1.2 Given a scenario, analyze potential indicators to determine the type of attack. Flashcards
Malware
Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Ransomware
Cryptoviral malware that threatens to publish the victim’s personal data or perpetually block access to it unless an amount of currency is paid. While some simple versions may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion: it encrypts the victim’s files, making them inaccessible, and demands a payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard, Bitcoin and other cryptocurrencies are used for the payments, making tracing and prosecuting the perpetrators difficult. Payment does not guarantee a full return of the data, nor does it prevent the threat actor from releasing the harvested data on the dark web.
Trojan Horse and Remote Access Trojan (RAT)
Malware that is a file, program, or piece of code that appears to be legitimate and safe, but is actually malicious. Trojans are usually packaged and delivered inside legitimate software, and they are often designed to spy on victims or steal data. They also commonly download additional malware once installed. A more advanced version, the Remote Access Trojan (RAT), gives the attacker remote access to the infected host.
Potentially unwanted programs (PUPs)
A program that may be unwanted, despite the possibility that users consented to download it. This category includes spyware, adware, dialers and bloatware; PUPs are often downloaded in conjunction with a program that the user actually wants.
Fileless Malware
A type of malicious activity that uses native, legitimate tools built into a system to execute a cyberattack. Unlike traditional malware, it does not require an attacker to install any code on the target’s system, making it hard to detect.
- A stealth attack. Does a good job of avoiding anti-virus detection.
- Operates in RAM, and never installs in a file or application.
Command and control
A computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.
It can also serve as the headquarters for the compromised machines in a botnet, and can be used to disseminate commands that steal data, spread malware, disrupt web services, and more. C2 systems used by botnets may follow any of three models: the centralized model, the peer-to-peer (P2P) model, and the random model.
Command and Control: Centralized
Functions much like the traditional client-server relationship. A malware “client” will phone home and check for instructions. In practice, an attacker’s server-side infrastructure is often far more complex than a single server and may include redirectors, load balancers, and defense measures to detect security researchers and law enforcement. Public cloud services and Content Delivery Networks (CDNs) are frequently used to host or mask activity. It’s also common for hackers to compromise legitimate websites and use them to host command and control servers without the owner’s knowledge.
Command and Control: Peer-To-Peer
Command and control instructions are delivered in a decentralized fashion, with members of a botnet relaying messages between one another. Some of the bots may still function as servers, but there is no central or “master” node. This makes it far more difficult to disrupt than a centralized model, but can also make it more difficult for the attacker to issue instructions to the entire botnet. P2P networks are sometimes used as a fallback mechanism in case the primary C2 channel is disrupted.
Command and Control: Out of Band and Random
A number of unusual techniques have been observed for issuing instructions to infected hosts. Hackers have made extensive use of social media platforms as unconventional C2 platforms because they are rarely blocked. A project called Twittor aims to provide a fully functional command and control platform using only direct messages on Twitter. Hackers have also been observed using Gmail, IRC chat rooms, and even Pinterest to issue C&C messages to compromised hosts. It’s also been theorized that command and control infrastructure could be entirely random, with an attacker scanning large swaths of the Internet in hopes of finding an infected host.
Bots and Botnet
A bot is self-propagating malware that infects its host and connects back to a central server (or servers) that functions as a “command and control center”; a botnet is the resulting network of compromised computers and similar devices. Malicious hosts have the “worm-like ability to self-propagate,” and can also:
- Gather passwords
- Log keystrokes
- Obtain financial information
- Relay spam
- Capture and analyze packets
- Launch DoS attacks
- Open back doors on the infected computer
- Exploit back doors opened by viruses and worms
Bots are usually used to infect large numbers of computers in order to create a larger network of infected hosts.
CryptoMalware
A type of malware that allows threat actors to use someone else’s computer or server to mine for cryptocurrencies.
Logic Bomb
A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company.
Spyware
Software with malicious behavior that aims to covertly gather information about a person or organization and send it to another entity in a way that harms the user, for example by violating their privacy or endangering their device’s security.
Keyloggers
A computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information.
Rootkit
A collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user). It often masks its own existence or the existence of other software.
Backdoor
A malware type that bypasses normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.
Password attacks
Any of the various methods used to maliciously authenticate into password-protected accounts. These attacks are typically facilitated through the use of software that expedites cracking or guessing passwords.
Password Spraying
An attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. Traditional brute-force attacks, by contrast, attempt to gain unauthorized access to a single account by guessing its password.
Dictionary Attack
A method of breaking into a password-protected computer, network or other IT resource by systematically entering every word in a dictionary as a password.
Brute Force Attack
A hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks.
What is the difference between online and offline brute force?
In an offline attack, the attacker has access to the encrypted material or a password hash and tries different keys without the risk of discovery or interference. In an online attack, the attacker needs to interact with the target system for every guess.
Rainbow Table Attack
A precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Tables are usually used to recover a password (or credit card number, etc.) up to a certain length consisting of a limited set of characters. It is a practical example of a space–time tradeoff: it uses less processing time and more storage than a brute-force attack that calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack infeasible.
Plaintext/unencrypted
Ordinary readable text before it is encrypted into ciphertext, or readable text after it is decrypted.
Physical Attacks
Intentional offensive actions which aim to destroy, expose, alter, disable, steal or gain unauthorized access to physical assets such as infrastructure, hardware, or interconnections.
Malicious Cable
Any cable (electrical or optical) which performs an unexpected and unwanted function. Data exfiltration, GPS tracking, and audio eavesdropping are the primary malicious functions.
Malicious Flash Drive
A device that contains a predefined attack script. This allows the attacker to access and copy the user’s data, gain access to their keyboard and screen (which allows them to see everything the user does), or eventually encrypt their data in exchange for a ransom.
RFID Card Cloning
An attacker analyzes the data returned by an RFID chip and uses this information to duplicate an RFID signal that responds identically to the target chip. RFID chips are often used for building access control, employee identification, or as markers on products being delivered along a supply chain.
Credit Card cloning/Skimming
Making an unauthorized copy of a credit card.
Adversarial Artificial Intelligence
The use of artificial intelligence and machine learning within offensive cyber activity.
Tainted training data for machine learning (ML)
Data poisoning
This technique involves an attacker inserting corrupt data into the training dataset to compromise a target machine learning model during training.
Security of machine learning algorithms
- Cross-check and verify the training data.
- Constantly retrain with new, more, and better data.
- Train the model with possible poisoning in mind: what would the attacker try to do?
Supply Chain Attack
A cyberattack that seeks to damage an organization by targeting less-secure elements in its supply chain. The attack can occur in any industry, from the financial sector and the oil industry to government. It can target software or hardware.
Cryptographic attacks
A method for circumventing the security of a cryptographic system by finding a weakness in a code, cipher, cryptographic protocol or key management scheme.