2.4 Flashcards
Brute force Attacks
forcible entry
tampering with security devices
confronting security personnel
ramming barriers with vehicles
Viruses and types
Made up of malicious code that's run on a machine without the user's knowledge
boot sector
macro
program
multipartite
encrypted
polymorphic
metamorphic
stealth
armored
hoax
boot sector virus
stored on the first section of the hard drive and loaded into memory when the computer is booted
Macro virus
form of code that allows a virus to be embedded inside another document
Program virus
multipartite virus
combination of a boot sector virus and a program virus
encrypted virus
designed to hide itself from detection by encrypting its malicious code so antivirus software will not detect it
Polymorphic virus
advanced form of an encrypted virus; it changes the virus's code each time it is executed by altering the decryption module in order to evade detection
Metamorphic virus
more advanced than polymorphic; able to rewrite itself entirely before it attempts to infect a given file
stealth virus
technique used to prevent the virus from being detected by antivirus software
armored virus
has a layer of protection to confuse a program or a person who is trying to analyze it
hoax
form of technical social engineering that attempts to scare our end users into taking some kind of undesirable action on their system (a message pops up saying you have a virus and gives you steps to remove it)
worm
unlike a virus, which requires a user action, a worm replicates itself across the network without any action; it takes advantage of vulnerabilities in the OS or apps, aka missing security patches
it is malicious software
trojan
piece of malicious code disguised as harmless or desirable software; could be a Tetris game, for example
RAT Remote Access Trojan
widely used by modern attackers because it provides the attacker with remote control of a victim machine
Ransomware
type of malicious software designed to block access to a system by encrypting data until a ransom is paid
Zombies
Name of a compromised system that is part of a botnet. It is used to perform tasks using remote commands from the attacker without user knowledge
attackers often use only 20-25% of a zombie's power
Botnet
a network composed of zombies controlled by malicious actors
mostly used for DDoS
Command and Control Node
Computer responsible for managing and coordinating the activities of other nodes or devices within a network
Rootkit
Digs deeply into OS to embed itself there and gain admin privileges over a system without being detected
can open and shut ports, delete programs, install programs, etc.
Ring 3
outermost ring where user permissions are used
Ring 0
innermost ring or highest permission level, aka kernel mode
kernel mode
allows the system to control access to things like device drivers, sound card, monitor, etc.
DLL Injection
Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic link library
DLL
Dynamic Link Library
collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software development
device drivers, for example, have DLL components
Shim
piece of software code placed between two components that intercepts the calls between them and can redirect them; can be used non-maliciously or maliciously. Mitigation: use code signing
Backdoor
originally placed in computer programs to bypass normal authentication functions most often by programmers
Easter Egg
a hidden feature or novelty within a program, usually an inside joke. Generally these have a lot of vulnerabilities because they aren't tested as rigorously and are added right before the program is completed
logic bombs
malicious code inserted into a program that only executes when certain conditions are met; a fired employee may plant one
keylogger
software or hardware that records keystrokes
software keylogger
usually delivered through a social engineering attack like phishing
hardware keylogger
physical device plugged into the computer; antivirus software may not detect it and may treat it as a real keyboard
spyware
malicious software designed to gather and send info about a user or org without their knowledge
bloatware
any pre-installed software that you did not specifically request. It wastes storage space, slows performance, etc.
malware exploitation technique
specific method by which malware code penetrates and infects a targeted system
fileless malware
used to create a process in system memory without relying on the local file system of the infected host
antivirus software usually scans the filesystem; however, fileless malware relies on RAM, making it difficult to detect. It maintains persistence and evades signature-based detection methods. It bypasses many traditional security measures
stage 1 dropper or downloader
piece of malware usually created as lightweight shellcode that can be executed on a given system
the goal is to establish a foothold in the system, but it doesn't perform a significant amount of malicious actions; it is the initial infection
dropper
specific type of malware designed to initiate or run other malware forms within a payload on an infected host
downloader
retrieves additional tools after the initial infection facilitated by a dropper
shellcode
broader term that encompasses the lightweight code meant to execute an exploit on a given target
stage 2 downloader
downloads and installs a remote access trojan to conduct command and control on the victimized system
Actions on Objectives Phase
threat actors execute primary objectives to meet core objectives like data exfiltration
it's when threat actors become advanced persistent threats
concealment
used to help the threat actor prolong unauthorized access to a system by hiding tracks and erasing logs
Living off the land
a strategy adopted by many advanced persistent threats and criminal orgs
indicators of malware attacks
account lockouts
concurrent session utilization
impossible travel
blocked content (sudden increase in people trying to access blocked content)
resource consumption
resource inaccessibility (ransomware would do this)
out of cycle logging (odd times people are doing things)
missing logs
published or documented attacks
Password attacks
brute force
dictionary
password spraying
hybrid
Brute Force attack
someone tries every possible character combination
dictionary attack
uses a list of commonly known passwords, may include variations like Pa$$w0rd
Password Spraying
a form of brute force that tries a few commonly used passwords against many accounts
hybrid
brute force and dictionary
Types of DDoS attacks
denial of service
amplified DDoS
Amplification Factor: The ratio of response size to request size. Higher amplification factors mean more effective attacks. For example, a small query can trigger a large response.
Exploited Protocols: Commonly used protocols include DNS (Domain Name System), NTP (Network Time Protocol), SSDP (Simple Service Discovery Protocol), and Memcached. These protocols can be exploited because their responses are significantly larger than their requests.
Reflected DDoS NTP Reflection: An attacker sends a request to an NTP server with the “monlist” command using the target’s IP address as the source. The NTP server responds to the target with a large amount of data, reflecting the attack traffic. Basically the victim ends up attacking itself
Types of DNS attacks
DNS Cache Poisoning
DNS Amplification
DNS Tunneling
Domain Hijacking
DNS Zone Transfer
DNS Cache Poisoning:
Think of DNS like a phone book that translates website names (like google.com) into numbers (IP addresses) that computers understand. DNS cache poisoning is like sneaking a fake phone number into the phone book. When someone looks up a website, they might get directed to the wrong place, like a fake website set up by a hacker.
DNS Amplification:
Imagine you ask a question, and instead of getting a short answer, you get a super long and loud reply. DNS amplification is kind of like that. Hackers send a small question to a server, but the server sends back a huge and loud answer to the target. It’s like making a whisper into a shout.
DNS Tunneling:
This is a bit like sending secret messages through a tunnel. Instead of using the internet for normal stuff, hackers can sneak their own data through DNS requests. It’s like hiding a letter inside another letter. This lets them sneak data past security measures.
Domain Hijacking:
Think of your website like your house. Domain hijacking is like someone breaking into your house, changing the locks, and pretending they own it. Hackers steal control of a website by taking over the domain name. They can redirect visitors to fake sites or steal information.
DNS Zone Transfer:
A DNS zone is like a neighborhood in the phone book where all the addresses are listed. Zone transfer is like someone copying down the whole neighborhood’s addresses. Hackers use this to get all the info about a website’s addresses and settings, which they can use to plan other attacks.
DoS
denial of service; used to make a computer's resources unavailable
types of DoS attacks
flood attacks (ping and syn)
permanent Denial of service
Fork Bomb
DDoS
Ping Flood
DoS attack that overloads a server with ICMP echo (ping) requests
Syn Flood
DoS attack
initiates multiple TCP sessions but never completes the 3-way handshake
PDOS
permanent denial of service
exploits security flaws to break a networking device permanently by re-flashing its firmware
Fork Bomb
DoS attack
think of eating and getting hungrier because your stomach is bigger and getting fatter and fatter
creates a large number of processes; not considered a worm
its self-replicating nature causes the DoS
DDoS
distributed denial of service
involves multiple machines attacking a single server
DNS Amplification
DDoS attack that allows an attacker to initiate DNS requests from a spoofed IP address to flood a website
Black Hole or Sinkhole
mitigation against DoS and DDoS that temporarily routes traffic to a non-existent server
IPS
intrusion prevention system
can identify and respond to DoS attacks for small scale incidents
Elastic Cloud Infrastructure
scaling infrastructure when needed to handle large scale attacks
Specialized Cloud Service Providers
provide web app filtering, content distribution and robust network defenses (e.g. Cloudflare)
DNS
domain name system
fundamental component of the internet that translates human-friendly domain names into IP addresses
DNS Cache poisoning / spoofing
corrupts a DNS resolver’s cache with false info
redirects user to malicious websites
DNSSEC
domain name system security extensions; adds digital signatures to DNS data
DNS amplification attack
overwhelms a target system with DNS response traffic by exploiting DNS resolution process
DNS Tunneling
encapsulates non-DNS traffic inside DNS queries and responses
Domain Hijacking / Domain Theft
unauthorized change of domain registration
DNS Zone Transfer
attempts to obtain a copy of the entire DNS zone data
exposes sensitive info about a domain's network infrastructure
Directory Traversal Attack
an injection attack occurs when an attacker inserts malicious code through the app interface
app attack that allows access to commands, files and directories outside the intended directory
../../../
attackers may use encoding like %e%e%e
File Inclusion
web app vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor
remote file inclusion
an attacker executes a script to inject a remote file into the web app or website, e.g. user = http://malware.bad/malicious file.php
Arbitrary Code Execution
vulnerability that allows an attacker to run their code without restrictions
remote code execution
type of arbitrary code execution that occurs remotely, often over the internet
privilege escalation
gaining higher-level permissions than originally assigned
vertical privilege escalation
going from normal user to higher privilege
horizontal privilege escalation
accessing or modifying resources at the same level as the attacker
occurs when a user attempts to access resources at the same level for which they don't have permissions
rootkit
class of malware that conceals its presence by modifying system files, often at the kernel level
Kernel rootkit
ring zero
has max privileges
user mode rootkit
rings 1-3; has admin privileges
Replay attack
a type of network-based attack where valid data transmissions are maliciously or fraudulently repeated or delayed
involves intercepting data, analyzing it and deciding whether to retransmit it later
different than a session hijack, where the attacker alters a real-time data transmission
Credential replay attack
specific replay attack that involves capturing user credentials during a session and reusing them
session management
fundamental security component in web apps
enables web apps to uniquely identify a user across a number of different actions and requests while keeping state of the data generated by the user
cookie
text file used to store info about a user when they visit a website
session cookies
non-persistent; reside in memory and are deleted when the browser is closed
persistent cookies
stored in the browser cache until they are deleted or reach an expiration date
session hijacking
a type of spoofing attack where an attacker disconnects a host and then replaces it with their own machine, spoofing the original host's IP address
session prediction attacks
a spoofing attack where the attacker attempts to predict the session token
cookie poisoning
modifies the contents of a cookie after it has been generated and sent to the web service from the client's browser
on path attack
an attack where the attacker positions their workstation logically between two hosts during communication; the attacker then captures, monitors and relays communications between the two hosts
on path ARP poisoning
manipulating Address Resolution Protocol tables to redirect network traffic
DNS poisoning
altering DNS responses to reroute traffic. DNS (Domain Name System) is like a phone book that translates website names (like google.com) into numbers (IP addresses) that computers understand. DNS poisoning is when a hacker sneaks into the DNS system and changes the records. So, when you try to visit a website, your computer gets directed to the wrong place, like a fake website set up by the hacker.
Rogue wireless access point
creating a fake wireless access point to intercept traffic
rogue hub or switch
introducing a malicious hub to capture data on a wired network
Replay attack
occurs when an attacker captures valid data and then replays it without delay; common in wireless network attacks
Relay Attack
the attacker becomes part of the conversation between two hosts, serves as a proxy and can read or modify communications between the hosts
SSL Stripping
an attack that tricks the encryption app into presenting an HTTP connection instead of HTTPS
downgrade attack
an attacker forces a client or server to abandon its higher security mode in favor of a lower one
LDAP
lightweight directory access protocol
an open, vendor-neutral industry standard application protocol for accessing and maintaining distributed directory info services over an Internet Protocol network
LDAP Injection
an app attack that targets web-based apps by fabricating LDAP statements that are typically created from user input
Command injection
occurs when a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application
process injection
method of executing arbitrary code in the address space of a separate live process