Chapter 8: Infrastructure Threats & Security Monitoring

Question 1

What is an On-Path attack?

Answer 1

When a threat actor positions themself in the middle between two communicating users or devices

Question 2

What is a Replay attack?

Answer 2

Makes copy of a legitimate transmission before sending it to the recipient

Question 3

What is a Man-in-The-Browser attack?

Answer 3

Attack intercepts communication between parties to steal or manipulate the data
(Usually in the form of a Trojan that installs a browser extension, difficult for anti-malware to pick up)

Question 4

What is DNS poisoning?

Answer 4

Modifies a local host file on a device to point to a different domain
(To change file to DNS server under the threat actor control)

Question 5

What is DNS Hijacking?

Answer 5

Infect an external DNS server with IP addresses that point to malicious site

Question 6

what is DNSSEC?

Answer 6

DNS Security Extension - Protocols that authenticate responses to DNS reqests

Question 7

What is OPENDNS?

Answer 7

DNS service for SOHO when router does not have this function

Question 8

What is the Hosts File?

Answer 8

Plain text file that maps domain names to IP addresses
Windows - C:\Windows\System32\Drivers\etc\hosts
Linux - /etc/hosts

Question 9

What is a reflection attack (amplified attacks)?

Answer 9

Threat actors attack a misconfigured Internet device or service to reflect & generate an even larger payload at the ultimate target

Question 10

what is NTP multiplier attack?

Answer 10

NTP Protocol is the target of reflection attacks, can generate 206-fold increase in throughput

Question 11

What is Powershell?

Answer 11

Administrative tasks are performed by cmdlets, which are specialized .NET classes that implement a specific operation

Question 12

What is VBA?

Answer 12

Visual Basic for Applications - Event-driven Microsoft programming language - Used to create macros

Question 13

What is ARP Poisoning?

Answer 13

Address Resolution Protocol - Relies upon the MAC address being spoofed

Question 14

What is a MAC cloning attack?

Answer 14

Threat actors discover MAC address of device connected to switch and threat actor spoofs MAC address of own device to potential get data that was supposed to go to the other device

Question 15

What is MAC flooding?

Answer 15

Flooding switch with Ethernet packets that have been spoofed so that every packet contains different MAC address - once the MAC address table of the switch is full, the switch will enter a fail-open mode and then broadcast incoming fames out of all other ports

Question 16

What is Anomaly Monitoring?

Answer 16

Detecting statistical anomalies using a baseline of normal activities to look for deviation - while anomaly monitoring is more about spotting what’s different

Question 17

What is signature-based monitoring?

Answer 17

Examines network traffic, activity, transactions, or behavior to look for well-known patterns to compare these activities against predefined signature

Question 18

What is behavior-based monitoring?

Answer 18

Uses “normal” processes & actions as the standard - behavior-based monitoring is about understanding the context and significance of those differences.

Question 19

What is Wireshark?

Answer 19

GUI packet capture & analysis tool

Question 20

What is TCPdump?

Answer 20

Command-line packet analyzer

Question 21

What is TCP replay?

Answer 21

Tool for editing packets then replaying them back into the network to be observed

Question 22

What is Flow Analysis?

Answer 22

(aka Network Traffic Analysis) - Process of monitoring the network traffic

Question 23

What is Net Flow?

Answer 23

Session sampling protocol that collects IP network traffic

Question 24

What is sFlow?

Answer 24

Doesn’t statefully track flows, instead exports a statistical sampling of individual packet headers for monitoring

Question 25

What is Data Loss Pervention?

Answer 25

DLP - System of security tools used to recognize & identify data that is critical to the organization & ensure it is protected

Question 26

What is SNMP?

Answer 26

Simple Network Management Protocol - Protocol used to remotely monitor mange, & configure devices on the network

Question 27

What is SNMP trap?

Answer 27

Type of PDU (protocol data unit) that that sends an unsolicited message to the manager about critical events in the managed device

Question 28

What is log aggregation?

Answer 28

Enables security personnel to gather events from disparate sources into a single entity so that it can be search & analyzed

Question 29

What is SCAP?

Answer 29

Security Content Automation Protocols - A collection of community accepted security standards, histed in open-source, online repositories

Question 30

What is SIEM?

Answer 30

Security Information & Event Management - A set of tools & services offering a holistic view of an organization's information security

Question 31

What is SOAR?

Answer 31

Security Orchestration, Automation, & Response - Similar to SIEM, automatically initiate a response by placing system into quarantine & generating an alert

Question 32

What is MUA?

Answer 32

Mail User Agent - What is used to read & send email from an endpoint

Question 33

What is an MTA?

Answer 33

Mail Transfer Agent - Are programs that accept email messages from senders and route them towards their recipents

Question 34

What is SEG?

Answer 34

Secure Email Gateway - Acts as a "Proxy" for the organization's email server, can redirect traffic to a SEG to and inspect emails for malicious content

Question 35

What is SPF?

Answer 35

Sender Policy Framework - Email authentication that identifies the MTA email servers that have been authorized to send email for a domain

Question 36

What is DKIM?

Answer 36

Domain Keys Identified Mail - An authentication technique that validates the content of the email messages (digital signature)

Question 37

What is DMARC?

Answer 37

Domain-based Message Authentication, Reporting, & Conformance) - Allows the owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF, or both) is extended/used when sending email from that domain

Question 38

What is a credential relay attack?

Answer 38

Attackers use their own device for a MITM, and intercepts digests of user passwords as they are being transmitted and then relay the clients' credentials

Question 39

What is Heuristic monitoring?

Answer 39

Founded on experience-based techniques, uses an algorithm to determine if a threat exists

Question 40

What are some activities that fall under security monitoring?

Answer 40

Quarantine, Reporting, and Archiving

Question 41

What is a session ID?

Answer 41

Is a unique number that a web server assigns a specific user for the duration of that user's visit (session) - Usually 128 bits and hashed - And used for a specific type of replay attack