Domain 2: Threats, Vulnerabilities and Mitigations Flashcards
Threat actors
Objective 2.1
Threat actors
- familiarize yourself with the following threat actors; understand their motivations, their level of sophistication, their funding, and whether they are internal or external to an organization
- Nation-state (aka advanced persistent threat)
- Unskilled attacker (aka script kiddie)
- Hacktivist
- Organized crime
- also an APT
- Insider threat
- Shadow IT
Nation-state or APT
• advanced persistent threat (APT)
• carry out attacks against foreign countries or organizations for the benefit of their parent country
• can be made up of the country's military or cyber operations group
• compromise network security of their targets with innovative, sophisticated network attacks through advanced tools and techniques
Unskilled attacker
• “script kiddie”
• low-skilled attacker who knows enough to be dangerous, but may not be able to carry out attacks on their own. Instead, they leverage tools created by others without fully understanding how or why a vulnerability works
Hacktivist
• a person who hacks to further a social or political cause
• target groups out of ethical or philosophical differences
- political, media or financial groups
• actions include defacing websites, leaking information and performing DoS attacks
Organized crime
• organized criminals that use hacking to further their criminal enterprises
• cybercrime is gaining popularity due to the ability to operate from different countries, making prosecution more complex
• examples include ransomware, data theft, extortion, blackmail, and identity theft
• ransomware as a service is a form of attack perpetrated by organized crime groups who will carry out a ransomware attack on a target organization. You bring them the target and ways to deliver the ransomware and they'll split the proceeds with you 80/20 or 90/10
Insider threat
• a threat actor that comes from inside the organization
• threat can be due to malicious action or simply incompetence
• examples include disgruntled or uneducated employees
Shadow IT
• The installation and use of IT systems or software without the permission of the IT department
• may be trying to be helpful to colleagues, but might circumvent policy or undermine security controls in the process
Threat vectors and attack surfaces
Objective 2.2
Social engineering attacks
• message-based attacks
- email (phishing)
- SMS or text messages
- chat - direct messages (DM) or instant messaging (IM)
• Voice-based attacks
- “vishing” or “voice phishing”
- method of talking an individual into doing something they normally would not do
Phishing
Spear phishing
Whaling
File-based attacks
• many forms of malware attack a system through a downloaded file or email attachment
• fileless malware is a form of attack where no file stays resident on the system
- usually a downloader pulls the malware from online, runs it, does the damage and removes itself, making it hard to identify or spot
• images can also be malicious:
- through use of steganography
- Can contain malware hidden inside
- Can contain sensitive information being exfiltrated
Vulnerable software
• software can have a number of security flaws baked in:
- inadvertent oversights
- malicious inclusion, “backdoor”
• to correct discovered vulnerabilities, we must watch for patches and update as necessary
Removable media
• mass storage devices
• data can be exfiltrated from an organization through removable media
• "Airgapped" systems can be compromised through removable media
- Ex. Stuxnet attack on Iranian nuclear facility
Unsupported systems and applications
• any system connected to an organization's network should be identified and monitored
• any software in use at an organization should be listed and watched for updates
• if users are introducing other systems or software that are not receiving regular patches or updates, this is a vulnerability
• two ways to scan for these:
- client-based scanning (agent-based)
• use of a software agent on the endpoint systems to scan software and report back to a central server
- agentless
• use of a network service to scan for (enumerate) hosts and query software installed on those hosts
Insecure networks
• wired
- Active network ports within facilities, especially those in public or obscure areas (e.g. lobby, dining facility, hallways, vacant offices)
• wireless
- lack of wireless security, use of insecure protocols
- Transmitting beyond confines of the facility
• Bluetooth
- disable Bluetooth if not needed
- Monitor connections via Bluetooth
- Be aware that Bluetooth can be an attack vector
Open ports
- any point where data can connect to an internal service is a potential point of attack
- an open port on the host or firewall is a potential vulnerability
- all unnecessary, unneeded services should be disabled and their ports closed
- only required ports should be opened on a firewall
- Data passing through these ports should be monitored and managed for malicious activity
Default credentials
• admin : admin
• leaving the default settings on a system can open an organization up to widespread attacks. Numerous scanners exist that attempt to exploit default login information on commercially available devices.
Supply chain attacks
• type of cyberattack where an attacker goes after a less secure system within the supply chain
• rather than attacking a company directly, the attacker may realize the target information may be in a less protected system elsewhere in the supply chain
• supply chain consists of:
- Managed service providers (MSP)
- vendors
- suppliers
Social engineering
Phishing
• phishing
- is a method of sending digital correspondence that appears legitimate, but is actually meant to lure a potential victim into providing personal information for malicious purposes
• vishing - portmanteau of "voice" and "phishing"
- using phishing techniques over voice calls
• smishing - portmanteau of "SMS" and "phishing"
- using phishing techniques over SMS or text messages
Misinformation and pretexting
Misinformation/disinformation
• providing false or misleading information to a potential victim to sway their line of thinking or trick them into doing something
• ex. “Your computer is at risk. Click here to download the latest security patch now.”
Pretexting
• form of social engineering where an attacker creates a fake backstory to trick a user into doing something against the user's or organization's interest
• ex. Calling ahead to let the front desk know an inspector will arrive that afternoon and will need access to the elevator control room and the primary data center.
Watering hole
• why work hard breaking into a network?
• instead, attackers lie in wait
• let victims come to them
• Typosquatting
- Buying up a domain that is similar to a popular site, hoping to catch victims who mistype a URL or who will go to the site because the link appears similar to the intended trusted site
Vulnerabilities
Objective 2.3
Zero-day
• vulnerability in software or a system that the creators or responsible parties are not aware of
• if exploited by an attacker, no users will have had this vulnerability fixed. Thus, the attack will always succeed.
Application vulnerabilities
• Improper input handling
- when a program incorrectly validates, sanitizes or otherwise handles input
- this results in common exploits such as SQL injection and cross-site scripting (XSS)
• Improper error handling
- if an error divulges too much information to the end user, an attacker can use this to learn about the underlying code
- conversely, graceful and properly logged (rather than displayed) error messages can serve as an indicator of an attack and help determine possible remedies.
Application vulnerabilities continued
• replay attacks
- when an attacker re-transmits valid data with malicious intent
- For example, an attacker might resend a victim's hashed password to fraudulently authenticate with a service as that user. This is referred to as "pass the hash"
OS vulnerabilities
• malicious libraries
- Attackers attack operating systems through malicious libraries that are incorporated into an application when it executes and loads the library
• malicious drivers
- attackers attack the OS through malicious drivers that monitor data transiting the device or carry out malicious activity deeper in the operating system, since drivers are inherently trusted by the OS.
Web vulnerabilities
• SQL injection
- common method of attacking database-backed systems
- if a Web application takes user input and does not validate or sanitize the input, the database will execute whatever the user provides.
- Example:
Web vulnerabilities continued
• cross-site scripting (XSS)
- type of injection attack
- involves injecting malicious scripts, typically JavaScript, into trusted websites
- if the attacker's input is not properly sanitized, the attacker can modify the code, behavior, and/or content of the website
• reflected XSS
- Tells the site to pull in code from another website
• stored XSS
- Gives code to the site to be stored in the database; when the database is queried by subsequent users, the script is executed and alters site behavior for those users