Chapter 8: Infrastructure Threats & Security Monitoring Flashcards
What is an On-Path attack?
When a threat actor positions themselves in the middle between two communicating users or devices
What is a Replay attack?
Makes a copy of a legitimate transmission before sending it on to the recipient
What is a Man-in-The-Browser attack?
Attack intercepts communication between parties to steal or manipulate the data
(Usually in the form of a Trojan that installs a browser extension, difficult for anti-malware to pick up)
What is DNS poisoning?
Modifies the local hosts file on a device so that a domain name points to a different address
(Or points the device at a DNS server under the threat actor's control)
What is DNS Hijacking?
Infects an external DNS server with IP addresses that point to a malicious site
What is DNSSEC?
DNS Security Extensions - Protocols that authenticate responses to DNS requests
What is OpenDNS?
DNS service for SOHO networks when the router does not have this function
What is the Hosts File?
Plain text file that maps domain names to IP addresses
Windows - C:\Windows\System32\Drivers\etc\hosts
Linux - /etc/hosts
What is a reflection attack (amplified attacks)?
Threat actors attack a misconfigured Internet device or service to reflect & generate an even larger payload at the ultimate target
What is an NTP multiplier attack?
The NTP protocol is the target of reflection attacks; it can generate a 206-fold increase in throughput
What is Powershell?
Administrative tasks are performed by cmdlets, which are specialized .NET classes that implement a specific operation
What is VBA?
Visual Basic for Applications - Event-driven Microsoft programming language - Used to create macros
What is ARP Poisoning?
Address Resolution Protocol - Relies upon the MAC address being spoofed
What is a MAC cloning attack?
Threat actors discover the MAC address of a device connected to a switch and spoof that MAC address on their own device to potentially receive data that was supposed to go to the other device
What is MAC flooding?
Flooding a switch with Ethernet frames that have been spoofed so that every frame carries a different MAC address - once the MAC address table of the switch is full, the switch enters a fail-open mode and broadcasts incoming frames out of all other ports
What is Anomaly Monitoring?
Detecting statistical anomalies using a baseline of normal activities to look for deviation - while anomaly monitoring is more about spotting what’s different
What is signature-based monitoring?
Examines network traffic, activity, transactions, or behavior to look for well-known patterns, comparing these activities against predefined signatures
What is behavior-based monitoring?
Uses “normal” processes & actions as the standard - behavior-based monitoring is about understanding the context and significance of those differences.
What is Wireshark?
GUI packet capture & analysis tool
What is TCPdump?
Command-line packet analyzer
What is TCP replay?
Tool for editing packets and then replaying them back into the network so they can be observed
What is Flow Analysis?
(aka Network Traffic Analysis) - Process of monitoring the network traffic
What is NetFlow?
Session sampling protocol that collects IP network traffic
What is sFlow?
Doesn’t statefully track flows, instead exports a statistical sampling of individual packet headers for monitoring
What is Data Loss Prevention?
DLP - System of security tools used to recognize & identify data that is critical to the organization & ensure it is protected
What is SNMP?
Simple Network Management Protocol - Protocol used to remotely monitor, manage, & configure devices on the network
What is SNMP trap?
Type of PDU (protocol data unit) that sends an unsolicited message to the manager about critical events in the managed device
What is log aggregation?
Enables security personnel to gather events from disparate sources into a single entity so that they can be searched & analyzed
What is SCAP?
Security Content Automation Protocol - A collection of community-accepted security standards, hosted in open-source, online repositories
What is SIEM?
Security Information & Event Management - A set of tools & services offering a holistic view of an organization’s information security
What is SOAR?
Security Orchestration, Automation, & Response - Similar to SIEM, but can automatically initiate a response by placing a system into quarantine & generating an alert
What is MUA?
Mail User Agent - What is used to read & send email from an endpoint
What is an MTA?
Mail Transfer Agent - Programs that accept email messages from senders and route them towards their recipients
What is SEG?
Secure Email Gateway - Acts as a “proxy” for the organization’s email server; mail traffic can be redirected to the SEG so it can inspect emails for malicious content
What is SPF?
Sender Policy Framework - Email authentication that identifies the MTA email servers that have been authorized to send email for a domain
What is DKIM?
DomainKeys Identified Mail - An authentication technique that validates the content of email messages (digital signature)
What is DMARC?
Domain-based Message Authentication, Reporting, & Conformance - Allows the owner of a domain to publish a policy in their DNS records specifying which mechanism (DKIM, SPF, or both) is used when sending email from that domain
What is a credential relay attack?
Attackers use their own device for a MITM, intercept digests of user passwords as they are being transmitted, and then relay the clients’ credentials
What is Heuristic monitoring?
Founded on experience-based techniques, uses an algorithm to determine if a threat exists
What are some activities that fall under security monitoring?
Quarantine, Reporting, and Archiving
What is a session ID?
A unique number that a web server assigns to a specific user for the duration of that user’s visit (session) - Usually 128 bits and hashed - Used for a specific type of replay attack