Chapter 8: Infrastructure Threats & Security Monitoring Flashcards
What is an On-Path attack?
When a threat actor positions themselves in the middle between two communicating users or devices
What is a Replay attack?
Makes a copy of a legitimate transmission before sending it on to the recipient
What is a Man-in-The-Browser attack?
Intercepts communication between parties to steal or manipulate the data
(Usually in the form of a Trojan that installs a browser extension, which is difficult for anti-malware to pick up)
What is DNS poisoning?
Modifies the local hosts file on a device so that a domain name points to a different address
(The file is changed to point at a DNS server under the threat actor's control)
What is DNS Hijacking?
Infects an external DNS server with IP addresses that point to a malicious site
What is DNSSEC?
DNS Security Extensions - protocols that authenticate responses to DNS requests
What is OpenDNS?
DNS service for SOHO networks when the router does not provide this function
What is the Hosts File?
Plain text file that maps domain names to IP addresses
Windows - C:\Windows\System32\Drivers\etc\hosts
Linux - /etc/hosts
What is a reflection attack (amplification attack)?
Threat actors attack a misconfigured Internet device or service so that it reflects and generates an even larger payload at the ultimate target
What is an NTP multiplier attack?
The NTP protocol is a target of reflection attacks and can generate a 206-fold increase in throughput
What is PowerShell?
Administrative tasks are performed by cmdlets, which are specialized .NET classes that implement a specific operation
What is VBA?
Visual Basic for Applications - Event-driven Microsoft programming language - Used to create macros
What is ARP Poisoning?
Address Resolution Protocol - relies upon the MAC address being spoofed
What is a MAC cloning attack?
Threat actor discovers the MAC address of a device connected to a switch and spoofs that MAC address on their own device to potentially receive data that was supposed to go to the other device
What is MAC flooding?
Flooding a switch with Ethernet packets that have been spoofed so that every packet contains a different MAC address; once the switch's MAC address table is full, the switch enters a fail-open mode and broadcasts incoming frames out of all other ports
What is Anomaly Monitoring?
Detects statistical anomalies by comparing activity against a baseline of normal activities to look for deviations; anomaly monitoring is more about spotting what is different (contrast with behavior-based monitoring)
What is signature-based monitoring?
Examines network traffic, activity, transactions, or behavior to look for well-known patterns, comparing these activities against predefined signatures
What is behavior-based monitoring?
Uses "normal" processes and actions as the standard; behavior-based monitoring is about understanding the context and significance of deviations from that standard
What is Wireshark?
GUI packet capture & analysis tool
What is tcpdump?
Command-line packet analyzer
What is Tcpreplay?
Tool for editing packets and then replaying them back into the network so they can be observed
What is Flow Analysis?
(aka Network Traffic Analysis) - the process of monitoring network traffic
What is NetFlow?
Session sampling protocol that collects IP network traffic information
What is sFlow?
Does not statefully track flows; instead it exports a statistical sampling of individual packet headers for monitoring