Domain 2: Given a scenario, analyze indicators of malicious activity Flashcards
Potentially Unwanted Programs (PUPs)
are programs that are bundled inside other downloads. They often overconsume computer resources and slow your computer down. PUPs are seen as grayware, as they are neither clearly malicious nor fully legitimate. Programs such as Malwarebytes will flag these downloads as PUPs and give you the option to delete them.
Trojans
Trojans are designed to deceive users by their appearance as legitimate software or files, inviting them to download or execute a malicious program.
Remote Access Trojans (RATs)
are stealthy infiltrators in the cyber realm, akin to modern Trojan horses. These hidden invaders are embedded within legitimate files, allowing cybercriminals remote control over compromised systems.
Worm
A “worm” is malware that self-propagates and can reside in a computer’s memory. Unlike other forms of malware, worms possess an inherent ability to independently replicate and spread, reminiscent of biological organisms multiplying in their environment.
Spyware
Spyware is known for its ability to slow down computers, using a computer’s processing power and RAM resources to covertly track user activities by using tracking cookies, before sending this collected information to third parties.
Bloatware
Bloatware disguises itself as a helpful addition to new devices. But beneath this guise lies a drain on performance and storage, sapping resources and slowing operations.
Polymorphic
Polymorphic viruses employ sophisticated techniques to modify their code, making them appear unique with each infection.
Logic bombs
Logic bombs are digital time bombs lying dormant within systems that are designed to trigger specific actions or disruptions at a predetermined time or condition. Triggers can be things such as a certain time, a script, a scheduled task, or logging in to a computer system. Logic bombs can delete files and corrupt data, often aiming to exact revenge, extort money, or compromise security.
Rootkits
Rootkits hide their presence by burying themselves deep within operating systems, thus evading detection. Rootkits possess system-level access (akin to root-level or kernel-level access), which enables them to intercept system-level function calls, events, or messages through hooked processes and thereby exert control over a system’s behavior.
Keyloggers
Keyloggers are silent digital observers that discreetly record keystrokes as users type on their keyboards, capturing sensitive information including passwords and credit card details.
Radio Frequency Identification (RFID) Cloning
Imagine a scenario in which sneaky cyber intruders copy the signals from key cards or badges that allow people to enter secure areas. This method is referred to as RFID cloning; armed with special devices, the culprits copy and mimic these signals, granting themselves access to places where they don’t belong. A similar method, skimming, uses a fake card reader to clone the card. Adding a biometric fingerprint card reader enhances access security by introducing Multifactor Authentication (MFA).
Amplified DDOS
Network-amplified attacks harness the power of a fundamental principle in network communications, which is the ability to send a small request that triggers a much larger response. This principle, when maliciously exploited, leads to the amplification of traffic directed at the victim. Attackers capitalize on protocols that generate significant responses for minimal input, such as the Internet Control Message Protocol (ICMP). This is where the amplification factor comes into play, allowing attackers to overwhelm their targets with a disproportionately massive volume of traffic.
DDOS reflected
In reflected attacks, the attacker obtains the victim’s IP address and crafts packets that appear to come from the victim. These packets are sent to servers that unwittingly send their responses to the victim, leading to a flood of traffic that overwhelms the victim’s server and consumes its entire bandwidth.
DOS
A Denial-of-Service (DoS) attack refers to a type of attack in which one host prevents a victim’s services from working.
DDOS
A Distributed Denial-of-Service (DDoS) attack is launched from multiple hosts, even thousands, to take a victim’s services down. In this attack type, an attacker places malware on computers/devices in order to control them; each compromised machine is a bot, and a group of these bots is called a botnet.
ARP Poisoning
ARP poisoning is an attack in which a Local Area Network (LAN) is flooded with fake ARP messages that map the victim’s IP address to the attacker’s MAC address. Once this happens, traffic meant for the victim is sent to the attacker’s address instead. This can only happen on a LAN; the victim might be a router or a switch.
DNS sinkhole
A DNS sinkhole identifies known malicious domains and ingeniously sends back false information to potential attackers, preventing them from launching an attack. Alternatively, the sinkhole might redirect the malicious actors to a honeypot for further analysis.
Rogue access points
A rogue access point pretends to be a legitimate Wireless Access Point (WAP) to trick users into connecting and sharing sensitive information.
On path
On-path attacks, often referred to as “man-in-the-middle” or interception attacks, involve an adversary positioning themselves to intercept the communication between two parties.
Session replay
When a user connects to a web server, a session token is created (this may be saved as a cookie). The attacker intercepts the cookie using cross-site scripting.
Replay attacks
A replay attack is an on-path attack that intercepts data but resends or “replays” the data at a later date. Kerberos can prevent this by assigning unique sequence numbers and timestamps to each authentication request and
Credential replay attacks
In a credential replay attack, the attacker captures valid credentials (using packet-capturing tools such as Wireshark or tcpdump) during a legitimate login attempt and then uses those same credentials to impersonate the legitimate user and gain unauthorized access.
Credential Stuffing
A credential stuffing attack targets users who submit the same credentials for every system and online application that they log in to, whether it be personal or business.
Bash Shell
The Bash shell is a powerful tool found in most Unix-like operating systems that can nonetheless be exploited for malicious purposes. Attackers may use Bash scripts to execute unauthorized commands, compromise systems, or manipulate files. Common tactics include privilege escalation, file manipulation, and system reconnaissance. A Bash script can be identified by the .sh file extension.
Injection attack
An injection attack involves the malicious insertion of untrusted data into application inputs, exploiting flaws that allow the execution of unintended commands.
Buffer Overflow
Buffer overflow attacks capitalize on poorly managed memory buffers, causing the program to write data beyond the allocated buffer space.
Forgery Attacks
Forgery attacks manipulate data (often through the creation of falsified tokens or requests) with the goal of impersonating legitimate users or applications.
Birthday attacks
The birthday paradox is applied to cryptographic systems, where attackers exploit the surprisingly high likelihood of two distinct inputs producing the same hash value.
Collision
A collision attack shatters the notion that each input produces a unique hash value by finding two distinct inputs that the hash function maps to the same output.
Pass-the-hash attack
These attacks aim to recover user passwords from their hashed representations. The weakness of NTLM is that all of the passwords are stored in the Local Security Authority Subsystem Service (LSASS).
Password spraying
Password sprayers focus on a few common usernames (such as admin, root, or user) and try a list of common passwords (such as 123456, password, password123, letmein, and changeme). You can prevent password spraying by implementing strong password policies, MFA, and monitoring systems for unusual login patterns.
Online password attacks
This is where the attacker tries to guess or crack a user’s password using a website’s login interface.
Offline password attacks
In this attack, the attackers have managed to gain access to a system’s password storage and then attempt to crack the stored passwords offline.
LEAP
Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems.
Exposure Factor
Exposure factor (EF) is the subjective, potential percentage of loss to a specific asset if a specific threat is realized.
Master Service Agreement
The MSA articulates the general terms and conditions governing a contractual relationship between the involved entities. It typically addresses aspects such as payment terms, dispute resolution mechanisms, intellectual property rights, confidentiality clauses, and liability provisions.
Microservices
Microservices allow a large application to be separated into smaller independent parts, with each part having its own realm of responsibility.
Airgapped networks
An air-gapped network is akin to an island: safe, secure, and isolated from other networks that have lesser security and more significant threats. Hence, air gaps are used in extreme-risk or secretive environments such as nuclear power generation and highly classified defence systems.
segmentation types
Network segmentation can be physical or logical. Physical segmentation involves using hardware, such as routers and switches, to divide a network into segments. Logical segmentation uses software to segment a network. The process of physical segmentation divides a larger network into several smaller subnets.
Edge Computing
Edge computing is a distributed computing model that brings computation and data storage closer to the sources of data.
Hyper Threading
Hyper-threading is a hardware innovation that allows more than one thread to run on each core, improving performance.
Clustering
Clustering is the task of dividing unlabeled data points into different clusters such that similar data points fall in the same cluster and dissimilar ones fall in different clusters.
Fail-safe
A fail-safe system is designed so that if one part of it fails, the whole system does not become dangerous.
SNMP trap
An SNMP trap is a type of SNMP protocol data unit (PDU). Unlike other PDU types, with an SNMP trap an agent can send an unrequested message to the manager to notify it of an important event.
HA software
High availability software is software used to ensure that systems are running and available most of the time.
Port Mirroring
Port mirroring is used on a network switch to send a copy of the network packets seen on one switch port (or an entire VLAN) to a network monitoring connection.