.07 RG Vocab offensive security Flashcards

1
Q

Penetration test and ethical hacking

A

A simulated series of tests performed by a team or
individual behaving in the same manner and using the same tactics, techniques, and
procedures (TTPs) as an advanced adversary while taking care not to do any harm to assets
or data

2
Q

Vulnerability assessment

A

A review of possible system weaknesses against a list of known
vulnerabilities, often with recommendations for update or correction.
This type of assessment is nowhere near as comprehensive as a penetration test, but it can
provide a quick look into an organization’s points of weakness.

3
Q

Service Organization Control 2 (SOC 2) compliance

A

Used by businesses that deal in
finance and accounting, SOC 2 compliance requires ongoing security evaluations, including
periodic penetration testing.

4
Q

Payment Card Industry Data Security Standard (PCI DSS)

A

Businesses that maintain
customer payment card data must adhere to these standards to combat payment card
fraud. The PCI standards on penetration testing are among the most detailed of all regulatory
requirements, specifying differences between penetration tests and vulnerability scans.

5
Q

ISO 27001

A

This is largely a voluntary standard. Organizations that wish to establish the
depth of their internal process controls will seek this certification, which requires penetration
tests as part of the risk management portion.

6
Q

General Data Protection Regulation (GDPR)

A

The GDPR encompasses all businesses in
the European Union, particularly those that deal with the personally identifiable information
of European citizens. The GDPR guidelines require regular penetration tests to strengthen
data protection and privacy.

7
Q

Gray Hat Hacking

A

Often tied to bug bounties, this refers to the gray area between legal and
illegal, where practitioners may conduct pentest activities without explicit permission to
discover (and possibly profit from) vulnerabilities.

8
Q

ATT&CK

A

An acronym that stands for “adversarial tactics, techniques, and common
knowledge.” The framework focuses on the offensive side of an attack rather than the
defensive.

9
Q

Initial Access

A

“Initial Access consists of techniques that use various entry vectors to gain their initial
foothold within a network.” —MITRE (2019)
● Phishing
● Supply chain compromise

10
Q

Lateral Movement

A

“Lateral Movement consists of techniques that adversaries use to enter and control
remote systems on a network.” —MITRE (2019)
● Access token manipulation
● Domain policy modification

11
Q

Discovery

A

“Discovery consists of techniques an adversary may use to gain knowledge about the
system and internal network.” —MITRE (2019)
● Account discovery
● Network sniffing

12
Q

Reconnaissance phase

A

The process of gathering information about a target

13
Q

Weaponization phase

A

Creating or sourcing the correct tools to exploit the target system

14
Q

Delivery phase

A

Getting the malicious payload to the target’s machine or system

15
Q

Exploitation phase

A

Implemented after successful delivery; a vulnerability is exploited to
gain access to the system.

16
Q

Installation phase

A

Installation of a backdoor or other system of persistence on the target
system often includes modifying or “time-stomping” logs to avoid detection.

17
Q

Command and Control (C2) phase

A

Opening and maintaining communication channels
between the target system and the attacker’s

18
Q

Actions on Objectives phase

A

The hacker achieves their goal or continues escalating and
pivoting through the system to establish more persistence or access more resources.
Exfiltration of data and destruction of systems can be aspects of this phase.

19
Q

Phishing

A

The most common social engineering technique whereby an attacker sends a
fraudulent email from a seemingly reputable and trusted source

20
Q

Vishing and smishing

A

Forms of phishing performed via phone calls or text messages

21
Q

Pretexting

A

Occurs when the attacker impersonates someone powerful or meaningful to
the target to get them to comply with demands

22
Q

Baiting

A

The attacker provides the victim with something enticing to lure them into a social
engineering trap.

23
Q

Tailgating and piggybacking

A

Occur when the attacker follows an individual into an
organization unnoticed

24
Q

Spear phishing

A

Researched, targeted attacks against specific individuals within an
organization

25
Q

Whaling

A

Highly targeted attacks against specific individuals within an organization—often
C-Suite executives, HR directors, or other managers with significant access to company
resources

26
Q

Nmap

A

An open-source tool that lets you perform scans on remote networks.
It can discover protocols, open ports, and operating system information on remote
machines.

27
Q

Nessus

A

Typically used as a vulnerability assessment tool but contains the same features as
Nmap; slower than Nmap but provides the ability to output clean reports and also suggests
mitigation measures

28
Q

Hydra

A

Commonly used to crack passwords to online services such as SSH, FTP, or IMAP.
Tools such as this are the primary reason that enterprises rate-limit password attempts.

29
Q

Hashcat

A

The self-proclaimed “fastest and most advanced password recovery utility,”
Hashcat is the “go-to pentesting tool to crack hashes,” supporting various kinds of password
attacks.

30
Q

Metasploit

A

Allows the pentester to pick an exploit, select a payload, and fire it at a remote
target; touted as the “world’s most used penetration testing framework”

31
Q

Burp Suite

A

An effective web vulnerability scanner that offers many of the same features as
Nessus

32
Q

Kali Linux

A

Developed by the group Offensive Security (known as OffSec), Kali Linux is
prepackaged with most of the tools commonly used by penetration testers. It is free to
download and optimized for offense (not defense), meaning that it is easily exploited. Kali
Linux is used extensively in the extended program.

33
Q

Denial of Service (DoS) / Distributed Denial of Service (DDoS)

A

“A malicious, targeted
attack that floods a network with false requests in order to disrupt business operations”
—CrowdStrike (2021)
The main difference between DoS and DDoS is the origin of the attack. A DoS attack
originates from a single system, whereas DDoS attacks originate from multiple systems.

34
Q

On-Path attack

A

An adversary places their system between a user and an external
connection endpoint (typically a web application) to collect personal data, passwords, and
banking details to impersonate an individual to gain access or additional information.