Course 5 - Week 4 - Common threats Flashcards

1
Q

What is Social Engineering?

A

It is a manipulation technique in which a threat actor tries to trick someone into disclosing sensitive information.
Examples are phishing, social media phishing, USB baiting, etc.

2
Q

What are the stages of a Social engineering attack?

A

It has 4 stages:

  1. Preparation - In this stage, the attacker prepares for the attack.
  2. Establishing trust - In this stage, the attacker opens a line of communication with the target.
  3. Use of persuasion tactics -
  4. Disconnecting from the target / breaking the contact with target -
3
Q

Give me some examples of Social Engineering attacks.

A
  1. Baiting
  2. Physical Social engineering
  3. Phishing
  4. Watering Hole attack
  5. Quid Pro Quo
4
Q

What is a Quid Pro Quo attack?

A

It is a type of baiting used to trick someone into believing that they will be rewarded in return for sharing access, information, or money.

5
Q

Give me an example of some measures/controls that we can implement to prevent Social engineering attacks.

A

Firewall rules, MFA, Email filtering, and block lists are examples of a few layers that we can add to our defenses.

6
Q

What is a phishing kit and what does it include?

A

It is a toolkit for attackers who run phishing campaigns.
It includes the following tools:

  1. Malicious attachments
  2. Malicious/fraudulent web links
  3. Fake Data collection forms
7
Q

What is Angler phishing?

A

It is a phishing technique in which attackers impersonate customer service representatives on social media.

8
Q

What is Malware?

A

It stands for Malicious Software. It is software or a program designed to harm a computer or to interfere with its normal functions.

There are different kinds of malware, such as viruses, worms, etc.

9
Q

What is a Virus?

A

It is a type of malware that infects an endpoint when an executable infected with this malware is run by a user.
It modifies the existing files on a system or fully replaces them with the malware code.
For example - opening an infected Word file.

10
Q

What is a Worm?

A

It is a type of malware that self-replicates onto other devices on the network once it is installed on one device on that network.

11
Q

What is Adware?

A

It is a type of PUA - Potentially Unwanted Application.
It runs when some legitimate application/program is run by the user. It might display ads, crash systems, or install other unwanted software.

12
Q

What is a Trojan?

A

It is a type of malware that is hidden in some legitimate software. It might give unauthorized access to an attacker, or it might provide a backdoor to an attacker.

One way of deploying this malware is through phishing email links or attachments.

13
Q

What is Spyware?

A

It is a type of malware that collects and sells information without consent. It is also considered a PUA.

14
Q

What is Scareware?

A

It is another kind of PUA in which attackers scare users into infecting their own devices.

Emails and pop-ups are a couple of ways scareware is spread.

15
Q

What is Fileless Malware?

A

Fileless malware does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer. This type of infection resides in memory, where the malware never touches the hard drive. This is unlike other types of malware, which are stored within a file on disk. Instead, these stealthy infections get into the operating system or hide within trusted applications.
Fileless malware is detected by performing memory analysis, which requires operating system experience.

In a nutshell, fileless malware does not leave any footprints. It might not have its own file stored on the hard drive. It might only exist in memory, so restarting the system might remove the fileless malware.

It might also exist as changes to the registry and can avoid detection.

16
Q

What are rootkits?

A

Rootkits are malware that provide remote administrative access to a computer. Most attackers use rootkits to open a backdoor to a system.

Rootkits might impersonate legitimate drivers and can also hide in the BIOS.

17
Q

What is a botnet?

A

It is a collection of computers infected with bot malware that can be controlled from a command and control server by a bot herder.

Viruses, worms, and Trojans are often used to spread the initial infection and turn the infected machines into bots.

18
Q

What is a Ransomware attack?

A

It is an attack in which a threat actor encrypts the organization’s data and then asks for money to decrypt it.

19
Q

What is cryptojacking?

A

It is a form of malware that installs software to illegally mine cryptocurrencies.
Normally, cryptojacking malware is used to gain unauthorized control of personal computers in order to mine cryptocurrency.

20
Q

What are the common signs of Cryptojacking?

A

System slowdown
Increased CPU usage
Sudden System crashes
Fast draining batteries
Unusually high electricity bill

21
Q

What are the common measures that we can take to defend against malware?

A

Using web browser extensions that block malware
Ad-block extensions
Disabling JavaScript
Staying up to date with security trends

22
Q

What is a web-based exploit?

A

It is an exploit on the web server in which malicious code is executed on the server using some vulnerability.

23
Q

What is an injection attack, and what are some examples?

A

An injection attack is an attack in which malicious code is inserted into the web server.
Two examples of injection attacks:
1. Cross-site scripting - XSS attack
2. SQL injection attack

24
Q

What is a cross-site Scripting attack and what are its types?

A

Cross-site scripting is an injection attack in which malicious code is inserted into the web server.
It has 3 types:
Reflected XSS attack
Stored XSS attack
DOM (Document Object Model) based XSS attack

25
Q

Define 3 types of XSS attacks.

A

Reflected XSS attack - In this injection attack, the target user/device is sent a link with a malicious script in it. Trusting this link, the target clicks on it and connects to the server. The server then replies with the malicious script in its response, and at this point the target device runs the malicious script on the system.

Stored XSS attack - In a stored XSS attack, the attacker directly loads some malicious code onto the web server. It infects the server items that are served to the clients, such as images, buttons, etc. Just clicking on the URL of the infected site makes the client receive the malicious code and run it.

DOM-Based XSS attack - In a DOM-based XSS attack, the malicious code is inserted in the URL of the web server, and it can also be seen in the URL.

26
Q

What is SQL injection attack?

A

It is an attack on a database in which a malicious query is sent to the database. It is done to gain admin access to the database or to steal confidential information, like customer bank information, from the database.

27
Q

What are the different types of SQL injection attacks?

A
  1. In-band SQL injection attack - In this attack, the result of the attack is obtained through the same medium that was used to conduct the attack. For example, we can use an application search field to send a malicious query to the database, and we get the results of this query back through the same search bar.
  2. Out-of-band SQL injection attack - This is the opposite of an in-band SQL injection attack. In this attack, the attacker uses a different communication channel to launch the attack and get the results.
  3. Inferential SQL injection attack - In this attack, the attacker is unable to directly see the results of their attack. Instead, they can interpret the results by analyzing the behavior of the system.
    For example - an attacker tries to conduct this SQL injection attack through the website login page. They might not get any direct result back, but an error message might show up. This error might have information about the structure of the database. Using this information, the attacker might conduct other kinds of attacks.
28
Q

What are some ways to prevent injection attacks?

A

We will discuss 3 common ways:

  1. Prepared statement - It is a coding technique that executes SQL statements before passing them on to the database.
  2. Input sanitization - Programming that removes user input which could be interpreted as code.
  3. Input validation - Programming that ensures user input meets a system’s expectations.
29
Q

What is threat modeling?

A

It is the process of finding all assets and their vulnerabilities and the level of risk associated with them (or how each is exposed to threats).
There are different approaches to threat modeling.

30
Q

What are the different steps involved in threat modeling?

A
  1. Define the scope - In this step, we find all the assets on which we will perform threat modeling.
  2. Identify threats - We do research and find known threats to the assets defined in the 1st step.
  3. Characterize the environment - In this step, we figure out how data flows occur in the organization’s network, how different devices interact with each other, and how people interact with the organization’s technology.
  4. Analyze threats - In this step, the team analyzes existing controls/protections and finds existing gaps.
  5. Mitigate risk - The team decides how existing threats/vulnerabilities should be defended against. They either accept the risk, avoid the risk, transfer the risk, or reduce it.
  6. Evaluate findings - Steps 1-5 are evaluated in this step and fixes are applied.
31
Q

What is PASTA and what are its different steps?

A

PASTA is a threat analysis framework. Its steps:
1. Define business and security objectives - In this step, we find all the business objectives and security objectives, for example protecting customer data.
2. Define the technical scope - In this step, we make a list of all the technical components that are involved, e.g. the application, data server, other security controls, etc.
3. Decompose the application - In this step, we decompose the application to find out how data is received from the customers and how it is eventually stored in the database.
4. Perform a threat analysis - In this step, we find all the threats to the assets identified in the 1st step. We also gather more information about new threats to our assets using Open Source Intelligence (OSINT).
5. Perform a vulnerability analysis - In this step, we perform a vulnerability analysis on our assets using the CVE (Common Vulnerabilities and Exposures) list or by performing a penetration test.
6. Conduct attack modeling - In this step, we simulate attacks on our assets and find the existing security gaps that are not covered by our current security controls or processes/policies. Attack trees are created in this step.
7. Analyze risk and impact - In this stage, all the above findings are analyzed, and the team can give risk management recommendations to business stakeholders.

32
Q

What is one trait of effective threat modeling?

A

Threat modeling should be incorporated at every stage of the software development lifecycle or SDLC. Before, during, and after an application is developed.

33
Q

Give me some examples of threat modeling frameworks.

A

PASTA, STRIDE, TRIKE, VAST

34
Q

What is the STRIDE threat modeling framework?

A

It is a threat modeling framework created by Google to identify vulnerabilities in six attack vectors. The acronym represents each of these vectors.
STRIDE -
S - Spoofing
T - Tampering
R - Repudiation
I - Information disclosure
D - Denial of Service
E - Elevation of privileges

35
Q

What are some questions that we can ask when doing threat modeling?

A
  1. What are we working on?
  2. What kind of things can go wrong?
  3. What are we doing about it?
  4. Have we addressed everything?
  5. Did we do a good job?
36
Q

What are the steps involved in the NIST incident response lifecycle?

A
  1. Preparation - In this phase, everyone is told about their responsibilities and the procedures they are supposed to follow in specific situations.
  2. Detect and analyze
  3. Containment, eradication and recovery
  4. Post-incident activity
37
Q

Define an Event.

A

An Event is an observable occurrence on a network, system, or device.

38
Q

What are the 5 W’s that are revealed during incident investigation?

A
  1. What happened?
  2. Who triggered the incident?
  3. When did it happen?
  4. Where did it happen?
  5. Why did it happen?
39
Q

What is an incident handler journal?

A

It is a documentation template used to document the incident investigation activities and the 5 W’s related to the incident.

40
Q

What is an incident response team called, and what are the different roles in it?

A

It is called CSIRT - Cyber Security Incident Response Team.
Different roles in it:

  1. Security Analyst - The security analyst has the least expertise and is responsible for acting on incident alerts, triaging them, performing root cause investigations, and resolving or escalating them. They are also responsible for continuously monitoring the environment.
  2. Team lead - They receive escalated tickets from security analysts and are responsible for the deep-level investigation and for applying fixes.
  3. Incident coordinator -
41
Q

Give me another example of an incident response team.

A

SOC - Security Operations Center:

  1. SOC Analyst Level 1 - Has the least amount of experience. Responsibilities include monitoring, reviewing, and prioritizing alerts based on criticality or severity, and creating and closing alerts using a ticketing system.
  2. SOC Analyst Level 2 - Responsibilities include configuring and refining security tools. Reports to the SOC lead.
  3. SOC lead - Manages the operations of their team. Explores methods of detection by performing advanced detection techniques such as malware and forensics analysis.
  4. SOC Manager
42
Q

What is an incident response plan and what are its elements?

A

Incident Response Plan - It is a document that outlines the procedures to take in each step of incident response.

Its elements:
- Incident Response procedures
- System Information
- Other documents like contact lists, forms, templates

43
Q

What is an IDS?

A

IDS stands for Intrusion Detection System. It analyzes network or system traffic to look for patterns of suspicious activity or possible intrusions.

Examples:
Suricata
Zeek
Snort
Kismet
Sagan

44
Q

What is EDR?

A

EDR stands for Endpoint Detection and Response.
EDR is an application that is installed on endpoints to detect possible intrusions or malicious activity. It can also detect anomalies on the endpoints by doing behavioral analysis.

Some examples of detection categories:
1. True positive
2. True negative
3. False positive
4. False negative

45
Q

What are the processes involved in SIEM tools?

A
  1. Collect and aggregate data - This step involves parsing. Parsing maps data according to their fields and their corresponding values.
  2. Normalize data
  3. Analyze data as per detection rules and conditions

Some examples of SIEM tools -

Chronicle, Splunk

46
Q

What is network traffic and network data?

A

Network Traffic - This is the amount of data that moves across a network.

Network Data - This is the data that is transmitted between devices on a network.

47
Q

What are IOC and IOA?

A

IOC - Indicators of Compromise - It is observable evidence that points to a potential incident that has occurred.

IOA - Indicators of Attack - It is observable evidence that points to a potential ongoing attack/incident.

48
Q

What is Data exfiltration?

A

It is the unauthorized transmission of data from a system.

49
Q

Give me some examples of network monitoring tools.

A

IDS
Network Protocol Analyzers

50
Q

What is a packet capture file?

A

It is a file containing data packets intercepted from an interface or network.

Some examples of network protocol analyzers -
Wireshark, tcpdump, Tshark

51
Q

What are the different formats of packet capture files?

A

Libpcap - It is a packet capture library designed to be used on Unix-like systems like macOS and Linux. Tools like tcpdump use libpcap as the default packet capture file format.

Winpcap - It is an old packet capture file format used on Windows systems.

Npcap - It is a library created by the makers of the port scanning tool Nmap that is commonly used on Windows.

PCAPng - It is a modern file format that can simultaneously capture packets and store data. Its ability to do both explains the "ng", which stands for next generation.

52
Q

What are fields in IPv4 and IPv6?

A

Remember it!!!

53
Q

Can we filter traffic in Wireshark?

A

Yes, we can filter using protocols like tcp, http, udp, etc.
We can also filter traffic based on source/destination IP, source/destination port number, etc.
For example:
ip.src == 8.8.8.8
udp.port == 53

Note - Length in Wireshark is the total length of the packet.

54
Q

What is the command syntax to capture/read data with tcpdump?

A

sudo tcpdump [-i interface] [options] [expressions]

Expressions - Expressions are used to filter the output of the tcpdump command.

Example -

sudo tcpdump -i any -w packetcapture.pcap

sudo tcpdump -r packetcapture.pcap

For getting verbose information ->

sudo tcpdump -r packetcapture.pcap -v

55
Q

What are different options that we can use with tcpdump?

A
  1. -r - read packets from a capture file
  2. -w - write captured packets to a file
  3. -v - for verbosity
  4. -n - By default, tcpdump performs name resolution. The downside of performing name resolution is that it might alert an attacker that you are investigating them, through their DNS records.
    -nn will resolve neither hostnames nor ports
  5. -c - To tell tcpdump how many packets to capture.
    sudo tcpdump -i any -w packetcapture.pcap -c 1
56
Q

Give me an example of the usage of expressions with tcpdump command.

A

sudo tcpdump -r packetcapture.pcap -n 'ip and (port 80 or port 443)'
