Chapter 7 Protecting against advanced attacks Flashcards

1
Q

What are the steps of a cyber kill chain?

Taking the target down

A
  1. Reconnaissance (researching identifying and selecting the target)
  2. Weaponization (malware, RAT etc)
  3. Delivery (attachment, email etc)
  4. Exploitation (Triggering the exploit of an application or OS vulnerability)
  5. Installation (installs backdoor)
  6. Command & Control (attackers gain access)
  7. Actions on Objectives (Achieving their ultimate goals)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Name the model and describe it that includes four components of every intrusion event?

A

The diamond model. It describes four things required,

the adversaries (organization or threat actor)

the capabilities (malware, exploits, tools)

the infrastructure (physical or logical communication structures employed by the adversary to deliver a capability),

the victims (target to be exploited, organizations, assets, people)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

MITRE ATT&CK?

A

knowledge base of tactics and techniques used in real world attacks. It is considered a matrix. of A not for profit organization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are three attack frameworks?

A

Cyber kill chain, Diamond model of intrusion analysis, Mitre att&ck framework.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How does a DoS and DDoS attack differ?

A

DoS one attacker against one target
DDoS is two or more computers against a single target (or organization). The goal in both is resource exhaustion.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are some ways resource exhaustion might occur?

A

In a DoS or DDoS attack it may target memory, or processor usage, or network traffic resulting in abnormally high amounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

How does a syn flood attack work as a DoS/DDoS method?

A

It disrupts the TCP handshake process, preventing others from connecting. The handshake is never completed as SYN’s are the only things being sent. Connections are left open.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

how might spoofing be used to launch an attack?

A

Like email addresses IP addresses can be spoofed. The attacker changes the source IP packet so it looks like it came from somewhere else. Similarly, the MAC may be changed via software.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Maggie is sending information to bart but there is a delay, more than usual, it also seems there is a warning regarding the certificate, what is the most likely thing?

A

On-path attack, attacker is intercepting the traffic by having a connection, decrypting it (possibly) and encrypting it again.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Secure socket stripping or downgrading attacks?

A

reducing HTTPS to HTTP. Attacker intercepts beginning of TLS negotiation, redirects to HTTP instead of HTTPS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Layer 2 attack, related to poisoning and how it works?

A

ARP poisonings, ARP - Attacker recreates ARP reply packet with spoofed or bogus MAC address, poisoning the cache. the victim’s ARP cache includes a different entry, it goes to the switch, then to the on-path attacker, who may decrypt it, send it back to the router.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

How might ARP be used to DoS a system?

A

The reply (the computer responding to the ARP request, responds with their MAC address) is forged so the default gateway is different and thus not reached.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

ARP request vs ARP reply?

A

ARP request broadcasts a message, asking, who has this IP address? the ARP reply includes the computer (who has the IP address) to respond with it’s mac address.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

How would you cause a flooding attack on a switch?

A

Barrage it with MAC addresses. Switch runs out of memory and starts broadcasting data to all ports which can be accessed using a protocol analyzer. A flood guard (limits MACs per switch) prevents this.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Normal vs reverse DNS look up? what might it be useful for?

A

Normal - a website name is sent to DNS. Queried for it’s IP address. Connect via IP.
Reverse- an IP is sent to the DNS to find it’s name.
If someone is using a spoofed computer name, when it is looked up and found to be different it is suspicious.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the name of an attack DNNSEC prevents?

A

DNS poisoning attack. Ensures records are authentic and have not changed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What attack shares similarity with DNS poisoning?

A

DNS pharming attacks. Also redirect users to different websites by corrupting the DNS server or client.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

DNS Sinkhole is used for?

A

Redirecting traffic away from malicious sites. Destroying botnets etc. It is a server configured to hand out different IPs for different domains.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are DNS log files and why are the useful?

A

record DNS queries and the IP that requested them - if malware is present it can identify all the history of DNS queries. Like computer history.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

How do systems prevent replay attacks?

A

timestamps & session IDs / sequence numbers similar to kereboros.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What is the purpose of OWASP?

A

Open web application security project to improve the security of web applications that produce free tools, documentation, methodologies and technologies.

22
Q

How does code reuse and deadcode fit into secure application development and deployment?

A

Users should always try to reuse code - as its already likely been through deployment it prevents future bugs + saves time.

Deadcode however is never used or executed (and to be avoided),

23
Q

Name a popular method of code reuse and its function?

A

SDK(third party libraries software development kits), like javascript libararies, tested code etc. Usually tied to a single vendor.

24
Q

What is input validation and what does it lead to if unchecked? ( List 4 examples )

A

the process of checking data before it is used. Prevents an attacker sending malicious code across web applications. Attacks, buffer overflow, SQL injection, DLL injection, XSS.

25
Q

What does input validation look like?

A

Blocking improper characters (only allows numbers in this field)
Blocking HTML code - no embedded html code.
Prevent special characters
implement boundary/ranged checking - max product purcahse 1 per customer, not allowing 2.

26
Q

Locations that input validation can occur and difference?

A

client-side occurs on the client, input validation comes with html page. Less secure but quicker (disabling java script can work around this)
Server-side occurs on the server, takes longer, more secure.

27
Q

What is a race condition and how is it avoided?

A

two or more resources accessed (or met) at the same time leading to a conflict/shut down/error. WRiting proper code to prevent two processes occuring simultaneously.

28
Q

Key for good errors? what happens with bad error input?

A

errors shown need to be general & detailed information logged not shown. Improper error handling gives attackers information about the system they can exploit.

29
Q

How to perform code obfuscation and why?

A

rename variables, replace numbers with expressions, remove comments etc. Slow down people copying, understanding and exploiting any code they find

30
Q

What is the concept of using different compliers in code?

A

software diversity, creates a exe that could be written in (native language) and any other languages.. It also adds randomness, allowing it to work differently on different computers.

31
Q

What is code signing used for?

A

authenticating and validating software code, devs purchase a certificate, assign it to the code. It is now digitally signed and a hash verifies it hasnt changed.

32
Q

How is code analyzed and tested for security? list 4 ways.

A

Static analysis (without executing - may be done by hand or automated tools)
Manual code review (static, but not done by the writer)
Dynamic code analysis (viewing code as it is running, may use fuzzing which inputs random data during it)
Sandboxing

33
Q

Describe the stages of secure development environments

A
  1. Development - isolated environment
  2. Test - not a full production environment but includes more hardware and software
  3. Staging - simulates prod environment, a replica.
  4. Production - goes live in prod,
  5. QA - Ongoing process throughout the lifetime, ensures app maintains high level of quality,
34
Q

What is normalization?

A

the ongoing improvement and refining of redunant and important data in databases. There are 3 normal forms. Each defining a format and improving databases

35
Q

What and how do SQL queries work?

A

Searching in a search bar creates a request to an SQL database, the results retrieved and formatted into a website page.

36
Q

User tries SQL injection, enters a commend, but the database is using stored procedures, how does this prevent it?

A

User inputs, it is passed to server, stored procedures are groups of SQL statements that execute as a whole, users input is passed to this stored procedure which executes instead (and this performs data validation).

37
Q

with regards to software / app development what is provisioning and deprovisioning?

A

provision - to prepare and config to launch on different devices and use different application services. (allow use of X in this app)
Deprovision - to remove and delete all associated data.

38
Q

Why are powershell scripts used for attacks? how to find and what to look for? what to look for bash scripts? and python?

A

they can create batch files (.bat) to run multiple commands, and .ps1 files that do the same. They have access to microsoft component object model and windows management instrumentation. Fileless viruses often use powershell. Best way to detect it to view logs looking for cmdlets “Get, add, new find” etc and nouns - command, service, location, process etc. Verb-noun combinations. Get-commands.
Bash, similar, calls to “bash” important to look for.
python .py or .pyc files

39
Q

What are web servers vulnerable to and why? and applications? not a list just a reason.

A

Webservers accept input (so buffer overflow sql injection), applications have vulnerabilities.

40
Q

What is a memory leak?

A

A bug that causes an application to use more and more memory the longer it runs. An application might reserve memory for short term use but never release it. System might run slower and slow until it is rebooted.

41
Q

What is a buffer overflow?

A

Programs have a buffer of memory they can access, assigned to them. If this buffer overflows, memory not allocated can be accessed and written malicous code into it.

42
Q

What other types of injections are there? ways to avoid it?

A

DLL, LDAP, and XML injections. Proper input validation

43
Q

What is a primary indication of an XML attack? and what does a mark up language do?

A

creation of unwanted accounts. It describes the layout/format and is used for transferring data.

44
Q

Give an example of a directory transversal

A

Changing the path, say it is C/Programfiles/Userdocuments/Public, transversal would be changing public to private to see if it works. Input validation helps.

45
Q

Reflected(non-persistent) vs Stored(persistent) XSS?

A

Reflected - it is reflected back, the malicious code is sent to user to click on, click it and it sends malicious code to the server so that is reflects it back to the user.
Stored/persistent - Instead of sending malicious code to the server, it is already stored in the database or trusted location.

46
Q

cross-site request forgery, how does it work?

A

The attacker tricks a user into performing an action on a website using a specially crafted HTML link. User performs action without realizing it. It takes advantage of the user already authenticating - stored information in the cookie or cache.

47
Q

Serverside vs client side request forgeries?

A

Serverside - taking advantage of server requests, such as using API or any other external URLs to formulate the webpage data. Injecting malicious code into these. This results in an attack on the server, possibly accessing organizational data. On the other hand, an SSRF attack primarily targets the backend server to read or update internal resources from an external network

Clientside - Directly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. Things such as cookies that the server reads FROM the client. I am unsure if this targets the client or webpage directly. Possibly both.

48
Q

Why use a shim? how can this be directed towards malicious intent

A

Shimming is the process of writing code to make a system believe the older driver version is compatible, developers may write a shim to make it compatible again. However, this can also be used to fool the operating system into running a manipulated driver with malicious code. This is driver manipulation tactics.

49
Q

What does adversial artificial intelligence do? Strategies to help? and precautions to take?

A

attempts to trick AI models by providing it deceptive data when successful can perform an error or malfunction in the AI. A strategy might include using tainted data to provide the unexpected, precaution is to keep these algorithms propriety.

50
Q
A