1.2 Given a scenario, analyze potential indicators to determine the type of attack Flashcards

1
Q

What is Malware?

A

The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.

Malware can also gather information, provide illicit access, and take a broad range of actions that the legitimate owner of the system or network may not want to occur.

2
Q

Ransomware (Malware)

A

Ransomware is malware that takes over a computer and then demands a ransom.

One of the most important defenses against ransomware is an effective backup system that stores files in a separate location that will not be impacted if the system or device it backs up is infected and encrypted with ransomware.

3
Q

Trojans (Malware)

A

Trojans, or Trojan horses, are a type of malware that is typically disguised as legitimate software.

They are called Trojan horses because they rely on unsuspecting individuals running them, thus providing attackers with a path into a system or device.

4
Q

Worms (Malware)

A

Unlike Trojans that require user interaction, worms spread themselves. Although worms are often associated with spreading via attacks on vulnerable services, any type of spread through automated means is possible.

Worms also self-install, rather than requiring users to click on them.

5
Q

Potentially unwanted programs (PUPs)
(Malware type)

A

Potentially unwanted programs or PUPs are programs that may not be wanted by the user but are not as dangerous as other types of malware. PUPs are typically installed without the user’s awareness or as part of a software bundle or other installation.

Most anti-malware and anti-virus programs can detect and remove PUPs. Organizations may also limit user rights so that additional software cannot be installed, or restrict which software may be installed, to prevent PUPs and other unwanted apps from being installed on organizationally owned devices.

6
Q

Fileless virus (Malware type)

A

Fileless virus attacks are similar to traditional viruses in a number of critical ways. They spread via methods like spam email and malicious websites, and they exploit flaws in browser plug-ins and web browsers themselves.

Once they have successfully found a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system by the same process at reboot through a registry entry or other technique.

7
Q

Command and Control (Malware)

A

A command and control (C&C) server is a computer controlled by an attacker or cybercriminal that is used to send commands to systems compromised by malware and to receive stolen data from a target network.

C&C servers are the core of a botnet. They allow attackers to manage the botnet, and advanced C&C tools have a broad range of capabilities that can help attackers steal data, conduct DDoS attacks on a massive scale, deploy and update additional malware capabilities, and respond to attempts by defenders to protect their networks.

8
Q

Bots (Malware)

A

Bots are remotely controlled systems or devices that have a malware infection.

Groups of bots are known as botnets, and botnets are used by the attackers who control them to perform various actions.

9
Q

Cryptomalware (Malware type)

A

Cryptomalware is malware that encrypts files and then holds them hostage until a ransom is paid.

10
Q

Logic bombs (Malware)

A

Logic bombs, unlike the other types of malware described here, are not independent malicious programs. Instead, they are functions or code that are placed inside other programs that will activate when set conditions are met.

Some malware uses this type of code to activate when a specific date or set condition is met.

11
Q

Spyware (Malware type)

A

Spyware is malware that is designed to obtain information about an individual, organization, or system.

Many spyware packages track users' browsing habits, installed software, or similar information and report it back to central servers.

Spyware is most frequently combated using anti-malware tools or user awareness.

12
Q

Keyloggers (Malware type)

A

Keyloggers are programs that capture keystrokes, although keylogger applications may also capture other input like mouse movement, touchscreen inputs, or credit card swipes from attached devices.

Best practice for prevention is to ensure that malware containing a keylogger is not installed in the first place, through patching and systems management as well as the use of anti-malware tools.

MFA can help limit the impact of a keylogger, even if it can't defeat the keylogger itself.

13
Q

Remote access Trojan (RAT)
(Malware type)

A

RATs provide attackers with remote access to systems.

Security awareness and anti-malware tools help combat RATs.

14
Q

Rootkit (Malware)

A

Rootkits are malware specifically designed to allow attackers to access a system through a backdoor.

Many modern rootkits also include capabilities that work to conceal the rootkit from detection through any of a variety of techniques, ranging from leveraging filesystem drivers to ensure that users cannot see the rootkit files, to infecting startup code in the master boot record (MBR) of a disk, thus allowing attacks against full-disk encryption systems.

15
Q

Backdoor (Malware type)

A

Backdoors are methods or tools that provide access that bypasses normal authentication and authorization procedures, giving attackers access to systems, devices, or applications.

Detecting backdoors can sometimes be done by checking for unexpected open ports and services, but more complex backdoor tools may leverage existing services.

16
Q

Spraying (Password attacks)

A

Password spraying attacks are a form of brute-force attack that attempts to use a single password or a small set of passwords against many accounts.

17
Q

Dictionary (Password attacks)

A

Dictionary attacks are another form of brute-force attack that uses a list of words as the candidate passwords for its attempts.

18
Q

Brute-force attacks (Password attacks)

A

Brute-force attacks iterate through passwords until they find one that works.

Attack methods:

Offline - against a compromised or captured password store

Online - against a live system that may have defenses in place

19
Q

Rainbow table (Password attacks)

A

Rainbow tables are an easily searchable database of precomputed hashes using the same hashing methodology as the captured password file.

The attacker takes a list of common passwords and runs them through the hash function to generate the rainbow table. They then search through lists of hashed values, looking for matches to the rainbow table.

Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks.

A salt is random data that is used as an additional input to a one-way function that hashes data, a password, or a passphrase.

20
Q

Plain-text/unencrypted
(Password attacks)

A

Protocols and authentication methods that leave credentials unencrypted, such as basic authentication and Telnet (TCP port 23).

21
Q

Malicious Universal Serial Bus (USB) cable
(Physical attacks)

A

Less likely to be noticed than a flash drive.

The advantage of a malicious USB cable is that it can be effectively invisible when it replaces an existing cable and will not be noticed in the same way that a flash drive might be.

22
Q

Malicious flash drive (Physical attacks)

A

Malicious flash drives may be dropped in locations where they are likely to be picked up and plugged in by victims.

An additional layer of social engineering is sometimes accomplished by labeling the drives with compelling text that will make them more likely to be plugged in.

23
Q

Card cloning
(Physical attacks)

A

Card cloning attacks focus on capturing information from cards like RFID and magnetic stripe cards often used for entry access.

24
Q

Skimming
(Physical attacks)

A

Skimming attacks use hidden or fake readers, or social engineering combined with hand-held readers, to capture (skim) card data, and then employ cloning tools to use the copied credit cards and entry access cards for the attacker's own purposes.

25
Q

Adversarial Artificial Intelligence (AI)

A

Adversarial AI is a developing field where AI is used by attackers for malicious purposes. The focus of adversarial AI attacks currently tends to be data poisoning, providing security and analytic AI and ML algorithms with adversarial input that serves the attacker's purpose, and attacks against privacy.

—Tainted training data for machine learning (will be a target)

—Security of machine learning algorithms (will be increasingly important)

26
Q

Artificial intelligence

A

Artificial intelligence focuses on accomplishing "smart" tasks by combining ML, deep learning, and related techniques that are intended to emulate human intelligence.

27
Q

Machine Learning

A

Machine learning (ML) is a subset of AI. ML systems modify themselves as they evolve to become better at the task they are set to accomplish.

28
Q

Supply-chain attacks

A

Supply-chain attacks attempt to compromise devices, systems, or software before they even reach the organization.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161

29
Q

Cloud-based vs. on-premises

A

On premises — 100% yours
Cloud based — shared responsibility model

With cloud-based services you will no longer have the ability to audit access to the facility or to check on what occurred to a specific physical machine.

30
Q

Cryptographic attacks

A
  1. Birthday attack, which attempts to find any piece of plaintext that produces the same hash value as the original, no matter what the original plaintext might have been. Relies on the birthday paradox.
  2. Collision attack, which finds two different inputs that, when subjected to the same hashing, produce the same hash.
  3. Downgrade attack, which forces a system to revert to an older or less-secure mode of operation.