CySA+ Study Notes 3 Flashcards

1
Q

An attack vector is a specific means of exploiting some point on the attack surface. MITRE identifies three principal categories of attack vector: (1) Cyber—Use of a hardware or software IT system. Some examples of cyber attack vectors include email or social media messaging, USB storage, a compromised user account, an open network application port, a rogue device, and so on. (2) Human—Use of social engineering to perpetrate an attack through coercion, impersonation, or force. Note that attackers may use cyber interfaces to reach human attack vectors, such as email or social media. (3) Physical—Gaining local access to premises in order to effect an intrusion or a denial of service attack.

A

info

2
Q

??? is assessed by factoring the likelihood of an event and the impact of the event.

??? is measured as a probability or percentage, while impact is expressed as a cost (dollar) value.

A

Risk / Likelihood

3
Q

??? utilizes insights gained from threat research and threat modeling to proactively discover whether there is evidence of TTPs already present within the network or system; it is potentially less disruptive than pen testing.

A

Threat Hunting

4
Q

Establishing a Hypothesis, Profiling Threat Actors and Activities (???): Threat modeling promotes the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be, in terms of compromising system integrity or availability or exfiltrating confidential data.

A

Threat Hunting 2

5
Q

??? In many organizations, relevant data will be collected in a SIEM. In organizations without a SIEM, you will have to analyze log files, process information, and file system/Registry changes from individual hosts, plus packet captures from network sensors. By assuming an attacker’s objectives and capabilities, you can try to predict the tactics and tools they might use to attempt a network intrusion. Each project should demonstrate SMART (Specific, Measurable, Achievable, Realistic, Timely) objectives, and be accompanied by a review process to show how those objectives were or were not met.

A

Threat hunting Tactics

6
Q

Improved detection, integrated intelligence, reducing attack surface area and blocking attack vectors, bundling critical assets.

A

Threat Hunting Benefits

7
Q

??? (1) HTML code—The HTML code of an organization’s web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators. The layout and organization of the code can reveal development practices, capabilities, and level of security awareness. (2) Metadata—Attackers can run metadata scans on publicly available documents using a tool like Fingerprinting Organizations with Collected Archives (FOCA). For example, Microsoft Office documents posted on the Internet may not directly divulge sensitive information about an organization, but an attacker could glean useful information from their metadata, including the names of authors or anyone who made a change to the document.

A

OSINT Gathering Techniques

8
Q

??? is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type and version, plus vendor and ID information. It also gathers metadata, such as IP address, host name, and geographic location. As well as being a popular hacking tool for finding vulnerable Internet of Things (IoT) and industrial control system (ICS) devices, the site offers enterprise features that you can use to monitor your own devices and networks.

A

Shodan (shodan.io)

9
Q

??? An attacker might be able to obtain useful information by examining a company’s domain registration records by running a whois lookup against the appropriate registry.

You can use the nslookup (or dig on Linux) command in interactive mode to attempt a zone transfer.

A website ripper (or copier) is a tool that caches the code behind a website. A tool such as httrack (httrack.com) recurses through each directory of the local site and can follow links to third-party sites to a specified depth. Analyzing the ripped site might reveal vulnerabilities in the code or in the web application used to deliver the content. There might be old or forgotten orphaned pages with useful information. Website ripping is also a means of harvesting email addresses.

A

DNS and Website Harvesting Techniques

10
Q

??? can be performed by a switched port analyzer (SPAN) port (or mirror port). This means that a network switch is configured to copy frames passing over designated source ports to a destination port, which the packet sniffer is connected to. Sniffing can also be performed over a network cable segment by using a test access port (TAP). This means that a device is inserted in the cabling to copy frames passing over it. There are passive and active (powered) versions.

A

Capturing from a network segment
