Domain 1: Threats, Attacks, and Vulnerabilities (24%) Flashcards
*1.5 Actors and threats
White Hat (CompTIA: Authorized) ethical hackers, Penetration Testers
Non-malicious hackers who attempt to break into a company’s systems at their request
*1.5 Actors and threats
Black Hat (CompTIA: Unauthorized)
Malicious hackers who break into computer systems and networks without authorization or permission
*1.5 Actors and threats
Gray Hats (CompTIA: Semi-authorized)
Hackers with no affiliation to a company who attempt to break into that company’s network and risk breaking the law
*1.5 Actors and threats
Script kiddies
Have limited skill and only run other people’s exploits and tools
*1.5 Actors and threats
Hacktivists
Hackers who are driven by a cause like social change, political agendas, or terrorism.
ex: Anonymous
*1.5 Actors and threats
Advanced Persistent Threats (APT)
Highly trained and funded groups of hackers (often by nation-states) with covert and open-source intelligence at their disposal.
*1.5 Threat intelligence sources
Proprietary source
Proprietary is threat intelligence that comes as a commercial service offering, where you’re going to pay for access to these updates and research based on a subscription fee.
Note: Not as useful because these commercial services are just repackaging of information that’s available in free public registries.
*1.5 Threat intelligence sources
Closed-source
Closed-source data is data derived from the provider’s own research and analysis efforts, such as data from the honeynets they operate, plus information mined from their other customer systems, suitably anonymized (stripped of anything that shows which particular person or entity something relates to).
example: FireEye
*1.5 Threat intelligence sources
Open-source
Open-source is data that’s available for use without a subscription. This may include threat feeds similar to those of commercial providers, and it can contain reputation lists and malware signature databases.
Example: US-CERT, UK’s NCSC, AT&T Security (OTX), MISP, VirusTotal, Spamhaus, SANS ISC Suspicious Domains.
*1.5 Threat intelligence sources
Open-source intelligence (OSINT)
Methods of obtaining information about a person or organization through public records, websites, and social media.
Example: Google, Facebook, enumeration scans; public records, websites, and social media.
*1.7 Threat Hunting
A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring. It is proactive, not reactive like incident response.
*1.2 Malware
Malware
Malicious software designed to infiltrate a computer system and possibly damage it without the user’s knowledge or consent.
Examples: viruses, worms, trojan horses, ransomware, spyware, rootkits, spam.
*1.2 Malware
Virus
Malicious code that runs on a machine without the user’s knowledge and infects the computer when executed (10 types: Boot sector, Macro, Program, Multipartite, Encrypted, Polymorphic, Metamorphic, Stealth, Armored, Hoax).
Remember: It needs user interaction, like installing a program or opening a file.
*1.2 Malware
Worms
Malicious software, like a virus, but able to replicate itself without user interaction. Doesn’t need you to do anything.
Example: A user receives an attachment to an e-mail or an instant message that contains a malicious worm. When the attachment is opened, the worm infects the user’s computer and then replicates itself by sending copies of the same e-mail or instant message to everyone in the user’s address book.
*1.2 Malware
Trojans
Trojan horses are malicious software disguised as harmless or desirable software; once downloaded and run, it can take over your computer and may open the door for other programs.
Note: Trojans are usually downloaded through e-mail attachments, websites, and instant messages. They are usually disguised as popular programs such as games, pictures, or music.
*1.2 Malware
Remote Access Trojan (RAT)
A trojan that provides the attacker with remote control of a victim machine.
Note: The ultimate backdoor that provides administrative control of a device (Prof. Messer).
*1.2 Malware
Ransomware
Malware that restricts access to a victim’s computer or their files until a ransom is received (locks your computer).
*1.2 Malware
Spyware
Software that secretly gathers information about the user without their consent. Hint: may include a keylogger.
Note: Adware is a type of spyware that displays ads based on what it has observed about you.
*1.2 Malware
Rootkit
Software designed to gain administrative level control over a system without detection.
Note: DLL injections and driver manipulation = Rootkit
*1.1 Spam
The abuse of electronic messaging systems, most commonly through email.
-social media
-broadcast media
*1.1 Spim
Abuse of instant messaging systems.
-texting
-instant messaging
What is a Threat Vector?
The method used by an attacker to access a victim’s machine
*1.1 What is a Watering hole attack?
When malware is placed on a website (watering hole) that you know your potential victims will access.
Example: A watering hole is a place where animals go to get water; a predator waits by the watering hole for one of the animals to be careless. (Malware is placed at the watering hole for the animals to pick up.)
*1.2 Malware
Botnet
A collection of compromised computers under the control of a master node
*1.2 Malware
Backdoor
Backdoors are used to bypass normal security and authentication functions.
A way for a software programmer to access a program while bypassing its authentication schemes. The backdoor is coded in by the programmer during development so that later she can “break into” her own program without having to authenticate to the system through normal access methods.
Note: Remote Access Trojans (RATs) are the ultimate backdoor: administrative control of a device.
*1.2 Malware
Logic Bombs
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met.
*1.4 Wireless
Bluejacking
Sending of unsolicited messages to Bluetooth-enabled devices.
*1.4 Wireless
Bluesnarfing
Unauthorized access of information from a wireless device over a Bluetooth connection. “taking info”
*1.2 Malware
Backdoor
Code placed in computer programs to bypass normal authentication and other security mechanisms.
- Backdoors are a poor coding practice and should not be utilized.
*1.3 Directory Traversal
Method of accessing unauthorized directories by moving through the directory structure on a remote server.
*1.6 Zero-day
Attack against a vulnerability that is unknown to the original developer or manufacturer.
*1.3 Buffer overflows
Occurs when a process stores data outside the memory range allocated by the developer.
Buffer overflows attempt to put more data into memory than it is designed to hold.
Let’s pretend that you have a glass sitting on a table. It can hold a certain amount of water, right? If it’s designed to hold 16 ounces of liquid but you pour 20 ounces in, well, the cup is gonna overflow with water and the table is gonna get wet. In this example, the glass is our buffer, and when we overflow it with our data, in our case water, the extra is gonna spill out onto the table and make a huge mess.
*1.3 Cross-site scripting
XSS
Cross-site scripting occurs when an attacker embeds malicious scripting commands into a trusted website.
When this occurs, the attacker is trying to gain elevated privileges, steal information from a victim’s cookies, or gain other information stored by the victim’s web browser.
*1.3 Cross-site request forgery
XSRF/CSRF
In a cross-site request forgery, the attacker forces the user to execute actions on a web server to which they have already been authenticated.
For example, let’s say that you’ve already logged into your bank’s website and provided your username and your password. At this point, you’re already authenticated and the website trusts you. If an attacker can send a command to the web server through your authenticated session, they are forging the request to make it look like it came from you. The attacker in this case will be unable to see the web server’s response to his request or commands, but he could still use this to transfer funds from the victim, change their password, or make a myriad of other requests on the victim’s behalf.
*1.3 Injections
Structured Query Language (SQL) injection
Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application.
*1.3 Injections
Extensible Markup Language (XML) injection
XML is the Extensible Markup Language. It is used by web applications for authentication and authorization and for other types of data exchange and uploading.
*1.3 Race condition
A software vulnerability where the resulting outcome of execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
- A race condition vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location.
A really funky way of saying that basically the computer is trying to race itself. So if you’re trying to do something legitimately and the attacker is trying to do something at the same time, and they can get in before you, they have now taken advantage of this race condition to run their thing before you can run yours. And this is a very specific case.
When we talk about a race condition vulnerability, it is found when there are multiple threads attempting to write a variable or object at the same memory location, at the same time.
*1.3 Race conditions
Time of check/Time of Use (TOCTOU/TOC TO TOU)
The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.
If the attacker can identify when the check happened and then act before the resource is used, that is a race condition: they can manipulate the data after it has been checked but before the application uses it, and thereby cause some kind of issue.
How can you prevent race conditions and TOCTTOU?
- Develop applications to not process things sequentially if possible
- Implement a locking mechanism to provide the app with exclusive access
*1.4 Layer 2 attacks
MAC flooding
Attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port.
- Switches can fail-open when flooded and begin to act like a hub
*1.2 Adversarial artificial intelligence (AI)
Machine Learning (ML)
A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified, but without further explicit instructions.
- Machine learning is only as good as the datasets used to train it
*1.2 Password attacks
Spraying
Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
*1.8 Penetration testing
Pivoting
Occurs when an attacker moves onto another workstation or user account.
*1.8 Penetration testing
Persistence
Ability of an attacker to maintain a foothold inside the compromised network.
*1.8 Exercise types
Red team
The hostile or attacking team in a penetration test or incident response exercise.
*1.8 Exercise types
Blue team
The defensive team in a penetration test or incident response exercise.
*1.8 Exercise types
White team
Staff administering, evaluating, and supervising a penetration test or incident response exercise.
*1.7 Syslog/Security information and event management (SIEM)
SYSLOG
A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.
* SYSLOG uses port 514 over UDP
A protocol enabling different appliances and software applications to transmit logs or event records to a central server.
- Syslog follows a client-server model and is the de facto standard for logging of events from distributed systems
*1.7 Syslog/Security information and event management (SIEM)
SIEM
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. SIEM solutions can be implemented as software, hardware appliances, or outsourced managed services.
* Log all relevant events and filter irrelevant data
* Establish and document scope of events
* Develop use cases to define a threat
* Plan incident response to an event
* Establish a ticketing process to track events
* Schedule regular threat hunting
* Provide auditors and analysts an evidence trail
- There are many commercial and open-source SIEM solutions available
Example: Splunk, ELK/Elastic Stack, ArcSight, QRadar, AlienVault and OSSIM, Graylog
*1.7 Security Orchestration, Automation, and Response (SOAR)
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
- SOAR is primarily used for incident response
*1.2 Cryptographic attacks
Collision
Condition that occurs when two different files create the same hash digest.
*1.3 Pass the hash
A technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password.
*1.2 Cryptographic attacks
Birthday attack
Technique used by an attacker to find two different messages that have the same identical hash digest.
- 99% chance of finding a matching birthday in a 57-person group
- 50% chance of finding a matching birthday in a 23-person group
- Collision: occurs when two different inputs to a hash create an identical hash digest output