Domain 2: Given a scenario, analyze indicators of malicious activity (Flashcards)

1
Q

Potentially Unwanted Programs (PUPs)

A

Potentially unwanted programs are bundled into the installer of another program and installed alongside it, often because the user missed an opt-out checkbox. They consume CPU, memory or bandwidth and slow the computer down, and may inject ads or change browser settings. PUPs are classed as grayware: neither clearly malicious nor clearly legitimate. Anti-malware tools such as Malwarebytes flag such downloads as PUPs and offer to remove them.

2
Q

Trojans

A

A Trojan is malware disguised as legitimate software or a harmless file so that the user willingly downloads or executes it. Unlike a worm it does not self-replicate; it depends entirely on deceiving the user into running it.

3
Q

Remote Access Trojans (RATs)

A

A Remote Access Trojan is a Trojan whose payload gives the attacker remote control of the compromised system: running commands, transferring files, capturing the screen, webcam or keystrokes, and typically persisting across reboots. It is delivered hidden inside an apparently legitimate file and calls back to a command-and-control server, so an unexpected outbound connection from a user workstation is a common indicator.

4
Q

Worm

A

A worm is malware that self-propagates across a network without user interaction, usually by exploiting a vulnerability or weak credentials on reachable hosts. Some worms live only in memory and never write to disk, which complicates forensics. Unlike a Trojan, a worm does not need to trick anyone into running it; unlike a virus, it does not need to attach itself to a host program. A sudden surge of identical scanning or connection attempts from one host to many others is the classic indicator.

5
Q

Spyware

A

Spyware covertly monitors user activity (browsing history, searches, keystrokes, screen contents) and sends the collected data to a third party. Because it runs continuously it consumes CPU and memory, which is often why an infected machine feels slow. Tracking cookies are a related but far weaker form of surveillance: they record browsing across sites but do not execute code on the host.

6
Q

Bloatware

A

Bloatware is software preinstalled by the device or OS vendor (trial versions, vendor utilities, promotional apps) that the user did not ask for. It is not malicious by design, but it consumes storage, memory and CPU, slows the device, and enlarges the attack surface: every unused, unpatched application is another place a vulnerability can sit. Removing it is part of hardening a new device.

7
Q

Polymorphic

A

A polymorphic virus changes its own code on each infection, for example by re-encrypting its body with a new key and regenerating the decryption stub, so every copy has a different byte pattern. This defeats static, signature-based antivirus; detection has to rely on heuristics or on the behaviour the code exhibits once it runs.

8
Q

Logic bombs

A

A logic bomb is malicious code that lies dormant inside an otherwise legitimate system or program until a trigger condition is met: a specific date or time, a particular user logging in, a scheduled task running, a counter reaching a value, or the author's account being disabled. When triggered it performs a destructive action such as deleting files, corrupting data or disabling services. Logic bombs are a classic insider-threat technique, planted for revenge, extortion or sabotage, and they are hard to detect because nothing malicious happens until the trigger fires.

9
Q

Rootkits

A

Rootkits hide their own presence (and often that of other malware) by modifying the operating system at a low level. Running with root or kernel privileges, a rootkit hooks system calls, drivers or kernel data structures so that file listings, process lists and network connections omit its artefacts, and it can intercept or alter any system-level function call, event or message to control the system's behaviour. Because the OS itself is lying, detection usually means booting from trusted media and comparing the two views of the system, or relying on measured and secure boot to verify kernel integrity.

10
Q

Keyloggers

A

A keylogger records keystrokes as the user types, capturing passwords, card numbers and private messages. Software keyloggers hook the keyboard input path of the operating system; hardware keyloggers are small devices placed between the keyboard and the computer (or built into a keyboard) and are invisible to host-based anti-malware. MFA with a factor the keylogger cannot capture limits what a stolen password is worth.

11
Q

Radio Frequency Identification (RFID) Cloning

A

RFID cloning copies the data transmitted by an access badge or key card onto a blank card or an emulator, so the attacker's device presents the same credential and opens the same doors. Older proximity cards that broadcast a fixed identifier can be read and cloned by a handheld device held near the victim's pocket or bag; cards that use mutual authentication and encryption are much harder to copy. Skimming is the related technique of placing a fake or modified reader where victims will present their cards, so the card is cloned as it is used. Requiring a second factor at the door, such as a PIN or a fingerprint on a biometric reader, introduces multifactor authentication (MFA) so that a cloned card alone is not enough.

12
Q

Amplified DDOS

A

An amplification attack exploits protocols in which a small request produces a much larger response. The attacker sends many small requests to third-party servers with the source address spoofed to the victim's, so the large responses are delivered to the victim (which is why amplification attacks are almost always also reflected attacks). Connectionless UDP services such as DNS, NTP, memcached and SSDP are favoured because they answer without a handshake and can return tens to thousands of bytes per byte sent; ICMP echo requests to a broadcast address (the classic Smurf attack) work on the same principle. The ratio of response size to request size is the amplification factor, and it lets a modest amount of attacker bandwidth overwhelm a target with a disproportionately large volume of traffic.

13
Q

DDOS reflected

A

In a reflected attack the attacker crafts packets whose source address is the victim's and sends them to third-party servers (the reflectors). The servers reply to the apparent sender, so the victim receives a flood of responses it never requested, consuming its bandwidth. Reflection also hides the attacker's true address, and it is usually combined with amplification so that the reflected traffic is larger than what the attacker sent. Defences include filtering unsolicited responses at the network edge, rate limiting, and ISPs performing source-address validation (BCP 38) so spoofed packets never leave their origin network.
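The two cards above describe the attacker's side. On the defender's side, a reflected or amplified flood shows up in flow records as large inbound responses from well-known UDP service ports that no outbound request from the victim ever solicited. The script below is an added example, not part of the flashcard deck: the flow tuples, the victim address and the set of reflector ports are constructed for illustration, and a real deployment would read flows from NetFlow, sFlow or a capture.

```python
"""Spot reflected/amplified UDP floods in flow records (added example)."""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by source port of the reply.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached", 1900: "SSDP"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes).
VICTIM = "198.51.100.7"
SAMPLE_FLOWS = [
    # Legitimate: the victim queries its own resolver and gets a modest reply.
    (VICTIM, 40001, "192.0.2.53", 53, 60),
    ("192.0.2.53", 53, VICTIM, 40001, 180),
    # Attack: spoofed queries make open resolvers and NTP servers answer the victim.
    ("203.0.113.10", 53, VICTIM, 53, 3500),
    ("203.0.113.11", 53, VICTIM, 53, 3400),
    ("203.0.113.12", 123, VICTIM, 123, 4500),
    ("203.0.113.12", 123, VICTIM, 123, 4500),
]


def solicited_requests(flows, victim):
    """Set of (server_ip, server_port, victim_port) for requests the victim really sent."""
    return {(dst, dport, sport) for src, sport, dst, dport, _ in flows if src == victim}


def unsolicited_reflections(flows, victim):
    """Inbound flows from reflector ports that match no request the victim sent.

    Returns {reflector_port: {"service", "sources", "bytes"}} so an analyst can see
    which protocol is being abused, how many reflectors are involved, and how much
    traffic they delivered.
    """
    asked = solicited_requests(flows, victim)
    hits = defaultdict(lambda: {"service": "", "sources": set(), "bytes": 0})
    for src, sport, dst, dport, nbytes in flows:
        if dst != victim or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dport) in asked:
            continue  # a reply to a query the victim actually made
        entry = hits[sport]
        entry["service"] = REFLECTOR_PORTS[sport]
        entry["sources"].add(src)
        entry["bytes"] += nbytes
    return dict(hits)


if __name__ == "__main__":
    for port, info in unsolicited_reflections(SAMPLE_FLOWS, VICTIM).items():
        print(f"{info['service']} (udp/{port}): {len(info['sources'])} reflector(s), "
              f"{info['bytes']} bytes unsolicited")
```

The check is deliberately stateful in only one direction: it remembers what the victim asked, and anything arriving from a reflector port that was not asked for is suspect. Matching on the victim's ephemeral port as well as the server address is what separates the legitimate resolver reply from the attack traffic on the same port 53.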

14
Q

DOS

A

A Denial-of-Service (DoS) attack is launched from a single host and aims to make a victim's service unavailable to legitimate users, for example by exhausting its bandwidth, connection table, CPU or memory, or by crashing it with a malformed request.

15
Q

DDOS

A

A Distributed Denial-of-Service (DDoS) attack is launched from many hosts at once, often thousands, to take a victim's service down. The attacker first plants malware on computers and devices (increasingly IoT devices) so that they can be controlled remotely; each compromised machine is a bot, and the group under one attacker's control is a botnet. Distribution makes the attack both larger and harder to block by source address.

16
Q

ARP Poisoning

A

ARP poisoning (ARP spoofing) is a LAN attack in which the attacker sends forged ARP replies associating the victim's IP address with the attacker's MAC address. Hosts and the gateway update their ARP caches accordingly, so traffic meant for the victim is delivered to the attacker, who can read or modify it before forwarding it on. Because ARP is not routed, the attack works only within the local broadcast domain. The victim is typically a host or the default gateway (router); poisoning both puts the attacker fully on-path between them. Dynamic ARP inspection on switches and static ARP entries for critical hosts are the usual defences.
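The indicator of ARP poisoning on the wire is contradictory ARP replies: one IP address being claimed by two different MACs, or one MAC claiming several IPs. The script below is an added example, not part of the flashcard deck; the reply list is constructed sample data, and in practice the tuples would come from a packet capture or a tool such as arpwatch.

```python
"""Detect ARP poisoning from a list of ARP "is-at" replies (added example)."""
from collections import defaultdict

# Constructed sample: (timestamp, sender_ip, sender_mac) taken from ARP replies.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    (1.5, "192.168.1.10", "aa:bb:cc:00:00:10"),  # victim workstation
    (2.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (3.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # attacker claims the gateway's IP
    (3.1, "192.168.1.10", "de:ad:be:ef:00:01"),  # and the victim's IP (full MITM)
    (4.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # repeated gratuitous replies
]


def build_arp_table(replies):
    """Map each IP to the set of MAC addresses that have claimed it."""
    table = defaultdict(set)
    for _, ip, mac in replies:
        table[ip].add(mac.lower())
    return table


def detect_ip_conflicts(replies):
    """IPs claimed by more than one MAC, with the claiming MACs sorted."""
    return {ip: sorted(macs) for ip, macs in build_arp_table(replies).items()
            if len(macs) > 1}


def detect_mac_claiming_many(replies, threshold=2):
    """MACs that claim at least `threshold` distinct IPs.

    One interface answering for several addresses is the signature of an attacker
    poisoning both ends of a conversation.
    """
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= threshold}


def detect_arp_poisoning(replies, trusted=None):
    """Combine the checks into human-readable findings.

    `trusted` optionally maps IP -> known-good MAC (for example the gateway), so any
    other MAC answering for that IP is flagged even if only one forged reply was seen.
    """
    findings = []
    for ip, macs in detect_ip_conflicts(replies).items():
        findings.append(f"IP {ip} claimed by multiple MACs: {', '.join(macs)}")
    for mac, ips in detect_mac_claiming_many(replies).items():
        findings.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(ips)}")
    if trusted:
        table = build_arp_table(replies)
        for ip, good_mac in trusted.items():
            for mac in table.get(ip, ()):
                if mac != good_mac.lower():
                    findings.append(f"IP {ip} should be {good_mac} but {mac} answered for it")
    return findings


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES,
                                     trusted={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(line)
```

The trusted-mapping check matters operationally: the gateway's MAC rarely changes, so pinning it lets you alert on the very first forged reply instead of waiting to observe both the genuine and the forged answer in the same capture.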

17
Q

DNS sinkhole

A

A DNS sinkhole is a DNS server that answers queries for known malicious domains (malware command-and-control, phishing sites, malvertising) with a false address, usually a non-routable address or the address of an internal server the defenders control, instead of the real one. An infected host that tries to reach its C2 domain therefore gets nowhere, and the sinkhole's query logs reveal which internal hosts are infected. The redirected traffic can also be sent to a honeypot for further analysis.

18
Q

Rogue access points

A

A rogue access point is a wireless AP attached to the network without authorization. In its attack form, the evil twin, it advertises the same SSID as a legitimate Wireless Access Point (WAP) so that users connect to it, putting the attacker on-path to capture credentials and traffic. A wireless intrusion detection system that inventories authorized APs, together with 802.1X/EAP authentication that lets clients verify the network, are the defences.

19
Q

On path

A

On-path attacks, often called man-in-the-middle or interception attacks, place the adversary between two communicating parties so that traffic passes through a system the attacker controls. From that position the attacker can read, modify or drop messages; ARP poisoning, rogue access points and malicious proxies are common ways of getting on-path. End-to-end encryption with authenticated endpoints (TLS with certificate validation) is the primary defence.

20
Q

Session replay

A

When a user logs in to a web application, the server issues a session token, usually stored as a cookie, that identifies the authenticated session on later requests. In a session replay (session hijacking) attack the attacker steals that token, for example through cross-site scripting that reads the cookie from the victim's browser, or by sniffing an unencrypted connection, and presents it to the server to act as the user without ever knowing the password. Marking cookies HttpOnly and Secure, using TLS throughout, and expiring or re-binding sessions limit the damage.

21
Q

Replay attacks

A

A replay attack is an on-path attack in which the attacker captures legitimate data, such as an authentication exchange or a signed request, and resends it later so that it is accepted a second time. Kerberos counters this by placing a timestamp inside each encrypted authenticator and rejecting any request that falls outside a small clock-skew window (five minutes by default), while a replay cache rejects a repeated authenticator within that window; sequence numbers in the session protect subsequent messages.
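The mechanics in the two cards above (a stolen token being re-presented, and timestamps plus a replay cache defeating it) are shown below as an added example that is not part of the flashcard deck. Kerberos encrypts the authenticator under a session key; here an HMAC-SHA256 over its fields stands in for that encryption, and the class and function names are illustrative. The five-minute window is Kerberos' conventional default.

```python
"""Replay protection with a timestamp and a replay cache (added example)."""
import hashlib
import hmac
import json
import secrets

MAX_SKEW_SECONDS = 300  # Kerberos' default acceptable clock skew


def _tag(session_key: bytes, body: dict) -> str:
    """Integrity tag over the authenticator fields (stands in for Kerberos encryption)."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(session_key, canonical, hashlib.sha256).hexdigest()


def make_authenticator(session_key: bytes, client: str, now: float) -> dict:
    """Client side: bind identity and current time, plus a nonce, under the shared key."""
    body = {"client": client, "timestamp": now, "nonce": secrets.token_hex(8)}
    return {"body": body, "tag": _tag(session_key, body)}


class ReplayGuardedServer:
    """Server side: verifies the tag, the freshness window, and that it has not seen
    this exact authenticator before."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.seen = set()  # replay cache of (client, timestamp, nonce)

    def verify(self, auth: dict, now: float) -> str:
        body = auth["body"]
        if not hmac.compare_digest(_tag(self.key, body), auth["tag"]):
            return "rejected: bad tag"           # forged or tampered
        if abs(now - body["timestamp"]) > MAX_SKEW_SECONDS:
            return "rejected: clock skew"        # too old (or too far in the future)
        key = (body["client"], body["timestamp"], body["nonce"])
        if key in self.seen:
            return "rejected: replay"            # already accepted once
        self.seen.add(key)
        return "accepted"


def replay_scenario():
    """Walk through a genuine login, an immediate replay, a late replay and a forgery."""
    key = b"shared-session-key"               # assumed out-of-band shared key
    server = ReplayGuardedServer(key)
    auth = make_authenticator(key, "alice", now=1_000.0)
    first = server.verify(auth, now=1_001.0)            # genuine request, small skew
    replayed_now = server.verify(auth, now=1_002.0)     # attacker replays within window
    replayed_later = server.verify(auth, now=5_000.0)   # attacker replays an hour later
    tampered = dict(auth, body=dict(auth["body"], client="mallory"))
    forged = server.verify(tampered, now=1_003.0)       # identity swapped, tag now wrong
    return first, replayed_now, replayed_later, forged


if __name__ == "__main__":
    for outcome in replay_scenario():
        print(outcome)
```

Note the order of checks: the freshness window is what keeps the replay cache small, because entries older than the skew window can be evicted, and the tag check comes first so the cache cannot be polluted with unauthenticated garbage.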

22
Q

Credential replay attacks

A

In a credential replay attack the attacker captures the credentials or authentication material exchanged during a legitimate login (with a packet-capture tool such as Wireshark or tcpdump on an unencrypted or downgraded connection) and resends it to authenticate as that user. TLS, challenge-response schemes that include a server nonce, and MFA ensure that what is captured cannot simply be reused.

23
Q

Credential Stuffing

A

Credential stuffing takes username and password pairs leaked in a breach of one site and tries them, at scale and through automation, against many other sites and applications. It succeeds against users who submit the same credentials to every system they log in to, personal or business. Unique passwords (a password manager makes this practical), MFA, and monitoring for many distinct accounts being attempted from many addresses in a short window are the defences.

24
Q

Bash Shell

A

The Bash shell is a powerful tool found in most Unix-like operating systems that can equally be turned to malicious use. Attackers use Bash scripts to run unauthorized commands, establish persistence (cron jobs, profile files), escalate privileges, manipulate or exfiltrate files, and perform reconnaissance of the system and network. A Bash script is usually identified by the .sh extension or a #!/bin/bash first line, though an attacker can name the file anything, so indicators are the commands it runs rather than its name.

25
Q

Injection attack

A

An injection attack supplies untrusted input that the application concatenates into a command, query or other interpreted string (SQL, an OS shell command, LDAP, XML/XPath, a template), so that part of the input is interpreted as code rather than data and unintended commands execute. The fix is to keep code and data separate: parameterized queries and safe APIs, with allow-list validation of input as a second layer.

26
Q

Buffer Overflow

A

A buffer overflow occurs when a program writes more data into a fixed-size memory buffer than it can hold, so the excess overwrites adjacent memory. On the stack this can clobber the saved return address and redirect execution to attacker-controlled code; on the heap it corrupts allocator metadata or neighbouring objects. Bounds-checked languages and APIs, stack canaries, ASLR and non-executable memory (DEP/NX) are the standard mitigations.

27
Q

Forgery Attacks

A

Forgery attacks create falsified tokens or requests so that a system treats the attacker's action as coming from a legitimate user or application. Cross-site request forgery (CSRF) makes a logged-in victim's browser send a state-changing request the victim did not intend, riding on the browser's cookies; server-side request forgery (SSRF) makes the server itself issue requests to internal resources on the attacker's behalf. Anti-forgery tokens and SameSite cookies defend against CSRF; strict allow-lists of outbound destinations defend against SSRF.

28
Q

Birthday attacks

A

The birthday paradox says that among only 23 people there is about a 50% chance two share a birthday, far fewer than the 365 one might expect. Applied to cryptographic hashing, an attacker who can choose both inputs needs only about 2^(n/2) attempts to find two distinct inputs with the same n-bit hash value, rather than the 2^n a targeted search would need. This is why a 128-bit digest offers only about 64 bits of collision resistance, and why MD5 and SHA-1 are no longer acceptable for digital signatures.

29
Q

Collision

A

A hash function is supposed to map each distinct input to a practically unique digest. A collision attack finds two different inputs that produce the same digest, breaking that uniqueness: if the attacker can get one of the pair signed, approved or allow-listed, the other is accepted as well. Practical collisions have been demonstrated for MD5 and SHA-1 (the SHAttered attack), so SHA-256 or stronger should be used wherever collision resistance matters.
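The gap between the two search costs described in the birthday and collision cards above can be measured directly. The script below is an added example, not part of the flashcard deck: SHA-256 truncated to a small number of bits stands in for any n-bit digest, so the search completes in seconds while the ratio between the two attacks stays the same.

```python
"""Birthday (collision) search versus targeted preimage search on a truncated hash
(added example)."""
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for an n-bit hash function."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Generate distinct messages until two share a digest (birthday search).

    Returns (m1, m2, trials). Expected trials ~ sqrt(pi/2 * 2^bits).
    """
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def find_preimage(target: int, bits: int, prefix: bytes = b"pre-"):
    """Search for a message hashing to one *specific* value (second-preimage search).

    Returns (m, trials). Expected trials ~ 2^bits, i.e. the square of the birthday cost.
    """
    i = 0
    while True:
        m = prefix + str(i).encode()
        if truncated_hash(m, bits) == target:
            return m, i + 1
        i += 1


def expected_trials(bits: int):
    """(birthday bound, brute-force bound) for an n-bit digest."""
    n = 2 ** bits
    return math.sqrt(math.pi / 2 * n), float(n)


if __name__ == "__main__":
    bits = 24
    m1, m2, trials = find_collision(bits)
    birthday, brute = expected_trials(bits)
    print(f"{bits}-bit collision after {trials} trials "
          f"(expected ~{birthday:.0f}); targeted preimage would need ~{brute:.0f}")
    print(m1, m2, hex(truncated_hash(m1, bits)))
```

Run it with 24 bits and the collision arrives after a few thousand hashes, while the targeted search would need around sixteen million. Scale the bits up to a real digest and the same square-root relationship is why collision resistance is rated at half the digest length.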

30
Q

Pass-the- hash attack

A

Pass-the-hash does not recover the password at all: the attacker uses a captured NTLM hash directly to authenticate, because in NTLM challenge-response the hash, not the plaintext password, is the secret that proves identity. The hashes of every user logged on to a Windows host are held in memory by the Local Security Authority Subsystem Service (LSASS), and an attacker with local administrator rights can dump them with tools such as Mimikatz and reuse them on other machines. Mitigations include preferring Kerberos and restricting NTLM, Credential Guard, unique local administrator passwords (LAPS), and limiting where privileged accounts may log on.

31
Q

Password spraying

A

Password spraying tries a short list of very common passwords (123456, password, Password1, letmein, changeme) against a large number of usernames, only one or two guesses per account, so that no single account trips the lockout threshold. Usernames are easy to enumerate from an email naming convention or a directory. Detect it by looking for one source failing against many distinct accounts rather than many failures on one account; defend with MFA, banned-password lists, and smart lockout that counts failures per source address as well as per account.
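Password spraying, credential stuffing (card 23) and ordinary single-account brute force each leave a different shape in authentication logs, and telling them apart drives the response (lock the account, block the source, or force resets across the user base). The script below is an added example, not part of the flashcard deck: the log lines and their four-field format are constructed, and the thresholds are illustrative defaults to tune against your own baseline.

```python
"""Classify password spraying, credential stuffing and brute force from auth logs
(added example)."""
from collections import Counter, defaultdict

# Constructed sample log: "HH:MM:SS username source_ip RESULT".
SAMPLE_LOG = """\
10:00:01 alice 203.0.113.5 FAIL
10:00:02 bob 203.0.113.5 FAIL
10:00:03 carol 203.0.113.5 FAIL
10:00:04 dave 203.0.113.5 FAIL
10:00:05 erin 203.0.113.5 FAIL
10:00:06 frank 203.0.113.5 SUCCESS
10:05:00 alice 198.51.100.2 FAIL
10:05:01 alice 198.51.100.2 FAIL
10:05:02 alice 198.51.100.2 FAIL
10:05:03 alice 198.51.100.2 FAIL
10:05:04 alice 198.51.100.2 FAIL
10:05:05 alice 198.51.100.2 FAIL
10:10:00 gina 192.0.2.10 FAIL
10:10:00 hank 192.0.2.11 SUCCESS
10:10:01 ivan 192.0.2.12 FAIL
10:10:01 judy 192.0.2.13 FAIL
10:10:02 kate 192.0.2.14 FAIL
10:10:02 leo 192.0.2.15 SUCCESS
10:30:00 mia 192.0.2.99 SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        events.append({"ts": ts, "user": user, "src": src, "ok": result == "SUCCESS"})
    return events


def classify(events, min_users=5, min_attempts=5, min_sources=5):
    """Return findings for the three patterns.

    spraying:  one source, many distinct users, at most two attempts per user
    brute force: one source hammering a single user
    stuffing:  within one minute, many distinct users from many distinct sources,
               with a high failure rate (a botnet replaying breached pairs)
    """
    findings = []

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        per_user = Counter(e["user"] for e in evs)
        fails = sum(1 for e in evs if not e["ok"])
        if len(per_user) >= min_users and max(per_user.values()) <= 2:
            findings.append({"type": "password_spraying", "source": src,
                             "users": len(per_user), "success": any(e["ok"] for e in evs)})
        elif len(per_user) == 1 and fails >= min_attempts:
            findings.append({"type": "brute_force", "source": src,
                             "user": next(iter(per_user)), "failures": fails})

    by_minute = defaultdict(list)
    for e in events:
        by_minute[e["ts"][:5]].append(e)   # bucket on HH:MM
    for minute, evs in by_minute.items():
        users = {e["user"] for e in evs}
        sources = {e["src"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        if len(users) >= min_users and len(sources) >= min_sources and fails * 2 >= len(evs):
            findings.append({"type": "credential_stuffing", "minute": minute,
                             "users": len(users), "sources": len(sources), "failures": fails})
    return findings


if __name__ == "__main__":
    for f in classify(parse_log(SAMPLE_LOG)):
        print(f)
```

The per-account lockout counter that stops brute force is blind to the first and third patterns by design, which is why the detection has to pivot on source address and on the number of distinct accounts touched. A spraying finding with `success` set to true is the one to act on first: an account has just been compromised with a weak password.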

32
Q

Online password attacks

A

An online password attack submits guesses through the live authentication interface (a website login form, SSH, RDP, a VPN portal). It is slow and noisy: the server throttles it, lockout policies constrain it, and every attempt leaves a log entry, which is why attackers spray or stuff credentials rather than brute-force one account.

33
Q

Offline password attacks

A

In an offline password attack the attacker has already obtained the stored password hashes (a dumped SAM database or NTDS.dit, /etc/shadow, a breached application database) and cracks them on their own hardware, unconstrained by lockouts, rate limits or logging. Slow, salted hashing algorithms such as bcrypt, scrypt or Argon2 raise the cost of every guess and are the main defence.

34
Q

LEAP

A

Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. It is based on MS-CHAP and exchanges the challenge and response without protection, so a captured handshake can be cracked with an offline dictionary attack. It is deprecated and should be replaced with EAP-TLS or PEAP.

35
Q

Exposure Factor

A

Exposure factor (EF) is the estimated percentage of an asset's value that would be lost if a specific threat were realized. It feeds quantitative risk analysis: single loss expectancy (SLE) = asset value x EF, and annualized loss expectancy (ALE) = SLE x annualized rate of occurrence (ARO).

36
Q

Master Service Agreement

A

The MSA articulates the general terms and conditions governing a contractual relationship between the involved entities. It typically addresses aspects such as payment terms, dispute resolution mechanisms, intellectual property rights, confidentiality clauses, and liability provisions.

37
Q

Microservices

A

Microservices split a large application into small, independently deployable services, each responsible for one function and communicating with the others over network APIs. The security consequence is that every service boundary becomes a trust boundary: each call should be authenticated and authorized (for example with mutual TLS in a service mesh), and a compromise of one service should not grant access to the rest.

38
Q

Airgapped networks

A

An air-gapped network has no wired or wireless connection to any other network, above all not to the internet. Isolation removes the remote attack surface entirely, which is why air gaps are used in extreme-risk or highly sensitive environments such as nuclear power plant control systems and classified defence systems. The residual risk is whatever crosses the gap by hand, chiefly removable media and maintenance laptops, as Stuxnet demonstrated.

39
Q

segmentation types

A

Network segmentation can be physical or logical. Physical segmentation uses separate hardware (switches, routers, cabling) so that segments share no equipment at all. Logical segmentation divides a shared infrastructure through software and configuration: VLANs on switches, IP subnets with routing and access control lists, or firewall zones. In both cases the goal is to limit how far an attacker or malware can move laterally after a single host is compromised.

40
Q

Edge Computing

A

Edge computing is a distributed computing model that places computation and data storage close to where the data is produced (sensors, factory floors, retail sites) rather than in a central data centre or cloud, reducing latency and bandwidth use. The trade-off is many more physically exposed devices to patch, monitor and secure.

41
Q

Hyper Threading

A

Hyper-threading is a hardware feature that lets more than one thread run on each physical CPU core, improving throughput. Because the threads share the core's caches and execution units, it has also been the basis of side-channel attacks that leak data between threads, which is why some hardened systems disable it.

42
Q

Clustering

A

In resilience terms, clustering joins several servers so that they act as one system: a failover cluster keeps a service running when a node fails, and a load-balanced cluster spreads work across nodes so that none is a single point of failure. (The same word names the machine-learning task of grouping unlabelled data points so that similar points fall in the same cluster; that is a different sense from the availability control meant here.)

43
Q

Fail-safe

A

A fail-safe design ensures that when one part of a system fails, the whole does not become dangerous: it falls into a predetermined safe state. Which state is "safe" depends on the asset being protected. A door that must let people escape in a fire fails open (fail-safe); a door protecting a data centre fails locked (fail-secure or fail-closed). The failure mode of every control should be chosen deliberately rather than left to chance.

44
Q

SNMP trap

A

An SNMP trap is a type of SNMP protocol data unit (PDU). Unlike the get and set PDUs, which the manager initiates, a trap is sent unsolicited by an agent to notify the manager of a significant event (an interface going down, an authentication failure, a threshold being exceeded). Traps travel over UDP and are unacknowledged, and SNMPv3 should be used so that they are authenticated and encrypted.

45
Q

HA software

A

High availability software keeps systems running and reachable as close to all of the time as possible, typically by monitoring components and automatically failing over to a standby when one fails. Availability is usually expressed as a percentage of uptime (for example 99.99%) written into an SLA.

46
Q

Port Mirroring

A

Port mirroring (SPAN on Cisco switches) configures a network switch to send a copy of the frames seen on one or more switch ports, or on an entire VLAN, to a monitoring port where an intrusion detection system or packet-capture tool listens passively without being in the traffic path.