Chapter 7 - Protecting Against Advanced Attacks Flashcards
Attack Frameworks
Used to identify the tactics, techniques, and procedures (TTPs) used by attackers.
Cyber kill chain
Tactics, techniques, and procedures used to disrupt a system or network.
1. Reconnaissance, 2. Weaponization, 3. Delivery, 4. Exploitation, 5. Installation, 6. Command and Control (C2), 7. Actions on Objectives.
Reconnaissance
Researching and identifying a selected target.
Weaponization
Delivering malware via a payload, such as putting a remote access Trojan into an MS Word document.
Delivery
The payload is delivered to the target via email or USB.
Exploitation
After the payload is delivered, the weapon is triggered and activated to exploit a vulnerability within an application or operating system.
Installation
The payload installs a remote access Trojan within the system to allow the attacker to remain present.
Command and Control (C2)
The infected system talks back to a malicious web-based server, allowing the attacker to gain full control over the affected system.
Actions on Objectives
At this point the attacker can do whatever they want: install ransomware, steal data, or render the system useless.
Diamond Model of Intrusion Analysis
Uses four key components in an attempt to understand an attacker: Adversary, Capabilities, Infrastructure, and Victim.
“Every intrusion event has an adversary that uses a capability across an infrastructure against a victim.”
Adversary
Identity: user names, email addresses, names on forums or social media.
Capabilities
The malware, exploits, and other tools used to hack and compromise the system.
Infrastructure
The internet domain names, email addresses, and IP addresses used by the attacker(s).
Victims
Can be identified by their names, email addresses, or network identifiers.
MITRE ATT&CK
A matrix of ten tactics and the techniques attackers use to achieve each:
initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection and exfiltration, and command and control.
What is DDoS?
Distributed Denial of Service (DDoS): This is when a network of bots (machines hijacked over the internet) directs increased traffic at a target to overwhelm its servers, causing resource exhaustion and making it unable to respond to legitimate clients.
What is a SYN Flood attack?
SYN Flood attack: This is when a threat actor initiates a TCP 3-way handshake with the target server, first sending it a SYN packet. The targeted server responds with a SYN/ACK packet, but the threat actor never completes the handshake by sending the final ACK packet. Rather, they create a never-ending loop by sending another initial SYN packet, and the server continues to respond with a SYN/ACK. This is a DoS or DDoS attack as it looks to exhaust resources.
What is Spoofing?
Spoofing is the act of impersonating someone or something else. One form is MAC spoofing, where a threat actor uses a MAC address within the network in order to pretend they are legitimate. If this works, they are now able to receive all traffic intended for the authorized user. The same can happen with email addresses and IP addresses.
What is an On-Path attack?
An on-path attack is any attack in which the threat actor is able to intercept and/or eavesdrop on the communication between two communicating parties. This is also known as a man-in-the-middle attack or man-in-the-browser attack.
What is a Secure Socket Layer (SSL) Stripping attack?
An SSL stripping attack is an encryption downgrade attack where a secure connection is downgraded to an unsecured connection because the algorithm providing the encryption is compromised. An example of SSL stripping is turning HTTPS connections into HTTP connections.
What is an ARP poisoning attack?
Simply put, ARP poisoning is when an illegitimate user responds to an ARP broadcast with a spoofed or bogus MAC address. ARP will associate the IP address with the spoofed MAC address, so traffic for that IP address will now be bound for the spoofed MAC address.
What is an ARP On-Path Attack?
An ARP on-path attack occurs after the successful poisoning of the ARP cache. The threat actor can now be on-path for communication within the network or for communications leaving the network.
What is an ARP DoS Attack?
An ARP DoS attack can again be carried out after a successful ARP poisoning attack. If the threat actor spoofs the MAC address of the router, they can deny communications from ever leaving or entering the network.
What is a MAC flooding attack?
A MAC flooding attack happens when the memory table of a switch becomes overwhelmed with the new MAC addresses it stores. After a while, the switch has no more room to store new MAC addresses and starts behaving like a hub, broadcasting traffic to the entire network because it can no longer direct traffic to a specific MAC address.