Domain 1 Flashcards

Threats, Attacks & Vulnerabilities

1
Q

POC

A

Predictor of Compromise is a signal or warning that an incident may occur in the future.

2
Q

IOC

A

Indicator of Compromise is substantive or corroborating evidence* that an incident may have occurred or may be occurring now.

*Specific artefacts (Virus Signature, IP address, malicious URL, C2, file changes).

3
Q

List Malware characteristics

A
Transparent
Designed to exploit an OS or software vulnerability
OS and device agnostic
Activates programmatically
Responds to commands
Often evades scanning
4
Q

Virus

Types + Objective + Characteristics

A

Types:
Boot Sector Virus
File Infector Virus
Macro Virus

Objective: Malicious code whose primary function is to replicate and deliver its payload.

Characteristics:
Requires user intervention (clicking on a link).
Requires a host to execute and replicate.
Stealth, Memory Resident, Polymorphic, Metamorphic.

5
Q

Worm

Types + Objective + Characteristics

A
Types:
Crypto
C&C
APT
Bot

Objective: Malicious code that exploits known vulnerabilities.

Characteristics:
Self replicating
Takes advantage of network transport features to spread (email attachments, instant messages, network connections).

6
Q

Trojan

Types + Objective + Characteristics

A
Types:
RAT
Backdoor
Downloader
Keylogger

Objective: Malicious code disguised as a legitimate application.

Characteristics:
Spread through user interaction.

7
Q

Rootkit

Types + Objectives + Characteristics

A
Types:
Firmware
Kernel
Persistent
Application
Library

Objective: Malicious code designed to allow a remote user “root” access.

Characteristics:
Embedded in software or hardware.
Very difficult to remove.

8
Q

Spyware

Types + Objectives + Characteristics

A
Types:
Keylogger
Adware
Tracking cookies
Click fraud

Objective: Code that collects information without consent.

Characteristics:
Can be used to manipulate configuration settings.
Spreads through user interaction.

9
Q

Programmatic

Types + Objectives + Characteristics

A

Types:
Backdoor
Logic Bomb

Objective: Created / inserted by application programmers (coders) or publishers.

Characteristics:
Should be removed prior to production release.

10
Q

Malware Types:

Stealth

A

Stealth malware is designed to be inconspicuous in order to avoid detection.

11
Q

Malware Types:

Memory Resident

A

Memory Resident malware stays resident in memory after execution and can infect other programs running at the same time.

12
Q

Malware Types:

Armored

A

Armoured malware hides itself by obfuscation or by adding confusing or unnecessary code.

13
Q

Malware Types:

Polymorphic

A

Polymorphic malware evades pattern-matching detection by frequently changing identifiable characteristics like file name, file type or encryption keys.

14
Q

Malware Types:

Metamorphic

A

Metamorphic malware is rewritten with each iteration so that each succeeding version of the code is different from the preceding one.

15
Q

Digital infrastructure attacks:

Poisoning

Description + Technique

A

Description:
Manipulating a trusted source of data (DNS cache, ARP cache). Enables an attacker to control the trusted source of data.

Technique: DNS/ARP cache

16
Q

Digital infrastructure attacks:

Hijacking

Description + Technique

A

Description: Intercepting communication between two or more systems. Enables an attacker to eavesdrop, capture, manipulate, and/or reuse data packets.

Technique:
MiTM / MiTB
Replay
Clickjacking

17
Q

Digital infrastructure attacks:

Denial of Service

Description + Technique

A

Description: Overwhelming system resources. Enables an attacker to make services unavailable for their intended use.

Technique:
DoS
DDoS

18
Q

Digital infrastructure attacks:

Code

Description + Technique

A

Description: Exploiting weaknesses in server or client-side code or applications. Enables an attacker to take control.

Technique:
Injection
XSS

19
Q

Wireless Attacks - Close Range

Technique: Bluejacking

Target + Description

A

Target: Bluetooth

Description: Enables an attacker to discover Bluetooth devices and send unsolicited/unwanted messages.

20
Q

Wireless Attacks - Close Range

Technique: Bluesnarfing

Target + Description

A

Target: Bluetooth

Description: Discovering and connecting to a Bluetooth device with weak or non-existent authentication requirements.

21
Q

Wireless Attacks - Close Range

Technique: NFC Bump

Target + Description

A

Target: NFC

Description: Enables an NFC-enabled attacker to connect to an NFC device by being in close enough range.

22
Q

Wireless Attacks - Close Range

Technique: RFID Eavesdropping

Target + Description

A

Target: RFID

Description: Intercepting communication between RFID Tags and Readers.

23
Q

Wireless Attacks - 802.11

Technique: Evil Twin

Target: 802.11 + Description

A

Description: Rogue access point that impersonates a legitimate access point.

24
Q

Wireless Attacks - 802.11

Technique: Initialisation Vector

Target: 802.11 + Description

A

Description: Capture of weak initialisation vector (IV) to decrypt data packets.

25
Q

Wireless Attacks - 802.11

Technique: WPS

Target: 802.11 + Description

A

Description: Brute force identification of WiFi Protected Setup (WPS) PIN used to override the access point passphrase and gain access to the network.

26
Q

Wireless Attacks - 802.11

Technique: Jamming

Target: 802.11 + Description

A

Description: Overwhelming wireless frequencies with illegitimate traffic (DoS).

27
Q

Wireless Attacks - 802.11

Technique: Disassociation

Target: 802.11 + Description

A

Description: Spoofing a disassociation message, which forces a device to reassociate (often used as a precursor to an Evil Twin attack).

28
Q

Watering hole attack

A

The attacker cannot infiltrate your environment, so instead attacks an industry-related site. The attacker infects the site and waits for you to access it so that they can then attack you. Visiting the site could download malicious code.

29
Q

Buffer overflow

A

Spills over into other memory areas.

Developers can perform a bounds check to make sure that nothing can write into memory where it was not expected.

30
Q

XML

A

XML is both human-readable and machine-readable. Extensible Markup Language can be used for data transfer and storage.

31
Q

LDAP Injection

A

Modify LDAP requests to manipulate application results. We can see more information than we would normally have access to.

32
Q

XSS Non-Persistent

A

The attacker inputs JavaScript into a search bar or input field where the script will execute. From that point onwards, whenever anyone visits the site and inputs data, the attacker gets the information via email.

33
Q

XSS Persistent

A

The attacker stores JavaScript on a site, allowing any user who accesses the site to run the JavaScript (malicious payload).

34
Q

Cross site request forgery – XSRF/CSRF:

A

You trust the web application, and the browser trusts the webpage. Once you authenticate, everything between the browser and the website is trusted to be you. The attacker takes advantage of that trust and performs functions for themselves.

35
Q

DNS Spoofing

A

Gain control of domain registration and you have control of where traffic goes.

36
Q

Relay Attack

A

The attacker gains access to raw network data by installing malware on the victim's machine. The malware captures the data locally and sends it to the attacker. The attacker can then replay the data across the network, making it look like the original user.

37
Q

Typosquatting

A

Changing the domain name by, for example, one letter, sending users to a malicious URL (a misspelling such as a typing error, or a different top-level domain such as .org).

38
Q

ClickJacking

A

The attacker sets up a webpage to manipulate users into sending money. The webpage has a button that says 'send £1000 to me', but the attacker hides the payment button and instead replaces it with 'click here for more puppies'. The user clicks to see more puppies but instead sends money to the attacker.

39
Q

Side Jacking

A

The user authenticates with the web server, and the web server sends the user a session ID. When the user wants to access the page and log in automatically, the user presents the session ID. When the ID is sent to the web server, the attacker intercepts and copies it, allowing the attacker to access the site as you, with access to everything you have.

To prevent session hijacking, use HTTPS, which encrypts end to end, or a VPN.

40
Q

Shimming

A

Filling in the space between two objects. Windows has its own shim mechanism which allows older software to be compatible with the latest Windows OS. Attackers write their own shims to bypass security controls such as UAC and could escalate their privileges.

41
Q

Refactoring

A

Metamorphic malware changes the way it looks (its code) every time it is downloaded. This makes it difficult to match with signature-based detection.

42
Q

Wireless Replay Attacks

A

Easier to capture data. WEP could not stop the capture of 802.11 packets. Attackers could sit around all day and capture IVs, or replay the ARP request and capture the IV packets that way.

43
Q

RF Jamming

A

A DoS attack that prevents wireless connectivity. The goal is to decrease the SNR at the receiving device. The jamming device needs to be close. You also need the right equipment to find the jamming device, using a directional antenna and an attenuator.

44
Q

Constant Jamming

A

Constant jamming with random bits, or constant jamming with legitimate frames. Alternatively, data sent at random times.

45
Q

Reactive Jamming

A

When someone tries to communicate with the network device, the network stops working.

46
Q

RFID Tag is what type of communication?

A

Bidirectional communication.

47
Q

What are the benefits of NFC?

A

Two-way communication between devices that are close to each other. Used in payment systems; helps with Bluetooth. An access token helps protect payment info over an encrypted channel.

48
Q

RFID & NFC Attacks.

What are the type of attacks?

A

Remote capture of traffic over the wireless network. Jamming, causing NFC devices to stop operating. Relay/MiTM attack. Lost device: someone can use your token.

49
Q

Wireless Disassociation Attack

A

You connect to an open network and carry on as normal. The network drops and comes back online every once in a while. It is a significant DoS attack.