Module 02: Understanding Cyber Threats, IoCs, and Attack Methodology

Question 1

What is a cyber threat?

Answer 1

An act in which the adversary attempts to gain unauthorized access to an organization’s network by exploiting communication paths.

Question 2

What three things are behind a threat?

Answer 2

Intent
Capability
Motive

Question 3

What is TTP?

Answer 3

Part of the capability behind a threat. Tactics, Techniques, and Procedures used to target an organization.

Question 4

What allows the opportunity of a threat?

Answer 4

Security vulnerabilities or weaknesses

Question 5

What are the typical attack vectors?

Answer 5

Cloud computing threats
Viruses and worms
Ransomware
Mobile threats
Botnet
Insider threat
Phishing
Web application threats
IoT threats

Question 6

What is the formula of an attack?

Answer 6

Attack=Motive(goal) + Method (TTPs) + Vulnerability

Question 7

What does motive originate from?

Answer 7

A motive originates out of the notion that the target system stores or processes something valuable, and this leads to a threat of an attack on the system

Question 8

What are tactics?

Answer 8

Strategy followed by an attacker to perform the attack from beginning to end i.e. information gathering for initial exploitation, privilege escalation, lateral movement, etc.

Question 9

What are techniques?

Answer 9

Technical methods used by an attacker to achieve intermediate results during the attack i.e. initial exploitation, setting up and maintaining C&C channels, etc.

Question 10

What are procedures?

Answer 10

Organizational approach followed by the threat actors to launch an attack

Question 11

What is a vulnerability?

Answer 11

The existence of a weakness, design, or implementation error that, when exploited, leads to an unexpected and undesired event compromising the security of the system.

Question 12

What is a reconnaissance attack?

Answer 12

Attackers attempt to discover target network’s information to gain as much knowledge as possible around open ports, services, IPs, network layout etc.

Question 13

What are common reconnaissance methods?

Answer 13

Social engineer
Port scanning
DNS footprinting
Ping sweeping

Question 14

What are two types of reconnaissance attacks?

Answer 14

Active and Passive

Question 15

What are five types of network level attacks?

Answer 15

Packet sniffing
Port scanning
Ping sweeping
DNS footprinting
Social engineering

Question 16

What type of attack is used to check for live hosts, services, ports, etc.

Answer 16

Network scanning

Question 17

What is a popular network scanning tool?

Answer 17

nmap

Question 18

What process checks what services are running on a target computer by sending a sequence of messages?

Answer 18

Port scanning

Question 19

What are the various network level attacks?

Answer 19

Reconnaissance
Network scanning
Port Scanning
DNS Footprinting

Question 20

What attack allows the attacker to determine key hosts in the network and perform social engineering attacks?

Answer 20

DNS footprinting

Question 21

This process monitors and captures all data packets passing through a given network using sniffing tools

Answer 21

Network sniffing

Question 22

What often allows an attacker to perform network sniffing on a network?

Answer 22

Unsecured switch ports

Question 23

What are the three types of network sniffing?

Answer 23

Internet
External
Wireless

Question 24

What type of attack involves setting up a station between the client and server to capture and manipulate the traffic/session?

Answer 24

Man-in-the-middle attack

Question 25

What types of communication are susceptible to MiTM attacks?

Answer 25

Login functionality Unencrypted comms Financial sites

Question 26

What type of password attack involves using a file of common words, phrases, etc. against an application?

Answer 26

Dictionary attack

Question 27

This type of password attack tries every combination until the password is cracked.

Answer 27

Brute force

Question 28

It works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password

Answer 28

Hybrid attack

Question 29

It attacks cryptographic hash functions based on the probability that if a hashing process is used for creating a key, then the same is used for other key

Answer 29

Birthday attack

Question 30

It attacks rainbow tables that store pre-computed hash values in plaintext

Answer 30

Rainbow table attack

Question 31

What is privilege escalation?

Answer 31

An attacker performs a privilege escalation attack which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated application

Question 32

Unauthorized manipulation of IP addresses in the domain naming server cache is known as what?

Answer 32

DNS poisoning

Question 33

What is the goal of DNS poisoning?

Answer 33

Re-direct users to malicious sites

Question 34

What is ARP poisoning?

Answer 34

ARP poisoning is an attack in which the attacker tries to associate their own MAC address with the victim’s IP address so that the traffic meant for that IP address is sent to the attacker.

Question 35

What is a DHCP starvation attack?

Answer 35

Process of inundating DHCP servers with fake DHCP requests resulting in all available IP addresses being used.

Question 36

What is a DHCP spoof attack?

Answer 36

Process of implementing a rogue DHCP server and serving requests to clients.

Question 37

What type of attack involves sending large amounts of traffic to target network than it can handle, resulting in exhaustion of resources?

Answer 37

Network-based denial of service attack

Question 38

What are four types of network based DOS attacks?

Answer 38

TCP SYN Flooding ICMP Smurf Flooding UDP Flooding Intermittent Flooding

Question 39

This type of attack floods the target and does not respond with the expected ACK

Answer 39

TCP SYN Flooding

Question 40

This type of attack sends an ICMP echo broadcast and spoofs the source to be the target IP resulting in them being flooded.

Answer 40

ICMP Smurf Flooding

Question 41

What is a Distributed Denial of Service attack?

Answer 41

A DOS attack that involves many compromised systems i.e. botnets to carry out the attack.

Question 42

What are the two types of DDoS?

Answer 42

Network-centric - overloads service by consuming bandwidth | Application-centric - overloads service by sending inundate packets

Question 43

What is malware?

Answer 43

Malicious software that aim to disrupt service, gather sensitive information, damage systems, etc. Typically installed without the user's knowledge.

Question 44

This type of malware is a program that can duplicate itself by making copies of itself. It can only spread from one PC to another when its host is taken to the uncorrupted computer.

Answer 44

Virus

Question 45

This type of malware can replicate through a network on its own.

Answer 45

Worm

Question 46

This type of virus is coded with different mechanisms to make its detection difficult.

Answer 46

Armored virus

Question 47

A malicious program that masquerades as legitimate software.

Answer 47

Trojan

Question 48

A software program that tracks the user’s browsing patterns for marketing purposes and displaying advertisements. It collects the user’s data, such as what types of Internet sites the user visits in order to customize the adverts that are relevant to the user.

Answer 48

Adware

Question 49

A software program that hides its activities from detection and performs malicious activities to get privileged access to a target computer.

Answer 49

Rootkit

Question 50

This malware changes its signature to avoid pattern matching detection by antivirus programs.

Answer 50

Polymorphic malware

Question 51

A type of network attack, where an attacker gains unauthorized access to a target network and remains there undetected for a long period of time

Answer 51

APT - Advanced Persistent Attack

Question 52

What is the main goal of an APT?

Answer 52

To obtain sensitive information

Question 53

What are the characteristics of APT?

Answer 53

``` Objectives Timeliness Resources Risk Tolerance Skills and Methods Actions Attack Origination Points Numbers Involved in the Attack Knowledge Source Multiphased Tailored to the Vulnerabilities Multiple Points of Entries Evading Signature-Based Detection Systems Specific Warning Signs ```

Question 54

What is the APT threat lifecycle?

Answer 54

``` Preparation Initial Intrusion Expansion Persistence Search and Exfiltration Cleanup ```

Question 55

What are the main types of host-level attacks?

Answer 55

Malware infection Accidental or intentional deletion of data Unauthorized access

Question 56

Where do host-level attacks come from?

Answer 56

``` Un-patched computers Email Blended threats Network file shares Social engineering Internet downloads ```