Domain 1: Threats, Attacks, & Vulnerabilities

Question 1

Shimming
(Driver Manipulation)

Answer 1

Attacker wraps malicious code around legitimate code, such as a driver, to elevate their privilege or install backdoors(

Question 2

Refactoring
(Driver Manipulation)

Answer 2

Restructures older code to improve it without changing the output behaviors or functionality. Refactoring attack takes advantage of this and adds malicious code unbeknownst to the end user

Question 3

Active Reconnaissance

Answer 3

Utilizes an intrusive technique like scanning, hands-on testing, and probing of the network to determine vulnerabilities. Interacting with the system

Question 4

Address Resolution

Answer 4

Converts an IP address to a MAC address

Question 5

Adversary tactics, techniques, and procedures (TTP)
(Research Resources)

Answer 5

Describes the behaviors and strategies used by a threat actor to develop cyberattacks

Question 6

Advisories and Bulletins
(Threat Hunting)

Answer 6

Provide summaries of new vulnerabilities

Question 7

Agile Model (Software Developement)

Answer 7

Process of developing code that is rapid and highly-collaborative.

Software development that is performed in small increments to allow more adaptivity and room to change

Question 8

Application Programming Interface (API) Attacks

Answer 8

Hostile usage, or attempted hostile usage, of an API from automated threats such as access violations, bot attacks or abuse.

Question 9

Radio Frequency Identification (RFID)
(Wireless Attack)

Answer 9

Devices that uses a radio frequency signal to transmit identifying info about the device or token holder

Question 10

Automated Indicator Sharing (AIS)
(Threat Intelligence Sources)

Answer 10

Enables organizations to share & receive machine-readable cyber threat indicators. Speeds up the process of sharing indicators of compromise to support more real-time defense

Question 11

Bash
(Malicious code or script execution)

Answer 11

Shell/Scripting Language

Question 12

Birthday Attack
(Cryptographic Attack)

Answer 12

Occurs when an attacker sends 2 different messages through a hash algorithm and it results in the same identical hash digest causing a collision

Question 13

Brute Force Offline
(Password Attack)

Answer 13

Attacker has access to encrypted material or password hash & tries different keys offline without the risk of discovery

Attempt to discover passwords from a captured database or captured packet scan

Focuses on trying multiple passwords for a single user

Question 14

Bug bounty
(Penetration Testing)

Answer 14

Deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bug

Question 15

Cleanup
(Penetration Testing)

Answer 15

Ensures that all installed backdoors or rootkits have been removed, and it should return the system configuration to its original, pre-engagement state

Question 16

Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS)
(Vulnerability Scans)

Answer 16

Provides a reference-method for publicly known information-security vulnerabilities and exposures.

Question 17

Configuration review
(Vulnerability Scans)

Answer 17

Audits and tests a network system, server or device to ensure it meets current security standards along with any applicable security policies

Question 18

Credential Harvesting
(Social Engineering Techniques)

Answer 18

Attacks that stockpile databases of usernames, passwords, & sensitive info

Question 19

Credentialed Scans
(Vulnerability Scans)

Answer 19

Provides more accurate scanning to better identify attacks

Question 20

Criminal syndicates

Answer 20

Criminal Organization

Question 21

Cross Site Request Forgery (CSRF)

Answer 21

Attack that forces end user to execute unwanted actions on a web application where they’re currently authenticated

Question 22

Crypto malware

(Malware)

Answer 22

Type of ransomware that uses encryption to block access to data. Difficult to overcome without paying the ransom or having a backup

Question 23

Data exfiltration

Answer 23

Occurs when malware or an attacker carries out an unauthorized data transfer from a computer

Question 24

Disassociation
(Wireless Attack)

Answer 24

Hacker forces a device to lose internet connectivity either temporarily or for extended time

Question 25

DNS Poisonings

Answer 25

Occurs when the name resolution info is modified in the DNS server’s cache

Question 26

Domain Hijacking

Answer 26

Domain Hijacking – Attacker tries to take control of domain. Attacker might use the victim’s email account to request a password reset, then using the new password…login to the domain system and change ownership

Question 27

Domain Reputation
(DNS)

Answer 27

Overall “health” of your branded domain…interpreted by mailbox providers

Question 28

Driver Manipulation

Answer 28

Attacker dives deep into device drivers and manipulate them so that they can undermine the security on your computer

Question 29

DLL Injection
(Injection)

Answer 29

Dynamic Link Library -
a technique that allows users to run any code in the memory of another process, by forcing the process to load a foreign DLL file

Question 30

XML Injection
(Injection)

Answer 30

Extensible Markup Language -
XML is commonly used to transfer data between devices…Attackers perfom XML injection by sending malicious XML to a device

Attack technique used to manipulate the logic of an XML application/service. The injection of unintended XML content and/or structures into an XML message can alter the intend logic of the application

Question 31

File/Code Repositories
(Threat Intelligence Sources)

Answer 31

Archive of code/files that are being worked on

Question 32

Footprinting

Answer 32

Means gathering info about a target system that can be used to execute a successful cyber attack

Question 33

Hybrid warfare (Influence Campaign)
(Social Engineering Techniques)

Answer 33

Mixture of conventional and unconventional methods used against a stronger adversary that aims to achieve political objectives that wouldn’t be possible with traditional warfare

Question 34

Intelligence Fusion
(Threat Hunting)

Answer 34

Unification of all security and related functions into one operational group to better integrate threat detection, management, and response processes

Question 35

Intrusive scans
(Vulnerability Scans)

Answer 35

Attempt to exploit a vulnerability when it’s found

Question 36

Non-intrusive Scans
(Vulnerability Scans)

Answer 36

Identify a vulnerability and report on it.

Question 37

Jamming
(Wireless Attack)

Answer 37

Attacker floods target with radio signals to disrupt legit traffic. Causes DOS condition

Question 38

What are Layer 2 Attacks?

Answer 38

Data link layer Attacks

Question 39

Legacy Platforms

Answer 39

An operating system no longer in widespread use

Question 40

Lightweight Directory Access Protocol (LDAP) - (Injection)

Answer 40

Attack that modifies queries and commands to the LDAP server to manipulate its behavior

Question 41

Log aggregation
(SIEM)

Answer 41

Process of collecting, standardizing, and consolidating log data from across an IT environment to facilitate streamlined log analysis

Question 42

Log collectors
(SIEM)

Answer 42

Process of collecting log entries from many different sources in an organization and bringing them all to a single place

Collects log data from devices throughout the network and stores these logs in a searchable database

Question 43

MAC Flooding

Answer 43

Attempt to overwhelm the limited memory set aside to store the MAC addresses for each port

Question 44

Macros
(Malicious code or script execution)

Answer 44

Instruction that carries out program commands automatically within an application. Typically used in popular office applications…Microsoft Word and Excel. Macro viruses attack applications

Question 45

Maneuvers
(Threat Hunting)

Answer 45

Process of gathering information resources to obtain a strategic, operational, or tactical competitive advantage

Question 46

Memory Leak

Answer 46

Form of memory consumption where the developer fails to free an allocated block of memory when no longer needed

Question 47

Network Scan
(Vulnerability Scans)

Answer 47

Identifying weaknesses on a computer, network

Question 48

Non-credentialed Scans/Uncredentialed
(Vulnerability Scans)

Answer 48

Provide a quick view of vulnerabilities by only looking at network services exposed by the host

Generally unable to detect many vulnerabilities on a device.

Question 49

Brute Force Online
(Password Attack)

Answer 49

Attacker tries to gain access to a single account by guessing several different passwords while the system is online.

*ncrack can automate this process

Question 50

OSINT (Open source intelligence)

Answer 50

The act of gathering and analyzing publicly available data for intelligence purposes.

Gathering info that is public, via websites and social media

Question 51

Outsourced code development
(3rd Party Risks)

Answer 51

Takes place when companies choose to have custom software solutions developed by a third party

Question 52

Packet capture
(SIEM)

Answer 52

The action of capturing Internet Protocol (IP) packets for review or analysis. Common troubleshooting technique for network administrators and is also used to examine network traffic for security threats.

Protocol analyzers (sometimes called sniffers) capture network traffic allowing administrators to view and analyze individual packets.

Question 53

Pass the Hash

Answer 53

Attacker captures a password hash and then passes it through for authentication and potentially lateral access to other networked systems. Attacker doesn’t need to decrypt the hash to obtain plain text password

Process of harvesting an account’s cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems

Question 54

Passive Reconnaissance

Answer 54

Utilize open source info, the passive collection and analysis of the network data and other unobtrusive methods without making direct contact with targeted systems. Uses social media, public info

Question 55

Persistence
(Penetration Testing)

Answer 55

When a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials

Question 56

Pharming
(Social Engineering Techniques)

Answer 56

Occurs when attacker redirects one website’s traffic to another website that is malicious

Question 57

Pivoting
(Penetration Testing)

Answer 57

Process of using an exploited system to target other systems

Process of using various tools to gain additional information. Ex: A tester gains access to Homer’s computer within a company’s network. The tester can then pivot and use Homer’s computer to gather information on other computers

Question 58

Pointer/object dereference

Answer 58

Used to access or manipulate data contained in memory location pointed to by a pointer.

*A pointer is a variable that stores the address of another variable

Question 59

Predictive Analysis
(Threat Intelligence Sources)

Answer 59

The use of data, statistical algorithms and machine learning techniques to identify the likelihood of future outcomes based on historical data.

Question 60

Prepending
(Social Engineering Techniques)

Answer 60

When an attacker attaches a trustworthy value to the beginning of a message to make it look legit. Tricks user into doing something they usually would not

When attacker adds code to the beginning of a presumably safe file

Question 61

Pretexting
(Social Engineering Techniques)

Answer 61

Attacker tries to convince victim to give up valuable info by coming up with a story to fool the victim

Question 62

ARP Poisonings

Answer 62

Attacker sends falsified ARP messages over a local area network (LAN) to link an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Allows the attacker to intercept or alter messages to the real MAC address

Carried out over a Local Area Network (LAN) that sends malicious ARP packets to a default gateway on a LAN

Question 63

Python
(Malicious code or script execution)

Answer 63

Scripting/Coding Language

Normally have a .PY or .PYW file extension.

Question 64

Rainbow Table
(Password Attack)

Answer 64

List of precomputed values used to quickly break a password since values don’t have to be calculated for each password being guessed. Can’t be edited during actual attack

Precalculated hashes of passwords with a given character base (e.g., a–z, A–Z, 0–9, and 7 characters long) that can be quickly looked up to determine a password. Time consuming to make

Question 65

Reconnaissance
(Social Engineering Techniques)

Answer 65

Practice of covertly discovering and collecting info about a system

Question 66

Replay Attack

Answer 66

Attacker eavesdrops on a secure network communication, intercepts it, and then delays or resends it to misdirect the receiver into doing what the attacker wants

Network attack where valid data transmission is captured and is then maliciously repeated or delayed

Question 67

Rogue Access Point
(Wireless Attack)

Answer 67

Wireless access point that’s been installed on a secure network without authorization from a local network administration

Question 68

Secure Sockets Layer Stripping (SSL Stripping/Downgrading)

Answer 68

Takes advantage of users not requesting secure pages explicitly and relying on the web servers to redirect them to the secure version. Strips a connection from an HTTPS connection to a lesser HTTP connection

Question 69

Security of machine learning algorithm
(AI Attack)

Answer 69

Can help businesses analyze threats & respond to attacks & security incidents. Build models of behaviors & use those models as a basis for making future predictions based on new data.

Ex: Netflix suggesting new movies based on your viewing history.

Question 70

Security orchestration, automation, and response (SOAR)

Answer 70

Technology helps coordinate, execute and automate tasks between various people and tools all within a single platform give organizations a single source for observing, understanding, deciding upon and acting on security incidents

Pulls info from external emerging threat intelligence feeds, endpoint security software and other 3rd party resources to get a better picture of the security landscape inside the network and out.

Uses runbooks to automate incident response thus reducing incident response time

Question 71

Sentiment analysis
(SIEM)

Answer 71

Technique used to determine whether data is positive, negative or neutral

Question 72

Server Side Request Forgery (SSRF)

Answer 72

Attack against server. Attacker causes server to make a connection to internal-only services within the organization’s infrastructure. Or attacker may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data

Question 73

Session Replay

Answer 73

Attacker steals a valid session ID of a user, then reuses it to impersonate them and perform fraudulent activities

Question 74

Shadow IT

Answer 74

Any IT used by a department without the central IT department knowing or approving it

Question 75

SIEM

Answer 75

Security Information and Event Management-provides a centralized solution for collecting, analyzing, and managing data from multiple sources

Tools used to centrally collect log data related to IT activity that can then be analyzed for potential security incidents

Question 76

Skimming
(Physical Attack)

Answer 76

Technique used by attackers to capture credit card info from a cardholder secretively

Question 77

State Actors

Answer 77

Person who’s acting on behalf of a governmental body

Question 78

Structured query language Injection (SQL Injection)
(Injection)

Answer 78

Attack where the injection of an SQL query via input data from the client to a web application.

Occurs when you ask a user for input, like their username, and instead of a username, the user gives you an SQL statement that you will unknowingly run on your database. 1=1

Question 79

Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Intelligence Information (TAXII)
(Threat Intelligence Sources)

Answer 79

Structured language for describing cyber threat info so it can be shared, stored, analyzed, and used in a consistent manner that facilitates automation

Question 80

Supply Chain

Answer 80

Companies/people that are involved in the production & delivery of a product or service to consumer

Question 81

Supply Chain Attacks (value-chain or 3rd-party attack)

Answer 81

Occurs when someone infiltrates your system through an outside partner or provider with access to your systems & data

Question 82

Supply chain risk
(3rd Party Risks)

Answer 82

Occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data

Question 83

Syslog/Security information and event management (SIEM)

Answer 83

Security software solution that helps organizations recognize potential security threats and vulnerabilities before they can disrupt business operations.

Uses several security resources to aggregate log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring.

A centralized solution for collecting, analyzing, and managing data from multiple sources Provides real-time monitoring, analysis, and notification of security events, such as suspected security incidents

Question 84

Tainted training data for machine learning (ML)
(AI Attack)

Answer 84

Training data is the data you use to train a machine learning algorithm or model…attackers can taint this data by injecting dirty data causing machine to misbehave

Question 85

Threat Maps
(Threat Intelligence Sources)

Answer 85

Real-time map of the computer security attacks that are going on at any given time

Question 86

Visual Basic for Applications (VBA)
(Malicious code or script execution)

Answer 86

Shell/Scripting Language

Question 87

Vulnerability databases
(Threat Intelligence Sources)

Answer 87

Collection of searchable information on vulnerabilities that affect information systems. Tool that lets to access information on known vulnerabilities

Question 88

War driving

Answer 88

Driving around with a looking for open unsecured wireless networks

Question 89

War flying

Answer 89

Person uses an UAV (drone) instead of a vehicle to detect unsecured wireless networks

Question 90

Waterfall Model (Software Developement)

Answer 90

Sequential model that divides software development into pre-defined phases.
Not very flexible and difficult to implement revisions

Question 91

Port-based VLAN

Answer 91

You can assign specific routers and switch ports to different VLANs, which allows you to assign any network segment on any floor of your office to a specific VLAN. This provides flexibility so that the user’s location does not limit their network access

Question 92

Subnetting

Answer 92

Breaking down an IP address into smaller units that can be assigned to individual network units within the original network

The process of dividing IP addresses into smaller subunits that can later be assigned to multiple network devices in a network

Divides an IP address into two parts, namely network address and host address