Chapter 7 - Protecting Against Advanced Attacks Flashcards

1
Q

Attack Frameworks

A

Used to identify the tactics, techniques, and procedures used by attackers.

2
Q

Cyber kill chain

A

Tactics, techniques, and procedures used to disrupt a system or network.

  1. Reconnaissance, 2. Weaponization, 3. Delivery, 4. Exploitation, 5. Installation, 6. Command and Control (C2), 7. Actions on Objectives.
3
Q

Reconnaissance

A

Researching and identifying a selected target.

4
Q

Weaponization

A

Delivering malware via a payload, such as embedding a remote access Trojan in an MS Word document.

5
Q

Delivery

A

The payload is delivered to the target via email or USB.

6
Q

Exploitation

A

After the payload is delivered, the weapon is triggered and activated to exploit a vulnerability within an application or operating system.

7
Q

Installation

A

The payload installs a remote access Trojan on the system to allow the attacker to remain present.

8
Q

Command and Control (C2)

A

The infected system talks back to a malicious web-based server, allowing the attacker to gain full control over the affected system.

9
Q

Actions on Objectives

A

At this point the attacker can do whatever they want: install ransomware, steal data, or render the system useless.

10
Q

Diamond Model of Intrusion Analysis

A

Uses four key components in an attempt to understand an attacker: Adversary, Capabilities, Infrastructure, and Victim.

“Every intrusion event has an adversary that uses a capability across an infrastructure against a victim.”

11
Q

Adversary

A

Identity: user names, email addresses, names on forums or social media.

12
Q

Capabilities

A

The malware, exploits, and other tools used to hack and compromise the system.

13
Q

Infrastructure

A

The internet domain names, email addresses, and IP addresses used by the attacker(s).

14
Q

Victims

A

Can be identified by their names, email addresses, or network identifiers.

15
Q

MITRE ATT&CK

A

A matrix of ten tactics and the techniques attackers use to achieve each:

initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection and exfiltration, and command and control.

16
Q

What is DDoS?

A

Distributed Denial of Service (DDoS): This is when a network of bots (machines hijacked over the internet) directs increased traffic at a target to overwhelm its servers, causing resource exhaustion and making it unable to respond to legitimate clients.

17
Q

What is a SYN Flood attack?

A

SYN Flood attack: This is when a threat actor initiates a TCP 3-way handshake with the target server, first sending it a SYN packet. The targeted server responds with a SYN/ACK packet, but the threat actor never completes the handshake by sending the final ACK packet. Rather, they create a never-ending loop by sending another initial SYN packet, and the server continues to respond with a SYN/ACK. This is a DoS or DDoS attack, as it looks to exhaust resources.

18
Q

What is Spoofing?

A

Spoofing is the act of impersonating someone or something else. One form is MAC spoofing, where a threat actor uses a MAC address within the network in order to pretend they are legitimate. If this works, they are able to receive all traffic intended for the authorized user. The same can happen with email addresses and IP addresses.

19
Q

What is an On-Path attack?

A

An on-path attack is any attack in which the threat actor is able to intercept and/or eavesdrop on the communication between two communicating parties. This is also known as a man-in-the-middle attack or man-in-the-browser attack.

20
Q

What is a Secure Socket Layer (SSL) Stripping attack?

A

An SSL stripping attack is an encryption downgrade attack where a secure connection is downgraded to an unsecure connection because the algorithm providing the encryption is compromised. An example of SSL stripping is turning HTTPS connections into HTTP connections.

21
Q

What is an ARP poisoning attack?

A

Simply put, ARP poisoning is when an illegitimate user responds to an ARP broadcast with a spoofed or bogus MAC address. ARP will associate the IP address with the spoofed MAC address, so traffic for that IP address will now be bound for the spoofed MAC address.

22
Q

What is an ARP On-Path Attack?

A

An ARP on-path attack occurs after the successful poisoning of the ARP cache. The threat actor can now be on-path for communication within the network or for comms leaving the network.

23
Q

What is an ARP DoS Attack?

A

An ARP DoS attack can again be carried out after a successful ARP poisoning attack. If the threat actor spoofs the MAC address of the router, they can deny communications from ever leaving or entering the network.

24
Q

What is a MAC flooding attack?

A

A MAC flooding attack happens when the memory table of a switch becomes overwhelmed with new MAC addresses that it stores. After a while, the switch will have no more room to store any new MAC addresses and will start behaving like a hub, broadcasting traffic to the entire network because it is unable to direct traffic to a specific MAC address.

25
Q

What is MAC Cloning?

A

MAC cloning is replacing a system's MAC address with another. It's basically like MAC spoofing.

26
Q

What is DNS Poisoning?

A

Simply put, DNS poisoning is associating an illegitimate IP address with a legitimate domain name on the DNS server. For example, linking google.com with my home IP address on a DNS server. This will allow all traffic to google.com to come to my IP address.

27
Q

What is a Pharming attack?

A

Pharming attacks are used (like DNS poisoning) to redirect users to websites they did not intend to visit. Like DNS poisoning, this can happen on a client machine or on DNS servers.

28
Q

What is URL redirection?

A

URL redirection is an attack that redirects users to different pages on a website or to a completely different site altogether.

29
Q

What is Domain Hijacking?

A

Domain Hijacking is the act of obtaining unauthorized access to a client’s domain name registration and changing the associated legitimate IP address with an illegitimate one.

30
Q

What is a DNS Sinkhole?

A

A DNS Sinkhole purposely provides incorrect results for a domain name in order to stop malicious actors from reaching a specific domain.

31
Q

What is Client-side input validation?

A

Client-side validation is the process of checking inputs on the client side before sending the input to the server to be checked again.

Client-side validation is faster than server-side validation, but it is less secure because it can be bypassed (e.g., by disabling JavaScript on a web page).

32
Q

What is a Race Condition?

A

When two or more apps attempt to access the same resource at the same time, a race condition occurs.

33
Q

What is a TOCTOU attack aka State attack?

A

Time of Check to Time of Use attacks occur in race conditions. This happens when a resource is valid at the time of check, but between the time of check and the time of use a threat actor is able to modify the resource.

34
Q

What is the difference between static code analysis and dynamic code analysis?

A

In static code analysis, the code is reviewed (manually or automatically) while at rest. In dynamic code analysis, the code is reviewed while it is running. For example, fuzzing is a method typically used to dynamically review code: random data is sent to an application to see how the underlying code behaves.

35
Q

What are the criteria for 1NF?

A

The three criteria for First Normal Form (1NF) are:
1) Each row in the data table is unique and has a distinguishable primary key
2) Related data is contained in a separate table
3) None of the columns include repeating data from other columns

36
Q

What are the criteria for 2NF?

A

The two criteria for Second Normal Form (2NF) only apply if the primary keys are composite keys:
1) The table must be in 1NF
2) Non-primary key attributes are completely and only dependent on the full primary key

37
Q

What are the criteria for 3NF?

A

The two criteria for Second Normal Form (2NF) only apply if the primary keys are composite keys:
1) The table must be in 2NF
2) All columns that are not primary key are only dependent on the full primary key