Chapter 7 Protecting against advanced attacks

Question 1

What are the steps of a cyber kill chain?

Taking the target down

Answer 1

1. Reconnaissance (researching identifying and selecting the target)
2. Weaponization (malware, RAT etc)
3. Delivery (attachment, email etc)
4. Exploitation (Triggering the exploit of an application or OS vulnerability)
5. Installation (installs backdoor)
6. Command & Control (attackers gain access)
7. Actions on Objectives (Achieving their ultimate goals)

Question 2

Name the model and describe it that includes four components of every intrusion event?

Answer 2

The diamond model. It describes four things required,

the adversaries (organization or threat actor)

the capabilities (malware, exploits, tools)

the infrastructure (physical or logical communication structures employed by the adversary to deliver a capability),

the victims (target to be exploited, organizations, assets, people)

Question 3

MITRE ATT&CK?

Answer 3

knowledge base of tactics and techniques used in real world attacks. It is considered a matrix. of A not for profit organization

Question 4

What are three attack frameworks?

Answer 4

Cyber kill chain, Diamond model of intrusion analysis, Mitre att&ck framework.

Question 5

How does a DoS and DDoS attack differ?

Answer 5

DoS one attacker against one target
DDoS is two or more computers against a single target (or organization). The goal in both is resource exhaustion.

Question 6

What are some ways resource exhaustion might occur?

Answer 6

In a DoS or DDoS attack it may target memory, or processor usage, or network traffic resulting in abnormally high amounts.

Question 7

How does a syn flood attack work as a DoS/DDoS method?

Answer 7

It disrupts the TCP handshake process, preventing others from connecting. The handshake is never completed as SYN’s are the only things being sent. Connections are left open.

Question 8

how might spoofing be used to launch an attack?

Answer 8

Like email addresses IP addresses can be spoofed. The attacker changes the source IP packet so it looks like it came from somewhere else. Similarly, the MAC may be changed via software.

Question 9

Maggie is sending information to bart but there is a delay, more than usual, it also seems there is a warning regarding the certificate, what is the most likely thing?

Answer 9

On-path attack, attacker is intercepting the traffic by having a connection, decrypting it (possibly) and encrypting it again.

Question 10

Secure socket stripping or downgrading attacks?

Answer 10

reducing HTTPS to HTTP. Attacker intercepts beginning of TLS negotiation, redirects to HTTP instead of HTTPS.

Question 11

Layer 2 attack, related to poisoning and how it works?

Answer 11

ARP poisonings, ARP - Attacker recreates ARP reply packet with spoofed or bogus MAC address, poisoning the cache. the victim’s ARP cache includes a different entry, it goes to the switch, then to the on-path attacker, who may decrypt it, send it back to the router.

Question 12

How might ARP be used to DoS a system?

Answer 12

The reply (the computer responding to the ARP request, responds with their MAC address) is forged so the default gateway is different and thus not reached.

Question 13

ARP request vs ARP reply?

Answer 13

ARP request broadcasts a message, asking, who has this IP address? the ARP reply includes the computer (who has the IP address) to respond with it’s mac address.

Question 14

How would you cause a flooding attack on a switch?

Answer 14

Barrage it with MAC addresses. Switch runs out of memory and starts broadcasting data to all ports which can be accessed using a protocol analyzer. A flood guard (limits MACs per switch) prevents this.

Question 15

Normal vs reverse DNS look up? what might it be useful for?

Answer 15

Normal - a website name is sent to DNS. Queried for it’s IP address. Connect via IP.
Reverse- an IP is sent to the DNS to find it’s name.
If someone is using a spoofed computer name, when it is looked up and found to be different it is suspicious.

Question 16

What is the name of an attack DNNSEC prevents?

Answer 16

DNS poisoning attack. Ensures records are authentic and have not changed.

Question 17

What attack shares similarity with DNS poisoning?

Answer 17

DNS pharming attacks. Also redirect users to different websites by corrupting the DNS server or client.

Question 18

DNS Sinkhole is used for?

Answer 18

Redirecting traffic away from malicious sites. Destroying botnets etc. It is a server configured to hand out different IPs for different domains.

Question 19

What are DNS log files and why are the useful?

Answer 19

record DNS queries and the IP that requested them - if malware is present it can identify all the history of DNS queries. Like computer history.

Question 20

How do systems prevent replay attacks?

Answer 20

timestamps & session IDs / sequence numbers similar to kereboros.

Question 21

What is the purpose of OWASP?

Answer 21

Open web application security project to improve the security of web applications that produce free tools, documentation, methodologies and technologies.

Question 22

How does code reuse and deadcode fit into secure application development and deployment?

Answer 22

Users should always try to reuse code - as its already likely been through deployment it prevents future bugs + saves time.

Deadcode however is never used or executed (and to be avoided),

Question 23

Name a popular method of code reuse and its function?

Answer 23

SDK(third party libraries software development kits), like javascript libararies, tested code etc. Usually tied to a single vendor.

Question 24

What is input validation and what does it lead to if unchecked? ( List 4 examples )

Answer 24

the process of checking data before it is used. Prevents an attacker sending malicious code across web applications. Attacks, buffer overflow, SQL injection, DLL injection, XSS.

Question 25

What does input validation look like?

Answer 25

Blocking improper characters (only allows numbers in this field)
Blocking HTML code - no embedded html code.
Prevent special characters
implement boundary/ranged checking - max product purcahse 1 per customer, not allowing 2.

Question 26

Locations that input validation can occur and difference?

Answer 26

client-side occurs on the client, input validation comes with html page. Less secure but quicker (disabling java script can work around this)
Server-side occurs on the server, takes longer, more secure.

Question 27

What is a race condition and how is it avoided?

Answer 27

two or more resources accessed (or met) at the same time leading to a conflict/shut down/error. WRiting proper code to prevent two processes occuring simultaneously.

Question 28

Key for good errors? what happens with bad error input?

Answer 28

errors shown need to be general & detailed information logged not shown. Improper error handling gives attackers information about the system they can exploit.

Question 29

How to perform code obfuscation and why?

Answer 29

rename variables, replace numbers with expressions, remove comments etc. Slow down people copying, understanding and exploiting any code they find

Question 30

What is the concept of using different compliers in code?

Answer 30

software diversity, creates a exe that could be written in (native language) and any other languages.. It also adds randomness, allowing it to work differently on different computers.

Question 31

What is code signing used for?

Answer 31

authenticating and validating software code, devs purchase a certificate, assign it to the code. It is now digitally signed and a hash verifies it hasnt changed.

Question 32

How is code analyzed and tested for security? list 4 ways.

Answer 32

Static analysis (without executing - may be done by hand or automated tools)
Manual code review (static, but not done by the writer)
Dynamic code analysis (viewing code as it is running, may use fuzzing which inputs random data during it)
Sandboxing

Question 33

Describe the stages of secure development environments

Answer 33

1. Development - isolated environment
2. Test - not a full production environment but includes more hardware and software
3. Staging - simulates prod environment, a replica.
4. Production - goes live in prod,
5. QA - Ongoing process throughout the lifetime, ensures app maintains high level of quality,

Question 34

What is normalization?

Answer 34

the ongoing improvement and refining of redunant and important data in databases. There are 3 normal forms. Each defining a format and improving databases

Question 35

What and how do SQL queries work?

Answer 35

Searching in a search bar creates a request to an SQL database, the results retrieved and formatted into a website page.

Question 36

User tries SQL injection, enters a commend, but the database is using stored procedures, how does this prevent it?

Answer 36

User inputs, it is passed to server, stored procedures are groups of SQL statements that execute as a whole, users input is passed to this stored procedure which executes instead (and this performs data validation).

Question 37

with regards to software / app development what is provisioning and deprovisioning?

Answer 37

provision - to prepare and config to launch on different devices and use different application services. (allow use of X in this app)
Deprovision - to remove and delete all associated data.

Question 38

Why are powershell scripts used for attacks? how to find and what to look for? what to look for bash scripts? and python?

Answer 38

they can create batch files (.bat) to run multiple commands, and .ps1 files that do the same. They have access to microsoft component object model and windows management instrumentation. Fileless viruses often use powershell. Best way to detect it to view logs looking for cmdlets “Get, add, new find” etc and nouns - command, service, location, process etc. Verb-noun combinations. Get-commands.
Bash, similar, calls to “bash” important to look for.
python .py or .pyc files

Question 39

What are web servers vulnerable to and why? and applications? not a list just a reason.

Answer 39

Webservers accept input (so buffer overflow sql injection), applications have vulnerabilities.

Question 40

What is a memory leak?

Answer 40

A bug that causes an application to use more and more memory the longer it runs. An application might reserve memory for short term use but never release it. System might run slower and slow until it is rebooted.

Question 41

What is a buffer overflow?

Answer 41

Programs have a buffer of memory they can access, assigned to them. If this buffer overflows, memory not allocated can be accessed and written malicous code into it.

Question 42

What other types of injections are there? ways to avoid it?

Answer 42

DLL, LDAP, and XML injections. Proper input validation

Question 43

What is a primary indication of an XML attack? and what does a mark up language do?

Answer 43

creation of unwanted accounts. It describes the layout/format and is used for transferring data.

Question 44

Give an example of a directory transversal

Answer 44

Changing the path, say it is C/Programfiles/Userdocuments/Public, transversal would be changing public to private to see if it works. Input validation helps.

Question 45

Reflected(non-persistent) vs Stored(persistent) XSS?

Answer 45

Reflected - it is reflected back, the malicious code is sent to user to click on, click it and it sends malicious code to the server so that is reflects it back to the user.
Stored/persistent - Instead of sending malicious code to the server, it is already stored in the database or trusted location.

Question 46

cross-site request forgery, how does it work?

Answer 46

The attacker tricks a user into performing an action on a website using a specially crafted HTML link. User performs action without realizing it. It takes advantage of the user already authenticating - stored information in the cookie or cache.

Question 47

Serverside vs client side request forgeries?

Answer 47

Serverside - taking advantage of server requests, such as using API or any other external URLs to formulate the webpage data. Injecting malicious code into these. This results in an attack on the server, possibly accessing organizational data. On the other hand, an SSRF attack primarily targets the backend server to read or update internal resources from an external network

Clientside - Directly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. Things such as cookies that the server reads FROM the client. I am unsure if this targets the client or webpage directly. Possibly both.

Question 48

Why use a shim? how can this be directed towards malicious intent

Answer 48

Shimming is the process of writing code to make a system believe the older driver version is compatible, developers may write a shim to make it compatible again. However, this can also be used to fool the operating system into running a manipulated driver with malicious code. This is driver manipulation tactics.

Question 49

What does adversial artificial intelligence do? Strategies to help? and precautions to take?

Answer 49

attempts to trick AI models by providing it deceptive data when successful can perform an error or malfunction in the AI. A strategy might include using tainted data to provide the unexpected, precaution is to keep these algorithms propriety.