01 Network Attacks and Defense Strategies

Question 1

Threat Sources

List each threat source

Answer 1

• Natural: Floods, fires, power failure
• Unintentional: unskilled admin, accidents, lazy/untrained employee
• Intentional

Question 2

Define Threat Actor

Answer 2

Individual or group that breaks into the system to achieve a specific goal.

Question 3

List types of Threat Actors

Answer 3

• Hacktivist: Promotes political agenda
• Cyber Terrorist: motivated by religious or political beliefs.
• Suicide Hacker: aims to bring down infrastructure for a “cause”. Not deterred by jail time.
• State Sponsored Hacker: employed by gov to hack other gov.
• Script kiddies: unskilled hacker who use tools made by real hackers.
• Industrial Spies: Attack companies for commercial purpose.
• Insider Threat: Threat that originates from people within org.

Question 4

Vulnerability

Answer 4

Existing weaknesses in assets that can be exploited.

Question 5

Which TCP/IP Protocols are inherently insecure?

Answer 5

HTTP (Hyper Text Transfer Protocol)
FTP (File Transfer Protocol)
ICMP (Internet Control Message Protocol)
SNMP (Simple Network Management Protocol)
SMTP (Simple Mail Transfer Protocol)

Question 6

What is IIS?

Answer 6

Internet Information Services

Question 7

List the Network Security Vulnerabilities of a Configuration:

Answer 7

• User account Vuln: sending user/pass over unencrypted network.
• System Account Vuln: Setting weak passwords for user accounts.
• Internet Services Misconfig: Misconfig of services such as Apache, IIS, enabling JavaScript, FTP.
• Default Password Settings
• Network Device Misconfig: Improper setup of network devices such as routers.

Question 8

List the Network Security Vulnerabilities of a Security Policy:

Answer 8

• Unwritten Policy
• Lack of Continuity: in implementing & enforcing the policy
• Politics: challenges for implementation of a consistent security policy.
• Lack of awareness: of the security policy

Question 9

What is Risk?

Answer 9

The potential loss or damage that can occur when there is a threat to an asset in presence of an exploitable vulnerability.

Question 10

What formula represents Risk?

Answer 10

Risk = Asset + Threat + Vulnerability

Question 11

What is an ATTACK?

Answer 11

An action initiated for exploiting vulnerabilities to actualize a threat.

Question 12

What formula represents an ATTACK?

Answer 12

Attack = motive (goal) + Method (TTPs) + vulnerability

Question 13

Define TTP’s

Answer 13

Tactics, techniques, & Procedures.

Question 14

What is a MOTIVE?

Answer 14

Originates from the notion that the target system stores or processes something of value.

Question 15

What techniques can attackers use in the recon phase to obtain information?

Answer 15

• Social Engineering
• Port Scanning
• DNS footprinting
• Ping Sweeping

Question 16

What Network information is obtained from recon?

Answer 16

• Domain Names
• Internal Domain Names
• Network Blocks
• IP addresses of reachable systems
• Rogue/private websites
• open ports
• versions of OS
• Running TCP & UDP services
• Access Control Mechanisms & Access Control Locations (ACM/ACL)
• Network Protocols
• VPN Points
• Running Firewalls
• Analog/digital #’s
• Authentication mechanisms
• System Enumeration

Question 17

What is a network sniffing attack?

Answer 17

is a process of monitoring & capturing all data packets passing through a network.

Question 18

Man-in-the-Middle Attack

Answer 18

• Intruder deploys a station between client & server
• The TCP connection is split into 2 connections: 1. Client to attack connection 2. attacker to server connection.
• Enables intruder to read, modify & insert fraudulent data into the TCP connection.

Question 19

TCP

Answer 19

Transmission Control Protocol

Question 20

Password Attack

Answer 20

Attacker uses techniques such as:
-brute force,
-social engineering
-Spoofing
-Phishing
-Malware
-Sniffing
-Keylogging
to crack or obtain the password

Question 21

Privilege Escalation Attack

Answer 21

Attacker gains access to a network using a non admin account, and escalates privileges to become admin.
The attacker exploits design flaws, programming errors, bugs, and configuration oversight in the OS or app to gain admin access.

Question 22

2 Types of Privilege Escalation:

Answer 22

1. Vertical privilege escalation: shifting from a user account to an account with higher privileges.
2. Horizontal privilege escalation: Shifting from one user account to another with same privileges.

Question 23

DNS Poisoning Attack

Answer 23

• Manipulation of IP addresses in the DNS cache

- A corrupt DNS redirects user requests to a malicious website/resource.

Question 24

ARP

Answer 24

Address Resolution Protocol

Question 25

ARP Poisoning Attack

Answer 25

ARP spoofing/poisoning involves sending a large # of forged entries to the target machines ARP cache.

Question 26

DHCP

Answer 26

Dynamic Host Configuration Protocol

-Assigns valid IP addresses to host systems out of pre-assigned DHCP pool

Question 27

DHCP Starvation Attack

Answer 27

• Process of inundating DHCP servers with fake DHCP requests and using up all available IP addresses
• This results in a DoS attack where the DHCP server cannot issue new IP addresses to genuine host requests.
• New clients cannot obtain access to the network resulting in a DHCP starvation attack.

Question 28

DHCP DORA

Answer 28

DISCOVER, OFFER, REQUEST, ACKNOWLEDGE

-Stands for the message flows between the client and server.

Question 29

How does a DHCP server assign IP addresses to clients?

Answer 29

Dynamically

Question 30

DNS Spoofing Attack

Answer 30

• Attacker places a rogue DHCP server between the client and the real DHCP server.
• When a client sends a request, the rogue DHCP server intercepts the coms and acts as a DHCP server by replying with a fake IP address.
• This results in the client being diverted to the attackers system

Question 31

MAC Spoofing Attack

Answer 31

• Launched by sniffing a network for MAC addresses of clients using a switch port, and re-using one of those addresses.
• By intercepting the network traffic, the attacker replicates a legitimate users MAC address to receive all the traffic intended for the specific user.
• Mac spoofing enables an attacker to gain access to the network by faking the identity of another user already on the network.

Question 32

Network based DoS Attack:

Answer 32

Attacker floods the network with large amounts of traffic, exhausting the victims connection resources.

Question 33

Types of DoS Attacks:

Answer 33

• TCP SYN Flooding
• UDP Flooding
• ICMP Smurf Flooding
• Intermittent flooding

Question 34

UDP

Answer 34

User Datagram Protocol

Question 35

DDoS Attack

Answer 35

• multitude of compromised systems attack a single target

- Causes financial loss and damage to reputation

Question 36

2 types of DDoS

Answer 36

1. Network Centric: Overloads a resource by consuming bandwidth
2. Application Centric: overloads a services by flooding it with packets

Question 37

Types of Malware:

Answer 37

• Virus: Self replicating, attaches itself to another program, computer boot sector, or document.
• Trojan: appears to be legitimate/useful software but contains hidden harmful code.
• Adware: software program that tracks a users browsing patterns and displays ads
• Spyware: software code that extracts user info & sends it to attacker.
• Root Kit: a software program that conceals activities from detection by OS.
• Backdoor: enables attacker to bypass authentication and gaining admin access without password.

Question 38

APT’s

Answer 38

Advanced Persistent Threat

• Attacker gains access to a network and remains there undiscovered for a long period of time.
• Purpose: to obtain sensitive information vs causing damage.

Question 39

SQL

Answer 39

Structured Query Language

Question 40

SQL Injection

Answer 40

• Malicious SQL queries to directly manipulate a database.
• Executed through URL, application fields and search bars.
• Only possible when an application executes Dynamic SQL Statements & Stores procedures with arguments based on user input.

Question 41

XXS Attack

Answer 41

Cross Site Scripting

• exploits vulns in dynamically generated web pages, enables attacker to inject scripts into web pages.
• Inject malicious javascript, VBscript, ActiveX, HTML or Flash

Question 42

Parameter Tampering Attack

Answer 42

Manipulation of parameters exchanged between client and server in order to modify app data such as user creds, permissions, price & quantity of products.

Question 43

Directory Traversal Attack

Answer 43

• attackers can manipulate variables that reference files with ../ sequences and its variations
• enables access to restricted directories.

Question 44

CSRF Attack

Answer 44

Cross-site Request Forgery

-Exploits web page vulnerabilities that enable an attacker to force a users browser to send malicious requests

Question 45

Application-level DoS attack

Answer 45

Attacker exhausts server resources by sending hundred of resource intensive tasks, such as retrieving large image files.

Question 46

Session HIJacking

Answer 46

• Attacker takes over a valid TCP communications session between two computers
• Can sniff all information in transit
• Attacker steals a valid session ID and uses it to auth himself with server

Question 47

Types of Social Engineering Attacks:

Answer 47

• Impersonation
• Eavesdropping
• Shoulder Surfing
• Dumpster diving
• Piggy backing: authorized person holds door open for intruder
• Tail gating: following authorized person inside without their knowledge

Question 48

Email Attack Types:

Answer 48

• Malicious email attachments
• User redirection (links)
• Email Phishing: link sent looks like the real website
• Email Spamming

Question 49

Rooting Android

Answer 49

Grants root access

Question 50

Jailbreaking IOS

Answer 50

Installing a modified set of kernel patches that enable a user to run third party apps

Question 51

Mobile Devices Specific Attacks:

Answer 51

• Rooting
• jailbreaking
• uploading malicious app to the app store
• mobile spamming (texts/calls)
• SMS Phishing
• Bluebugging

Question 52

2 types of Bluebugging attack

Answer 52

1. Bluesnarfing: stealing info via bluetooth

2. Bluebugging: gaining control over a device via bluetooth.

Question 53

OWASP

Answer 53

Open Web Application Security Project

Question 54

OWASP Top 10 Cloud Security Risks:

Answer 54

1. Accountability and Data Ownership: Using public cloud for hosting business services can cause severe risk for the recoverability of data
2. User Identity Federation: Creating multiple user identities for different cloud providers makes it complex to manage multiple user Ids and credentials
3. Regulatory Compliance: lack of transparency and different regulatory laws in different countries
4. Business continuity and resiliency: risk or monetary loss if the cloud provider handles business continuity improperly
5. User privacy and secondary usage of data: the default share feature in social websites can jeopardize the privacy of a users personal data
6. Service and data integration: unsecured data in transit is susceptible to eavesdropping and interception attacks
7. Multi Tenancy and Physical security: inadequate logical segregation may lead to tenants interfering with the security features of each other
8. Incidence analysis and forensic support: due to distributed storage of logs across the cloud, law enforcement agencies may face challenges in forensics recovery
9. Infrastructure security: misconfiguration of infrastructure may allow network scanning for vulnerable applications and services
10. Non-Production environment exposure: using non production environments increases the risk of unauthorized access, information disclosure, and information modification.

Question 55

War Driving

Answer 55

attackers drive with wifi enabled laptops to detect open wireless networks.

Question 56

Client Mis Association

Answer 56

an attacker sets up a rogue access point outside the corporate perimeter and tricks employees to connect to it

Question 57

Unauthorized Association:

Answer 57

Attackers infect a victim machine and active APs (access point) to provide them with an unauthorized connection to the enterprise network

Question 58

Honey Pot access point attack:

Answer 58

An attacker traps people by using fake APs(access point)

Rogue Access Point Attack: Rogue wireless access points placed in a 802.11 network can be used to hijack connections of legitimate network users.

Question 59

Misconfigured Access point Attack:

Answer 59

Enables intruders to steal the SSID(service set identifier) giving them access to the network

Question 60

Ad Hoc Connection attack

Answer 60

wifi clients communicate directly via an ad hoc mode that does not require an AP to relay packets.

Question 61

AP MAC Spoofing

Answer 61

a hacker spoofs the mac address of a WLAN client’s equipment to act as an authorized client and connect to the AP as the client and eavesdrop on the traffic

Question 62

DoS Attack:

Answer 62

disrupts network connections by sending broadcast “de-authenticate” commands

Question 63

WPA-PSK Cracking

Answer 63

attackers sniff and capture auth packets and run a brute force attack to crack the WPA-PSK key

Question 64

Raidus Replay:

Answer 64

Attackers replay the valid radius server response and successfully auth to the client without valid credentials

Question 65

MAC Spoofing attack:

Answer 65

spoofs the mac of a client and attempts to authenticate to the AP, which leads to the updating of the mac address info in the network routers and switches

Question 66

WEP cracking:

Answer 66

sniff and capture packets and run wep cracking programs to obtain web key

Question 67

Man-in-the-Middle

Answer 67

attackers deploy a rogue AP and spoof the clients MAC address to position themselves between the real AP and the client to listen to the traffic

Question 68

Fragmentation Attack:

Answer 68

attackers obtain 1500 bytes of pseudo rando generation algorithm (PRGA) to generate forged wep packets that are in turn used for various injection attacks

Question 69

Jamming Signal Attack:

Answer 69

an attacker stakes out the are from a nearby location with a high gain amplifier, drowning out the legitimate access point.

Question 70

CEH Hacking Methodology: Successful black hat operations typically follow five phases:

Answer 70

1. Recon
2. Scanning
3. Gaining Access
4. Maintaining access
5. Clearing Tracks

Question 71

Lockheed Martin Cyber Kill Chain Methodology:

Answer 71

1. Recon: gather data on the target to probe for weak points
2. Weaponization: create a deliverable malicious payload using an exploit and a backdoor
3. Delivery: send a weaponized bundle to ethe victim using email, USB, etc.
4. Exploitation: exploit a vulnerability by executing code on the victim’s machine
5. Installation: install a malware on the target system
6. Command and Control: create a command-and-control channel to communicate and pass data back and forth.
7. Actions on Objectives: Perform actions to achieve intended objectives/goals

Question 72

MITRE Attack Framework:

Answer 72

Pre-Attack:

• Recon
• Weaponize

Enterprise Attack:

• Deliver
• Exploit
• Control
• Execute
• Maintain

Question 73

Goal of Network Defense:

Answer 73

is to prevent unauthed access, misuse, modification, service denial, or any degradation and disruptions.

Question 74

IA:

Answer 74

Information Assurance

Question 75

IA Principles:

Answer 75

• Confidentiality: Ensures information is not disclosed to unauthorized parties
• Integrity: Ensures information is not modified or tampered with by unauthorized parties
• Availability: ensures information is available to authorized parties without any disruptions.
• Non-repudiation: Ensures that a party in a communication cannot deny sending the message
• Authentication: ensures the identity of an individual is verified by the system or service

Question 76

Network Defense Benefits:

Answer 76

• Protect: information assets
• Comply: with government and industry specific regulation

Ensure: secure communication with clients and suppliers

Reduce: the risk of being attacked

Gain: competitive edge over competitor by providing more secure services

Question 77

Network Defense Challenges:

Answer 77

• Distributed computing environments: with the advancement in modern technology and to meet business requirements, networks are becoming vast and complex, potentially leading to serious security vulnerabilities. Attackers exploit exposed security vulnerabilities to compromise network security
• Emerging Threats: Potential threats to the network evolve each day. Network security attacks are becoming technically more sophisticated and better organized.
• Lack of network Security Skills: Organizations are failing to defend themselves against rapidly increasing network attacks due to the lack of network security skills.

Question 78

Computer Network Defense Involves:

Answer 78

applying a set of rules, processes, and measures to protect the integrity, confidentiality and availability of the networks information systems and resources.

Question 79

4 types of Network Security Approaches:

Answer 79

• Preventive Approaches: consist of methods or techniques that are used to avoid threats or attacks on the target network
• Reactive approaches: Consists of methods or techniques that are used to detect attacks on the target network
• Retrospective Approaches: Consists of methods or techniques that examine the cause for attacks, and contain, remediate, eradicate, and recover from damage cause by the attack on the target network.
• Proactive Approaches: consist of methods or techniques that are used to make informed decisions on potential attacks in the future on the target network.

Question 80

Continual/Adaptive Security Strategy:

Answer 80

Organizations should adopt adaptive security strategy, which involves implementing all four network security approaches.

Question 81

4 Adaptive Security Activities:

Answer 81

• Protect: this includes a set of prior countermeasures taken towards eliminating all the possible vulnerabilities of the network
• Detect: This involves continuous monitoring of network and identifying abnormalities and their origins (Continuous Threat Monitoring)
• Respond: This involves a set of actions taken to contain, eradicate, mitigate, and recover from the impact of attacks on the network. (Incident Response)
• Predict: This involves identifying most likely attacks, targets, and methods prior to materialization of a potential attack. (risk & vulnerability assessment, attack surface analysis, threat intelligence)

Question 82

Defense-in-depth Security Strategy:

Answer 82

• Protect endpoints
• Protect network
• Protect data

Question 83

Administrative Security Controls:

Answer 83

Management implements admin access controls to ensure the safety of the organization.

Question 84

Examples of Admin Security Controls:

Answer 84

• Regulatory framework compliance
• Security Policy
• Employee Monitoring and Supervising
• Information Classification
• Security awareness and Training

Question 85

Physical Security Controls:

Answer 85

• Fences
• Locks
• Badge system
• Security guards
• Biometric system
• Mantrap doors
• Lighting
• Motion detectors
• CCTVs
• Alarms

Question 86

Technical Security Controls::

Answer 86

A set of security measures taken to protect data and systems from unauthorized personnel.

Question 87

Examples of Technical Security Controls:

Answer 87

• Access controls
• Authentication
• Authorization
• Auditing
• Security protocols
• Network security devices 1:46.13

Question 88

Multi Layered Security:

Answer 88

1. Policies, Procedures, and Awareness
2. Physical
3. Perimeter: Server, DNS, routers, firewalls, switches
4. Internal Network
5. Host
6. Application
7. Data