Intro to Ethical Hacking Flashcards

1
Q

What this Module Covers

A

Describe the elements of information security

Explain information security attacks and information warfare

Describe cyber kill chain methodology, TTPs, and IoCs

Describe hacking concepts, types, and phases

Explain ethical hacking concepts and scope

Understand information security controls (defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management process, and AI/ML)

Know about the information security acts and laws

2
Q

Module Flow

A
  1. Information Security Overview
  2. Cyber Kill Chain Concepts
  3. Hacking Concepts
  4. Ethical Hacking concepts
  5. Information Security Controls
  6. Information Security Laws and Standards
3
Q

Major 5 Elements of information Security

A

Confidentiality

Integrity

Availability

Authenticity

Non-Repudiation

4
Q

Confidentiality

A

Information or data is accessible only to authorized users

5
Q

Integrity

A

Prevents the data from unauthorized changes

6
Q

Availability

A

Assuring that the systems responsible for transferring, storing and processing information are accessible when required by authorized parties

7
Q

Authenticity

A

Ensures the genuineness of data

The major role of authenticity is to ensure that the user is genuine

8
Q

Non-Repudiation

A

A guarantee that the sender of a message cannot later deny having sent the message

And the recipient cannot deny having received the message

9
Q

Confidentiality Breaches

A

May occur due to improper data handling or a hacking attempt

10
Q

Confidentiality controls

A

Data classification
Data encryption
Proper disposal of equipment (such as HDD, USB, PC, RAM, etc.)

11
Q

Measure of integrity

A

Checksum:

A number produced by a mathematical function to verify that a given block of data has not changed

12
Q

Measures of Availability

A

Disk arrays for redundant systems and clustered machines

Antivirus software to combat malware

Distributed denial of service prevention systems

13
Q

Authenticity controls

A

Biometric
Smart Card
Digital certificates

14
Q

Measure of Non-Repudiation

A

Using a Digital signature to ensure non repudiation

15
Q

Topics covered in the information security overview

A

Elements of information security
Classification of attacks
Information warfare

16
Q

Attacks

A

Motive(Goal) + Method + Vulnerability

17
Q

Attack Motives

A

Attack motives originate from targeting a valuable resource, whether it is data or an information processing system.

System vulnerabilities allow hackers to attempt an attack using attack techniques

18
Q

Motives behind information security attacks

A

Disrupting business continuity

Stealing information and manipulating data

Creating fear and chaos by disrupting critical infrastructures

Causing financial loss to the target

Propagating religious or political beliefs

Achieving state military objectives

Damaging the reputation of the target

Taking revenge

Demanding ransom

19
Q

Classification of Attacks

A
Passive Attacks
Active Attacks
Close-in Attacks
Insider Attacks
Distribution Attacks
20
Q

Passive Attacks

A

Intercepting and monitoring network traffic and data flow on the target network

Does not tamper with the data

The attacker performs reconnaissance on network traffic using a sniffer

This kind of attack is difficult to detect because the attacker does not interact with the end user's system

21
Q

Example of passive attacks

A
Sniffing
Eavesdropping
Footprinting
Network traffic analysis
Decryption of weakly encrypted files
22
Q

Active attacks

A

Tamper with data in transit or break into the security system

Penetrate or infect the target's internal network and gain access to remote systems to compromise the internal network

23
Q

Example of Active attacks

A

DOS

Man-in-the-Middle

Session Hijacking

SQL Injection

Firewall and IDS attack

Bypassing protection mechanisms

Profiling

Malware attacks

Privilege escalation

Backdoor access

Spoofing attacks

Cryptography attacks

Replay attacks

Password based attacks

XSS attacks

Exploitation of application and OS software

DNS and ARP poisoning

Compromised Key attack

24
Q

Close-In Attacks

A

The attacker performs the attack while physically close to the target system or network, in order to gather the information needed to carry out the attack

25
Examples of close-in attacks
Social engineering such as eavesdropping, shoulder surfing and dumpster diving
26
Insider Attack
Insider attacks involve using privileged access to violate rules or intentionally cause a threat to the organization's information
27
Example of Insider attack
Planting keyloggers, backdoors, malware
Eavesdropping, wiretapping
Theft of physical devices
Data theft and spoliation
Pod slurping
Social engineering
28
Distributing Attacks
Tamper with hardware or software prior to installation
29
Example of Distributing Attacks
Modification of software or hardware during production
Modification of software or hardware during distribution
30
Information warfare
Refers to the use of ICT (information and communication technologies) to gain competitive advantages over an opponent
31
Example of Information Warfare
Viruses
Worms
Trojan horses
Logic bombs
Trap doors
Nanomachines
Microbes
Electronic jamming
Penetration exploits and tools
32
Martin Libicki's information warfare categories
Command and Control warfare (C2 warfare)
Intelligence-based warfare
Electronic warfare
Psychological warfare
Hacker warfare
Economic warfare
Cyberwarfare
33
Command & Control Warfare
The influence an attacker possesses over a compromised system
34
Intelligence-based warfare
Sensor-based technology that directly corrupts technological systems
35
Electronic Warfare
Uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical layer; cryptographic techniques use bits and bytes to disrupt.
36
Psychological warfare
Uses various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in battle
37
Hacker warfare
The purpose of this warfare can vary from the shutdown of systems, data errors, theft of information, theft of service and system monitoring to false messaging and access to data
38
Economic Warfare
Can affect the economy of a business or nation by blocking the flow of information
39
Cyberwarfare
Use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare. It includes information terrorism, semantic attacks and simula-warfare
40
Information warfare consists of?
Defensive and offensive strategies
41
Defensive information warfare
Involves all strategies and actions to defend against attacks on ICT assets:
Prevention
Deterrence
Alert
Detection
Emergency preparedness
Response
42
Offensive information warfare
Involves attacks against the ICT assets of an opponent:
Web application attacks
Web server attacks
Malware attacks
MITM attacks
System hacking
43
Cyber Kill Chain concept
The cyber kill chain is an efficient and effective way of illustrating how an adversary can attack the target organization. This model helps organizations understand the various possible threats at every stage of an attack and the necessary countermeasures to defend against such attacks. It provides security professionals with clear insight into the attack strategy used by the adversary, so that different levels of security controls can be implemented to protect the IT infrastructure of the organization.
44
Topics in the Cyber Kill Chain methodology
Common TTPs
Behavioral identification of adversaries
Indicators of Compromise
45
Cyber Kill Chain Methodology
An intelligence-driven defense for the identification and prevention of malicious intrusion activities. Provides greater insight into the attack phases. Helps security professionals understand the adversary's tactics, techniques, and procedures beforehand.
46
The cyber kill chain framework was developed for
Securing cyberspace based on the concept of military kill chains
47
The Cyber Kill Chain method aims to
Actively enhance intrusion detection and response. The cyber kill chain is equipped with a seven-phase protection mechanism to mitigate and reduce cyber threats.
48
Understanding cyber kill chain methodology
Helps security professionals leverage controls at different stages of an attack and prevent the attack before it succeeds. It also provides greater insight into the attack phases, which helps in understanding the adversary's TTPs beforehand.
49
Various phase of cyber kill chain methodology
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives
50
Reconnaissance
An adversary performs reconnaissance to collect as much information about the target as possible and to probe for weak points before actually attacking. They look for publicly available information.
51
Activities of the adversary during reconnaissance
Gathering information about the target organization by searching the internet or through social engineering
Performing analysis of various online activities and publicly available information
Gathering information from social networking sites and web services
Obtaining information about websites visited
Monitoring and analyzing the target organization's website
Performing whois, DNS, and network footprinting
Performing scanning to identify open ports and services
52
Weaponization
Analyzes the data collected during reconnaissance to identify the vulnerabilities and the techniques that can exploit them to gain unauthorized access to the target. Based on the vulnerabilities, creates a tailored, deliverable malicious payload.
53
Activities of the adversary during weaponization
Identifying the appropriate malware payload based on the analysis
Creating a new malware payload, or selecting, reusing or modifying available malware payloads based on the identified vulnerabilities
Creating a phishing email campaign
Leveraging exploit kits and botnets
54
Delivery
Transmits the payload to the target as an email, via a malicious link on a website, through a vulnerable web application, or on USB drives
56
Why delivery is a key stage
It measures the effectiveness of the defense strategies implemented by the target organization, based on whether the adversary's intrusion attempt is blocked or not
57
Activities of adversary while performing delivery
Sending phishing emails to employees of the target organization
Distributing USB drives containing a malicious payload to employees of the target organization
Performing attacks such as watering hole attacks on a compromised website
Using various hacking tools against the operating systems, applications and servers of the target organization
58
Exploitation
After the weapon is transmitted to the intended victim, exploitation triggers the adversary's malicious code to exploit a vulnerability in the operating system, application, or server on the target system
59
Threats victims may face during exploitation
Authentication and authorization attacks
Arbitrary code execution
Physical security threats
Security misconfiguration
60
Activities of adversary while exploiting
Exploiting software or hardware vulnerabilities to gain remote access to the target system
61
Installation
The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period. After the injection of malicious code, the adversary gains the capability to spread the infection to other systems in the network. To hide the presence of malicious activities from security controls, the adversary uses various techniques such as encryption.
62
Activities of adversary on installation phase
Downloading and installing malicious software such as backdoors
Gaining remote access to the target system
Leveraging various methods to keep the backdoor hidden and running
Maintaining access to the target system
63
Command and control
Creates a command and control channel, which establishes two-way communication between the victim's system and the adversary-controlled server to communicate and pass data back and forth
64
Activities of adversary on C2 phase
Establishing a two-way communication channel between the victim's system and adversary-controlled servers
Leveraging channels such as web traffic, email communication, and DNS messages
Applying privilege escalation techniques
Hiding any evidence of compromise using techniques such as encryption
65
Actions on Objectives
The adversary controls the victim's system from a remote location and finally accomplishes their intended goals. The adversary gains access to confidential data, disrupts the network, or destroys the capability of the target by gaining access to the network and compromising more systems. It is also a launching point for other attacks.
66
Tactics, Techniques, and Procedures (TTPs)
TTPs refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors. They are helpful in analyzing threats and profiling threat actors, and can further be used to strengthen the security infrastructure of an organization.
67
Tactics
A guideline that describes the way an attacker performs their attack from beginning to end. Understanding the tactics used in the last stage of an attack helps in profiling the threat actor; this profile is further helpful in analyzing the techniques and procedures used by the attackers. An attacker may continuously change the TTPs used, so it is important to constantly review and update the tactics used by APT groups.
68
Techniques
To launch an attack successfully, threat actors use several techniques during its execution. These techniques include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration. Therefore, understanding the techniques used in the different phases of an attack is essential to analyzing threat groups effectively.

The techniques at the initial stage mainly describe the tools used for information gathering and initial exploitation. Techniques used in the middle stages of an attack mostly depend on technical tools for escalating privileges on compromised systems or performing lateral movement within the target organization's network. At this stage of an attack, the attackers use various exploits or misuse configuration vulnerabilities on the target system.

The techniques in the last stage of an attack can have both technical and non-technical aspects. The techniques used for data theft are usually based on network technology and encryption. After successfully executing the attack and transferring the files, the attacker follows certain purely technical techniques to cover their tracks. They use automated software tools to clear log files to evade detection.
69
Procedures
"Procedures" involve a sequence of actions performed by the threat actors to execute different steps of an attack life cycle. Procedures are mainly performed to increase the success rate of an attack and decrease the probability of detection by security mechanisms. In the initial stage of an attack, such as during information gathering, observing the procedure of an APT group is difficult. However, the later stages of an attack can leave trails that may be used to understand the procedures the attacker followed.
70
Examples of procedures
Collecting information about the target organization; identifying key targets and employees; collecting their contact details; identifying vulnerable systems and potential entry points to the target network; and documenting all the collected information. Threat actors also perform spear phishing, monitor security controls to identify zero-day exploits in the target systems, and carry out other tasks.
71
Adversary behavioral Identification
Adversary behavioral identification involves the identification of the common methods or techniques followed by an adversary to launch attacks on, or to penetrate, an organization's network. It gives security professionals insight into upcoming threats and exploits.
72
Adversary Behaviors
Internal reconnaissance
Use of PowerShell
Unspecified proxy activities
Use of command-line interface
HTTP user agent
Command and control server
Use of DNS tunneling
Use of web shell
Data staging
73
Internal Reconnaissance
Once the adversary is inside the target network, they follow various techniques and methods to carry out internal reconnaissance. This includes the enumeration of systems, hosts and processes, and the execution of various commands to find out information such as the local user context and system configuration, hostname, IP address, active remote systems, and programs running on the target systems.
74
Identify misuse of PowerShell
Check PowerShell transcript logs or Windows Event logs
75
Unspecified Proxy Activities
An adversary can create and configure multiple domains pointing to the same host, allowing them to switch quickly between the domains to avoid detection
76
Use of Command Line Interface
The adversary can use the command line to browse files, read file contents, modify file contents, create new accounts, etc.
77
Use of DNS tunneling
Uses DNS tunneling to obfuscate malicious traffic within the legitimate traffic carried by common protocols used in the network.
78
Use of Web shell
Uses a web shell to manipulate the web server by creating a shell within a website
79
Data Staging
After successful penetration into a target's network, the adversary uses data staging techniques to collect and combine as much data as possible. The collected data may then be exfiltrated or destroyed by the adversary.
80
Indicator of Compromise (IoCs)
IoCs are the clues, artifacts and pieces of forensic data found on the network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure. IoCs are data fed into the intelligence process. Performing frequent IoC scans helps to effectively and efficiently detect and respond to evolving cyber threats.
81
Types of IoC
Atomic indicators
Computed indicators
Behavioral indicators
82
Atomic indicator
Indicators that cannot be segmented into smaller parts and whose meaning does not change in the context of an intrusion, e.g. IP addresses and email addresses
83
Computed Indicators
Indicators obtained from the data extracted from a security incident, e.g. hash values and regular expressions
84
Behavioral Indicators
Refer to a grouping of both atomic and computed indicators, combined on the basis of some logic
85
IoC Categories
Email indicators
Network indicators
Host-based indicators
Behavioral indicators
86
Email Indicators (IoC)
Help to indicate an attack, since attackers usually use email services to send malicious data to the target. The indicators provided are: sender email address, email subject, attachments and links.
87
Network Indicators
Used to indicate network-based attacks such as C2, malware delivery, and identification of the OS, browser type and system information. Network indicators provide: URLs, domain names and IP addresses.
88
Host-Based Indicators
Used when performing analysis of an infected system within the organizational network. Host-based indicators provide: filenames, file hashes, registry keys, DLLs and mutexes.
89
Behavioral Indicators
Used to identify specific behavior related to malicious activities, such as code injection into memory or running a script from an application
90
Key Indicator of Compromise
Unusual outbound network traffic
Unusual activity through a privileged user account
Geographical anomalies
Multiple login failures
Increased database read volume
Large HTML response size
Multiple requests for the same file
Mismatched port-application traffic
Suspicious registry or system file changes
Unusual DNS requests
Unexpected patching of systems
Signs of distributed denial of service activity
Bundles of data in the wrong places
Web traffic with superhuman behaviour