1.2 Given a scenario, analyze potential indicators to determine the type of attack Flashcards

1
Q

What are a PUP and a PUA?

A

Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)—software installed alongside a package selected by the user or perhaps bundled with a new computer system. Unlike a Trojan, the presence of a PUP is not automatically regarded as malicious. It may have been installed without active consent or consent from a purposefully confusing license agreement. This type of software is sometimes described as grayware rather than malware.

2
Q

What are the different types of viruses?

A

1.) Non-resident/file infector
2.) Memory resident
3.) Boot
4.) Script and macro viruses

3
Q

What is a multipartite and a polymorphic virus?

A

The term multipartite is used for viruses that use multiple vectors and polymorphic for viruses that can dynamically change or obfuscate their code to evade detection.

4
Q

What is the difference between a worm and a virus?

A

A computer worm is memory-resident malware that can run without user intervention and replicate over network resources. A virus is executed only when the user performs an action such as downloading and running an infected executable process, attaching an infected USB stick, or opening an infected Word document with macros enabled. By contrast, a worm can execute by exploiting a vulnerability in a process when the user browses a website, runs a vulnerable server application, or is connected to an infected file share.

5
Q

What is fileless malware?

A

1.) Fileless malware does not write its code to disk. The malware uses memory resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host. This does not mean that there is no disk activity at all, however. The malware may change registry values to achieve persistence (executing if the host computer is restarted). The initial execution of the malware may also depend on the user running a downloaded script, file attachment, or Trojan software package.

2.) Fileless malware uses lightweight shellcode to achieve a backdoor mechanism on the host. The shellcode is easy to recompile in an obfuscated form to evade detection by scanners. It is then able to download additional packages or payloads to achieve the actor’s actions and/or objectives. These packages can also be obfuscated, streamed, and compiled on the fly to evade automated detection.

3.) Fileless malware may use “live off the land” techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions. If they can be executed with sufficient permissions, these environments provide all the tools the attacker needs to perform scanning, reconfigure settings, and exfiltrate data.

6
Q

What is adware?

A

Adware—this is a class of PUP/grayware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsor’s pages at startup, adding bookmarks, and so on. Adware may be installed as a program or as a browser extension/plug-in.

7
Q

What is spyware?

A

Spyware—this is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another spyware technique is to perform Domain Name Service (DNS) redirection to pharming sites.

8
Q

What is a keylogger?

A

A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.

9
Q

What is a RAT?

A

A remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs, but is designed specifically to operate covertly. Once the RAT is installed, it allows the threat actor to access the host, upload files, and install software or use “live off the land” techniques to effect further compromises.

10
Q

What is a backdoor?

A

Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control can be referred to as a backdoor.

11
Q

What are a bot and a botnet?

A

A compromised host can be installed with one or more bots. A bot is an automated script or tool that performs some malicious activity. A group of bots that are all under the control of the same malware instance can be manipulated as a botnet by the herder program. A botnet can be used for many types of malicious purposes, including triggering distributed denial of service (DDoS) attacks, launching spam campaigns, or performing cryptomining.

12
Q

What is command and control?

A

Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network.

A command-and-control [C&C] server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.

13
Q

What is a rootkit?

A

Malware running with root-level privilege is referred to as a rootkit. The term derives from UNIX/Linux, where any process running as root has unrestricted access to everything from the root of the file system down.

A rootkit is a program or a collection of malicious software tools that give a threat actor remote access to and control over a computer or other system.

14
Q

What is ransomware?

A

Ransomware is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism.

15
Q

What is crypto-malware?

A

The crypto-malware class of ransomware attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate, unless the user has up-to-date backups of the encrypted files.

16
Q

What is a logic bomb?

A

A logic bomb isn’t necessarily malicious code but could be an event that triggers an undesirable event. A typical example is a disgruntled system administrator who leaves a scripted trap that runs in the event his or her account is deleted or disabled. Anti-virus software is unlikely to detect this kind of malicious script or program. This type of trap is also referred to as a mine.

17
Q

What is Cuckoo?

A

If it is not detected by endpoint protection, you may want to analyze the suspect code in a sandboxed environment. A sandbox is a system configured to be completely isolated from its host so that the malware cannot “break out.” The sandbox will be designed to record file system and registry changes plus network activity. Cuckoo is packaged software that aims to provide a turnkey sandbox solution (cuckoosandbox.org).

18
Q

What is SHA?

A

Secure Hash Algorithm (SHA)—considered the strongest algorithm. There are variants that produce different-sized outputs, with longer digests considered more secure. The most popular variant is SHA-256, which produces a 256-bit digest.

19
Q

What is MD5?

A

Message Digest Algorithm #5 (MD5)—produces a 128-bit digest. MD5 is not considered to be quite as safe for use as SHA-256, but it might be required for compatibility between security products.

20
Q

What is hashing?

A

Hashing is the simplest type of cryptographic operation. A cryptographic hashing algorithm produces a fixed length string from an input plaintext that can be of any length. The output can be referred to as a checksum, message digest, or hash. The function is designed so that it is impossible to recover the plaintext data from the digest (one-way) and so that different inputs are unlikely to produce the same output (a collision).

21
Q

What is symmetric encryption?

A

A symmetric cipher is one in which encryption and decryption are both performed by the same secret key. The secret key is so-called because it must be kept secret. If the key is lost or stolen, the security is breached. Symmetric encryption is used for confidentiality.

22
Q

What are two types of symmetric encryption?

A

Stream ciphers and block ciphers.

23
Q

What is a stream cipher?

A

In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. The plaintext is combined with a separate randomly generated message, calculated from the key and an initialization vector (IV). The IV ensures the key produces a unique ciphertext from the same plaintext. The keystream must be unique, so an IV must not be reused with the same key. The recipient must be able to generate the same keystream as the sender and the streams must be synchronized. Stream ciphers might use markers to allow for synchronization and retransmission. Some types of stream ciphers are made self-synchronizing.

24
Q

What is a block cipher?

A

In a block cipher, the plaintext is divided into equal-size blocks (usually 128-bit). If there is not enough data in the plaintext, it is padded to the correct size using some string defined in the algorithm. For example, a 1200-bit plaintext would be padded with an extra 80 bits to fit into 10 x 128-bit blocks. Each block is then subjected to complex transposition and substitution operations, based on the value of the key used.

The Advanced Encryption Standard (AES) is the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key.

25
Q

What is a key length?

A

The range of key values available to use with a particular cipher is called the keyspace. The keyspace is roughly equivalent to two to the power of the size of the key. Using a longer key (256 bits rather than 128 bits, for instance) makes the encryption scheme stronger. You should realize that key lengths are not equivalent when comparing different algorithms, however.

26
Q

What is asymmetric encryption?

A

With an asymmetric cipher, operations are performed by two different but related public and private keys in a key pair.

Each key is capable of reversing the operation of its pair. For example, if the public key is used to encrypt a message, only the paired private key can decrypt the ciphertext produced. The public key cannot be used to decrypt the ciphertext, even though it was used to encrypt it.

The keys are linked in such a way as to make it impossible to derive one from the other. This means that the key holder can distribute the public key to anyone he or she wants to receive secure messages from. No one else can use the public key to decrypt the messages; only the linked private key can do that.

Asymmetric encryption can be used to prove identity. The holder of a private key cannot be impersonated by anyone else. The drawback of asymmetric encryption is that it involves substantial computing overhead compared to symmetric encryption. The message cannot be larger than the key size. Where a large amount of data is being encrypted on disk or transported over a network, asymmetric encryption is inefficient.

27
Q

What is elliptic curve cryptography?

A

Elliptic curve cryptography (ECC) is another type of trapdoor function that can be used in public key cryptography ciphers. The principal advantage of ECC over RSA’s algorithm is that there are no known “shortcuts” to cracking the cipher or the math that underpins it, regardless of key length. Consequently, ECC used with a key size of 256 bits is very approximately comparable to RSA with a key size of 2048 bits.

28
Q

What is a trapdoor function?

A

This type of algorithm is called a trapdoor function, because it is easy to perform using the public key, but difficult to reverse without knowing the private key.

29
Q

What is a digital signature?

A

A message digest encrypted using the sender’s private key that is appended to a message to authenticate the sender and prove message integrity.

Hashing proves integrity by computing a unique checksum from input. These two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message, with a digital signature.

30
Q

What is a key exchange?

A

Symmetric encryption is the only practical means of encrypting and decrypting large amounts of data (bulk encryption), but it is difficult to distribute the secret key securely. Public key cryptography makes it easy to distribute a key, but can only be used efficiently with small amounts of data. Therefore, both are used within the same product in a type of key exchange system known as a digital envelope or hybrid encryption. A digital envelope allows the sender and recipient to exchange a symmetric encryption key securely by using public key cryptography.

31
Q

What is perfect forward secrecy?

A

When using a digital envelope, the parties must exchange or agree upon a bulk encryption secret key, used with the chosen symmetric cipher. In the original implementation of digital envelopes, the server and client exchange secret keys, using the server’s RSA key pair to protect the exchange from snooping. In this key exchange model, if data from a session were recorded and then later the server’s private key were compromised, it could be used to decrypt the session key and recover the confidential session data.

This risk from RSA key exchange is mitigated by perfect forward secrecy (PFS). PFS uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server’s private key. Diffie-Hellman allows Alice and Bob to derive the same shared secret just by agreeing on some values that are all related by some trapdoor function. In the agreement process, they share some of them, but keep others private. Mallory cannot possibly learn the secret from the values that are exchanged publicly.

32
Q

What is a cipher suite? What are three parts of a cipher suite?

A

Lists of cryptographic algorithms that a server and client can use to negotiate a secure connection.

1.) A signature algorithm, used to assert the identity of the server’s public key and facilitate authentication.
2.) A key exchange/agreement algorithm, used by the client and server to derive the same bulk encryption symmetric key.
3.) The final part of a cipher suite determines the bulk encryption cipher. When AES is selected as the symmetric cipher, it has to be used in a mode of operation that supports a stream of network data.

33
Q

What is ephemeral?

A

In cryptography, a key that is used within the context of a single session only.

34
Q

What is cipher block chaining mode?

A

The Cipher Block Chaining (CBC) mode applies an initialization vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext.

An encryption mode of operation where an exclusive or (XOR) is applied to the first plaintext block.

35
Q

What is counter mode?

A

Counter mode (CTM) makes the AES algorithm work as a stream cipher. Counter mode applies an IV plus an incrementing counter value to the key to generate a keystream. The keystream is then XOR’ed to the data in the plaintext blocks.

An encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Also referred to as CTM (counter mode) and CM (counter mode).

36
Q

What is an XOR?

A

An operation that outputs true only if exactly one of its inputs is true (one input is true and the other input is false).

37
Q

How many counter modes of operation are there?

A

Two: Counter and cipher block chaining.

38
Q

How many authenticated modes of operation are there?

A

Two: Message authentication code (MAC) and authenticated encryption with additional data (AEAD).

39
Q

What are unauthenticated modes of operation and what are authenticated modes of operation?

A

Unauthenticated: Cipher block chaining and Counter mode. These modes do not provide message integrity or authentication.
Authenticated: Message authentication code and authenticated encryption with additional data (AEAD). These modes provide authentication and integrity.

40
Q

What is a message authentication code?

A

A message authentication code (MAC) provides an authentication and integrity mechanism by hashing a combination of the message output and a shared secret key. The recipient can perform the same process using his or her copy of the secret key to verify the data. This type of authenticated encryption scheme is specified in a cipher suite as separate functions, such as “AES CBC with HMAC-SHA.” Unfortunately, the implementation of this type of authenticated mode in AES CBC is vulnerable to a type of cryptographic attack called a padding oracle attack (docs.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode).

41
Q

What is an authenticated encryption with additional data (AEAD)?

A

The weaknesses of CBC arising from the padding mechanism mean that stream ciphers or counter modes are strongly preferred. These use Authenticated Encryption with Additional Data (AEAD) modes of operation. In an AEAD scheme, the associated data allows the receiver to use the message header to ensure the payload has not been replayed from a different communication stream.

An AEAD mode is identified by a single hyphenated function name, such as AES-GCM or AES-CCM. The ChaCha20-Poly1305 stream cipher has been developed as an alternative to AES.

42
Q

How does cryptography support confidentiality? How is encryption/cryptography used for data?

A

Encryption supporting confidentiality is used for both data-at-rest (file encryption) and data-in-transit (transport encryption):

File encryption—the user is allocated an asymmetric cipher key pair. The private key is written to secure storage—often a trusted platform module (TPM)—and is only available when the user has authenticated to his or her account. The public key is used to encrypt a randomly generated AES cipher key. When the user tries to encrypt or decrypt files, the AES cipher key is decrypted using the private key to make it available for the encryption or decryption operation.

Transport encryption—this uses either digital envelopes or perfect forward secrecy. For HTTPS, a web server is allocated a key pair and stores the private key securely. The public key is distributed to clients via a digital certificate. The client and server use the key pair to exchange or agree on one or more AES cipher keys to use as session keys.

43
Q

How does cryptography support integrity and resiliency?

A

Both utilize a message authentication code, which proves the integrity and authenticity of a message by combining its hash with a shared secret.

44
Q

What is obfuscation?

A

A technique that essentially “hides” or “camouflages” code or other information so that it is harder to read by unauthorized users.