2.4 Given a scenario, analyze indicators of malicious activity Flashcards

1
Q

Access Badge Cloning Prevention

A
  • Use badges with cryptographic authentication. Cards that only emit a static ID (many legacy 125 kHz proximity cards) can be read and copied in seconds; smart cards that answer a challenge with a secret key cannot be cloned just by reading them
  • Use MFA. Pair the badge with a PIN or biometric so a cloned card alone does not open the door
  • Regularly update security protocols and reader firmware. Keep the access-control system ahead of evolving attacks
  • Educate users. Awareness reduces the risk of badges being lent, left unattended, or read covertly
  • Shielded wallets or sleeves. Protect RFID badges from unauthorized scanning while carried
  • Monitor and audit access logs. The same badge at two distant doors within minutes, use outside working hours, or repeated denied reads are early signs of cloning; respond promptly
2
Q

Types of Malware

A
  • Viruses. Require user action to run. Attach themselves to clean files, spread, and corrupt host files.
  • Worms. Standalone; replicate without user interaction. Disrupt network traffic by constantly replicating and spreading across the network.
  • Trojans. Disguise themselves as legitimate software so the user installs them; do not self-replicate.
  • Ransomware. Encrypts files or locks the system and demands payment for the key.
  • Zombies and Botnets. A zombie is a compromised host under remote control; a botnet is a group of zombies driven from a command-and-control (C2) server, e.g., for DDoS or spam.
  • Rootkits. Hide their presence and activities at the OS level.
  • Backdoors. Put in programs to skip security checks and give the attacker a way back in.
  • Logic Bombs. Harmful code that runs only when specific conditions are met (a date, a user account being removed).
  • Keyloggers. Record keystrokes to capture passwords and other typed data.
  • Spyware. Gathers data about the user or system without consent.
  • Bloatware. Legitimate software that comes pre-installed. Not malicious, but consumes resources and widens the attack surface.
3
Q

Viruses

A

Malicious code that runs without the user's knowledge, infecting the system when its host file is executed

  • Boot Sector Virus. Infects the first sector of the disk (boot sector/MBR) so it loads before the operating system
  • Macro Virus. Embeds in documents (Office macros) and executes when the document is opened
  • Program Virus. Infects executable or application files
  • Multipartite Virus. Combines boot sector and program infection methods
  • Encrypted Virus. Hides its body via encryption to evade signature-based antivirus detection; only the small decryptor is visible
  • Polymorphic Virus. Advanced version of an encrypted virus. Changes its decryptor/code with each infection so no stable signature exists
  • Metamorphic Virus. Completely rewrites itself before infecting a file. Even more challenging to detect than polymorphic viruses
  • Stealth Virus. Intercepts system calls so reads of infected files or sectors return clean-looking data
  • Armored Virus. Adds layers (obfuscation, anti-debugging) to confuse analysts and analysis tools
  • Hoax Virus. Not code at all: a social engineering message that scares users into harmful actions (deleting system files, installing "cleaners")
4
Q

Rootkits

A

Gains undetected admin control over a system. Rootkits try to get into Ring 0 (the kernel) because code there can hide from everything running above it

Malware that hides by modifying system files or hooking the functions that list processes, files, and network connections

  • Kernel Mode Rootkit (Ring 0): Embedded in the kernel (driver or module), giving maximum control and the ability to lie to every user-mode tool
  • User Mode Rootkit (Ring 3): Runs with ordinary user/admin privileges, hooking application APIs; uses the registry or task scheduler for persistence

Common techniques:

  • DLL Injection. Loads malicious code into another process via a Dynamic Link Library (DLL)
  • Shim. Intercepts and redirects function calls between software components (e.g., abusing the Windows application-compatibility shim mechanism to hook an API)
How well did you know this?
5
Q

Malware Attack Techniques

A
  1. Stage 1 Dropper or Downloader
     Dropper: small initial payload that unpacks and launches other malware on the infected system
     Downloader: retrieves additional tools from the attacker's server after the initial infection
  2. Shellcode. Lightweight code run by an exploit, typically just enough to start the next stage
  3. Stage 2 Downloader. Installs remote access Trojans (RATs) for command and control (C2)
  4. Actions on Objectives Phase. Executes the goal: data exfiltration, file encryption, lateral movement
  5. Concealment Techniques. Hides tracks, erases logs, and covers malicious activity
6
Q

Indications of Malware Attacks / Indicators of Compromise (IoC)

A
  • Account Lockouts: Multiple failed logins followed by lockouts suggest brute force attacks
  • Concurrent Session Usage: Multiple simultaneous sessions from one account hint at account compromise
  • Blocked Content: Attempts to access blocked files or sites may indicate malware or data theft attempts
  • Impossible Travel: Logins for one account from distant locations within a timeframe no traveller could cover suggest account compromise
  • Resource Consumption/Spikes: High CPU, memory, or bandwidth usage signals malware (cryptominers, exfiltration) or DDoS attacks
  • Resource Inaccessibility: Inability to access files or services suggests ransomware
  • Out-of-Cycle Logging: Activity logged at unusual times (2 a.m. admin logons, patches outside the maintenance window) hints at hidden attacker activities
  • Missing Logs: Gaps or deleted logs are an attempt to cover attacker traces
  • Published/Documented Attacks: External reports (news coverage, threat-intel feeds, abuse notifications) link your network to botnets or malware
7
Q

Password Attacks

A
  • Brute Force: Tries every character combination until the password is found. Aimed at a single user; noisy and triggers lockouts
  • Dictionary Attack: Tries words from a wordlist of common passwords instead of every combination
  • Password Spraying: Tries the same few passwords against many users, staying under each account's lockout threshold
  • Hybrid Attack: Combines brute force and dictionary methods by adding numbers or symbols to common passwords (Summer2024!)
  • Online Attacks: Guess the password directly against the live login system (rate limits and lockouts apply)
  • Offline Attacks: Crack hashes from a stolen file (e.g., a database dump); no lockouts, limited only by hardware
  • Log Indicators (Windows Security log):
    • Event ID 4625: High volume of failed logon attempts. Many failures for one account = brute force; one or two failures each across many accounts from one source = spraying
    • Event ID 4740: Multiple account lockouts
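Worked example for the IoC card and the Password Attacks card together: the script below scores a handful of constructed Windows-Security-style logon events for brute force, password spraying, lockouts and impossible travel. It is an added example, not code from the flashcards. Event IDs 4625/4624/4740 are the real Windows IDs, but the dictionary field names, the thresholds, and the lat/lon enrichment (which a real pipeline would add from a GeoIP lookup) are assumptions for the demo.

```python
"""Added example (not part of the flashcards): flags the indicators from the
IoC and Password Attacks cards over constructed Windows-style logon events.
Event IDs 4625/4624/4740 are real; field names, thresholds and the lat/lon
enrichment are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not captured from a real system).
EVENTS = (
    # brute force: one source, one account, a dozen failures then a lockout
    [{"id": 4625, "user": "alice", "src": "203.0.113.9", "t": f"2024-05-01T08:00:{s:02d}"} for s in range(12)]
    + [{"id": 4740, "user": "alice", "src": "203.0.113.9", "t": "2024-05-01T08:00:13"}]
    # password spraying: one source, a single failure per account across many accounts
    + [{"id": 4625, "user": f"user{n}", "src": "198.51.100.7", "t": f"2024-05-01T09:{n:02d}:00"} for n in range(8)]
    # impossible travel: bob succeeds from London, then from Sydney 30 minutes later
    + [{"id": 4624, "user": "bob", "src": "192.0.2.10", "t": "2024-05-01T10:00:00", "lat": 51.50, "lon": -0.12},
       {"id": 4624, "user": "bob", "src": "192.0.2.200", "t": "2024-05-01T10:30:00", "lat": -33.87, "lon": 151.21}]
)

def brute_force(events, min_failures=10):
    """(src, user) pairs with many 4625 failures against a single account."""
    fails = Counter((e["src"], e["user"]) for e in events if e["id"] == 4625)
    return sorted(k for k, n in fails.items() if n >= min_failures)

def password_spray(events, min_users=5, max_per_user=3):
    """Sources whose failures are spread thinly over many accounts (stays under lockout)."""
    per_src = defaultdict(Counter)
    for e in events:
        if e["id"] == 4625:
            per_src[e["src"]][e["user"]] += 1
    return sorted(src for src, users in per_src.items()
                  if len(users) >= min_users and max(users.values()) <= max_per_user)

def locked_out(events):
    """Accounts with a 4740 lockout event."""
    return sorted({e["user"] for e in events if e["id"] == 4740})

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=1000.0):
    """(user, implied km/h) for consecutive successful logons that would need
    faster-than-airliner travel between their locations."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and "lat" in e:
            by_user[e["user"]].append(e)
    hits = []
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["t"])
        for a, b in zip(logons, logons[1:]):
            hours = (datetime.fromisoformat(b["t"]) - datetime.fromisoformat(a["t"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if hours > 0 and km / hours > max_kmh:
                hits.append((user, round(km / hours)))
    return hits

if __name__ == "__main__":
    print("brute force:", brute_force(EVENTS))
    print("spraying:", password_spray(EVENTS))
    print("locked out:", locked_out(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
```

The spraying rule is the one worth noting: it does not look for many failures at all, only for one source touching many accounts with a failure count per account that stays below the lockout threshold, which is exactly why spraying slips past a lockout-only alert.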
8
Q

Distributed Denial of Service (DDoS)

A
  • Types of Attacks
    • Ping Flood: Overloads a host with ICMP echo requests (Mitigation: rate-limit or block inbound ICMP echo requests at the edge)
    • SYN Flood: Opens TCP handshakes without completing them, exhausting the half-open connection table (Mitigation: SYN cookies/flood guard, shorter timeouts, IPS)
    • Permanent DoS (PDoS): Bricks devices by re-flashing or corrupting firmware (Fix: full firmware reload or hardware replacement)
    • Fork Bomb: A process that keeps spawning copies of itself until the machine runs out of process slots or memory (a local DoS, not a network one)
  • DNS Amplification: the victim's IP address is spoofed as the source of small requests sent to publicly accessible or misconfigured UDP servers (open DNS resolvers), which send their much larger responses to the victim, overwhelming its network. Any connectionless UDP service with big answers (NTP, memcached) can be abused the same way.
  • Preventing
    • Black Hole/Sinkhole: A black hole null-routes the attack traffic (drops it, including legitimate traffic to that destination); a sinkhole redirects it to a server where it can be analyzed
    • IPS: Drops traffic matching flood signatures and rate thresholds
    • Elastic Cloud Infrastructure: Scales resources to absorb large attacks (costly, since you pay for the attacker's traffic)
    • Cloud Providers: Scrubbing/CDN services like Cloudflare and Akamai sit in front of the site and filter attack traffic
9
Q

Domain Name System (DNS) Attacks

A
  • Pharming Attack: Manipulates name resolution on a user's system (hosts file, local resolver settings) to redirect the user to a fake website.
  • DNS Poisoning Attack: Corrupts DNS records in a server's cache (cache poisoning), causing redirection for every client that uses that server.
  • Key Difference: Location of corruption. Pharming affects the user's system; DNS poisoning affects the DNS server.
    • Mitigation: Use DNSSEC (signed records let resolvers reject forged answers) and secure resolver configurations (random source ports and query IDs)
  • DNS Amplification Attack: Overwhelms targets by sending small DNS queries with the target's spoofed source address to open resolvers, which send large responses to the target
    • Mitigation: Do not run open recursive resolvers, apply Response Rate Limiting, restrict or minimize ANY responses, and filter spoofed source addresses at the network edge
  • DNS Tunneling: Encodes non-DNS traffic (C2, exfiltration) into queries and responses on port 53, which firewalls almost always allow
    • Mitigation: Analyze DNS logs for suspicious patterns (very long or high-entropy subdomains, high query volume to one domain, unusual TXT/NULL record use)
  • Domain Hijacking: Unauthorized changes at the registrar (transfer, nameserver change), leading to loss of control of the domain
    • Mitigation: Use registrar/registry lock, MFA on the registrar account, and keep contact info current
  • DNS Zone Transfer Attack: Pulls the entire zone (AXFR) from a misconfigured authoritative server, handing the attacker every hostname for reconnaissance and future attacks
    • Mitigation: Allow zone transfers only to the IPs of authorized secondary servers, ideally authenticated with TSIG
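Worked example for the amplification and tunneling bullets: a small scanner over constructed resolver log lines that computes the response/request size ratio (the amplification factor an attacker gets from that query) and scores the leftmost label of each name for the shape of tunneled data. This is an added example, not code from the flashcards; the key=value log format, field names and thresholds are assumptions rather than any product's real format.

```python
"""Added example (not part of the flashcards): scans constructed DNS resolver
log lines for the amplification and tunneling signals on the DNS Attacks card.
The key=value format, field names and thresholds are assumptions."""
from collections import Counter
from math import log2

# Constructed log lines (not a real resolver's output).
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:01 client=203.0.113.5 qname=example.com qtype=ANY req_bytes=64 resp_bytes=3200",
    "ts=2024-05-01T10:00:02 client=192.0.2.7 qname=www.example.com qtype=A req_bytes=60 resp_bytes=76",
    "ts=2024-05-01T10:00:03 client=192.0.2.8 qname=mail.example.com qtype=MX req_bytes=61 resp_bytes=120",
    "ts=2024-05-01T10:00:04 client=192.0.2.9 qname=a3f9c2e81b7d4e6f0a1c5b9d7e3f2a4b.tun.example.net "
    "qtype=TXT req_bytes=92 resp_bytes=210",
]

def parse_dns_line(line):
    """key=value fields separated by whitespace -> dict with byte counts as ints."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["req_bytes"], rec["resp_bytes"] = int(rec["req_bytes"]), int(rec["resp_bytes"])
    return rec

def shannon_entropy(s):
    """Bits per character; hostnames sit low, hex/base32 payloads sit high."""
    counts = Counter(s)
    return -sum(c / len(s) * log2(c / len(s)) for c in counts.values())

def flag_amplification(records, min_ratio=10.0):
    """Queries whose response dwarfs the request. With a spoofed source address
    each one is a free multiplier for the attacker; ANY and TXT are the usual suspects."""
    out = []
    for r in records:
        ratio = r["resp_bytes"] / r["req_bytes"]
        if ratio >= min_ratio:
            out.append((r["client"], r["qname"], r["qtype"], round(ratio, 1)))
    return out

def flag_tunneling(records, max_label=30, min_entropy=3.5):
    """Names whose leftmost label looks like encoded data rather than a hostname."""
    out = []
    for r in records:
        label = r["qname"].split(".")[0]
        entropy = shannon_entropy(label)
        reasons = []
        if len(label) > max_label:
            reasons.append("long_label")
        if entropy >= min_entropy:
            reasons.append("high_entropy")
        if reasons and r["qtype"] in ("TXT", "NULL"):   # record types that carry arbitrary bytes
            reasons.append("data_carrying_qtype")
        if reasons:
            out.append({"qname": r["qname"], "entropy": round(entropy, 2), "reasons": reasons})
    return out

if __name__ == "__main__":
    recs = [parse_dns_line(line) for line in SAMPLE_LOG]
    print("amplification:", flag_amplification(recs))
    print("tunneling:", flag_tunneling(recs))
```

On real traffic the entropy rule alone produces false positives from CDN and cloud hostnames, which also look random; the per-domain signals (query volume, number of distinct subdomains, ratio of TXT queries) are what make the alert reliable.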
10
Q

Directory Traversal Attack

A

On the exam! If you see "../" or "..\" → It's a Directory Traversal Attack

  • Directory Traversal Attack: Manipulates a file-path parameter with ../ sequences so the application reads (or writes) files outside the directory it was meant to serve
    • Example: http://example.com/../../../../etc/shadow
    • Unix systems: Use ../
    • Windows systems: Use ..\ or sometimes ../
    • Encoding: %2e%2e%2f represents ../; double encoding (%252e%252e%252f) gets past filters that decode only once
  • File Inclusion: SUB-TYPE of DTA. Vulnerability where a page parameter names a file the server will load and execute, allowing attackers to run their own code or open backdoors
    • Remote File Inclusion: Makes the app load a file from the attacker's server (e.g., user=http://malware.bad/malicious.php)
    • Local File Inclusion: Makes the app load a file already on the server, either a system file or one the attacker uploaded through a normal upload feature (e.g., user=../../Windows/system32/cmd.exe%00; the %00 null byte truncates the path in older runtimes so an appended extension like .php is ignored)
  • Prevention:
    • Use input validation: decode the parameter fully, canonicalize the path, and reject anything that does not stay under the allowed base directory (better: map an identifier to a file instead of accepting a path at all)
    • Monitor logs for suspicious entries like ../ and their encoded forms
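The resolver below shows the card's prevention bullet in code: the vulnerable path join next to a hardened one that decodes to a fixed point, rejects null bytes, and requires the canonical path to stay under the web root. It is an added example, not code from the flashcards; WEB_ROOT is an assumed document root and posixpath is used so the behaviour is identical on every OS.

```python
"""Added example (not part of the flashcards): a file-serving path resolver
the vulnerable way and the hardened way, exercised with the traversal,
encoded-traversal and null-byte inputs from the Directory Traversal card.
WEB_ROOT is an assumed document root."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root

def resolve_unsafe(user_path):
    """Vulnerable: decode once and join. Nothing stops '..' walking above WEB_ROOT."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(user_path)))

def resolve_safe(user_path):
    """Hardened: decode to a fixed point (defeats double encoding), reject null
    bytes, normalise both separators, then require the canonical result to stay
    under WEB_ROOT. Returns the path, or None when the request is rejected."""
    decoded = user_path
    for _ in range(5):                       # bounded loop: %252e -> %2e -> .
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:                    # %00 truncation trick
        return None
    decoded = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate

# Constructed request inputs, as they would arrive in a ?file= parameter.
REQUESTS = [
    "images/logo.png",
    "../../../../etc/shadow",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow",      # single URL encoding
    "%252e%252e%252f%252e%252e%252fetc/passwd",            # double encoding
    "..\\..\\..\\Windows\\win.ini",                        # Windows separators
    "../../etc/passwd%00.png",                             # null byte before a 'safe' extension
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req!r:50} unsafe -> {resolve_unsafe(req)!r:32} safe -> {resolve_safe(req)!r}")
```

The prefix check uses commonpath on the normalized path rather than a string startswith, so a root of /var/www/html does not accidentally accept /var/www/html-old/secret.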
11
Q

Execution and Escalation Attacks

A
  • Arbitrary Code Execution: Allows attackers to run code of their choosing on the target system
  • Remote Code Execution (RCE): Arbitrary code execution triggered over the network, often over the internet, without prior access
  • Privilege Escalation: Gains higher-level permissions than assigned. Admins should use TWO accounts: a standard one for daily work and a privileged one used only when needed, so a compromised session has less to escalate from
    • Vertical Privilege Escalation: Moving up, e.g., from a standard user to administrator/root or SYSTEM
    • Horizontal Privilege Escalation: Moving sideways, e.g., one user accessing another user's data or session at the same privilege level
  • Rootkits: see the separate card
12
Q

Replay Attacks

A
  • Replay Attack: Intercepts valid data transmissions (an authentication exchange, a signed request) and retransmits them later to repeat their effect
    • Difference from Session Hijack:
      • Session Hijack: Takes over a live session and interacts with it in real time
      • Replay Attack: Captures data and reuses it later, without needing to understand or decrypt it
  • Applications of Replay Attacks:
    • Occurs in banking, email, online shopping, and social media
    • Common in wireless authentication using WEP encryption, which has no replay protection
  • Credential Replay Attack:
    • Captures and reuses login credentials or authentication hashes (pass-the-hash) to gain unauthorized access
  • Preventing Replay Attacks:
    • Use session tokens to make each session unique
    • Include a timestamp, nonce, or sequence number in each message and reject anything already seen or too old
    • Implement multi-factor authentication
    • Use WPA3 for secure wireless
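To make the prevention bullets concrete, here is a request verifier that accepts a captured message twice next to one that binds a timestamp and a single-use nonce into the MAC, so the same capture is rejected on its second arrival. This is an added example, not code from the flashcards; the shared key, the message layout and the five-minute freshness window are assumptions for the demo.

```python
"""Added example (not part of the flashcards): a replayable verifier beside
one that uses a timestamp window and single-use nonces, as on the Replay
Attacks card. Key, message format and window size are assumptions."""
import hashlib
import hmac
import secrets

KEY = b"demo-shared-secret"   # assumed pre-shared key between client and server

def sign_naive(key, body):
    """Replayable design: the MAC covers only the body, so a capture stays valid forever."""
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def verify_naive(key, msg):
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])

def sign(key, body, now, nonce=None):
    """Client side: MAC covers timestamp, nonce and body so none can be altered."""
    nonce = nonce or secrets.token_hex(16)
    ts = str(int(now))
    mac = hmac.new(key, f"{ts}|{nonce}|{body}".encode(), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "body": body, "mac": mac}

class ReplayGuard:
    """Server side: check the MAC, then freshness, then nonce uniqueness within the window."""
    def __init__(self, key, window_s=300):
        self.key, self.window, self.seen = key, window_s, {}   # nonce -> ts

    def verify(self, msg, now):
        expected = hmac.new(self.key, f'{msg["ts"]}|{msg["nonce"]}|{msg["body"]}'.encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad_mac"
        if abs(int(now) - int(msg["ts"])) > self.window:
            return "stale"
        # forget nonces older than the window: anything that old is already 'stale'
        self.seen = {n: t for n, t in self.seen.items() if int(now) - t <= self.window}
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = int(msg["ts"])
        return "ok"

def demo(t0=1_700_000_000):
    """Replays one captured message against both verifiers; returns the verdicts."""
    naive = sign_naive(KEY, "transfer 100 to mallory")
    guard = ReplayGuard(KEY)
    msg = sign(KEY, "transfer 100 to mallory", t0)
    tampered = dict(msg, body="transfer 900 to mallory")
    old = sign(KEY, "transfer 100 to mallory", t0 - 3600)   # captured an hour ago
    return {
        "naive_first": verify_naive(KEY, naive), "naive_replay": verify_naive(KEY, naive),
        "first": guard.verify(msg, t0 + 1), "replay": guard.verify(msg, t0 + 2),
        "tampered": guard.verify(tampered, t0 + 3), "stale": guard.verify(old, t0 + 4),
    }

if __name__ == "__main__":
    print(demo())
```

The freshness check runs before the nonce check on purpose: it bounds how many nonces the server must remember, since any message older than the window is refused without consulting the store.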
13
Q

Session Management / Hijacking

A
  • Cookies:
    • Session Cookies: Non-persistent, kept in memory and deleted when the browser closes
    • Persistent Cookies: Stored on disk until deleted or expired (should never hold sensitive data in the clear; set Secure and HttpOnly)
  • Session Hijacking:
    • Attacker takes over an authenticated session, classically by disconnecting a host and replacing it by spoofing the original IP
    • On the web, occurs via cookie theft (sniffing, XSS) or modification
    • Mitigation: Cookies with Secure, HttpOnly and SameSite flags; regenerate the session ID after login; short timeouts
  • Session Prediction Attack:
    • Attacker guesses session tokens (sequential IDs, tokens derived from the time or username) to hijack sessions
    • Mitigation: Generate tokens from a cryptographically secure random source so they cannot be predicted from other tokens or the clock
  • Cookie Poisoning:
    • Modifies cookie contents (a role or user ID stored client-side) to exploit trust the web app places in them
    • Mitigation: Keep authorization state server-side; sign any cookie value the server must trust
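Worked example for the session prediction bullet: a token issuer that seeds Python's random module with the login second, the attacker's search that recovers a victim's seed from an observed token and a rough time of login, and the CSPRNG issuer the mitigation calls for. This is an added example, not code from the flashcards; the weak design is assumed for the demo and not taken from any real product.

```python
"""Added example (not part of the flashcards): predictable vs unpredictable
session tokens, from the Session Management card. The weak issuer is an
assumed design for the demo."""
import random
import secrets

def weak_token(issue_time):
    """Predictable: 64 bits from a PRNG whose only 'secret' is the issue second."""
    return f"{random.Random(int(issue_time)).getrandbits(64):016x}"

def strong_token():
    """Unpredictable: 256 bits from the OS CSPRNG (secrets), URL-safe base64."""
    return secrets.token_urlsafe(32)

def predict_weak(observed, approx_time, window_s=120):
    """Attacker: knowing roughly when a token was issued (their own login, or a
    victim's seen in a log), re-run the issuer for every candidate second."""
    base = int(approx_time)
    for seed in range(base - window_s, base + window_s + 1):
        if weak_token(seed) == observed:
            return seed
    return None

def demo(t0=1_700_000_000):
    """Recover the seed behind a victim's token, then forecast a later token."""
    victim = weak_token(t0)                   # assumed observed, e.g. leaked in a referer
    seed = predict_weak(victim, t0 + 37)      # attacker only knows the login was 'about now'
    forecast = weak_token(seed + 5) if seed is not None else None
    return {"seed_recovered": seed == t0,
            "forecast_matches": forecast == weak_token(t0 + 5),   # token of a login 5 s later
            "strong_recovered": predict_weak(strong_token(), t0 + 37) is not None}

if __name__ == "__main__":
    print(demo())
```

With a two-minute uncertainty the weak token has about 8 bits of effective entropy (241 candidate seeds), whatever its printed length; and the random module is a Mersenne Twister, so even a good seed would not make it safe for tokens. The strong issuer has 256 bits and no relationship to the clock, so the same search finds nothing.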
14
Q

On-Path Attacks

A
  • Attack Methods:
    • ARP (Address Resolution Protocol) Poisoning: Sends forged ARP replies so hosts map the gateway's IP to the attacker's MAC, redirecting LAN traffic through the attacker
    • DNS Poisoning: Reroutes via modified DNS responses
    • Rogue Wi-Fi Access Point (evil twin): Fake Wi-Fi with a familiar SSID to capture data
    • Rogue Hub/Switch: Malicious device inserted into the network path to intercept traffic
  • Replay Attack: Reuses captured data later or immediately
  • Relay Attack: Attacker acts as a proxy between hosts, forwarding each side's messages (and authentication) to the other
  • Challenges:
    • Encryption (TLS 1.3) makes intercepted traffic unreadable, so the attacker has to break or remove it
    • SSL Stripping: Downgrades HTTPS to HTTP between the victim and the attacker while the attacker talks HTTPS to the real site (Mitigation: HSTS, so the browser refuses plain HTTP for the domain)
  • Downgrade Attack: Forces lower security levels (e.g., weaker Wi-Fi encryption or an older TLS version) so the traffic can be broken
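Worked example for the ARP poisoning bullet: a detector run over a constructed sequence of ARP replies (sender IP, sender MAC) in the order a sniffer or a switch log would record them. It is an added example, not code from the flashcards; the addresses and the gateway IP are made up for the demo.

```python
"""Added example (not part of the flashcards): detects the ARP poisoning
pattern from the On-Path Attacks card in a constructed reply sequence."""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"   # assumed

# Constructed ARP replies in arrival order: normal traffic, then an attacker
# claiming both the gateway and a victim so traffic between them passes through it.
ARP_REPLIES = [
    ("10.0.0.1",  "aa:bb:cc:00:00:01"),   # gateway announces itself
    ("10.0.0.20", "aa:bb:cc:00:00:20"),   # victim workstation
    ("10.0.0.66", "de:ad:be:ef:00:66"),   # attacker's own address
    ("10.0.0.1",  "de:ad:be:ef:00:66"),   # attacker claims the gateway IP
    ("10.0.0.20", "de:ad:be:ef:00:66"),   # attacker claims the victim IP
]

def detect_arp_poisoning(replies, gateway_ip):
    """Two signals: an IP's MAC flips (worst when it is the gateway), and one MAC
    ends up claiming several IPs. Returns (kind, subject, detail) alerts in order."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ip, mac in replies:
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            kind = "gateway_mac_changed" if ip == gateway_ip else "ip_mac_changed"
            alerts.append((kind, ip, f"{ip_to_mac[ip]} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(("mac_claims_many_ips", mac, ",".join(sorted(ips))))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, GATEWAY_IP):
        print(*alert)
```

A MAC flip is not proof by itself (DHCP reassignments and router failover protocols produce legitimate ones), which is why the gateway case is labelled separately and the one-MAC-many-IPs rule is checked too. On the network side, static ARP entries for the gateway or switch-level Dynamic ARP Inspection stop the forged replies from taking effect at all.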
15
Q

Injection Attacks

A

Injection attacks beyond SQL injection and XML injection.

  • LDAP Injection: Fabricates LDAP filter statements through user input (e.g., a username of *)(uid=*)) to bypass authentication or read directory data from web apps
    • Mitigation: Use input validation and escape LDAP special characters; never build filters by string concatenation
  • Command Injection: Executes arbitrary shell commands via a web app that passes user input to the OS (e.g., a page that offers ping and takes a hostname: submitting 8.8.8.8; id makes the shell run id as a second command)
    • Mitigation: Do not invoke a shell; pass validated input as a separate argument to the program
  • Process Injection: Executes code inside another, legitimate process to inherit its trust and hide from process listings
    • Techniques:
      • DLL Injection
      • Thread Execution Hijacking
      • Process Hollowing
      • Process Doppelgänging
      • Asynchronous Procedure Calls
      • Portable Executable Injection
  • Mitigation:
    • Use endpoint security (EDR) to block common injection patterns and API call sequences
    • Implement security kernel modules
    • Follow Least Privilege so a compromised process cannot inject into higher-privileged ones
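Worked example for the command injection bullet: the "ping a host" feature built by pasting user input into a shell string, then hardened with an argument list plus a strict host validator. This is an added example, not code from the flashcards; the function names are hypothetical and the ping flags assume a Unix ping.

```python
"""Added example (not part of the flashcards): the ping feature from the
Injection Attacks card, vulnerable and hardened. Hypothetical helper names;
'ping -c 1' assumes a Unix ping."""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of alphanumerics and inner hyphens only.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def vulnerable_command(host):
    """Vulnerable: the shell parses ';', '|', '$(...)' and backticks inside HOST.
    Running this with subprocess.run(cmd, shell=True) executes whatever follows."""
    return f"ping -c 1 {host}"

def validate_host(host):
    """Allowlist: an IP literal or a well-formed hostname; everything else is rejected.
    A leading '-' cannot pass, which also blocks argument injection (-c 100000 ...)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME.match(host))

def hardened_argv(host):
    """Hardened: no shell at all, validated input passed as its own argv element."""
    if not validate_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping(host):
    """Executes the hardened form; the shell never sees the input."""
    return subprocess.run(hardened_argv(host), capture_output=True, text=True, timeout=10).returncode

if __name__ == "__main__":
    for h in ["8.8.8.8", "example.com", "127.0.0.1; id", "$(id)", "`whoami`", "-c 100000 127.0.0.1"]:
        print(f"{h!r:26} shell string: {vulnerable_command(h)!r:42} accepted: {validate_host(h)}")
```

The argument list alone is not enough: a value such as "-c 100000 127.0.0.1" is still handed to ping as an option, so the allowlist (which forbids a leading hyphen and whitespace) is doing real work even without a shell. The same pattern applies to any external tool the application wraps, not just ping.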