Section 1 – Attacks, Threats, and Vulnerabilities Flashcards

1
Q

Typosquatting

A

Also known as URL hijacking, is a form of cybersquatting (sitting on sites under someone else’s brand or copyright) that targets Internet users who incorrectly type a website address into their web browser

2
Q

URL hijacking

A

Targeting people on the internet who incorrectly type a website’s domain name in the browser.

Scammers register domain names that may seem similar to the original brand name, except there is a small typo in the domain that can be easily missed.

3
Q

Prepending

A

When an attacker prepends, or attaches, a trustworthy value like “RE:” or “MAILSAFE: PASSED” to a message in order to make the message appear more trustworthy.

4
Q

Pretexting

A

Is a form of social engineering in which an attacker gets access to information, a system or a service through deceptive means. The attacker will present a false scenario — or pretext — to gain the victim’s trust

5
Q

Pharming

A

redirects internet users to fake websites to steal user data. It’s generally carried out by using one of the following techniques: Malware, DNS cache poisoning, Host file modification, Rogue DNS servers

6
Q

Vishing

A

Is short for “voice phishing,” which involves defrauding people over the phone, enticing them to divulge sensitive information. In this definition of vishing, the attacker attempts to grab the victim’s data and use it for their own benefit

7
Q

Smishing

A

Is a form of phishing, which uses social engineering to trick someone into revealing private information. However, the attack is executed using a text message.

8
Q

Reconnaissance

A

Gather information on the victim

9
Q

Spear phishing, whaling

A

Is a strategic phishing attack, targeted towards high profile executives, that is disguised as a permitted email. An attacker can prod the target for information that helps them access sensitive areas of the network, passwords, or other user information.

10
Q

Impersonation

A

Is a type of targeted phishing attack where a malicious actor pretends to be someone else or other entities to steal sensitive data from unsuspecting employees using social engineering tactics.

11
Q

Hoaxes

A

Is a fake warning about a virus or other piece of malicious code. Typically a hoax takes the form of an e-mail or other message warning the reader of a dangerous new virus and suggesting that the reader pass the message on.
Hoaxes cause no damage in themselves, but their distribution by well-meaning people often causes fear and uncertainty.

12
Q

Watering hole attack

A

Is a form of cyberattack that targets groups of users by infecting websites that they commonly visit.
Watering hole attacks are relatively rare, but they continue to have a high success rate. That is because they target legitimate websites that cannot be blacklisted, and cyber criminals deploy zero-day exploits that antivirus detectors and scanners will not pick up.

13
Q

Malware types

A

Virus, Crypto, Ransomware, Worms, Trojan Horse, Rootkit, Keyloggers, Adware/Spyware, Botnet

14
Q

Trojan Horse

A

Software that pretends to be something else

14
Q

Rootkit

A

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software.

15
Q

Worms

A

Uses the network as a transmission medium and replicates by itself.

16
Q

Virus vs Worm?

A

Virus needs to be executed, Worm replicates automatically

17
Q

Spraying attack

A

Brute-force logins based on a list of usernames with default passwords on the application. An attacker will use one password against many different accounts on the application to avoid account lockouts

18
Q

Rainbow table

A

tables of reversed hashes used to crack password hashes

19
Q

Password salting

A

technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them

20
Q

Skimming

A

Skimming occurs when devices illegally installed on ATMs, point-of-sale (POS) terminals, or fuel pumps capture data or record cardholders’ PINs.

21
Q

Birthday attack

A

Type of brute force attack. Is a form of cryptographic attack that cracks mathematical algorithms by looking for matches in the hash function. The strategy relies upon the birthday paradox.

22
Q

Downgrade attack

A

is an attack that seeks to cause a connection, protocol, or cryptographic algorithm to drop to an older and less secure version.

23
Q

Collision (hash)

A

When two inputs produce the same hash value

24
Q

Man-in-the-middle attack

A

this attack constitutes an interception of a data transfer or other digital communication. By doing this, the attacker gains access to exchanges that are supposed to be secured.

25
Q

Data Execution Prevention (DEP)

A

a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable.

26
Q

Cross-site Scripting (XSS) attacks

A

are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

27
Q

Pass-the-Hash attack

A

an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

28
Q

Replay attack

A

occurs when transmitted authentication or access control information is intercepted and then re-transmitted to either produce an unauthorized effect or gain unauthorized access.

29
Q

Session hijacking attack

A

compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

30
Q

Web Application Firewall (WAF)

A

filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others

31
Q

reverse proxy

A

sits in front of one or more web servers, intercepting requests from clients. Helps with Load balancing, Protection from attacks, Global Server Load Balancing, Caching, SSL encryption

32
Q

Zero-day attack

A

happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability

33
Q

Shimming (ATM)

A

fraudsters insert a “shim” into the card reader that allows them to copy the chip-card information

34
Q

SSL stripping attacks

A

(also known as SSL downgrade or HTTP downgrade attacks) are a type of cyber attack in which hackers downgrade a web connection from the more secure HTTPS to the less secure HTTP.
They act as a man in the middle by establishing their own HTTPS connection with the website (posing as the user) and maintaining the HTTP connection with the user

35
Q

Eavesdropping attack

A

also known as a sniffing or snooping attack, is a theft of information as it is transmitted over a network by a computer, smartphone, or another connected device.

36
Q

Time-of-check Time-of-use (TOCTOU)

A

a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

37
Q

Null-pointer dereference

A

A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area, typically causing a crash or exit.

38
Q

Directory traversal

A

(also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server

39
Q

Input sanitization

A

A measure of checking, cleaning, and filtering data inputs from users, APIs, and web services of any unwanted characters and strings to prevent the injection of harmful codes into the system.

40
Q

Cross-Site Request Forgery (CSRF)

A

CSRF (also XSRF, one-click attack, or session riding) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help from social engineering, an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

41
Q

Server-side request forgery

A

SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

42
Q

Shimming (drivers)

A

is additional code that can be run instead of the original driver. When an application attempts to call an older driver, the operating system intercepts the call and redirects it to run the shim code instead.

43
Q

Refactoring (drivers)

A

set of techniques used to identify the flow and then modify the internal structure of code without changing the code’s visible behavior

44
Q

Resource exhaustion

A

computer security exploits that crash, hang, or otherwise interfere with the targeted program or system. They are a form of denial-of-service attack

45
Q

Advanced persistent threat (APT)

A

An attack campaign in which an intruder establishes an illicit, long-term presence on a network in order to mine highly sensitive data

46
Q

State actors

A

Operating on behalf of nation-states, they primarily use cyber threat activity to advance their geopolitical objectives. They are frequently the most sophisticated threat actors, with dedicated resources and personnel, and extensive planning and coordination.

47
Q

Hacktivists

A

Carry out ideologically motivated cyber threat activity and are generally of lower sophistication than state-sponsored cyber threat actors or organized cybercriminals. These actors, alongside terrorist groups and thrill-seekers, often rely on widely available tools that require little technical skill to deploy.

48
Q

Shadow IT

A

The use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software, and hardware.

49
Q

Evil twin vs rogue AP

A

A rogue AP is an illegitimate access point plugged into a network to create a bypass from outside into the legitimate network. By contrast, an evil twin is a copy of a legitimate access point.

50
Q

Bluesnarfing attack

A

Happens when your Bluetooth is on and set to “discoverable to others” mode. To launch a Bluesnarfing attack, the attacker needs to exploit the object exchange protocol (OBEX protocol) to exchange information between the wireless devices

51
Q

Bluejacking

A

Sends unsolicited messages to bluetooth-enabled devices

52
Q

Automated indicator sharing

A

Enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants of the AIS community and ultimately reduce the prevalence of cyberattacks.

53
Q

Structured Threat Information Expression

A

STIX is a language and serialization format used to exchange cyber threat intelligence (CTI)

54
Q

Trusted Automated eXchange of Intelligence Information

A

TAXII is a collection of services and message exchanges to enable the sharing of information about cyber threats across product, service and organizational boundaries

55
Q

Adversarial Tactics, Techniques, and Common Knowledge

A

MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013. The framework consists of 14 tactics categories consisting of “technical objectives” of an adversary

56
Q

Threat (intelligence) feeds

A

Is an ongoing stream of data related to potential or current threats to an organization’s security. TI feeds provide information on attacks, including zero-day attacks, malware, botnets and other security threats.

57
Q

Intelligence fusion

A

A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by merging data from a variety of sources.

58
Q

Common Vulnerability Scoring System (CVSS)

A

Is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.

59
Q

Reconnaissance in pentesting

A

A discovery phase to gather information about available systems on the network and how they’re configured.

60
Q

Vulnerability Assessment in pentesting

A

A comprehensive assessment which identifies misconfigured systems, outdated software, and other vulnerabilities that could be leveraged to compromise a system or the network.

61
Q

Exploitation in pentesting

A

Vulnerabilities are reviewed and tested to determine if they can be exploited to gain unauthorized access, extract data, or move throughout the network.

62
Q

Risk Determination in pentesting

A

An assessment of each verified vulnerability is performed to determine the likelihood of compromise and the potential impact on the organization.

63
Q

White Box pentesting

A

Also known as clear-box, open-box, auxiliary and logic-driven testing. Penetration testers are given full access to source code, architecture documentation and so forth. The main challenge is sifting through the massive amount of data available to identify potential points of weakness, making it the most time-consuming type of penetration testing.

64
Q

Black-box pentesting

A

The penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

65
Q

Gray-box pentesting

A

A gray-box tester has the access and knowledge levels of a user, potentially with elevated privileges on a system. Gray-box pentesters typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network.

66
Q

Rules of engagement in pentesting

A

ROE are meant to list out the specifics of your penetration testing project to ensure that both the client and the engineers working on a project know exactly what is being tested, when it’s being tested, and how it’s being tested.

67
Q

Lateral movement in pentesting

A

Is a technique to progressively move through a network, after compromising an endpoint, to search for the key data and assets that are ultimately the target of an attack campaign.

68
Q

Persistence in pentesting

A

Is a technique widely used by red teaming professionals and adversaries to maintain a connection with target systems after interruptions that can cut off their access

69
Q

Pivoting in pentesting

A

Is the use of one infected computer to attack a different computer. This is done to avoid restrictions such as firewalls.

70
Q

Wardriving

A

is locating and logging onto open wireless access points while driving down streets

71
Q

Warflying

A

Is where a person uses a drone to detect unsecured wireless networks.

72
Q

Footprinting

A

Refers to the process of collecting as much information as possible about the target system to find ways to penetrate into the system - profiling an organization, gathering information about the host, network and people related to the organization.

73
Q

Red vs Blue teams

A

Red Teams are offensive security focused. They simulate how a possible attacker would attack cybersecurity defenses.
Blue Teams are defense focused. They architect and maintain the protective internal cybersecurity infrastructure.

74
Q

Purple Teams

A

(Blue Red Teams) are both offensively and defensively minded and were designed to ensure holistic and synergistic operations and information exchange between attackers and company defenders. Typically purple teams aren’t really a team at all, rather a collaborative agreement between red and blue teams.

75
Q

Black team

A

Is a phrase used to describe a physical penetration test.

76
Q

White team

A

Is responsible for refereeing an engagement between a Red Team (attackers) and a Blue Team (defenders) in an enterprise set up with information and systems. The white team acts as a judge by enforcing rules during the exercise and scoring the other groups. In addition, the team ensures that the activities of Red and Blue Teams run fairly without causing operational problems.

77
Q

SPIM

A

Spam over IM

78
Q

Dumpster diving

A

Entails threat actors searching through a victim’s trash

79
Q

Social Engineering Principles

A

Authority, Intimidation - intimidate a victim by trying to appear superior
Consensus / Social Proof - convinces victims they can be trusted
Scarcity - false urgency
Familiarity/Liking, trust - use charisma or likeability to get a victim to complete a request

80
Q

Potentially unwanted programs (PUPs)

A

A PUP serves as a marketing tool and often modifies browser settings or displays unwanted advertisements. The most common form of PUP is adware.

81
Q

Fileless virus

A

Is malicious code that works directly within a computer’s memory instead of the hard drive. It uses legitimate, otherwise benevolent programs to compromise your computer instead of malicious files.

82
Q

Command and Control attack

A

Attack that involves tools to communicate with and control an infected machine or network. To profit for as long as possible from a malware attack, a hacker needs a covert channel or backdoor

83
Q

Logic bombs

A

A piece of code left lying in wait on a computer that will execute under certain specified conditions and take actions the owner of that computer would consider malicious.

84
Q

API attacks

A

Malicious usage of an API from automated threats such as access violations, bot attacks or abuse.

85
Q

Pass-the-Hash (PtH) attack

A

A technique where an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access to other networked systems.

86
Q

Initialization vector in WEP

A

It performs an integrity check to ensure that packets are not modified in transit. For this, it uses a 24-bit IV. The IV is included in the packet in the cleartext part of a message. Its goal is to ensure that two ciphertexts are not encrypted with the same key stream.

87
Q

Maneuver (Threat hunting)

A

How to think like a malicious user to help you identify potential indicators of compromise in your environment.