Malicious Activity Flashcards
What are the evolving concerns in the digital age?
Cyber attacks, increasing in frequency and sophistication
The digital landscape is constantly changing, resulting in new and more advanced cyber threats.
What is the first step to effective prevention and mitigation of cyber threats?
Understanding Cyber Threats
Awareness of the tactics, techniques, and procedures employed by cybercriminals is crucial.
What are the variants of Distributed Denial of Service (DDoS) attacks?
- Denial of Service
- Amplified DDoS
- Reflected DDoS
What are the types of Domain Name Server (DNS) attacks?
- DNS Cache Poisoning
- DNS Amplification
- DNS Tunneling
- Domain Hijacking
- DNS Zone Transfer
What is a Directory Traversal Attack?
Injection attack in which an attacker inserts malicious code through an application interface
What does a Privilege Escalation Attack involve?
Exploiting system vulnerability to gain elevated access
What is a Replay Attack?
Malicious or fraudulent repeat/delay of a valid data transmission
What is Session Hijacking?
Attacker takes over a user session to gain unauthorized access
What are Malicious Code Injection Attacks?
Introduction of harmful code into a program or system
What are some Indicators of Compromise (IoC)?
- Account lockout
- Concurrent session usage
- Blocked content
- Impossible travel
- Resource consumption
- Inaccessibility
- Out-of-cycle logging
- Published documents indicating hacking
- Missing logs
What is a Denial of Service (DoS) attack?
An attack that attempts to make a computer or server’s resources unavailable
What is a Flood Attack?
- Ping Flood
- SYN Flood
What is a Permanent Denial of Service (PDoS) Attack?
Exploits security flaws to break a networking device permanently by re-flashing its firmware
What is a Fork Bomb?
Attack creates a large number of processes, consuming processing power
What is a Distributed Denial of Service (DDoS) attack?
Malicious attempt to disrupt the normal functioning of a network by overwhelming it with a flood of internet traffic
What is a DNS Amplification Attack?
Allows an attacker to initiate DNS requests from a spoofed IP address to flood a website
What is the purpose of a Black Hole or Sinkhole in DoS prevention?
Routes attacking IP traffic to a non-existent server through a null interface
What is DNS Cache Poisoning?
Corrupts a DNS resolver’s cache with false information
What is DNS Tunneling?
Encapsulates non-DNS traffic over port 53
What is Domain Hijacking?
Unauthorized change of domain registration
What is a Directory Traversal Attack?
An injection attack that allows access to commands, files, and directories
What is Arbitrary Code Execution?
Vulnerability that allows an attacker to run their code without restrictions
What is Remote Code Execution?
Type of arbitrary code execution that occurs remotely
What is the difference between Vertical and Horizontal Privilege Escalation?
- Vertical: From normal user to higher privilege
- Horizontal: Accessing resources at the same level
What are rootkits?
Class of malware that conceals its presence by modifying system files
What is a Replay Attack?
Type of network-based attack where valid data transmissions are maliciously re-broadcast
What is a Credential Replay Attack?
Capturing a user’s login credentials during a session and reusing them for unauthorized access
How can Replay Attacks be prevented?
- Use session tokens
- Implement multi-factor authentication
- Use security protocols like WPA3
What is Session Management?
Enables web applications to uniquely identify a user across different actions
What is a Cookie in web applications?
Text file used to store information about a user when they visit a website
What is Cookie Poisoning?
Modifies the contents of a cookie after it has been generated
What is an On-Path Attack?
An attack where the attacker positions their workstation logically between two hosts
What is ARP Poisoning?
Manipulating Address Resolution Protocol (ARP) tables to redirect network traffic
What is SSL Stripping?
An attack that tricks the encryption application into presenting an HTTP connection instead of HTTPS
What is LDAP Injection?
An application attack that targets web-based applications by fabricating LDAP statements
What is Command Injection?
Occurs when a threat actor is able to execute arbitrary commands on a system
What does LDAP stand for?
Lightweight Directory Access Protocol
LDAP is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.
What is LDAP Injection?
An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input
Protection against LDAP injection attacks includes input validation and input sanitization.
What is Command Injection?
Occurs when a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application
What is Process Injection?
Method of executing arbitrary code in the address space of a separate live process
There are many different ways to inject code into a process, including DLLs, Thread Execution Hijacking, and Process Hollowing.
List some methods of Process Injection.
- Injection through DLLs
- Thread Execution Hijacking
- Process Hollowing
- Process Doppelgänging
- Asynchronous Procedure Calls
- Portable Executable Injections
What are some mitigation strategies for Process Injection?
- Endpoint security solutions configured to block common sequences of attack behavior
- Security Kernel Modules
- Practice of Least Privilege
- Indicators of Compromise (IoC)
What do Indicators of Compromise (IoC) refer to?
Pieces of forensic data that identify potentially malicious activity on a network or system
IoCs serve as digital evidence that a security breach has occurred.
What is an Account Lockout?
Occurs when an account is locked due to multiple failed login attempts
It indicates a potential brute force attack to gain access.
What is Concurrent Session Usage?
Refers to multiple active sessions from a single user account
It may indicate a possible account compromise.
What does Blocked Content imply?
Involves attempts to access or download content blocked by security protocols
This suggests a user trying to access malicious content or an attacker attempting to steal data.
What does Impossible Travel indicate?
Detects logins from geographically distant locations within an unreasonably short timeframe
It indicates a likely account compromise.
What is Resource Consumption?
Unusual spikes in resource utilization
This includes CPU, memory, and network bandwidth, and may indicate malware infections or DDoS attacks.
What is Resource Inaccessibility?
Inability to access resources like files, databases, or network services
It suggests a ransomware attack, where files are encrypted and a ransom is demanded.
What does Out-of-Cycle Logging indicate?
Log entries occurring at unusual times
It suggests an attacker trying to hide their activities during off-peak hours.
What are Missing Logs a sign of?
Sign that logs have been deleted to hide attacker activities
This may result in gaps in the log data, making it harder to trace the attacker’s actions.
What does the publication of Articles or Documents by attackers imply?
Attackers publicly disclose their actions, boasting about their skills or causing reputational damage
This can occur on social media, hacker forums, or the victim’s own website.