Cyber Threats and Kill Chain Methodology Flashcards

1
Q

1) Overview of Cyber Threats

A

<p>A cyber threat is defined as an act in which the adversary attempts to <span><strong>gain unauthorized access</strong></span> to an organization’s network by exploiting communication paths.</p>

<p>Adversaries use cyber threats to <strong><span>infiltrate and steal data</span></strong> such as individuals’ personal information, financial information, and login credentials.</p>

2
Q

2) Cyber Security Attack Vectors

A

<ol><li>Cloud Computing Threats</li><li>Advanced Persistent Threat (APT)</li><li>Viruses and Worms</li><li>Ransomware</li><li>Mobile Threats</li><li>Botnet</li><li>Insider Threat</li><li>Phishing</li><li>Web Application Threats</li><li>IoT Threats</li></ol>

3
Q

3) Cyber Security Threat Categories

A

<ul><li><strong>Network Threats</strong><ul><li>Information gathering</li><li>Sniffing and eavesdropping</li><li>Spoofing</li><li>Session hijacking and Man-in-the-Middle attack</li><li>DNS and ARP Poisoning</li><li>Password-based attacks</li><li>Denial-of-Service attacks</li><li>Compromised-key attacks</li><li>Firewall and IDS attacks</li></ul></li><li><strong>Malware attacks</strong><ul><li>Footprinting</li><li>Profiling</li><li>Password attacks</li><li>Denial-of-Service attacks</li><li>Arbitrary code execution</li><li>Unauthorized access</li><li>Privilege escalation</li><li>Backdoor attacks</li><li>Physical security threats</li></ul></li><li><strong>Application Threats</strong><ul><li>Improper data/Input validation</li><li>Authentication and authorization attacks</li><li>Security misconfiguration</li><li>Information disclosure</li><li>Hidden-field tampering</li><li>Broken session management</li><li>Buffer overflow issues</li><li>Cryptography attacks</li><li>SQL injection</li><li>Phishing</li><li>Improper error handling and exception management</li></ul></li></ul>

4
Q

4) Threat Actors/Profiling the Attacker

A

<p><strong>Hacktivist:</strong> Individuals who promote a political agenda by hacking, especially by defacing or disabling websites</p>

<p><strong>Cyber Terrorists:</strong> Individuals with a wide range of skills, motivated by religious or political beliefs to create fear through large-scale disruption of computer networks</p>

<p><strong>Suicide Hackers:</strong> Individuals who aim to bring down critical infrastructure for a “cause” and are not worried about facing jail terms or any other kind of punishment</p>

<p><strong>State-Sponsored Hackers:</strong> Individuals employed by a government to penetrate and gain top-secret information and to damage the information systems of other governments</p>

<p><strong>Organized Hackers:</strong> Professional hackers whose aim is to attack a system for profit</p>

<p><strong>Script Kiddies:</strong> Unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers</p>

<p><strong>Industrial Spies:</strong> Individuals who attack companies for commercial purposes</p>

<p><strong>Insider Threat:</strong> A threat that originates from people within the organization, such as disgruntled employees, terminated employees, and undertrained staff</p>

5
Q

5) Threat Intent, Capability, and Opportunity Triad

A

<ul><li>For a threat to exist, there is always an intent, a capability, and an opportunity behind it.
<ul><li><span><strong>Intent</strong></span>: The goal of an adversary in targeting the organization</li><li><strong><span>Capability</span></strong>: The Tactics, Techniques, and Procedures (TTPs) that an adversary can use to target the organization</li><li><span><strong>Opportunity</strong></span>: A security vulnerability or weakness in the organization that allows an adversary to target it</li></ul></li><li>In Cyber Threat Intelligence (CTI), analysis is performed on the basis of the intent, capability, and opportunity triad.</li><li>By studying this triad, experts can <span><strong>evaluate and make informed</strong></span>, forward-leaning strategic, operational, and tactical <span><strong>decisions on existing or emerging threats</strong></span> to the organization.</li></ul>

6
Q

6) Motives, Goals, and Objectives of Cyber-Security Attacks

A

<ul><li><h3><span><strong>Attacks</strong></span> = <strong>Motive (Goal) + Method + Vulnerability</strong></h3></li><li><h3>A motive originates from the notion that the <span><strong>target system stores or processes</strong></span> something valuable, and this leads to the threat of an attack on the system.</h3></li><li><h3>Attackers try various tools and attack techniques to <strong><span>exploit vulnerabilities</span></strong> in a computer system or in its security policies and controls in order to achieve their motives.</h3></li></ul>

<p><strong>Motives Behind Cyber Security Attacks</strong></p>

<ul><li>Disrupting business continuity</li><li>Information theft</li><li>Manipulating data</li><li>Creating fear and chaos by disrupting critical infrastructure</li><li>Causing financial loss to the target</li><li>Propagating religious or political beliefs</li><li>Achieving a state’s military objectives</li><li>Damaging the reputation of the target</li><li>Taking revenge</li><li>Demanding ransom</li></ul>

7
Q

7) Hacking Forums

A

<h3><strong>Hacking forums provide information related to hackers, such as:</strong></h3>

<ul><li><h3><span>Methods</span> used to launch an attack</h3></li><li><h3><span>Techniques and tools</span> used to perform an attack</h3></li><li><h3><span>Procedures</span> followed for covering tracks after an attack</h3></li></ul>

<h3><strong>Hacking forum links</strong></h3>

<ul><li><h4>Hack Forums (https://hackforums.net)</h4></li><li><h4>Hackaday (https://hackaday.com)</h4></li><li><h4>The Ethical Hacker Network (https://www.ethicalhacker.net)</h4></li><li><h4>Hack This Site (https://www.hackthissite.org)</h4></li><li><h4>Hak5 Forums (https://forums.hak5.org)</h4></li><li><h4>Evil Zone (https://evilzone.org)</h4></li><li><h4>Hack In The Box (http://www.hitb.org)</h4></li><li><h4>The Hacker News (https://thehackernews.com)</h4></li><li><h4>0x00sec (https://0x00sec.org)</h4></li><li><h4>Exploit Database (https://www.exploit-db.com)</h4></li><li><h4>Packet Storm (https://packetstormsecurity.com)</h4></li></ul>

8
Q

8) Definition of Advanced Persistent Threats

A

<ul><li>Advanced Persistent Threats (APTs) are defined as a <strong><span>type of network attack</span></strong> in which an attacker gains unauthorized access to a target network and remains there undetected for a long period of time.</li><li>The main objective of these attacks is to <strong><span>obtain sensitive information</span></strong> rather than to sabotage the organization or its network.</li></ul>

<p><strong>Information Obtained during APT attacks</strong></p>

<ul><li><h4>Classified documents</h4></li><li><h4>User credentials</h4></li><li><h4>Employees’ or customers’ personal information</h4></li><li><h4>Network information</h4></li><li><h4>Transaction information</h4></li><li><h4>Credit card information</h4></li><li><h4>Organization’s business strategy information</h4></li><li><h4>Control system access information</h4></li></ul>

9
Q

9) Characteristics of APTs

A

<ol><li><strong>Objectives: </strong>Obtaining sensitive information or fulfilling political or strategic goals</li><li><strong>Timeliness: </strong>Time taken by the attacker from assessing the target’s system for vulnerabilities to gaining and maintaining access</li><li><strong>Resources: </strong>Amount of knowledge, tools, and techniques required to carry out an attack</li><li><strong>Risk Tolerance: </strong>Level up to which the attack remains undetected in the target’s network</li><li><strong>Skills and Methods: </strong>Methods and tools used by the attackers to perform a certain attack</li><li><strong>Actions: </strong>An APT consists of a certain number of technical “actions” that make it different from other cyberattacks</li><li><strong>Attack Origination Points: </strong>Numerous attempts to gain entry to the target’s network</li><li><strong>Numbers Involved in the Attack: </strong>Number of host systems that are involved in the attack</li><li><strong>Knowledge Source: </strong>Gathering information through online sources about specific threats</li><li><strong>Multi-phased: </strong>APT attacks are multi-phased and include reconnaissance, gaining access, discovery, capture, and data exfiltration</li><li><strong>Tailored to the Vulnerabilities: </strong>APTs target specific vulnerabilities present in the victim’s network</li><li><strong>Multiple Points of Entry: </strong>The adversary creates multiple points of entry through the server to maintain access to the target network</li><li><strong>Evading Signature-Based Detection Systems: </strong>APT attacks can easily bypass security mechanisms such as firewalls, antivirus software, IDS/IPS, and email spam filters</li><li><strong>Specific Warning Signs: </strong>Specific indications of an APT attack include inexplicable user account activities, the presence of backdoors, unusual file transfers and file uploads, unusual database activities, etc.</li></ol>

10
Q

10) APT Life Cycle

A

<ol><li><strong>Preparation</strong><ol><li>Define target</li><li>Research target</li><li>Organize team</li><li>Build or attain tools</li><li>Test for detection</li></ol></li><li><strong>Initial Intrusion</strong><ol><li>Deployment of malware</li><li>Establishment of outbound connection</li></ol></li><li><strong>Expansion</strong><ol><li>Expand access</li><li>Obtain credentials</li></ol></li><li><strong>Persistence</strong><ol><li>Maintain access</li></ol></li><li><strong>Search and Exfiltration</strong><ol><li>Exfiltrate data</li></ol></li><li><strong>Cleanup</strong><ol><li>Cover tracks</li><li>Remain undetected</li></ol></li></ol>

11
Q

11) Cyber Kill Chain Methodology

A

<ul><li>The cyber kill chain methodology is a component of intelligence-driven defense for the identification and <span><strong>prevention of malicious intrusion activities.</strong></span></li><li>It provides greater insight into the attack phases, which helps analysts understand the <strong><span>adversary’s TTPs beforehand.</span></strong></li></ul>

<p><strong>Reconnaissance: </strong>Gather data on the target to probe for weak points</p>

<ol><li>Gathering information about the target organization by searching the Internet or through social engineering</li><li>Performing analysis of various online activities and publicly available information</li><li>Gathering information from social networking sites and web services</li><li>Obtaining information about websites visited</li><li>Monitoring and analyzing the target organization’s website</li><li>Performing Whois, DNS, and network footprinting</li><li>Performing scanning to identify open ports and services</li></ol>

<p><strong>Weaponization: </strong>Create a deliverable malicious payload using an exploit and a backdoor</p>

<ol><li>Identifying an appropriate malware payload based on the analysis</li><li>Creating a new malware payload or selecting/reusing/modifying available malware payloads based on the identified vulnerability</li><li>Creating the phishing email campaign</li><li>Leveraging exploit kits and botnets</li></ol>

<p><strong>Delivery: </strong>Send the weaponized bundle to the victim using email, USB, etc.</p>

<ol><li>Sending phishing emails to the employees of the target organization</li><li>Distributing USB drives containing the malicious payload to the employees of the target organization</li><li>Performing attacks such as watering hole attacks on a compromised website</li><li>Using various hacking tools against the operating systems, applications, and servers of the target organization</li></ol>

<p><strong>Exploitation: </strong>Exploit a vulnerability by executing code on the victim’s system</p>

<ol><li>Exploiting a software or hardware vulnerability to gain remote access to the target system</li></ol>

<p><strong>Installation: </strong>Install malware on the target system</p>

<ol><li>Downloading and installing malicious software such as backdoors</li><li>Gaining remote access to the target system</li><li>Leveraging various methods to keep the backdoor hidden and running</li><li>Maintaining access to the target system</li></ol>

<p><strong>Command and Control: </strong>Create a command and control channel to communicate and pass data back and forth</p>

<ol><li>Establishing a two-way communication channel between the victim’s system and an adversary-controlled server</li><li>Leveraging channels such as web traffic, email communication, and DNS messages</li><li>Applying privilege escalation techniques</li><li>Hiding the evidence of compromise using techniques such as encryption</li></ol>

<p><strong>Actions on Objectives: </strong>Perform actions to achieve the intended objectives/goals</p>

12
Q

12) Tactics, Techniques, and Procedures

A

<p>The term Tactics, Techniques, and Procedures (TTPs) refers to the <strong><span>patterns of activities and methods</span></strong> associated with specific threat actors or groups of threat actors.</p>

<p><strong>Tactics</strong></p>

<ul><li>“Tactics” is defined as a guideline that describes the <span><strong>way an attacker performs the attack</strong></span> from beginning to end.</li><li>It consists of various <strong><span>tactics of information gathering</span></strong> used to perform initial exploitation, perform privilege escalation, perform lateral movement, deploy measures for persistent access to the system, etc.</li><li>An organization can <strong><span>profile a threat actor based on the tactics they use</span></strong>; this includes the way they gather information about a target, the methods they follow for initial compromise, and the number of entry points used while attempting to enter the target network.</li></ul>

<p><strong>Techniques</strong></p>

<ul><li>“Techniques” is defined as the <strong><span>technical methods used by an attacker</span></strong> to achieve intermediate results during the attack.</li><li>These techniques include <strong><span>initial exploitation</span></strong>, setting up and maintaining <strong><span>command and control channels</span></strong>, accessing the target infrastructure, covering the tracks of data exfiltration, etc.</li><li>After aggregating the techniques used in all the stages of an attack, the organization can use the information to <span><strong>profile the threat actors</strong></span>.</li></ul>

<p><strong>Procedures</strong></p>

<ul><li>“Procedures” is defined as the <strong><span>organizational approach followed by the threat actors</span></strong> to launch an attack.</li><li>The number of <strong><span>actions usually differs</span></strong> depending upon the objective of the procedure and the threat actor group.</li><li>For example, in a basic information-gathering procedure, an actor collects information about the target organization, identifies key targets and employees, collects contact details, identifies vulnerable systems and potential entry points to the target network, and documents all the collected information.</li><li>Understanding and properly analyzing the procedures followed by certain threat actors during an attack <span><strong>helps the organization to profile the threat actor</strong></span>.</li></ul>

13
Q

13) Adversary Behavioral Identification

A

<p>Adversary behavioral identification involves the <strong><span>identification of common methods</span></strong> or techniques followed by an adversary when launching attacks to penetrate an organization’s network.</p>

<p>It gives security analysts insight into <strong><span>upcoming threats and exploits</span></strong>.</p>

<ol><li><h4><strong>Internal Reconnaissance</strong></h4></li><li><h4><strong>Use of PowerShell</strong></h4></li><li><h4><strong>Unspecified Proxy Activities</strong></h4></li><li><h4><strong>Use of Command-Line Interface</strong></h4></li><li><h4><strong>HTTP User Agent</strong></h4></li><li><h4><strong>Command and Control Server</strong></h4></li><li><h4><strong>Use of DNS Tunneling</strong></h4></li><li><h4><strong>Use of Web Shell</strong></h4></li><li><h4><strong>Data Staging</strong></h4></li></ol>

14
Q

14) Kill Chain Deep Dive Scenario: Spear Phishing

A

<table>
<tr><th>Kill Chain Phase</th><th>Scenario</th><th>Use Cases</th></tr>
<tr><td>Reconnaissance</td><td><ul><li>The target organization’s employee posts information about his project, position in the organization, and interests on social networking websites such as Facebook and LinkedIn</li><li>Adversary gathers contact details of the target employee from the social networking site</li></ul></td><td></td></tr>
<tr><td>Weaponization</td><td><ul><li>Adversary creates a deliverable malware payload using an exploit and a backdoor</li><li>Adversary prepares a command and control server to manage his activities on the target’s network and drop-zone servers on the Internet</li><li>Adversary drafts a plausible phishing email with the malicious payload attached</li><li>Adversary ensures that the antivirus does not detect the attachment</li></ul></td><td></td></tr>
<tr><td>Delivery</td><td><ul><li>Adversary sends a phishing email to the target employee</li><li>Email passes through the target organization’s antivirus protection</li></ul></td><td><ul><li>Suspicious attachment with the password included in the email message</li><li>Suspicious file type download</li></ul></td></tr>
<tr><td>Exploitation</td><td><ul><li>The target employee opens the legitimate-looking email, downloads the attachment, and double-clicks the malicious file</li><li>The EXE file is executed, which installs several files in the root folder and modifies registry keys</li><li>The adversary takes advantage of an unpatched vulnerability in the target system to escalate privileges</li></ul></td><td><ul><li>Malware infects the system</li><li>Execution of a malicious program that is not whitelisted</li></ul></td></tr>
<tr><td>Installation</td><td><ul><li>Malware is launched after installation, which leads to persistent access to the target system</li><li>Malware sends a signal and establishes a back channel with the command and control server using the organization’s HTTP proxy server</li><li>Adversary spreads the infection to other end systems in the network</li></ul></td><td><ul><li>Suspicious activities on the proxy server</li><li>Execution of a new program that is not whitelisted and generates network traffic</li></ul></td></tr>
<tr><td>Command and Control</td><td><ul><li>Adversary obtains locally stored password hashes and the hash of a user account in the domain admin group on another workstation from the target’s system</li><li>Adversary establishes a two-way communication channel between the compromised systems and the C&amp;C server using HTTP</li><li>Adversary performs remote exploitation on the target system or network</li></ul></td><td><ul><li>Command and control blacklist</li><li>Domain accessed not in the whitelist</li><li>Protocol vulnerabilities</li></ul></td></tr>
<tr><td>Actions on Objectives</td><td><ul><li>Adversary searches for files of interest on all the systems by establishing a connection with them using the domain</li><li>Adversary finds and collects the files using file sharing on the main computer and encrypts the files in a RAR archive</li><li>Adversary transfers the RAR from the target system to his drop-zone servers through the organization’s proxy server</li></ul></td><td><ul><li>Usage of admin privileges</li><li>RAR file detected</li><li>Usage of the same credentials on multiple systems</li></ul></td></tr>
</table>

15
Q

15) Indicators of Compromise

A

<p>Indicators of Compromise (IoCs) are the <span><strong>clues/artifacts/pieces of forensic data</strong></span> found on an organization’s network or operating systems that indicate a potential intrusion or malicious activity in the organization’s infrastructure.</p>

<p>IoCs are not themselves intelligence; rather, IoCs <strong><span>act as a good source of information</span></strong> about threats and serve as data points in the intelligence process.</p>

<p>Security analysts need to <span><strong>perform continuous monitoring</strong></span> of Indicators of Compromise (IoCs) to effectively and efficiently detect and <strong><span>respond to evolving cyber threats.</span></strong></p>

16
Q

16) Why are Indicators of Compromise Important?

A

<ol><li>Helps security analysts in <strong><span>detecting data breaches</span></strong>, malware intrusion attempts, or other threat activities</li><li>Assists security analysts in knowing "<strong><span>what happened</span></strong>" in the attack</li><li>Helps improve response time as well as <span><strong>upgrade the detection rate</strong></span> of threats</li><li>Provides security analysts with <span><strong>data feeds</strong></span> that can be fed into the organization’s <span><strong>auto-response mechanism</strong></span></li><li>Helps analysts find answers to the following questions:
<ol><li>Does the file contain malicious content?</li><li>Is the organization’s network compromised?</li><li>How did the network get infected?</li><li>What is the history of a specific IP address?</li></ol></li><li>Assists analysts in following a consistent approach to documenting each specific threat that can be easily shared with team members</li><li>Provides an easier way to detect zero-day attacks, for which detection rules need to be developed for the existing security tools</li><li>Provides a good source of data and a good starting point for carrying out the investigation process</li></ol>

17
Q

17) Categories of Indicators of Compromise

A

<p>Understanding IoCs helps analysts <strong><span>quickly detect the threats</span></strong> entering the organization and protect the organization from evolving threats.</p>

<p><strong>For this purpose, IoCs are divided into four categories</strong></p>

<ol><li><strong>Email Indicators</strong><ol><li>Email indicators are derived from emails used to send malicious data to the target organization or individual.</li><li>Examples include the sender’s email address, email subject, attachments or links, etc.</li></ol></li><li><strong>Network Indicators</strong><ol><li>Network indicators are useful for identifying command and control, malware delivery, operating system identification, etc.</li><li>Examples include URLs, domain names, IP addresses, etc.</li></ol></li><li><strong>Host-Based Indicators</strong><ol><li>Host-based indicators are found by performing analysis on the infected system within the organizational network.</li><li>Examples include filenames, file hashes, registry keys, DLLs, mutexes, etc.</li></ol></li><li><strong>Behavioral Indicators</strong><ol><li>Behavioral indicators of compromise are used to identify specific behavior related to malicious activities.</li><li>Examples of behavioral indicators include a document executing a PowerShell script, remote command execution, etc.</li></ol></li></ol>

18
Q

18) Key Indicators of Compromise

A

<ol><li>Unusual Outbound Network Traffic</li><li>Unusual Activity through Privileged User Account</li><li>Geographical Anomalies</li><li>Multiple Login Failures</li><li>Increase in Database Read Volume</li><li>Large HTML Response Size</li><li>Multiple Requests for the Same File</li><li>Mismatched Port-Application Traffic</li><li>Suspicious Registry or System File Changes</li><li>Unusual DNS Requests</li><li>Unexpected Patching of Systems</li><li>Signs of DDoS Activity</li><li>Bundles of Data in Wrong Places</li><li>Web Traffic with Superhuman Behavior</li></ol>

19
Q

19) Pyramid of Pain

A

<ul><li><strong><span>Hash Values - Trivial</span></strong></li><li><strong><span>IP Address - Easy</span></strong></li><li><span><strong>Domain Names - Simple</strong></span></li><li><strong><span>Network/Host Artifacts - Annoying</span></strong></li><li><strong><span>Tools - Challenging</span></strong></li><li><strong><span>TTPs - Tough!</span></strong></li></ul>

<ul><li>The Pyramid of Pain represents the types of indicators that an analyst must look out for to <span><strong>detect the activities of an adversary</strong></span>, as well as the amount of pain it costs the adversary to adapt, pivot, and continue the attack when the indicators at each level are denied.</li><li>It consists of <strong><span>six types of IoCs</span></strong> that are arranged in increasing order of impact on the adversary and effort for the analyst, respectively.</li><li><span><strong>IoCs at the bottom</strong></span> of the pyramid <strong><span>have less impact</span></strong> on the adversary, whereas <strong><span>IoCs placed at the top</span></strong> not only have a <strong><span>huge impact</span></strong> but also require a vast amount of effort by the analyst to uncover.</li></ul>