Chapter 6 Threats, vulnerabilities & attacks.

Question 1

An attack by a nation state/government which is highly organized? what are they called and their goals?

Answer 1

State actors, advanced persistent threat. They have specific goals, propaganda, information seeking, secrets etc. Not really money.

Question 2

Hacktivist primary reason

Answer 2

Activism, further a cause

Question 3

Black vs white vs grey hat

Answer 3

Black - unauthorized hacker committing crime
White - authorized hacker, pen tester
grey semi authorized, good intentions but may cross a line like a hacktivist.

Question 4

What is an insider threat?

Answer 4

someone who has access to internal resources which could lead to data exfiltration

Question 5

Motivations of a competitor?

Answer 5

economic gain/competition/stealing propriety information

Question 6

Unauthorized applications or actions within a company are called

Answer 6

Shadow IT

Question 7

Define a virus

Answer 7

malicious code that attaches itself to an application, must be executed in order to run. Tries to replicate and attach to other files. At some point delivers its payload. May delete files, reboot, join botnet etc.

Question 8

Define a worm

Answer 8

Travels through a network, doesn’t need an application or user interaction (like viruses do), resides in memory, consumes network bandwidth, self-replicating.

Question 9

What is the hallmark of a logic bomb?

Answer 9

executes depending on a certain condition that is met.

Question 10

Hall mark of a trojan and what is a RAT?

Answer 10

Appears to be something useful or enticing but is actually something else. Includes a malicious component, such as installing a backdoor. RAT is a remote access trojan, allows attackers to control from a remote location, or send keylogs to remote locations.

Question 11

What about spyware? what does it do

Answer 11

it can monitor users information and behaviours, may include a keylogger and send this information, used for impersonation, advertising etc.

Question 12

Hallmarks of a rootkit? how does it avoid detection?

Answer 12

Hides in the system, avoids detection, access to the root/kernal installs hooks into memory prevents antivirus software making calls to the OS, they hide their processes in RAM

Question 13

A trojan that locks people out of their resources? why?

Answer 13

Ransomware, cryptomalware. To demand a ransom usually.

Question 14

Define hallmarks PUP

Answer 14

potentially unwanted programs. may be legit, maybe not, some may be malware, spyware etc.

Question 15

How might fileless viruses work?

Answer 15

running in memory, might work via memory code injections, script-based techniques such as powershell, registry manipulation, may be embedded in other files.

Question 16

What are indicators of malware?

Answer 16

Increased network traffic (to specific unknown IPs), data exfiltration (may be encrypted, may not), outgoing spam,

Question 17

Common hallmarks of social engineering?

Answer 17

Flattery, authority, impersonation, tailgating, using a I know someone/common grounds. Shoulder surfing can be apart of it

Question 18

What is a Hoax?

Answer 18

often through email, impending doom, can be very damaging, waste time, aren’t real. Ï have these naked pictures of you, send me bitcoin”

Question 19

Water hole attack?

Answer 19

in a common place, can be a website, cafe,

Question 20

Typosquatting, pretexting, prepending

Answer 20

changing the URL to look similar, pretexting - adding a pretext to a situation to try and elicit information/request, prepending is the same

Question 21

Invoice scams

Answer 21

Trick you into paying a fake invoice

Question 22

Credential harvesting

Answer 22

techniques used to gather credentials, fake login page etc. Key loggers

Question 23

OSIT gathering: social engineering what is it?

Answer 23

reconnaissance,

Question 24

Hybrid warfare?

Answer 24

Use of social media (or other means) to spread misinformation (may be used by state actors? propaganda?)

Question 25

You see a large amount of encrypted data leaving the network, is this cause for concern and why?

Answer 25

Yes, it may be being encrypted to bypass DLP software, it is a sign of an infection/attack

Question 26

Spear phishing vs whaling

Answer 26

Spear phishing involves the direct targeting of people, or a specific group, possibly a workforce, impersonating the CEO etc. Whaling targets someone high up, such as the CFO

Question 27

What does a file integrity monitor do?

Answer 27

checks that the integrity ( or baseline ) of files hasn’t changed. It first calculates their hashes at baseline and periodically recalculates the hashes. Many times this can help detect rootkits.

Question 28

What is a good piece of software for checking virus / malware activity?

Answer 28

Cuckoo sandbox, run in a sandbox, see what it does over time.

Question 29

Steps of social engineering that work well?

Answer 29

Authority, intimidation, consensus (does every testimony say its safe?), scarcity (limited quantity of an item that is running out), urgency similar, may have a countdown timer for this limited product. Familiarity (who is endorsing it, or does this person have a mutual friend?), trust (we are experienced, from XYZ company).

Question 30

OSINT of threat searching?

Answer 30

OSINT - Open source, includes threat databases such as TAXII (trusted automated exchange of indicator information), NVD (national vulnerability database), CVE (Common vulnerabilities and exposures), STIX (structured threat information exchange), AIO (Automated indicator sharing - which uses both TAXII and STIX), Dark web, public & private information centres, IoC (indicators of compromise, alerts from antivirus etc), Predictive analysis, Threat maps, file/code repositories,

Question 31

Additional resources for finding out threats?

Answer 31

Vendors, conferences, journal articles, industry groups, RFC and social media

Question 32

What is malware?

Answer 32

includes malicious ware/code, viruses, worms, logic bombs, backdoors, trojans, ransomware, rootkits & more.

Question 33

What is a virus?

Answer 33

Malicious code - attaches itself to a host application. Runs when host runs.

Question 34

Define a worm?

Answer 34

self-replicating malware (doesn’t need host), travels throughout network without user intervention

Question 35

A trojan?

Answer 35

Appears to be one thing, is actually another.

Question 36

What virus is commonly known to use powershell scripts? what is one other thing they do?

Answer 36

Fileless virus, hides in memory.

Question 37

Hoax?

Answer 37

something circulated, impending doom, doesn’t actually exist.