Chapter 6 Flashcards

1
Q

Nation-state attackers

A

Some attackers are highly organized and dedicated. Nation-state attackers are attackers who are directly employed by or sponsored by a government. An advanced persistent threat (APT) is an example.

2
Q

APT

A

advanced persistent threat

China. Some reported names are PLA Unit 61398, Buckeye, and Double Dragon.

Iran. Some reported names are Elfin Team, Helix Kitten, and Charming Kitten.

North Korea. Some reported names are Ricochet Chollima and Lazarus Group.

Russia. Some reported names are Fancy Bear, Cozy Bear, Voodoo Bear, and Venomous Bear.

3
Q

Organized crime

A

Organized crime is composed of a group of individuals working together in criminal activities. Their primary motivation is money.

4
Q

Hacker

A

Malicious individuals who use their technical expertise to launch attacks and break into systems or networks for personal gain.

5
Q

unskilled attacker

A

An unskilled attacker uses existing computer scripts or code to launch attacks. These unskilled attackers are also known as script kiddies. Their motivations vary, but they are typically launching attacks out of boredom or to see what they can do.

6
Q

hacktivist

A

A hacktivist launches attacks as part of an activist movement or to further a cause. Hacktivists typically aren’t launching these attacks for their benefit but instead to increase awareness about a cause. For example, The Yes Men, an activist group that tries to raise awareness of social and political issues, launches disinformation campaigns against organizations.

7
Q

insider threat

A

An insider threat is anyone with legitimate access to an organization’s internal resources.

8
Q

competitor

A

A competitor is any organization engaged in economic or commercial competition with another organization. Their motivation is typically to gain proprietary information about another company.

9
Q

Attacker Attributes

A

Internal vs. external, Resources/funding, Level of sophistication/capability

10
Q

Threat Actor Motivations

A

Data exfiltration
Disruption/chaos
Financial gain
Blackmail
Service disruption
Philosophical/political beliefs
Ethical/white hats
Revenge
Espionage
War

The motivations listed by CompTIA include data exfiltration, service disruption, blackmail, financial gain, philosophical/political beliefs, ethical hacking, revenge, espionage, and war.

11
Q

Threat Vectors and Attack Surfaces

A

Threat vectors are the paths that attackers use to gain access to computers and networks. When successful, these vectors allow attackers to exploit vulnerabilities. Organizations often may think that they aren’t a logical attack target. However, it’s become increasingly clear that attackers often try to infiltrate lower-level targets to gain access to high-value targets.

Message-based – Attackers frequently send out spam with malicious links or attachments. This includes phishing, spear phishing, and whaling attacks.

Image-based – Attackers may use image-based attack vectors by embedding malicious code within image files.

File-based – File-based attack vectors involve malicious code hidden in seemingly innocuous files.

Voice call – Voice call attack vectors include phone-based social engineering attacks, where attackers impersonate trusted individuals or organizations to manipulate victims into revealing sensitive information or granting access to secure systems.

Removable device – Attackers can exploit removable devices, like USB drives or external hard drives, by loading them with malware.

Software-based – Attackers might target vulnerabilities in software applications, either through client-based attacks (exploiting software installed on users’ devices) or agentless attacks (directly targeting web applications or services). Unsupported applications, which no longer receive security updates, are especially vulnerable.

System-based – System-based attack vectors target vulnerabilities in computer systems, such as unsupported operating systems, vulnerable applications, hardware issues, open service ports, or default credentials. These weaknesses can provide an entry point for attackers to gain unauthorized access and control of the system.

Network-based – Network-based attack vectors focus on exploiting weaknesses in network infrastructure.

Supply-chain – Supply-chain attack vectors target the relationships between organizations and their managed service providers (MSPs), vendors, or suppliers.

12
Q

attack surface

A

An organization’s attack surface consists of all of the threat vectors that it is exposed to – all of the ways that an attacker might come after them.

13
Q

Shadow IT

A

Shadow IT refers to systems or applications used within an organization without the authorization or approval of the IT department.

14
Q

Malware

A

You might hear people use the term virus to describe all types of malware, but that isn’t accurate. A virus is a specific type of malware, and malware includes many other types of malicious software, including worms, logic bombs, Trojans, ransomware, rootkits, spyware, and more.

Malware includes a wide variety of malicious code, including viruses, worms, Trojans, ransomware, and more. A virus is malicious code that attaches itself to an application and runs when the application is started. A worm is self-replicating and doesn’t need user interaction to run.

15
Q

virus

A

A virus is malicious code that attaches itself to a host application.

16
Q

Worms

A

A worm refers to self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A worm resides in memory and can travel over the network using different transport protocols. One of the significant problems caused by worms is that they consume network bandwidth.

Worms can replicate themselves hundreds of times and spread to all the systems in the network. Each infected system tries to locate and infect other systems on the network, and network performance can slow to a crawl.

17
Q

logic bomb

A

A logic bomb is a string of code embedded into an application or script that will execute in response to an event. The event might be a specific date, time, or user action, such as when a user launches a specific program.

A logic bomb executes in response to an event, such as when a specific application is executed, or a specific time arrives.

18
Q

Trojan

A

A Trojan, also called a Trojan horse, typically looks like something beneficial, but it’s actually something malicious.

A Trojan appears to be something useful but includes a malicious component, such as installing a backdoor on a user’s system. Many Trojans are delivered via drive-by downloads. They can also infect systems with fake antivirus software, pirated software, games, and browser extensions.

19
Q

RAT

A

A remote access Trojan (RAT) is a type of malware that allows attackers to control systems from remote locations. It is often delivered via drive-by downloads or malicious attachments in email. Once installed on a system, attackers can then access the infected computer at any time and install additional malware if desired.

20
Q

Keyloggers

A

Keyloggers attempt to capture a user’s keystrokes. The keystrokes are stored in a file and either sent to an attacker immediately or saved until the attacker retrieves the file. While a keylogger is typically software, it can also be hardware. For example, you can purchase a USB keylogger, plug it into the computer, and plug the keyboard into the USB keylogger. This hardware keylogger will record all keystrokes and store them within memory on the USB device.

One of the ways keyloggers can be thwarted is by using two-factor authentication (2FA), such as a text message sent to a phone, as discussed in Chapter 2, “Understanding Identity and Access Management.” Even if the attackers capture a password via a keylogger, they won’t have access to the text message sent to the phone.

21
Q

Spyware

A

Spyware is software installed on users’ systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Spyware takes some level of control over the user’s computer to learn information and sends this information to a third party. If spyware can access a user’s private data, it results in a loss of confidentiality.

Keyloggers capture a user’s keystrokes and store them in a file. This file can be automatically sent to an attacker or manually retrieved, depending on the keylogger. Spyware monitors a user’s computer and often includes a keylogger.

22
Q

Rootkit

A

A rootkit is a program or group of programs that gains administrative access on a system to provide the attacker with administrative privileges and/or hide the fact that the system has been infected or compromised by malicious code. A user might suspect something is wrong, but antivirus scans and other checks might indicate everything is fine because the rootkit hides its running processes to avoid detection.

Tools that can inspect RAM can discover hooked processes.

23
Q

Bloatware

A

Bloatware describes programs a user may not want, even if they consented to downloading them. Some of these unwanted programs are legitimate, but some are malicious, such as Trojans. The extras have often been called spyware, adware, junkware, or crapware.

24
Q

Potential Indicators of a Malware Attack

A

Extra traffic. Malware typically adds a lot of extra traffic to a network.

Data exfiltration. Data exfiltration refers to the unauthorized transfer of data out of a network.

Encrypted traffic. Some malware will encrypt the data before data exfiltration attempts. This can bypass DLP.

Traffic to specific IPs. Bot zombies will often attempt to connect to known command and control servers.

Attempts to access blacklisted IPs are a strong indicator that a system is compromised. Security teams should monitor firewall logs for this traffic.

Outgoing spam. Desktop computers don’t normally send large amounts of email. When they do, it’s often because they have been added to a botnet and are sending phishing emails as zombies.