1.4 Given a scenario, analyze potential indicators associated with network attacks.

Question 1

Evil twin

Answer 1

Using a false AP, cloning the identity of a legit AP based on client device’s request to connect

Question 2

Rogue WAP

Answer 2

Access point not authorized by network authorities, usually aren’t configured well for security

Question 3

Bluesnarfing

Answer 3

Unauthorized access of data via bluetooth connection

Question 4

Bluejacking

Answer 4

Sending unsolicited messages to bluetooth-capable devices

Question 5

Disassociation

Answer 5

A wireless management frame, disconnecting clients

Question 6

Radio frequency identifier (RFID)

Answer 6

Tracking technology based on ability to power a radio transmitter using current generated in an antenna

Question 7

Jamming

Answer 7

Transmission of radio signals to prevent reliable communications by decreasing effective signal-to-noise ratio

Question 8

Near field communication (NFC)

Answer 8

A standard establishing radio communications between devices in close proximity

Derivative from RFID

Question 9

Initialization vector (IV)

Answer 9

Mathematical and cryptographic term for random number

Most modern crypto functions use IV’s to increase security by reducing predictability & repeatability

Question 10

On-path attack (previously known as man-in-the middle attack/man-in-the-browser attack)

Answer 10

Initially a communications eavesdropping attack, where an attacker then positions themselves between a client and server

Question 11

Countermeasures to on-path attacks

Answer 11

Strong encryption protocols

Strong authentication

Domain Name System Security Extensions

Mutual cert. authentication

Question 12

Layer 2 attack

Answer 12

Falsifying layer 2 IP-to-MAC address resolution

Question 13

Media access control (MAC) flooding

Answer 13

Uses flooding attack to compromise a switch so that the switch gets stuck into flooding all network communications

Question 14

MAC cloning

Answer 14

Altering a system’s software copy of NIC’s MAC creating frames w/modified or spoofed MAC address

Question 15

Countermeasures to MAC cloning

Answer 15

Using intelligent switches monitoring for odd MAC address uses

Using NIDS monitoring for MAC address use and abuses

Maintaining an inventory of devices and MAC addresses to confirm if device is authorized or unknown/rogue

Question 16

Domain name system (DNS)

Answer 16

Domain Name System (DNS) translates domain names to IP addresses so browsers can load Internet resources.

Question 17

Domain hijacking

Answer 17

Changing the registration of a domain name w/o authorization of valid owner

Accomplished by stealing owner’s login, using XSRF, session hijacking, on-path attack, or exploiting flaw in domain registrar’s systems

Question 18

Methods of DNS poisoning

Answer 18

Rogue DNS server

DNS poisoning of zone file

Alter HOSTS file

Corrupt IP config via DHCP to change a DNS lookup address

Proxy falsification to redirect DNS traffic

Question 19

DNS poisoning

Answer 19

Act of falsifying DNS info used by client to reach a desired system

Question 20

Universal resource locator (URL) redirection

Answer 20

Force users of an application to an untrusted external site

Question 21

Domain reputation

Answer 21

Scoring system used to determine site legitimacy

Question 22

Distributed denial-of-service (DDoS)

Answer 22

Using one or more intermediary systems serving as attack platforms to perform DoS

These systems are known as bots, zombies, or agents

Question 23

Denial of service (DoS)

Answer 23

Form of attack w/the goal of preventing victimized system from performing legit activity

Question 24

Distributed reflective denial-of-service (DRDoS)

Answer 24

Employs amplification or bounce network that is an unknowing participant.

Attacker sends spoofed message packets to network’s broadcast address, then each host responds to that packet, with that response going to a victim

Question 25

DoS/DDoS/DRDoS attacks

Answer 25

Smurf
-Form of DRDoS
-Uses ICMP reply packets

Fraggle
-Form of DRDoS
-Uses UDP packets

SYN Flood
-Attack is an exploitation of TCP three-way handshake to perform resource exhaustion
-Sending numerous SYN packets w/o ACK packets

Ping of death
-Sending fragments to victim, which when re-assembled result in oversized ping packet, resulting in buffer overflow

Xmas attack
-Using XMAS scan to perform DoS

Teardrop
-Partial transmission of fragmented packets causing target to consume system resources holding onto the incomplete reassembles

Land attack
-SYN Flood where source and dest. address are both set to victim’s address causing logical error

Question 26

Protections to DoS/DDoS/DRDoS attacks

Answer 26

Firewalls, routers, and IDSs that can detect and auto block port or filter packets based on source/dest. address

Disable echo replies on external systems

Disable broadcast features on border systems

Block spoofed packets from entering or leaving

Keep all systems patched

Use a flood guard

Question 27

Network DoS Attack

Answer 27

Attempt to consume all bandwidth of connection

Question 28

Application DoS Attack

Answer 28

Attempt to consume all system resources through app queries or half-open connections

Question 29

Operational technology (OT) DoS Attack

Answer 29

Focused on OT systems, a collection of computer systems designed to monitor/manipulate physical world

Question 30

Malicious code or script execution

Answer 30

PowerShell - ps1

Python - py

Bash - sh

Macros

Virtual Basic for Applications (VBA)