Lesson 4 & 5 Flashcards
Pretexting
(form of impersonation) Using a scenario with convincing additional detail.
The classic impersonation attack is for the social engineer to phone into a department,
claim they have to adjust something on the user’s system remotely, and get the user to
reveal their password. This specific attack is also referred to as pretexting.
Tailgating
- Access premises covertly
* Follow someone else through a door
• Piggybacking
- Access premises without authorization, but with the knowledge of an employee
- Get someone to hold a door open
• Identity fraud
- Impersonation with convincing detail and stolen or spoofed proofs
- Identity fraud versus identity theft
• Invoice scams
• Spoofing supplier details to submit invoices with false account details
• Credential theft and misuse
Credential harvesting
• Shoulder surfing
• Lunchtime attack
Phishing, whaling, vishing, spear phishing, smishing
you know this
Spam
- Unsolicited email
- Email address harvesting
- Spam over Internet messaging (SPIM) (instant messaging service)
Hoaxes
- Delivered as spam or malvertising
- Fake advertisement to get user to install remote desktop software
- Phone-based scams
Hoaxes, such as security alerts or chain emails, are another common social
engineering technique, often combined with phishing attacks. An email alert or web
pop-up will claim to have identified some sort of security problem, such as virus
infection, and offer a tool to fix the problem.
Prepending
adding text that appears to have been generated by the mail system.
- Tagging email subject line
- Can be used by threat actor as a consensus or urgency technique
- Can be added by mail systems to warn users
Pharming
(passive technique)
• Redirection by DNS spoofing
Pharming is a passive means of redirecting users from a legitimate website to a
malicious one. Rather than using social engineering techniques to trick the user,
pharming relies on corrupting the way the victim’s computer performs Internet name
resolution, so that they are redirected from the genuine site to the malicious one. For
example, if mybank.foo should point to the IP address 2.2.2.2, a pharming attack would
corrupt the name resolution process to make it point to IP address 6.6.6.6.
Typosquatting
www.comptia.org ==> www.connptia.org
Use cousin domains instead of redirection
• Make phishing messages more convincing
• Watering hole
- Target a third-party site
* Customer, supplier, hobbies, social media…
• Credential harvesting
• Attacks focused on obtaining credentials for sale rather than direct
intrusion
• Attacks focused on obtaining multiple credentials for single
company
Influence Campaigns
Sophisticated threat actors using multiple resources to change opinions on a mass scale
- Soft power
- Hybrid warfare
- Social media
• Soft power
• Leveraging diplomatic and cultural assets
• Hybrid warfare
• Use of espionage, disinformation, and hacking
• Social media (influence campaign)
- Use of hacked accounts and bot accounts
* Spread rumor and reinforce messaging
• Viruses and worms
• Spread within code without authorization
Trojans
• A malicious program concealed within a benign one
• Potentially unwanted programs/applications (PUPs/PUAs)
• Not necessarily regarded as malicious
Pre-installed “bloatware” or installed alongside another app
• Not completely concealed, but installation may be covert
• Also called grayware
Computer Viruses
• Rely on some sort of host file or media
• Non-resident/file infector
• Memory resident
• Boot
• Script/macro
• Multipartite
• Polymorphic
• Vector for delivery
Multipartite
virus uses multiple vectors
Polymorphic
(virus) able to obfuscate code to avoid detection
• Early computer worms
- Propagate in memory/over network links
* Consume bandwidth and crash processes
• Fileless malware
does not write code to disk; avoids detection
“Living off the land”
Advanced persistent threat (APT)/advanced volatile threat (AVT)/
low observable characteristics (LOC)
All used to describe fileless, living-off-the-land malware
• Backdoor malware
Any type of access method to a host that circumvents the usual authentication method
and gives the remote user administrative control can be referred to as a backdoor.
RAT
Remote Access Trojan
backdoor malware that mimics the functionality of legitimate remote control programs
Bots and botnet
A group of bots that are all under
the control of the same malware instance can be manipulated as a botnet by the
herder program. A botnet can be used for many types of malicious purposes, including
triggering distributed denial of service (DDoS) attacks, launching spam campaigns, or
performing cryptomining.
• Command & control (C2 or C&C)
Whether a backdoor is used as a standalone intrusion mechanism or to manage
bots, the threat actor must establish a connection from the compromised host to a
command and control (C2 or C&C) host or network.
Ransomware
Nuisance (lock out user by replacing shell); usually easier to fix
• Crypto-malware
High impact ransomware (encrypts data files or drives)
• Cryptomining/cryptojacking
• Hijack resources to mine cryptocurrency
• Logic bombs
wait for a pre-configured time or date (time bomb) or for a system or user event
Malware Indicators
Browser changes or overt ransomware notification
• Anti-virus notifications
• Endpoint protection platforms and next-gen A-V
• Behavior-based analysis
- Sandbox execution
- Cuckoo
• Resource utilization/consumption
• Task Manager and top
• File system changes
• Registry
• Temp files
Cuckoo
Performs sandbox execution: runs the malware in a location completely isolated from the host
shellcode
Fileless malware uses lightweight shellcode to achieve a backdoor mechanism
on the host. The shellcode is easy to recompile in an obfuscated form to evade
detection by scanners.
Process analysis
Signature-based detection is failing to identify modern APT-style tools
Looking for abnormal behavior
Process Explorer
Performs process analysis
Output from hashing
checksum, hash or digest
Anti-collision
(hashing) no two plaintexts are likely to produce the same checksum
SHA
Secure Hash Algorithm (SHA) is considered the strongest algorithm
Message Digest Algorithm 5 (MD5)
for hashing; not as strong as SHA but sometimes required for compatibility
Hashing
not encryption; the process is not reversible
Substitution vs Transposition
Substitution - changing the letters or symbols
Transposition - reordering
Key protection
Protecting the key is easier than protecting the algorithm
Symmetric encryption
Same key used for encryption and decryption on both sides
Good for bulk encryption
Problem: distributing the key securely
• Stream ciphers
- Encrypt and decrypt each bit/byte at a time
* Must be used with an initialization vector (IV)
• Block ciphers
- Treat data as equal-size blocks, using padding if necessary
- Advanced Encryption Standard (AES/AES256)
Advanced Encryption Standard (AES)
is the default symmetric encryption cipher
for most products. Basic AES has a key size of 128 bits, but the most widely used
variant is AES256, with a 256-bit key.
Asymmetric encryption
Private and public key
• Message size is limited to key size, so not suitable for large amounts of data
• Used for small amounts of authentication data
Public Key Cryptography Algorithms
RSA algorithm (Rivest, Shamir, Adleman)
• Basis of many public key cryptography schemes
• Trapdoor function
• Easy to calculate with the public key, but difficult to reverse without the private
key
Elliptic curve cryptography (ECC)
• Concerns about RSA being vulnerable to cryptanalysis
• Another type of trapdoor function
• Can use smaller keys to obtain same security
RSA
RSA algorithm (Rivest, Shamir, Adleman)
• Basis of many public key cryptography schemes
• Trapdoor function
• Easy to calculate with the public key, but difficult to reverse without the private
key
ECC
Elliptic curve cryptography (ECC)
• Concerns about RSA being vulnerable to cryptanalysis
• Another type of trapdoor function
• Can use smaller keys to obtain same security
Digital Signatures
- Using public key cryptography with hashing
- Digital signatures provide integrity, authentication, non-repudiation
- RSA-based digital signatures
Hashing - authentication & non repudiation
RSA - integrity
Digital Envelopes and key exchange
Hybrid: enables large amounts of data; able to send the symmetric key securely
Digital Certificate
Certificate authority validates authenticity by signing
PKI
Perfect Forward Secrecy
Uses Diffie-Hellman key agreement protocols
Allows two parties to derive the same secret value that an eavesdropper cannot guess
Cipher suite and mode of operation
In a protocol such as Transport Layer Security (TLS), the requirements to both
authenticate the identity of the server and to encrypt communications between the
server and client need to be fulfilled by separate cryptographic products and cipher
implementations. The combination of ciphers supported is referred to as a **cipher
suite**. The server and client negotiate mutually compatible cipher suites as part of the
TLS handshake.
The final part of a cipher suite determines the bulk encryption cipher. When AES
is selected as the symmetric cipher, it has to be used in a **mode of operation** that
supports a stream of network data.
• Unauthenticated encryption
• Secret key encryption cannot prove integrity
• Makes cryptographic system vulnerable to insertion and
modification attacks
• Authenticated encryption
• Message authentication code (MAC)
• Create a hash from a combination of the message and a shared secret
• Implementations vulnerable to padding oracle attacks
AEAD
- Authenticated encryption with additional data (AEAD)
- Counter modes or stream ciphers that do not use padding
- Associates message with context to prevent replay
Integrity (in cryptography)
• Using hash functions and message authentication codes to validate messages
• Resiliency
• Using cryptography to ensure authentication and integrity of control messages
Obfuscation (cryptography)
• Make something hard to understand
• Encryption can perform this function, but it is very hard to secure an embedded key
• White box cryptography
White box cryptography
attempts to protect an embedded key while preserving the functionality of the code; all attempts have been broken
Nonce
never reuse the same key value
Salt
pseudorandom number; used with hashing
• Man-in-the-Middle (MitM)
• Interferes with the public key presented to the client
• Downgrade attack
• Forces server into using weak protocol versions and ciphers
• Key stretching
- Use additional rounds to strengthen keys
* Makes attacker do more work so slows down brute force
Entropy
Entropy is a measure of disorder. A plaintext will usually exhibit low entropy (salting and stretching increase entropy)
Collision
Function produces the same hash value for two different plaintexts
Birthday attack
brute force attack aimed at exploiting collisions in hash functions
Post-quantum
when quantum computing becomes a reality
Lightweight cryptography
low-power devices; encryption consumes power
Homomorphic Encryption
Supports data analytics functions while preserving confidentiality and privacy
Blockchain
Expanding list of transactional records (blocks)
• Each block is linked by hashing
- Public ledger
- Ledger of transactions performed on a digital asset
- Peer-to-peer so transactions are public
- Transactions cannot be deleted or reversed
• Widely used for cryptocurrencies
• Potential uses for financial transactions, online voting systems, identity
management systems, notarization, data storage
Steganography
obfuscation
• Concealing messages within a covertext
• Often uses file data that can be manipulated without introducing obvious artifacts
• Image
• Audio
• Video
• Covert channels