Chapter 7 Protecting against advanced attacks Flashcards
What are the steps of a cyber kill chain?
Taking the target down:
- Reconnaissance (researching, identifying and selecting the target)
- Weaponization (malware, RAT, etc.)
- Delivery (attachment, email, etc.)
- Exploitation (triggering the exploit of an application or OS vulnerability)
- Installation (installs a backdoor)
- Command & Control (attackers gain remote access)
- Actions on Objectives (achieving their ultimate goals)
Name and describe the model that includes four components of every intrusion event.
The Diamond Model. It describes four things required for an intrusion event:
- the adversaries (organization or threat actor)
- the capabilities (malware, exploits, tools)
- the infrastructure (physical or logical communication structures employed by the adversary to deliver a capability)
- the victims (targets to be exploited: organizations, assets, people)
MITRE ATT&CK?
A knowledge base of tactics and techniques used in real-world attacks, presented as a matrix. It is maintained by MITRE, a not-for-profit organization.
What are three attack frameworks?
Cyber Kill Chain, Diamond Model of Intrusion Analysis, MITRE ATT&CK framework.
How do DoS and DDoS attacks differ?
DoS: one attacker against one target.
DDoS: two or more computers against a single target (or organization). The goal in both is resource exhaustion.
What are some ways resource exhaustion might occur?
A DoS or DDoS attack may target memory, processor usage, or network traffic, driving consumption to abnormally high levels.
How does a SYN flood attack work as a DoS/DDoS method?
It disrupts the TCP handshake process, preventing others from connecting. The handshake is never completed because SYNs are the only thing being sent (the final ACK never arrives), so half-open connections are left open and consume resources.
How might spoofing be used to launch an attack?
Like email addresses, IP addresses can be spoofed. The attacker changes the source IP address of a packet so it looks like it came from somewhere else. Similarly, a MAC address may be changed via software.
Maggie is sending information to Bart, but there is a longer delay than usual and there is also a warning regarding the certificate. What is the most likely explanation?
An on-path attack: the attacker is intercepting the traffic by inserting themselves into the connection, decrypting it (possibly) and re-encrypting it before passing it on.
Secure socket stripping or downgrade attacks?
Reducing HTTPS to HTTP. The attacker intercepts the beginning of the TLS negotiation and redirects the client to HTTP instead of HTTPS.
What Layer 2 attack is related to poisoning, and how does it work?
ARP poisoning. The attacker crafts an ARP reply packet with a spoofed or bogus MAC address, poisoning the victim's ARP cache. Because the victim's ARP cache now holds a different entry, traffic goes to the switch, then to the on-path attacker, who may decrypt it before forwarding it on to the router.
How might ARP be used to DoS a system?
The ARP reply (normally the computer that owns the requested IP address responding with its MAC address) is forged so that the default gateway maps to a different MAC address and is therefore not reached.
ARP request vs. ARP reply?
An ARP request broadcasts a message asking, "Who has this IP address?" The ARP reply is the computer that has that IP address responding with its MAC address.
How would you cause a flooding attack on a switch?
Barrage it with MAC addresses. The switch runs out of memory and starts broadcasting data to all ports, where it can be captured with a protocol analyzer. A flood guard (which limits the number of MAC addresses the switch will learn) prevents this.
Normal vs. reverse DNS lookup? What might it be useful for?
Normal: a website name is sent to DNS and queried for its IP address; the client then connects via that IP.
Reverse: an IP address is sent to DNS to find its name.
If someone is using a spoofed computer name, a lookup that returns a different name is suspicious.
What is the name of an attack DNSSEC prevents?
DNS poisoning. DNSSEC ensures records are authentic and have not been changed.
What attack shares similarity with DNS poisoning?
DNS pharming attacks. They also redirect users to different websites by corrupting the DNS server or the client.
What is a DNS sinkhole used for?
Redirecting traffic away from malicious sites, disrupting botnets, etc. It is a server configured to hand out different IP addresses for certain domains.
What are DNS log files and why are they useful?
They record DNS queries and the IP address that requested them. If malware is present, the logs give the full history of DNS queries, much like a browser history.
How do systems prevent replay attacks?
Timestamps and session IDs / sequence numbers, similar to Kerberos.