Domain One: Threats, Attacks and Vulnerabilities Flashcards
What is an Indicator of Compromise ?
Indicators of compromise are indications or signs that unauthorised activity has compromised an information system.
What are common signs of IOCs ?
- Unusual Outbound Activity
- Anomalies in privileged user account or activity
- Geographical irregularities in network traffic
- Account login red flags - failed attempts
- Increases in database read volumes
- HTML response size increases
- Large number of requests for same files
- Mismatched port-application traffic - Hackers often try to hide what they do by using an encrypted VPN over a standard port
- Suspicious registry or file changes
- Unusual DNS requests - An indicator of a command and control compromise where a bot is trying to contact its command and control server
- Unexpected system patching - Hackers may apply patches to keep other attackers out or to fool a sysadmin into complacency
- Mobile device profile changes
- Bundles of data in the wrong places - An indicator that information has been moved to a location with outbound access as a precursor to exfiltration
- Web traffic with non-human behaviour - Again, bots operating on a fast, repetitive schedule that no human could achieve
- Signs of DDoS attempts even if temporary
What frameworks automate IOCs ?
OpenIOC - Open-source sharing of IOCs
STIX/TAXII/CybOX - Automated sharing of IOCs
What is polymorphic malware ?
Malware that changes its code after each use, making each copy look different to detection tools - for example, by changing the file hash or file type
What is a virus ?
Malware that infects other code, using the host's infrastructure and environment, and runs with that host's executable code and privileges
What is an armoured virus ?
A virus that uses encryption as a layer of protection against reverse engineering
What is ransomware ?
A denial-of-service attack that locks the user out of their system until the encryption key is handed over in exchange for payment.
What is a worm ?
Unlike a virus, which piggybacks on a legitimate host, a worm is self-replicating and does not need a host
What is a Trojan ?
A program that masquerades as having one legitimate function while actually serving another, nefarious purpose
What is a rootkit ?
Software specifically designed to alter the OS in order to facilitate non-standard activity
What is a keylogger ?
Software that logs every keystroke of an end user
What is Adware ?
Software supported by advertising; it can also be a form of malware
What is Spyware ?
Malware that spies on user activity and reports stolen information.
What are bots ?
A piece of software that performs tasks under the control of another program
What is a RAT ?
A Trojan that exposes a back door to enable further attacks
What is a logic bomb ?
A deliberately installed piece of software that remains dormant until some event or time triggers its malicious payload
What are some examples of social engineering ?
Phishing
Tailgating
Impersonation
Third-Party Authorisation
Help Desk/Tech Support
Contractors/Outside Parties
Dumpster Diving - Trawling rubbish and waste for sensitive information
Shoulder Surfing
Hoax - Mainly on social media, trying to get users to change security settings
Watering Hole Attack - Normally a compromised website that draws users in and harvests their information. A watering hole attack differs from phishing and spear-phishing attacks, which typically attempt to steal data or install malware onto users’ devices, although it is often equally targeted, effective, and challenging to prevent. Instead, a watering hole attack aims to infect users’ computers and then gain access to a connected corporate network. Cyber criminals use this attack vector to steal personal information, banking details, and intellectual property, as well as to gain unauthorized access to sensitive corporate systems. Typically, attackers will target public websites frequented by professionals from specific industries, such as discussion boards, industry conferences, and industry-standard bodies.
What is Phishing ?
A bulk-generated, untargeted attempt to elicit information by posing as a trusted third party. Quantity over quality.
What is Spear Phishing ?
A targeted approach with higher success potential than phishing.
What is Whaling ?
A form of spear phishing aimed at a high-value target such as a CEO
What is Vishing ?
Phishing with voice technologies
What is smishing ?
Phishing carried out via SMS
What is Amplification ?
A type of denial-of-service attack designed to generate enough packets to overwhelm a host such as a large server. Typically a ping request is sent to a large network with the return address forged to be that of the target, which is then overwhelmed by the replies.
It is hard to defend against because the traffic is coming from a legitimate source.
What is Buffer overflow ?
One of the most commonly used attacks. Buffer overflows happen when a buffer used to hold input is written with more data than it can hold. This generally happens when bounds checking is absent, either due to poor coding practices or limitations of the language.
The overflow causes adjacent areas of memory to be overwritten, causing instability.
What is Clickjacking ?
This is where an invisible overlay is placed over a website; the user believes that interacting with the site's controls will do what they intend, but instead the overlay does something nefarious such as stealing information or redirecting them.
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees.
How do you mitigate against ClickJacking ?
Client-side methods – the most common is called Frame Busting. Client-side methods can be effective in some cases, but are considered not to be a best practice, because they can be easily bypassed.
Server-side methods – the most common is X-Frame-Options. Server-side methods are recommended by security experts as an effective way to defend against clickjacking.
What is cross site request forgery ?
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
What are the two types of cross site scripting ?
Non-Persistent - The injected script is not stored but is executed immediately and reflected back via the web browser
Persistent - The script is stored permanently on the web server or on some back-end storage system.
DOM-Based - The script is executed by the browser's DOM processing rather than by the web server
What is cross site scripting ?
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data
What is DoS ?
The attacker exploits a known vulnerability in a specific application or operating system, or attacks features of specific protocols or services, in an attempt to deny authorised users access to an information system or its features
What is a distributed DoS (DDoS) ?
A distributed DoS attack is where multiple attack platforms, known as a botnet or zombie net, are used to flood the target system so that the same denial effect is
What is DNS poisoning ?
When the attacker alters the DNS table of the host system, sending a request for a legitimate website to a compromised one.
What is domain hijacking ?
This is another redirection attack, but this time the compromise is of the domain itself as registered. This allows the attacker to potentially install malware when the redirected user lands.
A frequent tactic used by domain hijackers is to use acquired personal information about the actual domain owner to impersonate them and persuade the domain registrar (https://en.wikipedia.org/wiki/Domain_name_registry) to modify the registration information and/or transfer the domain to another registrar, a form of identity theft (https://en.wikipedia.org/wiki/Identity_theft). Once this has been done, the hijacker has full control of the domain and can use it or sell it to a third party.
What is driver manipulation ?
An attack on the system that changes how drivers work, potentially causing the OS to become unstable
What are injections ?
This is down to poor input field validation: the attacker enters code into input fields that gives them access to the underlying infrastructure or information at the same privilege level the application is running under.
What is a man in browser attack ?
The attacker is not located between source and destination but actually inside the browser. This is normally achieved through the installation of malware, which generates a different instruction from the user's original intent. For example, on a bank's website I may think I have updated my contact details, but the malware issues a transfer of funds.
The Man-in-the-Browser attack is the same approach as a Man-in-the-Middle attack, but in this case a Trojan horse is used to intercept and manipulate calls between the main application’s executable (e.g. the browser) and its security mechanisms or libraries on the fly.
The most common objective of this attack is to cause financial fraud by manipulating transactions of Internet Banking systems, even when other authentication factors are in use.
A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction.
Normally, the victim must be smart in order to notice a signal of such attack while they are accessing a web application like an internet banking account, even in presence of SSL channels, because all expected controls and security mechanisms are displayed and work normally.
What is man in the middle attack ?
This is the capturing of information between source and destination. The attacker can observe information before relaying it; to the sending system everything appears normal.
What is Pass the Hash ?
Where systems hash the password and use that to verify the user, if an attacker captures that hash they can mimic the user. Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session.
What is privilege escalation ?
The goal of obtaining higher privilege access than the original access.
What is a replay attack ?
The attacker captures some legitimate information used in a legitimate transaction between a user and a website. The hope is that the same outcome can be gained to the attacker's advantage by replaying the information.
It is much easier to execute this type of attack when a wireless endpoint is in play
What is session hijacking ?
The attacker bypasses any authentication mechanism by hijacking a valid authenticated session.
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token.
Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the web server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it can be used in different ways: in the URL, in the header of the HTTP request as a cookie, in other parts of the header of the HTTP request, or in the body of the HTTP request.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
The session token could be compromised in different ways; the most common are:
Predictable session token;
Session Sniffing;
Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);
Man-in-the-middle attack (https://owasp.org/www-community/attacks/Man-in-the-middle_attack)
Man-in-the-browser attack (https://owasp.org/www-community/attacks/Man-in-the-browser_attack)
What is shimming ?
The act of putting code between the OS and drivers; although legitimate, attackers can place malicious code in between
A driver shimming attack involves the misuse of a helpful tool known as a shim within an operating system like Windows. Driver shims are intended to make older drivers work smoothly with newer software. They bridge the gap between older and newer components.
What is spoofing ?
Can be MAC or IP spoofing; it is a way to pretend that code or a request is coming from a legitimate source
Smurf Attack - The attacker sends a spoofed packet to all systems on a particular network, forging the from address so that the target host receives all the echo replies.
What is URL Hijacking ?
These are redirect attacks where the destination is a clone very similar to the original target, but the URL or the name of the website is slightly different, e.g. eboy.com or bbs.co.uk
What is a Zero Day ?
An attack that has never been seen before, so the vendor has no defence in place via the patching system or other countermeasures.
What is a birthday attack ?
Relies on the law of probability that in a room of 23 people there is a 50% chance that two share the same birthday. A birthday attack assumes that instead of a shared birthday there will be a shared password.
What is BlueJacking ?
This is where a hacker uses your Bluetooth device to send unwanted messages that appear to come from your phone.
What is BlueSnarfing ?
This is where Bluetooth is used to connect to your device with the sole intent of stealing your information.
What is Bruteforce ?
Online brute force is done in real time against the server; remedied by locking accounts out after a specified number of retry attempts
Offline brute force is where the attacker has captured your password file and copied it to an offline location, where they have the time and opportunity to crack it with no network latency. Mitigated by having the right ACLs and encryption solutions in place.
What is a collision ?
This is where two passwords generate the same hash. An attacker can use this to their advantage to change content; mitigated by newer hashing algorithms.
What is a dictionary attack ?
This is a dictionary of common passwords with common alterations, such as an "a" being changed to "@"
What is a disassociation attack ?
This is the act of attackers disconnecting devices from a network. Because most devices are set to reconnect automatically, this gives the attacker a replayable opportunity to capture the password or token used when authenticating.
A disassociation attack is a cyberattack where a hacker forces a device to lose internet connectivity either temporarily or for an extended time. One second, you’re using your internet, and the next, your connection vanishes.
Your phone or laptop will try to reconnect as usual, but your router will be unavailable. The attack can be one where the attacker simply wants to kick you off the network for fun. However, it is seldom so. Most disassociation attacks are by hackers who want a profit.
And usually, in that case, when your device attempts to reconnect to the router, it’ll be connecting to an evil twin (cloned) router the attacker has set up for that purpose. Most people won’t notice a difference when they connect to a cloned router, but their internet activities will be visible to the attacker.
What is a downgrade vulnerability ?
This is where systems are allowed to run weaker protection for the sake of backwards compatibility, such as running an obsolete version of TLS/SSL.
What is an evil twin rogue attack ?
This is where a malicious access point is set up to attract users and allow the attacker to act as a man in the middle. An evil twin is essentially a copy of a legitimate AP, whereas a rogue AP is a malicious AP set up from scratch.
What is an initialisation vector attack ?
When establishing a connection, a randomised identifier is sent between source and destination. If the randomisation is not completely random but guessable, it may allow an attacker to guess a correct sequence and therefore establish a connection for malicious purposes. The connection itself would, however, be seen as perfectly legitimate.
In WEP systems the IV was sent in clear text and was only 24 bits long, which made them vulnerable.
What is an NFC attack ?
Used for transmitting information between mobile phones and a scanning station. Usually used for transmitting financial information.
What is a rainbow tables attack ?
Rainbow tables are a dictionary of how common passwords are represented as hashes. This lends itself to a brute-force type of approach.
A mitigation is to salt the hash. This means adding extra random characters to the thing that is to be hashed.
A rainbow table attack is a password cracking method that uses a special table (a “rainbow table”) to crack the password hashes in a database. Applications don’t store passwords in plaintext, but instead encrypt passwords using hashes. After the user enters their password to login, it is converted to hashes, and the result is compared with the stored hashes on the server to look for a match. If they match, the user is authenticated and able to login to the application.
The rainbow table itself refers to a precomputed table that contains the password hash value for each plain text character used during the authentication process. If hackers gain access to the list of password hashes, they can crack all passwords very quickly with a rainbow table.
An attacker spots a web application with outdated password hashing techniques and poor overall security. The attacker steals the password hashes and, using a rainbow table, the attacker is able to decrypt the passwords of every user of the application.
A hacker finds a vulnerability in a company’s Active Directory and is able to gain access to the password hashes. Once they have the list of hashes they execute a rainbow table attack to decrypt the hashes into plaintext passwords.
Eliminate passwords: The ONLY way to ensure the prevention of password-based attacks is through eliminating passwords. Without a list of password hashes to steal there is no way to execute a rainbow table attack. Learn more about passwordless authentication (https://www.beyondidentity.com/resources/passwordless-authentication) today and keep your most critical applications secure.
Use salting: Hashed passwords should never be stored without salting. This makes the password more difficult to decrypt. However, we recommend eliminating the alphanumeric password altogether.
Use biometrics: Using a biometric method of authentication makes it difficult, if not impossible, for an attacker to use a rainbow table attack effectively. Rainbow table attacks will not work against biometric passwords.
Monitor your servers: Most modern server security software monitors against attempts to access sensitive information and can automatically act to mitigate and trap intruders before they can find the password database.
Don’t use outdated hashing algorithms: Hackers look for applications and servers using obsolete password hashing algorithms MD5 and SHA1. If your application uses either algorithm, your risk for rainbow table attacks substantially increases.
What is an RFID attack ?
Used for security badges and building access, and therefore gives access to attackers if they can copy the technology, or lets them deny access.
What is a weak implementation attack ?
This is the use of older security controls that are not as effective against modern hacking techniques. Such as an older encryption algorithm.