1.0 - Threats, Attacks and Vulnerabilities Flashcards
Code is changing after each use, so that signature-based scanning does not always work.
Type of threat?
Polymorphic Malware
Code is encrypted so that it cannot be decompiled or reverse engineered.
Type of threat?
Armored Virus
Files are encrypted, either permanently or until a ransom is paid.
Type of threat?
Crypto-Malware
Files are encrypted, and request for ransom is received.
Type of threat?
Ransomware
Malicious code that attaches itself to another piece of executable code. It only runs when the executable it is attached to is run.
Type of threat?
Virus
Malicious code that spreads across a network without being attached to another executable. Can also move via email, open network shares, IIS, SQL. Type of threat?
Worm
Software that appears to do one thing, such as a game, but also has embedded malicious code.
Type of threat?
Trojan
Threat that modifies the OS, often by re-writing the kernel.
Type of threat?
Rootkit
Malicious code that records keystrokes.
Type of threat?
Keylogger
Software that makes ads appear. Can be malicious or legitimate.
Type of software?
Adware
Software that monitors a user’s activities, including: keylogging, browsing, cheating on games, software usage.
Type of software?
Spyware
A large number of infected PCs that can be controlled by one malicious user.
Type of threat?
Botnet
A hacker installs a toolkit on a remote PC that lets them record keystrokes, take screenshots, install software, see and change system settings.
What is this toolkit called?
RAT (Remote-Access Trojan)
An administrator installs a piece of code that will delete files or do other damage if they are fired.
What is this called?
Logic Bomb (or Time Bomb if it will go off a specific number of days later)
A developer is able to get back into a system even after new layers of security have been added.
What method did they use?
Backdoor / Trapdoor. Often a hard-coded password, which is difficult to remove.
List common Indicators of Compromise (IOC)
Common IOCs are:
Network:
- Unusual outbound network traffic
- Geographical irregularities in network traffic
- HTML response sizes
- Mismatched port-application traffic
- Unusual DNS requests
- Signs of DDoS activity
- Web traffic with nonhuman behavior
Accounts:
- Anomalies in privileged user account activity
- Account login red flags
OS & Applications:
- Increase in database read volumes
- Large number of requests for the same file
- Suspicious registry or system file changes
- Unexpected patching of systems
- Mobile device profile changes
- Bundles of data in the wrong place
A threat returns even after the OS is wiped and reloaded while the system is air-gapped.
Likely type of threat?
Firmware Rootkit, possibly in a video card or expansion card firmware.
This threat loads before the OS, as a virtualization layer for the OS. This allows it to intercept hardware calls to the OS.
Virtual Rootkit or Virtual Machine-Based Rootkit (VMBR).
This type of threat operates at the OS level, giving it privileged access to the system.
Kernel Rootkit
This type of threat infects libraries, such as .DLL files, so they can execute inside a target process to spoof it, or overwrite the memory of the target application.
Library Rootkit
Any threat will attack at least one of the three security requirements (the CIA of security). These are?
Confidentiality
Integrity
Availability
A user receives an email indicating that they need to login to resolve an account issue at a website.
What type of threat is this?
Phishing
Members of just the accounting team receive emails asking them to login to the corporate bank account, with an invalid link.
What type of attack is this?
Spear Phishing
The CEO receives a fictitious email or phone call, which was tailored just for her. What type of attack is this?
Whaling
A threat actor spoofs the company’s HR phone number and calls users asking them for personal information. What kind of attack is this?
Vishing
How can users protect against phishing and vishing attacks?
Never use the link or phone number provided in the incoming message.
Educate users about these threats.
Someone sparks up a conversation with an employee as they are heading into work, then follows them through the door without authenticating. What just happened and how can it be avoided?
The threat actor was Tailgating to gain entry to the building. Educating employees about proper entry procedures or a mantrap are possible solutions.
How might a threat actor avoid third-party authorization?
They may:
- Arrive with knowledge of an existing project or issue
- Use the guise of trouble to create a sense of urgency
- Name drop someone important who is currently unavailable
What types of parties might a threat actor impersonate?
Help Desk / Support
Contractors / Outside Parties
What is the best defense against impersonation attacks?
A standard process for verifying identity and user education.
An attacker goes through the organization trash looking for sensitive information. What is this technique called?
Dumpster Diving
An attacker watches the keypad on an ATM to get users’ PINs, possibly from afar with a telephoto lens. What type of attack is this?
Shoulder Surfing
What are some methods to prevent shoulder surfing?
Blinders around PIN keypads
Keypads that move the numbers around
User education
Users receive a viral email telling them to delete an important system file in order to prevent future attacks. What is this?
A Hoax, but a damaging one.
A website is altered to distribute malware, often just to users in a certain geographical area. What is this attack called?
Watering Hole
These are difficult and time-consuming to set up, so they tend to use zero-day attacks, and are often backed by nation states.
A threat actor pretends to be calling from the IRS. What social engineering principle are they using?
Authority
A threat actor implies that a user’s job may be on the line if they do not cooperate. What social engineering principle are they using?
Intimidation
A threat actor works within a group to push the decision-making process in a particular direction. What social engineering principle are they using?
Consensus
A phishing email says that the user only has a few minutes to reset their account. What social engineering principle is being used?
Urgency
An advertisement says that only a few items are left for sale. What social engineering principle is being used?
Scarcity
A threat actor talks to a user about how they have been in similar situations or had similar feelings. What social engineering principle is being used?
Familiarity
A social engineer’s goal is not to force someone to do something they don’t want to do, but to create a perception in their mind that they are doing the right thing. What social engineering principle is this?
Trust
Describe a social engineer’s primary goal and technique.
Their goal is to manipulate a person’s perception in order to change their actions.
They do this by preying on a person’s beliefs, biases and stereotypes.
A system is flooded with TCP SYN requests whose replies go to a non-existent IP address. This causes the system to lock up. What type of attack is this?
DoS (Denial of Service)
A threat actor is able to send commands to a few master systems, which control hundreds or thousands of zombie PCs, which are infected with the correct malware. When the order is received these systems all flood one target with requests, bringing it down. What type of attack is this?
DDoS (Distributed Denial of Service)
What precautions can be taken against DDoS attacks?
Precautions against DDoS attacks include:
- Consistent patching
- Shorter timeouts for TCP connections
- Distributed workloads
- Block ICMP packets at the border
- Scan your network for zombie systems (helps others more than you)
An attacker steals a cookie from a user and is able to hijack their session, by rerouting all communication through another PC. This allows the attacker to see the data being moved (if not encrypted) and see who the target is communicating with. What type of attack is this?
Man-in-the-Middle (session hijacking specifically)
Lack of input error-checking in programs is the root cause of this common attack where new commands are injected into a program through the input fields.
Buffer Overflow
Describe the 2014 Heartbleed attack.
It took advantage of a buffer overflow vulnerability in the OpenSSL library.
Describe some types of Injection attacks.
SQL injection - allows unauthorized SQL commands to run
XML injection - allows access to data
LDAP injection - allows access to data
Command injection - gives privileged command-line access
What is the difference between XSS and SQL injection?
XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application’s database.
Lack of input validation on a web site allows attackers to include a script and have it rendered. What is this method called?
Cross-Site Scripting (XSS)
How can Cross-Site Scripting (XSS) be mitigated?
Cross-Site Scripting (XSS) mitigation:
- Use anti-XSS libraries to strip scripts from the input strings
- Limit types of uploads, screen or whitelist uploads
- Testing with encoded and unencoded inputs to find vulnerabilities
A user is logged into a banking site. Meanwhile code is executed in a separate browser tab to perform a transaction at the site without the user’s knowledge. What type of attack is this?
Cross-Site Request Forgery (XSRF)
What methods can mitigate against Cross-Site Request Forgeries (XSRF)?
- Re-validate the user on important transactions
- Limit authentication time
- Cookie expiration
- Use anti-CSRF tokens in form submissions. These are sent to the user at authentication, then included in subsequent HTTP requests. This is the most effective method.
An attacker gets standard access to a system, then duplicates an elevated token to run processes as an elevated user. What type of attack is this?
Privilege Escalation
What methods can mitigate privilege escalation attacks?
- Follow the least-privilege model
- Regularly review administrative accounts
- Monitor privileged accounts for unusual behavior
- Reduce processes and services that run in elevated mode
An attacker sends incorrect ARP and RARP requests to a network, feeding incorrect data into system ARP tables. They then use this corruption to set up a man-in-the-middle attack. What is this method?
ARP Poisoning
An attacker sends ICMP Ping commands to a network address, with the reply aimed at a specific PC. This floods the target PC with ping requests. When an attacker is able to create a greater effect than would be possible with a single client, what is it called?
Amplification
Running nslookup shows that a system’s local DNS cache is pointing certain DNS names to the wrong IP addresses. What type of attack has occurred?
DNS Poisoning
You log in to GoDaddy to discover that you no longer own and control one of your domain names. What has occurred?
Domain Hijacking