13B - Physical and Network Attack Indicators Flashcards

1
Q

What is reconnaissance in the context of network security?

A

Reconnaissance is where a threat actor uses scanning tools to learn about the network.

This phase is crucial for understanding the layout and vulnerabilities of the target network.

2
Q

What does host discovery identify?

A

Host discovery identifies which IP addresses are in use.

This helps in mapping the network and understanding which devices are active.

3
Q

What is the purpose of service discovery?

A

Service discovery identifies which TCP or UDP ports are open on a given host.

This information is vital for assessing potential entry points for an attack.

4
Q

What does fingerprinting reveal?

A

Fingerprinting identifies the application types and versions of the software operating each port, and potentially of the operating system running on the host, and its device type.

This can help attackers tailor their exploits to specific vulnerabilities.

5
Q

What is rapid scanning?

A

Rapid scanning generates a large amount of distinctive network traffic (many connection attempts from one source to many hosts or ports in a short time, most of them refused or unanswered) that can be detected and reported as an intrusion event.

It is challenging to differentiate malicious scanning activity from non-malicious scanning activity, such as an authorized vulnerability scanner or an asset inventory tool, because the traffic pattern alone looks the same.
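The indicators described in cards 2 to 5 (host discovery, service discovery and the burst of refused connections a rapid scan leaves behind) can be pulled out of ordinary connection records. The following is an added example, not code from the original flashcards: it buckets constructed flow-log lines per source address, flags a source that touches many hosts (a sweep) or many ports on one host (a vertical scan) inside one window, and carries an allowlist for the sanctioned scanner, since the caveat above is that the traffic shape alone cannot tell the two apart. The log format, addresses and thresholds are all assumptions chosen for the example.

```python
"""Port-scan and host-sweep indicators from connection records.

Added example (not from the original page). Each record is a constructed
line "<epoch> <src> <dst> <dst_port> <proto> <conn_state>", the fields a
flow log or Zeek conn.log would give after extraction. conn_state uses
Zeek-style values: SF = completed, REJ = refused, S0 = no reply.
"""
from collections import defaultdict

WINDOW_SECONDS = 60   # fixed time bucket per source address
SWEEP_HOSTS = 10      # distinct destination hosts in one window => host discovery
SCAN_PORTS = 8        # distinct ports on one destination in one window => service discovery
FAILED_STATES = {"REJ", "S0", "RSTO"}   # connection attempts that never completed


def parse_line(line):
    ts, src, dst, dport, proto, state = line.split()
    return int(ts), src, dst, int(dport), proto, state


def detect_scans(lines, allowlist=(), window=WINDOW_SECONDS,
                 sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return findings for sources whose fan-out in a window looks like scanning.

    allowlist: sources (e.g. the authorized vulnerability scanner) to ignore,
    because the traffic pattern alone cannot tell sanctioned from hostile scans.
    """
    buckets = defaultdict(lambda: {"hosts": defaultdict(set), "failed": 0, "total": 0})
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _proto, state = parse_line(line)
        if src in allowlist:
            continue
        b = buckets[(src, ts // window)]
        b["hosts"][dst].add(dport)
        b["total"] += 1
        if state in FAILED_STATES:
            b["failed"] += 1

    findings = []
    for (src, _wid), b in buckets.items():
        fail_ratio = round(b["failed"] / b["total"], 2)
        if len(b["hosts"]) >= sweep_hosts:
            findings.append({"src": src, "kind": "host_sweep",
                             "hosts": len(b["hosts"]), "fail_ratio": fail_ratio})
        for dst, ports in b["hosts"].items():
            if len(ports) >= scan_ports:
                findings.append({"src": src, "kind": "port_scan", "dst": dst,
                                 "ports": len(ports), "fail_ratio": fail_ratio})
    return findings


def build_sample_log():
    """Constructed traffic, not a capture: one ordinary client, one host sweep
    on 445/tcp across 30 addresses, and one vertical scan of a single host."""
    lines = []
    for i, (dst, port) in enumerate([("10.0.0.20", 443), ("10.0.0.21", 443),
                                     ("10.0.0.25", 25), ("10.0.0.20", 443)]):
        lines.append(f"{1700000000 + i * 7} 10.0.0.5 {dst} {port} tcp SF")
    for i in range(1, 31):
        state = "SF" if i in (3, 17) else "REJ"
        lines.append(f"{1700000100 + i // 10} 192.168.1.66 10.0.0.{i} 445 tcp {state}")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        state = "SF" if port in (22, 443) else "REJ"
        lines.append(f"{1700000200 + i} 10.0.0.9 10.0.0.50 {port} tcp {state}")
    return lines


if __name__ == "__main__":
    for finding in detect_scans(build_sample_log()):
        print(finding)
```

The high ratio of refused or unanswered attempts is what separates a scan from a busy but legitimate client, which mostly completes its handshakes; tune the window and thresholds to the segment, and keep the allowlist short and reviewed, because it is exactly where an attacker would like to sit.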

6
Q

What do weaponization, delivery, and breach refer to?

A

Weaponization, delivery, and breach refer to techniques that allow a threat actor to get access without having to authenticate.

These methods are crucial for bypassing security measures.

7
Q

What do command and control (C2 or C&C), beaconing, and persistence entail?

A

Command and control (C2 or C&C), beaconing, and persistence refer to techniques and malicious code that allow a threat actor to operate a compromised host remotely, and maintain access to it over a period of time.

These techniques are essential for sustaining an attack.

8
Q

What is lateral movement in network security?

A

Lateral movement refers to the process by which an attacker is able to move from one part of a computing environment to another.

This technique allows attackers to explore and exploit multiple systems within the network.

9
Q

Define pivoting in the context of cyber attacks.

A

Pivoting is when an attacker uses a compromised host (the pivot) as a platform from which to spread an attack to other points in the network.

This method enhances the attacker’s reach within the network.

10
Q

What is a DRDoS attack ?

A

Distributed Reflected Denial of Service (DRDoS) attack - In a DRDoS attack, the threat actor spoofs the victim’s IP address as the source address and attempts to open connections with multiple third-party servers. Those servers direct their SYN/ACK responses to the victim host, which never sent the requests. This rapidly consumes the victim’s available bandwidth. The reflecting servers are legitimate hosts being abused, not compromised ones, which makes the traffic hard to block at the source.

11
Q

What is an amplification attack ?

A

A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by exploiting an amplification factor (the ratio of the size of the reflected response to the size of the spoofed request).

It is a type of reflected attack that targets weaknesses in specific application protocols to make the attack more effective at consuming target bandwidth.

Amplification attacks exploit protocols that allow the attacker to manipulate the request in such a way that the target is forced to respond with a large amount of data.

Protocols commonly targeted include domain name system (DNS), Network Time Protocol (NTP), and Connectionless Lightweight Directory Access Protocol (CLDAP). Another example of a particularly effective attack exploits the memcached database caching system used by web servers.

12
Q

What is Address Resolution Protocol (ARP) ?

A

ARP is a broadcast mechanism by which the hardware MAC address of an interface is matched to an IP address on a local network segment.

It identifies the MAC address of a host on the local segment that owns an IPv4 address.

13
Q

What is an ARP poisoning attack?

A

An ARP poisoning attack uses a packet crafter, such as Ettercap, to broadcast unsolicited ARP reply packets. Because ARP has no security mechanism, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address.
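Because ARP offers nothing to verify, detection has to come from watching the frames themselves. The following is an added example, not code from the original flashcards or from Ettercap: a small watcher in the style of arpwatch that feeds on constructed ARP frames and raises the three classic poisoning indicators, a reply nobody asked for, an IP whose MAC binding flips, and a reply that contradicts a configured static binding for a critical host such as the gateway. The frame tuple layout, addresses and static table are assumptions made for the example.

```python
"""Indicators of ARP cache poisoning from observed ARP frames.

Added example (not from the original page). Frames are constructed tuples
(ts, op, sender_mac, sender_ip, target_ip), i.e. the ARP header fields that
matter: a request says "who has target_ip?", a reply says "sender_ip is at
sender_mac" addressed to target_ip.
"""


class ArpWatch:
    """Learn IP->MAC bindings and flag the three classic poisoning signs:
    an unsolicited reply, a binding that flips, and a reply that contradicts
    a configured static binding (gateway, DNS server)."""

    def __init__(self, static_bindings=None, request_ttl=5):
        self.static = static_bindings or {}   # ip -> mac we insist on
        self.learned = {}                     # ip -> mac seen on the wire
        self.pending = {}                     # (requester_ip, asked_ip) -> ts
        self.request_ttl = request_ttl        # seconds a request stays answerable

    def observe(self, frame):
        ts, op, smac, sip, tip = frame
        alerts = []
        if op == "request":
            # ARP requests carry the sender's own binding; hosts learn from them too
            self.pending[(sip, tip)] = ts
            alerts += self._learn(sip, smac)
            return alerts
        # op == "reply": sender claims to be sip, answering tip
        asked_at = self.pending.pop((tip, sip), None)
        if asked_at is None or ts - asked_at > self.request_ttl:
            alerts.append(f"unsolicited reply: {sip} is-at {smac} -> {tip}")
        if sip in self.static and self.static[sip].lower() != smac.lower():
            alerts.append(f"static binding violated: {sip} expected {self.static[sip]}, got {smac}")
        alerts += self._learn(sip, smac)
        return alerts

    def _learn(self, ip, mac):
        old = self.learned.get(ip)
        self.learned[ip] = mac
        if old is not None and old.lower() != mac.lower():
            return [f"binding changed: {ip} {old} -> {mac}"]
        return []


def run_arpwatch(frames, static_bindings=None):
    """Feed frames in order; return (ts, alert) pairs."""
    watch = ArpWatch(static_bindings)
    out = []
    for frame in frames:
        for alert in watch.observe(frame):
            out.append((frame[0], alert))
    return out


GATEWAY_MAC = "aa:bb:cc:00:00:fe"
HOST_MAC = "aa:bb:cc:00:00:01"
ATTACKER_MAC = "de:ad:be:ef:00:66"

# Constructed frames: a normal gateway lookup, then an attacker poisoning both
# the host's view of the gateway and the gateway's view of the host (the
# two-sided poisoning needed to sit in the middle of their traffic).
SAMPLE_FRAMES = [
    (1, "request", HOST_MAC, "10.0.0.10", "10.0.0.1"),
    (1, "reply", GATEWAY_MAC, "10.0.0.1", "10.0.0.10"),
    (30, "reply", ATTACKER_MAC, "10.0.0.1", "10.0.0.10"),
    (31, "reply", ATTACKER_MAC, "10.0.0.10", "10.0.0.1"),
]
STATIC = {"10.0.0.1": GATEWAY_MAC}

if __name__ == "__main__":
    for ts, alert in run_arpwatch(SAMPLE_FRAMES, STATIC):
        print(ts, alert)
```

Legitimate gratuitous ARP (a host announcing an address change, or a VRRP failover moving a virtual IP to another router) will also trip the unsolicited and binding-changed checks, so in practice those two are scored rather than alerted on alone; the static-binding violation for the gateway is the one worth paging on.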

14
Q

What is a Rogue Access Point ?

A

A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not.

15
Q

What is an Evil Twin?

A

A wireless access point that deceives users into believing that it is a legitimate network access point, typically by broadcasting the same SSID as the real network. A rogue access point masquerading as a legitimate one in this way is called an evil twin.

16
Q

What is a replay attack?

A

In cybersecurity, a replay attack occurs when an attacker intercepts and retransmits a valid, but potentially sensitive, data transmission to deceive the receiver into believing it is legitimate, potentially leading to unauthorized access or actions. Capturing the traffic usually requires an on-path (man-in-the-middle) position, but a replay attack is distinct from a man-in-the-middle attack: the attacker resends the captured data unchanged rather than modifying it in transit.

Eg. An attacker copies a packet sent between you and your bank. Sending that packet again could prompt the bank to repeat the action (such as transferring the same funds a second time). The replayed packets are typically sent in rapid succession and are byte-for-byte identical to the original, which is what replay detection, and defenses such as nonces, timestamps and sequence numbers, key on.

P.S. In the context of a web application, a replay attack most often means exploiting cookie-based sessions.

17
Q

What is a KRACK attack ?

A

KRACK is an acronym for Key Reinstallation Attack. It is a replay attack on the four-way handshake of Wi-Fi Protected Access 2 (WPA2), the protocol that secures your Wi-Fi connection. An attacker within radio range of the victim captures and retransmits message 3 of the handshake, which tricks the client into reinstalling an already-in-use session key and resetting its nonce and replay counters. Because the key is then reused with repeated nonces, the attacker can decrypt captured frames and, depending on the cipher suite and the client implementation, forge or inject frames.

18
Q

What is a Password spraying attack?

A

Password spraying is a horizontal brute force online attack. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames.
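Spraying is built to slip under per-account lockout counters, so the indicator is not "many failures for one user" but "one source touching many users, once or twice each". The following is an added example, not code from the original flashcards: it parses constructed authentication log lines and classifies each source as a spray (wide and shallow) or a classic vertical brute force (one account hammered), and reports which accounts the spray actually got into. The log line format, addresses, usernames and thresholds are assumptions made for the example.

```python
"""Telling password spraying from classic brute force in an auth log.

Added example (not from the original page). Log lines are constructed in the
form "<ISO-8601 UTC> src=<ip> user=<name> result=<OK|FAIL>"; a real SIEM
query would pull the same three fields from Windows 4625/4624 events or an
IdP sign-in log.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

WINDOW_SECONDS = 900        # 15-minute buckets
SPRAY_MIN_USERS = 8         # many accounts...
SPRAY_MAX_PER_USER = 2      # ...each tried only once or twice (stays under lockout)
BRUTE_MIN_ATTEMPTS = 10     # one account hammered


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable auth record: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), m["src"], m["user"], m["result"]


def classify_sources(lines, window=WINDOW_SECONDS):
    """Return one finding per (source, window) that matches a spray or brute-force shape."""
    buckets = defaultdict(lambda: {"attempts": defaultdict(int), "ok": []})
    for line in lines:
        ts, src, user, result = parse_line(line)
        b = buckets[(src, ts // window)]
        b["attempts"][user] += 1
        if result == "OK":
            b["ok"].append(user)

    findings = []
    for (src, _w), b in buckets.items():
        users = b["attempts"]
        total = sum(users.values())
        peak = max(users.values())
        if len(users) >= SPRAY_MIN_USERS and peak <= SPRAY_MAX_PER_USER:
            kind = "password_spray"
        elif peak >= BRUTE_MIN_ATTEMPTS:
            kind = "brute_force"
        else:
            continue
        findings.append({"src": src, "kind": kind, "distinct_users": len(users),
                         "attempts": total, "successes": sorted(set(b["ok"]))})
    return findings


def build_sample_log():
    """Constructed authentication log, not real data."""
    lines = []
    users = ["alice", "bob", "carol", "dave", "erin", "frank",
             "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
    # spray: one source, one guess per account, a minute apart to dodge lockout counters
    for i, u in enumerate(users):
        result = "OK" if u == "grace" else "FAIL"
        lines.append(f"2024-05-01T09:{i:02d}:13Z src=203.0.113.7 user={u} result={result}")
    # classic brute force: one account hammered in fifteen seconds
    for i in range(15):
        lines.append(f"2024-05-01T09:00:{i:02d}Z src=198.51.100.9 user=admin result=FAIL")
    # benign: a user mistypes twice and then gets in
    lines += ["2024-05-01T09:05:00Z src=10.0.0.8 user=alice result=FAIL",
              "2024-05-01T09:05:20Z src=10.0.0.8 user=alice result=FAIL",
              "2024-05-01T09:05:41Z src=10.0.0.8 user=alice result=OK"]
    return lines


if __name__ == "__main__":
    for finding in classify_sources(build_sample_log()):
        print(finding)
```

A spray that spreads its guesses over hours, or across many source addresses, will fall below these per-window counts; the durable signal in that case is the failure rate across the whole directory for a single password attempt, which is why the detection is usually run on the identity provider's logs rather than on one host.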

19
Q

What is a credential replay attack?

A

An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.
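Both the replay attack of card 16 and the credential replay above come down to the same property: a captured message or token is accepted again because nothing binds it to a moment in time or to a single use. The following is an added example, not code from the original flashcards: a constructed request protocol (JSON body plus HMAC-SHA256 under a shared key) is served first by a naive verifier that checks only the signature, and then by a hardened one that also demands a timestamp within a bounded clock skew and a single-use nonce, both covered by the MAC. The shared key, action string and clock values are assumptions made for the example.

```python
"""Replaying a captured signed request, and the nonce/timestamp check that stops it.

Added example (not from the original page). The protocol is a constructed
one: a client sends a JSON body plus an HMAC-SHA256 over its canonical form
under a shared key. The same reasoning applies to a captured session cookie
or bearer token (credential replay): a token that is valid for as long as it
is byte-identical can be resubmitted by whoever captured it.
"""
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key"   # per-client secret in a real deployment


def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def build_request(key: bytes, action: str, now: int) -> dict:
    body = {"action": action, "ts": int(now), "nonce": secrets.token_hex(8)}
    return {"body": body, "sig": sign(key, body)}


class NaiveServer:
    """Checks only that the MAC matches: a captured request stays valid forever."""

    def __init__(self, key: bytes):
        self.key = key
        self.executed = []

    def handle(self, req: dict) -> str:
        if not hmac.compare_digest(sign(self.key, req["body"]), req["sig"]):
            return "rejected: bad signature"
        self.executed.append(req["body"]["action"])
        return "ok"


class HardenedServer(NaiveServer):
    """Adds freshness: the timestamp must be within MAX_SKEW of the server clock
    and the nonce must never have been accepted before. Because both fields are
    under the MAC, the attacker cannot mint a new nonce for an old request."""
    MAX_SKEW = 300

    def __init__(self, key: bytes, clock=time.time):
        super().__init__(key)
        self.clock = clock
        self.seen = {}    # nonce -> time after which it can be forgotten

    def handle(self, req: dict) -> str:
        if not hmac.compare_digest(sign(self.key, req["body"]), req["sig"]):
            return "rejected: bad signature"
        now = self.clock()
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        ts, nonce = req["body"]["ts"], req["body"]["nonce"]
        if abs(now - ts) > self.MAX_SKEW:
            return "rejected: stale timestamp"     # too old to ever be accepted again
        if nonce in self.seen:
            return "rejected: replay"
        self.seen[nonce] = ts + self.MAX_SKEW      # only needs to live while ts is fresh
        self.executed.append(req["body"]["action"])
        return "ok"


def demo():
    """Run the same captured request against both servers; return the verdicts."""
    clock = [1_700_000_000]
    req = build_request(SHARED_KEY, "transfer:100:acct-42", clock[0])  # the capture
    naive = NaiveServer(SHARED_KEY)
    hard = HardenedServer(SHARED_KEY, lambda: clock[0])
    verdicts = {
        "naive_first": naive.handle(req), "naive_replay": naive.handle(req),
        "hard_first": hard.handle(req), "hard_replay": hard.handle(req),
    }
    # Attacker edits the nonce to dodge the seen-list: the MAC no longer matches.
    forged = {"body": dict(req["body"], nonce="ffffffffffffffff"), "sig": req["sig"]}
    verdicts["hard_forged_nonce"] = hard.handle(forged)
    # An hour later the nonce has been forgotten, but the timestamp check still holds.
    clock[0] += 3600
    verdicts["hard_replay_after_expiry"] = hard.handle(req)
    return verdicts, naive.executed, hard.executed


if __name__ == "__main__":
    verdicts, naive_log, hard_log = demo()
    print(verdicts)
    print("naive executed:", naive_log)
    print("hardened executed:", hard_log)
```

The nonce store only has to remember values for as long as the timestamp window keeps them acceptable, which is what keeps it bounded; the same pairing (short lifetime plus a one-time value, with both inside the authenticated data) is what a replay-resistant session token or API signature scheme boils down to.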

20
Q

What is a downgrade attack?

A

A downgrade attack makes a server or client use a lower specification protocol with weaker ciphers and key lengths.

It is a cryptographic attack in which the attacker exploits the need for backward compatibility to force a system to negotiate a weaker protocol version or cipher suite, or even to abandon encryption altogether in favor of plaintext (for example, by stripping a STARTTLS offer out of a mail session).
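The backward-compatibility hook that makes this work is the client's willingness to retry with a lower version when a handshake fails, which an on-path attacker can trigger simply by dropping packets. The following is an added example, not code from the original flashcards and not a wire-accurate TLS implementation: it models that fallback loop against a simplified version negotiation, shows the downgrade succeeding when neither side enforces anything, and then shows the two controls that stop it, a minimum-version policy on either side and the TLS_FALLBACK_SCSV signal from RFC 7507 (TLS 1.3 carries the equivalent sentinel in ServerHello.random instead). Version labels and alert names are illustrative assumptions.

```python
"""Protocol version fallback, the downgrade it enables, and two controls that stop it.

Added example (not from the original page). It models a simplified TLS-style
negotiation: the client offers its highest version, the server picks the
highest both support. Legacy clients retried with a lower offer when a
handshake failed, which an on-path attacker could trigger just by dropping
packets. Version names and alerts are illustrative, not a wire-accurate
implementation of TLS.
"""
VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]   # ascending strength
RANK = {v: i for i, v in enumerate(VERSIONS)}


def server_hello(server_max, server_min, client_max, fallback_scsv):
    """Return (negotiated_version, alert). With the RFC 7507 signal set, the server
    aborts when the client admits it is retrying below what the server supports."""
    if fallback_scsv and RANK[server_max] > RANK[client_max]:
        return None, "inappropriate_fallback"
    chosen = client_max if RANK[client_max] <= RANK[server_max] else server_max
    if RANK[chosen] < RANK[server_min]:
        return None, "protocol_version"
    return chosen, None


def negotiate(client_max="TLS1.3", client_min="TLS1.0",
              server_max="TLS1.3", server_min="TLS1.0",
              use_scsv=False, attacker_drop_above=None):
    """Client-side fallback loop. attacker_drop_above: an on-path attacker drops
    every handshake whose offered version is above this one, forcing retries.
    Returns (negotiated_version_or_None, transcript)."""
    offer = client_max
    transcript = []
    while True:
        if attacker_drop_above is not None and RANK[offer] > RANK[attacker_drop_above]:
            transcript.append((offer, "dropped"))
        else:
            version, alert = server_hello(server_max, server_min, offer,
                                          use_scsv and offer != client_max)
            transcript.append((offer, version or alert))
            if version is not None:
                return version, transcript
            if alert == "inappropriate_fallback":
                return None, transcript
        if RANK[offer] <= RANK[client_min]:
            return None, transcript             # client policy: no weaker retry allowed
        offer = VERSIONS[RANK[offer] - 1]      # fall back one version and try again


if __name__ == "__main__":
    print("no attacker:          ", negotiate())
    print("attacker, no controls:", negotiate(attacker_drop_above="TLS1.0"))
    print("attacker, SCSV:       ", negotiate(attacker_drop_above="TLS1.0", use_scsv=True))
    print("attacker, client min: ", negotiate(attacker_drop_above="TLS1.0", client_min="TLS1.2"))
    print("attacker, server min: ", negotiate(attacker_drop_above="TLS1.0", server_min="TLS1.2"))
```

Note what each control costs: the minimum-version policies make the connection fail outright rather than degrade, which is the correct outcome, while the SCSV signal lets a server that still has to support old versions for genuinely old clients refuse a fallback only from clients it knows can do better.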

21
Q

What is a collision in cryptography?

A

A collision is where a weak cryptographic hashing function or implementation allows the generation of the same digest value for two different plaintexts.

22
Q

How can collision attacks be used to forge digital signatures ?

A

1) The attacker creates a malicious document and a benign document that produce the same hash value.

2) The attacker submits the benign document for signing by the target.

3) The attacker then removes the signature from the benign document and adds it to the malicious document, forging the target’s signature.

23
Q

What is a birthday attack?

A

A birthday attack is a means of exploiting collisions in hash functions through brute force.

The birthday paradox asks how large a group of people must be so that the chance of two of them sharing a birthday is 50%. The answer is 23, but people who are not aware of the paradox often answer around 180 (365/2).
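Cards 21 to 23 describe one chain: a hash short enough that two inputs can share a digest, a birthday-bound search that finds such a pair far faster than trying every value, and a signature that is moved from the benign member of the pair to the malicious one. The following is an added example, not code from the original flashcards: SHA-256 truncated to 24 bits stands in for a weak hash, the search varies a harmless-looking reference number in a benign and a malicious template until one of each collide, and an HMAC over the digest stands in for the victim's signature (the point being that a signature binds only the digest, not the document). It also carries the probability calculation from the paradox through. Templates, key and digest width are assumptions chosen for the example.

```python
"""Birthday-bound collision search on a truncated hash, and the signature
transplant it enables.

Added example (not from the original page). SHA-256 truncated to 24 bits
stands in for a hash too short to resist collisions; an HMAC over that digest
stands in for the victim's signature (what matters is that the signature binds
the digest, not the document). Document texts and key are constructed.
"""
import hashlib
import hmac
import math

BITS = 24   # toy digest width: expect a collision after roughly 2**12 inputs


def weak_digest(data: bytes, bits: int = BITS) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def birthday_probability(n: int, space: int = 365) -> float:
    """P(some two of n draws from `space` equally likely values coincide)."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def birthday_bound(bits: int) -> float:
    """Expected number of random inputs before the first collision: ~sqrt(pi/2 * 2**n)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int = BITS):
    """Step 1 of the forgery: vary a harmless-looking detail (a reference number)
    in a benign and a malicious template until one of each share a digest.
    Returns (benign_doc, malicious_doc, candidates_hashed)."""
    seen = {}   # digest -> (family, doc)
    i = 0
    while True:
        for family, template in (("benign", b"Invoice 1234 total 100 EUR ref=%d"),
                                 ("malicious", b"Pay 250000 EUR to account 9999 ref=%d")):
            doc = template % i
            d = weak_digest(doc, bits)
            if d in seen and seen[d][0] != family:
                benign, malicious = (doc, seen[d][1]) if family == "benign" else (seen[d][1], doc)
                return benign, malicious, 2 * i + (1 if family == "benign" else 2)
            seen.setdefault(d, (family, doc))
        i += 1


def sign_document(key: bytes, doc: bytes) -> bytes:
    # The signature covers only the digest, exactly as a real signature scheme does.
    return hmac.new(key, weak_digest(doc).to_bytes(BITS // 8, "big"), hashlib.sha256).digest()


def verify_document(key: bytes, doc: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_document(key, doc), sig)


def forge(key: bytes = b"victim-signing-key"):
    """Steps 2 and 3: the victim signs the benign document; the attacker moves
    that signature onto the malicious one. Returns (forgery_verifies, candidates)."""
    benign, malicious, tries = find_collision()
    sig = sign_document(key, benign)
    return verify_document(key, malicious, sig), tries


if __name__ == "__main__":
    print("P(shared birthday, 23 people) =", round(birthday_probability(23), 4))
    print("expected inputs for a 24-bit collision ~", round(birthday_bound(BITS)))
    ok, tries = forge()
    print("forged signature verifies:", ok, "after", tries, "candidates")
```

The cost scales as 2 to the power of half the digest width, which is why a 128-bit digest (MD5) is treated as offering at most 64 bits against collisions and why signature schemes require hashes of 256 bits or more; the attacker never needs the victim's key, only the victim's willingness to sign something that looks harmless.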

24
Q

What type of malicious activity is “Persistence”?

A

This is a mechanism that allows the threat actor’s backdoor to restart if the host reboots or the user logs off.

Typical methods are to use AutoRun keys in the registry, adding a scheduled task, or using Windows Management Instrumentation (WMI) event subscriptions.