Chapter 1 - Threats, Attacks, and Vulnerabilities Flashcards
Phishing
Social Engineering with a touch of spoofing
Usually by mail, text, etc.
Usually something wrong with the URL
Smishing (SMS Phishing)
Done by text message
Forwards links or asks for personal information
Examples: fake check, phone code verification, boss/ CEO
Vishing (Voice Phishing)
Done over the phone or voicemail
Caller ID spoofing is common
Examples: fake security checks or bank updates
Spam
Unsolicited messages
Examples: emails or forums
Mail Gateways
A filter that identifies spam and throws it away
Spam Over Instant Messaging (SPIM)
Unsolicited messages over instant messaging
Spear Phishing
Targeted phishing with inside information
Whaling
Spear phishing/ targeting the higher ups of a company
Have a ton of information for a bigger catch
Dumpster Diving
Physically going through a dumpster to find important details (for an attack) people/ companies have thrown out
Shoulder Surfing
Physically peeking over someone’s shoulder to look at their screen and steal information
Pharming
Redirecting traffic for a legitimate website to a bogus site
Harvests a large group of people instead of just one person
Tailgating
Using an authorized person to gain unauthorized access to a building
Eliciting Information
Extracting information from the victim
Often used with vishing
Prepending
Add onto the beginning of a fake URL
Example: “https://pprofessormesser.com”
Identity Fraud
Someone else using your identity
Examples: credit card, bank, loan, government benefits fraud
Invoice Scams
Sending a fake invoice to the person/ department paying the bills at a company and the attacker ends up with the payment details
Credential Harvesting
Attackers collecting login credentials
Opening a document that runs a macro to start harvesting
Also called password harvesting
Reconnaissance
Gather information on the victim
Usually background information
Examples: social media, corporate website
Hoax
A threat that doesn’t actually exist but seems like it COULD be real
Impersonation
Attacker pretends to be someone they are not
Uses details from reconnaissance
Watering Hole Attack
Strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware
Eventually, some member of the targeted group will become infected
Typosquatting
A type of URL hijacking
Purposely misspelling a URL
Example: “https:professormessor.com”
Pretexting
Lying to a victim to get information
Example: “Hi, we are calling from Visa regarding…”
Influence Campaigns
Sway public opinion on political and social issues
Influence Campaigns - Hybrid Warfare
A military strategy that can include influencing elections and spreading fake news
Usually called cyberwarfare
Attack an entity with technology
Influence Campaigns - Social Media
Amplifying fake content on social media used by millions of people
Social Engineering Principles - Authority
The social engineer is in charge
Example: “I am calling from the office of the CEO…”
Social Engineering Principles - Intimidation
Things will be bad if you do not do this
Example: “If you don’t help me…”
Social Engineering Principles - Consensus/ Social Proof
Convince the victim based on what’s normally expected
Example: “Your co-worker, Jill, did this for me…”
Social Engineering Principles - Scarcity
The situation will not be this way for long
Example: Must make the change before time expires
Social Engineering Principles - Familiarity/ Liking
Someone you know, we have common friends
Social Engineering Principles - Trust
Someone who is safe
Example: “I am from IT, I am here to help”
Social Engineering Principles - Urgency
Paired with scarcity
Example: Act quickly, don’t think
Social Engineering Principles
Common methods used to make social engineering attacks more effective
Defending Against a Watering Hole Attack
Defense in depth
Firewalls and IPS
Anti-virus/ anti-malware signature updates
Malware
Malicious software intended to cause harm and gather information
Ransomware
Taking away data and requiring victim to pay to get it back
Trojans
Software that pretends to be something else in order to take control of your computer
Worms
Malware that replicates itself
Does NOT need to be executed by the user
Potentially Unwanted Programs (PUPs)
Usually downloaded by trojans
Software that a user may perceive as unwanted or unnecessary
Fileless Virus
A stealth attack operated in memory
Avoids anti-virus detection and is never installed in a file or application
Command and Control
Responsible for sending out commands to bots
Bots (Robots)
A type of software application or script that performs automated tasks on command
Cryptomalware
Newer generation of ransomware
Uses cryptography to encrypt the victim’s information and sends the victim the decryption key only if the victim pays in cryptocurrency
Logic Bombs
Waits for a predefined moment before the attack is executed
Example: time, date, event
Keyloggers
A form of malware or hardware that keeps track of and records your keystrokes as you type
Remote Access Trojans (RATs)
Installed as a backdoor
Malware used to gain complete control of the operating system
Rootkit
Modifies files in the foundational building blocks of the operating system (the core)
Backdoor
A new way to get into a system without going through the front door and its security controls
Placed on system through malware
Virus
Malware that can reproduce itself
Executed by user when a program is run
Examples: program, boot sector, script, macro viruses
Adware
Pop-ups that can cause performance issues on your device
Spyware
Malware that spies on you and everything you do
Botnets
A group of bots working together
Example: DDoS
Spraying Attack
Attacking an account with the top three (or more) most common passwords
Moving on if they do not work, so there are no lockouts, alarms, or alerts
Dictionary Attack
Using a dictionary or wordlist of common words
Brute Force Attack
Trying every possible password combination until the hash matches
Brute Force Attack - Online
Keep trying the login process
Very slow
Might lock out after a certain number of attempts
Brute Force Attack - Offline
Brute forcing the hash
Get a list of users and hashes
Calculate a password hash, compare it to the stored hash
Rainbow Table
Pre-built/ calculated set of hashes
Increases speed
Plaintext/ Unencrypted
Storing passwords in the “clear”
There is no encryption and you can read the stored password
Malicious Universal Serial Bus (USB) Cable
Looks like a normal USB cable but has additional electronics inside
Human Interface Device (HID)
Downloads and installs malicious software
Malicious Flash Drive
Looks like a normal flash drive but can cause damage
Examples: loading malware documents, acting as a boot device or Ethernet adapter
Card Cloning
Get card details from a skimmer
Create a duplicate of a card
Skimming
Stealing credit card information during a normal transaction
Tainted Training Data for Machine Learning (ML)
Attackers sending modified training data that causes the AI to behave incorrectly
Security of Machine Learning Algorithms
Check the training data
Retrain with new data
Train the AI with possible poisoning
Evasion Attacks
Used to trick the AI into giving off confidential information
Supply Chain Attacks
Attackers can affect the supply chain by infecting different parts without suspicion
One exploit can infect the entire chain
Birthday Attack
Finding a hash collision through the effect of chance
Collision Attack
Finding two inputs producing the same hash value
Downgrade Attack
Forcing a system to downgrade its encryption, making it easier to exploit
Could use an on-path attack
Privilege Escalation
Gaining higher-level access to a system
More capabilities
Cross-Site Scripting (XSS)
Type of injection, in which malicious scripts are injected into otherwise benign and trusted websites
Non-persistent (Reflected) Cross-Site Scripting Attack
The injected malicious script is “reflected” off the web server as a response that includes some or all of the input sent to the server as part of the request
Persistent (Stored) Cross-Site Scripting Attack
Posting a message to a social network that includes a malicious payload
Posted and propagated to others
Code Injection
Adding your own information into a data stream
Structured Query Language (SQL) Injection
Inserting a SQL query into regular input or form fields in order to get credentials such as a username or password
Extensible Markup Language (XML) Injection
Modifying requests, sending data and storing it in a different location
Lightweight Directory Access Protocol (LDAP) Injection
Modifying requests to gain directory information you normally would not have access to
Dynamic-Link Library Injection
Injecting a DLL into an application and having that application run the injected code
Buffer Overflows
Writing past the end of a buffer so that data spills over into other memory areas
Replay Attacks
Data transfer is maliciously repeated or delayed
NOT an On-path attack
Cross-Site Request Forgery
Malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts
Pointer/ Object Dereference
Programming technique that references a portion of memory
Directory Traversal/ Path Traversal
Reading files from a web server that are outside the website’s file directory
Race Conditions
Two commands happening at the same time without being planned for
Error Handling
Error messages that give just enough information for an attacker to exploit the system
Improper Input Handling
Finding input that is handled improperly so that malicious input can be used to execute an attack
Session Replays
Reproduction of a user’s interactions on a website or web application exactly how the user actually experienced it
Integer Overflow
When you attempt to store inside an integer variable a value that is larger than the maximum value the variable can hold
Server-Side Request Forgery
Attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker
Application Programming Interface (API) Attacks
The malicious usage or attempted usage of an API from automated threats such as access violations, bot attacks or abuse
Resource Exhaustion
Happens when a system or system user uses up all the available resources the system has, leaving it completely drained
Specialized DoS attack
Example: zip bomb
Memory Leak
When memory that is no longer used is not properly released; usage grows until all available memory is consumed and the system crashes
Secure Sockets Layer (SSL) Stripping
Combines on-path attack with a downgrade attack
Type of cyberattack in which an attacker downgrades a website from secure HTTPS to an insecure HTTP connection
Driver Manipulation
The alteration of system drivers to achieve a malicious outcome
Shimming
Filling in the space between two objects (middleman)
Inserting a layer between an application and the operating system to modify the behavior of the application
Refactoring
Appears different each time malware is downloaded
Adds loops, pointless strings, etc.
Can intelligently redesign itself
Pass the Hash (PtH)
Type of cybersecurity attack in which an attacker steals a “hashed” user credential and uses it to create a new user session on the same network
Time-of-check to Time-of-use Attack (TOCTOU)
Race condition that occurs when a resource is checked for a particular value, such as whether a file exists or not, and that value then changes before the resource is used, invalidating the results of the check
Evil Twin
Access point that looks like an existing network
Wireless version of phishing
Rogue Access Point
Unauthorized wireless access point
Not necessarily malicious
Potential backdoor
Bluesnarfing
Access a Bluetooth device and transfer data
Examples: contact list, calendar, emails, pictures, videos, etc.
Bluejacking
Sending unsolicited messages to another device via Bluetooth
Disassociation
Cyberattack where a hacker forces a device to lose internet connectivity either temporarily or for an extended time
Wireless DoS attack
Jamming
Prevent wireless communication by transmitting interfering wireless signals
DoS
Could be accidental: microwaves, lights, etc.
Radio Frequency Identification (RFID)
Uses electromagnetic fields to automatically identify and track tags attached to objects
Examples: access badges, pet/ animal identification, etc.
Near-field Communication (NFC)
Set of communication protocols that enables communication between two electronic devices over a short distance
Initialization Vector (IV)
A type of nonce
Used for randomizing an encryption scheme
Examples: encryption ciphers, WEP, SSL implementations
On-Path Network Attack (man-in-the-middle attack/ man-in-the-browser attack)
When an attacker sits between two stations and can capture, and sometimes modify, the data being sent between them across the organization’s network
Address Resolution Protocol (ARP) Poisoning
A form of spoofing attack that hackers use to intercept data
Used by attacker in an on-path attack
Media Access Control (MAC) Flooding
The flooding of MAC addresses in the MAC table forcing out the legitimate MAC addresses
Switch begins flooding traffic to all interfaces
Switch turns into a hub and all traffic is transmitted to all interfaces
MAC Cloning
Attacker changes their MAC address to match the MAC address of an existing device
Domain Hijacking
Gaining access to the domain registration, which gives control over where the traffic goes
DNS Poisoning
When fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website
Uniform Resource Locator (URL) Redirection
Vulnerability which allows an attacker to force users of your application to an untrusted external site
Click a link and get sent to a malicious site
Domain Reputation
The health or condition of your branded domain
Example: email - might not be able to send or receive emails
Domain Name System
The system by which internet domain names and addresses are tracked and regulated
Distributed Denial-of-service (DDoS)
An army of computers used to overload and bring down a service
Use all bandwidth or resources
Application DoS
Making an application break or work harder
Examples: fill disk space, overuse of resources, increase response time
Operational Technology (OT) DoS
Overload the hardware and software for industrial equipment
Examples: Power grids, traffic lights, etc.
PowerShell (Malicious Code)
Attacks Windows systems by accessing domains and files
.ps1 file extension
Python (Malicious Code)
Attacks infrastructure (routers, switches, servers) and used for cloud orchestration
.py file extension
Bash (Malicious Code)
Used in shell script to attack the Linux/ Unix environment (web, database, etc.)
.sh file extension
Macros (Malicious Code)
Used to automate functions and make applications easier to use
Attackers create automated exploits that run when the user opens the file and the macro executes
Visual Basic for Applications (VBA) (Malicious Code)
Automates processes within Windows applications
CVE-2010-0815 / MS10-031 - Allows arbitrary code embedded in a document to run
On-Path Browser Attack
The attacker is on the same computer as the victim, using malware that takes information from the victim
Denial of Service
Overload a service and force it to fail
Advanced Persistent Threat (APT)
Attackers remaining in the network undetected for a long time to obtain highly sensitive data
Insider Threats
A threat to an organization that comes from people within the organization, such as employees or former employees who have inside information concerning the organization’s security practices, data and computer systems
State Actors
People or groups who use their technology skills to facilitate hacking, sabotage, theft, misinformation and other operations on behalf of a country
Hacktivists
A hacker that has a purpose of social change or with a political agenda
Script Kiddies
An unsophisticated attacker who runs pre-made scripts without any knowledge of what’s really happening
Criminal Syndicates
Professional criminals engaged in organized crime, motivated by money
Hackers
Person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle
Hackers (authorized)
An ethical hacker with good intentions and has permission to hack
Hackers (unauthorized)
A malicious hacker who violates security for personal gain
Hackers (semi-authorized)
A hacker who finds a vulnerability but doesn’t use it
Shadow IT
The use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization
Competitors (Threat Actor)
A different organization having negative intents against your company by trying to take information or corrupt databases
Attributes of Actors
Internal/ external, level of sophistication/ capability, resources/ funding, intent/ motivation
Attack Vectors
A method used by the attacker to gain access or infect the target
Attack Vectors (Direct Access)
Physically accessing the data center and modifying the operating system
Examples: keylogger, transfer files, DoS, etc.
Attack Vectors (Wireless)
Modifying the access point configuration
Examples: rogue access point, evil twin, etc.
Attack Vectors (Email)
Using an email to attack someone
Examples: phishing, delivery of malware, etc.
Attack Vectors (Supply Chain)
Tamper with underlying infrastructure or manufacturing process
Attack Vectors (Social Media)
Putting personal information online and using it against the user
Examples: user profiling
Attack Vectors (Removable Media)
Using attacks to remove media from systems
Examples: USB, flash drive, data exfiltration
Attack Vectors (Cloud)
Using security misconfigurations against applications and services
Examples: Brute force, orchestration attacks, DoS
Open-source Intelligence (OSINT)
Researching threats using public open-source resources
Examples: Internet, government data, commercial data
Closed/ Proprietary Intelligence
The purchase of compiled threat information someone else already has
Vulnerability Databases
Places where vulnerabilities can be researched
Examples: common vulnerabilities and exposures (CVE)
Public/ Private Information Sharing Centers
Provides a central resource for gathering information on cyber and related threats to critical infrastructure and providing two-way sharing of information between the private and public sectors
Dark Web
Overlay networks that use the Internet but require specific software, configurations, or authorization to access
Indicators of Compromise (IOC)
An event that indicates an intrusion
Examples: uncommon login patterns, unusual amount of connectivity
Automated Indicator Sharing (AIS)
A way for the intelligence industry to share important threat data or indicators
Structured Threat Information eXpression (STIX)
Describes cyber threat information
Examples: motivations, abilities, capabilities, etc.
Trusted Automated eXchange of Intelligence Information (TAXII)
Securely shares the STIX data over HTTPS
Predictive Analysis
Analyze a large amount of data, identify behaviors, and create a forecast for potential attacks
Threat Maps
A map created from real attack data to identify attacks and trends
File/ Code Repositories
Places to see code of what hackers are building and what people are accidentally releasing
Examples: GitHub
Threat Research
Seeking out potential risks and delivering insights to take action
Vendor Websites (research sources)
Vendors knowing when problems occur with their products
Vulnerability Feeds (research sources)
Automated vulnerability notifications for when threats occur
Conferences (research sources)
A place to gather information from other professionals about attacks
Academic Journals (research sources)
Research from academic professionals about security technologies
Request for Comments (RFC) (research sources)
Document that contains specifications and organizational notes about topics related to the internet and computer networking, such as routing, addressing and transport technologies
Local Industry Groups (research sources)
A gathering of local peers for shared industry and technology insights
Social Media (research sources)
Profiles with group conversations - professionals discussing details
Threat Feeds (research sources)
Monitoring threat announcements to stay informed
Examples: U.S. Department of Homeland Security, etc.
Adversary Tactics, Techniques, and Procedures (TTP)
Describe the behaviors, strategies and methods used by attackers to develop and execute cyber attacks on enterprise networks
Threat Intelligence
Researching threats and threat actors so you can make educated decisions and take preventive measures
Zero-day Attacks
An attack that has not been discovered yet
Open Permissions
No security on data, allowing attackers to perform actions that exploit the system
Unsecure Root Accounts
Vulnerable to takeover due to poor security configuration
Example: weak passwords
Errors
Messages that can provide useful information to an attacker
Examples: service type, version information, debug data
Weak Encryption
Uses a key of insufficient length, making it easier to attack
Insecure Protocols
A protocol that introduces security concerns due to the lack of controls over confidentiality and/or integrity
Default Settings
Having preset credentials allowing access to all configurations
Open Ports and Services
Services open ports, which provide a pathway for attackers to exploit vulnerabilities in your system
Defend with a firewall
Third-Party Risks
The risk of outsourcing certain services or using software built by third parties to accomplish certain tasks
System Integration Risk
The potential for integration of technology, processes, information, departments or organizations to fail
Lack of Vendor Support Risk
Vendors not taking initiative to fix their products
Supply Chain Risk
The implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity
Outsourced Code Development
Hiring a third-party service provider to handle software development projects
Data Storage
Storing data with a third party: can they be trusted?
Improper Patch Management
Failing to distribute and apply updates to software
Firmware Patch Management
The BIOS of the device
Operating System Patch Management
Monthly and on-demand patches
Applications Patch Management
Provided by the manufacturer as needed
Legacy Platforms
An outdated computer system still in use
Impacts to Third-Party Risks
Data loss, data breaches, data exfiltration, identity theft, financial, reputation, availability loss
Threat Hunting
The practice of proactively searching for cyber threats that are lurking undetected in a network
Intelligence Fusion
Combining pieces of information to produce higher-quality information, knowledge, and understanding
Maneuver
Application of force to capture, disrupt, deny, degrade, destroy or manipulate computing and information resources in order to achieve a position of advantage in respect to competitors
Vulnerability Scans
Scanning used to discover the weaknesses of a given system
False Positive Scans
A vulnerability that was identified but doesn’t really exist
False Negative Scans
A vulnerability exists, but wasn’t detected
Vulnerability Scan Log Review
The process of discovering, analyzing, and reporting on security flaws and vulnerabilities of what the scanner picked up
Credentialed Scans vs. Non-credentialed Scans
Credentialed scans - normal user, emulating an insider attack
Non-credentialed scans - The scanner can’t log in to the remote device
Intrusive Scans vs. Non-intrusive Scans
Intrusive scans - You’ll try out the vulnerability to see if it works
Non-intrusive scans - Gather information, don’t try to exploit a vulnerability
Application Scans
Desktop, mobile apps
Web Application Scans
Software on a web server
Network Scans
Misconfigured firewalls, open ports, vulnerable devices
Common Vulnerabilities and Exposures (CVE)/ Common Vulnerability Scoring System (CVSS)
Provides a reference method for publicly known information-security vulnerabilities and exposures
Configuration Review
Validating the security of device configurations
Security Information and Event Management (SIEM)
Logging of security events and information
Syslog
Standard for message logging (integrated in SIEM)
SIEM - Packet Capture
Can intercept and log traffic that passes over a computer network or part of a network
SIEM - Data Inputs
Server authentication attempts
VPN connections
Firewall log sessions
Denied outbound traffic flows
Network utilizations
SIEM - User and Entity Behavior Analysis (UEBA)
Cybersecurity solution that uses algorithms and machine learning to detect anomalies in the behavior of not only the users in a corporate network but also the routers, servers, and endpoints in that network
SIEM - Sentiment Analysis
The process of analyzing digital text to determine if the emotional tone of the message is positive, negative, or neutral
SIEM - Security Monitoring
Automated process of collecting and analyzing indicators of potential security threats, then triaging these threats with appropriate action
SIEM - Log Aggregation
Mechanism for capturing, normalizing, and consolidating logs from different sources to a centralized platform for correlating and analyzing the data
SIEM - Log Collectors
Collecting real-time log data within an organization’s network and bringing them together in a central location for better analysis
Security Orchestration, Automation, and Response (SOAR)
Software solution that enables security teams to integrate and coordinate separate tools into streamlined threat response workflows
SOAR - Orchestration
Connect many different tools together
Examples: firewalls, account management, email filters, etc.
SOAR - Automation
Handle security tasks automatically
SOAR - Response
Make changes immediately
Penetration Testing (Pentest)
Authorized simulated cyberattack on a computer system, performed to evaluate the security of the system
Pentest - Known Environment
Performed by a security expert trained to identify and document issues that are present in an environment
Pentest - Unknown Environment
Performed by a security expert that knows nothing about the systems under attack
“Blind” test
Pentest - Partially Known Environment
Performed by a security expert that has partial knowledge or access to an internal network or web application
Pentest - Rules of Engagement
Meant to list out the specifics of your penetration testing project to ensure that both the client and the engineers working on the project know exactly what is being tested, when it is being tested, and how it is being tested
Pentest - Lateral Movement
Once in the network, can move from system to system
Pentest - Persistence
Once in a system, you need to make sure there is a way back in
Examples: backdoor, change passwords, etc.
Pentest - Cleanup
Removing all traces of the pentest activity and leaving the network in its original state
Examples: remove backdoors, change passwords back
Bug Bounty
A reward offered to a person who identifies an error or vulnerability in a computer program or system
Pivoting
Using a compromised system to spread between different computer systems once inside the network, simulating the behavior of a real attacker
Passive Reconnaissance
Attempt to gain information about targeted computers and networks without actively engaging with the systems
Active Reconnaissance
Attempt to gain information about targeted computers and networks by actively engaging with the systems
War Flying
Uses a drone with a wireless network detector to find Wi-Fi network locations
Active Footprinting
Process of using tools and techniques, like the traceroute command or a ping sweep (Internet Control Message Protocol sweep), to collect data about a specific target
Passive Footprinting
Collecting data without actively engaging with the target system
Open Source Intelligence (OSINT)
The collection and analysis of information from many open sources
War Driving
Driving around with a wireless network detector to find Wi-Fi network locations
Red Team
The offensive security team
Hired ethical hackers
Blue Team
The defensive security team
White Team
Not on a team
Manages the interactions between the red teams and blue teams
Referees
Purple Team
Red and blue teams working together
Both share their findings to see how it can benefit the organization