2.4 Given a scenario, analyze indicators of malicious activity Flashcards
Physical attacks
- Brute force
- Radio frequency identification
(RFID) cloning - Environmental
Brute Force Attacks in physical attack
● Forcible entry
● Tampering with security devices
● Confronting security personnel
● Ramming a barrier with a vehicle
What is Brute Force attack
Type of attack where access to a system is gained by simply trying all of the possibilities until you break through.
Access Badges
● Use of Radio Frequency Identification (RFID) or Near Field
Communication (NFC) for access
Some of the different methods used by attackers to bypass organization surveillance systems
- Visual Obstruction: blocking, spraying, placing sticker, positioning objects
- Blinding Sensors and Cameras : overwhelming the sensor or camera with a sudden burst of light
Interfering with Acoustics : Jamming or playing loud music to disrupt the microphone’s functionality
Interfering with Electromagnetic: (EMI) : involves jamming the signals that surveillance system relies on to
monitor the environment
Access Badge Cloning
Copying the data from an RFID or NFC card or badge onto another card or device
How does an attacker clone an access badge ?
■ Step 1: Scanning
● Scanning or reading the targeted individual’s access badge
■ Step 2: Data Extraction
● Attackers extract the relevant authentication credentials from the card,
such as a unique identifier or a set of encrypted data
■ Step 3: Writing to a new card or device
● Attacker will then transfers the extracted data onto a blank RFID or NFC
card or another compatible device
■ Step 4: Using the cloned access badge
● Attackers gain unauthorized access to buildings, computer systems, or
even make payments using a cloned NFC-enabled credit card
How can you stop access badge cloning?
■ Implement advanced encryption in your card-based authentication systems
■ Implement Multi-Factor Authentication (MFA)
■ Regularly update your security protocols
■ Educate your users
■ Implement the use of shielded wallets or sleeves with your RFID access badges
■ Monitor and audit your access logs
Malware
Malicious software designed to infiltrate computer systems and potentially
damage them without user consent
Threat Vector
Method used to infiltrate a victim’s machine
Attack Vector
Combines both method of gaining unauthorized access and infection process
Examples of Threat Vector
○ Unpatched software
○ USB drive installation
○ Phishing campaign
Types of Malware Attacks
■ Viruses
■ Worms
■ Trojans
■ Ransomware
■ Spyware
■ Rootkits
Viruses
Attach to clean files, spread, and corrupt host file
Worms
● Standalone programs replicating and spreading to other computers
Trojans
● Disguise as legitimate software, grant unauthorized access
Ransomware
● Encrypts user data, demands ransom for decryption
Zombies and Botnets
● Compromised computers remotely controlled in a network for malicious
purposes
Rootkits
Designed to gain administrative level control over a given computer system
without being detected
Backdoors and Logic Bombs
Backdoors allow unauthorized access, logic bombs execute malicious actions
Keyloggers
● Record keystrokes, capture passwords or sensitive information
■ Spyware and Bloatware
● Spyware monitors and gathers user/system information,
bloatware
consumes resources without value
Malware Techniques and Infection Vectors
■ Evolving from file-based tactics to modern fileless techniques
■ Multi-stage deployment, leveraging system tools, and obfuscation techniques
Fileless Malware is used to create a process in the system memory without
relying on the local file system of the infected host
Indications of Malware Attack
■ Recognizing signs like the following
● Account lockouts
● Concurrent session utilization
● Blocked content
● Impossible travel
● Resource consumption
● Inaccessibility
● Out-of-cycle logging
● Missing logs
● Documented attacks
10 Different Types of Viruses
Boot Sector
Macro
Program
Multipartite
Encrypted
Polymorphic
Metamorphic
Stealth
Armored
Hoax
Boot Sector Virus
● One that is stored in the first sector of a hard drive and is then loaded
into memory whenever the computer boots up
Macro Virus
● Form of code that allows a virus to be embedded inside another
document so that when that document is opened by the user, the virus is
executed
Program Virus
● Try to find executables or application files to infect with their malicious
code
Multipartite Virus
● Combination of a boot sector type virus and a program virus
It can install itself in a program where it can be run every time the
computer starts up
Encrypted Virus
● Designed to hide itself from being detected by encrypting its malicious
code or payloads to avoid detection by any antivirus software
Polymorphic Virus
Advanced version of an encrypted virus, but instead of just encrypting the
contents it will actually change the viruses code each time it is executed
Metamorphic Virus
● Able to rewrite themselves entirely before it attempts to infect a given file
Stealth
Technique used to prevent the virus from being detected by the anti-virus
software
Armored
● Have a layer of protection to confuse a program or a person who’s trying
to analyze it
Hoax
● Form of technical social engineering that attempts to scare our end users
○ Worm
Able to self-replicate and spread throughout your network without a user’s
consent or their action
Worms are dangerous for two reasons
■ Infect your workstation and other computing assets
■ Cause disruptions to your normal network traffic since they are constantly trying
to replicate and spread themselves across the network
○ Worms are best known for spreading far and wide over the internet in a relative short
amount of time
Trojans
Piece of malicious software Claims that it will perform some needed or desired function for you
Remote Access Trojan (RAT)
■ Widely used by modern attackers because it provides the attacker with remote control of a victim machine
like a backdoor in our modern networks
Trojans are commonly used today by attackers to
- exploit a vulnerability in your
workstation and then - conducting data exfiltration to steal your sensitive documents,
- creating backdoors to maintain persistence on your systems,
- and other malicious
activities
How can we protect ourselves and our organizations against ransomware?
■ Always conduct regular backups
■ Install software updates regularly
■ Provide security awareness training to your users
■ Implement Multi-Factor Authentication (MFA)
What should you do if you find yourself or your organization as the victim of a
ransomware attack?
■ Never pay the ransom
■ If you suspect ransomware has infected your machine, you should disconnect it from the network
■ Notify the authorities
■ Restore your data and systems from known good backups
Command and Control Node
Computer responsible for managing and coordinating the activities of other
nodes or devices within a network
Botnets are used
■ as pivot points
■ disguise the real attacker
■ to host illegal activities
■ to spam others by sending out phishing campaigns and other malware
- to combine processing power to break through different
types of encryption schemes
○ Attackers usually only use about 20-25% of any zombie’s power
Most common use for a botnet is to conduct
a DDoS (Distributed Denial-of-Service)
attack
■ Distributed Denial-of-Service (DDoS) Attack
● Occurs when many machines target a single victim and attack them at the
exact same time
different rings of permissions throughout the system
Ring 3 (Outermost Ring)
● Where user level permissions are used
■ Ring 0 (Innermost or Highest Permission Levels)
● Operating in Ring 0 is called “kernel mode”
● Kernel Mode: Allows a system to control access to things like device drivers, your
sound card, your video display or monitor, and other similar things
DLL Injection
● Technique used to run arbitrary code within the address space of another
process by forcing it to load a dynamic-link library
Dynamic Link Library (DLL)
● Collection of code and data that can be used by multiple programs
simultaneously to allow for code reuse and modularization in software development
Shim
● Piece of software code that is placed between two components and that
intercepts the calls between those components and can be used redirect
them
How To detect Rootkits
To detect them, the best way is to boot from an external device and then scan
the internal hard drive to ensure that you can detect those rootkits using a good
anti-malware scanning solution from a live boot Linux distribution
Logic Bombs
Malicious code that’s inserted into a program, and the malicious code will only
execute when certain conditions have been met
Keyloggers can be either software-based or hardware-based
■ Software Keyloggers
● Malicious programs that get installed on a victim’s computer
■ Hardware Keyloggers
● Physical devices that need to be plugged into a computer
● These will resemble a USB drive or they can be embedded within a
keyboard cable itself
To protect your organization from keyloggers, ensure the following
■ Perform regular updates and patches
■ Rely on quality antivirus and antimalware solutions
■ Conduct phishing awareness training for your users
■ Implement multi-factor authentication systems
■ Encrypt keystrokes being sent to your systems
■ Perform physical checks of your desktops, laptops, and servers
Spyware can get installed on a system in several different ways
● Bundled with other software
● Installed through a malicious website
● Installed when users click on a deceptive pop-up advertisement
To help protect yourself against spyware,
you should only use reputable antivirus
and anti-spyware tools that are regularly updated detect and remove any
potential threats
To remove bloatware, you can either do the following
● Do a manual removal process
● Use bloatware removal tools to uninstall the unwanted applications
● Perform a clean operating system installation
How does this modern malware work?
Stage 1 Dropper or Downloader
- to retrieve additional portions of the malware code and to trick the user into activating it
Stage 2: Downloader
○ Downloads and installs a remote access Trojan to conduct
command and control on the victimized system
- “Actions on Objectives” Phase : Threat actors will execute primary objectives
- Concealment : Used to help the threat actor prolong unauthorized access
Dropper:
Specific malware type designed to initiate or run other malware.
Downloader
○ Retrieve additional tools post the initial infection facilitated by a
dropper
Shellcode
○ Broader term that encompasses lightweight code meant to
execute an exploit on a given target
“Actions on Objectives” Phase
○ Threat actors will execute primary objectives to meet core
objectives like
■ data exfiltration
■ file encryption
Concealment
○ Used to help the threat actor prolong unauthorized access to a
system by
■ hiding tracks
■ erasing log files
■ hiding any evidence of malicious activity
“Living off the Land”
■ A strategy adopted by many Advanced Persistent Threats
and criminal organizations
■ the threat actors try to exploit the standard tools to
perform intrusions
Indications of Malware Attacks:
Account Lockouts
Malware, especially those designed for credential theft or brute force
attacks, can trigger multiple failed login attempts that would result in a
user’s account being locked out
Indications of Malware Attacks:
Concurrent Session Utilization
● If you notice that a single user account has multiple simultaneous or
concurrent sessions open, especially from various geographic locations
Indications of Malware Attacks:
Blocked Content
● If there is a sudden increase in the amount of blocked content alerts you
are seeing from your security tools
Indications of Malware Attacks:
Impossible Travel
● Refers to a scenario where a user’s account is accessed from two or more
geographically separated locations in an impossibly short period of time
Indications of Malware Attacks:
Resource Consumption
● If you are observing any unusual spikes in CPU, memory, or network
bandwidth utilization that cannot be linked back to a legitimate task
Indications of Malware Attacks:
Resource Inaccessibility
● Ransomware
○ Form of malware that encrypts user files to make them
inaccessible to the user
● If a large number of files or critical systems suddenly become inaccessible
or if users receive messages demanding payment to decrypt their data
Indications of Malware Attacks:
Out-of-Cycle Logging
● If you are noticing that your logs are being generated at odd hours or
during times when no legitimate activities should be taking place (such as
in the middle of the night when no employees are actively working)
Missing Logs
● If you are conducting a log review as a cybersecurity analyst and you see that there are gaps in your logs or if the logs have been cleared without any authorized reason
Indications of Malware Attacks:
Published or Documented Attacks
● If a cybersecurity research or reporter published a report that shows that
your organization’s network has been infected as part of a botnet or other
malware-based attack
