Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

MODULE 14 - Common Threats and Attacks CERTIFICATION CYBER OPS ASSOCIATE > MODULE 14 - CERTIFICATION CYBER OPS ASSOCIATE > Flashcards

MODULE 14 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards

1
Q

Malware

Types of Malware

End devices are especially prone to malware attacks. Therefore, the focus of this topic is on threats to end devices.

Malware is short for malicious software or malicious code.

It is code or software that is specifically designed to damage, disrupt, steal, or generally inflict some other “bad” or illegitimate action on data, hosts, or networks.

A

It is important to know about malware because threat actors and online criminals frequently try to trick users into installing malware to help exploit security gaps.

In addition, malware morphs so rapidly that malware-related security incidents are extremely common because antimalware software cannot be updated quickly enough to stop the new threats.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Viruses A virus is a type of malware that spreads by inserting a copy of itself into another program.

After the program is run, viruses then spread from one computer to another, infecting the computers. Most viruses require human help to spread.

For example, when someone connects an infected USB drive to their PC, the virus will enter the PC.

The virus may then infect a new USB drive, and spread to new PCs. Viruses can lay dormant for an extended period and then activate at a specific time and date.

A

A simple virus may install itself at the first line of code in an executable file.

When activated, the virus might check the disk for other executables so that it can infect all the files it has not yet infected.

Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive.

Viruses can also be programmed to mutate to avoid detection. Most viruses are now spread by USB memory drives, CDs, DVDs, network shares, and email. Email viruses are a common type of virus.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Trojan Horses

The term Trojan horse originated from Greek mythology. Greek warriors offered the people of Troy (the Trojans) a giant hollow horse as a gift.

The Trojans brought the giant horse into their walled city, unaware that it contained many Greek warriors.

At night, after most Trojans were asleep, the warriors burst out of the horse, opened the city gates, and allowed a sizeable force to enter and take over the city.

Trojan horse malware is software that appears to be legitimate, but it contains malicious code which exploits the privileges of the user that runs it.

Often, Trojans are found attached to online games.

A

Users are commonly tricked into loading and executing the Trojan horse on their systems. While playing the game, the user will not notice a problem.

In the background, the Trojan horse has been installed on the user’s system. The malicious code from the Trojan horse continues operating even after the game has been closed. The Trojan horse concept is flexible.

It can cause immediate damage, provide remote access to the system, or access through a back door. It can also perform actions as instructed remotely, such as “send me the password file once per week.”

This tendency of malware to send data back to the cybercriminal highlights the need to monitor outbound traffic for attack indicators. Custom-written Trojan horses, such as those with a specific target, are difficult to detect.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Trojan Horse Classification:

https://snipboard.io/s0Sn1G.jpg

Trojan horses are usually classified according to the damage that they cause, or the manner in which they breach a system, as shown in the figure.

A

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

A

Remote-access :

Enables unauthorized remote access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

A

Data-sending :

Provides the threat actor with sensitive data, such as passwords.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

A

Destructive:

Corrupts or deletes files.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

A

Proxy :

Uses the victim’s computer as the source device to launch attacks and perform other illegal activities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

A

FTP :

Enables unauthorized file transfer services on end devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

A

Security software disabler ::

Stops antivirus programs or firewalls from functioning.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

A

Denial of Service (DoS) :

Slows or halts network activity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Type of Trojan Horse ::

– Remote-access

– Data-sending

– Destructive

– Proxy

– FTP

– Security software disabler

– Denial of Service (DoS)

– Keylogger

A

Keylogger :

Actively attempts to steal confidential information, such as credit card numbers, by recording keystrokes entered into a web form.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Worms Computer

worms are similar to viruses because they replicate and can cause the same type of damage.

Specifically, worms replicate themselves by independently exploiting vulnerabilities in networks.

Worms can slow down networks as they spread from system to system.

A

Whereas a virus requires a host program to run, worms can run by themselves.

Other than the initial infection, they no longer require user participation. After a host is infected, the worm is able to spread very quickly over the network.

Worms are responsible for some of the most devastating attacks on the internet.

In 2001, the Code Red worm had initially infected 658 servers. Within 19 hours, the worm had infected over 300,000 servers. – Initial Code Red Worm Infection – Code Red Infection 19 hours later

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Whereas a virus requires a host program to run, worms can run by themselves. Other than the initial infection, they no longer require user participation.

After a host is infected, the worm is able to spread very quickly over the network. Worms are responsible for some of the most devastating attacks on the internet.

In 2001, the Code Red worm had initially infected 658 servers. Within 19 hours, the worm had infected over 300,000 servers. – Initial Code Red Worm Infection – Code Red Infection 19 hours later

A

Initial Code Red Worm Infection : The initial infection of the SQL Slammer worm is known as the worm that ate the internet. SQL Slammer was a denial of service (DoS) attack that exploited a buffer overflow bug in Microsoft’s SQL Server.

At its peak, the number of infected servers doubled in size every 8.5 seconds. This is why it was able to infect 250,000+ hosts within 30 minutes.

When it was released on the weekend of January 25, 2003, it disrupted the internet, financial institutions, ATM cash machines, and more.

Ironically, a patch for this vulnerability had been released 6 months earlier. The infected servers did not have the updated patch applied. This was a wake-up call for many organizations to implement a security policy requiring that updates and patches be applied in a timely fashion.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Whereas a virus requires a host program to run, worms can run by themselves.

Other than the initial infection, they no longer require user participation. After a host is infected, the worm is able to spread very quickly over the network.

Worms are responsible for some of the most devastating attacks on the internet. In 2001, the Code Red worm had initially infected 658 servers.

Within 19 hours, the worm had infected over 300,000 servers. – Initial Code Red Worm Infection – Code Red Infection 19 hours later

A

Code Red Infection 19 hours later : The initial infection of the SQL Slammer worm is known as the worm that ate the internet. SQL Slammer was a denial of service (DoS) attack that exploited a buffer overflow bug in Microsoft’s SQL Server.

At its peak, the number of infected servers doubled in size every 8.5 seconds. This is why it was able to infect 250,000+ hosts within 30 minutes.

When it was released on the weekend of January 25, 2003, it disrupted the internet, financial institutions, ATM cash machines, and more. Ironically, a patch for this vulnerability had been released 6 months earlier.

The infected servers did not have the updated patch applied. This was a wake-up call for many organizations to implement a security policy requiring that updates and patches be applied in a timely fashion.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Worms share similar characteristics.

They all exploit an enabling vulnerability, have a way to propagate themselves, and they all contain a payload.

A

Worms share similar characteristics.

They all exploit an enabling vulnerability, have a way to propagate themselves, and they all contain a payload.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Worm Components

Despite the mitigation techniques that have emerged over the years, worms have continued to evolve and pose a persistent threat.

Worms have become more sophisticated over time, but they still tend to be based on exploiting weaknesses in software applications.

A

Common Worm Pattern :

– Enabling vulnerability

– Propagation mechanism

– Payload

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Common Worm Pattern :

– Enabling vulnerability

– Propagation mechanism

– Payload

A

Enabling vulnerability :

A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Common Worm Pattern :

– Enabling vulnerability

– Propagation mechanism

– Payload

A

Propagation mechanism :

After gaining access to a device, the worm replicates itself and locates new targets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Common Worm Pattern :

– Enabling vulnerability

– Propagation mechanism

– Payload

A

Payload :

Any malicious code that results in some action is a payload.

Most often this is used to create a backdoor that allows a threat actor access to the infected host or to create a DoS attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Worms are self-contained programs that attack a system to exploit a known vulnerability.

Upon successful exploitation, the worm copies itself from the attacking host to the newly exploited system and the cycle begins again.

Their propagation mechanisms are commonly deployed in a way that is difficult to detect.

A

The propagation technique used by the Code Red worm is shown in the figure.

Code Red Worm Propagation

https://snipboard.io/ZKmzPE.jpg

Note: Worms never really stop spreading on the internet. After they are released, worms continue to propagate until all possible sources of infection are properly patched.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Ransomware Threat

actors have used viruses, worms, and Trojan horses to carry their payloads and for other malicious reasons.

However, malware continues to evolve.

A

Currently, the most dominating malware is ransomware.

Ransomware is malware that denies access to the infected computer system or its data.

The cybercriminals then demand payment to release the computer system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Ransomware

Ransomware has evolved to become the most profitable malware type in history.

In the first half of 2016, ransomware campaigns targeting both individual and enterprise users became more widespread and potent.

A

There are dozens of ransomware variants. Ransomware frequently uses an encryption algorithm to encrypt system files and data.

The majority of known ransomware encryption algorithms cannot be easily decrypted, leaving victims with little option but to pay the asking price.

Payments are typically paid in Bitcoin because users of bitcoin can remain anonymous.

Bitcoin is an open-source, digital currency that nobody owns or controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Ransomware Email and malicious advertising, also known as malvertising, are vectors for ransomware campaigns.

Social engineering is also used, as when cybercriminals who identify themselves as security technicians call homes and persuade users to connect to a website that downloads the ransomware to the user’s computer..

A

Email and malicious advertising, also known as malvertising, are vectors for ransomware campaigns.

Social engineering is also used, as when cybercriminals who identify themselves as security technicians call homes and persuade users to connect to a website that downloads the ransomware to the user’s computer..

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Other Malware These are some examples of the varieties of modern malware:

– Spyware

– Adware

– Scareware

– Phishing

– Rootkits

This list will continue to grow as the internet evolves. New malware will always be developed. A major goal of cybersecurity operations is to learn about new malware and how to promptly mitigate it.

A

Spyware :

Used to gather information about a user and send the information to another entity without the user’s consent.

Spyware can be a system monitor, Trojan horse, Adware, tracking cookies, and key loggers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Other Malware These are some examples of the varieties of modern malware:

– Spyware

– Adware

– Scareware

– Phishing

– Rootkits

This list will continue to grow as the internet evolves. New malware will always be developed. A major goal of cybersecurity operations is to learn about new malware and how to promptly mitigate it.

A

Adware :

Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited.

It can then send pop-up advertising pertinent to those sites.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Other Malware These are some examples of the varieties of modern malware:

– Spyware

– Adware

– Scareware

– Phishing

– Rootkits

This list will continue to grow as the internet evolves. New malware will always be developed. A major goal of cybersecurity operations is to learn about new malware and how to promptly mitigate it.

A

Scareware :

Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat.

It is generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Other Malware These are some examples of the varieties of modern malware:

– Spyware

– Adware

– Scareware

– Phishing

– Rootkits

This list will continue to grow as the internet evolves. New malware will always be developed. A major goal of cybersecurity operations is to learn about new malware and how to promptly mitigate it.

A

Phishing :

Attempts to convince people to divulge sensitive information.

Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Other Malware These are some examples of the varieties of modern malware:

– Spyware

– Adware

– Scareware

– Phishing

– Rootkits

This list will continue to grow as the internet evolves. New malware will always be developed. A major goal of cybersecurity operations is to learn about new malware and how to promptly mitigate it.

A

Rootkits :

Installed on a compromised system.

After it is installed, it continues to hide its intrusion and provide privileged access to the threat actor.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Common Malware Behaviors

Cybercriminals continually modify malware code to change how it spreads and infects computers.

However, most produce similar symptoms that can be detected through network and device log monitoring.

A

Computers infected with malware often exhibit one or more of the following symptoms:

Appearance of strange files, programs, or desktop icons

Antivirus and firewall programs are turning off or reconfiguring settings

Computer screen is freezing or system is crashing

Emails are spontaneously being sent without your knowledge to your contact list

  • Files have been modified or deleted
  • Increased CPU and/or memory usage
  • Problems connecting to networks
  • Slow computer or web browser speeds
  • Unknown processes or services running
  • Unknown TCP or UDP ports open
  • Connections are made to hosts on the Internet without user action
  • Strange computer behavior

Note: Malware behavior is not limited to the above list.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Common Network Attacks

  • Reconnaissance,

Access, and

Social Engineering

Types of Network Attacks Malware is a means to get a payload delivered. When it is delivered and installed, the payload can be used to cause a variety of network-related attacks from the inside. Threat actors can also attack the network from outside.

A

Why do threat actors attack networks?

There are many motives including money, greed, revenge, or political, religious, or sociological beliefs.

Network security professionals must understand the types of attacks used to counter these threats to ensure the security of the LAN.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Why do threat actors attack networks?

There are many motives including money, greed, revenge, or political, religious, or sociological beliefs.

Network security professionals must understand the types of attacks used to counter these threats to ensure the security of the LAN.

A

To mitigate attacks, it is useful to first categorize the various types of attacks.

By categorizing network attacks, it is possible to address types of attacks rather than individual attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

To mitigate attacks, it is useful to first categorize the various types of attacks.

By categorizing network attacks, it is possible to address types of attacks rather than individual attacks.

A

Although, there is no standardized way of categorizing network attacks, the method used in this course classifies attacks in three major categories.

Reconnaissance Attacks Access Attacks DoS Attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Reconnaissance Attacks

Reconnaissance is information gathering.

It is analogous to a thief surveying a neighborhood by going door-to-door pretending to sell something.

What the thief is actually doing is looking for vulnerable homes to break into, such as unoccupied residences, residences with easy-to-open doors or windows, and those residences without security systems or security cameras.

A

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities.

Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

– Perform an information query of a target

– Initiate a ping sweep of the target network

– Initiate a port scan of active IP addresses

– Run vulnerability scanners

– Run exploitation tools

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities.

Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

– Perform an information query of a target

– Initiate a ping sweep of the target network

– Initiate a port scan of active IP addresses

– Run vulnerability scanners

– Run exploitation tools

A

Perform an information query of a target :

The threat actor is looking for initial information about a target.

Various tools can be used, including the Google search, organizations website, whois, and more.

36
Q

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities.

Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

– Perform an information query of a target

– Initiate a ping sweep of the target network

– Initiate a port scan of active IP addresses

– Run vulnerability scanners

– Run exploitation tools

A

Initiate a ping sweep of the target network :

The information query usually reveals the target’s network address.

The threat actor can now initiate a ping sweep to determine which IP addresses are active.

37
Q

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities.

Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

– Perform an information query of a target

– Initiate a ping sweep of the target network

– Initiate a port scan of active IP addresses

– Run vulnerability scanners

– Run exploitation tools

A

Initiate a port scan of active IP addresses :

This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

38
Q

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities.

Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

– Perform an information query of a target

– Initiate a ping sweep of the target network

– Initiate a port scan of active IP addresses

– Run vulnerability scanners

– Run exploitation tools

A

Run vulnerability scanners :

This is to query the identified ports to determine the type and version of the application and operating system that is running on the host.

Examples of tools include Nipper, Secuna PSI, Core Impact, Nessus v6, SAINT, and Open VAS.

39
Q

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities.

Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

– Perform an information query of a target

– Initiate a ping sweep of the target network

– Initiate a port scan of active IP addresses

– Run vulnerability scanners

– Run exploitation tools

A

Run exploitation tools :

The threat actor now attempts to discover vulnerable services that can be exploited.

A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

40
Q

Click each button to view the progress of a reconnaissance attack from information query, to ping sweep, to port scan. :

– Internet Information Queries

– Performing Ping Sweeps

– Performing Port Scans

A

Click each button to view the progress of a reconnaissance attack from information query, to ping sweep, to port scan. :

– Internet Information Queries

– Performing Ping Sweeps

– Performing Port Scans

41
Q

Access Attacks Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services.

The purpose of this type of attack is to gain entry to web accounts, confidential databases, and other sensitive information.

A

Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to escalate access privileges to administrator status. :

– Password Attacks

– Spoofing Attacks

42
Q

Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to escalate access privileges to administrator status. :

– Password Attacks

– Spoofing Attacks

A

Password Attacks :

In a password attack, the threat actor attempts to discover critical system passwords using various methods.

Password attacks are very common and can be launched using a variety of password cracking tools.

43
Q

Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to escalate access privileges to administrator status. :

– Password Attacks

– Spoofing Attacks

A

Spoofing Attacks :

In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data.

Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.

These spoofing attacks will be discussed in more detail later in this module Other Access attacks include:

Trust exploitations

Port redirections

Man-in-the-middle attacks

Buffer overflow attacks

44
Q

Spoofing Attacks :

In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data.

Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.

These spoofing attacks will be discussed in more detail later in this module Other Access attacks include:

Trust exploitations

Port redirections

Man-in-the-middle attacks

Buffer overflow attacks

A

Trust exploitations :

In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target.

Click Play in the figure to view an example of trust exploitation.

45
Q

Spoofing Attacks :

In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data.

Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.

These spoofing attacks will be discussed in more detail later in this module Other Access attacks include:

Trust exploitations

Port redirections

Man-in-the-middle attacks

Buffer overflow attacks

A

Port redirections :

In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets.

The example in the figure shows a threat actor using SSH (port 22) to connect to a compromised Host A.

Host A is trusted by Host B and, therefore, the threat actor can use Telnet (port 23) to access it.

46
Q

Spoofing Attacks :

In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data.

Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.

These spoofing attacks will be discussed in more detail later in this module Other Access attacks include:

Trust exploitations

Port redirections

Man-in-the-middle attacks

Buffer overflow attacks

A

Man-in-the-middle attacks :

In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.

The figure displays an example of a man-in-the-middle attack.

47
Q

Spoofing Attacks :

In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data.

Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.

These spoofing attacks will be discussed in more detail later in this module Other Access attacks include:

Trust exploitations

Port redirections

Man-in-the-middle attacks

Buffer overflow attacks

A

Buffer overflow attacks :

In a buffer overflow attack, the threat actor exploits the buffer memory and overwhelms it with unexpected values.

This usually renders the system inoperable, creating a DoS attack.

The figure shows that the threat actor is sending many packets to the victim in an attempt to overflow the victim’s buffer.

48
Q

Social Engineering

Attacks Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information.

Some social engineering techniques are performed in-person while others may use the telephone or internet.

A

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

49
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Pretexting :

A threat actor pretends to need personal or financial data to confirm the identity of the recipient.

50
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Phishing :

A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.

51
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Spear phishing :

A threat actor creates a targeted phishing attack tailored for a specific individual or organization.

52
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Spam :

Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.

53
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Something for Something :

Sometimes called “Quid pro quo”, this is when a threat actor requests personal information from a party in exchange for something such as a gift.

54
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Baiting :

A threat actor leaves a malware infected flash drive in a public location.

A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.

55
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Impersonation :

In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.

56
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Tailgating :

This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.

57
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Shoulder surfing :

This is where a threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.

58
Q

Social engineers often rely on people’s willingness to be helpful.

They also prey on people’s weaknesses.

For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access.

The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Information about social engineering techniques is shown in the table.

– Pretexting

– Phishing

– Spear phishing

– Spam

– Something for Something

– Baiting

– Impersonation

– Tailgating

– Shoulder surfing

– Dumpster diving

A

Dumpster diving :

This is where a threat actor rummages through trash bins to discover confidential documents.

59
Q

The Social Engineer Toolkit (SET) was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks.

It is a set of menu-based tools that help launch social engineering attacks.

The SET is for educational purposes only. It is freely available on the internet.

A

Enterprises must educate their users about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.

60
Q

The figure shows recommended practices that should be followed by all users.

Recommended Social Engineering

Protection Practices

https://snipboard.io/cPmVBM.jpg

A

The figure shows recommended practices that should be followed by all users.

Recommended Social Engineering

Protection Practices

https://snipboard.io/cPmVBM.jpg

61
Q

Strengthening the Weakest Link Cybersecurity is only as strong as its weakest link.

Since computers and other internet-connected devices have become an essential part of our lives, they no longer seem new or different.

People have become very casual in their use of these devices and rarely think about network security. The weakest link in cybersecurity can be the personnel within an organization, and social engineering a major security threat.

Because of this, one of the most effective security measures that an organization can take is to train its personnel and create a “security-aware culture.”

A

Strengthening the Weakest Link Cybersecurity is only as strong as its weakest link.

Since computers and other internet-connected devices have become an essential part of our lives, they no longer seem new or different.

People have become very casual in their use of these devices and rarely think about network security. The weakest link in cybersecurity can be the personnel within an organization, and social engineering a major security threat.

Because of this, one of the most effective security measures that an organization can take is to train its personnel and create a “security-aware culture.”

62
Q

DoS and DDoS Attacks A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications.

There are two major types of DoS attacks:

– Overwhelming Quantity of Traffic

– Maliciously Formatted Packets

A

Overwhelming Quantity of Traffic :

The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle.

This causes transmission and response times to slow down.

It can also crash a device or service.

63
Q

DoS and DDoS Attacks A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications.

There are two major types of DoS attacks:

– Overwhelming Quantity of Traffic

– Maliciously Formatted Packets

A

Maliciously Formatted Packets ::

The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it.

This causes the receiving device to run very slowly or crash.

64
Q

Click each button for an illustration and explanation of DoS and DDoS attacks. :

– Dos Attacks

– DDoS Attack

A

Dos Attacks :

DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money.

These attacks are relatively simple to conduct, even by an unskilled threat actor.

65
Q

Click each button for an illustration and explanation of DoS and DDoS attacks. :

– Dos Attacks

– DDoS Attack

A

DDoS Attack :

A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, A threat actor builds a network of infected hosts, known as zombies.

The threat actor uses a command and control (CnC) system to send control messages to the zombies. The zombies constantly scan and infect more hosts with bot malware.

The bot malware is designed to infect a host, making it a zombie that can communicate with the CnC system.

The collection of zombies is called a botnet. When ready, the threat actor instructs the CnC system to make the botnet of zombies carry out a DDoS attack.

66
Q

Components of DDoS Attacks:

If threat actors can compromise many hosts, they can perform a Distributed DoS Attack (DDoS).

DDoS attacks are similar in intent to DoS attacks, except that a DDoS attack increases in magnitude because it originates from multiple, coordinated sources, as shown in the figure.

A DDoS attack can use hundreds or thousands of sources, as in IoT-based DDoS attacks.

A

The following terms are used to describe components of a DDoS attack: :

– zombies

– bots

– botnet

– handlers

– botmaster

67
Q

The following terms are used to describe components of a DDoS attack: :

– zombies

– bots

– botnet

– handlers

– botmaster

A

zombies :

This refers to a group of compromised hosts (i.e., agents).

These hosts run malicious code referred to as robots (i.e., bots).

The zombie malware continually attempts to self-propagate like a worm.

68
Q

The following terms are used to describe components of a DDoS attack: :

– zombies

– bots

– botnet

– handlers

– botmaster

A

bots :

Bots are malware that is designed to infect a host and communicate with a handler system.

Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.

69
Q

The following terms are used to describe components of a DDoS attack: :

– zombies

– bots

– botnet

– handlers

– botmaster

A

botnet :

This refers to a group of zombies that have been infected using self-propagating malware (i.e., bots) and are controlled by handlers.

70
Q

The following terms are used to describe components of a DDoS attack: :

– zombies

– bots

– botnet

– handlers

– botmaster

A

handlers :

This refers to a master command-and-control (CnC or C2) server controlling groups of zombies.

The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2 server to remotely control the zombies.

71
Q

The following terms are used to describe components of a DDoS attack: :

– zombies

– bots

– botnet

– handlers

– botmaster

A

botmaster : :

This is the threat actor who is in control of the botnet and handlers.

Note: There is an underground economy where botnets can be bought (and sold) for a nominal fee.

This can provide threat actors with botnets of infected hosts ready to launch a DDoS attack against the target of choice.

72
Q

Mirai Botnet Mirai is malware that targeted IoT devices that are configured with default login information.

Closed-circuit television (CCTV) cameras made up the majority of Mirai’s targets.

Using a brute force dictionary attack, Mirai ran through a list of default usernames and passwords that were widely known on the internet.

A

root/default root/1111 root/54321 admin/admin1234

admin1/password guest/12345 tech/tech support/support

73
Q

root/default root/1111 root/54321 admin/admin1234

admin1/password guest/12345 tech/tech support/support

A

After gaining successful access, Mirai targeted the Linux-based BusyBox utilities that run on these devices.

These utilities were used to turn the devices into bots that could be remotely controlled as part of a botnet.

The botnet was then used as part of a distributed denial of service (DDoS) attack.

In September 2016, a Mirai botnet of over 152,000 CCTVs and digital video recorders (DVRs) was responsible for the largest DDoS attack known until that time.

With peak traffic of over 1 Tb/s, it took down the hosting services of a France-based web hosting company.

74
Q

After gaining successful access, Mirai targeted the Linux-based BusyBox utilities that run on these devices.

These utilities were used to turn the devices into bots that could be remotely controlled as part of a botnet.

The botnet was then used as part of a distributed denial of service (DDoS) attack.

In September 2016, a Mirai botnet of over 152,000 CCTVs and digital video recorders (DVRs) was responsible for the largest DDoS attack known until that time.

With peak traffic of over 1 Tb/s, it took down the hosting services of a France-based web hosting company.

A

In October 2016 the services of Dyn, a domain name service (DNS) provider, were attacked, causing internet outages for millions of users in the United States and Europe.

Play the video to view a demonstration of how a botnet-based DDoS attack makes services unavailable -youtube search Note: In December 2017, three American threat actors pleaded guilty to conspiring to “conduct DDoS attacks against websites and web hosting companies located in the United States and abroad.” The three felons face up to 10 years in prison and $250,000 in fines.

75
Q

Buffer Overflow Attack

https://snipboard.io/qCQHkG.jpg

The goal of a threat actor when using a buffer overflow DoS attack is to find a system memory-related flaw on a server and exploit it.

Exploiting the buffer memory by overwhelming it with unexpected values usually renders the system inoperable, creating a DoS attack.

A

For example, a threat actor enters input that is larger than expected by the application running on a server.

The application accepts the large amount of input and stores it in memory.

The result is that it may consume the associated memory buffer and potentially overwrite adjacent memory, eventually corrupting the system and causing it to crash.

76
Q

For example, a threat actor enters input that is larger than expected by the application running on a server.

The application accepts the large amount of input and stores it in memory.

The result is that it may consume the associated memory buffer and potentially overwrite adjacent memory, eventually corrupting the system and causing it to crash.

A

An early example of using malformed packets was the Ping of Death.

In this legacy attack, the threat actor sent a ping of death, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.

The receiving host would not be able to handle a packet of that size and it would crash.

77
Q

An early example of using malformed packets was the Ping of Death.

In this legacy attack, the threat actor sent a ping of death, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.

The receiving host would not be able to handle a packet of that size and it would crash.

A

Buffer overflow attacks are continually evolving. For instance, a remote denial of service attack vulnerability was recently discovered in Microsoft Windows 10.

Specifically, a threat actor created malicious code to access out-of-scope memory.

When this code is accessed by the Windows AHCACHE.SYS process, it attempts to trigger a system crash, denying service to the user.

Search the Internet on “TALOS-2016-0191 blog” to go to the Cisco Talos threat intelligence website and read a description of such an attack.

Note: It is estimated that one third of malicious attacks are the result of buffer overflows.

78
Q

Evasion Methods Threat actors learned long ago that “to hide is to thrive”.

This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses.

A

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

79
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Encryption and tunneling :

This evasion technique uses tunneling to hide, or encryption to scramble, malware files.

This makes it difficult for many security detection techniques to detect and identify the malware.

Tunneling can mean hiding stolen data inside of legitimate packets.

80
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Resource exhaustion :

This evasion technique makes the target host too busy to properly use security detection techniques.

81
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Traffic fragmentation :

This evasion technique splits a malicious payload into smaller packets to bypass network security detection.

After the fragmented packets bypass the security detection system, the malware is reassembled and may begin sending sensitive data out of the network.

82
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Protocol-level misinterpretation :

This evasion technique occurs when network defenses do not properly handle features of a PDU like a checksum or TTL value.

This can trick a firewall into ignoring packets that it should check.

83
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Traffic substitution :

In this evasion technique, the threat actor attempts to trick an IPS by obfuscating the data in the payload.

This is done by encoding it in a different format.

For example, the threat actor could use encoded traffic in Unicode instead of ASCII.

The IPS does not recognize the true meaning of the data, but the target end system can read the data.

84
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Traffic insertion :

Similar to traffic substitution, but the threat actor inserts extra bytes of data in a malicious sequence of data.

The IPS rules miss the malicious data, accepting the full sequence of data.

85
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Pivoting :

This technique assumes the threat actor has compromised an inside host and wants to expand their access further into the compromised network.

An example is a threat actor who has gained access to the administrator password on a compromised host and is attempting to login to another host using the same credentials.

86
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Rootkits :

A rootkit is a complex attacker tool used by experienced threat actors. It integrates with the lowest levels of the operating system.

When a program attempts to list files, processes, or network connections, the rootkit presents a sanitized version of the output, eliminating any incriminating output.

The goal of the rootkit is to completely hide the activities of the attacker on the local system.

87
Q

Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected.

For this reason, many attacks use stealthy evasion techniques to disguise an attack payload.

Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include:

– Encryption and tunneling

– Resource exhaustion

– Traffic fragmentation

– Protocol-level misinterpretation

– Traffic substitution

– Traffic insertion

– Pivoting

– Rootkits

– Proxies

A

Proxies :

Network traffic can be redirected through intermediate systems in order to hide the ultimate destination for stolen data. In this way, known command-and-control not be blocked by an enterprise because the proxy destination appears benign.

Additionally, if data is being stolen, the destination for the stolen data can be distributed among many proxies, thus not drawing attention to the fact that a single unknown destination is serving as the destination for large amounts of network traffic.

New attack methods are constantly being developed. Network security personnel must be aware of the latest attack methods in order to detect them.

MODULE 14 - Common Threats and Attacks CERTIFICATION CYBER OPS ASSOCIATE (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions