Low confidence questions Flashcards
What is a ‘sheep dip’ ?
Similar to a sandbox, a sheep dip is an isolated host used to test new software and removable media for malware indicators before it is authorized on the production network.
What is Shellcode ?
Shellcode is a minimal program designed to exploit a vulnerability in the OS or in a legitimate app to gain privileges, or to drop a backdoor on the host if run as a Trojan. Having gained a foothold, this type of attack will be followed by some type of network connection to download additional tools.
What is Credential dumping ?
In Credential Dumping, the malware might try to access the credentials file (SAM on a local Windows workstation), or sniff credentials held in memory by the lsass.exe system process. Additionally, a DCSync attack attempts to trick a domain controller into replicating its user list along with their credentials with a rogue host.
What is Pivoting/lateral movement/insider attack ?
Pivoting/lateral movement/insider attack is the general procedure is to use the foothold to execute a process remotely, using a tool such as PsExec or PowerShell. The attacker might be seeking data assets or may try to widen access by changing the system security configuration, such as opening a firewall port or creating an account. If the attacker has compromised an account, these commands can blend in with ordinary network operations, though they could be anomalous behavior for that account.
What is Persistence ?
Persistence is a mechanism that allows the threat actor’s backdoor to restart if the host reboots or the user logs off. Typical methods are to use AutoRun keys in the registry, adding a scheduled task, or using Windows Management Instrumentation (WMI) event subscriptions.
What is a downgrade attack ?
A cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages. A downgrade attack makes a server or client use a lower specification protocol with weaker ciphers and key lengths.
What is a Kerberoasting attack ?
A Kerberoasting attack attempts to discover the passwords that protect service accounts by obtaining service tickets and subjecting them to brute force password cracking attacks.
What are Collision Attacks ?
A collision is where a weak cryptographic hashing function or implementation allows the generation of the same digest value for two different plaintexts. A collision attack exploits this vulnerability to forge a digital signature. The attack works as follows:
The attacker creates a malicious document and a benign document that produce the same hash value. The attacker submits the benign document for signing by the target.
The attacker then removes the signature from the benign document and adds it to the malicious document, forging the target’s signature.
A collision attack could be used to forge a digital certificate to spoof a trusted website or to make it appear as though Trojan malware derived from a trusted publisher.
What is a Birthday Attack ?
A collision attack depends on being able to create a malicious document that outputs the same hash as the benign document.
Some collision attacks depend on being able to manipulate the way the hash is generated.
A birthday attack is a means of exploiting collisions in hash functions through brute force. The attack is named after the birthday paradox. This paradox shows that the computational time required to brute force a collision might be less than expected.
The birthday paradox asks, how large must a group of people be so that the chance of two of them sharing a birthday is 50%. The answer is 23, but people who are not aware of the paradox often answer around 180 (365/2).
What is a Credential Replay attack ?
An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.
What are ‘Pass The Ticket’ (PtT) attacks ?
These are types of credential replay are directed against Kerberos authentication and authorization.
For example, a golden ticket attack attempts to forge a ticket granting ticket. If successful, this gives the threat actor effectively unrestricted access to all domain resources.
A silver ticket attack attempts to forge service tickets.
Briefly describe the ‘Pass-the-Hash’ process.
The process involves four steps as follows:
- Victim logs on. DC verifies user with Kerberos.
- Victim logs on again. Kerberos credentials cached in SAM.
- Attacker dumps SAM on victim’s computer. Hashed credentials revealed.
- Attacker uses hash on other computer. Hashed credentials recognized by Kerberos.
What is a dissociation attack ?
A disassociation attack exploits the lack of encryption in management frame traffic to send spoofed frames.
One type of disassociation attack injects management frames that spoof the MAC address of a single victim station in a disassociation notification, causing it to be disconnected from the network.
Another variant of the attack broadcasts spoofed frames to disconnect all stations. As well as trying to redirect connections to an evil twin, a disassociation attack might also be used in conjunction with a replay attack aimed at recovering the network key.
What is a digital certificate ?
Identification and authentication information presented in the X.509 format and issued by a certificate authority (CA) as a guarantee that a key pair (as identified by the public key embedded in the certificate) is valid for a particular subject (user or host). It is essentially a wrapper for a subject’s public key.
What is a root certificate ?
In PKI, a root certificate is a self-signed certificate that serves as the trust anchor and can issue certificates to intermediate CAs in a hierarchy.
What is EAP (Extensible Authentication Protocol) ?
Framework for negotiating authentication methods that enable systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication and to establish secure tunnels through which to submit credentials.
What is Remote Authentication Dial-In User Service (RADIUS) ?
AAA protocol used to manage remote and wireless authentication infrastructures.
It allows the authenticator and authentication server to communicate authentication and authorization decisions. The authenticator is a RADIUS client; the authentication server is a RADIUS server.
What is the Internet Key Exchange (IKE) protocol ?
Internet Key Exchange (IKE) protocol is a framework for creating a security association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree on secure protocols and cipher suites to use to exchange data.
It implements an authentication method, selects which cryptographic ciphers are mutually supported by both peers, and performs key exchange.
What is Out-of-Band Management ?
Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.
A serial console or modem port on a router is a physically out-of-band management method. A network appliance can also be managed using a browser-based interface or a virtual terminal over Ethernet and IP. This type of management link is made out-of-band either by connecting the port used for management access to a physically separate network infrastructure or connecting to a dedicated management VLAN. This can be costly to implement, but out-of-band management is more secure and means that access to the device is preserved when there are problems affecting the production network.
What is Software-Defined Networking (SDN) ?
Software-Defined Networking (SDN) is a network architecture that separates the control plane from the data plane, enabling network management and control through software applications, rather than relying on hardware devices.
What are Replication and Journalling in cyber security ?
Replication involves creating and maintaining exact copies of data on different storage systems or locations.
A method used by file systems to record changes not yet made to the file system in an object called a journal.
What is AES Galois Counter Mode (GCM) in WPA3 ?
A high-performance mode of operation for symmetric encryption. Provides a special characteristic called authenticated encryption with associated data, or AEAD.
