Cybersecurity Flashcards
What are the seven phases in the cyber kill chain?
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Action on Objective
Reconnaissance
Identify and select a target. Often includes both OSINT and network scanning.
Weaponization
Preparation of the attack payload. Create or get a tool for the attack.
Delivery
Find a way to deliver the payload to the target. This can be done through phishing or drive-by downloads.
Exploitation
Trigger the payload
Installation
Installation of a backdoor or remote access trojan to maintain access.
Command and Control
Establish infrastructure to enable C2 access to the compromised host
Actions on objectives
You have access to the target device and can now fulfill your goal, e.g. ransom or data exfiltration.
Information gathering
Gather information from open sources (OSINT).
Enumeration
Scan the target to get more information about its technical properties:
* Look for open ports.
* Try to figure out what software the targets are running.
Exploitation
About finding and using vulnerabilities. You try to access the systems, which often involves using or building exploits.
Privilege Escalation
Expanding your access to the system.
- Horizontal: You gain access to another account with similar permissions.
- Vertical: You gain access to accounts with different permission levels.
Post-exploitation
The phase in which an attacker realizes their attack objective.
Black-box pentest
When the pentester has no knowledge about the attack target.
- Most similar to a real attack
- Able to capture the "reconnaissance" aspects of an attack
- Often time-consuming, and expensive
- Since the pentester is unaware of how the target works, attack surfaces may be missed
Grey-box pentest
Pentester has some knowledge about the attack target.
- Can speed up the test and therefore limit costs
- Can target certain aspects of the test target
White-box pentest
Pentester has access to full knowledge about the target’s inner workings.
- Typically used for detailed testing of the functionality of the target and expected behavior
- Allows for the entire attack surface to be evaluated
Disclosure ethics
To maximize both interests, it is typical to work under a responsible disclosure policy comprising the following steps:
- Discovery of a vulnerability
- Report the vulnerability to the concerned vendor or organization
- Verification of the vulnerability by the recipient
- Remediation of the vulnerability by the vendor
- Disclosure of the vulnerability once the fix is ready
What is Shodan?
Online tool for searching for devices connected to the internet
MAPE-K
- Monitor
- Analyze
- Plan
- Execute
What are the two broad methods for data analysis?
- Misuse detection
- Anomaly detection
Misuse Detection
Matches signatures of known-bad activity and reports when a hit is found.
- It’s cheap and easy to implement.
- Has a hard time identifying new events.
Anomaly detection
About finding deviations from normal system operations.
- Anomaly detection relies on models (often statistical) that define normal and anomalous behavior
- Events are given a score that reflects how normal they are
False positive
Alert is raised for a benign event
False negative
Alert is not raised for a malicious event
True positive
Alert is raised for a malicious event
True negative
Alert is not raised for a benign event
What are the incident response phases?
- Establishing capabilities
- Handling
- Post-incident activities
Establishing capabilities
How to act when an incident happens. Develop a policy that outlines the rules for incident response work, and have resources available when something happens.
- What an incident is.
- CSIRT contact list
- Contingency plan
- Communication plan
- Resources that the CSIRT can use and allocate
Handling
- Analysis: Investigate the incident
- Mitigation: Containing the incident
- Communication: Legal and compliance, warn others, and maintain trust.
Post-incident activities
Return to normal operation
- Measure the performance of the incident handling and learn from that
- Legal aftermath
- Communication
- Possible long-term business impacts
What is a honeypot?
A system or set of systems offered as bait to attackers
Playbook
A document which outlines the steps for handling a specific type of incident
Contingency plan
A document that outlines the what’s, how’s, and who’s of an incident response in general.
What is someone who works in a SOC analyzing threats and incidents called?
Security analyst
What is Snort?
An IDPS
What are techniques used by malware to avoid detection?
- Encryption
- Polymorphism or Metamorphism
- Memory-resident (file-less)
What is a reason why memory analysis can be powerful?
The data is in its true and most recent form.
What is in metadata?
Time stamps and permissions
Dictionary Attack
A password-cracking attack where you collect a list of candidate words and try them one by one
What is cyber-dependent crime?
A crime that depends on cyber for its execution
What is cyber-enabled crime?
A traditional crime that utilizes cyber
What tool is used to prevent a computer from writing anything to a disk?
Write blocker
What is SPLUNK?
A SIEM
What is a tool for exploiting vulnerable systems?
Metasploit
Rules of Engagement
- Explicit permission to perform the test
- The scope of the test (machines and systems)
- Rules, such as permitted or forbidden techniques, or what the pentester should do upon certain discoveries