Chapter 8: Infrastructure Threats & Security Monitoring Flashcards

1
Q

What is an On-Path attack?

A

When a threat actor positions themselves in the middle between two communicating users or devices

2
Q

What is a Replay attack?

A

Makes a copy of a legitimate transmission before sending it to the recipient

3
Q

What is a Man-in-The-Browser attack?

A

An attack that intercepts communication between parties to steal or manipulate the data
(Usually in the form of a Trojan that installs a browser extension, which is difficult for anti-malware to pick up)

4
Q

What is DNS poisoning?

A

Modifies a local hosts file on a device to point a domain to a different address
(Or redirects lookups to a DNS server under the threat actor's control)

5
Q

What is DNS Hijacking?

A

Infects an external DNS server with IP addresses that point to a malicious site

6
Q

What is DNSSEC?

A

DNS Security Extensions - Protocols that authenticate responses to DNS requests

7
Q

What is OpenDNS?

A

A DNS service for SOHO networks when the router does not have this function

8
Q

What is the Hosts File?

A

Plain-text file that maps domain names to IP addresses
Windows - C:\Windows\System32\Drivers\etc\hosts
Linux - /etc/hosts

9
Q

What is a reflection attack (amplification attack)?

A

Threat actors abuse a misconfigured Internet device or service to reflect & generate an even larger payload at the ultimate target

10
Q

What is an NTP multiplier attack?

A

NTP is a target of reflection attacks and can generate a 206-fold increase in throughput

11
Q

What is PowerShell?

A

Administrative tasks are performed by cmdlets, which are specialized .NET classes that implement a specific operation

12
Q

What is VBA?

A

Visual Basic for Applications - Event-driven Microsoft programming language - Used to create macros

13
Q

What is ARP Poisoning?

A

Address Resolution Protocol - Relies upon the MAC address being spoofed

14
Q

What is a MAC cloning attack?

A

Threat actors discover the MAC address of a device connected to a switch and spoof that MAC address on their own device to potentially receive data that was supposed to go to the other device

15
Q

What is MAC flooding?

A

Flooding a switch with Ethernet packets that have been spoofed so that every packet contains a different source MAC address - once the MAC address table of the switch is full, the switch enters a fail-open mode and broadcasts incoming frames out of all other ports

16
Q

What is Anomaly Monitoring?

A

Detecting statistical anomalies using a baseline of normal activities to look for deviations - anomaly monitoring is more about spotting what's different

17
Q

What is signature-based monitoring?

A

Examines network traffic, activity, transactions, or behavior to look for well-known patterns, comparing these activities against predefined signatures

18
Q

What is behavior-based monitoring?

A

Uses “normal” processes & actions as the standard - behavior-based monitoring is about understanding the context and significance of those differences.

19
Q

What is Wireshark?

A

GUI packet capture & analysis tool

20
Q

What is TCPdump?

A

Command-line packet analyzer

21
Q

What is Tcpreplay?

A

Tool for editing packets and then replaying them back into the network so they can be observed

22
Q

What is Flow Analysis?

A

(aka Network Traffic Analysis) - Process of monitoring the network traffic

23
Q

What is NetFlow?

A

Session sampling protocol that collects IP network traffic

24
Q

What is sFlow?

A

Doesn't statefully track flows; instead, it exports a statistical sampling of individual packet headers for monitoring

25
Q

What is Data Loss Prevention?

A

DLP - System of security tools used to recognize & identify data that is critical to the organization & ensure it is protected

26
Q

What is SNMP?

A

Simple Network Management Protocol - Protocol used to remotely monitor, manage, & configure devices on the network

27
Q

What is an SNMP trap?

A

Type of PDU (protocol data unit) that sends an unsolicited message to the manager about critical events in the managed device

28
Q

What is log aggregation?

A

Enables security personnel to gather events from disparate sources into a single entity so that they can be searched & analyzed

29
Q

What is SCAP?

A

Security Content Automation Protocol - A collection of community-accepted security standards, hosted in open-source, online repositories

30
Q

What is SIEM?

A

Security Information & Event Management - A set of tools & services offering a holistic view of an organization’s information security

31
Q

What is SOAR?

A

Security Orchestration, Automation, & Response - Similar to SIEM, but can automatically initiate a response by placing a system into quarantine & generating an alert

32
Q

What is MUA?

A

Mail User Agent - What is used to read & send email from an endpoint

33
Q

What is an MTA?

A

Mail Transfer Agent - Programs that accept email messages from senders and route them towards their recipients

34
Q

What is SEG?

A

Secure Email Gateway - Acts as a "proxy" for the organization's email server; email traffic can be redirected to the SEG to inspect messages for malicious content

35
Q

What is SPF?

A

Sender Policy Framework - Email authentication that identifies the MTA email servers that have been authorized to send email for a domain

36
Q

What is DKIM?

A

DomainKeys Identified Mail - An authentication technique that validates the content of email messages (digital signature)

37
Q

What is DMARC?

A

Domain-based Message Authentication, Reporting, & Conformance - Allows the owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF, or both) is used when sending email from that domain

38
Q

What is a credential relay attack?

A

Attackers use their own device as a MITM, intercept digests of user passwords as they are being transmitted, and then relay the clients' credentials

39
Q

What is Heuristic monitoring?

A

Founded on experience-based techniques; uses an algorithm to determine if a threat exists

40
Q

What are some activities that fall under security monitoring?

A

Quarantine, Reporting, and Archiving

41
Q

What is a session ID?

A

A unique number that a web server assigns to a specific user for the duration of that user's visit (session) - Usually 128 bits and hashed - Used in a specific type of replay attack