1.2 Given a scenario, analyze potential indicators to determine the type of attack.

Question 1

Malware

Answer 1

software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

Question 2

Ransomware

Answer 2

A cryptoviral Malware that threatens to publish the victim’s personal data or perpetually block access to it unless an amount of currency is paid. While some simple versions may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim’s files, making them inaccessible, and demands a payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the payments, making tracing and prosecuting the perpetrators difficult. Payment doesn’t guarantee a full return of the data, or prevent the threat actor from releasing the data harvested on dark web.

Question 3

Trojan Horse and Remote Access Trojan (RAT)

Answer 3

malware that is a file, program, or piece of code that appears to be legitimate and safe, but is actually malware. Usually are packaged and delivered inside legitimate software, and they’re often designed to spy on victims or steal data. Usually also downloads additional malware after you install them. A more advanced version give the attack remote access the the infected host.

Question 4

Potentially unwanted programs (PUPs)

Answer 4

A program that may be unwanted, despite the possibility that users consented to download it. Includes spyware, adware and dialers, bloatware, and are often downloaded in conjunction with a program that the user wants.

Question 5

Fileless Malware

Answer 5

A type of malicious activity that uses native, legitimate tools built into a system to execute a cyber attack. Unlike traditional malware, this malware does not require an attacker to install any code on a target’s system, making it hard to detect.

• A stealth attack. Does a good job of avoiding anti-virus detection.
• Operates in RAM, and never installs in a file or application.

Question 6

Command and control

Answer 6

A computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.

Also can serves as the headquarters for compromised machines in a botnet. It can be used to disseminate commands that can steal data, spread malware, disrupt web services, and more. systems used by botnets may follow any of these three models: the centralized model, the peer-to-peer [P2P] model, and the random model.

Question 7

Command and Control: Cenralized

Answer 7

Functions much like the traditional client-server relationship. A malware “client” will phone home and check for instructions. In practice, an attacker’s server-side infrastructure is often far more complex than a single server and may include redirectors, load balancers, and defense measures to detect security researchers and law enforcement. Public cloud services and Content Delivery Networks (CDNs) are frequently used to host or mask activity. It’s also common for hackers to compromise legitimate websites and use them to host command and control servers without the owner’s knowledge.

Question 8

Command and Control: Peer-To-Peer

Answer 8

command and control instructions are delivered in a decentralized fashion, with members of a botnet relaying messages between one another. Some of the bots may still function as servers, but there is no central or “master” node. This makes it far more difficult to disrupt than a centralized model but can also make it more difficult for the attacker to issue instructions to the entire botnet. P2P networks are sometimes used as a fallback mechanism in case the primary C2 channel is disrupted.

Question 9

Command and Control: Out of Band and Random

Answer 9

A number of unusual techniques have been observed for issuing instructions to infected hosts. Hackers have made extensive use of social media platforms as unconventional C2 platforms because they are rarely blocked. A project called Twittor aims to provide a fully functional command and control platform using only direct messages on Twitter. Hackers have also been observed using Gmail, IRC chat rooms, and even Pinterest to issue C&C messages to compromised hosts. It’s also been theorized that command and control infrastructure could be entirely random, with an attacker scanning large swaths of the Internet in hopes of finding an infected host.

Question 10

Bots and Botnet

Answer 10

self-propagating malware that infects its host and connects back to a central server(s). The server functions as a “command and control center”, or a network of compromised computers and similar devices. Malicious Host have the “worm-like ability to self-propagate,” and can also:

    Gather passwords
    Log keystrokes
    Obtain financial information
    Relay spam
    Capture and analyze packets
    Launch DoS attacks
    Open back doors on the infected computer
    Exploit back doors opened by viruses and worms

usually used to infect large numbers of computers in order to create a larger network of infected hosts.

Question 11

CryptoMalware

Answer 11

a type of malware that allows threat actors to use someone else’s computer or server to mine for cryptocurrencies.

Question 12

Logic Bomb

Answer 12

is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files, should they ever be terminated from the company.

Question 13

Spyware

Answer 13

is software with malicious behavior that aims to covertly gather information about a person or organization and send it to another entity in a way that harms the user. For example, by violating their privacy or endangering their device’s security.

Question 14

Keyloggers

Answer 14

a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information.

Question 15

Rootkit

Answer 15

is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software

Question 16

Backdoor

Answer 16

is a malware type that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.

Question 17

Password attacks

Answer 17

any of the various methods used to maliciously authenticate into password-protected accounts. These attacks are typically facilitated through the use of software that expedites cracking or guessing passwords.

Question 18

Password Spraying

Answer 18

an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password.

Question 19

Dictionary Attack

Answer 19

a method of breaking into a password-protected computer, network or other IT resource by systematically entering every word in a dictionary as a password.

Question 20

Brute Force Attack

Answer 20

a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks.

Question 21

What is the difference between online and offline brute force?

Answer 21

In case of an offline attack, the attacker has access to the encrypted material or a password hash and tries different key without the risk of discovery or interference. In an online attack, the attacker needs to interact with a target system.

Question 22

Rainbow Table Attack

Answer 22

a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a key derivation function (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters. It is a practical example of a space–time tradeoff, using less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple key derivation function with one entry per hash. Use of a key derivation that employs a salt makes this attack infeasible.

Question 23

Plaintext/unencrypted

Answer 23

is usually ordinary readable text before it is encrypted into ciphertext, or readable text after it is decrypted.

Question 24

Physical Attacks

Answer 24

intentional offensive actions which aim to destroy, expose, alter, disable, steal or gain unauthorized access to physical assets such as infrastructure, hardware, or interconnection.

Question 25

Malicious Cable

Answer 25

any cable (electrical or optical) which performs an unexpected, and unwanted function. Data exfiltration, GPS tracking, and audio eavesdropping are the primary malicious functions.

Question 26

Malicious Flash Drive

Answer 26

A device that contains a predefined attack script. This in turn allows them to access and copy users’ data, gain access to their keyboard and screen which allows them to see everything they do or eventually to encrypt their data in exchange for a ransom.

Question 27

RFID Card Cloning

Answer 27

An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain.

Question 28

Credit Card cloning/Skimming

Answer 28

making an unauthorized copy of a credit card.

Question 29

Adversarial Artificial Intelligence

Answer 29

the use of artificial intelligence and machine learning within offensive cyber activity.

Question 30

Tainted training data for machine learning (ML)

Data poisoning

Answer 30

this technique involves an attacker inserting corrupt data in the training dataset to compromise a target machine learning model during training.

Question 31

Security of machine learning algorithms

Answer 31

Cross check and verify the training data
Constantly retrain with new, more, and better data
Train the AI with possible poisoning. What would the attacker try to do?

Question 32

Supply Chain Attack

Answer 32

is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. The attack can occur in any industry, from the financial sector, oil industry, to a government sector. This attack can happen in software or hardware

Question 33

Cryptographic attacks

Answer 33

a method for circumventing the security of a cryptographic system by finding a weakness in a code, cipher, cryptographic protocol or key management scheme.