Social Engineering Techniques & Other Attack Types Flashcards

1
Q

Name four types of phishing

A
  • spearphishing (targets specific employees)
  • whaling (targets high level employees, executives, or senior management)
  • smishing (SMS phishing)
  • vishing (voice phishing; targets cell phones, telephones, or VoIP)
2
Q

What is phishing?

A

a cyber attack that uses disguised email or other communication channel as a vector

3
Q

Common phishing indicators

A

1) Vague salutations: for example, dear valued customer or dear employee
2) Suspicious-looking domain names/display names
3) URL paths: for example, the company name is actually farther down in the URL path, or the domain is a common misspelling.
4) Wrong hypertext
5) Awkward grammar
6) Urgency in text
7) Lack of contact info
8) Spoofed headers/logos

4
Q

Define Business Email Compromise (BEC)

A

This is a form of attack that targets companies that outsource, conduct wire transfers, and have suppliers abroad. Attackers often target the corporate email accounts of high-level employees. These accounts are either spoofed or compromised through tools such as keyloggers or other phishing attacks, and then used to perform fraudulent transfers.

5
Q

Common BEC Schemes

A

Phony invoices and transfers
“C-suite” or “C-Team” fraud (impersonate the CEO)
E-mail or webmail account compromise
Attorney impersonation and hoaxing
Data theft of personally identifiable information (PII)

6
Q

What is pharming?

A

A website’s traffic is manipulated or spoofed, and confidential information is stolen.

May be accomplished using a trojan or other virus that changes the computer’s hosts file to direct traffic away from its target and toward a fake website.

Crackers may also poison a DNS server to redirect multiple users, without their knowledge, to the fake site, which can be used to install malware on their computers.

For the exam, remember that pharming has to do with name resolution or DNS (domain name system).

7
Q

Spam

A

slang term for unsolicited commercial email or junk email

8
Q

common categories of spam

A
email spam
comment spam
trackback spam
negative SEO attack
spiders and DDoS (bots)
9
Q

Spim

A

Spam over instant messaging

disrupts chatting and can contain viruses or spyware

By blocking any messages from sources not on your contact list, you can prevent spim

most anti-virus programs include both spam and spim protection features

10
Q

Typosquatting

A

Involves sitting on sites under someone else’s brand or copyright and targeting internet users who erroneously type a website address into their browser address bar

Other names for typosquatting are URL hijacking, sting sites, or fake URLs

ex. - facebool, gooogle, amason

11
Q

Tailgating

A

also called piggybacking

occurs when access tokens or badges are being used in a single-factor or multi-factor authentication scheme for physical access to buildings, rooms, or certain high security areas such as data centers

each subject uses their badge or token with the sensor every time they access a building or protected area

often considered a violation of security policy (AUP/acceptable use policy) combined with some enforcement policy if users do not comply

12
Q

dumpster diving

A
credit card information
invoices and receipts
ip addresses
organization charts
names of key employees
manuals and charts
memos and sticky notes
hard drives
removable storage
phone numbers
13
Q

shoulder surfing

A

The goal is to look over the victim’s shoulder as he or she enters a password or PIN

easier to carry out today with spy cam technology and camera-equipped mobile devices

binoculars and telescopes from nearby buildings can see screens and keyboards

14
Q

watering hole

A

leverage a compromised webserver in order to target groups or associations in social networks

only members of the association are attacked, while other traffic is untouched

can be difficult to identify using traffic analysis since most traffic from the infected site is benign

15
Q

EXAM QUESTION

Why is social engineering so effective?

A

six reasons

1) lack of proper security and awareness training
2) inadequate acceptable use policy (AUP)
3) no buy-in from management and employees for prevention measures
4) no enforcement of policies - no carrot and no stick
5) outdated anti-virus, outdated DLP (data leakage prevention), and mobile device application management tools
6) poor perimeter security controls for e-mail, messaging, telephony, and web activities

16
Q

difference between malware and exploit

A

all malware are exploits, but not all exploits involve malware/malicious code

17
Q

Common types of malware

A

1) PUPs (potentially unwanted programs)
2) Ransomware
3) Trojans and RATs
4) Worms
5) Spyware and adware
6) Keyloggers

18
Q

RATs

A

Remote access trojans

often part of multi-staged exploits

1) create backdoors
2) establish Command & Control communication with a backend server (we call these “botnets”)
3) some well known RATs include Ghost, Poison Ivy, PlugX, and Sakula
4) Now on mobile devices

PlugX is now a common choice for nation-states that use RATs as their payload

19
Q

PUPs

A

Potentially unwanted programs

20
Q

PUAs

A

Potentially unwanted apps

21
Q

Ransomware

A

encrypts key files and holds them for ransom from the target organization.

usually demands cryptocurrency such as Bitcoin or Monero, which are difficult to track

cryptolocker toolkits have exploded since Gpcoder in 2005

average ransom demand has more than doubled

over 30 percent of victims are in the U.S.

newest trend is Ransomware-as-a-Service (RaaS) on the dark net, which is a subset of MaaS (Malware-as-a-Service)

22
Q

Steps of a ransomware campaign

A

1) installation: crypto-ransomware installs itself after bootup
2) contacting headquarters: malware contacts a server belonging to an attacker or group
3) handshake and keys: the ransomware client and server “handshake” and the server generates two cryptographic keys
4) encryption: the ransomware starts encrypting every file it finds with common file extensions
5) extortion: a screen displays giving a time limit to pay up before criminals destroy the key to decrypt the files

23
Q

Trojans

A

Trojan horses have no replicating abilities like viruses or worms

They are malicious code and programs that masquerade as legitimate applications or are embedded in real programs

24
Q

Trojan sources

A
Games
Utilities and tools
Device drivers
Patches & updates
Free/shareware
System upgrades
25
Q

RATs and C2 (C&C) Servers

A

1) attacker sets up a C&C server (aka C2)
2) RAT-infected PC acts as a server and sends information back to the client via the RAT server program
3) allows the attacker to conduct malicious operations
a) capture webcam
b) keystroke logging
c) install a remote shell (like CMD.exe on a windows system)
d) Continuously update RAT version to evade anti-virus and anti-malware programs
e) download files
f) upload files

26
Q

Worms

A

special form of self-replicating virus (malware) that generally spreads without user action

distribute complete copies (possibly modified copies) of themselves across networks

a worm can consume resources, infiltrate data, or simply cause the CPU on the system to waste cycles resulting in a computer becoming unresponsive

27
Q

IOCs

A

Indicators of Compromise: the activity of the worm and the artifacts it leaves behind

28
Q

Worms behaving as RATs

A

Because worms typically do not need to attach to a host program or file, they can also tunnel into a system and allow for remote control of the system or service

Classic examples are Sasser, ILOVEYOU, Conficker (four or five variants of this), and Stuxnet (launched against Iranian nuclear facilities)

29
Q

Worm risk factors

A

1) shared computers with weak passwords
2) removable devices, such as external hard drives and USB sticks, may get infected with a worm
3) computers without the latest security updates may get infected by the worm
4) computers with open share permissions
5) computers with a proper password policy, current security updates, antivirus or security software, and secured shares are protected from infection

30
Q

Spyware and Adware

A

Spyware is software that gathers data about a computer user without the user’s permission or knowledge

Spyware can show advertisements, track information and make modifications to endpoints without user knowledge

Malware, adware, and spyware are often found on P2P networks, download sites, and BitTorrent

Alexa, Echo, and similar “smart” devices can be used as spyware

31
Q

Keyloggers

A

Keystroke logging is typically done by malicious code that records keystrokes and sends the data back to a C&C server

Spyware uses keyloggers to capture passwords, credit card information, or other PII

Software can also be used to track employees or family members to adhere to acceptable use

It is also a valuable tool for analyzing human-computer collaboration

Keylogger detectors are special mitigation tools

Examples: PAL Keylogger Pro and KeyGhost

32
Q

Complex Malware Types

A

1) Rootkits
2) Backdoors
3) Fileless viruses
4) Botnets
5) Crypto malware
6) Logic bombs
7) Stegomalware
8) Polymorphic packers
9) Multipartite virus
10) Emerging variants (check out sans.org to keep up to date on these, can sign up for email and text bulletins)

Note: most malware attacks are multi-phased, stealthy, and polymorphic

33
Q

Rootkits

A

malicious modules that are placed in unauthorized areas to do things like:

1) access data
2) monitor actions
3) escalate privileges
4) modify programs
5) conduct further exploits

term is a combination of “Root,” which represents the root user in a unix or linux system (or administrator in a windows system) and “Kit,” which is a software or malware toolkit

can be difficult to detect because they’re often initiated before the operating system is fully loaded into memory or fully “booted”

can target the BIOS or the UEFI, the bootloader or system files

they can install hidden files and hidden processes, run processes beneath the surface, and even install hidden user accounts.

because rootkits can be installed in firmware or software, they have the ability to intercept data from network connections, keyboard input or output, and other peripherals

34
Q

Backdoors

A

Backdoors are considered Trojan programs

1) Most often masqueraded as some real program such as a game, device driver, or a patch. That is why it’s so important to digitally sign all of your code.
2) Closely related to the results of a botnet attack because it can attack more than one system
3) Typically it generates a covert channel, either to a C&C server or another member of a botnet
4) The remote attacker controls systems
5) Common now on mobile devices

35
Q

Backdoor exploits

A

1) collect system and personal data from the system and even attached storage devices.
2) perform DoS attacks on other systems (DDoS and botnet)
3) run and terminate tasks and processes
4) download additional files for multi-phased attack
5) audit the system status; the information gathered can be used to elevate or escalate privileges, or as part of the kill chain in a more advanced or persistent threat in the near future
6) open remote command line shells on remote windows and linux systems
7) modify computer settings like the registry or configuration files and can even shut down or restart systems

36
Q

Fileless viruses

A

Fileless malware operates in memory without being stored in a file or installed directly on a machine

Fileless viruses go directly into memory and the malicious content never reaches a hard drive

An evolutionary strain of malicious software

One of the key categories that antivirus vendors and antimalware vendors are dealing with right now, using advanced systems like machine learning and AI to discover these fileless viruses

FVs have a tendency to target high value targets like banks, telecoms, and government agencies

Examples: Frodo, Dark Avenger

37
Q

Bots and Botnets (DDoS)

A

Bots are the most common form of a Distributed Denial of Service Attack (DDoS) today

The robot network (botnet) consists of a zombie computer and a master command and control (C&C) server to remotely control victims, and many victims are unaware

The communication often occurs over Internet Relay Chat (IRC), encrypted channels, bot-centric peer-to-peer networks, and even social media like Twitter

Bots can exfil data, log keystrokes, scan memory, force a system to participate in mining cryptocurrency, and more

38
Q

Crypto Malware

A

Crypto malware is an advanced and evolving form of ransomware that encrypts a user’s files and demands ransom

Sophisticated cryptomalware uses advanced encryption mechanisms, so files can’t be decrypted without a unique key

What makes Crypto Malware different from run-of-the-mill ransomware is its polymorphic variants, which often change their behavior during the lifecycle of the kill chain

39
Q

Cryptolocker Infection Chain

A

1) User receives spam with a malicious attachment
2) The malicious attachment, usually a UPATRE variant, downloads a ZBOT variant
3) The ZBOT variant exhibits several routines, including downloading CRILOCK variant
4) The CRILOCK variant encrypts files to force users to purchase the private encryption key

40
Q

Logic bombs

A

Logic bombs trigger the exploit when a certain event occurs

1) mouse movements
2) certain file is accessed or a program is run
3) certain date or timestamp
4) program execution
5) number of times certain code is run
6) during a major event such as the super bowl or an election day
7) on a holiday

41
Q

Stegomalware

A

Based on steganography, broadly defined as anything done by a cracker to hide data in an unexpected channel

A JPEG picture of a dog playing with bubbles may actually contain destructive malware

A dangerous banking RAT has hidden its settings in the icon file of a website (as an alternate example to the above)

Many stegomalware hosting sites are buried deep within Tor

Common tools are Steghide, rSteg, and Crypture

The same tool must be used to reverse the process and expose the hidden malware

42
Q

Polymorphic Packers

A

Has the ability to change and move in stages

For example, starting out in RAM and then moving into compressed RAR files deep in the file system

Polymorphism is used in email attacks and drive-by exploits, and also in APTs (Advanced Persistent Threats) once the cracker has a foothold

Polymorphic packers are tools that bundle up different types of malware in a single package (either an email attachment or drive-by malware from a website)

43
Q

APTs

A

Advanced Persistent Threats

44
Q

Multipartite Viruses

A

Also known as a multipart virus/malware

Often combines file and boot/system infector viruses

Simultaneously attacks the boot sector and executable files

45
Q

Password Attacks

A

Repeated attempts to identify a user account, password, or both

46
Q

Cryptographic Hashing

A

A one-way mathematical function that takes the password and runs it through a SHA-1 or SHA-2 (pronounced “Shaw”) process. The output is a fixed-length fingerprint or hash, which is actually what’s stored on the backend database, Windows server, etc.

47
Q

Cain

A

Password attack tool

48
Q

John/John the Ripper

A

Password attack tool

49
Q

Dictionary and word lists

A

openwall.com has a list of words, misspelled words, and common patterns on the qwerty keyboard

50
Q

Spraying

A

Attempts to access many accounts, typically targeting single sign-on (SSO) and cloud-based applications that use federated authentication protocols (like SAML, Shibboleth, or OpenID Connect).

Attackers use a few commonly used passwords instead of traditional brute-force attacks, which can quickly result in the targeted account getting locked out.

The “low and slow” method involves the threat actor attempting a single frequently used password (such as Password123 or Letmein) against many accounts before moving on to attempt a second password.

52
Q

Rainbow tables

A

Used when passwords in a computer system are not stored directly in plaintext but are protected by a cryptographic hash function.

A rainbow table is a precompiled dictionary database of plaintext passwords and their corresponding hash values that can be used to find out what plaintext password produces a certain hash value.

Since a collision can occur (more than one password producing the same hash) it’s not important to know what the original password was, as long as the one selected produces the correct hash.

54
Q

Using Rainbow Tables

A

A rainbow table works by performing cryptanalysis very quickly and effectively. It’s not like a brute-force attack, which works by calculating the hash function of every string present. A rainbow table attack already has a table of computed hashes.

55
Q

Malicious USB Cables

A

Also known as an “evil” or “lightning” cable.

Attackers have created an exploit using a generic looking USB cable that can get commands from a nearby smartphone and then run them on the PC it’s plugged into.

Some USB-to-Lightning cables are tailored with a Wi-Fi chip inside one of the sockets, so that unsuspecting victims will assume the normal-looking cable is safe to use with their computer.

Unfortunately, the cable will be detected by the computer as a Human Interface Device that resembles a keyboard or a mouse.

It can also be connected to a malicious flash drive

56
Q

Skimming and Card Cloning Overview

A

The benefits of RFID / NFC for travelers and shoppers are numerous, and the tech is here to stay.

RFID and NFC devices are vulnerable to a variety of physical attacks.

Data stored on RFID chips can be stolen, skimmed, and scammed by anyone with easily obtained RFID readers.

57
Q

Skimming

A

Uses devices that overlay an ATM or point-of-sale scanner to steal information from the victim.

Crackers can also clone credit cards and debit cards by stealing the name, account number, expiration date, and three digit code.

58
Q

Adversarial Artificial Intelligence

A

Incorporation of AI, machine learning, and robotic techniques with learning, reasoning and decision making abilities into security analysis, defense and of course, military systems.

59
Q

Two types of attacks that can compromise unsupervised machine learning algorithms and systems

A

1) An evasion attack involves an adversary constantly probing classifiers with new inputs, trying to evade detection. These are also called “adversarial inputs” because they’re designed to bypass classifiers.
2) “Data poisoning” is when an attacker feeds polluted training data to a classifier. It can blur the boundary between what is classified as good and bad, in favor of the attacker. The most common type of data poisoning is “model stealing”, which basically generates results in the classifier, categorizing bad inputs as good ones.

60
Q

Supply-chain Attacks

A

Also called a “value chain” or “third-party attack”. The attacker infiltrates a system through an outside partner, a vendor, or a provider with access to your systems and/or data. It’s a form of side-channel attack.