Domain 1 Flashcards
Threats, Attacks & Vulnerabilities
POC
Predictor of Compromise is a signal or warning that an incident may occur in the future.
IOC
Indicator of Compromise is substantive or corroborating evidence* that an incident may have occurred or may be occurring now.
*Specific artefacts (Virus Signature, IP address, malicious URL, C2, file changes).
List Malware characteristics
Transparent
Designed to exploit an OS or software vulnerability
OS and device agnostic
Activates programmatically
Responds to commands
Often evades scanning
Virus
Types + Objective + Characteristics
Types:
Boot Sector Virus
File Infector Virus
Macro Virus
Objective: Malicious code whose primary function is to replicate and deliver its payload.
Characteristics:
Requires user intervention (clicking on a link).
Requires a host to execute and replicate.
Stealth, Memory Resident, Polymorphic, Metamorphic.
Worm
Types + Objective + Characteristics
Types: Crypto C&C APT Bot
Objective: Malicious code that exploits known vulnerabilities.
Characteristics:
Self replicating
Takes advantage of network transport features to spread (email attachments, instant messages, network connections).
Trojan
Types + Objective + Characteristics
Types: RAT Backdoor Downloader Keylogger
Objective: Malicious code disguised as a legitimate application.
Characteristics:
Spread through user interaction.
Rootkit
Types + Objectives + Characteristics
Types: Firmware Kernel Persistent Application Library
Objective: Malicious code designed to allow a remote user “root” access.
Characteristics:
Embedded in software or hardware.
Very difficult to remove.
Spyware
Types + Objectives + Characteristics
Types: Keylogger Adware Tracking cookies Click fraud
Objective: Code that collects information without consent.
Characteristics:
Can be used to manipulate configuration settings.
Spreads through user interaction.
Programmatic
Types + Objectives + Characteristics
Types:
Backdoor
Logic Bomb
Objective: Created / inserted by application programmers (coders) or publishers.
Characteristics:
Should be removed prior to production release.
Malware Types:
Stealth
Stealth malware is designed to be inconspicuous in order to avoid detection.
Malware Types:
Memory Resident
Memory Resident malware stays resident in memory upon execution and can infect other programs running at the same time.
Malware Types:
Armored
Armoured malware hides itself by obfuscation or by adding confusing or unnecessary code.
Malware Types:
Polymorphic
Polymorphic malware evades pattern-matching detection by frequently changing identifiable characteristics like file name, file type or encryption keys.
Malware Types:
Metamorphic
Metamorphic malware is rewritten with each iteration so that each succeeding version of the code is different from the preceding one.
Digital infrastructure attacks:
Poisoning
Description + Technique
Description:
Manipulating a trusted source of data (DNS cache, ARP cache). Enables an attacker to control the trusted source of data.
Technique: DNS/ARP cache
Digital infrastructure attacks:
Hijacking
Description + Technique
Description: Intercepting communication between two or more systems. Enables an attacker to eavesdrop, capture, manipulate, and/or reuse data packets.
Technique:
MiTM/ MiTB
Replay
Clickjacking
Digital infrastructure attacks:
Denial of Service
Description + Technique
Description: Overwhelming system resources. Enables an attacker to make services unavailable for their intended use.
Technique:
DoS
DDoS
Digital infrastructure attacks:
Code
Description + Technique
Description: Exploiting weaknesses in server or client-side code or applications. Enables an attacker to take control.
Technique:
Injection
XSS
Wireless Attacks - Close Range
Technique: Bluejacking
Target + Description
Target: Bluetooth
Description: Enables an attacker to discover Bluetooth devices and send unsolicited/unwanted messages.
Wireless Attacks - Close Range
Technique: Bluesnarfing
Target + Description
Target: Bluetooth
Description: Discovering and connecting to a Bluetooth device with weak or non-existent authentication requirements.
Wireless Attacks - Close Range
Technique: NFC Bump
Target + Description
Target: NFC
Description: Enables an NFC-enabled attacker to connect to an NFC device by being in close enough range.
Wireless Attacks - Close Range
Technique: RFID Eavesdropping
Target + Description
Target: RFID
Description: Intercepting communication between RFID Tags and Readers.
Wireless Attacks - 802.11
Technique: Evil Twin
Target: 802.11 + Description
Description: Rogue access point that impersonates a legitimate access point.
Wireless Attacks - 802.11
Technique: Initialisation Vector
Target: 802.11 + Description
Description: Capture of weak initialisation vector (IV) to decrypt data packets.
Wireless Attacks - 802.11
Technique: WPS
Target: 802.11 + Description
Description: Brute force identification of WiFi Protected Setup (WPS) PIN used to override the access point passphrase and gain access to the network.
Wireless Attacks - 802.11
Technique: Jamming
Target: 802.11 + Description
Description: Overwhelming wireless frequencies with illegitimate traffic (DoS).
Wireless Attacks - 802.11
Technique: Disassociation
Target: 802.11 + Description
Description: Spoofing a disassociate message which forces a device to reassociate (often used as a precursor to an Evil Twin attack).
Watering hole attack
Attacker cannot infiltrate your environment so instead attacks an industry related site. Infects the site and waits for you to access the site so that the attacker can then attack you. Visiting the site could download malicious code.
Buffer overflow
Spills over into other memory areas.
Developers can perform a bounds check to make sure that nothing can write into memory where it was not expected.
XML
XML is both human readable and machine readable. Extensible Markup Language can be used for data transfer and storage.
LDAP Injection
Modify LDAP requests to manipulate application results. The attacker can see more information than they would normally have access to.
XSS Non-Persistent
Attacker inputs JavaScript into a search bar or input field, where the script is executed. From that point onwards, whenever anyone visits the site and inputs data, the attacker receives the information via email.
XSS Persistent
Attacker stores JavaScript on a site, allowing any user who accesses the site to run the JavaScript (malicious payload).
Cross site request forgery – XSRF/CSRF:
You trust the web application, browser trusts the webpage. When you authenticate, everything between the browser and website is trusted to be you. The attacker takes advantage of that trust and performs functions for themselves.
DNS Spoofing
Gain control of domain registration and you have control of where traffic goes.
Relay Attack
Attacker gains access to raw network data by installing malware on the victim's machine. The malware captures the data locally and sends it to the attacker. Attackers can then replay the data across the network, making it look like the original user.
Typosquatting
Changing the domain name by, for example, one letter, sending users to a malicious URL (a misspelling such as a typing error, or a different top-level domain such as .org).
ClickJacking
Attacker sets up a webpage to manipulate users into sending money. The webpage has a button that says ‘send £1000 to me’, but the attacker hides the payment button and instead replaces it with a ‘click here for more puppies’ button. The user clicks to see more puppies but instead sends money to the attacker.
Side Jacking
User authenticates with the web server. The web server sends the user a session ID. When the user wants to access the page and automatically log in, the user sends the session ID to the web server; the attacker intercepts and copies the session ID, allowing the attacker to access the site acting as you, with access to everything you have.
To prevent session hijacking, use HTTPS (which encrypts end to end) or a VPN.
Shimming
Filling in the space between two objects. Windows has its own shim mechanism which allows older software to be compatible with the latest Windows OS. Attackers write their own shims to bypass security controls such as UAC and could escalate their privileges.
Refactoring
Metamorphic malware changes the way it looks (its code) every time it is downloaded. Difficult to match with signature-based detection.
Wireless Replay Attacks
Easier to capture data. WEP could not stop the capture of 802.11 packets. Attackers could sit around all day and capture IVs, or replay the ARP request and capture the IV packets that way.
RF Jamming
DoS attack that prevents wireless connectivity. The goal is to decrease the SNR at the receiving device. The jamming device needs to be close. You also need the right equipment to find the jamming device: a directional antenna and an attenuator.
Constant Jamming
Constant jamming with random bits, or constant jamming with legitimate frames, or data sent at random times.
Reactive Jamming
Jamming that starts when someone tries to communicate with the network device, so that the network stops working.
RFID Tag is what type of communication?
Bidirectional communication.
What are the benefits of NFC?
Two-way comms between devices that are close to each other. Payment systems; helps with Bluetooth. An access token helps with payment info over an encrypted channel.
RFID & NFC Attacks.
What are the type of attacks?
Remote capture of traffic over the wireless network. Jamming, causing NFC devices to stop operating. Relay/MiTM attack. Lost device: someone can use your token.
Wireless Disassociation Attack
Connect to an open network and carry on as normal. The network drops and comes back online every once in a while. It’s a significant DoS attack.