attacker goes through to infiltrate a network and exfiltrate (or steal) valuable data. Blocking just one step breaks the chain and can effectively defend an organization’s network and data against an attack.
Reconnaissance (Attack)
Like common criminals, attackers meticulously plan their cyberattacks. They research, identify, and select targets, often extracting public information from targeted employees’ social media profiles or from corporate websites, which can be useful for social engineering and phishing schemes. Attackers will also use various tools to scan for network vulnerabilities, services, and applications that they can exploit, such as network analyzers, network vulnerability scanners, password crackers, port scanners, web application vulnerability scanners, and Wi-Fi vulnerability scanners.
Reconnaissance (Defense)
Breaking the cyberattack lifecycle at this phase of an attack begins with proactive and effective end-user security awareness training that focuses on topics such as social engineering techniques (for example, phishing, piggybacking, and shoulder surfing), social media (for example, safety and privacy issues), and organizational security policies (for example, password requirements, remote access, and physical security). Another important countermeasure is continuous monitoring and inspection of network traffic flows to detect and prevent unauthorized port and vulnerability scans, host sweeps, and other suspicious activity. Effective change and configuration management processes help to ensure that newly deployed applications and endpoints are properly configured (for example, disabling unneeded ports and services) and maintained.
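The "continuous monitoring and inspection of network traffic flows to detect unauthorized port and vulnerability scans, host sweeps" countermeasure can be expressed as a small detection over connection logs. The script below is an added example (not part of the course text): it buckets connection attempts per source into fixed time windows and reports a port scan when one source touches many ports on one host, and a host sweep when one source touches many hosts. The log format, the addresses, the window size and the thresholds are all assumptions chosen for the illustration.

```python
# Added example (not part of the course text): detect port scans and host
# sweeps in a constructed connection-attempt log. Format, addresses,
# window and thresholds are assumptions for the illustration.
from collections import defaultdict


def _entry(ts, src, dst, dport):
    return f"{ts} {src} {dst} {dport}"


# Constructed log lines: "<epoch_seconds> <src> <dst> <dst_port>"
SAMPLE_LOG = (
    # one source probing 15 different ports on a single host within 15 seconds
    [_entry(1642300000 + i, "198.51.100.7", "10.0.0.5", 20 + i) for i in range(15)]
    # one source probing the same port on 12 different hosts
    + [_entry(1642300000 + i, "198.51.100.9", f"10.0.0.{10 + i}", 445) for i in range(12)]
    # a benign internal client reconnecting to one service a few times
    + [_entry(1642300000 + i * 10, "10.0.0.2", "10.0.0.5", 443) for i in range(5)]
)


def parse_line(line):
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_recon(lines, window=60, port_threshold=10, host_threshold=10):
    """Return {src: [findings]} for sources whose activity looks like scanning.

    Connections are grouped by (source, time bucket). A port scan is many
    distinct destination ports on one host in a bucket; a host sweep is many
    distinct destination hosts in a bucket.
    """
    ports_per_host = defaultdict(set)   # (src, bucket, dst) -> {ports}
    hosts_per_src = defaultdict(set)    # (src, bucket)      -> {dsts}
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        bucket = ts // window
        ports_per_host[(src, bucket, dst)].add(dport)
        hosts_per_src[(src, bucket)].add(dst)

    findings = defaultdict(list)
    for (src, _bucket, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            findings[src].append(("port-scan", dst, len(ports)))
    for (src, _bucket), hosts in hosts_per_src.items():
        if len(hosts) >= host_threshold:
            findings[src].append(("host-sweep", len(hosts)))
    return dict(findings)


if __name__ == "__main__":
    for src, notes in detect_recon(SAMPLE_LOG).items():
        print(src, notes)
```

Fixed buckets are deliberately simple: a scan that straddles a bucket boundary is split across two buckets and may stay under threshold, which is the usual reason production detectors use sliding windows or per-source rate tracking instead. Lowering the thresholds catches slower scans at the cost of flagging busy but legitimate clients.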
Weaponization (Attack)
Attackers determine which methods to use to compromise a target endpoint. They may choose to embed intruder code within seemingly innocuous files such as a PDF or Microsoft Word document or email message. Or, for highly targeted attacks, attackers may customize deliverables to match the specific interests of an individual within the target organization.
Weaponization (Defense)
Breaking the cyberattack lifecycle at this phase of an attack is challenging because weaponization typically occurs within the attacker’s network. However, analysis of artifacts (both malware and weaponizer) can provide important threat intelligence to enable effective zero-day protection when delivery (the next step) is attempted.
Delivery (Attack)
Attackers next attempt to deliver their weaponized payload to a target endpoint via email, IM, drive-by download (an end user’s web browser is redirected to a webpage that automatically downloads malware to the endpoint in the background), or infected file share.
Delivery (Defense)
Breaking the cyberattack lifecycle at this phase of an attack requires visibility into all network traffic (including remote and mobile devices) to effectively block malicious or risky websites, applications, and IP addresses and prevent known and unknown malware and exploits.
Exploitation (Attack)
After a weaponized payload is delivered to a target endpoint, it must be triggered. An end user may unwittingly trigger an exploit by clicking a malicious link or opening an infected attachment in an email. An attacker also may remotely trigger an exploit against a known server vulnerability on the target network.
Exploitation (Defense)
Breaking the cyberattack lifecycle at this phase of an attack begins with proactive and effective end-user security awareness training that focuses on topics such as malware prevention and email security. Other important security countermeasures include vulnerability and patch management; malware detection and prevention; threat intelligence (including known and unknown threats); blocking risky, unauthorized, or unneeded applications and services; managing file or directory permissions and root or administrator privileges; and logging and monitoring network activity.
Installation (Attack)
Next, an attacker will escalate privileges on the compromised endpoint, for example, by establishing remote shell access and installing rootkits or other malware. With remote shell access, the attacker has control of the endpoint and can execute commands in privileged mode from a command-line interface (CLI) as if physically sitting in front of the endpoint. The attacker will then move laterally across the target’s network, executing attack code, identifying other targets of opportunity, and compromising additional endpoints to establish persistence.
Installation (Defense)
The key to breaking the cyberattack lifecycle at this phase of an attack is to limit or restrict the attackers’ lateral movement within the network. Use network segmentation and a Zero Trust model that monitors and inspects all traffic between zones or segments and provides granular control of applications that are allowed on the network.
Command and Control (Attack)
Attackers establish encrypted communication channels back to command-and-control (C2) servers across the internet so that they can modify their attack objectives and methods as additional targets of opportunity are identified within the victim network, or to evade any new security countermeasures that the organization may attempt to deploy if attack artifacts are discovered. Communication is essential to an attack because it enables the attacker to remotely direct the attack and execute the attack objectives. C2 traffic must therefore be resilient and stealthy for an attack to succeed. Attack communication traffic is usually hidden with various techniques and tools, including encryption, circumvention, port evasion, fast flux (or Dynamic DNS), and DNS tunneling.
Command and Control (Defense)
Breaking the cyberattack lifecycle at this phase of an attack requires:
- Inspecting all network traffic (including encrypted communications)
- Blocking outbound C2 communications with anti-C2 signatures (along with file and data pattern uploads)
- Blocking all outbound communications to known malicious URLs and IP addresses
- Blocking novel attack techniques that employ port evasion methods
- Preventing the use of anonymizers and proxies on the network
- Monitoring DNS for malicious domains and countering with DNS sinkholing or DNS poisoning
- Redirecting malicious outbound communications to honeypots to identify or block compromised endpoints and analyze attack traffic
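Two of the C2 hiding techniques named above, DNS tunneling and fast flux, leave measurable traces in DNS logs, and the "monitor DNS and counter with sinkholing" defense can be built directly on those traces. The script below is an added example (not part of the course text): over a constructed DNS log it scores each base domain on the number, length and character entropy of its subdomain labels (tunneling moves data in the query names) and on how many distinct, short-TTL answers it returns (fast flux rotates the resolved addresses), then builds a sinkhole table for the domains it flags. The log layout, the domains, the addresses, the thresholds and the sinkhole address are assumptions for the illustration; in practice the base domain would come from a public-suffix list rather than a field in the log.

```python
# Added example (not part of the course text): flag DNS-tunneling-like and
# fast-flux-like domains in a constructed DNS log and produce a sinkhole
# table. Domains, addresses, thresholds and the sinkhole IP are assumptions.
import base64
import hashlib
import math
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"   # documentation-range address standing in for the sinkhole


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leftmost_labels(qname, base):
    """The part of qname below base ('abc' for 'abc.t.example.net'), or ''."""
    return qname[: -len(base) - 1] if qname.endswith("." + base) else ""


def _random_looking_label(i):
    # Deterministic stand-in for encoded data carried in a query name.
    raw = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(raw).decode().lower().rstrip("=")[:40]


# Constructed log: (client, qname, base_domain, answer_ips, ttl_seconds)
DNS_LOG = (
    [("10.0.0.8", f"{_random_looking_label(i)}.t.example.net", "t.example.net",
      ["203.0.113.5"], 60) for i in range(8)]                                  # tunneling-like
    + [("10.0.0.9", "ff.example.org", "ff.example.org",
        [f"198.51.100.{10 + i}"], 60) for i in range(6)]                       # fast-flux-like
    + [("10.0.0.3", "www.example.com", "example.com", ["203.0.113.80"], 3600)] * 5  # benign
)


def analyze_dns(log, min_labels=5, min_len=20, min_entropy=3.5, min_ips=5, max_ttl=300):
    """Return {base_domain: [flags]}; an empty list means nothing suspicious."""
    stats = defaultdict(lambda: {"labels": set(), "ips": set(), "min_ttl": None})
    for _client, qname, base, answers, ttl in log:
        s = stats[base]
        label = leftmost_labels(qname, base)
        if label:
            s["labels"].add(label)
        s["ips"].update(answers)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)

    verdicts = {}
    for base, s in stats.items():
        flags = []
        labels = s["labels"]
        if len(labels) >= min_labels:
            mean_len = sum(map(len, labels)) / len(labels)
            mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
            if mean_len >= min_len and mean_ent >= min_entropy:
                flags.append("dns-tunneling-like")
        if len(s["ips"]) >= min_ips and s["min_ttl"] is not None and s["min_ttl"] <= max_ttl:
            flags.append("fast-flux-like")
        verdicts[base] = flags
    return verdicts


def sinkhole_table(verdicts, sinkhole_ip=SINKHOLE_IP):
    """Domains to answer with the sinkhole address instead of the real record."""
    return {domain: sinkhole_ip for domain, flags in verdicts.items() if flags}


if __name__ == "__main__":
    verdicts = analyze_dns(DNS_LOG)
    print(verdicts)
    print(sinkhole_table(verdicts))
```

Sinkholing rather than simply blocking is what makes the last bullet in the list possible: clients that keep resolving the flagged domain are answered with an address the defender controls, so the compromised endpoints identify themselves by connecting to it. Content-delivery networks also rotate short-TTL answers, so the fast-flux score is a prompt for analyst review, not proof on its own.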
Act on Objective (Attack)
Attackers often have multiple, different attack objectives, including data theft; destruction or modification of critical systems, networks, and data; and denial-of-service (DoS). This last stage of the cyberattack lifecycle can also be used by an attacker to advance the early stages of the lifecycle against another target.
Act on Objective (Defense)
Monitoring and awareness are the primary defense actions performed at this phase. The 2018 Verizon Data Breach Investigations Report (DBIR) describes this strategy as a secondary motive in which web applications are compromised to aid and abet in the attack of another victim. For example, an attacker may compromise a company’s extranet to breach a business partner who is the primary target.
According to the DBIR, in 2014 there were 23,244 incidents where web applications were compromised with a secondary motive. The attacker pivots the attack against the initial victim network to a different victim network, thus making the initial victim an unwitting accomplice.
High-Profile Attacks
The goals of attackers have changed dramatically. Their goals are mostly associated with financial gain.
High-Profile Cyberattacks
The following are the different types of high-profile cyberattacks:
SolarWinds
In December 2020, the cybersecurity firm FireEye and the U.S. Treasury Department both reported attacks involving malware in a software update to their SolarWinds Orion Network Management System perpetrated by the APT29 (Cozy Bear/Russian SVR) threat group. This attack is one of the most damaging supply chain attacks in history, potentially impacting more than 300,000 SolarWinds customers, including the U.S. federal government and 425 of the Fortune 500 companies.
Colonial Pipeline
In May 2021, the Colonial Pipeline Company – which operates one of the largest fuel pipelines in the U.S. – was hit by the DarkSide threat actor group with a Ransomware-as-a-Service (RaaS) attack. Although the company acted quickly to shut down its network systems and paid the $4.4 million ransom, operations were not fully restored for six days, which caused major fuel shortages and other supply chain issues along the U.S. eastern seaboard. Additionally, the personal information – including the health insurance information, social security numbers, driver’s licenses, and military identification numbers – of nearly 6,000 individuals was compromised.
JBS S.A.
In May 2021, Brazil-based JBS S.A. – the largest producer of beef, chicken, and pork worldwide – was hit by a ransomware attack attributed to the REvil threat actor group. Although the company paid the $11 million ransom, its U.S. and Australia beef processing operations were shut down for a week.
Government of Ukraine
In January 2022, several Ukrainian government websites including the ministry of foreign affairs and the education ministry were hacked by suspected Russian attackers. Threatening messages were left on the websites during a period of heightened tensions between the governments of Ukraine and Russia.
MITRE ATT&CK Framework
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a comprehensive matrix of tactics and techniques designed for threat hunters, defenders, and red teams to help classify attacks, identify attack attribution and objective, and assess an organization's risk. Organizations can use the framework to identify security gaps and prioritize mitigations based on risk.
MITRE Started ATT&CK Against Enterprise Networks
MITRE started ATT&CK in 2013 to document the tactics, techniques, and procedures (TTPs) that advanced persistent threats (APTs) use against enterprise networks. It was created out of a need to describe adversary TTPs that would be used by a MITRE research project called FMX. The objective of FMX was to investigate how endpoint telemetry data and analytics could help improve post-intrusion detection of attackers operating within enterprise networks. The ATT&CK framework was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.
Focuses on adversarial behavior in Windows, Mac, Linux, and cloud environments
Sub-Techniques
Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, an adversary may dump credentials by accessing the Local Security Authority (LSA) secrets.

Knowledge Check
Which three options describe the relationship and interaction between a customer and SaaS? (Choose three.)
Mobile devices are easy targets for attacks for which two reasons? (Choose two.)
Which path or tool is used by attackers?
Which kind of server is a master server that is designed to listen to individual compromised endpoints and respond with appropriate attack commands?