1.2 - Given a scenario, analyze potential indicators to determine the type of attack. Flashcards
Malware
- malicious software
- harms usrs comp/data
- targets info stored on local comps + other resources/comps
- takes advantage of weaknesses/system vulnerabilities -> makes it more dangerous + enables spreading more effectively
- gathers info (keystrokes)
- viruses + worms
Ransomware + protection
- malware that takes over comp. + demands ransom
- perps want ur $, will take ur comp. in the meantime
- could be a false ransom
-> locks ur comp. “by the police”
- ransom may be avoided
- security professional might be able to remove these kinds of malware
Protection
- ALWAYS have a backup, ideally an offline backup
- Keep OS up to date
-> patch vulnerabilities
- Keep apps up to date
-> security patches
- Keep antivirus + antimalware signatures up to date
- Keep everything up to date
Trojans
- malware disguised as legit software
- rely on unsuspecting ppl running them -> provides perp with path into sys./device
- software designed to be something else (typically hidden)
- capture/conquer ur comp., free rein once inside
- can open gates 4 other programs
- can perform actions wthout usrs knowledge/consent
- can collect + send data causing comp. to malfunction
- don’t replicate themselves like viruses do
- circumvent existing sec.
- often classified by payload/function
Most common
- backdoor
- downloader
- infostealer
- keylogger
PUPs (Potentially unwanted programs)
- typically installed wthout user knowing
- identified by antivirus/anti-malware
- potentially undesirable software
- often installed along with other software
- overly aggressive toolbar
- backup utility that displays ads
- browser search engine hijacker
- includes spyware, browser toolbars, web browser tracking, adware, dialers
Symptoms
- can slow down system, etc.
Detection/Removal
- antivirus/antimalware tools
Mitigation
- limit usr rights 2 prevent software installs
- limit what software can be installed
awareness
- best practices
Command and control
- botnet contacts central control system -> provides commands + updates + tracks how many sys. r in botnet
- mechanism by which malicious software communicates with remote server/controller
- allows perps to send instructions to malware on infected comp.
- these servers are essential for managing/maintaining control over compromised systems
Bots + infection + prevention
- automated comp. program
- doesn’t need usr interaction
- outside sources can control
- ur machine becomes a bot once infected
- sits around -> checks in with command + control server -> waits for instructions
Infected via
- trojan horse
- OS/app vulnerability
- port left open
- unpatched vulnerability
Prevention
- OS/app patches
- antivirus/antimalware
- updated signatures
- identifying existing infection
-> on demand scans
-> network monitoring
- prevent command + control
-> block at firewall
-> identify at workstation with host based firewall/host based IPS
Cryptomalware
- newer gen. of ransomware
- data unavailable until u provide the $
- malware encrypts ur data files BUT ur OS remains available
-> want u running but not working
- pay to obtain decryption key
-> untraceable payment system
-> unfortunate use of public key cryptography
Logic bombs + prevention
- virus/trojan horse
- executes malicious actions when certain event occurs OR after certain period of time
- time bomb (time or date)
- user event (logic bomb)
- difficult to identify
Prevention
- process + procedures
-> formal change control
- electronic monitoring
-> alert on changes
-> host based intrusion detection
- constant auditing
-> admin can circumvent existing systems
Spyware + detection + protection
- malware spies on you
- can change comps config without consent
- software communicates info from users system to another party without user knowing
- EX: advertising, identity theft, etc
- EX: browser monitoring, surfing habits, keyloggers
Detection
- slow system
- windows desktop slow coming up
- clicking link doesn’t do anything/takes you to unexpected website
- browser homepage changes (might not be able to reset it)
- webpages automatically added to your favorites list
Protection (adware + spyware)
- know what ur installing
- maintain antivirus/antimalware, always have latest signatures
- have a backup
- malwarebytes (run scans)
Keylogger trojans
- monitors + sends keystrokes from infected comp.
- EX: passwords, CC #s, messages
RAT (remote access Trojan) + protection
- provide perp with remote access to sys.
- allow perp to take control of systems remotely
- install without usrs knowledge
- remote admin tool -> ultimate backdoor
- malware installs server/service/host and perp connects with client software
- identifying if it’s legit remote support tool or not is difficult
- may cause false positives
- EX: key logging, screen recording, screenshots, copy files, embed more malware, etc.
Protection
- DON’T run/download unknown software
- ALWAYS consider the consequences
- Keep antivirus/anti-malware signatures up to date
- ALWAYS have a backup
- security awareness
- antimalware
Rootkit + detection + removal
- software that can be installed/hidden
- designed to allow perps to access a sys. thru backdoor
- can be part of software packages, installed thru unpatched vulnerabilities, downloaded/installed by usrs
- compromise system + gain elevated privileges
- can lead to compromising other devices on network
- programs that view traffic/keystrokes + alter existing files to escape detection/create system backdoor
- modifies core system files
- might be invisible to OS, antivirus software b/c it can run in background
- use encryption to protect outbound comms. + piggyback commonly used ports to communicate without interrupting apps
Detection
- look at memory processes
- monitor outbound comms.
- check for newly installed software
- antimalware scans
- detection tools look for behaviors + signatures typical of rootkits
- integrity checking
- data validation
Removing
- use remover specific to rootkit
- secureboot with UEFI (bios)
- have to remove rootkit AND malware rootkit is using
Backdoor
- provide access that bypasses normal authentication/authorization procedures
- not malicious on own
- app code functions devs create intentionally/unintentionally
- shortcut entry point added to allow rapid code eval/testing during app development
- can allow perp unauthorized access if they’re not removed b4 app deployment
Detection
- check 4 unexpected open ports + services
Password attacks
- two categories
-> online attack
-> offline attack
Spraying attack + detection
password attacks
- try to log in wth incorrect pswd
-> eventually locked out
- attack acct wth top 3+ pswds
-> move on to next acct if they don’t work
-> no lockouts, alarms, or alerts
slow approach
Detection
- single failed log in across multiple accts at same time
Dictionary attacks + prevention
password attacks
- trying every word in dict. to gain access to system
- common word lists available on the net + can sometimes be customized by language/line of work
- pswd crackers can substitute letters (p&ssw0rd)
- takes time
- discover pswds for common words
-> won’t discover ones wth random character pswds
- can use dif. custom dicts.
-> list could have 1234 and abcde
- most successful on simple pswds b/c attack tries each word in list
Prevention
- “password” is easily compromised
-> changing “o” to numeral “0” + changing “a” to “@” could thwart attack
Brute force attacks + online + offline
password attacks
- tries every possible pswd combo until it matches hash
- relies on cryptanalysis or hashing alg.
- could take time b/c strong hashing alg. slows things down
- cracks short pswds faster than dict. attacks
Online
- keep trying login process
- slow
- most accts lockout after certain # of failed attempts
Offline
- obtain list of usrs + hashes
- calculate pswd hash + compare to stored hash
- large computational resources
- attempts to exhaust all possible combos
Offline attacks
password attacks
- convenient b/c can iterate thru dif. methods + countless attempts
- perp has access to material independent of source system
- EX: encrypted password database might have been downloaded
- less risky for perp
-> perp has opportunity to circumvent control wthout detection
Online attacks + detection + prevention
password attacks
- occurs while connected to a system
- EX: automated/manual attack against ur web based email acct
-> attacker tries logging in with ur username/pswd
Detection
- usrs getting locked out of their accts
Prevention
- security best practices can help avoid
- EX: locking accts after several failed attempts
Rainbow table
password attacks
- optimized prebuilt set of hashes (doesn’t have to contain every hash)
- saves time + storage space
- contain precalculated hash chains
- speed increase, especially wth longer pswd lengths
- need dif. tables for dif. hashing methods
-> windows dif. than MySQL
- can occur offline, perp only has to search against required pswd hashes
Plaintext/unencrypted
- pswds shouldn’t be unencrypted in plaintext b/c easy to compromise
- some apps store pswds unencrypted “in the clear”
-> u can read pswd stored
- anyone with access to pswd file/database has every cred.
- get a better app if it saves pswd as plaintext
Physical attacks
- opportunities for attacks, often thru use of or on peripheral devices
Malicious USB cable + prevention
Physical attacks
- looks like normal one BUT has additional electronics inside
- OS identifies it as a HID (human interface card)
-> looks like you’ve connected keyboard/mouse
-> keyboard doesn’t need extra rights/permissions
- cable takes over once connected
-> downloads/installs malicious software
Prevention
- don’t plug in just any USB cable
- ALWAYS use trusted hardware
Malicious flash drive + prevention
Physical attacks
- could act as HID (human interface card)/keyboard
-> start command prompt + type anything without ur intervention
- perp can load malware in docs
- can be configured as boot device, then infects comp. after reboot
- acts as ethernet adapter
-> redirects/modifies internet traffic requests
-> acts as wireless gateway for other devices
Prevention
- NEVER connect an untrusted USB device
Card cloning
Physical attacks
- creates duplicate of a card
-> looks/feels like OG
-> often includes printed CVC (card validation code)
- get card details from skimmer b/c clone needs an original
- can only be used with magnetic stripe cards
-> b/c chip can’t be cloned
- cloned gift cards r common
Skimming + prevention
Physical attacks
- stealing CC info, usually during normal transaction
-> copy data from magnetic stripe (card #, expiration date, card holders name)
- perp uses CC info for other financial transactions
- fraud is responsibility of the seller
- ATM skimming = includes small camera to watch for ur pin
Prevention
- ALWAYS check before using card readers
Adversarial AI
Tainted/poisoning training data for machine learning (ML)
Adversarial AI
- confuse A.I.
- perps send modified training data which causes AI to behave incorrectly
Mitigation
- understand quality + security of source data
- ensure developers r working in secure environ.
- ensure data sources, sys, tools r maintained in secure manner
- ensure changes to algs. = reviewed, tested, documented
- encourage reviews
Machine learning
Adversarial AI
- modify themselves as they evolve to become better at task they’re set to accomplish
- identifies patterns in data
-> improves predictions
- requires lots of training data
- EX: stop spam, movie choices, etc.
Security of machine learning algorithms
Adversarial AI
- check training data
-> cross check + verify
- constantly retrain with new data
- train AI with possible poisoning
-> what would the perp try to do?
Evasion attacks
Adversarial AI
- AI only as good as its training
-> perps find holes + limitations
- AI that knows spam could be fooled by dif. approach
- AI that uses real world info can release confidential info
Supply chain attacks + protection
- many moving parts
-> suppliers, manufacturers, etc
- perps may infect any step without suspicion
- one exploit can infect the entire chain
Protection
- use small supplier base
-> tighter control on vendors
- strict control over policies + procedures
-> ensure proper security in place
- security should be part of design (limit to trust)
Cloud-based vs. on-premises attacks
Cloud based
- centralized
- costs less
- no dedicated hardware
- no data to secure
- 3rd party handles everything
On-premises
- security burden on the client
- data center security + infra costs
- perps want ur data, don’t care where it is
Cloud-based attack security
- data in secure environment
-> no physical access to DC
-> 3rd party might have access to data
- cloud providers r managing large scale sec.
-> automated signature + sec. updates
-> usrs must follow sec. best practices
- limited downtime
-> extensive fault tolerance (24/7/365 monitoring)
- scalable sec. options
-> one click sec. deployments
-> may not be as customizable as necessary
On-premises attack security
- customize ur sec. posture
-> full control when everything is in house
- onsite IT team can manage sec. better
- local team (LT) ensures everything = secure
-> LT can be expensive + difficult to staff
-> LT maintains uptime + availability
-> system checks can occur at anytime
-> no phone call for support
-> security changes can take time (new equipment, configs, additional costs)
Cryptographic attacks
Cryptographic attacks
- perp doesn’t have the combo (key)
-> so they break the safe (cryptography)
- finding ways to undo the security
-> many potential cryptographic shortcomings
-> problem is often implementation
Birthday attacks + protection
Cryptographic attacks
- perp generates multiple versions of plaintext to match hashes
- EX: classroom of 23 students, what’s the chance of 2 students sharing same birthday? It’s about 50%
-> in digital world the example above is a hash collision
-> hash collision = same hash value for 2 dif. plaintexts
-> find collision thru brute force
Protection
- protect urself with large hash output size
Collisions
Cryptographic attacks
- hash digests supposed to be unique
- dif. input data should never create same hash
Downgrade attacks + prevention
Cryptographic attacks
- force systems to downgrade their security
- result of sec. configs. not being upgraded
- if server allows negotiation to downgrade to a lesser version, connection = susceptible to further attacks
Prevention
- update shit
Resident virus
- in memory; to reside in mem. usually needs to be called up from some type of storage WHEREAS fileless viruses don’t
- loaded each time system starts
- may infect other areas based on certain actions
- remain active after host program is terminated
Non-resident virus
- looks for targets locally + across network when executed
- infects those areas then exits
- doesn’t remain active (unlike Resident viruses)
Macro viruses
- MS office apps ability to automate procedures
- MS office macros r written in VBA (visual basic for apps)
- malware has opportunity to automatically generate instructions when docs launched
- uses macro language + executes when doc. opens
- office software offers option to generate alerts when they launch
Linux
- perps may leverage languages/tools (python, perl, bash)
- can be used 2 create persistent remote access using bind OR reverse shells
Prevention
- educate usrs
- provide scanning of office docs received by org. via email, etc
Boot sector virus
- placed in 1st hard drive sector
- when computer boots the virus loads into memory
- loads b4 OS even starts
- were more prevalent wth floppy disks
Fileless virus
- stealth attack
- good at avoiding antivirus detection
- operates in mem. BUT never installed in file or app.
- uses legit tools that r often part of the OS/development packages
-> EX: powershell, windows management, macros.
- doesn’t require virus components to be written to disk unlike mem. resident viruses
Program infecting virus
- infects executable program files
- become active in memory
- seeks out other files to infect
- easily identified by binary pattern or signature
Polymorphic virus
- can change form/signature each time executed to avoid detection
- malicious code capable of changing shape
- detection = difficult wthout identifiable pattern or signature to match
Armored virus
- aims to make detection difficult
- difficult to analyze functions
- seeks to defeat heuristic countermeasures
- tries to prevent disassembly + debugging + analysis
Stealth virus
- memory resident virus
- uses techniques to avoid detection
-> EX: temporarily removing itself from infected file or masking file size
Multipartite virus
- infects executable files
- attacks master boot record of the system
- if boot sector isn’t cleaned wth infected files, the files can easily be infected again
Heuristic scanning
- examines instructions running within a program instead of looking for specific signature
Malware types + methods
- viruses
- cryptomalware
- ransomware
- worms
- trojan horse
- rootkit
- keylogger
- adware/spyware
- botnet
Endpoint protection technologies + symptoms
- first line of defense
- defends against malware
- identifies + remediates sec. threats
- identifies machine that’s been targeted/compromised
Symptoms
- unexpected system behavior
- system instability
What should you examine to determine if system is infected (MRM)?
Memory
- might reside in mem. after execution
- windows task manager + activity monitor -> provides insight into running processes + helps identify rogue processes
Registries
- provides various system settings malware often targets (windows)
- entries enable software to automatically start at login
- malware takes advantage of entries -> ensures malicious executables run each time comp. is set up
Macros
- MS office apps ability to automate procedures
- gives malware opportunity to automatically generate instructions when docs launch
- office software offers option to generate alerts when they launch
How do people get malware? Protection?
- worm takes advantage of vulnerability
- malware installed includes remote access backdoor
- bot can be installed later
- comp. has to run a program
Protection
- don’t click email links, pop-ups
- keep os updated
- keep apps updated/check with publisher
Virus and protection
- program/code runs on comp. wthout usrs knowledge/consent
- attaches to other code + replicates when infected file executes/launches
- needs u to execute program, just running program can spread it
- many can replicate across networks + bypass sec. systems
- may or may not cause problems (some r invisible)
Protection
- antivirus = common
- make sure signature file is updated
Worms + mitigation
- similar function/behavior to viruses EXCEPT that worms are self replicating + don’t need a host file
- spread themselves
- self install
- don’t need to attach to files/programs -> capable of reproducing on its own (key difference to virus)
- takes advantage of sec. hole in app or OS
- finds other systems running same software then replicates to new host
- repeating process
- doesn’t need usr interaction
- checks for internet connection + if it has it then tries to replicate (network = how it transmits)
- EX: spread via email attachments, net. file shares, over internet
Mitigation
- firewalls
- IDS/IPS
- but doesn’t help much once worm is inside
Backdoor trojans
- opens entry into system for access later
- placed through malware
- some software includes backdoor
- bad software can have it as part of app
Downloader trojans
- downloads additional malicious software onto infected systems
- acts as gateways for other malware once installed
Infostealer trojans
- attempts to steal info from infected machine
- typically employs key logging, screen capturing, data scraping techniques
- EX: login creds, browsing history, etc
Adware + protection
- gives advertisers online way to make a sale
- can cause performance issues
- form of spyware
- can be included with other software
- software on ur system sending info about u + ur surfing habits to remote location
- only legitimate when user is informed
Protection (adware + spyware)
- know what ur installing
- maintain antivirus/antimalware, always have latest signatures
- have a backup
- malwarebytes (run scans)
Botnets + prevention
- zombie army
- large # of comp. that forwards transmissions to other comps. on internet
- group of bots working together
- can be programmed to conduct DDoS attacks, distribute spam, etc. (relay spam, proxy network traffic)
- securely hidden
- can perform tasks, gather info, commit crimes undetected
Detection
- analysis of bot traffic using net. monitoring tools (IPSs + IDSs)
- antivirus tools
- antimalware tools
- endpoint detection response tools
Prevention
- OS/app patches
- antivirus/antimalware
- updated signatures
- identifying existing infection
-> on demand scans
-> network monitoring
- prevent command + control
-> block at firewall
-> identify at workstation with host based firewall/host based IPS
hash/hashing
- one way function
-> can’t turn hashed value into pswd
- pswds commonly stored this way
- if u hash a pswd u can compare output to prev. hashed pswd
- represents data as fixed length string of text (fingerprint)
- no collision
-> dif. inputs won’t have same hash
- impossible to recover orig. message from the digest
- unreadable database of pswds
Hybrid attacks
Password attacks
- dict. + brute force attacks can be combined into this kind
- uses dict. attack, then builds on it by adding #s to end of words, substituting certain letters for #s, capitalizing 1st letter of words
- can be useful tool to help identify weak pswds + controls for audit purposes
Salt
Password attacks
- random data added to pswd when hashing
- rainbow tables won’t work with salted hashing
-> additional random value added to OG pswd
- slows down brute force process BUT doesn’t completely stop reverse engineering
- each usr gets dif. random hash
-> same pswd creates dif. hash
- use a pswd manager
Stalkerware
- type of SPYWARE
- used to monitor partners in relationships