Chapter 6 - Comparing Threats, Vulnerabilities, and Common Attacks Flashcards

1
Q

Attack vector

A

Paths that attackers use to gain access to computers and networks.

When successful, these vectors enable attackers to exploit vulnerabilities

2
Q

Malware

A

Malware, or malicious software, includes a wide range of software that has malicious intent.

Malware is not software that you would knowingly purchase or download and install - but rather it is installed onto your system through devious means.

3
Q

Virus

A

Malicious code that attaches itself to a host application.

The host application must be executed to run, and the malicious code executes when the host application is executed.

The virus tries to replicate by finding other host applications to infect with the malicious code.

At some point the virus activates and delivers its payload. Typically the payload is damaging: it could delete files, cause random reboots, join the computer to a botnet, or enable backdoors that attackers can use to access the system remotely.

Most viruses won’t cause damage immediately, but rather give the virus time to replicate first. A user often executes the virus unknowingly, but other times the OS executes it automatically after a user action, such as when a user plugs in an infected USB drive.

4
Q

Shadow IT

A

Shadow IT refers to any unauthorized systems or applications within an organization, installed on or connected to the network without authorization or approval. It happens when insiders set up systems without approval, often to bypass security controls or to get work done faster.

Shadow IT increases risk because these systems aren’t managed: nobody patches, monitors, backs up or inventories them.

5
Q

Worm

A

A self-replicating malware that travels throughout a network without the assistance of a host application or user interaction.

A worm resides in memory and can use different transport protocols to travel over a network.

One significant problem with worms is that they consume lots of network bandwidth: they can replicate themselves hundreds of times and spread to all the systems in the network.

Each infected system tries to locate and infect other systems on the network, and network performance can slow to a crawl.

6
Q

Logic bomb

A

A string of code embedded into an application or script that will execute in response to an event. The event might be a specific date or time, or a user action such as when a user launches a specific program.

7
Q

Backdoor

A

Provides another way of accessing a system, like a backdoor on a house.

Malware often installs backdoors on systems to bypass normal authentication methods.

Many types of malware create a backdoor quickly after infecting a system or network, giving them discreet access to the system or network. Even if the malware is later discovered and removed, the backdoor remains.

8
Q

Trojan

A

Like a trojan horse, typically looks like something beneficial, but it’s actually something malicious, such as installing a backdoor onto a user’s system.

A Trojan can come as pirated software, a useful utility, a game or something else that could entice a user to download or try. Attackers also have used drive-by-downloads to deliver Trojans.

In a drive-by-download, web servers include malicious code that attempts to download and install itself on user computers after the user visits. Steps:
1. Attackers compromise a website to gain control of it.
2. Attackers install a Trojan embedded in the website’s code.
3. Attackers attempt to trick users into visiting the site. Sometimes, they simply send the link to thousands of users via email, that some of them click.
4. When users visit, the website attempts to download the trojan onto a user’s system.

Another Trojan is rogueware, also known as scareware, which masquerades as a free antivirus program: a popup claims it has detected malware on the system and encourages the user to install the “cleaner”, which is the actual malware.

9
Q

RAT

A

Remote Access Trojan, a type of malware that allows attackers to control systems from remote locations.

Often delivered via drive-by-downloads or malicious attachments in email. Once installed on a system, attackers can then access the infected computer at any time and install additional malware if needed.

-Often delivered as PE (Portable Executable) files, in 32-bit and 64-bit (PE64) formats. The files are frequently bundled or packed before delivery; for example, tar bundles files into an archive (a tarball) and gzip compresses it, which is where the .tar.gz extension comes from. Note that tar itself only archives; the compression comes from gzip.

10
Q

Keyloggers

A

Keyloggers attempt to capture a user’s keystrokes.

Keystrokes are stored in a file and either sent to the attacker immediately or saved until the attacker retrieves the file. Keyloggers are typically software but can also be hardware, such as a USB keylogger plugged in between the keyboard and the computer.

2FA limits the damage: a captured password alone is no longer enough to log in. It does not stop the capture itself, and a one-time code typed on the keyboard is captured too (and is usable until it expires), so 2FA is a mitigation, not a cure.

11
Q

Spyware

A

Software installed on a users’ systems without their awareness or consent with the purpose of monitoring the user’s computer and the user’s activity.

Spyware can take some level of control over the user’s computer to learn information and send the information to the third party.

12
Q

Rootkit

A

A rootkit is a group of programs (or maybe a single program) that hides the fact that the system has been infected or compromised by malicious code.

A user might suspect something is wrong but antivirus scans and other checks indicate everything is fine because the rootkit hides its running processes to avoid detection.

In addition to modifying internal OS processes, rootkits also often modify system files and the Windows Registry, and can even modify system access controls.

13
Q

Botnet

A

A group of zombie computers controlled by attackers, and computers in a botnet check in with command and control servers periodically for instructions. Frequently used for DDoS attacks.

Bot = software robot
Bot herder = criminals who manage botnets.

Attackers use command and control resources to control infected computers. Once infected with malware the malware then attempts to connect to a command and control resource for instructions.

14
Q

Ransomware

A

A specific type of Trojan. Ransomware attackers take control of computers or networks and lock users out.

With cryptomalware, attackers encrypt the data on computers within the network to prevent access.

In both cases the attackers then demand that the user or organization pay a ransom to regain access to the data.

15
Q

PUP

A

Potentially Unwanted Programs: programs that a user may not want, even if they consented to download them (often bundled with something else).

Some of these unwanted programs are legitimate, but some are malicious, such as browser hijackers that can change the user’s browser settings without the user’s clear consent.

16
Q

Fileless virus

A

Also called fileless malware, is a type of malicious software that runs in memory (most malware is a file written to disk). Can be successful at bypassing anti-malware programs.

They use:
-Memory code injection
-Script-based techniques
-Windows Registry manipulation

17
Q

Potential indicators of attack

A

-Extra traffic
-Data exfiltration
-Encrypted traffic
-Traffic to specific IPs
-Outgoing spam
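
Cards 13 and 17 together describe something a defender can actually check: bots contact their command and control server on a timer, and traffic to specific (known-bad) IPs is an indicator of attack. The following is an added example, not code from the flashcards or from any product. It runs two detections over a constructed outbound connection log: regularity of inter-connection gaps (beaconing) and a match against a hypothetical indicator list `KNOWN_C2`. The log lines, host names and IPs are made up for the example.

```python
"""Added example: spotting botnet check-ins and known-bad destinations in
outbound connection logs. Not part of the flashcards."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): timestamp, source host,
# destination IP, bytes sent. ws-17 talks to 203.0.113.9 every ~5 minutes.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ws-17 203.0.113.9 512
2024-03-01T10:00:11 ws-17 198.51.100.20 30411
2024-03-01T10:05:01 ws-17 203.0.113.9 520
2024-03-01T10:10:00 ws-17 203.0.113.9 508
2024-03-01T10:14:59 ws-17 203.0.113.9 515
2024-03-01T10:20:00 ws-17 203.0.113.9 511
2024-03-01T10:25:01 ws-17 203.0.113.9 509
2024-03-01T10:02:13 ws-04 198.51.100.20 1200
2024-03-01T10:31:40 ws-04 198.51.100.21 900
2024-03-01T11:12:05 ws-04 198.51.100.20 4800
"""

# Hypothetical threat-intel indicator list (an assumption for the example).
KNOWN_C2 = {"203.0.113.9"}


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose connections recur at near-constant intervals.

    Human browsing produces irregular gaps; a bot polling its C2 on a timer
    produces gaps whose standard deviation is a small fraction of the mean.
    Returns {(src, dst): mean_interval_seconds}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


def blocklist_hits(events, blocklist):
    """Return the (src, dst) pairs that contacted a destination on the blocklist."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in blocklist})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(evts))
    print("blocklist hits:", blocklist_hits(evts, KNOWN_C2))
```

The beacon check needs no indicator list at all, which is its value: it catches a C2 server nobody has reported yet. Real malware adds random jitter to its sleep interval, so in practice `max_jitter` has to be tuned against normal traffic (software update checks also beacon) and the result treated as a lead to investigate, not a verdict.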

18
Q

Social engineering

A

the practice of using social tactics to gain information. Often low tech and encourages individuals to do something they wouldn’t normally, using:
-Flattery
-Position of authority
-Impersonating someone like a technician
-Tailgating

19
Q

Zero day

A

A zero day vulnerability is a vulnerability or bug that is unknown to trusted sources such as the OS or antivirus vendors, so no patch or signature exists for it yet. Attackers who know about it can exploit it until the vendor learns of it and releases a fix.

20
Q

Watering hole attack

A

Attempts to discover which websites a group of people are likely to visit and then infects those websites with malware that can infect the visitors. The attacker’s goal is to infect a website that users trust already, making them more likely to download infected files.

Like a lion waiting at a watering hole for prey to come to it.

Attackers hang around a site that they know employees of the target organization visit.

When the employees visit it, the site attempts to download malware onto the employee systems.

Watering hole attacks often use exploits for zero day vulnerabilities, so the visiting systems are unlikely to be patched against them, giving a better chance of infecting the ultimate target. APTs have used this method to infiltrate high profile targets.

21
Q

Typo squatting

A

Also called URL hijacking, occurs when someone buys a domain name that is close to a legitimate domain, for malicious purposes: hosting a malicious website, earning ad revenue, reselling the domain.
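
The defensive counterpart of typosquatting is to enumerate the one-keystroke misspellings of your own domain (to register or watch them) and to score newly seen domains by edit distance. The block below is an added example, not code from the flashcards or from any registrar tool. `NEW_REGISTRATIONS` is a constructed list; `example.com` is the assumed legitimate domain.

```python
"""Added example: generating and scoring typosquatting candidates for a
legitimate domain. Not part of the flashcards."""
import string


def typo_variants(domain):
    """Generate domains one keystroke away from `domain` (omission, doubled
    letter, single substitution, adjacent transposition), keeping the TLD."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                        # omission
        variants.add(name[:i] + ch + ch + name[i + 1:])              # doubled letter
        for c in string.ascii_lowercase + string.digits:
            if c != ch:
                variants.add(name[:i] + c + name[i + 1:])            # substitution
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition
    variants.discard(name)
    return {v + "." + tld for v in variants if v}


def osa_distance(a, b):
    """Optimal string alignment (Damerau-Levenshtein) distance, so that a
    transposition such as exmaple/example counts as one edit, not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_score(legit, candidate):
    """Edits on the registrable name, plus one if the TLD differs (example.co)."""
    lname, _, ltld = legit.rpartition(".")
    cname, _, ctld = candidate.rpartition(".")
    return osa_distance(lname, cname) + (0 if ltld == ctld else 1)


def flag_lookalikes(legit, candidates, max_score=1):
    """Return (candidate, score) for every candidate within max_score of legit."""
    hits = []
    for c in candidates:
        if c == legit:
            continue
        score = lookalike_score(legit, c)
        if score <= max_score:
            hits.append((c, score))
    return sorted(hits)


# Constructed list of newly seen domains (made up for the example).
NEW_REGISTRATIONS = [
    "exmaple.com", "examp1e.com", "example.co", "exampel.net",
    "examplle.com", "unrelated.org", "example.com",
]

if __name__ == "__main__":
    print(flag_lookalikes("example.com", NEW_REGISTRATIONS))
```

Plain Levenshtein distance counts the swapped letters in exmaple as two edits, which is why the scorer uses the optimal-string-alignment variant; transposition is the most common real typo. Homoglyph domains (rn for m, Cyrillic letters) are a different problem and need a confusables table rather than edit distance.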

22
Q

Pretexting and Prepending

A

Pretexting: a pretext is a fictitious scenario added to a conversation to make a request more believable.
EXAMPLE: a social engineer states he works with a known vendor and claims there’s a problem with some of the applications, then follows this with a request for information on the products the company uses, in order to trick an employee into giving up information.

Prepending simply means adding something to the beginning of something else, such as prepending the subject, header or body of an email with additional data. Mail gateways do this legitimately with tags like [EXTERNAL]; attackers do it with tags like [SAFE] so that a malicious message looks as if it has already been vetted.

23
Q

Spam, SPIM

A

Spam: unwanted or unsolicited email; sometimes harmless advertising, sometimes something malicious.

SPIM: spam over instant messenger

24
Q

Phishing, spear phishing, whaling

A

Phishing: the practice of sending email to users with the purpose of tricking them into revealing personal information or clicking on a link. Sometimes called malicious spam. Links within the email can also lead unsuspecting users to install malware.

Spear phishing: targeted phishing. Instead of sending the email out to everyone indiscriminately, a spear phishing attack targets specific groups of users, or even a single user, often employees at a company or customers of a company.
-EX: impersonating the CEO of a company and requesting that fellow users reply with their password. Digitally signed email lets recipients verify who actually sent a message, which helps defeat this kind of impersonation.

Whaling: a form of spear phishing that targets high level executives, like a CEO or CFO, either by impersonating them to their staff or by phishing the executives themselves, for example with a message that pretends to come from the IRS.

25
Q

Vishing

A

Phishing over the phone (voice).

26
Q

Smishing

A

Phishing via SMS (text messages).

27
Q

Blocking malware and other attacks

A

-Spam filter on mail gateways

-Anti-malware software on mail gateways and on all systems

-Boundary devices (like a UTM) and firewalls

28
Q

Antivirus and Anti-Malware Software

A

Antivirus software detects and removes malware, such as viruses, trojans and worms.

Signature-based antivirus detects malware by matching it against signature definitions of known samples, while heuristic-based software detects previously unknown malware based on its behavior.

Some antivirus scanners use FILE INTEGRITY MONITORS to detect modified system files: they calculate hashes of system files as a baseline and periodically recalculate them, flagging any file whose hash has changed.

29
Q

Cuckoo sandbox

A

Open source automated malware analysis system whose primary purpose is to analyze suspicious files, such as suspected malware. It is not done in real time: you submit a file to it, it runs the file inside an isolated VM, and it produces a report on the file’s activity (files written, registry changes, processes started, network connections).

30
Q

Social engineering techniques

A

-Authority
-Intimidation
-Consensus
-Scarcity
-Familiarity
-Trust

31
Q

OSINT

A

Open source intelligence: threat information gathered from publicly available sources.

Threat intelligence sources and sharing mechanisms commonly listed alongside OSINT (not all of them are strictly open source) include:
-Vulnerability databases
(such as NVD and CVE)

-Trusted Automated eXchange of Indicator Information (TAXII): the transport protocol used to exchange threat intelligence.

-Structured Threat Information eXpression (STIX): the structured language/format that describes the threat intelligence TAXII carries.

-Automated Indicator Sharing (AIS): the US DHS/CISA program that uses STIX and TAXII to exchange indicators between government and private organizations.

-Dark web

-Public/private information sharing centers (such as ISACs)

-IOCs (indicators of compromise)

-Predictive analysis

-Threat maps

-File/code repositories
