Malware Flashcards
Malware
broad term used to describe any type of malicious software designed to infiltrate, damage, or gain unauthorized access to computer systems or networks.
Identifying Ransomware:
Encrypted files with a ransom note demanding payment in exchange for decryption keys.
Identifying Trojans:
Unexpected or unauthorized access, changes in system settings, or suspicious network activity.
Identifying Worms:
Rapid self-replication and spreading across a network or multiple systems.
Identifying Potentially Unwanted Programs (PUPs):
Unwanted toolbars, adware, or browser extensions installed without user consent.
Identifying Fileless Virus:
Unusual or suspicious processes running in memory without traditional executable files.
Identifying Command and Control (C2):
Communication with external C2 servers, often via unusual or non-standard network ports.
Identifying Bots:
A network of compromised devices (botnet) controlled by a central command center.
Identifying Cryptomalware:
Encrypted files with a ransom demand or ransom payment address.
Identifying Logic Bombs:
Unexpected system or application behavior triggered by specific conditions or dates.
Identifying Spyware:
Unusual network traffic, unauthorized access to sensitive data, or suspicious system activity.
Identifying Keyloggers:
Unauthorized access to sensitive data or evidence of keystroke recording.
Identifying Remote Access Trojan (RAT)
Suspicious or unauthorized remote access or control of a system.
Identifying Rootkit:
Concealed processes or files, unusual system behavior, or unauthorized access.
Identifying Backdoor:
Unauthorized access, unusual network traffic, or the presence of hidden pathways.
Password Attacks
Password attacks are attempts by malicious actors to gain unauthorized access to a system or account by guessing or cracking passwords.
Identifying Password Spraying:
Multiple login attempts with the same password against multiple user accounts.
Identifying Dictionary Attack:
Repeated login attempts using words from a dictionary or common passwords.
Identifying Brute Force Attack (Online):
Continuous and rapid login attempts without delay between each attempt.
Identifying Brute Force Attack (Offline):
Theft or possession of hashed password data (e.g., from a database breach).
Identifying Rainbow Table Attack:
Rapid password cracking with the use of precomputed rainbow tables.
Identifying Plaintext/Unencrypted Password Attack:
Passwords stored in plaintext format.
Physical Attacks:
- Malicious USB Cable
- Malicious Flash Drive
- Card Cloning
- Skimming
Identifying Malicious USB Cable:
The presence of a suspicious or unknown USB cable connected to a device, computer, or network.
Identifying Malicious Flash Drive:
Discovery of unknown or unverified USB flash drives in the organization, especially in public areas or near workstations.
Identifying Card Cloning:
Unusual or unauthorized transactions on payment cards or access control systems.
Identifying Skimming:
Suspicious or unusual devices attached to card readers, ATMs, or payment terminals.
Adversarial Artificial Intelligence (AI):
- Unusual Model Behavior
- Misclassification or Misbehavior
- Anomalies in Model Confidence
- Increased False Positives/Negatives
Identifying Unusual Model Behavior:
If an AI model exhibits unexpected or erratic behavior, it could be an indicator of an adversarial AI attack. Adversaries may manipulate inputs to exploit vulnerabilities in the model.
Identifying Misclassification or Misbehavior:
Frequent misclassification of inputs or outputs that do not align with the model’s intended behavior may indicate adversarial interference.
Identifying Anomalies in Model Confidence:
If the model’s confidence scores fluctuate widely or show inconsistencies, it could suggest adversarial attempts to undermine the model’s accuracy.
Identifying Increased False Positives/Negatives:
A noticeable increase in false positives or false negatives in AI-based security systems, such as intrusion detection or spam filters, might indicate adversarial attacks.
Tainted Training Data for Machine Learning (ML):
- Data Inconsistencies
- Unusual Model Performance
- Unexpected Bias
- Data Source Anomalies
Identifying Data Inconsistencies:
Analyze the training data for inconsistencies, inaccuracies, or anomalies that could indicate tampering or poisoning.
Identifying Unusual Model Performance:
If the ML model exhibits poor or erratic performance, it may be a sign of tainted training data.
Identifying Unexpected Bias:
Check for unexpected biases or discriminatory behavior in the ML model, which can be introduced through malicious data manipulation.
Identifying Data Source Anomalies
Investigate the sources of training data for any signs of compromise, such as unauthorized access or alterations.
Security of Machine Learning Algorithms:
- Model Evasion
- Unauthorized Access
- Model Stealing
- Abnormal Resource Usage
Supply-Chain Attacks:
- Unusual Network Activity
- Unauthorized Access
- Vendor Alerts
Identifying Unusual Network Activity:
An increase in network traffic or unusual data transfers between systems within your supply chain may indicate a supply-chain attack.
Identifying Unauthorized Access:
Suspicious login attempts or unauthorized access to systems or applications within your supply chain can be indicative of an attack.
Identifying Vendor Alerts:
Notifications or alerts from your suppliers or vendors about a security breach or compromise on their end may signal a supply-chain attack.
Cloud-Based vs. On-Premises Attacks:
- Anomalous Cloud Activity
- On-Premises Intrusion
- Logs and Alerts
Identifying Anomalous Cloud Activity:
In a cloud-based attack, you might observe unusual or unauthorized activities in your cloud services, such as accessing sensitive data, changing configurations, or spinning up new instances.
Identifying On-Premises Intrusion:
In an on-premises attack, signs may include unusual system or network activity, unauthorized access to physical premises, or signs of tampering with hardware or servers.
Identifying Logs and Alerts:
Monitor logs and security alerts from both cloud-based and on-premises systems to detect suspicious activities and breaches.
Cryptographic Attacks:
- Birthday Cryptographic Attack
- Collision Cryptographic Attack
- Downgrade Cryptographic Attack
Identifying Birthday Cryptographic Attack:
- A sudden increase in collisions in hash functions or unexpected hash collisions in your system logs.
- Difficulty in verifying data integrity or authenticity due to hash collisions.
Identifying Collision Cryptographic Attack:
- Instances where two different inputs produce the same cryptographic hash.
- Repeated failures in verifying digital signatures or certificates.
Identifying Downgrade Cryptographic Attack:
- Errors or issues with the negotiation of cryptographic protocols during secure communications.
- Unexpectedly weak encryption algorithms being used in secure connections.
