1.2 - Given a scenario, analyze potential indicators to determine the type of attack. Flashcards

1
Q

Malware

A
  • malicious software
  • harms usrs comp/data
  • targets info stored on local comps + other resources/comps
  • takes advantage of weaknesses/system vulnerabilities -> makes it more dangerous + enables spreading more effectively
  • gathers info (keystrokes)
  • viruses + worms
2
Q

Ransomware + protection

A
  • malware that takes over comp. + demands ransom
  • perps want ur $, will take ur comp. in the meantime
  • could be a false ransom
    -> locks ur comp. “by the police”
  • ransom may be avoided
  • security professional might be able to remove these kinds of malware

Protection
- ALWAYS have a backup, ideally an offline backup
- Keep OS up to date
-> patch vulnerabilities
- Keep apps up to date
-> security patches
- Keep antivirus + antimalware signatures up to date
- Keep everything up to date

3
Q

Trojans

A
  • malware disguised as legit software
  • rely on unsuspecting ppl running them -> provides perp with path into sys./device
  • software designed to be something else (typically hidden)
  • capture/conquer ur comp., free rein once inside
  • can open gates 4 other programs
  • can perform actions wthout usrs knowledge/consent
  • can collect + send data causing comp. to malfunction
  • don’t replicate themselves like viruses do
  • circumvent existing sec.
  • often classified by payload/function

Most common
- backdoor
- downloader
- infostealer
- keylogger

4
Q

PUPs (Potentially unwanted programs)

A
  • typically installed wthout user knowing
  • identified by antivirus/anti-malware
  • potentially undesirable software
  • often installed along with other software
  • overly aggressive toolbar
  • backup utility that displays ads
  • browser search engine hijacker
  • includes spyware, browser toolbars, web browser tracking, adware, dialers

Symptoms
- can slow down system, etc.

Detection/Removal
- antivirus/antimalware tools

Mitigation
- limit usr rights 2 prevent software installs
- limit what software can be installed
- awareness
- best practices

5
Q

Command and control

A
  • botnet contacts central control system -> provides commands + updates + tracks how many sys. r in botnet
  • mechanism by which malicious software communicates with remote server/controller
  • allows perps to send instructions to malware on infected comp.
  • these servers are essential for managing/maintaining control over compromised systems
6
Q

Bots + infection + prevention

A
  • automated comp. program
  • doesn’t need usr interaction
  • outside sources can control
  • ur machine becomes a bot once infected
  • sits around -> checks in with command + control server -> waits for instructions

Infected via
- trojan horse
- OS/app vulnerability
- port left open
- unpatched vulnerability

Prevention
- OS/app patches
- antivirus/antimalware
- updated signatures
- identifying existing infection
-> on demand scans
-> network monitoring
- prevent command + control
-> block at firewall
-> identify at workstation with host-based firewall/host-based IPS

7
Q

Cryptomalware

A
  • newer gen. of ransomware
  • data unavailable until u provide the $
  • malware encrypts ur data files BUT ur OS remains available
    -> want u running but not working
  • pay to obtain decryption key
    -> untraceable payment system
    -> unfortunate use of public key cryptography
8
Q

Logic bombs + prevention

A
  • virus/trojan horse
  • executes malicious actions when certain event occurs OR after certain period of time
  • time bomb (time or date)
  • user event (logic bomb)
  • difficult to identify

Prevention
- process + procedures
-> formal change control
- electronic monitoring
-> alert on changes
-> host based intrusion detection
- constant auditing
-> admin can circumvent existing systems

9
Q

Spyware + detection + protection

A
  • malware spies on you
  • can change comps config without consent
  • software communicates info from users system to another party without user knowing
  • EX: advertising, identity theft, etc.
  • EX: browser monitoring, surfing habits, keyloggers

Detection
- slow system
- windows desktop slow coming up
- clicking link doesn’t do anything/takes you to unexpected website
- browser homepage changes (might not be able to reset it)
- webpages automatically added to your favorites list

Protection (adware + spyware)
- know what ur installing
- maintain antivirus/antimalware, always have latest signatures
- have a backup
- malwarebytes (run scans)

10
Q

Keylogger trojans

A
  • monitors + sends keystrokes from infected comp.
  • EX: passwords, CC #s, messages
11
Q

RAT (remote access Trojan) + protection

A
  • provide perp with remote access to sys.
    -> allow perp to take control of systems remotely
  • install without usrs knowledge
  • remote admin tool -> ultimate backdoor
  • malware installs server/service/host and perp connects with client software
    -> identifying if it’s legit remote support tool or not is difficult
    -> may cause false positives
  • EX: key logging, screen recording, screenshots, copy files, embed more malware, etc.

Protection
- DON’T run/download unknown software
- ALWAYS consider the consequences
- Keep antivirus/anti-malware signatures up to date
- ALWAYS have a backup
- security awareness
- antimalware

12
Q

Rootkit + detection + removal

A
  • software that can be installed/hidden
    -> designed to allow perps to access a sys. thru backdoor
  • can be part of software packages, installed thru unpatched vulnerabilities, downloaded/installed by usrs
  • compromise system + gain elevated privileges
  • can lead to compromising other devices on network
  • programs that view traffic/keystrokes + alter existing files to escape detection/create system backdoor
  • modifies core system files
  • might be invisible to OS, antivirus software b/c it can run in background
  • use encryption to protect outbound comms. + piggyback commonly used ports to communicate without interrupting apps

Detection
- look at memory processes
- monitor outbound comms.
- check for newly installed software
- antimalware scans
- detection tools look for behaviors + signatures typical of rootkits
- integrity checking
- data validation

Removing
- use remover specific to rootkit
- Secure Boot with UEFI (BIOS)
- have to remove rootkit AND malware the rootkit is using

13
Q

Backdoor

A
  • provide access that bypasses normal authentication/authorization procedures
    -> not malicious on own
  • app code functions devs create intentionally/unintentionally
  • shortcut entry point added to allow rapid code eval/testing during app development
  • can allow perp unauthorized access if they’re not removed b4 app deployment

Detection
- check 4 unexpected open ports + services

14
Q

Password attacks

A
  • two categories
    -> online attack
    -> offline attack
15
Q

Spraying attack + detection

password attacks

A
  • try to log in wth incorrect pswd
    -> eventually locked out
  • attack acct wth top 3+ pswds
    -> move on to next acct if they don’t work
    -> no lockouts, alarms, or alerts
    -> slow approach

Detection
- single failed log in across multiple accts at same time

16
Q

Dictionary attacks + prevention

password attacks

A
  • trying every word in dict. to gain access to system
  • common word lists available on the net + can sometimes be customized by language/line of work
  • pswd crackers can substitute letters (p&ssw0rd)
  • takes time
  • discover pswds for common words
    -> won’t discover ones wth random character pswds
  • can use dif. custom dicts.
    -> list could have 1234 and abcde
  • most successful on simple pswds b/c attack tries each word in list

Prevention
- “password” is easily compromised
-> changing “o” to numeral “0” + changing “a” to “@” could thwart attack

17
Q

Brute force attacks + online + offline

password attacks

A
  • tries every possible pswd combo until it matches hash
  • relies on cryptanalysis or hashing alg.
  • could take time b/c strong hashing alg. slows things down
  • cracks short pswds faster than dict. attacks

Online
- keep trying login process
- slow
- most accts lockout after certain # of failed attempts

Offline
- obtain list of usrs + hashes
- calculate pswd hash + compare to stored hash
- large computational resources
- attempts to exhaust all possible combos

18
Q

Offline attacks

password attacks

A
  • convenient b/c can iterate thru dif. methods + countless attempts
  • perp has access to material independent of source system
  • EX: encrypted password database might have been downloaded
  • less risky for perp
    -> perp has opportunity to circumvent control wthout detection
19
Q

Online attacks + detection + prevention

password attacks

A
  • occurs while connected to a system
  • EX: automated/manual attack against ur web based email acct
    -> attacker tries logging in with ur username/pswd

Detection
- usrs getting locked out of their accts

Prevention
- security best practices can help avoid
- EX: locking accts after several failed attempts

20
Q

Rainbow table

password attacks

A
  • optimized prebuilt set of hashes (doesn’t have to contain every hash)
  • saves time + storage space
  • contain precalculated hash chains
  • speed increase, especially wth longer pswd lengths
  • need dif. tables for dif. hashing methods
    -> windows dif. than MySQL
  • can occur offline, perp only has to search against required pswd hashes
21
Q

Plaintext/unencrypted

A
  • pswds shouldn’t be unencrypted in plaintext b/c easy to compromise
  • some apps store pswds unencrypted “in the clear”
    -> u can read pswd stored
  • anyone with access to pswd file/database has every cred.
  • get a better app if it saves pswd as plaintext
22
Q

Physical attacks

A
  • opportunities for attacks, often thru use of or on peripheral devices
23
Q

Malicious USB cable + prevention

Physical attacks

A
  • looks like normal one BUT has additional electronics inside
  • OS identifies it as a HID (human interface device)
    -> looks like you’ve connected keyboard/mouse
    -> keyboard doesn’t need extra rights/permissions
  • cable takes over once connected
    -> downloads/installs malicious software

Prevention
- don’t plug in just any USB cable
- ALWAYS use trusted hardware

24
Q

Malicious flash drive + prevention

Physical attacks

A
  • could act as HID (human interface device)/keyboard
    -> start command prompt + type anything without ur intervention
  • perp can load malware in docs
  • can be configured as boot device, then infects comp. after reboot
  • acts as ethernet adapter
    -> redirects/modifies internet traffic requests
    -> acts as wireless gateway for other devices

Prevention
- NEVER connect an untrusted USB device

25
Q

Card cloning

Physical attacks

A
  • creates duplicate of a card
    -> looks/feels like OG
    -> often includes printed CVC (card validation code)
  • get card details from skimmer b/c clone needs an original
  • can only be used with magnetic stripe cards
    -> b/c chip can't be cloned
  • cloned gift cards r common
26
Q

Skimming + prevention

Physical attacks

A
  • stealing CC info, usually during normal transaction
    -> copy data from magnetic stripe (card #, expiration date, cardholder's name)
  • perp uses CC info for other financial transactions
  • fraud is responsibility of the seller
  • ATM skimming = includes small camera to watch for ur PIN

Prevention
- ALWAYS check before using card readers
27
Q

Adversarial AI
28
Q

Tainted/poisoning training data for machine learning (ML)

Adversarial AI

A
  • confuse A.I.
  • perps send modified training data which causes AI to behave incorrectly

Mitigation
- understand quality + security of source data
- ensure developers r working in secure environ.
- ensure data sources, sys., tools r maintained in secure manner
- ensure changes to algs. = reviewed, tested, documented
- encourage reviews
29
Q

Machine learning

Adversarial AI

A
  • modify themselves as they evolve to become better at task they're set to accomplish
  • identifies patterns in data -> improves predictions
  • requires lots of training data
  • EX: stop spam, movie choices, etc.
30
Q

Security of machine learning algorithms

Adversarial AI

A
  • check training data
    -> cross check + verify
  • constantly retrain with new data
  • train AI with possible poisoning
    -> what would the perp try to do?
31
Q

Evasion attacks

Adversarial AI

A
  • AI only as good as its training
    -> perps find holes + limitations
  • AI that knows spam could be fooled by dif. approach
  • AI that uses real world info can release confidential info
32
Q

Supply chain attacks + protection

A
  • many moving parts -> suppliers, manufacturers, etc.
  • perps may infect any step without suspicion
  • one exploit can infect the entire chain

Protection
- use small supplier base
-> tighter control on vendors
- strict control over policies + procedures
-> ensure proper security in place
- security should be part of design (limit to trust)
33
Q

Cloud-based vs. on-premises attacks

A
Cloud based
- centralized
- costs less
- no dedicated hardware
- no data to secure
- 3rd party handles everything

On-premises
- security burden on the client
- data center security + infra costs
- perps want ur data, don't care where it is
34
Q

Cloud-based attack security

A
  • data in secure environment
    -> no physical access to DC
    -> 3rd party might have access to data
  • cloud providers r managing large scale sec.
    -> automated signature + sec. updates
    -> usrs must follow sec. best practices
  • limited downtime
    -> extensive fault tolerance (24/7/365 monitoring)
  • scalable sec. options
    -> one click sec. deployments
    -> may not be as customizable as necessary
35
Q

On-premises attack security

A
  • customize ur sec. posture
    -> full control when everything is in house
  • onsite IT team can manage sec. better
  • local team (LT) ensures everything = secure
    -> LT can be expensive + difficult to staff
    -> LT maintains uptime + availability
    -> system checks can occur at any time
    -> no phone call for support
    -> security changes can take time (new equipment, configs, additional costs)
36
Q

Cryptographic attacks

A
  • perp doesn't have the combo (key)
    -> so they break the safe (cryptography)
  • finding ways to undo the security
    -> many potential cryptographic shortcomings
    -> problem is often implementation
37
Q

Birthday attacks + protection

Cryptographic attacks

A
  • perp generates multiple versions of plaintext to match hashes
  • EX: classroom of 23 students, what's the chance of 2 students sharing same birthday? It's about 50%
    -> in digital world the example above is a **hash collision**
    -> hash collision = same hash value for 2 dif. plaintexts
    -> find collision thru brute force

Protection
- protect urself with large hash output size
38
Q

Collisions

Cryptographic attacks

A
  • hash digests supposed to be unique
  • dif. input data should never create same hash
39
Q

Downgrade attacks + prevention

Cryptographic attacks

A
  • force systems to downgrade their security
  • result of sec. configs. not being upgraded
  • if server allows negotiation to downgrade to a lesser version, connection = susceptible to further attacks

Prevention
- update shit
40
Q

Resident virus

A
  • in memory; to reside in mem. usually needs to be called up from a type of storage **WHEREAS fileless viruses don't**
  • loaded each time system starts
  • may infect other areas based on certain actions
  • remains active after host program is terminated
41
Q

Non-resident virus

A
  • looks for targets locally + across network when executed
  • infects those areas then exits
  • **doesn't remain active (unlike resident viruses)**
42
Q

Macro viruses

A
  • MS Office apps' ability to automate procedures
  • MS Office macros r written in VBA (Visual Basic for Applications)
  • malware has opportunity to automatically generate instructions when docs launched
  • uses macro language + executes when doc. opens
  • Office software offers option to generate alerts when they launch

Linux
- perps may leverage languages/tools (python, perl, bash)
- can be used 2 create persistent remote access using bind OR reverse shells

Prevention
- educate usrs
- provide scanning of Office docs received by org. via email, etc.
43
Q

Boot sector virus

A
  • placed in 1st hard drive sector
  • when computer boots the virus loads into memory
  • loads b4 OS even starts
  • were more prevalent wth floppy disks
44
Q

Fileless virus

A
  • stealth attack
  • good at avoiding antivirus detection
  • **operates in mem. BUT never installed in file or app.**
  • uses legit tools that r often part of the OS/development packages
    -> EX: PowerShell, Windows Management, macros
  • **doesn't require virus components to be written to disk, unlike mem. resident viruses**
45
Q

Program infecting virus

A
  • infects executable program files
  • becomes active in memory
  • seeks out other files to infect
  • easily identified by binary pattern or signature
46
Q

Polymorphic virus

A
  • can change form/signature each time executed to avoid detection
  • malicious code capable of changing shape
  • detection = difficult wthout identifiable pattern or signature to match
47
Q

Armored virus

A
  • aims to make detection difficult
  • difficult to analyze functions
  • **seeks to defeat heuristic countermeasures**
  • tries to prevent disassembly + debugging + analysis
48
Q

Stealth virus

A
  • memory resident virus
  • uses techniques to avoid detection
    -> EX: temporarily removing itself from infected file or masking file size
49
Q

Multipartite virus

A
  • infects executable files
  • attacks master boot record of the system
  • if boot sector isn't cleaned wth infected files, the files can easily be infected again
50
Q

Heuristic scanning

A
  • examines instructions running within a program instead of looking for specific signature
51
Q

Malware types + methods

A
  • viruses
  • cryptomalware
  • ransomware
  • worms
  • trojan horse
  • rootkit
  • keylogger
  • adware/spyware
  • botnet
52
Q

Endpoint protection technologies + symptoms

A
  • first line of defense
  • defends against malware
  • identifies + remediates sec. threats
  • identifies machine that's been targeted/compromised

Symptoms
- unexpected system behavior
- system instability
53
Q

What should you examine to determine if a system is infected (MRM)?

A
Memory
- might reside in mem. after execution
- Windows Task Manager + Activity Monitor
-> provides insight into running processes + helps identify rogue processes

Registries
- provides various system settings malware often targets (Windows)
- entries enable software to automatically start at login
- malware takes advantage of entries
-> ensures malicious executables run each time comp. is set up

Macros
- MS Office apps' ability to automate procedures
- gives malware opportunity to automatically generate instructions when docs launch
- Office software offers option to generate alerts when they launch
54
Q

How do people get malware? Protection?

A
  • worm takes advantage of vulnerability
  • malware installed includes remote access backdoor
  • bot can be installed later
  • comp. has to run a program

Protection
- don't click email links, pop-ups
- keep OS updated
- keep apps updated/check with publisher
55
Q

Virus and protection

A
  • program/code runs on comp. wthout usrs knowledge/consent
  • attaches to other code + replicates when infected file executes/launches
  • needs u to execute program, just running program can spread it
  • many can replicate across networks + bypass sec. systems
  • may or may not cause problems (some r invisible)

Protection
- antivirus = common
- make sure signature file is updated
56
Q

Worms + mitigation

A
  • **similar function/behavior to viruses EXCEPT that worms are self replicating + don't need a host file**
    -> **spread themselves**
    -> **self install**
    -> **don't need to attach to files/programs -> capable of reproducing on its own (key difference to virus)**
  • takes advantage of sec. hole in app or OS
  • finds other systems running same software then replicates to new host
  • repeating process
  • doesn't need usr interaction
  • checks for internet connection + if it has it then tries to replicate (network = how it transmits)
  • EX: spread via email attachments, net. file shares, over internet

Mitigation
- firewalls
- IDS/IPS
- but doesn't help much once worm is inside
57
Q

Backdoor trojans

A
  • opens entry into system for access later
  • placed through malware
  • some software includes backdoor
  • bad software can have it as part of app
58
Q

Downloader trojans

A
  • downloads additional malicious software onto infected systems
  • acts as gateway for other malware once installed
59
Q

Infostealer trojans

A
  • attempts to steal info from infected machine
  • typically employs key logging, screen capturing, data scraping techniques
  • EX: login creds, browsing history, etc.
60
Q

Adware + protection

A
  • gives advertisers online way to make a sale
  • can cause performance issues
  • form of spyware
  • can be included with other software
  • software on ur system sending info about u + ur surfing habits to remote location
  • only legitimate when user is informed

Protection (adware + spyware)
- know what ur installing
- maintain antivirus/antimalware, always have latest signatures
- have a backup
- malwarebytes (run scans)
61
Q

Botnets + prevention

A
  • zombie army
  • large # of comps. that forward transmissions to other comps. on internet
  • group of bots working together
  • can be programmed to conduct DDoS attacks, distribute spam, etc. (relay spam, proxy network traffic)
  • securely hidden
  • can perform tasks, gather info, commit crimes undetected

Detection
- analysis of bot traffic using net. monitoring tools (IPSs + IDSs)
- antivirus tools
- antimalware tools
- endpoint detection response tools

Prevention
- OS/app patches
- antivirus/antimalware
- updated signatures
- identifying existing infection
-> on demand scans
-> network monitoring
- prevent command + control
-> block at firewall
-> identify at workstation with host-based firewall/host-based IPS
62
Q

hash/hashing

A
  • one way function -> can't turn hashed value into pswd
  • pswds commonly stored this way
  • if u hash a pswd u can compare output to prev. hashed pswd
  • represents data as fixed length string of text (fingerprint)
  • no collision -> dif. inputs won't have same hash
  • impossible to recover orig. message from the digest
  • unreadable database of pswds
63
Q

Hybrid attacks

password attacks

A
  • dict. + brute force attacks can be combined into this kind
  • uses dict. attack, then builds on it by adding #s to end of words, substituting certain letters for #s, capitalizing 1st letter of words
  • can be useful tool to help identify weak pswds + controls for audit purposes
64
Q

Salt

password attacks

A
  • random data added to pswd when hashing
  • rainbow tables won't work with salted hashing
    -> additional random value added to OG pswd
  • slows down brute force process BUT doesn't completely stop reverse engineering
  • each usr gets dif. random hash -> same pswd creates dif. hash
  • use a pswd manager
65
Q

Stalkerware

A
  • type of SPYWARE
  • used to monitor partners in relationships